npm - @hasna/todos - Versions diffs - 0.4.0 → 0.5.0 - Mend

@hasna/todos 0.4.0 → 0.5.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (5) hide show

package/dist/cli/index.js CHANGED Viewed

@@ -2319,6 +2319,19 @@ var init_database = __esm(() => {
   ALTER TABLE tasks ADD COLUMN plan_id TEXT REFERENCES plans(id) ON DELETE SET NULL;
   CREATE INDEX IF NOT EXISTS idx_tasks_plan ON tasks(plan_id);
   INSERT OR IGNORE INTO _migrations (id) VALUES (4);
+  `,
+    `
+  CREATE TABLE IF NOT EXISTS api_keys (
+    id TEXT PRIMARY KEY,
+    name TEXT NOT NULL,
+    key_hash TEXT NOT NULL UNIQUE,
+    key_prefix TEXT NOT NULL,
+    created_at TEXT NOT NULL DEFAULT (datetime('now')),
+    last_used_at TEXT,
+    expires_at TEXT
+  );
+  CREATE INDEX IF NOT EXISTS idx_api_keys_hash ON api_keys(key_hash);
+  INSERT OR IGNORE INTO _migrations (id) VALUES (5);
   `
   ];
 });
@@ -8015,6 +8028,60 @@ ${text}` }] };
   });
 });
+// src/db/api-keys.ts
+function generateApiKey() {
+  const bytes = new Uint8Array(32);
+  crypto.getRandomValues(bytes);
+  return "td_" + Array.from(bytes).map((b) => b.toString(16).padStart(2, "0")).join("");
+}
+async function hashKey(key) {
+  const encoder = new TextEncoder;
+  const data = encoder.encode(key);
+  const hash = await crypto.subtle.digest("SHA-256", data);
+  return Array.from(new Uint8Array(hash)).map((b) => b.toString(16).padStart(2, "0")).join("");
+}
+async function createApiKey(input, db) {
+  const d = db || getDatabase();
+  const id = uuid();
+  const timestamp = now();
+  const key = generateApiKey();
+  const keyHash = await hashKey(key);
+  const keyPrefix = key.slice(0, 10) + "...";
+  d.run(`INSERT INTO api_keys (id, name, key_hash, key_prefix, created_at, expires_at)
+     VALUES (?, ?, ?, ?, ?, ?)`, [id, input.name, keyHash, keyPrefix, timestamp, input.expires_at || null]);
+  const row = d.query("SELECT id, name, key_prefix, created_at, last_used_at, expires_at FROM api_keys WHERE id = ?").get(id);
+  return { ...row, key };
+}
+function listApiKeys(db) {
+  const d = db || getDatabase();
+  return d.query("SELECT id, name, key_prefix, created_at, last_used_at, expires_at FROM api_keys ORDER BY created_at DESC").all();
+}
+function deleteApiKey(id, db) {
+  const d = db || getDatabase();
+  const result = d.run("DELETE FROM api_keys WHERE id = ?", [id]);
+  return result.changes > 0;
+}
+async function validateApiKey(key, db) {
+  const d = db || getDatabase();
+  const keyHash = await hashKey(key);
+  const row = d.query("SELECT id, name, key_prefix, created_at, last_used_at, expires_at FROM api_keys WHERE key_hash = ?").get(keyHash);
+  if (!row)
+    return null;
+  if (row.expires_at && new Date(row.expires_at) < new Date) {
+    return null;
+  }
+  d.run("UPDATE api_keys SET last_used_at = ? WHERE id = ?", [now(), row.id]);
+  return row;
+}
+function hasAnyApiKeys(db) {
+  const d = db || getDatabase();
+  const row = d.query("SELECT COUNT(*) as count FROM api_keys").get();
+  return (row?.count ?? 0) > 0;
+}
+var init_api_keys = __esm(() => {
+  init_database();
+});
 // src/server/serve.ts
 var exports_serve = {};
 __export(exports_serve, {
@@ -8092,6 +8159,20 @@ function createFetchHandler(getPort, dashboardDir, dashboardExists) {
     }
     const method = req.method;
     const port = getPort();
+    if (path.startsWith("/api/") && !path.startsWith("/api/system/") && !path.startsWith("/api/keys")) {
+      const hasKeys = hasAnyApiKeys();
+      if (hasKeys) {
+        const authHeader = req.headers.get("authorization");
+        const apiKey = authHeader?.startsWith("Bearer ") ? authHeader.slice(7) : null;
+        if (!apiKey) {
+          return json({ error: "API key required. Pass via Authorization: Bearer <key>" }, 401, port);
+        }
+        const valid = await validateApiKey(apiKey);
+        if (!valid) {
+          return json({ error: "Invalid or expired API key" }, 403, port);
+        }
+      }
+    }
     if (path === "/api/tasks" && method === "GET") {
       try {
         const filter = {};
@@ -8478,12 +8559,61 @@ function createFetchHandler(getPort, dashboardDir, dashboardExists) {
         return json({ error: e instanceof Error ? e.message : "Failed to delete project" }, 500, port);
       }
     }
+    if (path === "/api/keys" && method === "GET") {
+      try {
+        const keys = listApiKeys();
+        return json(keys, 200, port);
+      } catch (e) {
+        return json({ error: e instanceof Error ? e.message : "Failed to list API keys" }, 500, port);
+      }
+    }
+    if (path === "/api/keys" && method === "POST") {
+      try {
+        const contentLength = parseInt(req.headers.get("content-length") || "0", 10);
+        if (contentLength > MAX_BODY_SIZE)
+          return json({ error: "Request body too large" }, 413, port);
+        const body = await parseJsonBody(req);
+        if (!body)
+          return json({ error: "Invalid JSON" }, 400, port);
+        if (!body.name || typeof body.name !== "string") {
+          return json({ error: "Missing required field: name" }, 400, port);
+        }
+        const parsed = createApiKeySchema.safeParse(body);
+        if (!parsed.success) {
+          return json({ error: "Invalid request body" }, 400, port);
+        }
+        const apiKey = await createApiKey(parsed.data);
+        return json(apiKey, 201, port);
+      } catch (e) {
+        return json({ error: e instanceof Error ? e.message : "Failed to create API key" }, 500, port);
+      }
+    }
+    const keyDeleteMatch = path.match(/^\/api\/keys\/([^/]+)$/);
+    if (keyDeleteMatch && method === "DELETE") {
+      try {
+        const id = keyDeleteMatch[1];
+        const deleted = deleteApiKey(id);
+        if (!deleted)
+          return json({ error: "API key not found" }, 404, port);
+        return json({ deleted: true }, 200, port);
+      } catch (e) {
+        return json({ error: e instanceof Error ? e.message : "Failed to delete API key" }, 500, port);
+      }
+    }
+    if (path === "/api/keys/status" && method === "GET") {
+      try {
+        const enabled = hasAnyApiKeys();
+        return json({ auth_enabled: enabled }, 200, port);
+      } catch (e) {
+        return json({ error: e instanceof Error ? e.message : "Failed to check auth status" }, 500, port);
+      }
+    }
     if (method === "OPTIONS") {
       return new Response(null, {
         headers: {
           "Access-Control-Allow-Origin": `http://localhost:${port}`,
           "Access-Control-Allow-Methods": "GET, POST, PATCH, DELETE, OPTIONS",
-          "Access-Control-Allow-Headers": "Content-Type"
+          "Access-Control-Allow-Headers": "Content-Type, Authorization"
         }
       });
     }
@@ -8559,7 +8689,7 @@ Dashboard not found at: ${dashboardDir}`);
   }
   return server2;
 }
-var MIME_TYPES, SECURITY_HEADERS, MAX_BODY_SIZE, createTaskSchema, updateTaskSchema, createProjectSchema, createCommentSchema, createPlanSchema, updatePlanSchema, agentSchema;
+var MIME_TYPES, SECURITY_HEADERS, MAX_BODY_SIZE, createTaskSchema, updateTaskSchema, createProjectSchema, createCommentSchema, createPlanSchema, updatePlanSchema, createApiKeySchema, agentSchema;
 var init_serve = __esm(() => {
   init_zod();
   init_tasks();
@@ -8567,6 +8697,7 @@ var init_serve = __esm(() => {
   init_plans();
   init_database();
   init_comments();
+  init_api_keys();
   init_search();
   MIME_TYPES = {
     ".html": "text/html; charset=utf-8",
@@ -8630,6 +8761,10 @@ var init_serve = __esm(() => {
     description: exports_external.string().optional(),
     status: exports_external.enum(["active", "completed", "archived"]).optional()
   });
+  createApiKeySchema = exports_external.object({
+    name: exports_external.string(),
+    expires_at: exports_external.string().optional()
+  });
   agentSchema = exports_external.object({
     agent_id: exports_external.string().optional()
   });

package/dist/index.d.ts CHANGED Viewed

@@ -178,6 +178,25 @@ export interface CreateSessionInput {
   metadata?: Record<string, unknown>;
 }
+// API Key
+export interface ApiKey {
+  id: string;
+  name: string;
+  key_prefix: string;
+  created_at: string;
+  last_used_at: string | null;
+  expires_at: string | null;
+}
+export interface ApiKeyWithSecret extends ApiKey {
+  key: string; // full key, only returned on creation
+}
+export interface CreateApiKeyInput {
+  name: string;
+  expires_at?: string;
+}
 // DB row types (raw from SQLite - JSON fields are strings)
 export interface TaskRow {
   id: string;

package/dist/index.js CHANGED Viewed

@@ -164,6 +164,19 @@ var MIGRATIONS = [
   ALTER TABLE tasks ADD COLUMN plan_id TEXT REFERENCES plans(id) ON DELETE SET NULL;
   CREATE INDEX IF NOT EXISTS idx_tasks_plan ON tasks(plan_id);
   INSERT OR IGNORE INTO _migrations (id) VALUES (4);
+  `,
+  `
+  CREATE TABLE IF NOT EXISTS api_keys (
+    id TEXT PRIMARY KEY,
+    name TEXT NOT NULL,
+    key_hash TEXT NOT NULL UNIQUE,
+    key_prefix TEXT NOT NULL,
+    created_at TEXT NOT NULL DEFAULT (datetime('now')),
+    last_used_at TEXT,
+    expires_at TEXT
+  );
+  CREATE INDEX IF NOT EXISTS idx_api_keys_hash ON api_keys(key_hash);
+  INSERT OR IGNORE INTO _migrations (id) VALUES (5);
   `
 ];
 var _db = null;
@@ -858,6 +871,56 @@ function deleteSession(id, db) {
   const result = d.run("DELETE FROM sessions WHERE id = ?", [id]);
   return result.changes > 0;
 }
+// src/db/api-keys.ts
+function generateApiKey() {
+  const bytes = new Uint8Array(32);
+  crypto.getRandomValues(bytes);
+  return "td_" + Array.from(bytes).map((b) => b.toString(16).padStart(2, "0")).join("");
+}
+async function hashKey(key) {
+  const encoder = new TextEncoder;
+  const data = encoder.encode(key);
+  const hash = await crypto.subtle.digest("SHA-256", data);
+  return Array.from(new Uint8Array(hash)).map((b) => b.toString(16).padStart(2, "0")).join("");
+}
+async function createApiKey(input, db) {
+  const d = db || getDatabase();
+  const id = uuid();
+  const timestamp = now();
+  const key = generateApiKey();
+  const keyHash = await hashKey(key);
+  const keyPrefix = key.slice(0, 10) + "...";
+  d.run(`INSERT INTO api_keys (id, name, key_hash, key_prefix, created_at, expires_at)
+     VALUES (?, ?, ?, ?, ?, ?)`, [id, input.name, keyHash, keyPrefix, timestamp, input.expires_at || null]);
+  const row = d.query("SELECT id, name, key_prefix, created_at, last_used_at, expires_at FROM api_keys WHERE id = ?").get(id);
+  return { ...row, key };
+}
+function listApiKeys(db) {
+  const d = db || getDatabase();
+  return d.query("SELECT id, name, key_prefix, created_at, last_used_at, expires_at FROM api_keys ORDER BY created_at DESC").all();
+}
+function deleteApiKey(id, db) {
+  const d = db || getDatabase();
+  const result = d.run("DELETE FROM api_keys WHERE id = ?", [id]);
+  return result.changes > 0;
+}
+async function validateApiKey(key, db) {
+  const d = db || getDatabase();
+  const keyHash = await hashKey(key);
+  const row = d.query("SELECT id, name, key_prefix, created_at, last_used_at, expires_at FROM api_keys WHERE key_hash = ?").get(keyHash);
+  if (!row)
+    return null;
+  if (row.expires_at && new Date(row.expires_at) < new Date) {
+    return null;
+  }
+  d.run("UPDATE api_keys SET last_used_at = ? WHERE id = ?", [now(), row.id]);
+  return row;
+}
+function hasAnyApiKeys(db) {
+  const d = db || getDatabase();
+  const row = d.query("SELECT COUNT(*) as count FROM api_keys").get();
+  return (row?.count ?? 0) > 0;
+}
 // src/lib/search.ts
 function rowToTask2(row) {
   return {
@@ -1468,6 +1531,7 @@ function syncWithAgents(agents, taskListIdByAgent, projectId, direction = "both"
   return { pushed, pulled, errors };
 }
 export {
+  validateApiKey,
   updateTask,
   updateSessionActivity,
   updateProject,
@@ -1488,6 +1552,8 @@ export {
   listProjects,
   listPlans,
   listComments,
+  listApiKeys,
+  hasAnyApiKeys,
   getTaskWithRelations,
   getTaskDependents,
   getTaskDependencies,
@@ -1504,11 +1570,13 @@ export {
   deleteProject,
   deletePlan,
   deleteComment,
+  deleteApiKey,
   defaultSyncAgents,
   createTask,
   createSession,
   createProject,
   createPlan,
+  createApiKey,
   completeTask,
   closeDatabase,
   addDependency,

package/dist/mcp/index.js CHANGED Viewed

@@ -4206,6 +4206,19 @@ var MIGRATIONS = [
   ALTER TABLE tasks ADD COLUMN plan_id TEXT REFERENCES plans(id) ON DELETE SET NULL;
   CREATE INDEX IF NOT EXISTS idx_tasks_plan ON tasks(plan_id);
   INSERT OR IGNORE INTO _migrations (id) VALUES (4);
+  `,
+  `
+  CREATE TABLE IF NOT EXISTS api_keys (
+    id TEXT PRIMARY KEY,
+    name TEXT NOT NULL,
+    key_hash TEXT NOT NULL UNIQUE,
+    key_prefix TEXT NOT NULL,
+    created_at TEXT NOT NULL DEFAULT (datetime('now')),
+    last_used_at TEXT,
+    expires_at TEXT
+  );
+  CREATE INDEX IF NOT EXISTS idx_api_keys_hash ON api_keys(key_hash);
+  INSERT OR IGNORE INTO _migrations (id) VALUES (5);
   `
 ];
 var _db = null;

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "@hasna/todos",
-  "version": "0.4.0",
+  "version": "0.5.0",
   "description": "Universal task management for AI coding agents - CLI + MCP server + interactive TUI",
   "type": "module",
   "main": "dist/index.js",