@sleep2agi/commhub-server 0.8.1-preview.2 → 0.8.1-preview.4

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@sleep2agi/commhub-server",
-  "version": "0.8.1-preview.2",
+  "version": "0.8.1-preview.4",
   "description": "CommHub Server — AI Agent communication hub with MCP protocol, multi-network isolation, user auth, and 17 MCP tools.",
   "type": "module",
   "main": "src/index.ts",

package/src/db.ts

@@ -19,6 +19,18 @@ db.exec(`
     output        TEXT,
     progress      INTEGER DEFAULT 0,
     score         REAL,
+    cpu_load_1min REAL,
+    cpu_cores     INTEGER,
+    mem_total_gb  REAL,
+    mem_used_gb   REAL,
+    mem_avail_gb  REAL,
+    disk_total_gb REAL,
+    disk_used_gb  REAL,
+    disk_avail_gb REAL,
+    process_rss_bytes INTEGER,
+    process_cpu_pct REAL,
+    process_uptime_seconds REAL,
+    process_in_flight_count INTEGER,
     network_id    TEXT NOT NULL DEFAULT 'default',
     registered_at TEXT NOT NULL DEFAULT (datetime('now')),
     updated_at    TEXT NOT NULL DEFAULT (datetime('now')),
@@ -55,7 +67,7 @@ db.exec(`
 
 // ── V2 schema migration (ALTER TABLE, safe to re-run) ──
 
-// sessions: add node_id, session_id, config_path, channels, last_seen_at, model
+// sessions: add node_id, session_id, config_path, channels, last_seen_at, model, host telemetry
 for (const col of [
   { name: "node_id", def: "TEXT" },
   { name: "session_id", def: "TEXT" },
@@ -63,10 +75,51 @@ for (const col of [
   { name: "channels", def: "TEXT" },
   { name: "last_seen_at", def: "TEXT" },
   { name: "model", def: "TEXT" },
+  { name: "cpu_load_1min", def: "REAL" },
+  { name: "cpu_cores", def: "INTEGER" },
+  { name: "mem_total_gb", def: "REAL" },
+  { name: "mem_used_gb", def: "REAL" },
+  { name: "mem_avail_gb", def: "REAL" },
+  { name: "disk_total_gb", def: "REAL" },
+  { name: "disk_used_gb", def: "REAL" },
+  { name: "disk_avail_gb", def: "REAL" },
+  { name: "process_rss_bytes", def: "INTEGER" },
+  { name: "process_cpu_pct", def: "REAL" },
+  { name: "process_uptime_seconds", def: "REAL" },
+  { name: "process_in_flight_count", def: "INTEGER" },
 ]) {
   try { db.exec(`ALTER TABLE sessions ADD COLUMN ${col.name} ${col.def}`); } catch {}
 }
 
+db.exec(`
+  CREATE TABLE IF NOT EXISTS agent_telemetry (
+    id                      TEXT PRIMARY KEY,
+    network_id              TEXT NOT NULL DEFAULT 'default',
+    resume_id               TEXT,
+    alias                   TEXT,
+    hostname                TEXT,
+    ip                      TEXT,
+    cpu_load_1min           REAL,
+    cpu_cores               INTEGER,
+    mem_total_gb            REAL,
+    mem_used_gb             REAL,
+    mem_avail_gb            REAL,
+    disk_total_gb           REAL,
+    disk_used_gb            REAL,
+    disk_avail_gb           REAL,
+    process_rss_bytes       INTEGER,
+    process_cpu_pct         REAL,
+    process_uptime_seconds  REAL,
+    process_in_flight_count INTEGER,
+    created_at              TEXT NOT NULL DEFAULT (datetime('now'))
+  );
+
+  CREATE INDEX IF NOT EXISTS idx_agent_telemetry_host_time
+    ON agent_telemetry(network_id, hostname, ip, created_at);
+  CREATE INDEX IF NOT EXISTS idx_agent_telemetry_alias_time
+    ON agent_telemetry(network_id, alias, created_at);
+`);
+
 // inbox: add in_reply_to, requires_response, expires_at, scope
 for (const col of [
   { name: "in_reply_to", def: "TEXT" },
@@ -376,6 +429,19 @@ function migrateSessionsNetworkAliasUnique() {
         config_path   TEXT,
         channels      TEXT,
         last_seen_at  TEXT,
+        model         TEXT,
+        cpu_load_1min REAL,
+        cpu_cores     INTEGER,
+        mem_total_gb  REAL,
+        mem_used_gb   REAL,
+        mem_avail_gb  REAL,
+        disk_total_gb REAL,
+        disk_used_gb  REAL,
+        disk_avail_gb REAL,
+        process_rss_bytes INTEGER,
+        process_cpu_pct REAL,
+        process_uptime_seconds REAL,
+        process_in_flight_count INTEGER,
         network_id    TEXT NOT NULL DEFAULT 'default',
         UNIQUE (network_id, alias)
       )
@@ -384,12 +450,18 @@ function migrateSessionsNetworkAliasUnique() {
       INSERT OR REPLACE INTO sessions_migrated (
         resume_id, alias, tmux_name, server, ip, hostname, agent, project_dir, version,
         status, task, output, progress, score, registered_at, updated_at, node_id,
-        session_id, config_path, channels, last_seen_at, network_id
+        session_id, config_path, channels, last_seen_at, model, cpu_load_1min,
+        cpu_cores, mem_total_gb, mem_used_gb, mem_avail_gb, disk_total_gb,
+        disk_used_gb, disk_avail_gb, process_rss_bytes, process_cpu_pct,
+        process_uptime_seconds, process_in_flight_count, network_id
       )
       SELECT
         resume_id, alias, tmux_name, server, ip, hostname, agent, project_dir, version,
         status, task, output, progress, score, registered_at, updated_at, node_id,
-        session_id, config_path, channels, last_seen_at,
+        session_id, config_path, channels, last_seen_at, model, cpu_load_1min,
+        cpu_cores, mem_total_gb, mem_used_gb, mem_avail_gb, disk_total_gb,
+        disk_used_gb, disk_avail_gb, process_rss_bytes, process_cpu_pct,
+        process_uptime_seconds, process_in_flight_count,
         COALESCE(NULLIF(network_id, ''), 'default')
       FROM sessions
       ORDER BY updated_at

