@sleep2agi/commhub-server 0.5.0-preview.24 → 0.5.0-preview.25

package/package.json

@@ -1,7 +1,7 @@
 {
   "name": "@sleep2agi/commhub-server",
-  "version": "0.5.0-preview.24",
-  "description": "CommHub MCP Server — AI Agent communication hub with SSE push, MCP protocol, and REST API",
+  "version": "0.5.0-preview.25",
+  "description": "CommHub Server \u2014 AI Agent communication hub with MCP protocol, multi-network isolation, user auth, and 18 MCP tools.",
   "type": "module",
   "main": "src/index.ts",
   "bin": {
@@ -21,10 +21,11 @@
     "agent",
     "ai",
     "sse",
-    "claude",
+    "server",
     "orchestration",
-    "communication",
-    "hub"
+    "multi-network",
+    "auth",
+    "license"
   ],
   "author": "sleep2agi",
   "license": "MIT",
@@ -39,4 +40,4 @@
   "dependencies": {
     "@modelcontextprotocol/sdk": "^1.12.0"
   }
-}
+}

package/src/auth.ts

@@ -23,7 +23,7 @@ export function register(username: string, password: string, email?: string, dis
   if (!password || password.length < 6) return { ok: false, error: "password must be at least 6 characters" };
   if (!/^[a-zA-Z0-9_\-\u4e00-\u9fff]+$/.test(username)) return { ok: false, error: "username contains invalid characters" };
 
-  const existing = db.query<any, [string]>("SELECT user_id FROM users WHERE username = ?1").get(username);
+  const existing = db.get<any>("SELECT user_id FROM users WHERE username = ?1", username);
   if (existing) return { ok: false, error: "username already taken" };
 
   const userId = generateId("u");
@@ -57,17 +57,17 @@ export function register(username: string, password: string, email?: string, dis
 }
 
 export function login(username: string, password: string): AuthResult {
-  const user = db.query<any, [string]>(
-    "SELECT user_id, username, password_hash, display_name, email, role FROM users WHERE username = ?1"
-  ).get(username);
+  const user = db.get<any>(
+    "SELECT user_id, username, password_hash, display_name, email, role FROM users WHERE username = ?1",
+    username);
 
   if (!user) return { ok: false, error: "invalid username or password" };
   if (user.password_hash !== hashPassword(password)) return { ok: false, error: "invalid username or password" };
 
   // Find or create token
-  let tokenRow = db.query<any, [string]>(
-    "SELECT token_id FROM api_tokens WHERE user_id = ?1 ORDER BY created_at DESC LIMIT 1"
-  ).get(user.user_id);
+  let tokenRow = db.get<any>(
+    "SELECT token_id FROM api_tokens WHERE user_id = ?1 ORDER BY created_at DESC LIMIT 1",
+    user.user_id);
 
   let token: string;
   if (tokenRow) {
@@ -78,9 +78,9 @@ export function login(username: string, password: string): AuthResult {
   } else {
     token = generateToken();
     const tokenId = generateId("tok");
-    const networkId = db.query<any, [string]>(
-      "SELECT network_id FROM networks WHERE owner_id = ?1 LIMIT 1"
-    ).get(user.user_id)?.network_id;
+    const networkId = db.get<any>(
+      "SELECT network_id FROM networks WHERE owner_id = ?1 LIMIT 1",
+      user.user_id)?.network_id;
     db.run(
       "INSERT INTO api_tokens (token_id, token_hash, user_id, network_id, name) VALUES (?1, ?2, ?3, ?4, ?5)",
       [tokenId, hashToken(token), user.user_id, networkId || null, "login"]
@@ -96,11 +96,11 @@ export function login(username: string, password: string): AuthResult {
 
 export function resolveToken(token: string): { user: AuthUser; networkId: string | null } | null {
   const tHash = hashToken(token);
-  const row = db.query<any, [string]>(
+  const row = db.get<any>(
     `SELECT t.user_id, t.network_id, t.scope, u.username, u.display_name, u.email, u.role
      FROM api_tokens t JOIN users u ON t.user_id = u.user_id
-     WHERE t.token_hash = ?1 AND (t.expires_at IS NULL OR t.expires_at > datetime('now'))`
-  ).get(tHash);
+     WHERE t.token_hash = ?1 AND (t.expires_at IS NULL OR t.expires_at > datetime('now'))`,
+    tHash);
 
   if (!row) return null;
 
@@ -114,15 +114,15 @@ export function resolveToken(token: string): { user: AuthUser; networkId: string
 }
 
 export function getUserNetworks(userId: string) {
-  return db.query<any, [string]>(
-    "SELECT * FROM networks WHERE owner_id = ?1 ORDER BY created_at"
-  ).all(userId);
+  return db.all<any>(
+    "SELECT * FROM networks WHERE owner_id = ?1 ORDER BY created_at",
+    userId);
 }
 
 export function createNetwork(userId: string, name: string, description?: string) {
-  const existing = db.query<any, [string, string]>(
-    "SELECT network_id FROM networks WHERE owner_id = ?1 AND network_name = ?2"
-  ).get(userId, name);
+  const existing = db.get<any>(
+    "SELECT network_id FROM networks WHERE owner_id = ?1 AND network_name = ?2",
+    userId, name);
   if (existing) return { ok: false, error: "network name already exists" };
 
   const networkId = generateId("net");
@@ -134,27 +134,27 @@ export function createNetwork(userId: string, name: string, description?: string
 }
 
 export function listTokens(userId: string) {
-  return db.query<any, [string]>(
-    "SELECT token_id, name, scope, network_id, last_used_at, created_at FROM api_tokens WHERE user_id = ?1 ORDER BY created_at DESC"
-  ).all(userId);
+  return db.all<any>(
+    "SELECT token_id, name, scope, network_id, last_used_at, created_at FROM api_tokens WHERE user_id = ?1 ORDER BY created_at DESC",
+    userId);
 }
 
 export function renameNetwork(userId: string, networkId: string, newName: string): { ok: boolean; error?: string } {
-  const net = db.query<any, [string]>("SELECT * FROM networks WHERE network_id = ?1").get(networkId);
+  const net = db.get<any>("SELECT * FROM networks WHERE network_id = ?1", networkId);
   if (!net) return { ok: false, error: "network not found" };
   if (net.owner_id !== userId) return { ok: false, error: "not your network" };
-  const dup = db.query<any, [string, string]>("SELECT network_id FROM networks WHERE owner_id = ?1 AND network_name = ?2").get(userId, newName);
+  const dup = db.get<any>("SELECT network_id FROM networks WHERE owner_id = ?1 AND network_name = ?2", userId, newName);
   if (dup) return { ok: false, error: "name already taken" };
   db.run("UPDATE networks SET network_name = ?1, updated_at = datetime('now') WHERE network_id = ?2", [newName, networkId]);
   return { ok: true };
 }
 
