@sleep2agi/commhub-server 0.5.0-preview.24 → 0.5.0-preview.26

package/README.md

@@ -56,9 +56,9 @@ PORT=9200 COMMHUB_AUTH_TOKEN=your-secret bunx @sleep2agi/commhub-server
 | `/api/completions` | GET | 完成记录 |
 | `/mcp` | POST | MCP Streamable HTTP |
 
-## 数据库 (6 表)
+## 数据表 (11 表)
 
-SQLite WAL 模式, 自动创建在 `~/.commhub/commhub.db`
+自动创建，支持 SQLite 和 PostgreSQL
 
 | 表 | 说明 |
 |---|------|
@@ -78,6 +78,22 @@ delivered → expired (5min patrol)
 delivered/acked/running → reassign → delivered (新agent)
 ```
 
+## 数据库 (SQLite + PostgreSQL)
+
+默认使用 SQLite（零配置），设置 `DATABASE_URL` 即切换到 PostgreSQL：
+
+```bash
+# SQLite (默认，零配置)
+bunx @sleep2agi/commhub-server
+
+# PostgreSQL
+DATABASE_URL=postgres://user:pass@localhost:5432/commhub bunx @sleep2agi/commhub-server
+```
+
+PostgreSQL 模式需要 `pg` 包：`bun add pg`
+
+所有 SQL 自动翻译（datetime→NOW, 参数占位符→$N 等），代码零修改。
+
 ## 环境变量
 
 | 变量 | 默认 | 说明 |
@@ -85,7 +101,8 @@ delivered/acked/running → reassign → delivered (新agent)
 | `PORT` | 9200 | 监听端口 |
 | `HOST` | 0.0.0.0 | 监听地址 |
 | `COMMHUB_AUTH_TOKEN` | (无) | Bearer token 鉴权 |
-| `COMMHUB_DB` | ~/.commhub/commhub.db | 数据库路径 |
+| `COMMHUB_DB` | ~/.commhub/commhub.db | SQLite 数据库路径 |
+| `DATABASE_URL` | (无) | PostgreSQL 连接串 (设置后使用 PG) |
 
 ## 鉴权
 

package/package.json

@@ -1,7 +1,7 @@
 {
   "name": "@sleep2agi/commhub-server",
-  "version": "0.5.0-preview.24",
-  "description": "CommHub MCP Server — AI Agent communication hub with SSE push, MCP protocol, and REST API",
+  "version": "0.5.0-preview.26",
+  "description": "CommHub Server \u2014 AI Agent communication hub with MCP protocol, multi-network isolation, user auth, and 18 MCP tools.",
   "type": "module",
   "main": "src/index.ts",
   "bin": {
@@ -21,10 +21,11 @@
     "agent",
     "ai",
     "sse",
-    "claude",
+    "server",
     "orchestration",
-    "communication",
-    "hub"
+    "multi-network",
+    "auth",
+    "license"
   ],
   "author": "sleep2agi",
   "license": "MIT",
@@ -39,4 +40,4 @@
   "dependencies": {
     "@modelcontextprotocol/sdk": "^1.12.0"
   }
-}
+}

package/src/auth.ts

@@ -23,7 +23,7 @@ export function register(username: string, password: string, email?: string, dis
   if (!password || password.length < 6) return { ok: false, error: "password must be at least 6 characters" };
   if (!/^[a-zA-Z0-9_\-\u4e00-\u9fff]+$/.test(username)) return { ok: false, error: "username contains invalid characters" };
 
-  const existing = db.query<any, [string]>("SELECT user_id FROM users WHERE username = ?1").get(username);
+  const existing = db.get<any>("SELECT user_id FROM users WHERE username = ?1", username);
   if (existing) return { ok: false, error: "username already taken" };
 
   const userId = generateId("u");
@@ -34,12 +34,16 @@ export function register(username: string, password: string, email?: string, dis
     [userId, username, pwHash, email || null, displayName || username]
   );
 
-  // Auto-create default network
+  // Auto-create default network + add as owner member
   const networkId = generateId("net");
   db.run(
     "INSERT INTO networks (network_id, network_name, owner_id, description) VALUES (?1, ?2, ?3, ?4)",
     [networkId, "default", userId, "Auto-created default network"]
   );
+  db.run(
+    "INSERT INTO network_members (network_id, user_id, role) VALUES (?1, ?2, 'owner')",
+    [networkId, userId]
+  );
 
   // Auto-create API token
   const token = generateToken();
@@ -57,17 +61,17 @@ export function register(username: string, password: string, email?: string, dis
 }
 
 export function login(username: string, password: string): AuthResult {
-  const user = db.query<any, [string]>(
