npm - @sym-bot/mesh-channel - Versions diffs - 0.3.9 → 0.3.11 - Mend

@sym-bot/mesh-channel 0.3.9 → 0.3.11

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (6) hide show

package/.claude-plugin/marketplace.json +2 -2
package/.claude-plugin/plugin.json +1 -1
package/.mcp.json +1 -1
package/README.md +19 -8
package/package.json +1 -1
package/server.js +130 -4

package/.claude-plugin/marketplace.json CHANGED Viewed

@@ -6,14 +6,14 @@
   },
   "metadata": {
     "description": "Real-time communication and collaboration among Claude Code sessions — agent-to-agent cognitive signals over Bonjour LAN or WebSocket relay, on the Mesh Memory Protocol (MMP).",
-    "version": "0.3.9"
+    "version": "0.3.11"
   },
   "plugins": [
     {
       "name": "sym-mesh-channel",
       "source": "./",
       "description": "Real-time communication and collaboration among Claude Code sessions. Turns Claude Code into a peer node on the SYM mesh — two or more sessions discover each other via Bonjour (LAN) or a WebSocket relay (cross-network) and exchange structured cognitive signals as channel notifications. Each peer has its own Ed25519 identity, SVAF content gating, and local memory. Built on the Mesh Memory Protocol (MMP), an open peer-to-peer protocol for multi-agent collective intelligence.",
-      "version": "0.3.9",
+      "version": "0.3.11",
       "author": {
         "name": "Hongwei Xu",
         "email": "hongwei@sym.bot"

package/.claude-plugin/plugin.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "sym-mesh-channel",
-  "version": "0.3.9",
+  "version": "0.3.10",
   "description": "Real-time Claude-to-Claude mesh. Agent-to-agent cognitive signals over Bonjour LAN or WebSocket relay.",
   "author": {
     "name": "Hongwei Xu",

package/.mcp.json CHANGED Viewed

@@ -4,7 +4,7 @@
       "command": "npx",
       "args": [
         "-y",
-        "@sym-bot/mesh-channel@0.3.9"
+        "@sym-bot/mesh-channel@0.3.10"
       ],
       "env": {
         "SYM_RELAY_URL": "${user_config.relay_url}",

