@zereight/mcp-gitlab 2.1.15 → 2.1.17

package/build/test/nullish-tool-arguments-schema.test.js

@@ -0,0 +1,99 @@
+import assert from "node:assert/strict";
+import { describe, test } from "node:test";
+import { CreateDraftNoteSchema, CreateLabelSchema, ExecuteGraphQLSchema, GetBranchDiffsSchema, UpdateMergeRequestDiscussionNoteSchema, } from "../schemas.js";
+import { sanitizeToolArguments } from "../utils/tool-args.js";
+const PROJECT_ID = "group/project";
+const MERGE_REQUEST_IID = "1";
+function parseAfterSanitize(toolName, raw, parse) {
+    return parse(sanitizeToolArguments(toolName, raw));
+}
+describe("When validating tool arguments after sanitization", () => {
+    describe("with create_draft_note", () => {
+        test("should accept position with null SHAs after sanitize and schema preprocess", () => {
+            const parsed = parseAfterSanitize("create_draft_note", {
+                project_id: PROJECT_ID,
+                merge_request_iid: MERGE_REQUEST_IID,
+                body: "Test note",
+                position: {
+                    base_sha: null,
+                    head_sha: null,
+                    start_sha: null,
+                    position_type: "text",
+                },
+            }, value => CreateDraftNoteSchema.parse(value));
+            assert.equal(parsed.position, undefined);
+        });
+        test("should accept position with nullable old_line after sanitize", () => {
+            const parsed = parseAfterSanitize("create_draft_note", {
+                project_id: PROJECT_ID,
+                merge_request_iid: MERGE_REQUEST_IID,
+                body: "Test note",
+                position: {
+                    base_sha: "base",
+                    head_sha: "head",
+                    start_sha: "start",
+                    position_type: "text",
+                    new_path: "file.ts",
+                    old_line: null,
+                    new_line: 10,
+                },
+            }, value => CreateDraftNoteSchema.parse(value));
+            assert.equal(parsed.position?.old_line, null);
+            assert.equal(parsed.position?.new_line, 10);
+        });
+    });
+    describe("with update_merge_request_discussion_note", () => {
+        test("should accept body plus resolved null after sanitize", () => {
+            const parsed = parseAfterSanitize("update_merge_request_discussion_note", {
+                project_id: PROJECT_ID,
+                merge_request_iid: MERGE_REQUEST_IID,
+                discussion_id: "d1",
+                note_id: "n1",
+                body: "updated",
+                resolved: null,
+            }, value => UpdateMergeRequestDiscussionNoteSchema.parse(value));
+            assert.equal(parsed.body, "updated");
+            assert.equal(parsed.resolved, undefined);
+        });
+        test("should reject when only resolved null remains after sanitize", () => {
+            assert.throws(() => parseAfterSanitize("update_merge_request_discussion_note", {
+                project_id: PROJECT_ID,
+                merge_request_iid: MERGE_REQUEST_IID,
+                discussion_id: "d1",
+                note_id: "n1",
+                resolved: null,
+            }, value => UpdateMergeRequestDiscussionNoteSchema.parse(value)), /At least one of 'body' or 'resolved'/);
+        });
+    });
+    describe("with get_branch_diffs", () => {
+        test("should ignore unknown commit null field from older clients", () => {
+            const parsed = parseAfterSanitize("get_branch_diffs", {
+                project_id: PROJECT_ID,
+                from: "main",
+                to: "dev",
+                commit: null,
+            }, value => GetBranchDiffsSchema.parse(value));
+            assert.equal(Object.hasOwn(parsed, "commit"), false);
+        });
+    });
+    describe("with execute_graphql", () => {
+        test("should preserve explicit null variable values after sanitize", () => {
+            const parsed = parseAfterSanitize("execute_graphql", {
+                query: "mutation($id: ID) { updateProject(input: { id: $id }) { project { id } } }",
+                variables: { id: null },
+            }, value => ExecuteGraphQLSchema.parse(value));
+            assert.equal(parsed.variables?.id, null);
+        });
+    });
+    describe("with create_label", () => {
+        test("should preserve explicit null priority after sanitize", () => {
+            const parsed = parseAfterSanitize("create_label", {
+                project_id: PROJECT_ID,
+                name: "priority-null",
+                color: "#112233",
+                priority: null,
+            }, value => CreateLabelSchema.parse(value));
+            assert.equal(parsed.priority, null);
+        });
+    });
+});

package/build/test/schema-tests.js

@@ -723,6 +723,54 @@ function runGitLabMergeRequestSchemaTests() {
             },
             validate: (data) => data.milestone === undefined,
         },
+        {
+            name: 'schema:gitlab_merge_request:labels-string-array',
+            input: {
+                ...baseMergeRequest,
+                labels: ['bug', 'enhancement'],
+            },
+            validate: (data) => Array.isArray(data.labels) &&
+                data.labels.length === 2 &&
+                data.labels[0] === 'bug' &&
+                data.labels[1] === 'enhancement',
+        },
+        {
+            name: 'schema:gitlab_merge_request:labels-object-array',
+            input: {
+                ...baseMergeRequest,
+                labels: [
+                    {
+                        id: 1,
+                        name: 'bug',
+                        color: '#ff0000',
+                        text_color: '#ffffff',
+                        description: null,
+                        description_html: null,
+                    },
+                    {
+                        id: 2,
+                        name: 'enhancement',
+                        color: '#00ff00',
+                        text_color: '#000000',
+                        description: 'Improvements',
+                        description_html: '<p>Improvements</p>',
+                    },
+                ],
+            },
+            validate: (data) => Array.isArray(data.labels) &&
+                data.labels.length === 2 &&
+                data.labels[0].name === 'bug' &&
+                data.labels[0].id === '1' &&
+                data.labels[1].name === 'enhancement' &&
+                data.labels[1].id === '2',
+        },
+        {
+            name: 'schema:gitlab_merge_request:labels-omitted',
+            input: {
+                ...baseMergeRequest,
+            },
+            validate: (data) => data.labels === undefined,
+        },
     ];
     let passed = 0;
     let failed = 0;
@@ -955,6 +1003,71 @@ function runLabelsCoercionSchemaTests() {
     console.log(`\nResults: ${passed} passed, ${failed} failed`);
     return { passed, failed };
 }
+function runApprovedByUsernamesSchemaTests() {
+    console.log('\n=== ListMergeRequestsSchema approved_by_usernames Tests ===');
+    const cases = [
+        {
+            name: 'schema:list_merge_requests:approved_by_usernames-native-array',
+            input: { approved_by_usernames: ['alice', 'bob'] },
+            expected: ['alice', 'bob'],
+        },
+        {
+            name: 'schema:list_merge_requests:approved_by_usernames-stringified-array',
+            input: { approved_by_usernames: '["alice","bob"]' },
+            expected: ['alice', 'bob'],
+        },
+        {
+            name: 'schema:list_merge_requests:approved_by_usernames-omitted',
+            input: {},
+            expected: undefined,
+        },
+    ];
+    let passed = 0;
+    let failed = 0;
+    cases.forEach(testCase => {
+        const result = { name: testCase.name, status: 'failed' };
+        const parsed = ListMergeRequestsSchema.safeParse(testCase.input);
+        if (testCase.shouldFail) {
+            if (parsed.success) {
+                result.error = 'Expected schema validation to fail';
+            }
+            else {
+                result.status = 'passed';
+            }
+        }
+        else if (!parsed.success) {
+            result.error = parsed.error?.message || 'Schema validation failed';
+        }
+        else {
+            const actual = parsed.data['approved_by_usernames'];
+            if (testCase.expected === undefined) {
+                result.status = actual === undefined ? 'passed' : 'failed';
