npm - openfused - Versions diffs - 0.3.6 → 0.3.9 - Mend

openfused 0.3.6 → 0.3.9

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (9) hide show

package/README.md CHANGED Viewed

@@ -1,6 +1,6 @@
 # OpenFused
-Decentralized context mesh for AI agents. Encrypted messaging, peer sync, agent registry. The protocol is files.
+The file protocol for AI agent context. Encrypted, signed, peer-to-peer.
 ## What is this?

package/dist/cli.js CHANGED Viewed

@@ -6,13 +6,13 @@ import { watchInbox, watchContext, watchSync } from "./watch.js";
 import { syncAll, syncOne, deliverOne } from "./sync.js";
 import * as registry from "./registry.js";
 import { fingerprint } from "./crypto.js";
-import { resolve } from "node:path";
+import { resolve, join } from "node:path";
 import { readFile } from "node:fs/promises";
-const VERSION = "0.3.6";
+const VERSION = "0.3.9";
 const program = new Command();
 program
     .name("openfuse")
-    .description("Decentralized context mesh for AI agents. The protocol is files.")
+    .description("The file protocol for AI agent context. Encrypted, signed, peer-to-peer.")
     .version(VERSION);
 // --- init ---
 program
@@ -399,19 +399,25 @@ key
         console.log(`Key already in keyring (fingerprint: ${fp})`);
         return;
     }
+    const autoTrust = config.autoTrust ?? false;
     config.keyring.push({
         name,
         address: opts.address ?? "",
         signingKey,
         encryptionKey: opts.encryptionKey,
         fingerprint: fp,
-        trusted: false,
+        trusted: autoTrust,
         added: new Date().toISOString(),
     });
     await store.writeConfig(config);
     console.log(`Imported key for: ${name}`);
     console.log(`  Fingerprint: ${fp}`);
-    console.log(`\nKey is NOT trusted yet. Run: openfuse key trust ${name}`);
+    if (autoTrust) {
+        console.log(`  Auto-trusted (workspace mode)`);
+    }
+    else {
+        console.log(`\nKey is NOT trusted yet. Run: openfuse key trust ${name}`);
+    }
 });
 key
     .command("trust <name>")
@@ -554,13 +560,46 @@ program
             console.log(`Imported key for ${manifest.name} from registry [untrusted]`);
             console.log(`  Run \`openfuse key trust ${manifest.name}\` to trust`);
         }
-        await store.sendInbox(name, message);
-        console.log(`Message queued in outbox for ${name}. Run \`openfuse sync\` to deliver.`);
+        const filename = await store.sendInbox(name, message);
+        // Try direct HTTP delivery if endpoint is http(s)
+        if (manifest.endpoint.startsWith("http")) {
+            try {
+                const body = await readFile(join(store.root, "outbox", filename), "utf-8");
+                const r = await fetch(`${manifest.endpoint.replace(/\/$/, "")}/inbox`, {
+                    method: "POST",
+                    headers: { "Content-Type": "application/json" },
+                    body,
+                });
+                if (r.ok) {
+                    // Archive to .sent/
+                    const { mkdir, rename } = await import("node:fs/promises");
+                    const sentDir = join(store.root, "outbox", ".sent");
+                    await mkdir(sentDir, { recursive: true });
+                    await rename(join(store.root, "outbox", filename), join(sentDir, filename));
+                    console.log(`Delivered to ${name}.`);
+                }
+                else {
+                    console.log(`Queued for ${name}. Endpoint returned ${r.status}. Will deliver on next sync.`);
+                }
+            }
+            catch {
+                console.log(`Queued for ${name}. Will deliver on next sync.`);
+            }
+        }
+        else {
+            console.log(`Queued for ${name}. Run \`openfuse sync\` to deliver.`);
+        }
     }
     catch {
         // Not in registry — send as a peer message
-        await store.sendInbox(name, message);
-        console.log(`Message sent to ${name}'s outbox.`);
+        const filename = await store.sendInbox(name, message);
+        const delivered = await deliverOne(store, name, filename);
+        if (delivered) {
+            console.log(`Delivered to ${name}.`);
+        }
+        else {
+            console.log(`Queued for ${name}. Run \`openfuse sync\` to deliver.`);
+        }
     }
 });
 program.parse();

package/dist/mcp.js CHANGED Viewed

@@ -23,7 +23,7 @@ const storeDir = process.env.OPENFUSE_DIR || process.argv[3] || ".";
 const store = new ContextStore(resolve(storeDir));
 const server = new McpServer({
     name: "openfuse",
-    version: "0.3.6",
+    version: "0.3.9",
 });
 // --- Context ---
 server.tool("context_read", "Read the agent's CONTEXT.md (working memory)", async () => {

