claude-task-master 0.1.1__py3-none-any.whl → 0.1.3__py3-none-any.whl

claude_task_master/auth/password.py

@@ -0,0 +1,332 @@
+"""Password hashing and verification utilities for Claude Task Master.
+
+This module provides secure password hashing using bcrypt via passlib,
+along with environment variable configuration and password comparison.
+
+Environment Variables:
+    CLAUDETM_PASSWORD: The password for authenticating API/MCP requests.
+    CLAUDETM_PASSWORD_HASH: Pre-hashed password (bcrypt) for production use.
+
+Security Notes:
+    - Always use CLAUDETM_PASSWORD_HASH in production to avoid plaintext passwords in env
+    - Passwords are compared using constant-time comparison to prevent timing attacks
+    - bcrypt automatically handles salting and multiple rounds
+"""
+
+from __future__ import annotations
+
+import logging
+import os
+import secrets
+from typing import TYPE_CHECKING
+
+if TYPE_CHECKING:
+    pass
+
+logger = logging.getLogger(__name__)
+
+# Environment variable names
+ENV_PASSWORD = "CLAUDETM_PASSWORD"
+ENV_PASSWORD_HASH = "CLAUDETM_PASSWORD_HASH"
+
+# =============================================================================
+# Exceptions
+# =============================================================================
+
+
+class AuthenticationError(Exception):
+    """Base exception for authentication errors."""
+
+    pass
+
+
+class PasswordNotConfiguredError(AuthenticationError):
+    """Raised when password authentication is required but not configured."""
+
+    def __init__(self, message: str | None = None) -> None:
+        """Initialize the exception.
+
+        Args:
+            message: Optional custom message. Defaults to standard message.
+        """
+        default_message = (
+            f"Password not configured. Set {ENV_PASSWORD} or {ENV_PASSWORD_HASH} "
+            "environment variable."
+        )
+        super().__init__(message or default_message)
+
+
+class InvalidPasswordError(AuthenticationError):
+    """Raised when password verification fails."""
+
+    def __init__(self, message: str = "Invalid password") -> None:
+        """Initialize the exception.
+
+        Args:
+            message: Custom error message.
+        """
+        super().__init__(message)
+
+
+# =============================================================================
+# Password Hashing
+# =============================================================================
+
+# Try to import passlib for bcrypt hashing
+try:
+    from passlib.context import CryptContext
+
+    # Create a bcrypt context for password hashing
+    # Using bcrypt with default rounds (12) for security
+    _pwd_context: CryptContext | None = CryptContext(
+        schemes=["bcrypt"],
+        deprecated="auto",
+        bcrypt__rounds=12,
+    )
+    PASSLIB_AVAILABLE = True
+except ImportError:
+    _pwd_context = None
+    PASSLIB_AVAILABLE = False
+
+
+def _ensure_passlib() -> None:
+    """Ensure passlib is available, raise ImportError if not.
+
+    Raises:
+        ImportError: If passlib[bcrypt] is not installed.
+    """
+    if not PASSLIB_AVAILABLE:
+        raise ImportError(
+            "passlib[bcrypt] not installed. Install with: "
+            "pip install 'claude-task-master[api]' or pip install 'passlib[bcrypt]'"
+        )
+
+
+def _truncate_password_for_bcrypt(password: str) -> str:
+    """Truncate password to bcrypt's 72-byte limit.
+
+    bcrypt has a fundamental 72-byte password limit. Passwords longer than
+    72 bytes (when UTF-8 encoded) must be truncated. This is done at a
+    character boundary to avoid breaking multi-byte characters.
+
+    Args:
+        password: The password to potentially truncate.
+
+    Returns:
+        The password truncated to at most 72 bytes when UTF-8 encoded.
+    """
+    # Encode to bytes to check actual byte length
+    encoded = password.encode("utf-8")
+    if len(encoded) <= 72:
+        return password
+
+    # Truncate at byte boundary, then decode
+    # We need to be careful not to break a multi-byte character
+    truncated = encoded[:72]
+    # Find the last complete character by decoding with error handling
+    # If truncation breaks a multi-byte character, we need to go back
+    while True:
+        try:
+            return truncated.decode("utf-8")
+        except UnicodeDecodeError:
+            truncated = truncated[:-1]
+            if not truncated:
+                # This shouldn't happen with valid UTF-8 input
+                return password[:72]
+
+
+def hash_password(password: str) -> str:
+    """Hash a password using bcrypt.
+
+    Args:
+        password: The plaintext password to hash.
+
+    Returns:
+        The bcrypt hash of the password.
+
+    Raises:
+        ImportError: If passlib[bcrypt] is not installed.
+        ValueError: If password is empty.
+
+    Note:
+        bcrypt has a 72-byte password limit. Passwords longer than 72 bytes
+        (when UTF-8 encoded) will be truncated. This is a bcrypt limitation,
+        not a security concern for most use cases.
+
+    Example:
+        >>> hashed = hash_password("my_secret_password")
+        >>> hashed.startswith("$2b$")  # bcrypt hash format
+        True
+    """
+    _ensure_passlib()
+
+    if not password:
+        raise ValueError("Password cannot be empty")
+
+    # Truncate to bcrypt's 72-byte limit
