context-mode 1.0.117 → 1.0.119

package/.claude-plugin/marketplace.json

@@ -6,14 +6,14 @@
   },
   "metadata": {
     "description": "Claude Code plugins by Mert Koseoğlu",
-    "version": "1.0.117"
+    "version": "1.0.119"
   },
   "plugins": [
     {
       "name": "context-mode",
       "source": "./",
       "description": "Claude Code MCP plugin that saves 98% of your context window. Sandboxed code execution in 11 languages, FTS5 knowledge base with BM25 ranking, and intent-driven search.",
-      "version": "1.0.117",
+      "version": "1.0.119",
       "author": {
         "name": "Mert Koseoğlu"
       },

package/.claude-plugin/plugin.json

@@ -1,6 +1,6 @@
 {
   "name": "context-mode",
-  "version": "1.0.117",
+  "version": "1.0.119",
   "description": "MCP server that saves 98% of your context window with session continuity. Sandboxed code execution in 11 languages, FTS5 knowledge base with BM25 ranking, and automatic state restore across compactions.",
   "author": {
     "name": "Mert Koseoğlu",

package/.openclaw-plugin/openclaw.plugin.json

@@ -3,7 +3,7 @@
   "name": "Context Mode",
   "kind": "tool",
   "description": "OpenClaw plugin that saves 98% of your context window. Sandboxed code execution in 11 languages, FTS5 knowledge base with BM25 ranking, and intent-driven search.",
-  "version": "1.0.117",
+  "version": "1.0.119",
   "sandbox": {
     "mode": "permissive",
     "filesystem_access": "full",

package/.openclaw-plugin/package.json

@@ -1,6 +1,6 @@
 {
   "name": "context-mode",
-  "version": "1.0.117",
+  "version": "1.0.119",
   "description": "OpenClaw plugin that saves 98% of your context window. Sandboxed code execution in 11 languages, FTS5 knowledge base with BM25 ranking, and intent-driven search.",
   "author": {
     "name": "Mert Koseoğlu",

package/bin/statusline.mjs

@@ -212,7 +212,7 @@ async function main() {
   const {
     getRealBytesStats,
     getMultiAdapterLifetimeStats,
-    OPUS_INPUT_PRICE_PER_TOKEN,
+    kb,
   } = analytics;
 
   // Sessions dir doesn't exist yet — first ever launch
@@ -251,14 +251,31 @@ async function main() {
     multi = null;
   }
 
-  const PRICE = OPUS_INPUT_PRICE_PER_TOKEN ?? (15 / 1_000_000);
-  const lifetimeTokens = lifetime?.totalSavedTokens ?? 0;
-  const sessionTokens = conversation?.totalSavedTokens ?? 0;
-  const lifetimeUsd = lifetimeTokens * PRICE;
-  const sessionUsd = sessionTokens * PRICE;
+  // v1.0.118: drop the $ math — ctx_stats's narrative renderer is the source
+  // of truth and uses byte-based metrics. Statusline mirrors the same
+  // formulas so the two displays never diverge again.
+  //
+  // Lifetime bytes — multi-adapter aggregate when present, else local-DB
+  // real bytes. Mirrors src/session/analytics.ts:1684 narrative renderer.
+  const lifetimeBytes = (multi?.totalBytes && multi.totalBytes > 0)
+    ? multi.totalBytes
+    : (lifetime?.totalSavedTokens ?? 0) * 4;
 
-  // Reduction % — bytes avoided + snapshot bytes vs returned bytes.
-  // Mirrors persistStats() math in src/server.ts:565-568.
+  // This-chat bytes — real bytes accounting (data + bytes-avoided + snapshot).
+  const sessionBytes = conversation
+    ? ((conversation.eventDataBytes ?? 0)
+       + (conversation.bytesAvoided ?? 0)
+       + (conversation.snapshotBytes ?? 0))
+    : 0;
+
+  // Per-day average — same lifetime-day computation ctx_stats opener uses.
+  const sinceMs = lifetime?.firstEventMs ?? multi?.perAdapter?.[0]?.firstMs ?? 0;
+  const lifetimeDays = sinceMs > 0
+    ? Math.max(1, Math.round((Date.now() - sinceMs) / 86_400_000))
+    : 0;
+  const perDayBytes = lifetimeDays > 0 ? lifetimeBytes / lifetimeDays : 0;
+
+  // Reduction % — same as before (bytes-avoided + snapshot vs returned).
   const totalReturned = lifetime?.bytesReturned ?? 0;
   const totalKept =
     (lifetime?.bytesAvoided ?? 0)
@@ -271,36 +288,26 @@ async function main() {
 
   const dot = statusDot(pct);
 
