@hasna/todos 0.4.1 → 0.5.1

package/dist/cli/index.js

@@ -2319,6 +2319,19 @@ var init_database = __esm(() => {
   ALTER TABLE tasks ADD COLUMN plan_id TEXT REFERENCES plans(id) ON DELETE SET NULL;
   CREATE INDEX IF NOT EXISTS idx_tasks_plan ON tasks(plan_id);
   INSERT OR IGNORE INTO _migrations (id) VALUES (4);
+  `,
+    `
+  CREATE TABLE IF NOT EXISTS api_keys (
+    id TEXT PRIMARY KEY,
+    name TEXT NOT NULL,
+    key_hash TEXT NOT NULL UNIQUE,
+    key_prefix TEXT NOT NULL,
+    created_at TEXT NOT NULL DEFAULT (datetime('now')),
+    last_used_at TEXT,
+    expires_at TEXT
+  );
+  CREATE INDEX IF NOT EXISTS idx_api_keys_hash ON api_keys(key_hash);
+  INSERT OR IGNORE INTO _migrations (id) VALUES (5);
   `
   ];
 });
@@ -8015,6 +8028,60 @@ ${text}` }] };
   });
 });
 
+// src/db/api-keys.ts
+function generateApiKey() {
+  const bytes = new Uint8Array(32);
+  crypto.getRandomValues(bytes);
+  return "td_" + Array.from(bytes).map((b) => b.toString(16).padStart(2, "0")).join("");
+}
+async function hashKey(key) {
+  const encoder = new TextEncoder;
+  const data = encoder.encode(key);
+  const hash = await crypto.subtle.digest("SHA-256", data);
+  return Array.from(new Uint8Array(hash)).map((b) => b.toString(16).padStart(2, "0")).join("");
+}
+async function createApiKey(input, db) {
+  const d = db || getDatabase();
+  const id = uuid();
+  const timestamp = now();
+  const key = generateApiKey();
+  const keyHash = await hashKey(key);
+  const keyPrefix = key.slice(0, 10) + "...";
+  d.run(`INSERT INTO api_keys (id, name, key_hash, key_prefix, created_at, expires_at)
+     VALUES (?, ?, ?, ?, ?, ?)`, [id, input.name, keyHash, keyPrefix, timestamp, input.expires_at || null]);
+  const row = d.query("SELECT id, name, key_prefix, created_at, last_used_at, expires_at FROM api_keys WHERE id = ?").get(id);
+  return { ...row, key };
+}
+function listApiKeys(db) {
+  const d = db || getDatabase();
+  return d.query("SELECT id, name, key_prefix, created_at, last_used_at, expires_at FROM api_keys ORDER BY created_at DESC").all();
+}
+function deleteApiKey(id, db) {
+  const d = db || getDatabase();
+  const result = d.run("DELETE FROM api_keys WHERE id = ?", [id]);
+  return result.changes > 0;
+}
+async function validateApiKey(key, db) {
+  const d = db || getDatabase();
+  const keyHash = await hashKey(key);
+  const row = d.query("SELECT id, name, key_prefix, created_at, last_used_at, expires_at FROM api_keys WHERE key_hash = ?").get(keyHash);
+  if (!row)
+    return null;
+  if (row.expires_at && new Date(row.expires_at) < new Date) {
+    return null;
+  }
+  d.run("UPDATE api_keys SET last_used_at = ? WHERE id = ?", [now(), row.id]);
+  return row;
+}
+function hasAnyApiKeys(db) {
+  const d = db || getDatabase();
+  const row = d.query("SELECT COUNT(*) as count FROM api_keys").get();
+  return (row?.count ?? 0) > 0;
+}
+var init_api_keys = __esm(() => {
+  init_database();
+});
+
 // src/server/serve.ts
 var exports_serve = {};
 __export(exports_serve, {
@@ -8092,18 +8159,35 @@ function createFetchHandler(getPort, dashboardDir, dashboardExists) {
     }
     const method = req.method;
     const port = getPort();
+    if (path.startsWith("/api/") && !path.startsWith("/api/system/") && !path.startsWith("/api/keys")) {
+      const hasKeys = hasAnyApiKeys();
+      if (hasKeys) {
+        const authHeader = req.headers.get("authorization");
+        const apiKey = authHeader?.startsWith("Bearer ") ? authHeader.slice(7) : null;
