@structured-world/gitlab-mcp 6.62.1 → 7.0.1

package/dist/src/middleware/oauth-auth.js

@@ -14,36 +14,36 @@ const config_2 = require("../config");
 async function oauthAuthMiddleware(req, res, next) {
     const config = (0, config_1.loadOAuthConfig)();
     if (!config) {
-        sendUnauthorized(req, res, "server_error", "OAuth not configured");
+        sendUnauthorized(req, res, 'server_error', 'OAuth not configured');
         return;
     }
     const authHeader = req.headers.authorization;
     if (!authHeader) {
-        sendUnauthorized(req, res, "unauthorized", "Missing Authorization header");
+        sendUnauthorized(req, res, 'unauthorized', 'Missing Authorization header');
         return;
     }
-    if (!authHeader.startsWith("Bearer ")) {
-        sendUnauthorized(req, res, "unauthorized", "Invalid Authorization header format. Expected: Bearer <token>");
+    if (!authHeader.startsWith('Bearer ')) {
+        sendUnauthorized(req, res, 'unauthorized', 'Invalid Authorization header format. Expected: Bearer <token>');
         return;
     }
     const token = authHeader.slice(7);
     if (!token) {
-        sendUnauthorized(req, res, "unauthorized", "Empty Bearer token");
+        sendUnauthorized(req, res, 'unauthorized', 'Empty Bearer token');
         return;
     }
     const payload = (0, token_utils_1.verifyMCPToken)(token, config.sessionSecret);
     if (!payload) {
-        sendUnauthorized(req, res, "invalid_token", "Token is invalid or expired");
+        sendUnauthorized(req, res, 'invalid_token', 'Token is invalid or expired');
         return;
     }
     const sessionId = payload.sid;
     const session = session_store_1.sessionStore.getSession(sessionId);
     if (!session) {
-        sendUnauthorized(req, res, "invalid_token", "Session not found or expired");
+        sendUnauthorized(req, res, 'invalid_token', 'Session not found or expired');
         return;
     }
     if (session.mcpAccessToken !== token) {
-        sendUnauthorized(req, res, "invalid_token", "Token has been superseded");
+        sendUnauthorized(req, res, 'invalid_token', 'Token has been superseded');
         return;
     }
     if ((0, token_utils_1.isTokenExpiringSoon)(session.gitlabTokenExpiry)) {
@@ -54,19 +54,19 @@ async function oauthAuthMiddleware(req, res, next) {
                 gitlabRefreshToken: newTokens.refresh_token,
                 gitlabTokenExpiry: (0, token_utils_1.calculateTokenExpiry)(newTokens.expires_in),
             });
-            (0, logger_1.logDebug)("GitLab token refreshed during request", {
+            (0, logger_1.logDebug)('GitLab token refreshed during request', {
                 sessionId: (0, logger_1.truncateId)(sessionId),
             });
         }
         catch (error) {
-            (0, logger_1.logError)("Failed to refresh GitLab token during request", { err: error });
-            sendUnauthorized(req, res, "invalid_token", "GitLab token refresh failed. Please re-authenticate.");
+            (0, logger_1.logError)('Failed to refresh GitLab token during request', { err: error });
+            sendUnauthorized(req, res, 'invalid_token', 'GitLab token refresh failed. Please re-authenticate.');
             return;
         }
     }
     const updatedSession = session_store_1.sessionStore.getSession(sessionId);
     if (!updatedSession) {
-        sendUnauthorized(req, res, "invalid_token", "Session lost during token refresh");
+        sendUnauthorized(req, res, 'invalid_token', 'Session lost during token refresh');
         return;
     }
     res.locals.oauthSessionId = updatedSession.id;
@@ -75,7 +75,7 @@ async function oauthAuthMiddleware(req, res, next) {
     res.locals.gitlabUsername = updatedSession.gitlabUsername;
     res.locals.gitlabApiUrl = updatedSession.gitlabApiUrl ?? config_2.GITLAB_BASE_URL;
     res.locals.instanceLabel = updatedSession.instanceLabel;
-    (0, logger_1.logDebug)("OAuth session validated, passing to route handler", {
+    (0, logger_1.logDebug)('OAuth session validated, passing to route handler', {
         sessionId: (0, logger_1.truncateId)(updatedSession.id),
         method: req.method,
         path: req.path,
@@ -92,7 +92,7 @@ async function optionalOAuthMiddleware(req, res, next) {
         return;
     }
     const authHeader = req.headers.authorization;
-    if (!authHeader?.startsWith("Bearer ")) {
+    if (!authHeader?.startsWith('Bearer ')) {
         next();
         return;
     }
@@ -120,8 +120,8 @@ async function optionalOAuthMiddleware(req, res, next) {
     next();
 }
 function sendUnauthorized(req, res, error, description) {
-    (0, logger_1.logWarn)("Authentication rejected", {
-        event: "auth_rejected",
+    (0, logger_1.logWarn)('Authentication rejected', {
+        event: 'auth_rejected',
         ...(0, request_logger_1.getMinimalRequestContext)(req),
         reason: error,
         description,
@@ -131,7 +131,7 @@ function sendUnauthorized(req, res, error, description) {
         error_description: description,
     };
     const baseUrl = (0, metadata_1.getBaseUrl)(req);
-    res.setHeader("WWW-Authenticate", `Bearer realm="gitlab-mcp", resource_metadata="${baseUrl}/.well-known/oauth-protected-resource"`);
+    res.setHeader('WWW-Authenticate', `Bearer realm="gitlab-mcp", resource_metadata="${baseUrl}/.well-known/oauth-protected-resource"`);
     res.status(401).json(response);
 }
 //# sourceMappingURL=oauth-auth.js.map

package/dist/src/middleware/rate-limiter.d.ts

@@ -1,4 +1,4 @@
-import { RequestHandler } from "express";
+import { RequestHandler } from 'express';
 export declare function stopCleanup(): void;
 export declare function rateLimiterMiddleware(): RequestHandler;
 export declare function getRateLimitStats(): {

