@memtensor/memos-local-openclaw-plugin 1.0.4-beta.9 → 1.0.4

package/src/capture/index.ts

@@ -167,8 +167,11 @@ export function stripInboundMetadata(text: string): string {
 /** Strip <think…>…</think> blocks emitted by DeepSeek-style reasoning models. */
 const THINKING_TAG_RE = /<think[\s>][\s\S]*?<\/think>\s*/gi;
 
+/** Unwrap <final>…</final> tags from MiniMax-style models (keep content, strip tags). */
+const FINAL_TAG_RE = /<\/?final\s*>/gi;
+
 function stripThinkingTags(text: string): string {
-  return text.replace(THINKING_TAG_RE, "");
+  return text.replace(THINKING_TAG_RE, "").replace(FINAL_TAG_RE, "").trim();
 }
 
 function extractEnvelopeTimestamp(text: string): number | null {

package/src/client/connector.ts

@@ -10,6 +10,7 @@ export interface HubSessionInfo {
   userToken: string;
   role: UserRole;
   connectedAt: number;
+  identityKey?: string;
 }
 
 export interface HubStatusInfo {
@@ -20,6 +21,7 @@ export interface HubStatusInfo {
     username: string;
     role: UserRole;
     status: UserStatus | string;
+    groups?: Array<{ id: string; name: string }>;
   };
 }
 
@@ -54,6 +56,8 @@ export async function connectToHub(store: SqliteStore, config: MemosLocalConfig,
             userToken: result.userToken,
             role: "member",
             connectedAt: Date.now(),
+            identityKey: persisted.identityKey || "",
+            lastKnownStatus: "active",
           });
           return store.getClientHubConnection()!;
         }
@@ -63,6 +67,12 @@ export async function connectToHub(store: SqliteStore, config: MemosLocalConfig,
         if (result.status === "rejected") {
           throw new Error("Join request was rejected by the Hub admin.");
         }
+        if (result.status === "blocked") {
+          throw new Error("Your account has been blocked by the Hub admin.");
+        }
+        if (result.status === "left" || result.status === "removed") {
+          log.info(`User status is "${result.status}", will try to rejoin.`);
+        }
       } catch (err) {
         if (err instanceof PendingApprovalError) throw err;
         log.warn(`registration-status check failed, falling back to autoJoinHub: ${err}`);
@@ -78,6 +88,7 @@ export async function connectToHub(store: SqliteStore, config: MemosLocalConfig,
 
   const hubUrl = normalizeHubUrl(hubAddress);
   const me = await hubRequestJson(hubUrl, userToken, "/api/v1/hub/me", { method: "GET" }) as any;
+  const persisted = store.getClientHubConnection();
   store.setClientHubConnection({
     hubUrl,
     userId: String(me.id),
@@ -85,6 +96,8 @@ export async function connectToHub(store: SqliteStore, config: MemosLocalConfig,
     userToken,
     role: String(me.role ?? "member") as UserRole,
     connectedAt: Date.now(),
+    identityKey: persisted?.identityKey || String(me.identityKey ?? ""),
+    lastKnownStatus: "active",
   });
   return store.getClientHubConnection()!;
 }
@@ -95,9 +108,13 @@ export async function getHubStatus(store: SqliteStore, config: MemosLocalConfig)
   const hubAddress = conn?.hubUrl || (configHubAddress ? normalizeHubUrl(configHubAddress) : "");
   const userToken = conn?.userToken || config.sharing?.client?.userToken || "";
 
-  // If DB has a connection to a different Hub than config, the DB data is stale
   if (conn && configHubAddress && conn.hubUrl && normalizeHubUrl(configHubAddress) !== conn.hubUrl) {
-    store.clearClientHubConnection();
+    store.setClientHubConnection({
+      ...conn,
+      hubUrl: normalizeHubUrl(configHubAddress),
+      userToken: "",
+      lastKnownStatus: "hub_changed",
+    });
     return { connected: false, user: null };
   }
 