package/src/index.ts

@@ -229,6 +229,104 @@ function singleNetworkId(scope: RestNetworkScope): string | null {
   return null;
 }
 
+function sqliteTime(date: Date): string {
+  return date.toISOString().replace("T", " ").slice(0, 19);
+}
+
+function parseSqliteTime(value: string | null | undefined): number {
+  if (!value) return 0;
+  const normalized = value.includes("T") ? value : `${value.replace(" ", "T")}Z`;
+  const ts = Date.parse(normalized);
+  return Number.isFinite(ts) ? ts : 0;
+}
+
+function cpuPct(load: number | null | undefined, cores: number | null | undefined): number | null {
+  if (typeof load !== "number" || typeof cores !== "number" || cores <= 0) return null;
+  return Math.round((load / cores) * 1000) / 10;
+}
+
+function serverAlertLevel(row: any): { level: "green" | "yellow" | "red"; alerts: string[] } {
+  const alerts: string[] = [];
+  const pct = cpuPct(row?.cpu_load_1min, row?.cpu_cores);
+  if (pct !== null && pct >= 80) alerts.push(`cpu ${pct}%`);
+  if (typeof row?.mem_avail_gb === "number" && row.mem_avail_gb < 0.5) alerts.push(`memory ${row.mem_avail_gb}GB available`);
+  if (typeof row?.disk_avail_gb === "number" && row.disk_avail_gb < 1) alerts.push(`disk ${row.disk_avail_gb}GB available`);
+  if (alerts.length > 0) return { level: "red", alerts };
+
+  if (pct !== null && pct >= 60) alerts.push(`cpu ${pct}%`);
+  if (typeof row?.mem_avail_gb === "number" && row.mem_avail_gb < 1) alerts.push(`memory ${row.mem_avail_gb}GB available`);
+  if (typeof row?.disk_avail_gb === "number" && row.disk_avail_gb < 5) alerts.push(`disk ${row.disk_avail_gb}GB available`);
+  return { level: alerts.length > 0 ? "yellow" : "green", alerts };
+}
+
+function agentHealthChip(status: unknown, lastSeen: string | null | undefined): "online" | "offline" | "stale" {
+  if (String(status || "").toLowerCase() === "offline") return "offline";
+  const ts = parseSqliteTime(lastSeen);
+  if (!ts || Date.now() - ts > 5 * 60 * 1000) return "stale";
+  return "online";
+}
+
+function bucketTelemetry(rows: any[], fromMs: number, bucketMs: number) {
+  const buckets = new Map<number, {
+    ts: number;
+    count: number;
+    cpu_pct_sum: number;
+    cpu_pct_count: number;
+    cpu_load_sum: number;
+    cpu_load_count: number;
+    mem_avail_min: number | null;
+    mem_used_max: number | null;
+    disk_avail_min: number | null;
+    disk_used_max: number | null;
+  }>();
+
+  for (const row of rows) {
+    const ts = parseSqliteTime(row.created_at);
+    if (!ts || ts < fromMs) continue;
+    const bucketTs = Math.floor(ts / bucketMs) * bucketMs;
+    const bucket = buckets.get(bucketTs) ?? {
+      ts: bucketTs,
+      count: 0,
+      cpu_pct_sum: 0,
+      cpu_pct_count: 0,
+      cpu_load_sum: 0,
+      cpu_load_count: 0,
+      mem_avail_min: null,
+      mem_used_max: null,
+      disk_avail_min: null,
+      disk_used_max: null,
+    };
+    bucket.count += 1;
+    const pct = cpuPct(row.cpu_load_1min, row.cpu_cores);
+    if (pct !== null) {
+      bucket.cpu_pct_sum += pct;
+      bucket.cpu_pct_count += 1;
+    }
+    if (typeof row.cpu_load_1min === "number") {
+      bucket.cpu_load_sum += row.cpu_load_1min;
+      bucket.cpu_load_count += 1;
+    }
+    if (typeof row.mem_avail_gb === "number") bucket.mem_avail_min = bucket.mem_avail_min === null ? row.mem_avail_gb : Math.min(bucket.mem_avail_min, row.mem_avail_gb);
+    if (typeof row.mem_used_gb === "number") bucket.mem_used_max = bucket.mem_used_max === null ? row.mem_used_gb : Math.max(bucket.mem_used_max, row.mem_used_gb);
+    if (typeof row.disk_avail_gb === "number") bucket.disk_avail_min = bucket.disk_avail_min === null ? row.disk_avail_gb : Math.min(bucket.disk_avail_min, row.disk_avail_gb);
+    if (typeof row.disk_used_gb === "number") bucket.disk_used_max = bucket.disk_used_max === null ? row.disk_used_gb : Math.max(bucket.disk_used_max, row.disk_used_gb);
+    buckets.set(bucketTs, bucket);
+  }
+
+  return Array.from(buckets.values())
+    .sort((a, b) => a.ts - b.ts)
+    .map((b) => ({
+      ts: new Date(b.ts).toISOString(),
+      count: b.count,
+      cpu_pct: b.cpu_pct_count ? Math.round((b.cpu_pct_sum / b.cpu_pct_count) * 10) / 10 : null,
+      cpu_load_1min: b.cpu_load_count ? Math.round((b.cpu_load_sum / b.cpu_load_count) * 100) / 100 : null,
+      mem_avail_gb: b.mem_avail_min,
+      mem_used_gb: b.mem_used_max,
+      disk_avail_gb: b.disk_avail_min,
+      disk_used_gb: b.disk_used_max,
+    }));
+}
+
 function canRestWriteNetwork(authCtx: { userId: string; networkId: string | null } | null, networkId: string | null, isAdmin: boolean): boolean {
   if (!authCtx) return true; // legacy global token or open dev mode
   if (isAdmin) return true;
@@ -266,7 +364,7 @@ function corsHeaders(req: Request): Record<string, string> {
   const allowed = CORS_ORIGINS.includes(origin) ? origin : "";
   return {
     "Access-Control-Allow-Origin": allowed,
-    "Access-Control-Allow-Methods": "GET, POST, OPTIONS",
+    "Access-Control-Allow-Methods": "GET, POST, PUT, DELETE, OPTIONS",
     "Access-Control-Allow-Headers": "Content-Type, Authorization",
     "Access-Control-Max-Age": "86400",
   };
@@ -841,6 +939,172 @@ Bun.serve({
       return withCors(req, Response.json({ ok: true, sessions, summary }));
     }
 
