@zereight/mcp-gitlab 2.1.18 → 2.1.20

package/README.ko.md

@@ -187,6 +187,7 @@ MCP 서버가 직접 로컬 브라우저 callback을 받을 때만 `GITLAB_OAUTH
 | `STREAMABLE_HTTP` | 예 | 반드시 `true` |
 | `GITLAB_OAUTH_CALLBACK_PROXY` | 선택 | MCP 서버의 고정 `/callback` URL을 사용하려면 `true` |
 | `GITLAB_OAUTH_SCOPES` | 선택 | 쉼표로 구분된 scope 목록(기본값: `api,read_api,read_user`) |
+| `GITLAB_ALLOWED_GROUPS` | 선택 | 쉼표로 구분된 GitLab 그룹 전체 경로 — 해당 그룹 및 하위 그룹 멤버만 토큰을 발급받을 수 있음 |
 
 > **`Unregistered redirect_uri` 문제 해결**
 >

package/README.md

@@ -208,6 +208,7 @@ exchanging credentials with GitLab on behalf of the client.
 | `STREAMABLE_HTTP`     | ✅       | Must be `true`                                             |
 | `GITLAB_OAUTH_CALLBACK_PROXY` | optional | Set to `true` to use the MCP server's fixed `/callback` URL |
 | `GITLAB_OAUTH_SCOPES` | optional | Comma-separated scopes (default: `api,read_api,read_user`) |
+| `GITLAB_ALLOWED_GROUPS` | optional | Comma-separated group full paths — only members (and subgroup members) may obtain a token |
 
 When `STREAMABLE_HTTP=true`, server-side `GITLAB_PERSONAL_ACCESS_TOKEN` or `GITLAB_JOB_TOKEN` require `REMOTE_AUTHORIZATION=true` or `GITLAB_MCP_OAUTH=true`.
 

package/README.zh-CN.md

@@ -187,6 +187,7 @@ OpenCode、MCPJam、Claude.ai 等远程 MCP 客户端可能会在授权时发送
 | `STREAMABLE_HTTP` | 是 | 必须为 `true` |
 | `GITLAB_OAUTH_CALLBACK_PROXY` | 可选 | 设置为 `true` 时使用 MCP 服务器固定的 `/callback` URL |
 | `GITLAB_OAUTH_SCOPES` | 可选 | 逗号分隔的 scope（默认：`api,read_api,read_user`） |
+| `GITLAB_ALLOWED_GROUPS` | 可选 | 逗号分隔的 GitLab 群组完整路径 — 仅该群组及其子群组的成员可获取令牌 |
 
 > **排查 `Unregistered redirect_uri`**
 >

package/build/config.js

@@ -57,6 +57,13 @@ export const GITLAB_OAUTH_SCOPES = GITLAB_OAUTH_SCOPES_RAW
     ? GITLAB_OAUTH_SCOPES_RAW.split(",").map((s) => s.trim()).filter(Boolean)
     : undefined;
 export const GITLAB_OAUTH_CALLBACK_PROXY = getConfig("oauth-callback-proxy", "GITLAB_OAUTH_CALLBACK_PROXY") === "true";
+export const GITLAB_ALLOWED_GROUPS = (() => {
+    const raw = getConfig("allowed-groups", "GITLAB_ALLOWED_GROUPS");
+    if (!raw)
+        return undefined;
+    const groups = raw.split(",").map((g) => g.trim()).filter(Boolean);
+    return groups.length > 0 ? groups : undefined;
+})();
 export const ENABLE_DYNAMIC_API_URL = getConfig("enable-dynamic-api-url", "ENABLE_DYNAMIC_API_URL") === "true";
 // ---------------------------------------------------------------------------
 // Stateless mode (multi-pod safe OAuth / session encoding)

