@tenonhq/dovetail-mcp 0.0.2 → 0.0.5

package/README.md

@@ -1,8 +1,15 @@
 # @tenonhq/dovetail-mcp
 
-MCP server exposing **read-only** ClickUp / Gmail / Google Calendar / ServiceNow
-tools backed by the existing Dovetail integration packages. Phase 1 — write
-operations are deliberately out of scope (see PRD).
+MCP server exposing read tools for ClickUp / Gmail / Google Calendar / ServiceNow
+plus **gated Phase-2 ClickUp writes**, backed by the existing Dovetail
+integration packages. Gmail / Calendar / ServiceNow remain read-only.
+
+ClickUp writes are gated by the **operator-controlled** `SINC_MCP_WRITES_ENABLE=1`
+env flag — off by default, the server cannot write at all. When the flag is on,
+each write call also requires `confirm:true`; without it the tool returns a
+dry-run preview. `confirm:true` is a preview/speed-bump (the calling agent can
+set it itself), not a human-in-the-loop checkpoint — the env flag is the real
+boundary.
 
 ## Install
 
@@ -32,16 +39,18 @@ clear "not configured" error.
 | `SINC_MCP_SN_TABLE_OVERRIDE`| Allow specific denied tables (comma-separated) |
 | `SINC_MCP_TELEMETRY_DISABLE`| `1`/`true` to skip telemetry writes |
 | `SINC_MCP_TELEMETRY_PATH`   | Override `~/.dovetail-mcp/telemetry.jsonl` |
+| `SINC_MCP_WRITES_ENABLE`    | `1` to enable the gated ClickUp write tools (off by default) |
 
 > **OAuth scope warning:** Dovetail's existing Google refresh tokens are
 > issued with **write-capable** scopes (`gmail.modify`, `calendar`).
-> dovetail-mcp enforces read-only at the handler level (we never import the
-> upstream write functions and ESLint blocks new such imports), but the token
-> itself can write Gmail/Calendar. Re-running `dovetail-google-auth` setup
+> dovetail-mcp never imports Gmail/Calendar write functions (ESLint + the static
+> scan block them), so it cannot write Gmail/Calendar even though the token
+> could. (ClickUp writes are the one allowed write surface — see below.)
+> Re-running `dovetail-google-auth` setup
 > with `gmail.readonly` + `calendar.readonly` scopes is recommended for
 > defence-in-depth and is tracked separately.
 
-## Tools (12)
+## Tools (16)
 
 | Tool                            | Purpose                                        |
 |---------------------------------|------------------------------------------------|
@@ -49,6 +58,10 @@ clear "not configured" error.
 | `clickup_get_task`              | Fetch a single task by ID                      |
 | `clickup_search_tasks`          | Substring search across team tasks             |
 | `clickup_get_team_sync`         | 7-stage pipeline JSON (Blocked → Ready for Release) |
+| `clickup_update_task` 🔒        | **Gated write** — update name/markdown/status/priority |
+| `clickup_set_custom_field` 🔒   | **Gated write** — set one custom-field value   |
+| `clickup_create_task` 🔒        | **Gated write** — create a task in a list      |
+| `clickup_link_tasks` 🔒         | **Gated write** — link two tasks               |
 | `gmail_get_unread`              | Unread inbox emails                            |
 | `gmail_get_starred`             | Starred emails                                 |
 | `gmail_search`                  | Gmail query syntax                             |
@@ -62,6 +75,14 @@ ServiceNow deny-list (default): `sys_user_password`, `sys_user_token`,
 `sys_credential`, `sys_secret`, `sys_user_grmember`, `sys_audit`. Override
 per-table with `SINC_MCP_SN_TABLE_OVERRIDE=table_a,table_b`.
 
+🔒 **Gated writes (Phase 2).** The four ClickUp write tools are inert unless
+`SINC_MCP_WRITES_ENABLE=1` is set — that's the operator-controlled gate. When
+on, calls return a dry-run preview unless `confirm:true` is passed; the
+`confirm` flag is a preview affordance, not a human checkpoint (the calling
+agent can set it itself). Target a custom ID (e.g. `DEV-225`) with
+`customTaskIds:true` + `teamId`. Gmail, Calendar, and ServiceNow stay
+read-only.
