@memtensor/memos-local-openclaw-plugin 1.0.4-beta.5 → 1.0.4-beta.7

package/skill/memos-memory-guide/SKILL.md

@@ -1,17 +1,22 @@
 ---
 name: memos-memory-guide
-description: "Use the MemOS Local memory system to search and use the user's past conversations. Use this skill whenever the user refers to past chats, their own preferences or history, or when you need to answer from prior context. When auto-recall returns nothing (long or unclear user query), generate your own short search query and call memory_search. Available tools: memory_search, memory_get, memory_write_public, task_summary, skill_get, skill_search, skill_install, skill_publish, skill_unpublish, memory_timeline, memory_viewer."
+description: "Use the MemOS Local memory system to search and use the user's past conversations. Use this skill whenever the user refers to past chats, their own preferences or history, or when you need to answer from prior context. When auto-recall returns nothing (long or unclear user query), generate your own short search query and call memory_search. Available tools: memory_search, memory_get, memory_write_public, memory_share, memory_unshare, task_summary, skill_get, skill_search, skill_install, skill_publish, skill_unpublish, network_memory_detail, network_skill_pull, network_team_info, memory_timeline, memory_viewer."
 ---
 
 # MemOS Local Memory — Agent Guide
 
-This skill describes how to use the MemOS memory tools so you can reliably search and use the user's long-term conversation history, query Hub-shared team data, share tasks, and discover or pull reusable skills.
+This skill describes how to use the MemOS memory tools so you can reliably search and use the user's long-term conversation history, query team-shared data, share tasks, and discover or pull reusable skills.
+
+Two sharing planes exist and must not be confused:
+
+- **Local agent sharing:** visible to agents in the same OpenClaw workspace only.
+- **Team sharing:** visible to teammates through the configured team server.
 
 ## How memory is provided each turn
 
 - **Automatic recall (hook):** At the start of each turn, the system runs a memory search using the user's current message and injects relevant past memories into your context. You do not need to call any tool for that.
 - **When that is not enough:** If the user's message is very long, vague, or the automatic search returns **no memories**, you should **generate your own short, focused query** and call `memory_search` yourself.
-- **Memory isolation:** Each agent can only see its own local private memories and local `public` memories. Hub-shared data only appears when you search with `scope="group"` or `scope="all"`.
+- **Memory isolation:** Each agent can only see its own local private memories and local `public` memories. Team-shared data only appears when you search with `scope="group"` or `scope="all"`.
 
 ## Tools — what they do and when to call
 
@@ -24,9 +29,10 @@ This skill describes how to use the MemOS memory tools so you can reliably searc
   - You need to search with a different angle (e.g. filter by `role='user'`).
 - **Parameters:**
   - `query` (string, **required**) — Natural language search query.
-  - `maxResults` (number, optional) — Max results, default 20, max 20.
-  - `minScore` (number, optional) — Minimum score 0–1, default 0.45, floor 0.35.
-  - `role` (string, optional) — Filter by role: `'user'`, `'assistant'`, or `'tool'`. Use `'user'` to find what the user said.
+  - `scope` (string, optional) — `'local'` (default) for current agent + local shared memories, or `'group'` / `'all'` to include team-shared memories.
+  - `maxResults` (number, optional) — Increase when the first search is too narrow.
+  - `minScore` (number, optional) — Lower slightly if recall is too strict.
+  - `role` (string, optional) — Filter local results by `'user'`, `'assistant'`, `'tool'`, or `'system'`.
 
 ### memory_get
 
@@ -38,12 +44,32 @@ This skill describes how to use the MemOS memory tools so you can reliably searc
 
 ### memory_write_public
 
-- **What it does:** Write a piece of information to public memory. Public memories are visible to all agents during `memory_search`. Use for shared knowledge, team decisions, or cross-agent coordination information.
-- **When to call:** In multi-agent or collaborative scenarios, when you have persistent information useful to everyone (e.g. shared decisions, conventions, configurations, workflows). Do not write session-only or purely private content.
+- **What it does:** Create a brand new local shared memory. These memories are visible to all agents in the same OpenClaw workspace during `memory_search`. This does **not** publish anything to the team server.
+- **When to call:** In multi-agent or collaborative scenarios, when you want to create a new persistent shared note from scratch (e.g. shared decisions, conventions, configurations, workflows). Do not use it if you already have a specific memory chunk to expose.
 - **Parameters:**
-  - `content` (string, **required**) — The content to write to public memory.
+  - `content` (string, **required**) — The content to write to local shared memory.
   - `summary` (string, optional) — Short summary of the content.
 
