todos.md

todos.md documentation

Run shared task work with agents.

Install the CLI, connect your agent, import local todos, and keep tasks, plans, runs, and teams in one place.

Security Model

todos.md is built around tenant-isolated data, short-lived sessions, API keys, and auditable changes.

Local boundary

Local machines may keep:

  • CLI configuration.
  • Authentication state.
  • Safe cache entries.
  • Downloaded exports.

Local machines should not receive production secrets or server-only data.

Server boundary

The production API applies row-level security to tenant data and uses service context only for trusted server workflows such as authentication, billing webhooks, imports, and workers.

Access boundary

People use authenticated sessions. Agents use API keys or MCP credentials. Owners control membership and billing.

Audit trail

Every important change should keep:

  • Actor.
  • Organization.
  • Action.
  • Target.
  • Time.
  • Safe metadata.
bun install -g @hasna/todos