-    "SELECT user_id, username, password_hash, display_name, email, role FROM users WHERE username = ?1"
-  ).get(username);
+  const user = db.get<any>(
+    "SELECT user_id, username, password_hash, display_name, email, role FROM users WHERE username = ?1",
+    username);
 
   if (!user) return { ok: false, error: "invalid username or password" };
   if (user.password_hash !== hashPassword(password)) return { ok: false, error: "invalid username or password" };
 
   // Find or create token
-  let tokenRow = db.query<any, [string]>(
-    "SELECT token_id FROM api_tokens WHERE user_id = ?1 ORDER BY created_at DESC LIMIT 1"
-  ).get(user.user_id);
+  let tokenRow = db.get<any>(
+    "SELECT token_id FROM api_tokens WHERE user_id = ?1 ORDER BY created_at DESC LIMIT 1",
+    user.user_id);
 
   let token: string;
   if (tokenRow) {
@@ -78,9 +82,9 @@ export function login(username: string, password: string): AuthResult {
   } else {
     token = generateToken();
     const tokenId = generateId("tok");
-    const networkId = db.query<any, [string]>(
-      "SELECT network_id FROM networks WHERE owner_id = ?1 LIMIT 1"
-    ).get(user.user_id)?.network_id;
+    const networkId = db.get<any>(
+      "SELECT network_id FROM networks WHERE owner_id = ?1 LIMIT 1",
+      user.user_id)?.network_id;
     db.run(
       "INSERT INTO api_tokens (token_id, token_hash, user_id, network_id, name) VALUES (?1, ?2, ?3, ?4, ?5)",
       [tokenId, hashToken(token), user.user_id, networkId || null, "login"]
@@ -96,11 +100,11 @@ export function login(username: string, password: string): AuthResult {
 
 export function resolveToken(token: string): { user: AuthUser; networkId: string | null } | null {
   const tHash = hashToken(token);
-  const row = db.query<any, [string]>(
+  const row = db.get<any>(
     `SELECT t.user_id, t.network_id, t.scope, u.username, u.display_name, u.email, u.role
      FROM api_tokens t JOIN users u ON t.user_id = u.user_id
-     WHERE t.token_hash = ?1 AND (t.expires_at IS NULL OR t.expires_at > datetime('now'))`
-  ).get(tHash);
+     WHERE t.token_hash = ?1 AND (t.expires_at IS NULL OR t.expires_at > datetime('now'))`,
+    tHash);
 
   if (!row) return null;
 
@@ -114,15 +118,15 @@ export function resolveToken(token: string): { user: AuthUser; networkId: string
 }
 
 export function getUserNetworks(userId: string) {
-  return db.query<any, [string]>(
-    "SELECT * FROM networks WHERE owner_id = ?1 ORDER BY created_at"
-  ).all(userId);
+  return db.all<any>(
+    "SELECT * FROM networks WHERE owner_id = ?1 ORDER BY created_at",
+    userId);
 }
 
 export function createNetwork(userId: string, name: string, description?: string) {
-  const existing = db.query<any, [string, string]>(
-    "SELECT network_id FROM networks WHERE owner_id = ?1 AND network_name = ?2"
-  ).get(userId, name);
+  const existing = db.get<any>(
+    "SELECT network_id FROM networks WHERE owner_id = ?1 AND network_name = ?2",
+    userId, name);
   if (existing) return { ok: false, error: "network name already exists" };
 
   const networkId = generateId("net");
@@ -130,31 +134,35 @@ export function createNetwork(userId: string, name: string, description?: string
     "INSERT INTO networks (network_id, network_name, owner_id, description) VALUES (?1, ?2, ?3, ?4)",
     [networkId, name, userId, description || null]
   );
+  db.run(
+    "INSERT INTO network_members (network_id, user_id, role) VALUES (?1, ?2, 'owner')",
+    [networkId, userId]
+  );
   return { ok: true, network_id: networkId, network_name: name };
 }
 
 export function listTokens(userId: string) {
-  return db.query<any, [string]>(
