context-mode 1.0.153 → 1.0.154

package/.claude-plugin/marketplace.json

@@ -6,14 +6,14 @@
   },
   "metadata": {
     "description": "Claude Code plugins by Mert Koseoğlu",
-    "version": "1.0.153"
+    "version": "1.0.154"
   },
   "plugins": [
     {
       "name": "context-mode",
       "source": "./",
       "description": "Claude Code MCP plugin that saves 98% of your context window. Sandboxed code execution in 11 languages, FTS5 knowledge base with BM25 ranking, and intent-driven search.",
-      "version": "1.0.153",
+      "version": "1.0.154",
       "author": {
         "name": "Mert Koseoğlu"
       },

package/.claude-plugin/plugin.json

@@ -1,6 +1,6 @@
 {
   "name": "context-mode",
-  "version": "1.0.153",
+  "version": "1.0.154",
   "description": "MCP server that saves 98% of your context window with session continuity. Sandboxed code execution in 11 languages, FTS5 knowledge base with BM25 ranking, and automatic state restore across compactions.",
   "author": {
     "name": "Mert Koseoğlu",

package/.codex-plugin/plugin.json

@@ -1,6 +1,6 @@
 {
   "name": "context-mode",
-  "version": "1.0.153",
+  "version": "1.0.154",
   "description": "MCP server that saves 98% of your context window with session continuity. Sandboxed code execution in 11 languages, FTS5 knowledge base with BM25 ranking, and automatic state restore across compactions.",
   "author": {
     "name": "Mert Koseoğlu",

package/.openclaw-plugin/openclaw.plugin.json

@@ -3,7 +3,7 @@
   "name": "Context Mode",
   "kind": "tool",
   "description": "OpenClaw plugin that saves 98% of your context window. Sandboxed code execution in 11 languages, FTS5 knowledge base with BM25 ranking, and intent-driven search.",
-  "version": "1.0.153",
+  "version": "1.0.154",
   "sandbox": {
     "mode": "permissive",
     "filesystem_access": "full",

package/.openclaw-plugin/package.json

@@ -1,6 +1,6 @@
 {
   "name": "context-mode",
-  "version": "1.0.153",
+  "version": "1.0.154",
   "description": "OpenClaw plugin that saves 98% of your context window. Sandboxed code execution in 11 languages, FTS5 knowledge base with BM25 ranking, and intent-driven search.",
   "author": {
     "name": "Mert Koseoğlu",

package/hooks/core/formatters.mjs

@@ -18,14 +18,50 @@ export const formatters = {
         permissionDecision: "ask",
       },
     }),
-    modify: (updatedInput) => ({
-      hookSpecificOutput: {
-        hookEventName: "PreToolUse",
-        permissionDecision: "allow",
-        permissionDecisionReason: "Routed to context-mode sandbox",
-        updatedInput,
-      },
-    }),
+    // Tool-aware modify handling for claude-code:
+    //
+    // - Bash redirect (updatedInput.command): CC v2.1.x ignores
+    //   `updatedInput.command` substitution under `permissionDecision: "allow"`
+    //   — original command runs unchanged. Verified via /diagnose Phase 4
+    //   forced-deny probe: only `permissionDecision: "deny"` is honored for
+    //   Bash blocking. Emit deny + extract echo payload into
+    //   `permissionDecisionReason`.
+    //
+    // - Agent prompt injection (updatedInput.prompt): CC honors
+    //   allow+updatedInput for Agent tool — modified prompt reaches the
+    //   subagent. Keep modify shape so subagent routing-block injection works.
+    //
+    // - Any other shape: pass through as modify and let CC decide.
+    //
+    // Other adapters (gemini-cli, vscode-copilot, etc.) keep their own modify
+    // semantics — their hosts implement updatedInput differently or not at all.
+    modify: (updatedInput) => {
+      const ui = updatedInput ?? {};
+      const isBashCommandRedirect = "command" in ui;
+      if (!isBashCommandRedirect) {
+        return {
+          hookSpecificOutput: {
+            hookEventName: "PreToolUse",
+            updatedInput: ui,
+          },
+        };
+      }
+      // routing.mjs wraps the redirect guidance in `echo "..."` form.
+      // Extract the quoted payload as the deny reason. Fall back to a generic
+      // ADR-0003 CASE A message if the shape doesn't match.
+      const cmd = ui.command ?? "";
+      const m = cmd.match(/^echo\s+"(.+)"$/s);
+      const reason = m
+        ? m[1]
+        : "Redirected to ctx_execute / ctx_fetch_and_index. Call ctx_execute(language, code) to fetch and derive your answer in one round trip, or call ctx_fetch_and_index(url, source) when you want to query the response later via ctx_search. Both have full network access. Retry the same call on a transient DNS error (EAI_AGAIN, ETIMEDOUT, ENETUNREACH).";
+      return {
+        hookSpecificOutput: {
+          hookEventName: "PreToolUse",
+          permissionDecision: "deny",
+          permissionDecisionReason: reason,
+        },
+      };
+    },
     context: (additionalContext) => ({
       hookSpecificOutput: {
         hookEventName: "PreToolUse",

