openfused 0.3.9 → 0.3.11

package/README.md

@@ -241,10 +241,20 @@ The daemon has two modes:
 # Full mode — serves everything to trusted LAN peers
 openfused serve --store ./my-context --port 9781
 
-# Public mode — only PROFILE.md + inbox (for WAN/tunnels)
+# Public mode — PROFILE.md + inbox + outbox pickup (for WAN/tunnels)
 openfused serve --store ./my-context --port 9781 --public
 ```
 
+Public mode endpoints:
+
+| Endpoint | Method | Purpose |
+|----------|--------|---------|
+| `/` | GET | Service info |
+| `/profile` | GET | Your PROFILE.md (public address card) |
+| `/config` | GET | Your public keys (JSON) |
+| `/inbox` | POST | Accept signed messages (rejects invalid signatures) |
+| `/outbox/{name}` | GET | Pickup replies addressed to `{name}` (encrypted) |
+
 ## File Watching
 
 `openfuse watch` combines three things:

package/dist/cli.js

@@ -8,7 +8,7 @@ import * as registry from "./registry.js";
 import { fingerprint } from "./crypto.js";
 import { resolve, join } from "node:path";
 import { readFile } from "node:fs/promises";
-const VERSION = "0.3.9";
+const VERSION = "0.3.11";
 const program = new Command();
 program
     .name("openfuse")
@@ -544,8 +544,13 @@ program
     const reg = registry.resolveRegistry(opts.registry);
     try {
         const manifest = await registry.discover(name, reg);
-        const config = await store.readConfig();
-        // Auto-import key (untrusted)
+        // Auto-import key (untrusted) + add as peer so future `openfuse sync` can
+        // deliver replies and pull context. Key is deliberately NOT trusted — the user
+        // must explicitly `openfuse key trust <name>` after out-of-band verification.
+        // NOTE: manifest data comes from the registry and is attacker-controlled.
+        // The endpoint URL is stored as-is; a malicious entry could point at an internal
+        // service. Sync will pull from it — consider validating URL scheme/host.
+        let config = await store.readConfig();
         if (!config.keyring.some((e) => e.signingKey === manifest.publicKey)) {
             config.keyring.push({
                 name: manifest.name,
@@ -556,10 +561,16 @@ program
                 trusted: false,
                 added: new Date().toISOString(),
             });
-            await store.writeConfig(config);
-            console.log(`Imported key for ${manifest.name} from registry [untrusted]`);
-            console.log(`  Run \`openfuse key trust ${manifest.name}\` to trust`);
         }
+        if (manifest.endpoint && !config.peers.some((p) => p.name === manifest.name)) {
+            config.peers.push({
+                id: (await import("nanoid")).nanoid(12),
+                name: manifest.name,
+                url: manifest.endpoint,
+                access: "read",
+            });
+        }
+        await store.writeConfig(config);
         const filename = await store.sendInbox(name, message);
         // Try direct HTTP delivery if endpoint is http(s)
         if (manifest.endpoint.startsWith("http")) {

package/dist/mcp.js

@@ -23,7 +23,7 @@ const storeDir = process.env.OPENFUSE_DIR || process.argv[3] || ".";
 const store = new ContextStore(resolve(storeDir));
 const server = new McpServer({
     name: "openfuse",
-    version: "0.3.9",
+    version: "0.3.11",
 });
 // --- Context ---
 server.tool("context_read", "Read the agent's CONTEXT.md (working memory)", async () => {

package/dist/sync.js

@@ -153,6 +153,35 @@ async function syncHttp(store, peer, baseUrl, peerDir) {
             errors.push(`${dir}/: ${e.message}`);
         }
     }
+    // Pull peer's outbox for messages addressed to us (HTTP version).
+    // The peer's daemon filters to _to-{myName}.json, but the JSON body is untrusted —
+    // a malicious peer controls every field. We must sanitize before using any value
+    // in a filename to prevent path traversal (e.g. from="../../.keys/evil").
+    const config = await store.readConfig();
+    const myName = config.name;
+    const inboxDir = join(store.root, "inbox");
+    await mkdir(inboxDir, { recursive: true });
+    try {
+        const resp = await fetch(`${baseUrl}/outbox/${myName}`);
+        if (resp.ok) {
+            const messages = (await resp.json());
+            for (const msg of messages) {
+                const ts = (msg.timestamp || new Date().toISOString()).replace(/[:.]/g, "-");
+                const from = msg.from || "unknown";
+                // SECURITY: sanitize remote-controlled values before constructing local filenames.
+                // Without this, a malicious "from" like "../../.keys/x" could write outside inbox/.
+                const safeFrom = from.replace(/[^a-zA-Z0-9\-_]/g, "");
+                const safeTs = ts.replace(/[^a-zA-Z0-9\-_]/g, "");
+                const fname = `${safeTs}_from-${safeFrom}_to-${myName}.json`;
+                const dest = join(inboxDir, fname);
+                if (!existsSync(dest)) {
+                    await writeFile(dest, JSON.stringify(msg, null, 2));
+                    pulled.push(`outbox→${fname}`);
+                }
+            }
+        }
+    }
+    catch { }
     // Push outbox → peer inbox
     const outboxDir = join(store.root, "outbox");
     if (existsSync(outboxDir)) {

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "openfused",
-  "version": "0.3.9",
+  "version": "0.3.11",
   "description": "The file protocol for AI agent context. Encrypted, signed, peer-to-peer.",
   "license": "MIT",
   "type": "module",