npm - @oliverames/ynab-mcp-server - Versions diffs - 2.1.0 → 3.0.0 - Mend

@oliverames/ynab-mcp-server 2.1.0 → 3.0.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (8) hide show

package/README.md +174 -51
package/docs/privacy.md +51 -0
package/index.js +663 -117
package/package.json +13 -6
package/scripts/build-mcpb.mjs +5 -5
package/scripts/check-release-consistency.mjs +12 -4
package/scripts/smoke-list-tools.mjs +6 -1
package/scripts/test-safety-model.mjs +132 -3

package/package.json CHANGED Viewed

@@ -1,34 +1,41 @@
 {
   "name": "@oliverames/ynab-mcp-server",
-  "version": "2.1.0",
-  "description": "YNAB MCP server with full API coverage",
+  "version": "3.0.0",
+  "description": "Local MCP server for YNAB budget operations",
   "type": "module",
   "main": "index.js",
   "bin": {
+    "mcp-server-for-ynab": "index.js",
     "ynab-mcp-server": "index.js"
   },
   "files": [
     "index.js",
     "scripts/",
     "assets/icon.png",
-    "docs/hosted-oauth-connector.md"
+    "docs/hosted-oauth-connector.md",
+    "docs/privacy.md"
   ],
   "scripts": {
     "start": "node index.js",
-    "pretest": "node --input-type=module -e \"await import('@modelcontextprotocol/sdk/client/index.js')\" >/dev/null 2>&1 || npm ci --silent --no-audit --no-fund",
+    "deps:ensure": "node --input-type=module -e \"await import('@modelcontextprotocol/sdk/client/index.js')\" >/dev/null 2>&1 || npm ci --silent --no-audit --no-fund",
+    "pretest": "npm run deps:ensure",
     "test": "node test.js",
+    "presmoke:list-tools": "npm run deps:ensure",
     "smoke:list-tools": "node scripts/smoke-list-tools.mjs",
+    "presmoke:review-unapproved": "npm run deps:ensure",
     "smoke:review-unapproved": "node scripts/smoke-review-unapproved.mjs",
+    "presmoke:batch-verify": "npm run deps:ensure",
     "smoke:batch-verify": "node scripts/smoke-batch-verify.mjs",
     "release:check": "node scripts/check-release-consistency.mjs",
     "release:check:registry": "node scripts/check-release-consistency.mjs --registry",
     "build:mcpb": "node scripts/build-mcpb.mjs",
+    "pretest:safety": "npm run deps:ensure",
     "test:safety": "node scripts/test-safety-model.mjs"
   },
   "dependencies": {
     "@modelcontextprotocol/sdk": "^1.29.0",
-    "ynab": "^2.5.0",
-    "zod": "^4.3.6"
+    "ynab": "^4.1.0",
+    "zod": "^4.4.3"
   },
   "engines": {
     "node": ">=18"

package/scripts/build-mcpb.mjs CHANGED Viewed

@@ -10,7 +10,7 @@ const projectRoot = path.dirname(path.dirname(fileURLToPath(import.meta.url)));
 const pkg = JSON.parse(fs.readFileSync(path.join(projectRoot, "package.json"), "utf8"));
 const force = process.argv.includes("--force");
 const distDir = path.join(projectRoot, "dist");
-const outputPath = path.join(distDir, `ynab-mcp-server-${pkg.version}.mcpb`);
+const outputPath = path.join(distDir, `mcp-server-for-ynab-${pkg.version}.mcpb`);
 if (fs.existsSync(outputPath) && !force) {
   console.error(`Refusing to overwrite existing artifact: ${outputPath}`);
@@ -52,10 +52,10 @@ copyFile("assets/icon.png");
 writeJson("manifest.json", {
   manifest_version: "0.3",
-  name: "ynab-mcp-server",
-  display_name: "YNAB MCP Server",
+  name: "mcp-server-for-ynab",
+  display_name: "MCP Server for YNAB",
   version: pkg.version,
-  description: "Complete MCP server for YNAB budget operations.",
+  description: "Local MCP server for YNAB budget operations.",
   author: {
     name: "Oliver Ames",
     url: "https://github.com/oliverames",
@@ -84,7 +84,7 @@ writeJson("manifest.json", {
   tools_generated: true,
   keywords: ["mcp", "model-context-protocol", "ynab", "budgeting", "personal-finance"],
   license: "MIT",
-  privacy_policies: ["https://www.ynab.com/privacy-policy"],
+  privacy_policies: ["https://github.com/oliverames/ynab-mcp-server/blob/main/docs/privacy.md"],
   compatibility: {
     platforms: ["darwin", "win32", "linux"],
     runtimes: {

package/scripts/check-release-consistency.mjs CHANGED Viewed

@@ -41,7 +41,15 @@ assert(lock.version === version, `package-lock root version matches ${version}`)
 assert(lock.packages?.[""]?.version === version, `package-lock package version matches ${version}`);
 assert(indexJs.includes(`version: "${version}"`), `index.js McpServer version matches ${version}`);
-const registeredToolCount = [...indexJs.matchAll(/server\.registerTool\(/g)].length;
+const registeredToolNames = [...indexJs.matchAll(/^\s*registerTool\(\s*\n\s*"([^"]+)"/gm)]
+  .map((match) => match[1]);
+const registeredToolCount = registeredToolNames
+  .filter((name) => !name.startsWith("ynab_"))
+  .length;
+const discoveryHelpers = ["ynab_auth_status", "ynab_tool_index", "ynab_tool_execute", "ynab_write_tool_execute"];
+for (const helperName of discoveryHelpers) {
+  assert(registeredToolNames.includes(helperName), `discovery helper ${helperName} is registered`);
+}
 const readmeToolCounts = [...new Set(
   [...readme.matchAll(/\b(\d+) tools\b/gi)].map((match) => Number(match[1]))
 )];
@@ -63,12 +71,12 @@ assert(
     : `README has stale release link versions: ${staleReleaseVersions.join(", ")}`
 );
-const mcpbVersions = [...readme.matchAll(/ynab-mcp-server-(\d+\.\d+\.\d+)\.mcpb/g)].map((match) => match[1]);
+const mcpbVersions = [...readme.matchAll(/(?:ynab-mcp-server|mcp-server-for-ynab)-(\d+\.\d+\.\d+)\.mcpb/g)].map((match) => match[1]);
 const staleMcpbVersions = [...new Set(mcpbVersions.filter((mcpbVersion) => mcpbVersion !== version))];
 assert(
-  staleMcpbVersions.length === 0 && mcpbVersions.length > 0,
+  staleMcpbVersions.length === 0,
   staleMcpbVersions.length === 0
-    ? `README MCPB artifact references match ${version}`
+    ? (mcpbVersions.length > 0 ? `README MCPB artifact references match ${version}` : "README has no MCPB artifact references")
     : `README has stale MCPB artifact versions: ${staleMcpbVersions.join(", ")}`
 );

package/scripts/smoke-list-tools.mjs CHANGED Viewed

@@ -7,10 +7,15 @@ const requiredTools = [
   "get_transactions",
   "search_categories",
   "search_payees",
+  "ynab_auth_status",
+  "ynab_tool_index",
+  "ynab_tool_execute",
 ];
 const options = parseSmokeOptions();
-const requiredWriteTools = process.env.YNAB_ALLOW_WRITES === "1" ? ["update_transactions"] : [];
+const requiredWriteTools = process.env.YNAB_ALLOW_WRITES === "1"
+  ? ["update_transactions", "approve_transactions", "ynab_write_tool_execute"]
+  : [];
 await withSmokeClient(options, async (client, params) => {
   const result = await client.listTools();

