@zereight/mcp-gitlab 2.0.2 → 2.0.4

package/build/{src/schemas.js → schemas.js}

@@ -20,7 +20,7 @@ export const GitLabPipelineSchema = z.object({
     duration: z.number().nullable().optional(),
     started_at: z.string().nullable().optional(),
     finished_at: z.string().nullable().optional(),
-    coverage: z.number().nullable().optional(),
+    coverage: z.coerce.number().nullable().optional(),
     user: z
         .object({
         id: z.coerce.string(),
@@ -58,7 +58,7 @@ export const GitLabPipelineJobSchema = z.object({
     name: z.string(),
     ref: z.string(),
     tag: flexibleBoolean,
-    coverage: z.number().nullable().optional(),
+    coverage: z.coerce.number().nullable().optional(),
     created_at: z.string(),
     started_at: z.string().nullable().optional(),
     finished_at: z.string().nullable().optional(),
@@ -1578,7 +1578,6 @@ export const GetCommitDiffSchema = z.object({
     project_id: z.coerce.string().describe("Project ID or complete URL-encoded path to project"),
     sha: z.string().describe("The commit hash or name of a repository branch or tag"),
 });
-export const GetCurrentUserSchema = z.object({});
 // Schema for listing issues assigned to the current user
 export const MyIssuesSchema = z.object({
     project_id: z.string().optional().describe("Project ID or URL-encoded path (optional when GITLAB_PROJECT_ID is set)"),

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@zereight/mcp-gitlab",
-  "version": "2.0.2",
+  "version": "2.0.4",
   "description": "MCP server for using the GitLab API",
   "license": "MIT",
   "author": "zereight",
@@ -20,9 +20,7 @@
     "prepare": "npm run build",
     "dev": "npm run build && node build/index.js",
     "watch": "tsc --watch",
-    "npm:deploy": "npm publish --access public",
-    "npm:deploy:beta": "npm publish --access public --tag beta",
-    "generate-tools": "npx ts-node scripts/generate-tools-readme.ts",
+    "deploy": "npm publish --access public",
     "changelog": "auto-changelog -p",
     "test": "node test/validate-api.js",
     "test:integration": "node test/validate-api.js",
@@ -33,11 +31,8 @@
     "format:check": "prettier --check \"**/*.{js,ts,json,md}\""
   },
   "dependencies": {
-    "@modelcontextprotocol/sdk": "1.13.3",
-    "@noble/hashes": "^1.8.0",
-    "@types/better-sqlite3": "^7.6.13",
+    "@modelcontextprotocol/sdk": "^1.10.0",
     "@types/node-fetch": "^2.6.12",
-    "better-sqlite3": "^12.2.0",
     "express": "^5.1.0",
     "fetch-cookie": "^3.1.0",
     "form-data": "^4.0.0",
@@ -47,7 +42,6 @@
     "pino": "^9.7.0",
     "pino-pretty": "^13.0.0",
     "socks-proxy-agent": "^8.0.5",
-    "sqlite3": "^5.1.7",
     "tough-cookie": "^5.1.2",
     "zod-to-json-schema": "^3.23.5"
   },

package/build/scripts/generate-tools-readme.js

@@ -1,41 +0,0 @@
-import fs from "fs";
-import path from "path";
-import { fileURLToPath } from "url";
-const __filename = fileURLToPath(import.meta.url);
-const __dirname = path.dirname(__filename);
-async function main() {
-    const repoRoot = path.resolve(__dirname, "..");
-    const indexPath = path.join(repoRoot, "index.ts");
-    const readmePath = path.join(repoRoot, "README.md");
-    // 1. Read index.ts
-    const code = fs.readFileSync(indexPath, "utf-8");
-    // 2. Extract allTools array block
-    const match = code.match(/const allTools = \[([\s\S]*?)\];/);
-    if (!match) {
-        console.error("Unable to locate allTools array in index.ts");
-        process.exit(1);
-    }
-    const toolsBlock = match[1];
-    // 3. Parse tool entries
-    const toolRegex = /name:\s*"([^"]+)",[\s\S]*?description:\s*"([^"]+)"/g;
-    const tools = [];
-    let m;
-    while ((m = toolRegex.exec(toolsBlock)) !== null) {
-        tools.push({ name: m[1], description: m[2] });
-    }
-    // 4. Generate markdown
-    const lines = tools.map((tool, index) => {
-        return `${index + 1}. \`${tool.name}\` - ${tool.description}`;
-    });
-    const markdown = lines.join("\n");
-    // 5. Read README.md and replace between markers
-    const readme = fs.readFileSync(readmePath, "utf-8");
-    const updated = readme.replace(/<!-- TOOLS-START -->([\s\S]*?)<!-- TOOLS-END -->/, `<!-- TOOLS-START -->\n${markdown}\n<!-- TOOLS-END -->`);
-    // 6. Write back
-    fs.writeFileSync(readmePath, updated, "utf-8");
-    console.log("README.md tools section updated.");
-}
-main().catch(err => {
-    console.error(err);
-    process.exit(1);
-});