+    password = _truncate_password_for_bcrypt(password)
+
+    assert _pwd_context is not None  # ensured by _ensure_passlib
+    result: str = _pwd_context.hash(password)
+    return result
+
+
+def verify_password(plain_password: str, hashed_password: str) -> bool:
+    """Verify a password against a bcrypt hash.
+
+    This function uses constant-time comparison to prevent timing attacks.
+
+    Args:
+        plain_password: The plaintext password to verify.
+        hashed_password: The bcrypt hash to verify against.
+
+    Returns:
+        True if the password matches, False otherwise.
+
+    Raises:
+        ImportError: If passlib[bcrypt] is not installed.
+
+    Note:
+        bcrypt has a 72-byte password limit. Passwords are truncated to
+        match the behavior during hashing.
+
+    Example:
+        >>> hashed = hash_password("my_password")
+        >>> verify_password("my_password", hashed)
+        True
+        >>> verify_password("wrong_password", hashed)
+        False
+    """
+    _ensure_passlib()
+
+    if not plain_password or not hashed_password:
+        return False
+
+    try:
+        # Truncate to bcrypt's 72-byte limit (must match hash_password behavior)
+        plain_password = _truncate_password_for_bcrypt(plain_password)
+
+        assert _pwd_context is not None  # ensured by _ensure_passlib
+        result: bool = _pwd_context.verify(plain_password, hashed_password)
+        return result
+    except Exception:
+        # Any exception during verification means the password is invalid
+        # This includes malformed hashes
+        return False
+
+
+def verify_password_plaintext(plain_password: str, expected_password: str) -> bool:
+    """Verify a password against a plaintext expected password.
+
+    Uses constant-time comparison to prevent timing attacks.
+
+    Args:
+        plain_password: The password to verify.
+        expected_password: The expected plaintext password.
+
+    Returns:
+        True if passwords match, False otherwise.
+    """
+    if not plain_password or not expected_password:
+        return False
+
+    return secrets.compare_digest(plain_password, expected_password)
+
+
+# =============================================================================
+# Environment Configuration
+# =============================================================================
+
+
+def get_password_from_env() -> str | None:
+    """Get the configured password from environment variables.
+
+    Checks for password configuration in order of preference:
+    1. CLAUDETM_PASSWORD_HASH - pre-hashed bcrypt password (recommended for production)
+    2. CLAUDETM_PASSWORD - plaintext password (for development/testing)
+
+    Returns:
+        The configured password (plaintext) or password hash, or None if not configured.
+
+    Note:
+        When CLAUDETM_PASSWORD is set, it returns the plaintext password.
+        When CLAUDETM_PASSWORD_HASH is set, it returns the hash.
+        The caller should use is_password_hash() to determine which type was returned.
+    """
+    # First check for pre-hashed password (production)
+    password_hash = os.getenv(ENV_PASSWORD_HASH)
+    if password_hash:
+        return password_hash
+
+    # Fall back to plaintext password (development)
+    password = os.getenv(ENV_PASSWORD)
+    if password:
+        return password
+
+    return None
+
+
+def is_password_hash(value: str) -> bool:
+    """Check if a value appears to be a bcrypt hash.
+
+    Args:
+        value: The value to check.
+
+    Returns:
+        True if the value looks like a bcrypt hash, False otherwise.
+    """
+    if not value:
+        return False
+
+    # bcrypt hashes start with $2a$, $2b$, or $2y$ followed by cost factor
+    return value.startswith(("$2a$", "$2b$", "$2y$"))
+
+
+def require_password_from_env() -> str:
+    """Get the configured password, raising an error if not configured.
+
+    Returns:
+        The configured password or password hash.
+
+    Raises:
+        PasswordNotConfiguredError: If no password is configured.
+    """
+    password = get_password_from_env()
+    if password is None:
+        raise PasswordNotConfiguredError()
+    return password
+
+
+def authenticate(provided_password: str) -> bool:
+    """Authenticate a provided password against the configured password.
+
+    This function handles both plaintext and hashed password configurations:
+    - If CLAUDETM_PASSWORD_HASH is set, verifies against the hash
+    - If CLAUDETM_PASSWORD is set, compares plaintext (constant-time)
+
+    Args:
+        provided_password: The password to authenticate.
+
+    Returns:
+        True if authentication succeeds, False otherwise.
+
+    Raises:
+        PasswordNotConfiguredError: If no password is configured.
+    """
+    configured = require_password_from_env()
+
+    if is_password_hash(configured):
+        # Verify against bcrypt hash
+        return verify_password(provided_password, configured)
+    else:
+        # Compare plaintext (constant-time)
+        return verify_password_plaintext(provided_password, configured)
+
+
+def is_auth_enabled() -> bool:
+    """Check if password authentication is enabled.
+
+    Returns:
+        True if a password is configured, False otherwise.
+    """
+    return get_password_from_env() is not None

