@zereight/mcp-gitlab 2.1.17 → 2.1.19

package/build/test/mcp-oauth-tests.js

@@ -79,7 +79,6 @@ function addOAuthEndpoints(mockGitLab, validToken, clientId, baseUrl) {
 // Test suite: Discovery endpoints
 // ---------------------------------------------------------------------------
 describe("MCP OAuth — Discovery Endpoints", () => {
-    let mcpUrl;
     let mcpBaseUrl;
     let mockGitLab;
     let servers = [];
@@ -94,7 +93,6 @@ describe("MCP OAuth — Discovery Endpoints", () => {
         addOAuthEndpoints(mockGitLab, MOCK_OAUTH_TOKEN, MOCK_CLIENT_ID, mockGitLabUrl);
         const mcpPort = await findAvailablePort(MCP_SERVER_PORT_BASE);
         mcpBaseUrl = `http://${HOST}:${mcpPort}`;
-        mcpUrl = `${mcpBaseUrl}/mcp`;
         const server = await launchServer({
             mode: TransportMode.STREAMABLE_HTTP,
             port: mcpPort,
@@ -285,13 +283,6 @@ describe("MCP OAuth — /mcp Auth Enforcement", () => {
 describe("MCP OAuth — BoundedClientCache", () => {
     // Access the internal class via a minimal provider (it's not exported directly)
     // by driving it through the public clientsStore API.
-    function makeClient(id, redirectUri = "https://example.com/cb") {
-        return {
-            client_id: id,
-            redirect_uris: [redirectUri],
-            token_endpoint_auth_method: "none",
-        };
-    }
     async function buildCachingProvider() {
         // Spin up a DCR stub that returns a stable client_id from the request body.
         // The stub reads client_id from the incoming body (set by the SDK's register
@@ -380,7 +371,7 @@ describe("MCP OAuth — createGitLabOAuthProvider", () => {
     test("verifyAccessToken throws on non-OK response", async () => {
         // Spin up a tiny local server that always returns 401
         const { createServer } = await import("node:http");
-        const stub = createServer((req, res) => {
+        const stub = createServer((_req, res) => {
             res.writeHead(401);
             res.end(JSON.stringify({ error: "invalid_token" }));
         });
@@ -599,3 +590,195 @@ describe("MCP OAuth — Header Auth Fallback", () => {
         console.log("  ✓ No auth still returns 401");
     });
 });
+// ---------------------------------------------------------------------------
+// Test suite: Group Allowlist (unit tests — exchangeAuthorizationCode)
+// ---------------------------------------------------------------------------
+describe("MCP OAuth — Group Allowlist", () => {
+    let stubServer;
+    let stubUrl;
+    // Mutable state lets each test control the stub's response without
+    // spinning up a new server.
+    let groupsForPage = () => [];
+    let totalPages = 1;
+    before(async () => {
+        const { createServer } = await import("node:http");
+        stubServer = createServer((req, res) => {
+            const url = new URL(req.url, "http://127.0.0.1");
+            res.setHeader("Content-Type", "application/json");
+            // Token exchange — passthrough mode calls POST /oauth/token
+            if (req.method === "POST" && url.pathname === "/oauth/token") {
+                res.writeHead(200).end(JSON.stringify({
+                    access_token: MOCK_OAUTH_TOKEN,
+                    token_type: "bearer",
+                    expires_in: 7200,
+                    refresh_token: "mock-refresh",
+                    scope: "api",
+                }));
+                return;
+            }
+            if (req.method === "GET" && url.pathname === "/api/v4/groups") {
+                const page = Number.parseInt(url.searchParams.get("page") ?? "1", 10);
+                res
+                    .writeHead(200, { "x-total-pages": String(totalPages) })
+                    .end(JSON.stringify(groupsForPage(page)));
+                return;
+            }
+            res.writeHead(404).end("{}");
+        });
+        await new Promise(resolve => stubServer.listen(0, "127.0.0.1", resolve));
+        const addr = stubServer.address();
+        stubUrl = `http://127.0.0.1:${addr.port}`;
+    });
+    after(() => {
+        stubServer.close();
+    });
+    async function makeProvider(allowedGroups = undefined, callbackProxyEnabled = false) {
+        const { createGitLabOAuthProvider } = await import("../oauth-proxy.js");
