@sleep2agi/commhub-server 0.5.0-preview.36 → 0.5.0-preview.38

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@sleep2agi/commhub-server",
-  "version": "0.5.0-preview.36",
+  "version": "0.5.0-preview.38",
   "description": "CommHub Server \u2014 AI Agent communication hub with MCP protocol, multi-network isolation, user auth, and 18 MCP tools.",
   "type": "module",
   "main": "src/index.ts",

package/src/auth.ts

@@ -126,10 +126,11 @@ export function createNetworkTokenForNode(userId: string, networkId: string, nod
   return { ok: true, token };
 }
 
-export function resolveToken(token: string): { user: AuthUser; networkId: string | null } | null {
+export function resolveToken(token: string): { user: AuthUser; networkId: string | null; tokenName: string | null } | null {
   const tHash = hashToken(token);
   const row = db.get<any>(
-    `SELECT t.user_id, t.network_id, t.scope, u.username, u.display_name, u.email, u.role
+    `SELECT t.user_id, t.network_id, t.scope, t.name AS token_name,
+            u.username, u.display_name, u.email, u.role
      FROM api_tokens t JOIN users u ON t.user_id = u.user_id
      WHERE t.token_hash = ?1 AND (t.expires_at IS NULL OR t.expires_at > datetime('now'))`,
     tHash);
@@ -142,6 +143,11 @@ export function resolveToken(token: string): { user: AuthUser; networkId: string
   return {
     user: { user_id: row.user_id, username: row.username, display_name: row.display_name, email: row.email, role: row.role },
     networkId: row.network_id,
+    // tokenName carries the binding identity. For node-scoped ntok_, it's
+    // 'node:<alias>'; we strip the prefix and use it as the default
+    // from_session for any MCP send_task / send_message / etc, so peer
+    // agents see who actually called them (not 'hub').
+    tokenName: row.token_name || null,
   };
 }
 

package/src/index.ts

@@ -42,12 +42,12 @@ setInterval(() => {
 }, 300000);
 
 // ── Factory: 每个请求创建新的 McpServer（stateless 模式）──
-function createServer(clientIP?: string, enforceNetworkId?: string | null, enforceUserId?: string | null): McpServer {
+function createServer(clientIP?: string, enforceNetworkId?: string | null, enforceUserId?: string | null, callerAlias?: string | null): McpServer {
   const server = new McpServer({
     name: "commhub",
     version: "0.5.0",
   });
-  registerTools(server, clientIP, enforceNetworkId, enforceUserId);
+  registerTools(server, clientIP, enforceNetworkId, enforceUserId, callerAlias);
   return server;
 }
 
@@ -70,15 +70,15 @@ function requireAuth(req: Request): Response | null {
   return Response.json({ error: "unauthorized" }, { status: 401 });
 }
 
-// Extract user + network from request token (for authorization)
-function resolveRequestAuth(req: Request): { userId: string; networkId: string | null; username: string } | null {
+// Extract user + network + token-binding identity from request token.
+function resolveRequestAuth(req: Request): { userId: string; networkId: string | null; username: string; tokenName: string | null } | null {
   const header = req.headers.get("Authorization")?.replace("Bearer ", "");
   const url = new URL(req.url);
   const token = header || url.searchParams.get("token") || "";
   if (!token) return null;
   const resolved = resolveToken(token);
   if (!resolved) return null;
-  return { userId: resolved.user.user_id, networkId: resolved.networkId, username: resolved.user.username };
+  return { userId: resolved.user.user_id, networkId: resolved.networkId, username: resolved.user.username, tokenName: resolved.tokenName };
 }
 
