+21

apps/mcp/LICENSE

reviewed

··· 1 1 + MIT License 2 2 + 3 3 + Copyright (c) 2026 Kaneo MCP contributors 4 4 + 5 5 + Permission is hereby granted, free of charge, to any person obtaining a copy 6 6 + of this software and associated documentation files (the "Software"), to deal 7 7 + in the Software without restriction, including without limitation the rights 8 8 + to use, copy, modify, merge, publish, distribute, sublicense, and/or sell 9 9 + copies of the Software, and to permit persons to whom the Software is 10 10 + furnished to do so, subject to the following conditions: 11 11 + 12 12 + The above copyright notice and this permission notice shall be included in all 13 13 + copies or substantial portions of the Software. 14 14 + 15 15 + THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR 16 16 + IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, 17 17 + FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE 18 18 + AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER 19 19 + LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, 20 20 + OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE 21 21 + SOFTWARE.

+86

apps/mcp/README.md

reviewed

··· 1 1 + # Kaneo MCP server 2 2 + 3 3 + Model Context Protocol (stdio) server that talks to a [Kaneo](https://github.com/usekaneo/kaneo) instance using the OAuth 2.0 device authorization flow (RFC 8628), then calls Kaneo’s REST API with `Authorization: Bearer <token>`. 4 4 + 5 5 + **How MCP fits here:** clients (Cursor, Claude Desktop, etc.) start a **local process** and talk to it over **stdin/stdout** using the MCP protocol. This package ships a **`bin`** (`kaneo-mcp`) for installable CLIs. 6 6 + 7 7 + This package lives in the Kaneo monorepo at **`apps/mcp`**. 8 8 + 9 9 + ## Prerequisites 10 10 + 11 11 + - Node.js 20+ 12 12 + - A running Kaneo API (for example `http://localhost:1337`) and web app (for device approval UI). 13 13 + 14 14 + On the Kaneo server, allow this MCP client’s ID: 15 15 + 16 16 + ```bash 17 17 + DEVICE_AUTH_CLIENT_IDS=kaneo-cli,kaneo-mcp 18 18 + ``` 19 19 + 20 20 + If you omit `DEVICE_AUTH_CLIENT_IDS`, Kaneo defaults to allowing `kaneo-cli` only—you must include `kaneo-mcp` (or set `KANEO_MCP_CLIENT_ID` to an ID you have allowlisted). 21 21 + 22 22 + ## Environment 23 23 + 24 24 + | Variable | Description | 25 25 + |----------|-------------| 26 26 + | `KANEO_API_URL` | Kaneo API origin (default `http://localhost:1337`). Do not include `/api`. | 27 27 + | `KANEO_MCP_CLIENT_ID` | Device-flow client id (default `kaneo-mcp`). Must match `DEVICE_AUTH_CLIENT_IDS` on the server. | 28 28 + 29 29 + ## Install (published package) 30 30 + 31 31 + After publishing `@kaneo/mcp` to npm (or a private registry): 32 32 + 33 33 + ```bash 34 34 + npm install -g @kaneo/mcp 35 35 + kaneo-mcp 36 36 + ``` 37 37 + 38 38 + Or: 39 39 + 40 40 + ```bash 41 41 + npx @kaneo/mcp 42 42 + ``` 43 43 + 44 44 + The published tarball includes **`dist/`** and dependencies; `prepublishOnly` runs the TypeScript build before publish. 45 45 + 46 46 + ## Develop from source (inside this monorepo) 47 47 + 48 48 + From the **`kaneo/`** directory: 49 49 + 50 50 + ```bash 51 51 + pnpm install 52 52 + pnpm --filter @kaneo/mcp run build 53 53 + pnpm --filter @kaneo/mcp run start 54 54 + pnpm --filter @kaneo/mcp run test 55 55 + ``` 56 56 + 57 57 + Or with paths: 58 58 + 59 59 + ```bash 60 60 + pnpm -C apps/mcp run build 61 61 + ``` 62 62 + 63 63 + The CLI entry is `kaneo-mcp` in `package.json` `bin` → `./dist/index.js`. 64 64 + For **Cursor**, point the MCP command at **`…/kaneo/apps/mcp/dist/index.js`** (absolute path after build). 65 65 + 66 66 + ## Authentication 67 67 + 68 68 + On the first tool call that needs Kaneo, the server: 69 69 + 70 70 + 1. Requests a device code from `POST /api/auth/device/code` 71 71 + 2. Prints the verification URL and user code to **stderr** (stdout stays clean for MCP) 72 72 + 3. Tries to open the browser 73 73 + 4. Polls `POST /api/auth/device/token` until approved 74 74 + 5. Stores the access token under `~/.config/kaneo-mcp/credentials.json` (mode `0600`) 75 75 + 76 76 + ## Tools 77 77 + 78 78 + Session: `whoami`, `list_workspaces` 79 79 + 80 80 + Projects: `list_projects`, `get_project`, `create_project`, `update_project` 81 81 + 82 82 + Tasks: `list_tasks`, `get_task`, `create_task`, `update_task`, `move_task`, `update_task_status` 83 83 + 84 84 + Comments: `list_task_comments`, `create_task_comment` 85 85 + 86 86 + Labels: `list_workspace_labels`, `create_label`, `attach_label_to_task`, `detach_label_from_task`

+41

apps/mcp/package.json

reviewed

··· 1 1 + { 2 2 + "name": "@kaneo/mcp", 3 3 + "version": "0.1.0", 4 4 + "description": "Model Context Protocol (stdio) server for Kaneo — tasks, projects, labels, and device authorization", 5 5 + "license": "MIT", 6 6 + "type": "module", 7 7 + "bin": { 8 8 + "kaneo-mcp": "./dist/index.js" 9 9 + }, 10 10 + "files": [ 11 11 + "dist", 12 12 + "README.md", 13 13 + "LICENSE" 14 14 + ], 15 15 + "keywords": [ 16 16 + "mcp", 17 17 + "model-context-protocol", 18 18 + "kaneo", 19 19 + "stdio" 20 20 + ], 21 21 + "scripts": { 22 22 + "build": "tsc -p tsconfig.json", 23 23 + "prepublishOnly": "npm run build", 24 24 + "dev": "tsx watch src/index.ts", 25 25 + "start": "node dist/index.js", 26 26 + "test": "vitest run --config vitest.config.ts", 27 27 + "test:watch": "vitest --config vitest.config.ts" 28 28 + }, 29 29 + "dependencies": { 30 30 + "@modelcontextprotocol/sdk": "^1.26.0", 31 31 + "open": "^10.1.0", 32 32 + "zod": "^3.25.0" 33 33 + }, 34 34 + "devDependencies": { 35 35 + "@kaneo/typescript-config": "workspace:*", 36 36 + "@types/node": "^25.3.5", 37 37 + "tsx": "^4.21.0", 38 38 + "typescript": "^5.9.3", 39 39 + "vitest": "^4.1.2" 40 40 + } 41 41 + }

