npm - @sleep2agi/commhub-server - Versions diffs - 0.5.0-preview.2 → 0.5.0-preview.21 - Mend

@sleep2agi/commhub-server 0.5.0-preview.2 → 0.5.0-preview.21

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (7) hide show

package/src/index.ts CHANGED Viewed

@@ -2,33 +2,76 @@ import { McpServer } from "@modelcontextprotocol/sdk/server/mcp.js";
 import { WebStandardStreamableHTTPServerTransport } from "@modelcontextprotocol/sdk/server/webStandardStreamableHttp.js";
 import { z } from "zod/v4";
 import { registerTools } from "./tools.js";
-import { db } from "./db.js";
+import { db, logTaskEvent, logAudit } from "./db.js";
 import { createSSEStream, pushEvent, pushBroadcast, getSSEStats } from "./push.js";
+import { register, login, resolveToken, getUserNetworks, createNetwork, changePassword, listTokens, createToken, revokeToken, type AuthUser } from "./auth.js";
 const PORT = Number(process.env.PORT) || 9200;
 const AUTH_TOKEN = process.env.COMMHUB_AUTH_TOKEN;
+// ── Rate limiter (in-memory, per IP) ──
+const rateLimits = new Map<string, { count: number; resetAt: number }>();
+function checkRateLimit(ip: string, maxPerMinute = 60): boolean {
+  // Skip rate limiting for localhost/internal/unknown (dev/test)
+  if (!ip || ip === "unknown" || ip === "127.0.0.1" || ip === "::1") return true;
+  const now = Date.now();
+  const entry = rateLimits.get(ip);
+  if (!entry || now > entry.resetAt) {
+    rateLimits.set(ip, { count: 1, resetAt: now + 60000 });
+    return true;
+  }
+  if (entry.count >= maxPerMinute) return false;
+  entry.count++;
+  return true;
+}
+// Cleanup stale entries every 5 minutes
+setInterval(() => {
+  const now = Date.now();
+  for (const [ip, entry] of rateLimits) {
+    if (now > entry.resetAt) rateLimits.delete(ip);
+  }
+}, 300000);
 // ── Factory: 每个请求创建新的 McpServer（stateless 模式）──
-function createServer(clientIP?: string): McpServer {
+function createServer(clientIP?: string, enforceNetworkId?: string | null): McpServer {
   const server = new McpServer({
     name: "commhub",
-    version: "0.4.1",
+    version: "0.5.0",
   });
-  registerTools(server, clientIP);
+  registerTools(server, clientIP, enforceNetworkId);
   return server;
 }
 // ── Auth helper ─────────────────────────────────────
 function requireAuth(req: Request): Response | null {
-  if (!AUTH_TOKEN) return null; // no token = open mode (dev)
-  const header = req.headers.get("Authorization");
-  if (header === `Bearer ${AUTH_TOKEN}`) return null;
-  // Also check query param for MCP clients that can't set headers
+  const header = req.headers.get("Authorization")?.replace("Bearer ", "");
   const url = new URL(req.url);
-  if (url.searchParams.get("token") === AUTH_TOKEN) return null;
+  const token = header || url.searchParams.get("token") || "";
+  // V3: check api_tokens first
+  if (token) {
+    const resolved = resolveToken(token);
+    if (resolved) return null; // valid user token
+  }
+  // Legacy: check global COMMHUB_AUTH_TOKEN
+  if (!AUTH_TOKEN) return null; // no token = open mode (dev)
+  if (token === AUTH_TOKEN) return null;
   return Response.json({ error: "unauthorized" }, { status: 401 });
 }
+// Extract user + network from request token (for authorization)
+function resolveRequestAuth(req: Request): { userId: string; networkId: string | null; username: string } | null {
+  const header = req.headers.get("Authorization")?.replace("Bearer ", "");
+  const url = new URL(req.url);
+  const token = header || url.searchParams.get("token") || "";
+  if (!token) return null;
+  const resolved = resolveToken(token);
+  if (!resolved) return null;
+  return { userId: resolved.user.user_id, networkId: resolved.networkId, username: resolved.user.username };
+}
 // ── REST input schema ───────────────────────────────
 const TaskSchema = z.object({
   alias: z.string().min(1).max(200),
@@ -84,6 +127,11 @@ setInterval(() => {
     );
     if (result.changes > 0) {
       console.log(`[patrol] expired ${result.changes} stale task(s)`);
+      // Log events for expired tasks
+      const expired = db.query<{ task_id: string }, []>(
+        "SELECT task_id FROM tasks WHERE status = 'expired' AND completed_at >= datetime('now', '-1 minute')"
