npm - @sleep2agi/commhub-server - Versions diffs - 0.5.0-preview.14 → 0.5.0-preview.16 - Mend

@sleep2agi/commhub-server 0.5.0-preview.14 → 0.5.0-preview.16

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (4) hide show

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "@sleep2agi/commhub-server",
-  "version": "0.5.0-preview.14",
+  "version": "0.5.0-preview.16",
   "description": "CommHub MCP Server — AI Agent communication hub with SSE push, MCP protocol, and REST API",
   "type": "module",
   "main": "src/index.ts",

package/src/db-adapter.ts ADDED Viewed

@@ -0,0 +1,72 @@
+/**
+ * Database Adapter Interface — async-first, supports SQLite and PostgreSQL
+ *
+ * SQLite adapter: wraps bun:sqlite sync calls in Promise (zero overhead)
+ * PostgreSQL adapter: uses bun:sql native async
+ *
+ * All callers use await — sync SQLite just resolves immediately.
+ */
+export interface QueryResult {
+  changes: number;
+}
+export interface DbAdapter {
+  /** Execute a write query (INSERT/UPDATE/DELETE) */
+  run(sql: string, params?: any[]): QueryResult;
+  /** Query a single row */
+  get<T = any>(sql: string, ...params: any[]): T | null;
+  /** Query multiple rows */
+  all<T = any>(sql: string, ...params: any[]): T[];
+  /** Execute raw SQL (DDL) */
+  exec(sql: string): void;
+  /** Run a function inside a transaction */
+  transaction<T>(fn: () => T): T;
+  /** Close connection */
+  close(): void;
+  /** Dialect identifier */
+  readonly dialect: 'sqlite' | 'postgres';
+}
+/**
+ * Phase 1 strategy:
+ *
+ * Current code is sync (bun:sqlite). We keep it sync for now.
+ * All DB access goes through the adapter interface above.
+ *
+ * When we add PostgreSQL (Phase 2), the adapter interface
+ * will change to async. At that point we'll update callers
+ * in a single pass. The unified call sites from Phase 1
+ * make that pass mechanical rather than archaeological.
+ *
+ * Why not async-first now?
+ * - bun:sqlite is sync, wrapping in Promise adds noise
+ * - All MCP tool handlers are already async, so the future
+ *   migration is: db.run() → await db.run(), straightforward
+ * - 750+ lines of tools.ts would need gratuitous await for zero benefit today
+ *
+ * The contract: every DB call goes through adapter methods,
+ * never through raw db.query() or db.run() on the bun:sqlite object.
+ * This is what makes Phase 2 feasible.
+ */
+/** SQL helpers for cross-dialect compatibility */
+export function sqlNow(dialect: 'sqlite' | 'postgres'): string {
+  return dialect === 'postgres' ? 'NOW()' : "datetime('now')";
+}
+export function sqlAddSeconds(dialect: 'sqlite' | 'postgres', seconds: number | string): string {
+  return dialect === 'postgres'
+    ? `NOW() + INTERVAL '${seconds} seconds'`
+    : `datetime('now', '+${seconds} seconds')`;
+}
+export function sqlPlaceholder(dialect: 'sqlite' | 'postgres', index: number): string {
+  return dialect === 'postgres' ? `$${index}` : `?${index}`;
+}

package/src/index.ts CHANGED Viewed

@@ -10,26 +10,45 @@ const PORT = Number(process.env.PORT) || 9200;
 const AUTH_TOKEN = process.env.COMMHUB_AUTH_TOKEN;
 // ── Factory: 每个请求创建新的 McpServer（stateless 模式）──
-function createServer(clientIP?: string): McpServer {
+function createServer(clientIP?: string, enforceNetworkId?: string | null): McpServer {
   const server = new McpServer({
     name: "commhub",
-    version: "0.4.1",
+    version: "0.5.0",
   });
-  registerTools(server, clientIP);
+  registerTools(server, clientIP, enforceNetworkId);
   return server;
 }
 // ── Auth helper ─────────────────────────────────────
 function requireAuth(req: Request): Response | null {
-  if (!AUTH_TOKEN) return null; // no token = open mode (dev)
-  const header = req.headers.get("Authorization");
-  if (header === `Bearer ${AUTH_TOKEN}`) return null;
-  // Also check query param for MCP clients that can't set headers
+  const header = req.headers.get("Authorization")?.replace("Bearer ", "");
   const url = new URL(req.url);
-  if (url.searchParams.get("token") === AUTH_TOKEN) return null;
+  const token = header || url.searchParams.get("token") || "";
+  // V3: check api_tokens first
+  if (token) {
+    const resolved = resolveToken(token);
+    if (resolved) return null; // valid user token
+  }
+  // Legacy: check global COMMHUB_AUTH_TOKEN
+  if (!AUTH_TOKEN) return null; // no token = open mode (dev)
+  if (token === AUTH_TOKEN) return null;
   return Response.json({ error: "unauthorized" }, { status: 401 });
 }
+// Extract user + network from request token (for authorization)
+function resolveRequestAuth(req: Request): { userId: string; networkId: string | null; username: string } | null {
+  const header = req.headers.get("Authorization")?.replace("Bearer ", "");
+  const url = new URL(req.url);
+  const token = header || url.searchParams.get("token") || "";
+  if (!token) return null;
+  const resolved = resolveToken(token);
+  if (!resolved) return null;
+  return { userId: resolved.user.user_id, networkId: resolved.networkId, username: resolved.user.username };
+}
 // ── REST input schema ───────────────────────────────
 const TaskSchema = z.object({
   alias: z.string().min(1).max(200),
@@ -120,10 +139,13 @@ Bun.serve({
       if (authErr) return withCors(req, authErr);
       const fwd = req.headers.get("x-forwarded-for");
       const clientIP = fwd ? fwd.split(",")[0].trim() : (req.headers.get("x-real-ip") ?? "unknown");
+      // V3: resolve token → enforce network_id in all MCP tools
+      const authCtx = resolveRequestAuth(req);
+      const enforceNetId = authCtx?.networkId || null;
       const transport = new WebStandardStreamableHTTPServerTransport({
         sessionIdGenerator: undefined,
       });
-      const server = createServer(clientIP);
+      const server = createServer(clientIP, enforceNetId);
       await server.connect(transport);
       const response = await transport.handleRequest(req);
       // Disconnect after response to prevent McpServer leak
@@ -243,6 +265,10 @@ Bun.serve({
       const networkId = netDetailMatch[1];
       const network = db.query<any, [string]>("SELECT * FROM networks WHERE network_id = ?1").get(networkId);
       if (!network) return withCors(req, Response.json({ ok: false, error: "network not found" }, { status: 404 }));
+      // Ownership check: only owner or admin can view
+      if (network.owner_id !== resolved.user.user_id && resolved.user.role !== "admin") {
+        return withCors(req, Response.json({ ok: false, error: "access denied" }, { status: 403 }));
+      }
       // Get network stats
       const nodeCount = db.query<{ cnt: number }, [string]>("SELECT COUNT(*) as cnt FROM nodes WHERE network_id = ?1").get(networkId);
       const sessionCount = db.query<{ cnt: number }, [string]>("SELECT COUNT(*) as cnt FROM sessions WHERE network_id = ?1").get(networkId);
@@ -406,14 +432,22 @@ Bun.serve({
     // ── REST: stats summary ──
     if (url.pathname === "/api/stats") {
       const n = url.searchParams.get("network_id");
-      const nw = n ? ` WHERE network_id = '${n}'` : "";
-      const taskStats = db.query<any, []>(`SELECT status, COUNT(*) as count FROM tasks${nw} GROUP BY status`).all();
-      const sessionStats = db.query<any, []>(`SELECT status, COUNT(*) as count FROM sessions${nw} GROUP BY status`).all();
-      const totalTasks = db.query<{ cnt: number }, []>(`SELECT COUNT(*) as cnt FROM tasks${nw}`).get();
-      const totalNodes = db.query<{ cnt: number }, []>(`SELECT COUNT(*) as cnt FROM nodes${nw}`).get();
-      const recentTasks = db.query<any, []>(
-        `SELECT task_id, from_name, to_name, status, created_at FROM tasks${nw} ORDER BY created_at DESC LIMIT 5`
-      ).all();
+      // Parameterized queries to prevent SQL injection
+      const taskStats = n
+        ? db.query<any, [string]>("SELECT status, COUNT(*) as count FROM tasks WHERE network_id = ?1 GROUP BY status").all(n)
+        : db.query<any, []>("SELECT status, COUNT(*) as count FROM tasks GROUP BY status").all();
+      const sessionStats = n
+        ? db.query<any, [string]>("SELECT status, COUNT(*) as count FROM sessions WHERE network_id = ?1 GROUP BY status").all(n)
+        : db.query<any, []>("SELECT status, COUNT(*) as count FROM sessions GROUP BY status").all();
+      const totalTasks = n
+        ? db.query<{ cnt: number }, [string]>("SELECT COUNT(*) as cnt FROM tasks WHERE network_id = ?1").get(n)
+        : db.query<{ cnt: number }, []>("SELECT COUNT(*) as cnt FROM tasks").get();
+      const totalNodes = n
+        ? db.query<{ cnt: number }, [string]>("SELECT COUNT(*) as cnt FROM nodes WHERE network_id = ?1").get(n)
+        : db.query<{ cnt: number }, []>("SELECT COUNT(*) as cnt FROM nodes").get();
+      const recentTasks = n
+        ? db.query<any, [string]>("SELECT task_id, from_name, to_name, status, created_at FROM tasks WHERE network_id = ?1 ORDER BY created_at DESC LIMIT 5").all(n)
+        : db.query<any, []>("SELECT task_id, from_name, to_name, status, created_at FROM tasks ORDER BY created_at DESC LIMIT 5").all();
       return withCors(req, Response.json({
         ok: true,
         network_id: n || null,
@@ -493,8 +527,9 @@ Bun.serve({
       params.push(limit);
       const rows = db.query(sql).all(...params);
-      const statsFilter = netFilter ? ` WHERE network_id = '${netFilter}'` : "";
-      const stats = db.query<any, []>(`SELECT status, COUNT(*) as count FROM tasks${statsFilter} GROUP BY status`).all();
+      const stats = netFilter
+        ? db.query<any, [string]>("SELECT status, COUNT(*) as count FROM tasks WHERE network_id = ?1 GROUP BY status").all(netFilter)
+        : db.query<any, []>("SELECT status, COUNT(*) as count FROM tasks GROUP BY status").all();
       return withCors(req, Response.json({ ok: true, tasks: rows, count: rows.length, stats }));
     }

package/src/tools.ts CHANGED Viewed

@@ -7,7 +7,9 @@ function ts(): string {
   return new Date().toTimeString().slice(0, 8);
 }
-export function registerTools(server: McpServer, clientIP?: string) {
+export function registerTools(server: McpServer, clientIP?: string, enforceNetworkId?: string | null) {
+  // If enforceNetworkId is set, override any client-supplied network_id
+  const getNetworkId = (clientNetId?: string | null) => enforceNetworkId ?? clientNetId ?? null;
   // ═══════════════════════════════════════════
   //  Child Agent Tools (4)
   // ═══════════════════════════════════════════
@@ -39,12 +41,18 @@ export function registerTools(server: McpServer, clientIP?: string) {
       network_id: z.string().max(200).optional().describe("Network this agent belongs to"),
     },
     async ({ resume_id, alias, status, task, output, score, progress, server: srv, hostname: hn, agent: ag, project_dir: pd, version: ver, tmux_name: tmux, node_id, session_id, config_path, channels, model: mdl, node_name: nn, network_id: netId }) => {
-      console.log(`[${ts()}] ${alias} (${resume_id.slice(0, 8)}) → report_status: ${status}${task ? " | " + task.slice(0, 60) : ""}`);
+      const effectiveNetId = getNetworkId(netId);
+      console.log(`[${ts()}] ${alias} (${resume_id.slice(0, 8)}) → report_status: ${status}${task ? " | " + task.slice(0, 60) : ""}${effectiveNetId ? " [net]" : ""}`);
       const trimmedOutput = output?.slice(0, 4000);
       try {
         db.run("BEGIN IMMEDIATE");
-        db.run("DELETE FROM sessions WHERE alias = ?1 AND resume_id != ?2", [alias, resume_id]);
+        // Only delete same-alias sessions within the same network (prevent cross-network alias conflict)
+        if (effectiveNetId) {
+          db.run("DELETE FROM sessions WHERE alias = ?1 AND resume_id != ?2 AND network_id = ?3", [alias, resume_id, effectiveNetId]);
+        } else {
+          db.run("DELETE FROM sessions WHERE alias = ?1 AND resume_id != ?2", [alias, resume_id]);
+        }
         db.run(
           `INSERT INTO sessions (resume_id, alias, tmux_name, server, ip, hostname, agent, project_dir, version, status, task, output, progress, score, node_id, session_id, config_path, channels, network_id, last_seen_at, updated_at)
            VALUES (?1, ?2, ?3, ?4, ?5, ?6, ?7, ?8, ?9, ?10, ?11, ?12, ?13, ?14, ?15, ?16, ?17, ?18, ?19, datetime('now'), datetime('now'))
@@ -273,7 +281,8 @@ export function registerTools(server: McpServer, clientIP?: string) {
       network_id: z.string().max(200).optional().describe("Filter by network"),
     },
     async ({ filter_status, filter_server, network_id: netId }) => {
-      console.log(`[${ts()}] hub → get_all_status${filter_status ? ": filter=" + filter_status : ""}${netId ? " net=" + netId.slice(0, 12) : ""}`);
+      const effectiveNetId = getNetworkId(netId);
+      console.log(`[${ts()}] hub → get_all_status${filter_status ? ": filter=" + filter_status : ""}${effectiveNetId ? " net=" + effectiveNetId.slice(0, 12) : ""}`);
       const sessions = db.transaction(() => {
         const cutoff = new Date(Date.now() - 10 * 60 * 1000).toISOString().replace("T", " ").slice(0, 19);
@@ -281,7 +290,7 @@ export function registerTools(server: McpServer, clientIP?: string) {
         let sql = "SELECT * FROM sessions WHERE 1=1";
         const params: any[] = [];
-        if (netId) { sql += " AND network_id = ?"; params.push(netId); }
+        if (effectiveNetId) { sql += " AND network_id = ?"; params.push(effectiveNetId); }
         if (filter_status) { sql += " AND status = ?"; params.push(filter_status); }
         if (filter_server) { sql += " AND server = ?"; params.push(filter_server); }
         sql += " ORDER BY updated_at DESC";
@@ -341,6 +350,7 @@ export function registerTools(server: McpServer, clientIP?: string) {
       network_id: z.string().max(200).optional().describe("Network scope"),
     },
     async ({ alias, task, priority, context, from_session, ttl_seconds, network_id: netId }) => {
+      const effectiveNetId = getNetworkId(netId);
       console.log(`[${ts()}] ${from_session} → send_task → ${alias}: ${task.slice(0, 60)}${priority === "high" ? " [HIGH]" : ""}`);
       const id = uuidv4();
       // 事务：inbox + tasks 双写
@@ -349,12 +359,12 @@ export function registerTools(server: McpServer, clientIP?: string) {
         db.run(
           `INSERT INTO inbox (id, session_name, type, priority, content, context, from_session, requires_response, network_id)
            VALUES (?1, ?2, 'task', ?3, ?4, ?5, ?6, 'reply', ?7)`,
-          [id, alias, priority, task, context ?? null, from_session, netId ?? null]
+          [id, alias, priority, task, context ?? null, from_session, effectiveNetId]
         );
         db.run(
           `INSERT INTO tasks (task_id, from_name, to_name, priority, status, content, requires_response, created_at, delivered_at, expires_at, network_id)
            VALUES (?1, ?2, ?3, ?4, 'delivered', ?5, 'reply', datetime('now'), datetime('now'), datetime('now', ?6), ?7)`,
-          [id, from_session, alias, priority, task, `+${ttl_seconds || 3600} seconds`, netId ?? null]
+          [id, from_session, alias, priority, task, `+${ttl_seconds || 3600} seconds`, effectiveNetId]
         );
         db.run("COMMIT");
         logTaskEvent(id, null, "delivered", from_session, `→ ${alias}`);
@@ -582,9 +592,10 @@ export function registerTools(server: McpServer, clientIP?: string) {
       limit: z.number().min(1).max(100).optional().default(20),
     },
     async ({ alias, status, from_name, network_id: netId, limit }) => {
+      const effectiveNetId = getNetworkId(netId);
       let sql = "SELECT task_id, from_name, to_name, priority, status, content, result, created_at, completed_at FROM tasks WHERE 1=1";
       const params: any[] = [];
-      if (netId) { sql += ` AND network_id = ?${params.length + 1}`; params.push(netId); }
+      if (effectiveNetId) { sql += ` AND network_id = ?${params.length + 1}`; params.push(effectiveNetId); }
       if (alias) { sql += ` AND to_name = ?${params.length + 1}`; params.push(alias); }
       if (status) { sql += ` AND status = ?${params.length + 1}`; params.push(status); }
       if (from_name) { sql += ` AND from_name = ?${params.length + 1}`; params.push(from_name); }