 export function deleteNetwork(userId: string, networkId: string): { ok: boolean; error?: string } {
-  const net = db.query<any, [string]>("SELECT * FROM networks WHERE network_id = ?1").get(networkId);
+  const net = db.get<any>("SELECT * FROM networks WHERE network_id = ?1", networkId);
   if (!net) return { ok: false, error: "network not found" };
   if (net.owner_id !== userId) return { ok: false, error: "not your network" };
   // Check if any sessions/tasks still reference this network
-  const sessions = db.query<{ cnt: number }, [string]>("SELECT COUNT(*) as cnt FROM sessions WHERE network_id = ?1").get(networkId);
+  const sessions = db.get<{ cnt: number }>("SELECT COUNT(*) as cnt FROM sessions WHERE network_id = ?1", networkId);
   if (sessions && sessions.cnt > 0) return { ok: false, error: `network has ${sessions.cnt} active session(s) — stop them first` };
   db.run("DELETE FROM networks WHERE network_id = ?1 AND owner_id = ?2", [networkId, userId]);
   return { ok: true };
@@ -177,7 +177,7 @@ export function revokeToken(userId: string, tokenId: string): { ok: boolean; err
 
 export function changePassword(userId: string, oldPassword: string, newPassword: string): { ok: boolean; error?: string } {
   if (!newPassword || newPassword.length < 6) return { ok: false, error: "new password must be at least 6 characters" };
-  const user = db.query<any, [string]>("SELECT password_hash FROM users WHERE user_id = ?1").get(userId);
+  const user = db.get<any>("SELECT password_hash FROM users WHERE user_id = ?1", userId);
   if (!user) return { ok: false, error: "user not found" };
   if (user.password_hash !== hashPassword(oldPassword)) return { ok: false, error: "incorrect current password" };
   db.run("UPDATE users SET password_hash = ?1, updated_at = datetime('now') WHERE user_id = ?2", [hashPassword(newPassword), userId]);

package/src/db-adapter.ts

@@ -1,12 +1,19 @@
 /**
- * Database Adapter Interface — async-first, supports SQLite and PostgreSQL
+ * Database Adapter — supports SQLite and PostgreSQL
  *
- * SQLite adapter: wraps bun:sqlite sync calls in Promise (zero overhead)
- * PostgreSQL adapter: uses bun:sql native async
+ * SQLite adapter: wraps bun:sqlite (sync)
+ * PostgreSQL adapter: wraps pg Pool (async, bridged to sync interface via blocking)
  *
- * All callers use await — sync SQLite just resolves immediately.
+ * Key design: callers write SQLite-style SQL. PgAdapter auto-translates:
+ *   - ?1, ?2  →  $1, $2
+ *   - datetime('now')  →  NOW()
+ *   - datetime('now', '+N seconds')  →  NOW() + INTERVAL 'N seconds'
+ *   - INTEGER PRIMARY KEY AUTOINCREMENT  →  SERIAL PRIMARY KEY
+ *   - ON CONFLICT(col) DO UPDATE SET  →  ON CONFLICT(col) DO UPDATE SET  (same syntax)
  */
 
+import { Database } from "bun:sqlite";
+
 export interface QueryResult {
   changes: number;
 }
@@ -31,42 +38,212 @@ export interface DbAdapter {
   close(): void;
 
   /** Dialect identifier */
-  readonly dialect: 'sqlite' | 'postgres';
+  readonly dialect: "sqlite" | "postgres";
+}
+
+// ════════════════════════════════════════════
+//  SQLite Adapter (bun:sqlite, sync)
+// ════════════════════════════════════════════
+
+export class SQLiteAdapter implements DbAdapter {
+  readonly dialect = "sqlite" as const;
+  constructor(private readonly rawDb: Database) {}
+
+  run(sql: string, params?: any[]): QueryResult {
+    return this.rawDb.run(sql, params as any);
+  }
+
+  get<T = any>(sql: string, ...params: any[]): T | null {
+    return this.rawDb.query<T, any[]>(sql).get(...params) ?? null;
+  }
+
+  all<T = any>(sql: string, ...params: any[]): T[] {
+    return this.rawDb.query<T, any[]>(sql).all(...params);
+  }
+
+  exec(sql: string): void {
+    this.rawDb.exec(sql);
+  }
+
+  transaction<T>(fn: () => T): T {
+    return this.rawDb.transaction(fn)();
+  }
+
+  close(): void {
+    this.rawDb.close();
+  }
 }
 
+// ════════════════════════════════════════════
+//  PostgreSQL Adapter (pg Pool, sync bridge)
+// ════════════════════════════════════════════
+
 /**
- * Phase 1 strategy:
- *
- * Current code is sync (bun:sqlite). We keep it sync for now.
- * All DB access goes through the adapter interface above.
- *
- * When we add PostgreSQL (Phase 2), the adapter interface
- * will change to async. At that point we'll update callers
- * in a single pass. The unified call sites from Phase 1
- * make that pass mechanical rather than archaeological.
+ * Translate SQLite-style SQL to PostgreSQL.
+ * Called on every query — must be fast (simple regex, no parsing).
+ */
+export function sqliteToPostgres(sql: string): string {
+  let s = sql;
+  // ── datetime translations (before ?N→$N to handle datetime('now', ?N)) ──
+  // datetime('now', ?N) → NOW() + $N::INTERVAL  (param contains "+3600 seconds")
+  s = s.replace(/datetime\s*\(\s*'now'\s*,\s*\?(\d+)\s*\)/gi, (_, n) => {
+    return `NOW() + $${n}::INTERVAL`;
+  });
+  // datetime('now', '+N seconds') → NOW() + INTERVAL 'N seconds'
+  s = s.replace(/datetime\s*\(\s*'now'\s*,\s*'([^']+)'\s*\)/gi, (_, offset) => {
+    return `NOW() + INTERVAL '${offset.replace(/^\+/, "")}'`;
+  });
+  // datetime('now') → NOW()
+  s = s.replace(/datetime\s*\(\s*'now'\s*\)/gi, "NOW()");
+  // TEXT NOT NULL DEFAULT (datetime('now')) → TIMESTAMP NOT NULL DEFAULT NOW()
+  s = s.replace(/TEXT\s+NOT\s+NULL\s+DEFAULT\s+\(NOW\(\)\)/gi, "TIMESTAMP NOT NULL DEFAULT NOW()");
+  // ── Parameter placeholders ──
+  // ?1, ?2 → $1, $2  (positional params)
+  s = s.replace(/\?(\d+)/g, (_, n) => `$${n}`);
+  // Unindexed ? → $N (sequential)
+  let idx = 0;
+  s = s.replace(/\?(?!\d)/g, () => `$${++idx}`);
+  // ── DDL translations ──
+  // INTEGER PRIMARY KEY AUTOINCREMENT → SERIAL PRIMARY KEY
+  s = s.replace(/INTEGER\s+PRIMARY\s+KEY\s+AUTOINCREMENT/gi, "SERIAL PRIMARY KEY");
+  return s;
+}
+
+/**
+ * PostgreSQL adapter using pg Pool.
  *
- * Why not async-first now?
- * - bun:sqlite is sync, wrapping in Promise adds noise
- * - All MCP tool handlers are already async, so the future
- *   migration is: db.run() → await db.run(), straightforward
- * - 750+ lines of tools.ts would need gratuitous await for zero benefit today
+ * Design: uses synchronous blocking via Bun's subprocess or
+ * deasync-style approach. Since Bun MCP handlers are async,
+ * we store a pool and use blocking queries via pg's synchronous mode.
  *
- * The contract: every DB call goes through adapter methods,
- * never through raw db.query() or db.run() on the bun:sqlite object.
- * This is what makes Phase 2 feasible.
+ * NOTE: This adapter uses `pg` npm package in synchronous mode.
+ * For production, the interface should be async. This sync bridge
+ * works for the current codebase where MCP handlers are async
+ * but DB calls are sync within them.
  */
+export class PgAdapter implements DbAdapter {
+  readonly dialect = "postgres" as const;
+  private pool: any; // pg.Pool
+  private client: any; // dedicated sync client
 
