@hasna/todos 0.5.1 → 0.6.1

package/dist/cli/index.js

@@ -2332,6 +2332,36 @@ var init_database = __esm(() => {
   );
   CREATE INDEX IF NOT EXISTS idx_api_keys_hash ON api_keys(key_hash);
   INSERT OR IGNORE INTO _migrations (id) VALUES (5);
+  `,
+    `
+  CREATE TABLE IF NOT EXISTS audit_log (
+    id TEXT PRIMARY KEY,
+    entity_type TEXT NOT NULL CHECK(entity_type IN ('task', 'plan', 'project', 'api_key', 'comment')),
+    entity_id TEXT NOT NULL,
+    action TEXT NOT NULL CHECK(action IN ('create', 'update', 'delete', 'start', 'complete', 'lock', 'unlock')),
+    actor TEXT,
+    changes TEXT,
+    created_at TEXT NOT NULL DEFAULT (datetime('now'))
+  );
+  CREATE INDEX IF NOT EXISTS idx_audit_entity ON audit_log(entity_type, entity_id);
+  CREATE INDEX IF NOT EXISTS idx_audit_created ON audit_log(created_at);
+
+  CREATE TABLE IF NOT EXISTS webhooks (
+    id TEXT PRIMARY KEY,
+    url TEXT NOT NULL,
+    events TEXT NOT NULL DEFAULT '[]',
+    secret TEXT,
+    active INTEGER NOT NULL DEFAULT 1,
+    created_at TEXT NOT NULL DEFAULT (datetime('now'))
+  );
+
+  CREATE TABLE IF NOT EXISTS rate_limits (
+    key TEXT PRIMARY KEY,
+    count INTEGER NOT NULL DEFAULT 0,
+    window_start TEXT NOT NULL DEFAULT (datetime('now'))
+  );
+
+  INSERT OR IGNORE INTO _migrations (id) VALUES (6);
   `
   ];
 });
@@ -2539,9 +2569,12 @@ function listTasks(filter = {}, db) {
     params.push(filter.plan_id);
   }
   const where = conditions.length > 0 ? `WHERE ${conditions.join(" AND ")}` : "";
+  const limitVal = filter.limit || 100;
+  const offsetVal = filter.offset || 0;
+  params.push(limitVal, offsetVal);
   const rows = d.query(`SELECT * FROM tasks ${where} ORDER BY
        CASE priority WHEN 'critical' THEN 0 WHEN 'high' THEN 1 WHEN 'medium' THEN 2 WHEN 'low' THEN 3 END,
-       created_at DESC`).all(...params);
+       created_at DESC LIMIT ? OFFSET ?`).all(...params);
   return rows.map(rowToTask);
 }
 function updateTask(id, input, db) {
@@ -8082,6 +8115,163 @@ var init_api_keys = __esm(() => {
   init_database();
 });
 
+// src/db/audit.ts
+function rowToEntry(row) {
+  return {
+    ...row,
+    changes: row.changes ? JSON.parse(row.changes) : null
+  };
+}
+function logAudit(entityType, entityId, action, actor, changes, db) {
+  const d = db || getDatabase();
+  d.run(`INSERT INTO audit_log (id, entity_type, entity_id, action, actor, changes, created_at)
+     VALUES (?, ?, ?, ?, ?, ?, ?)`, [uuid(), entityType, entityId, action, actor || null, changes ? JSON.stringify(changes) : null, now()]);
+}
+function getAuditLog(entityType, entityId, limit = 50, offset = 0, db) {
+  const d = db || getDatabase();
+  const conditions = [];
+  const params = [];
+  if (entityType) {
+    conditions.push("entity_type = ?");
+    params.push(entityType);
+  }
+  if (entityId) {
+    conditions.push("entity_id = ?");
+    params.push(entityId);
+  }
+  const where = conditions.length > 0 ? `WHERE ${conditions.join(" AND ")}` : "";
+  params.push(limit, offset);
+  const rows = d.query(`SELECT * FROM audit_log ${where} ORDER BY created_at DESC LIMIT ? OFFSET ?`).all(...params);
+  return rows.map(rowToEntry);
+}
+var init_audit = __esm(() => {
+  init_database();
+});
+
+// src/db/webhooks.ts
+function rowToWebhook(row) {
+  return {
+    ...row,
+    events: JSON.parse(row.events),
+    active: row.active === 1
+  };
+}
+function createWebhook(input, db) {
+  const d = db || getDatabase();
+  const id = uuid();
+  d.run(`INSERT INTO webhooks (id, url, events, secret, created_at)
+     VALUES (?, ?, ?, ?, ?)`, [id, input.url, JSON.stringify(input.events || []), input.secret || null, now()]);
+  return getWebhook(id, d);
+}
+function getWebhook(id, db) {
+  const d = db || getDatabase();
+  const row = d.query("SELECT * FROM webhooks WHERE id = ?").get(id);
+  return row ? rowToWebhook(row) : null;
+}
+function listWebhooks(db) {
+  const d = db || getDatabase();
+  return d.query("SELECT * FROM webhooks ORDER BY created_at DESC").all().map(rowToWebhook);
+}
+function deleteWebhook(id, db) {
+  const d = db || getDatabase();
+  return d.run("DELETE FROM webhooks WHERE id = ?", [id]).changes > 0;
+}
+async function dispatchWebhooks(event, payload, db) {
+  const d = db || getDatabase();
+  const rows = d.query("SELECT * FROM webhooks WHERE active = 1").all();
+  const webhooks = rows.map(rowToWebhook).filter((w) => w.events.length === 0 || w.events.includes(event));
+  for (const webhook of webhooks) {
+    try {
+      const headers = { "Content-Type": "application/json" };
+      if (webhook.secret) {
