@zereight/mcp-gitlab 2.1.16 → 2.1.18

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (10) hide show
  1. package/README.md +14 -0
  2. package/build/index.js +348 -21
  3. package/build/schemas.js +178 -16
  4. package/build/test/schema-tests.js +105 -3
  5. package/build/test/test-ci-variables.js +306 -0
  6. package/build/test/test-dependency-proxy.js +191 -0
  7. package/build/test/test-geteffectiveprojectid.js +102 -0
  8. package/build/test/test-toolset-filtering.js +6 -0
  9. package/build/tools/registry.js +108 -2
  10. package/package.json +2 -2
package/build/test/test-ci-variables.js ADDED
@@ -0,0 +1,306 @@
1
+ import { describe, test, before, after } from "node:test";
2
+ import assert from "node:assert";
3
+ import { spawn } from "child_process";
4
+ import { MockGitLabServer, findMockServerPort } from "./utils/mock-gitlab-server.js";
5
+ const MOCK_TOKEN = "glpat-mock-token-ci-variables";
6
+ const TEST_PROJECT_ID = "123";
7
+ const TEST_GROUP_ID = "my-group";
8
+ const TEST_VAR_KEY = "DB_URL";
9
+ const TEST_GROUP_VAR_KEY = "SHARED_SECRET";
10
+ const TEST_HIDDEN_VAR_KEY = "HIDDEN_VAR";
11
+ const TEST_SCOPE = "production";
12
+ const MOCK_PROJECT_VARIABLE = {
13
+ variable_type: "env_var",
14
+ key: TEST_VAR_KEY,
15
+ value: "postgres://localhost/db",
16
+ protected: false,
17
+ masked: true,
18
+ raw: false,
19
+ environment_scope: "*",
20
+ description: "Database connection URL",
21
+ };
22
+ const MOCK_GROUP_VARIABLE = {
23
+ variable_type: "env_var",
24
+ key: TEST_GROUP_VAR_KEY,
25
+ value: "s3cr3t",
26
+ protected: false,
27
+ masked: true,
28
+ raw: false,
29
+ environment_scope: "*",
30
+ description: null,
31
+ };
32
+ const MOCK_HIDDEN_PROJECT_VARIABLE = {
33
+ ...MOCK_PROJECT_VARIABLE,
34
+ key: TEST_HIDDEN_VAR_KEY,
35
+ value: null,
36
+ hidden: true,
37
+ description: null,
38
+ };
39
+ async function callTool(toolName, args, env) {
40
+ return new Promise((resolve, reject) => {
41
+ const proc = spawn("node", ["build/index.js"], {
42
+ stdio: ["pipe", "pipe", "pipe"],
43
+ env: { ...process.env, ...env },
44
+ });
45
+ let output = "";
46
+ let errorOutput = "";
47
+ proc.stdout?.on("data", (d) => (output += d));
48
+ proc.stderr?.on("data", (d) => (errorOutput += d));
49
+ proc.on("close", code => {
50
+ if (code !== 0) {
51
+ return reject(new Error(`Process exited with code ${code}: ${errorOutput}`));
52
+ }
53
+ const line = output.split("\n").find(l => l.startsWith("{"));
54
+ if (!line)
55
+ return reject(new Error("No JSON output found"));
56
+ try {
57
+ const response = JSON.parse(line);
58
+ if (response.error) {
59
+ reject(new Error(response.error?.message ?? String(response.error)));
60
+ }
61
+ else {
62
+ const content = response.result?.content?.[0]?.text;
63
+ resolve(content ? JSON.parse(content) : response.result);
64
+ }
65
+ }
66
+ catch (e) {
67
+ reject(e);
68
+ }
69
+ });
70
+ proc.stdin?.end(JSON.stringify({
71
+ jsonrpc: "2.0",
72
+ id: 1,
73
+ method: "tools/call",
74
+ params: { name: toolName, arguments: args },
75
+ }) + "\n");
76
+ });
77
+ }
78
+ describe("CI/CD variable tools", () => {
79
+ let mockServer;
80
+ let mockPort;
81
+ let baseEnv;
82
+ let lastReceivedFilterScope;
83
+ before(async () => {
84
+ mockPort = await findMockServerPort();
85
+ mockServer = new MockGitLabServer({ port: mockPort, validTokens: [MOCK_TOKEN] });
86
+ // --- Project variable endpoints ---
87
+ mockServer.addMockHandler("get", `/projects/${TEST_PROJECT_ID}/variables`, (_req, res) => {
88
+ res.json([MOCK_PROJECT_VARIABLE]);
89
+ });
90
+ mockServer.addMockHandler("get", `/projects/${TEST_PROJECT_ID}/variables/${TEST_VAR_KEY}`, (req, res) => {
91
+ const scope = req.query["filter[environment_scope]"];
92
+ lastReceivedFilterScope = scope;
93
+ res.json({ ...MOCK_PROJECT_VARIABLE, environment_scope: scope ?? "*" });
94
+ });
95
+ mockServer.addMockHandler("get", `/projects/${TEST_PROJECT_ID}/variables/${TEST_HIDDEN_VAR_KEY}`, (_req, res) => {
96
+ res.json(MOCK_HIDDEN_PROJECT_VARIABLE);
97
+ });
98
+ mockServer.addMockHandler("post", `/projects/${TEST_PROJECT_ID}/variables`, (req, res) => {
99
+ res.status(201).json({ ...MOCK_PROJECT_VARIABLE, ...req.body });
100
+ });
101
+ mockServer.addMockHandler("put", `/projects/${TEST_PROJECT_ID}/variables/${TEST_VAR_KEY}`, (req, res) => {
102
+ const scope = req.query["filter[environment_scope]"];
103
+ lastReceivedFilterScope = scope;
104
+ res.json({ ...MOCK_PROJECT_VARIABLE, ...req.body, environment_scope: scope ?? "*" });
105
+ });
106
+ mockServer.addMockHandler("delete", `/projects/${TEST_PROJECT_ID}/variables/${TEST_VAR_KEY}`, (req, res) => {
107
+ lastReceivedFilterScope = req.query["filter[environment_scope]"];
108
+ res.status(204).send();
109
+ });
110
+ // --- Group variable endpoints ---
111
+ mockServer.addMockHandler("get", `/groups/${TEST_GROUP_ID}/variables`, (_req, res) => {
112
+ res.json([MOCK_GROUP_VARIABLE]);
113
+ });
114
+ mockServer.addMockHandler("get", `/groups/${TEST_GROUP_ID}/variables/${TEST_GROUP_VAR_KEY}`, (_req, res) => {
115
+ res.json(MOCK_GROUP_VARIABLE);
116
+ });
117
+ mockServer.addMockHandler("post", `/groups/${TEST_GROUP_ID}/variables`, (req, res) => {
118
+ res.status(201).json({ ...MOCK_GROUP_VARIABLE, ...req.body });
119
+ });
120
+ mockServer.addMockHandler("put", `/groups/${TEST_GROUP_ID}/variables/${TEST_GROUP_VAR_KEY}`, (req, res) => {
121
+ res.json({ ...MOCK_GROUP_VARIABLE, ...req.body });
122
+ });
123
+ mockServer.addMockHandler("delete", `/groups/${TEST_GROUP_ID}/variables/${TEST_GROUP_VAR_KEY}`, (_req, res) => {
124
+ res.status(204).send();
125
+ });
126
+ await mockServer.start();
127
+ baseEnv = {
128
+ GITLAB_PERSONAL_ACCESS_TOKEN: MOCK_TOKEN,
129
+ GITLAB_API_URL: `http://localhost:${mockPort}/api/v4`,
130
+ GITLAB_TOOLSETS: "variables",
131
+ };
132
+ });
133
+ after(async () => {
134
+ await mockServer.stop();
135
+ });
136
+ // --- Project variable tests ---
137
+ test("list_project_variables returns variable array", async () => {
138
+ const result = await callTool("list_project_variables", { project_id: TEST_PROJECT_ID }, baseEnv);
139
+ assert.ok(Array.isArray(result));
140
+ assert.strictEqual(result.length, 1);
141
+ assert.strictEqual(result[0].key, TEST_VAR_KEY);
142
+ assert.strictEqual(result[0].value, MOCK_PROJECT_VARIABLE.value);
143
+ assert.strictEqual(result[0].masked, true);
144
+ });
145
+ test("get_project_variable returns single variable", async () => {
146
+ const result = await callTool("get_project_variable", { project_id: TEST_PROJECT_ID, key: TEST_VAR_KEY }, baseEnv);
147
+ assert.strictEqual(result.key, TEST_VAR_KEY);
148
+ assert.strictEqual(result.environment_scope, "*");
149
+ assert.strictEqual(result.variable_type, "env_var");
150
+ });
151
+ test("get_project_variable returns hidden variable with null value", async () => {
152
+ const result = await callTool("get_project_variable", { project_id: TEST_PROJECT_ID, key: TEST_HIDDEN_VAR_KEY }, baseEnv);
153
+ assert.strictEqual(result.key, TEST_HIDDEN_VAR_KEY);
154
+ assert.strictEqual(result.value, null);
155
+ assert.strictEqual(result.hidden, true);
156
+ });
157
+ test("create_project_variable returns created variable", async () => {
158
+ const result = await callTool("create_project_variable", {
159
+ project_id: TEST_PROJECT_ID,
160
+ key: TEST_VAR_KEY,
161
+ value: "new-value",
162
+ masked: true,
163
+ }, baseEnv);
164