+### memory_share
+
+- **What it does:** Share an existing memory either with local OpenClaw agents, to the team, or to both.
+- **When to call:** You already have a useful memory chunk and want to expose it beyond the current agent.
+- **Do not use when:** You are creating a new shared note from scratch. In that case use `memory_write_public`.
+- **Parameters:**
+  - `chunkId` (string, **required**) — Existing memory chunk ID.
+  - `target` (string, optional) — `'agents'` (default), `'hub'`, or `'both'`.
+  - `visibility` (string, optional) — Team visibility when target includes team: `'public'` (default) or `'group'`.
+  - `groupId` (string, optional) — Optional team group ID when `visibility='group'`.
+
+### memory_unshare
+
+- **What it does:** Remove an existing memory from local agent sharing, team sharing, or both.
+- **When to call:** A memory should no longer be visible outside the current agent or should be removed from the team.
+- **Parameters:**
+  - `chunkId` (string, **required**) — Existing memory chunk ID.
+  - `target` (string, optional) — `'agents'`, `'hub'`, or `'all'` (default).
+  - `privateOwner` (string, optional) — Rare fallback only for older public memories that have no recorded original owner.
+
 ### task_summary
 
 - **What it does:** Get the detailed summary of a complete task: title, status, narrative summary, and related skills. Use when `memory_search` returns a hit with a `task_id` and you need the full story. Preserves critical information: URLs, file paths, commands, error codes, step-by-step instructions.
@@ -62,11 +88,11 @@ This skill describes how to use the MemOS memory tools so you can reliably searc
 
 ### skill_search
 
-- **What it does:** Search available skills by natural language. Searches your own skills, public skills, or both — controlled by the `scope` parameter.
+- **What it does:** Search available skills by natural language. Searches your own skills, local shared skills, or both. It can also include team skills.
 - **When to call:** The current task requires a capability or guide you don't have. Use `skill_search` to find one first; after finding it, use `skill_get` to read it, then `skill_install` to load it for future turns.
 - **Parameters:**
   - `query` (string, **required**) — Natural language description of the needed skill.
-  - `scope` (string, optional) — Search scope: `'mix'` (default, self + public), `'self'` (own only), `'public'` (public only).
+  - `scope` (string, optional) — `'mix'` (default, self + local shared), `'self'`, `'public'` (local shared only), or `'group'` / `'all'` to include team results.
 
 ### skill_install
 
@@ -77,40 +103,46 @@ This skill describes how to use the MemOS memory tools so you can reliably searc
 
 ### skill_publish
 
-- **What it does:** Make a skill public so other agents can discover and install it via `skill_search`.
-- **When to call:** You have a useful skill that other agents could benefit from, and you want to share it.
+- **What it does:** Share a skill with local agents, or publish it to the team.
+- **When to call:** You have a useful skill that other agents or your team could benefit from.
 - **Parameters:**
   - `skillId` (string, **required**) — The skill ID to publish.
+  - `target` (string, optional) — `'agents'` (default) or `'hub'`.
+  - `visibility` (string, optional) — When `target='hub'`, use `'public'` (default) or `'group'`.
+  - `groupId` (string, optional) — Optional team group ID when `target='hub'` and `visibility='group'`.
+  - `scope` (string, optional) — Backward-compatible alias for old calls. Prefer `target` + `visibility` in new calls.
 
 ### skill_unpublish
 
-- **What it does:** Make a skill private again. Other agents will no longer be able to discover it.
+- **What it does:** Stop local agent sharing, remove a team-published copy, or do both.
 - **When to call:** You want to stop sharing a previously published skill.
 - **Parameters:**
   - `skillId` (string, **required**) — The skill ID to unpublish.
+  - `target` (string, optional) — `'agents'` (default), `'hub'`, or `'all'`.
 
 ### network_memory_detail
 
-- **What it does:** Fetches the full content behind a Hub search hit.
-- **When to call:** A `memory_search` result came from the Hub and you need the full shared memory content.
+- **What it does:** Fetches the full content behind a team search hit.
+- **When to call:** A `memory_search` result came from the team and you need the full shared memory content.
 - **Parameters:** `remoteHitId`.
 
