xero-mcp 1.3.0 → 2.0.0-beta

package/LICENSE

@@ -1,21 +1,21 @@
-MIT License
-
-Copyright (c) 2025 John Zhang
-
-Permission is hereby granted, free of charge, to any person obtaining a copy
-of this software and associated documentation files (the "Software"), to deal
-in the Software without restriction, including without limitation the rights
-to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
-copies of the Software, and to permit persons to whom the Software is
-furnished to do so, subject to the following conditions:
-
-The above copyright notice and this permission notice shall be included in all
-copies or substantial portions of the Software.
-
-THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
-IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
-FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
-AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
-LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
-OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
-SOFTWARE.
+MIT License
+
+Copyright (c) 2025 John Zhang
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.

package/README.md

@@ -1,109 +1,129 @@
-# Xero MCP Server
-
-![](https://badge.mcpx.dev?type=server "MCP Server")
-[![smithery badge](https://smithery.ai/badge/xero-mcp)](https://smithery.ai/server/@john-zhang-dev/xero-mcp)
-
-This MCP server allows Clients to interact with [Xero Accounting Software](https://www.xero.com).
-
-## Get Started
-
-1. Make sure [node](https://nodejs.org) and [Claude Desktop](https://claude.ai/download) are installed.
-
-2. Create an OAuth 2.0 app in Xero to get a _CLIENT_ID_ and _CLIENT_SECRET_.
-
-   - Create a free Xero user account (if you don't have one)
-   - Login to Xero Developer center https://developer.xero.com/app/manage/
-   - Click New app
-   - Enter a name for your app
-   - Select Web app
-   - Provide a valid URL (can be anything valid eg. https://www.myapp.com)
-   - Enter redirect URI: `http://localhost:5000/callback`
-   - Tick to Accept the Terms & Conditions and click Create app
-   - On the left-hand side of the screen select Configuration
-   - Click Generate a secret
-
-3. Modify `claude_desktop_config.json` file
-
-   ```json
-   {
-     "mcpServers": {
-       "xero-mcp": {
-         "command": "npx",
-         "args": ["-y", "xero-mcp@latest"],
-         "env": {
-           "XERO_CLIENT_ID": "YOUR_CLIENT_ID",
-           "XERO_CLIENT_SECRET": "YOUR_CLIENT_SECRET",
-           "XERO_REDIRECT_URI": "http://localhost:5000/callback"
-         }
-       }
-     }
-   }
-   ```
-
-4. Restart Claude Desktop
-
-5. When the Client decides to access a Xero tool for the first time, a Xero login page will pop up to ask your consent. Complete the auth flow and manually close the web page (as the Xero page will not auto close in this version)
-
-   **Privacy alert: after completing the Xero OAuth2 flow, your Xero data may go through the LLM that you use. If you are doing testing you should authorize to your [Xero Demo Company](https://central.xero.com/s/article/Use-the-demo-company).**
-
-## Tools
-
-- `authenticate`
-
-  Authenticate with Xero using OAuth2
-
-- `get_balance_sheet`
-
-  Retrieves report for balancesheet
-
-- `list_accounts`
-
-  Retrieves the full chart of accounts
-
-- `list_bank_transactions`
-
-  Retrieves any spent or received money transactions
-
-- `list_contacts`
-
-  Retrieves all contacts in a Xero organisation
-
-- `list_invoices`
-
-  Retrieves sales invoices or purchase bills
-
-- `list_journals`
-
-  Retrieves journals
-
-- `list_organisations`
-
-  Retrieves Xero organisation details
-
-- `list_payments`
-
-  Retrieves payments for invoices and credit notes
-
-- `list_quotes`
-
-  Retrieves sales quotes
-
-## Examples
-
-- "Visualize my financial position over the last month"
-
-    <img src="https://github.com/john-zhang-dev/assets/blob/main/xero-mcp/demo1.jpg?raw=true" width=50% height=50%>
-
-- "Track my spendings over last week"
-
-    <img src="https://github.com/john-zhang-dev/assets/blob/main/xero-mcp/demo2.jpg?raw=true" width=50% height=50%>