package/dist/src/middleware/rate-limiter.js

@@ -22,7 +22,7 @@ function startCleanup() {
             }
         }
         if (cleaned > 0) {
-            (0, logger_1.logDebug)("Rate limiter cleanup: removed expired entries", { cleaned });
+            (0, logger_1.logDebug)('Rate limiter cleanup: removed expired entries', { cleaned });
         }
     }, CLEANUP_INTERVAL_MS);
     cleanupInterval.unref();
@@ -34,14 +34,14 @@ function stopCleanup() {
     }
 }
 function getIpAddress(req) {
-    return req.ip ?? req.socket.remoteAddress ?? "unknown";
+    return req.ip ?? req.socket.remoteAddress ?? 'unknown';
 }
 function isAuthenticated(req, res) {
     const oauthSessionId = res.locals.oauthSessionId;
     if (oauthSessionId) {
         return true;
     }
-    const mcpSessionId = req.headers["mcp-session-id"];
+    const mcpSessionId = req.headers['mcp-session-id'];
     if (mcpSessionId) {
         return true;
     }
@@ -70,14 +70,14 @@ function checkRateLimit(key, windowMs, maxRequests) {
     };
 }
 function setRateLimitHeaders(res, info) {
-    res.set("X-RateLimit-Limit", info.total.toString());
-    res.set("X-RateLimit-Remaining", info.remaining.toString());
-    res.set("X-RateLimit-Reset", Math.ceil(info.resetAt / 1000).toString());
+    res.set('X-RateLimit-Limit', info.total.toString());
+    res.set('X-RateLimit-Remaining', info.remaining.toString());
+    res.set('X-RateLimit-Reset', Math.ceil(info.resetAt / 1000).toString());
 }
 function rateLimiterMiddleware() {
     startCleanup();
     return (req, res, next) => {
-        if (req.path === "/health") {
+        if (req.path === '/health') {
             next();
             return;
         }
@@ -87,33 +87,33 @@ function rateLimiterMiddleware() {
                 next();
                 return;
             }
-            const sessionId = res.locals.oauthSessionId || req.headers["mcp-session-id"];
+            const sessionId = res.locals.oauthSessionId || req.headers['mcp-session-id'];
             const key = `session:${sessionId}`;
             const info = checkRateLimit(key, config_1.RATE_LIMIT_SESSION_WINDOW_MS, config_1.RATE_LIMIT_SESSION_MAX_REQUESTS);
             setRateLimitHeaders(res, info);
             const usagePercent = (info.used / info.total) * 100;
             if (info.allowed && usagePercent >= 80) {
-                const rateLimitInfo = (0, request_logger_1.buildRateLimitInfo)("session", sessionId, info.used, info.total, info.resetAt);
-                (0, logger_1.logDebug)("Approaching session rate limit threshold", {
-                    event: "rate_limit_warning",
+                const rateLimitInfo = (0, request_logger_1.buildRateLimitInfo)('session', sessionId, info.used, info.total, info.resetAt);
+                (0, logger_1.logDebug)('Approaching session rate limit threshold', {
+                    event: 'rate_limit_warning',
                     ...(0, request_logger_1.getMinimalRequestContext)(req),
                     rateLimit: rateLimitInfo,
                 });
             }
             if (!info.allowed) {
                 const retryAfter = Math.ceil((info.resetAt - Date.now()) / 1000);
-                const rateLimitInfo = (0, request_logger_1.buildRateLimitInfo)("session", sessionId, info.used, info.total, info.resetAt);
-                (0, logger_1.logWarn)("Session rate limit exceeded", {
-                    event: "rate_limit_exceeded",
+                const rateLimitInfo = (0, request_logger_1.buildRateLimitInfo)('session', sessionId, info.used, info.total, info.resetAt);
+                (0, logger_1.logWarn)('Session rate limit exceeded', {
+                    event: 'rate_limit_exceeded',
                     ...(0, request_logger_1.getMinimalRequestContext)(req),
                     rateLimit: rateLimitInfo,
                     hasOAuthSession: !!res.locals.oauthSessionId,
-                    hasMcpSessionHeader: !!req.headers["mcp-session-id"],
+                    hasMcpSessionHeader: !!req.headers['mcp-session-id'],
                 });
-                res.set("Retry-After", retryAfter.toString());
+                res.set('Retry-After', retryAfter.toString());
                 res.status(429).json({
-                    error: "Too Many Requests",
-                    message: "Session rate limit exceeded. Please slow down your requests.",
+                    error: 'Too Many Requests',
+                    message: 'Session rate limit exceeded. Please slow down your requests.',
                     retryAfter,
                     limit: info.total,
                     remaining: info.remaining,
@@ -134,31 +134,31 @@ function rateLimiterMiddleware() {
         setRateLimitHeaders(res, info);
         const usagePercent = (info.used / info.total) * 100;
         if (info.allowed && usagePercent >= 80) {
-            const rateLimitInfo = (0, request_logger_1.buildRateLimitInfo)("ip", ip, info.used, info.total, info.resetAt);
-            (0, logger_1.logDebug)("Approaching IP rate limit threshold", {
-                event: "rate_limit_warning",
+            const rateLimitInfo = (0, request_logger_1.buildRateLimitInfo)('ip', ip, info.used, info.total, info.resetAt);
+            (0, logger_1.logDebug)('Approaching IP rate limit threshold', {
+                event: 'rate_limit_warning',
                 ...(0, request_logger_1.getMinimalRequestContext)(req),
                 rateLimit: rateLimitInfo,
-                authClassification: "anonymous",
-                authReason: "no OAuth session and no MCP-Session-Id header",
+                authClassification: 'anonymous',
+                authReason: 'no OAuth session and no MCP-Session-Id header',
             });
         }
         if (!info.allowed) {
             const retryAfter = Math.ceil((info.resetAt - Date.now()) / 1000);
-            const rateLimitInfo = (0, request_logger_1.buildRateLimitInfo)("ip", ip, info.used, info.total, info.resetAt);
-            const mcpSessionHeader = req.headers["mcp-session-id"];
-            (0, logger_1.logWarn)("IP rate limit exceeded", {
-                event: "rate_limit_exceeded",
+            const rateLimitInfo = (0, request_logger_1.buildRateLimitInfo)('ip', ip, info.used, info.total, info.resetAt);
+            const mcpSessionHeader = req.headers['mcp-session-id'];
+            (0, logger_1.logWarn)('IP rate limit exceeded', {
+                event: 'rate_limit_exceeded',
                 ...(0, request_logger_1.getMinimalRequestContext)(req),
                 rateLimit: rateLimitInfo,
-                authClassification: "anonymous",
-                authReason: "no OAuth session and no MCP-Session-Id header",
+                authClassification: 'anonymous',
+                authReason: 'no OAuth session and no MCP-Session-Id header',
                 mcpSessionId: (0, request_logger_1.truncateId)(mcpSessionHeader),
             });
-            res.set("Retry-After", retryAfter.toString());
+            res.set('Retry-After', retryAfter.toString());
             res.status(429).json({
-                error: "Too Many Requests",
-                message: "Rate limit exceeded. Please authenticate or slow down your requests.",
+                error: 'Too Many Requests',
+                message: 'Rate limit exceeded. Please authenticate or slow down your requests.',
                 retryAfter,
                 limit: info.total,
                 remaining: info.remaining,

