Modularize oauth21, add gitignore-aware listing with pagination, enforce mypy strict mode

- Split monolithic oauth21.py into a package with _jwt, _pkce, _dpop,
  _resource, _server, and _types modules
- Add offset pagination to workspace_list_files and workspace_search_text;
  return pagination cursor in response
- Respect .gitignore and .agignore rules in list_files and search_text
- Enable mypy disallow_untyped_defs globally with targeted overrides
- Add Architecture Decision Records for P1 primitives, Code Mode sandbox,
  OAuth/DPoP, and MCP Streamable HTTP
- Raise CI coverage threshold to 85%

Author: johnteee

.github/workflows/ci.yml

@@ -27,7 +27,7 @@ jobs:
           pip install -e ".[dev]"
 
       - name: Run tests
-        run: pytest --cov=teaagent --cov-report=term-missing
+        run: pytest --cov=teaagent --cov-report=term-missing --cov-fail-under=85
 
   lint:
     runs-on: ubuntu-latest

docs/adr/0002-p1-primitives.md

@@ -0,0 +1,43 @@
+# ADR 0002: P1 Primitives
+
+## Status
+
+Accepted for P1 implementation.
+
+## Decision
+
+Include trace recording, execution context compaction, eval framework, in-memory RAG,
+skill review, and AI-BOM generation as P1 primitives on top of the P0 agent harness.
+
+Each primitive follows the same no-external-dependency policy as P0 (stdlib only).
+
+## Rationale
+
+These primitives compose naturally with the agent harness without inventing new
+interfaces:
+
+- **TraceRecorder** records the agent's observation stream for replay and debugging.
+- **ContextCompactor** compresses long observation lists into summaries, keeping
+  prompts within model context windows.
+- **Eval framework** lets teams measure agent performance on representative tasks
+  before shipping model/prompt changes.
+- **InMemoryRetriever** and **KnowledgeGraph** provide lightweight RAG so the
+  agent can query project knowledge without a vector database.
+- **SkillReview** audits skill content for security and correctness.
+- **AIBOM** generates a bill-of-materials for the agent's dependencies.
+
+## Consequences
+
+- RAG components (`InMemoryRetriever`, `KnowledgeGraph`) are deliberately in-memory
+  so that P2 can swap in GraphQLite-backed persistence without changing the agent
+  contract.
+- Eval framework is deterministic and does not call live LLMs; it uses pre-recorded
+  decision sequences.
+- These primitives add no mandatory dependencies beyond the Python standard library.
+
+## Alternatives Considered
+
+- **LangChain/LlamaIndex for RAG**: Rejected — adds 50+ transitive dependencies
+  for what is essentially tf-idf similarity search.
+- **pytest for evals**: Rejected — eval is harness-level, not test-level. The eval
+  framework is embedded so the agent can self-assess.

docs/adr/0003-p2-code-mode-sandbox.md

@@ -0,0 +1,43 @@
+# ADR 0003: Code Mode Child-Process Sandbox
+
+## Status
+
+Accepted for P2 implementation.
+
+## Decision
+
+Execute LLM-generated Python code in a detached child process with AST allow-list
+validation, CPU-time limits, wall-clock timeouts, and best-effort memory limits.
+Reject container-level isolation, seccomp, and V8 isolates as P2 scope.
+
+## Rationale
+
+- AST allow-list validation (`ALLOWED_NODES`) prevents imports, attribute access,
+  function definitions, and other dangerous constructs at parse time.
+- A `multiprocessing.Process` boundary isolates the child's address space from
+  the parent. Even if `exec()` corrupts the child, the parent survives.
+- `RLIMIT_CPU` provides a hard CPU-time ceiling.
+- Wall-clock timeout via `process.join(timeout)` prevents hung code.
+- `RLIMIT_AS` provides advisory memory limits; it is silently no-op on macOS
+  (macOS rejects `RLIMIT_AS` lowering) but the wall/CPU timeouts still bound
+  the attack surface.
+
+## Consequences
+
+- Code Mode is safe for *advisory* local data manipulation but is **not**
+  a production-grade sandbox. The child process shares the parent's filesystem
+  view, network namespace, and process namespace.
+- Production deployment should layer containers, seccomp profiles, or a managed
+  execution service on top of this implementation.
+- The `SAFE_BUILTINS` list is deliberately small (math, collection constructors).
+  Expanding it requires an ADR and threat model review.
+
+## Alternatives Considered
+
+- **subinterpreters (PEP 554)**: Not available in Python 3.9; too bleeding-edge.
+- **Docker/container per execution**: Latency of ~1s per Code Mode call makes
+  it impractical for the dozens of calls an agent may make in one run.
+- **V8/QuickJS isolate via PyMiniRacer or similar**: Adds a C extension dependency
+  and a second language runtime; violates the "stdlib-only P0" policy.
+- **RestrictedPython**: Transforms source code but still executes in-process;
+  offers no resource limits. Rejected in favor of the process boundary.

