@sleep2agi/commhub-server 0.5.0-preview.9 → 0.5.1

package/README.md

@@ -1,98 +1,157 @@
 # @sleep2agi/commhub-server
 
-AI Agent 通信中枢 — MCP Server + SSE Push + REST API。
+CommHub: MCP Streamable HTTP + SSE push + REST API for an AI agent network. Single-process Bun server, SQLite-backed, zero config.
 
-## 快速启动
+**v0.5.0 stable.** The supported path is to install the `anet` CLI (`@sleep2agi/agent-network` 2.0.0) and run `anet hub start`, which wires up port, default account, and config for you.
+
+## Quick start (verified)
 
 ```bash
-# 需要 Bun
+# Recommended — through the anet CLI
+npm install -g @sleep2agi/agent-network
+anet hub start
+#   • http://127.0.0.1:9200 (also bound to LAN)
+#   • SQLite at ~/.commhub/commhub.db
+#   • Default admin account auto-created: admin / anethub
+#   • Reset hint printed in the launch banner
+
+# Or directly via bunx (Bun required)
 bunx @sleep2agi/commhub-server
 
-# 或指定端口 + auth
+# With custom port / auth token
 PORT=9200 COMMHUB_AUTH_TOKEN=your-secret bunx @sleep2agi/commhub-server
 ```
 
-启动后:
-- MCP: `http://0.0.0.0:9200/mcp` (Claude Code / Codex 连接)
-- SSE: `http://0.0.0.0:9200/events/:alias` (Agent 实时推送)
-- REST: `http://0.0.0.0:9200/api/*` (Dashboard / 监控)
-- Health: `http://0.0.0.0:9200/health`
-
-## MCP 工具 (17 个)
-
-### Agent 端 (从 Agent 调用)
-| 工具 | 说明 |
-|------|------|
-| `report_status` | 心跳 + 状态更新 (idle/working/blocked/error/offline) |
-| `report_completion` | 任务完成汇报 |
-| `get_inbox` | 拉取待办任务 |
-| `ack_inbox` | 确认收到任务 |
-
-### Hub 端 (从指挥室 / Dashboard 调用)
-| 工具 | 说明 |
-|------|------|
-| `send_task` | 下发任务 (+ 可选 ttl_seconds) |
-| `send_message` | 发消息 (不触发 Agent 处理) |
-| `send_reply` | 回复任务 (replied/failed/cancelled + in_reply_to) |
-| `send_ack` | 确认任务 (不入 inbox) |
-| `retry_task` | 重试失败/过期/取消的任务 |
-| `cancel_task` | 取消待处理任务 |
-| `reassign_task` | 转移任务到另一个 Agent |
-| `get_task` | 查询任务详情 |
-| `get_all_status` | 全局状态面板 |
-| `get_session_status` | 单 session 详情 |
-| `broadcast` | 群发消息 |
+Once running:
+
+| Surface | URL |
+|---|---|
+| Health | `GET /health` |
+| MCP (Streamable HTTP) | `POST /mcp` |
+| SSE per-agent push | `GET /events/:alias` |
+| REST | `/api/*` |
+
+## Pairs with
+
+| Package | Version |
+|---|---|
+| [`@sleep2agi/agent-network`](https://www.npmjs.com/package/@sleep2agi/agent-network) | 2.0.0 |
+| [`@sleep2agi/agent-network-dashboard`](https://www.npmjs.com/package/@sleep2agi/agent-network-dashboard) | 0.1.0 |
+| [`@sleep2agi/agent-node`](https://www.npmjs.com/package/@sleep2agi/agent-node) | 2.1.1 |
+
+## MCP tools (18)
+
+### Agent-side
+| Tool | Description |
+|---|---|
+| `report_status` | Heartbeat + status (idle / working / blocked / error / offline) |
+| `report_completion` | Final completion payload |
+| `get_inbox` | Pull pending tasks |
+| `ack_inbox` | Acknowledge receipt |
+
+### Hub-side (used by Dashboard, Claude Code, peer agents)
+| Tool | Description |
+|---|---|
+| `send_task` | Dispatch a task (supports `ttl_seconds`) |
+| `send_message` | Send a chat message (no task lifecycle) |
+| `send_reply` | Reply to a task (`replied` / `failed` / `cancelled`, plus `in_reply_to`) |
+| `send_ack` | Acknowledge without inbox |
+| `retry_task` | Retry failed / expired / cancelled tasks |
+| `cancel_task` | Cancel a pending task |
+| `reassign_task` | Move a task to a different agent |
+| `get_task` | Fetch task details (used by peer-coordination polling) |
+| `get_all_status` | Global presence panel |
+| `get_session_status` | Per-session detail |
+| `broadcast` | Group send |
+| `list_tasks` | Task list, filterable by `network_id` |
+| `get_completions` | Completion history |
 