+        if (!apiKey) {
+          return json({ error: "API key required. Pass via Authorization: Bearer <key>" }, 401, port);
+        }
+        const valid = await validateApiKey(apiKey);
+        if (!valid) {
+          return json({ error: "Invalid or expired API key" }, 403, port);
+        }
+      }
+    }
     if (path === "/api/tasks" && method === "GET") {
       try {
         const filter = {};
         const status = url.searchParams.get("status");
         const priority = url.searchParams.get("priority");
         const projectId = url.searchParams.get("project_id");
+        const planId = url.searchParams.get("plan_id");
         if (status)
           filter.status = status;
         if (priority)
           filter.priority = priority;
         if (projectId)
           filter.project_id = projectId;
+        if (planId)
+          filter.plan_id = planId;
         const tasks = listTasks(filter);
         const projectCache = new Map;
         const planCache = new Map;
@@ -8466,6 +8550,39 @@ function createFetchHandler(getPort, dashboardDir, dashboardExists) {
         return json({ error: e instanceof Error ? e.message : "Failed to delete plan" }, 500, port);
       }
     }
+    const projectGetMatch = path.match(/^\/api\/projects\/([^/]+)$/);
+    if (projectGetMatch && method === "GET") {
+      try {
+        const id = projectGetMatch[1];
+        const project = getProject(id);
+        if (!project)
+          return json({ error: "Project not found" }, 404, port);
+        return json(project, 200, port);
+      } catch (e) {
+        return json({ error: e instanceof Error ? e.message : "Failed to get project" }, 500, port);
+      }
+    }
+    const projectPatchMatch = path.match(/^\/api\/projects\/([^/]+)$/);
+    if (projectPatchMatch && method === "PATCH") {
+      try {
+        const id = projectPatchMatch[1];
+        const contentLength = parseInt(req.headers.get("content-length") || "0", 10);
+        if (contentLength > MAX_BODY_SIZE)
+          return json({ error: "Request body too large" }, 413, port);
+        const body = await parseJsonBody(req);
+        if (!body)
+          return json({ error: "Invalid JSON" }, 400, port);
+        const project = updateProject(id, {
+          name: typeof body.name === "string" ? body.name : undefined,
+          description: typeof body.description === "string" ? body.description : body.description === null ? "" : undefined,
+          task_list_id: typeof body.task_list_id === "string" ? body.task_list_id : body.task_list_id === null ? "" : undefined
+        });
+        return json(project, 200, port);
+      } catch (e) {
+        const status = e instanceof Error && e.name === "ProjectNotFoundError" ? 404 : 500;
+        return json({ error: e instanceof Error ? e.message : "Failed to update project" }, status, port);
+      }
+    }
     const projectDeleteMatch = path.match(/^\/api\/projects\/([^/]+)$/);
     if (projectDeleteMatch && method === "DELETE") {
       try {
@@ -8478,12 +8595,61 @@ function createFetchHandler(getPort, dashboardDir, dashboardExists) {
         return json({ error: e instanceof Error ? e.message : "Failed to delete project" }, 500, port);
       }
     }
+    if (path === "/api/keys" && method === "GET") {
+      try {
+        const keys = listApiKeys();
+        return json(keys, 200, port);
+      } catch (e) {
+        return json({ error: e instanceof Error ? e.message : "Failed to list API keys" }, 500, port);
+      }
+    }
+    if (path === "/api/keys" && method === "POST") {
+      try {
+        const contentLength = parseInt(req.headers.get("content-length") || "0", 10);
+        if (contentLength > MAX_BODY_SIZE)
+          return json({ error: "Request body too large" }, 413, port);
+        const body = await parseJsonBody(req);
+        if (!body)
+          return json({ error: "Invalid JSON" }, 400, port);
+        if (!body.name || typeof body.name !== "string") {
+          return json({ error: "Missing required field: name" }, 400, port);
+        }
+        const parsed = createApiKeySchema.safeParse(body);
+        if (!parsed.success) {
+          return json({ error: "Invalid request body" }, 400, port);
+        }
+        const apiKey = await createApiKey(parsed.data);
+        return json(apiKey, 201, port);
+      } catch (e) {
+        return json({ error: e instanceof Error ? e.message : "Failed to create API key" }, 500, port);
+      }
+    }
+    const keyDeleteMatch = path.match(/^\/api\/keys\/([^/]+)$/);
+    if (keyDeleteMatch && method === "DELETE") {
+      try {
+        const id = keyDeleteMatch[1];
+        const deleted = deleteApiKey(id);
+        if (!deleted)
+          return json({ error: "API key not found" }, 404, port);
+        return json({ deleted: true }, 200, port);
+      } catch (e) {
+        return json({ error: e instanceof Error ? e.message : "Failed to delete API key" }, 500, port);
+      }
+    }
+    if (path === "/api/keys/status" && method === "GET") {
+      try {
+        const enabled = hasAnyApiKeys();
+        return json({ auth_enabled: enabled }, 200, port);
+      } catch (e) {
+        return json({ error: e instanceof Error ? e.message : "Failed to check auth status" }, 500, port);
+      }
+    }
     if (method === "OPTIONS") {
       return new Response(null, {
         headers: {
           "Access-Control-Allow-Origin": `http://localhost:${port}`,
           "Access-Control-Allow-Methods": "GET, POST, PATCH, DELETE, OPTIONS",
-          "Access-Control-Allow-Headers": "Content-Type"
+          "Access-Control-Allow-Headers": "Content-Type, Authorization"
         }
       });
     }
@@ -8559,7 +8725,7 @@ Dashboard not found at: ${dashboardDir}`);
   }
   return server2;
 }
-var MIME_TYPES, SECURITY_HEADERS, MAX_BODY_SIZE, createTaskSchema, updateTaskSchema, createProjectSchema, createCommentSchema, createPlanSchema, updatePlanSchema, agentSchema;
+var MIME_TYPES, SECURITY_HEADERS, MAX_BODY_SIZE, createTaskSchema, updateTaskSchema, createProjectSchema, createCommentSchema, createPlanSchema, updatePlanSchema, createApiKeySchema, agentSchema;
 var init_serve = __esm(() => {
   init_zod();
   init_tasks();
@@ -8567,6 +8733,7 @@ var init_serve = __esm(() => {
   init_plans();
   init_database();
   init_comments();
+  init_api_keys();
   init_search();
   MIME_TYPES = {
     ".html": "text/html; charset=utf-8",
@@ -8630,6 +8797,10 @@ var init_serve = __esm(() => {
     description: exports_external.string().optional(),
     status: exports_external.enum(["active", "completed", "archived"]).optional()
   });
+  createApiKeySchema = exports_external.object({
+    name: exports_external.string(),
+    expires_at: exports_external.string().optional()
+  });
   agentSchema = exports_external.object({
     agent_id: exports_external.string().optional()
   });

