@gethmy/mcp 2.8.2 → 2.8.3

package/dist/cli.js

@@ -6357,9 +6357,10 @@ function appendToToml(filePath, section, content, options = {}) {
   }
   try {
     const existing = readFileSync6(filePath, "utf-8");
-    if (existing.includes(section)) {
+    if (existing.includes(`[${section}]`)) {
       if (options.force) {
-        const updated = existing.replace(new RegExp(`\\[${section.replace(/[.*+?^${}()|[\]\\]/g, "\\$&")}\\][\\s\\S]*?(?=\\[|$)`), content.trim() + `
+        const escaped = section.replace(/[.*+?^${}()|[\]\\]/g, "\\$&");
+        const updated = existing.replace(new RegExp(`(?:#[^\\n]*\\n)*\\[${escaped}\\][\\s\\S]*?(?=\\n\\[|$)`), content.trim() + `
 
 `);
         writeFileSync4(filePath, updated, { mode: 420 });
@@ -6433,6 +6434,53 @@ function getWriteSummary(files, options = {}) {
 }
 
 // src/tui/setup.ts
+var SAFE_HARMONY_TOOLS = [
+  "harmony_get_card",
+  "harmony_get_card_by_short_id",
+  "harmony_search_cards",
+  "harmony_get_board",
+  "harmony_get_context",
+  "harmony_list_projects",
+  "harmony_list_workspaces",
+  "harmony_get_card_links",
+  "harmony_get_card_attachments",
+  "harmony_get_card_external_links",
+  "harmony_get_comments",
+  "harmony_get_plan",
+  "harmony_list_plans",
+  "harmony_get_agent_session",
+  "harmony_get_workspace_members",
+  "harmony_resolve_links",
+  "harmony_recall",
+  "harmony_memory_search",
+  "harmony_generate_prompt",
+  "harmony_create_card",
+  "harmony_update_card",
+  "harmony_move_card",
+  "harmony_assign_card",
+  "harmony_create_subtask",
+  "harmony_toggle_subtask",
+  "harmony_add_label_to_card",
+  "harmony_remove_label_from_card",
+  "harmony_create_label",
+  "harmony_add_comment",
+  "harmony_update_comment",
+  "harmony_add_link_to_card",
+  "harmony_remove_link_from_card",
+  "harmony_start_agent_session",
+  "harmony_update_agent_progress",
+  "harmony_end_agent_session",
+  "harmony_set_project_context",
+  "harmony_set_workspace_context",
+  "harmony_create_plan",
+  "harmony_update_plan",
+  "harmony_advance_plan",
+  "harmony_remember",
+  "harmony_relate",
+  "harmony_update_memory",
+  "harmony_process_command",
+  "harmony_sync"
+];
 var GLOBAL_SKILLS_DIR = join7(homedir6(), ".agents", "skills");
 var API_URL = "https://app.gethmy.com/api";
 async function registerMcpServer() {
@@ -6455,9 +6503,7 @@ async function writeMcpConfigFallback(home) {
   }
   let settings = {};
   if (existsSync9(settingsPath)) {
-    try {
-      settings = JSON.parse(readFileSync7(settingsPath, "utf-8"));
-    } catch {}
+    settings = JSON.parse(readFileSync7(settingsPath, "utf-8"));
   }
   const mcpServers = settings.mcpServers || {};
   mcpServers.harmony = {
@@ -6467,6 +6513,31 @@ async function writeMcpConfigFallback(home) {
   settings.mcpServers = mcpServers;
   writeFileSync5(settingsPath, JSON.stringify(settings, null, 2));
 }
+async function allowlistHarmonyTools(home, allowAll) {
+  const { readFileSync: readFileSync7, writeFileSync: writeFileSync5, mkdirSync: mkdirSync6, existsSync: existsSync9 } = await import("node:fs");
+  const settingsPath = join7(home, ".claude", "settings.json");
+  const settingsDir = dirname3(settingsPath);
+  if (!existsSync9(settingsDir)) {
+    mkdirSync6(settingsDir, { recursive: true });
+  }
+  let settings = {};
+  if (existsSync9(settingsPath)) {
+    settings = JSON.parse(readFileSync7(settingsPath, "utf-8"));
+  }
+  const permissions = settings.permissions || {};
+  const allow = Array.isArray(permissions.allow) ? permissions.allow : [];
+  const hasBlanket = allow.includes("mcp__harmony") || allow.includes("mcp__harmony__*");
+  const wanted = allowAll ? ["mcp__harmony"] : SAFE_HARMONY_TOOLS.map((t) => `mcp__harmony__${t}`);
+  const missing = hasBlanket ? [] : wanted.filter((r) => !allow.includes(r));
+  if (missing.length === 0) {
+    return "already";
+  }
+  allow.push(...missing);
+  permissions.allow = allow;
+  settings.permissions = permissions;
+  writeFileSync5(settingsPath, JSON.stringify(settings, null, 2));
+  return "added";
+}
 async function validateApiKey(apiKey, apiUrl = API_URL) {
   try {
     const response = await fetch(`${apiUrl}/v1/workspaces`, {
@@ -7231,6 +7302,26 @@ async function runSetup(options = {}) {
       }
     }
   }
+  if (claudeDetected || selectedAgents.includes("claude")) {