+        return createGitLabOAuthProvider(stubUrl, "test-app-id", "GitLab MCP Server", false, undefined, // customScopes
+        allowedGroups, callbackProxyEnabled, callbackProxyEnabled ? "https://mcp.example.test/callback" : "" // callbackUrl
+        );
+    }
+    function exchange(provider) {
+        return provider.exchangeAuthorizationCode({}, "mock-auth-code");
+    }
+    test("no allowedGroups — groups API not called, tokens returned", async () => {
+        const provider = await makeProvider(undefined);
+        groupsForPage = () => []; // wrong groups — proves endpoint isn't called
+        totalPages = 1;
+        const tokens = await exchange(provider);
+        assert.strictEqual(tokens.access_token, MOCK_OAUTH_TOKEN);
+        console.log("  ✓ No allowedGroups: token issued without group check");
+    });
+    test("user is direct member of the allowed group → token issued", async () => {
+        const provider = await makeProvider(["my-org"]);
+        groupsForPage = () => [{ full_path: "my-org" }];
+        totalPages = 1;
+        const tokens = await exchange(provider);
+        assert.strictEqual(tokens.access_token, MOCK_OAUTH_TOKEN);
+        console.log("  ✓ Direct group member: token issued");
+    });
+    test("user in first-level subgroup of allowed group → token issued", async () => {
+        const provider = await makeProvider(["my-org"]);
+        groupsForPage = () => [{ full_path: "my-org/team-a" }];
+        totalPages = 1;
+        const tokens = await exchange(provider);
+        assert.strictEqual(tokens.access_token, MOCK_OAUTH_TOKEN);
+        console.log("  ✓ First-level subgroup member: token issued");
+    });
+    test("user in nested subgroup → token issued", async () => {
+        const provider = await makeProvider(["my-org"]);
+        groupsForPage = () => [{ full_path: "my-org/team-a/squad-1" }];
+        totalPages = 1;
+        const tokens = await exchange(provider);
+        assert.strictEqual(tokens.access_token, MOCK_OAUTH_TOKEN);
+        console.log("  ✓ Nested subgroup member: token issued");
+    });
+    test("user not in any matching group → token issuance denied", async () => {
+        const provider = await makeProvider(["my-org"]);
+        groupsForPage = () => [{ full_path: "other-org" }];
+        totalPages = 1;
+        await assert.rejects(() => exchange(provider), (err) => {
+            assert.ok(err.message.includes("Access denied"), `Unexpected message: ${err.message}`);
+            return true;
+        });
+        console.log("  ✓ Non-member: token issuance denied");
+    });
+    test("prefix spoofing rejected — my-org2 does not match my-org", async () => {
+        const provider = await makeProvider(["my-org"]);
+        groupsForPage = () => [{ full_path: "my-org2" }];
+        totalPages = 1;
+        await assert.rejects(() => exchange(provider), (err) => {
+            assert.ok(err.message.includes("Access denied"), `Unexpected message: ${err.message}`);
+            return true;
+        });
+        console.log("  ✓ my-org2 correctly rejected (not a sub-path of my-org)");
+    });
+    test("user matches second of multiple allowed groups → token issued", async () => {
+        const provider = await makeProvider(["team-x", "my-org"]);
+        groupsForPage = () => [{ full_path: "my-org/backend" }];
+        totalPages = 1;
+        const tokens = await exchange(provider);
+        assert.strictEqual(tokens.access_token, MOCK_OAUTH_TOKEN);
+        console.log("  ✓ Match on second allowed group: token issued");
+    });
+    test("match found on page 2 of paginated groups response → token issued", async () => {
+        const provider = await makeProvider(["my-org"]);
+        totalPages = 2;
+        groupsForPage = page => page === 1 ? [{ full_path: "other-org" }] : [{ full_path: "my-org/team-b" }];
+        const tokens = await exchange(provider);
+        assert.strictEqual(tokens.access_token, MOCK_OAUTH_TOKEN);
+        console.log("  ✓ Group found on page 2: token issued");
+    });
+    test("user not in group across all pages → token issuance denied", async () => {
+        const provider = await makeProvider(["my-org"]);
+        totalPages = 2;
+        groupsForPage = () => [{ full_path: "other-org" }];
+        await assert.rejects(() => exchange(provider), (err) => {
