context-mode 1.0.128 → 1.0.129

package/.claude-plugin/marketplace.json

@@ -6,14 +6,14 @@
   },
   "metadata": {
     "description": "Claude Code plugins by Mert Koseoğlu",
-    "version": "1.0.128"
+    "version": "1.0.129"
   },
   "plugins": [
     {
       "name": "context-mode",
       "source": "./",
       "description": "Claude Code MCP plugin that saves 98% of your context window. Sandboxed code execution in 11 languages, FTS5 knowledge base with BM25 ranking, and intent-driven search.",
-      "version": "1.0.128",
+      "version": "1.0.129",
       "author": {
         "name": "Mert Koseoğlu"
       },

package/.claude-plugin/plugin.json

@@ -1,6 +1,6 @@
 {
   "name": "context-mode",
-  "version": "1.0.128",
+  "version": "1.0.129",
   "description": "MCP server that saves 98% of your context window with session continuity. Sandboxed code execution in 11 languages, FTS5 knowledge base with BM25 ranking, and automatic state restore across compactions.",
   "author": {
     "name": "Mert Koseoğlu",

package/.openclaw-plugin/openclaw.plugin.json

@@ -3,7 +3,7 @@
   "name": "Context Mode",
   "kind": "tool",
   "description": "OpenClaw plugin that saves 98% of your context window. Sandboxed code execution in 11 languages, FTS5 knowledge base with BM25 ranking, and intent-driven search.",
-  "version": "1.0.128",
+  "version": "1.0.129",
   "sandbox": {
     "mode": "permissive",
     "filesystem_access": "full",

package/.openclaw-plugin/package.json

@@ -1,6 +1,6 @@
 {
   "name": "context-mode",
-  "version": "1.0.128",
+  "version": "1.0.129",
   "description": "OpenClaw plugin that saves 98% of your context window. Sandboxed code execution in 11 languages, FTS5 knowledge base with BM25 ranking, and intent-driven search.",
   "author": {
     "name": "Mert Koseoğlu",

package/build/adapters/detect.d.ts

@@ -34,12 +34,20 @@ export declare function __seedClaudeCodePluginCacheMissForTests(): void;
  *     `resolveProjectDir({ strictPlatform })` to form the candidate list,
  *     and by Pi's bridge to scrub foreign workspace vars on child spawn.
  *   - `identification`: env var only signals which host is running; carries
- *     no project path. NEVER scrubbed (some are load-bearing, e.g.
- *     CLAUDE_PLUGIN_ROOT for hook integrations).
+ *     no project path. PRESERVED in normal operation (some are load-bearing
+ *     for hook integrations on the host that owns them, e.g. CLAUDE_PLUGIN_ROOT
+ *     for Claude Code's hook context).
  *
  * Issue #545 — algorithmic env-leak fix. The split allows resolveProjectDir
  * to derive ALLOW (own workspace vars) and BAN (other platforms' workspace
  * vars) sets from a single registry, satisfying MUST-3 (15 adapters equal).
+ *
+ * Issue #561 — FOREIGN identification vars MUST be scrubbed when spawning a
+ * child under a different host (e.g. Pi spawning context-mode child must
+ * scrub Claude Code identification vars CLAUDE_CODE_ENTRYPOINT /
+ * CLAUDE_PLUGIN_ROOT to prevent detectPlatform() in the child from
+ * misidentifying the host as claude-code and writing Pi's data into
+ * ~/.claude/context-mode/). See `foreignIdentificationEnv()` below.
  */
 export type EnvVarRole = "workspace" | "identification";
 export interface PlatformEnvEntry {
@@ -78,6 +86,26 @@ export declare function workspaceEnvVarsFor(platform: PlatformId): string[];
  * workspace vars from spawned MCP child) and by the matrix regression test.
  */
 export declare function foreignWorkspaceEnv(platform: PlatformId): Set<string>;
+/**
+ * Issue #561 — return the union of identification env vars from ALL
+ * platforms EXCEPT the given one. Sibling of `foreignWorkspaceEnv`,
+ * filtered on `role === "identification"` instead of "workspace".
+ *
+ * Consumed by Pi's bridge env scrub: when Pi spawns the context-mode
+ * MCP child, the child inherits the host shell env including any
+ * identification vars set by a co-resident Claude Code session
+ * (CLAUDE_CODE_ENTRYPOINT / CLAUDE_PLUGIN_ROOT). Without scrubbing,
+ * `detectPlatform()` in the child falls through env priority order and
+ * resolves to claude-code first — Pi's session data then writes into
+ * `~/.claude/context-mode/` instead of Pi's own dir. Scrubbing FOREIGN
+ * identification vars (everyone else's) preserves Pi's OWN identification
+ * vars (PI_CONFIG_DIR / PI_SESSION_FILE / PI_COMPILED) so the child still
+ * detects pi correctly.
+ *
+ * Algorithmic, registry-driven — adding adapter #16 grows the scrub
+ * automatically (no edit to mcp-bridge.ts).
+ */
+export declare function foreignIdentificationEnv(platform: PlatformId): Set<string>;
 /**
  * Sync map from platform identifier → home-relative path segments where that
  * platform stores its config. Mirrors the `super([...])` argument passed by

package/build/adapters/detect.js

@@ -222,6 +222,37 @@ export function foreignWorkspaceEnv(platform) {
     }
     return ban;
 }
+/**
+ * Issue #561 — return the union of identification env vars from ALL
+ * platforms EXCEPT the given one. Sibling of `foreignWorkspaceEnv`,
+ * filtered on `role === "identification"` instead of "workspace".
+ *
+ * Consumed by Pi's bridge env scrub: when Pi spawns the context-mode
+ * MCP child, the child inherits the host shell env including any
+ * identification vars set by a co-resident Claude Code session
+ * (CLAUDE_CODE_ENTRYPOINT / CLAUDE_PLUGIN_ROOT). Without scrubbing,
+ * `detectPlatform()` in the child falls through env priority order and
+ * resolves to claude-code first — Pi's session data then writes into
+ * `~/.claude/context-mode/` instead of Pi's own dir. Scrubbing FOREIGN
+ * identification vars (everyone else's) preserves Pi's OWN identification
+ * vars (PI_CONFIG_DIR / PI_SESSION_FILE / PI_COMPILED) so the child still
+ * detects pi correctly.
+ *
+ * Algorithmic, registry-driven — adding adapter #16 grows the scrub
+ * automatically (no edit to mcp-bridge.ts).
+ */
+export function foreignIdentificationEnv(platform) {
+    const ban = new Set();
+    for (const [p, vars] of PLATFORM_ENV_VARS) {
+        if (p === platform)
+            continue;
+        for (const v of vars) {
+            if (v.role === "identification")
+                ban.add(v.name);
+        }
+    }
+    return ban;
+}
 /**
  * Sync map from platform identifier → home-relative path segments where that
  * platform stores its config. Mirrors the `super([...])` argument passed by

package/build/adapters/pi/mcp-bridge.js

@@ -22,7 +22,7 @@
  */
 import { spawn, execSync } from "node:child_process";
 import { detectRuntimes } from "../../runtime.js";
-import { foreignWorkspaceEnv } from "../detect.js";
+import { foreignWorkspaceEnv, foreignIdentificationEnv } from "../detect.js";
 // ── Fork-bomb prevention (#516) ──────────────────────────────────────
 //
 // Original bug: `spawn(process.execPath, [serverScript])` recursively
@@ -154,12 +154,27 @@ export class MCPStdioClient {
         // and Pi's sessions write into the wrong project. The ban list is
         // derived ALGORITHMICALLY from PLATFORM_ENV_VARS (every other adapter's
         // workspace-role vars), so adding adapter #16 grows the scrub
-        // automatically — no edit to this file. Identification vars
-        // (CLAUDE_PLUGIN_ROOT etc.) and the universal escape hatch
-        // (CONTEXT_MODE_PROJECT_DIR) are NEVER scrubbed.
+        // automatically — no edit to this file. Pi's own workspace vars and
+        // the universal escape hatch (CONTEXT_MODE_PROJECT_DIR) are NEVER
+        // scrubbed.
         for (const banned of foreignWorkspaceEnv("pi")) {
             delete childEnv[banned];
         }
+        // Issue #561 — scrub foreign IDENTIFICATION env vars before spawn.
+        //
+        // Foreign identification vars hijack detectPlatform() — must scrub
+        // when spawning child under a different host (#561). When Pi runs
+        // co-resident with Claude Code, the inherited shell env carries
+        // CLAUDE_CODE_ENTRYPOINT and CLAUDE_PLUGIN_ROOT; the spawned MCP
+        // child's detectPlatform() then walks PLATFORM_ENV_VARS in priority
+        // order (claude-code first), returns claude-code, and Pi's session
+        // data lands in ~/.claude/context-mode/ instead of Pi's own dir.
+        // Pi's OWN identification vars (PI_CONFIG_DIR / PI_SESSION_FILE /
+        // PI_COMPILED) are excluded from the ban set so the child still
+        // detects pi correctly.
+        for (const banned of foreignIdentificationEnv("pi")) {
+            delete childEnv[banned];
+        }
         this._spawnEnv = childEnv;
         this.child = spawn(runtime, [this.serverScript], {
             // Pipe stderr (#472 round-3): swallowing it via "ignore" hides

package/build/db-base.js

@@ -316,18 +316,15 @@ export function applyWALPragmas(db) {
         db.pragma("mmap_size = 268435456");
     }
     catch { /* unsupported runtime */ }
-    // v1.0.128 — Issue #560 SECONDARY defense for single-writer enforcement.
-    // The .lock file (acquireDbLock in SQLiteBase ctor) is PRIMARY — it
-    // surfaces the conflicting PID with a clear UX message. EXCLUSIVE locking
-    // closes the narrow race window between lockfile claim + the actual
-    // `new Database(...)` open: a parallel process passing the lockfile
-    // check would still get SQLITE_BUSY from this pragma. Wrapped in
-    // try/catch identical to mmap_size — backends that don't expose
-    // locking_mode (or pragma at all) still get the lockfile floor.
-    try {
-        db.pragma("locking_mode = EXCLUSIVE");
-    }
-    catch { /* unsupported runtime */ }
+    // NOTE: `locking_mode = EXCLUSIVE` is intentionally NOT applied here.
+    // Multi-writer scenarios are valid: `ContentStore` (FTS5 shared
+    // knowledge base) is opened concurrently from multiple sessions on the
+    // SAME db file by design — applying EXCLUSIVE here would deadlock the
+    // second instance and break documented `withRetry`-based BUSY handling.
+    // Single-writer enforcement (lockfile + EXCLUSIVE) lives in
+    // `SQLiteBase` ctor which is opted into by per-project DBs (SessionDB).
+    // Different DB paths from different worktrees/sessions ARE concurrent
+    // by design — the lockfile is per-dbPath, not per-process.
 }
 // ─────────────────────────────────────────────────────────
 // DB file helpers
@@ -507,11 +504,35 @@ export class SQLiteBase {
         // tmpdir-prefix check inside the helper — defaultDBPath() output
         // (per-process tmp DBs) does not contend, so it never claims a lock.
         acquireDbLock({ dbPath });
+        // v1.0.129 — single source of truth for skip decision. Both lockfile
+        // (above) and EXCLUSIVE pragma (below) MUST share the same skip-gate:
+        // tests open SessionDB twice on the same tmpdir path to exercise
+        // multi-writer scenarios; if EXCLUSIVE fires here when lockfile didn't,
+        // the second open hits SQLITE_BUSY on its FIRST pragma call inside
+        // applyWALPragmas — caused 82 test failures during v1.0.128 verification.
+        const skipExclusive = dbPath.startsWith(tmpdir());
         cleanOrphanedWALFiles(dbPath);
         let db;
         try {
             db = new Database(dbPath, { timeout: 30000 });
             applyWALPragmas(db);
+            // v1.0.128 — Issue #560 SECONDARY defense for SQLiteBase callers (single-writer
+            // DBs like SessionDB). The .lock file (acquireDbLock above) is PRIMARY — it
+            // surfaces the conflicting PID with a clear UX message. EXCLUSIVE locking
+            // closes the narrow race window between lockfile claim + the actual
+            // `new Database(...)` open: a parallel process passing the lockfile
+            // check would still get SQLITE_BUSY from this pragma. Wrapped in try/catch —
+            // backends that don't expose locking_mode (or pragma at all) still get the
+            // lockfile floor. NOTE: NOT applied in `applyWALPragmas` because multi-writer
+            // callers (ContentStore — FTS5 shared knowledge base across sessions) rely
+            // on the default SHARED locking mode + withRetry to handle SQLITE_BUSY.
+            // Skip on tmpdir paths to match acquireDbLock's skip-gate.
+            if (!skipExclusive) {
+                try {
+                    db.pragma("locking_mode = EXCLUSIVE");
+                }
+                catch { /* unsupported runtime */ }
+            }
         }
         catch (err) {
             const msg = err instanceof Error ? err.message : String(err);
@@ -521,6 +542,12 @@ export class SQLiteBase {
                 try {
                     db = new Database(dbPath, { timeout: 30000 });
                     applyWALPragmas(db);
+                    if (!skipExclusive) {
+                        try {
+                            db.pragma("locking_mode = EXCLUSIVE");
+                        }
+                        catch { /* unsupported runtime */ }
+                    }
                 }
                 catch (retryErr) {
                     // Free the lock before bubbling — caller can never reach