-/** SQL helpers for cross-dialect compatibility */
-export function sqlNow(dialect: 'sqlite' | 'postgres'): string {
-  return dialect === 'postgres' ? 'NOW()' : "datetime('now')";
-}
+  constructor(connectionString: string) {
+    // Dynamic import of pg — only loaded when DATABASE_URL is set
+    try {
+      const pg = require("pg");
+      this.pool = new pg.Pool({ connectionString, max: 10 });
+      // Get a dedicated client for sync operations
+      // We use execSync pattern for blocking
+    } catch (e) {
+      throw new Error(
+        "PostgreSQL support requires 'pg' package. Install with: bun add pg\n" +
+        `  Original error: ${(e as Error).message}`
+      );
+    }
+  }
+
+  /**
+   * Execute a blocking query against PG.
+   * Uses Bun's ability to block on promises in sync context.
+   */
+  private querySync(sql: string, params?: any[]): any {
+    const pgSql = sqliteToPostgres(sql);
+    // Bun supports top-level await and can block — use a shared promise pattern
+    // For sync bridge, we use a worker or subprocess
+    // Simplest approach: use pg's synchronous query via dedicated connection
+    const result = this._blockingQuery(pgSql, params);
+    return result;
+  }
+
+  private _blockingQuery(sql: string, params?: any[]): any {
+    // Use Bun.spawnSync to run a node script that executes the query
+    // This is a pragmatic sync bridge until we migrate to async interface
+    const script = `
+      const { Pool } = require('pg');
+      const pool = new Pool({ connectionString: process.env.DATABASE_URL });
+      pool.query(${JSON.stringify(sql)}, ${JSON.stringify(params || [])})
+        .then(r => { process.stdout.write(JSON.stringify({ rows: r.rows, rowCount: r.rowCount })); pool.end(); })
+        .catch(e => { process.stdout.write(JSON.stringify({ error: e.message })); pool.end(); process.exit(1); });
+    `;
+    const proc = Bun.spawnSync(["node", "-e", script], {
+      env: { ...process.env },
+      stdout: "pipe",
+      stderr: "pipe",
+    });
+    const out = proc.stdout.toString().trim();
+    if (proc.exitCode !== 0) {
+      const errOut = proc.stderr.toString().trim();
+      throw new Error(`PG query failed: ${errOut || out}`);
+    }
+    return JSON.parse(out);
+  }
+
+  run(sql: string, params?: any[]): QueryResult {
+    if (sql.trim().toUpperCase().startsWith("PRAGMA")) {
+      return { changes: 0 }; // Skip SQLite PRAGMAs
+    }
+    const result = this.querySync(sql, params);
+    return { changes: result.rowCount ?? 0 };
+  }
 
-export function sqlAddSeconds(dialect: 'sqlite' | 'postgres', seconds: number | string): string {
-  return dialect === 'postgres'
-    ? `NOW() + INTERVAL '${seconds} seconds'`
-    : `datetime('now', '+${seconds} seconds')`;
+  get<T = any>(sql: string, ...params: any[]): T | null {
+    const result = this.querySync(sql, params.length > 0 ? params : undefined);
+    return (result.rows?.[0] as T) ?? null;
+  }
+
+  all<T = any>(sql: string, ...params: any[]): T[] {
+    const result = this.querySync(sql, params.length > 0 ? params : undefined);
+    return (result.rows as T[]) ?? [];
+  }
+
+  exec(sql: string): void {
+    if (sql.trim().toUpperCase().startsWith("PRAGMA")) return; // Skip
+    // Split multiple statements and execute each
+    const statements = sql.split(";").map(s => s.trim()).filter(s => s.length > 0);
+    for (const stmt of statements) {
+      this.querySync(stmt);
+    }
+  }
+
+  transaction<T>(fn: () => T): T {
+    this.querySync("BEGIN");
+    try {
+      const result = fn();
+      this.querySync("COMMIT");
+      return result;
+    } catch (e) {
+      try { this.querySync("ROLLBACK"); } catch {}
+      throw e;
+    }
+  }
+
+  close(): void {
+    try { this.pool?.end(); } catch {}
+  }
 }
 
-export function sqlPlaceholder(dialect: 'sqlite' | 'postgres', index: number): string {
-  return dialect === 'postgres' ? `$${index}` : `?${index}`;
+// ════════════════════════════════════════════
+//  Factory
+// ════════════════════════════════════════════
+
+/**
+ * Create the appropriate adapter based on environment.
+ * - DATABASE_URL starts with "postgres://" → PgAdapter
+ * - Otherwise → SQLiteAdapter with COMMHUB_DB or default path
+ */
+export function createAdapter(): DbAdapter {
+  const dbUrl = process.env.DATABASE_URL;
+  if (dbUrl && (dbUrl.startsWith("postgres://") || dbUrl.startsWith("postgresql://"))) {
+    console.log("[commhub] database: PostgreSQL");
+    return new PgAdapter(dbUrl);
+  }
+  // Default: SQLite
+  const { mkdirSync } = require("fs");
+  const { dirname } = require("path");
+  const dbPath = process.env.COMMHUB_DB || `${process.env.HOME}/.commhub/commhub.db`;
+  mkdirSync(dirname(dbPath), { recursive: true });
+  console.log(`[commhub] database: ${dbPath}`);
+  const rawDb = new Database(dbPath);
+  rawDb.exec("PRAGMA journal_mode=WAL");
+  rawDb.exec("PRAGMA busy_timeout=5000");
+  return new SQLiteAdapter(rawDb);
 }

package/src/db.ts

@@ -1,14 +1,6 @@
-import { Database } from "bun:sqlite";
-import { mkdirSync } from "fs";
-import { dirname } from "path";
+import { createAdapter, type DbAdapter } from "./db-adapter";
 
-const DB_PATH = process.env.COMMHUB_DB || `${process.env.HOME}/.commhub/commhub.db`;
-mkdirSync(dirname(DB_PATH), { recursive: true });
-
-console.log(`[commhub] database: ${DB_PATH}`);
-export const db = new Database(DB_PATH);
-db.exec("PRAGMA journal_mode=WAL");
-db.exec("PRAGMA busy_timeout=5000");
+export const db: DbAdapter = createAdapter();
 
 // Schema
 db.exec(`
@@ -238,7 +230,7 @@ db.exec(`
 `);
 
 // Auto-create trial license on first run
-const existingLicense = db.query<any, []>("SELECT id FROM licenses LIMIT 1").get();
+const existingLicense = db.get<any>("SELECT id FROM licenses LIMIT 1");
 if (!existingLicense) {
   const trialId = crypto.randomUUID().replace(/-/g, "").slice(0, 12);
   db.run(

package/src/index.ts

@@ -128,9 +128,8 @@ setInterval(() => {
     if (result.changes > 0) {
       console.log(`[patrol] expired ${result.changes} stale task(s)`);
       // Log events for expired tasks
-      const expired = db.query<{ task_id: string }, []>(
-        "SELECT task_id FROM tasks WHERE status = 'expired' AND completed_at >= datetime('now', '-1 minute')"
-      ).all();
+      const expired = db.all<{ task_id: string }>(
+        "SELECT task_id FROM tasks WHERE status = 'expired' AND completed_at >= datetime('now', '-1 minute')");
       for (const t of expired) logTaskEvent(t.task_id, null, "expired", "patrol");
     }
   } catch {}
@@ -188,7 +187,7 @@ Bun.serve({
 
