@memtensor/memos-local-openclaw-plugin 1.0.4-beta.2 → 1.0.4-beta.20

package/src/hub/server.ts

@@ -14,6 +14,7 @@ type HubServerOptions = {
   config: MemosLocalConfig;
   dataDir: string;
   embedder?: Embedder;
+  defaultHubPort?: number;
 };
 
 type HubAuthState = {
@@ -34,6 +35,11 @@ export class HubServer {
   private static readonly RATE_LIMIT_SEARCH = 30;
   private rateBuckets = new Map<string, { count: number; windowStart: number }>();
 
+  private static readonly OFFLINE_THRESHOLD_MS = 2 * 60 * 1000;
+  private static readonly OFFLINE_CHECK_INTERVAL_MS = 30 * 1000;
+  private offlineCheckTimer?: ReturnType<typeof setInterval>;
+  private knownOnlineUsers = new Set<string>();
+
   constructor(private opts: HubServerOptions) {
     this.userManager = new HubUserManager(opts.store, opts.log);
     this.authStatePath = path.join(opts.dataDir, "hub-auth.json");
@@ -74,18 +80,31 @@ export class HubServer {
       }
     });
 
+    const MAX_PORT_RETRIES = 3;
+    let hubPort = this.port;
     await new Promise<void>((resolve, reject) => {
-      const onError = (err: Error) => {
-        this.server?.off("listening", onListening);
-        reject(err);
+      let retries = 0;
+      const onError = (err: NodeJS.ErrnoException) => {
+        if (err.code === "EADDRINUSE" && retries < MAX_PORT_RETRIES) {
+          retries++;
+          hubPort = this.port + retries;
+          this.opts.log.warn(`Hub port ${hubPort - 1} in use, trying ${hubPort}`);
+          this.server!.listen(hubPort, "0.0.0.0");
+        } else {
+          this.server?.off("listening", onListening);
+          reject(err);
+        }
       };
       const onListening = () => {
         this.server?.off("error", onError);
+        if (hubPort !== this.port) {
+          this.opts.log.info(`Hub started on fallback port ${hubPort} (configured: ${this.port})`);
+        }
         resolve();
       };
-      this.server!.once("error", onError);
+      this.server!.on("error", onError);
       this.server!.once("listening", onListening);
-      this.server!.listen(this.port, "0.0.0.0");
+      this.server!.listen(hubPort, "0.0.0.0");
     });
 
     const bootstrap = this.userManager.ensureBootstrapAdmin(
@@ -101,18 +120,40 @@ export class HubServer {
       this.opts.log.info(`memos-local: bootstrap admin token persisted to ${this.authStatePath}`);
     }
 
-    return `http://127.0.0.1:${this.port}`;
+    this.initOnlineTracking();
+    this.offlineCheckTimer = setInterval(() => this.checkOfflineUsers(), HubServer.OFFLINE_CHECK_INTERVAL_MS);
+
+    return `http://127.0.0.1:${hubPort}`;
   }
 
   async stop(): Promise<void> {
+    if (this.offlineCheckTimer) { clearInterval(this.offlineCheckTimer); this.offlineCheckTimer = undefined; }
     if (!this.server) return;
+
+    try {
+      const activeUsers = this.opts.store.listHubUsers("active");
+      const ownerId = this.authState.bootstrapAdminUserId || "";
+      for (const u of activeUsers) {
+        if (u.id === ownerId) continue;
+        try {
+          this.opts.store.insertHubNotification({
+            id: randomUUID(), userId: u.id, type: "hub_shutdown",
+            resource: "system", title: `Team server "${this.teamName}" has been shut down by the admin.`,
+          });
+        } catch { /* best-effort */ }
+      }
+    } catch { /* best-effort */ }
+
     const server = this.server;
     this.server = undefined;
     await new Promise<void>((resolve) => server.close(() => resolve()));
   }
 
   private get port(): number {
-    return this.opts.config.sharing?.hub?.port ?? 18800;
+    const configured = this.opts.config.sharing?.hub?.port;
+    const derived = this.opts.defaultHubPort;
+    if (derived && (!configured || configured === 18800)) return derived;
+    return configured ?? 18800;
   }
 
   private get teamName(): string {
@@ -160,6 +201,20 @@ export class HubServer {
     });
   }
 
+  private embedSkillAsync(skillId: string, name: string, description: string, sourceUserId: string, sourceSkillId: string): void {
+    const embedder = this.opts.embedder;
+    if (!embedder) return;
+    const text = `${name}: ${description}`;
+    embedder.embed([text]).then((vectors) => {
+      if (vectors[0]) {
+        this.opts.store.upsertHubSkillEmbedding(skillId, Array.from(vectors[0]), sourceUserId, sourceSkillId);
+        this.opts.log.info(`hub: embedded shared skill ${skillId}`);
+      }
+    }).catch((err) => {
+      this.opts.log.warn(`hub: embedding shared skill failed: ${err}`);
+    });
+  }
+
   private embedMemoryAsync(memoryId: string, summary: string, content: string): void {
     const embedder = this.opts.embedder;
     if (!embedder) return;
@@ -192,32 +247,74 @@ export class HubServer {
         return this.json(res, 403, { error: "invalid_team_token" });
       }
       const username = String(body.username || `user-${randomUUID().slice(0, 8)}`);
-      const existingUsers = this.opts.store.listHubUsers();
-      const existingUser = existingUsers.find(u => u.username === username);
+      const joinIp = (typeof body.clientIp === "string" && body.clientIp)
+        || (req.headers["x-client-ip"] as string)?.trim()
+        || (req.headers["x-forwarded-for"] as string)?.split(",")[0]?.trim()
+        || req.socket.remoteAddress || "";
+      const identityKey = typeof body.identityKey === "string" ? body.identityKey.trim() : "";
+
+      let existingUser = identityKey
+        ? this.userManager.findByIdentityKey(identityKey)
+        : null;
+      if (!existingUser) {
+        const existingUsers = this.opts.store.listHubUsers();
+        existingUser = existingUsers.find(u => u.username === username && u.status !== "left" && u.status !== "removed") ?? null;
+      }
+
       if (existingUser) {
+        try { this.opts.store.updateHubUserActivity(existingUser.id, joinIp); } catch { /* best-effort */ }
+
         if (existingUser.status === "active") {
           const token = issueUserToken(
             { userId: existingUser.id, username: existingUser.username, role: existingUser.role, status: "active" },
             this.authSecret,
           );
           this.userManager.approveUser(existingUser.id, token);
-          return this.json(res, 200, { status: "active", userId: existingUser.id, userToken: token });
+          if (identityKey && !existingUser.identityKey) {
+            this.opts.store.upsertHubUser({ ...existingUser, identityKey });
+          }
+          return this.json(res, 200, { status: "active", userId: existingUser.id, userToken: token, identityKey: existingUser.identityKey || identityKey });
         }
         if (existingUser.status === "pending") {
-          return this.json(res, 200, { status: "pending", userId: existingUser.id });
+          this.notifyAdmins("user_join_request", "user", username, "", { dedup: true });
+          return this.json(res, 200, { status: "pending", userId: existingUser.id, identityKey: existingUser.identityKey || identityKey });
         }
         if (existingUser.status === "rejected") {
-          this.userManager.resetToPending(existingUser.id);
-          this.opts.log.info(`Hub: rejected user "${username}" (${existingUser.id}) re-applied, reset to pending`);
-          return this.json(res, 200, { status: "pending", userId: existingUser.id });
+          if (body.reapply === true) {
+            this.userManager.resetToPending(existingUser.id);
+            this.notifyAdmins("user_join_request", "user", username, "");
+            this.opts.log.info(`Hub: rejected user "${username}" (${existingUser.id}) re-applied, reset to pending`);
+            return this.json(res, 200, { status: "pending", userId: existingUser.id, identityKey: existingUser.identityKey || identityKey });
+          }
+          return this.json(res, 200, { status: "rejected", userId: existingUser.id });
+        }
+        if (existingUser.status === "removed") {
+          this.userManager.rejoinUser(existingUser.id);
+          this.notifyAdmins("user_join_request", "user", username, "", { dedup: true });
+          this.opts.log.info(`Hub: removed user "${username}" (${existingUser.id}) re-applied via rejoin, reset to pending`);
+          return this.json(res, 200, { status: "pending", userId: existingUser.id, identityKey: existingUser.identityKey || identityKey });
+        }
+        if (existingUser.status === "left") {
+          this.userManager.rejoinUser(existingUser.id);
+          this.notifyAdmins("user_join_request", "user", username, "", { dedup: true });
+          this.opts.log.info(`Hub: left user "${username}" (${existingUser.id}) re-applied via rejoin, reset to pending`);
+          return this.json(res, 200, { status: "pending", userId: existingUser.id, identityKey: existingUser.identityKey || identityKey });
+        }
+        if (existingUser.status === "blocked") {
+          return this.json(res, 200, { status: "blocked", userId: existingUser.id });
         }
       }
+
+      const generatedIdentityKey = identityKey || randomUUID();
       const user = this.userManager.createPendingUser({
         username,
         deviceName: typeof body.deviceName === "string" ? body.deviceName : undefined,
+        identityKey: generatedIdentityKey,
       });
+      try { this.opts.store.updateHubUserActivity(user.id, joinIp); } catch { /* best-effort */ }
       this.opts.log.info(`Hub: user "${username}" (${user.id}) registered as pending, awaiting admin approval`);
-      return this.json(res, 200, { status: "pending", userId: user.id });
+      this.notifyAdmins("user_join_request", "user", username, "");
+      return this.json(res, 200, { status: "pending", userId: user.id, identityKey: generatedIdentityKey });
     }
 
     if (req.method === "POST" && routePath === "/api/v1/hub/registration-status") {
@@ -235,16 +332,42 @@ export class HubServer {
       if (user.status === "rejected") {
         return this.json(res, 200, { status: "rejected" });
       }
+      if (user.status === "blocked") {
+        return this.json(res, 200, { status: "blocked" });
+      }
+      if (user.status === "left") {
+        return this.json(res, 200, { status: "left" });
+      }
+      if (user.status === "removed") {
+        return this.json(res, 200, { status: "removed" });
+      }
       if (user.status === "active") {
         const token = issueUserToken(
           { userId: user.id, username: user.username, role: user.role, status: user.status },
           this.authSecret,
         );
+        this.userManager.approveUser(user.id, token);
         return this.json(res, 200, { status: "active", userToken: token });
       }
       return this.json(res, 200, { status: user.status });
     }
 
+    if (req.method === "POST" && routePath === "/api/v1/hub/withdraw-pending") {
+      const body = await this.readJson(req);
+      if (!body || body.teamToken !== this.teamToken) {
+        return this.json(res, 403, { error: "invalid_team_token" });
+      }
+      const userId = String(body.userId || "");
+      if (!userId) return this.json(res, 400, { error: "missing_user_id" });
+      const user = this.opts.store.getHubUser(userId);
+      if (!user) return this.json(res, 200, { ok: true });
+      if (user.status === "pending") {
+        this.userManager.markUserLeft(userId);
+        this.opts.log.info(`Hub: user "${user.username}" (${userId}) withdrew pending application`);
+      }
+      return this.json(res, 200, { ok: true });
+    }
+
     // All endpoints below require authentication + rate limiting
     const auth = this.authenticate(req);
     if (!auth) return this.json(res, 401, { error: "unauthorized" });
@@ -254,6 +377,18 @@ export class HubServer {
       return this.json(res, 429, { error: "rate_limit_exceeded", retryAfterMs: HubServer.RATE_WINDOW_MS });
     }
 
+    if (req.method === "POST" && routePath === "/api/v1/hub/heartbeat") {
+      return this.json(res, 200, { ok: true });
+    }
+
+    if (req.method === "POST" && routePath === "/api/v1/hub/leave") {
+      this.userManager.markUserLeft(auth.userId);
+      this.knownOnlineUsers.delete(auth.userId);
+      this.notifyAdmins("user_left", "user", auth.username, auth.userId);
+      this.opts.log.info(`Hub: user "${auth.username}" (${auth.userId}) left voluntarily, status set to "left"`);
+      return this.json(res, 200, { ok: true });
+    }
+
     if (req.method === "GET" && routePath === "/api/v1/hub/me") {
       const user = this.opts.store.getHubUser(auth.userId);
       if (!user) return this.json(res, 401, { error: "unauthorized" });
@@ -272,11 +407,17 @@ export class HubServer {
       }
       const updated = this.userManager.updateUsername(auth.userId, newUsername);
       if (!updated) return this.json(res, 404, { error: "not_found" });
+      const ttlMs = updated.role === "admin" ? 3650 * 24 * 60 * 60 * 1000 : undefined;
       const newToken = issueUserToken(
         { userId: updated.id, username: newUsername, role: updated.role, status: updated.status },
         this.authSecret,
+        ttlMs,
       );
       this.userManager.approveUser(updated.id, newToken);
+      if (updated.id === this.authState.bootstrapAdminUserId) {
+        this.authState.bootstrapAdminToken = newToken;
+        this.saveAuthState();
+      }
       this.opts.log.info(`Hub: user "${auth.userId}" renamed to "${newUsername}"`);
       return this.json(res, 200, { ok: true, username: newUsername, userToken: newToken });
     }
@@ -289,114 +430,136 @@ export class HubServer {
     if (req.method === "POST" && routePath === "/api/v1/hub/admin/approve-user") {
       if (auth.role !== "admin") return this.json(res, 403, { error: "forbidden" });
       const body = await this.readJson(req);
-      const token = issueUserToken({ userId: String(body.userId), username: String(body.username || ""), role: "member", status: "active" }, this.authSecret);
-      const approved = this.userManager.approveUser(String(body.userId), token);
+      const userId = String(body.userId);
+      const username = String(body.username || "");
+      const token = issueUserToken({ userId, username, role: "member", status: "active" }, this.authSecret);
+      const approved = this.userManager.approveUser(userId, token);
       if (!approved) return this.json(res, 404, { error: "not_found" });
+      try { this.opts.store.updateHubUserActivity(userId, ""); } catch { /* best-effort */ }
+      try {
+        this.opts.store.insertHubNotification({
+          id: randomUUID(), userId, type: "membership_approved",
+          resource: "user", title: `Your request to join team "${this.teamName}" has been approved. Welcome!`,
+        });
+      } catch { /* best-effort */ }
       return this.json(res, 200, { status: "active", token });
     }
 
     if (req.method === "POST" && routePath === "/api/v1/hub/admin/reject-user") {
       if (auth.role !== "admin") return this.json(res, 403, { error: "forbidden" });
       const body = await this.readJson(req);
-      const rejected = this.userManager.rejectUser(String(body.userId));
+      const userId = String(body.userId);
+      const rejected = this.userManager.rejectUser(userId);
       if (!rejected) return this.json(res, 404, { error: "not_found" });
+      try {
+        this.opts.store.insertHubNotification({
+          id: randomUUID(), userId, type: "membership_rejected",
+          resource: "user", title: `Your request to join team "${this.teamName}" has been declined.`,
+        });
+      } catch { /* best-effort */ }
       return this.json(res, 200, { status: "rejected" });
     }
 
     if (req.method === "GET" && routePath === "/api/v1/hub/admin/users") {
       if (auth.role !== "admin") return this.json(res, 403, { error: "forbidden" });
       const users = this.opts.store.listHubUsers().filter(u => u.status === "active");
-      return this.json(res, 200, { users: users.map(u => ({ id: u.id, username: u.username, role: u.role, status: u.status })) });
+      const contribs = this.opts.store.getHubUserContributions();
+      const ownerId = this.authState.bootstrapAdminUserId || "";
+      const now = Date.now();
+      return this.json(res, 200, { users: users.map(u => {
+        const c = contribs[u.id] || { memoryCount: 0, taskCount: 0, skillCount: 0 };
+        const isOnline = u.id === ownerId || (!!u.lastActiveAt && now - u.lastActiveAt < HubServer.OFFLINE_THRESHOLD_MS);
+        return {
+          id: u.id, username: u.username, role: u.role, status: u.status,
+          deviceName: u.deviceName, createdAt: u.createdAt, approvedAt: u.approvedAt,
+          lastIp: u.lastIp || "", lastActiveAt: u.lastActiveAt,
+          isOwner: u.id === ownerId, isOnline,
+          memoryCount: c.memoryCount, taskCount: c.taskCount, skillCount: c.skillCount,
+        };
+      }) });
     }
 
-    // ── Group management ──
-
-    if (req.method === "GET" && routePath === "/api/v1/hub/groups") {
+    if (req.method === "POST" && routePath === "/api/v1/hub/admin/change-role") {
       if (auth.role !== "admin") return this.json(res, 403, { error: "forbidden" });
-      const groups = this.opts.store.listHubGroups();
-      return this.json(res, 200, { groups });
+      const body = await this.readJson(req);
+      const userId = String(body?.userId || "");
+      const newRole = String(body?.role || "");
+      if (!userId || (newRole !== "admin" && newRole !== "member")) return this.json(res, 400, { error: "invalid_params" });
+      if (newRole === "member" && userId === this.authState.bootstrapAdminUserId) {
+        return this.json(res, 403, { error: "cannot_demote_owner", message: "The hub owner cannot be demoted" });
+      }
+      const user = this.opts.store.getHubUser(userId);
+      if (!user || user.status !== "active") return this.json(res, 404, { error: "not_found" });
+      const updatedUser = { ...user, role: newRole as "admin" | "member" };
+      this.opts.store.upsertHubUser(updatedUser);
+      this.opts.log.info(`Hub: admin "${auth.userId}" changed role of "${userId}" to "${newRole}"`);
+      try {
+        const notifType = newRole === "admin" ? "role_promoted" : "role_demoted";
+        this.opts.store.insertHubNotification({
+          id: randomUUID(), userId, type: notifType,
+          resource: "user", title: `Your role in team "${this.teamName}" has been changed to ${newRole}.`,
+        });
+      } catch { /* best-effort */ }
+      return this.json(res, 200, { ok: true, role: newRole });
     }
 
-    if (req.method === "POST" && routePath === "/api/v1/hub/groups") {
+    if (req.method === "POST" && routePath === "/api/v1/hub/admin/rename-user") {
       if (auth.role !== "admin") return this.json(res, 403, { error: "forbidden" });
       const body = await this.readJson(req);
-      const name = String(body.name || "").trim();
-      if (!name) return this.json(res, 400, { error: "name_required" });
-      const groupId = randomUUID();
-      this.opts.store.upsertHubGroup({
-        id: groupId,
-        name,
-        description: String(body.description || ""),
-        createdAt: Date.now(),
-      });
-      return this.json(res, 201, { id: groupId, name });
-    }
-
-    const groupDetailMatch = routePath.match(/^\/api\/v1\/hub\/groups\/([^/]+)$/);
-    if (groupDetailMatch) {
-      const groupId = decodeURIComponent(groupDetailMatch[1]);
-
-      if (req.method === "GET") {
-        if (auth.role !== "admin") return this.json(res, 403, { error: "forbidden" });
-        const group = this.opts.store.getHubGroupById(groupId);
-        if (!group) return this.json(res, 404, { error: "not_found" });
-        const members = this.opts.store.listHubGroupMembers(groupId);
-        return this.json(res, 200, { ...group, members });
-      }
-
-      if (req.method === "PUT") {
-        if (auth.role !== "admin") return this.json(res, 403, { error: "forbidden" });
-        const existing = this.opts.store.getHubGroupById(groupId);
-        if (!existing) return this.json(res, 404, { error: "not_found" });
-        const body = await this.readJson(req);
-        this.opts.store.upsertHubGroup({
-          id: groupId,
-          name: String(body.name || existing.name).trim(),
-          description: String(body.description ?? existing.description),
-          createdAt: existing.createdAt,
-        });
-        return this.json(res, 200, { ok: true });
+      const userId = String(body?.userId || "");
+      const newUsername = String(body?.username || "").trim();
+      if (!userId || !newUsername || newUsername.length < 2 || newUsername.length > 32) {
+        return this.json(res, 400, { error: "invalid_params", message: "userId and username (2-32 chars) required" });
       }
-
-      if (req.method === "DELETE") {
-        if (auth.role !== "admin") return this.json(res, 403, { error: "forbidden" });
-        const deleted = this.opts.store.deleteHubGroup(groupId);
-        if (!deleted) return this.json(res, 404, { error: "not_found" });
-        return this.json(res, 200, { ok: true });
+      if (this.userManager.isUsernameTaken(newUsername, userId)) {
+        return this.json(res, 409, { error: "username_taken", message: "Username already in use" });
       }
-    }
-
-    const groupMembersMatch = routePath.match(/^\/api\/v1\/hub\/groups\/([^/]+)\/members$/);
-    if (groupMembersMatch) {
-      const groupId = decodeURIComponent(groupMembersMatch[1]);
-
-      if (req.method === "POST") {
-        if (auth.role !== "admin") return this.json(res, 403, { error: "forbidden" });
-        const group = this.opts.store.getHubGroupById(groupId);
-        if (!group) return this.json(res, 404, { error: "group_not_found" });
-        const body = await this.readJson(req);
-        const userId = String(body.userId || "");
-        if (!userId) return this.json(res, 400, { error: "userId_required" });
-        const user = this.opts.store.getHubUser(userId);
-        if (!user) return this.json(res, 404, { error: "user_not_found" });
-        this.opts.store.addHubGroupMember(groupId, userId);
-        return this.json(res, 200, { ok: true });
+      const user = this.opts.store.getHubUser(userId);
+      if (!user || user.status !== "active") return this.json(res, 404, { error: "not_found" });
+      const ttlMs = user.role === "admin" ? 3650 * 24 * 60 * 60 * 1000 : undefined;
+      const newToken = issueUserToken(
+        { userId: user.id, username: newUsername, role: user.role, status: user.status },
+        this.authSecret,
+        ttlMs,
+      );
+      this.userManager.approveUser(user.id, newToken);
+      const updated = this.opts.store.getHubUser(userId)!;
+      const finalUser = { ...updated, username: newUsername };
+      this.opts.store.upsertHubUser(finalUser);
+      if (userId === this.authState.bootstrapAdminUserId) {
+        this.authState.bootstrapAdminToken = newToken;
+        this.saveAuthState();
       }
+      this.opts.log.info(`Hub: admin "${auth.userId}" renamed user "${userId}" to "${newUsername}"`);
+      return this.json(res, 200, { ok: true, username: newUsername });
+    }
 
-      if (req.method === "DELETE") {
-        if (auth.role !== "admin") return this.json(res, 403, { error: "forbidden" });
-        const body = await this.readJson(req);
-        const userId = String(body.userId || "");
-        if (!userId) return this.json(res, 400, { error: "userId_required" });
-        this.opts.store.removeHubGroupMember(groupId, userId);
-        return this.json(res, 200, { ok: true });
-      }
+    if (req.method === "POST" && routePath === "/api/v1/hub/admin/remove-user") {
+      if (auth.role !== "admin") return this.json(res, 403, { error: "forbidden" });
+      const body = await this.readJson(req);
+      const userId = String(body?.userId || "");
+      if (!userId) return this.json(res, 400, { error: "missing_user_id" });
+      if (userId === auth.userId) return this.json(res, 400, { error: "cannot_remove_self" });
+      if (userId === this.authState.bootstrapAdminUserId) return this.json(res, 403, { error: "cannot_remove_owner", message: "The hub owner cannot be removed" });
+      try {
+        this.opts.store.insertHubNotification({
+          id: randomUUID(), userId, type: "membership_removed",
+          resource: "user", title: `You have been removed from team "${this.teamName}" by the admin.`,
+        });
+      } catch { /* best-effort */ }
+      const cleanResources = body?.cleanResources === true;
+      const deleted = this.opts.store.deleteHubUser(userId, cleanResources);
+      if (!deleted) return this.json(res, 404, { error: "not_found" });
+      this.knownOnlineUsers.delete(userId);
+      this.opts.log.info(`Hub: admin "${auth.userId}" removed user "${userId}" (cleanResources=${cleanResources})`);
+      return this.json(res, 200, { ok: true });
     }
 
     if (req.method === "POST" && routePath === "/api/v1/hub/tasks/share") {
       const body = await this.readJson(req);
       if (!body?.task) return this.json(res, 400, { error: "invalid_payload" });
       const task = { ...body.task, sourceUserId: auth.userId };
+      const existingTask = task.sourceTaskId ? this.opts.store.getHubTaskBySource(auth.userId, task.sourceTaskId) : null;
       this.opts.store.upsertHubTask(task);
       const chunks = Array.isArray(body.chunks) ? body.chunks : [];
       const chunkIds: string[] = [];
@@ -404,16 +567,23 @@ export class HubServer {
         this.opts.store.upsertHubChunk({ ...chunk, sourceUserId: auth.userId });
         chunkIds.push(chunk.id);
       }
-      // Async embedding: don't block the response
       if (this.opts.embedder && chunkIds.length > 0) {
         this.embedChunksAsync(chunkIds, chunks);
       }
+      if (!existingTask) {
+        this.notifyAdmins("resource_shared", "task", String(task.title || task.sourceTaskId || ""), auth.userId);
+      }
       return this.json(res, 200, { ok: true, chunks: chunkIds.length });
     }
 
     if (req.method === "POST" && routePath === "/api/v1/hub/tasks/unshare") {
       const body = await this.readJson(req);
-      this.opts.store.deleteHubTaskBySource(auth.userId, String(body.sourceTaskId));
+      const srcTaskId = String(body.sourceTaskId);
+      const existing = this.opts.store.getHubTaskBySource(auth.userId, srcTaskId);
+      this.opts.store.deleteHubTaskBySource(auth.userId, srcTaskId);
+      if (existing) {
+        this.notifyAdmins("resource_unshared", "task", existing.title || srcTaskId, auth.userId);
+      }
       return this.json(res, 200, { ok: true });
     }
 
@@ -444,6 +614,9 @@ export class HubServer {
       if (this.opts.embedder) {
         this.embedMemoryAsync(memoryId, String(m.summary || ""), String(m.content || ""));
       }
+      if (!existing) {
+        this.notifyAdmins("resource_shared", "memory", String(m.summary || m.content?.slice(0, 60) || memoryId), auth.userId);
+      }
       return this.json(res, 200, { ok: true, memoryId, visibility });
     }
 
@@ -451,7 +624,11 @@ export class HubServer {
       const body = await this.readJson(req);
       const sourceChunkId = String(body?.sourceChunkId || "");
       if (!sourceChunkId) return this.json(res, 400, { error: "missing_source_chunk_id" });
+      const existing = this.opts.store.getHubMemoryBySource(auth.userId, sourceChunkId);
       this.opts.store.deleteHubMemoryBySource(auth.userId, sourceChunkId);
+      if (existing) {
+        this.notifyAdmins("resource_unshared", "memory", existing.summary || existing.content?.slice(0, 60) || sourceChunkId, auth.userId);
+      }
       return this.json(res, 200, { ok: true });
     }
 
@@ -563,19 +740,70 @@ export class HubServer {
     }
 
     if (req.method === "GET" && routePath === "/api/v1/hub/skills") {
-      const hits = this.opts.store.searchHubSkills(String(url.searchParams.get("query") || ""), {
+      const skillQuery = String(url.searchParams.get("query") || "");
+      const skillMaxResults = Number(url.searchParams.get("maxResults") || 10);
+      const ftsSkillHits = this.opts.store.searchHubSkills(skillQuery, {
         userId: auth.userId,
-        maxResults: Number(url.searchParams.get("maxResults") || 10),
-      }).map(({ hit }) => ({
-        skillId: hit.id,
-        name: hit.name,
-        description: hit.description,
-        version: hit.version,
-        visibility: hit.visibility,
-        groupName: hit.group_name,
-        ownerName: hit.owner_name || "unknown",
-        qualityScore: hit.quality_score,
-      }));
+        maxResults: skillMaxResults * 2,
+      });
+
+      let mergedSkillIds: string[];
+      if (this.opts.embedder && skillQuery) {
+        try {
+          const [queryVec] = await this.opts.embedder.embed([skillQuery]);
+          if (queryVec) {
+            const skillEmbs = this.opts.store.getVisibleHubSkillEmbeddings();
+            const cosineSim = (vec: Float32Array) => {
+              let dot = 0, nA = 0, nB = 0;
+              for (let i = 0; i < queryVec.length && i < vec.length; i++) {
+                dot += queryVec[i] * vec[i]; nA += queryVec[i] * queryVec[i]; nB += vec[i] * vec[i];
+              }
+              return nA > 0 && nB > 0 ? dot / (Math.sqrt(nA) * Math.sqrt(nB)) : 0;
+            };
+            const vecScored = skillEmbs
+              .map(e => ({ id: e.skillId, score: cosineSim(e.vector) }))
+              .filter(e => e.score > 0.3)
+              .sort((a, b) => b.score - a.score)
+              .slice(0, skillMaxResults * 2);
+
+            const K = 60;
+            const rrfScores = new Map<string, number>();
+            ftsSkillHits.forEach(({ hit }, idx) => {
+              rrfScores.set(hit.id, (rrfScores.get(hit.id) ?? 0) + 1 / (K + idx + 1));
+            });
+            vecScored.forEach(({ id }, idx) => {
+              rrfScores.set(id, (rrfScores.get(id) ?? 0) + 1 / (K + idx + 1));
+            });
+            mergedSkillIds = [...rrfScores.entries()].sort((a, b) => b[1] - a[1]).slice(0, skillMaxResults).map(([id]) => id);
+          } else {
+            mergedSkillIds = ftsSkillHits.slice(0, skillMaxResults).map(({ hit }) => hit.id);
+          }
+        } catch {
+          mergedSkillIds = ftsSkillHits.slice(0, skillMaxResults).map(({ hit }) => hit.id);
+        }
+      } else {
+        mergedSkillIds = ftsSkillHits.slice(0, skillMaxResults).map(({ hit }) => hit.id);
+      }
+
+      const ftsSkillMap = new Map(ftsSkillHits.map(({ hit }) => [hit.id, hit]));
+      const hits = mergedSkillIds.map(id => {
+        const hit = ftsSkillMap.get(id);
+        if (hit) {
+          return {
+            skillId: hit.id, name: hit.name, description: hit.description,
+            version: hit.version, visibility: hit.visibility, groupName: hit.group_name,
+            ownerName: hit.owner_name || "unknown", ownerStatus: hit.owner_status || "",
+            qualityScore: hit.quality_score,
+          };
+        }
+        const skill = this.opts.store.getHubSkillById(id);
+        if (!skill) return null;
+        return {
+          skillId: skill.id, name: skill.name, description: skill.description,
+          version: skill.version, visibility: skill.visibility, groupName: "",
+          ownerName: "unknown", ownerStatus: "", qualityScore: skill.qualityScore,
+        };
+      }).filter(Boolean);
       return this.json(res, 200, { hits });
     }
 
@@ -601,6 +829,10 @@ export class HubServer {
         createdAt: existing?.createdAt ?? Date.now(),
         updatedAt: Date.now(),
       });
+      this.embedSkillAsync(skillId, String(metadata.name || sourceSkillId), String(metadata.description || ""), auth.userId, sourceSkillId);
+      if (!existing) {
+        this.notifyAdmins("resource_shared", "skill", String(metadata.name || sourceSkillId), auth.userId);
+      }
       return this.json(res, 200, { ok: true, skillId, visibility });
     }
 
@@ -623,7 +855,12 @@ export class HubServer {
 
     if (req.method === "POST" && routePath === "/api/v1/hub/skills/unpublish") {
       const body = await this.readJson(req);
-      this.opts.store.deleteHubSkillBySource(auth.userId, String(body?.sourceSkillId || ""));
+      const srcSkillId = String(body?.sourceSkillId || "");
+      const existing = this.opts.store.getHubSkillBySource(auth.userId, srcSkillId);
+      this.opts.store.deleteHubSkillBySource(auth.userId, srcSkillId);
+      if (existing) {
+        this.notifyAdmins("resource_unshared", "skill", existing.name || srcSkillId, auth.userId);
+      }
       return this.json(res, 200, { ok: true });
     }
 
@@ -635,12 +872,48 @@ export class HubServer {
       return this.json(res, 200, { tasks });
     }
 
+    const hubTaskDetailMatch = req.method === "GET" ? routePath.match(/^\/api\/v1\/hub\/shared-tasks\/([^/]+)\/detail$/) : null;
+    if (hubTaskDetailMatch) {
+      const taskId = decodeURIComponent(hubTaskDetailMatch[1]);
+      const task = this.opts.store.getHubTaskById(taskId);
+      if (!task) return this.json(res, 404, { error: "not_found" });
+      const chunks = this.opts.store.listHubChunksByTaskId(taskId);
+      return this.json(res, 200, {
+        id: task.id, title: task.title, summary: task.summary,
+        startedAt: task.createdAt, endedAt: task.updatedAt,
+        chunks: chunks.map(c => ({ role: c.role, content: c.content, summary: c.summary, kind: c.kind, createdAt: c.createdAt })),
+      });
+    }
+
+    const hubSkillDetailMatch = req.method === "GET" ? routePath.match(/^\/api\/v1\/hub\/shared-skills\/([^/]+)\/detail$/) : null;
+    if (hubSkillDetailMatch) {
+      const skillId = decodeURIComponent(hubSkillDetailMatch[1]);
+      const skill = this.opts.store.getHubSkillById(skillId);
+      if (!skill) return this.json(res, 404, { error: "not_found" });
+      let files: Array<{ path: string; type: string; size: number }> = [];
+      try {
+        const bundle = JSON.parse(skill.bundle || "{}");
+        if (Array.isArray(bundle.files)) {
+          files = bundle.files.map((f: any) => ({ path: f.path ?? f.name ?? "unknown", type: f.type ?? "file", size: f.size ?? (f.content ? f.content.length : 0) }));
+        }
+      } catch { /* ignore parse error */ }
+      return this.json(res, 200, {
+        skill: { id: skill.id, name: skill.name, description: skill.description, version: skill.version, qualityScore: skill.qualityScore, status: "published" },
+        files,
+        versions: [],
+      });
+    }
+
     const adminTaskDeleteMatch = req.method === "DELETE" ? routePath.match(/^\/api\/v1\/hub\/admin\/shared-tasks\/([^/]+)$/) : null;
     if (adminTaskDeleteMatch) {
       if (auth.role !== "admin") return this.json(res, 403, { error: "forbidden" });
       const taskId = decodeURIComponent(adminTaskDeleteMatch[1]);
+      const taskInfo = this.opts.store.getHubTaskById(taskId);
       const deleted = this.opts.store.deleteHubTaskById(taskId);
       if (!deleted) return this.json(res, 404, { error: "not_found" });
+      if (taskInfo) {
+        this.opts.store.insertHubNotification({ id: randomUUID(), userId: taskInfo.sourceUserId, type: "resource_removed", resource: "task", title: taskInfo.title });
+      }
       return this.json(res, 200, { ok: true });
     }
 
@@ -654,8 +927,12 @@ export class HubServer {
     if (adminSkillDeleteMatch) {
       if (auth.role !== "admin") return this.json(res, 403, { error: "forbidden" });
       const skillId = decodeURIComponent(adminSkillDeleteMatch[1]);
+      const skillInfo = this.opts.store.getHubSkillById(skillId);
       const deleted = this.opts.store.deleteHubSkillById(skillId);
       if (!deleted) return this.json(res, 404, { error: "not_found" });
+      if (skillInfo) {
+        this.opts.store.insertHubNotification({ id: randomUUID(), userId: skillInfo.sourceUserId, type: "resource_removed", resource: "skill", title: skillInfo.name });
+      }
       return this.json(res, 200, { ok: true });
     }
 
@@ -669,8 +946,23 @@ export class HubServer {
     if (adminMemoryDeleteMatch) {
       if (auth.role !== "admin") return this.json(res, 403, { error: "forbidden" });
       const memoryId = decodeURIComponent(adminMemoryDeleteMatch[1]);
+      const memInfo = this.opts.store.getHubMemoryById(memoryId);
       const deleted = this.opts.store.deleteHubMemoryById(memoryId);
       if (!deleted) return this.json(res, 404, { error: "not_found" });
+      if (memInfo) {
+        const payload = JSON.stringify({
+          memoryId,
+          sourceChunkId: memInfo.sourceChunkId,
+        });
+        this.opts.store.insertHubNotification({
+          id: randomUUID(),
+          userId: memInfo.sourceUserId,
+          type: "resource_removed",
+          resource: "memory",
+          title: memInfo.summary || memInfo.id,
+          message: payload,
+        });
+      }
       return this.json(res, 200, { ok: true });
     }
 
@@ -693,9 +985,87 @@ export class HubServer {
       });
     }
 
+    if (req.method === "GET" && routePath === "/api/v1/hub/notifications") {
+      const unread = (new URL(req.url!, `http://${req.headers.host}`)).searchParams.get("unread") === "1";
+      const list = this.opts.store.listHubNotifications(auth.userId, { unreadOnly: unread, limit: 50 });
+      const unreadCount = this.opts.store.countUnreadHubNotifications(auth.userId);
+      return this.json(res, 200, { notifications: list, unreadCount });
+    }
+
+    if (req.method === "POST" && routePath === "/api/v1/hub/notifications/read") {
+      const body = await this.readJson(req);
+      const ids = Array.isArray(body.ids) ? body.ids as string[] : undefined;
+      this.opts.store.markHubNotificationsRead(auth.userId, ids);
+      return this.json(res, 200, { ok: true });
+    }
+
+    if (req.method === "POST" && routePath === "/api/v1/hub/notifications/clear") {
+      this.opts.store.clearHubNotifications(auth.userId);
+      return this.json(res, 200, { ok: true });
+    }
+
     return this.json(res, 404, { error: "not_found" });
   }
 
+  private notifyAdmins(type: string, resource: string, title: string, fromUserId: string, opts?: { dedup?: boolean; deduoWindowMs?: number }): void {
+    try {
+      const admins = this.opts.store.listHubUsers("active").filter(u => u.role === "admin" && u.id !== fromUserId);
+      for (const admin of admins) {
+        if (opts?.dedup && this.opts.store.hasRecentHubNotification(admin.id, type, resource, opts.deduoWindowMs ?? 300_000)) {
+          continue;
+        }
+        this.opts.store.insertHubNotification({ id: randomUUID(), userId: admin.id, type, resource, title });
+      }
+    } catch { /* best-effort */ }
+  }
+
+  private initOnlineTracking(): void {
+    try {
+      const ownerId = this.authState.bootstrapAdminUserId || "";
+      const users = this.opts.store.listHubUsers("active");
+      const now = Date.now();
+      for (const u of users) {
+        if (u.id === ownerId) continue;
+        if (u.lastActiveAt && now - u.lastActiveAt < HubServer.OFFLINE_THRESHOLD_MS) {
+          this.knownOnlineUsers.add(u.id);
+        }
+      }
+    } catch { /* best-effort */ }
+  }
+
+  private checkOfflineUsers(): void {
+    try {
+      const ownerId = this.authState.bootstrapAdminUserId || "";
+      const users = this.opts.store.listHubUsers("active");
+      const now = Date.now();
+      const currentlyOnline = new Set<string>();
+      for (const u of users) {
+        if (u.id === ownerId) continue;
+        if (u.lastActiveAt && now - u.lastActiveAt < HubServer.OFFLINE_THRESHOLD_MS) {
+          currentlyOnline.add(u.id);
+        }
+      }
+      for (const uid of this.knownOnlineUsers) {
+        if (!currentlyOnline.has(uid)) {
+          const user = users.find(u => u.id === uid);
+          if (user) {
+            this.notifyAdmins("user_offline", "user", user.username, uid);
+            this.opts.log.info(`Hub: user "${user.username}" (${uid}) went offline`);
+          }
+        }
+      }
+      for (const uid of currentlyOnline) {
+        if (!this.knownOnlineUsers.has(uid)) {
+          const user = users.find(u => u.id === uid);
+          if (user) {
+            this.notifyAdmins("user_online", "user", user.username, uid);
+          }
+        }
+      }
+      this.knownOnlineUsers = currentlyOnline;
+    } catch { /* best-effort */ }
+  }
+
   private authenticate(req: http.IncomingMessage) {
     const header = req.headers.authorization;
     if (!header || !header.startsWith("Bearer ")) return null;
@@ -706,6 +1076,10 @@ export class HubServer {
     if (!user || user.status !== "active") return null;
     const hash = createHash("sha256").update(token).digest("hex");
     if (user.tokenHash !== hash) return null;
+    const clientIp = (req.headers["x-client-ip"] as string)?.trim()
+      || (req.headers["x-forwarded-for"] as string)?.split(",")[0]?.trim()
+      || req.socket.remoteAddress || "";
+    try { this.opts.store.updateHubUserActivity(user.id, clientIp); } catch { /* best-effort */ }
     return {
       userId: user.id,
       username: user.username,