@starasia/task-management-mcp 1.0.0 → 1.0.2

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
package/README.md CHANGED
@@ -1,148 +1,99 @@
1
1
  # Task Management MCP
2
2
 
3
- MCP server for Star Perkasa Technology Task Management API.
3
+ MCP server for Star Perkasa Technology Task Management.
4
4
 
5
- The server exposes read tools, dry-run-first write tools, and monitoring/reporting tools for spaces, projects, and tasks. It does **not** store a global user token in environment variables. Authorization is session-based: the AI agent must ask the active user for their bearer token, user id, and organization id, then call `set_auth_context` before using task tools.
5
+ Package ini membantu AI agent membaca, membuat, memperbarui, memantau, dan merangkum task melalui Task Management API dengan permission sesuai user aktif.
6
+
7
+ Server ini tidak menyimpan token global. Akses API memakai auth context runtime yang diberikan oleh user aktif melalui tool MCP.
6
8
 
7
9
  ## Requirements
8
10
 
9
11
  - Node.js 20+
10
- - Running `task-management-api`
11
- - A user-provided auth context at runtime:
12
- - bearer token
13
- - user id
14
- - organization id
12
+ - Access to a running Starasia Task Management API instance
15
13
 
16
- ## Package
14
+ ## Features
17
15
 
18
- Published package name:
16
+ - List spaces, projects, project members, workflow statuses, and tasks
17
+ - Get project and task detail
18
+ - Create single or bulk tasks
19
+ - Update task fields, status, and assignees
20
+ - Monitor overdue and stale tasks
21
+ - Summarize project progress, workload, and work reports
22
+ - Dry-run-first write tools for safer agent workflows
19
23
 
20
- ```text
21
- @starasia/task-management-mcp
22
- ```
24
+ ## Install
23
25
 
24
- Install from npm after a release lands on `main`:
26
+ Install global:
25
27
 
26
28
  ```bash
27
29
  npm install -g @starasia/task-management-mcp
28
30
  ```
29
31
 
30
- ## Install from source
32
+ Run manually for smoke test:
31
33
 
32
34
  ```bash
33
- npm install
34
- npm run build
35
+ task-management-mcp
35
36
  ```
36
37
 
37
- ## Runtime configuration
38
+ Or run without global install:
38
39
 
39
- Only non-user runtime settings should be configured as environment variables:
40
-
41
- ```text
42
- TASK_MANAGEMENT_API_BASE_URL=http://localhost:3000
43
- TASK_MANAGEMENT_TIMEOUT_MS=30000
44
- TASK_MANAGEMENT_MAX_BULK_SIZE=50
45
- TASK_MANAGEMENT_AUTH_TTL_MS=28800000
40
+ ```bash
41
+ npx -y @starasia/task-management-mcp
46
42
  ```
47
43
 
48
- Do **not** configure these as server env values:
44
+ ## Claude Code
45
+
46
+ Install global lalu daftarkan ke Claude Code:
49
47
 
50
- ```text
51
- TASK_MANAGEMENT_API_TOKEN
52
- TASK_MANAGEMENT_USER_ID
53
- TASK_MANAGEMENT_ORGANIZATION_ID
48
+ ```bash
49
+ npm install -g @starasia/task-management-mcp
50
+ claude mcp add --scope user task-management -- task-management-mcp
54
51
  ```
55
52
 
56
- Those values are user identity and permission context. The AI agent must request them from the user at runtime and call `set_auth_context`. `userId` is derived from the bearer token JWT `sub` claim, so it should not be configured as a server env value.
53
+ Alternatif tanpa install global:
57
54
 
58
- ## Hermes stdio config
55
+ ```bash
56
+ claude mcp add --scope user task-management -- npx -y @starasia/task-management-mcp
57
+ ```
59
58
 