package/build/index.js

@@ -1,5 +1,5 @@
 #!/usr/bin/env node
-import { getConfig, ENABLE_DYNAMIC_API_URL, GITLAB_AUTH_COOKIE_PATH, GITLAB_CA_CERT_PATH, GITLAB_JOB_TOKEN, GITLAB_MCP_OAUTH, GITLAB_OAUTH_APP_ID, GITLAB_OAUTH_SCOPES, GITLAB_OAUTH_CALLBACK_PROXY, GITLAB_PERSONAL_ACCESS_TOKEN, GITLAB_POOL_MAX_SIZE, GITLAB_READ_ONLY_MODE, GITLAB_TOOLSETS_RAW, GITLAB_TOOLS_RAW, HOST, HTTP_PROXY, HTTPS_PROXY, IS_OLD, MCP_SERVER_URL, NODE_TLS_REJECT_UNAUTHORIZED, NO_PROXY, OAUTH_STATELESS_CLIENT_TTL_SECONDS, OAUTH_STATELESS_MODE, OAUTH_STATELESS_PENDING_TTL_SECONDS, OAUTH_STATELESS_SESSION_TTL_SECONDS, OAUTH_STATELESS_STORED_TTL_SECONDS, PORT, REMOTE_AUTHORIZATION, SESSION_TIMEOUT_SECONDS, SSE, STREAMABLE_HTTP, USE_GITLAB_WIKI, USE_MILESTONE, USE_OAUTH, USE_PIPELINE, GITLAB_TOOL_POLICY_APPROVE_RAW, GITLAB_TOOL_POLICY_HIDDEN_RAW, } from "./config.js";
+import { getConfig, ENABLE_DYNAMIC_API_URL, GITLAB_AUTH_COOKIE_PATH, GITLAB_CA_CERT_PATH, GITLAB_JOB_TOKEN, GITLAB_MCP_OAUTH, GITLAB_OAUTH_APP_ID, GITLAB_OAUTH_SCOPES, GITLAB_OAUTH_CALLBACK_PROXY, GITLAB_PERSONAL_ACCESS_TOKEN, GITLAB_POOL_MAX_SIZE, GITLAB_READ_ONLY_MODE, GITLAB_TOOLSETS_RAW, GITLAB_TOOLS_RAW, HOST, HTTP_PROXY, HTTPS_PROXY, IS_OLD, MCP_SERVER_URL, NODE_TLS_REJECT_UNAUTHORIZED, NO_PROXY, OAUTH_STATELESS_CLIENT_TTL_SECONDS, OAUTH_STATELESS_MODE, OAUTH_STATELESS_PENDING_TTL_SECONDS, OAUTH_STATELESS_SESSION_TTL_SECONDS, OAUTH_STATELESS_STORED_TTL_SECONDS, PORT, REMOTE_AUTHORIZATION, SESSION_TIMEOUT_SECONDS, SSE, STREAMABLE_HTTP, USE_GITLAB_WIKI, USE_MILESTONE, USE_OAUTH, USE_PIPELINE, GITLAB_TOOL_POLICY_APPROVE_RAW, GITLAB_TOOL_POLICY_HIDDEN_RAW, GITLAB_ALLOWED_GROUPS, } from "./config.js";
 /** True when the server is running in remote/network mode (SSE or StreamableHTTP transport). */
 const IS_REMOTE = SSE || STREAMABLE_HTTP;
 /**
@@ -128,18 +128,18 @@ import { createGitLabOAuthProvider } from "./oauth-proxy.js";
 import { mcpAuthRouter } from "@modelcontextprotocol/sdk/server/auth/router.js";
 import { normalizeGitLabApiUrl } from "./utils/url.js";
 import { estimateMergeCommitCount, filterDiffsByPatterns, summarizeWebhookEvents } from "./utils/helpers.js";
-import { sanitizeToolArguments } from "./utils/tool-args.js";
+import { cleanMutuallyExclusiveIdUsernameOptions, LIST_MERGE_REQUESTS_ID_USERNAME_PAIRS, sanitizeToolArguments, } from "./utils/tool-args.js";
 import { parseSearchReplaceBlocks, applySearchReplace, applyUnifiedDiff, } from "./utils/patch-helper.js";
 import { requireBearerAuth } from "@modelcontextprotocol/sdk/server/auth/middleware/bearerAuth.js";
 import { GitLabClientPool } from "./gitlab-client-pool.js";
 import { allTools, readOnlyTools, destructiveTools, parseEnabledToolsets, parseIndividualTools, buildFeatureFlagOverrides, isToolInEnabledToolset, TOOLSET_DEFINITIONS, ALL_TOOLSET_IDS, } from "./tools/registry.js";
 import { BulkPublishDraftNotesSchema, CancelPipelineJobSchema, CancelPipelineSchema, CreateBranchSchema, CreateDraftNoteSchema, CreateIssueLinkSchema, CreateIssueNoteSchema, CreateIssueSchema, CreateIssueEmojiReactionSchema, CreateIssueNoteEmojiReactionSchema, ListIssueEmojiReactionsSchema, ListIssueNoteEmojiReactionsSchema, CreateLabelSchema, // Added
-CreateMergeRequestNoteSchema, CreateMergeRequestDiscussionNoteSchema, CreateMergeRequestEmojiReactionSchema, CreateMergeRequestNoteEmojiReactionSchema, ListMergeRequestEmojiReactionsSchema, ListMergeRequestNoteEmojiReactionsSchema, CreateMergeRequestSchema, CreateMergeRequestThreadSchema, CreateNoteSchema, CreateCommitStatusSchema, CreateOrUpdateFileSchema, CreatePipelineSchema, CreateProjectMilestoneSchema, CreateRepositorySchema, CreateGroupSchema, CreateWikiPageSchema, CreateGroupWikiPageSchema, DeleteBranchSchema, DeleteDraftNoteSchema, DeleteGroupWikiPageSchema, DeleteIssueLinkSchema, DeleteIssueSchema, DeleteIssueEmojiReactionSchema, DeleteIssueNoteEmojiReactionSchema, DeleteLabelSchema, DeleteProjectMilestoneSchema, DeleteWikiPageSchema, DeleteMergeRequestNoteSchema, DeleteMergeRequestEmojiReactionSchema, DeleteMergeRequestNoteEmojiReactionSchema, EditProjectMilestoneSchema, ForkRepositorySchema, GetBranchDiffsSchema, GetBranchSchema, GetCommitDiffSchema, GetCommitSchema, GetFileBlameSchema, GitLabBlameEntrySchema, GetDraftNoteSchema, GetFileContentsSchema, GetIssueLinkSchema, GetIssueSchema, GetLabelSchema, GetMergeRequestDiffsSchema, GetMergeRequestSchema, GetMilestoneBurndownEventsSchema, GetMilestoneIssuesSchema, GetMilestoneMergeRequestsSchema, GetDeploymentSchema, GetEnvironmentSchema, GetNamespaceSchema, GitLabCiLintResultSchema, GetPipelineJobOutputSchema, GetPipelineSchema, GetProjectMilestoneSchema, GetProjectSchema, GetRepositoryTreeSchema, GetUsersSchema, GetUserSchema, GitLabUserFullSchema, WhoAmISchema, GitLabCurrentUserSchema, GetWikiPageSchema, GitLabCommitSchema, GitLabCommitStatusSchema, GitLabCompareResultSchema, GitLabContentSchema, GitLabCreateUpdateFileResponseSchema, GitLabDiffSchema, 
+CreateMergeRequestNoteSchema, CreateMergeRequestDiscussionNoteSchema, CreateMergeRequestEmojiReactionSchema, CreateMergeRequestNoteEmojiReactionSchema, ListMergeRequestEmojiReactionsSchema, ListMergeRequestNoteEmojiReactionsSchema, CreateMergeRequestSchema, CreateMergeRequestThreadSchema, CreateNoteSchema, CreateCommitStatusSchema, CreateOrUpdateFileSchema, CreatePipelineSchema, CreateProjectMilestoneSchema, CreateRepositorySchema, CreateGroupSchema, CreateWikiPageSchema, CreateGroupWikiPageSchema, DeleteBranchSchema, GetProtectedBranchSchema, ListProtectedBranchesSchema, ProtectBranchSchema, UnprotectBranchSchema, UpdateDefaultBranchSchema, DeleteDraftNoteSchema, DeleteGroupWikiPageSchema, DeleteIssueLinkSchema, DeleteIssueSchema, DeleteIssueEmojiReactionSchema, DeleteIssueNoteEmojiReactionSchema, DeleteLabelSchema, DeleteProjectMilestoneSchema, DeleteWikiPageSchema, DeleteMergeRequestNoteSchema, DeleteMergeRequestEmojiReactionSchema, DeleteMergeRequestNoteEmojiReactionSchema, EditProjectMilestoneSchema, ForkRepositorySchema, GetBranchDiffsSchema, GetBranchSchema, GetCommitDiffSchema, GetCommitSchema, GetFileBlameSchema, GitLabBlameEntrySchema, GetDraftNoteSchema, GetFileContentsSchema, GetIssueLinkSchema, GetIssueSchema, GetLabelSchema, GetMergeRequestDiffsSchema, GetMergeRequestSchema, GetMilestoneBurndownEventsSchema, GetMilestoneIssuesSchema, GetMilestoneMergeRequestsSchema, GetDeploymentSchema, GetEnvironmentSchema, GetNamespaceSchema, GitLabCiLintResultSchema, GetPipelineJobOutputSchema, GetPipelineSchema, GetProjectMilestoneSchema, GetProjectSchema, GetRepositoryTreeSchema, GetUsersSchema, GetUserSchema, GitLabUserFullSchema, WhoAmISchema, GitLabCurrentUserSchema, GetWikiPageSchema, GitLabCommitSchema, GitLabCommitStatusSchema, GitLabCompareResultSchema, GitLabContentSchema, GitLabCreateUpdateFileResponseSchema, GitLabDiffSchema, 
 // Discussion Schemas
 GitLabDiscussionNoteSchema, // Added
 GitLabDiscussionSchema, 
 // Draft Notes Schemas
-GitLabDraftNoteSchema, GitLabForkSchema, GitLabBranchSchema, GitLabGroupSchema, GitLabIssueLinkSchema, GitLabIssueSchema, GitLabIssueWithLinkDetailsSchema, GitLabMarkdownUploadSchema, GitLabMergeRequestPipelineSchema, GitLabMergeRequestSchema, GitLabMilestonesSchema, GitLabNamespaceExistsResponseSchema, GitLabNamespaceSchema, GitLabPipelineJobSchema, GitLabDeploymentSchema, GitLabEnvironmentSchema, GitLabPipelineSchema, GitLabPipelineTriggerJobSchema, GitLabProjectMemberSchema, GitLabProjectSchema, GitLabTodoSchema, GitLabReferenceSchema, GitLabRepositorySchema, GitLabSearchBlobResultSchema, GitLabSearchResponseSchema, GitLabTreeItemSchema, GitLabUserSchema, GitLabUsersResponseSchema, GitLabWikiPageSchema, GroupIteration, ListCommitStatusesSchema, ListBranchesSchema, ListCommitsSchema, ListDraftNotesSchema, ListGroupIterationsSchema, ListGroupProjectsSchema, GitLabCiVariableSchema, ListProjectVariablesSchema, GetProjectVariableSchema, CreateProjectVariableSchema, UpdateProjectVariableSchema, DeleteProjectVariableSchema, ListGroupVariablesSchema, GetGroupVariableSchema, CreateGroupVariableSchema, UpdateGroupVariableSchema, DeleteGroupVariableSchema, GitLabDependencyProxySchema, GitLabDependencyProxyBlobSchema, GetDependencyProxySettingsSchema, UpdateDependencyProxySettingsSchema, ListDependencyProxyBlobsSchema, PurgeDependencyProxyCacheSchema, ListIssueDiscussionsSchema, ListIssueLinksSchema, ListIssuesSchema, ListTodosSchema, ListLabelsSchema, ListMergeRequestDiffsSchema, // Added
+GitLabDraftNoteSchema, GitLabForkSchema, GitLabBranchSchema, GitLabProtectedBranchSchema, GitLabGroupSchema, GitLabIssueLinkSchema, GitLabIssueSchema, GitLabIssueWithLinkDetailsSchema, GitLabMarkdownUploadSchema, GitLabMergeRequestPipelineSchema, GitLabMergeRequestSchema, GitLabMilestonesSchema, GitLabNamespaceExistsResponseSchema, GitLabNamespaceSchema, GitLabPipelineJobSchema, GitLabDeploymentSchema, GitLabEnvironmentSchema, GitLabPipelineSchema, GitLabPipelineTriggerJobSchema, GitLabProjectMemberSchema, GitLabProjectSchema, GitLabTodoSchema, GitLabReferenceSchema, GitLabRepositorySchema, GitLabSearchBlobResultSchema, GitLabSearchResponseSchema, GitLabTreeItemSchema, GitLabUserSchema, GitLabUsersResponseSchema, GitLabWikiPageSchema, GroupIteration, ListCommitStatusesSchema, ListBranchesSchema, ListCommitsSchema, ListDraftNotesSchema, ListGroupIterationsSchema, ListGroupProjectsSchema, GitLabCiVariableSchema, ListProjectVariablesSchema, GetProjectVariableSchema, CreateProjectVariableSchema, UpdateProjectVariableSchema, DeleteProjectVariableSchema, ListGroupVariablesSchema, GetGroupVariableSchema, CreateGroupVariableSchema, UpdateGroupVariableSchema, DeleteGroupVariableSchema, GitLabDependencyProxySchema, GitLabDependencyProxyBlobSchema, GetDependencyProxySettingsSchema, UpdateDependencyProxySettingsSchema, ListDependencyProxyBlobsSchema, PurgeDependencyProxyCacheSchema, ListIssueDiscussionsSchema, ListIssueLinksSchema, ListIssuesSchema, ListTodosSchema, ListLabelsSchema, ListMergeRequestDiffsSchema, // Added
