context-mode 1.0.123 → 1.0.124

package/.claude-plugin/marketplace.json

@@ -6,14 +6,14 @@
   },
   "metadata": {
     "description": "Claude Code plugins by Mert Koseoğlu",
-    "version": "1.0.123"
+    "version": "1.0.124"
   },
   "plugins": [
     {
       "name": "context-mode",
       "source": "./",
       "description": "Claude Code MCP plugin that saves 98% of your context window. Sandboxed code execution in 11 languages, FTS5 knowledge base with BM25 ranking, and intent-driven search.",
-      "version": "1.0.123",
+      "version": "1.0.124",
       "author": {
         "name": "Mert Koseoğlu"
       },

package/.claude-plugin/plugin.json

@@ -1,6 +1,6 @@
 {
   "name": "context-mode",
-  "version": "1.0.123",
+  "version": "1.0.124",
   "description": "MCP server that saves 98% of your context window with session continuity. Sandboxed code execution in 11 languages, FTS5 knowledge base with BM25 ranking, and automatic state restore across compactions.",
   "author": {
     "name": "Mert Koseoğlu",

package/.openclaw-plugin/openclaw.plugin.json

@@ -3,7 +3,7 @@
   "name": "Context Mode",
   "kind": "tool",
   "description": "OpenClaw plugin that saves 98% of your context window. Sandboxed code execution in 11 languages, FTS5 knowledge base with BM25 ranking, and intent-driven search.",
-  "version": "1.0.123",
+  "version": "1.0.124",
   "sandbox": {
     "mode": "permissive",
     "filesystem_access": "full",

package/.openclaw-plugin/package.json

@@ -1,6 +1,6 @@
 {
   "name": "context-mode",
-  "version": "1.0.123",
+  "version": "1.0.124",
   "description": "OpenClaw plugin that saves 98% of your context window. Sandboxed code execution in 11 languages, FTS5 knowledge base with BM25 ranking, and intent-driven search.",
   "author": {
     "name": "Mert Koseoğlu",