@@ -129,6 +146,8 @@ export async function getHubStatus(store: SqliteStore, config: MemosLocalConfig)
             userToken: result.userToken,
             role: "member",
             connectedAt: Date.now(),
+            identityKey: conn.identityKey || "",
+            lastKnownStatus: "active",
           });
           const me = await hubRequestJson(normalizeHubUrl(hubAddress), result.userToken, "/api/v1/hub/me", { method: "GET" }) as any;
           return {
@@ -169,12 +188,10 @@ export async function getHubStatus(store: SqliteStore, config: MemosLocalConfig)
     const latestRole = String(me.role ?? "member") as UserRole;
     if (conn && (conn.username !== latestUsername || conn.role !== latestRole)) {
       store.setClientHubConnection({
-        hubUrl: conn.hubUrl,
-        userId: conn.userId,
+        ...conn,
         username: latestUsername,
-        userToken: conn.userToken,
         role: latestRole,
-        connectedAt: conn.connectedAt,
+        lastKnownStatus: "active",
       });
     }
     return {
@@ -185,9 +202,63 @@ export async function getHubStatus(store: SqliteStore, config: MemosLocalConfig)
         username: latestUsername,
         role: latestRole,
         status: String(me.status ?? "active"),
+        groups: Array.isArray(me.groups) ? me.groups : [],
       },
     };
-  } catch {
+  } catch (err: any) {
+    const is401 = typeof err?.message === "string" && err.message.includes("(401)");
+    if (is401 && conn) {
+      const teamToken = config.sharing?.client?.teamToken ?? "";
+      if (hubAddress && teamToken) {
+        try {
+          const regResult = await hubRequestJson(normalizeHubUrl(hubAddress), "", "/api/v1/hub/registration-status", {
+            method: "POST",
+            body: JSON.stringify({ teamToken, userId: conn.userId }),
+          }) as any;
+          if (regResult.status === "active" && regResult.userToken) {
+            store.setClientHubConnection({
+              ...conn,
+              hubUrl: normalizeHubUrl(hubAddress),
+              userToken: regResult.userToken,
+              connectedAt: Date.now(),
+              lastKnownStatus: "active",
+            });
+            try {
+              const me = await hubRequestJson(normalizeHubUrl(hubAddress), regResult.userToken, "/api/v1/hub/me", { method: "GET" }) as any;
+              return {
+                connected: true,
+                hubUrl: normalizeHubUrl(hubAddress),
+                user: {
+                  id: String(me.id),
+                  username: String(me.username ?? ""),
+                  role: String(me.role ?? "member") as UserRole,
+                  status: String(me.status ?? "active"),
+                  groups: Array.isArray(me.groups) ? me.groups : [],
+                },
+              };
+            } catch { /* fall through to token-only return */ }
+            return {
+              connected: true,
+              hubUrl: normalizeHubUrl(hubAddress),
+              user: { id: conn.userId, username: conn.username || "", role: conn.role as UserRole || "member", status: "active" },
+            };
+          }
+          const realStatus = regResult.status as string;
+          store.setClientHubConnection({ ...conn, userToken: "", lastKnownStatus: realStatus });
+          return {
+            connected: false,
+            hubUrl: normalizeHubUrl(hubAddress),
+            user: { id: conn.userId, username: conn.username || "", role: "member", status: realStatus },
+          };
+        } catch { /* registration-status also failed, fall through */ }
+      }
+      store.setClientHubConnection({ ...conn, userToken: "", lastKnownStatus: "token_expired" });
+      return {
+        connected: false,
+        hubUrl: normalizeHubUrl(hubAddress),
+        user: { id: conn.userId, username: conn.username || "", role: "member", status: "token_expired" },
+      };
+    }
     return { connected: false, user: null };
   }
 }
@@ -218,12 +289,17 @@ export async function autoJoinHub(
     }
   }
 