+ assert.strictEqual(result.key, TEST_VAR_KEY);
165
+ assert.strictEqual(result.value, "new-value");
166
+ });
167
+ test("update_project_variable returns updated variable", async () => {
168
+ const result = await callTool("update_project_variable", {
169
+ project_id: TEST_PROJECT_ID,
170
+ key: TEST_VAR_KEY,
171
+ value: "updated-value",
172
+ }, baseEnv);
173
+ assert.strictEqual(result.value, "updated-value");
174
+ });
175
+ test("delete_project_variable returns success status", async () => {
176
+ const result = await callTool("delete_project_variable", { project_id: TEST_PROJECT_ID, key: TEST_VAR_KEY }, baseEnv);
177
+ assert.strictEqual(result.status, "success");
178
+ assert.ok(result.message.includes(TEST_VAR_KEY));
179
+ });
180
+ // --- Group variable tests ---
181
+ test("list_group_variables returns variable array", async () => {
182
+ const result = await callTool("list_group_variables", { group_id: TEST_GROUP_ID }, baseEnv);
183
+ assert.ok(Array.isArray(result));
184
+ assert.strictEqual(result.length, 1);
185
+ assert.strictEqual(result[0].key, TEST_GROUP_VAR_KEY);
186
+ assert.strictEqual(result[0].masked, true);
187
+ });
188
+ test("get_group_variable returns single variable", async () => {
189
+ const result = await callTool("get_group_variable", { group_id: TEST_GROUP_ID, key: TEST_GROUP_VAR_KEY }, baseEnv);
190
+ assert.strictEqual(result.key, TEST_GROUP_VAR_KEY);
191
+ assert.strictEqual(result.variable_type, "env_var");
192
+ });
193
+ test("create_group_variable returns created variable", async () => {
194
+ const result = await callTool("create_group_variable", {
195
+ group_id: TEST_GROUP_ID,
196
+ key: TEST_GROUP_VAR_KEY,
197
+ value: "new-secret",
198
+ masked: true,
199
+ }, baseEnv);
200
+ assert.strictEqual(result.key, TEST_GROUP_VAR_KEY);
201
+ assert.strictEqual(result.value, "new-secret");
202
+ });
203
+ test("update_group_variable returns updated variable", async () => {
204
+ const result = await callTool("update_group_variable", {
205
+ group_id: TEST_GROUP_ID,
206
+ key: TEST_GROUP_VAR_KEY,
207
+ value: "updated-secret",
208
+ }, baseEnv);
209
+ assert.strictEqual(result.value, "updated-secret");
210
+ });
211
+ test("delete_group_variable returns success status", async () => {
212
+ const result = await callTool("delete_group_variable", { group_id: TEST_GROUP_ID, key: TEST_GROUP_VAR_KEY }, baseEnv);
213
+ assert.strictEqual(result.status, "success");
214
+ assert.ok(result.message.includes(TEST_GROUP_VAR_KEY));
215
+ });
216
+ // --- filter[environment_scope] tests ---
217
+ test("get_project_variable passes filter[environment_scope] to GitLab", async () => {
218
+ lastReceivedFilterScope = undefined;
219
+ const result = await callTool("get_project_variable", { project_id: TEST_PROJECT_ID, key: TEST_VAR_KEY, filter: { environment_scope: TEST_SCOPE } }, baseEnv);
220
+ assert.strictEqual(lastReceivedFilterScope, TEST_SCOPE);
221
+ assert.strictEqual(result.environment_scope, TEST_SCOPE);
222
+ });
223
+ test("update_project_variable passes filter[environment_scope] to GitLab", async () => {
224
+ lastReceivedFilterScope = undefined;
225
+ const result = await callTool("update_project_variable", {
226
+ project_id: TEST_PROJECT_ID,
227
+ key: TEST_VAR_KEY,
228
+ value: "scoped-value",
229
+ filter: { environment_scope: TEST_SCOPE },
230
+ }, baseEnv);
231
+ assert.strictEqual(lastReceivedFilterScope, TEST_SCOPE);
232
+ assert.strictEqual(result.environment_scope, TEST_SCOPE);
233
+ });
234
+ test("delete_project_variable passes filter[environment_scope] to GitLab", async () => {
235
+ lastReceivedFilterScope = undefined;
236
+ const result = await callTool("delete_project_variable", { project_id: TEST_PROJECT_ID, key: TEST_VAR_KEY, filter: { environment_scope: TEST_SCOPE } }, baseEnv);
237
+ assert.strictEqual(lastReceivedFilterScope, TEST_SCOPE);
238
+ assert.strictEqual(result.status, "success");
239
+ });
240
+ // --- Toolset behaviour ---
241
+ test("variables tools are absent when toolset is not activated", async () => {
242
+ return new Promise((resolve, reject) => {
243
+ const proc = spawn("node", ["build/index.js"], {
244
+ stdio: ["pipe", "pipe", "pipe"],
245
+ env: {
246
+ ...process.env,
247
+ GITLAB_PERSONAL_ACCESS_TOKEN: MOCK_TOKEN,
248
+ GITLAB_API_URL: `http://localhost:${mockPort}/api/v4`,
249
+ // No GITLAB_TOOLSETS — default toolsets only
250
+ },
251
+ });
252
+ let output = "";
253
+ proc.stdout?.on("data", (d) => (output += d));
254
+ proc.on("close", () => {
255
+ try {
256
+ const line = output.split("\n").find(l => l.startsWith("{"));
257
+ if (!line)
258
+ return reject(new Error("No JSON output found"));
259
+ const response = JSON.parse(line);
260
+ const names = (response.result?.tools ?? []).map((t) => t.name);
261
+ assert.ok(!names.includes("list_project_variables"), "tool should not be in default toolset");
262
+ assert.ok(!names.includes("create_project_variable"), "tool should not be in default toolset");
263
+ assert.ok(!names.includes("list_group_variables"), "tool should not be in default toolset");
264
+ resolve();
265
+ }
266
+ catch (e) {
267
+ reject(e);
268
+ }
269
+ });
270
+ proc.stdin?.end(JSON.stringify({ jsonrpc: "2.0", id: 1, method: "tools/list", params: {} }) + "\n");
271
+ });
272
+ });
273
+ test("write tools are absent from tools/list in read-only mode", async () => {
274
+ return new Promise((resolve, reject) => {
275
+ const proc = spawn("node", ["build/index.js"], {
276
+ stdio: ["pipe", "pipe", "pipe"],
277
+ env: { ...process.env, ...baseEnv, GITLAB_READ_ONLY_MODE: "true" },
278
+ });
279
+ let output = "";
280
+ proc.stdout?.on("data", (d) => (output += d));
281
+ proc.on("close", () => {
282
+ try {
283
+ const line = output.split("\n").find(l => l.startsWith("{"));
284
+ if (!line)
285
+ return reject(new Error("No JSON output found"));
286
+ const response = JSON.parse(line);
287
+ const names = (response.result?.tools ?? []).map((t) => t.name);
288
+ assert.ok(!names.includes("create_project_variable"), "create should be absent in read-only mode");
289
+ assert.ok(!names.includes("update_project_variable"), "update should be absent in read-only mode");
290
+ assert.ok(!names.includes("delete_project_variable"), "delete should be absent in read-only mode");
291
+ assert.ok(!names.includes("create_group_variable"), "create should be absent in read-only mode");
292
+ assert.ok(!names.includes("delete_group_variable"), "delete should be absent in read-only mode");
293
+ assert.ok(names.includes("list_project_variables"), "list should be present in read-only mode");
294
+ assert.ok(names.includes("get_project_variable"), "get should be present in read-only mode");
295
+ assert.ok(names.includes("list_group_variables"), "list should be present in read-only mode");
296
+ assert.ok(names.includes("get_group_variable"), "get should be present in read-only mode");
297
+ resolve();
298
+ }
299
+ catch (e) {
300
+ reject(e);
301
+ }
302
+ });
303
+ proc.stdin?.end(JSON.stringify({ jsonrpc: "2.0", id: 1, method: "tools/list", params: {} }) + "\n");
304
+ });
305
+ });
306
+ });
package/build/test/test-dependency-proxy.js ADDED
@@ -0,0 +1,191 @@
1
+ import { describe, test, before, after } from "node:test";
2
+ import assert from "node:assert";
3
+ import { spawn } from "child_process";
4
+ import { MockGitLabServer, findMockServerPort } from "./utils/mock-gitlab-server.js";