package/dist/index.d.ts

@@ -178,6 +178,25 @@ export interface CreateSessionInput {
   metadata?: Record<string, unknown>;
 }
 
+// API Key
+export interface ApiKey {
+  id: string;
+  name: string;
+  key_prefix: string;
+  created_at: string;
+  last_used_at: string | null;
+  expires_at: string | null;
+}
+
+export interface ApiKeyWithSecret extends ApiKey {
+  key: string; // full key, only returned on creation
+}
+
+export interface CreateApiKeyInput {
+  name: string;
+  expires_at?: string;
+}
+
 // DB row types (raw from SQLite - JSON fields are strings)
 export interface TaskRow {
   id: string;

package/dist/index.js

@@ -164,6 +164,19 @@ var MIGRATIONS = [
   ALTER TABLE tasks ADD COLUMN plan_id TEXT REFERENCES plans(id) ON DELETE SET NULL;
   CREATE INDEX IF NOT EXISTS idx_tasks_plan ON tasks(plan_id);
   INSERT OR IGNORE INTO _migrations (id) VALUES (4);
+  `,
+  `
+  CREATE TABLE IF NOT EXISTS api_keys (
+    id TEXT PRIMARY KEY,
+    name TEXT NOT NULL,
+    key_hash TEXT NOT NULL UNIQUE,
+    key_prefix TEXT NOT NULL,
+    created_at TEXT NOT NULL DEFAULT (datetime('now')),
+    last_used_at TEXT,
+    expires_at TEXT
+  );
+  CREATE INDEX IF NOT EXISTS idx_api_keys_hash ON api_keys(key_hash);
+  INSERT OR IGNORE INTO _migrations (id) VALUES (5);
   `
 ];
 var _db = null;
@@ -858,6 +871,56 @@ function deleteSession(id, db) {
   const result = d.run("DELETE FROM sessions WHERE id = ?", [id]);
   return result.changes > 0;
 }
+// src/db/api-keys.ts
+function generateApiKey() {
+  const bytes = new Uint8Array(32);
+  crypto.getRandomValues(bytes);
+  return "td_" + Array.from(bytes).map((b) => b.toString(16).padStart(2, "0")).join("");
+}
+async function hashKey(key) {
+  const encoder = new TextEncoder;
+  const data = encoder.encode(key);
+  const hash = await crypto.subtle.digest("SHA-256", data);
+  return Array.from(new Uint8Array(hash)).map((b) => b.toString(16).padStart(2, "0")).join("");
+}
+async function createApiKey(input, db) {
+  const d = db || getDatabase();
+  const id = uuid();
+  const timestamp = now();
+  const key = generateApiKey();
+  const keyHash = await hashKey(key);
+  const keyPrefix = key.slice(0, 10) + "...";
+  d.run(`INSERT INTO api_keys (id, name, key_hash, key_prefix, created_at, expires_at)
+     VALUES (?, ?, ?, ?, ?, ?)`, [id, input.name, keyHash, keyPrefix, timestamp, input.expires_at || null]);
+  const row = d.query("SELECT id, name, key_prefix, created_at, last_used_at, expires_at FROM api_keys WHERE id = ?").get(id);
+  return { ...row, key };
+}
+function listApiKeys(db) {
+  const d = db || getDatabase();
+  return d.query("SELECT id, name, key_prefix, created_at, last_used_at, expires_at FROM api_keys ORDER BY created_at DESC").all();
+}
+function deleteApiKey(id, db) {
+  const d = db || getDatabase();
+  const result = d.run("DELETE FROM api_keys WHERE id = ?", [id]);
+  return result.changes > 0;
+}
+async function validateApiKey(key, db) {
+  const d = db || getDatabase();
+  const keyHash = await hashKey(key);
+  const row = d.query("SELECT id, name, key_prefix, created_at, last_used_at, expires_at FROM api_keys WHERE key_hash = ?").get(keyHash);
+  if (!row)
+    return null;
+  if (row.expires_at && new Date(row.expires_at) < new Date) {
+    return null;
+  }
+  d.run("UPDATE api_keys SET last_used_at = ? WHERE id = ?", [now(), row.id]);
+  return row;
+}
+function hasAnyApiKeys(db) {
+  const d = db || getDatabase();
+  const row = d.query("SELECT COUNT(*) as count FROM api_keys").get();
+  return (row?.count ?? 0) > 0;
+}
 // src/lib/search.ts
 function rowToTask2(row) {
   return {
@@ -1468,6 +1531,7 @@ function syncWithAgents(agents, taskListIdByAgent, projectId, direction = "both"
   return { pushed, pulled, errors };
 }
 export {
+  validateApiKey,
   updateTask,
   updateSessionActivity,
   updateProject,
@@ -1488,6 +1552,8 @@ export {
   listProjects,
   listPlans,
   listComments,
+  listApiKeys,
+  hasAnyApiKeys,
   getTaskWithRelations,
   getTaskDependents,
   getTaskDependencies,
@@ -1504,11 +1570,13 @@ export {
   deleteProject,
   deletePlan,
   deleteComment,
+  deleteApiKey,
   defaultSyncAgents,
   createTask,
   createSession,
   createProject,
   createPlan,
+  createApiKey,
   completeTask,
   closeDatabase,
   addDependency,

package/dist/mcp/index.js

@@ -4206,6 +4206,19 @@ var MIGRATIONS = [
   ALTER TABLE tasks ADD COLUMN plan_id TEXT REFERENCES plans(id) ON DELETE SET NULL;
   CREATE INDEX IF NOT EXISTS idx_tasks_plan ON tasks(plan_id);
   INSERT OR IGNORE INTO _migrations (id) VALUES (4);
+  `,
+  `
+  CREATE TABLE IF NOT EXISTS api_keys (
+    id TEXT PRIMARY KEY,
+    name TEXT NOT NULL,
+    key_hash TEXT NOT NULL UNIQUE,
+    key_prefix TEXT NOT NULL,
+    created_at TEXT NOT NULL DEFAULT (datetime('now')),
+    last_used_at TEXT,
+    expires_at TEXT
+  );
+  CREATE INDEX IF NOT EXISTS idx_api_keys_hash ON api_keys(key_hash);
+  INSERT OR IGNORE INTO _migrations (id) VALUES (5);
   `
 ];
 var _db = null;

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@hasna/todos",
-  "version": "0.4.1",
+  "version": "0.5.1",
   "description": "Universal task management for AI coding agents - CLI + MCP server + interactive TUI",
   "type": "module",
   "main": "dist/index.js",