package/dist/registry.d.ts CHANGED Viewed

@@ -1,5 +1,5 @@
 import { ContextStore } from "./store.js";
-export declare const DEFAULT_REGISTRY = "https://registry.openfused.dev";
+export declare const DEFAULT_REGISTRY = "https://openfuse-registry.wzmcghee.workers.dev";
 export interface Manifest {
     name: string;
     endpoint: string;

package/dist/registry.js CHANGED Viewed

@@ -7,7 +7,8 @@
 // This is TOFU (Trust On First Use) done right: the registry distributes keys,
 // but never asserts trust. Trust is a local decision.
 import { signMessage, fingerprint } from "./crypto.js";
-export const DEFAULT_REGISTRY = "https://registry.openfused.dev";
+// Custom domain pending propagation — use Worker URL as fallback
+export const DEFAULT_REGISTRY = "https://openfuse-registry.wzmcghee.workers.dev";
 export function resolveRegistry(flag) {
     return flag || process.env.OPENFUSE_REGISTRY || DEFAULT_REGISTRY;
 }
@@ -44,13 +45,13 @@ export async function register(store, endpoint, registry) {
 // Discovery: try DNS TXT first (decentralized, no registry needed), fall back to Worker API.
 // DNS format: v=of1 e={endpoint} pk={pubkey} ek={agekey} fp={fingerprint}
 // Self-hosted: _openfuse.{name}.{their-domain} — user manages their own TXT records.
-// Our zone: _openfuse.{name}.openfused.dev — managed by the registry Worker on registration.
+// Our zone: _openfuse.{name}.openfused.net — managed by the registry Worker on registration.
 export async function discover(name, registry) {
     // If name contains a dot, it's a domain — try DNS TXT directly
-    // Otherwise try DNS at openfused.dev, then fall back to registry API
+    // Otherwise try DNS at openfused.net, then fall back to registry API
     const dnsNames = name.includes(".")
         ? [`_openfuse.${name}`]
-        : [`_openfuse.${name}.openfused.dev`];
+        : [`_openfuse.${name}.openfused.net`];
     for (const dnsName of dnsNames) {
         const manifest = await discoverViaDns(dnsName, name);
         if (manifest)

package/dist/store.d.ts CHANGED Viewed

@@ -8,6 +8,7 @@ export interface MeshConfig {
     peers: PeerConfig[];
     keyring: KeyringEntry[];
     trustedKeys?: string[];
+    autoTrust?: boolean;
 }
 export interface PeerConfig {
     id: string;

package/dist/store.js CHANGED Viewed

@@ -71,12 +71,15 @@ export class ContextStore {
                 await writeFile(destPath, content);
             }
         }
+        // Workspaces auto-trust: all imported keys are trusted by default.
+        // Safe because workspaces are private — you control who joins.
         const config = {
             id,
             name,
             created: new Date().toISOString(),
             peers: [],
             keyring: [],
+            autoTrust: true,
         };
         await this.writeConfig(config);
     }
@@ -193,7 +196,13 @@ export class ContextStore {
             const signed = deserializeSignedMessage(raw);
             if (signed) {
                 const sigValid = verifyMessage(signed);
-                const trusted = config.keyring.some((k) => k.trusted && k.signingKey.trim() === signed.publicKey.trim());
+                // autoTrust (workspace mode): any key in keyring is trusted, but key must still
+                // be present — prevents random internet keys from appearing verified in a workspace
+                // that's accidentally exposed to the network.
+                const inKeyring = config.keyring.some((k) => k.signingKey.trim() === signed.publicKey.trim());
+                const trusted = config.autoTrust
+                    ? inKeyring
+                    : config.keyring.some((k) => k.trusted && k.signingKey.trim() === signed.publicKey.trim());
                 const verified = sigValid && trusted;
                 let content;
                 if (signed.encrypted) {

package/dist/sync.js CHANGED Viewed

@@ -35,6 +35,9 @@ function parseUrl(url) {
         if (/[;|`$]/.test(host)) {
             throw new Error("Invalid SSH URL: host contains shell metacharacters");
         }
+        if (/[;|`$&(){}]/.test(path)) {
+            throw new Error("Invalid SSH URL: path contains shell metacharacters");
+        }
         return { type: "ssh", host, path };
     }
     throw new Error(`Unknown URL scheme: ${url}. Use http:// or ssh://`);

package/package.json CHANGED Viewed

@@ -1,7 +1,7 @@
 {
   "name": "openfused",
-  "version": "0.3.6",
-  "description": "Decentralized context mesh for AI agents. Encrypted sync, signed messaging, MCP server. The protocol is files.",
+  "version": "0.3.9",
+  "description": "The file protocol for AI agent context. Encrypted, signed, peer-to-peer.",
   "license": "MIT",
   "type": "module",
   "bin": {
@@ -47,7 +47,7 @@
     "ai",
     "agent",
     "context",
-    "mesh",
+    "messaging",
     "fuse",
     "decentralized",
     "openclaw",