npm - copilot-money-mcp - Versions diffs - 1.6.1 → 2.0.0 - Mend

copilot-money-mcp 1.6.1 → 2.0.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (6) hide show

package/PRIVACY.md CHANGED Viewed

@@ -14,6 +14,21 @@ The server operates in two modes:
 - **Read-only mode (default):** Reads data exclusively from your local Copilot Money database cache. No network requests are made.
 - **Write mode (opt-in, `--write` flag):** Adds the ability to modify your Copilot Money data. Because Copilot Money is backed by Google Firebase/Firestore, write operations require authenticated network requests to Firebase/Firestore on your behalf. See the [Write Mode and Network Access](#write-mode-and-network-access) section below.
+## Important: Data Shared With AI Providers
+**The MCP server itself is local, but the AI assistant you connect it to is not.** When you use this server with a hosted AI model (Claude Desktop, ChatGPT, Gemini, Cursor, or any other MCP-compatible client that relies on a cloud-hosted model), the tool responses containing your Copilot Money data — transactions, balances, account names, merchants, categories, holdings, and so on — are sent to that AI provider so the model can answer your question.
+**That means your financial data will leave your machine and be transmitted to a third-party AI provider**, such as:
+- **Anthropic** (if you use Claude Desktop or any Claude-powered client)
+- **OpenAI** (if you use ChatGPT, GPT-based tools, or Cursor with GPT models)
+- **Google** (if you use Gemini or any Google-hosted model)
+- **Any other AI provider** whose model your MCP client connects to
+Each provider has its own privacy policy, data retention, and training-data practices, which apply to this data once it is transmitted. This project has no control over how those providers handle your data.
+**By using this MCP server with a hosted AI model, you are knowingly and voluntarily sharing your financial data with the provider of that model. You must be comfortable with that trade-off.** If you are not, do not use this tool — consider waiting for an official Copilot Money integration, or running a fully local model that does not transmit data off your machine.
 ## Data Collection
 **We do not collect, store, or transmit any of your data to our servers or any third party.** The server has no backend, no analytics, and no telemetry.
@@ -52,7 +67,7 @@ This database contains:
 ## Data Usage
 Data read from your local database is used exclusively to:
-1. Respond to queries from Claude Desktop via the Model Context Protocol (MCP)
+1. Respond to queries from an AI client (Claude Desktop, ChatGPT, Cursor, etc.) via the Model Context Protocol (MCP)
 2. Perform local calculations (e.g., spending aggregations, category summaries)
 3. Filter and search transactions based on your requests
@@ -63,12 +78,12 @@ All processing happens in memory on your local machine. No data is persisted out
 ## Data Sharing
-**We do not share your data with anyone.**
+**This project does not collect or share your data with anyone.** However, please read the section above on [Data Shared With AI Providers](#important-data-shared-with-ai-providers) — the AI model you connect this server to will receive your financial data as part of normal MCP tool-call responses.
 - No data is sent to our servers (we don't have servers)
-- No data is sent to third parties for analytics, advertising, or tracking
-- No data is sent to Anthropic (beyond what Claude Desktop processes locally)
-- No analytics or crash reports are transmitted
+- No data is sent to third parties for analytics, advertising, or tracking by this project
+- No analytics or crash reports are transmitted by this project
+- **Your AI provider (Anthropic, OpenAI, Google, or whichever model you use) will receive your Copilot Money data** as part of answering your queries — governed by that provider's privacy policy, not this project's
 In opt-in write mode, requested changes are sent directly from your machine to Google Firebase/Firestore using your own Copilot Money credentials. This is the same backend Copilot Money itself uses to persist your data — no intermediary server operated by this project is involved. This traffic is governed by Google's and Copilot Money's own privacy policies.
@@ -86,8 +101,8 @@ In opt-in write mode, requested changes are sent directly from your machine to G
 ### Your Control
 You maintain full control over your data:
-- The server only runs when you explicitly start it via Claude Desktop
-- You can stop the server at any time by closing Claude Desktop
+- The server only runs when you explicitly start it via your MCP client
+- You can stop the server at any time by closing your MCP client
 - You can uninstall the server at any time
 - Your Copilot Money data remains in its original location
 - **Write mode is strictly opt-in:** Write tools are unavailable unless you explicitly start the server with `--write`. Without this flag, the server cannot modify your Copilot Money data even if instructed to do so
@@ -116,18 +131,19 @@ Network traffic in write mode is subject to:
 - [Google's Privacy Policy](https://policies.google.com/privacy) (as Firebase/Firestore is operated by Google)
 - Copilot Money's own terms and privacy policy (as you are modifying data on their backend)
-## Claude Desktop Integration
+## AI Client Integration
-When integrated with Claude Desktop:
-- Queries are processed by Claude via MCP protocol
-- Claude may temporarily process your financial data to answer questions
-- This processing happens according to [Anthropic's Privacy Policy](https://www.anthropic.com/privacy)
-- You control what queries are sent to Claude
+When integrated with an AI client such as Claude Desktop, ChatGPT, Cursor, or Gemini:
+- Your queries and the tool responses produced by this server are processed by the underlying AI model
+- To answer your questions, the AI model will see the Copilot Money data returned by tool calls (transactions, balances, merchants, categories, holdings, etc.)
+- This data is transmitted to and processed by the AI provider (Anthropic, OpenAI, Google, or another third party, depending on which model you use) according to **that provider's** privacy policy and data retention terms — not this project's
+- Relevant policies include [Anthropic's Privacy Policy](https://www.anthropic.com/privacy), [OpenAI's Privacy Policy](https://openai.com/policies/privacy-policy), and [Google's Privacy Policy](https://policies.google.com/privacy)
+- You control what queries you send and which AI client you connect to this server
 ## Third-Party Services
 This server does not integrate with any third-party services beyond:
-- **Claude Desktop** (optional, required for AI-powered queries)
+- **Your MCP client's AI provider** (required only if you use the server for AI-powered queries; optional if you call tools programmatically) — e.g., Anthropic (Claude Desktop), OpenAI (ChatGPT, Cursor with GPT), Google (Gemini). Your Copilot Money data is shared with this provider as part of normal MCP tool-call responses. See [Data Shared With AI Providers](#important-data-shared-with-ai-providers).
 - **Copilot Money** (reads the local database created by the app)
 - **Google Firebase / Firestore** (only in opt-in write mode; this is Copilot Money's own backend, accessed directly with your own Copilot Money credentials)
@@ -155,4 +171,8 @@ For privacy-related questions or concerns:
 ## Summary
-**In short:** This server is a local-first tool that reads your Copilot Money data to enable AI-powered queries via Claude Desktop. In its default read-only mode, your data never leaves your machine. If you explicitly opt in to write mode with the `--write` flag, the server can additionally apply your requested changes by talking directly to Copilot Money's own Firebase/Firestore backend using your own credentials. We never collect, store, or transmit your financial information to servers operated by this project — we don't have any.
+**In short:** This server is a local-first tool that reads your Copilot Money data to enable AI-powered queries via an MCP client such as Claude Desktop, ChatGPT, Cursor, or Gemini. This project never collects, stores, or transmits your financial information to servers operated by this project — we don't have any.
+**However, the AI assistant you connect this server to will see your Copilot Money data** in order to answer your questions, and that data will be transmitted to the corresponding AI provider (Anthropic, OpenAI, Google, or another third party) according to that provider's privacy policy. By using this MCP server with a hosted AI model, you knowingly accept sharing your financial data with that provider. If you are not comfortable with that, do not use this tool.
+If you explicitly opt in to write mode with the `--write` flag, the server can additionally apply your requested changes by talking directly to Copilot Money's own Firebase/Firestore backend using your own credentials.

package/README.md CHANGED Viewed

@@ -6,22 +6,20 @@
 [![Node.js 18+](https://img.shields.io/badge/node-18+-green.svg)](https://nodejs.org/)
 [![TypeScript](https://img.shields.io/badge/TypeScript-5.3-blue.svg)](https://www.typescriptlang.org/)
 [![Tests](https://img.shields.io/badge/tests-1400+-brightgreen.svg)](https://github.com/ignaciohermosillacornejo/copilot-money-mcp)
-[![Tools](https://img.shields.io/badge/tools-35-blue.svg)](https://github.com/ignaciohermosillacornejo/copilot-money-mcp)
+[![Tools](https://img.shields.io/badge/tools-17-blue.svg)](https://github.com/ignaciohermosillacornejo/copilot-money-mcp)
 ## Disclaimer
 **This is an independent, community-driven project and is not affiliated with, endorsed by, or associated with Copilot Money or its parent company in any way.** This tool was created by an independent developer to enable AI-powered queries of locally cached data. "Copilot Money" is a trademark of its respective owner.
-## Overview
-An [MCP](https://modelcontextprotocol.io/) server that gives AI assistants access to your Copilot Money personal finance data. It reads from the locally cached Firestore database (LevelDB + Protocol Buffers) on your Mac. **Reads are 100% local with zero network requests.** Optional write mode (opt-in via `--write`) sends your requested changes directly to Copilot Money's Firebase/Firestore backend — the same backend the Copilot Money app itself uses — authenticated with your own credentials, never through any third-party service.
+> [!NOTE]
+> **Write tools are temporarily unavailable.** Copilot Money has restricted direct Firestore writes from third-party clients. The 18 write tools in this repo still exist as source, but the published CLI runs read-only. A replacement write path is being evaluated. Reads are unaffected.
-**35 tools** across spending, investments, budgets, goals, and more:
+## Overview
-- **17 read tools** — query transactions, accounts, holdings, balances, categories, recurring charges, budgets, goals, investment performance, and more
-- **18 write tools** (opt-in) — consolidate transaction changes, manage tags, create budgets, update recurring items, and organize your finances
+An [MCP](https://modelcontextprotocol.io/) server that gives AI assistants access to your Copilot Money personal finance data. It reads from the locally cached Firestore database (LevelDB + Protocol Buffers) on your Mac. **Reads are 100% local with zero network requests.**
-**Read-only by default.** Write tools require explicitly starting the server with `--write` to enable.
+**17 read tools** across spending, investments, budgets, goals, and more — query transactions, accounts, holdings, balances, categories, recurring charges, budgets, goals, and investment performance.
 ## Privacy First
@@ -29,10 +27,13 @@ We never collect, store, or transmit your data to any server operated by this pr
 - No analytics, telemetry, or tracking of any kind
 - Reads are fully local — zero network requests
-- Read-only by default (write tools disabled unless you pass `--write`)
-- In opt-in write mode, requests go directly from your machine to Copilot Money's own Firebase/Firestore backend using your own credentials — never through any third-party service
 - Open source — verify the code yourself
+> [!IMPORTANT]
+> **Heads up about AI providers.** While this server itself runs locally and never sends your data to any server operated by this project, **the AI assistant you connect it to (Claude, ChatGPT, Gemini, etc.) will see your Copilot Money data** as part of answering your questions. That means your financial data will be transmitted to and processed by the provider of whichever model you choose — **Anthropic, OpenAI, Google, or another third party** — subject to that provider's own privacy policy and data retention terms.
+>
+> **By using this MCP server with a hosted AI model, you are knowingly sharing your financial data with that AI provider.** Only use this tool if you are comfortable with that trade-off. If you are not, consider waiting for an official Copilot Money integration or using a fully local model.
 ## Quick Start
 ### Prerequisites
@@ -136,18 +137,6 @@ Uses `get_budgets`, `get_goals`, `get_goal_history`.
 Uses `get_recurring_transactions`.
-### Organizing Your Finances (Write Mode)
-> "Categorize all my Uber transactions as transportation"
-> "Tag my vacation spending with #vacation"
-> "Create a $500 monthly dining budget"
-> "Set up Netflix as a monthly recurring charge"
-Uses write tools like `update_transaction`, `create_budget`, `update_recurring`, and more. Requires `--write` flag.
 ## Available Tools
 ### Read Tools (17)
@@ -172,33 +161,11 @@ Uses write tools like `update_transaction`, `create_budget`, `update_recurring`,
 | `get_cache_info` | Local cache metadata — date range, transaction count, cache age. |
 | `refresh_database` | Reload data from disk. Cache auto-refreshes every 5 minutes. |
-### Write Tools (18) — requires `--write` flag
-| Category | Tools |
-|----------|-------|
-| **Transactions** | `update_transaction` (multi-field patch), `review_transactions` |
-| **Tags** | `create_tag`, `update_tag`, `delete_tag` |
-| **Categories** | `create_category`, `update_category`, `delete_category` |
-| **Budgets** | `create_budget`, `update_budget`, `delete_budget` |
-| **Goals** | `create_goal`, `update_goal`, `delete_goal` |
-| **Recurring** | `create_recurring`, `update_recurring`, `set_recurring_state`, `delete_recurring` |
+### Write Tools — temporarily unavailable
-## Write Mode
-By default, the server starts in **read-only mode**. To enable write tools, start the server with the `--write` flag:
-```json
-{
-  "mcpServers": {
-    "copilot-money": {
-      "command": "copilot-money-mcp",
-      "args": ["--write"]
-    }
-  }
-}
-```
+Copilot Money has restricted direct Firestore writes from third-party clients, so the 18 write tools (`update_transaction`, `create_budget`, `create_goal`, `update_recurring`, etc.) no longer succeed against the live backend. The code still lives in `src/` and the tool schemas are preserved for reference and future work, but the published `copilot-money-mcp` CLI runs in read-only mode. Passing `--write` prints a notice and still starts read-only.
-Write tools modify your Copilot Money data by sending authenticated requests directly to Copilot Money's Firebase/Firestore backend — the same backend the Copilot Money app uses — so your changes are immediately reflected in your account. Writes authenticate using a Firebase refresh token extracted from your local Copilot Money session; your credentials never leave your machine except in the authenticated request to Google's Firebase/Firestore endpoints. No third-party services are involved. See [PRIVACY.md](PRIVACY.md) for full details.
+A replacement write path (via Copilot Money's GraphQL web API) is being evaluated; progress will be tracked in the repo issues.
 ## Configuration