+      ).all();
+      for (const t of expired) logTaskEvent(t.task_id, null, "expired", "patrol");
     }
   } catch {}
 }, 5 * 60 * 1000);
@@ -114,10 +162,13 @@ Bun.serve({
       if (authErr) return withCors(req, authErr);
       const fwd = req.headers.get("x-forwarded-for");
       const clientIP = fwd ? fwd.split(",")[0].trim() : (req.headers.get("x-real-ip") ?? "unknown");
+      // V3: resolve token → enforce network_id in all MCP tools
+      const authCtx = resolveRequestAuth(req);
+      const enforceNetId = authCtx?.networkId || null;
       const transport = new WebStandardStreamableHTTPServerTransport({
         sessionIdGenerator: undefined,
       });
-      const server = createServer(clientIP);
+      const server = createServer(clientIP, enforceNetId);
       await server.connect(transport);
       const response = await transport.handleRequest(req);
       // Disconnect after response to prevent McpServer leak
@@ -135,6 +186,220 @@ Bun.serve({
       return createSSEStream(sessionName);
     }
+    // ── V3: License endpoints ──
+    if (url.pathname === "/api/license" && req.method === "GET") {
+      const license = db.query<any, []>("SELECT * FROM licenses ORDER BY created_at LIMIT 1").get();
+      if (!license) return withCors(req, Response.json({ ok: true, status: "no_license" }));
+      const now = new Date().toISOString().replace("T", " ").slice(0, 19);
+      const expired = license.expires_at && license.expires_at < now;
+      const daysLeft = license.expires_at
+        ? Math.max(0, Math.ceil((new Date(license.expires_at).getTime() - Date.now()) / 86400000))
+        : null;
+      return withCors(req, Response.json({
+        ok: true,
+        license: { type: license.type, expires_at: license.expires_at, days_left: daysLeft, expired },
+        limits: { max_agents: license.max_agents, max_networks: license.max_networks, max_tasks_day: license.max_tasks_day },
+      }));
+    }
+    if (url.pathname === "/api/license/activate" && req.method === "POST") {
+      try {
+        const body = await req.json() as any;
+        const key = body.key;
+        if (!key) return withCors(req, Response.json({ ok: false, error: "key required" }, { status: 400 }));
+        // For now: accept any key starting with "anet-" as valid pro license
+        if (!key.startsWith("anet-") || key.length < 16) {
+          return withCors(req, Response.json({ ok: false, error: "invalid license key" }, { status: 400 }));
+        }
+        // Upgrade existing license or create new
+        db.run("DELETE FROM licenses");
+        const licId = `lic_${crypto.randomUUID().replace(/-/g, "").slice(0, 12)}`;
+        db.run(
+          "INSERT INTO licenses (id, license_key, type, max_agents, max_networks, max_tasks_day, activated_at, expires_at) VALUES (?1, ?2, 'pro', 50, 10, 10000, datetime('now'), datetime('now', '+365 days'))",
+          [licId, key]
+        );
+        return withCors(req, Response.json({ ok: true, type: "pro", expires_in_days: 365 }));
+      } catch (e: any) {
+        return withCors(req, Response.json({ ok: false, error: e.message }, { status: 400 }));
+      }
+    }
+    // ── V3: Auth endpoints (public) ──
+    if (url.pathname === "/api/auth/register" && req.method === "POST") {
+      const clientIP = req.headers.get("x-forwarded-for")?.split(",")[0]?.trim() || "unknown";
+      if (!checkRateLimit(clientIP, 30)) {
+        return withCors(req, Response.json({ ok: false, error: "too many requests, try again later" }, { status: 429 }));
+      }
+      try {
+        const body = await req.json() as any;
+        const result = register(body.username, body.password, body.email, body.display_name);
+        if (result.ok) logAudit(result.user!.user_id, body.username, "register", "user", result.user!.user_id);
+        return withCors(req, Response.json(result, { status: result.ok ? 200 : 400 }));
+      } catch (e: any) {
+        return withCors(req, Response.json({ ok: false, error: e.message }, { status: 400 }));
+      }
+    }
+    if (url.pathname === "/api/auth/login" && req.method === "POST") {
+      const clientIP = req.headers.get("x-forwarded-for")?.split(",")[0]?.trim() || "unknown";
