feat(hubspot): read-only by default via HUBSPOT_READ_ONLY (#77)

Jott4 · web-flow · commit 7d8d1224116f · 2026-06-10T16:03:11.000-03:00
Write tools (create/update/delete object, create/delete association,
send/update thread) are only registered when HUBSPOT_READ_ONLY=false.
Default exposes 11 read tools. Bumps to 1.1.0. Adds server.test.ts.
diff --git a/packages/hubspot/README.md b/packages/hubspot/README.md
@@ -12,29 +12,41 @@ export HUBSPOT_ACCESS_TOKEN="pat-na1-xxxxxxxx"
 
 Suggested scopes: `crm.objects.contacts.*`, `crm.objects.companies.*`, `crm.objects.deals.*`, `tickets`, `crm.schemas.*`, `conversations.read`, `conversations.write`.
 
+## Read-only mode
+
+By default the server runs in **read-only mode** — only the 11 read tools are registered, write tools are not exposed. To enable the 7 write tools, set:
+
+```bash
+export HUBSPOT_READ_ONLY=false
+```
+
+Any value other than the literal string `false` (or unset) keeps read-only mode on.
+
 ## Tools
 
 ### CRM objects (generic by `objectType`)
 
 `objectType` accepts standard objects (`contacts`, `companies`, `deals`, `tickets`), activities (`notes`, `tasks`, `calls`, `emails`, `meetings`) or a custom `objectTypeId` (e.g. `2-12345`).
 
+> Write tools (marked ✏️) are only registered when `HUBSPOT_READ_ONLY=false`.
+
 | Tool | Description |
 |------|-------------|
 | `list_objects` | List records of an object type with pagination |
 | `get_object` | Get a record by ID or unique `idProperty` |
-| `create_object` | Create a record with properties and optional associations |
-| `update_object` | Update a record's properties |
-| `delete_object` | Archive (soft-delete) a record |
 | `search_objects` | Search with `filterGroups`, free-text `query`, sorting and pagination |
 | `batch_read_objects` | Read up to 100 records in one request |
+| ✏️ `create_object` | Create a record with properties and optional associations |
+| ✏️ `update_object` | Update a record's properties |
+| ✏️ `delete_object` | Archive (soft-delete) a record |
 
 ### Associations (v4)
 
 | Tool | Description |
 |------|-------------|
 | `list_associations` | List associated records of a target type for a source record |
-| `create_association` | Default (unlabeled) or labeled association between two records |
-| `delete_association` | Remove all associations between two records |
+| ✏️ `create_association` | Default (unlabeled) or labeled association between two records |
+| ✏️ `delete_association` | Remove all associations between two records |
 
 ### Metadata
 
@@ -51,8 +63,8 @@ Suggested scopes: `crm.objects.contacts.*`, `crm.objects.companies.*`, `crm.obje
 | `list_threads` | List threads, optionally filtered by inbox/status |
 | `get_thread` | Get a thread by ID |
 | `list_thread_messages` | Message history of a thread |
-| `send_thread_message` | Send an outbound message through an existing channel |
-| `update_thread` | Update thread status (OPEN/CLOSED) or archived flag |
+| ✏️ `send_thread_message` | Send an outbound message through an existing channel |
+| ✏️ `update_thread` | Update thread status (OPEN/CLOSED) or archived flag |
 
 ## Usage examples
 
diff --git a/packages/hubspot/package.json b/packages/hubspot/package.json
@@ -1,6 +1,6 @@
 {
   "name": "@arvoretech/hubspot-mcp",
-  "version": "1.0.0",
+  "version": "1.1.0",
   "description": "HubSpot CRM MCP Server",
   "main": "dist/index.js",
   "type": "module",
@@ -17,8 +17,13 @@
     "test": "vitest run",
     "test:cov": "vitest run --coverage",
     "lint": "eslint src/**/*.ts",
-    "lint:fix": "eslint src/**/*.ts --fix"
+    "lint:fix": "eslint src/**/*.ts --fix",
+    "prepublishOnly": "pnpm build"
   },
+  "files": [
+    "dist",
+    "README.md"
+  ],
   "keywords": [
     "mcp",
     "hubspot",
diff --git a/packages/hubspot/src/server.test.ts b/packages/hubspot/src/server.test.ts
@@ -0,0 +1,75 @@
+import { describe, it, expect, beforeEach, afterEach } from "vitest";
+import { HubSpotMCPServer } from "./server.js";
+
+const READ_TOOLS = [
+  "list_objects",
+  "get_object",
+  "search_objects",
+  "batch_read_objects",
+  "list_associations",
+  "list_pipelines",
+  "list_properties",
+  "list_inboxes",
+  "list_threads",
+  "get_thread",
+  "list_thread_messages",
+];
+
+const WRITE_TOOLS = [
+  "create_object",
+  "update_object",
+  "delete_object",
+  "create_association",
+  "delete_association",
+  "send_thread_message",
+  "update_thread",
+];
+
+function registeredToolNames(server: HubSpotMCPServer): string[] {
+  const internal = server as unknown as {
+    server: { _registeredTools?: Record<string, unknown> };
+  };
+  return Object.keys(internal.server._registeredTools ?? {});
+}
+
+describe("HubSpotMCPServer read-only mode", () => {
+  beforeEach(() => {
+    process.env.HUBSPOT_ACCESS_TOKEN = "fake-token";
+  });
+
+  afterEach(() => {
+    delete process.env.HUBSPOT_READ_ONLY;
+    delete process.env.HUBSPOT_ACCESS_TOKEN;
+  });
+
+  it("registers only read tools by default", () => {
+    delete process.env.HUBSPOT_READ_ONLY;
+    const names = registeredToolNames(new HubSpotMCPServer());
+
+    expect(names.sort()).toEqual([...READ_TOOLS].sort());
+    for (const w of WRITE_TOOLS) {
+      expect(names).not.toContain(w);
+    }
+  });
+
+  it("keeps read-only when HUBSPOT_READ_ONLY is any non-false value", () => {
+    process.env.HUBSPOT_READ_ONLY = "true";
+    const names = registeredToolNames(new HubSpotMCPServer());
+    expect(names.sort()).toEqual([...READ_TOOLS].sort());
+  });
+
+  it("registers write tools when HUBSPOT_READ_ONLY=false", () => {
+    process.env.HUBSPOT_READ_ONLY = "false";
+    const names = registeredToolNames(new HubSpotMCPServer());
+
+    for (const t of [...READ_TOOLS, ...WRITE_TOOLS]) {
+      expect(names).toContain(t);
+    }
+    expect(names.length).toBe(READ_TOOLS.length + WRITE_TOOLS.length);
+  });
+
+  it("throws without an access token", () => {
+    delete process.env.HUBSPOT_ACCESS_TOKEN;
+    expect(() => new HubSpotMCPServer()).toThrow(/HUBSPOT_ACCESS_TOKEN/);
+  });
+});
diff --git a/packages/hubspot/src/server.ts b/packages/hubspot/src/server.ts
@@ -26,13 +26,16 @@ import {
 export class HubSpotMCPServer {
   private readonly server: McpServer;
   private readonly tools: HubSpotMCPTools;
+  private readonly readOnly: boolean;
 
   constructor() {
     const accessToken = process.env.HUBSPOT_ACCESS_TOKEN;
     if (!accessToken) {
       throw new Error("Missing required env var: HUBSPOT_ACCESS_TOKEN");
     }
 
+    this.readOnly = process.env.HUBSPOT_READ_ONLY !== "false";
+
     this.server = new McpServer({
       name: "hubspot-mcp-server",
       version: "1.0.0",
@@ -41,10 +44,13 @@ export class HubSpotMCPServer {
     const client = new HubSpotClient(accessToken);
     this.tools = new HubSpotMCPTools(client);
 
-    this.setupTools();
+    this.setupReadTools();
+    if (!this.readOnly) {
+      this.setupWriteTools();
+    }
   }
 
-  private setupTools(): void {
+  private setupReadTools(): void {
     this.server.registerTool(
       "list_objects",
       {
@@ -66,37 +72,6 @@ export class HubSpotMCPServer {
       async (params) => this.tools.getObject(GetObjectParamsSchema.parse(params))
     );
 