 type RestNetworkScope = {
@@ -242,10 +242,15 @@ Bun.serve({
       // (which logs in as a user) cannot call send_task.
       const authCtx = resolveRequestAuth(req);
       const enforceNetId = authCtx?.networkId || null;
+      // Derive the calling alias from the token name (e.g., 'node:视频审查')
+      // so peer agents see the real sender instead of 'hub' on send_task.
+      const callerAlias = authCtx?.tokenName?.startsWith("node:")
+        ? authCtx.tokenName.slice("node:".length)
+        : (authCtx?.username || null);
       const transport = new WebStandardStreamableHTTPServerTransport({
         sessionIdGenerator: undefined,
       });
-      const server = createServer(clientIP, enforceNetId, authCtx?.userId || null);
+      const server = createServer(clientIP, enforceNetId, authCtx?.userId || null, callerAlias);
       await server.connect(transport);
       const response = await transport.handleRequest(req);
       // Disconnect after response to prevent McpServer leak

package/src/tools.ts

@@ -8,7 +8,13 @@ function ts(): string {
   return new Date().toTimeString().slice(0, 8);
 }
 
-export function registerTools(server: McpServer, clientIP?: string, enforceNetworkId?: string | null, enforceUserId?: string | null) {
+export function registerTools(server: McpServer, clientIP?: string, enforceNetworkId?: string | null, enforceUserId?: string | null, callerAlias?: string | null) {
+  // Default from_session for outbound tools — extracted from the calling
+  // token's binding (ntok_ → node alias, utok_ → username). Without this,
+  // an agent's send_task call always claimed from='hub' and peer agents
+  // couldn't tell who actually asked them. Tool callers can still override
+  // by passing from_session explicitly.
+  const defaultFrom = (clientFrom?: string) => clientFrom || callerAlias || "hub";
   // If enforceNetworkId is set, override any client-supplied network_id
   const getNetworkId = (clientNetId?: string | null) => enforceNetworkId ?? clientNetId ?? null;
 
@@ -385,11 +391,11 @@ export function registerTools(server: McpServer, clientIP?: string, enforceNetwo
       task: z.string().min(1).max(10000).describe("Task content"),
       priority: z.enum(["high", "normal", "low"]).optional().default("normal"),
       context: z.string().max(10000).optional(),
-      from_session: z.string().max(200).optional().default("hub"),
+      from_session: z.string().max(200).optional(),
       ttl_seconds: z.number().min(1).max(86400).optional().describe("Task TTL in seconds (default: 3600)"),
       network_id: z.string().max(200).optional().describe("Network scope"),
     },
-    async ({ alias, task, priority, context, from_session, ttl_seconds, network_id: netId }) => {
+    async ({ alias, task, priority, context, from_session: _fromIn, ttl_seconds, network_id: netId }) => { const from_session = defaultFrom(_fromIn);
       const effectiveNetId = getNetworkId(netId);
 
       // Role check: viewer cannot send tasks
@@ -428,12 +434,18 @@ export function registerTools(server: McpServer, clientIP?: string, enforceNetwo
 
       const session = scopedSessionStatus(alias, effectiveNetId);
 
-      // SSE push by alias
+      // SSE push by alias.
+      // The SSE channel is keyed by alias (subscribers connected to /events/<alias>),
+      // not by network_id. Earlier we gated the push on a network-scoped session
+      // lookup, which silently dropped pushes whenever an agent registered with
+      // network_id=null but the sender supplied an explicit network_id (the
+      // exact mismatch hit by Dashboard tasks). Push unconditionally; the
+      // subscriber's own auth (ntok_) constrains who can listen.
       const pendingParams: any[] = [alias];
       let pendingSql = "SELECT COUNT(*) as cnt FROM inbox WHERE session_name = ?1 AND acked = 0";
       pendingSql = addScope(pendingSql, pendingParams, effectiveNetId);
       const pending = db.get<{ cnt: number }>(pendingSql, ...pendingParams);
-      if (session) pushEvent(alias, { type: "new_task", inbox_count: pending?.cnt ?? 1, priority, from: from_session });
+      pushEvent(alias, { type: "new_task", inbox_count: pending?.cnt ?? 1, priority, from: from_session });
 