+    const allowAll = options.allowAllTools === true;
+    const message = allowAll ? "Allowlist EVERY Harmony tool without confirmation, including destructive ones (delete/archive/api-key/invite)?" : "Allowlist common Harmony tools (reads + create/update/move/comment) so /hmy doesn't prompt each time? Destructive tools (delete/archive/api-key/invite) will still ask.";
+    const allowTools = await p3.confirm({ message, initialValue: true });
+    if (p3.isCancel(allowTools)) {
+      p3.cancel("Setup cancelled.");
+      process.exit(0);
+    }
+    if (allowTools) {
+      try {
+        const result = await allowlistHarmonyTools(home, allowAll);
+        const scope = allowAll ? "all tools" : "safe tools";
+        console.log(`  ${colors.success("✓")} ${colors.dim(formatPath(join7(home, ".claude", "settings.json"), home))} ${colors.dim(result === "added" ? `(${scope} allowlisted)` : `(${scope} already allowlisted)`)}`);
+      } catch {
+        p3.log.warning("Could not allowlist Harmony tools. Run /permissions in Claude Code and choose “always allow” for Harmony, or add mcp__harmony to permissions.allow in ~/.claude/settings.json.");
+      }
+    } else {
+      console.log(`  ${colors.dim("Skipped tool allowlist — you'll be prompted per tool, or run /permissions in Claude Code later.")}`);
+    }
+  }
   if (selectedWorkspaceId || selectedProjectId) {
     const localConfig = {};
     if (selectedWorkspaceId)
@@ -7361,7 +7452,7 @@ program.command("reset").description("Remove stored configuration").action(() =>
   console.log(`
 To reconfigure, run: npx @gethmy/mcp setup`);
 });
-program.command("setup").description("Smart setup wizard for Harmony MCP (recommended)").argument("[slug]", "Project slug — resolves to workspace + project in one step (e.g. harmony-6590761b)").option("-f, --force", "Overwrite existing configuration files").option("-k, --api-key <key>", "API key (skips prompt)").option("-e, --email <email>", "Your email for auto-assignment").option("-a, --agents <agents...>", "Agents to configure: claude, codex, cursor, windsurf").option("-l, --local", "Install skills locally in project directory").option("-g, --global", "Install skills globally (recommended)").option("-w, --workspace <id>", "Set workspace context (UUID)").option("-p, --project <id>", "Set project context (UUID)").option("--skip-context", "Skip workspace/project selection").option("--skip-docs", "Skip project docs scaffold/verification").option("--new", "Create a new account (skip the choice prompt)").option("-n, --name <name>", "Full name (for account creation)").action(async (slug, options) => {
+program.command("setup").description("Smart setup wizard for Harmony MCP (recommended)").argument("[slug]", "Project slug — resolves to workspace + project in one step (e.g. harmony-6590761b)").option("-f, --force", "Overwrite existing configuration files").option("-k, --api-key <key>", "API key (skips prompt)").option("-e, --email <email>", "Your email for auto-assignment").option("-a, --agents <agents...>", "Agents to configure: claude, codex, cursor, windsurf").option("-l, --local", "Install skills locally in project directory").option("-g, --global", "Install skills globally (recommended)").option("-w, --workspace <id>", "Set workspace context (UUID)").option("-p, --project <id>", "Set project context (UUID)").option("--skip-context", "Skip workspace/project selection").option("--skip-docs", "Skip project docs scaffold/verification").option("--new", "Create a new account (skip the choice prompt)").option("-n, --name <name>", "Full name (for account creation)").option("--allow-all-tools", "Allowlist every Harmony tool (incl. destructive: delete/archive/api-key/invite) without confirmation. Default allowlists only read + routine-write tools; destructive tools keep prompting.").action(async (slug, options) => {
   await runSetup({
     force: options.force,
     apiKey: options.apiKey,
@@ -7374,7 +7465,8 @@ program.command("setup").description("Smart setup wizard for Harmony MCP (recomm
     skipContext: options.skipContext,
     skipDocs: options.skipDocs,
     newAccount: options.new,
-    name: options.name
+    name: options.name,
+    allowAllTools: options.allowAllTools
   });
 });
 program.parse();

