@hasna/todos 0.11.34 → 0.11.36

package/dist/cli/index.js

@@ -2908,6 +2908,22 @@ var init_migrations = __esm(() => {
   ALTER TABLE tasks ADD COLUMN cycle_id TEXT REFERENCES cycles(id) ON DELETE SET NULL;
   CREATE INDEX IF NOT EXISTS idx_tasks_cycle ON tasks(cycle_id) WHERE cycle_id IS NOT NULL;
   INSERT OR IGNORE INTO _migrations (id) VALUES (49);
+  `,
+    `
+  CREATE TABLE IF NOT EXISTS api_keys (
+    id TEXT PRIMARY KEY,
+    name TEXT NOT NULL,
+    key_hash TEXT NOT NULL UNIQUE,
+    prefix TEXT NOT NULL UNIQUE,
+    permissions TEXT NOT NULL DEFAULT '["*"]',
+    created_at TEXT NOT NULL DEFAULT (datetime('now')),
+    last_used_at TEXT,
+    expires_at TEXT,
+    revoked_at TEXT
+  );
+  CREATE INDEX IF NOT EXISTS idx_api_keys_prefix ON api_keys(prefix);
+  CREATE INDEX IF NOT EXISTS idx_api_keys_active ON api_keys(revoked_at, expires_at);
+  INSERT OR IGNORE INTO _migrations (id) VALUES (50);
   `
   ];
 });
@@ -3306,6 +3322,20 @@ function ensureSchema(db) {
   ensureIndex("CREATE INDEX IF NOT EXISTS idx_cycles_dates ON cycles(start_date, end_date)");
   ensureColumn("tasks", "cycle_id", "TEXT REFERENCES cycles(id) ON DELETE SET NULL");
   ensureIndex("CREATE INDEX IF NOT EXISTS idx_tasks_cycle ON tasks(cycle_id) WHERE cycle_id IS NOT NULL");
+  ensureTable("api_keys", `
+    CREATE TABLE api_keys (
+      id TEXT PRIMARY KEY,
+      name TEXT NOT NULL,
+      key_hash TEXT NOT NULL UNIQUE,
+      prefix TEXT NOT NULL UNIQUE,
+      permissions TEXT NOT NULL DEFAULT '["*"]',
+      created_at TEXT NOT NULL DEFAULT (datetime('now')),
+      last_used_at TEXT,
+      expires_at TEXT,
+      revoked_at TEXT
+    )`);
+  ensureIndex("CREATE INDEX IF NOT EXISTS idx_api_keys_prefix ON api_keys(prefix)");
+  ensureIndex("CREATE INDEX IF NOT EXISTS idx_api_keys_active ON api_keys(revoked_at, expires_at)");
 }
 function backfillTaskTags(db) {
   try {
@@ -7501,14 +7531,246 @@ var init_extract = __esm(() => {
   ]);
 });
 
+// src/db/agent-names.ts
+function normalizeAgentNameInput(name) {
+  return name.trim().toLowerCase();
+}
+function hasGeneratedNumericSuffix(name) {
+  return NUMERIC_SUFFIX_RE.test(normalizeAgentNameInput(name));
+}
+function isGenericAgentName(name) {
+  const normalized = normalizeAgentNameInput(name);
+  if (RESERVED_GENERIC_NAMES.has(normalized))
+    return true;
+  for (const generic of RESERVED_GENERIC_NAMES) {
+    if (normalized === `${generic}s`)
+      return true;
+    if (normalized.match(new RegExp(`^${generic}\\d+$`)))
+      return true;
+    if (normalized.match(new RegExp(`^${generic}[-_]\\d+$`)))
+      return true;
+  }
+  return false;
+}
+function isBlockedAgentName(name) {
+  const normalized = normalizeAgentNameInput(name);
+  return isGenericAgentName(normalized) || hasGeneratedNumericSuffix(normalized) || !ONE_WORD_NAME_RE.test(normalized);
+}
+function alphabeticSuffix(index) {
+  const letters = "abcdefghijklmnopqrstuvwxyz";
+  let value = index;
+  let suffix = "";
+  do {
+    suffix = letters[value % letters.length] + suffix;
+    value = Math.floor(value / letters.length) - 1;
+  } while (value >= 0);
+  return suffix;
+}
+function suggestAgentNames(existingNames = []) {
+  const existing = new Set([...existingNames].map(normalizeAgentNameInput));
+  const suggestions = PREFERRED_AGENT_NAMES.filter((name) => !existing.has(name));
+  for (let suffixIndex = 0;suggestions.length < 20 && suffixIndex < 1000; suffixIndex++) {
+    const suffix = alphabeticSuffix(suffixIndex);
+    for (const base of PREFERRED_AGENT_NAMES) {
+      const candidate = `${base}${suffix}`;
+      if (existing.has(candidate) || suggestions.includes(candidate))
+        continue;
+      suggestions.push(candidate);
+      if (suggestions.length >= 20)
+        break;
+    }
+  }
+  return suggestions;
+}
+function validateAgentName(name, existingNames = []) {
+  const normalized = normalizeAgentNameInput(name);
+  const suggestions = suggestAgentNames(existingNames).slice(0, 5);
+  if (!normalized) {
+    throw new InvalidAgentNameError(name, "choose a real one-word name instead of an empty value", suggestions);
+  }
+  if (/\s/.test(normalized)) {
+    throw new InvalidAgentNameError(name, "use a single word, preferably a Roman or Greek name", suggestions);
+  }
+  if (normalized.length < 3) {
+    throw new InvalidAgentNameError(name, "use a more distinctive name with at least three characters", suggestions);
+  }
+  if (isGenericAgentName(normalized)) {
+    throw new InvalidAgentNameError(name, "generic names like agent, agent-1, assistant, or worker-2 are reserved", suggestions);
+  }
+  if (hasGeneratedNumericSuffix(normalized)) {
+    throw new InvalidAgentNameError(name, "numbered suffix names are not allowed; pick a distinct human-readable name", suggestions);
+  }
+  if (!ONE_WORD_NAME_RE.test(normalized)) {
+    throw new InvalidAgentNameError(name, "use one word made of letters only, preferably a Roman or Greek name", suggestions);
+  }
+  return normalized;
+}
+function tableHasColumn(db, table, column) {
+  try {
+    return db.query(`PRAGMA table_info(${table})`).all().some((row) => row.name === column);
+  } catch {
+    return false;
+  }
+}
+function updateReferences(db, oldName, newName) {
+  const refs = [
+    ["tasks", "assigned_to"],
+    ["tasks", "agent_id"],
+    ["tasks", "locked_by"],
+    ["tasks", "assigned_by"],
+    ["plans", "agent_id"],
+    ["sessions", "agent_id"],
+    ["task_comments", "agent_id"],
+    ["task_history", "agent_id"],
+    ["webhooks", "agent_id"],
+    ["task_files", "agent_id"],
+    ["task_time_logs", "agent_id"],
+    ["task_watchers", "agent_id"],
+    ["task_checkpoints", "agent_id"],
+    ["task_heartbeats", "agent_id"],
+    ["project_agent_roles", "agent_id"]
+  ];
+  let changed = 0;
+  for (const [table, column] of refs) {
+    if (!tableHasColumn(db, table, column))
+      continue;
+    try {
+      changed += db.run(`UPDATE ${table} SET ${column} = ? WHERE LOWER(${column}) = ?`, [newName, oldName]).changes;
+    } catch {}
+  }
+  return changed;
+}
+function normalizeGeneratedAgentNames(db) {
+  const rows = db.query("SELECT * FROM agents ORDER BY created_at, id").all();
+  const existing = new Set(rows.map((agent) => normalizeAgentNameInput(agent.name)));
+  const renamed = [];
+  for (const agent of rows) {
+    const oldName = normalizeAgentNameInput(agent.name);
+    if (!isBlockedAgentName(oldName))
+      continue;
+    const candidates = suggestAgentNames(existing);
+    const replacement = candidates[0];
+    if (!replacement) {
+      throw new Error("No safe agent names are available for normalization");
+    }
+    existing.delete(oldName);
+    existing.add(replacement);
+    db.run("UPDATE agents SET name = ?, last_seen_at = ? WHERE id = ?", [replacement, now(), agent.id]);
+    const referenceUpdates = updateReferences(db, oldName, replacement);
+    renamed.push({
+      id: agent.id,
+      old_name: oldName,
+      new_name: replacement,
+      reference_updates: referenceUpdates
+    });
+  }
+  return renamed;
+}
+var InvalidAgentNameError, ROMAN_AGENT_NAMES, GREEK_AGENT_NAMES, NICE_AGENT_NAMES, PREFERRED_AGENT_NAMES, RESERVED_GENERIC_NAMES, NUMERIC_SUFFIX_RE, ONE_WORD_NAME_RE;
+var init_agent_names = __esm(() => {
+  init_database();
+  InvalidAgentNameError = class InvalidAgentNameError extends Error {
+    suggestions;
+    constructor(name, reason, suggestions = []) {
+      super(`Invalid agent name "${name}": ${reason}${suggestions.length > 0 ? `. Try: ${suggestions.join(", ")}` : ""}`);
+      this.name = "InvalidAgentNameError";
+      this.suggestions = suggestions;
+    }
+  };
+  ROMAN_AGENT_NAMES = [
+    "caesar",
+    "augustus",
+    "marcus",
+    "brutus",
+    "cicero",
+    "cato",
+    "nero",
+    "claudius",
+    "tiberius",
+    "hadrian",
+    "trajan",
+    "vespasian",
+    "domitian",
+    "caligula",
+    "commodus",
+    "livia",
+    "julia",
+    "octavia",
+    "claudia",
+    "agrippina",
+    "cornelia",
+    "valeria",
+    "fulvia",
+    "hortensia",
+    "fabia"
+  ];
+  GREEK_AGENT_NAMES = [
+    "athena",
+    "apollo",
+    "artemis",
+    "hera",
+    "iris",
+    "hector",
+    "achilles",
+    "odysseus",
+    "theseus",
+    "pericles",
+    "solon",
+    "sophia",
+    "thalia",
+    "calliope",
+    "clio",
+    "phoebe",
+    "daphne",
+    "leonidas",
+    "andromeda",
+    "cassander"
+  ];
+  NICE_AGENT_NAMES = [
+    "atlas",
+    "aurora",
+    "ember",
+    "nova",
+    "orion",
+    "rhea",
+    "selene",
+    "sirius",
+    "vesper",
+    "zephyr"
+  ];
+  PREFERRED_AGENT_NAMES = [
+    ...ROMAN_AGENT_NAMES,
+    ...GREEK_AGENT_NAMES,
+    ...NICE_AGENT_NAMES
+  ];
+  RESERVED_GENERIC_NAMES = new Set([
+    "agent",
+    "agents",
+    "ai",
+    "assistant",
+    "bot",
+    "coder",
+    "default",
+    "helper",
+    "model",
+    "system",
+    "user",
+    "worker"
+  ]);
+  NUMERIC_SUFFIX_RE = /[-_]\d+$/;
+  ONE_WORD_NAME_RE = /^[a-z]+$/;
+});
+
 // src/db/agents.ts
 var exports_agents = {};
 __export(exports_agents, {
   updateAgentActivity: () => updateAgentActivity,
   updateAgent: () => updateAgent,
   unarchiveAgent: () => unarchiveAgent,
+  suggestAgentNames: () => suggestAgentNames,
   releaseAgent: () => releaseAgent,
   registerAgent: () => registerAgent,
+  normalizeGeneratedAgentNames: () => normalizeGeneratedAgentNames,
   matchCapabilities: () => matchCapabilities,
   listAgents: () => listAgents,
   isAgentConflict: () => isAgentConflict,
@@ -7520,7 +7782,8 @@ __export(exports_agents, {
   getAgent: () => getAgent,
   deleteAgent: () => deleteAgent,
   autoReleaseStaleAgents: () => autoReleaseStaleAgents,
-  archiveAgent: () => archiveAgent
+  archiveAgent: () => archiveAgent,
+  InvalidAgentNameError: () => InvalidAgentNameError
 });
 function getActiveWindowMs() {
   const env = process.env["TODOS_AGENT_TIMEOUT_MS"];
@@ -7543,7 +7806,7 @@ function getAvailableNamesFromPool(pool, db) {
   autoReleaseStaleAgents(db);
   const cutoff = new Date(Date.now() - getActiveWindowMs()).toISOString();
   const activeNames = new Set(db.query("SELECT name FROM agents WHERE status = 'active' AND last_seen_at > ?").all(cutoff).map((r) => r.name.toLowerCase()));
-  return pool.filter((name) => !activeNames.has(name.toLowerCase()));
+  return pool.map(normalizeAgentNameInput).filter((name) => !activeNames.has(name));
 }
 function shortUuid() {
   return crypto.randomUUID().slice(0, 8);
@@ -7559,7 +7822,8 @@ function rowToAgent(row) {
 }
 function registerAgent(input, db) {
   const d = db || getDatabase();
-  const normalizedName = input.name.trim().toLowerCase();
+  const existingNames = d.query("SELECT name FROM agents").all().map((row) => row.name);
+  const normalizedName = validateAgentName(input.name, existingNames);
   const existing = getAgentByName(normalizedName, d);
   if (existing) {
     const lastSeenMs = new Date(existing.last_seen_at).getTime();
@@ -7692,7 +7956,8 @@ function updateAgent(id, input, db) {
   const sets = ["last_seen_at = ?"];
   const params = [now()];
   if (input.name !== undefined) {
-    const newName = input.name.trim().toLowerCase();
+    const existingNames = d.query("SELECT name FROM agents WHERE id != ?").all(id).map((row) => row.name);
+    const newName = validateAgentName(input.name, existingNames);
     const holder = getAgentByName(newName, d);
     if (holder && holder.id !== id) {
       const lastSeenMs = new Date(holder.last_seen_at).getTime();
@@ -7803,6 +8068,7 @@ function getCapableAgents(capabilities, opts, db) {
 }
 var init_agents = __esm(() => {
   init_database();
+  init_agent_names();
 });
 
 // src/db/task-lists.ts
@@ -7872,6 +8138,90 @@ var init_task_lists = __esm(() => {
   init_projects();
 });
 
+// src/db/api-keys.ts
+import { createHash, randomBytes, timingSafeEqual } from "crypto";
