When an HttpError occurs in Google Tasks tools, the error handler now checks
the HTTP status code before suggesting re-authentication. Re-auth messages are
only shown for 401 (Unauthorized) and 403 (Forbidden) errors.
This prevents misleading re-authentication suggestions for non-auth errors like
400 (Bad Request) with malformed arguments, allowing the LLM to focus on the
actual root cause instead of being misdirected by incorrect auth guidance.
The fix applies to both CLI mode (stdio legacy oauth) and MCP mode (OAuth 2.1).
Co-Authored-By: Claude Haiku 4.5 <noreply@anthropic.com>
The consolidated manage_task tool bundles create/update/delete/move into a
single tool, making it impossible to deny just the delete action via tool
tiers or scope-based filtering.
This adds:
- A `manage` permission level for tasks (between readonly and full)
- A SERVICE_DENIED_ACTIONS registry mapping (service, level) to denied actions
- An is_action_denied() helper that tools call before executing actions
- Guards in manage_task and manage_task_list that reject denied actions
Usage: --permissions tasks:manage
Allows create, update, move. Denies delete.
tasks:full remains unchanged (all actions allowed).
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Also:
* Creates placeholder parents for orphaned subtasks, grouping them together even though their parent isn't available.
* Performs sorting of tasks in a simpler way.
* Fixes mypy type warnings in tasks_tools.py so that mypy runs clean on this one file. See #194 for more info about type checking.
fixes#139
add comment from https://developers.google.com/workspace/tasks/reference/rest/v1/tasks/list about the parameter show_completed
When Google's web UI and Google's mobile apps complete a task, they also make it hidden. When using MCP, if you ask for your hidden tasks, the LLM won't find them if it doesn't know this.
