@zereight/mcp-gitlab 2.0.33 → 2.0.34

package/README.md

@@ -336,7 +336,7 @@ docker run -i --rm \
 - `GITLAB_OAUTH_REDIRECT_URI`: The OAuth callback URL. Default: `http://127.0.0.1:8888/callback`
 - `GITLAB_OAUTH_TOKEN_PATH`: Custom path to store the OAuth token. Default: `~/.gitlab-mcp-token.json`
 - `REMOTE_AUTHORIZATION`: When set to 'true', enables remote per-session authorization via HTTP headers. In this mode:
-  - The server accepts GitLab PAT tokens from HTTP headers (`Authorization: Bearer <token>` or `Private-Token: <token>`) on a per-session basis
+  - The server accepts GitLab PAT tokens from HTTP headers (`Authorization: Bearer <token>`, `Private-Token: <token>` or `Job-Token: <token>`) on a per-session basis
   - `GITLAB_PERSONAL_ACCESS_TOKEN` environment variable is **not required** and ignored
   - Only works with **Streamable HTTP transport** (`STREAMABLE_HTTP=true`) because session management was already handled by the transport layer
   - **SSE transport is disabled** - attempting to use SSE with remote authorization will cause the server to exit with an error
@@ -400,6 +400,7 @@ docker run -i --rm \
 - `SSE`: When set to 'true', enables the Server-Sent Events transport.
 - `STREAMABLE_HTTP`: When set to 'true', enables the Streamable HTTP transport. If both **SSE** and **STREAMABLE_HTTP** are set to 'true', the server will prioritize Streamable HTTP over SSE transport.
 - `GITLAB_COMMIT_FILES_PER_PAGE`: The number of files per page that GitLab returns for commit diffs. This value should match the server-side GitLab setting. Adjust this if your GitLab instance uses a custom per-page value for commit diffs.
+- `GITLAB_REPO_FILE_ENCODING`: Encoding for repository file create/update and related commit payloads sent to the GitLab API. Use `text` (default) or `base64`. Equivalent CLI: `--repo-file-encoding=text|base64`.
 
 #### Performance & Security Configuration
 
@@ -407,6 +408,16 @@ docker run -i --rm \
 - `MAX_SESSIONS`: Maximum number of concurrent sessions allowed. Default: `1000`. Valid range: 1-10000. When limit is reached, new connections are rejected with HTTP 503.
 - `MAX_REQUESTS_PER_MINUTE`: Rate limit per session in requests per minute. Default: `60`. Valid range: 1-1000. Exceeded requests return HTTP 429.
 - `PORT`: Server port. Default: `3002`. Valid range: 1-65535.
+- `HTTP_PROXY`: HTTP proxy server URL for outgoing requests. Example: `http://proxy.example.com:8080`. Supports HTTP/HTTPS and SOCKS proxies (URLs starting with `socks://` or `socks5://`). CLI arg: `--http-proxy`
+- `HTTPS_PROXY`: HTTPS proxy server URL for outgoing requests. Example: `https://proxy.example.com:8080`. Supports HTTP/HTTPS and SOCKS proxies. CLI arg: `--https-proxy`
+- `NO_PROXY`: Comma-separated list of hosts that should bypass the proxy. Supports:
+  - Exact hostname matches (e.g., `localhost`, `gitlab.internal.com`)
+  - Domain suffix matches (e.g., `.internal.com` matches any subdomain)
+  - IP addresses (e.g., `127.0.0.1`, `192.168.1.1`)
+  - Port-specific matches (e.g., `example.com:443`)
+  - Wildcard `*` to bypass proxy for all hosts
+  - Example: `NO_PROXY=localhost,127.0.0.1,.internal.com`
+  - CLI arg: `--no-proxy`
 
 #### Monitoring Endpoints
 

package/build/gitlab-client-pool.js

@@ -4,6 +4,64 @@ import { HttpProxyAgent } from "http-proxy-agent";
 import { HttpsProxyAgent } from "https-proxy-agent";
 import { SocksProxyAgent } from "socks-proxy-agent";
 import fs from "fs";
+/**
+ * Checks if a URL should bypass the proxy based on NO_PROXY patterns.
+ * Supports:
+ * - Exact hostname matches (e.g., "localhost", "gitlab.example.com")
+ * - Domain suffix matches (e.g., ".example.com" matches "gitlab.example.com")
+ * - IP addresses (e.g., "127.0.0.1", "192.168.1.1")
+ * - Wildcard "*" to bypass all proxies
+ * - Port-specific matches (e.g., "example.com:8080")
+ *
+ * @param url The URL to check
+ * @param noProxy Comma-separated list of patterns from NO_PROXY
+ * @returns true if the URL should bypass the proxy, false otherwise
+ */
+function shouldBypassProxy(url, noProxy) {
+    if (!noProxy) {
+        return false;
+    }
+    // Parse URL to get hostname and port
+    let hostname;
+    let port;
+    let protocol;
+    try {
+        const parsedUrl = new URL(url);
+        hostname = parsedUrl.hostname.toLowerCase();
+        protocol = parsedUrl.protocol;
+        // Use explicit port if provided, otherwise use default port based on protocol
+        port = parsedUrl.port || (protocol === 'https:' ? '443' : '80');
+    }
+    catch {
+        return false;
+    }
+    // Split NO_PROXY into patterns and trim whitespace
+    const patterns = noProxy.split(',').map(p => p.trim().toLowerCase()).filter(p => p.length > 0);
+    for (const pattern of patterns) {
+        // Wildcard matches everything
+        if (pattern === '*') {
+            return true;
+        }
+        // Handle port-specific patterns (e.g., "example.com:8080")
+        const [patternHost, patternPort] = pattern.split(':');
+        // If pattern specifies a port, check if it matches
+        if (patternPort && port !== patternPort) {
+            continue;
+        }
+        // Check for domain suffix match (e.g., ".example.com")
+        if (patternHost.startsWith('.')) {
+            const suffix = patternHost.substring(1);
+            if (hostname === suffix || hostname.endsWith('.' + suffix)) {
+                return true;
+            }
+        }
+        // Check for exact hostname match
+        else if (hostname === patternHost) {
+            return true;
+        }
+    }
+    return false;
+}
 /**
  * Manages a pool of HTTP/HTTPS agents for different GitLab API URLs.
  * This allows the server to efficiently handle requests to multiple GitLab instances
@@ -23,7 +81,7 @@ export class GitLabClientPool {
      * @returns A `ClientAgents` object containing the configured agents.
      */
     createAgentsForUrl(apiUrl) {
-        const { httpProxy, httpsProxy, rejectUnauthorized, caCertPath } = this.options;
+        const { httpProxy, httpsProxy, noProxy, rejectUnauthorized, caCertPath } = this.options;
         const url = new URL(apiUrl);
         let sslOptions = {};
         if (rejectUnauthorized === false) {
@@ -38,10 +96,12 @@ export class GitLabClientPool {
                 throw new Error(`Failed to read CA certificate: ${caCertPath}`);
             }
         }
+        // Check if this URL should bypass the proxy
+        const bypassProxy = shouldBypassProxy(apiUrl, noProxy);
         let httpAgent;
         let httpsAgent;
-        // Configure HTTP agent with proxy if specified
-        if (httpProxy) {
+        // Configure HTTP agent with proxy if specified and not bypassed
+        if (httpProxy && !bypassProxy) {
             httpAgent = httpProxy.startsWith("socks")
                 ? new SocksProxyAgent(httpProxy)
                 : new HttpProxyAgent(httpProxy);
@@ -49,8 +109,8 @@ export class GitLabClientPool {
         else {
             httpAgent = new Agent({ keepAlive: true });
         }
-        // Configure HTTPS agent with proxy and SSL options if specified
-        if (httpsProxy) {
+        // Configure HTTPS agent with proxy and SSL options if specified and not bypassed
+        if (httpsProxy && !bypassProxy) {
             httpsAgent = httpsProxy.startsWith("socks")
                 // The `as any` cast is used here to bypass a TypeScript type mismatch error.
                 // The `socks-proxy-agent` documentation indicates that TLS options like
@@ -72,6 +132,31 @@ export class GitLabClientPool {
      * @returns The corresponding `Agent` for the URL's protocol.
      */
     getOrCreateAgentForUrl(apiUrl) {
+        const agents = this.getOrCreateAgentsForUrl(apiUrl);
+        const url = new URL(apiUrl);
+        return url.protocol === "https:" ? agents.httpsAgent : agents.httpAgent;
+    }
+    /**
+     * Returns an agent-selection function for use with node-fetch's `agent` option.
+     * The returned function picks the correct HTTP or HTTPS agent based on the
+     * request URL's protocol. This is critical for self-hosted GitLab instances
+     * where the server may redirect between HTTP and HTTPS (e.g., when
+     * `external_url` differs from the actual internal protocol).
+     * @param apiUrl The base API URL used to look up or create the agent pair.
+     * @returns A function `(parsedURL: URL) => Agent` suitable for node-fetch.
+     */
+    getAgentFunctionForUrl(apiUrl) {
+        const agents = this.getOrCreateAgentsForUrl(apiUrl);
+        return (parsedURL) => {
+            return parsedURL.protocol === "https:" ? agents.httpsAgent : agents.httpAgent;
+        };
+    }
+    /**
+     * Ensures agents exist for the given API URL and returns the pair.
+     * @param apiUrl The full URL of the request.
+     * @returns The `ClientAgents` (both HTTP and HTTPS agents) for the URL.
+     */
+    getOrCreateAgentsForUrl(apiUrl) {
         const url = new URL(apiUrl);
         const baseUrl = `${url.protocol}//${url.host}${url.pathname.substring(0, url.pathname.lastIndexOf('/api/v4') + '/api/v4'.length)}`;
         if (!this.clients.has(baseUrl)) {
@@ -86,7 +171,7 @@ export class GitLabClientPool {
             // This should not happen given the logic above, but it satisfies TypeScript
             throw new Error(`Failed to create or get client for URL: ${baseUrl}`);
         }
-        return url.protocol === "https:" ? agents.httpsAgent : agents.httpAgent;
+        return agents;
     }
     /**
      * Retrieves the client agents for a specific base API URL.
@@ -110,4 +195,21 @@ export class GitLabClientPool {
         }
         return this.clients.get(defaultUrl);
     }
+    /**
+     * Destroy all pooled agents and clear pool state.
+     * This should be called on graceful shutdown so sockets are closed
+     * and the process can exit cleanly.
+     */
+    closeAll() {
+        for (const [, agents] of this.clients) {
+            const destroyIfSupported = (agent) => {
+                if (agent && typeof agent.destroy === "function") {
+                    agent.destroy();
+                }
+            };
+            destroyIfSupported(agents.httpAgent);
+            destroyIfSupported(agents.httpsAgent);
+        }
+        this.clients.clear();
+    }
 }

package/build/index.js

@@ -50,7 +50,7 @@ GitLabDiscussionNoteSchema, // Added
 GitLabDiscussionSchema, 
 // Draft Notes Schemas
 GitLabDraftNoteSchema, GitLabForkSchema, GitLabIssueLinkSchema, GitLabIssueSchema, GitLabIssueWithLinkDetailsSchema, GitLabMarkdownUploadSchema, GitLabMergeRequestSchema, GitLabMilestonesSchema, GitLabNamespaceExistsResponseSchema, GitLabNamespaceSchema, GitLabPipelineJobSchema, GitLabDeploymentSchema, GitLabEnvironmentSchema, GitLabPipelineSchema, GitLabPipelineTriggerJobSchema, GitLabProjectMemberSchema, GitLabProjectSchema, GitLabReferenceSchema, GitLabRepositorySchema, GitLabSearchResponseSchema, GitLabTreeItemSchema, GitLabTreeSchema, GitLabUserSchema, GitLabUsersResponseSchema, GitLabWikiPageSchema, GroupIteration, ListCommitsSchema, ListDraftNotesSchema, ListGroupIterationsSchema, ListGroupProjectsSchema, ListIssueDiscussionsSchema, ListIssueLinksSchema, ListIssuesSchema, ListLabelsSchema, ListMergeRequestDiffsSchema, // Added
-ListMergeRequestDiscussionsSchema, ListMergeRequestsSchema, ListMergeRequestVersionsSchema, GetMergeRequestVersionSchema, GitLabMergeRequestVersionSchema, GitLabMergeRequestVersionDetailSchema, ListNamespacesSchema, ListPipelineJobsSchema, ListPipelinesSchema, ListDeploymentsSchema, ListEnvironmentsSchema, ListPipelineTriggerJobsSchema, ListProjectMembersSchema, ListProjectMilestonesSchema, ListProjectsSchema, ListWikiPagesSchema, MarkdownUploadSchema, DownloadAttachmentSchema, DownloadJobArtifactsSchema, GetJobArtifactFileSchema, GitLabArtifactEntrySchema, ListJobArtifactsSchema, MergeMergeRequestSchema, ApproveMergeRequestSchema, UnapproveMergeRequestSchema, GetMergeRequestApprovalStateSchema, GitLabMergeRequestApprovalsResponseSchema, GitLabMergeRequestApprovalStateSchema, MyIssuesSchema, PaginatedDiscussionsResponseSchema, PromoteProjectMilestoneSchema, PublishDraftNoteSchema, PlayPipelineJobSchema, PushFilesSchema, RetryPipelineJobSchema, RetryPipelineSchema, SearchRepositoriesSchema, UpdateDraftNoteSchema, UpdateIssueNoteSchema, UpdateIssueSchema, UpdateLabelSchema, UpdateMergeRequestNoteSchema, UpdateMergeRequestDiscussionNoteSchema, UpdateMergeRequestSchema, UpdateWikiPageSchema, VerifyNamespaceSchema, GitLabEventSchema, ListEventsSchema, GetProjectEventsSchema, ExecuteGraphQLSchema, GitLabReleaseSchema, ListReleasesSchema, GetReleaseSchema, CreateReleaseSchema, UpdateReleaseSchema, DeleteReleaseSchema, CreateReleaseEvidenceSchema, DownloadReleaseAssetSchema, GetMergeRequestNotesSchema, GetMergeRequestNoteSchema, DeleteMergeRequestDiscussionNoteSchema, ResolveMergeRequestThreadSchema, ListWebhooksSchema, ListWebhookEventsSchema, GetWebhookEventSchema, } from "./schemas.js";
+ListMergeRequestDiscussionsSchema, ListMergeRequestsSchema, ListMergeRequestVersionsSchema, GetMergeRequestVersionSchema, GitLabMergeRequestVersionSchema, GitLabMergeRequestVersionDetailSchema, ListNamespacesSchema, ListPipelineJobsSchema, ListPipelinesSchema, ListDeploymentsSchema, ListEnvironmentsSchema, ListPipelineTriggerJobsSchema, ListProjectMembersSchema, ListProjectMilestonesSchema, ListProjectsSchema, ListWikiPagesSchema, MarkdownUploadSchema, DownloadAttachmentSchema, DownloadJobArtifactsSchema, GetJobArtifactFileSchema, GitLabArtifactEntrySchema, ListJobArtifactsSchema, MergeMergeRequestSchema, ApproveMergeRequestSchema, UnapproveMergeRequestSchema, GetMergeRequestApprovalStateSchema, GetMergeRequestConflictsSchema, GitLabMergeRequestApprovalsResponseSchema, GitLabMergeRequestApprovalStateSchema, MyIssuesSchema, PaginatedDiscussionsResponseSchema, PromoteProjectMilestoneSchema, PublishDraftNoteSchema, PlayPipelineJobSchema, PushFilesSchema, RetryPipelineJobSchema, RetryPipelineSchema, SearchRepositoriesSchema, UpdateDraftNoteSchema, UpdateIssueNoteSchema, UpdateIssueSchema, UpdateLabelSchema, UpdateMergeRequestNoteSchema, UpdateMergeRequestDiscussionNoteSchema, UpdateMergeRequestSchema, UpdateWikiPageSchema, VerifyNamespaceSchema, GitLabEventSchema, ListEventsSchema, GetProjectEventsSchema, ExecuteGraphQLSchema, GitLabReleaseSchema, ListReleasesSchema, GetReleaseSchema, CreateReleaseSchema, UpdateReleaseSchema, DeleteReleaseSchema, CreateReleaseEvidenceSchema, DownloadReleaseAssetSchema, GetMergeRequestNotesSchema, GetMergeRequestNoteSchema, DeleteMergeRequestDiscussionNoteSchema, ResolveMergeRequestThreadSchema, ListWebhooksSchema, ListWebhookEventsSchema, GetWebhookEventSchema, } from "./schemas.js";
 import { randomUUID } from "node:crypto";
 import { pino } from "pino";
 const logger = pino({
@@ -314,6 +314,7 @@ const PORT = Number.parseInt(getConfig("port", "PORT", "3002"), 10);
 // Add proxy configuration
 const HTTP_PROXY = getConfig("http-proxy", "HTTP_PROXY");
 const HTTPS_PROXY = getConfig("https-proxy", "HTTPS_PROXY");
+const NO_PROXY = getConfig("no-proxy", "NO_PROXY");
 const NODE_TLS_REJECT_UNAUTHORIZED = getConfig("tls-reject-unauthorized", "NODE_TLS_REJECT_UNAUTHORIZED");
 const GITLAB_CA_CERT_PATH = getConfig("ca-cert-path", "GITLAB_CA_CERT_PATH");
 const GITLAB_POOL_MAX_SIZE = getConfig("pool-max-size", "GITLAB_POOL_MAX_SIZE")
@@ -355,6 +356,7 @@ const clientPool = new GitLabClientPool({
         .map(normalizeGitLabApiUrl),
     httpProxy: HTTP_PROXY,
     httpsProxy: HTTPS_PROXY,
+    noProxy: NO_PROXY,
     rejectUnauthorized: NODE_TLS_REJECT_UNAUTHORIZED !== "0",
     caCertPath: GITLAB_CA_CERT_PATH,
     poolMaxSize: GITLAB_POOL_MAX_SIZE,
@@ -535,7 +537,7 @@ function getEffectiveApiUrl() {
  */
 const getFetchConfig = () => {
     const effectiveApiUrl = getEffectiveApiUrl();
-    const agent = clientPool.getOrCreateAgentForUrl(effectiveApiUrl);
+    const agent = clientPool.getAgentFunctionForUrl(effectiveApiUrl);
     return {
         headers: { ...BASE_HEADERS, ...buildAuthHeaders() },
         agent: agent,
@@ -603,6 +605,11 @@ const allTools = [
         description: "Get merge request approval details including approvers (uses approval_state when available, falls back to approvals endpoint)",
         inputSchema: toJSONSchema(GetMergeRequestApprovalStateSchema),
     },
+    {
+        name: "get_merge_request_conflicts",
+        description: "Get the conflicts of a merge request in a GitLab project",
+        inputSchema: toJSONSchema(GetMergeRequestConflictsSchema),
+    },
     {
         name: "execute_graphql",
         description: "Execute a GitLab GraphQL query",
@@ -1235,6 +1242,7 @@ const readOnlyTools = new Set([
     "get_release",
     "download_release_asset",
     "get_merge_request_approval_state",
+    "get_merge_request_conflicts",
     "list_webhooks",
     "list_webhook_events",
     "get_webhook_event",
@@ -1291,6 +1299,7 @@ const TOOLSET_DEFINITIONS = [
             "approve_merge_request",
             "unapprove_merge_request",
             "get_merge_request_approval_state",
+            "get_merge_request_conflicts",
             "get_merge_request",
             "get_merge_request_diffs",
             "list_merge_request_diffs",
@@ -1583,6 +1592,9 @@ const GITLAB_ALLOWED_PROJECT_IDS = process.env.GITLAB_ALLOWED_PROJECT_IDS?.split
 const GITLAB_COMMIT_FILES_PER_PAGE = process.env.GITLAB_COMMIT_FILES_PER_PAGE
     ? Number.parseInt(process.env.GITLAB_COMMIT_FILES_PER_PAGE, 10)
     : 20;
+const GITLAB_REPO_FILE_ENCODING = getConfig("repo-file-encoding", "GITLAB_REPO_FILE_ENCODING", "text") === "base64"
+    ? "base64"
+    : "text";
 // Validate authentication configuration
 if (REMOTE_AUTHORIZATION) {
     // Remote authorization mode: token comes from HTTP headers
@@ -1598,7 +1610,7 @@ if (REMOTE_AUTHORIZATION) {
     }
     logger.info("Remote authorization enabled: tokens will be read from HTTP headers");
 }
-else if (!USE_OAUTH && !GITLAB_PERSONAL_ACCESS_TOKEN && !GITLAB_AUTH_COOKIE_PATH) {
+else if (!USE_OAUTH && !GITLAB_PERSONAL_ACCESS_TOKEN && !GITLAB_JOB_TOKEN && !GITLAB_AUTH_COOKIE_PATH) {
     // Standard mode: token must be in environment (unless using OAuth)
     logger.error("GITLAB_PERSONAL_ACCESS_TOKEN environment variable is not set");
     logger.info("Either set GITLAB_PERSONAL_ACCESS_TOKEN or enable OAuth with GITLAB_USE_OAUTH=true");
@@ -1647,7 +1659,14 @@ function getEffectiveProjectId(projectId) {
         }
         return projectId || GITLAB_ALLOWED_PROJECT_IDS[0];
     }
-    return GITLAB_PROJECT_ID || projectId;
+    // Prioritize the passed projectId over GITLAB_PROJECT_ID to allow querying different projects
+    if (projectId) {
+        return projectId;
+    }
+    if (GITLAB_PROJECT_ID) {
+        return GITLAB_PROJECT_ID;
+    }
+    throw new Error("No project ID provided and GITLAB_PROJECT_ID is not set");
 }
 /**
  * Create a fork of a GitLab project
@@ -2344,6 +2363,12 @@ async function updateMergeRequestNote(projectId, mergeRequestIid, noteId, body)
     const data = await response.json();
     return GitLabDiscussionNoteSchema.parse(data);
 }
+function encodeRepoFilePayloadContent(content) {
+    if (GITLAB_REPO_FILE_ENCODING === "base64") {
+        return Buffer.from(content).toString("base64");
+    }
+    return content;
+}
 /**
  * Create or update a file in a GitLab project
  * 파일 생성 또는 업데이트
@@ -2362,9 +2387,9 @@ async function createOrUpdateFile(projectId, filePath, content, commitMessage, b
     const url = new URL(`${getEffectiveApiUrl()}/projects/${encodeURIComponent(getEffectiveProjectId(projectId))}/repository/files/${encodedPath}`);
     const body = {
         branch,
-        content,
+        content: encodeRepoFilePayloadContent(content),
         commit_message: commitMessage,
-        encoding: "text",
+        encoding: GITLAB_REPO_FILE_ENCODING,
         ...(previousPath ? { previous_path: previousPath } : {}),
     };
     // Check if file exists
@@ -2436,8 +2461,8 @@ async function createTree(projectId, files, ref) {
         body: JSON.stringify({
             files: files.map(file => ({
                 file_path: file.path,
-                content: file.content,
-                encoding: "text",
+                content: encodeRepoFilePayloadContent(file.content),
+                encoding: GITLAB_REPO_FILE_ENCODING,
             })),
         }),
     });
@@ -2474,8 +2499,8 @@ async function createCommit(projectId, message, branch, actions) {
             actions: actions.map(action => ({
                 action: "create",
                 file_path: action.path,
-                content: action.content,
-                encoding: "text",
+                content: encodeRepoFilePayloadContent(action.content),
+                encoding: GITLAB_REPO_FILE_ENCODING,
             })),
         }),
     });
@@ -3007,6 +3032,23 @@ async function getMergeRequestApprovalState(projectId, mergeRequestIid) {
         source_endpoint: "approval_state",
     };
 }
+/**
+ * Get the conflicts of a merge request
+ *
+ * @param {string} projectId - The ID or URL-encoded path of the project
+ * @param {string | number} mergeRequestIid - The internal ID of the merge request
+ * @returns {Promise<Record<string, unknown>>} The merge request conflicts
+ */
+async function getMergeRequestConflicts(projectId, mergeRequestIid) {
+    projectId = decodeURIComponent(projectId);
+    const url = new URL(`${getEffectiveApiUrl()}/projects/${encodeURIComponent(getEffectiveProjectId(projectId))}/merge_requests/${mergeRequestIid}/conflicts`);
+    const response = await fetch(url.toString(), {
+        ...getFetchConfig(),
+        method: "GET",
+    });
+    await handleGitLabError(response);
+    return (await response.json());
+}
 async function getMergeRequestApprovalsFallback(projectId, mergeRequestIid) {
     const approvalsUrl = new URL(`${getEffectiveApiUrl()}/projects/${encodeURIComponent(getEffectiveProjectId(projectId))}/merge_requests/${mergeRequestIid}/approvals`);
     const approvalsResponse = await fetch(approvalsUrl.toString(), {
@@ -3088,7 +3130,7 @@ noteableIid, body) {
  * @returns {Promise<GitLabDraftNote[]>} Array of draft notes
  */
 async function getDraftNote(project_id, merge_request_iid, draft_note_id) {
-    const response = await fetch(`${getEffectiveApiUrl()}/projects/${encodeURIComponent(project_id)}/merge_requests/${merge_request_iid}/draft_notes/${draft_note_id}`);
+    const response = await fetch(`${getEffectiveApiUrl()}/projects/${encodeURIComponent(project_id)}/merge_requests/${merge_request_iid}/draft_notes/${draft_note_id}`, { ...getFetchConfig() });
     if (!response.ok) {
         const errorText = await response.text();
         throw new Error(`GitLab API error: ${response.status} ${response.statusText}\n${errorText}`);
@@ -4181,11 +4223,8 @@ async function createPipeline(projectId, ref, variables, inputs) {
         body.inputs = inputs;
     }
     const response = await fetch(url.toString(), {
+        ...getFetchConfig(),
         method: "POST",
-        headers: {
-            ...BASE_HEADERS,
-            ...buildAuthHeaders(),
-        },
         body: JSON.stringify(body),
     });
     await handleGitLabError(response);
@@ -4203,11 +4242,8 @@ async function retryPipeline(projectId, pipelineId) {
     projectId = decodeURIComponent(projectId); // Decode project ID
     const url = new URL(`${getEffectiveApiUrl()}/projects/${encodeURIComponent(getEffectiveProjectId(projectId))}/pipelines/${pipelineId}/retry`);
     const response = await fetch(url.toString(), {
+        ...getFetchConfig(),
         method: "POST",
-        headers: {
-            ...BASE_HEADERS,
-            ...buildAuthHeaders(),
-        },
     });
     await handleGitLabError(response);
     const data = await response.json();
@@ -4224,11 +4260,8 @@ async function cancelPipeline(projectId, pipelineId) {
     projectId = decodeURIComponent(projectId); // Decode project ID
     const url = new URL(`${getEffectiveApiUrl()}/projects/${encodeURIComponent(getEffectiveProjectId(projectId))}/pipelines/${pipelineId}/cancel`);
     const response = await fetch(url.toString(), {
+        ...getFetchConfig(),
         method: "POST",
-        headers: {
-            ...BASE_HEADERS,
-            ...buildAuthHeaders(),
-        },
     });
     await handleGitLabError(response);
     const data = await response.json();
@@ -4319,13 +4352,7 @@ async function getRepositoryTree(options) {
         queryParams.append("page_token", options.page_token);
     if (options.pagination)
         queryParams.append("pagination", options.pagination);
-    const headers = {
-        ...BASE_HEADERS,
-        ...buildAuthHeaders(),
-    };
-    const response = await fetch(`${getEffectiveApiUrl()}/projects/${encodeURIComponent(getEffectiveProjectId(options.project_id))}/repository/tree?${queryParams.toString()}`, {
-        headers,
-    });
+    const response = await fetch(`${getEffectiveApiUrl()}/projects/${encodeURIComponent(getEffectiveProjectId(options.project_id))}/repository/tree?${queryParams.toString()}`, { ...getFetchConfig() });
     if (response.status === 404) {
         throw new Error("Repository or path not found");
     }
@@ -4786,15 +4813,12 @@ async function markdownUpload(projectId, filePath) {
         contentType: "application/octet-stream",
     });
     const url = new URL(`${getEffectiveApiUrl()}/projects/${encodeURIComponent(effectiveProjectId)}/uploads`);
+    const defaultFetchConfig = getFetchConfig();
+    delete defaultFetchConfig.headers["Content-Type"]; // Let form-data set the correct Content-Type with boundary
     const response = await fetch(url.toString(), {
+        ...defaultFetchConfig,
         method: "POST",
-        headers: {
-            ...BASE_HEADERS,
-            ...buildAuthHeaders(),
-            // Remove Content-Type header to let form-data set it with boundary
-            "Content-Type": undefined,
-        },
-        body: form,
+        body: form
     });
     if (!response.ok) {
         await handleGitLabError(response);
@@ -4820,11 +4844,8 @@ async function downloadAttachment(projectId, secret, filename, localPath) {
     const effectiveProjectId = getEffectiveProjectId(projectId);
     const url = new URL(`${getEffectiveApiUrl()}/projects/${encodeURIComponent(effectiveProjectId)}/uploads/${secret}/${filename}`);
     const response = await fetch(url.toString(), {
+        ...getFetchConfig(),
         method: "GET",
-        headers: {
-            ...BASE_HEADERS,
-            ...buildAuthHeaders(),
-        },
     });
     if (!response.ok) {
         await handleGitLabError(response);
@@ -4871,13 +4892,7 @@ async function listEvents(options = {}) {
             url.searchParams.append(key, value.toString());
         }
     });
-    const response = await fetch(url.toString(), {
-        method: "GET",
-        headers: {
-            ...BASE_HEADERS,
-            ...buildAuthHeaders(),
-        },
-    });
+    const response = await fetch(url.toString(), { ...getFetchConfig() });
     if (!response.ok) {
         await handleGitLabError(response);
     }
@@ -4899,13 +4914,7 @@ async function getProjectEvents(projectId, options = {}) {
             url.searchParams.append(key, value.toString());
         }
     });
-    const response = await fetch(url.toString(), {
-        method: "GET",
-        headers: {
-            ...BASE_HEADERS,
-            ...buildAuthHeaders(),
-        },
-    });
+    const response = await fetch(url.toString(), { ...getFetchConfig() });
     if (!response.ok) {
         await handleGitLabError(response);
     }
@@ -5396,6 +5405,13 @@ async function handleToolCall(params) {
                     content: [{ type: "text", text: JSON.stringify(approvalState, null, 2) }],
                 };
             }
+            case "get_merge_request_conflicts": {
+                const args = GetMergeRequestConflictsSchema.parse(params.arguments);
+                const conflicts = await getMergeRequestConflicts(args.project_id, args.merge_request_iid);
+                return {
+                    content: [{ type: "text", text: JSON.stringify(conflicts, null, 2) }],
+                };
+            }
             case "mr_discussions": {
                 const args = ListMergeRequestDiscussionsSchema.parse(params.arguments);
                 const { project_id, merge_request_iid, ...options } = args;
@@ -6306,6 +6322,10 @@ function determineTransportMode() {
 async function startStdioServer() {
     const serverInstance = createServer();
     const transport = new StdioServerTransport();
+    transport.onclose = () => {
+        logger.info("Stdio transport closed, releasing client pool");
+        clientPool.closeAll();
+    };
     await serverInstance.connect(transport);
 }
 /**
@@ -6314,6 +6334,7 @@ async function startStdioServer() {
 async function startSSEServer() {
     const app = express();
     const transports = {};
+    let shuttingDown = false;
     app.get("/sse", async (_, res) => {
         const serverInstance = createServer();
         const transport = new SSEServerTransport("/messages", res);
@@ -6340,12 +6361,35 @@ async function startSSEServer() {
             transport: TransportMode.SSE,
         });
     });
-    app.listen(Number(PORT), HOST, () => {
+    const httpServer = app.listen(Number(PORT), HOST, () => {
         logger.info(`GitLab MCP Server running with SSE transport`);
         const colorGreen = "\x1b[32m";
         const colorReset = "\x1b[0m";
         logger.info(`${colorGreen}Endpoint: http://${HOST}:${PORT}/sse${colorReset}`);
     });
+    const shutdown = async (signal) => {
+        if (shuttingDown)
+            return;
+        shuttingDown = true;
+        logger.info(`${signal} received, shutting down SSE server...`);
+        httpServer.close(() => logger.info("SSE HTTP server closed"));
+        await Promise.allSettled(Object.values(transports).map(async (transport) => {
+            try {
+                await transport.close();
+            }
+            catch (error) {
+                logger.error("Error closing SSE transport:", error);
+            }
+        }));
+        clientPool.closeAll();
+        process.exit(0);
+    };
+    process.on("SIGTERM", () => {
+        void shutdown("SIGTERM");
+    });
+    process.on("SIGINT", () => {
+        void shutdown("SIGINT");
+    });
 }
 /**
  * Start server with Streamable HTTP transport
@@ -6399,10 +6443,12 @@ async function startStreamableHTTPServer() {
     /**
      * Parse authentication from request headers
      * Returns null if no auth found or invalid format
+     * Supports: JOB-TOKEN header, Private-Token header, Authorization Bearer header
      */
     const parseAuthHeaders = (req) => {
         const authHeader = req.headers["authorization"] || "";
         const privateToken = req.headers["private-token"] || "";
+        const jobToken = req.headers["job-token"] || "";
         const dynamicApiUrl = req.headers["x-gitlab-api-url"]?.trim();
         let apiUrl = GITLAB_API_URL; // Default API URL
         // Only process dynamic URL if the feature is enabled
@@ -6419,7 +6465,11 @@ async function startStreamableHTTPServer() {
         // Extract token
         let token = null;
         let header = null;
-        if (privateToken) {
+        if (jobToken) {
+            token = jobToken.trim();
+            header = "JOB-TOKEN";
+        }
+        else if (privateToken) {
             token = privateToken.trim();
             header = "Private-Token";
         }
@@ -6507,8 +6557,8 @@ async function startStreamableHTTPServer() {
                 if (!authData) {
                     metrics.authFailures++;
                     res.status(401).json({
-                        error: "Missing Authorization or Private-Token header",
-                        message: "Remote authorization is enabled. Please provide Authorization or Private-Token header.",
+                        error: "Missing Authorization, Private-Token, or JOB-TOKEN header",
+                        message: "Remote authorization is enabled. Please provide Authorization, Private-Token, or JOB-TOKEN header.",
                     });
                     return;
                 }
@@ -6706,6 +6756,7 @@ async function startStreamableHTTPServer() {
         Object.keys(authTimeouts).forEach(sessionId => {
             clearAuthTimeout(sessionId);
         });
+        clientPool.closeAll();
         logger.info("Graceful shutdown complete");
         process.exit(0);
     };

package/build/oauth.js

@@ -1,3 +1,4 @@
+import * as crypto from "crypto";
 import * as fs from "fs";
 import * as os from "os";
 import * as path from "path";
@@ -10,7 +11,11 @@ import { pino } from "pino";
 const logger = pino({
     name: "gitlab-mcp-oauth",
     level: process.env.LOG_LEVEL || "info",
-});
+}, pino.destination(2));
+function escapeHtml(str) {
+    const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
+    return String(str).replace(/[&<>"']/g, c => map[c] || c);
+}
 // Track pending auth requests across multiple MCP instances
 const pendingAuthRequests = new Map();
 /**
@@ -225,7 +230,7 @@ export class GitLabOAuth {
      */
     async startOAuthFlow() {
         const callbackPort = parseInt(new URL(this.config.redirectUri).port || "8888");
-        const requestId = Math.random().toString(36).substring(7);
+        const requestId = crypto.randomUUID();
         // Check if port is already in use
         const portInUse = await isPortInUse(callbackPort);
         if (portInUse) {
@@ -250,7 +255,7 @@ export class GitLabOAuth {
         const requestIdToOAuthInstance = new Map();
         return new Promise((resolve, reject) => {
             // Create initial request
-            const state = Math.random().toString(36).substring(7);
+            const state = crypto.randomUUID();
             stateToRequestId.set(state, initialRequestId);
             requestIdToOAuthInstance.set(initialRequestId, this);
             const timeout = setTimeout(() => {
@@ -271,7 +276,7 @@ export class GitLabOAuth {
                         }
                         logger.info(`Received auth request from another instance: ${newRequestId}`);
                         // Create a new OAuth flow for this request
-                        const newState = Math.random().toString(36).substring(7);
+                        const newState = crypto.randomUUID();
                         stateToRequestId.set(newState, newRequestId);
                         // Store a reference to use the same OAuth config
                         requestIdToOAuthInstance.set(newRequestId, this);
@@ -315,7 +320,7 @@ export class GitLabOAuth {
                 <html>
                   <body>
                     <h1>Authentication Failed</h1>
-                    <p>Error: ${error}</p>
+                    <p>Error: ${escapeHtml(String(error))}</p>
                     <p>You can close this window.</p>
                   </body>
                 </html>
@@ -523,7 +528,7 @@ export async function initializeOAuthClient(gitlabUrl = "https://gitlab.com") {
         clientSecret,
         redirectUri,
         gitlabUrl,
-        scopes: ["api"],
+        scopes: [process.env.GITLAB_READ_ONLY_MODE === "true" ? "read_api" : "api"],
         tokenStoragePath,
     });
     // Single call: triggers browser flow if needed, or reads cached token

package/build/schemas.js

@@ -1333,6 +1333,9 @@ export const GitLabMergeRequestApprovalStateSchema = z.object({
 export const GetMergeRequestApprovalStateSchema = ProjectParamsSchema.extend({
     merge_request_iid: z.coerce.string().describe("The IID of the merge request"),
 });
+export const GetMergeRequestConflictsSchema = ProjectParamsSchema.extend({
+    merge_request_iid: z.coerce.string().describe("The IID of the merge request"),
+});
 export const GetMergeRequestDiffsSchema = GetMergeRequestSchema.extend({
     view: z.enum(["inline", "parallel"]).optional().describe("Diff view type"),
     excluded_file_patterns: z