mksglu/context-mode v1.0.97

on GitHub

Security & Correctness Fixes

Critical follow-up to v1.0.96's plugin cache self-heal — addresses 7 issues found by parallel agent army review.

Fixes

1. Path traversal guard — installPath from installed_plugins.json now validated to be inside ~/.claude/plugins/cache/ before creating symlinks. Prevents arbitrary filesystem writes from corrupted registry.
2. Layer 4 hook registration — global heal hook now registers in ~/.claude/settings.json SessionStart. Previously was dead code (Claude Code doesn't auto-discover files in ~/.claude/hooks/).
3. Bundle mode symlink target — server.ts mid-session heal used wrong directory in bundled mode. Now uses pluginRoot pattern matching other tools.
4. Dangling symlink recovery — lstatSync + unlinkSync before symlinkSync in all 3 layers. Previously, a broken symlink at the registry path would silently prevent healing (EEXIST).
5. Exact key match — uses === "context-mode@context-mode" instead of includes("context-mode") to prevent matching unrelated plugins.
6. Clean imports — removed dead lstatSync import, eliminated unnecessary dynamic import.
7. Test accuracy — tests now verify .mjs deployment (not .sh) and settings.json registration.

Related Claude Code issues

• anthropics/claude-code#46915
• anthropics/claude-code#29074
• anthropics/claude-code#36245
• anthropics/claude-code#45997

Tests

• 13 cache heal integration tests (dangling symlink, path traversal, exact match, settings.json registration)
• 1809 total tests passing, 0 failures