-    "SELECT token_id, name, scope, network_id, last_used_at, created_at FROM api_tokens WHERE user_id = ?1 ORDER BY created_at DESC"
-  ).all(userId);
+  return db.all<any>(
+    "SELECT token_id, name, scope, network_id, last_used_at, created_at FROM api_tokens WHERE user_id = ?1 ORDER BY created_at DESC",
+    userId);
 }
 
 export function renameNetwork(userId: string, networkId: string, newName: string): { ok: boolean; error?: string } {
-  const net = db.query<any, [string]>("SELECT * FROM networks WHERE network_id = ?1").get(networkId);
+  const net = db.get<any>("SELECT * FROM networks WHERE network_id = ?1", networkId);
   if (!net) return { ok: false, error: "network not found" };
   if (net.owner_id !== userId) return { ok: false, error: "not your network" };
-  const dup = db.query<any, [string, string]>("SELECT network_id FROM networks WHERE owner_id = ?1 AND network_name = ?2").get(userId, newName);
+  const dup = db.get<any>("SELECT network_id FROM networks WHERE owner_id = ?1 AND network_name = ?2", userId, newName);
   if (dup) return { ok: false, error: "name already taken" };
   db.run("UPDATE networks SET network_name = ?1, updated_at = datetime('now') WHERE network_id = ?2", [newName, networkId]);
   return { ok: true };
 }
 
 export function deleteNetwork(userId: string, networkId: string): { ok: boolean; error?: string } {
-  const net = db.query<any, [string]>("SELECT * FROM networks WHERE network_id = ?1").get(networkId);
+  const net = db.get<any>("SELECT * FROM networks WHERE network_id = ?1", networkId);
   if (!net) return { ok: false, error: "network not found" };
   if (net.owner_id !== userId) return { ok: false, error: "not your network" };
   // Check if any sessions/tasks still reference this network
-  const sessions = db.query<{ cnt: number }, [string]>("SELECT COUNT(*) as cnt FROM sessions WHERE network_id = ?1").get(networkId);
+  const sessions = db.get<{ cnt: number }>("SELECT COUNT(*) as cnt FROM sessions WHERE network_id = ?1", networkId);
   if (sessions && sessions.cnt > 0) return { ok: false, error: `network has ${sessions.cnt} active session(s) — stop them first` };
   db.run("DELETE FROM networks WHERE network_id = ?1 AND owner_id = ?2", [networkId, userId]);
   return { ok: true };
@@ -177,9 +185,99 @@ export function revokeToken(userId: string, tokenId: string): { ok: boolean; err
 
 export function changePassword(userId: string, oldPassword: string, newPassword: string): { ok: boolean; error?: string } {
   if (!newPassword || newPassword.length < 6) return { ok: false, error: "new password must be at least 6 characters" };
-  const user = db.query<any, [string]>("SELECT password_hash FROM users WHERE user_id = ?1").get(userId);
+  const user = db.get<any>("SELECT password_hash FROM users WHERE user_id = ?1", userId);
   if (!user) return { ok: false, error: "user not found" };
   if (user.password_hash !== hashPassword(oldPassword)) return { ok: false, error: "incorrect current password" };
   db.run("UPDATE users SET password_hash = ?1, updated_at = datetime('now') WHERE user_id = ?2", [hashPassword(newPassword), userId]);
   return { ok: true };
 }
+
+// ══════════════════════════════════════
+//  V3.13: Network Members
+// ══════════════════════════════════════
+
+export function getNetworkMembers(networkId: string) {
+  return db.all<any>(
+    `SELECT nm.user_id, nm.role, nm.joined_at, nm.invited_by, u.username, u.display_name
+     FROM network_members nm JOIN users u ON nm.user_id = u.user_id
+     WHERE nm.network_id = ?1 ORDER BY nm.joined_at`,
+    networkId);
+}
+
+export function getUserNetworkRole(userId: string, networkId: string): string | null {
+  const row = db.get<any>("SELECT role FROM network_members WHERE network_id = ?1 AND user_id = ?2", networkId, userId);
+  return row?.role || null;
+}
+
+export function addNetworkMember(networkId: string, userId: string, role: string, invitedBy?: string): { ok: boolean; error?: string } {
+  const existing = db.get<any>("SELECT 1 FROM network_members WHERE network_id = ?1 AND user_id = ?2", networkId, userId);
+  if (existing) return { ok: false, error: "user already a member" };
+  db.run("INSERT INTO network_members (network_id, user_id, role, invited_by) VALUES (?1, ?2, ?3, ?4)",
+    [networkId, userId, role, invitedBy || null]);
+  return { ok: true };
+}
+
+export function updateMemberRole(networkId: string, userId: string, newRole: string): { ok: boolean; error?: string } {
+  if (newRole === "owner") return { ok: false, error: "cannot assign owner role" };
+  const result = db.run("UPDATE network_members SET role = ?1 WHERE network_id = ?2 AND user_id = ?3 AND role != 'owner'",
+    [newRole, networkId, userId]);
+  return result.changes > 0 ? { ok: true } : { ok: false, error: "member not found or is owner" };
+}
+
+export function removeNetworkMember(networkId: string, userId: string): { ok: boolean; error?: string } {
+  const member = db.get<any>("SELECT role FROM network_members WHERE network_id = ?1 AND user_id = ?2", networkId, userId);
+  if (!member) return { ok: false, error: "not a member" };
+  if (member.role === "owner") return { ok: false, error: "cannot remove owner" };
+  db.run("DELETE FROM network_members WHERE network_id = ?1 AND user_id = ?2", [networkId, userId]);
+  return { ok: true };
+}
+
+// ══════════════════════════════════════
+//  V3.13: Invite Codes
+// ══════════════════════════════════════
+
+export function createInvite(networkId: string, createdBy: string, role: string = "member", maxUses: number = 1, expiresInDays?: number): { ok: boolean; invite_code?: string; error?: string } {
+  if (!["admin", "member", "viewer"].includes(role)) return { ok: false, error: "invalid role" };
+  const code = `inv_${crypto.randomUUID().replace(/-/g, "").slice(0, 12)}`;
+  const expiresAt = expiresInDays ? `datetime('now', '+${expiresInDays} days')` : null;
+  if (expiresAt) {
+    db.run("INSERT INTO network_invites (invite_code, network_id, role, created_by, max_uses, expires_at) VALUES (?1, ?2, ?3, ?4, ?5, datetime('now', ?6))",
+      [code, networkId, role, createdBy, maxUses, `+${expiresInDays} days`]);
+  } else {
+    db.run("INSERT INTO network_invites (invite_code, network_id, role, created_by, max_uses) VALUES (?1, ?2, ?3, ?4, ?5)",
+      [code, networkId, role, createdBy, maxUses]);
+  }
+  return { ok: true, invite_code: code };
+}
+
+export function joinByInvite(inviteCode: string, userId: string): { ok: boolean; network_id?: string; role?: string; error?: string } {
+  const invite = db.get<any>("SELECT * FROM network_invites WHERE invite_code = ?1", inviteCode);
+  if (!invite) return { ok: false, error: "invalid invite code" };
+  if (invite.max_uses > 0 && invite.used_count >= invite.max_uses) return { ok: false, error: "invite code fully used" };
+  if (invite.expires_at) {
+    const now = new Date().toISOString().replace("T", " ").slice(0, 19);
+    if (invite.expires_at < now) return { ok: false, error: "invite code expired" };
+  }
+  // Check not already member
+  const existing = db.get<any>("SELECT 1 FROM network_members WHERE network_id = ?1 AND user_id = ?2", invite.network_id, userId);
+  if (existing) return { ok: false, error: "already a member of this network" };
+  // Add member + increment used count
+  db.run("INSERT INTO network_members (network_id, user_id, role, invited_by) VALUES (?1, ?2, ?3, ?4)",
