npm - remote-agents - Versions diffs - 0.1.11 → 0.1.12 - Mend

remote-agents 0.1.11 → 0.1.12

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (3) hide show

package/README.md CHANGED Viewed

@@ -141,6 +141,10 @@ remote-agents install --room dev --token <secret> --relay wss://<your-relay-host
 ```bash
 remote-agents-relay --bind 0.0.0.0:8080
 # agents/MCP then use relay_url = ws://<host>:8080
+# optional: --token <secret> to gate room access at the relay;
+#           --idle-timeout-secs <n> to reap silently-dead sockets (default 90, 0 disables)
+# monitoring: GET /health, /api/rooms (all active rooms + counts),
+#             /api/room/:room (one room's agents)
 ```
 **Cloudflare Worker:**
@@ -232,6 +236,7 @@ the registered entry.
 | `list_agents` | List agents connected to the relay room |
 | `fleet_exec` / `fleet_read` / `fleet_write` / `fleet_git` / `fleet_search` | Run an operation across the fleet — `target = all \| tag1,tag2 \| os:<family>` |
 | `file_search` / `file_stat` / `send_file` / `transfer_get` | Find files on a host, and move a file host→host (UDP, SHA-256 verified) |
+| `tunnel_start` / `tunnel_list` / `tunnel_stop` | Expose a host's local port at a public `*.trycloudflare.com` URL via a Cloudflare quick tunnel (`cloudflared` auto-downloaded; Edit/Bypass) |
 | `mapreduce` | Distributed map/reduce over the fleet (shell map/reduce functions) |
 Each agent advertises platform metadata (OS family, distro, kernel, shell) and

package/install.js CHANGED Viewed

@@ -5,6 +5,7 @@
 const fs = require("fs");
 const path = require("path");
 const https = require("https");
+const crypto = require("crypto");
 const { version } = require("./package.json");
 const REPO = "47-ronn/tunshell_mcp_agents";
@@ -42,6 +43,66 @@ function download(url, dest, redirects = 0) {
 const sleep = (ms) => new Promise((r) => setTimeout(r, ms));
+// GET a small text resource into memory (follows redirects). Used for the
+// checksum sidecar.
+function httpGetText(url, redirects = 0) {
+  return new Promise((resolve, reject) => {
+    if (redirects > 10) return reject(new Error("too many redirects"));
+    https
+      .get(url, { headers: { "User-Agent": "remote-agents-installer" } }, (res) => {
+        if ([301, 302, 303, 307, 308].includes(res.statusCode)) {
+          res.resume();
+          return resolve(httpGetText(res.headers.location, redirects + 1));
+        }
+        if (res.statusCode !== 200) {
+          res.resume();
+          return reject(new Error(`HTTP ${res.statusCode} for ${url}`));
+        }
+        let body = "";
+        res.setEncoding("utf8");
+        res.on("data", (c) => (body += c));
+        res.on("end", () => resolve(body));
+      })
+      .on("error", reject);
+  });
+}
+// SHA-256 of a file as lowercase hex.
+function sha256File(file) {
+  return new Promise((resolve, reject) => {
+    const h = crypto.createHash("sha256");
+    const s = fs.createReadStream(file);
+    s.on("data", (d) => h.update(d));
+    s.on("end", () => resolve(h.digest("hex")));
+    s.on("error", reject);
+  });
+}
+// Verify `dest` against the `<url>.sha256` sidecar published with the release.
+// Throws on mismatch (a corrupt/tampered download). If the sidecar is absent
+// (older releases) or malformed, skips verification and returns false — so the
+// installer stays compatible with releases that predate checksums.
+// `fetchText`/`hashFile` are injectable for tests.
+async function verifyChecksum(url, dest, fetchText = httpGetText, hashFile = sha256File) {
+  let doc;
+  try {
+    doc = await fetchText(`${url}.sha256`);
+  } catch {
+    console.warn("remote-agents: no checksum published for this release; skipping verification");
+    return false;
+  }
+  const expected = (doc.trim().split(/\s+/)[0] || "").toLowerCase();
+  if (!/^[0-9a-f]{64}$/.test(expected)) {
+    console.warn("remote-agents: malformed checksum; skipping verification");
+    return false;
+  }
+  const actual = (await hashFile(dest)).toLowerCase();
+  if (actual !== expected) {
+    throw new Error(`checksum mismatch (expected ${expected}, got ${actual})`);
+  }
+  return true;
+}
 // Retry transient download failures (flaky networks / CDN hiccups) with a small
 // linear backoff. `doDownload`/`wait` are injectable for testing.
 async function downloadWithRetry(url, dest, attempts = 3, doDownload = download, wait = sleep) {
@@ -87,14 +148,21 @@ async function main() {
   console.log(`remote-agents: downloading ${asset} (v${version})…`);
   try {
     await downloadWithRetry(url, dest);
-    if (!t.exe) fs.chmodSync(dest, 0o755);
-    console.log(`remote-agents: installed ${dest}`);
   } catch (e) {
     console.error(`remote-agents: failed to download binary: ${e.message}`);
     console.error(`  URL: ${url}`);
     console.error(`  Ensure a release tagged v${version} exists with that asset.`);
     process.exit(1);
   }
+  try {
+    await verifyChecksum(url, dest);
+  } catch (e) {
+    try { fs.unlinkSync(dest); } catch {}
+    console.error(`remote-agents: ${e.message}; the download was corrupt or tampered.`);
+    process.exit(1);
+  }
+  if (!t.exe) fs.chmodSync(dest, 0o755);
+  console.log(`remote-agents: installed ${dest}`);
 }
 // Only download when run as the postinstall script, not when require()'d by tests.
@@ -102,4 +170,4 @@ if (require.main === module) {
   main();
 }
-module.exports = { target, downloadWithRetry };
+module.exports = { target, downloadWithRetry, verifyChecksum, sha256File };

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "remote-agents",
-  "version": "0.1.11",
+  "version": "0.1.12",
   "mcpName": "io.github.47-ronn/remote-agents",
   "description": "Unified MCP server for controlling fleets of remote machines through AI agents (Claude, opencode)",
   "keywords": [