 ### task_share / task_unshare
 
-- **What they do:** Share a local task to the Hub, or remove it later.
+- **What they do:** Share a local task to the team, or remove it later.
 - **When to call:** A task is valuable to your group or to the whole team and should be discoverable via shared search.
 - **Parameters:** `taskId`, plus sharing visibility/scope when required.
 
 ### network_skill_pull
 
-- **What it does:** Pulls a Hub-shared skill bundle down into local storage.
-- **When to call:** `skill_search` found a useful Hub skill and you want to use it locally or offline.
+- **What it does:** Pulls a team-shared skill bundle down into local storage.
+- **When to call:** `skill_search` found a useful team skill and you want to use it locally or offline.
 - **Parameters:** `skillId`.
 
 ### network_team_info
 
-- **What it does:** Returns current Hub connection information, user, role, and groups.
+- **What it does:** Returns current team server connection information, user, role, and groups.
 - **When to call:** You need to confirm whether team sharing is configured or which groups the current client belongs to.
+- **Call this first before:** `memory_share(... target='hub'|'both')`, `memory_unshare(... target='hub'|'all')`, `task_share`, `task_unshare`, `skill_publish(... target='hub')`, `skill_unpublish(... target='hub'|'all')`, or `network_skill_pull`.
 - **Parameters:** none.
 
 ### memory_timeline
@@ -147,13 +179,19 @@ This skill describes how to use the MemOS memory tools so you can reliably searc
 6. **You need a capability/guide that you don't have**
    → Call `skill_search(query="...", scope="mix")` to discover available skills.
 
-7. **You have shared knowledge useful to all agents**
-   → Call `memory_write_public(content="...")` to persist it in public memory.
+7. **You have new shared knowledge useful to all local agents**
+   → Call `memory_write_public(content="...")`.
+
+8. **You already have an existing memory chunk and want to expose or hide it**
+   → Call `memory_share(chunkId="...", target="agents|hub|both")` or `memory_unshare(chunkId="...", target="agents|hub|all")`.
+
+9. **You are about to do anything team-sharing-related**
+   → Call `network_team_info()` first if team server availability is uncertain.
 
-8. **You want to share/stop sharing a skill with other agents**
-   → Call `skill_publish(skillId="...")` or `skill_unpublish(skillId="...")`.
+10. **You want to share/stop sharing a skill with local agents or team**
+   → Prefer `skill_publish(skillId="...", target="agents|hub", visibility=...)` and `skill_unpublish(skillId="...", target="agents|hub|all")`.
 
-9. **User asks where to see or manage their memories**
+11. **User asks where to see or manage their memories**
    → Call `memory_viewer()` and share the URL.
 
 ## Writing good search queries
@@ -168,6 +206,6 @@ This skill describes how to use the MemOS memory tools so you can reliably searc
 Each memory is tagged with an `owner` (e.g. `agent:main`, `agent:sales-bot`). This is handled **automatically** — you do not need to pass any owner parameter.
 
 - **Your memories:** All tools (`memory_search`, `memory_get`, `memory_timeline`) automatically scope queries to your agent's own memories.
-- **Public memories:** Memories marked as `public` are visible to all agents. Use `memory_write_public` to write shared knowledge.
+- **Local shared memories:** Memories marked as local shared are visible to all agents in the same OpenClaw workspace. Use `memory_write_public` to create them, or `memory_share(target='agents')` to expose an existing chunk.
 - **Cross-agent isolation:** You cannot see memories owned by other agents (unless they are public).
 - **How it works:** The system identifies your agent ID from the OpenClaw runtime context and applies owner filtering automatically on every search, recall, and retrieval.

package/src/capture/index.ts

@@ -33,6 +33,9 @@ const SENTINEL_FAST_RE = new RegExp(
 const ENVELOPE_PREFIX_RE =
   /^\s*\[(?:Mon|Tue|Wed|Thu|Fri|Sat|Sun)\s+\d{4}-\d{2}-\d{2}\s+\d{2}:\d{2}(?::\d{2})?\s+[A-Z]{3}[+-]\d{1,2}\]\s*/;
 
+const ENVELOPE_EXTRACT_RE =
+  /^\s*\[(?:Mon|Tue|Wed|Thu|Fri|Sat|Sun)\s+(\d{4}-\d{2}-\d{2})\s+(\d{2}:\d{2}(?::\d{2})?)\s+([A-Z]{3}[+-]\d{1,2})\]/;
+
 /**
  * Extract writable messages from a conversation turn.
  *
@@ -47,9 +50,11 @@ export function captureMessages(
   evidenceTag: string,
   log: Logger,
   owner?: string,
+  userSearchTime?: number,
 ): ConversationMessage[] {
   const now = Date.now();
   const result: ConversationMessage[] = [];
+  let lastTimestamp = 0;
 
   for (const msg of messages) {
     const role = msg.role as Role;
@@ -74,10 +79,19 @@ export function captureMessages(
     }
     if (!content.trim()) continue;
 
+    let ts: number;
+    if (role === "user" && userSearchTime && userSearchTime > 0) {
+      ts = userSearchTime;
+    } else {
+      ts = now;
+    }
+    if (ts <= lastTimestamp) ts = lastTimestamp + 1;
+    lastTimestamp = ts;
+
     result.push({
       role,
       content,
-      timestamp: now,
+      timestamp: ts,
       turnId,
       sessionKey,
       toolName: role === "tool" ? msg.toolName : undefined,
@@ -149,6 +163,20 @@ export function stripInboundMetadata(text: string): string {
   return stripEnvelopePrefix(result.join("\n")).trim();
 }
 
+function extractEnvelopeTimestamp(text: string): number | null {
+  const m = ENVELOPE_EXTRACT_RE.exec(text);
+  if (!m) return null;
+  const [, date, time, tz] = m;
+  const timeStr = time.includes(":") && time.split(":").length === 3 ? time : time + ":00";
+  const offsetMatch = tz.match(/([+-])(\d{1,2})$/);
+  const offsetStr = offsetMatch
+    ? `${offsetMatch[1]}${offsetMatch[2].padStart(2, "0")}:00`
+    : "+00:00";
+  const iso = `${date}T${timeStr}${offsetStr}`;
+  const ts = new Date(iso).getTime();
+  return Number.isNaN(ts) ? null : ts;
+}
+
 function stripEnvelopePrefix(text: string): string {
   return text.replace(ENVELOPE_PREFIX_RE, "");
 }

package/src/client/connector.ts

@@ -1,5 +1,5 @@
 import type { Logger, MemosLocalConfig } from "../types";
-import type { GroupInfo, UserRole, UserStatus } from "../sharing/types";
+import type { UserRole, UserStatus } from "../sharing/types";
 import type { SqliteStore } from "../storage/sqlite";
 import { hubRequestJson, normalizeHubUrl } from "./hub";
 
@@ -20,7 +20,6 @@ export interface HubStatusInfo {
     username: string;
     role: UserRole;
     status: UserStatus | string;
-    groups: GroupInfo[];
   };
 }
 
@@ -77,7 +76,6 @@ export async function getHubStatus(store: SqliteStore, config: MemosLocalConfig)
               username: conn.username || "",
               role: "member",
               status: "pending",
-              groups: [],
             },
           };
         }
@@ -99,13 +97,6 @@ export async function getHubStatus(store: SqliteStore, config: MemosLocalConfig)
               username: String(me.username ?? ""),
               role: String(me.role ?? "member") as UserRole,
               status: String(me.status ?? "active"),
-              groups: Array.isArray(me.groups)
-                ? me.groups.map((group: any) => ({
-                    id: String(group.id),
-                    name: String(group.name),
-                    description: typeof group.description === "string" ? group.description : undefined,
-                  }))
-                : [],
             },
           };
         }
@@ -118,7 +109,6 @@ export async function getHubStatus(store: SqliteStore, config: MemosLocalConfig)
               username: conn.username || "",
               role: "member",
               status: "rejected",
-              groups: [],
             },
           };
         }
@@ -141,13 +131,6 @@ export async function getHubStatus(store: SqliteStore, config: MemosLocalConfig)
         username: String(me.username ?? ""),
         role: String(me.role ?? "member") as UserRole,
         status: String(me.status ?? "active"),
-        groups: Array.isArray(me.groups)
-          ? me.groups.map((group: any) => ({
-              id: String(group.id),
-              name: String(group.name),
-              description: typeof group.description === "string" ? group.description : undefined,
-            }))
-          : [],
       },
     };
   } catch {
@@ -166,13 +149,24 @@ export async function autoJoinHub(
     throw new Error("hubAddress and teamToken are required for auto-join");
   }
   const hubUrl = normalizeHubUrl(hubAddress);
-  const hostname = typeof globalThis.process !== "undefined" ? (await import("os")).hostname() : "unknown";
-  const username = typeof globalThis.process !== "undefined" ? (await import("os")).userInfo().username : "user";
+  const osModule = typeof globalThis.process !== "undefined" ? await import("os") : null;
+  const hostname = osModule ? osModule.hostname() : "unknown";
+  const username = osModule ? osModule.userInfo().username : "user";
+  let clientIp = "";
+  if (osModule) {
+    const nets = osModule.networkInterfaces();
+    for (const name of Object.keys(nets)) {
+      for (const net of nets[name] ?? []) {
+        if (net.family === "IPv4" && !net.internal) { clientIp = net.address; break; }
+      }
+      if (clientIp) break;
+    }
+  }
 
   log.info(`Joining Hub at ${hubUrl} as "${username}"...`);
   const result = await hubRequestJson(hubUrl, "", "/api/v1/hub/join", {
     method: "POST",
-    body: JSON.stringify({ teamToken, username, deviceName: hostname }),
+    body: JSON.stringify({ teamToken, username, deviceName: hostname, clientIp }),
   }) as any;
 
   if (result.status === "pending") {

package/src/client/hub.ts

@@ -157,16 +157,34 @@ export async function hubUpdateUsername(
   return result;
 }
 
+let _cachedClientIp: string | null = null;
+function getClientIp(): string {
+  if (_cachedClientIp !== null) return _cachedClientIp;
+  try {
+    const os = require("os");
+    const nets = os.networkInterfaces();
+    for (const name of Object.keys(nets)) {
+      for (const net of nets[name] ?? []) {
+        if (net.family === "IPv4" && !net.internal) { _cachedClientIp = net.address; return _cachedClientIp!; }
+      }
+    }
+  } catch { /* browser or no os module */ }
+  _cachedClientIp = "";
+  return "";
+}
+
 export async function hubRequestJson(
   hubUrl: string,
   userToken: string,
   route: string,
   init: RequestInit = {},
 ): Promise<unknown> {
+  const clientIp = getClientIp();
   const res = await fetch(`${normalizeHubUrl(hubUrl)}${route}`, {
     ...init,
     headers: {
       authorization: `Bearer ${userToken}`,
+      ...(clientIp ? { "x-client-ip": clientIp } : {}),
       ...(init.body ? { "content-type": "application/json" } : {}),
       ...(init.headers ?? {}),
     },

package/src/client/skill-sync.ts

@@ -89,6 +89,20 @@ export async function publishSkillBundleToHub(
   }) as Promise<{ skillId: string; visibility: "public" | "group" }>;
 }
 
+export async function unpublishSkillBundleFromHub(
+  store: SqliteStore,
+  ctx: PluginContext,
+  input: { skillId: string; hubAddress?: string; userToken?: string },
+): Promise<{ ok: boolean }> {
+  const client = await resolveHubClient(store, ctx, { hubAddress: input.hubAddress, userToken: input.userToken });
+  return hubRequestJson(client.hubUrl, client.userToken, "/api/v1/hub/skills/unpublish", {
+    method: "POST",
+    body: JSON.stringify({
+      sourceSkillId: input.skillId,
+    }),
+  }) as Promise<{ ok: boolean }>;
+}
+
 export async function fetchHubSkillBundle(
   store: SqliteStore,
   ctx: PluginContext,