+        const encoder = new TextEncoder;
+        const key = await crypto.subtle.importKey("raw", encoder.encode(webhook.secret), { name: "HMAC", hash: "SHA-256" }, false, ["sign"]);
+        const body = JSON.stringify({ event, data: payload, timestamp: now() });
+        const sig = await crypto.subtle.sign("HMAC", key, encoder.encode(body));
+        headers["X-Webhook-Signature"] = Array.from(new Uint8Array(sig)).map((b) => b.toString(16).padStart(2, "0")).join("");
+        fetch(webhook.url, {
+          method: "POST",
+          headers,
+          body
+        }).catch(() => {});
+      } else {
+        fetch(webhook.url, {
+          method: "POST",
+          headers,
+          body: JSON.stringify({ event, data: payload, timestamp: now() })
+        }).catch(() => {});
+      }
+    } catch {}
+  }
+}
+var init_webhooks = __esm(() => {
+  init_database();
+});
+
+// src/lib/rate-limit.ts
+function cleanup() {
+  const now2 = Date.now();
+  if (now2 - lastCleanup < CLEANUP_INTERVAL)
+    return;
+  lastCleanup = now2;
+  for (const [key, entry] of windows) {
+    if (entry.resetAt < now2)
+      windows.delete(key);
+  }
+}
+function checkRateLimit(key, maxRequests, windowMs) {
+  cleanup();
+  const now2 = Date.now();
+  const entry = windows.get(key);
+  if (!entry || entry.resetAt < now2) {
+    windows.set(key, { count: 1, resetAt: now2 + windowMs });
+    return { allowed: true, remaining: maxRequests - 1, resetAt: now2 + windowMs };
+  }
+  entry.count++;
+  if (entry.count > maxRequests) {
+    return { allowed: false, remaining: 0, resetAt: entry.resetAt };
+  }
+  return { allowed: true, remaining: maxRequests - entry.count, resetAt: entry.resetAt };
+}
+var windows, CLEANUP_INTERVAL = 60000, lastCleanup;
+var init_rate_limit = __esm(() => {
+  windows = new Map;
+  lastCleanup = Date.now();
+});
+
+// src/lib/env.ts
+import { existsSync as existsSync6, readFileSync as readFileSync2 } from "fs";
+import { join as join6 } from "path";
+function loadEnv() {
+  const paths = [
+    join6(process.cwd(), ".env"),
+    join6(process.cwd(), ".env.local")
+  ];
+  for (const path of paths) {
+    if (!existsSync6(path))
+      continue;
+    const content = readFileSync2(path, "utf-8");
+    for (const line of content.split(`
+`)) {
+      const trimmed = line.trim();
+      if (!trimmed || trimmed.startsWith("#"))
+        continue;
+      const eqIdx = trimmed.indexOf("=");
+      if (eqIdx === -1)
+        continue;
+      const key = trimmed.slice(0, eqIdx).trim();
+      let value = trimmed.slice(eqIdx + 1).trim();
+      if (value.startsWith('"') && value.endsWith('"') || value.startsWith("'") && value.endsWith("'")) {
+        value = value.slice(1, -1);
+      }
+      if (!process.env[key]) {
+        process.env[key] = value;
+      }
+    }
+  }
+}
+var init_env = () => {};
+
 // src/server/serve.ts
 var exports_serve = {};
 __export(exports_serve, {
@@ -8089,27 +8279,27 @@ __export(exports_serve, {
   createFetchHandler: () => createFetchHandler
 });
 import { execSync } from "child_process";
-import { existsSync as existsSync6, readFileSync as readFileSync2 } from "fs";
-import { join as join6, dirname as dirname2, extname } from "path";
+import { existsSync as existsSync7, readFileSync as readFileSync3 } from "fs";
+import { join as join7, dirname as dirname2, extname } from "path";
 import { fileURLToPath } from "url";
 function resolveDashboardDir() {
   const candidates = [];
   try {
     const scriptDir = dirname2(fileURLToPath(import.meta.url));
-    candidates.push(join6(scriptDir, "..", "dashboard", "dist"));
-    candidates.push(join6(scriptDir, "..", "..", "dashboard", "dist"));
+    candidates.push(join7(scriptDir, "..", "dashboard", "dist"));
+    candidates.push(join7(scriptDir, "..", "..", "dashboard", "dist"));
   } catch {}
   if (process.argv[1]) {
     const mainDir = dirname2(process.argv[1]);
-    candidates.push(join6(mainDir, "..", "dashboard", "dist"));
-    candidates.push(join6(mainDir, "..", "..", "dashboard", "dist"));
+    candidates.push(join7(mainDir, "..", "dashboard", "dist"));
+    candidates.push(join7(mainDir, "..", "..", "dashboard", "dist"));
   }
-  candidates.push(join6(process.cwd(), "dashboard", "dist"));
+  candidates.push(join7(process.cwd(), "dashboard", "dist"));
   for (const candidate of candidates) {
-    if (existsSync6(candidate))
+    if (existsSync7(candidate))
       return candidate;
   }
-  return join6(process.cwd(), "dashboard", "dist");
+  return join7(process.cwd(), "dashboard", "dist");
 }