package/build/adapters/detect.d.ts

@@ -29,11 +29,55 @@ export declare function __resetClaudeCodePluginCacheForTests(): void;
  */
 export declare function __seedClaudeCodePluginCacheMissForTests(): void;
 /**
- * High-confidence env vars per platform, checked in priority order.
- * Single source of truth — consumed by detectPlatform() below and by
- * tests that need to clear platform-related env vars deterministically.
+ * Tag for each PLATFORM_ENV_VARS row.
+ *   - `workspace`: env var names a project/working directory. Used by
+ *     `resolveProjectDir({ strictPlatform })` to form the candidate list,
+ *     and by Pi's bridge to scrub foreign workspace vars on child spawn.
+ *   - `identification`: env var only signals which host is running; carries
+ *     no project path. NEVER scrubbed (some are load-bearing, e.g.
+ *     CLAUDE_PLUGIN_ROOT for hook integrations).
+ *
+ * Issue #545 — algorithmic env-leak fix. The split allows resolveProjectDir
+ * to derive ALLOW (own workspace vars) and BAN (other platforms' workspace
+ * vars) sets from a single registry, satisfying MUST-3 (15 adapters equal).
+ */
+export type EnvVarRole = "workspace" | "identification";
+export interface PlatformEnvEntry {
+    readonly name: string;
+    readonly role: EnvVarRole;
+    /**
+     * When `false`, this entry is NOT used as a high-confidence detection
+     * signal — only consumed by `workspaceEnvVarsFor`/`foreignWorkspaceEnv`
+     * (project-dir cascade and bridge env scrub). Use for consumer-set
+     * workspace vars that the host runtime never emits itself, so that a
+     * stale env var on an unrelated host does not misclassify the platform.
+     * Default: `true` (entry participates in detection).
+     *
+     * Issue #542 — PI_PROJECT_DIR / PI_WORKSPACE_DIR are consumer-set and
+     * MUST NOT trigger Pi detection on their own.
+     */
+    readonly detect?: boolean;
+}
+export declare const PLATFORM_ENV_VARS: ReadonlyMap<PlatformId, readonly PlatformEnvEntry[]>;
+/**
+ * Backwards-compat shim: legacy `string[]` shape used by detection logic and
+ * by tests that iterate the registry to clear env vars. Always returns the
+ * names in registry order.
+ */
+export declare function getEnvVarNames(platform: PlatformId): string[];
+/**
+ * Issue #545 — return only role=workspace env var names for a platform, in
+ * registry order. Empty array for adapters with no workspace var (e.g.
+ * codex, kilo, zed, antigravity, openclaw, kiro). Consumed by
+ * `resolveProjectDir({ strictPlatform })` to build the cascade.
+ */
+export declare function workspaceEnvVarsFor(platform: PlatformId): string[];
+/**
+ * Issue #545 — return the union of workspace env vars from ALL platforms
+ * EXCEPT the given one. Consumed by Pi's bridge env scrub (strip foreign
+ * workspace vars from spawned MCP child) and by the matrix regression test.
  */
-export declare const PLATFORM_ENV_VARS: readonly [readonly ["claude-code", readonly ["CLAUDE_CODE_ENTRYPOINT", "CLAUDE_PLUGIN_ROOT", "CLAUDE_PROJECT_DIR", "CLAUDE_SESSION_ID"]], readonly ["antigravity", readonly ["ANTIGRAVITY_CLI_ALIAS"]], readonly ["cursor", readonly ["CURSOR_TRACE_ID", "CURSOR_CLI"]], readonly ["kilo", readonly ["KILO", "KILO_PID"]], readonly ["opencode", readonly ["OPENCODE", "OPENCODE_PID"]], readonly ["zed", readonly ["ZED_SESSION_ID", "ZED_TERM"]], readonly ["codex", readonly ["CODEX_THREAD_ID", "CODEX_CI"]], readonly ["gemini-cli", readonly ["GEMINI_PROJECT_DIR", "GEMINI_CLI"]], readonly ["vscode-copilot", readonly ["VSCODE_PID", "VSCODE_CWD"]], readonly ["jetbrains-copilot", readonly ["IDEA_INITIAL_DIRECTORY"]], readonly ["qwen-code", readonly ["QWEN_PROJECT_DIR"]], readonly ["omp", readonly ["PI_CODING_AGENT_DIR"]], readonly ["pi", readonly ["PI_CONFIG_DIR", "PI_SESSION_FILE", "PI_COMPILED"]]];
+export declare function foreignWorkspaceEnv(platform: PlatformId): Set<string>;
 /**
  * Sync map from platform identifier → home-relative path segments where that
  * platform stores its config. Mirrors the `super([...])` argument passed by

package/build/adapters/detect.js

@@ -59,10 +59,15 @@ export function __seedClaudeCodePluginCacheMissForTests() {
 }
 /**
  * High-confidence env vars per platform, checked in priority order.
- * Single source of truth — consumed by detectPlatform() below and by
- * tests that need to clear platform-related env vars deterministically.
+ * Single source of truth — consumed by detectPlatform() below, by
+ * `resolveProjectDir({ strictPlatform })` for cascade construction, and by
+ * Pi's bridge env scrub. Tests also iterate this map to clear platform-
+ * related env vars deterministically.
+ *
+ * The map shape is `Map<PlatformId, ReadonlyArray<PlatformEnvEntry>>`. Use
+ * `getEnvVarNames(p)` to get just the names (legacy `string[]` shape).
  */
-export const PLATFORM_ENV_VARS = [
+const _PLATFORM_ENV_VARS_RAW = [
     // Order matters: forks listed BEFORE the fork's parent so collision
     // detection works. Every entry verified against platform's own runtime
     // source code (PR #376 follow-up: full audit, May 2026 — see git blame).
@@ -75,49 +80,84 @@ export const PLATFORM_ENV_VARS = [
     // are the disambiguators for issue #539 (Claude Code running inside a
     // VS Code integrated terminal that has VSCODE_PID set). They MUST be
     // checked here so detect resolves to claude-code BEFORE falling through
-    // to vscode-copilot at line 70 below.
+    // to vscode-copilot below.
     ["claude-code", [
-            "CLAUDE_CODE_ENTRYPOINT",
-            "CLAUDE_PLUGIN_ROOT",
-            "CLAUDE_PROJECT_DIR",
-            "CLAUDE_SESSION_ID",
+            { name: "CLAUDE_CODE_ENTRYPOINT", role: "identification" },
+            { name: "CLAUDE_PLUGIN_ROOT", role: "identification" },
+            { name: "CLAUDE_PROJECT_DIR", role: "workspace" },
+            { name: "CLAUDE_SESSION_ID", role: "identification" },
         ]],
     // antigravity (Electron/VSCode fork) — google-gemini/gemini-cli
     // packages/core/src/ide/detect-ide.ts checks ANTIGRAVITY_CLI_ALIAS as the
     // canonical Antigravity marker. Listed before vscode-copilot.
-    ["antigravity", ["ANTIGRAVITY_CLI_ALIAS"]],
+    ["antigravity", [
+            { name: "ANTIGRAVITY_CLI_ALIAS", role: "identification" },
+        ]],
     // cursor (VSCode fork) — listed before vscode-copilot. CURSOR_TRACE_ID has
     // 800+ hits in major OSS detection libs (Vercel Next.js, Bun, Google
-    // gemini-cli, Nx, CrewAI).
-    ["cursor", ["CURSOR_TRACE_ID", "CURSOR_CLI"]],
+    // gemini-cli, Nx, CrewAI). CURSOR_CWD is the documented workspace var
+    // (issue #521) — listed first so workspace cascade picks it up.
+    ["cursor", [
+            { name: "CURSOR_CWD", role: "workspace" },
+            { name: "CURSOR_TRACE_ID", role: "identification" },
+            { name: "CURSOR_CLI", role: "identification" },
+        ]],
     // kilo (OpenCode fork) — Kilo-Org/kilocode packages/opencode/src/index.ts:138 + 139
-    // sets `process.env.KILO = 1` + `process.env.KILO_PID = String(process.pid)`. 
-    ["kilo", ["KILO", "KILO_PID"]],
+    // sets `process.env.KILO = 1` + `process.env.KILO_PID = String(process.pid)`.
+    ["kilo", [
+            { name: "KILO", role: "identification" },
+            { name: "KILO_PID", role: "identification" },
+        ]],
     // opencode — sst/opencode packages/opencode/src/index.ts:108-109 sets
     // OPENCODE=1 + OPENCODE_PID=<pid> on every CLI invocation.
-    ["opencode", ["OPENCODE", "OPENCODE_PID"]],
+    // OPENCODE_PROJECT_DIR is the documented workspace var (consumed by the
+    // legacy resolver cascade) — listed first so the workspace cascade picks
+    // it up under strict mode.
+    ["opencode", [
+            { name: "OPENCODE_PROJECT_DIR", role: "workspace" },
+            { name: "OPENCODE", role: "identification" },
+            { name: "OPENCODE_PID", role: "identification" },
+        ]],
     // zed — zed-industries/zed crates/terminal/src/terminal.rs sets ZED_TERM=true
     // in `insert_zed_terminal_env()`. Google's gemini-cli uses ZED_SESSION_ID.
-    ["zed", ["ZED_SESSION_ID", "ZED_TERM"]],
+    ["zed", [
+            { name: "ZED_SESSION_ID", role: "identification" },
+            { name: "ZED_TERM", role: "identification" },
+        ]],
     // codex — openai/codex codex-rs/core/src/exec_env.rs sets CODEX_THREAD_ID
     // per exec; unified_exec/process_manager.rs sets CODEX_CI in CI mode.
-    ["codex", ["CODEX_THREAD_ID", "CODEX_CI"]],
+    ["codex", [
+            { name: "CODEX_THREAD_ID", role: "identification" },
+            { name: "CODEX_CI", role: "identification" },
+        ]],
     // gemini-cli — GEMINI_PROJECT_DIR per google-gemini/gemini-cli
     // docs/hooks/index.md; GEMINI_CLI is the MCP-server sentinel.
-    ["gemini-cli", ["GEMINI_PROJECT_DIR", "GEMINI_CLI"]],
+    ["gemini-cli", [
+            { name: "GEMINI_PROJECT_DIR", role: "workspace" },
+            { name: "GEMINI_CLI", role: "identification" },
+        ]],
     // vscode-copilot — VSCODE_PID + VSCODE_CWD set by microsoft/vscode bootstrap.
     // Listed AFTER cursor and antigravity since they inherit these vars as forks.
-    ["vscode-copilot", ["VSCODE_PID", "VSCODE_CWD"]],
+    ["vscode-copilot", [
+            { name: "VSCODE_CWD", role: "workspace" },
+            { name: "VSCODE_PID", role: "identification" },
+        ]],
     // jetbrains-copilot — IDEA_INITIAL_DIRECTORY set by JetBrains launcher.
     // (IDEA_HOME and JETBRAINS_CLIENT_ID removed — no source-line evidence.)
-    ["jetbrains-copilot", ["IDEA_INITIAL_DIRECTORY"]],
+    ["jetbrains-copilot", [
+            { name: "IDEA_INITIAL_DIRECTORY", role: "workspace" },
+        ]],
     // qwen-code — QWEN_PROJECT_DIR per QwenLM/qwen-code docs/users/features/hooks.md.
     // (QWEN_SESSION_ID removed — 0 hits in qwen-code repository.)
-    ["qwen-code", ["QWEN_PROJECT_DIR"]],
+    ["qwen-code", [
+            { name: "QWEN_PROJECT_DIR", role: "workspace" },
+        ]],
     // omp (can1357/oh-my-pi). PI_CODING_AGENT_DIR is the upstream
     // agent-dir override per `packages/utils/src/dirs.ts:193`. Listed
     // BEFORE pi so OMP is not misclassified as Pi when both are installed.
-    ["omp", ["PI_CODING_AGENT_DIR"]],
+    ["omp", [
+            { name: "PI_CODING_AGENT_DIR", role: "workspace" },
+        ]],
     // pi — Issue #542 marker correction. PI_PROJECT_DIR is a consumer-set
     // var (read by src/adapters/pi/extension.ts) but is NOT auto-set by
     // the Pi runtime — verified against
@@ -126,11 +166,62 @@ export const PLATFORM_ENV_VARS = [
     // PI_CONFIG_DIR (config dir override), PI_SESSION_FILE (active session
     // path), and PI_COMPILED (binary build marker). PI_CODING_AGENT_DIR is
     // owned by OMP above; keep it there.
-    ["pi", ["PI_CONFIG_DIR", "PI_SESSION_FILE", "PI_COMPILED"]],
+    //
+    // Issue #545 — PI_WORKSPACE_DIR / PI_PROJECT_DIR are workspace vars set
+    // by Pi's bridge so the resolver picks them up under strict mode.
+    // PI_WORKSPACE_DIR comes first (extension-set, freshest) before
+    // PI_PROJECT_DIR (user override) per registry-author cascade order.
+    ["pi", [
+            // Issue #545 — workspace vars set by Pi's bridge so resolveProjectDir
+            // under strict mode picks them up. detect=false because PI_*_DIR are
+            // consumer-set and must NOT misclassify a non-Pi host as Pi (#542).
+            { name: "PI_WORKSPACE_DIR", role: "workspace", detect: false },
+            { name: "PI_PROJECT_DIR", role: "workspace", detect: false },
+            { name: "PI_CONFIG_DIR", role: "identification" },
+            { name: "PI_SESSION_FILE", role: "identification" },
+            { name: "PI_COMPILED", role: "identification" },
+        ]],
     // openclaw — removed (runtime never sets OPENCLAW_HOME or OPENCLAW_CLI;
     // detection falls through to ~/.openclaw/ config-dir tier below).
     // kiro — not listed (no auto-set process env vars; ~/.kiro/ config-dir tier).
 ];
+export const PLATFORM_ENV_VARS = new Map(_PLATFORM_ENV_VARS_RAW);
+/**
+ * Backwards-compat shim: legacy `string[]` shape used by detection logic and
+ * by tests that iterate the registry to clear env vars. Always returns the
+ * names in registry order.
+ */
+export function getEnvVarNames(platform) {
+    return (PLATFORM_ENV_VARS.get(platform) ?? []).map((e) => e.name);
+}
+/**
+ * Issue #545 — return only role=workspace env var names for a platform, in
+ * registry order. Empty array for adapters with no workspace var (e.g.
+ * codex, kilo, zed, antigravity, openclaw, kiro). Consumed by
+ * `resolveProjectDir({ strictPlatform })` to build the cascade.
+ */
+export function workspaceEnvVarsFor(platform) {
+    return (PLATFORM_ENV_VARS.get(platform) ?? [])
+        .filter((e) => e.role === "workspace")
+        .map((e) => e.name);
+}
+/**
+ * Issue #545 — return the union of workspace env vars from ALL platforms
+ * EXCEPT the given one. Consumed by Pi's bridge env scrub (strip foreign
+ * workspace vars from spawned MCP child) and by the matrix regression test.
+ */
+export function foreignWorkspaceEnv(platform) {
+    const ban = new Set();
+    for (const [p, vars] of PLATFORM_ENV_VARS) {
+        if (p === platform)
+            continue;
+        for (const v of vars) {
+            if (v.role === "workspace")
+                ban.add(v.name);
+        }
+    }
+    return ban;
+}
 /**
  * Sync map from platform identifier → home-relative path segments where that
  * platform stores its config. Mirrors the `super([...])` argument passed by
@@ -204,7 +295,7 @@ export function detectPlatform(clientInfo) {
     }
     // ── High confidence: environment variables ─────────────
     for (const [platform, vars] of PLATFORM_ENV_VARS) {
-        if (vars.some((v) => process.env[v])) {
+        if (vars.some((v) => v.detect !== false && process.env[v.name])) {
             // Issue #539 belt-and-suspenders: VSCODE_PID/VSCODE_CWD are exported
             // by VS Code into EVERY child process — including a Claude Code CLI
             // launched from the integrated terminal. If env vars alone want to
@@ -224,7 +315,7 @@ export function detectPlatform(clientInfo) {
             return {
                 platform,
                 confidence: "high",
-                reason: `${vars.join(" or ")} env var set`,
+                reason: `${vars.filter((v) => v.detect !== false).map((v) => v.name).join(" or ")} env var set`,
             };
         }
     }

package/build/adapters/opencode/plugin.js

@@ -102,7 +102,7 @@ function getPlatform() {
     for (const [platform, vars] of PLATFORM_ENV_VARS) {
         if (platform !== "kilo" && platform !== "opencode")
             continue;
-        if (vars.some((v) => process.env[v])) {
+        if (vars.some((v) => process.env[v.name])) {
             return platform;
         }
     }

package/build/adapters/pi/extension.d.ts

@@ -31,5 +31,33 @@ export declare let _mcpBridgeReady: Promise<void>;
  * Exported for unit tests.
  */
 export declare function isPiShortCircuitArgv(argv: readonly string[]): boolean;
+/**
+ * Issue #545 — Pi workspace resolver.
+ *
+ * Pi's runtime sets PI_CONFIG_DIR to ~/.pi (its CONFIG dir, not the user's
+ * project). The extension previously used this as the project anchor, which
+ * meant every Pi session re-rooted under ~/.pi — collapsing all of a user's
+ * projects into a single phantom workspace. This helper picks the user's
+ * actual project directory while NEVER returning a path equal to or under
+ * ~/.pi/.
+ *
+ * Cascade:
+ *   1. PI_WORKSPACE_DIR — set by Pi's bridge (extension-set, freshest)
+ *   2. PI_PROJECT_DIR   — legacy/user override
+ *   3. PWD              — shell-set, survives process.chdir
+ *   4. cwd              — last resort
+ *
+ * Each candidate is rejected if it equals ~/.pi or lives under ~/.pi/. If
+ * every candidate is poisoned, falls back to homedir() as a safe non-config
+ * anchor — caller may still render a "no project context" notice but the
+ * function stays total.
+ */
+export declare function resolvePiWorkspaceDir(opts: {
+    env: Record<string, string | undefined>;
+    pwd: string | undefined;
+    cwd: string;
+    /** Optional override for tests; defaults to `os.homedir()`. */
+    home?: string;
+}): string;
 /** Pi extension default export. Called once by Pi runtime with the extension API. */
 export default function piExtension(pi: any): void;

package/build/adapters/pi/extension.js

@@ -12,6 +12,7 @@
  */
 import { createHash } from "node:crypto";
 import { existsSync, mkdirSync } from "node:fs";
+import { homedir } from "node:os";
 import { join, resolve, dirname } from "node:path";
 import { fileURLToPath, pathToFileURL } from "node:url";
 import { SessionDB } from "../../session/db.js";
@@ -228,16 +229,65 @@ export function isPiShortCircuitArgv(argv) {
         return false;
     return PI_SHORT_CIRCUIT_TOKENS.has(argv[0]);
 }
+/**
+ * Issue #545 — Pi workspace resolver.
+ *
+ * Pi's runtime sets PI_CONFIG_DIR to ~/.pi (its CONFIG dir, not the user's
+ * project). The extension previously used this as the project anchor, which
+ * meant every Pi session re-rooted under ~/.pi — collapsing all of a user's
+ * projects into a single phantom workspace. This helper picks the user's
+ * actual project directory while NEVER returning a path equal to or under
+ * ~/.pi/.
+ *
+ * Cascade:
+ *   1. PI_WORKSPACE_DIR — set by Pi's bridge (extension-set, freshest)
+ *   2. PI_PROJECT_DIR   — legacy/user override
+ *   3. PWD              — shell-set, survives process.chdir
+ *   4. cwd              — last resort
+ *
+ * Each candidate is rejected if it equals ~/.pi or lives under ~/.pi/. If
+ * every candidate is poisoned, falls back to homedir() as a safe non-config
+ * anchor — caller may still render a "no project context" notice but the
+ * function stays total.
+ */
+export function resolvePiWorkspaceDir(opts) {
+    const home = opts.home ?? homedir();
+    const piConfigDir = join(home, ".pi");
+    const isUnderPi = (p) => {
+        if (!p)
+            return true;
+        if (p === piConfigDir)
+            return true;
+        // Match both POSIX (/) and Windows (\) child-of relations.
+        return p.startsWith(piConfigDir + "/") || p.startsWith(piConfigDir + "\\");
+    };
+    const candidates = [
+        opts.env.PI_WORKSPACE_DIR,
+        opts.env.PI_PROJECT_DIR,
+        opts.pwd,
+        opts.cwd,
+    ];
+    for (const c of candidates) {
+        if (c && !isUnderPi(c))
+            return c;
+    }
+    return home;
+}
 // ── Extension entry point ────────────────────────────────
 /** Pi extension default export. Called once by Pi runtime with the extension API. */
 export default function piExtension(pi) {
     const buildDir = dirname(fileURLToPath(import.meta.url));
     const pluginRoot = resolve(buildDir, "..", "..", "..");
-    // Issue #542 — Pi's runtime sets PI_CONFIG_DIR (not PI_PROJECT_DIR).
-    // PI_PROJECT_DIR remains supported as a legacy override for callers
-    // that historically synthesized it. Cwd is the universal final
-    // fallback.
-    const projectDir = process.env.PI_CONFIG_DIR || process.env.PI_PROJECT_DIR || process.cwd();
+    // Issue #545 — Pi workspace resolver. PI_CONFIG_DIR is Pi's CONFIG dir
+    // (~/.pi), NOT the user's workspace; using it as the project anchor
+    // collapsed every Pi session into a single phantom workspace. The
+    // dedicated resolver picks PI_WORKSPACE_DIR > PI_PROJECT_DIR > PWD > cwd
+    // and refuses to return any path under ~/.pi/.
+    const projectDir = resolvePiWorkspaceDir({
+        env: process.env,
+        pwd: process.env.PWD,
+        cwd: process.cwd(),
+    });
     const db = getOrCreateDB();
     // ── 1. session_start — Initialize session ──────────────
     pi.on("session_start", (_event, ctx) => {

package/build/adapters/pi/mcp-bridge.js

@@ -22,6 +22,7 @@
  */
 import { spawn, execSync } from "node:child_process";
 import { detectRuntimes } from "../../runtime.js";
+import { foreignWorkspaceEnv } from "../detect.js";
 // ── Fork-bomb prevention (#516) ──────────────────────────────────────
 //
 // Original bug: `spawn(process.execPath, [serverScript])` recursively
@@ -145,6 +146,20 @@ export class MCPStdioClient {
             ...this.env,
             [BRIDGE_DEPTH_ENV]: String(Number.isFinite(depth) ? depth + 1 : 1),
         };
+        // Issue #545 — scrub foreign workspace env vars before spawn.
+        //
+        // Pi's MCP bridge inherits the host shell env (including a prior
+        // `claude` invocation's CLAUDE_PROJECT_DIR). Without this scrub, the
+        // spawned MCP server resolves getProjectDir() to the foreign workspace
+        // and Pi's sessions write into the wrong project. The ban list is
+        // derived ALGORITHMICALLY from PLATFORM_ENV_VARS (every other adapter's
+        // workspace-role vars), so adding adapter #16 grows the scrub
+        // automatically — no edit to this file. Identification vars
+        // (CLAUDE_PLUGIN_ROOT etc.) and the universal escape hatch
+        // (CONTEXT_MODE_PROJECT_DIR) are NEVER scrubbed.
+        for (const banned of foreignWorkspaceEnv("pi")) {
+            delete childEnv[banned];
+        }
         this._spawnEnv = childEnv;
         this.child = spawn(runtime, [this.serverScript], {
             // Pipe stderr (#472 round-3): swallowing it via "ignore" hides

package/build/server.js

@@ -197,18 +197,30 @@ function getProjectDir() {
     // modified Claude Code session's cwd — wrong project entirely. Gate the
     // path on detected platform so non-Claude hosts skip the heuristic and
     // fall through to PWD/cwd cleanly.
+    //
+    // Issue #545 (v1.0.124): pass strictPlatform for ALL adapters so the
+    // env-var cascade is built ALGORITHMICALLY from the platform's own
+    // workspace vars + universal escape hatch — foreign workspace vars (e.g.
+    // CLAUDE_PROJECT_DIR leaked into Pi's MCP child env from the user's shell)
+    // cannot win, regardless of cascade order. start.mjs intentionally does
+    // NOT pass strictPlatform — host detection is unreliable at the entrypoint
+    // and the legacy literal cascade is preserved there for semver safety.
     let transcriptsRoot;
+    let strictPlatform;
     try {
-        if (detectPlatform().platform === "claude-code") {
+        const detected = detectPlatform().platform;
+        strictPlatform = detected;
+        if (detected === "claude-code") {
             transcriptsRoot = join(homedir(), ".claude", "projects");
         }
     }
-    catch { /* detection failure — leave undefined, resolver skips heuristic */ }
+    catch { /* detection failure — leave both undefined, resolver uses legacy cascade */ }
     return resolveProjectDir({
         env: process.env,
         cwd: process.cwd(),
         pwd: process.env.PWD,
         transcriptsRoot,
+        strictPlatform,
     });
 }
 /**

package/build/util/project-dir.d.ts

@@ -1,3 +1,4 @@
+import type { PlatformId } from "../adapters/types.js";
 /**
  * Project-dir resolution helpers — shared between `start.mjs` (the MCP entry
  * point) and `src/server.ts getProjectDir()` (the consumer).
@@ -76,4 +77,14 @@ export declare function resolveProjectDir(opts: {
     pwd: string | undefined;
     /** Optional override; production code passes `~/.claude/projects`. */
     transcriptsRoot?: string;
+    /**
+     * Issue #545 — opt-in tightening. When set, the candidate list is built
+     * algorithmically from `workspaceEnvVarsFor(strictPlatform)` plus the
+     * universal escape hatch. Foreign workspace vars (e.g. CLAUDE_PROJECT_DIR
+     * leaked into Pi's MCP child env) cannot win, regardless of cascade order.
+     *
+     * When `undefined`, the legacy literal candidate order is used (semver lock
+     * for `start.mjs` and any non-strict consumer).
+     */
+    strictPlatform?: PlatformId;
 }): string;