package/src/hub/server.ts

@@ -192,9 +192,14 @@ export class HubServer {
         return this.json(res, 403, { error: "invalid_team_token" });
       }
       const username = String(body.username || `user-${randomUUID().slice(0, 8)}`);
+      const joinIp = (typeof body.clientIp === "string" && body.clientIp)
+        || (req.headers["x-client-ip"] as string)?.trim()
+        || (req.headers["x-forwarded-for"] as string)?.split(",")[0]?.trim()
+        || req.socket.remoteAddress || "";
       const existingUsers = this.opts.store.listHubUsers();
       const existingUser = existingUsers.find(u => u.username === username);
       if (existingUser) {
+        try { this.opts.store.updateHubUserActivity(existingUser.id, joinIp); } catch { /* best-effort */ }
         if (existingUser.status === "active") {
           const token = issueUserToken(
             { userId: existingUser.id, username: existingUser.username, role: existingUser.role, status: "active" },
@@ -216,6 +221,7 @@ export class HubServer {
         username,
         deviceName: typeof body.deviceName === "string" ? body.deviceName : undefined,
       });
+      try { this.opts.store.updateHubUserActivity(user.id, joinIp); } catch { /* best-effort */ }
       this.opts.log.info(`Hub: user "${username}" (${user.id}) registered as pending, awaiting admin approval`);
       return this.json(res, 200, { status: "pending", userId: user.id });
     }
@@ -272,9 +278,11 @@ export class HubServer {
       }
       const updated = this.userManager.updateUsername(auth.userId, newUsername);
       if (!updated) return this.json(res, 404, { error: "not_found" });
+      const ttlMs = updated.role === "admin" ? 3650 * 24 * 60 * 60 * 1000 : undefined;
       const newToken = issueUserToken(
         { userId: updated.id, username: newUsername, role: updated.role, status: updated.status },
         this.authSecret,
+        ttlMs,
       );
       this.userManager.approveUser(updated.id, newToken);
       this.opts.log.info(`Hub: user "${auth.userId}" renamed to "${newUsername}"`);
@@ -306,91 +314,62 @@ export class HubServer {
     if (req.method === "GET" && routePath === "/api/v1/hub/admin/users") {
       if (auth.role !== "admin") return this.json(res, 403, { error: "forbidden" });
       const users = this.opts.store.listHubUsers().filter(u => u.status === "active");
-      return this.json(res, 200, { users: users.map(u => ({ id: u.id, username: u.username, role: u.role, status: u.status })) });
+      const contribs = this.opts.store.getHubUserContributions();
+      return this.json(res, 200, { users: users.map(u => {
+        const c = contribs[u.id] || { memoryCount: 0, taskCount: 0, skillCount: 0 };
+        return {
+          id: u.id, username: u.username, role: u.role, status: u.status,
+          deviceName: u.deviceName, createdAt: u.createdAt, approvedAt: u.approvedAt,
+          lastIp: u.lastIp || "", lastActiveAt: u.lastActiveAt,
+          memoryCount: c.memoryCount, taskCount: c.taskCount, skillCount: c.skillCount,
+        };
+      }) });
     }
 
-    // ── Group management ──
-
-    if (req.method === "GET" && routePath === "/api/v1/hub/groups") {
+    if (req.method === "POST" && routePath === "/api/v1/hub/admin/change-role") {
       if (auth.role !== "admin") return this.json(res, 403, { error: "forbidden" });
-      const groups = this.opts.store.listHubGroups();
-      return this.json(res, 200, { groups });
+      const body = await this.readJson(req);
+      const userId = String(body?.userId || "");
+      const newRole = String(body?.role || "");
+      if (!userId || (newRole !== "admin" && newRole !== "member")) return this.json(res, 400, { error: "invalid_params" });
+      const user = this.opts.store.getHubUser(userId);
+      if (!user || user.status !== "active") return this.json(res, 404, { error: "not_found" });
+      const updatedUser = { ...user, role: newRole as "admin" | "member" };
+      this.opts.store.upsertHubUser(updatedUser);
+      this.opts.log.info(`Hub: admin "${auth.userId}" changed role of "${userId}" to "${newRole}"`);
+      return this.json(res, 200, { ok: true, role: newRole });
     }
 
-    if (req.method === "POST" && routePath === "/api/v1/hub/groups") {
+    if (req.method === "POST" && routePath === "/api/v1/hub/admin/rename-user") {
       if (auth.role !== "admin") return this.json(res, 403, { error: "forbidden" });
       const body = await this.readJson(req);
-      const name = String(body.name || "").trim();
-      if (!name) return this.json(res, 400, { error: "name_required" });
-      const groupId = randomUUID();
-      this.opts.store.upsertHubGroup({
-        id: groupId,
-        name,
-        description: String(body.description || ""),
-        createdAt: Date.now(),
-      });
-      return this.json(res, 201, { id: groupId, name });
-    }
-
-    const groupDetailMatch = routePath.match(/^\/api\/v1\/hub\/groups\/([^/]+)$/);
-    if (groupDetailMatch) {
-      const groupId = decodeURIComponent(groupDetailMatch[1]);
-
-      if (req.method === "GET") {
-        if (auth.role !== "admin") return this.json(res, 403, { error: "forbidden" });
-        const group = this.opts.store.getHubGroupById(groupId);
-        if (!group) return this.json(res, 404, { error: "not_found" });
-        const members = this.opts.store.listHubGroupMembers(groupId);
-        return this.json(res, 200, { ...group, members });
+      const userId = String(body?.userId || "");
+      const newUsername = String(body?.username || "").trim();
+      if (!userId || !newUsername || newUsername.length < 2 || newUsername.length > 32) {
+        return this.json(res, 400, { error: "invalid_params", message: "userId and username (2-32 chars) required" });
       }
-
-      if (req.method === "PUT") {
-        if (auth.role !== "admin") return this.json(res, 403, { error: "forbidden" });
-        const existing = this.opts.store.getHubGroupById(groupId);
-        if (!existing) return this.json(res, 404, { error: "not_found" });
-        const body = await this.readJson(req);
-        this.opts.store.upsertHubGroup({
-          id: groupId,
-          name: String(body.name || existing.name).trim(),
-          description: String(body.description ?? existing.description),
-          createdAt: existing.createdAt,
-        });
-        return this.json(res, 200, { ok: true });
-      }
-
-      if (req.method === "DELETE") {
-        if (auth.role !== "admin") return this.json(res, 403, { error: "forbidden" });
-        const deleted = this.opts.store.deleteHubGroup(groupId);
-        if (!deleted) return this.json(res, 404, { error: "not_found" });
-        return this.json(res, 200, { ok: true });
+      if (this.userManager.isUsernameTaken(newUsername, userId)) {
+        return this.json(res, 409, { error: "username_taken", message: "Username already in use" });
       }
+      const user = this.opts.store.getHubUser(userId);
+      if (!user || user.status !== "active") return this.json(res, 404, { error: "not_found" });
+      const updated = { ...user, username: newUsername };
+      this.opts.store.upsertHubUser(updated);
+      this.opts.log.info(`Hub: admin "${auth.userId}" renamed user "${userId}" to "${newUsername}"`);
+      return this.json(res, 200, { ok: true, username: newUsername });
     }
 
-    const groupMembersMatch = routePath.match(/^\/api\/v1\/hub\/groups\/([^/]+)\/members$/);
-    if (groupMembersMatch) {
-      const groupId = decodeURIComponent(groupMembersMatch[1]);
-
-      if (req.method === "POST") {
-        if (auth.role !== "admin") return this.json(res, 403, { error: "forbidden" });
-        const group = this.opts.store.getHubGroupById(groupId);
-        if (!group) return this.json(res, 404, { error: "group_not_found" });
-        const body = await this.readJson(req);
-        const userId = String(body.userId || "");
-        if (!userId) return this.json(res, 400, { error: "userId_required" });
-        const user = this.opts.store.getHubUser(userId);
-        if (!user) return this.json(res, 404, { error: "user_not_found" });
-        this.opts.store.addHubGroupMember(groupId, userId);
-        return this.json(res, 200, { ok: true });
-      }
-
-      if (req.method === "DELETE") {
-        if (auth.role !== "admin") return this.json(res, 403, { error: "forbidden" });
-        const body = await this.readJson(req);
-        const userId = String(body.userId || "");
-        if (!userId) return this.json(res, 400, { error: "userId_required" });
-        this.opts.store.removeHubGroupMember(groupId, userId);
-        return this.json(res, 200, { ok: true });
-      }
+    if (req.method === "POST" && routePath === "/api/v1/hub/admin/remove-user") {
+      if (auth.role !== "admin") return this.json(res, 403, { error: "forbidden" });
+      const body = await this.readJson(req);
+      const userId = String(body?.userId || "");
+      if (!userId) return this.json(res, 400, { error: "missing_user_id" });
+      if (userId === auth.userId) return this.json(res, 400, { error: "cannot_remove_self" });
+      const cleanResources = body?.cleanResources === true;
+      const deleted = this.opts.store.deleteHubUser(userId, cleanResources);
+      if (!deleted) return this.json(res, 404, { error: "not_found" });
+      this.opts.log.info(`Hub: admin "${auth.userId}" removed user "${userId}" (cleanResources=${cleanResources})`);
+      return this.json(res, 200, { ok: true });
     }
 
     if (req.method === "POST" && routePath === "/api/v1/hub/tasks/share") {
@@ -639,8 +618,12 @@ export class HubServer {
     if (adminTaskDeleteMatch) {
       if (auth.role !== "admin") return this.json(res, 403, { error: "forbidden" });
       const taskId = decodeURIComponent(adminTaskDeleteMatch[1]);
+      const taskInfo = this.opts.store.getHubTaskById(taskId);
       const deleted = this.opts.store.deleteHubTaskById(taskId);
       if (!deleted) return this.json(res, 404, { error: "not_found" });
+      if (taskInfo) {
+        this.opts.store.insertHubNotification({ id: randomUUID(), userId: taskInfo.sourceUserId, type: "resource_removed", resource: "task", title: taskInfo.title });
+      }
       return this.json(res, 200, { ok: true });
     }
 
@@ -654,8 +637,12 @@ export class HubServer {
     if (adminSkillDeleteMatch) {
       if (auth.role !== "admin") return this.json(res, 403, { error: "forbidden" });
       const skillId = decodeURIComponent(adminSkillDeleteMatch[1]);
+      const skillInfo = this.opts.store.getHubSkillById(skillId);
       const deleted = this.opts.store.deleteHubSkillById(skillId);
       if (!deleted) return this.json(res, 404, { error: "not_found" });
+      if (skillInfo) {
+        this.opts.store.insertHubNotification({ id: randomUUID(), userId: skillInfo.sourceUserId, type: "resource_removed", resource: "skill", title: skillInfo.name });
+      }
       return this.json(res, 200, { ok: true });
     }
 
@@ -669,8 +656,12 @@ export class HubServer {
     if (adminMemoryDeleteMatch) {
       if (auth.role !== "admin") return this.json(res, 403, { error: "forbidden" });
       const memoryId = decodeURIComponent(adminMemoryDeleteMatch[1]);
+      const memInfo = this.opts.store.getHubMemoryById(memoryId);
       const deleted = this.opts.store.deleteHubMemoryById(memoryId);
       if (!deleted) return this.json(res, 404, { error: "not_found" });
+      if (memInfo) {
+        this.opts.store.insertHubNotification({ id: randomUUID(), userId: memInfo.sourceUserId, type: "resource_removed", resource: "memory", title: memInfo.summary || memInfo.id });
+      }
       return this.json(res, 200, { ok: true });
     }
 
@@ -693,6 +684,25 @@ export class HubServer {
       });
     }
 
+    if (req.method === "GET" && routePath === "/api/v1/hub/notifications") {
+      const unread = (new URL(req.url!, `http://${req.headers.host}`)).searchParams.get("unread") === "1";
+      const list = this.opts.store.listHubNotifications(auth.userId, { unreadOnly: unread, limit: 50 });
+      const unreadCount = this.opts.store.countUnreadHubNotifications(auth.userId);
+      return this.json(res, 200, { notifications: list, unreadCount });
+    }
+
+    if (req.method === "POST" && routePath === "/api/v1/hub/notifications/read") {
+      const body = await this.readJson(req);
+      const ids = Array.isArray(body.ids) ? body.ids as string[] : undefined;
+      this.opts.store.markHubNotificationsRead(auth.userId, ids);
+      return this.json(res, 200, { ok: true });
+    }
+
+    if (req.method === "POST" && routePath === "/api/v1/hub/notifications/clear") {
+      this.opts.store.clearHubNotifications(auth.userId);
+      return this.json(res, 200, { ok: true });
+    }
+
     return this.json(res, 404, { error: "not_found" });
   }
 
@@ -706,6 +716,10 @@ export class HubServer {
     if (!user || user.status !== "active") return null;
     const hash = createHash("sha256").update(token).digest("hex");
     if (user.tokenHash !== hash) return null;
+    const clientIp = (req.headers["x-client-ip"] as string)?.trim()
+      || (req.headers["x-forwarded-for"] as string)?.split(",")[0]?.trim()
+      || req.socket.remoteAddress || "";
+    try { this.opts.store.updateHubUserActivity(user.id, clientIp); } catch { /* best-effort */ }
     return {
       userId: user.id,
       username: user.username,