     // ── V3: License endpoints ──
     if (url.pathname === "/api/license" && req.method === "GET") {
-      const license = db.query<any, []>("SELECT * FROM licenses ORDER BY created_at LIMIT 1").get();
+      const license = db.get<any>("SELECT * FROM licenses ORDER BY created_at LIMIT 1");
       if (!license) return withCors(req, Response.json({ ok: true, status: "no_license" }));
       const now = new Date().toISOString().replace("T", " ").slice(0, 19);
       const expired = license.expires_at && license.expires_at < now;
@@ -283,7 +282,7 @@ Bun.serve({
           db.run(`UPDATE users SET ${updates.join(", ")} WHERE user_id = ?${params.length}`, params);
         }
         // Re-fetch
-        const user = db.query<any, [string]>("SELECT user_id, username, display_name, email, role FROM users WHERE user_id = ?1").get(resolved.user.user_id);
+        const user = db.get<any>("SELECT user_id, username, display_name, email, role FROM users WHERE user_id = ?1", resolved.user.user_id);
         return withCors(req, Response.json({ ok: true, user }));
       } catch (e: any) {
         return withCors(req, Response.json({ ok: false, error: e.message }, { status: 400 }));
@@ -373,7 +372,7 @@ Bun.serve({
       if (!resolved || resolved.user.role !== "admin") {
         return withCors(req, Response.json({ ok: false, error: "admin required" }, { status: 403 }));
       }
-      const users = db.query("SELECT user_id, username, display_name, email, role, created_at FROM users ORDER BY created_at").all();
+      const users = db.all("SELECT user_id, username, display_name, email, role, created_at FROM users ORDER BY created_at");
       return withCors(req, Response.json({ ok: true, users }));
     }
 
@@ -384,16 +383,16 @@ Bun.serve({
       const resolved = resolveToken(token);
       if (!resolved) return withCors(req, Response.json({ ok: false, error: "invalid token" }, { status: 401 }));
       const networkId = netDetailMatch[1];
-      const network = db.query<any, [string]>("SELECT * FROM networks WHERE network_id = ?1").get(networkId);
+      const network = db.get<any>("SELECT * FROM networks WHERE network_id = ?1", networkId);
       if (!network) return withCors(req, Response.json({ ok: false, error: "network not found" }, { status: 404 }));
       // Ownership check: only owner or admin can view
       if (network.owner_id !== resolved.user.user_id && resolved.user.role !== "admin") {
         return withCors(req, Response.json({ ok: false, error: "access denied" }, { status: 403 }));
       }
       // Get network stats
-      const nodeCount = db.query<{ cnt: number }, [string]>("SELECT COUNT(*) as cnt FROM nodes WHERE network_id = ?1").get(networkId);
-      const sessionCount = db.query<{ cnt: number }, [string]>("SELECT COUNT(*) as cnt FROM sessions WHERE network_id = ?1").get(networkId);
-      const taskStats = db.query<any, [string]>("SELECT status, COUNT(*) as count FROM tasks WHERE network_id = ?1 GROUP BY status").all(networkId);
+      const nodeCount = db.get<{ cnt: number }>("SELECT COUNT(*) as cnt FROM nodes WHERE network_id = ?1", networkId);
+      const sessionCount = db.get<{ cnt: number }>("SELECT COUNT(*) as cnt FROM sessions WHERE network_id = ?1", networkId);
+      const taskStats = db.all<any>("SELECT status, COUNT(*) as count FROM tasks WHERE network_id = ?1 GROUP BY status", networkId);
       return withCors(req, Response.json({
         ok: true, network,
         stats: { nodes: nodeCount?.cnt || 0, sessions: sessionCount?.cnt || 0, tasks: taskStats },
@@ -430,9 +429,9 @@ Bun.serve({
 
     // ── REST: health (public, no auth) ──
     if (url.pathname === "/health") {
-      const count = db.query<{ cnt: number }, []>("SELECT COUNT(*) as cnt FROM sessions").get();
+      const count = db.get<{ cnt: number }>("SELECT COUNT(*) as cnt FROM sessions");
       const sse = getSSEStats();
-      const license = db.query<any, []>("SELECT type, expires_at FROM licenses LIMIT 1").get();
+      const license = db.get<any>("SELECT type, expires_at FROM licenses LIMIT 1");
       return withCors(req, Response.json({
         ok: true,
         version: "1.0.0-preview",
@@ -461,7 +460,7 @@ Bun.serve({
       const sql = netFilter
         ? "SELECT * FROM sessions WHERE network_id = ?1 ORDER BY updated_at DESC"
         : "SELECT * FROM sessions ORDER BY updated_at DESC";
-      const sessions = netFilter ? db.query(sql).all(netFilter) : db.query(sql).all();
+      const sessions = netFilter ? db.all(sql, netFilter) : db.all(sql);
       return withCors(req, Response.json({ ok: true, sessions }));
     }
 
@@ -486,9 +485,9 @@ Bun.serve({
         [id, body.alias, body.priority, body.task, fromSession]
       );
       // SSE push: 秒达
-      const pending = db.query<{ cnt: number }, [string]>(
-        "SELECT COUNT(*) as cnt FROM inbox WHERE session_name = ?1 AND acked = 0"
-      ).get(body.alias);
+      const pending = db.get<{ cnt: number }>(
+        "SELECT COUNT(*) as cnt FROM inbox WHERE session_name = ?1 AND acked = 0",
+        body.alias);
       pushEvent(body.alias, { type: "new_task", inbox_count: pending?.cnt ?? 1, priority: body.priority, from: fromSession });
       return withCors(req, Response.json({ ok: true, message_id: id }));
     }
@@ -510,7 +509,7 @@ Bun.serve({
       const params: any[] = [];
       if (body.filter_server) { sql += " AND server = ?"; params.push(body.filter_server); }
       if (body.filter_status) { sql += " AND status = ?"; params.push(body.filter_status); }
-      const targets = db.query<{ alias: string }, any[]>(sql).all(...params);
+      const targets = db.all<{ alias: string }>(sql, ...params);
       const ids: string[] = [];
       for (const t of targets) {
         const id = crypto.randomUUID();
@@ -577,9 +576,9 @@ Bun.serve({
     if (url.pathname === "/api/messages") {
       const limit = Number(url.searchParams.get("limit")) || 100;
       const since = url.searchParams.get("since") ?? new Date(Date.now() - 3600000).toISOString().replace("T", " ").slice(0, 19);
-      const rows = db.query(
-        "SELECT id, session_name as to_alias, from_session as from_alias, type, priority, content, created_at FROM inbox WHERE created_at >= ?1 ORDER BY created_at DESC LIMIT ?2"
-      ).all(since, limit);
+      const rows = db.all(
+        "SELECT id, session_name as to_alias, from_session as from_alias, type, priority, content, created_at FROM inbox WHERE created_at >= ?1 ORDER BY created_at DESC LIMIT ?2",
+        since, limit);
       return withCors(req, Response.json({ ok: true, messages: rows }));
     }
 
