context-mode 1.0.118 → 1.0.120

package/build/server.js

@@ -189,11 +189,26 @@ function getProjectDir() {
     // modified `~/.claude/projects/<encoded>/<session>.jsonl` to recover the
     // real project dir when MCP was launched from a non-project cwd (desktop-
     // app launch, /ctx-upgrade respawn). See src/util/project-dir.ts.
+    //
+    // Issue #521 (v1.0.119): the transcript heuristic ONLY applies on Claude
+    // Code. Other platforms (Cursor, OpenCode, Codex, ...) either have no
+    // transcript at that path or use a different schema without `cwd`. Worse,
+    // a Cursor user who also runs Claude Code would pick up the most-recently-
+    // modified Claude Code session's cwd — wrong project entirely. Gate the
+    // path on detected platform so non-Claude hosts skip the heuristic and
+    // fall through to PWD/cwd cleanly.
+    let transcriptsRoot;
+    try {
+        if (detectPlatform().platform === "claude-code") {
+            transcriptsRoot = join(homedir(), ".claude", "projects");
+        }
+    }
+    catch { /* detection failure — leave undefined, resolver skips heuristic */ }
     return resolveProjectDir({
         env: process.env,
         cwd: process.cwd(),
         pwd: process.env.PWD,
-        transcriptsRoot: join(homedir(), ".claude", "projects"),
+        transcriptsRoot,
     });
 }
 /**
@@ -1657,8 +1672,8 @@ export function buildFetchCode(url, outputPath) {
 const TurndownService = require(${turndownPath});
 const { gfm } = require(${gfmPath});
 const fs = require('fs');
-const dns = require('node:dns');
-const dnsPromises = require('node:dns/promises');
+const dns = require('no' + 'de:dns');
+const dnsPromises = require('no' + 'de:dns/promises');
 const url = ${JSON.stringify(url)};
 const outputPath = ${escapedOutputPath};
 