       return {
         content: [
@@ -456,9 +468,9 @@ export function registerTools(server: McpServer, clientIP?: string, enforceNetwo
     {
       alias: z.string().min(1).max(200).describe("Target session alias"),
       message: z.string().min(1).max(10000).describe("Message content"),
-      from_session: z.string().max(200).optional().default("hub"),
+      from_session: z.string().max(200).optional(),
     },
-    async ({ alias, message, from_session }) => {
+    async ({ alias, message, from_session: _fromIn }) => { const from_session = defaultFrom(_fromIn);
       const effectiveNetId = getNetworkId(null);
       if (!canWrite(effectiveNetId)) return { content: [{ type: "text" as const, text: JSON.stringify({ ok: false, error: "permission_denied" }) }] };
       console.log(`[${ts()}] ${from_session} → send_message → ${alias}: ${message.slice(0, 60)}`);
@@ -471,7 +483,7 @@ export function registerTools(server: McpServer, clientIP?: string, enforceNetwo
 
       const session = scopedSessionStatus(alias, effectiveNetId);
 
-      if (session) pushEvent(alias, { type: "new_message", message, from: from_session, message_id: id });
+      pushEvent(alias, { type: "new_message", message, from: from_session, message_id: id });
 
       return {
         content: [
@@ -497,9 +509,9 @@ export function registerTools(server: McpServer, clientIP?: string, enforceNetwo
       text: z.string().min(1).max(10000).describe("Reply content"),
       in_reply_to: z.string().max(200).optional().describe("Original task/message ID"),
       status: z.enum(["replied", "failed", "cancelled"]).optional().default("replied").describe("Task outcome"),
-      from_session: z.string().max(200).optional().default("hub"),
+      from_session: z.string().max(200).optional(),
     },
-    async ({ alias, text, in_reply_to, status: replyStatus, from_session }) => {
+    async ({ alias, text, in_reply_to, status: replyStatus, from_session: _fromIn }) => { const from_session = defaultFrom(_fromIn);
       const effectiveNetId = getNetworkId(null);
       if (!canWrite(effectiveNetId)) return { content: [{ type: "text" as const, text: JSON.stringify({ ok: false, error: "permission_denied" }) }] };
       console.log(`[${ts()}] ${from_session} → send_reply (${replyStatus}) → ${alias}: ${text.slice(0, 60)}`);
@@ -531,7 +543,7 @@ export function registerTools(server: McpServer, clientIP?: string, enforceNetwo
       if (replyLogged && in_reply_to) logTaskEvent(in_reply_to, null, replyStatus, from_session, text.slice(0, 200));
 
       const session = scopedSessionStatus(alias, effectiveNetId);
-      if (session) pushEvent(alias, { type: "new_reply", from: from_session, message_id: id, in_reply_to, status: replyStatus });
+      pushEvent(alias, { type: "new_reply", from: from_session, message_id: id, in_reply_to, status: replyStatus });
 
       return {
         content: [{
@@ -548,9 +560,9 @@ export function registerTools(server: McpServer, clientIP?: string, enforceNetwo
     "Acknowledge receipt of a task. Does NOT enter inbox. Updates task status only.",
     {
       task_id: z.string().min(1).max(200).describe("Task ID to acknowledge"),
-      from_session: z.string().max(200).optional().default("hub"),
+      from_session: z.string().max(200).optional(),
     },
-    async ({ task_id, from_session }) => {
+    async ({ task_id, from_session: _fromIn }) => { const from_session = defaultFrom(_fromIn);
       const effectiveNetId = getNetworkId(null);
       if (!canWrite(effectiveNetId)) return { content: [{ type: "text" as const, text: JSON.stringify({ ok: false, error: "permission_denied" }) }] };
       console.log(`[${ts()}] ${from_session} → send_ack → task ${task_id.slice(0, 8)}`);
@@ -574,9 +586,9 @@ export function registerTools(server: McpServer, clientIP?: string, enforceNetwo
     "Retry a failed, expired, or cancelled task. Resets status to delivered and re-queues in inbox.",
     {
       task_id: z.string().min(1).max(200).describe("Task ID to retry"),
-      from_session: z.string().max(200).optional().default("hub"),
+      from_session: z.string().max(200).optional(),
     },
-    async ({ task_id, from_session }) => {
+    async ({ task_id, from_session: _fromIn }) => { const from_session = defaultFrom(_fromIn);
       const effectiveNetId = getNetworkId(null);
       if (!canWrite(effectiveNetId)) return { content: [{ type: "text" as const, text: JSON.stringify({ ok: false, error: "permission_denied" }) }] };
       console.log(`[${ts()}] ${from_session} → retry_task → ${task_id.slice(0, 8)}`);
@@ -607,10 +619,8 @@ export function registerTools(server: McpServer, clientIP?: string, enforceNetwo
         );
       });
       logTaskEvent(task_id, task.status, "delivered", from_session, "retry");
-      // SSE push
-      if (scopedSessionStatus(task.to_name, effectiveNetId ?? task.network_id)) {
-        pushEvent(task.to_name, { type: "new_task", inbox_count: 1, priority: task.priority, from: from_session });
-      }
+      // SSE push (unconditional — channel is keyed by alias, not network)
+      pushEvent(task.to_name, { type: "new_task", inbox_count: 1, priority: task.priority, from: from_session });
       return {
         content: [{ type: "text" as const, text: JSON.stringify({ ok: true, task_id, retried_to: task.to_name }) }],
       };
@@ -685,9 +695,9 @@ export function registerTools(server: McpServer, clientIP?: string, enforceNetwo
     {
       task_id: z.string().min(1).max(200).describe("Task ID to cancel"),
       reason: z.string().max(1000).optional().describe("Cancellation reason"),
-      from_session: z.string().max(200).optional().default("hub"),
+      from_session: z.string().max(200).optional(),
     },
-    async ({ task_id, reason, from_session }) => {
+    async ({ task_id, reason, from_session: _fromIn }) => { const from_session = defaultFrom(_fromIn);
       const effectiveNetId = getNetworkId(null);
       if (!canWrite(effectiveNetId)) return { content: [{ type: "text" as const, text: JSON.stringify({ ok: false, error: "permission_denied" }) }] };
       console.log(`[${ts()}] ${from_session} → cancel_task → ${task_id.slice(0, 8)}`);
@@ -717,9 +727,9 @@ export function registerTools(server: McpServer, clientIP?: string, enforceNetwo
     {
       task_id: z.string().min(1).max(200).describe("Task ID to reassign"),
       new_alias: z.string().min(1).max(200).describe("Target agent alias"),
-      from_session: z.string().max(200).optional().default("hub"),
+      from_session: z.string().max(200).optional(),
     },
-    async ({ task_id, new_alias, from_session }) => {
+    async ({ task_id, new_alias, from_session: _fromIn }) => { const from_session = defaultFrom(_fromIn);
       const effectiveNetId = getNetworkId(null);
       if (!canWrite(effectiveNetId)) return { content: [{ type: "text" as const, text: JSON.stringify({ ok: false, error: "permission_denied" }) }] };
       console.log(`[${ts()}] ${from_session} → reassign_task → ${task_id.slice(0, 8)} → ${new_alias}`);
@@ -749,9 +759,7 @@ export function registerTools(server: McpServer, clientIP?: string, enforceNetwo
           [newInboxId, new_alias, task.priority, task.content, from_session, effectiveNetId ?? task.network_id ?? null]);
       });
       logTaskEvent(task_id, task.status, "delivered", from_session, `reassign: ${oldAlias} → ${new_alias}`);
-      if (scopedSessionStatus(new_alias, effectiveNetId ?? task.network_id)) {
-        pushEvent(new_alias, { type: "new_task", inbox_count: 1, priority: task.priority, from: from_session });
-      }
+      pushEvent(new_alias, { type: "new_task", inbox_count: 1, priority: task.priority, from: from_session });
       return { content: [{ type: "text" as const, text: JSON.stringify({ ok: true, task_id, reassigned_from: oldAlias, reassigned_to: new_alias }) }] };
     }
   );