claude_task_master/bin/claudetm

@@ -33,7 +33,7 @@ set -euo pipefail
 
 # Script version - synchronized with Python package version
 # This should be kept in sync using scripts/sync_version.py
-SCRIPT_VERSION="0.1.1"
+SCRIPT_VERSION="0.1.2"
 
 # Configuration file location
 CONFIG_DIR=".claude-task-master"

claude_task_master/cli.py

@@ -7,6 +7,8 @@ from rich.console import Console
 
 from . import __version__
 from .cli_commands.config import register_config_commands
+from .cli_commands.control import register_control_commands
+from .cli_commands.fix_pr import register_fix_pr_command
 from .cli_commands.github import register_github_commands
 from .cli_commands.info import register_info_commands
 from .cli_commands.workflow import register_workflow_commands
@@ -65,6 +67,8 @@ register_workflow_commands(app)  # start, resume
 register_info_commands(app)  # status, plan, logs, context, progress
 register_github_commands(app)  # ci-status, ci-logs, pr-comments, pr-status
 register_config_commands(app)  # config init, config show, config path
+register_control_commands(app)  # pause, stop, config-update
+register_fix_pr_command(app)  # fix-pr
 
 
 @app.command()

claude_task_master/cli_commands/__init__.py

@@ -1,6 +1,7 @@
 """CLI command modules for Claude Task Master."""
 
 from .config import register_config_commands
+from .fix_pr import register_fix_pr_command
 from .github import register_github_commands
 from .info import register_info_commands
 from .workflow import register_workflow_commands
@@ -10,4 +11,5 @@ __all__ = [
     "register_info_commands",
     "register_github_commands",
     "register_config_commands",
+    "register_fix_pr_command",
 ]