 ## REST API
 
-| 端点 | 方法 | 说明 |
-|------|------|------|
-| `/health` | GET | 健康检查 (无需 auth) |
-| `/api/status` | GET | 所有 session |
-| `/api/tasks` | GET | 任务列表 (支持 status/from_name/to_name/task_id/limit 过滤) |
-| `/api/nodes` | GET | 节点持久化信息 |
-| `/api/task_events` | GET | 任务审计日志 |
-| `/api/messages` | GET | 消息列表 |
-| `/api/completions` | GET | 完成记录 |
-| `/mcp` | POST | MCP Streamable HTTP |
-
-## 数据库 (6 表)
-
-SQLite WAL 模式, 自动创建在 `~/.commhub/commhub.db`
-
-| 表 | 说明 |
-|---|------|
-| `sessions` | 运行时 session (21 列, 含 node_id/session_id/channels) |
-| `inbox` | 消息队列 (13 列, 含 in_reply_to/scope) |
-| `tasks` | 任务生命周期 (17 列, 完整状态机) |
-| `nodes` | 持久化节点身份 (11 列, 独立于 session) |
-| `completions` | 完成记录 (7 列) |
-| `task_events` | 审计日志 (7 列, 每次状态变化记录) |
-
-任务状态机:
+The server exposes ~33 endpoints across health, auth, networks, and observability surfaces. The endpoints in use today by the verified flow are:
+
+| Method | Endpoint | Notes |
+|---|---|---|
+| GET | `/health` | No auth |
+| POST | `/mcp` | MCP entry |
+| POST | `/api/auth/register` | Bootstrap admin |
+| POST | `/api/auth/login` | Returns user token |
+| GET | `/api/auth/me` | Current user |
+| PUT | `/api/auth/me` | Edit profile |
+| POST | `/api/auth/password` | Change password |
+| GET / POST / DELETE | `/api/auth/tokens[…]` | Manage API tokens |
+| GET | `/api/status` | Sessions snapshot |
+| GET | `/api/tasks` | Task list (Dashboard) |
+| GET | `/api/messages` | Message list (Dashboard) |
+| GET | `/api/nodes` | Node directory |
+| GET | `/api/stats` | Aggregate stats |
+| GET | `/api/audit-log` | Audit trail |
+
+Network-management endpoints (`/api/networks…`) and `/api/license[…]` are present but are **not** part of the v2.0.0 verified flow — see *Not verified* below.
+
+Auth: `Authorization: Bearer <token>` header, or `?token=<token>` query.
+
+## SQLite schema (13 tables)
+
+Auto-created on first run.
+
+| Table | Purpose |
+|---|---|
+| `sessions` | Live agent sessions |
+| `inbox` | Pending messages and tasks |
+| `tasks` | Task state machine |
+| `nodes` | Persistent node identity |
+| `completions` | Final completion records |
+| `task_events` | Per-state audit |
+| `users` | Accounts |
+| `networks` | Workspaces |
+| `api_tokens` | `utok_` / `ntok_` / `atok_` tokens |
+| `audit_log` | Operation audit |
+| `licenses` | License placeholder |
+| `network_members` | Workspace membership |
+| `network_invites` | Invite codes |
+
+Task state machine:
+
 ```
 created → delivered → acked → running → replied
                                       → failed → retry → delivered
                                       → cancelled
-delivered → expired (5min patrol)
-delivered/acked/running → reassign → delivered (新agent)
+delivered → expired (5min watchdog)
+delivered/acked/running → reassign → delivered (new agent)
+```
+
+## PostgreSQL (experimental)
+
+Set `DATABASE_URL` to switch to PostgreSQL — the SQL layer auto-translates SQLite-isms (datetime, parameter placeholders) so application code is unchanged. Requires `bun add pg`. **Not in the v2.0.0 verified path.**
+
+```bash
+DATABASE_URL=postgres://user:pass@host:5432/commhub bunx @sleep2agi/commhub-server
 ```
 
