openfused 0.3.5 → 0.3.7

package/README.md

@@ -1,6 +1,6 @@
 # OpenFused
 
-Decentralized context mesh for AI agents. Encrypted messaging, peer sync, agent registry. The protocol is files.
+The file protocol for AI agent context. Encrypted, signed, peer-to-peer.
 
 ## What is this?
 
@@ -10,25 +10,32 @@ No vendor lock-in. No proprietary protocol. Just a directory convention that any
 
 ## Install
 
+Review the source at [github.com/wearethecompute/openfused](https://github.com/wearethecompute/openfused) before installing.
+
 ```bash
-# TypeScript (npm)
+# TypeScript (npm) — package: openfused
 npm install -g openfused
 
-# Rust (crates.io)
+# Rust (crates.io) — package: openfuse
 cargo install openfuse
 
 # Docker (daemon)
 docker compose up
 ```
 
+**Security:** Only public keys (signing + age recipient) are ever transmitted to peers or the registry. Private keys never leave `.keys/`. All key files are created with `chmod 600`.
+
 ## Quick Start
 
 ```bash
+# Agent context store
 openfuse init --name "my-agent"
-```
 
-This creates a context store:
+# Shared workspace (multi-agent collaboration)
+openfuse init --name "project-alpha" --workspace
+```
 
+### Agent store:
 ```
 CONTEXT.md     — working memory (what's happening now)
 PROFILE.md     — public address card (name, endpoint, keys)
@@ -36,19 +43,34 @@ inbox/         — messages from other agents (encrypted)
 outbox/        — sent message copies (moved to .sent/ after delivery)
 shared/        — files shared with the mesh (plaintext)
 knowledge/     — persistent knowledge base
-history/       — conversation & decision logs
+history/       — archived [DONE] context (via openfuse compact)
 .keys/         — ed25519 signing + age encryption keypairs
 .mesh.json     — mesh config, peers, keyring
 .peers/        — synced peer context (auto-populated)
 ```
 
+### Shared workspace:
+```
+CHARTER.md     — workspace purpose, rules, member list
+CONTEXT.md     — shared working memory (all agents read/write)
+tasks/         — task coordination
+messages/      — agent-to-agent DMs (messages/{recipient}/)
+_broadcast/    — all-hands announcements
+shared/        — shared files
+history/       — archived [DONE] context
+```
+
 ## Usage
 
 ```bash
-# Read/update context
+# Read/update context (auto-timestamps appended entries)
 openfuse context
 openfuse context --append "## Update\nFinished the research phase."
 
+# Mark work as done, then compact to history/
+# (edit CONTEXT.md, add [DONE] to the header, then:)
+openfuse compact
+
 # Send a message (auto-encrypted if peer's age key is on file)
 openfuse inbox send agent-bob "Check out shared/findings.md"
 

