feat(entries): add edit + delete via CLI and MCP

CLI:
  timebook entries edit <id> [-d desc] [-t 1h30m] [--start iso] [--end iso] [-p project] [-r rate]
  timebook entries delete <id>

MCP tools: update_entry (id + any combination of fields), delete_entry (id only). delete_entry annotated destructiveHint=true; update_entry destructiveHint=false (overwrite of mutable fields, not data loss).

Both surfaces hit the existing PUT /api/time-entries/:id and DELETE /:id, which already enforce the per-token authorship rule (token must have created the entry, or be admin, or be a JWT session). 403s and 404s get friendly messages instead of stack traces.

Partial-update flows through naturally: the API wrapper sends only the fields you pass; the backend's conditional spread leaves unset fields untouched.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

Author: ktamas77

src/commands/delete.ts

@@ -0,0 +1,26 @@
+import { c } from '../lib/colors.js';
+import { api, ApiError } from '../lib/api.js';
+
+/**
+ * Delete a single time entry. Server enforces:
+ *   - entry isn't locked (i.e., not on a sent invoice)
+ *   - the API token created this entry (or session/admin)
+ */
+export async function deleteCommand(id: string): Promise<void> {
+  try {
+    await api.deleteEntry(id);
+    console.log(c.green('✓ ') + `Deleted entry ${c.bold(id)}.`);
+  } catch (err) {
+    if (err instanceof ApiError && err.status === 403) {
+      console.error(c.red('✗ ') + err.message);
+      process.exitCode = 1;
+      return;
+    }
+    if (err instanceof ApiError && err.status === 404) {
+      console.error(c.red('✗ ') + `Entry ${id} not found.`);
+      process.exitCode = 1;
+      return;
+    }
+    throw err;
+  }
+}

src/commands/edit.ts

@@ -0,0 +1,72 @@
+import { c } from '../lib/colors.js';
+import { api, ApiError } from '../lib/api.js';
+import { parseDuration, formatDuration } from '../lib/format.js';
+import { resolveProject } from '../lib/resolve.js';
+
+interface EditOptions {
+  description?: string;
+  duration?: string;
+  start?: string;
+  end?: string;
+  project?: string;
+  rate?: string;
+}
+
+/**
+ * Edit one or more fields on an existing entry. Any combination of flags is
+ * accepted — fields you don't pass are left as-is by the backend.
+ *
+ * Authorship rule (server-enforced): the API token must have created the
+ * entry, OR the caller is an admin, OR the request is JWT-session (web UI).
+ * If denied, the backend returns 403 with a helpful hint.
+ */
+export async function editCommand(id: string, opts: EditOptions): Promise<void> {
+  if (
+    opts.description === undefined &&
+    !opts.duration &&
+    !opts.start &&
+    !opts.end &&
+    !opts.project &&
+    !opts.rate
+  ) {
+    throw new Error(
+      'Nothing to update. Pass at least one of --description, --duration, --start, --end, --project, --rate.',
+    );
+  }
+
+  const payload: Record<string, unknown> = {};
+  if (opts.description !== undefined) payload.description = opts.description;
+  if (opts.duration) payload.duration = parseDuration(opts.duration);
+  if (opts.start) payload.startTime = new Date(opts.start).toISOString();
+  if (opts.end) payload.endTime = new Date(opts.end).toISOString();
+  if (opts.project) {
+    const project = await resolveProject(opts.project);
+    payload.projectId = project.id;
+  }
+  if (opts.rate) {
+    const { rates } = await api.listRates();
+    const found = rates.find((r) => r.id === opts.rate || r.name === opts.rate);
+    if (!found) throw new Error(`Rate not found: ${opts.rate}`);
+    payload.rateId = found.id;
+  }
+
+  try {
+    const { entry } = await api.updateEntry(id, payload);
+    const minutes = entry.duration ?? 0;
+    const projectName = entry.project?.name ?? entry.projectId;
+    console.log(c.green('✓ ') + `Updated ${c.bold(projectName)} — ${formatDuration(minutes)}`);
+    if (entry.description) console.log(c.dim(`  Note: ${entry.description}`));
+  } catch (err) {
+    if (err instanceof ApiError && err.status === 403) {
+      console.error(c.red('✗ ') + err.message);
+      process.exitCode = 1;
+      return;
+    }
+    if (err instanceof ApiError && err.status === 404) {
+      console.error(c.red('✗ ') + `Entry ${id} not found.`);
+      process.exitCode = 1;
+      return;
+    }
+    throw err;
+  }
+}

src/index.ts

@@ -13,6 +13,8 @@ import { startCommand } from './commands/start.js';
 import { stopCommand } from './commands/stop.js';
 import { logCommand } from './commands/log.js';
 import { listClientsCommand, listEntriesCommand, listProjectsCommand } from './commands/list.js';
+import { editCommand } from './commands/edit.js';
+import { deleteCommand } from './commands/delete.js';
 import { runMcpServer } from './mcp/server.js';
 
 async function readVersion(): Promise<string> {
@@ -197,6 +199,48 @@ async function main(): Promise<void> {
       },
     );
 
+  entries
+    .command('edit <id>')
+    .description(
+      'Edit one or more fields on an entry. Any combination is valid; unset fields are left as-is.',
+    )
+    .option('-d, --description <text>', 'Description / note (pass empty string to clear)')
+    .option('-t, --duration <e.g. 1h30m>', 'Duration')
+    .option('--start <iso>', 'Start time (ISO-8601)')
+    .option('--end <iso>', 'End time (ISO-8601)')
+    .option('-p, --project <idOrName>', 'Reassign to another project')
+    .option('-r, --rate <idOrName>', 'Switch billable rate')
+    .action(
+      async (
+        id: string,
+        opts: {
+          description?: string;
+          duration?: string;
+          start?: string;
+          end?: string;
+          project?: string;
+          rate?: string;
+        },
+      ) => {
+        try {
+          await editCommand(id, opts);
+        } catch (err) {
+          fail(err);
+        }
+      },
+    );
+
+  entries
+    .command('delete <id>')
+    .description('Delete a time entry. Token must own it (or use the web UI / admin).')
+    .action(async (id: string) => {
+      try {
+        await deleteCommand(id);
+      } catch (err) {
+        fail(err);
+      }
+    });
+
   program
     .command('mcp')
     .description('Run as an MCP server (stdio) for AI agents like Claude or Codex.')

src/lib/api.ts

@@ -157,6 +157,25 @@ export const api = {
       invoiced?: boolean;
     } = {},
   ) => request<{ entries: TimeEntry[] }>('/api/time-entries', { query }),
+  updateEntry: (
+    id: string,
+    input: Partial<{
+      projectId: string;
+      description: string | null;
+      startTime: string;
+      endTime: string;
+      duration: number;
+      rateId: string | null;
+    }>,
+  ) =>
+    request<{ entry: TimeEntry }>(`/api/time-entries/${encodeURIComponent(id)}`, {
+      method: 'PUT',
+      body: input,
+    }),
+  deleteEntry: (id: string) =>
+    request<{ message: string }>(`/api/time-entries/${encodeURIComponent(id)}`, {
+      method: 'DELETE',
+    }),
 };
 
 // For login flow: validate a freshly-obtained token before storing it.

src/mcp/server.ts

@@ -46,6 +46,29 @@ const listEntriesInput = z.object({
   limit: z.number().int().min(1).max(500).optional(),
 });
 