-
-## WIP Features
-
-- Tools that allow new transactions to be added to Xero
-
-If you have additional requirements, please open an issue on this github repository.
-
-## License
-
-MIT
+# Xero MCP Server
+
+![](https://badge.mcpx.dev?type=server "MCP Server")
+[![smithery badge](https://smithery.ai/badge/@john-zhang-dev/xero-mcp)](https://smithery.ai/server/@john-zhang-dev/xero-mcp)
+
+This MCP server allows Clients to interact with [Xero Accounting Software](https://www.xero.com).
+
+## Get Started
+
+1. Make sure [node](https://nodejs.org) and [Claude Desktop](https://claude.ai/download) are installed.
+
+2. Create an OAuth 2.0 app in Xero to get a _CLIENT_ID_ and _CLIENT_SECRET_.
+
+   - Create a free Xero user account (if you don't have one)
+   - Login to Xero Developer center https://developer.xero.com/app/manage/
+   - Click New app
+   - Enter a name for your app
+   - Select Web app
+   - Provide a valid URL (can be anything valid eg. https://www.myapp.com)
+   - Enter redirect URI: `http://localhost:5000/callback`
+   - Tick to Accept the Terms & Conditions and click Create app
+   - On the left-hand side of the screen select Configuration
+   - Click Generate a secret
+
+3. Modify `claude_desktop_config.json` file:
+
+   Go to Settings -> Developers -> Local MCP Servers -> Edit Config
+
+   ```json
+   {
+     "mcpServers": {
+       "xero-mcp": {
+         "command": "npx",
+         "args": ["-y", "xero-mcp@latest"],
+         "env": {
+           "XERO_CLIENT_ID": "YOUR_CLIENT_ID",
+           "XERO_CLIENT_SECRET": "YOUR_CLIENT_SECRET",
+           "XERO_REDIRECT_URI": "http://localhost:5000/callback"
+         }
+       }
+     }
+   }
+   ```
+
+4. Restart Claude Desktop, or from Claude Desktop Menu:
+
+  Developer -> Reload MCP Configuration
+
+5. When the Client decides to access a Xero tool for the first time, a Xero login page will pop up to ask your consent. Complete the auth flow and manually close the web page (as the Xero page will not auto close in this version)
+
+   **Privacy alert: after completing the Xero OAuth2 flow, your Xero data may go through the LLM that you use. If you are doing testing you should authorize to your [Xero Demo Company](https://central.xero.com/s/article/Use-the-demo-company).**
+
+## Tools
+
+- `authenticate`
+
+  Authenticate with Xero using OAuth2
+
+- `create_bank_transactions`
+
+  Creates one or more spent or received money transaction
+
+- `create_contacts`
+
+  Creates one or multiple contacts in a Xero organisation
+
+- `get_balance_sheet`
+
+  Retrieves report for balancesheet
+
+- `get_bank_transaction`
+
+  Retrieves a single spent or received money transaction by its Xero bank transaction ID
+
+- `get_invoice`
+
+  Retrieves a single sales invoice or purchase bill by its Xero invoice ID
+
+- `list_accounts`
+
+  Retrieves the full chart of accounts
+
+- `list_bank_transactions`
+
+  Retrieves any spent or received money transactions
+
+- `list_contacts`
+
+  Retrieves all contacts in a Xero organisation
+
+- `list_invoices`
+
+  Retrieves sales invoices or purchase bills
+
+- `list_organisations`
+
+  Retrieves Xero organisation details
+
+- `list_payments`
+
+  Retrieves payments for invoices and credit notes
+
+- `list_quotes`
+
+  Retrieves sales quotes
+
+- `update_bank_transaction`
+
+  Updates an existing spent or received money transaction (e.g. line items, contact, bank account) by bank transaction ID
+
+- `update_invoice`
+
+  Updates an existing sales invoice or purchase bill (typically a draft), including line items and account codes
+
+## Examples
+
+- "Visualize my financial position over the last month"
+
+    <img src="https://github.com/john-zhang-dev/assets/blob/main/xero-mcp/demo1.jpg?raw=true" width=50% height=50%>
+
+- "Track my spendings over last week"
+
+    <img src="https://github.com/john-zhang-dev/assets/blob/main/xero-mcp/demo2.jpg?raw=true" width=50% height=50%>
+
+- "Add all transactions from the monthly statement into my revenue account (account code 201) as receive money"
+
+## License
+
+MIT