package/dist/cli.js

@@ -8,18 +8,19 @@ import * as registry from "./registry.js";
 import { fingerprint } from "./crypto.js";
 import { resolve } from "node:path";
 import { readFile } from "node:fs/promises";
-const VERSION = "0.3.5";
+const VERSION = "0.3.7";
 const program = new Command();
 program
     .name("openfuse")
-    .description("Decentralized context mesh for AI agents. The protocol is files.")
+    .description("The file protocol for AI agent context. Encrypted, signed, peer-to-peer.")
     .version(VERSION);
 // --- init ---
 program
     .command("init")
-    .description("Initialize a new context store")
+    .description("Initialize a new context store or shared workspace")
     .option("-n, --name <name>", "Agent name", "agent")
     .option("-d, --dir <path>", "Directory to init", ".")
+    .option("--workspace", "Initialize as a shared workspace (CHARTER.md + tasks/ + messages/ + _broadcast/)")
     .action(async (opts) => {
     const store = new ContextStore(resolve(opts.dir));
     if (await store.exists()) {
@@ -27,14 +28,27 @@ program
         process.exit(1);
     }
     const id = nanoid(12);
-    await store.init(opts.name, id);
-    const config = await store.readConfig();
-    console.log(`Initialized context store: ${store.root}`);
-    console.log(`  Agent ID: ${id}`);
-    console.log(`  Name: ${opts.name}`);
-    console.log(`  Signing key: ${config.publicKey}`);
-    console.log(`  Encryption key: ${config.encryptionKey}`);
-    console.log(`  Fingerprint: ${fingerprint(config.publicKey)}`);
+    if (opts.workspace) {
+        await store.initWorkspace(opts.name, id);
+        console.log(`Initialized shared workspace: ${store.root}`);
+        console.log(`  Workspace: ${opts.name} (${id})`);
+        console.log(`\nStructure:`);
+        console.log(`  CHARTER.md   — workspace rules and purpose`);
+        console.log(`  CONTEXT.md   — shared working memory`);
+        console.log(`  tasks/       — task coordination`);
+        console.log(`  messages/    — agent-to-agent DMs`);
+        console.log(`  _broadcast/  — all-hands messages`);
+    }
+    else {
+        await store.init(opts.name, id);
+        const config = await store.readConfig();
+        console.log(`Initialized context store: ${store.root}`);
+        console.log(`  Agent ID: ${id}`);
+        console.log(`  Name: ${opts.name}`);
+        console.log(`  Signing key: ${config.publicKey}`);
+        console.log(`  Encryption key: ${config.encryptionKey}`);
+        console.log(`  Fingerprint: ${fingerprint(config.publicKey)}`);
+    }
 });
 // --- status ---
 program
@@ -73,7 +87,8 @@ program
     else if (opts.append) {
         const existing = await store.readContext();
         const text = opts.append.replace(/\\n/g, "\n");
-        await store.writeContext(existing + "\n" + text);
+        const timestamp = `<!-- openfuse:added: ${new Date().toISOString()} -->`;
+        await store.writeContext(existing + "\n" + timestamp + "\n" + text);
         console.log("Context appended.");
     }
     else {
@@ -117,6 +132,40 @@ inbox
         console.log(opts.raw ? msg.content : msg.wrappedContent);
     }
 });
+inbox
+    .command("archive [file]")
+    .description("Archive inbox message(s) to inbox/.read/ — specific file or --all")
+    .option("-d, --dir <path>", "Context store directory", ".")
+    .option("--all", "Archive all inbox messages")
+    .action(async (file, opts) => {
+    const store = new ContextStore(resolve(opts.dir));
+    const { readdir: rd, mkdir, rename } = await import("node:fs/promises");
+    const { join, basename } = await import("node:path");
+    const inboxDir = join(store.root, "inbox");
+    const readDir = join(inboxDir, ".read");
+    await mkdir(readDir, { recursive: true });
+    if (opts.all) {
+        const files = (await rd(inboxDir)).filter(f => f.endsWith(".json") || f.endsWith(".md"));
+        for (const f of files)
+            await rename(join(inboxDir, f), join(readDir, f));
+        console.log(`Archived ${files.length} messages.`);
+    }
+    else if (file) {
+        const safe = basename(file);
+        try {
+            await rename(join(inboxDir, safe), join(readDir, safe));
+            console.log(`Archived: ${safe}`);
+        }
+        catch {
+            console.error(`Not found in inbox: ${safe}`);
+            process.exit(1);
+        }
+    }
+    else {
+        console.error("Specify a filename or use --all");
+        process.exit(1);
+    }
+});
 inbox
     .command("send <peerId> <message>")
     .description("Send a message to a peer's inbox")
@@ -224,6 +273,21 @@ program
     }
     await new Promise(() => { });
 });
+// --- compact ---
+program
+    .command("compact")
+    .description("Move [DONE] sections from CONTEXT.md to history/")
+    .option("-d, --dir <path>", "Context store directory", ".")
+    .action(async (opts) => {
+    const store = new ContextStore(resolve(opts.dir));
+    const { moved, kept } = await store.compactContext();
+    if (moved === 0) {
+        console.log("Nothing to compact. Mark sections with [DONE] to archive them.");
+    }
+    else {
+        console.log(`Compacted: ${moved} done, ${kept} kept.`);
+    }
+});
 // --- share ---
 program
     .command("share <file>")
@@ -335,19 +399,25 @@ key
         console.log(`Key already in keyring (fingerprint: ${fp})`);
         return;
     }
+    const autoTrust = config.autoTrust ?? false;
     config.keyring.push({
         name,
         address: opts.address ?? "",
         signingKey,
         encryptionKey: opts.encryptionKey,
         fingerprint: fp,
-        trusted: false,
+        trusted: autoTrust,
         added: new Date().toISOString(),
     });
     await store.writeConfig(config);
     console.log(`Imported key for: ${name}`);
     console.log(`  Fingerprint: ${fp}`);
-    console.log(`\nKey is NOT trusted yet. Run: openfuse key trust ${name}`);
+    if (autoTrust) {
+        console.log(`  Auto-trusted (workspace mode)`);
+    }
+    else {
+        console.log(`\nKey is NOT trusted yet. Run: openfuse key trust ${name}`);
+    }
 });
 key
     .command("trust <name>")

