@zereight/mcp-gitlab 2.0.21 → 2.0.23

package/README.md

@@ -6,12 +6,8 @@
 
 ## @zereight/mcp-gitlab
 
-[![smithery badge](https://smithery.ai/badge/@zereight/gitlab-mcp)](https://smithery.ai/server/@zereight/gitlab-mcp)
-
 GitLab MCP(Model Context Protocol) Server. **Includes bug fixes and improvements over the original GitLab MCP server.**
 
-<a href="https://glama.ai/mcp/servers/7jwbk4r6d7"><img width="380" height="200" src="https://glama.ai/mcp/servers/7jwbk4r6d7/badge" alt="gitlab mcp MCP server" /></a>
-
 ## Usage
 
 ### Using with Claude App, Cline, Roo Code, Cursor, Kilo Code
@@ -94,6 +90,38 @@ Then configure the MCP server with OAuth:
 }
 ```
 
+#### Using CLI Arguments (for clients with env var issues)
+
+Some MCP clients (like GitHub Copilot CLI) have issues with environment variables. Use CLI arguments instead:
+
+```json
+{
+  "mcpServers": {
+    "gitlab": {
+      "command": "npx",
+      "args": [
+        "-y",
+        "@zereight/mcp-gitlab",
+        "--token=YOUR_GITLAB_TOKEN",
+        "--api-url=https://gitlab.com/api/v4"
+      ],
+      "tools": ["*"]
+    }
+  }
+}
+```
+
+**Available CLI arguments:**
+
+- `--token` - GitLab Personal Access Token (replaces `GITLAB_PERSONAL_ACCESS_TOKEN`)
+- `--api-url` - GitLab API URL (replaces `GITLAB_API_URL`)
+- `--read-only=true` - Enable read-only mode (replaces `GITLAB_READ_ONLY_MODE`)
+- `--use-wiki=true` - Enable wiki API (replaces `USE_GITLAB_WIKI`)
+- `--use-milestone=true` - Enable milestone API (replaces `USE_MILESTONE`)
+- `--use-pipeline=true` - Enable pipeline API (replaces `USE_PIPELINE`)
+
+CLI arguments take precedence over environment variables.
+
 #### vscode .vscode/mcp.json
 
 **Using OAuth2 (Non-Confidential - Recommended):**
@@ -491,7 +519,7 @@ The token is stored per session (identified by `mcp-session-id` header) and reus
 67. `play_pipeline_job` - Run a manual pipeline job
 68. `retry_pipeline_job` - Retry a failed or canceled pipeline job
 69. `cancel_pipeline_job` - Cancel a running pipeline job
-70. `list_merge_requests` - List merge requests in a GitLab project with filtering options
+70. `list_merge_requests` - List merge requests globally or in a specific GitLab project with filtering options (project_id is now optional)
 71. `list_milestones` - List milestones in a GitLab project with filtering options
 72. `get_milestone` - Get details of a specific milestone
 73. `create_milestone` - Create a new milestone in a GitLab project

package/build/index.js

@@ -1,28 +1,45 @@
 #!/usr/bin/env node
+// Parse CLI arguments
+const args = process.argv.slice(2);
+const cliArgs = {};
+for (let i = 0; i < args.length; i++) {
+    const arg = args[i];
+    if (arg.startsWith('--')) {
+        const [key, value] = arg.slice(2).split('=');
+        if (value) {
+            cliArgs[key] = value;
+        }
+        else if (i + 1 < args.length && !args[i + 1].startsWith('--')) {
+            cliArgs[key] = args[++i];
+        }
+    }
+}
+function getConfig(cliKey, envKey, defaultValue) {
+    return cliArgs[cliKey] || process.env[envKey] || defaultValue;
+}
 import { Server } from "@modelcontextprotocol/sdk/server/index.js";
 import { SSEServerTransport } from "@modelcontextprotocol/sdk/server/sse.js";
 import { StdioServerTransport } from "@modelcontextprotocol/sdk/server/stdio.js";
 import { StreamableHTTPServerTransport } from "@modelcontextprotocol/sdk/server/streamableHttp.js";
 import { CallToolRequestSchema, ListToolsRequestSchema } from "@modelcontextprotocol/sdk/types.js";
-import { AsyncLocalStorage } from "async_hooks";
+import { AsyncLocalStorage } from "node:async_hooks";
 import express from "express";
 import fetchCookie from "fetch-cookie";
-import fs from "fs";
+import fs from "node:fs";
 import { HttpProxyAgent } from "http-proxy-agent";
 import { HttpsProxyAgent } from "https-proxy-agent";
 import nodeFetch from "node-fetch";
-import path, { dirname } from "path";
+import path, { dirname } from "node:path";
 import { SocksProxyAgent } from "socks-proxy-agent";
 import { CookieJar, parse as parseCookie } from "tough-cookie";
-import { fileURLToPath } from "url";
+import { fileURLToPath, URL } from "node:url";
 import { z } from "zod";
 import { zodToJsonSchema } from "zod-to-json-schema";
 import { initializeOAuth } from "./oauth.js";
 import { GitLabClientPool } from "./gitlab-client-pool.js";
 // Add type imports for proxy agents
-import { Agent } from "http";
-import { Agent as HttpsAgent } from "https";
-import { URL } from "url";
+import { Agent } from "node:http";
+import { Agent as HttpsAgent } from "node:https";
 import { BulkPublishDraftNotesSchema, CancelPipelineJobSchema, CancelPipelineSchema, CreateBranchSchema, CreateDraftNoteSchema, CreateIssueLinkSchema, CreateIssueNoteSchema, CreateIssueSchema, CreateLabelSchema, // Added
 CreateMergeRequestNoteSchema, CreateMergeRequestDiscussionNoteSchema, CreateMergeRequestSchema, CreateMergeRequestThreadSchema, CreateNoteSchema, CreateOrUpdateFileSchema, CreatePipelineSchema, CreateProjectMilestoneSchema, CreateRepositorySchema, CreateWikiPageSchema, DeleteDraftNoteSchema, DeleteIssueLinkSchema, DeleteIssueSchema, DeleteLabelSchema, DeleteProjectMilestoneSchema, DeleteWikiPageSchema, DeleteMergeRequestNoteSchema, EditProjectMilestoneSchema, ForkRepositorySchema, GetBranchDiffsSchema, GetCommitDiffSchema, GetCommitSchema, GetDraftNoteSchema, GetFileContentsSchema, GetIssueLinkSchema, GetIssueSchema, GetLabelSchema, GetMergeRequestDiffsSchema, GetMergeRequestSchema, GetMilestoneBurndownEventsSchema, GetMilestoneIssuesSchema, GetMilestoneMergeRequestsSchema, GetNamespaceSchema, 
 // pipeline job schemas
@@ -32,8 +49,8 @@ GitLabDiscussionNoteSchema, // Added
 GitLabDiscussionSchema, 
 // Draft Notes Schemas
 GitLabDraftNoteSchema, GitLabForkSchema, GitLabIssueLinkSchema, GitLabIssueSchema, GitLabIssueWithLinkDetailsSchema, GitLabMarkdownUploadSchema, GitLabMergeRequestSchema, GitLabMilestonesSchema, GitLabNamespaceExistsResponseSchema, GitLabNamespaceSchema, GitLabPipelineJobSchema, GitLabPipelineSchema, GitLabPipelineTriggerJobSchema, GitLabProjectMemberSchema, GitLabProjectSchema, GitLabReferenceSchema, GitLabRepositorySchema, GitLabSearchResponseSchema, GitLabTreeItemSchema, GitLabTreeSchema, GitLabUserSchema, GitLabUsersResponseSchema, GitLabWikiPageSchema, GroupIteration, ListCommitsSchema, ListDraftNotesSchema, ListGroupIterationsSchema, ListGroupProjectsSchema, ListIssueDiscussionsSchema, ListIssueLinksSchema, ListIssuesSchema, ListLabelsSchema, ListMergeRequestDiffsSchema, // Added
-ListMergeRequestDiscussionsSchema, ListMergeRequestsSchema, ListNamespacesSchema, ListPipelineJobsSchema, ListPipelinesSchema, ListPipelineTriggerJobsSchema, ListProjectMembersSchema, ListProjectMilestonesSchema, ListProjectsSchema, ListWikiPagesSchema, MarkdownUploadSchema, DownloadAttachmentSchema, MergeMergeRequestSchema, MyIssuesSchema, PaginatedDiscussionsResponseSchema, PromoteProjectMilestoneSchema, PublishDraftNoteSchema, PlayPipelineJobSchema, PushFilesSchema, RetryPipelineJobSchema, RetryPipelineSchema, SearchRepositoriesSchema, UpdateDraftNoteSchema, UpdateIssueNoteSchema, UpdateIssueSchema, UpdateLabelSchema, UpdateMergeRequestNoteSchema, UpdateMergeRequestDiscussionNoteSchema, UpdateMergeRequestSchema, UpdateWikiPageSchema, VerifyNamespaceSchema, GitLabEventSchema, ListEventsSchema, GetProjectEventsSchema, ExecuteGraphQLSchema, GitLabReleaseSchema, ListReleasesSchema, GetReleaseSchema, CreateReleaseSchema, UpdateReleaseSchema, DeleteReleaseSchema, CreateReleaseEvidenceSchema, DownloadReleaseAssetSchema, GetMergeRequestNotesSchema, GetMergeRequestNoteSchema, DeleteMergeRequestDiscussionNoteSchema, ResolveMergeRequestThreadSchema } from "./schemas.js";
-import { randomUUID } from "crypto";
+ListMergeRequestDiscussionsSchema, ListMergeRequestsSchema, ListMergeRequestVersionsSchema, GetMergeRequestVersionSchema, GitLabMergeRequestVersionSchema, GitLabMergeRequestVersionDetailSchema, ListNamespacesSchema, ListPipelineJobsSchema, ListPipelinesSchema, ListPipelineTriggerJobsSchema, ListProjectMembersSchema, ListProjectMilestonesSchema, ListProjectsSchema, ListWikiPagesSchema, MarkdownUploadSchema, DownloadAttachmentSchema, MergeMergeRequestSchema, MyIssuesSchema, PaginatedDiscussionsResponseSchema, PromoteProjectMilestoneSchema, PublishDraftNoteSchema, PlayPipelineJobSchema, PushFilesSchema, RetryPipelineJobSchema, RetryPipelineSchema, SearchRepositoriesSchema, UpdateDraftNoteSchema, UpdateIssueNoteSchema, UpdateIssueSchema, UpdateLabelSchema, UpdateMergeRequestNoteSchema, UpdateMergeRequestDiscussionNoteSchema, UpdateMergeRequestSchema, UpdateWikiPageSchema, VerifyNamespaceSchema, GitLabEventSchema, ListEventsSchema, GetProjectEventsSchema, ExecuteGraphQLSchema, GitLabReleaseSchema, ListReleasesSchema, GetReleaseSchema, CreateReleaseSchema, UpdateReleaseSchema, DeleteReleaseSchema, CreateReleaseEvidenceSchema, DownloadReleaseAssetSchema, GetMergeRequestNotesSchema, GetMergeRequestNoteSchema, DeleteMergeRequestDiscussionNoteSchema, ResolveMergeRequestThreadSchema, } from "./schemas.js";
+import { randomUUID } from "node:crypto";
 import { pino } from "pino";
 const logger = pino({
     level: process.env.LOG_LEVEL || "info",
@@ -68,8 +85,8 @@ try {
         SERVER_VERSION = packageJson.version || SERVER_VERSION;
     }
 }
-catch (error) {
-    // Warning: Could not read version from package.json - silently continue
+catch {
+    // Intentionally ignored: version read failure is non-critical
 }
 const server = new Server({
     name: "better-gitlab-mcp-server",
@@ -87,9 +104,9 @@ function validateConfiguration() {
     // Validate SESSION_TIMEOUT_SECONDS
     const timeoutStr = process.env.SESSION_TIMEOUT_SECONDS;
     if (timeoutStr) {
-        const timeout = parseInt(timeoutStr);
+        const timeout = Number.parseInt(timeoutStr, 10);
         // Allow values >=1 for testing purposes, but recommend 60-86400 for production
-        if (isNaN(timeout) || timeout < 1 || timeout > 86400) {
+        if (Number.isNaN(timeout) || timeout < 1 || timeout > 86400) {
             errors.push(`SESSION_TIMEOUT_SECONDS must be between 1 and 86400 seconds, got: ${timeoutStr}`);
         }
         if (timeout < 60) {
@@ -99,80 +116,85 @@ function validateConfiguration() {
     // Validate MAX_SESSIONS
     const maxSessionsStr = process.env.MAX_SESSIONS;
     if (maxSessionsStr) {
-        const maxSessions = parseInt(maxSessionsStr);
-        if (isNaN(maxSessions) || maxSessions < 1 || maxSessions > 10000) {
+        const maxSessions = Number.parseInt(maxSessionsStr, 10);
+        if (Number.isNaN(maxSessions) || maxSessions < 1 || maxSessions > 10000) {
             errors.push(`MAX_SESSIONS must be between 1 and 10000, got: ${maxSessionsStr}`);
         }
     }
     // Validate MAX_REQUESTS_PER_MINUTE
     const maxReqStr = process.env.MAX_REQUESTS_PER_MINUTE;
     if (maxReqStr) {
-        const maxReq = parseInt(maxReqStr);
-        if (isNaN(maxReq) || maxReq < 1 || maxReq > 1000) {
+        const maxReq = Number.parseInt(maxReqStr, 10);
+        if (Number.isNaN(maxReq) || maxReq < 1 || maxReq > 1000) {
             errors.push(`MAX_REQUESTS_PER_MINUTE must be between 1 and 1000, got: ${maxReqStr}`);
         }
     }
     // Validate PORT
-    const portStr = process.env.PORT;
+    const portStr = getConfig('port', 'PORT');
     if (portStr) {
-        const port = parseInt(portStr);
-        if (isNaN(port) || port < 1 || port > 65535) {
+        const port = Number.parseInt(portStr, 10);
+        if (Number.isNaN(port) || port < 1 || port > 65535) {
             errors.push(`PORT must be between 1 and 65535, got: ${portStr}`);
         }
     }
     // Validate GITLAB_API_URL format
-    const apiUrls = process.env.GITLAB_API_URL?.split(',') || [];
+    const apiUrls = getConfig('api-url', 'GITLAB_API_URL')?.split(",") || [];
     if (apiUrls.length > 0) {
         for (const url of apiUrls) {
             try {
                 new URL(url.trim());
             }
-            catch (error) {
+            catch {
                 errors.push(`GITLAB_API_URL contains an invalid URL: ${url.trim()}`);
             }
         }
     }
     // Validate auth configuration
-    const remoteAuth = process.env.REMOTE_AUTHORIZATION === "true";
-    const useOAuth = process.env.GITLAB_USE_OAUTH === "true";
-    const hasToken = !!process.env.GITLAB_PERSONAL_ACCESS_TOKEN;
-    const hasCookie = !!process.env.GITLAB_AUTH_COOKIE_PATH;
+    const remoteAuth = getConfig('remote-auth', 'REMOTE_AUTHORIZATION') === "true";
+    const useOAuth = getConfig('use-oauth', 'GITLAB_USE_OAUTH') === "true";
+    const hasToken = !!getConfig('token', 'GITLAB_PERSONAL_ACCESS_TOKEN');
+    const hasCookie = !!getConfig('cookie-path', 'GITLAB_AUTH_COOKIE_PATH');
     if (!remoteAuth && !useOAuth && !hasToken && !hasCookie) {
-        errors.push('Either GITLAB_PERSONAL_ACCESS_TOKEN, GITLAB_AUTH_COOKIE_PATH, GITLAB_USE_OAUTH=true, or REMOTE_AUTHORIZATION=true must be set');
+        errors.push('Either --token, --cookie-path, --use-oauth=true, or --remote-auth=true must be set (or use environment variables)');
     }
-    if (ENABLE_DYNAMIC_API_URL && !REMOTE_AUTHORIZATION) {
-        errors.push('ENABLE_DYNAMIC_API_URL=true requires REMOTE_AUTHORIZATION=true');
+    const enableDynamicApiUrl = getConfig('enable-dynamic-api-url', 'ENABLE_DYNAMIC_API_URL') === "true";
+    if (enableDynamicApiUrl && !remoteAuth) {
+        errors.push("ENABLE_DYNAMIC_API_URL=true requires REMOTE_AUTHORIZATION=true");
     }
     if (errors.length > 0) {
-        logger.error('Configuration validation failed:');
+        logger.error("Configuration validation failed:");
         errors.forEach(err => logger.error(`  - ${err}`));
         process.exit(1);
     }
-    logger.info('Configuration validation passed');
+    logger.info("Configuration validation passed");
 }
-const GITLAB_PERSONAL_ACCESS_TOKEN = process.env.GITLAB_PERSONAL_ACCESS_TOKEN;
+const GITLAB_PERSONAL_ACCESS_TOKEN = getConfig('token', 'GITLAB_PERSONAL_ACCESS_TOKEN');
 let OAUTH_ACCESS_TOKEN = null;
-const GITLAB_AUTH_COOKIE_PATH = process.env.GITLAB_AUTH_COOKIE_PATH;
-const USE_OAUTH = process.env.GITLAB_USE_OAUTH === "true";
-const IS_OLD = process.env.GITLAB_IS_OLD === "true";
-const GITLAB_READ_ONLY_MODE = process.env.GITLAB_READ_ONLY_MODE === "true";
-const GITLAB_DENIED_TOOLS_REGEX = process.env.GITLAB_DENIED_TOOLS_REGEX ? new RegExp(process.env.GITLAB_DENIED_TOOLS_REGEX) : undefined;
-const USE_GITLAB_WIKI = process.env.USE_GITLAB_WIKI === "true";
-const USE_MILESTONE = process.env.USE_MILESTONE === "true";
-const USE_PIPELINE = process.env.USE_PIPELINE === "true";
-const SSE = process.env.SSE === "true";
-const STREAMABLE_HTTP = process.env.STREAMABLE_HTTP === "true";
-const REMOTE_AUTHORIZATION = process.env.REMOTE_AUTHORIZATION === "true";
-const ENABLE_DYNAMIC_API_URL = process.env.ENABLE_DYNAMIC_API_URL === "true";
-const SESSION_TIMEOUT_SECONDS = process.env.SESSION_TIMEOUT_SECONDS ? parseInt(process.env.SESSION_TIMEOUT_SECONDS) : 3600;
-const HOST = process.env.HOST || "127.0.0.1";
-const PORT = process.env.PORT || 3002;
+const GITLAB_AUTH_COOKIE_PATH = getConfig('cookie-path', 'GITLAB_AUTH_COOKIE_PATH');
+const USE_OAUTH = getConfig('use-oauth', 'GITLAB_USE_OAUTH') === "true";
+const IS_OLD = getConfig('is-old', 'GITLAB_IS_OLD') === "true";
+const GITLAB_READ_ONLY_MODE = getConfig('read-only', 'GITLAB_READ_ONLY_MODE') === "true";
+const GITLAB_DENIED_TOOLS_REGEX = getConfig('denied-tools-regex', 'GITLAB_DENIED_TOOLS_REGEX')
+    ? new RegExp(getConfig('denied-tools-regex', 'GITLAB_DENIED_TOOLS_REGEX'))
+    : undefined;
+const USE_GITLAB_WIKI = getConfig('use-wiki', 'USE_GITLAB_WIKI') === "true";
+const USE_MILESTONE = getConfig('use-milestone', 'USE_MILESTONE') === "true";
+const USE_PIPELINE = getConfig('use-pipeline', 'USE_PIPELINE') === "true";
+const SSE = getConfig('sse', 'SSE') === "true";
+const STREAMABLE_HTTP = getConfig('streamable-http', 'STREAMABLE_HTTP') === "true";
+const REMOTE_AUTHORIZATION = getConfig('remote-auth', 'REMOTE_AUTHORIZATION') === "true";
+const ENABLE_DYNAMIC_API_URL = getConfig('enable-dynamic-api-url', 'ENABLE_DYNAMIC_API_URL') === "true";
+const SESSION_TIMEOUT_SECONDS = Number.parseInt(getConfig('session-timeout', 'SESSION_TIMEOUT_SECONDS', '3600'), 10);
+const HOST = getConfig('host', 'HOST') || '127.0.0.1';
+const PORT = Number.parseInt(getConfig('port', 'PORT', '3002'), 10);
 // Add proxy configuration
-const HTTP_PROXY = process.env.HTTP_PROXY;
-const HTTPS_PROXY = process.env.HTTPS_PROXY;
-const NODE_TLS_REJECT_UNAUTHORIZED = process.env.NODE_TLS_REJECT_UNAUTHORIZED;
-const GITLAB_CA_CERT_PATH = process.env.GITLAB_CA_CERT_PATH;
-const GITLAB_POOL_MAX_SIZE = process.env.GITLAB_POOL_MAX_SIZE ? parseInt(process.env.GITLAB_POOL_MAX_SIZE) : 100;
+const HTTP_PROXY = getConfig('http-proxy', 'HTTP_PROXY');
+const HTTPS_PROXY = getConfig('https-proxy', 'HTTPS_PROXY');
+const NODE_TLS_REJECT_UNAUTHORIZED = getConfig('tls-reject-unauthorized', 'NODE_TLS_REJECT_UNAUTHORIZED');
+const GITLAB_CA_CERT_PATH = getConfig('ca-cert-path', 'GITLAB_CA_CERT_PATH');
+const GITLAB_POOL_MAX_SIZE = getConfig('pool-max-size', 'GITLAB_POOL_MAX_SIZE')
+    ? Number.parseInt(getConfig('pool-max-size', 'GITLAB_POOL_MAX_SIZE'), 10)
+    : 100;
 let sslOptions = undefined;
 if (NODE_TLS_REJECT_UNAUTHORIZED === "0") {
     sslOptions = { rejectUnauthorized: false };
@@ -204,7 +226,9 @@ httpsAgent = httpsAgent || new HttpsAgent(sslOptions);
 httpAgent = httpAgent || new Agent();
 // Initialize the client pool for managing multiple GitLab instances
 const clientPool = new GitLabClientPool({
-    apiUrls: (process.env.GITLAB_API_URL || "https://gitlab.com").split(',').map(normalizeGitLabApiUrl),
+    apiUrls: (process.env.GITLAB_API_URL || "https://gitlab.com")
+        .split(",")
+        .map(normalizeGitLabApiUrl),
     httpProxy: HTTP_PROXY,
     httpsProxy: HTTPS_PROXY,
     rejectUnauthorized: NODE_TLS_REJECT_UNAUTHORIZED !== "0",
@@ -235,7 +259,11 @@ const createCookieJar = () => {
             if (parts.length >= 7) {
                 const [domain, , path, secure, expires, name, value] = parts;
                 // Build cookie string in standard format
-                const cookieStr = `${name}=${value}; Domain=${domain}; Path=${path}${secure === "TRUE" ? "; Secure" : ""}${expires !== "0" ? `; Expires=${new Date(parseInt(expires) * 1000).toUTCString()}` : ""}`;
+                const secureFlag = secure === "TRUE" ? "; Secure" : "";
+                const expiresFlag = expires === "0"
+                    ? ""
+                    : `; Expires=${new Date(Number.parseInt(expires, 10) * 1000).toUTCString()}`;
+                const cookieStr = `${name}=${value}; Domain=${domain}; Path=${path}${secureFlag}${expiresFlag}`;
                 // Use tough-cookie's parse function for robust parsing
                 const cookie = parseCookie(cookieStr);
                 if (cookie) {
@@ -276,8 +304,8 @@ async function ensureSessionForRequest() {
             // Small delay to ensure cookies are fully processed
             await new Promise(resolve => setTimeout(resolve, 100));
         }
-        catch (error) {
-            // Ignore session establishment errors
+        catch {
+            // Intentionally ignored: session establishment errors are non-critical
         }
     }
 }
@@ -299,9 +327,9 @@ function buildAuthHeaders() {
     if (REMOTE_AUTHORIZATION) {
         const ctx = sessionAuthStore.getStore();
         logger.debug({ context: ctx }, "buildAuthHeaders: session context");
-        if (ctx && ctx.token) {
+        if (ctx?.token) {
             return {
-                [ctx.header]: ctx.header === 'Authorization' ? `Bearer ${ctx.token}` : ctx.token
+                [ctx.header]: ctx.header === "Authorization" ? `Bearer ${ctx.token}` : ctx.token,
             };
         }
         return {}; // No auth headers if no session context
@@ -309,7 +337,7 @@ function buildAuthHeaders() {
     // Standard mode: prioritize OAuth token, then fall back to environment token
     const token = OAUTH_ACCESS_TOKEN || GITLAB_PERSONAL_ACCESS_TOKEN;
     if (IS_OLD && token) {
-        return { 'Private-Token': String(token) };
+        return { "Private-Token": String(token) };
     }
     if (token) {
         return { Authorization: `Bearer ${token}` };
@@ -324,7 +352,7 @@ function buildAuthHeaders() {
 function getEffectiveApiUrl() {
     if (ENABLE_DYNAMIC_API_URL) {
         const ctx = sessionAuthStore.getStore();
-        if (ctx && ctx.apiUrl) {
+        if (ctx?.apiUrl) {
             return ctx.apiUrl;
         }
         logger.warn({ ctx }, "getEffectiveApiUrl: No context or apiUrl found, falling back to default");
@@ -349,7 +377,46 @@ const getFetchConfig = () => {
         agent: agent,
     };
 };
-const toJSONSchema = (schema) => zodToJsonSchema(schema, { $refStrategy: 'none' });
+const toJSONSchema = (schema) => {
+    const jsonSchema = zodToJsonSchema(schema, { $refStrategy: 'none' });
+    // Post-process to fix nullable/optional fields that should truly be optional
+    function fixNullableOptional(obj) {
+        if (obj && typeof obj === 'object') {
+            // If this object has properties, process them
+            if (obj.properties) {
+                const requiredSet = new Set(obj.required || []);
+                Object.keys(obj.properties).forEach(key => {
+                    const prop = obj.properties[key];
+                    // Handle fields that can be null or omitted
+                    // If a property has type: ["object", "null"] or anyOf with null, it should not be required
+                    if (prop.anyOf && prop.anyOf.some((t) => t.type === 'null')) {
+                        requiredSet.delete(key);
+                    }
+                    else if (Array.isArray(prop.type) && prop.type.includes('null')) {
+                        requiredSet.delete(key);
+                    }
+                    // Recursively process nested objects
+                    obj.properties[key] = fixNullableOptional(prop);
+                });
+                // Normalize the required array after processing all properties
+                if (requiredSet.size > 0) {
+                    obj.required = Array.from(requiredSet);
+                }
+                else if (Object.prototype.hasOwnProperty.call(obj, 'required')) {
+                    delete obj.required;
+                }
+            }
+            // Process anyOf/allOf/oneOf
+            ['anyOf', 'allOf', 'oneOf'].forEach(combiner => {
+                if (obj[combiner]) {
+                    obj[combiner] = obj[combiner].map(fixNullableOptional);
+                }
+            });
+        }
+        return obj;
+    }
+    return fixNullableOptional(jsonSchema);
+};
 // Define all available tools
 const allTools = [
     {
@@ -422,6 +489,16 @@ const allTools = [
         description: "List merge request diffs with pagination support (Either mergeRequestIid or branchName must be provided)",
         inputSchema: toJSONSchema(ListMergeRequestDiffsSchema),
     },
+    {
+        name: "list_merge_request_versions",
+        description: "List all versions of a merge request",
+        inputSchema: toJSONSchema(ListMergeRequestVersionsSchema),
+    },
+    {
+        name: "get_merge_request_version",
+        description: "Get a specific version of a merge request",
+        inputSchema: toJSONSchema(GetMergeRequestVersionSchema),
+    },
     {
         name: "get_branch_diffs",
         description: "Get the changes/diffs between two branches or commits in a GitLab project",
@@ -443,7 +520,7 @@ const allTools = [
         inputSchema: toJSONSchema(CreateMergeRequestThreadSchema),
     },
     {
-        name: 'resolve_merge_request_thread',
+        name: "resolve_merge_request_thread",
         description: "Resolve a thread on a merge request",
         inputSchema: toJSONSchema(ResolveMergeRequestThreadSchema),
     },
@@ -483,7 +560,7 @@ const allTools = [
         inputSchema: toJSONSchema(GetMergeRequestNoteSchema),
     },
     {
-        name: 'get_merge_request_notes',
+        name: "get_merge_request_notes",
         description: "List notes for a merge request",
         inputSchema: toJSONSchema(GetMergeRequestNotesSchema),
     },
@@ -739,7 +816,7 @@ const allTools = [
     },
     {
         name: "list_merge_requests",
-        description: "List merge requests in a GitLab project with filtering options",
+        description: "List merge requests. Without project_id, lists MRs assigned to the authenticated user by default (use scope='all' for all accessible MRs). With project_id, lists MRs for that specific project.",
         inputSchema: toJSONSchema(ListMergeRequestsSchema),
     },
     {
@@ -869,12 +946,14 @@ const allTools = [
     },
 ];
 // Define which tools are read-only
-const readOnlyTools = [
+const readOnlyTools = new Set([
     "search_repositories",
     "execute_graphql",
     "get_file_contents",
     "get_merge_request",
     "get_merge_request_diffs",
+    "list_merge_request_versions",
+    "get_merge_request_version",
     "get_branch_diffs",
     "mr_discussions",
     "list_issues",
@@ -919,18 +998,18 @@ const readOnlyTools = [
     "list_releases",
     "get_release",
     "download_release_asset",
-];
+]);
 // Define which tools are related to wiki and can be toggled by USE_GITLAB_WIKI
-const wikiToolNames = [
+const wikiToolNames = new Set([
     "list_wiki_pages",
     "get_wiki_page",
     "create_wiki_page",
     "update_wiki_page",
     "delete_wiki_page",
     "upload_wiki_attachment",
-];
+]);
 // Define which tools are related to milestones and can be toggled by USE_MILESTONE
-const milestoneToolNames = [
+const milestoneToolNames = new Set([
     "list_milestones",
     "get_milestone",
     "create_milestone",
@@ -940,9 +1019,9 @@ const milestoneToolNames = [
     "get_milestone_merge_requests",
     "promote_milestone",
     "get_milestone_burndown_events",
-];
+]);
 // Define which tools are related to pipelines and can be toggled by USE_PIPELINE
-const pipelineToolNames = [
+const pipelineToolNames = new Set([
     "list_pipelines",
     "get_pipeline",
     "list_pipeline_jobs",
@@ -955,7 +1034,7 @@ const pipelineToolNames = [
     "play_pipeline_job",
     "retry_pipeline_job",
     "cancel_pipeline_job",
-];
+]);
 /**
  * Smart URL handling for GitLab API
  *
@@ -976,11 +1055,17 @@ function normalizeGitLabApiUrl(url) {
     return normalizedUrl;
 }
 // Use the normalizeGitLabApiUrl function to handle various URL formats
-const GITLAB_API_URLS = (process.env.GITLAB_API_URL || "https://gitlab.com").split(',').map(normalizeGitLabApiUrl);
+const GITLAB_API_URLS = (process.env.GITLAB_API_URL || "https://gitlab.com")
+    .split(",")
+    .map(normalizeGitLabApiUrl);
 const GITLAB_API_URL = GITLAB_API_URLS[0];
 const GITLAB_PROJECT_ID = process.env.GITLAB_PROJECT_ID;
-const GITLAB_ALLOWED_PROJECT_IDS = process.env.GITLAB_ALLOWED_PROJECT_IDS?.split(',').map(id => id.trim()).filter(Boolean) || [];
-const GITLAB_COMMIT_FILES_PER_PAGE = process.env.GITLAB_COMMIT_FILES_PER_PAGE ? parseInt(process.env.GITLAB_COMMIT_FILES_PER_PAGE) : 20;
+const GITLAB_ALLOWED_PROJECT_IDS = process.env.GITLAB_ALLOWED_PROJECT_IDS?.split(",")
+    .map(id => id.trim())
+    .filter(Boolean) || [];
+const GITLAB_COMMIT_FILES_PER_PAGE = process.env.GITLAB_COMMIT_FILES_PER_PAGE
+    ? Number.parseInt(process.env.GITLAB_COMMIT_FILES_PER_PAGE, 10)
+    : 20;
 // Validate authentication configuration
 if (REMOTE_AUTHORIZATION) {
     // Remote authorization mode: token comes from HTTP headers
@@ -1037,11 +1122,11 @@ function getEffectiveProjectId(projectId) {
         }
         // If a project ID is provided, check if it's in the whitelist
         if (projectId && !GITLAB_ALLOWED_PROJECT_IDS.includes(projectId)) {
-            throw new Error(`Access denied: Project ${projectId} is not in the allowed project list: ${GITLAB_ALLOWED_PROJECT_IDS.join(', ')}`);
+            throw new Error(`Access denied: Project ${projectId} is not in the allowed project list: ${GITLAB_ALLOWED_PROJECT_IDS.join(", ")}`);
         }
         // If no project ID provided but we have multiple allowed projects, require an explicit choice
         if (!projectId && GITLAB_ALLOWED_PROJECT_IDS.length > 1) {
-            throw new Error(`Multiple projects allowed (${GITLAB_ALLOWED_PROJECT_IDS.join(', ')}). Please specify a project ID.`);
+            throw new Error(`Multiple projects allowed (${GITLAB_ALLOWED_PROJECT_IDS.join(", ")}). Please specify a project ID.`);
         }
         return projectId || GITLAB_ALLOWED_PROJECT_IDS[0];
     }
@@ -1229,15 +1314,19 @@ async function listIssues(projectId, options = {}) {
     return z.array(GitLabIssueSchema).parse(data);
 }
 /**
- * List merge requests in a GitLab project with optional filtering
+ * List merge requests globally or for a specific GitLab project
  *
- * @param {string} projectId - The ID or URL-encoded path of the project
+ * @param {string} [projectId] - The ID or URL-encoded path of the project.
+ *                               If omitted, lists MRs assigned to the authenticated user by default.
  * @param {Object} options - Optional filtering parameters
  * @returns {Promise<GitLabMergeRequest[]>} List of merge requests
  */
 async function listMergeRequests(projectId, options = {}) {
-    projectId = decodeURIComponent(projectId); // Decode project ID
-    const url = new URL(`${getEffectiveApiUrl()}/projects/${encodeURIComponent(getEffectiveProjectId(projectId))}/merge_requests`);
+    const decodedProjectId = projectId ? decodeURIComponent(projectId) : undefined;
+    const endpoint = decodedProjectId
+        ? `${getEffectiveApiUrl()}/projects/${encodeURIComponent(getEffectiveProjectId(decodedProjectId))}/merge_requests`
+        : `${getEffectiveApiUrl()}/merge_requests`;
+    const url = new URL(endpoint);
     // Add all query parameters
     Object.entries(options).forEach(([key, value]) => {
         if (value !== undefined) {
@@ -1469,18 +1558,22 @@ async function listDiscussions(projectId, resourceType, resourceIid, options = {
     // Extract pagination headers
     const pagination = {
         x_next_page: response.headers.get("x-next-page")
-            ? parseInt(response.headers.get("x-next-page"))
+            ? Number.parseInt(response.headers.get("x-next-page"), 10)
             : null,
-        x_page: response.headers.get("x-page") ? parseInt(response.headers.get("x-page")) : undefined,
+        x_page: response.headers.get("x-page")
+            ? Number.parseInt(response.headers.get("x-page"), 10)
+            : undefined,
         x_per_page: response.headers.get("x-per-page")
-            ? parseInt(response.headers.get("x-per-page"))
+            ? Number.parseInt(response.headers.get("x-per-page"), 10)
             : undefined,
         x_prev_page: response.headers.get("x-prev-page")
-            ? parseInt(response.headers.get("x-prev-page"))
+            ? Number.parseInt(response.headers.get("x-prev-page"), 10)
+            : null,
+        x_total: response.headers.get("x-total")
+            ? Number.parseInt(response.headers.get("x-total"), 10)
             : null,
-        x_total: response.headers.get("x-total") ? parseInt(response.headers.get("x-total")) : null,
         x_total_pages: response.headers.get("x-total-pages")
-            ? parseInt(response.headers.get("x-total-pages"))
+            ? Number.parseInt(response.headers.get("x-total-pages"), 10)
             : null,
     };
     return PaginatedDiscussionsResponseSchema.parse({
@@ -1877,10 +1970,10 @@ async function searchProjects(query, page = 1, perPage = 20) {
     const totalCount = response.headers.get("x-total");
     const totalPages = response.headers.get("x-total-pages");
     // GitLab API doesn't return these headers for results > 10,000
-    const count = totalCount ? parseInt(totalCount) : projects.length;
+    const count = totalCount ? Number.parseInt(totalCount, 10) : projects.length;
     return GitLabSearchResponseSchema.parse({
         count,
-        total_pages: totalPages ? parseInt(totalPages) : Math.ceil(count / perPage),
+        total_pages: totalPages ? Number.parseInt(totalPages, 10) : Math.ceil(count / perPage),
         current_page: page,
         items: projects,
     });
@@ -1902,7 +1995,7 @@ async function createRepository(options) {
             visibility: options.visibility,
             initialize_with_readme: options.initialize_with_readme,
             default_branch: "main",
-            path: options.name.toLowerCase().replace(/\s+/g, "-"),
+            path: options.name.toLowerCase().replaceAll(/\s+/g, "-"),
         }),
     });
     if (!response.ok) {
@@ -2246,7 +2339,7 @@ async function publishDraftNote(projectId, mergeRequestIid, draftNoteId) {
     }
     // Handle empty response (204 No Content) or successful response
     const responseText = await response.text();
-    if (!responseText || responseText.trim() === '') {
+    if (!responseText || responseText.trim() === "") {
         // Return a success indicator for empty responses
         return {
             id: draftNoteId.toString(),
@@ -2256,7 +2349,7 @@ async function publishDraftNote(projectId, mergeRequestIid, draftNoteId) {
             updated_at: new Date().toISOString(),
             system: false,
             noteable_id: mergeRequestIid.toString(),
-            noteable_type: "MergeRequest"
+            noteable_type: "MergeRequest",
         };
     }
     try {
@@ -2275,7 +2368,7 @@ async function publishDraftNote(projectId, mergeRequestIid, draftNoteId) {
             updated_at: new Date().toISOString(),
             system: false,
             noteable_id: mergeRequestIid.toString(),
-            noteable_type: "MergeRequest"
+            noteable_type: "MergeRequest",
         };
     }
 }
@@ -2299,7 +2392,7 @@ async function bulkPublishDraftNotes(projectId, mergeRequestIid) {
     }
     // Handle empty response (204 No Content) or successful response
     const responseText = await response.text();
-    if (!responseText || responseText.trim() === '') {
+    if (!responseText || responseText.trim() === "") {
         // Return empty array for successful bulk publish with no content
         return [];
     }
@@ -2350,7 +2443,6 @@ async function createMergeRequestThread(projectId, mergeRequestIid, body, positi
     projectId = decodeURIComponent(projectId); // Decode project ID
     const url = new URL(`${getEffectiveApiUrl()}/projects/${encodeURIComponent(getEffectiveProjectId(projectId))}/merge_requests/${mergeRequestIid}/discussions`);
     const payload = { body };
-    // Add optional parameters if provided
     if (position) {
         payload.position = position;
     }
@@ -2366,6 +2458,46 @@ async function createMergeRequestThread(projectId, mergeRequestIid, body, positi
     const data = await response.json();
     return GitLabDiscussionSchema.parse(data);
 }
+/**
+ * List all versions of a merge request
+ * 병합 요청의 모든 버전 목록 조회
+ *
+ * @param {string} projectId - The ID or URL-encoded path of the project
+ * @param {number} mergeRequestIid - The internal ID of the merge request
+ * @returns {Promise<GitLabMergeRequestVersion[]>} List of merge request versions
+ */
+async function listMergeRequestVersions(projectId, mergeRequestIid) {
+    projectId = decodeURIComponent(projectId); // Decode project ID
+    const url = new URL(`${getEffectiveApiUrl()}/projects/${encodeURIComponent(getEffectiveProjectId(projectId))}/merge_requests/${mergeRequestIid}/versions`);
+    const response = await fetch(url.toString(), {
+        ...getFetchConfig(),
+    });
+    await handleGitLabError(response);
+    const data = await response.json();
+    return z.array(GitLabMergeRequestVersionSchema).parse(data);
+}
+/**
+ * Get a specific version of a merge request
+ * 병합 요청의 특정 버전 상세 정보 조회
+ *
+ * @param {string} projectId - The ID or URL-encoded path of the project
+ * @param {number} mergeRequestIid - The internal ID of the merge request
+ * @param {number} versionId - The ID of the version
+ * @returns {Promise<GitLabMergeRequestVersionDetail>} The merge request version details
+ */
+async function getMergeRequestVersion(projectId, mergeRequestIid, versionId, unidiff) {
+    projectId = decodeURIComponent(projectId); // Decode project ID
+    const url = new URL(`${getEffectiveApiUrl()}/projects/${encodeURIComponent(getEffectiveProjectId(projectId))}/merge_requests/${mergeRequestIid}/versions/${versionId}`);
+    if (unidiff !== undefined) {
+        url.searchParams.append("unidiff", String(unidiff));
+    }
+    const response = await fetch(url.toString(), {
+        ...getFetchConfig(),
+    });
+    await handleGitLabError(response);
+    const data = await response.json();
+    return GitLabMergeRequestVersionDetailSchema.parse(data);
+}
 /**
  * List all namespaces
  * 사용 가능한 모든 네임스페이스 목록 조회
@@ -3023,7 +3155,7 @@ async function cancelPipelineJob(projectId, jobId, force) {
     projectId = decodeURIComponent(projectId);
     const url = new URL(`${getEffectiveApiUrl()}/projects/${encodeURIComponent(getEffectiveProjectId(projectId))}/jobs/${jobId}/cancel`);
     if (force !== undefined) {
-        url.searchParams.append('force', force.toString());
+        url.searchParams.append("force", force.toString());
     }
     const response = await fetch(url.toString(), {
         ...getFetchConfig(),
@@ -3740,24 +3872,19 @@ async function downloadReleaseAsset(projectId, tagName, directAssetPath) {
     return await response.text();
 }
 server.setRequestHandler(ListToolsRequestSchema, async () => {
-    // In remote auth mode, retrieve session context from AsyncLocalStorage
-    // This ensures the context is available even when called from SDK's async chains
-    const sessionContext = REMOTE_AUTHORIZATION ? sessionAuthStore.getStore() : null;
     // Apply read-only filter first
     const tools0 = GITLAB_READ_ONLY_MODE
-        ? allTools.filter(tool => readOnlyTools.includes(tool.name))
+        ? allTools.filter(tool => readOnlyTools.has(tool.name))
         : allTools;
     // Toggle wiki tools by USE_GITLAB_WIKI flag
-    const tools1 = USE_GITLAB_WIKI
-        ? tools0
-        : tools0.filter(tool => !wikiToolNames.includes(tool.name));
+    const tools1 = USE_GITLAB_WIKI ? tools0 : tools0.filter(tool => !wikiToolNames.has(tool.name));
     // Toggle milestone tools by USE_MILESTONE flag
-    const tools2 = USE_MILESTONE
-        ? tools1
-        : tools1.filter(tool => !milestoneToolNames.includes(tool.name));
+    const tools2 = USE_MILESTONE ? tools1 : tools1.filter(tool => !milestoneToolNames.has(tool.name));
     // Toggle pipeline tools by USE_PIPELINE flag
-    let tools = USE_PIPELINE ? tools2 : tools2.filter(tool => !pipelineToolNames.includes(tool.name));
-    tools = GITLAB_DENIED_TOOLS_REGEX ? tools.filter(tool => !GITLAB_DENIED_TOOLS_REGEX.test(tool.name)) : tools;
+    let tools = USE_PIPELINE ? tools2 : tools2.filter(tool => !pipelineToolNames.has(tool.name));
+    tools = GITLAB_DENIED_TOOLS_REGEX
+        ? tools.filter(tool => !GITLAB_DENIED_TOOLS_REGEX.test(tool.name))
+        : tools;
     // <<< START: Gemini 호환성을 위해 $schema 제거 >>>
     tools = tools.map(tool => {
         // inputSchema가 존재하고 객체인지 확인
@@ -4006,21 +4133,21 @@ async function handleToolCall(params) {
                     content: [{ type: "text", text: "Merge request note deleted successfully" }],
                 };
             }
-            case 'get_merge_request_note': {
+            case "get_merge_request_note": {
                 const args = GetMergeRequestNoteSchema.parse(params.arguments);
                 const note = await getMergeRequestNote(args.project_id, args.merge_request_iid, args.note_id);
                 return {
                     content: [{ type: "text", text: JSON.stringify(note, null, 2) }],
                 };
             }
-            case 'get_merge_request_notes': {
+            case "get_merge_request_notes": {
                 const args = GetMergeRequestNotesSchema.parse(params.arguments);
                 const notes = await getMergeRequestNotes(args.project_id, args.merge_request_iid, args.sort, args.order_by);
                 return {
                     content: [{ type: "text", text: JSON.stringify(notes, null, 2) }],
                 };
             }
-            case 'update_merge_request_note': {
+            case "update_merge_request_note": {
                 const args = UpdateMergeRequestNoteSchema.parse(params.arguments);
                 const note = await updateMergeRequestNote(args.project_id, args.merge_request_iid, args.note_id, args.body);
                 return {
@@ -4062,6 +4189,20 @@ async function handleToolCall(params) {
                     content: [{ type: "text", text: JSON.stringify(changes, null, 2) }],
                 };
             }
+            case "list_merge_request_versions": {
+                const args = ListMergeRequestVersionsSchema.parse(params.arguments);
+                const versions = await listMergeRequestVersions(args.project_id, args.merge_request_iid);
+                return {
+                    content: [{ type: "text", text: JSON.stringify(versions, null, 2) }],
+                };
+            }
+            case "get_merge_request_version": {
+                const args = GetMergeRequestVersionSchema.parse(params.arguments);
+                const version = await getMergeRequestVersion(args.project_id, args.merge_request_iid, args.version_id, args.unidiff);
+                return {
+                    content: [{ type: "text", text: JSON.stringify(version, null, 2) }],
+                };
+            }
             case "update_merge_request": {
                 const args = UpdateMergeRequestSchema.parse(params.arguments);
                 const { project_id, merge_request_iid, source_branch, ...options } = args;
@@ -4745,7 +4886,9 @@ async function handleToolCall(params) {
                 const args = DownloadAttachmentSchema.parse(params.arguments);
                 const filePath = await downloadAttachment(args.project_id, args.secret, args.filename, args.local_path);
                 return {
-                    content: [{ type: "text", text: JSON.stringify({ success: true, file_path: filePath }, null, 2) }],
+                    content: [
+                        { type: "text", text: JSON.stringify({ success: true, file_path: filePath }, null, 2) },
+                    ],
                 };
             }
             case "list_events": {
@@ -4917,8 +5060,8 @@ async function startStreamableHTTPServer() {
     const streamableTransports = {};
     const authTimeouts = {};
     // Configuration and limits
-    const MAX_SESSIONS = parseInt(process.env.MAX_SESSIONS || '1000');
-    const MAX_REQUESTS_PER_MINUTE = parseInt(process.env.MAX_REQUESTS_PER_MINUTE || '60');
+    const MAX_SESSIONS = Number.parseInt(process.env.MAX_SESSIONS || "1000", 10);
+    const MAX_REQUESTS_PER_MINUTE = Number.parseInt(process.env.MAX_REQUESTS_PER_MINUTE || "60", 10);
     // Metrics tracking
     const metrics = {
         activeSessions: 0,
@@ -4938,7 +5081,7 @@ async function startStreamableHTTPServer() {
         // GitLab PAT format: glpat-xxxxx (min 20 chars)
         if (token.length < 20)
             return false;
-        if (!/^[a-zA-Z0-9_\.-]+$/.test(token))
+        if (!/^[-a-zA-Z0-9_.]+$/.test(token))
             return false;
         return true;
     };
@@ -4963,9 +5106,9 @@ async function startStreamableHTTPServer() {
      * Returns null if no auth found or invalid format
      */
     const parseAuthHeaders = (req) => {
-        const authHeader = req.headers['authorization'] || '';
-        const privateToken = req.headers['private-token'] || '';
-        const dynamicApiUrl = req.headers['x-gitlab-api-url']?.trim();
+        const authHeader = req.headers["authorization"] || "";
+        const privateToken = req.headers["private-token"] || "";
+        const dynamicApiUrl = req.headers["x-gitlab-api-url"]?.trim();
         let apiUrl = GITLAB_API_URL; // Default API URL
         // Only process dynamic URL if the feature is enabled
         if (ENABLE_DYNAMIC_API_URL && dynamicApiUrl) {
@@ -4973,7 +5116,7 @@ async function startStreamableHTTPServer() {
                 new URL(dynamicApiUrl); // Ensure it's a valid URL format
                 apiUrl = normalizeGitLabApiUrl(dynamicApiUrl);
             }
-            catch (e) {
+            catch {
                 logger.warn(`Invalid X-GitLab-API-URL provided: ${dynamicApiUrl}. Auth will fail.`);
                 return null; // Reject if URL is malformed
             }
@@ -4983,13 +5126,16 @@ async function startStreamableHTTPServer() {
         let header = null;
         if (privateToken) {
             token = privateToken.trim();
-            header = 'Private-Token';
+            header = "Private-Token";
         }
         else if (authHeader) {
-            const match = authHeader.match(/^Bearer\s+(.+)$/i);
+            // Use \S+ instead of .+ to prevent ReDoS attacks
+            // \S+ only matches non-whitespace, so trim() is technically unnecessary,
+            // but we keep it for defensive coding and backward compatibility
+            const match = /^Bearer\s+(\S+)$/i.exec(authHeader);
             if (match) {
                 token = match[1].trim();
-                header = 'Authorization';
+                header = "Authorization";
             }
         }
         // Validate token and return AuthData object
@@ -5044,8 +5190,8 @@ async function startStreamableHTTPServer() {
         if (REMOTE_AUTHORIZATION && sessionId && !checkRateLimit(sessionId)) {
             metrics.rejectedByRateLimit++;
             res.status(429).json({
-                error: 'Rate limit exceeded',
-                message: `Maximum ${MAX_REQUESTS_PER_MINUTE} requests per minute allowed`
+                error: "Rate limit exceeded",
+                message: `Maximum ${MAX_REQUESTS_PER_MINUTE} requests per minute allowed`,
             });
             return;
         }
@@ -5053,8 +5199,8 @@ async function startStreamableHTTPServer() {
         if (!sessionId && Object.keys(streamableTransports).length >= MAX_SESSIONS) {
             metrics.rejectedByCapacity++;
             res.status(503).json({
-                error: 'Server capacity reached',
-                message: `Maximum ${MAX_SESSIONS} concurrent sessions allowed. Please try again later.`
+                error: "Server capacity reached",
+                message: `Maximum ${MAX_SESSIONS} concurrent sessions allowed. Please try again later.`,
             });
             return;
         }
@@ -5066,8 +5212,8 @@ async function startStreamableHTTPServer() {
                 if (!authData) {
                     metrics.authFailures++;
                     res.status(401).json({
-                        error: 'Missing Authorization or Private-Token header',
-                        message: 'Remote authorization is enabled. Please provide Authorization or Private-Token header.'
+                        error: "Missing Authorization or Private-Token header",
+                        message: "Remote authorization is enabled. Please provide Authorization or Private-Token header.",
                     });
                     return;
                 }
@@ -5156,7 +5302,7 @@ async function startStreamableHTTPServer() {
                 header: authData.header,
                 token: authData.token,
                 lastUsed: authData.lastUsed,
-                apiUrl: authData.apiUrl
+                apiUrl: authData.apiUrl,
             };
             // Run the entire request handling within AsyncLocalStorage context
             await sessionAuthStore.run(ctx, handleRequest);
@@ -5171,7 +5317,7 @@ async function startStreamableHTTPServer() {
         res.setHeader("Allow", "POST, DELETE");
         res.status(405).json({
             error: "Method Not Allowed",
-            message: "GET /mcp is not supported when STREAMABLE_HTTP is enabled. Use POST to communicate with the MCP server."
+            message: "GET /mcp is not supported when STREAMABLE_HTTP is enabled. Use POST to communicate with the MCP server.",
         });
     });
     // Metrics endpoint
@@ -5187,14 +5333,14 @@ async function startStreamableHTTPServer() {
                 maxRequestsPerMinute: MAX_REQUESTS_PER_MINUTE,
                 sessionTimeoutSeconds: SESSION_TIMEOUT_SECONDS,
                 remoteAuthEnabled: REMOTE_AUTHORIZATION,
-            }
+            },
         });
     });
     // Health check endpoint
     app.get("/health", (_req, res) => {
         const isHealthy = Object.keys(streamableTransports).length < MAX_SESSIONS;
         res.status(isHealthy ? 200 : 503).json({
-            status: isHealthy ? 'healthy' : 'degraded',
+            status: isHealthy ? "healthy" : "degraded",
             activeSessions: Object.keys(streamableTransports).length,
             maxSessions: MAX_SESSIONS,
             uptime: process.uptime(),
@@ -5238,7 +5384,7 @@ async function startStreamableHTTPServer() {
         logger.info(`${signal} received, starting graceful shutdown...`);
         // Stop accepting new connections
         httpServer.close(() => {
-            logger.info('HTTP server closed');
+            logger.info("HTTP server closed");
         });
         // Close all active sessions
         const sessionIds = Object.keys(streamableTransports);
@@ -5263,12 +5409,12 @@ async function startStreamableHTTPServer() {
         Object.keys(authTimeouts).forEach(sessionId => {
             clearAuthTimeout(sessionId);
         });
-        logger.info('Graceful shutdown complete');
+        logger.info("Graceful shutdown complete");
         process.exit(0);
     };
     // Register signal handlers
-    process.on('SIGTERM', () => gracefulShutdown('SIGTERM'));
-    process.on('SIGINT', () => gracefulShutdown('SIGINT'));
+    process.on("SIGTERM", () => gracefulShutdown("SIGTERM"));
+    process.on("SIGINT", () => gracefulShutdown("SIGINT"));
 }
 /**
  * Initialize server with specific transport mode
@@ -5289,10 +5435,11 @@ async function initializeServerByTransportMode(mode) {
             logger.warn("Starting GitLab MCP Server with Streamable HTTP transport");
             await startStreamableHTTPServer();
             break;
-        default:
+        default: {
             // This should never happen with proper enum usage, but TypeScript requires it
             const exhaustiveCheck = mode;
             throw new Error(`Unknown transport mode: ${exhaustiveCheck}`);
+        }
     }
 }
 /**

package/build/schemas.js

@@ -792,12 +792,12 @@ export const GitLabDiscussionNoteSchema = z.object({
     position: z
         .object({
         // Only present for DiffNote
-        base_sha: z.string().optional(),
-        start_sha: z.string().optional(),
-        head_sha: z.string().optional(),
+        base_sha: z.string().nullable().optional(),
+        start_sha: z.string().nullable().optional(),
+        head_sha: z.string().nullable().optional(),
         old_path: z.string().nullable().optional().describe("File path before change"),
         new_path: z.string().nullable().optional().describe("File path after change"),
-        position_type: z.enum(["text", "image", "file"]).optional(),
+        position_type: z.enum(["text", "image", "file"]).nullable().optional(),
         new_line: z
             .number()
             .nullable()
@@ -808,11 +808,11 @@ export const GitLabDiscussionNoteSchema = z.object({
             .nullable()
             .optional()
             .describe("Line number in the original file (before changes). Used for deleted lines and context lines. Null for newly added lines."),
-        line_range: LineRangeSchema.nullable().optional(), // For multi-line diff notes
-        width: z.number().optional(), // For image diff notes
-        height: z.number().optional(), // For image diff notes
-        x: z.number().optional(), // For image diff notes
-        y: z.number().optional(), // For image diff notes
+        line_range: LineRangeSchema.nullable().optional(), // Accept any value for line_range including null
+        width: z.number().nullable().optional(), // For image diff notes
+        height: z.number().nullable().optional(), // For image diff notes
+        x: z.number().nullable().optional(), // For image diff notes
+        y: z.number().nullable().optional(), // For image diff notes
     })
         .passthrough() // Allow additional fields
         .optional(),
@@ -1049,6 +1049,16 @@ export const ListMergeRequestDiffsSchema = GetMergeRequestSchema.extend({
         .optional()
         .describe("Present diffs in the unified diff format. Default is false. Introduced in GitLab 16.5."),
 });
+// Merge Request Versions API operation schemas
+export const ListMergeRequestVersionsSchema = ProjectParamsSchema.extend({
+    merge_request_iid: z.coerce.string().describe("The internal ID of the merge request"),
+});
+export const GetMergeRequestVersionSchema = ListMergeRequestVersionsSchema.extend({
+    version_id: z.coerce.string().describe("The ID of the merge request diff version"),
+    unidiff: z.boolean()
+        .optional()
+        .describe("Present diffs in the unified diff format. Default is false. Introduced in GitLab 16.5."),
+});
 export const CreateNoteSchema = z.object({
     project_id: z.coerce.string().describe("Project ID or namespace/project_path"),
     noteable_type: z
@@ -1105,7 +1115,7 @@ export const ListIssuesSchema = z
 // Merge Requests API operation schemas
 export const ListMergeRequestsSchema = z
     .object({
-    project_id: z.coerce.string().describe("Project ID or URL-encoded path"),
+    project_id: z.coerce.string().optional().describe("Project ID or URL-encoded path (optional - if not provided, lists all merge requests the user has access to)"),
     assignee_id: z.coerce
         .string()
         .optional()
@@ -1418,6 +1428,7 @@ export const MergeRequestThreadPositionCreateSchema = z.object({
     x: z.number().optional().describe("IMAGE DIFFS ONLY: X coordinate on the image (for position_type='image')."),
     y: z.number().optional().describe("IMAGE DIFFS ONLY: Y coordinate on the image (for position_type='image')."),
 });
+// Schema for creating/sending position to GitLab API (stricter)
 export const MergeRequestThreadPositionSchema = z.object({
     base_sha: z
         .string()
@@ -1454,18 +1465,22 @@ export const MergeRequestThreadPositionSchema = z.object({
     line_range: LineRangeSchema.nullable().optional().describe("MULTILINE COMMENTS: Specify start/end line positions for commenting on multiple lines. Alternative to single old_line/new_line."),
     width: z
         .number()
+        .nullable()
         .optional()
         .describe("IMAGE DIFFS ONLY: Width of the image (for position_type='image')."),
     height: z
         .number()
+        .nullable()
         .optional()
         .describe("IMAGE DIFFS ONLY: Height of the image (for position_type='image')."),
     x: z
         .number()
+        .nullable()
         .optional()
         .describe("IMAGE DIFFS ONLY: X coordinate on the image (for position_type='image')."),
     y: z
         .number()
+        .nullable()
         .optional()
         .describe("IMAGE DIFFS ONLY: Y coordinate on the image (for position_type='image')."),
 });
@@ -1502,7 +1517,7 @@ export const ListDraftNotesSchema = ProjectParamsSchema.extend({
 export const CreateDraftNoteSchema = ProjectParamsSchema.extend({
     merge_request_iid: z.coerce.string().describe("The IID of a merge request"),
     body: z.string().describe("The content of the draft note"),
-    position: MergeRequestThreadPositionCreateSchema.optional().describe("Position when creating a diff note"),
+    position: MergeRequestThreadPositionSchema.optional().describe("Position when creating a diff note"),
     resolve_discussion: z.boolean().optional().describe("Whether to resolve the discussion when publishing"),
 });
 // Update draft note schema
@@ -1510,7 +1525,7 @@ export const UpdateDraftNoteSchema = ProjectParamsSchema.extend({
     merge_request_iid: z.coerce.string().describe("The IID of a merge request"),
     draft_note_id: z.coerce.string().describe("The ID of the draft note"),
     body: z.string().optional().describe("The content of the draft note"),
-    position: MergeRequestThreadPositionCreateSchema.optional().describe("Position when creating a diff note"),
+    position: MergeRequestThreadPositionSchema.optional().describe("Position when creating a diff note"),
     resolve_discussion: z.boolean().optional().describe("Whether to resolve the discussion when publishing"),
 });
 // Delete draft note schema
@@ -1785,6 +1800,22 @@ export const GetProjectEventsSchema = z.object({
     page: z.number().optional().describe("Returns the specified results page. Default: 1"),
     per_page: z.number().optional().describe("Number of results per page. Default: 20"),
 });
+// Merge Request Versions schemas - Response schemas based on GitLab API documentation
+export const GitLabMergeRequestVersionSchema = z.object({
+    id: z.number(),
+    head_commit_sha: z.string(),
+    base_commit_sha: z.string(),
+    start_commit_sha: z.string(),
+    created_at: z.string(),
+    merge_request_id: z.number(),
+    state: z.string(),
+    real_size: z.string(),
+    patch_id_sha: z.string(),
+});
+export const GitLabMergeRequestVersionDetailSchema = GitLabMergeRequestVersionSchema.extend({
+    commits: z.array(GitLabCommitSchema),
+    diffs: z.array(GitLabDiffSchema),
+});
 // GraphQL generic execution schema
 export const ExecuteGraphQLSchema = z.object({
     query: z.string().describe("GraphQL query string"),

package/build/test/test-list-merge-requests.js

@@ -0,0 +1,106 @@
+import { describe, test, before, after } from 'node:test';
+import assert from 'node:assert';
+import { spawn } from 'child_process';
+import { MockGitLabServer, findMockServerPort } from './utils/mock-gitlab-server.js';
+const MOCK_TOKEN = 'glpat-mock-token-12345';
+const TEST_PROJECT_ID = '123';
+// Helper to run the MCP tool
+async function callListMergeRequests(args = {}, env) {
+    return new Promise((resolve, reject) => {
+        const proc = spawn('node', ['build/index.js'], {
+            stdio: ['pipe', 'pipe', 'pipe'],
+            env: {
+                ...process.env,
+                ...env,
+                GITLAB_READ_ONLY_MODE: 'true'
+            }
+        });
+        let output = '';
+        let errorOutput = '';
+        proc.stdout?.on('data', d => output += d);
+        proc.stderr?.on('data', d => errorOutput += d);
+        proc.on('close', (code) => {
+            if (code !== 0)
+                return reject(new Error(`Process exited with code ${code}: ${errorOutput}`));
+            // Find the JSON line in stdout
+            const line = output.split('\n').find(l => l.startsWith('{'));
+            if (!line)
+                return reject(new Error('No JSON output found'));
+            try {
+                const response = JSON.parse(line);
+                if (response.error) {
+                    reject(response.error);
+                }
+                else {
+                    // Parse the tool result content
+                    const content = response.result?.content?.[0]?.text;
+                    if (content) {
+                        try {
+                            resolve(JSON.parse(content));
+                        }
+                        catch (e) {
+                            reject(new Error(`Failed to parse tool output JSON: ${content}`));
+                        }
+                    }
+                    else {
+                        // Fallback for direct result (if changed in future) or empty
+                        resolve(response.result);
+                    }
+                }
+            }
+            catch (e) {
+                reject(e);
+            }
+        });
+        proc.stdin?.end(JSON.stringify({
+            jsonrpc: "2.0", id: 1, method: "tools/call",
+            params: { name: "list_merge_requests", arguments: args }
+        }) + '\n');
+    });
+}
+describe('list_merge_requests', () => {
+    let mockGitLab;
+    let mockGitLabUrl;
+    before(async () => {
+        const mockPort = await findMockServerPort(9000);
+        mockGitLab = new MockGitLabServer({
+            port: mockPort,
+            validTokens: [MOCK_TOKEN]
+        });
+        await mockGitLab.start();
+        mockGitLabUrl = mockGitLab.getUrl();
+    });
+    after(async () => {
+        await mockGitLab.stop();
+    });
+    test('lists global merge requests (no project_id)', async () => {
+        const mrs = await callListMergeRequests({}, {
+            GITLAB_API_URL: `${mockGitLabUrl}/api/v4`,
+            GITLAB_PERSONAL_ACCESS_TOKEN: MOCK_TOKEN
+        });
+        assert.ok(Array.isArray(mrs), 'Response should be an array');
+        assert.strictEqual(mrs.length, 2, 'Should return 2 mock MRs');
+        // Schema coerces project_id to string
+        assert.strictEqual(String(mrs[0].project_id), '123', 'MR should have correct project_id');
+    });
+    test('lists project-specific merge requests', async () => {
+        const mrs = await callListMergeRequests({ project_id: TEST_PROJECT_ID }, {
+            GITLAB_API_URL: `${mockGitLabUrl}/api/v4`,
+            GITLAB_PERSONAL_ACCESS_TOKEN: MOCK_TOKEN
+        });
+        assert.ok(Array.isArray(mrs), 'Response should be an array');
+        assert.strictEqual(mrs.length, 2, 'Should return 2 mock MRs');
+        assert.strictEqual(mrs[0].title, 'Test MR 1');
+    });
+    test('filters global merge requests', async () => {
+        // Note: The mock server returns static data, so filtering won't actually filter the results
+        // unless we implement filtering logic in the mock.
+        // But we can verify the call succeeds.
+        const mrs = await callListMergeRequests({ state: 'opened' }, {
+            GITLAB_API_URL: `${mockGitLabUrl}/api/v4`,
+            GITLAB_PERSONAL_ACCESS_TOKEN: MOCK_TOKEN
+        });
+        assert.ok(Array.isArray(mrs), 'Response should be an array');
+        assert.strictEqual(mrs.length, 2, 'Should return 2 mock MRs');
+    });
+});

package/build/test/utils/mock-gitlab-server.js

@@ -139,15 +139,71 @@ export class MockGitLabServer {
                 }
             });
         });
+        // GET /api/v4/merge_requests - List all merge requests (global)
+        this.app.get('/api/v4/merge_requests', (req, res) => {
+            res.json([
+                {
+                    id: 1,
+                    iid: 1,
+                    project_id: 123,
+                    title: 'Test MR 1',
+                    description: 'Description for MR 1',
+                    state: 'opened',
+                    created_at: '2024-01-01T00:00:00Z',
+                    updated_at: '2024-01-01T00:00:00Z',
+                    merged_at: null,
+                    closed_at: null,
+                    target_branch: 'main',
+                    source_branch: 'feature-1',
+                    web_url: 'https://gitlab.mock/project/123/merge_requests/1',
+                    merge_commit_sha: null,
+                    author: {
+                        id: 1,
+                        username: 'test-user',
+                        name: 'Test User'
+                    }
+                },
+                {
+                    id: 2,
+                    iid: 2,
+                    project_id: 123,
+                    title: 'Test MR 2',
+                    description: 'Description for MR 2',
+                    state: 'merged',
+                    created_at: '2024-01-02T00:00:00Z',
+                    updated_at: '2024-01-03T00:00:00Z',
+                    merged_at: '2024-01-03T00:00:00Z',
+                    closed_at: null,
+                    target_branch: 'main',
+                    source_branch: 'feature-2',
+                    web_url: 'https://gitlab.mock/project/123/merge_requests/2',
+                    merge_commit_sha: 'abcdef1234567890',
+                    author: {
+                        id: 1,
+                        username: 'test-user',
+                        name: 'Test User'
+                    }
+                }
+            ]);
+        });
         // GET /api/v4/projects/:projectId/merge_requests - List merge requests
         this.app.get('/api/v4/projects/:projectId/merge_requests', (req, res) => {
             res.json([
                 {
                     id: 1,
                     iid: 1,
+                    project_id: 123,
                     title: 'Test MR 1',
+                    description: 'Description for MR 1',
                     state: 'opened',
                     created_at: '2024-01-01T00:00:00Z',
+                    updated_at: '2024-01-01T00:00:00Z',
+                    merged_at: null,
+                    closed_at: null,
+                    target_branch: 'main',
+                    source_branch: 'feature-1',
+                    web_url: 'https://gitlab.mock/project/123/merge_requests/1',
+                    merge_commit_sha: null,
                     author: {
                         id: 1,
                         username: 'test-user',
@@ -157,9 +213,18 @@ export class MockGitLabServer {
                 {
                     id: 2,
                     iid: 2,
+                    project_id: 123,
                     title: 'Test MR 2',
+                    description: 'Description for MR 2',
                     state: 'merged',
                     created_at: '2024-01-02T00:00:00Z',
+                    updated_at: '2024-01-03T00:00:00Z',
+                    merged_at: '2024-01-03T00:00:00Z',
+                    closed_at: null,
+                    target_branch: 'main',
+                    source_branch: 'feature-2',
+                    web_url: 'https://gitlab.mock/project/123/merge_requests/2',
+                    merge_commit_sha: 'abcdef1234567890',
                     author: {
                         id: 1,
                         username: 'test-user',

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@zereight/mcp-gitlab",
-  "version": "2.0.21",
+  "version": "2.0.23",
   "description": "MCP server for using the GitLab API",
   "license": "MIT",
   "author": "zereight",
@@ -27,13 +27,14 @@
     "watch": "tsc --watch",
     "deploy": "npm publish --access public",
     "changelog": "auto-changelog -p",
-    "test": "node test/validate-api.js && npm run test:remote-auth",
-    "test:integration": "node test/validate-api.js",
+    "test": "npm run test:all",
+    "test:all": "npm run build && npm run test:mock && npm run test:live",
+    "test:mock": "npx tsx --test test/remote-auth-simple-test.ts && tsx test/oauth-tests.ts && tsx test/test-list-merge-requests.ts",
+    "test:live": "node test/validate-api.js && tsx test/readonly-mcp-tests.ts",
     "test:remote-auth": "npm run build && npx tsx --test test/remote-auth-simple-test.ts",
-    "test:server": "npm run build && node build/test/test-all-transport-server.js",
     "test:mcp:readonly": "tsx test/readonly-mcp-tests.ts",
     "test:oauth": "tsx test/oauth-tests.ts",
-    "test:all": "npm run test && npm run test:mcp:readonly && npm run test:oauth",
+    "test:list-merge-requests": "npm run build && tsx test/test-list-merge-requests.ts",
     "lint": "eslint . --ext .ts",
     "lint:fix": "eslint . --ext .ts --fix",
     "format": "prettier --write \"**/*.{js,ts,json,md}\"",