package/dist/src/middleware/response-write-timeout.d.ts

@@ -0,0 +1,2 @@
+import type { Request, Response, NextFunction } from 'express';
+export declare function responseWriteTimeoutMiddleware(): (req: Request, res: Response, next: NextFunction) => void;

package/dist/src/middleware/response-write-timeout.js

@@ -0,0 +1,62 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.responseWriteTimeoutMiddleware = responseWriteTimeoutMiddleware;
+const zod_1 = require("zod");
+const config_1 = require("../config");
+const logger_1 = require("../logger");
+const mcpSessionIdSchema = zod_1.z
+    .union([zod_1.z.string(), zod_1.z.array(zod_1.z.string())])
+    .optional()
+    .transform((value) => (Array.isArray(value) ? value[0] : value));
+function normalizeContentType(value) {
+    if (typeof value === 'string')
+        return value.toLowerCase();
+    if (Array.isArray(value))
+        return value.join(',').toLowerCase();
+    return '';
+}
+function responseWriteTimeoutMiddleware() {
+    return (req, res, next) => {
+        if (config_1.RESPONSE_WRITE_TIMEOUT_MS <= 0) {
+            next();
+            return;
+        }
+        let writeTimer;
+        const originalWriteHead = res.writeHead.bind(res);
+        res.writeHead = (...args) => {
+            const result = originalWriteHead(...args);
+            if (!writeTimer) {
+                const isSSE = normalizeContentType(res.getHeader('content-type')).includes('text/event-stream');
+                if (!isSSE) {
+                    writeTimer = setTimeout(() => {
+                        if (!res.writableFinished && !res.destroyed) {
+                            res.locals = res.locals ?? {};
+                            res.locals.writeTimedOut = true;
+                            const parsedSessionId = mcpSessionIdSchema.safeParse(req.headers['mcp-session-id']);
+                            const sessionId = parsedSessionId.success ? parsedSessionId.data : undefined;
+                            (0, logger_1.logWarn)('Response write timeout — destroying zombie connection', {
+                                method: req.method,
+                                path: req.path,
+                                timeoutMs: config_1.RESPONSE_WRITE_TIMEOUT_MS,
+                                sessionId,
+                                reason: 'write_timeout',
+                            });
+                            res.destroy();
+                        }
+                    }, config_1.RESPONSE_WRITE_TIMEOUT_MS);
+                }
+            }
+            return result;
+        };
+        const cleanup = () => {
+            if (writeTimer) {
+                clearTimeout(writeTimer);
+                writeTimer = undefined;
+            }
+        };
+        res.on('finish', cleanup);
+        res.on('close', cleanup);
+        next();
+    };
+}
+//# sourceMappingURL=response-write-timeout.js.map