 function randomPort() {
   return 20000 + Math.floor(Math.random() * 20000);
@@ -8126,8 +8316,8 @@ function json(data, status = 200, port) {
 }
 function getPackageVersion() {
   try {
-    const pkgPath = join6(dirname2(fileURLToPath(import.meta.url)), "..", "..", "package.json");
-    return JSON.parse(readFileSync2(pkgPath, "utf-8")).version || "0.0.0";
+    const pkgPath = join7(dirname2(fileURLToPath(import.meta.url)), "..", "..", "package.json");
+    return JSON.parse(readFileSync3(pkgPath, "utf-8")).version || "0.0.0";
   } catch {
     return "0.0.0";
   }
@@ -8140,7 +8330,7 @@ async function parseJsonBody(req) {
   }
 }
 function serveStaticFile(filePath) {
-  if (!existsSync6(filePath))
+  if (!existsSync7(filePath))
     return null;
   const ext = extname(filePath);
   const contentType = MIME_TYPES[ext] || "application/octet-stream";
@@ -8149,8 +8339,9 @@ function serveStaticFile(filePath) {
   });
 }
 function createFetchHandler(getPort, dashboardDir, dashboardExists) {
+  loadEnv();
   const dir = dashboardDir || resolveDashboardDir();
-  const hasDashboard = dashboardExists ?? existsSync6(dir);
+  const hasDashboard = dashboardExists ?? existsSync7(dir);
   return async (req) => {
     const url = new URL(req.url);
     let path = url.pathname;
@@ -8162,17 +8353,37 @@ function createFetchHandler(getPort, dashboardDir, dashboardExists) {
     if (path.startsWith("/api/") && !path.startsWith("/api/system/") && !path.startsWith("/api/keys")) {
       const hasKeys = hasAnyApiKeys();
       if (hasKeys) {
-        const authHeader = req.headers.get("authorization");
-        const apiKey = authHeader?.startsWith("Bearer ") ? authHeader.slice(7) : null;
-        if (!apiKey) {
-          return json({ error: "API key required. Pass via Authorization: Bearer <key>" }, 401, port);
-        }
-        const valid = await validateApiKey(apiKey);
-        if (!valid) {
-          return json({ error: "Invalid or expired API key" }, 403, port);
+        const origin = req.headers.get("origin") || "";
+        const referer = req.headers.get("referer") || "";
+        const isSameOrigin = origin.includes(`localhost:${port}`) || referer.includes(`localhost:${port}`);
+        if (!isSameOrigin) {
+          const authHeader = req.headers.get("authorization");
+          const apiKey = authHeader?.startsWith("Bearer ") ? authHeader.slice(7) : null;
+          if (!apiKey) {
+            return json({ error: "API key required. Pass via Authorization: Bearer <key>" }, 401, port);
+          }
+          const valid = await validateApiKey(apiKey);
+          if (!valid) {
+            return json({ error: "Invalid or expired API key" }, 403, port);
+          }
         }
       }
     }
+    if (path.startsWith("/api/")) {
+      const rateLimitKey = req.headers.get("authorization") || req.headers.get("x-forwarded-for") || "anonymous";
+      const rateResult = checkRateLimit(rateLimitKey, 100, 60000);
+      if (!rateResult.allowed) {
+        return new Response(JSON.stringify({ error: "Rate limit exceeded. Try again later." }), {
+          status: 429,
+          headers: {
+            "Content-Type": "application/json",
+            "Retry-After": String(Math.ceil((rateResult.resetAt - Date.now()) / 1000)),
+            "X-RateLimit-Remaining": "0",
+            ...SECURITY_HEADERS
+          }
+        });
+      }
+    }
     if (path === "/api/tasks" && method === "GET") {
       try {
         const filter = {};
@@ -8188,6 +8399,12 @@ function createFetchHandler(getPort, dashboardDir, dashboardExists) {
           filter.project_id = projectId;
         if (planId)
           filter.plan_id = planId;
+        const limit = parseInt(url.searchParams.get("limit") || "100", 10);
+        const offset = parseInt(url.searchParams.get("offset") || "0", 10);
+        if (limit)
+          filter.limit = Math.min(limit, 500);
+        if (offset)
+          filter.offset = offset;
         const tasks = listTasks(filter);
         const projectCache = new Map;
         const planCache = new Map;
@@ -8265,6 +8482,8 @@ function createFetchHandler(getPort, dashboardDir, dashboardExists) {
           agent_id: parsed.data.agent_id,
           status: parsed.data.status
         });
+        logAudit("task", task.id, "create", parsed.data.agent_id);
+        dispatchWebhooks("task.created", task);
         return json(task, 201, port);
       } catch (e) {
         return json({ error: e instanceof Error ? e.message : "Failed to create task" }, 500, port);
@@ -8298,6 +8517,8 @@ function createFetchHandler(getPort, dashboardDir, dashboardExists) {
           tags: parsed.data.tags,
           metadata: parsed.data.metadata
         });
+        logAudit("task", id, "update", undefined, parsed.data);
+        dispatchWebhooks("task.updated", task);
         return json(task, 200, port);
       } catch (e) {
         const status = e instanceof Error && e.name === "VersionConflictError" ? 409 : 500;
@@ -8311,6 +8532,8 @@ function createFetchHandler(getPort, dashboardDir, dashboardExists) {
         const deleted = deleteTask(id);
         if (!deleted)
           return json({ error: "Task not found" }, 404, port);
+        logAudit("task", id, "delete");
+        dispatchWebhooks("task.deleted", { id });
         return json({ deleted: true }, 200, port);
       } catch (e) {
         return json({ error: e instanceof Error ? e.message : "Failed to delete task" }, 500, port);
@@ -8328,6 +8551,7 @@ function createFetchHandler(getPort, dashboardDir, dashboardExists) {
           return json({ error: "Invalid request body" }, 400, port);
         const agentId = parsed.data.agent_id || "dashboard";
         const task = startTask(id, agentId);
+        logAudit("task", id, "start", agentId);
         return json(task, 200, port);
       } catch (e) {
         const status = e instanceof Error && e.name === "TaskNotFoundError" ? 404 : e instanceof Error && e.name === "LockError" ? 409 : 500;
@@ -8346,6 +8570,7 @@ function createFetchHandler(getPort, dashboardDir, dashboardExists) {
           return json({ error: "Invalid request body" }, 400, port);
         const agentId = parsed.data.agent_id;
         const task = completeTask(id, agentId);
+        logAudit("task", id, "complete", agentId);
         return json(task, 200, port);
       } catch (e) {
         const status = e instanceof Error && e.name === "TaskNotFoundError" ? 404 : e instanceof Error && e.name === "LockError" ? 409 : 500;
@@ -8419,6 +8644,7 @@ function createFetchHandler(getPort, dashboardDir, dashboardExists) {
           description: parsed.data.description,
           task_list_id: parsed.data.task_list_id
         });
+        logAudit("project", project.id, "create");
         return json(project, 201, port);
       } catch (e) {
         return json({ error: e instanceof Error ? e.message : "Failed to create project" }, 500, port);
@@ -8500,6 +8726,8 @@ function createFetchHandler(getPort, dashboardDir, dashboardExists) {
           return json({ error: "Invalid request body" }, 400, port);
         }
         const plan = createPlan(parsed.data);
+        logAudit("plan", plan.id, "create");
+        dispatchWebhooks("plan.created", plan);
         return json(plan, 201, port);
       } catch (e) {
         return json({ error: e instanceof Error ? e.message : "Failed to create plan" }, 500, port);
@@ -8532,6 +8760,7 @@ function createFetchHandler(getPort, dashboardDir, dashboardExists) {
           return json({ error: "Invalid request body" }, 400, port);
         }
         const plan = updatePlan(id, parsed.data);
+        logAudit("plan", id, "update", undefined, parsed.data);
         return json(plan, 200, port);
       } catch (e) {
         const status = e instanceof Error && e.name === "PlanNotFoundError" ? 404 : 500;
@@ -8545,6 +8774,7 @@ function createFetchHandler(getPort, dashboardDir, dashboardExists) {
         const deleted = deletePlan(id);
         if (!deleted)
           return json({ error: "Plan not found" }, 404, port);
+        logAudit("plan", id, "delete");
         return json({ deleted: true }, 200, port);
       } catch (e) {
         return json({ error: e instanceof Error ? e.message : "Failed to delete plan" }, 500, port);
@@ -8619,6 +8849,7 @@ function createFetchHandler(getPort, dashboardDir, dashboardExists) {
           return json({ error: "Invalid request body" }, 400, port);
         }
         const apiKey = await createApiKey(parsed.data);
+        logAudit("api_key", apiKey.id, "create");
         return json(apiKey, 201, port);
       } catch (e) {
         return json({ error: e instanceof Error ? e.message : "Failed to create API key" }, 500, port);
@@ -8644,6 +8875,56 @@ function createFetchHandler(getPort, dashboardDir, dashboardExists) {
         return json({ error: e instanceof Error ? e.message : "Failed to check auth status" }, 500, port);
       }
     }
+    if (path === "/api/audit" && method === "GET") {
+      try {
+        const entityType = url.searchParams.get("entity_type") || undefined;
+        const entityId = url.searchParams.get("entity_id") || undefined;
+        const limit = parseInt(url.searchParams.get("limit") || "50", 10);
+        const offset = parseInt(url.searchParams.get("offset") || "0", 10);
+        const entries = getAuditLog(entityType, entityId, Math.min(limit, 200), offset);
+        return json(entries, 200, port);
+      } catch (e) {
+        return json({ error: e instanceof Error ? e.message : "Failed to get audit log" }, 500, port);
+      }
+    }
+    if (path === "/api/webhooks" && method === "GET") {
+      try {
+        const webhooks = listWebhooks();
+        return json(webhooks, 200, port);
+      } catch (e) {
+        return json({ error: e instanceof Error ? e.message : "Failed to list webhooks" }, 500, port);
+      }
+    }
+    if (path === "/api/webhooks" && method === "POST") {
+      try {
+        const body = await parseJsonBody(req);
+        if (!body)
+          return json({ error: "Invalid JSON" }, 400, port);
+        if (!body.url || typeof body.url !== "string") {
+          return json({ error: "Missing required field: url" }, 400, port);
+        }
+        const webhook = createWebhook({
+          url: body.url,
+          events: Array.isArray(body.events) ? body.events : undefined,
+          secret: typeof body.secret === "string" ? body.secret : undefined
+        });
+        return json(webhook, 201, port);
+      } catch (e) {
+        return json({ error: e instanceof Error ? e.message : "Failed to create webhook" }, 500, port);
+      }
+    }
+    const webhookDeleteMatch = path.match(/^\/api\/webhooks\/([^/]+)$/);
+    if (webhookDeleteMatch && method === "DELETE") {
+      try {
+        const id = webhookDeleteMatch[1];
+        const deleted = deleteWebhook(id);
+        if (!deleted)
+          return json({ error: "Webhook not found" }, 404, port);
+        return json({ deleted: true }, 200, port);
+      } catch (e) {
+        return json({ error: e instanceof Error ? e.message : "Failed to delete webhook" }, 500, port);
+      }
+    }
     if (method === "OPTIONS") {
       return new Response(null, {
         headers: {
@@ -8655,12 +8936,12 @@ function createFetchHandler(getPort, dashboardDir, dashboardExists) {
     }
     if (hasDashboard && (method === "GET" || method === "HEAD")) {
       if (path !== "/") {
-        const filePath = join6(dir, path);
+        const filePath = join7(dir, path);
         const res2 = serveStaticFile(filePath);
         if (res2)
           return res2;
       }
-      const indexPath = join6(dir, "index.html");
+      const indexPath = join7(dir, "index.html");
       const res = serveStaticFile(indexPath);
       if (res)
         return res;
@@ -8671,7 +8952,7 @@ function createFetchHandler(getPort, dashboardDir, dashboardExists) {
 async function startServer(port, options) {
   const shouldOpen = options?.open ?? true;
   const dashboardDir = resolveDashboardDir();
-  const dashboardExists = existsSync6(dashboardDir);
+  const dashboardExists = existsSync7(dashboardDir);
   if (!dashboardExists) {
     console.error(`
 Dashboard not found at: ${dashboardDir}`);
@@ -8735,6 +9016,10 @@ var init_serve = __esm(() => {
   init_comments();
   init_api_keys();
   init_search();
+  init_audit();
+  init_webhooks();
+  init_rate_limit();
+  init_env();
   MIME_TYPES = {
     ".html": "text/html; charset=utf-8",
     ".js": "application/javascript",
@@ -9890,13 +10175,13 @@ init_sync();
 init_config();
 import chalk from "chalk";
 import { execSync as execSync2 } from "child_process";
-import { existsSync as existsSync7, mkdirSync as mkdirSync3, readFileSync as readFileSync3, writeFileSync as writeFileSync2 } from "fs";
-import { basename, dirname as dirname3, join as join7, resolve as resolve2 } from "path";
+import { existsSync as existsSync8, mkdirSync as mkdirSync3, readFileSync as readFileSync4, writeFileSync as writeFileSync2 } from "fs";
+import { basename, dirname as dirname3, join as join8, resolve as resolve2 } from "path";
 import { fileURLToPath as fileURLToPath2 } from "url";
 function getPackageVersion2() {
   try {
-    const pkgPath = join7(dirname3(fileURLToPath2(import.meta.url)), "..", "..", "package.json");
-    return JSON.parse(readFileSync3(pkgPath, "utf-8")).version || "0.0.0";
+    const pkgPath = join8(dirname3(fileURLToPath2(import.meta.url)), "..", "..", "package.json");
+    return JSON.parse(readFileSync4(pkgPath, "utf-8")).version || "0.0.0";
   } catch {
     return "0.0.0";
   }
@@ -10512,8 +10797,8 @@ hooks.command("install").description("Install Claude Code hooks for auto-sync").
     if (p)
       todosBin = p;
   } catch {}
-  const hooksDir = join7(process.cwd(), ".claude", "hooks");
-  if (!existsSync7(hooksDir))
+  const hooksDir = join8(process.cwd(), ".claude", "hooks");
+  if (!existsSync8(hooksDir))
     mkdirSync3(hooksDir, { recursive: true });
   const hookScript = `#!/usr/bin/env bash
 # Auto-generated by: todos hooks install
@@ -10538,11 +10823,11 @@ esac
 
 exit 0
 `;
-  const hookPath = join7(hooksDir, "todos-sync.sh");
+  const hookPath = join8(hooksDir, "todos-sync.sh");
   writeFileSync2(hookPath, hookScript);
   execSync2(`chmod +x "${hookPath}"`);
   console.log(chalk.green(`Hook script created: ${hookPath}`));
-  const settingsPath = join7(process.cwd(), ".claude", "settings.json");
+  const settingsPath = join8(process.cwd(), ".claude", "settings.json");
   const settings = readJsonFile2(settingsPath);
   if (!settings["hooks"]) {
     settings["hooks"] = {};
@@ -10589,40 +10874,40 @@ function getMcpBinaryPath() {
     if (p)
       return p;
   } catch {}
-  const bunBin = join7(HOME2, ".bun", "bin", "todos-mcp");
-  if (existsSync7(bunBin))
+  const bunBin = join8(HOME2, ".bun", "bin", "todos-mcp");
+  if (existsSync8(bunBin))
     return bunBin;
   return "todos-mcp";
 }
 function readJsonFile2(path) {
-  if (!existsSync7(path))
+  if (!existsSync8(path))
     return {};
   try {
-    return JSON.parse(readFileSync3(path, "utf-8"));
+    return JSON.parse(readFileSync4(path, "utf-8"));
   } catch {
     return {};
   }
 }
 function writeJsonFile2(path, data) {
   const dir = dirname3(path);
-  if (!existsSync7(dir))
+  if (!existsSync8(dir))
     mkdirSync3(dir, { recursive: true });
   writeFileSync2(path, JSON.stringify(data, null, 2) + `
 `);
 }
 function readTomlFile(path) {
-  if (!existsSync7(path))
+  if (!existsSync8(path))
     return "";
-  return readFileSync3(path, "utf-8");
+  return readFileSync4(path, "utf-8");
 }
 function writeTomlFile(path, content) {
   const dir = dirname3(path);
-  if (!existsSync7(dir))
+  if (!existsSync8(dir))
     mkdirSync3(dir, { recursive: true });
   writeFileSync2(path, content);
 }
 function registerClaude(binPath, global) {
-  const configPath = global ? join7(HOME2, ".claude", ".mcp.json") : join7(process.cwd(), ".mcp.json");
+  const configPath = global ? join8(HOME2, ".claude", ".mcp.json") : join8(process.cwd(), ".mcp.json");
   const config = readJsonFile2(configPath);
   if (!config["mcpServers"]) {
     config["mcpServers"] = {};
@@ -10637,7 +10922,7 @@ function registerClaude(binPath, global) {
   console.log(chalk.green(`Claude Code (${scope}): registered in ${configPath}`));
 }
 function unregisterClaude(global) {
-  const configPath = global ? join7(HOME2, ".claude", ".mcp.json") : join7(process.cwd(), ".mcp.json");
+  const configPath = global ? join8(HOME2, ".claude", ".mcp.json") : join8(process.cwd(), ".mcp.json");
   const config = readJsonFile2(configPath);
   const servers = config["mcpServers"];
   if (!servers || !("todos" in servers)) {
@@ -10650,7 +10935,7 @@ function unregisterClaude(global) {
   console.log(chalk.green(`Claude Code (${scope}): unregistered from ${configPath}`));
 }
 function registerCodex(binPath) {
-  const configPath = join7(HOME2, ".codex", "config.toml");
+  const configPath = join8(HOME2, ".codex", "config.toml");
   let content = readTomlFile(configPath);
   content = removeTomlBlock(content, "mcp_servers.todos");
   const block = `
@@ -10664,7 +10949,7 @@ args = []
   console.log(chalk.green(`Codex CLI: registered in ${configPath}`));
 }
 function unregisterCodex() {
-  const configPath = join7(HOME2, ".codex", "config.toml");
+  const configPath = join8(HOME2, ".codex", "config.toml");
   let content = readTomlFile(configPath);
   if (!content.includes("[mcp_servers.todos]")) {
     console.log(chalk.dim(`Codex CLI: todos not found in ${configPath}`));
@@ -10697,7 +10982,7 @@ function removeTomlBlock(content, blockName) {
 `);
 }
 function registerGemini(binPath) {
-  const configPath = join7(HOME2, ".gemini", "settings.json");
+  const configPath = join8(HOME2, ".gemini", "settings.json");
   const config = readJsonFile2(configPath);
   if (!config["mcpServers"]) {
     config["mcpServers"] = {};
@@ -10711,7 +10996,7 @@ function registerGemini(binPath) {
   console.log(chalk.green(`Gemini CLI: registered in ${configPath}`));
 }
 function unregisterGemini() {
-  const configPath = join7(HOME2, ".gemini", "settings.json");
+  const configPath = join8(HOME2, ".gemini", "settings.json");
   const config = readJsonFile2(configPath);
   const servers = config["mcpServers"];
   if (!servers || !("todos" in servers)) {

package/dist/index.d.ts

@@ -135,6 +135,8 @@ export interface TaskFilter {
   session_id?: string;
   tags?: string[];
   include_subtasks?: boolean;
+  limit?: number;
+  offset?: number;
 }
 
 // Task dependency

package/dist/index.js

@@ -177,6 +177,36 @@ var MIGRATIONS = [
   );
   CREATE INDEX IF NOT EXISTS idx_api_keys_hash ON api_keys(key_hash);
   INSERT OR IGNORE INTO _migrations (id) VALUES (5);
+  `,
+  `
+  CREATE TABLE IF NOT EXISTS audit_log (
+    id TEXT PRIMARY KEY,
+    entity_type TEXT NOT NULL CHECK(entity_type IN ('task', 'plan', 'project', 'api_key', 'comment')),
+    entity_id TEXT NOT NULL,
+    action TEXT NOT NULL CHECK(action IN ('create', 'update', 'delete', 'start', 'complete', 'lock', 'unlock')),
+    actor TEXT,
+    changes TEXT,
+    created_at TEXT NOT NULL DEFAULT (datetime('now'))
+  );
+  CREATE INDEX IF NOT EXISTS idx_audit_entity ON audit_log(entity_type, entity_id);
+  CREATE INDEX IF NOT EXISTS idx_audit_created ON audit_log(created_at);
+
+  CREATE TABLE IF NOT EXISTS webhooks (
+    id TEXT PRIMARY KEY,
+    url TEXT NOT NULL,
+    events TEXT NOT NULL DEFAULT '[]',
+    secret TEXT,
+    active INTEGER NOT NULL DEFAULT 1,
+    created_at TEXT NOT NULL DEFAULT (datetime('now'))
+  );
+
+  CREATE TABLE IF NOT EXISTS rate_limits (
+    key TEXT PRIMARY KEY,
+    count INTEGER NOT NULL DEFAULT 0,
+    window_start TEXT NOT NULL DEFAULT (datetime('now'))
+  );
+
+  INSERT OR IGNORE INTO _migrations (id) VALUES (6);
   `
 ];
 var _db = null;
@@ -499,9 +529,12 @@ function listTasks(filter = {}, db) {
     params.push(filter.plan_id);
   }
   const where = conditions.length > 0 ? `WHERE ${conditions.join(" AND ")}` : "";
+  const limitVal = filter.limit || 100;
+  const offsetVal = filter.offset || 0;
+  params.push(limitVal, offsetVal);
   const rows = d.query(`SELECT * FROM tasks ${where} ORDER BY
        CASE priority WHEN 'critical' THEN 0 WHEN 'high' THEN 1 WHEN 'medium' THEN 2 WHEN 'low' THEN 3 END,
-       created_at DESC`).all(...params);
+       created_at DESC LIMIT ? OFFSET ?`).all(...params);
   return rows.map(rowToTask);
 }
 function updateTask(id, input, db) {
@@ -1530,6 +1563,91 @@ function syncWithAgents(agents, taskListIdByAgent, projectId, direction = "both"
   }
   return { pushed, pulled, errors };
 }
+// src/db/audit.ts
+function rowToEntry(row) {
+  return {
+    ...row,
+    changes: row.changes ? JSON.parse(row.changes) : null
+  };
+}
+function logAudit(entityType, entityId, action, actor, changes, db) {
+  const d = db || getDatabase();
+  d.run(`INSERT INTO audit_log (id, entity_type, entity_id, action, actor, changes, created_at)
+     VALUES (?, ?, ?, ?, ?, ?, ?)`, [uuid(), entityType, entityId, action, actor || null, changes ? JSON.stringify(changes) : null, now()]);
+}
+function getAuditLog(entityType, entityId, limit = 50, offset = 0, db) {
+  const d = db || getDatabase();
+  const conditions = [];
+  const params = [];
+  if (entityType) {
+    conditions.push("entity_type = ?");
+    params.push(entityType);
+  }
+  if (entityId) {
+    conditions.push("entity_id = ?");
+    params.push(entityId);
+  }
+  const where = conditions.length > 0 ? `WHERE ${conditions.join(" AND ")}` : "";
+  params.push(limit, offset);
+  const rows = d.query(`SELECT * FROM audit_log ${where} ORDER BY created_at DESC LIMIT ? OFFSET ?`).all(...params);
+  return rows.map(rowToEntry);
+}
+// src/db/webhooks.ts
+function rowToWebhook(row) {
+  return {
+    ...row,
+    events: JSON.parse(row.events),
+    active: row.active === 1
+  };
+}
+function createWebhook(input, db) {
+  const d = db || getDatabase();
+  const id = uuid();
+  d.run(`INSERT INTO webhooks (id, url, events, secret, created_at)
+     VALUES (?, ?, ?, ?, ?)`, [id, input.url, JSON.stringify(input.events || []), input.secret || null, now()]);
+  return getWebhook(id, d);
+}
+function getWebhook(id, db) {
+  const d = db || getDatabase();
+  const row = d.query("SELECT * FROM webhooks WHERE id = ?").get(id);
+  return row ? rowToWebhook(row) : null;
+}
+function listWebhooks(db) {
+  const d = db || getDatabase();
+  return d.query("SELECT * FROM webhooks ORDER BY created_at DESC").all().map(rowToWebhook);
+}
+function deleteWebhook(id, db) {
+  const d = db || getDatabase();
+  return d.run("DELETE FROM webhooks WHERE id = ?", [id]).changes > 0;
+}
+async function dispatchWebhooks(event, payload, db) {
+  const d = db || getDatabase();
+  const rows = d.query("SELECT * FROM webhooks WHERE active = 1").all();
+  const webhooks = rows.map(rowToWebhook).filter((w) => w.events.length === 0 || w.events.includes(event));
+  for (const webhook of webhooks) {
+    try {
+      const headers = { "Content-Type": "application/json" };
+      if (webhook.secret) {
+        const encoder = new TextEncoder;
+        const key = await crypto.subtle.importKey("raw", encoder.encode(webhook.secret), { name: "HMAC", hash: "SHA-256" }, false, ["sign"]);
+        const body = JSON.stringify({ event, data: payload, timestamp: now() });
+        const sig = await crypto.subtle.sign("HMAC", key, encoder.encode(body));
+        headers["X-Webhook-Signature"] = Array.from(new Uint8Array(sig)).map((b) => b.toString(16).padStart(2, "0")).join("");
+        fetch(webhook.url, {
+          method: "POST",
+          headers,
+          body
+        }).catch(() => {});
+      } else {
+        fetch(webhook.url, {
+          method: "POST",
+          headers,
+          body: JSON.stringify({ event, data: payload, timestamp: now() })
+        }).catch(() => {});
+      }
+    } catch {}
+  }
+}
 export {
   validateApiKey,
   updateTask,
@@ -1545,8 +1663,10 @@ export {
   resolvePartialId,
   resetDatabase,
   removeDependency,
+  logAudit,
   lockTask,
   loadConfig,
+  listWebhooks,
   listTasks,
   listSessions,
   listProjects,
@@ -1554,6 +1674,7 @@ export {
   listComments,
   listApiKeys,
   hasAnyApiKeys,
+  getWebhook,
   getTaskWithRelations,
   getTaskDependents,
   getTaskDependencies,
@@ -1564,7 +1685,10 @@ export {
   getPlan,
   getDatabase,
   getComment,
+  getAuditLog,
   ensureProject,
+  dispatchWebhooks,
+  deleteWebhook,
   deleteTask,
   deleteSession,
   deleteProject,
@@ -1572,6 +1696,7 @@ export {
   deleteComment,
   deleteApiKey,
   defaultSyncAgents,
+  createWebhook,
   createTask,
   createSession,
   createProject,

package/dist/mcp/index.js

@@ -4219,6 +4219,36 @@ var MIGRATIONS = [
   );
   CREATE INDEX IF NOT EXISTS idx_api_keys_hash ON api_keys(key_hash);
   INSERT OR IGNORE INTO _migrations (id) VALUES (5);
+  `,
+  `
+  CREATE TABLE IF NOT EXISTS audit_log (
+    id TEXT PRIMARY KEY,
+    entity_type TEXT NOT NULL CHECK(entity_type IN ('task', 'plan', 'project', 'api_key', 'comment')),
+    entity_id TEXT NOT NULL,
+    action TEXT NOT NULL CHECK(action IN ('create', 'update', 'delete', 'start', 'complete', 'lock', 'unlock')),
+    actor TEXT,
+    changes TEXT,
+    created_at TEXT NOT NULL DEFAULT (datetime('now'))
+  );
+  CREATE INDEX IF NOT EXISTS idx_audit_entity ON audit_log(entity_type, entity_id);
+  CREATE INDEX IF NOT EXISTS idx_audit_created ON audit_log(created_at);
+
+  CREATE TABLE IF NOT EXISTS webhooks (
+    id TEXT PRIMARY KEY,
+    url TEXT NOT NULL,
+    events TEXT NOT NULL DEFAULT '[]',
+    secret TEXT,
+    active INTEGER NOT NULL DEFAULT 1,
+    created_at TEXT NOT NULL DEFAULT (datetime('now'))
+  );
+
+  CREATE TABLE IF NOT EXISTS rate_limits (
+    key TEXT PRIMARY KEY,
+    count INTEGER NOT NULL DEFAULT 0,
+    window_start TEXT NOT NULL DEFAULT (datetime('now'))
+  );
+
+  INSERT OR IGNORE INTO _migrations (id) VALUES (6);
   `
 ];
 var _db = null;
@@ -4455,9 +4485,12 @@ function listTasks(filter = {}, db) {
     params.push(filter.plan_id);
   }
   const where = conditions.length > 0 ? `WHERE ${conditions.join(" AND ")}` : "";
+  const limitVal = filter.limit || 100;
+  const offsetVal = filter.offset || 0;
+  params.push(limitVal, offsetVal);
   const rows = d.query(`SELECT * FROM tasks ${where} ORDER BY
        CASE priority WHEN 'critical' THEN 0 WHEN 'high' THEN 1 WHEN 'medium' THEN 2 WHEN 'low' THEN 3 END,
-       created_at DESC`).all(...params);
+       created_at DESC LIMIT ? OFFSET ?`).all(...params);
   return rows.map(rowToTask);
 }
 function updateTask(id, input, db) {

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@hasna/todos",
-  "version": "0.5.1",
+  "version": "0.6.1",
   "description": "Universal task management for AI coding agents - CLI + MCP server + interactive TUI",
   "type": "module",
   "main": "dist/index.js",