context-mode 1.0.148 → 1.0.150

package/build/store-directory.js

@@ -0,0 +1,254 @@
+/**
+ * walkDirectory — bounded recursive directory walker for ctx_index (#687).
+ *
+ * Issue: ctx_index refused directory paths via the security gate at
+ * src/store.ts:845 ("refusing to index <path>: not a regular file"). The gate
+ * is a TOCTOU defense from #442 round-3 and MUST be preserved — directory
+ * support is layered as a separate concern here. Each file produced by
+ * walkDirectory is then read via the existing per-file
+ * `openSync + fstatSync.isFile()` invariant in `ContentStore.index()`.
+ *
+ * Reported by @matiasduartee across 4 clients × Windows 11.
+ * https://github.com/anthropic-experimental/context-mode/issues/687
+ *
+ * Design constraints:
+ *   - No new dependencies (avoid the `ignore` package — issue #687 Diagnose).
+ *   - Cross-OS: path.sep / path.join everywhere, never raw "/" string ops.
+ *   - Symlink cycle detection via a resolved-path Set.
+ *   - Symlink-escape rejection: refuse to follow symlinks that resolve outside
+ *     the rootPath (defense-in-depth alongside per-file checkFilePathDenyPolicy).
+ *   - FTS5-blowup guard: hard cap maxFiles (default 200, per Architect).
+ */
+import { readdirSync, statSync, lstatSync, realpathSync, existsSync, readFileSync, } from "node:fs";
+import { join, extname, relative, sep, resolve } from "node:path";
+const DEFAULT_EXCLUDES = [
+    "node_modules",
+    ".git",
+    "dist",
+    "build",
+    ".next",
+    "coverage",
+    ".venv",
+    "__pycache__",
+    ".DS_Store",
+];
+const DEFAULT_EXTENSIONS = [
+    ".md",
+    ".mdx",
+    ".txt",
+    ".json",
+    ".yaml",
+    ".yml",
+    ".ts",
+    ".tsx",
+    ".js",
+    ".jsx",
+    ".py",
+    ".rs",
+    ".go",
+    ".sh",
+];
+const DEFAULT_MAX_DEPTH = 5;
+const DEFAULT_MAX_FILES = 200;
+/**
+ * Convert a simple glob pattern (`*`, `**`, `?`) to a RegExp. Anchors at
+ * boundaries so `node_modules` matches `node_modules` AND `node_modules/pkg`.
+ * Patterns are matched against POSIX-style relative paths (forward slashes)
+ * to give consistent behavior across macOS / Windows.
+ */
+function globToRegExp(pattern) {
+    // Escape regex metachars except glob ones.
+    let re = "";
+    for (let i = 0; i < pattern.length; i++) {
+        const c = pattern[i];
+        if (c === "*") {
+            if (pattern[i + 1] === "*") {
+                re += ".*";
+                i++;
+            }
+            else {
+                re += "[^/]*";
+            }
+        }
+        else if (c === "?") {
+            re += "[^/]";
+        }
+        else if ("\\^$.|+()[]{}".includes(c)) {
+            re += "\\" + c;
+        }
+        else {
+            re += c;
+        }
+    }
+    return new RegExp(`^${re}$`);
+}
+/** Match a posix-style relative path against any of the patterns. */
+function matchesAny(relPosix, patterns) {
+    if (patterns.length === 0)
+        return false;
+    const basename = relPosix.split("/").pop() ?? relPosix;
+    for (const p of patterns) {
+        // Bare names match basename OR any path segment.
+        if (!p.includes("/") && !p.includes("*")) {
+            if (basename === p)
+                return true;
+            if (relPosix.split("/").includes(p))
+                return true;
+            continue;
+        }
+        const re = globToRegExp(p);
+        if (re.test(relPosix))
+            return true;
+        if (re.test(basename))
+            return true;
+    }
+    return false;
+}
+/**
+ * Parse a .gitignore file into a list of patterns. Comments and blank lines
+ * are stripped. Negation (`!`) is not supported — kept conservative.
+ */
+function parseGitignore(rootPath) {
+    const giPath = join(rootPath, ".gitignore");
+    if (!existsSync(giPath))
+        return [];
+    try {
+        const text = readFileSync(giPath, "utf-8");
+        return text
+            .split(/\r?\n/)
+            .map(l => l.trim())
+            .filter(l => l.length > 0 && !l.startsWith("#") && !l.startsWith("!"))
+            .map(l => l.replace(/^\//, "").replace(/\/$/, ""));
+    }
+    catch {
+        return [];
+    }
+}
+/**
+ * Convert an absolute path under rootPath to a POSIX-style relative path
+ * so glob matching is identical across macOS/Linux/Windows.
+ */
+function toPosixRel(rootPath, absPath) {
+    const rel = relative(rootPath, absPath);
+    return rel.split(sep).join("/");
+}
+/**
+ * Walk `rootPath` recursively under the given bounds and return absolute file
+ * paths matching the filters. Pure synchronous traversal — no allocations
+ * beyond the result array. Symlink cycles are detected via a resolved-path
+ * Set; symlink escapes (resolving outside rootPath) are silently skipped.
+ */
+export function walkDirectory(rootPath, opts = {}) {
+    return walkDirectoryDetailed(rootPath, opts).files;
+}
+/**
+ * Same as walkDirectory but returns capped + totalSeen so callers can surface
+ * a "capped at N files" notice in their response.
+ */
+export function walkDirectoryDetailed(rootPath, opts = {}) {
+    const { include, exclude, maxDepth = DEFAULT_MAX_DEPTH, maxFiles = DEFAULT_MAX_FILES, extensions, respectGitignore = true, followSymlinks = false, } = opts;
+    // Normalize rootPath to its real path so symlink-escape detection is sound.
+    let rootReal;
+    try {
+        rootReal = realpathSync(rootPath);
+    }
+    catch {
+        return { files: [], capped: false, totalSeen: 0 };
+    }
+    const exts = (extensions && extensions.length > 0 ? extensions : DEFAULT_EXTENSIONS)
+        .map(e => (e.startsWith(".") ? e : "." + e).toLowerCase());
+    const excludes = [
+        ...DEFAULT_EXCLUDES,
+        ...(exclude ?? []),
+        ...(respectGitignore ? parseGitignore(rootReal) : []),
+    ];
+    const includes = include ?? [];
+    const out = [];
+    const visited = new Set([rootReal]);
+    let totalSeen = 0;
+    let capped = false;
+    function walk(absDir, depth) {
+        if (capped)
+            return;
+        if (depth > maxDepth)
+            return;
+        let entries;
+        try {
+            entries = readdirSync(absDir, { withFileTypes: true });
+        }
+        catch {
+            return; // unreadable directory — skip silently
+        }
+        for (const ent of entries) {
+            if (capped)
+                return;
+            const absChild = join(absDir, ent.name);
+            const relPosix = toPosixRel(rootReal, absChild);
+            // Exclude check applies to both files and dirs — early prune.
+            if (matchesAny(relPosix, excludes))
+                continue;
+            // Include filter applies to files only — see below.
+            // Resolve symlinks once; reject escapes; track for cycle detection.
+            let isDirChild = ent.isDirectory();
+            let isFileChild = ent.isFile();
+            let isSymlink = false;
+            try {
+                const lst = lstatSync(absChild);
+                isSymlink = lst.isSymbolicLink();
+            }
+            catch {
+                continue;
+            }
+            if (isSymlink) {
+                if (!followSymlinks)
+                    continue;
+                let resolved;
+                try {
+                    resolved = realpathSync(absChild);
+                }
+                catch {
+                    continue; // dangling
+                }
+                // Symlink-escape: refuse to follow if the resolved target leaves rootReal.
+                const escapeRel = relative(rootReal, resolved);
+                if (escapeRel.startsWith("..") || resolve(escapeRel) === resolved) {
+                    // resolve(absolute) === absolute → target is absolute outside root
+                    if (escapeRel.startsWith(".."))
+                        continue;
+                }
+                if (visited.has(resolved))
+                    continue;
+                visited.add(resolved);
+                try {
+                    const st = statSync(resolved);
+                    isDirChild = st.isDirectory();
+                    isFileChild = st.isFile();
+                }
+                catch {
+                    continue;
+                }
+            }
+            if (isDirChild) {
+                walk(absChild, depth + 1);
+                continue;
+            }
+            if (!isFileChild)
+                continue;
+            // Extension filter.
+            const ext = extname(absChild).toLowerCase();
+            if (!exts.includes(ext))
+                continue;
+            // Include filter (if any): file must match at least one include pattern.
+            if (includes.length > 0 && !matchesAny(relPosix, includes))
+                continue;
+            totalSeen++;
+            if (out.length >= maxFiles) {
+                capped = true;
+                return;
+            }
+            out.push(absChild);
+        }
+    }
+    walk(rootReal, 0);
+    return { files: out, capped, totalSeen };
+}

package/build/store.d.ts

@@ -7,6 +7,7 @@
  * Use for documentation, API references, and any content where
  * you need EXACT text later — not summaries.
  */
+import { type WalkOptions } from "./store-directory.js";
 type SourceMatchMode = "like" | "exact";
 import type { IndexResult, SearchResult, StoreStats } from "./types.js";
 export type { IndexResult, SearchResult, StoreStats } from "./types.js";
@@ -51,6 +52,34 @@ export declare class ContentStore {
             eventId?: string;
         };
     }): IndexResult;
+    /**
+     * Index every file under a directory by walking it with `walkDirectory` and
+     * delegating each discovered file to `this.index({ path })`. The per-file
+     * `openSync + fstatSync.isFile()` security gate at line ~845 stays active
+     * for every file — directory support never bypasses the TOCTOU defense
+     * from #442 round-3.
+     *
+     * Reported by @matiasduartee in #687.
+     */
+    indexDirectory(opts: {
+        path: string;
+        source?: string;
+        attribution?: {
+            sessionId?: string;
+            eventId?: string;
+        };
+        /** Optional per-file deny check — runs INSIDE the walk loop so a denied
+         *  file does not even open a fd. Returns true to deny. */
+        perFileDeny?: (absPath: string) => boolean;
+    } & WalkOptions): {
+        filesIndexed: number;
+        totalChunks: number;
+        capped: boolean;
+        totalSeen: number;
+        denied: number;
+        failed: number;
+        label: string;
+    };
     /**
      * Index plain-text output (logs, build output, test results) by splitting
      * into fixed-size line groups. Unlike markdown indexing, this does not

package/build/store.js

@@ -13,6 +13,7 @@ import { readFileSync, readdirSync, unlinkSync, existsSync, statSync, openSync,
 import { createHash } from "node:crypto";
 import { tmpdir } from "node:os";
 import { join } from "node:path";
+import { walkDirectoryDetailed } from "./store-directory.js";
 // ─────────────────────────────────────────────────────────
 // Constants
 // ─────────────────────────────────────────────────────────
@@ -756,6 +757,51 @@ export class ContentStore {
         const contentHash = filePath ? createHash("sha256").update(text).digest("hex") : undefined;
         return withRetry(() => this.#insertChunks(chunks, label, text, filePath, contentHash, attribution));
     }
+    // ── Index Directory (#687) ──
+    /**
+     * Index every file under a directory by walking it with `walkDirectory` and
+     * delegating each discovered file to `this.index({ path })`. The per-file
+     * `openSync + fstatSync.isFile()` security gate at line ~845 stays active
+     * for every file — directory support never bypasses the TOCTOU defense
+     * from #442 round-3.
+     *
+     * Reported by @matiasduartee in #687.
+     */
+    indexDirectory(opts) {
+        const { path: rootPath, source, attribution, perFileDeny, ...walkOpts } = opts;
+        const walked = walkDirectoryDetailed(rootPath, walkOpts);
+        let filesIndexed = 0;
+        let totalChunks = 0;
+        let denied = 0;
+        let failed = 0;
+        for (const file of walked.files) {
+            if (perFileDeny && perFileDeny(file)) {
+                denied++;
+                continue;
+            }
+            try {
+                // Per-file source label so ctx_search(source: "<file>") still works.
+                const fileSource = source ? `${source}:${file}` : file;
+                const r = this.index({ path: file, source: fileSource, attribution });
+                filesIndexed++;
+                totalChunks += r.totalChunks;
+            }
+            catch {
+                // Per-file failure (e.g. fd-bound fstat rejection of a non-regular
+                // file that races between walk and read) — count + continue.
+                failed++;
+            }
+        }
+        return {
+            filesIndexed,
+            totalChunks,
+            capped: walked.capped,
+            totalSeen: walked.totalSeen,
+            denied,
+            failed,
+            label: source ?? rootPath,
+        };
+    }
     // ── Index Plain Text ──
     /**
      * Index plain-text output (logs, build output, test results) by splitting

package/build/tool-naming.d.ts

@@ -0,0 +1,4 @@
+export declare function getToolName(platform: string, bareTool: string): string;
+export type ToolNamer = (bareTool: string) => string;
+export declare function createToolNamer(platform: string): ToolNamer;
+export declare const KNOWN_PLATFORMS: string[];

package/build/tool-naming.js

@@ -0,0 +1,24 @@
+const TOOL_PREFIXES = {
+    "claude-code": (tool) => `mcp__plugin_context-mode_context-mode__${tool}`,
+    "gemini-cli": (tool) => `mcp__context-mode__${tool}`,
+    "antigravity": (tool) => `mcp__context-mode__${tool}`,
+    "opencode": (tool) => `context-mode_${tool}`,
+    "kilo": (tool) => `context-mode_${tool}`,
+    "vscode-copilot": (tool) => `context-mode_${tool}`,
+    "jetbrains-copilot": (tool) => `context-mode_${tool}`,
+    "kiro": (tool) => `@context-mode/${tool}`,
+    "zed": (tool) => `mcp:context-mode:${tool}`,
+    "cursor": (tool) => tool,
+    "codex": (tool) => tool,
+    "openclaw": (tool) => tool,
+    "pi": (tool) => tool,
+    "qwen-code": (tool) => `mcp__context-mode__${tool}`,
+};
+export function getToolName(platform, bareTool) {
+    const fn = TOOL_PREFIXES[platform] || TOOL_PREFIXES["claude-code"];
+    return fn(bareTool);
+}
+export function createToolNamer(platform) {
+    return (bareTool) => getToolName(platform, bareTool);
+}
+export const KNOWN_PLATFORMS = Object.keys(TOOL_PREFIXES);

package/build/util/plugin-cache-integrity.d.ts

@@ -22,6 +22,20 @@
  * (package.json files[]); a missing helper means the install is
  * fundamentally broken.
  */
+/**
+ * Files `start.mjs` needs to launch the MCP server, checked dependency-free
+ * (fs only) so this works even when the integrity helper
+ * (`scripts/plugin-cache-integrity.mjs`) is itself missing — a missing helper
+ * is itself a partial-install symptom, and the operator most needs to know
+ * whether the launch entrypoint survived.
+ *
+ * - `start.mjs` is the plugin `command` target (`.claude-plugin/plugin.json`)
+ *   and has NO fallback: if absent, `node ${CLAUDE_PLUGIN_ROOT}/start.mjs`
+ *   fails immediately and the MCP server never starts.
+ * - The server is loaded by start.mjs from `server.bundle.mjs`, falling back
+ *   to `build/server.js`; it is only "missing" when BOTH are absent.
+ */
+export declare function findMissingLaunchFiles(pluginRoot: string): string[];
 /**
  * Run the integrity check synchronously. If the helper module is
  * still loading (not yet cached) returns a FAIL with detail

package/build/util/plugin-cache-integrity.js

@@ -22,6 +22,8 @@
  * (package.json files[]); a missing helper means the install is
  * fundamentally broken.
  */
+import { existsSync } from "node:fs";
+import { join } from "node:path";
 let cached = null;
 let cachedError = null;
 async function loadHelper() {
@@ -67,6 +69,30 @@ async function loadHelper() {
 // intentionally — by the time any HealthCheck.check() runs (doctor
 // command, well after MCP server boot), the import has resolved.
 void loadHelper();
+/**
+ * Files `start.mjs` needs to launch the MCP server, checked dependency-free
+ * (fs only) so this works even when the integrity helper
+ * (`scripts/plugin-cache-integrity.mjs`) is itself missing — a missing helper
+ * is itself a partial-install symptom, and the operator most needs to know
+ * whether the launch entrypoint survived.
+ *
+ * - `start.mjs` is the plugin `command` target (`.claude-plugin/plugin.json`)
+ *   and has NO fallback: if absent, `node ${CLAUDE_PLUGIN_ROOT}/start.mjs`
+ *   fails immediately and the MCP server never starts.
+ * - The server is loaded by start.mjs from `server.bundle.mjs`, falling back
+ *   to `build/server.js`; it is only "missing" when BOTH are absent.
+ */
+export function findMissingLaunchFiles(pluginRoot) {
+    const missing = [];
+    if (!existsSync(join(pluginRoot, "start.mjs"))) {
+        missing.push("start.mjs");
+    }
+    if (!existsSync(join(pluginRoot, "server.bundle.mjs")) &&
+        !existsSync(join(pluginRoot, "build", "server.js"))) {
+        missing.push("server.bundle.mjs (or build/server.js)");
+    }
+    return missing;
+}
 /**
  * Run the integrity check synchronously. If the helper module is
  * still loading (not yet cached) returns a FAIL with detail
@@ -89,6 +115,21 @@ export function checkPluginCacheIntegritySync(pluginRoot) {
         };
     }
     if (cachedError) {
+        // The integrity helper (scripts/plugin-cache-integrity.mjs) ships in
+        // package.json files[]; if it failed to load, the install is already
+        // partial. Don't stop at "helper unavailable" — directly surface whether
+        // the launch entrypoint survived, because a missing start.mjs / server
+        // bundle is exactly what stops the MCP server from starting (and is what
+        // an interrupted /ctx-upgrade swap leaves behind).
+        const launchMissing = findMissingLaunchFiles(pluginRoot);
+        if (launchMissing.length > 0) {
+            return {
+                status: "FAIL",
+                detail: `partial install — critical launch files missing: ${launchMissing.join(", ")} ` +
+                    `(integrity helper also missing: ${cachedError}); the MCP server cannot start. ` +
+                    `Reinstall: npm install -g context-mode@latest`,
+            };
+        }
         return {
             status: "FAIL",
             detail: `integrity helper unavailable: ${cachedError}`,

package/build/util/project-dir.d.ts

@@ -60,6 +60,42 @@ export declare function resolveProjectDirFromTranscript(opts: {
     /** Test seam for maxAgeMs. Defaults to Date.now(). */
     nowMs?: number;
 }): string | undefined;
+/**
+ * Issue #45 / c4529042182 — recover the project-cwd from a Codex CLI
+ * session log when the spawned MCP child inherits a non-project cwd
+ * (e.g. $HOME when Codex was launched from anywhere outside the project).
+ *
+ * Codex writes its session transcripts to
+ * `${CODEX_HOME ?? ~/.codex}/sessions/<uuid>.jsonl`. The first line is a
+ * `SessionMeta` JSON struct whose `meta.cwd` field carries the literal
+ * project directory the CLI was launched from (see refs/platforms/codex/
+ * codex-rs SessionMeta). Codex publishes NO workspace env var to its child
+ * MCP processes — so unlike Claude/Pi/Cursor, we have no env signal at all.
+ * The session log is the strongest available signal.
+ *
+ * Mirror of `resolveProjectDirFromTranscript` for Claude Code; differences:
+ *   • Sessions live flat in `${codexHome}/sessions/*.jsonl` (no per-project
+ *     encoded subdir like Claude's `~/.claude/projects/<encoded>/`).
+ *   • The cwd is on `meta.cwd` (nested), not top-level `cwd`.
+ *
+ * Returns `null` when:
+ *   • `codexHome` or its `sessions/` subdir does not exist.
+ *   • No `.jsonl` files exist or none has a parseable `meta.cwd` string.
+ *   • The newest log is older than `transcriptMaxAgeMs` (multi-window guard).
+ *   • The resolved `meta.cwd` points at a plugin install path (poisoned).
+ */
+export declare function resolveCodexSessionCwd(opts?: {
+    /** Defaults to `process.env.CODEX_HOME ?? path.join(os.homedir(), ".codex")`. */
+    codexHome?: string;
+    /**
+     * Optional freshness guard — Codex appends to the active log while the
+     * session is running, so a stale log from days ago must not become a
+     * global project-dir signal.
+     */
+    transcriptMaxAgeMs?: number;
+    /** Test seam for transcriptMaxAgeMs. Defaults to Date.now(). */
+    now?: number;
+}): string | null;
 /**
  * Pure project-dir resolver. Mirror of the env-var chain inside
  * `src/server.ts getProjectDir()`, but takes its inputs explicitly so the
@@ -100,4 +136,11 @@ export declare function resolveProjectDir(opts: {
      * for `start.mjs` and any non-strict consumer).
      */
     strictPlatform?: PlatformId;
+    /**
+     * Issue #45 — override `${CODEX_HOME ?? ~/.codex}` for tests. When
+     * `strictPlatform === "codex"` and the env cascade yields nothing, the
+     * resolver reads `meta.cwd` from the newest session.jsonl under
+     * `${codexHome}/sessions/`.
+     */
+    codexHome?: string;
 }): string;

package/build/util/project-dir.js

@@ -1,4 +1,5 @@
 import * as fs from "node:fs";
+import * as os from "node:os";
 import * as path from "node:path";
 import { workspaceEnvVarsFor } from "../adapters/detect.js";
 /**
@@ -156,6 +157,94 @@ export function resolveProjectDirFromTranscript(opts) {
     catch { /* file vanished mid-read */ }
     return undefined;
 }
+/**
+ * Issue #45 / c4529042182 — recover the project-cwd from a Codex CLI
+ * session log when the spawned MCP child inherits a non-project cwd
+ * (e.g. $HOME when Codex was launched from anywhere outside the project).
+ *
+ * Codex writes its session transcripts to
+ * `${CODEX_HOME ?? ~/.codex}/sessions/<uuid>.jsonl`. The first line is a
+ * `SessionMeta` JSON struct whose `meta.cwd` field carries the literal
+ * project directory the CLI was launched from (see refs/platforms/codex/
+ * codex-rs SessionMeta). Codex publishes NO workspace env var to its child
+ * MCP processes — so unlike Claude/Pi/Cursor, we have no env signal at all.
+ * The session log is the strongest available signal.
+ *
+ * Mirror of `resolveProjectDirFromTranscript` for Claude Code; differences:
+ *   • Sessions live flat in `${codexHome}/sessions/*.jsonl` (no per-project
+ *     encoded subdir like Claude's `~/.claude/projects/<encoded>/`).
+ *   • The cwd is on `meta.cwd` (nested), not top-level `cwd`.
+ *
+ * Returns `null` when:
+ *   • `codexHome` or its `sessions/` subdir does not exist.
+ *   • No `.jsonl` files exist or none has a parseable `meta.cwd` string.
+ *   • The newest log is older than `transcriptMaxAgeMs` (multi-window guard).
+ *   • The resolved `meta.cwd` points at a plugin install path (poisoned).
+ */
+export function resolveCodexSessionCwd(opts) {
+    const codexHome = opts?.codexHome ?? process.env.CODEX_HOME ?? path.join(os.homedir(), ".codex");
+    const sessionsDir = path.join(codexHome, "sessions");
+    if (!fs.existsSync(sessionsDir))
+        return null;
+    let bestPath;
+    let bestMtime = 0;
+    try {
+        for (const f of fs.readdirSync(sessionsDir)) {
+            if (!f.endsWith(".jsonl"))
+                continue;
+            const fp = path.join(sessionsDir, f);
+            try {
+                const m = fs.statSync(fp).mtimeMs;
+                if (m > bestMtime) {
+                    bestMtime = m;
+                    bestPath = fp;
+                }
+            }
+            catch { /* skip */ }
+        }
+    }
+    catch {
+        return null;
+    }
+    if (!bestPath)
+        return null;
+    if (typeof opts?.transcriptMaxAgeMs === "number") {
+        const nowMs = opts.now ?? Date.now();
+        if (nowMs - bestMtime > opts.transcriptMaxAgeMs)
+            return null;
+    }
+    // Read first ~8KB; the SessionMeta JSON is line 1 and small. Stream-cap
+    // mirrors `resolveProjectDirFromTranscript` for memory safety on long logs.
+    try {
+        const fd = fs.openSync(bestPath, "r");
+        try {
+            const buf = Buffer.alloc(8192);
+            const bytes = fs.readSync(fd, buf, 0, buf.length, 0);
+            const text = buf.subarray(0, bytes).toString("utf-8");
+            const firstLine = text.split("\n", 1)[0];
+            if (!firstLine || !firstLine.trim())
+                return null;
+            try {
+                const obj = JSON.parse(firstLine);
+                const cwd = obj?.meta?.cwd;
+                if (typeof cwd !== "string" || cwd.length === 0)
+                    return null;
+                if (isPluginInstallPath(cwd))
+                    return null;
+                return cwd;
+            }
+            catch {
+                return null; /* malformed first line */
+            }
+        }
+        finally {
+            fs.closeSync(fd);
+        }
+    }
+    catch {
+        return null; /* file vanished mid-read */
+    }
+}
 /**
  * Pure project-dir resolver. Mirror of the env-var chain inside
  * `src/server.ts getProjectDir()`, but takes its inputs explicitly so the
@@ -177,7 +266,7 @@ export function resolveProjectDirFromTranscript(opts) {
  *      operation of project-independent tools (sandbox execute, fetch).
  */
 export function resolveProjectDir(opts) {
-    const { env, cwd, pwd, transcriptsRoot, transcriptMaxAgeMs, nowMs, strictPlatform } = opts;
+    const { env, cwd, pwd, transcriptsRoot, transcriptMaxAgeMs, nowMs, strictPlatform, codexHome, } = opts;
     // Build candidate list. Strict path: own workspace vars + universal escape
     // hatch — NO foreign workspace vars, in any order, can win. Non-strict
     // path: frozen legacy literal order for backwards compatibility.
@@ -198,6 +287,18 @@ export function resolveProjectDir(opts) {
         if (fromTranscript && !isPluginInstallPath(fromTranscript))
             return fromTranscript;
     }
+    // Issue #45 — Codex has no workspace env var, so when running under
+    // strictPlatform="codex" we fall back to the session-log heuristic
+    // between env and PWD. Non-codex platforms skip this branch entirely.
+    if (strictPlatform === "codex") {
+        const fromCodex = resolveCodexSessionCwd({
+            codexHome,
+            transcriptMaxAgeMs,
+            now: nowMs,
+        });
+        if (fromCodex)
+            return fromCodex;
+    }
     if (pwd && !isPluginInstallPath(pwd))
         return pwd;
     return cwd;