package/dist/src/middleware/response-write-timeout.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"response-write-timeout.js","sourceRoot":"","sources":["../../../src/middleware/response-write-timeout.ts"],"names":[],"mappings":";;AAiDA,wEA0EC;AAvGD,6BAAwB;AACxB,sCAAsD;AACtD,sCAAoC;AAGpC,MAAM,kBAAkB,GAAG,OAAC;KACzB,KAAK,CAAC,CAAC,OAAC,CAAC,MAAM,EAAE,EAAE,OAAC,CAAC,KAAK,CAAC,OAAC,CAAC,MAAM,EAAE,CAAC,CAAC,CAAC;KACxC,QAAQ,EAAE;KACV,SAAS,CAAC,CAAC,KAAK,EAAE,EAAE,CAAC,CAAC,KAAK,CAAC,OAAO,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,KAAK,CAAC,CAAC,CAAC;AAInE,SAAS,oBAAoB,CAAC,KAA6C;IACzE,IAAI,OAAO,KAAK,KAAK,QAAQ;QAAE,OAAO,KAAK,CAAC,WAAW,EAAE,CAAC;IAC1D,IAAI,KAAK,CAAC,OAAO,CAAC,KAAK,CAAC;QAAE,OAAO,KAAK,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC,WAAW,EAAE,CAAC;IAC/D,OAAO,EAAE,CAAC;AACZ,CAAC;AAaD,SAAgB,8BAA8B;IAC5C,OAAO,CAAC,GAAY,EAAE,GAAa,EAAE,IAAkB,EAAQ,EAAE;QAE/D,IAAI,kCAAyB,IAAI,CAAC,EAAE,CAAC;YACnC,IAAI,EAAE,CAAC;YACP,OAAO;QACT,CAAC;QAED,IAAI,UAAqD,CAAC;QAI1D,MAAM,iBAAiB,GAAG,GAAG,CAAC,SAAS,CAAC,IAAI,CAAC,GAAG,CAEX,CAAC;QAErC,GAA0C,CAAC,SAAS,GAAG,CACtD,GAAG,IAAsC,EAC/B,EAAE;YAIZ,MAAM,MAAM,GAAG,iBAAiB,CAAC,GAAG,IAAI,CAAC,CAAC;YAG1C,IAAI,CAAC,UAAU,EAAE,CAAC;gBAChB,MAAM,KAAK,GAAG,oBAAoB,CAAC,GAAG,CAAC,SAAS,CAAC,cAAc,CAAC,CAAC,CAAC,QAAQ,CACxE,mBAAmB,CACpB,CAAC;gBAEF,IAAI,CAAC,KAAK,EAAE,CAAC;oBAMX,UAAU,GAAG,UAAU,CAAC,GAAG,EAAE;wBAC3B,IAAI,CAAC,GAAG,CAAC,gBAAgB,IAAI,CAAC,GAAG,CAAC,SAAS,EAAE,CAAC;4BAE5C,GAAG,CAAC,MAAM,GAAG,GAAG,CAAC,MAAM,IAAI,EAAE,CAAC;4BAC9B,GAAG,CAAC,MAAM,CAAC,aAAa,GAAG,IAAI,CAAC;4BAEhC,MAAM,eAAe,GAAG,kBAAkB,CAAC,SAAS,CAAC,GAAG,CAAC,OAAO,CAAC,gBAAgB,CAAC,CAAC,CAAC;4BACpF,MAAM,SAAS,GAAG,eAAe,CAAC,OAAO,CAAC,CAAC,CAAC,eAAe,CAAC,IAAI,CAAC,CAAC,CAAC,SAAS,CAAC;4BAC7E,IAAA,gBAAO,EAAC,uDAAuD,EAAE;gCAC/D,MAAM,EAAE,GAAG,CAAC,MAAM;gCAClB,IAAI,EAAE,GAAG,CAAC,IAAI;gCACd,SAAS,EAAE,kCAAyB;gCACpC,SAAS;gCACT,MAAM,EAAE,eAAe;6BACxB,CAAC,CAAC;4BAEH,GAAG,CAAC,OAAO,EAAE,CAAC;wBAChB,CAAC;oBACH,CAAC,EAAE,kCAAyB,CAAC,CAAC;gBAChC,CAAC;YACH,CAAC;YAED,OAAO,MAAM,CAAC;QAChB,CAAC,CAAC;QAEF,MAAM,OAAO,GAAG,GAAG,EAAE;YACnB,IAAI,UAAU,EAAE,CAAC;gBACf,YAAY,CAAC,UAAU,CAAC,CAAC;gBACzB,UAAU,GAAG,SAAS,CAAC;YACzB,CAAC;QACH,CAAC,CAAC;QAGF,GAAG,CAAC,EAAE,CAAC,QAAQ,EAAE,OAAO,CAAC,CAAC;QAC1B,GAAG,CAAC,EAAE,CAAC,OAAO,EAAE,OAAO,CAAC,CAAC;QAEzB,IAAI,EAAE,CAAC;IACT,CAAC,CAAC;AACJ,CAAC"}

package/dist/src/oauth/config.d.ts

@@ -1,4 +1,4 @@
-import { z } from "zod";
+import { z } from 'zod';
 declare const OAuthConfigSchema: z.ZodObject<{
     enabled: z.ZodLiteral<true>;
     sessionSecret: z.ZodString;

package/dist/src/oauth/config.js

@@ -12,10 +12,10 @@ const zod_1 = require("zod");
 const logger_1 = require("../logger");
 const OAuthConfigSchema = zod_1.z.object({
     enabled: zod_1.z.literal(true),
-    sessionSecret: zod_1.z.string().min(32, "OAUTH_SESSION_SECRET must be at least 32 characters"),
-    gitlabClientId: zod_1.z.string().min(1, "GITLAB_OAUTH_CLIENT_ID is required"),
+    sessionSecret: zod_1.z.string().min(32, 'OAUTH_SESSION_SECRET must be at least 32 characters'),
+    gitlabClientId: zod_1.z.string().min(1, 'GITLAB_OAUTH_CLIENT_ID is required'),
     gitlabClientSecret: zod_1.z.string().optional(),
-    gitlabScopes: zod_1.z.string().default("api,read_user"),
+    gitlabScopes: zod_1.z.string().default('api,read_user'),
     tokenTtl: zod_1.z.number().positive().default(3600),
     refreshTokenTtl: zod_1.z.number().positive().default(604800),
