mcp-server-microsoft-tasks 0.1.0__tar.gz

mcp_server_microsoft_tasks-0.1.0/.github/CODEOWNERS

@@ -0,0 +1,6 @@
+# SPDX-License-Identifier: MIT OR Apache-2.0
+# Default owners for everything
+* @XMV-Solutions-GmbH/open-source
+
+# Documentation can have different reviewers
+# /docs/ @XMV-Solutions-GmbH/docs-team

mcp_server_microsoft_tasks-0.1.0/.github/ISSUE_TEMPLATE/bug_report.md

@@ -0,0 +1,42 @@
+---
+name: Bug Report
+about: Create a report to help us improve
+title: "[BUG] "
+labels: ["bug"]
+assignees: []
+---
+
+<!-- SPDX-License-Identifier: MIT OR Apache-2.0 -->
+
+## 🐛 Bug Description
+
+A clear and concise description of what the bug is.
+
+## 🔁 Steps to Reproduce
+
+1. Go to '...'
+2. Click on '....'
+3. Scroll down to '....'
+4. See error
+
+## 🧐 Expected Behaviour
+
+A clear and concise description of what you expected to happen.
+
+## 😯 Actual Behaviour
+
+A clear and concise description of what actually happened.
+
+## 📸 Screenshots
+
+If applicable, add screenshots to help explain your problem.
+
+## 💻 Environment
+
+- **OS:** [e.g. Linux, macOS, Windows]
+- **Version:** [e.g. 1.0.0]
+- **Toolchain:** [e.g. Rust 1.82, Node 20]
+
+## 📋 Additional Context
+
+Add any other context about the problem here.

mcp_server_microsoft_tasks-0.1.0/.github/ISSUE_TEMPLATE/feature_request.md

@@ -0,0 +1,29 @@
+---
+name: Feature Request
+about: Suggest an idea for this project
+title: "[FEAT] "
+labels: ["enhancement"]
+assignees: []
+---
+
+<!-- SPDX-License-Identifier: MIT OR Apache-2.0 -->
+
+## ✨ Feature Description
+
+A clear and concise description of what the feature is.
+
+## 😫 Problem it Solves
+
+Describe the problem your proposal solves. "I'm always frustrated when..."
+
+## 💡 Possible Implementation
+
+Describes how you imagine the implementation.
+
+## 🔄 Alternatives Considered
+
+A clear and concise description of any alternative solutions or features you've considered.
+
+## 📋 Additional Context
+
+Add any other context or screenshots about the feature request here.

mcp_server_microsoft_tasks-0.1.0/.github/PULL_REQUEST_TEMPLATE.md

@@ -0,0 +1,26 @@
+<!-- SPDX-License-Identifier: MIT OR Apache-2.0 -->
+
+## 📝 Description
+
+Please include a summary of the change and which issue is fixed.
+
+Fixes # (issue)
+
+## 🧪 Testing
+
+Please describe the tests that you ran to verify your changes.
+
+- [ ] Unit tests
+- [ ] Integration tests
+- [ ] Manual tests
+
+## ✅ Checklist
+
+- [ ] My code follows the code style of this project
+- [ ] I have performed a self-review of my own code
+- [ ] I have commented my code, particularly in hard-to-understand areas
+- [ ] I have made corresponding changes to the documentation
+- [ ] My changes generate no new warnings
+- [ ] I have added tests that prove my fix is effective or that my feature works
+- [ ] New and existing unit tests pass locally with my changes
+- [ ] Any dependent changes have been merged and published in downstream modules

mcp_server_microsoft_tasks-0.1.0/.github/copilot-instructions.md

@@ -0,0 +1,6 @@
+<!-- SPDX-License-Identifier: MIT OR Apache-2.0 -->
+# GitHub Copilot instructions
+
+This file exists because GitHub Copilot auto-discovers it. The actual brief for any AI agent in this repo — Copilot, Codex, Claude Code, Cursor, Aider, all of them — is **[`AGENTS.md`](../AGENTS.md)** at the repo root. Read that first; it's the same content for every tool.
+
+This file is intentionally minimal. If a Copilot-only convention ever becomes load-bearing (e.g. a Copilot-Chat-specific behaviour), capture it below this header — until then, this file is just a pointer so Copilot finds the brief at its conventional location.

