npm - internaltool-mcp - Versions diffs - 1.0.0 → 1.3.0 - Mend

internaltool-mcp 1.0.0 → 1.3.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (2) hide show

package/index.js +436 -355
package/package.json +1 -1

package/index.js CHANGED Viewed

@@ -5,6 +5,9 @@
  * Usage (API key — recommended):
  *   npx internaltool-mcp --url https://your-server.com --token ilt_abc123...
  *
+ * Usage (scoped to one project):
+ *   npx internaltool-mcp --url https://your-server.com --token ilt_... --project <projectId>
+ *
  * Usage (email/password):
  *   npx internaltool-mcp --url https://your-server.com --email you@x.com --password secret
  *
@@ -15,10 +18,9 @@
 import { McpServer } from '@modelcontextprotocol/sdk/server/mcp.js'
 import { StdioServerTransport } from '@modelcontextprotocol/sdk/server/stdio.js'
 import { z } from 'zod'
-import { api, login, configure, BASE_URL } from './api-client.js'
+import { api, login, configure } from './api-client.js'
 // ── Parse CLI args ────────────────────────────────────────────────────────────
-// Supports: --url, --token, --email, --password
 const args = process.argv.slice(2)
 const getArg = (flag) => {
   const i = args.indexOf(flag)
@@ -29,19 +31,14 @@ const cliUrl      = getArg('--url')
 const cliToken    = getArg('--token')
 const cliEmail    = getArg('--email')
 const cliPassword = getArg('--password')
+const cliProject  = getArg('--project')   // optional: scope to one project
-// CLI args take precedence over env vars
 if (cliEmail)    process.env.INTERNALTOOL_EMAIL    = cliEmail
 if (cliPassword) process.env.INTERNALTOOL_PASSWORD = cliPassword
 configure({ url: cliUrl, token: cliToken })
-const server = new McpServer({
-  name: 'internaltool',
-  version: '1.0.0',
-})
-// ─── Helpers ────────────────────────────────────────────────────────────────
+// ── Helpers ───────────────────────────────────────────────────────────────────
 function text(value) {
   const str = typeof value === 'string' ? value : JSON.stringify(value, null, 2)
@@ -64,353 +61,437 @@ async function call(fn) {
   }
 }
-// ─── Auth ────────────────────────────────────────────────────────────────────
-server.tool(
-  'login',
-  'Authenticate with the InternalTool API. Required before using other tools unless INTERNALTOOL_EMAIL and INTERNALTOOL_PASSWORD env vars are configured.',
-  {
-    email:    z.string().email().describe('User email address'),
-    password: z.string().describe('User password'),
-  },
-  async ({ email, password }) => {
-    try {
-      const data = await login(email, password)
-      return text({ message: 'Login successful', user: data.user })
-    } catch (e) {
-      return errorText(e.message)
+// Guard: reject tool calls that target a project outside the scoped projectId
+function assertProjectScope(projectId) {
+  if (cliProject && projectId !== cliProject) {
+    throw new Error(`Access denied: this session is scoped to project ${cliProject}`)
+  }
+}
+// ── Runtime permission guard ───────────────────────────────────────────────────
+// Defense-in-depth: even if the startup role check is bypassed, these guards
+// re-verify the user's role before executing privileged operations.
+async function assertAdmin() {
+  const res = await api.get('/api/auth/me')
+  if (!res?.success) throw new Error('Unable to verify identity')
+  if (res.data.user.role !== 'admin') {
+    throw new Error('Access denied: admin role required')
+  }
+}
+// ── Tool registration functions ───────────────────────────────────────────────
+function registerAuthTools(server) {
+  server.tool(
+    'login',
+    'Authenticate with the InternalTool API. Not needed if INTERNALTOOL_TOKEN env var is set.',
+    {
+      email:    z.string().email().describe('User email address'),
+      password: z.string().describe('User password'),
+    },
+    async ({ email, password }) => {
+      try {
+        const data = await login(email, password)
+        return text({ message: 'Login successful', user: data.user })
+      } catch (e) {
+        return errorText(e.message)
+      }
+    }
+  )
+  server.tool(
+    'get_current_user',
+    'Get your profile — name, email, and role.',
+    {},
+    async () => call(() => api.get('/api/auth/me'))
+  )
+}
+function registerUserTools(server) {
+  server.tool(
+    'list_users',
+    'List users in the directory. Use this to find user IDs for task assignment.',
+    { search: z.string().optional().describe('Filter by name or email') },
+    async ({ search }) => {
+      const qs = search ? `?search=${encodeURIComponent(search)}` : ''
+      return call(() => api.get(`/api/users/directory${qs}`))
     }
+  )
+  server.tool(
+    'get_my_tasks',
+    'Get all tasks assigned to you. Optionally filter by column. Use this to find your active work before a hotfix or priority switch.',
+    {
+      column: z.enum(['backlog', 'todo', 'in_progress', 'in_review', 'done'])
+        .optional()
+        .describe('Filter to a specific column — e.g. "in_progress" to find your active task'),
+    },
+    async ({ column } = {}) => {
+      const qs = column ? `?column=${encodeURIComponent(column)}` : ''
+      return call(() => api.get(`/api/users/me/tasks${qs}`))
+    }
+  )
+}
+function registerProjectTools(server, { isAdmin, scopedProjectId }) {
+  // Admins see all projects. Members see only their assigned ones (API enforces this).
+  // If --project flag is set, list_projects is locked to that one project.
+  server.tool(
+    'list_projects',
+    scopedProjectId
+      ? `Show details of your assigned project (scoped to project ${scopedProjectId}).`
+      : 'List all projects you have access to.',
+    {},
+    async () => {
+      if (scopedProjectId) {
+        return call(() => api.get(`/api/projects/${scopedProjectId}`))
+      }
+      return call(() => api.get('/api/projects'))
+    }
+  )
+  server.tool(
+    'get_project',
+    'Get full project details including all tasks on the board.',
+    { projectId: z.string().describe("Project's MongoDB ObjectId") },
+    async ({ projectId }) => {
+      try { assertProjectScope(projectId) } catch (e) { return errorText(e.message) }
+      return call(() => api.get(`/api/projects/${projectId}`))
+    }
+  )
+  // Project creation/management — admin or project owner only
+  if (isAdmin) {
+    server.tool(
+      'create_project',
+      'Create a new project.',
+      {
+        name:               z.string().describe('Project name'),
+        memberIds:          z.array(z.string()).optional().describe('Initial member user IDs'),
+        githubRepoFullName: z.string().optional().describe("GitHub repo in 'owner/repo' format"),
+      },
+      async (args) => {
+      try { await assertAdmin() } catch (e) { return errorText(e.message) }
+      return call(() => api.post('/api/projects', args))
+    }
+    )
+    server.tool(
+      'update_project',
+      "Update a project's GitHub integration settings.",
+      {
+        projectId:           z.string().describe("Project's MongoDB ObjectId"),
+        githubRepoFullName:  z.string().optional().describe("GitHub repo 'owner/repo'. Pass '' to unlink."),
+        githubDefaultBranch: z.string().optional().describe('Default branch (default: main)'),
+      },
+      async ({ projectId, ...fields }) => {
+        try { assertProjectScope(projectId); await assertAdmin() } catch (e) { return errorText(e.message) }
+        return call(() => api.patch(`/api/projects/${projectId}`, fields))
+      }
+    )
+    server.tool(
+      'update_project_members',
+      'Replace the project member list. Owner is always preserved.',
+      {
+        projectId: z.string().describe("Project's MongoDB ObjectId"),
+        memberIds: z.array(z.string()).describe('Full replacement list of user IDs'),
+      },
+      async ({ projectId, memberIds }) => {
+        try { assertProjectScope(projectId); await assertAdmin() } catch (e) { return errorText(e.message) }
+        return call(() => api.patch(`/api/projects/${projectId}/members`, { memberIds }))
+      }
+    )
+    server.tool(
+      'delete_project',
+      'Permanently delete a project and all its tasks. Cannot be undone.',
+      { projectId: z.string().describe("Project's MongoDB ObjectId") },
+      async ({ projectId }) => {
+        try { assertProjectScope(projectId); await assertAdmin() } catch (e) { return errorText(e.message) }
+        return call(() => api.delete(`/api/projects/${projectId}`))
+      }
+    )
   }
-)
-server.tool(
-  'get_current_user',
-  'Get the currently authenticated user profile including name, email, and role.',
-  {},
-  async () => call(() => api.get('/api/auth/me'))
-)
-// ─── Users ───────────────────────────────────────────────────────────────────
-server.tool(
-  'list_users',
-  'List all users in the directory. Useful for finding user IDs when assigning tasks or adding project members.',
-  {
-    search: z.string().optional().describe('Filter users by name or email'),
-  },
-  async ({ search }) => {
-    const qs = search ? `?search=${encodeURIComponent(search)}` : ''
-    return call(() => api.get(`/api/users/directory${qs}`))
+}
+function registerTaskTools(server, { isAdmin, scopedProjectId }) {
+  server.tool(
+    'get_task',
+    'Get full details of a task including assignees, column, approval status, and park note.',
+    { taskId: z.string().describe("Task's MongoDB ObjectId") },
+    async ({ taskId }) => call(() => api.get(`/api/tasks/${taskId}`))
+  )
+  server.tool(
+    'create_task',
+    'Create a new task in a project. Project owner or admin only.',
+    {
+      projectId:      z.string().describe("Project's MongoDB ObjectId"),
+      title:          z.string().describe('Task title'),
+      description:    z.string().optional().describe('Short description'),
+      readmeMarkdown: z.string().optional().describe('Markdown implementation plan'),
+      priority:       z.enum(['low', 'medium', 'high', 'critical']).optional(),
+      column:         z.enum(['backlog', 'todo', 'in_progress', 'in_review', 'done']).optional(),
+      assignees:      z.array(z.string()).optional().describe('User IDs to assign'),
+    },
+    async ({ projectId, ...taskData }) => {
+      try { assertProjectScope(projectId) } catch (e) { return errorText(e.message) }
+      return call(() => api.post(`/api/projects/${projectId}/tasks`, taskData))
+    }
+  )
+  server.tool(
+    'update_task',
+    'Update task fields. Cannot edit readmeMarkdown or subtasks while approval is pending.',
+    {
+      taskId:         z.string().describe("Task's MongoDB ObjectId"),
+      title:          z.string().optional(),
+      description:    z.string().optional(),
+      readmeMarkdown: z.string().optional().describe('Markdown implementation plan'),
+      priority:       z.enum(['low', 'medium', 'high', 'critical']).optional(),
+      assignees:      z.array(z.string()).optional().describe('Replaces current assignees'),
+      subtasks:       z.array(z.object({
+        _id:   z.string().optional(),
+        title: z.string(),
+        done:  z.boolean().optional(),
+        order: z.number().optional(),
+      })).optional(),
+    },
+    async ({ taskId, ...fields }) => call(() => api.patch(`/api/tasks/${taskId}`, fields))
+  )
+  server.tool(
+    'move_task',
+    'Move a task to a different column. Requires approved README to move from planning to execution columns.',
+    {
+      taskId:  z.string().describe("Task's MongoDB ObjectId"),
+      column:  z.enum(['backlog', 'todo', 'in_progress', 'in_review', 'done']),
+      toIndex: z.number().int().min(0).default(0).describe('Position in column (0 = top)'),
+    },
+    async ({ taskId, column, toIndex }) =>
+      call(() => api.post(`/api/tasks/${taskId}/move`, { column, toIndex }))
+  )
+  server.tool(
+    'delete_task',
+    'Permanently delete a task. Project team member required.',
+    { taskId: z.string().describe("Task's MongoDB ObjectId") },
+    async ({ taskId }) => call(() => api.delete(`/api/tasks/${taskId}`))
+  )
+  server.tool(
+    'park_task',
+    'Pause a task and save your current work context.',
+    {
+      taskId:    z.string().describe("Task's MongoDB ObjectId"),
+      summary:   z.string().optional().describe('Work done so far'),
+      remaining: z.string().optional().describe('What still needs to be done'),
+      blockers:  z.string().optional().describe('What is blocking progress'),
+    },
+    async ({ taskId, summary = '', remaining = '', blockers = '' }) =>
+      call(() => api.patch(`/api/tasks/${taskId}/park`, { summary, remaining, blockers }))
+  )
+  server.tool(
+    'unpark_task',
+    'Resume a parked task.',
+    { taskId: z.string().describe("Task's MongoDB ObjectId") },
+    async ({ taskId }) => call(() => api.patch(`/api/tasks/${taskId}/unpark`, {}))
+  )
+}
+function registerIssueTools(server) {
+  server.tool(
+    'create_task_issue',
+    'Create a sub-issue/bug under a task.',
+    {
+      taskId:   z.string().describe("Task's MongoDB ObjectId"),
+      title:    z.string().describe('Issue title'),
+      severity: z.enum(['low', 'medium', 'high', 'critical']).optional(),
+    },
+    async ({ taskId, title, severity }) =>
+      call(() => api.post(`/api/tasks/${taskId}/issues`, { title, severity }))
+  )
+  server.tool(
+    'update_task_issue',
+    'Update a sub-issue status, severity, or title.',
+    {
+      taskId:   z.string().describe("Task's MongoDB ObjectId"),
+      issueId:  z.string().describe("Issue's sub-document ID"),
+      title:    z.string().optional(),
+      severity: z.enum(['low', 'medium', 'high', 'critical']).optional(),
+      status:   z.enum(['open', 'closed']).optional(),
+    },
+    async ({ taskId, issueId, ...fields }) =>
+      call(() => api.patch(`/api/tasks/${taskId}/issues/${issueId}`, fields))
+  )
+}
+function registerApprovalTools(server) {
+  server.tool(
+    'submit_task_for_approval',
+    'Submit a task implementation plan for review. README must be at least 80 characters.',
+    {
+      taskId:     z.string().describe("Task's MongoDB ObjectId"),
+      reviewerId: z.string().describe('User ID of the reviewer'),
+    },
+    async ({ taskId, reviewerId }) =>
+      call(() => api.post(`/api/tasks/${taskId}/approval/submit`, { reviewerId }))
+  )
+  server.tool(
+    'decide_task_approval',
+    'Approve or reject a task plan. Only the designated reviewer can call this.',
+    {
+      taskId:   z.string().describe("Task's MongoDB ObjectId"),
+      decision: z.enum(['approve', 'reject']),
+      note:     z.string().optional().describe('Reason for the decision'),
+    },
+    async ({ taskId, decision, note }) =>
+      call(() => api.post(`/api/tasks/${taskId}/approval/decide`, { decision, note }))
+  )
+}
+function registerCommentTools(server) {
+  server.tool(
+    'list_task_comments',
+    'List all comments on a task in chronological order.',
+    { taskId: z.string().describe("Task's MongoDB ObjectId") },
+    async ({ taskId }) => call(() => api.get(`/api/tasks/${taskId}/comments`))
+  )
+  server.tool(
+    'add_task_comment',
+    'Post a markdown comment on a task. Use @email to mention users.',
+    {
+      taskId: z.string().describe("Task's MongoDB ObjectId"),
+      body:   z.string().describe('Comment in markdown'),
+    },
+    async ({ taskId, body }) =>
+      call(() => api.post(`/api/tasks/${taskId}/comments`, { body }))
+  )
+  server.tool(
+    'get_task_activity',
+    'Get the activity/audit log for a task (last 100 events).',
+    { taskId: z.string().describe("Task's MongoDB ObjectId") },
+    async ({ taskId }) => call(() => api.get(`/api/tasks/${taskId}/activity`))
+  )
+}
+function registerNotificationTools(server) {
+  server.tool(
+    'list_notifications',
+    'List your recent notifications and unread count.',
+    {},
+    async () => call(() => api.get('/api/notifications'))
+  )
+  server.tool(
+    'mark_all_notifications_read',
+    'Mark all notifications as read.',
+    {},
+    async () => call(() => api.patch('/api/notifications/read-all', {}))
+  )
+  server.tool(
+    'delete_all_notifications',
+    'Clear all read notifications.',
+    {},
+    async () => call(() => api.delete('/api/notifications/clear'))
+  )
+}
+function registerGithubTools(server, { scopedProjectId }) {
+  server.tool(
+    'get_project_commits',
+    'Get recent GitHub commits for a project.',
+    {
+      projectId: z.string().describe("Project's MongoDB ObjectId"),
+      branch:    z.string().optional(),
+      perPage:   z.number().int().min(1).max(100).optional(),
+    },
+    async ({ projectId, branch, perPage }) => {
+      try { assertProjectScope(projectId) } catch (e) { return errorText(e.message) }
+      const params = new URLSearchParams()
+      if (branch)  params.set('sha', branch)
+      if (perPage) params.set('per_page', String(perPage))
+      const qs = params.toString() ? `?${params}` : ''
+      return call(() => api.get(`/api/projects/${projectId}/github/commits${qs}`))
+    }
+  )
+  server.tool(
+    'get_project_branches',
+    'Get GitHub branches for a project.',
+    { projectId: z.string().describe("Project's MongoDB ObjectId") },
+    async ({ projectId }) => {
+      try { assertProjectScope(projectId) } catch (e) { return errorText(e.message) }
+      return call(() => api.get(`/api/projects/${projectId}/github/branches`))
+    }
+  )
+}
+function registerAdminTools(server) {
+  server.tool(
+    'admin_list_users',
+    'List all users on the platform. Admin only.',
+    {},
+    async () => {
+      try { await assertAdmin() } catch (e) { return errorText(e.message) }
+      return call(() => api.get('/api/admin/users'))
+    }
+  )
+  server.tool(
+    'admin_get_analytics',
+    'Get platform-wide analytics. Admin only.',
+    {},
+    async () => {
+      try { await assertAdmin() } catch (e) { return errorText(e.message) }
+      return call(() => api.get('/api/admin/analytics'))
+    }
+  )
+}
+// ── Main ──────────────────────────────────────────────────────────────────────
+async function main() {
+  const server = new McpServer({ name: 'internaltool', version: '1.0.0' })
+  // Fetch the current user's role to determine which tools to expose
+  let role = 'member'
+  try {
+    const res = await api.get('/api/auth/me')
+    if (res?.success) role = res.data.user.role
+  } catch {
+    // If we can't reach the server yet, default to member (most restrictive)
   }
-)
-// ─── Projects ────────────────────────────────────────────────────────────────
-server.tool(
-  'list_projects',
-  'List all projects visible to the authenticated user with owner info and task counts.',
-  {},
-  async () => call(() => api.get('/api/projects'))
-)
-server.tool(
-  'get_project',
-  'Get full details of a project including members, GitHub integration settings, and ALL tasks on the board (all columns).',
-  {
-    projectId: z.string().describe("Project's MongoDB ObjectId"),
-  },
-  async ({ projectId }) => call(() => api.get(`/api/projects/${projectId}`))
-)
-server.tool(
-  'create_project',
-  'Create a new project. Only admins and members can create projects.',
-  {
-    name:                z.string().describe('Project name (required)'),
-    memberIds:           z.array(z.string()).optional().describe('Array of user IDs to add as initial members'),
-    githubRepoFullName:  z.string().optional().describe("GitHub repo in 'owner/repo' format, e.g. 'acme/backend'"),
-  },
-  async (args) => call(() => api.post('/api/projects', args))
-)
-server.tool(
-  'update_project',
-  'Update a project\'s GitHub integration settings (owner or admin only).',
-  {
-    projectId:            z.string().describe("Project's MongoDB ObjectId"),
-    githubRepoFullName:   z.string().optional().describe("GitHub repo in 'owner/repo' format. Pass empty string to unlink."),
-    githubDefaultBranch:  z.string().optional().describe("Default branch for merge-to-done automation (default: 'main')"),
-  },
-  async ({ projectId, ...fields }) => call(() => api.patch(`/api/projects/${projectId}`, fields))
-)
-server.tool(
-  'update_project_members',
-  'Replace the project member list. Owner is always preserved. Admin or project owner only.',
-  {
-    projectId:  z.string().describe("Project's MongoDB ObjectId"),
-    memberIds:  z.array(z.string()).describe('Array of user IDs that should be members (replaces current list)'),
-  },
-  async ({ projectId, memberIds }) =>
-    call(() => api.patch(`/api/projects/${projectId}/members`, { memberIds }))
-)
-server.tool(
-  'delete_project',
-  'Permanently delete a project and all its tasks, comments, and activity. Owner or admin only. Cannot be undone.',
-  {
-    projectId: z.string().describe("Project's MongoDB ObjectId"),
-  },
-  async ({ projectId }) => call(() => api.delete(`/api/projects/${projectId}`))
-)
-// ─── Tasks ───────────────────────────────────────────────────────────────────
-server.tool(
-  'get_task',
-  'Get full details of a task including title, description, column, priority, assignees, subtasks, issues, approval status, park note, and GitHub merge info.',
-  {
-    taskId: z.string().describe("Task's MongoDB ObjectId"),
-  },
-  async ({ taskId }) => call(() => api.get(`/api/tasks/${taskId}`))
-)
-server.tool(
-  'create_task',
-  'Create a new task in a project. Only the project owner or admin can create tasks.',
-  {
-    projectId:       z.string().describe("Project's MongoDB ObjectId"),
-    title:           z.string().describe('Task title (required)'),
-    description:     z.string().optional().describe('Short task description'),
-    readmeMarkdown:  z.string().optional().describe('Full markdown implementation plan for the task'),
-    priority:        z.enum(['low', 'medium', 'high', 'critical']).optional().describe('Priority level (default: medium)'),
-    column:          z.enum(['backlog', 'todo', 'in_progress', 'in_review', 'done']).optional().describe('Initial column (default: backlog)'),
-    assignees:       z.array(z.string()).optional().describe('Array of user IDs to assign'),
-  },
-  async ({ projectId, ...taskData }) =>
-    call(() => api.post(`/api/projects/${projectId}/tasks`, taskData))
-)
-server.tool(
-  'update_task',
-  'Update a task\'s fields. Assignee or project team member required. Cannot edit readmeMarkdown or subtasks while approval is pending.',
-  {
-    taskId:          z.string().describe("Task's MongoDB ObjectId"),
-    title:           z.string().optional().describe('New title'),
-    description:     z.string().optional().describe('New short description'),
-    readmeMarkdown:  z.string().optional().describe('Full markdown implementation plan (blocked during pending approval)'),
-    priority:        z.enum(['low', 'medium', 'high', 'critical']).optional().describe('New priority level'),
-    assignees:       z.array(z.string()).optional().describe('Array of user IDs — replaces current assignees (project members only)'),
-    subtasks:        z.array(z.object({
-      _id:   z.string().optional().describe('Existing subtask ID, or omit to create new'),
-      title: z.string(),
-      done:  z.boolean().optional(),
-      order: z.number().optional(),
-    })).optional().describe('Full replacement list of subtasks'),
-  },
-  async ({ taskId, ...fields }) => call(() => api.patch(`/api/tasks/${taskId}`, fields))
-)
-server.tool(
-  'move_task',
-  'Move a task to a different column on the kanban board. Moving from planning (backlog/todo) to execution columns requires an approved README plan. GitHub-linked projects block manual moves to "done".',
-  {
-    taskId:  z.string().describe("Task's MongoDB ObjectId"),
-    column:  z.enum(['backlog', 'todo', 'in_progress', 'in_review', 'done']).describe('Target column'),
-    toIndex: z.number().int().min(0).default(0).describe('Position in the column (0 = top)'),
-  },
-  async ({ taskId, column, toIndex }) =>
-    call(() => api.post(`/api/tasks/${taskId}/move`, { column, toIndex }))
-)
-server.tool(
-  'delete_task',
-  'Permanently delete a task and its comments, activity, and notifications. Project team member required. Cannot be undone.',
-  {
-    taskId: z.string().describe("Task's MongoDB ObjectId"),
-  },
-  async ({ taskId }) => call(() => api.delete(`/api/tasks/${taskId}`))
-)
-// ─── Park / Unpark ───────────────────────────────────────────────────────────
-server.tool(
-  'park_task',
-  'Park a task to temporarily pause it, capturing the current work context.',
-  {
-    taskId:    z.string().describe("Task's MongoDB ObjectId"),
-    summary:   z.string().optional().describe('Summary of work done so far (max 1000 chars)'),
-    remaining: z.string().optional().describe('What still needs to be done (max 1000 chars)'),
-    blockers:  z.string().optional().describe('What is blocking progress (max 500 chars)'),
-  },
-  async ({ taskId, summary = '', remaining = '', blockers = '' }) =>
-    call(() => api.patch(`/api/tasks/${taskId}/park`, { summary, remaining, blockers }))
-)
-server.tool(
-  'unpark_task',
-  'Unpark a previously parked task to resume work on it.',
-  {
-    taskId: z.string().describe("Task's MongoDB ObjectId"),
-  },
-  async ({ taskId }) => call(() => api.patch(`/api/tasks/${taskId}/unpark`, {}))
-)
-// ─── Issues ──────────────────────────────────────────────────────────────────
-server.tool(
-  'create_task_issue',
-  'Create a sub-issue/bug report under a task.',
-  {
-    taskId:      z.string().describe("Task's MongoDB ObjectId"),
-    title:       z.string().describe('Issue title'),
-    severity:    z.enum(['low', 'medium', 'high', 'critical']).optional().describe('Issue severity (default: medium)'),
-  },
-  async ({ taskId, title, severity }) =>
-    call(() => api.post(`/api/tasks/${taskId}/issues`, { title, severity }))
-)
-server.tool(
-  'update_task_issue',
-  'Update a sub-issue under a task (title, severity, or status).',
-  {
-    taskId:   z.string().describe("Task's MongoDB ObjectId"),
-    issueId:  z.string().describe("Issue's sub-document ID"),
-    title:    z.string().optional().describe('New issue title'),
-    severity: z.enum(['low', 'medium', 'high', 'critical']).optional().describe('New severity'),
-    status:   z.enum(['open', 'closed']).optional().describe('New status'),
-  },
-  async ({ taskId, issueId, ...fields }) =>
-    call(() => api.patch(`/api/tasks/${taskId}/issues/${issueId}`, fields))
-)
-// ─── Approval ────────────────────────────────────────────────────────────────
-server.tool(
-  'submit_task_for_approval',
-  'Submit a task\'s implementation plan (readmeMarkdown) for review. The README must be at least 50 characters.',
-  {
-    taskId:     z.string().describe("Task's MongoDB ObjectId"),
-    reviewerId: z.string().describe("User ID of the designated reviewer"),
-  },
-  async ({ taskId, reviewerId }) =>
-    call(() => api.post(`/api/tasks/${taskId}/approval/submit`, { reviewerId }))
-)
-server.tool(
-  'decide_task_approval',
-  'Approve or reject a task\'s implementation plan. Only the designated reviewer can call this.',
-  {
-    taskId:   z.string().describe("Task's MongoDB ObjectId"),
-    decision: z.enum(['approve', 'reject']).describe('Approval decision'),
-    note:     z.string().optional().describe('Optional note explaining the decision'),
-  },
-  async ({ taskId, decision, note }) =>
-    call(() => api.post(`/api/tasks/${taskId}/approval/decide`, { decision, note }))
-)
-// ─── Comments ────────────────────────────────────────────────────────────────
-server.tool(
-  'list_task_comments',
-  'List all comments on a task in chronological order.',
-  {
-    taskId: z.string().describe("Task's MongoDB ObjectId"),
-  },
-  async ({ taskId }) => call(() => api.get(`/api/tasks/${taskId}/comments`))
-)
-server.tool(
-  'add_task_comment',
-  'Add a markdown comment to a task. Mention users with @their@email.com to notify them.',
-  {
-    taskId: z.string().describe("Task's MongoDB ObjectId"),
-    body:   z.string().describe('Comment body in markdown. Use @email to mention users.'),
-  },
-  async ({ taskId, body }) =>
-    call(() => api.post(`/api/tasks/${taskId}/comments`, { body }))
-)
-// ─── Activity ────────────────────────────────────────────────────────────────
-server.tool(
-  'get_task_activity',
-  'Get the full activity/audit log for a task (last 100 events, newest first).',
-  {
-    taskId: z.string().describe("Task's MongoDB ObjectId"),
-  },
-  async ({ taskId }) => call(() => api.get(`/api/tasks/${taskId}/activity`))
-)
-// ─── Notifications ───────────────────────────────────────────────────────────
-server.tool(
-  'list_notifications',
-  'List recent notifications for the current user including unread count.',
-  {},
-  async () => call(() => api.get('/api/notifications'))
-)
-server.tool(
-  'mark_all_notifications_read',
-  'Mark all notifications as read.',
-  {},
-  async () => call(() => api.patch('/api/notifications/read-all', {}))
-)
-server.tool(
-  'delete_all_notifications',
-  'Clear/delete all notifications for the current user.',
-  {},
-  async () => call(() => api.delete('/api/notifications/clear'))
-)
-// ─── GitHub ──────────────────────────────────────────────────────────────────
-server.tool(
-  'get_project_commits',
-  'Get recent GitHub commits for a project. Requires the project to have a GitHub repo linked.',
-  {
-    projectId: z.string().describe("Project's MongoDB ObjectId"),
-    branch:    z.string().optional().describe('Branch name (defaults to project default branch)'),
-    perPage:   z.number().int().min(1).max(100).optional().describe('Number of commits to return (default: 20)'),
-  },
-  async ({ projectId, branch, perPage }) => {
-    const params = new URLSearchParams()
-    if (branch) params.set('sha', branch)
-    if (perPage) params.set('per_page', String(perPage))
-    const qs = params.toString() ? `?${params}` : ''
-    return call(() => api.get(`/api/projects/${projectId}/github/commits${qs}`))
+  const isAdmin        = role === 'admin'
+  const scopedProjectId = cliProject || null
+  const ctx            = { isAdmin, scopedProjectId }
+  // Register tools — admins get everything, members get their work scope only
+  registerAuthTools(server)
+  registerUserTools(server)
+  registerProjectTools(server, ctx)
+  registerTaskTools(server, ctx)
+  registerIssueTools(server)
+  registerApprovalTools(server)
+  registerCommentTools(server)
+  registerNotificationTools(server)
+  registerGithubTools(server, ctx)
+  if (isAdmin) {
+    registerAdminTools(server)
   }
-)
-server.tool(
-  'get_project_branches',
-  'Get GitHub branches for a project. Requires the project to have a GitHub repo linked.',
-  {
-    projectId: z.string().describe("Project's MongoDB ObjectId"),
-  },
-  async ({ projectId }) =>
-    call(() => api.get(`/api/projects/${projectId}/github/branches`))
-)
-// ─── Admin ───────────────────────────────────────────────────────────────────
-server.tool(
-  'admin_list_users',
-  'List all users in the system. Admin role required.',
-  {},
-  async () => call(() => api.get('/api/admin/users'))
-)
-server.tool(
-  'admin_get_analytics',
-  'Get platform-wide analytics. Admin role required.',
-  {},
-  async () => call(() => api.get('/api/admin/analytics'))
-)
-// ─── Start ───────────────────────────────────────────────────────────────────
-const transport = new StdioServerTransport()
-await server.connect(transport)
+  const transport = new StdioServerTransport()
+  await server.connect(transport)
+}
+main()

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "internaltool-mcp",
-  "version": "1.0.0",
+  "version": "1.3.0",
   "description": "MCP server for InternalTool — connect AI assistants (Claude Code, Cursor) to your project and task management platform",
   "type": "module",
   "main": "index.js",