@gitscrum-studio/mcp-server 1.0.0

package/LICENSE

@@ -0,0 +1,21 @@
+MIT License
+
+Copyright (c) 2026 GitScrum
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.

package/README.md

@@ -0,0 +1,250 @@
+<p align="center">
+  <img src="https://site-assets.gitscrum.com/vscode/gitscrum-white.png" alt="GitScrum" width="160"/>
+</p>
+
+<h1 align="center">GitScrum Studio MCP Server</h1>
+
+<p align="center">
+  Model Context Protocol server for GitScrum.<br/>
+  Ship faster with AI-powered project management.
+</p>
+
+<p align="center">
+  <a href="https://opensource.org/licenses/MIT"><img src="https://img.shields.io/badge/license-MIT-000?style=flat-square" alt="MIT License"></a>
+  <a href="https://github.com/gitscrum-core/mcp-server/actions"><img src="https://img.shields.io/badge/tests-378_passing-000?style=flat-square" alt="Tests"></a>
+</p>
+
+<br/>
+
+## Overview
+
+GitScrum Studio MCP Server connects AI assistants to your [GitScrum](https://gitscrum.com) workspace via the [Model Context Protocol](https://modelcontextprotocol.io). It gives Claude, GitHub Copilot, Cursor, and any MCP-compatible client full operational access to your project management stack — tasks, sprints, time tracking, user stories, epics, kanban workflows, team discussions, wiki, notes, client CRM, invoicing, proposals, budget tracking, analytics dashboards, standup reports, and activity feeds.
+
+Everything your team does in the GitScrum web app, your AI assistant can now do through conversation.
+
+```
+You:    "What's on my plate today?"
+Assistant: Fetches your tasks due today across all projects.
+
+You:    "Create a sprint for next week with the top 5 backlog items"
+Assistant: Creates the sprint, assigns tasks, and sets the timeline.
+
+You:    "Show me which projects are over budget"
+Assistant: Returns burn-down data and flags at-risk projects.
+
+You:    "Send the Q1 proposal to Acme Corp"
+Assistant: Creates the proposal, attaches the client, and sends it.
+
+You:    "What did the team ship this week?"
+Assistant: Generates a standup digest with completed work and blockers.
+```
+
+**29 tools. 160+ operations. Zero context switching.**
+
+---
+
+## Quick start
+
+### Install
+
+```bash
+npx -y @gitscrum-studio/mcp-server
+```
+
+### Configure your client
+
+<details>
+<summary><strong>Claude Desktop</strong></summary>
+
+Edit the configuration file:
+
+- **macOS:** `~/Library/Application Support/Claude/claude_desktop_config.json`
+- **Windows:** `%APPDATA%\Claude\claude_desktop_config.json`
+
+```json
+{
+  "mcpServers": {
+    "gitscrum": {
+      "command": "npx",
+      "args": ["-y", "@gitscrum-studio/mcp-server"]
+    }
+  }
+}
+```
+</details>
+
+<details>
+<summary><strong>VS Code / Cursor</strong></summary>
+
+Add to `.vscode/mcp.json` or your MCP settings:
+
+```json
+{
+  "servers": {
+    "gitscrum": {
+      "command": "npx",
+      "args": ["-y", "@gitscrum-studio/mcp-server"]
+    }
+  }
+}
+```
+</details>
+
+### Authenticate
+
+Tell your AI assistant: **"Login to GitScrum"**
+
+The server initiates an [OAuth 2.0 Device Authorization Grant](https://datatracker.ietf.org/doc/html/rfc8628) flow. You authorize in the browser — credentials are never shared with the MCP server.
+
+---
+
+## Tools
+
+Each tool uses a consolidated `action` parameter, reducing LLM context tokens by ~80% compared to individual tool definitions.
+
+### Core
+
+| Tool | Actions | Docs |
+|:-----|:--------|:-----|
+| `task` | `my` `today` `get` `create` `update` `complete` `subtasks` `filter` `by_code` `duplicate` `move` `notifications` | [tasks](docs/tools/tasks.md) |
+| `sprint` | `list` `all` `get` `kpis` `create` `update` `stats` `reports` `progress` `metrics` | [sprints](docs/tools/sprints.md) |
+| `workspace` | `list` `get` | [projects](docs/tools/projects.md) |
+| `project` | `list` `get` `stats` `tasks` `workflows` `types` `efforts` `labels` `members` | [projects](docs/tools/projects.md) |
+| `time` | `active` `start` `stop` `logs` `analytics` `team` `reports` `productivity` `timeline` | [time-tracking](docs/tools/time-tracking.md) |
+
+### Planning
+
+| Tool | Actions | Docs |
+|:-----|:--------|:-----|
+| `user_story` | `list` `get` `create` `update` `all` | [user-stories](docs/tools/user-stories.md) |
+| `epic` | `list` `create` `update` | [epics](docs/tools/epics.md) |
+| `label` | `list` `create` `update` `attach` `detach` `toggle` | [labels](docs/tools/labels.md) |
+| `task_type` | `list` `create` `update` `assign` | [task-types](docs/tools/task-types.md) |
+| `workflow` | `create` `update` | [workflows](docs/tools/workflows.md) |
+
+### Collaboration
