go-clockify

module
v1.0.1 Latest Latest
Warning

This package is not in the latest version of its module.

Go to latest
Published: Apr 20, 2026 License: MIT

README

clockify-mcp-go

A production-grade Model Context Protocol server for Clockify — plug any MCP client into your time-tracking workspace and let it log time, run reports, and manage projects on your behalf.

Go version Release MCP protocol

Works with Claude Code, Claude Desktop, Cursor, Codex, and anything else that speaks MCP.

Highlights

  • 124 tools — 33 always-on (timer, entries, projects, reports, …) plus 91 on-demand (invoices, scheduling, approvals, admin, …) across 11 activatable groups.
  • Resources & prompts — six clockify:// URI templates and five built-in prompt templates alongside the tool surface.
  • Four policy modesread_only, safe_core, standard, full — plus a dry-run preview for every destructive tool.
  • Three transports — stdio (default), streamable HTTP 2025-03-26 (shared services), opt-in gRPC behind a build tag. Cancellation, tools/list_changed, size limits, and malformed-JSON boundaries pinned with cross-transport parity tests.
  • Stdlib-only default build — zero external runtime dependencies; the default binary links no OpenTelemetry, gRPC, or protobuf symbols (verified in CI).
  • Signed releases — every binary and container image ships with cosign signatures, SPDX SBOM, and SLSA build provenance.

Contents

Install

# Go
go install github.com/apet97/go-clockify/cmd/clockify-mcp@latest

# npm (prebuilt binaries)
npx @anycli/clockify-mcp-go

# Or download a prebuilt binary from Releases:
# https://github.com/apet97/go-clockify/releases

Verify:

clockify-mcp --version

Get a Clockify API key from Profile → Advanced and export it:

export CLOCKIFY_API_KEY=your-key

Connect to an MCP client

Claude Code (CLI)
claude mcp add clockify -- clockify-mcp

Then set CLOCKIFY_API_KEY in your shell, or inline it: claude mcp add clockify -e CLOCKIFY_API_KEY=your-key -- clockify-mcp.

Claude Desktop

Add to ~/Library/Application Support/Claude/claude_desktop_config.json (macOS) or %APPDATA%\Claude\claude_desktop_config.json (Windows):

{
  "mcpServers": {
    "clockify": {
      "command": "clockify-mcp",
      "env": { "CLOCKIFY_API_KEY": "your-key" }
    }
  }
}
Cursor

Add to .cursor/mcp.json in your workspace:

{
  "mcpServers": {
    "clockify": {
      "command": "clockify-mcp",
      "env": { "CLOCKIFY_API_KEY": "your-key" }
    }
  }
}
Codex CLI

Add to your Codex MCP config:

{
  "mcpServers": {
    "clockify": {
      "command": "clockify-mcp",
      "env": { "CLOCKIFY_API_KEY": "your-key" }
    }
  }
}
npm wrapper (all clients)

If you installed via npm/npx, swap the command for:

{
  "command": "npx",
  "args": ["@anycli/clockify-mcp-go"]
}

Tool tiers

Tier 1 (33 tools, always loaded): timer, entries, projects, clients, tags, tasks, users, workspaces, reports, workflows, search, context.

Tier 2 (91 tools, 11 groups, on demand): invoices, expenses, scheduling, time off, approvals, shared reports, user admin, webhooks, custom fields, groups/holidays, project admin.

Call clockify_search_tools to discover and activate a Tier 2 group or a specific tool. Activation updates tools/list at runtime.

Policy modes

CLOCKIFY_POLICY controls which tools are exposed based on trust level:

Mode Read Write Delete Tier 2 Use case
read_only yes no no no Untrusted agents — observe only
safe_core yes allowlist no no Day-to-day time tracking
standard yes yes yes on demand Default — balanced
full yes yes yes yes Admin and automation

Introspection tools (clockify_whoami, clockify_policy_info, clockify_search_tools, clockify_resolve_debug) are always available regardless of policy.

Configuration

The essentials (regenerate with go run ./cmd/gen-config-docs -mode=all):

Variable Default Purpose
CLOCKIFY_API_KEY API key (required for stdio/http/grpc; optional for streamable_http)
CLOCKIFY_BOOTSTRAP_MODE full_tier1 Initial tool surface
CLOCKIFY_DEDUPE_MODE warn Duplicate entry detection
CLOCKIFY_DRY_RUN enabled Dry-run preview for destructive tools
CLOCKIFY_POLICY standard Tool-access policy tier
CLOCKIFY_RATE_LIMIT 120 Tool calls per 60s window (0=disabled)
CLOCKIFY_WORKSPACE_ID auto Workspace ID (auto-detected if only one)
MCP_ALLOW_DEV_BACKEND Permit memory/file backends for streamable_http (single-process only)
MCP_AUDIT_DURABILITY best_effort Audit persist-failure behaviour
MCP_AUTH_MODE Authentication mode (per-transport support varies; see matrix)
MCP_CONTROL_PLANE_AUDIT_CAP 0 File/memory audit cap (0=unbounded). Postgres uses retention instead.
MCP_CONTROL_PLANE_AUDIT_RETENTION 720h Audit retention [1h,8760h]; 0=off
MCP_CONTROL_PLANE_DSN memory Control-plane DSN: memory, file://, postgres://...
MCP_GRPC_BIND :9090 gRPC listen address (requires -tags=grpc)
MCP_HTTP_BIND :8080 HTTP listen address
MCP_HTTP_INLINE_METRICS_AUTH_MODE inherit_main_bearer Auth mode for inline /metrics
MCP_HTTP_INLINE_METRICS_ENABLED 0 Expose /metrics on the main HTTP listener
MCP_HTTP_LEGACY_POLICY warn Legacy HTTP startup behaviour
MCP_HTTP_MAX_BODY 4194304 Deprecated — use MCP_MAX_MESSAGE_SIZE. Deprecated alias for MCP_MAX_MESSAGE_SIZE
MCP_LOG_FORMAT text Log format (stderr; PII-scrubbed)
MCP_MAX_MESSAGE_SIZE 4194304 Max request size in bytes (primary knob); 0 < N <= 104857600
MCP_METRICS_AUTH_MODE static_bearer (when MCP_METRICS_BIND set) Auth mode for dedicated metrics listener
MCP_METRICS_BEARER_TOKEN Bearer token (>=16 chars) for static_bearer metrics
MCP_METRICS_BIND Dedicated metrics listener (optional; recommended for streamable_http)
MCP_OIDC_VERIFY_CACHE_TTL 60s OIDC verify cache TTL [1s,5m]
MCP_TRANSPORT stdio Transport mode; http is legacy POST-only (deprecated)

Run clockify-mcp --help for the complete list (60+ variables covering concurrency, timeouts, control plane, metrics, auth, and CORS).

Common workflows

Start and stop a timer:

→ clockify_start_timer { "project": "My Project" }
← { "ok": true, "action": "timer_started", "data": { "id": "abc123" } }

→ clockify_stop_timer {}
← { "ok": true, "action": "timer_stopped" }

Log time retroactively:

→ clockify_log_time { "project": "Project Alpha", "start": "today 9:00", "end": "today 11:00", "description": "Code review" }

Dry-run a destructive operation:

→ clockify_delete_entry { "entry_id": "abc123", "dry_run": true }
← { "dry_run": true, "preview": { "id": "abc123", "description": "Meeting" }, "note": "No changes were made." }

Activate a Tier 2 domain:

→ clockify_search_tools { "activate_group": "invoices" }
← { "activated": "invoices", "tool_count": 12 }

Architecture

Four clean layers: protocol core (internal/mcp/), Clockify client (internal/clockify/), tool surface (internal/tools/), and safety layer (internal/enforcement/). The protocol core has zero domain imports and plugs into the rest via Enforcement, Activator, Notifier, and ResourceProvider interfaces.

Docker

docker build -f deploy/Dockerfile -t clockify-mcp .
docker run -p 8080:8080 \
  -e CLOCKIFY_API_KEY=your-key \
  -e MCP_BEARER_TOKEN=your-secret-token \
  clockify-mcp

The repository also ships deploy/docker-compose.yml with a Caddy reverse proxy for TLS termination, and a Helm chart at deploy/helm/.

Build and test

make check   # fast inner loop: gofmt + go vet + go test
make verify  # full local pipeline: lint, coverage floors, fuzz-short,
             # build-tag checks, HTTP smoke, k8s render, govulncheck
             # (k8s/fips/vuln tiers auto-skip when their tools are missing)
make cover   # coverage report
make build   # binary with version from git tags

make verify mirrors the PR-blocking CI jobs that can run on a laptop — see CONTRIBUTING.md for the exact list of checks it runs locally versus the full CI set.

Go 1.25.9, stdlib only. Module path: github.com/apet97/go-clockify.

Compatibility

Component Version
MCP Protocol 2025-06-18 (back-compat: 2025-03-26, 2024-11-05)
Go 1.25.9+
Node.js (npm wrapper) 16+

Troubleshooting

No tools visible — Check CLOCKIFY_BOOTSTRAP_MODE. In minimal mode most tools are hidden; use clockify_search_tools to discover them.

401 Unauthorized — API key is invalid or expired. Generate a new one.

Multiple workspaces — Set CLOCKIFY_WORKSPACE_ID explicitly.

Tool not found — It may be a Tier 2 tool. Use clockify_search_tools to find and activate its group.