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@gethmy/mcp",
-  "version": "2.8.2",
+  "version": "2.8.3",
   "description": "MCP server for Harmony Kanban board - enables AI coding agents to manage your boards",
   "publishConfig": {
     "access": "public"

package/src/cli.ts

@@ -158,6 +158,10 @@ program
   .option("--skip-docs", "Skip project docs scaffold/verification")
   .option("--new", "Create a new account (skip the choice prompt)")
   .option("-n, --name <name>", "Full name (for account creation)")
+  .option(
+    "--allow-all-tools",
+    "Allowlist every Harmony tool (incl. destructive: delete/archive/api-key/invite) without confirmation. Default allowlists only read + routine-write tools; destructive tools keep prompting.",
+  )
   .action(async (slug, options) => {
     await runSetup({
       force: options.force,
@@ -176,6 +180,7 @@ program
       skipDocs: options.skipDocs,
       newAccount: options.new,
       name: options.name,
+      allowAllTools: options.allowAllTools,
     });
   });
 

package/src/tui/setup.ts

@@ -44,8 +44,68 @@ export interface SetupOptions {
   skipDocs?: boolean;
   newAccount?: boolean;
   name?: string;
+  allowAllTools?: boolean;
 }
 
+/**
+ * Harmony tools that are safe to run without per-call confirmation: reads and
+ * routine writes the /hmy flow leans on. Destructive or sensitive tools are
+ * deliberately ABSENT so they keep prompting — deletes, archives, API-key
+ * minting, and invitations are exactly where the permission prompt earns its
+ * keep, especially under autonomous agent runs. New tools default to prompting
+ * until someone classifies them here (safe failure mode). `--allow-all-tools`
+ * overrides this with a blanket grant.
+ */
+const SAFE_HARMONY_TOOLS = [
+  // Reads
+  "harmony_get_card",
+  "harmony_get_card_by_short_id",
+  "harmony_search_cards",
+  "harmony_get_board",
+  "harmony_get_context",
+  "harmony_list_projects",
+  "harmony_list_workspaces",
+  "harmony_get_card_links",
+  "harmony_get_card_attachments",
+  "harmony_get_card_external_links",
+  "harmony_get_comments",
+  "harmony_get_plan",
+  "harmony_list_plans",
+  "harmony_get_agent_session",
+  "harmony_get_workspace_members",
+  "harmony_resolve_links",
+  "harmony_recall",
+  "harmony_memory_search",
+  "harmony_generate_prompt",
+  // Routine writes
+  "harmony_create_card",
+  "harmony_update_card",
+  "harmony_move_card",
+  "harmony_assign_card",
+  "harmony_create_subtask",
+  "harmony_toggle_subtask",
+  "harmony_add_label_to_card",
+  "harmony_remove_label_from_card",
+  "harmony_create_label",
+  "harmony_add_comment",
+  "harmony_update_comment",
+  "harmony_add_link_to_card",
+  "harmony_remove_link_from_card",
+  "harmony_start_agent_session",
+  "harmony_update_agent_progress",
+  "harmony_end_agent_session",
+  "harmony_set_project_context",
+  "harmony_set_workspace_context",
+  "harmony_create_plan",
+  "harmony_update_plan",
+  "harmony_advance_plan",
+  "harmony_remember",
+  "harmony_relate",
+  "harmony_update_memory",
+  "harmony_process_command",
+  "harmony_sync",
+];
+
 // Central skills directory for global installation
 const GLOBAL_SKILLS_DIR = join(homedir(), ".agents", "skills");
 
@@ -87,14 +147,12 @@ async function writeMcpConfigFallback(home: string): Promise<void> {
     mkdirSync(settingsDir, { recursive: true });
   }
 
-  // Read existing settings or start fresh
+  // Read existing settings. If the file exists but doesn't parse, bail rather
+  // than overwrite — don't wipe a user's hand-edited settings.json to register
+  // one MCP server. The caller falls back to a manual-setup instruction.
   let settings: Record<string, unknown> = {};
   if (existsSync(settingsPath)) {
-    try {
-      settings = JSON.parse(readFileSync(settingsPath, "utf-8"));
-    } catch {
-      // Invalid JSON, start fresh
-    }
+    settings = JSON.parse(readFileSync(settingsPath, "utf-8"));
   }
 
   // Merge mcpServers config
@@ -109,6 +167,65 @@ async function writeMcpConfigFallback(home: string): Promise<void> {
   writeFileSync(settingsPath, JSON.stringify(settings, null, 2));
 }
 
+/**
+ * Allowlist Harmony MCP tools in Claude Code settings so the /hmy flow runs
+ * without per-tool permission prompts. Merges rules into permissions.allow in
+ * ~/.claude/settings.json, preserving existing settings. Idempotent.
+ *
+ * Default (allowAll=false): writes a per-tool rule (`mcp__harmony__<tool>`) for
+ * each entry in SAFE_HARMONY_TOOLS only — destructive tools keep prompting.
+ * allowAll=true: writes the bare `mcp__harmony` rule (every tool, incl.
+ * destructive). The bare form grants all tools and is supported across all
+ * Claude Code versions.
+ */
+async function allowlistHarmonyTools(
+  home: string,
+  allowAll: boolean,
+): Promise<"added" | "already"> {
+  const { readFileSync, writeFileSync, mkdirSync, existsSync } = await import(
+    "node:fs"
+  );
+  const settingsPath = join(home, ".claude", "settings.json");
+  const settingsDir = dirname(settingsPath);
+
+  if (!existsSync(settingsDir)) {
+    mkdirSync(settingsDir, { recursive: true });
+  }
+
+  // Read existing settings. If the file exists but doesn't parse, bail rather
+  // than overwrite — clobbering a user's hand-edited settings.json to add a
+  // permission rule is never worth it. The caller surfaces the manual-fix path.
+  let settings: Record<string, unknown> = {};
+  if (existsSync(settingsPath)) {
+    settings = JSON.parse(readFileSync(settingsPath, "utf-8"));
+  }
+
+  const permissions = (settings.permissions as Record<string, unknown>) || {};
+  const allow = Array.isArray(permissions.allow)
+    ? (permissions.allow as string[])
+    : [];
+
+  // A pre-existing blanket grant already covers everything either mode adds.
+  const hasBlanket =
+    allow.includes("mcp__harmony") || allow.includes("mcp__harmony__*");
+
+  const wanted = allowAll
+    ? ["mcp__harmony"]
+    : SAFE_HARMONY_TOOLS.map((t) => `mcp__harmony__${t}`);
+
+  const missing = hasBlanket ? [] : wanted.filter((r) => !allow.includes(r));
+  if (missing.length === 0) {
+    return "already";
+  }
+
+  allow.push(...missing);
+  permissions.allow = allow;
+  settings.permissions = permissions;
+
+  writeFileSync(settingsPath, JSON.stringify(settings, null, 2));
+  return "added";
+}
+
 interface Workspace {
   id: string;
   name: string;
@@ -1187,6 +1304,38 @@ export async function runSetup(options: SetupOptions = {}): Promise<void> {
     }
   }
 