-## 环境变量
+## Environment
+
+| Variable | Default | Notes |
+|---|---|---|
+| `PORT` | `9200` | listen port |
+| `HOST` | `0.0.0.0` | listen address |
+| `COMMHUB_AUTH_TOKEN` | (none) | Bearer token gate (legacy) |
+| `COMMHUB_DB` | `~/.commhub/commhub.db` | SQLite path |
+| `DATABASE_URL` | (none) | switches to PostgreSQL when set (unverified) |
+
+## Auth modes
+
+1. **V3 user system (default)** — `POST /api/auth/register` and `/api/auth/login` issue `utok_…` tokens; nodes get `ntok_…`.
+2. **Legacy global token** — set `COMMHUB_AUTH_TOKEN` and pass it as Bearer / query.
 
-| 变量 | 默认 | 说明 |
-|------|------|------|
-| `PORT` | 9200 | 监听端口 |
-| `HOST` | 0.0.0.0 | 监听地址 |
-| `COMMHUB_AUTH_TOKEN` | (无) | Bearer token 鉴权 |
-| `COMMHUB_DB` | ~/.commhub/commhub.db | 数据库路径 |
+`/health` is always public.
 
-## 鉴权
+## Not verified
 
-设置 `COMMHUB_AUTH_TOKEN` 后, 所有端点需要 Bearer token:
-- Header: `Authorization: Bearer <token>`
-- 或 Query: `?token=<token>`
-- `/health` 不需要 auth
+- `/api/networks*` (multi-network create / invite / member management) — code present, not E2E regressed.
+- `/api/license*` — placeholder for a future paid tier.
+- PostgreSQL backend — translation layer exists, no E2E run.
+- Telegram / WeChat / Feishu channel endpoints — out of scope for v2.0.0 verification.
 
 ## License
 

package/package.json

@@ -1,7 +1,7 @@
 {
   "name": "@sleep2agi/commhub-server",
-  "version": "0.5.0-preview.9",
-  "description": "CommHub MCP Server — AI Agent communication hub with SSE push, MCP protocol, and REST API",
+  "version": "0.5.1",
+  "description": "CommHub Server \u2014 AI Agent communication hub with MCP protocol, multi-network isolation, user auth, and 18 MCP tools.",
   "type": "module",
   "main": "src/index.ts",
   "bin": {
@@ -21,16 +21,18 @@
     "agent",
     "ai",
     "sse",
-    "claude",
+    "server",
     "orchestration",
-    "communication",
-    "hub"
+    "multi-network",
+    "auth",
+    "license"
   ],
   "author": "sleep2agi",
   "license": "MIT",
+  "homepage": "https://anet.vansin.me",
   "repository": {
     "type": "git",
-    "url": "https://github.com/sleep2agi/agent-comm-hub",
+    "url": "https://github.com/sleep2agi/agent-network",
     "directory": "server"
   },
   "engines": {
@@ -39,4 +41,4 @@
   "dependencies": {
     "@modelcontextprotocol/sdk": "^1.12.0"
   }
-}
+}

package/src/auth.ts

@@ -1,7 +1,7 @@
 /**
  * V3 Auth module — user registration, login, token management
  */
-import { db, generateId, hashPassword, hashToken, generateToken, uuidv4 } from "./db.js";
+import { db, generateId, hashPassword, hashToken, generateToken, generateUserToken, generateNetworkToken, uuidv4 } from "./db.js";
 
 export interface AuthUser {
   user_id: string;
@@ -15,92 +15,125 @@ export interface AuthResult {
   ok: boolean;
   error?: string;
   user?: AuthUser;
-  token?: string;
+  token?: string;           // user token (utok_)
+  network_token?: string;   // network token (ntok_) for default network
+  network_id?: string;
 }
 
 export function register(username: string, password: string, email?: string, displayName?: string): AuthResult {
   if (!username || username.length < 2) return { ok: false, error: "username must be at least 2 characters" };
+  if (username.length > 50) return { ok: false, error: "username too long (max 50)" };
   if (!password || password.length < 6) return { ok: false, error: "password must be at least 6 characters" };
   if (!/^[a-zA-Z0-9_\-\u4e00-\u9fff]+$/.test(username)) return { ok: false, error: "username contains invalid characters" };
 
-  const existing = db.query<any, [string]>("SELECT user_id FROM users WHERE username = ?1").get(username);
+  const existing = db.get<any>("SELECT user_id FROM users WHERE username = ?1", username);
   if (existing) return { ok: false, error: "username already taken" };
 
+  // First user → auto admin
+  const userCount = db.get<{ cnt: number }>("SELECT COUNT(*) as cnt FROM users");
+  const isFirstUser = !userCount || userCount.cnt === 0;
+
   const userId = generateId("u");
   const pwHash = hashPassword(password);
 
   db.run(
-    "INSERT INTO users (user_id, username, password_hash, email, display_name) VALUES (?1, ?2, ?3, ?4, ?5)",
-    [userId, username, pwHash, email || null, displayName || username]
+    "INSERT INTO users (user_id, username, password_hash, email, display_name, role) VALUES (?1, ?2, ?3, ?4, ?5, ?6)",
+    [userId, username, pwHash, email || null, displayName || username, isFirstUser ? "admin" : "user"]
   );
 
-  // Auto-create default network
+  // Auto-create default network + add as owner member
   const networkId = generateId("net");
   db.run(
     "INSERT INTO networks (network_id, network_name, owner_id, description) VALUES (?1, ?2, ?3, ?4)",
     [networkId, "default", userId, "Auto-created default network"]
   );
+  db.run(
+    "INSERT INTO network_members (network_id, user_id, role) VALUES (?1, ?2, 'owner')",
+    [networkId, userId]
+  );
 
-  // Auto-create API token
-  const token = generateToken();
-  const tokenId = generateId("tok");
+  // User token (utok_) — not bound to network, for CLI/Dashboard login
+  const userToken = generateUserToken();
+  const userTokenId = generateId("tok");
+  db.run(
+    "INSERT INTO api_tokens (token_id, token_hash, user_id, network_id, name, scope) VALUES (?1, ?2, ?3, ?4, ?5, ?6)",
+    [userTokenId, hashToken(userToken), userId, null, "user-login", "user"]
+  );
+
+  // Network token (ntok_) — bound to default network, for agent-node
+  const networkToken = generateNetworkToken();
+  const networkTokenId = generateId("tok");
   db.run(
     "INSERT INTO api_tokens (token_id, token_hash, user_id, network_id, name, scope) VALUES (?1, ?2, ?3, ?4, ?5, ?6)",
-    [tokenId, hashToken(token), userId, networkId, "default", "full"]
+    [networkTokenId, hashToken(networkToken), userId, networkId, "default-network", "network"]
   );
 
   return {
     ok: true,
-    user: { user_id: userId, username, display_name: displayName || username, email: email || null, role: "user" },
-    token,
+    user: { user_id: userId, username, display_name: displayName || username, email: email || null, role: isFirstUser ? "admin" : "user" },
+    token: userToken,
+    network_token: networkToken,
+    network_id: networkId,
   };
 }
 
 export function login(username: string, password: string): AuthResult {
-  const user = db.query<any, [string]>(
-    "SELECT user_id, username, password_hash, display_name, email, role FROM users WHERE username = ?1"
-  ).get(username);
+  const user = db.get<any>(
+    "SELECT user_id, username, password_hash, display_name, email, role FROM users WHERE username = ?1",
+    username);
 
   if (!user) return { ok: false, error: "invalid username or password" };
   if (user.password_hash !== hashPassword(password)) return { ok: false, error: "invalid username or password" };
 
-  // Find or create token
-  let tokenRow = db.query<any, [string]>(
-    "SELECT token_id FROM api_tokens WHERE user_id = ?1 ORDER BY created_at DESC LIMIT 1"
-  ).get(user.user_id);
-
-  let token: string;
-  if (tokenRow) {
-    // Generate new token (rotate)
-    token = generateToken();
-    db.run("UPDATE api_tokens SET token_hash = ?1, last_used_at = datetime('now') WHERE token_id = ?2",
-      [hashToken(token), tokenRow.token_id]);
-  } else {
-    token = generateToken();
-    const tokenId = generateId("tok");
-    const networkId = db.query<any, [string]>(
-      "SELECT network_id FROM networks WHERE owner_id = ?1 LIMIT 1"
-    ).get(user.user_id)?.network_id;
-    db.run(
-      "INSERT INTO api_tokens (token_id, token_hash, user_id, network_id, name) VALUES (?1, ?2, ?3, ?4, ?5)",
-      [tokenId, hashToken(token), user.user_id, networkId || null, "login"]
-    );
-  }
+  // Issue a NEW user token — do NOT rotate/invalidate existing ones. Each
+  // login (cli, dashboard, second machine) gets its own row so they don't
+  // kick each other out of session. Tokens can be revoked via /api/auth/tokens.
+  const userToken = generateUserToken();
+  const tokenId = generateId("tok");
+  db.run(
+    "INSERT INTO api_tokens (token_id, token_hash, user_id, network_id, name, scope) VALUES (?1, ?2, ?3, ?4, ?5, ?6)",
+    [tokenId, hashToken(userToken), user.user_id, null, "user-login", "user"]
+  );
+
+  // Find default network
+  const defaultNet = db.get<any>(
+    "SELECT network_id FROM network_members WHERE user_id = ?1 ORDER BY role = 'owner' DESC LIMIT 1",
+    user.user_id);
+  const networkId = defaultNet?.network_id || null;
+
+  // Backward compat: also try old atok_ tokens
+  const token = userToken;
 
   return {
     ok: true,
     user: { user_id: user.user_id, username: user.username, display_name: user.display_name, email: user.email, role: user.role },
     token,
+    network_id: networkId,
   };
 }
 
-export function resolveToken(token: string): { user: AuthUser; networkId: string | null } | null {
+/** Create a network-scoped token (ntok_) for a specific node */
+export function createNetworkTokenForNode(userId: string, networkId: string, nodeName: string): { ok: boolean; token?: string; error?: string } {
+  // Verify user is a member of this network with write access
+  const role = getUserNetworkRole(userId, networkId);
+  if (!role || role === "viewer") return { ok: false, error: "no write access to this network" };
+  const token = generateNetworkToken();
+  const tokenId = generateId("tok");
+  db.run(
+    "INSERT INTO api_tokens (token_id, token_hash, user_id, network_id, name, scope) VALUES (?1, ?2, ?3, ?4, ?5, ?6)",
+    [tokenId, hashToken(token), userId, networkId, `node:${nodeName}`, "network"]
+  );
+  return { ok: true, token };
+}
+
+export function resolveToken(token: string): { user: AuthUser; networkId: string | null; tokenName: string | null } | null {
   const tHash = hashToken(token);
-  const row = db.query<any, [string]>(
-    `SELECT t.user_id, t.network_id, t.scope, u.username, u.display_name, u.email, u.role
+  const row = db.get<any>(
+    `SELECT t.user_id, t.network_id, t.scope, t.name AS token_name,
+            u.username, u.display_name, u.email, u.role
      FROM api_tokens t JOIN users u ON t.user_id = u.user_id
-     WHERE t.token_hash = ?1 AND (t.expires_at IS NULL OR t.expires_at > datetime('now'))`
-  ).get(tHash);
+     WHERE t.token_hash = ?1 AND (t.expires_at IS NULL OR t.expires_at > datetime('now'))`,
+    tHash);
 
   if (!row) return null;
 
