context-mode 1.0.110 → 1.0.112

package/hooks/core/routing.mjs

@@ -16,7 +16,7 @@ import {
 } from "../routing-block.mjs";
 import { createToolNamer } from "./tool-naming.mjs";
 import { isMCPReady } from "./mcp-ready.mjs";
-import { existsSync, mkdirSync, rmSync, openSync, closeSync, constants as fsConstants } from "node:fs";
+import { existsSync, mkdirSync, rmSync, rmdirSync, readdirSync, unlinkSync, openSync, closeSync, statSync, constants as fsConstants } from "node:fs";
 
 /**
  * Guard for actions that redirect to MCP tools (#230).
@@ -84,12 +84,30 @@ function guidanceOnce(type, content, sessionId) {
   return { action: "context", additionalContext: content };
 }
 
+/**
+ * Robust recursive delete. On Windows, `fs.rmSync` on directories under a
+ * tmpdir whose path contains non-ASCII characters (e.g. a Chinese / Japanese /
+ * Korean username) silently no-ops without throwing — see #454. Fall back to a
+ * manual unlink + rmdir walk so the marker dir actually goes away.
+ */
+function rmSyncRobust(dir) {
+  try { rmSync(dir, { recursive: true, force: true }); } catch {}
+  if (!existsSync(dir)) return;
+  // Manual fallback for Windows + non-ASCII tmpdir paths
+  try {
+    for (const name of readdirSync(dir)) {
+      try { unlinkSync(resolve(dir, name)); } catch {}
+    }
+    rmdirSync(dir);
+  } catch {}
+}
+
 export function resetGuidanceThrottle(sessionId) {
   _guidanceShown.clear();
   // Clear ppid-based dir (legacy / fallback callers) and the sessionId dir if given
-  try { rmSync(guidanceDirFor(), { recursive: true, force: true }); } catch {}
+  rmSyncRobust(guidanceDirFor());
   if (sessionId) {
-    try { rmSync(guidanceDirFor(sessionId), { recursive: true, force: true }); } catch {}
+    rmSyncRobust(guidanceDirFor(sessionId));
   }
 }
 
@@ -112,15 +130,145 @@ function stripQuotedContent(cmd) {
     .replace(/"[^"]*"/g, '""');                   // double-quoted strings
 }
 