+                if (actual !== undefined) {
+                    result.error = `Expected approved_by_usernames to be undefined, got ${JSON.stringify(actual)}`;
+                }
+            }
+            else {
+                const match = Array.isArray(actual) &&
+                    actual.length === testCase.expected.length &&
+                    testCase.expected.every((v, i) => actual[i] === v);
+                result.status = match ? 'passed' : 'failed';
+                if (!match) {
+                    result.error = `Expected ${JSON.stringify(testCase.expected)}, got ${JSON.stringify(actual)}`;
+                }
+            }
+        }
+        if (result.status === 'passed') {
+            passed++;
+            console.log(`✅ ${result.name}`);
+        }
+        else {
+            failed++;
+            console.log(`❌ ${result.name}: ${result.error}`);
+        }
+    });
+    console.log(`\nResults: ${passed} passed, ${failed} failed`);
+    return { passed, failed };
+}
 function runListLabelsSchemaTests() {
     console.log('\n=== List Labels Schema Tests ===');
     const cases = [
@@ -1284,13 +1397,14 @@ if (import.meta.url === `file://${process.argv[1]}`) {
     const emojiReactionResult = runEmojiReactionSchemaTests();
     const repositorySchemaResult = runGitLabRepositorySchemaTests();
     const labelsCoercionResult = runLabelsCoercionSchemaTests();
+    const approvedByUsernamesResult = runApprovedByUsernamesSchemaTests();
     const listLabelsResult = runListLabelsSchemaTests();
     const treeItemResult = runGitLabTreeItemSchemaTests();
     const repositoryTreeResult = runGetRepositoryTreeSchemaTests();
     const gitLabUserFullResult = runGitLabUserFullSchemaTests();
     const gitLabMarkdownUploadResult = runGitLabMarkdownUploadSchemaTests();
-    const totalPassed = getFileContentsResult.passed + fileContentResult.passed + createPipelineResult.passed + commitStatusResult.passed + createIssueNoteResult.passed + getMergeRequestResult.passed + listMergeRequestPipelinesResult.passed + gitLabMergeRequestResult.passed + emojiReactionResult.passed + repositorySchemaResult.passed + labelsCoercionResult.passed + listLabelsResult.passed + treeItemResult.passed + repositoryTreeResult.passed + gitLabUserFullResult.passed + gitLabMarkdownUploadResult.passed;
-    const totalFailed = getFileContentsResult.failed + fileContentResult.failed + createPipelineResult.failed + commitStatusResult.failed + createIssueNoteResult.failed + getMergeRequestResult.failed + listMergeRequestPipelinesResult.failed + gitLabMergeRequestResult.failed + emojiReactionResult.failed + repositorySchemaResult.failed + labelsCoercionResult.failed + listLabelsResult.failed + treeItemResult.failed + repositoryTreeResult.failed + gitLabUserFullResult.failed + gitLabMarkdownUploadResult.failed;
+    const totalPassed = getFileContentsResult.passed + fileContentResult.passed + createPipelineResult.passed + commitStatusResult.passed + createIssueNoteResult.passed + getMergeRequestResult.passed + listMergeRequestPipelinesResult.passed + gitLabMergeRequestResult.passed + emojiReactionResult.passed + repositorySchemaResult.passed + labelsCoercionResult.passed + approvedByUsernamesResult.passed + listLabelsResult.passed + treeItemResult.passed + repositoryTreeResult.passed + gitLabUserFullResult.passed + gitLabMarkdownUploadResult.passed;
+    const totalFailed = getFileContentsResult.failed + fileContentResult.failed + createPipelineResult.failed + commitStatusResult.failed + createIssueNoteResult.failed + getMergeRequestResult.failed + listMergeRequestPipelinesResult.failed + gitLabMergeRequestResult.failed + emojiReactionResult.failed + repositorySchemaResult.failed + labelsCoercionResult.failed + approvedByUsernamesResult.failed + listLabelsResult.failed + treeItemResult.failed + repositoryTreeResult.failed + gitLabUserFullResult.failed + gitLabMarkdownUploadResult.failed;
     console.log(`\nTotal Results: ${totalPassed} passed, ${totalFailed} failed`);
     if (totalFailed > 0) {
         process.exit(1);

package/build/test/test-ci-variables.js

@@ -0,0 +1,306 @@
+import { describe, test, before, after } from "node:test";
+import assert from "node:assert";
+import { spawn } from "child_process";
+import { MockGitLabServer, findMockServerPort } from "./utils/mock-gitlab-server.js";
+const MOCK_TOKEN = "glpat-mock-token-ci-variables";
+const TEST_PROJECT_ID = "123";
+const TEST_GROUP_ID = "my-group";
+const TEST_VAR_KEY = "DB_URL";
+const TEST_GROUP_VAR_KEY = "SHARED_SECRET";
+const TEST_HIDDEN_VAR_KEY = "HIDDEN_VAR";
+const TEST_SCOPE = "production";
+const MOCK_PROJECT_VARIABLE = {
+    variable_type: "env_var",
+    key: TEST_VAR_KEY,
+    value: "postgres://localhost/db",
+    protected: false,
+    masked: true,
+    raw: false,
+    environment_scope: "*",
+    description: "Database connection URL",
+};
+const MOCK_GROUP_VARIABLE = {
+    variable_type: "env_var",
+    key: TEST_GROUP_VAR_KEY,
+    value: "s3cr3t",
+    protected: false,
+    masked: true,
+    raw: false,
+    environment_scope: "*",
+    description: null,
+};
+const MOCK_HIDDEN_PROJECT_VARIABLE = {
+    ...MOCK_PROJECT_VARIABLE,
+    key: TEST_HIDDEN_VAR_KEY,
+    value: null,
+    hidden: true,
+    description: null,
+};
+async function callTool(toolName, args, env) {
+    return new Promise((resolve, reject) => {
+        const proc = spawn("node", ["build/index.js"], {
+            stdio: ["pipe", "pipe", "pipe"],
+            env: { ...process.env, ...env },
+        });
+        let output = "";
+        let errorOutput = "";
+        proc.stdout?.on("data", (d) => (output += d));
+        proc.stderr?.on("data", (d) => (errorOutput += d));
+        proc.on("close", code => {
+            if (code !== 0) {
+                return reject(new Error(`Process exited with code ${code}: ${errorOutput}`));
+            }
+            const line = output.split("\n").find(l => l.startsWith("{"));
+            if (!line)
+                return reject(new Error("No JSON output found"));
+            try {
+                const response = JSON.parse(line);
+                if (response.error) {
+                    reject(new Error(response.error?.message ?? String(response.error)));
+                }
+                else {
+                    const content = response.result?.content?.[0]?.text;
+                    resolve(content ? JSON.parse(content) : response.result);
+                }
+            }
+            catch (e) {
+                reject(e);
+            }
+        });
+        proc.stdin?.end(JSON.stringify({
+            jsonrpc: "2.0",
+            id: 1,
+            method: "tools/call",
+            params: { name: toolName, arguments: args },
+        }) + "\n");
+    });
+}
+describe("CI/CD variable tools", () => {
+    let mockServer;
+    let mockPort;
+    let baseEnv;
+    let lastReceivedFilterScope;
+    before(async () => {
+        mockPort = await findMockServerPort();
+        mockServer = new MockGitLabServer({ port: mockPort, validTokens: [MOCK_TOKEN] });
+        // --- Project variable endpoints ---
+        mockServer.addMockHandler("get", `/projects/${TEST_PROJECT_ID}/variables`, (_req, res) => {
+            res.json([MOCK_PROJECT_VARIABLE]);
+        });
+        mockServer.addMockHandler("get", `/projects/${TEST_PROJECT_ID}/variables/${TEST_VAR_KEY}`, (req, res) => {
+            const scope = req.query["filter[environment_scope]"];
+            lastReceivedFilterScope = scope;
+            res.json({ ...MOCK_PROJECT_VARIABLE, environment_scope: scope ?? "*" });
+        });
+        mockServer.addMockHandler("get", `/projects/${TEST_PROJECT_ID}/variables/${TEST_HIDDEN_VAR_KEY}`, (_req, res) => {
+            res.json(MOCK_HIDDEN_PROJECT_VARIABLE);
+        });
+        mockServer.addMockHandler("post", `/projects/${TEST_PROJECT_ID}/variables`, (req, res) => {
+            res.status(201).json({ ...MOCK_PROJECT_VARIABLE, ...req.body });
+        });
+        mockServer.addMockHandler("put", `/projects/${TEST_PROJECT_ID}/variables/${TEST_VAR_KEY}`, (req, res) => {
+            const scope = req.query["filter[environment_scope]"];
+            lastReceivedFilterScope = scope;
+            res.json({ ...MOCK_PROJECT_VARIABLE, ...req.body, environment_scope: scope ?? "*" });
+        });
+        mockServer.addMockHandler("delete", `/projects/${TEST_PROJECT_ID}/variables/${TEST_VAR_KEY}`, (req, res) => {
+            lastReceivedFilterScope = req.query["filter[environment_scope]"];
+            res.status(204).send();
+        });
+        // --- Group variable endpoints ---
+        mockServer.addMockHandler("get", `/groups/${TEST_GROUP_ID}/variables`, (_req, res) => {
+            res.json([MOCK_GROUP_VARIABLE]);
+        });
+        mockServer.addMockHandler("get", `/groups/${TEST_GROUP_ID}/variables/${TEST_GROUP_VAR_KEY}`, (_req, res) => {
+            res.json(MOCK_GROUP_VARIABLE);
+        });
+        mockServer.addMockHandler("post", `/groups/${TEST_GROUP_ID}/variables`, (req, res) => {
+            res.status(201).json({ ...MOCK_GROUP_VARIABLE, ...req.body });
+        });
+        mockServer.addMockHandler("put", `/groups/${TEST_GROUP_ID}/variables/${TEST_GROUP_VAR_KEY}`, (req, res) => {
+            res.json({ ...MOCK_GROUP_VARIABLE, ...req.body });
+        });
+        mockServer.addMockHandler("delete", `/groups/${TEST_GROUP_ID}/variables/${TEST_GROUP_VAR_KEY}`, (_req, res) => {
+            res.status(204).send();
+        });
+        await mockServer.start();
+        baseEnv = {
+            GITLAB_PERSONAL_ACCESS_TOKEN: MOCK_TOKEN,
+            GITLAB_API_URL: `http://localhost:${mockPort}/api/v4`,
+            GITLAB_TOOLSETS: "variables",
+        };
+    });
+    after(async () => {
+        await mockServer.stop();
+    });
+    // --- Project variable tests ---
+    test("list_project_variables returns variable array", async () => {
+        const result = await callTool("list_project_variables", { project_id: TEST_PROJECT_ID }, baseEnv);
+        assert.ok(Array.isArray(result));
+        assert.strictEqual(result.length, 1);
+        assert.strictEqual(result[0].key, TEST_VAR_KEY);
+        assert.strictEqual(result[0].value, MOCK_PROJECT_VARIABLE.value);
+        assert.strictEqual(result[0].masked, true);
+    });
+    test("get_project_variable returns single variable", async () => {
+        const result = await callTool("get_project_variable", { project_id: TEST_PROJECT_ID, key: TEST_VAR_KEY }, baseEnv);
+        assert.strictEqual(result.key, TEST_VAR_KEY);
+        assert.strictEqual(result.environment_scope, "*");
+        assert.strictEqual(result.variable_type, "env_var");
+    });
+    test("get_project_variable returns hidden variable with null value", async () => {
+        const result = await callTool("get_project_variable", { project_id: TEST_PROJECT_ID, key: TEST_HIDDEN_VAR_KEY }, baseEnv);
+        assert.strictEqual(result.key, TEST_HIDDEN_VAR_KEY);
+        assert.strictEqual(result.value, null);
+        assert.strictEqual(result.hidden, true);
+    });
+    test("create_project_variable returns created variable", async () => {
+        const result = await callTool("create_project_variable", {
+            project_id: TEST_PROJECT_ID,
+            key: TEST_VAR_KEY,
+            value: "new-value",
+            masked: true,
+        }, baseEnv);
+        assert.strictEqual(result.key, TEST_VAR_KEY);
+        assert.strictEqual(result.value, "new-value");
+    });
+    test("update_project_variable returns updated variable", async () => {
+        const result = await callTool("update_project_variable", {
+            project_id: TEST_PROJECT_ID,
+            key: TEST_VAR_KEY,
+            value: "updated-value",
+        }, baseEnv);
+        assert.strictEqual(result.value, "updated-value");
+    });
+    test("delete_project_variable returns success status", async () => {
+        const result = await callTool("delete_project_variable", { project_id: TEST_PROJECT_ID, key: TEST_VAR_KEY }, baseEnv);
+        assert.strictEqual(result.status, "success");
+        assert.ok(result.message.includes(TEST_VAR_KEY));
+    });
+    // --- Group variable tests ---
+    test("list_group_variables returns variable array", async () => {
+        const result = await callTool("list_group_variables", { group_id: TEST_GROUP_ID }, baseEnv);
+        assert.ok(Array.isArray(result));
+        assert.strictEqual(result.length, 1);
+        assert.strictEqual(result[0].key, TEST_GROUP_VAR_KEY);
+        assert.strictEqual(result[0].masked, true);
+    });
+    test("get_group_variable returns single variable", async () => {
+        const result = await callTool("get_group_variable", { group_id: TEST_GROUP_ID, key: TEST_GROUP_VAR_KEY }, baseEnv);
+        assert.strictEqual(result.key, TEST_GROUP_VAR_KEY);
+        assert.strictEqual(result.variable_type, "env_var");
+    });
+    test("create_group_variable returns created variable", async () => {
+        const result = await callTool("create_group_variable", {
+            group_id: TEST_GROUP_ID,
+            key: TEST_GROUP_VAR_KEY,
+            value: "new-secret",
+            masked: true,
+        }, baseEnv);
+        assert.strictEqual(result.key, TEST_GROUP_VAR_KEY);
+        assert.strictEqual(result.value, "new-secret");
+    });
+    test("update_group_variable returns updated variable", async () => {
+        const result = await callTool("update_group_variable", {
+            group_id: TEST_GROUP_ID,
+            key: TEST_GROUP_VAR_KEY,
+            value: "updated-secret",
+        }, baseEnv);
+        assert.strictEqual(result.value, "updated-secret");
+    });
+    test("delete_group_variable returns success status", async () => {
+        const result = await callTool("delete_group_variable", { group_id: TEST_GROUP_ID, key: TEST_GROUP_VAR_KEY }, baseEnv);
+        assert.strictEqual(result.status, "success");
+        assert.ok(result.message.includes(TEST_GROUP_VAR_KEY));
+    });
+    // --- filter[environment_scope] tests ---
+    test("get_project_variable passes filter[environment_scope] to GitLab", async () => {
+        lastReceivedFilterScope = undefined;
+        const result = await callTool("get_project_variable", { project_id: TEST_PROJECT_ID, key: TEST_VAR_KEY, filter: { environment_scope: TEST_SCOPE } }, baseEnv);
+        assert.strictEqual(lastReceivedFilterScope, TEST_SCOPE);
+        assert.strictEqual(result.environment_scope, TEST_SCOPE);
+    });
+    test("update_project_variable passes filter[environment_scope] to GitLab", async () => {
+        lastReceivedFilterScope = undefined;
+        const result = await callTool("update_project_variable", {
+            project_id: TEST_PROJECT_ID,
+            key: TEST_VAR_KEY,
+            value: "scoped-value",
+            filter: { environment_scope: TEST_SCOPE },
+        }, baseEnv);
+        assert.strictEqual(lastReceivedFilterScope, TEST_SCOPE);
+        assert.strictEqual(result.environment_scope, TEST_SCOPE);
+    });
+    test("delete_project_variable passes filter[environment_scope] to GitLab", async () => {
+        lastReceivedFilterScope = undefined;
+        const result = await callTool("delete_project_variable", { project_id: TEST_PROJECT_ID, key: TEST_VAR_KEY, filter: { environment_scope: TEST_SCOPE } }, baseEnv);
+        assert.strictEqual(lastReceivedFilterScope, TEST_SCOPE);
+        assert.strictEqual(result.status, "success");
+    });
+    // --- Toolset behaviour ---
+    test("variables tools are absent when toolset is not activated", async () => {
+        return new Promise((resolve, reject) => {
+            const proc = spawn("node", ["build/index.js"], {
+                stdio: ["pipe", "pipe", "pipe"],
+                env: {
+                    ...process.env,
+                    GITLAB_PERSONAL_ACCESS_TOKEN: MOCK_TOKEN,
+                    GITLAB_API_URL: `http://localhost:${mockPort}/api/v4`,
+                    // No GITLAB_TOOLSETS — default toolsets only
+                },
+            });
+            let output = "";
+            proc.stdout?.on("data", (d) => (output += d));
+            proc.on("close", () => {
+                try {
+                    const line = output.split("\n").find(l => l.startsWith("{"));
+                    if (!line)
+                        return reject(new Error("No JSON output found"));
+                    const response = JSON.parse(line);
+                    const names = (response.result?.tools ?? []).map((t) => t.name);
+                    assert.ok(!names.includes("list_project_variables"), "tool should not be in default toolset");
+                    assert.ok(!names.includes("create_project_variable"), "tool should not be in default toolset");
+                    assert.ok(!names.includes("list_group_variables"), "tool should not be in default toolset");
+                    resolve();
+                }
+                catch (e) {
+                    reject(e);
+                }
+            });
+            proc.stdin?.end(JSON.stringify({ jsonrpc: "2.0", id: 1, method: "tools/list", params: {} }) + "\n");
+        });
+    });
+    test("write tools are absent from tools/list in read-only mode", async () => {
+        return new Promise((resolve, reject) => {
+            const proc = spawn("node", ["build/index.js"], {
+                stdio: ["pipe", "pipe", "pipe"],
+                env: { ...process.env, ...baseEnv, GITLAB_READ_ONLY_MODE: "true" },
+            });
+            let output = "";
+            proc.stdout?.on("data", (d) => (output += d));
+            proc.on("close", () => {
+                try {
+                    const line = output.split("\n").find(l => l.startsWith("{"));
+                    if (!line)
+                        return reject(new Error("No JSON output found"));
+                    const response = JSON.parse(line);
+                    const names = (response.result?.tools ?? []).map((t) => t.name);
+                    assert.ok(!names.includes("create_project_variable"), "create should be absent in read-only mode");
+                    assert.ok(!names.includes("update_project_variable"), "update should be absent in read-only mode");
+                    assert.ok(!names.includes("delete_project_variable"), "delete should be absent in read-only mode");
+                    assert.ok(!names.includes("create_group_variable"), "create should be absent in read-only mode");
+                    assert.ok(!names.includes("delete_group_variable"), "delete should be absent in read-only mode");
+                    assert.ok(names.includes("list_project_variables"), "list should be present in read-only mode");
+                    assert.ok(names.includes("get_project_variable"), "get should be present in read-only mode");
+                    assert.ok(names.includes("list_group_variables"), "list should be present in read-only mode");
+                    assert.ok(names.includes("get_group_variable"), "get should be present in read-only mode");
+                    resolve();
+                }
+                catch (e) {
+                    reject(e);
+                }
+            });
+            proc.stdin?.end(JSON.stringify({ jsonrpc: "2.0", id: 1, method: "tools/list", params: {} }) + "\n");
+        });
+    });
+});

package/build/test/test-geteffectiveprojectid.js

@@ -271,6 +271,7 @@ describe('getEffectiveProjectId', { concurrency: 1 }, () => {
                     REMOTE_AUTHORIZATION: 'true',
                     GITLAB_API_URL: `${mockGitLabUrl}/api/v4`,
                     GITLAB_PROJECT_ID: DEFAULT_PROJECT_ID,
+                    GITLAB_TOOLSETS: 'variables',
                 }
             });
             servers.push(server);
@@ -317,6 +318,26 @@ describe('getEffectiveProjectId', { concurrency: 1 }, () => {
                 assert.ok(error.message.includes('create_group is not allowed'), 'Should mention create_group');
             }
         });
+        test('should reject list_group_variables when GITLAB_PROJECT_ID is set', async () => {
+            try {
+                await client.callTool('list_group_variables', { group_id: 'my-group' });
+                assert.fail('Should have rejected list_group_variables');
+            }
+            catch (error) {
+                assert.ok(error instanceof Error);
+                assert.ok(error.message.includes('list_group_variables is not allowed'), 'Should mention list_group_variables');
+            }
+        });
+        test('should reject get_group_variable when GITLAB_PROJECT_ID is set', async () => {
+            try {
+                await client.callTool('get_group_variable', { group_id: 'my-group', key: 'SHARED_SECRET' });
+                assert.fail('Should have rejected get_group_variable');
+            }
+            catch (error) {
+                assert.ok(error instanceof Error);
+                assert.ok(error.message.includes('get_group_variable is not allowed'), 'Should mention get_group_variable');
+            }
+        });
         test('should allow get_project (non-mutator) when GITLAB_PROJECT_ID is set', async () => {
             const result = await client.callTool('get_project', { project_id: '' });
             assert.ok(result.content, 'Should have content');
@@ -348,6 +369,7 @@ describe('getEffectiveProjectId', { concurrency: 1 }, () => {
                     REMOTE_AUTHORIZATION: 'true',
                     GITLAB_API_URL: `${mockGitLabUrl}/api/v4`,
                     GITLAB_ALLOWED_PROJECT_IDS: DEFAULT_PROJECT_ID,
+                    GITLAB_TOOLSETS: 'variables',
                 }
             });
             servers.push(server);
@@ -394,6 +416,26 @@ describe('getEffectiveProjectId', { concurrency: 1 }, () => {
                 assert.ok(error.message.includes('create_group is not allowed'), 'Should mention create_group');
             }
         });
+        test('should reject list_group_variables with GITLAB_ALLOWED_PROJECT_IDS', async () => {
+            try {
+                await client.callTool('list_group_variables', { group_id: 'my-group' });
+                assert.fail('Should have rejected list_group_variables');
+            }
+            catch (error) {
+                assert.ok(error instanceof Error);
+                assert.ok(error.message.includes('list_group_variables is not allowed'), 'Should mention list_group_variables');
+            }
+        });
+        test('should reject get_group_variable with GITLAB_ALLOWED_PROJECT_IDS', async () => {
+            try {
+                await client.callTool('get_group_variable', { group_id: 'my-group', key: 'SHARED_SECRET' });
+                assert.fail('Should have rejected get_group_variable');
+            }
+            catch (error) {
+                assert.ok(error instanceof Error);
+                assert.ok(error.message.includes('get_group_variable is not allowed'), 'Should mention get_group_variable');
+            }
+        });
         test('should allow get_project (non-mutator) with GITLAB_ALLOWED_PROJECT_IDS', async () => {
             const result = await client.callTool('get_project', { project_id: '' });
             assert.ok(result.content, 'Should have content');

package/build/test/test-list-merge-requests.js

@@ -103,4 +103,23 @@ describe('list_merge_requests', () => {
         assert.ok(Array.isArray(mrs), 'Response should be an array');
         assert.strictEqual(mrs.length, 2, 'Should return 2 mock MRs');
     });
+    test('forwards approved_by_usernames in bracket-array form', async () => {
+        let capturedUrl;
+        mockGitLab.addMockHandler('get', '/merge_requests', (req, res) => {
+            capturedUrl = req.originalUrl;
+            res.json([]);
+        });
+        try {
+            await callListMergeRequests({ approved_by_usernames: ['alice', 'bob'] }, {
+                GITLAB_API_URL: `${mockGitLabUrl}/api/v4`,
+                GITLAB_PERSONAL_ACCESS_TOKEN: MOCK_TOKEN,
+            });
+            assert.ok(capturedUrl, 'Mock handler should have received a request');
+            assert.match(capturedUrl, /approved_by_usernames%5B%5D=alice/, 'Request URL should contain approved_by_usernames[]=alice (URL-encoded)');
+            assert.match(capturedUrl, /approved_by_usernames%5B%5D=bob/, 'Request URL should contain approved_by_usernames[]=bob (URL-encoded)');
+        }
+        finally {
+            mockGitLab.clearCustomHandlers();
+        }
+    });
 });

package/build/test/test-toolset-filtering.js

@@ -33,6 +33,7 @@ const TOOLSET_TOOL_COUNTS = {
     workitems: 18,
     webhooks: 3,
     groups: 1,
+    variables: 10,
 };
 const LEGACY_PIPELINE_TOOL_COUNT = TOOLSET_TOOL_COUNTS.pipelines + TOOLSET_TOOL_COUNTS.ci;
 const DEFAULT_TOOLSETS = [
@@ -55,6 +56,7 @@ const NON_DEFAULT_TOOLSETS = [
     "workitems",
     "webhooks",
     "search",
+    "variables",
 ];
 // discover_tools meta-tool is always force-injected (Step 5.5)
 const DISCOVER_TOOLS_COUNT = 1;
@@ -78,6 +80,7 @@ const TOOLSET_SAMPLE_TOOLS = {
     search: ["search_code", "search_project_code", "search_group_code"],
     webhooks: ["list_webhooks", "list_webhook_events", "get_webhook_event"],
     groups: ["create_group"],
+    variables: ["list_project_variables", "create_project_variable", "delete_project_variable", "list_group_variables", "create_group_variable", "delete_group_variable"],
 };
 // --- Helpers ---
 async function launchMcpServer(mockGitLabUrl, mcpPort, extraEnv = {}) {