+    // ── REST: aggregate agents by physical server ──
+    if (url.pathname === "/api/servers") {
+      const cutoff = new Date(Date.now() - 10 * 60 * 1000).toISOString().replace("T", " ").slice(0, 19);
+      const staleParams: any[] = [cutoff];
+      let staleSql = "UPDATE sessions SET status = 'offline' WHERE updated_at < ?1 AND status != 'offline'";
+      staleSql = addNetworkScope(staleSql, staleParams, restScope);
+      db.run(staleSql, staleParams);
+
+      const params: any[] = [];
+      let sql = `
+        SELECT hostname, ip, cpu_load_1min, cpu_cores, mem_avail_gb, mem_used_gb,
+               COALESCE(last_seen_at, updated_at) AS last_seen
+        FROM sessions
+        WHERE 1=1
+      `;
+      sql = addNetworkScope(sql, params, restScope);
+      sql += " ORDER BY COALESCE(last_seen_at, updated_at) DESC";
+
+      const grouped = new Map<string, {
+        hostname: string;
+        ip: string;
+        agent_count: number;
+        cpu_load_1min: number | null;
+        cpu_cores: number | null;
+        mem_avail_gb: number | null;
+        mem_used_gb: number | null;
+        last_seen: string | null;
+      }>();
+
+      for (const row of db.all<any>(sql, ...params)) {
+        const hostname = row.hostname || "unknown";
+        const ip = row.ip || "unknown";
+        const key = `${hostname}\u0000${ip}`;
+        const existing = grouped.get(key);
+        if (existing) {
+          existing.agent_count += 1;
+          continue;
+        }
+        grouped.set(key, {
+          hostname,
+          ip,
+          agent_count: 1,
+          cpu_load_1min: row.cpu_load_1min ?? null,
+          cpu_cores: row.cpu_cores ?? null,
+          mem_avail_gb: row.mem_avail_gb ?? null,
+          mem_used_gb: row.mem_used_gb ?? null,
+          last_seen: row.last_seen ?? null,
+        });
+      }
+
+      return withCors(req, Response.json(Array.from(grouped.values())));
+    }
+
+    const serverDetailMatch = url.pathname.match(/^\/api\/server\/([^/]+)\/(health|agents)$/);
+    if (serverDetailMatch && req.method === "GET") {
+      const host = decodeURIComponent(serverDetailMatch[1]);
+      const detailKind = serverDetailMatch[2];
+      if (!host) return withCors(req, Response.json({ ok: false, error: "host required" }, { status: 400 }));
+
+      const cutoff = sqliteTime(new Date(Date.now() - 10 * 60 * 1000));
+      const staleParams: any[] = [cutoff];
+      let staleSql = "UPDATE sessions SET status = 'offline' WHERE updated_at < ?1 AND status != 'offline'";
+      staleSql = addNetworkScope(staleSql, staleParams, restScope);
+      db.run(staleSql, staleParams);
+
+      if (detailKind === "agents") {
+        const params: any[] = [host, host];
+        let sql = `
+          SELECT alias, agent, status, task, progress, model, hostname, ip,
+                 cpu_load_1min, cpu_cores, mem_avail_gb, mem_used_gb, mem_total_gb,
+                 disk_avail_gb, disk_used_gb, disk_total_gb,
+                 process_rss_bytes, process_cpu_pct, process_uptime_seconds, process_in_flight_count,
+                 COALESCE(last_seen_at, updated_at) AS last_seen
+          FROM sessions
+          WHERE (hostname = ?1 OR ip = ?2)
+        `;
+        sql = addNetworkScope(sql, params, restScope);
+        sql += " ORDER BY alias";
+        const agents = db.all<any>(sql, ...params).map((s) => ({
+          alias: s.alias,
+          runtime: normalizeRuntime(s.agent),
+          raw_agent: s.agent ?? null,
+          model: s.model ?? null,
+          status: s.status ?? "offline",
+          task: s.task ?? null,
+          progress: s.progress ?? 0,
+          last_seen: s.last_seen ?? null,
+          health: agentHealthChip(s.status, s.last_seen),
+          hostname: s.hostname ?? null,
+          ip: s.ip ?? null,
+          telemetry: {
+            cpu_load_1min: s.cpu_load_1min ?? null,
+            cpu_cores: s.cpu_cores ?? null,
+            cpu_pct: cpuPct(s.cpu_load_1min, s.cpu_cores),
+            mem_total_gb: s.mem_total_gb ?? null,
+            mem_used_gb: s.mem_used_gb ?? null,
+            mem_avail_gb: s.mem_avail_gb ?? null,
+            disk_total_gb: s.disk_total_gb ?? null,
+            disk_used_gb: s.disk_used_gb ?? null,
+            disk_avail_gb: s.disk_avail_gb ?? null,
+            process_rss_bytes: s.process_rss_bytes ?? null,
+            process_cpu_pct: s.process_cpu_pct ?? null,
+            process_uptime_seconds: s.process_uptime_seconds ?? null,
+            process_in_flight_count: s.process_in_flight_count ?? null,
+          },
+        }));
+        if (agents.length === 0) return withCors(req, Response.json({ ok: false, error: "server not found" }, { status: 404 }));
+        return withCors(req, Response.json({ ok: true, host, agent_count: agents.length, agents }));
+      }
+
+      const latestParams: any[] = [host, host];
+      let latestSql = `
+        SELECT hostname, ip, COUNT(*) OVER () AS agent_count,
+               cpu_load_1min, cpu_cores, mem_total_gb, mem_used_gb, mem_avail_gb,
+               disk_total_gb, disk_used_gb, disk_avail_gb,
+               COALESCE(last_seen_at, updated_at) AS last_seen
+        FROM sessions
+        WHERE (hostname = ?1 OR ip = ?2)
+      `;
+      latestSql = addNetworkScope(latestSql, latestParams, restScope);
+      latestSql += " ORDER BY COALESCE(last_seen_at, updated_at) DESC LIMIT 1";
+      const latest = db.get<any>(latestSql, ...latestParams);
+      if (!latest) return withCors(req, Response.json({ ok: false, error: "server not found" }, { status: 404 }));
+
+      const since24h = sqliteTime(new Date(Date.now() - 24 * 60 * 60 * 1000));
+      const histParams: any[] = [host, host, since24h];
+      let histSql = `
+        SELECT created_at, cpu_load_1min, cpu_cores, mem_total_gb, mem_used_gb, mem_avail_gb,
+               disk_total_gb, disk_used_gb, disk_avail_gb
+        FROM agent_telemetry
+        WHERE (hostname = ?1 OR ip = ?2) AND created_at >= ?3
+      `;
+      histSql = addNetworkScope(histSql, histParams, restScope);
+      histSql += " ORDER BY created_at ASC";
+      const historyRows = db.all<any>(histSql, ...histParams);
+      const now = Date.now();
+      const alert = serverAlertLevel(latest);
+
+      return withCors(req, Response.json({
+        ok: true,
+        host,
+        hostname: latest.hostname ?? null,
+        ip: latest.ip ?? null,
+        agent_count: latest.agent_count ?? 0,
+        alert_level: alert.level,
+        alerts: alert.alerts,
+        latest: {
+          cpu_load_1min: latest.cpu_load_1min ?? null,
+          cpu_cores: latest.cpu_cores ?? null,
+          cpu_pct: cpuPct(latest.cpu_load_1min, latest.cpu_cores),
+          mem_total_gb: latest.mem_total_gb ?? null,
+          mem_used_gb: latest.mem_used_gb ?? null,
+          mem_avail_gb: latest.mem_avail_gb ?? null,
+          disk_total_gb: latest.disk_total_gb ?? null,
+          disk_used_gb: latest.disk_used_gb ?? null,
+          disk_avail_gb: latest.disk_avail_gb ?? null,
+          last_seen: latest.last_seen ?? null,
+        },
+        history: {
+          "5m": bucketTelemetry(historyRows, now - 5 * 60 * 1000, 60 * 1000),
+          "1h": bucketTelemetry(historyRows, now - 60 * 60 * 1000, 5 * 60 * 1000),
+          "24h": bucketTelemetry(historyRows, now - 24 * 60 * 60 * 1000, 60 * 60 * 1000),
+        },
+      }));
+    }
+
     // ── REST: send task ──
     if (url.pathname === "/api/task" && req.method === "POST") {
       let raw: unknown;
@@ -1109,6 +1373,52 @@ Bun.serve({
       return withCors(req, Response.json({ ok: true, events: rows, count: rows.length }));
     }
 
+    // ── REST: delete node (Dashboard/CLI remote cleanup) ──
+    const nodeDeleteMatch = url.pathname.match(/^\/api\/nodes\/([^/]+)$/);
+    if (nodeDeleteMatch && req.method === "DELETE") {
+      const ref = decodeURIComponent(nodeDeleteMatch[1]);
+      const params: any[] = [ref, ref, ref];
+      let sql = "SELECT * FROM nodes WHERE (node_id = ?1 OR node_name = ?2 OR alias = ?3)";
+      sql = addNetworkScope(sql, params, restScope);
+      sql += " ORDER BY updated_at DESC LIMIT 1";
+      const node = db.get<any>(sql, ...params);
+      if (!node) return withCors(req, Response.json({ ok: false, error: "node not found" }, { status: 404 }));
+
+      const nodeNetId = node.network_id ?? singleNetworkId(restScope);
+      if (!canRestWriteNetwork(restAuth, nodeNetId, isAdmin)) {
+        return withCors(req, Response.json({ ok: false, error: "permission_denied" }, { status: 403 }));
+      }
+
+      db.transaction(() => {
+        db.run("DELETE FROM nodes WHERE node_id = ?1", [node.node_id]);
+        if (node.alias) {
+          db.run(
+            "DELETE FROM sessions WHERE alias = ?1 AND (network_id = ?2 OR (?2 IS NULL AND network_id IS NULL))",
+            [node.alias, node.network_id ?? null]
+          );
+        }
+      });
+
+      if (node.alias) {
+        pushEvent(node.alias, {
+          type: "node_deleted",
+          node_id: node.node_id,
+          node_name: node.node_name,
+          alias: node.alias,
+          network_id: node.network_id ?? null,
+        }, node.network_id ?? null);
+      }
+
+      return withCors(req, Response.json({
+        ok: true,
+        deleted: true,
+        node_id: node.node_id,
+        node_name: node.node_name,
+        alias: node.alias,
+        network_id: node.network_id ?? null,
+      }));
+    }
+
     // ── REST: nodes table (V2 Sprint 2) ──
     if (url.pathname === "/api/nodes") {
       const nodeId = url.searchParams.get("node_id");