package/scripts/test-safety-model.mjs CHANGED Viewed

@@ -1,4 +1,6 @@
 import assert from "node:assert/strict";
+import fs from "node:fs";
+import os from "node:os";
 import { fileURLToPath } from "node:url";
 import path from "node:path";
 import { Client } from "@modelcontextprotocol/sdk/client/index.js";
@@ -21,10 +23,13 @@ const writeTools = [
   "update_transaction",
   "delete_transaction",
   "update_transactions",
+  "approve_transactions",
+  "reassign_payee_transactions",
   "import_transactions",
   "create_scheduled_transaction",
   "update_scheduled_transaction",
   "delete_scheduled_transaction",
+  "ynab_write_tool_execute",
 ];
 const requiredReadTools = [
@@ -44,6 +49,7 @@ function buildEnv(overrides = {}) {
   );
   env.YNAB_API_TOKEN = "test-token-for-list-tools";
   env.YNAB_RATE_LIMIT_PER_HOUR = "0";
+  env.YNAB_DISABLE_AGENT_CONFIG_FALLBACK = "1";
   for (const [key, value] of Object.entries(overrides)) {
     if (value === undefined) {
@@ -56,7 +62,7 @@ function buildEnv(overrides = {}) {
   return env;
 }
-async function listTools(overrides = {}) {
+async function withTestClient(overrides, callback) {
   const client = new Client({
     name: "ynab-safety-model-test",
     version: "1.0.0",
@@ -72,18 +78,51 @@ async function listTools(overrides = {}) {
   try {
     await client.connect(transport);
-    const response = await client.listTools();
-    return response.tools;
+    return await callback(client);
   } finally {
     await client.close();
   }
 }
+async function listTools(overrides = {}) {
+  return withTestClient(overrides, async (client) => {
+    const response = await client.listTools();
+    return response.tools;
+  });
+}
+async function callJsonTool(name, overrides = {}, input = {}) {
+  return withTestClient(overrides, async (client) => {
+    const response = await client.callTool({ name, arguments: input });
+    const textItem = response.content?.find((item) => item.type === "text" && item.text);
+    assert.ok(textItem, `${name} returned text content`);
+    return {
+      isError: !!response.isError,
+      payload: JSON.parse(textItem.text),
+    };
+  });
+}
+function tempHome() {
+  return fs.mkdtempSync(path.join(os.tmpdir(), "ynab-mcp-safety-"));
+}
 const readOnlyTools = await listTools({ YNAB_ALLOW_WRITES: undefined });
 const readOnlyNames = new Set(readOnlyTools.map((tool) => tool.name));
+const readOnlyToolsByName = new Map(readOnlyTools.map((tool) => [tool.name, tool]));
+const discoveryOnlyTools = await listTools({
+  YNAB_API_TOKEN: undefined,
+  YNAB_API_TOKEN_FILE: undefined,
+  YNAB_OP_PATH: undefined,
+  YNAB_BUDGET_ID: undefined,
+  YNAB_ALLOW_WRITES: undefined,
+});
+const discoveryOnlyNames = new Set(discoveryOnlyTools.map((tool) => tool.name));
 for (const name of requiredReadTools) {
   assert.ok(readOnlyNames.has(name), `expected read tool ${name} to be available by default`);
+  assert.ok(discoveryOnlyNames.has(name), `expected read tool ${name} to be discoverable without auth`);
 }
 for (const name of writeTools) {
@@ -98,6 +137,11 @@ for (const tool of readOnlyTools) {
   );
 }
+assert.ok(
+  readOnlyToolsByName.get("get_transactions")?.inputSchema?.properties?.untilDate,
+  "expected get_transactions to expose untilDate for YNAB API v1.85 transaction listings",
+);
 const writableTools = await listTools({ YNAB_ALLOW_WRITES: "1" });
 const writableNames = new Set(writableTools.map((tool) => tool.name));
@@ -125,4 +169,89 @@ assert.equal(
   "expected delete_scheduled_transaction to be annotated destructive",
 );
+function requiresConfirmedTrue(tool) {
+  const schema = tool?.inputSchema || {};
+  const confirmed = schema.properties?.confirmed;
+  return Array.isArray(schema.required)
+    && schema.required.includes("confirmed")
+    && (confirmed?.const === true || confirmed?.enum?.includes(true));
+}
+for (const name of ["approve_transactions", "reassign_payee_transactions", "ynab_write_tool_execute"]) {
+  assert.ok(
+    requiresConfirmedTrue(destructiveTools.get(name)),
+    `expected ${name} to require confirmed:true in its input schema`,
+  );
+}
+{
+  const home = tempHome();
+  fs.mkdirSync(path.join(home, ".codex"), { recursive: true });
+  fs.writeFileSync(path.join(home, ".codex", "config.toml"), [
+    "[shell_environment_policy.set]",
+    "YNAB_API_TOKEN = \"codex-config-token\"",
+    "YNAB_BUDGET_ID = \"codex-budget-id\"",
+    "YNAB_ALLOW_WRITES = \"1\"",
+    "",
+  ].join("\n"));
+  const { payload } = await callJsonTool("ynab_auth_status", {
+    HOME: home,
+    YNAB_API_TOKEN: undefined,
+    YNAB_API_TOKEN_FILE: undefined,
+    YNAB_OP_PATH: undefined,
+    YNAB_BUDGET_ID: undefined,
+    YNAB_ALLOW_WRITES: undefined,
+    YNAB_DISABLE_AGENT_CONFIG_FALLBACK: undefined,
+  });
+  assert.equal(payload.authenticated, true, "expected Codex config fallback token to authenticate");
+  assert.equal(payload.credential_source, "codex_shell_environment");
+  assert.equal(payload.default_budget_id_configured, true);
+  assert.equal(payload.writes_enabled, true);
+}
+{
+  const home = tempHome();
+  fs.mkdirSync(path.join(home, ".claude"), { recursive: true });
+  fs.writeFileSync(path.join(home, ".claude", "settings.json"), JSON.stringify({
+    env: {
+      YNAB_API_TOKEN: "claude-settings-token",
+      YNAB_BUDGET_ID: "claude-budget-id",
+    },
+  }));
+  const { payload } = await callJsonTool("ynab_auth_status", {
+    HOME: home,
+    YNAB_API_TOKEN: undefined,
+    YNAB_API_TOKEN_FILE: undefined,
+    YNAB_OP_PATH: undefined,
+    YNAB_BUDGET_ID: undefined,
+    YNAB_ALLOW_WRITES: undefined,
+    YNAB_DISABLE_AGENT_CONFIG_FALLBACK: undefined,
+  });
+  assert.equal(payload.authenticated, true, "expected Claude settings fallback token to authenticate");
+  assert.equal(payload.credential_source, "claude_settings_env");
+  assert.equal(payload.default_budget_id_configured, true);
+}
+{
+  const home = tempHome();
+  const { isError, payload } = await callJsonTool("get_user", {
+    HOME: home,
+    YNAB_API_TOKEN: undefined,
+    YNAB_API_TOKEN_FILE: undefined,
+    YNAB_OP_PATH: undefined,
+    YNAB_BUDGET_ID: undefined,
+    YNAB_ALLOW_WRITES: undefined,
+    YNAB_DISABLE_AGENT_CONFIG_FALLBACK: undefined,
+  });
+  assert.equal(isError, true, "expected missing credentials to fail before YNAB API call");
+  assert.equal(payload.error, "missing_credentials");
+  assert.equal(payload.auth.authenticated, false);
+  assert.ok(payload.auth.setup.prompt_for_agent.includes("password manager"));
+}
 console.log("Safety model checks passed");