+  // Step 8c: Allowlist Harmony tools so /hmy runs without permission prompts.
+  // Default = safe subset (reads + routine writes); destructive tools still
+  // prompt. `--allow-all-tools` opts into a blanket grant.
+  if (claudeDetected || selectedAgents.includes("claude")) {
+    const allowAll = options.allowAllTools === true;
+    const message = allowAll
+      ? "Allowlist EVERY Harmony tool without confirmation, including destructive ones (delete/archive/api-key/invite)?"
+      : "Allowlist common Harmony tools (reads + create/update/move/comment) so /hmy doesn't prompt each time? Destructive tools (delete/archive/api-key/invite) will still ask.";
+    const allowTools = await p.confirm({ message, initialValue: true });
+    if (p.isCancel(allowTools)) {
+      p.cancel("Setup cancelled.");
+      process.exit(0);
+    }
+    if (allowTools) {
+      try {
+        const result = await allowlistHarmonyTools(home, allowAll);
+        const scope = allowAll ? "all tools" : "safe tools";
+        console.log(
+          `  ${colors.success("✓")} ${colors.dim(formatPath(join(home, ".claude", "settings.json"), home))} ${colors.dim(result === "added" ? `(${scope} allowlisted)` : `(${scope} already allowlisted)`)}`,
+        );
+      } catch {
+        p.log.warning(
+          "Could not allowlist Harmony tools. Run /permissions in Claude Code and choose “always allow” for Harmony, or add mcp__harmony to permissions.allow in ~/.claude/settings.json.",
+        );
+      }
+    } else {
+      console.log(
+        `  ${colors.dim("Skipped tool allowlist — you'll be prompted per tool, or run /permissions in Claude Code later.")}`,
+      );
+    }
+  }
+
   // Step 9: Save local context
   if (selectedWorkspaceId || selectedProjectId) {
     const localConfig: { workspaceId?: string; projectId?: string } = {};

package/src/tui/writer.ts

@@ -156,13 +156,14 @@ export function appendToToml(
   try {
     const existing = readFileSync(filePath, "utf-8");
 
-    if (existing.includes(section)) {
+    if (existing.includes(`[${section}]`)) {
       if (options.force) {
-        // Replace existing section
+        // Replace existing section, including any comment lines directly above
+        // it. The end anchor is `\n[` (a table header at line start) or EOF —
+        // NOT a bare `[`, so we don't stop early on the `[` inside `args = [...]`.
+        const escaped = section.replace(/[.*+?^${}()|[\]\\]/g, "\\$&");
         const updated = existing.replace(
-          new RegExp(
-            `\\[${section.replace(/[.*+?^${}()|[\]\\]/g, "\\$&")}\\][\\s\\S]*?(?=\\[|$)`,
-          ),
+          new RegExp(`(?:#[^\\n]*\\n)*\\[${escaped}\\][\\s\\S]*?(?=\\n\\[|$)`),
           content.trim() + "\n\n",
         );
         writeFileSync(filePath, updated, { mode: 0o644 });