context-mode 1.0.111 → 1.0.112

package/build/session/event-emit.js

@@ -0,0 +1,101 @@
+/**
+ * event-emit — Phase 5+7 of D2 PRD (stats-event-driven-architecture)
+ *
+ * Server-side helpers that record sandbox / index / cache work into
+ * `session_events` with the new `bytes_avoided` / `bytes_returned`
+ * columns so the renderer can compute the real $ saved instead of the
+ * conservative `events × 256` token estimate.
+ *
+ * Design notes
+ * ────────────
+ * - Uses the public `SessionDB.insertEvent(... , bytes)` API the schema
+ *   engineer extended in this branch — same dedup + FIFO eviction +
+ *   transaction wrapping you'd get from any other event source.
+ * - Best-effort error swallowing matches `persistToolCallCounter` in
+ *   `persist-tool-calls.ts`. A stats-side failure must NEVER break the
+ *   parent MCP tool call.
+ * - Resolves the latest `session_id` from `session_meta` so the wiring
+ *   in `server.ts` is `setImmediate(() => emit*({...}))` — no need to
+ *   plumb session ids through every handler.
+ */
+import { existsSync } from "node:fs";
+import { SessionDB } from "./db.js";
+/**
+ * Open the SessionDB at `dbPath`, find the latest session_id, and run
+ * `fn` with both. Wraps everything in try/catch so callers stay
+ * fire-and-forget.
+ */
+function withLatestSession(dbPath, fn) {
+    try {
+        if (!existsSync(dbPath))
+            return;
+        const sdb = new SessionDB({ dbPath });
+        try {
+            const sid = sdb.getLatestSessionId();
+            if (!sid)
+                return;
+            fn(sdb, sid);
+        }
+        finally {
+            try {
+                sdb.close();
+            }
+            catch { /* ignore */ }
+        }
+    }
+    catch {
+        // Best-effort: never break the parent MCP tool call.
+    }
+}
+/**
+ * Record a `ctx_execute` / `ctx_execute_file` / `ctx_batch_execute` run.
+ * `bytesReturned` is the size of the stdout text the user actually saw —
+ * the rest of the sandbox output stayed out of context.
+ */
+export function emitSandboxExecuteEvent(opts) {
+    withLatestSession(opts.sessionDbPath, (sdb, sid) => {
+        sdb.insertEvent(sid, {
+            type: "sandbox-execute",
+            category: "sandbox",
+            priority: 1,
+            data: opts.toolName,
+            project_dir: "",
+            attribution_source: "server",
+            attribution_confidence: 1,
+        }, "ctx-server", undefined, { bytesReturned: opts.bytesReturned });
+    });
+}
+/**
+ * Record a `ctx_index` / `trackIndexed` write — content kept out of
+ * context by being chunked into FTS5 instead of returned inline.
+ */
+export function emitIndexWriteEvent(opts) {
+    withLatestSession(opts.sessionDbPath, (sdb, sid) => {
+        sdb.insertEvent(sid, {
+            type: "index-write",
+            category: "sandbox",
+            priority: 1,
+            data: opts.source,
+            project_dir: "",
+            attribution_source: "server",
+            attribution_confidence: 1,
+        }, "ctx-server", undefined, { bytesAvoided: opts.bytesAvoided });
+    });
+}
+/**
+ * Record a `ctx_fetch_and_index` TTL cache hit — bytes the user would
+ * have spent re-fetching the same URL within the 24h cache window.
+ */
+export function emitCacheHitEvent(opts) {
+    withLatestSession(opts.sessionDbPath, (sdb, sid) => {
+        sdb.insertEvent(sid, {
+            type: "cache-hit",
+            category: "cache",
+            priority: 1,
+            data: opts.source,
+            project_dir: "",
+            attribution_source: "server",
+            attribution_confidence: 1,
+        }, "ctx-server", undefined, { bytesAvoided: opts.bytesAvoided });
+    });
+}

package/build/session/extract.d.ts

@@ -33,6 +33,7 @@ export interface HookInput {
     /** Optional structured output from the tool (may carry isError) */
     tool_output?: {
         isError?: boolean;
+        is_error?: boolean;
     };
 }
 /** Reset error-resolution state (for testing). */

package/build/session/extract.js

@@ -17,6 +17,48 @@ function safeStringAny(value) {
         return "";
     return typeof value === "string" ? value : JSON.stringify(value);
 }
+function isToolError(input) {
+    const response = String(input.tool_response ?? "");
+    const isErrorFlag = input.tool_output?.isError === true || input.tool_output?.is_error === true;
+    const isBashError = input.tool_name === "Bash" &&
+        /exit code [1-9]|error:|Error:|FAIL|failed/i.test(response);
+    return isBashError || isErrorFlag;
+}
+function extractApplyPatchTargets(command) {
+    if (!command)
+        return [];
+    const targets = [];
+    for (const line of command.split(/\r?\n/)) {
+        if (line.startsWith("*** Add File: ")) {
+            targets.push({ path: line.slice(14).trim(), type: "file_write" });
+            continue;
+        }
+        if (line.startsWith("*** Update File: ")) {
+            targets.push({ path: line.slice(17).trim(), type: "file_edit" });
+            continue;
+        }
+        if (line.startsWith("*** Delete File: ")) {
+            targets.push({ path: line.slice(17).trim(), type: "file_edit" });
+            continue;
+        }
+        if (line.startsWith("*** Move to: ")) {
+            targets.push({ path: line.slice(13).trim(), type: "file_edit" });
+        }
+    }
+    const seen = new Set();
+    return targets.filter((target) => {
+        if (!target.path)
+            return false;
+        const key = `${target.type}:${target.path}`;
+        if (seen.has(key))
+            return false;
+        seen.add(key);
+        return true;
+    });
+}
+function isPlanFilePath(filePath) {
+    return /(?:^|[/\\])\.claude[/\\]plans[/\\]/.test(filePath);
+}
 // ── Category extractors ────────────────────────────────────────────────────
 /**
  * Category 1 & 2: rule + file
@@ -105,6 +147,20 @@ function extractFileAndRule(input) {
         });
         return events;
     }
+    if (tool_name === "apply_patch") {
+        if (isToolError(input))
+            return [];
+        const patchTargets = extractApplyPatchTargets(String(tool_input["command"] ?? tool_input["patch"] ?? ""));
+        for (const target of patchTargets) {
+            events.push({
+                type: target.type,
+                category: "file",
+                data: safeString(target.path),
+                priority: 1,
+            });
+        }
+        return events;
+    }
     // Glob — file pattern exploration
     if (tool_name === "Glob") {
         const pattern = String(tool_input["pattern"] ?? "");
@@ -156,12 +212,9 @@ function extractCwd(input) {
  * isError flag in tool_output.
  */
 function extractError(input) {
-    const { tool_name, tool_input, tool_response, tool_output } = input;
+    const { tool_response } = input;
     const response = String(tool_response ?? "");
-    const isErrorFlag = tool_output?.isError === true;
-    const isBashError = tool_name === "Bash" &&
-        /exit code [1-9]|error:|Error:|FAIL|failed/i.test(response);
-    if (!isBashError && !isErrorFlag)
+    if (!isToolError(input))
         return [];
     return [{
             type: "error_tool",
@@ -287,7 +340,7 @@ function extractPlan(input) {
     // Detect plan file writes (Write/Edit to ~/.claude/plans/)
     if (input.tool_name === "Write" || input.tool_name === "Edit") {
         const filePath = String(input.tool_input["file_path"] ?? "");
-        if (/[/\\]\.claude[/\\]plans[/\\]/.test(filePath)) {
+        if (isPlanFilePath(filePath)) {
             return [{
                     type: "plan_file_write",
                     category: "plan",
@@ -296,6 +349,19 @@ function extractPlan(input) {
                 }];
         }
     }
+    if (input.tool_name === "apply_patch") {
+        if (isToolError(input))
+            return [];
+        const patchTargets = extractApplyPatchTargets(String(input.tool_input["command"] ?? input.tool_input["patch"] ?? ""));
+        return patchTargets
+            .filter((target) => isPlanFilePath(target.path))
+            .map((target) => ({
+            type: "plan_file_write",
+            category: "plan",
+            data: safeString(`plan file: ${target.path.split(/[/\\]/).pop() ?? target.path}`),
+            priority: 2,
+        }));
+    }
     return [];
 }
 /**
@@ -766,13 +832,10 @@ function extractData(message) {
  */
 let lastError = null;
 function extractErrorResolution(input) {
-    const { tool_name, tool_response, tool_output } = input;
+    const { tool_name, tool_response } = input;
     const response = String(tool_response ?? "");
-    const isErrorFlag = tool_output?.isError === true;
-    const isBashError = tool_name === "Bash" &&
-        /exit code [1-9]|error:|Error:|FAIL|failed/i.test(response);
     // If this call is an error, store it and return
-    if (isBashError || isErrorFlag) {
+    if (isToolError(input)) {
         lastError = { tool: tool_name, error: response.slice(0, 200), callsSince: 0 };
         return [];
     }
@@ -786,9 +849,13 @@ function extractErrorResolution(input) {
         lastError = null;
         return [];
     }
+    const callSucceeded = !isToolError(input);
+    if (!callSucceeded)
+        return [];
     // Check if this is a resolution: same tool, or Edit/Write after a Read error
     const sameTool = tool_name === lastError.tool;
-    const editAfterReadError = lastError.tool === "Read" && (tool_name === "Edit" || tool_name === "Write");
+    const editAfterReadError = lastError.tool === "Read"
+        && (tool_name === "Edit" || tool_name === "Write" || tool_name === "apply_patch");
     if (sameTool || editAfterReadError) {
         const event = {
             type: "error_resolved",

package/build/session/purge.d.ts

@@ -0,0 +1,111 @@
+/**
+ * purgeSession — deep module that wipes ALL session-related on-disk artifacts
+ * for a single project directory.
+ *
+ * Why a deep module instead of an inline handler:
+ *   - The previous inline ctx_purge handler was 100+ lines split across three
+ *     try/catch blocks. Only ONE of those blocks knew about the case-fold
+ *     migration's dual-hash legacy filenames, so a partial upgrade could
+ *     leak orphaned events.md / .cleanup files on macOS / Windows.
+ *   - Centralizing the logic here means: one canonical sidecar list, one
+ *     uniform dual-hash sweep, one place to add new file kinds.
+ *
+ * Worktree separation guarantee (carried over from the case-fold migration):
+ *   Every path this module touches is derived deterministically from the input
+ *   `projectDir`. There is NO `readdirSync` + glob-filter loop. Different
+ *   worktrees → different physical paths → different canonical hashes →
+ *   different file names → cannot collapse worktrees on disk.
+ *
+ * SQLite sidecar handling:
+ *   Each `.db` file may be accompanied by `-wal` (write-ahead log) and `-shm`
+ *   (shared memory index) sidecars. We unlink the triple unconditionally —
+ *   missing sidecars are not an error. This matches the canonical SQLite
+ *   sidecar naming used elsewhere (see refs/platforms/zed/crates/sqlez:
+ *   `[main, "{main}-wal", "{main}-shm"]`).
+ *
+ * Cross-platform notes:
+ *   - All paths are joined via `node:path.join` so Windows backslash
+ *     separators and POSIX forward slashes both work.
+ *   - On macOS / Windows (case-insensitive FS) we sweep BOTH the canonical
+ *     (lowercased) and legacy (raw-cased) project-dir hash variants for the
+ *     session-related kinds. On Linux the two hashes coincide, so the dual
+ *     sweep collapses into a single unique-path pass.
+ */
+export interface PurgeOpts {
+    /**
+     * Absolute path to the project root. Drives every other path the module
+     * touches via the project-dir hash. MUST be the same string the rest of
+     * the system uses (e.g. `getProjectDir()`); otherwise the wrong DB is
+     * targeted. Worktree separation is preserved — only files matching
+     * THIS projectDir's hash are unlinked.
+     */
+    projectDir: string;
+    /**
+     * Adapter-specific session directory (e.g. `~/.claude/context-mode/sessions`).
+     * Holds: `<hash><suffix>.db`, `<hash><suffix>-events.md`,
+     * `<hash><suffix>.cleanup`.
+     */
+    sessionsDir: string;
+    /**
+     * Absolute path to the per-project FTS5 knowledge-base DB
+     * (e.g. `~/.claude/context-mode/content/<hash>.db`). When omitted no
+     * FTS5 wipe runs. Caller is responsible for closing any open handle
+     * BEFORE invoking purgeSession (Windows file locks).
+     *
+     * Use `contentDir` instead for new code — it dual-sweeps the canonical
+     * AND legacy raw-casing variants, mirroring the session events pattern.
+     * `storePath` remains for callers that have already pre-resolved a single
+     * absolute path and only want to wipe that exact file.
+     */
+    storePath?: string;
+    /**
+     * Per-platform FTS5 content directory (e.g.
+     * `~/.claude/context-mode/content`). When provided, purgeSession sweeps
+     * BOTH the canonical and legacy raw-casing hash variants of the FTS5
+     * store inside this directory plus their `-wal` / `-shm` sidecars. This
+     * is the recommended input — covers a partial upgrade where the user
+     * had been writing to a legacy raw-casing FTS5 file before the case-fold
+     * migration landed.
+     *
+     * Mutually-additive with `storePath`: if both are passed, both are swept
+     * (de-duped on path). Closing FTS5 handles before invoking is still the
+     * caller's responsibility.
+     */
+    contentDir?: string;
+    /**
+     * Legacy shared content directory at `~/.context-mode/content`. When
+     * omitted, the legacy content sweep is skipped.
+     */
+    legacyContentDir?: string;
+    /**
+     * Hash used to locate the legacy shared content DB. Required when
+     * `legacyContentDir` is provided. Computed by the caller because the
+     * legacy code-path uses a different hash function than the canonical
+     * session DB hash.
+     */
+    contentHash?: string;
+}
+export interface PurgeResult {
+    /**
+     * Human-readable labels rendered to the user by the ctx_purge handler.
+     * MUST stay backward-compatible with the existing UI strings:
+     *   "knowledge base (FTS5)", "session events DB", "session events markdown".
+     * Each label appears at most once, and only when at least one matching
+     * file was actually unlinked.
+     */
+    deleted: string[];
+    /**
+     * Every full path that was successfully `unlink`ed. Surfaced for tests
+     * and for diagnostic logging — NEVER shown to end users (the labels
+     * above carry the human story).
+     */
+    wipedPaths: string[];
+}
+/**
+ * Wipe every session-related on-disk artifact for `projectDir`.
+ *
+ * This function never throws on missing files (a fresh install is a no-op).
+ * It throws only when given an invalid argument (e.g. `legacyContentDir`
+ * without `contentHash`), which is a programmer bug not a runtime concern.
+ */
+export declare function purgeSession(opts: PurgeOpts): PurgeResult;

package/build/session/purge.js

@@ -0,0 +1,138 @@
+/**
+ * purgeSession — deep module that wipes ALL session-related on-disk artifacts
+ * for a single project directory.
+ *
+ * Why a deep module instead of an inline handler:
+ *   - The previous inline ctx_purge handler was 100+ lines split across three
+ *     try/catch blocks. Only ONE of those blocks knew about the case-fold
+ *     migration's dual-hash legacy filenames, so a partial upgrade could
+ *     leak orphaned events.md / .cleanup files on macOS / Windows.
+ *   - Centralizing the logic here means: one canonical sidecar list, one
+ *     uniform dual-hash sweep, one place to add new file kinds.
+ *
+ * Worktree separation guarantee (carried over from the case-fold migration):
+ *   Every path this module touches is derived deterministically from the input
+ *   `projectDir`. There is NO `readdirSync` + glob-filter loop. Different
+ *   worktrees → different physical paths → different canonical hashes →
+ *   different file names → cannot collapse worktrees on disk.
+ *
+ * SQLite sidecar handling:
+ *   Each `.db` file may be accompanied by `-wal` (write-ahead log) and `-shm`
+ *   (shared memory index) sidecars. We unlink the triple unconditionally —
+ *   missing sidecars are not an error. This matches the canonical SQLite
+ *   sidecar naming used elsewhere (see refs/platforms/zed/crates/sqlez:
+ *   `[main, "{main}-wal", "{main}-shm"]`).
+ *
+ * Cross-platform notes:
+ *   - All paths are joined via `node:path.join` so Windows backslash
+ *     separators and POSIX forward slashes both work.
+ *   - On macOS / Windows (case-insensitive FS) we sweep BOTH the canonical
+ *     (lowercased) and legacy (raw-cased) project-dir hash variants for the
+ *     session-related kinds. On Linux the two hashes coincide, so the dual
+ *     sweep collapses into a single unique-path pass.
+ */
+import { unlinkSync } from "node:fs";
+import { join } from "node:path";
+import { getWorktreeSuffix, hashProjectDirCanonical, hashProjectDirLegacy, } from "./db.js";
+/** Canonical SQLite sidecar suffixes. The empty string is the main DB. */
+const SQLITE_SIDECARS = ["", "-wal", "-shm"];
+/** Try to unlink one path; report success without throwing on ENOENT etc. */
+function tryUnlink(p, wipedPaths) {
+    try {
+        unlinkSync(p);
+        wipedPaths.push(p);
+        return true;
+    }
+    catch {
+        return false;
+    }
+}
+/**
+ * Unlink a SQLite db at `path` plus its `-wal` / `-shm` sidecars.
+ * Returns true when the MAIN db file (not a sidecar) was removed.
+ */
+function tryUnlinkSqliteTriple(path, wipedPaths) {
+    let mainRemoved = false;
+    for (const suffix of SQLITE_SIDECARS) {
+        const removed = tryUnlink(`${path}${suffix}`, wipedPaths);
+        if (removed && suffix === "")
+            mainRemoved = true;
+    }
+    return mainRemoved;
+}
+/**
+ * Wipe every session-related on-disk artifact for `projectDir`.
+ *
+ * This function never throws on missing files (a fresh install is a no-op).
+ * It throws only when given an invalid argument (e.g. `legacyContentDir`
+ * without `contentHash`), which is a programmer bug not a runtime concern.
+ */
+export function purgeSession(opts) {
+    const { projectDir, sessionsDir, storePath, contentDir, legacyContentDir, contentHash } = opts;
+    const deleted = [];
+    const wipedPaths = [];
+    // ── 1. Knowledge base FTS5 store (per-platform). ──────────────────────
+    // Two input modes:
+    //   - `storePath`: single absolute path; pre-resolved by caller. Wipes
+    //     exactly that file plus -wal / -shm sidecars. Back-compat path.
+    //   - `contentDir`: directory; purgeSession derives BOTH canonical and
+    //     legacy raw-casing variants of the FTS5 store filename (matches
+    //     the case-fold migration pattern from `resolveContentStorePath`)
+    //     and sweeps each with sidecars. Recommended for new callers.
+    // Both inputs may be supplied; paths are de-duped via the unlink-or-fail
+    // semantics of `tryUnlinkSqliteTriple`. The "knowledge base (FTS5)"
+    // label appears at most once.
+    let storeFound = false;
+    if (storePath && tryUnlinkSqliteTriple(storePath, wipedPaths))
+        storeFound = true;
+    if (contentDir) {
+        const canonicalHash = hashProjectDirCanonical(projectDir);
+        const legacyHash = hashProjectDirLegacy(projectDir);
+        const storeHashes = canonicalHash === legacyHash
+            ? [canonicalHash]
+            : [canonicalHash, legacyHash];
+        for (const h of storeHashes) {
+            const path = join(contentDir, `${h}.db`);
+            if (tryUnlinkSqliteTriple(path, wipedPaths))
+                storeFound = true;
+        }
+    }
+    if (storeFound)
+        deleted.push("knowledge base (FTS5)");
+    // ── 2. Legacy shared content DB at ~/.context-mode/content/<hash>.db.
+    // Same reasoning as (1) — single hash, legacy code-path only.
+    if (legacyContentDir) {
+        if (!contentHash) {
+            throw new TypeError("purgeSession: contentHash is required when legacyContentDir is provided");
+        }
+        const legacyPath = join(legacyContentDir, `${contentHash}.db`);
+        tryUnlinkSqliteTriple(legacyPath, wipedPaths);
+        // No user-facing label — this is a silent legacy cleanup.
+    }
+    // ── 3. Session-events kinds at BOTH canonical AND legacy hashes. ─────
+    // This is the bug fix: the prior handler only dual-hashed the .db file
+    // (after migration commit a32cc29). events.md and .cleanup were left
+    // single-hash, so a casing-drift project on macOS/Windows could leak
+    // orphan files past a purge. We now sweep all three uniformly.
+    const worktreeSuffix = getWorktreeSuffix(projectDir);
+    const canonicalHash = hashProjectDirCanonical(projectDir);
+    const legacyHash = hashProjectDirLegacy(projectDir);
+    const hashes = canonicalHash === legacyHash
+        ? [canonicalHash]
+        : [canonicalHash, legacyHash];
+    let sessDbFound = false;
+    let eventsFound = false;
+    for (const h of hashes) {
+        const base = join(sessionsDir, `${h}${worktreeSuffix}`);
+        if (tryUnlinkSqliteTriple(`${base}.db`, wipedPaths))
+            sessDbFound = true;
+        if (tryUnlink(`${base}-events.md`, wipedPaths))
+            eventsFound = true;
+        tryUnlink(`${base}.cleanup`, wipedPaths); // no user-facing label
+    }
+    if (sessDbFound)
+        deleted.push("session events DB");
+    if (eventsFound)
+        deleted.push("session events markdown");
+    return { deleted, wipedPaths };
+}

