context-mode 0.9.21 → 1.0.0

package/configs/vscode-copilot/hooks.json

@@ -0,0 +1,16 @@
+{
+  "hooks": {
+    "PreToolUse": [
+      { "type": "command", "command": "context-mode hook vscode-copilot pretooluse" }
+    ],
+    "PostToolUse": [
+      { "type": "command", "command": "context-mode hook vscode-copilot posttooluse" }
+    ],
+    "PreCompact": [
+      { "type": "command", "command": "context-mode hook vscode-copilot precompact" }
+    ],
+    "SessionStart": [
+      { "type": "command", "command": "context-mode hook vscode-copilot sessionstart" }
+    ]
+  }
+}

package/configs/vscode-copilot/mcp.json

@@ -0,0 +1,8 @@
+{
+  "servers": {
+    "context-mode": {
+      "command": "npx",
+      "args": ["-y", "context-mode"]
+    }
+  }
+}

package/hooks/core/formatters.mjs

@@ -0,0 +1,86 @@
+/**
+ * Platform-specific response formatters.
+ * Takes normalized decision from routing.mjs -> platform-specific JSON output.
+ */
+
+export const formatters = {
+  "claude-code": {
+    deny: (reason) => ({
+      hookSpecificOutput: {
+        hookEventName: "PreToolUse",
+        permissionDecision: "deny",
+        reason,
+      },
+    }),
+    ask: () => ({
+      hookSpecificOutput: {
+        hookEventName: "PreToolUse",
+        permissionDecision: "ask",
+      },
+    }),
+    modify: (updatedInput) => ({
+      hookSpecificOutput: {
+        hookEventName: "PreToolUse",
+        updatedInput,
+      },
+    }),
+    context: (additionalContext) => ({
+      hookSpecificOutput: {
+        hookEventName: "PreToolUse",
+        additionalContext,
+      },
+    }),
+  },
+
+  "gemini-cli": {
+    deny: (reason) => ({ decision: "deny", reason }),
+    ask: () => null, // Gemini CLI has no "ask" concept
+    modify: (updatedInput) => ({
+      hookSpecificOutput: { tool_input: updatedInput },
+    }),
+    context: (additionalContext) => ({
+      hookSpecificOutput: { additionalContext },
+    }),
+  },
+
+  "vscode-copilot": {
+    deny: (reason) => ({
+      permissionDecision: "deny",
+      reason,
+    }),
+    ask: () => ({
+      permissionDecision: "ask",
+    }),
+    modify: (updatedInput) => ({
+      hookSpecificOutput: {
+        hookEventName: "PreToolUse",
+        updatedInput,
+      },
+    }),
+    context: (additionalContext) => ({
+      hookSpecificOutput: {
+        hookEventName: "PreToolUse",
+        additionalContext,
+      },
+    }),
+  },
+};
+
+/**
+ * Apply a formatter to a normalized routing decision.
+ * Returns the platform-specific JSON response, or null for passthrough.
+ */
+export function formatDecision(platform, decision) {
+  if (!decision) return null;
+
+  const fmt = formatters[platform];
+  if (!fmt) return null;
+
+  switch (decision.action) {
+    case "deny": return fmt.deny(decision.reason);
+    case "ask": return fmt.ask();
+    case "modify": return fmt.modify(decision.updatedInput);
+    case "context": return fmt.context(decision.additionalContext);
+    default: return null;
+  }
+}

