yvgude/lean-ctx v3.8.3

on GitHub

Added

• lean-ctx doctor overhead (#572): per-client fixed-cost report — how many
  tokens your editor pays every session for tool schemas, instructions and
  rules files, with duplicate detection across CLAUDE.md/.cursorrules/AGENTS.md.
• lean-ctx rules dedup [--apply] (#578): finds and removes lean-ctx-owned
  duplicate rule files and stale marked blocks across editors. The
  .cursorrules template is now a pointer to the canonical rules, and the
  compression block is no longer double-injected for Cursor.

Changed

• Token-efficiency epic, phase 1 (#571) — fixed per-session overhead cut
  from ~13.7K to ~6.0K tokens on a typical setup:
  • Lean default tool surface (#575): setup no longer pins a
    tool_profile; the default surface is 13 lazy-core tools instead of 61.
    lean-ctx tools lean/reset manage it explicitly.
  • Schema diet (#576): core tool descriptions and schemas trimmed
    3031→1935 tokens (−36%); large action enums folded into pipe-delimited
    descriptions; a budget regression test keeps it from creeping back.
  • Instructions cap (#579): the static instruction skeleton stays ≤400
    tokens (Off/Compact CRP) / ≤500 (TDD); the decoder block is mode-aware and
    canonical rule blocks were condensed.
  • Honest metrics (#573): dashboard, footer and ledger report observed
    tokens only — the modeled 2.5× grep baseline moves to the estimated
    series; ctx_cost splits cached vs uncached input at cache-read pricing;
    the benchmark measures the real CCP resume payload.
  • Self-describing outputs (#580): plain notation uses real language
    keywords (struct/trait/pub), and TDD symbol outputs carry a minimal
    inline legend (≤15 tokens) so agents never guess the notation.
• Codex hook: native rewrite instead of block-and-retry (#399, community
  contribution): on Codex ≥ 0.20 the PreToolUse hook now returns
  updatedInput to rewrite shell commands through lean-ctx in place — no more
  deny + model-retry round-trip per command.

Security

• Bumped the postgres crate family past three fresh RUSTSEC advisories
  (unbounded SCRAM iteration DoS, hstore/DataRow decode panics) — found by
  cargo-deny the moment they were published; lean-ctx never exposed the
  vulnerable paths to untrusted servers (#399).

Fixed

• lean-ctx overview flooded the terminal with thousands of node_modules
  entries on projects without a top-level .git (#400): the ignore crate
  only applies .gitignore files inside git repositories — in a monorepo
  whose subprojects carry their own .gitignore but whose root is not a git
  repo, every scanner walked node_modules wholesale (74k+ files in the
  report). Two-part fix, applied to all 15 directory walkers (graph/BM25/
  trigram index builders, ctx_impact, ctx_search/ctx_tree/ctx_glob,
  CLI scans): a shared walk_filter now prunes unambiguous vendor dirs
  (node_modules, __pycache__, bower_components, virtualenvs with a
  pyvenv.cfg) regardless of git state, and require_git(false) makes
  .gitignore files effective without a .git directory. Explicit roots
  stay reachable (ctx_tree node_modules/react works), and
  respect_gitignore=false remains the escape hatch for searching inside
  vendor dirs.
• macOS privacy prompts ("lean-ctx would like to access …") fired repeatedly
  while the MCP server was running (#356 follow-up): editors spawn the
  user-level MCP server with cwd == $HOME. A ctx_search/ctx_tree/
  ctx_glob call whose path fell back to "." then walked the entire
  home directory — every stat under ~/Library, ~/Desktop, ~/Pictures
  trips a TCC prompt (Calendar/Reminders/AddressBook/Photos), and the walk
  burned 10–20 s per call. The index builders already refused broad roots;
  the direct walk fallbacks did not. All three walk tools now share that same
  root policy (new walk_guard): relative paths are absolutized against the
  process cwd first — so lean-ctx grep/ls inside a real project keep
  working — and broad or privacy-protected roots ($HOME, /, ~/Library,
  TCC dirs without project markers) return an actionable error telling the
  agent to pass an explicit project path instead of silently scanning.
• ctx_impact reported C# classes as leaf nodes when consumers had no
  using directive (#398): C# resolves types in the same namespace without
  any import, and DI-style code never news its dependencies — so a class
  consumed only as a type (constructor parameter, field, property, base
  class, generic argument) produced zero graph edges and a false-negative
  "no files depend on X". The property-graph builder now extracts type
  usages from the AST (fields, parameters, returns, base lists, generics,
  casts, typeof) for C# and Java — the two supported languages with implicit
  same-namespace/package visibility — and links consumer files to defining
  files with type_ref edges, which impact_analysis already traverses.
  Names defined in more than 3 files are skipped as too generic to attribute.
• Same root cause, second symptom: classes consumed only as a type were
  flagged by the dead_code smell — its SQL already exempted type_ref
  targets, but nothing ever created those edges. The builder now also emits
  symbol-level type_ref edges, so DI-consumed classes no longer show up as
  dead code while genuinely unreferenced ones still do.
• Both property-graph builder paths (default and minimal) now share one
  analysis pass and definition index, so the fix applies regardless of build
  features.

Upgrade

lean-ctx update                 # recommended (auto-downloads + refreshes shell hooks)
cargo install lean-ctx          # or
npm update -g lean-ctx-bin      # or
brew upgrade lean-ctx

Note: After upgrading via cargo/npm/brew, run lean-ctx setup to refresh shell aliases. lean-ctx update does this automatically.

Full Changelog: v3.8.3...v3.8.3