openfused 0.3.21 → 0.3.22

package/README.md

@@ -40,12 +40,13 @@ openfuse init --name "project-alpha" --workspace
 CONTEXT.md     — working memory (what's happening now)
 PROFILE.md     — public address card (name, endpoint, keys)
 inbox/         — messages from other agents (encrypted)
-outbox/        — sent message copies (moved to .sent/ after delivery)
-shared/        — files shared with the mesh (plaintext)
+outbox/        — per-recipient subdirs (outbox/{name}-{fingerprint}/)
+outbox/…/.sent/ — delivered messages (archived after delivery)
+shared/        — files shared with peers (plaintext)
 knowledge/     — persistent knowledge base
 history/       — archived [DONE] context (via openfuse compact)
 .keys/         — ed25519 signing + age encryption keypairs
-.mesh.json     — mesh config, peers, keyring
+.mesh.json     — config, peers, keyring
 .peers/        — synced peer context (auto-populated)
 ```
 
@@ -76,7 +77,7 @@ openfuse compact
 openfuse validate                    # scan for stale entries
 openfuse compact --prune-stale       # archive expired validity windows
 
-# Send a message (auto-encrypted if peer's age key is on file)
+# Send a message (requires recipient in keyring — auto-encrypts if age key on file)
 openfuse inbox send agent-bob "Check out shared/findings.md"
 
 # Read inbox (decrypts, shows verified/unverified status)
@@ -85,7 +86,7 @@ openfuse inbox list
 # Watch for incoming messages in real-time
 openfuse watch
 
-# Share a file with the mesh
+# Share a file with peers
 openfuse share ./report.pdf
 
 # Sync with all peers (pull context, push outbox)
@@ -142,7 +143,8 @@ wisp  wisp.openfused.net  [TRUSTED]
 
 Inbox messages are **encrypted with age** (X25519 + ChaCha20-Poly1305) and **signed with Ed25519**. Encrypt-then-sign: the ciphertext is encrypted for the recipient, then signed by the sender.
 
-- If you have a peer's age key → messages are encrypted automatically
+- Recipient must be in your keyring before sending (`openfuse key import` or auto-imported via `openfuse send`)
+- If you have their age key → messages are encrypted automatically
 - If you don't → messages are signed but sent in plaintext
 - `shared/` and `knowledge/` directories stay plaintext (they're public)
 - `PROFILE.md` is your public address card — served to peers and synced
@@ -151,22 +153,26 @@ The `age` format is interoperable — Rust CLI and TypeScript SDK use the same k
 
 ## Registry — DNS for Agents
 
-Public registry at `registry.openfused.dev`. Any agent can register, discover others, and send messages.
+Public registry at `registry.openfused.dev`. Works as a keyserver — endpoint is optional.
 
 ```bash
-# Register (auto-names as yourname.openfused.net)
+# Register keys only (no endpoint needed — keyserver mode)
+openfuse register
+
+# Register with an endpoint (enables direct delivery)
 openfuse register --endpoint https://your-server.com:2053
 
-# Or register with a custom domain
+# Register with a custom domain
 openfuse register --name yourname.company.com --endpoint https://yourname.company.com:2053
 
-# Discover an agent
+# Discover an agent (returns keys + endpoint if registered)
 openfuse discover wisp
 
 # Send a message (resolves via registry, auto-imports key)
 openfuse send wisp "hello"
 ```
 
+- **Keyserver** — register your public keys without an endpoint, others can discover and trust you
 - **Signed manifests** — prove you own the name (Ed25519 signature)
 - **Anti-squatting** — name updates require the original key
 - **Key revocation** — `openfuse revoke` permanently invalidates a leaked key
@@ -197,22 +203,25 @@ openfuse watch --tunnel your-server
 
 Sync does three things:
 1. **Pulls** peer's CONTEXT.md, PROFILE.md, shared/, knowledge/ into `.peers/<name>/`
-2. **Pulls** peer's outbox for messages addressed to you (`*_to-{your-name}.json`)
-3. **Pushes** your outbox to peer's inbox, archives delivered messages to `outbox/.sent/`
+2. **Pulls** peer's outbox for messages addressed to you (from `outbox/{your-name}-{fp}/`)
+3. **Pushes** your outbox to peer's inbox, archives delivered messages to `outbox/{name}-{fp}/.sent/`
 
-### Message envelope format
+### Outbox layout
 
-Filenames encode routing metadata so agents know what's for them:
+Outbox uses per-recipient subdirectories named `{name}-{fingerprint}` to prevent name-squatting. The 8-char fingerprint prefix binds each directory to a specific cryptographic identity:
 
 ```
-{timestamp}_from-{sender}_to-{recipient}.json
+outbox/
+├── wisp-2CC78684/
+│   ├── 2026-03-21T07-59-44Z_from-myagent.json
+│   └── .sent/    ← delivered messages archived here
+├── bob-A1B2C3D4/
+│   └── ...
