meshcode 2.5.6__tar.gz → 2.5.8__tar.gz

{meshcode-2.5.6 → meshcode-2.5.8}/PKG-INFO

@@ -1,6 +1,6 @@
 Metadata-Version: 2.4
 Name: meshcode
-Version: 2.5.6
+Version: 2.5.8
 Summary: Real-time communication between AI agents — Supabase-backed CLI
 Author-email: MeshCode <hello@meshcode.io>
 License: MIT

{meshcode-2.5.6 → meshcode-2.5.8}/meshcode/__init__.py

@@ -1,2 +1,2 @@
 """MeshCode — Real-time communication between AI agents."""
-__version__ = "2.5.6"
+__version__ = "2.5.8"

{meshcode-2.5.6 → meshcode-2.5.8}/meshcode/meshcode_mcp/backend.py

@@ -244,8 +244,8 @@ def send_message(project_id: str, from_agent: str, to_agent: str, payload: Any,
     if encrypted and api_key:
         mesh_key = get_mesh_key(api_key, project_id)
         if mesh_key:
-            encrypted_data = encrypt_payload(payload, mesh_key)
-            payload = {"_encrypted": encrypted_data}
+            encrypted_data = encrypt_payload(payload, mesh_key, aad=project_id)
+            payload = {"_encrypted": encrypted_data, "_aad": project_id}
             actual_encrypted = True
 
     # Use validated SECURITY DEFINER RPC when api_key is provided
@@ -302,6 +302,55 @@ def send_message(project_id: str, from_agent: str, to_agent: str, payload: Any,
 
 
 def read_inbox(project_id: str, agent: str, mark_read: bool = True, api_key: Optional[str] = None) -> List[Dict]:
+    # Use SECURITY DEFINER RPC when api_key is available (bypasses RLS safely)
+    if api_key:
+        rpc_result = sb_rpc("mc_read_inbox", {
+            "p_api_key": api_key,
+            "p_project_id": project_id,
+            "p_agent_name": agent,
+            "p_mark_read": mark_read,
+        })
+        if isinstance(rpc_result, dict) and rpc_result.get("ok"):
+            messages = rpc_result.get("messages", [])
+            if isinstance(messages, list):
+                # Auto-decrypt and ACK (mark_read already handled by RPC)
+                mesh_key = None
+                for m in messages:
+                    p = m.get("payload")
+                    if isinstance(p, dict) and "_encrypted" in p:
+                        if mesh_key is None:
+                            mesh_key = get_mesh_key(api_key, project_id)
+                        if mesh_key:
+                            decrypted = decrypt_payload(p["_encrypted"], mesh_key)
+                            if decrypted is not None:
+                                m["payload"] = decrypted
+                                m["_was_encrypted"] = True
+                if mark_read and messages:
+                    import datetime as _dt
+                    now = _dt.datetime.now(_dt.timezone.utc)
+                    def _is_stale_rpc(m):
+                        ts = m.get("created_at")
+                        if not ts:
+                            return True
+                        try:
+                            dt = _dt.datetime.fromisoformat(str(ts).replace("Z", "+00:00"))
+                            return (now - dt).total_seconds() > 60
+                        except Exception:
+                            return True
+                    ack_targets = {
+                        m.get("from_agent", "")
+                        for m in messages
+                        if m.get("type") not in ("ack", "broadcast") and _is_stale_rpc(m)
+                    }
+                    for sender in ack_targets:
+                        if sender:
+                            send_message(project_id, agent, sender,
+                                         {"text": f"{agent} read your message"},
+                                         msg_type="ack", api_key=api_key)
+                return messages
+        # If RPC doesn't exist yet, fall through to direct query
+
+    # Fallback: direct SELECT (tests/legacy — requires anon RLS bypass)
     messages = sb_select(
         "mc_messages",
         f"project_id=eq.{project_id}&to_agent=eq.{quote(agent)}&read=eq.false",
@@ -365,7 +414,19 @@ def read_inbox(project_id: str, agent: str, mark_read: bool = True, api_key: Opt
     return messages
 
