@cyanheads/git-mcp-server 2.14.0 → 2.14.2

package/README.md

@@ -7,7 +7,7 @@
 
 <div align="center">
 
-[![Version](https://img.shields.io/badge/Version-2.14.0-blue.svg?style=flat-square)](./CHANGELOG.md) [![MCP Spec](https://img.shields.io/badge/MCP%20Spec-2025--11--25-8A2BE2.svg?style=flat-square)](https://github.com/modelcontextprotocol/modelcontextprotocol/blob/main/docs/specification/2025-11-25/changelog.mdx) [![MCP SDK](https://img.shields.io/badge/MCP%20SDK-^1.29.0-green.svg?style=flat-square)](https://modelcontextprotocol.io/) [![License](https://img.shields.io/badge/License-Apache%202.0-orange.svg?style=flat-square)](./LICENSE) [![Status](https://img.shields.io/badge/Status-Stable-brightgreen.svg?style=flat-square)](https://github.com/cyanheads/git-mcp-server/issues) [![TypeScript](https://img.shields.io/badge/TypeScript-^6.0.3-3178C6.svg?style=flat-square)](https://www.typescriptlang.org/) [![Bun](https://img.shields.io/badge/Bun-v1.3.11-blueviolet.svg?style=flat-square)](https://bun.sh/)
+[![Version](https://img.shields.io/badge/Version-2.14.2-blue.svg?style=flat-square)](./CHANGELOG.md) [![MCP Spec](https://img.shields.io/badge/MCP%20Spec-2025--11--25-8A2BE2.svg?style=flat-square)](https://github.com/modelcontextprotocol/modelcontextprotocol/blob/main/docs/specification/2025-11-25/changelog.mdx) [![MCP SDK](https://img.shields.io/badge/MCP%20SDK-^1.29.0-green.svg?style=flat-square)](https://modelcontextprotocol.io/) [![License](https://img.shields.io/badge/License-Apache%202.0-orange.svg?style=flat-square)](./LICENSE) [![Status](https://img.shields.io/badge/Status-Stable-brightgreen.svg?style=flat-square)](https://github.com/cyanheads/git-mcp-server/issues) [![TypeScript](https://img.shields.io/badge/TypeScript-^6.0.3-3178C6.svg?style=flat-square)](https://www.typescriptlang.org/) [![Bun](https://img.shields.io/badge/Bun-v1.3.11-blueviolet.svg?style=flat-square)](https://bun.sh/)
 
 </div>
 
@@ -17,15 +17,15 @@
 
 28 git operations organized into seven categories:
 
-| Category                  | Tools                                                                                                                          | Description                                                                             |
-| :------------------------ | :----------------------------------------------------------------------------------------------------------------------------- | :-------------------------------------------------------------------------------------- |
-| **Repository Management** | `git_init`, `git_clone`, `git_status`, `git_clean`                                                                             | Initialize repos, clone from remotes, check status, clean untracked files               |
-| **Staging & Commits**     | `git_add`, `git_commit`, `git_diff`                                                                                            | Stage changes, create commits, compare changes                                          |
-| **History & Inspection**  | `git_log`, `git_show`, `git_blame`, `git_reflog`                                                                               | View commit history, inspect objects, trace authorship, view ref logs                   |
-| **Analysis**              | `git_changelog_analyze`                                                                                                        | Gather git context and instructions for LLM-driven changelog analysis                   |
-| **Branching & Merging**   | `git_branch`, `git_checkout`, `git_merge`, `git_rebase`, `git_cherry_pick`                                                     | Manage branches, switch contexts, integrate changes, apply specific commits             |
-| **Remote Operations**     | `git_remote`, `git_fetch`, `git_pull`, `git_push`                                                                              | Configure remotes, fetch updates, synchronize repositories, publish changes             |
-| **Advanced Workflows**    | `git_tag`, `git_stash`, `git_reset`, `git_worktree`, `git_set_working_dir`, `git_clear_working_dir`, `git_wrapup_instructions` | Tag releases, stash changes, reset state, manage worktrees, set/clear session directory |
+| Category                  | Tools                                                                                                                          | Description                                                                                                         |
+| :------------------------ | :----------------------------------------------------------------------------------------------------------------------------- | :------------------------------------------------------------------------------------------------------------------ |
+| **Repository Management** | `git_init`, `git_clone`, `git_status`, `git_clean`                                                                             | Initialize repos, clone from remotes, check status, clean untracked files                                           |
+| **Staging & Commits**     | `git_add`, `git_commit`, `git_diff`                                                                                            | Stage changes, create commits, compare changes                                                                      |
+| **History & Inspection**  | `git_log`, `git_show`, `git_blame`, `git_reflog`                                                                               | View commit history, inspect objects, trace authorship, view ref logs                                               |
+| **Analysis**              | `git_changelog_analyze`                                                                                                        | Gather git context and instructions for LLM-driven changelog analysis                                               |
+| **Branching & Merging**   | `git_branch`, `git_checkout`, `git_merge`, `git_rebase`, `git_cherry_pick`                                                     | Manage branches, switch contexts, integrate changes, apply specific commits                                         |
+| **Remote Operations**     | `git_remote`, `git_fetch`, `git_pull`, `git_push`                                                                              | Configure remotes, fetch updates, synchronize repositories, publish changes                                         |
+| **Advanced Workflows**    | `git_tag`, `git_stash`, `git_reset`, `git_worktree`, `git_set_working_dir`, `git_clear_working_dir`, `git_wrapup_instructions` | Tag releases (list/create/delete/verify), stash changes, reset state, manage worktrees, set/clear session directory |
 