+function rowToRecord(row) {
+  return {
+    id: row.id,
+    name: row.name,
+    prefix: row.prefix,
+    permissions: JSON.parse(row.permissions || '["*"]'),
+    created_at: row.created_at,
+    last_used_at: row.last_used_at,
+    expires_at: row.expires_at,
+    revoked_at: row.revoked_at
+  };
+}
+function hashApiKey(key) {
+  return createHash("sha256").update(key).digest("hex");
+}
+function safeEqualHex(a, b) {
+  if (a.length !== b.length)
+    return false;
+  return timingSafeEqual(Buffer.from(a, "hex"), Buffer.from(b, "hex"));
+}
+function generatePlaintextKey() {
+  return `tdos_${randomBytes(32).toString("base64url")}`;
+}
+function createApiKey(input, db) {
+  const d = db || getDatabase();
+  const name = input.name.trim();
+  if (!name)
+    throw new Error("API key name is required");
+  const key = generatePlaintextKey();
+  const timestamp = now();
+  const id = uuid();
+  const prefix = key.slice(0, 12);
+  d.run(`INSERT INTO api_keys (id, name, key_hash, prefix, permissions, created_at, expires_at)
+     VALUES (?, ?, ?, ?, ?, ?, ?)`, [
+    id,
+    name,
+    hashApiKey(key),
+    prefix,
+    JSON.stringify(input.permissions?.length ? input.permissions : ["*"]),
+    timestamp,
+    input.expires_at || null
+  ]);
+  const row = d.query("SELECT * FROM api_keys WHERE id = ?").get(id);
+  return { key, record: rowToRecord(row) };
+}
+function listApiKeys(opts, db) {
+  const d = db || getDatabase();
+  const includeRevoked = opts?.include_revoked ?? false;
+  const sql = includeRevoked ? "SELECT * FROM api_keys ORDER BY created_at DESC" : "SELECT * FROM api_keys WHERE revoked_at IS NULL ORDER BY created_at DESC";
+  return d.query(sql).all().map(rowToRecord);
+}
+function hasActiveApiKeys(db) {
+  const d = db || getDatabase();
+  const row = d.query("SELECT COUNT(*) AS count FROM api_keys WHERE revoked_at IS NULL AND (expires_at IS NULL OR expires_at > ?)").get(now());
+  return (row?.count ?? 0) > 0;
+}
+function verifyApiKey(key, db) {
+  const d = db || getDatabase();
+  const candidateHash = hashApiKey(key);
+  const rows = d.query("SELECT * FROM api_keys WHERE revoked_at IS NULL AND (expires_at IS NULL OR expires_at > ?)").all(now());
+  for (const row of rows) {
+    if (!safeEqualHex(candidateHash, row.key_hash))
+      continue;
+    d.run("UPDATE api_keys SET last_used_at = ? WHERE id = ?", [now(), row.id]);
+    return rowToRecord({ ...row, last_used_at: now() });
+  }
+  return null;
+}
+function revokeApiKey(idOrPrefix, db) {
+  const d = db || getDatabase();
+  const identifier = idOrPrefix.trim();
+  const row = d.query("SELECT * FROM api_keys WHERE id = ? OR prefix = ?").get(identifier, identifier);
+  if (!row)
+    return null;
+  d.run("UPDATE api_keys SET revoked_at = ? WHERE id = ?", [now(), row.id]);
+  const updated = d.query("SELECT * FROM api_keys WHERE id = ?").get(row.id);
+  return rowToRecord(updated);
+}
+var init_api_keys = __esm(() => {
+  init_database();
+});
+
 // src/db/orgs.ts
 function rowToOrg(row) {
   return { ...row, metadata: JSON.parse(row.metadata || "{}") };
@@ -8317,31 +8667,37 @@ function handleDeleteProject(id, _ctx, json2) {
   return json2({ success: true });
 }
 async function handleAgentMe(_req, url, _ctx, json2, taskToSummary2) {
-  const name = url.searchParams.get("name");
-  if (!name)
-    return json2({ error: "Missing name param" }, 400);
-  const agentResult = registerAgent({ name });
-  if (isAgentConflict(agentResult))
-    return json2({ error: agentResult.message, conflict: true }, 409);
-  const agent = agentResult;
-  const tasks = listTasks({ assigned_to: name });
-  const agentIdTasks = listTasks({ agent_id: agent.id });
-  const allTasks = [...tasks, ...agentIdTasks.filter((t) => !tasks.some((tt) => tt.id === t.id))];
-  const pending = allTasks.filter((t) => t.status === "pending");
-  const inProgress = allTasks.filter((t) => t.status === "in_progress");
-  const completed = allTasks.filter((t) => t.status === "completed");
-  return json2({
-    agent,
-    pending_tasks: pending.map((t) => taskToSummary2(t)),
-    in_progress_tasks: inProgress.map((t) => taskToSummary2(t)),
-    stats: {
-      total: allTasks.length,
-      pending: pending.length,
-      in_progress: inProgress.length,
-      completed: completed.length,
-      completion_rate: allTasks.length > 0 ? Math.round(completed.length / allTasks.length * 100) : 0
-    }
-  });
+  try {
+    const name = url.searchParams.get("name");
+    if (!name)
+      return json2({ error: "Missing name param" }, 400);
+    const agentResult = registerAgent({ name });
+    if (isAgentConflict(agentResult))
+      return json2({ error: agentResult.message, conflict: true }, 409);
+    const agent = agentResult;
+    const tasks = listTasks({ assigned_to: agent.name });
+    const agentIdTasks = listTasks({ agent_id: agent.id });
+    const allTasks = [...tasks, ...agentIdTasks.filter((t) => !tasks.some((tt) => tt.id === t.id))];
+    const pending = allTasks.filter((t) => t.status === "pending");
+    const inProgress = allTasks.filter((t) => t.status === "in_progress");
+    const completed = allTasks.filter((t) => t.status === "completed");
+    return json2({
+      agent,
+      pending_tasks: pending.map((t) => taskToSummary2(t)),
+      in_progress_tasks: inProgress.map((t) => taskToSummary2(t)),
+      stats: {
+        total: allTasks.length,
+        pending: pending.length,
+        in_progress: inProgress.length,
+        completed: completed.length,
+        completion_rate: allTasks.length > 0 ? Math.round(completed.length / allTasks.length * 100) : 0
+      }
+    });
+  } catch (e) {
+    if (e instanceof InvalidAgentNameError)
+      return json2({ error: e.message, suggestions: e.suggestions }, 400);
+    return json2({ error: e instanceof Error ? e.message : "Failed to get agent profile" }, 500);
+  }
 }
 function handleAgentQueue(agentId, _ctx, json2, taskToSummary2) {
   const pending = listTasks({ status: "pending" });
@@ -8407,6 +8763,8 @@ async function handleRegisterAgent(req, _ctx, json2) {
       return json2({ error: result.message, conflict: true }, 409);
     return json2(result, 201);
   } catch (e) {
+    if (e instanceof InvalidAgentNameError)
+      return json2({ error: e.message, suggestions: e.suggestions }, 400);
     return json2({ error: e instanceof Error ? e.message : "Failed to register agent" }, 500);
   }
 }
@@ -8416,6 +8774,8 @@ async function handleUpdateAgent(id, req, _ctx, json2) {
     const agent = updateAgent(id, body);
     return json2(agent);
   } catch (e) {
+    if (e instanceof InvalidAgentNameError)
+      return json2({ error: e.message, suggestions: e.suggestions }, 400);
     return json2({ error: e instanceof Error ? e.message : "Failed to update agent" }, 500);
   }
 }
@@ -8652,14 +9012,26 @@ function resolveDashboardDir() {
   }
   return join9(process.cwd(), "dashboard", "dist");
 }
+function getProvidedApiKey(req) {
+  const headerKey = req.headers.get("x-api-key");
+  if (headerKey)
+    return headerKey.trim();
+  const auth = req.headers.get("authorization");
+  if (!auth)
+    return null;
+  return auth.replace(/^Bearer\s+/i, "").trim() || null;
+}
 function checkAuth(req, apiKey) {
-  if (!apiKey)
+  const generatedKeysEnabled = hasActiveApiKeys();
+  if (!apiKey && !generatedKeysEnabled)
     return null;
-  const provided = req.headers.get("x-api-key") || req.headers.get("authorization")?.replace("Bearer ", "");
-  if (!provided || provided !== apiKey) {
+  const provided = getProvidedApiKey(req);
+  const matchesEnvKey = Boolean(apiKey && provided && provided === apiKey);
+  const matchesGeneratedKey = Boolean(provided && verifyApiKey(provided));
+  if (!matchesEnvKey && !matchesGeneratedKey) {
     return new Response(JSON.stringify({ error: "Unauthorized" }), {
       status: 401,
-      headers: { "Content-Type": "application/json", ...SECURITY_HEADERS }
+      headers: { "Content-Type": "application/json", "WWW-Authenticate": "Bearer", ...SECURITY_HEADERS }
     });
   }
   return null;
@@ -9041,6 +9413,7 @@ Dashboard not found at: ${dashboardDir}`);
 var MIME_TYPES, SECURITY_HEADERS, rateLimitMap, RATE_LIMIT_WINDOW_MS = 60000, RATE_LIMIT_MAX = 120;
 var init_serve = __esm(() => {
   init_database();
+  init_api_keys();
   init_routes();
   MIME_TYPES = {
     ".html": "text/html; charset=utf-8",
@@ -14768,7 +15141,7 @@ var init_dist = __esm(() => {
     var nodeCrypto = __require2("crypto");
     module.exports = {
       postgresMd5PasswordHash,
-      randomBytes,
+      randomBytes: randomBytes2,
       deriveKey,
       sha256,
       hashByName,
@@ -14778,7 +15151,7 @@ var init_dist = __esm(() => {
     var webCrypto = nodeCrypto.webcrypto || globalThis.crypto;
     var subtleCrypto = webCrypto.subtle;
     var textEncoder = new TextEncoder;
-    function randomBytes(length) {
+    function randomBytes2(length) {
       return webCrypto.getRandomValues(Buffer.alloc(length));
     }
     async function md5(string) {
@@ -30986,8 +31359,8 @@ function registerAgentTools(server, { shouldRegisterTool, resolveId, formatError
     });
   }
   if (shouldRegisterTool("register_agent")) {
-    server.tool("register_agent", "Register an agent. Any name is allowed \u2014 the configured pool is advisory, not enforced. Returns a conflict error if the name is held by a recently-active agent.", {
-      name: exports_external2.string().describe("Agent name \u2014 any name is allowed. Use suggest_agent_name to see pool suggestions and avoid conflicts."),
+    server.tool("register_agent", "Register an agent with a distinctive one-word name. Generic/generated names like agent, agent-1, assistant, or worker-2 are rejected. Prefer Roman or Greek names from suggest_agent_name.", {
+      name: exports_external2.string().describe("Distinctive one-word agent name. Use suggest_agent_name first; avoid agent, agent-1, and other numbered generated names."),
       description: exports_external2.string().optional(),
       role: exports_external2.string().optional(),
       title: exports_external2.string().optional(),
@@ -31031,7 +31404,7 @@ Last seen: ${agent.last_seen_at}`
     });
   }
   if (shouldRegisterTool("suggest_agent_name")) {
-    server.tool("suggest_agent_name", "Get available agent names for a project. Shows configured pool, active agents, and suggestions. If no pool is configured, any name is allowed.", {
+    server.tool("suggest_agent_name", "Get available Roman/Greek-style agent names for a project. Use these instead of generic generated names.", {
       working_dir: exports_external2.string().optional().describe("Your working directory \u2014 used to look up the project's allowed name pool from config")
     }, async ({ working_dir }) => {
       try {
@@ -31039,8 +31412,30 @@ Last seen: ${agent.last_seen_at}`
         const cutoff = new Date(Date.now() - 30 * 60 * 1000).toISOString();
         const allActive = listAgents().filter((a) => a.last_seen_at > cutoff);
         if (!pool) {
+          const suggestions = getAvailableNamesFromPool([
+            "caesar",
+            "augustus",
+            "marcus",
+            "brutus",
+            "cicero",
+            "cato",
+            "nero",
+            "claudius",
+            "tiberius",
+            "hadrian",
+            "athena",
+            "apollo",
+            "artemis",
+            "iris",
+            "hector",
+            "sophia",
+            "thalia",
+            "phoebe",
+            "daphne"
+          ], getDatabase());
           const lines2 = [
-            "No agent pool configured \u2014 any name is allowed.",
+            "No project pool configured. Use a distinctive one-word name; generic generated names are blocked.",
+            `Suggested names: ${suggestions.slice(0, 8).join(", ")}`,
             allActive.length > 0 ? `Active agents (avoid these names): ${allActive.map((a) => `${a.name} (seen ${Math.round((Date.now() - new Date(a.last_seen_at).getTime()) / 60000)}m ago)`).join(", ")}` : "No active agents.",
             `
 To restrict names, configure agent_pool or project_pools in ~/.hasna/todos/config.json`
@@ -33644,6 +34039,27 @@ Use ${chalk5.cyan(`--agent ${result.id}`)} on future commands.`);
       handleError(e);
     }
   });
+  program2.command("agents-normalize").alias("normalize-agents").description("Rename invalid/generated agent names (agent, agent-1, name-2, two-word names) to safe one-word names").action(async () => {
+    const globalOpts = program2.opts();
+    try {
+      const db = getDatabase();
+      const renamed = normalizeGeneratedAgentNames(db);
+      if (globalOpts.json) {
+        output({ renamed, suggestions: suggestAgentNames(listAgents().map((agent) => agent.name)).slice(0, 5) }, true);
+        return;
+      }
+      if (renamed.length === 0) {
+        console.log(chalk5.green("No invalid or generated agent names found."));
+        return;
+      }
+      console.log(chalk5.green(`Normalized ${renamed.length} agent name(s):`));
+      for (const item of renamed) {
+        console.log(`  ${chalk5.cyan(item.id)} ${chalk5.red(item.old_name)} ${chalk5.dim("->")} ${chalk5.bold(item.new_name)} ${chalk5.dim(`(${item.reference_updates} reference updates)`)}`);
+      }
+    } catch (e) {
+      handleError(e);
+    }
+  });
   program2.command("agent-update <name>").alias("agents-update").description("Update an agent's description, role, or other fields").option("--description <text>", "New description").option("--role <role>", "New role").option("--title <title>", "New title").action(async (name, opts) => {
     const globalOpts = program2.opts();
     try {
@@ -33944,7 +34360,7 @@ function registerConfigServeCommands(program2) {
       console.log(JSON.stringify(config, null, 2));
     }
   });
-  program2.command("serve").description("Start the web dashboard").option("--port <port>", "Port number", "19427").option("--host <host>", "Host to bind (default: 127.0.0.1 localhost only, use 0.0.0.0 for all interfaces)").option("--no-open", "Don't open browser automatically").action(async (opts) => {
+  program2.command("serve").description("Start the web dashboard").option("--port <port>", "Port number", "19427").option("--host <host>", "Host to bind (default: 127.0.0.1 localhost only, use 0.0.0.0 for all interfaces)").option("--api-key <key>", "Require this API key for /api/* requests").option("--no-open", "Don't open browser automatically").action(async (opts) => {
     const { startServer: startServer2 } = await Promise.resolve().then(() => (init_serve(), exports_serve));
     const requestedPort = parseInt(opts.port, 10);
     let port = requestedPort;
@@ -33959,7 +34375,7 @@ function registerConfigServeCommands(program2) {
     if (port !== requestedPort) {
       console.log(`Port ${requestedPort} in use, using ${port}`);
     }
-    await startServer2(port, { open: opts.open !== false, host: opts.host });
+    await startServer2(port, { open: opts.open !== false, host: opts.host, apiKey: opts.apiKey });
   });
   program2.command("watch").description("Live-updating task list (refreshes every few seconds)").option("-s, --status <status>", "Filter by status (default: pending,in_progress)").option("-i, --interval <seconds>", "Refresh interval in seconds", "5").action(async (opts) => {
     const globalOpts = program2.opts();
@@ -36388,6 +36804,91 @@ Sync complete: ${totalPulled} task(s) pulled.`));
   });
 }
 
+// src/cli/commands/api-key-commands.ts
+init_api_keys();
+init_helpers();
+import chalk12 from "chalk";
+function registerApiKeyCommands(program2) {
+  const apiKeys = program2.command("api-keys").alias("api-key").description("Generate, list, and revoke API keys for secured app/API access");
+  apiKeys.command("create <name>").alias("generate").description("Generate a new API key. The plaintext key is shown once.").option("--expires-at <iso>", "Optional ISO timestamp when this key expires").option("--permissions <list>", "Comma-separated permissions (default: *)").action((name, opts) => {
+    const globalOpts = program2.opts();
+    try {
+      const permissions = opts.permissions ? opts.permissions.split(",").map((item) => item.trim()).filter(Boolean) : undefined;
+      const created = createApiKey({ name, permissions, expires_at: opts.expiresAt || null });
+      if (globalOpts.json) {
+        output(created, true);
+        return;
+      }
+      console.log(chalk12.green("API key generated:"));
+      console.log(`  ${chalk12.dim("ID:")}     ${created.record.id}`);
+      console.log(`  ${chalk12.dim("Name:")}   ${created.record.name}`);
+      console.log(`  ${chalk12.dim("Prefix:")} ${created.record.prefix}`);
+      console.log();
+      console.log(chalk12.yellow("Copy this key now. It will not be shown again:"));
+      console.log(created.key);
+    } catch (e) {
+      handleError(e);
+    }
+  });
+  apiKeys.command("list").description("List API keys without showing plaintext secrets").option("--include-revoked", "Include revoked keys").action((opts) => {
+    const globalOpts = program2.opts();
+    try {
+      const keys = listApiKeys({ include_revoked: opts.includeRevoked ?? false });
+      if (globalOpts.json) {
+        output(keys, true);
+        return;
+      }
+      if (keys.length === 0) {
+        console.log(chalk12.dim("No API keys found."));
+        return;
+      }
+      for (const key of keys) {
+        const state = key.revoked_at ? chalk12.red("revoked") : key.expires_at && key.expires_at < new Date().toISOString() ? chalk12.yellow("expired") : chalk12.green("active");
+        console.log(`${chalk12.cyan(key.id)} ${chalk12.bold(key.name)} ${chalk12.dim(key.prefix)} ${state}`);
+        if (key.last_used_at)
+          console.log(chalk12.dim(`  last used: ${key.last_used_at}`));
+        if (key.expires_at)
+          console.log(chalk12.dim(`  expires:   ${key.expires_at}`));
+      }
+    } catch (e) {
+      handleError(e);
+    }
+  });
+  apiKeys.command("revoke <id-or-prefix>").description("Revoke an API key by id or prefix").action((idOrPrefix) => {
+    const globalOpts = program2.opts();
+    try {
+      const revoked = revokeApiKey(idOrPrefix);
+      if (!revoked) {
+        throw new Error(`API key not found: ${idOrPrefix}`);
+      }
+      if (globalOpts.json) {
+        output(revoked, true);
+        return;
+      }
+      console.log(chalk12.green(`Revoked API key: ${revoked.name} (${revoked.prefix})`));
+    } catch (e) {
+      handleError(e);
+    }
+  });
+  apiKeys.command("verify <key>").description("Verify an API key locally without printing stored hashes").action((key) => {
+    const globalOpts = program2.opts();
+    try {
+      const record = verifyApiKey(key);
+      if (globalOpts.json) {
+        output({ valid: Boolean(record), key: record }, true);
+        return;
+      }
+      if (!record) {
+        console.error(chalk12.red("API key is invalid, revoked, or expired."));
+        process.exit(1);
+      }
+      console.log(chalk12.green(`API key valid: ${record.name} (${record.prefix})`));
+    } catch (e) {
+      handleError(e);
+    }
+  });
+}
+
 // src/cli/index.tsx
 var program2 = new Command;
 program2.name("todos").description("Universal task management for AI coding agents").version(getPackageVersion()).option("--project <path>", "Project path").option("-j, --json", "Output as JSON").option("--agent <name>", "Agent name").option("--session <id>", "Session ID");
@@ -36401,4 +36902,5 @@ registerCloudCommands2(program2);
 registerMcpHooksCommands(program2);
 registerDispatchCommands(program2);
 registerMachineCommands(program2);
+registerApiKeyCommands(program2);
 program2.parse();