fix: critical problem in cwd cursor, claude

Author: ivklgn

.archcore/plugin/cwd-guard-for-cursor-and-claude.idea.md

@@ -0,0 +1,97 @@
+---
+title: "Cross-Host CWD Sanity Guard for Cursor and Claude Code MCP"
+status: accepted
+tags:
+  - "cursor"
+  - "claude-code"
+  - "multi-host"
+  - "plugin"
+---
+
+## Idea
+
+Extend the existing Codex cache-cwd guard in `bin/archcore` (Step 0b) with a cross-host sanity check (Step 0c) that refuses to start the archcore MCP server when cwd does not look like a user project root, plus ship a `cursor.mcp.json` template and README guidance so users register the server with `cwd: "${workspaceFolder}"` from the start.
+
+Three cooperating pieces:
+
+1. **`bin/archcore` Step 0c — cross-host sanity guard.** When invoked as `archcore mcp` and the bypass env vars are unset, refuse if cwd is `/`, `$HOME`, `$CLAUDE_PLUGIN_ROOT`, `$CURSOR_PLUGIN_ROOT`, or a directory without any of these project markers: `.git`, `.archcore`, `package.json`, `go.mod`, `pyproject.toml`, `Cargo.toml`, `pom.xml`, `build.gradle`, `build.gradle.kts`. The refusal prints per-host fix instructions (Cursor: add `cwd: "${workspaceFolder}"`; Claude: launch from project dir; Codex: install shell wrapper). $HOME and the plugin-root env vars are compared via `cd "$VAR" && pwd -P` so symlinked install dirs match too.
+
+2. **`cursor.mcp.json` template at the plugin root.** Cursor plugin manifests do not register MCP servers — users configure them in `~/.cursor/mcp.json` or `.cursor/mcp.json`. We ship a canonical snippet with `cwd: "${workspaceFolder}"` *and* `env.ARCHCORE_CWD: "${workspaceFolder}"` (belt-and-braces; the launcher honors `ARCHCORE_CWD` in Step 0 even on hosts that ignore `cwd`).
+
+3. **`bin/archcore` stderr diagnostic.** On every `archcore mcp` start, one line on stderr: `[archcore mcp] cwd=<X> archcore_dir=<X>/.archcore (exists|missing)`. Surfaces in Cursor's MCP server panel and Claude Code's `/mcp` output, so users can verify which project the server actually attached to.
+
+## Value
+
+**Before.** A single global `~/.cursor/mcp.json` entry without `cwd` made archcore stick to whichever workspace Cursor opened first, leaking that project's `.archcore/` into every other project the user opened later. Diagnosis time: hours — the MCP responded successfully with plausible-looking but wrong documents. Same failure class hit Claude Code in multi-repo workspaces and when launched not from a project root.
+
+**After.** Wrong cwd is converted from a silent successful read of the wrong project into a loud refusal with a per-host one-line fix. The diagnostic line on every start gives users a positive confirmation of which project the server is attached to. The template snippet makes the correct setup the obvious copy-paste.
+
+## Possible Implementation
+
+Shipped:
+
+- `bin/archcore`:
+  - Resolves `ARCHCORE_ALLOW_ANY_CWD` (canonical) with `ARCHCORE_ALLOW_PLUGIN_CWD` (back-compat alias) into `_archcore_allow_any_cwd`. Both Step 0b and Step 0c honor it.
+  - **Step 0c**: cross-host sanity guard with five refuse conditions (filesystem root, `$HOME`, `$CLAUDE_PLUGIN_ROOT`, `$CURSOR_PLUGIN_ROOT`, no project markers). Refusal message lists the per-host fix and the escape hatch. Step 0b (cache-cwd refusal) remains the first line of defense for Codex and prints the wrapper recipe inline.
+  - **Diagnostic**: one stderr line per `archcore mcp` start with the resolved cwd and `.archcore/` presence.
+- `cursor.mcp.json` at the plugin root: snippet that users copy into their `.cursor/mcp.json` (or `~/.cursor/mcp.json` if pinning with `cwd: "${workspaceFolder}"`).
+- `README.md`: new "Cursor: project-scoped MCP setup" block under the Cursor install steps with the snippet, the rationale, and a pointer to the refusal log line.
+- `Makefile`: `cursor.mcp.json` added to `JSON_FILES` so `make check-json` validates it.
+- `test/unit/launcher.bats`: new cases for Step 0c (HOME refuse, plugin-root refuse, no-marker refuse, `.git`-marker pass, `.archcore`-marker pass, `package.json`-marker pass, `ARCHCORE_CWD`-rebase pass, `ARCHCORE_ALLOW_ANY_CWD` bypass, legacy `ARCHCORE_ALLOW_PLUGIN_CWD` alias still works, diagnostic-log presence/absence). Existing cases adapted by adding `.git` to fake plugin install / user project fixtures and `2>/dev/null` to assertions that pin exact stdout.
+- `test/structure/cursor-plugin.bats` (new): pins the `cursor.mcp.json` contract — `cwd: "${workspaceFolder}"` and `env.ARCHCORE_CWD: "${workspaceFolder}"` must both be present; `command` must invoke `archcore` with `args[0] == "mcp"`; README must reference the template.
+
+## Risks and Constraints
+
+- **False positives on minimal projects.** A user opening a brand-new directory before `git init` (no project markers yet) hits the guard. Mitigation: error message includes the escape hatch (`ARCHCORE_ALLOW_ANY_CWD=1`) and lists the markers; the common workflow is `git init` before invoking archcore anyway.
+- **Resolved-symlink comparison.** `$HOME`, `$CLAUDE_PLUGIN_ROOT`, `$CURSOR_PLUGIN_ROOT` are all compared via `cd "$VAR" 2>/dev/null && pwd -P` so symlinked install dirs match too. If the env var points at a non-existent path, the check silently skips (no false refusal). Important on macOS where `$HOME=/Users/<u>` but `pwd -P` on `cd $HOME` yields the same — and on Linux distros where `/home/<u>` is symlinked.
+- **Stderr noise from the diagnostic.** One line per MCP start. Cursor's MCP server panel and Claude Code's `/mcp` show stderr — that is exactly where users want this. Not visible to chat output.
+- **Cross-host neutrality.** Step 0c has no host detection — it refuses based on cwd alone. The fix instructions cover all three hosts. Codex was already protected by Step 0b; Step 0c piggybacks safely (escape hatch + Codex-specific cwd marker `*/plugins/cache/*` already handled in 0b first).
+- **`cursor.mcp.json` is a template, not an auto-installed file.** Cursor does not pick it up from the plugin root. Users copy the snippet into their own config. Auto-install would require a host hook (Cursor `sessionStart`) and risk overwriting user configs — rejected for now.
+
+## Verification
+
+A/B reproducer against the launcher (no MCP host required). **Important:** isolate `CLAUDE_PLUGIN_DATA` / `XDG_DATA_HOME` to a scratch dir — otherwise the launcher exec's any locally cached real CLI binary and you end up testing the live server instead of the launcher.
+
+```sh
+PLUGIN=/path/to/plugin
+TMP=$(mktemp -d)
+PETPROJECT="$TMP/pet"
+SCRATCH_CACHE="$TMP/scratch-cache"
+mkdir -p "$PETPROJECT" "$SCRATCH_CACHE"
+(cd "$PETPROJECT" && git init -q && mkdir .archcore)
+
+# Common env: no archcore on PATH, cache directories pointed at scratch (miss),
+# ARCHCORE_SKIP_DOWNLOAD=1 so we exit at the download step with a "not cached"
+# message instead of fetching from GitHub.
+common_env=(env -i HOME="$HOME" PATH=/usr/bin:/bin USER="$USER" LANG=C TERM=xterm
+            CLAUDE_PLUGIN_DATA="$SCRATCH_CACHE" XDG_DATA_HOME="$SCRATCH_CACHE"
+            ARCHCORE_SKIP_DOWNLOAD=1)
+
+# 1) BAD cwd ($HOME) -> guard refuses
+(cd "$HOME" && "${common_env[@]}" "$PLUGIN/bin/archcore" mcp 2>&1) \
+  | grep -q "Refusing to start MCP"
+
+# 2) BAD cwd (plain tmpdir, no markers) -> "no project markers"
+(cd "$TMP" && "${common_env[@]}" "$PLUGIN/bin/archcore" mcp 2>&1) \
+  | grep -q "no project markers"
+
+# 3) GOOD cwd (has .git + .archcore) -> guard passes, hits cache miss
+(cd "$PETPROJECT" && "${common_env[@]}" "$PLUGIN/bin/archcore" mcp 2>&1) \
+  | grep -q "not cached"
+
+# 4) ARCHCORE_ALLOW_ANY_CWD=1 lets a bad cwd through
+(cd "$HOME" && "${common_env[@]}" ARCHCORE_ALLOW_ANY_CWD=1 "$PLUGIN/bin/archcore" mcp 2>&1) \
+  | grep -q "not cached"
+
+# 5) Back-compat: legacy ARCHCORE_ALLOW_PLUGIN_CWD=1 alias still works
+(cd "$HOME" && "${common_env[@]}" ARCHCORE_ALLOW_PLUGIN_CWD=1 "$PLUGIN/bin/archcore" mcp 2>&1) \
+  | grep -q "not cached"
+
+# 6) Diagnostic stderr line emitted on every successful mcp start
+(cd "$PETPROJECT" && "${common_env[@]}" "$PLUGIN/bin/archcore" mcp 2>&1) \
+  | grep -qE '\[archcore mcp\] cwd=.*\(exists\)'
+
+rm -rf "$TMP"
+```
+
+Bats coverage: `bats test/unit/launcher.bats test/structure/cursor-plugin.bats` exercises the same matrix in isolation (mock archcore + scratch tmpdirs). 42 tests across the two files, all green.