package/dist/mcp.js

@@ -23,7 +23,7 @@ const storeDir = process.env.OPENFUSE_DIR || process.argv[3] || ".";
 const store = new ContextStore(resolve(storeDir));
 const server = new McpServer({
     name: "openfuse",
-    version: "0.3.5",
+    version: "0.3.7",
 });
 // --- Context ---
 server.tool("context_read", "Read the agent's CONTEXT.md (working memory)", async () => {

package/dist/registry.js

@@ -44,13 +44,13 @@ export async function register(store, endpoint, registry) {
 // Discovery: try DNS TXT first (decentralized, no registry needed), fall back to Worker API.
 // DNS format: v=of1 e={endpoint} pk={pubkey} ek={agekey} fp={fingerprint}
 // Self-hosted: _openfuse.{name}.{their-domain} — user manages their own TXT records.
-// Our zone: _openfuse.{name}.openfused.dev — managed by the registry Worker on registration.
+// Our zone: _openfuse.{name}.openfused.net — managed by the registry Worker on registration.
 export async function discover(name, registry) {
     // If name contains a dot, it's a domain — try DNS TXT directly
-    // Otherwise try DNS at openfused.dev, then fall back to registry API
+    // Otherwise try DNS at openfused.net, then fall back to registry API
     const dnsNames = name.includes(".")
         ? [`_openfuse.${name}`]
-        : [`_openfuse.${name}.openfused.dev`];
+        : [`_openfuse.${name}.openfused.net`];
     for (const dnsName of dnsNames) {
         const manifest = await discoverViaDns(dnsName, name);
         if (manifest)

package/dist/store.d.ts

@@ -8,6 +8,7 @@ export interface MeshConfig {
     peers: PeerConfig[];
     keyring: KeyringEntry[];
     trustedKeys?: string[];
+    autoTrust?: boolean;
 }
 export interface PeerConfig {
     id: string;
@@ -22,10 +23,15 @@ export declare class ContextStore {
     get configPath(): string;
     exists(): Promise<boolean>;
     init(name: string, id: string): Promise<void>;
+    initWorkspace(name: string, id: string): Promise<void>;
     readConfig(): Promise<MeshConfig>;
     writeConfig(config: MeshConfig): Promise<void>;
     readContext(): Promise<string>;
     writeContext(content: string): Promise<void>;
+    compactContext(): Promise<{
+        moved: number;
+        kept: number;
+    }>;
     readProfile(): Promise<string>;
     writeProfile(content: string): Promise<void>;
     sendInbox(peerId: string, message: string): Promise<string>;

package/dist/store.js

@@ -11,7 +11,7 @@
 //   .keys/      — Ed25519 + age keypairs (gitignored)
 //   .mesh.json  — config, peer list, keyring
 // No database, no daemon required. `ls` is your status command.
-import { readFile, writeFile, mkdir, readdir } from "node:fs/promises";
+import { readFile, writeFile, mkdir, readdir, appendFile } from "node:fs/promises";
 import { join, resolve } from "node:path";
 import { existsSync } from "node:fs";
 import { generateKeys, signMessage, signAndEncrypt, verifyMessage, decryptMessage, deserializeSignedMessage, serializeSignedMessage, wrapExternalMessage, fingerprint, } from "./crypto.js";
@@ -54,6 +54,35 @@ export class ContextStore {
         };
         await this.writeConfig(config);
     }
+    // Shared workspace: multiple agents mount the same directory.
+    // CHARTER.md = system prompt (purpose, rules). CONTEXT.md = shared working memory.
+    // tasks/ for coordination, messages/{agent}/ for DMs, _broadcast/ for all-hands.
+    async initWorkspace(name, id) {
+        await mkdir(this.root, { recursive: true });
+        for (const dir of ["tasks", "messages", "_broadcast", "shared", "history"]) {
+            await mkdir(join(this.root, dir), { recursive: true });
+        }
+        const templatesDir = new URL("../templates/", import.meta.url).pathname;
+        for (const file of ["CHARTER.md", "CONTEXT.md"]) {
+            const templatePath = join(templatesDir, file);
+            const destPath = join(this.root, file);
+            if (!existsSync(destPath)) {
+                const content = await readFile(templatePath, "utf-8");
+                await writeFile(destPath, content);
+            }
+        }
+        // Workspaces auto-trust: all imported keys are trusted by default.
+        // Safe because workspaces are private — you control who joins.
+        const config = {
+            id,
+            name,
+            created: new Date().toISOString(),
+            peers: [],
+            keyring: [],
+            autoTrust: true,
+        };
+        await this.writeConfig(config);
+    }
     async readConfig() {
         const raw = await readFile(this.configPath, "utf-8");
         const config = JSON.parse(raw);
@@ -91,6 +120,45 @@ export class ContextStore {
     async writeContext(content) {
         await writeFile(join(this.root, "CONTEXT.md"), content);
     }
+    // --- Context compaction ---
+    // Agents mark sections as [DONE] when work is complete. `openfuse compact`
+    // moves done sections to history/YYYY-MM-DD.md, keeping CONTEXT.md lean.
+    // Sections are delimited by markdown headers (## or ###).
+    async compactContext() {
+        const content = await this.readContext();
+        const lines = content.split("\n");
+        const kept = [];
+        const done = [];
+        let current = [];
+        let currentDone = false;
+        const flush = () => {
+            if (current.length > 0) {
+                (currentDone ? done : kept).push(current.join("\n"));
+                current = [];
+                currentDone = false;
+            }
+        };
+        for (const line of lines) {
+            if (/^#{1,3}\s/.test(line)) {
+                flush();
+                currentDone = /\[DONE\]/i.test(line);
+            }
+            current.push(line);
+        }
+        flush();
+        if (done.length === 0)
+            return { moved: 0, kept: kept.length };
+        // Write kept sections back to CONTEXT.md
+        await this.writeContext(kept.join("\n\n") || "# Context\n\n*Working memory — what's happening right now.*\n");
+        // Append done sections to history/YYYY-MM-DD.md
+        const historyDir = join(this.root, "history");
+        await mkdir(historyDir, { recursive: true });
+        const dateStr = new Date().toISOString().split("T")[0];
+        const historyFile = join(historyDir, `${dateStr}.md`);
+        const header = existsSync(historyFile) ? "\n---\n\n" : `# Context History — ${dateStr}\n\n`;
+        await appendFile(historyFile, header + done.join("\n\n") + "\n");
+        return { moved: done.length, kept: kept.length };
+    }
     async readProfile() {
         return readFile(join(this.root, "PROFILE.md"), "utf-8");
     }
@@ -128,7 +196,13 @@ export class ContextStore {
             const signed = deserializeSignedMessage(raw);
             if (signed) {
                 const sigValid = verifyMessage(signed);
-                const trusted = config.keyring.some((k) => k.trusted && k.signingKey.trim() === signed.publicKey.trim());
+                // autoTrust (workspace mode): any key in keyring is trusted, but key must still
+                // be present — prevents random internet keys from appearing verified in a workspace
+                // that's accidentally exposed to the network.
+                const inKeyring = config.keyring.some((k) => k.signingKey.trim() === signed.publicKey.trim());
+                const trusted = config.autoTrust
+                    ? inKeyring
+                    : config.keyring.some((k) => k.trusted && k.signingKey.trim() === signed.publicKey.trim());
                 const verified = sigValid && trusted;
                 let content;
                 if (signed.encrypted) {

package/dist/sync.js

@@ -35,6 +35,9 @@ function parseUrl(url) {
         if (/[;|`$]/.test(host)) {
             throw new Error("Invalid SSH URL: host contains shell metacharacters");
         }
+        if (/[;|`$&(){}]/.test(path)) {
+            throw new Error("Invalid SSH URL: path contains shell metacharacters");
+        }
         return { type: "ssh", host, path };
     }
     throw new Error(`Unknown URL scheme: ${url}. Use http:// or ssh://`);

package/package.json

@@ -1,7 +1,7 @@
 {
   "name": "openfused",
-  "version": "0.3.5",
-  "description": "Decentralized context mesh for AI agents. Encrypted sync, signed messaging, MCP server. The protocol is files.",
+  "version": "0.3.7",
+  "description": "The file protocol for AI agent context. Encrypted, signed, peer-to-peer.",
   "license": "MIT",
   "type": "module",
   "bin": {
@@ -47,7 +47,7 @@
     "ai",
     "agent",
     "context",
-    "mesh",
+    "messaging",
     "fuse",
     "decentralized",
     "openclaw",

package/templates/CHARTER.md

@@ -0,0 +1,18 @@
+# Charter
+
+## Purpose
+_What is this workspace for? What are we building?_
+
+## Members
+_Who participates in this workspace?_
+
+## Rules
+- Agents mark completed work with `[DONE]` in CONTEXT.md
+- Messages to all members go in `_broadcast/`
+- Direct messages go in `messages/{recipient}/`
+- Tasks are tracked in `tasks/`
+
+## Conventions
+- Sign all messages
+- Encrypt DMs, broadcast in plaintext
+- Check CONTEXT.md before starting new work