@structured-world/gitlab-mcp 6.12.0 → 6.14.0

package/dist/src/main.js

@@ -3,7 +3,50 @@
 Object.defineProperty(exports, "__esModule", { value: true });
 const server_1 = require("./server");
 const logger_1 = require("./logger");
-(0, server_1.startServer)().catch((error) => {
+const profiles_1 = require("./profiles");
+function getProfileFromArgs() {
+    const args = process.argv.slice(2);
+    let profileName;
+    let profileCount = 0;
+    for (let i = 0; i < args.length; i++) {
+        if (args[i] === "--profile") {
+            const value = args[i + 1];
+            if (!value || value.startsWith("--")) {
+                logger_1.logger.error("--profile requires a profile name (e.g., --profile work)");
+                process.exit(1);
+            }
+            profileCount++;
+            if (profileCount === 1) {
+                profileName = value;
+            }
+        }
+    }
+    if (profileCount > 1) {
+        logger_1.logger.warn({ count: profileCount }, "Multiple --profile flags detected, using first value");
+    }
+    return profileName;
+}
+async function main() {
+    const profileName = getProfileFromArgs();
+    try {
+        const result = await (0, profiles_1.tryApplyProfileFromEnv)(profileName);
+        if (result) {
+            if ("profileName" in result) {
+                logger_1.logger.info({ profile: result.profileName, host: result.host }, "Using configuration profile");
+            }
+            else {
+                logger_1.logger.info({ preset: result.presetName }, "Using configuration preset");
+            }
+        }
+    }
+    catch (error) {
+        const message = error instanceof Error ? error.message : String(error);
+        logger_1.logger.error({ error: message }, "Failed to load profile");
+        process.exit(1);
+    }
+    await (0, server_1.startServer)();
+}
+main().catch((error) => {
     logger_1.logger.error(`Failed to start GitLab MCP Server: ${String(error)}`);
     process.exit(1);
 });

package/dist/src/main.js.map

@@ -1 +1 @@
-{"version":3,"file":"main.js","sourceRoot":"","sources":["../../src/main.ts"],"names":[],"mappings":";;;AAEA,qCAAuC;AACvC,qCAAkC;AAGlC,IAAA,oBAAW,GAAE,CAAC,KAAK,CAAC,CAAC,KAAc,EAAE,EAAE;IACrC,eAAM,CAAC,KAAK,CAAC,sCAAsC,MAAM,CAAC,KAAK,CAAC,EAAE,CAAC,CAAC;IACpE,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;AAClB,CAAC,CAAC,CAAC"}
+{"version":3,"file":"main.js","sourceRoot":"","sources":["../../src/main.ts"],"names":[],"mappings":";;;AAEA,qCAAuC;AACvC,qCAAkC;AAClC,yCAAoD;AAKpD,SAAS,kBAAkB;IACzB,MAAM,IAAI,GAAG,OAAO,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC;IACnC,IAAI,WAA+B,CAAC;IACpC,IAAI,YAAY,GAAG,CAAC,CAAC;IAErB,KAAK,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,IAAI,CAAC,MAAM,EAAE,CAAC,EAAE,EAAE,CAAC;QACrC,IAAI,IAAI,CAAC,CAAC,CAAC,KAAK,WAAW,EAAE,CAAC;YAC5B,MAAM,KAAK,GAAG,IAAI,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC;YAE1B,IAAI,CAAC,KAAK,IAAI,KAAK,CAAC,UAAU,CAAC,IAAI,CAAC,EAAE,CAAC;gBACrC,eAAM,CAAC,KAAK,CAAC,0DAA0D,CAAC,CAAC;gBACzE,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;YAClB,CAAC;YACD,YAAY,EAAE,CAAC;YACf,IAAI,YAAY,KAAK,CAAC,EAAE,CAAC;gBACvB,WAAW,GAAG,KAAK,CAAC;YACtB,CAAC;QACH,CAAC;IACH,CAAC;IAED,IAAI,YAAY,GAAG,CAAC,EAAE,CAAC;QACrB,eAAM,CAAC,IAAI,CAAC,EAAE,KAAK,EAAE,YAAY,EAAE,EAAE,sDAAsD,CAAC,CAAC;IAC/F,CAAC;IAED,OAAO,WAAW,CAAC;AACrB,CAAC;AAKD,KAAK,UAAU,IAAI;IAEjB,MAAM,WAAW,GAAG,kBAAkB,EAAE,CAAC;IACzC,IAAI,CAAC;QACH,MAAM,MAAM,GAAG,MAAM,IAAA,iCAAsB,EAAC,WAAW,CAAC,CAAC;QACzD,IAAI,MAAM,EAAE,CAAC;YAEX,IAAI,aAAa,IAAI,MAAM,EAAE,CAAC;gBAC5B,eAAM,CAAC,IAAI,CACT,EAAE,OAAO,EAAE,MAAM,CAAC,WAAW,EAAE,IAAI,EAAE,MAAM,CAAC,IAAI,EAAE,EAClD,6BAA6B,CAC9B,CAAC;YACJ,CAAC;iBAAM,CAAC;gBACN,eAAM,CAAC,IAAI,CAAC,EAAE,MAAM,EAAE,MAAM,CAAC,UAAU,EAAE,EAAE,4BAA4B,CAAC,CAAC;YAC3E,CAAC;QACH,CAAC;IACH,CAAC;IAAC,OAAO,KAAK,EAAE,CAAC;QAEf,MAAM,OAAO,GAAG,KAAK,YAAY,KAAK,CAAC,CAAC,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC;QACvE,eAAM,CAAC,KAAK,CAAC,EAAE,KAAK,EAAE,OAAO,EAAE,EAAE,wBAAwB,CAAC,CAAC;QAC3D,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;IAClB,CAAC;IAGD,MAAM,IAAA,oBAAW,GAAE,CAAC;AACtB,CAAC;AAED,IAAI,EAAE,CAAC,KAAK,CAAC,CAAC,KAAc,EAAE,EAAE;IAC9B,eAAM,CAAC,KAAK,CAAC,sCAAsC,MAAM,CAAC,KAAK,CAAC,EAAE,CAAC,CAAC;IACpE,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;AAClB,CAAC,CAAC,CAAC"}

