Update BitBucket integration to use API tokens instead of app passwords

Co-authored-by: NoahCardoza <10343470+NoahCardoza@users.noreply.github.com>

Author: Copilot

README.md

@@ -402,7 +402,7 @@ Choose which platform hosts your pull requests and code reviews.
 | **Provider** | **Setup** | **Notes** |
 |--------------|-----------|-----------|
 | **GitHub**   | `gh auth login` | Default. Integrated with GitHub Issues. |
-| **BitBucket** | Configure in `.iloom/settings.json` | Atlassian Cloud. Requires app password. See [BitBucket Setup](#bitbucket-setup) below. |
+| **BitBucket** | Configure in `.iloom/settings.json` | Atlassian Cloud. Requires API token. See [BitBucket Setup](#bitbucket-setup) below. |
 
 ### Jira Setup
 
@@ -476,21 +476,21 @@ To use BitBucket for pull requests, add this configuration:
 {
   "versionControl": {
     "bitbucket": {
-      "appPassword": "your-bitbucket-app-password"
+      "apiToken": "your-bitbucket-api-token"
     }
   }
 }
 ```
 
-**Generate a BitBucket App Password:**
+**Generate a BitBucket API Token:**
 1. Visit https://bitbucket.org/account/settings/app-passwords/
-2. Click "Create app password"
+2. Click "Create API token" (Note: App passwords were deprecated September 2025)
 3. Grant permissions: `repository:read`, `repository:write`, `pullrequest:read`, `pullrequest:write`
-4. Copy the password to `.iloom/settings.local.json`
+4. Copy the token to `.iloom/settings.local.json`
 
 **Configuration Options:**
 - `username`: Your BitBucket username
-- `appPassword`: App password (store in settings.local.json only!)
+- `apiToken`: API token (store in settings.local.json only!)
 - `workspace`: (Optional) BitBucket workspace, auto-detected from git remote if not provided
 - `repoSlug`: (Optional) Repository slug, auto-detected from git remote if not provided
 
@@ -531,7 +531,7 @@ Use Jira for issues and BitBucket for pull requests:
   },
   "versionControl": {
     "bitbucket": {
-      "appPassword": "your-bitbucket-app-password"
+      "apiToken": "your-bitbucket-api-token"
     }
   }
 }

src/lib/SettingsManager.ts

@@ -379,10 +379,10 @@ export const IloomSettingsSchema = z.object({
 						.string()
 						.min(1, 'BitBucket username cannot be empty')
 						.describe('BitBucket username'),
-					appPassword: z
+					apiToken: z
 						.string()
 						.optional()
-						.describe('BitBucket app password. SECURITY: Store in settings.local.json only, never commit to source control. Generate at: https://bitbucket.org/account/settings/app-passwords/'),
+						.describe('BitBucket API token. SECURITY: Store in settings.local.json only, never commit to source control. Generate at: https://bitbucket.org/account/settings/app-passwords/ (Note: App passwords deprecated Sep 2025, use API tokens)'),
 					workspace: z
 						.string()
 						.optional()
@@ -608,10 +608,10 @@ export const IloomSettingsSchemaNoDefaults = z.object({
 						.string()
 						.min(1, 'BitBucket username cannot be empty')
 						.describe('BitBucket username'),
-					appPassword: z
+					apiToken: z
 						.string()
 						.optional()
-						.describe('BitBucket app password. SECURITY: Store in settings.local.json only, never commit to source control. Generate at: https://bitbucket.org/account/settings/app-passwords/'),
+						.describe('BitBucket API token. SECURITY: Store in settings.local.json only, never commit to source control. Generate at: https://bitbucket.org/account/settings/app-passwords/ (Note: App passwords deprecated Sep 2025, use API tokens)'),
 					workspace: z
 						.string()
 						.optional()

src/lib/VCSProviderFactory.ts

@@ -45,13 +45,13 @@ export class VCSProviderFactory {
 				if (!bbSettings?.username) {
 					throw new Error('BitBucket username is required. Configure versionControl.bitbucket.username in .iloom/settings.json')
 				}
-				if (!bbSettings?.appPassword) {
-					throw new Error('BitBucket app password is required. Configure versionControl.bitbucket.appPassword in .iloom/settings.local.json')
+				if (!bbSettings?.apiToken) {
+					throw new Error('BitBucket API token is required. Configure versionControl.bitbucket.apiToken in .iloom/settings.local.json')
 				}
 
 				const bbConfig: BitBucketVCSConfig = {
 					username: bbSettings.username,
-					appPassword: bbSettings.appPassword,
+					apiToken: bbSettings.apiToken,
 				}
 
 				if (bbSettings.workspace) {

src/lib/providers/bitbucket/BitBucketApiClient.ts

@@ -9,7 +9,7 @@ import { getLogger } from '../../../utils/logger-context.js'
  */
 export interface BitBucketConfig {
 	username: string
-	appPassword: string // App password from BitBucket settings
+	apiToken: string // API token from BitBucket settings
 	workspace?: string // Optional, can be auto-detected from git remote
 	repoSlug?: string // Optional, can be auto-detected from git remote
 }
@@ -67,8 +67,11 @@ export interface BitBucketRepository {
 /**
  * BitBucketApiClient provides low-level REST API access to BitBucket
  * 
- * Authentication: Basic Auth with username and app password
+ * Authentication: Basic Auth with username and API token
  * API Reference: https://developer.atlassian.com/cloud/bitbucket/rest/intro/
+ * 
+ * Note: As of September 9, 2025, BitBucket app passwords can no longer be created.
+ * Use API tokens with scopes instead. All existing app passwords will be disabled on June 9, 2026.
  */
 export class BitBucketApiClient {
 	private readonly baseUrl = 'https://api.bitbucket.org/2.0'
@@ -77,8 +80,8 @@ export class BitBucketApiClient {
 	private readonly repoSlug: string | undefined
 
 	constructor(config: BitBucketConfig) {
-		// Create Basic Auth header
-		const credentials = Buffer.from(`${config.username}:${config.appPassword}`).toString('base64')
+		// Create Basic Auth header with API token
+		const credentials = Buffer.from(`${config.username}:${config.apiToken}`).toString('base64')
 		this.authHeader = `Basic ${credentials}`
 
 		this.workspace = config.workspace