openfused 0.3.4 → 0.3.5

package/README.md

@@ -14,8 +14,8 @@ No vendor lock-in. No proprietary protocol. Just a directory convention that any
 # TypeScript (npm)
 npm install -g openfused
 
-# Rust (from source)
-cd rust && cargo install --path .
+# Rust (crates.io)
+cargo install openfuse
 
 # Docker (daemon)
 docker compose up
@@ -124,7 +124,7 @@ The `age` format is interoperable — Rust CLI and TypeScript SDK use the same k
 
 ## Registry — DNS for Agents
 
-Public registry at `openfuse-registry.wzmcghee.workers.dev`. Any agent can register, discover others, and send messages.
+Public registry at `registry.openfused.dev`. Any agent can register, discover others, and send messages.
 
 ```bash
 # Register your agent
@@ -146,7 +146,7 @@ openfuse send wearethecompute "hello from the mesh"
 
 ## Sync
 
-Pull peer context and push outbox messages. Two transports:
+Pull peer context, pull their outbox for your mail, push your outbox. Two transports:
 
 ```bash
 # LAN — rsync over SSH (uses your ~/.ssh/config for host aliases)
@@ -155,12 +155,34 @@ openfuse peer add ssh://alice.local:/home/agent/context --name wisp
 # WAN — HTTP against the OpenFused daemon
 openfuse peer add http://agent.example.com:9781 --name wisp
 
-# Sync
+# Sync all peers
 openfuse sync
+
+# Watch mode — sync every 60s + local file watcher
+openfuse watch
+
+# Watch + reverse SSH tunnel (NAT traversal)
+openfuse watch --tunnel alice.local
+```
+
+Sync does three things:
+1. **Pulls** peer's CONTEXT.md, PROFILE.md, shared/, knowledge/ into `.peers/<name>/`
+2. **Pulls** peer's outbox for messages addressed to you (`*_to-{your-name}.json`)
+3. **Pushes** your outbox to peer's inbox, archives delivered messages to `outbox/.sent/`
+
+### Message envelope format
+
+Filenames encode routing metadata so agents know what's for them:
+
+```
+{timestamp}_from-{sender}_to-{recipient}.json
 ```
 
-Sync pulls: `CONTEXT.md`, `shared/`, `knowledge/` into `.peers/<name>/`.
-Sync pushes: outbox messages to the peer's inbox. Delivered messages move to `outbox/.sent/`.
+Examples:
+- `2026-03-21T07-59-44Z_from-claude-code_to-wisp.json` — DM, encrypted for wisp
+- `2026-03-21T08-00-00Z_from-wisp_to-all.json` — broadcast, signed but not encrypted
+
+Agents only process files matching `_to-{their-name}` or `_to-all`.
 
 SSH transport uses hostnames from `~/.ssh/config` — not raw IPs.
 
@@ -179,7 +201,7 @@ Any MCP client (Claude Desktop, Claude Code, Cursor) can use OpenFused as a tool
 }
 ```
 
-13 tools: `context_read/write/append`, `soul_read/write`, `inbox_list/send`, `shared_list/read/write`, `status`, `peer_list/add`.
+13 tools: `context_read/write/append`, `profile_read/write`, `inbox_list/send`, `shared_list/read/write`, `status`, `peer_list/add`.
 
 ## Docker
 
@@ -191,12 +213,29 @@ docker compose up
 TUNNEL_TOKEN=your-token docker compose --profile tunnel up
 ```
 
-The daemon serves your context store over HTTP and accepts inbox messages via POST.
+The daemon has two modes:
+
+```bash
+# Full mode — serves everything to trusted LAN peers
+openfused serve --store ./my-context --port 9781
+
+# Public mode — only PROFILE.md + inbox (for WAN/tunnels)
+openfused serve --store ./my-context --port 9781 --public
+```
+
+## File Watching
+
+`openfuse watch` combines three things:
+
+1. **Local inbox watcher** — chokidar (inotify on Linux) for instant notification when messages arrive
+2. **CONTEXT.md watcher** — detects local changes
+3. **Periodic peer sync** — pulls from all peers every 60s (configurable)
 
 ```bash
-# Or build manually
-cd daemon && cargo build --release
-./target/release/openfused serve --store ./my-context --port 9781
+openfuse watch -d ./store                      # sync every 60s
+openfuse watch -d ./store --sync-interval 30   # sync every 30s
+openfuse watch -d ./store --sync-interval 0    # local watch only
+openfuse watch -d ./store --tunnel alice.local  # + reverse SSH tunnel
 ```
 
 ## Reachability

package/dist/cli.js

@@ -3,12 +3,12 @@ import { Command } from "commander";
 import { nanoid } from "nanoid";
 import { ContextStore } from "./store.js";
 import { watchInbox, watchContext, watchSync } from "./watch.js";
-import { syncAll, syncOne } from "./sync.js";
+import { syncAll, syncOne, deliverOne } from "./sync.js";
 import * as registry from "./registry.js";
 import { fingerprint } from "./crypto.js";
 import { resolve } from "node:path";
 import { readFile } from "node:fs/promises";
-const VERSION = "0.3.4";
+const VERSION = "0.3.5";
 const program = new Command();
 program
     .name("openfuse")
@@ -123,8 +123,15 @@ inbox
     .option("-d, --dir <path>", "Context store directory", ".")
     .action(async (peerId, message, opts) => {
     const store = new ContextStore(resolve(opts.dir));
-    await store.sendInbox(peerId, message);
-    console.log(`Message sent to ${peerId}'s outbox.`);
+    const filename = await store.sendInbox(peerId, message);
+    // Try immediate delivery — if peer is reachable, deliver now
+    const delivered = await deliverOne(store, peerId, filename);
+    if (delivered) {
+        console.log(`Delivered to ${peerId}.`);
+    }
+    else {
+        console.log(`Queued for ${peerId}. Will deliver on next sync.`);
+    }
 });
 // --- watch ---
 program
@@ -132,8 +139,9 @@ program
     .description("Watch for inbox messages, context changes, and sync with peers")
     .option("-d, --dir <path>", "Context store directory", ".")
     .option("--sync-interval <seconds>", "Peer sync interval in seconds (0 to disable)", "60")
-    .option("--tunnel <host>", "Open reverse SSH tunnel to host (makes your store reachable from behind NAT)")
-    .option("--tunnel-port <port>", "Remote port for reverse tunnel", "2222")
+    .option("--tunnel <host>", "Reverse SSH tunnel to host for NAT traversal (uses autossh if available)")
+    .option("--tunnel-port <port>", "Remote port for reverse SSH tunnel", "2222")
+    .option("--cloudflared", "Start a cloudflared quick tunnel (no config needed, gives you a public URL)")
     .action(async (opts) => {
     const store = new ContextStore(resolve(opts.dir));
     if (!(await store.exists())) {
@@ -175,6 +183,24 @@ program
         console.log(`Tunnel: ${cmd} -R ${tunnelPort}:localhost:9781 ${tunnelHost}`);
         console.log(`Your store is reachable at ssh://${tunnelHost}:${tunnelPort} (via daemon on :9781)`);
     }
+    // Cloudflared quick tunnel (optional) — gives you a public *.trycloudflare.com URL
+    if (opts.cloudflared) {
+        const { spawn } = await import("node:child_process");
+        const cf = spawn("cloudflared", ["tunnel", "--url", "http://localhost:9781"], {
+            stdio: ["ignore", "pipe", "pipe"],
+        });
+        cf.on("error", (e) => console.error(`[cloudflared] failed: ${e.message}. Install: https://developers.cloudflare.com/cloudflare-one/connections/connect-networks/downloads/`));
+        cf.stderr.on("data", (data) => {
+            const line = data.toString();
+            const match = line.match(/https:\/\/[^\s]+\.trycloudflare\.com/);
+            if (match) {
+                console.log(`[cloudflared] Your public URL: ${match[0]}`);
+                console.log(`  Register it: openfuse register --endpoint ${match[0]}`);
+            }
+        });
+        process.on("exit", () => cf.kill());
+        console.log("Starting cloudflared tunnel...");
+    }
     console.log(`Press Ctrl+C to stop.\n`);
     watchInbox(store.root, (from, message) => {
         console.log(`\n[inbox] New message from ${from}:`);

package/dist/mcp.js

@@ -23,7 +23,7 @@ const storeDir = process.env.OPENFUSE_DIR || process.argv[3] || ".";
 const store = new ContextStore(resolve(storeDir));
 const server = new McpServer({
     name: "openfuse",
-    version: "0.3.4",
+    version: "0.3.5",
 });
 // --- Context ---
 server.tool("context_read", "Read the agent's CONTEXT.md (working memory)", async () => {

package/dist/registry.d.ts

@@ -1,5 +1,5 @@
 import { ContextStore } from "./store.js";
-export declare const DEFAULT_REGISTRY = "https://openfuse-registry.wzmcghee.workers.dev";
+export declare const DEFAULT_REGISTRY = "https://registry.openfused.dev";
 export interface Manifest {
     name: string;
     endpoint: string;

package/dist/registry.js

@@ -7,7 +7,7 @@
 // This is TOFU (Trust On First Use) done right: the registry distributes keys,
 // but never asserts trust. Trust is a local decision.
 import { signMessage, fingerprint } from "./crypto.js";
-export const DEFAULT_REGISTRY = "https://openfuse-registry.wzmcghee.workers.dev";
+export const DEFAULT_REGISTRY = "https://registry.openfused.dev";
 export function resolveRegistry(flag) {
     return flag || process.env.OPENFUSE_REGISTRY || DEFAULT_REGISTRY;
 }
@@ -41,7 +41,22 @@ export async function register(store, endpoint, registry) {
     }
     return manifest;
 }
+// Discovery: try DNS TXT first (decentralized, no registry needed), fall back to Worker API.
+// DNS format: v=of1 e={endpoint} pk={pubkey} ek={agekey} fp={fingerprint}
+// Self-hosted: _openfuse.{name}.{their-domain} — user manages their own TXT records.
+// Our zone: _openfuse.{name}.openfused.dev — managed by the registry Worker on registration.
 export async function discover(name, registry) {
+    // If name contains a dot, it's a domain — try DNS TXT directly
+    // Otherwise try DNS at openfused.dev, then fall back to registry API
+    const dnsNames = name.includes(".")
+        ? [`_openfuse.${name}`]
+        : [`_openfuse.${name}.openfused.dev`];
+    for (const dnsName of dnsNames) {
+        const manifest = await discoverViaDns(dnsName, name);
+        if (manifest)
+            return manifest;
+    }
+    // Fall back to registry API
     const resp = await fetch(`${registry.replace(/\/$/, "")}/discover/${name}`);
     if (!resp.ok) {
         const body = await resp.json().catch(() => ({ error: `HTTP ${resp.status}` }));
@@ -49,6 +64,43 @@ export async function discover(name, registry) {
     }
     return (await resp.json());
 }
+async function discoverViaDns(dnsName, agentName) {
+    try {
+        // Use DNS-over-HTTPS (Cloudflare 1.1.1.1) to resolve TXT records
+        const resp = await fetch(`https://1.1.1.1/dns-query?name=${encodeURIComponent(dnsName)}&type=TXT`, {
+            headers: { "Accept": "application/dns-json" },
+        });
+        if (!resp.ok)
+            return null;
+        const data = await resp.json();
+        if (!data.Answer || data.Answer.length === 0)
+            return null;
+        // Parse v=of1 format from TXT record
+        const txt = data.Answer[0].data.replace(/"/g, "");
+        if (!txt.startsWith("v=of1"))
+            return null;
+        const fields = {};
+        for (const part of txt.split(" ")) {
+            const [k, v] = part.split("=", 2);
+            if (k && v)
+                fields[k] = v;
+        }
+        if (!fields.e || !fields.pk)
+            return null;
+        return {
+            name: agentName,
+            endpoint: fields.e,
+            publicKey: fields.pk,
+            encryptionKey: fields.ek || undefined,
+            fingerprint: fields.fp || "",
+            created: "",
+            capabilities: ["inbox", "shared", "knowledge"],
+        };
+    }
+    catch {
+        return null;
+    }
+}
 // Revocation is permanent and self-authenticated: the agent signs its own revocation
 // with the key being revoked. No admin needed — if you have the private key, you can kill it.
 export async function revoke(store, registry) {

package/dist/store.d.ts

@@ -28,7 +28,7 @@ export declare class ContextStore {
     writeContext(content: string): Promise<void>;
     readProfile(): Promise<string>;
     writeProfile(content: string): Promise<void>;
-    sendInbox(peerId: string, message: string): Promise<void>;
+    sendInbox(peerId: string, message: string): Promise<string>;
     readInbox(): Promise<Array<{
         file: string;
         content: string;

package/dist/store.js

@@ -114,6 +114,7 @@ export class ContextStore {
         const timestamp = new Date().toISOString().replace(/[:.]/g, "-");
         const filename = `${timestamp}_from-${config.name}_to-${peerId}.json`;
         await writeFile(join(this.root, "outbox", filename), serializeSignedMessage(signed));
+        return filename;
     }
     async readInbox() {
         const inboxDir = join(this.root, "inbox");

package/dist/sync.d.ts

@@ -5,5 +5,7 @@ export interface SyncResult {
     pushed: string[];
     errors: string[];
 }
+/** Try to deliver a single outbox message immediately. Returns true if delivered. */
+export declare function deliverOne(store: ContextStore, peerName: string, filename: string): Promise<boolean>;
 export declare function syncAll(store: ContextStore): Promise<SyncResult[]>;
 export declare function syncOne(store: ContextStore, peerName: string): Promise<SyncResult>;

package/dist/sync.js

@@ -39,6 +39,42 @@ function parseUrl(url) {
     }
     throw new Error(`Unknown URL scheme: ${url}. Use http:// or ssh://`);
 }
+/** Try to deliver a single outbox message immediately. Returns true if delivered. */
+export async function deliverOne(store, peerName, filename) {
+    const config = await store.readConfig();
+    const peer = config.peers.find((p) => p.name === peerName || p.id === peerName);
+    if (!peer)
+        return false;
+    const outboxDir = join(store.root, "outbox");
+    const filePath = join(outboxDir, filename);
+    if (!existsSync(filePath))
+        return false;
+    try {
+        const transport = parseUrl(peer.url);
+        if (transport.type === "http") {
+            const body = await readFile(filePath, "utf-8");
+            const r = await fetch(`${transport.baseUrl}/inbox`, {
+                method: "POST",
+                headers: { "Content-Type": "application/json" },
+                body,
+            });
+            if (!r.ok)
+                return false;
+        }
+        else {
+            await execFile("rsync", [
+                "-az", filePath,
+                `${transport.host}:${transport.path}/inbox/${filename}`,
+            ]);
+        }
+        // Delivered — archive to .sent/
+        await archiveSent(outboxDir, filename);
+        return true;
+    }
+    catch {
+        return false; // stays in outbox for next sync
+    }
+}
 export async function syncAll(store) {
     const config = await store.readConfig();
     const results = [];
@@ -120,7 +156,7 @@ async function syncHttp(store, peer, baseUrl, peerDir) {
         for (const fname of await readdir(outboxDir)) {
             if (!fname.endsWith(".json"))
                 continue;
-            if (!fname.includes(`_to-${peer.name}`) && !fname.includes(peer.id))
+            if (!fname.includes(`_to-${peer.name}.json`) && !fname.includes(peer.id))
                 continue;
             try {
                 const body = await readFile(join(outboxDir, fname), "utf-8");
@@ -180,6 +216,7 @@ async function syncSsh(store, peer, host, remotePath, peerDir) {
             "-az", "--ignore-existing",
             "--include", `*_to-${myName}.json`,
             "--include", `*_to-all.json`,
+            "--include", `*_${myName}.json`, // legacy format (pre-envelope)
             "--exclude", "*",
             `${host}:${remotePath}/outbox/`,
             `${inboxDir}/`,
@@ -197,7 +234,7 @@ async function syncSsh(store, peer, host, remotePath, peerDir) {
         for (const fname of await readdir(outboxDir)) {
             if (!fname.endsWith(".json"))
                 continue;
-            if (!fname.includes(`_to-${peer.name}`) && !fname.includes(peer.id))
+            if (!fname.includes(`_to-${peer.name}.json`) && !fname.includes(peer.id))
                 continue;
             try {
                 await execFile("rsync", ["-az", join(outboxDir, fname), `${host}:${remotePath}/inbox/${fname}`]);

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "openfused",
-  "version": "0.3.4",
+  "version": "0.3.5",
   "description": "Decentralized context mesh for AI agents. Encrypted sync, signed messaging, MCP server. The protocol is files.",
   "license": "MIT",
   "type": "module",