+/**
+ * Built-in allowlist of structurally-bounded Bash commands (#463).
+ *
+ * The PreToolUse Bash nudge ("May produce large output. Use ctx_…") is
+ * tuned for unbounded commands like `find /` or `cat large-file`. On
+ * commands whose stdout is structurally bounded (system probes, version
+ * checks, simple git read subcommands), the nudge is pure noise — a
+ * recurring ~85 tokens that trains the agent to ignore the warning.
+ *
+ * isStructurallyBounded() returns true ONLY when the command:
+ *   1. Has no shell control operators (pipe, redirect, command
+ *      substitution, &&, ||, ;) — any of those can compose with an
+ *      unbounded command and re-introduce flooding.
+ *   2. Matches one of the conservative patterns below.
+ *
+ * Unknown commands are treated as unbounded (false) — fail-safe default.
+ */
+const SAFE_COMMAND_PATTERNS = [
+  // System probes (no stdout, or one short line)
+  // Defense-in-depth (#470): trailing wildcards use `[^\r\n]+` instead of
+  // `.+`. The primary gate is SHELL_CONTROL_OPERATORS, which already rejects
+  // `\n` / `\r`, but in JS regex `\s` matches LF/CR too — so a pattern like
+  // `\s+.+$` would silently span a newline if the operator gate ever
+  // regressed. Anchoring `.+` to a single line removes that latent footgun.
+  /^pwd$/,
+  /^whoami$/,
+  /^hostname(?:\s+-[a-zA-Z]+)?$/,
+  /^date(?:\s+[^\r\n]+)?$/,
+  /^echo\s/,
+  /^printf\s/,
+  /^which\s+\S+(?:\s+\S+)*$/,
+  /^type\s+\S+(?:\s+\S+)*$/,
+  /^command\s+-v\s+\S+(?:\s+\S+)*$/,
+  /^readlink(?:\s+[^\r\n]+)?$/,
+  /^basename(?:\s+[^\r\n]+)?$/,
+  /^dirname(?:\s+[^\r\n]+)?$/,
+  // Filesystem ops (silent on success, errors on stderr only).
+  // For cp / mv / rm we explicitly refuse `-v` / `--verbose`: verbose
+  // mode prints one line per file and can flood on big trees
+  // (recursive copy of /etc, mass rename, etc.). The "silent on
+  // success" invariant only holds without -v.
+  /^cd(?:\s+[^\r\n]+)?$/,
+  /^mkdir(?:\s+[^\r\n]+)?$/,
+  /^touch\s+[^\r\n]+$/,
+  /^mv(?!\s+-[a-zA-Z]*v\b)(?!\s+--verbose\b)\s+[^\r\n]+$/,
+  /^cp(?!\s+-[a-zA-Z]*v\b)(?!\s+--verbose\b)\s+[^\r\n]+$/,
+  /^rm(?!\s+-[a-zA-Z]*v\b)(?!\s+--verbose\b)\s+[^\r\n]+$/,
+  // ls — refuse recursive (-R / --recursive) to keep output bounded.
+  /^ls(?!\s+-[a-zA-Z]*R)(?!\s+--recursive)(?:\s+[^\r\n]+)?$/,
+  // git read-only / status subcommands
+  /^git\s+status(?:\s+[^\r\n]+)?$/,
+  /^git\s+rev-parse(?:\s+[^\r\n]+)?$/,
+  /^git\s+remote(?:\s+-v|\s+show\s+\S+)?$/,
+  /^git\s+branch(?:\s+[^\r\n]+)?$/,
+  /^git\s+config\s+--get(?:\s+[^\r\n]+)?$/,
+  /^git\s+diff\s+--stat(?:\s+[^\r\n]+)?$/,
+  /^git\s+diff\s+--name-only(?:\s+[^\r\n]+)?$/,
+  /^git\s+stash\s+list$/,
+  /^git\s+tag(?:\s+-l(?:\s+[^\r\n]+)?)?$/,
+  // git log only when explicitly bounded by -<N> with N up to two digits
+  /^git\s+log\s+-\d{1,2}(?:\s+[^\r\n]+)?$/,
+  // Version probes (--version anywhere, or `cmd -V`)
+  /(?:^|\s)--version(?:\s|$)/,
+  /^\S+\s+-V(?:\s|$)/,
+];
+
+// Bash shell control operators that can compose a safe command with an
+// unbounded sink. Any match disqualifies the command from the allowlist.
+//
+// Note `&` (single — background + sequence): listed BEFORE `&&` in the
+// alternation so the regex engine doesn't accidentally short-match `&&`
+// when `&` is itself a separator (`date & cat huge.log`). Without this,
+// `^date(?:\s+.+)?$` would match the whole string and bypass the gate.
+//
+// `\n` / `\r` (newline injection — #470): bash treats LF as a statement
+// separator equivalent to `;`. CRLF (Windows clipboard paste) and bare CR
+// fall in the same defect class. Without these, `git status\nfind /`
+// would short-match the single-line `^git\s+status` pattern and bypass
+// the gate entirely.
+const SHELL_CONTROL_OPERATORS = /[|`\n\r]|\$\(|>>|>|<(?!<)|&(?!&)|&&|\|\||;/;
+
+/**
+ * @param {string} command Raw Bash command string from the hook payload.
+ * @returns {boolean} true when the command's output is bounded enough that
+ *   the routing nudge would be noise. Conservative — unknown commands
+ *   return false.
+ */
+export function isStructurallyBounded(command) {
+  if (!command) return false;
+  const trimmed = command.trim();
+  if (SHELL_CONTROL_OPERATORS.test(trimmed)) return false;
+  return SAFE_COMMAND_PATTERNS.some(rx => rx.test(trimmed));
+}
+
 // Try to import security module — may not exist
 let security = null;
+let securityInitFailed = false;
 
+/**
+ * @returns {boolean} true if security module loaded successfully.
+ *
+ * Loud fail: if `build/security.js` is missing or fails to import, log a
+ * clear stderr warning instead of swallowing the error silently. Without
+ * this, user-configured `permissions.deny` patterns (#466) become no-ops
+ * with no indication that policy enforcement is disabled — a fail-open
+ * security regression.
+ */
 export async function initSecurity(buildDir) {
   try {
+    const { existsSync } = await import("node:fs");
+    const { resolve } = await import("node:path");
     const { pathToFileURL } = await import("node:url");
-    const secPath = (await import("node:path")).resolve(buildDir, "security.js");
+    const secPath = resolve(buildDir, "security.js");
+    if (!existsSync(secPath)) {
+      if (!securityInitFailed && !process.env.CONTEXT_MODE_SUPPRESS_SECURITY_WARNING) {
+        process.stderr.write(
+          `[context-mode] WARNING: ${secPath} not found — security deny patterns will NOT be enforced. ` +
+            `Run \`npm run build\` to generate it. Set CONTEXT_MODE_SUPPRESS_SECURITY_WARNING=1 to silence.\n`,
+        );
+      }
+      securityInitFailed = true;
+      return false;
+    }
     security = await import(pathToFileURL(secPath).href);
-  } catch { /* not available */ }
+    return true;
+  } catch (err) {
+    if (!securityInitFailed && !process.env.CONTEXT_MODE_SUPPRESS_SECURITY_WARNING) {
+      process.stderr.write(
+        `[context-mode] WARNING: failed to load security module — deny patterns NOT enforced: ${err?.message ?? err}\n`,
+      );
+    }
+    securityInitFailed = true;
+    return false;
+  }
+}
+
+/** @returns {boolean} true if a previous initSecurity() call failed to load the module. */
+export function isSecurityInitFailed() {
+  return securityInitFailed;
 }
 
 /**
@@ -182,6 +330,21 @@ const TOOL_ALIASES = {
   "execute_bash": "Bash",
 };
 
+function toolLeafName(toolName) {
+  const raw = String(toolName ?? "");
+  const withoutMcpPrefix = raw.startsWith("MCP:") ? raw.slice(4) : raw;
+  const parts = withoutMcpPrefix.split(/__|\//).filter(Boolean);
+  return parts.at(-1) ?? withoutMcpPrefix;
+}
+
+function matchesContextModeTool(toolName, ctxName, legacyName) {
+  const raw = String(toolName ?? "");
+  const leaf = toolLeafName(raw);
+  if (leaf === ctxName) return true;
+  if (raw.startsWith("MCP:") && leaf === legacyName) return true;
+  return raw.includes("context-mode") && leaf === legacyName;
+}
+
 /**
  * Route a PreToolUse event. Returns normalized decision object or null for passthrough.
  *
@@ -194,6 +357,23 @@ const TOOL_ALIASES = {
  *   invocations even when process.ppid shifts (Windows/Git Bash — see #298).
  */
 export function routePreToolUse(toolName, toolInput, projectDir, platform, sessionId) {
+  // ─── Opt-in fail-closed gate (#468 follow-up) ───
+  // Default behavior on security-module load failure is fail-OPEN (a stderr
+  // warning is emitted but routing continues). Security-conscious users can
+  // opt in to fail-CLOSED via CONTEXT_MODE_REQUIRE_SECURITY=1 — every PreToolUse
+  // event is denied with a clear reason until the security module loads cleanly.
+  // Universal gate (applies to all tools, not just Bash) since user `permissions.deny`
+  // patterns may target Read/Write paths that would otherwise leak before security loads.
+  if (process.env.CONTEXT_MODE_REQUIRE_SECURITY === "1" && securityInitFailed) {
+    return {
+      action: "deny",
+      reason:
+        "context-mode: security module unavailable and CONTEXT_MODE_REQUIRE_SECURITY=1 — fail-closed engaged. " +
+        "Run `npm run build` (or reinstall context-mode) to restore security enforcement. " +
+        "To bypass, unset or set CONTEXT_MODE_REQUIRE_SECURITY=0.",
+    };
+  }
+
   // Build platform-specific tool namer (defaults to claude-code for backward compat)
   const t = createToolNamer(platform || "claude-code");
 