package/README.md CHANGED Viewed

@@ -66,16 +66,26 @@ They're **not alternatives** — the channel is built *on* sym and speaks the sa
 ## Quick start
-Install the published plugin from the SYM marketplace — in Claude Code:
+Install the published plugin — in Claude Code:
 ```
 /plugin marketplace add sym-bot/sym-mesh-channel
 /plugin install sym-mesh-channel@sym-mesh-channel
 ```
-That's the whole setup: all 11 MCP tools, plus peer messages appearing in Claude's context mid-turn with no tool call — the "Claude thinks with the mesh" experience the screenshots above show. **One install covers every Claude Code session on the machine** — open as many as you like (one per repo, or one planning while another codes); each picks up the mesh on resume. The first command is a one-time marketplace registration.
+That gives you all **11 MCP tools — no flag, no npm, nothing else to add** — and **one install covers every Claude Code session on the machine**: open as many as you like (one per repo, or one planning while another codes); each gets its own mesh identity and picks up the mesh on resume. The first command is a one-time marketplace registration.
-Also in the official [Anthropic Plugin Directory](https://claude.ai/settings/plugins) — browse `/plugin` → **Discover** and search "mesh", or install from `@claude-community` after `/plugin marketplace add anthropics/claude-plugins-community`. If real-time `<channel>` notifications don't arrive, see [Troubleshooting](#channel-notifications-never-arrive-even-though-peers-are-connected).
+Also in the official [Anthropic Plugin Directory](https://claude.ai/settings/plugins) — `/plugin` → **Discover** → search "mesh", or `/plugin install sym-mesh-channel@claude-community` after `/plugin marketplace add anthropics/claude-plugins-community`.
+### Real-time push (the `<channel>` experience)
+The tools above are pull-based. For a peer's message to **land in Claude's context mid-turn, with no tool call** — the "Claude thinks with the mesh" experience the screenshots show — Claude Code has to load this plugin's *channel*, which is currently gated behind a flag while it awaits Anthropic's approved-channels allowlist:
+```
+claude --dangerously-load-development-channels plugin:sym-mesh-channel@sym-mesh-channel
+```
+The flag becomes unnecessary once the channel is allowlisted — tracked in [anthropics/claude-plugins-official#1512](https://github.com/anthropics/claude-plugins-official/issues/1512).
 ## What you get
@@ -248,13 +258,14 @@ Both peers must use the same relay URL and token to land on the same channel. Th
 ## Security
-Defence in depth. Three layers, all must pass before a mesh signal reaches Claude's context:
+Four layers, all must pass before a mesh signal reaches Claude's context:
 1. **Transport.** Ed25519 peer identity on LAN + relay-token authentication on cross-network. Unauthenticated sources cannot reach `pushChannel()`.
 2. **Protocol.** [SVAF](https://arxiv.org/abs/2604.03955) per-field content gating — evaluates each incoming CMB across 7 semantic dimensions and rejects irrelevant signals before they enter cognitive state.
-3. **Application.** Text-only context injection, no code execution, no permission relay (`claude/channel/permission` is explicitly not declared).
+3. **Safety.** Prompt-injection filter — pattern-matches every CAT7 field and payload against a curated blocklist of instruction-override, role-hijacking, system-prompt injection, tool-call fabrication, and privilege-escalation patterns. Matched CMBs are blocked and audit-logged to stderr; no silent drops. Per-peer rate limiting (default 30 CMBs/min, configurable via `SYM_RATE_LIMIT`) and a payload size cap (`SYM_MAX_PAYLOAD_BYTES`, default 8 KB) prevent flood and oversized-payload attacks.
+4. **Application.** Text-only context injection, no code execution, no permission relay (`claude/channel/permission` is explicitly not declared).
-**Optional peer allowlist.** Set `SYM_ALLOWED_PEERS=claude-mac,claude-win` to restrict which authenticated peers can push to Claude's context. When empty (default), all authenticated peers are accepted.
+**Optional peer allowlist.** Set `SYM_ALLOWED_PEERS=claude-mac,claude-win` to restrict which authenticated peers can push to Claude's context. When empty (default), all authenticated peers pass layers 1–4.
 See [SECURITY.md](SECURITY.md) for the full threat model.
@@ -321,12 +332,12 @@ Some corporate networks block mDNS multicast entirely — try a hotspot or home
 ### `<channel>` notifications never arrive even though peers are connected
-The published plugin loads the channel on its own. If `<channel>` notifications still don't arrive, real-time push may not yet be enabled on your account — as a fallback, launch Claude Code with the development-channels flag matching your install path:
+The 11 tools work without any flag. The real-time `<channel>` **push** is separate: Claude Code only delivers channel notifications for channels on its **approved-channels allowlist**, and sym-mesh-channel isn't on it yet — so push requires the development-channels flag matching your install path:
 - plugin install: `--dangerously-load-development-channels plugin:sym-mesh-channel@sym-mesh-channel`
 - npm install: `--dangerously-load-development-channels server:claude-sym-mesh`
-The tools work regardless; only the async push surface may be gated. Status tracked in [anthropics/claude-plugins-official#1512](https://github.com/anthropics/claude-plugins-official/issues/1512).
+This is an Anthropic-side gate, not a bug here — once the channel is allowlisted the flag is no longer needed. Tracked in [anthropics/claude-plugins-official#1512](https://github.com/anthropics/claude-plugins-official/issues/1512).
 ### `sym_status` says "Relay: connected" when you didn't configure one

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "@sym-bot/mesh-channel",
-  "version": "0.3.9",
+  "version": "0.3.11",
   "description": "MCP server — real-time agent-to-agent cognition for Claude Code remote teams via the SYM mesh.",
   "main": "server.js",
   "bin": {