+
 ## Run
 
 ```bash
@@ -141,19 +162,29 @@ Every tool call appends one JSON line to `~/.dovetail-mcp/telemetry.jsonl`
 Disable with `SINC_MCP_TELEMETRY_DISABLE=1`. Override the path with
 `SINC_MCP_TELEMETRY_PATH=/tmp/foo.jsonl`. Rotate manually for v1.
 
-## Read-only enforcement
+## Write-surface enforcement
 
-Three layers:
+Writes are confined to **one declared module** — `src/tools/clickup-write.ts` —
+which may use only the ClickUp write functions. Every other tool module stays
+read-only. Three layers enforce this:
 
-1. **Imports.** Tool modules import only the read functions from each upstream
-   Dovetail package; write functions are never imported.
-2. **ESLint** (`.eslintrc.json` `no-restricted-imports`) blocks import of any
-   write function from `dovetail-clickup` / `dovetail-gmail` /
-   `dovetail-google-calendar` / `dovetail-servicenow`.
+1. **Imports.** Read tool modules import only read functions; the write module
+   imports only `createTask` / `updateTask` / `setCustomField` / `linkTask`.
+2. **ESLint** (`.eslintrc.json` `no-restricted-imports`) blocks write imports
+   from `dovetail-clickup` / `dovetail-gmail` / `dovetail-google-calendar` /
+   `dovetail-servicenow`, with a scoped `overrides` entry that permits the
+   ClickUp writes **only** in `clickup-write.ts` (Gmail/Calendar/SN still banned
+   even there).
 3. **Static scan test** (`src/tests/readonly-imports.test.ts`) reads every
-   `src/tools/*.ts` and asserts no occurrence of forbidden symbols, including
-   `client.claude.*` (the ServiceNow write namespace, which can't be blocked
-   at the import level since it's a property access).
+   `src/tools/*.ts` and asserts no forbidden write symbol appears — including
+   `client.claude.*` (the ServiceNow write namespace). The lone exception is the
+   declared write module's ClickUp allowlist (`WRITE_MODULE_ALLOW`); a new file
+   cannot opt itself in.
+
+At runtime, writes are gated by the operator-controlled `SINC_MCP_WRITES_ENABLE=1`
+flag (see "Gated writes" above). A per-call `confirm:true` switches the tool
+from preview to apply; it is *not* a human checkpoint — the calling agent can
+satisfy it itself, so it functions as a preview affordance, not a second factor.
 
 ## Troubleshooting
 

package/dist/config.d.ts

@@ -24,6 +24,7 @@ export interface SincMcpConfig {
     clickup?: ClickUpConfig;
     google?: GoogleConfig;
     servicenowSafety: ServiceNowSafetyConfig;
+    writesEnabled: boolean;
 }
 export interface ConfigLoadResult {
     config: SincMcpConfig;

package/dist/config.js

@@ -41,7 +41,8 @@ function loadConfig() {
         config: {
             clickup: clickup,
             google: google,
-            servicenowSafety: loadServiceNowSafety()
+            servicenowSafety: loadServiceNowSafety(),
+            writesEnabled: process.env.SINC_MCP_WRITES_ENABLE === "1"
         },
         missing: { clickup: clickupMissing, google: googleMissing }
     };

package/dist/index.d.ts

@@ -1,8 +1,9 @@
 /**
  * @tenonhq/dovetail-mcp
  *
- * MCP server exposing read-only tools for ClickUp, Gmail, Google Calendar,
- * and ServiceNow, backed by the existing Dovetail integration packages.
+ * MCP server exposing read tools for ClickUp, Gmail, Google Calendar, and
+ * ServiceNow, plus gated Phase-2 ClickUp write tools, backed by the existing
+ * Dovetail integration packages.
  *
  * Library exports here are consumed by tests and by alternate hosts
  * (e.g. an HTTP transport in the future). The bin entry lives in server.ts.

package/dist/index.js

@@ -2,8 +2,9 @@
 /**
  * @tenonhq/dovetail-mcp
  *
- * MCP server exposing read-only tools for ClickUp, Gmail, Google Calendar,
- * and ServiceNow, backed by the existing Dovetail integration packages.
+ * MCP server exposing read tools for ClickUp, Gmail, Google Calendar, and
+ * ServiceNow, plus gated Phase-2 ClickUp write tools, backed by the existing
+ * Dovetail integration packages.
  *
  * Library exports here are consumed by tests and by alternate hosts
  * (e.g. an HTTP transport in the future). The bin entry lives in server.ts.
@@ -37,7 +38,10 @@ function buildDepsFromEnv() {
         missingDescription: missingDescription
     };
     if (loaded.config.clickup) {
-        deps.clickup = { config: loaded.config.clickup };
+        deps.clickup = {
+            config: loaded.config.clickup,
+            writesEnabled: loaded.config.writesEnabled
+        };
     }
     if (loaded.config.google) {
         deps.gmail = { config: loaded.config.google };

package/dist/registry.d.ts

@@ -13,7 +13,7 @@ import type { ClickUpDeps } from "./tools/clickup";
 import type { GmailDeps } from "./tools/gmail";
 import type { CalendarDeps } from "./tools/calendar";
 import type { ServiceNowDeps } from "./tools/servicenow";
-export declare var TOOL_NAMES: readonly ["clickup_list_tasks", "clickup_get_task", "clickup_search_tasks", "clickup_get_team_sync", "gmail_get_unread", "gmail_get_starred", "gmail_search", "gmail_get_action_required", "calendar_get_today", "calendar_get_week", "calendar_get_event", "servicenow_query_table"];
+export declare var TOOL_NAMES: readonly ["clickup_list_tasks", "clickup_get_task", "clickup_search_tasks", "clickup_get_team_sync", "clickup_update_task", "clickup_set_custom_field", "clickup_create_task", "clickup_link_tasks", "gmail_get_unread", "gmail_get_starred", "gmail_search", "gmail_get_action_required", "calendar_get_today", "calendar_get_week", "calendar_get_event", "servicenow_query_table"];
 export type ToolName = typeof TOOL_NAMES[number];
 export interface RegistryDeps {
     clickup?: ClickUpDeps;

package/dist/registry.js

@@ -19,6 +19,7 @@ const gmail_1 = require("./schemas/gmail");
 const calendar_1 = require("./schemas/calendar");
 const servicenow_1 = require("./schemas/servicenow");
 const clickup_2 = require("./tools/clickup");
+const clickup_write_1 = require("./tools/clickup-write");
 const gmail_2 = require("./tools/gmail");
 const calendar_2 = require("./tools/calendar");
 const servicenow_2 = require("./tools/servicenow");
@@ -27,6 +28,10 @@ exports.TOOL_NAMES = [
     "clickup_get_task",
     "clickup_search_tasks",
     "clickup_get_team_sync",
+    "clickup_update_task",
+    "clickup_set_custom_field",
+    "clickup_create_task",
+    "clickup_link_tasks",
     "gmail_get_unread",
     "gmail_get_starred",
     "gmail_search",
@@ -72,6 +77,38 @@ function buildDescriptors(deps) {
                 return (0, clickup_2.clickupGetTeamSync)(args, deps.clickup);
             })
         },
+        {
+            name: "clickup_update_task",
+            description: "Gated write: update a ClickUp task (name, markdownContent, status, priority). Requires SINC_MCP_WRITES_ENABLE=1; returns a dry-run preview unless confirm:true. Use customTaskIds:true + teamId to target a custom ID like DEV-225.",
+            shape: clickup_1.clickupUpdateTaskSchema.shape,
+            handler: requireConfig(clickupReady, "ClickUp", deps.missingDescription, function (args) {
+                return (0, clickup_write_1.clickupUpdateTask)(args, deps.clickup);
+            })
+        },
+        {
+            name: "clickup_set_custom_field",
+            description: "Gated write: set one custom-field value on a task (POST /task/{id}/field/{fieldId}). Requires SINC_MCP_WRITES_ENABLE=1; dry-run unless confirm:true. value shape: string for text/url, option id for drop_down, { add:[], rem:[] } for users.",
+            shape: clickup_1.clickupSetCustomFieldSchema.shape,
+            handler: requireConfig(clickupReady, "ClickUp", deps.missingDescription, function (args) {
+                return (0, clickup_write_1.clickupSetCustomField)(args, deps.clickup);
+            })
+        },
+        {
+            name: "clickup_create_task",
+            description: "Gated write: create a ClickUp task in a list (markdownContent, status, priority, assignees, customFields). Requires SINC_MCP_WRITES_ENABLE=1; dry-run unless confirm:true.",
+            shape: clickup_1.clickupCreateTaskSchema.shape,
+            handler: requireConfig(clickupReady, "ClickUp", deps.missingDescription, function (args) {
+                return (0, clickup_write_1.clickupCreateTask)(args, deps.clickup);
+            })
+        },
+        {
+            name: "clickup_link_tasks",
+            description: "Gated write: link two ClickUp tasks (POST /task/{id}/link/{linksTo}). Requires SINC_MCP_WRITES_ENABLE=1; dry-run unless confirm:true. Use customTaskIds:true + teamId for custom IDs.",
+            shape: clickup_1.clickupLinkTasksSchema.shape,
+            handler: requireConfig(clickupReady, "ClickUp", deps.missingDescription, function (args) {
+                return (0, clickup_write_1.clickupLinkTasks)(args, deps.clickup);
+            })
+        },
         {
             name: "gmail_get_unread",
             description: "Fetch unread emails from the inbox.",

package/dist/schemas/clickup.d.ts

@@ -43,3 +43,119 @@ export type ClickupListTasksInput = z.infer<typeof clickupListTasksSchema>;
 export type ClickupGetTaskInput = z.infer<typeof clickupGetTaskSchema>;
 export type ClickupSearchTasksInput = z.infer<typeof clickupSearchTasksSchema>;
 export type ClickupGetTeamSyncInput = z.infer<typeof clickupGetTeamSyncSchema>;
+export declare var clickupUpdateTaskSchema: z.ZodObject<{
+    taskId: z.ZodString;
+    name: z.ZodOptional<z.ZodString>;
+    markdownContent: z.ZodOptional<z.ZodString>;
+    status: z.ZodOptional<z.ZodString>;
+    priority: z.ZodOptional<z.ZodNumber>;
+    customTaskIds: z.ZodOptional<z.ZodBoolean>;
+    teamId: z.ZodOptional<z.ZodString>;
+    confirm: z.ZodOptional<z.ZodBoolean>;
+}, "strict", z.ZodTypeAny, {
+    taskId: string;
+    name?: string | undefined;
+    priority?: number | undefined;
+    status?: string | undefined;
+    confirm?: boolean | undefined;
+    teamId?: string | undefined;
+    markdownContent?: string | undefined;
+    customTaskIds?: boolean | undefined;
+}, {
+    taskId: string;
+    name?: string | undefined;
+    priority?: number | undefined;
+    status?: string | undefined;
+    confirm?: boolean | undefined;
+    teamId?: string | undefined;
+    markdownContent?: string | undefined;
+    customTaskIds?: boolean | undefined;
+}>;
+export declare var clickupSetCustomFieldSchema: z.ZodObject<{
+    taskId: z.ZodString;
+    fieldId: z.ZodString;
+    value: z.ZodUnknown;
+    customTaskIds: z.ZodOptional<z.ZodBoolean>;
+    teamId: z.ZodOptional<z.ZodString>;
+    confirm: z.ZodOptional<z.ZodBoolean>;
+}, "strict", z.ZodTypeAny, {
+    taskId: string;
+    fieldId: string;
+    value?: unknown;
+    confirm?: boolean | undefined;
+    teamId?: string | undefined;
+    customTaskIds?: boolean | undefined;
+}, {
+    taskId: string;
+    fieldId: string;
+    value?: unknown;
+    confirm?: boolean | undefined;
+    teamId?: string | undefined;
+    customTaskIds?: boolean | undefined;
+}>;
+export declare var clickupCreateTaskSchema: z.ZodObject<{
+    listId: z.ZodString;
+    name: z.ZodString;
+    markdownContent: z.ZodOptional<z.ZodString>;
+    status: z.ZodOptional<z.ZodString>;
+    priority: z.ZodOptional<z.ZodNumber>;
+    assignees: z.ZodOptional<z.ZodArray<z.ZodNumber, "many">>;
+    customFields: z.ZodOptional<z.ZodArray<z.ZodObject<{
+        id: z.ZodString;
+        value: z.ZodUnknown;
+    }, "strip", z.ZodTypeAny, {
+        id: string;
+        value?: unknown;
+    }, {
+        id: string;
+        value?: unknown;
+    }>, "many">>;
+    confirm: z.ZodOptional<z.ZodBoolean>;
+}, "strict", z.ZodTypeAny, {
+    name: string;
+    listId: string;
+    priority?: number | undefined;
+    status?: string | undefined;
+    confirm?: boolean | undefined;
+    markdownContent?: string | undefined;
+    assignees?: number[] | undefined;
+    customFields?: {
+        id: string;
+        value?: unknown;
+    }[] | undefined;
+}, {
+    name: string;
+    listId: string;
+    priority?: number | undefined;
+    status?: string | undefined;
+    confirm?: boolean | undefined;
+    markdownContent?: string | undefined;
+    assignees?: number[] | undefined;
+    customFields?: {
+        id: string;
+        value?: unknown;
+    }[] | undefined;
+}>;
+export declare var clickupLinkTasksSchema: z.ZodObject<{
+    taskId: z.ZodString;
+    linksTo: z.ZodString;
+    customTaskIds: z.ZodOptional<z.ZodBoolean>;
+    teamId: z.ZodOptional<z.ZodString>;
+    confirm: z.ZodOptional<z.ZodBoolean>;
+}, "strict", z.ZodTypeAny, {
+    taskId: string;
+    linksTo: string;
+    confirm?: boolean | undefined;
+    teamId?: string | undefined;
+    customTaskIds?: boolean | undefined;
+}, {
+    taskId: string;
+    linksTo: string;
+    confirm?: boolean | undefined;
+    teamId?: string | undefined;
+    customTaskIds?: boolean | undefined;
+}>;
+export type ClickupUpdateTaskInput = z.infer<typeof clickupUpdateTaskSchema>;
+export type ClickupSetCustomFieldInput = z.infer<typeof clickupSetCustomFieldSchema>;
+export type ClickupCreateTaskInput = z.infer<typeof clickupCreateTaskSchema>;
+export type ClickupLinkTasksInput = z.infer<typeof clickupLinkTasksSchema>;

package/dist/schemas/clickup.js

@@ -1,6 +1,6 @@
 "use strict";
 Object.defineProperty(exports, "__esModule", { value: true });
-exports.clickupGetTeamSyncSchema = exports.clickupSearchTasksSchema = exports.clickupGetTaskSchema = exports.clickupListTasksSchema = void 0;
+exports.clickupLinkTasksSchema = exports.clickupCreateTaskSchema = exports.clickupSetCustomFieldSchema = exports.clickupUpdateTaskSchema = exports.clickupGetTeamSyncSchema = exports.clickupSearchTasksSchema = exports.clickupGetTaskSchema = exports.clickupListTasksSchema = void 0;
 const zod_1 = require("zod");
 exports.clickupListTasksSchema = zod_1.z.object({
     teamId: zod_1.z.string().min(1).optional(),
@@ -18,3 +18,45 @@ exports.clickupSearchTasksSchema = zod_1.z.object({
 exports.clickupGetTeamSyncSchema = zod_1.z.object({
     teamId: zod_1.z.string().min(1).optional()
 }).strict();
+// --- Phase-2 gated write schemas ---
+// Every write carries an optional confirm flag. Without confirm:true the tool
+// returns a dry-run preview; with it, the write executes. customTaskIds:true
+// treats taskId as a custom ID (e.g. "DEV-225") and requires teamId — that
+// cross-field rule is enforced in clickup-write.ts (it can't live on the
+// schema because the MCP SDK consumes .shape, which a ZodEffects from
+// .refine() doesn't expose).
