openfused 0.3.12 → 0.3.14

package/README.md

@@ -10,7 +10,7 @@ No vendor lock-in. No proprietary protocol. Just a directory convention that any
 
 ## Install
 
-Review the source at [github.com/wearethecompute/openfused](https://github.com/wearethecompute/openfused) before installing.
+Review the source at [github.com/openfused/openfused](https://github.com/openfused/openfused) before installing.
 
 ```bash
 # TypeScript (npm) — package: openfused
@@ -71,6 +71,11 @@ openfuse context --append "## Update\nFinished the research phase."
 # (edit CONTEXT.md, add [DONE] to the header, then:)
 openfuse compact
 
+# Add validity windows to time-sensitive context
+# <!-- validity: 6h --> for task state, 1d for sprint, 3d for architecture
+openfuse validate                    # scan for stale entries
+openfuse compact --prune-stale       # archive expired validity windows
+
 # Send a message (auto-encrypted if peer's age key is on file)
 openfuse inbox send agent-bob "Check out shared/findings.md"
 
@@ -107,7 +112,7 @@ openfuse key export
 # Import a peer's keys
 openfuse key import wisp ./wisp-signing.key \
   --encryption-key "age1xyz..." \
-  --address "wisp@alice.local"
+  --address "wisp.openfused.net"
 
 # Trust a key (verified messages show [VERIFIED])
 openfuse key trust wisp
@@ -127,7 +132,7 @@ my-agent  (self)
   encryption: age1r9qd5fpt...
   fingerprint: 0EC3:BE39:C64D:8F15:9DEF:B74C:F448:6645
 
-wisp  wisp@alice.local  [TRUSTED]
+wisp  wisp.openfused.net  [TRUSTED]
   signing:    8904f73e...
   encryption: age1z5wm7l4s...
   fingerprint: 2CC7:8684:42E5:B304:1AC2:D870:7E20:9871
@@ -150,13 +155,17 @@ Public registry at `registry.openfused.dev`. Any agent can register, discover ot
 
 ```bash
 # Register your agent
-openfuse register --endpoint ssh://alice.local:/home/agent/context
+# Registers as yourname.openfused.net
+openfuse register --endpoint https://your-server.com:2053
+
+# Or use your own domain:
+openfuse register --name yourname.company.com --endpoint https://yourname.company.com:2053
 
 # Discover an agent
-openfuse discover wearethecompute
+openfuse discover wisp
 
 # Send a message (resolves via registry, auto-imports key)
-openfuse send wearethecompute "hello from the mesh"
+openfuse send wisp "hello"
 ```
 
 - **Signed manifests** — prove you own the name (Ed25519 signature)
@@ -172,10 +181,10 @@ Pull peer context, pull their outbox for your mail, push your outbox. Two transp
 
 ```bash
 # LAN — rsync over SSH (uses your ~/.ssh/config for host aliases)
-openfuse peer add ssh://alice.local:/home/agent/context --name wisp
+openfuse peer add ssh://your-server:/home/agent/store --name wisp
 
 # WAN — HTTP against the OpenFused daemon
-openfuse peer add http://agent.example.com:9781 --name wisp
+openfuse peer add https://wisp.openfused.dev --name wisp
 
 # Sync all peers
 openfuse sync
@@ -184,7 +193,7 @@ openfuse sync
 openfuse watch
 
 # Watch + reverse SSH tunnel (NAT traversal)
-openfuse watch --tunnel alice.local
+openfuse watch --tunnel your-server
 ```
 
 Sync does three things:
@@ -239,10 +248,10 @@ The daemon has two modes:
 
 ```bash
 # Full mode — serves everything to trusted LAN peers
-openfused serve --store ./my-context --port 9781
+openfused serve --store ./my-context --port 2053
 
 # Public mode — PROFILE.md + inbox + outbox pickup (for WAN/tunnels)
-openfused serve --store ./my-context --port 9781 --public
+openfused serve --store ./my-context --port 2053 --public
 ```
 
 Public mode endpoints:
@@ -267,7 +276,7 @@ Public mode endpoints:
 openfuse watch -d ./store                      # sync every 60s
 openfuse watch -d ./store --sync-interval 30   # sync every 30s
 openfuse watch -d ./store --sync-interval 0    # local watch only
-openfuse watch -d ./store --tunnel alice.local  # + reverse SSH tunnel
+openfuse watch -d ./store --tunnel your-server  # + reverse SSH tunnel
 ```
 