package/src/tools.ts

@@ -29,6 +29,16 @@ export function registerTools(server: McpServer, clientIP?: string, enforceNetwo
     return !!role && role !== "viewer"; // owner/admin/member can write
   };
 
+  const writeDeniedReply = (effectiveNetworkId?: string | null, action = "write") => {
+    const netId = enforceNetworkId ?? effectiveNetworkId ?? null;
+    const message = !netId
+      ? "network_id required (utok current_network is null; pass explicit network_id from /api/auth/me networks[0].network_id)"
+      : action === "send_task"
+        ? "Viewer role cannot send tasks"
+        : "Viewer role cannot write to this network";
+    return { content: [{ type: "text" as const, text: JSON.stringify({ ok: false, error: "permission_denied", message }) }] };
+  };
+
   const addScope = (sql: string, params: any[], networkId?: string | null, column = "network_id"): string => {
     if (!networkId) return sql;
     sql += ` AND ${column} = ?${params.length + 1}`;
@@ -109,25 +119,57 @@ export function registerTools(server: McpServer, clientIP?: string, enforceNetwo
       model: z.string().max(200).optional().describe("AI model name"),
       node_name: z.string().max(200).optional().describe("Stable node display name (may differ from alias)"),
       network_id: z.string().max(200).optional().describe("Network this agent belongs to"),
+      host: z.object({
+        hostname: z.string().max(200).optional(),
+        ip: z.string().max(200).optional(),
+        cpu_load_1min: z.number().nullable().optional(),
+        cpu_cores: z.number().nullable().optional(),
+        mem_total_gb: z.number().nullable().optional(),
+        mem_used_gb: z.number().nullable().optional(),
+        mem_avail_gb: z.number().nullable().optional(),
+        disk_total_gb: z.number().nullable().optional(),
+        disk_used_gb: z.number().nullable().optional(),
+        disk_avail_gb: z.number().nullable().optional(),
+      }).optional().describe("Host telemetry reported by agent-node"),
+      process_telemetry: z.object({
+        rss: z.number().nullable().optional(),
+        cpu_pct: z.number().nullable().optional(),
+        uptime_seconds: z.number().nullable().optional(),
+        in_flight_count: z.number().nullable().optional(),
+      }).optional().describe("Per-agent process telemetry reported by agent-node"),
     },
-    async ({ resume_id, alias, status, task, output, score, progress, server: srv, hostname: hn, agent: ag, project_dir: pd, version: ver, tmux_name: tmux, node_id, session_id, config_path, channels, model: mdl, node_name: nn, network_id: netId }) => {
+    async ({ resume_id, alias, status, task, output, score, progress, server: srv, hostname: hn, agent: ag, project_dir: pd, version: ver, tmux_name: tmux, node_id, session_id, config_path, channels, model: mdl, node_name: nn, network_id: netId, host, process_telemetry: proc }) => {
       const effectiveNetId = getNetworkId(netId);
       const sessionNetId = effectiveNetId ?? "default";
       if (!callerTokenIsNetwork || !enforceNetworkId) {
         return { content: [{ type: "text" as const, text: JSON.stringify({ ok: false, error: "network_token_required" }) }] };
       }
       if (!canWrite(effectiveNetId)) {
-        return { content: [{ type: "text" as const, text: JSON.stringify({ ok: false, error: "permission_denied" }) }] };
+        return writeDeniedReply(effectiveNetId);
       }
       console.log(`[${ts()}] ${alias} (${resume_id.slice(0, 8)}) → report_status: ${status}${task ? " | " + task.slice(0, 60) : ""}${effectiveNetId ? " [net]" : ""}`);
       const trimmedOutput = output?.slice(0, 4000);
+      const hostHostname = host?.hostname || hn || null;
+      const hostIp = host?.ip || clientIP || null;
+      const cpuLoad1m = typeof host?.cpu_load_1min === "number" ? host.cpu_load_1min : null;
+      const cpuCores = typeof host?.cpu_cores === "number" ? host.cpu_cores : null;
+      const memTotalGb = typeof host?.mem_total_gb === "number" ? host.mem_total_gb : null;
+      const memUsedGb = typeof host?.mem_used_gb === "number" ? host.mem_used_gb : null;
+      const memAvailGb = typeof host?.mem_avail_gb === "number" ? host.mem_avail_gb : null;
+      const diskTotalGb = typeof host?.disk_total_gb === "number" ? host.disk_total_gb : null;
+      const diskUsedGb = typeof host?.disk_used_gb === "number" ? host.disk_used_gb : null;
+      const diskAvailGb = typeof host?.disk_avail_gb === "number" ? host.disk_avail_gb : null;
+      const processRssBytes = typeof proc?.rss === "number" ? proc.rss : null;
+      const processCpuPct = typeof proc?.cpu_pct === "number" ? proc.cpu_pct : null;
+      const processUptimeSeconds = typeof proc?.uptime_seconds === "number" ? proc.uptime_seconds : null;
+      const processInFlightCount = typeof proc?.in_flight_count === "number" ? proc.in_flight_count : null;
 