claude_task_master/cli_commands/ci_helpers.py

@@ -0,0 +1,114 @@
+"""CI helper functions for fix-pr command."""
+
+from __future__ import annotations
+
+import time
+from typing import TYPE_CHECKING, Any
+
+from ..core import console
+
+if TYPE_CHECKING:
+    from ..github import GitHubClient, PRStatus
+
+
+# Polling intervals
+CI_POLL_INTERVAL = 10  # seconds between CI checks (matches orchestrator)
+CI_START_WAIT = 30  # seconds to wait for CI to start after push
+
+
+def is_check_pending(check: dict[str, Any]) -> bool:
+    """Check if a CI check or status is still pending.
+
+    Handles both CheckRun (GitHub Actions) and StatusContext (external services like CodeRabbit).
+
+    CheckRun states:
+        - status: QUEUED, IN_PROGRESS, COMPLETED
+        - conclusion: success, failure, etc. (only set when COMPLETED)
+
+    StatusContext states:
+        - state: PENDING, EXPECTED, SUCCESS, FAILURE, ERROR
+        - Maps to both status and conclusion in our normalized format
+
+    Args:
+        check: Normalized check detail dictionary.
+
+    Returns:
+        True if the check is still pending, False if complete.
+    """
+    status = (check.get("status") or "").upper()
+    conclusion = check.get("conclusion")
+
+    # StatusContext with PENDING or EXPECTED state is still waiting
+    # (These get mapped to both status and conclusion)
+    if status in ("PENDING", "EXPECTED"):
+        return True
+
+    # CheckRun is pending if not completed or has no conclusion yet
+    if status not in ("COMPLETED",) and conclusion is None:
+        return True
+
+    return False
+
+
+def wait_for_ci_complete(github_client: GitHubClient, pr_number: int) -> PRStatus:
+    """Wait for all CI checks to complete.
+
+    Fetches required checks from branch protection and waits for all of them
+    to report, even if they haven't started yet (like CodeRabbit).
+
+    Args:
+        github_client: GitHub client for API calls.
+        pr_number: PR number to check.
+
+    Returns:
+        Final PRStatus after all checks complete.
+    """
+    console.info(f"Waiting for CI checks on PR #{pr_number}...")
+
+    # Get required checks from branch protection (once at start)
+    status = github_client.get_pr_status(pr_number)
+    required_checks = set(github_client.get_required_status_checks(status.base_branch))
+
+    while True:
+        status = github_client.get_pr_status(pr_number)
+
+        # Get reported check names
+        reported = {check.get("name", "") for check in status.check_details}
+
+        # Find required checks that haven't reported yet
+        missing = required_checks - reported
+
+        # Count pending checks (in progress or not yet complete)
+        pending = [
+            check.get("name", "unknown")
+            for check in status.check_details
+            if is_check_pending(check)
+        ]
+
+        # All pending = running checks + missing required checks
+        all_waiting = list(missing) + pending
+
+        if not all_waiting:
+            # All checks reported - verify no conflicts
+            if status.mergeable == "CONFLICTING":
+                console.warning("⚠ PR has merge conflicts")
+            return status
+
+        # Build status summary
+        passed = status.checks_passed
+        failed = status.checks_failed
+        status_parts = []
+        if passed:
+            status_parts.append(f"{passed} passed")
+        if failed:
+            status_parts.append(f"{failed} failed")
+        status_summary = f" ({', '.join(status_parts)})" if status_parts else ""
+
+        # Show what we're waiting for
+        console.info(
+            f"⏳ Waiting for {len(all_waiting)} check(s): "
+            f"{', '.join(all_waiting[:3])}{'...' if len(all_waiting) > 3 else ''}"
+            f"{status_summary}"
+        )
+
+        time.sleep(CI_POLL_INTERVAL)

claude_task_master/cli_commands/control.py

@@ -0,0 +1,191 @@
+"""Control commands for Claude Task Master - pause, stop, resume, config."""
+
+from typing import Annotated, Any
+
+import typer
+from rich.console import Console
+
+from ..core.control import ControlManager
+from ..core.state import StateManager
+
+console = Console()
+
+
+def pause(
+    reason: Annotated[
+        str | None,
+        typer.Option("--reason", "-r", help="Reason for pausing the task"),
+    ] = None,
+) -> None:
+    """Pause a running task.
+
+    Pauses the current task, which can be resumed later using 'resume'.
+    Task must be in planning or working status to be paused.
+
+    Examples:
+        claudetm pause
+        claudetm pause --reason "Taking a break"
+    """
+    state_manager = StateManager()
+
+    if not state_manager.exists():
+        console.print("[yellow]No active task found.[/yellow]")
+        console.print("Use 'start' to begin a new task.")
+        raise typer.Exit(1)
+
+    try:
+        control = ControlManager(state_manager)
+
+        # Check if task can be paused
+        if not control.can_pause():
+            state = state_manager.load_state()
+            console.print(f"[red]Cannot pause task in '{state.status}' status.[/red]")
+            console.print("[dim]Task must be in 'planning' or 'working' status to pause.[/dim]")
+            raise typer.Exit(1)
+
+        # Pause the task
+        result = control.pause(reason)
+
+        console.print(f"[green]✓ {result.message}[/green]")
+
+        if result.details and result.details.get("reason"):
+            console.print(f"[dim]Reason: {result.details['reason']}[/dim]")
+        console.print("[dim]Use 'resume' to continue the task.[/dim]")
+
+        raise typer.Exit(0)
+
+    except typer.Exit:
+        raise
+    except Exception as e:
+        console.print(f"[red]Error: {e}[/red]")
+        raise typer.Exit(1) from None
+
+
+def stop(
+    reason: Annotated[
+        str | None,
+        typer.Option("--reason", "-r", help="Reason for stopping the task"),
+    ] = None,
+    cleanup: Annotated[
+        bool,
+        typer.Option("--cleanup", "-c", help="Cleanup state files after stopping"),
+    ] = False,
+) -> None:
+    """Stop a running task.
+
+    Stops the current task. The task enters 'stopped' status and can be
+    resumed if needed. Use --cleanup to remove state files entirely.
+
+    Examples:
+        claudetm stop
+        claudetm stop --reason "Task completed"
+        claudetm stop --cleanup
+    """
+    state_manager = StateManager()
+
+    if not state_manager.exists():
+        console.print("[yellow]No active task found.[/yellow]")
+        raise typer.Exit(1)
+
+    try:
+        control = ControlManager(state_manager)
+
+        # Check if task can be stopped
+        if not control.can_stop():
+            state = state_manager.load_state()
+            console.print(f"[red]Cannot stop task in '{state.status}' status.[/red]")
+            console.print(
+                "[dim]Task must be in 'planning', 'working', 'blocked', or 'paused' status to stop.[/dim]"
+            )
+            raise typer.Exit(1)
+
+        # Stop the task
+        result = control.stop(reason, cleanup)
+
+        console.print(f"[green]✓ {result.message}[/green]")
+
+        if result.details:
+            if result.details.get("reason"):
+                console.print(f"[dim]Reason: {result.details['reason']}[/dim]")
+            if result.details.get("cleanup"):
+                console.print("[dim]State files cleaned up.[/dim]")
+
+        raise typer.Exit(0)
+
+    except typer.Exit:
+        raise
+    except Exception as e:
+        console.print(f"[red]Error: {e}[/red]")
+        raise typer.Exit(1) from None
+
+
+def config_update(
+    auto_merge: bool | None = typer.Option(
+        None, "--auto-merge/--no-auto-merge", help="Set auto-merge option"
+    ),
+    max_sessions: int | None = typer.Option(None, "--max-sessions", "-n", help="Set max sessions"),
+    pause_on_pr: bool | None = typer.Option(
+        None, "--pause-on-pr/--no-pause-on-pr", help="Set pause on PR"
+    ),
+) -> None:
+    """Update task configuration at runtime.
+
+    Updates configuration options for the current task. Only specified
+    options are updated; others retain their current values.
+
+    Examples:
+        claudetm config-update --auto-merge
+        claudetm config-update --no-auto-merge --max-sessions 10
+        claudetm config-update --pause-on-pr
+    """
+    state_manager = StateManager()
+
+    if not state_manager.exists():
+        console.print("[yellow]No active task found.[/yellow]")
+        raise typer.Exit(1)
+
+    # Check if any options were provided
+    if all(v is None for v in [auto_merge, max_sessions, pause_on_pr]):
+        console.print("[yellow]No configuration options specified.[/yellow]")
+        console.print("Use --help to see available options.")
+        raise typer.Exit(1)
+
+    try:
+        control = ControlManager(state_manager)
+
+        # Build kwargs with only provided options
+        kwargs: dict[str, Any] = {}
+        if auto_merge is not None:
+            kwargs["auto_merge"] = auto_merge
+        if max_sessions is not None:
+            kwargs["max_sessions"] = max_sessions
+        if pause_on_pr is not None:
+            kwargs["pause_on_pr"] = pause_on_pr
+
+        # Update configuration
+        result = control.update_config(**kwargs)
+
+        console.print(f"[green]✓ {result.message}[/green]")
+
+        # Show current configuration
+        if result.details and result.details.get("current"):
+            current = result.details["current"]
+            console.print("\n[cyan]Current Configuration:[/cyan]")
+            console.print(f"  Auto-merge: {current.get('auto_merge')}")
+            console.print(f"  Max sessions: {current.get('max_sessions') or 'unlimited'}")
+            console.print(f"  Pause on PR: {current.get('pause_on_pr')}")
+
+        raise typer.Exit(0)
+
+    except typer.Exit:
+        raise
+    except Exception as e:
+        console.print(f"[red]Error: {e}[/red]")
+        raise typer.Exit(1) from None
+
+
+def register_control_commands(app: typer.Typer) -> None:
+    """Register control commands with the Typer app."""
+    app.command()(pause)
+    app.command()(stop)
+    app.command()(config_update)