60
- ```yaml
61
- mcp_servers:
62
- task_management_dev:
63
- command: "npx"
64
- args: ["-y", "@starasia/task-management-mcp"]
65
- env:
66
- TASK_MANAGEMENT_API_BASE_URL: "https://dev-task-management-api.example.com"
59
+ Verifikasi:
67
60
 
68
- task_management_prod:
69
- command: "npx"
70
- args: ["-y", "@starasia/task-management-mcp"]
71
- env:
72
- TASK_MANAGEMENT_API_BASE_URL: "https://task-management-api.example.com"
61
+ ```bash
62
+ claude mcp list
63
+ claude mcp get task-management
73
64
  ```
74
65
 
75
- With two MCP instances, tools are clearly separated by environment. The exact rendered tool names depend on the host. Hermes usually prefixes them by server name; Claude Code and Codex use their own MCP tool naming conventions.
66
+ ## Codex CLI
76
67
 
77
- ## Claude Code / Codex MCP config
68
+ Quick command:
78
69
 
79
- Use the same stdio command shape. Example:
80
-
81
- ```json
82
- {
83
- "mcpServers": {
84
- "task-management-dev": {
85
- "command": "npx",
86
- "args": ["-y", "@starasia/task-management-mcp"],
87
- "env": {
88
- "TASK_MANAGEMENT_API_BASE_URL": "https://dev-task-management-api.example.com"
89
- }
90
- },
91
- "task-management-prod": {
92
- "command": "npx",
93
- "args": ["-y", "@starasia/task-management-mcp"],
94
- "env": {
95
- "TASK_MANAGEMENT_API_BASE_URL": "https://task-management-api.example.com"
96
- }
97
- }
98
- }
99
- }
70
+ ```bash
71
+ codex mcp add task-management --command npx --args -y --args @starasia/task-management-mcp
100
72
  ```
101
73
 
102
- ## Auth flow for AI agents
103
-
104
- Before calling any task/space/project tool, the agent should:
74
+ Fallback via `~/.codex/config.toml`:
105
75
 
