@zereight/mcp-gitlab 2.0.25 → 2.0.30

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (7) hide show
  1. package/README.md +40 -0
  2. package/build/index.js +520 -136
  3. package/build/schemas.js +268 -90
  4. package/build/test/test-download-attachment.js +144 -0
  5. package/build/test/test-toolset-filtering.js +451 -0
  6. package/build/test-resolve-issue-note.js +127 -0
  7. package/package.json +3 -2
package/build/test/test-download-attachment.js ADDED
@@ -0,0 +1,144 @@
1
+ import { describe, test, before, after } from 'node:test';
2
+ import assert from 'node:assert';
3
+ import { spawn } from 'node:child_process';
4
+ import fs from 'node:fs';
5
+ import { MockGitLabServer, findMockServerPort } from './utils/mock-gitlab-server.js';
6
+ const MOCK_TOKEN = 'glpat-mock-token-12345';
7
+ const TEST_PROJECT_ID = '123';
8
+ const TEST_SECRET = 'testsecret123';
9
+ // Minimum valid 1x1 transparent PNG
10
+ const MINIMAL_PNG_BUF = Buffer.from('iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAADUlEQVR42mNk+M9QDwADhgGAWjR9awAAAABJRU5ErkJggg==', 'base64');
11
+ // Unique suffix per test run to avoid conflicts on concurrent executions
12
+ const RUN_ID = Math.random().toString(36).slice(2, 8);
13
+ /**
14
+ * Spawn build/index.js, send a single download_attachment JSON-RPC call, and
15
+ * return the raw parsed JSON-RPC response (either {result:...} or {error:...}).
16
+ */
17
+ function callDownloadAttachment(args, env, timeoutMs = 15_000) {
18
+ return new Promise((resolve, reject) => {
19
+ const proc = spawn('node', ['build/index.js'], {
20
+ stdio: ['pipe', 'pipe', 'pipe'],
21
+ env: { ...process.env, ...env, GITLAB_READ_ONLY_MODE: 'true' },
22
+ });
23
+ const timer = setTimeout(() => {
24
+ proc.kill();
25
+ reject(new Error(`Process timed out after ${timeoutMs}ms`));
26
+ }, timeoutMs);
27
+ let stdout = '';
28
+ let stderr = '';
29
+ proc.stdout?.on('data', (d) => (stdout += d.toString()));
30
+ proc.stderr?.on('data', (d) => (stderr += d.toString()));
31
+ proc.on('error', (err) => {
32
+ clearTimeout(timer);
33
+ reject(new Error(`Failed to spawn process: ${err.message}`));
34
+ });
35
+ proc.on('close', () => {
36
+ clearTimeout(timer);
37
+ // Find the JSON-RPC response line matching our request id
38
+ const lines = stdout.split('\n').filter(l => l.trim().startsWith('{'));
39
+ for (const line of lines) {
40
+ try {
41
+ const parsed = JSON.parse(line);
42
+ if (parsed.id === 1) {
43
+ resolve(parsed);
44
+ return;
45
+ }
46
+ }
47
+ catch { /* try next line */ }
48
+ }
49
+ reject(new Error(`No matching JSON-RPC response found.\nstderr: ${stderr}`));
50
+ });
51
+ proc.stdin?.end(JSON.stringify({
52
+ jsonrpc: '2.0',
53
+ id: 1,
54
+ method: 'tools/call',
55
+ params: { name: 'download_attachment', arguments: args },
56
+ }) + '\n');
57
+ });
58
+ }
59
+ describe('download_attachment', () => {
60
+ let mockGitLab;
61
+ let env;
62
+ before(async () => {
63
+ const port = await findMockServerPort(9100);
64
+ mockGitLab = new MockGitLabServer({ port, validTokens: [MOCK_TOKEN] });
65
+ await mockGitLab.start();
66
+ env = {
67
+ GITLAB_API_URL: `${mockGitLab.getUrl()}/api/v4`,
68
+ GITLAB_PERSONAL_ACCESS_TOKEN: MOCK_TOKEN,
69
+ };
70
