npm - @sleep2agi/commhub-server - Versions diffs - 0.5.0-preview.2 → 0.5.0-preview.20 - Mend

@sleep2agi/commhub-server 0.5.0-preview.2 → 0.5.0-preview.20

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (7) hide show

package/README.md ADDED Viewed

@@ -0,0 +1,110 @@
+# @sleep2agi/commhub-server
+AI Agent 通信中枢 — MCP Server + SSE Push + REST API。
+## 快速启动
+```bash
+# 需要 Bun
+bunx @sleep2agi/commhub-server
+# 或指定端口 + auth
+PORT=9200 COMMHUB_AUTH_TOKEN=your-secret bunx @sleep2agi/commhub-server
+```
+启动后:
+- MCP: `http://0.0.0.0:9200/mcp` (Claude Code / Codex 连接)
+- SSE: `http://0.0.0.0:9200/events/:alias` (Agent 实时推送)
+- REST: `http://0.0.0.0:9200/api/*` (Dashboard / 监控)
+- Health: `http://0.0.0.0:9200/health`
+## MCP 工具 (17 个)
+### Agent 端 (从 Agent 调用)
+| 工具 | 说明 |
+|------|------|
+| `report_status` | 心跳 + 状态更新 (idle/working/blocked/error/offline) |
+| `report_completion` | 任务完成汇报 |
+| `get_inbox` | 拉取待办任务 |
+| `ack_inbox` | 确认收到任务 |
+### Hub 端 (从指挥室 / Dashboard 调用)
+| 工具 | 说明 |
+|------|------|
+| `send_task` | 下发任务 (+ 可选 ttl_seconds) |
+| `send_message` | 发消息 (不触发 Agent 处理) |
+| `send_reply` | 回复任务 (replied/failed/cancelled + in_reply_to) |
+| `send_ack` | 确认任务 (不入 inbox) |
+| `retry_task` | 重试失败/过期/取消的任务 |
+| `cancel_task` | 取消待处理任务 |
+| `reassign_task` | 转移任务到另一个 Agent |
+| `get_task` | 查询任务详情 |
+| `get_all_status` | 全局状态面板 |
+| `get_session_status` | 单 session 详情 |
+| `broadcast` | 群发消息 |
+## REST API
+| 端点 | 方法 | 说明 |
+|------|------|------|
+| `/health` | GET | 健康检查 (无需 auth) |
+| `/api/status` | GET | 所有 session |
+| `/api/tasks` | GET | 任务列表 (支持 status/from_name/to_name/task_id/limit 过滤) |
+| `/api/nodes` | GET | 节点持久化信息 |
+| `/api/task_events` | GET | 任务审计日志 |
+| `/api/messages` | GET | 消息列表 |
+| `/api/completions` | GET | 完成记录 |
+| `/mcp` | POST | MCP Streamable HTTP |
+## 数据库 (6 表)
+SQLite WAL 模式, 自动创建在 `~/.commhub/commhub.db`
+| 表 | 说明 |
+|---|------|
+| `sessions` | 运行时 session (21 列, 含 node_id/session_id/channels) |
+| `inbox` | 消息队列 (13 列, 含 in_reply_to/scope) |
+| `tasks` | 任务生命周期 (17 列, 完整状态机) |
+| `nodes` | 持久化节点身份 (11 列, 独立于 session) |
+| `completions` | 完成记录 (7 列) |
+| `task_events` | 审计日志 (7 列, 每次状态变化记录) |
+任务状态机:
+```
+created → delivered → acked → running → replied
+                                      → failed → retry → delivered
+                                      → cancelled
+delivered → expired (5min patrol)
+delivered/acked/running → reassign → delivered (新agent)
+```
+## 环境变量
+| 变量 | 默认 | 说明 |
+|------|------|------|
+| `PORT` | 9200 | 监听端口 |
+| `HOST` | 0.0.0.0 | 监听地址 |
+| `COMMHUB_AUTH_TOKEN` | (无) | Bearer token 鉴权 |
+| `COMMHUB_DB` | ~/.commhub/commhub.db | 数据库路径 |
+## 鉴权
+两种认证方式:
+1. **V3 用户系统** (推荐): `POST /api/auth/register` → 获取 `atok_xxx` token
+2. **全局 token** (传统): `COMMHUB_AUTH_TOKEN` 环境变量
+Header: `Authorization: Bearer <token>` 或 Query: `?token=<token>`
+## V3 功能
+- **用户系统**: 注册/登录/Token 认证
+- **多网络**: 每个用户可创建多个独立网络
+- **网络隔离**: 不同网络的数据完全隔离
+- **试用授权**: 14 天免费试用, 到期需授权码
+- **审计日志**: 所有操作记录
+- **限流**: 注册 30/min, 登录 10/min (per IP)
+- `/health` 不需要 auth
+## License
+MIT

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "@sleep2agi/commhub-server",
-  "version": "0.5.0-preview.2",
+  "version": "0.5.0-preview.20",
   "description": "CommHub MCP Server — AI Agent communication hub with SSE push, MCP protocol, and REST API",
   "type": "module",
   "main": "src/index.ts",

package/src/auth.ts ADDED Viewed

@@ -0,0 +1,143 @@
+/**
+ * V3 Auth module — user registration, login, token management
+ */
+import { db, generateId, hashPassword, hashToken, generateToken, uuidv4 } from "./db.js";
+export interface AuthUser {
+  user_id: string;
+  username: string;
+  display_name: string | null;
+  email: string | null;
+  role: string;
+}
+export interface AuthResult {
+  ok: boolean;
+  error?: string;
+  user?: AuthUser;
+  token?: string;
+}
+export function register(username: string, password: string, email?: string, displayName?: string): AuthResult {
+  if (!username || username.length < 2) return { ok: false, error: "username must be at least 2 characters" };
+  if (!password || password.length < 6) return { ok: false, error: "password must be at least 6 characters" };
+  if (!/^[a-zA-Z0-9_\-\u4e00-\u9fff]+$/.test(username)) return { ok: false, error: "username contains invalid characters" };
+  const existing = db.query<any, [string]>("SELECT user_id FROM users WHERE username = ?1").get(username);
+  if (existing) return { ok: false, error: "username already taken" };
+  const userId = generateId("u");
+  const pwHash = hashPassword(password);
+  db.run(
+    "INSERT INTO users (user_id, username, password_hash, email, display_name) VALUES (?1, ?2, ?3, ?4, ?5)",
+    [userId, username, pwHash, email || null, displayName || username]
+  );
+  // Auto-create default network
+  const networkId = generateId("net");
+  db.run(
+    "INSERT INTO networks (network_id, network_name, owner_id, description) VALUES (?1, ?2, ?3, ?4)",
+    [networkId, "default", userId, "Auto-created default network"]
+  );
+  // Auto-create API token
+  const token = generateToken();
+  const tokenId = generateId("tok");
+  db.run(
+    "INSERT INTO api_tokens (token_id, token_hash, user_id, network_id, name, scope) VALUES (?1, ?2, ?3, ?4, ?5, ?6)",
+    [tokenId, hashToken(token), userId, networkId, "default", "full"]
+  );
+  return {
+    ok: true,
+    user: { user_id: userId, username, display_name: displayName || username, email: email || null, role: "user" },
+    token,
+  };
+}
+export function login(username: string, password: string): AuthResult {
+  const user = db.query<any, [string]>(
+    "SELECT user_id, username, password_hash, display_name, email, role FROM users WHERE username = ?1"
+  ).get(username);
+  if (!user) return { ok: false, error: "invalid username or password" };
+  if (user.password_hash !== hashPassword(password)) return { ok: false, error: "invalid username or password" };
+  // Find or create token
+  let tokenRow = db.query<any, [string]>(
+    "SELECT token_id FROM api_tokens WHERE user_id = ?1 ORDER BY created_at DESC LIMIT 1"
+  ).get(user.user_id);
+  let token: string;
+  if (tokenRow) {
+    // Generate new token (rotate)
+    token = generateToken();
+    db.run("UPDATE api_tokens SET token_hash = ?1, last_used_at = datetime('now') WHERE token_id = ?2",
+      [hashToken(token), tokenRow.token_id]);
+  } else {
+    token = generateToken();
+    const tokenId = generateId("tok");
+    const networkId = db.query<any, [string]>(
+      "SELECT network_id FROM networks WHERE owner_id = ?1 LIMIT 1"
+    ).get(user.user_id)?.network_id;
+    db.run(
+      "INSERT INTO api_tokens (token_id, token_hash, user_id, network_id, name) VALUES (?1, ?2, ?3, ?4, ?5)",
+      [tokenId, hashToken(token), user.user_id, networkId || null, "login"]
+    );
+  }
+  return {
+    ok: true,
+    user: { user_id: user.user_id, username: user.username, display_name: user.display_name, email: user.email, role: user.role },
+    token,
+  };
+}
+export function resolveToken(token: string): { user: AuthUser; networkId: string | null } | null {
+  const tHash = hashToken(token);
+  const row = db.query<any, [string]>(
+    `SELECT t.user_id, t.network_id, t.scope, u.username, u.display_name, u.email, u.role
+     FROM api_tokens t JOIN users u ON t.user_id = u.user_id
+     WHERE t.token_hash = ?1 AND (t.expires_at IS NULL OR t.expires_at > datetime('now'))`
+  ).get(tHash);
+  if (!row) return null;
+  // Update last_used
+  db.run("UPDATE api_tokens SET last_used_at = datetime('now') WHERE token_hash = ?1", [tHash]);
+  return {
+    user: { user_id: row.user_id, username: row.username, display_name: row.display_name, email: row.email, role: row.role },
+    networkId: row.network_id,
+  };
+}
+export function getUserNetworks(userId: string) {
+  return db.query<any, [string]>(
+    "SELECT * FROM networks WHERE owner_id = ?1 ORDER BY created_at"
+  ).all(userId);
+}
+export function createNetwork(userId: string, name: string, description?: string) {
+  const existing = db.query<any, [string, string]>(
+    "SELECT network_id FROM networks WHERE owner_id = ?1 AND network_name = ?2"
+  ).get(userId, name);
+  if (existing) return { ok: false, error: "network name already exists" };
+  const networkId = generateId("net");
+  db.run(
+    "INSERT INTO networks (network_id, network_name, owner_id, description) VALUES (?1, ?2, ?3, ?4)",
+    [networkId, name, userId, description || null]
+  );
+  return { ok: true, network_id: networkId, network_name: name };
+}
+export function changePassword(userId: string, oldPassword: string, newPassword: string): { ok: boolean; error?: string } {
+  if (!newPassword || newPassword.length < 6) return { ok: false, error: "new password must be at least 6 characters" };
+  const user = db.query<any, [string]>("SELECT password_hash FROM users WHERE user_id = ?1").get(userId);
+  if (!user) return { ok: false, error: "user not found" };
+  if (user.password_hash !== hashPassword(oldPassword)) return { ok: false, error: "incorrect current password" };
+  db.run("UPDATE users SET password_hash = ?1, updated_at = datetime('now') WHERE user_id = ?2", [hashPassword(newPassword), userId]);
+  return { ok: true };
+}