5
+ const MOCK_TOKEN = "glpat-mock-token-dependency-proxy";
6
+ const TEST_GROUP_PATH = "my-group";
7
+ async function callTool(toolName, args, env) {
8
+ return new Promise((resolve, reject) => {
9
+ const proc = spawn("node", ["build/index.js"], {
10
+ stdio: ["pipe", "pipe", "pipe"],
11
+ env: { ...process.env, ...env },
12
+ });
13
+ let output = "";
14
+ let errorOutput = "";
15
+ proc.stdout?.on("data", (d) => (output += d));
16
+ proc.stderr?.on("data", (d) => (errorOutput += d));
17
+ proc.on("close", code => {
18
+ if (code !== 0) {
19
+ return reject(new Error(`Process exited with code ${code}: ${errorOutput}`));
20
+ }
21
+ const line = output.split("\n").find(l => l.startsWith("{"));
22
+ if (!line)
23
+ return reject(new Error("No JSON output found"));
24
+ try {
25
+ const response = JSON.parse(line);
26
+ if (response.error) {
27
+ reject(new Error(response.error?.message ?? String(response.error)));
28
+ }
29
+ else {
30
+ const content = response.result?.content?.[0]?.text;
31
+ resolve(content ? JSON.parse(content) : response.result);
32
+ }
33
+ }
34
+ catch (e) {
35
+ reject(e);
36
+ }
37
+ });
38
+ proc.stdin?.end(JSON.stringify({
39
+ jsonrpc: "2.0",
40
+ id: 1,
41
+ method: "tools/call",
42
+ params: { name: toolName, arguments: args },
43
+ }) + "\n");
44
+ });
45
+ }
46
+ describe("dependency proxy tools", () => {
47
+ let mockServer;
48
+ let mockPort;
49
+ let baseEnv;
50
+ before(async () => {
51
+ mockPort = await findMockServerPort();
52
+ mockServer = new MockGitLabServer({ port: mockPort, validTokens: [MOCK_TOKEN] });
53
+ // Mock GraphQL endpoint for get/list operations
54
+ mockServer.addRootHandler("post", "/api/graphql", (req, res) => {
55
+ const { query } = req.body;
56
+ if (query.includes("updateDependencyProxySettings")) {
57
+ res.json({ data: { updateDependencyProxySettings: { errors: [] } } });
58
+ }
59
+ else if (query.includes("dependencyProxySetting")) {
60
+ res.json({
61
+ data: {
62
+ group: {
63
+ dependencyProxySetting: { enabled: true },
64
+ dependencyProxyBlobCount: 3,
65
+ dependencyProxyTotalSize: "15728640",
66
+ dependencyProxyImagePrefix: `localhost:${mockPort}/my-group/dependency_proxy/containers`,
67
+ dependencyProxyImageTtlPolicy: { enabled: true, ttl: 90 },
68
+ },
69
+ },
70
+ });
71
+ }
72
+ else if (query.includes("dependencyProxyBlobs")) {
73
+ res.json({
74
+ data: {
75
+ group: {
76
+ dependencyProxyBlobs: {
77
+ nodes: [
78
+ { fileName: "sha256:abc123", size: "5 MiB", createdAt: "2026-01-01T00:00:00Z" },
79
+ { fileName: "sha256:def456", size: "10 MiB", createdAt: "2026-01-02T00:00:00Z" },
80
+ ],
81
+ pageInfo: { hasNextPage: false, endCursor: null },
82
+ },
83
+ },
84
+ },
85
+ });
86
+ }
87
+ else {
88
+ res.status(400).json({ errors: [{ message: "Unexpected GraphQL query" }] });
89
+ }
90
+ });
91
+ // Mock REST endpoint for purge
92
+ mockServer.addMockHandler("delete", `/groups/${TEST_GROUP_PATH}/dependency_proxy/cache`, (_req, res) => {
93
+ res.status(202).send();
94
+ });
95
+ await mockServer.start();
96
+ baseEnv = {
97
+ GITLAB_PERSONAL_ACCESS_TOKEN: MOCK_TOKEN,
98
+ GITLAB_API_URL: `http://localhost:${mockPort}/api/v4`,
99
+ GITLAB_TOOLSETS: "dependency_proxy",
100
+ };
101
+ });
102
+ after(async () => {
103
+ await mockServer.stop();
104
+ });
105
+ test("get_dependency_proxy_settings returns enabled status and blob info", async () => {
106
+ const result = await callTool("get_dependency_proxy_settings", { group_id: TEST_GROUP_PATH }, baseEnv);
107
+ assert.strictEqual(result.enabled, true);
108
+ assert.strictEqual(result.blob_count, 3);
109
+ assert.strictEqual(result.total_size, "15728640");
110
+ assert.ok(result.ttl_policy?.enabled);