package/build/src/argon2wrapper.js

@@ -1,68 +0,0 @@
-import { argon2id } from '@noble/hashes/argon2';
-import { bytesToHex, hexToBytes, utf8ToBytes } from '@noble/hashes/utils';
-import { randomBytes } from 'crypto';
-// Default options similar to @node-rs/argon2
-const DEFAULT_OPTIONS = {
-    t: 3, // iterations
-    m: 65536, // 64MB memory
-    p: 4, // parallelism
-    maxmem: 2 ** 32 - 1
-};
-/**
- * Hash a password using argon2id
- */
-export async function hash(password, options) {
-    const salt = options?.salt || randomBytes(16);
-    const passwordBytes = utf8ToBytes(password);
-    const hashBytes = argon2id(passwordBytes, salt, DEFAULT_OPTIONS);
-    // Store salt and hash together for verification later
-    // Format: salt:hash (both as hex)
-    return `${bytesToHex(salt)}:${bytesToHex(hashBytes)}`;
-}
-/**
- * Synchronous version of hash
- */
-export function hashSync(password, options) {
-    const salt = options?.salt || randomBytes(16);
-    const passwordBytes = utf8ToBytes(password);
-    const hashBytes = argon2id(passwordBytes, salt, DEFAULT_OPTIONS);
-    // Store salt and hash together for verification later
-    // Format: salt:hash (both as hex)
-    return `${bytesToHex(salt)}:${bytesToHex(hashBytes)}`;
-}
-/**
- * Verify a password against a hash
- */
-export async function verify(storedHash, password, options) {
-    try {
-        // If options.salt is provided, it means we're using the old format
-        // where salt was provided separately
-        if (options?.salt) {
-            const passwordBytes = utf8ToBytes(password);
-            const hashBytes = argon2id(passwordBytes, options.salt, DEFAULT_OPTIONS);
-            const newHash = bytesToHex(hashBytes);
-            // storedHash might be just the hash part without salt prefix
-            const hashPart = storedHash.includes(':') ? storedHash.split(':')[1] : storedHash;
-            return newHash === hashPart;
-        }
-        // New format: salt:hash
-        const [saltHex, hashHex] = storedHash.split(':');
-        if (!saltHex || !hashHex) {
-            return false;
-        }
-        const salt = hexToBytes(saltHex);
-        const passwordBytes = utf8ToBytes(password);
-        const computedHashBytes = argon2id(passwordBytes, salt, DEFAULT_OPTIONS);
-        const computedHashHex = bytesToHex(computedHashBytes);
-        return computedHashHex === hashHex;
-    }
-    catch (error) {
-        return false;
-    }
-}
-// Export as default object to match @node-rs/argon2 interface
-export default {
-    hash,
-    hashSync,
-    verify
-};

package/build/src/authentication.js

@@ -1,78 +0,0 @@
-import { requireBearerAuth } from '@modelcontextprotocol/sdk/server/auth/middleware/bearerAuth.js';
-import { config } from './config.js';
-import { createGitLabOAuthProvider } from './oauth.js';
-import { logger } from './logger.js';
-/**
- * Configure authentication middleware based on the configuration
- * Supports OAuth2, PAT passthrough, and static PAT modes
- */
-export async function configureAuthentication(app) {
-    // Default middleware that does nothing
-    let authMiddleware = undefined;
-    // OAuth2 mode
-    if (config.GITLAB_OAUTH2_CLIENT_ID) {
-        logger.warn("Configuring GitLab OAuth2 proxy authentication");
-        logger.warn("Please note that GitLab OAuth2 proxy authentication is not yet fully supported. Use this feature at your own risk");
-        // Create the provider
-        const provider = await createGitLabOAuthProvider();
-        // Add the callback handler route BEFORE the OAuth router
-        app.get("/callback", (req, res) => provider.handleOAuthCallback(req, res));
-        // Set up OAuth2 proxy router
-        const oauth2Router = provider.createOAuth2Router();
-        app.use(oauth2Router);
-        // Create token verifier and bearer auth middleware
-        const tokenVerifier = provider.createTokenVerifier();
-        const bearerAuthMiddleware = requireBearerAuth({
-            verifier: tokenVerifier,
-            resourceMetadataUrl: `${config.GITLAB_OAUTH2_BASE_URL}/.well-known/oauth-protected-resource`
-        });
-        authMiddleware = (req, res, next) => {
-            // Ensure GitLab-Token header is not set in OAuth2 mode
-            const gitlabToken = req.headers["gitlab-token"];
-            if (gitlabToken) {
-                res.status(401).send("Gitlab-Token header must not be set when MCP is running in OAuth2 mode");
-                return;
-            }
-            bearerAuthMiddleware(req, res, next);
-        };
-    }
-    // PAT passthrough mode
-    else if (config.GITLAB_PAT_PASSTHROUGH) {
-        logger.info("Configuring GitLab PAT passthrough authentication. Users must set the Gitlab-Token header in their requests");
-        authMiddleware = (req, res, next) => {
-            // Check the Gitlab-Token header
-            const token = req.headers["gitlab-token"];
-            if (!token) {
-                res.status(401).send("Please set a Gitlab-Token header in your request");
-                return;
-            }
-            if (typeof token !== "string") {
-                res.status(401).send("Gitlab-Token must only be set once");
-                return;
-            }
-            req.auth = {
-                token: token,
-                clientId: "!passthrough",
-                scopes: [],
-            };
-            next();
-        };
-    }
-    // Static PAT mode
-    else if (config.GITLAB_PERSONAL_ACCESS_TOKEN) {
-        logger.info("Configuring static GitLab Personal Access Token authentication");
-        const accessToken = config.GITLAB_PERSONAL_ACCESS_TOKEN;
-        authMiddleware = (req, res, next) => {
-            req.auth = {
-                token: accessToken,
-                clientId: "!global",
-                scopes: [],
-            };
-            next();
-        };
-    }
-    if (authMiddleware === undefined) {
-        throw new Error("No authMiddleware configured. This is a bug. Please report it.");
-    }
-    return authMiddleware;
-}

package/build/src/authhelpers.js

@@ -1,44 +0,0 @@
-import { config } from "./config.js";
-import { CookieJar, parse as parseCookie } from "tough-cookie";
-import fs from "fs";
-import path from "path";
-// Create cookie jar with clean Netscape file parsing
-export const createCookieJar = () => {
-    if (!config.GITLAB_AUTH_COOKIE_PATH)
-        return undefined;
-    try {
-        const cookiePath = config.GITLAB_AUTH_COOKIE_PATH.startsWith("~/")
-            ? path.join(process.env.HOME || "", config.GITLAB_AUTH_COOKIE_PATH.slice(2))
-            : config.GITLAB_AUTH_COOKIE_PATH;
-        const jar = new CookieJar();
-        const cookieContent = fs.readFileSync(cookiePath, "utf8");
-        cookieContent.split("\n").forEach(line => {
-            // Handle #HttpOnly_ prefix
-            if (line.startsWith("#HttpOnly_")) {
-                line = line.slice(10);
-            }
-            // Skip comments and empty lines
-            if (line.startsWith("#") || !line.trim()) {
-                return;
-            }
-            // Parse Netscape format: domain, flag, path, secure, expires, name, value
-            const parts = line.split("\t");
-            if (parts.length >= 7) {
-                const [domain, , path, secure, expires, name, value] = parts;
-                // Build cookie string in standard format
-                const cookieStr = `${name}=${value}; Domain=${domain}; Path=${path}${secure === "TRUE" ? "; Secure" : ""}${expires !== "0" ? `; Expires=${new Date(parseInt(expires) * 1000).toUTCString()}` : ""}`;
-                // Use tough-cookie's parse function for robust parsing
-                const cookie = parseCookie(cookieStr);
-                if (cookie) {
-                    const url = `${secure === "TRUE" ? "https" : "http"}://${domain.startsWith(".") ? domain.slice(1) : domain}`;
-                    jar.setCookieSync(cookie, url);
-                }
-            }
-        });
-        return jar;
-    }
-    catch (error) {
-        console.error("Error loading cookie file:", error);
-        return undefined;
-    }
-};