@@ -588,20 +587,20 @@ Bun.serve({
       const n = url.searchParams.get("network_id");
       // Parameterized queries to prevent SQL injection
       const taskStats = n
-        ? db.query<any, [string]>("SELECT status, COUNT(*) as count FROM tasks WHERE network_id = ?1 GROUP BY status").all(n)
-        : db.query<any, []>("SELECT status, COUNT(*) as count FROM tasks GROUP BY status").all();
+        ? db.all<any>("SELECT status, COUNT(*) as count FROM tasks WHERE network_id = ?1 GROUP BY status", n)
+        : db.all<any>("SELECT status, COUNT(*) as count FROM tasks GROUP BY status");
       const sessionStats = n
-        ? db.query<any, [string]>("SELECT status, COUNT(*) as count FROM sessions WHERE network_id = ?1 GROUP BY status").all(n)
-        : db.query<any, []>("SELECT status, COUNT(*) as count FROM sessions GROUP BY status").all();
+        ? db.all<any>("SELECT status, COUNT(*) as count FROM sessions WHERE network_id = ?1 GROUP BY status", n)
+        : db.all<any>("SELECT status, COUNT(*) as count FROM sessions GROUP BY status");
       const totalTasks = n
-        ? db.query<{ cnt: number }, [string]>("SELECT COUNT(*) as cnt FROM tasks WHERE network_id = ?1").get(n)
-        : db.query<{ cnt: number }, []>("SELECT COUNT(*) as cnt FROM tasks").get();
+        ? db.get<{ cnt: number }>("SELECT COUNT(*) as cnt FROM tasks WHERE network_id = ?1", n)
+        : db.get<{ cnt: number }>("SELECT COUNT(*) as cnt FROM tasks");
       const totalNodes = n
-        ? db.query<{ cnt: number }, [string]>("SELECT COUNT(*) as cnt FROM nodes WHERE network_id = ?1").get(n)
-        : db.query<{ cnt: number }, []>("SELECT COUNT(*) as cnt FROM nodes").get();
+        ? db.get<{ cnt: number }>("SELECT COUNT(*) as cnt FROM nodes WHERE network_id = ?1", n)
+        : db.get<{ cnt: number }>("SELECT COUNT(*) as cnt FROM nodes");
       const recentTasks = n
-        ? db.query<any, [string]>("SELECT task_id, from_name, to_name, status, created_at FROM tasks WHERE network_id = ?1 ORDER BY created_at DESC LIMIT 5").all(n)
-        : db.query<any, []>("SELECT task_id, from_name, to_name, status, created_at FROM tasks ORDER BY created_at DESC LIMIT 5").all();
+        ? db.all<any>("SELECT task_id, from_name, to_name, status, created_at FROM tasks WHERE network_id = ?1 ORDER BY created_at DESC LIMIT 5", n)
+        : db.all<any>("SELECT task_id, from_name, to_name, status, created_at FROM tasks ORDER BY created_at DESC LIMIT 5");
       return withCors(req, Response.json({
         ok: true,
         network_id: n || null,
@@ -629,7 +628,7 @@ Bun.serve({
       if (userId && resolved.user.role === "admin") { sql += ` AND user_id = ?${params.length + 1}`; params.push(userId); }
       sql += ` ORDER BY created_at DESC LIMIT ?${params.length + 1}`;
       params.push(limit);
-      const logs = db.query(sql).all(...params);
+      const logs = db.all(sql, ...params);
       return withCors(req, Response.json({ ok: true, logs, count: logs.length }));
     }
 
@@ -642,7 +641,7 @@ Bun.serve({
       if (taskId) { sql += " WHERE task_id = ?1"; params.push(taskId); }
       sql += " ORDER BY created_at DESC LIMIT ?";
       params.push(limit);
-      const rows = db.query(sql).all(...params);
+      const rows = db.all(sql, ...params);
       return withCors(req, Response.json({ ok: true, events: rows, count: rows.length }));
     }
 
@@ -657,7 +656,7 @@ Bun.serve({
       if (nodeId) { sql += ` AND node_id = ?${params.length + 1}`; params.push(nodeId); }
       if (alias) { sql += ` AND alias = ?${params.length + 1}`; params.push(alias); }
       sql += " ORDER BY updated_at DESC";
-      const rows = db.query(sql).all(...params);
+      const rows = db.all(sql, ...params);
       return withCors(req, Response.json({ ok: true, nodes: rows, count: rows.length }));
     }
 
@@ -680,17 +679,17 @@ Bun.serve({
       sql += ` ORDER BY created_at DESC LIMIT ?${params.length + 1}`;
       params.push(limit);
 
-      const rows = db.query(sql).all(...params);
+      const rows = db.all(sql, ...params);
       const stats = netFilter
-        ? db.query<any, [string]>("SELECT status, COUNT(*) as count FROM tasks WHERE network_id = ?1 GROUP BY status").all(netFilter)
-        : db.query<any, []>("SELECT status, COUNT(*) as count FROM tasks GROUP BY status").all();
+        ? db.all<any>("SELECT status, COUNT(*) as count FROM tasks WHERE network_id = ?1 GROUP BY status", netFilter)
+        : db.all<any>("SELECT status, COUNT(*) as count FROM tasks GROUP BY status");
       return withCors(req, Response.json({ ok: true, tasks: rows, count: rows.length, stats }));
     }
 
     // ── REST: recent completions ──
     if (url.pathname === "/api/completions") {
       const since = url.searchParams.get("since") ?? new Date(Date.now() - 86400000).toISOString();
-      const rows = db.query("SELECT * FROM completions WHERE completed_at >= ?1 ORDER BY completed_at DESC LIMIT 100").all(since);
+      const rows = db.all("SELECT * FROM completions WHERE completed_at >= ?1 ORDER BY completed_at DESC LIMIT 100", since);
       return withCors(req, Response.json({ ok: true, completions: rows }));
     }
 

package/src/tools.ts

@@ -45,9 +45,8 @@ export function registerTools(server: McpServer, clientIP?: string, enforceNetwo
       console.log(`[${ts()}] ${alias} (${resume_id.slice(0, 8)}) → report_status: ${status}${task ? " | " + task.slice(0, 60) : ""}${effectiveNetId ? " [net]" : ""}`);
       const trimmedOutput = output?.slice(0, 4000);
 