.claude-plugin/plugin.json

@@ -1,7 +1,7 @@
 {
   "name": "archcore",
   "description": "Make your AI agent code with your project's architecture, rules, and decisions.",
-  "version": "0.3.14",
+  "version": "0.3.15",
   "author": {
     "name": "Archcore"
   },

.codex-plugin/plugin.json

@@ -1,7 +1,7 @@
 {
   "name": "archcore",
   "description": "Make your AI agent code with your project's architecture, rules, and decisions.",
-  "version": "0.3.14",
+  "version": "0.3.15",
   "author": {
     "name": "Archcore"
   },

.cursor-plugin/plugin.json

@@ -2,7 +2,7 @@
   "name": "archcore",
   "displayName": "Archcore",
   "description": "Make your AI agent code with your project's architecture, rules, and decisions.",
-  "version": "0.3.14",
+  "version": "0.3.15",
   "author": {
     "name": "Archcore"
   },

Makefile

@@ -6,7 +6,8 @@ ALL_SCRIPTS := $(BIN_SCRIPTS) $(LIB_SCRIPTS)
 JSON_FILES := .claude-plugin/plugin.json .claude-plugin/marketplace.json \
               .cursor-plugin/plugin.json .cursor-plugin/marketplace.json \
               .codex-plugin/plugin.json .codex.mcp.json .agents/plugins/marketplace.json \
-              hooks/hooks.json hooks/cursor.hooks.json hooks/codex.hooks.json .mcp.json
+              hooks/hooks.json hooks/cursor.hooks.json hooks/codex.hooks.json \
+              .mcp.json cursor.mcp.json
 
 .PHONY: test test-codex-smoke lint check-json check-perms verify all
 

README.md

@@ -32,6 +32,31 @@ claude plugin install archcore@archcore-plugins
 
 Cursor reads the repo's `marketplace.json`, shows the plugin, and installs it.
 
