fix: v0.45.1 — refuse multi-repo workspace parent (cross-project index bleed)

.claude-plugin/marketplace.json

@@ -6,14 +6,14 @@
   },
   "metadata": {
     "description": "Token Pilot — save 60-90% tokens when AI reads code",
-    "version": "0.45.0"
+    "version": "0.45.1"
   },
   "plugins": [
     {
       "name": "token-pilot",
       "source": "./",
       "description": "Reduces token consumption by 60-90% via AST-aware lazy file reading, structural symbol navigation, and cross-session tool-usage analytics. 23 MCP tools + 25 subagents + budget watchdog hooks.",
-      "version": "0.45.0",
+      "version": "0.45.1",
       "author": {
         "name": "Digital-Threads"
       },

.claude-plugin/plugin.json

@@ -1,6 +1,6 @@
 {
   "name": "token-pilot",
-  "version": "0.45.0",
+  "version": "0.45.1",
   "description": "Saves 60-90% tokens on AI code reading. AST-aware lazy reads, symbol navigation, find_usages, structural git diff/log, edit-safety guard, Task-routing matcher, cross-session telemetry (errors + diagnostics), 25 tp-* subagents tiered to haiku/sonnet/opus with budget watchdog.",
   "author": {
     "name": "Digital-Threads",

CHANGELOG.md

@@ -5,7 +5,28 @@ All notable changes to Token Pilot will be documented in this file.
 The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.1.0/),
 and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
 
-## [0.45.0] - 2026-06-11
+## [0.45.1] - 2026-06-11
+
+### Fixed — refuse a multi-repo workspace parent (cross-project index bleed)
+
+`start.sh` always passes an explicit project root (`${CLAUDE_PROJECT_DIR:-$USER_CWD}`)
+to the server, so `startServer`'s git-root **narrowing only runs in the
+`!explicitRoot` branch — which is never taken**. When the session is launched
+from a non-git workspace parent that nests several project repos (e.g.
+`/work/loom` holding `token-pilot`, `loom-host`, `aimux`, …), the raw parent was
+used verbatim and ast-index indexed **every** sibling into one index. Symbol
+lookups then bled across projects — `find_usages` / `read_symbol` returning
+matches from the wrong repo, or `symbol not found`. `isDangerousRoot` only
+caught system/home dirs, so the parent slipped through.
+
+New guard `isMultiRepoParent(root)` (in `core/validation.ts`) detects a non-git
+directory with ≥2 immediate child git repos. When the resolved root matches,
+ast-index is disabled (`skipAstIndex`) and a warning tells the user to set
+`CLAUDE_PROJECT_DIR` to the specific project — fail safe instead of bleeding.
+Wired into `startServer` and the `server.ts` MCP-roots auto-detect. Single-repo
+roots, monorepos, and roots that are themselves a git repo are unaffected.
+
+
 
 ### Changed — default tool profile is now `full` (adoption fix)
 

agents/tp-api-surface-tracker.md

@@ -9,7 +9,7 @@ tools:
   - mcp__token-pilot__read_symbol
   - Bash
 model: haiku
-token_pilot_version: "0.45.0"
+token_pilot_version: "0.45.1"
 token_pilot_body_hash: dd184501203fa7f3c73f419c4ffbe33c4be75400cb64a7a51733a3fe23f6e085
 requiredMcpServers:
   - "token-pilot"

agents/tp-audit-scanner.md

@@ -11,7 +11,7 @@ tools:
   - Grep
   - Read
 model: sonnet
-token_pilot_version: "0.45.0"
+token_pilot_version: "0.45.1"
 token_pilot_body_hash: d172f600bf32277ea6eb4cbbee4542ddd698a986dcd96997d33930561964569b
 requiredMcpServers:
   - "token-pilot"

agents/tp-commit-writer.md

@@ -8,7 +8,7 @@ tools:
   - mcp__token-pilot__test_summary
   - mcp__token-pilot__outline
   - Bash
-token_pilot_version: "0.45.0"
+token_pilot_version: "0.45.1"
 token_pilot_body_hash: de64a406b5176de19f7422619c7de7949b1f28865f225402c9cea9255f377428
 requiredMcpServers:
   - "token-pilot"

agents/tp-context-engineer.md

@@ -13,7 +13,7 @@ tools:
   - Edit
   - Glob
 model: sonnet
-token_pilot_version: "0.45.0"
+token_pilot_version: "0.45.1"
 token_pilot_body_hash: 68b32af2dacd82ebe52c4eec93edb903d452688274c3065218270627c564d8b0
 requiredMcpServers:
   - "token-pilot"