+  const persisted = store.getClientHubConnection();
+  const existingIdentityKey = persisted?.identityKey || "";
+
   log.info(`Joining Hub at ${hubUrl} as "${username}"...`);
   const result = await hubRequestJson(hubUrl, "", "/api/v1/hub/join", {
     method: "POST",
-    body: JSON.stringify({ teamToken, username, deviceName: hostname, clientIp }),
+    body: JSON.stringify({ teamToken, username, deviceName: hostname, clientIp, identityKey: existingIdentityKey }),
   }) as any;
 
+  const returnedIdentityKey = String(result.identityKey || existingIdentityKey || "");
+
   if (result.status === "pending") {
     log.info(`Join request submitted, awaiting admin approval. userId=${result.userId}`);
     store.setClientHubConnection({
@@ -233,6 +309,8 @@ export async function autoJoinHub(
       userToken: "",
       role: "member",
       connectedAt: Date.now(),
+      identityKey: returnedIdentityKey,
+      lastKnownStatus: "pending",
     });
     throw new PendingApprovalError(result.userId);
   }
@@ -241,6 +319,10 @@ export async function autoJoinHub(
     throw new Error(`Join request was rejected by the Hub admin.`);
   }
 
+  if (result.status === "blocked") {
+    throw new Error(`Your account has been blocked by the Hub admin.`);
+  }
+
   if (!result.userToken) {
     throw new Error(`Hub join failed: ${JSON.stringify(result)}`);
   }
@@ -253,6 +335,8 @@ export async function autoJoinHub(
     userToken: result.userToken,
     role: "member",
     connectedAt: Date.now(),
+    identityKey: returnedIdentityKey,
+    lastKnownStatus: "active",
   });
   return store.getClientHubConnection()!;
 }

package/src/config.ts

@@ -128,7 +128,8 @@ export function resolveConfig(raw: Partial<MemosLocalConfig> | undefined, stateD
         userToken: cfg.sharing?.client?.userToken ?? "",
         teamToken: cfg.sharing?.client?.teamToken ?? "",
         pendingUserId: cfg.sharing?.client?.pendingUserId ?? "",
-      } : { hubAddress: "", userToken: "", teamToken: "", pendingUserId: "" };
+        nickname: cfg.sharing?.client?.nickname ?? "",
+      } : { hubAddress: "", userToken: "", teamToken: "", pendingUserId: "", nickname: "" };
       return { enabled, role, hub, client, capabilities: sharingCapabilities };
     })(),
   };

package/src/hub/server.ts

@@ -14,6 +14,7 @@ type HubServerOptions = {
   config: MemosLocalConfig;
   dataDir: string;
   embedder?: Embedder;
+  defaultHubPort?: number;
 };
 
 type HubAuthState = {
@@ -79,18 +80,31 @@ export class HubServer {
       }
     });
 
+    const MAX_PORT_RETRIES = 3;
+    let hubPort = this.port;
     await new Promise<void>((resolve, reject) => {
-      const onError = (err: Error) => {
-        this.server?.off("listening", onListening);
-        reject(err);
+      let retries = 0;
+      const onError = (err: NodeJS.ErrnoException) => {
+        if (err.code === "EADDRINUSE" && retries < MAX_PORT_RETRIES) {
+          retries++;
+          hubPort = this.port + retries;
+          this.opts.log.warn(`Hub port ${hubPort - 1} in use, trying ${hubPort}`);
+          this.server!.listen(hubPort, "0.0.0.0");
+        } else {
+          this.server?.off("listening", onListening);
+          reject(err);
+        }
       };
       const onListening = () => {
         this.server?.off("error", onError);
+        if (hubPort !== this.port) {
+          this.opts.log.info(`Hub started on fallback port ${hubPort} (configured: ${this.port})`);
+        }
         resolve();
       };
-      this.server!.once("error", onError);
+      this.server!.on("error", onError);
       this.server!.once("listening", onListening);
-      this.server!.listen(this.port, "0.0.0.0");
+      this.server!.listen(hubPort, "0.0.0.0");
     });
 
     const bootstrap = this.userManager.ensureBootstrapAdmin(
@@ -109,19 +123,37 @@ export class HubServer {
     this.initOnlineTracking();
     this.offlineCheckTimer = setInterval(() => this.checkOfflineUsers(), HubServer.OFFLINE_CHECK_INTERVAL_MS);
 