+> **Cursor: project-scoped MCP setup (important)**
+>
+> The Cursor plugin manifest does not register MCP servers (Cursor manages MCP through `~/.cursor/mcp.json` or `.cursor/mcp.json` instead). You configure `archcore` once, in one of those files. **Always pin the working directory** — otherwise a global registration leaks one project's docs into every other project.
+>
+> Use this snippet (also shipped as [`cursor.mcp.json`](./cursor.mcp.json) at the plugin root):
+>
+> ```json
+> {
+>   "mcpServers": {
+>     "archcore": {
+>       "command": "archcore",
+>       "args": ["mcp"],
+>       "cwd": "${workspaceFolder}",
+>       "env": { "ARCHCORE_CWD": "${workspaceFolder}" }
+>     }
+>   }
+> }
+> ```
+>
+> - `cwd: "${workspaceFolder}"` — Cursor expands this to the active project root on every server spawn, so each window's MCP attaches to the right `.archcore/`.
+> - `env.ARCHCORE_CWD` — belt-and-braces. If Cursor or another host ever fails to honor `cwd` (Claude Code's `cwd` field is silently ignored, [#17565](https://github.com/anthropics/claude-code/issues/17565)), the bundled `bin/archcore` launcher `cd`s to `$ARCHCORE_CWD` before exec.
+> - `command: "archcore"` — assumes the CLI is on `PATH` (via `curl install.sh`, `go install`, etc.). To use the launcher bundled with the plugin instead, set `command` to the absolute path of `bin/archcore` inside the installed plugin directory.
+>
+> The launcher refuses to start the MCP server if cwd looks wrong (`$HOME`, `/`, plugin install dir, or a directory with no project markers) and prints actionable instructions on stderr. If you see `[archcore launcher] Refusing to start MCP …` in Cursor's MCP server panel, the `cwd` field is missing or wrong.
+
 **Codex CLI** — requires Codex CLI v0.117.0+ (March 2026 plugin system):
 
 ```bash

bin/archcore

@@ -51,6 +51,15 @@ if [ -n "${ARCHCORE_CWD:-}" ] && [ -d "$ARCHCORE_CWD" ]; then
   cd "$ARCHCORE_CWD" 2>/dev/null || true
 fi
 
+# Resolve the bypass flag once. ARCHCORE_ALLOW_ANY_CWD is the canonical name
+# covering both legacy Codex cache-cwd guard (0b) and the cross-host sanity
+# guard (0c). ARCHCORE_ALLOW_PLUGIN_CWD is kept as a back-compat alias —
+# anyone already setting it for the old guard keeps working.
+_archcore_allow_any_cwd=0
+if [ "${ARCHCORE_ALLOW_ANY_CWD:-0}" = "1" ] || [ "${ARCHCORE_ALLOW_PLUGIN_CWD:-0}" = "1" ]; then
+  _archcore_allow_any_cwd=1
+fi
+
 # --- 0b. Guard: refuse to start MCP from this plugin's install dir ---
 #
 # Without a shell wrapper that sets ARCHCORE_CWD, Codex spawns the MCP child
@@ -69,10 +78,9 @@ fi
 # Step 0 (above) has already cd'd to $ARCHCORE_CWD when set, so reaching
 # here with cache cwd means the wrapper was not installed.
 #
-# Escape hatch: set ARCHCORE_ALLOW_PLUGIN_CWD=1 to bypass (only for plugin
-# maintainers running MCP against the plugin's own docs intentionally).
+# Escape hatch: ARCHCORE_ALLOW_ANY_CWD=1 (or legacy ARCHCORE_ALLOW_PLUGIN_CWD=1).
 if [ "${1:-}" = "mcp" ] \
-   && [ "${ARCHCORE_ALLOW_PLUGIN_CWD:-0}" != "1" ] \
+   && [ "$_archcore_allow_any_cwd" != "1" ] \
    && [ -f .codex-plugin/plugin.json ] \
    && [ -f .codex.mcp.json ] \
    && [ -f bin/archcore ]
@@ -93,6 +101,91 @@ then
   esac
 fi
 
+# --- 0c. Cross-host sanity guard: cwd must look like a user project ---
+#
+# Cursor and Claude Code spawn stdio MCP servers with cwd inherited from the
+# host process. That cwd can be wrong in several real-world ways:
+#   - global ~/.cursor/mcp.json registers archcore without `cwd:
+#     "${workspaceFolder}"` → first workspace folder leaks into every project
+#   - Claude Code's `cwd` field in .mcp.json is silently ignored
+#     (anthropics/claude-code#17565)
+#   - host launched from $HOME or the plugin install dir
+#
+# The archcore CLI uses os.Getwd() to find `.archcore/` (no --root flag, no
+# env override on CLI side). Silent wrong-cwd = silent wrong project — the
+# exact failure mode this guard exists to prevent.