106
- 1. Call `get_auth_context_status`.
107
- 2. If `configured` is false, ask the active user for:
108
- - bearer token
109
- - organization id
110
- 3. Call `set_auth_context`:
111
-
112
- ```json
113
- {
114
- "bearerToken": "user-supplied-jwt-access-token",
115
- "organizationId": "organization-id",
116
- "environment": "dev",
117
- "validate": true
118
- }
76
+ ```toml
77
+ [mcp_servers.task_management]
78
+ command = "npx"
79
+ args = ["-y", "@starasia/task-management-mcp"]
119
80
  ```
120
81
 
121
- `set_auth_context` decodes the bearer token JWT payload and uses the `sub` claim as `userId`. If the token is not a JWT or does not contain a string `sub`, pass `userId` explicitly as an override:
82
+ ## JSON MCP Config
83
+
84
+ Untuk client lain yang memakai format JSON `mcpServers`:
122
85
 
123
86
  ```json
124
87
  {
125
- "bearerToken": "user-supplied-token",
126
- "userId": "explicit-user-id",
127
- "organizationId": "organization-id",
128
- "validate": true
88
+ "mcpServers": {
89
+ "task-management": {
90
+ "command": "npx",
91
+ "args": ["-y", "@starasia/task-management-mcp"]
92
+ }
93
+ }
129
94
  }
130
95
  ```
131
96
 
132
- `set_auth_context` validates the token with `GET /spaces` by default, stores the context only in the MCP process memory, and returns a masked status. It never returns the token. The context expires after `TASK_MANAGEMENT_AUTH_TTL_MS` milliseconds, default 8 hours.
133
-
134
- Important security note: for broad Claude Code / Codex compatibility, the bearer token is passed as a tool argument. That means it may transit the host application's conversation or debug surface before it reaches the MCP. Users should only provide tokens in trusted local agent sessions, prefer short-lived tokens, and call `clear_auth_context` when done.
135
-
136
- For separate dev/prod MCP instances, call `set_auth_context` separately on each instance because each process has its own in-memory session.
137
-
138
- When the user is done, call:
139
-
140
- ```text
141
- clear_auth_context
142
- ```
143
-
144
- If a tool is called before auth is configured, the MCP returns an error instructing the agent to ask the user for bearer token and organization id, then call `set_auth_context`. `userId` is derived from the token JWT `sub` claim unless an explicit override is provided.
145
-
146
97
  ## Tools
147
98
 
148
99
  ### Auth/session
@@ -165,17 +116,17 @@ If a tool is called before auth is configured, the MCP returns an error instruct
165
116
 
166
117
  ### Write tools
167
118
 
168
- Write tools default to `dryRun: true`. Set `dryRun: false` to execute.
119
+ Write tools default to `dryRun: true`. Set `dryRun: false` only when the user has approved the action.
169
120
 
170
121
  - `create_task`
171
122
  - `bulk_create_tasks`
172
123
  - `update_task`
173
124
  - `change_task_status`
174
- - `assign_task` — add assignees using numeric `ProjectMember.id` values
175
- - `unassign_task` — remove one assignee using numeric `ProjectMember.id`
176
- - `replace_task_assignees` — make the assignee set exactly match the provided `projectMemberIds`
125
+ - `assign_task`
126
+ - `unassign_task`
127
+ - `replace_task_assignees`
177
128
 
178
- `create_task.createdBy`, `assign_task.assignedBy`, and `replace_task_assignees.assignedBy` default to the active auth `userId` when omitted.
129
+ Assignee tools use project member ids from `list_project_members`.
179
130
 
180
131
  ### Monitoring/reporting
181
132
 
@@ -184,47 +135,28 @@ Write tools default to `dryRun: true`. Set `dryRun: false` to execute.
184
135
  - `workload_by_user`
185
136
  - `generate_work_report`
186
137
 
187
- ## API assumptions found from `task-management-api`
138
+ ## Auth model
188
139
 
189
- - Spaces are exposed at `GET /spaces`.
190
- - Projects are scoped by space: `/spaces/:spaceId/projects`.
191
- - Tasks are scoped by project: `/projects/:projectId/tasks`.
192
- - Cross-project task list is `GET /my-tasks` with `scope=me|all`.
193
- - The MCP forwards `Authorization`, `X-User-Id`, and `X-Organization-Id` from the active auth context.
194
- - Task creation currently requires `createdBy`; assignment uses numeric `ProjectMember.id` values.
140
+ Before using task tools, the agent should check whether an auth context is configured. If not, it should ask the active user for the required runtime credentials and call `set_auth_context`.
195
141
 
196
- ## Safety model
142
+ The MCP keeps auth context in process memory only, returns masked auth status, and never returns the bearer token from any tool.
197
143
 
198
- - User identity and bearer token are supplied at runtime, not baked into env.
199
- - Auth context is held in process memory only and expires by `TASK_MANAGEMENT_AUTH_TTL_MS`.
200
- - `get_auth_context_status` masks the token and only returns `hasToken: true/false`.
201
- - The API URL cannot be overridden by `set_auth_context`; it comes from the MCP instance env to avoid bearer-token exfiltration to arbitrary hosts.
202
- - For compatibility with Claude Code and Codex, the token is passed through the MCP tool call surface. Use trusted local sessions and short-lived tokens where possible.
203
- - Read tools require an active auth context.
204
- - Write tools are dry-run by default.
205
- - Bulk create has a configurable limit (`TASK_MANAGEMENT_MAX_BULK_SIZE`, default 50).
206
- - `bulk_create_tasks` can skip existing tasks by exact normalized title (`idempotency: "title"`).
207
- - The MCP does not bypass application permissions; it only calls HTTP endpoints with the active user's auth context.
144
+ Call `clear_auth_context` when the session is done.
145
+
146
+ ## Safety notes
147
+
148
+ - The MCP does not bypass application permissions.
149
+ - All API actions are performed using the active user's permission context.
150
+ - Write tools use dry-run mode by default.
151
+ - Bulk task creation supports idempotency by normalized title.
152
+ - Use this MCP only in trusted local agent sessions.
208
153
 
209
154
  ## Development
210
155
 
211
156
  ```bash
157
+ npm test
212
158
  npm run typecheck
213
159
  npm run lint
214
- npm test
215
160
  npm run build
216
161
  npm run pack:check
217
162
  ```
218
-
219
- ## CI/CD
220
-
221
- - `CI` runs on pull requests to `main`/`dev`, pushes to `dev`, and manual dispatch.
222
- - `CI` uses GitHub Environment `development` for Discord notification only.
223
- - `Release and Notify` runs on pushes to `main` and manual dispatch.
224
- - Release workflow validates typecheck, lint, test, build, and `npm pack --dry-run` before publishing.
225
- - Publish is skipped when the package version already exists on npm.
226
- - Required development secrets:
227
- - `DISCORD_WEBHOOK_URL`
228
- - Required production secrets:
229
- - `NPM_TOKEN`
230
- - `DISCORD_WEBHOOK_URL` (notification)
package/dist/config.js CHANGED
@@ -1,9 +1,11 @@
1
1
  import { z } from "zod";
2
+ import { BUILD_TASK_MANAGEMENT_API_BASE_URL } from "./generated-config.js";
3
+ const DEFAULT_TASK_MANAGEMENT_API_BASE_URL = BUILD_TASK_MANAGEMENT_API_BASE_URL || "http://localhost:3000";
2
4
  const envSchema = z.object({
3
5
  TASK_MANAGEMENT_API_BASE_URL: z
4
6
  .string()
5
7
  .url()
6
- .default("http://localhost:3000"),
8
+ .default(DEFAULT_TASK_MANAGEMENT_API_BASE_URL),
7
9
  TASK_MANAGEMENT_TIMEOUT_MS: z.coerce
8
10
  .number()
9
11
  .int()
@@ -1 +1 @@
1
- {"version":3,"file":"config.js","sourceRoot":"","sources":["../src/config.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,CAAC,EAAE,MAAM,KAAK,CAAC;AAExB,MAAM,SAAS,GAAG,CAAC,CAAC,MAAM,CAAC;IACzB,4BAA4B,EAAE,CAAC;SAC5B,MAAM,EAAE;SACR,GAAG,EAAE;SACL,OAAO,CAAC,uBAAuB,CAAC;IACnC,0BAA0B,EAAE,CAAC,CAAC,MAAM;SACjC,MAAM,EAAE;SACR,GAAG,EAAE;SACL,QAAQ,EAAE;SACV,OAAO,CAAC,MAAM,CAAC;IAClB,6BAA6B,EAAE,CAAC,CAAC,MAAM,CAAC,MAAM,EAAE,CAAC,GAAG,EAAE,CAAC,QAAQ,EAAE,CAAC,OAAO,CAAC,EAAE,CAAC;IAC7E,2BAA2B,EAAE,CAAC,CAAC,MAAM;SAClC,MAAM,EAAE;SACR,GAAG,EAAE;SACL,QAAQ,EAAE;SACV,OAAO,CAAC,CAAC,GAAG,EAAE,GAAG,EAAE,GAAG,IAAI,CAAC;CAC/B,CAAC,CAAC;AAIH,MAAM,UAAU,UAAU,CAAC,GAAG,GAAG,OAAO,CAAC,GAAG;IAC1C,OAAO,SAAS,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC;AAC9B,CAAC"}
1
+ {"version":3,"file":"config.js","sourceRoot":"","sources":["../src/config.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,CAAC,EAAE,MAAM,KAAK,CAAC;AAExB,OAAO,EAAE,kCAAkC,EAAE,MAAM,uBAAuB,CAAC;AAE3E,MAAM,oCAAoC,GACxC,kCAAkC,IAAI,uBAAuB,CAAC;AAEhE,MAAM,SAAS,GAAG,CAAC,CAAC,MAAM,CAAC;IACzB,4BAA4B,EAAE,CAAC;SAC5B,MAAM,EAAE;SACR,GAAG,EAAE;SACL,OAAO,CAAC,oCAAoC,CAAC;IAChD,0BAA0B,EAAE,CAAC,CAAC,MAAM;SACjC,MAAM,EAAE;SACR,GAAG,EAAE;SACL,QAAQ,EAAE;SACV,OAAO,CAAC,MAAM,CAAC;IAClB,6BAA6B,EAAE,CAAC,CAAC,MAAM,CAAC,MAAM,EAAE,CAAC,GAAG,EAAE,CAAC,QAAQ,EAAE,CAAC,OAAO,CAAC,EAAE,CAAC;IAC7E,2BAA2B,EAAE,CAAC,CAAC,MAAM;SAClC,MAAM,EAAE;SACR,GAAG,EAAE;SACL,QAAQ,EAAE;SACV,OAAO,CAAC,CAAC,GAAG,EAAE,GAAG,EAAE,GAAG,IAAI,CAAC;CAC/B,CAAC,CAAC;AAIH,MAAM,UAAU,UAAU,CAAC,GAAG,GAAG,OAAO,CAAC,GAAG;IAC1C,OAAO,SAAS,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC;AAC9B,CAAC"}
@@ -0,0 +1 @@
1
+ export declare const BUILD_TASK_MANAGEMENT_API_BASE_URL = "https://task-management-api-323393867185.asia-southeast2.run.app";
@@ -0,0 +1,4 @@
1
+ // This file is generated by scripts/generate-build-config.mjs.
2
+ // BUILD_TASK_MANAGEMENT_API_BASE_URL is injected by CI for published builds.
3
+ export const BUILD_TASK_MANAGEMENT_API_BASE_URL = "https://task-management-api-323393867185.asia-southeast2.run.app";
4
+ //# sourceMappingURL=generated-config.js.map
@@ -0,0 +1 @@
1
+ {"version":3,"file":"generated-config.js","sourceRoot":"","sources":["../src/generated-config.ts"],"names":[],"mappings":"AAAA,+DAA+D;AAC/D,6EAA6E;AAC7E,MAAM,CAAC,MAAM,kCAAkC,GAAG,kEAAkE,CAAC"}
package/package.json CHANGED
@@ -1,6 +1,6 @@
1
1
  {
2
2
  "name": "@starasia/task-management-mcp",
3
- "version": "1.0.0",
3
+ "version": "1.0.2",
4
4
  "private": false,
5
5
  "type": "module",
6
6
  "description": "MCP server for Star Perkasa Technology Task Management API",
@@ -34,7 +34,7 @@
34
34
  },
35
35
  "scripts": {
36
36
  "test": "vitest run",
37
- "build": "tsc",
37
+ "build": "node scripts/generate-build-config.mjs && tsc",
38
38
  "dev": "tsx src/index.ts",
39
39
  "typecheck": "tsc --noEmit",
40
40
  "lint": "eslint src --ext .ts",