package/hooks/formatters/claude-code.mjs

@@ -54,14 +54,50 @@ export function formatDecision(decision) {
         },
       };
 
-    case "modify":
+    case "modify": {
       if (isHeadless()) return null;
+
+      // Tool-aware modify handling:
+      //
+      // - Bash redirect (updatedInput.command): CC v2.1.x ignores
+      //   `updatedInput.command` substitution under `permissionDecision: "allow"`
+      //   — original command runs unchanged. Verified via /diagnose Phase 4
+      //   forced-deny probe: only `permissionDecision: "deny"` is honored for
+      //   Bash blocking. Emit deny + extract echo payload into
+      //   `permissionDecisionReason`.
+      //
+      // - Agent prompt injection (updatedInput.prompt): CC honors allow+updatedInput
+      //   for the Agent tool — the modified prompt actually reaches the subagent.
+      //   Keep the original modify shape so subagent routing-block injection works.
+      //
+      // - Any other shape: pass through as modify (no command, no prompt — let
+      //   CC decide if the field is honored).
+      const ui = decision.updatedInput ?? {};
+      const isBashCommandRedirect = "command" in ui;
+      if (!isBashCommandRedirect) {
+        return {
+          hookSpecificOutput: {
+            hookEventName: "PreToolUse",
+            updatedInput: ui,
+          },
+        };
+      }
+      // routing.mjs wraps the redirect guidance in `echo "..."` form.
+      // Extract the quoted payload as the deny reason. Fall back to a generic
+      // ADR-0003 CASE A message if the shape doesn't match.
+      const cmd = ui.command ?? "";
+      const m = cmd.match(/^echo\s+"(.+)"$/s);
+      const reason = m
+        ? m[1]
+        : "Redirected to ctx_execute / ctx_fetch_and_index. Call ctx_execute(language, code) to fetch and derive your answer in one round trip, or call ctx_fetch_and_index(url, source) when you want to query the response later via ctx_search. Both have full network access. Retry the same call on a transient DNS error (EAI_AGAIN, ETIMEDOUT, ENETUNREACH).";
       return {
         hookSpecificOutput: {
           hookEventName: "PreToolUse",
-          updatedInput: decision.updatedInput,
+          permissionDecision: "deny",
+          permissionDecisionReason: reason,
         },
       };
+    }
 
     case "context":
       return {

package/openclaw.plugin.json

@@ -3,7 +3,7 @@
   "name": "Context Mode",
   "kind": "tool",
   "description": "OpenClaw plugin that saves 98% of your context window. Sandboxed code execution in 11 languages, FTS5 knowledge base with BM25 ranking, and intent-driven search.",
-  "version": "1.0.153",
+  "version": "1.0.154",
   "sandbox": {
     "mode": "permissive",
     "filesystem_access": "full",

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "context-mode",
-  "version": "1.0.153",
+  "version": "1.0.154",
   "type": "module",
   "description": "MCP plugin that saves 98% of your context window. Works with Claude Code, Gemini CLI, VS Code Copilot, OpenCode, and Codex CLI. Sandboxed code execution, FTS5 knowledge base, and intent-driven search.",
   "author": "Mert Koseoğlu",