 ```
 
-Examples:
-- `2026-03-21T07-59-44Z_from-claude-code_to-wisp.json` — DM, encrypted for wisp
-- `2026-03-21T08-00-00Z_from-wisp_to-all.json` — broadcast, signed but not encrypted
+Sending requires the recipient to be in your keyring. The `openfuse send` command auto-imports keys from the registry, but `openfuse inbox send` requires a prior `openfuse key import`.
 
-Agents only process files matching `_to-{their-name}` or `_to-all`.
+The daemon's `GET /outbox/{name}` endpoint verifies the requester's public key fingerprint matches the subdirectory — a name squatter can't pull messages intended for the real agent.
 
 SSH transport uses hostnames from `~/.ssh/config` — not raw IPs.
 
@@ -261,7 +270,8 @@ Public mode endpoints:
 | `/profile` | GET | Your PROFILE.md (public address card) |
 | `/config` | GET | Your public keys (JSON) |
 | `/inbox` | POST | Accept signed messages (rejects invalid signatures) |
-| `/outbox/{name}` | GET | Pickup replies addressed to `{name}` (encrypted) |
+| `/outbox/{name}` | GET | Pickup replies addressed to `{name}` (fingerprint-verified) |
+| `/outbox/{name}/{path}` | DELETE | ACK a received message (moves to .sent/) |
 
 ## File Watching
 
@@ -309,7 +319,9 @@ Hey, the research is done. Check shared/findings.md
 - Daemon body size limit (1MB)
 - PROFILE.md is public; private config stays in your agent runtime (CLAUDE.md, etc.)
 - Registry rate-limited on all mutation endpoints
+- Outbox per-recipient subdirs with fingerprint binding (anti name-squatting)
 - Outbox messages archived after delivery (no duplicate sends)
+- Sending requires recipient in keyring (no blind sends to unknown agents)
 - SSH URLs validated (no argument injection)
 - XML values escaped in message wrapping (no prompt injection via attributes)
 

package/dist/cli.js

@@ -1,7 +1,7 @@
 #!/usr/bin/env node
 import { Command } from "commander";
 import { nanoid } from "nanoid";
-import { ContextStore, validateName } from "./store.js";
+import { ContextStore, validateName, resolveKeyring } from "./store.js";
 import { watchInbox, watchContext, watchSync } from "./watch.js";
 import { syncAll, syncOne, deliverOne } from "./sync.js";
 import * as registry from "./registry.js";
@@ -459,10 +459,19 @@ key
         console.log("Keyring is empty. Import keys with: openfuse key import <name> <keyfile>");
         return;
     }
+    // Detect name collisions for display
+    const nameCounts = new Map();
+    for (const e of config.keyring)
+        nameCounts.set(e.name, (nameCounts.get(e.name) || 0) + 1);
     for (const e of config.keyring) {
         const trust = e.trusted ? "[TRUSTED]" : "[untrusted]";
         const addr = e.address || "(no address)";
-        console.log(`${e.name}  ${addr}  ${trust}`);
+        const shortFp = e.fingerprint.replace(/:/g, "").slice(0, 8);
+        // Show fingerprint suffix when names collide so user knows how to disambiguate
+        const displayName = (nameCounts.get(e.name) || 0) > 1
+            ? `${e.name}:${shortFp}`
+            : e.name;
+        console.log(`${displayName}  ${addr}  ${trust}`);
         console.log(`  signing:    ${e.signingKey}`);
         console.log(`  encryption: ${e.encryptionKey ?? "(no age key)"}`);
         console.log(`  fingerprint: ${e.fingerprint}\n`);
@@ -504,33 +513,25 @@ key
     }
 });
 key
-    .command("trust <name>")
-    .description("Trust a key in the keyring")
+    .command("trust <query>")
+    .description("Trust a key in the keyring (name, name:fingerprint, or fingerprint)")
     .option("-d, --dir <path>", "Context store directory", ".")