+95

apps/mcp/src/auth/auth-service.ts

reviewed

··· 1 1 + import open from "open"; 2 2 + import { pollDeviceAccessToken, requestDeviceCode } from "./device-flow.js"; 3 3 + import { 4 4 + clearCredentials, 5 5 + loadCredentials, 6 6 + type StoredCredentials, 7 7 + saveCredentials, 8 8 + } from "./token-store.js"; 9 9 + 10 10 + export type AuthServiceOptions = { 11 11 + baseUrl: string; 12 12 + clientId: string; 13 13 + }; 14 14 + 15 15 + export class AuthService { 16 16 + readonly baseUrl: string; 17 17 + readonly clientId: string; 18 18 + 19 19 + constructor(options: AuthServiceOptions) { 20 20 + this.baseUrl = options.baseUrl; 21 21 + this.clientId = options.clientId; 22 22 + } 23 23 + 24 24 + async clearToken(): Promise<void> { 25 25 + await clearCredentials(); 26 26 + } 27 27 + 28 28 + private async validateAccessToken(token: string): Promise<boolean> { 29 29 + const res = await fetch(`${this.baseUrl}/api/auth/get-session`, { 30 30 + headers: { Authorization: `Bearer ${token}` }, 31 31 + }); 32 32 + if (res.status === 401) { 33 33 + return false; 34 34 + } 35 35 + if (!res.ok) { 36 36 + return false; 37 37 + } 38 38 + const data = (await res.json().catch(() => null)) as { 39 39 + user?: { id?: string }; 40 40 + } | null; 41 41 + return Boolean(data?.user?.id); 42 42 + } 43 43 + 44 44 + private log(msg: string): void { 45 45 + console.error(`[kaneo-mcp] ${msg}`); 46 46 + } 47 47 + 48 48 + /** 49 49 + * Returns a valid access token, running the device authorization flow if needed. 50 50 + */ 51 51 + async getAccessToken(): Promise<string> { 52 52 + const cached = await loadCredentials(); 53 53 + if ( 54 54 + cached && 55 55 + cached.baseUrl === this.baseUrl && 56 56 + cached.clientId === this.clientId && 57 57 + cached.accessToken 58 58 + ) { 59 59 + const ok = await this.validateAccessToken(cached.accessToken); 60 60 + if (ok) { 61 61 + return cached.accessToken; 62 62 + } 63 63 + await this.clearToken(); 64 64 + } 65 65 + 66 66 + const code = await requestDeviceCode(this.baseUrl, this.clientId); 67 67 + const verifyUrl = code.verification_uri_complete || code.verification_uri; 68 68 + this.log( 69 69 + `Open ${verifyUrl} and approve this device. User code: ${code.user_code}`, 70 70 + ); 71 71 + 72 72 + try { 73 73 + await open(verifyUrl); 74 74 + } catch { 75 75 + this.log("Could not open a browser automatically; use the URL above."); 76 76 + } 77 77 + 78 78 + const accessToken = await pollDeviceAccessToken( 79 79 + this.baseUrl, 80 80 + this.clientId, 81 81 + code.device_code, 82 82 + code.interval, 83 83 + { log: (m) => this.log(m) }, 84 84 + ); 85 85 + 86 86 + const toStore: StoredCredentials = { 87 87 + version: 1, 88 88 + baseUrl: this.baseUrl, 89 89 + clientId: this.clientId, 90 90 + accessToken, 91 91 + }; 92 92 + await saveCredentials(toStore); 93 93 + return accessToken; 94 94 + } 95 95 + }

+144

apps/mcp/src/auth/device-flow.test.ts

reviewed

··· 1 1 + import { afterEach, beforeEach, describe, expect, it, vi } from "vitest"; 2 2 + import { pollDeviceAccessToken, requestDeviceCode } from "./device-flow.js"; 3 3 + 4 4 + describe("requestDeviceCode", () => { 5 5 + const originalFetch = globalThis.fetch; 6 6 + 7 7 + afterEach(() => { 8 8 + globalThis.fetch = originalFetch; 9 9 + }); 10 10 + 11 11 + it("posts the client id and returns the parsed device code response", async () => { 12 12 + const fetchMock = vi.fn().mockResolvedValue( 13 13 + new Response( 14 14 + JSON.stringify({ 15 15 + device_code: "device-code", 16 16 + user_code: "user-code", 17 17 + verification_uri: "https://verify.example.com", 18 18 + interval: 5, 19 19 + expires_in: 1800, 20 20 + }), 21 21 + { status: 200 }, 22 22 + ), 23 23 + ); 24 24 + globalThis.fetch = fetchMock as typeof fetch; 25 25 + 26 26 + const result = await requestDeviceCode( 27 27 + "https://api.example.com", 28 28 + "kaneo-mcp", 29 29 + ); 30 30 + 31 31 + expect(result.device_code).toBe("device-code"); 32 32 + expect(fetchMock).toHaveBeenCalledWith( 33 33 + "https://api.example.com/api/auth/device/code", 34 34 + { 35 35 + method: "POST", 36 36 + headers: { "Content-Type": "application/json" }, 37 37 + body: JSON.stringify({ client_id: "kaneo-mcp" }), 38 38 + }, 39 39 + ); 40 40 + }); 41 41 + 42 42 + it("throws when the response body is missing the device code", async () => { 43 43 + globalThis.fetch = vi.fn().mockResolvedValue( 44 44 + new Response(JSON.stringify({ user_code: "missing-device-code" }), { 45 45 + status: 200, 46 46 + }), 47 47 + ) as typeof fetch; 48 48 + 49 49 + await expect( 50 50 + requestDeviceCode("https://api.example.com", "kaneo-mcp"), 51 51 + ).rejects.toThrow(/unexpected response/); 52 52 + }); 53 53 + }); 54 54 + 55 55 + describe("pollDeviceAccessToken", () => { 56 56 + const originalFetch = globalThis.fetch; 57 57 + 58 58 + beforeEach(() => { 59 59 + vi.useFakeTimers(); 60 60 + }); 61 61 + 62 62 + afterEach(() => { 63 63 + globalThis.fetch = originalFetch; 64 64 + vi.useRealTimers(); 65 65 + vi.restoreAllMocks(); 66 66 + }); 67 67 + 68 68 + it("keeps polling through authorization_pending until an access token is returned", async () => { 69 69 + const log = vi.fn(); 70 70 + const fetchMock = vi 71 71 + .fn() 72 72 + .mockResolvedValueOnce( 73 73 + new Response(JSON.stringify({ error: "authorization_pending" }), { 74 74 + status: 400, 75 75 + }), 76 76 + ) 77 77 + .mockResolvedValueOnce( 78 78 + new Response(JSON.stringify({ access_token: "token-123" }), { 79 79 + status: 200, 80 80 + }), 81 81 + ); 82 82 + globalThis.fetch = fetchMock as typeof fetch; 83 83 + 84 84 + const promise = pollDeviceAccessToken( 85 85 + "https://api.example.com", 86 86 + "kaneo-mcp", 87 87 + "device-code", 88 88 + 1, 89 89 + { log }, 90 90 + ); 91 91 + 92 92 + await vi.runAllTimersAsync(); 93 93 + 94 94 + await expect(promise).resolves.toBe("token-123"); 95 95 + expect(fetchMock).toHaveBeenCalledTimes(2); 96 96 + expect(log).toHaveBeenCalledWith("Waiting for device approval…"); 97 97 + }); 98 98 + 99 99 + it("increases the polling interval after slow_down", async () => { 100 100 + const timeoutSpy = vi.spyOn(globalThis, "setTimeout"); 101 101 + const fetchMock = vi 102 102 + .fn() 103 103 + .mockResolvedValueOnce( 104 104 + new Response(JSON.stringify({ error: "slow_down" }), { 105 105 + status: 400, 106 106 + }), 107 107 + ) 108 108 + .mockResolvedValueOnce( 109 109 + new Response(JSON.stringify({ access_token: "token-123" }), { 110 110 + status: 200, 111 111 + }), 112 112 + ); 113 113 + globalThis.fetch = fetchMock as typeof fetch; 114 114 + 115 115 + const promise = pollDeviceAccessToken( 116 116 + "https://api.example.com", 117 117 + "kaneo-mcp", 118 118 + "device-code", 119 119 + 1, 120 120 + ); 121 121 + 122 122 + await vi.runAllTimersAsync(); 123 123 + 124 124 + await expect(promise).resolves.toBe("token-123"); 125 125 + expect(timeoutSpy).toHaveBeenCalledWith(expect.any(Function), 6000); 126 126 + }); 127 127 + 128 128 + it("throws a helpful error when authorization is denied", async () => { 129 129 + globalThis.fetch = vi.fn().mockResolvedValue( 130 130 + new Response(JSON.stringify({ error: "access_denied" }), { 131 131 + status: 400, 132 132 + }), 133 133 + ) as typeof fetch; 134 134 + 135 135 + await expect( 136 136 + pollDeviceAccessToken( 137 137 + "https://api.example.com", 138 138 + "kaneo-mcp", 139 139 + "device-code", 140 140 + 1, 141 141 + ), 142 142 + ).rejects.toThrow("Device authorization was denied."); 143 143 + }); 144 144 + });

+106

apps/mcp/src/auth/device-flow.ts

reviewed

··· 1 1 + export type DeviceCodeResponse = { 2 2 + device_code: string; 3 3 + user_code: string; 4 4 + verification_uri: string; 5 5 + verification_uri_complete?: string; 6 6 + interval: number; 7 7 + expires_in: number; 8 8 + }; 9 9 + 10 10 + export type DeviceTokenErrorBody = { 11 11 + error?: string; 12 12 + error_description?: string; 13 13 + }; 14 14 + 15 15 + function sleep(ms: number): Promise<void> { 16 16 + return new Promise((r) => setTimeout(r, ms)); 17 17 + } 18 18 + 19 19 + export async function requestDeviceCode( 20 20 + baseUrl: string, 21 21 + clientId: string, 22 22 + ): Promise<DeviceCodeResponse> { 23 23 + const res = await fetch(`${baseUrl}/api/auth/device/code`, { 24 24 + method: "POST", 25 25 + headers: { "Content-Type": "application/json" }, 26 26 + body: JSON.stringify({ client_id: clientId }), 27 27 + }); 28 28 + const body = (await res.json().catch(() => ({}))) as 29 29 + | DeviceCodeResponse 30 30 + | DeviceTokenErrorBody; 31 31 + if (!res.ok) { 32 32 + throw new Error( 33 33 + `device/code failed (${res.status}): ${JSON.stringify(body)}`, 34 34 + ); 35 35 + } 36 36 + if (!("device_code" in body) || typeof body.device_code !== "string") { 37 37 + throw new Error(`device/code: unexpected response ${JSON.stringify(body)}`); 38 38 + } 39 39 + return body; 40 40 + } 41 41 + 42 42 + /** 43 43 + * Polls `/api/auth/device/token` until success or terminal error. 44 44 + * First attempt is immediate; subsequent attempts wait `interval` seconds (increased on `slow_down`). 45 45 + */ 46 46 + export async function pollDeviceAccessToken( 47 47 + baseUrl: string, 48 48 + clientId: string, 49 49 + deviceCode: string, 50 50 + initialIntervalSec: number, 51 51 + options?: { maxWaitMs?: number; log?: (msg: string) => void }, 52 52 + ): Promise<string> { 53 53 + const maxWait = options?.maxWaitMs ?? 30 * 60 * 1000; 54 54 + const log = options?.log ?? (() => {}); 55 55 + const started = Date.now(); 56 56 + let intervalMs = Math.max(1000, initialIntervalSec * 1000); 57 57 + 58 58 + for (let attempt = 0; Date.now() - started < maxWait; attempt++) { 59 59 + if (attempt > 0) { 60 60 + await sleep(intervalMs); 61 61 + } 62 62 + 63 63 + const res = await fetch(`${baseUrl}/api/auth/device/token`, { 64 64 + method: "POST", 65 65 + headers: { "Content-Type": "application/json" }, 66 66 + body: JSON.stringify({ 67 67 + grant_type: "urn:ietf:params:oauth:grant-type:device_code", 68 68 + device_code: deviceCode, 69 69 + client_id: clientId, 70 70 + }), 71 71 + }); 72 72 + 73 73 + const body = (await res.json().catch(() => ({}))) as { 74 74 + access_token?: string; 75 75 + error?: string; 76 76 + error_description?: string; 77 77 + }; 78 78 + 79 79 + if (res.ok && typeof body.access_token === "string") { 80 80 + return body.access_token; 81 81 + } 82 82 + 83 83 + const err = body.error; 84 84 + if (err === "authorization_pending") { 85 85 + log("Waiting for device approval…"); 86 86 + continue; 87 87 + } 88 88 + if (err === "slow_down") { 89 89 + intervalMs += 5000; 90 90 + log(`Rate limited (slow_down); polling every ${intervalMs / 1000}s`); 91 91 + continue; 92 92 + } 93 93 + if (err === "access_denied") { 94 94 + throw new Error("Device authorization was denied."); 95 95 + } 96 96 + if (err === "expired_token") { 97 97 + throw new Error("Device code expired; start login again."); 98 98 + } 99 99 + 100 100 + throw new Error( 101 101 + `device/token failed (${res.status}): ${JSON.stringify(body)}`, 102 102 + ); 103 103 + } 104 104 + 105 105 + throw new Error("Device authorization timed out waiting for approval."); 106 106 + }

+63

apps/mcp/src/auth/token-store.ts

reviewed

··· 1 1 + import { chmod, mkdir, readFile, unlink, writeFile } from "node:fs/promises"; 2 2 + import { homedir } from "node:os"; 3 3 + import path from "node:path"; 4 4 + 5 5 + export type StoredCredentials = { 6 6 + version: 1; 7 7 + baseUrl: string; 8 8 + clientId: string; 9 9 + accessToken: string; 10 10 + }; 11 11 + 12 12 + const FILE_MODE = 0o600; 13 13 + const DIR_MODE = 0o700; 14 14 + 15 15 + function configDir(): string { 16 16 + const base = 17 17 + process.env.XDG_CONFIG_HOME?.trim() || path.join(homedir(), ".config"); 18 18 + return path.join(base, "kaneo-mcp"); 19 19 + } 20 20 + 21 21 + export function credentialsPath(): string { 22 22 + return path.join(configDir(), "credentials.json"); 23 23 + } 24 24 + 25 25 + export async function loadCredentials(): Promise<StoredCredentials | null> { 26 26 + try { 27 27 + const raw = await readFile(credentialsPath(), "utf8"); 28 28 + const parsed = JSON.parse(raw) as StoredCredentials; 29 29 + if ( 30 30 + parsed?.version === 1 && 31 31 + typeof parsed.baseUrl === "string" && 32 32 + typeof parsed.clientId === "string" && 33 33 + typeof parsed.accessToken === "string" 34 34 + ) { 35 35 + return parsed; 36 36 + } 37 37 + return null; 38 38 + } catch { 39 39 + return null; 40 40 + } 41 41 + } 42 42 + 43 43 + export async function saveCredentials(data: StoredCredentials): Promise<void> { 44 44 + const dir = configDir(); 45 45 + await mkdir(dir, { recursive: true, mode: DIR_MODE }); 46 46 + const file = credentialsPath(); 47 47 + await writeFile(file, `${JSON.stringify(data, null, 2)}\n`, { 48 48 + mode: FILE_MODE, 49 49 + }); 50 50 + try { 51 51 + await chmod(file, FILE_MODE); 52 52 + } catch { 53 53 + /* ignore chmod failures on some FS */ 54 54 + } 55 55 + } 56 56 + 57 57 + export async function clearCredentials(): Promise<void> { 58 58 + try { 59 59 + await unlink(credentialsPath()); 60 60 + } catch { 61 61 + /* noop */ 62 62 + } 63 63 + }

+14

apps/mcp/src/index.ts

reviewed

··· 1 1 + #!/usr/bin/env node 2 2 + import { StdioServerTransport } from "@modelcontextprotocol/sdk/server/stdio.js"; 3 3 + import { createMcpServer } from "./server.js"; 4 4 + 5 5 + async function main(): Promise<void> { 6 6 + const server = createMcpServer(); 7 7 + const transport = new StdioServerTransport(); 8 8 + await server.connect(transport); 9 9 + } 10 10 + 11 11 + main().catch((err: unknown) => { 12 12 + console.error(err); 13 13 + process.exit(1); 14 14 + });

+91

apps/mcp/src/kaneo/client.test.ts

reviewed

··· 1 1 + import { afterEach, describe, expect, it, vi } from "vitest"; 2 2 + import { KaneoClient } from "./client.js"; 3 3 + 4 4 + describe("KaneoClient", () => { 5 5 + const originalFetch = globalThis.fetch; 6 6 + 7 7 + afterEach(() => { 8 8 + globalThis.fetch = originalFetch; 9 9 + vi.restoreAllMocks(); 10 10 + }); 11 11 + 12 12 + it("adds auth and json headers for requests with a body", async () => { 13 13 + const auth = { 14 14 + getAccessToken: vi.fn().mockResolvedValue("token-123"), 15 15 + clearToken: vi.fn().mockResolvedValue(undefined), 16 16 + }; 17 17 + const fetchMock = vi 18 18 + .fn() 19 19 + .mockResolvedValue( 20 20 + new Response(JSON.stringify({ ok: true }), { status: 200 }), 21 21 + ); 22 22 + globalThis.fetch = fetchMock as typeof fetch; 23 23 + 24 24 + const client = new KaneoClient({ 25 25 + baseUrl: "https://api.example.com", 26 26 + auth: auth as never, 27 27 + }); 28 28 + 29 29 + await expect( 30 30 + client.json("/api/project", { 31 31 + method: "POST", 32 32 + body: JSON.stringify({ name: "Inbox" }), 33 33 + }), 34 34 + ).resolves.toEqual({ ok: true }); 35 35 + 36 36 + expect(fetchMock).toHaveBeenCalledTimes(1); 37 37 + const [, init] = fetchMock.mock.calls[0] as [string, RequestInit]; 38 38 + const headers = new Headers(init.headers); 39 39 + expect(headers.get("Authorization")).toBe("Bearer token-123"); 40 40 + expect(headers.get("Content-Type")).toBe("application/json"); 41 41 + }); 42 42 + 43 43 + it("clears the cached token and retries once after a 401", async () => { 44 44 + const auth = { 45 45 + getAccessToken: vi 46 46 + .fn() 47 47 + .mockResolvedValueOnce("expired-token") 48 48 + .mockResolvedValueOnce("fresh-token"), 49 49 + clearToken: vi.fn().mockResolvedValue(undefined), 50 50 + }; 51 51 + const fetchMock = vi 52 52 + .fn() 53 53 + .mockResolvedValueOnce(new Response("unauthorized", { status: 401 })) 54 54 + .mockResolvedValueOnce( 55 55 + new Response(JSON.stringify({ id: "task-1" }), { status: 200 }), 56 56 + ); 57 57 + globalThis.fetch = fetchMock as typeof fetch; 58 58 + 59 59 + const client = new KaneoClient({ 60 60 + baseUrl: "https://api.example.com", 61 61 + auth: auth as never, 62 62 + }); 63 63 + 64 64 + await expect(client.json("/api/task/task-1")).resolves.toEqual({ 65 65 + id: "task-1", 66 66 + }); 67 67 + expect(auth.clearToken).toHaveBeenCalledTimes(1); 68 68 + expect(fetchMock).toHaveBeenCalledTimes(2); 69 69 + }); 70 70 + 71 71 + it("surfaces api error messages when a request fails", async () => { 72 72 + const auth = { 73 73 + getAccessToken: vi.fn().mockResolvedValue("token-123"), 74 74 + clearToken: vi.fn().mockResolvedValue(undefined), 75 75 + }; 76 76 + globalThis.fetch = vi.fn().mockResolvedValue( 77 77 + new Response(JSON.stringify({ message: "Task not found" }), { 78 78 + status: 404, 79 79 + }), 80 80 + ) as typeof fetch; 81 81 + 82 82 + const client = new KaneoClient({ 83 83 + baseUrl: "https://api.example.com", 84 84 + auth: auth as never, 85 85 + }); 86 86 + 87 87 + await expect(client.json("/api/task/missing")).rejects.toThrow( 88 88 + "/api/task/missing: Task not found", 89 89 + ); 90 90 + }); 91 91 + });

+66

apps/mcp/src/kaneo/client.ts

reviewed

··· 1 1 + import type { AuthService } from "../auth/auth-service.js"; 2 2 + 3 3 + export type Json = 4 4 + | null 5 5 + | boolean 6 6 + | number 7 7 + | string 8 8 + | Json[] 9 9 + | { [key: string]: Json }; 10 10 + 11 11 + export class KaneoClient { 12 12 + readonly baseUrl: string; 13 13 + private readonly auth: AuthService; 14 14 + 15 15 + constructor(options: { baseUrl: string; auth: AuthService }) { 16 16 + this.baseUrl = options.baseUrl; 17 17 + this.auth = options.auth; 18 18 + } 19 19 + 20 20 + private async authorizedFetch( 21 21 + path: string, 22 22 + init?: RequestInit, 23 23 + didRetry = false, 24 24 + ): Promise<Response> { 25 25 + const token = await this.auth.getAccessToken(); 26 26 + const headers = new Headers(init?.headers); 27 27 + headers.set("Authorization", `Bearer ${token}`); 28 28 + if (init?.body != null && !headers.has("Content-Type")) { 29 29 + headers.set("Content-Type", "application/json"); 30 30 + } 31 31 + 32 32 + const url = `${this.baseUrl}${path.startsWith("/") ? path : `/${path}`}`; 33 33 + const res = await fetch(url, { ...init, headers }); 34 34 + 35 35 + if (res.status === 401 && !didRetry) { 36 36 + await this.auth.clearToken(); 37 37 + return this.authorizedFetch(path, init, true); 38 38 + } 39 39 + 40 40 + return res; 41 41 + } 42 42 + 43 43 + async json<T = Json>(path: string, init?: RequestInit): Promise<T> { 44 44 + const res = await this.authorizedFetch(path, init); 45 45 + const text = await res.text(); 46 46 + let body: unknown = null; 47 47 + if (text) { 48 48 + try { 49 49 + body = JSON.parse(text) as unknown; 50 50 + } catch { 51 51 + body = text; 52 52 + } 53 53 + } 54 54 + if (!res.ok) { 55 55 + const message = 56 56 + typeof body === "object" && 57 57 + body !== null && 58 58 + "message" in body && 59 59 + typeof (body as { message: unknown }).message === "string" 60 60 + ? (body as { message: string }).message 61 61 + : `HTTP ${res.status}`; 62 62 + throw new Error(`${path}: ${message} ${text}`); 63 63 + } 64 64 + return body as T; 65 65 + } 66 66 + }

+22

apps/mcp/src/kaneo/task-helpers.test.ts

reviewed

··· 1 1 + import { describe, expect, it } from "vitest"; 2 2 + import { buildFullTaskUpdateBody } from "./task-helpers.js"; 3 3 + 4 4 + describe("buildFullTaskUpdateBody", () => { 5 5 + it("merges patch onto existing task", () => { 6 6 + const body = buildFullTaskUpdateBody( 7 7 + { 8 8 + title: "T", 9 9 + description: "D", 10 10 + status: "open", 11 11 + priority: "low", 12 12 + projectId: "p1", 13 13 + position: 1, 14 14 + userId: "u1", 15 15 + }, 16 16 + { status: "done" }, 17 17 + ); 18 18 + expect(body.status).toBe("done"); 19 19 + expect(body.title).toBe("T"); 20 20 + expect(body.position).toBe(1); 21 21 + }); 22 22 + });

