MCP Plugin · Context Window Protection

ctx-mode

Raw tool output floods your context window.
context-mode keeps it in the sandbox — so your agent stays sharp.

without context-mode — context flooded (92%) with
200k token context window 28% used — focused & coherent
The Problem

Your context window is
not a log file.

agent-session — without context-mode
📢
Tool Output Floods
A single git log or ls -la dumps hundreds of lines directly into context. Multiply that by dozens of tool calls per session.
🌧
Reasoning Degrades
As tokens fill up, the model loses earlier instructions, forgets the task, and makes compounding mistakes. Long sessions collapse.
💸
Cost Explodes
Every context token is billed on every request. Raw output inflates costs exponentially across long agentic workflows.
How It Works

The Filter Pipeline.

🌞
Input — Chaos
batch_execute(commands, queries)
Agent issues commands and semantic questions in one call. Raw stdout never touches the context window — it goes directly to the isolated sandbox.
batch_execute(commands=["git log","ls -la"], queries=["recent changes"])
Stage 1 — Sandbox Execution
Rust Executor & Process Isolation
Commands run inside a hardened Rust executor with process group ownership, timeout guards, and path restrictions. Stdout is captured in-memory — not in your context.
// 163,840 bytes captured in sandbox, 0 bytes in context
📊
Stage 2 — FTS5 Indexing
SQLite Full-Text Search Index
All output is chunked and fed into an in-process SQLite FTS5 index. Millions of lines can be indexed in milliseconds and queried with natural language.
INSERT INTO fts(content, source) VALUES (stdout_chunk, cmd_name)
🔍
Stage 3 — Semantic Query
BM25-Ranked Fragment Retrieval
The agent's queries run against the index. Only top-ranked, relevant snippets are returned — not raw dumps. Signal without noise.
SELECT snippet(fts,...) WHERE fts MATCH ? ORDER BY rank LIMIT 5
Output — Clean
Focused Context Fragments
The agent receives only what it asked for. Context stays tight. The model stays focused. Costs drop. Long sessions remain coherent.
// 3 relevant fragments returned — not 4,000 lines
Without context-mode — context window
With context-mode — context window
Built with Claude

Five sessions.
One tool that watches itself.

01 — Architecture Debate
Where does the index live?
Claude pushed back on a shared daemon approach. "In-process SQLite is simpler, faster, and no socket race conditions." It was right. FTS5 in-process turned out to be the correct call from the start.
architecture
02 — The Rust Executor
Why Rust for a shell wrapper?
Claude made the case: process group ownership, cross-platform timeout signals, and no GIL blocking IO. The Rust executor became the hardened core of the whole system.
rust
03 — Security Review
Four blockers before ship
Claude ran a mid-build security audit and surfaced B1-B4: path traversal in multi-file mode, missing process-group kill on timeout, unvalidated MIME types, missing input sanitisation. All resolved.
security
04 — Edge Cases
String coercion nobody thought of
batch_execute accepted arrays for commands and queries — but Claude callers kept passing strings. Claude wrote the coercion layer and the regression tests that now prevent it from ever regressing.
testing
05 — The Recursive Loop
CLAUDE.md told Claude to use context-mode to build context-mode
Halfway through development, CLAUDE.md was updated to mandate context-mode for all commands. Claude was now using the tool it was building, to build it — live, in production, on every commit.
meta
“The CLAUDE.md said: use context-mode for all commands.
We were building context-mode.
Claude was now using the tool it was building —
to build the tool it was using.

This is not a metaphor. This is the git log.
commit 28f9c54 — fix(batch_execute): coerce string inputs — built using batch_execute