 ## Reachability

package/dist/cli.js

@@ -1,14 +1,15 @@
 #!/usr/bin/env node
 import { Command } from "commander";
 import { nanoid } from "nanoid";
-import { ContextStore } from "./store.js";
+import { ContextStore, validateName } from "./store.js";
 import { watchInbox, watchContext, watchSync } from "./watch.js";
 import { syncAll, syncOne, deliverOne } from "./sync.js";
 import * as registry from "./registry.js";
 import { fingerprint } from "./crypto.js";
 import { resolve, join } from "node:path";
 import { readFile } from "node:fs/promises";
-const VERSION = "0.3.12";
+import { parseValiditySections, buildValidityReport } from "./validity.js";
+const VERSION = "0.3.13";
 const program = new Command();
 program
     .name("openfuse")
@@ -28,6 +29,7 @@ program
         process.exit(1);
     }
     const id = nanoid(12);
+    validateName(opts.name, "Agent name");
     if (opts.workspace) {
         await store.initWorkspace(opts.name, id);
         console.log(`Initialized shared workspace: ${store.root}`);
@@ -68,7 +70,7 @@ program
     console.log(`Shared: ${s.sharedCount} files`);
     const latest = await registry.checkUpdate(VERSION);
     if (latest) {
-        console.error(`\n  Update available: ${VERSION} → ${latest} — https://github.com/wearethecompute/openfused/releases`);
+        console.error(`\n  Update available: ${VERSION} → ${latest} — https://github.com/openfused/openfused/releases`);
     }
 });
 // --- context ---
@@ -208,6 +210,15 @@ program
         const { spawn } = await import("node:child_process");
         const tunnelPort = opts.tunnelPort;
         const tunnelHost = opts.tunnel;
+        // Prevent SSH option injection: reject values that look like flags
+        if (tunnelHost.startsWith("-") || /\s/.test(tunnelHost)) {
+            console.error("Invalid --tunnel value: must be a hostname, not flags");
+            process.exit(1);
+        }
+        if (tunnelPort.startsWith("-") || /\s/.test(tunnelPort) || !/^\d+$/.test(tunnelPort)) {
+            console.error("Invalid --tunnel-port value: must be a numeric port");
+            process.exit(1);
+        }
         // Try autossh first, fall back to ssh
         const cmd = await (async () => {
             try {
@@ -220,8 +231,8 @@ program
             }
         })();
         const args = cmd === "autossh"
-            ? ["-M", "0", "-N", "-R", `${tunnelPort}:localhost:9781`, tunnelHost, "-o", "ServerAliveInterval=15", "-o", "ExitOnForwardFailure=yes"]
-            : ["-N", "-R", `${tunnelPort}:localhost:9781`, tunnelHost, "-o", "ServerAliveInterval=15", "-o", "ExitOnForwardFailure=yes"];
+            ? ["-M", "0", "-N", "-R", `${tunnelPort}:localhost:2053`, tunnelHost, "-o", "ServerAliveInterval=15", "-o", "ExitOnForwardFailure=yes"]
+            : ["-N", "-R", `${tunnelPort}:localhost:2053`, tunnelHost, "-o", "ServerAliveInterval=15", "-o", "ExitOnForwardFailure=yes"];
         const tunnel = spawn(cmd, args, { stdio: "ignore" });
         tunnel.on("error", (e) => console.error(`[tunnel] ${cmd} failed: ${e.message}`));
         tunnel.on("exit", (code) => {
@@ -229,13 +240,13 @@ program
                 console.error(`[tunnel] ${cmd} exited with code ${code}`);
         });
         process.on("exit", () => tunnel.kill());
-        console.log(`Tunnel: ${cmd} -R ${tunnelPort}:localhost:9781 ${tunnelHost}`);
-        console.log(`Your store is reachable at ssh://${tunnelHost}:${tunnelPort} (via daemon on :9781)`);
+        console.log(`Tunnel: ${cmd} -R ${tunnelPort}:localhost:2053 ${tunnelHost}`);
+        console.log(`Your store is reachable at ssh://${tunnelHost}:${tunnelPort} (via daemon on :2053)`);
     }
     // Cloudflared quick tunnel (optional) — gives you a public *.trycloudflare.com URL
     if (opts.cloudflared) {
         const { spawn } = await import("node:child_process");
-        const cf = spawn("cloudflared", ["tunnel", "--url", "http://localhost:9781"], {
+        const cf = spawn("cloudflared", ["tunnel", "--url", "http://localhost:2053"], {
             stdio: ["ignore", "pipe", "pipe"],
         });
         cf.on("error", (e) => console.error(`[cloudflared] failed: ${e.message}. Install: https://developers.cloudflare.com/cloudflare-one/connections/connect-networks/downloads/`));
@@ -278,14 +289,74 @@ program
     .command("compact")
     .description("Move [DONE] sections from CONTEXT.md to history/")
     .option("-d, --dir <path>", "Context store directory", ".")
+    .option("--prune-stale", "Also archive sections past their <!-- validity: --> window (confidence < 0.1)")
     .action(async (opts) => {
     const store = new ContextStore(resolve(opts.dir));
+    let prunedCount = 0;
+    if (opts.pruneStale) {
+        // Soft-expiry pruning: rewrite CONTEXT.md with stale sections stripped
+        const content = await store.readContext();
+        const sections = parseValiditySections(content);
+        const staleSections = sections.filter((s) => s.expired);
+        if (staleSections.length > 0) {
+            // Remove stale annotated sections from file
+            let updated = content;
+            for (const s of staleSections) {
+                // Strip the section text from the file (simple text removal)
+                updated = updated.replace(s.sectionText, "[STALE — archived by openfuse compact --prune-stale]");
+            }
+            await store.writeContext(updated);
+            prunedCount = staleSections.length;
+        }
+    }
     const { moved, kept } = await store.compactContext();
-    if (moved === 0) {
+    if (moved === 0 && prunedCount === 0) {
         console.log("Nothing to compact. Mark sections with [DONE] to archive them.");
     }
     else {
-        console.log(`Compacted: ${moved} done, ${kept} kept.`);
+        const parts = [];
+        if (moved > 0)
+            parts.push(`${moved} done`);
+        if (prunedCount > 0)
+            parts.push(`${prunedCount} stale`);
+        console.log(`Compacted: ${parts.join(", ")}, ${kept} kept.`);
+    }
+});
+// --- validate ---
+program
+    .command("validate")
+    .description("Scan CONTEXT.md for expired validity windows and report stale entries")
+    .option("-d, --dir <path>", "Context store directory", ".")
+    .option("--json", "Output as JSON")
+    .action(async (opts) => {
+    const store = new ContextStore(resolve(opts.dir));
+    if (!(await store.exists())) {
+        console.error("No context store found. Run `openfuse init` first.");
+        process.exit(1);
+    }
+    const content = await store.readContext();
+    const sections = parseValiditySections(content);
+    const report = buildValidityReport(sections);
+    if (opts.json) {
+        console.log(JSON.stringify(report, null, 2));
+        return;
+    }
+    if (report.total === 0) {
+        console.log("No validity-annotated sections found.");
+        console.log("Add `<!-- validity: 6h -->` before time-sensitive context entries.");
+        return;
+    }
+    console.log(`Validity check: ${report.fresh} fresh, ${report.stale} stale (of ${report.total} annotated)`);
+    if (report.stale > 0) {
+        console.log("\nStale sections (confidence < 0.1):");
+        for (const e of report.entries.filter((e) => e.expired)) {
+            const age = e.addedAt ? ` written ${e.addedAt}` : "";
+            console.log(`  [${e.ttlLabel} TTL${age}] ${e.preview}`);
+        }
+        console.log("\nRun `openfuse compact --prune-stale` to archive stale sections.");
+    }
+    else {
+        console.log("All annotated sections are within their validity windows. ✓");
     }
 });
 // --- share ---
@@ -327,14 +398,16 @@ peer
     const store = new ContextStore(resolve(opts.dir));
     const config = await store.readConfig();
     const peerId = nanoid(12);
+    const peerName = opts.name ?? `peer-${config.peers.length + 1}`;
+    validateName(peerName, "Peer name");
     config.peers.push({
         id: peerId,
-        name: opts.name ?? `peer-${config.peers.length + 1}`,
+        name: peerName,
         url,
         access: opts.access,
     });
     await store.writeConfig(config);
-    console.log(`Added peer: ${opts.name ?? peerId} (${url}) [${opts.access}]`);
+    console.log(`Added peer: ${peerName} (${url}) [${opts.access}]`);
 });
 peer
     .command("remove <id>")
@@ -496,16 +569,23 @@ program
     .command("register")
     .description("Register this agent in the public registry")
     .option("-d, --dir <path>", "Context store directory", ".")
+    .option("-n, --name <name>", "Full agent name (defaults to {storename}.openfused.net, or set your own domain)")
     .requiredOption("-e, --endpoint <url>", "Endpoint URL where peers can reach you")
     .option("-r, --registry <url>", "Registry URL")
     .action(async (opts) => {
     const store = new ContextStore(resolve(opts.dir));
     const reg = registry.resolveRegistry(opts.registry);
-    const manifest = await registry.register(store, opts.endpoint, reg);
+    const config = await store.readConfig();
+    const agentName = opts.name || `${config.name}.openfused.net`;
+    const manifest = await registry.register(store, opts.endpoint, reg, agentName);
     console.log(`Registered: ${manifest.name} [SIGNED]`);
     console.log(`  Endpoint:    ${manifest.endpoint}`);
     console.log(`  Fingerprint: ${manifest.fingerprint}`);
+    console.log(`  DNS:         _openfuse.${manifest.name}`);
     console.log(`  Registry:    ${reg}`);
+    console.log(`\nOthers can find you with:`);
+    console.log(`  openfuse discover ${manifest.name}`);
+    console.log(`  openfuse send ${manifest.name} "hello"`);
 });
 // --- discover ---
 program
@@ -575,6 +655,9 @@ program
         // Try direct HTTP delivery if endpoint is http(s)
         if (manifest.endpoint.startsWith("http")) {
             try {
+                // SSRF check: registry endpoints are attacker-controlled
+                const { checkSsrf } = await import("./sync.js");
+                await checkSsrf(manifest.endpoint);
                 const body = await readFile(join(store.root, "outbox", filename), "utf-8");
                 const r = await fetch(`${manifest.endpoint.replace(/\/$/, "")}/inbox`, {
                     method: "POST",

package/dist/crypto.d.ts

@@ -22,6 +22,12 @@ export declare function generateKeys(storeRoot: string): Promise<{
 export declare function hasKeys(storeRoot: string): Promise<boolean>;
 export declare function fingerprint(publicKey: string): string;
 export declare function loadAgeRecipient(storeRoot: string): Promise<string>;
+/** Sign a raw challenge string — used for outbox authentication.
+ * Returns { signature, publicKey } without the full SignedMessage envelope. */
+export declare function signChallenge(storeRoot: string, challenge: string): Promise<{
+    signature: string;
+    publicKey: string;
+}>;
 export declare function signMessage(storeRoot: string, from: string, message: string): Promise<SignedMessage>;
 export declare function signAndEncrypt(storeRoot: string, from: string, plaintext: string, recipientAgeKey: string): Promise<SignedMessage>;
 export declare function verifyMessage(signed: SignedMessage): boolean;

package/dist/crypto.js

@@ -63,6 +63,14 @@ export async function loadAgeRecipient(storeRoot) {
 async function loadAgeIdentity(storeRoot) {
     return (await readFile(join(storeRoot, KEY_DIR, "age.key"), "utf-8")).trim();
 }
+/** Sign a raw challenge string — used for outbox authentication.
+ * Returns { signature, publicKey } without the full SignedMessage envelope. */
+export async function signChallenge(storeRoot, challenge) {
+    const privateKey = await loadPrivateKey(storeRoot);
+    const publicKey = await loadPublicKeyHex(storeRoot);
+    const signature = sign(null, Buffer.from(challenge), privateKey).toString("base64");
+    return { signature, publicKey };
+}
 export async function signMessage(storeRoot, from, message) {
     const privateKey = await loadPrivateKey(storeRoot);
     const publicKey = await loadPublicKeyHex(storeRoot);

package/dist/mcp.js

@@ -8,7 +8,7 @@
 import { McpServer } from "@modelcontextprotocol/sdk/server/mcp.js";
 import { StdioServerTransport } from "@modelcontextprotocol/sdk/server/stdio.js";
 import { z } from "zod";
-import { ContextStore } from "./store.js";
+import { ContextStore, validateName } from "./store.js";
 import { resolve } from "node:path";
 // LLMs will pass whatever filenames users ask for — including "../../etc/shadow".
 // This is the trust boundary between the AI and the filesystem.
@@ -23,7 +23,7 @@ const storeDir = process.env.OPENFUSE_DIR || process.argv[3] || ".";
 const store = new ContextStore(resolve(storeDir));
 const server = new McpServer({
     name: "openfuse",
-    version: "0.3.12",
+    version: "0.3.13",
 });
 // --- Context ---
 server.tool("context_read", "Read the agent's CONTEXT.md (working memory)", async () => {
@@ -115,6 +115,7 @@ server.tool("peer_add", "Add a peer by URL (http:// for WAN, ssh://host:/path fo
     name: z.string().describe("Peer name"),
     access: z.enum(["read", "readwrite"]).default("read").describe("Access mode"),
 }, async ({ url, name, access }) => {
+    validateName(name, "Peer name");
     const { nanoid } = await import("nanoid");
     const config = await store.readConfig();
     const peerId = nanoid(12);

package/dist/registry.d.ts

@@ -16,7 +16,7 @@ export interface Manifest {
     rotatedFrom?: string;
 }
 export declare function resolveRegistry(flag?: string): string;
-export declare function register(store: ContextStore, endpoint: string, registry: string): Promise<Manifest>;
+export declare function register(store: ContextStore, endpoint: string, registry: string, name?: string): Promise<Manifest>;
 export declare function discover(name: string, registry: string): Promise<Manifest>;
 export declare function revoke(store: ContextStore, registry: string): Promise<void>;
 export declare function checkUpdate(currentVersion: string): Promise<string | null>;

package/dist/registry.js

@@ -12,12 +12,12 @@ export const DEFAULT_REGISTRY = "https://registry.openfused.dev";
 export function resolveRegistry(flag) {
     return flag || process.env.OPENFUSE_REGISTRY || DEFAULT_REGISTRY;
 }
-export async function register(store, endpoint, registry) {
+export async function register(store, endpoint, registry, name) {
     const config = await store.readConfig();
     if (!config.publicKey)
         throw new Error("No signing key — run `openfuse init` first");
     const manifest = {
-        name: config.name,
+        name: name || config.name,
         endpoint,
         publicKey: config.publicKey,
         encryptionKey: config.encryptionKey,

package/dist/store.d.ts

@@ -17,6 +17,9 @@ export interface PeerConfig {
     access: "read" | "readwrite";
     mountPath?: string;
 }
+/** Validate agent/peer names: alphanumeric + hyphens + underscores + dots, 1-64 chars.
+ *  Rejects path traversal (../, /, \) and rsync glob chars (*, ?, [). */
+export declare function validateName(name: string, label?: string): string;
 export declare class ContextStore {
     readonly root: string;
     constructor(root: string);

package/dist/store.js

@@ -16,6 +16,20 @@ import { join, resolve } from "node:path";
 import { existsSync } from "node:fs";
 import { generateKeys, signMessage, signAndEncrypt, verifyMessage, decryptMessage, deserializeSignedMessage, serializeSignedMessage, wrapExternalMessage, fingerprint, } from "./crypto.js";
 const STORE_DIRS = ["history", "knowledge", "inbox", "outbox", "shared", ".peers"];
+/** Validate agent/peer names: alphanumeric + hyphens + underscores + dots, 1-64 chars.
+ *  Rejects path traversal (../, /, \) and rsync glob chars (*, ?, [). */
+export function validateName(name, label = "Name") {
+    if (!name || name.length < 1 || name.length > 64) {
+        throw new Error(`${label} must be 1-64 characters`);
+    }
+    if (!/^[a-zA-Z0-9][a-zA-Z0-9._-]*$/.test(name)) {
+        throw new Error(`${label} must start with alphanumeric and contain only a-z, 0-9, -, _, .`);
+    }
+    if (name.includes("..") || name.includes("/") || name.includes("\\")) {
+        throw new Error(`${label} contains invalid path characters`);
+    }
+    return name;
+}
 export class ContextStore {
     root;
     constructor(root) {
@@ -167,6 +181,7 @@ export class ContextStore {
     }
     // --- Inbox ---
     async sendInbox(peerId, message) {
+        validateName(peerId, "Recipient name");
         const config = await this.readConfig();
         // Look up peer's encryption key in keyring
         const entry = config.keyring.find((e) => e.name === peerId || e.address.startsWith(`${peerId}@`));

package/dist/sync.d.ts

@@ -1,4 +1,6 @@
 import { ContextStore } from "./store.js";
+/** Block SSRF: reject URLs pointing to private/reserved IP ranges. */
+export declare function checkSsrf(url: string): Promise<void>;
 export interface SyncResult {
     peerName: string;
     pulled: string[];

package/dist/sync.js

@@ -8,6 +8,29 @@ import { join } from "node:path";
 import { existsSync } from "node:fs";
 import { execFile as execFileCb } from "node:child_process";
 import { promisify } from "node:util";
+import dns from "node:dns/promises";
+/** Block SSRF: reject URLs pointing to private/reserved IP ranges. */
+export async function checkSsrf(url) {
+    const parsed = new URL(url);
+    const hostname = parsed.hostname.replace(/^\[|\]$/g, ""); // strip IPv6 brackets
+    try {
+        const { address } = await dns.lookup(hostname);
+        const parts = address.split(".").map(Number);
+        if (address === "127.0.0.1" || address === "::1" || address === "0.0.0.0" ||
+            parts[0] === 10 ||
+            (parts[0] === 172 && parts[1] >= 16 && parts[1] <= 31) ||
+            (parts[0] === 192 && parts[1] === 168) ||
+            (parts[0] === 169 && parts[1] === 254) ||
+            address.startsWith("fc") || address.startsWith("fd") || address.startsWith("fe80")) {
+            throw new Error(`SSRF blocked: ${hostname} resolves to private address ${address}`);
+        }
+    }
+    catch (e) {
+        if (e.message.startsWith("SSRF blocked"))
+            throw e;
+        // DNS resolution failed — allow (could be .local or SSH alias)
+    }
+}
 const execFile = promisify(execFileCb);
 // Archive instead of delete: preserves audit trail and lets agents review what was sent.
 // Without this, sync would re-deliver the same message every cycle.
@@ -32,10 +55,10 @@ function parseUrl(url) {
         if (host.startsWith("-") || path.startsWith("-")) {
             throw new Error("Invalid SSH URL: host/path cannot start with '-'");
         }
-        if (/[;|`$]/.test(host)) {
+        if (/[;|`$&(){}\s\n\r]/.test(host)) {
             throw new Error("Invalid SSH URL: host contains shell metacharacters");
         }
-        if (/[;|`$&(){}]/.test(path)) {
+        if (/[;|`$&(){}\s\n\r]/.test(path)) {
             throw new Error("Invalid SSH URL: path contains shell metacharacters");
         }
         return { type: "ssh", host, path };
@@ -55,6 +78,7 @@ export async function deliverOne(store, peerName, filename) {
     try {
         const transport = parseUrl(peer.url);
         if (transport.type === "http") {
+            await checkSsrf(transport.baseUrl);
             const body = await readFile(filePath, "utf-8");
             const r = await fetch(`${transport.baseUrl}/inbox`, {
                 method: "POST",
@@ -114,6 +138,8 @@ async function syncHttp(store, peer, baseUrl, peerDir) {
     const pulled = [];
     const pushed = [];
     const errors = [];
+    // SSRF check: block requests to private/reserved IPs
+    await checkSsrf(baseUrl);
     for (const file of ["CONTEXT.md", "PROFILE.md"]) {
         try {
             const resp = await fetch(`${baseUrl}/read/${file}`);
@@ -154,29 +180,56 @@ async function syncHttp(store, peer, baseUrl, peerDir) {
         }
     }
     // Pull peer's outbox for messages addressed to us (HTTP version).
-    // The peer's daemon filters to _to-{myName}.json, but the JSON body is untrusted —
-    // a malicious peer controls every field. We must sanitize before using any value
-    // in a filename to prevent path traversal (e.g. from="../../.keys/evil").
+    // Authenticated: we sign a challenge proving we own this name, so the daemon
+    // only serves outbox to the actual recipient. Prevents metadata enumeration.
     const config = await store.readConfig();
     const myName = config.name;
     const inboxDir = join(store.root, "inbox");
     await mkdir(inboxDir, { recursive: true });
     try {
-        const resp = await fetch(`${baseUrl}/outbox/${myName}`);
+        const { signChallenge } = await import("./crypto.js");
+        const timestamp = new Date().toISOString();
+        const challenge = `OUTBOX:${myName}:${timestamp}`;
+        const { signature, publicKey } = await signChallenge(store.root, challenge);
+        const resp = await fetch(`${baseUrl}/outbox/${myName}`, {
+            headers: {
+                "X-OpenFuse-PublicKey": publicKey,
+                "X-OpenFuse-Signature": signature,
+                "X-OpenFuse-Timestamp": timestamp,
+            },
+        });
         if (resp.ok) {
             const messages = (await resp.json());
             for (const msg of messages) {
                 const ts = (msg.timestamp || new Date().toISOString()).replace(/[:.]/g, "-");
                 const from = msg.from || "unknown";
-                // SECURITY: sanitize remote-controlled values before constructing local filenames.
-                // Without this, a malicious "from" like "../../.keys/x" could write outside inbox/.
                 const safeFrom = from.replace(/[^a-zA-Z0-9\-_]/g, "");
                 const safeTs = ts.replace(/[^a-zA-Z0-9\-_]/g, "");
                 const fname = `${safeTs}_from-${safeFrom}_to-${myName}.json`;
+                const outboxFile = msg._outboxFile; // filename on sender's outbox
                 const dest = join(inboxDir, fname);
                 if (!existsSync(dest)) {
-                    await writeFile(dest, JSON.stringify(msg, null, 2));
+                    // Strip the _outboxFile metadata before saving
+                    const { _outboxFile, ...cleanMsg } = msg;
+                    await writeFile(dest, JSON.stringify(cleanMsg, null, 2));
                     pulled.push(`outbox→${fname}`);
+                    // ACK: tell sender to move this message to .sent/
+                    if (outboxFile) {
+                        try {
+                            const ackTs = new Date().toISOString();
+                            const ackChallenge = `ACK:${myName}:${outboxFile}:${ackTs}`;
+                            const ackSig = await signChallenge(store.root, ackChallenge);
+                            await fetch(`${baseUrl}/outbox/${myName}/${outboxFile}`, {
+                                method: "DELETE",
+                                headers: {
+                                    "X-OpenFuse-PublicKey": ackSig.publicKey,
+                                    "X-OpenFuse-Signature": ackSig.signature,
+                                    "X-OpenFuse-Timestamp": ackTs,
+                                },
+                            });
+                        }
+                        catch { } // best-effort ACK
+                    }
                 }
             }
         }

package/dist/validity.d.ts

@@ -0,0 +1,41 @@
+export interface ValidityAnnotation {
+    /** Validity window parsed from <!-- validity: ... --> */
+    ttlMs: number;
+    /** Written timestamp from <!-- openfuse:added: ISO --> (if present) */
+    addedAt?: Date;
+    /** True if confidence < 0.1 */
+    expired: boolean;
+    /** Soft confidence [0, 1]. 1.0 at write time, 0.5 at TTL, asymptotes to 0 */
+    confidence: number;
+    /** The section text following this annotation (until the next annotation or EOF) */
+    sectionText: string;
+}
+export interface ValidityReport {
+    total: number;
+    stale: number;
+    fresh: number;
+    entries: Array<{
+        preview: string;
+        addedAt: string | null;
+        ttlLabel: string;
+        confidence: number;
+        expired: boolean;
+    }>;
+}
+/** Parse a TTL label like "6h" or "3d" into milliseconds */
+export declare function parseTtlMs(value: string, unit: string): number;
+/** Soft-expiry confidence. Exponential decay: 1.0 at write, 0.5 at TTL, →0 over time. */
+export declare function computeConfidence(addedAt: Date | undefined, ttlMs: number, now?: Date): number;
+/**
+ * Parse CONTEXT.md content for validity-annotated sections.
+ * Each `<!-- validity: Xh -->` comment starts a new annotated section.
+ * Sections without validity annotations are skipped.
+ */
+export declare function parseValiditySections(content: string, now?: Date): ValidityAnnotation[];
+/** Build a human-readable report of validity window status */
+export declare function buildValidityReport(sections: ValidityAnnotation[]): ValidityReport;
+export declare const DEFAULT_TTL_TIERS: {
+    readonly task: number;
+    readonly sprint: number;
+    readonly architecture: number;
+};