-      try {
-        db.run("BEGIN IMMEDIATE");
-        // Only delete same-alias sessions within the same network (prevent cross-network alias conflict)
+      db.transaction(() => {
+        // Only delete same-alias sessions within the same network
         if (effectiveNetId) {
           db.run("DELETE FROM sessions WHERE alias = ?1 AND resume_id != ?2 AND network_id = ?3", [alias, resume_id, effectiveNetId]);
         } else {
@@ -57,33 +56,19 @@ export function registerTools(server: McpServer, clientIP?: string, enforceNetwo
           `INSERT INTO sessions (resume_id, alias, tmux_name, server, ip, hostname, agent, project_dir, version, status, task, output, progress, score, node_id, session_id, config_path, channels, network_id, last_seen_at, updated_at)
            VALUES (?1, ?2, ?3, ?4, ?5, ?6, ?7, ?8, ?9, ?10, ?11, ?12, ?13, ?14, ?15, ?16, ?17, ?18, ?19, datetime('now'), datetime('now'))
            ON CONFLICT(resume_id) DO UPDATE SET
-             alias = COALESCE(?2, sessions.alias),
-             tmux_name = COALESCE(?3, sessions.tmux_name),
-             server = COALESCE(?4, sessions.server),
-             ip = COALESCE(?5, sessions.ip),
-             hostname = COALESCE(?6, sessions.hostname),
-             agent = COALESCE(?7, sessions.agent),
-             project_dir = COALESCE(?8, sessions.project_dir),
-             version = COALESCE(?9, sessions.version),
-             status = ?10,
-             task = COALESCE(?11, sessions.task),
-             output = COALESCE(?12, sessions.output),
-             progress = COALESCE(?13, sessions.progress),
-             score = COALESCE(?14, sessions.score),
-             node_id = COALESCE(?15, sessions.node_id),
-             session_id = COALESCE(?16, sessions.session_id),
-             config_path = COALESCE(?17, sessions.config_path),
-             channels = COALESCE(?18, sessions.channels),
-             network_id = COALESCE(?19, sessions.network_id),
-             last_seen_at = datetime('now'),
-             updated_at = datetime('now')`,
+             alias = COALESCE(?2, sessions.alias), tmux_name = COALESCE(?3, sessions.tmux_name),
+             server = COALESCE(?4, sessions.server), ip = COALESCE(?5, sessions.ip),
+             hostname = COALESCE(?6, sessions.hostname), agent = COALESCE(?7, sessions.agent),
+             project_dir = COALESCE(?8, sessions.project_dir), version = COALESCE(?9, sessions.version),
+             status = ?10, task = COALESCE(?11, sessions.task),
+             output = COALESCE(?12, sessions.output), progress = COALESCE(?13, sessions.progress),
+             score = COALESCE(?14, sessions.score), node_id = COALESCE(?15, sessions.node_id),
+             session_id = COALESCE(?16, sessions.session_id), config_path = COALESCE(?17, sessions.config_path),
+             channels = COALESCE(?18, sessions.channels), network_id = COALESCE(?19, sessions.network_id),
+             last_seen_at = datetime('now'), updated_at = datetime('now')`,
           [resume_id, alias, tmux ?? null, srv ?? null, clientIP ?? null, hn ?? null, ag ?? null, pd ?? null, ver ?? null, status, task ?? null, trimmedOutput ?? null, progress ?? null, score ?? null, node_id ?? null, session_id ?? null, config_path ?? null, channels ?? null, netId ?? null]
         );
-        db.run("COMMIT");
-      } catch (e) {
-        try { db.run("ROLLBACK"); } catch {}
-        throw e;
-      }
+      });
 
       // V2: sync tasks table — report_status(working) → tasks.running
       if (status === "working" && task) {
@@ -95,9 +80,9 @@ export function registerTools(server: McpServer, clientIP?: string, enforceNetwo
           );
           if (runResult.changes > 0) {
             // Find task_id for logging
-            const t = db.query<{ task_id: string }, [string, string]>(
-              "SELECT task_id FROM tasks WHERE to_name = ?1 AND content = ?2 AND status = 'running' ORDER BY started_at DESC LIMIT 1"
-            ).get(alias, task);
+            const t = db.get<{ task_id: string }>(
+              "SELECT task_id FROM tasks WHERE to_name = ?1 AND content = ?2 AND status = 'running' ORDER BY started_at DESC LIMIT 1",
+              alias, task);
             if (t) logTaskEvent(t.task_id, null, "running", alias);
           }
         } catch {}
@@ -127,9 +112,9 @@ export function registerTools(server: McpServer, clientIP?: string, enforceNetwo
       }
 
       // inbox uses alias for routing
-      const row = db.query<{ cnt: number }, [string]>(
-        "SELECT COUNT(*) as cnt FROM inbox WHERE session_name = ?1 AND acked = 0"
-      ).get(alias);
+      const row = db.get<{ cnt: number }>(
+        "SELECT COUNT(*) as cnt FROM inbox WHERE session_name = ?1 AND acked = 0",
+        alias);
 
       return {
         content: [
@@ -161,51 +146,40 @@ export function registerTools(server: McpServer, clientIP?: string, enforceNetwo
     async ({ alias, task, result, artifacts, score, duration_minutes }) => {
       console.log(`[${ts()}] ${alias} → report_completion: ${task.slice(0, 60)}`);
       const id = uuidv4();
-      try {
-        db.run("BEGIN IMMEDIATE");
+      const taskUpdateChanges = db.transaction(() => {
         db.run(
           `INSERT INTO completions (id, session_name, task, result, artifacts, score, duration_minutes)
            VALUES (?1, ?2, ?3, ?4, ?5, ?6, ?7)`,
           [id, alias, task, result, artifacts ? JSON.stringify(artifacts) : null, score ?? null, duration_minutes ?? null]
         );
-
         db.run(
           `UPDATE sessions SET status = 'idle', task = NULL, progress = 0, updated_at = datetime('now')
            WHERE alias = ?1`,
           [alias]
         );
-
         // V2: sync tasks table — try by task_id first, then by content
-        const taskUpdate = db.run(
+        const tu = db.run(
           `UPDATE tasks SET status = 'replied', result = ?1, completed_at = datetime('now')
            WHERE task_id = ?2 AND status IN ('delivered', 'acked', 'running')`,
           [result.slice(0, 4000), task]
         );
-        if (taskUpdate.changes === 0) {
-          // fallback: match most recent task by to_name + content (legacy path)
-          const match = db.query<{ task_id: string }, [string, string]>(
+        if (tu.changes === 0) {
+          const match = db.get<{ task_id: string }>(
             `SELECT task_id FROM tasks WHERE to_name = ?1 AND content = ?2
-             AND status IN ('delivered', 'acked', 'running') ORDER BY created_at DESC LIMIT 1`
-          ).get(alias, task);
+             AND status IN ('delivered', 'acked', 'running') ORDER BY created_at DESC LIMIT 1`,
+            alias, task);
           if (match) {
-            db.run(
-              `UPDATE tasks SET status = 'replied', result = ?1, completed_at = datetime('now')
-               WHERE task_id = ?2`,
-              [result.slice(0, 4000), match.task_id]
-            );
+            db.run(`UPDATE tasks SET status = 'replied', result = ?1, completed_at = datetime('now') WHERE task_id = ?2`,
+              [result.slice(0, 4000), match.task_id]);
           }
         }
-
-        db.run("COMMIT");
-        // Log event after commit
-        const updatedTaskId = taskUpdate.changes > 0 ? task : (db.query<{ task_id: string }, [string]>(
-          "SELECT task_id FROM tasks WHERE to_name = ?1 AND status = 'replied' ORDER BY completed_at DESC LIMIT 1"
-        ).get(alias)?.task_id);
-        if (updatedTaskId) logTaskEvent(updatedTaskId, null, "replied", alias, "report_completion");
-      } catch (e) {
-        try { db.run("ROLLBACK"); } catch {}
-        throw e;
-      }
+        return tu.changes;
+      });
+      // Log event after transaction
+      const updatedTaskId = taskUpdateChanges > 0 ? task : (db.get<{ task_id: string }>(
+        "SELECT task_id FROM tasks WHERE to_name = ?1 AND status = 'replied' ORDER BY completed_at DESC LIMIT 1",
+        alias)?.task_id);
+      if (updatedTaskId) logTaskEvent(updatedTaskId, null, "replied", alias, "report_completion");
 
       return {
         content: [{ type: "text" as const, text: JSON.stringify({ ok: true, completion_id: id }) }],
@@ -221,16 +195,16 @@ export function registerTools(server: McpServer, clientIP?: string, enforceNetwo
       limit: z.number().min(1).max(100).optional().default(10),
     },
     async ({ alias, limit }) => {
-      const rows0 = db.query<{ cnt: number }, [string]>(
-        "SELECT COUNT(*) as cnt FROM inbox WHERE session_name = ?1 AND acked = 0"
-      ).get(alias);
+      const rows0 = db.get<{ cnt: number }>(
+        "SELECT COUNT(*) as cnt FROM inbox WHERE session_name = ?1 AND acked = 0",
+        alias);
       console.log(`[${ts()}] ${alias} → get_inbox: ${rows0?.cnt ?? 0} pending messages`);
-      const rows = db.query<any, [string, number]>(
+      const rows = db.all(
         `SELECT id, type, priority, content, context, from_session, created_at
          FROM inbox WHERE session_name = ?1 AND acked = 0
          ORDER BY CASE priority WHEN 'high' THEN 0 WHEN 'normal' THEN 1 ELSE 2 END, created_at
-         LIMIT ?2`
-      ).all(alias, limit);
+         LIMIT ?2`,
+        alias, limit);
 
       return {
         content: [{ type: "text" as const, text: JSON.stringify({ ok: true, messages: rows }) }],
@@ -294,12 +268,11 @@ export function registerTools(server: McpServer, clientIP?: string, enforceNetwo
         if (filter_status) { sql += " AND status = ?"; params.push(filter_status); }
         if (filter_server) { sql += " AND server = ?"; params.push(filter_server); }
         sql += " ORDER BY updated_at DESC";
-        return db.query(sql).all(...params);
-      })();
+        return db.all(sql, ...params);
+      });
 
-      const summary = db.query<any, []>(
-        "SELECT status, COUNT(*) as count FROM sessions GROUP BY status"
-      ).all();
+      const summary = db.all(
+        "SELECT status, COUNT(*) as count FROM sessions GROUP BY status");
 
       return {
         content: [
@@ -318,13 +291,13 @@ export function registerTools(server: McpServer, clientIP?: string, enforceNetwo
     { alias: z.string().min(1).max(200).describe("Session alias") },
     async ({ alias }) => {
       console.log(`[${ts()}] hub → get_session_status: ${alias}`);
-      const session = db.query("SELECT * FROM sessions WHERE alias = ?1").get(alias);
-      const pending = db.query<{ cnt: number }, [string]>(
-        "SELECT COUNT(*) as cnt FROM inbox WHERE session_name = ?1 AND acked = 0"
-      ).get(alias);
-      const recent = db.query(
-        "SELECT * FROM completions WHERE session_name = ?1 ORDER BY completed_at DESC LIMIT 5"
-      ).all(alias);
+      const session = db.get("SELECT * FROM sessions WHERE alias = ?1", alias);
+      const pending = db.get<{ cnt: number }>(
+        "SELECT COUNT(*) as cnt FROM inbox WHERE session_name = ?1 AND acked = 0",
+        alias);
+      const recent = db.all(
+        "SELECT * FROM completions WHERE session_name = ?1 ORDER BY completed_at DESC LIMIT 5",
+        alias);
 
       return {
         content: [
@@ -353,7 +326,7 @@ export function registerTools(server: McpServer, clientIP?: string, enforceNetwo
       const effectiveNetId = getNetworkId(netId);
 
       // License check
-      const license = db.query<any, []>("SELECT type, expires_at FROM licenses ORDER BY created_at LIMIT 1").get();
+      const license = db.get<any>("SELECT type, expires_at FROM licenses ORDER BY created_at LIMIT 1");
       if (license?.expires_at) {
         const now = new Date().toISOString().replace("T", " ").slice(0, 19);
         if (license.expires_at < now) {
@@ -367,8 +340,7 @@ export function registerTools(server: McpServer, clientIP?: string, enforceNetwo
       console.log(`[${ts()}] ${from_session} → send_task → ${alias}: ${task.slice(0, 60)}${priority === "high" ? " [HIGH]" : ""}`);
       const id = uuidv4();
       // 事务：inbox + tasks 双写
-      try {
-        db.run("BEGIN IMMEDIATE");
+      db.transaction(() => {
         db.run(
           `INSERT INTO inbox (id, session_name, type, priority, content, context, from_session, requires_response, network_id)
            VALUES (?1, ?2, 'task', ?3, ?4, ?5, ?6, 'reply', ?7)`,
@@ -379,19 +351,15 @@ export function registerTools(server: McpServer, clientIP?: string, enforceNetwo
            VALUES (?1, ?2, ?3, ?4, 'delivered', ?5, 'reply', datetime('now'), datetime('now'), datetime('now', ?6), ?7)`,
           [id, from_session, alias, priority, task, `+${ttl_seconds || 3600} seconds`, effectiveNetId]
         );
-        db.run("COMMIT");
-        logTaskEvent(id, null, "delivered", from_session, `→ ${alias}`);
-      } catch (e) {
-        try { db.run("ROLLBACK"); } catch {}
-        throw e;
-      }
+      });
+      logTaskEvent(id, null, "delivered", from_session, `→ ${alias}`);
 
-      const session = db.query<any, [string]>("SELECT status FROM sessions WHERE alias = ?1").get(alias);
+      const session = db.get<any>("SELECT status FROM sessions WHERE alias = ?1", alias);
 
       // SSE push by alias
-      const pending = db.query<{ cnt: number }, [string]>(
-        "SELECT COUNT(*) as cnt FROM inbox WHERE session_name = ?1 AND acked = 0"
-      ).get(alias);
+      const pending = db.get<{ cnt: number }>(
+        "SELECT COUNT(*) as cnt FROM inbox WHERE session_name = ?1 AND acked = 0",
+        alias);
       pushEvent(alias, { type: "new_task", inbox_count: pending?.cnt ?? 1, priority, from: from_session });
 
       return {
@@ -426,7 +394,7 @@ export function registerTools(server: McpServer, clientIP?: string, enforceNetwo
         [id, alias, message, from_session]
       );
 
-      const session = db.query<any, [string]>("SELECT status FROM sessions WHERE alias = ?1").get(alias);
+      const session = db.get<any>("SELECT status FROM sessions WHERE alias = ?1", alias);
 
       pushEvent(alias, { type: "new_message", message, from: from_session, message_id: id });
 
@@ -459,9 +427,7 @@ export function registerTools(server: McpServer, clientIP?: string, enforceNetwo
     async ({ alias, text, in_reply_to, status: replyStatus, from_session }) => {
       console.log(`[${ts()}] ${from_session} → send_reply (${replyStatus}) → ${alias}: ${text.slice(0, 60)}`);
       const id = uuidv4();
-      let replyLogged = false;
-      try {
-        db.run("BEGIN IMMEDIATE");
+      const replyLogged = db.transaction(() => {
         db.run(
           `INSERT INTO inbox (id, session_name, type, priority, content, from_session, in_reply_to, requires_response)
            VALUES (?1, ?2, 'reply', 'normal', ?3, ?4, ?5, 'none')`,
@@ -477,20 +443,17 @@ export function registerTools(server: McpServer, clientIP?: string, enforceNetwo
           );
           if (result.changes === 0) {
             console.log(`[${ts()}] ⚠ send_reply: task ${in_reply_to?.slice(0, 8)} not found or already terminal`);
-          } else {
-            replyLogged = true;
+            return false;
           }
+          return true;
         }
-        db.run("COMMIT");
-      } catch (e) {
-        try { db.run("ROLLBACK"); } catch {}
-        throw e;
-      }
+        return false;
+      });
 
       // Log event after commit (outside transaction)
       if (replyLogged && in_reply_to) logTaskEvent(in_reply_to, null, replyStatus, from_session, text.slice(0, 200));
 
-      const session = db.query<any, [string]>("SELECT status FROM sessions WHERE alias = ?1").get(alias);
+      const session = db.get<any>("SELECT status FROM sessions WHERE alias = ?1", alias);
       pushEvent(alias, { type: "new_reply", from: from_session, message_id: id, in_reply_to, status: replyStatus });
 
       return {
@@ -537,17 +500,14 @@ export function registerTools(server: McpServer, clientIP?: string, enforceNetwo
     async ({ task_id, from_session }) => {
       console.log(`[${ts()}] ${from_session} → retry_task → ${task_id.slice(0, 8)}`);
       // Find the original task
-      const task = db.query<any, [string]>(
-        "SELECT * FROM tasks WHERE task_id = ?1"
-      ).get(task_id);
+      const task = db.get<any>("SELECT * FROM tasks WHERE task_id = ?1", task_id);
       if (!task) {
         return { content: [{ type: "text" as const, text: JSON.stringify({ ok: false, error: "task not found" }) }] };
       }
       if (!["failed", "expired", "cancelled"].includes(task.status)) {
         return { content: [{ type: "text" as const, text: JSON.stringify({ ok: false, error: `task status is ${task.status}, not retryable` }) }] };
       }
-      try {
-        db.run("BEGIN IMMEDIATE");
+      db.transaction(() => {
         // Reset task status
         db.run(
           `UPDATE tasks SET status = 'delivered', result = NULL, completed_at = NULL, started_at = NULL, delivered_at = datetime('now'), expires_at = datetime('now', '+1 hour')
@@ -561,12 +521,8 @@ export function registerTools(server: McpServer, clientIP?: string, enforceNetwo
            VALUES (?1, ?2, 'task', ?3, ?4, ?5, 'reply')`,
           [retryInboxId, task.to_name, task.priority, task.content, from_session]
         );
-        db.run("COMMIT");
-        logTaskEvent(task_id, task.status, "delivered", from_session, "retry");
-      } catch (e) {
-        try { db.run("ROLLBACK"); } catch {}
-        throw e;
-      }
+      });
+      logTaskEvent(task_id, task.status, "delivered", from_session, "retry");
       // SSE push
       pushEvent(task.to_name, { type: "new_task", inbox_count: 1, priority: task.priority, from: from_session });
       return {
@@ -583,7 +539,7 @@ export function registerTools(server: McpServer, clientIP?: string, enforceNetwo
       task_id: z.string().min(1).max(200).describe("Task ID to query"),
     },
     async ({ task_id }) => {
-      const task = db.query<any, [string]>("SELECT * FROM tasks WHERE task_id = ?1").get(task_id);
+      const task = db.get<any>("SELECT * FROM tasks WHERE task_id = ?1", task_id);
       return {
         content: [{
           type: "text" as const,
@@ -614,12 +570,11 @@ export function registerTools(server: McpServer, clientIP?: string, enforceNetwo
       if (from_name) { sql += ` AND from_name = ?${params.length + 1}`; params.push(from_name); }
       sql += ` ORDER BY created_at DESC LIMIT ?${params.length + 1}`;
       params.push(limit);
-      const tasks = db.query(sql).all(...params);
+      const tasks = db.all(sql, ...params);
 
       // Stats
-      const stats = db.query<any, []>(
-        "SELECT status, COUNT(*) as count FROM tasks GROUP BY status"
-      ).all();
+      const stats = db.all(
+        "SELECT status, COUNT(*) as count FROM tasks GROUP BY status");
 
       return {
         content: [{
@@ -668,26 +623,21 @@ export function registerTools(server: McpServer, clientIP?: string, enforceNetwo
     },
     async ({ task_id, new_alias, from_session }) => {
       console.log(`[${ts()}] ${from_session} → reassign_task → ${task_id.slice(0, 8)} → ${new_alias}`);
-      const task = db.query<any, [string]>("SELECT * FROM tasks WHERE task_id = ?1").get(task_id);
+      const task = db.get<any>("SELECT * FROM tasks WHERE task_id = ?1", task_id);
       if (!task) return { content: [{ type: "text" as const, text: JSON.stringify({ ok: false, error: "task not found" }) }] };
       if (["replied", "failed", "cancelled", "expired"].includes(task.status)) {
         return { content: [{ type: "text" as const, text: JSON.stringify({ ok: false, error: `task is terminal (${task.status})` }) }] };
       }
       const oldAlias = task.to_name;
-      try {
-        db.run("BEGIN IMMEDIATE");
+      db.transaction(() => {
         // Ack old inbox to prevent original agent from picking it up
         db.run("UPDATE inbox SET acked = 1 WHERE id = ?1 AND acked = 0", [task_id]);
         db.run("UPDATE tasks SET to_name = ?1, status = 'delivered', started_at = NULL, delivered_at = datetime('now') WHERE task_id = ?2", [new_alias, task_id]);
         const newInboxId = uuidv4();
         db.run("INSERT INTO inbox (id, session_name, type, priority, content, from_session, requires_response) VALUES (?1, ?2, 'task', ?3, ?4, ?5, 'reply')",
           [newInboxId, new_alias, task.priority, task.content, from_session]);
-        db.run("COMMIT");
-        logTaskEvent(task_id, task.status, "delivered", from_session, `reassign: ${oldAlias} → ${new_alias}`);
-      } catch (e) {
-        try { db.run("ROLLBACK"); } catch {}
-        throw e;
-      }
+      });
+      logTaskEvent(task_id, task.status, "delivered", from_session, `reassign: ${oldAlias} → ${new_alias}`);
       pushEvent(new_alias, { type: "new_task", inbox_count: 1, priority: task.priority, from: from_session });
       return { content: [{ type: "text" as const, text: JSON.stringify({ ok: true, task_id, reassigned_from: oldAlias, reassigned_to: new_alias }) }] };
     }
@@ -710,7 +660,7 @@ export function registerTools(server: McpServer, clientIP?: string, enforceNetwo
       if (filter_server) { sql += " AND server = ?"; params.push(filter_server); }
       if (filter_status) { sql += " AND status = ?"; params.push(filter_status); }
 
-      const targets = db.query<{ alias: string }, any[]>(sql).all(...params);
+      const targets = db.all<{ alias: string }>(sql, ...params);
       const ids: string[] = [];
 
       for (const t of targets) {
@@ -759,7 +709,7 @@ export function registerTools(server: McpServer, clientIP?: string, enforceNetwo
       sql += ` ORDER BY completed_at DESC LIMIT ?${paramIdx}`;
       params.push(limit);
 
-      const rows = db.query(sql).all(...params);
+      const rows = db.all(sql, ...params);
       return {
         content: [{ type: "text" as const, text: JSON.stringify({ ok: true, completions: rows }) }],
       };