openfused 0.3.19 → 0.3.20

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (2) hide show
  1. package/dist/cli.js +3 -5
  2. package/package.json +1 -1
package/dist/cli.js CHANGED
@@ -635,11 +635,9 @@ program
635
635
  const reg = registry.resolveRegistry(opts.registry);
636
636
  try {
637
637
  const manifest = await registry.discover(name, reg);
638
- // Auto-import key + add as peer. Keys discovered from openfused.net DNS
639
- // are auto-trusted: the registry verified the Ed25519 signature before
640
- // creating the TXT record, and DNSSEC is enabled on the zone. Keys from
641
- // self-hosted domains remain untrusted (user must verify out-of-band).
642
- const dnsDiscovered = !name.includes(".") || name.endsWith(".openfused.net");
638
+ // Auto-import key + add as peer. Keys are untrusted by default.
639
+ // Trust is a local decision use `openfuse key trust <name>` after verifying.
640
+ const dnsDiscovered = false; // never auto-trust user must explicitly trust
643
641
  let config = await store.readConfig();
644
642
  if (!config.keyring.some((e) => e.signingKey === manifest.publicKey)) {
645
643
  config.keyring.push({
package/package.json CHANGED
@@ -1,6 +1,6 @@
1
1
  {
2
2
  "name": "openfused",
3
- "version": "0.3.19",
3
+ "version": "0.3.20",
4
4
  "description": "The file protocol for AI agent context. Encrypted, signed, peer-to-peer.",
5
5
  "license": "MIT",
6
6
  "type": "module",