openfused 0.4.0 → 0.4.2

package/README.md

@@ -242,6 +242,48 @@ Any MCP client (Claude Desktop, Claude Code, Cursor) can use OpenFused as a tool
 
 13 tools: `context_read/write/append`, `profile_read/write`, `inbox_list/send`, `shared_list/read/write`, `status`, `peer_list/add`.
 
+## Hosted Mailbox
+
+No server? No problem. Register your keys and get a free inbox at `inbox.openfused.dev`:
+
+```bash
+# Register with the hosted mailbox as your endpoint
+openfuse register --endpoint https://inbox.openfused.dev
+
+# Anyone can now send you messages
+openfuse send your-name "hello"
+
+# You pull messages whenever you're online
+openfuse inbox list
+```
+
+No server to run. No port to open. No tunnel to configure. Messages wait in the mailbox until your agent wakes up and pulls them. It's email for agents.
+
+The paid tier ($5/mo) gets a dedicated store at `{name}.openfused.dev` with full context, shared files, knowledge base, and custom Worker code.
+
+## A2A Compatibility
+
+OpenFused speaks the [A2A protocol](https://github.com/a2aproject/A2A) (Google/Linux Foundation). The daemon exposes a standard A2A facade over the file-native store:
+
+```bash
+# Start daemon with A2A enabled
+openfused serve --store ./my-store --token "$OPENFUSE_TOKEN"
+
+# A2A clients can now:
+# - Discover your agent at /.well-known/agent-card.json
+# - Send tasks via POST /message/send
+# - Stream progress via POST /message/stream (SSE)
+# - Check results via GET /tasks/{id}
+```
+
+A2A is how agents talk. OpenFused is where agents think. The daemon translates HTTP to files and files to HTTP — any agent picks up tasks by reading files, reports progress by writing files. No runtime lock-in.
+
+```bash
+# CLI task management
+openfuse tasks list --token "$OPENFUSE_TOKEN"
+openfuse tasks get <task-id> --token "$OPENFUSE_TOKEN"
+```
+
 ## Docker
 
 ```bash
@@ -260,18 +302,36 @@ openfused serve --store ./my-context --port 2053
 
 # Public mode — PROFILE.md + inbox + outbox pickup (for WAN/tunnels)
 openfused serve --store ./my-context --port 2053 --public
-```
 
-Public mode endpoints:
+# With auth and task GC
+openfused serve --store ./my-context --token "$OPENFUSE_TOKEN" --gc-days 7
+```
 
-| Endpoint | Method | Purpose |
-|----------|--------|---------|
-| `/` | GET | Service info |
-| `/profile` | GET | Your PROFILE.md (public address card) |
-| `/config` | GET | Your public keys (JSON) |
-| `/inbox` | POST | Accept signed messages (rejects invalid signatures) |
-| `/outbox/{name}` | GET | Pickup replies addressed to `{name}` (fingerprint-verified) |
-| `/outbox/{name}/{path}` | DELETE | ACK a received message (moves to .sent/) |
+| Flag | Purpose |
+|------|---------|
+| `--token` / `OPENFUSE_TOKEN` | Bearer token for A2A routes |
+| `--gc-days N` | Auto-delete terminal tasks older than N days (default: 7) |
+| `--public` | Restrict to PROFILE.md + inbox only |
+
+Rate limiting, IP filtering, and TLS belong at the reverse proxy layer (nginx, Caddy, cloudflared). The daemon focuses on application logic.
+
+Endpoints:
+
+| Endpoint | Method | Auth | Purpose |
+|----------|--------|------|---------|
+| `/.well-known/agent-card.json` | GET | None | A2A agent discovery |
+| `/profile` | GET | None | PROFILE.md |
+| `/config` | GET | None | Public keys |
+| `/message/send` | POST | Bearer | Create A2A task |
+| `/message/stream` | POST | Bearer | Create task + SSE stream |
+| `/tasks` | GET | Bearer | List tasks |
+| `/tasks/{id}` | GET | Bearer | Get task |
+| `/tasks/{id}/cancel` | POST | Bearer | Cancel task |
+| `/tasks/{id}/subscribe` | POST | Bearer | SSE subscribe |
+| `/tasks/{id}/status` | POST | Bearer | Update task status |
+| `/tasks/{id}/artifacts` | POST | Bearer | Add artifact |
+| `/inbox` | POST | Ed25519 sig | Receive signed message |
+| `/outbox/{name}` | GET | Ed25519 challenge | Pull outbox |
 
 ## File Watching
 
@@ -292,10 +352,12 @@ openfuse watch -d ./store --tunnel your-server  # + reverse SSH tunnel
 
 | Scenario | Solution | Decentralized? |
 |----------|----------|----------------|
+| No server at all | `inbox.openfused.dev` hosted mailbox | Federated |
 | VPS agent | `openfused serve` — public IP | Yes |
 | Behind NAT + cloudflared | `openfused serve` + `cloudflared tunnel` | Yes |
 | Docker agent | Mount store as volume | Yes |
 | Pull-only agent | `openfuse sync` on cron — outbound only | Yes |
+| A2A ecosystem | Daemon with `--token` — standard A2A interface | Yes |
 
 ## Security
 
@@ -315,8 +377,13 @@ Hey, the research is done. Check shared/findings.md
 
 ### Hardening
 
-- Path traversal blocked (canonicalized paths, basename extraction)
+- Bearer token auth on A2A routes (constant-time comparison via subtle crate)
+- File locking on task.json (flock, prevents concurrent write corruption)
+- Task garbage collection (auto-deletes terminal tasks after configurable days)
+- Path traversal blocked (canonicalized paths, iterative `..` stripping, leading-dot rejection)
 - Daemon body size limit (1MB)
+- SSE stream timeout (30 minutes, prevents resource exhaustion)
+- GC canonicalizes paths before deletion (symlink traversal defense)
 - PROFILE.md is public; private config stays in your agent runtime (CLAUDE.md, etc.)
 - Registry rate-limited on all mutation endpoints
 - Outbox per-recipient subdirs with fingerprint binding (anti name-squatting)
@@ -324,6 +391,7 @@ Hey, the research is done. Check shared/findings.md
 - Sending requires recipient in keyring (no blind sends to unknown agents)
 - SSH URLs validated (no argument injection)
 - XML values escaped in message wrapping (no prompt injection via attributes)
+- Rate limiting, IP filtering, TLS belong at the proxy layer — the daemon does not duplicate them
 
 ## How agents communicate
 

package/dist/cli.js

@@ -617,88 +617,211 @@ program
     console.log(`  Created:        ${manifest.created}`);
 });
 // --- send ---
+// Helper: find the newest outbox file for a recipient
+import { readdirSync, statSync } from "node:fs";
+function findNewestOutboxFile(storeRoot, name) {
+    const outboxDir = join(storeRoot, "outbox");
+    try {
+        for (const entry of readdirSync(outboxDir)) {
+            if (entry.startsWith(`${name}-`) && statSync(join(outboxDir, entry)).isDirectory()) {
+                const files = readdirSync(join(outboxDir, entry))
+                    .filter((f) => f.endsWith(".json"))
+                    .sort()
+                    .reverse();
+                if (files.length > 0)
+                    return join(entry, files[0]);
+            }
+        }
+    }
+    catch { }
+    return "";
+}
 program
     .command("send <name> <message>")
-    .description("Send a message to an agent (resolves via registry)")
+    .description("Send a message to an agent")
     .option("-d, --dir <path>", "Context store directory", ".")
     .option("-r, --registry <url>", "Registry URL")
+    .option("--http", "Force HTTP delivery (uses registry endpoint)")
+    .option("--ssh", "Force SSH delivery (uses local peer SSH URL)")
     .action(async (name, message, opts) => {
     const store = new ContextStore(resolve(opts.dir));
     const reg = registry.resolveRegistry(opts.registry);
-    try {
-        const manifest = await registry.discover(name, reg);
-        // Auto-import key + add as peer. Keys are untrusted by default.
-        // Trust is a local decision — use `openfuse key trust <name>` after verifying.
-        const dnsDiscovered = false; // never auto-trust — user must explicitly trust
-        let config = await store.readConfig();
-        if (!config.keyring.some((e) => e.signingKey === manifest.publicKey)) {
-            config.keyring.push({
-                name: manifest.name,
-                address: `${manifest.name}@registry`,
-                signingKey: manifest.publicKey,
-                encryptionKey: manifest.encryptionKey,
-                fingerprint: manifest.fingerprint,
-                trusted: dnsDiscovered,
-                added: new Date().toISOString(),
-            });
-        }
-        if (manifest.endpoint && !config.peers.some((p) => p.name === manifest.name)) {
-            config.peers.push({
-                id: (await import("nanoid")).nanoid(12),
-                name: manifest.name,
-                url: manifest.endpoint,
-                access: "read",
-            });
-        }
-        await store.writeConfig(config);
-        const filename = await store.sendInbox(name, message);
-        // Try direct HTTP delivery if endpoint is http(s)
-        if (manifest.endpoint.startsWith("http")) {
-            try {
-                // SSRF check: registry endpoints are attacker-controlled
-                const { checkSsrf } = await import("./sync.js");
-                await checkSsrf(manifest.endpoint);
-                const body = await readFile(join(store.root, "outbox", filename), "utf-8");
-                const r = await fetch(`${manifest.endpoint.replace(/\/$/, "")}/inbox`, {
-                    method: "POST",
-                    headers: { "Content-Type": "application/json" },
-                    body,
+    let config = await store.readConfig();
+    // Ensure recipient is known — check local peers, then registry
+    const existingPeer = config.peers.find((p) => p.name === name);
+    let httpEndpoint = existingPeer?.url?.startsWith("http") ? existingPeer.url : "";
+    let sshUrl = existingPeer?.url?.startsWith("ssh") ? existingPeer.url : "";
+    // If --http forced or no local peer, discover from registry
+    if (opts.http || !existingPeer) {
+        try {
+            const manifest = await registry.discover(name, reg);
+            if (manifest.endpoint?.startsWith("http"))
+                httpEndpoint = manifest.endpoint;
+            // Auto-import key + add as peer
+            if (!config.keyring.some((e) => e.signingKey === manifest.publicKey)) {
+                config.keyring.push({
+                    name: manifest.name,
+                    address: `${manifest.name}@registry`,
+                    signingKey: manifest.publicKey,
+                    encryptionKey: manifest.encryptionKey,
+                    fingerprint: manifest.fingerprint,
+                    trusted: false,
+                    added: new Date().toISOString(),
                 });
-                if (r.ok) {
-                    // Archive to .sent/ within the recipient subdir
-                    const { mkdir, rename } = await import("node:fs/promises");
-                    const filePath = join(store.root, "outbox", filename);
-                    const dir = join(filePath, "..");
-                    const sentDir = join(dir, ".sent");
-                    const baseName = filename.includes("/") ? filename.split("/").pop() : filename;
-                    await mkdir(sentDir, { recursive: true });
-                    await rename(filePath, join(sentDir, baseName));
-                    console.log(`Delivered to ${name}.`);
-                }
-                else {
-                    console.log(`Queued for ${name}. Endpoint returned ${r.status}. Will deliver on next sync.`);
-                }
             }
-            catch {
-                console.log(`Queued for ${name}. Will deliver on next sync.`);
+            if (manifest.endpoint && !config.peers.some((p) => p.name === manifest.name)) {
+                config.peers.push({
+                    id: (await import("nanoid")).nanoid(12),
+                    name: manifest.name,
+                    url: manifest.endpoint,
+                    access: "read",
+                });
             }
+            await store.writeConfig(config);
         }
-        else if (manifest.endpoint) {
-            console.log(`Queued for ${name}. Run \`openfuse sync\` to deliver.`);
+        catch {
+            if (!existingPeer && !config.keyring.some((k) => k.name === name)) {
+                console.error(`Agent '${name}' not found in local peers or registry.`);
+                process.exit(1);
+            }
         }
-        else {
-            console.log(`Queued for ${name}. Key imported but ${name} has no endpoint — they'll need to pull from your outbox, or add a peer URL with \`openfuse peer add\`.`);
+    }
+    // Create signed message in outbox
+    await store.sendInbox(name, message);
+    const outboxFile = findNewestOutboxFile(store.root, name);
+    if (!outboxFile) {
+        console.log(`Queued for ${name}.`);
+        return;
+    }
+    // Determine delivery method
+    const forceHttp = opts.http;
+    const forceSsh = opts.ssh;
+    // --ssh: deliver via local peer SSH
+    if (forceSsh) {
+        if (!sshUrl) {
+            console.log(`Queued for ${name}. No SSH peer configured — use \`openfuse peer add ssh://...\`.`);
+            return;
         }
+        const delivered = await deliverOne(store, name, outboxFile);
+        console.log(delivered ? `Delivered to ${name} via SSH.` : `Queued for ${name}. SSH delivery failed — run \`openfuse sync\`.`);
+        return;
     }
-    catch {
-        // Not in registry — send as a peer message
-        const filename = await store.sendInbox(name, message);
-        const delivered = await deliverOne(store, name, filename);
-        if (delivered) {
-            console.log(`Delivered to ${name}.`);
+    // --http or default with HTTP endpoint: deliver via HTTP
+    if ((forceHttp || !sshUrl) && httpEndpoint) {
+        try {
+            const { checkSsrf } = await import("./sync.js");
+            await checkSsrf(httpEndpoint);
+            const body = await readFile(join(store.root, "outbox", outboxFile), "utf-8");
+            const inboxUrl = `${httpEndpoint.replace(/\/$/, "")}/inbox/${encodeURIComponent(name)}`;
+            const r = await fetch(inboxUrl, {
+                method: "POST",
+                headers: { "Content-Type": "application/json" },
+                body,
+            });
+            if (r.ok) {
+                const { mkdir, rename } = await import("node:fs/promises");
+                const filePath = join(store.root, "outbox", outboxFile);
+                const sentDir = join(filePath, "..", ".sent");
+                const baseName = outboxFile.split("/").pop();
+                await mkdir(sentDir, { recursive: true });
+                await rename(filePath, join(sentDir, baseName));
+                console.log(`Delivered to ${name}.`);
+            }
+            else {
+                console.log(`Queued for ${name}. Endpoint returned ${r.status}.`);
+            }
         }
-        else {
+        catch (e) {
             console.log(`Queued for ${name}. Run \`openfuse sync\` to deliver.`);
+            if (process.env.DEBUG)
+                console.error(`  Delivery error: ${e.message}`);
+        }
+        return;
+    }
+    // Default: try local peer (SSH or HTTP)
+    if (existingPeer) {
+        const delivered = await deliverOne(store, name, outboxFile);
+        console.log(delivered ? `Delivered to ${name}.` : `Queued for ${name}. Run \`openfuse sync\` to deliver.`);
+        return;
+    }
+    console.log(`Queued for ${name}. No endpoint — they'll need to pull from your outbox.`);
+});
+// --- tasks (A2A) ---
+const tasks = program.command("tasks").description("Manage A2A tasks on the daemon");
+tasks
+    .command("list")
+    .description("List all tasks from the daemon")
+    .option("--url <url>", "Daemon URL", "http://127.0.0.1:2053")
+    .option("--token <token>", "Bearer token (also reads OPENFUSE_TOKEN env)")
+    .option("--json", "Output raw JSON")
+    .action(async (opts) => {
+    const token = opts.token || process.env.OPENFUSE_TOKEN;
+    const headers = { "Content-Type": "application/json" };
+    if (token)
+        headers["Authorization"] = `Bearer ${token}`;
+    const res = await fetch(`${opts.url}/tasks`, { headers });
+    if (!res.ok) {
+        const body = await res.text();
+        console.error(`Error ${res.status}: ${body}`);
+        process.exit(1);
+    }
+    const data = (await res.json());
+    if (opts.json) {
+        console.log(JSON.stringify(data.tasks, null, 2));
+        return;
+    }
+    if (data.tasks.length === 0) {
+        console.log("No tasks.");
+        return;
+    }
+    for (const t of data.tasks) {
+        const created = t._openfuse?.createdAt?.slice(0, 19) || "";
+        const msgs = t.history?.length || 0;
+        const arts = t.artifacts?.length || 0;
+        console.log(`  ${t.id}  [${t.status.state}]  ${msgs} msg, ${arts} artifact  ${created}`);
+    }
+});
+tasks
+    .command("get <id>")
+    .description("Get a specific task by ID")
+    .option("--url <url>", "Daemon URL", "http://127.0.0.1:2053")
+    .option("--token <token>", "Bearer token (also reads OPENFUSE_TOKEN env)")
+    .option("--json", "Output raw JSON")
+    .action(async (id, opts) => {
+    const token = opts.token || process.env.OPENFUSE_TOKEN;
+    const headers = { "Content-Type": "application/json" };
+    if (token)
+        headers["Authorization"] = `Bearer ${token}`;
+    const res = await fetch(`${opts.url}/tasks/${encodeURIComponent(id)}`, { headers });
+    if (!res.ok) {
+        const body = await res.text();
+        console.error(`Error ${res.status}: ${body}`);
+        process.exit(1);
+    }
+    const task = (await res.json());
+    if (opts.json) {
+        console.log(JSON.stringify(task, null, 2));
+        return;
+    }
+    console.log(`Task:    ${task.id}`);
+    console.log(`State:   ${task.status.state}`);
+    if (task.contextId)
+        console.log(`Context: ${task.contextId}`);
+    if (task._openfuse) {
+        console.log(`Created: ${task._openfuse.createdAt}`);
+        console.log(`Updated: ${task._openfuse.updatedAt}`);
+    }
+    if (task.history?.length > 0) {
+        console.log(`\nHistory (${task.history.length} messages):`);
+        for (const msg of task.history) {
+            const text = msg.parts?.map((p) => p.text).filter(Boolean).join(" ") || "(non-text)";
+            console.log(`  [${msg.role}] ${text.slice(0, 120)}`);
+        }
+    }
+    if (task.artifacts?.length > 0) {
+        console.log(`\nArtifacts (${task.artifacts.length}):`);
+        for (const a of task.artifacts) {
+            console.log(`  ${a.artifactId}: ${a.name || "(unnamed)"}`);
         }
     }
 });

package/dist/sync.js

@@ -103,7 +103,8 @@ export async function deliverOne(store, peerName, filename) {
         if (transport.type === "http") {
             await checkSsrf(transport.baseUrl);
             const body = await readFile(filePath, "utf-8");
-            const r = await fetch(`${transport.baseUrl}/inbox`, {
+            const inboxUrl = `${transport.baseUrl}/inbox/${encodeURIComponent(peerName)}`;
+            const r = await fetch(inboxUrl, {
                 method: "POST",
                 headers: { "Content-Type": "application/json" },
                 body,
@@ -243,7 +244,10 @@ async function syncHttp(store, peer, baseUrl, peerDir) {
                 const safeFrom = from.replace(/[^a-zA-Z0-9\-_]/g, "");
                 const safeTs = ts.replace(/[^a-zA-Z0-9\-_]/g, "");
                 const fname = `${safeTs}_from-${safeFrom}_to-${myName}.json`;
-                const outboxFile = msg._outboxFile; // filename on sender's outbox
+                // Sanitize outboxFile — it comes from the remote peer's response and could
+                // contain path traversal characters (e.g., "../../inbox/important.json").
+                const rawOutboxFile = msg._outboxFile || "";
+                const outboxFile = rawOutboxFile.replace(/[^a-zA-Z0-9_\-. ]/g, "");
                 const dest = join(inboxDir, fname);
                 if (!existsSync(dest)) {
                     // Strip the _outboxFile metadata before saving
@@ -285,7 +289,8 @@ async function syncHttp(store, peer, baseUrl, peerDir) {
                     const relPath = `${entry.name}/${fname}`;
                     try {
                         const body = await readFile(join(subDir, fname), "utf-8");
-                        const r = await fetch(`${baseUrl}/inbox`, {
+                        const inboxUrl = `${baseUrl}/inbox/${encodeURIComponent(peer.name)}`;
+                        const r = await fetch(inboxUrl, {
                             method: "POST",
                             headers: { "Content-Type": "application/json" },
                             body,
@@ -308,7 +313,8 @@ async function syncHttp(store, peer, baseUrl, peerDir) {
                     continue;
                 try {
                     const body = await readFile(join(outboxDir, entry.name), "utf-8");
-                    const r = await fetch(`${baseUrl}/inbox`, {
+                    const inboxUrl = `${baseUrl}/inbox/${encodeURIComponent(peer.name)}`;
+                    const r = await fetch(inboxUrl, {
                         method: "POST",
                         headers: { "Content-Type": "application/json" },
                         body,

package/dist/wasm-core.js

@@ -4,7 +4,7 @@
 // Networking (sync, registry, watch) stays in Node.js.
 import { WASI } from "node:wasi";
 import { readFileSync } from "node:fs";
-import { readFile, writeFile, mkdtemp, rm } from "node:fs/promises";
+import { readFile, mkdtemp, rm } from "node:fs/promises";
 import { join, dirname } from "node:path";
 import { fileURLToPath } from "node:url";
 import { tmpdir } from "node:os";
@@ -23,11 +23,13 @@ function getModule() {
 }
 async function callWasm(storeRoot, args) {
     // Create a temp file to capture stdout (node:wasi doesn't support piping stdout directly)
+    // Restrictive permissions: 0o700 dir + 0o600 file — prevents other users from reading
+    // WASM output which may contain decrypted messages, keys, or config data.
     const tmpDir = await mkdtemp(join(tmpdir(), "openfuse-wasi-"));
+    const { chmodSync, openSync, closeSync } = await import("node:fs");
+    chmodSync(tmpDir, 0o700);
     const stdoutPath = join(tmpDir, "stdout");
-    await writeFile(stdoutPath, "");
-    const { openSync, closeSync } = await import("node:fs");
-    const fd = openSync(stdoutPath, "w");
+    const fd = openSync(stdoutPath, "w", 0o600);
     try {
         const wasi = new WASI({
             version: "preview1",
@@ -70,7 +72,7 @@ async function callWasm(storeRoot, args) {
 async function callWasmJson(storeRoot, args) {
     const { stdout, exitCode } = await callWasm(storeRoot, args);
     if (!stdout) {
-        throw new Error(`WASM returned empty output for: ${args.join(" ")}`);
+        throw new Error(`WASM returned empty output for command: ${args[0] ?? "unknown"}`);
     }
     const parsed = JSON.parse(stdout);
     if (exitCode !== 0 && parsed.error) {

package/package.json

@@ -1,6 +1,7 @@
 {
   "name": "openfused",
-  "version": "0.4.0",
+  "version": "0.4.2",
+  "mcpName": "io.github.openfused/openfuse-mcp",
   "description": "The file protocol for AI agent context. Encrypted, signed, peer-to-peer.",
   "license": "MIT",
   "type": "module",
@@ -36,7 +37,7 @@
   },
   "devDependencies": {
     "@types/node": "^25.5.0",
-    "typescript": "^5.9.3"
+    "typescript": "^6.0.2"
   },
   "engines": {
     "node": ">=20"