context-mode 1.0.153 → 1.0.155

package/hooks/core/formatters.mjs

@@ -18,14 +18,50 @@ export const formatters = {
         permissionDecision: "ask",
       },
     }),
-    modify: (updatedInput) => ({
-      hookSpecificOutput: {
-        hookEventName: "PreToolUse",
-        permissionDecision: "allow",
-        permissionDecisionReason: "Routed to context-mode sandbox",
-        updatedInput,
-      },
-    }),
+    // Tool-aware modify handling for claude-code:
+    //
+    // - Bash redirect (updatedInput.command): CC v2.1.x ignores
+    //   `updatedInput.command` substitution under `permissionDecision: "allow"`
+    //   — original command runs unchanged. Verified via /diagnose Phase 4
+    //   forced-deny probe: only `permissionDecision: "deny"` is honored for
+    //   Bash blocking. Emit deny + extract echo payload into
+    //   `permissionDecisionReason`.
+    //
+    // - Agent prompt injection (updatedInput.prompt): CC honors
+    //   allow+updatedInput for Agent tool — modified prompt reaches the
+    //   subagent. Keep modify shape so subagent routing-block injection works.
+    //
+    // - Any other shape: pass through as modify and let CC decide.
+    //
+    // Other adapters (gemini-cli, vscode-copilot, etc.) keep their own modify
+    // semantics — their hosts implement updatedInput differently or not at all.
+    modify: (updatedInput) => {
+      const ui = updatedInput ?? {};
+      const isBashCommandRedirect = "command" in ui;
+      if (!isBashCommandRedirect) {
+        return {
+          hookSpecificOutput: {
+            hookEventName: "PreToolUse",
+            updatedInput: ui,
+          },
+        };
+      }
+      // routing.mjs wraps the redirect guidance in `echo "..."` form.
+      // Extract the quoted payload as the deny reason. Fall back to a generic
+      // ADR-0003 CASE A message if the shape doesn't match.
+      const cmd = ui.command ?? "";
+      const m = cmd.match(/^echo\s+"(.+)"$/s);
+      const reason = m
+        ? m[1]
+        : "Redirected to ctx_execute / ctx_fetch_and_index. Call ctx_execute(language, code) to fetch and derive your answer in one round trip, or call ctx_fetch_and_index(url, source) when you want to query the response later via ctx_search. Both have full network access. Retry the same call on a transient DNS error (EAI_AGAIN, ETIMEDOUT, ENETUNREACH).";
+      return {
+        hookSpecificOutput: {
+          hookEventName: "PreToolUse",
+          permissionDecision: "deny",
+          permissionDecisionReason: reason,
+        },
+      };
+    },
     context: (additionalContext) => ({
       hookSpecificOutput: {
         hookEventName: "PreToolUse",

package/hooks/formatters/claude-code.mjs

@@ -54,14 +54,50 @@ export function formatDecision(decision) {
         },
       };
 
-    case "modify":
+    case "modify": {
       if (isHeadless()) return null;
+
+      // Tool-aware modify handling:
+      //
+      // - Bash redirect (updatedInput.command): CC v2.1.x ignores
+      //   `updatedInput.command` substitution under `permissionDecision: "allow"`
+      //   — original command runs unchanged. Verified via /diagnose Phase 4
+      //   forced-deny probe: only `permissionDecision: "deny"` is honored for
+      //   Bash blocking. Emit deny + extract echo payload into
+      //   `permissionDecisionReason`.
+      //
+      // - Agent prompt injection (updatedInput.prompt): CC honors allow+updatedInput
+      //   for the Agent tool — the modified prompt actually reaches the subagent.
+      //   Keep the original modify shape so subagent routing-block injection works.
+      //
+      // - Any other shape: pass through as modify (no command, no prompt — let
+      //   CC decide if the field is honored).
+      const ui = decision.updatedInput ?? {};
+      const isBashCommandRedirect = "command" in ui;
+      if (!isBashCommandRedirect) {
+        return {
+          hookSpecificOutput: {
+            hookEventName: "PreToolUse",
+            updatedInput: ui,
+          },
+        };
+      }
+      // routing.mjs wraps the redirect guidance in `echo "..."` form.
+      // Extract the quoted payload as the deny reason. Fall back to a generic
+      // ADR-0003 CASE A message if the shape doesn't match.
+      const cmd = ui.command ?? "";
+      const m = cmd.match(/^echo\s+"(.+)"$/s);
+      const reason = m
+        ? m[1]
+        : "Redirected to ctx_execute / ctx_fetch_and_index. Call ctx_execute(language, code) to fetch and derive your answer in one round trip, or call ctx_fetch_and_index(url, source) when you want to query the response later via ctx_search. Both have full network access. Retry the same call on a transient DNS error (EAI_AGAIN, ETIMEDOUT, ENETUNREACH).";
       return {
         hookSpecificOutput: {
           hookEventName: "PreToolUse",
-          updatedInput: decision.updatedInput,
+          permissionDecision: "deny",
+          permissionDecisionReason: reason,
         },
       };
+    }
 
