@sleep2agi/commhub-server 0.5.0-preview.1 → 0.5.0-preview.10

package/README.md

@@ -0,0 +1,99 @@
+# @sleep2agi/commhub-server
+
+AI Agent 通信中枢 — MCP Server + SSE Push + REST API。
+
+## 快速启动
+
+```bash
+# 需要 Bun
+bunx @sleep2agi/commhub-server
+
+# 或指定端口 + auth
+PORT=9200 COMMHUB_AUTH_TOKEN=your-secret bunx @sleep2agi/commhub-server
+```
+
+启动后:
+- MCP: `http://0.0.0.0:9200/mcp` (Claude Code / Codex 连接)
+- SSE: `http://0.0.0.0:9200/events/:alias` (Agent 实时推送)
+- REST: `http://0.0.0.0:9200/api/*` (Dashboard / 监控)
+- Health: `http://0.0.0.0:9200/health`
+
+## MCP 工具 (17 个)
+
+### Agent 端 (从 Agent 调用)
+| 工具 | 说明 |
+|------|------|
+| `report_status` | 心跳 + 状态更新 (idle/working/blocked/error/offline) |
+| `report_completion` | 任务完成汇报 |
+| `get_inbox` | 拉取待办任务 |
+| `ack_inbox` | 确认收到任务 |
+
+### Hub 端 (从指挥室 / Dashboard 调用)
+| 工具 | 说明 |
+|------|------|
+| `send_task` | 下发任务 (+ 可选 ttl_seconds) |
+| `send_message` | 发消息 (不触发 Agent 处理) |
+| `send_reply` | 回复任务 (replied/failed/cancelled + in_reply_to) |
+| `send_ack` | 确认任务 (不入 inbox) |
+| `retry_task` | 重试失败/过期/取消的任务 |
+| `cancel_task` | 取消待处理任务 |
+| `reassign_task` | 转移任务到另一个 Agent |
+| `get_task` | 查询任务详情 |
+| `get_all_status` | 全局状态面板 |
+| `get_session_status` | 单 session 详情 |
+| `broadcast` | 群发消息 |
+
+## REST API
+
+| 端点 | 方法 | 说明 |
+|------|------|------|
+| `/health` | GET | 健康检查 (无需 auth) |
+| `/api/status` | GET | 所有 session |
+| `/api/tasks` | GET | 任务列表 (支持 status/from_name/to_name/task_id/limit 过滤) |
+| `/api/nodes` | GET | 节点持久化信息 |
+| `/api/task_events` | GET | 任务审计日志 |
+| `/api/messages` | GET | 消息列表 |
+| `/api/completions` | GET | 完成记录 |
+| `/mcp` | POST | MCP Streamable HTTP |
+
+## 数据库 (6 表)
+
+SQLite WAL 模式, 自动创建在 `~/.commhub/commhub.db`
+
+| 表 | 说明 |
+|---|------|
+| `sessions` | 运行时 session (21 列, 含 node_id/session_id/channels) |
+| `inbox` | 消息队列 (13 列, 含 in_reply_to/scope) |
+| `tasks` | 任务生命周期 (17 列, 完整状态机) |
+| `nodes` | 持久化节点身份 (11 列, 独立于 session) |
+| `completions` | 完成记录 (7 列) |
+| `task_events` | 审计日志 (7 列, 每次状态变化记录) |
+
+任务状态机:
+```
+created → delivered → acked → running → replied
+                                      → failed → retry → delivered
+                                      → cancelled
+delivered → expired (5min patrol)
+delivered/acked/running → reassign → delivered (新agent)
+```
+
+## 环境变量
+
+| 变量 | 默认 | 说明 |
+|------|------|------|
+| `PORT` | 9200 | 监听端口 |
+| `HOST` | 0.0.0.0 | 监听地址 |
+| `COMMHUB_AUTH_TOKEN` | (无) | Bearer token 鉴权 |
+| `COMMHUB_DB` | ~/.commhub/commhub.db | 数据库路径 |
+
+## 鉴权
+
+设置 `COMMHUB_AUTH_TOKEN` 后, 所有端点需要 Bearer token:
+- Header: `Authorization: Bearer <token>`
+- 或 Query: `?token=<token>`
+- `/health` 不需要 auth
+
+## License
+
+MIT

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@sleep2agi/commhub-server",
-  "version": "0.5.0-preview.1",
+  "version": "0.5.0-preview.10",
   "description": "CommHub MCP Server — AI Agent communication hub with SSE push, MCP protocol, and REST API",
   "type": "module",
   "main": "src/index.ts",

package/src/auth.ts

@@ -0,0 +1,134 @@
+/**
+ * V3 Auth module — user registration, login, token management
+ */
+import { db, generateId, hashPassword, hashToken, generateToken, uuidv4 } from "./db.js";
+
+export interface AuthUser {
+  user_id: string;
+  username: string;
+  display_name: string | null;
+  email: string | null;
+  role: string;
+}
+
+export interface AuthResult {
+  ok: boolean;
+  error?: string;
+  user?: AuthUser;
+  token?: string;
+}
+
+export function register(username: string, password: string, email?: string, displayName?: string): AuthResult {
+  if (!username || username.length < 2) return { ok: false, error: "username must be at least 2 characters" };
+  if (!password || password.length < 6) return { ok: false, error: "password must be at least 6 characters" };
+  if (!/^[a-zA-Z0-9_\-\u4e00-\u9fff]+$/.test(username)) return { ok: false, error: "username contains invalid characters" };
+
+  const existing = db.query<any, [string]>("SELECT user_id FROM users WHERE username = ?1").get(username);
+  if (existing) return { ok: false, error: "username already taken" };
+
+  const userId = generateId("u");
+  const pwHash = hashPassword(password);
+
+  db.run(
+    "INSERT INTO users (user_id, username, password_hash, email, display_name) VALUES (?1, ?2, ?3, ?4, ?5)",
+    [userId, username, pwHash, email || null, displayName || username]
+  );
+
+  // Auto-create default network
+  const networkId = generateId("net");
+  db.run(
+    "INSERT INTO networks (network_id, network_name, owner_id, description) VALUES (?1, ?2, ?3, ?4)",
+    [networkId, "default", userId, "Auto-created default network"]
+  );
+
+  // Auto-create API token
+  const token = generateToken();
+  const tokenId = generateId("tok");
+  db.run(
+    "INSERT INTO api_tokens (token_id, token_hash, user_id, network_id, name, scope) VALUES (?1, ?2, ?3, ?4, ?5, ?6)",
+    [tokenId, hashToken(token), userId, networkId, "default", "full"]
+  );
+
+  return {
+    ok: true,
+    user: { user_id: userId, username, display_name: displayName || username, email: email || null, role: "user" },
+    token,
+  };
+}
+
+export function login(username: string, password: string): AuthResult {
+  const user = db.query<any, [string]>(
+    "SELECT user_id, username, password_hash, display_name, email, role FROM users WHERE username = ?1"
+  ).get(username);
+
+  if (!user) return { ok: false, error: "invalid username or password" };
+  if (user.password_hash !== hashPassword(password)) return { ok: false, error: "invalid username or password" };
+
+  // Find or create token
+  let tokenRow = db.query<any, [string]>(
+    "SELECT token_id FROM api_tokens WHERE user_id = ?1 ORDER BY created_at DESC LIMIT 1"
+  ).get(user.user_id);
+
+  let token: string;
+  if (tokenRow) {
+    // Generate new token (rotate)
+    token = generateToken();
+    db.run("UPDATE api_tokens SET token_hash = ?1, last_used_at = datetime('now') WHERE token_id = ?2",
+      [hashToken(token), tokenRow.token_id]);
+  } else {
+    token = generateToken();
+    const tokenId = generateId("tok");
+    const networkId = db.query<any, [string]>(
+      "SELECT network_id FROM networks WHERE owner_id = ?1 LIMIT 1"
+    ).get(user.user_id)?.network_id;
+    db.run(
+      "INSERT INTO api_tokens (token_id, token_hash, user_id, network_id, name) VALUES (?1, ?2, ?3, ?4, ?5)",
+      [tokenId, hashToken(token), user.user_id, networkId || null, "login"]
+    );
+  }
+
+  return {
+    ok: true,
+    user: { user_id: user.user_id, username: user.username, display_name: user.display_name, email: user.email, role: user.role },
+    token,
+  };
+}
+
+export function resolveToken(token: string): { user: AuthUser; networkId: string | null } | null {
+  const tHash = hashToken(token);
+  const row = db.query<any, [string]>(
+    `SELECT t.user_id, t.network_id, t.scope, u.username, u.display_name, u.email, u.role
+     FROM api_tokens t JOIN users u ON t.user_id = u.user_id
+     WHERE t.token_hash = ?1 AND (t.expires_at IS NULL OR t.expires_at > datetime('now'))`
+  ).get(tHash);
+
+  if (!row) return null;
+
+  // Update last_used
+  db.run("UPDATE api_tokens SET last_used_at = datetime('now') WHERE token_hash = ?1", [tHash]);
+
+  return {
+    user: { user_id: row.user_id, username: row.username, display_name: row.display_name, email: row.email, role: row.role },
+    networkId: row.network_id,
+  };
+}
+
+export function getUserNetworks(userId: string) {
+  return db.query<any, [string]>(
+    "SELECT * FROM networks WHERE owner_id = ?1 ORDER BY created_at"
+  ).all(userId);
+}
+
+export function createNetwork(userId: string, name: string, description?: string) {
+  const existing = db.query<any, [string, string]>(
+    "SELECT network_id FROM networks WHERE owner_id = ?1 AND network_name = ?2"
+  ).get(userId, name);
+  if (existing) return { ok: false, error: "network name already exists" };
+
+  const networkId = generateId("net");
+  db.run(
+    "INSERT INTO networks (network_id, network_name, owner_id, description) VALUES (?1, ?2, ?3, ?4)",
+    [networkId, name, userId, description || null]
+  );
+  return { ok: true, network_id: networkId, network_name: name };
+}

package/src/db.ts

@@ -115,7 +115,126 @@ db.exec(`
   CREATE INDEX IF NOT EXISTS idx_tasks_created ON tasks(created_at);
 `);
 
+// nodes table (V2 Sprint 2) — persistent node identity, separate from runtime sessions
+db.exec(`
+  CREATE TABLE IF NOT EXISTS nodes (
+    node_id       TEXT PRIMARY KEY,
+    node_name     TEXT NOT NULL,
+    alias         TEXT,
+    runtime       TEXT,
+    model         TEXT,
+    config_path   TEXT,
+    channels      TEXT,
+    server        TEXT,
+    hostname      TEXT,
+    created_at    TEXT NOT NULL DEFAULT (datetime('now')),
+    updated_at    TEXT NOT NULL DEFAULT (datetime('now'))
+  );
+
+  CREATE INDEX IF NOT EXISTS idx_nodes_name ON nodes(node_name);
+  CREATE INDEX IF NOT EXISTS idx_nodes_alias ON nodes(alias);
+`);
+
+// task_events table (V2 Sprint 2) — audit log for task state changes
+db.exec(`
+  CREATE TABLE IF NOT EXISTS task_events (
+    id            INTEGER PRIMARY KEY AUTOINCREMENT,
+    task_id       TEXT NOT NULL,
+    from_status   TEXT,
+    to_status     TEXT NOT NULL,
+    actor         TEXT NOT NULL DEFAULT 'system',
+    detail        TEXT,
+    created_at    TEXT NOT NULL DEFAULT (datetime('now'))
+  );
+
+  CREATE INDEX IF NOT EXISTS idx_task_events_task_time ON task_events(task_id, created_at DESC);
+  CREATE INDEX IF NOT EXISTS idx_task_events_created ON task_events(created_at);
+`);
+
+// ── V3: users table ──
+db.exec(`
+  CREATE TABLE IF NOT EXISTS users (
+    user_id       TEXT PRIMARY KEY,
+    username      TEXT UNIQUE NOT NULL,
+    password_hash TEXT NOT NULL,
+    email         TEXT,
+    display_name  TEXT,
+    role          TEXT DEFAULT 'user',
+    created_at    TEXT NOT NULL DEFAULT (datetime('now')),
+    updated_at    TEXT NOT NULL DEFAULT (datetime('now'))
+  );
+
+  CREATE INDEX IF NOT EXISTS idx_users_username ON users(username);
+`);
+
+// ── V3: networks table ──
+db.exec(`
+  CREATE TABLE IF NOT EXISTS networks (
+    network_id    TEXT PRIMARY KEY,
+    network_name  TEXT NOT NULL,
+    owner_id      TEXT NOT NULL,
+    description   TEXT,
+    settings      TEXT,
+    created_at    TEXT NOT NULL DEFAULT (datetime('now')),
+    updated_at    TEXT NOT NULL DEFAULT (datetime('now')),
+    UNIQUE(owner_id, network_name)
+  );
+
+  CREATE INDEX IF NOT EXISTS idx_networks_owner ON networks(owner_id);
+`);
+
+// ── V3: api_tokens table ──
+db.exec(`
+  CREATE TABLE IF NOT EXISTS api_tokens (
+    token_id      TEXT PRIMARY KEY,
+    token_hash    TEXT NOT NULL,
+    user_id       TEXT NOT NULL,
+    network_id    TEXT,
+    name          TEXT NOT NULL DEFAULT 'default',
+    scope         TEXT DEFAULT 'full',
+    expires_at    TEXT,
+    last_used_at  TEXT,
+    created_at    TEXT NOT NULL DEFAULT (datetime('now'))
+  );
+
+  CREATE INDEX IF NOT EXISTS idx_tokens_hash ON api_tokens(token_hash);
+  CREATE INDEX IF NOT EXISTS idx_tokens_user ON api_tokens(user_id);
+`);
+
+// ── V3: add network_id to existing tables ──
+for (const table of ["sessions", "nodes", "tasks", "inbox", "task_events"]) {
+  try { db.exec(`ALTER TABLE ${table} ADD COLUMN network_id TEXT`); } catch {}
+}
+try { db.exec("CREATE INDEX IF NOT EXISTS idx_sessions_network ON sessions(network_id)"); } catch {}
+try { db.exec("CREATE INDEX IF NOT EXISTS idx_tasks_network ON tasks(network_id)"); } catch {}
+try { db.exec("CREATE INDEX IF NOT EXISTS idx_nodes_network ON nodes(network_id)"); } catch {}
+
 // Helpers
 export function uuidv4(): string {
   return crypto.randomUUID();
 }
+
+export function generateId(prefix: string): string {
+  return `${prefix}_${crypto.randomUUID().replace(/-/g, "").slice(0, 12)}`;
+}
+
+export function hashPassword(password: string): string {
+  return new Bun.CryptoHasher("sha256").update(`anet:${password}`).digest("hex");
+}
+
+export function hashToken(token: string): string {
+  return new Bun.CryptoHasher("sha256").update(token).digest("hex");
+}
+
+export function generateToken(): string {
+  return `atok_${crypto.randomUUID().replace(/-/g, "")}`;
+}
+
+export function logTaskEvent(taskId: string, fromStatus: string | null, toStatus: string, actor: string, detail?: string) {
+  try {
+    db.run(
+      "INSERT INTO task_events (task_id, from_status, to_status, actor, detail) VALUES (?1, ?2, ?3, ?4, ?5)",
+      [taskId, fromStatus, toStatus, actor, detail ?? null]
+    );
+  } catch {}
+}

package/src/index.ts

@@ -2,8 +2,9 @@ import { McpServer } from "@modelcontextprotocol/sdk/server/mcp.js";
 import { WebStandardStreamableHTTPServerTransport } from "@modelcontextprotocol/sdk/server/webStandardStreamableHttp.js";
 import { z } from "zod/v4";
 import { registerTools } from "./tools.js";
-import { db } from "./db.js";
+import { db, logTaskEvent } from "./db.js";
 import { createSSEStream, pushEvent, pushBroadcast, getSSEStats } from "./push.js";
+import { register, login, resolveToken, getUserNetworks, createNetwork, type AuthUser } from "./auth.js";
 
 const PORT = Number(process.env.PORT) || 9200;
 const AUTH_TOKEN = process.env.COMMHUB_AUTH_TOKEN;
@@ -84,6 +85,11 @@ setInterval(() => {
     );
     if (result.changes > 0) {
       console.log(`[patrol] expired ${result.changes} stale task(s)`);
+      // Log events for expired tasks
+      const expired = db.query<{ task_id: string }, []>(
+        "SELECT task_id FROM tasks WHERE status = 'expired' AND completed_at >= datetime('now', '-1 minute')"
+      ).all();
+      for (const t of expired) logTaskEvent(t.task_id, null, "expired", "patrol");
     }
   } catch {}
 }, 5 * 60 * 1000);
@@ -135,6 +141,91 @@ Bun.serve({
       return createSSEStream(sessionName);
     }
 
+    // ── V3: Auth endpoints (public) ──
+    if (url.pathname === "/api/auth/register" && req.method === "POST") {
+      try {
+        const body = await req.json() as any;
+        const result = register(body.username, body.password, body.email, body.display_name);
+        return withCors(req, Response.json(result, { status: result.ok ? 200 : 400 }));
+      } catch (e: any) {
+        return withCors(req, Response.json({ ok: false, error: e.message }, { status: 400 }));
+      }
+    }
+
+    if (url.pathname === "/api/auth/login" && req.method === "POST") {
+      try {
+        const body = await req.json() as any;
+        const result = login(body.username, body.password);
+        return withCors(req, Response.json(result, { status: result.ok ? 200 : 401 }));
+      } catch (e: any) {
+        return withCors(req, Response.json({ ok: false, error: e.message }, { status: 400 }));
+      }
+    }
+
+    if (url.pathname === "/api/auth/me" && req.method === "GET") {
+      const token = req.headers.get("Authorization")?.replace("Bearer ", "") || url.searchParams.get("token");
+      if (!token) return withCors(req, Response.json({ ok: false, error: "token required" }, { status: 401 }));
+      const resolved = resolveToken(token);
+      if (!resolved) return withCors(req, Response.json({ ok: false, error: "invalid token" }, { status: 401 }));
+      const networks = getUserNetworks(resolved.user.user_id);
+      return withCors(req, Response.json({ ok: true, user: resolved.user, networks, current_network: resolved.networkId }));
+    }
+
+    // ── V3: Network management ──
+    if (url.pathname === "/api/networks" && req.method === "GET") {
+      const token = req.headers.get("Authorization")?.replace("Bearer ", "") || url.searchParams.get("token");
+      if (!token) return withCors(req, Response.json({ ok: false, error: "token required" }, { status: 401 }));
+      const resolved = resolveToken(token);
+      if (!resolved) return withCors(req, Response.json({ ok: false, error: "invalid token" }, { status: 401 }));
+      const networks = getUserNetworks(resolved.user.user_id);
+      return withCors(req, Response.json({ ok: true, networks }));
+    }
+
+    if (url.pathname === "/api/networks" && req.method === "POST") {
+      const token = req.headers.get("Authorization")?.replace("Bearer ", "") || url.searchParams.get("token");
+      if (!token) return withCors(req, Response.json({ ok: false, error: "token required" }, { status: 401 }));
+      const resolved = resolveToken(token);
+      if (!resolved) return withCors(req, Response.json({ ok: false, error: "invalid token" }, { status: 401 }));
+      try {
+        const body = await req.json() as any;
+        const result = createNetwork(resolved.user.user_id, body.name, body.description);
+        return withCors(req, Response.json(result, { status: result.ok ? 200 : 400 }));
+      } catch (e: any) {
+        return withCors(req, Response.json({ ok: false, error: e.message }, { status: 400 }));
+      }
+    }
+
+    // ── V3: Admin APIs (require auth) ──
+    if (url.pathname === "/api/users" && req.method === "GET") {
+      const token = req.headers.get("Authorization")?.replace("Bearer ", "");
+      if (!token) return withCors(req, Response.json({ ok: false, error: "auth required" }, { status: 401 }));
+      const resolved = resolveToken(token);
+      if (!resolved || resolved.user.role !== "admin") {
+        return withCors(req, Response.json({ ok: false, error: "admin required" }, { status: 403 }));
+      }
+      const users = db.query("SELECT user_id, username, display_name, email, role, created_at FROM users ORDER BY created_at").all();
+      return withCors(req, Response.json({ ok: true, users }));
+    }
+
+    const netDetailMatch = url.pathname.match(/^\/api\/networks\/([^/]+)$/);
+    if (netDetailMatch && req.method === "GET") {
+      const token = req.headers.get("Authorization")?.replace("Bearer ", "") || url.searchParams.get("token");
+      if (!token) return withCors(req, Response.json({ ok: false, error: "auth required" }, { status: 401 }));
+      const resolved = resolveToken(token);
+      if (!resolved) return withCors(req, Response.json({ ok: false, error: "invalid token" }, { status: 401 }));
+      const networkId = netDetailMatch[1];
+      const network = db.query<any, [string]>("SELECT * FROM networks WHERE network_id = ?1").get(networkId);
+      if (!network) return withCors(req, Response.json({ ok: false, error: "network not found" }, { status: 404 }));
+      // Get network stats
+      const nodeCount = db.query<{ cnt: number }, [string]>("SELECT COUNT(*) as cnt FROM nodes WHERE network_id = ?1").get(networkId);
+      const sessionCount = db.query<{ cnt: number }, [string]>("SELECT COUNT(*) as cnt FROM sessions WHERE network_id = ?1").get(networkId);
+      const taskStats = db.query<any, [string]>("SELECT status, COUNT(*) as count FROM tasks WHERE network_id = ?1 GROUP BY status").all(networkId);
+      return withCors(req, Response.json({
+        ok: true, network,
+        stats: { nodes: nodeCount?.cnt || 0, sessions: sessionCount?.cnt || 0, tasks: taskStats },
+      }));
+    }
+
     // ── REST: health (public, no auth) ──
     if (url.pathname === "/health") {
       const count = db.query<{ cnt: number }, []>("SELECT COUNT(*) as cnt FROM sessions").get();
@@ -281,6 +372,50 @@ Bun.serve({
       return withCors(req, Response.json({ ok: true, messages: rows }));
     }
 
+    // ── REST: stats summary ──
+    if (url.pathname === "/api/stats") {
+      const taskStats = db.query<any, []>("SELECT status, COUNT(*) as count FROM tasks GROUP BY status").all();
+      const sessionStats = db.query<any, []>("SELECT status, COUNT(*) as count FROM sessions GROUP BY status").all();
+      const totalTasks = db.query<{ cnt: number }, []>("SELECT COUNT(*) as cnt FROM tasks").get();
+      const totalNodes = db.query<{ cnt: number }, []>("SELECT COUNT(*) as cnt FROM nodes").get();
+      const recentTasks = db.query<any, []>(
+        "SELECT task_id, from_name, to_name, status, created_at FROM tasks ORDER BY created_at DESC LIMIT 5"
+      ).all();
+      return withCors(req, Response.json({
+        ok: true,
+        tasks: { total: totalTasks?.cnt || 0, by_status: taskStats },
+        sessions: { by_status: sessionStats },
+        nodes: { total: totalNodes?.cnt || 0 },
+        recent_tasks: recentTasks,
+      }));
+    }
+
+    // ── REST: task events (V2 Sprint 2) ──
+    if (url.pathname === "/api/task_events") {
+      const taskId = url.searchParams.get("task_id");
+      const limit = Math.min(Number(url.searchParams.get("limit")) || 50, 500);
+      let sql = "SELECT * FROM task_events";
+      const params: any[] = [];
+      if (taskId) { sql += " WHERE task_id = ?1"; params.push(taskId); }
+      sql += " ORDER BY created_at DESC LIMIT ?";
+      params.push(limit);
+      const rows = db.query(sql).all(...params);
+      return withCors(req, Response.json({ ok: true, events: rows, count: rows.length }));
+    }
+
+    // ── REST: nodes table (V2 Sprint 2) ──
+    if (url.pathname === "/api/nodes") {
+      const nodeId = url.searchParams.get("node_id");
+      const alias = url.searchParams.get("alias");
+      let sql = "SELECT * FROM nodes WHERE 1=1";
+      const params: any[] = [];
+      if (nodeId) { sql += ` AND node_id = ?${params.length + 1}`; params.push(nodeId); }
+      if (alias) { sql += ` AND alias = ?${params.length + 1}`; params.push(alias); }
+      sql += " ORDER BY updated_at DESC";
+      const rows = db.query(sql).all(...params);
+      return withCors(req, Response.json({ ok: true, nodes: rows, count: rows.length }));
+    }
+
     // ── REST: tasks table (V2) ──
     if (url.pathname === "/api/tasks") {
       const taskId = url.searchParams.get("task_id");
@@ -299,7 +434,8 @@ Bun.serve({
       params.push(limit);
 
       const rows = db.query(sql).all(...params);
-      return withCors(req, Response.json({ ok: true, tasks: rows, count: rows.length }));
+      const stats = db.query<any, []>("SELECT status, COUNT(*) as count FROM tasks GROUP BY status").all();
+      return withCors(req, Response.json({ ok: true, tasks: rows, count: rows.length, stats }));
     }
 
     // ── REST: recent completions ──

package/src/tools.ts

@@ -1,6 +1,6 @@
 import { McpServer } from "@modelcontextprotocol/sdk/server/mcp.js";
 import { z } from "zod/v4";
-import { db, uuidv4 } from "./db.js";
+import { db, uuidv4, logTaskEvent } from "./db.js";
 import { pushEvent, pushBroadcast } from "./push.js";
 
 function ts(): string {
@@ -34,8 +34,10 @@ export function registerTools(server: McpServer, clientIP?: string) {
       session_id: z.string().max(200).optional().describe("Runtime session/thread ID"),
       config_path: z.string().max(1000).optional().describe("Config file path"),
       channels: z.string().max(2000).optional().describe("JSON array of channels"),
+      model: z.string().max(200).optional().describe("AI model name"),
+      node_name: z.string().max(200).optional().describe("Stable node display name (may differ from alias)"),
     },
-    async ({ resume_id, alias, status, task, output, score, progress, server: srv, hostname: hn, agent: ag, project_dir: pd, version: ver, tmux_name: tmux, node_id, session_id, config_path, channels }) => {
+    async ({ resume_id, alias, status, task, output, score, progress, server: srv, hostname: hn, agent: ag, project_dir: pd, version: ver, tmux_name: tmux, node_id, session_id, config_path, channels, model: mdl, node_name: nn }) => {
       console.log(`[${ts()}] ${alias} (${resume_id.slice(0, 8)}) → report_status: ${status}${task ? " | " + task.slice(0, 60) : ""}`);
       const trimmedOutput = output?.slice(0, 4000);
 
@@ -76,11 +78,41 @@ export function registerTools(server: McpServer, clientIP?: string) {
       // V2: sync tasks table — report_status(working) → tasks.running
       if (status === "working" && task) {
         try {
-          db.run(
+          const runResult = db.run(
             `UPDATE tasks SET status = 'running', started_at = datetime('now')
              WHERE to_name = ?1 AND status IN ('delivered', 'acked') AND content = ?2`,
             [alias, task]
           );
+          if (runResult.changes > 0) {
+            // Find task_id for logging
+            const t = db.query<{ task_id: string }, [string, string]>(
+              "SELECT task_id FROM tasks WHERE to_name = ?1 AND content = ?2 AND status = 'running' ORDER BY started_at DESC LIMIT 1"
+            ).get(alias, task);
+            if (t) logTaskEvent(t.task_id, null, "running", alias);
+          }
+        } catch {}
+      }
+
+      // V2: upsert nodes table for persistent node identity
+      if (node_id) {
+        try {
+          // Extract runtime from agent field (e.g., "agent-node:codex" → "codex-sdk")
+          const nodeRuntime = ag?.includes(":") ? ag.split(":")[1] + "-sdk" : ag ?? null;
+          db.run(
+            `INSERT INTO nodes (node_id, node_name, alias, runtime, model, config_path, channels, server, hostname, updated_at)
+             VALUES (?1, ?2, ?3, ?4, ?5, ?6, ?7, ?8, ?9, datetime('now'))
+             ON CONFLICT(node_id) DO UPDATE SET
+               node_name = COALESCE(?2, nodes.node_name),
+               alias = COALESCE(?3, nodes.alias),
+               runtime = COALESCE(?4, nodes.runtime),
+               model = COALESCE(?5, nodes.model),
+               config_path = COALESCE(?6, nodes.config_path),
+               channels = COALESCE(?7, nodes.channels),
+               server = COALESCE(?8, nodes.server),
+               hostname = COALESCE(?9, nodes.hostname),
+               updated_at = datetime('now')`,
+            [node_id, nn || alias, alias, nodeRuntime, mdl ?? null, config_path ?? null, channels ?? null, srv ?? null, hn ?? null]
+          );
         } catch {}
       }
 
@@ -155,6 +187,11 @@ export function registerTools(server: McpServer, clientIP?: string) {
         }
 
         db.run("COMMIT");
+        // Log event after commit
+        const updatedTaskId = taskUpdate.changes > 0 ? task : (db.query<{ task_id: string }, [string]>(
+          "SELECT task_id FROM tasks WHERE to_name = ?1 AND status = 'replied' ORDER BY completed_at DESC LIMIT 1"
+        ).get(alias)?.task_id);
+        if (updatedTaskId) logTaskEvent(updatedTaskId, null, "replied", alias, "report_completion");
       } catch (e) {
         try { db.run("ROLLBACK"); } catch {}
         throw e;
@@ -209,10 +246,11 @@ export function registerTools(server: McpServer, clientIP?: string) {
       }
       // V2: sync tasks table — ack_inbox means delivered→acked
       try {
-        db.run(
+        const ackResult = db.run(
           `UPDATE tasks SET status = 'acked' WHERE task_id = ?1 AND status = 'delivered'`,
           [message_id]
         );
+        if (ackResult.changes > 0) logTaskEvent(message_id, "delivered", "acked", alias);
       } catch {}
       return {
         content: [{ type: "text" as const, text: JSON.stringify({ ok: true }) }],
@@ -295,8 +333,9 @@ export function registerTools(server: McpServer, clientIP?: string) {
       priority: z.enum(["high", "normal", "low"]).optional().default("normal"),
       context: z.string().max(10000).optional(),
       from_session: z.string().max(200).optional().default("hub"),
+      ttl_seconds: z.number().min(1).max(86400).optional().describe("Task TTL in seconds (default: 3600)"),
     },
-    async ({ alias, task, priority, context, from_session }) => {
+    async ({ alias, task, priority, context, from_session, ttl_seconds }) => {
       console.log(`[${ts()}] ${from_session} → send_task → ${alias}: ${task.slice(0, 60)}${priority === "high" ? " [HIGH]" : ""}`);
       const id = uuidv4();
       // 事务：inbox + tasks 双写
@@ -309,10 +348,11 @@ export function registerTools(server: McpServer, clientIP?: string) {
         );
         db.run(
           `INSERT INTO tasks (task_id, from_name, to_name, priority, status, content, requires_response, created_at, delivered_at, expires_at)
-           VALUES (?1, ?2, ?3, ?4, 'delivered', ?5, 'reply', datetime('now'), datetime('now'), datetime('now', '+1 hour'))`,
-          [id, from_session, alias, priority, task]
+           VALUES (?1, ?2, ?3, ?4, 'delivered', ?5, 'reply', datetime('now'), datetime('now'), datetime('now', ?6))`,
+          [id, from_session, alias, priority, task, `+${ttl_seconds || 3600} seconds`]
         );
         db.run("COMMIT");
+        logTaskEvent(id, null, "delivered", from_session, `→ ${alias}`);
       } catch (e) {
         try { db.run("ROLLBACK"); } catch {}
         throw e;
@@ -391,6 +431,7 @@ export function registerTools(server: McpServer, clientIP?: string) {
     async ({ alias, text, in_reply_to, status: replyStatus, from_session }) => {
       console.log(`[${ts()}] ${from_session} → send_reply (${replyStatus}) → ${alias}: ${text.slice(0, 60)}`);
       const id = uuidv4();
+      let replyLogged = false;
       try {
         db.run("BEGIN IMMEDIATE");
         db.run(
@@ -408,6 +449,8 @@ export function registerTools(server: McpServer, clientIP?: string) {
           );
           if (result.changes === 0) {
             console.log(`[${ts()}] ⚠ send_reply: task ${in_reply_to?.slice(0, 8)} not found or already terminal`);
+          } else {
+            replyLogged = true;
           }
         }
         db.run("COMMIT");
@@ -416,6 +459,9 @@ export function registerTools(server: McpServer, clientIP?: string) {
         throw e;
       }
 
+      // Log event after commit (outside transaction)
+      if (replyLogged && in_reply_to) logTaskEvent(in_reply_to, null, replyStatus, from_session, text.slice(0, 200));
+
       const session = db.query<any, [string]>("SELECT status FROM sessions WHERE alias = ?1").get(alias);
       pushEvent(alias, { type: "new_reply", from: from_session, message_id: id, in_reply_to, status: replyStatus });
 
@@ -442,6 +488,7 @@ export function registerTools(server: McpServer, clientIP?: string) {
         `UPDATE tasks SET status = 'acked' WHERE task_id = ?1 AND status IN ('created', 'delivered')`,
         [task_id]
       );
+      if (result.changes > 0) logTaskEvent(task_id, "delivered", "acked", from_session);
       return {
         content: [{
           type: "text" as const,
@@ -451,6 +498,170 @@ export function registerTools(server: McpServer, clientIP?: string) {
     }
   );
 
+  // ── V2: retry_task (重新投递失败/过期任务) ──
+  server.tool(
+    "retry_task",
+    "Retry a failed, expired, or cancelled task. Resets status to delivered and re-queues in inbox.",
+    {
+      task_id: z.string().min(1).max(200).describe("Task ID to retry"),
+      from_session: z.string().max(200).optional().default("hub"),
+    },
+    async ({ task_id, from_session }) => {
+      console.log(`[${ts()}] ${from_session} → retry_task → ${task_id.slice(0, 8)}`);
+      // Find the original task
+      const task = db.query<any, [string]>(
+        "SELECT * FROM tasks WHERE task_id = ?1"
+      ).get(task_id);
+      if (!task) {
+        return { content: [{ type: "text" as const, text: JSON.stringify({ ok: false, error: "task not found" }) }] };
+      }
+      if (!["failed", "expired", "cancelled"].includes(task.status)) {
+        return { content: [{ type: "text" as const, text: JSON.stringify({ ok: false, error: `task status is ${task.status}, not retryable` }) }] };
+      }
+      try {
+        db.run("BEGIN IMMEDIATE");
+        // Reset task status
+        db.run(
+          `UPDATE tasks SET status = 'delivered', result = NULL, completed_at = NULL, started_at = NULL, delivered_at = datetime('now'), expires_at = datetime('now', '+1 hour')
+           WHERE task_id = ?1`,
+          [task_id]
+        );
+        // Re-queue in inbox with new ID (original ID may already exist)
+        const retryInboxId = uuidv4();
+        db.run(
+          `INSERT INTO inbox (id, session_name, type, priority, content, from_session, requires_response)
+           VALUES (?1, ?2, 'task', ?3, ?4, ?5, 'reply')`,
+          [retryInboxId, task.to_name, task.priority, task.content, from_session]
+        );
+        db.run("COMMIT");
+        logTaskEvent(task_id, task.status, "delivered", from_session, "retry");
+      } catch (e) {
+        try { db.run("ROLLBACK"); } catch {}
+        throw e;
+      }
+      // SSE push
+      pushEvent(task.to_name, { type: "new_task", inbox_count: 1, priority: task.priority, from: from_session });
+      return {
+        content: [{ type: "text" as const, text: JSON.stringify({ ok: true, task_id, retried_to: task.to_name }) }],
+      };
+    }
+  );
+
+  // ── V2: get_task (查询任务状态) ──
+  server.tool(
+    "get_task",
+    "Get task details by task_id. Returns status, result, timestamps.",
+    {
+      task_id: z.string().min(1).max(200).describe("Task ID to query"),
+    },
+    async ({ task_id }) => {
+      const task = db.query<any, [string]>("SELECT * FROM tasks WHERE task_id = ?1").get(task_id);
+      return {
+        content: [{
+          type: "text" as const,
+          text: JSON.stringify(task ? { ok: true, task } : { ok: false, error: "task not found" }),
+        }],
+      };
+    }
+  );
+
+  // ── V2: list_tasks (查询任务列表) ──
+  server.tool(
+    "list_tasks",
+    "List tasks with filters. Agents can query their own pending/running tasks.",
+    {
+      alias: z.string().max(200).optional().describe("Filter by to_name (target agent)"),
+      status: z.string().max(50).optional().describe("Filter by status"),
+      from_name: z.string().max(200).optional().describe("Filter by sender"),
+      limit: z.number().min(1).max(100).optional().default(20),
+    },
+    async ({ alias, status, from_name, limit }) => {
+      let sql = "SELECT task_id, from_name, to_name, priority, status, content, result, created_at, completed_at FROM tasks WHERE 1=1";
+      const params: any[] = [];
+      if (alias) { sql += ` AND to_name = ?${params.length + 1}`; params.push(alias); }
+      if (status) { sql += ` AND status = ?${params.length + 1}`; params.push(status); }
+      if (from_name) { sql += ` AND from_name = ?${params.length + 1}`; params.push(from_name); }
+      sql += ` ORDER BY created_at DESC LIMIT ?${params.length + 1}`;
+      params.push(limit);
+      const tasks = db.query(sql).all(...params);
+
+      // Stats
+      const stats = db.query<any, []>(
+        "SELECT status, COUNT(*) as count FROM tasks GROUP BY status"
+      ).all();
+
+      return {
+        content: [{
+          type: "text" as const,
+          text: JSON.stringify({ ok: true, tasks, count: tasks.length, stats }),
+        }],
+      };
+    }
+  );
+
+  // ── V2: cancel_task (取消任务) ──
+  server.tool(
+    "cancel_task",
+    "Cancel a pending task. Works on delivered/acked/running tasks.",
+    {
+      task_id: z.string().min(1).max(200).describe("Task ID to cancel"),
+      reason: z.string().max(1000).optional().describe("Cancellation reason"),
+      from_session: z.string().max(200).optional().default("hub"),
+    },
+    async ({ task_id, reason, from_session }) => {
+      console.log(`[${ts()}] ${from_session} → cancel_task → ${task_id.slice(0, 8)}`);
+      const result = db.run(
+        `UPDATE tasks SET status = 'cancelled', result = ?1, completed_at = datetime('now')
+         WHERE task_id = ?2 AND status IN ('created', 'delivered', 'acked', 'running')`,
+        [reason || "cancelled by " + from_session, task_id]
+      );
+      // Also ack the inbox entry to prevent agent from picking it up
+      if (result.changes > 0) {
+        db.run("UPDATE inbox SET acked = 1 WHERE id = ?1 AND acked = 0", [task_id]);
+        logTaskEvent(task_id, null, "cancelled", from_session, reason || undefined);
+      }
+      return {
+        content: [{ type: "text" as const, text: JSON.stringify({ ok: result.changes > 0, task_id, cancelled: result.changes > 0 }) }],
+      };
+    }
+  );
+
+  // ── V2: reassign_task (转移任务到另一个 agent) ──
+  server.tool(
+    "reassign_task",
+    "Reassign a task to a different agent. Works on any non-terminal task (delivered/acked/running).",
+    {
+      task_id: z.string().min(1).max(200).describe("Task ID to reassign"),
+      new_alias: z.string().min(1).max(200).describe("Target agent alias"),
+      from_session: z.string().max(200).optional().default("hub"),
+    },
+    async ({ task_id, new_alias, from_session }) => {
+      console.log(`[${ts()}] ${from_session} → reassign_task → ${task_id.slice(0, 8)} → ${new_alias}`);
+      const task = db.query<any, [string]>("SELECT * FROM tasks WHERE task_id = ?1").get(task_id);
+      if (!task) return { content: [{ type: "text" as const, text: JSON.stringify({ ok: false, error: "task not found" }) }] };
+      if (["replied", "failed", "cancelled", "expired"].includes(task.status)) {
+        return { content: [{ type: "text" as const, text: JSON.stringify({ ok: false, error: `task is terminal (${task.status})` }) }] };
+      }
+      const oldAlias = task.to_name;
+      try {
+        db.run("BEGIN IMMEDIATE");
+        // Ack old inbox to prevent original agent from picking it up
+        db.run("UPDATE inbox SET acked = 1 WHERE id = ?1 AND acked = 0", [task_id]);
+        db.run("UPDATE tasks SET to_name = ?1, status = 'delivered', started_at = NULL, delivered_at = datetime('now') WHERE task_id = ?2", [new_alias, task_id]);
+        const newInboxId = uuidv4();
+        db.run("INSERT INTO inbox (id, session_name, type, priority, content, from_session, requires_response) VALUES (?1, ?2, 'task', ?3, ?4, ?5, 'reply')",
+          [newInboxId, new_alias, task.priority, task.content, from_session]);
+        db.run("COMMIT");
+        logTaskEvent(task_id, task.status, "delivered", from_session, `reassign: ${oldAlias} → ${new_alias}`);
+      } catch (e) {
+        try { db.run("ROLLBACK"); } catch {}
+        throw e;
+      }
+      pushEvent(new_alias, { type: "new_task", inbox_count: 1, priority: task.priority, from: from_session });
+      return { content: [{ type: "text" as const, text: JSON.stringify({ ok: true, task_id, reassigned_from: oldAlias, reassigned_to: new_alias }) }] };
+    }
+  );
+
   server.tool(
     "broadcast",
     "Send a message to multiple sessions.",