111
+ });
112
+ test("list_dependency_proxy_blobs returns blobs with string sizes", async () => {
113
+ const result = await callTool("list_dependency_proxy_blobs", { group_id: TEST_GROUP_PATH }, baseEnv);
114
+ assert.ok(Array.isArray(result.blobs));
115
+ assert.strictEqual(result.blobs.length, 2);
116
+ assert.strictEqual(typeof result.blobs[0].size, "string");
117
+ assert.strictEqual(result.blobs[0].file_name, "sha256:abc123");
118
+ });
119
+ test("purge_dependency_proxy_cache returns scheduled status", async () => {
120
+ const result = await callTool("purge_dependency_proxy_cache", { group_id: TEST_GROUP_PATH }, baseEnv);
121
+ assert.strictEqual(result.status, "success");
122
+ assert.ok(result.message.includes("scheduled"));
123
+ });
124
+ test("update_dependency_proxy_settings enables the proxy and returns settings", async () => {
125
+ const result = await callTool("update_dependency_proxy_settings", { group_id: TEST_GROUP_PATH, enabled: true }, baseEnv);
126
+ assert.strictEqual(result.enabled, true);
127
+ });
128
+ test("update_dependency_proxy_settings rejects empty options", async () => {
129
+ await assert.rejects(() => callTool("update_dependency_proxy_settings", { group_id: TEST_GROUP_PATH }, baseEnv), /At least one of enabled, identity, or secret must be provided/);
130
+ });
131
+ test("dependency_proxy tools are absent when toolset is not activated", async () => {
132
+ return new Promise((resolve, reject) => {
133
+ const proc = spawn("node", ["build/index.js"], {
134
+ stdio: ["pipe", "pipe", "pipe"],
135
+ env: {
136
+ ...process.env,
137
+ GITLAB_PERSONAL_ACCESS_TOKEN: MOCK_TOKEN,
138
+ GITLAB_API_URL: `http://localhost:${mockPort}/api/v4`,
139
+ // No GITLAB_TOOLSETS — default toolsets only
140
+ },
141
+ });
142
+ let output = "";
143
+ proc.stdout?.on("data", (d) => (output += d));
144
+ proc.on("close", () => {
145
+ try {
146
+ const line = output.split("\n").find(l => l.startsWith("{"));
147
+ if (!line)
148
+ return reject(new Error("No JSON output found"));
149
+ const response = JSON.parse(line);
150
+ const tools = response.result?.tools ?? [];
151
+ const names = tools.map(t => t.name);
152
+ assert.ok(!names.includes("get_dependency_proxy_settings"), "tool should not be in default toolset");
153
+ assert.ok(!names.includes("purge_dependency_proxy_cache"), "tool should not be in default toolset");
154
+ resolve();
155
+ }
156
+ catch (e) {
157
+ reject(e);
158
+ }
159
+ });
160
+ proc.stdin?.end(JSON.stringify({ jsonrpc: "2.0", id: 1, method: "tools/list", params: {} }) + "\n");
161
+ });
162
+ });
163
+ test("write tools are absent from tools/list in read-only mode", async () => {
164
+ return new Promise((resolve, reject) => {
165
+ const proc = spawn("node", ["build/index.js"], {
166
+ stdio: ["pipe", "pipe", "pipe"],
167
+ env: { ...process.env, ...baseEnv, GITLAB_READ_ONLY_MODE: "true" },
168
+ });
169
+ let output = "";
170
+ proc.stdout?.on("data", (d) => (output += d));
171
+ proc.on("close", () => {
172
+ try {
173
+ const line = output.split("\n").find(l => l.startsWith("{"));
174
+ if (!line)
175
+ return reject(new Error("No JSON output found"));
176
+ const response = JSON.parse(line);
177
+ const names = (response.result?.tools ?? []).map((t) => t.name);
178
+ assert.ok(!names.includes("purge_dependency_proxy_cache"), "purge should be absent in read-only mode");
179
+ assert.ok(!names.includes("update_dependency_proxy_settings"), "update should be absent in read-only mode");
180
+ assert.ok(names.includes("get_dependency_proxy_settings"), "get should be present in read-only mode");
181
+ assert.ok(names.includes("list_dependency_proxy_blobs"), "list should be present in read-only mode");
182
+ resolve();
183
+ }
184
+ catch (e) {
185
+ reject(e);
186
+ }
187
+ });
188
+ proc.stdin?.end(JSON.stringify({ jsonrpc: "2.0", id: 1, method: "tools/list", params: {} }) + "\n");
189
+ });
190
+ });
191
+ });
package/build/test/test-geteffectiveprojectid.js CHANGED
@@ -271,6 +271,7 @@ describe('getEffectiveProjectId', { concurrency: 1 }, () => {
271
271
  REMOTE_AUTHORIZATION: 'true',
272
272
  GITLAB_API_URL: `${mockGitLabUrl}/api/v4`,
273
273
  GITLAB_PROJECT_ID: DEFAULT_PROJECT_ID,
274
+ GITLAB_TOOLSETS: 'variables',
274
275
  }
275
276
  });
276
277
  servers.push(server);
@@ -317,6 +318,26 @@ describe('getEffectiveProjectId', { concurrency: 1 }, () => {
317
318
  assert.ok(error.message.includes('create_group is not allowed'), 'Should mention create_group');
318
319
  }
319
320
  });
321
+ test('should reject list_group_variables when GITLAB_PROJECT_ID is set', async () => {
322
+ try {
323
+ await client.callTool('list_group_variables', { group_id: 'my-group' });
324
+ assert.fail('Should have rejected list_group_variables');
325
+ }
326
+ catch (error) {
327
+ assert.ok(error instanceof Error);
328
+ assert.ok(error.message.includes('list_group_variables is not allowed'), 'Should mention list_group_variables');
329
+ }
330
+ });
331
+ test('should reject get_group_variable when GITLAB_PROJECT_ID is set', async () => {
332
+ try {
333
+ await client.callTool('get_group_variable', { group_id: 'my-group', key: 'SHARED_SECRET' });
334
+ assert.fail('Should have rejected get_group_variable');
335
+ }
336
+ catch (error) {
337
+ assert.ok(error instanceof Error);
338
+ assert.ok(error.message.includes('get_group_variable is not allowed'), 'Should mention get_group_variable');
339
+ }
340
+ });
320
341
  test('should allow get_project (non-mutator) when GITLAB_PROJECT_ID is set', async () => {
321
342
  const result = await client.callTool('get_project', { project_id: '' });
322
343
  assert.ok(result.content, 'Should have content');
@@ -348,6 +369,7 @@ describe('getEffectiveProjectId', { concurrency: 1 }, () => {
348
369
  REMOTE_AUTHORIZATION: 'true',
349
370
  GITLAB_API_URL: `${mockGitLabUrl}/api/v4`,
350
371
  GITLAB_ALLOWED_PROJECT_IDS: DEFAULT_PROJECT_ID,
372
+ GITLAB_TOOLSETS: 'variables',
351
373
  }
352
374
  });
353
375
  servers.push(server);
@@ -394,6 +416,26 @@ describe('getEffectiveProjectId', { concurrency: 1 }, () => {
394
416
  assert.ok(error.message.includes('create_group is not allowed'), 'Should mention create_group');
395
417
  }
396
418
  });
419
+ test('should reject list_group_variables with GITLAB_ALLOWED_PROJECT_IDS', async () => {
420
+ try {
421
+ await client.callTool('list_group_variables', { group_id: 'my-group' });
422
+ assert.fail('Should have rejected list_group_variables');
423
+ }
424
+ catch (error) {
425
+ assert.ok(error instanceof Error);
426
+ assert.ok(error.message.includes('list_group_variables is not allowed'), 'Should mention list_group_variables');
427
+ }
428
+ });
429
+ test('should reject get_group_variable with GITLAB_ALLOWED_PROJECT_IDS', async () => {
430
+ try {
431
+ await client.callTool('get_group_variable', { group_id: 'my-group', key: 'SHARED_SECRET' });
432
+ assert.fail('Should have rejected get_group_variable');
433
+ }
434
+ catch (error) {
435
+ assert.ok(error instanceof Error);
436
+ assert.ok(error.message.includes('get_group_variable is not allowed'), 'Should mention get_group_variable');
437
+ }
438
+ });
397
439
  test('should allow get_project (non-mutator) with GITLAB_ALLOWED_PROJECT_IDS', async () => {
398
440
  const result = await client.callTool('get_project', { project_id: '' });
399
441
  assert.ok(result.content, 'Should have content');
