npm - @sleep2agi/commhub-server - Versions diffs - 0.5.0-preview.27 → 0.5.0-preview.28 - Mend

@sleep2agi/commhub-server 0.5.0-preview.27 → 0.5.0-preview.28

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (6) hide show

package/README.md CHANGED Viewed

@@ -18,7 +18,7 @@ PORT=9200 COMMHUB_AUTH_TOKEN=your-secret bunx @sleep2agi/commhub-server
 - REST: `http://0.0.0.0:9200/api/*` (Dashboard / 监控)
 - Health: `http://0.0.0.0:9200/health`
-## MCP 工具 (17 个)
+## MCP 工具 (18 个)
 ### Agent 端 (从 Agent 调用)
 | 工具 | 说明 |
@@ -43,22 +43,50 @@ PORT=9200 COMMHUB_AUTH_TOKEN=your-secret bunx @sleep2agi/commhub-server
 | `get_session_status` | 单 session 详情 |
 | `broadcast` | 群发消息 |
-## REST API
+## REST API (27 端点)
 | 端点 | 方法 | 说明 |
 |------|------|------|
 | `/health` | GET | 健康检查 (无需 auth) |
+| `/mcp` | POST | MCP Streamable HTTP |
+| **认证** | | |
+| `/api/auth/register` | POST | 注册 → utok_ + ntok_ |
+| `/api/auth/login` | POST | 登录 → utok_ |
+| `/api/auth/me` | GET | 当前用户信息 |
+| `/api/auth/me` | PUT | 修改资料 |
+| `/api/auth/password` | POST | 修改密码 |
+| `/api/auth/tokens` | GET | Token 列表 |
+| `/api/auth/tokens` | POST | 创建 Token |
+| `/api/auth/tokens/:id` | DELETE | 撤销 Token |
+| `/api/auth/node-token` | POST | 创建节点网络 Token (ntok_) |
+| **网络** | | |
+| `/api/networks` | GET | 我的网络列表（成员网络） |
+| `/api/networks` | POST | 创建网络 |
+| `/api/networks/:id` | GET | 网络详情 + 统计 |
+| `/api/networks/:id` | PUT | 重命名网络 |
+| `/api/networks/:id` | DELETE | 删除网络 |
+| `/api/networks/:id/members` | GET | 成员列表 |
+| `/api/networks/:id/members` | POST | 添加成员 |
+| `/api/networks/:id/members/:uid` | PUT | 修改成员角色 |
+| `/api/networks/:id/members/:uid` | DELETE | 移除成员 |
+| `/api/networks/:id/invite` | POST | 生成邀请码 |
+| `/api/networks/join` | POST | 用邀请码加入 |
+| **数据** | | |
 | `/api/status` | GET | 所有 session |
-| `/api/tasks` | GET | 任务列表 (支持 status/from_name/to_name/task_id/limit 过滤) |
-| `/api/nodes` | GET | 节点持久化信息 |
-| `/api/task_events` | GET | 任务审计日志 |
+| `/api/tasks` | GET | 任务列表 |
+| `/api/nodes` | GET | 节点信息 |
+| `/api/stats` | GET | 统计汇总 |
 | `/api/messages` | GET | 消息列表 |
 | `/api/completions` | GET | 完成记录 |
-| `/mcp` | POST | MCP Streamable HTTP |
+| `/api/task_events` | GET | 任务审计日志 |
+| `/api/audit-log` | GET | 操作审计日志 |
+| `/api/users` | GET | 用户列表 (admin) |
+| `/api/license` | GET | License 状态 |
+| `/api/license/activate` | POST | 激活授权码 |
-## 数据表 (11 表)
+## 数据表 (13 表)
-自动创建，支持 SQLite 和 PostgreSQL
+自动创建，SQLite
 | 表 | 说明 |
 |---|------|
@@ -68,6 +96,13 @@ PORT=9200 COMMHUB_AUTH_TOKEN=your-secret bunx @sleep2agi/commhub-server
 | `nodes` | 持久化节点身份 (11 列, 独立于 session) |
 | `completions` | 完成记录 (7 列) |
 | `task_events` | 审计日志 (7 列, 每次状态变化记录) |
+| `users` | 用户 (username/password_hash/role/plan) |
+| `networks` | 网络 (name/owner/visibility/max_members) |
+| `api_tokens` | API Token (utok_/ntok_/atok_ + scope + network) |
+| `audit_log` | 操作审计 (user/action/target/ip) |
+| `licenses` | License (type/expires/limits) |
+| `network_members` | 网络成员 (user ↔ network + role) |
+| `network_invites` | 邀请码 (code/role/max_uses/expires) |
 任务状态机:
 ```

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "@sleep2agi/commhub-server",
-  "version": "0.5.0-preview.27",
+  "version": "0.5.0-preview.28",
   "description": "CommHub Server \u2014 AI Agent communication hub with MCP protocol, multi-network isolation, user auth, and 18 MCP tools.",
   "type": "module",
   "main": "src/index.ts",

package/src/auth.ts CHANGED Viewed

@@ -22,6 +22,7 @@ export interface AuthResult {
 export function register(username: string, password: string, email?: string, displayName?: string): AuthResult {
   if (!username || username.length < 2) return { ok: false, error: "username must be at least 2 characters" };
+  if (username.length > 50) return { ok: false, error: "username too long (max 50)" };
   if (!password || password.length < 6) return { ok: false, error: "password must be at least 6 characters" };
   if (!/^[a-zA-Z0-9_\-\u4e00-\u9fff]+$/.test(username)) return { ok: false, error: "username contains invalid characters" };
@@ -157,7 +158,23 @@ export function getUserNetworks(userId: string) {
     userId);
 }
+// Quota limits by plan
+const QUOTAS: Record<string, { max_networks_owned: number; max_networks_joined: number }> = {
+  free:  { max_networks_owned: 2, max_networks_joined: 3 },
+  pro:   { max_networks_owned: 10, max_networks_joined: 20 },
+  admin: { max_networks_owned: Infinity, max_networks_joined: Infinity },
+};
 export function createNetwork(userId: string, name: string, description?: string) {
+  // Quota check
+  const user = db.get<any>("SELECT plan, role FROM users WHERE user_id = ?1", userId);
+  const plan = user?.role === "admin" ? "admin" : (user?.plan || "free");
+  const quota = QUOTAS[plan] || QUOTAS.free;
+  const ownedCount = db.get<{ cnt: number }>("SELECT COUNT(*) as cnt FROM networks WHERE owner_id = ?1", userId);
+  if ((ownedCount?.cnt || 0) >= quota.max_networks_owned) {
+    return { ok: false, error: `quota exceeded: max ${quota.max_networks_owned} networks for ${plan} plan` };
+  }
   const existing = db.get<any>(
     "SELECT network_id FROM networks WHERE owner_id = ?1 AND network_name = ?2",
     userId, name);
@@ -203,6 +220,11 @@ export function deleteNetwork(userId: string, networkId: string): { ok: boolean;
 }
 export function createToken(userId: string, name: string, networkId?: string): { ok: boolean; token?: string; token_id?: string; error?: string } {
+  // Security: verify user is a member of the target network
+  if (networkId) {
+    const role = getUserNetworkRole(userId, networkId);
+    if (!role) return { ok: false, error: "not a member of this network" };
+  }
   const token = generateToken();
   const tokenId = generateId("tok");
   db.run(

package/src/db-adapter.ts CHANGED Viewed

@@ -50,7 +50,7 @@ export class SQLiteAdapter implements DbAdapter {
   constructor(private readonly rawDb: Database) {}
   run(sql: string, params?: any[]): QueryResult {
-    return this.rawDb.run(sql, params as any);
+    return params ? this.rawDb.run(sql, params as any) : this.rawDb.run(sql);
   }
   get<T = any>(sql: string, ...params: any[]): T | null {

package/src/index.ts CHANGED Viewed

@@ -33,12 +33,12 @@ setInterval(() => {
 }, 300000);
 // ── Factory: 每个请求创建新的 McpServer（stateless 模式）──
-function createServer(clientIP?: string, enforceNetworkId?: string | null): McpServer {
+function createServer(clientIP?: string, enforceNetworkId?: string | null, enforceUserId?: string | null): McpServer {
   const server = new McpServer({
     name: "commhub",
     version: "0.5.0",
   });
-  registerTools(server, clientIP, enforceNetworkId);
+  registerTools(server, clientIP, enforceNetworkId, enforceUserId);
   return server;
 }
@@ -164,10 +164,18 @@ Bun.serve({
       // V3: resolve token → enforce network_id in all MCP tools
       const authCtx = resolveRequestAuth(req);
       const enforceNetId = authCtx?.networkId || null;
+      // utok_ (no network binding) cannot use MCP — only ntok_/atok_/global token
+      if (authCtx && !authCtx.networkId) {
+        return withCors(req, Response.json({
+          jsonrpc: "2.0",
+          error: { code: -32000, message: "User token (utok_) cannot access MCP. Use a network token (ntok_) instead." },
+          id: null,
+        }, { status: 403 }));
+      }
       const transport = new WebStandardStreamableHTTPServerTransport({
         sessionIdGenerator: undefined,
       });
-      const server = createServer(clientIP, enforceNetId);
+      const server = createServer(clientIP, enforceNetId, authCtx?.userId || null);
       await server.connect(transport);
       const response = await transport.handleRequest(req);
       // Disconnect after response to prevent McpServer leak
@@ -261,7 +269,7 @@ Bun.serve({
       if (!token) return withCors(req, Response.json({ ok: false, error: "token required" }, { status: 401 }));
       const resolved = resolveToken(token);
       if (!resolved) return withCors(req, Response.json({ ok: false, error: "invalid token" }, { status: 401 }));
-      const networks = getUserNetworks(resolved.user.user_id);
+      const networks = getUserAllNetworks(resolved.user.user_id);
       return withCors(req, Response.json({ ok: true, user: resolved.user, networks, current_network: resolved.networkId }));
     }
@@ -363,7 +371,12 @@ Bun.serve({
       if (!token) return withCors(req, Response.json({ ok: false, error: "token required" }, { status: 401 }));
       const resolved = resolveToken(token);
       if (!resolved) return withCors(req, Response.json({ ok: false, error: "invalid token" }, { status: 401 }));
-      // V3.13: return all networks user is a member of (not just owner)
+      // V3.13: ntok_ can only see its bound network; utok_ sees all member networks
+      if (resolved.networkId) {
+        // ntok_ — only return the bound network
+        const net = db.get<any>("SELECT * FROM networks WHERE network_id = ?1", resolved.networkId);
+        return withCors(req, Response.json({ ok: true, networks: net ? [net] : [] }));
+      }
       const networks = getUserAllNetworks(resolved.user.user_id);
       return withCors(req, Response.json({ ok: true, networks }));
     }
@@ -469,8 +482,9 @@ Bun.serve({
       const networkId = netDetailMatch[1];
       const network = db.get<any>("SELECT * FROM networks WHERE network_id = ?1", networkId);
       if (!network) return withCors(req, Response.json({ ok: false, error: "network not found" }, { status: 404 }));
-      // Ownership check: only owner or admin can view
-      if (network.owner_id !== resolved.user.user_id && resolved.user.role !== "admin") {
+      // Membership check: must be a member or system admin
+      const viewerRole = getUserNetworkRole(resolved.user.user_id, networkId);
+      if (!viewerRole && resolved.user.role !== "admin") {
         return withCors(req, Response.json({ ok: false, error: "access denied" }, { status: 403 }));
       }
       // Get network stats
@@ -536,11 +550,18 @@ Bun.serve({
     const authErr = requireAuth(req);
     if (authErr) return withCors(req, authErr);
+    // Resolve network scope for REST queries — enforce isolation
+    // Token-bound networkId takes precedence (ntok_ → forced), then query param
+    const restAuth = resolveRequestAuth(req);
+    const isAdmin = restAuth?.username && db.get<any>("SELECT role FROM users WHERE username = ?1", restAuth.username)?.role === "admin";
+    // ntok_ token has networkId forced; utok_ has null (uses query param or admin sees all)
+    const restNetId = restAuth?.networkId || url.searchParams.get("network_id") || null;
     // ── REST: all sessions status ──
     if (url.pathname === "/api/status") {
       const cutoff = new Date(Date.now() - 10 * 60 * 1000).toISOString().replace("T", " ").slice(0, 19);
       db.run("UPDATE sessions SET status = 'offline' WHERE updated_at < ?1 AND status != 'offline'", [cutoff]);
-      const netFilter = url.searchParams.get("network_id");
+      const netFilter = restNetId;
       const sql = netFilter
         ? "SELECT * FROM sessions WHERE network_id = ?1 ORDER BY updated_at DESC"
         : "SELECT * FROM sessions ORDER BY updated_at DESC";
@@ -750,7 +771,7 @@ Bun.serve({
       const status = url.searchParams.get("status");
       const toName = url.searchParams.get("to_name");
       const fromName = url.searchParams.get("from_name");
-      const netFilter = url.searchParams.get("network_id");
+      const netFilter = restNetId || url.searchParams.get("network_id");  // token-enforced takes priority
       const limit = Math.min(Number(url.searchParams.get("limit")) || 50, 200);
       let sql = "SELECT * FROM tasks WHERE 1=1";

package/src/tools.ts CHANGED Viewed

@@ -2,14 +2,24 @@ import { McpServer } from "@modelcontextprotocol/sdk/server/mcp.js";
 import { z } from "zod/v4";
 import { db, uuidv4, logTaskEvent } from "./db.js";
 import { pushEvent, pushBroadcast } from "./push.js";
+import { getUserNetworkRole } from "./auth.js";
 function ts(): string {
   return new Date().toTimeString().slice(0, 8);
 }
-export function registerTools(server: McpServer, clientIP?: string, enforceNetworkId?: string | null) {
+export function registerTools(server: McpServer, clientIP?: string, enforceNetworkId?: string | null, enforceUserId?: string | null) {
   // If enforceNetworkId is set, override any client-supplied network_id
   const getNetworkId = (clientNetId?: string | null) => enforceNetworkId ?? clientNetId ?? null;
+  // Check if the user has write access to the enforced network
+  // utok_ (no networkId) cannot do MCP writes — only ntok_/atok_ with network binding can
+  const canWrite = (): boolean => {
+    if (!enforceUserId) return true; // legacy global token mode, allow
+    if (!enforceNetworkId) return false; // utok_ has no network → cannot write MCP
+    const role = getUserNetworkRole(enforceUserId, enforceNetworkId);
+    return !!role && role !== "viewer"; // owner/admin/member can write, viewer cannot
+  };
   // ═══════════════════════════════════════════
   //  Child Agent Tools (4)
   // ═══════════════════════════════════════════
@@ -66,7 +76,7 @@ export function registerTools(server: McpServer, clientIP?: string, enforceNetwo
              session_id = COALESCE(?16, sessions.session_id), config_path = COALESCE(?17, sessions.config_path),
              channels = COALESCE(?18, sessions.channels), network_id = COALESCE(?19, sessions.network_id),
              last_seen_at = datetime('now'), updated_at = datetime('now')`,
-          [resume_id, alias, tmux ?? null, srv ?? null, clientIP ?? null, hn ?? null, ag ?? null, pd ?? null, ver ?? null, status, task ?? null, trimmedOutput ?? null, progress ?? null, score ?? null, node_id ?? null, session_id ?? null, config_path ?? null, channels ?? null, netId ?? null]
+          [resume_id, alias, tmux ?? null, srv ?? null, clientIP ?? null, hn ?? null, ag ?? null, pd ?? null, ver ?? null, status, task ?? null, trimmedOutput ?? null, progress ?? null, score ?? null, node_id ?? null, session_id ?? null, config_path ?? null, channels ?? null, effectiveNetId ?? null]
         );
       });
@@ -325,6 +335,11 @@ export function registerTools(server: McpServer, clientIP?: string, enforceNetwo
     async ({ alias, task, priority, context, from_session, ttl_seconds, network_id: netId }) => {
       const effectiveNetId = getNetworkId(netId);
+      // Role check: viewer cannot send tasks
+      if (!canWrite()) {
+        return { content: [{ type: "text" as const, text: JSON.stringify({ ok: false, error: "permission_denied", message: "Viewer role cannot send tasks" }) }] };
+      }
       // License check
       const license = db.get<any>("SELECT type, expires_at FROM licenses ORDER BY created_at LIMIT 1");
       if (license?.expires_at) {
@@ -386,6 +401,7 @@ export function registerTools(server: McpServer, clientIP?: string, enforceNetwo
       from_session: z.string().max(200).optional().default("hub"),
     },
     async ({ alias, message, from_session }) => {
+      if (!canWrite()) return { content: [{ type: "text" as const, text: JSON.stringify({ ok: false, error: "permission_denied" }) }] };
       console.log(`[${ts()}] ${from_session} → send_message → ${alias}: ${message.slice(0, 60)}`);
       const id = uuidv4();
       db.run(
@@ -425,6 +441,7 @@ export function registerTools(server: McpServer, clientIP?: string, enforceNetwo
       from_session: z.string().max(200).optional().default("hub"),
     },
     async ({ alias, text, in_reply_to, status: replyStatus, from_session }) => {
+      if (!canWrite()) return { content: [{ type: "text" as const, text: JSON.stringify({ ok: false, error: "permission_denied" }) }] };
       console.log(`[${ts()}] ${from_session} → send_reply (${replyStatus}) → ${alias}: ${text.slice(0, 60)}`);
       const id = uuidv4();
       const replyLogged = db.transaction(() => {
@@ -498,6 +515,7 @@ export function registerTools(server: McpServer, clientIP?: string, enforceNetwo
       from_session: z.string().max(200).optional().default("hub"),
     },
     async ({ task_id, from_session }) => {
+      if (!canWrite()) return { content: [{ type: "text" as const, text: JSON.stringify({ ok: false, error: "permission_denied" }) }] };
       console.log(`[${ts()}] ${from_session} → retry_task → ${task_id.slice(0, 8)}`);
       // Find the original task
       const task = db.get<any>("SELECT * FROM tasks WHERE task_id = ?1", task_id);
@@ -595,6 +613,7 @@ export function registerTools(server: McpServer, clientIP?: string, enforceNetwo
       from_session: z.string().max(200).optional().default("hub"),
     },
     async ({ task_id, reason, from_session }) => {
+      if (!canWrite()) return { content: [{ type: "text" as const, text: JSON.stringify({ ok: false, error: "permission_denied" }) }] };
       console.log(`[${ts()}] ${from_session} → cancel_task → ${task_id.slice(0, 8)}`);
       const result = db.run(
         `UPDATE tasks SET status = 'cancelled', result = ?1, completed_at = datetime('now')
@@ -622,6 +641,7 @@ export function registerTools(server: McpServer, clientIP?: string, enforceNetwo
       from_session: z.string().max(200).optional().default("hub"),
     },
     async ({ task_id, new_alias, from_session }) => {
+      if (!canWrite()) return { content: [{ type: "text" as const, text: JSON.stringify({ ok: false, error: "permission_denied" }) }] };
       console.log(`[${ts()}] ${from_session} → reassign_task → ${task_id.slice(0, 8)} → ${new_alias}`);
       const task = db.get<any>("SELECT * FROM tasks WHERE task_id = ?1", task_id);
       if (!task) return { content: [{ type: "text" as const, text: JSON.stringify({ ok: false, error: "task not found" }) }] };