package/dist/validity.js

@@ -0,0 +1,117 @@
+// --- Context validity windows ---
+// Agents often write context that's only valid for a bounded time window.
+// This module parses `<!-- validity: Xh -->` (or `1d`, `3d`) annotations
+// from CONTEXT.md, checks freshness against `<!-- openfuse:added: ISO -->`,
+// and provides soft-expiry confidence scoring via exponential decay.
+//
+// Design decisions:
+// - Advisory only: agents that don't understand validity annotations read
+//   CONTEXT.md normally. No schema enforcement.
+// - Decay starts at write time, reaches 0.5 at TTL, asymptotes toward 0.
+//   Agents can down-weight uncertain context rather than hard-drop it.
+// - "Stale" means confidence < 0.1 (roughly 3× TTL from write time).
+// --- Parsing ---
+const VALIDITY_RE = /<!--\s*validity:\s*(\d+)\s*(h|d)\s*(?:,\s*[^>]*)?\s*-->/i;
+const ADDED_RE = /<!--\s*openfuse:added:\s*([^\s>]+)\s*-->/i;
+/** Parse a TTL label like "6h" or "3d" into milliseconds */
+export function parseTtlMs(value, unit) {
+    const n = parseInt(value, 10);
+    if (unit.toLowerCase() === "d")
+        return n * 24 * 60 * 60 * 1000;
+    return n * 60 * 60 * 1000; // hours default
+}
+/** Soft-expiry confidence. Exponential decay: 1.0 at write, 0.5 at TTL, →0 over time. */
+export function computeConfidence(addedAt, ttlMs, now = new Date()) {
+    if (!addedAt) {
+        // No timestamp — treat as written "now" with full confidence
+        return 1.0;
+    }
+    const ageMs = now.getTime() - addedAt.getTime();
+    if (ageMs <= 0)
+        return 1.0;
+    // Exponential decay: confidence = 0.5 ^ (age / ttl)
+    return Math.pow(0.5, ageMs / ttlMs);
+}
+/**
+ * Parse CONTEXT.md content for validity-annotated sections.
+ * Each `<!-- validity: Xh -->` comment starts a new annotated section.
+ * Sections without validity annotations are skipped.
+ */
+export function parseValiditySections(content, now = new Date()) {
+    const results = [];
+    const lines = content.split("\n");
+    let inSection = false;
+    let currentTtlMs = 0;
+    let currentAddedAt;
+    let sectionLines = [];
+    const flushSection = () => {
+        if (!inSection)
+            return;
+        const confidence = computeConfidence(currentAddedAt, currentTtlMs, now);
+        results.push({
+            ttlMs: currentTtlMs,
+            addedAt: currentAddedAt,
+            expired: confidence < 0.1,
+            confidence,
+            sectionText: sectionLines.join("\n").trim(),
+        });
+        inSection = false;
+        sectionLines = [];
+        currentAddedAt = undefined;
+        currentTtlMs = 0;
+    };
+    for (const line of lines) {
+        const validityMatch = line.match(VALIDITY_RE);
+        if (validityMatch) {
+            flushSection();
+            currentTtlMs = parseTtlMs(validityMatch[1], validityMatch[2]);
+            inSection = true;
+            continue;
+        }
+        const addedMatch = line.match(ADDED_RE);
+        if (addedMatch && inSection && !currentAddedAt) {
+            const parsed = new Date(addedMatch[1]);
+            if (!isNaN(parsed.getTime())) {
+                currentAddedAt = parsed;
+            }
+            continue;
+        }
+        if (inSection) {
+            sectionLines.push(line);
+        }
+    }
+    flushSection();
+    return results;
+}
+/** Build a human-readable report of validity window status */
+export function buildValidityReport(sections) {
+    const entries = sections.map((s) => {
+        const preview = s.sectionText.split("\n").find((l) => l.trim()) ?? "(empty)";
+        const ttlMs = s.ttlMs;
+        const hours = ttlMs / (60 * 60 * 1000);
+        const ttlLabel = hours >= 24 ? `${Math.round(hours / 24)}d` : `${Math.round(hours)}h`;
+        return {
+            preview: preview.slice(0, 80),
+            addedAt: s.addedAt ? s.addedAt.toISOString() : null,
+            ttlLabel,
+            confidence: Math.round(s.confidence * 100) / 100,
+            expired: s.expired,
+        };
+    });
+    return {
+        total: sections.length,
+        stale: sections.filter((s) => s.expired).length,
+        fresh: sections.filter((s) => !s.expired).length,
+        entries,
+    };
+}
+// --- Default TTL tiers (from multi-agent swarm research) ---
+// Based on 20-agent, 20-run PDR evaluation dataset:
+//   task-state context (what I'm working on right now): ~6h half-life
+//   sprint-context (sprint goals, current approach): ~24h half-life
+//   project-architecture (design decisions, constraints): ~72h half-life
+export const DEFAULT_TTL_TIERS = {
+    task: 6 * 60 * 60 * 1000, // 6h
+    sprint: 24 * 60 * 60 * 1000, // 24h
+    architecture: 72 * 60 * 60 * 1000, // 72h
+};

package/dist/validity.test.d.ts

@@ -0,0 +1 @@
+export {};