+            assert.ok(err.message.includes("Access denied"), `Unexpected message: ${err.message}`);
+            return true;
+        });
+        console.log("  ✓ Non-member across all pages: token issuance denied");
+    });
+    test("callback-proxy exchange also enforces allowed groups", async () => {
+        const provider = await makeProvider(["my-org"], true);
+        groupsForPage = () => [{ full_path: "my-org/team-a" }];
+        totalPages = 1;
+        const proxyCode = "proxy-code-for-group-test";
+        const clientId = "test-client";
+        const redirectUri = "https://client.example.test/callback";
+        provider._storedTokens.set(proxyCode, {
+            tokens: {
+                access_token: MOCK_OAUTH_TOKEN,
+                token_type: "bearer",
+                expires_in: 7200,
+                refresh_token: "mock-refresh",
+                scope: "api",
+            },
+            clientId,
+            clientCodeChallenge: "",
+            clientRedirectUri: redirectUri,
+            createdAt: Date.now(),
+        });
+        const tokens = await provider.exchangeAuthorizationCode({
+            client_id: clientId,
+        }, proxyCode, undefined, redirectUri);
+        assert.strictEqual(tokens.access_token, MOCK_OAUTH_TOKEN);
+        console.log("  ✓ Callback-proxy exchange enforces allowedGroups before issuing tokens");
+    });
+    test("callback-proxy exchange denies users outside allowed groups", async () => {
+        const provider = await makeProvider(["my-org"], true);
+        groupsForPage = () => [{ full_path: "other-org/team-a" }];
+        totalPages = 1;
+        const proxyCode = "proxy-code-for-group-deny-test";
+        const clientId = "test-client-deny";
+        const redirectUri = "https://client.example.test/callback";
+        provider._storedTokens.set(proxyCode, {
+            tokens: {
+                access_token: MOCK_OAUTH_TOKEN,
+                token_type: "bearer",
+                expires_in: 7200,
+                refresh_token: "mock-refresh",
+                scope: "api",
+            },
+            clientId,
+            clientCodeChallenge: "",
+            clientRedirectUri: redirectUri,
+            createdAt: Date.now(),
+        });
+        await assert.rejects(() => provider.exchangeAuthorizationCode({
+            client_id: clientId,
+        }, proxyCode, undefined, redirectUri), (err) => {
+            assert.ok(err.message.includes("Access denied"), `Unexpected message: ${err.message}`);
+            return true;
+        });
+        console.log("  ✓ Callback-proxy exchange denies users outside allowedGroups");
+    });
+    test("matching is case-insensitive", async () => {
+        const provider = await makeProvider(["My-Org"]);
+        groupsForPage = () => [{ full_path: "my-org/team-a" }];
+        totalPages = 1;
+        const tokens = await exchange(provider);
+        assert.strictEqual(tokens.access_token, MOCK_OAUTH_TOKEN);
+        console.log("  ✓ Case-insensitive match: token issued");
+    });
+});

package/build/test/remote-auth-simple-test.js

@@ -10,7 +10,6 @@ import { CustomHeaderClient } from './clients/custom-header-client.js';
 // Test constants
 const MOCK_TOKEN = 'glpat-mock-token-12345';
 const MOCK_JOB_TOKEN = 'glcbt-mock-job-token-9876';
-const TEST_PROJECT_ID = '123';
 // Port ranges to avoid collisions
 const MOCK_GITLAB_PORT_BASE = 9000;
 const MOCK_GITLAB_PORT_OFFSET = 500; // Offset for timeout test suite
@@ -22,6 +21,26 @@ const TIMEOUT_BUFFER_MS = 1000; // Extra time beyond timeout to ensure expiratio
 const TIMEOUT_TEST_WAIT_MS = SESSION_TIMEOUT_SECONDS * 1000 + TIMEOUT_BUFFER_MS;
 const KEEPALIVE_INTERVAL_MS = 2000; // Must be less than SESSION_TIMEOUT_SECONDS
 const KEEPALIVE_REQUEST_COUNT = 3; // Number of keepalive requests to test
+async function getMetrics(mcpUrl) {
+    const metricsUrl = mcpUrl.replace(/\/mcp$/, '/metrics');
+    const response = await fetch(metricsUrl);
+    assert.strictEqual(response.status, 200, 'metrics endpoint should be available');
+    return (await response.json());
+}
+async function waitForSessionDecrease(mcpUrl, beforeTimeout, timeoutMs = 3000) {
+    const startedAt = Date.now();
+    let last = await getMetrics(mcpUrl);
+    while (Date.now() - startedAt < timeoutMs) {