@@ -110,19 +143,40 @@ export function resolveToken(token: string): { user: AuthUser; networkId: string
   return {
     user: { user_id: row.user_id, username: row.username, display_name: row.display_name, email: row.email, role: row.role },
     networkId: row.network_id,
+    // tokenName carries the binding identity. For node-scoped ntok_, it's
+    // 'node:<alias>'; we strip the prefix and use it as the default
+    // from_session for any MCP send_task / send_message / etc, so peer
+    // agents see who actually called them (not 'hub').
+    tokenName: row.token_name || null,
   };
 }
 
 export function getUserNetworks(userId: string) {
-  return db.query<any, [string]>(
-    "SELECT * FROM networks WHERE owner_id = ?1 ORDER BY created_at"
-  ).all(userId);
+  return db.all<any>(
+    "SELECT * FROM networks WHERE owner_id = ?1 ORDER BY created_at",
+    userId);
 }
 
+// Quota limits by plan
+const QUOTAS: Record<string, { max_networks_owned: number; max_networks_joined: number }> = {
+  free:  { max_networks_owned: 2, max_networks_joined: 3 },
+  pro:   { max_networks_owned: 10, max_networks_joined: 20 },
+  admin: { max_networks_owned: Infinity, max_networks_joined: Infinity },
+};
+
 export function createNetwork(userId: string, name: string, description?: string) {
-  const existing = db.query<any, [string, string]>(
-    "SELECT network_id FROM networks WHERE owner_id = ?1 AND network_name = ?2"
-  ).get(userId, name);
+  // Quota check
+  const user = db.get<any>("SELECT plan, role FROM users WHERE user_id = ?1", userId);
+  const plan = user?.role === "admin" ? "admin" : (user?.plan || "free");
+  const quota = QUOTAS[plan] || QUOTAS.free;
+  const ownedCount = db.get<{ cnt: number }>("SELECT COUNT(*) as cnt FROM networks WHERE owner_id = ?1", userId);
+  if ((ownedCount?.cnt || 0) >= quota.max_networks_owned) {
+    return { ok: false, error: `quota exceeded: max ${quota.max_networks_owned} networks for ${plan} plan` };
+  }
+
+  const existing = db.get<any>(
+    "SELECT network_id FROM networks WHERE owner_id = ?1 AND network_name = ?2",
+    userId, name);
   if (existing) return { ok: false, error: "network name already exists" };
 