package/dist/validity.test.js

@@ -0,0 +1,199 @@
+// Tests for context validity window module
+// Run: node --import tsx/esm src/validity.test.ts
+// (or after build: node dist/validity.test.js)
+import { describe, it } from "node:test";
+import assert from "node:assert/strict";
+import { parseTtlMs, computeConfidence, parseValiditySections, buildValidityReport, DEFAULT_TTL_TIERS, } from "./validity.js";
+// --- parseTtlMs ---
+describe("parseTtlMs", () => {
+    it("parses hours", () => {
+        assert.equal(parseTtlMs("6", "h"), 6 * 60 * 60 * 1000);
+    });
+    it("parses days", () => {
+        assert.equal(parseTtlMs("3", "d"), 3 * 24 * 60 * 60 * 1000);
+    });
+    it("parses 1d", () => {
+        assert.equal(parseTtlMs("1", "d"), 24 * 60 * 60 * 1000);
+    });
+    it("parses 24h", () => {
+        assert.equal(parseTtlMs("24", "H"), 24 * 60 * 60 * 1000);
+    });
+});
+// --- computeConfidence ---
+describe("computeConfidence", () => {
+    const ttl6h = 6 * 60 * 60 * 1000;
+    it("returns 1.0 when no addedAt (no timestamp)", () => {
+        assert.equal(computeConfidence(undefined, ttl6h), 1.0);
+    });
+    it("returns 1.0 at write time", () => {
+        const now = new Date("2026-03-21T12:00:00Z");
+        const addedAt = new Date("2026-03-21T12:00:00Z");
+        assert.equal(computeConfidence(addedAt, ttl6h, now), 1.0);
+    });
+    it("returns 0.5 at TTL boundary", () => {
+        const addedAt = new Date("2026-03-21T00:00:00Z");
+        const now = new Date("2026-03-21T06:00:00Z"); // exactly 6h later
+        const conf = computeConfidence(addedAt, ttl6h, now);
+        assert.ok(Math.abs(conf - 0.5) < 0.0001, `expected ~0.5, got ${conf}`);
+    });
+    it("returns ~0.25 at 2× TTL", () => {
+        const addedAt = new Date("2026-03-21T00:00:00Z");
+        const now = new Date("2026-03-21T12:00:00Z"); // 12h = 2× TTL
+        const conf = computeConfidence(addedAt, ttl6h, now);
+        assert.ok(Math.abs(conf - 0.25) < 0.0001, `expected ~0.25, got ${conf}`);
+    });
+    it("returns < 0.1 at 3.32× TTL (expired threshold)", () => {
+        const addedAt = new Date("2026-03-21T00:00:00Z");
+        const now = new Date("2026-03-21T20:00:00Z"); // 20h ≈ 3.33× TTL
+        const conf = computeConfidence(addedAt, ttl6h, now);
+        assert.ok(conf < 0.1, `expected < 0.1, got ${conf}`);
+    });
+    it("handles future addedAt gracefully (returns 1.0)", () => {
+        const addedAt = new Date("2026-03-22T00:00:00Z");
+        const now = new Date("2026-03-21T12:00:00Z");
+        assert.equal(computeConfidence(addedAt, ttl6h, now), 1.0);
+    });
+});
+// --- parseValiditySections ---
+describe("parseValiditySections", () => {
+    it("returns empty array when no validity annotations", () => {
+        const content = "# Context\n\nWorking on: auth refactor\n";
+        const sections = parseValiditySections(content);
+        assert.equal(sections.length, 0);
+    });
+    it("parses a single validity section with addedAt", () => {
+        const addedAt = "2026-03-21T10:00:00Z";
+        const now = new Date("2026-03-21T13:00:00Z"); // 3h after write
+        const content = [
+            "<!-- validity: 6h -->",
+            `<!-- openfuse:added: ${addedAt} -->`,
+            "Working on: auth refactor",
+            "Blocked on: IAM role",
+        ].join("\n");
+        const sections = parseValiditySections(content, now);
+        assert.equal(sections.length, 1);
+        assert.equal(sections[0].ttlMs, 6 * 60 * 60 * 1000);
+        // toISOString() returns .000Z suffix; just check the date round-trips
+        assert.ok(sections[0].addedAt instanceof Date);
+        assert.equal(sections[0].addedAt.getTime(), new Date(addedAt).getTime());
+        assert.ok(sections[0].confidence > 0.5, "should be > 0.5 at 3h of 6h TTL");
+        assert.equal(sections[0].expired, false);
+        assert.ok(sections[0].sectionText.includes("auth refactor"));
+    });
+    it("parses a section without addedAt (confidence = 1.0)", () => {
+        const content = [
+            "<!-- validity: 1d -->",
+            "Architecture: JWT with 15-minute expiry",
+        ].join("\n");
+        const sections = parseValiditySections(content);
+        assert.equal(sections.length, 1);
+        assert.equal(sections[0].addedAt, undefined);
+        assert.equal(sections[0].confidence, 1.0);
+        assert.equal(sections[0].expired, false);
+    });
+    it("marks expired sections correctly", () => {
+        const addedAt = "2026-03-20T00:00:00Z"; // 48h ago
+        const now = new Date("2026-03-22T00:00:00Z");
+        const content = [
+            "<!-- validity: 6h -->",
+            `<!-- openfuse:added: ${addedAt} -->`,
+            "Blocked on: IAM role",
+        ].join("\n");
+        const sections = parseValiditySections(content, now);
+        assert.equal(sections.length, 1);
+        assert.equal(sections[0].expired, true);
+        assert.ok(sections[0].confidence < 0.1);
+    });
+    it("parses multiple validity sections independently", () => {
+        const now = new Date("2026-03-22T00:00:00Z");
+        const freshAdded = "2026-03-21T23:00:00Z"; // 1h ago — fresh vs 6h TTL
+        const staleAdded = "2026-03-18T00:00:00Z"; // 96h ago — expired vs 24h TTL (0.5^4 = 0.0625 < 0.1)
+        const content = [
+            "# Context",
+            "",
+            "<!-- validity: 6h -->",
+            `<!-- openfuse:added: ${freshAdded} -->`,
+            "Working on: auth refactor",
+            "",
+            "<!-- validity: 1d -->",
+            `<!-- openfuse:added: ${staleAdded} -->`,
+            "Sprint goal: ship auth by Friday",
+        ].join("\n");
+        const sections = parseValiditySections(content, now);
+        assert.equal(sections.length, 2);
+        assert.equal(sections[0].expired, false);
+        assert.equal(sections[1].expired, true);
+    });
+    it("parses validity with component annotation", () => {
+        const content = [
+            "<!-- validity: 6h, component: auth-gateway -->",
+            "Working on: JWT refactor",
+        ].join("\n");
+        const sections = parseValiditySections(content);
+        assert.equal(sections.length, 1);
+        assert.equal(sections[0].ttlMs, 6 * 60 * 60 * 1000);
+    });
+    it("parses day-based TTL", () => {
+        const content = [
+            "<!-- validity: 3d -->",
+            "Architecture: microservices with shared auth layer",
+        ].join("\n");
+        const sections = parseValiditySections(content);
+        assert.equal(sections.length, 1);
+        assert.equal(sections[0].ttlMs, 3 * 24 * 60 * 60 * 1000);
+    });
+});
+// --- buildValidityReport ---
+describe("buildValidityReport", () => {
+    it("returns correct counts for mixed fresh/stale", () => {
+        const now = new Date("2026-03-22T00:00:00Z");
+        const freshAdded = "2026-03-21T23:00:00Z";
+        const staleAdded = "2026-03-20T00:00:00Z";
+        const content = [
+            "<!-- validity: 6h -->",
+            `<!-- openfuse:added: ${freshAdded} -->`,
+            "Working on: auth refactor",
+            "",
+            "<!-- validity: 6h -->",
+            `<!-- openfuse:added: ${staleAdded} -->`,
+            "Blocked on: IAM role (OLD)",
+        ].join("\n");
+        const sections = parseValiditySections(content, now);
+        const report = buildValidityReport(sections);
+        assert.equal(report.total, 2);
+        assert.equal(report.fresh, 1);
+        assert.equal(report.stale, 1);
+    });
+    it("formats ttlLabel correctly for hours and days", () => {
+        const content = [
+            "<!-- validity: 6h -->",
+            "Task context",
+            "",
+            "<!-- validity: 1d -->",
+            "Sprint context",
+            "",
+            "<!-- validity: 3d -->",
+            "Architecture context",
+        ].join("\n");
+        const sections = parseValiditySections(content);
+        const report = buildValidityReport(sections);
+        assert.equal(report.entries[0].ttlLabel, "6h");
+        assert.equal(report.entries[1].ttlLabel, "1d");
+        assert.equal(report.entries[2].ttlLabel, "3d");
+    });
+    it("truncates long section previews to 80 chars", () => {
+        const longLine = "A".repeat(100);
+        const content = `<!-- validity: 6h -->\n${longLine}`;
+        const sections = parseValiditySections(content);
+        const report = buildValidityReport(sections);
+        assert.ok(report.entries[0].preview.length <= 80);
+    });
+});
+// --- DEFAULT_TTL_TIERS ---
+describe("DEFAULT_TTL_TIERS", () => {
+    it("has expected values", () => {
+        assert.equal(DEFAULT_TTL_TIERS.task, 6 * 60 * 60 * 1000);
+        assert.equal(DEFAULT_TTL_TIERS.sprint, 24 * 60 * 60 * 1000);
+        assert.equal(DEFAULT_TTL_TIERS.architecture, 72 * 60 * 60 * 1000);
+    });
+});