+        if (last.activeSessions < beforeTimeout.activeSessions &&
+            last.authenticatedSessions < beforeTimeout.authenticatedSessions) {
+            return;
+        }
+        await new Promise(resolve => setTimeout(resolve, 100));
+        last = await getMetrics(mcpUrl);
+    }
+    assert.ok(last.activeSessions < beforeTimeout.activeSessions, `activeSessions should decrease after timeout (${last.activeSessions} !< ${beforeTimeout.activeSessions})`);
+    assert.ok(last.authenticatedSessions < beforeTimeout.authenticatedSessions, `authenticatedSessions should decrease after timeout (${last.authenticatedSessions} !< ${beforeTimeout.authenticatedSessions})`);
+}
 console.log('🔐 Remote Authorization Test Suite');
 console.log('');
 describe('Remote Authorization - Basic Functionality', () => {
@@ -178,6 +197,7 @@ describe('Remote Authorization - Session Timeout', () => {
     test('session timeout expiration - inactivity expires auth', async () => {
         // Add a small delay to ensure server is ready/clean from previous test
         await new Promise(resolve => setTimeout(resolve, 1000));
+        const baseline = await getMetrics(mcpUrl);
         // Step 1: Connect WITH auth header to establish session
         const clientWithAuth = new CustomHeaderClient({
             'authorization': `Bearer ${MOCK_TOKEN}`
@@ -190,9 +210,14 @@ describe('Remote Authorization - Session Timeout', () => {
         const sessionId = clientWithAuth.getSessionId();
         assert.ok(sessionId, 'Session ID should exist');
         console.log(`  ℹ️  Session ID: ${sessionId}`);
+        const beforeTimeout = await getMetrics(mcpUrl);
+        assert.strictEqual(beforeTimeout.activeSessions, baseline.activeSessions + 1, 'Session should occupy one additional active slot');
+        assert.strictEqual(beforeTimeout.authenticatedSessions, baseline.authenticatedSessions + 1, 'Session should add one authenticated session');
         // Step 2: Wait for timeout WITHOUT making any requests
         console.log(`  ⏳ Waiting ${TIMEOUT_TEST_WAIT_MS / 1000}s for timeout without activity...`);
         await new Promise(resolve => setTimeout(resolve, TIMEOUT_TEST_WAIT_MS));
+        await waitForSessionDecrease(mcpUrl, beforeTimeout);
+        console.log('  ✓ Timeout closed transport and released active session slot');
         // Step 3: Try to make request WITHOUT auth header - should fail with 401
         try {
             const response = await fetch(mcpUrl, {

package/build/test/schema-tests.js

@@ -1,5 +1,5 @@
 #!/usr/bin/env ts-node
-import { GetFileContentsSchema, GitLabFileContentSchema, GitLabRepositorySchema, CreatePipelineSchema, CreateCommitStatusSchema, ListCommitStatusesSchema, CreateIssueNoteSchema, CreateMergeRequestEmojiReactionSchema, CreateIssueEmojiReactionSchema, DeleteMergeRequestEmojiReactionSchema, DeleteIssueEmojiReactionSchema, CreateWorkItemEmojiReactionSchema, CreateWorkItemNoteEmojiReactionSchema, CreateIssueSchema, ListIssuesSchema, ListMergeRequestsSchema, ListLabelsSchema, GitLabMergeRequestSchema, GitLabTreeItemSchema, GetMergeRequestSchema, ListMergeRequestPipelinesSchema, GetRepositoryTreeSchema, GitLabUserFullSchema, GitLabMarkdownUploadSchema, } from '../schemas.js';
+import { GetFileContentsSchema, GitLabFileContentSchema, GitLabRepositorySchema, CreatePipelineSchema, CreateCommitStatusSchema, ListCommitStatusesSchema, CreateIssueNoteSchema, CreateMergeRequestEmojiReactionSchema, CreateIssueEmojiReactionSchema, DeleteMergeRequestEmojiReactionSchema, DeleteIssueEmojiReactionSchema, CreateWorkItemEmojiReactionSchema, CreateWorkItemNoteEmojiReactionSchema, CreateIssueSchema, ListIssuesSchema, ListMergeRequestsSchema, ListLabelsSchema, GitLabMergeRequestSchema, GitLabTreeItemSchema, GetMergeRequestSchema, ListMergeRequestPipelinesSchema, GetRepositoryTreeSchema, GitLabUserFullSchema, GitLabMarkdownUploadSchema, GitLabDependencyProxySchema, GitLabDependencyProxyBlobSchema, } from '../schemas.js';
 function runGetFileContentsSchemaTests() {
     console.log('🧪 Testing GetFileContentsSchema...');
     const cases = [
@@ -1385,6 +1385,106 @@ function runGitLabUserFullSchemaTests() {
     console.log(`\nResults: ${passed} passed, ${failed} failed`);
     return { passed, failed };
 }
+function runGitLabDependencyProxySchemaTests() {
+    console.log('🧪 Testing GitLabDependencyProxySchema...');
+    const cases = [
+        {
+            name: 'schema:dependency_proxy:minimal',
+            input: { enabled: true, blob_count: 0, total_size: '0' },
+            shouldFail: false,
+        },
+        {
+            name: 'schema:dependency_proxy:full',
+            input: {
+                enabled: true,
+                blob_count: 42,
+                total_size: '1234567890',
+                image_prefix: 'gitlab.example.com:5050/my-group/dependency_proxy/containers',
+                ttl_policy: { enabled: true, ttl: 90 },
+            },
+            shouldFail: false,
+        },
+        {
+            name: 'schema:dependency_proxy:nulls-allowed',
+            input: { enabled: false, blob_count: null, total_size: null, image_prefix: null, ttl_policy: null },
+            shouldFail: false,
+        },
+    ];
+    let passed = 0;
+    let failed = 0;
+    cases.forEach(testCase => {
+        const result = { name: testCase.name, status: 'failed' };
+        const parsed = GitLabDependencyProxySchema.safeParse(testCase.input);
+        if (testCase.shouldFail) {
+            result.status = parsed.success ? 'failed' : 'passed';
+            if (parsed.success)
+                result.error = 'Expected schema validation to fail';
+        }
+        else if (parsed.success) {
+            result.status = 'passed';
+        }
+        else {
+            result.error = parsed.error?.message || 'Schema validation failed';
+        }
+        if (result.status === 'passed') {
+            passed++;
+            console.log(`✅ ${result.name}`);
+        }
+        else {
+            failed++;
+            console.log(`❌ ${result.name}: ${result.error}`);
+        }
+    });
+    console.log(`\nResults: ${passed} passed, ${failed} failed`);
+    return { passed, failed };
+}
+function runGitLabDependencyProxyBlobSchemaTests() {
+    console.log('🧪 Testing GitLabDependencyProxyBlobSchema...');
+    const cases = [
+        {
+            name: 'schema:dependency_proxy_blob:basic',
+            input: { file_name: 'sha256:abc123', size: '2.5 MiB', created_at: '2026-01-01T00:00:00Z' },
+            shouldFail: false,
+        },
+        {
+            name: 'schema:dependency_proxy_blob:no-created-at',
+            input: { file_name: 'sha256:def456', size: '512 KiB' },
+            shouldFail: false,
+        },
+        {
+            name: 'schema:dependency_proxy_blob:size-must-be-string',
+            input: { file_name: 'sha256:ghi789', size: 12345 },
+            shouldFail: true,
+        },
+    ];
+    let passed = 0;
+    let failed = 0;
+    cases.forEach(testCase => {
+        const result = { name: testCase.name, status: 'failed' };
+        const parsed = GitLabDependencyProxyBlobSchema.safeParse(testCase.input);
+        if (testCase.shouldFail) {
+            result.status = parsed.success ? 'failed' : 'passed';
+            if (parsed.success)
+                result.error = 'Expected schema validation to fail';
+        }
+        else if (parsed.success) {
+            result.status = 'passed';
+        }
+        else {
+            result.error = parsed.error?.message || 'Schema validation failed';
+        }
+        if (result.status === 'passed') {
+            passed++;
+            console.log(`✅ ${result.name}`);
+        }
+        else {
+            failed++;
+            console.log(`❌ ${result.name}: ${result.error}`);
+        }
+    });
+    console.log(`\nResults: ${passed} passed, ${failed} failed`);
+    return { passed, failed };
+}
 if (import.meta.url === `file://${process.argv[1]}`) {
     const getFileContentsResult = runGetFileContentsSchemaTests();
     const fileContentResult = runGitLabFileContentSchemaTests();
@@ -1403,8 +1503,10 @@ if (import.meta.url === `file://${process.argv[1]}`) {
     const repositoryTreeResult = runGetRepositoryTreeSchemaTests();
     const gitLabUserFullResult = runGitLabUserFullSchemaTests();
     const gitLabMarkdownUploadResult = runGitLabMarkdownUploadSchemaTests();
-    const totalPassed = getFileContentsResult.passed + fileContentResult.passed + createPipelineResult.passed + commitStatusResult.passed + createIssueNoteResult.passed + getMergeRequestResult.passed + listMergeRequestPipelinesResult.passed + gitLabMergeRequestResult.passed + emojiReactionResult.passed + repositorySchemaResult.passed + labelsCoercionResult.passed + approvedByUsernamesResult.passed + listLabelsResult.passed + treeItemResult.passed + repositoryTreeResult.passed + gitLabUserFullResult.passed + gitLabMarkdownUploadResult.passed;
-    const totalFailed = getFileContentsResult.failed + fileContentResult.failed + createPipelineResult.failed + commitStatusResult.failed + createIssueNoteResult.failed + getMergeRequestResult.failed + listMergeRequestPipelinesResult.failed + gitLabMergeRequestResult.failed + emojiReactionResult.failed + repositorySchemaResult.failed + labelsCoercionResult.failed + approvedByUsernamesResult.failed + listLabelsResult.failed + treeItemResult.failed + repositoryTreeResult.failed + gitLabUserFullResult.failed + gitLabMarkdownUploadResult.failed;
+    const dependencyProxyResult = runGitLabDependencyProxySchemaTests();
+    const dependencyProxyBlobResult = runGitLabDependencyProxyBlobSchemaTests();
+    const totalPassed = getFileContentsResult.passed + fileContentResult.passed + createPipelineResult.passed + commitStatusResult.passed + createIssueNoteResult.passed + getMergeRequestResult.passed + listMergeRequestPipelinesResult.passed + gitLabMergeRequestResult.passed + emojiReactionResult.passed + repositorySchemaResult.passed + labelsCoercionResult.passed + approvedByUsernamesResult.passed + listLabelsResult.passed + treeItemResult.passed + repositoryTreeResult.passed + gitLabUserFullResult.passed + gitLabMarkdownUploadResult.passed + dependencyProxyResult.passed + dependencyProxyBlobResult.passed;
+    const totalFailed = getFileContentsResult.failed + fileContentResult.failed + createPipelineResult.failed + commitStatusResult.failed + createIssueNoteResult.failed + getMergeRequestResult.failed + listMergeRequestPipelinesResult.failed + gitLabMergeRequestResult.failed + emojiReactionResult.failed + repositorySchemaResult.failed + labelsCoercionResult.failed + approvedByUsernamesResult.failed + listLabelsResult.failed + treeItemResult.failed + repositoryTreeResult.failed + gitLabUserFullResult.failed + gitLabMarkdownUploadResult.failed + dependencyProxyResult.failed + dependencyProxyBlobResult.failed;
     console.log(`\nTotal Results: ${totalPassed} passed, ${totalFailed} failed`);
     if (totalFailed > 0) {
         process.exit(1);

package/build/test/stateless/callback-proxy.test.js

@@ -34,7 +34,7 @@ function loadMaterial(current, previous) {
     return m;
 }
 function makeProvider(material, { callbackProxy = true } = {}) {
-    return createGitLabOAuthProvider(GITLAB_BASE, "real-gitlab-app-id", "Test Server", false, undefined, callbackProxy, callbackProxy ? CALLBACK_URL : "", material
+    return createGitLabOAuthProvider(GITLAB_BASE, "real-gitlab-app-id", "Test Server", false, undefined, undefined, callbackProxy, callbackProxy ? CALLBACK_URL : "", material
         ? {
             material,
             clientTtlSeconds: 86400,

package/build/test/stateless/client-id.test.js

@@ -31,6 +31,7 @@ function loadMaterial(current, previous) {
 function makeProvider(material, { callbackProxy = false } = {}) {
     return createGitLabOAuthProvider("https://gitlab.example.com", "real-gitlab-app-id", "GitLab MCP Server (test)", false, // readOnly
     undefined, // customScopes
+    undefined, // allowedGroups
     callbackProxy, callbackProxy ? "https://mcp.example.com/callback" : "", material
         ? {
             material,

package/build/test/test-dependency-proxy.js

@@ -0,0 +1,191 @@
+import { describe, test, before, after } from "node:test";
+import assert from "node:assert";
+import { spawn } from "child_process";
+import { MockGitLabServer, findMockServerPort } from "./utils/mock-gitlab-server.js";
+const MOCK_TOKEN = "glpat-mock-token-dependency-proxy";
+const TEST_GROUP_PATH = "my-group";
+async function callTool(toolName, args, env) {
+    return new Promise((resolve, reject) => {
+        const proc = spawn("node", ["build/index.js"], {
+            stdio: ["pipe", "pipe", "pipe"],
+            env: { ...process.env, ...env },
+        });
+        let output = "";
+        let errorOutput = "";
+        proc.stdout?.on("data", (d) => (output += d));
+        proc.stderr?.on("data", (d) => (errorOutput += d));
+        proc.on("close", code => {
+            if (code !== 0) {
+                return reject(new Error(`Process exited with code ${code}: ${errorOutput}`));
+            }
+            const line = output.split("\n").find(l => l.startsWith("{"));
+            if (!line)
+                return reject(new Error("No JSON output found"));
+            try {
+                const response = JSON.parse(line);
+                if (response.error) {
+                    reject(new Error(response.error?.message ?? String(response.error)));
+                }
+                else {
+                    const content = response.result?.content?.[0]?.text;
+                    resolve(content ? JSON.parse(content) : response.result);
+                }
+            }
+            catch (e) {
+                reject(e);
+            }
+        });
+        proc.stdin?.end(JSON.stringify({
+            jsonrpc: "2.0",
+            id: 1,
+            method: "tools/call",
+            params: { name: toolName, arguments: args },
+        }) + "\n");
+    });
+}
+describe("dependency proxy tools", () => {
+    let mockServer;
+    let mockPort;
+    let baseEnv;
+    before(async () => {
+        mockPort = await findMockServerPort();
+        mockServer = new MockGitLabServer({ port: mockPort, validTokens: [MOCK_TOKEN] });
+        // Mock GraphQL endpoint for get/list operations
+        mockServer.addRootHandler("post", "/api/graphql", (req, res) => {
+            const { query } = req.body;
+            if (query.includes("updateDependencyProxySettings")) {
+                res.json({ data: { updateDependencyProxySettings: { errors: [] } } });
+            }
+            else if (query.includes("dependencyProxySetting")) {
+                res.json({
+                    data: {
+                        group: {
+                            dependencyProxySetting: { enabled: true },
+                            dependencyProxyBlobCount: 3,
+                            dependencyProxyTotalSize: "15728640",
+                            dependencyProxyImagePrefix: `localhost:${mockPort}/my-group/dependency_proxy/containers`,
+                            dependencyProxyImageTtlPolicy: { enabled: true, ttl: 90 },
+                        },
+                    },
+                });
+            }
+            else if (query.includes("dependencyProxyBlobs")) {
+                res.json({
+                    data: {
+                        group: {
+                            dependencyProxyBlobs: {
+                                nodes: [
+                                    { fileName: "sha256:abc123", size: "5 MiB", createdAt: "2026-01-01T00:00:00Z" },
+                                    { fileName: "sha256:def456", size: "10 MiB", createdAt: "2026-01-02T00:00:00Z" },
+                                ],
+                                pageInfo: { hasNextPage: false, endCursor: null },
+                            },
+                        },
+                    },
+                });
+            }
+            else {
+                res.status(400).json({ errors: [{ message: "Unexpected GraphQL query" }] });
+            }
+        });
+        // Mock REST endpoint for purge
+        mockServer.addMockHandler("delete", `/groups/${TEST_GROUP_PATH}/dependency_proxy/cache`, (_req, res) => {
+            res.status(202).send();
+        });
+        await mockServer.start();
+        baseEnv = {
+            GITLAB_PERSONAL_ACCESS_TOKEN: MOCK_TOKEN,
+            GITLAB_API_URL: `http://localhost:${mockPort}/api/v4`,
+            GITLAB_TOOLSETS: "dependency_proxy",
+        };
+    });
+    after(async () => {
+        await mockServer.stop();
+    });
+    test("get_dependency_proxy_settings returns enabled status and blob info", async () => {
+        const result = await callTool("get_dependency_proxy_settings", { group_id: TEST_GROUP_PATH }, baseEnv);
+        assert.strictEqual(result.enabled, true);
+        assert.strictEqual(result.blob_count, 3);
+        assert.strictEqual(result.total_size, "15728640");
+        assert.ok(result.ttl_policy?.enabled);
+    });
+    test("list_dependency_proxy_blobs returns blobs with string sizes", async () => {
+        const result = await callTool("list_dependency_proxy_blobs", { group_id: TEST_GROUP_PATH }, baseEnv);
+        assert.ok(Array.isArray(result.blobs));