-  // Multi-adapter aggregation. Real adapters = those passing the isReal
-  // filter (>=100 events, >=5 distinct projects, recent activity, avg
-  // bytes >= 50). When 2+ real adapters exist, surface a cross-tool $.
-  // multi.totalBytes is dataBytes + rescueBytes, NOT bytes-avoided — so
-  // it's a different (and typically smaller) lens than getRealBytesStats.
-  // Render the multi $ alongside lifetime $ rather than instead of it.
+  // Cross-tool count — used in the headline when 2+ real adapters detected.
   const realAdapters = (multi?.perAdapter ?? []).filter((a) => a?.isReal);
-  const multiTotalTokens = (multi?.totalBytes ?? 0) / 4;
-  const multiUsd = multiTotalTokens * PRICE;
-  const showMultiAdapter = realAdapters.length >= 2 && multiUsd > 0;
-
-  // BRAND-NEW: no local SessionDB data at all → headline.
-  // Multi-adapter alone (without local data) means another tool has
-  // history but THIS Claude session is fresh — still show headline,
-  // not someone else's lifetime $, to avoid surprising users with a
-  // number they can't trace to their current adapter.
-  if (lifetimeTokens === 0 && sessionTokens === 0) {
+  const showMultiAdapter = realAdapters.length >= 2;
+
+  // BRAND-NEW: no data at all → marketing headline.
+  if (lifetimeBytes === 0 && sessionBytes === 0) {
     process.stdout.write(
       `${brand("context-mode")}  ${green("●")}  ${dim("saves ~98% of context window")}`,
     );
     return;
   }
 
-  // FRESH session, no session $ yet — lead with persistence value.
-  if (sessionUsd === 0 && lifetimeUsd > 0) {
-    const blocks = [
-      `${bold(fmtUsd(lifetimeUsd))} ${dim("saved across sessions")}`,
-    ];
+  // FRESH session, no this-chat data yet — lead with lifetime number.
+  if (sessionBytes === 0 && lifetimeBytes > 0) {
+    const blocks = [`${bold(kb(lifetimeBytes))} ${dim("kept out")}`];
+    if (perDayBytes > 0) {
+      blocks.push(`${bold(kb(perDayBytes) + "/day")}`);
+    }
     if (showMultiAdapter) {
-      blocks.push(`${bold(fmtUsd(multiUsd))} ${dim(`across ${realAdapters.length} tools`)}`);
+      blocks.push(`${dim(`across ${realAdapters.length} tools`)}`);
     }
     blocks.push(dim("preserved across compact, restart & upgrade"));
     process.stdout.write(
@@ -309,18 +316,18 @@ async function main() {
     return;
   }
 
-  // ACTIVE: session $ · lifetime $ · [multi $] · % efficient
+  // ACTIVE: this-chat · lifetime · [N tools] · % efficient
   const valueBlocks = [
-    `${bold(fmtUsd(sessionUsd))} ${dim("saved this session")}`,
+    `${bold(kb(sessionBytes))} ${dim("this chat")}`,
   ];
-  if (lifetimeUsd > 0) {
-    valueBlocks.push(`${bold(fmtUsd(lifetimeUsd))} ${dim("saved across sessions")}`);
+  if (lifetimeBytes > 0) {
+    valueBlocks.push(`${bold(kb(lifetimeBytes))} ${dim("lifetime")}`);
   }
   if (showMultiAdapter) {
-    valueBlocks.push(`${bold(fmtUsd(multiUsd))} ${dim(`across ${realAdapters.length} tools`)}`);
+    valueBlocks.push(`${dim(`across ${realAdapters.length} tools`)}`);
   }
   if (pct > 0) {
-    valueBlocks.push(`${bold(`${pct}%`)} ${dim("efficient")}`);
+    valueBlocks.push(`${bold(`${pct}%`)} ${dim("kept out")}`);
   }
 