@@ -276,6 +456,15 @@ export function routePreToolUse(toolName, toolInput, projectDir, platform, sessi
           updatedInput: {
             command: `echo "context-mode: curl/wget blocked. Think in Code — use ${t("ctx_execute")}(language, code) to write code that fetches, processes, and prints only the answer. Or use ${t("ctx_fetch_and_index")}(url, source) to fetch and index. Write pure JS with try/catch, no npm deps. Do NOT retry with curl/wget."`,
           },
+          // D2 PRD Phase 3.1: marker payload for PostToolUse byte accounting.
+          redirectMeta: {
+            tool: "Bash",
+            type: "bash-redirected",
+            // 8192 byte default — typical curl/wget HTTP body the agent would
+            // have spilled into the model's context window had we not blocked.
+            bytesAvoided: 8192,
+            commandSummary: command.slice(0, 200),
+          },
         });
       }
       // All segments safe → allow through
@@ -314,12 +503,41 @@ export function routePreToolUse(toolName, toolInput, projectDir, platform, sessi
       });
     }
 
+    // Skip the routing nudge for commands whose output is structurally
+    // bounded (#463) — pwd, whoami, git status, --version probes, etc.
+    // Conservative: any pipe/redirect/chain disqualifies, unknown commands
+    // still get the nudge.
+    if (isStructurallyBounded(command)) {
+      return null;
+    }
+
     // allow all other Bash commands, but inject routing nudge (once per session)
     return guidanceOnce("bash", bashGuidance, sessionId);
   }
 
-  // ─── Read: nudge toward execute_file (once per session) ───
+  // ─── Read: nudge toward execute_file + large-file byte accounting ───
+  // D2 PRD Phase 4 (slices 4.4–4.6): when the file is large enough to flood
+  // context, attach `redirectMeta` so PostToolUse can emit a `read-redirected`
+  // event with the actual file size as bytes_avoided. Threshold = 50 000 bytes;
+  // smaller reads stay on the existing one-shot guidance nudge.
   if (canonical === "Read") {
+    const filePath = toolInput.file_path ?? toolInput.path ?? "";
+    if (filePath) {
+      try {
+        const st = statSync(filePath);
+        if (st.isFile() && st.size > 50_000) {
+          const decision = guidanceOnce("read", readGuidance, sessionId)
+            ?? { action: "context", additionalContext: readGuidance };
+          decision.redirectMeta = {
+            tool: "Read",
+            type: "read-redirected",
+            bytesAvoided: st.size,
+            commandSummary: String(filePath).slice(0, 200),
+          };
+          return decision;
+        }
+      } catch { /* file missing or unreadable — fall through to plain guidance */ }
+    }
     return guidanceOnce("read", readGuidance, sessionId);
   }
 
@@ -334,6 +552,15 @@ export function routePreToolUse(toolName, toolInput, projectDir, platform, sessi
     return mcpRedirect({
       action: "deny",
       reason: `context-mode: WebFetch blocked. Think in Code — use ${t("ctx_fetch_and_index")}(url: "${url}", source: "...") to fetch and index, then ${t("ctx_search")}(queries: [...]) to query. Or use ${t("ctx_execute")}(language, code) to fetch, process, and console.log() only what you need. Write pure JS, no npm deps. Do NOT use curl, wget, or WebFetch.`,
+      // D2 PRD Phase 4.1: marker payload for PostToolUse byte accounting.
+      redirectMeta: {
+        tool: "WebFetch",
+        type: "webfetch-redirected",
+        // 16384 = typical web page body bytes prevented from entering the
+        // model's context window.
+        bytesAvoided: 16384,
+        commandSummary: String(url).slice(0, 200),
+      },
     });
   }
 