package/hooks/core/routing.mjs

@@ -0,0 +1,262 @@
+/**
+ * Pure routing logic for PreToolUse hooks.
+ * Returns NORMALIZED decision objects (NOT platform-specific format).
+ *
+ * Decision types:
+ * - { action: "deny", reason: string }
+ * - { action: "ask" }
+ * - { action: "modify", updatedInput: object }
+ * - { action: "context", additionalContext: string }
+ * - null (passthrough)
+ */
+
+import { ROUTING_BLOCK, READ_GUIDANCE, GREP_GUIDANCE, BASH_GUIDANCE } from "../routing-block.mjs";
+
+/**
+ * Strip heredoc content from a shell command.
+ * Handles: <<EOF, <<"EOF", <<'EOF', <<-EOF (indented), with optional spaces.
+ */
+function stripHeredocs(cmd) {
+  return cmd.replace(/<<-?\s*["']?(\w+)["']?[\s\S]*?\n\s*\1/g, "");
+}
+
+/**
+ * Strip ALL quoted content from a shell command so regex only matches command tokens.
+ * Removes heredocs, single-quoted strings, and double-quoted strings.
+ * This prevents false positives like: gh issue edit --body "text with curl in it"
+ */
+function stripQuotedContent(cmd) {
+  return stripHeredocs(cmd)
+    .replace(/'[^']*'/g, "''")                    // single-quoted strings
+    .replace(/"[^"]*"/g, '""');                   // double-quoted strings
+}
+
+// Try to import security module — may not exist
+let security = null;
+
+export async function initSecurity(buildDir) {
+  try {
+    const { pathToFileURL } = await import("node:url");
+    const secPath = (await import("node:path")).resolve(buildDir, "security.js");
+    security = await import(pathToFileURL(secPath).href);
+  } catch { /* not available */ }
+}
+
+/**
+ * Normalize platform-specific tool names to canonical (Claude Code) names.
+ *
+ * Evidence:
+ * - Gemini CLI: https://github.com/google-gemini/gemini-cli (run_shell_command, read_file, grep_search, web_fetch, activate_skill)
+ * - OpenCode:   https://github.com/opencode-ai/opencode (bash, view, grep, fetch, agent)
+ * - Codex CLI:  https://github.com/openai/codex (shell, read_file, grep_files, container.exec)
+ * - VS Code Copilot: tool names TBD — uses empty matcher until confirmed
+ */
+const TOOL_ALIASES = {
+  // Gemini CLI
+  "run_shell_command": "Bash",
+  "read_file": "Read",
+  "read_many_files": "Read",
+  "grep_search": "Grep",
+  "search_file_content": "Grep",
+  "web_fetch": "WebFetch",
+  "activate_skill": "Agent",
+  // OpenCode
+  "bash": "Bash",
+  "view": "Read",
+  "grep": "Grep",
+  "fetch": "WebFetch",
+  "agent": "Agent",
+  // Codex CLI
+  "shell": "Bash",
+  "shell_command": "Bash",
+  "exec_command": "Bash",
+  "container.exec": "Bash",
+  "local_shell": "Bash",
+  "grep_files": "Grep",
+};
+
+/**
+ * Route a PreToolUse event. Returns normalized decision object or null for passthrough.
+ */
+export function routePreToolUse(toolName, toolInput, projectDir) {
+  // Normalize platform-specific tool name to canonical
+  const canonical = TOOL_ALIASES[toolName] ?? toolName;
+
+  // ─── Bash: Stage 1 security check, then Stage 2 routing ───
+  if (canonical === "Bash") {
+    const command = toolInput.command ?? "";
+
+    // Stage 1: Security check against user's deny/allow patterns.
+    // Only act when an explicit pattern matched. When no pattern matches,
+    // evaluateCommand returns { decision: "ask" } with no matchedPattern —
+    // in that case fall through so other hooks and the platform's native engine can decide.
+    if (security) {
+      const policies = security.readBashPolicies(projectDir);
+      if (policies.length > 0) {
+        const result = security.evaluateCommand(command, policies);
+        if (result.decision === "deny") {