+exports.clickupUpdateTaskSchema = zod_1.z.object({
+    taskId: zod_1.z.string().min(1),
+    name: zod_1.z.string().min(1).optional(),
+    markdownContent: zod_1.z.string().optional(),
+    status: zod_1.z.string().min(1).optional(),
+    priority: zod_1.z.number().int().min(1).max(4).optional(),
+    customTaskIds: zod_1.z.boolean().optional(),
+    teamId: zod_1.z.string().min(1).optional(),
+    confirm: zod_1.z.boolean().optional()
+}).strict();
+exports.clickupSetCustomFieldSchema = zod_1.z.object({
+    taskId: zod_1.z.string().min(1),
+    fieldId: zod_1.z.string().min(1),
+    value: zod_1.z.unknown(),
+    customTaskIds: zod_1.z.boolean().optional(),
+    teamId: zod_1.z.string().min(1).optional(),
+    confirm: zod_1.z.boolean().optional()
+}).strict();
+exports.clickupCreateTaskSchema = zod_1.z.object({
+    listId: zod_1.z.string().min(1),
+    name: zod_1.z.string().min(1),
+    markdownContent: zod_1.z.string().optional(),
+    status: zod_1.z.string().min(1).optional(),
+    priority: zod_1.z.number().int().min(1).max(4).optional(),
+    assignees: zod_1.z.array(zod_1.z.number()).optional(),
+    customFields: zod_1.z.array(zod_1.z.object({ id: zod_1.z.string().min(1), value: zod_1.z.unknown() })).optional(),
+    confirm: zod_1.z.boolean().optional()
+}).strict();
+exports.clickupLinkTasksSchema = zod_1.z.object({
+    taskId: zod_1.z.string().min(1),
+    linksTo: zod_1.z.string().min(1),
+    customTaskIds: zod_1.z.boolean().optional(),
+    teamId: zod_1.z.string().min(1).optional(),
+    confirm: zod_1.z.boolean().optional()
+}).strict();

package/dist/tools/clickup-write.d.ts

@@ -0,0 +1,20 @@
+/**
+ * ClickUp gated write tools (Phase 2).
+ *
+ * This is the ONE declared write module. It is the single exception in
+ * tests/readonly-imports.test.ts and .eslintrc.json — every OTHER tool module
+ * must remain read-only.
+ *
+ * Gating:
+ *   1. Operator gate: deps.writesEnabled (SINC_MCP_WRITES_ENABLE=1), else
+ *      refuse. This is the only boundary an autonomous agent cannot self-flip.
+ *   2. Preview affordance: confirm:true in the args, else return a dry-run.
+ *      The calling agent can set confirm itself — this is a preview/speed-bump,
+ *      NOT a human-in-the-loop checkpoint.
+ */
+import { ClickUpDeps } from "./clickup";
+import { ClickupUpdateTaskInput, ClickupSetCustomFieldInput, ClickupCreateTaskInput, ClickupLinkTasksInput } from "../schemas/clickup";
+export declare function clickupUpdateTask(args: ClickupUpdateTaskInput, deps: ClickUpDeps): Promise<any>;
+export declare function clickupSetCustomField(args: ClickupSetCustomFieldInput, deps: ClickUpDeps): Promise<any>;
+export declare function clickupCreateTask(args: ClickupCreateTaskInput, deps: ClickUpDeps): Promise<any>;
+export declare function clickupLinkTasks(args: ClickupLinkTasksInput, deps: ClickUpDeps): Promise<any>;

package/dist/tools/clickup-write.js

@@ -0,0 +1,149 @@
+"use strict";
+/**
+ * ClickUp gated write tools (Phase 2).
+ *
+ * This is the ONE declared write module. It is the single exception in
+ * tests/readonly-imports.test.ts and .eslintrc.json — every OTHER tool module
+ * must remain read-only.
+ *
+ * Gating:
+ *   1. Operator gate: deps.writesEnabled (SINC_MCP_WRITES_ENABLE=1), else
+ *      refuse. This is the only boundary an autonomous agent cannot self-flip.
+ *   2. Preview affordance: confirm:true in the args, else return a dry-run.
+ *      The calling agent can set confirm itself — this is a preview/speed-bump,
+ *      NOT a human-in-the-loop checkpoint.
+ */
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.clickupUpdateTask = clickupUpdateTask;
+exports.clickupSetCustomField = clickupSetCustomField;
+exports.clickupCreateTask = clickupCreateTask;
+exports.clickupLinkTasks = clickupLinkTasks;
+const dovetail_clickup_1 = require("@tenonhq/dovetail-clickup");
+const clickup_1 = require("./clickup");
+function ensureWritesEnabled(deps) {
+    if (!deps.writesEnabled) {
+        throw new Error("ClickUp writes are disabled. Set SINC_MCP_WRITES_ENABLE=1 to enable gated writes.");
+    }
+}
+/**
+ * Cross-field guard: customTaskIds:true requires teamId. ClickUp would
+ * otherwise return an opaque 401 (the same one this PR series set out to fix).
+ * Lives in the handler — not on the schema — because the MCP SDK consumes the
+ * raw object shape and would ignore a zod refinement.
+ */
+function ensureTeamIdWhenCustom(args) {
+    if (args.customTaskIds && (typeof args.teamId !== "string" || args.teamId.length === 0)) {
+        throw new Error("teamId is required when customTaskIds is true (ClickUp custom-ID lookups need ?team_id=…).");
+    }
+}
+var DRY_RUN_NOTE = "Dry run — no write performed. Re-run with confirm:true to apply.";
+async function clickupUpdateTask(args, deps) {
+    ensureWritesEnabled(deps);
+    ensureTeamIdWhenCustom(args);
+    if (!args.confirm) {
+        return {
+            dryRun: true,
+            action: "update_task",
+            taskId: args.taskId,
+            changes: {
+                name: args.name,
+                markdownContent: args.markdownContent,
+                status: args.status,
+                priority: args.priority
+            },
+            note: DRY_RUN_NOTE
+        };
+    }
+    var client = (0, clickup_1.resolveClient)(deps);
+    return await (0, dovetail_clickup_1.updateTask)({
+        client: client,
+        taskId: args.taskId,
+        name: args.name,
+        markdownContent: args.markdownContent,
+        status: args.status,
+        priority: args.priority,
+        customTaskIds: args.customTaskIds,
+        teamId: args.teamId
+    });
+}
+async function clickupSetCustomField(args, deps) {
+    ensureWritesEnabled(deps);
+    ensureTeamIdWhenCustom(args);
+    if (!args.confirm) {
+        return {
+            dryRun: true,
+            action: "set_custom_field",
+            taskId: args.taskId,
+            fieldId: args.fieldId,
+            value: args.value,
+            note: DRY_RUN_NOTE
+        };
+    }
+    var client = (0, clickup_1.resolveClient)(deps);
+    await (0, dovetail_clickup_1.setCustomField)({
+        client: client,
+        taskId: args.taskId,
+        fieldId: args.fieldId,
+        value: args.value,
+        customTaskIds: args.customTaskIds,
+        teamId: args.teamId
+    });
+    return { ok: true, action: "set_custom_field", taskId: args.taskId, fieldId: args.fieldId };
+}
+async function clickupCreateTask(args, deps) {
+    ensureWritesEnabled(deps);
+    if (!args.confirm) {
+        return {
+            dryRun: true,
+            action: "create_task",
+            listId: args.listId,
+            name: args.name,
+            fields: {
+                markdownContent: args.markdownContent,
+                status: args.status,