package/build/util/project-dir.js

@@ -1,5 +1,32 @@
 import * as fs from "node:fs";
 import * as path from "node:path";
+import { workspaceEnvVarsFor } from "../adapters/detect.js";
+/**
+ * Universal escape hatch. NEVER appears in any platform's foreignWorkspaceEnv()
+ * (because it isn't registered in PLATFORM_ENV_VARS), so it survives strict
+ * mode and bridge env scrubs. Documented as the cross-strict user override
+ * for every adapter (set in `~/.<host>/mcp.json` env when nothing else works).
+ */
+const UNIVERSAL_WORKSPACE_ENV = ["CONTEXT_MODE_PROJECT_DIR"];
+/**
+ * Frozen legacy candidate list — preserves bit-for-bit behavior of every
+ * non-strict caller (`start.mjs` and any caller that doesn't pass
+ * `strictPlatform`). Order is locked for semver compatibility.
+ *
+ * If a new adapter is added, DO NOT add its workspace var here — register it
+ * in `PLATFORM_ENV_VARS` and let strict callers pick it up via
+ * `workspaceEnvVarsFor(platform)`. Strict mode is the default forward path.
+ */
+const LEGACY_NON_STRICT_CANDIDATES = [
+    "CLAUDE_PROJECT_DIR",
+    "GEMINI_PROJECT_DIR",
+    "VSCODE_CWD",
+    "OPENCODE_PROJECT_DIR",
+    "PI_PROJECT_DIR",
+    "IDEA_INITIAL_DIRECTORY",
+    "CURSOR_CWD",
+    "CONTEXT_MODE_PROJECT_DIR",
+];
 /**
  * Project-dir resolution helpers — shared between `start.mjs` (the MCP entry
  * point) and `src/server.ts getProjectDir()` (the consumer).
@@ -145,26 +172,17 @@ export function resolveProjectDirFromTranscript(opts) {
  *      operation of project-independent tools (sandbox execute, fetch).
  */
 export function resolveProjectDir(opts) {
-    const { env, cwd, pwd, transcriptsRoot } = opts;
-    const candidates = [
-        env.CLAUDE_PROJECT_DIR,
-        env.GEMINI_PROJECT_DIR,
-        env.VSCODE_CWD,
-        env.OPENCODE_PROJECT_DIR,
-        env.PI_PROJECT_DIR,
-        env.IDEA_INITIAL_DIRECTORY,
-        // Issue #521: Cursor MCP env override. The cursor adapter already
-        // trusts CURSOR_CWD for hook input resolution (adapters/cursor/index.ts:581);
-        // mirror that trust here so ctx_stats / SessionDB / hash see the workspace
-        // path on Cursor. Whether Cursor itself sets this on MCP child spawn is
-        // unconfirmed — but documenting it as a supported override gives users a
-        // documented escape hatch (`~/.cursor/mcp.json` env: { CURSOR_CWD: "..." }).
-        env.CURSOR_CWD,
-        env.CONTEXT_MODE_PROJECT_DIR,
-    ];
-    for (const c of candidates) {
-        if (c && !isPluginInstallPath(c))
-            return c;
+    const { env, cwd, pwd, transcriptsRoot, strictPlatform } = opts;
+    // Build candidate list. Strict path: own workspace vars + universal escape
+    // hatch — NO foreign workspace vars, in any order, can win. Non-strict
+    // path: frozen legacy literal order for backwards compatibility.
+    const candidateVars = strictPlatform
+        ? [...workspaceEnvVarsFor(strictPlatform), ...UNIVERSAL_WORKSPACE_ENV]
+        : LEGACY_NON_STRICT_CANDIDATES;
+    for (const name of candidateVars) {
+        const v = env[name];
+        if (v && !isPluginInstallPath(v))
+            return v;
     }
     if (transcriptsRoot) {
         const fromTranscript = resolveProjectDirFromTranscript({ projectsRoot: transcriptsRoot });