github mksglu/context-mode v1.0.141

3 hours ago

v1.0.141

Three independent bugs, three independent fixes. One closes the v1.0.139 follow-on; one closes a silent-success-on-clone-failure regression in ctx-upgrade; one finally opens the curl/wget escape hatch for Pi users.

Fixes

OpenCode/KiloCode plugin: bare strings + boolean strings now coerce correctly (#627). v1.0.139 added inputSchema.parse(args) to the OpenCode native bridge so coerce-preprocessors finally fire (closed #621). v1.0.141 widens two coercion paths the prior fix didn't cover: (a) coerceJsonArray now lifts bare non-empty strings into [val] for the bare-query case (previously crashed when callers passed queries: "foo" instead of queries: ["foo"]); (b) new coerceBoolean helper maps only literal "true" / "false" to actual booleans, passing everything else through unchanged. Applied to ctx_execute.background and ctx_purge.confirm. We deliberately refused z.coerce.boolean() because Boolean("false") === true would silently invert intent — security-critical for ctx_purge.confirm. Closes #627.

ctx-upgrade no longer reports success when the git clone fails (#628). When Step 1 git clone threw (Windows spawnSync cmd.exe ETIMEDOUT per the reporter, or any network/npm/manifest failure), the catch block logged "GitHub pull failed" + "Continuing with hooks/settings fix..." and let Steps 3-7 run successfully against the OLD on-disk install. The process exited 0, the checklist marked [x] Built and installed vNEW, but installed_plugins.json + per-version cache dir stayed at vOLD. Claude Code then kept offering the same upgrade forever (drift trap; the reporter's only escape was hand-editing installed_plugins.json). v1.0.141 mirrors the proven #514 algo-defense pattern — sets process.exitCode = 1 on Step 1/2 failure, removes the misleading "Continuing..." line, adds a drift warning (In-place files were NOT updated) and a recovery hint. Steps 3-7 still run (hooks may need refresh regardless) but exit is non-zero so the user sees the failure. Closes #628.

Pi adapter: curl/wget escape hatch for when MCP bridge dies (#625). Pi's BLOCKED_BASH_PATTERNS was a flat list — when the MCP bridge died mid-session, the agent was trapped: no ctx_fetch_and_index (MCP gone) AND no curl/wget (Pi's pre-MCP block). v1.0.141 mirrors the proven segment-level routing logic from hooks/core/routing.mjs:660-722: new stripQuotedContent() (heredocs + single/double quotes) eliminates false positives like gh ... --search "...curl..."; new isSafeCurlWget() allows silent + file-output forms (-s -o file.html) but still blocks verbose/stdout-alias variants. Chained commands (&&/||/;) are split per segment, and every curl/wget segment must pass independently. Language-level HTTP (inline fetch('http, requests.get()) is still blocked unconditionally. Closes #625.
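The segment-level check described for the Pi adapter can be sketched as follows. This is an added example, not code from context-mode: the names stripQuotedContent and isSafeCurlWget come from the release note, while their bodies, the curlWgetAllowed entry point, the wget flags and the list of stdout aliases are assumptions.

```javascript
// Added sketch. Function names follow the release note; every body is an
// assumption, not context-mode's implementation.
const STDOUT_ALIASES = new Set(["-", "/dev/stdout", "/dev/stderr", "/dev/tty"]);

// Blank heredoc bodies and quoted strings so text inside them is never read
// as a command (the gh --search "...curl..." false positive).
function stripQuotedContent(cmd) {
  return cmd
    .replace(/<<-?\s*(['"]?)(\w+)\1[^\n]*\n[\s\S]*?\n[ \t]*\2(?=\s|$)/g, " ")
    .replace(/'[^']*'/g, "''")
    .replace(/"(?:\\.|[^"\\])*"/g, '""');
}

// True when any short-flag cluster (-s, -sSL) contains the given letter.
const hasShort = (tokens, ch) =>
  tokens.some((t) => /^-[A-Za-z]+$/.test(t) && t.includes(ch));

// Allow only quiet transfers written to a named file. Assumed flags:
// curl -s/--silent with -o/--output, wget -q/--quiet with -O/--output-document.
function isSafeCurlWget(segment) {
  const tokens = segment.trim().split(/\s+/);
  const wget = tokens.includes("wget");
  const quiet = wget
    ? hasShort(tokens, "q") || tokens.includes("--quiet")
    : hasShort(tokens, "s") || tokens.includes("--silent");
  const verbose = hasShort(tokens, "v") || tokens.includes("--verbose");
  const outFlags = wget ? ["-O", "--output-document"] : ["-o", "--output"];
  const at = tokens.findIndex((t) => outFlags.includes(t));
  const target = at >= 0 ? tokens[at + 1] : undefined;
  // Fail closed: missing target, stdout alias, another flag, or a quoted
  // target that stripping reduced to "" and can no longer be inspected.
  const toFile =
    Boolean(target) && !STDOUT_ALIASES.has(target) && !/^["'-]/.test(target);
  return quiet && !verbose && toFile;
}

// Hypothetical entry point: decide whether a Bash command may run.
function curlWgetAllowed(cmd) {
  // Language-level HTTP is checked on the raw text and blocked unconditionally.
  if (/fetch\(\s*['"]http|requests\.get\(/.test(cmd)) return false;
  return stripQuotedContent(cmd)
    .split(/&&|\|\||;/) // chained commands: each segment is judged alone
    .filter((seg) => /\b(curl|wget)\b/.test(seg))
    .every(isSafeCurlWget);
}
```

Because the output target is inspected after quote stripping, a quoted target such as -o "/dev/stdout" is rejected rather than trusted.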

Tests

  • 9 new tests in existing tests/opencode-plugin.test.ts (#627)
  • 1 new test in existing tests/cli/upgrade-verifies-binding.test.ts (#628)
  • 9 new tests in existing Slice 3: PreToolUse routing enforcement block of tests/pi-extension.test.ts (#625)
  • All slotted into existing files per CONTRIBUTING L275 — no new test files
  • Full suite: 3362+ pass (baseline preserved)

Compatibility

15 adapters, 3 OS. No schema migration. engines.node >= 22.5.0 preserved.

Upgrade

npm install -g context-mode@latest
# Restart Claude Code (Cmd+Q + reopen)

Pi users on v1.0.140 and earlier: after upgrade, restart Pi. The curl/wget escape hatch only activates on fresh process boot.

Credits

  • Reporter who flagged #627 with concrete repro across both Kilo and OpenCode
  • Reporter who diagnosed #628 with installed_plugins.json divergence evidence
  • Reporter who flagged #625 — the original BLOCKED_BASH_PATTERNS pre-dated the segment-level routing logic we shipped in routing.mjs (commit a9e6c14, Mar 2026) and never got the upgrade