     case "context":
       return {

package/hooks/platform-bridge.mjs

@@ -0,0 +1,207 @@
+// hooks/platform-bridge.mjs — Fire-and-forget event forwarder.
+// Reads ~/.context-mode/platform.json {api_key, platform_url}.
+// POSTs every event to ${platform_url}/events.
+// Privacy: redacts secrets + normalizes $HOME before send.
+// Backward-compat (PRD §5.3 Upgrade Lag): v1 events_url → platform_url; token → api_key.
+
+import fs from "node:fs";
+import path from "node:path";
+import os from "node:os";
+
+const CACHE_TTL_MS = 60_000;
+const FETCH_TIMEOUT_MS = 2_000;
+const MAX_FIELD_LEN = 200;
+const MAX_DEPTH = 4;
+
+// Negative-cache sentinel — distinguishes "uninitialized" (null) from
+// "we checked recently and there's no config" (NO_CONFIG). Without this,
+// the unconfigured-user path would hit fs.readFileSync on every event.
+const NO_CONFIG = Symbol("no-config");
+
+let _cache = null;
+let _cacheLoadedAt = 0;
+let _warned = false; // dedupe stderr — log first failure only, reset on success
+let _fsLoads = 0;    // test-only counter: how many times readConfig hit the FS
+
+// === Cross-platform config path (bug-free across Win/Linux/Mac/WSL) ===
+export function configPath() {
+  if (process.platform === "win32") {
+    const appdata = process.env.APPDATA;
+    if (appdata) return path.join(appdata, "context-mode", "platform.json");
+    // Fallback if APPDATA unset (rare — Git Bash without env)
+    return path.join(os.homedir(), "AppData", "Roaming", "context-mode", "platform.json");
+  }
+  if (process.env.XDG_CONFIG_HOME) {
+    return path.join(process.env.XDG_CONFIG_HOME, "context-mode", "platform.json");
+  }
+  return path.join(os.homedir(), ".context-mode", "platform.json");
+}
+
+function warn(msg) {
+  if (_warned) return;
+  _warned = true;
+  process.stderr.write(`[context-mode] ${msg}\n`);
+}
+
+// v1 events_url + token alias kept for Upgrade Lag (PRD §5.3).
+// Stray fields (version, hostname, device_id, endpoints.sessions, routes) silently ignored.
+function normalizeConfig(raw) {
+  if (!raw || typeof raw !== "object") return null;
+  const api_key = raw.api_key ?? raw.token;
+  let platform_url = raw.platform_url;
+  if (!platform_url && raw.endpoints?.events) platform_url = String(raw.endpoints.events).replace(/\/events$/, "");
+  if (!platform_url && raw.events_url) platform_url = String(raw.events_url).replace(/\/events$/, "");
+  if (typeof api_key !== "string" || !api_key.startsWith("ctxm_")) return null;
+  if (typeof platform_url !== "string" || !platform_url) return null;
+  return { api_key, platform_url: platform_url.replace(/\/$/, "") };
+}
+
+function readConfig() {
+  const now = Date.now();
+  // Cache hit — covers BOTH positive (config object) and negative (NO_CONFIG) results.
+  if (_cache !== null && now - _cacheLoadedAt < CACHE_TTL_MS) {
+    return _cache === NO_CONFIG ? null : _cache;
+  }
+  _cacheLoadedAt = now;
+  _fsLoads++;
+  const cfgPath = configPath();
+
+  let raw;
+  try {
+    raw = fs.readFileSync(cfgPath, "utf8");
+  } catch (e) {
+    if (e.code !== "ENOENT") warn(`cannot read ${cfgPath}: ${e.code || e.message}`);
+    _cache = NO_CONFIG;
+    return null;
+  }
+
+  let parsed;
+  try {
+    parsed = JSON.parse(raw);
+  } catch (e) {
+    warn(`${cfgPath} is not valid JSON: ${e.message}`);
+    _cache = NO_CONFIG;
+    return null;
+  }
+
+  const normalized = normalizeConfig(parsed);
+  if (!normalized) {
+    warn(`${cfgPath} schema invalid — expected {api_key (ctxm_*), platform_url}`);
+    _cache = NO_CONFIG;
+    return null;
+  }
+
+  _warned = false; // success — re-arm warning for future failures
+  _cache = normalized;
+  return _cache;
+}
+
+// === Gate — cheap boolean for callers that want to skip allocations entirely ===
+// `session-loaders.mjs` uses this BEFORE the per-event forwarding loop so the
