fix: audit fixes — heuristic dedup, config paths, message atomicity, toggle defaults, memory counts, session cleanup

Author: ualtinok

packages/dashboard/src-tauri/src/config.rs

@@ -9,8 +9,22 @@ pub fn resolve_user_config_path() -> PathBuf {
     config_dir.join("opencode").join("magic-context.jsonc")
 }
 
+/// Resolve the active magic-context config path for a project.
+/// Checks root first, then `.opencode/` alt path. Returns the first that exists,
+/// or root path as default for new config creation.
 pub fn resolve_project_config_path(project_path: &str) -> PathBuf {
-    PathBuf::from(project_path).join("magic-context.jsonc")
+    let root_config = PathBuf::from(project_path).join("magic-context.jsonc");
+    if root_config.exists() {
+        return root_config;
+    }
+    let alt_config = PathBuf::from(project_path)
+        .join(".opencode")
+        .join("magic-context.jsonc");
+    if alt_config.exists() {
+        return alt_config;
+    }
+    // Default to root path for new configs
+    root_config
 }
 
 #[derive(Debug, Serialize, Deserialize, Clone)]

packages/dashboard/src-tauri/src/db.rs

@@ -70,6 +70,7 @@ pub fn open_readwrite(path: &PathBuf) -> Result<Connection, rusqlite::Error> {
     let conn = Connection::open(path)?;
     conn.pragma_update(None, "journal_mode", "WAL")?;
     conn.pragma_update(None, "busy_timeout", 5000)?;
+    conn.pragma_update(None, "foreign_keys", "ON")?;
     Ok(conn)
 }
 

packages/dashboard/src/components/ConfigEditor/ConfigEditor.tsx

@@ -622,11 +622,11 @@ function ConfigForm(props: {
                   <label class="toggle-switch">
                     <input
                       type="checkbox"
-                      checked={getNestedValue(formData(), "dreamer.enabled") as boolean ?? true}
+                      checked={getNestedValue(formData(), "dreamer.enabled") as boolean ?? false}
                       onChange={(e) => handleFieldChange("dreamer.enabled", e.currentTarget.checked)}
                     />
                     <span class="toggle-slider" />
-                    <span class="toggle-label">{(getNestedValue(formData(), "dreamer.enabled") as boolean ?? true) ? "Enabled" : "Disabled"}</span>
+                    <span class="toggle-label">{(getNestedValue(formData(), "dreamer.enabled") as boolean ?? false) ? "Enabled" : "Disabled"}</span>
                   </label>
                 </div>
 
@@ -652,11 +652,11 @@ function ConfigForm(props: {
                   <label class="toggle-switch">
                     <input
                       type="checkbox"
-                      checked={getNestedValue(formData(), "dreamer.inject_docs") as boolean ?? true}
+                      checked={getNestedValue(formData(), "dreamer.inject_docs") as boolean ?? false}
                       onChange={(e) => handleFieldChange("dreamer.inject_docs", e.currentTarget.checked)}
                     />
                     <span class="toggle-slider" />
-                    <span class="toggle-label">{(getNestedValue(formData(), "dreamer.inject_docs") as boolean ?? true) ? "Enabled" : "Disabled"}</span>
+                    <span class="toggle-label">{(getNestedValue(formData(), "dreamer.inject_docs") as boolean ?? false) ? "Enabled" : "Disabled"}</span>
                   </label>
                 </div>
               </div>
@@ -739,11 +739,11 @@ function ConfigForm(props: {
                 <label class="toggle-switch">
                   <input
                     type="checkbox"
-                    checked={getNestedValue(formData(), "sidekick.enabled") as boolean ?? true}
+                    checked={getNestedValue(formData(), "sidekick.enabled") as boolean ?? false}
                     onChange={(e) => handleFieldChange("sidekick.enabled", e.currentTarget.checked)}
                   />
                   <span class="toggle-slider" />
-                  <span class="toggle-label">{(getNestedValue(formData(), "sidekick.enabled") as boolean ?? true) ? "Enabled" : "Disabled"}</span>
+                  <span class="toggle-label">{(getNestedValue(formData(), "sidekick.enabled") as boolean ?? false) ? "Enabled" : "Disabled"}</span>
                 </label>
               </div>
 

packages/plugin/src/features/magic-context/memory/storage-memory.ts

@@ -619,19 +619,18 @@ export function getMemoryCountsByStatus(db: Database, projectPath: string): Memo
     for (const row of rows) {
         counts.ids.push(row.id);
 