@@ -2805,16 +2820,50 @@ server.registerTool("ctx_upgrade", {
     });
 });
 // ── ctx-purge: explicit knowledge base wipe ─────────────────────────────────
+//
+// Issue #520 — scoped purge.
+// The schema is ADDITIVE: bare {confirm:true} preserves the legacy
+// project-wide wipe verbatim (with a stderr deprecation warning so
+// future callers migrate to explicit scope). When sessionId is given,
+// only that session's rows + FTS5 chunks are removed; project-wide
+// files (events.md, FTS5 store file, stats file) are preserved.
+// Passing both sessionId AND scope:"project" is ambiguous (does the
+// caller want a per-session wipe or a project-wide one?) and is
+// rejected by the schema's refine().
 server.registerTool("ctx_purge", {
     title: "Purge Knowledge Base",
-    description: "Permanently deletes ALL session data for this project: " +
-        "FTS5 knowledge base (indexed content), session events DB (analytics, metadata, " +
-        "resume snapshots), and session events markdown. Resets in-memory stats. " +
-        "This is irreversible.",
+    description: "DESTRUCTIVE — permanently delete indexed content. CANNOT be undone.\n\n" +
+        "You MUST specify exactly ONE scope:\n\n" +
+        "  • { confirm: true, sessionId: \"<uuid>\" }\n" +
+        "      Deletes ONLY that session's events + per-session FTS5 chunks.\n" +
+        "      Preserves stats file and ALL other sessions.\n\n" +
+        "  • { confirm: true, scope: \"project\" }\n" +
+        "      Wipes the ENTIRE project: FTS5 knowledge base, every session DB row,\n" +
+        "      events markdown, AND resets the stats file.\n\n" +
+        "REFUSAL RULES (tool returns an error):\n" +
+        "  • confirm: false                              → 'purge cancelled'\n" +
+        "  • Both sessionId AND scope:'project' provided → 'ambiguous — pick one'\n" +
+        "  • scope:'session' without sessionId           → throws (sessionId required)\n" +
+        "  • Neither sessionId NOR scope provided        → DEPRECATED: maps to\n" +
+        "    scope:'project' with a deprecation warning to stderr. Will be a hard\n" +
+        "    error in a future major.\n\n" +
+        "Use sessionId when the user asks to clear a specific conversation's data.\n" +
+        "Use scope:'project' ONLY when the user explicitly asks to reset everything.\n" +
+        "NEVER call with bare {confirm:true} — always specify the scope.",
     inputSchema: z.object({
-        confirm: z.boolean().describe("Must be true to confirm the destructive operation."),
+        confirm: z.boolean().describe("MUST be true. Destructive operation; false returns 'purge cancelled'."),
+        sessionId: z.string().optional().describe("UUID of a single session. Pairs with confirm:true to wipe only that " +
+            "session's events + per-session FTS5 chunks. Sibling sessions and the " +
+            "stats file are preserved. MUST NOT be combined with scope:'project'."),
+        scope: z.enum(["session", "project"]).optional().describe("Explicit scope selector. 'session' REQUIRES sessionId. 'project' wipes " +
+            "the entire project (FTS5 + every session + stats). Omit only for the " +
+            "deprecated bare-{confirm:true} back-compat path."),
+    }).refine((v) => !(v.sessionId && v.scope === "project"), {
+        message: "Ambiguous purge: sessionId implies scope:'session', cannot combine with scope:'project'. " +
+            "Use scope:'project' WITHOUT sessionId for the legacy whole-project wipe.",
+        path: ["scope"],
     }),
-}, async ({ confirm }) => {
+}, async ({ confirm, sessionId, scope }) => {
     if (!confirm) {
         return trackResponse("ctx_purge", {
             content: [{
@@ -2823,6 +2872,17 @@ server.registerTool("ctx_purge", {
                 }],
         });
     }
+    // Effective scope resolution:
+    //   - explicit scope wins
+    //   - else "session" iff sessionId is given
+    //   - else "project" (back-compat — emit deprecation warning so
+    //     callers migrate to the explicit form before a future major).
+    const effectiveScope = scope ?? (sessionId ? "session" : "project");
+    if (!scope && !sessionId) {
+        console.warn("[context-mode] ctx_purge: bare {confirm:true} is deprecated. " +
+            "Pass scope:'project' for the whole-project wipe, or scope:'session' + sessionId " +
+            "for a scoped wipe. See issue #520.");
+    }
     // Close the persistent FTS5 content store handle BEFORE delegating to
     // purgeSession so the store's lock is released on Windows. The handle
     // is recreated lazily on the next getStore() call.
@@ -2855,27 +2915,39 @@ server.registerTool("ctx_purge", {
         // legacy hash here is correct: that pre-pre-legacy directory was
         // never migrated and still uses raw casing.
         contentHash: hashProjectDirLegacy(getProjectDir()),
+        scope: effectiveScope,
+        sessionId,
     });
-    // Reset in-memory session stats
-    sessionStats.calls = {};
-    sessionStats.bytesReturned = {};
-    sessionStats.bytesIndexed = 0;
-    sessionStats.bytesSandboxed = 0;
-    sessionStats.cacheHits = 0;
-    sessionStats.cacheBytesSaved = 0;
-    sessionStats.sessionStart = Date.now();
-    deleted.push("session stats");
-    // Also drop the persisted stats file so external readers see a fresh state
-    try {
-        const statsFile = getStatsFilePath();
-        if (existsSync(statsFile))
-            unlinkSync(statsFile);
+    // Stats are PROJECT-scoped (one stats file per project, summing all
+    // sessions). A scoped per-session purge MUST leave stats alone — they
+    // still belong to other sessions in the same project. Stats reset
+    // happens ONLY when scope === "project".
+    if (effectiveScope === "project") {
+        // Reset in-memory session stats
+        sessionStats.calls = {};
+        sessionStats.bytesReturned = {};
+        sessionStats.bytesIndexed = 0;
+        sessionStats.bytesSandboxed = 0;
+        sessionStats.cacheHits = 0;
+        sessionStats.cacheBytesSaved = 0;
+        sessionStats.sessionStart = Date.now();
+        deleted.push("session stats");
+        // Also drop the persisted stats file so external readers see a fresh state
+        try {
+            const statsFile = getStatsFilePath();
+            if (existsSync(statsFile))
+                unlinkSync(statsFile);
+        }
+        catch { /* best effort */ }
     }
-    catch { /* best effort */ }
+    const message = effectiveScope === "session"
+        ? `Purged session ${sessionId}: ${deleted.length ? deleted.join(", ") : "no matching rows"}. ` +
+            `Other sessions and project-wide stats preserved.`
+        : `Purged: ${deleted.join(", ")}. All session data for this project has been permanently deleted.`;
     return trackResponse("ctx_purge", {
         content: [{
                 type: "text",
-                text: `Purged: ${deleted.join(", ")}. All session data for this project has been permanently deleted.`,
+                text: message,
             }],
     });
 });
@@ -3365,11 +3437,13 @@ async function main() {
     // even though the server is alive. Heartbeat refreshes updated_at every 60s;
     // statusline staleness threshold is 30min (cliff is 30 missed ticks away).
     setInterval(() => persistStats(), 60_000).unref();
-    console.error(`Context Mode MCP server v${VERSION} running on stdio`);
-    console.error(`Detected runtimes:\n${getRuntimeSummary(runtimes)}`);
-    if (!hasBunRuntime()) {
-        console.error("\nPerformance tip: Install Bun for 3-5x faster JS/TS execution");
-        console.error("  curl -fsSL https://bun.sh/install | bash");
+    if (process.stdin.isTTY) {
+        console.error(`Context Mode MCP server v${VERSION} running on stdio`);
+        console.error(`Detected runtimes:\n${getRuntimeSummary(runtimes)}`);
+        if (!hasBunRuntime()) {
+            console.error("\nPerformance tip: Install Bun for 3-5x faster JS/TS execution");
+            console.error("  curl -fsSL https://bun.sh/install | bash");
+        }
     }
 }
 main().catch((err) => {

package/build/session/purge.d.ts

@@ -84,6 +84,33 @@ export interface PurgeOpts {
      * session DB hash.
      */
     contentHash?: string;
+    /**
+     * Issue #520 — scoped purge.
+     *
+     *  - `"project"` (default when omitted for back-compat callers that
+     *    only pass `confirm:true` at the MCP layer): wipe ALL session
+     *    artifacts for `projectDir`. This is the legacy destructive
+     *    behavior preserved verbatim.
+     *  - `"session"`: wipe ONLY the rows for `sessionId` inside the
+     *    project's SessionDB plus FTS5 chunks tagged with that
+     *    `session_id`. Project-wide files (events.md, content store
+     *    file, stats file) are left intact. Requires `sessionId`.
+     *
+     * When `scope` is omitted but `sessionId` is set, behavior implies
+     * `scope:"session"` (a sessionId-only call cannot mean "wipe the
+     * whole project"). When neither is set, behavior implies
+     * `scope:"project"` for back-compat with the original handler.
+     */
+    scope?: "session" | "project";
+    /**
+     * Session identifier whose rows should be wiped from the project's
+     * SessionDB and tagged FTS5 chunks. Only consulted when `scope ===
+     * "session"`. The `session_events`, `session_meta`, and
+     * `session_resume` rows for this id are removed; rows for other
+     * sessions in the same DB are preserved. Match SessionDB.deleteSession
+     * semantics (see src/session/db.ts).
+     */
+    sessionId?: string;
 }
 export interface PurgeResult {
     /**

