npm - openfused - Versions diffs - 0.4.3 → 0.4.5 - Mend

openfused 0.4.3 → 0.4.5

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (5) hide show

package/README.md CHANGED Viewed

@@ -68,12 +68,10 @@ history/       — archived [DONE] context
 openfuse context
 openfuse context --append "## Update\nFinished the research phase."
-# Mark work as done, then compact to history/ (TS CLI only)
-# (edit CONTEXT.md, add [DONE] to the header, then:)
+# Mark work as done, then compact to history/# (edit CONTEXT.md, add [DONE] to the header, then:)
 openfuse compact
-# Add validity windows to time-sensitive context (TS CLI only)
-# <!-- validity: 6h --> for task state, 1d for sprint, 3d for architecture
+# Add validity windows to time-sensitive context# <!-- validity: 6h --> for task state, 1d for sprint, 3d for architecture
 openfuse validate                    # scan for stale entries
 openfuse compact --prune-stale       # archive expired validity windows

package/dist/cli.js CHANGED Viewed

@@ -185,15 +185,17 @@ inbox
     .option("-d, --dir <path>", "Context store directory", ".")
     .action(async (peerId, message, opts) => {
     const store = new ContextStore(resolve(opts.dir));
-    const filename = await store.sendInbox(peerId, message);
-    // Try immediate delivery — if peer is reachable, deliver now
-    const delivered = await deliverOne(store, peerId, filename);
-    if (delivered) {
-        console.log(`Delivered to ${peerId}.`);
-    }
-    else {
-        console.log(`Queued for ${peerId}. Will deliver on next sync.`);
+    await store.sendInbox(peerId, message);
+    // Find the outbox file we just created
+    const outboxFile = findNewestOutboxFile(store.root, peerId);
+    if (outboxFile) {
+        const delivered = await deliverOne(store, peerId, outboxFile);
+        if (delivered) {
+            console.log(`Delivered to ${peerId}.`);
+            return;
+        }
     }
+    console.log(`Queued for ${peerId}. Will deliver on next sync.`);
 });
 // --- watch ---
 program

package/dist/sync.js CHANGED Viewed

@@ -247,7 +247,9 @@ async function syncHttp(store, peer, baseUrl, peerDir) {
                 // Sanitize outboxFile — it comes from the remote peer's response and could
                 // contain path traversal characters (e.g., "../../inbox/important.json").
                 const rawOutboxFile = msg._outboxFile || "";
-                const outboxFile = rawOutboxFile.replace(/[^a-zA-Z0-9_\-. ]/g, "");
+                // Allow / for subdir paths (e.g., "name-FP/filename.json") but strip
+                // path traversal (..) and other dangerous chars.
+                const outboxFile = rawOutboxFile.replace(/\.\./g, "").replace(/[^a-zA-Z0-9_\-./ ]/g, "");
                 const dest = join(inboxDir, fname);
                 if (!existsSync(dest)) {
                     // Strip the _outboxFile metadata before saving
@@ -340,9 +342,14 @@ async function syncSsh(store, peer, host, remotePath, peerDir) {
     const pulled = [];
     const pushed = [];
     const errors = [];
+    const esc = (s) => s.replace(/&/g, "&amp;").replace(/</g, "&lt;").replace(/>/g, "&gt;").replace(/"/g, "&quot;");
     for (const file of ["CONTEXT.md", "PROFILE.md"]) {
         try {
             await execFile("rsync", ["-az", `${host}:${remotePath}/${file}`, join(peerDir, file)]);
+            // Wrap in unverified tags — SSH-synced content is untrusted external input
+            const raw = sanitizePeerContent(await readFile(join(peerDir, file), "utf-8"));
+            const wrapped = `<external_content_unverified from="${esc(peer.name)}" file="${esc(file)}">\n${raw}\n</external_content_unverified>`;
+            await writeFile(join(peerDir, file), wrapped);
             pulled.push(file);
         }
         catch (e) {
@@ -354,6 +361,17 @@ async function syncSsh(store, peer, host, remotePath, peerDir) {
         await mkdir(localDir, { recursive: true });
         try {
             await execFile("rsync", ["-az", "--delete", `${host}:${remotePath}/${dir}/`, `${localDir}/`]);
+            // Wrap each file in unverified tags
+            const { readdirSync } = await import("node:fs");
+            for (const fname of readdirSync(localDir)) {
+                const fpath = join(localDir, fname);
+                try {
+                    const raw = sanitizePeerContent(await readFile(fpath, "utf-8"));
+                    const wrapped = `<external_content_unverified from="${esc(peer.name)}" file="${esc(`${dir}/${fname}`)}">\n${raw}\n</external_content_unverified>`;
+                    await writeFile(fpath, wrapped);
+                }
+                catch { }
+            }
             pulled.push(`${dir}/`);
         }
         catch (e) {

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "openfused",
-  "version": "0.4.3",
+  "version": "0.4.5",
   "mcpName": "io.github.openfused/openfuse-mcp",
   "description": "The file protocol for AI agent context. Encrypted, signed, peer-to-peer.",
   "license": "MIT",

package/wasm/openfused-core.wasm CHANGED Viewed

Binary file