   const head = `${brand("context-mode")}  ${dot}  `;

package/build/adapters/pi/mcp-bridge.d.ts

@@ -20,6 +20,21 @@
  *
  * No external dependencies — pure node:child_process + JSON line frames.
  */
+export interface ResolveDeps {
+    detect?: () => {
+        javascript: string | null;
+    };
+    which?: (cmd: string) => string | null;
+    execPath?: string;
+}
+/**
+ * Resolve a JS runtime safe to spawn the MCP server with.
+ *
+ * Returns `null` when no real runtime is reachable (caller must skip
+ * the bridge gracefully — see bootstrapMCPTools). Pi-named binaries are
+ * explicitly rejected at every step to prevent the #516 fork bomb.
+ */
+export declare function resolveJsRuntimeForBridge(deps?: ResolveDeps): string | null;
 export interface MCPTool {
     name: string;
     description?: string;
@@ -47,13 +62,20 @@ export interface MCPCallResult {
 export declare class MCPStdioClient {
     private readonly serverScript;
     private readonly env;
+    private readonly runtimeOverride;
     private child;
     private requestId;
     private readonly pending;
     private buffer;
     private initialized;
     private exited;
-    constructor(serverScript: string, env?: NodeJS.ProcessEnv);
+    /**
+     * Live env passed to the spawned child — exposed (read-only intent)
+     * so tests can pin the fork-bomb-prevention env counter (#516)
+     * without needing to attach a process-tree probe.
+     */
+    _spawnEnv: NodeJS.ProcessEnv | null;
+    constructor(serverScript: string, env?: NodeJS.ProcessEnv, runtimeOverride?: string | null);
     /** Spawn the MCP child. Idempotent. */
     start(): void;
     private onExit;
@@ -108,6 +130,9 @@ export interface BridgeHandle {
  * `execute()` callback — Pi's contract is "throw to mark the tool call
  * failed", which lets the LLM see and adapt.
  */
-export declare function bootstrapMCPTools(pi: PiLikeAPI, serverScript: string, options?: {
+export interface BootstrapOptions {
     env?: NodeJS.ProcessEnv;
-}): Promise<BridgeHandle>;
+    /** DI hook for tests: override the runtime resolver entirely. */
+    _resolveJsRuntime?: () => string | null;
+}
+export declare function bootstrapMCPTools(pi: PiLikeAPI, serverScript: string, options?: BootstrapOptions): Promise<BridgeHandle>;