-    .action(async (name, opts) => {
+    .action(async (query, opts) => {
     const store = new ContextStore(resolve(opts.dir));
     const config = await store.readConfig();
-    const entry = config.keyring.find((e) => e.name === name || e.fingerprint === name);
-    if (!entry) {
-        console.error(`Key not found: ${name}`);
-        process.exit(1);
-    }
+    const entry = resolveKeyring(config.keyring, query);
     entry.trusted = true;
     await store.writeConfig(config);
     console.log(`Trusted: ${entry.name} (${entry.fingerprint})`);
 });
 key
-    .command("untrust <name>")
-    .description("Revoke trust for a key")
+    .command("untrust <query>")
+    .description("Revoke trust for a key (name, name:fingerprint, or fingerprint)")
     .option("-d, --dir <path>", "Context store directory", ".")
-    .action(async (name, opts) => {
+    .action(async (query, opts) => {
     const store = new ContextStore(resolve(opts.dir));
     const config = await store.readConfig();
-    const entry = config.keyring.find((e) => e.name === name || e.fingerprint === name);
-    if (!entry) {
-        console.error(`Key not found: ${name}`);
-        process.exit(1);
-    }
+    const entry = resolveKeyring(config.keyring, query);
     entry.trusted = false;
     await store.writeConfig(config);
     console.log(`Revoked trust: ${entry.name} (${entry.fingerprint})`);
@@ -581,16 +582,19 @@ program
     .description("Register this agent in the public registry")
     .option("-d, --dir <path>", "Context store directory", ".")
     .option("-n, --name <name>", "Full agent name (defaults to {storename}.openfused.net, or set your own domain)")
-    .requiredOption("-e, --endpoint <url>", "Endpoint URL where peers can reach you")
+    .option("-e, --endpoint <url>", "Endpoint URL where peers can reach you (optional — keys-only registration without endpoint)")
     .option("-r, --registry <url>", "Registry URL")
     .action(async (opts) => {
     const store = new ContextStore(resolve(opts.dir));
     const reg = registry.resolveRegistry(opts.registry);
     const config = await store.readConfig();
     const agentName = opts.name || `${config.name}.openfused.net`;
-    const manifest = await registry.register(store, opts.endpoint, reg, agentName);
+    const manifest = await registry.register(store, opts.endpoint || "", reg, agentName);
     console.log(`Registered: ${manifest.name} [SIGNED]`);
-    console.log(`  Endpoint:    ${manifest.endpoint}`);
+    if (manifest.endpoint)
+        console.log(`  Endpoint:    ${manifest.endpoint}`);
+    else
+        console.log(`  Endpoint:    (none — keys-only registration)`);
     console.log(`  Fingerprint: ${manifest.fingerprint}`);
     console.log(`  DNS:         _openfuse.${manifest.name}`);
     console.log(`  Registry:    ${reg}`);
@@ -673,11 +677,14 @@ program
                     body,
                 });
                 if (r.ok) {
-                    // Archive to .sent/
+                    // Archive to .sent/ within the recipient subdir
                     const { mkdir, rename } = await import("node:fs/promises");
-                    const sentDir = join(store.root, "outbox", ".sent");
+                    const filePath = join(store.root, "outbox", filename);
+                    const dir = join(filePath, "..");
+                    const sentDir = join(dir, ".sent");
+                    const baseName = filename.includes("/") ? filename.split("/").pop() : filename;
                     await mkdir(sentDir, { recursive: true });
-                    await rename(join(store.root, "outbox", filename), join(sentDir, filename));
+                    await rename(filePath, join(sentDir, baseName));
                     console.log(`Delivered to ${name}.`);
                 }
                 else {
@@ -688,9 +695,12 @@ program
                 console.log(`Queued for ${name}. Will deliver on next sync.`);
             }
         }
-        else {
+        else if (manifest.endpoint) {
             console.log(`Queued for ${name}. Run \`openfuse sync\` to deliver.`);
         }
+        else {
+            console.log(`Queued for ${name}. Key imported but ${name} has no endpoint — they'll need to pull from your outbox, or add a peer URL with \`openfuse peer add\`.`);
+        }
     }
     catch {
         // Not in registry — send as a peer message

package/dist/crypto.d.ts

@@ -4,6 +4,7 @@ export interface SignedMessage {
     message: string;
     signature: string;
     publicKey: string;
+    encryptionKey?: string;
     encrypted?: boolean;
 }
 export interface KeyringEntry {

package/dist/crypto.js

@@ -77,7 +77,13 @@ export async function signMessage(storeRoot, from, message) {
     const timestamp = new Date().toISOString();
     const payload = Buffer.from(`${from}\n${timestamp}\n${message}`);
     const signature = sign(null, payload, privateKey).toString("base64");
-    return { from, timestamp, message, signature, publicKey, encrypted: false };
+    // Include our age public key so recipients can encrypt replies without DNS lookup
+    let encryptionKey;
+    try {
+        encryptionKey = await loadAgeRecipient(storeRoot);
+    }
+    catch { }
+    return { from, timestamp, message, signature, publicKey, encryptionKey, encrypted: false };
 }
 // --- Encrypt-then-sign ---
 // Encrypt first, then sign the ciphertext. This order matters:
@@ -93,7 +99,12 @@ export async function signAndEncrypt(storeRoot, from, plaintext, recipientAgeKey
     const timestamp = new Date().toISOString();
     const payload = Buffer.from(`${from}\n${timestamp}\n${encoded}`);
     const signature = sign(null, payload, privateKey).toString("base64");
-    return { from, timestamp, message: encoded, signature, publicKey, encrypted: true };
+    let encryptionKey;
+    try {
+        encryptionKey = await loadAgeRecipient(storeRoot);
+    }
+    catch { }
+    return { from, timestamp, message: encoded, signature, publicKey, encryptionKey, encrypted: true };
 }
 export function verifyMessage(signed) {
     try {

package/dist/registry.js

@@ -86,11 +86,11 @@ async function discoverViaDns(dnsName, agentName) {
             if (k && v)
                 fields[k] = v;
         }
-        if (!fields.e || !fields.pk)
+        if (!fields.pk)
             return null;
         return {
             name: agentName,
-            endpoint: fields.e,
+            endpoint: fields.e || "",
             publicKey: fields.pk,
             encryptionKey: fields.ek || undefined,
             fingerprint: fields.fp || "",

package/dist/store.d.ts

@@ -20,6 +20,9 @@ export interface PeerConfig {
 /** Validate agent/peer names: alphanumeric + hyphens + underscores + dots, 1-64 chars.
  *  Rejects path traversal (../, /, \) and rsync glob chars (*, ?, [). */
 export declare function validateName(name: string, label?: string): string;
+/** Resolve a keyring entry by name, name:fingerprint, or bare fingerprint prefix.
+ *  Throws if ambiguous (multiple matches) or not found. */
+export declare function resolveKeyring(keyring: KeyringEntry[], query: string): KeyringEntry;
 export declare class ContextStore {
     readonly root: string;
     constructor(root: string);

package/dist/store.js

@@ -30,6 +30,46 @@ export function validateName(name, label = "Name") {
     }
     return name;
 }
+/** Resolve a keyring entry by name, name:fingerprint, or bare fingerprint prefix.
+ *  Throws if ambiguous (multiple matches) or not found. */
+export function resolveKeyring(keyring, query) {
+    let name;
+    let fpPrefix;
+    if (query.includes(":")) {
+        // name:FINGERPRINT format — split on LAST colon group that looks like hex
+        const colonIdx = query.lastIndexOf(":");
+        const maybeFp = query.slice(colonIdx + 1);
+        if (/^[0-9a-fA-F]{4,16}$/.test(maybeFp)) {
+            name = query.slice(0, colonIdx);
+            fpPrefix = maybeFp.toUpperCase();
+        }
+        else {
+            name = query;
+        }
+    }
+    else {
+        name = query;
+    }
+    // Match by name (or address prefix)
+    let matches = keyring.filter((k) => k.name === name || k.address.startsWith(`${name}@`));
+    // If no name match, try bare fingerprint prefix
+    if (matches.length === 0 && /^[0-9a-fA-F]{4,16}$/.test(query)) {
+        const upper = query.toUpperCase();
+        matches = keyring.filter((k) => k.fingerprint.replace(/:/g, "").startsWith(upper));
+    }
+    // Filter by fingerprint prefix if provided
+    if (fpPrefix && matches.length > 1) {
+        matches = matches.filter((k) => k.fingerprint.replace(/:/g, "").startsWith(fpPrefix));
+    }
+    if (matches.length === 0) {
+        throw new Error(`Key not found: "${query}". Run: openfuse key list`);
+    }
+    if (matches.length > 1) {
+        const options = matches.map((k) => `  ${k.name}:${k.fingerprint.replace(/:/g, "").slice(0, 8)}  ${k.address}`).join("\n");
+        throw new Error(`Multiple keys match "${query}". Disambiguate with fingerprint:\n${options}`);
+    }
+    return matches[0];
+}
 export class ContextStore {
     root;
     constructor(root) {
@@ -181,24 +221,25 @@ export class ContextStore {
     }
     // --- Inbox ---
     async sendInbox(peerId, message) {
-        validateName(peerId, "Recipient name");
         const config = await this.readConfig();
-        // Look up peer's encryption key in keyring
-        const entry = config.keyring.find((e) => e.name === peerId || e.address.startsWith(`${peerId}@`));
+        // Resolve recipient from keyring — supports name, name:fingerprint, or bare fingerprint.
+        // Throws if ambiguous or not found.
+        const entry = resolveKeyring(config.keyring, peerId);
         let signed;
-        if (entry?.encryptionKey) {
+        if (entry.encryptionKey) {
             signed = await signAndEncrypt(this.root, config.name, message, entry.encryptionKey);
         }
         else {
             signed = await signMessage(this.root, config.name, message);
         }
-        // Envelope filename includes short fingerprint to disambiguate name collisions.
-        // If recipient isn't in keyring, omit fingerprint — keeps filenames matchable.
-        const shortFp = entry ? `-${entry.fingerprint.replace(/:/g, "").slice(0, 8)}` : "";
+        const shortFp = entry.fingerprint.replace(/:/g, "").slice(0, 8);
+        const recipientDir = `${peerId}-${shortFp}`;
+        const outboxDir = join(this.root, "outbox", recipientDir);
+        await mkdir(outboxDir, { recursive: true });
         const timestamp = new Date().toISOString().replace(/[:.]/g, "-");
-        const filename = `${timestamp}_from-${config.name}_to-${peerId}${shortFp}.json`;
-        await writeFile(join(this.root, "outbox", filename), serializeSignedMessage(signed));
-        return filename;
+        const filename = `${timestamp}_from-${config.name}.json`;
+        await writeFile(join(outboxDir, filename), serializeSignedMessage(signed));
+        return `${recipientDir}/${filename}`;
     }
     async readInbox() {
         const inboxDir = join(this.root, "inbox");
@@ -212,13 +253,15 @@ export class ContextStore {
             const signed = deserializeSignedMessage(raw);
             if (signed) {
                 const sigValid = verifyMessage(signed);
-                // autoTrust (workspace mode): any key in keyring is trusted, but key must still
-                // be present — prevents random internet keys from appearing verified in a workspace
-                // that's accidentally exposed to the network.
-                const inKeyring = config.keyring.some((k) => k.signingKey.trim() === signed.publicKey.trim());
+                // Identity binding: verify BOTH that the key is trusted AND that the claimed
+                // sender name matches the name we associated with that key in our keyring.
+                // Without this, a trusted agent could forge the "from" field and impersonate
+                // someone else while still showing [VERIFIED].
+                const keyMatchesName = (k) => k.signingKey.trim() === signed.publicKey.trim() &&
+                    (k.name === signed.from || k.address.startsWith(`${signed.from}@`));
                 const trusted = config.autoTrust
-                    ? inKeyring
-                    : config.keyring.some((k) => k.trusted && k.signingKey.trim() === signed.publicKey.trim());
+                    ? config.keyring.some(keyMatchesName)
+                    : config.keyring.some((k) => k.trusted && keyMatchesName(k));
                 const verified = sigValid && trusted;
                 let content;
                 if (signed.encrypted) {

package/dist/sync.d.ts

@@ -7,7 +7,8 @@ export interface SyncResult {
     pushed: string[];
     errors: string[];
 }
-/** Try to deliver a single outbox message immediately. Returns true if delivered. */
+/** Try to deliver a single outbox message immediately. Returns true if delivered.
+ *  filename can be "recipientDir/msg.json" (new) or "flat.json" (legacy). */
 export declare function deliverOne(store: ContextStore, peerName: string, filename: string): Promise<boolean>;
 export declare function syncAll(store: ContextStore): Promise<SyncResult[]>;
 export declare function syncOne(store: ContextStore, peerName: string): Promise<SyncResult>;

package/dist/sync.js

@@ -4,7 +4,7 @@
 // so agents reference hostnames, never raw IPs that change). Both transports do the same
 // thing: pull CONTEXT.md + PROFILE.md + shared/ + knowledge/, push outbox → peer inbox.
 import { readFile, writeFile, mkdir, readdir, rename } from "node:fs/promises";
-import { join } from "node:path";
+import { join, resolve } from "node:path";
 import { existsSync } from "node:fs";
 import { execFile as execFileCb } from "node:child_process";
 import { promisify } from "node:util";
@@ -47,10 +47,18 @@ function sanitizePeerContent(raw) {
 }
 // Archive instead of delete: preserves audit trail and lets agents review what was sent.
 // Without this, sync would re-deliver the same message every cycle.
-async function archiveSent(outboxDir, fname) {
-    const sentDir = join(outboxDir, ".sent");
+// relPath can be "file.json" (flat, legacy) or "recipientDir/file.json" (new subdir layout).
+async function archiveSent(outboxRoot, relPath) {
+    // Path traversal defense: resolve and verify we stay under outboxRoot
+    const fullPath = resolve(outboxRoot, relPath);
+    if (!fullPath.startsWith(resolve(outboxRoot) + "/")) {
+        throw new Error(`Path traversal blocked: ${relPath}`);
+    }
+    const dir = join(fullPath, "..");
+    const fname = relPath.includes("/") ? relPath.split("/").pop() : relPath;
+    const sentDir = join(dir, ".sent");
     await mkdir(sentDir, { recursive: true });
-    await rename(join(outboxDir, fname), join(sentDir, fname));
+    await rename(fullPath, join(sentDir, fname));
 }
 function parseUrl(url) {
     if (url.startsWith("http://") || url.startsWith("https://")) {
@@ -78,16 +86,18 @@ function parseUrl(url) {
     }
     throw new Error(`Unknown URL scheme: ${url}. Use http:// or ssh://`);
 }
-/** Try to deliver a single outbox message immediately. Returns true if delivered. */
+/** Try to deliver a single outbox message immediately. Returns true if delivered.
+ *  filename can be "recipientDir/msg.json" (new) or "flat.json" (legacy). */
 export async function deliverOne(store, peerName, filename) {
     const config = await store.readConfig();
     const peer = config.peers.find((p) => p.name === peerName || p.id === peerName);
     if (!peer)
         return false;
-    const outboxDir = join(store.root, "outbox");
-    const filePath = join(outboxDir, filename);
+    const outboxRoot = join(store.root, "outbox");
+    const filePath = join(outboxRoot, filename);
     if (!existsSync(filePath))
         return false;
+    const baseName = filename.includes("/") ? filename.split("/").pop() : filename;
     try {
         const transport = parseUrl(peer.url);
         if (transport.type === "http") {
@@ -104,11 +114,11 @@ export async function deliverOne(store, peerName, filename) {
         else {
             await execFile("rsync", [
                 "-az", filePath,
-                `${transport.host}:${transport.path}/inbox/${filename}`,
+                `${transport.host}:${transport.path}/inbox/${baseName}`,
             ]);
         }
         // Delivered — archive to .sent/
-        await archiveSent(outboxDir, filename);
+        await archiveSent(outboxRoot, filename);
         return true;
     }
     catch {
@@ -262,30 +272,57 @@ async function syncHttp(store, peer, baseUrl, peerDir) {
         }
     }
     catch { }
-    // Push outbox → peer inbox
+    // Push outbox → peer inbox (scan subdirs named {peer}-{fp}/)
     const outboxDir = join(store.root, "outbox");
     if (existsSync(outboxDir)) {
-        for (const fname of await readdir(outboxDir)) {
-            if (!fname.endsWith(".json"))
-                continue;
-            if (!fname.includes(`_to-${peer.name}-`) && !fname.includes(`_to-${peer.name}.json`) && !fname.includes(peer.id))
-                continue;
-            try {
-                const body = await readFile(join(outboxDir, fname), "utf-8");
-                const r = await fetch(`${baseUrl}/inbox`, {
-                    method: "POST",
-                    headers: { "Content-Type": "application/json" },
-                    body,
-                });
-                if (r.ok) {
-                    await archiveSent(outboxDir, fname);
-                    pushed.push(fname);
+        for (const entry of await readdir(outboxDir, { withFileTypes: true })) {
+            // Match subdirs starting with peer name (new format: name-FINGERPRINT/)
+            if (entry.isDirectory() && entry.name.startsWith(`${peer.name}-`)) {
+                const subDir = join(outboxDir, entry.name);
+                for (const fname of await readdir(subDir)) {
+                    if (!fname.endsWith(".json"))
+                        continue;
+                    const relPath = `${entry.name}/${fname}`;
+                    try {
+                        const body = await readFile(join(subDir, fname), "utf-8");
+                        const r = await fetch(`${baseUrl}/inbox`, {
+                            method: "POST",
+                            headers: { "Content-Type": "application/json" },
+                            body,
+                        });
+                        if (r.ok) {
+                            await archiveSent(outboxDir, relPath);
+                            pushed.push(relPath);
+                        }
+                        else
+                            errors.push(`push ${relPath}: HTTP ${r.status}`);
+                    }
+                    catch (e) {
+                        errors.push(`push ${relPath}: ${e.message}`);
+                    }
                 }
-                else
-                    errors.push(`push ${fname}: HTTP ${r.status}`);
             }
-            catch (e) {
-                errors.push(`push ${fname}: ${e.message}`);
+            // Legacy flat files (pre-subdir format)
+            if (entry.isFile() && entry.name.endsWith(".json")) {
+                if (!entry.name.includes(`_to-${peer.name}-`) && !entry.name.includes(`_to-${peer.name}.json`))
+                    continue;
+                try {
+                    const body = await readFile(join(outboxDir, entry.name), "utf-8");
+                    const r = await fetch(`${baseUrl}/inbox`, {
+                        method: "POST",
+                        headers: { "Content-Type": "application/json" },
+                        body,
+                    });
+                    if (r.ok) {
+                        await archiveSent(outboxDir, entry.name);
+                        pushed.push(entry.name);
+                    }
+                    else
+                        errors.push(`push ${entry.name}: HTTP ${r.status}`);
+                }
+                catch (e) {
+                    errors.push(`push ${entry.name}: ${e.message}`);
+                }
             }
         }
     }
@@ -319,43 +356,104 @@ async function syncSsh(store, peer, host, remotePath, peerDir) {
     }
     // Pull peer's outbox for messages addressed to us — peer may be behind NAT
     // and can't push to us, so we grab messages they left in their outbox for us.
+    // New layout: outbox/{name}-{fp}/*.json — pull from all dirs starting with our name.
     const config = await store.readConfig();
     const myName = config.name;
     const inboxDir = join(store.root, "inbox");
     await mkdir(inboxDir, { recursive: true });
+    // New subdir format: pull outbox/{myName}-*/*.json into a temp dir (preserves structure),
+    // then move the .json files into inbox/ (flattened). rsync --include handles the filtering;
+    // we avoid ssh commands to prevent shell injection via host/path values.
+    const tmpPull = join(store.root, ".tmp-outbox-pull");
+    try {
+        await mkdir(tmpPull, { recursive: true });
+        await execFile("rsync", [
+            "-az", "--ignore-existing",
+            "--include", `${myName}-*/`,
+            "--include", `${myName}-*/*.json`,
+            "--exclude", "*",
+            `${host}:${remotePath}/outbox/`,
+            `${tmpPull}/`,
+        ]);
+        // Flatten: move .json files from subdirs into inbox/
+        if (existsSync(tmpPull)) {
+            for (const subEntry of await readdir(tmpPull, { withFileTypes: true })) {
+                if (!subEntry.isDirectory() || !subEntry.name.startsWith(`${myName}-`))
+                    continue;
+                const subPath = join(tmpPull, subEntry.name);
+                for (const fname of await readdir(subPath)) {
+                    if (!fname.endsWith(".json"))
+                        continue;
+                    const dest = join(inboxDir, fname);
+                    if (!existsSync(dest)) {
+                        await rename(join(subPath, fname), dest);
+                    }
+                }
+            }
+        }
+        pulled.push("outbox→inbox");
+    }
+    catch (e) {
+        if (!String(e.stderr || e.message).includes("No such file")) {
+            errors.push(`pull outbox (subdir): ${e.stderr || e.message}`);
+        }
+    }
+    finally {
+        // Clean up temp dir
+        try {
+            await (await import("node:fs/promises")).rm(tmpPull, { recursive: true, force: true });
+        }
+        catch { }
+    }
+    // Legacy flat format: outbox/*_to-{name}*.json
     try {
         await execFile("rsync", [
             "-az", "--ignore-existing",
-            "--include", `*_to-${myName}-*.json`, // new format with fingerprint
-            "--include", `*_to-${myName}.json`, // legacy format without fingerprint
+            "--include", `*_to-${myName}-*.json`,
+            "--include", `*_to-${myName}.json`,
             "--include", `*_to-all.json`,
-            "--include", `*_${myName}.json`, // pre-envelope legacy
             "--exclude", "*",
             `${host}:${remotePath}/outbox/`,
             `${inboxDir}/`,
         ]);
-        pulled.push("outbox→inbox");
     }
     catch (e) {
         if (!String(e.stderr || e.message).includes("No such file")) {
-            errors.push(`pull outbox: ${e.stderr || e.message}`);
+            errors.push(`pull outbox (legacy): ${e.stderr || e.message}`);
         }
     }
-    // Push our outbox → peer inbox
+    // Push our outbox → peer inbox (scan subdirs named {peer}-{fp}/)
     const outboxDir = join(store.root, "outbox");
     if (existsSync(outboxDir)) {
-        for (const fname of await readdir(outboxDir)) {
-            if (!fname.endsWith(".json"))
-                continue;
-            if (!fname.includes(`_to-${peer.name}-`) && !fname.includes(`_to-${peer.name}.json`) && !fname.includes(peer.id))
-                continue;
-            try {
-                await execFile("rsync", ["-az", join(outboxDir, fname), `${host}:${remotePath}/inbox/${fname}`]);
-                await archiveSent(outboxDir, fname);
-                pushed.push(fname);
+        for (const entry of await readdir(outboxDir, { withFileTypes: true })) {
+            if (entry.isDirectory() && entry.name.startsWith(`${peer.name}-`)) {
+                const subDir = join(outboxDir, entry.name);
+                for (const fname of await readdir(subDir)) {
+                    if (!fname.endsWith(".json"))
+                        continue;
+                    const relPath = `${entry.name}/${fname}`;
+                    try {
+                        await execFile("rsync", ["-az", join(subDir, fname), `${host}:${remotePath}/inbox/${fname}`]);
+                        await archiveSent(outboxDir, relPath);
+                        pushed.push(relPath);
+                    }
+                    catch (e) {
+                        errors.push(`push ${relPath}: ${e.stderr || e.message}`);
+                    }
+                }
             }
-            catch (e) {
-                errors.push(`push ${fname}: ${e.stderr || e.message}`);
+            // Legacy flat files
+            if (entry.isFile() && entry.name.endsWith(".json")) {
+                if (!entry.name.includes(`_to-${peer.name}-`) && !entry.name.includes(`_to-${peer.name}.json`))
+                    continue;
+                try {
+                    await execFile("rsync", ["-az", join(outboxDir, entry.name), `${host}:${remotePath}/inbox/${entry.name}`]);
+                    await archiveSent(outboxDir, entry.name);
+                    pushed.push(entry.name);
+                }
+                catch (e) {
+                    errors.push(`push ${entry.name}: ${e.stderr || e.message}`);
+                }
             }
         }
     }

package/dist/watch.js

@@ -19,15 +19,17 @@ export function watchInbox(storeRoot, callback) {
             const signed = deserializeSignedMessage(raw);
             if (signed) {
                 const sigValid = verifyMessage(signed);
-                // Check keyring for trust — not just signature math. Without this,
-                // any random keypair shows as [VERIFIED] in watch mode output.
+                // Identity binding: key must be trusted AND name must match the keyring entry.
+                // Prevents a trusted agent from impersonating someone else via forged "from" field.
                 let verified = false;
                 if (sigValid) {
                     try {
                         const config = await store.readConfig();
+                        const keyMatchesName = (k) => k.signingKey.trim() === signed.publicKey.trim() &&
+                            (k.name === signed.from || k.address.startsWith(`${signed.from}@`));
                         const trusted = config.autoTrust
-                            ? config.keyring.some((k) => k.signingKey.trim() === signed.publicKey.trim())
-                            : config.keyring.some((k) => k.trusted && k.signingKey.trim() === signed.publicKey.trim());
+                            ? config.keyring.some(keyMatchesName)
+                            : config.keyring.some((k) => k.trusted && keyMatchesName(k));
                         verified = trusted;
                     }
                     catch { }

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "openfused",
-  "version": "0.3.21",
+  "version": "0.3.22",
   "description": "The file protocol for AI agent context. Encrypted, signed, peer-to-peer.",
   "license": "MIT",
   "type": "module",