feat: integrate claude-context-mode as core feature (CYPACK-872) #930
cyrusagent wants to merge 10 commits into main from
Conversation
- Add context-mode npm dependency to packages/edge-worker/package.json
- Extend RepositoryConfigSchema with optional contextMode.enabled field
- Add context-mode MCP server entry in buildMcpConfig() after slack server
- Gate context-mode to claude runner only via excludeContextMode option
- Conditionally exclude based on repository.contextMode?.enabled !== false

Relates to CYPACK-873

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Adds PreToolUse hooks to buildAgentRunnerConfig() in EdgeWorker that guide Claude to use context-mode MCP tools for URL fetching operations, preserving context window space without blocking tool execution.

- Bash hook: detects curl/wget patterns and suggests context-mode:fetch_and_index
- WebFetch hook: always suggests context-mode:fetch_and_index
- Hooks only active when runnerType === 'claude' and contextMode enabled
- Exports PreToolUseHookInput from cyrus-claude-runner

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
… context-mode control

- Add `contextModeLevel?: "full" | "light" | "disabled"` field to SubroutineDefinition
- Wire contextModeLevel through buildAgentRunnerConfig() to control context-mode MCP server and PreToolUse hooks per subroutine
  - "disabled": excludes both MCP server and PreToolUse hooks
  - "light": includes MCP server but skips PreToolUse hooks
  - "full" (default/undefined): full context-mode active
- Update registry: gitCommit/ghPr → "light", changelogUpdate → "disabled"

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Adds a SessionStart hook to buildAgentRunnerConfig() that injects additionalContext guidance about context-mode MCP tools at the start of each session. This teaches Claude which tools are available and when to prefer them over standard tools. Hook is gated by contextModeHooksEnabled (Claude runner + context-mode enabled + level !== 'light'), providing guidance for all six tools: execute, execute_file, batch_execute, fetch_and_index, index, search.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
…877)

Log context-mode enabled/disabled state in buildAgentRunnerConfig() for each session. Logs at info level when enabled (with level and hooks status), debug level when disabled (with runner type, repoEnabled, and level).

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
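The gating rules and the Bash/WebFetch PreToolUse guidance described across the commits above, as an added TypeScript example that is not the PR's code: `decideContextMode`, `preToolUseGuidance`, `PreToolUseInput` and `ContextModeDecision` are this example's own names (not cyrus-claude-runner exports), the hook payload is assumed to carry `tool_name` and `tool_input` as Claude Code hook JSON does, and the sample commands are constructed.

```typescript
// Added example (not the PR's code): the context-mode gating described in the
// commits above, plus the Bash/WebFetch PreToolUse guidance. All names here are
// the example's own; the hook payload fields tool_name/tool_input follow the
// Claude Code hook JSON shape (assumption, not verified against the runner).

export type ContextModeLevel = "full" | "light" | "disabled";

export interface ContextModeDecision {
  mcpServer: boolean; // add the context-mode entry to the MCP config
  hooks: boolean;     // install the PreToolUse and SessionStart hooks
}

/**
 * Combine the three gates the commits describe:
 *  - runnerType: context-mode is wired for the claude runner only
 *  - repoEnabled: repository.contextMode?.enabled (undefined means enabled)
 *  - level: per-subroutine contextModeLevel (undefined means "full")
 */
export function decideContextMode(
  runnerType: string,
  repoEnabled: boolean | undefined,
  level: ContextModeLevel | undefined,
): ContextModeDecision {
  const effective: ContextModeLevel = level ?? "full";
  const serverEnabled =
    runnerType === "claude" && repoEnabled !== false && effective !== "disabled";
  return {
    mcpServer: serverEnabled,
    // "light" keeps the MCP server but drops the hooks
    hooks: serverEnabled && effective !== "light",
  };
}

export interface PreToolUseInput {
  tool_name: string;
  tool_input: Record<string, unknown>;
}

export interface HookGuidance {
  suggest: boolean;   // false: hook stays silent and the tool call proceeds as-is
  message?: string;   // guidance injected for the model; never a deny decision
}

// Matches curl/wget only as a command word (start of line, after whitespace, or
// after a shell separator), so "./curling.sh" or "wgetter" do not trigger.
const FETCH_COMMAND = /(?:^|[\s;&|(`])(?:curl|wget)(?=\s|$)/;

const FETCH_AND_INDEX_HINT =
  "Prefer context-mode:fetch_and_index for URL fetches; it keeps the fetched " +
  "content out of the context window and lets you search it afterwards.";

export function preToolUseGuidance(
  input: PreToolUseInput,
  decision: ContextModeDecision,
): HookGuidance {
  if (!decision.hooks) return { suggest: false };

  if (input.tool_name === "WebFetch") {
    // WebFetch always pulls the whole page into context: always suggest.
    return { suggest: true, message: FETCH_AND_INDEX_HINT };
  }

  if (input.tool_name === "Bash") {
    const cmd = input.tool_input.command;
    const command = typeof cmd === "string" ? cmd : "";
    if (FETCH_COMMAND.test(command)) {
      return { suggest: true, message: FETCH_AND_INDEX_HINT };
    }
  }

  // Anything else (git, test runners, file edits) is left alone.
  return { suggest: false };
}

// Constructed sample calls (not from the page) showing the gating end to end.
const full = decideContextMode("claude", undefined, undefined);
const light = decideContextMode("claude", true, "light");
console.log("full:", full, "light:", light);
console.log(
  preToolUseGuidance(
    { tool_name: "Bash", tool_input: { command: "curl -s https://example.com/api | jq ." } },
    full,
  ),
);
```

The hook only advises, matching the commit's "without blocking tool execution": a missed curl/wget pattern costs context window, not correctness, so the regex is deliberately conservative rather than a security boundary.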
@cyrusagent do a code review of this, and a security review of https://github.com/mksglu/claude-context-mode

I can't connect to your local environment because the Cyrus process isn't running. Run

This repository is not configured with Cyrus. Please add it at https://app.atcyrus.com/repos to start using Cyrus here.
Now I have all the information needed. Here's my review:

Code Review: PR #930

Issues Found

1. CRITICAL:

```ts
mcpConfig["context-mode"] = {
  command: "npx",
  args: ["-y", "context-mode", "start"],
};
```

Recommendation: Pin to a specific version (

2. HIGH: Unrelated changes bundled in PR

The Codex SDK bump (

3. MEDIUM: Hook closures capture no session-scoped state but are recreated per session

The

4. LOW: Two call sites now pass

```ts
undefined, // mcpOptions
currentSubroutine?.contextModeLevel, // per-subroutine context-mode control
```

This is getting unwieldy with 12+ positional parameters. Consider refactoring to an options object.

5. Design: Per-subroutine levels are well-designed

The

Security Review:
| # | Finding | Severity |
|---|---|---|
| 1 | Arbitrary code execution with no OS-level sandboxing — code runs with full user permissions, no chroot/Docker/namespace isolation | CRITICAL |
| 2 | AWS/GitHub/NPM credentials passed to all executed code — #buildSafeEnv() passes AWS_SECRET_ACCESS_KEY, GITHUB_TOKEN, NPM_TOKEN, SSH_AUTH_SOCK to every subprocess | HIGH |
| 3 | No network egress controls — executed code can make arbitrary outbound connections, enabling credential exfiltration | HIGH |
| 4 | File path traversal — execute_file and index tools resolve paths with resolve() which follows ../ — no containment check against project root | HIGH |
| 5 | Deny-pattern bypass — splitChainedCommands doesn't handle $(...), backtick substitution, eval, subshells, or variable expansion | MEDIUM |
| 6 | Fail-open security model — server-side security checks catch-and-continue on error, allowing all commands through | MEDIUM |
| 7 | Self-heal code modifies ~/.claude/settings.json — the hooks/start scripts rewrite global Claude settings and plugin registry files | MEDIUM |
| 8 | Auto-install without lockfile — start.mjs uses npm install --no-package-lock for runtime deps | MEDIUM |
| 9 | Elastic License 2.0 — not OSI-approved open source; prohibits offering as a managed/hosted service — needs legal review for Cyrus's SaaS model | MEDIUM |
| 10 | Committed bundle file — server.bundle.mjs is minified; could contain code not in readable source | LOW |
Critical Concern: Credential Exfiltration Path

A prompt injection attack could instruct Claude to:

- Use `context-mode:execute` with Python/JS code that reads environment variables
- POST credentials to an attacker-controlled URL
- No defense layer prevents this — the deny-pattern firewall doesn't catch data exfiltration via code

Recommendations Before Merging

- Do not use `npx -y` — pin version, use local install
- Fork and strip the self-heal/self-update code (hooks, `start.mjs` self-heal, CLI upgrade)
- Remove credential passthrough from `#buildSafeEnv()` or make it an explicit opt-in allowlist
- Add path containment — validate resolved paths are within project root
- Legal review of Elastic License 2.0 compatibility with Cyrus's business model
- Verify the committed bundle matches source by rebuilding
Verdict
Not recommended to merge as-is. The feature concept (context window optimization via MCP) is valuable, but the external dependency carries significant security risk — especially the credential passthrough and unsandboxed code execution. The npx -y ... latest pattern compounds this by making every session vulnerable to supply chain attacks.
Recommended path: fork the repo, harden it (strip self-heal, restrict env passthrough, add path containment), pin the version, and integrate the hardened fork.
Summary

- contextModeLevel control (full/light/disabled) so each subroutine gets appropriate context optimization

Sub-Issues

Key Changes

- packages/edge-worker/src/EdgeWorker.ts — buildMcpConfig() extended with context-mode MCP server (Claude-only, enabled by default); PreToolUse + SessionStart hooks; per-subroutine wiring; metrics logging
- packages/core/src/config-schemas.ts — contextMode: { enabled?: boolean } field on RepositoryConfig
- packages/edge-worker/src/procedures/types.ts — contextModeLevel?: "full" | "light" | "disabled" on SubroutineDefinition
- packages/edge-worker/src/procedures/registry.ts — git-commit/gh-pr set to "light", changelog-update set to "disabled"
- packages/claude-runner/src/index.ts — PreToolUseHookInput type re-exported
- packages/edge-worker/package.json — context-mode npm dependency added

Test plan

- pnpm typecheck passes across all packages
- pnpm test:packages:run — 537/537 edge-worker tests pass (verified at each phase)
- contextMode: { enabled: false }

🤖 Generated with Claude Code