+127

apps/mcp/src/kaneo/task-helpers.ts

reviewed

··· 1 1 + const PRIORITIES = ["no-priority", "low", "medium", "high", "urgent"] as const; 2 2 + 3 3 + export type TaskPriority = (typeof PRIORITIES)[number]; 4 4 + 5 5 + export function isTaskPriority(v: string): v is TaskPriority { 6 6 + return (PRIORITIES as readonly string[]).includes(v); 7 7 + } 8 8 + 9 9 + export type TaskUpdatePatch = { 10 10 + title?: string; 11 11 + description?: string | null; 12 12 + status?: string; 13 13 + priority?: TaskPriority; 14 14 + projectId?: string; 15 15 + position?: number; 16 16 + startDate?: string | null; 17 17 + dueDate?: string | null; 18 18 + userId?: string | null; 19 19 + }; 20 20 + 21 21 + /** 22 22 + * Builds the JSON body for `PUT /api/task/:id` from an existing task plus a patch. 23 23 + */ 24 24 + export function buildFullTaskUpdateBody( 25 25 + existing: Record<string, unknown>, 26 26 + patch: TaskUpdatePatch, 27 27 + ): Record<string, string | number | undefined> { 28 28 + const positionRaw = patch.position ?? existing.position; 29 29 + const position = 30 30 + typeof positionRaw === "number" 31 31 + ? positionRaw 32 32 + : typeof positionRaw === "string" 33 33 + ? Number(positionRaw) 34 34 + : Number.NaN; 35 35 + if (!Number.isFinite(position)) { 36 36 + throw new Error( 37 37 + "Cannot update task: missing numeric `position` on existing task.", 38 38 + ); 39 39 + } 40 40 + 41 41 + const title = 42 42 + patch.title ?? 43 43 + (typeof existing.title === "string" ? existing.title : undefined); 44 44 + if (!title) { 45 45 + throw new Error("Cannot update task: missing title."); 46 46 + } 47 47 + 48 48 + const description = 49 49 + patch.description !== undefined 50 50 + ? patch.description === null 51 51 + ? "" 52 52 + : String(patch.description) 53 53 + : existing.description == null 54 54 + ? "" 55 55 + : String(existing.description); 56 56 + 57 57 + const status = 58 58 + patch.status ?? 59 59 + (typeof existing.status === "string" ? existing.status : undefined); 60 60 + if (!status) { 61 61 + throw new Error("Cannot update task: missing status."); 62 62 + } 63 63 + 64 64 + const priorityRaw = 65 65 + patch.priority ?? 66 66 + (typeof existing.priority === "string" ? existing.priority : undefined); 67 67 + if (!priorityRaw || !isTaskPriority(priorityRaw)) { 68 68 + throw new Error("Cannot update task: invalid or missing priority."); 69 69 + } 70 70 + 71 71 + const projectId = 72 72 + patch.projectId ?? 73 73 + (typeof existing.projectId === "string" ? existing.projectId : undefined); 74 74 + if (!projectId) { 75 75 + throw new Error("Cannot update task: missing projectId."); 76 76 + } 77 77 + 78 78 + const userId = 79 79 + patch.userId !== undefined 80 80 + ? patch.userId === null 81 81 + ? "" 82 82 + : patch.userId 83 83 + : typeof existing.userId === "string" 84 84 + ? existing.userId 85 85 + : undefined; 86 86 + 87 87 + const startDate = formatOptionalIso( 88 88 + patch.startDate !== undefined ? patch.startDate : existing.startDate, 89 89 + ); 90 90 + const dueDate = formatOptionalIso( 91 91 + patch.dueDate !== undefined ? patch.dueDate : existing.dueDate, 92 92 + ); 93 93 + 94 94 + const body: Record<string, string | number | undefined> = { 95 95 + title, 96 96 + description, 97 97 + status, 98 98 + priority: priorityRaw, 99 99 + projectId, 100 100 + position, 101 101 + }; 102 102 + 103 103 + if (startDate !== undefined) { 104 104 + body.startDate = startDate; 105 105 + } 106 106 + if (dueDate !== undefined) { 107 107 + body.dueDate = dueDate; 108 108 + } 109 109 + if (userId !== undefined) { 110 110 + body.userId = userId; 111 111 + } 112 112 + 113 113 + return body; 114 114 + } 115 115 + 116 116 + function formatOptionalIso(value: unknown): string | undefined { 117 117 + if (value === null || value === undefined) { 118 118 + return undefined; 119 119 + } 120 120 + if (value instanceof Date) { 121 121 + return value.toISOString(); 122 122 + } 123 123 + if (typeof value === "string") { 124 124 + return value; 125 125 + } 126 126 + return undefined; 127 127 + }

+20

apps/mcp/src/server.ts

reviewed

··· 1 1 + import { McpServer } from "@modelcontextprotocol/sdk/server/mcp.js"; 2 2 + import { AuthService } from "./auth/auth-service.js"; 3 3 + import { KaneoClient } from "./kaneo/client.js"; 4 4 + import { registerTools } from "./tools/register.js"; 5 5 + import { normalizeBaseUrl } from "./utils/normalize-base-url.js"; 6 6 + 7 7 + export function createMcpServer(): McpServer { 8 8 + const baseUrl = normalizeBaseUrl( 9 9 + process.env.KANEO_API_URL || "http://localhost:1337", 10 10 + ); 11 11 + const clientId = process.env.KANEO_MCP_CLIENT_ID || "kaneo-mcp"; 12 12 + const auth = new AuthService({ baseUrl, clientId }); 13 13 + const client = new KaneoClient({ baseUrl, auth }); 14 14 + const server = new McpServer({ 15 15 + name: "kaneo-mcp", 16 16 + version: "0.1.0", 17 17 + }); 18 18 + registerTools(server, { client }); 19 19 + return server; 20 20 + }

+141

apps/mcp/src/tools/register.test.ts

reviewed

··· 1 1 + import { describe, expect, it, vi } from "vitest"; 2 2 + import { registerTools } from "./register.js"; 3 3 + 4 4 + type RegisteredTool = { 5 5 + name: string; 6 6 + handler: (args: Record<string, unknown>) => Promise<{ 7 7 + content: Array<{ type: string; text: string }>; 8 8 + isError?: boolean; 9 9 + }>; 10 10 + }; 11 11 + 12 12 + function createServerMock() { 13 13 + const tools = new Map<string, RegisteredTool["handler"]>(); 14 14 + 15 15 + return { 16 16 + server: { 17 17 + registerTool: vi.fn( 18 18 + ( 19 19 + name: string, 20 20 + _config: unknown, 21 21 + handler: RegisteredTool["handler"], 22 22 + ) => { 23 23 + tools.set(name, handler); 24 24 + }, 25 25 + ), 26 26 + }, 27 27 + tools, 28 28 + }; 29 29 + } 30 30 + 31 31 + describe("registerTools", () => { 32 32 + it("registers the MCP tools", () => { 33 33 + const { server } = createServerMock(); 34 34 + const client = { json: vi.fn() }; 35 35 + 36 36 + registerTools(server as never, { client: client as never }); 37 37 + 38 38 + expect(server.registerTool).toHaveBeenCalled(); 39 39 + expect(server.registerTool).toHaveBeenCalledWith( 40 40 + "whoami", 41 41 + expect.any(Object), 42 42 + expect.any(Function), 43 43 + ); 44 44 + expect(server.registerTool).toHaveBeenCalledWith( 45 45 + "update_task", 46 46 + expect.any(Object), 47 47 + expect.any(Function), 48 48 + ); 49 49 + }); 50 50 + 51 51 + it("builds the expected query string for list_tasks", async () => { 52 52 + const { server, tools } = createServerMock(); 53 53 + const client = { 54 54 + json: vi.fn().mockResolvedValue([{ id: "task-1" }]), 55 55 + }; 56 56 + 57 57 + registerTools(server as never, { client: client as never }); 58 58 + 59 59 + const result = await tools.get("list_tasks")?.({ 60 60 + projectId: "project 1", 61 61 + status: "open", 62 62 + page: 2, 63 63 + sortOrder: "desc", 64 64 + }); 65 65 + 66 66 + expect(client.json).toHaveBeenCalledWith( 67 67 + "/api/task/tasks/project%201?status=open&page=2&sortOrder=desc", 68 68 + { method: "GET" }, 69 69 + ); 70 70 + expect(result).toEqual({ 71 71 + content: [ 72 72 + { 73 73 + type: "text", 74 74 + text: JSON.stringify([{ id: "task-1" }], null, 2), 75 75 + }, 76 76 + ], 77 77 + isError: false, 78 78 + }); 79 79 + }); 80 80 + 81 81 + it("fetches the current task and sends a full body for update_task", async () => { 82 82 + const { server, tools } = createServerMock(); 83 83 + const client = { 84 84 + json: vi 85 85 + .fn() 86 86 + .mockResolvedValueOnce({ 87 87 + title: "Draft spec", 88 88 + description: "Write docs", 89 89 + status: "open", 90 90 + priority: "medium", 91 91 + projectId: "project-1", 92 92 + position: 4, 93 93 + }) 94 94 + .mockResolvedValueOnce({ id: "task-1", status: "done" }), 95 95 + }; 96 96 + 97 97 + registerTools(server as never, { client: client as never }); 98 98 + 99 99 + const result = await tools.get("update_task")?.({ 100 100 + taskId: "task-1", 101 101 + status: "done", 102 102 + }); 103 103 + 104 104 + expect(client.json).toHaveBeenNthCalledWith(1, "/api/task/task-1", { 105 105 + method: "GET", 106 106 + }); 107 107 + expect(client.json).toHaveBeenNthCalledWith(2, "/api/task/task-1", { 108 108 + method: "PUT", 109 109 + body: JSON.stringify({ 110 110 + title: "Draft spec", 111 111 + description: "Write docs", 112 112 + status: "done", 113 113 + priority: "medium", 114 114 + projectId: "project-1", 115 115 + position: 4, 116 116 + }), 117 117 + }); 118 118 + expect(result?.isError).toBe(false); 119 119 + }); 120 120 + 121 121 + it("returns an MCP error result when the client request fails", async () => { 122 122 + const { server, tools } = createServerMock(); 123 123 + const client = { 124 124 + json: vi.fn().mockRejectedValue(new Error("boom")), 125 125 + }; 126 126 + 127 127 + registerTools(server as never, { client: client as never }); 128 128 + 129 129 + const result = await tools.get("whoami")?.({}); 130 130 + 131 131 + expect(result).toEqual({ 132 132 + content: [ 133 133 + { 134 134 + type: "text", 135 135 + text: JSON.stringify({ error: "boom" }, null, 2), 136 136 + }, 137 137 + ], 138 138 + isError: true, 139 139 + }); 140 140 + }); 141 141 + });

+412

apps/mcp/src/tools/register.ts

reviewed

··· 1 1 + import type { McpServer } from "@modelcontextprotocol/sdk/server/mcp.js"; 2 2 + import type { CallToolResult } from "@modelcontextprotocol/sdk/types.js"; 3 3 + import { z } from "zod"; 4 4 + import type { KaneoClient } from "../kaneo/client.js"; 5 5 + import { buildFullTaskUpdateBody } from "../kaneo/task-helpers.js"; 6 6 + import { errorResult, textResult } from "../utils/mcp-result.js"; 7 7 + 8 8 + const prioritySchema = z.enum([ 9 9 + "no-priority", 10 10 + "low", 11 11 + "medium", 12 12 + "high", 13 13 + "urgent", 14 14 + ]); 15 15 + 16 16 + function run(fn: () => Promise<unknown>): Promise<CallToolResult> { 17 17 + return fn() 18 18 + .then((data) => textResult(data)) 19 19 + .catch((e: unknown) => 20 20 + errorResult(e instanceof Error ? e.message : String(e)), 21 21 + ); 22 22 + } 23 23 + 24 24 + export function registerTools( 25 25 + server: McpServer, 26 26 + ctx: { client: KaneoClient }, 27 27 + ): void { 28 28 + const { client } = ctx; 29 29 + 30 30 + server.registerTool( 31 31 + "whoami", 32 32 + { 33 33 + description: 34 34 + "Return the current Kaneo session and user for the cached device token.", 35 35 + inputSchema: z.object({}), 36 36 + }, 37 37 + async () => 38 38 + run(() => client.json("/api/auth/get-session", { method: "GET" })), 39 39 + ); 40 40 + 41 41 + server.registerTool( 42 42 + "list_workspaces", 43 43 + { 44 44 + description: 45 45 + "List workspaces (Better Auth organizations) the signed-in user can access.", 46 46 + inputSchema: z.object({}), 47 47 + }, 48 48 + async () => 49 49 + run(() => client.json("/api/auth/organization/list", { method: "GET" })), 50 50 + ); 51 51 + 52 52 + server.registerTool( 53 53 + "list_projects", 54 54 + { 55 55 + description: "List projects in a workspace.", 56 56 + inputSchema: z.object({ 57 57 + workspaceId: z.string().describe("Workspace ID"), 58 58 + includeArchived: z 59 59 + .boolean() 60 60 + .optional() 61 61 + .describe("Include archived projects"), 62 62 + }), 63 63 + }, 64 64 + async (args) => { 65 65 + const { workspaceId, includeArchived } = args; 66 66 + const qs = new URLSearchParams({ workspaceId }); 67 67 + if (includeArchived === true) { 68 68 + qs.set("includeArchived", "true"); 69 69 + } 70 70 + return run(() => 71 71 + client.json(`/api/project?${qs.toString()}`, { method: "GET" }), 72 72 + ); 73 73 + }, 74 74 + ); 75 75 + 76 76 + server.registerTool( 77 77 + "get_project", 78 78 + { 79 79 + description: "Get a single project by ID.", 80 80 + inputSchema: z.object({ id: z.string() }), 81 81 + }, 82 82 + async (args) => 83 83 + run(() => client.json(`/api/project/${encodeURIComponent(args.id)}`)), 84 84 + ); 85 85 + 86 86 + server.registerTool( 87 87 + "create_project", 88 88 + { 89 89 + description: "Create a project in a workspace.", 90 90 + inputSchema: z.object({ 91 91 + name: z.string(), 92 92 + workspaceId: z.string(), 93 93 + icon: z.string(), 94 94 + slug: z.string(), 95 95 + }), 96 96 + }, 97 97 + async (args) => 98 98 + run(() => 99 99 + client.json("/api/project", { 100 100 + method: "POST", 101 101 + body: JSON.stringify({ 102 102 + name: args.name, 103 103 + workspaceId: args.workspaceId, 104 104 + icon: args.icon, 105 105 + slug: args.slug, 106 106 + }), 107 107 + }), 108 108 + ), 109 109 + ); 110 110 + 111 111 + server.registerTool( 112 112 + "update_project", 113 113 + { 114 114 + description: "Update project metadata.", 115 115 + inputSchema: z.object({ 116 116 + id: z.string(), 117 117 + name: z.string(), 118 118 + icon: z.string(), 119 119 + slug: z.string(), 120 120 + description: z.string(), 121 121 + isPublic: z.boolean(), 122 122 + }), 123 123 + }, 124 124 + async (args) => 125 125 + run(() => 126 126 + client.json(`/api/project/${encodeURIComponent(args.id)}`, { 127 127 + method: "PUT", 128 128 + body: JSON.stringify({ 129 129 + name: args.name, 130 130 + icon: args.icon, 131 131 + slug: args.slug, 132 132 + description: args.description, 133 133 + isPublic: args.isPublic, 134 134 + }), 135 135 + }), 136 136 + ), 137 137 + ); 138 138 + 139 139 + const listTasksSchema = z.object({ 140 140 + projectId: z.string(), 141 141 + status: z.string().optional(), 142 142 + priority: z.string().optional(), 143 143 + assigneeId: z.string().optional(), 144 144 + page: z.number().int().positive().optional(), 145 145 + limit: z.number().int().positive().optional(), 146 146 + sortBy: z 147 147 + .enum(["createdAt", "priority", "dueDate", "position", "title", "number"]) 148 148 + .optional(), 149 149 + sortOrder: z.enum(["asc", "desc"]).optional(), 150 150 + dueBefore: z.string().optional(), 151 151 + dueAfter: z.string().optional(), 152 152 + }); 153 153 + 154 154 + server.registerTool( 155 155 + "list_tasks", 156 156 + { 157 157 + description: "List tasks for a project (optionally filtered/sorted).", 158 158 + inputSchema: listTasksSchema, 159 159 + }, 160 160 + async (args) => { 161 161 + const { projectId, ...rest } = args; 162 162 + const qs = new URLSearchParams(); 163 163 + for (const [k, v] of Object.entries(rest)) { 164 164 + if (v === undefined || v === null) { 165 165 + continue; 166 166 + } 167 167 + qs.set(k, String(v)); 168 168 + } 169 169 + const q = qs.toString(); 170 170 + const path = `/api/task/tasks/${encodeURIComponent(projectId)}${q ? `?${q}` : ""}`; 171 171 + return run(() => client.json(path, { method: "GET" })); 172 172 + }, 173 173 + ); 174 174 + 175 175 + server.registerTool( 176 176 + "get_task", 177 177 + { 178 178 + description: "Get a task by ID.", 179 179 + inputSchema: z.object({ taskId: z.string() }), 180 180 + }, 181 181 + async (args) => 182 182 + run(() => 183 183 + client.json(`/api/task/${encodeURIComponent(args.taskId)}`, { 184 184 + method: "GET", 185 185 + }), 186 186 + ), 187 187 + ); 188 188 + 189 189 + server.registerTool( 190 190 + "create_task", 191 191 + { 192 192 + description: "Create a task in a project.", 193 193 + inputSchema: z.object({ 194 194 + projectId: z.string(), 195 195 + title: z.string(), 196 196 + description: z.string(), 197 197 + priority: prioritySchema, 198 198 + status: z.string(), 199 199 + startDate: z.string().optional(), 200 200 + dueDate: z.string().optional(), 201 201 + userId: z.string().optional(), 202 202 + }), 203 203 + }, 204 204 + async (args) => { 205 205 + const body: Record<string, string | undefined> = { 206 206 + title: args.title, 207 207 + description: args.description, 208 208 + priority: args.priority, 209 209 + status: args.status, 210 210 + }; 211 211 + if (args.startDate !== undefined) { 212 212 + body.startDate = args.startDate; 213 213 + } 214 214 + if (args.dueDate !== undefined) { 215 215 + body.dueDate = args.dueDate; 216 216 + } 217 217 + if (args.userId !== undefined) { 218 218 + body.userId = args.userId; 219 219 + } 220 220 + return run(() => 221 221 + client.json(`/api/task/${encodeURIComponent(args.projectId)}`, { 222 222 + method: "POST", 223 223 + body: JSON.stringify(body), 224 224 + }), 225 225 + ); 226 226 + }, 227 227 + ); 228 228 + 229 229 + const updateTaskSchema = z.object({ 230 230 + taskId: z.string(), 231 231 + title: z.string().optional(), 232 232 + description: z.string().nullable().optional(), 233 233 + status: z.string().optional(), 234 234 + priority: prioritySchema.optional(), 235 235 + projectId: z.string().optional(), 236 236 + position: z.number().optional(), 237 237 + startDate: z.string().nullable().optional(), 238 238 + dueDate: z.string().nullable().optional(), 239 239 + userId: z.string().nullable().optional(), 240 240 + }); 241 241 + 242 242 + server.registerTool( 243 243 + "update_task", 244 244 + { 245 245 + description: 246 246 + "Update a task (fetches current task, merges fields, then full update).", 247 247 + inputSchema: updateTaskSchema, 248 248 + }, 249 249 + async (args) => { 250 250 + const { taskId, ...patch } = args; 251 251 + return run(async () => { 252 252 + const existing = (await client.json( 253 253 + `/api/task/${encodeURIComponent(taskId)}`, 254 254 + { method: "GET" }, 255 255 + )) as Record<string, unknown>; 256 256 + const body = buildFullTaskUpdateBody(existing, patch); 257 257 + return client.json(`/api/task/${encodeURIComponent(taskId)}`, { 258 258 + method: "PUT", 259 259 + body: JSON.stringify(body), 260 260 + }); 261 261 + }); 262 262 + }, 263 263 + ); 264 264 + 265 265 + server.registerTool( 266 266 + "move_task", 267 267 + { 268 268 + description: 269 269 + "Move a task to another project (and optional column status).", 270 270 + inputSchema: z.object({ 271 271 + taskId: z.string(), 272 272 + destinationProjectId: z.string(), 273 273 + destinationStatus: z.string().optional(), 274 274 + }), 275 275 + }, 276 276 + async (args) => 277 277 + run(() => 278 278 + client.json(`/api/task/move/${encodeURIComponent(args.taskId)}`, { 279 279 + method: "PUT", 280 280 + body: JSON.stringify({ 281 281 + destinationProjectId: args.destinationProjectId, 282 282 + ...(args.destinationStatus !== undefined 283 283 + ? { destinationStatus: args.destinationStatus } 284 284 + : {}), 285 285 + }), 286 286 + }), 287 287 + ), 288 288 + ); 289 289 + 290 290 + server.registerTool( 291 291 + "update_task_status", 292 292 + { 293 293 + description: "Update only the status (column) of a task.", 294 294 + inputSchema: z.object({ 295 295 + taskId: z.string(), 296 296 + status: z.string(), 297 297 + }), 298 298 + }, 299 299 + async (args) => 300 300 + run(() => 301 301 + client.json(`/api/task/status/${encodeURIComponent(args.taskId)}`, { 302 302 + method: "PUT", 303 303 + body: JSON.stringify({ status: args.status }), 304 304 + }), 305 305 + ), 306 306 + ); 307 307 + 308 308 + server.registerTool( 309 309 + "list_task_comments", 310 310 + { 311 311 + description: "List comments on a task.", 312 312 + inputSchema: z.object({ taskId: z.string() }), 313 313 + }, 314 314 + async (args) => 315 315 + run(() => 316 316 + client.json(`/api/comment/${encodeURIComponent(args.taskId)}`, { 317 317 + method: "GET", 318 318 + }), 319 319 + ), 320 320 + ); 321 321 + 322 322 + server.registerTool( 323 323 + "create_task_comment", 324 324 + { 325 325 + description: "Add a comment to a task.", 326 326 + inputSchema: z.object({ 327 327 + taskId: z.string(), 328 328 + content: z.string().min(1), 329 329 + }), 330 330 + }, 331 331 + async (args) => 332 332 + run(() => 333 333 + client.json(`/api/comment/${encodeURIComponent(args.taskId)}`, { 334 334 + method: "POST", 335 335 + body: JSON.stringify({ content: args.content }), 336 336 + }), 337 337 + ), 338 338 + ); 339 339 + 340 340 + server.registerTool( 341 341 + "list_workspace_labels", 342 342 + { 343 343 + description: "List labels defined in a workspace.", 344 344 + inputSchema: z.object({ workspaceId: z.string() }), 345 345 + }, 346 346 + async (args) => 347 347 + run(() => 348 348 + client.json( 349 349 + `/api/label/workspace/${encodeURIComponent(args.workspaceId)}`, 350 350 + { method: "GET" }, 351 351 + ), 352 352 + ), 353 353 + ); 354 354 + 355 355 + server.registerTool( 356 356 + "create_label", 357 357 + { 358 358 + description: 359 359 + "Create a label in a workspace (optionally attach to a task).", 360 360 + inputSchema: z.object({ 361 361 + name: z.string(), 362 362 + color: z.string(), 363 363 + workspaceId: z.string(), 364 364 + taskId: z.string().optional(), 365 365 + }), 366 366 + }, 367 367 + async (args) => 368 368 + run(() => 369 369 + client.json("/api/label", { 370 370 + method: "POST", 371 371 + body: JSON.stringify({ 372 372 + name: args.name, 373 373 + color: args.color, 374 374 + workspaceId: args.workspaceId, 375 375 + ...(args.taskId !== undefined ? { taskId: args.taskId } : {}), 376 376 + }), 377 377 + }), 378 378 + ), 379 379 + ); 380 380 + 381 381 + server.registerTool( 382 382 + "attach_label_to_task", 383 383 + { 384 384 + description: "Attach an existing label to a task.", 385 385 + inputSchema: z.object({ 386 386 + labelId: z.string(), 387 387 + taskId: z.string(), 388 388 + }), 389 389 + }, 390 390 + async (args) => 391 391 + run(() => 392 392 + client.json(`/api/label/${encodeURIComponent(args.labelId)}/task`, { 393 393 + method: "PUT", 394 394 + body: JSON.stringify({ taskId: args.taskId }), 395 395 + }), 396 396 + ), 397 397 + ); 398 398 + 399 399 + server.registerTool( 400 400 + "detach_label_from_task", 401 401 + { 402 402 + description: "Detach a label from its current task.", 403 403 + inputSchema: z.object({ labelId: z.string() }), 404 404 + }, 405 405 + async (args) => 406 406 + run(() => 407 407 + client.json(`/api/label/${encodeURIComponent(args.labelId)}/task`, { 408 408 + method: "DELETE", 409 409 + }), 410 410 + ), 411 411 + ); 412 412 + }

+17

apps/mcp/src/utils/mcp-result.ts

reviewed

··· 1 1 + import type { CallToolResult } from "@modelcontextprotocol/sdk/types.js"; 2 2 + 3 3 + export function textResult(data: unknown, isError = false): CallToolResult { 4 4 + return { 5 5 + content: [ 6 6 + { 7 7 + type: "text", 8 8 + text: typeof data === "string" ? data : JSON.stringify(data, null, 2), 9 9 + }, 10 10 + ], 11 11 + isError, 12 12 + }; 13 13 + } 14 14 + 15 15 + export function errorResult(message: string): CallToolResult { 16 16 + return textResult({ error: message }, true); 17 17 + }

+16

apps/mcp/src/utils/normalize-base-url.test.ts

reviewed

··· 1 1 + import { describe, expect, it } from "vitest"; 2 2 + import { normalizeBaseUrl } from "./normalize-base-url.js"; 3 3 + 4 4 + describe("normalizeBaseUrl", () => { 5 5 + it("strips trailing slashes", () => { 6 6 + expect(normalizeBaseUrl("http://localhost:1337/")).toBe( 7 7 + "http://localhost:1337", 8 8 + ); 9 9 + }); 10 10 + 11 11 + it("removes /api suffix from path", () => { 12 12 + expect(normalizeBaseUrl("http://localhost:1337/api")).toBe( 13 13 + "http://localhost:1337", 14 14 + ); 15 15 + }); 16 16 + });

+17

apps/mcp/src/utils/normalize-base-url.ts

reviewed

··· 1 1 + /** 2 2 + * Kaneo API base URL without trailing slash and without `/api` suffix. 3 3 + */ 4 4 + export function normalizeBaseUrl(raw: string): string { 5 5 + const trimmed = raw.trim().replace(/\/+$/, ""); 6 6 + try { 7 7 + const u = new URL(trimmed); 8 8 + let path = u.pathname.replace(/\/+$/, ""); 9 9 + if (path === "/api" || path.endsWith("/api")) { 10 10 + path = path.replace(/\/?api$/, "") || "/"; 11 11 + u.pathname = path; 12 12 + } 13 13 + return `${u.protocol}//${u.host}${path === "/" ? "" : path}`; 14 14 + } catch { 15 15 + return trimmed.replace(/\/api\/?$/, "").replace(/\/+$/, ""); 16 16 + } 17 17 + }

+12

apps/mcp/tsconfig.json

reviewed

··· 1 1 + { 2 2 + "extends": "../../packages/typescript-config/base.json", 3 3 + "compilerOptions": { 4 4 + "outDir": "dist", 5 5 + "rootDir": "src", 6 6 + "noEmit": false, 7 7 + "declaration": false, 8 8 + "declarationMap": false 9 9 + }, 10 10 + "include": ["src/**/*.ts"], 11 11 + "exclude": ["node_modules", "dist", "src/**/*.test.ts"] 12 12 + }

+9

apps/mcp/vitest.config.ts

reviewed

··· 1 1 + import { defineConfig } from "vitest/config"; 2 2 + 3 3 + export default defineConfig({ 4 4 + test: { 5 5 + globals: false, 6 6 + environment: "node", 7 7 + include: ["src/**/*.test.ts"], 8 8 + }, 9 9 + });

+47

pnpm-lock.yaml

reviewed

··· 158 158 specifier: ^4.1.2 159 159 version: 4.1.2(@opentelemetry/api@1.9.0)(@types/node@25.4.0)(jsdom@29.0.1(@noble/hashes@2.0.1))(msw@2.12.10(@types/node@25.4.0)(typescript@5.9.3))(vite@7.3.1(@types/node@25.4.0)(jiti@2.6.1)(lightningcss@1.31.1)(tsx@4.21.0)) 160 160 161 161 + apps/mcp: 162 162 + dependencies: 163 163 + '@modelcontextprotocol/sdk': 164 164 + specifier: ^1.26.0 165 165 + version: 1.26.0(zod@3.25.76) 166 166 + open: 167 167 + specifier: ^10.1.0 168 168 + version: 10.2.0 169 169 + zod: 170 170 + specifier: ^3.25.0 171 171 + version: 3.25.76 172 172 + devDependencies: 173 173 + '@kaneo/typescript-config': 174 174 + specifier: workspace:* 175 175 + version: link:../../packages/typescript-config 176 176 + '@types/node': 177 177 + specifier: ^25.3.5 178 178 + version: 25.5.0 179 179 + tsx: 180 180 + specifier: ^4.21.0 181 181 + version: 4.21.0 182 182 + typescript: 183 183 + specifier: ^5.9.3 184 184 + version: 5.9.3 185 185 + vitest: 186 186 + specifier: ^4.1.2 187 187 + version: 4.1.2(@opentelemetry/api@1.9.0)(@types/node@25.5.0)(jsdom@29.0.1(@noble/hashes@2.0.1))(msw@2.12.10(@types/node@25.5.0)(typescript@5.9.3))(vite@7.3.1(@types/node@25.5.0)(jiti@2.6.1)(lightningcss@1.31.1)(tsx@4.21.0)) 188 188 + 161 189 apps/site: 162 190 dependencies: 163 191 '@base-ui/react': ··· 6405 6433 oniguruma-to-es@4.3.4: 6406 6434 resolution: {integrity: sha512-3VhUGN3w2eYxnTzHn+ikMI+fp/96KoRSVK9/kMTcFqj1NRDh2IhQCKvYxDnWePKRXY/AqH+Fuiyb7VHSzBjHfA==} 6407 6435 6436 6436 + open@10.2.0: 6437 6437 + resolution: {integrity: sha512-YgBpdJHPyQ2UE5x+hlSXcnejzAvD0b22U2OuAP+8OnlJT+PjWPxtgmGqKKc+RgTM63U9gN0YzrYc71R2WT/hTA==} 6438 6438 + engines: {node: '>=18'} 6439 6439 + 6408 6440 open@11.0.0: 6409 6441 resolution: {integrity: sha512-smsWv2LzFjP03xmvFoJ331ss6h+jixfA4UUV/Bsiyuu4YJPfN+FIQGOIiv4w9/+MoHkfkJ22UIaQWRVFRfH6Vw==} 6410 6442 engines: {node: '>=20'} ··· 7651 7683 optional: true 7652 7684 utf-8-validate: 7653 7685 optional: true 7686 7686 + 7687 7687 + wsl-utils@0.1.0: 7688 7688 + resolution: {integrity: sha512-h3Fbisa2nKGPxCpm89Hk33lBLsnaGBvctQopaBSOW/uIs6FTe1ATyAnKFJrzVs9vpGdsTe73WF3V4lIsk4Gacw==} 7689 7689 + engines: {node: '>=18'} 7654 7690 7655 7691 wsl-utils@0.3.1: 7656 7692 resolution: {integrity: sha512-g/eziiSUNBSsdDJtCLB8bdYEUMj4jR7AGeUo96p/3dTafgjHhpF4RiCFPiRILwjQoDXx5MqkBr4fwWtR3Ky4Wg==} ··· 14933 14969 regex: 6.1.0 14934 14970 regex-recursion: 6.0.2 14935 14971 14972 14972 + open@10.2.0: 14973 14973 + dependencies: 14974 14974 + default-browser: 5.5.0 14975 14975 + define-lazy-prop: 3.0.0 14976 14976 + is-inside-container: 1.0.0 14977 14977 + wsl-utils: 0.1.0 14978 14978 + 14936 14979 open@11.0.0: 14937 14980 dependencies: 14938 14981 default-browser: 5.5.0 ··· 16567 16610 wrappy@1.0.2: {} 16568 16611 16569 16612 ws@8.17.1: {} 16613 16613 + 16614 16614 + wsl-utils@0.1.0: 16615 16615 + dependencies: 16616 16616 + is-wsl: 3.1.1 16570 16617 16571 16618 wsl-utils@0.3.1: 16572 16619 dependencies: