context-mode 1.0.123 → 1.0.125

package/build/adapters/pi/extension.d.ts

@@ -31,5 +31,33 @@ export declare let _mcpBridgeReady: Promise<void>;
  * Exported for unit tests.
  */
 export declare function isPiShortCircuitArgv(argv: readonly string[]): boolean;
+/**
+ * Issue #545 — Pi workspace resolver.
+ *
+ * Pi's runtime sets PI_CONFIG_DIR to ~/.pi (its CONFIG dir, not the user's
+ * project). The extension previously used this as the project anchor, which
+ * meant every Pi session re-rooted under ~/.pi — collapsing all of a user's
+ * projects into a single phantom workspace. This helper picks the user's
+ * actual project directory while NEVER returning a path equal to or under
+ * ~/.pi/.
+ *
+ * Cascade:
+ *   1. PI_WORKSPACE_DIR — set by Pi's bridge (extension-set, freshest)
+ *   2. PI_PROJECT_DIR   — legacy/user override
+ *   3. PWD              — shell-set, survives process.chdir
+ *   4. cwd              — last resort
+ *
+ * Each candidate is rejected if it equals ~/.pi or lives under ~/.pi/. If
+ * every candidate is poisoned, falls back to homedir() as a safe non-config
+ * anchor — caller may still render a "no project context" notice but the
+ * function stays total.
+ */
+export declare function resolvePiWorkspaceDir(opts: {
+    env: Record<string, string | undefined>;
+    pwd: string | undefined;
+    cwd: string;
+    /** Optional override for tests; defaults to `os.homedir()`. */
+    home?: string;
+}): string;
 /** Pi extension default export. Called once by Pi runtime with the extension API. */
 export default function piExtension(pi: any): void;

package/build/adapters/pi/extension.js

@@ -12,6 +12,7 @@
  */
 import { createHash } from "node:crypto";
 import { existsSync, mkdirSync } from "node:fs";
+import { homedir } from "node:os";
 import { join, resolve, dirname } from "node:path";
 import { fileURLToPath, pathToFileURL } from "node:url";
 import { SessionDB } from "../../session/db.js";
@@ -228,16 +229,65 @@ export function isPiShortCircuitArgv(argv) {
         return false;
     return PI_SHORT_CIRCUIT_TOKENS.has(argv[0]);
 }
+/**
+ * Issue #545 — Pi workspace resolver.
+ *
+ * Pi's runtime sets PI_CONFIG_DIR to ~/.pi (its CONFIG dir, not the user's
+ * project). The extension previously used this as the project anchor, which
+ * meant every Pi session re-rooted under ~/.pi — collapsing all of a user's
+ * projects into a single phantom workspace. This helper picks the user's
+ * actual project directory while NEVER returning a path equal to or under
+ * ~/.pi/.
+ *
+ * Cascade:
+ *   1. PI_WORKSPACE_DIR — set by Pi's bridge (extension-set, freshest)
+ *   2. PI_PROJECT_DIR   — legacy/user override
+ *   3. PWD              — shell-set, survives process.chdir
+ *   4. cwd              — last resort
+ *
+ * Each candidate is rejected if it equals ~/.pi or lives under ~/.pi/. If
+ * every candidate is poisoned, falls back to homedir() as a safe non-config
+ * anchor — caller may still render a "no project context" notice but the
+ * function stays total.
+ */
+export function resolvePiWorkspaceDir(opts) {
+    const home = opts.home ?? homedir();
+    const piConfigDir = join(home, ".pi");
+    const isUnderPi = (p) => {
+        if (!p)
+            return true;
+        if (p === piConfigDir)
+            return true;
+        // Match both POSIX (/) and Windows (\) child-of relations.
+        return p.startsWith(piConfigDir + "/") || p.startsWith(piConfigDir + "\\");
+    };
+    const candidates = [
+        opts.env.PI_WORKSPACE_DIR,
+        opts.env.PI_PROJECT_DIR,
+        opts.pwd,
+        opts.cwd,
+    ];
+    for (const c of candidates) {
+        if (c && !isUnderPi(c))
+            return c;
+    }
+    return home;
+}
 // ── Extension entry point ────────────────────────────────
 /** Pi extension default export. Called once by Pi runtime with the extension API. */
 export default function piExtension(pi) {
     const buildDir = dirname(fileURLToPath(import.meta.url));
     const pluginRoot = resolve(buildDir, "..", "..", "..");
-    // Issue #542 — Pi's runtime sets PI_CONFIG_DIR (not PI_PROJECT_DIR).
-    // PI_PROJECT_DIR remains supported as a legacy override for callers
-    // that historically synthesized it. Cwd is the universal final
-    // fallback.
-    const projectDir = process.env.PI_CONFIG_DIR || process.env.PI_PROJECT_DIR || process.cwd();
+    // Issue #545 — Pi workspace resolver. PI_CONFIG_DIR is Pi's CONFIG dir
+    // (~/.pi), NOT the user's workspace; using it as the project anchor
+    // collapsed every Pi session into a single phantom workspace. The
+    // dedicated resolver picks PI_WORKSPACE_DIR > PI_PROJECT_DIR > PWD > cwd
+    // and refuses to return any path under ~/.pi/.
+    const projectDir = resolvePiWorkspaceDir({
+        env: process.env,
+        pwd: process.env.PWD,
+        cwd: process.cwd(),
+    });
     const db = getOrCreateDB();
     // ── 1. session_start — Initialize session ──────────────
     pi.on("session_start", (_event, ctx) => {

package/build/adapters/pi/mcp-bridge.js

@@ -22,6 +22,7 @@
  */
 import { spawn, execSync } from "node:child_process";
 import { detectRuntimes } from "../../runtime.js";
+import { foreignWorkspaceEnv } from "../detect.js";
 // ── Fork-bomb prevention (#516) ──────────────────────────────────────
 //
 // Original bug: `spawn(process.execPath, [serverScript])` recursively
@@ -145,6 +146,20 @@ export class MCPStdioClient {
             ...this.env,
             [BRIDGE_DEPTH_ENV]: String(Number.isFinite(depth) ? depth + 1 : 1),
         };
+        // Issue #545 — scrub foreign workspace env vars before spawn.
+        //
+        // Pi's MCP bridge inherits the host shell env (including a prior
+        // `claude` invocation's CLAUDE_PROJECT_DIR). Without this scrub, the
+        // spawned MCP server resolves getProjectDir() to the foreign workspace
+        // and Pi's sessions write into the wrong project. The ban list is
+        // derived ALGORITHMICALLY from PLATFORM_ENV_VARS (every other adapter's
+        // workspace-role vars), so adding adapter #16 grows the scrub
+        // automatically — no edit to this file. Identification vars
+        // (CLAUDE_PLUGIN_ROOT etc.) and the universal escape hatch
+        // (CONTEXT_MODE_PROJECT_DIR) are NEVER scrubbed.
+        for (const banned of foreignWorkspaceEnv("pi")) {
+            delete childEnv[banned];
+        }
         this._spawnEnv = childEnv;
         this.child = spawn(runtime, [this.serverScript], {
             // Pipe stderr (#472 round-3): swallowing it via "ignore" hides

package/build/db-base.d.ts

@@ -61,11 +61,28 @@ export declare class NodeSQLiteAdapter {
  * bundled SQLite always ships with FTS5.
  */
 export declare function nodeSqliteHasFts5(DatabaseSync: any): boolean;
+/**
+ * Returns true when the current runtime ships a built-in SQLite binding:
+ * - Bun has `bun:sqlite` always
+ * - Node has `node:sqlite` since 22.5 (no flag since 22.13)
+ *
+ * Mirrors the helper in hooks/ensure-deps.mjs:61. Exported so the platform
+ * gate in loadDatabase() can be unit-tested without spawning a child
+ * process. `versionsOverride` and `bunOverride` are injection points for
+ * tests — production callers pass nothing.
+ *
+ * Widening the gate from `process.platform === "linux"` to this helper is
+ * required for Node 26 on macOS arm64 (#551): Node 26 removed
+ * `info.This()` from V8 PropertyCallbackInfo, breaking better-sqlite3
+ * 12.9.0's native compile. Using node:sqlite sidesteps the native addon
+ * entirely on every platform that has it.
+ */
+export declare function hasModernSqlite(versionsOverride?: NodeJS.ProcessVersions, bunOverride?: unknown): boolean;
 /**
  * Lazy-load the SQLite driver for the current runtime.
  * Bun → bun:sqlite via BunSQLiteAdapter (issue #45).
- * Linux Node → node:sqlite via NodeSQLiteAdapter when it ships FTS5 (#228, #461).
- * Other Node (or Linux Node without FTS5) → better-sqlite3 (native addon).
+ * Modern Node (>= 22.5) → node:sqlite via NodeSQLiteAdapter when it ships FTS5 (#228, #461, #551).
+ * Other Node (or modern Node without FTS5) → better-sqlite3 (native addon).
  */
 export declare function loadDatabase(): typeof DatabaseConstructor;
 /**

package/build/db-base.js

@@ -184,11 +184,39 @@ export function nodeSqliteHasFts5(DatabaseSync) {
         catch { /* probe never opened or already closed */ }
     }
 }
+/**
+ * Returns true when the current runtime ships a built-in SQLite binding:
+ * - Bun has `bun:sqlite` always
+ * - Node has `node:sqlite` since 22.5 (no flag since 22.13)
+ *
+ * Mirrors the helper in hooks/ensure-deps.mjs:61. Exported so the platform
+ * gate in loadDatabase() can be unit-tested without spawning a child
+ * process. `versionsOverride` and `bunOverride` are injection points for
+ * tests — production callers pass nothing.
+ *
+ * Widening the gate from `process.platform === "linux"` to this helper is
+ * required for Node 26 on macOS arm64 (#551): Node 26 removed
+ * `info.This()` from V8 PropertyCallbackInfo, breaking better-sqlite3
+ * 12.9.0's native compile. Using node:sqlite sidesteps the native addon
+ * entirely on every platform that has it.
+ */
+export function hasModernSqlite(versionsOverride, bunOverride) {
+    const bun = bunOverride !== undefined ? bunOverride : globalThis.Bun;
+    if (typeof bun !== "undefined" && bun !== null)
+        return true;
+    const versions = versionsOverride ?? process.versions;
+    const [majorStr, minorStr] = (versions.node ?? "0.0.0").split(".");
+    const major = Number(majorStr);
+    const minor = Number(minorStr);
+    if (!Number.isFinite(major) || !Number.isFinite(minor))
+        return false;
+    return major > 22 || (major === 22 && minor >= 5);
+}
 /**
  * Lazy-load the SQLite driver for the current runtime.
  * Bun → bun:sqlite via BunSQLiteAdapter (issue #45).
- * Linux Node → node:sqlite via NodeSQLiteAdapter when it ships FTS5 (#228, #461).
- * Other Node (or Linux Node without FTS5) → better-sqlite3 (native addon).
+ * Modern Node (>= 22.5) → node:sqlite via NodeSQLiteAdapter when it ships FTS5 (#228, #461, #551).
+ * Other Node (or modern Node without FTS5) → better-sqlite3 (native addon).
  */
 export function loadDatabase() {
     if (!_Database) {
@@ -211,13 +239,19 @@ export function loadDatabase() {
                 return adapter;
             };
         }
-        else if (process.platform === "linux") {
-            // Linux — try node:sqlite to avoid native addon SIGSEGV (nodejs/node#62515).
-            // node:sqlite is built into Node >= 22.5, no flag needed since 22.13.
-            // Probe FTS5 support before committing — some Linux Node builds ship
-            // node:sqlite without FTS5, which would silently break ctx_search (#461).
-            // The probe runs at most once per process (cached via _Database below),
-            // so the cost of opening an in-memory DatabaseSync is negligible.
+        else if (hasModernSqlite()) {
+            // Any Node >= 22.5 — try node:sqlite to avoid the native addon path
+            // entirely. Historically this was Linux-only (avoiding the Linux
+            // SIGSEGV per nodejs/node#62515, #228), but Node 26 also broke
+            // better-sqlite3's native compile on macOS arm64 by removing
+            // V8 `info.This()` (#551). The built-in `node:sqlite` ships its
+            // own SQLite, so it sidesteps both issues at once.
+            //
+            // Probe FTS5 support before committing — some Node builds ship
+            // node:sqlite without FTS5, which would silently break ctx_search
+            // (#461). The probe runs at most once per process (cached via
+            // _Database below), so the cost of an in-memory DatabaseSync is
+            // negligible.
             let DatabaseSync = null;
             try {
                 // Array.join() prevents esbuild from resolving the specifier at bundle time
@@ -236,16 +270,16 @@ export function loadDatabase() {
                 };
             }
             else {
-                // node:sqlite missing or built without FTS5 — fall through to better-sqlite3.
-                // Trade-off: this reintroduces the native-addon path that #228 routed
-                // around (Linux SIGSEGV per nodejs/node#62515). Deliberate — a visible
-                // crash on the rare unstable build is preferable to a silent
-                // "no such module: fts5" on every ctx_search call.
+                // node:sqlite missing or built without FTS5 — fall through to
+                // better-sqlite3. Trade-off: on Node 26 + macOS this may now hit
+                // the V8 ABI break (#551). A visible crash on the rare
+                // unstable build is preferable to silent "no such module: fts5"
+                // on every ctx_search call.
                 _Database = require("better-sqlite3");
             }
         }
         else {
-            // Non-Linux Node.js — use better-sqlite3.
+            // Old Node (< 22.5) without bun:sqlite — fall back to better-sqlite3.
             _Database = require("better-sqlite3");
         }
     }