package/dist/watch.js

@@ -7,8 +7,10 @@ import { readFile } from "node:fs/promises";
 import { join, basename } from "node:path";
 import { deserializeSignedMessage, verifyMessage, wrapExternalMessage } from "./crypto.js";
 import { syncAll } from "./sync.js";
+import { ContextStore } from "./store.js";
 export function watchInbox(storeRoot, callback) {
     const inboxDir = join(storeRoot, "inbox");
+    const store = new ContextStore(storeRoot);
     const handleFile = async (filePath) => {
         if (!filePath.endsWith(".json") && !filePath.endsWith(".md"))
             return;
@@ -16,15 +18,29 @@ export function watchInbox(storeRoot, callback) {
             const raw = await readFile(filePath, "utf-8");
             const signed = deserializeSignedMessage(raw);
             if (signed) {
-                const verified = verifyMessage(signed);
+                const sigValid = verifyMessage(signed);
+                // Check keyring for trust — not just signature math. Without this,
+                // any random keypair shows as [VERIFIED] in watch mode output.
+                let verified = false;
+                if (sigValid) {
+                    try {
+                        const config = await store.readConfig();
+                        const trusted = config.autoTrust
+                            ? config.keyring.some((k) => k.signingKey.trim() === signed.publicKey.trim())
+                            : config.keyring.some((k) => k.trusted && k.signingKey.trim() === signed.publicKey.trim());
+                        verified = trusted;
+                    }
+                    catch { }
+                }
                 callback(signed.from, wrapExternalMessage(signed, verified), filePath, verified);
                 return;
             }
-            // Unsigned fallback
+            // Unsigned fallback — escape XML attributes to prevent injection
             const filename = basename(filePath).replace(/\.(md|json)$/, "");
             const parts = filename.split("_");
             const from = parts.slice(1).join("_");
-            const wrapped = `<external_message from="${from}" verified="false" status="UNVERIFIED">\n${raw}\n</external_message>`;
+            const esc = (s) => s.replace(/&/g, "&amp;").replace(/"/g, "&quot;").replace(/</g, "&lt;").replace(/>/g, "&gt;");
+            const wrapped = `<external_message from="${esc(from)}" verified="false" status="UNVERIFIED">\n${esc(raw)}\n</external_message>`;
             callback(from, wrapped, filePath, false);
         }
         catch { }

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "openfused",
-  "version": "0.3.12",
+  "version": "0.3.14",
   "description": "The file protocol for AI agent context. Encrypted, signed, peer-to-peer.",
   "license": "MIT",
   "type": "module",
@@ -40,9 +40,9 @@
   },
   "repository": {
     "type": "git",
-    "url": "git+https://github.com/wearethecompute/openfused.git"
+    "url": "git+https://github.com/openfused/openfused.git"
   },
-  "homepage": "https://github.com/wearethecompute/openfused",
+  "homepage": "https://github.com/openfused/openfused",
   "keywords": [
     "ai",
     "agent",