context-mode 1.0.119 → 1.0.120

package/.claude-plugin/marketplace.json

@@ -6,14 +6,14 @@
   },
   "metadata": {
     "description": "Claude Code plugins by Mert Koseoğlu",
-    "version": "1.0.119"
+    "version": "1.0.120"
   },
   "plugins": [
     {
       "name": "context-mode",
       "source": "./",
       "description": "Claude Code MCP plugin that saves 98% of your context window. Sandboxed code execution in 11 languages, FTS5 knowledge base with BM25 ranking, and intent-driven search.",
-      "version": "1.0.119",
+      "version": "1.0.120",
       "author": {
         "name": "Mert Koseoğlu"
       },

package/.claude-plugin/plugin.json

@@ -1,6 +1,6 @@
 {
   "name": "context-mode",
-  "version": "1.0.119",
+  "version": "1.0.120",
   "description": "MCP server that saves 98% of your context window with session continuity. Sandboxed code execution in 11 languages, FTS5 knowledge base with BM25 ranking, and automatic state restore across compactions.",
   "author": {
     "name": "Mert Koseoğlu",

package/.openclaw-plugin/openclaw.plugin.json

@@ -3,7 +3,7 @@
   "name": "Context Mode",
   "kind": "tool",
   "description": "OpenClaw plugin that saves 98% of your context window. Sandboxed code execution in 11 languages, FTS5 knowledge base with BM25 ranking, and intent-driven search.",
-  "version": "1.0.119",
+  "version": "1.0.120",
   "sandbox": {
     "mode": "permissive",
     "filesystem_access": "full",

package/.openclaw-plugin/package.json

@@ -1,6 +1,6 @@
 {
   "name": "context-mode",
-  "version": "1.0.119",
+  "version": "1.0.120",
   "description": "OpenClaw plugin that saves 98% of your context window. Sandboxed code execution in 11 languages, FTS5 knowledge base with BM25 ranking, and intent-driven search.",
   "author": {
     "name": "Mert Koseoğlu",

package/build/adapters/openclaw/mcp-tools.js

@@ -175,7 +175,16 @@ export const OPENCLAW_TOOL_DEFS = [
     },
     {
         name: "ctx_purge",
-        description: "Permanently delete all indexed content and reset session stats. Destructive.",
+        description: "DESTRUCTIVE — permanently delete indexed content. CANNOT be undone.\n\n" +
+            "MUST specify exactly ONE scope:\n" +
+            "  • {confirm:true, sessionId:\"<uuid>\"}  → wipes ONLY that session's events + chunks; preserves stats and other sessions\n" +
+            "  • {confirm:true, scope:\"project\"}      → wipes ENTIRE project: FTS5 KB + every session DB + stats file\n\n" +
+            "REFUSED:\n" +
+            "  • confirm:false                              → 'purge cancelled'\n" +
+            "  • sessionId AND scope:\"project\" together     → 'ambiguous — pick one'\n" +
+            "  • scope:\"session\" without sessionId          → throws\n" +
+            "  • bare {confirm:true}                        → DEPRECATED: maps to scope:\"project\" with stderr warning\n\n" +
+            "Use sessionId for clearing one conversation. Use scope:\"project\" only when the user explicitly resets everything. NEVER call with bare {confirm:true}.",
         parameters: {
             type: "object",
             properties: {},

package/build/server.js

@@ -2820,16 +2820,50 @@ server.registerTool("ctx_upgrade", {
     });
 });
 // ── ctx-purge: explicit knowledge base wipe ─────────────────────────────────
+//
+// Issue #520 — scoped purge.
+// The schema is ADDITIVE: bare {confirm:true} preserves the legacy
+// project-wide wipe verbatim (with a stderr deprecation warning so
+// future callers migrate to explicit scope). When sessionId is given,
+// only that session's rows + FTS5 chunks are removed; project-wide
+// files (events.md, FTS5 store file, stats file) are preserved.
+// Passing both sessionId AND scope:"project" is ambiguous (does the
+// caller want a per-session wipe or a project-wide one?) and is
+// rejected by the schema's refine().
 server.registerTool("ctx_purge", {
     title: "Purge Knowledge Base",
-    description: "Permanently deletes ALL session data for this project: " +
-        "FTS5 knowledge base (indexed content), session events DB (analytics, metadata, " +
-        "resume snapshots), and session events markdown. Resets in-memory stats. " +
-        "This is irreversible.",
+    description: "DESTRUCTIVE — permanently delete indexed content. CANNOT be undone.\n\n" +
+        "You MUST specify exactly ONE scope:\n\n" +
+        "  • { confirm: true, sessionId: \"<uuid>\" }\n" +
+        "      Deletes ONLY that session's events + per-session FTS5 chunks.\n" +
+        "      Preserves stats file and ALL other sessions.\n\n" +
+        "  • { confirm: true, scope: \"project\" }\n" +
+        "      Wipes the ENTIRE project: FTS5 knowledge base, every session DB row,\n" +
+        "      events markdown, AND resets the stats file.\n\n" +
+        "REFUSAL RULES (tool returns an error):\n" +
+        "  • confirm: false                              → 'purge cancelled'\n" +
+        "  • Both sessionId AND scope:'project' provided → 'ambiguous — pick one'\n" +
+        "  • scope:'session' without sessionId           → throws (sessionId required)\n" +
+        "  • Neither sessionId NOR scope provided        → DEPRECATED: maps to\n" +
+        "    scope:'project' with a deprecation warning to stderr. Will be a hard\n" +
+        "    error in a future major.\n\n" +
+        "Use sessionId when the user asks to clear a specific conversation's data.\n" +
+        "Use scope:'project' ONLY when the user explicitly asks to reset everything.\n" +
+        "NEVER call with bare {confirm:true} — always specify the scope.",
     inputSchema: z.object({
-        confirm: z.boolean().describe("Must be true to confirm the destructive operation."),
+        confirm: z.boolean().describe("MUST be true. Destructive operation; false returns 'purge cancelled'."),
+        sessionId: z.string().optional().describe("UUID of a single session. Pairs with confirm:true to wipe only that " +
+            "session's events + per-session FTS5 chunks. Sibling sessions and the " +
+            "stats file are preserved. MUST NOT be combined with scope:'project'."),
+        scope: z.enum(["session", "project"]).optional().describe("Explicit scope selector. 'session' REQUIRES sessionId. 'project' wipes " +
+            "the entire project (FTS5 + every session + stats). Omit only for the " +
+            "deprecated bare-{confirm:true} back-compat path."),
+    }).refine((v) => !(v.sessionId && v.scope === "project"), {
+        message: "Ambiguous purge: sessionId implies scope:'session', cannot combine with scope:'project'. " +
+            "Use scope:'project' WITHOUT sessionId for the legacy whole-project wipe.",
+        path: ["scope"],
     }),
-}, async ({ confirm }) => {
+}, async ({ confirm, sessionId, scope }) => {
     if (!confirm) {
         return trackResponse("ctx_purge", {
             content: [{
@@ -2838,6 +2872,17 @@ server.registerTool("ctx_purge", {
                 }],
         });
     }
+    // Effective scope resolution:
+    //   - explicit scope wins
+    //   - else "session" iff sessionId is given
+    //   - else "project" (back-compat — emit deprecation warning so
+    //     callers migrate to the explicit form before a future major).
+    const effectiveScope = scope ?? (sessionId ? "session" : "project");
+    if (!scope && !sessionId) {
+        console.warn("[context-mode] ctx_purge: bare {confirm:true} is deprecated. " +
+            "Pass scope:'project' for the whole-project wipe, or scope:'session' + sessionId " +
+            "for a scoped wipe. See issue #520.");
+    }
     // Close the persistent FTS5 content store handle BEFORE delegating to
     // purgeSession so the store's lock is released on Windows. The handle
     // is recreated lazily on the next getStore() call.
@@ -2870,27 +2915,39 @@ server.registerTool("ctx_purge", {
         // legacy hash here is correct: that pre-pre-legacy directory was
         // never migrated and still uses raw casing.
         contentHash: hashProjectDirLegacy(getProjectDir()),
+        scope: effectiveScope,
+        sessionId,
     });
-    // Reset in-memory session stats
-    sessionStats.calls = {};
-    sessionStats.bytesReturned = {};
-    sessionStats.bytesIndexed = 0;
-    sessionStats.bytesSandboxed = 0;
-    sessionStats.cacheHits = 0;
-    sessionStats.cacheBytesSaved = 0;
-    sessionStats.sessionStart = Date.now();
-    deleted.push("session stats");
-    // Also drop the persisted stats file so external readers see a fresh state
-    try {
-        const statsFile = getStatsFilePath();
-        if (existsSync(statsFile))
-            unlinkSync(statsFile);
+    // Stats are PROJECT-scoped (one stats file per project, summing all
+    // sessions). A scoped per-session purge MUST leave stats alone — they
+    // still belong to other sessions in the same project. Stats reset
+    // happens ONLY when scope === "project".
+    if (effectiveScope === "project") {
+        // Reset in-memory session stats
+        sessionStats.calls = {};
+        sessionStats.bytesReturned = {};
+        sessionStats.bytesIndexed = 0;
+        sessionStats.bytesSandboxed = 0;
+        sessionStats.cacheHits = 0;
+        sessionStats.cacheBytesSaved = 0;
+        sessionStats.sessionStart = Date.now();
+        deleted.push("session stats");
+        // Also drop the persisted stats file so external readers see a fresh state
+        try {
+            const statsFile = getStatsFilePath();
+            if (existsSync(statsFile))
+                unlinkSync(statsFile);
+        }
+        catch { /* best effort */ }
     }
-    catch { /* best effort */ }
+    const message = effectiveScope === "session"
+        ? `Purged session ${sessionId}: ${deleted.length ? deleted.join(", ") : "no matching rows"}. ` +
+            `Other sessions and project-wide stats preserved.`
+        : `Purged: ${deleted.join(", ")}. All session data for this project has been permanently deleted.`;
     return trackResponse("ctx_purge", {
         content: [{
                 type: "text",
-                text: `Purged: ${deleted.join(", ")}. All session data for this project has been permanently deleted.`,
+                text: message,
             }],
     });
 });

package/build/session/purge.d.ts

@@ -84,6 +84,33 @@ export interface PurgeOpts {
      * session DB hash.
      */
     contentHash?: string;
+    /**
+     * Issue #520 — scoped purge.
+     *
+     *  - `"project"` (default when omitted for back-compat callers that
+     *    only pass `confirm:true` at the MCP layer): wipe ALL session
+     *    artifacts for `projectDir`. This is the legacy destructive
+     *    behavior preserved verbatim.
+     *  - `"session"`: wipe ONLY the rows for `sessionId` inside the
+     *    project's SessionDB plus FTS5 chunks tagged with that
+     *    `session_id`. Project-wide files (events.md, content store
+     *    file, stats file) are left intact. Requires `sessionId`.
+     *
+     * When `scope` is omitted but `sessionId` is set, behavior implies
+     * `scope:"session"` (a sessionId-only call cannot mean "wipe the
+     * whole project"). When neither is set, behavior implies
+     * `scope:"project"` for back-compat with the original handler.
+     */
+    scope?: "session" | "project";
+    /**
+     * Session identifier whose rows should be wiped from the project's
+     * SessionDB and tagged FTS5 chunks. Only consulted when `scope ===
+     * "session"`. The `session_events`, `session_meta`, and
+     * `session_resume` rows for this id are removed; rows for other
+     * sessions in the same DB are preserved. Match SessionDB.deleteSession
+     * semantics (see src/session/db.ts).
+     */
+    sessionId?: string;
 }
 export interface PurgeResult {
     /**

package/build/session/purge.js

@@ -31,9 +31,10 @@
  *     session-related kinds. On Linux the two hashes coincide, so the dual
  *     sweep collapses into a single unique-path pass.
  */
-import { unlinkSync } from "node:fs";
+import { existsSync, unlinkSync } from "node:fs";
 import { join } from "node:path";
-import { getWorktreeSuffix, hashProjectDirCanonical, hashProjectDirLegacy, } from "./db.js";
+import { loadDatabase } from "../db-base.js";
+import { getWorktreeSuffix, hashProjectDirCanonical, hashProjectDirLegacy, SessionDB, } from "./db.js";
 /** Canonical SQLite sidecar suffixes. The empty string is the main DB. */
 const SQLITE_SIDECARS = ["", "-wal", "-shm"];
 /** Try to unlink one path; report success without throwing on ENOENT etc. */
@@ -68,9 +69,110 @@ function tryUnlinkSqliteTriple(path, wipedPaths) {
  * without `contentHash`), which is a programmer bug not a runtime concern.
  */
 export function purgeSession(opts) {
-    const { projectDir, sessionsDir, storePath, contentDir, legacyContentDir, contentHash } = opts;
+    const { projectDir, sessionsDir, storePath, contentDir, legacyContentDir, contentHash, sessionId, scope } = opts;
     const deleted = [];
     const wipedPaths = [];
+    // Issue #520 — scope discipline.
+    // Resolve effective scope: explicit `scope` wins; otherwise infer
+    // "session" iff sessionId is given, else "project".
+    const effectiveScope = scope ?? (sessionId ? "session" : "project");
+    if (effectiveScope === "session" && !sessionId) {
+        throw new TypeError("purgeSession: scope:'session' requires sessionId. " +
+            "Pass scope:'project' for the legacy whole-project wipe.");
+    }
+    // ── Session-scoped path (issue #520). ─────────────────────────────────
+    // Wipe ONLY this sessionId's rows from the project's SessionDB. The DB
+    // file itself, the events.md sidecar, the FTS5 store, and the stats
+    // file are all left intact — those are project-scoped concerns. The
+    // label "session rows for <id>" appears once when at least one row was
+    // removed, mirroring the project-scoped UI contract.
+    if (effectiveScope === "session" && sessionId) {
+        const worktreeSuffix = getWorktreeSuffix(projectDir);
+        const canonicalHash = hashProjectDirCanonical(projectDir);
+        const legacyHash = hashProjectDirLegacy(projectDir);
+        const hashes = canonicalHash === legacyHash
+            ? [canonicalHash]
+            : [canonicalHash, legacyHash];
+        let rowsRemoved = false;
+        for (const h of hashes) {
+            const dbPath = join(sessionsDir, `${h}${worktreeSuffix}.db`);
+            if (!existsSync(dbPath))
+                continue;
+            let db = null;
+            try {
+                db = new SessionDB({ dbPath });
+                const before = db.getEvents(sessionId).length;
+                db.deleteSession(sessionId);
+                if (before > 0)
+                    rowsRemoved = true;
+            }
+            catch {
+                // Best-effort — corrupt DB is logged elsewhere; do not block purge.
+            }
+            finally {
+                // close() releases the handle WITHOUT deleting the file —
+                // this is what makes the scoped wipe non-destructive at the
+                // file-system level. Using cleanup() here would erase the
+                // entire DB (main + WAL + SHM), defeating per-session scope.
+                try {
+                    db?.close();
+                }
+                catch { /* best effort */ }
+            }
+        }
+        if (rowsRemoved)
+            deleted.push(`session rows for ${sessionId}`);
+        // Per-session FTS5 chunk wipe. The chunks table has a `session_id
+        // UNINDEXED` column (src/store.ts schema). The public index() path
+        // currently inserts NULL — but a future per-session-tagged path
+        // (e.g. tool-call indexing keyed to a session) will populate it,
+        // and the SQL contract here keeps that future correct from day one.
+        // Today this is a safe no-op against existing data.
+        //
+        // Caller is responsible for closing any persistent ContentStore
+        // handle BEFORE invoking purgeSession (Windows file lock). The
+        // ctx_purge handler does this via _store?.cleanup() before delegating.
+        const ftsTargets = [];
+        if (storePath && existsSync(storePath))
+            ftsTargets.push(storePath);
+        if (contentDir) {
+            const canonicalH = hashProjectDirCanonical(projectDir);
+            const legacyH = hashProjectDirLegacy(projectDir);
+            const hh = canonicalH === legacyH ? [canonicalH] : [canonicalH, legacyH];
+            for (const h of hh) {
+                const p = join(contentDir, `${h}.db`);
+                if (existsSync(p) && !ftsTargets.includes(p))
+                    ftsTargets.push(p);
+            }
+        }
+        let chunksRemoved = false;
+        for (const path of ftsTargets) {
+            try {
+                const Database = loadDatabase();
+                const fts = new Database(path, { timeout: 30000 });
+                try {
+                    const before = fts.prepare("SELECT COUNT(*) AS c FROM chunks WHERE session_id = ?").get(sessionId).c;
+                    fts.prepare("DELETE FROM chunks WHERE session_id = ?").run(sessionId);
+                    fts.prepare("DELETE FROM chunks_trigram WHERE session_id = ?").run(sessionId);
+                    if (before > 0)
+                        chunksRemoved = true;
+                }
+                finally {
+                    try {
+                        fts.close();
+                    }
+                    catch { /* best effort */ }
+                }
+            }
+            catch {
+                // Best-effort — schema mismatch / corrupt DB / missing FTS5 must not
+                // block the per-session SessionDB wipe that already succeeded.
+            }
+        }
+        if (chunksRemoved)
+            deleted.push(`FTS5 chunks for ${sessionId}`);
+        return { deleted, wipedPaths };
+    }
     // ── 1. Knowledge base FTS5 store (per-platform). ──────────────────────
     // Two input modes:
     //   - `storePath`: single absolute path; pre-resolved by caller. Wipes