@sym-bot/mesh-channel 0.3.11 → 0.3.13

package/.claude-plugin/plugin.json

@@ -1,6 +1,6 @@
 {
   "name": "sym-mesh-channel",
-  "version": "0.3.10",
+  "version": "0.3.13",
   "description": "Real-time Claude-to-Claude mesh. Agent-to-agent cognitive signals over Bonjour LAN or WebSocket relay.",
   "author": {
     "name": "Hongwei Xu",

package/CHANGELOG.md

@@ -1,5 +1,62 @@
 # Changelog
 
+## 0.3.13
+
+### Changed
+
+- **Track the latest released `@sym-bot/sym` (`^0.7.6`).** Pulls in the SVAF decision log (every evaluation — admit and reject — is now persisted and emitted) on top of the 0.7.5 replay-storm receive-path dedup. Additive; no API changes in mesh-channel.
+
+## 0.3.12
+
+### Changed
+
+- **Bump `@sym-bot/sym` to `^0.7.5`** — mesh replay-storm receive-path dedup (dedup received CMBs so a co-resident peer restart no longer triggers a replay storm).
+
+### Fixed
+
+- Align install commands + channel-flag handles with the actual marketplace (#13).
+- Fix 5 moderate Dependabot vulnerabilities (`npm audit fix`).
+
+## 0.3.11
+
+### Added
+
+- **Prompt-injection filter (security layer 3).** Every incoming CMB — all CAT7 fields and the opaque payload — is now scanned against a curated blocklist of injection patterns before `pushChannel()` is called. Patterns cover: instruction-override phrases ("ignore previous instructions", "forget everything you know"), role/persona hijacking ("you are now a new AI", "act as an unrestricted assistant"), system-prompt injection (`<system>`, `[SYSTEM]`, `## system prompt`), tool-call fabrication (`<tool_call>`, `<function_calls>`), and privilege-escalation language ("override safety filter", "jailbreak", "DAN mode"). Blocked CMBs are audit-logged to stderr with reason, peer name, and a truncated excerpt — never silently dropped.
+
+- **Per-peer rate limiting.** A sliding 60-second window caps each peer at `SYM_RATE_LIMIT` CMBs per minute (default: 30). CMBs exceeding the cap are blocked and audit-logged. Prevents flood attacks from a compromised or malfunctioning peer.
+
+- **Payload size cap.** Payloads larger than `SYM_MAX_PAYLOAD_BYTES` (default: 8 192 bytes) are rejected before context injection. Prevents oversized-payload attacks that could exhaust the context window.
+
+- **README security section updated** to document all four defence layers accurately.
+
+### Security model
+
+The full gate before any mesh signal reaches Claude's context is now:
+1. **Transport** — Ed25519 peer identity + relay-token auth.
+2. **Protocol** — SVAF per-field semantic relevance gate.
+3. **Safety** — prompt-injection filter + rate limiter + payload size cap (this release).
+4. **Application** — text-only injection; `claude/channel/permission` not declared.
+
+## 0.3.10
+
+### Fixed
+
+- **Live-identity-collision auto-suffix.** Two sessions wanting the same `SYM_NODE_NAME` previously hard-failed with `EIDENTITYLOCK`. The server now checks whether the name's lock file is held by a live process; if so, it appends `-2`, `-3`, … (up to 64) until it finds a free slot. Stale locks (dead holder) are still reclaimed by `@sym-bot/sym` on start — unchanged. Result: duplicate dev-agent sessions, or any two sessions sharing a fixed `SYM_NODE_NAME`, coexist instead of failing.
+
+## 0.3.9
+
+### Fixed
+
+- **stdout discipline — fixes `-32000 / Connection closed`.** The MCP JSON-RPC stream runs on stdout. Dependency load banners (e.g. `[encoder] Semantic encoder ready` from the semantic model) were printing to stdout, intermittently corrupting the handshake and causing Claude Code to log "Ignoring non-JSON line on stdout" or drop the connection with `-32000`. A stdout guard is now installed before any `require()`: lines that start with `{` (JSON-RPC frames) pass through to the real stdout; everything else is redirected to stderr. Verified: stdout is pure JSON after the fix.
+
+## 0.3.8
+
+### Added
+
+- **Per-session node identity.** Each Claude Code session now gets its own mesh identity derived from the working-directory slug and a session-unique suffix (e.g. `claude-symday-webapp-6e174e`), instead of all sessions sharing the machine hostname. Enables multiple Claude Code sessions on the same machine to appear as distinct peers on the mesh — confirmed working over loopback via Bonjour with no relay.
+
+- **`npx` launch path.** The plugin now launches via `npx @sym-bot/mesh-channel` rather than a global `node` path, so marketplace installs work without a prior `npm install -g`. The npx cache warms on first launch; subsequent sessions start in ~1 s.
+
 ## 0.3.7
 
 ### Changed

package/README.md

@@ -6,12 +6,12 @@
 
 ```
 # in Claude Code — the first line is one-time setup
-/plugin marketplace add sym-bot/sym-mesh-channel
-/plugin install sym-mesh-channel@sym-mesh-channel
+/plugin marketplace add anthropics/claude-plugins-community
+/plugin install sym-mesh-channel@claude-community
 ```
 