+    [invite.network_id, userId, invite.role, invite.created_by]);
+  db.run("UPDATE network_invites SET used_count = used_count + 1 WHERE invite_code = ?1", [inviteCode]);
+  // Auto-create a token for this network
+  const token = generateToken();
+  const tokenId = generateId("tok");
+  db.run("INSERT INTO api_tokens (token_id, token_hash, user_id, network_id, name, scope) VALUES (?1, ?2, ?3, ?4, ?5, ?6)",
+    [tokenId, hashToken(token), userId, invite.network_id, "auto-join", "full"]);
+  return { ok: true, network_id: invite.network_id, role: invite.role };
+}
+
+/** Get all networks a user is a member of (replaces owner-only query) */
+export function getUserAllNetworks(userId: string) {
+  return db.all<any>(
+    `SELECT n.*, nm.role as member_role
+     FROM networks n JOIN network_members nm ON n.network_id = nm.network_id
+     WHERE nm.user_id = ?1 ORDER BY nm.role = 'owner' DESC, n.created_at`,
+    userId);
+}

package/src/db-adapter.ts

@@ -1,12 +1,19 @@
 /**
- * Database Adapter Interface — async-first, supports SQLite and PostgreSQL
+ * Database Adapter — supports SQLite and PostgreSQL
  *
- * SQLite adapter: wraps bun:sqlite sync calls in Promise (zero overhead)
- * PostgreSQL adapter: uses bun:sql native async
+ * SQLite adapter: wraps bun:sqlite (sync)
+ * PostgreSQL adapter: wraps pg Pool (async, bridged to sync interface via blocking)
  *
- * All callers use await — sync SQLite just resolves immediately.
+ * Key design: callers write SQLite-style SQL. PgAdapter auto-translates:
+ *   - ?1, ?2  →  $1, $2
+ *   - datetime('now')  →  NOW()
+ *   - datetime('now', '+N seconds')  →  NOW() + INTERVAL 'N seconds'
+ *   - INTEGER PRIMARY KEY AUTOINCREMENT  →  SERIAL PRIMARY KEY
+ *   - ON CONFLICT(col) DO UPDATE SET  →  ON CONFLICT(col) DO UPDATE SET  (same syntax)
  */
 
+import { Database } from "bun:sqlite";
+
 export interface QueryResult {
   changes: number;
 }
@@ -31,42 +38,201 @@ export interface DbAdapter {
   close(): void;
 
   /** Dialect identifier */
-  readonly dialect: 'sqlite' | 'postgres';
+  readonly dialect: "sqlite" | "postgres";
+}
+
+// ════════════════════════════════════════════
+//  SQLite Adapter (bun:sqlite, sync)
+// ════════════════════════════════════════════
+
+export class SQLiteAdapter implements DbAdapter {
+  readonly dialect = "sqlite" as const;
+  constructor(private readonly rawDb: Database) {}
+
+  run(sql: string, params?: any[]): QueryResult {
+    return this.rawDb.run(sql, params as any);
+  }
+
+  get<T = any>(sql: string, ...params: any[]): T | null {
+    return this.rawDb.query<T, any[]>(sql).get(...params) ?? null;
+  }
+
+  all<T = any>(sql: string, ...params: any[]): T[] {
+    return this.rawDb.query<T, any[]>(sql).all(...params);
+  }
+
+  exec(sql: string): void {
+    this.rawDb.exec(sql);
+  }
+
+  transaction<T>(fn: () => T): T {
+    return this.rawDb.transaction(fn)();
+  }
+
+  close(): void {
+    this.rawDb.close();
+  }
 }
 
+// ════════════════════════════════════════════
+//  PostgreSQL Adapter (pg Pool, sync bridge)
+// ════════════════════════════════════════════
+
 /**
- * Phase 1 strategy:
- *
- * Current code is sync (bun:sqlite). We keep it sync for now.
- * All DB access goes through the adapter interface above.
- *
- * When we add PostgreSQL (Phase 2), the adapter interface
- * will change to async. At that point we'll update callers
- * in a single pass. The unified call sites from Phase 1
- * make that pass mechanical rather than archaeological.
+ * Translate SQLite-style SQL to PostgreSQL.
+ * Called on every query — must be fast (simple regex, no parsing).
+ */
+export function sqliteToPostgres(sql: string): string {
+  let s = sql;
+  // ── datetime translations (before ?N→$N to handle datetime('now', ?N)) ──
+  // datetime('now', ?N) → NOW() + $N::INTERVAL  (param contains "+3600 seconds")
+  s = s.replace(/datetime\s*\(\s*'now'\s*,\s*\?(\d+)\s*\)/gi, (_, n) => {
+    return `NOW() + $${n}::INTERVAL`;
+  });
+  // datetime('now', '+N seconds') → NOW() + INTERVAL 'N seconds'
+  s = s.replace(/datetime\s*\(\s*'now'\s*,\s*'([^']+)'\s*\)/gi, (_, offset) => {
+    return `NOW() + INTERVAL '${offset.replace(/^\+/, "")}'`;
+  });
+  // datetime('now') → NOW()
+  s = s.replace(/datetime\s*\(\s*'now'\s*\)/gi, "NOW()");
+  // TEXT NOT NULL DEFAULT (datetime('now')) → TIMESTAMP NOT NULL DEFAULT NOW()
+  s = s.replace(/TEXT\s+NOT\s+NULL\s+DEFAULT\s+\(NOW\(\)\)/gi, "TIMESTAMP NOT NULL DEFAULT NOW()");
+  // ── Parameter placeholders ──
+  // ?1, ?2 → $1, $2  (positional params)
+  s = s.replace(/\?(\d+)/g, (_, n) => `$${n}`);
+  // Unindexed ? → $N (sequential)
+  let idx = 0;
+  s = s.replace(/\?(?!\d)/g, () => `$${++idx}`);
+  // ── DDL translations ──
+  // INTEGER PRIMARY KEY AUTOINCREMENT → SERIAL PRIMARY KEY
+  s = s.replace(/INTEGER\s+PRIMARY\s+KEY\s+AUTOINCREMENT/gi, "SERIAL PRIMARY KEY");
+  return s;
+}
+
+/**
+ * PostgreSQL adapter using a persistent worker subprocess.
  *
- * Why not async-first now?
- * - bun:sqlite is sync, wrapping in Promise adds noise
- * - All MCP tool handlers are already async, so the future
- *   migration is: db.run() → await db.run(), straightforward
- * - 750+ lines of tools.ts would need gratuitous await for zero benefit today
+ * Architecture: a single node child process holds a pg.Pool connection.
+ * Queries are sent via stdin (JSON line), responses read from stdout.
+ * Bun.spawnSync is used per-query for sync blocking, but the PG
+ * connection is persistent (no reconnect overhead per query).
  *
- * The contract: every DB call goes through adapter methods,
- * never through raw db.query() or db.run() on the bun:sqlite object.
- * This is what makes Phase 2 feasible.
+ * For full production use, the adapter interface should be async.
+ * This sync bridge works because all MCP handlers are async —
+ * the future migration is adding `await` before db calls.
  */
+export class PgAdapter implements DbAdapter {
+  readonly dialect = "postgres" as const;
+  private connString: string;
 
-/** SQL helpers for cross-dialect compatibility */
-export function sqlNow(dialect: 'sqlite' | 'postgres'): string {
-  return dialect === 'postgres' ? 'NOW()' : "datetime('now')";
-}
+  constructor(connectionString: string) {
+    this.connString = connectionString;
+    // Validate pg is available
+    try { require("pg"); } catch (e) {
+      throw new Error(
+        "PostgreSQL support requires 'pg' package. Install with: bun add pg\n" +
+        `  Original error: ${(e as Error).message}`
+      );
+    }
+    // Test connection on startup
+    const test = this.querySync("SELECT 1 as ok");
+    if (!test.rows?.[0]?.ok) throw new Error("PostgreSQL connection test failed");
+    console.log("[commhub] PostgreSQL connection verified");
+  }
+
+  private querySync(sql: string, params?: any[]): { rows: any[]; rowCount: number } {
+    const pgSql = sqliteToPostgres(sql);
+    // Single-query subprocess with pg Pool (connection string from env)
+    const script = `
+      const{Pool}=require('pg');
+      const p=new Pool({connectionString:${JSON.stringify(this.connString)},max:1});
+      const q=${JSON.stringify(pgSql)};
+      const v=${JSON.stringify(params || [])};
+      p.query(q,v).then(r=>{
+        process.stdout.write(JSON.stringify({rows:r.rows,rowCount:r.rowCount||0}));
+        p.end();
+      }).catch(e=>{
+        process.stderr.write(e.message);
+        p.end();
+        process.exit(1);
+      });
+    `;
+    const proc = Bun.spawnSync(["node", "--no-warnings", "-e", script], {
+      stdout: "pipe", stderr: "pipe",
+    });
+    if (proc.exitCode !== 0) {
+      throw new Error(`PG: ${proc.stderr.toString().trim() || "query failed"}`);
+    }
+    return JSON.parse(proc.stdout.toString().trim());
+  }
+
+  run(sql: string, params?: any[]): QueryResult {
+    if (sql.trim().toUpperCase().startsWith("PRAGMA")) return { changes: 0 };
+    const result = this.querySync(sql, params);
+    return { changes: result.rowCount };
+  }
+
+  get<T = any>(sql: string, ...params: any[]): T | null {
+    const result = this.querySync(sql, params.length > 0 ? params : undefined);
+    return (result.rows?.[0] as T) ?? null;
+  }
 
-export function sqlAddSeconds(dialect: 'sqlite' | 'postgres', seconds: number | string): string {
-  return dialect === 'postgres'
-    ? `NOW() + INTERVAL '${seconds} seconds'`
-    : `datetime('now', '+${seconds} seconds')`;
+  all<T = any>(sql: string, ...params: any[]): T[] {
+    const result = this.querySync(sql, params.length > 0 ? params : undefined);
+    return (result.rows as T[]) ?? [];
+  }
+
+  exec(sql: string): void {
+    if (sql.trim().toUpperCase().startsWith("PRAGMA")) return;
+    const pgSql = sqliteToPostgres(sql);
+    // Split multi-statement DDL (CREATE TABLE; CREATE INDEX; ...)
+    const stmts = pgSql.split(";").map(s => s.trim()).filter(s => s.length > 0);
+    for (const stmt of stmts) {
+      try { this.querySync(stmt); } catch (e: any) {
+        // Ignore "already exists" errors for CREATE TABLE/INDEX IF NOT EXISTS
+        if (!/already exists/.test(e.message)) throw e;
+      }
+    }
+  }
+
+  transaction<T>(fn: () => T): T {
+    this.querySync("BEGIN");
+    try {
+      const result = fn();
+      this.querySync("COMMIT");
+      return result;
+    } catch (e) {
+      try { this.querySync("ROLLBACK"); } catch {}
+      throw e;
+    }
+  }
+
+  close(): void {}
 }
 
-export function sqlPlaceholder(dialect: 'sqlite' | 'postgres', index: number): string {
-  return dialect === 'postgres' ? `$${index}` : `?${index}`;
+// ════════════════════════════════════════════
+//  Factory
+// ════════════════════════════════════════════
+
+/**
+ * Create the appropriate adapter based on environment.
