@inteeka/task-cli
v0.2.34
Task — agentic CLI for working through CLI-eligible tickets locally with Claude Code
The standalone agentic CLI for Inteeka Task. Authenticate with your dashboard account, link a repo to a project, fetch CLI-eligible tickets, and let Claude Code work through them — with hard guardrails that never let the agent touch configuration, lockfiles, or anything outside source code.
Install
npm i -g @inteeka/task-cli
# or, in a workspace:
pnpm add -g @inteeka/task-cli
You'll also need Claude Code on your PATH. task doctor will tell you if it's missing.
Quickstart
task login # OAuth device flow against your dashboard
cd /path/to/your/repo
task link --project myproj # writes .task/config.json
task tickets # lists CLI-eligible tickets
task work --next # picks the next eligible ticket and runs the agent
Authorisation model — why some commands fail with "CLI access is not enabled"
Three independent gates protect every CLI run. All three must be true at the moment of the request:
- Per-membership cli_access — your membership on the org has the toggle enabled by an admin from the dashboard's Agentic CLI page.
- Per-ticket cli_eligible — a human has explicitly opted this ticket in for autonomous work, with a confirmation step in the dashboard.
- Per-schedule enabled — for scheduled runs, the schedule isn't paused locally or remotely disabled by an admin.
Default-deny on all three. A leaked credential lands the attacker on a CLI that can't see any tickets.
Source-code guardrail (Layer A + Layer B)
The CLI never lets the agent modify build/TS configuration, env files, registry config (.npmrc/.yarnrc), CI files, or anything matching *.config.* at the repo root.
Dependency changes are allowed: the agent may edit package.json and lockfiles and run package-manager install/add/remove commands — adding a missing dependency is routine ticket work, not a security boundary. Registry config stays protected because repointing the registry is a supply-chain attack surface.
- Layer A — the system prompt that ships to Claude includes the denylist verbatim and tells the agent to stop if the ticket needs such a change.
- Layer B — after the agent finishes, git diff --cached --name-only (and the unstaged diff + untracked files) is intersected against the denylist. If anything matches: the working tree is restored, the commit is aborted, the run is recorded as guardrail_blocked, and the CLI exits with code 4. No commit ever lands when Layer B fires.
Project admins can extend the denylist via the Protected Paths tab on the dashboard's Agentic CLI page (e.g. prisma/schema.prisma, terraform/**) — including re-adding package.json to freeze dependencies for a specific project.
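A sketch of the Layer B intersection described above, as an added example that is not the project's own code. The denylist globs, the glob matcher and all function names are assumptions; only guardrail_blocked, exit code 4 and the example protected paths come from this README.

```javascript
// Constructed denylist built from the categories this README names; the project's
// real list lives in @task/constants and is not reproduced here.
const DENYLIST = [
  ".npmrc", ".yarnrc",                    // registry config
  ".env", ".env.*",                       // env files
  "tsconfig*.json",                       // build/TS configuration
  ".github/**",                           // CI files (assumed location)
  "*.config.*",                           // root only: "*" never crosses "/"
  "prisma/schema.prisma", "terraform/**", // admin-added examples from the README
];

// Translate a glob to an anchored RegExp: "**" spans directories, "*" does not.
function globToRegExp(glob) {
  const escaped = glob.replace(/[.+^${}()|[\]\\?]/g, "\\$&");
  const body = escaped.replace(/\*\*|\*/g, (m) => (m === "**" ? ".*" : "[^/]*"));
  return new RegExp(`^${body}$`);
}

// Git prints repo-relative paths; normalise anyway so "./.npmrc" cannot slip past.
const normalise = (p) => p.replace(/\\/g, "/").replace(/^(\.\/)+/, "");

// Layer B check: union of staged, unstaged and untracked paths vs. the denylist.
function guardrailViolations({ staged, unstaged, untracked }, denylist = DENYLIST) {
  const rules = denylist.map((glob) => ({ glob, re: globToRegExp(glob) }));
  const changed = new Set([...staged, ...unstaged, ...untracked].map(normalise));
  const hits = [];
  for (const path of changed) {
    const rule = rules.find((r) => r.re.test(path));
    if (rule) hits.push({ path, rule: rule.glob });
  }
  return hits;
}

// guardrail_blocked and exit code 4 are the README's; the clean-run values are assumed.
function evaluateRun(changes, denylist) {
  const violations = guardrailViolations(changes, denylist);
  return violations.length
    ? { status: "guardrail_blocked", exitCode: 4, commit: false, violations }
    : { status: "completed", exitCode: 0, commit: true, violations };
}

// Constructed sample of the three path listings after an agent run.
const sample = {
  staged: ["src/auth/session.ts", "package.json"],
  unstaged: ["./.npmrc"],
  untracked: ["src/vite.config.ts", "vite.config.ts", "terraform/prod/main.tf"],
};
console.log(evaluateRun(sample));
```

Untracked files are part of the union because a newly created protected file never appears in either diff listing.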
Commands
Auth
| Command | What it does |
| ------------------- | -------------------------------------------------------------------------------------------------- |
| task login | OAuth device flow; stores access + refresh tokens in ~/.config/task/credentials.json (mode 0600) |
| task logout | Revoke the session server-side and clear local credentials |
| task whoami | Show signed-in user, session, and authorised projects |
| task auth refresh | Force a token refresh (mostly automatic) |
Project linking
| Command | What it does |
| --------------------------------------------- | --------------------------------------------------------------- |
| task link [--org <slug>] [--project <slug>] | Link the current repo to a project, writing .task/config.json |
| task unlink | Remove the link |
| task projects | List authorised projects |
| task status | Show auth + link + git state |
Tickets
| Command | What it does |
| -------------------------------------------------------- | ----------------------------------------------- |
| task tickets [--status <s>] [--limit N] [--cursor <c>] | List CLI-eligible tickets in the linked project |
| task ticket show <id> | Show one ticket |
| task ticket open <id> | Open the ticket in your browser |
| task ticket status <id> <slug> | Update a ticket status |
| task ticket comment <id> "<text>" | Add a comment (author type cli) |
Agentic execution
task work [<id>] [--auto] [--dry-run] [--no-push] [--max N] [--silent]
task work --next # alias for --auto --max 1
The work pipeline:
- POST cli.run.started to the server.
- Spawn claude with the source-code denylist + --allowedTools whitelist.
- Run the post-agent diff guardrail.
- On violation → restore working tree, POST cli.run.guardrail_blocked, exit 4.
- On clean diff → commit (and push by default), POST cli.run.completed.
- If --max > 1, loop to next eligible ticket.
Scheduled tasks
task scheduled-task add nightly --cron "0 2 * * *" --max 5
task scheduled-task list
task scheduled-task pause nightly
task scheduled-task resume nightly
task scheduled-task remove nightly
task scheduled-task run nightly # run once now
task scheduled-task logs nightly --limit 20
Schedules register with the host OS (launchd / cron / Task Scheduler) AND mirror to the server. Admins can remotely disable a schedule from the dashboard; the next run detects it and exits with code 6 — without retry-storming.
Run history
| Command | What it does |
| -------------------------------------------------------------- | ---------------------------------------------------- |
| task runs list [--limit N] [--ticket <id>] [--schedule <id>] | List runs |
| task runs show <id> | Show a single run |
| task runs logs <id> | Stream agent output captured during a --silent run |
Config + diagnostics
| Command | What it does |
| -------------------------- | ----------------------------------------------------- |
| task config get/set/list | Read or update ~/.config/task/config.json |
| task doctor | Verify auth, claude, git, scheduler, API connectivity |
| task version | Print the version |
Exit codes
| Code | Meaning |
| ---- | -------------------------------------------------------------------------- |
| 0 | Success (or "no eligible tickets" — scheduled runs treat this as expected) |
| 1 | Generic error |
| 2 | Misconfiguration (no creds, no link, missing claude) |
| 3 | Unauthorised — credentials wiped |
| 4 | Guardrail blocked the run |
| 5 | Network unreachable |
| 6 | Schedule was disabled by an admin |
Threat model summary
- Credentials live in ~/.config/task/credentials.json mode 0600. No tokens are logged.
- Refresh tokens are one-time-use; rotation is enforced server-side. Replay of a rotated refresh token revokes the entire session and writes a cli.token.replay_detected audit row.
- All authorisation logic lives in the API. The CLI never decides "you have access" client-side beyond holding the access token.
- The agent's --allowedTools whitelist and the protected-paths denylist are imported from @task/constants — one source of truth across the dashboard, the system prompt, and the diff guardrail.
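The one-time-use refresh token rule from the list above, modelled in memory as an added example that is not the project's server code. The class, its fields and the rt-N token values are hypothetical; only the cli.token.replay_detected event name comes from this README.

```javascript
// In-memory model of one-time-use refresh tokens with replay detection.
class SessionStore {
  constructor(mint = () => globalThis.crypto.randomUUID()) {
    this.mint = mint;         // token generator (must be a CSPRNG in real use)
    this.tokens = new Map();  // refresh token -> { sessionId, used }
    this.revoked = new Set(); // revoked session ids
    this.audit = [];          // audit rows
  }

  // Start a session (for instance after the device flow) and return its first token.
  login(sessionId) {
    return this.#issue(sessionId);
  }

  #issue(sessionId) {
    const token = this.mint();
    this.tokens.set(token, { sessionId, used: false });
    return token;
  }

  // Exchange a refresh token for its successor; each token is valid exactly once.
  refresh(token) {
    const rec = this.tokens.get(token);
    if (!rec || this.revoked.has(rec.sessionId)) return { ok: false, reason: "invalid" };
    if (rec.used) {
      // A rotated token came back: the server cannot tell the legitimate holder
      // from a thief, so it revokes the whole session and audits the event.
      this.revoked.add(rec.sessionId);
      this.audit.push({ event: "cli.token.replay_detected", sessionId: rec.sessionId });
      return { ok: false, reason: "replay" };
    }
    rec.used = true;
    return { ok: true, refreshToken: this.#issue(rec.sessionId) };
  }
}

// Constructed scenario: a copied first token is presented after the CLI rotated it.
function replayScenario() {
  let n = 0;
  const store = new SessionStore(() => `rt-${++n}`); // deterministic stand-in tokens
  const first = store.login("sess-1");
  const second = store.refresh(first).refreshToken; // legitimate rotation
  const replay = store.refresh(first);              // rotated token presented again
  const after = store.refresh(second);              // newest token is now dead too
  return { replay, after, audit: store.audit };
}
console.log(replayScenario());
```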
Source
github.com/inteeka/task (private). The CLI lives in apps/cli/.