@@ -356,12 +583,8 @@ export function routePreToolUse(toolName, toolInput, projectDir, platform, sessi
   }
 
   // ─── MCP execute: security check for shell commands ───
-  // Match both __execute and __ctx_execute (prefixed tool names)
-  // Cursor can also surface the tool as MCP:ctx_execute_file.
-  if (
-    (toolName.includes("context-mode") && /(?:__|\/)(ctx_)?execute$/.test(toolName)) ||
-    /^MCP:(ctx_)?execute$/.test(toolName)
-  ) {
+  // Match bare, generic MCP, and legacy context-mode execute tool names.
+  if (matchesContextModeTool(toolName, "ctx_execute", "execute")) {
     if (security && toolInput.language === "shell") {
       const code = toolInput.code ?? "";
       const policies = security.readBashPolicies(projectDir);
@@ -379,11 +602,7 @@ export function routePreToolUse(toolName, toolInput, projectDir, platform, sessi
   }
 
   // ─── MCP execute_file: check file path + code against deny patterns ───
-  // Cursor can also surface the tool as MCP:ctx_execute_file.
-  if (
-    (toolName.includes("context-mode") && /(?:__|\/)(ctx_)?execute_file$/.test(toolName)) ||
-    /^MCP:(ctx_)?execute_file$/.test(toolName)
-  ) {
+  if (matchesContextModeTool(toolName, "ctx_execute_file", "execute_file")) {
     if (security) {
       // Check file path against Read deny patterns
       const filePath = toolInput.path ?? "";
@@ -413,7 +632,7 @@ export function routePreToolUse(toolName, toolInput, projectDir, platform, sessi
   }
 
   // ─── MCP batch_execute: check each command individually ───
-  if (toolName.includes("context-mode") && /(?:__|\/)(ctx_)?batch_execute$/.test(toolName)) {
+  if (matchesContextModeTool(toolName, "ctx_batch_execute", "batch_execute")) {
     if (security) {
       const commands = toolInput.commands ?? [];
       const policies = security.readBashPolicies(projectDir);

package/hooks/cursor/afteragentresponse.mjs

@@ -51,7 +51,7 @@ try {
     : text;
 
   const { SessionDB } = await loadSessionDB();
-  const dbPath = getSessionDBPath(OPTS);
+  const dbPath = getSessionDBPath(OPTS, projectDir);
   const db = new SessionDB({ dbPath });
   const sessionId = getSessionId(input, OPTS);
 

package/hooks/cursor/hooks.json

@@ -0,0 +1,31 @@
+{
+  "version": 1,
+  "hooks": {
+    "preToolUse": [
+      {
+        "command": "npx -y context-mode hook cursor pretooluse",
+        "matcher": "Shell|Read|Grep|WebFetch|mcp_web_fetch|mcp_fetch_tool|Task|MCP:ctx_execute|MCP:ctx_execute_file|MCP:ctx_batch_execute"
+      }
+    ],
+    "postToolUse": [
+      {
+        "command": "npx -y context-mode hook cursor posttooluse"
+      }
+    ],
+    "sessionStart": [
+      {
+        "command": "npx -y context-mode hook cursor sessionstart"
+      }
+    ],
+    "afterAgentResponse": [
+      {
+        "command": "npx -y context-mode hook cursor afteragentresponse"
+      }
+    ],
+    "stop": [
+      {
+        "command": "npx -y context-mode hook cursor stop"
+      }
+    ]
+  }
+}

package/hooks/cursor/posttooluse.mjs

@@ -41,7 +41,7 @@ try {
   const { resolveProjectAttributions } = await loadProjectAttribution();
   const { SessionDB } = await loadSessionDB();
 
-  const dbPath = getSessionDBPath(OPTS);
+  const dbPath = getSessionDBPath(OPTS, projectDir);
   const db = new SessionDB({ dbPath });
   const sessionId = getSessionId(input, OPTS);
 

package/hooks/cursor/sessionstart.mjs

@@ -47,7 +47,7 @@ try {
 
   if (source === "compact" || source === "resume") {
     const { SessionDB } = await loadSessionDB();
-    const dbPath = getSessionDBPath(OPTS);
+    const dbPath = getSessionDBPath(OPTS, projectDir);
     const db = new SessionDB({ dbPath });
 
     if (source === "compact") {
@@ -57,7 +57,7 @@ try {
         db.markResumeConsumed(sessionId);
       }
     } else {
-      try { unlinkSync(getCleanupFlagPath(OPTS)); } catch { /* no flag */ }
+      try { unlinkSync(getCleanupFlagPath(OPTS, projectDir)); } catch { /* no flag */ }
     }
 
     // Filter events to the session being resumed/compacted. Falling back to
@@ -68,16 +68,16 @@ try {
     const sessionId = getSessionId(input, OPTS);
     const events = sessionId ? getSessionEvents(db, sessionId) : [];
     if (events.length > 0) {
-      const eventMeta = writeSessionEventsFile(events, getSessionEventsPath(OPTS));
+      const eventMeta = writeSessionEventsFile(events, getSessionEventsPath(OPTS, projectDir));
       additionalContext += buildSessionDirective(source, eventMeta, toolNamer);
     }
 
     db.close();
   } else if (source === "startup") {
     const { SessionDB } = await loadSessionDB();
-    const dbPath = getSessionDBPath(OPTS);
+    const dbPath = getSessionDBPath(OPTS, projectDir);
     const db = new SessionDB({ dbPath });
-    try { unlinkSync(getSessionEventsPath(OPTS)); } catch { /* no stale file */ }
+    try { unlinkSync(getSessionEventsPath(OPTS, projectDir)); } catch { /* no stale file */ }
 
     db.cleanupOldSessions(7);
     db.db.exec(`DELETE FROM session_events WHERE session_id NOT IN (SELECT session_id FROM session_meta)`);

package/hooks/cursor/stop.mjs

@@ -28,7 +28,7 @@ try {
 
   const { SessionDB } = await loadSessionDB();
 
-  const dbPath = getSessionDBPath(OPTS);
+  const dbPath = getSessionDBPath(OPTS, projectDir);
   const db = new SessionDB({ dbPath });
   const sessionId = getSessionId(input, OPTS);
 

package/hooks/ensure-deps.mjs

@@ -141,19 +141,18 @@ export function ensureNativeCompat(pluginRoot) {
     }
 
     if (skipProbe) {
-      // On modern Node: if binary exists, trust it; if missing, rebuild without probing
-      if (!existsSync(binaryPath)) {
-        execSync(`${process.platform === "win32" ? "npm.cmd" : "npm"} rebuild better-sqlite3 --ignore-scripts=false`, {
-          cwd: pluginRoot,
-          stdio: "pipe",
-          timeout: 60000,
-          shell: true,
-        });
-        codesignBinary(binaryPath);
-        // Cache the rebuilt binary for this ABI
-        if (existsSync(binaryPath)) {
-          copyFileSync(binaryPath, abiCachePath);
-        }
+      // On modern Node, the current ABI cache is the compatibility marker.
+      // Without it, rebuild even when the active binary exists: it may be stale
+      // from a previous Node ABI and cannot be probed safely here.
+      execSync(`${process.platform === "win32" ? "npm.cmd" : "npm"} rebuild better-sqlite3 --ignore-scripts=false`, {
+        cwd: pluginRoot,
+        stdio: "pipe",
+        timeout: 60000,
+        shell: true,
+      });
+      codesignBinary(binaryPath);
+      if (existsSync(binaryPath)) {
+        copyFileSync(binaryPath, abiCachePath);
       }
       return;
     }

package/hooks/gemini-cli/aftertool.mjs

@@ -33,7 +33,7 @@ try {
   const { resolveProjectAttributions } = await loadProjectAttribution();
   const { SessionDB } = await loadSessionDB();
 