   const networkId = generateId("net");
@@ -130,5 +184,156 @@ export function createNetwork(userId: string, name: string, description?: string
     "INSERT INTO networks (network_id, network_name, owner_id, description) VALUES (?1, ?2, ?3, ?4)",
     [networkId, name, userId, description || null]
   );
+  db.run(
+    "INSERT INTO network_members (network_id, user_id, role) VALUES (?1, ?2, 'owner')",
+    [networkId, userId]
+  );
   return { ok: true, network_id: networkId, network_name: name };
 }
+
+export function listTokens(userId: string) {
+  return db.all<any>(
+    "SELECT token_id, name, scope, network_id, last_used_at, created_at FROM api_tokens WHERE user_id = ?1 ORDER BY created_at DESC",
+    userId);
+}
+
+export function renameNetwork(userId: string, networkId: string, newName: string): { ok: boolean; error?: string } {
+  const net = db.get<any>("SELECT * FROM networks WHERE network_id = ?1", networkId);
+  if (!net) return { ok: false, error: "network not found" };
+  if (net.owner_id !== userId) return { ok: false, error: "not your network" };
+  const dup = db.get<any>("SELECT network_id FROM networks WHERE owner_id = ?1 AND network_name = ?2", userId, newName);
+  if (dup) return { ok: false, error: "name already taken" };
+  db.run("UPDATE networks SET network_name = ?1, updated_at = datetime('now') WHERE network_id = ?2", [newName, networkId]);
+  return { ok: true };
+}
+
+export function deleteNetwork(userId: string, networkId: string): { ok: boolean; error?: string } {
+  const net = db.get<any>("SELECT * FROM networks WHERE network_id = ?1", networkId);
+  if (!net) return { ok: false, error: "network not found" };
+  if (net.owner_id !== userId) return { ok: false, error: "not your network" };
+  // Check if any sessions/tasks still reference this network
+  const sessions = db.get<{ cnt: number }>("SELECT COUNT(*) as cnt FROM sessions WHERE network_id = ?1", networkId);
+  if (sessions && sessions.cnt > 0) return { ok: false, error: `network has ${sessions.cnt} active session(s) — stop them first` };
+  db.run("DELETE FROM networks WHERE network_id = ?1 AND owner_id = ?2", [networkId, userId]);
+  return { ok: true };
+}
+
+export function createToken(userId: string, name: string, networkId?: string): { ok: boolean; token?: string; token_id?: string; error?: string } {
+  // Security: verify user is a member of the target network
+  if (networkId) {
+    const role = getUserNetworkRole(userId, networkId);
+    if (!role) return { ok: false, error: "not a member of this network" };
+    if (role === "viewer") return { ok: false, error: "viewer cannot create full-access network tokens" };
+  }
+  const token = generateToken();
+  const tokenId = generateId("tok");
+  db.run(
+    "INSERT INTO api_tokens (token_id, token_hash, user_id, network_id, name, scope) VALUES (?1, ?2, ?3, ?4, ?5, ?6)",
+    [tokenId, hashToken(token), userId, networkId || null, name, "full"]
+  );
+  return { ok: true, token, token_id: tokenId };
+}
+
+export function revokeToken(userId: string, tokenId: string): { ok: boolean; error?: string } {
+  const result = db.run("DELETE FROM api_tokens WHERE token_id = ?1 AND user_id = ?2", [tokenId, userId]);
+  return result.changes > 0 ? { ok: true } : { ok: false, error: "token not found" };
+}
+
+export function changePassword(userId: string, oldPassword: string, newPassword: string): { ok: boolean; error?: string } {
+  if (!newPassword || newPassword.length < 6) return { ok: false, error: "new password must be at least 6 characters" };
+  const user = db.get<any>("SELECT password_hash FROM users WHERE user_id = ?1", userId);
+  if (!user) return { ok: false, error: "user not found" };
+  if (user.password_hash !== hashPassword(oldPassword)) return { ok: false, error: "incorrect current password" };
+  db.run("UPDATE users SET password_hash = ?1, updated_at = datetime('now') WHERE user_id = ?2", [hashPassword(newPassword), userId]);
+  return { ok: true };
+}
+
+// ══════════════════════════════════════
+//  V3.13: Network Members
+// ══════════════════════════════════════
+
+export function getNetworkMembers(networkId: string) {
+  return db.all<any>(
+    `SELECT nm.user_id, nm.role, nm.joined_at, nm.invited_by, u.username, u.display_name
+     FROM network_members nm JOIN users u ON nm.user_id = u.user_id
+     WHERE nm.network_id = ?1 ORDER BY nm.joined_at`,
+    networkId);
+}
+
+export function getUserNetworkRole(userId: string, networkId: string): string | null {
+  const row = db.get<any>("SELECT role FROM network_members WHERE network_id = ?1 AND user_id = ?2", networkId, userId);
