openfused 0.3.10 → 0.3.12

package/README.md

@@ -241,10 +241,20 @@ The daemon has two modes:
 # Full mode — serves everything to trusted LAN peers
 openfused serve --store ./my-context --port 9781
 
-# Public mode — only PROFILE.md + inbox (for WAN/tunnels)
+# Public mode — PROFILE.md + inbox + outbox pickup (for WAN/tunnels)
 openfused serve --store ./my-context --port 9781 --public
 ```
 
+Public mode endpoints:
+
+| Endpoint | Method | Purpose |
+|----------|--------|---------|
+| `/` | GET | Service info |
+| `/profile` | GET | Your PROFILE.md (public address card) |
+| `/config` | GET | Your public keys (JSON) |
+| `/inbox` | POST | Accept signed messages (rejects invalid signatures) |
+| `/outbox/{name}` | GET | Pickup replies addressed to `{name}` (encrypted) |
+
 ## File Watching
 
 `openfuse watch` combines three things:

package/dist/cli.js

@@ -8,7 +8,7 @@ import * as registry from "./registry.js";
 import { fingerprint } from "./crypto.js";
 import { resolve, join } from "node:path";
 import { readFile } from "node:fs/promises";
-const VERSION = "0.3.10";
+const VERSION = "0.3.12";
 const program = new Command();
 program
     .name("openfuse")
@@ -544,7 +544,12 @@ program
     const reg = registry.resolveRegistry(opts.registry);
     try {
         const manifest = await registry.discover(name, reg);
-        // Auto-import key + add as peer so `openfuse sync` works for replies
+        // Auto-import key (untrusted) + add as peer so future `openfuse sync` can
+        // deliver replies and pull context. Key is deliberately NOT trusted — the user
+        // must explicitly `openfuse key trust <name>` after out-of-band verification.
+        // NOTE: manifest data comes from the registry and is attacker-controlled.
+        // The endpoint URL is stored as-is; a malicious entry could point at an internal
+        // service. Sync will pull from it — consider validating URL scheme/host.
         let config = await store.readConfig();
         if (!config.keyring.some((e) => e.signingKey === manifest.publicKey)) {
             config.keyring.push({

package/dist/mcp.js

@@ -23,7 +23,7 @@ const storeDir = process.env.OPENFUSE_DIR || process.argv[3] || ".";
 const store = new ContextStore(resolve(storeDir));
 const server = new McpServer({
     name: "openfuse",
-    version: "0.3.10",
+    version: "0.3.12",
 });
 // --- Context ---
 server.tool("context_read", "Read the agent's CONTEXT.md (working memory)", async () => {

package/dist/registry.d.ts

@@ -1,5 +1,5 @@
 import { ContextStore } from "./store.js";
-export declare const DEFAULT_REGISTRY = "https://openfuse-registry.wzmcghee.workers.dev";
+export declare const DEFAULT_REGISTRY = "https://registry.openfused.dev";
 export interface Manifest {
     name: string;
     endpoint: string;

package/dist/registry.js

@@ -7,8 +7,8 @@
 // This is TOFU (Trust On First Use) done right: the registry distributes keys,
 // but never asserts trust. Trust is a local decision.
 import { signMessage, fingerprint } from "./crypto.js";
-// Custom domain pending propagation — use Worker URL as fallback
-export const DEFAULT_REGISTRY = "https://openfuse-registry.wzmcghee.workers.dev";
+// Registry API lives on .dev (product layer). DNS TXT records on .net (protocol layer).
+export const DEFAULT_REGISTRY = "https://registry.openfused.dev";
 export function resolveRegistry(flag) {
     return flag || process.env.OPENFUSE_REGISTRY || DEFAULT_REGISTRY;
 }

package/dist/store.js

@@ -172,10 +172,10 @@ export class ContextStore {
         const entry = config.keyring.find((e) => e.name === peerId || e.address.startsWith(`${peerId}@`));
         let signed;
         if (entry?.encryptionKey) {
-            signed = await signAndEncrypt(this.root, config.id, message, entry.encryptionKey);
+            signed = await signAndEncrypt(this.root, config.name, message, entry.encryptionKey);
         }
         else {
-            signed = await signMessage(this.root, config.id, message);
+            signed = await signMessage(this.root, config.name, message);
         }
         // Envelope filename encodes routing metadata so sync can match outbox files to peers
         // without parsing JSON. Colons/dots replaced to stay filesystem-safe across OS.

package/dist/sync.js

@@ -153,7 +153,10 @@ async function syncHttp(store, peer, baseUrl, peerDir) {
             errors.push(`${dir}/: ${e.message}`);
         }
     }
-    // Pull peer's outbox for messages addressed to us (HTTP version)
+    // Pull peer's outbox for messages addressed to us (HTTP version).
+    // The peer's daemon filters to _to-{myName}.json, but the JSON body is untrusted —
+    // a malicious peer controls every field. We must sanitize before using any value
+    // in a filename to prevent path traversal (e.g. from="../../.keys/evil").
     const config = await store.readConfig();
     const myName = config.name;
     const inboxDir = join(store.root, "inbox");
@@ -165,7 +168,11 @@ async function syncHttp(store, peer, baseUrl, peerDir) {
             for (const msg of messages) {
                 const ts = (msg.timestamp || new Date().toISOString()).replace(/[:.]/g, "-");
                 const from = msg.from || "unknown";
-                const fname = `${ts}_from-${from}_to-${myName}.json`;
+                // SECURITY: sanitize remote-controlled values before constructing local filenames.
+                // Without this, a malicious "from" like "../../.keys/x" could write outside inbox/.
+                const safeFrom = from.replace(/[^a-zA-Z0-9\-_]/g, "");
+                const safeTs = ts.replace(/[^a-zA-Z0-9\-_]/g, "");
+                const fname = `${safeTs}_from-${safeFrom}_to-${myName}.json`;
                 const dest = join(inboxDir, fname);
                 if (!existsSync(dest)) {
                     await writeFile(dest, JSON.stringify(msg, null, 2));

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "openfused",
-  "version": "0.3.10",
+  "version": "0.3.12",
   "description": "The file protocol for AI agent context. Encrypted, signed, peer-to-peer.",
   "license": "MIT",
   "type": "module",