-    return `http://127.0.0.1:${this.port}`;
+    return `http://127.0.0.1:${hubPort}`;
   }
 
   async stop(): Promise<void> {
     if (this.offlineCheckTimer) { clearInterval(this.offlineCheckTimer); this.offlineCheckTimer = undefined; }
     if (!this.server) return;
+
+    try {
+      const activeUsers = this.opts.store.listHubUsers("active");
+      const ownerId = this.authState.bootstrapAdminUserId || "";
+      for (const u of activeUsers) {
+        if (u.id === ownerId) continue;
+        try {
+          this.opts.store.insertHubNotification({
+            id: randomUUID(), userId: u.id, type: "hub_shutdown",
+            resource: "system", title: `Team server "${this.teamName}" has been shut down by the admin.`,
+          });
+        } catch { /* best-effort */ }
+      }
+    } catch { /* best-effort */ }
+
     const server = this.server;
     this.server = undefined;
     await new Promise<void>((resolve) => server.close(() => resolve()));
   }
 
   private get port(): number {
-    return this.opts.config.sharing?.hub?.port ?? 18800;
+    const configured = this.opts.config.sharing?.hub?.port;
+    const derived = this.opts.defaultHubPort;
+    if (derived && (!configured || configured === 18800)) return derived;
+    return configured ?? 18800;
   }
 
   private get teamName(): string {
@@ -169,6 +201,20 @@ export class HubServer {
     });
   }
 
+  private embedSkillAsync(skillId: string, name: string, description: string, sourceUserId: string, sourceSkillId: string): void {
+    const embedder = this.opts.embedder;
+    if (!embedder) return;
+    const text = `${name}: ${description}`;
+    embedder.embed([text]).then((vectors) => {
+      if (vectors[0]) {
+        this.opts.store.upsertHubSkillEmbedding(skillId, Array.from(vectors[0]), sourceUserId, sourceSkillId);
+        this.opts.log.info(`hub: embedded shared skill ${skillId}`);
+      }
+    }).catch((err) => {
+      this.opts.log.warn(`hub: embedding shared skill failed: ${err}`);
+    });
+  }
+
   private embedMemoryAsync(memoryId: string, summary: string, content: string): void {
     const embedder = this.opts.embedder;
     if (!embedder) return;
@@ -205,40 +251,70 @@ export class HubServer {
         || (req.headers["x-client-ip"] as string)?.trim()
         || (req.headers["x-forwarded-for"] as string)?.split(",")[0]?.trim()
         || req.socket.remoteAddress || "";
-      const existingUsers = this.opts.store.listHubUsers();
-      const existingUser = existingUsers.find(u => u.username === username);
+      const identityKey = typeof body.identityKey === "string" ? body.identityKey.trim() : "";
+
+      let existingUser = identityKey
+        ? this.userManager.findByIdentityKey(identityKey)
+        : null;
+      if (!existingUser) {
+        const existingUsers = this.opts.store.listHubUsers();
+        existingUser = existingUsers.find(u => u.username === username && u.status !== "left" && u.status !== "removed") ?? null;
+      }
+
       if (existingUser) {
         try { this.opts.store.updateHubUserActivity(existingUser.id, joinIp); } catch { /* best-effort */ }
+
         if (existingUser.status === "active") {
           const token = issueUserToken(
             { userId: existingUser.id, username: existingUser.username, role: existingUser.role, status: "active" },
             this.authSecret,
           );
           this.userManager.approveUser(existingUser.id, token);
-          return this.json(res, 200, { status: "active", userId: existingUser.id, userToken: token });
+          if (identityKey && !existingUser.identityKey) {
+            this.opts.store.upsertHubUser({ ...existingUser, identityKey });
+          }
+          return this.json(res, 200, { status: "active", userId: existingUser.id, userToken: token, identityKey: existingUser.identityKey || identityKey });
         }
         if (existingUser.status === "pending") {
           this.notifyAdmins("user_join_request", "user", username, "", { dedup: true });
-          return this.json(res, 200, { status: "pending", userId: existingUser.id });
+          return this.json(res, 200, { status: "pending", userId: existingUser.id, identityKey: existingUser.identityKey || identityKey });
         }
         if (existingUser.status === "rejected") {
           if (body.reapply === true) {
             this.userManager.resetToPending(existingUser.id);
             this.notifyAdmins("user_join_request", "user", username, "");
             this.opts.log.info(`Hub: rejected user "${username}" (${existingUser.id}) re-applied, reset to pending`);
-            return this.json(res, 200, { status: "pending", userId: existingUser.id });
+            return this.json(res, 200, { status: "pending", userId: existingUser.id, identityKey: existingUser.identityKey || identityKey });
           }
           return this.json(res, 200, { status: "rejected", userId: existingUser.id });
         }
+        if (existingUser.status === "removed") {
+          this.userManager.rejoinUser(existingUser.id);
+          this.notifyAdmins("user_join_request", "user", username, "", { dedup: true });
+          this.opts.log.info(`Hub: removed user "${username}" (${existingUser.id}) re-applied via rejoin, reset to pending`);
+          return this.json(res, 200, { status: "pending", userId: existingUser.id, identityKey: existingUser.identityKey || identityKey });
+        }
+        if (existingUser.status === "left") {
+          this.userManager.rejoinUser(existingUser.id);
+          this.notifyAdmins("user_join_request", "user", username, "", { dedup: true });
+          this.opts.log.info(`Hub: left user "${username}" (${existingUser.id}) re-applied via rejoin, reset to pending`);
+          return this.json(res, 200, { status: "pending", userId: existingUser.id, identityKey: existingUser.identityKey || identityKey });
+        }
+        if (existingUser.status === "blocked") {
+          return this.json(res, 200, { status: "blocked", userId: existingUser.id });
+        }
       }
+
+      const generatedIdentityKey = identityKey || randomUUID();
       const user = this.userManager.createPendingUser({
         username,
         deviceName: typeof body.deviceName === "string" ? body.deviceName : undefined,
+        identityKey: generatedIdentityKey,
       });
       try { this.opts.store.updateHubUserActivity(user.id, joinIp); } catch { /* best-effort */ }
       this.opts.log.info(`Hub: user "${username}" (${user.id}) registered as pending, awaiting admin approval`);
       this.notifyAdmins("user_join_request", "user", username, "");
-      return this.json(res, 200, { status: "pending", userId: user.id });
+      return this.json(res, 200, { status: "pending", userId: user.id, identityKey: generatedIdentityKey });
     }
 
     if (req.method === "POST" && routePath === "/api/v1/hub/registration-status") {
@@ -256,16 +332,42 @@ export class HubServer {
       if (user.status === "rejected") {
         return this.json(res, 200, { status: "rejected" });
       }
+      if (user.status === "blocked") {
+        return this.json(res, 200, { status: "blocked" });
+      }
+      if (user.status === "left") {
+        return this.json(res, 200, { status: "left" });
+      }
+      if (user.status === "removed") {
+        return this.json(res, 200, { status: "removed" });
+      }
       if (user.status === "active") {
         const token = issueUserToken(
           { userId: user.id, username: user.username, role: user.role, status: user.status },
           this.authSecret,
         );
+        this.userManager.approveUser(user.id, token);
         return this.json(res, 200, { status: "active", userToken: token });
       }
       return this.json(res, 200, { status: user.status });
     }
 
+    if (req.method === "POST" && routePath === "/api/v1/hub/withdraw-pending") {
+      const body = await this.readJson(req);
+      if (!body || body.teamToken !== this.teamToken) {
+        return this.json(res, 403, { error: "invalid_team_token" });
+      }
+      const userId = String(body.userId || "");
+      if (!userId) return this.json(res, 400, { error: "missing_user_id" });
+      const user = this.opts.store.getHubUser(userId);
+      if (!user) return this.json(res, 200, { ok: true });
+      if (user.status === "pending") {
+        this.userManager.markUserLeft(userId);
+        this.opts.log.info(`Hub: user "${user.username}" (${userId}) withdrew pending application`);
+      }
+      return this.json(res, 200, { ok: true });
+    }
+
     // All endpoints below require authentication + rate limiting
     const auth = this.authenticate(req);
     if (!auth) return this.json(res, 401, { error: "unauthorized" });
@@ -280,12 +382,10 @@ export class HubServer {
     }
 
     if (req.method === "POST" && routePath === "/api/v1/hub/leave") {
-      try {
-        this.opts.store.updateHubUserActivity(auth.userId, "", 0);
-      } catch { /* best-effort */ }
+      this.userManager.markUserLeft(auth.userId);
       this.knownOnlineUsers.delete(auth.userId);
-      this.notifyAdmins("user_offline", "user", auth.username, auth.userId);
-      this.opts.log.info(`Hub: user "${auth.username}" (${auth.userId}) left voluntarily`);
+      this.notifyAdmins("user_left", "user", auth.username, auth.userId);
+      this.opts.log.info(`Hub: user "${auth.username}" (${auth.userId}) left voluntarily, status set to "left"`);
       return this.json(res, 200, { ok: true });
     }
 
@@ -314,6 +414,10 @@ export class HubServer {
         ttlMs,
       );
       this.userManager.approveUser(updated.id, newToken);
+      if (updated.id === this.authState.bootstrapAdminUserId) {
+        this.authState.bootstrapAdminToken = newToken;
+        this.saveAuthState();
+      }
       this.opts.log.info(`Hub: user "${auth.userId}" renamed to "${newUsername}"`);
       return this.json(res, 200, { ok: true, username: newUsername, userToken: newToken });
     }
@@ -326,18 +430,33 @@ export class HubServer {
     if (req.method === "POST" && routePath === "/api/v1/hub/admin/approve-user") {
       if (auth.role !== "admin") return this.json(res, 403, { error: "forbidden" });
       const body = await this.readJson(req);
-      const token = issueUserToken({ userId: String(body.userId), username: String(body.username || ""), role: "member", status: "active" }, this.authSecret);
-      const approved = this.userManager.approveUser(String(body.userId), token);
+      const userId = String(body.userId);
+      const username = String(body.username || "");
+      const token = issueUserToken({ userId, username, role: "member", status: "active" }, this.authSecret);
+      const approved = this.userManager.approveUser(userId, token);
       if (!approved) return this.json(res, 404, { error: "not_found" });
-      try { this.opts.store.updateHubUserActivity(String(body.userId), ""); } catch { /* best-effort */ }
+      try { this.opts.store.updateHubUserActivity(userId, ""); } catch { /* best-effort */ }
+      try {
+        this.opts.store.insertHubNotification({
+          id: randomUUID(), userId, type: "membership_approved",
+          resource: "user", title: `Your request to join team "${this.teamName}" has been approved. Welcome!`,
+        });
+      } catch { /* best-effort */ }
       return this.json(res, 200, { status: "active", token });
     }
 
     if (req.method === "POST" && routePath === "/api/v1/hub/admin/reject-user") {
       if (auth.role !== "admin") return this.json(res, 403, { error: "forbidden" });
       const body = await this.readJson(req);
-      const rejected = this.userManager.rejectUser(String(body.userId));
+      const userId = String(body.userId);
+      const rejected = this.userManager.rejectUser(userId);
       if (!rejected) return this.json(res, 404, { error: "not_found" });
+      try {
+        this.opts.store.insertHubNotification({
+          id: randomUUID(), userId, type: "membership_rejected",
+          resource: "user", title: `Your request to join team "${this.teamName}" has been declined.`,
+        });
+      } catch { /* best-effort */ }
       return this.json(res, 200, { status: "rejected" });
     }
 