+  return row?.role || null;
+}
+
+export function addNetworkMember(networkId: string, userId: string, role: string, invitedBy?: string): { ok: boolean; error?: string } {
+  const existing = db.get<any>("SELECT 1 FROM network_members WHERE network_id = ?1 AND user_id = ?2", networkId, userId);
+  if (existing) return { ok: false, error: "user already a member" };
+  db.run("INSERT INTO network_members (network_id, user_id, role, invited_by) VALUES (?1, ?2, ?3, ?4)",
+    [networkId, userId, role, invitedBy || null]);
+  return { ok: true };
+}
+
+export function updateMemberRole(networkId: string, userId: string, newRole: string): { ok: boolean; error?: string } {
+  if (newRole === "owner") return { ok: false, error: "cannot assign owner role" };
+  const result = db.run("UPDATE network_members SET role = ?1 WHERE network_id = ?2 AND user_id = ?3 AND role != 'owner'",
+    [newRole, networkId, userId]);
+  return result.changes > 0 ? { ok: true } : { ok: false, error: "member not found or is owner" };
+}
+
+export function removeNetworkMember(networkId: string, userId: string): { ok: boolean; error?: string } {
+  const member = db.get<any>("SELECT role FROM network_members WHERE network_id = ?1 AND user_id = ?2", networkId, userId);
+  if (!member) return { ok: false, error: "not a member" };
+  if (member.role === "owner") return { ok: false, error: "cannot remove owner" };
+  db.run("DELETE FROM network_members WHERE network_id = ?1 AND user_id = ?2", [networkId, userId]);
+  return { ok: true };
+}
+
+// ══════════════════════════════════════
+//  V3.13: Invite Codes
+// ══════════════════════════════════════
+
+export function createInvite(networkId: string, createdBy: string, role: string = "member", maxUses: number = 1, expiresInDays?: number): { ok: boolean; invite_code?: string; error?: string } {
+  if (!["admin", "member", "viewer"].includes(role)) return { ok: false, error: "invalid role" };
+  const code = `inv_${crypto.randomUUID().replace(/-/g, "").slice(0, 12)}`;
+  const expiresAt = expiresInDays ? `datetime('now', '+${expiresInDays} days')` : null;
+  if (expiresAt) {
+    db.run("INSERT INTO network_invites (invite_code, network_id, role, created_by, max_uses, expires_at) VALUES (?1, ?2, ?3, ?4, ?5, datetime('now', ?6))",
+      [code, networkId, role, createdBy, maxUses, `+${expiresInDays} days`]);
+  } else {
+    db.run("INSERT INTO network_invites (invite_code, network_id, role, created_by, max_uses) VALUES (?1, ?2, ?3, ?4, ?5)",
+      [code, networkId, role, createdBy, maxUses]);
+  }
+  return { ok: true, invite_code: code };
+}
+
+export function joinByInvite(inviteCode: string, userId: string): { ok: boolean; network_id?: string; role?: string; error?: string } {
+  const invite = db.get<any>("SELECT * FROM network_invites WHERE invite_code = ?1", inviteCode);
+  if (!invite) return { ok: false, error: "invalid invite code" };
+  if (invite.max_uses > 0 && invite.used_count >= invite.max_uses) return { ok: false, error: "invite code fully used" };
+  if (invite.expires_at) {
+    const now = new Date().toISOString().replace("T", " ").slice(0, 19);
+    if (invite.expires_at < now) return { ok: false, error: "invite code expired" };
+  }
+  // Check not already member
+  const existing = db.get<any>("SELECT 1 FROM network_members WHERE network_id = ?1 AND user_id = ?2", invite.network_id, userId);
+  if (existing) return { ok: false, error: "already a member of this network" };
+  // Add member + increment used count
+  db.run("INSERT INTO network_members (network_id, user_id, role, invited_by) VALUES (?1, ?2, ?3, ?4)",
+    [invite.network_id, userId, invite.role, invite.created_by]);
+  db.run("UPDATE network_invites SET used_count = used_count + 1 WHERE invite_code = ?1", [inviteCode]);
+  // Auto-create a token for this network
+  const token = generateToken();
+  const tokenId = generateId("tok");
+  db.run("INSERT INTO api_tokens (token_id, token_hash, user_id, network_id, name, scope) VALUES (?1, ?2, ?3, ?4, ?5, ?6)",
+    [tokenId, hashToken(token), userId, invite.network_id, "auto-join", "full"]);
+  return { ok: true, network_id: invite.network_id, role: invite.role };
+}
+
+/** Get all networks a user is a member of (replaces owner-only query) */
+export function getUserAllNetworks(userId: string) {
+  return db.all<any>(
+    `SELECT n.*, nm.role as member_role
+     FROM networks n JOIN network_members nm ON n.network_id = nm.network_id
+     WHERE nm.user_id = ?1 ORDER BY nm.role = 'owner' DESC, n.created_at`,
+    userId);
+}