package/build/Tools/Accounting/BankTransactions.js

@@ -1,9 +1,44 @@
 import { z } from "zod";
 import { XeroClientSession } from "../../XeroApiClient.js";
 import { XeroAccountingApiSchema } from "../../Resources/xero_accounting.js";
-import { parseArrayValues } from "../Utils/parseArrayValues.js";
-import { convertToCamelCase } from "../Utils/convertToCamelCase.js";
-import { sanitizeObject } from "../Utils/sanitizeValues.js";
+import { parseArrayValues } from "../../Utils/parseArrayValues.js";
+import { convertToCamelCase } from "../../Utils/convertToCamelCase.js";
+import { sanitizeObject } from "../../Utils/sanitizeValues.js";
+export const GetBankTransactionTool = {
+    requestSchema: {
+        name: "get_bank_transaction",
+        description: "Retrieves a single spent or received money transaction by its Xero bank transaction ID",
+        inputSchema: {
+            type: "object",
+            properties: {
+                bankTransactionID: {
+                    type: "string",
+                    description: "Xero-generated unique identifier for the bank transaction (UUID)",
+                },
+                unitdp: {
+                    type: "number",
+                    description: "Optional. Unit decimal places (e.g. 4) for unit amounts on line items",
+                },
+            },
+            required: ["bankTransactionID"],
+        },
+        output: { content: [{ type: "text", text: z.string() }] },
+    },
+    requestHandler: async (request) => {
+        const bankTransactionID = request.params.arguments
+            ?.bankTransactionID;
+        const unitdp = request.params.arguments?.unitdp;
+        const response = await XeroClientSession.xeroClient.accountingApi.getBankTransaction(XeroClientSession.activeTenantId(), bankTransactionID, unitdp);
+        return {
+            content: [
+                {
+                    type: "text",
+                    text: JSON.stringify(response.body.bankTransactions ?? []),
+                },
+            ],
+        };
+    },
+};
 export const ListBankTransactionsTool = {
     requestSchema: {
         name: "list_bank_transactions",
@@ -56,3 +91,56 @@ export const CreateBankTransactionsTool = {
         return { content: [{ type: "text", text: JSON.stringify(response.body) }] };
     },
 };
+export const UpdateBankTransactionTool = {
+    requestSchema: {
+        name: "update_bank_transaction",
+        description: "Updates an existing spent or received money transaction by its Xero bank transaction ID",
+        inputSchema: {
+            type: "object",
+            properties: {
+                bankTransactionID: {
+                    type: "string",
+                    description: "Xero generated unique identifier for the bank transaction (UUID)",
+                },
+                bankTransactions: {
+                    type: "object",
+                    description: "BankTransactions payload containing an array of bank transaction objects",
+                    properties: XeroAccountingApiSchema.components.schemas.BankTransactions.properties,
+                    example: '{ bankTransactions: [{ type: "SPEND", date: "2026-01-01", reference: "Expense Update", subTotal: 100, total: 115, totalTax: 15, lineItems: [{ accountCode: "401", description: "Taxi fare", lineAmount: 115 }], contact: { contactID: "00000000-0000-0000-0000-000000000000" }, bankAccount: { accountID: "6f7594f2-f059-4d56-9e67-47ac9733bfe9" }, status: "AUTHORISED" }]}',
+                },
+                unitdp: {
+                    type: "number",
+                    description: "Optional. Unit decimal places (e.g. 4) for unit amounts on line items",
+                },
+                idempotencyKey: {
+                    type: "string",
+                    description: "Optional idempotency key. Allows safe retries without duplicating processing",
+                },
+            },
+            required: ["bankTransactionID", "bankTransactions"],
+        },
+        output: { content: [{ type: "text", text: z.string() }] },
+    },
+    requestHandler: async (request) => {
+        const rawInputData = request.params.arguments;
+        const parsedData = parseArrayValues(rawInputData);
+        const bankTransactionID = parsedData?.bankTransactionID;
+        const unitdp = parsedData?.unitdp;
+        const idempotencyKey = parsedData?.idempotencyKey;
+        const rawBankTransactionsPayload = parsedData?.bankTransactions;
+        const bankTransactionsPayload = sanitizeObject(convertToCamelCase(rawBankTransactionsPayload));
+        if (!bankTransactionID) {
+            // Should be prevented by request schema, but keep a hard guard.
+            throw new Error("Missing required parameter: bankTransactionID");
+        }
+        const response = await XeroClientSession.xeroClient.accountingApi.updateBankTransaction(XeroClientSession.activeTenantId(), bankTransactionID, bankTransactionsPayload, unitdp, idempotencyKey);
+        return {
+            content: [
+                {
+                    type: "text",
+                    text: JSON.stringify(response.body ?? response.response?.status),
+                },
+            ],
+        };
+    },
+};

package/build/Tools/Accounting/Contacts.js

@@ -1,9 +1,9 @@
 import { XeroClientSession } from "../../XeroApiClient.js";
 import { z } from "zod";
 import { XeroAccountingApiSchema } from "../../Resources/xero_accounting.js";
-import { parseArrayValues } from "../Utils/parseArrayValues.js";
-import { convertToCamelCase } from "../Utils/convertToCamelCase.js";
-import { sanitizeObject } from "../Utils/sanitizeValues.js";
+import { parseArrayValues } from "../../Utils/parseArrayValues.js";
+import { convertToCamelCase } from "../../Utils/convertToCamelCase.js";
+import { sanitizeObject } from "../../Utils/sanitizeValues.js";
 export const ListContactsTool = {
     requestSchema: {
         name: "list_contacts",

package/build/Tools/Accounting/Invoices.js

@@ -1,5 +1,9 @@
 import { XeroClientSession } from "../../XeroApiClient.js";
 import { z } from "zod";
+import { XeroAccountingApiSchema } from "../../Resources/xero_accounting.js";
+import { parseArrayValues } from "../../Utils/parseArrayValues.js";
+import { convertToCamelCase } from "../../Utils/convertToCamelCase.js";
+import { sanitizeObject } from "../../Utils/sanitizeValues.js";
 export const ListInvoicesTool = {
     requestSchema: {
         name: "list_invoices",
@@ -32,3 +36,90 @@ export const ListInvoicesTool = {
         };
     },
 };
+export const GetInvoiceTool = {
+    requestSchema: {
+        name: "get_invoice",
+        description: "Retrieves a single sales invoice or purchase bill by its Xero invoice ID",
+        inputSchema: {
+            type: "object",
+            properties: {
+                invoiceID: {
+                    type: "string",
+                    description: "Xero-generated unique identifier for the invoice (UUID)",
+                },
+                unitdp: {
+                    type: "number",
+                    description: "Optional. Unit decimal places (e.g. 4) for unit amounts on line items",
+                },
+            },
+            required: ["invoiceID"],
+        },
+        output: { content: [{ type: "text", text: z.string() }] },
+    },
+    requestHandler: async (request) => {
+        const invoiceID = request.params.arguments?.invoiceID;
+        const unitdp = request.params.arguments?.unitdp;
+        const response = await XeroClientSession.xeroClient.accountingApi.getInvoice(XeroClientSession.activeTenantId(), invoiceID, unitdp);
+        return {
+            content: [
+                {
+                    type: "text",
+                    text: JSON.stringify(response.body.invoices ?? []),
+                },
+            ],
+        };
+    },
+};
+export const UpdateInvoiceTool = {
+    requestSchema: {
+        name: "update_invoice",
+        description: "Updates an existing sales invoice or purchase bill (typically a draft) to change fields like line items and account codes",
+        inputSchema: {
+            type: "object",
+            properties: {
+                invoiceID: {
+                    type: "string",
+                    description: "Xero generated unique identifier for the invoice (UUID)",
+                },
+                invoices: {
+                    type: "object",
+                    description: "Invoices payload containing an array of invoice objects",
+                    properties: XeroAccountingApiSchema.components.schemas.Invoices.properties,
+                    example: '{ invoices: [{ type: "ACCREC", contact: { contactId: "00000000-0000-0000-0000-000000000000" }, date: "2026-01-01", dueDate: "2026-01-15", lineItems: [{ description: "Service", quantity: 1, unitAmount: 100, accountCode: "400", tracking: [] }], reference: "Website Design", status: "DRAFT" }]}',
+                },
+                unitdp: {
+                    type: "number",
+                    description: "Optional. Unit decimal places (e.g. 4) for unit amounts on line items",
+                },
+                idempotencyKey: {
+                    type: "string",
+                    description: "Optional idempotency key. Allows safe retries without duplicating processing",
+                },
+            },
+            required: ["invoiceID", "invoices"],
+        },
+        output: { content: [{ type: "text", text: z.string() }] },
+    },
+    requestHandler: async (request) => {
+        const rawInputData = request.params.arguments;
+        const parsedData = parseArrayValues(rawInputData);
+        const invoiceID = parsedData?.invoiceID;
+        const unitdp = parsedData?.unitdp;
+        const idempotencyKey = parsedData?.idempotencyKey;
+        const rawInvoicesPayload = parsedData?.invoices;
+        const invoicesPayload = sanitizeObject(convertToCamelCase(rawInvoicesPayload));
+        if (!invoiceID) {
+            // Should be prevented by request schema, but keep a hard guard.
+            throw new Error("Missing required parameter: invoiceID");
+        }
+        const response = await XeroClientSession.xeroClient.accountingApi.updateInvoice(XeroClientSession.activeTenantId(), invoiceID, invoicesPayload, unitdp, idempotencyKey);
+        return {
+            content: [
+                {
+                    type: "text",
+                    text: JSON.stringify(response.body ?? response.response?.status),
+                },
+            ],
+        };
+    },
+};

package/build/Tools/McpToolsFactory.js

@@ -1,9 +1,8 @@
 import { ListAccountsTool } from "./Accounting/Accounts.js";
 import { AuthenticateTool } from "./Authenticate.js";
-import { CreateBankTransactionsTool, ListBankTransactionsTool } from "./Accounting/BankTransactions.js";
+import { CreateBankTransactionsTool, GetBankTransactionTool, ListBankTransactionsTool, UpdateBankTransactionTool, } from "./Accounting/BankTransactions.js";
 import { CreateContactsTool, ListContactsTool } from "./Accounting/Contacts.js";
-import { ListInvoicesTool } from "./Accounting/Invoices.js";
-import { ListJournalsTool } from "./Accounting/Journals.js";
+import { GetInvoiceTool, ListInvoicesTool, UpdateInvoiceTool, } from "./Accounting/Invoices.js";
 import { ListOrganisationsTool } from "./Accounting/Organisations.js";
 import { ListPaymentsTool } from "./Accounting/Payments.js";
 import { ListQuotesTool } from "./Accounting/Quotes.js";
@@ -14,14 +13,17 @@ export const McpToolsFactory = (function () {
         CreateBankTransactionsTool,
         CreateContactsTool,
         GetBalanceSheetTool,
+        GetBankTransactionTool,
+        GetInvoiceTool,
         ListAccountsTool,
         ListBankTransactionsTool,
         ListContactsTool,
         ListInvoicesTool,
-        ListJournalsTool,
         ListOrganisationsTool,
         ListPaymentsTool,
         ListQuotesTool,
+        UpdateBankTransactionTool,
+        UpdateInvoiceTool,
         // register new tools here alphabetically
     ];
     return {

package/build/{Tools/Utils → Utils}/sanitizeValues.js

@@ -3,25 +3,33 @@
  * 1. Removing javascript protocol
  * 2. Removing HTML tags
  * 3. Escaping special characters
- * 4. Trimming whitespace
+ * 4. Preventing SQL injections
+ * 5. Trimming whitespace
  */
 export function sanitizeValue(value) {
-    return value
-        // Remove javascript protocol
-        .replace(/javascript:/gi, '')
-        // Remove HTML tags
-        .replace(/<[^>]*>/g, '')
-        // Escape special characters (excluding quotes)
-        .replace(/[&<>]/g, char => {
+    if (typeof value !== 'string') {
+        return value;
+    }
+    let result = value;
+    // Remove javascript protocol
+    result = result.replace(/javascript:/gi, '');
+    // Remove HTML tags
+    result = result.replace(/<[^>]*>/g, '');
+    // Escape HTML special characters
+    result = result.replace(/[&<>]/g, char => {
         const escapeMap = {
             '&': '&amp;',
             '<': '&lt;',
             '>': '&gt;'
         };
         return escapeMap[char];
-    })
-        // Trim whitespace
-        .trim();
+    });
+    // Prevent SQL injection - escape single quotes
+    result = result.replace(/(['"])/g, match => {
+        return match === "'" ? "''" : match;
+    });
+    // Trim whitespace
+    return result.trim();
 }
 /**
  * Sanitizes all string values in an object recursively

package/build/{Tools/Utils → Utils}/sanitizeValues.test.js

@@ -14,6 +14,19 @@ describe('sanitizeValue', () => {
         expect(sanitizeValue('<')).toBe('&lt;');
         expect(sanitizeValue('>')).toBe('&gt;');
     });
+    it('prevents SQL injection', () => {
+        // Basic SQL injection patterns
+        expect(sanitizeValue("O'Connor")).toBe("O''Connor");
+        expect(sanitizeValue("' OR '1'='1")).toBe("'' OR ''1''=''1");
+        expect(sanitizeValue("'; DROP TABLE users; --")).toBe("''; DROP TABLE users; --");
+        // More complex SQL injection patterns
+        expect(sanitizeValue("' UNION SELECT username, password FROM users --")).toBe("'' UNION SELECT username, password FROM users --");
+        expect(sanitizeValue("' OR 1=1; UPDATE users SET password='hacked' WHERE username='admin'; --")).toBe("'' OR 1=1; UPDATE users SET password=''hacked'' WHERE username=''admin''; --");
+        expect(sanitizeValue("admin' --")).toBe("admin'' --");
+        expect(sanitizeValue("1' OR '1' = '1")).toBe("1'' OR ''1'' = ''1");
+        // Double quotes should remain unchanged (handled by parameterized queries)
+        expect(sanitizeValue('User "Admin"')).toBe('User "Admin"');
+    });
     it('trims whitespace', () => {
         expect(sanitizeValue('  hello  ')).toBe('hello');
         expect(sanitizeValue('\n\t\r  hello  \n\t\r')).toBe('hello');
@@ -21,11 +34,14 @@ describe('sanitizeValue', () => {
     it('handles multiple sanitization requirements', () => {
         expect(sanitizeValue('  javascript:alert("<script>")  ')).toBe('alert("")');
         expect(sanitizeValue('<div>Hello & World</div>')).toBe('Hello &amp; World');
+        expect(sanitizeValue("  <script>alert('DROP TABLE users');</script>  ")).toBe("alert(''DROP TABLE users'');");
+        expect(sanitizeValue("  <img src='x' onerror='alert(\"1\")'>admin' OR '1'='1  ")).toBe("admin'' OR ''1''=''1");
     });
 });
 describe('sanitizeObject', () => {
     it('handles primitive values', () => {
         expect(sanitizeObject('  <script>alert("xss")</script>  ')).toBe('alert("xss")');
+        expect(sanitizeObject("O'Connor")).toBe("O''Connor");
         expect(sanitizeObject(123)).toBe(123);
         expect(sanitizeObject(true)).toBe(true);
         expect(sanitizeObject(null)).toBe(null);
@@ -35,12 +51,16 @@ describe('sanitizeObject', () => {
         const input = [
             '  <script>alert("xss")</script>  ',
             'javascript:alert("xss")',
-            'Hello & World'
+            'Hello & World',
+            "admin' OR '1'='1",
+            "'; DROP TABLE users; --"
         ];
         const expected = [
             'alert("xss")',
             'alert("xss")',
-            'Hello &amp; World'
+            'Hello &amp; World',
+            "admin'' OR ''1''=''1",
+            "''; DROP TABLE users; --"
         ];
         expect(sanitizeObject(input)).toEqual(expected);
     });
@@ -49,14 +69,26 @@ describe('sanitizeObject', () => {
             name: '  <script>alert("xss")</script>  ',
             address: {
                 street: 'javascript:alert("xss")',
-                city: 'Hello & World'
+                city: 'Hello & World',
+                country: "O'Connor",
+                postalCode: "123' OR '1'='1"
+            },
+            credentials: {
+                username: "admin' --",
+                password: "'; UPDATE users SET password='hacked'; --"
             }
         };
         const expected = {
             name: 'alert("xss")',
             address: {
                 street: 'alert("xss")',
-                city: 'Hello &amp; World'
+                city: 'Hello &amp; World',
+                country: "O''Connor",
+                postalCode: "123'' OR ''1''=''1"
+            },
+            credentials: {
+                username: "admin'' --",
+                password: "''; UPDATE users SET password=''hacked''; --"
             }
         };
         expect(sanitizeObject(input)).toEqual(expected);
@@ -64,11 +96,19 @@ describe('sanitizeObject', () => {
     it('handles arrays of objects', () => {
         const input = [
             { name: '<script>alert("xss")</script>' },
-            { address: 'javascript:alert("xss")' }
+            { address: 'javascript:alert("xss")' },
+            {
+                username: "admin' OR '1'='1",
+                query: "'; DROP TABLE users; --"
+            }
         ];
         const expected = [
             { name: 'alert("xss")' },
-            { address: 'alert("xss")' }
+            { address: 'alert("xss")' },
+            {
+                username: "admin'' OR ''1''=''1",
+                query: "''; DROP TABLE users; --"
+            }
         ];
         expect(sanitizeObject(input)).toEqual(expected);
     });
@@ -77,7 +117,12 @@ describe('sanitizeObject', () => {
             level1: {
                 level2: {
                     level3: {
-                        value: '<script>alert("xss")</script>'
+                        value: '<script>alert("xss")</script>',
+                        sqlInjection: {
+                            query: "'; DROP TABLE users; --",
+                            condition: "admin' OR '1'='1",
+                            update: "'; UPDATE users SET password='hacked'; --"
+                        }
                     }
                 }
             }
@@ -86,7 +131,12 @@ describe('sanitizeObject', () => {
             level1: {
                 level2: {
                     level3: {
-                        value: 'alert("xss")'
+                        value: 'alert("xss")',
+                        sqlInjection: {
+                            query: "''; DROP TABLE users; --",
+                            condition: "admin'' OR ''1''=''1",
+                            update: "''; UPDATE users SET password=''hacked''; --"
+                        }
                     }
                 }
             }
@@ -107,12 +157,17 @@ describe('sanitizeObject', () => {
             array: [
                 'javascript:alert("xss")',
                 456,
-                false
+                false,
+                "admin' OR '1'='1"
             ],
             object: {
                 string: 'Hello & World',
                 number: 789,
-                boolean: false
+                boolean: false,
+                sqlInjection: {
+                    query: "'; DROP TABLE users; --",
+                    username: "admin' --"
+                }
             }
         };
         const expected = {
@@ -124,12 +179,17 @@ describe('sanitizeObject', () => {
             array: [
                 'alert("xss")',
                 456,
-                false
+                false,
+                "admin'' OR ''1''=''1"
             ],
             object: {
                 string: 'Hello &amp; World',
                 number: 789,
-                boolean: false
+                boolean: false,
+                sqlInjection: {
+                    query: "''; DROP TABLE users; --",
+                    username: "admin'' --"
+                }
             }
         };
         expect(sanitizeObject(input)).toEqual(expected);

package/build/XeroApiClient.js

@@ -3,7 +3,7 @@ import "dotenv/config";
 const client_id = process.env.XERO_CLIENT_ID;
 const client_secret = process.env.XERO_CLIENT_SECRET;
 const redirectUrl = process.env.XERO_REDIRECT_URI;
-const scopes = "offline_access openid profile accounting.transactions.read accounting.contacts.read accounting.journals.read accounting.reports.read";
+const scopes = "offline_access openid profile accounting.settings accounting.contacts accounting.invoices accounting.banktransactions accounting.payments.read accounting.reports.balancesheet.read";
 if (!client_id || !client_secret || !redirectUrl) {
     throw Error("Environment Variables not all set - please check your .env file in the project root or create one!");
 }

package/build/XeroMcpServer.js

@@ -1,9 +1,11 @@
 import { Server } from "@modelcontextprotocol/sdk/server/index.js";
-import { CallToolRequestSchema, ListToolsRequestSchema, } from "@modelcontextprotocol/sdk/types.js";
+import { CallToolRequestSchema, ErrorCode, ListResourceTemplatesRequestSchema, ListResourcesRequestSchema, ListToolsRequestSchema, McpError, ReadResourceRequestSchema, } from "@modelcontextprotocol/sdk/types.js";
 import { StdioServerTransport } from "@modelcontextprotocol/sdk/server/stdio.js";
 import { McpToolsFactory } from "./Tools/McpToolsFactory.js";
 import { XeroAuthMiddleware } from "./Middlewares/XeroAuthMiddleware.js";
 import { ErrorMiddleware } from "./Middlewares/ErrorMiddleware.js";
+import { XeroAccountingApiSchema } from "./Resources/xero_accounting.js";
+const ACCOUNTING_OPENAPI_RESOURCE_URI = "xero-mcp://accounting/openapi.json";
 export class XeroMcpServer {
     mcpServer;
     constructor() {
@@ -13,11 +15,13 @@ export class XeroMcpServer {
         }, {
             capabilities: {
                 tools: {},
+                resources: {},
             },
         });
     }
     async start() {
         this.configureTools();
+        this.configureResources();
         const transport = new StdioServerTransport();
         await this.mcpServer.connect(transport);
         console.error("Xero MCP server running on stdio");
@@ -50,4 +54,31 @@ export class XeroMcpServer {
             });
         });
     }
+    configureResources() {
+        this.mcpServer.setRequestHandler(ListResourcesRequestSchema, async () => ({
+            resources: [
+                {
+                    uri: ACCOUNTING_OPENAPI_RESOURCE_URI,
+                    name: "Xero Accounting API (OpenAPI)",
+                    description: "OpenAPI 3.0 document for the Xero Accounting API (paths, operations, schemas). Use when you need request/response shapes or endpoint details beyond the bundled tools.",
+                    mimeType: "application/json",
+                },
+            ],
+        }));
+        this.mcpServer.setRequestHandler(ListResourceTemplatesRequestSchema, async () => ({ resourceTemplates: [] }));
+        this.mcpServer.setRequestHandler(ReadResourceRequestSchema, async (request) => {
+            if (request.params.uri !== ACCOUNTING_OPENAPI_RESOURCE_URI) {
+                throw new McpError(ErrorCode.InvalidParams, `Resource not found: ${request.params.uri}`);
+            }
+            return {
+                contents: [
+                    {
+                        uri: ACCOUNTING_OPENAPI_RESOURCE_URI,
+                        mimeType: "application/json",
+                        text: JSON.stringify(XeroAccountingApiSchema),
+                    },
+                ],
+            };
+        });
+    }
 }

package/package.json

@@ -1,48 +1,48 @@
-{
-  "name": "xero-mcp",
-  "version": "1.3.0",
-  "description": "A Model Context Protocol server allows Clients to interact with Xero",
-  "author": "Jianyang Zhang",
-  "type": "module",
-  "main": "build/index.js",
-  "bin": {
-    "xero-mcp": "./build/index.js"
-  },
-  "scripts": {
-    "build": "tsc && node -e \"require('fs').chmodSync('build/index.js', '755')\"",
-    "start:dev": "tsx src/index.ts",
-    "test": "jest"
-  },
-  "files": [
-    "build",
-    "README.md"
-  ],
-  "keywords": [
-    "mcp",
-    "xero",
-    "modelcontextprotocol",
-    "AI",
-    "accounting"
-  ],
-  "repository": {
-    "type": "git",
-    "url": "git+https://github.com/john-zhang-dev/xero-mcp.git"
-  },
-  "dependencies": {
-    "@modelcontextprotocol/sdk": "^1.7.0",
-    "dotenv": "^16.4.7",
-    "open": "^10.1.0",
-    "xero-node": "^10.0.0",
-    "zod": "^3.24.2"
-  },
-  "devDependencies": {
-    "@types/jest": "^29.5.14",
-    "@types/node": "^22.13.10",
-    "jest": "^29.7.0",
-    "ts-jest": "^29.3.0",
-    "ts-node": "^10.9.2",
-    "tsx": "^4.19.3",
-    "typescript": "^5.8.2"
-  },
-  "license": "MIT"
+{
+  "name": "xero-mcp",
+  "version": "2.0.0-beta",
+  "description": "A Model Context Protocol server allows Clients to interact with Xero",
+  "author": "Jianyang Zhang",
+  "type": "module",
+  "main": "build/index.js",
+  "bin": {
+    "xero-mcp": "./build/index.js"
+  },
+  "scripts": {
+    "build": "tsc && node -e \"require('fs').chmodSync('build/index.js', '755')\"",
+    "start:dev": "tsx src/index.ts",
+    "test": "jest"
+  },
+  "files": [
+    "build",
+    "README.md"
+  ],
+  "keywords": [
+    "mcp",
+    "xero",
+    "modelcontextprotocol",
+    "AI",
+    "accounting"
+  ],
+  "repository": {
+    "type": "git",
+    "url": "git+https://github.com/john-zhang-dev/xero-mcp.git"
+  },
+  "dependencies": {
+    "@modelcontextprotocol/sdk": "^1.7.0",
+    "dotenv": "^16.4.7",
+    "open": "^10.1.0",
+    "xero-node": "^14.0.0",
+    "zod": "^3.24.2"
+  },
+  "devDependencies": {
+    "@types/jest": "^29.5.14",
+    "@types/node": "^25.5.0",
+    "jest": "^29.7.0",
+    "ts-jest": "^29.3.0",
+    "ts-node": "^10.9.2",
+    "tsx": "^4.19.3",
+    "typescript": "^5.8.2"
+  },
+  "license": "MIT"
 }