     devicePollInterval: zod_1.z.number().positive().default(5),
@@ -26,7 +26,7 @@ function loadOAuthConfig() {
     if (cachedOAuthConfig !== undefined) {
         return cachedOAuthConfig;
     }
-    if (process.env.OAUTH_ENABLED !== "true") {
+    if (process.env.OAUTH_ENABLED !== 'true') {
         cachedOAuthConfig = null;
         (0, logger_1.logDebug)("OAuth mode disabled (OAUTH_ENABLED !== 'true')");
         return null;
@@ -36,27 +36,27 @@ function loadOAuthConfig() {
         sessionSecret: process.env.OAUTH_SESSION_SECRET,
         gitlabClientId: process.env.GITLAB_OAUTH_CLIENT_ID,
         gitlabClientSecret: process.env.GITLAB_OAUTH_CLIENT_SECRET,
-        gitlabScopes: process.env.GITLAB_OAUTH_SCOPES ?? "api,read_user",
-        tokenTtl: parseInt(process.env.OAUTH_TOKEN_TTL ?? "3600", 10),
-        refreshTokenTtl: parseInt(process.env.OAUTH_REFRESH_TOKEN_TTL ?? "604800", 10),
-        devicePollInterval: parseInt(process.env.OAUTH_DEVICE_POLL_INTERVAL ?? "5", 10),
-        deviceTimeout: parseInt(process.env.OAUTH_DEVICE_TIMEOUT ?? "300", 10),
+        gitlabScopes: process.env.GITLAB_OAUTH_SCOPES ?? 'api,read_user',
+        tokenTtl: parseInt(process.env.OAUTH_TOKEN_TTL ?? '3600', 10),
+        refreshTokenTtl: parseInt(process.env.OAUTH_REFRESH_TOKEN_TTL ?? '604800', 10),
+        devicePollInterval: parseInt(process.env.OAUTH_DEVICE_POLL_INTERVAL ?? '5', 10),
+        deviceTimeout: parseInt(process.env.OAUTH_DEVICE_TIMEOUT ?? '300', 10),
     });
     if (!result.success) {
         const errorMessages = result.error.issues
-            .map(e => `${e.path.join(".")}: ${e.message}`)
-            .join(", ");
+            .map((e) => `${e.path.join('.')}: ${e.message}`)
+            .join(', ');
         throw new Error(`Invalid OAuth configuration: ${errorMessages}`);
     }
     cachedOAuthConfig = result.data;
-    (0, logger_1.logInfo)("OAuth mode enabled with valid configuration");
+    (0, logger_1.logInfo)('OAuth mode enabled with valid configuration');
     return result.data;
 }
 class ConfigurationError extends Error {
     guidance;
     constructor(guidance) {
-        super("Missing required configuration");
-        this.name = "ConfigurationError";
+        super('Missing required configuration');
+        this.name = 'ConfigurationError';
         this.guidance = guidance;
     }
 }
@@ -83,7 +83,7 @@ function validateStaticConfig() {
     if (!process.env.GITLAB_TOKEN) {
         throw new ConfigurationError(MISSING_TOKEN_GUIDANCE);
     }
-    (0, logger_1.logDebug)("Static token mode: GITLAB_TOKEN configured");
+    (0, logger_1.logDebug)('Static token mode: GITLAB_TOKEN configured');
 }
 function isOAuthEnabled() {
     return loadOAuthConfig() !== null;
@@ -93,12 +93,12 @@ function resetOAuthConfigCache() {
 }
 function getAuthModeDescription() {
     if (isOAuthEnabled()) {
-        return "OAuth mode (per-user authentication via GitLab Device Flow)";
+        return 'OAuth mode (per-user authentication via GitLab Device Flow)';
     }
     if (process.env.GITLAB_TOKEN) {
-        return "Static token mode (shared GITLAB_TOKEN)";
+        return 'Static token mode (shared GITLAB_TOKEN)';
     }
-    return "Unauthenticated mode (tools/list only, tool calls require GITLAB_TOKEN)";
+    return 'Unauthenticated mode (tools/list only, tool calls require GITLAB_TOKEN)';
 }
 function isStaticTokenConfigured() {
     return !!process.env.GITLAB_TOKEN;

package/dist/src/oauth/config.js.map

@@ -1 +1 @@
-{"version":3,"file":"config.js","sourceRoot":"","sources":["../../../src/oauth/config.ts"],"names":[],"mappings":";;;AAqDA,0CAoCC;AA2CD,oDAKC;AAOD,wCAEC;AAKD,sDAEC;AAOD,wDAQC;AAOD,0DAEC;AAOD,gEAEC;AAnLD,6BAAwB;AACxB,sCAA8C;AAM9C,MAAM,iBAAiB,GAAG,OAAC,CAAC,MAAM,CAAC;IAEjC,OAAO,EAAE,OAAC,CAAC,OAAO,CAAC,IAAI,CAAC;IAExB,aAAa,EAAE,OAAC,CAAC,MAAM,EAAE,CAAC,GAAG,CAAC,EAAE,EAAE,qDAAqD,CAAC;IAExF,cAAc,EAAE,OAAC,CAAC,MAAM,EAAE,CAAC,GAAG,CAAC,CAAC,EAAE,oCAAoC,CAAC;IAEvE,kBAAkB,EAAE,OAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,EAAE;IAEzC,YAAY,EAAE,OAAC,CAAC,MAAM,EAAE,CAAC,OAAO,CAAC,eAAe,CAAC;IAEjD,QAAQ,EAAE,OAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,EAAE,CAAC,OAAO,CAAC,IAAI,CAAC;IAE7C,eAAe,EAAE,OAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,EAAE,CAAC,OAAO,CAAC,MAAM,CAAC;IAEtD,kBAAkB,EAAE,OAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,EAAE,CAAC,OAAO,CAAC,CAAC,CAAC;IAEpD,aAAa,EAAE,OAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,EAAE,CAAC,OAAO,CAAC,GAAG,CAAC;CAClD,CAAC,CAAC;AAUH,IAAI,iBAAiB,GAAmC,SAAS,CAAC;AAUlE,SAAgB,eAAe;IAE7B,IAAI,iBAAiB,KAAK,SAAS,EAAE,CAAC;QACpC,OAAO,iBAAiB,CAAC;IAC3B,CAAC;IAGD,IAAI,OAAO,CAAC,GAAG,CAAC,aAAa,KAAK,MAAM,EAAE,CAAC;QACzC,iBAAiB,GAAG,IAAI,CAAC;QACzB,IAAA,iBAAQ,EAAC,gDAAgD,CAAC,CAAC;QAC3D,OAAO,IAAI,CAAC;IACd,CAAC;IAGD,MAAM,MAAM,GAAG,iBAAiB,CAAC,SAAS,CAAC;QACzC,OAAO,EAAE,IAAa;QACtB,aAAa,EAAE,OAAO,CAAC,GAAG,CAAC,oBAAoB;QAC/C,cAAc,EAAE,OAAO,CAAC,GAAG,CAAC,sBAAsB;QAClD,kBAAkB,EAAE,OAAO,CAAC,GAAG,CAAC,0BAA0B;QAC1D,YAAY,EAAE,OAAO,CAAC,GAAG,CAAC,mBAAmB,IAAI,eAAe;QAChE,QAAQ,EAAE,QAAQ,CAAC,OAAO,CAAC,GAAG,CAAC,eAAe,IAAI,MAAM,EAAE,EAAE,CAAC;QAC7D,eAAe,EAAE,QAAQ,CAAC,OAAO,CAAC,GAAG,CAAC,uBAAuB,IAAI,QAAQ,EAAE,EAAE,CAAC;QAC9E,kBAAkB,EAAE,QAAQ,CAAC,OAAO,CAAC,GAAG,CAAC,0BAA0B,IAAI,GAAG,EAAE,EAAE,CAAC;QAC/E,aAAa,EAAE,QAAQ,CAAC,OAAO,CAAC,GAAG,CAAC,oBAAoB,IAAI,KAAK,EAAE,EAAE,CAAC;KACvE,CAAC,CAAC;IAEH,IAAI,CAAC,MAAM,CAAC,OAAO,EAAE,CAAC;QACpB,MAAM,aAAa,GAAG,MAAM,CAAC,KAAK,CAAC,MAAM;aACtC,GAAG,CAAC,CAAC,CAAC,EAAE,CAAC,GAAG,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,GAAG,CAAC,KAAK,CAAC,CAAC,OAAO,EAAE,CAAC;aAC7C,IAAI,CAAC,IAAI,CAAC,CAAC;QACd,MAAM,IAAI,KAAK,CAAC,gCAAgC,aAAa,EAAE,CAAC,CAAC;IACnE,CAAC;IAED,iBAAiB,GAAG,MAAM,CAAC,IAAI,CAAC;IAChC,IAAA,gBAAO,EAAC,6CAA6C,CAAC,CAAC;IACvD,OAAO,MAAM,CAAC,IAAI,CAAC;AACrB,CAAC;AAOD,MAAa,kBAAmB,SAAQ,KAAK;IAC3B,QAAQ,CAAS;IAEjC,YAAY,QAAgB;QAC1B,KAAK,CAAC,gCAAgC,CAAC,CAAC;QACxC,IAAI,CAAC,IAAI,GAAG,oBAAoB,CAAC;QACjC,IAAI,CAAC,QAAQ,GAAG,QAAQ,CAAC;IAC3B,CAAC;CACF;AARD,gDAQC;AAGD,MAAM,sBAAsB,GAAG;;;;;;;;;;;;;;;;;CAiB9B,CAAC;AAQF,SAAgB,oBAAoB;IAClC,IAAI,CAAC,OAAO,CAAC,GAAG,CAAC,YAAY,EAAE,CAAC;QAC9B,MAAM,IAAI,kBAAkB,CAAC,sBAAsB,CAAC,CAAC;IACvD,CAAC;IACD,IAAA,iBAAQ,EAAC,4CAA4C,CAAC,CAAC;AACzD,CAAC;AAOD,SAAgB,cAAc;IAC5B,OAAO,eAAe,EAAE,KAAK,IAAI,CAAC;AACpC,CAAC;AAKD,SAAgB,qBAAqB;IACnC,iBAAiB,GAAG,SAAS,CAAC;AAChC,CAAC;AAOD,SAAgB,sBAAsB;IACpC,IAAI,cAAc,EAAE,EAAE,CAAC;QACrB,OAAO,6DAA6D,CAAC;IACvE,CAAC;IACD,IAAI,OAAO,CAAC,GAAG,CAAC,YAAY,EAAE,CAAC;QAC7B,OAAO,yCAAyC,CAAC;IACnD,CAAC;IACD,OAAO,yEAAyE,CAAC;AACnF,CAAC;AAOD,SAAgB,uBAAuB;IACrC,OAAO,CAAC,CAAC,OAAO,CAAC,GAAG,CAAC,YAAY,CAAC;AACpC,CAAC;AAOD,SAAgB,0BAA0B;IACxC,OAAO,cAAc,EAAE,IAAI,uBAAuB,EAAE,CAAC;AACvD,CAAC"}
+{"version":3,"file":"config.js","sourceRoot":"","sources":["../../../src/oauth/config.ts"],"names":[],"mappings":";;;AAqDA,0CAoCC;AA2CD,oDAKC;AAOD,wCAEC;AAKD,sDAEC;AAOD,wDAQC;AAOD,0DAEC;AAOD,gEAEC;AAnLD,6BAAwB;AACxB,sCAA8C;AAM9C,MAAM,iBAAiB,GAAG,OAAC,CAAC,MAAM,CAAC;IAEjC,OAAO,EAAE,OAAC,CAAC,OAAO,CAAC,IAAI,CAAC;IAExB,aAAa,EAAE,OAAC,CAAC,MAAM,EAAE,CAAC,GAAG,CAAC,EAAE,EAAE,qDAAqD,CAAC;IAExF,cAAc,EAAE,OAAC,CAAC,MAAM,EAAE,CAAC,GAAG,CAAC,CAAC,EAAE,oCAAoC,CAAC;IAEvE,kBAAkB,EAAE,OAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,EAAE;IAEzC,YAAY,EAAE,OAAC,CAAC,MAAM,EAAE,CAAC,OAAO,CAAC,eAAe,CAAC;IAEjD,QAAQ,EAAE,OAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,EAAE,CAAC,OAAO,CAAC,IAAI,CAAC;IAE7C,eAAe,EAAE,OAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,EAAE,CAAC,OAAO,CAAC,MAAM,CAAC;IAEtD,kBAAkB,EAAE,OAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,EAAE,CAAC,OAAO,CAAC,CAAC,CAAC;IAEpD,aAAa,EAAE,OAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,EAAE,CAAC,OAAO,CAAC,GAAG,CAAC;CAClD,CAAC,CAAC;AAUH,IAAI,iBAAiB,GAAmC,SAAS,CAAC;AAUlE,SAAgB,eAAe;IAE7B,IAAI,iBAAiB,KAAK,SAAS,EAAE,CAAC;QACpC,OAAO,iBAAiB,CAAC;IAC3B,CAAC;IAGD,IAAI,OAAO,CAAC,GAAG,CAAC,aAAa,KAAK,MAAM,EAAE,CAAC;QACzC,iBAAiB,GAAG,IAAI,CAAC;QACzB,IAAA,iBAAQ,EAAC,gDAAgD,CAAC,CAAC;QAC3D,OAAO,IAAI,CAAC;IACd,CAAC;IAGD,MAAM,MAAM,GAAG,iBAAiB,CAAC,SAAS,CAAC;QACzC,OAAO,EAAE,IAAa;QACtB,aAAa,EAAE,OAAO,CAAC,GAAG,CAAC,oBAAoB;QAC/C,cAAc,EAAE,OAAO,CAAC,GAAG,CAAC,sBAAsB;QAClD,kBAAkB,EAAE,OAAO,CAAC,GAAG,CAAC,0BAA0B;QAC1D,YAAY,EAAE,OAAO,CAAC,GAAG,CAAC,mBAAmB,IAAI,eAAe;QAChE,QAAQ,EAAE,QAAQ,CAAC,OAAO,CAAC,GAAG,CAAC,eAAe,IAAI,MAAM,EAAE,EAAE,CAAC;QAC7D,eAAe,EAAE,QAAQ,CAAC,OAAO,CAAC,GAAG,CAAC,uBAAuB,IAAI,QAAQ,EAAE,EAAE,CAAC;QAC9E,kBAAkB,EAAE,QAAQ,CAAC,OAAO,CAAC,GAAG,CAAC,0BAA0B,IAAI,GAAG,EAAE,EAAE,CAAC;QAC/E,aAAa,EAAE,QAAQ,CAAC,OAAO,CAAC,GAAG,CAAC,oBAAoB,IAAI,KAAK,EAAE,EAAE,CAAC;KACvE,CAAC,CAAC;IAEH,IAAI,CAAC,MAAM,CAAC,OAAO,EAAE,CAAC;QACpB,MAAM,aAAa,GAAG,MAAM,CAAC,KAAK,CAAC,MAAM;aACtC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,GAAG,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,GAAG,CAAC,KAAK,CAAC,CAAC,OAAO,EAAE,CAAC;aAC/C,IAAI,CAAC,IAAI,CAAC,CAAC;QACd,MAAM,IAAI,KAAK,CAAC,gCAAgC,aAAa,EAAE,CAAC,CAAC;IACnE,CAAC;IAED,iBAAiB,GAAG,MAAM,CAAC,IAAI,CAAC;IAChC,IAAA,gBAAO,EAAC,6CAA6C,CAAC,CAAC;IACvD,OAAO,MAAM,CAAC,IAAI,CAAC;AACrB,CAAC;AAOD,MAAa,kBAAmB,SAAQ,KAAK;IAC3B,QAAQ,CAAS;IAEjC,YAAY,QAAgB;QAC1B,KAAK,CAAC,gCAAgC,CAAC,CAAC;QACxC,IAAI,CAAC,IAAI,GAAG,oBAAoB,CAAC;QACjC,IAAI,CAAC,QAAQ,GAAG,QAAQ,CAAC;IAC3B,CAAC;CACF;AARD,gDAQC;AAGD,MAAM,sBAAsB,GAAG;;;;;;;;;;;;;;;;;CAiB9B,CAAC;AAQF,SAAgB,oBAAoB;IAClC,IAAI,CAAC,OAAO,CAAC,GAAG,CAAC,YAAY,EAAE,CAAC;QAC9B,MAAM,IAAI,kBAAkB,CAAC,sBAAsB,CAAC,CAAC;IACvD,CAAC;IACD,IAAA,iBAAQ,EAAC,4CAA4C,CAAC,CAAC;AACzD,CAAC;AAOD,SAAgB,cAAc;IAC5B,OAAO,eAAe,EAAE,KAAK,IAAI,CAAC;AACpC,CAAC;AAKD,SAAgB,qBAAqB;IACnC,iBAAiB,GAAG,SAAS,CAAC;AAChC,CAAC;AAOD,SAAgB,sBAAsB;IACpC,IAAI,cAAc,EAAE,EAAE,CAAC;QACrB,OAAO,6DAA6D,CAAC;IACvE,CAAC;IACD,IAAI,OAAO,CAAC,GAAG,CAAC,YAAY,EAAE,CAAC;QAC7B,OAAO,yCAAyC,CAAC;IACnD,CAAC;IACD,OAAO,yEAAyE,CAAC;AACnF,CAAC;AAOD,SAAgB,uBAAuB;IACrC,OAAO,CAAC,CAAC,OAAO,CAAC,GAAG,CAAC,YAAY,CAAC;AACpC,CAAC;AAOD,SAAgB,0BAA0B;IACxC,OAAO,cAAc,EAAE,IAAI,uBAAuB,EAAE,CAAC;AACvD,CAAC"}

package/dist/src/oauth/endpoints/authorize.d.ts

@@ -1,3 +1,3 @@
-import { Request, Response } from "express";
+import { Request, Response } from 'express';
 export declare function authorizeHandler(req: Request, res: Response): Promise<void>;
 export declare function pollHandler(req: Request, res: Response): Promise<void>;

package/dist/src/oauth/endpoints/authorize.js

@@ -13,31 +13,31 @@ const request_logger_1 = require("../../utils/request-logger");
 async function authorizeHandler(req, res) {
     const config = (0, config_1.loadOAuthConfig)();
     if (!config) {
-        sendError(req, res, 500, "server_error", "OAuth not configured");
+        sendError(req, res, 500, 'server_error', 'OAuth not configured');
         return;
     }
     const { client_id, redirect_uri, response_type, state, code_challenge, code_challenge_method } = req.query;
-    if (response_type !== "code") {
-        sendError(req, res, 400, "unsupported_response_type", 'Only "code" response type is supported');
+    if (response_type !== 'code') {
+        sendError(req, res, 400, 'unsupported_response_type', 'Only "code" response type is supported');
         return;
     }
     if (!client_id) {
-        sendError(req, res, 400, "invalid_request", "client_id is required");
+        sendError(req, res, 400, 'invalid_request', 'client_id is required');
         return;
     }
     if (!code_challenge) {
-        sendError(req, res, 400, "invalid_request", "code_challenge is required (PKCE)");
+        sendError(req, res, 400, 'invalid_request', 'code_challenge is required (PKCE)');
         return;
     }
-    if (code_challenge_method !== "S256") {
-        sendError(req, res, 400, "invalid_request", 'code_challenge_method must be "S256"');
+    if (code_challenge_method !== 'S256') {
+        sendError(req, res, 400, 'invalid_request', 'code_challenge_method must be "S256"');
         return;
     }
     if (redirect_uri) {
         await handleAuthorizationCodeFlow(req, res, config, {
             clientId: client_id,
             redirectUri: redirect_uri,
-            state: state ?? "",
+            state: state ?? '',
             codeChallenge: code_challenge,
             codeChallengeMethod: code_challenge_method,
         });
@@ -45,7 +45,7 @@ async function authorizeHandler(req, res) {
     else {
         await handleDeviceFlow(req, res, config, {
             clientId: client_id,
-            state: state ?? "",
+            state: state ?? '',
             codeChallenge: code_challenge,
             codeChallengeMethod: code_challenge_method,
         });
@@ -66,7 +66,7 @@ async function handleAuthorizationCodeFlow(req, res, config, params) {
         expiresAt: Date.now() + 10 * 60 * 1000,
     });
     const gitlabAuthUrl = (0, gitlab_device_flow_1.buildGitLabAuthUrl)(config, callbackUri, internalState);
-    (0, logger_1.logInfo)("Authorization Code Flow initiated, redirecting to GitLab", {
+    (0, logger_1.logInfo)('Authorization Code Flow initiated, redirecting to GitLab', {
         internalState: (0, logger_1.truncateId)(internalState),
         clientRedirectUri: params.redirectUri,
     });
@@ -89,7 +89,7 @@ async function handleDeviceFlow(req, res, config, params) {
             state: params.state,
             redirectUri: undefined,
         });
-        (0, logger_1.logInfo)("Device flow initiated for authorization", {
+        (0, logger_1.logInfo)('Device flow initiated for authorization', {
             flowState: (0, logger_1.truncateId)(flowState),
             userCode: deviceResponse.user_code,
         });
@@ -102,37 +102,37 @@ async function handleDeviceFlow(req, res, config, params) {
             pollUrl: `${baseUrl}/oauth/poll`,
             expiresIn: deviceResponse.expires_in,
         });
-        res.setHeader("Content-Type", "text/html");
+        res.setHeader('Content-Type', 'text/html');
         res.send(html);
     }
     catch (error) {
-        (0, logger_1.logError)("Failed to initiate device flow", { err: error });
-        sendError(req, res, 500, "server_error", "Failed to initiate authentication");
+        (0, logger_1.logError)('Failed to initiate device flow', { err: error });
+        sendError(req, res, 500, 'server_error', 'Failed to initiate authentication');
     }
 }
 async function pollHandler(req, res) {
     const config = (0, config_1.loadOAuthConfig)();
     if (!config) {
-        res.status(500).json({ error: "server_error" });
+        res.status(500).json({ error: 'server_error' });
         return;
     }
     const { flow_state } = req.query;
     if (!flow_state) {
         res
             .status(400)
-            .json({ status: "failed", error: "Missing flow_state" });
+            .json({ status: 'failed', error: 'Missing flow_state' });
         return;
     }
     const flow = session_store_1.sessionStore.getDeviceFlow(flow_state);
     if (!flow) {
-        res.status(400).json({ status: "expired", error: "Flow not found" });
+        res.status(400).json({ status: 'expired', error: 'Flow not found' });
         return;
     }
     if (Date.now() > flow.expiresAt) {
         session_store_1.sessionStore.deleteDeviceFlow(flow_state);
         res
             .status(400)
-            .json({ status: "expired", error: "Device code expired" });
+            .json({ status: 'expired', error: 'Device code expired' });
         return;
     }
     try {
@@ -153,8 +153,8 @@ async function pollHandler(req, res) {
             });
             session_store_1.sessionStore.createSession({
                 id: sessionId,
-                mcpAccessToken: "",
-                mcpRefreshToken: "",
+                mcpAccessToken: '',
+                mcpRefreshToken: '',
                 mcpTokenExpiry: 0,
                 gitlabAccessToken: tokenResponse.access_token,
                 gitlabRefreshToken: tokenResponse.refresh_token,
@@ -164,18 +164,18 @@ async function pollHandler(req, res) {
                 gitlabApiUrl: flow.selectedInstance ?? config_2.GITLAB_BASE_URL,
                 instanceLabel: flow.selectedInstanceLabel,
                 clientId: flow.clientId,
-                scopes: ["mcp:tools", "mcp:resources"],
+                scopes: ['mcp:tools', 'mcp:resources'],
                 createdAt: now,
                 updatedAt: now,
             });
             session_store_1.sessionStore.deleteDeviceFlow(flow_state);
-            (0, logger_1.logInfo)("Device flow authorization completed", {
+            (0, logger_1.logInfo)('Device flow authorization completed', {
                 sessionId: (0, logger_1.truncateId)(sessionId),
                 userId: userInfo.id,
                 username: userInfo.username,
             });
             const response = {
-                status: "complete",
+                status: 'complete',
                 redirect_uri: flow.redirectUri,
                 code: authCode,
                 state: flow.state ? flow.state : undefined,
@@ -183,25 +183,25 @@ async function pollHandler(req, res) {
             res.json(response);
         }
         else {
-            res.json({ status: "pending" });
+            res.json({ status: 'pending' });
         }
     }
     catch (error) {
-        const message = error instanceof Error ? error.message : "Unknown error";
-        if (message.includes("expired") || message.includes("denied") || message.includes("invalid")) {
+        const message = error instanceof Error ? error.message : 'Unknown error';
+        if (message.includes('expired') || message.includes('denied') || message.includes('invalid')) {
             session_store_1.sessionStore.deleteDeviceFlow(flow_state);
-            res.json({ status: "failed", error: message });
+            res.json({ status: 'failed', error: message });
         }
         else {
-            (0, logger_1.logWarn)("Device flow poll error", { err: error });
-            res.json({ status: "pending" });
+            (0, logger_1.logWarn)('Device flow poll error', { err: error });
+            res.json({ status: 'pending' });
         }
     }
 }
 function sendError(req, res, status, error, description) {
-    (0, logger_1.logWarn)("OAuth authorize request failed", {
-        event: "oauth_error",
-        endpoint: "/authorize",
+    (0, logger_1.logWarn)('OAuth authorize request failed', {
+        event: 'oauth_error',
+        endpoint: '/authorize',
         ip: (0, request_logger_1.getIpAddress)(req),
         error,
         description,

package/dist/src/oauth/endpoints/callback.d.ts

@@ -1,2 +1,2 @@
-import { Request, Response } from "express";
+import { Request, Response } from 'express';
 export declare function callbackHandler(req: Request, res: Response): Promise<void>;