docs/adr/0004-oauth-dpop.md

@@ -0,0 +1,45 @@
+# ADR 0004: OAuth 2.1 + DPoP with Optional Dependencies
+
+## Status
+
+Accepted for P2 implementation.
+
+## Decision
+
+Implement OAuth 2.1 Authorization Server and Resource Server with DPoP
+proof-of-possession directly in TeaAgent, using a zero-dependency HMAC-SHA256
+core with optional `cryptography` library for asymmetric DPoP signature
+verification (ES256/RS256).
+
+## Rationale
+
+- MCP Streamable HTTP requires authentication for non-loopback binds.
+  The minimal viable option is a bearer token, but bearer tokens are
+  replayable by any network observer.
+- DPoP (RFC 9449) binds access tokens to a client-generated asymmetric key pair,
+  preventing token replay. This is the only OAuth extension that materially
+  improves MCP transport security without requiring TLS.
+- HS256 is the only JWT algorithm available without `cryptography`. When DPoP
+  is disabled, HS256 access tokens are sufficient for the bearer token use case.
+- The optional-dependency design (`pip install teaagent[oauth]`) keeps the
+  P0 zero-dependency posture intact while making DPoP available on demand.
+
+## Consequences
+
+- The module was split into `oauth21/` submodules (`_jwt.py`, `_dpop.py`,
+  `_types.py`, `_server.py`, `_resource.py`, `_pkce.py`) at 851 lines for
+  maintainability.
+- Internal state (clients, codes, nonces) is in-memory dicts. Multi-process
+  or persistent deployments require an external store.
+- Key rotation, refresh tokens, and external client storage are deferred to
+  a future production-hardening ADR.
+- The `cryptography` import is conditional (`HAS_CRYPTOGRAPHY` flag);
+
+## Alternatives Considered
+
+- **Authlib**: Adds 10+ dependencies; overkill for a single JWT sign/verify
+  plus DPoP validation.
+- **PyJWT**: HMAC-only JWT is 20 lines; adding a dependency for it is waste.
+- **TLS-only (no DPoP)**: Rejected because the MCP server is designed to run
+  behind a reverse proxy and DPoP protects against replay even after TLS
+  termination.