Dry-run not working — Ensure CLOCKIFY_DRY_RUN=enabled (default) and pass "dry_run": true in tool call parameters.

Stale tool list — Stdio clients receive notifications/tools/list_changed after activation; HTTP clients must re-fetch tools/list.

Deployment

Reference Kubernetes manifests live in deploy/k8s/ and deploy/helm/: Deployment (non-root distroless, read-only root FS, dropped capabilities), NetworkPolicy (default-deny), PodDisruptionBudget, ServiceMonitor, and a PrometheusRule with burn-rate alerts for a 99.9% SLO.

For a single-page operator overview that links the threat model, transports, auth modes, deployment targets, runbooks, and compliance posture, see docs/production-readiness.md.

Production Resources

Contributing

See CONTRIBUTING.md.

Support

License

MIT

Directories

Path Synopsis
cmd
clockify-mcp command
gen-config-docs command
Command gen-config-docs renders config/help documentation from the internal/config EnvSpec registry.
Command gen-config-docs renders config/help documentation from the internal/config EnvSpec registry.
internal
enforcement
Package enforcement provides the concrete Enforcement and Activator implementations that compose the safety subsystems (policy, rate limiting, dry-run, truncation, bootstrap) into the MCP server's pluggable interfaces.
Package enforcement provides the concrete Enforcement and Activator implementations that compose the safety subsystems (policy, rate limiting, dry-run, truncation, bootstrap) into the MCP server's pluggable interfaces.
jsonmergepatch
Package jsonmergepatch is a hand-rolled, stdlib-only implementation of JSON Merge Patch (RFC 7396).
Package jsonmergepatch is a hand-rolled, stdlib-only implementation of JSON Merge Patch (RFC 7396).
jsonpatch
Package jsonpatch implements RFC 6902 JSON Patch: a sequence of add, remove, replace operations that transforms one JSON document into another.
Package jsonpatch implements RFC 6902 JSON Patch: a sequence of add, remove, replace operations that transforms one JSON document into another.
jsonschema
Package jsonschema is a tiny stdlib-only JSON-schema validator scoped to the keyword subset that the Clockify MCP server's Tier 1 + Tier 2 tool input schemas actually use.
Package jsonschema is a tiny stdlib-only JSON-schema validator scoped to the keyword subset that the Clockify MCP server's Tier 1 + Tier 2 tool input schemas actually use.
logging
Package logging provides a stdlib-only slog.Handler decorator that scrubs sensitive values from log attributes before they reach the underlying handler.
Package logging provides a stdlib-only slog.Handler decorator that scrubs sensitive values from log attributes before they reach the underlying handler.
mcp
metrics
Package metrics provides a stdlib-only Prometheus text exposition format encoder.
Package metrics provides a stdlib-only Prometheus text exposition format encoder.
runtime
Package runtime wires the clockify-mcp process: it loads the config-derived dependencies (policy, rate limit, dedupe, dry-run, truncation, bootstrap) and owns transport dispatch.
Package runtime wires the clockify-mcp process: it loads the config-derived dependencies (policy, rate limit, dedupe, dry-run, truncation, bootstrap) and owns transport dispatch.
testharness
Package testharness wires the real MCP dispatch path (auth → enforcement pipeline → tool handler → Clockify client) against a fake Clockify upstream so tests can assert policy, auth, and idempotency properties end-to-end without bypassing the layers that enforce them.
Package testharness wires the real MCP dispatch path (auth → enforcement pipeline → tool handler → Clockify client) against a fake Clockify upstream so tests can assert policy, auth, and idempotency properties end-to-end without bypassing the layers that enforce them.
tracing
Package tracing is the stdlib-only tracing facade.
Package tracing is the stdlib-only tracing facade.
tracing/otel module
scripts
gen-tool-catalog command
gen-tool-catalog walks the Tier-1 registry and every Tier-2 group builder and emits a machine-readable catalog (JSON) and a human-readable rendering (Markdown) for docs/tool-catalog.{json,md}.
gen-tool-catalog walks the Tier-1 registry and every Tier-2 group builder and emits a machine-readable catalog (JSON) and a human-readable rendering (Markdown) for docs/tool-catalog.{json,md}.
tests
chaos command
Package main is the clockify-mcp chaos harness.
Package main is the clockify-mcp chaos harness.
harness
Package harness provides a unified TransportHarness interface that lets one test body exercise stdio, legacy HTTP, streamable HTTP, and gRPC in parallel.
Package harness provides a unified TransportHarness interface that lets one test body exercise stdio, legacy HTTP, streamable HTTP, and gRPC in parallel.
load command
Package main is the clockify-mcp load harness.
Package main is the clockify-mcp load harness.

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL