openfused 0.3.6 → 0.3.7

package/README.md

@@ -1,6 +1,6 @@
 # OpenFused
 
-Decentralized context mesh for AI agents. Encrypted messaging, peer sync, agent registry. The protocol is files.
+The file protocol for AI agent context. Encrypted, signed, peer-to-peer.
 
 ## What is this?
 

package/dist/cli.js

@@ -8,11 +8,11 @@ import * as registry from "./registry.js";
 import { fingerprint } from "./crypto.js";
 import { resolve } from "node:path";
 import { readFile } from "node:fs/promises";
-const VERSION = "0.3.6";
+const VERSION = "0.3.7";
 const program = new Command();
 program
     .name("openfuse")
-    .description("Decentralized context mesh for AI agents. The protocol is files.")
+    .description("The file protocol for AI agent context. Encrypted, signed, peer-to-peer.")
     .version(VERSION);
 // --- init ---
 program
@@ -399,19 +399,25 @@ key
         console.log(`Key already in keyring (fingerprint: ${fp})`);
         return;
     }
+    const autoTrust = config.autoTrust ?? false;
     config.keyring.push({
         name,
         address: opts.address ?? "",
         signingKey,
         encryptionKey: opts.encryptionKey,
         fingerprint: fp,
-        trusted: false,
+        trusted: autoTrust,
         added: new Date().toISOString(),
     });
     await store.writeConfig(config);
     console.log(`Imported key for: ${name}`);
     console.log(`  Fingerprint: ${fp}`);
-    console.log(`\nKey is NOT trusted yet. Run: openfuse key trust ${name}`);
+    if (autoTrust) {
+        console.log(`  Auto-trusted (workspace mode)`);
+    }
+    else {
+        console.log(`\nKey is NOT trusted yet. Run: openfuse key trust ${name}`);
+    }
 });
 key
     .command("trust <name>")

package/dist/mcp.js

@@ -23,7 +23,7 @@ const storeDir = process.env.OPENFUSE_DIR || process.argv[3] || ".";
 const store = new ContextStore(resolve(storeDir));
 const server = new McpServer({
     name: "openfuse",
-    version: "0.3.6",
+    version: "0.3.7",
 });
 // --- Context ---
 server.tool("context_read", "Read the agent's CONTEXT.md (working memory)", async () => {

package/dist/registry.js

@@ -44,13 +44,13 @@ export async function register(store, endpoint, registry) {
 // Discovery: try DNS TXT first (decentralized, no registry needed), fall back to Worker API.
 // DNS format: v=of1 e={endpoint} pk={pubkey} ek={agekey} fp={fingerprint}
 // Self-hosted: _openfuse.{name}.{their-domain} — user manages their own TXT records.
-// Our zone: _openfuse.{name}.openfused.dev — managed by the registry Worker on registration.
+// Our zone: _openfuse.{name}.openfused.net — managed by the registry Worker on registration.
 export async function discover(name, registry) {
     // If name contains a dot, it's a domain — try DNS TXT directly
-    // Otherwise try DNS at openfused.dev, then fall back to registry API
+    // Otherwise try DNS at openfused.net, then fall back to registry API
     const dnsNames = name.includes(".")
         ? [`_openfuse.${name}`]
-        : [`_openfuse.${name}.openfused.dev`];
+        : [`_openfuse.${name}.openfused.net`];
     for (const dnsName of dnsNames) {
         const manifest = await discoverViaDns(dnsName, name);
         if (manifest)

package/dist/store.d.ts

@@ -8,6 +8,7 @@ export interface MeshConfig {
     peers: PeerConfig[];
     keyring: KeyringEntry[];
     trustedKeys?: string[];
+    autoTrust?: boolean;
 }
 export interface PeerConfig {
     id: string;

package/dist/store.js

@@ -71,12 +71,15 @@ export class ContextStore {
                 await writeFile(destPath, content);
             }
         }
+        // Workspaces auto-trust: all imported keys are trusted by default.
+        // Safe because workspaces are private — you control who joins.
         const config = {
             id,
             name,
             created: new Date().toISOString(),
             peers: [],
             keyring: [],
+            autoTrust: true,
         };
         await this.writeConfig(config);
     }
@@ -193,7 +196,13 @@ export class ContextStore {
             const signed = deserializeSignedMessage(raw);
             if (signed) {
                 const sigValid = verifyMessage(signed);
-                const trusted = config.keyring.some((k) => k.trusted && k.signingKey.trim() === signed.publicKey.trim());
+                // autoTrust (workspace mode): any key in keyring is trusted, but key must still
+                // be present — prevents random internet keys from appearing verified in a workspace
+                // that's accidentally exposed to the network.
+                const inKeyring = config.keyring.some((k) => k.signingKey.trim() === signed.publicKey.trim());
+                const trusted = config.autoTrust
+                    ? inKeyring
+                    : config.keyring.some((k) => k.trusted && k.signingKey.trim() === signed.publicKey.trim());
                 const verified = sigValid && trusted;
                 let content;
                 if (signed.encrypted) {

package/dist/sync.js

@@ -35,6 +35,9 @@ function parseUrl(url) {
         if (/[;|`$]/.test(host)) {
             throw new Error("Invalid SSH URL: host contains shell metacharacters");
         }
+        if (/[;|`$&(){}]/.test(path)) {
+            throw new Error("Invalid SSH URL: path contains shell metacharacters");
+        }
         return { type: "ssh", host, path };
     }
     throw new Error(`Unknown URL scheme: ${url}. Use http:// or ssh://`);

package/package.json

@@ -1,7 +1,7 @@
 {
   "name": "openfused",
-  "version": "0.3.6",
-  "description": "Decentralized context mesh for AI agents. Encrypted sync, signed messaging, MCP server. The protocol is files.",
+  "version": "0.3.7",
+  "description": "The file protocol for AI agent context. Encrypted, signed, peer-to-peer.",
   "license": "MIT",
   "type": "module",
   "bin": {
@@ -47,7 +47,7 @@
     "ai",
     "agent",
     "context",
-    "mesh",
+    "messaging",
     "fuse",
     "decentralized",
     "openclaw",