docs/adr/0005-mcp-streamable-http.md

@@ -0,0 +1,47 @@
+# ADR 0005: MCP Streamable HTTP Transport
+
+## Status
+
+Accepted for P2 implementation.
+
+## Decision
+
+Expose the TeaAgent workspace tool pack to MCP clients over stdio JSON-RPC
+and Streamable HTTP (POST/GET/DELETE on `/mcp`) with `Mcp-Session-Id` session
+management, bearer-token/OAuth 2.1 guardrails, and Origin allowlisting.
+
+## Rationale
+
+- stdio JSON-RPC (`serve_mcp_stdio`) provides zero-config integration with
+  MCP clients that launch the server as a subprocess (Claude Desktop, Zed, etc.).
+- Streamable HTTP (`serve_mcp_http`) enables remote IDE agents, web-based
+  clients, and multi-session scenarios. It follows the MCP Streamable HTTP
+  draft with SSE-based streaming on GET and JSON-RPC on POST.
+- Session management via `Mcp-Session-Id` header prevents cross-session
+  confusion and supports session termination via DELETE.
+- Authentication is enforced at two layers:
+  1. CLI layer: refuses non-loopback binds without `--auth-token` or OAuth.
+  2. Library layer: `build_mcp_http_server()` raises `ValueError` on
+     non-loopback binds without `auth_token` or `oauth_server`.
+
+## Consequences
+
+- The server uses `ThreadingHTTPServer` from stdlib with a simple in-memory
+  `MCPSessionStore`. This is sufficient for single-machine use but not for
+  high-concurrency production deployments.
+- TLS is not implemented natively; a reverse proxy (nginx, Caddy) must
+  terminate TLS for external access.
+- DPoP nonce negotiation and OAuth metadata endpoints are served under the
+  same HTTP handler, enabling fully featured MCP authorization.
+- Batch JSON-RPC requests are supported; notifications (no `id`) return HTTP 202.
+
+## Alternatives Considered
+
+- **WebSocket transport**: MCP specification favors Streamable HTTP over
+  WebSocket for simpler HTTP semantics. SSE provides server-to-client push
+  without the WebSocket upgrade handshake.
+- **gRPC**: Rejected — MCP is JSON-RPC-based; gRPC would require a separate
+  protocol definition and client SDK.
+- **aiohttp/FastAPI**: Rejected — adds framework dependencies for what is
+  a single-path HTTP handler. `ThreadingHTTPServer` is sufficient for the
+  target scale (single-digit concurrent MCP clients).

pyproject.toml

@@ -43,12 +43,31 @@ pythonpath = ["."]
 python_version = "3.9"
 ignore_missing_imports = true
 exclude = ["tests/"]
-disallow_untyped_defs = false
-disallow_incomplete_defs = false
+disallow_untyped_defs = true
+disallow_incomplete_defs = true
 check_untyped_defs = true
 warn_unused_ignores = false
 warn_redundant_casts = true
 no_implicit_optional = true
 
+[[tool.mypy.overrides]]
+module = [
+    "teaagent.cli._agent_parsers",
+    "teaagent.cli._memory_parsers",
+    "teaagent.cli._mcp_parsers",
+    "teaagent.cli._misc_parsers",
+    "teaagent.cli._model_parsers",
+    "teaagent.code_mode",
+    "teaagent.llm",
+    "teaagent.llm_conformance",
+    "teaagent.mcp_http",
+    "teaagent.oauth21.*",
+    "teaagent.telemetry",
+    "teaagent.tui",
+    "teaagent.workspace_tools",
+]
+disallow_untyped_defs = false
+disallow_incomplete_defs = false
+
 [tool.ruff]
 extend-exclude = [".git", ".teaagent", "__pycache__", ".pytest_cache", ".venv", "build", "dist"]

teaagent/chat_agent.py

@@ -46,7 +46,7 @@ class ChatAgentConfig:
     approval_handler: Optional[ApprovalHandler] = None
 
     @classmethod
-    def from_root(cls, root: str | Path, **kwargs) -> 'ChatAgentConfig':
+    def from_root(cls, root: str | Path, **kwargs: Any) -> 'ChatAgentConfig':
         return cls(root=Path(root).resolve(), **kwargs)
 
 

teaagent/heartbeat.py

@@ -2,21 +2,21 @@
 
 import threading
 import time
+from collections.abc import Callable
 from typing import Optional
 
 from teaagent.audit import AuditLogger
 
 
 class Heartbeat:
-    """Periodic 'heartbeat' audit events for long-running runs."""
 
     def __init__(
         self,
         audit: AuditLogger,
         run_id: str,
         *,
         interval_seconds: float,
-        sleep=time.sleep,
+        sleep: Callable[[float], None] = time.sleep,
     ) -> None:
         if interval_seconds <= 0:
             raise ValueError('interval_seconds must be positive')
@@ -32,7 +32,7 @@ def __enter__(self) -> 'Heartbeat':
         self.start()
         return self
 
-    def __exit__(self, exc_type, exc, tb) -> None:
+    def __exit__(self, exc_type: object, exc_val: object, exc_tb: object) -> None:
         self.stop()
 
     def tick(self) -> None: