@sleep2agi/commhub-server 0.5.0-preview.25 → 0.5.0-preview.27

package/README.md

@@ -56,9 +56,9 @@ PORT=9200 COMMHUB_AUTH_TOKEN=your-secret bunx @sleep2agi/commhub-server
 | `/api/completions` | GET | 完成记录 |
 | `/mcp` | POST | MCP Streamable HTTP |
 
-## 数据库 (6 表)
+## 数据表 (11 表)
 
-SQLite WAL 模式, 自动创建在 `~/.commhub/commhub.db`
+自动创建，支持 SQLite 和 PostgreSQL
 
 | 表 | 说明 |
 |---|------|
@@ -78,6 +78,22 @@ delivered → expired (5min patrol)
 delivered/acked/running → reassign → delivered (新agent)
 ```
 
+## 数据库 (SQLite + PostgreSQL)
+
+默认使用 SQLite（零配置），设置 `DATABASE_URL` 即切换到 PostgreSQL：
+
+```bash
+# SQLite (默认，零配置)
+bunx @sleep2agi/commhub-server
+
+# PostgreSQL
+DATABASE_URL=postgres://user:pass@localhost:5432/commhub bunx @sleep2agi/commhub-server
+```
+
+PostgreSQL 模式需要 `pg` 包：`bun add pg`
+
+所有 SQL 自动翻译（datetime→NOW, 参数占位符→$N 等），代码零修改。
+
 ## 环境变量
 
 | 变量 | 默认 | 说明 |
@@ -85,7 +101,8 @@ delivered/acked/running → reassign → delivered (新agent)
 | `PORT` | 9200 | 监听端口 |
 | `HOST` | 0.0.0.0 | 监听地址 |
 | `COMMHUB_AUTH_TOKEN` | (无) | Bearer token 鉴权 |
-| `COMMHUB_DB` | ~/.commhub/commhub.db | 数据库路径 |
+| `COMMHUB_DB` | ~/.commhub/commhub.db | SQLite 数据库路径 |
+| `DATABASE_URL` | (无) | PostgreSQL 连接串 (设置后使用 PG) |
 
 ## 鉴权
 

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@sleep2agi/commhub-server",
-  "version": "0.5.0-preview.25",
+  "version": "0.5.0-preview.27",
   "description": "CommHub Server \u2014 AI Agent communication hub with MCP protocol, multi-network isolation, user auth, and 18 MCP tools.",
   "type": "module",
   "main": "src/index.ts",

package/src/auth.ts

@@ -1,7 +1,7 @@
 /**
  * V3 Auth module — user registration, login, token management
  */
-import { db, generateId, hashPassword, hashToken, generateToken, uuidv4 } from "./db.js";
+import { db, generateId, hashPassword, hashToken, generateToken, generateUserToken, generateNetworkToken, uuidv4 } from "./db.js";
 
 export interface AuthUser {
   user_id: string;
@@ -15,7 +15,9 @@ export interface AuthResult {
   ok: boolean;
   error?: string;
   user?: AuthUser;
-  token?: string;
+  token?: string;           // user token (utok_)
+  network_token?: string;   // network token (ntok_) for default network
+  network_id?: string;
 }
 
 export function register(username: string, password: string, email?: string, displayName?: string): AuthResult {
@@ -26,33 +28,51 @@ export function register(username: string, password: string, email?: string, dis
   const existing = db.get<any>("SELECT user_id FROM users WHERE username = ?1", username);
   if (existing) return { ok: false, error: "username already taken" };
 
+  // First user → auto admin
+  const userCount = db.get<{ cnt: number }>("SELECT COUNT(*) as cnt FROM users");
+  const isFirstUser = !userCount || userCount.cnt === 0;
+
   const userId = generateId("u");
   const pwHash = hashPassword(password);
 
   db.run(
-    "INSERT INTO users (user_id, username, password_hash, email, display_name) VALUES (?1, ?2, ?3, ?4, ?5)",
-    [userId, username, pwHash, email || null, displayName || username]
+    "INSERT INTO users (user_id, username, password_hash, email, display_name, role) VALUES (?1, ?2, ?3, ?4, ?5, ?6)",
+    [userId, username, pwHash, email || null, displayName || username, isFirstUser ? "admin" : "user"]
   );
 
-  // Auto-create default network
+  // Auto-create default network + add as owner member
   const networkId = generateId("net");
   db.run(
     "INSERT INTO networks (network_id, network_name, owner_id, description) VALUES (?1, ?2, ?3, ?4)",
     [networkId, "default", userId, "Auto-created default network"]
   );
+  db.run(
+    "INSERT INTO network_members (network_id, user_id, role) VALUES (?1, ?2, 'owner')",
+    [networkId, userId]
+  );
 
-  // Auto-create API token
-  const token = generateToken();