@@ -374,6 +493,13 @@ export class HubServer {
       const updatedUser = { ...user, role: newRole as "admin" | "member" };
       this.opts.store.upsertHubUser(updatedUser);
       this.opts.log.info(`Hub: admin "${auth.userId}" changed role of "${userId}" to "${newRole}"`);
+      try {
+        const notifType = newRole === "admin" ? "role_promoted" : "role_demoted";
+        this.opts.store.insertHubNotification({
+          id: randomUUID(), userId, type: notifType,
+          resource: "user", title: `Your role in team "${this.teamName}" has been changed to ${newRole}.`,
+        });
+      } catch { /* best-effort */ }
       return this.json(res, 200, { ok: true, role: newRole });
     }
 
@@ -400,6 +526,10 @@ export class HubServer {
       const updated = this.opts.store.getHubUser(userId)!;
       const finalUser = { ...updated, username: newUsername };
       this.opts.store.upsertHubUser(finalUser);
+      if (userId === this.authState.bootstrapAdminUserId) {
+        this.authState.bootstrapAdminToken = newToken;
+        this.saveAuthState();
+      }
       this.opts.log.info(`Hub: admin "${auth.userId}" renamed user "${userId}" to "${newUsername}"`);
       return this.json(res, 200, { ok: true, username: newUsername });
     }
@@ -411,9 +541,16 @@ export class HubServer {
       if (!userId) return this.json(res, 400, { error: "missing_user_id" });
       if (userId === auth.userId) return this.json(res, 400, { error: "cannot_remove_self" });
       if (userId === this.authState.bootstrapAdminUserId) return this.json(res, 403, { error: "cannot_remove_owner", message: "The hub owner cannot be removed" });
+      try {
+        this.opts.store.insertHubNotification({
+          id: randomUUID(), userId, type: "membership_removed",
+          resource: "user", title: `You have been removed from team "${this.teamName}" by the admin.`,
+        });
+      } catch { /* best-effort */ }
       const cleanResources = body?.cleanResources === true;
       const deleted = this.opts.store.deleteHubUser(userId, cleanResources);
       if (!deleted) return this.json(res, 404, { error: "not_found" });
+      this.knownOnlineUsers.delete(userId);
       this.opts.log.info(`Hub: admin "${auth.userId}" removed user "${userId}" (cleanResources=${cleanResources})`);
       return this.json(res, 200, { ok: true });
     }
@@ -603,19 +740,70 @@ export class HubServer {
     }
 