 [![npm](https://img.shields.io/npm/v/@sym-bot/mesh-channel)](https://www.npmjs.com/package/@sym-bot/mesh-channel)
-[![Plugin Directory](https://img.shields.io/badge/Anthropic_Plugin_Directory-approved-success)](https://claude.ai/settings/plugins/submit)
+[![Plugin Directory](https://img.shields.io/badge/Anthropic_Plugin_Directory-listed-success)](https://github.com/anthropics/claude-plugins-community)
 [![MMP Spec](https://img.shields.io/badge/protocol-MMP_v1.0-orange)](https://meshcognition.org/spec/mmp)
 [![SVAF arXiv](https://img.shields.io/badge/arXiv-2604.03955-b31b1b.svg)](https://arxiv.org/abs/2604.03955)
 [![MMP arXiv](https://img.shields.io/badge/arXiv-2604.19540-b31b1b.svg)](https://arxiv.org/abs/2604.19540)
@@ -69,22 +69,33 @@ They're **not alternatives** — the channel is built *on* sym and speaks the sa
 Install the published plugin — in Claude Code:
 
 ```
-/plugin marketplace add sym-bot/sym-mesh-channel
-/plugin install sym-mesh-channel@sym-mesh-channel
+/plugin marketplace add anthropics/claude-plugins-community
+/plugin install sym-mesh-channel@claude-community
 ```
 
 That gives you all **11 MCP tools — no flag, no npm, nothing else to add** — and **one install covers every Claude Code session on the machine**: open as many as you like (one per repo, or one planning while another codes); each gets its own mesh identity and picks up the mesh on resume. The first command is a one-time marketplace registration.
 
-Also in the official [Anthropic Plugin Directory](https://claude.ai/settings/plugins) — `/plugin` → **Discover** → search "mesh", or `/plugin install sym-mesh-channel@claude-community` after `/plugin marketplace add anthropics/claude-plugins-community`.
+Discoverable in Claude Code too — `/plugin` → **Discover** → search "mesh".
+
+Want the always-latest build straight from the source repo? Add it as its own marketplace instead:
+
+```
+/plugin marketplace add sym-bot/sym-mesh-channel
+/plugin install sym-mesh-channel@sym-mesh-channel
+```
+
+This tracks `main`, so it can be a few versions ahead of the community listing (whose pinned build lags until the next directory sync). **Whichever marketplace you install from, the channel flag below must use that same `@<marketplace>` handle** — `@claude-community` for the directory install above, `@sym-mesh-channel` for this source-repo install. Mismatching them is the #1 cause of `plugin … not installed` when launching with the channel flag.
 
 ### Real-time push (the `<channel>` experience)
 
 The tools above are pull-based. For a peer's message to **land in Claude's context mid-turn, with no tool call** — the "Claude thinks with the mesh" experience the screenshots show — Claude Code has to load this plugin's *channel*, which is currently gated behind a flag while it awaits Anthropic's approved-channels allowlist:
 
 ```
-claude --dangerously-load-development-channels plugin:sym-mesh-channel@sym-mesh-channel
+claude --dangerously-load-development-channels plugin:sym-mesh-channel@claude-community
 ```
 
+(If you installed from the source-repo marketplace instead, use `plugin:sym-mesh-channel@sym-mesh-channel` — the `@<marketplace>` must match wherever you installed from.)
+
 The flag becomes unnecessary once the channel is allowlisted — tracked in [anthropics/claude-plugins-official#1512](https://github.com/anthropics/claude-plugins-official/issues/1512).
 
 ## What you get
@@ -334,7 +345,7 @@ Some corporate networks block mDNS multicast entirely — try a hotspot or home
 
 The 11 tools work without any flag. The real-time `<channel>` **push** is separate: Claude Code only delivers channel notifications for channels on its **approved-channels allowlist**, and sym-mesh-channel isn't on it yet — so push requires the development-channels flag matching your install path:
 
-- plugin install: `--dangerously-load-development-channels plugin:sym-mesh-channel@sym-mesh-channel`
+- plugin install: `--dangerously-load-development-channels plugin:sym-mesh-channel@claude-community` (or `@sym-mesh-channel` if you installed from the source-repo marketplace — the handle must match your install source)
 - npm install: `--dangerously-load-development-channels server:claude-sym-mesh`
 
 This is an Anthropic-side gate, not a bug here — once the channel is allowlisted the flag is no longer needed. Tracked in [anthropics/claude-plugins-official#1512](https://github.com/anthropics/claude-plugins-official/issues/1512).

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@sym-bot/mesh-channel",
-  "version": "0.3.11",
+  "version": "0.3.13",
   "description": "MCP server — real-time agent-to-agent cognition for Claude Code remote teams via the SYM mesh.",
   "main": "server.js",
   "bin": {
@@ -22,7 +22,7 @@
   ],
   "dependencies": {
     "@modelcontextprotocol/sdk": "^1.12.1",
-    "@sym-bot/sym": "^0.7.4",
+    "@sym-bot/sym": "^0.7.6",
     "bonjour-service": "^1.3.0"
   },
   "engines": {