 GetMergeRequestFileDiffSchema, ListMergeRequestChangedFilesSchema, ListMergeRequestDiscussionsSchema, ListMergeRequestPipelinesSchema, ListMergeRequestsSchema, ListMergeRequestVersionsSchema, GetMergeRequestVersionSchema, GitLabMergeRequestVersionSchema, GitLabMergeRequestVersionDetailSchema, ListNamespacesSchema, ListPipelineJobsSchema, ListPipelinesSchema, ListDeploymentsSchema, ListEnvironmentsSchema, ListPipelineTriggerJobsSchema, ValidateCiLintSchema, ValidateProjectCiLintSchema, ListProjectMembersSchema, ListProjectMilestonesSchema, ListProjectsSchema, ListWikiPagesSchema, GetGroupWikiPageSchema, ListGroupWikiPagesSchema, UpdateGroupWikiPageSchema, MarkdownUploadSchema, MarkdownUploadRemoteSchema, DownloadAttachmentSchema, DownloadJobArtifactsSchema, GetJobArtifactFileSchema, GitLabArtifactEntrySchema, ListJobArtifactsSchema, MergeMergeRequestSchema, ApproveMergeRequestSchema, UnapproveMergeRequestSchema, GetMergeRequestApprovalStateSchema, GetMergeRequestConflictsSchema, GitLabMergeRequestApprovalsResponseSchema, GitLabMergeRequestApprovalStateSchema, MyIssuesSchema, MarkAllTodosDoneSchema, MarkTodoDoneSchema, PaginatedDiscussionsResponseSchema, PromoteProjectMilestoneSchema, PublishDraftNoteSchema, PlayPipelineJobSchema, PushFilesSchema, RetryPipelineJobSchema, RetryPipelineSchema, SearchCodeSchema, SearchGroupCodeSchema, SearchProjectCodeSchema, SearchRepositoriesSchema, UpdateDraftNoteSchema, UpdateIssueNoteSchema, UpdateIssueSchema, UpdateIssueDescriptionPatchSchema, UpdateLabelSchema, UpdateMergeRequestNoteSchema, UpdateMergeRequestDiscussionNoteSchema, UpdateMergeRequestSchema, UpdateWikiPageSchema, VerifyNamespaceSchema, GitLabEventSchema, ListEventsSchema, GetProjectEventsSchema, ExecuteGraphQLSchema, GitLabReleaseSchema, ListReleasesSchema, GetReleaseSchema, CreateReleaseSchema, UpdateReleaseSchema, DeleteReleaseSchema, CreateReleaseEvidenceSchema, DownloadReleaseAssetSchema, ListTagsSchema, GetTagSchema, CreateTagSchema, DeleteTagSchema, GetTagSignatureSchema, GitLabTagSchema, GitLabTagSignatureSchema, GetMergeRequestNotesSchema, GetMergeRequestNoteSchema, DeleteMergeRequestDiscussionNoteSchema, ResolveMergeRequestThreadSchema, GetWorkItemSchema, ListWorkItemsSchema, CreateWorkItemSchema, UpdateWorkItemSchema, ConvertWorkItemTypeSchema, ListWorkItemStatusesSchema, ListWorkItemNotesSchema, CreateWorkItemNoteSchema, CreateWorkItemEmojiReactionSchema, CreateWorkItemNoteEmojiReactionSchema, ListWorkItemEmojiReactionsSchema, ListWorkItemNoteEmojiReactionsSchema, DeleteWorkItemEmojiReactionSchema, DeleteWorkItemNoteEmojiReactionSchema, MoveWorkItemSchema, ListCustomFieldDefinitionsSchema, GetTimelineEventsSchema, CreateTimelineEventSchema, ListWebhooksSchema, ListWebhookEventsSchema, GetWebhookEventSchema, HealthCheckSchema, } from "./schemas.js";
 import { randomUUID, createCipheriv, createDecipheriv, randomBytes, createHash } from "node:crypto";
 import { pino } from "pino";
@@ -7074,7 +7074,8 @@ async function handleToolCall(params) {
             case "list_issues": {
                 const args = ListIssuesSchema.parse(params.arguments);
                 const { project_id, ...options } = args;
-                const issues = await listIssues(project_id, options);
+                const cleanedOptions = cleanMutuallyExclusiveIdUsernameOptions(options);
+                const issues = await listIssues(project_id, cleanedOptions);
                 return {
                     content: [{ type: "text", text: JSON.stringify(issues, null, 2) }],
                 };
@@ -7743,18 +7744,7 @@ async function handleToolCall(params) {
             }
             case "list_merge_requests": {
                 const { project_id, ...options } = ListMergeRequestsSchema.parse(params.arguments);
-                // GitLab API treats _id and _username as mutually exclusive for these fields.
-                // When both are provided, prefer _username and remove _id to avoid 400 errors.
-                const cleanedOptions = { ...options };
-                if (cleanedOptions.author_id && cleanedOptions.author_username) {
-                    delete cleanedOptions.author_id;
-                }
-                if (cleanedOptions.assignee_id && cleanedOptions.assignee_username) {
-                    delete cleanedOptions.assignee_id;
-                }
-                if (cleanedOptions.reviewer_id && cleanedOptions.reviewer_username) {
-                    delete cleanedOptions.reviewer_id;
-                }
+                const cleanedOptions = cleanMutuallyExclusiveIdUsernameOptions(options, LIST_MERGE_REQUESTS_ID_USERNAME_PAIRS);
                 const mergeRequests = await listMergeRequests(project_id, cleanedOptions);
                 return {
                     content: [{ type: "text", text: JSON.stringify(mergeRequests, null, 2) }],
@@ -8315,6 +8305,97 @@ async function handleToolCall(params) {
                     content: [{ type: "text", text: JSON.stringify({ status: "deleted", branch: args.branch_name }, null, 2) }],
                 };
             }
+            case "list_protected_branches": {
+                const args = ListProtectedBranchesSchema.parse(params.arguments);
+                const projectId = decodeURIComponent(args.project_id);
+                const effectiveProjectId = getEffectiveProjectId(projectId);
+                const url = new URL(`${getEffectiveApiUrl()}/projects/${encodeURIComponent(effectiveProjectId)}/protected_branches`);
+                if (args.search)
+                    url.searchParams.append("search", args.search);
+                if (args.page)
+                    url.searchParams.append("page", String(args.page));
+                if (args.per_page)
+                    url.searchParams.append("per_page", String(args.per_page));
+                const response = await fetch(url.toString(), {
+                    ...getFetchConfig(),
+                });
+                await handleGitLabError(response);
+                const data = z.array(GitLabProtectedBranchSchema).parse(await response.json());
+                return {
+                    content: [{ type: "text", text: JSON.stringify(data, null, 2) }],
+                };
+            }
+            case "get_protected_branch": {
+                const args = GetProtectedBranchSchema.parse(params.arguments);
+                const projectId = decodeURIComponent(args.project_id);
+                const effectiveProjectId = getEffectiveProjectId(projectId);
+                const url = new URL(`${getEffectiveApiUrl()}/projects/${encodeURIComponent(effectiveProjectId)}/protected_branches/${encodeURIComponent(args.branch_name)}`);
+                const response = await fetch(url.toString(), {
+                    ...getFetchConfig(),
+                });
+                await handleGitLabError(response);
+                const data = GitLabProtectedBranchSchema.parse(await response.json());
+                return {
+                    content: [{ type: "text", text: JSON.stringify(data, null, 2) }],
+                };
+            }
+            case "protect_branch": {