+                priority: args.priority,
+                assignees: args.assignees,
+                customFields: args.customFields
+            },
+            note: DRY_RUN_NOTE
+        };
+    }
+    var client = (0, clickup_1.resolveClient)(deps);
+    var customFields = args.customFields
+        ? args.customFields.map(function (cf) {
+            return { id: cf.id, value: cf.value };
+        })
+        : undefined;
+    return await (0, dovetail_clickup_1.createTask)({
+        client: client,
+        listId: args.listId,
+        name: args.name,
+        markdownContent: args.markdownContent,
+        status: args.status,
+        priority: args.priority,
+        assignees: args.assignees,
+        customFields: customFields
+    });
+}
+async function clickupLinkTasks(args, deps) {
+    ensureWritesEnabled(deps);
+    ensureTeamIdWhenCustom(args);
+    if (!args.confirm) {
+        return {
+            dryRun: true,
+            action: "link_tasks",
+            taskId: args.taskId,
+            linksTo: args.linksTo,
+            note: DRY_RUN_NOTE
+        };
+    }
+    var client = (0, clickup_1.resolveClient)(deps);
+    await (0, dovetail_clickup_1.linkTask)({
+        client: client,
+        taskId: args.taskId,
+        linksTo: args.linksTo,
+        customTaskIds: args.customTaskIds,
+        teamId: args.teamId
+    });
+    return { ok: true, action: "link_tasks", taskId: args.taskId, linksTo: args.linksTo };
+}

package/dist/tools/clickup.d.ts

@@ -12,7 +12,9 @@ import { TeamSyncJson } from "./teamsync";
 export interface ClickUpDeps {
     config: ClickUpConfig;
     clientFactory?: (config: ClickUpConfig) => AxiosInstance;
+    writesEnabled?: boolean;
 }
+export declare function resolveClient(deps: ClickUpDeps): AxiosInstance;
 export declare function clickupListTasks(args: ClickupListTasksInput, deps: ClickUpDeps): Promise<{
     tasks: any[];
     byStatus: Record<string, any[]>;

package/dist/tools/clickup.js

@@ -7,6 +7,7 @@
  * (.eslintrc.json) and asserted absent by tests/readonly-imports.test.ts.
  */
 Object.defineProperty(exports, "__esModule", { value: true });
+exports.resolveClient = resolveClient;
 exports.clickupListTasks = clickupListTasks;
 exports.clickupGetTask = clickupGetTask;
 exports.clickupSearchTasks = clickupSearchTasks;

package/package.json

@@ -1,7 +1,7 @@
 {
   "name": "@tenonhq/dovetail-mcp",
-  "version": "0.0.2",
-  "description": "MCP server exposing read-only ClickUp / Gmail / Calendar / ServiceNow tools backed by the Dovetail integration packages.",
+  "version": "0.0.5",
+  "description": "MCP server exposing read tools for ClickUp / Gmail / Calendar / ServiceNow plus gated ClickUp writes, backed by the Dovetail integration packages.",
   "main": "./dist/index.js",
   "bin": {
     "dove-mcp": "./dist/server.js",
@@ -17,7 +17,7 @@
   "license": "GPL-3.0",
   "dependencies": {
     "@modelcontextprotocol/sdk": "^1.29.0",
-    "@tenonhq/dovetail-clickup": "^0.0.7",
+    "@tenonhq/dovetail-clickup": "^0.0.10",
     "@tenonhq/dovetail-gmail": "^0.0.7",
     "@tenonhq/dovetail-google-auth": "^0.0.9",
     "@tenonhq/dovetail-google-calendar": "^0.0.7",
@@ -32,7 +32,7 @@
     "typescript": "^5.2.2"
   },
   "engines": {
-    "node": ">=20.0.0"
+    "node": ">=22"
   },
   "files": [
     "dist"
@@ -42,9 +42,10 @@
   },
   "repository": {
     "type": "git",
-    "url": "git+https://github.com/tenonhq/dovetail.git"
+    "url": "git+https://github.com/TenonHQ/Dovetail.git",
+    "directory": "packages/mcp"
   },
   "bugs": {
-    "url": "https://github.com/tenonhq/dovetail/issues"
+    "url": "https://github.com/TenonHQ/Dovetail/issues"
   }
 }