package/build/store.d.ts

@@ -30,6 +30,13 @@ export declare class ContentStore {
     constructor(dbPath?: string);
     /** Delete this session's DB files. Call on process exit. */
     cleanup(): void;
+    /**
+     * Register a deny-policy checker. When set, #refreshStaleSources
+     * calls it before re-reading any file_path during auto-refresh.
+     * Returning `true` causes the source to be skipped (kept in cache,
+     * not re-indexed). server.ts wires this to the Read deny patterns.
+     */
+    setDenyChecker(fn: ((filePath: string) => boolean) | undefined): void;
     index(options: {
         content?: string;
         path?: string;

package/build/store.js

@@ -9,7 +9,7 @@
  */
 var _a;
 import { loadDatabase, applyWALPragmas, closeDB, cleanOrphanedWALFiles, withRetry, deleteDBFiles, isSQLiteCorruptionError } from "./db-base.js";
-import { readFileSync, readdirSync, unlinkSync, existsSync, statSync } from "node:fs";
+import { readFileSync, readdirSync, unlinkSync, existsSync, statSync, openSync, fstatSync, closeSync } from "node:fs";
 import { createHash } from "node:crypto";
 import { tmpdir } from "node:os";
 import { join } from "node:path";
@@ -290,6 +290,13 @@ function findMinSpan(positionLists) {
 export class ContentStore {
     #db;
     #dbPath;
+    // Optional deny-policy callback. When set (by server.ts at startup),
+    // #refreshStaleSources consults it before re-reading file_path during
+    // auto-refresh. This catches policy edits between initial indexing and
+    // a later search: a file that was allowed at index time may have been
+    // added to the Read deny list afterwards. Without this hook, refresh
+    // would re-read and re-expose the file. See #442 round-3.
+    #denyChecker;
     // ── Cached Prepared Statements ──
     // Prepared once at construction, reused on every call to avoid
     // re-compiling SQL on each invocation.
@@ -695,6 +702,16 @@ export class ContentStore {
         this.#stmtCleanupChunksTrigram = this.#db.prepare("DELETE FROM chunks_trigram WHERE source_id IN (SELECT id FROM sources WHERE datetime(indexed_at) < datetime('now', '-' || ? || ' days'))");
         this.#stmtCleanupSources = this.#db.prepare("DELETE FROM sources WHERE datetime(indexed_at) < datetime('now', '-' || ? || ' days')");
     }
+    // ── Deny Policy Hook ──
+    /**
+     * Register a deny-policy checker. When set, #refreshStaleSources
+     * calls it before re-reading any file_path during auto-refresh.
+     * Returning `true` causes the source to be skipped (kept in cache,
+     * not re-indexed). server.ts wires this to the Read deny patterns.
+     */
+    setDenyChecker(fn) {
+        this.#denyChecker = fn;
+    }
     // ── Index ──
     index(options) {
         const { content, path, source } = options;
@@ -707,7 +724,31 @@ export class ContentStore {
         if (!hasContent && !path) {
             throw new Error("Either content or path must be provided");
         }
-        const text = hasContent ? content : readFileSync(path, "utf-8");
+        // Read file via fd to close the TOCTOU window between the security
+        // gate (security.ts evaluateFilePath calls realpathSync) and the read
+        // here. Lexical re-read by path string allowed an attacker to swap a
+        // symlink to a denied target (e.g. ~/.ssh/id_rsa) AFTER gate passed.
+        // openSync + fstat + readFileSync(fd) binds the read to the inode
+        // captured at gate-time. fstat also rejects non-regular files
+        // (directories, character devices) which would otherwise read as ""
+        // or throw inconsistently. See #442 round-3.
+        let text;
+        if (hasContent) {
+            text = content;
+        }
+        else {
+            const fd = openSync(path, "r");
+            try {
+                const st = fstatSync(fd);
+                if (!st.isFile()) {
+                    throw new Error(`refusing to index ${path}: not a regular file`);
+                }
+                text = readFileSync(fd, "utf-8");
+            }
+            finally {
+                closeSync(fd);
+            }
+        }
         const label = source ?? path ?? "untitled";
         const chunks = this.#chunkMarkdown(text);
         // Stale detection: store file_path + SHA-256 for file-backed sources
@@ -1028,17 +1069,39 @@ export class ContentStore {
             try {
                 if (!existsSync(src.file_path))
                     continue; // file deleted — keep cached results
+                // Re-check deny policy before re-reading. The Read deny list may
+                // have been edited after this source was originally indexed; a
+                // file that was allowed then may now be denied. Without this
+                // gate, refresh would happily re-read and re-expose it. #442 r3.
+                if (this.#denyChecker && this.#denyChecker(src.file_path))
+                    continue;
                 const mtime = statSync(src.file_path).mtime;
                 const indexedAt = new Date(src.indexed_at + "Z");
                 if (mtime <= indexedAt)
                     continue; // file unchanged — fast path
-                // mtime advanced — check hash to confirm real change (not just touch)
-                const newContent = readFileSync(src.file_path, "utf-8");
+                // mtime advanced — fd-bound read for hash + indexing in one go.
+                // Open once, fstat, read from fd. Closes the swap-mid-flight
+                // window between hash read and re-index. #442 round-3.
+                const fd = openSync(src.file_path, "r");
+                let newContent;
+                try {
+                    const st = fstatSync(fd);
+                    if (!st.isFile())
+                        continue; // skip non-regular targets
+                    newContent = readFileSync(fd, "utf-8");
+                }
+                finally {
+                    closeSync(fd);
+                }
                 const newHash = createHash("sha256").update(newContent).digest("hex");
                 if (newHash === src.content_hash)
                     continue; // content identical — skip
-                // File genuinely changed — re-index
-                this.index({ path: src.file_path, source: src.label });
+                // File genuinely changed — re-index using already-read content
+                // (avoids a second open/read race) but preserve file_path/hash
+                // by going through index() which stores them. Since we pass
+                // content, index() does NOT re-read; the bytes hashed above
+                // are exactly the bytes indexed.
+                this.index({ content: newContent, path: src.file_path, source: src.label });
                 this.lastRefreshCount++;
             }
             catch {

package/build/util/claude-config.d.ts

@@ -0,0 +1,26 @@
+export declare function resolveClaudeConfigDir(env?: NodeJS.ProcessEnv): string;
+/** Resolve the global settings.json path, honoring CLAUDE_CONFIG_DIR. */
+export declare function resolveClaudeGlobalSettingsPath(env?: NodeJS.ProcessEnv): string;
+/**
+ * Issue #451 round-3: cross-adapter deny-policy parity.
+ *
+ * `resolveClaudeGlobalSettingsPath` hardcodes the `.claude` segment, so
+ * non-Claude adapters (cursor, codex, qwen-code, gemini-cli, jetbrains-copilot,
+ * vscode-copilot, etc.) never had their global settings consulted by the
+ * security policy reader. This helper returns the union of:
+ *
+ *   1. The currently-detected adapter's home-rooted settings.json (when the
+ *      adapter is non-claude — claude is already covered by entry 2).
+ *   2. The claude global settings.json (always — defense in depth).
+ *
+ * Lazy import of `./adapters/detect.js` keeps this file free of any direct
+ * adapter dependency: the detect module itself only `import type`s adapter
+ * types at the top level (concrete adapters are loaded dynamically inside
+ * `getAdapter()`), so a static import is safe — but we use `createRequire`
+ * to make the dependency direction crystal clear and to avoid surprising
+ * future maintainers who add eager adapter imports to detect.ts.
+ *
+ * The returned array is deduplicated and order-stable: adapter-specific path
+ * first (most specific), claude global second (fallback).
+ */
+export declare function resolveAdapterGlobalSettingsPaths(env?: NodeJS.ProcessEnv): string[];