+          return { action: "deny", reason: `Blocked by security policy: matches deny pattern ${result.matchedPattern}` };
+        }
+        if (result.decision === "ask" && result.matchedPattern) {
+          return { action: "ask" };
+        }
+        // "allow" or no match → fall through to Stage 2
+      }
+    }
+
+    // Stage 2: Context-mode routing (existing behavior)
+
+    // curl/wget detection: strip quoted content first to avoid false positives
+    // like `gh issue edit --body "text with curl in it"` (Issue #63).
+    const stripped = stripQuotedContent(command);
+
+    // curl/wget → replace with echo redirect
+    if (/(^|\s|&&|\||\;)(curl|wget)\s/i.test(stripped)) {
+      return {
+        action: "modify",
+        updatedInput: {
+          command: 'echo "context-mode: curl/wget blocked. You MUST use mcp__plugin_context-mode_context-mode__ctx_fetch_and_index(url, source) to fetch URLs, or mcp__plugin_context-mode_context-mode__ctx_execute(language, code) to run HTTP calls in sandbox. Do NOT retry with curl/wget."',
+        },
+      };
+    }
+
+    // Inline HTTP detection: strip only heredocs (not quotes) so that
+    // code passed via -e/-c flags is still visible to the regex, while
+    // heredoc content (e.g. cat << EOF ... requests.get ... EOF) is removed.
+    // These patterns are specific enough that false positives in quoted
+    // text are rare, unlike single-word "curl"/"wget" (Issue #63).
+    const noHeredoc = stripHeredocs(command);
+    if (
+      /fetch\s*\(\s*['"](https?:\/\/|http)/i.test(noHeredoc) ||
+      /requests\.(get|post|put)\s*\(/i.test(noHeredoc) ||
+      /http\.(get|request)\s*\(/i.test(noHeredoc)
+    ) {
+      return {
+        action: "modify",
+        updatedInput: {
+          command: 'echo "context-mode: Inline HTTP blocked. Use mcp__plugin_context-mode_context-mode__ctx_execute(language, code) to run HTTP calls in sandbox, or mcp__plugin_context-mode_context-mode__ctx_fetch_and_index(url, source) for web pages. Do NOT retry with Bash."',
+        },
+      };
+    }
+
+    // Build tools (gradle, maven) → redirect to execute sandbox (Issue #38).
+    // These produce extremely verbose output that should stay in sandbox.
+    if (/(^|\s|&&|\||\;)(\.\/gradlew|gradlew|gradle|\.\/mvnw|mvnw|mvn)\s/i.test(stripped)) {
+      const safeCmd = command.replace(/\\/g, "\\\\").replace(/"/g, '\\"');
+      return {
+        action: "modify",
+        updatedInput: {
+          command: `echo "context-mode: Build tool redirected to sandbox. Use mcp__plugin_context-mode_context-mode__ctx_execute(language: \\"shell\\", code: \\"${safeCmd}\\") to run this command. Do NOT retry with Bash."`,
+        },
+      };
+    }
+
+    // allow all other Bash commands, but inject routing nudge
+    return { action: "context", additionalContext: BASH_GUIDANCE };
+  }
+
+  // ─── Read: nudge toward execute_file ───
+  if (canonical === "Read") {
+    return { action: "context", additionalContext: READ_GUIDANCE };
+  }
+
+  // ─── Grep: nudge toward execute ───
+  if (canonical === "Grep") {
+    return { action: "context", additionalContext: GREP_GUIDANCE };
+  }
+
+  // ─── WebFetch: deny + redirect to sandbox ───
+  if (canonical === "WebFetch") {
+    const url = toolInput.url ?? "";
+    return {
+      action: "deny",
+      reason: `context-mode: WebFetch blocked. Use mcp__plugin_context-mode_context-mode__ctx_fetch_and_index(url: "${url}", source: "...") to fetch this URL in sandbox. Then use mcp__plugin_context-mode_context-mode__ctx_search(queries: [...]) to query results. Do NOT use curl/wget — they are also blocked.`,