 ## Resources
 

package/dist/index.js

@@ -15284,7 +15284,7 @@ var package_default;
 var init_package = __esm(() => {
   package_default = {
     name: "@cyanheads/git-mcp-server",
-    version: "2.13.0",
+    version: "2.14.2",
     mcpName: "io.github.cyanheads/git-mcp-server",
     description: "A secure and scalable Git MCP server enabling AI agents to perform comprehensive Git version control operations via STDIO and Streamable HTTP.",
     main: "dist/index.js",
@@ -134454,6 +134454,7 @@ function parseFilesChanged(stdout) {
   return files;
 }
 // src/services/git/providers/cli/operations/tags/tag.ts
+init_errors3();
 async function executeTag(options, context, execGit) {
   try {
     const args = [];
@@ -134572,6 +134573,17 @@ async function executeTag(options, context, execGit) {
         };
         return deleteResult;
       }
+      case "verify": {
+        if (!options.tagName) {
+          throw new Error("Tag name is required for verify operation");
+        }
+        const cmd = buildGitCommand({
+          command: "tag",
+          args: ["-v", options.tagName]
+        });
+        const result = await execGit(cmd, context.workingDirectory, context.requestContext, { allowNonZeroExit: true });
+        return parseVerifyOutput(options.tagName, result.stderr, result.exitCode ?? 0);
+      }
       default:
         throw new Error("Unknown tag operation mode");
     }
@@ -134579,6 +134591,93 @@ async function executeTag(options, context, execGit) {
     throw mapGitError(error48, "tag");
   }
 }
+function parseVerifyOutput(tagName, stderr, exitCode) {
+  if (/^error: tag '.+' not found/m.test(stderr)) {
+    throw new McpError(-32600 /* InvalidRequest */, `Tag not found: ${tagName}`, { tagName });
+  }
+  const base = {
+    mode: "verify",
+    verifiedTag: tagName,
+    rawOutput: stderr
+  };
+  if (/^error: no signature found$/m.test(stderr)) {
+    return {
+      ...base,
+      verified: false,
+      warning: "Tag has no signature. Create with a signing key and `GIT_SIGN_COMMITS=true` to produce a signed tag."
+    };
+  }
+  if (/gpg\.ssh\.allowedSignersFile needs to be configured/.test(stderr) || /No principal matched/.test(stderr)) {
+    return {
+      ...base,
+      verified: false,
+      signatureType: "ssh",
+      warning: "SSH signature verification requires `gpg.ssh.allowedSignersFile` to be configured. The tag may be validly signed; this environment cannot verify it."
+    };
+  }
+  const gpgBadMatch = /(?:gpg|gpgsm): BAD signature from "([^"]+)"/.exec(stderr);
+  if (gpgBadMatch) {
+    return {
+      ...base,
+      verified: false,
+      signatureType: stderr.includes("gpgsm:") ? "x509" : "gpg",
+      signerIdentity: gpgBadMatch[1],
+      warning: "Signature does not validate (BAD signature)."
+    };
+  }
+  const sshBadMatch = /Signature verification failed.*? for "([^"]+)"|Could not verify signature/i.exec(stderr);
+  if (sshBadMatch && exitCode !== 0) {
+    const result = {
+      ...base,
+      verified: false,
+      signatureType: "ssh",
+      warning: "SSH signature does not validate."
+    };
+    if (sshBadMatch[1])
+      result.signerIdentity = sshBadMatch[1];
+    return result;
+  }
+  const gpgGoodMatch = /gpg: Good signature from "([^"]+)"/.exec(stderr);
+  if (gpgGoodMatch) {
+    const result = {
+      ...base,
+      verified: true,
+      signatureType: "gpg",
+      signerIdentity: gpgGoodMatch[1]
+    };
+    const keyMatch = /using \S+ key ([0-9A-Fa-f]{8,})/.exec(stderr);
+    if (keyMatch)
+      result.signerKey = keyMatch[1];
+    return result;
+  }
+  const x509GoodMatch = /gpgsm: Good signature from "([^"]+)"/.exec(stderr);
+  if (x509GoodMatch) {
+    return {
+      ...base,
+      verified: true,
+      signatureType: "x509",
+      signerIdentity: x509GoodMatch[1]
+    };
+  }
+  const sshGoodMatch = /Good "git" signature for (.+?) with \S+ key (SHA256:\S+)/.exec(stderr);
+  if (sshGoodMatch) {
+    return {
+      ...base,
+      verified: true,
+      signatureType: "ssh",
+      signerIdentity: sshGoodMatch[1].trim(),
+      signerKey: sshGoodMatch[2]
+    };
+  }
+  if (exitCode === 0) {
+    return { ...base, verified: true };
+  }
+  return {
+    ...base,
+    verified: false,
+    warning: "Verification failed but the output format was not recognized. See `rawOutput` for details."
+  };
+}
 // src/services/git/providers/cli/operations/stash/stash.ts
 async function executeStash(options, context, execGit) {
   try {
@@ -148014,20 +148113,22 @@ init_zod();
 init_errors3();
 var TOOL_NAME27 = "git_tag";
 var TOOL_TITLE27 = "Git Tag";
-var TOOL_DESCRIPTION27 = "Manage tags: list all tags, create a new tag, or delete a tag. Tags are used to mark specific points in history (releases, milestones).";
+var TOOL_DESCRIPTION27 = "Manage tags: list all tags, create a new tag, delete a tag, or verify a signed tag. Tags are used to mark specific points in history (releases, milestones). Verify runs `git tag -v` and returns a structured result distinguishing unsigned tags, missing trust configuration, bad signatures, and valid signatures.";
 var InputSchema27 = exports_external.object({
   path: PathSchema,
-  mode: exports_external.enum(["list", "create", "delete"]).default("list").describe("The tag operation to perform."),
-  tagName: TagNameSchema.optional().describe("Tag name for create/delete operations."),
+  mode: exports_external.enum(["list", "create", "delete", "verify"]).default("list").describe("The tag operation to perform."),
+  tagName: TagNameSchema.optional().describe("Tag name for create/delete/verify operations."),
   commit: CommitRefSchema.optional().describe("Commit to tag (default: HEAD for create operation)."),
   message: exports_external.string().optional().describe("Tag message. Providing a message always produces an annotated tag (git does not support messages on lightweight tags). For release tags, summarize notable changes."),
   annotated: exports_external.boolean().default(false).describe('Create an annotated tag with a default "Tag <name>" message. Only effective when no message is provided and signing is disabled — otherwise the tag is always annotated.'),
-  force: ForceSchema.describe("Overwrite an existing tag (create mode only; has no effect on list or delete).")
+  force: ForceSchema.describe("Overwrite an existing tag (create mode only; has no effect on list or delete)."),
+  limit: LimitSchema.describe("For list mode: cap the number of tags returned (applied at the git command via `--count=N`). Use on repos with many tags.")
 });
 var TagInfoSchema = exports_external.object({
   name: exports_external.string().describe("Tag name."),
   commit: exports_external.string().describe("Commit hash the tag points to."),
-  message: exports_external.string().optional().describe("Tag message (for annotated tags)."),
+  message: exports_external.string().optional().describe("First line of the tag annotation (annotated tags only). See `annotationBody` for the remainder."),
+  annotationBody: exports_external.string().optional().describe("Remaining annotation body after the subject line (annotated tags only)."),
   tagger: exports_external.string().optional().describe("Tagger name and email."),
   timestamp: exports_external.number().int().optional().describe("Tag creation timestamp.")
 });
@@ -148038,10 +148139,17 @@ var OutputSchema28 = exports_external.object({
   created: exports_external.string().optional().describe("Created tag name (for create mode)."),
   deleted: exports_external.string().optional().describe("Deleted tag name (for delete mode)."),
   signed: exports_external.boolean().optional().describe("Whether the created tag was signed. Only populated for create mode. False when GIT_SIGN_COMMITS=false or when signing failed and fell back to unsigned."),
-  signingWarning: exports_external.string().optional().describe("Populated only when signing was requested but failed, and the tag was created unsigned as a fallback.")
+  signingWarning: exports_external.string().optional().describe("Populated only when signing was requested but failed, and the tag was created unsigned as a fallback."),
+  verifiedTag: exports_external.string().optional().describe("Verified tag name (for verify mode). Echoes the input so callers can correlate results in batched flows."),
+  verified: exports_external.boolean().optional().describe("Whether the signature validated (for verify mode). `false` for unsigned tags, missing trust config, bad signatures, or unparseable output — inspect `warning` to distinguish."),
+  signatureType: exports_external.enum(["gpg", "ssh", "x509"]).optional().describe("Signature algorithm family when detectable from `git tag -v` output (verify mode). Absent for unsigned tags or unparseable output."),
+  signerIdentity: exports_external.string().optional().describe("Signer identity as emitted by git — e.g., `Name <email>` for GPG or the SSH principal. Verify mode only."),
+  signerKey: exports_external.string().optional().describe("Key material emitted by git — GPG fingerprint/key ID or SSH key fingerprint (`SHA256:…`). Verify mode only; absent when git did not surface it."),
+  warning: exports_external.string().optional().describe("Populated on verify failure with a human-readable reason distinguishing unsigned tags, missing trust configuration, bad signatures, and unparseable output."),
+  rawOutput: exports_external.string().optional().describe("Raw stderr from `git tag -v` for callers that need the full verification output (verify mode only).")
 });
 async function gitTagLogic(input, { provider, targetPath, appContext }) {
-  if ((input.mode === "create" || input.mode === "delete") && !input.tagName) {
+  if ((input.mode === "create" || input.mode === "delete" || input.mode === "verify") && !input.tagName) {
     throw new McpError(-32602 /* InvalidParams */, `Tag name is required for ${input.mode} operation.`);
   }
   const tagOptions = {
@@ -148058,6 +148166,9 @@ async function gitTagLogic(input, { provider, targetPath, appContext }) {
   if (input.message !== undefined) {
     tagOptions.message = normalizeMessage(input.message);
   }
+  if (input.limit !== undefined) {
+    tagOptions.limit = input.limit;
+  }
   const result = await provider.tag(tagOptions, {
     workingDirectory: targetPath,
     requestContext: appContext,
@@ -148076,6 +148187,27 @@ async function gitTagLogic(input, { provider, targetPath, appContext }) {
   if (result.signingWarning) {
     output.signingWarning = result.signingWarning;
   }
+  if (result.verifiedTag !== undefined) {
+    output.verifiedTag = result.verifiedTag;
+  }
+  if (result.verified !== undefined) {
+    output.verified = result.verified;
+  }
+  if (result.signatureType !== undefined) {
+    output.signatureType = result.signatureType;
+  }
+  if (result.signerIdentity !== undefined) {
+    output.signerIdentity = result.signerIdentity;
+  }
+  if (result.signerKey !== undefined) {
+    output.signerKey = result.signerKey;
+  }
+  if (result.warning !== undefined) {
+    output.warning = result.warning;
+  }
+  if (result.rawOutput !== undefined) {
+    output.rawOutput = result.rawOutput;
+  }
   return output;
 }
 function filterGitTagOutput(result, level) {
@@ -148084,10 +148216,16 @@ function filterGitTagOutput(result, level) {
       success: result.success,
       mode: result.mode,
       ...result.signed !== undefined && { signed: result.signed },
-      ...result.signingWarning && { signingWarning: result.signingWarning }
+      ...result.signingWarning && { signingWarning: result.signingWarning },
+      ...result.verified !== undefined && { verified: result.verified },
+      ...result.warning && { warning: result.warning }
     };
   }
-  return result;
+  if (level === "full") {
+    return result;
+  }
+  const { rawOutput: _raw, ...rest } = result;
+  return rest;
 }
 var responseFormatter27 = createJsonFormatter({
   filter: filterGitTagOutput

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@cyanheads/git-mcp-server",
-  "version": "2.14.0",
+  "version": "2.14.2",
   "mcpName": "io.github.cyanheads/git-mcp-server",
   "description": "A secure and scalable Git MCP server enabling AI agents to perform comprehensive Git version control operations via STDIO and Streamable HTTP.",
   "main": "dist/index.js",