context-mode 1.0.118 → 1.0.120

package/.claude-plugin/marketplace.json

@@ -6,14 +6,14 @@
   },
   "metadata": {
     "description": "Claude Code plugins by Mert Koseoğlu",
-    "version": "1.0.118"
+    "version": "1.0.120"
   },
   "plugins": [
     {
       "name": "context-mode",
       "source": "./",
       "description": "Claude Code MCP plugin that saves 98% of your context window. Sandboxed code execution in 11 languages, FTS5 knowledge base with BM25 ranking, and intent-driven search.",
-      "version": "1.0.118",
+      "version": "1.0.120",
       "author": {
         "name": "Mert Koseoğlu"
       },

package/.claude-plugin/plugin.json

@@ -1,6 +1,6 @@
 {
   "name": "context-mode",
-  "version": "1.0.118",
+  "version": "1.0.120",
   "description": "MCP server that saves 98% of your context window with session continuity. Sandboxed code execution in 11 languages, FTS5 knowledge base with BM25 ranking, and automatic state restore across compactions.",
   "author": {
     "name": "Mert Koseoğlu",

package/.openclaw-plugin/openclaw.plugin.json

@@ -3,7 +3,7 @@
   "name": "Context Mode",
   "kind": "tool",
   "description": "OpenClaw plugin that saves 98% of your context window. Sandboxed code execution in 11 languages, FTS5 knowledge base with BM25 ranking, and intent-driven search.",
-  "version": "1.0.118",
+  "version": "1.0.120",
   "sandbox": {
     "mode": "permissive",
     "filesystem_access": "full",

package/.openclaw-plugin/package.json

@@ -1,6 +1,6 @@
 {
   "name": "context-mode",
-  "version": "1.0.118",
+  "version": "1.0.120",
   "description": "OpenClaw plugin that saves 98% of your context window. Sandboxed code execution in 11 languages, FTS5 knowledge base with BM25 ranking, and intent-driven search.",
   "author": {
     "name": "Mert Koseoğlu",

package/build/adapters/openclaw/mcp-tools.js

@@ -175,7 +175,16 @@ export const OPENCLAW_TOOL_DEFS = [
     },
     {
         name: "ctx_purge",
-        description: "Permanently delete all indexed content and reset session stats. Destructive.",
+        description: "DESTRUCTIVE — permanently delete indexed content. CANNOT be undone.\n\n" +
+            "MUST specify exactly ONE scope:\n" +
+            "  • {confirm:true, sessionId:\"<uuid>\"}  → wipes ONLY that session's events + chunks; preserves stats and other sessions\n" +
+            "  • {confirm:true, scope:\"project\"}      → wipes ENTIRE project: FTS5 KB + every session DB + stats file\n\n" +
+            "REFUSED:\n" +
+            "  • confirm:false                              → 'purge cancelled'\n" +
+            "  • sessionId AND scope:\"project\" together     → 'ambiguous — pick one'\n" +
+            "  • scope:\"session\" without sessionId          → throws\n" +
+            "  • bare {confirm:true}                        → DEPRECATED: maps to scope:\"project\" with stderr warning\n\n" +
+            "Use sessionId for clearing one conversation. Use scope:\"project\" only when the user explicitly resets everything. NEVER call with bare {confirm:true}.",
         parameters: {
             type: "object",
             properties: {},

package/build/adapters/pi/mcp-bridge.d.ts

@@ -20,6 +20,21 @@
  *
  * No external dependencies — pure node:child_process + JSON line frames.
  */
+export interface ResolveDeps {
+    detect?: () => {
+        javascript: string | null;
+    };
+    which?: (cmd: string) => string | null;
+    execPath?: string;
+}
+/**
+ * Resolve a JS runtime safe to spawn the MCP server with.
+ *
+ * Returns `null` when no real runtime is reachable (caller must skip
+ * the bridge gracefully — see bootstrapMCPTools). Pi-named binaries are
+ * explicitly rejected at every step to prevent the #516 fork bomb.
+ */
+export declare function resolveJsRuntimeForBridge(deps?: ResolveDeps): string | null;
 export interface MCPTool {
     name: string;
     description?: string;
@@ -47,13 +62,20 @@ export interface MCPCallResult {
 export declare class MCPStdioClient {
     private readonly serverScript;
     private readonly env;
+    private readonly runtimeOverride;
     private child;
     private requestId;
     private readonly pending;
     private buffer;
     private initialized;
     private exited;
-    constructor(serverScript: string, env?: NodeJS.ProcessEnv);
+    /**
+     * Live env passed to the spawned child — exposed (read-only intent)
+     * so tests can pin the fork-bomb-prevention env counter (#516)
+     * without needing to attach a process-tree probe.
+     */
+    _spawnEnv: NodeJS.ProcessEnv | null;
+    constructor(serverScript: string, env?: NodeJS.ProcessEnv, runtimeOverride?: string | null);
     /** Spawn the MCP child. Idempotent. */
     start(): void;
     private onExit;
@@ -108,6 +130,9 @@ export interface BridgeHandle {
  * `execute()` callback — Pi's contract is "throw to mark the tool call
  * failed", which lets the LLM see and adapt.
  */
-export declare function bootstrapMCPTools(pi: PiLikeAPI, serverScript: string, options?: {
+export interface BootstrapOptions {
     env?: NodeJS.ProcessEnv;
-}): Promise<BridgeHandle>;
+    /** DI hook for tests: override the runtime resolver entirely. */
+    _resolveJsRuntime?: () => string | null;
+}
+export declare function bootstrapMCPTools(pi: PiLikeAPI, serverScript: string, options?: BootstrapOptions): Promise<BridgeHandle>;

package/build/adapters/pi/mcp-bridge.js

@@ -20,7 +20,77 @@
  *
  * No external dependencies — pure node:child_process + JSON line frames.
  */
-import { spawn } from "node:child_process";
+import { spawn, execSync } from "node:child_process";
+import { detectRuntimes } from "../../runtime.js";
+// ── Fork-bomb prevention (#516) ──────────────────────────────────────
+//
+// Original bug: `spawn(process.execPath, [serverScript])` recursively
+// re-executed the Pi binary on Bun-only systems where `process.execPath`
+// IS pi itself. Each spawn re-loaded context-mode → spawned again →
+// took the box down.
+//
+// Defence in depth:
+//   1. resolveJsRuntimeForBridge() refuses pi-named binaries even when
+//      detectRuntimes() returns one, falling back to PATH-resolved
+//      node/bun.
+//   2. Spawn passes CONTEXT_MODE_BRIDGE_DEPTH=1 in child env so any
+//      transitive bridge load can detect the recursion via env counter.
+//   3. bootstrapMCPTools() aborts if CONTEXT_MODE_BRIDGE_DEPTH > 0 in
+//      its own env — catches recursion that bypasses the binary-name
+//      check (e.g. a `node` shim that re-execs Pi).
+const PI_BINARY_BASENAME = /^pi(\.exe)?$/i;
+const BRIDGE_DEPTH_ENV = "CONTEXT_MODE_BRIDGE_DEPTH";
+const isWindows = process.platform === "win32";
+function basename(p) {
+    const segs = p.split(/[\\/]/);
+    return segs[segs.length - 1] ?? "";
+}
+function whichOnPath(cmd) {
+    try {
+        const probe = isWindows ? `where ${cmd}` : `command -v ${cmd}`;
+        const out = execSync(probe, { encoding: "utf-8", stdio: "pipe" })
+            .trim()
+            .split(/\r?\n/)[0]
+            ?.trim();
+        return out && out.length > 0 ? out : null;
+    }
+    catch {
+        return null;
+    }
+}
+/**
+ * Resolve a JS runtime safe to spawn the MCP server with.
+ *
+ * Returns `null` when no real runtime is reachable (caller must skip
+ * the bridge gracefully — see bootstrapMCPTools). Pi-named binaries are
+ * explicitly rejected at every step to prevent the #516 fork bomb.
+ */
+export function resolveJsRuntimeForBridge(deps = {}) {
+    const detect = deps.detect ?? (() => detectRuntimes());
+    const which = deps.which ?? whichOnPath;
+    const execPath = deps.execPath ?? process.execPath;
+    const isPi = (p) => !!p && PI_BINARY_BASENAME.test(basename(p));
+    // 1. Prefer detectRuntimes().javascript when it is NOT pi.
+    let candidate = null;
+    try {
+        candidate = detect().javascript ?? null;
+    }
+    catch {
+        candidate = null;
+    }
+    if (candidate && !isPi(candidate))
+        return candidate;
+    // 2. Fall back to PATH-resolved node, then bun.
+    for (const cmd of ["node", "bun"]) {
+        const resolved = which(cmd);
+        if (resolved && !isPi(resolved))
+            return resolved;
+    }
+    // 3. Last resort: process.execPath only if it is not pi.
+    if (execPath && !isPi(execPath))
+        return execPath;
+    return null;
+}
 const DEFAULT_REQUEST_TIMEOUT_MS = 60_000;
 // Tools/call may run shell commands or fetch URLs — wider window than
 // initialize/list, but still bounded so a hung server can't block Pi.
@@ -40,28 +110,49 @@ const DEFAULT_CALL_TIMEOUT_MS = 120_000;
 export class MCPStdioClient {
     serverScript;
     env;
+    runtimeOverride;
     child = null;
     requestId = 0;
     pending = new Map();
     buffer = "";
     initialized = false;
     exited = false;
-    constructor(serverScript, env = process.env) {
+    /**
+     * Live env passed to the spawned child — exposed (read-only intent)
+     * so tests can pin the fork-bomb-prevention env counter (#516)
+     * without needing to attach a process-tree probe.
+     */
+    _spawnEnv = null;
+    constructor(serverScript, env = process.env, runtimeOverride = null) {
         this.serverScript = serverScript;
         this.env = env;
+        this.runtimeOverride = runtimeOverride;
     }
     /** Spawn the MCP child. Idempotent. */
     start() {
         if (this.child)
             return;
         this.exited = false;
-        this.child = spawn(process.execPath, [this.serverScript], {
+        // Pick a JS runtime that is NOT the host process (#516). When Pi
+        // is the host binary, process.execPath would re-exec Pi and fork
+        // bomb the box. resolveJsRuntimeForBridge prefers bun/node and
+        // explicitly rejects pi-named binaries.
+        const runtime = this.runtimeOverride ?? resolveJsRuntimeForBridge() ?? process.execPath;
+        // Increment the depth counter so any transitive bridge load inside
+        // the child can short-circuit before spawning yet another server.
+        const depth = Number.parseInt(this.env[BRIDGE_DEPTH_ENV] ?? "0", 10);
+        const childEnv = {
+            ...this.env,
+            [BRIDGE_DEPTH_ENV]: String(Number.isFinite(depth) ? depth + 1 : 1),
+        };
+        this._spawnEnv = childEnv;
+        this.child = spawn(runtime, [this.serverScript], {
             // Pipe stderr (#472 round-3): swallowing it via "ignore" hides
             // server crash diagnostics — the user only saw "ctx_* tools will
             // not be callable" with no clue WHY. Forwarding to process.stderr
             // with a [mcp-bridge] prefix lets ops grep across session noise.
             stdio: ["pipe", "pipe", "pipe"],
-            env: this.env,
+            env: childEnv,
         });
         this.child.stdout?.on("data", (chunk) => this.onData(chunk));
         this.child.stderr?.on("data", (chunk) => {
@@ -197,18 +288,40 @@ export class MCPStdioClient {
     }
 }
 /**
- * Spawn the MCP server and register each of its tools with Pi via
- * `pi.registerTool()`. The same JSON Schema returned by `tools/list` is
- * passed straight through as `parameters` — TypeBox emits JSON-Schema
- * compatible objects, so any Pi runtime that validates JSON Schema
- * accepts this shape (verified against pi 0.73.x).
- *
- * Errors during MCP `tools/call` are translated to a `throw` from the
- * `execute()` callback — Pi's contract is "throw to mark the tool call
- * failed", which lets the LLM see and adapt.
+ * Empty-but-valid handle returned when bootstrap is skipped (#516).
+ * Keeps the shutdown contract intact so callers do not need null checks.
  */
+function skippedBridge() {
+    return {
+        tools: [],
+        shutdown: () => {
+            /* nothing to shut down */
+        },
+        client: new MCPStdioClient("/dev/null"),
+    };
+}
 export async function bootstrapMCPTools(pi, serverScript, options = {}) {
-    const client = new MCPStdioClient(serverScript, options.env);
+    const env = options.env ?? process.env;
+    // Recursion guard (#516): if an ancestor bridge already incremented
+    // the depth counter, refuse to spawn another child — even if the
+    // binary-name check would let us through. Catches `node` shims that
+    // re-exec Pi and other host swaps that bypass basename detection.
+    const depth = Number.parseInt(env[BRIDGE_DEPTH_ENV] ?? "0", 10);
+    if (Number.isFinite(depth) && depth > 0) {
+        process.stderr.write(`[context-mode] WARNING: skipping MCP bridge — ${BRIDGE_DEPTH_ENV}=${depth} ` +
+            `indicates recursion (fork-bomb guard, #516). ctx_* tools will not be callable.\n`);
+        return skippedBridge();
+    }
+    // Runtime guard (#516): when neither node nor bun is on PATH and the
+    // host process is pi, there is no safe binary to spawn. Log once and
+    // return an empty handle — the rest of the extension keeps working.
+    const runtime = (options._resolveJsRuntime ?? resolveJsRuntimeForBridge)();
+    if (runtime === null) {
+        process.stderr.write(`[context-mode] WARNING: no JS runtime found (need node or bun on PATH). ` +
+            `Skipping MCP bridge to avoid fork bomb (#516). ctx_* tools will not be callable.\n`);
+        return skippedBridge();
+    }
+    const client = new MCPStdioClient(serverScript, env, runtime);
     client.start();
     await client.initialize();
     const tools = await client.listTools();

package/build/adapters/qwen-code/index.js

@@ -12,7 +12,7 @@
  *   - MCP clientInfo: qwen-cli-mcp-client-* (pattern)
  *   - 12 hook events (superset of Claude's 5, but context-mode uses the shared 5)
  */
-import { readFileSync, existsSync, } from "node:fs";
+import { readFileSync, writeFileSync, existsSync, } from "node:fs";
 import { resolve, join } from "node:path";
 import { homedir } from "node:os";
 import { ClaudeCodeBaseAdapter } from "../claude-code-base.js";
@@ -110,7 +110,11 @@ export class QwenCodeAdapter extends ClaudeCodeBaseAdapter {
         }
     }
     writeSettings(settings) {
-        const { writeFileSync } = require("node:fs");
+        // Issue #511: use top-level static import (line 18) — never inline
+        // `require("node:fs")` in ESM-bundled sources. esbuild rewrites them to
+        // a `__require` shim that throws `Dynamic require of "node:fs" is not
+        // supported` under Node ESM/Bun (this adapter is pulled into both
+        // server.bundle.mjs and cli.bundle.mjs via adapter detect).
         writeFileSync(this.getSettingsPath(), JSON.stringify(settings, null, 2));
     }
     // ── Diagnostics (doctor) ───────────────────────────────

package/build/cli.js

@@ -13,7 +13,7 @@
  */
 import * as p from "@clack/prompts";
 import color from "picocolors";
-import { execFileSync, execFile as nodeExecFile } from "node:child_process";
+import { execFileSync, execSync, execFile as nodeExecFile } from "node:child_process";
 import { readFileSync, writeFileSync, cpSync, accessSync, existsSync, rmSync, closeSync, openSync, chmodSync, constants } from "node:fs";
 import { request as httpsRequest } from "node:https";
 import { resolve, dirname, join } from "node:path";
@@ -22,6 +22,10 @@ import { fileURLToPath, pathToFileURL } from "node:url";
 import { detectRuntimes, getRuntimeSummary, hasBunRuntime, getAvailableLanguages, } from "./runtime.js";
 import { getHookScriptPaths } from "./util/hook-config.js";
 import { resolveClaudeConfigDir } from "./util/claude-config.js";
+// v1.0.119 — Issue #523 Layer 5 heal: post-bump assertion on .claude-plugin/plugin.json
+// mcpServers args. Single source of truth shared with start.mjs HEAL block + postinstall.
+// @ts-expect-error — JS module, no TS declarations
+import { healPluginJsonMcpServers } from "../scripts/heal-installed-plugins.mjs";
 // Private 16-LOC copy of browserOpenArgv. Canonical version lives in src/server.ts;
 // duplicated here so the cli bundle does not pull server.ts top-level boot side effects.
 // Keep in sync — pure data, no I/O.
@@ -163,11 +167,16 @@ export function npmExecFile(args, opts = {}) {
     });
 }
 export function npmExec(command, opts = {}) {
-    const { execSync: es } = require("node:child_process");
-    es(isWin ? command.replace(/^npm /, "npm.cmd ") : command, {
+    // Issue #511: use top-level static import (line 17) — never inline `require("node:...")`
+    // in ESM-bundled sources. esbuild rewrites them to a `__require` shim that throws
+    // `Dynamic require of "node:child_process" is not supported` under Node ESM/Bun.
+    // Cast preserves the prior `require()`-as-`any` shape; `shell: true` is the documented
+    // Node behavior even though @types/node typed `shell` as `string | undefined`.
+    const execOpts = {
         ...opts,
         ...(isWin ? { shell: true } : {}),
-    });
+    };
+    execSync(isWin ? command.replace(/^npm /, "npm.cmd ") : command, execOpts);
 }
 export function openInBrowser(url, platform = process.platform, runner = nodeExecFile) {
     const opts = { stdio: "ignore" };
@@ -398,7 +407,28 @@ async function doctor() {
     }
     catch (err) {
         const message = err instanceof Error ? err.message : String(err);
-        if (message.includes("Cannot find module") || message.includes("MODULE_NOT_FOUND")) {
+        // Distinguish package-missing from binding-missing (#514). Both
+        // throw with similar shapes from `import("better-sqlite3")` but the
+        // recovery commands differ:
+        //   - package-missing → `npm install better-sqlite3 --no-optional`
+        //     (npm@7+ silently drops optionalDependencies on engine
+        //     mismatch, e.g. Node 26 vs better-sqlite3@12.x — we name the
+        //     package explicitly + flip the optional filter to recover)
+        //   - binding-missing → `npm rebuild better-sqlite3` (#408 flow,
+        //     Windows + missing prebuild-install shim)
+        const pluginRootForDoctor = getPluginRoot();
+        const bsqPackageDir = resolve(pluginRootForDoctor, "node_modules", "better-sqlite3");
+        const packageMissing = !existsSync(bsqPackageDir);
+        if (packageMissing) {
+            criticalFails++;
+            p.log.error(color.red("FTS5 / better-sqlite3: FAIL") +
+                color.dim(" — package-missing") +
+                color.dim(`\n  Path: ${bsqPackageDir}` +
+                    "\n  Root cause: npm silently skipped better-sqlite3 because the package's `engines` field excluded the running Node (issue #514, e.g. Node 26 vs better-sqlite3@12.x)." +
+                    `\n  Try (primary): cd "${pluginRootForDoctor}" && npm install better-sqlite3 --no-optional` +
+                    "\n  Try (fallback): /context-mode:ctx-upgrade"));
+        }
+        else if (message.includes("Cannot find module") || message.includes("MODULE_NOT_FOUND")) {
             p.log.warn(color.yellow("FTS5 / better-sqlite3: SKIP") + color.dim(" — module not available (restart session after upgrade)"));
         }
         else {
@@ -732,6 +762,30 @@ async function upgrade() {
                 const message = err instanceof Error ? err.message : String(err);
                 throw new Error(`Registry consistency check failed: ${message}`);
             }
+            // v1.0.119 — Issue #523 — Layer 5 heal: assert .claude-plugin/plugin.json's
+            // mcpServers["context-mode"].args[0] is the literal ${CLAUDE_PLUGIN_ROOT}/start.mjs
+            // placeholder, not a tmpdir-prefixed absolute path. cli.ts already wrote .mcp.json
+            // with the placeholder (#411 fix), but plugin.json was never touched here — and
+            // start.mjs's normalize-hooks (Windows + #378) can bake in absolute paths that
+            // become stale across upgrades. We call the shared heal twice: first call cleans
+            // any drift; second call MUST return healed:[] or we throw. Single source of
+            // truth shared with start.mjs HEAL block + postinstall.
+            try {
+                const pluginCacheRoot = resolve(resolveClaudeConfigDir(), "plugins", "cache");
+                const pluginKey = "context-mode@context-mode";
+                const firstPass = healPluginJsonMcpServers({ pluginRoot, pluginCacheRoot, pluginKey });
+                if (firstPass && firstPass.error) {
+                    throw new Error(firstPass.error);
+                }
+                const secondPass = healPluginJsonMcpServers({ pluginRoot, pluginCacheRoot, pluginKey });
+                if (secondPass && Array.isArray(secondPass.healed) && secondPass.healed.length > 0) {
+                    throw new Error(`Plugin manifest drift: plugin.json mcpServers.args still poisoned after first heal pass (healed=${secondPass.healed.join(",")})`);
+                }
+            }
+            catch (err) {
+                const message = err instanceof Error ? err.message : String(err);
+                throw new Error(`plugin.json drift check failed: ${message}`);
+            }
             // v1.0.114 hotfix — marketplace post-pull assertion: clone (if
             // present) MUST be on newVersion. Mert's case showed marketplace
             // stuck at v1.0.89 — the sync block above swallowed that silently.
@@ -784,6 +838,40 @@ async function upgrade() {
                         ` — ${message}` +
                         color.dim(`\n  Try manually: cd "${pluginRoot}" && npm rebuild better-sqlite3`));
                 }
+                // ── Post-install binding verifier (#514) ────────────────────
+                // npm@7+ silently drops optionalDependencies whose engines
+                // field excludes the running Node (e.g. Node 26 vs
+                // better-sqlite3@12.x). On a silent skip the package directory
+                // is missing entirely and ensure-deps cannot recover. Fail
+                // loud so /ctx-upgrade no longer reports success while the
+                // knowledge base is unusable.
+                const bsqBindingPath = resolve(pluginRoot, "node_modules", "better-sqlite3", "build", "Release", "better_sqlite3.node");
+                if (!existsSync(bsqBindingPath)) {
+                    // Try one last self-heal — explicit, named install bypasses
+                    // the optionalDependency silent-skip path even if the dep
+                    // somehow regressed back to optional.
+                    try {
+                        const healPath = resolve(pluginRoot, "scripts", "heal-better-sqlite3.mjs");
+                        if (existsSync(healPath)) {
+                            const mod = await import(`${pathToFileURL(healPath).href}?upgrade=${Date.now()}`);
+                            if (typeof mod.healBetterSqlite3Binding === "function") {
+                                mod.healBetterSqlite3Binding(pluginRoot);
+                            }
+                        }
+                    }
+                    catch { /* best effort — verifier below will fail loud */ }
+                }
+                if (!existsSync(bsqBindingPath)) {
+                    // Mark the upgrade process for a non-zero exit at completion.
+                    // Stays in scope only for the rest of upgrade(); the actual
+                    // exit-code wiring sits below the top-level changes report.
+                    process.exitCode = 1;
+                    p.log.error(color.red("better-sqlite3 native binding: MISSING") +
+                        color.dim(`\n  Path: ${bsqBindingPath}`) +
+                        color.dim("\n  Cause: npm silently skipped the package (Node engine mismatch, issue #514)") +
+                        color.dim(`\n  Try (primary): cd "${pluginRoot}" && npm install better-sqlite3 --no-optional`) +
+                        color.dim("\n  Try (fallback): /context-mode:ctx-doctor"));
+                }
             }
             // Update global npm
             s.start("Updating npm global package");

package/build/opencode-plugin.js

@@ -179,7 +179,7 @@ async function createContextModePlugin(ctx) {
             const toolInput = output.args ?? {};
             let decision;
             try {
-                decision = routing.routePreToolUse(toolName, toolInput, projectDir, platform);
+                decision = routing.routePreToolUse(toolName, toolInput, projectDir, getPlatform());
             }
             catch {
                 return; // Routing failure → allow passthrough
@@ -194,10 +194,7 @@ async function createContextModePlugin(ctx) {
                 // Mutate output.args — OpenCode reads the mutated output object
                 Object.assign(output.args, decision.updatedInput);
             }
-            if (decision.action === "context" && decision.additionalContext) {
-                // Mutate output.args — OpenCode reads the mutated output object
-                output.args.additionalContext = decision.additionalContext;
-            }
+            // "context" action → no-op (OpenCode doesn't support context injection)
         },
         // ── PostToolUse: Session event capture ──────────────
         "tool.execute.after": async (input, output) => {