-        if (row.status === "active") {
+        // Count merged memories separately — they should not also count as archived
+        if (typeof row.superseded_by_memory_id === "number") {
+            counts.merged += 1;
+            counts.mergedIds.push(row.id);
+        } else if (row.status === "active") {
             counts.active += 1;
         } else if (row.status === "permanent") {
             counts.permanent += 1;
         } else {
             counts.archived += 1;
             counts.archivedIds.push(row.id);
         }
-
-        if (typeof row.superseded_by_memory_id === "number") {
-            counts.merged += 1;
-            counts.mergedIds.push(row.id);
-        }
     }
 
     counts.ids.sort((left, right) => left - right);

packages/plugin/src/features/magic-context/plugin-messages.ts

@@ -21,7 +21,7 @@ import type { Database } from "bun:sqlite";
 
 export type MessageDirection = "server_to_tui" | "tui_to_server";
 
-export type MessageType = "toast" | "dialog_confirm" | "dialog_result" | "state_update";
+export type MessageType = "toast" | "dialog_confirm" | "dialog_result" | "state_update" | "action";
 
 export interface PluginMessage {
     id: number;
@@ -136,17 +136,23 @@ export function consumeMessages(
     }
 
     const query = `SELECT * FROM plugin_messages WHERE ${conditions.join(" AND ")} ORDER BY created_at ASC`;
-    const rows = db.prepare(query).all(...params);
-    const messages = rows.filter(isPluginMessageRow).map(toPluginMessage);
-
-    if (messages.length > 0) {
-        const ids = messages.map((m) => m.id);
-        db.prepare(
-            `UPDATE plugin_messages SET consumed_at = ? WHERE id IN (${ids.map(() => "?").join(",")})`,
-        ).run(now, ...ids);
-    }
 
-    // Periodic cleanup of old messages
+    // Atomic read+mark: transaction prevents TUI and server from consuming the same messages
+    const messages = db.transaction(() => {
+        const rows = db.prepare(query).all(...params);
+        const result = rows.filter(isPluginMessageRow).map(toPluginMessage);
+
+        if (result.length > 0) {
+            const ids = result.map((m) => m.id);
+            db.prepare(
+                `UPDATE plugin_messages SET consumed_at = ? WHERE id IN (${ids.map(() => "?").join(",")})`,
+            ).run(now, ...ids);
+        }
+
+        return result;
+    })();
+
+    // Periodic cleanup of old messages (outside transaction — non-critical)
     db.prepare("DELETE FROM plugin_messages WHERE created_at < ?").run(now - CLEANUP_THRESHOLD_MS);
 
     return messages;

packages/plugin/src/features/magic-context/storage-meta-session.ts

@@ -76,6 +76,7 @@ export function clearSession(db: Database, sessionId: string): void {
         db.prepare("DELETE FROM notes WHERE session_id = ? AND type = 'session'").run(sessionId);
         db.prepare("DELETE FROM recomp_compartments WHERE session_id = ?").run(sessionId);
         db.prepare("DELETE FROM recomp_facts WHERE session_id = ?").run(sessionId);
+        db.prepare("DELETE FROM user_memory_candidates WHERE session_id = ?").run(sessionId);
         clearIndexedMessages(db, sessionId);
     })();
 }