package/dist/src/profiles/applicator.d.ts

@@ -0,0 +1,19 @@
+import { Profile, Preset, ProfileValidationResult } from "./types";
+export interface ApplyProfileResult {
+    success: boolean;
+    profileName: string;
+    host: string;
+    appliedSettings: string[];
+    validation: ProfileValidationResult;
+}
+export interface ApplyPresetResult {
+    success: boolean;
+    presetName: string;
+    appliedSettings: string[];
+    validation: ProfileValidationResult;
+}
+export declare function applyProfile(profile: Profile, profileName: string): Promise<ApplyProfileResult>;
+export declare function applyPreset(preset: Preset, presetName: string): Promise<ApplyPresetResult>;
+export declare function loadAndApplyProfile(profileName: string): Promise<ApplyProfileResult>;
+export declare function loadAndApplyPreset(presetName: string): Promise<ApplyPresetResult>;
+export declare function tryApplyProfileFromEnv(cliProfileName?: string): Promise<ApplyProfileResult | ApplyPresetResult | undefined>;

package/dist/src/profiles/applicator.js

@@ -0,0 +1,250 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.applyProfile = applyProfile;
+exports.applyPreset = applyPreset;
+exports.loadAndApplyProfile = loadAndApplyProfile;
+exports.loadAndApplyPreset = loadAndApplyPreset;
+exports.tryApplyProfileFromEnv = tryApplyProfileFromEnv;
+const loader_1 = require("./loader");
+const logger_1 = require("../logger");
+const FEATURE_ENV_MAP = {
+    wiki: "USE_GITLAB_WIKI",
+    milestones: "USE_MILESTONE",
+    pipelines: "USE_PIPELINE",
+    labels: "USE_LABELS",
+    mrs: "USE_MRS",
+    files: "USE_FILES",
+    variables: "USE_VARIABLES",
+    workitems: "USE_WORKITEMS",
+    webhooks: "USE_WEBHOOKS",
+    snippets: "USE_SNIPPETS",
+    integrations: "USE_INTEGRATIONS",
+};
+async function applyProfile(profile, profileName) {
+    const appliedSettings = [];
+    const loader = new loader_1.ProfileLoader();
+    const validation = await loader.validateProfile(profile);
+    for (const warning of validation.warnings) {
+        logger_1.logger.warn({ profile: profileName }, warning);
+    }
+    if (!validation.valid) {
+        logger_1.logger.error({ profile: profileName, errors: validation.errors }, "Profile validation failed");
+        return {
+            success: false,
+            profileName,
+            host: profile.host,
+            appliedSettings,
+            validation,
+        };
+    }
+    const apiUrl = profile.api_url ?? `https://${profile.host}`;
+    process.env.GITLAB_API_URL = apiUrl;
+    appliedSettings.push(`GITLAB_API_URL=${apiUrl}`);
+    switch (profile.auth.type) {
+        case "pat":
+            if (profile.auth.token_env) {
+                const token = process.env[profile.auth.token_env];
+                if (token) {
+                    process.env.GITLAB_TOKEN = token;
+                    appliedSettings.push(`GITLAB_TOKEN=<from ${profile.auth.token_env}>`);
+                }
+            }
+            break;
+        case "oauth":
+            if (profile.auth.client_id_env) {
+                const clientId = process.env[profile.auth.client_id_env];
+                if (clientId) {
+                    process.env.GITLAB_OAUTH_CLIENT_ID = clientId;
+                    appliedSettings.push(`GITLAB_OAUTH_CLIENT_ID=<from ${profile.auth.client_id_env}>`);
+                }
+            }
+            if (profile.auth.client_secret_env) {
+                const clientSecret = process.env[profile.auth.client_secret_env];
+                if (clientSecret) {
+                    process.env.GITLAB_OAUTH_CLIENT_SECRET = clientSecret;
+                    appliedSettings.push(`GITLAB_OAUTH_CLIENT_SECRET=<from ${profile.auth.client_secret_env}>`);
+                }
+            }
+            process.env.OAUTH_ENABLED = "true";
+            appliedSettings.push("OAUTH_ENABLED=true");
+            break;
+        case "cookie":
+            if (profile.auth.cookie_path) {
+                process.env.GITLAB_AUTH_COOKIE_PATH = profile.auth.cookie_path;
+                appliedSettings.push(`GITLAB_AUTH_COOKIE_PATH=${profile.auth.cookie_path}`);
+            }
+            break;
+    }
+    if (profile.read_only) {
+        process.env.GITLAB_READ_ONLY_MODE = "true";
+        appliedSettings.push("GITLAB_READ_ONLY_MODE=true");
+    }
+    if (profile.allowed_projects && profile.allowed_projects.length > 0) {
+        process.env.GITLAB_ALLOWED_PROJECT_IDS = profile.allowed_projects.join(",");
+        appliedSettings.push(`GITLAB_ALLOWED_PROJECT_IDS=${profile.allowed_projects.join(",")}`);
+    }
+    if (profile.allowed_groups && profile.allowed_groups.length > 0) {
+        process.env.GITLAB_ALLOWED_GROUP_IDS = profile.allowed_groups.join(",");
+        appliedSettings.push(`GITLAB_ALLOWED_GROUP_IDS=${profile.allowed_groups.join(",")}`);
+    }
+    if (profile.allowed_tools && profile.allowed_tools.length > 0) {
+        process.env.GITLAB_ALLOWED_TOOLS = profile.allowed_tools.join(",");
+        appliedSettings.push(`GITLAB_ALLOWED_TOOLS=${profile.allowed_tools.join(",")}`);
+    }
+    if (profile.denied_tools_regex) {
+        process.env.GITLAB_DENIED_TOOLS_REGEX = profile.denied_tools_regex;
+        appliedSettings.push(`GITLAB_DENIED_TOOLS_REGEX=${profile.denied_tools_regex}`);
+    }
+    if (profile.denied_actions && profile.denied_actions.length > 0) {
+        process.env.GITLAB_DENIED_ACTIONS = profile.denied_actions.join(",");
+        appliedSettings.push(`GITLAB_DENIED_ACTIONS=${profile.denied_actions.join(",")}`);
+    }
+    if (profile.features) {
+        for (const [feature, envVar] of Object.entries(FEATURE_ENV_MAP)) {
+            const value = profile.features[feature];
+            if (value !== undefined) {
+                process.env[envVar] = value ? "true" : "false";
+                appliedSettings.push(`${envVar}=${value}`);
+            }
+        }
+    }
+    if (profile.timeout_ms) {
+        process.env.GITLAB_API_TIMEOUT_MS = String(profile.timeout_ms);
+        appliedSettings.push(`GITLAB_API_TIMEOUT_MS=${profile.timeout_ms}`);
+    }
+    if (profile.skip_tls_verify) {
+        process.env.SKIP_TLS_VERIFY = "true";
+        appliedSettings.push("SKIP_TLS_VERIFY=true");
+    }
+    if (profile.ssl_cert_path) {
+        process.env.SSL_CERT_PATH = profile.ssl_cert_path;
+        appliedSettings.push(`SSL_CERT_PATH=${profile.ssl_cert_path}`);
+    }
+    if (profile.ssl_key_path) {
+        process.env.SSL_KEY_PATH = profile.ssl_key_path;
+        appliedSettings.push(`SSL_KEY_PATH=${profile.ssl_key_path}`);
+    }
+    if (profile.ca_cert_path) {
+        process.env.GITLAB_CA_CERT_PATH = profile.ca_cert_path;
+        appliedSettings.push(`GITLAB_CA_CERT_PATH=${profile.ca_cert_path}`);
+    }
+    if (profile.default_project) {
+        process.env.GITLAB_PROJECT_ID = profile.default_project;
+        appliedSettings.push(`GITLAB_PROJECT_ID=${profile.default_project}`);
+    }
+    if (profile.default_namespace) {
+        process.env.GITLAB_DEFAULT_NAMESPACE = profile.default_namespace;
+        appliedSettings.push(`GITLAB_DEFAULT_NAMESPACE=${profile.default_namespace}`);
+    }
+    logger_1.logger.info({
+        profile: profileName,
+        host: profile.host,
+        authType: profile.auth.type,
+        readOnly: profile.read_only ?? false,
+        settingsCount: appliedSettings.length,
+    }, "Profile applied successfully");
+    return {
+        success: true,
+        profileName,
+        host: profile.host,
+        appliedSettings,
+        validation,
+    };
+}
+async function applyPreset(preset, presetName) {
+    const appliedSettings = [];
+    const loader = new loader_1.ProfileLoader();
+    const validation = await loader.validatePreset(preset);
+    for (const warning of validation.warnings) {
+        logger_1.logger.warn({ preset: presetName }, warning);
+    }
+    if (!validation.valid) {
+        logger_1.logger.error({ preset: presetName, errors: validation.errors }, "Preset validation failed");
+        return {
+            success: false,
+            presetName,
+            appliedSettings,
+            validation,
+        };
+    }
+    if (!process.env.GITLAB_API_URL && !process.env.GITLAB_TOKEN) {
+        logger_1.logger.warn({ preset: presetName }, "Preset applied but GITLAB_API_URL/GITLAB_TOKEN not set - connection may fail");
+    }
+    if (preset.read_only) {
+        process.env.GITLAB_READ_ONLY_MODE = "true";
+        appliedSettings.push("GITLAB_READ_ONLY_MODE=true");
+    }
+    if (preset.denied_tools_regex) {
+        process.env.GITLAB_DENIED_TOOLS_REGEX = preset.denied_tools_regex;
+        appliedSettings.push(`GITLAB_DENIED_TOOLS_REGEX=${preset.denied_tools_regex}`);
+    }
+    if (preset.denied_actions && preset.denied_actions.length > 0) {
+        process.env.GITLAB_DENIED_ACTIONS = preset.denied_actions.join(",");
+        appliedSettings.push(`GITLAB_DENIED_ACTIONS=${preset.denied_actions.join(",")}`);
+    }
+    if (preset.allowed_tools && preset.allowed_tools.length > 0) {
+        process.env.GITLAB_ALLOWED_TOOLS = preset.allowed_tools.join(",");
+        appliedSettings.push(`GITLAB_ALLOWED_TOOLS=${preset.allowed_tools.join(",")}`);
+    }
+    if (preset.features) {
+        for (const [feature, envVar] of Object.entries(FEATURE_ENV_MAP)) {
+            const value = preset.features[feature];
+            if (value !== undefined) {
+                process.env[envVar] = value ? "true" : "false";
+                appliedSettings.push(`${envVar}=${value}`);
+            }
+        }
+    }
+    if (preset.timeout_ms) {
+        process.env.GITLAB_API_TIMEOUT_MS = String(preset.timeout_ms);
+        appliedSettings.push(`GITLAB_API_TIMEOUT_MS=${preset.timeout_ms}`);
+    }
+    logger_1.logger.info({
+        preset: presetName,
+        readOnly: preset.read_only ?? false,
+        settingsCount: appliedSettings.length,
+    }, "Preset applied successfully");
+    return {
+        success: true,
+        presetName,
+        appliedSettings,
+        validation,
+    };
+}
+async function loadAndApplyProfile(profileName) {
+    const loader = new loader_1.ProfileLoader();
+    const profile = await loader.loadProfile(profileName);
+    return applyProfile(profile, profileName);
+}
+async function loadAndApplyPreset(presetName) {
+    const loader = new loader_1.ProfileLoader();
+    const preset = await loader.loadPreset(presetName);
+    return applyPreset(preset, presetName);
+}
+async function tryApplyProfileFromEnv(cliProfileName) {
+    const name = cliProfileName ?? process.env.GITLAB_PROFILE ?? (await getDefaultProfileName());
+    if (!name) {
+        logger_1.logger.debug("No profile specified, using environment variables directly");
+        return undefined;
+    }
+    try {
+        const loader = new loader_1.ProfileLoader();
+        const loaded = await loader.loadAny(name);
+        if (loaded.type === "profile") {
+            return await applyProfile(loaded.data, name);
+        }
+        else {
+            return await applyPreset(loaded.data, name);
+        }
+    }
+    catch (error) {
+        const message = error instanceof Error ? error.message : String(error);
+        logger_1.logger.error({ profile: name, error: message }, "Failed to apply profile/preset");
+        throw error;
+    }
+}
+async function getDefaultProfileName() {
+    const loader = new loader_1.ProfileLoader();
+    return loader.getDefaultProfileName();
+}
+//# sourceMappingURL=applicator.js.map

package/dist/src/profiles/applicator.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"applicator.js","sourceRoot":"","sources":["../../../src/profiles/applicator.ts"],"names":[],"mappings":";;AAkEA,oCAyKC;AAiBD,kCAkFC;AAcD,kDAIC;AAUD,gDAIC;AAWD,wDAyBC;AA1YD,qCAAyC;AACzC,sCAAmC;AASnC,MAAM,eAAe,GAA2B;IAC9C,IAAI,EAAE,iBAAiB;IACvB,UAAU,EAAE,eAAe;IAC3B,SAAS,EAAE,cAAc;IACzB,MAAM,EAAE,YAAY;IACpB,GAAG,EAAE,SAAS;IACd,KAAK,EAAE,WAAW;IAClB,SAAS,EAAE,eAAe;IAC1B,SAAS,EAAE,eAAe;IAC1B,QAAQ,EAAE,cAAc;IACxB,QAAQ,EAAE,cAAc;IACxB,YAAY,EAAE,kBAAkB;CACjC,CAAC;AAoCK,KAAK,UAAU,YAAY,CAChC,OAAgB,EAChB,WAAmB;IAEnB,MAAM,eAAe,GAAa,EAAE,CAAC;IACrC,MAAM,MAAM,GAAG,IAAI,sBAAa,EAAE,CAAC;IACnC,MAAM,UAAU,GAAG,MAAM,MAAM,CAAC,eAAe,CAAC,OAAO,CAAC,CAAC;IAGzD,KAAK,MAAM,OAAO,IAAI,UAAU,CAAC,QAAQ,EAAE,CAAC;QAC1C,eAAM,CAAC,IAAI,CAAC,EAAE,OAAO,EAAE,WAAW,EAAE,EAAE,OAAO,CAAC,CAAC;IACjD,CAAC;IAGD,IAAI,CAAC,UAAU,CAAC,KAAK,EAAE,CAAC;QACtB,eAAM,CAAC,KAAK,CAAC,EAAE,OAAO,EAAE,WAAW,EAAE,MAAM,EAAE,UAAU,CAAC,MAAM,EAAE,EAAE,2BAA2B,CAAC,CAAC;QAC/F,OAAO;YACL,OAAO,EAAE,KAAK;YACd,WAAW;YACX,IAAI,EAAE,OAAO,CAAC,IAAI;YAClB,eAAe;YACf,UAAU;SACX,CAAC;IACJ,CAAC;IAGD,MAAM,MAAM,GAAG,OAAO,CAAC,OAAO,IAAI,WAAW,OAAO,CAAC,IAAI,EAAE,CAAC;IAC5D,OAAO,CAAC,GAAG,CAAC,cAAc,GAAG,MAAM,CAAC;IACpC,eAAe,CAAC,IAAI,CAAC,kBAAkB,MAAM,EAAE,CAAC,CAAC;IAGjD,QAAQ,OAAO,CAAC,IAAI,CAAC,IAAI,EAAE,CAAC;QAC1B,KAAK,KAAK;YACR,IAAI,OAAO,CAAC,IAAI,CAAC,SAAS,EAAE,CAAC;gBAC3B,MAAM,KAAK,GAAG,OAAO,CAAC,GAAG,CAAC,OAAO,CAAC,IAAI,CAAC,SAAS,CAAC,CAAC;gBAClD,IAAI,KAAK,EAAE,CAAC;oBACV,OAAO,CAAC,GAAG,CAAC,YAAY,GAAG,KAAK,CAAC;oBACjC,eAAe,CAAC,IAAI,CAAC,sBAAsB,OAAO,CAAC,IAAI,CAAC,SAAS,GAAG,CAAC,CAAC;gBACxE,CAAC;YACH,CAAC;YACD,MAAM;QAER,KAAK,OAAO;YACV,IAAI,OAAO,CAAC,IAAI,CAAC,aAAa,EAAE,CAAC;gBAC/B,MAAM,QAAQ,GAAG,OAAO,CAAC,GAAG,CAAC,OAAO,CAAC,IAAI,CAAC,aAAa,CAAC,CAAC;gBACzD,IAAI,QAAQ,EAAE,CAAC;oBACb,OAAO,CAAC,GAAG,CAAC,sBAAsB,GAAG,QAAQ,CAAC;oBAC9C,eAAe,CAAC,IAAI,CAAC,gCAAgC,OAAO,CAAC,IAAI,CAAC,aAAa,GAAG,CAAC,CAAC;gBACtF,CAAC;YACH,CAAC;YACD,IAAI,OAAO,CAAC,IAAI,CAAC,iBAAiB,EAAE,CAAC;gBACnC,MAAM,YAAY,GAAG,OAAO,CAAC,GAAG,CAAC,OAAO,CAAC,IAAI,CAAC,iBAAiB,CAAC,CAAC;gBACjE,IAAI,YAAY,EAAE,CAAC;oBACjB,OAAO,CAAC,GAAG,CAAC,0BAA0B,GAAG,YAAY,CAAC;oBACtD,eAAe,CAAC,IAAI,CAClB,oCAAoC,OAAO,CAAC,IAAI,CAAC,iBAAiB,GAAG,CACtE,CAAC;gBACJ,CAAC;YACH,CAAC;YACD,OAAO,CAAC,GAAG,CAAC,aAAa,GAAG,MAAM,CAAC;YACnC,eAAe,CAAC,IAAI,CAAC,oBAAoB,CAAC,CAAC;YAC3C,MAAM;QAER,KAAK,QAAQ;YACX,IAAI,OAAO,CAAC,IAAI,CAAC,WAAW,EAAE,CAAC;gBAC7B,OAAO,CAAC,GAAG,CAAC,uBAAuB,GAAG,OAAO,CAAC,IAAI,CAAC,WAAW,CAAC;gBAC/D,eAAe,CAAC,IAAI,CAAC,2BAA2B,OAAO,CAAC,IAAI,CAAC,WAAW,EAAE,CAAC,CAAC;YAC9E,CAAC;YACD,MAAM;IACV,CAAC;IAGD,IAAI,OAAO,CAAC,SAAS,EAAE,CAAC;QACtB,OAAO,CAAC,GAAG,CAAC,qBAAqB,GAAG,MAAM,CAAC;QAC3C,eAAe,CAAC,IAAI,CAAC,4BAA4B,CAAC,CAAC;IACrD,CAAC;IAED,IAAI,OAAO,CAAC,gBAAgB,IAAI,OAAO,CAAC,gBAAgB,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;QACpE,OAAO,CAAC,GAAG,CAAC,0BAA0B,GAAG,OAAO,CAAC,gBAAgB,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC;QAC5E,eAAe,CAAC,IAAI,CAAC,8BAA8B,OAAO,CAAC,gBAAgB,CAAC,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,CAAC;IAC3F,CAAC;IAED,IAAI,OAAO,CAAC,cAAc,IAAI,OAAO,CAAC,cAAc,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;QAChE,OAAO,CAAC,GAAG,CAAC,wBAAwB,GAAG,OAAO,CAAC,cAAc,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC;QACxE,eAAe,CAAC,IAAI,CAAC,4BAA4B,OAAO,CAAC,cAAc,CAAC,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,CAAC;IACvF,CAAC;IAED,IAAI,OAAO,CAAC,aAAa,IAAI,OAAO,CAAC,aAAa,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;QAC9D,OAAO,CAAC,GAAG,CAAC,oBAAoB,GAAG,OAAO,CAAC,aAAa,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC;QACnE,eAAe,CAAC,IAAI,CAAC,wBAAwB,OAAO,CAAC,aAAa,CAAC,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,CAAC;IAClF,CAAC;IAED,IAAI,OAAO,CAAC,kBAAkB,EAAE,CAAC;QAC/B,OAAO,CAAC,GAAG,CAAC,yBAAyB,GAAG,OAAO,CAAC,kBAAkB,CAAC;QACnE,eAAe,CAAC,IAAI,CAAC,6BAA6B,OAAO,CAAC,kBAAkB,EAAE,CAAC,CAAC;IAClF,CAAC;IAED,IAAI,OAAO,CAAC,cAAc,IAAI,OAAO,CAAC,cAAc,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;QAChE,OAAO,CAAC,GAAG,CAAC,qBAAqB,GAAG,OAAO,CAAC,cAAc,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC;QACrE,eAAe,CAAC,IAAI,CAAC,yBAAyB,OAAO,CAAC,cAAc,CAAC,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,CAAC;IACpF,CAAC;IAGD,IAAI,OAAO,CAAC,QAAQ,EAAE,CAAC;QACrB,KAAK,MAAM,CAAC,OAAO,EAAE,MAAM,CAAC,IAAI,MAAM,CAAC,OAAO,CAAC,eAAe,CAAC,EAAE,CAAC;YAChE,MAAM,KAAK,GAAG,OAAO,CAAC,QAAQ,CAAC,OAAwC,CAAC,CAAC;YACzE,IAAI,KAAK,KAAK,SAAS,EAAE,CAAC;gBACxB,OAAO,CAAC,GAAG,CAAC,MAAM,CAAC,GAAG,KAAK,CAAC,CAAC,CAAC,MAAM,CAAC,CAAC,CAAC,OAAO,CAAC;gBAC/C,eAAe,CAAC,IAAI,CAAC,GAAG,MAAM,IAAI,KAAK,EAAE,CAAC,CAAC;YAC7C,CAAC;QACH,CAAC;IACH,CAAC;IAGD,IAAI,OAAO,CAAC,UAAU,EAAE,CAAC;QACvB,OAAO,CAAC,GAAG,CAAC,qBAAqB,GAAG,MAAM,CAAC,OAAO,CAAC,UAAU,CAAC,CAAC;QAC/D,eAAe,CAAC,IAAI,CAAC,yBAAyB,OAAO,CAAC,UAAU,EAAE,CAAC,CAAC;IACtE,CAAC;IAGD,IAAI,OAAO,CAAC,eAAe,EAAE,CAAC;QAC5B,OAAO,CAAC,GAAG,CAAC,eAAe,GAAG,MAAM,CAAC;QACrC,eAAe,CAAC,IAAI,CAAC,sBAAsB,CAAC,CAAC;IAC/C,CAAC;IAED,IAAI,OAAO,CAAC,aAAa,EAAE,CAAC;QAC1B,OAAO,CAAC,GAAG,CAAC,aAAa,GAAG,OAAO,CAAC,aAAa,CAAC;QAClD,eAAe,CAAC,IAAI,CAAC,iBAAiB,OAAO,CAAC,aAAa,EAAE,CAAC,CAAC;IACjE,CAAC;IAED,IAAI,OAAO,CAAC,YAAY,EAAE,CAAC;QACzB,OAAO,CAAC,GAAG,CAAC,YAAY,GAAG,OAAO,CAAC,YAAY,CAAC;QAChD,eAAe,CAAC,IAAI,CAAC,gBAAgB,OAAO,CAAC,YAAY,EAAE,CAAC,CAAC;IAC/D,CAAC;IAED,IAAI,OAAO,CAAC,YAAY,EAAE,CAAC;QACzB,OAAO,CAAC,GAAG,CAAC,mBAAmB,GAAG,OAAO,CAAC,YAAY,CAAC;QACvD,eAAe,CAAC,IAAI,CAAC,uBAAuB,OAAO,CAAC,YAAY,EAAE,CAAC,CAAC;IACtE,CAAC;IAGD,IAAI,OAAO,CAAC,eAAe,EAAE,CAAC;QAC5B,OAAO,CAAC,GAAG,CAAC,iBAAiB,GAAG,OAAO,CAAC,eAAe,CAAC;QACxD,eAAe,CAAC,IAAI,CAAC,qBAAqB,OAAO,CAAC,eAAe,EAAE,CAAC,CAAC;IACvE,CAAC;IAED,IAAI,OAAO,CAAC,iBAAiB,EAAE,CAAC;QAC9B,OAAO,CAAC,GAAG,CAAC,wBAAwB,GAAG,OAAO,CAAC,iBAAiB,CAAC;QACjE,eAAe,CAAC,IAAI,CAAC,4BAA4B,OAAO,CAAC,iBAAiB,EAAE,CAAC,CAAC;IAChF,CAAC;IAED,eAAM,CAAC,IAAI,CACT;QACE,OAAO,EAAE,WAAW;QACpB,IAAI,EAAE,OAAO,CAAC,IAAI;QAClB,QAAQ,EAAE,OAAO,CAAC,IAAI,CAAC,IAAI;QAC3B,QAAQ,EAAE,OAAO,CAAC,SAAS,IAAI,KAAK;QACpC,aAAa,EAAE,eAAe,CAAC,MAAM;KACtC,EACD,8BAA8B,CAC/B,CAAC;IAEF,OAAO;QACL,OAAO,EAAE,IAAI;QACb,WAAW;QACX,IAAI,EAAE,OAAO,CAAC,IAAI;QAClB,eAAe;QACf,UAAU;KACX,CAAC;AACJ,CAAC;AAiBM,KAAK,UAAU,WAAW,CAAC,MAAc,EAAE,UAAkB;IAClE,MAAM,eAAe,GAAa,EAAE,CAAC;IACrC,MAAM,MAAM,GAAG,IAAI,sBAAa,EAAE,CAAC;IACnC,MAAM,UAAU,GAAG,MAAM,MAAM,CAAC,cAAc,CAAC,MAAM,CAAC,CAAC;IAGvD,KAAK,MAAM,OAAO,IAAI,UAAU,CAAC,QAAQ,EAAE,CAAC;QAC1C,eAAM,CAAC,IAAI,CAAC,EAAE,MAAM,EAAE,UAAU,EAAE,EAAE,OAAO,CAAC,CAAC;IAC/C,CAAC;IAGD,IAAI,CAAC,UAAU,CAAC,KAAK,EAAE,CAAC;QACtB,eAAM,CAAC,KAAK,CAAC,EAAE,MAAM,EAAE,UAAU,EAAE,MAAM,EAAE,UAAU,CAAC,MAAM,EAAE,EAAE,0BAA0B,CAAC,CAAC;QAC5F,OAAO;YACL,OAAO,EAAE,KAAK;YACd,UAAU;YACV,eAAe;YACf,UAAU;SACX,CAAC;IACJ,CAAC;IAGD,IAAI,CAAC,OAAO,CAAC,GAAG,CAAC,cAAc,IAAI,CAAC,OAAO,CAAC,GAAG,CAAC,YAAY,EAAE,CAAC;QAC7D,eAAM,CAAC,IAAI,CACT,EAAE,MAAM,EAAE,UAAU,EAAE,EACtB,8EAA8E,CAC/E,CAAC;IACJ,CAAC;IAGD,IAAI,MAAM,CAAC,SAAS,EAAE,CAAC;QACrB,OAAO,CAAC,GAAG,CAAC,qBAAqB,GAAG,MAAM,CAAC;QAC3C,eAAe,CAAC,IAAI,CAAC,4BAA4B,CAAC,CAAC;IACrD,CAAC;IAED,IAAI,MAAM,CAAC,kBAAkB,EAAE,CAAC;QAC9B,OAAO,CAAC,GAAG,CAAC,yBAAyB,GAAG,MAAM,CAAC,kBAAkB,CAAC;QAClE,eAAe,CAAC,IAAI,CAAC,6BAA6B,MAAM,CAAC,kBAAkB,EAAE,CAAC,CAAC;IACjF,CAAC;IAED,IAAI,MAAM,CAAC,cAAc,IAAI,MAAM,CAAC,cAAc,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;QAC9D,OAAO,CAAC,GAAG,CAAC,qBAAqB,GAAG,MAAM,CAAC,cAAc,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC;QACpE,eAAe,CAAC,IAAI,CAAC,yBAAyB,MAAM,CAAC,cAAc,CAAC,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,CAAC;IACnF,CAAC;IAED,IAAI,MAAM,CAAC,aAAa,IAAI,MAAM,CAAC,aAAa,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;QAC5D,OAAO,CAAC,GAAG,CAAC,oBAAoB,GAAG,MAAM,CAAC,aAAa,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC;QAClE,eAAe,CAAC,IAAI,CAAC,wBAAwB,MAAM,CAAC,aAAa,CAAC,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,CAAC;IACjF,CAAC;IAGD,IAAI,MAAM,CAAC,QAAQ,EAAE,CAAC;QACpB,KAAK,MAAM,CAAC,OAAO,EAAE,MAAM,CAAC,IAAI,MAAM,CAAC,OAAO,CAAC,eAAe,CAAC,EAAE,CAAC;YAChE,MAAM,KAAK,GAAG,MAAM,CAAC,QAAQ,CAAC,OAAuC,CAAC,CAAC;YACvE,IAAI,KAAK,KAAK,SAAS,EAAE,CAAC;gBACxB,OAAO,CAAC,GAAG,CAAC,MAAM,CAAC,GAAG,KAAK,CAAC,CAAC,CAAC,MAAM,CAAC,CAAC,CAAC,OAAO,CAAC;gBAC/C,eAAe,CAAC,IAAI,CAAC,GAAG,MAAM,IAAI,KAAK,EAAE,CAAC,CAAC;YAC7C,CAAC;QACH,CAAC;IACH,CAAC;IAGD,IAAI,MAAM,CAAC,UAAU,EAAE,CAAC;QACtB,OAAO,CAAC,GAAG,CAAC,qBAAqB,GAAG,MAAM,CAAC,MAAM,CAAC,UAAU,CAAC,CAAC;QAC9D,eAAe,CAAC,IAAI,CAAC,yBAAyB,MAAM,CAAC,UAAU,EAAE,CAAC,CAAC;IACrE,CAAC;IAED,eAAM,CAAC,IAAI,CACT;QACE,MAAM,EAAE,UAAU;QAClB,QAAQ,EAAE,MAAM,CAAC,SAAS,IAAI,KAAK;QACnC,aAAa,EAAE,eAAe,CAAC,MAAM;KACtC,EACD,6BAA6B,CAC9B,CAAC;IAEF,OAAO;QACL,OAAO,EAAE,IAAI;QACb,UAAU;QACV,eAAe;QACf,UAAU;KACX,CAAC;AACJ,CAAC;AAcM,KAAK,UAAU,mBAAmB,CAAC,WAAmB;IAC3D,MAAM,MAAM,GAAG,IAAI,sBAAa,EAAE,CAAC;IACnC,MAAM,OAAO,GAAG,MAAM,MAAM,CAAC,WAAW,CAAC,WAAW,CAAC,CAAC;IACtD,OAAO,YAAY,CAAC,OAAO,EAAE,WAAW,CAAC,CAAC;AAC5C,CAAC;AAUM,KAAK,UAAU,kBAAkB,CAAC,UAAkB;IACzD,MAAM,MAAM,GAAG,IAAI,sBAAa,EAAE,CAAC;IACnC,MAAM,MAAM,GAAG,MAAM,MAAM,CAAC,UAAU,CAAC,UAAU,CAAC,CAAC;IACnD,OAAO,WAAW,CAAC,MAAM,EAAE,UAAU,CAAC,CAAC;AACzC,CAAC;AAWM,KAAK,UAAU,sBAAsB,CAC1C,cAAuB;IAGvB,MAAM,IAAI,GAAG,cAAc,IAAI,OAAO,CAAC,GAAG,CAAC,cAAc,IAAI,CAAC,MAAM,qBAAqB,EAAE,CAAC,CAAC;IAE7F,IAAI,CAAC,IAAI,EAAE,CAAC;QACV,eAAM,CAAC,KAAK,CAAC,4DAA4D,CAAC,CAAC;QAC3E,OAAO,SAAS,CAAC;IACnB,CAAC;IAED,IAAI,CAAC;QACH,MAAM,MAAM,GAAG,IAAI,sBAAa,EAAE,CAAC;QACnC,MAAM,MAAM,GAAG,MAAM,MAAM,CAAC,OAAO,CAAC,IAAI,CAAC,CAAC;QAE1C,IAAI,MAAM,CAAC,IAAI,KAAK,SAAS,EAAE,CAAC;YAC9B,OAAO,MAAM,YAAY,CAAC,MAAM,CAAC,IAAI,EAAE,IAAI,CAAC,CAAC;QAC/C,CAAC;aAAM,CAAC;YACN,OAAO,MAAM,WAAW,CAAC,MAAM,CAAC,IAAI,EAAE,IAAI,CAAC,CAAC;QAC9C,CAAC;IACH,CAAC;IAAC,OAAO,KAAK,EAAE,CAAC;QACf,MAAM,OAAO,GAAG,KAAK,YAAY,KAAK,CAAC,CAAC,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC;QACvE,eAAM,CAAC,KAAK,CAAC,EAAE,OAAO,EAAE,IAAI,EAAE,KAAK,EAAE,OAAO,EAAE,EAAE,gCAAgC,CAAC,CAAC;QAClF,MAAM,KAAK,CAAC;IACd,CAAC;AACH,CAAC;AAKD,KAAK,UAAU,qBAAqB;IAClC,MAAM,MAAM,GAAG,IAAI,sBAAa,EAAE,CAAC;IACnC,OAAO,MAAM,CAAC,qBAAqB,EAAE,CAAC;AACxC,CAAC"}

package/dist/src/profiles/builtin/admin.yaml

@@ -0,0 +1,25 @@
+# Admin preset - full access to all features
+#
+# Use with caution - this preset enables all tools
+# including webhooks, integrations, and variables.
+#
+# Recommended only for GitLab administrators.
+#
+# NOTE: This is a PRESET - host/auth come from environment variables.
+
+description: "Full admin access - all features enabled"
+
+read_only: false
+
+features:
+  wiki: true
+  milestones: true
+  pipelines: true
+  labels: true
+  mrs: true
+  files: true
+  variables: true
+  workitems: true
+  webhooks: true
+  snippets: true
+  integrations: true

package/dist/src/profiles/builtin/ci.yaml

@@ -0,0 +1,30 @@
+# CI/CD Bot preset - automation
+#
+# Minimal tools for CI/CD automation:
+# - Pipeline operations
+# - File management
+# - Variables access
+#
+# No access to development workflow tools.
+#
+# NOTE: This is a PRESET - host/auth come from environment variables.
+
+description: "CI/CD Bot - minimal tools for automation"
+
+read_only: false
+
+features:
+  wiki: false
+  milestones: false
+  pipelines: true
+  labels: false
+  mrs: false
+  files: true
+  variables: true
+  workitems: false
+  webhooks: false
+  snippets: false
+  integrations: false
+
+# Block workflow-related operations
+denied_tools_regex: "^manage_(work_item|mr|label|milestone|wiki)"

package/dist/src/profiles/builtin/developer.yaml

@@ -0,0 +1,35 @@
+# Developer preset - standard development workflow
+#
+# Full access to development-related tools including:
+# - Code browsing and file management
+# - Work items and merge requests
+# - Labels and milestones
+#
+# Restricted access to admin-level features.
+#
+# NOTE: This is a PRESET - host/auth come from environment variables.
+
+description: "Standard developer access - no admin features"
+
+read_only: false
+
+features:
+  wiki: true
+  milestones: true
+  pipelines: true
+  labels: true
+  mrs: true
+  files: true
+  variables: false  # Requires elevated access
+  workitems: true
+  webhooks: false   # Admin only
+  snippets: true
+  integrations: false  # Admin only
+
+# Block dangerous actions
+denied_actions:
+  - "manage_repository:delete"
+  - "manage_webhook:create"
+  - "manage_webhook:update"
+  - "manage_webhook:delete"
+  - "manage_integration:update"

package/dist/src/profiles/builtin/devops.yaml

@@ -0,0 +1,28 @@
+# DevOps Engineer preset - CI/CD and infrastructure
+#
+# Focused on infrastructure and automation:
+# - Full pipeline management
+# - Variables and secrets
+# - Webhooks and integrations
+# - File operations for configs
+#
+# No access to development workflow tools (MRs, issues, wiki).
+#
+# NOTE: This is a PRESET - host/auth come from environment variables.
+
+description: "DevOps Engineer - CI/CD pipelines, variables, infrastructure"
+
+read_only: false
+
+features:
+  wiki: false
+  milestones: false
+  pipelines: true
+  labels: false
+  mrs: false
+  files: true
+  variables: true
+  workitems: false
+  webhooks: true
+  snippets: false
+  integrations: true

package/dist/src/profiles/builtin/gitlab-com.yaml

@@ -0,0 +1,35 @@
+# gitlab.com preset - rate-limit friendly
+#
+# Optimized for gitlab.com public instance:
+# - Standard development features enabled
+# - Rate-limit friendly restrictions
+# - Safe defaults for public projects
+#
+# Features that typically require elevated access are disabled.
+#
+# NOTE: This is a PRESET - host/auth come from environment variables.
+
+description: "Optimized for gitlab.com - respects rate limits, safe defaults"
+
+read_only: false
+
+features:
+  wiki: true
+  milestones: true
+  pipelines: true
+  labels: true
+  mrs: true
+  files: true
+  variables: false     # Often restricted on public projects
+  workitems: true
+  webhooks: false      # Requires maintainer+ access
+  snippets: true
+  integrations: false  # Requires admin access
+
+# Rate-limit friendly restrictions
+denied_actions:
+  # Pagination-heavy operations
+  - "browse_commits:list"
+  - "browse_pipelines:list"
+  # Operations that can trigger many API calls
+  - "manage_pipeline:retry"

package/dist/src/profiles/builtin/junior-dev.yaml

@@ -0,0 +1,30 @@
+# Junior Developer preset - day-to-day development
+#
+# Focused on core development tasks:
+# - Code browsing and file management
+# - Work items and merge requests
+# - Labels and snippets
+#
+# No access to pipelines, variables, or admin features.
+#
+# NOTE: This is a PRESET - host/auth come from environment variables.
+
+description: "Junior Developer - code, MRs, basic issue tracking"
+
+read_only: false
+
+features:
+  wiki: false
+  milestones: false
+  pipelines: false
+  labels: true
+  mrs: true
+  files: true
+  variables: false
+  workitems: true
+  webhooks: false
+  snippets: true
+  integrations: false
+
+# Block pipeline and admin operations
+denied_tools_regex: "^manage_(pipeline|variable|webhook)"

package/dist/src/profiles/builtin/pm.yaml

@@ -0,0 +1,31 @@
+# Project Manager preset - planning and tracking
+#
+# Focused on project management:
+# - Work items and milestones
+# - Merge request status tracking
+# - Wiki and documentation
+# - Labels for organization
+#
+# No access to code operations, pipelines, or technical features.
+#
+# NOTE: This is a PRESET - host/auth come from environment variables.
+
+description: "Project Manager - planning, tracking, documentation (no code ops)"
+
+read_only: false
+
+features:
+  wiki: true
+  milestones: true
+  pipelines: false
+  labels: true
+  mrs: true
+  files: false
+  variables: false
+  workitems: true
+  webhooks: false
+  snippets: false
+  integrations: false
+
+# Block code and pipeline operations
+denied_tools_regex: "^manage_(files|pipeline|variable)"

package/dist/src/profiles/builtin/readonly.yaml

@@ -0,0 +1,28 @@
+# Read-only preset - safe browsing without write access
+#
+# Use this preset when you need to explore a GitLab instance
+# without any risk of modifying data.
+#
+# All write operations (create, update, delete) are blocked.
+#
+# NOTE: This is a PRESET, not a full profile.
+# It does NOT contain host or auth - those come from your
+# environment variables (GITLAB_API_URL, GITLAB_TOKEN).
+
+description: "Read-only access - blocks all write operations"
+
+read_only: true
+denied_tools_regex: "^manage_|^create_"
+
+features:
+  wiki: true
+  milestones: true
+  pipelines: true
+  labels: true
+  mrs: true
+  files: true
+  variables: false  # Variables often contain secrets
+  workitems: true
+  webhooks: false   # Webhooks are admin-level
+  snippets: true
+  integrations: false  # Integrations are admin-level

package/dist/src/profiles/builtin/senior-dev.yaml

@@ -0,0 +1,36 @@
+# Senior Developer preset - code review and pipeline monitoring
+#
+# Extended access for senior developers:
+# - Full code browsing and file management
+# - Work items and merge requests
+# - Pipeline monitoring (read-only)
+# - Wiki and documentation
+#
+# No control over pipelines, variables, or webhooks.
+#
+# NOTE: This is a PRESET - host/auth come from environment variables.
+
+description: "Senior Developer - code review, discussions, pipeline monitoring"
+
+read_only: false
+
+features:
+  wiki: true
+  milestones: false
+  pipelines: true
+  labels: true
+  mrs: true
+  files: true
+  variables: false
+  workitems: true
+  webhooks: false
+  snippets: true
+  integrations: false
+
+# Block pipeline control and webhook management
+denied_actions:
+  - "manage_pipeline:cancel"
+  - "manage_pipeline:retry"
+  - "manage_webhook:create"
+  - "manage_webhook:update"
+  - "manage_webhook:delete"

package/dist/src/profiles/builtin/team-lead.yaml

@@ -0,0 +1,37 @@
+# Team Lead preset - planning and oversight
+#
+# Focused on team management:
+# - Planning with milestones and work items
+# - Code review via merge requests
+# - Pipeline monitoring
+# - Wiki and documentation
+#
+# No access to sensitive variables or webhooks.
+#
+# NOTE: This is a PRESET - host/auth come from environment variables.
+
+description: "Team Lead - planning, milestones, team oversight, code review"
+
+read_only: false
+
+features:
+  wiki: true
+  milestones: true
+  pipelines: true
+  labels: true
+  mrs: true
+  files: true
+  variables: false
+  workitems: true
+  webhooks: false
+  snippets: true
+  integrations: false
+
+# Block sensitive operations
+denied_actions:
+  - "manage_variable:create"
+  - "manage_variable:update"
+  - "manage_variable:delete"
+  - "manage_webhook:create"
+  - "manage_webhook:update"
+  - "manage_webhook:delete"