package/build/session/purge.js

@@ -31,9 +31,10 @@
  *     session-related kinds. On Linux the two hashes coincide, so the dual
  *     sweep collapses into a single unique-path pass.
  */
-import { unlinkSync } from "node:fs";
+import { existsSync, unlinkSync } from "node:fs";
 import { join } from "node:path";
-import { getWorktreeSuffix, hashProjectDirCanonical, hashProjectDirLegacy, } from "./db.js";
+import { loadDatabase } from "../db-base.js";
+import { getWorktreeSuffix, hashProjectDirCanonical, hashProjectDirLegacy, SessionDB, } from "./db.js";
 /** Canonical SQLite sidecar suffixes. The empty string is the main DB. */
 const SQLITE_SIDECARS = ["", "-wal", "-shm"];
 /** Try to unlink one path; report success without throwing on ENOENT etc. */
@@ -68,9 +69,110 @@ function tryUnlinkSqliteTriple(path, wipedPaths) {
  * without `contentHash`), which is a programmer bug not a runtime concern.
  */
 export function purgeSession(opts) {
-    const { projectDir, sessionsDir, storePath, contentDir, legacyContentDir, contentHash } = opts;
+    const { projectDir, sessionsDir, storePath, contentDir, legacyContentDir, contentHash, sessionId, scope } = opts;
     const deleted = [];
     const wipedPaths = [];
+    // Issue #520 — scope discipline.
+    // Resolve effective scope: explicit `scope` wins; otherwise infer
+    // "session" iff sessionId is given, else "project".
+    const effectiveScope = scope ?? (sessionId ? "session" : "project");
+    if (effectiveScope === "session" && !sessionId) {
+        throw new TypeError("purgeSession: scope:'session' requires sessionId. " +
+            "Pass scope:'project' for the legacy whole-project wipe.");
+    }
+    // ── Session-scoped path (issue #520). ─────────────────────────────────
+    // Wipe ONLY this sessionId's rows from the project's SessionDB. The DB
+    // file itself, the events.md sidecar, the FTS5 store, and the stats
+    // file are all left intact — those are project-scoped concerns. The
+    // label "session rows for <id>" appears once when at least one row was
+    // removed, mirroring the project-scoped UI contract.
+    if (effectiveScope === "session" && sessionId) {
+        const worktreeSuffix = getWorktreeSuffix(projectDir);
+        const canonicalHash = hashProjectDirCanonical(projectDir);
+        const legacyHash = hashProjectDirLegacy(projectDir);
+        const hashes = canonicalHash === legacyHash
+            ? [canonicalHash]
+            : [canonicalHash, legacyHash];
+        let rowsRemoved = false;
+        for (const h of hashes) {
+            const dbPath = join(sessionsDir, `${h}${worktreeSuffix}.db`);
+            if (!existsSync(dbPath))
+                continue;
+            let db = null;
+            try {
+                db = new SessionDB({ dbPath });
+                const before = db.getEvents(sessionId).length;
+                db.deleteSession(sessionId);
+                if (before > 0)
+                    rowsRemoved = true;
+            }
+            catch {
+                // Best-effort — corrupt DB is logged elsewhere; do not block purge.
+            }
+            finally {
+                // close() releases the handle WITHOUT deleting the file —
+                // this is what makes the scoped wipe non-destructive at the
+                // file-system level. Using cleanup() here would erase the
+                // entire DB (main + WAL + SHM), defeating per-session scope.
+                try {
+                    db?.close();
+                }
+                catch { /* best effort */ }
+            }
+        }
+        if (rowsRemoved)
+            deleted.push(`session rows for ${sessionId}`);
+        // Per-session FTS5 chunk wipe. The chunks table has a `session_id
+        // UNINDEXED` column (src/store.ts schema). The public index() path
+        // currently inserts NULL — but a future per-session-tagged path
+        // (e.g. tool-call indexing keyed to a session) will populate it,
+        // and the SQL contract here keeps that future correct from day one.
+        // Today this is a safe no-op against existing data.
+        //
+        // Caller is responsible for closing any persistent ContentStore
+        // handle BEFORE invoking purgeSession (Windows file lock). The
+        // ctx_purge handler does this via _store?.cleanup() before delegating.
+        const ftsTargets = [];
+        if (storePath && existsSync(storePath))
+            ftsTargets.push(storePath);
+        if (contentDir) {
+            const canonicalH = hashProjectDirCanonical(projectDir);
+            const legacyH = hashProjectDirLegacy(projectDir);
+            const hh = canonicalH === legacyH ? [canonicalH] : [canonicalH, legacyH];
+            for (const h of hh) {
+                const p = join(contentDir, `${h}.db`);
+                if (existsSync(p) && !ftsTargets.includes(p))
+                    ftsTargets.push(p);
+            }
+        }
+        let chunksRemoved = false;
+        for (const path of ftsTargets) {
+            try {
+                const Database = loadDatabase();
+                const fts = new Database(path, { timeout: 30000 });
+                try {
+                    const before = fts.prepare("SELECT COUNT(*) AS c FROM chunks WHERE session_id = ?").get(sessionId).c;
+                    fts.prepare("DELETE FROM chunks WHERE session_id = ?").run(sessionId);
+                    fts.prepare("DELETE FROM chunks_trigram WHERE session_id = ?").run(sessionId);
+                    if (before > 0)
+                        chunksRemoved = true;
+                }
+                finally {
+                    try {
+                        fts.close();
+                    }
+                    catch { /* best effort */ }
+                }
+            }
+            catch {
+                // Best-effort — schema mismatch / corrupt DB / missing FTS5 must not
+                // block the per-session SessionDB wipe that already succeeded.
+            }
+        }
+        if (chunksRemoved)
+            deleted.push(`FTS5 chunks for ${sessionId}`);
+        return { deleted, wipedPaths };
+    }
     // ── 1. Knowledge base FTS5 store (per-platform). ──────────────────────
     // Two input modes:
     //   - `storePath`: single absolute path; pre-resolved by caller. Wipes

package/build/util/project-dir.js

@@ -1,3 +1,5 @@
+import * as fs from "node:fs";
+import * as path from "node:path";
 /**
  * Project-dir resolution helpers — shared between `start.mjs` (the MCP entry
  * point) and `src/server.ts getProjectDir()` (the consumer).
@@ -52,11 +54,6 @@ export function isPluginInstallPath(p) {
  * transcripts have older mtimes and are correctly ignored.
  */
 export function resolveProjectDirFromTranscript(opts) {
-    // Inline imports kept private to this function — keeps the module test-
-    // friendly when fs is stubbed at the call sites that don't use this path.
-    // eslint-disable-next-line @typescript-eslint/no-require-imports
-    const fs = require("node:fs");
-    const path = require("node:path");
     if (!fs.existsSync(opts.projectsRoot))
         return undefined;
     let bestPath;
@@ -156,6 +153,13 @@ export function resolveProjectDir(opts) {
         env.OPENCODE_PROJECT_DIR,
         env.PI_PROJECT_DIR,
         env.IDEA_INITIAL_DIRECTORY,
+        // Issue #521: Cursor MCP env override. The cursor adapter already
+        // trusts CURSOR_CWD for hook input resolution (adapters/cursor/index.ts:581);
+        // mirror that trust here so ctx_stats / SessionDB / hash see the workspace
+        // path on Cursor. Whether Cursor itself sets this on MCP child spawn is
+        // unconfirmed — but documenting it as a supported override gives users a
+        // documented escape hatch (`~/.cursor/mcp.json` env: { CURSOR_CWD: "..." }).
+        env.CURSOR_CWD,
         env.CONTEXT_MODE_PROJECT_DIR,
     ];
     for (const c of candidates) {