+ * - DATABASE_URL starts with "postgres://" → PgAdapter
+ * - Otherwise → SQLiteAdapter with COMMHUB_DB or default path
+ */
+export function createAdapter(): DbAdapter {
+  const dbUrl = process.env.DATABASE_URL;
+  if (dbUrl && (dbUrl.startsWith("postgres://") || dbUrl.startsWith("postgresql://"))) {
+    console.log("[commhub] database: PostgreSQL");
+    return new PgAdapter(dbUrl);
+  }
+  // Default: SQLite
+  const { mkdirSync } = require("fs");
+  const { dirname } = require("path");
+  const dbPath = process.env.COMMHUB_DB || `${process.env.HOME}/.commhub/commhub.db`;
+  mkdirSync(dirname(dbPath), { recursive: true });
+  console.log(`[commhub] database: ${dbPath}`);
+  const rawDb = new Database(dbPath);
+  rawDb.exec("PRAGMA journal_mode=WAL");
+  rawDb.exec("PRAGMA busy_timeout=5000");
+  return new SQLiteAdapter(rawDb);
 }

package/src/db.ts

@@ -1,14 +1,6 @@
-import { Database } from "bun:sqlite";
-import { mkdirSync } from "fs";
-import { dirname } from "path";
+import { createAdapter, type DbAdapter } from "./db-adapter";
 
-const DB_PATH = process.env.COMMHUB_DB || `${process.env.HOME}/.commhub/commhub.db`;
-mkdirSync(dirname(DB_PATH), { recursive: true });
-
-console.log(`[commhub] database: ${DB_PATH}`);
-export const db = new Database(DB_PATH);
-db.exec("PRAGMA journal_mode=WAL");
-db.exec("PRAGMA busy_timeout=5000");
+export const db: DbAdapter = createAdapter();
 
 // Schema
 db.exec(`
@@ -238,7 +230,7 @@ db.exec(`
 `);
 
 // Auto-create trial license on first run
-const existingLicense = db.query<any, []>("SELECT id FROM licenses LIMIT 1").get();
+const existingLicense = db.get<any>("SELECT id FROM licenses LIMIT 1");
 if (!existingLicense) {
   const trialId = crypto.randomUUID().replace(/-/g, "").slice(0, 12);
   db.run(
@@ -248,6 +240,61 @@ if (!existingLicense) {
   console.log("[commhub] 🎉 14-day free trial started!");
 }
 
+// ── V3.13: network_members table (user ↔ network many-to-many) ──
+db.exec(`
+  CREATE TABLE IF NOT EXISTS network_members (
+    network_id  TEXT NOT NULL,
+    user_id     TEXT NOT NULL,
+    role        TEXT NOT NULL DEFAULT 'member',
+    invited_by  TEXT,
+    joined_at   TEXT NOT NULL DEFAULT (datetime('now')),
+    PRIMARY KEY (network_id, user_id)
+  );
+
+  CREATE INDEX IF NOT EXISTS idx_netmem_user ON network_members(user_id);
+  CREATE INDEX IF NOT EXISTS idx_netmem_network ON network_members(network_id);
+`);
+
+// ── V3.13: network_invites table ──
+db.exec(`
+  CREATE TABLE IF NOT EXISTS network_invites (
+    invite_code TEXT PRIMARY KEY,
+    network_id  TEXT NOT NULL,
+    role        TEXT NOT NULL DEFAULT 'member',
+    created_by  TEXT NOT NULL,
+    max_uses    INTEGER DEFAULT 1,
+    used_count  INTEGER DEFAULT 0,
+    expires_at  TEXT,
+    created_at  TEXT NOT NULL DEFAULT (datetime('now'))
+  );
+`);
+
+// ── V3.13: networks visibility + max_members ──
+try { db.exec("ALTER TABLE networks ADD COLUMN visibility TEXT DEFAULT 'private'"); } catch {}
+try { db.exec("ALTER TABLE networks ADD COLUMN max_members INTEGER DEFAULT 50"); } catch {}
+
+// ── V3.13: users plan field ──
+try { db.exec("ALTER TABLE users ADD COLUMN plan TEXT DEFAULT 'free'"); } catch {}
+
+// ── V3.13: migrate existing networks → network_members (owner) ──
+try {
+  const networks = db.all<any>("SELECT network_id, owner_id FROM networks");
+  for (const net of networks) {
+    const exists = db.get<any>("SELECT 1 FROM network_members WHERE network_id = ?1 AND user_id = ?2", net.network_id, net.owner_id);
+    if (!exists) {
+      db.run("INSERT INTO network_members (network_id, user_id, role) VALUES (?1, ?2, 'owner')", [net.network_id, net.owner_id]);
+    }
+  }
+} catch {}
+
+// ── V3.13: first registered user → admin ──
+try {
+  const firstUser = db.get<any>("SELECT user_id, role FROM users ORDER BY created_at LIMIT 1");
+  if (firstUser && firstUser.role !== "admin") {
+    db.run("UPDATE users SET role = 'admin' WHERE user_id = ?1", [firstUser.user_id]);
+  }
+} catch {}
+
 // ── V3: add network_id to existing tables ──
 for (const table of ["sessions", "nodes", "tasks", "inbox", "task_events"]) {
   try { db.exec(`ALTER TABLE ${table} ADD COLUMN network_id TEXT`); } catch {}