agents/tp-dead-code-finder.md

@@ -11,7 +11,7 @@ tools:
   - Grep
   - Read
 model: sonnet
-token_pilot_version: "0.45.0"
+token_pilot_version: "0.45.1"
 token_pilot_body_hash: d9b7f5b7ae6f4ae21305c775361bcab097cc774370a6d976c093571d46d55021
 requiredMcpServers:
   - "token-pilot"

agents/tp-debugger.md

@@ -12,7 +12,7 @@ tools:
   - Read
   - Bash
 model: sonnet
-token_pilot_version: "0.45.0"
+token_pilot_version: "0.45.1"
 token_pilot_body_hash: 052413de8d92377edcde6ae5c823f5378db304baccfa29e8866467f42553a500
 requiredMcpServers:
   - "token-pilot"

agents/tp-dep-health.md

@@ -9,7 +9,7 @@ tools:
   - Bash
   - Read
 model: haiku
-token_pilot_version: "0.45.0"
+token_pilot_version: "0.45.1"
 token_pilot_body_hash: e14dc57493d816f8c2e017963e2ef5f66bea50fd0b805a80e8a0d97c968427e7
 requiredMcpServers:
   - "token-pilot"

agents/tp-doc-writer.md

@@ -13,7 +13,7 @@ tools:
   - Edit
   - Glob
 model: haiku
-token_pilot_version: "0.45.0"
+token_pilot_version: "0.45.1"
 token_pilot_body_hash: 57d741794ab40e31a7ac49c68ea39a9088f5827cdef866ce81bfca1b7c9180cf
 requiredMcpServers:
   - "token-pilot"

agents/tp-history-explorer.md

@@ -10,7 +10,7 @@ tools:
   - Bash
   - Read
 model: haiku
-token_pilot_version: "0.45.0"
+token_pilot_version: "0.45.1"
 token_pilot_body_hash: 7b70fa76a60e3c58a1de4f56c32c0f166424137e203a0cf1c8654e7c9235d904
 requiredMcpServers:
   - "token-pilot"

agents/tp-impact-analyzer.md

@@ -12,7 +12,7 @@ tools:
   - mcp__token-pilot__read_symbols
   - Read
 model: sonnet
-token_pilot_version: "0.45.0"
+token_pilot_version: "0.45.1"
 token_pilot_body_hash: 351a987e11eba63852f5431a16d8eb53104f4f689f82fdcc5a2bf4db948ba92f
 requiredMcpServers:
   - "token-pilot"

agents/tp-incident-timeline.md

@@ -8,7 +8,7 @@ tools:
   - mcp__token-pilot__read_symbol
   - Bash
 model: inherit
-token_pilot_version: "0.45.0"
+token_pilot_version: "0.45.1"
 token_pilot_body_hash: de5722bfea374eaab096c1ae635c37879e7a91370ee3cd0532f4240be03c91eb
 requiredMcpServers:
   - "token-pilot"

agents/tp-incremental-builder.md

@@ -13,7 +13,7 @@ tools:
   - Edit
   - Bash
 model: sonnet
-token_pilot_version: "0.45.0"
+token_pilot_version: "0.45.1"
 token_pilot_body_hash: 375a824d0d847bb5453ec594c7a62ad566ee7e4d92717b0473f771f1a0477c60
 requiredMcpServers:
   - "token-pilot"

agents/tp-migration-scout.md

@@ -11,7 +11,7 @@ tools:
   - Grep
   - Glob
 model: sonnet
-token_pilot_version: "0.45.0"
+token_pilot_version: "0.45.1"
 token_pilot_body_hash: 0334de1bf99b431b65359637d125cda7c44c6f780eb92c57cc538715b1939536
 requiredMcpServers:
   - "token-pilot"

agents/tp-onboard.md

@@ -10,7 +10,7 @@ tools:
   - mcp__token-pilot__smart_read
   - mcp__token-pilot__smart_read_many
   - mcp__token-pilot__read_section
-token_pilot_version: "0.45.0"
+token_pilot_version: "0.45.1"
 token_pilot_body_hash: 832e95633fbc8e9b0c10f3e540a327d4be062fb4b3f17a6cce6be13f414e2927
 requiredMcpServers:
   - "token-pilot"