+// loop never executes when ~/.context-mode/platform.json is missing. Honors
+// the same 60s TTL as readConfig() — first call hits the FS, subsequent calls
+// within the TTL return the cached decision (positive or negative).
+export function hasPlatformConfig() {
+  return readConfig() !== null;
+}
+
+// === URL construction (single endpoint per ADR-0006) ===
+export function buildUrl(cfg, _eventType) {
+  return `${cfg.platform_url}/events`;
+}
+
+// === Privacy: secret + PII redaction ===
+const SECRETS = [
+  /\b(?:ghp|gho|ghs|ghu|github_pat)_[A-Za-z0-9_]{20,}\b/g, // GitHub
+  /\bAKIA[0-9A-Z]{16}\b/g,                                 // AWS
+  /\bsk-(?:ant|proj)?-?[A-Za-z0-9_-]{32,}\b/g,             // OpenAI/Anthropic
+  /\beyJ[A-Za-z0-9_-]{20,}\.[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+\b/g, // JWT
+  /\bxox[bpoas]-[A-Za-z0-9-]{10,}\b/g,                     // Slack
+  /\bglpat-[A-Za-z0-9_-]{20,}\b/g,                         // GitLab
+  /\b[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}\b/g,   // emails
+  /\b\d{3}-\d{2}-\d{4}\b/g,                                // SSN-like
+];
+const HOME = os.homedir();
+const USER_DIR_RE = /(\/Users\/|\/home\/|\\+Users\\+)[^/\\]+/g;
+
+function privacyTransform(s) {
+  if (typeof s !== "string") return s;
+  let out = s.split(HOME).join("<HOME>")
+    .replace(USER_DIR_RE, (m) => m.replace(/[^/\\]+$/, "<USER>"));
+  for (const re of SECRETS) out = out.replace(re, "[REDACTED]");
+  return out;
+}
+
+function walk(obj, depth) {
+  if (depth > MAX_DEPTH) return "[depth-limited]";
+  if (obj == null) return obj;
+  if (typeof obj === "string") {
+    const cleaned = privacyTransform(obj);
+    return cleaned.length > MAX_FIELD_LEN ? cleaned.slice(0, MAX_FIELD_LEN) + "…[truncated]" : cleaned;
+  }
+  if (Array.isArray(obj)) return obj.slice(0, 50).map((x) => walk(x, depth + 1));
+  if (typeof obj === "object") {
+    const out = {};
+    for (const [k, v] of Object.entries(obj)) out[k] = walk(v, depth + 1);
+    return out;
+  }
+  return obj;
+}
+
+export function sanitizeEvent(event) {
+  return event && typeof event === "object" ? walk(event, 0) : event;
+}
+
+// === Public API ===
+export async function maybeForward(event, platform, opts = {}) {
+  const cfg = readConfig();
+  if (!cfg) return;
+
+  const ev = sanitizeEvent(event);
+  const ctrl = new AbortController();
+  const t = setTimeout(() => ctrl.abort(), FETCH_TIMEOUT_MS);
+
+  try {
+    const res = await fetch(buildUrl(cfg, ev.type), {
+      method: "POST",
+      headers: {
+        "Authorization": `Bearer ${cfg.api_key}`,
+        "Content-Type": "application/json",
+        "X-Source-Platform": platform,
+        "X-Schema-Version": "2",
+      },
+      body: JSON.stringify({
+        tool: ev.type,
+        category: ev.category,
+        error: ev.category === "error" ? 1 : 0,
+        ts: opts.ts ?? Math.floor(Date.now() / 1000),
+        platform,
+        project: opts.project,
+        session_category: ev.category,
+        session_type: ev.type,
+        session_data: typeof ev.data === "string" ? ev.data : undefined,
+      }),
+      signal: ctrl.signal,
+    });
+    if (res.status === 401) { _cache = null; _cacheLoadedAt = 0; }
+    else if (res.status === 429) {
+      process.stderr.write(`[context-mode-platform] rate limited (retry after ${res.headers.get("Retry-After")}s)\n`);
+    }
+    return { ok: res.ok, status: res.status };
+  } catch (e) {
+    return { ok: false, status: 0, error: e.message };
+  } finally {
+    clearTimeout(t);
+  }
+}
+
+export const _internal = {
+  readConfig,
+  normalizeConfig,
+  buildUrl,
+  sanitizeEvent,
+  privacyTransform,
+  configPath,
+  resetState: () => { _cache = null; _cacheLoadedAt = 0; _warned = false; _fsLoads = 0; },
+  get fsLoads() { return _fsLoads; },
+};

package/hooks/session-loaders.mjs

@@ -10,6 +10,9 @@ import { join } from "node:path";
 import { pathToFileURL } from "node:url";
 import { existsSync } from "node:fs";
 
+import { hasPlatformConfig, maybeForward } from "./platform-bridge.mjs";
+import { detectPlatformFromEnv } from "./core/platform-detect.mjs";
+
 export function createSessionLoaders(hookDir) {
   // Auto-detect bundle directory: bundles live in hooks/ root, not platform subdirs.
   // If hookDir itself has bundles, use it; otherwise go up one level.
@@ -96,5 +99,17 @@ export function attributeAndInsertEvents(db, sessionId, events, input, projectDi
       db.insertEvent(sessionId, events[i], hookName, attributions[i], bytesList?.[i]);
     }
   }
+
+  // PRD-context-as-a-service §5.2 — Forwarder injection.
+  // Gated: the per-event loop never runs when ~/.context-mode/platform.json
+  // is missing. hasPlatformConfig() is a single cached probe (60s TTL), so
+  // the unconfigured-user path costs at most one syscall per minute.
+  if (hasPlatformConfig()) {
+    const platform = detectPlatformFromEnv();
+    for (let i = 0; i < events.length; i++) {
+      maybeForward({ ...events[i], session_id: sessionId, ...attributions[i] }, platform);
+    }
+  }
+
   return attributions;
 }

package/openclaw.plugin.json

@@ -3,7 +3,7 @@
   "name": "Context Mode",
   "kind": "tool",
   "description": "OpenClaw plugin that saves 98% of your context window. Sandboxed code execution in 11 languages, FTS5 knowledge base with BM25 ranking, and intent-driven search.",
-  "version": "1.0.153",
+  "version": "1.0.155",
   "sandbox": {
     "mode": "permissive",
     "filesystem_access": "full",

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "context-mode",
-  "version": "1.0.153",
+  "version": "1.0.155",
   "type": "module",
   "description": "MCP plugin that saves 98% of your context window. Works with Claude Code, Gemini CLI, VS Code Copilot, OpenCode, and Codex CLI. Sandboxed code execution, FTS5 knowledge base, and intent-driven search.",
   "author": "Mert Koseoğlu",