mcp_server_microsoft_tasks-0.1.0/.github/dependabot.yml

@@ -0,0 +1,7 @@
+version: 2
+updates:
+  - package-ecosystem: "github-actions"
+    directory: "/"
+    schedule:
+      interval: "weekly"
+    open-pull-requests-limit: 10

mcp_server_microsoft_tasks-0.1.0/.github/gh-scripts/assign-repo-to-team.sh

@@ -0,0 +1,70 @@
+#!/usr/bin/env bash
+# SPDX-License-Identifier: MIT OR Apache-2.0
+#
+# assign-repo-to-team.sh
+#
+# Assigns the repository to a team with write access.
+# Configuration is loaded from repo.ini in the repository root.
+#
+# Usage:
+#   ./.github/gh-scripts/assign-repo-to-team.sh
+#
+# Environment variables can override repo.ini values:
+#   ORG, REPO, TEAM_SLUG
+
+set -euo pipefail
+
+# ---------------------------
+# Load configuration
+# ---------------------------
+SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
+REPO_ROOT="$(cd "${SCRIPT_DIR}/../.." && pwd)"
+CONFIG_FILE="${REPO_ROOT}/repo.ini"
+
+if [[ -f "${CONFIG_FILE}" ]]; then
+  echo ">> Loading configuration from repo.ini"
+  # shellcheck source=/dev/null
+  source "${CONFIG_FILE}"
+else
+  echo "WARNING: repo.ini not found, using defaults/environment variables" >&2
+fi
+
+# ---------------------------
+# Configuration (override via env)
+# ---------------------------
+ORG="${ORG:-XMV-Solutions-GmbH}"
+REPO="${REPO:-oss-project-template}"
+TEAM_SLUG="${TEAM_SLUG:-open-source}"
+
+# ---------------------------
+# Helpers
+# ---------------------------
+require_cmd() {
+  command -v "$1" >/dev/null 2>&1 || {
+    echo "ERROR: Missing required command: $1" >&2
+    exit 1
+  }
+}
+
+# ---------------------------
+# Preconditions
+# ---------------------------
+require_cmd gh
+
+if ! gh auth status >/dev/null 2>&1; then
+  echo "ERROR: gh is not authenticated. Run: gh auth login" >&2
+  exit 1
+fi
+
+# ---------------------------
+# Execute
+# ---------------------------
+FULL_REPO="${ORG}/${REPO}"
+
+echo ">> Granting write access to team '${TEAM_SLUG}' on repo '${FULL_REPO}'"
+
+gh api -X PUT "orgs/${ORG}/teams/${TEAM_SLUG}/repos/${ORG}/${REPO}" \
+  -H "Accept: application/vnd.github+json" \
+  -f permission="push"
+
+echo ">> Done."

