@zereight/mcp-gitlab 2.0.34 → 2.0.36

package/build/index.js

@@ -37,20 +37,23 @@ import { fileURLToPath, URL } from "node:url";
 import { z } from "zod";
 import { zodToJsonSchema } from "zod-to-json-schema";
 import { initializeOAuthClient } from "./oauth.js";
+import { createGitLabOAuthProvider } from "./oauth-proxy.js";
+import { mcpAuthRouter } from "@modelcontextprotocol/sdk/server/auth/router.js";
+import { requireBearerAuth } from "@modelcontextprotocol/sdk/server/auth/middleware/bearerAuth.js";
 import { GitLabClientPool } from "./gitlab-client-pool.js";
 // Add type imports for proxy agents
 import { Agent } from "node:http";
 import { Agent as HttpsAgent } from "node:https";
 import { BulkPublishDraftNotesSchema, CancelPipelineJobSchema, CancelPipelineSchema, CreateBranchSchema, CreateDraftNoteSchema, CreateIssueLinkSchema, CreateIssueNoteSchema, CreateIssueSchema, CreateLabelSchema, // Added
-CreateMergeRequestNoteSchema, CreateMergeRequestDiscussionNoteSchema, CreateMergeRequestSchema, CreateMergeRequestThreadSchema, CreateNoteSchema, CreateOrUpdateFileSchema, CreatePipelineSchema, CreateProjectMilestoneSchema, CreateRepositorySchema, CreateWikiPageSchema, DeleteDraftNoteSchema, DeleteIssueLinkSchema, DeleteIssueSchema, DeleteLabelSchema, DeleteProjectMilestoneSchema, DeleteWikiPageSchema, DeleteMergeRequestNoteSchema, EditProjectMilestoneSchema, ForkRepositorySchema, GetBranchDiffsSchema, GetCommitDiffSchema, GetCommitSchema, GetDraftNoteSchema, GetFileContentsSchema, GetIssueLinkSchema, GetIssueSchema, GetLabelSchema, GetMergeRequestDiffsSchema, GetMergeRequestSchema, GetMilestoneBurndownEventsSchema, GetMilestoneIssuesSchema, GetMilestoneMergeRequestsSchema, GetDeploymentSchema, GetEnvironmentSchema, GetNamespaceSchema, 
+CreateMergeRequestNoteSchema, CreateMergeRequestDiscussionNoteSchema, CreateMergeRequestSchema, CreateMergeRequestThreadSchema, CreateNoteSchema, CreateOrUpdateFileSchema, CreatePipelineSchema, CreateProjectMilestoneSchema, CreateRepositorySchema, CreateWikiPageSchema, CreateGroupWikiPageSchema, DeleteDraftNoteSchema, DeleteGroupWikiPageSchema, DeleteIssueLinkSchema, DeleteIssueSchema, DeleteLabelSchema, DeleteProjectMilestoneSchema, DeleteWikiPageSchema, DeleteMergeRequestNoteSchema, EditProjectMilestoneSchema, ForkRepositorySchema, GetBranchDiffsSchema, GetCommitDiffSchema, GetCommitSchema, GetDraftNoteSchema, GetFileContentsSchema, GetIssueLinkSchema, GetIssueSchema, GetLabelSchema, GetMergeRequestDiffsSchema, GetMergeRequestSchema, GetMilestoneBurndownEventsSchema, GetMilestoneIssuesSchema, GetMilestoneMergeRequestsSchema, GetDeploymentSchema, GetEnvironmentSchema, GetNamespaceSchema, 
 // pipeline job schemas
 GetPipelineJobOutputSchema, GetPipelineSchema, GetProjectMilestoneSchema, GetProjectSchema, GetRepositoryTreeSchema, GetUsersSchema, GetWikiPageSchema, GitLabCommitSchema, GitLabCompareResultSchema, GitLabContentSchema, GitLabCreateUpdateFileResponseSchema, GitLabDiffSchema, 
 // Discussion Schemas
 GitLabDiscussionNoteSchema, // Added
 GitLabDiscussionSchema, 
 // Draft Notes Schemas
-GitLabDraftNoteSchema, GitLabForkSchema, GitLabIssueLinkSchema, GitLabIssueSchema, GitLabIssueWithLinkDetailsSchema, GitLabMarkdownUploadSchema, GitLabMergeRequestSchema, GitLabMilestonesSchema, GitLabNamespaceExistsResponseSchema, GitLabNamespaceSchema, GitLabPipelineJobSchema, GitLabDeploymentSchema, GitLabEnvironmentSchema, GitLabPipelineSchema, GitLabPipelineTriggerJobSchema, GitLabProjectMemberSchema, GitLabProjectSchema, GitLabReferenceSchema, GitLabRepositorySchema, GitLabSearchResponseSchema, GitLabTreeItemSchema, GitLabTreeSchema, GitLabUserSchema, GitLabUsersResponseSchema, GitLabWikiPageSchema, GroupIteration, ListCommitsSchema, ListDraftNotesSchema, ListGroupIterationsSchema, ListGroupProjectsSchema, ListIssueDiscussionsSchema, ListIssueLinksSchema, ListIssuesSchema, ListLabelsSchema, ListMergeRequestDiffsSchema, // Added
-ListMergeRequestDiscussionsSchema, ListMergeRequestsSchema, ListMergeRequestVersionsSchema, GetMergeRequestVersionSchema, GitLabMergeRequestVersionSchema, GitLabMergeRequestVersionDetailSchema, ListNamespacesSchema, ListPipelineJobsSchema, ListPipelinesSchema, ListDeploymentsSchema, ListEnvironmentsSchema, ListPipelineTriggerJobsSchema, ListProjectMembersSchema, ListProjectMilestonesSchema, ListProjectsSchema, ListWikiPagesSchema, MarkdownUploadSchema, DownloadAttachmentSchema, DownloadJobArtifactsSchema, GetJobArtifactFileSchema, GitLabArtifactEntrySchema, ListJobArtifactsSchema, MergeMergeRequestSchema, ApproveMergeRequestSchema, UnapproveMergeRequestSchema, GetMergeRequestApprovalStateSchema, GetMergeRequestConflictsSchema, GitLabMergeRequestApprovalsResponseSchema, GitLabMergeRequestApprovalStateSchema, MyIssuesSchema, PaginatedDiscussionsResponseSchema, PromoteProjectMilestoneSchema, PublishDraftNoteSchema, PlayPipelineJobSchema, PushFilesSchema, RetryPipelineJobSchema, RetryPipelineSchema, SearchRepositoriesSchema, UpdateDraftNoteSchema, UpdateIssueNoteSchema, UpdateIssueSchema, UpdateLabelSchema, UpdateMergeRequestNoteSchema, UpdateMergeRequestDiscussionNoteSchema, UpdateMergeRequestSchema, UpdateWikiPageSchema, VerifyNamespaceSchema, GitLabEventSchema, ListEventsSchema, GetProjectEventsSchema, ExecuteGraphQLSchema, GitLabReleaseSchema, ListReleasesSchema, GetReleaseSchema, CreateReleaseSchema, UpdateReleaseSchema, DeleteReleaseSchema, CreateReleaseEvidenceSchema, DownloadReleaseAssetSchema, GetMergeRequestNotesSchema, GetMergeRequestNoteSchema, DeleteMergeRequestDiscussionNoteSchema, ResolveMergeRequestThreadSchema, ListWebhooksSchema, ListWebhookEventsSchema, GetWebhookEventSchema, } from "./schemas.js";
+GitLabDraftNoteSchema, GitLabForkSchema, GitLabIssueLinkSchema, GitLabIssueSchema, GitLabIssueWithLinkDetailsSchema, GitLabMarkdownUploadSchema, GitLabMergeRequestSchema, GitLabMilestonesSchema, GitLabNamespaceExistsResponseSchema, GitLabNamespaceSchema, GitLabPipelineJobSchema, GitLabDeploymentSchema, GitLabEnvironmentSchema, GitLabPipelineSchema, GitLabPipelineTriggerJobSchema, GitLabProjectMemberSchema, GitLabProjectSchema, GitLabReferenceSchema, GitLabRepositorySchema, GitLabSearchBlobResultSchema, GitLabSearchResponseSchema, GitLabTreeItemSchema, GitLabTreeSchema, GitLabUserSchema, GitLabUsersResponseSchema, GitLabWikiPageSchema, GroupIteration, ListCommitsSchema, ListDraftNotesSchema, ListGroupIterationsSchema, ListGroupProjectsSchema, ListIssueDiscussionsSchema, ListIssueLinksSchema, ListIssuesSchema, ListLabelsSchema, ListMergeRequestDiffsSchema, // Added
+GetMergeRequestFileDiffSchema, ListMergeRequestChangedFilesSchema, ListMergeRequestDiscussionsSchema, ListMergeRequestsSchema, ListMergeRequestVersionsSchema, GetMergeRequestVersionSchema, GitLabMergeRequestVersionSchema, GitLabMergeRequestVersionDetailSchema, ListNamespacesSchema, ListPipelineJobsSchema, ListPipelinesSchema, ListDeploymentsSchema, ListEnvironmentsSchema, ListPipelineTriggerJobsSchema, ListProjectMembersSchema, ListProjectMilestonesSchema, ListProjectsSchema, ListWikiPagesSchema, GetGroupWikiPageSchema, ListGroupWikiPagesSchema, UpdateGroupWikiPageSchema, MarkdownUploadSchema, DownloadAttachmentSchema, DownloadJobArtifactsSchema, GetJobArtifactFileSchema, GitLabArtifactEntrySchema, ListJobArtifactsSchema, MergeMergeRequestSchema, ApproveMergeRequestSchema, UnapproveMergeRequestSchema, GetMergeRequestApprovalStateSchema, GetMergeRequestConflictsSchema, GitLabMergeRequestApprovalsResponseSchema, GitLabMergeRequestApprovalStateSchema, MyIssuesSchema, PaginatedDiscussionsResponseSchema, PromoteProjectMilestoneSchema, PublishDraftNoteSchema, PlayPipelineJobSchema, PushFilesSchema, RetryPipelineJobSchema, RetryPipelineSchema, SearchCodeSchema, SearchGroupCodeSchema, SearchProjectCodeSchema, SearchRepositoriesSchema, UpdateDraftNoteSchema, UpdateIssueNoteSchema, UpdateIssueSchema, UpdateLabelSchema, UpdateMergeRequestNoteSchema, UpdateMergeRequestDiscussionNoteSchema, UpdateMergeRequestSchema, UpdateWikiPageSchema, VerifyNamespaceSchema, GitLabEventSchema, ListEventsSchema, GetProjectEventsSchema, ExecuteGraphQLSchema, GitLabReleaseSchema, ListReleasesSchema, GetReleaseSchema, CreateReleaseSchema, UpdateReleaseSchema, DeleteReleaseSchema, CreateReleaseEvidenceSchema, DownloadReleaseAssetSchema, GetMergeRequestNotesSchema, GetMergeRequestNoteSchema, DeleteMergeRequestDiscussionNoteSchema, ResolveMergeRequestThreadSchema, GetWorkItemSchema, ListWorkItemsSchema, CreateWorkItemSchema, UpdateWorkItemSchema, ConvertWorkItemTypeSchema, ListWorkItemStatusesSchema, ListWorkItemNotesSchema, CreateWorkItemNoteSchema, MoveWorkItemSchema, ListCustomFieldDefinitionsSchema, GetTimelineEventsSchema, CreateTimelineEventSchema, ListWebhooksSchema, ListWebhookEventsSchema, GetWebhookEventSchema, } from "./schemas.js";
 import { randomUUID } from "node:crypto";
 import { pino } from "pino";
 const logger = pino({
@@ -152,7 +155,7 @@ function createServer() {
         // Manually retrieve the session context using the session ID passed in the request.
         // This is a robust workaround for AsyncLocalStorage context loss.
         const sessionId = request.params.sessionId;
-        if (REMOTE_AUTHORIZATION && sessionId && authBySession[sessionId]) {
+        if ((REMOTE_AUTHORIZATION || GITLAB_MCP_OAUTH) && sessionId && authBySession[sessionId]) {
             const authData = authBySession[sessionId];
             const sessionContext = {
                 sessionId,
@@ -228,8 +231,37 @@ function validateConfiguration() {
     const hasToken = !!getConfig("token", "GITLAB_PERSONAL_ACCESS_TOKEN");
     const hasJobToken = !!getConfig("job-token", "GITLAB_JOB_TOKEN");
     const hasCookie = !!getConfig("cookie-path", "GITLAB_AUTH_COOKIE_PATH");
-    if (!remoteAuth && !useOAuth && !hasToken && !hasJobToken && !hasCookie) {
-        errors.push("Either --token, --job-token, --cookie-path, --use-oauth=true, or --remote-auth=true must be set (or use environment variables)");
+    const mcpOAuth = getConfig("mcp-oauth", "GITLAB_MCP_OAUTH") === "true";
+    const mcpServerUrl = getConfig("mcp-server-url", "MCP_SERVER_URL");
+    if (!remoteAuth && !useOAuth && !hasToken && !hasJobToken && !hasCookie && !mcpOAuth) {
+        errors.push("Either --token, --job-token, --cookie-path, --use-oauth=true, --remote-auth=true, or --mcp-oauth=true must be set (or use environment variables)");
+    }
+    if (mcpOAuth) {
+        if (!mcpServerUrl) {
+            errors.push("MCP_SERVER_URL is required when GITLAB_MCP_OAUTH=true (e.g. https://mcp.example.com)");
+        }
+        else {
+            try {
+                const u = new URL(mcpServerUrl);
+                const isInsecure = u.protocol !== "https:";
+                const isLocalhost = u.hostname === "localhost" || u.hostname === "127.0.0.1";
+                const allowInsecure = process.env.MCP_DANGEROUSLY_ALLOW_INSECURE_ISSUER_URL === "true";
+                if (isInsecure && !isLocalhost && !allowInsecure) {
+                    errors.push("MCP_SERVER_URL must use HTTPS in production " +
+                        "(set MCP_DANGEROUSLY_ALLOW_INSECURE_ISSUER_URL=true for local dev)");
+                }
+            }
+            catch {
+                errors.push(`MCP_SERVER_URL is not a valid URL: ${mcpServerUrl}`);
+            }
+        }
+        if (!getConfig("api-url", "GITLAB_API_URL")) {
+            errors.push("GITLAB_API_URL is required when GITLAB_MCP_OAUTH=true");
+        }
+        if (!getConfig("oauth-app-id", "GITLAB_OAUTH_APP_ID")) {
+            errors.push("GITLAB_OAUTH_APP_ID is required when GITLAB_MCP_OAUTH=true " +
+                "(create an OAuth application in GitLab Admin with the required scopes)");
+        }
     }
     const enableDynamicApiUrl = getConfig("enable-dynamic-api-url", "ENABLE_DYNAMIC_API_URL") === "true";
     if (enableDynamicApiUrl && !remoteAuth) {
@@ -283,7 +315,8 @@ const GITLAB_DENIED_TOOLS_REGEX = (() => {
     }
     // Reject patterns with nested quantifiers that can cause catastrophic backtracking (ReDoS)
     // e.g., (a+)+, (a*)+, (a+)*, (a{1,})+
-    const NESTED_QUANTIFIER_PATTERN = /(\(.*[+*?].*\)|\[.*\])[+*?]|\(\?[^:)]/;
+    // Note: lookahead (?!), (?=), lookbehind (?<), and named groups (?<name>) are safe and allowed
+    const NESTED_QUANTIFIER_PATTERN = /(\(.*[+*?].*\)|\[.*\])[+*?]/;
     if (NESTED_QUANTIFIER_PATTERN.test(pattern)) {
         logger.error(`GITLAB_DENIED_TOOLS_REGEX contains potentially unsafe nested quantifiers. Ignoring.`);
         return undefined;
@@ -307,6 +340,13 @@ const GITLAB_TOOLS_RAW = getConfig("tools", "GITLAB_TOOLS");
 const SSE = getConfig("sse", "SSE") === "true";
 const STREAMABLE_HTTP = getConfig("streamable-http", "STREAMABLE_HTTP") === "true";
 const REMOTE_AUTHORIZATION = getConfig("remote-auth", "REMOTE_AUTHORIZATION") === "true";
+const GITLAB_MCP_OAUTH = getConfig("mcp-oauth", "GITLAB_MCP_OAUTH") === "true";
+const MCP_SERVER_URL = getConfig("mcp-server-url", "MCP_SERVER_URL");
+const GITLAB_OAUTH_APP_ID = getConfig("oauth-app-id", "GITLAB_OAUTH_APP_ID");
+const GITLAB_OAUTH_SCOPES_RAW = getConfig("oauth-scopes", "GITLAB_OAUTH_SCOPES");
+const GITLAB_OAUTH_SCOPES = GITLAB_OAUTH_SCOPES_RAW
+    ? GITLAB_OAUTH_SCOPES_RAW.split(",").map((s) => s.trim()).filter(Boolean)
+    : undefined;
 const ENABLE_DYNAMIC_API_URL = getConfig("enable-dynamic-api-url", "ENABLE_DYNAMIC_API_URL") === "true";
 const SESSION_TIMEOUT_SECONDS = Number.parseInt(getConfig("session-timeout", "SESSION_TIMEOUT_SECONDS", "3600"), 10);
 const HOST = getConfig("host", "HOST") || "127.0.0.1";
@@ -482,11 +522,11 @@ const BASE_HEADERS = {
 };
 /**
  * Build authentication headers dynamically based on context
- * In REMOTE_AUTHORIZATION mode, reads from AsyncLocalStorage session context
+ * In REMOTE_AUTHORIZATION or GITLAB_MCP_OAUTH mode, reads from AsyncLocalStorage session context
  * Otherwise, uses environment token (OAuth token is refreshed lazily before each tool call)
  */
 function buildAuthHeaders() {
-    if (REMOTE_AUTHORIZATION) {
+    if (REMOTE_AUTHORIZATION || GITLAB_MCP_OAUTH) {
         const ctx = sessionAuthStore.getStore();
         logger.debug({ context: ctx }, "buildAuthHeaders: session context");
         if (ctx?.token) {
@@ -496,11 +536,10 @@ function buildAuthHeaders() {
         }
         return {}; // No auth headers if no session context
     }
-    // CI job tokens use a dedicated header (not Bearer/Private-Token)
-    if (GITLAB_JOB_TOKEN) {
-        return { "JOB-TOKEN": String(GITLAB_JOB_TOKEN) };
-    }
-    // Standard mode: prioritize OAuth token, then fall back to environment token
+    // Standard mode: PAT preferred over job token (broader permissions).
+    // OAuth token takes priority over PAT when both are set.
+    // NOTE: Changed in PR #400 — previously GITLAB_JOB_TOKEN had highest priority.
+    // If both GITLAB_PERSONAL_ACCESS_TOKEN and GITLAB_JOB_TOKEN are set, PAT wins.
     const token = OAUTH_ACCESS_TOKEN || GITLAB_PERSONAL_ACCESS_TOKEN;
     if (IS_OLD && token) {
         return { "Private-Token": String(token) };
@@ -508,6 +547,10 @@ function buildAuthHeaders() {
     if (token) {
         return { Authorization: `Bearer ${token}` };
     }
+    // Fall back to CI job token
+    if (GITLAB_JOB_TOKEN) {
+        return { "JOB-TOKEN": String(GITLAB_JOB_TOKEN) };
+    }
     return {};
 }
 /**
@@ -670,11 +713,32 @@ const allTools = [
         description: "Get the changes/diffs of a merge request (Either mergeRequestIid or branchName must be provided)",
         inputSchema: toJSONSchema(GetMergeRequestDiffsSchema),
     },
+    {
+        name: "list_merge_request_changed_files",
+        description: "STEP 1 of code review workflow. " +
+            "Returns ONLY the list of changed file paths in a merge request — WITHOUT diff content. " +
+            "Call this first to get file paths, then call get_merge_request_file_diff with multiple files in a single batched call (recommended 3-5 files per call). " +
+            "This avoids loading the entire diff payload at once and reduces API calls. " +
+            "Supports excluded_file_patterns filtering using regex. " +
+            "Returns: new_path, old_path, new_file, deleted_file, renamed_file flags for each file. " +
+            "(Either mergeRequestIid or branchName must be provided)",
+        inputSchema: toJSONSchema(ListMergeRequestChangedFilesSchema),
+    },
     {
         name: "list_merge_request_diffs",
         description: "List merge request diffs with pagination support (Either mergeRequestIid or branchName must be provided)",
         inputSchema: toJSONSchema(ListMergeRequestDiffsSchema),
     },
+    {
+        name: "get_merge_request_file_diff",
+        description: "STEP 2 of code review workflow. " +
+            "Get diffs for one or more files from a merge request. " +
+            "Call list_merge_request_changed_files first to get file paths, then pass them as an array to fetch their diffs efficiently. " +
+            "Batching multiple files (recommended 3-5) is supported and preferred over individual requests. " +
+            "Returns an array of results - one per requested file path. Files not found are returned with error messages. " +
+            "(Either mergeRequestIid or branchName must be provided)",
+        inputSchema: toJSONSchema(GetMergeRequestFileDiffSchema),
+    },
     {
         name: "list_merge_request_versions",
         description: "List all versions of a merge request",
@@ -797,7 +861,7 @@ const allTools = [
     },
     {
         name: "create_issue_note",
-        description: "Add a new note to an existing issue thread",
+        description: "Add a note to an issue. Creates a top-level comment, or replies to a discussion thread if discussion_id is provided",
         inputSchema: toJSONSchema(CreateIssueNoteSchema),
     },
     {
@@ -935,6 +999,31 @@ const allTools = [
         description: "Delete a wiki page from a GitLab project",
         inputSchema: toJSONSchema(DeleteWikiPageSchema),
     },
+    {
+        name: "list_group_wiki_pages",
+        description: "List wiki pages in a GitLab group",
+        inputSchema: toJSONSchema(ListGroupWikiPagesSchema),
+    },
+    {
+        name: "get_group_wiki_page",
+        description: "Get details of a specific group wiki page",
+        inputSchema: toJSONSchema(GetGroupWikiPageSchema),
+    },
+    {
+        name: "create_group_wiki_page",
+        description: "Create a new wiki page in a GitLab group",
+        inputSchema: toJSONSchema(CreateGroupWikiPageSchema),
+    },
+    {
+        name: "update_group_wiki_page",
+        description: "Update an existing wiki page in a GitLab group",
+        inputSchema: toJSONSchema(UpdateGroupWikiPageSchema),
+    },
+    {
+        name: "delete_group_wiki_page",
+        description: "Delete a wiki page from a GitLab group",
+        inputSchema: toJSONSchema(DeleteGroupWikiPageSchema),
+    },
     {
         name: "get_repository_tree",
         description: "Get the repository tree for a GitLab project (list files and directories)",
@@ -1165,6 +1254,68 @@ const allTools = [
         description: "Download a release asset file by direct asset path",
         inputSchema: toJSONSchema(DownloadReleaseAssetSchema),
     },
+    // --- Work item tools (GraphQL-based) ---
+    {
+        name: "get_work_item",
+        description: "Get a single work item with full details including status, hierarchy (parent/children), type, labels, assignees, and all widgets.",
+        inputSchema: toJSONSchema(GetWorkItemSchema),
+    },
+    {
+        name: "list_work_items",
+        description: "List work items in a project with filters (type, state, search, assignees, labels). Returns items with status and hierarchy info.",
+        inputSchema: toJSONSchema(ListWorkItemsSchema),
+    },
+    {
+        name: "create_work_item",
+        description: "Create a new work item (issue, task, incident, test_case, epic, key_result, objective, requirement, ticket). Supports setting title, description, labels, assignees, weight, parent, health status, start/due dates, milestone, and confidentiality.",
+        inputSchema: toJSONSchema(CreateWorkItemSchema),
+    },
+    {
+        name: "update_work_item",
+        description: "Update a work item. Can modify title, description, labels, assignees, weight, state, status, parent hierarchy, children, health status, start/due dates, milestone, confidentiality, linked items, and custom fields.",
+        inputSchema: toJSONSchema(UpdateWorkItemSchema),
+    },
+    {
+        name: "convert_work_item_type",
+        description: "Convert a work item to a different type (e.g. issue to task, task to incident).",
+        inputSchema: toJSONSchema(ConvertWorkItemTypeSchema),
+    },
+    {
+        name: "list_work_item_statuses",
+        description: "List available statuses for a work item type in a project. Requires GitLab Premium/Ultimate with configurable statuses.",
+        inputSchema: toJSONSchema(ListWorkItemStatusesSchema),
+    },
+    {
+        name: "list_custom_field_definitions",
+        description: "List available custom field definitions for a work item type in a project. Returns field names, types, and IDs needed for setting custom fields via update_work_item.",
+        inputSchema: toJSONSchema(ListCustomFieldDefinitionsSchema),
+    },
+    {
+        name: "move_work_item",
+        description: "Move a work item (issue, task, etc.) to a different project. Uses GitLab GraphQL issueMove mutation.",
+        inputSchema: toJSONSchema(MoveWorkItemSchema),
+    },
+    {
+        name: "list_work_item_notes",
+        description: "List notes and discussions on a work item. Returns threaded discussions with author, body, timestamps, and system/internal flags.",
+        inputSchema: toJSONSchema(ListWorkItemNotesSchema),
+    },
+    {
+        name: "create_work_item_note",
+        description: "Add a note/comment to a work item. Supports Markdown, internal notes, and threaded replies.",
+        inputSchema: toJSONSchema(CreateWorkItemNoteSchema),
+    },
+    // --- Incident timeline event tools ---
+    {
+        name: "get_timeline_events",
+        description: "List timeline events for an incident. Returns chronological events with notes, timestamps, and tags (Start time, End time, Impact detected, etc.).",
+        inputSchema: toJSONSchema(GetTimelineEventsSchema),
+    },
+    {
+        name: "create_timeline_event",
+        description: "Create a timeline event on an incident. Supports tags: 'Start time', 'End time', 'Impact detected', 'Response initiated', 'Impact mitigated', 'Cause identified'.",
+        inputSchema: toJSONSchema(CreateTimelineEventSchema),
+    },
     {
         name: "list_webhooks",
         description: "List all configured webhooks for a GitLab project or group. Provide either project_id or group_id.",
@@ -1180,17 +1331,42 @@ const allTools = [
         description: "Get full details of a specific webhook event by ID, including request/response payloads. Searches up to 500 most recent events.",
         inputSchema: toJSONSchema(GetWebhookEventSchema),
     },
+    {
+        name: "search_code",
+        description: "Search for code across all projects on the GitLab instance (requires advanced search or exact code search to be enabled). If exact code search (Zoekt) is enabled, the search query supports rich syntax including file:, lang:, sym: filters.",
+        inputSchema: toJSONSchema(SearchCodeSchema),
+    },
+    {
+        name: "search_project_code",
+        description: "Search for code within a specific GitLab project (requires advanced search or exact code search to be enabled). If exact code search (Zoekt) is enabled, the search query supports rich syntax including file:, lang:, sym: filters.",
+        inputSchema: toJSONSchema(SearchProjectCodeSchema),
+    },
+    {
+        name: "search_group_code",
+        description: "Search for code within a specific GitLab group (requires advanced search or exact code search to be enabled). If exact code search (Zoekt) is enabled, the search query supports rich syntax including file:, lang:, sym: filters.",
+        inputSchema: toJSONSchema(SearchGroupCodeSchema),
+    },
 ];
 // Define which tools are read-only
 const readOnlyTools = new Set([
     "search_repositories",
+    "search_code",
+    "search_project_code",
+    "search_group_code",
     "execute_graphql",
     "get_file_contents",
     "get_merge_request",
     "get_merge_request_diffs",
+    "list_merge_request_changed_files",
+    "list_merge_request_diffs",
+    "get_merge_request_file_diff",
     "list_merge_request_versions",
     "get_merge_request_version",
     "get_branch_diffs",
+    "get_merge_request_note",
+    "get_merge_request_notes",
+    "get_draft_note",
+    "list_draft_notes",
     "mr_discussions",
     "list_issues",
     "my_issues",
@@ -1229,6 +1405,8 @@ const readOnlyTools = new Set([
     "get_milestone_burndown_events",
     "list_wiki_pages",
     "get_wiki_page",
+    "list_group_wiki_pages",
+    "get_group_wiki_page",
     "get_users",
     "list_commits",
     "get_commit",
@@ -1242,6 +1420,12 @@ const readOnlyTools = new Set([
     "get_release",
     "download_release_asset",
     "get_merge_request_approval_state",
+    "get_work_item",
+    "list_work_items",
+    "list_work_item_statuses",
+    "list_custom_field_definitions",
+    "list_work_item_notes",
+    "get_timeline_events",
     "get_merge_request_conflicts",
     "list_webhooks",
     "list_webhook_events",
@@ -1254,6 +1438,11 @@ const wikiToolNames = new Set([
     "create_wiki_page",
     "update_wiki_page",
     "delete_wiki_page",
+    "list_group_wiki_pages",
+    "get_group_wiki_page",
+    "create_group_wiki_page",
+    "update_group_wiki_page",
+    "delete_group_wiki_page",
     "upload_wiki_attachment",
 ]);
 // Define which tools are related to milestones and can be toggled by USE_MILESTONE
@@ -1302,7 +1491,9 @@ const TOOLSET_DEFINITIONS = [
             "get_merge_request_conflicts",
             "get_merge_request",
             "get_merge_request_diffs",
+            "list_merge_request_changed_files",
             "list_merge_request_diffs",
+            "get_merge_request_file_diff",
             "list_merge_request_versions",
             "get_merge_request_version",
             "update_merge_request",
@@ -1446,6 +1637,11 @@ const TOOLSET_DEFINITIONS = [
             "create_wiki_page",
             "update_wiki_page",
             "delete_wiki_page",
+            "list_group_wiki_pages",
+            "get_group_wiki_page",
+            "create_group_wiki_page",
+            "update_group_wiki_page",
+            "delete_group_wiki_page",
         ]),
     },
     {
@@ -1472,6 +1668,24 @@ const TOOLSET_DEFINITIONS = [
             "download_attachment",
         ]),
     },
+    {
+        id: "workitems",
+        isDefault: false,
+        tools: new Set([
+            "get_work_item",
+            "list_work_items",
+            "create_work_item",
+            "update_work_item",
+            "convert_work_item_type",
+            "list_work_item_statuses",
+            "list_custom_field_definitions",
+            "move_work_item",
+            "list_work_item_notes",
+            "create_work_item_note",
+            "get_timeline_events",
+            "create_timeline_event",
+        ]),
+    },
     {
         id: "webhooks",
         isDefault: false,
@@ -1481,6 +1695,11 @@ const TOOLSET_DEFINITIONS = [
             "get_webhook_event",
         ]),
     },
+    {
+        id: "search",
+        isDefault: false,
+        tools: new Set(["search_code", "search_project_code", "search_group_code"]),
+    },
 ];
 // Derived lookup: tool name → toolset ID
 const TOOLSET_BY_TOOL_NAME = new Map();
@@ -1610,7 +1829,20 @@ if (REMOTE_AUTHORIZATION) {
     }
     logger.info("Remote authorization enabled: tokens will be read from HTTP headers");
 }
-else if (!USE_OAUTH && !GITLAB_PERSONAL_ACCESS_TOKEN && !GITLAB_JOB_TOKEN && !GITLAB_AUTH_COOKIE_PATH) {
+if (GITLAB_MCP_OAUTH) {
+    if (SSE) {
+        logger.error("GITLAB_MCP_OAUTH=true is not compatible with SSE transport mode");
+        logger.error("Please use STREAMABLE_HTTP=true instead");
+        process.exit(1);
+    }
+    if (!STREAMABLE_HTTP) {
+        logger.error("GITLAB_MCP_OAUTH=true requires STREAMABLE_HTTP=true");
+        logger.error("Set STREAMABLE_HTTP=true to enable MCP OAuth");
+        process.exit(1);
+    }
+    logger.info("MCP OAuth enabled: GitLab OAuth proxy active (Private-Token/JOB-TOKEN headers bypass OAuth)");
+}
+if (!REMOTE_AUTHORIZATION && !GITLAB_MCP_OAUTH && !USE_OAUTH && !GITLAB_PERSONAL_ACCESS_TOKEN && !GITLAB_JOB_TOKEN && !GITLAB_AUTH_COOKIE_PATH) {
     // Standard mode: token must be in environment (unless using OAuth)
     logger.error("GITLAB_PERSONAL_ACCESS_TOKEN environment variable is not set");
     logger.info("Either set GITLAB_PERSONAL_ACCESS_TOKEN or enable OAuth with GITLAB_USE_OAUTH=true");
@@ -1772,28 +2004,19 @@ async function getFileContents(projectId, filePath, ref) {
     }
     return parsedData;
 }
-/**
- * Create a new issue in a GitLab project
- * 이슈 생성 (Create an issue)
- *
- * @param {string} projectId - The ID or URL-encoded path of the project
- * @param {z.infer<typeof CreateIssueOptionsSchema>} options - Issue creation options
- * @returns {Promise<GitLabIssue>} The created issue
- */
 async function createIssue(projectId, options) {
     projectId = decodeURIComponent(projectId); // Decode project ID
     const effectiveProjectId = getEffectiveProjectId(projectId);
     const url = new URL(`${getEffectiveApiUrl()}/projects/${encodeURIComponent(effectiveProjectId)}/issues`);
+    // Build request body, converting labels array to comma-separated string
+    const body = { ...options };
+    if (body.labels && Array.isArray(body.labels)) {
+        body.labels = body.labels.join(",");
+    }
     const response = await fetch(url.toString(), {
         ...getFetchConfig(),
         method: "POST",
-        body: JSON.stringify({
-            title: options.title,
-            description: options.description,
-            assignee_ids: options.assignee_ids,
-            milestone_id: options.milestone_id,
-            labels: options.labels?.join(","),
-        }),
+        body: JSON.stringify(body),
     });
     // Handle bad request
     if (response.status === 400) {
@@ -1943,6 +2166,1392 @@ async function deleteIssue(projectId, issueIid) {
     });
     await handleGitLabError(response);
 }
+// --- GraphQL helper ---
+/**
+ * Execute a GraphQL query against the GitLab instance.
+ * Reusable helper for work item operations.
+ */
+async function executeGraphQL(query, variables = {}) {
+    const apiUrl = new URL(getEffectiveApiUrl());
+    const restPath = apiUrl.pathname || "";
+    const idx = restPath.lastIndexOf("/api/v4");
+    const prefix = idx >= 0 ? restPath.slice(0, idx) : "";
+    const graphqlUrl = process.env.GITLAB_GRAPHQL_URL || `${apiUrl.origin}${prefix}/api/graphql`;
+    const response = await fetch(graphqlUrl, {
+        ...getFetchConfig(),
+        method: "POST",
+        headers: {
+            ...BASE_HEADERS,
+            ...buildAuthHeaders(),
+        },
+        body: JSON.stringify({ query, variables }),
+    });
+    if (!response.ok) {
+        const errorBody = await response.text();
+        throw new Error(`GraphQL request failed (${response.status}): ${errorBody}`);
+    }
+    const json = await response.json();
+    if (json.errors && json.errors.length > 0) {
+        throw new Error(`GraphQL errors: ${json.errors.map((e) => e.message).join(", ")}`);
+    }
+    return json.data;
+}
+/**
+ * Resolve a project path and issue IID to a work item GraphQL GID.
+ */
+async function resolveWorkItemGID(projectId, issueIid) {
+    projectId = decodeURIComponent(projectId);
+    const effectiveProjectId = getEffectiveProjectId(projectId);
+    // First get the project path via REST (needed for GraphQL namespace query)
+    const projectUrl = new URL(`${getEffectiveApiUrl()}/projects/${encodeURIComponent(effectiveProjectId)}`);
+    const projectResponse = await fetch(projectUrl.toString(), {
+        ...getFetchConfig(),
+    });
+    await handleGitLabError(projectResponse);
+    const project = await projectResponse.json();
+    const projectPath = project.path_with_namespace;
+    // Resolve work item GID via GraphQL
+    const data = await executeGraphQL(`query($path: ID!, $iid: String!) {
+      namespace(fullPath: $path) {
+        workItem(iid: $iid) {
+          id
+        }
+      }
+    }`, { path: projectPath, iid: String(issueIid) });
+    if (!data.namespace?.workItem?.id) {
+        throw new Error(`Work item #${issueIid} not found in project ${projectPath}`);
+    }
+    return { workItemGID: data.namespace.workItem.id, projectPath };
+}
+/**
+ * Resolve label names and usernames to GitLab GIDs in a single GraphQL call.
+ */
+async function resolveNamesToIds(projectPath, labelNames, usernames) {
+    if (!labelNames?.length && !usernames?.length) {
+        return { labelIds: [], userIds: [] };
+    }
+    const data = await executeGraphQL(`query($path: ID!, $usernames: [String!]!) {
+      project(fullPath: $path) { labels(includeAncestorGroups: true, first: 250) { nodes { id title } } }
+      users(usernames: $usernames) { nodes { id username } }
+    }`, { path: projectPath, usernames: usernames || [] });
+    const labelIds = (labelNames || []).map(name => {
+        const label = data.project.labels.nodes.find(l => l.title === name);
+        if (!label)
+            throw new Error(`Label '${name}' not found in project`);
+        return label.id;
+    });
+    const userIds = (usernames || []).map(name => {
+        const user = data.users.nodes.find(u => u.username === name);
+        if (!user)
+            throw new Error(`User '${name}' not found`);
+        return user.id;
+    });
+    return { labelIds, userIds };
+}
+// --- Work item type conversion ---
+/**
+ * Map user-facing type names to GitLab WorkItemType names for GraphQL queries.
+ */
+const WORK_ITEM_TYPE_NAMES = {
+    issue: "Issue",
+    task: "Task",
+    incident: "Incident",
+    test_case: "Test Case",
+    epic: "Epic",
+    key_result: "Key Result",
+    objective: "Objective",
+    requirement: "Requirement",
+    ticket: "Ticket",
+};
+/**
+ * Get the GraphQL GID for a work item type by querying the project's available types.
+ */
+async function resolveWorkItemTypeGID(projectPath, typeName) {
+    const targetName = WORK_ITEM_TYPE_NAMES[typeName];
+    if (!targetName) {
+        throw new Error(`Unknown work item type: ${typeName}`);
+    }
+    const data = await executeGraphQL(`query($path: ID!) {
+      namespace(fullPath: $path) {
+        workItemTypes {
+          nodes {
+            id
+            name
+          }
+        }
+      }
+    }`, { path: projectPath });
+    const typeNode = data.namespace?.workItemTypes?.nodes?.find((n) => n.name === targetName);
+    if (!typeNode) {
+        throw new Error(`Work item type '${targetName}' not found in project ${projectPath}`);
+    }
+    return typeNode.id;
+}
+/**
+ * Convert an issue to a different work item type using GraphQL.
+ */
+async function convertIssueType(projectId, issueIid, newType) {
+    const { workItemGID, projectPath } = await resolveWorkItemGID(projectId, issueIid);
+    const workItemTypeGID = await resolveWorkItemTypeGID(projectPath, newType);
+    const data = await executeGraphQL(`mutation($id: WorkItemID!, $typeId: WorkItemsTypeID!) {
+      workItemConvert(input: { id: $id, workItemTypeId: $typeId }) {
+        workItem {
+          id
+          workItemType { name }
+        }
+        errors
+      }
+    }`, { id: workItemGID, typeId: workItemTypeGID });
+    if (data.workItemConvert.errors?.length > 0) {
+        throw new Error(`Conversion failed: ${data.workItemConvert.errors.join(", ")}`);
+    }
+    return {
+        id: data.workItemConvert.workItem.id,
+        type: data.workItemConvert.workItem.workItemType.name,
+    };
+}
+// --- Work item hierarchy ---
+/**
+ * Set a parent for a work item (issue hierarchy).
+ */
+async function setIssueParent(projectId, issueIid, parentProjectId, parentIssueIid) {
+    const { workItemGID } = await resolveWorkItemGID(projectId, issueIid);
+    const { workItemGID: parentGID } = await resolveWorkItemGID(parentProjectId, parentIssueIid);
+    const data = await executeGraphQL(`mutation($id: WorkItemID!, $parentId: WorkItemID!) {
+      workItemUpdate(input: { id: $id, hierarchyWidget: { parentId: $parentId } }) {
+        workItem { id }
+        errors
+      }
+    }`, { id: workItemGID, parentId: parentGID });
+    if (data.workItemUpdate.errors?.length > 0) {
+        throw new Error(`Failed to set parent: ${data.workItemUpdate.errors.join(", ")}`);
+    }
+    return { id: workItemGID, parentId: parentGID };
+}
+/**
+ * Remove the parent from a work item.
+ */
+async function removeIssueParent(projectId, issueIid) {
+    const { workItemGID } = await resolveWorkItemGID(projectId, issueIid);
+    const data = await executeGraphQL(`mutation($id: WorkItemID!) {
+      workItemUpdate(input: { id: $id, hierarchyWidget: { parentId: null } }) {
+        workItem { id }
+        errors
+      }
+    }`, { id: workItemGID });
+    if (data.workItemUpdate.errors?.length > 0) {
+        throw new Error(`Failed to remove parent: ${data.workItemUpdate.errors.join(", ")}`);
+    }
+}
+/**
+ * List children of a work item (hierarchy widget).
+ */
+async function listIssueChildren(projectId, issueIid) {
+    projectId = decodeURIComponent(projectId);
+    const effectiveProjectId = getEffectiveProjectId(projectId);
+    // Get project path
+    const projectUrl = new URL(`${getEffectiveApiUrl()}/projects/${encodeURIComponent(effectiveProjectId)}`);
+    const projectResponse = await fetch(projectUrl.toString(), {
+        ...getFetchConfig(),
+    });
+    await handleGitLabError(projectResponse);
+    const project = await projectResponse.json();
+    const data = await executeGraphQL(`query($path: ID!, $iid: String!) {
+      namespace(fullPath: $path) {
+        workItem(iid: $iid) {
+          id
+          title
+          widgets {
+            __typename
+            ... on WorkItemWidgetHierarchy {
+              parent {
+                id
+                title
+                webUrl
+                workItemType { name }
+              }
+              children {
+                nodes {
+                  id
+                  title
+                  state
+                  webUrl
+                  workItemType { name }
+                }
+              }
+            }
+          }
+        }
+      }
+    }`, { path: project.path_with_namespace, iid: String(issueIid) });
+    if (!data.namespace?.workItem) {
+        throw new Error(`Work item #${issueIid} not found`);
+    }
+    // Extract hierarchy widget
+    const hierarchyWidget = data.namespace.workItem.widgets?.find((w) => w.__typename === "WorkItemWidgetHierarchy");
+    return {
+        id: data.namespace.workItem.id,
+        title: data.namespace.workItem.title,
+        parent: hierarchyWidget?.parent || null,
+        children: hierarchyWidget?.children?.nodes || [],
+    };
+}
+/**
+ * Add a child to a parent work item.
+ */
+async function addIssueChild(projectId, issueIid, childProjectId, childIssueIid) {
+    const { workItemGID: parentGID } = await resolveWorkItemGID(projectId, issueIid);
+    const { workItemGID: childGID } = await resolveWorkItemGID(childProjectId, childIssueIid);
+    const data = await executeGraphQL(`mutation($id: WorkItemID!, $childId: WorkItemID!) {
+      workItemUpdate(input: { id: $id, hierarchyWidget: { childrenIds: [$childId] } }) {
+        workItem { id }
+        errors
+      }
+    }`, { id: parentGID, childId: childGID });
+    if (data.workItemUpdate.errors?.length > 0) {
+        throw new Error(`Failed to add child: ${data.workItemUpdate.errors.join(", ")}`);
+    }
+    return { parentId: parentGID, childId: childGID };
+}
+/**
+ * Remove a child from a parent work item by setting the child's parent to null.
+ */
+async function removeIssueChild(projectId, issueIid, childProjectId, childIssueIid) {
+    // Removing a child is done by removing the parent from the child
+    await removeIssueParent(childProjectId, childIssueIid);
+}
+// --- Work item status ---
+/**
+ * List available statuses for a work item type in a project.
+ * Requires Premium/Ultimate with configurable statuses enabled.
+ */
+async function listIssueStatuses(projectId, workItemType = "issue") {
+    projectId = decodeURIComponent(projectId);
+    const effectiveProjectId = getEffectiveProjectId(projectId);
+    // Get project path
+    const projectUrl = new URL(`${getEffectiveApiUrl()}/projects/${encodeURIComponent(effectiveProjectId)}`);
+    const projectResponse = await fetch(projectUrl.toString(), {
+        ...getFetchConfig(),
+    });
+    await handleGitLabError(projectResponse);
+    const project = await projectResponse.json();
+    const typeName = WORK_ITEM_TYPE_NAMES[workItemType] || "Issue";
+    const data = await executeGraphQL(`query($path: ID!, $typeName: IssueType) {
+      namespace(fullPath: $path) {
+        workItemTypes(name: $typeName) {
+          nodes {
+            id
+            name
+            supportedConversionTypes { id name }
+            widgetDefinitions {
+              __typename
+              ... on WorkItemWidgetDefinitionStatus {
+                allowedStatuses {
+                  id
+                  name
+                  iconName
+                  color
+                  position
+                }
+              }
+              ... on WorkItemWidgetDefinitionHierarchy {
+                allowedChildTypes { nodes { id name } }
+                allowedParentTypes { nodes { id name } }
+              }
+            }
+          }
+        }
+      }
+    }`, { path: project.path_with_namespace, typeName: typeName.replace(/ /g, "_").toUpperCase() });
+    const typeNodes = data.namespace?.workItemTypes?.nodes;
+    if (!typeNodes || typeNodes.length === 0) {
+        throw new Error(`Work item type '${typeName}' not found in project`);
+    }
+    const typeNode = typeNodes[0];
+    // Extract statuses from the status widget definition
+    const statusWidget = typeNode.widgetDefinitions?.find((w) => w.__typename === "WorkItemWidgetDefinitionStatus");
+    const statuses = statusWidget?.allowedStatuses || [];
+    // Extract hierarchy info
+    const hierarchyWidget = typeNode.widgetDefinitions?.find((w) => w.__typename === "WorkItemWidgetDefinitionHierarchy");
+    const result = {
+        work_item_type: typeNode.name,
+        statuses_available: statuses.length > 0,
+        statuses,
+    };
+    // Add supported conversion types
+    const conversionTypes = typeNode.supportedConversionTypes || [];
+    if (conversionTypes.length > 0) {
+        result.supported_conversion_types = conversionTypes.map((t) => t.name);
+    }
+    // Add allowed child/parent types
+    const childTypes = hierarchyWidget?.allowedChildTypes?.nodes || [];
+    const parentTypes = hierarchyWidget?.allowedParentTypes?.nodes || [];
+    if (childTypes.length > 0) {
+        result.allowed_child_types = childTypes.map((t) => t.name);
+    }
+    if (parentTypes.length > 0) {
+        result.allowed_parent_types = parentTypes.map((t) => t.name);
+    }
+    return result;
+}
+/**
+ * List available custom field definitions for a work item type.
+ */
+async function listCustomFieldDefinitions(projectId, workItemType = "issue") {
+    const projectPath = await resolveProjectPath(projectId);
+    const typeName = WORK_ITEM_TYPE_NAMES[workItemType] || "Issue";
+    const data = await executeGraphQL(`query($path: ID!, $typeName: IssueType) {
+      namespace(fullPath: $path) {
+        workItemTypes(name: $typeName) {
+          nodes {
+            id
+            name
+            widgetDefinitions {
+              __typename
+              ... on WorkItemWidgetDefinitionCustomFields {
+                customFieldValues {
+                  customField {
+                    id
+                    name
+                    fieldType
+                    selectOptions { id value }
+                    workItemTypes { id name }
+                  }
+                }
+              }
+            }
+          }
+        }
+      }
+    }`, { path: projectPath, typeName: typeName.replace(/ /g, "_").toUpperCase() });
+    const typeNodes = data.namespace?.workItemTypes?.nodes;
+    if (!typeNodes || typeNodes.length === 0) {
+        throw new Error(`Work item type '${typeName}' not found in project`);
+    }
+    const typeNode = typeNodes[0];
+    const customFieldsWidget = typeNode.widgetDefinitions?.find((w) => w.__typename === "WorkItemWidgetDefinitionCustomFields");
+    const fields = (customFieldsWidget?.customFieldValues || []).map((cfv) => {
+        const cf = cfv.customField;
+        const field = {
+            id: cf?.id,
+            name: cf?.name,
+            type: cf?.fieldType,
+        };
+        const options = cf?.selectOptions || [];
+        if (options.length > 0)
+            field.selectOptions = options;
+        const types = (cf?.workItemTypes || []).map((t) => t.name);
+        if (types.length > 0)
+            field.workItemTypes = types;
+        return field;
+    });
+    return {
+        work_item_type: typeNode.name,
+        custom_fields: fields,
+    };
+}
+/**
+ * Move a work item to a different project.
+ */
+async function moveWorkItem(projectId, iid, targetProjectId) {
+    const projectPath = await resolveProjectPath(projectId);
+    const targetPath = await resolveProjectPath(targetProjectId);
+    const data = await executeGraphQL(`mutation($projectPath: ID!, $iid: String!, $targetProjectPath: ID!) {
+      issueMove(input: { projectPath: $projectPath, iid: $iid, targetProjectPath: $targetProjectPath }) {
+        issue { id iid webUrl }
+        errors
+      }
+    }`, { projectPath: projectPath, iid: String(iid), targetProjectPath: targetPath });
+    if (data.issueMove.errors?.length > 0) {
+        throw new Error(`Failed to move work item: ${data.issueMove.errors.join(", ")}`);
+    }
+    return data.issueMove.issue;
+}
+/**
+ * List notes/discussions on a work item.
+ */
+async function listWorkItemNotes(projectId, iid, options = {}) {
+    const projectPath = await resolveProjectPath(projectId);
+    const data = await executeGraphQL(`query($path: ID!, $iid: String!, $pageSize: Int, $after: String, $sort: WorkItemDiscussionsSort) {
+      namespace(fullPath: $path) {
+        workItem(iid: $iid) {
+          id
+          widgets(onlyTypes: [NOTES]) {
+            ... on WorkItemWidgetNotes {
+              discussionLocked
+              discussions(first: $pageSize, after: $after, filter: ALL_NOTES, sort: $sort) {
+                pageInfo { hasNextPage endCursor }
+                nodes {
+                  id
+                  resolved
+                  resolvable
+                  notes {
+                    nodes {
+                      id
+                      body
+                      system
+                      internal
+                      createdAt
+                      lastEditedAt
+                      author { username }
+                    }
+                  }
+                }
+              }
+            }
+          }
+        }
+      }
+    }`, {
+        path: projectPath,
+        iid: String(iid),
+        pageSize: options.page_size || 20,
+        after: options.after || null,
+        sort: options.sort || "CREATED_ASC",
+    });
+    const workItem = data.namespace?.workItem;
+    if (!workItem) {
+        throw new Error(`Work item #${iid} not found in project ${projectPath}`);
+    }
+    const notesWidget = workItem.widgets?.find((w) => w.discussions);
+    const discussions = notesWidget?.discussions;
+    // Flatten to lean output
+    const items = (discussions?.nodes || []).map((d) => {
+        const notes = (d.notes?.nodes || []).map((n) => {
+            const note = {
+                id: n.id,
+                author: n.author?.username,
+                body: n.body,
+                createdAt: n.createdAt,
+            };
+            if (n.system)
+                note.system = true;
+            if (n.internal)
+                note.internal = true;
+            if (n.lastEditedAt)
+                note.lastEditedAt = n.lastEditedAt;
+            return note;
+        });
+        const discussion = { id: d.id, notes };
+        if (d.resolved)
+            discussion.resolved = true;
+        if (d.resolvable)
+            discussion.resolvable = true;
+        return discussion;
+    });
+    return {
+        discussions: items,
+        pageInfo: discussions?.pageInfo || {},
+    };
+}
+/**
+ * Create a note on a work item.
+ */
+async function createWorkItemNote(projectId, iid, body, options = {}) {
+    const { workItemGID } = await resolveWorkItemGID(projectId, iid);
+    const varDefs = ["$noteableId: NoteableID!", "$body: String!"];
+    const inputParts = ["noteableId: $noteableId", "body: $body"];
+    const variables = { noteableId: workItemGID, body };
+    if (options.internal) {
+        varDefs.push("$internal: Boolean");
+        inputParts.push("internal: $internal");
+        variables.internal = true;
+    }
+    if (options.discussion_id) {
+        varDefs.push("$discussionId: DiscussionID");
+        inputParts.push("discussionId: $discussionId");
+        variables.discussionId = options.discussion_id;
+    }
+    const data = await executeGraphQL(`mutation(${varDefs.join(", ")}) {
+      createNote(input: { ${inputParts.join(", ")} }) {
+        note {
+          id
+          body
+          discussion { id }
+        }
+        errors
+      }
+    }`, variables);
+    if (data.createNote.errors?.length > 0) {
+        throw new Error(`Failed to create note: ${data.createNote.errors.join(", ")}`);
+    }
+    return data.createNote.note;
+}
+// --- Incident Timeline Events ---
+/**
+ * List timeline events for an incident.
+ */
+async function getTimelineEvents(projectId, incidentIid) {
+    const { workItemGID, projectPath } = await resolveWorkItemGID(projectId, incidentIid);
+    // Timeline events expect gid://gitlab/Issue/... not gid://gitlab/WorkItem/...
+    const incidentGID = workItemGID.replace("/WorkItem/", "/Issue/");
+    const data = await executeGraphQL(`query($fullPath: ID!, $incidentId: IssueID!) {
+      project(fullPath: $fullPath) {
+        incidentManagementTimelineEvents(incidentId: $incidentId) {
+          nodes {
+            id
+            note
+            noteHtml
+            action
+            occurredAt
+            createdAt
+            timelineEventTags {
+              nodes {
+                id
+                name
+              }
+            }
+          }
+        }
+      }
+    }`, { fullPath: projectPath, incidentId: incidentGID });
+    const events = data.project?.incidentManagementTimelineEvents?.nodes || [];
+    return events.map((e) => {
+        const event = {
+            id: e.id,
+            note: e.note,
+            action: e.action,
+            occurredAt: e.occurredAt,
+            createdAt: e.createdAt,
+        };
+        if (e.noteHtml)
+            event.noteHtml = e.noteHtml;
+        const tags = (e.timelineEventTags?.nodes || []).map((t) => t.name);
+        if (tags.length > 0)
+            event.tags = tags;
+        return event;
+    });
+}
+/**
+ * Create a timeline event on an incident.
+ */
+async function createTimelineEvent(projectId, incidentIid, note, occurredAt, tagNames) {
+    const { workItemGID } = await resolveWorkItemGID(projectId, incidentIid);
+    // Timeline events expect gid://gitlab/Issue/... not gid://gitlab/WorkItem/...
+    const incidentGID = workItemGID.replace("/WorkItem/", "/Issue/");
+    const variables = {
+        input: {
+            incidentId: incidentGID,
+            note,
+            occurredAt,
+        },
+    };
+    if (tagNames && tagNames.length > 0) {
+        variables.input.timelineEventTagNames = tagNames;
+    }
+    const data = await executeGraphQL(`mutation CreateTimelineEvent($input: TimelineEventCreateInput!) {
+      timelineEventCreate(input: $input) {
+        timelineEvent {
+          id
+          note
+          noteHtml
+          action
+          occurredAt
+          createdAt
+          timelineEventTags {
+            nodes {
+              id
+              name
+            }
+          }
+        }
+        errors
+      }
+    }`, variables);
+    if (data.timelineEventCreate.errors?.length > 0) {
+        throw new Error(`Failed to create timeline event: ${data.timelineEventCreate.errors.join(", ")}`);
+    }
+    const e = data.timelineEventCreate.timelineEvent;
+    const result = {
+        id: e.id,
+        note: e.note,
+        action: e.action,
+        occurredAt: e.occurredAt,
+        createdAt: e.createdAt,
+    };
+    if (e.noteHtml)
+        result.noteHtml = e.noteHtml;
+    const tags = (e.timelineEventTags?.nodes || []).map((t) => t.name);
+    if (tags.length > 0)
+        result.tags = tags;
+    return result;
+}
+/**
+ * Update the severity of an incident.
+ * Accepts projectPath directly to avoid redundant REST calls when called from updateWorkItem.
+ */
+async function updateIncidentSeverity(projectPath, incidentIid, severity) {
+    const data = await executeGraphQL(`mutation($projectPath: ID!, $severity: IssuableSeverity!, $iid: String!) {
+      issueSetSeverity(input: { iid: $iid, severity: $severity, projectPath: $projectPath }) {
+        errors
+        issue {
+          iid
+          id
+          severity
+        }
+      }
+    }`, { projectPath, severity, iid: String(incidentIid) });
+    if (data.issueSetSeverity.errors?.length > 0) {
+        throw new Error(`Failed to set severity: ${data.issueSetSeverity.errors.join(", ")}`);
+    }
+    return data.issueSetSeverity.issue;
+}
+/**
+ * Update the escalation status of an incident.
+ * Accepts projectPath directly to avoid redundant REST calls when called from updateWorkItem.
+ */
+async function updateIncidentEscalationStatus(projectPath, incidentIid, status) {
+    const data = await executeGraphQL(`mutation($projectPath: ID!, $status: IssueEscalationStatus!, $iid: String!) {
+      issueSetEscalationStatus(input: { projectPath: $projectPath, status: $status, iid: $iid }) {
+        errors
+        issue {
+          id
+          escalationStatus
+        }
+      }
+    }`, { projectPath, status, iid: String(incidentIid) });
+    if (data.issueSetEscalationStatus.errors?.length > 0) {
+        throw new Error(`Failed to set escalation status: ${data.issueSetEscalationStatus.errors.join(", ")}`);
+    }
+    return data.issueSetEscalationStatus.issue;
+}
+/**
+ * Set the status of a work item.
+ */
+async function setIssueStatus(projectId, issueIid, status) {
+    const { workItemGID } = await resolveWorkItemGID(projectId, issueIid);
+    const data = await executeGraphQL(`mutation($id: WorkItemID!, $status: WorkItemsStatusesStatusID!) {
+      workItemUpdate(input: { id: $id, statusWidget: { status: $status } }) {
+        workItem {
+          id
+          widgets {
+            __typename
+            ... on WorkItemWidgetStatus {
+              status { id name category color }
+            }
+          }
+        }
+        errors
+      }
+    }`, { id: workItemGID, status });
+    if (data.workItemUpdate.errors?.length > 0) {
+        throw new Error(`Failed to set status: ${data.workItemUpdate.errors.join(", ")}`);
+    }
+    // Extract the current status from the response
+    const statusWidget = data.workItemUpdate.workItem?.widgets?.find((w) => w.__typename === "WorkItemWidgetStatus");
+    return {
+        id: data.workItemUpdate.workItem.id,
+        status: statusWidget?.status || null,
+    };
+}
+/**
+ * Resolve a project ID (numeric or path) to its full path_with_namespace.
+ */
+async function resolveProjectPath(projectId) {
+    projectId = decodeURIComponent(projectId);
+    const effectiveProjectId = getEffectiveProjectId(projectId);
+    const projectUrl = new URL(`${getEffectiveApiUrl()}/projects/${encodeURIComponent(effectiveProjectId)}`);
+    const projectResponse = await fetch(projectUrl.toString(), {
+        ...getFetchConfig(),
+    });
+    await handleGitLabError(projectResponse);
+    const project = await projectResponse.json();
+    return project.path_with_namespace;
+}
+/**
+ * Get a single work item with all widget data.
+ */
+async function getWorkItem(projectId, iid) {
+    const projectPath = await resolveProjectPath(projectId);
+    const data = await executeGraphQL(`query($path: ID!, $iid: String!) {
+      namespace(fullPath: $path) {
+        workItem(iid: $iid) {
+          id
+          iid
+          title
+          state
+          description
+          webUrl
+          confidential
+          author { username }
+          createdAt
+          closedAt
+          workItemType { name }
+          widgets {
+            __typename
+            ... on WorkItemWidgetHierarchy {
+              hasChildren hasParent
+              parent { id iid title webUrl workItemType { name } namespace { fullPath } }
+              children { nodes { id iid title state webUrl workItemType { name } namespace { fullPath } } }
+            }
+            ... on WorkItemWidgetStatus { status { id name category color iconName position } }
+            ... on WorkItemWidgetCustomFields {
+              customFieldValues {
+                __typename
+                customField { id name fieldType }
+                ... on WorkItemNumberFieldValue { value }
+                ... on WorkItemTextFieldValue { value }
+                ... on WorkItemSelectFieldValue {
+                  selectedOptions { id value }
+                }
+              }
+            }
+            ... on WorkItemWidgetLabels { labels { nodes { id title color } } }
+            ... on WorkItemWidgetAssignees { assignees { nodes { id username name } } }
+            ... on WorkItemWidgetWeight { weight rolledUpWeight rolledUpCompletedWeight }
+            ... on WorkItemWidgetHealthStatus { healthStatus }
+            ... on WorkItemWidgetStartAndDueDate { startDate dueDate }
+            ... on WorkItemWidgetMilestone { milestone { id title } }
+            ... on WorkItemWidgetLinkedItems {
+              blocked blockedByCount blockingCount
+              linkedItems { nodes { linkType workItem { id iid title state webUrl workItemType { name } namespace { fullPath } } } }
+            }
+            ... on WorkItemWidgetTimeTracking {
+              timeEstimate totalTimeSpent
+            }
+            ... on WorkItemWidgetDevelopment {
+              willAutoCloseByMergeRequest
+              relatedBranches { nodes { name } }
+              relatedMergeRequests {
+                nodes { iid title webUrl state sourceBranch }
+              }
+              closingMergeRequests {
+                nodes {
+                  mergeRequest { iid title webUrl state sourceBranch }
+                }
+              }
+              featureFlags { nodes { name active } }
+            }
+            ... on WorkItemWidgetIteration {
+              iteration { id title startDate dueDate webUrl iterationCadence { id title } }
+            }
+            ... on WorkItemWidgetProgress { progress }
+            ... on WorkItemWidgetColor { color textColor }
+          }
+        }
+      }
+    }`, { path: projectPath, iid: String(iid) });
+    if (!data.namespace?.workItem) {
+        throw new Error(`Work item #${iid} not found in project ${projectPath}`);
+    }
+    const wi = data.namespace.workItem;
+    const widgets = wi.widgets || [];
+    // Flatten widget data into a clean response
+    const hierarchyWidget = widgets.find((w) => w.__typename === "WorkItemWidgetHierarchy");
+    const statusWidget = widgets.find((w) => w.__typename === "WorkItemWidgetStatus");
+    const labelsWidget = widgets.find((w) => w.__typename === "WorkItemWidgetLabels");
+    const assigneesWidget = widgets.find((w) => w.__typename === "WorkItemWidgetAssignees");
+    const weightWidget = widgets.find((w) => w.__typename === "WorkItemWidgetWeight");
+    const healthStatusWidget = widgets.find((w) => w.__typename === "WorkItemWidgetHealthStatus");
+    const datesWidget = widgets.find((w) => w.__typename === "WorkItemWidgetStartAndDueDate");
+    const milestoneWidget = widgets.find((w) => w.__typename === "WorkItemWidgetMilestone");
+    const linkedItemsWidget = widgets.find((w) => w.__typename === "WorkItemWidgetLinkedItems");
+    const timeTrackingWidget = widgets.find((w) => w.__typename === "WorkItemWidgetTimeTracking");
+    const developmentWidget = widgets.find((w) => w.__typename === "WorkItemWidgetDevelopment");
+    const customFieldsWidget = widgets.find((w) => w.__typename === "WorkItemWidgetCustomFields");
+    // Build response, omitting null/empty values to keep output lean
+    const result = {
+        id: wi.id,
+        iid: wi.iid,
+        title: wi.title,
+        state: wi.state,
+        type: wi.workItemType?.name,
+        webUrl: wi.webUrl,
+    };
+    if (wi.description)
+        result.description = wi.description;
+    if (wi.confidential)
+        result.confidential = true;
+    if (wi.author?.username)
+        result.author = wi.author.username;
+    if (wi.createdAt)
+        result.createdAt = wi.createdAt;
+    if (wi.closedAt)
+        result.closedAt = wi.closedAt;
+    if (statusWidget?.status)
+        result.status = { name: statusWidget.status.name, id: statusWidget.status.id, category: statusWidget.status.category };
+    const labels = (labelsWidget?.labels?.nodes || []).map((l) => l.title);
+    if (labels.length > 0)
+        result.labels = labels;
+    const assignees = (assigneesWidget?.assignees?.nodes || []).map((a) => a.username);
+    if (assignees.length > 0)
+        result.assignees = assignees;
+    if (weightWidget?.weight != null) {
+        result.weight = weightWidget.weight;
+        if (weightWidget.rolledUpWeight != null)
+            result.rolledUpWeight = weightWidget.rolledUpWeight;
+        if (weightWidget.rolledUpCompletedWeight != null)
+            result.rolledUpCompletedWeight = weightWidget.rolledUpCompletedWeight;
+    }
+    if (healthStatusWidget?.healthStatus)
+        result.healthStatus = healthStatusWidget.healthStatus;
+    if (datesWidget?.startDate)
+        result.startDate = datesWidget.startDate;
+    if (datesWidget?.dueDate)
+        result.dueDate = datesWidget.dueDate;
+    if (milestoneWidget?.milestone)
+        result.milestone = { id: milestoneWidget.milestone.id, title: milestoneWidget.milestone.title };
+    const iterationWidget = widgets.find((w) => w.__typename === "WorkItemWidgetIteration");
+    if (iterationWidget?.iteration) {
+        result.iteration = {
+            id: iterationWidget.iteration.id,
+            title: iterationWidget.iteration.title,
+            startDate: iterationWidget.iteration.startDate,
+            dueDate: iterationWidget.iteration.dueDate,
+        };
+    }
+    const progressWidget = widgets.find((w) => w.__typename === "WorkItemWidgetProgress");
+    if (progressWidget?.progress != null)
+        result.progress = progressWidget.progress;
+    const colorWidget = widgets.find((w) => w.__typename === "WorkItemWidgetColor");
+    if (colorWidget?.color)
+        result.color = colorWidget.color;
+    if (hierarchyWidget?.parent)
+        result.parent = { iid: hierarchyWidget.parent.iid, title: hierarchyWidget.parent.title, type: hierarchyWidget.parent.workItemType?.name, project: hierarchyWidget.parent.namespace?.fullPath, webUrl: hierarchyWidget.parent.webUrl };
+    const children = hierarchyWidget?.children?.nodes || [];
+    if (children.length > 0)
+        result.children = children.map((c) => ({ iid: c.iid, title: c.title, state: c.state, type: c.workItemType?.name, project: c.namespace?.fullPath, webUrl: c.webUrl }));
+    if (linkedItemsWidget?.blocked)
+        result.blocked = true;
+    if (linkedItemsWidget?.blockedByCount > 0)
+        result.blockedByCount = linkedItemsWidget.blockedByCount;
+    if (linkedItemsWidget?.blockingCount > 0)
+        result.blockingCount = linkedItemsWidget.blockingCount;
+    const linkedNodes = linkedItemsWidget?.linkedItems?.nodes || [];
+    if (linkedNodes.length > 0) {
+        result.linkedItems = linkedNodes.map((n) => ({
+            linkType: n.linkType,
+            iid: n.workItem?.iid,
+            title: n.workItem?.title,
+            state: n.workItem?.state,
+            type: n.workItem?.workItemType?.name,
+            project: n.workItem?.namespace?.fullPath,
+            webUrl: n.workItem?.webUrl,
+        }));
+    }
+    if (timeTrackingWidget?.timeEstimate > 0)
+        result.timeEstimate = timeTrackingWidget.timeEstimate;
+    if (timeTrackingWidget?.totalTimeSpent > 0)
+        result.totalTimeSpent = timeTrackingWidget.totalTimeSpent;
+    // Development: only include if there's actual data
+    const relatedMRs = developmentWidget?.relatedMergeRequests?.nodes || [];
+    const closingMRs = (developmentWidget?.closingMergeRequests?.nodes || []).map((n) => n.mergeRequest);
+    const branches = developmentWidget?.relatedBranches?.nodes || [];
+    const flags = developmentWidget?.featureFlags?.nodes || [];
+    if (relatedMRs.length > 0 || closingMRs.length > 0 || branches.length > 0 || flags.length > 0) {
+        const dev = {};
+        if (relatedMRs.length > 0)
+            dev.relatedMergeRequests = relatedMRs;
+        if (closingMRs.length > 0)
+            dev.closingMergeRequests = closingMRs;
+        if (branches.length > 0)
+            dev.relatedBranches = branches.map((b) => b.name);
+        if (flags.length > 0)
+            dev.featureFlags = flags;
+        result.development = dev;
+    }
+    const cfValues = (customFieldsWidget?.customFieldValues || []).filter((cfv) => cfv.value != null || cfv.selectedOptions != null);
+    if (cfValues.length > 0) {
+        result.customFields = cfValues.map((cfv) => ({
+            name: cfv.customField?.name,
+            type: cfv.customField?.fieldType,
+            value: cfv.value ?? cfv.selectedOptions ?? null,
+        }));
+    }
+    return result;
+}
+/**
+ * List work items in a project with filters.
+ */
+async function listWorkItems(projectId, options) {
+    const projectPath = await resolveProjectPath(projectId);
+    // Map type names to GraphQL enum values
+    const typeMap = {
+        issue: "ISSUE",
+        task: "TASK",
+        incident: "INCIDENT",
+        test_case: "TEST_CASE",
+        epic: "EPIC",
+        key_result: "KEY_RESULT",
+        objective: "OBJECTIVE",
+        requirement: "REQUIREMENT",
+        ticket: "TICKET",
+    };
+    const variables = {
+        path: projectPath,
+        first: options.first || 20,
+    };
+    if (options.types && options.types.length > 0) {
+        variables.types = options.types.map((t) => typeMap[t] || t.replace(/ /g, "_").toUpperCase());
+    }
+    if (options.state) {
+        variables.state = options.state === "opened" ? "opened" : "closed";
+    }
+    if (options.search) {
+        variables.search = options.search;
+    }
+    if (options.assignee_usernames && options.assignee_usernames.length > 0) {
+        variables.assigneeUsernames = options.assignee_usernames;
+    }
+    if (options.label_names && options.label_names.length > 0) {
+        variables.labelName = options.label_names;
+    }
+    if (options.after) {
+        variables.after = options.after;
+    }
+    const data = await executeGraphQL(`query($path: ID!, $types: [IssueType!], $state: IssuableState, $search: String, $assigneeUsernames: [String!], $labelName: [String!], $first: Int, $after: String) {
+      project(fullPath: $path) {
+        workItems(types: $types, state: $state, search: $search, assigneeUsernames: $assigneeUsernames, labelName: $labelName, first: $first, after: $after) {
+          nodes {
+            id iid title state webUrl workItemType { name }
+            widgets {
+              __typename
+              ... on WorkItemWidgetStatus { status { id name category color } }
+              ... on WorkItemWidgetLabels { labels { nodes { title } } }
+              ... on WorkItemWidgetAssignees { assignees { nodes { username } } }
+              ... on WorkItemWidgetWeight { weight }
+              ... on WorkItemWidgetHealthStatus { healthStatus }
+              ... on WorkItemWidgetStartAndDueDate { startDate dueDate }
+              ... on WorkItemWidgetMilestone { milestone { id title } }
+            }
+          }
+          pageInfo { hasNextPage endCursor }
+        }
+      }
+    }`, variables);
+    const workItems = data.project?.workItems?.nodes || [];
+    const pageInfo = data.project?.workItems?.pageInfo || {};
+    // Flatten widget data for each item
+    const items = workItems.map((wi) => {
+        const widgets = wi.widgets || [];
+        const statusWidget = widgets.find((w) => w.__typename === "WorkItemWidgetStatus");
+        const labelsWidget = widgets.find((w) => w.__typename === "WorkItemWidgetLabels");
+        const assigneesWidget = widgets.find((w) => w.__typename === "WorkItemWidgetAssignees");
+        const weightWidget = widgets.find((w) => w.__typename === "WorkItemWidgetWeight");
+        const healthStatusWidget = widgets.find((w) => w.__typename === "WorkItemWidgetHealthStatus");
+        const datesWidget = widgets.find((w) => w.__typename === "WorkItemWidgetStartAndDueDate");
+        const milestoneWidget = widgets.find((w) => w.__typename === "WorkItemWidgetMilestone");
+        const item = {
+            iid: wi.iid,
+            title: wi.title,
+            state: wi.state,
+            type: wi.workItemType?.name,
+            webUrl: wi.webUrl,
+        };
+        if (statusWidget?.status)
+            item.status = statusWidget.status.name;
+        const labels = (labelsWidget?.labels?.nodes || []).map((l) => l.title);
+        if (labels.length > 0)
+            item.labels = labels;
+        const assignees = (assigneesWidget?.assignees?.nodes || []).map((a) => a.username);
+        if (assignees.length > 0)
+            item.assignees = assignees;
+        if (weightWidget?.weight != null)
+            item.weight = weightWidget.weight;
+        if (healthStatusWidget?.healthStatus)
+            item.healthStatus = healthStatusWidget.healthStatus;
+        if (datesWidget?.startDate)
+            item.startDate = datesWidget.startDate;
+        if (datesWidget?.dueDate)
+            item.dueDate = datesWidget.dueDate;
+        if (milestoneWidget?.milestone)
+            item.milestone = milestoneWidget.milestone.title;
+        return item;
+    });
+    return { items, pageInfo };
+}
+/**
+ * Create a new work item using GraphQL.
+ */
+async function createWorkItem(projectId, options) {
+    const projectPath = await resolveProjectPath(projectId);
+    const typeName = options.type || "issue";
+    const typeGID = await resolveWorkItemTypeGID(projectPath, typeName);
+    // Build the input dynamically - only include widgets that have values
+    const inputFields = [
+        "$projectPath: ID!",
+        "$title: String!",
+        "$typeId: WorkItemsTypeID!",
+    ];
+    const inputValues = [
+        "namespacePath: $projectPath",
+        "title: $title",
+        "workItemTypeId: $typeId",
+    ];
+    const variables = {
+        projectPath,
+        title: options.title,
+        typeId: typeGID,
+    };
+    if (options.description !== undefined) {
+        inputFields.push("$description: String!");
+        inputValues.push("descriptionWidget: { description: $description }");
+        variables.description = options.description;
+    }
+    // Resolve label names and usernames to GIDs in a single GraphQL call
+    const { labelIds, userIds } = await resolveNamesToIds(projectPath, options.labels, options.assignee_usernames);
+    if (labelIds.length > 0) {
+        inputFields.push("$labelIds: [LabelID!]!");
+        inputValues.push("labelsWidget: { labelIds: $labelIds }");
+        variables.labelIds = labelIds;
+    }
+    if (options.weight !== undefined) {
+        inputFields.push("$weight: Int");
+        inputValues.push("weightWidget: { weight: $weight }");
+        variables.weight = options.weight;
+    }
+    // Resolve parent GID if provided
+    if (options.parent_iid !== undefined) {
+        const { workItemGID: parentGID } = await resolveWorkItemGID(projectId, options.parent_iid);
+        inputFields.push("$parentId: WorkItemID");
+        inputValues.push("hierarchyWidget: { parentId: $parentId }");
+        variables.parentId = parentGID;
+    }
+    if (userIds.length > 0) {
+        inputFields.push("$assigneeIds: [UserID!]!");
+        inputValues.push("assigneesWidget: { assigneeIds: $assigneeIds }");
+        variables.assigneeIds = userIds;
+    }
+    if (options.health_status !== undefined) {
+        inputFields.push("$healthStatus: HealthStatus");
+        inputValues.push("healthStatusWidget: { healthStatus: $healthStatus }");
+        variables.healthStatus = options.health_status;
+    }
+    // Start and due date widget - combine into one widget
+    if (options.start_date !== undefined || options.due_date !== undefined) {
+        const dateParts = [];
+        if (options.start_date !== undefined) {
+            inputFields.push("$startDate: Date");
+            dateParts.push("startDate: $startDate");
+            variables.startDate = options.start_date;
+        }
+        if (options.due_date !== undefined) {
+            inputFields.push("$dueDate: Date");
+            dateParts.push("dueDate: $dueDate");
+            variables.dueDate = options.due_date;
+        }
+        inputValues.push(`startAndDueDateWidget: { ${dateParts.join(", ")} }`);
+    }
+    if (options.milestone_id !== undefined) {
+        // Convert numeric ID to GID format if needed
+        const milestoneGID = options.milestone_id.startsWith("gid://")
+            ? options.milestone_id
+            : `gid://gitlab/Milestone/${options.milestone_id}`;
+        inputFields.push("$milestoneId: MilestoneID");
+        inputValues.push("milestoneWidget: { milestoneId: $milestoneId }");
+        variables.milestoneId = milestoneGID;
+    }
+    if (options.iteration_id !== undefined) {
+        const iterationGID = options.iteration_id.startsWith("gid://")
+            ? options.iteration_id
+            : `gid://gitlab/Iteration/${options.iteration_id}`;
+        inputFields.push("$iterationId: IterationID");
+        inputValues.push("iterationWidget: { iterationId: $iterationId }");
+        variables.iterationId = iterationGID;
+    }
+    if (options.confidential !== undefined) {
+        inputFields.push("$confidential: Boolean");
+        inputValues.push("confidential: $confidential");
+        variables.confidential = options.confidential;
+    }
+    const mutation = `mutation(${inputFields.join(", ")}) {
+    workItemCreate(input: { ${inputValues.join(", ")} }) {
+      workItem {
+        id
+        iid
+        title
+        webUrl
+        workItemType { name }
+      }
+      errors
+    }
+  }`;
+    const data = await executeGraphQL(mutation, variables);
+    if (data.workItemCreate.errors?.length > 0) {
+        throw new Error(`Failed to create work item: ${data.workItemCreate.errors.join(", ")}`);
+    }
+    const wi = data.workItemCreate.workItem;
+    return {
+        id: wi.id,
+        iid: wi.iid,
+        title: wi.title,
+        type: wi.workItemType?.name,
+        webUrl: wi.webUrl,
+    };
+}
+/**
+ * Update a work item - consolidated handler for title, description, labels, assignees,
+ * weight, state, status, parent, and children operations.
+ */
+async function updateWorkItem(projectId, iid, options) {
+    const { workItemGID, projectPath } = await resolveWorkItemGID(projectId, iid);
+    // Build the main workItemUpdate mutation dynamically
+    const inputParts = ["id: $id"];
+    const varDefs = ["$id: WorkItemID!"];
+    const variables = { id: workItemGID };
+    if (options.title !== undefined) {
+        varDefs.push("$title: String");
+        inputParts.push("title: $title");
+        variables.title = options.title;
+    }
+    if (options.description !== undefined) {
+        varDefs.push("$description: String!");
+        inputParts.push("descriptionWidget: { description: $description }");
+        variables.description = options.description;
+    }
+    // Resolve label names and usernames to GIDs in a single GraphQL call
+    const allLabelNames = [...(options.add_labels || []), ...(options.remove_labels || [])];
+    const needsResolve = allLabelNames.length > 0 || options.assignee_usernames?.length;
+    const { labelIds: resolvedLabelIds, userIds } = needsResolve
+        ? await resolveNamesToIds(projectPath, allLabelNames.length > 0 ? allLabelNames : undefined, options.assignee_usernames)
+        : { labelIds: [], userIds: [] };
+    if (options.add_labels || options.remove_labels) {
+        const labelParts = [];
+        let offset = 0;
+        if (options.add_labels && options.add_labels.length > 0) {
+            const addIds = resolvedLabelIds.slice(0, options.add_labels.length);
+            offset = options.add_labels.length;
+            varDefs.push("$addLabelIds: [LabelID!]");
+            labelParts.push("addLabelIds: $addLabelIds");
+            variables.addLabelIds = addIds;
+        }
+        if (options.remove_labels && options.remove_labels.length > 0) {
+            const removeIds = resolvedLabelIds.slice(offset);
+            varDefs.push("$removeLabelIds: [LabelID!]");
+            labelParts.push("removeLabelIds: $removeLabelIds");
+            variables.removeLabelIds = removeIds;
+        }
+        if (labelParts.length > 0) {
+            inputParts.push(`labelsWidget: { ${labelParts.join(", ")} }`);
+        }
+    }
+    if (userIds.length > 0) {
+        varDefs.push("$assigneeIds: [UserID!]!");
+        inputParts.push("assigneesWidget: { assigneeIds: $assigneeIds }");
+        variables.assigneeIds = userIds;
+    }
+    if (options.state_event !== undefined) {
+        varDefs.push("$stateEvent: WorkItemStateEvent");
+        inputParts.push("stateEvent: $stateEvent");
+        variables.stateEvent = options.state_event === "close" ? "CLOSE" : "REOPEN";
+    }
+    if (options.weight !== undefined) {
+        varDefs.push("$weight: Int");
+        inputParts.push("weightWidget: { weight: $weight }");
+        variables.weight = options.weight;
+    }
+    if (options.status !== undefined) {
+        varDefs.push("$status: WorkItemsStatusesStatusID");
+        inputParts.push("statusWidget: { status: $status }");
+        variables.status = options.status;
+    }
+    if (options.health_status !== undefined) {
+        varDefs.push("$healthStatus: HealthStatus");
+        inputParts.push("healthStatusWidget: { healthStatus: $healthStatus }");
+        variables.healthStatus = options.health_status;
+    }
+    // Start and due date widget - combine into one widget
+    if (options.start_date !== undefined || options.due_date !== undefined) {
+        const dateParts = [];
+        if (options.start_date !== undefined) {
+            varDefs.push("$startDate: Date");
+            dateParts.push("startDate: $startDate");
+            variables.startDate = options.start_date;
+        }
+        if (options.due_date !== undefined) {
+            varDefs.push("$dueDate: Date");
+            dateParts.push("dueDate: $dueDate");
+            variables.dueDate = options.due_date;
+        }
+        inputParts.push(`startAndDueDateWidget: { ${dateParts.join(", ")} }`);
+    }
+    if (options.milestone_id !== undefined) {
+        // Convert numeric ID to GID format if needed
+        const milestoneGID = options.milestone_id.startsWith("gid://")
+            ? options.milestone_id
+            : `gid://gitlab/Milestone/${options.milestone_id}`;
+        varDefs.push("$milestoneId: MilestoneID");
+        inputParts.push("milestoneWidget: { milestoneId: $milestoneId }");
+        variables.milestoneId = milestoneGID;
+    }
+    if (options.iteration_id !== undefined) {
+        const iterationGID = options.iteration_id.startsWith("gid://")
+            ? options.iteration_id
+            : `gid://gitlab/Iteration/${options.iteration_id}`;
+        varDefs.push("$iterationId: IterationID");
+        inputParts.push("iterationWidget: { iterationId: $iterationId }");
+        variables.iterationId = iterationGID;
+    }
+    if (options.confidential !== undefined) {
+        varDefs.push("$confidential: Boolean");
+        inputParts.push("confidential: $confidential");
+        variables.confidential = options.confidential;
+    }
+    // Custom fields widget
+    if (options.custom_fields && options.custom_fields.length > 0) {
+        const cfValues = options.custom_fields.map(cf => {
+            const cfId = cf.custom_field_id.startsWith("gid://")
+                ? cf.custom_field_id
+                : `gid://gitlab/IssuablesCustomField/${cf.custom_field_id}`;
+            const val = { customFieldId: cfId };
+            if (cf.text_value !== undefined)
+                val.textValue = cf.text_value;
+            if (cf.number_value !== undefined)
+                val.numberValue = cf.number_value;
+            if (cf.selected_option_ids !== undefined)
+                val.selectedOptionIds = cf.selected_option_ids;
+            if (cf.date_value !== undefined)
+                val.dateValue = cf.date_value;
+            return val;
+        });
+        varDefs.push("$customFieldsWidget: [WorkItemWidgetCustomFieldValueInputType!]");
+        inputParts.push("customFieldsWidget: $customFieldsWidget");
+        variables.customFieldsWidget = cfValues;
+    }
+    // Hierarchy: set parent or remove parent
+    if (options.remove_parent) {
+        inputParts.push("hierarchyWidget: { parentId: null }");
+    }
+    else if (options.parent_iid !== undefined) {
+        const parentProjectId = options.parent_project_id || projectId;
+        const { workItemGID: parentGID } = await resolveWorkItemGID(parentProjectId, options.parent_iid);
+        varDefs.push("$parentId: WorkItemID");
+        inputParts.push("hierarchyWidget: { parentId: $parentId }");
+        variables.parentId = parentGID;
+    }
+    // Execute the main update mutation
+    const mutation = `mutation(${varDefs.join(", ")}) {
+    workItemUpdate(input: { ${inputParts.join(", ")} }) {
+      workItem {
+        id
+        iid
+        title
+        state
+        webUrl
+        workItemType { name }
+        widgets {
+          __typename
+          ... on WorkItemWidgetStatus { status { id name category color } }
+          ... on WorkItemWidgetLabels { labels { nodes { title } } }
+          ... on WorkItemWidgetAssignees { assignees { nodes { username } } }
+          ... on WorkItemWidgetWeight { weight }
+          ... on WorkItemWidgetHierarchy {
+            parent { id title workItemType { name } }
+          }
+          ... on WorkItemWidgetHealthStatus { healthStatus }
+          ... on WorkItemWidgetStartAndDueDate { startDate dueDate }
+          ... on WorkItemWidgetMilestone { milestone { id title } }
+        }
+      }
+      errors
+    }
+  }`;
+    const data = await executeGraphQL(mutation, variables);
+    if (data.workItemUpdate.errors?.length > 0) {
+        throw new Error(`Failed to update work item: ${data.workItemUpdate.errors.join(", ")}`);
+    }
+    // Handle children_to_add: use separate workItemUpdate call with hierarchyWidget.childrenIds
+    if (options.children_to_add && options.children_to_add.length > 0) {
+        const childGIDs = [];
+        for (const child of options.children_to_add) {
+            const { workItemGID: childGID } = await resolveWorkItemGID(child.project_id, child.iid);
+            childGIDs.push(childGID);
+        }
+        const addData = await executeGraphQL(`mutation($id: WorkItemID!, $childrenIds: [WorkItemID!]!) {
+        workItemUpdate(input: { id: $id, hierarchyWidget: { childrenIds: $childrenIds } }) {
+          errors
+        }
+      }`, { id: workItemGID, childrenIds: childGIDs });
+        if (addData.workItemUpdate.errors?.length > 0) {
+            throw new Error(`Failed to add children: ${addData.workItemUpdate.errors.join(", ")}`);
+        }
+    }
+    // Handle children_to_remove: remove parent from each child
+    if (options.children_to_remove && options.children_to_remove.length > 0) {
+        for (const child of options.children_to_remove) {
+            await removeIssueParent(child.project_id, child.iid);
+        }
+    }
+    // Handle linked_items_to_add: use workItemAddLinkedItems mutation
+    if (options.linked_items_to_add && options.linked_items_to_add.length > 0) {
+        // Group by link_type since each mutation call needs a single linkType
+        const groupedByType = {};
+        for (const item of options.linked_items_to_add) {
+            const linkType = item.link_type || "RELATED";
+            if (!groupedByType[linkType])
+                groupedByType[linkType] = [];
+            const { workItemGID: targetGID } = await resolveWorkItemGID(item.project_id, item.iid);
+            groupedByType[linkType].push(targetGID);
+        }
+        for (const [linkType, targetGIDs] of Object.entries(groupedByType)) {
+            const addLinkedData = await executeGraphQL(`mutation($id: WorkItemID!, $workItemsIds: [WorkItemID!]!, $linkType: WorkItemRelatedLinkType!) {
+          workItemAddLinkedItems(input: { id: $id, workItemsIds: $workItemsIds, linkType: $linkType }) {
+            errors
+          }
+        }`, { id: workItemGID, workItemsIds: targetGIDs, linkType });
+            if (addLinkedData.workItemAddLinkedItems.errors?.length > 0) {
+                throw new Error(`Failed to add linked items: ${addLinkedData.workItemAddLinkedItems.errors.join(", ")}`);
+            }
+        }
+    }
+    // Handle linked_items_to_remove: use workItemRemoveLinkedItems mutation
+    if (options.linked_items_to_remove && options.linked_items_to_remove.length > 0) {
+        const targetGIDs = [];
+        for (const item of options.linked_items_to_remove) {
+            const { workItemGID: targetGID } = await resolveWorkItemGID(item.project_id, item.iid);
+            targetGIDs.push(targetGID);
+        }
+        const removeLinkedData = await executeGraphQL(`mutation($id: WorkItemID!, $workItemsIds: [WorkItemID!]!) {
+        workItemRemoveLinkedItems(input: { id: $id, workItemsIds: $workItemsIds }) {
+          errors
+        }
+      }`, { id: workItemGID, workItemsIds: targetGIDs });
+        if (removeLinkedData.workItemRemoveLinkedItems.errors?.length > 0) {
+            throw new Error(`Failed to remove linked items: ${removeLinkedData.workItemRemoveLinkedItems.errors.join(", ")}`);
+        }
+    }
+    // Handle incident-specific fields via separate mutations
+    if (options.severity !== undefined) {
+        await updateIncidentSeverity(projectPath, iid, options.severity);
+    }
+    if (options.escalation_status !== undefined) {
+        await updateIncidentEscalationStatus(projectPath, iid, options.escalation_status);
+    }
+    // Flatten the response
+    const wi = data.workItemUpdate.workItem;
+    const widgets = wi?.widgets || [];
+    const statusW = widgets.find((w) => w.__typename === "WorkItemWidgetStatus");
+    const labelsW = widgets.find((w) => w.__typename === "WorkItemWidgetLabels");
+    const assigneesW = widgets.find((w) => w.__typename === "WorkItemWidgetAssignees");
+    const weightW = widgets.find((w) => w.__typename === "WorkItemWidgetWeight");
+    const hierarchyW = widgets.find((w) => w.__typename === "WorkItemWidgetHierarchy");
+    const healthStatusW = widgets.find((w) => w.__typename === "WorkItemWidgetHealthStatus");
+    const datesW = widgets.find((w) => w.__typename === "WorkItemWidgetStartAndDueDate");
+    const milestoneW = widgets.find((w) => w.__typename === "WorkItemWidgetMilestone");
+    return {
+        id: wi.id,
+        iid: wi.iid,
+        title: wi.title,
+        state: wi.state,
+        type: wi.workItemType?.name,
+        webUrl: wi.webUrl,
+        status: statusW?.status || null,
+        labels: (labelsW?.labels?.nodes || []).map((l) => l.title),
+        assignees: (assigneesW?.assignees?.nodes || []).map((a) => a.username),
+        weight: weightW?.weight ?? null,
+        parent: hierarchyW?.parent || null,
+        healthStatus: healthStatusW?.healthStatus || null,
+        startDate: datesW?.startDate || null,
+        dueDate: datesW?.dueDate || null,
+        milestone: milestoneW?.milestone || null,
+        children_added: options.children_to_add?.length || 0,
+        children_removed: options.children_to_remove?.length || 0,
+        linked_items_added: options.linked_items_to_add?.length || 0,
+        linked_items_removed: options.linked_items_to_remove?.length || 0,
+        ...(options.severity !== undefined && { severity: options.severity }),
+        ...(options.escalation_status !== undefined && { escalation_status: options.escalation_status }),
+    };
+}
 /**
  * List all issue links for a specific issue
  * 이슈 관계 목록 조회
@@ -2234,14 +3843,17 @@ async function updateIssueNote(projectId, issueIid, discussionId, noteId, body,
  * Create a note in an issue discussion
  * @param {string} projectId - The ID or URL-encoded path of the project
  * @param {number} issueIid - The IID of an issue
- * @param {string} discussionId - The ID of a thread
+ * @param {string} [discussionId] - The ID of a thread (omit for top-level note)
  * @param {string} body - The content of the new note
  * @param {string} [createdAt] - The creation date of the note (ISO 8601 format)
  * @returns {Promise<GitLabDiscussionNote>} The created note
  */
 async function createIssueNote(projectId, issueIid, discussionId, body, createdAt) {
     projectId = decodeURIComponent(projectId); // Decode project ID
-    const url = new URL(`${getEffectiveApiUrl()}/projects/${encodeURIComponent(getEffectiveProjectId(projectId))}/issues/${issueIid}/discussions/${discussionId}/notes`);
+    const basePath = `${getEffectiveApiUrl()}/projects/${encodeURIComponent(getEffectiveProjectId(projectId))}/issues/${issueIid}`;
+    const url = new URL(discussionId
+        ? `${basePath}/discussions/${discussionId}/notes`
+        : `${basePath}/notes`);
     const payload = { body };
     if (createdAt) {
         payload.created_at = createdAt;
@@ -2550,6 +4162,52 @@ async function searchProjects(query, page = 1, perPage = 20) {
         items: projects,
     });
 }
+/**
+ * Search for code blobs using GitLab Search API
+ * Supports global, project-level, and group-level search
+ */
+async function searchBlobs(params) {
+    let basePath;
+    if (params.project_id) {
+        const decodedProjectId = decodeURIComponent(params.project_id);
+        const projectId = encodeURIComponent(getEffectiveProjectId(decodedProjectId));
+        basePath = `${getEffectiveApiUrl()}/projects/${projectId}/search`;
+    }
+    else if (params.group_id) {
+        const groupId = encodeURIComponent(decodeURIComponent(params.group_id));
+        basePath = `${getEffectiveApiUrl()}/groups/${groupId}/search`;
+    }
+    else {
+        basePath = `${getEffectiveApiUrl()}/search`;
+    }
+    const url = new URL(basePath);
+    url.searchParams.append("scope", "blobs");
+    url.searchParams.append("search", params.search);
+    if (params.ref) {
+        url.searchParams.append("ref", params.ref);
+    }
+    if (params.page) {
+        url.searchParams.append("page", params.page.toString());
+    }
+    if (params.per_page) {
+        url.searchParams.append("per_page", params.per_page.toString());
+    }
+    if (params.filename) {
+        url.searchParams.append("filename", params.filename);
+    }
+    if (params.path) {
+        url.searchParams.append("path", params.path);
+    }
+    if (params.extension) {
+        url.searchParams.append("extension", params.extension);
+    }
+    const response = await fetch(url.toString(), {
+        ...getFetchConfig(),
+    });
+    await handleGitLabError(response);
+    const data = await response.json();
+    return z.array(GitLabSearchBlobResultSchema).parse(data);
+}
 /**
  * Create a new GitLab repository
  * 새 저장소 생성
@@ -2884,6 +4542,99 @@ async function listMergeRequestDiffs(projectId, mergeRequestIid, branchName, pag
     await handleGitLabError(response);
     return await response.json(); // Return full response including commits, diff_refs, changes, etc.
 }
+/**
+ * Returns the list of changed files in a merge request WITHOUT diff content.
+ * Use this as STEP 1 of code review: get file paths, then fetch diffs in batches
+ * with getMergeRequestFileDiff to avoid loading the entire diff payload at once.
+ *
+ * @param {string} projectId - The ID or URL-encoded path of the project
+ * @param {number|string} [mergeRequestIid] - The internal ID of the merge request
+ * @param {string} [branchName] - The name of the source branch (used to resolve MR if iid not provided)
+ * @param {string[]} [excludedFilePatterns] - Regex patterns to exclude files from the result
+ * @returns {Promise<any[]>} Array of changed file metadata (new_path, old_path, new_file, deleted_file, renamed_file)
+ */
+async function listMergeRequestChangedFiles(projectId, mergeRequestIid, branchName, excludedFilePatterns) {
+    projectId = decodeURIComponent(projectId);
+    if (!mergeRequestIid && !branchName) {
+        throw new Error("Either mergeRequestIid or branchName must be provided");
+    }
+    if (branchName && !mergeRequestIid) {
+        const mergeRequest = await getMergeRequest(projectId, undefined, branchName);
+        mergeRequestIid = mergeRequest.iid;
+    }
+    const url = new URL(`${getEffectiveApiUrl()}/projects/${encodeURIComponent(getEffectiveProjectId(projectId))}/merge_requests/${mergeRequestIid}/changes`);
+    const response = await fetch(url.toString(), { ...getFetchConfig() });
+    await handleGitLabError(response);
+    const data = (await response.json());
+    const rawFiles = (data.changes || []).map((f) => ({
+        new_path: f.new_path,
+        old_path: f.old_path,
+        new_file: f.new_file,
+        deleted_file: f.deleted_file,
+        renamed_file: f.renamed_file,
+    }));
+    return filterDiffsByPatterns(rawFiles, excludedFilePatterns);
+}
+/**
+ * Get diffs for specific files from a merge request.
+ * Use this as STEP 2 of code review: pass file paths obtained from
+ * listMergeRequestChangedFiles to fetch their diffs efficiently.
+ *
+ * @param {string} projectId - The ID or URL-encoded path of the project
+ * @param {string[]} filePaths - List of file paths to retrieve diffs for
+ * @param {number|string} [mergeRequestIid] - The internal ID of the merge request
+ * @param {string} [branchName] - The name of the source branch (used to resolve MR if iid not provided)
+ * @param {boolean} [unidiff] - Return diff in unified diff format
+ * @returns {Promise<any[]>} Array of diff objects for each requested file, or error objects for files not found
+ */
+async function getMergeRequestFileDiff(projectId, filePaths, mergeRequestIid, branchName, unidiff) {
+    projectId = decodeURIComponent(projectId);
+    if (!mergeRequestIid && !branchName) {
+        throw new Error("Either mergeRequestIid or branchName must be provided");
+    }
+    if (branchName && !mergeRequestIid) {
+        const mergeRequest = await getMergeRequest(projectId, undefined, branchName);
+        mergeRequestIid = mergeRequest.iid;
+    }
+    // Paginate through /diffs once, collecting all requested files.
+    // More efficient than N separate searches when fetching multiple files.
+    const remaining = new Set(filePaths);
+    const results = [];
+    let page = 1;
+    const perPage = 20;
+    while (remaining.size > 0) {
+        const url = new URL(`${getEffectiveApiUrl()}/projects/${encodeURIComponent(getEffectiveProjectId(projectId))}/merge_requests/${mergeRequestIid}/diffs`);
+        url.searchParams.append("page", page.toString());
+        url.searchParams.append("per_page", perPage.toString());
+        if (unidiff) {
+            url.searchParams.append("unidiff", "true");
+        }
+        const response = await fetch(url.toString(), { ...getFetchConfig() });
+        await handleGitLabError(response);
+        const items = (await response.json());
+        if (!Array.isArray(items) || items.length === 0) {
+            break;
+        }
+        for (const item of items) {
+            if (remaining.has(item.new_path) || remaining.has(item.old_path)) {
+                results.push(item);
+                remaining.delete(item.new_path);
+                remaining.delete(item.old_path);
+            }
+        }
+        if (items.length < perPage) {
+            break;
+        }
+        page++;
+    }
+    for (const notFound of remaining) {
+        results.push({
+            error: `File not found in merge request diffs: ${notFound}`,
+            hint: "Use list_merge_request_changed_files to verify the correct file paths.",
+        });
+    }
+    return results;
+}
 /**
  * Get branch comparison diffs
  *
@@ -3870,6 +5621,84 @@ async function deleteWikiPage(projectId, slug) {
     });
     await handleGitLabError(response);
 }
+/**
+ * List wiki pages in a GitLab group
+ */
+async function listGroupWikiPages(groupId, options = {}) {
+    groupId = decodeURIComponent(groupId); // Decode group ID
+    const url = new URL(`${getEffectiveApiUrl()}/groups/${encodeURIComponent(groupId)}/wikis`);
+    if (options.page)
+        url.searchParams.append("page", options.page.toString());
+    if (options.per_page)
+        url.searchParams.append("per_page", options.per_page.toString());
+    if (options.with_content)
+        url.searchParams.append("with_content", options.with_content.toString());
+    const response = await fetch(url.toString(), {
+        ...getFetchConfig(),
+    });
+    await handleGitLabError(response);
+    const data = await response.json();
+    return GitLabWikiPageSchema.array().parse(data);
+}
+/**
+ * Get a specific group wiki page
+ */
+async function getGroupWikiPage(groupId, slug) {
+    groupId = decodeURIComponent(groupId); // Decode group ID
+    const response = await fetch(`${getEffectiveApiUrl()}/groups/${encodeURIComponent(groupId)}/wikis/${encodeURIComponent(slug)}`, { ...getFetchConfig() });
+    await handleGitLabError(response);
+    const data = await response.json();
+    return GitLabWikiPageSchema.parse(data);
+}
+/**
+ * Create a new group wiki page
+ */
+async function createGroupWikiPage(groupId, title, content, format) {
+    groupId = decodeURIComponent(groupId); // Decode group ID
+    const body = { title, content };
+    if (format)
+        body.format = format;
+    const response = await fetch(`${getEffectiveApiUrl()}/groups/${encodeURIComponent(groupId)}/wikis`, {
+        ...getFetchConfig(),
+        method: "POST",
+        body: JSON.stringify(body),
+    });
+    await handleGitLabError(response);
+    const data = await response.json();
+    return GitLabWikiPageSchema.parse(data);
+}
+/**
+ * Update an existing group wiki page
+ */
+async function updateGroupWikiPage(groupId, slug, title, content, format) {
+    groupId = decodeURIComponent(groupId); // Decode group ID
+    const body = {};
+    if (title)
+        body.title = title;
+    if (content)
+        body.content = content;
+    if (format)
+        body.format = format;
+    const response = await fetch(`${getEffectiveApiUrl()}/groups/${encodeURIComponent(groupId)}/wikis/${encodeURIComponent(slug)}`, {
+        ...getFetchConfig(),
+        method: "PUT",
+        body: JSON.stringify(body),
+    });
+    await handleGitLabError(response);
+    const data = await response.json();
+    return GitLabWikiPageSchema.parse(data);
+}
+/**
+ * Delete a group wiki page
+ */
+async function deleteGroupWikiPage(groupId, slug) {
+    groupId = decodeURIComponent(groupId); // Decode group ID
+    const response = await fetch(`${getEffectiveApiUrl()}/groups/${encodeURIComponent(groupId)}/wikis/${encodeURIComponent(slug)}`, {
+        ...getFetchConfig(),
+        method: "DELETE",
+    });
+    await handleGitLabError(response);
+}
 /**
  * List pipelines in a GitLab project
  *
@@ -5198,6 +7027,51 @@ async function handleToolCall(params) {
                     content: [{ type: "text", text: JSON.stringify(results, null, 2) }],
                 };
             }
+            case "search_code": {
+                const args = SearchCodeSchema.parse(params.arguments);
+                const results = await searchBlobs({
+                    search: args.search,
+                    filename: args.filename,
+                    path: args.path,
+                    extension: args.extension,
+                    page: args.page,
+                    per_page: args.per_page,
+                });
+                return {
+                    content: [{ type: "text", text: JSON.stringify(results, null, 2) }],
+                };
+            }
+            case "search_project_code": {
+                const args = SearchProjectCodeSchema.parse(params.arguments);
+                const results = await searchBlobs({
+                    search: args.search,
+                    project_id: args.project_id,
+                    ref: args.ref,
+                    filename: args.filename,
+                    path: args.path,
+                    extension: args.extension,
+                    page: args.page,
+                    per_page: args.per_page,
+                });
+                return {
+                    content: [{ type: "text", text: JSON.stringify(results, null, 2) }],
+                };
+            }
+            case "search_group_code": {
+                const args = SearchGroupCodeSchema.parse(params.arguments);
+                const results = await searchBlobs({
+                    search: args.search,
+                    group_id: args.group_id,
+                    filename: args.filename,
+                    path: args.path,
+                    extension: args.extension,
+                    page: args.page,
+                    per_page: args.per_page,
+                });
+                return {
+                    content: [{ type: "text", text: JSON.stringify(results, null, 2) }],
+                };
+            }
             case "create_repository": {
                 if (GITLAB_PROJECT_ID) {
                     throw new Error("Direct project ID is set. So fork_repository is not allowed");
@@ -5347,6 +7221,13 @@ async function handleToolCall(params) {
                     content: [{ type: "text", text: JSON.stringify(filteredDiffs, null, 2) }],
                 };
             }
+            case "list_merge_request_changed_files": {
+                const args = ListMergeRequestChangedFilesSchema.parse(params.arguments);
+                const files = await listMergeRequestChangedFiles(args.project_id, args.merge_request_iid, args.source_branch, args.excluded_file_patterns);
+                return {
+                    content: [{ type: "text", text: JSON.stringify(files, null, 2) }],
+                };
+            }
             case "list_merge_request_diffs": {
                 const args = ListMergeRequestDiffsSchema.parse(params.arguments);
                 const changes = await listMergeRequestDiffs(args.project_id, args.merge_request_iid, args.source_branch, args.page, args.per_page, args.unidiff);
@@ -5354,6 +7235,13 @@ async function handleToolCall(params) {
                     content: [{ type: "text", text: JSON.stringify(changes, null, 2) }],
                 };
             }
+            case "get_merge_request_file_diff": {
+                const args = GetMergeRequestFileDiffSchema.parse(params.arguments);
+                const fileDiff = await getMergeRequestFileDiff(args.project_id, args.file_paths, args.merge_request_iid, args.source_branch, args.unidiff);
+                return {
+                    content: [{ type: "text", text: JSON.stringify(fileDiff, null, 2) }],
+                };
+            }
             case "list_merge_request_versions": {
                 const args = ListMergeRequestVersionsSchema.parse(params.arguments);
                 const versions = await listMergeRequestVersions(args.project_id, args.merge_request_iid);
@@ -5680,6 +7568,93 @@ async function handleToolCall(params) {
                     ],
                 };
             }
+            case "get_work_item": {
+                const args = GetWorkItemSchema.parse(params.arguments);
+                const result = await getWorkItem(args.project_id, args.iid);
+                return {
+                    content: [{ type: "text", text: JSON.stringify(result, null, 2) }],
+                };
+            }
+            case "list_work_items": {
+                const args = ListWorkItemsSchema.parse(params.arguments);
+                const { project_id, ...options } = args;
+                const result = await listWorkItems(project_id, options);
+                return {
+                    content: [{ type: "text", text: JSON.stringify(result, null, 2) }],
+                };
+            }
+            case "create_work_item": {
+                const args = CreateWorkItemSchema.parse(params.arguments);
+                const { project_id, ...options } = args;
+                const result = await createWorkItem(project_id, options);
+                return {
+                    content: [{ type: "text", text: JSON.stringify(result, null, 2) }],
+                };
+            }
+            case "update_work_item": {
+                const args = UpdateWorkItemSchema.parse(params.arguments);
+                const { project_id, iid, ...options } = args;
+                const result = await updateWorkItem(project_id, iid, options);
+                return {
+                    content: [{ type: "text", text: JSON.stringify(result, null, 2) }],
+                };
+            }
+            case "convert_work_item_type": {
+                const args = ConvertWorkItemTypeSchema.parse(params.arguments);
+                const result = await convertIssueType(args.project_id, args.iid, args.new_type);
+                return {
+                    content: [{ type: "text", text: JSON.stringify(result, null, 2) }],
+                };
+            }
+            case "list_work_item_statuses": {
+                const args = ListWorkItemStatusesSchema.parse(params.arguments);
+                const result = await listIssueStatuses(args.project_id, args.work_item_type);
+                return {
+                    content: [{ type: "text", text: JSON.stringify(result, null, 2) }],
+                };
+            }
+            case "list_custom_field_definitions": {
+                const args = ListCustomFieldDefinitionsSchema.parse(params.arguments);
+                const result = await listCustomFieldDefinitions(args.project_id, args.work_item_type);
+                return {
+                    content: [{ type: "text", text: JSON.stringify(result, null, 2) }],
+                };
+            }
+            case "move_work_item": {
+                const args = MoveWorkItemSchema.parse(params.arguments);
+                const result = await moveWorkItem(args.project_id, args.iid, args.target_project_id);
+                return {
+                    content: [{ type: "text", text: JSON.stringify(result, null, 2) }],
+                };
+            }
+            case "list_work_item_notes": {
+                const args = ListWorkItemNotesSchema.parse(params.arguments);
+                const result = await listWorkItemNotes(args.project_id, args.iid, args);
+                return {
+                    content: [{ type: "text", text: JSON.stringify(result, null, 2) }],
+                };
+            }
+            case "create_work_item_note": {
+                const args = CreateWorkItemNoteSchema.parse(params.arguments);
+                const result = await createWorkItemNote(args.project_id, args.iid, args.body, args);
+                return {
+                    content: [{ type: "text", text: JSON.stringify(result, null, 2) }],
+                };
+            }
+            case "get_timeline_events": {
+                const args = GetTimelineEventsSchema.parse(params.arguments);
+                const result = await getTimelineEvents(args.project_id, args.incident_iid);
+                return {
+                    content: [{ type: "text", text: JSON.stringify(result, null, 2) }],
+                };
+            }
+            case "create_timeline_event": {
+                const args = CreateTimelineEventSchema.parse(params.arguments);
+                const result = await createTimelineEvent(args.project_id, args.incident_iid, args.note, args.occurred_at, args.tag_names);
+                return {
+                    content: [{ type: "text", text: JSON.stringify(result, null, 2) }],
+                };
+            }
             case "list_labels": {
                 const args = ListLabelsSchema.parse(params.arguments);
                 const labels = await listLabels(args.project_id, args);
@@ -5775,6 +7750,53 @@ async function handleToolCall(params) {
                     ],
                 };
             }
+            case "list_group_wiki_pages": {
+                const { group_id, page, per_page, with_content } = ListGroupWikiPagesSchema.parse(params.arguments);
+                const wikiPages = await listGroupWikiPages(group_id, {
+                    page,
+                    per_page,
+                    with_content,
+                });
+                return {
+                    content: [{ type: "text", text: JSON.stringify(wikiPages, null, 2) }],
+                };
+            }
+            case "get_group_wiki_page": {
+                const { group_id, slug } = GetGroupWikiPageSchema.parse(params.arguments);
+                const wikiPage = await getGroupWikiPage(group_id, slug);
+                return {
+                    content: [{ type: "text", text: JSON.stringify(wikiPage, null, 2) }],
+                };
+            }
+            case "create_group_wiki_page": {
+                const { group_id, title, content, format } = CreateGroupWikiPageSchema.parse(params.arguments);
+                const wikiPage = await createGroupWikiPage(group_id, title, content, format);
+                return {
+                    content: [{ type: "text", text: JSON.stringify(wikiPage, null, 2) }],
+                };
+            }
+            case "update_group_wiki_page": {
+                const { group_id, slug, title, content, format } = UpdateGroupWikiPageSchema.parse(params.arguments);
+                const wikiPage = await updateGroupWikiPage(group_id, slug, title, content, format);
+                return {
+                    content: [{ type: "text", text: JSON.stringify(wikiPage, null, 2) }],
+                };
+            }
+            case "delete_group_wiki_page": {
+                const { group_id, slug } = DeleteGroupWikiPageSchema.parse(params.arguments);
+                await deleteGroupWikiPage(group_id, slug);
+                return {
+                    content: [
+                        {
+                            type: "text",
+                            text: JSON.stringify({
+                                status: "success",
+                                message: "Group wiki page deleted successfully",
+                            }, null, 2),
+                        },
+                    ],
+                };
+            }
             case "get_repository_tree": {
                 const args = GetRepositoryTreeSchema.parse(params.arguments);
                 const tree = await getRepositoryTree(args);
@@ -5989,8 +8011,20 @@ async function handleToolCall(params) {
                 };
             }
             case "list_merge_requests": {
-                const args = ListMergeRequestsSchema.parse(params.arguments);
-                const mergeRequests = await listMergeRequests(args.project_id, args);
+                const { project_id, ...options } = ListMergeRequestsSchema.parse(params.arguments);
+                // GitLab API treats _id and _username as mutually exclusive for these fields.
+                // When both are provided, prefer _username and remove _id to avoid 400 errors.
+                const cleanedOptions = { ...options };
+                if (cleanedOptions.author_id && cleanedOptions.author_username) {
+                    delete cleanedOptions.author_id;
+                }
+                if (cleanedOptions.assignee_id && cleanedOptions.assignee_username) {
+                    delete cleanedOptions.assignee_id;
+                }
+                if (cleanedOptions.reviewer_id && cleanedOptions.reviewer_username) {
+                    delete cleanedOptions.reviewer_id;
+                }
+                const mergeRequests = await listMergeRequests(project_id, cleanedOptions);
                 return {
                     content: [{ type: "text", text: JSON.stringify(mergeRequests, null, 2) }],
                 };
@@ -6440,10 +8474,19 @@ async function startStreamableHTTPServer() {
         session.count++;
         return true;
     };
+    /**
+     * Check whether the request carries a raw header auth token (Private-Token or JOB-TOKEN).
+     * Used to decide whether to bypass OAuth validation.
+     */
+    const hasHeaderAuth = (req) => {
+        return !!(req.headers["private-token"] ||
+            req.headers["job-token"]);
+    };
     /**
      * Parse authentication from request headers
      * Returns null if no auth found or invalid format
-     * Supports: JOB-TOKEN header, Private-Token header, Authorization Bearer header
+     * Supports: Private-Token header, JOB-TOKEN header, Authorization Bearer header
+     * Priority: Private-Token > JOB-TOKEN > Authorization Bearer
      */
     const parseAuthHeaders = (req) => {
         const authHeader = req.headers["authorization"] || "";
@@ -6462,17 +8505,18 @@ async function startStreamableHTTPServer() {
                 return null; // Reject if URL is malformed
             }
         }
-        // Extract token
+        // Extract token — priority: Private-Token > JOB-TOKEN > Authorization Bearer
+        // PATs are preferred over job tokens because they carry broader permissions.
         let token = null;
         let header = null;
-        if (jobToken) {
-            token = jobToken.trim();
-            header = "JOB-TOKEN";
-        }
-        else if (privateToken) {
+        if (privateToken) {
             token = privateToken.trim();
             header = "Private-Token";
         }
+        else if (jobToken) {
+            token = jobToken.trim();
+            header = "JOB-TOKEN";
+        }
         else if (authHeader) {
             // Use \S+ instead of .+ to prevent ReDoS attacks
             // \S+ only matches non-whitespace, so trim() is technically unnecessary,
@@ -6526,13 +8570,68 @@ async function startStreamableHTTPServer() {
     };
     // Configure Express middleware
     app.use(express.json());
+    // MCP OAuth — mount auth router and prepare bearer-auth middleware
+    if (GITLAB_MCP_OAUTH) {
+        // Trust first proxy so express-rate-limit uses X-Forwarded-For for real client IP.
+        // Only enabled in OAuth mode where the server is typically behind a reverse proxy.
+        app.set("trust proxy", 1);
+        const gitlabBaseUrl = GITLAB_API_URL.replace(/\/api\/v4\/?$/, "").replace(/\/$/, "");
+        const issuerUrl = new URL(MCP_SERVER_URL);
+        const oauthProvider = createGitLabOAuthProvider(gitlabBaseUrl, GITLAB_OAUTH_APP_ID, "GitLab MCP Server", GITLAB_READ_ONLY_MODE, GITLAB_OAUTH_SCOPES);
+        // Mounts /.well-known/oauth-authorization-server,
+        //        /.well-known/oauth-protected-resource,
+        //        /authorize, /token, /register, /revoke
+        app.use(mcpAuthRouter({
+            provider: oauthProvider,
+            issuerUrl,
+            baseUrl: issuerUrl,
+            scopesSupported: GITLAB_OAUTH_SCOPES ?? ["api", "read_api", "read_user"],
+            resourceName: "GitLab MCP Server",
+        }));
+        // Expose provider so the /mcp route middleware can reference it
+        app._mcpOAuthProvider = oauthProvider;
+    }
+    // Build bearer-auth middleware — no-op unless GITLAB_MCP_OAUTH is enabled.
+    // Unauthenticated requests receive 401 + WWW-Authenticate header, which is
+    // exactly what Claude.ai needs to trigger the OAuth browser flow.
+    //
+    // Header auth fallback: if Private-Token or JOB-TOKEN headers are present,
+    // OAuth validation is skipped and the raw token is used directly per-session.
+    // Note: Authorization: Bearer is always treated as an OAuth token and goes
+    // through OAuth validation — use Private-Token for PAT-based header auth.
+    const oauthBearerAuth = GITLAB_MCP_OAUTH
+        ? requireBearerAuth({
+            verifier: app._mcpOAuthProvider,
+            requiredScopes: [],
+        })
+        : undefined;
+    const mcpBearerAuth = GITLAB_MCP_OAUTH
+        ? (req, res, next) => {
+            const privateToken = req.headers["private-token"] || "";
+            const jobToken = req.headers["job-token"] || "";
+            if (privateToken || jobToken) {
+                // Validate the raw token before bypassing OAuth
+                const authData = parseAuthHeaders(req);
+                if (authData) {
+                    next();
+                    return;
+                }
+                res.status(401).json({
+                    error: "Invalid Private-Token or JOB-TOKEN header",
+                    message: "The provided token failed validation. Check the token value and format.",
+                });
+                return;
+            }
+            oauthBearerAuth(req, res, next);
+        }
+        : (_req, _res, next) => next();
     // Streamable HTTP endpoint - handles both session creation and message handling
-    app.post("/mcp", async (req, res) => {
+    app.post("/mcp", mcpBearerAuth, async (req, res) => {
         const sessionId = req.headers["mcp-session-id"];
         // Track request
         metrics.requestsProcessed++;
         // Rate limiting check for existing sessions
-        if (REMOTE_AUTHORIZATION && sessionId && !checkRateLimit(sessionId)) {
+        if ((REMOTE_AUTHORIZATION || GITLAB_MCP_OAUTH) && sessionId && !checkRateLimit(sessionId)) {
             metrics.rejectedByRateLimit++;
             res.status(429).json({
                 error: "Rate limit exceeded",
@@ -6557,8 +8656,8 @@ async function startStreamableHTTPServer() {
                 if (!authData) {
                     metrics.authFailures++;
                     res.status(401).json({
-                        error: "Missing Authorization, Private-Token, or JOB-TOKEN header",
-                        message: "Remote authorization is enabled. Please provide Authorization, Private-Token, or JOB-TOKEN header.",
+                        error: "Missing Private-Token, JOB-TOKEN, or Authorization header",
+                        message: "Remote authorization is enabled. Please provide Private-Token, JOB-TOKEN, or Authorization header.",
                     });
                     return;
                 }
@@ -6582,6 +8681,52 @@ async function startStreamableHTTPServer() {
                 // First request without session - will fail in initialization
             }
         }
+        // MCP OAuth mode — either header auth (PAT/job token) or OAuth Bearer token.
+        // Header auth takes precedence: if Private-Token or JOB-TOKEN is present the
+        // OAuth middleware was bypassed and we store the raw token per-session.
+        // Otherwise req.auth is populated by requireBearerAuth; store the OAuth token.
+        if (GITLAB_MCP_OAUTH) {
+            const headerAuthData = hasHeaderAuth(req) ? parseAuthHeaders(req) : null;
+            if (headerAuthData) {
+                if (headerAuthData && sessionId) {
+                    if (!authBySession[sessionId]) {
+                        authBySession[sessionId] = headerAuthData;
+                        logger.info(`Session ${sessionId}: stored ${headerAuthData.header} header (header auth)`);
+                        setAuthTimeout(sessionId);
+                    }
+                    else {
+                        authBySession[sessionId] = {
+                            ...authBySession[sessionId],
+                            header: headerAuthData.header,
+                            token: headerAuthData.token,
+                            lastUsed: Date.now(),
+                        };
+                        setAuthTimeout(sessionId);
+                    }
+                }
+            }
+            else {
+                const authInfo = req.auth;
+                if (authInfo?.token && sessionId) {
+                    if (!authBySession[sessionId]) {
+                        authBySession[sessionId] = {
+                            header: "Authorization",
+                            token: authInfo.token,
+                            lastUsed: Date.now(),
+                            apiUrl: GITLAB_API_URL,
+                        };
+                        logger.info(`Session ${sessionId}: stored OAuth token (client: ${authInfo.clientId})`);
+                        setAuthTimeout(sessionId);
+                    }
+                    else {
+                        // Update token on every request — the client may have refreshed it
+                        authBySession[sessionId].token = authInfo.token;
+                        authBySession[sessionId].lastUsed = Date.now();
+                        setAuthTimeout(sessionId);
+                    }
+                }
+            }
+        }
         // Handle request with proper AsyncLocalStorage context
         const handleRequest = async () => {
             try {
@@ -6609,6 +8754,31 @@ async function startStreamableHTTPServer() {
                                     setAuthTimeout(newSessionId);
                                 }
                             }
+                            // Store OAuth token for newly created session in MCP OAuth mode.
+                            // If Private-Token or JOB-TOKEN headers are present, prefer them.
+                            if (GITLAB_MCP_OAUTH && !authBySession[newSessionId]) {
+                                if (hasHeaderAuth(req)) {
+                                    const authData = parseAuthHeaders(req);
+                                    if (authData) {
+                                        authBySession[newSessionId] = authData;
+                                        logger.info(`Session ${newSessionId}: stored ${authData.header} header (header auth)`);
+                                        setAuthTimeout(newSessionId);
+                                    }
+                                }
+                                else {
+                                    const authInfo = req.auth;
+                                    if (authInfo?.token) {
+                                        authBySession[newSessionId] = {
+                                            header: "Authorization",
+                                            token: authInfo.token,
+                                            lastUsed: Date.now(),
+                                            apiUrl: GITLAB_API_URL,
+                                        };
+                                        logger.info(`Session ${newSessionId}: stored OAuth token (client: ${authInfo.clientId})`);
+                                        setAuthTimeout(newSessionId);
+                                    }
+                                }
+                            }
                         },
                     });
                     // Set up cleanup handler when transport closes
@@ -6618,7 +8788,7 @@ async function startStreamableHTTPServer() {
                             logger.warn(`Streamable HTTP transport closed for session ${sid}, cleaning up`);
                             delete streamableTransports[sid];
                             metrics.activeSessions--;
-                            if (REMOTE_AUTHORIZATION) {
+                            if (REMOTE_AUTHORIZATION || GITLAB_MCP_OAUTH) {
                                 cleanupSessionAuth(sid);
                                 delete sessionRequestCounts[sid];
                                 logger.info(`Session ${sid}: cleaned up auth mapping`);
@@ -6641,8 +8811,8 @@ async function startStreamableHTTPServer() {
                 });
             }
         };
-        // Execute with auth context in remote mode
-        if (REMOTE_AUTHORIZATION && sessionId && authBySession[sessionId]) {
+        // Execute with auth context in remote mode (REMOTE_AUTHORIZATION or GITLAB_MCP_OAUTH)
+        if ((REMOTE_AUTHORIZATION || GITLAB_MCP_OAUTH) && sessionId && authBySession[sessionId]) {
             const authData = authBySession[sessionId];
             const ctx = {
                 sessionId,
@@ -6655,7 +8825,7 @@ async function startStreamableHTTPServer() {
             await sessionAuthStore.run(ctx, handleRequest);
         }
         else {
-            // Standard execution (no remote auth or no session yet)
+            // Standard execution (no per-session auth or no session yet)
             await handleRequest();
         }
     });
@@ -6673,6 +8843,7 @@ async function startStreamableHTTPServer() {
             ...metrics,
             activeSessions: Object.keys(streamableTransports).length,
             authenticatedSessions: Object.keys(authBySession).length,
+            gitlabClientPool: clientPool.getStats(),
             uptime: process.uptime(),
             memoryUsage: process.memoryUsage(),
             config: {
@@ -6680,6 +8851,7 @@ async function startStreamableHTTPServer() {
                 maxRequestsPerMinute: MAX_REQUESTS_PER_MINUTE,
                 sessionTimeoutSeconds: SESSION_TIMEOUT_SECONDS,
                 remoteAuthEnabled: REMOTE_AUTHORIZATION,
+                mcpOAuthEnabled: GITLAB_MCP_OAUTH,
             },
         });
     });
@@ -6705,7 +8877,7 @@ async function startStreamableHTTPServer() {
             try {
                 await transport.close();
                 logger.info(`Explicitly closed session via DELETE request: ${sessionId}`);
-                if (REMOTE_AUTHORIZATION) {
+                if (REMOTE_AUTHORIZATION || GITLAB_MCP_OAUTH) {
                     cleanupSessionAuth(sessionId);
                     delete sessionRequestCounts[sessionId];
                     logger.info(`Session ${sessionId}: cleaned up auth mapping on DELETE`);
@@ -6741,7 +8913,7 @@ async function startStreamableHTTPServer() {
                 const transport = streamableTransports[sessionId];
                 if (transport) {
                     await transport.close();
-                    if (REMOTE_AUTHORIZATION) {
+                    if (REMOTE_AUTHORIZATION || GITLAB_MCP_OAUTH) {
                         cleanupSessionAuth(sessionId);
                         delete sessionRequestCounts[sessionId];
                     }