package/build/executor.js

@@ -23,6 +23,7 @@ const SCRIPT_EXT = {
     perl: "pl",
     r: "R",
     elixir: "exs",
+    csharp: "csx",
 };
 /** Pure helper — exported for unit testing. Returns "script" or "script.<ext>". */
 export function buildScriptFilename(language, platform, shellPath) {
@@ -223,7 +224,7 @@ export class PolyglotExecutor {
             // .exe paths now (#506), but if it falls back to the bare "bun" string
             // on Windows that resolution typically goes through a `bun.cmd` shim
             // (npm i -g bun) which CreateProcess can't execute without cmd.exe.
-            const needsShell = isWin && ["tsx", "ts-node", "elixir", "bun"].includes(cmd[0]);
+            const needsShell = isWin && ["tsx", "ts-node", "elixir", "bun", "dotnet-script"].includes(cmd[0]);
             // On Windows with Git Bash, pass the script as `bash -c "source /posix/path"`
             // rather than `bash /path/to/script.sh`. This avoids MSYS2 path mangling
             // while still allowing MSYS_NO_PATHCONV to protect non-ASCII paths in commands.
@@ -412,6 +413,30 @@ export class PolyglotExecutor {
             "R_PROFILE", // site-wide R profile
             "R_PROFILE_USER", // user R profile
             "R_HOME", // R installation override
+            // .NET / C# — runtime/startup hooks, additional deps
+            "DOTNET_STARTUP_HOOKS", // injects managed assemblies on startup
+            "DOTNET_ADDITIONAL_DEPS", // additional .deps.json injection
+            "DOTNET_SHARED_STORE", // shared assembly probe path injection
+            "DOTNET_ROOT", // arbitrary .NET runtime override
+            "DOTNET_ROOT(x86)", // 32-bit override
+            "DOTNET_HOST_PATH", // host binary substitution
+            // .NET / C# — profiler attach (loads arbitrary DLL into dotnet host)
+            // and IPC-based debugger/IL injection. PR #546 follow-up.
+            // learn.microsoft.com/en-us/dotnet/core/runtime-config/debugging-profiling
+            "CORECLR_PROFILER", // CLSID of profiler to attach
+            "CORECLR_PROFILER_PATH", // path to profiler DLL
+            "CORECLR_PROFILER_PATH_32", // 32-bit specific profiler DLL
+            "CORECLR_PROFILER_PATH_64", // 64-bit specific profiler DLL
+            "CORECLR_PROFILER_PATH_ARM32", // ARM32 specific profiler DLL
+            "CORECLR_PROFILER_PATH_ARM64", // ARM64 specific profiler DLL
+            "CORECLR_ENABLE_PROFILING", // gates profiler load
+            "DOTNET_PROFILER_PATH", // cross-platform alias
+            "DOTNET_PROFILER_PATH_32",
+            "DOTNET_PROFILER_PATH_64",
+            "DOTNET_PROFILER_PATH_ARM32",
+            "DOTNET_PROFILER_PATH_ARM64",
+            "DOTNET_DiagnosticPorts", // peer attach via diagnostic IPC
+            "DOTNET_BUNDLE_EXTRACT_BASE_DIR", // single-file extraction hijack
             // Dynamic linker — shared library injection
             "LD_PRELOAD", // loads .so before all others (Linux)
             "DYLD_INSERT_LIBRARIES", // macOS equivalent of LD_PRELOAD
@@ -431,10 +456,17 @@ export class PolyglotExecutor {
             "GIT_SSH_COMMAND", // arbitrary ssh command
             "GIT_ASKPASS", // arbitrary credential command
         ]);
-        // Start with parent env, then strip dangerous vars and apply overrides
+        // Start with parent env, then strip dangerous vars and apply overrides.
+        // The `COMPlus_` prefix sweep covers every COMPlus_* synonym of the
+        // DOTNET_* runtime knobs (.NET back-compat alias — case-insensitive).
+        // PR #546 follow-up: closes the alias bypass for the explicit denylist
+        // entries above.
         const env = {};
         for (const [key, val] of Object.entries(process.env)) {
-            if (val !== undefined && !DENIED.has(key) && !key.startsWith("BASH_FUNC_")) {
+            if (val !== undefined &&
+                !DENIED.has(key) &&
+                !key.startsWith("BASH_FUNC_") &&
+                !/^COMPlus_/i.test(key)) {
                 env[key] = val;
             }
         }
@@ -508,6 +540,11 @@ export class PolyglotExecutor {
                 return `FILE_CONTENT_PATH <- ${escaped}\nfile_path <- FILE_CONTENT_PATH\nFILE_CONTENT <- readLines(FILE_CONTENT_PATH, warn=FALSE, encoding="UTF-8")\nFILE_CONTENT <- paste(FILE_CONTENT, collapse="\\n")\n${code}`;
             case "elixir":
                 return `file_content_path = ${escaped}\nfile_path = file_content_path\nfile_content = File.read!(file_content_path)\n${code}`;
+            case "csharp":
+                // .csx forbids `using` directives after any other top-level statement
+                // (CS1529). User code inside executeFile must use fully-qualified type
+                // names (e.g. `System.Text.Json.JsonDocument`) instead of `using`.
+                return `var FILE_CONTENT_PATH = ${escaped};\nvar file_path = FILE_CONTENT_PATH;\nvar FILE_CONTENT = System.IO.File.ReadAllText(FILE_CONTENT_PATH);\n${code}`;
         }
     }
 }

package/build/runtime.d.ts

@@ -1,5 +1,5 @@
 export declare function isAllowlistedShell(shellPath: string): boolean;
-export type Language = "javascript" | "typescript" | "python" | "shell" | "ruby" | "go" | "rust" | "php" | "perl" | "r" | "elixir";
+export type Language = "javascript" | "typescript" | "python" | "shell" | "ruby" | "go" | "rust" | "php" | "perl" | "r" | "elixir" | "csharp";
 export interface RuntimeInfo {
     command: string;
     available: boolean;
@@ -18,6 +18,7 @@ export interface RuntimeMap {
     perl: string | null;
     r: string | null;
     elixir: string | null;
+    csharp: string | null;
 }
 export declare function detectRuntimes(): RuntimeMap;
 export declare function hasBunRuntime(): boolean;

package/build/runtime.js

@@ -232,6 +232,7 @@ export function detectRuntimes() {
                 ? "r"
                 : null,
         elixir: commandExists("elixir") ? "elixir" : null,
+        csharp: commandExists("dotnet-script") ? "dotnet-script" : null,
     };
 }
 export function hasBunRuntime() {
@@ -269,6 +270,8 @@ export function getRuntimeSummary(runtimes) {
         lines.push(`  R:          ${runtimes.r} (${getVersion(runtimes.r)})`);
     if (runtimes.elixir)
         lines.push(`  Elixir:     ${runtimes.elixir} (${getVersion(runtimes.elixir)})`);
+    if (runtimes.csharp)
+        lines.push(`  C#:         ${runtimes.csharp} (${getVersion(runtimes.csharp)})`);
     if (!bunPreferred) {
         lines.push("");
         lines.push("  Tip: Install Bun for 3-5x faster JS/TS execution → https://bun.sh");
@@ -295,6 +298,8 @@ export function getAvailableLanguages(runtimes) {
         langs.push("r");
     if (runtimes.elixir)
         langs.push("elixir");
+    if (runtimes.csharp)
+        langs.push("csharp");
     return langs;
 }
 export function buildCommand(runtimes, language, filePath) {
@@ -376,5 +381,10 @@ export function buildCommand(runtimes, language, filePath) {
                 throw new Error("Elixir not available. Install elixir.");
             }
             return ["elixir", filePath];
+        case "csharp":
+            if (!runtimes.csharp) {
+                throw new Error("C# not available. Install dotnet-script via `dotnet tool install -g dotnet-script`.");
+            }
+            return [runtimes.csharp, filePath];
     }
 }

package/build/server.js

@@ -197,18 +197,30 @@ function getProjectDir() {
     // modified Claude Code session's cwd — wrong project entirely. Gate the
     // path on detected platform so non-Claude hosts skip the heuristic and
     // fall through to PWD/cwd cleanly.
+    //
+    // Issue #545 (v1.0.124): pass strictPlatform for ALL adapters so the
+    // env-var cascade is built ALGORITHMICALLY from the platform's own
+    // workspace vars + universal escape hatch — foreign workspace vars (e.g.
+    // CLAUDE_PROJECT_DIR leaked into Pi's MCP child env from the user's shell)
+    // cannot win, regardless of cascade order. start.mjs intentionally does
+    // NOT pass strictPlatform — host detection is unreliable at the entrypoint
+    // and the legacy literal cascade is preserved there for semver safety.
     let transcriptsRoot;
+    let strictPlatform;
     try {
-        if (detectPlatform().platform === "claude-code") {
+        const detected = detectPlatform().platform;
+        strictPlatform = detected;
+        if (detected === "claude-code") {
             transcriptsRoot = join(homedir(), ".claude", "projects");
         }
     }
-    catch { /* detection failure — leave undefined, resolver skips heuristic */ }
+    catch { /* detection failure — leave both undefined, resolver uses legacy cascade */ }
     return resolveProjectDir({
         env: process.env,
         cwd: process.cwd(),
         pwd: process.env.PWD,
         transcriptsRoot,
+        strictPlatform,
     });
 }
 /**
@@ -917,11 +929,12 @@ server.registerTool("ctx_execute", {
             "perl",
             "r",
             "elixir",
+            "csharp",
         ])
             .describe("Runtime language"),
         code: z
             .string()
-            .describe("Source code to execute. Use console.log (JS/TS), print (Python/Ruby/Perl/R), echo (Shell), echo (PHP), fmt.Println (Go), or IO.puts (Elixir) to output a summary to context."),
+            .describe("Source code to execute. Use console.log (JS/TS), print (Python/Ruby/Perl/R), echo (Shell), echo (PHP), fmt.Println (Go), IO.puts (Elixir), or Console.WriteLine (C#) to output a summary to context."),
         timeout: z
             .coerce.number()
             .optional()
@@ -1212,11 +1225,12 @@ server.registerTool("ctx_execute_file", {
             "perl",
             "r",
             "elixir",
+            "csharp",
         ])
             .describe("Runtime language"),
         code: z
             .string()
-            .describe("Code to process FILE_CONTENT (file_content in Elixir). Print summary via console.log/print/echo/IO.puts."),
+            .describe("Code to process FILE_CONTENT (file_content in Elixir). Print summary via console.log/print/echo/IO.puts/Console.WriteLine."),
         timeout: z
             .coerce.number()
             .optional()

package/build/util/project-dir.d.ts

@@ -1,3 +1,4 @@
+import type { PlatformId } from "../adapters/types.js";
 /**
  * Project-dir resolution helpers — shared between `start.mjs` (the MCP entry
  * point) and `src/server.ts getProjectDir()` (the consumer).
@@ -76,4 +77,14 @@ export declare function resolveProjectDir(opts: {
     pwd: string | undefined;
     /** Optional override; production code passes `~/.claude/projects`. */
     transcriptsRoot?: string;
+    /**
+     * Issue #545 — opt-in tightening. When set, the candidate list is built
+     * algorithmically from `workspaceEnvVarsFor(strictPlatform)` plus the
+     * universal escape hatch. Foreign workspace vars (e.g. CLAUDE_PROJECT_DIR
+     * leaked into Pi's MCP child env) cannot win, regardless of cascade order.
+     *
+     * When `undefined`, the legacy literal candidate order is used (semver lock
+     * for `start.mjs` and any non-strict consumer).
+     */
+    strictPlatform?: PlatformId;
 }): string;

package/build/util/project-dir.js

@@ -1,5 +1,32 @@
 import * as fs from "node:fs";
 import * as path from "node:path";
+import { workspaceEnvVarsFor } from "../adapters/detect.js";
+/**
+ * Universal escape hatch. NEVER appears in any platform's foreignWorkspaceEnv()
+ * (because it isn't registered in PLATFORM_ENV_VARS), so it survives strict
+ * mode and bridge env scrubs. Documented as the cross-strict user override
+ * for every adapter (set in `~/.<host>/mcp.json` env when nothing else works).
+ */
+const UNIVERSAL_WORKSPACE_ENV = ["CONTEXT_MODE_PROJECT_DIR"];
+/**
+ * Frozen legacy candidate list — preserves bit-for-bit behavior of every
+ * non-strict caller (`start.mjs` and any caller that doesn't pass
+ * `strictPlatform`). Order is locked for semver compatibility.
+ *
+ * If a new adapter is added, DO NOT add its workspace var here — register it
+ * in `PLATFORM_ENV_VARS` and let strict callers pick it up via
+ * `workspaceEnvVarsFor(platform)`. Strict mode is the default forward path.
+ */
+const LEGACY_NON_STRICT_CANDIDATES = [
+    "CLAUDE_PROJECT_DIR",
+    "GEMINI_PROJECT_DIR",
+    "VSCODE_CWD",
+    "OPENCODE_PROJECT_DIR",
+    "PI_PROJECT_DIR",
+    "IDEA_INITIAL_DIRECTORY",
+    "CURSOR_CWD",
+    "CONTEXT_MODE_PROJECT_DIR",
+];
 /**
  * Project-dir resolution helpers — shared between `start.mjs` (the MCP entry
  * point) and `src/server.ts getProjectDir()` (the consumer).
@@ -145,26 +172,17 @@ export function resolveProjectDirFromTranscript(opts) {
  *      operation of project-independent tools (sandbox execute, fetch).
  */
 export function resolveProjectDir(opts) {
-    const { env, cwd, pwd, transcriptsRoot } = opts;
-    const candidates = [
-        env.CLAUDE_PROJECT_DIR,
-        env.GEMINI_PROJECT_DIR,
-        env.VSCODE_CWD,
-        env.OPENCODE_PROJECT_DIR,
-        env.PI_PROJECT_DIR,
-        env.IDEA_INITIAL_DIRECTORY,
-        // Issue #521: Cursor MCP env override. The cursor adapter already
-        // trusts CURSOR_CWD for hook input resolution (adapters/cursor/index.ts:581);
-        // mirror that trust here so ctx_stats / SessionDB / hash see the workspace
-        // path on Cursor. Whether Cursor itself sets this on MCP child spawn is
-        // unconfirmed — but documenting it as a supported override gives users a
-        // documented escape hatch (`~/.cursor/mcp.json` env: { CURSOR_CWD: "..." }).
-        env.CURSOR_CWD,
-        env.CONTEXT_MODE_PROJECT_DIR,
-    ];
-    for (const c of candidates) {
-        if (c && !isPluginInstallPath(c))
-            return c;
+    const { env, cwd, pwd, transcriptsRoot, strictPlatform } = opts;
+    // Build candidate list. Strict path: own workspace vars + universal escape
+    // hatch — NO foreign workspace vars, in any order, can win. Non-strict
+    // path: frozen legacy literal order for backwards compatibility.
+    const candidateVars = strictPlatform
+        ? [...workspaceEnvVarsFor(strictPlatform), ...UNIVERSAL_WORKSPACE_ENV]
+        : LEGACY_NON_STRICT_CANDIDATES;
+    for (const name of candidateVars) {
+        const v = env[name];
+        if (v && !isPluginInstallPath(v))
+            return v;
     }
     if (transcriptsRoot) {
         const fromTranscript = resolveProjectDirFromTranscript({ projectsRoot: transcriptsRoot });