nocfo-cli 1.5.2__tar.gz → 1.7.2__tar.gz

{nocfo_cli-1.5.2 → nocfo_cli-1.7.2}/PKG-INFO

@@ -1,6 +1,6 @@
 Metadata-Version: 2.4
 Name: nocfo-cli
-Version: 1.5.2
+Version: 1.7.2
 Summary: NoCFO CLI, MCP server, and Cursor skill toolkit.
 License: MIT
 License-File: LICENSE

{nocfo_cli-1.5.2 → nocfo_cli-1.7.2}/pyproject.toml

@@ -4,7 +4,7 @@ build-backend = "poetry.core.masonry.api"
 
 [tool.poetry]
 name = "nocfo-cli"
-version = "1.5.2"
+version = "1.7.2"
 description = "NoCFO CLI, MCP server, and Cursor skill toolkit."
 authors = ["NoCFO"]
 readme = "README.md"

{nocfo_cli-1.5.2 → nocfo_cli-1.7.2}/src/nocfo_toolkit/cli/app.py

@@ -121,19 +121,12 @@ def run_mcp_server(
             "context by exposing search_tools + call_tool."
         ),
     ),
-    skip_confirmation: bool = typer.Option(
-        False,
-        "--skip-confirmation/--require-confirmation",
-        help=(
-            "Skip interactive mutation confirmation elicitation. "
-            "Use only in trusted automation environments."
-        ),
-    ),
 ) -> None:
     """Run NoCFO MCP server over stdio or HTTP transport.
 
     Stdio mode accepts either NOCFO_JWT_TOKEN or NOCFO_API_TOKEN.
-    Optional NOCFO_CLIENT overrides default `nocfo-mcp` x-nocfo-client.
+    Optional NOCFO_CLIENT overrides default `nocfo-mcp` x-nocfo-client header.
+    Use `nocfo-agent` for internal agent MCP and `nocfo-mcp` for external MCP.
     HTTP oauth mode uses connector bearer verification + JWT exchange flow.
     """
 
@@ -173,12 +166,6 @@ def run_mcp_server(
         if env_tool_search
         else tool_search
     )
-    env_skip_confirmation = os.getenv("NOCFO_MCP_SKIP_CONFIRMATION", "").strip().lower()
-    skip_confirmation_enabled = (
-        env_skip_confirmation in {"1", "true", "yes", "on"}
-        if env_skip_confirmation
-        else skip_confirmation
-    )
 
     options = MCPServerOptions(
         auth_mode=auth_mode_value,
@@ -186,7 +173,6 @@ def run_mcp_server(
         required_scopes=scope_items,
         stateless_http=stateless_http,
         tool_search=tool_search_enabled,
-        skip_confirmation=skip_confirmation_enabled,
     )
 
     if transport_normalized == "http":

{nocfo_cli-1.5.2 → nocfo_cli-1.7.2}/src/nocfo_toolkit/config.py

@@ -20,6 +20,10 @@ except ModuleNotFoundError:  # pragma: no cover - fallback for minimal environme
 DEFAULT_BASE_URL = "https://api-prd.nocfo.io"
 AUTH_HEADER_SCHEME = "Token"
 MIN_PAT_LENGTH = 8
+NOCFO_CLIENT_HEADER = "x-nocfo-client"
+NOCFO_CLIENT_MCP = "nocfo-mcp"
+NOCFO_CLIENT_AGENT = "nocfo-agent"
+NOCFO_CLIENT_DEFAULT = NOCFO_CLIENT_MCP
 
 
 class OutputFormat(str, Enum):

{nocfo_cli-1.5.2 → nocfo_cli-1.7.2}/src/nocfo_toolkit/mcp/auth.py

@@ -23,7 +23,12 @@ from starlette.datastructures import MutableHeaders
 from starlette.responses import JSONResponse, Response
 from starlette.routing import Route
 
-from nocfo_toolkit.config import AUTH_HEADER_SCHEME, ToolkitConfig
+from nocfo_toolkit.config import (
+    AUTH_HEADER_SCHEME,
+    NOCFO_CLIENT_DEFAULT,
+    NOCFO_CLIENT_HEADER,
+    ToolkitConfig,
+)
 
 logger = logging.getLogger(__name__)
 
@@ -47,11 +52,21 @@ def _split_csv(raw: str | None) -> list[str]:
 
 
 def _incoming_mcp_client() -> str | None:
-    headers = get_http_headers(include={"x-nocfo-client"})
-    nocfo_client = (headers.get("x-nocfo-client") or "").strip()
+    headers = get_http_headers(include={NOCFO_CLIENT_HEADER})
+    nocfo_client = (headers.get(NOCFO_CLIENT_HEADER) or "").strip()
     return nocfo_client or None
 
 
+def resolve_nocfo_client(*, default_client: str | None = None) -> str:
+    """Resolve x-nocfo-client from incoming MCP request or configured default."""
+    incoming_client = _incoming_mcp_client()
+    if incoming_client:
+        return incoming_client
+    if default_client:
+        return default_client
+    return NOCFO_CLIENT_DEFAULT
+
+
 @dataclass(frozen=True)
 class MCPAuthOptions:
     """Runtime auth settings used by the MCP server."""
@@ -265,11 +280,13 @@ class JwtExchangeAuth(httpx.Auth):
         *,
         exchange_path: str = "/auth/jwt/",
         refresh_skew_seconds: int = 60,
+        default_client: str | None = None,
     ) -> None:
         self._exchange_path = (
             exchange_path if exchange_path.startswith("/") else f"/{exchange_path}"
         )
         self._refresh_skew_seconds = max(0, refresh_skew_seconds)
+        self._default_client = default_client
         self._cache: dict[str, tuple[str, int | None]] = {}
         self._locks: dict[str, asyncio.Lock] = {}
 
@@ -312,7 +329,7 @@ class JwtExchangeAuth(httpx.Auth):
         bearer_token = access.token if access else None
         if not bearer_token:
             raise RuntimeError("Missing OAuth bearer token for MCP request.")
-        incoming_nocfo_client = _incoming_mcp_client()
+        nocfo_client = resolve_nocfo_client(default_client=self._default_client)
 
         claims = access.claims if access and isinstance(access.claims, dict) else {}
         cache_key = self._cache_key(bearer_token, claims)
@@ -332,11 +349,7 @@ class JwtExchangeAuth(httpx.Auth):
                             "Authorization": f"Bearer {bearer_token}",
                             "Content-Type": "application/json",
                             "Accept": "application/json",
-                            **(
-                                {"x-nocfo-client": incoming_nocfo_client}
-                                if incoming_nocfo_client
-                                else {}
-                            ),
+                            NOCFO_CLIENT_HEADER: nocfo_client,
                         },
                         content=b"{}",
                     )
@@ -382,23 +395,25 @@ class JwtExchangeAuth(httpx.Auth):
                     self._cache[cache_key] = (jwt_token, self._decode_exp(jwt_token))
 
         request.headers["Authorization"] = f"{AUTH_HEADER_SCHEME} {jwt_token}"
-        if incoming_nocfo_client:
-            request.headers["x-nocfo-client"] = incoming_nocfo_client
+        request.headers[NOCFO_CLIENT_HEADER] = nocfo_client
         yield request
 
 
 class PassthroughAuth(httpx.Auth):
     """Forward incoming HTTP Authorization header to downstream API requests."""
 