package/src/db-adapter.ts ADDED Viewed

@@ -0,0 +1,72 @@
+/**
+ * Database Adapter Interface — async-first, supports SQLite and PostgreSQL
+ *
+ * SQLite adapter: wraps bun:sqlite sync calls in Promise (zero overhead)
+ * PostgreSQL adapter: uses bun:sql native async
+ *
+ * All callers use await — sync SQLite just resolves immediately.
+ */
+export interface QueryResult {
+  changes: number;
+}
+export interface DbAdapter {
+  /** Execute a write query (INSERT/UPDATE/DELETE) */
+  run(sql: string, params?: any[]): QueryResult;
+  /** Query a single row */
+  get<T = any>(sql: string, ...params: any[]): T | null;
+  /** Query multiple rows */
+  all<T = any>(sql: string, ...params: any[]): T[];
+  /** Execute raw SQL (DDL) */
+  exec(sql: string): void;
+  /** Run a function inside a transaction */
+  transaction<T>(fn: () => T): T;
+  /** Close connection */
+  close(): void;
+  /** Dialect identifier */
+  readonly dialect: 'sqlite' | 'postgres';
+}
+/**
+ * Phase 1 strategy:
+ *
+ * Current code is sync (bun:sqlite). We keep it sync for now.
+ * All DB access goes through the adapter interface above.
+ *
+ * When we add PostgreSQL (Phase 2), the adapter interface
+ * will change to async. At that point we'll update callers
+ * in a single pass. The unified call sites from Phase 1
+ * make that pass mechanical rather than archaeological.
+ *
+ * Why not async-first now?
+ * - bun:sqlite is sync, wrapping in Promise adds noise
+ * - All MCP tool handlers are already async, so the future
+ *   migration is: db.run() → await db.run(), straightforward
+ * - 750+ lines of tools.ts would need gratuitous await for zero benefit today
+ *
+ * The contract: every DB call goes through adapter methods,
+ * never through raw db.query() or db.run() on the bun:sqlite object.
+ * This is what makes Phase 2 feasible.
+ */
+/** SQL helpers for cross-dialect compatibility */
+export function sqlNow(dialect: 'sqlite' | 'postgres'): string {
+  return dialect === 'postgres' ? 'NOW()' : "datetime('now')";
+}
+export function sqlAddSeconds(dialect: 'sqlite' | 'postgres', seconds: number | string): string {
+  return dialect === 'postgres'
+    ? `NOW() + INTERVAL '${seconds} seconds'`
+    : `datetime('now', '+${seconds} seconds')`;
+}
+export function sqlPlaceholder(dialect: 'sqlite' | 'postgres', index: number): string {
+  return dialect === 'postgres' ? `$${index}` : `?${index}`;
+}

package/src/db.ts CHANGED Viewed

@@ -135,7 +135,162 @@ db.exec(`
   CREATE INDEX IF NOT EXISTS idx_nodes_alias ON nodes(alias);
 `);
+// task_events table (V2 Sprint 2) — audit log for task state changes
+db.exec(`
+  CREATE TABLE IF NOT EXISTS task_events (
+    id            INTEGER PRIMARY KEY AUTOINCREMENT,
+    task_id       TEXT NOT NULL,
+    from_status   TEXT,
+    to_status     TEXT NOT NULL,
+    actor         TEXT NOT NULL DEFAULT 'system',
+    detail        TEXT,
+    created_at    TEXT NOT NULL DEFAULT (datetime('now'))
+  );
+  CREATE INDEX IF NOT EXISTS idx_task_events_task_time ON task_events(task_id, created_at DESC);
+  CREATE INDEX IF NOT EXISTS idx_task_events_created ON task_events(created_at);
+`);
+// ── V3: users table ──
+db.exec(`
+  CREATE TABLE IF NOT EXISTS users (
+    user_id       TEXT PRIMARY KEY,
+    username      TEXT UNIQUE NOT NULL,
+    password_hash TEXT NOT NULL,
+    email         TEXT,
+    display_name  TEXT,
+    role          TEXT DEFAULT 'user',
+    created_at    TEXT NOT NULL DEFAULT (datetime('now')),
+    updated_at    TEXT NOT NULL DEFAULT (datetime('now'))
+  );
+  CREATE INDEX IF NOT EXISTS idx_users_username ON users(username);
+`);
+// ── V3: networks table ──
+db.exec(`
+  CREATE TABLE IF NOT EXISTS networks (
+    network_id    TEXT PRIMARY KEY,
+    network_name  TEXT NOT NULL,
+    owner_id      TEXT NOT NULL,
+    description   TEXT,
+    settings      TEXT,
+    created_at    TEXT NOT NULL DEFAULT (datetime('now')),
+    updated_at    TEXT NOT NULL DEFAULT (datetime('now')),
+    UNIQUE(owner_id, network_name)
+  );
+  CREATE INDEX IF NOT EXISTS idx_networks_owner ON networks(owner_id);
+`);
+// ── V3: api_tokens table ──
+db.exec(`
+  CREATE TABLE IF NOT EXISTS api_tokens (
+    token_id      TEXT PRIMARY KEY,
+    token_hash    TEXT NOT NULL,
+    user_id       TEXT NOT NULL,
+    network_id    TEXT,
+    name          TEXT NOT NULL DEFAULT 'default',
+    scope         TEXT DEFAULT 'full',
+    expires_at    TEXT,
+    last_used_at  TEXT,
+    created_at    TEXT NOT NULL DEFAULT (datetime('now'))
+  );
+  CREATE INDEX IF NOT EXISTS idx_tokens_hash ON api_tokens(token_hash);
+  CREATE INDEX IF NOT EXISTS idx_tokens_user ON api_tokens(user_id);
+`);
+// ── V3: audit_log table ──
+db.exec(`
+  CREATE TABLE IF NOT EXISTS audit_log (
+    id            INTEGER PRIMARY KEY AUTOINCREMENT,
+    user_id       TEXT,
+    username      TEXT,
+    action        TEXT NOT NULL,
+    target_type   TEXT,
+    target_id     TEXT,
+    detail        TEXT,
+    ip            TEXT,
+    network_id    TEXT,
+    created_at    TEXT NOT NULL DEFAULT (datetime('now'))
+  );
+  CREATE INDEX IF NOT EXISTS idx_audit_created ON audit_log(created_at DESC);
+  CREATE INDEX IF NOT EXISTS idx_audit_user ON audit_log(user_id);
+  CREATE INDEX IF NOT EXISTS idx_audit_network ON audit_log(network_id);
+`);
+// ── V3: licenses table ──
+db.exec(`
+  CREATE TABLE IF NOT EXISTS licenses (
+    id            TEXT PRIMARY KEY,
+    license_key   TEXT UNIQUE NOT NULL,
+    type          TEXT DEFAULT 'trial',
+    max_agents    INTEGER DEFAULT 5,
+    max_networks  INTEGER DEFAULT 3,
+    max_tasks_day INTEGER DEFAULT 500,
+    activated_at  TEXT,
+    expires_at    TEXT,
+    owner_id      TEXT,
+    created_at    TEXT NOT NULL DEFAULT (datetime('now'))
+  );
+`);
+// Auto-create trial license on first run
+const existingLicense = db.query<any, []>("SELECT id FROM licenses LIMIT 1").get();
+if (!existingLicense) {
+  const trialId = crypto.randomUUID().replace(/-/g, "").slice(0, 12);
+  db.run(
+    "INSERT INTO licenses (id, license_key, type, expires_at) VALUES (?1, ?2, 'trial', datetime('now', '+14 days'))",
+    [`lic_${trialId}`, `trial-${trialId}`]
+  );
+  console.log("[commhub] 🎉 14-day free trial started!");
+}
+// ── V3: add network_id to existing tables ──
+for (const table of ["sessions", "nodes", "tasks", "inbox", "task_events"]) {
+  try { db.exec(`ALTER TABLE ${table} ADD COLUMN network_id TEXT`); } catch {}
+}
+try { db.exec("CREATE INDEX IF NOT EXISTS idx_sessions_network ON sessions(network_id)"); } catch {}
+try { db.exec("CREATE INDEX IF NOT EXISTS idx_tasks_network ON tasks(network_id)"); } catch {}
+try { db.exec("CREATE INDEX IF NOT EXISTS idx_nodes_network ON nodes(network_id)"); } catch {}
 // Helpers
 export function uuidv4(): string {
   return crypto.randomUUID();
 }
+export function generateId(prefix: string): string {
+  return `${prefix}_${crypto.randomUUID().replace(/-/g, "").slice(0, 12)}`;
+}
+export function hashPassword(password: string): string {
+  return new Bun.CryptoHasher("sha256").update(`anet:${password}`).digest("hex");
+}
+export function hashToken(token: string): string {
+  return new Bun.CryptoHasher("sha256").update(token).digest("hex");
+}
+export function generateToken(): string {
+  return `atok_${crypto.randomUUID().replace(/-/g, "")}`;
+}
+export function logAudit(userId: string | null, username: string | null, action: string, targetType?: string, targetId?: string, detail?: string, ip?: string, networkId?: string) {
+  try {
+    db.run(
+      "INSERT INTO audit_log (user_id, username, action, target_type, target_id, detail, ip, network_id) VALUES (?1, ?2, ?3, ?4, ?5, ?6, ?7, ?8)",
+      [userId, username, action, targetType ?? null, targetId ?? null, detail ?? null, ip ?? null, networkId ?? null]
+    );
+  } catch {}
+}
+export function logTaskEvent(taskId: string, fromStatus: string | null, toStatus: string, actor: string, detail?: string) {
+  try {
+    db.run(
+      "INSERT INTO task_events (task_id, from_status, to_status, actor, detail) VALUES (?1, ?2, ?3, ?4, ?5)",
+      [taskId, fromStatus, toStatus, actor, detail ?? null]
+    );
+  } catch {}
+}

package/src/index.ts CHANGED Viewed

@@ -2,33 +2,76 @@ import { McpServer } from "@modelcontextprotocol/sdk/server/mcp.js";
 import { WebStandardStreamableHTTPServerTransport } from "@modelcontextprotocol/sdk/server/webStandardStreamableHttp.js";
 import { z } from "zod/v4";
 import { registerTools } from "./tools.js";
-import { db } from "./db.js";
+import { db, logTaskEvent, logAudit } from "./db.js";
 import { createSSEStream, pushEvent, pushBroadcast, getSSEStats } from "./push.js";
+import { register, login, resolveToken, getUserNetworks, createNetwork, changePassword, type AuthUser } from "./auth.js";
 const PORT = Number(process.env.PORT) || 9200;
 const AUTH_TOKEN = process.env.COMMHUB_AUTH_TOKEN;
+// ── Rate limiter (in-memory, per IP) ──
+const rateLimits = new Map<string, { count: number; resetAt: number }>();
+function checkRateLimit(ip: string, maxPerMinute = 60): boolean {
+  // Skip rate limiting for localhost/internal/unknown (dev/test)
+  if (!ip || ip === "unknown" || ip === "127.0.0.1" || ip === "::1") return true;
+  const now = Date.now();
+  const entry = rateLimits.get(ip);
+  if (!entry || now > entry.resetAt) {
+    rateLimits.set(ip, { count: 1, resetAt: now + 60000 });
+    return true;
+  }
+  if (entry.count >= maxPerMinute) return false;
+  entry.count++;
+  return true;
+}
+// Cleanup stale entries every 5 minutes
+setInterval(() => {
+  const now = Date.now();
+  for (const [ip, entry] of rateLimits) {
+    if (now > entry.resetAt) rateLimits.delete(ip);
+  }
+}, 300000);
 // ── Factory: 每个请求创建新的 McpServer（stateless 模式）──
-function createServer(clientIP?: string): McpServer {
+function createServer(clientIP?: string, enforceNetworkId?: string | null): McpServer {
   const server = new McpServer({
     name: "commhub",
-    version: "0.4.1",
+    version: "0.5.0",
   });
-  registerTools(server, clientIP);
+  registerTools(server, clientIP, enforceNetworkId);
   return server;
 }
 // ── Auth helper ─────────────────────────────────────
 function requireAuth(req: Request): Response | null {
-  if (!AUTH_TOKEN) return null; // no token = open mode (dev)
-  const header = req.headers.get("Authorization");
-  if (header === `Bearer ${AUTH_TOKEN}`) return null;
-  // Also check query param for MCP clients that can't set headers
+  const header = req.headers.get("Authorization")?.replace("Bearer ", "");
   const url = new URL(req.url);
-  if (url.searchParams.get("token") === AUTH_TOKEN) return null;
+  const token = header || url.searchParams.get("token") || "";
+  // V3: check api_tokens first
+  if (token) {
+    const resolved = resolveToken(token);
+    if (resolved) return null; // valid user token
+  }
+  // Legacy: check global COMMHUB_AUTH_TOKEN
+  if (!AUTH_TOKEN) return null; // no token = open mode (dev)
+  if (token === AUTH_TOKEN) return null;
   return Response.json({ error: "unauthorized" }, { status: 401 });
 }
+// Extract user + network from request token (for authorization)
+function resolveRequestAuth(req: Request): { userId: string; networkId: string | null; username: string } | null {
+  const header = req.headers.get("Authorization")?.replace("Bearer ", "");
+  const url = new URL(req.url);
+  const token = header || url.searchParams.get("token") || "";
+  if (!token) return null;
+  const resolved = resolveToken(token);
+  if (!resolved) return null;
+  return { userId: resolved.user.user_id, networkId: resolved.networkId, username: resolved.user.username };
+}
 // ── REST input schema ───────────────────────────────
 const TaskSchema = z.object({
   alias: z.string().min(1).max(200),
@@ -84,6 +127,11 @@ setInterval(() => {
     );
     if (result.changes > 0) {
       console.log(`[patrol] expired ${result.changes} stale task(s)`);
+      // Log events for expired tasks
+      const expired = db.query<{ task_id: string }, []>(
+        "SELECT task_id FROM tasks WHERE status = 'expired' AND completed_at >= datetime('now', '-1 minute')"
+      ).all();
+      for (const t of expired) logTaskEvent(t.task_id, null, "expired", "patrol");
     }
   } catch {}
 }, 5 * 60 * 1000);
@@ -114,10 +162,13 @@ Bun.serve({
       if (authErr) return withCors(req, authErr);
       const fwd = req.headers.get("x-forwarded-for");
       const clientIP = fwd ? fwd.split(",")[0].trim() : (req.headers.get("x-real-ip") ?? "unknown");
+      // V3: resolve token → enforce network_id in all MCP tools
+      const authCtx = resolveRequestAuth(req);
+      const enforceNetId = authCtx?.networkId || null;
       const transport = new WebStandardStreamableHTTPServerTransport({
         sessionIdGenerator: undefined,
       });
-      const server = createServer(clientIP);
+      const server = createServer(clientIP, enforceNetId);
       await server.connect(transport);
       const response = await transport.handleRequest(req);
       // Disconnect after response to prevent McpServer leak
@@ -135,6 +186,184 @@ Bun.serve({
       return createSSEStream(sessionName);
     }
+    // ── V3: License endpoints ──
+    if (url.pathname === "/api/license" && req.method === "GET") {
+      const license = db.query<any, []>("SELECT * FROM licenses ORDER BY created_at LIMIT 1").get();
+      if (!license) return withCors(req, Response.json({ ok: true, status: "no_license" }));
+      const now = new Date().toISOString().replace("T", " ").slice(0, 19);
+      const expired = license.expires_at && license.expires_at < now;
+      const daysLeft = license.expires_at
+        ? Math.max(0, Math.ceil((new Date(license.expires_at).getTime() - Date.now()) / 86400000))
+        : null;
+      return withCors(req, Response.json({
+        ok: true,
+        license: { type: license.type, expires_at: license.expires_at, days_left: daysLeft, expired },
+        limits: { max_agents: license.max_agents, max_networks: license.max_networks, max_tasks_day: license.max_tasks_day },
+      }));
+    }
+    if (url.pathname === "/api/license/activate" && req.method === "POST") {
+      try {
+        const body = await req.json() as any;
+        const key = body.key;
+        if (!key) return withCors(req, Response.json({ ok: false, error: "key required" }, { status: 400 }));
+        // For now: accept any key starting with "anet-" as valid pro license
+        if (!key.startsWith("anet-") || key.length < 16) {
+          return withCors(req, Response.json({ ok: false, error: "invalid license key" }, { status: 400 }));
+        }
+        // Upgrade existing license or create new
+        db.run("DELETE FROM licenses");
+        const licId = `lic_${crypto.randomUUID().replace(/-/g, "").slice(0, 12)}`;
+        db.run(
+          "INSERT INTO licenses (id, license_key, type, max_agents, max_networks, max_tasks_day, activated_at, expires_at) VALUES (?1, ?2, 'pro', 50, 10, 10000, datetime('now'), datetime('now', '+365 days'))",
+          [licId, key]
+        );
+        return withCors(req, Response.json({ ok: true, type: "pro", expires_in_days: 365 }));
+      } catch (e: any) {
+        return withCors(req, Response.json({ ok: false, error: e.message }, { status: 400 }));
+      }
+    }
+    // ── V3: Auth endpoints (public) ──
+    if (url.pathname === "/api/auth/register" && req.method === "POST") {
+      const clientIP = req.headers.get("x-forwarded-for")?.split(",")[0]?.trim() || "unknown";
+      if (!checkRateLimit(clientIP, 30)) {
+        return withCors(req, Response.json({ ok: false, error: "too many requests, try again later" }, { status: 429 }));
+      }
+      try {
+        const body = await req.json() as any;
+        const result = register(body.username, body.password, body.email, body.display_name);
+        if (result.ok) logAudit(result.user!.user_id, body.username, "register", "user", result.user!.user_id);
+        return withCors(req, Response.json(result, { status: result.ok ? 200 : 400 }));
+      } catch (e: any) {
+        return withCors(req, Response.json({ ok: false, error: e.message }, { status: 400 }));
+      }
+    }
+    if (url.pathname === "/api/auth/login" && req.method === "POST") {
+      const clientIP = req.headers.get("x-forwarded-for")?.split(",")[0]?.trim() || "unknown";
+      if (!checkRateLimit(clientIP, 10)) {
+        logAudit(null, null, "login_rate_limited", "auth", null, clientIP);
+        return withCors(req, Response.json({ ok: false, error: "too many attempts, try again later" }, { status: 429 }));
+      }
+      try {
+        const body = await req.json() as any;
+        const result = login(body.username, body.password);
+        if (result.ok) logAudit(result.user!.user_id, body.username, "login", "user", result.user!.user_id);
+        else logAudit(null, body.username, "login_failed", "user", null, "invalid credentials");
+        return withCors(req, Response.json(result, { status: result.ok ? 200 : 401 }));
+      } catch (e: any) {
+        return withCors(req, Response.json({ ok: false, error: e.message }, { status: 400 }));
+      }
+    }
+    if (url.pathname === "/api/auth/me" && req.method === "GET") {
+      const token = req.headers.get("Authorization")?.replace("Bearer ", "") || url.searchParams.get("token");
+      if (!token) return withCors(req, Response.json({ ok: false, error: "token required" }, { status: 401 }));
+      const resolved = resolveToken(token);
+      if (!resolved) return withCors(req, Response.json({ ok: false, error: "invalid token" }, { status: 401 }));
+      const networks = getUserNetworks(resolved.user.user_id);
+      return withCors(req, Response.json({ ok: true, user: resolved.user, networks, current_network: resolved.networkId }));
+    }
+    if (url.pathname === "/api/auth/me" && req.method === "PUT") {
+      const token = req.headers.get("Authorization")?.replace("Bearer ", "");
+      if (!token) return withCors(req, Response.json({ ok: false, error: "token required" }, { status: 401 }));
+      const resolved = resolveToken(token);
+      if (!resolved) return withCors(req, Response.json({ ok: false, error: "invalid token" }, { status: 401 }));
+      try {
+        const body = await req.json() as any;
+        const updates: string[] = [];
+        const params: any[] = [];
+        if (body.display_name) { updates.push(`display_name = ?${params.length + 1}`); params.push(body.display_name); }
+        if (body.email) { updates.push(`email = ?${params.length + 1}`); params.push(body.email); }
+        if (updates.length > 0) {
+          updates.push(`updated_at = datetime('now')`);
+          params.push(resolved.user.user_id);
+          db.run(`UPDATE users SET ${updates.join(", ")} WHERE user_id = ?${params.length}`, params);
+        }
+        // Re-fetch
+        const user = db.query<any, [string]>("SELECT user_id, username, display_name, email, role FROM users WHERE user_id = ?1").get(resolved.user.user_id);
+        return withCors(req, Response.json({ ok: true, user }));
+      } catch (e: any) {
+        return withCors(req, Response.json({ ok: false, error: e.message }, { status: 400 }));
+      }
+    }
+    if (url.pathname === "/api/auth/password" && req.method === "POST") {
+      const token = req.headers.get("Authorization")?.replace("Bearer ", "");
+      if (!token) return withCors(req, Response.json({ ok: false, error: "token required" }, { status: 401 }));
+      const resolved = resolveToken(token);
+      if (!resolved) return withCors(req, Response.json({ ok: false, error: "invalid token" }, { status: 401 }));
+      try {
+        const body = await req.json() as any;
+        const result = changePassword(resolved.user.user_id, body.old_password, body.new_password);
+        if (result.ok) logAudit(resolved.user.user_id, resolved.user.username, "password_changed", "user", resolved.user.user_id);
+        return withCors(req, Response.json(result, { status: result.ok ? 200 : 400 }));
+      } catch (e: any) {
+        return withCors(req, Response.json({ ok: false, error: e.message }, { status: 400 }));
+      }
+    }
+    // ── V3: Network management ──
+    if (url.pathname === "/api/networks" && req.method === "GET") {
+      const token = req.headers.get("Authorization")?.replace("Bearer ", "") || url.searchParams.get("token");
+      if (!token) return withCors(req, Response.json({ ok: false, error: "token required" }, { status: 401 }));
+      const resolved = resolveToken(token);
+      if (!resolved) return withCors(req, Response.json({ ok: false, error: "invalid token" }, { status: 401 }));
+      const networks = getUserNetworks(resolved.user.user_id);
+      return withCors(req, Response.json({ ok: true, networks }));
+    }
+    if (url.pathname === "/api/networks" && req.method === "POST") {
+      const token = req.headers.get("Authorization")?.replace("Bearer ", "") || url.searchParams.get("token");
+      if (!token) return withCors(req, Response.json({ ok: false, error: "token required" }, { status: 401 }));
+      const resolved = resolveToken(token);
+      if (!resolved) return withCors(req, Response.json({ ok: false, error: "invalid token" }, { status: 401 }));
+      try {
+        const body = await req.json() as any;
+        const result = createNetwork(resolved.user.user_id, body.name, body.description);
+        return withCors(req, Response.json(result, { status: result.ok ? 200 : 400 }));
+      } catch (e: any) {
+        return withCors(req, Response.json({ ok: false, error: e.message }, { status: 400 }));
+      }
+    }
+    // ── V3: Admin APIs (require auth) ──
+    if (url.pathname === "/api/users" && req.method === "GET") {
+      const token = req.headers.get("Authorization")?.replace("Bearer ", "");
+      if (!token) return withCors(req, Response.json({ ok: false, error: "auth required" }, { status: 401 }));
+      const resolved = resolveToken(token);
+      if (!resolved || resolved.user.role !== "admin") {
+        return withCors(req, Response.json({ ok: false, error: "admin required" }, { status: 403 }));
+      }
+      const users = db.query("SELECT user_id, username, display_name, email, role, created_at FROM users ORDER BY created_at").all();
+      return withCors(req, Response.json({ ok: true, users }));
+    }
+    const netDetailMatch = url.pathname.match(/^\/api\/networks\/([^/]+)$/);
+    if (netDetailMatch && req.method === "GET") {
+      const token = req.headers.get("Authorization")?.replace("Bearer ", "") || url.searchParams.get("token");
+      if (!token) return withCors(req, Response.json({ ok: false, error: "auth required" }, { status: 401 }));
+      const resolved = resolveToken(token);
+      if (!resolved) return withCors(req, Response.json({ ok: false, error: "invalid token" }, { status: 401 }));
+      const networkId = netDetailMatch[1];
+      const network = db.query<any, [string]>("SELECT * FROM networks WHERE network_id = ?1").get(networkId);
+      if (!network) return withCors(req, Response.json({ ok: false, error: "network not found" }, { status: 404 }));
+      // Ownership check: only owner or admin can view
+      if (network.owner_id !== resolved.user.user_id && resolved.user.role !== "admin") {
+        return withCors(req, Response.json({ ok: false, error: "access denied" }, { status: 403 }));
+      }
+      // Get network stats
+      const nodeCount = db.query<{ cnt: number }, [string]>("SELECT COUNT(*) as cnt FROM nodes WHERE network_id = ?1").get(networkId);
+      const sessionCount = db.query<{ cnt: number }, [string]>("SELECT COUNT(*) as cnt FROM sessions WHERE network_id = ?1").get(networkId);
+      const taskStats = db.query<any, [string]>("SELECT status, COUNT(*) as count FROM tasks WHERE network_id = ?1 GROUP BY status").all(networkId);
+      return withCors(req, Response.json({
+        ok: true, network,
+        stats: { nodes: nodeCount?.cnt || 0, sessions: sessionCount?.cnt || 0, tasks: taskStats },
+      }));
+    }
     // ── REST: health (public, no auth) ──
     if (url.pathname === "/health") {
       const count = db.query<{ cnt: number }, []>("SELECT COUNT(*) as cnt FROM sessions").get();
@@ -159,7 +388,11 @@ Bun.serve({
     if (url.pathname === "/api/status") {
       const cutoff = new Date(Date.now() - 10 * 60 * 1000).toISOString().replace("T", " ").slice(0, 19);
       db.run("UPDATE sessions SET status = 'offline' WHERE updated_at < ?1 AND status != 'offline'", [cutoff]);
-      const sessions = db.query("SELECT * FROM sessions ORDER BY updated_at DESC").all();
+      const netFilter = url.searchParams.get("network_id");
+      const sql = netFilter
+        ? "SELECT * FROM sessions WHERE network_id = ?1 ORDER BY updated_at DESC"
+        : "SELECT * FROM sessions ORDER BY updated_at DESC";
+      const sessions = netFilter ? db.query(sql).all(netFilter) : db.query(sql).all();
       return withCors(req, Response.json({ ok: true, sessions }));
     }
@@ -281,12 +514,77 @@ Bun.serve({
       return withCors(req, Response.json({ ok: true, messages: rows }));
     }
+    // ── REST: stats summary ──
+    if (url.pathname === "/api/stats") {
+      const n = url.searchParams.get("network_id");
+      // Parameterized queries to prevent SQL injection
+      const taskStats = n
+        ? db.query<any, [string]>("SELECT status, COUNT(*) as count FROM tasks WHERE network_id = ?1 GROUP BY status").all(n)
+        : db.query<any, []>("SELECT status, COUNT(*) as count FROM tasks GROUP BY status").all();
+      const sessionStats = n
+        ? db.query<any, [string]>("SELECT status, COUNT(*) as count FROM sessions WHERE network_id = ?1 GROUP BY status").all(n)
+        : db.query<any, []>("SELECT status, COUNT(*) as count FROM sessions GROUP BY status").all();
+      const totalTasks = n
+        ? db.query<{ cnt: number }, [string]>("SELECT COUNT(*) as cnt FROM tasks WHERE network_id = ?1").get(n)
+        : db.query<{ cnt: number }, []>("SELECT COUNT(*) as cnt FROM tasks").get();
+      const totalNodes = n
+        ? db.query<{ cnt: number }, [string]>("SELECT COUNT(*) as cnt FROM nodes WHERE network_id = ?1").get(n)
+        : db.query<{ cnt: number }, []>("SELECT COUNT(*) as cnt FROM nodes").get();
+      const recentTasks = n
+        ? db.query<any, [string]>("SELECT task_id, from_name, to_name, status, created_at FROM tasks WHERE network_id = ?1 ORDER BY created_at DESC LIMIT 5").all(n)
+        : db.query<any, []>("SELECT task_id, from_name, to_name, status, created_at FROM tasks ORDER BY created_at DESC LIMIT 5").all();
+      return withCors(req, Response.json({
+        ok: true,
+        network_id: n || null,
+        tasks: { total: totalTasks?.cnt || 0, by_status: taskStats },
+        sessions: { by_status: sessionStats },
+        nodes: { total: totalNodes?.cnt || 0 },
+        recent_tasks: recentTasks,
+      }));
+    }
+    // ── REST: audit log (V3) ──
+    if (url.pathname === "/api/audit-log") {
+      const token = req.headers.get("Authorization")?.replace("Bearer ", "") || url.searchParams.get("token");
+      if (!token) return withCors(req, Response.json({ ok: false, error: "auth required" }, { status: 401 }));
+      const resolved = resolveToken(token);
+      if (!resolved) return withCors(req, Response.json({ ok: false, error: "invalid token" }, { status: 401 }));
+      const limit = Math.min(Number(url.searchParams.get("limit")) || 50, 200);
+      const action = url.searchParams.get("action");
+      const userId = url.searchParams.get("user_id");
+      let sql = "SELECT * FROM audit_log WHERE 1=1";
+      const params: any[] = [];
+      // Non-admin can only see own logs
+      if (resolved.user.role !== "admin") { sql += ` AND user_id = ?${params.length + 1}`; params.push(resolved.user.user_id); }
+      if (action) { sql += ` AND action = ?${params.length + 1}`; params.push(action); }
+      if (userId && resolved.user.role === "admin") { sql += ` AND user_id = ?${params.length + 1}`; params.push(userId); }
+      sql += ` ORDER BY created_at DESC LIMIT ?${params.length + 1}`;
+      params.push(limit);
+      const logs = db.query(sql).all(...params);
+      return withCors(req, Response.json({ ok: true, logs, count: logs.length }));
+    }
+    // ── REST: task events (V2 Sprint 2) ──
+    if (url.pathname === "/api/task_events") {
+      const taskId = url.searchParams.get("task_id");
+      const limit = Math.min(Number(url.searchParams.get("limit")) || 50, 500);
+      let sql = "SELECT * FROM task_events";
+      const params: any[] = [];
+      if (taskId) { sql += " WHERE task_id = ?1"; params.push(taskId); }
+      sql += " ORDER BY created_at DESC LIMIT ?";
+      params.push(limit);
+      const rows = db.query(sql).all(...params);
+      return withCors(req, Response.json({ ok: true, events: rows, count: rows.length }));
+    }
     // ── REST: nodes table (V2 Sprint 2) ──
     if (url.pathname === "/api/nodes") {
       const nodeId = url.searchParams.get("node_id");
       const alias = url.searchParams.get("alias");
+      const netFilter = url.searchParams.get("network_id");
       let sql = "SELECT * FROM nodes WHERE 1=1";
       const params: any[] = [];
+      if (netFilter) { sql += ` AND network_id = ?${params.length + 1}`; params.push(netFilter); }
       if (nodeId) { sql += ` AND node_id = ?${params.length + 1}`; params.push(nodeId); }
       if (alias) { sql += ` AND alias = ?${params.length + 1}`; params.push(alias); }
       sql += " ORDER BY updated_at DESC";
@@ -300,10 +598,12 @@ Bun.serve({
       const status = url.searchParams.get("status");
       const toName = url.searchParams.get("to_name");
       const fromName = url.searchParams.get("from_name");
+      const netFilter = url.searchParams.get("network_id");
       const limit = Math.min(Number(url.searchParams.get("limit")) || 50, 200);
       let sql = "SELECT * FROM tasks WHERE 1=1";
       const params: any[] = [];
+      if (netFilter) { sql += ` AND network_id = ?${params.length + 1}`; params.push(netFilter); }
       if (taskId) { sql += ` AND task_id = ?${params.length + 1}`; params.push(taskId); }
       if (status) { sql += ` AND status = ?${params.length + 1}`; params.push(status); }
       if (toName) { sql += ` AND to_name = ?${params.length + 1}`; params.push(toName); }
@@ -312,7 +612,10 @@ Bun.serve({
       params.push(limit);
       const rows = db.query(sql).all(...params);
-      return withCors(req, Response.json({ ok: true, tasks: rows, count: rows.length }));
+      const stats = netFilter
+        ? db.query<any, [string]>("SELECT status, COUNT(*) as count FROM tasks WHERE network_id = ?1 GROUP BY status").all(netFilter)
+        : db.query<any, []>("SELECT status, COUNT(*) as count FROM tasks GROUP BY status").all();
+      return withCors(req, Response.json({ ok: true, tasks: rows, count: rows.length, stats }));
     }
     // ── REST: recent completions ──

package/src/tools.ts CHANGED Viewed

@@ -1,13 +1,15 @@
 import { McpServer } from "@modelcontextprotocol/sdk/server/mcp.js";
 import { z } from "zod/v4";
-import { db, uuidv4 } from "./db.js";
+import { db, uuidv4, logTaskEvent } from "./db.js";
 import { pushEvent, pushBroadcast } from "./push.js";
 function ts(): string {
   return new Date().toTimeString().slice(0, 8);
 }
-export function registerTools(server: McpServer, clientIP?: string) {
+export function registerTools(server: McpServer, clientIP?: string, enforceNetworkId?: string | null) {
+  // If enforceNetworkId is set, override any client-supplied network_id
+  const getNetworkId = (clientNetId?: string | null) => enforceNetworkId ?? clientNetId ?? null;
   // ═══════════════════════════════════════════
   //  Child Agent Tools (4)
   // ═══════════════════════════════════════════
@@ -35,17 +37,25 @@ export function registerTools(server: McpServer, clientIP?: string) {
       config_path: z.string().max(1000).optional().describe("Config file path"),
       channels: z.string().max(2000).optional().describe("JSON array of channels"),
       model: z.string().max(200).optional().describe("AI model name"),
+      node_name: z.string().max(200).optional().describe("Stable node display name (may differ from alias)"),
+      network_id: z.string().max(200).optional().describe("Network this agent belongs to"),
     },
-    async ({ resume_id, alias, status, task, output, score, progress, server: srv, hostname: hn, agent: ag, project_dir: pd, version: ver, tmux_name: tmux, node_id, session_id, config_path, channels, model: mdl }) => {
-      console.log(`[${ts()}] ${alias} (${resume_id.slice(0, 8)}) → report_status: ${status}${task ? " | " + task.slice(0, 60) : ""}`);
+    async ({ resume_id, alias, status, task, output, score, progress, server: srv, hostname: hn, agent: ag, project_dir: pd, version: ver, tmux_name: tmux, node_id, session_id, config_path, channels, model: mdl, node_name: nn, network_id: netId }) => {
+      const effectiveNetId = getNetworkId(netId);
+      console.log(`[${ts()}] ${alias} (${resume_id.slice(0, 8)}) → report_status: ${status}${task ? " | " + task.slice(0, 60) : ""}${effectiveNetId ? " [net]" : ""}`);
       const trimmedOutput = output?.slice(0, 4000);
       try {
         db.run("BEGIN IMMEDIATE");
-        db.run("DELETE FROM sessions WHERE alias = ?1 AND resume_id != ?2", [alias, resume_id]);
+        // Only delete same-alias sessions within the same network (prevent cross-network alias conflict)
+        if (effectiveNetId) {
+          db.run("DELETE FROM sessions WHERE alias = ?1 AND resume_id != ?2 AND network_id = ?3", [alias, resume_id, effectiveNetId]);
+        } else {
+          db.run("DELETE FROM sessions WHERE alias = ?1 AND resume_id != ?2", [alias, resume_id]);
+        }
         db.run(
-          `INSERT INTO sessions (resume_id, alias, tmux_name, server, ip, hostname, agent, project_dir, version, status, task, output, progress, score, node_id, session_id, config_path, channels, last_seen_at, updated_at)
-           VALUES (?1, ?2, ?3, ?4, ?5, ?6, ?7, ?8, ?9, ?10, ?11, ?12, ?13, ?14, ?15, ?16, ?17, ?18, datetime('now'), datetime('now'))
+          `INSERT INTO sessions (resume_id, alias, tmux_name, server, ip, hostname, agent, project_dir, version, status, task, output, progress, score, node_id, session_id, config_path, channels, network_id, last_seen_at, updated_at)
+           VALUES (?1, ?2, ?3, ?4, ?5, ?6, ?7, ?8, ?9, ?10, ?11, ?12, ?13, ?14, ?15, ?16, ?17, ?18, ?19, datetime('now'), datetime('now'))
            ON CONFLICT(resume_id) DO UPDATE SET
              alias = COALESCE(?2, sessions.alias),
              tmux_name = COALESCE(?3, sessions.tmux_name),
@@ -64,9 +74,10 @@ export function registerTools(server: McpServer, clientIP?: string) {
              session_id = COALESCE(?16, sessions.session_id),
              config_path = COALESCE(?17, sessions.config_path),
              channels = COALESCE(?18, sessions.channels),
+             network_id = COALESCE(?19, sessions.network_id),
              last_seen_at = datetime('now'),
              updated_at = datetime('now')`,
-          [resume_id, alias, tmux ?? null, srv ?? null, clientIP ?? null, hn ?? null, ag ?? null, pd ?? null, ver ?? null, status, task ?? null, trimmedOutput ?? null, progress ?? null, score ?? null, node_id ?? null, session_id ?? null, config_path ?? null, channels ?? null]
+          [resume_id, alias, tmux ?? null, srv ?? null, clientIP ?? null, hn ?? null, ag ?? null, pd ?? null, ver ?? null, status, task ?? null, trimmedOutput ?? null, progress ?? null, score ?? null, node_id ?? null, session_id ?? null, config_path ?? null, channels ?? null, netId ?? null]
         );
         db.run("COMMIT");
       } catch (e) {
@@ -77,11 +88,18 @@ export function registerTools(server: McpServer, clientIP?: string) {
       // V2: sync tasks table — report_status(working) → tasks.running
       if (status === "working" && task) {
         try {
-          db.run(
+          const runResult = db.run(
             `UPDATE tasks SET status = 'running', started_at = datetime('now')
              WHERE to_name = ?1 AND status IN ('delivered', 'acked') AND content = ?2`,
             [alias, task]
           );
+          if (runResult.changes > 0) {
+            // Find task_id for logging
+            const t = db.query<{ task_id: string }, [string, string]>(
+              "SELECT task_id FROM tasks WHERE to_name = ?1 AND content = ?2 AND status = 'running' ORDER BY started_at DESC LIMIT 1"
+            ).get(alias, task);
+            if (t) logTaskEvent(t.task_id, null, "running", alias);
+          }
         } catch {}
       }
@@ -103,7 +121,7 @@ export function registerTools(server: McpServer, clientIP?: string) {
                server = COALESCE(?8, nodes.server),
                hostname = COALESCE(?9, nodes.hostname),
                updated_at = datetime('now')`,
-            [node_id, alias, alias, nodeRuntime, mdl ?? null, config_path ?? null, channels ?? null, srv ?? null, hn ?? null]
+            [node_id, nn || alias, alias, nodeRuntime, mdl ?? null, config_path ?? null, channels ?? null, srv ?? null, hn ?? null]
           );
         } catch {}
       }
@@ -179,6 +197,11 @@ export function registerTools(server: McpServer, clientIP?: string) {
         }
         db.run("COMMIT");
+        // Log event after commit
+        const updatedTaskId = taskUpdate.changes > 0 ? task : (db.query<{ task_id: string }, [string]>(
+          "SELECT task_id FROM tasks WHERE to_name = ?1 AND status = 'replied' ORDER BY completed_at DESC LIMIT 1"
+        ).get(alias)?.task_id);
+        if (updatedTaskId) logTaskEvent(updatedTaskId, null, "replied", alias, "report_completion");
       } catch (e) {
         try { db.run("ROLLBACK"); } catch {}
         throw e;
@@ -233,10 +256,11 @@ export function registerTools(server: McpServer, clientIP?: string) {
       }
       // V2: sync tasks table — ack_inbox means delivered→acked
       try {
-        db.run(
+        const ackResult = db.run(
           `UPDATE tasks SET status = 'acked' WHERE task_id = ?1 AND status = 'delivered'`,
           [message_id]
         );
+        if (ackResult.changes > 0) logTaskEvent(message_id, "delivered", "acked", alias);
       } catch {}
       return {
         content: [{ type: "text" as const, text: JSON.stringify({ ok: true }) }],
@@ -254,9 +278,11 @@ export function registerTools(server: McpServer, clientIP?: string) {
     {
       filter_status: z.string().max(50).optional(),
       filter_server: z.string().max(200).optional(),
+      network_id: z.string().max(200).optional().describe("Filter by network"),
     },
-    async ({ filter_status, filter_server }) => {
-      console.log(`[${ts()}] hub → get_all_status${filter_status ? ": filter=" + filter_status : ""}${filter_server ? " server=" + filter_server : ""}`);
+    async ({ filter_status, filter_server, network_id: netId }) => {
+      const effectiveNetId = getNetworkId(netId);
+      console.log(`[${ts()}] hub → get_all_status${filter_status ? ": filter=" + filter_status : ""}${effectiveNetId ? " net=" + effectiveNetId.slice(0, 12) : ""}`);
       const sessions = db.transaction(() => {
         const cutoff = new Date(Date.now() - 10 * 60 * 1000).toISOString().replace("T", " ").slice(0, 19);
@@ -264,6 +290,7 @@ export function registerTools(server: McpServer, clientIP?: string) {
         let sql = "SELECT * FROM sessions WHERE 1=1";
         const params: any[] = [];
+        if (effectiveNetId) { sql += " AND network_id = ?"; params.push(effectiveNetId); }
         if (filter_status) { sql += " AND status = ?"; params.push(filter_status); }
         if (filter_server) { sql += " AND server = ?"; params.push(filter_server); }
         sql += " ORDER BY updated_at DESC";
@@ -319,24 +346,41 @@ export function registerTools(server: McpServer, clientIP?: string) {
       priority: z.enum(["high", "normal", "low"]).optional().default("normal"),
       context: z.string().max(10000).optional(),
       from_session: z.string().max(200).optional().default("hub"),
+      ttl_seconds: z.number().min(1).max(86400).optional().describe("Task TTL in seconds (default: 3600)"),
+      network_id: z.string().max(200).optional().describe("Network scope"),
     },
-    async ({ alias, task, priority, context, from_session }) => {
+    async ({ alias, task, priority, context, from_session, ttl_seconds, network_id: netId }) => {
+      const effectiveNetId = getNetworkId(netId);
+      // License check
+      const license = db.query<any, []>("SELECT type, expires_at FROM licenses ORDER BY created_at LIMIT 1").get();
+      if (license?.expires_at) {
+        const now = new Date().toISOString().replace("T", " ").slice(0, 19);
+        if (license.expires_at < now) {
+          return { content: [{ type: "text" as const, text: JSON.stringify({
+            ok: false, error: "license_expired",
+            message: "Trial expired. Activate a license: anet activate <key>",
+          }) }] };
+        }
+      }
       console.log(`[${ts()}] ${from_session} → send_task → ${alias}: ${task.slice(0, 60)}${priority === "high" ? " [HIGH]" : ""}`);
       const id = uuidv4();
       // 事务：inbox + tasks 双写
       try {
         db.run("BEGIN IMMEDIATE");
         db.run(
-          `INSERT INTO inbox (id, session_name, type, priority, content, context, from_session, requires_response)
-           VALUES (?1, ?2, 'task', ?3, ?4, ?5, ?6, 'reply')`,
-          [id, alias, priority, task, context ?? null, from_session]
+          `INSERT INTO inbox (id, session_name, type, priority, content, context, from_session, requires_response, network_id)
+           VALUES (?1, ?2, 'task', ?3, ?4, ?5, ?6, 'reply', ?7)`,
+          [id, alias, priority, task, context ?? null, from_session, effectiveNetId]
         );
         db.run(
-          `INSERT INTO tasks (task_id, from_name, to_name, priority, status, content, requires_response, created_at, delivered_at, expires_at)
-           VALUES (?1, ?2, ?3, ?4, 'delivered', ?5, 'reply', datetime('now'), datetime('now'), datetime('now', '+1 hour'))`,
-          [id, from_session, alias, priority, task]
+          `INSERT INTO tasks (task_id, from_name, to_name, priority, status, content, requires_response, created_at, delivered_at, expires_at, network_id)
+           VALUES (?1, ?2, ?3, ?4, 'delivered', ?5, 'reply', datetime('now'), datetime('now'), datetime('now', ?6), ?7)`,
+          [id, from_session, alias, priority, task, `+${ttl_seconds || 3600} seconds`, effectiveNetId]
         );
         db.run("COMMIT");
+        logTaskEvent(id, null, "delivered", from_session, `→ ${alias}`);
       } catch (e) {
         try { db.run("ROLLBACK"); } catch {}
         throw e;
@@ -415,6 +459,7 @@ export function registerTools(server: McpServer, clientIP?: string) {
     async ({ alias, text, in_reply_to, status: replyStatus, from_session }) => {
       console.log(`[${ts()}] ${from_session} → send_reply (${replyStatus}) → ${alias}: ${text.slice(0, 60)}`);
       const id = uuidv4();
+      let replyLogged = false;
       try {
         db.run("BEGIN IMMEDIATE");
         db.run(
@@ -432,6 +477,8 @@ export function registerTools(server: McpServer, clientIP?: string) {
           );
           if (result.changes === 0) {
             console.log(`[${ts()}] ⚠ send_reply: task ${in_reply_to?.slice(0, 8)} not found or already terminal`);
+          } else {
+            replyLogged = true;
           }
         }
         db.run("COMMIT");
@@ -440,6 +487,9 @@ export function registerTools(server: McpServer, clientIP?: string) {
         throw e;
       }
+      // Log event after commit (outside transaction)
+      if (replyLogged && in_reply_to) logTaskEvent(in_reply_to, null, replyStatus, from_session, text.slice(0, 200));
       const session = db.query<any, [string]>("SELECT status FROM sessions WHERE alias = ?1").get(alias);
       pushEvent(alias, { type: "new_reply", from: from_session, message_id: id, in_reply_to, status: replyStatus });
@@ -466,6 +516,7 @@ export function registerTools(server: McpServer, clientIP?: string) {
         `UPDATE tasks SET status = 'acked' WHERE task_id = ?1 AND status IN ('created', 'delivered')`,
         [task_id]
       );
+      if (result.changes > 0) logTaskEvent(task_id, "delivered", "acked", from_session);
       return {
         content: [{
           type: "text" as const,
@@ -475,6 +526,173 @@ export function registerTools(server: McpServer, clientIP?: string) {
     }
   );
+  // ── V2: retry_task (重新投递失败/过期任务) ──
+  server.tool(
+    "retry_task",
+    "Retry a failed, expired, or cancelled task. Resets status to delivered and re-queues in inbox.",
+    {
+      task_id: z.string().min(1).max(200).describe("Task ID to retry"),
+      from_session: z.string().max(200).optional().default("hub"),
+    },
+    async ({ task_id, from_session }) => {
+      console.log(`[${ts()}] ${from_session} → retry_task → ${task_id.slice(0, 8)}`);
+      // Find the original task
+      const task = db.query<any, [string]>(
+        "SELECT * FROM tasks WHERE task_id = ?1"
+      ).get(task_id);
+      if (!task) {
+        return { content: [{ type: "text" as const, text: JSON.stringify({ ok: false, error: "task not found" }) }] };
+      }
+      if (!["failed", "expired", "cancelled"].includes(task.status)) {
+        return { content: [{ type: "text" as const, text: JSON.stringify({ ok: false, error: `task status is ${task.status}, not retryable` }) }] };
+      }
+      try {
+        db.run("BEGIN IMMEDIATE");
+        // Reset task status
+        db.run(
+          `UPDATE tasks SET status = 'delivered', result = NULL, completed_at = NULL, started_at = NULL, delivered_at = datetime('now'), expires_at = datetime('now', '+1 hour')
+           WHERE task_id = ?1`,
+          [task_id]
+        );
+        // Re-queue in inbox with new ID (original ID may already exist)
+        const retryInboxId = uuidv4();
+        db.run(
+          `INSERT INTO inbox (id, session_name, type, priority, content, from_session, requires_response)
+           VALUES (?1, ?2, 'task', ?3, ?4, ?5, 'reply')`,
+          [retryInboxId, task.to_name, task.priority, task.content, from_session]
+        );
+        db.run("COMMIT");
+        logTaskEvent(task_id, task.status, "delivered", from_session, "retry");
+      } catch (e) {
+        try { db.run("ROLLBACK"); } catch {}
+        throw e;
+      }
+      // SSE push
+      pushEvent(task.to_name, { type: "new_task", inbox_count: 1, priority: task.priority, from: from_session });
+      return {
+        content: [{ type: "text" as const, text: JSON.stringify({ ok: true, task_id, retried_to: task.to_name }) }],
+      };
+    }
+  );
+  // ── V2: get_task (查询任务状态) ──
+  server.tool(
+    "get_task",
+    "Get task details by task_id. Returns status, result, timestamps.",
+    {
+      task_id: z.string().min(1).max(200).describe("Task ID to query"),
+    },
+    async ({ task_id }) => {
+      const task = db.query<any, [string]>("SELECT * FROM tasks WHERE task_id = ?1").get(task_id);
+      return {
+        content: [{
+          type: "text" as const,
+          text: JSON.stringify(task ? { ok: true, task } : { ok: false, error: "task not found" }),
+        }],
+      };
+    }
+  );
+  // ── V2: list_tasks (查询任务列表) ──
+  server.tool(
+    "list_tasks",
+    "List tasks with filters. Agents can query their own pending/running tasks.",
+    {
+      alias: z.string().max(200).optional().describe("Filter by to_name (target agent)"),
+      status: z.string().max(50).optional().describe("Filter by status"),
+      from_name: z.string().max(200).optional().describe("Filter by sender"),
+      network_id: z.string().max(200).optional().describe("Filter by network"),
+      limit: z.number().min(1).max(100).optional().default(20),
+    },
+    async ({ alias, status, from_name, network_id: netId, limit }) => {
+      const effectiveNetId = getNetworkId(netId);
+      let sql = "SELECT task_id, from_name, to_name, priority, status, content, result, created_at, completed_at FROM tasks WHERE 1=1";
+      const params: any[] = [];
+      if (effectiveNetId) { sql += ` AND network_id = ?${params.length + 1}`; params.push(effectiveNetId); }
+      if (alias) { sql += ` AND to_name = ?${params.length + 1}`; params.push(alias); }
+      if (status) { sql += ` AND status = ?${params.length + 1}`; params.push(status); }
+      if (from_name) { sql += ` AND from_name = ?${params.length + 1}`; params.push(from_name); }
+      sql += ` ORDER BY created_at DESC LIMIT ?${params.length + 1}`;
+      params.push(limit);
+      const tasks = db.query(sql).all(...params);
+      // Stats
+      const stats = db.query<any, []>(
+        "SELECT status, COUNT(*) as count FROM tasks GROUP BY status"
+      ).all();
+      return {
+        content: [{
+          type: "text" as const,
+          text: JSON.stringify({ ok: true, tasks, count: tasks.length, stats }),
+        }],
+      };
+    }
+  );
+  // ── V2: cancel_task (取消任务) ──
+  server.tool(
+    "cancel_task",
+    "Cancel a pending task. Works on delivered/acked/running tasks.",
+    {
+      task_id: z.string().min(1).max(200).describe("Task ID to cancel"),
+      reason: z.string().max(1000).optional().describe("Cancellation reason"),
+      from_session: z.string().max(200).optional().default("hub"),
+    },
+    async ({ task_id, reason, from_session }) => {
+      console.log(`[${ts()}] ${from_session} → cancel_task → ${task_id.slice(0, 8)}`);
+      const result = db.run(
+        `UPDATE tasks SET status = 'cancelled', result = ?1, completed_at = datetime('now')
+         WHERE task_id = ?2 AND status IN ('created', 'delivered', 'acked', 'running')`,
+        [reason || "cancelled by " + from_session, task_id]
+      );
+      // Also ack the inbox entry to prevent agent from picking it up
+      if (result.changes > 0) {
+        db.run("UPDATE inbox SET acked = 1 WHERE id = ?1 AND acked = 0", [task_id]);
+        logTaskEvent(task_id, null, "cancelled", from_session, reason || undefined);
+      }
+      return {
+        content: [{ type: "text" as const, text: JSON.stringify({ ok: result.changes > 0, task_id, cancelled: result.changes > 0 }) }],
+      };
+    }
+  );
+  // ── V2: reassign_task (转移任务到另一个 agent) ──
+  server.tool(
+    "reassign_task",
+    "Reassign a task to a different agent. Works on any non-terminal task (delivered/acked/running).",
+    {
+      task_id: z.string().min(1).max(200).describe("Task ID to reassign"),
+      new_alias: z.string().min(1).max(200).describe("Target agent alias"),
+      from_session: z.string().max(200).optional().default("hub"),
+    },
+    async ({ task_id, new_alias, from_session }) => {
+      console.log(`[${ts()}] ${from_session} → reassign_task → ${task_id.slice(0, 8)} → ${new_alias}`);
+      const task = db.query<any, [string]>("SELECT * FROM tasks WHERE task_id = ?1").get(task_id);
+      if (!task) return { content: [{ type: "text" as const, text: JSON.stringify({ ok: false, error: "task not found" }) }] };
+      if (["replied", "failed", "cancelled", "expired"].includes(task.status)) {
+        return { content: [{ type: "text" as const, text: JSON.stringify({ ok: false, error: `task is terminal (${task.status})` }) }] };
+      }
+      const oldAlias = task.to_name;
+      try {
+        db.run("BEGIN IMMEDIATE");
+        // Ack old inbox to prevent original agent from picking it up
+        db.run("UPDATE inbox SET acked = 1 WHERE id = ?1 AND acked = 0", [task_id]);
+        db.run("UPDATE tasks SET to_name = ?1, status = 'delivered', started_at = NULL, delivered_at = datetime('now') WHERE task_id = ?2", [new_alias, task_id]);
+        const newInboxId = uuidv4();
+        db.run("INSERT INTO inbox (id, session_name, type, priority, content, from_session, requires_response) VALUES (?1, ?2, 'task', ?3, ?4, ?5, 'reply')",
+          [newInboxId, new_alias, task.priority, task.content, from_session]);
+        db.run("COMMIT");
+        logTaskEvent(task_id, task.status, "delivered", from_session, `reassign: ${oldAlias} → ${new_alias}`);
+      } catch (e) {
+        try { db.run("ROLLBACK"); } catch {}
+        throw e;
+      }
+      pushEvent(new_alias, { type: "new_task", inbox_count: 1, priority: task.priority, from: from_session });
+      return { content: [{ type: "text" as const, text: JSON.stringify({ ok: true, task_id, reassigned_from: oldAlias, reassigned_to: new_alias }) }] };
+    }
+  );
   server.tool(
     "broadcast",
     "Send a message to multiple sessions.",
@@ -482,11 +700,13 @@ export function registerTools(server: McpServer, clientIP?: string) {
       message: z.string().min(1).max(10000),
       filter_server: z.string().max(200).optional(),
       filter_status: z.string().max(50).optional(),
+      network_id: z.string().max(200).optional().describe("Broadcast within a specific network"),
     },
-    async ({ message, filter_server, filter_status }) => {
-      console.log(`[${ts()}] hub → broadcast: ${message.slice(0, 60)}${filter_server ? " [server=" + filter_server + "]" : ""}`);
+    async ({ message, filter_server, filter_status, network_id: netId }) => {
+      console.log(`[${ts()}] hub → broadcast: ${message.slice(0, 60)}${netId ? " [net=" + netId.slice(0, 12) + "]" : ""}`);
       let sql = "SELECT alias FROM sessions WHERE alias IS NOT NULL";
       const params: any[] = [];
+      if (netId) { sql += " AND network_id = ?"; params.push(netId); }
       if (filter_server) { sql += " AND server = ?"; params.push(filter_server); }
       if (filter_status) { sql += " AND status = ?"; params.push(filter_status); }