+#
+# Refuse when:
+#   - subcommand is `mcp`
+#   - bypass not set (ARCHCORE_ALLOW_ANY_CWD / ARCHCORE_ALLOW_PLUGIN_CWD)
+#   - cwd matches one of the hard-bad locations, OR has no project marker
+#
+# Project markers checked: .git, .archcore, package.json, go.mod,
+# pyproject.toml, Cargo.toml, pom.xml, build.gradle, build.gradle.kts.
+# Anything else (Makefile, README.md, etc.) is too generic to count.
+if [ "${1:-}" = "mcp" ] && [ "$_archcore_allow_any_cwd" != "1" ]; then
+  _cwd=$(pwd -P)
+  _refuse=0
+  _refuse_reason=""
+
+  if [ "$_cwd" = "/" ]; then
+    _refuse=1; _refuse_reason="cwd is the filesystem root (/)"
+  elif [ -n "${HOME:-}" ] \
+       && [ -d "$HOME" ] \
+       && [ "$_cwd" = "$(cd "$HOME" 2>/dev/null && pwd -P)" ]; then
+    _refuse=1; _refuse_reason="cwd is \$HOME ($HOME) — not a project root"
+  elif [ -n "${CLAUDE_PLUGIN_ROOT:-}" ] \
+       && [ -d "$CLAUDE_PLUGIN_ROOT" ] \
+       && [ "$_cwd" = "$(cd "$CLAUDE_PLUGIN_ROOT" 2>/dev/null && pwd -P)" ]; then
+    _refuse=1; _refuse_reason="cwd is \$CLAUDE_PLUGIN_ROOT — the plugin install dir, not your project"
+  elif [ -n "${CURSOR_PLUGIN_ROOT:-}" ] \
+       && [ -d "$CURSOR_PLUGIN_ROOT" ] \
+       && [ "$_cwd" = "$(cd "$CURSOR_PLUGIN_ROOT" 2>/dev/null && pwd -P)" ]; then
+    _refuse=1; _refuse_reason="cwd is \$CURSOR_PLUGIN_ROOT — the plugin install dir, not your project"
+  elif [ ! -e .git ] \
+       && [ ! -d .archcore ] \
+       && [ ! -f package.json ] \
+       && [ ! -f go.mod ] \
+       && [ ! -f pyproject.toml ] \
+       && [ ! -f Cargo.toml ] \
+       && [ ! -f pom.xml ] \
+       && [ ! -f build.gradle ] \
+       && [ ! -f build.gradle.kts ]; then
+    _refuse=1; _refuse_reason="cwd has no project markers (.git, .archcore, package.json, go.mod, pyproject.toml, Cargo.toml, pom.xml, build.gradle)"
+  fi
+
+  if [ "$_refuse" = "1" ]; then
+    printf '[archcore launcher] Refusing to start MCP — %s.\n' "$_refuse_reason" >&2
+    printf '  cwd: %s\n' "$_cwd" >&2
+    printf '  The archcore MCP server reads .archcore/ relative to its cwd. Wrong cwd = wrong project.\n' >&2
+    printf '  Fix one of:\n' >&2
+    # shellcheck disable=SC2016  # literal Cursor placeholder ${workspaceFolder}; not a shell var
+    printf '    Cursor:  in .cursor/mcp.json (or ~/.cursor/mcp.json), add  "cwd": "${workspaceFolder}"  to the archcore entry.\n' >&2
+    printf '             See README "Cursor: project-scoped MCP setup" for the full snippet.\n' >&2
+    # shellcheck disable=SC2016  # literal backticks around `claude` / `cwd` for user-facing prose
+    printf '    Claude:  start `claude` from your project directory — Claude Code ignores the `cwd` mcp field.\n' >&2
+    # shellcheck disable=SC2016  # literal shell snippet; do not expand $PWD/$argv here
+    printf '    Codex:   install the shell wrapper:  codex() { ARCHCORE_CWD="$PWD" command codex "$@"; }\n' >&2
+    printf '  Escape hatch (only if you know cwd is correct):  ARCHCORE_ALLOW_ANY_CWD=1\n' >&2
+    exit 1
+  fi
+fi
+
+# --- Diagnostic: one-line stderr log of the resolved cwd for MCP starts ---
+#
+# Surfaces in Cursor's MCP server panel and Claude Code's `/mcp` output, so
+# users can verify at a glance which project the server actually attached to.
+if [ "${1:-}" = "mcp" ]; then
+  _cwd_log=$(pwd -P)
+  if [ -d "$_cwd_log/.archcore" ]; then
+    _archcore_state="exists"
+  else
+    _archcore_state="missing"
+  fi
+  printf '[archcore mcp] cwd=%s archcore_dir=%s/.archcore (%s)\n' \
+    "$_cwd_log" "$_cwd_log" "$_archcore_state" >&2
+fi
+
 # --- 1. $ARCHCORE_BIN override ---
 if [ -n "${ARCHCORE_BIN:-}" ] && [ -x "$ARCHCORE_BIN" ]; then
   exec "$ARCHCORE_BIN" "$@"

cursor.mcp.json

@@ -0,0 +1,12 @@
+{
+  "mcpServers": {
+    "archcore": {
+      "command": "archcore",
+      "args": ["mcp"],
+      "cwd": "${workspaceFolder}",
+      "env": {
+        "ARCHCORE_CWD": "${workspaceFolder}"
+      }
+    }
+  }
+}