+    };
+  }
+
+  // ─── Agent/Task: inject context-mode routing into subagent prompts ───
+  if (canonical === "Agent" || canonical === "Task") {
+    const subagentType = toolInput.subagent_type ?? "";
+    const prompt = toolInput.prompt ?? "";
+
+    const updatedInput =
+      subagentType === "Bash"
+        ? { ...toolInput, prompt: prompt + ROUTING_BLOCK, subagent_type: "general-purpose" }
+        : { ...toolInput, prompt: prompt + ROUTING_BLOCK };
+
+    return { action: "modify", updatedInput };
+  }
+
+  // ─── MCP execute: security check for shell commands ───
+  // Match both __execute and __ctx_execute (prefixed tool names)
+  if (toolName.includes("context-mode") && /__(ctx_)?execute$/.test(toolName)) {
+    if (security && toolInput.language === "shell") {
+      const code = toolInput.code ?? "";
+      const policies = security.readBashPolicies(projectDir);
+      if (policies.length > 0) {
+        const result = security.evaluateCommand(code, policies);
+        if (result.decision === "deny") {
+          return { action: "deny", reason: `Blocked by security policy: shell code matches deny pattern ${result.matchedPattern}` };
+        }
+        if (result.decision === "ask" && result.matchedPattern) {
+          return { action: "ask" };
+        }
+      }
+    }
+    return null;
+  }
+
+  // ─── MCP execute_file: check file path + code against deny patterns ───
+  if (toolName.includes("context-mode") && /__(ctx_)?execute_file$/.test(toolName)) {
+    if (security) {
+      // Check file path against Read deny patterns
+      const filePath = toolInput.path ?? "";
+      const denyGlobs = security.readToolDenyPatterns("Read", projectDir);
+      const evalResult = security.evaluateFilePath(filePath, denyGlobs);
+      if (evalResult.denied) {
+        return { action: "deny", reason: `Blocked by security policy: file path matches Read deny pattern ${evalResult.matchedPattern}` };
+      }
+
+      // Check code parameter against Bash deny patterns (same as execute)
+      const lang = toolInput.language ?? "";
+      const code = toolInput.code ?? "";
+      if (lang === "shell") {
+        const policies = security.readBashPolicies(projectDir);
+        if (policies.length > 0) {
+          const result = security.evaluateCommand(code, policies);
+          if (result.decision === "deny") {
+            return { action: "deny", reason: `Blocked by security policy: shell code matches deny pattern ${result.matchedPattern}` };
+          }
+          if (result.decision === "ask" && result.matchedPattern) {
+            return { action: "ask" };
+          }
+        }
+      }
+    }
+    return null;
+  }
+
+  // ─── MCP batch_execute: check each command individually ───
+  if (toolName.includes("context-mode") && /__(ctx_)?batch_execute$/.test(toolName)) {
+    if (security) {
+      const commands = toolInput.commands ?? [];
+      const policies = security.readBashPolicies(projectDir);
+      if (policies.length > 0) {
+        for (const entry of commands) {
+          const cmd = entry.command ?? "";
+          const result = security.evaluateCommand(cmd, policies);
+          if (result.decision === "deny") {
+            return { action: "deny", reason: `Blocked by security policy: batch command "${entry.label ?? cmd}" matches deny pattern ${result.matchedPattern}` };
+          }
+          if (result.decision === "ask" && result.matchedPattern) {
+            return { action: "ask" };
+          }
+        }
+      }
+    }
+    return null;
+  }
+
+  // Unknown tool — pass through
+  return null;
+}