+      if (!checkRateLimit(clientIP, 10)) {
+        logAudit(null, null, "login_rate_limited", "auth", null, clientIP);
+        return withCors(req, Response.json({ ok: false, error: "too many attempts, try again later" }, { status: 429 }));
+      }
+      try {
+        const body = await req.json() as any;
+        const result = login(body.username, body.password);
+        if (result.ok) logAudit(result.user!.user_id, body.username, "login", "user", result.user!.user_id);
+        else logAudit(null, body.username, "login_failed", "user", null, "invalid credentials");
+        return withCors(req, Response.json(result, { status: result.ok ? 200 : 401 }));
+      } catch (e: any) {
+        return withCors(req, Response.json({ ok: false, error: e.message }, { status: 400 }));
+      }
+    }
+    if (url.pathname === "/api/auth/me" && req.method === "GET") {
+      const token = req.headers.get("Authorization")?.replace("Bearer ", "") || url.searchParams.get("token");
+      if (!token) return withCors(req, Response.json({ ok: false, error: "token required" }, { status: 401 }));
+      const resolved = resolveToken(token);
+      if (!resolved) return withCors(req, Response.json({ ok: false, error: "invalid token" }, { status: 401 }));
+      const networks = getUserNetworks(resolved.user.user_id);
+      return withCors(req, Response.json({ ok: true, user: resolved.user, networks, current_network: resolved.networkId }));
+    }
+    if (url.pathname === "/api/auth/me" && req.method === "PUT") {
+      const token = req.headers.get("Authorization")?.replace("Bearer ", "");
+      if (!token) return withCors(req, Response.json({ ok: false, error: "token required" }, { status: 401 }));
+      const resolved = resolveToken(token);
+      if (!resolved) return withCors(req, Response.json({ ok: false, error: "invalid token" }, { status: 401 }));
+      try {
+        const body = await req.json() as any;
+        const updates: string[] = [];
+        const params: any[] = [];
+        if (body.display_name) { updates.push(`display_name = ?${params.length + 1}`); params.push(body.display_name); }
+        if (body.email) { updates.push(`email = ?${params.length + 1}`); params.push(body.email); }
+        if (updates.length > 0) {
+          updates.push(`updated_at = datetime('now')`);
+          params.push(resolved.user.user_id);
+          db.run(`UPDATE users SET ${updates.join(", ")} WHERE user_id = ?${params.length}`, params);
+        }
+        // Re-fetch
+        const user = db.query<any, [string]>("SELECT user_id, username, display_name, email, role FROM users WHERE user_id = ?1").get(resolved.user.user_id);
+        return withCors(req, Response.json({ ok: true, user }));
+      } catch (e: any) {
+        return withCors(req, Response.json({ ok: false, error: e.message }, { status: 400 }));
+      }
+    }
+    if (url.pathname === "/api/auth/password" && req.method === "POST") {
+      const token = req.headers.get("Authorization")?.replace("Bearer ", "");
+      if (!token) return withCors(req, Response.json({ ok: false, error: "token required" }, { status: 401 }));
+      const resolved = resolveToken(token);
+      if (!resolved) return withCors(req, Response.json({ ok: false, error: "invalid token" }, { status: 401 }));
+      try {
+        const body = await req.json() as any;
+        const result = changePassword(resolved.user.user_id, body.old_password, body.new_password);
+        if (result.ok) logAudit(resolved.user.user_id, resolved.user.username, "password_changed", "user", resolved.user.user_id);
+        return withCors(req, Response.json(result, { status: result.ok ? 200 : 400 }));
+      } catch (e: any) {
+        return withCors(req, Response.json({ ok: false, error: e.message }, { status: 400 }));
+      }
+    }
+    // ── V3: Token management ──
+    if (url.pathname === "/api/auth/tokens" && req.method === "GET") {
+      const token = req.headers.get("Authorization")?.replace("Bearer ", "");
+      if (!token) return withCors(req, Response.json({ ok: false, error: "auth required" }, { status: 401 }));
+      const resolved = resolveToken(token);
+      if (!resolved) return withCors(req, Response.json({ ok: false, error: "invalid token" }, { status: 401 }));
+      const tokens = listTokens(resolved.user.user_id);
+      return withCors(req, Response.json({ ok: true, tokens }));
+    }
+    if (url.pathname === "/api/auth/tokens" && req.method === "POST") {
+      const token = req.headers.get("Authorization")?.replace("Bearer ", "");
+      if (!token) return withCors(req, Response.json({ ok: false, error: "auth required" }, { status: 401 }));
+      const resolved = resolveToken(token);
+      if (!resolved) return withCors(req, Response.json({ ok: false, error: "invalid token" }, { status: 401 }));
+      try {
+        const body = await req.json() as any;
+        const result = createToken(resolved.user.user_id, body.name || "api-token", body.network_id);
+        if (result.ok) logAudit(resolved.user.user_id, resolved.user.username, "token_created", "token", result.token_id);
+        return withCors(req, Response.json(result));
+      } catch (e: any) {
+        return withCors(req, Response.json({ ok: false, error: e.message }, { status: 400 }));
+      }
+    }
+    const tokenDeleteMatch = url.pathname.match(/^\/api\/auth\/tokens\/([^/]+)$/);
+    if (tokenDeleteMatch && req.method === "DELETE") {
+      const token = req.headers.get("Authorization")?.replace("Bearer ", "");
+      if (!token) return withCors(req, Response.json({ ok: false, error: "auth required" }, { status: 401 }));
+      const resolved = resolveToken(token);
+      if (!resolved) return withCors(req, Response.json({ ok: false, error: "invalid token" }, { status: 401 }));
+      const result = revokeToken(resolved.user.user_id, tokenDeleteMatch[1]);
+      if (result.ok) logAudit(resolved.user.user_id, resolved.user.username, "token_revoked", "token", tokenDeleteMatch[1]);
+      return withCors(req, Response.json(result, { status: result.ok ? 200 : 404 }));
+    }
+    // ── V3: Network management ──
+    if (url.pathname === "/api/networks" && req.method === "GET") {
+      const token = req.headers.get("Authorization")?.replace("Bearer ", "") || url.searchParams.get("token");
+      if (!token) return withCors(req, Response.json({ ok: false, error: "token required" }, { status: 401 }));
+      const resolved = resolveToken(token);
+      if (!resolved) return withCors(req, Response.json({ ok: false, error: "invalid token" }, { status: 401 }));
+      const networks = getUserNetworks(resolved.user.user_id);
+      return withCors(req, Response.json({ ok: true, networks }));
+    }
+    if (url.pathname === "/api/networks" && req.method === "POST") {
+      const token = req.headers.get("Authorization")?.replace("Bearer ", "") || url.searchParams.get("token");
+      if (!token) return withCors(req, Response.json({ ok: false, error: "token required" }, { status: 401 }));
+      const resolved = resolveToken(token);
+      if (!resolved) return withCors(req, Response.json({ ok: false, error: "invalid token" }, { status: 401 }));
+      try {
+        const body = await req.json() as any;
+        const result = createNetwork(resolved.user.user_id, body.name, body.description);
+        return withCors(req, Response.json(result, { status: result.ok ? 200 : 400 }));
+      } catch (e: any) {
+        return withCors(req, Response.json({ ok: false, error: e.message }, { status: 400 }));
+      }
+    }
+    // ── V3: Admin APIs (require auth) ──
+    if (url.pathname === "/api/users" && req.method === "GET") {
+      const token = req.headers.get("Authorization")?.replace("Bearer ", "");
+      if (!token) return withCors(req, Response.json({ ok: false, error: "auth required" }, { status: 401 }));
+      const resolved = resolveToken(token);
+      if (!resolved || resolved.user.role !== "admin") {
+        return withCors(req, Response.json({ ok: false, error: "admin required" }, { status: 403 }));
+      }
+      const users = db.query("SELECT user_id, username, display_name, email, role, created_at FROM users ORDER BY created_at").all();
+      return withCors(req, Response.json({ ok: true, users }));
+    }
+    const netDetailMatch = url.pathname.match(/^\/api\/networks\/([^/]+)$/);
+    if (netDetailMatch && req.method === "GET") {
+      const token = req.headers.get("Authorization")?.replace("Bearer ", "") || url.searchParams.get("token");
+      if (!token) return withCors(req, Response.json({ ok: false, error: "auth required" }, { status: 401 }));
+      const resolved = resolveToken(token);
+      if (!resolved) return withCors(req, Response.json({ ok: false, error: "invalid token" }, { status: 401 }));
+      const networkId = netDetailMatch[1];
+      const network = db.query<any, [string]>("SELECT * FROM networks WHERE network_id = ?1").get(networkId);
+      if (!network) return withCors(req, Response.json({ ok: false, error: "network not found" }, { status: 404 }));
+      // Ownership check: only owner or admin can view
+      if (network.owner_id !== resolved.user.user_id && resolved.user.role !== "admin") {
+        return withCors(req, Response.json({ ok: false, error: "access denied" }, { status: 403 }));
+      }
+      // Get network stats
+      const nodeCount = db.query<{ cnt: number }, [string]>("SELECT COUNT(*) as cnt FROM nodes WHERE network_id = ?1").get(networkId);
+      const sessionCount = db.query<{ cnt: number }, [string]>("SELECT COUNT(*) as cnt FROM sessions WHERE network_id = ?1").get(networkId);
+      const taskStats = db.query<any, [string]>("SELECT status, COUNT(*) as count FROM tasks WHERE network_id = ?1 GROUP BY status").all(networkId);
+      return withCors(req, Response.json({
+        ok: true, network,
+        stats: { nodes: nodeCount?.cnt || 0, sessions: sessionCount?.cnt || 0, tasks: taskStats },
+      }));
+    }
     // ── REST: health (public, no auth) ──
     if (url.pathname === "/health") {
       const count = db.query<{ cnt: number }, []>("SELECT COUNT(*) as cnt FROM sessions").get();
@@ -159,7 +424,11 @@ Bun.serve({
     if (url.pathname === "/api/status") {
       const cutoff = new Date(Date.now() - 10 * 60 * 1000).toISOString().replace("T", " ").slice(0, 19);
       db.run("UPDATE sessions SET status = 'offline' WHERE updated_at < ?1 AND status != 'offline'", [cutoff]);
-      const sessions = db.query("SELECT * FROM sessions ORDER BY updated_at DESC").all();
+      const netFilter = url.searchParams.get("network_id");
+      const sql = netFilter
+        ? "SELECT * FROM sessions WHERE network_id = ?1 ORDER BY updated_at DESC"
+        : "SELECT * FROM sessions ORDER BY updated_at DESC";
+      const sessions = netFilter ? db.query(sql).all(netFilter) : db.query(sql).all();
       return withCors(req, Response.json({ ok: true, sessions }));
     }
@@ -281,12 +550,77 @@ Bun.serve({
       return withCors(req, Response.json({ ok: true, messages: rows }));
     }
+    // ── REST: stats summary ──
+    if (url.pathname === "/api/stats") {
+      const n = url.searchParams.get("network_id");
+      // Parameterized queries to prevent SQL injection
+      const taskStats = n
+        ? db.query<any, [string]>("SELECT status, COUNT(*) as count FROM tasks WHERE network_id = ?1 GROUP BY status").all(n)
+        : db.query<any, []>("SELECT status, COUNT(*) as count FROM tasks GROUP BY status").all();
+      const sessionStats = n
+        ? db.query<any, [string]>("SELECT status, COUNT(*) as count FROM sessions WHERE network_id = ?1 GROUP BY status").all(n)
+        : db.query<any, []>("SELECT status, COUNT(*) as count FROM sessions GROUP BY status").all();
+      const totalTasks = n
+        ? db.query<{ cnt: number }, [string]>("SELECT COUNT(*) as cnt FROM tasks WHERE network_id = ?1").get(n)
+        : db.query<{ cnt: number }, []>("SELECT COUNT(*) as cnt FROM tasks").get();
+      const totalNodes = n
+        ? db.query<{ cnt: number }, [string]>("SELECT COUNT(*) as cnt FROM nodes WHERE network_id = ?1").get(n)
+        : db.query<{ cnt: number }, []>("SELECT COUNT(*) as cnt FROM nodes").get();
+      const recentTasks = n
+        ? db.query<any, [string]>("SELECT task_id, from_name, to_name, status, created_at FROM tasks WHERE network_id = ?1 ORDER BY created_at DESC LIMIT 5").all(n)
+        : db.query<any, []>("SELECT task_id, from_name, to_name, status, created_at FROM tasks ORDER BY created_at DESC LIMIT 5").all();
+      return withCors(req, Response.json({
+        ok: true,
+        network_id: n || null,
+        tasks: { total: totalTasks?.cnt || 0, by_status: taskStats },
+        sessions: { by_status: sessionStats },
+        nodes: { total: totalNodes?.cnt || 0 },
+        recent_tasks: recentTasks,
+      }));
+    }
+    // ── REST: audit log (V3) ──
+    if (url.pathname === "/api/audit-log") {
+      const token = req.headers.get("Authorization")?.replace("Bearer ", "") || url.searchParams.get("token");
+      if (!token) return withCors(req, Response.json({ ok: false, error: "auth required" }, { status: 401 }));
+      const resolved = resolveToken(token);
+      if (!resolved) return withCors(req, Response.json({ ok: false, error: "invalid token" }, { status: 401 }));
+      const limit = Math.min(Number(url.searchParams.get("limit")) || 50, 200);
+      const action = url.searchParams.get("action");
+      const userId = url.searchParams.get("user_id");
+      let sql = "SELECT * FROM audit_log WHERE 1=1";
+      const params: any[] = [];
+      // Non-admin can only see own logs
+      if (resolved.user.role !== "admin") { sql += ` AND user_id = ?${params.length + 1}`; params.push(resolved.user.user_id); }
+      if (action) { sql += ` AND action = ?${params.length + 1}`; params.push(action); }
+      if (userId && resolved.user.role === "admin") { sql += ` AND user_id = ?${params.length + 1}`; params.push(userId); }
+      sql += ` ORDER BY created_at DESC LIMIT ?${params.length + 1}`;
+      params.push(limit);
+      const logs = db.query(sql).all(...params);
+      return withCors(req, Response.json({ ok: true, logs, count: logs.length }));
+    }
+    // ── REST: task events (V2 Sprint 2) ──
+    if (url.pathname === "/api/task_events") {
+      const taskId = url.searchParams.get("task_id");
+      const limit = Math.min(Number(url.searchParams.get("limit")) || 50, 500);
+      let sql = "SELECT * FROM task_events";
+      const params: any[] = [];
+      if (taskId) { sql += " WHERE task_id = ?1"; params.push(taskId); }
+      sql += " ORDER BY created_at DESC LIMIT ?";
+      params.push(limit);
+      const rows = db.query(sql).all(...params);
+      return withCors(req, Response.json({ ok: true, events: rows, count: rows.length }));
+    }
     // ── REST: nodes table (V2 Sprint 2) ──
     if (url.pathname === "/api/nodes") {
       const nodeId = url.searchParams.get("node_id");
       const alias = url.searchParams.get("alias");
+      const netFilter = url.searchParams.get("network_id");
       let sql = "SELECT * FROM nodes WHERE 1=1";
       const params: any[] = [];
+      if (netFilter) { sql += ` AND network_id = ?${params.length + 1}`; params.push(netFilter); }
       if (nodeId) { sql += ` AND node_id = ?${params.length + 1}`; params.push(nodeId); }
       if (alias) { sql += ` AND alias = ?${params.length + 1}`; params.push(alias); }
       sql += " ORDER BY updated_at DESC";
@@ -300,10 +634,12 @@ Bun.serve({
       const status = url.searchParams.get("status");
       const toName = url.searchParams.get("to_name");
       const fromName = url.searchParams.get("from_name");
+      const netFilter = url.searchParams.get("network_id");
       const limit = Math.min(Number(url.searchParams.get("limit")) || 50, 200);
       let sql = "SELECT * FROM tasks WHERE 1=1";
       const params: any[] = [];
+      if (netFilter) { sql += ` AND network_id = ?${params.length + 1}`; params.push(netFilter); }
       if (taskId) { sql += ` AND task_id = ?${params.length + 1}`; params.push(taskId); }
       if (status) { sql += ` AND status = ?${params.length + 1}`; params.push(status); }
       if (toName) { sql += ` AND to_name = ?${params.length + 1}`; params.push(toName); }
@@ -312,7 +648,10 @@ Bun.serve({
       params.push(limit);
       const rows = db.query(sql).all(...params);
-      return withCors(req, Response.json({ ok: true, tasks: rows, count: rows.length }));
+      const stats = netFilter
+        ? db.query<any, [string]>("SELECT status, COUNT(*) as count FROM tasks WHERE network_id = ?1 GROUP BY status").all(netFilter)
+        : db.query<any, []>("SELECT status, COUNT(*) as count FROM tasks GROUP BY status").all();
+      return withCors(req, Response.json({ ok: true, tasks: rows, count: rows.length, stats }));
     }
     // ── REST: recent completions ──