@sym-bot/mesh-channel 0.3.10 → 0.3.11

package/.claude-plugin/marketplace.json

@@ -1,19 +1,19 @@
 {
-  "name": "sym-bot",
+  "name": "sym-mesh-channel",
   "owner": {
     "name": "SYM.BOT",
     "email": "info@sym.bot"
   },
   "metadata": {
     "description": "Real-time communication and collaboration among Claude Code sessions — agent-to-agent cognitive signals over Bonjour LAN or WebSocket relay, on the Mesh Memory Protocol (MMP).",
-    "version": "0.3.10"
+    "version": "0.3.11"
   },
   "plugins": [
     {
       "name": "sym-mesh-channel",
       "source": "./",
       "description": "Real-time communication and collaboration among Claude Code sessions. Turns Claude Code into a peer node on the SYM mesh — two or more sessions discover each other via Bonjour (LAN) or a WebSocket relay (cross-network) and exchange structured cognitive signals as channel notifications. Each peer has its own Ed25519 identity, SVAF content gating, and local memory. Built on the Mesh Memory Protocol (MMP), an open peer-to-peer protocol for multi-agent collective intelligence.",
-      "version": "0.3.10",
+      "version": "0.3.11",
       "author": {
         "name": "Hongwei Xu",
         "email": "hongwei@sym.bot"

package/README.md

@@ -7,7 +7,7 @@
 ```
 # in Claude Code — the first line is one-time setup
 /plugin marketplace add sym-bot/sym-mesh-channel
-/plugin install sym-mesh-channel@sym-bot
+/plugin install sym-mesh-channel@sym-mesh-channel
 ```
 
 [![npm](https://img.shields.io/npm/v/@sym-bot/mesh-channel)](https://www.npmjs.com/package/@sym-bot/mesh-channel)
@@ -66,11 +66,11 @@ They're **not alternatives** — the channel is built *on* sym and speaks the sa
 
 ## Quick start
 
-Install the published plugin from the **sym-bot** marketplace — in Claude Code:
+Install the published plugin — in Claude Code:
 
 ```
 /plugin marketplace add sym-bot/sym-mesh-channel
-/plugin install sym-mesh-channel@sym-bot
+/plugin install sym-mesh-channel@sym-mesh-channel
 ```
 
 That gives you all **11 MCP tools — no flag, no npm, nothing else to add** — and **one install covers every Claude Code session on the machine**: open as many as you like (one per repo, or one planning while another codes); each gets its own mesh identity and picks up the mesh on resume. The first command is a one-time marketplace registration.
@@ -82,7 +82,7 @@ Also in the official [Anthropic Plugin Directory](https://claude.ai/settings/plu
 The tools above are pull-based. For a peer's message to **land in Claude's context mid-turn, with no tool call** — the "Claude thinks with the mesh" experience the screenshots show — Claude Code has to load this plugin's *channel*, which is currently gated behind a flag while it awaits Anthropic's approved-channels allowlist:
 
 ```
-claude --dangerously-load-development-channels plugin:sym-mesh-channel@sym-bot
+claude --dangerously-load-development-channels plugin:sym-mesh-channel@sym-mesh-channel
 ```
 
 The flag becomes unnecessary once the channel is allowlisted — tracked in [anthropics/claude-plugins-official#1512](https://github.com/anthropics/claude-plugins-official/issues/1512).
@@ -258,13 +258,14 @@ Both peers must use the same relay URL and token to land on the same channel. Th
 
 ## Security
 
-Defence in depth. Three layers, all must pass before a mesh signal reaches Claude's context:
+Four layers, all must pass before a mesh signal reaches Claude's context:
 
 1. **Transport.** Ed25519 peer identity on LAN + relay-token authentication on cross-network. Unauthenticated sources cannot reach `pushChannel()`.
 2. **Protocol.** [SVAF](https://arxiv.org/abs/2604.03955) per-field content gating — evaluates each incoming CMB across 7 semantic dimensions and rejects irrelevant signals before they enter cognitive state.
-3. **Application.** Text-only context injection, no code execution, no permission relay (`claude/channel/permission` is explicitly not declared).
+3. **Safety.** Prompt-injection filter — pattern-matches every CAT7 field and payload against a curated blocklist of instruction-override, role-hijacking, system-prompt injection, tool-call fabrication, and privilege-escalation patterns. Matched CMBs are blocked and audit-logged to stderr; no silent drops. Per-peer rate limiting (default 30 CMBs/min, configurable via `SYM_RATE_LIMIT`) and a payload size cap (`SYM_MAX_PAYLOAD_BYTES`, default 8 KB) prevent flood and oversized-payload attacks.
+4. **Application.** Text-only context injection, no code execution, no permission relay (`claude/channel/permission` is explicitly not declared).
 
-**Optional peer allowlist.** Set `SYM_ALLOWED_PEERS=claude-mac,claude-win` to restrict which authenticated peers can push to Claude's context. When empty (default), all authenticated peers are accepted.
+**Optional peer allowlist.** Set `SYM_ALLOWED_PEERS=claude-mac,claude-win` to restrict which authenticated peers can push to Claude's context. When empty (default), all authenticated peers pass layers 1–4.
 
 See [SECURITY.md](SECURITY.md) for the full threat model.
 
@@ -333,7 +334,7 @@ Some corporate networks block mDNS multicast entirely — try a hotspot or home
 
 The 11 tools work without any flag. The real-time `<channel>` **push** is separate: Claude Code only delivers channel notifications for channels on its **approved-channels allowlist**, and sym-mesh-channel isn't on it yet — so push requires the development-channels flag matching your install path:
 
-- plugin install: `--dangerously-load-development-channels plugin:sym-mesh-channel@sym-bot`
+- plugin install: `--dangerously-load-development-channels plugin:sym-mesh-channel@sym-mesh-channel`
 - npm install: `--dangerously-load-development-channels server:claude-sym-mesh`
 
 This is an Anthropic-side gate, not a bug here — once the channel is allowlisted the flag is no longer needed. Tracked in [anthropics/claude-plugins-official#1512](https://github.com/anthropics/claude-plugins-official/issues/1512).

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@sym-bot/mesh-channel",
-  "version": "0.3.10",
+  "version": "0.3.11",
   "description": "MCP server — real-time agent-to-agent cognition for Claude Code remote teams via the SYM mesh.",
   "main": "server.js",
   "bin": {

package/server.js

@@ -292,15 +292,18 @@ function registerNodeHandlers(n) {
     if (entry.source === NODE_NAME || entry.cmb?.createdBy === NODE_NAME) return;
     const source = entry.source || entry.cmb?.createdBy || 'unknown';
     if (!isPeerAllowed(source)) return;
-    const focus = entry.cmb?.fields?.focus?.text || entry.content || '';
-    const mood = entry.cmb?.fields?.mood?.text || '';
+    const fields = entry.cmb?.fields || {};
+    const payload = entry.cmb?.payload;
+    const sec = checkSecurity(source, fields, payload);
+    if (!sec.safe) { securityAudit(sec.reason, source, sec.excerpt); return; }
+    const focus = fields?.focus?.text || entry.content || '';
+    const mood = fields?.mood?.text || '';
     const moodSuffix = mood && mood !== 'neutral' ? ` (mood: ${mood})` : '';
     // Store the rendered CMB body so the agent can sym_fetch it by [mNNN] ID.
     // When the CMB carries an opaque payload alongside CAT7 fields, append a
     // PAYLOAD section to the stored body so sym_fetch returns it intact;
     // header gains a [+payload Nb] indicator so the receiver knows there's
     // structured data beyond CAT7 and should sym_fetch to consume it.
-    const payload = entry.cmb?.payload;
     const hasPayload = payload !== undefined && payload !== null;
     let body = entry.content || focus;
     let payloadSuffix = '';
@@ -318,6 +321,8 @@ function registerNodeHandlers(n) {
 
   n.on('message', (from, content) => {
     if (!isPeerAllowed(from)) return;
+    const sec = checkSecurity(from, { focus: { text: content } }, null);
+    if (!sec.safe) { securityAudit(sec.reason, from, sec.excerpt); return; }
     const msgId = storeMessage(from, content);
     const header = extractCompactHeader(from, content);
     pushChannel('message', `[${from}] ${header} [${msgId}]`);
@@ -904,6 +909,108 @@ function isPeerAllowed(peerName) {
   return ALLOWED_PEERS.includes(peerName);
 }
 
+// ── Security: Prompt-Injection Filter (v0.3.11) ──────────────
+// SVAF gates on semantic relevance; this layer gates on safety.
+// It runs on every CAT7 field and payload before pushChannel —
+// the last line of defence before content enters Claude's context.
+//
+// Attack model: a peer with a valid Ed25519 identity sends a CMB
+// whose fields look topically relevant (passes SVAF) but whose
+// content contains instruction-override patterns designed to hijack
+// the receiving Claude session ("ignore previous instructions",
+// role-play overrides, tool-call fabrication, etc.).
+//
+// Strategy: pattern-match on the serialized content of all CAT7
+// fields and the opaque payload. On match: block + audit-log to
+// stderr. Never silently drop — the operator must be able to see
+// what was rejected and why.
+
+const INJECTION_PATTERNS = [
+  // Classic instruction overrides
+  /ignore\s+(all\s+)?(previous|prior|above|earlier)\s+(instructions?|prompts?|context|rules?|guidelines?)/i,
+  /disregard\s+(all\s+)?(previous|prior|above|earlier)\s+(instructions?|prompts?|context|rules?)/i,
+  /forget\s+(everything|all)\s+(you('ve)?\s+)?(know|been\s+told|learned)/i,
+
+  // Role / persona hijacking
+  /you\s+are\s+now\s+(a\s+|an\s+)?(new\s+)?(ai|assistant|model|system|gpt|claude|llm)/i,
+  /act\s+as\s+(a\s+|an\s+)?(different|new|unrestricted|jailbroken|evil|rogue)/i,
+  /pretend\s+(you\s+)?(are|have\s+no)\s+(restrictions?|rules?|guidelines?|ethics?)/i,
+  /new\s+(persona|personality|mode|role)\s*:/i,
+
+  // System prompt injection
+  /<\s*system\s*>/i,
+  /\[SYSTEM\]/,
+  /##\s*system\s+prompt/i,
+  /---\s*system\s*---/i,
+
+  // Tool / function call fabrication
+  /<\s*tool_call\s*>/i,
+  /<\s*function_calls?\s*>/i,
+  /\{"type"\s*:\s*"tool_use"/,
+
+  // Privilege / capability escalation
+  /you\s+(now\s+)?(have|possess)\s+(full|unrestricted|admin|root|elevated)\s+(access|permissions?|capabilities?)/i,
+  /override\s+(safety|content|ethical?|policy)\s+(filter|check|guard|restriction)/i,
+  /jailbreak/i,
+  /DAN\s+mode/i,
+];
+
+const PAYLOAD_SIZE_LIMIT = parseInt(process.env.SYM_MAX_PAYLOAD_BYTES || '8192', 10);
+
+// Per-peer rate limiter: sliding window, default 30 CMBs/min.
+const RATE_LIMIT = parseInt(process.env.SYM_RATE_LIMIT || '30', 10);
+const RATE_WINDOW_MS = 60_000;
+const peerWindows = new Map(); // peerName → timestamp[]
+
+function isRateLimited(peer) {
+  const now = Date.now();
+  const window = (peerWindows.get(peer) || []).filter(t => now - t < RATE_WINDOW_MS);
+  window.push(now);
+  peerWindows.set(peer, window);
+  return window.length > RATE_LIMIT;
+}
+
+function securityAudit(reason, peer, excerpt) {
+  const safe = String(excerpt).replace(/[\r\n]+/g, ' ').slice(0, 120);
+  process.stderr.write(`[sym-security] BLOCKED reason=${reason} peer=${peer} excerpt="${safe}"\n`);
+}
+
+// Returns { safe: true } or { safe: false, reason, excerpt }.
+function checkSecurity(peer, fields, payload) {
+  // 1. Rate limit
+  if (isRateLimited(peer)) {
+    return { safe: false, reason: 'rate-limit', excerpt: `>${RATE_LIMIT} CMBs/min` };
+  }
+
+  // 2. Payload size cap
+  if (payload !== undefined && payload !== null) {
+    const size = JSON.stringify(payload).length;
+    if (size > PAYLOAD_SIZE_LIMIT) {
+      return { safe: false, reason: 'payload-too-large', excerpt: `${size}b > ${PAYLOAD_SIZE_LIMIT}b limit` };
+    }
+  }
+
+  // 3. Prompt injection scan across all text surfaces
+  const surfaces = [
+    ...Object.values(fields || {}).map(v =>
+      typeof v === 'string' ? v : (typeof v === 'object' && v?.text ? v.text : '')
+    ),
+    payload !== undefined && payload !== null
+      ? (typeof payload === 'string' ? payload : JSON.stringify(payload))
+      : '',
+  ].filter(Boolean);
+
+  for (const surface of surfaces) {
+    for (const pattern of INJECTION_PATTERNS) {
+      if (pattern.test(surface)) {
+        return { safe: false, reason: 'injection-pattern', excerpt: surface.slice(0, 200) };
+      }
+    }
+  }
+
+  return { safe: true };
+}
+
 // ── Mesh Events → Channel Notifications ──────────────────────
 
 function pushChannel(eventType, data) {