+ // PNG upload endpoint
71
+ mockGitLab.addMockHandler('get', `/projects/${TEST_PROJECT_ID}/uploads/${TEST_SECRET}/image.png`, (_req, res) => { res.set('Content-Type', 'image/png').send(MINIMAL_PNG_BUF); });
72
+ // Plain-text upload endpoint
73
+ mockGitLab.addMockHandler('get', `/projects/${TEST_PROJECT_ID}/uploads/${TEST_SECRET}/document.txt`, (_req, res) => { res.set('Content-Type', 'text/plain').send('hello world'); });
74
+ });
75
+ after(async () => {
76
+ await mockGitLab.stop();
77
+ });
78
+ test('image file without local_path returns base64 image content block', async () => {
79
+ const raw = await callDownloadAttachment({ project_id: TEST_PROJECT_ID, secret: TEST_SECRET, filename: 'image.png' }, env);
80
+ const content = raw.result?.content;
81
+ assert.ok(Array.isArray(content), 'result.content should be an array');
82
+ const imageBlock = content.find(c => c.type === 'image');
83
+ assert.ok(imageBlock, 'Should contain an image content block');
84
+ assert.strictEqual(imageBlock.mimeType, 'image/png', 'mimeType should be image/png');
85
+ assert.ok(typeof imageBlock.data === 'string' && imageBlock.data.length > 0, 'Image block should have non-empty base64 data');
86
+ });
87
+ test('non-image file is saved to disk and returns file_path', async () => {
88
+ const raw = await callDownloadAttachment({ project_id: TEST_PROJECT_ID, secret: TEST_SECRET, filename: 'document.txt' }, env);
89
+ const text = raw.result?.content?.[0]?.text;
90
+ assert.ok(text, 'Should have text content');
91
+ const parsed = JSON.parse(text);
92
+ try {
93
+ assert.strictEqual(parsed.success, true, 'success should be true');
94
+ assert.ok(typeof parsed.file_path === 'string', 'file_path should be a string');
95
+ assert.ok(parsed.file_path.endsWith('document.txt'), 'file_path should end with document.txt');
96
+ }
97
+ finally {
98
+ if (parsed.file_path && fs.existsSync(parsed.file_path)) {
99
+ fs.unlinkSync(parsed.file_path);
100
+ }
101
+ }
102
+ });
103
+ test('image file with local_path is saved to disk and returns file_path', async () => {
104
+ // Must be a relative path – the implementation rejects absolute paths as traversal
105
+ const localPath = `omc-test-save-${RUN_ID}`;
106
+ try {
107
+ const raw = await callDownloadAttachment({ project_id: TEST_PROJECT_ID, secret: TEST_SECRET, filename: 'image.png', local_path: localPath }, env);
108
+ const text = raw.result?.content?.[0]?.text;
109
+ assert.ok(text, 'Should have text content');
110
+ const parsed = JSON.parse(text);
111
+ assert.strictEqual(parsed.success, true, 'success should be true');
112
+ assert.ok(typeof parsed.file_path === 'string', 'file_path should be a string');
113
+ assert.ok(parsed.file_path.includes('image.png'), 'file_path should include image.png');
114
+ }
115
+ finally {
116
+ fs.rmSync(localPath, { recursive: true, force: true });
117
+ }
118
+ });
119
+ test('local_path with ".." returns path traversal error', async () => {
120
+ const raw = await callDownloadAttachment({ project_id: TEST_PROJECT_ID, secret: TEST_SECRET, filename: 'image.png', local_path: '../../../tmp' }, env);
121
+ // MCP SDK may return a JSON-RPC error or an isError content block; both must mention "traversal"
122
+ const isRpcError = typeof raw.error?.message === 'string' &&
123
+ raw.error.message.toLowerCase().includes('traversal');
124
+ const isContentError = Array.isArray(raw.result?.content) &&
125
+ raw.result.content.some(c => typeof c.text === 'string' && c.text.toLowerCase().includes('traversal'));
126
+ assert.ok(isRpcError || isContentError, 'Should return an error mentioning directory traversal');
127
+ });
128
+ test('non-existent local_path directory is auto-created before saving', async () => {
129
+ const baseDir = `omc-test-newdir-${RUN_ID}`;
130
+ const localPath = `${baseDir}/subdir`;
131
+ fs.rmSync(baseDir, { recursive: true, force: true });
132
+ try {
133
+ const raw = await callDownloadAttachment({ project_id: TEST_PROJECT_ID, secret: TEST_SECRET, filename: 'document.txt', local_path: localPath }, env);
134
+ const text = raw.result?.content?.[0]?.text;
135
+ assert.ok(text, 'Should have text content');
136
+ const parsed = JSON.parse(text);
137
+ assert.strictEqual(parsed.success, true, 'success should be true');
138
+ assert.ok(fs.existsSync(parsed.file_path), 'Saved file should exist on disk');
139
+ }
140
+ finally {
141
+ fs.rmSync(baseDir, { recursive: true, force: true });
142
+ }
143
+ });
144
+ });
package/build/test/test-toolset-filtering.js ADDED
@@ -0,0 +1,451 @@
1
+ /**
2
+ * Toolset Filtering Test Suite
3
+ *
4
+ * Tests GITLAB_TOOLSETS, GITLAB_TOOLS, and their interaction with
5
+ * legacy flags (USE_GITLAB_WIKI, USE_PIPELINE, USE_MILESTONE),
6
+ * GITLAB_READ_ONLY_MODE, and GITLAB_DENIED_TOOLS_REGEX.
7
+ */
8
+ import { describe, test, after, before } from "node:test";
9
+ import assert from "node:assert";
10
+ import { launchServer, findAvailablePort, cleanupServers, TransportMode, HOST, } from "./utils/server-launcher.js";
11
+ import { MockGitLabServer, findMockServerPort, } from "./utils/mock-gitlab-server.js";
12
+ import { CustomHeaderClient } from "./clients/custom-header-client.js";
13
+ const MOCK_TOKEN = "glpat-toolset-test-token";
14
+ // Port bases (offset from other test suites to avoid collisions)
15
+ const MOCK_PORT_BASE = 9200;
16
+ const MCP_PORT_BASE = 3200;
17
+ // Known tool counts per toolset (from TOOLSET_DEFINITIONS)
18
+ const TOOLSET_TOOL_COUNTS = {
19
+ merge_requests: 31,
20
+ issues: 14,
21
+ repositories: 7,
22
+ branches: 4,
23
+ projects: 8,
24
+ labels: 5,
25
+ pipelines: 12,
26
+ milestones: 9,
27
+ wiki: 5,
28
+ releases: 7,
29
+ users: 5,
30
+ };
31
+ const DEFAULT_TOOLSETS = [
32
+ "merge_requests",
33
+ "issues",
34
+ "repositories",
35
+ "branches",
36
+ "projects",
37
+ "labels",
38
+ "releases",
39
+ "users",
40
+ ];
41
+ const NON_DEFAULT_TOOLSETS = ["pipelines", "milestones", "wiki"];
42
+ const DEFAULT_TOOL_COUNT = DEFAULT_TOOLSETS.reduce((sum, id) => sum + TOOLSET_TOOL_COUNTS[id], 0);
43
+ const ALL_TOOLSET_TOOL_COUNT = Object.values(TOOLSET_TOOL_COUNTS).reduce((sum, c) => sum + c, 0);
44
+ // Representative tools per toolset for spot-checking
45
+ const TOOLSET_SAMPLE_TOOLS = {
46
+ merge_requests: ["merge_merge_request", "create_merge_request_thread", "list_draft_notes"],
47
+ issues: ["create_issue", "list_issues", "create_note"],
48
+ repositories: ["search_repositories", "get_file_contents", "push_files"],
49
+ branches: ["create_branch", "list_commits"],
50
+ projects: ["get_project", "list_namespaces", "list_group_iterations"],
51
+ labels: ["list_labels", "create_label"],
52
+ pipelines: ["list_pipelines", "create_pipeline", "cancel_pipeline_job"],
53
+ milestones: ["list_milestones", "create_milestone", "get_milestone_burndown_events"],
54
+ wiki: ["list_wiki_pages", "create_wiki_page"],
55
+ releases: ["list_releases", "create_release", "download_release_asset"],
56
+ users: ["get_users", "upload_markdown", "download_attachment"],
57
+ };
58
+ // --- Helpers ---
59
+ async function launchMcpServer(mockGitLabUrl, mcpPort, extraEnv = {}) {
60
+ return launchServer({
61
+ mode: TransportMode.STREAMABLE_HTTP,
62
+ port: mcpPort,
63
+ timeout: 10000,
64
+ env: {
65
+ STREAMABLE_HTTP: "true",
66
+ REMOTE_AUTHORIZATION: "true",
67
+ GITLAB_API_URL: `${mockGitLabUrl}/api/v4`,
68
+ ...extraEnv,
69
+ },
70
+ });
71
+ }
72
+ async function getToolNames(mcpUrl) {
73
+ const client = new CustomHeaderClient({
74
+ authorization: `Bearer ${MOCK_TOKEN}`,
75
+ });
76
+ await client.connect(mcpUrl);
77
+ const result = await client.listTools();
78
+ await client.disconnect();
79
+ return result.tools.map((t) => t.name);
80
+ }
81
+ function assertContainsAll(actual, expected, label) {
82
+ for (const name of expected) {
83
+ assert.ok(actual.includes(name), `${label}: expected tool "${name}" to be present`);
84
+ }
85
+ }
86
+ function assertContainsNone(actual, excluded, label) {
87
+ for (const name of excluded) {
88
+ assert.ok(!actual.includes(name), `${label}: expected tool "${name}" to be absent`);
89
+ }
90
+ }
91
+ // --- Tests ---
92
+ let mockGitLab;
93
+ let mockGitLabUrl;
94
+ let portCounter = 0;
95
+ async function nextMcpPort() {
96
+ return findAvailablePort(MCP_PORT_BASE + portCounter++ * 10);
97
+ }
98
+ describe("Toolset Filtering", () => {
99
+ before(async () => {
100
+ const mockPort = await findMockServerPort(MOCK_PORT_BASE);
101
+ mockGitLab = new MockGitLabServer({
102
+ port: mockPort,
103
+ validTokens: [MOCK_TOKEN],
104
+ });
105
+ await mockGitLab.start();
106
+ mockGitLabUrl = mockGitLab.getUrl();
107
+ console.log(`Mock GitLab: ${mockGitLabUrl}`);
108
+ });
109
+ after(async () => {
110
+ if (mockGitLab)
111
+ await mockGitLab.stop();
112
+ });
113
+ // ---- 1. Default behavior (no GITLAB_TOOLSETS / GITLAB_TOOLS) ----
114
+ describe("defaults (no GITLAB_TOOLSETS)", () => {
115
+ let server;
116
+ let tools;
117
+ before(async () => {
118
+ const port = await nextMcpPort();
119
+ server = await launchMcpServer(mockGitLabUrl, port);
120
+ tools = await getToolNames(`http://${HOST}:${port}/mcp`);
121
+ });
122
+ after(() => cleanupServers([server]));
123
+ test("returns expected default tool count", () => {
124
+ assert.strictEqual(tools.length, DEFAULT_TOOL_COUNT);
125
+ });
126
+ test("includes tools from every default toolset", () => {
127
+ for (const id of DEFAULT_TOOLSETS) {
128
+ assertContainsAll(tools, TOOLSET_SAMPLE_TOOLS[id], id);
129
+ }
130
+ });
131
+ test("excludes non-default toolsets (pipelines, milestones, wiki)", () => {
132
+ for (const id of NON_DEFAULT_TOOLSETS) {
133
+ assertContainsNone(tools, TOOLSET_SAMPLE_TOOLS[id], id);
134
+ }
135
+ });
136
+ test("excludes execute_graphql (not in any toolset)", () => {
137
+ assertContainsNone(tools, ["execute_graphql"], "unassigned");
138
+ });
139
+ });
140
+ // ---- 2. Single toolset ----
141
+ describe("GITLAB_TOOLSETS=issues", () => {
142
+ let server;
143
+ let tools;
144
+ before(async () => {
145
+ const port = await nextMcpPort();
146
+ server = await launchMcpServer(mockGitLabUrl, port, {
147
+ GITLAB_TOOLSETS: "issues",
148
+ });
149
+ tools = await getToolNames(`http://${HOST}:${port}/mcp`);
150
+ });
151
+ after(() => cleanupServers([server]));
152
+ test("returns only issue tools", () => {
153
+ assert.strictEqual(tools.length, TOOLSET_TOOL_COUNTS.issues);
154
+ });
155
+ test("includes issue sample tools", () => {
156
+ assertContainsAll(tools, TOOLSET_SAMPLE_TOOLS.issues, "issues");
157
+ });
158
+ test("excludes merge_requests tools", () => {
159
+ assertContainsNone(tools, TOOLSET_SAMPLE_TOOLS.merge_requests, "merge_requests");
160
+ });
161
+ });
162
+ // ---- 3. GITLAB_TOOLSETS=all ----
163
+ describe("GITLAB_TOOLSETS=all", () => {
164
+ let server;
165
+ let tools;
166
+ before(async () => {
167
+ const port = await nextMcpPort();
168
+ server = await launchMcpServer(mockGitLabUrl, port, {
169
+ GITLAB_TOOLSETS: "all",
170
+ });
171
+ tools = await getToolNames(`http://${HOST}:${port}/mcp`);
172
+ });
173
+ after(() => cleanupServers([server]));
174
+ test("returns all toolset tools", () => {
175
+ assert.strictEqual(tools.length, ALL_TOOLSET_TOOL_COUNT);
176
+ });
177
+ test("includes pipelines, milestones, and wiki", () => {
178
+ for (const id of NON_DEFAULT_TOOLSETS) {
179
+ assertContainsAll(tools, TOOLSET_SAMPLE_TOOLS[id], id);
180
+ }
181
+ });
182
+ test("still excludes execute_graphql", () => {
183
+ assertContainsNone(tools, ["execute_graphql"], "unassigned");
184
+ });
185
+ });
186
+ // ---- 4. GITLAB_TOOLS (individual tools, additive) ----
187
+ describe("GITLAB_TOOLS=list_pipelines,execute_graphql", () => {
188
+ let server;
189
+ let tools;
190
+ before(async () => {
191
+ const port = await nextMcpPort();
192
+ server = await launchMcpServer(mockGitLabUrl, port, {
193
+ GITLAB_TOOLS: "list_pipelines,execute_graphql",
194
+ });
195
+ tools = await getToolNames(`http://${HOST}:${port}/mcp`);
196
+ });
197
+ after(() => cleanupServers([server]));
198
+ test("returns default tools plus the two individual tools", () => {
199
+ assert.strictEqual(tools.length, DEFAULT_TOOL_COUNT + 2);
200
+ });
201
+ test("includes the individually added tools", () => {
202
+ assertContainsAll(tools, ["list_pipelines", "execute_graphql"], "individual");
203
+ });
204
+ test("does not include other pipeline tools", () => {
205
+ assertContainsNone(tools, ["create_pipeline", "cancel_pipeline"], "other pipelines");
206
+ });
207
+ });
208
+ // ---- 5. Toolset + individual tools combined ----
209
+ describe("GITLAB_TOOLSETS=issues + GITLAB_TOOLS=list_pipelines,get_pipeline", () => {
210
+ let server;
211
+ let tools;
212
+ before(async () => {
213
+ const port = await nextMcpPort();
214
+ server = await launchMcpServer(mockGitLabUrl, port, {
215
+ GITLAB_TOOLSETS: "issues",
216
+ GITLAB_TOOLS: "list_pipelines,get_pipeline",
217
+ });
218
+ tools = await getToolNames(`http://${HOST}:${port}/mcp`);
219
+ });
220
+ after(() => cleanupServers([server]));
221
+ test("returns issue tools + 2 individual pipeline tools", () => {
222
+ assert.strictEqual(tools.length, TOOLSET_TOOL_COUNTS.issues + 2);
223
+ });
224
+ test("includes issue tools and the two pipeline tools", () => {
225
+ assertContainsAll(tools, TOOLSET_SAMPLE_TOOLS.issues, "issues");
226
+ assertContainsAll(tools, ["list_pipelines", "get_pipeline"], "individual");
227
+ });
228
+ test("excludes other pipeline tools", () => {
229
+ assertContainsNone(tools, ["create_pipeline", "cancel_pipeline"], "other pipelines");
230
+ });
231
+ });
232
+ // ---- 6. Legacy flag USE_PIPELINE as additive override ----
233
+ describe("GITLAB_TOOLSETS=issues + USE_PIPELINE=true", () => {
234
+ let server;
235
+ let tools;
236
+ before(async () => {
237
+ const port = await nextMcpPort();
238
+ server = await launchMcpServer(mockGitLabUrl, port, {
239
+ GITLAB_TOOLSETS: "issues",
240
+ USE_PIPELINE: "true",
241
+ });
242
+ tools = await getToolNames(`http://${HOST}:${port}/mcp`);
243
+ });
244
+ after(() => cleanupServers([server]));
245
+ test("returns issue tools + all pipeline tools", () => {
246
+ assert.strictEqual(tools.length, TOOLSET_TOOL_COUNTS.issues + TOOLSET_TOOL_COUNTS.pipelines);
247
+ });
248
+ test("includes all pipeline tools via legacy flag", () => {
249
+ assertContainsAll(tools, TOOLSET_SAMPLE_TOOLS.pipelines, "pipelines");
250
+ });
251
+ });
252
+ // ---- 7. Legacy flag USE_GITLAB_WIKI ----
253
+ describe("USE_GITLAB_WIKI=true (no GITLAB_TOOLSETS)", () => {
254
+ let server;
255
+ let tools;
256
+ before(async () => {
257
+ const port = await nextMcpPort();
258
+ server = await launchMcpServer(mockGitLabUrl, port, {
259
+ USE_GITLAB_WIKI: "true",
260
+ });
261
+ tools = await getToolNames(`http://${HOST}:${port}/mcp`);
262
+ });
263
+ after(() => cleanupServers([server]));
264
+ test("returns default tools + wiki tools", () => {
265
+ assert.strictEqual(tools.length, DEFAULT_TOOL_COUNT + TOOLSET_TOOL_COUNTS.wiki);
266
+ });
267
+ test("includes wiki tools", () => {
268
+ assertContainsAll(tools, TOOLSET_SAMPLE_TOOLS.wiki, "wiki");
269
+ });
270
+ });
271
+ // ---- 8. Read-only mode applied after toolset filter ----
272
+ describe("GITLAB_TOOLSETS=issues + GITLAB_READ_ONLY_MODE=true", () => {
273
+ let server;
274
+ let tools;
275
+ // Read-only issue tools (from readOnlyTools set in index.ts)
276
+ const readOnlyIssueTools = [
277
+ "list_issues",
278
+ "my_issues",
279
+ "get_issue",
280
+ "list_issue_links",
281
+ "list_issue_discussions",
282
+ "get_issue_link",
283
+ ];
284
+ const writeIssueTools = [
285
+ "create_issue",
286
+ "update_issue",
287
+ "delete_issue",
288
+ "create_issue_note",
289
+ "update_issue_note",
290
+ "create_issue_link",
291
+ "delete_issue_link",
292
+ "create_note",
293
+ ];
294
+ before(async () => {
295
+ const port = await nextMcpPort();
296
+ server = await launchMcpServer(mockGitLabUrl, port, {
297
+ GITLAB_TOOLSETS: "issues",
298
+ GITLAB_READ_ONLY_MODE: "true",
299
+ });
300
+ tools = await getToolNames(`http://${HOST}:${port}/mcp`);
301
+ });
302
+ after(() => cleanupServers([server]));
303
+ test("includes only read-only issue tools", () => {
304
+ assertContainsAll(tools, readOnlyIssueTools, "read-only issues");
305
+ });
306
+ test("excludes write issue tools", () => {
307
+ assertContainsNone(tools, writeIssueTools, "write issues");
308
+ });
309
+ test("returns correct count", () => {
310
+ assert.strictEqual(tools.length, readOnlyIssueTools.length);
311
+ });
312
+ });
313
+ // ---- 9. GITLAB_DENIED_TOOLS_REGEX applied after toolset filter ----
314
+ describe("GITLAB_TOOLSETS=issues + GITLAB_DENIED_TOOLS_REGEX=^(create_|delete_)", () => {
315
+ let server;
316
+ let tools;
317
+ before(async () => {
318
+ const port = await nextMcpPort();
319
+ server = await launchMcpServer(mockGitLabUrl, port, {
320
+ GITLAB_TOOLSETS: "issues",
321
+ GITLAB_DENIED_TOOLS_REGEX: "^(create_|delete_)",
322
+ });
323
+ tools = await getToolNames(`http://${HOST}:${port}/mcp`);
324
+ });
325
+ after(() => cleanupServers([server]));
326
+ test("excludes tools matching the denial regex", () => {
327
+ const denied = tools.filter((t) => t.startsWith("create_") || t.startsWith("delete_"));
328
+ assert.strictEqual(denied.length, 0, `Should have no create_/delete_ tools, found: ${denied}`);
329
+ });
330
+ test("keeps non-matching issue tools", () => {
331
+ assertContainsAll(tools, ["list_issues", "my_issues", "get_issue", "update_issue", "update_issue_note"], "non-denied issues");
332
+ });
333
+ });
334
+ // ---- 10. Full combination: toolset + individual + legacy + read-only ----
335
+ describe("GITLAB_TOOLSETS=issues + GITLAB_TOOLS=list_pipelines + USE_GITLAB_WIKI=true + GITLAB_READ_ONLY_MODE=true", () => {
336
+ let server;
337
+ let tools;
338
+ before(async () => {
339
+ const port = await nextMcpPort();
340
+ server = await launchMcpServer(mockGitLabUrl, port, {
341
+ GITLAB_TOOLSETS: "issues",
342
+ GITLAB_TOOLS: "list_pipelines",
343
+ USE_GITLAB_WIKI: "true",
344
+ GITLAB_READ_ONLY_MODE: "true",
345
+ });
346
+ tools = await getToolNames(`http://${HOST}:${port}/mcp`);
347
+ });
348
+ after(() => cleanupServers([server]));
349
+ test("includes read-only issue tools", () => {
350
+ assertContainsAll(tools, ["list_issues", "get_issue"], "read-only issues");
351
+ });
352
+ test("includes list_pipelines (read-only individual tool)", () => {
353
+ assertContainsAll(tools, ["list_pipelines"], "individual pipeline");
354
+ });
355
+ test("includes read-only wiki tools from legacy flag", () => {
356
+ assertContainsAll(tools, ["list_wiki_pages", "get_wiki_page"], "read-only wiki");
357
+ });
358
+ test("excludes write tools across all sources", () => {
359
+ assertContainsNone(tools, ["create_issue", "create_pipeline", "create_wiki_page"], "write tools");
360
+ });
361
+ });
362
+ // ---- 11. Redundant legacy flag (toolset already includes it) ----
363
+ describe("GITLAB_TOOLSETS=pipelines + USE_PIPELINE=true (redundant)", () => {
364
+ let server;
365
+ let tools;
366
+ before(async () => {
367
+ const port = await nextMcpPort();
368
+ server = await launchMcpServer(mockGitLabUrl, port, {
369
+ GITLAB_TOOLSETS: "pipelines",
370
+ USE_PIPELINE: "true",
371
+ });
372
+ tools = await getToolNames(`http://${HOST}:${port}/mcp`);
373
+ });
374
+ after(() => cleanupServers([server]));
375
+ test("returns exactly pipeline tool count (no duplicates)", () => {
376
+ assert.strictEqual(tools.length, TOOLSET_TOOL_COUNTS.pipelines);
377
+ });
378
+ });
379
+ // ---- 12. GITLAB_TOOLS with tool already in enabled toolset (no dupes) ----
380
+ describe("GITLAB_TOOLSETS=issues + GITLAB_TOOLS=list_issues (already included)", () => {
381
+ let server;
382
+ let tools;
383
+ before(async () => {
384
+ const port = await nextMcpPort();
385
+ server = await launchMcpServer(mockGitLabUrl, port, {
386
+ GITLAB_TOOLSETS: "issues",
387
+ GITLAB_TOOLS: "list_issues",
388
+ });
389
+ tools = await getToolNames(`http://${HOST}:${port}/mcp`);
390
+ });
391
+ after(() => cleanupServers([server]));
392
+ test("returns exactly issue tool count (no duplicates)", () => {
393
+ assert.strictEqual(tools.length, TOOLSET_TOOL_COUNTS.issues);
394
+ });
395
+ });
396
+ // ---- 13. Invalid toolset ID is silently ignored ----
397
+ describe("GITLAB_TOOLSETS=issues,nonexistent_toolset", () => {
398
+ let server;
399
+ let tools;
400
+ before(async () => {
401
+ const port = await nextMcpPort();
402
+ server = await launchMcpServer(mockGitLabUrl, port, {
403
+ GITLAB_TOOLSETS: "issues,nonexistent_toolset",
404
+ });
405
+ tools = await getToolNames(`http://${HOST}:${port}/mcp`);
406
+ });
407
+ after(() => cleanupServers([server]));
408
+ test("returns only issue tools (invalid toolset ignored)", () => {
409
+ assert.strictEqual(tools.length, TOOLSET_TOOL_COUNTS.issues);
410
+ });
411
+ });
412
+ // ---- 14. GITLAB_TOOLS case-insensitive matching ----
413
+ describe("GITLAB_TOOLS with mixed-case tool names", () => {
414
+ let server;
415
+ let tools;
416
+ before(async () => {
417
+ const port = await nextMcpPort();
418
+ server = await launchMcpServer(mockGitLabUrl, port, {
419
+ GITLAB_TOOLS: "List_Pipelines,Execute_GraphQL",
420
+ });
421
+ tools = await getToolNames(`http://${HOST}:${port}/mcp`);
422
+ });
423
+ after(() => cleanupServers([server]));
424
+ test("resolves mixed-case tool names to lowercase equivalents", () => {
425
+ assertContainsAll(tools, ["list_pipelines", "execute_graphql"], "case-insensitive tools");
426
+ });
427
+ test("returns default tools plus the two individual tools", () => {
428
+ assert.strictEqual(tools.length, DEFAULT_TOOL_COUNT + 2);
429
+ });
430
+ });
431
+ // ---- 15. GITLAB_TOOLS with unknown tool names ----
432
+ describe("GITLAB_TOOLS with unknown tool names", () => {
433
+ let server;
434
+ let tools;
435
+ before(async () => {
436
+ const port = await nextMcpPort();
437
+ server = await launchMcpServer(mockGitLabUrl, port, {
438
+ GITLAB_TOOLS: "list_pipelines,nonexistent_tool_xyz",
439
+ });
440
+ tools = await getToolNames(`http://${HOST}:${port}/mcp`);
441
+ });
442
+ after(() => cleanupServers([server]));
443
+ test("server starts normally and returns tools without crashing", () => {
444
+ assert.ok(tools.length > 0, "Should return at least some tools");
445
+ });
446
+ test("includes the valid individual tool but ignores the unknown one", () => {
447
+ assertContainsAll(tools, ["list_pipelines"], "valid individual tool");
448
+ assertContainsNone(tools, ["nonexistent_tool_xyz"], "unknown tool");
449
+ });
450
+ });
451
+ });