package/build/adapters/pi/mcp-bridge.js

@@ -20,7 +20,77 @@
  *
  * No external dependencies — pure node:child_process + JSON line frames.
  */
-import { spawn } from "node:child_process";
+import { spawn, execSync } from "node:child_process";
+import { detectRuntimes } from "../../runtime.js";
+// ── Fork-bomb prevention (#516) ──────────────────────────────────────
+//
+// Original bug: `spawn(process.execPath, [serverScript])` recursively
+// re-executed the Pi binary on Bun-only systems where `process.execPath`
+// IS pi itself. Each spawn re-loaded context-mode → spawned again →
+// took the box down.
+//
+// Defence in depth:
+//   1. resolveJsRuntimeForBridge() refuses pi-named binaries even when
+//      detectRuntimes() returns one, falling back to PATH-resolved
+//      node/bun.
+//   2. Spawn passes CONTEXT_MODE_BRIDGE_DEPTH=1 in child env so any
+//      transitive bridge load can detect the recursion via env counter.
+//   3. bootstrapMCPTools() aborts if CONTEXT_MODE_BRIDGE_DEPTH > 0 in
+//      its own env — catches recursion that bypasses the binary-name
+//      check (e.g. a `node` shim that re-execs Pi).
+const PI_BINARY_BASENAME = /^pi(\.exe)?$/i;
+const BRIDGE_DEPTH_ENV = "CONTEXT_MODE_BRIDGE_DEPTH";
+const isWindows = process.platform === "win32";
+function basename(p) {
+    const segs = p.split(/[\\/]/);
+    return segs[segs.length - 1] ?? "";
+}
+function whichOnPath(cmd) {
+    try {
+        const probe = isWindows ? `where ${cmd}` : `command -v ${cmd}`;
+        const out = execSync(probe, { encoding: "utf-8", stdio: "pipe" })
+            .trim()
+            .split(/\r?\n/)[0]
+            ?.trim();
+        return out && out.length > 0 ? out : null;
+    }
+    catch {
+        return null;
+    }
+}
+/**
+ * Resolve a JS runtime safe to spawn the MCP server with.
+ *
+ * Returns `null` when no real runtime is reachable (caller must skip
+ * the bridge gracefully — see bootstrapMCPTools). Pi-named binaries are
+ * explicitly rejected at every step to prevent the #516 fork bomb.
+ */
+export function resolveJsRuntimeForBridge(deps = {}) {
+    const detect = deps.detect ?? (() => detectRuntimes());
+    const which = deps.which ?? whichOnPath;
+    const execPath = deps.execPath ?? process.execPath;
+    const isPi = (p) => !!p && PI_BINARY_BASENAME.test(basename(p));
+    // 1. Prefer detectRuntimes().javascript when it is NOT pi.
+    let candidate = null;
+    try {
+        candidate = detect().javascript ?? null;
+    }
+    catch {
+        candidate = null;
+    }
+    if (candidate && !isPi(candidate))
+        return candidate;
+    // 2. Fall back to PATH-resolved node, then bun.
+    for (const cmd of ["node", "bun"]) {
+        const resolved = which(cmd);
+        if (resolved && !isPi(resolved))
+            return resolved;
+    }
+    // 3. Last resort: process.execPath only if it is not pi.
+    if (execPath && !isPi(execPath))
+        return execPath;
+    return null;
+}
 const DEFAULT_REQUEST_TIMEOUT_MS = 60_000;
 // Tools/call may run shell commands or fetch URLs — wider window than
 // initialize/list, but still bounded so a hung server can't block Pi.
@@ -40,28 +110,49 @@ const DEFAULT_CALL_TIMEOUT_MS = 120_000;
 export class MCPStdioClient {
     serverScript;
     env;
+    runtimeOverride;
     child = null;
     requestId = 0;
     pending = new Map();
     buffer = "";
     initialized = false;
     exited = false;
-    constructor(serverScript, env = process.env) {
+    /**
+     * Live env passed to the spawned child — exposed (read-only intent)
+     * so tests can pin the fork-bomb-prevention env counter (#516)
+     * without needing to attach a process-tree probe.
+     */
+    _spawnEnv = null;
+    constructor(serverScript, env = process.env, runtimeOverride = null) {
         this.serverScript = serverScript;
         this.env = env;
+        this.runtimeOverride = runtimeOverride;
     }
     /** Spawn the MCP child. Idempotent. */
     start() {
         if (this.child)
             return;
         this.exited = false;
-        this.child = spawn(process.execPath, [this.serverScript], {
+        // Pick a JS runtime that is NOT the host process (#516). When Pi
+        // is the host binary, process.execPath would re-exec Pi and fork
+        // bomb the box. resolveJsRuntimeForBridge prefers bun/node and
+        // explicitly rejects pi-named binaries.
+        const runtime = this.runtimeOverride ?? resolveJsRuntimeForBridge() ?? process.execPath;
+        // Increment the depth counter so any transitive bridge load inside
+        // the child can short-circuit before spawning yet another server.
+        const depth = Number.parseInt(this.env[BRIDGE_DEPTH_ENV] ?? "0", 10);
+        const childEnv = {
+            ...this.env,
+            [BRIDGE_DEPTH_ENV]: String(Number.isFinite(depth) ? depth + 1 : 1),
+        };
+        this._spawnEnv = childEnv;
+        this.child = spawn(runtime, [this.serverScript], {
             // Pipe stderr (#472 round-3): swallowing it via "ignore" hides
             // server crash diagnostics — the user only saw "ctx_* tools will
             // not be callable" with no clue WHY. Forwarding to process.stderr
             // with a [mcp-bridge] prefix lets ops grep across session noise.
             stdio: ["pipe", "pipe", "pipe"],
-            env: this.env,
+            env: childEnv,
         });
         this.child.stdout?.on("data", (chunk) => this.onData(chunk));
         this.child.stderr?.on("data", (chunk) => {
@@ -197,18 +288,40 @@ export class MCPStdioClient {
     }
 }
 /**
- * Spawn the MCP server and register each of its tools with Pi via
- * `pi.registerTool()`. The same JSON Schema returned by `tools/list` is
- * passed straight through as `parameters` — TypeBox emits JSON-Schema
- * compatible objects, so any Pi runtime that validates JSON Schema
- * accepts this shape (verified against pi 0.73.x).
- *
- * Errors during MCP `tools/call` are translated to a `throw` from the
- * `execute()` callback — Pi's contract is "throw to mark the tool call
- * failed", which lets the LLM see and adapt.
+ * Empty-but-valid handle returned when bootstrap is skipped (#516).
+ * Keeps the shutdown contract intact so callers do not need null checks.
  */
+function skippedBridge() {
+    return {
+        tools: [],
+        shutdown: () => {
+            /* nothing to shut down */
+        },
+        client: new MCPStdioClient("/dev/null"),
+    };
+}
 export async function bootstrapMCPTools(pi, serverScript, options = {}) {
-    const client = new MCPStdioClient(serverScript, options.env);
+    const env = options.env ?? process.env;
+    // Recursion guard (#516): if an ancestor bridge already incremented
+    // the depth counter, refuse to spawn another child — even if the
+    // binary-name check would let us through. Catches `node` shims that
+    // re-exec Pi and other host swaps that bypass basename detection.
+    const depth = Number.parseInt(env[BRIDGE_DEPTH_ENV] ?? "0", 10);
+    if (Number.isFinite(depth) && depth > 0) {
+        process.stderr.write(`[context-mode] WARNING: skipping MCP bridge — ${BRIDGE_DEPTH_ENV}=${depth} ` +
+            `indicates recursion (fork-bomb guard, #516). ctx_* tools will not be callable.\n`);
+        return skippedBridge();
+    }
+    // Runtime guard (#516): when neither node nor bun is on PATH and the
+    // host process is pi, there is no safe binary to spawn. Log once and
+    // return an empty handle — the rest of the extension keeps working.
+    const runtime = (options._resolveJsRuntime ?? resolveJsRuntimeForBridge)();
+    if (runtime === null) {
+        process.stderr.write(`[context-mode] WARNING: no JS runtime found (need node or bun on PATH). ` +
+            `Skipping MCP bridge to avoid fork bomb (#516). ctx_* tools will not be callable.\n`);
+        return skippedBridge();
+    }
+    const client = new MCPStdioClient(serverScript, env, runtime);
     client.start();
     await client.initialize();
     const tools = await client.listTools();

package/build/adapters/qwen-code/index.js

@@ -12,7 +12,7 @@
  *   - MCP clientInfo: qwen-cli-mcp-client-* (pattern)
  *   - 12 hook events (superset of Claude's 5, but context-mode uses the shared 5)
  */
-import { readFileSync, existsSync, } from "node:fs";
+import { readFileSync, writeFileSync, existsSync, } from "node:fs";
 import { resolve, join } from "node:path";
 import { homedir } from "node:os";
 import { ClaudeCodeBaseAdapter } from "../claude-code-base.js";
@@ -110,7 +110,11 @@ export class QwenCodeAdapter extends ClaudeCodeBaseAdapter {
         }
     }
     writeSettings(settings) {
-        const { writeFileSync } = require("node:fs");
+        // Issue #511: use top-level static import (line 18) — never inline
+        // `require("node:fs")` in ESM-bundled sources. esbuild rewrites them to
+        // a `__require` shim that throws `Dynamic require of "node:fs" is not
+        // supported` under Node ESM/Bun (this adapter is pulled into both
+        // server.bundle.mjs and cli.bundle.mjs via adapter detect).
         writeFileSync(this.getSettingsPath(), JSON.stringify(settings, null, 2));
     }
     // ── Diagnostics (doctor) ───────────────────────────────

package/build/cli.js

@@ -13,7 +13,7 @@
  */
 import * as p from "@clack/prompts";
 import color from "picocolors";
-import { execFileSync, execFile as nodeExecFile } from "node:child_process";
+import { execFileSync, execSync, execFile as nodeExecFile } from "node:child_process";
 import { readFileSync, writeFileSync, cpSync, accessSync, existsSync, rmSync, closeSync, openSync, chmodSync, constants } from "node:fs";
 import { request as httpsRequest } from "node:https";
 import { resolve, dirname, join } from "node:path";
@@ -22,6 +22,10 @@ import { fileURLToPath, pathToFileURL } from "node:url";
 import { detectRuntimes, getRuntimeSummary, hasBunRuntime, getAvailableLanguages, } from "./runtime.js";
 import { getHookScriptPaths } from "./util/hook-config.js";
 import { resolveClaudeConfigDir } from "./util/claude-config.js";
+// v1.0.119 — Issue #523 Layer 5 heal: post-bump assertion on .claude-plugin/plugin.json
+// mcpServers args. Single source of truth shared with start.mjs HEAL block + postinstall.
+// @ts-expect-error — JS module, no TS declarations
+import { healPluginJsonMcpServers } from "../scripts/heal-installed-plugins.mjs";
 // Private 16-LOC copy of browserOpenArgv. Canonical version lives in src/server.ts;
 // duplicated here so the cli bundle does not pull server.ts top-level boot side effects.
 // Keep in sync — pure data, no I/O.
@@ -163,11 +167,16 @@ export function npmExecFile(args, opts = {}) {
     });
 }
 export function npmExec(command, opts = {}) {
-    const { execSync: es } = require("node:child_process");
-    es(isWin ? command.replace(/^npm /, "npm.cmd ") : command, {
+    // Issue #511: use top-level static import (line 17) — never inline `require("node:...")`
+    // in ESM-bundled sources. esbuild rewrites them to a `__require` shim that throws
+    // `Dynamic require of "node:child_process" is not supported` under Node ESM/Bun.
+    // Cast preserves the prior `require()`-as-`any` shape; `shell: true` is the documented
+    // Node behavior even though @types/node typed `shell` as `string | undefined`.
+    const execOpts = {
         ...opts,
         ...(isWin ? { shell: true } : {}),
-    });
+    };
+    execSync(isWin ? command.replace(/^npm /, "npm.cmd ") : command, execOpts);
 }
 export function openInBrowser(url, platform = process.platform, runner = nodeExecFile) {
     const opts = { stdio: "ignore" };
@@ -398,7 +407,28 @@ async function doctor() {
     }
     catch (err) {
         const message = err instanceof Error ? err.message : String(err);
-        if (message.includes("Cannot find module") || message.includes("MODULE_NOT_FOUND")) {
+        // Distinguish package-missing from binding-missing (#514). Both
+        // throw with similar shapes from `import("better-sqlite3")` but the
+        // recovery commands differ:
+        //   - package-missing → `npm install better-sqlite3 --no-optional`
+        //     (npm@7+ silently drops optionalDependencies on engine
+        //     mismatch, e.g. Node 26 vs better-sqlite3@12.x — we name the
+        //     package explicitly + flip the optional filter to recover)
+        //   - binding-missing → `npm rebuild better-sqlite3` (#408 flow,
+        //     Windows + missing prebuild-install shim)
+        const pluginRootForDoctor = getPluginRoot();
+        const bsqPackageDir = resolve(pluginRootForDoctor, "node_modules", "better-sqlite3");
+        const packageMissing = !existsSync(bsqPackageDir);
+        if (packageMissing) {
+            criticalFails++;
+            p.log.error(color.red("FTS5 / better-sqlite3: FAIL") +
+                color.dim(" — package-missing") +
+                color.dim(`\n  Path: ${bsqPackageDir}` +
+                    "\n  Root cause: npm silently skipped better-sqlite3 because the package's `engines` field excluded the running Node (issue #514, e.g. Node 26 vs better-sqlite3@12.x)." +
+                    `\n  Try (primary): cd "${pluginRootForDoctor}" && npm install better-sqlite3 --no-optional` +
+                    "\n  Try (fallback): /context-mode:ctx-upgrade"));
+        }
+        else if (message.includes("Cannot find module") || message.includes("MODULE_NOT_FOUND")) {
             p.log.warn(color.yellow("FTS5 / better-sqlite3: SKIP") + color.dim(" — module not available (restart session after upgrade)"));
         }
         else {
@@ -732,6 +762,30 @@ async function upgrade() {
                 const message = err instanceof Error ? err.message : String(err);
                 throw new Error(`Registry consistency check failed: ${message}`);
             }
+            // v1.0.119 — Issue #523 — Layer 5 heal: assert .claude-plugin/plugin.json's
+            // mcpServers["context-mode"].args[0] is the literal ${CLAUDE_PLUGIN_ROOT}/start.mjs
+            // placeholder, not a tmpdir-prefixed absolute path. cli.ts already wrote .mcp.json
+            // with the placeholder (#411 fix), but plugin.json was never touched here — and
+            // start.mjs's normalize-hooks (Windows + #378) can bake in absolute paths that
+            // become stale across upgrades. We call the shared heal twice: first call cleans
+            // any drift; second call MUST return healed:[] or we throw. Single source of
+            // truth shared with start.mjs HEAL block + postinstall.
+            try {
+                const pluginCacheRoot = resolve(resolveClaudeConfigDir(), "plugins", "cache");
+                const pluginKey = "context-mode@context-mode";
+                const firstPass = healPluginJsonMcpServers({ pluginRoot, pluginCacheRoot, pluginKey });
+                if (firstPass && firstPass.error) {
+                    throw new Error(firstPass.error);
+                }
+                const secondPass = healPluginJsonMcpServers({ pluginRoot, pluginCacheRoot, pluginKey });
+                if (secondPass && Array.isArray(secondPass.healed) && secondPass.healed.length > 0) {
+                    throw new Error(`Plugin manifest drift: plugin.json mcpServers.args still poisoned after first heal pass (healed=${secondPass.healed.join(",")})`);
+                }
+            }
+            catch (err) {
+                const message = err instanceof Error ? err.message : String(err);
+                throw new Error(`plugin.json drift check failed: ${message}`);
+            }
             // v1.0.114 hotfix — marketplace post-pull assertion: clone (if
             // present) MUST be on newVersion. Mert's case showed marketplace
             // stuck at v1.0.89 — the sync block above swallowed that silently.
@@ -784,6 +838,40 @@ async function upgrade() {
                         ` — ${message}` +
                         color.dim(`\n  Try manually: cd "${pluginRoot}" && npm rebuild better-sqlite3`));
                 }
+                // ── Post-install binding verifier (#514) ────────────────────
+                // npm@7+ silently drops optionalDependencies whose engines
+                // field excludes the running Node (e.g. Node 26 vs
+                // better-sqlite3@12.x). On a silent skip the package directory
+                // is missing entirely and ensure-deps cannot recover. Fail
+                // loud so /ctx-upgrade no longer reports success while the
+                // knowledge base is unusable.
+                const bsqBindingPath = resolve(pluginRoot, "node_modules", "better-sqlite3", "build", "Release", "better_sqlite3.node");
+                if (!existsSync(bsqBindingPath)) {
+                    // Try one last self-heal — explicit, named install bypasses
+                    // the optionalDependency silent-skip path even if the dep
+                    // somehow regressed back to optional.
+                    try {
+                        const healPath = resolve(pluginRoot, "scripts", "heal-better-sqlite3.mjs");
+                        if (existsSync(healPath)) {
+                            const mod = await import(`${pathToFileURL(healPath).href}?upgrade=${Date.now()}`);
+                            if (typeof mod.healBetterSqlite3Binding === "function") {
+                                mod.healBetterSqlite3Binding(pluginRoot);
+                            }
+                        }
+                    }
+                    catch { /* best effort — verifier below will fail loud */ }
+                }
+                if (!existsSync(bsqBindingPath)) {
+                    // Mark the upgrade process for a non-zero exit at completion.
+                    // Stays in scope only for the rest of upgrade(); the actual
+                    // exit-code wiring sits below the top-level changes report.
+                    process.exitCode = 1;
+                    p.log.error(color.red("better-sqlite3 native binding: MISSING") +
+                        color.dim(`\n  Path: ${bsqBindingPath}`) +
+                        color.dim("\n  Cause: npm silently skipped the package (Node engine mismatch, issue #514)") +
+                        color.dim(`\n  Try (primary): cd "${pluginRoot}" && npm install better-sqlite3 --no-optional`) +
+                        color.dim("\n  Try (fallback): /context-mode:ctx-doctor"));
+                }
             }
             // Update global npm
             s.start("Updating npm global package");

package/build/opencode-plugin.js

@@ -179,7 +179,7 @@ async function createContextModePlugin(ctx) {
             const toolInput = output.args ?? {};
             let decision;
             try {
-                decision = routing.routePreToolUse(toolName, toolInput, projectDir, platform);
+                decision = routing.routePreToolUse(toolName, toolInput, projectDir, getPlatform());
             }
             catch {
                 return; // Routing failure → allow passthrough
@@ -194,10 +194,7 @@ async function createContextModePlugin(ctx) {
                 // Mutate output.args — OpenCode reads the mutated output object
                 Object.assign(output.args, decision.updatedInput);
             }
-            if (decision.action === "context" && decision.additionalContext) {
-                // Mutate output.args — OpenCode reads the mutated output object
-                output.args.additionalContext = decision.additionalContext;
-            }
+            // "context" action → no-op (OpenCode doesn't support context injection)
         },
         // ── PostToolUse: Session event capture ──────────────
         "tool.execute.after": async (input, output) => {

package/build/server.js

@@ -189,11 +189,26 @@ function getProjectDir() {
     // modified `~/.claude/projects/<encoded>/<session>.jsonl` to recover the
     // real project dir when MCP was launched from a non-project cwd (desktop-
     // app launch, /ctx-upgrade respawn). See src/util/project-dir.ts.
+    //
+    // Issue #521 (v1.0.119): the transcript heuristic ONLY applies on Claude
+    // Code. Other platforms (Cursor, OpenCode, Codex, ...) either have no
+    // transcript at that path or use a different schema without `cwd`. Worse,
+    // a Cursor user who also runs Claude Code would pick up the most-recently-
+    // modified Claude Code session's cwd — wrong project entirely. Gate the
+    // path on detected platform so non-Claude hosts skip the heuristic and
+    // fall through to PWD/cwd cleanly.
+    let transcriptsRoot;
+    try {
+        if (detectPlatform().platform === "claude-code") {
+            transcriptsRoot = join(homedir(), ".claude", "projects");
+        }
+    }
+    catch { /* detection failure — leave undefined, resolver skips heuristic */ }
     return resolveProjectDir({
         env: process.env,
         cwd: process.cwd(),
         pwd: process.env.PWD,
-        transcriptsRoot: join(homedir(), ".claude", "projects"),
+        transcriptsRoot,
     });
 }
 /**
@@ -1657,8 +1672,8 @@ export function buildFetchCode(url, outputPath) {
 const TurndownService = require(${turndownPath});
 const { gfm } = require(${gfmPath});
 const fs = require('fs');
-const dns = require('node:dns');
-const dnsPromises = require('node:dns/promises');
+const dns = require('no' + 'de:dns');
+const dnsPromises = require('no' + 'de:dns/promises');
 const url = ${JSON.stringify(url)};
 const outputPath = ${escapedOutputPath};
 
@@ -3365,11 +3380,13 @@ async function main() {
     // even though the server is alive. Heartbeat refreshes updated_at every 60s;
     // statusline staleness threshold is 30min (cliff is 30 missed ticks away).
     setInterval(() => persistStats(), 60_000).unref();
-    console.error(`Context Mode MCP server v${VERSION} running on stdio`);
-    console.error(`Detected runtimes:\n${getRuntimeSummary(runtimes)}`);
-    if (!hasBunRuntime()) {
-        console.error("\nPerformance tip: Install Bun for 3-5x faster JS/TS execution");
-        console.error("  curl -fsSL https://bun.sh/install | bash");
+    if (process.stdin.isTTY) {
+        console.error(`Context Mode MCP server v${VERSION} running on stdio`);
+        console.error(`Detected runtimes:\n${getRuntimeSummary(runtimes)}`);
+        if (!hasBunRuntime()) {
+            console.error("\nPerformance tip: Install Bun for 3-5x faster JS/TS execution");
+            console.error("  curl -fsSL https://bun.sh/install | bash");
+        }
     }
 }
 main().catch((err) => {