agents/tp-performance-profiler.md

@@ -11,7 +11,7 @@ tools:
   - Bash
   - Read
 model: sonnet
-token_pilot_version: "0.45.0"
+token_pilot_version: "0.45.1"
 token_pilot_body_hash: b61f06380d80798fa2e49d37bcba0653495bee04dd6bdbc1feff9a75607b0508
 requiredMcpServers:
   - "token-pilot"

agents/tp-pr-reviewer.md

@@ -11,7 +11,7 @@ tools:
   - mcp__token-pilot__read_for_edit
   - Read
 model: sonnet
-token_pilot_version: "0.45.0"
+token_pilot_version: "0.45.1"
 token_pilot_body_hash: f83f50d05b4f70285ae7afed2b1a406fc436df56e61a0aedbfb31edc7f2b6e66
 requiredMcpServers:
   - "token-pilot"

agents/tp-refactor-planner.md

@@ -8,7 +8,7 @@ tools:
   - mcp__token-pilot__outline
   - mcp__token-pilot__read_symbol
 model: sonnet
-token_pilot_version: "0.45.0"
+token_pilot_version: "0.45.1"
 token_pilot_body_hash: c5f6fc122c89e16e5cf774045f92169ee3468555320b898171ba13eca5323550
 requiredMcpServers:
   - "token-pilot"

agents/tp-review-impact.md

@@ -9,7 +9,7 @@ tools:
   - mcp__token-pilot__module_info
   - Bash
 model: sonnet
-token_pilot_version: "0.45.0"
+token_pilot_version: "0.45.1"
 token_pilot_body_hash: 8ef3c3341cbfed4eb8dd130126a9683edc57e378c92ff0ca764d584fd941c55c
 requiredMcpServers:
   - "token-pilot"

agents/tp-run.md

@@ -16,7 +16,7 @@ tools:
   - Glob
   - Bash
 model: haiku
-token_pilot_version: "0.45.0"
+token_pilot_version: "0.45.1"
 token_pilot_body_hash: 2b08618d34a61f00aafccbda9fed6d83243296dedb83440edbd2d5c28bb6dbc4
 requiredMcpServers:
   - "token-pilot"

agents/tp-session-restorer.md

@@ -9,7 +9,7 @@ tools:
   - mcp__token-pilot__session_budget
   - Bash
   - Read
-token_pilot_version: "0.45.0"
+token_pilot_version: "0.45.1"
 token_pilot_body_hash: 529374ed728f5eed5b758b3be3da65624783c0bf0c1a253d7d661a843eb5f767
 requiredMcpServers:
   - "token-pilot"

agents/tp-ship-coordinator.md

@@ -11,7 +11,7 @@ tools:
   - Read
   - Grep
 model: sonnet
-token_pilot_version: "0.45.0"
+token_pilot_version: "0.45.1"
 token_pilot_body_hash: a60f6ae110eb3138064bce074e8ba26fa0ce5f4659df1624a9d9d3646803391b
 requiredMcpServers:
   - "token-pilot"

agents/tp-spec-writer.md

@@ -9,7 +9,7 @@ tools:
   - Read
   - Write
 model: sonnet
-token_pilot_version: "0.45.0"
+token_pilot_version: "0.45.1"
 token_pilot_body_hash: c7a4e8b39228fd5158528f389c924c5ff2d98c4b9b05ee0106d54a26c5dc1350
 requiredMcpServers:
   - "token-pilot"

agents/tp-test-coverage-gapper.md

@@ -10,7 +10,7 @@ tools:
   - mcp__token-pilot__test_summary
   - Glob
   - Grep
-token_pilot_version: "0.45.0"
+token_pilot_version: "0.45.1"
 token_pilot_body_hash: be81eed53a3720d146cf89e4a14a7a56577633f7c84c234c412ab70d64c05b11
 requiredMcpServers:
   - "token-pilot"

agents/tp-test-triage.md

@@ -8,7 +8,7 @@ tools:
   - mcp__token-pilot__find_usages
   - mcp__token-pilot__read_symbol
 model: sonnet
-token_pilot_version: "0.45.0"
+token_pilot_version: "0.45.1"
 token_pilot_body_hash: 362ecf4cb03b059421ea26933473700900073dc38b3a7fe271208dfb1ae14f90
 requiredMcpServers:
   - "token-pilot"

agents/tp-test-writer.md

@@ -13,7 +13,7 @@ tools:
   - Edit
   - Bash
 model: sonnet
-token_pilot_version: "0.45.0"
+token_pilot_version: "0.45.1"
 token_pilot_body_hash: 269f2fe22ff4517c277d3f56ca67d8a5527b93290ab21079a83ba7af22c1b5a9
 requiredMcpServers:
   - "token-pilot"

package.json

@@ -1,6 +1,6 @@
 {
   "name": "token-pilot",
-  "version": "0.45.0",
+  "version": "0.45.1",
   "description": "Save up to 80% tokens when AI reads code — MCP server for token-efficient code navigation, AST-aware structural reading instead of dumping full files into context window",
   "type": "module",
   "main": "dist/index.js",

src/core/validation.ts

@@ -1,4 +1,5 @@
 import { resolve, relative } from "node:path";
+import { existsSync, readdirSync } from "node:fs";
 
 /**
  * v0.33.0 (B9) — coerce an `unknown` argument value to an integer.
@@ -851,3 +852,40 @@ export function isDangerousRoot(root: string): boolean {
   if (/^[A-Z]:\\(?:Users)?$/i.test(normalized)) return true;
   return false;
 }
+
+/**
+ * Detect a non-git workspace parent that nests multiple sibling git
+ * repos. Handing such a directory to ast-index would index every
+ * sibling into one index, bleeding symbols across unrelated projects
+ * (find_usages / read_symbol returning matches from the wrong repo).
+ *
+ * Returns true only when BOTH hold:
+ *   - `root` itself is NOT a git repo (no `.git` entry), AND
+ *   - `root` has >= 2 immediate child directories that each contain a
+ *     `.git` entry — a directory for a normal repo, a file for a
+ *     submodule / worktree.
+ *
+ * Fail-open: a missing path, an unreadable directory, a single child
+ * repo, or a root that is itself a repo all return false, so legitimate
+ * single-project and monorepo layouts are never disabled.
+ */
+export function isMultiRepoParent(root: string): boolean {
+  if (!root) return false;
+  let entries;
+  try {
+    // A root that is itself a git repo is a single project — vendored
+    // repos or submodules underneath are intentional, not a parent.
+    if (existsSync(resolve(root, ".git"))) return false;
+    entries = readdirSync(root, { withFileTypes: true });
+  } catch {
+    return false;
+  }
+  let repoChildren = 0;
+  for (const entry of entries) {
+    if (!entry.isDirectory()) continue;
+    if (existsSync(resolve(root, entry.name, ".git"))) {
+      if (++repoChildren >= 2) return true;
+    }
+  }
+  return false;
+}

src/index.ts

@@ -53,7 +53,7 @@ import {
   isNewerVersion,
 } from "./ast-index/binary-manager.js";
 import { loadConfig } from "./config/loader.js";
-import { isDangerousRoot } from "./core/validation.js";
+import { isDangerousRoot, isMultiRepoParent } from "./core/validation.js";
 import type { HookMode } from "./types.js";
 import { runSummaryPipeline } from "./hooks/summary-pipeline.js";
 import { formatDenyMessage } from "./hooks/format-deny-message.js";
@@ -775,6 +775,22 @@ export async function startServer(cliArgs: string[] = process.argv.slice(2)) {
     );
   }
 
+  // Guard: refuse a non-git workspace parent that nests multiple sibling
+  // git repos. start.sh always passes an explicit root, so the git-detect
+  // narrowing above is skipped; without this guard a parent like
+  // `/work/loom` (holding several project repos) would be indexed whole,
+  // bleeding symbols across unrelated projects.
+  const multiRepoParent =
+    !isDangerousRoot(projectRoot) && isMultiRepoParent(projectRoot);
+  if (multiRepoParent) {
+    console.error(
+      `[token-pilot] WARNING: project root "${projectRoot}" contains multiple git repos.\n` +
+        `  ast-index will be disabled to avoid cross-project index bleed.\n` +
+        `  Fix: set CLAUDE_PROJECT_DIR to the specific project, or\n` +
+        `  configure mcpServers with "args": ["/path/to/project"].`,
+    );
+  }
+
   // Non-blocking update check for all components (logs to stderr, never blocks startup)
   const config = await loadConfig(projectRoot);
   const binaryStatus = await findBinary(config.astIndex.binaryPath);
@@ -831,7 +847,7 @@ export async function startServer(cliArgs: string[] = process.argv.slice(2)) {
     });
 
   const server = await createServer(projectRoot, {
-    skipAstIndex: isDangerousRoot(projectRoot),
+    skipAstIndex: isDangerousRoot(projectRoot) || multiRepoParent,
     enforcementMode: parseEnforcementMode(process.env.TOKEN_PILOT_MODE),
   });
   const transport = new StdioServerTransport();