-  const dbPath = getSessionDBPath(OPTS);
+  const dbPath = getSessionDBPath(OPTS, projectDir);
   const db = new SessionDB({ dbPath });
   const sessionId = getSessionId(input, OPTS);
 

package/hooks/gemini-cli/beforeagent.mjs

@@ -48,7 +48,7 @@ try {
     const { SessionDB } = await loadSessionDB();
     const { extractUserEvents } = await loadExtract();
     const { resolveProjectAttributions } = await loadProjectAttribution();
-    const dbPath = getSessionDBPath(OPTS);
+    const dbPath = getSessionDBPath(OPTS, projectDir);
     const db = new SessionDB({ dbPath });
     const sessionId = getSessionId(input, OPTS);
 

package/hooks/gemini-cli/precompress.mjs

@@ -9,7 +9,7 @@ import "../ensure-deps.mjs";
  * snapshot (<2KB XML), and stores it for injection after compress.
  */
 
-import { readStdin, parseStdin, getSessionId, getSessionDBPath, GEMINI_OPTS } from "../session-helpers.mjs";
+import { readStdin, parseStdin, getSessionId, getSessionDBPath, getInputProjectDir, GEMINI_OPTS } from "../session-helpers.mjs";
 import { createSessionLoaders } from "../session-loaders.mjs";
 import { appendFileSync } from "node:fs";
 import { join, dirname } from "node:path";
@@ -24,11 +24,12 @@ const DEBUG_LOG = join(homedir(), ".gemini", "context-mode", "precompress-debug.
 try {
   const raw = await readStdin();
   const input = parseStdin(raw);
+  const projectDir = getInputProjectDir(input, OPTS);
 
   const { buildResumeSnapshot } = await loadSnapshot();
   const { SessionDB } = await loadSessionDB();
 
-  const dbPath = getSessionDBPath(OPTS);
+  const dbPath = getSessionDBPath(OPTS, projectDir);
   const db = new SessionDB({ dbPath });
   const sessionId = getSessionId(input, OPTS);
 

package/hooks/gemini-cli/sessionstart.mjs

@@ -19,7 +19,7 @@ const ROUTING_BLOCK = createRoutingBlock(toolNamer);
 import { writeSessionEventsFile, buildSessionDirective, getSessionEvents } from "../session-directive.mjs";
 import {
   readStdin, parseStdin, getSessionId, getSessionDBPath, getSessionEventsPath, getCleanupFlagPath,
-  getProjectDir, GEMINI_OPTS,
+  getInputProjectDir, GEMINI_OPTS,
 } from "../session-helpers.mjs";
 import { createSessionLoaders } from "../session-loaders.mjs";
 import { join, dirname } from "node:path";
@@ -37,10 +37,11 @@ try {
   const raw = await readStdin();
   const input = parseStdin(raw);
   const source = input.source ?? "startup";
+  const projectDir = getInputProjectDir(input, OPTS);
 
   if (source === "compact") {
     const { SessionDB } = await loadSessionDB();
-    const dbPath = getSessionDBPath(OPTS);
+    const dbPath = getSessionDBPath(OPTS, projectDir);
     const db = new SessionDB({ dbPath });
     const sessionId = getSessionId(input, OPTS);
     const resume = db.getResume(sessionId);
@@ -51,16 +52,16 @@ try {
 