 
-def count_pending(project_id: str, agent: str) -> int:
+def count_pending(project_id: str, agent: str, api_key: Optional[str] = None) -> int:
+    # Use SECURITY DEFINER RPC when api_key is available
+    if api_key:
+        result = sb_rpc("mc_count_pending", {
+            "p_api_key": api_key,
+            "p_project_id": project_id,
+            "p_agent_name": agent,
+        })
+        if isinstance(result, dict) and result.get("ok"):
+            return result.get("count", 0)
+        # Fall through to direct query if RPC doesn't exist yet
+
+    # Fallback: direct SELECT (tests/legacy)
     pending = sb_select(
         "mc_messages",
         f"project_id=eq.{project_id}&to_agent=eq.{quote(agent)}&read=eq.false&type=neq.ack",
@@ -396,8 +457,15 @@ def get_mesh_key(api_key: str, project_id: str) -> Optional[str]:
     return None
 
 
-def encrypt_payload(payload: Dict, hex_key: str) -> str:
-    """Encrypt a JSON payload using AES-256-GCM. Returns base64-encoded ciphertext."""
+def encrypt_payload(payload: Dict, hex_key: str, aad: Optional[str] = None) -> str:
+    """Encrypt a JSON payload using AES-256-GCM with optional AAD.
+
+    Args:
+        payload: JSON-serializable dict to encrypt.
+        hex_key: Hex-encoded AES-256 key.
+        aad: Additional Authenticated Data (e.g. project_id) to bind
+             ciphertext to context and prevent replay/swap attacks.
+    """
     import base64
     try:
         from cryptography.hazmat.primitives.ciphers.aead import AESGCM
@@ -406,14 +474,19 @@ def encrypt_payload(payload: Dict, hex_key: str) -> str:
     key = bytes.fromhex(hex_key)
     nonce = os.urandom(12)  # 96-bit nonce for GCM
     plaintext = json.dumps(payload).encode("utf-8")
+    aad_bytes = aad.encode("utf-8") if aad else None
     aesgcm = AESGCM(key)
-    ciphertext = aesgcm.encrypt(nonce, plaintext, None)
+    ciphertext = aesgcm.encrypt(nonce, plaintext, aad_bytes)
     # Format: base64(nonce + ciphertext)
     return base64.b64encode(nonce + ciphertext).decode("ascii")
 
 
-def decrypt_payload(encrypted_b64: str, hex_key: str) -> Optional[Dict]:
-    """Decrypt an AES-256-GCM encrypted payload. Returns None on failure."""
+def decrypt_payload(encrypted_b64: str, hex_key: str, aad: Optional[str] = None) -> Optional[Dict]:
+    """Decrypt an AES-256-GCM encrypted payload. Returns None on failure.
+
+    Tries with AAD first, falls back to no-AAD for backward compat
+    with messages encrypted before AAD was added.
+    """
     import base64
     try:
         from cryptography.hazmat.primitives.ciphers.aead import AESGCM
@@ -425,6 +498,15 @@ def decrypt_payload(encrypted_b64: str, hex_key: str) -> Optional[Dict]:
         nonce = raw[:12]
         ciphertext = raw[12:]
         aesgcm = AESGCM(key)
+        aad_bytes = aad.encode("utf-8") if aad else None
+        # Try with AAD first
+        if aad_bytes:
+            try:
+                plaintext = aesgcm.decrypt(nonce, ciphertext, aad_bytes)
+                return json.loads(plaintext.decode("utf-8"))
+            except Exception:
+                pass  # Fall through to no-AAD for backward compat
+        # Try without AAD (legacy messages)
         plaintext = aesgcm.decrypt(nonce, ciphertext, None)
         return json.loads(plaintext.decode("utf-8"))
     except Exception:

{meshcode-2.5.6 → meshcode-2.5.8}/meshcode/meshcode_mcp/server.py

@@ -748,9 +748,10 @@ SESSION START (do these IMMEDIATELY — don't wait for user input):
 1. meshcode_set_status(status="online", task="ready")
 2. meshcode_check() — read pending messages
 3. meshcode_tasks() — check for assigned/pending tasks and claim any unclaimed ones
-4. meshcode_status() — see who's online
-5. If other agents are online → meshcode_send them a greeting
-6. meshcode_wait() — enter the loop
+4. meshcode_auto_wake() — scan meshwork health, create tasks for issues found
+5. meshcode_status() — see who's online
+6. If other agents are online → meshcode_send them a greeting
+7. meshcode_wait() — enter the loop
 
 CRITICAL: You communicate by CALLING TOOLS, not by thinking or writing text.
 To talk to another agent → call meshcode_send(to="agent", message="...")
@@ -792,6 +793,9 @@ COMMANDER PROTOCOL (you are the team lead):
 - Keep the human informed with brief status updates at milestones.
 - You are autonomous: fix small issues yourself, delegate big ones.
 - After each sprint: consolidate learnings, update scratchpad, save to memory.
+- PROACTIVE MAINTENANCE: call meshcode_auto_wake() on session start and after
+  completing sprints. It scans meshwork health (stale agents, task backlog,
+  empty memories). Turn suggestions into real tasks — quality over quantity.
 """
     return base
 
@@ -1132,10 +1136,28 @@ def meshcode_send(to: str, message: Any, in_reply_to: Optional[str] = None,
     # Cross-mesh routing: if 'to' contains '@', parse as agent@meshwork
     if "@" in to:
         target_agent, target_meshwork = to.split("@", 1)
-        if sensitive or encrypted:
-            return {"error": "sensitive/encrypted messages cannot be sent cross-mesh"}
+        if sensitive and not encrypted:
+            return {"error": "sensitive messages must use encrypted=True for cross-mesh"}
         api_key = _get_api_key()
-        return be.sb_rpc("mc_send_cross_mesh", {
+
+        # Bridge re-encryption: encrypt payload with the TARGET mesh key so
+        # the receiving agent decrypts normally. Uses mc_get_cross_mesh_key
+        # RPC which validates the link exists before returning the key.
+        if encrypted:
+            key_result = be.sb_rpc("mc_get_cross_mesh_key", {
+                "p_api_key": api_key,
+                "p_source_project": PROJECT_NAME,
+                "p_target_project": target_meshwork,
+                "p_agent_name": AGENT_NAME,
+            })
+            if not isinstance(key_result, dict) or not key_result.get("ok"):
+                err = key_result.get("error", "unknown") if isinstance(key_result, dict) else "RPC failed"
+                return {"error": f"cross-mesh encryption failed: {err}"}
+            tgt_key = key_result["key"]
+            encrypted_data = be.encrypt_payload(payload, tgt_key)
+            payload = {"_encrypted": encrypted_data}
+
+        result = be.sb_rpc("mc_send_cross_mesh", {
             "p_api_key": api_key,
             "p_from_project": PROJECT_NAME,
             "p_from_agent": AGENT_NAME,
@@ -1144,6 +1166,9 @@ def meshcode_send(to: str, message: Any, in_reply_to: Optional[str] = None,
             "p_payload": payload,
             "p_type": "msg",
         })
+        if isinstance(result, dict) and result.get("ok") and encrypted:
+            result["encrypted"] = True
+        return result
 
     return be.send_message(_PROJECT_ID, AGENT_NAME, to, payload, msg_type="msg",
                            parent_msg_id=in_reply_to, sensitive=sensitive,
@@ -1402,7 +1427,7 @@ def meshcode_check(include_acks: bool = False, since: Optional[str] = None) -> D
         since: ISO-8601 timestamp. Only return messages newer than this.
                Use meshcode_remember("last_seen", ts) to persist across sessions.
     """
-    pending = be.count_pending(_PROJECT_ID, AGENT_NAME)
+    pending = be.count_pending(_PROJECT_ID, AGENT_NAME, api_key=_get_api_key())
     # Peek at realtime buffer WITHOUT draining — check is non-destructive
     realtime_buffered = _REALTIME.peek() if _REALTIME else []
     # Don't mark as seen — meshcode_check is a peek, not a consume
@@ -1578,6 +1603,89 @@ def meshcode_task_reject(task_id: str, feedback: str = "") -> Dict[str, Any]:
     })
 
 
+# ----------------- PROACTIVE HEALTH SCAN -----------------
+
+@mcp.tool()
+@with_working_status
+def meshcode_auto_wake() -> Dict[str, Any]:
+    """Scan meshwork health and suggest maintenance tasks.
+
+    Checks: stale agents, task backlog, empty memories, unlinked meshworks.
+    Returns a list of suggested tasks the commander can create.
+    Call this on session start or periodically to keep the meshwork healthy.
+    """
+    api_key = _get_api_key()
+    suggestions: List[Dict[str, str]] = []
+
+    # 1. Check for stale agents (heartbeat >10 min, not offline/sleeping)
+    try:
+        agents = be.get_board(_PROJECT_ID)
+        import datetime as _dt
+        now = _dt.datetime.now(_dt.timezone.utc)
+        for a in agents:
+            if a.get("status") in ("offline", "sleeping", "done", "needs_setup"):
+                continue
+            hb = a.get("last_heartbeat")
+            if hb:
+                try:
+                    dt = _dt.datetime.fromisoformat(str(hb).replace("Z", "+00:00"))
+                    age_min = (now - dt).total_seconds() / 60
+                    if age_min > 10:
+                        suggestions.append({
+                            "title": f"Stale agent: {a['name']} ({int(age_min)}min no heartbeat)",
+                            "priority": "high",
+                            "assignee": "mesh-commander",
+                            "description": f"Agent {a['name']} shows status '{a.get('status')}' but last heartbeat was {int(age_min)} min ago. Force disconnect or investigate.",
+                        })
+                except Exception:
+                    pass
+    except Exception:
+        pass
+
+    # 2. Check task backlog — open tasks with no assignee
+    try:
+        task_result = be.task_list(api_key, _PROJECT_ID, AGENT_NAME, status_filter="open")
+        if isinstance(task_result, dict) and task_result.get("ok"):
+            open_tasks = task_result.get("tasks", [])
+            unassigned = [t for t in open_tasks if not t.get("assigned_to") or t.get("assigned_to") == "*"]
+            if len(unassigned) > 3:
+                suggestions.append({
+                    "title": f"Task backlog: {len(unassigned)} unassigned open tasks",
+                    "priority": "normal",
+                    "assignee": "mesh-commander",
+                    "description": "Review and assign or close stale tasks to keep the board clean.",
+                })
+    except Exception:
+        pass
+
+    # 3. Check for agents with zero memories
+    try:
+        for a in agents:
+            mem_result = be.sb_rpc("mc_recall_all", {
+                "p_api_key": api_key,
+                "p_project_id": _PROJECT_ID,
+                "p_agent_name": a["name"],
+            })
+            if isinstance(mem_result, dict) and mem_result.get("ok"):
+                memories = mem_result.get("memories", [])
+                if len(memories) == 0 and a.get("status") not in ("needs_setup",):
+                    suggestions.append({
+                        "title": f"Agent {a['name']} has zero memories",
+                        "priority": "normal",
+                        "assignee": a["name"],
+                        "description": "Agent should save learnings, patterns, and preferences to memory for cross-session persistence.",
+                    })
+    except Exception:
+        pass
+
+    return {
+        "ok": True,
+        "suggestions": suggestions,
+        "total": len(suggestions),
+        "note": "Use meshcode_task_create to turn suggestions into assigned tasks.",
+    }
+
+
 # ----------------- MESH LINK TOOLS -----------------
 
 @mcp.tool()
@@ -1972,7 +2080,15 @@ def history_resource() -> str:
 # ============================================================
 
 def _auto_update() -> None:
-    """Silently upgrade meshcode from PyPI in background on every launch."""
+    """Upgrade meshcode from PyPI in background — opt-in via MESHCODE_AUTO_UPDATE=1.
+
+    Disabled by default to mitigate supply chain risk: if the PyPI account
+    is compromised, every agent would silently install malicious code.
+    """
+    if os.environ.get("MESHCODE_AUTO_UPDATE", "0") != "1":
+        log.debug("[meshcode] Auto-update disabled (set MESHCODE_AUTO_UPDATE=1 to enable)")
+        return
+
     import threading
 
     def _upgrade():

{meshcode-2.5.6 → meshcode-2.5.8}/meshcode.egg-info/PKG-INFO

@@ -1,6 +1,6 @@
 Metadata-Version: 2.4
 Name: meshcode
-Version: 2.5.6
+Version: 2.5.8
 Summary: Real-time communication between AI agents — Supabase-backed CLI
 Author-email: MeshCode <hello@meshcode.io>
 License: MIT

{meshcode-2.5.6 → meshcode-2.5.8}/pyproject.toml

@@ -4,7 +4,7 @@ build-backend = "setuptools.build_meta"
 
 [project]
 name = "meshcode"
-version = "2.5.6"
+version = "2.5.8"
 description = "Real-time communication between AI agents — Supabase-backed CLI"
 readme = "README.md"
 license = {text = "MIT"}