package/build/src/config.js

@@ -1,99 +0,0 @@
-export const unsafeDefaultArgon2Salt = "change-me-in-production";
-export const config = {
-    HOST: process.env.HOST || '127.0.0.1',
-    PORT: process.env.PORT || 3002,
-    SSE: process.env.SSE === "true",
-    STREAMABLE_HTTP: process.env.STREAMABLE_HTTP === "true",
-    IS_OLD: process.env.GITLAB_IS_OLD === "true",
-    GITLAB_READ_ONLY_MODE: process.env.GITLAB_READ_ONLY_MODE === "true",
-    USE_GITLAB_WIKI: process.env.USE_GITLAB_WIKI === "true",
-    USE_MILESTONE: process.env.USE_MILESTONE === "true",
-    USE_PIPELINE: process.env.USE_PIPELINE === "true",
-    // Add proxy configuration
-    HTTP_PROXY: process.env.HTTP_PROXY,
-    HTTPS_PROXY: process.env.HTTPS_PROXY,
-    NODE_TLS_REJECT_UNAUTHORIZED: process.env.NODE_TLS_REJECT_UNAUTHORIZED,
-    GITLAB_CA_CERT_PATH: process.env.GITLAB_CA_CERT_PATH,
-    // Use the normalizeGitLabApiUrl function to handle various URL formats
-    GITLAB_API_URL: normalizeGitLabApiUrl(process.env.GITLAB_API_URL || undefined),
-    GITLAB_PROJECT_ID: process.env.GITLAB_PROJECT_ID,
-    ARGON2_SALT: process.env.ARGON2_SALT || unsafeDefaultArgon2Salt,
-    // Configure cookie auth path, for gitlab instances which require it
-    // TODO: investigate the consequences of this with oauth2 and pat passthrough. should it only be used in PAT mode and not passthrough?
-    GITLAB_AUTH_COOKIE_PATH: process.env.GITLAB_AUTH_COOKIE_PATH,
-    // only one of GITLAB_PERSONAL_ACCESS_TOKEN, GITLAB_OAUTH2_CLIENT_ID, GITLAB_PAT_PASSTHROUGH
-    // Gitlab PAT configuration. use this PAT to authenticate all requests
-    GITLAB_PERSONAL_ACCESS_TOKEN: process.env.GITLAB_PERSONAL_ACCESS_TOKEN,
-    // Gitlab PAT passthrough. pass through the PRIVATE-TOKEN header to make the request to the Gitlab API
-    // should be "true" to enable
-    GITLAB_PAT_PASSTHROUGH: process.env.GITLAB_PAT_PASSTHROUGH === "true",
-    // GitLab OAuth2 configuration
-    GITLAB_OAUTH2_CLIENT_ID: process.env.GITLAB_OAUTH2_CLIENT_ID,
-    GITLAB_OAUTH2_CLIENT_SECRET: process.env.GITLAB_OAUTH2_CLIENT_SECRET,
-    GITLAB_OAUTH2_REDIRECT_URL: process.env.GITLAB_OAUTH2_REDIRECT_URL,
-    // we need a database in order for the oauth2 provider to persist clients across restarts.
-    GITLAB_OAUTH2_DB_PATH: process.env.GITLAB_OAUTH2_DB_PATH || ":memory:",
-    // base url matters for the redirect url, i think?
-    GITLAB_OAUTH2_BASE_URL: process.env.GITLAB_OAUTH2_BASE_URL, // http://localhost:3002
-    // TODO: maybe thse can be formed based off of the ISSUER_URL? im not sure... (could introduce problems if gitlab ever changes these endpoints, though i doubt they will)
-    GITLAB_OAUTH2_TOKEN_URL: process.env.GITLAB_OAUTH2_TOKEN_URL, // https://gitlab.com/oauth/token
-    GITLAB_OAUTH2_AUTHORIZATION_URL: process.env.GITLAB_OAUTH2_AUTHORIZATION_URL, // https://gitlab.com/oauth/authorize