package/hooks/core/stdin.mjs

@@ -0,0 +1,19 @@
+/**
+ * Shared stdin reader for all hook scripts.
+ * Cross-platform (Windows/macOS/Linux) — no bash/jq dependency.
+ *
+ * Uses event-based flowing mode to avoid two platform bugs:
+ * - `for await (process.stdin)` hangs on macOS when piped via spawnSync
+ * - `readFileSync(0)` throws EOF/EISDIR on Windows, EAGAIN on Linux
+ */
+
+export function readStdin() {
+  return new Promise((resolve, reject) => {
+    let data = "";
+    process.stdin.setEncoding("utf-8");
+    process.stdin.on("data", (chunk) => { data += chunk; });
+    process.stdin.on("end", () => resolve(data));
+    process.stdin.on("error", reject);
+    process.stdin.resume();
+  });
+}

package/hooks/formatters/claude-code.mjs

@@ -0,0 +1,57 @@
+/**
+ * Claude Code formatter — converts routing decisions into Claude Code hook output format.
+ *
+ * Claude Code expects:
+ *   { hookSpecificOutput: { hookEventName, permissionDecision?, reason?, updatedInput?, additionalContext? } }
+ *
+ * Decision shape from routing.mjs:
+ *   - { action: "deny", reason: string }
+ *   - { action: "ask" }
+ *   - { action: "modify", updatedInput: object }
+ *   - { action: "context", additionalContext: string }
+ *   - null (passthrough)
+ *
+ * @param {object | null} decision - Normalized decision from routePreToolUse
+ * @returns {object | null} Claude Code hook response, or null for passthrough
+ */
+export function formatDecision(decision) {
+  if (!decision) return null;
+
+  switch (decision.action) {
+    case "deny":
+      return {
+        hookSpecificOutput: {
+          hookEventName: "PreToolUse",
+          permissionDecision: "deny",
+          reason: decision.reason ?? "Blocked by context-mode",
+        },
+      };
+
+    case "ask":
+      return {
+        hookSpecificOutput: {
+          hookEventName: "PreToolUse",
+          permissionDecision: "ask",
+        },
+      };
+
+    case "modify":
+      return {
+        hookSpecificOutput: {
+          hookEventName: "PreToolUse",
+          updatedInput: decision.updatedInput,
+        },
+      };
+
+    case "context":
+      return {
+        hookSpecificOutput: {
+          hookEventName: "PreToolUse",
+          additionalContext: decision.additionalContext ?? "",
+        },
+      };
+
+    default:
+      return null;
+  }
+}

package/hooks/formatters/gemini-cli.mjs

@@ -0,0 +1,55 @@
+/**
+ * Gemini CLI formatter — converts routing decisions into Gemini CLI hook output format.
+ *
+ * Gemini CLI expects:
+ *   { hookSpecificOutput: { decision?, reason?, tool_input?, additionalContext? } }
+ *
+ * Key differences from Claude Code:
+ *   - Uses "decision" instead of "permissionDecision"
+ *   - Uses "tool_input" instead of "updatedInput"
+ *   - No "ask" concept — Gemini CLI only supports deny/allow
+ *
+ * Decision shape from routing.mjs:
+ *   - { action: "deny", reason: string }
+ *   - { action: "ask" }
+ *   - { action: "modify", updatedInput: object }
+ *   - { action: "context", additionalContext: string }
+ *   - null (passthrough)
+ *
+ * @param {object | null} decision - Normalized decision from routePreToolUse
+ * @returns {object | null} Gemini CLI hook response, or null for passthrough
+ */
+export function formatDecision(decision) {
+  if (!decision) return null;
+
+  switch (decision.action) {
+    case "deny":
+      return {
+        hookSpecificOutput: {
+          decision: "deny",
+          reason: decision.reason ?? "Blocked by context-mode",
+        },
+      };
+
+    case "ask":
+      // Gemini CLI has no "ask" concept — return null (passthrough)
+      return null;
+
+    case "modify":
+      return {
+        hookSpecificOutput: {
+          tool_input: decision.updatedInput,
+        },
+      };
+
+    case "context":
+      return {
+        hookSpecificOutput: {
+          additionalContext: decision.additionalContext ?? "",
+        },
+      };
+
+    default:
+      return null;
+  }
+}

package/hooks/formatters/vscode-copilot.mjs

@@ -0,0 +1,55 @@
+/**
+ * VS Code Copilot formatter — converts routing decisions into VS Code Copilot hook output format.
+ *
+ * VS Code Copilot expects a flat structure for deny/ask, nested for modify/context:
+ *   { permissionDecision: "deny", reason: "..." }               — deny
+ *   { permissionDecision: "ask" }                                 — ask
+ *   { hookSpecificOutput: { ... }, hookEventName: "PreToolUse" }  — modify/context
+ *
+ * Key differences from Claude Code:
+ *   - deny/ask are flat (not wrapped in hookSpecificOutput)
+ *   - modify/context include hookEventName at top level alongside hookSpecificOutput
+ *
+ * Decision shape from routing.mjs:
+ *   - { action: "deny", reason: string }
+ *   - { action: "ask" }
+ *   - { action: "modify", updatedInput: object }
+ *   - { action: "context", additionalContext: string }
+ *   - null (passthrough)
+ *
+ * @param {object | null} decision - Normalized decision from routePreToolUse
+ * @returns {object | null} VS Code Copilot hook response, or null for passthrough
+ */
+export function formatDecision(decision) {
+  if (!decision) return null;
+
+  switch (decision.action) {
+    case "deny":
+      return {
+        permissionDecision: "deny",
+        reason: decision.reason ?? "Blocked by context-mode",
+      };
+
+    case "ask":
+      return {
+        permissionDecision: "ask",
+      };
+
+    case "modify":
+      return {
+        hookSpecificOutput: decision.updatedInput,
+        hookEventName: "PreToolUse",
+      };
+
+    case "context":
+      return {
+        hookSpecificOutput: {
+          additionalContext: decision.additionalContext ?? "",
+        },
+        hookEventName: "PreToolUse",
+      };
+
+    default:
+      return null;
+  }
+}