@@ -466,4 +508,64 @@ describe('getEffectiveProjectId', { concurrency: 1 }, () => {
466
508
  assert.ok(result.content, 'Should have content');
467
509
  });
468
510
  });
511
+ describe('GITLAB_PROJECT_ID guards dependency proxy tools', () => {
512
+ let mcpUrl;
513
+ let mockGitLab;
514
+ let servers = [];
515
+ let client;
516
+ before(async () => {
517
+ const mockPort = await findMockServerPort(9500);
518
+ mockGitLab = new MockGitLabServer({
519
+ port: mockPort,
520
+ validTokens: [MOCK_TOKEN],
521
+ });
522
+ await mockGitLab.start();
523
+ const mockGitLabUrl = mockGitLab.getUrl();
524
+ const mcpPort = await findAvailablePort(3500);
525
+ const server = await launchServer({
526
+ mode: TransportMode.STREAMABLE_HTTP,
527
+ port: mcpPort,
528
+ timeout: 5000,
529
+ env: {
530
+ REMOTE_AUTHORIZATION: 'true',
531
+ GITLAB_API_URL: `${mockGitLabUrl}/api/v4`,
532
+ GITLAB_PROJECT_ID: DEFAULT_PROJECT_ID,
533
+ GITLAB_TOOLSETS: 'dependency_proxy',
534
+ },
535
+ });
536
+ servers.push(server);
537
+ mcpUrl = `http://${HOST}:${mcpPort}/mcp`;
538
+ client = new CustomHeaderClient({
539
+ authorization: `Bearer ${MOCK_TOKEN}`,
540
+ });
541
+ await client.connect(mcpUrl);
542
+ });
543
+ after(async () => {
544
+ if (client)
545
+ await client.disconnect();
546
+ cleanupServers(servers);
547
+ if (mockGitLab)
548
+ await mockGitLab.stop();
549
+ });
550
+ test('should reject get_dependency_proxy_settings when GITLAB_PROJECT_ID is set', async () => {
551
+ try {
552
+ await client.callTool('get_dependency_proxy_settings', { group_id: 'my-group' });
553
+ assert.fail('Should have rejected get_dependency_proxy_settings');
554
+ }
555
+ catch (error) {
556
+ assert.ok(error instanceof Error);
557
+ assert.ok(error.message.includes('get_dependency_proxy_settings is not allowed'), 'Should mention get_dependency_proxy_settings');
558
+ }
559
+ });
560
+ test('should reject purge_dependency_proxy_cache when GITLAB_PROJECT_ID is set', async () => {
561
+ try {
562
+ await client.callTool('purge_dependency_proxy_cache', { group_id: 'my-group' });
563
+ assert.fail('Should have rejected purge_dependency_proxy_cache');
564
+ }
565
+ catch (error) {
566
+ assert.ok(error instanceof Error);
567
+ assert.ok(error.message.includes('purge_dependency_proxy_cache is not allowed'), 'Should mention purge_dependency_proxy_cache');
568
+ }
569
+ });
570
+ });
469
571
  }); // end wrapper describe
package/build/test/test-toolset-filtering.js CHANGED
@@ -33,6 +33,8 @@ const TOOLSET_TOOL_COUNTS = {
33
33
  workitems: 18,
34
34
  webhooks: 3,
35
35
  groups: 1,
36
+ variables: 10,
37
+ dependency_proxy: 4,
36
38
  };
37
39
  const LEGACY_PIPELINE_TOOL_COUNT = TOOLSET_TOOL_COUNTS.pipelines + TOOLSET_TOOL_COUNTS.ci;
38
40
  const DEFAULT_TOOLSETS = [
@@ -55,6 +57,8 @@ const NON_DEFAULT_TOOLSETS = [
55
57
  "workitems",
56
58
  "webhooks",
57
59
  "search",
60
+ "variables",
61
+ "dependency_proxy",
58
62
  ];
59
63
  // discover_tools meta-tool is always force-injected (Step 5.5)
60
64
  const DISCOVER_TOOLS_COUNT = 1;
@@ -78,6 +82,8 @@ const TOOLSET_SAMPLE_TOOLS = {
78
82
  search: ["search_code", "search_project_code", "search_group_code"],
79
83
  webhooks: ["list_webhooks", "list_webhook_events", "get_webhook_event"],
80
84
  groups: ["create_group"],
85
+ variables: ["list_project_variables", "create_project_variable", "delete_project_variable", "list_group_variables", "create_group_variable", "delete_group_variable"],
86
+ dependency_proxy: ["get_dependency_proxy_settings", "list_dependency_proxy_blobs", "purge_dependency_proxy_cache"],
81
87
  };
82
88
  // --- Helpers ---
83
89
  async function launchMcpServer(mockGitLabUrl, mcpPort, extraEnv = {}) {