context-mode 1.0.150 → 1.0.152

package/configs/kimi/hooks.json

@@ -0,0 +1,54 @@
+{
+  "hooks": {
+    "PreToolUse": [
+      {
+        "matcher": "Bash|Shell|Read|Edit|Write|WebFetch|Agent|ctx_execute|ctx_execute_file|ctx_batch_execute|ctx_fetch_and_index|ctx_search|ctx_index|mcp__",
+        "hooks": [
+          { "type": "command", "command": "context-mode hook kimi pretooluse" }
+        ]
+      }
+    ],
+    "PostToolUse": [
+      {
+        "hooks": [
+          { "type": "command", "command": "context-mode hook kimi posttooluse" }
+        ]
+      }
+    ],
+    "SessionStart": [
+      {
+        "hooks": [
+          { "type": "command", "command": "context-mode hook kimi sessionstart" }
+        ]
+      }
+    ],
+    "SessionEnd": [
+      {
+        "hooks": [
+          { "type": "command", "command": "context-mode hook kimi sessionend" }
+        ]
+      }
+    ],
+    "PreCompact": [
+      {
+        "hooks": [
+          { "type": "command", "command": "context-mode hook kimi precompact" }
+        ]
+      }
+    ],
+    "UserPromptSubmit": [
+      {
+        "hooks": [
+          { "type": "command", "command": "context-mode hook kimi userpromptsubmit" }
+        ]
+      }
+    ],
+    "Stop": [
+      {
+        "hooks": [
+          { "type": "command", "command": "context-mode hook kimi stop" }
+        ]
+      }
+    ]
+  }
+}