-    GITLAB_OAUTH2_REVOCATION_URL: process.env.GITLAB_OAUTH2_REVOCATION_URL, // https://gitlab.com/oauth/revoke
-    GITLAB_OAUTH2_INTROSPECTION_URL: process.env.GITLAB_OAUTH2_INTROSPECTION_URL, // https://gitlab.com/oauth/introspect
-    GITLAB_OAUTH2_REGISTRATION_URL: process.env.GITLAB_OAUTH2_REGISTRATION_URL, // ?
-    GITLAB_OAUTH2_ISSUER_URL: process.env.GITLAB_OAUTH2_ISSUER_URL, // https://gitlab.com
-};
-export const validateConfiguration = () => {
-    // Check if using default ARGON2_SALT
-    if (config.ARGON2_SALT === unsafeDefaultArgon2Salt) {
-        console.error('\n' + '='.repeat(80));
-        console.error('⚠️  WARNING: USING DEFAULT ARGON2_SALT VALUE!');
-        console.error('='.repeat(80));
-        console.error('');
-        console.error('You are using the default ARGON2_SALT value which is INSECURE.');
-        console.error('This salt is publicly known and makes your password hashes vulnerable.');
-        console.error('');
-        console.error('Please set the ARGON2_SALT environment variable to a unique, random value:');
-        console.error('  export ARGON2_SALT="your-unique-random-salt-here"');
-        console.error('');
-        console.error('You can generate a secure salt with:');
-        console.error('  openssl rand -base64 32');
-        console.error('');
-        console.error('='.repeat(80) + '\n');
-    }
-    // check that only one of GITLAB_PERSONAL_ACCESS_TOKEN, GITLAB_OAUTH2_CLIENT_ID, GITLAB_PAT_PASSTHROUGH is set
-    const onlyOnOf = [
-        config.GITLAB_PERSONAL_ACCESS_TOKEN,
-        config.GITLAB_OAUTH2_CLIENT_ID,
-        config.GITLAB_PAT_PASSTHROUGH
-    ];
-    const countOfSet = onlyOnOf.filter(x => !!x).length;
-    const allVariableNames = "GITLAB_PERSONAL_ACCESS_TOKEN, GITLAB_OAUTH2_CLIENT_ID, GITLAB_PAT_PASSTHROUGH";
-    if (countOfSet == 0) {
-        console.error(`One of the following variables must be set: ${allVariableNames}`);
-        process.exit(1);
-    }
-    if (countOfSet > 1) {
-        console.error(`Only one of the following variables can be set: ${allVariableNames}`);
-        process.exit(1);
-    }
-};
-/**
- * Smart URL handling for GitLab API
- *
- * @param {string | undefined} url - Input GitLab API URL
- * @returns {string} Normalized GitLab API URL with /api/v4 path
- */
-function normalizeGitLabApiUrl(url) {
-    if (!url) {
-        return "https://gitlab.com/api/v4";
-    }
-    // Remove trailing slash if present
-    let normalizedUrl = url.endsWith("/") ? url.slice(0, -1) : url;
-    // Check if URL already has /api/v4
-    if (!normalizedUrl.endsWith("/api/v4") && !normalizedUrl.endsWith("/api/v4/")) {
-        // Append /api/v4 if not already present
-        normalizedUrl = `${normalizedUrl}/api/v4`;
-    }
-    return normalizedUrl;
-}