       db.transaction(() => {
         // Only delete same-alias sessions within the same network
         db.run("DELETE FROM sessions WHERE alias = ?1 AND resume_id != ?2 AND network_id = ?3", [alias, resume_id, sessionNetId]);
         db.run(
-          `INSERT INTO sessions (resume_id, alias, tmux_name, server, ip, hostname, agent, project_dir, version, status, task, output, progress, score, node_id, session_id, config_path, channels, network_id, model, last_seen_at, updated_at)
-           VALUES (?1, ?2, ?3, ?4, ?5, ?6, ?7, ?8, ?9, ?10, ?11, ?12, ?13, ?14, ?15, ?16, ?17, ?18, ?19, ?20, datetime('now'), datetime('now'))
+          `INSERT INTO sessions (resume_id, alias, tmux_name, server, ip, hostname, agent, project_dir, version, status, task, output, progress, score, node_id, session_id, config_path, channels, network_id, model, cpu_load_1min, cpu_cores, mem_total_gb, mem_used_gb, mem_avail_gb, disk_total_gb, disk_used_gb, disk_avail_gb, process_rss_bytes, process_cpu_pct, process_uptime_seconds, process_in_flight_count, last_seen_at, updated_at)
+           VALUES (?1, ?2, ?3, ?4, ?5, ?6, ?7, ?8, ?9, ?10, ?11, ?12, ?13, ?14, ?15, ?16, ?17, ?18, ?19, ?20, ?21, ?22, ?23, ?24, ?25, ?26, ?27, ?28, ?29, ?30, ?31, ?32, datetime('now'), datetime('now'))
            ON CONFLICT(resume_id) DO UPDATE SET
              alias = COALESCE(?2, sessions.alias), tmux_name = COALESCE(?3, sessions.tmux_name),
              server = COALESCE(?4, sessions.server), ip = COALESCE(?5, sessions.ip),
@@ -139,9 +181,28 @@ export function registerTools(server: McpServer, clientIP?: string, enforceNetwo
              session_id = COALESCE(?16, sessions.session_id), config_path = COALESCE(?17, sessions.config_path),
              channels = COALESCE(?18, sessions.channels), network_id = COALESCE(?19, sessions.network_id),
              model = COALESCE(?20, sessions.model),
+             cpu_load_1min = COALESCE(?21, sessions.cpu_load_1min),
+             cpu_cores = COALESCE(?22, sessions.cpu_cores),
+             mem_total_gb = COALESCE(?23, sessions.mem_total_gb),
+             mem_used_gb = COALESCE(?24, sessions.mem_used_gb),
+             mem_avail_gb = COALESCE(?25, sessions.mem_avail_gb),
+             disk_total_gb = COALESCE(?26, sessions.disk_total_gb),
+             disk_used_gb = COALESCE(?27, sessions.disk_used_gb),
+             disk_avail_gb = COALESCE(?28, sessions.disk_avail_gb),
+             process_rss_bytes = COALESCE(?29, sessions.process_rss_bytes),
+             process_cpu_pct = COALESCE(?30, sessions.process_cpu_pct),
+             process_uptime_seconds = COALESCE(?31, sessions.process_uptime_seconds),
+             process_in_flight_count = COALESCE(?32, sessions.process_in_flight_count),
              last_seen_at = datetime('now'), updated_at = datetime('now')`,
-          [resume_id, alias, tmux ?? null, srv ?? null, clientIP ?? null, hn ?? null, ag ?? null, pd ?? null, ver ?? null, status, task ?? null, trimmedOutput ?? null, progress ?? null, score ?? null, node_id ?? null, session_id ?? null, config_path ?? null, channels ?? null, sessionNetId, mdl ?? null]
+          [resume_id, alias, tmux ?? null, srv ?? null, hostIp, hostHostname, ag ?? null, pd ?? null, ver ?? null, status, task ?? null, trimmedOutput ?? null, progress ?? null, score ?? null, node_id ?? null, session_id ?? null, config_path ?? null, channels ?? null, sessionNetId, mdl ?? null, cpuLoad1m, cpuCores, memTotalGb, memUsedGb, memAvailGb, diskTotalGb, diskUsedGb, diskAvailGb, processRssBytes, processCpuPct, processUptimeSeconds, processInFlightCount]
         );
+        if (host || proc) {
+          db.run(
+            `INSERT INTO agent_telemetry (id, network_id, resume_id, alias, hostname, ip, cpu_load_1min, cpu_cores, mem_total_gb, mem_used_gb, mem_avail_gb, disk_total_gb, disk_used_gb, disk_avail_gb, process_rss_bytes, process_cpu_pct, process_uptime_seconds, process_in_flight_count, created_at)
+             VALUES (?1, ?2, ?3, ?4, ?5, ?6, ?7, ?8, ?9, ?10, ?11, ?12, ?13, ?14, ?15, ?16, ?17, ?18, datetime('now'))`,
+            [uuidv4(), sessionNetId, resume_id, alias, hostHostname, hostIp, cpuLoad1m, cpuCores, memTotalGb, memUsedGb, memAvailGb, diskTotalGb, diskUsedGb, diskAvailGb, processRssBytes, processCpuPct, processUptimeSeconds, processInFlightCount]
+          );
+        }
       });
 
       // V2: sync tasks table — report_status(working) → tasks.running
@@ -225,7 +286,7 @@ export function registerTools(server: McpServer, clientIP?: string, enforceNetwo
     async ({ alias, task, result, artifacts, score, duration_minutes, network_id: netId }) => {
       const effectiveNetId = getNetworkId(netId);
       if (!canWrite(effectiveNetId)) {
-        return { content: [{ type: "text" as const, text: JSON.stringify({ ok: false, error: "permission_denied" }) }] };
+        return writeDeniedReply(effectiveNetId);
       }
       console.log(`[${ts()}] ${alias} → report_completion: ${task.slice(0, 60)}${effectiveNetId ? " [net]" : ""}`);
       const id = uuidv4();
@@ -337,7 +398,7 @@ export function registerTools(server: McpServer, clientIP?: string, enforceNetwo
     },
     async ({ alias, message_id, response }) => {
       const effectiveNetId = getNetworkId(null);
-      if (!canWrite(effectiveNetId)) return { content: [{ type: "text" as const, text: JSON.stringify({ ok: false, error: "permission_denied" }) }] };
+      if (!canWrite(effectiveNetId)) return writeDeniedReply(effectiveNetId);
       console.log(`[${ts()}] ${alias} → ack_inbox: ${message_id.slice(0, 8)}`);
       const ackParams: any[] = [message_id, alias];
       let ackSql = "UPDATE inbox SET acked = 1 WHERE id = ?1 AND session_name = ?2";
@@ -478,7 +539,7 @@ export function registerTools(server: McpServer, clientIP?: string, enforceNetwo
 
       // Role check: viewer cannot send tasks
       if (!canWrite(effectiveNetId)) {
-        return { content: [{ type: "text" as const, text: JSON.stringify({ ok: false, error: "permission_denied", message: "Viewer role cannot send tasks" }) }] };
+        return writeDeniedReply(effectiveNetId, "send_task");
       }
 
       // License check
@@ -557,7 +618,7 @@ export function registerTools(server: McpServer, clientIP?: string, enforceNetwo
     },
     async ({ alias, message, from_session: _fromIn }) => { const from_session = defaultFrom(_fromIn);
       const effectiveNetId = getNetworkId(null);
-      if (!canWrite(effectiveNetId)) return { content: [{ type: "text" as const, text: JSON.stringify({ ok: false, error: "permission_denied" }) }] };
+      if (!canWrite(effectiveNetId)) return writeDeniedReply(effectiveNetId);
       console.log(`[${ts()}] ${from_session} → send_message → ${alias}: ${message.slice(0, 60)}`);
       const id = uuidv4();
       db.run(
@@ -598,7 +659,7 @@ export function registerTools(server: McpServer, clientIP?: string, enforceNetwo
     },
     async ({ alias, text, in_reply_to, status: replyStatus, from_session: _fromIn }) => { const from_session = defaultFrom(_fromIn);
       const effectiveNetId = getNetworkId(null);
-      if (!canWrite(effectiveNetId)) return { content: [{ type: "text" as const, text: JSON.stringify({ ok: false, error: "permission_denied" }) }] };
+      if (!canWrite(effectiveNetId)) return writeDeniedReply(effectiveNetId);
       console.log(`[${ts()}] ${from_session} → send_reply (${replyStatus}) → ${alias}: ${text.slice(0, 60)}`);
       const id = uuidv4();
       const replyLogged = db.transaction(() => {
@@ -673,7 +734,7 @@ export function registerTools(server: McpServer, clientIP?: string, enforceNetwo
     },
     async ({ task_id, from_session: _fromIn }) => { const from_session = defaultFrom(_fromIn);
       const effectiveNetId = getNetworkId(null);
-      if (!canWrite(effectiveNetId)) return { content: [{ type: "text" as const, text: JSON.stringify({ ok: false, error: "permission_denied" }) }] };
+      if (!canWrite(effectiveNetId)) return writeDeniedReply(effectiveNetId);
       console.log(`[${ts()}] ${from_session} → send_ack → task ${task_id.slice(0, 8)}`);
       const updateParams: any[] = [task_id];
       let updateSql = "UPDATE tasks SET status = 'acked' WHERE task_id = ?1 AND status IN ('created', 'delivered')";
@@ -699,7 +760,7 @@ export function registerTools(server: McpServer, clientIP?: string, enforceNetwo
     },
     async ({ task_id, from_session: _fromIn }) => { const from_session = defaultFrom(_fromIn);
       const effectiveNetId = getNetworkId(null);
-      if (!canWrite(effectiveNetId)) return { content: [{ type: "text" as const, text: JSON.stringify({ ok: false, error: "permission_denied" }) }] };
+      if (!canWrite(effectiveNetId)) return writeDeniedReply(effectiveNetId);
       console.log(`[${ts()}] ${from_session} → retry_task → ${task_id.slice(0, 8)}`);
       // Find the original task
       const taskParams: any[] = [task_id];
@@ -810,7 +871,7 @@ export function registerTools(server: McpServer, clientIP?: string, enforceNetwo
     },
     async ({ task_id, reason, from_session: _fromIn }) => { const from_session = defaultFrom(_fromIn);
       const effectiveNetId = getNetworkId(null);
-      if (!canWrite(effectiveNetId)) return { content: [{ type: "text" as const, text: JSON.stringify({ ok: false, error: "permission_denied" }) }] };
+      if (!canWrite(effectiveNetId)) return writeDeniedReply(effectiveNetId);
       console.log(`[${ts()}] ${from_session} → cancel_task → ${task_id.slice(0, 8)}`);
       const updateParams: any[] = [reason || "cancelled by " + from_session, task_id];
       let updateSql = `UPDATE tasks SET status = 'cancelled', result = ?1, completed_at = datetime('now')
@@ -842,7 +903,7 @@ export function registerTools(server: McpServer, clientIP?: string, enforceNetwo
     },
     async ({ task_id, new_alias, from_session: _fromIn }) => { const from_session = defaultFrom(_fromIn);
       const effectiveNetId = getNetworkId(null);
-      if (!canWrite(effectiveNetId)) return { content: [{ type: "text" as const, text: JSON.stringify({ ok: false, error: "permission_denied" }) }] };
+      if (!canWrite(effectiveNetId)) return writeDeniedReply(effectiveNetId);
       console.log(`[${ts()}] ${from_session} → reassign_task → ${task_id.slice(0, 8)} → ${new_alias}`);
       const taskParams: any[] = [task_id];
       let taskSql = "SELECT * FROM tasks WHERE task_id = ?1";
@@ -886,7 +947,7 @@ export function registerTools(server: McpServer, clientIP?: string, enforceNetwo
     },
     async ({ message, filter_server, filter_status, network_id: netId }) => {
       const effectiveNetId = getNetworkId(netId);
-      if (!canWrite(effectiveNetId)) return { content: [{ type: "text" as const, text: JSON.stringify({ ok: false, error: "permission_denied" }) }] };
+      if (!canWrite(effectiveNetId)) return writeDeniedReply(effectiveNetId);
       console.log(`[${ts()}] hub → broadcast: ${message.slice(0, 60)}${effectiveNetId ? " [net=" + effectiveNetId.slice(0, 12) + "]" : ""}`);
       let sql = "SELECT alias, network_id FROM sessions WHERE alias IS NOT NULL";
       const params: any[] = [];