-    this.server.registerTool(
-      "create_object",
-      {
-        title: "Create CRM Object",
-        description:
-          "Create a CRM record (contact, company, deal, ticket, note, task, call, email, meeting, or custom) with properties and optional associations.",
-        inputSchema: CreateObjectParamsSchema.shape,
-      },
-      async (params) => this.tools.createObject(CreateObjectParamsSchema.parse(params))
-    );
-
-    this.server.registerTool(
-      "update_object",
-      {
-        title: "Update CRM Object",
-        description: "Update a CRM record's properties by ID (or by a unique idProperty).",
-        inputSchema: UpdateObjectParamsSchema.shape,
-      },
-      async (params) => this.tools.updateObject(UpdateObjectParamsSchema.parse(params))
-    );
-
-    this.server.registerTool(
-      "delete_object",
-      {
-        title: "Delete CRM Object",
-        description: "Archive (soft-delete) a CRM record by ID.",
-        inputSchema: DeleteObjectParamsSchema.shape,
-      },
-      async (params) => this.tools.deleteObject(DeleteObjectParamsSchema.parse(params))
-    );
-
     this.server.registerTool(
       "search_objects",
       {
@@ -128,27 +103,6 @@ export class HubSpotMCPServer {
       async (params) => this.tools.listAssociations(ListAssociationsParamsSchema.parse(params))
     );
 
-    this.server.registerTool(
-      "create_association",
-      {
-        title: "Create Association",
-        description:
-          "Associate two records. Omit types for a default (unlabeled) association, or provide associationTypeId(s) for labeled associations.",
-        inputSchema: CreateAssociationParamsSchema.shape,
-      },
-      async (params) => this.tools.createAssociation(CreateAssociationParamsSchema.parse(params))
-    );
-
-    this.server.registerTool(
-      "delete_association",
-      {
-        title: "Delete Association",
-        description: "Remove all associations between two specific records.",
-        inputSchema: DeleteAssociationParamsSchema.shape,
-      },
-      async (params) => this.tools.deleteAssociation(DeleteAssociationParamsSchema.parse(params))
-    );
-
     this.server.registerTool(
       "list_pipelines",
       {
@@ -208,6 +162,60 @@ export class HubSpotMCPServer {
       },
       async (params) => this.tools.listThreadMessages(ListThreadMessagesParamsSchema.parse(params))
     );
+  }
+
+  private setupWriteTools(): void {
+    this.server.registerTool(
+      "create_object",
+      {
+        title: "Create CRM Object",
+        description:
+          "Create a CRM record (contact, company, deal, ticket, note, task, call, email, meeting, or custom) with properties and optional associations.",
+        inputSchema: CreateObjectParamsSchema.shape,
+      },
+      async (params) => this.tools.createObject(CreateObjectParamsSchema.parse(params))
+    );
+
+    this.server.registerTool(
+      "update_object",
+      {
+        title: "Update CRM Object",
+        description: "Update a CRM record's properties by ID (or by a unique idProperty).",
+        inputSchema: UpdateObjectParamsSchema.shape,
+      },
+      async (params) => this.tools.updateObject(UpdateObjectParamsSchema.parse(params))
+    );
+
+    this.server.registerTool(
+      "delete_object",
+      {
+        title: "Delete CRM Object",
+        description: "Archive (soft-delete) a CRM record by ID.",
+        inputSchema: DeleteObjectParamsSchema.shape,
+      },
+      async (params) => this.tools.deleteObject(DeleteObjectParamsSchema.parse(params))
+    );
+
+    this.server.registerTool(
+      "create_association",
+      {
+        title: "Create Association",
+        description:
+          "Associate two records. Omit types for a default (unlabeled) association, or provide associationTypeId(s) for labeled associations.",
+        inputSchema: CreateAssociationParamsSchema.shape,
+      },
+      async (params) => this.tools.createAssociation(CreateAssociationParamsSchema.parse(params))
+    );
+
+    this.server.registerTool(
+      "delete_association",
+      {
+        title: "Delete Association",
+        description: "Remove all associations between two specific records.",
+        inputSchema: DeleteAssociationParamsSchema.shape,
+      },
+      async (params) => this.tools.deleteAssociation(DeleteAssociationParamsSchema.parse(params))
+    );
 
     this.server.registerTool(
       "send_thread_message",
@@ -235,7 +243,9 @@ export class HubSpotMCPServer {
     try {
       const transport = new StdioServerTransport();
       await this.server.connect(transport);
-      console.error("✅ HubSpot MCP Server started");
+      console.error(
+        `✅ HubSpot MCP Server started (${this.readOnly ? "read-only" : "read-write"} mode)`
+      );
     } catch (error) {
       console.error(
         "Failed to start HubSpot MCP Server:",