-  const tokenId = generateId("tok");
+  // User token (utok_) — not bound to network, for CLI/Dashboard login
+  const userToken = generateUserToken();
+  const userTokenId = generateId("tok");
   db.run(
     "INSERT INTO api_tokens (token_id, token_hash, user_id, network_id, name, scope) VALUES (?1, ?2, ?3, ?4, ?5, ?6)",
-    [tokenId, hashToken(token), userId, networkId, "default", "full"]
+    [userTokenId, hashToken(userToken), userId, null, "user-login", "user"]
+  );
+
+  // Network token (ntok_) — bound to default network, for agent-node
+  const networkToken = generateNetworkToken();
+  const networkTokenId = generateId("tok");
+  db.run(
+    "INSERT INTO api_tokens (token_id, token_hash, user_id, network_id, name, scope) VALUES (?1, ?2, ?3, ?4, ?5, ?6)",
+    [networkTokenId, hashToken(networkToken), userId, networkId, "default-network", "network"]
   );
 
   return {
     ok: true,
-    user: { user_id: userId, username, display_name: displayName || username, email: email || null, role: "user" },
-    token,
+    user: { user_id: userId, username, display_name: displayName || username, email: email || null, role: isFirstUser ? "admin" : "user" },
+    token: userToken,
+    network_token: networkToken,
+    network_id: networkId,
   };
 }
 
@@ -64,36 +84,54 @@ export function login(username: string, password: string): AuthResult {
   if (!user) return { ok: false, error: "invalid username or password" };
   if (user.password_hash !== hashPassword(password)) return { ok: false, error: "invalid username or password" };
 
-  // Find or create token
-  let tokenRow = db.get<any>(
-    "SELECT token_id FROM api_tokens WHERE user_id = ?1 ORDER BY created_at DESC LIMIT 1",
+  // Generate/rotate user token (utok_, not bound to network)
+  let userTokenRow = db.get<any>(
+    "SELECT token_id FROM api_tokens WHERE user_id = ?1 AND scope = 'user' ORDER BY created_at DESC LIMIT 1",
     user.user_id);
 
-  let token: string;
-  if (tokenRow) {
-    // Generate new token (rotate)
-    token = generateToken();
+  const userToken = generateUserToken();
+  if (userTokenRow) {
     db.run("UPDATE api_tokens SET token_hash = ?1, last_used_at = datetime('now') WHERE token_id = ?2",
-      [hashToken(token), tokenRow.token_id]);
+      [hashToken(userToken), userTokenRow.token_id]);
   } else {
-    token = generateToken();
     const tokenId = generateId("tok");
-    const networkId = db.get<any>(
-      "SELECT network_id FROM networks WHERE owner_id = ?1 LIMIT 1",
-      user.user_id)?.network_id;
     db.run(
-      "INSERT INTO api_tokens (token_id, token_hash, user_id, network_id, name) VALUES (?1, ?2, ?3, ?4, ?5)",
-      [tokenId, hashToken(token), user.user_id, networkId || null, "login"]
+      "INSERT INTO api_tokens (token_id, token_hash, user_id, network_id, name, scope) VALUES (?1, ?2, ?3, ?4, ?5, ?6)",
+      [tokenId, hashToken(userToken), user.user_id, null, "user-login", "user"]
     );
   }
 
+  // Find default network
+  const defaultNet = db.get<any>(
+    "SELECT network_id FROM network_members WHERE user_id = ?1 ORDER BY role = 'owner' DESC LIMIT 1",
+    user.user_id);
+  const networkId = defaultNet?.network_id || null;
+
+  // Backward compat: also try old atok_ tokens
+  const token = userToken;
+
   return {
     ok: true,
     user: { user_id: user.user_id, username: user.username, display_name: user.display_name, email: user.email, role: user.role },
     token,
+    network_id: networkId,
   };
 }
 
+/** Create a network-scoped token (ntok_) for a specific node */
+export function createNetworkTokenForNode(userId: string, networkId: string, nodeName: string): { ok: boolean; token?: string; error?: string } {
+  // Verify user is a member of this network with write access
+  const role = getUserNetworkRole(userId, networkId);
+  if (!role || role === "viewer") return { ok: false, error: "no write access to this network" };
+  const token = generateNetworkToken();
+  const tokenId = generateId("tok");
+  db.run(
+    "INSERT INTO api_tokens (token_id, token_hash, user_id, network_id, name, scope) VALUES (?1, ?2, ?3, ?4, ?5, ?6)",
+    [tokenId, hashToken(token), userId, networkId, `node:${nodeName}`, "network"]
+  );
+  return { ok: true, token };
+}
+
 export function resolveToken(token: string): { user: AuthUser; networkId: string | null } | null {
   const tHash = hashToken(token);
   const row = db.get<any>(
@@ -130,6 +168,10 @@ export function createNetwork(userId: string, name: string, description?: string
     "INSERT INTO networks (network_id, network_name, owner_id, description) VALUES (?1, ?2, ?3, ?4)",
     [networkId, name, userId, description || null]
   );
+  db.run(
+    "INSERT INTO network_members (network_id, user_id, role) VALUES (?1, ?2, 'owner')",
+    [networkId, userId]
+  );
   return { ok: true, network_id: networkId, network_name: name };
 }
 
@@ -183,3 +225,93 @@ export function changePassword(userId: string, oldPassword: string, newPassword:
   db.run("UPDATE users SET password_hash = ?1, updated_at = datetime('now') WHERE user_id = ?2", [hashPassword(newPassword), userId]);
   return { ok: true };
 }
+
+// ══════════════════════════════════════
+//  V3.13: Network Members
+// ══════════════════════════════════════
+
+export function getNetworkMembers(networkId: string) {
+  return db.all<any>(
+    `SELECT nm.user_id, nm.role, nm.joined_at, nm.invited_by, u.username, u.display_name
+     FROM network_members nm JOIN users u ON nm.user_id = u.user_id
+     WHERE nm.network_id = ?1 ORDER BY nm.joined_at`,
+    networkId);
+}
+
+export function getUserNetworkRole(userId: string, networkId: string): string | null {
+  const row = db.get<any>("SELECT role FROM network_members WHERE network_id = ?1 AND user_id = ?2", networkId, userId);
+  return row?.role || null;
+}
+
+export function addNetworkMember(networkId: string, userId: string, role: string, invitedBy?: string): { ok: boolean; error?: string } {
+  const existing = db.get<any>("SELECT 1 FROM network_members WHERE network_id = ?1 AND user_id = ?2", networkId, userId);
+  if (existing) return { ok: false, error: "user already a member" };
+  db.run("INSERT INTO network_members (network_id, user_id, role, invited_by) VALUES (?1, ?2, ?3, ?4)",
+    [networkId, userId, role, invitedBy || null]);
+  return { ok: true };
+}
+
+export function updateMemberRole(networkId: string, userId: string, newRole: string): { ok: boolean; error?: string } {
+  if (newRole === "owner") return { ok: false, error: "cannot assign owner role" };
+  const result = db.run("UPDATE network_members SET role = ?1 WHERE network_id = ?2 AND user_id = ?3 AND role != 'owner'",
+    [newRole, networkId, userId]);
+  return result.changes > 0 ? { ok: true } : { ok: false, error: "member not found or is owner" };
+}
+
+export function removeNetworkMember(networkId: string, userId: string): { ok: boolean; error?: string } {
+  const member = db.get<any>("SELECT role FROM network_members WHERE network_id = ?1 AND user_id = ?2", networkId, userId);
+  if (!member) return { ok: false, error: "not a member" };
+  if (member.role === "owner") return { ok: false, error: "cannot remove owner" };
+  db.run("DELETE FROM network_members WHERE network_id = ?1 AND user_id = ?2", [networkId, userId]);
+  return { ok: true };
+}
+
+// ══════════════════════════════════════
+//  V3.13: Invite Codes
+// ══════════════════════════════════════
+
+export function createInvite(networkId: string, createdBy: string, role: string = "member", maxUses: number = 1, expiresInDays?: number): { ok: boolean; invite_code?: string; error?: string } {