+        assert.strictEqual(result.blobs.length, 2);
+        assert.strictEqual(typeof result.blobs[0].size, "string");
+        assert.strictEqual(result.blobs[0].file_name, "sha256:abc123");
+    });
+    test("purge_dependency_proxy_cache returns scheduled status", async () => {
+        const result = await callTool("purge_dependency_proxy_cache", { group_id: TEST_GROUP_PATH }, baseEnv);
+        assert.strictEqual(result.status, "success");
+        assert.ok(result.message.includes("scheduled"));
+    });
+    test("update_dependency_proxy_settings enables the proxy and returns settings", async () => {
+        const result = await callTool("update_dependency_proxy_settings", { group_id: TEST_GROUP_PATH, enabled: true }, baseEnv);
+        assert.strictEqual(result.enabled, true);
+    });
+    test("update_dependency_proxy_settings rejects empty options", async () => {
+        await assert.rejects(() => callTool("update_dependency_proxy_settings", { group_id: TEST_GROUP_PATH }, baseEnv), /At least one of enabled, identity, or secret must be provided/);
+    });
+    test("dependency_proxy tools are absent when toolset is not activated", async () => {
+        return new Promise((resolve, reject) => {
+            const proc = spawn("node", ["build/index.js"], {
+                stdio: ["pipe", "pipe", "pipe"],
+                env: {
+                    ...process.env,
+                    GITLAB_PERSONAL_ACCESS_TOKEN: MOCK_TOKEN,
+                    GITLAB_API_URL: `http://localhost:${mockPort}/api/v4`,
+                    // No GITLAB_TOOLSETS — default toolsets only
+                },
+            });
+            let output = "";
+            proc.stdout?.on("data", (d) => (output += d));
+            proc.on("close", () => {
+                try {
+                    const line = output.split("\n").find(l => l.startsWith("{"));
+                    if (!line)
+                        return reject(new Error("No JSON output found"));
+                    const response = JSON.parse(line);
+                    const tools = response.result?.tools ?? [];
+                    const names = tools.map(t => t.name);
+                    assert.ok(!names.includes("get_dependency_proxy_settings"), "tool should not be in default toolset");
+                    assert.ok(!names.includes("purge_dependency_proxy_cache"), "tool should not be in default toolset");
+                    resolve();
+                }
+                catch (e) {
+                    reject(e);
+                }
+            });
+            proc.stdin?.end(JSON.stringify({ jsonrpc: "2.0", id: 1, method: "tools/list", params: {} }) + "\n");
+        });
+    });
+    test("write tools are absent from tools/list in read-only mode", async () => {
+        return new Promise((resolve, reject) => {
+            const proc = spawn("node", ["build/index.js"], {
+                stdio: ["pipe", "pipe", "pipe"],
+                env: { ...process.env, ...baseEnv, GITLAB_READ_ONLY_MODE: "true" },
+            });
+            let output = "";
+            proc.stdout?.on("data", (d) => (output += d));
+            proc.on("close", () => {
+                try {
+                    const line = output.split("\n").find(l => l.startsWith("{"));
+                    if (!line)
+                        return reject(new Error("No JSON output found"));
+                    const response = JSON.parse(line);
+                    const names = (response.result?.tools ?? []).map((t) => t.name);
+                    assert.ok(!names.includes("purge_dependency_proxy_cache"), "purge should be absent in read-only mode");
+                    assert.ok(!names.includes("update_dependency_proxy_settings"), "update should be absent in read-only mode");
+                    assert.ok(names.includes("get_dependency_proxy_settings"), "get should be present in read-only mode");
+                    assert.ok(names.includes("list_dependency_proxy_blobs"), "list should be present in read-only mode");
+                    resolve();
+                }
+                catch (e) {
+                    reject(e);
+                }
+            });
+            proc.stdin?.end(JSON.stringify({ jsonrpc: "2.0", id: 1, method: "tools/list", params: {} }) + "\n");
+        });
+    });
+});