+
+| Tool | Actions | Docs |
+|:-----|:--------|:-----|
+| `discussion` | `all` `channels` `channel` `messages` `send` `search` `unread` `mark_read` `create_channel` `update_channel` | [discussions](docs/tools/discussions.md) |
+| `comment` | `list` `add` `update` | [comments](docs/tools/comments.md) |
+| `wiki` | `list` `get` `create` `update` `search` | [wiki](docs/tools/wiki.md) |
+| `note` | `list` `get` `create` `update` `share` `revisions` | [notevault](docs/tools/notevault.md) |
+| `note_folder` | `list` `create` `update` `move` | [notevault](docs/tools/notevault.md) |
+| `search` | — | [search](docs/tools/search.md) |
+
+### ClientFlow CRM
+
+| Tool | Actions | Docs |
+|:-----|:--------|:-----|
+| `client` | `list` `get` `create` `update` `contacts` `interactions` `add_interaction` | [clientflow](docs/tools/clientflow.md) |
+| `invoice` | `list` `get` `stats` `create` `update` `issue` `send` `mark_paid` | [clientflow](docs/tools/clientflow.md) |
+| `proposal` | `list` `get` `stats` `create` `update` `send` `approve` `reject` `convert` | [clientflow](docs/tools/clientflow.md) |
+| `clientflow_dashboard` | 8 reports | [clientflow](docs/tools/clientflow.md) |
+| `clientflow_cross_workspace` | 4 reports | [clientflow](docs/tools/clientflow.md) |
+
+### Insights <sup>PRO</sup>
+
+| Tool | Actions | Docs |
+|:-----|:--------|:-----|
+| `standup` | `summary` `completed` `blockers` `team` `stuck` `digest` `contributors` | [standup](docs/tools/standup.md) |
+| `analytics` | 10 reports | [analytics](docs/tools/analytics.md) |
+| `activity` | `feed` `user_feed` `notifications` `activities` `task_workflow` | [activity](docs/tools/activity.md) |
+| `budget` | `projects_at_risk` `overview` `consumption` `burn_down` `alerts` `events` | [budget](docs/tools/budget.md) |
+
+### Authentication
+
+| Tool | Description | Docs |
+|:-----|:------------|:-----|
+| `auth_login` | Initiate device code flow | [auth](docs/tools/auth.md) |
+| `auth_complete` | Complete authorization | [auth](docs/tools/auth.md) |
+| `auth_status` | Check session status | [auth](docs/tools/auth.md) |
+| `auth_logout` | Clear stored credentials | [auth](docs/tools/auth.md) |
+
+Full reference: [docs/TOOLS.md](docs/TOOLS.md)
+
+---
+
+## Security
+
+The server is designed around the **principle of least privilege**.
+
+| Layer | Protection |
+|:------|:-----------|
+| **Operations** | Only CREATE, READ, UPDATE. DELETE is blocked at MCP and API layers. |
+| **Authentication** | OAuth 2.0 Device Grant — credentials never touch the server. |
+| **Token storage** | Local filesystem with restricted permissions. |
+| **Rate limiting** | Automatic lockout after failed auth attempts. |
+
+Destructive operations must be performed in the [GitScrum Studio](https://studio.gitscrum.com).
+
+Full details: [docs/SECURITY.md](docs/SECURITY.md)
+
+Found a vulnerability? Report privately to **security@gitscrum.com**.
+
+---
+
+## Documentation
+
+| | |
+|:--|:--|
+| **[Usage Guide](docs/USAGE.md)** | Practical examples and common workflows |
+| **[Tools Reference](docs/TOOLS.md)** | All 29 tools with parameters and response shapes |
+| **[Per-Tool Guides](docs/tools/)** | Deep-dive into each tool module |
+| **[Security](docs/SECURITY.md)** | Security model, token handling, threat mitigations |
+| **[Development](docs/DEVELOPMENT.md)** | Local setup, architecture, testing, contribution |
+| **[Changelog](CHANGELOG.md)** | Version history and migration notes |
+
+---
+
+## Development
+
+```bash
+git clone https://github.com/gitscrum-core/mcp-server.git
+cd mcp-server
+npm install
+npm run build
+npm test          # 378 tests across 22 suites
+```
+
+Inspect locally with the MCP Inspector:
+
+```bash
+npx @modelcontextprotocol/inspector node dist/index.js
+```
+
+| Requirement | Version |
+|:------------|:--------|
+| Node.js | >= 18.0.0 |
+| npm | >= 8.0.0 |
+
+Full guide: [docs/DEVELOPMENT.md](docs/DEVELOPMENT.md)
+
+---
+
+## Contributing
+
+See [CONTRIBUTING.md](CONTRIBUTING.md) for guidelines.
+
+```bash
+git checkout -b feature/my-feature
+# make changes, add tests
+npm test
+git commit -m "feat: describe your change"
+```
+
+---
+
+## License
+
+MIT — see [LICENSE](LICENSE).
+
+---
+
+<p align="center">
+  <a href="https://gitscrum.com">Website</a>&nbsp;&nbsp;·&nbsp;&nbsp;<a href="https://docs.gitscrum.com/en/mcp">Docs</a>&nbsp;&nbsp;·&nbsp;&nbsp;<a href="https://github.com/gitscrum-core/mcp-server/issues">Issues</a>&nbsp;&nbsp;·&nbsp;&nbsp;<a href="CHANGELOG.md">Changelog</a>
+</p>
+
+<p align="center">
+  Built by <a href="https://gitscrum.com/en">GitScrum</a>
+</p>

package/dist/auth/DeviceAuthenticator.d.ts

@@ -0,0 +1,51 @@
+/**
+ * Device Authorization Flow
+ *
+ * Implements OAuth 2.0 Device Authorization Grant (RFC 8628)
+ * Allows MCP to authenticate users via browser login.
+ *
+ * Flow:
+ * 1. MCP requests device code from API
+ * 2. User opens verification URL in browser (contains device_code)
+ * 3. User logs in (Google, GitHub, or email/password)
+ * 4. User clicks "Authorize" - no manual code entry needed
+ * 5. MCP polls for token until authorized
+ *
+ * @module @gitscrum-studio/mcp-server/auth
+ */
+export interface DeviceCodeResponse {
+    device_code: string;
+    user_code: string;
+    verification_uri: string;
+    verification_uri_complete: string;
+    expires_in: number;
+    interval: number;
+}
+export interface TokenResponse {
+    access_token: string;
+    token_type: string;
+    expires_in: number;
+    scope: string;
+}
+/**
+ * Handles Device Authorization Flow for CLI/MCP authentication
+ */
+export declare class DeviceAuthenticator {
+    private apiUrl;
+    constructor(apiUrl?: string);
+    /**
+     * MCP Client ID - must match OAuthClientRegistry on the API
+     */
+    private static readonly MCP_CLIENT_ID;
+    /**
+     * Start the device authorization flow
+     * Returns the device code info that should be shown to the user
+     */
+    requestDeviceCode(): Promise<DeviceCodeResponse>;
+    /**
+     * Poll for the access token
+     * Should be called repeatedly until success or error (other than pending)
+     */
+    pollForToken(deviceCode: string): Promise<TokenResponse | null>;
+}
+//# sourceMappingURL=DeviceAuthenticator.d.ts.map

package/dist/auth/DeviceAuthenticator.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"DeviceAuthenticator.d.ts","sourceRoot":"","sources":["../../src/auth/DeviceAuthenticator.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;GAcG;AAEH,MAAM,WAAW,kBAAkB;IACjC,WAAW,EAAE,MAAM,CAAC;IACpB,SAAS,EAAE,MAAM,CAAC;IAClB,gBAAgB,EAAE,MAAM,CAAC;IACzB,yBAAyB,EAAE,MAAM,CAAC;IAClC,UAAU,EAAE,MAAM,CAAC;IACnB,QAAQ,EAAE,MAAM,CAAC;CAClB;AAED,MAAM,WAAW,aAAa;IAC5B,YAAY,EAAE,MAAM,CAAC;IACrB,UAAU,EAAE,MAAM,CAAC;IACnB,UAAU,EAAE,MAAM,CAAC;IACnB,KAAK,EAAE,MAAM,CAAC;CACf;AAOD;;GAEG;AACH,qBAAa,mBAAmB;IAC9B,OAAO,CAAC,MAAM,CAAS;gBAEX,MAAM,CAAC,EAAE,MAAM;IAI3B;;OAEG;IACH,OAAO,CAAC,MAAM,CAAC,QAAQ,CAAC,aAAa,CAA0C;IAE/E;;;OAGG;IACG,iBAAiB,IAAI,OAAO,CAAC,kBAAkB,CAAC;IA4BtD;;;OAGG;IACG,YAAY,CAAC,UAAU,EAAE,MAAM,GAAG,OAAO,CAAC,aAAa,GAAG,IAAI,CAAC;CAgCtE"}

package/dist/auth/DeviceAuthenticator.js

@@ -0,0 +1,89 @@
+/**
+ * Device Authorization Flow
+ *
+ * Implements OAuth 2.0 Device Authorization Grant (RFC 8628)
+ * Allows MCP to authenticate users via browser login.
+ *
+ * Flow:
+ * 1. MCP requests device code from API
+ * 2. User opens verification URL in browser (contains device_code)
+ * 3. User logs in (Google, GitHub, or email/password)
+ * 4. User clicks "Authorize" - no manual code entry needed
+ * 5. MCP polls for token until authorized
+ *
+ * @module @gitscrum-studio/mcp-server/auth
+ */
+/**
+ * Handles Device Authorization Flow for CLI/MCP authentication
+ */
+export class DeviceAuthenticator {
+    apiUrl;
+    constructor(apiUrl) {
+        this.apiUrl = apiUrl || process.env.GITSCRUM_API_URL || "https://services.gitscrum.com";
+    }
+    /**
+     * MCP Client ID - must match OAuthClientRegistry on the API
+     */
+    static MCP_CLIENT_ID = "9e8d7c6b-5a4f-3e2d-1c0b-a9b8c7d6e5f4";
+    /**
+     * Start the device authorization flow
+     * Returns the device code info that should be shown to the user
+     */
+    async requestDeviceCode() {
+        const url = `${this.apiUrl}/oauth/device/code`;
+        try {
+            const response = await fetch(url, {
+                method: "POST",
+                headers: {
+                    "Content-Type": "application/json",
+                    "Accept": "application/json",
+                    "X-Client-Source": "mcp-server",
+                },
+                body: JSON.stringify({ client_id: DeviceAuthenticator.MCP_CLIENT_ID }),
+            });
+            if (!response.ok) {
+                const error = await response.json();
+                throw new Error(error.error_description || `API error: ${response.status} ${response.statusText}`);
+            }
+            return response.json();
+        }
+        catch (error) {
+            if (error instanceof TypeError && error.message.includes("fetch")) {
+                throw new Error(`Network error: Unable to connect to ${url}. Is the API server running?`);
+            }
+            throw error;
+        }
+    }
+    /**
+     * Poll for the access token
+     * Should be called repeatedly until success or error (other than pending)
+     */
+    async pollForToken(deviceCode) {
+        const response = await fetch(`${this.apiUrl}/oauth/device/token`, {
+            method: "POST",
+            headers: {
+                "Content-Type": "application/json",
+                "Accept": "application/json",
+                "X-Client-Source": "mcp-server",
+            },
+            body: JSON.stringify({
+                device_code: deviceCode,
+                grant_type: "urn:ietf:params:oauth:grant-type:device_code",
+            }),
+        });
+        if (!response.ok) {
+            const error = await response.json();
+            // These are expected while waiting for user authorization
+            if (error.error === "authorization_pending") {
+                return null; // Keep polling
+            }
+            if (error.error === "slow_down") {
+                return null; // Keep polling, but slower
+            }
+            // These are terminal errors
+            throw new Error(error.error_description || error.error);
+        }
+        return response.json();
+    }
+}
+//# sourceMappingURL=DeviceAuthenticator.js.map

package/dist/auth/DeviceAuthenticator.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"DeviceAuthenticator.js","sourceRoot":"","sources":["../../src/auth/DeviceAuthenticator.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;GAcG;AAuBH;;GAEG;AACH,MAAM,OAAO,mBAAmB;IACtB,MAAM,CAAS;IAEvB,YAAY,MAAe;QACzB,IAAI,CAAC,MAAM,GAAG,MAAM,IAAI,OAAO,CAAC,GAAG,CAAC,gBAAgB,IAAI,+BAA+B,CAAC;IAC1F,CAAC;IAED;;OAEG;IACK,MAAM,CAAU,aAAa,GAAG,sCAAsC,CAAC;IAE/E;;;OAGG;IACH,KAAK,CAAC,iBAAiB;QACrB,MAAM,GAAG,GAAG,GAAG,IAAI,CAAC,MAAM,oBAAoB,CAAC;QAE/C,IAAI,CAAC;YACH,MAAM,QAAQ,GAAG,MAAM,KAAK,CAAC,GAAG,EAAE;gBAChC,MAAM,EAAE,MAAM;gBACd,OAAO,EAAE;oBACP,cAAc,EAAE,kBAAkB;oBAClC,QAAQ,EAAE,kBAAkB;oBAC5B,iBAAiB,EAAE,YAAY;iBAChC;gBACD,IAAI,EAAE,IAAI,CAAC,SAAS,CAAC,EAAE,SAAS,EAAE,mBAAmB,CAAC,aAAa,EAAE,CAAC;aACvE,CAAC,CAAC;YAEH,IAAI,CAAC,QAAQ,CAAC,EAAE,EAAE,CAAC;gBACjB,MAAM,KAAK,GAAG,MAAM,QAAQ,CAAC,IAAI,EAAe,CAAC;gBACjD,MAAM,IAAI,KAAK,CAAC,KAAK,CAAC,iBAAiB,IAAI,cAAc,QAAQ,CAAC,MAAM,IAAI,QAAQ,CAAC,UAAU,EAAE,CAAC,CAAC;YACrG,CAAC;YAED,OAAO,QAAQ,CAAC,IAAI,EAAiC,CAAC;QACxD,CAAC;QAAC,OAAO,KAAK,EAAE,CAAC;YACf,IAAI,KAAK,YAAY,SAAS,IAAI,KAAK,CAAC,OAAO,CAAC,QAAQ,CAAC,OAAO,CAAC,EAAE,CAAC;gBAClE,MAAM,IAAI,KAAK,CAAC,uCAAuC,GAAG,8BAA8B,CAAC,CAAC;YAC5F,CAAC;YACD,MAAM,KAAK,CAAC;QACd,CAAC;IACH,CAAC;IAED;;;OAGG;IACH,KAAK,CAAC,YAAY,CAAC,UAAkB;QACnC,MAAM,QAAQ,GAAG,MAAM,KAAK,CAAC,GAAG,IAAI,CAAC,MAAM,qBAAqB,EAAE;YAChE,MAAM,EAAE,MAAM;YACd,OAAO,EAAE;gBACP,cAAc,EAAE,kBAAkB;gBAClC,QAAQ,EAAE,kBAAkB;gBAC5B,iBAAiB,EAAE,YAAY;aAChC;YACD,IAAI,EAAE,IAAI,CAAC,SAAS,CAAC;gBACnB,WAAW,EAAE,UAAU;gBACvB,UAAU,EAAE,8CAA8C;aAC3D,CAAC;SACH,CAAC,CAAC;QAEH,IAAI,CAAC,QAAQ,CAAC,EAAE,EAAE,CAAC;YACjB,MAAM,KAAK,GAAG,MAAM,QAAQ,CAAC,IAAI,EAAe,CAAC;YAEjD,0DAA0D;YAC1D,IAAI,KAAK,CAAC,KAAK,KAAK,uBAAuB,EAAE,CAAC;gBAC5C,OAAO,IAAI,CAAC,CAAC,eAAe;YAC9B,CAAC;YAED,IAAI,KAAK,CAAC,KAAK,KAAK,WAAW,EAAE,CAAC;gBAChC,OAAO,IAAI,CAAC,CAAC,2BAA2B;YAC1C,CAAC;YAED,4BAA4B;YAC5B,MAAM,IAAI,KAAK,CAAC,KAAK,CAAC,iBAAiB,IAAI,KAAK,CAAC,KAAK,CAAC,CAAC;QAC1D,CAAC;QAED,OAAO,QAAQ,CAAC,IAAI,EAA4B,CAAC;IACnD,CAAC"}

package/dist/auth/RateLimiter.d.ts

@@ -0,0 +1,58 @@
+/**
+ * Rate Limiter for Authentication
+ *
+ * Protects against brute force attacks by limiting login attempts.
+ * Uses in-memory storage (resets on server restart).
+ */
+export declare class RateLimiter {
+    private static readonly MAX_ATTEMPTS;
+    private static readonly WINDOW_MS;
+    private static readonly LOCKOUT_MS;
+    private static readonly CLEANUP_INTERVAL_MS;
+    private storage;
+    private storageFile;
+    constructor();
+    /**
+     * Load rate limit data from disk
+     */
+    private loadStorage;
+    /**
+     * Save rate limit data to disk
+     */
+    private saveStorage;
+    /**
+     * Normalize identifier (lowercase email)
+     */
+    private normalizeKey;
+    /**
+     * Clean up old records
+     */
+    private cleanup;
+    /**
+     * Check if login is allowed for the given identifier
+     * Returns: { allowed: boolean, retryAfter?: number, message?: string }
+     */
+    check(identifier: string): {
+        allowed: boolean;
+        retryAfter?: number;
+        remainingAttempts?: number;
+        message?: string;
+    };
+    /**
+     * Record a failed login attempt
+     */
+    recordFailure(identifier: string): void;
+    /**
+     * Clear attempts on successful login
+     */
+    recordSuccess(identifier: string): void;
+    /**
+     * Get rate limit info for display
+     */
+    getInfo(): {
+        maxAttempts: number;
+        windowMinutes: number;
+        lockoutMinutes: number;
+    };
+}
+//# sourceMappingURL=RateLimiter.d.ts.map

package/dist/auth/RateLimiter.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"RateLimiter.d.ts","sourceRoot":"","sources":["../../src/auth/RateLimiter.ts"],"names":[],"mappings":"AAAA;;;;;GAKG;AAiBH,qBAAa,WAAW;IAEtB,OAAO,CAAC,MAAM,CAAC,QAAQ,CAAC,YAAY,CAAK;IACzC,OAAO,CAAC,MAAM,CAAC,QAAQ,CAAC,SAAS,CAAkB;IACnD,OAAO,CAAC,MAAM,CAAC,QAAQ,CAAC,UAAU,CAAkB;IACpD,OAAO,CAAC,MAAM,CAAC,QAAQ,CAAC,mBAAmB,CAAkB;IAE7D,OAAO,CAAC,OAAO,CAAmB;IAClC,OAAO,CAAC,WAAW,CAAS;;IAS5B;;OAEG;IACH,OAAO,CAAC,WAAW;IAenB;;OAEG;IACH,OAAO,CAAC,WAAW;IAgBnB;;OAEG;IACH,OAAO,CAAC,YAAY;IAIpB;;OAEG;IACH,OAAO,CAAC,OAAO;IAwBf;;;OAGG;IACH,KAAK,CAAC,UAAU,EAAE,MAAM,GAAG;QACzB,OAAO,EAAE,OAAO,CAAC;QACjB,UAAU,CAAC,EAAE,MAAM,CAAC;QACpB,iBAAiB,CAAC,EAAE,MAAM,CAAC;QAC3B,OAAO,CAAC,EAAE,MAAM,CAAC;KAClB;IA0DD;;OAEG;IACH,aAAa,CAAC,UAAU,EAAE,MAAM,GAAG,IAAI;IA0BvC;;OAEG;IACH,aAAa,CAAC,UAAU,EAAE,MAAM,GAAG,IAAI;IAMvC;;OAEG;IACH,OAAO,IAAI;QACT,WAAW,EAAE,MAAM,CAAC;QACpB,aAAa,EAAE,MAAM,CAAC;QACtB,cAAc,EAAE,MAAM,CAAC;KACxB;CAOF"}

package/dist/auth/RateLimiter.js

@@ -0,0 +1,181 @@
+/**
+ * Rate Limiter for Authentication
+ *
+ * Protects against brute force attacks by limiting login attempts.
+ * Uses in-memory storage (resets on server restart).
+ */
+import * as fs from "fs";
+import * as path from "path";
+import * as os from "os";
+export class RateLimiter {
+    // Configuration
+    static MAX_ATTEMPTS = 5;
+    static WINDOW_MS = 15 * 60 * 1000; // 15 minutes
+    static LOCKOUT_MS = 30 * 60 * 1000; // 30 minutes lockout
+    static CLEANUP_INTERVAL_MS = 60 * 60 * 1000; // 1 hour
+    storage;
+    storageFile;
+    constructor() {
+        // Persist rate limit data to prevent bypass via restart
+        const configDir = path.join(os.homedir(), ".gitscrum");
+        this.storageFile = path.join(configDir, "rate-limit.json");
+        this.storage = this.loadStorage();
+    }
+    /**
+     * Load rate limit data from disk
+     */
+    loadStorage() {
+        try {
+            if (fs.existsSync(this.storageFile)) {
+                const data = JSON.parse(fs.readFileSync(this.storageFile, "utf-8"));
+                return {
+                    attempts: data.attempts || {},
+                    lastCleanup: data.lastCleanup || Date.now(),
+                };
+            }
+        }
+        catch {
+            // Ignore errors, start fresh
+        }
+        return { attempts: {}, lastCleanup: Date.now() };
+    }
+    /**
+     * Save rate limit data to disk
+     */
+    saveStorage() {
+        try {
+            const configDir = path.dirname(this.storageFile);
+            if (!fs.existsSync(configDir)) {
+                fs.mkdirSync(configDir, { recursive: true, mode: 0o700 });
+            }
+            fs.writeFileSync(this.storageFile, JSON.stringify(this.storage, null, 2), { mode: 0o600 });
+        }
+        catch {
+            // Ignore save errors - rate limiting still works in memory
+        }
+    }
+    /**
+     * Normalize identifier (lowercase email)
+     */
+    normalizeKey(identifier) {
+        return identifier.toLowerCase().trim();
+    }
+    /**
+     * Clean up old records
+     */
+    cleanup() {
+        const now = Date.now();
+        // Only cleanup once per hour
+        if (now - this.storage.lastCleanup < RateLimiter.CLEANUP_INTERVAL_MS) {
+            return;
+        }
+        const windowStart = now - RateLimiter.WINDOW_MS;
+        for (const key of Object.keys(this.storage.attempts)) {
+            const record = this.storage.attempts[key];
+            // Remove if outside window AND not locked
+            if (record.firstAttempt < windowStart &&
+                (!record.lockedUntil || record.lockedUntil < now)) {
+                delete this.storage.attempts[key];
+            }
+        }
+        this.storage.lastCleanup = now;
+        this.saveStorage();
+    }
+    /**
+     * Check if login is allowed for the given identifier
+     * Returns: { allowed: boolean, retryAfter?: number, message?: string }
+     */
+    check(identifier) {
+        this.cleanup();
+        const key = this.normalizeKey(identifier);
+        const now = Date.now();
+        const record = this.storage.attempts[key];
+        // No previous attempts
+        if (!record) {
+            return {
+                allowed: true,
+                remainingAttempts: RateLimiter.MAX_ATTEMPTS
+            };
+        }
+        // Check if currently locked out
+        if (record.lockedUntil && record.lockedUntil > now) {
+            const retryAfter = Math.ceil((record.lockedUntil - now) / 1000);
+            const minutes = Math.ceil(retryAfter / 60);
+            return {
+                allowed: false,
+                retryAfter,
+                message: `Too many failed login attempts. Please try again in ${minutes} minute${minutes > 1 ? 's' : ''}.`,
+            };
+        }
+        // Check if window has expired (reset counter)
+        if (now - record.firstAttempt > RateLimiter.WINDOW_MS) {
+            delete this.storage.attempts[key];
+            this.saveStorage();
+            return {
+                allowed: true,
+                remainingAttempts: RateLimiter.MAX_ATTEMPTS
+            };
+        }
+        // Check remaining attempts
+        const remainingAttempts = RateLimiter.MAX_ATTEMPTS - record.count;
+        if (remainingAttempts <= 0) {
+            // Lock the account
+            record.lockedUntil = now + RateLimiter.LOCKOUT_MS;
+            this.saveStorage();
+            const minutes = Math.ceil(RateLimiter.LOCKOUT_MS / 1000 / 60);
+            return {
+                allowed: false,
+                retryAfter: Math.ceil(RateLimiter.LOCKOUT_MS / 1000),
+                message: `Too many failed login attempts. Account locked for ${minutes} minutes.`,
+            };
+        }
+        return {
+            allowed: true,
+            remainingAttempts
+        };
+    }
+    /**
+     * Record a failed login attempt
+     */
+    recordFailure(identifier) {
+        const key = this.normalizeKey(identifier);
+        const now = Date.now();
+        let record = this.storage.attempts[key];
+        if (!record || now - record.firstAttempt > RateLimiter.WINDOW_MS) {
+            // Start new window
+            record = {
+                count: 1,
+                firstAttempt: now,
+                lockedUntil: null,
+            };
+        }
+        else {
+            record.count++;
+            // Check if should lock
+            if (record.count >= RateLimiter.MAX_ATTEMPTS) {
+                record.lockedUntil = now + RateLimiter.LOCKOUT_MS;
+            }
+        }
+        this.storage.attempts[key] = record;
+        this.saveStorage();
+    }
+    /**
+     * Clear attempts on successful login
+     */
+    recordSuccess(identifier) {
+        const key = this.normalizeKey(identifier);
+        delete this.storage.attempts[key];
+        this.saveStorage();
+    }
+    /**
+     * Get rate limit info for display
+     */
+    getInfo() {
+        return {
+            maxAttempts: RateLimiter.MAX_ATTEMPTS,
+            windowMinutes: Math.ceil(RateLimiter.WINDOW_MS / 1000 / 60),
+            lockoutMinutes: Math.ceil(RateLimiter.LOCKOUT_MS / 1000 / 60),
+        };
+    }
+}
+//# sourceMappingURL=RateLimiter.js.map

package/dist/auth/RateLimiter.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"RateLimiter.js","sourceRoot":"","sources":["../../src/auth/RateLimiter.ts"],"names":[],"mappings":"AAAA;;;;;GAKG;AAEH,OAAO,KAAK,EAAE,MAAM,IAAI,CAAC;AACzB,OAAO,KAAK,IAAI,MAAM,MAAM,CAAC;AAC7B,OAAO,KAAK,EAAE,MAAM,IAAI,CAAC;AAazB,MAAM,OAAO,WAAW;IACtB,gBAAgB;IACR,MAAM,CAAU,YAAY,GAAG,CAAC,CAAC;IACjC,MAAM,CAAU,SAAS,GAAG,EAAE,GAAG,EAAE,GAAG,IAAI,CAAC,CAAC,aAAa;IACzD,MAAM,CAAU,UAAU,GAAG,EAAE,GAAG,EAAE,GAAG,IAAI,CAAC,CAAC,qBAAqB;IAClE,MAAM,CAAU,mBAAmB,GAAG,EAAE,GAAG,EAAE,GAAG,IAAI,CAAC,CAAC,SAAS;IAE/D,OAAO,CAAmB;IAC1B,WAAW,CAAS;IAE5B;QACE,wDAAwD;QACxD,MAAM,SAAS,GAAG,IAAI,CAAC,IAAI,CAAC,EAAE,CAAC,OAAO,EAAE,EAAE,WAAW,CAAC,CAAC;QACvD,IAAI,CAAC,WAAW,GAAG,IAAI,CAAC,IAAI,CAAC,SAAS,EAAE,iBAAiB,CAAC,CAAC;QAC3D,IAAI,CAAC,OAAO,GAAG,IAAI,CAAC,WAAW,EAAE,CAAC;IACpC,CAAC;IAED;;OAEG;IACK,WAAW;QACjB,IAAI,CAAC;YACH,IAAI,EAAE,CAAC,UAAU,CAAC,IAAI,CAAC,WAAW,CAAC,EAAE,CAAC;gBACpC,MAAM,IAAI,GAAG,IAAI,CAAC,KAAK,CAAC,EAAE,CAAC,YAAY,CAAC,IAAI,CAAC,WAAW,EAAE,OAAO,CAAC,CAAC,CAAC;gBACpE,OAAO;oBACL,QAAQ,EAAE,IAAI,CAAC,QAAQ,IAAI,EAAE;oBAC7B,WAAW,EAAE,IAAI,CAAC,WAAW,IAAI,IAAI,CAAC,GAAG,EAAE;iBAC5C,CAAC;YACJ,CAAC;QACH,CAAC;QAAC,MAAM,CAAC;YACP,6BAA6B;QAC/B,CAAC;QACD,OAAO,EAAE,QAAQ,EAAE,EAAE,EAAE,WAAW,EAAE,IAAI,CAAC,GAAG,EAAE,EAAE,CAAC;IACnD,CAAC;IAED;;OAEG;IACK,WAAW;QACjB,IAAI,CAAC;YACH,MAAM,SAAS,GAAG,IAAI,CAAC,OAAO,CAAC,IAAI,CAAC,WAAW,CAAC,CAAC;YACjD,IAAI,CAAC,EAAE,CAAC,UAAU,CAAC,SAAS,CAAC,EAAE,CAAC;gBAC9B,EAAE,CAAC,SAAS,CAAC,SAAS,EAAE,EAAE,SAAS,EAAE,IAAI,EAAE,IAAI,EAAE,KAAK,EAAE,CAAC,CAAC;YAC5D,CAAC;YACD,EAAE,CAAC,aAAa,CACd,IAAI,CAAC,WAAW,EAChB,IAAI,CAAC,SAAS,CAAC,IAAI,CAAC,OAAO,EAAE,IAAI,EAAE,CAAC,CAAC,EACrC,EAAE,IAAI,EAAE,KAAK,EAAE,CAChB,CAAC;QACJ,CAAC;QAAC,MAAM,CAAC;YACP,2DAA2D;QAC7D,CAAC;IACH,CAAC;IAED;;OAEG;IACK,YAAY,CAAC,UAAkB;QACrC,OAAO,UAAU,CAAC,WAAW,EAAE,CAAC,IAAI,EAAE,CAAC;IACzC,CAAC;IAED;;OAEG;IACK,OAAO;QACb,MAAM,GAAG,GAAG,IAAI,CAAC,GAAG,EAAE,CAAC;QAEvB,6BAA6B;QAC7B,IAAI,GAAG,GAAG,IAAI,CAAC,OAAO,CAAC,WAAW,GAAG,WAAW,CAAC,mBAAmB,EAAE,CAAC;YACrE,OAAO;QACT,CAAC;QAED,MAAM,WAAW,GAAG,GAAG,GAAG,WAAW,CAAC,SAAS,CAAC;QAEhD,KAAK,MAAM,GAAG,IAAI,MAAM,CAAC,IAAI,CAAC,IAAI,CAAC,OAAO,CAAC,QAAQ,CAAC,EAAE,CAAC;YACrD,MAAM,MAAM,GAAG,IAAI,CAAC,OAAO,CAAC,QAAQ,CAAC,GAAG,CAAC,CAAC;YAE1C,0CAA0C;YAC1C,IAAI,MAAM,CAAC,YAAY,GAAG,WAAW;gBACjC,CAAC,CAAC,MAAM,CAAC,WAAW,IAAI,MAAM,CAAC,WAAW,GAAG,GAAG,CAAC,EAAE,CAAC;gBACtD,OAAO,IAAI,CAAC,OAAO,CAAC,QAAQ,CAAC,GAAG,CAAC,CAAC;YACpC,CAAC;QACH,CAAC;QAED,IAAI,CAAC,OAAO,CAAC,WAAW,GAAG,GAAG,CAAC;QAC/B,IAAI,CAAC,WAAW,EAAE,CAAC;IACrB,CAAC;IAED;;;OAGG;IACH,KAAK,CAAC,UAAkB;QAMtB,IAAI,CAAC,OAAO,EAAE,CAAC;QAEf,MAAM,GAAG,GAAG,IAAI,CAAC,YAAY,CAAC,UAAU,CAAC,CAAC;QAC1C,MAAM,GAAG,GAAG,IAAI,CAAC,GAAG,EAAE,CAAC;QACvB,MAAM,MAAM,GAAG,IAAI,CAAC,OAAO,CAAC,QAAQ,CAAC,GAAG,CAAC,CAAC;QAE1C,uBAAuB;QACvB,IAAI,CAAC,MAAM,EAAE,CAAC;YACZ,OAAO;gBACL,OAAO,EAAE,IAAI;gBACb,iBAAiB,EAAE,WAAW,CAAC,YAAY;aAC5C,CAAC;QACJ,CAAC;QAED,gCAAgC;QAChC,IAAI,MAAM,CAAC,WAAW,IAAI,MAAM,CAAC,WAAW,GAAG,GAAG,EAAE,CAAC;YACnD,MAAM,UAAU,GAAG,IAAI,CAAC,IAAI,CAAC,CAAC,MAAM,CAAC,WAAW,GAAG,GAAG,CAAC,GAAG,IAAI,CAAC,CAAC;YAChE,MAAM,OAAO,GAAG,IAAI,CAAC,IAAI,CAAC,UAAU,GAAG,EAAE,CAAC,CAAC;YAC3C,OAAO;gBACL,OAAO,EAAE,KAAK;gBACd,UAAU;gBACV,OAAO,EAAE,uDAAuD,OAAO,UAAU,OAAO,GAAG,CAAC,CAAC,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,GAAG;aAC3G,CAAC;QACJ,CAAC;QAED,8CAA8C;QAC9C,IAAI,GAAG,GAAG,MAAM,CAAC,YAAY,GAAG,WAAW,CAAC,SAAS,EAAE,CAAC;YACtD,OAAO,IAAI,CAAC,OAAO,CAAC,QAAQ,CAAC,GAAG,CAAC,CAAC;YAClC,IAAI,CAAC,WAAW,EAAE,CAAC;YACnB,OAAO;gBACL,OAAO,EAAE,IAAI;gBACb,iBAAiB,EAAE,WAAW,CAAC,YAAY;aAC5C,CAAC;QACJ,CAAC;QAED,2BAA2B;QAC3B,MAAM,iBAAiB,GAAG,WAAW,CAAC,YAAY,GAAG,MAAM,CAAC,KAAK,CAAC;QAElE,IAAI,iBAAiB,IAAI,CAAC,EAAE,CAAC;YAC3B,mBAAmB;YACnB,MAAM,CAAC,WAAW,GAAG,GAAG,GAAG,WAAW,CAAC,UAAU,CAAC;YAClD,IAAI,CAAC,WAAW,EAAE,CAAC;YAEnB,MAAM,OAAO,GAAG,IAAI,CAAC,IAAI,CAAC,WAAW,CAAC,UAAU,GAAG,IAAI,GAAG,EAAE,CAAC,CAAC;YAC9D,OAAO;gBACL,OAAO,EAAE,KAAK;gBACd,UAAU,EAAE,IAAI,CAAC,IAAI,CAAC,WAAW,CAAC,UAAU,GAAG,IAAI,CAAC;gBACpD,OAAO,EAAE,sDAAsD,OAAO,WAAW;aAClF,CAAC;QACJ,CAAC;QAED,OAAO;YACL,OAAO,EAAE,IAAI;YACb,iBAAiB;SAClB,CAAC;IACJ,CAAC;IAED;;OAEG;IACH,aAAa,CAAC,UAAkB;QAC9B,MAAM,GAAG,GAAG,IAAI,CAAC,YAAY,CAAC,UAAU,CAAC,CAAC;QAC1C,MAAM,GAAG,GAAG,IAAI,CAAC,GAAG,EAAE,CAAC;QAEvB,IAAI,MAAM,GAAG,IAAI,CAAC,OAAO,CAAC,QAAQ,CAAC,GAAG,CAAC,CAAC;QAExC,IAAI,CAAC,MAAM,IAAI,GAAG,GAAG,MAAM,CAAC,YAAY,GAAG,WAAW,CAAC,SAAS,EAAE,CAAC;YACjE,mBAAmB;YACnB,MAAM,GAAG;gBACP,KAAK,EAAE,CAAC;gBACR,YAAY,EAAE,GAAG;gBACjB,WAAW,EAAE,IAAI;aAClB,CAAC;QACJ,CAAC;aAAM,CAAC;YACN,MAAM,CAAC,KAAK,EAAE,CAAC;YAEf,uBAAuB;YACvB,IAAI,MAAM,CAAC,KAAK,IAAI,WAAW,CAAC,YAAY,EAAE,CAAC;gBAC7C,MAAM,CAAC,WAAW,GAAG,GAAG,GAAG,WAAW,CAAC,UAAU,CAAC;YACpD,CAAC;QACH,CAAC;QAED,IAAI,CAAC,OAAO,CAAC,QAAQ,CAAC,GAAG,CAAC,GAAG,MAAM,CAAC;QACpC,IAAI,CAAC,WAAW,EAAE,CAAC;IACrB,CAAC;IAED;;OAEG;IACH,aAAa,CAAC,UAAkB;QAC9B,MAAM,GAAG,GAAG,IAAI,CAAC,YAAY,CAAC,UAAU,CAAC,CAAC;QAC1C,OAAO,IAAI,CAAC,OAAO,CAAC,QAAQ,CAAC,GAAG,CAAC,CAAC;QAClC,IAAI,CAAC,WAAW,EAAE,CAAC;IACrB,CAAC;IAED;;OAEG;IACH,OAAO;QAKL,OAAO;YACL,WAAW,EAAE,WAAW,CAAC,YAAY;YACrC,aAAa,EAAE,IAAI,CAAC,IAAI,CAAC,WAAW,CAAC,SAAS,GAAG,IAAI,GAAG,EAAE,CAAC;YAC3D,cAAc,EAAE,IAAI,CAAC,IAAI,CAAC,WAAW,CAAC,UAAU,GAAG,IAAI,GAAG,EAAE,CAAC;SAC9D,CAAC;IACJ,CAAC"}