mcp_server_microsoft_tasks-0.1.0/.github/gh-scripts/setup-branch-protection.sh

@@ -0,0 +1,173 @@
+#!/usr/bin/env bash
+# SPDX-License-Identifier: MIT OR Apache-2.0
+#
+# setup-branch-protection.sh
+#
+# Sets PR-only branch protection for the default branch (usually main),
+# restricts direct pushes to a maintainer team, and requires CI status checks.
+# Configuration is loaded from repo.ini in the repository root.
+#
+# Usage:
+#   ./.github/gh-scripts/setup-branch-protection.sh
+#
+# Environment variables can override repo.ini values:
+#   ORG, REPO, BRANCH, TEAM_SLUG, REQUIRED_APPROVALS, etc.
+#
+# IMPORTANT:
+# The required status check contexts MUST match the workflow/job names.
+# Configure STATUS_CHECKS in repo.ini to match your CI workflow job names.
+
+set -euo pipefail
+
+# ---------------------------
+# Load configuration
+# ---------------------------
+SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
+REPO_ROOT="$(cd "${SCRIPT_DIR}/../.." && pwd)"
+CONFIG_FILE="${REPO_ROOT}/repo.ini"
+
+if [[ -f "${CONFIG_FILE}" ]]; then
+  echo ">> Loading configuration from repo.ini"
+  # shellcheck source=/dev/null
+  source "${CONFIG_FILE}"
+else
+  echo "WARNING: repo.ini not found, using defaults/environment variables" >&2
+fi
+
+# ---------------------------
+# Configuration (override via env)
+# ---------------------------
+ORG="${ORG:-XMV-Solutions-GmbH}"
+REPO="${REPO:-oss-project-template}"
+BRANCH="${BRANCH:-main}"
+TEAM_SLUG="${TEAM_SLUG:-open-source}"
+
+# PR review rules
+REQUIRED_APPROVALS="${REQUIRED_APPROVALS:-0}"
+REQUIRE_CODEOWNER_REVIEWS="${REQUIRE_CODEOWNER_REVIEWS:-false}"
+DISMISS_STALE_REVIEWS="${DISMISS_STALE_REVIEWS:-true}"
+
+# Admin enforcement
+ENFORCE_ADMINS="${ENFORCE_ADMINS:-true}"
+
+# Required status checks (comma-separated string from repo.ini)
+# Format: "check1,check2" - commas separate checks, spaces are preserved within check names
+# Example: "CI / lint,CI / test" results in two checks: "CI / lint" and "CI / test"
+STATUS_CHECKS_STRING="${STATUS_CHECKS:-lint,test}"
+
+# Convert comma-separated string to array, preserving spaces within check names
+IFS=',' read -ra STATUS_CHECKS_ARRAY <<< "${STATUS_CHECKS_STRING}"
+
+# Optional: allow certain actors to push to main besides team
+EXTRA_USERS="${EXTRA_USERS:-}"
+EXTRA_APPS="${EXTRA_APPS:-}"
+
+FULL_REPO="${ORG}/${REPO}"
+
+# ---------------------------
+# Helpers
+# ---------------------------
+require_cmd() {
+  command -v "$1" >/dev/null 2>&1 || {
+    echo "ERROR: Missing required command: $1" >&2
+    exit 1
+  }
+}
+
+split_csv_to_json_array() {
+  local csv="${1:-}"
+  if [[ -z "${csv}" ]]; then
+    echo "[]"
+    return
+  fi
+  local normalized
+  normalized="$(echo "${csv}" | sed 's/[[:space:]]//g')"
+  echo "${normalized}" | awk -F',' '{
+    printf("[");
+    for (i=1; i<=NF; i++) {
+      printf("\"%s\"", $i);
+      if (i<NF) printf(",");
+    }
+    printf("]");
+  }'
+}
+
+json_array_from_bash_array() {
+  # Print JSON array from STATUS_CHECKS_ARRAY bash array
+  printf '%s\n' "${STATUS_CHECKS_ARRAY[@]}" | jq -R . | jq -s .
+}
+
+# ---------------------------
+# Preconditions
+# ---------------------------
+require_cmd gh
+require_cmd jq
+
+if ! gh auth status >/dev/null 2>&1; then
+  echo "ERROR: gh is not authenticated. Run: gh auth login" >&2
+  exit 1
+fi
+
+echo ">> Repo: ${FULL_REPO}"
+gh repo view "${FULL_REPO}" >/dev/null
+
+echo ">> Team: ${ORG}/${TEAM_SLUG}"
+gh api "orgs/${ORG}/teams/${TEAM_SLUG}" >/dev/null
+
+USERS_JSON="$(split_csv_to_json_array "${EXTRA_USERS}")"
+APPS_JSON="$(split_csv_to_json_array "${EXTRA_APPS}")"
+CHECKS_JSON="$(json_array_from_bash_array)"
+
+echo ">> Required status checks:"
+echo "${CHECKS_JSON}" | jq -r '.[]' | sed 's/^/   - /'
+
+# ---------------------------
+# Apply protection
+# ---------------------------
+echo ">> Applying branch protection to ${FULL_REPO}:${BRANCH}"
+
+# Build the simplified JSON payload for the PUT request
+# Note: GitHub API strictness requires proper JSON types (booleans as true/false, not strings)
+PAYLOAD=$(jq -n \
+  --arg enforce_admins "$ENFORCE_ADMINS" \
+  --arg required_approvals "$REQUIRED_APPROVALS" \
+  --arg dismiss_stale "$DISMISS_STALE_REVIEWS" \
+  --arg code_owner "$REQUIRE_CODEOWNER_REVIEWS" \
+  --arg team_slug "$TEAM_SLUG" \
+  --argjson checks "$CHECKS_JSON" \
+  --argjson extra_users "$USERS_JSON" \
+  --argjson extra_apps "$APPS_JSON" \
+  '{
+    required_status_checks: {
+      strict: true,
+      contexts: $checks
+    },
+    enforce_admins: ($enforce_admins == "true"),
+    required_pull_request_reviews: {
+      dismiss_stale_reviews: ($dismiss_stale == "true"),
+      require_code_owner_reviews: ($code_owner == "true"),
+      required_approving_review_count: ($required_approvals | tonumber),
+      require_last_push_approval: false
+    },
+    restrictions: {
+      users: $extra_users,
+      teams: [$team_slug],
+      apps: $extra_apps
+    },
+    required_conversation_resolution: true,
+    allow_force_pushes: false,
+    allow_deletions: false
+  }'
+)
+
+echo ">> Config Payload generated"
+
+# Send the request
+echo "$PAYLOAD" | gh api -X PUT "repos/${FULL_REPO}/branches/${BRANCH}/protection" \
+  -H "Accept: application/vnd.github+json" \
+  --input - \
+  >/dev/null
+
+echo ">> Done."
+
+echo ">> NOTE: If checks don't exist yet, GitHub will not be able to enforce them until the workflow runs at least once."

mcp_server_microsoft_tasks-0.1.0/.github/workflows/HARNESS_JOB.md

@@ -0,0 +1,54 @@
+<!-- SPDX-License-Identifier: MIT OR Apache-2.0 -->
+# Harness job snippet
+
+Drop the YAML below into `ci.yml` once the project has a real external sandbox to test against. The harness layer is the **gate** per [`ENGINEERING_PRINCIPLES.md` § 5](../../ENGINEERING_PRINCIPLES.md): no feature ticket lands before this is green.
+
+The snippet is structured to match the rest of `ci.yml`. Two design choices are load-bearing:
+
+- **`needs: test`** — run only after lint and test pass, so we don't burn an external-API call when the basics are red.
+- **`if: github.event_name == 'push' || github.event.pull_request.head.repo.full_name == github.repository`** — skip silently on PRs from forks. Forks don't get repo secrets, so a fork PR running this job would fail with no useful signal. The skip-silently pattern is what the sister projects (sharepoint-mcp, outlook-mcp) settled on so external contributions aren't blocked on something they can't provide.
+
+Inside the job: restore the credential from a base64-encoded repo secret, write it where the harness expects, run the harness suite. The "skip when secret is empty" early-exit means a freshly-cloned project with no secret configured still lands in the green path until the maintainer flips the harness on.
+
+```yaml
+  harness:
+    runs-on: ubuntu-latest
+    needs: test
+    if: github.event_name == 'push' || github.event.pull_request.head.repo.full_name == github.repository
+    steps:
+      - uses: actions/checkout@v6
+
+      # Replace the language-setup steps with the project's stack.
+      # Example for Python:
+      # - uses: actions/setup-python@v6
+      #   with:
+      #     python-version: "3.11"
+      # - uses: astral-sh/setup-uv@v7
+      # - run: uv sync --extra dev
+
+      - name: Restore harness credential from repo secret
+        env:
+          # Project-specific secret name. Sister projects use
+          # SHAREPOINT_HARNESS_TOKEN_JSON / OUTLOOK_HARNESS_TOKEN_JSON.
+          HARNESS_CRED_B64: ${{ secrets.HARNESS_CRED_B64 }}
+        run: |
+          if [ -z "$HARNESS_CRED_B64" ]; then
+            echo "::warning::HARNESS_CRED_B64 not set — harness tests will be skipped."
+            exit 0
+          fi
+          mkdir -p ~/.cache/<project-name>/harness
+          printf '%s' "$HARNESS_CRED_B64" | base64 -d > ~/.cache/<project-name>/harness/cred.json
+          chmod 600 ~/.cache/<project-name>/harness/cred.json
+          echo "Harness credential restored ($(wc -c < ~/.cache/<project-name>/harness/cred.json) bytes)."
+
+      - name: Run harness tests against the real external system
+        run: ./tests/run_tests.sh harness
+```
+
+## Required-status-checks update
+
+When you flip the harness job on, add `harness` to `STATUS_CHECKS` in `repo.ini` and re-run `.github/gh-scripts/setup-branch-protection.sh` so branch protection actually requires it.
+
+## Token rotation
+
+If the credential is a refresh token, it rotates every ~60–90 days for most providers. Add a recurring chore in `CLAUDE.md` and a `scripts/renew-harness-token.sh` (per [`ENGINEERING_PRINCIPLES.md` § 8](../../ENGINEERING_PRINCIPLES.md)) so renewing it is a one-command flow before CI starts failing on its own.

mcp_server_microsoft_tasks-0.1.0/.github/workflows/ci.yml

@@ -0,0 +1,119 @@
+# Three-job CI: lint / test / harness. Same shape as the sister
+# Microsoft-Graph MCP projects (sharepoint-mcp, outlook-mcp). The
+# harness job is gated behind a repo secret and skips silently when
+# absent, so PRs from forks don't get blocked.
+#
+# Per ENGINEERING_PRINCIPLES § 6 (CI vigilance): every push is watched
+# to completion; trunk red is a P0 incident.
+
+name: CI
+
+on:
+  push:
+    branches: [main]
+  pull_request:
+    branches: [main]
+
+jobs:
+  lint:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v6
+
+      - name: Lint Markdown
+        uses: DavidAnson/markdownlint-cli2-action@v23
+        with:
+          globs: |
+            **/*.md
+
+      - name: Set up Python
+        uses: actions/setup-python@v6
+        with:
+          python-version: "3.11"
+
+      - name: Install uv
+        uses: astral-sh/setup-uv@v7
+
+      - name: Install package + dev dependencies
+        run: uv sync --extra dev
+
+      - name: ruff check
+        run: uv run ruff check src tests
+
+      - name: ruff format check
+        run: uv run ruff format --check src tests
+
+      - name: mypy
+        run: uv run mypy src/microsoft_tasks_mcp tests
+
+  test:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v6
+
+      - name: Compare licences
+        run: diff LICENSE LICENSE-MIT
+
+      - name: Set up Python
+        uses: actions/setup-python@v6
+        with:
+          python-version: "3.11"
+
+      - name: Install uv
+        uses: astral-sh/setup-uv@v7
+
+      - name: Install package + dev dependencies
+        run: uv sync --extra dev
+
+      - name: Run unit + integration tests with coverage
+        run: ./tests/run_tests.sh
+
+      - name: Upload coverage to Codecov
+        if: ${{ hashFiles('coverage.xml') != '' }}
+        uses: codecov/codecov-action@v5
+        with:
+          files: coverage.xml
+          fail_ci_if_error: false
+          verbose: false
+
+  harness:
+    runs-on: ubuntu-latest
+    needs: test
+    # Run harness tests against the real Microsoft 365 sandbox using the
+    # cached refresh token from the MS_TASKS_HARNESS_TOKEN_JSON secret.
+    # Skips silently when the secret isn't available (e.g. on PRs from
+    # forks where secrets aren't passed) so external contributions
+    # aren't blocked on something they can't provide.
+    if: github.event_name == 'push' || github.event.pull_request.head.repo.full_name == github.repository
+    steps:
+      - uses: actions/checkout@v6
+
+      - name: Set up Python
+        uses: actions/setup-python@v6
+        with:
+          python-version: "3.11"
+
+      - name: Install uv
+        uses: astral-sh/setup-uv@v7
+
+      - name: Install package + dev dependencies
+        run: uv sync --extra dev
+
+      - name: Restore harness token cache from secret
+        env:
+          TOKEN_B64: ${{ secrets.MS_TASKS_HARNESS_TOKEN_JSON }}
+        run: |
+          if [ -z "$TOKEN_B64" ]; then
+            echo "::warning::MS_TASKS_HARNESS_TOKEN_JSON not set — harness tests will be skipped."
+            exit 0
+          fi
+          mkdir -p ~/.cache/mcp-server-microsoft-tasks/harness
+          printf '%s' "$TOKEN_B64" | base64 -d > ~/.cache/mcp-server-microsoft-tasks/harness/token.json
+          chmod 600 ~/.cache/mcp-server-microsoft-tasks/harness/token.json
+          echo "Harness token cache restored ($(wc -c < ~/.cache/mcp-server-microsoft-tasks/harness/token.json) bytes)."
+
+      - name: Run harness tests against real Microsoft Graph
+        env:
+          # Use plain-file backend explicitly (CI runners have no keyring).
+          MS_TASKS_TOKEN_STORE: file
+        run: ./tests/run_tests.sh harness

mcp_server_microsoft_tasks-0.1.0/.github/workflows/release.yml

@@ -0,0 +1,51 @@
+name: release
+
+on:
+  push:
+    tags:
+      - "v*"
+
+permissions:
+  contents: write
+  id-token: write  # for PyPI Trusted Publisher (OIDC)
+
+jobs:
+  build-and-publish:
+    runs-on: ubuntu-latest
+    environment:
+      name: pypi
+      url: https://pypi.org/p/mcp-server-microsoft-tasks
+    steps:
+      - uses: actions/checkout@v6
+
+      - name: Set up Python
+        uses: actions/setup-python@v6
+        with:
+          python-version: "3.11"
+
+      - name: Install uv
+        uses: astral-sh/setup-uv@v7
+
+      - name: Install package + dev dependencies
+        run: uv sync --extra dev
+
+      - name: Run unit + integration tests (gate)
+        run: ./tests/run_tests.sh
+
+      - name: Build wheel + sdist
+        run: uv build
+
+      - name: Publish to PyPI (OIDC Trusted Publisher)
+        # Requires PyPI Trusted Publisher configured for this repo +
+        # the `pypi` GH environment.
+        run: uv publish
+
+  github-release:
+    runs-on: ubuntu-latest
+    needs: build-and-publish
+    steps:
+      - uses: actions/checkout@v6
+      - name: Create GitHub Release
+        uses: softprops/action-gh-release@v3
+        with:
+          generate_release_notes: true

mcp_server_microsoft_tasks-0.1.0/.gitignore

@@ -0,0 +1,31 @@
+# Claude Code per-machine settings (bypass permissions etc.)
+.claude/settings.local.json
+.claude/scheduled_tasks.lock
+.claude/scheduled_tasks.json
+
+# Python
+__pycache__/
+*.py[cod]
+*.egg-info/
+.venv/
+venv/
+build/
+dist/
+
+# Editor / OS
+.vscode/
+.idea/
+*.swp
+.DS_Store
+
+# Local secrets / token caches (should never land in OSS repo)
+.env
+.env.local
+*.pem
+secrets/
+
+# Coverage artefacts
+.coverage
+.coverage.*
+coverage.xml
+htmlcov/

mcp_server_microsoft_tasks-0.1.0/.markdownlint.yaml

@@ -0,0 +1,18 @@
+# SPDX-License-Identifier: MIT OR Apache-2.0
+# Markdownlint configuration
+# See: https://github.com/DavidAnson/markdownlint/blob/main/doc/Rules.md
+
+# Disable line length rule - impractical for documentation with URLs
+MD013: false
+
+# Allow first heading to not be h1 (for templates with frontmatter)
+MD041: false
+
+# Disable table column style rule - we prefer aligned tables for readability
+MD060: false
+
+# Allow duplicate headings as long as they're not siblings.
+# This is required for Keep-a-Changelog: every release section has
+# its own "Added" / "Changed" / "Removed" subsections.
+MD024:
+  siblings_only: true