     const events = getSessionEvents(db, sessionId);
     if (events.length > 0) {
-      const eventMeta = writeSessionEventsFile(events, getSessionEventsPath(OPTS));
+      const eventMeta = writeSessionEventsFile(events, getSessionEventsPath(OPTS, projectDir));
       additionalContext += buildSessionDirective("compact", eventMeta, toolNamer);
     }
 
     db.close();
   } else if (source === "resume") {
-    try { unlinkSync(getCleanupFlagPath(OPTS)); } catch { /* no flag */ }
+    try { unlinkSync(getCleanupFlagPath(OPTS, projectDir)); } catch { /* no flag */ }
 
     const { SessionDB } = await loadSessionDB();
-    const dbPath = getSessionDBPath(OPTS);
+    const dbPath = getSessionDBPath(OPTS, projectDir);
     const db = new SessionDB({ dbPath });
 
     // Filter events to the session being resumed. Falling back to
@@ -70,22 +71,21 @@ try {
     const sessionId = getSessionId(input, OPTS);
     const events = sessionId ? getSessionEvents(db, sessionId) : [];
     if (events.length > 0) {
-      const eventMeta = writeSessionEventsFile(events, getSessionEventsPath(OPTS));
+      const eventMeta = writeSessionEventsFile(events, getSessionEventsPath(OPTS, projectDir));
       additionalContext += buildSessionDirective("resume", eventMeta, toolNamer);
     }
 
     db.close();
   } else if (source === "startup") {
     const { SessionDB } = await loadSessionDB();
-    const dbPath = getSessionDBPath(OPTS);
+    const dbPath = getSessionDBPath(OPTS, projectDir);
     const db = new SessionDB({ dbPath });
-    try { unlinkSync(getSessionEventsPath(OPTS)); } catch { /* no stale file */ }
+    try { unlinkSync(getSessionEventsPath(OPTS, projectDir)); } catch { /* no stale file */ }
 
     db.cleanupOldSessions(7);
     db.db.exec(`DELETE FROM session_events WHERE session_id NOT IN (SELECT session_id FROM session_meta)`);
 
     const sessionId = getSessionId(input, OPTS);
-    const projectDir = getProjectDir(OPTS);
     db.ensureSession(sessionId, projectDir);
 
     // Auto-write GEMINI.md on startup if missing or not merged yet

package/hooks/jetbrains-copilot/posttooluse.mjs

@@ -33,7 +33,7 @@ try {
   const { resolveProjectAttributions } = await loadProjectAttribution();
   const { SessionDB } = await loadSessionDB();
 
-  const dbPath = getSessionDBPath(OPTS);
+  const dbPath = getSessionDBPath(OPTS, projectDir);
   const db = new SessionDB({ dbPath });
   const sessionId = getSessionId(input, OPTS);
 

package/hooks/jetbrains-copilot/precompact.mjs

@@ -10,7 +10,7 @@ import "../ensure-deps.mjs";
  */
 
 import { createSessionLoaders } from "../session-loaders.mjs";
-import { readStdin, parseStdin, getSessionId, getSessionDBPath, JETBRAINS_OPTS } from "../session-helpers.mjs";
+import { readStdin, parseStdin, getSessionId, getSessionDBPath, getInputProjectDir, JETBRAINS_OPTS } from "../session-helpers.mjs";
 import { appendFileSync } from "node:fs";
 import { join, dirname } from "node:path";
 import { fileURLToPath } from "node:url";
@@ -24,11 +24,12 @@ const DEBUG_LOG = join(homedir(), ".config", "JetBrains", "context-mode", "preco
 try {
   const raw = await readStdin();
   const input = parseStdin(raw);
+  const projectDir = getInputProjectDir(input, OPTS);
 
   const { buildResumeSnapshot } = await loadSnapshot();
   const { SessionDB } = await loadSessionDB();
 
-  const dbPath = getSessionDBPath(OPTS);
+  const dbPath = getSessionDBPath(OPTS, projectDir);
   const db = new SessionDB({ dbPath });
   const sessionId = getSessionId(input, OPTS);