+    def __init__(self, *, default_client: str | None = None) -> None:
+        self._default_client = default_client
+
     async def async_auth_flow(self, request: httpx.Request):
-        headers = get_http_headers(include={"authorization", "x-nocfo-client"})
+        headers = get_http_headers(include={"authorization", NOCFO_CLIENT_HEADER})
         authorization = headers.get("authorization")
         if not authorization:
             raise RuntimeError("Missing Authorization header for MCP passthrough mode.")
         request.headers["Authorization"] = authorization
-        nocfo_client = (headers.get("x-nocfo-client") or "").strip()
-        if nocfo_client:
-            request.headers["x-nocfo-client"] = nocfo_client
+        request.headers[NOCFO_CLIENT_HEADER] = resolve_nocfo_client(
+            default_client=self._default_client
+        )
         yield request
 
 

{nocfo_cli-1.5.2 → nocfo_cli-1.7.2}/src/nocfo_toolkit/mcp/curated/bookkeeping/account.py

@@ -5,7 +5,7 @@ from __future__ import annotations
 from typing import Any
 
 from fastmcp.tools import tool
-from nocfo_toolkit.mcp.curated.confirmation import confirm_mutation
+from fastmcp.tools.tool import ToolAnnotations
 from nocfo_toolkit.mcp.curated.runtime import business_slug, get_client
 from nocfo_toolkit.mcp.curated.schemas import (
     AccountActionInput,
@@ -42,6 +42,12 @@ account_fields = (
 
 @tool(
     name="bookkeeping_accounts_list",
+    annotations=ToolAnnotations(
+        readOnlyHint=True,
+        destructiveHint=False,
+        idempotentHint=True,
+        openWorldHint=False,
+    ),
     description="List bookkeeping accounts by account number, account range, name query, type, usage, or visibility. Use account numbers when talking with users.",
     output_schema=ListEnvelope[AccountListItem].model_json_schema(),
 )
@@ -63,6 +69,12 @@ async def bookkeeping_accounts_list(params: AccountListInput) -> dict[str, Any]:
 
 @tool(
     name="bookkeeping_account_retrieve",
+    annotations=ToolAnnotations(
+        readOnlyHint=True,
+        destructiveHint=False,
+        idempotentHint=True,
+        openWorldHint=False,
+    ),
     description="Retrieve one account from bookkeeping_accounts_list.items[].tool_handle.",
 )
 async def bookkeeping_account_retrieve(
@@ -84,21 +96,18 @@ async def bookkeeping_account_retrieve(
 
 @tool(
     name="bookkeeping_account_create",
+    annotations=ToolAnnotations(
+        readOnlyHint=False,
+        destructiveHint=False,
+        idempotentHint=False,
+        openWorldHint=False,
+    ),
     description="Create a bookkeeping account. Use account numbers and account names that match the user request.",
 )
 async def bookkeeping_account_create(params: PayloadInput) -> dict[str, Any]:
     args = params
     slug = await business_slug(args.business)
     path = f"/v1/business/{slug}/account/"
-    await confirm_mutation(
-        business=slug,
-        tool_name="bookkeeping_account_create",
-        target_resource={
-            "type": "account",
-            "id": str(args.payload.get("number") or args.payload.get("name") or "new"),
-        },
-        parameters=args.payload,
-    )
     result = await get_client().request(
         "POST",
         path,
@@ -110,6 +119,12 @@ async def bookkeeping_account_create(params: PayloadInput) -> dict[str, Any]:
 
 @tool(
     name="bookkeeping_account_update",
+    annotations=ToolAnnotations(
+        readOnlyHint=False,
+        destructiveHint=False,
+        idempotentHint=False,
+        openWorldHint=False,
+    ),
     description="Update a bookkeeping account selected by account_number.",
 )
 async def bookkeeping_account_update(params: AccountPayloadInput) -> dict[str, Any]:
@@ -122,15 +137,6 @@ async def bookkeeping_account_update(params: AccountPayloadInput) -> dict[str, A
         business_slug=slug,
     )
     path = f"/v1/business/{slug}/account/{account_id}/"
-    await confirm_mutation(
-        business=slug,
-        tool_name="bookkeeping_account_update",
-        target_resource={
-            "type": "account",
-            "id": account_id,
-        },
-        parameters=args.payload,
-    )
     result = await get_client().request(
         "PATCH",
         path,
@@ -142,6 +148,12 @@ async def bookkeeping_account_update(params: AccountPayloadInput) -> dict[str, A
 
 @tool(
     name="bookkeeping_account_delete",
+    annotations=ToolAnnotations(
+        readOnlyHint=False,
+        destructiveHint=True,
+        idempotentHint=False,
+        openWorldHint=False,
+    ),
     description="Delete a bookkeeping account selected by account_number.",
 )
 async def bookkeeping_account_delete(params: AccountNumberInput) -> dict[str, Any]:
@@ -154,14 +166,6 @@ async def bookkeeping_account_delete(params: AccountNumberInput) -> dict[str, An
         business_slug=slug,
     )
     path = f"/v1/business/{slug}/account/{account_id}/"
-    await confirm_mutation(
-        business=slug,
-        tool_name="bookkeeping_account_delete",
-        target_resource={
-            "type": "account",
-            "id": account_id,
-        },
-    )
     await get_client().request(
         "DELETE",
         path,
@@ -172,6 +176,12 @@ async def bookkeeping_account_delete(params: AccountNumberInput) -> dict[str, An
 
 @tool(
     name="bookkeeping_account_action",
+    annotations=ToolAnnotations(
+        readOnlyHint=False,
+        destructiveHint=False,
+        idempotentHint=False,
+        openWorldHint=False,
+    ),
     description="Show or hide a bookkeeping account selected by account_number.",
 )
 async def bookkeeping_account_action(params: AccountActionInput) -> dict[str, Any]:
@@ -184,14 +194,6 @@ async def bookkeeping_account_action(params: AccountActionInput) -> dict[str, An
         business_slug=slug,
     )
     path = f"/v1/business/{slug}/account/{account_id}/{args.action.value}/"
-    await confirm_mutation(
-        business=slug,
-        tool_name="bookkeeping_account_action",
-        target_resource={
-            "type": "account",
-            "id": account_id,
-        },
-    )
     await get_client().request(
         "POST",
         path,

{nocfo_cli-1.5.2 → nocfo_cli-1.7.2}/src/nocfo_toolkit/mcp/curated/bookkeeping/document.py

@@ -5,7 +5,7 @@ from __future__ import annotations
 from typing import Any
 
 from fastmcp.tools import tool
-from nocfo_toolkit.mcp.curated.confirmation import confirm_mutation
+from fastmcp.tools.tool import ToolAnnotations
 from nocfo_toolkit.mcp.curated.runtime import business_slug, get_client
 from nocfo_toolkit.mcp.curated.errors import raise_tool_error
 from nocfo_toolkit.mcp.curated.schemas import (
@@ -34,7 +34,13 @@ from nocfo_toolkit.mcp.curated.utils import decode_tool_handle, items
 
 @tool(
     name="bookkeeping_documents_list",
-    description="List bookkeeping documents by document number, dates, contact, tag, account number, workflow state, or query.",
+    annotations=ToolAnnotations(
+        readOnlyHint=True,
+        destructiveHint=False,
+        idempotentHint=True,
+        openWorldHint=False,
+    ),
+    description="List bookkeeping documents by document number, dates, contact, tag, account number, VAT code/rate, workflow state, or query.",
     output_schema=ListEnvelope[DocumentListItem].model_json_schema(),
 )
 async def bookkeeping_documents_list(
@@ -68,6 +74,12 @@ async def bookkeeping_documents_list(
 
 @tool(
     name="bookkeeping_document_retrieve",
+    annotations=ToolAnnotations(
+        readOnlyHint=True,
+        destructiveHint=False,
+        idempotentHint=True,
+        openWorldHint=False,
+    ),
     description="Retrieve one bookkeeping document from bookkeeping_documents_list.items[].tool_handle. Includes blueprint/entry/relation workflow summaries.",
 )
 async def bookkeeping_document_retrieve(
@@ -96,6 +108,12 @@ async def bookkeeping_document_retrieve(
 
 @tool(
     name="bookkeeping_document_create",
+    annotations=ToolAnnotations(
+        readOnlyHint=False,
+        destructiveHint=False,
+        idempotentHint=False,
+        openWorldHint=False,
+    ),
     description="Create a bookkeeping document/business transaction. Blueprint is the editable posting plan; generated entries are returned for verification.",
 )
 async def bookkeeping_document_create(
@@ -112,15 +130,6 @@ async def bookkeeping_document_create(
         )
     body = await resolve_document_payload(slug, args.payload, is_patch=False)
     path = f"/v1/business/{slug}/document/"
-    await confirm_mutation(
-        business=slug,
-        tool_name="bookkeeping_document_create",
-        target_resource={
-            "type": "document",
-            "id": str(body.get("number") or body.get("description") or "new"),
-        },
-        parameters=body,
-    )
     created = await get_client().request(
         "POST",
         path,
@@ -141,6 +150,12 @@ async def bookkeeping_document_create(
 
 @tool(
     name="bookkeeping_document_update",
+    annotations=ToolAnnotations(
+        readOnlyHint=False,
+        destructiveHint=False,
+        idempotentHint=False,
+        openWorldHint=False,
+    ),
     description="Update a document blueprint or metadata by document_number. This recalculates generated entries. If payload contains tag_names, those tags must already exist; create missing tags first with bookkeeping_tag_create.",
 )
 async def bookkeeping_document_update(
@@ -151,15 +166,6 @@ async def bookkeeping_document_update(
     document = await document_by_number(slug, args.document_number)
     body = await resolve_document_payload(slug, args.payload, is_patch=True)
     path = f"/v1/business/{slug}/document/{document['id']}/"
-    await confirm_mutation(
-        business=slug,
-        tool_name="bookkeeping_document_update",
-        target_resource={
-            "type": "document",
-            "id": int(document["id"]),
-        },
-        parameters=body,
-    )
     updated = await get_client().request(
         "PATCH",
         path,
@@ -179,6 +185,12 @@ async def bookkeeping_document_update(
 
 @tool(
     name="bookkeeping_document_delete",
+    annotations=ToolAnnotations(
+        readOnlyHint=False,
+        destructiveHint=True,
+        idempotentHint=False,
+        openWorldHint=False,
+    ),
     description="Delete a bookkeeping document selected by document_number.",
 )
 async def bookkeeping_document_delete(
@@ -188,14 +200,6 @@ async def bookkeeping_document_delete(
     slug = await business_slug(args.business)
     document = await document_by_number(slug, args.document_number)
     path = f"/v1/business/{slug}/document/{document['id']}/"
-    await confirm_mutation(
-        business=slug,
-        tool_name="bookkeeping_document_delete",
-        target_resource={
-            "type": "document",
-            "id": int(document["id"]),
-        },
-    )
     await get_client().request(
         "DELETE",
         path,
@@ -206,6 +210,12 @@ async def bookkeeping_document_delete(
 
 @tool(
     name="bookkeeping_entries_list",
+    annotations=ToolAnnotations(
+        readOnlyHint=True,
+        destructiveHint=False,
+        idempotentHint=True,
+        openWorldHint=False,
+    ),
     description="List realized journal entries for a document. Entries are generated from blueprint and are read-only in MCP.",
     output_schema=ListEnvelope[EntrySummary].model_json_schema(),
 )
@@ -227,6 +237,12 @@ async def bookkeeping_entries_list(
 
 @tool(
     name="bookkeeping_document_finalize_active_suggestion",
+    annotations=ToolAnnotations(
+        readOnlyHint=False,
+        destructiveHint=False,
+        idempotentHint=False,
+        openWorldHint=False,
+    ),
     description="Apply the active accounting suggestion for a draft document and finalize it.",
 )
 async def bookkeeping_document_finalize_active_suggestion(
@@ -239,14 +255,6 @@ async def bookkeeping_document_finalize_active_suggestion(
         f"/v1/mcp/business/{slug}/documents/{document['id']}/"
         "actions/finalize_active_suggestion/"
     )
-    await confirm_mutation(
-        business=slug,
-        tool_name="bookkeeping_document_finalize_active_suggestion",
-        target_resource={
-            "type": "document",
-            "id": int(document["id"]),
-        },
-    )
     result = await get_client().request(
         "POST",
         path,
@@ -258,6 +266,12 @@ async def bookkeeping_document_finalize_active_suggestion(
 
 @tool(
     name="bookkeeping_document_action",
+    annotations=ToolAnnotations(
+        readOnlyHint=False,
+        destructiveHint=False,
+        idempotentHint=False,
+        openWorldHint=False,
+    ),
     description="Run a state action on a document: lock, unlock, flag, or unflag.",
 )
 async def bookkeeping_document_action(
@@ -267,14 +281,6 @@ async def bookkeeping_document_action(
     slug = await business_slug(args.business)
     document = await document_by_number(slug, args.document_number)
     path = f"/v1/business/{slug}/document/{document['id']}/action/{args.action.value}/"
-    await confirm_mutation(
-        business=slug,
-        tool_name="bookkeeping_document_action",
-        target_resource={
-            "type": "document",
-            "id": int(document["id"]),
-        },
-    )
     result = await get_client().request(
         "POST",
         path,

{nocfo_cli-1.5.2 → nocfo_cli-1.7.2}/src/nocfo_toolkit/mcp/curated/bookkeeping/header.py

@@ -5,9 +5,9 @@ from __future__ import annotations
 from typing import Any
 
 from fastmcp.tools import tool
+from fastmcp.tools.tool import ToolAnnotations
 from fastmcp.exceptions import ToolError
 
-from nocfo_toolkit.mcp.curated.confirmation import confirm_mutation
 from nocfo_toolkit.mcp.curated.runtime import business_slug, get_client
 from nocfo_toolkit.mcp.curated.errors import raise_tool_error
 from nocfo_toolkit.mcp.curated.schemas import (
@@ -25,6 +25,12 @@ header_fields = ("id", "name", "type", "parent_id", "parent_ids", "level")
 
 @tool(
     name="bookkeeping_headers_list",
+    annotations=ToolAnnotations(
+        readOnlyHint=True,
+        destructiveHint=False,
+        idempotentHint=True,
+        openWorldHint=False,
+    ),
     description="List optional account header hierarchy. Returns feature_disabled if headers are not enabled.",
     output_schema=ListEnvelope[HeaderSummary].model_json_schema(),
 )
@@ -55,6 +61,12 @@ async def bookkeeping_headers_list(params: HeaderListInput) -> dict[str, Any]:
 
 @tool(
     name="bookkeeping_header_retrieve",
+    annotations=ToolAnnotations(
+        readOnlyHint=True,
+        destructiveHint=False,
+        idempotentHint=True,
+        openWorldHint=False,
+    ),
     description="Retrieve one account header by header_id from bookkeeping_headers_list.",
 )
 async def bookkeeping_header_retrieve(params: HeaderIdInput) -> dict[str, Any]:
@@ -70,21 +82,18 @@ async def bookkeeping_header_retrieve(params: HeaderIdInput) -> dict[str, Any]:
 
 @tool(
     name="bookkeeping_header_create",
+    annotations=ToolAnnotations(
+        readOnlyHint=False,
+        destructiveHint=False,
+        idempotentHint=False,
+        openWorldHint=False,
+    ),
     description="Create an account header when account headers are enabled for the business.",
 )
 async def bookkeeping_header_create(params: HeaderPayloadInput) -> dict[str, Any]:
     args = params
     slug = await business_slug(args.business)
     path = f"/v1/business/{slug}/header/"
-    await confirm_mutation(
-        business=slug,
-        tool_name="bookkeeping_header_create",
-        target_resource={
-            "type": "header",
-            "id": str(args.payload.get("name") or "new"),
-        },
-        parameters=args.payload,
-    )
     result = await get_client().request(
         "POST",
         path,