+const updateEntryInput = z.object({
+  id: z.string().describe('Entry id (uuid) returned by list_entries.'),
+  description: z
+    .string()
+    .nullable()
+    .optional()
+    .describe('Set the entry note. Pass an empty string or null to clear.'),
+  duration: z
+    .string()
+    .optional()
+    .describe(
+      'New duration, e.g. "1h30m" or "45m". If set without start/end, only duration moves.',
+    ),
+  startTime: z.string().optional().describe('New start time (ISO-8601).'),
+  endTime: z.string().optional().describe('New end time (ISO-8601).'),
+  project: z.string().optional().describe('Reassign the entry to another project (id or name).'),
+  rate: z.string().optional().describe('Switch billable rate (id or name).'),
+});
+
+const deleteEntryInput = z.object({
+  id: z.string().describe('Entry id (uuid) to delete.'),
+});
+
 const TOOLS: Tool[] = [
   {
     name: 'whoami',
@@ -188,6 +211,56 @@ const TOOLS: Tool[] = [
     },
     annotations: { readOnlyHint: true, idempotentHint: true, openWorldHint: true },
   },
+  {
+    name: 'update_entry',
+    description:
+      'Edit one or more fields on an existing time entry. Any combination is valid; unset fields are left as-is. Server-enforced authorship rule: this token can only edit entries it created itself (sessions and admins bypass).',
+    inputSchema: {
+      type: 'object',
+      properties: {
+        id: { type: 'string', description: 'Entry id (uuid).' },
+        description: {
+          type: ['string', 'null'],
+          description: 'New description / note. Pass empty string or null to clear.',
+        },
+        duration: {
+          type: 'string',
+          description: 'New duration, e.g. "1h30m" or "45m".',
+        },
+        startTime: { type: 'string', description: 'ISO-8601 start time.' },
+        endTime: { type: 'string', description: 'ISO-8601 end time.' },
+        project: { type: 'string', description: 'Reassign — project id or name.' },
+        rate: { type: 'string', description: 'New rate — id or name.' },
+      },
+      required: ['id'],
+      additionalProperties: false,
+    },
+    annotations: {
+      readOnlyHint: false,
+      destructiveHint: false,
+      idempotentHint: false,
+      openWorldHint: true,
+    },
+  },
+  {
+    name: 'delete_entry',
+    description:
+      'Delete a time entry. Server enforces: not invoiced, and either this token created it or the caller is an admin / web session.',
+    inputSchema: {
+      type: 'object',
+      properties: {
+        id: { type: 'string', description: 'Entry id (uuid).' },
+      },
+      required: ['id'],
+      additionalProperties: false,
+    },
+    annotations: {
+      readOnlyHint: false,
+      destructiveHint: true,
+      idempotentHint: true,
+      openWorldHint: true,
+    },
+  },
 ];
 
 type ToolResult = CallToolResult;
@@ -303,6 +376,36 @@ async function handleTool(name: string, args: unknown): Promise<ToolResult> {
         const limit = input.limit ?? DEFAULT_ENTRY_LIMIT;
         return ok(entries.slice(0, limit));
       }
+      case 'update_entry': {
+        const input = updateEntryInput.parse(args ?? {});
+        const payload: Record<string, unknown> = {};
+        if (input.description !== undefined) payload.description = input.description;
+        if (input.duration) payload.duration = parseDuration(input.duration);
+        if (input.startTime) payload.startTime = new Date(input.startTime).toISOString();
+        if (input.endTime) payload.endTime = new Date(input.endTime).toISOString();
+        if (input.project) {
+          const project = await resolveProject(input.project);
+          payload.projectId = project.id;
+        }
+        if (input.rate) {
+          const { rates } = await api.listRates();
+          const found = rates.find((r) => r.id === input.rate || r.name === input.rate);
+          if (!found) return err(`Rate not found: ${input.rate}`);
+          payload.rateId = found.id;
+        }
+        if (Object.keys(payload).length === 0) {
+          return err(
+            'Nothing to update. Pass at least one of description, duration, startTime, endTime, project, rate.',
+          );
+        }
+        const result = await api.updateEntry(input.id, payload);
+        return ok(result);
+      }
+      case 'delete_entry': {
+        const input = deleteEntryInput.parse(args ?? {});
+        const result = await api.deleteEntry(input.id);
+        return ok(result);
+      }
       default:
         return err(`Unknown tool: ${name}`);
     }