     if (req.method === "GET" && routePath === "/api/v1/hub/skills") {
-      const hits = this.opts.store.searchHubSkills(String(url.searchParams.get("query") || ""), {
+      const skillQuery = String(url.searchParams.get("query") || "");
+      const skillMaxResults = Number(url.searchParams.get("maxResults") || 10);
+      const ftsSkillHits = this.opts.store.searchHubSkills(skillQuery, {
         userId: auth.userId,
-        maxResults: Number(url.searchParams.get("maxResults") || 10),
-      }).map(({ hit }) => ({
-        skillId: hit.id,
-        name: hit.name,
-        description: hit.description,
-        version: hit.version,
-        visibility: hit.visibility,
-        groupName: hit.group_name,
-        ownerName: hit.owner_name || "unknown",
-        qualityScore: hit.quality_score,
-      }));
+        maxResults: skillMaxResults * 2,
+      });
+
+      let mergedSkillIds: string[];
+      if (this.opts.embedder && skillQuery) {
+        try {
+          const [queryVec] = await this.opts.embedder.embed([skillQuery]);
+          if (queryVec) {
+            const skillEmbs = this.opts.store.getVisibleHubSkillEmbeddings();
+            const cosineSim = (vec: Float32Array) => {
+              let dot = 0, nA = 0, nB = 0;
+              for (let i = 0; i < queryVec.length && i < vec.length; i++) {
+                dot += queryVec[i] * vec[i]; nA += queryVec[i] * queryVec[i]; nB += vec[i] * vec[i];
+              }
+              return nA > 0 && nB > 0 ? dot / (Math.sqrt(nA) * Math.sqrt(nB)) : 0;
+            };
+            const vecScored = skillEmbs
+              .map(e => ({ id: e.skillId, score: cosineSim(e.vector) }))
+              .filter(e => e.score > 0.3)
+              .sort((a, b) => b.score - a.score)
+              .slice(0, skillMaxResults * 2);
+
+            const K = 60;
+            const rrfScores = new Map<string, number>();
+            ftsSkillHits.forEach(({ hit }, idx) => {
+              rrfScores.set(hit.id, (rrfScores.get(hit.id) ?? 0) + 1 / (K + idx + 1));
+            });
+            vecScored.forEach(({ id }, idx) => {
+              rrfScores.set(id, (rrfScores.get(id) ?? 0) + 1 / (K + idx + 1));
+            });
+            mergedSkillIds = [...rrfScores.entries()].sort((a, b) => b[1] - a[1]).slice(0, skillMaxResults).map(([id]) => id);
+          } else {
+            mergedSkillIds = ftsSkillHits.slice(0, skillMaxResults).map(({ hit }) => hit.id);
+          }
+        } catch {
+          mergedSkillIds = ftsSkillHits.slice(0, skillMaxResults).map(({ hit }) => hit.id);
+        }
+      } else {
+        mergedSkillIds = ftsSkillHits.slice(0, skillMaxResults).map(({ hit }) => hit.id);
+      }
+
+      const ftsSkillMap = new Map(ftsSkillHits.map(({ hit }) => [hit.id, hit]));
+      const hits = mergedSkillIds.map(id => {
+        const hit = ftsSkillMap.get(id);
+        if (hit) {
+          return {
+            skillId: hit.id, name: hit.name, description: hit.description,
+            version: hit.version, visibility: hit.visibility, groupName: hit.group_name,
+            ownerName: hit.owner_name || "unknown", ownerStatus: hit.owner_status || "",
+            qualityScore: hit.quality_score,
+          };
+        }
+        const skill = this.opts.store.getHubSkillById(id);
+        if (!skill) return null;
+        return {
+          skillId: skill.id, name: skill.name, description: skill.description,
+          version: skill.version, visibility: skill.visibility, groupName: "",
+          ownerName: "unknown", ownerStatus: "", qualityScore: skill.qualityScore,
+        };
+      }).filter(Boolean);
       return this.json(res, 200, { hits });
     }
 
@@ -641,6 +829,7 @@ export class HubServer {
         createdAt: existing?.createdAt ?? Date.now(),
         updatedAt: Date.now(),
       });
+      this.embedSkillAsync(skillId, String(metadata.name || sourceSkillId), String(metadata.description || ""), auth.userId, sourceSkillId);
       if (!existing) {
         this.notifyAdmins("resource_shared", "skill", String(metadata.name || sourceSkillId), auth.userId);
       }
@@ -761,7 +950,18 @@ export class HubServer {
       const deleted = this.opts.store.deleteHubMemoryById(memoryId);
       if (!deleted) return this.json(res, 404, { error: "not_found" });
       if (memInfo) {
-        this.opts.store.insertHubNotification({ id: randomUUID(), userId: memInfo.sourceUserId, type: "resource_removed", resource: "memory", title: memInfo.summary || memInfo.id });
+        const payload = JSON.stringify({
+          memoryId,
+          sourceChunkId: memInfo.sourceChunkId,
+        });
+        this.opts.store.insertHubNotification({
+          id: randomUUID(),
+          userId: memInfo.sourceUserId,
+          type: "resource_removed",
+          resource: "memory",
+          title: memInfo.summary || memInfo.id,
+          message: payload,
+        });
       }
       return this.json(res, 200, { ok: true });
     }