package/server.js CHANGED Viewed

@@ -211,7 +211,26 @@ function defaultNodeName() {
   }
   return `claude-${clean(require('os').hostname())}`;
 }
-const NODE_NAME = process.env.SYM_NODE_NAME || defaultNodeName();
+// Live-collision auto-suffix (v0.3.10): @sym-bot/sym already reclaims STALE locks
+// (dead holder), so crashed sessions self-heal. But two LIVE sessions wanting the
+// same name — a duplicate dev agent, or two sessions sharing a fixed SYM_NODE_NAME
+// — would hard-fail with EIDENTITYLOCK. Resolve the name up front: if the base is
+// held by a live process, append -2/-3/… so the second session coexists instead of
+// failing. A dead or absent holder keeps the base name (sym reclaims it on start).
+function resolveNodeName(base) {
+  const fs = require('fs'), os = require('os'), path = require('path');
+  const alive = (pid) => { try { process.kill(pid, 0); return true; } catch (e) { return e.code === 'EPERM'; } };
+  for (let i = 0; i < 64; i++) {
+    const name = i === 0 ? base : `${base}-${i + 1}`;
+    try {
+      const pid = parseInt(fs.readFileSync(path.join(os.homedir(), '.sym', 'nodes', name, 'lock.pid'), 'utf8').trim(), 10);
+      if (pid && alive(pid)) continue; // live holder → try the next suffix
+    } catch { /* no lock file → name is free */ }
+    return name; // free, or a stale lock sym will reclaim on start()
+  }
+  return base;
+}
+const NODE_NAME = resolveNodeName(process.env.SYM_NODE_NAME || defaultNodeName());
 // ── Mesh group (MMP §5.8) ──────────────────────────────────
 //
@@ -273,15 +292,18 @@ function registerNodeHandlers(n) {
     if (entry.source === NODE_NAME || entry.cmb?.createdBy === NODE_NAME) return;
     const source = entry.source || entry.cmb?.createdBy || 'unknown';
     if (!isPeerAllowed(source)) return;
-    const focus = entry.cmb?.fields?.focus?.text || entry.content || '';
-    const mood = entry.cmb?.fields?.mood?.text || '';
+    const fields = entry.cmb?.fields || {};
+    const payload = entry.cmb?.payload;
+    const sec = checkSecurity(source, fields, payload);
+    if (!sec.safe) { securityAudit(sec.reason, source, sec.excerpt); return; }
+    const focus = fields?.focus?.text || entry.content || '';
+    const mood = fields?.mood?.text || '';
     const moodSuffix = mood && mood !== 'neutral' ? ` (mood: ${mood})` : '';
     // Store the rendered CMB body so the agent can sym_fetch it by [mNNN] ID.
     // When the CMB carries an opaque payload alongside CAT7 fields, append a
     // PAYLOAD section to the stored body so sym_fetch returns it intact;
     // header gains a [+payload Nb] indicator so the receiver knows there's
     // structured data beyond CAT7 and should sym_fetch to consume it.
-    const payload = entry.cmb?.payload;
     const hasPayload = payload !== undefined && payload !== null;
     let body = entry.content || focus;
     let payloadSuffix = '';
@@ -299,6 +321,8 @@ function registerNodeHandlers(n) {
   n.on('message', (from, content) => {
     if (!isPeerAllowed(from)) return;
+    const sec = checkSecurity(from, { focus: { text: content } }, null);
+    if (!sec.safe) { securityAudit(sec.reason, from, sec.excerpt); return; }
     const msgId = storeMessage(from, content);
     const header = extractCompactHeader(from, content);
     pushChannel('message', `[${from}] ${header} [${msgId}]`);
@@ -885,6 +909,108 @@ function isPeerAllowed(peerName) {
   return ALLOWED_PEERS.includes(peerName);
 }
+// ── Security: Prompt-Injection Filter (v0.3.11) ──────────────
+// SVAF gates on semantic relevance; this layer gates on safety.
+// It runs on every CAT7 field and payload before pushChannel —
+// the last line of defence before content enters Claude's context.
+//
+// Attack model: a peer with a valid Ed25519 identity sends a CMB
+// whose fields look topically relevant (passes SVAF) but whose
+// content contains instruction-override patterns designed to hijack
+// the receiving Claude session ("ignore previous instructions",
+// role-play overrides, tool-call fabrication, etc.).
+//
+// Strategy: pattern-match on the serialized content of all CAT7
+// fields and the opaque payload. On match: block + audit-log to
+// stderr. Never silently drop — the operator must be able to see
+// what was rejected and why.
+const INJECTION_PATTERNS = [
+  // Classic instruction overrides
+  /ignore\s+(all\s+)?(previous|prior|above|earlier)\s+(instructions?|prompts?|context|rules?|guidelines?)/i,
+  /disregard\s+(all\s+)?(previous|prior|above|earlier)\s+(instructions?|prompts?|context|rules?)/i,
+  /forget\s+(everything|all)\s+(you('ve)?\s+)?(know|been\s+told|learned)/i,
+  // Role / persona hijacking
+  /you\s+are\s+now\s+(a\s+|an\s+)?(new\s+)?(ai|assistant|model|system|gpt|claude|llm)/i,
+  /act\s+as\s+(a\s+|an\s+)?(different|new|unrestricted|jailbroken|evil|rogue)/i,
+  /pretend\s+(you\s+)?(are|have\s+no)\s+(restrictions?|rules?|guidelines?|ethics?)/i,
+  /new\s+(persona|personality|mode|role)\s*:/i,
+  // System prompt injection
+  /<\s*system\s*>/i,
+  /\[SYSTEM\]/,
+  /##\s*system\s+prompt/i,
+  /---\s*system\s*---/i,
+  // Tool / function call fabrication
+  /<\s*tool_call\s*>/i,
+  /<\s*function_calls?\s*>/i,
+  /\{"type"\s*:\s*"tool_use"/,
+  // Privilege / capability escalation
+  /you\s+(now\s+)?(have|possess)\s+(full|unrestricted|admin|root|elevated)\s+(access|permissions?|capabilities?)/i,
+  /override\s+(safety|content|ethical?|policy)\s+(filter|check|guard|restriction)/i,
+  /jailbreak/i,
+  /DAN\s+mode/i,
+];
+const PAYLOAD_SIZE_LIMIT = parseInt(process.env.SYM_MAX_PAYLOAD_BYTES || '8192', 10);
+// Per-peer rate limiter: sliding window, default 30 CMBs/min.
+const RATE_LIMIT = parseInt(process.env.SYM_RATE_LIMIT || '30', 10);
+const RATE_WINDOW_MS = 60_000;
+const peerWindows = new Map(); // peerName → timestamp[]
+function isRateLimited(peer) {
+  const now = Date.now();
+  const window = (peerWindows.get(peer) || []).filter(t => now - t < RATE_WINDOW_MS);
+  window.push(now);
+  peerWindows.set(peer, window);
+  return window.length > RATE_LIMIT;
+}
+function securityAudit(reason, peer, excerpt) {
+  const safe = String(excerpt).replace(/[\r\n]+/g, ' ').slice(0, 120);
+  process.stderr.write(`[sym-security] BLOCKED reason=${reason} peer=${peer} excerpt="${safe}"\n`);
+}
+// Returns { safe: true } or { safe: false, reason, excerpt }.
+function checkSecurity(peer, fields, payload) {
+  // 1. Rate limit
+  if (isRateLimited(peer)) {
+    return { safe: false, reason: 'rate-limit', excerpt: `>${RATE_LIMIT} CMBs/min` };
+  }
+  // 2. Payload size cap
+  if (payload !== undefined && payload !== null) {
+    const size = JSON.stringify(payload).length;
+    if (size > PAYLOAD_SIZE_LIMIT) {
+      return { safe: false, reason: 'payload-too-large', excerpt: `${size}b > ${PAYLOAD_SIZE_LIMIT}b limit` };
+    }
+  }
+  // 3. Prompt injection scan across all text surfaces
+  const surfaces = [
+    ...Object.values(fields || {}).map(v =>
+      typeof v === 'string' ? v : (typeof v === 'object' && v?.text ? v.text : '')
+    ),
+    payload !== undefined && payload !== null
+      ? (typeof payload === 'string' ? payload : JSON.stringify(payload))
+      : '',
+  ].filter(Boolean);
+  for (const surface of surfaces) {
+    for (const pattern of INJECTION_PATTERNS) {
+      if (pattern.test(surface)) {
+        return { safe: false, reason: 'injection-pattern', excerpt: surface.slice(0, 200) };
+      }
+    }
+  }
+  return { safe: true };
+}
 // ── Mesh Events → Channel Notifications ──────────────────────
 function pushChannel(eventType, data) {