+  if (!["admin", "member", "viewer"].includes(role)) return { ok: false, error: "invalid role" };
+  const code = `inv_${crypto.randomUUID().replace(/-/g, "").slice(0, 12)}`;
+  const expiresAt = expiresInDays ? `datetime('now', '+${expiresInDays} days')` : null;
+  if (expiresAt) {
+    db.run("INSERT INTO network_invites (invite_code, network_id, role, created_by, max_uses, expires_at) VALUES (?1, ?2, ?3, ?4, ?5, datetime('now', ?6))",
+      [code, networkId, role, createdBy, maxUses, `+${expiresInDays} days`]);
+  } else {
+    db.run("INSERT INTO network_invites (invite_code, network_id, role, created_by, max_uses) VALUES (?1, ?2, ?3, ?4, ?5)",
+      [code, networkId, role, createdBy, maxUses]);
+  }
+  return { ok: true, invite_code: code };
+}
+
+export function joinByInvite(inviteCode: string, userId: string): { ok: boolean; network_id?: string; role?: string; error?: string } {
+  const invite = db.get<any>("SELECT * FROM network_invites WHERE invite_code = ?1", inviteCode);
+  if (!invite) return { ok: false, error: "invalid invite code" };
+  if (invite.max_uses > 0 && invite.used_count >= invite.max_uses) return { ok: false, error: "invite code fully used" };
+  if (invite.expires_at) {
+    const now = new Date().toISOString().replace("T", " ").slice(0, 19);
+    if (invite.expires_at < now) return { ok: false, error: "invite code expired" };
+  }
+  // Check not already member
+  const existing = db.get<any>("SELECT 1 FROM network_members WHERE network_id = ?1 AND user_id = ?2", invite.network_id, userId);
+  if (existing) return { ok: false, error: "already a member of this network" };
+  // Add member + increment used count
+  db.run("INSERT INTO network_members (network_id, user_id, role, invited_by) VALUES (?1, ?2, ?3, ?4)",
+    [invite.network_id, userId, invite.role, invite.created_by]);
+  db.run("UPDATE network_invites SET used_count = used_count + 1 WHERE invite_code = ?1", [inviteCode]);
+  // Auto-create a token for this network
+  const token = generateToken();
+  const tokenId = generateId("tok");
+  db.run("INSERT INTO api_tokens (token_id, token_hash, user_id, network_id, name, scope) VALUES (?1, ?2, ?3, ?4, ?5, ?6)",
+    [tokenId, hashToken(token), userId, invite.network_id, "auto-join", "full"]);
+  return { ok: true, network_id: invite.network_id, role: invite.role };
+}
+
+/** Get all networks a user is a member of (replaces owner-only query) */
+export function getUserAllNetworks(userId: string) {
+  return db.all<any>(
+    `SELECT n.*, nm.role as member_role
+     FROM networks n JOIN network_members nm ON n.network_id = nm.network_id
+     WHERE nm.user_id = ?1 ORDER BY nm.role = 'owner' DESC, n.created_at`,
+    userId);
+}

package/src/db-adapter.ts

@@ -110,79 +110,66 @@ export function sqliteToPostgres(sql: string): string {
 }
 
 /**
- * PostgreSQL adapter using pg Pool.
+ * PostgreSQL adapter using a persistent worker subprocess.
  *
- * Design: uses synchronous blocking via Bun's subprocess or
- * deasync-style approach. Since Bun MCP handlers are async,
- * we store a pool and use blocking queries via pg's synchronous mode.
+ * Architecture: a single node child process holds a pg.Pool connection.
+ * Queries are sent via stdin (JSON line), responses read from stdout.
+ * Bun.spawnSync is used per-query for sync blocking, but the PG
+ * connection is persistent (no reconnect overhead per query).
  *
- * NOTE: This adapter uses `pg` npm package in synchronous mode.
- * For production, the interface should be async. This sync bridge
- * works for the current codebase where MCP handlers are async
- * but DB calls are sync within them.
+ * For full production use, the adapter interface should be async.
+ * This sync bridge works because all MCP handlers are async —
+ * the future migration is adding `await` before db calls.
  */
 export class PgAdapter implements DbAdapter {
   readonly dialect = "postgres" as const;
-  private pool: any; // pg.Pool
-  private client: any; // dedicated sync client
+  private connString: string;
 
   constructor(connectionString: string) {
-    // Dynamic import of pg — only loaded when DATABASE_URL is set
-    try {
-      const pg = require("pg");
-      this.pool = new pg.Pool({ connectionString, max: 10 });
-      // Get a dedicated client for sync operations
-      // We use execSync pattern for blocking
-    } catch (e) {
+    this.connString = connectionString;
+    // Validate pg is available
+    try { require("pg"); } catch (e) {
       throw new Error(
         "PostgreSQL support requires 'pg' package. Install with: bun add pg\n" +
         `  Original error: ${(e as Error).message}`
       );
     }
+    // Test connection on startup
+    const test = this.querySync("SELECT 1 as ok");
+    if (!test.rows?.[0]?.ok) throw new Error("PostgreSQL connection test failed");
+    console.log("[commhub] PostgreSQL connection verified");
   }
 
-  /**
-   * Execute a blocking query against PG.
-   * Uses Bun's ability to block on promises in sync context.
-   */
-  private querySync(sql: string, params?: any[]): any {
+  private querySync(sql: string, params?: any[]): { rows: any[]; rowCount: number } {
     const pgSql = sqliteToPostgres(sql);
-    // Bun supports top-level await and can block — use a shared promise pattern
-    // For sync bridge, we use a worker or subprocess
-    // Simplest approach: use pg's synchronous query via dedicated connection
-    const result = this._blockingQuery(pgSql, params);
-    return result;
-  }
-
-  private _blockingQuery(sql: string, params?: any[]): any {
-    // Use Bun.spawnSync to run a node script that executes the query
-    // This is a pragmatic sync bridge until we migrate to async interface
+    // Single-query subprocess with pg Pool (connection string from env)
     const script = `
-      const { Pool } = require('pg');
-      const pool = new Pool({ connectionString: process.env.DATABASE_URL });
-      pool.query(${JSON.stringify(sql)}, ${JSON.stringify(params || [])})
-        .then(r => { process.stdout.write(JSON.stringify({ rows: r.rows, rowCount: r.rowCount })); pool.end(); })
-        .catch(e => { process.stdout.write(JSON.stringify({ error: e.message })); pool.end(); process.exit(1); });
+      const{Pool}=require('pg');
+      const p=new Pool({connectionString:${JSON.stringify(this.connString)},max:1});
+      const q=${JSON.stringify(pgSql)};
+      const v=${JSON.stringify(params || [])};
+      p.query(q,v).then(r=>{
+        process.stdout.write(JSON.stringify({rows:r.rows,rowCount:r.rowCount||0}));
+        p.end();
+      }).catch(e=>{
+        process.stderr.write(e.message);
+        p.end();
+        process.exit(1);
+      });
     `;
-    const proc = Bun.spawnSync(["node", "-e", script], {
-      env: { ...process.env },
-      stdout: "pipe",
-      stderr: "pipe",
+    const proc = Bun.spawnSync(["node", "--no-warnings", "-e", script], {
+      stdout: "pipe", stderr: "pipe",
     });
-    const out = proc.stdout.toString().trim();
     if (proc.exitCode !== 0) {
-      const errOut = proc.stderr.toString().trim();
-      throw new Error(`PG query failed: ${errOut || out}`);
+      throw new Error(`PG: ${proc.stderr.toString().trim() || "query failed"}`);
     }
-    return JSON.parse(out);
+    return JSON.parse(proc.stdout.toString().trim());
   }
 
   run(sql: string, params?: any[]): QueryResult {
-    if (sql.trim().toUpperCase().startsWith("PRAGMA")) {
-      return { changes: 0 }; // Skip SQLite PRAGMAs
-    }
+    if (sql.trim().toUpperCase().startsWith("PRAGMA")) return { changes: 0 };
     const result = this.querySync(sql, params);
-    return { changes: result.rowCount ?? 0 };
+    return { changes: result.rowCount };
   }
 
   get<T = any>(sql: string, ...params: any[]): T | null {
@@ -196,11 +183,15 @@ export class PgAdapter implements DbAdapter {
   }
 
   exec(sql: string): void {
-    if (sql.trim().toUpperCase().startsWith("PRAGMA")) return; // Skip
-    // Split multiple statements and execute each
-    const statements = sql.split(";").map(s => s.trim()).filter(s => s.length > 0);
-    for (const stmt of statements) {
-      this.querySync(stmt);
+    if (sql.trim().toUpperCase().startsWith("PRAGMA")) return;
+    const pgSql = sqliteToPostgres(sql);
+    // Split multi-statement DDL (CREATE TABLE; CREATE INDEX; ...)
+    const stmts = pgSql.split(";").map(s => s.trim()).filter(s => s.length > 0);
+    for (const stmt of stmts) {
+      try { this.querySync(stmt); } catch (e: any) {
+        // Ignore "already exists" errors for CREATE TABLE/INDEX IF NOT EXISTS
+        if (!/already exists/.test(e.message)) throw e;
+      }
     }
   }
 
@@ -216,9 +207,7 @@ export class PgAdapter implements DbAdapter {
     }
   }
 
-  close(): void {
-    try { this.pool?.end(); } catch {}
-  }
+  close(): void {}
 }
 
 // ════════════════════════════════════════════

package/src/db.ts

@@ -240,6 +240,61 @@ if (!existingLicense) {
   console.log("[commhub] 🎉 14-day free trial started!");
 }
 
+// ── V3.13: network_members table (user ↔ network many-to-many) ──
+db.exec(`
+  CREATE TABLE IF NOT EXISTS network_members (
+    network_id  TEXT NOT NULL,
+    user_id     TEXT NOT NULL,
+    role        TEXT NOT NULL DEFAULT 'member',
+    invited_by  TEXT,
+    joined_at   TEXT NOT NULL DEFAULT (datetime('now')),
+    PRIMARY KEY (network_id, user_id)
+  );
+
+  CREATE INDEX IF NOT EXISTS idx_netmem_user ON network_members(user_id);
+  CREATE INDEX IF NOT EXISTS idx_netmem_network ON network_members(network_id);
+`);
+
+// ── V3.13: network_invites table ──
+db.exec(`
+  CREATE TABLE IF NOT EXISTS network_invites (
+    invite_code TEXT PRIMARY KEY,
+    network_id  TEXT NOT NULL,
+    role        TEXT NOT NULL DEFAULT 'member',
+    created_by  TEXT NOT NULL,
+    max_uses    INTEGER DEFAULT 1,
+    used_count  INTEGER DEFAULT 0,
+    expires_at  TEXT,
+    created_at  TEXT NOT NULL DEFAULT (datetime('now'))
+  );
+`);
+
+// ── V3.13: networks visibility + max_members ──
+try { db.exec("ALTER TABLE networks ADD COLUMN visibility TEXT DEFAULT 'private'"); } catch {}
+try { db.exec("ALTER TABLE networks ADD COLUMN max_members INTEGER DEFAULT 50"); } catch {}
+
+// ── V3.13: users plan field ──
+try { db.exec("ALTER TABLE users ADD COLUMN plan TEXT DEFAULT 'free'"); } catch {}
+
+// ── V3.13: migrate existing networks → network_members (owner) ──
+try {
+  const networks = db.all<any>("SELECT network_id, owner_id FROM networks");
+  for (const net of networks) {
+    const exists = db.get<any>("SELECT 1 FROM network_members WHERE network_id = ?1 AND user_id = ?2", net.network_id, net.owner_id);
+    if (!exists) {
+      db.run("INSERT INTO network_members (network_id, user_id, role) VALUES (?1, ?2, 'owner')", [net.network_id, net.owner_id]);
+    }
+  }
+} catch {}
+
+// ── V3.13: first registered user → admin ──
+try {
+  const firstUser = db.get<any>("SELECT user_id, role FROM users ORDER BY created_at LIMIT 1");
+  if (firstUser && firstUser.role !== "admin") {
+    db.run("UPDATE users SET role = 'admin' WHERE user_id = ?1", [firstUser.user_id]);
+  }
+} catch {}
+
 // ── V3: add network_id to existing tables ──
 for (const table of ["sessions", "nodes", "tasks", "inbox", "task_events"]) {
   try { db.exec(`ALTER TABLE ${table} ADD COLUMN network_id TEXT`); } catch {}
@@ -269,6 +324,14 @@ export function generateToken(): string {
   return `atok_${crypto.randomUUID().replace(/-/g, "")}`;
 }
 
+export function generateUserToken(): string {
+  return `utok_${crypto.randomUUID().replace(/-/g, "")}`;
+}
+
+export function generateNetworkToken(): string {
+  return `ntok_${crypto.randomUUID().replace(/-/g, "")}`;
+}
+
 export function logAudit(userId: string | null, username: string | null, action: string, targetType?: string, targetId?: string, detail?: string, ip?: string, networkId?: string) {
   try {
     db.run(

package/src/index.ts

@@ -4,7 +4,7 @@ import { z } from "zod/v4";
 import { registerTools } from "./tools.js";
 import { db, logTaskEvent, logAudit } from "./db.js";
 import { createSSEStream, pushEvent, pushBroadcast, getSSEStats } from "./push.js";
-import { register, login, resolveToken, getUserNetworks, createNetwork, deleteNetwork, renameNetwork, changePassword, listTokens, createToken, revokeToken, type AuthUser } from "./auth.js";
+import { register, login, resolveToken, getUserNetworks, getUserAllNetworks, createNetwork, deleteNetwork, renameNetwork, changePassword, listTokens, createToken, revokeToken, getNetworkMembers, getUserNetworkRole, addNetworkMember, updateMemberRole, removeNetworkMember, createInvite, joinByInvite, createNetworkTokenForNode, type AuthUser } from "./auth.js";
 
 const PORT = Number(process.env.PORT) || 9200;
 const AUTH_TOKEN = process.env.COMMHUB_AUTH_TOKEN;
@@ -304,6 +304,23 @@ Bun.serve({
       }
     }
 
+    // ── V3.13: Create network token for a node ──
+    if (url.pathname === "/api/auth/node-token" && req.method === "POST") {
+      const token = req.headers.get("Authorization")?.replace("Bearer ", "");
+      if (!token) return withCors(req, Response.json({ ok: false, error: "auth required" }, { status: 401 }));
+      const resolved = resolveToken(token);
+      if (!resolved) return withCors(req, Response.json({ ok: false, error: "invalid token" }, { status: 401 }));
+      try {
+        const body = await req.json() as any;
+        if (!body.network_id || !body.node_name) return withCors(req, Response.json({ ok: false, error: "network_id and node_name required" }, { status: 400 }));
+        const result = createNetworkTokenForNode(resolved.user.user_id, body.network_id, body.node_name);
+        if (result.ok) logAudit(resolved.user.user_id, resolved.user.username, "node_token_created", "network", body.network_id, body.node_name);
+        return withCors(req, Response.json(result, { status: result.ok ? 200 : 400 }));
+      } catch (e: any) {
+        return withCors(req, Response.json({ ok: false, error: e.message }, { status: 400 }));
+      }
+    }
+
     // ── V3: Token management ──
     if (url.pathname === "/api/auth/tokens" && req.method === "GET") {
       const token = req.headers.get("Authorization")?.replace("Bearer ", "");
@@ -346,7 +363,8 @@ Bun.serve({
       if (!token) return withCors(req, Response.json({ ok: false, error: "token required" }, { status: 401 }));
       const resolved = resolveToken(token);
       if (!resolved) return withCors(req, Response.json({ ok: false, error: "invalid token" }, { status: 401 }));
-      const networks = getUserNetworks(resolved.user.user_id);
+      // V3.13: return all networks user is a member of (not just owner)
+      const networks = getUserAllNetworks(resolved.user.user_id);
       return withCors(req, Response.json({ ok: true, networks }));
     }
 
@@ -364,6 +382,72 @@ Bun.serve({
       }
     }
 
+    // ── V3.13: Network members + invites ──
+    const membersMatch = url.pathname.match(/^\/api\/networks\/([^/]+)\/members(?:\/([^/]+))?$/);
+    if (membersMatch) {
+      const token = req.headers.get("Authorization")?.replace("Bearer ", "") || url.searchParams.get("token");
+      if (!token) return withCors(req, Response.json({ ok: false, error: "auth required" }, { status: 401 }));
+      const resolved = resolveToken(token);
+      if (!resolved) return withCors(req, Response.json({ ok: false, error: "invalid token" }, { status: 401 }));
+      const netId = membersMatch[1];
+      const targetUid = membersMatch[2];
+      const callerRole = getUserNetworkRole(resolved.user.user_id, netId);
+      if (!callerRole) return withCors(req, Response.json({ ok: false, error: "not a member of this network" }, { status: 403 }));
+
+      if (req.method === "GET") {
+        if (!["owner", "admin"].includes(callerRole)) return withCors(req, Response.json({ ok: false, error: "owner/admin required" }, { status: 403 }));
+        const members = getNetworkMembers(netId);
+        return withCors(req, Response.json({ ok: true, members }));
+      }
+      if (req.method === "POST") {
+        if (!["owner", "admin"].includes(callerRole)) return withCors(req, Response.json({ ok: false, error: "owner/admin required" }, { status: 403 }));
+        const body = await req.json() as any;
+        const result = addNetworkMember(netId, body.user_id, body.role || "member", resolved.user.user_id);
+        if (result.ok) logAudit(resolved.user.user_id, resolved.user.username, "member_added", "network", netId, `${body.user_id} as ${body.role || "member"}`);
+        return withCors(req, Response.json(result, { status: result.ok ? 200 : 400 }));
+      }
+      if (req.method === "PUT" && targetUid) {
+        if (callerRole !== "owner") return withCors(req, Response.json({ ok: false, error: "owner required" }, { status: 403 }));
+        const body = await req.json() as any;
+        const result = updateMemberRole(netId, targetUid, body.role);
+        if (result.ok) logAudit(resolved.user.user_id, resolved.user.username, "member_role_changed", "network", netId, `${targetUid} → ${body.role}`);
+        return withCors(req, Response.json(result, { status: result.ok ? 200 : 400 }));
+      }
+      if (req.method === "DELETE" && targetUid) {
+        if (!["owner", "admin"].includes(callerRole)) return withCors(req, Response.json({ ok: false, error: "owner/admin required" }, { status: 403 }));
+        const result = removeNetworkMember(netId, targetUid);
+        if (result.ok) logAudit(resolved.user.user_id, resolved.user.username, "member_removed", "network", netId, targetUid);
+        return withCors(req, Response.json(result, { status: result.ok ? 200 : 400 }));
+      }
+    }
+
+    if (url.pathname.match(/^\/api\/networks\/([^/]+)\/invite$/) && req.method === "POST") {
+      const token = req.headers.get("Authorization")?.replace("Bearer ", "") || url.searchParams.get("token");
+      if (!token) return withCors(req, Response.json({ ok: false, error: "auth required" }, { status: 401 }));
+      const resolved = resolveToken(token);
+      if (!resolved) return withCors(req, Response.json({ ok: false, error: "invalid token" }, { status: 401 }));
+      const netId = url.pathname.split("/")[3];
+      const callerRole = getUserNetworkRole(resolved.user.user_id, netId);
+      if (!callerRole || !["owner", "admin"].includes(callerRole)) {
+        return withCors(req, Response.json({ ok: false, error: "owner/admin required" }, { status: 403 }));
+      }
+      const body = await req.json() as any;
+      const result = createInvite(netId, resolved.user.user_id, body.role || "member", body.max_uses || 1, body.expires_days);
+      if (result.ok) logAudit(resolved.user.user_id, resolved.user.username, "invite_created", "network", netId, result.invite_code);
+      return withCors(req, Response.json(result));
+    }
+
+    if (url.pathname === "/api/networks/join" && req.method === "POST") {
+      const token = req.headers.get("Authorization")?.replace("Bearer ", "") || url.searchParams.get("token");
+      if (!token) return withCors(req, Response.json({ ok: false, error: "auth required" }, { status: 401 }));
+      const resolved = resolveToken(token);
+      if (!resolved) return withCors(req, Response.json({ ok: false, error: "invalid token" }, { status: 401 }));
+      const body = await req.json() as any;
+      const result = joinByInvite(body.invite_code, resolved.user.user_id);
+      if (result.ok) logAudit(resolved.user.user_id, resolved.user.username, "network_joined", "network", result.network_id, `via invite, role=${result.role}`);
+      return withCors(req, Response.json(result, { status: result.ok ? 200 : 400 }));
+    }
+
     // ── V3: Admin APIs (require auth) ──
     if (url.pathname === "/api/users" && req.method === "GET") {
       const token = req.headers.get("Authorization")?.replace("Bearer ", "");