packages/plugin/src/features/magic-context/storage-meta.test.ts

@@ -83,7 +83,7 @@ describe("storage-meta", () => {
             //#then
             // 2 transactions: outer clearSession + nested clearIndexedMessages
             expect(db.transaction).toHaveBeenCalledTimes(2);
-            expect(db.prepare).toHaveBeenCalledTimes(12);
+            expect(db.prepare).toHaveBeenCalledTimes(13);
         });
     });
 });

packages/plugin/src/hooks/magic-context/heuristic-cleanup.ts

@@ -150,12 +150,13 @@ export function applyHeuristicCleanup(
 function extractToolInfo(
     part: Record<string, unknown>,
 ): { toolName: string; args: unknown } | null {
-    // OpenCode format: { type: "tool", state: { tool: "name", input: {...} } }
-    if (part.type === "tool" && typeof part.state === "object" && part.state !== null) {
-        const state = part.state as Record<string, unknown>;
-        if (typeof state.tool === "string" && DEDUP_SAFE_TOOLS.has(state.tool)) {
-            return { toolName: state.tool, args: state.input ?? {} };
-        }
+    // OpenCode format: { type: "tool", tool: "name", callID: "...", state: { input: {...}, output: "..." } }
+    if (part.type === "tool" && typeof part.tool === "string" && DEDUP_SAFE_TOOLS.has(part.tool)) {
+        const state =
+            typeof part.state === "object" && part.state !== null
+                ? (part.state as Record<string, unknown>)
+                : {};
+        return { toolName: part.tool, args: state.input ?? {} };
     }
     // Tool-invocation format: { type: "tool-invocation", toolName: "name", args: {...} }
     if (

packages/plugin/src/plugin/tui-action-consumer.ts

@@ -27,7 +27,7 @@ export function startTuiActionConsumer(args: {
     const timer = setInterval(() => {
         try {
             const db = openDatabase();
-            const actions = consumeMessages(db, "tui_to_server", { type: "action" as never });
+            const actions = consumeMessages(db, "tui_to_server", { type: "action" });
 
             for (const msg of actions) {
                 const command = msg.payload.command;

scripts/wait-release.sh

@@ -0,0 +1,44 @@
+#!/usr/bin/env bash
+# Wait for the GitHub Actions release workflow to complete for a given tag.
+# Usage: ./scripts/wait-release.sh v0.6.1
+# Polls every 5 seconds, exits 0 on success, 1 on failure.
+
+set -euo pipefail
+
+TAG="${1:?Usage: wait-release.sh <tag>}"
+REPO="cortexkit/opencode-magic-context"
+INTERVAL=5
+
+echo "⏳ Waiting for release workflow on ${TAG}..."
+
+while true; do
+  # Get the latest run for the release workflow triggered by this tag
+  RUN_JSON=$(gh run list --repo "$REPO" --workflow release.yml --branch "$TAG" --limit 1 --json status,conclusion,databaseId 2>/dev/null || echo "[]")
+
+  STATUS=$(echo "$RUN_JSON" | jq -r '.[0].status // "not_found"')
+  CONCLUSION=$(echo "$RUN_JSON" | jq -r '.[0].conclusion // ""')
+  RUN_ID=$(echo "$RUN_JSON" | jq -r '.[0].databaseId // ""')
+
+  if [ "$STATUS" = "not_found" ]; then
+    printf "\r  Workflow not started yet..."
+    sleep "$INTERVAL"
+    continue
+  fi
+
+  if [ "$STATUS" = "completed" ]; then
+    if [ "$CONCLUSION" = "success" ]; then
+      echo ""
+      echo "✅ Release workflow succeeded (run $RUN_ID)"
+      echo "   https://github.com/$REPO/actions/runs/$RUN_ID"
+      exit 0
+    else
+      echo ""
+      echo "❌ Release workflow failed: conclusion=$CONCLUSION (run $RUN_ID)"
+      echo "   https://github.com/$REPO/actions/runs/$RUN_ID"
+      exit 1
+    fi
+  fi
+
+  printf "\r  Status: %-12s (run $RUN_ID)" "$STATUS"
+  sleep "$INTERVAL"
+done