package/configs/pi/AGENTS.md

@@ -1,85 +1,3 @@
-# context-mode — MANDATORY routing rules
-
-context-mode MCP tools available. Rules protect context window from flooding. One unrouted command dumps 56 KB into context. Pi enforces routing via hooks (`tool_call` blocks `curl`/`wget`) AND these instructions. Hooks = hard enforcement; rules = completeness for redirections hooks cannot catch.
-
-## Think in Code — MANDATORY
-
-Analyze/count/filter/compare/search/parse/transform data: **write code** via `ctx_execute(language, code)`, `console.log()` only the answer. Do NOT read raw data into context. PROGRAM the analysis, not COMPUTE it. Pure JavaScript — Node.js built-ins only (`fs`, `path`, `child_process`). `try/catch`, handle `null`/`undefined`. One script replaces ten tool calls.
-
-## BLOCKED — do NOT use
-
-### curl / wget — FORBIDDEN (hook-enforced)
-Do NOT use `curl`/`wget` in `bash`. Pi hooks block these. Dumps raw HTTP into context.
-Use: `ctx_fetch_and_index(url, source)` or `ctx_execute(language: "javascript", code: "const r = await fetch(...)")`
-
-### Inline HTTP — FORBIDDEN
-No `node -e "fetch(..."`, `python -c "requests.get(..."`. Bypasses sandbox.
-Use: `ctx_execute(language, code)` — only stdout enters context
-
-### Direct web fetching — FORBIDDEN
-Raw HTML can exceed 100 KB.
-Use: `ctx_fetch_and_index(url, source)` then `ctx_search(queries)`
-
-## REDIRECTED — use sandbox
-
-### bash (>20 lines output)
-`bash` ONLY for: `git`, `mkdir`, `rm`, `mv`, `cd`, `ls`, `npm install`, `pip install`.
-Otherwise: `ctx_batch_execute(commands, queries)` or `ctx_execute(language: "shell", code: "...")`
-
-### read (for analysis)
-Reading to **edit** → `read` correct. Reading to **analyze/explore/summarize** → `ctx_execute_file(path, language, code)`.
-
-### grep / find (large results)
-Use `ctx_execute(language: "shell", code: "grep ...")` in sandbox.
-
-## Tool selection
-
-0. **MEMORY**: `ctx_search(sort: "timeline")` — after resume, check prior context before asking user.
-1. **GATHER**: `ctx_batch_execute(commands, queries)` — runs all commands, auto-indexes, returns search. ONE call replaces 30+. Each command: `{label: "header", command: "..."}`.
-2. **FOLLOW-UP**: `ctx_search(queries: ["q1", "q2", ...])` — all questions as array, ONE call (default relevance mode).
-3. **PROCESSING**: `ctx_execute(language, code)` | `ctx_execute_file(path, language, code)` — sandbox, only stdout enters context.
-4. **WEB**: `ctx_fetch_and_index(url, source)` then `ctx_search(queries)` — raw HTML never enters context.
-5. **INDEX**: `ctx_index(content, source)` — store in FTS5 for later search.
-
-## Parallel I/O batches
-
-For multi-URL fetches or multi-API calls, **always** include `concurrency: N` (1-8):
-
-- `ctx_batch_execute(commands: [3+ network commands], concurrency: 5)` — gh, curl, dig, docker inspect, multi-region cloud queries
-- `ctx_fetch_and_index(requests: [{url, source}, ...], concurrency: 5)` — multi-URL batch fetch
-
-**Use concurrency 4-8** for I/O-bound work (network calls, API queries). **Keep concurrency 1** for CPU-bound (npm test, build, lint) or commands sharing state (ports, lock files, same-repo writes).
-
-GitHub API rate-limit: cap at 4 for `gh` calls.
-
-## Output
-
-Write artifacts to FILES — never inline. Return: file path + 1-line description.
-Descriptive source labels for `search(source: "label")`.
-
-## Session Continuity
-
-Skills, roles, and decisions persist for the entire session. Do not abandon them as the conversation grows.
-
-## Memory
-
-Session history is persistent and searchable. On resume, search BEFORE asking the user:
-
-| Need | Command |
-|------|---------|
-| What did we decide? | `ctx_search(queries: ["decision"], source: "decision", sort: "timeline")` |
-| What constraints exist? | `ctx_search(queries: ["constraint"], source: "constraint")` |
-
-DO NOT ask "what were we working on?" — SEARCH FIRST.
-If search returns 0 results, proceed as a fresh session.
-
-## ctx commands
-
-| Command | Action |
-|---------|--------|
-| `ctx stats` | Call `stats` MCP tool, display full output verbatim |
-| `ctx doctor` | Call `doctor` MCP tool, run returned shell command, display as checklist |
-| `ctx upgrade` | Call `upgrade` MCP tool, run returned shell command, display as checklist |
-| `ctx purge` | Call `purge` MCP tool with confirm: true. Warns before wiping knowledge base. |
-
-After /clear or /compact: knowledge base and session stats preserved. Use `ctx purge` to start fresh.
+# context-mode is active
+Use `ctx_*` tools. The extension injects routing rules — follow them.
+Note for Pi users: if this project also has CLAUDE.md, Pi.dev reads both files and duplicates routing instructions in context — remove one.

package/hooks/cache-heal-utils.mjs

@@ -29,7 +29,11 @@ import {
   writeFileSync,
   chmodSync,
   statSync,
+  readdirSync,
+  renameSync,
+  unlinkSync,
 } from "node:fs";
+import { join } from "node:path";
 
 /**
  * Convert any path string to forward slashes (matches normalize-hooks style,
@@ -209,6 +213,150 @@ export function selfHealCacheHealHook({
   return "healed";
 }
 
+/**
+ * Issue #710 — heal Claude Code's per-session shell snapshots.
+ *
+ * Claude Code writes a per-session snapshot at boot:
+ *   ~/.claude/shell-snapshots/snapshot-<shell>-<ts>-<rand>.sh
+ * Every Bash tool call `source`s that snapshot to reproduce the user env
+ * (refs/platforms/claude-code/src/utils/bash/ShellSnapshot.ts:269-336;
+ * sourced before every Bash tool call at bashProvider.ts:166). The snapshot
+ * bakes an `export PATH='…'` line containing the active context-mode
+ * `bin/` for the then-current cache version, e.g.
+ *   …/.claude/plugins/cache/context-mode/context-mode/1.0.146/bin
+ *
+ * /ctx-upgrade installs the new version and deletes the old cache dir
+ * mid-session, but it never touches the snapshot — so every subsequent
+ * Bash tool call fails with "Plugin directory does not exist: …/1.0.146"
+ * until the session restarts.
+ *
+ * This helper rewrites the version segment of every context-mode PATH
+ * entry in every snapshot under `snapshotsDir` to `currentVersion`.
+ * Anchored on the doubled `context-mode/context-mode/` segment so sibling
+ * plugins (`pm-skills/pm-toolkit`, `claude-adhd/claude-adhd`, …) and
+ * shape-spoofing entries (`evil-owner/context-mode/1.0.146`) are
+ * untouched.
+ *
+ * Layered like cache-heal-utils' brew-node fix:
+ *   Layer 1 — /ctx-upgrade calls this after install (cli.ts) so the
+ *             session that just upgraded sees the new bin on the next
+ *             Bash call.
+ *   Layer 2 — SessionStart hook calls this on every boot so a session
+ *             that started before /ctx-upgrade ran still self-heals.
+ *
+ * Write contract:
+ *   - Atomic: write to `<file>.tmp-<pid>-<ts>` then rename. Snapshots
+ *     are `source`d concurrently; a half-written file would crash the
+ *     bash subprocess mid-call.
+ *   - Idempotent: a snapshot already on `currentVersion` is not
+ *     re-written (mtime preserved). A snapshot with no context-mode
+ *     entry is not re-written.
+ *   - Best-effort: every I/O is wrapped; never throws. Telemetry shape
+ *     is `{ rewritten: string[] }` for caller logging.
+ *   - Cross-platform: handles both unix (`/Users/x/.claude/…`),
+ *     Cygwin/Git Bash (`/c/Users/x/.claude/…`), and Windows native
+ *     (`C:\Users\x\.claude\…`) path variants. ShellSnapshot.ts
+ *     writes paths using whatever shell wrote them, so all three
+ *     shapes can appear depending on the user's shell environment.
+ */
+export function rewriteShellSnapshots({ snapshotsDir, currentVersion }) {
+  const out = { rewritten: [] };
+  if (
+    !snapshotsDir ||
+    typeof snapshotsDir !== "string" ||
+    !currentVersion ||
+    typeof currentVersion !== "string"
+  ) {
+    return out;
+  }
+  let entries;
+  try {
+    if (!existsSync(snapshotsDir)) return out;
+    entries = readdirSync(snapshotsDir);
+  } catch {
+    return out;
+  }
+
+  // Match the version segment of any PATH entry of the form
+  //   …/plugins/cache/context-mode/context-mode/<VERSION>/bin
+  // across all three path shapes (`/`, `\`, mixed). The doubled
+  // `context-mode/context-mode/` is the trust anchor — it prevents
+  // shape-spoofing from another owner.
+  //
+  // Captures:
+  //   $1 — separator-tolerant prefix up to and including the second
+  //        `context-mode` segment + its trailing separator
+  //   $2 — version segment (no separators)
+  //   $3 — trailing separator + `bin`
+  const versionSegmentRe =
+    /(context-mode[/\\]context-mode[/\\])([^/\\]+)([/\\]bin)/g;
+
+  for (const name of entries) {
+    if (!name.endsWith(".sh")) continue;
+    const file = join(snapshotsDir, name);
+    let content;
+    try {
+      const st = statSync(file);
+      if (!st.isFile()) continue;
+      content = readFileSync(file, "utf-8");
+    } catch {
+      // Binary, unreadable, or vanished — skip.
+      continue;
+    }
+
+    let touched = false;
+    const next = content.replace(
+      versionSegmentRe,
+      (whole, prefix, version, suffix) => {
+        if (version === currentVersion) return whole;
+        touched = true;
+        return `${prefix}${currentVersion}${suffix}`;
+      },
+    );
+    if (!touched) continue;
+
+    // Atomic rename — never write directly to `file` because the
+    // snapshot may be sourced by a concurrent Bash subprocess.
+    const tmp = `${file}.tmp-${process.pid}-${Date.now()}`;
+    try {
+      writeFileSync(tmp, next, "utf-8");
+      renameSync(tmp, file);
+      out.rewritten.push(file);
+    } catch {
+      // Best-effort cleanup of the tmp file; never throw.
+      try {
+        unlinkSync(tmp);
+      } catch {
+        /* best effort */
+      }
+    }
+  }
+
+  return out;
+}
+
+/**
+ * Issue #710 Layer 2 — self-heal entry point for SessionStart.
+ *
+ * Resolves the snapshots directory + current version from the live
+ * environment (or accepts explicit overrides for tests) and delegates to
+ * `rewriteShellSnapshots`. Wrap-and-swallow; never throws.
+ *
+ * `pluginCacheRoot` is accepted to match the cache-heal-utils precedent
+ * surface but not yet used (the version segment alone is sufficient for
+ * the regex match — we don't need to walk the cache to know the right
+ * answer; the cli passes the version it just installed). Kept in the
+ * shape for forward-compat if a future heal pass needs to cross-check
+ * the on-disk symlink target.
+ */
+export function selfHealShellSnapshots({
+  snapshotsDir,
+  pluginCacheRoot: _pluginCacheRoot,
+  currentVersion,
+}) {
+  return rewriteShellSnapshots({ snapshotsDir, currentVersion });
+}
+
 /**
  * Ensure a script starts with `#!/usr/bin/env node` and has 0o755 mode.
  * Idempotent — leaves correctly-shebanged scripts unchanged.

package/hooks/core/formatters.mjs

@@ -106,6 +106,32 @@ export const formatters = {
     context: () => null, // Codex rejects additionalContext in PreToolUse (fails open)
   },
 
+  "kimi": {
+    // Kimi Code / Kimi CLI hook runners parse ONLY `permissionDecision === "deny"`
+    // for structured PreToolUse output. Anything else (ask / allow+updatedInput /
+    // additionalContext) is silently dropped, and the host's HookResult type has
+    // no `additionalContext` field at all.
+    //   Evidence: refs/platforms/kimi-code/packages/agent-core/src/session/hooks/
+    //     runner.ts:36-39,162-178  (HookSpecificOutputSchema + structuredOutput())
+    //   Evidence: refs/platforms/kimi-code/packages/agent-core/src/session/hooks/
+    //     types.ts:28-37            (HookResult has no additionalContext)
+    //   Evidence: refs/platforms/kimi-cli/src/kimi_cli/hooks/runner.py:62-89
+    //     (Python runtime behaves identically)
+    // This mirrors the codex precedent established at commit 607dc70 (#225),
+    // where the same upstream "deny-only" parser forced ask/modify/context to
+    // return null in the formatter rather than emit fields the host ignores.
+    deny: (reason) => ({
+      hookSpecificOutput: {
+        hookEventName: "PreToolUse",
+        permissionDecision: "deny",
+        permissionDecisionReason: reason,
+      },
+    }),
+    ask: () => null,     // Kimi runner ignores permissionDecision !== "deny"
+    modify: () => null,  // Kimi runner has no updatedInput channel
+    context: () => null, // Kimi HookResult has no additionalContext field
+  },
+
   "cursor": {
     deny: (reason) => ({
       permission: "deny",

package/hooks/core/routing.mjs

@@ -822,7 +822,15 @@ export function routePreToolUse(toolName, toolInput, projectDir, platform, sessi
     const fieldName = ["prompt", "request", "objective", "question", "query", "task"].find(f => f in toolInput) ?? "prompt";
     const prompt = toolInput[fieldName] ?? "";
 
-    const subagentBlock = createRoutingBlock(t, { includeCommands: false });
+    // Claude Code surfaces ctx_* as DEFERRED tools (schemas loaded via ToolSearch).
+    // Without a bootstrap step the subagent is told to use ctx_* tools it cannot yet
+    // invoke and stalls (see #724). Prepend the ToolSearch bootstrap for claude-code
+    // (the default when platform is unset). Other platforms don't defer, so skip it.
+    const isClaudeCode = !platform || platform === "claude-code";
+    const subagentBlock = createRoutingBlock(t, {
+      includeCommands: false,
+      toolSearchBootstrap: isClaudeCode,
+    });
 
     const updatedInput =
       subagentType === "Bash"

package/hooks/core/stdin.mjs

@@ -5,15 +5,86 @@
  * Uses event-based flowing mode to avoid two platform bugs:
  * - `for await (process.stdin)` hangs on macOS when piped via spawnSync
  * - `readFileSync(0)` throws EOF/EISDIR on Windows, EAGAIN on Linux
+ *
+ * Idle-timeout semantics (override via env `CONTEXT_MODE_HOOK_STDIN_IDLE_MS`,
+ * default 1500 ms):
+ * - EOF before any data → resolve("")  — the original well-behaved path.
+ * - EOF after data       → resolve(buffer) with BOM strip (#139 — Cursor on
+ *                          Windows can emit a leading U+FEFF that crashes
+ *                          downstream JSON.parse).
+ * - Idle with 0 bytes    → resolve("")  — covers hosts that hold the pipe open
+ *                          without ever closing it (issue #639 — Bun re-exec
+ *                          EOF path) so the hook still terminates.
+ * - Idle with > 0 bytes  → reject(Error) — partial data after a stall MUST NOT
+ *                          be silently truncated, otherwise downstream
+ *                          JSON.parse corrupts on large `tool_response`
+ *                          payloads (issue #242 — Gemini AfterTool >1MB).
+ *                          Visible non-zero exit is correct here; the host
+ *                          surfaces the failure in its hook diagnostics.
  */
 
 export function readStdin() {
   return new Promise((resolve, reject) => {
     let data = "";
+    const idleMs = Number(process.env.CONTEXT_MODE_HOOK_STDIN_IDLE_MS || 1500);
+    let done = false;
+    let timer;
+
+    const cleanup = () => {
+      clearTimeout(timer);
+      process.stdin.removeListener("data", onData);
+      process.stdin.removeListener("end", onEnd);
+      process.stdin.removeListener("error", onError);
+      try { process.stdin.pause(); } catch {}
+      try { process.stdin.destroy?.(); } catch {}
+    };
+    const resolveBuffer = () => {
+      if (done) return;
+      done = true;
+      cleanup();
+      // Preserves #139 BOM strip \u2014 applies on both EOF and idle-empty paths.
+      resolve(data.replace(/^\uFEFF/, ""));
+    };
+    const rejectIdle = () => {
+      if (done) return;
+      done = true;
+      cleanup();
+      reject(new Error(
+        `stdin idle for ${idleMs}ms with ${data.length} bytes buffered`,
+      ));
+    };
+    const onIdle = () => {
+      // Zero-buffer idle = host never wrote anything (issue #639). Resolve
+      // empty so the hook can no-op. Non-zero buffer = partial data, which
+      // must reject to avoid silent JSON.parse corruption (issue #242).
+      if (data.length === 0) {
+        resolveBuffer();
+      } else {
+        rejectIdle();
+      }
+    };
+    const arm = () => {
+      clearTimeout(timer);
+      timer = setTimeout(onIdle, idleMs);
+      timer.unref?.();
+    };
+    const onData = (chunk) => {
+      data += chunk;
+      arm();
+    };
+    const onEnd = () => resolveBuffer();
+    const onError = (error) => {
+      if (done) return;
+      done = true;
+      cleanup();
+      reject(error);
+    };
+
     process.stdin.setEncoding("utf-8");
-    process.stdin.on("data", (chunk) => { data += chunk; });
-    process.stdin.on("end", () => resolve(data.replace(/^\uFEFF/, "")));
-    process.stdin.on("error", reject);
+    process.stdin.on("data", onData);
+    process.stdin.on("end", onEnd);
+    process.stdin.on("error", onError);
     process.stdin.resume();
+    arm();
   });
 }

package/hooks/core/tool-naming.mjs

@@ -27,6 +27,7 @@ const TOOL_PREFIXES = {
   "zed":            (tool) => `mcp:context-mode:${tool}`,
   "cursor":         (tool) => tool,
   "codex":          (tool) => tool,
+  "kimi":           (tool) => `mcp__context-mode__${tool}`,
   "openclaw":       (tool) => tool,
   "pi":             (tool) => tool,
   "qwen-code":      (tool) => `mcp__context-mode__${tool}`,