package/hooks/gemini-cli/aftertool.mjs

@@ -0,0 +1,58 @@
+#!/usr/bin/env node
+/**
+ * Gemini CLI AfterTool hook — session event capture.
+ *
+ * Captures session events from tool calls (13 categories) and stores
+ * them in the per-project SessionDB for later resume snapshot building.
+ *
+ * Must be fast (<20ms). No network, no LLM, just SQLite writes.
+ */
+
+import { readStdin, getSessionId, getSessionDBPath, getProjectDir, GEMINI_OPTS } from "../session-helpers.mjs";
+import { appendFileSync } from "node:fs";
+import { join, dirname } from "node:path";
+import { homedir } from "node:os";
+import { fileURLToPath } from "node:url";
+
+const HOOK_DIR = dirname(fileURLToPath(import.meta.url));
+const PKG_SESSION = join(HOOK_DIR, "..", "..", "build", "session");
+const OPTS = GEMINI_OPTS;
+const DEBUG_LOG = join(homedir(), ".gemini", "context-mode", "aftertool-debug.log");
+
+try {
+  const raw = await readStdin();
+  const input = JSON.parse(raw);
+
+  appendFileSync(DEBUG_LOG, `[${new Date().toISOString()}] CALL: ${input.tool_name}\n`);
+
+  const { extractEvents } = await import(join(PKG_SESSION, "extract.js"));
+  const { SessionDB } = await import(join(PKG_SESSION, "db.js"));
+
+  const dbPath = getSessionDBPath(OPTS);
+  const db = new SessionDB({ dbPath });
+  const sessionId = getSessionId(input, OPTS);
+
+  db.ensureSession(sessionId, getProjectDir(OPTS));
+
+  const events = extractEvents({
+    tool_name: input.tool_name,
+    tool_input: input.tool_input ?? {},
+    tool_response: typeof input.tool_response === "string"
+      ? input.tool_response
+      : JSON.stringify(input.tool_response ?? ""),
+    tool_output: input.tool_output,
+  });
+
+  for (const event of events) {
+    db.insertEvent(sessionId, event, "AfterTool");
+  }
+
+  appendFileSync(DEBUG_LOG, `[${new Date().toISOString()}] OK: ${input.tool_name} → ${events.length} events\n`);
+  db.close();
+} catch (err) {
+  try {
+    appendFileSync(DEBUG_LOG, `[${new Date().toISOString()}] ERR: ${err?.message || err}\n`);
+  } catch { /* silent */ }
+}
+
+// AfterTool is non-blocking — no stdout output

package/hooks/gemini-cli/beforetool.mjs

@@ -0,0 +1,25 @@
+#!/usr/bin/env node
+/**
+ * Gemini CLI BeforeTool hook for context-mode
+ * Thin wrapper — uses shared routing core, no self-heal, no Claude Code-specific logic.
+ */
+
+import { dirname, resolve } from "node:path";
+import { fileURLToPath } from "node:url";
+import { readStdin } from "../core/stdin.mjs";
+import { routePreToolUse, initSecurity } from "../core/routing.mjs";
+import { formatDecision } from "../core/formatters.mjs";
+
+const __hookDir = dirname(fileURLToPath(import.meta.url));
+await initSecurity(resolve(__hookDir, "..", "..", "build"));
+
+const raw = await readStdin();
+const input = JSON.parse(raw);
+const tool = input.tool_name ?? "";
+const toolInput = input.tool_input ?? {};
+
+const decision = routePreToolUse(tool, toolInput, process.env.GEMINI_PROJECT_DIR || process.env.CLAUDE_PROJECT_DIR);
+const response = formatDecision("gemini-cli", decision);
+if (response !== null) {
+  process.stdout.write(JSON.stringify(response) + "\n");
+}