+                const args = ProtectBranchSchema.parse(params.arguments);
+                const projectId = decodeURIComponent(args.project_id);
+                const effectiveProjectId = getEffectiveProjectId(projectId);
+                const url = new URL(`${getEffectiveApiUrl()}/projects/${encodeURIComponent(effectiveProjectId)}/protected_branches`);
+                const body = { name: args.branch_name };
+                if (args.push_access_level !== undefined)
+                    body.push_access_level = args.push_access_level;
+                if (args.merge_access_level !== undefined)
+                    body.merge_access_level = args.merge_access_level;
+                if (args.unprotect_access_level !== undefined)
+                    body.unprotect_access_level = args.unprotect_access_level;
+                if (args.allow_force_push !== undefined)
+                    body.allow_force_push = args.allow_force_push;
+                if (args.code_owner_approval_required !== undefined)
+                    body.code_owner_approval_required = args.code_owner_approval_required;
+                const response = await fetch(url.toString(), {
+                    ...getFetchConfig(),
+                    method: "POST",
+                    body: JSON.stringify(body),
+                });
+                await handleGitLabError(response);
+                const data = GitLabProtectedBranchSchema.parse(await response.json());
+                return {
+                    content: [{ type: "text", text: JSON.stringify(data, null, 2) }],
+                };
+            }
+            case "unprotect_branch": {
+                const args = UnprotectBranchSchema.parse(params.arguments);
+                const projectId = decodeURIComponent(args.project_id);
+                const effectiveProjectId = getEffectiveProjectId(projectId);
+                const url = new URL(`${getEffectiveApiUrl()}/projects/${encodeURIComponent(effectiveProjectId)}/protected_branches/${encodeURIComponent(args.branch_name)}`);
+                const response = await fetch(url.toString(), {
+                    ...getFetchConfig(),
+                    method: "DELETE",
+                });
+                await handleGitLabError(response);
+                return {
+                    content: [{ type: "text", text: JSON.stringify({ status: "unprotected", branch: args.branch_name }, null, 2) }],
+                };
+            }
+            case "update_default_branch": {
+                const args = UpdateDefaultBranchSchema.parse(params.arguments);
+                const projectId = decodeURIComponent(args.project_id);
+                const effectiveProjectId = getEffectiveProjectId(projectId);
+                const url = new URL(`${getEffectiveApiUrl()}/projects/${encodeURIComponent(effectiveProjectId)}`);
+                const response = await fetch(url.toString(), {
+                    ...getFetchConfig(),
+                    method: "PUT",
+                    body: JSON.stringify({ default_branch: args.default_branch }),
+                });
+                await handleGitLabError(response);
+                const data = await response.json();
+                return {
+                    content: [{ type: "text", text: JSON.stringify({ status: "updated", default_branch: args.default_branch, project: data }, null, 2) }],
+                };
+            }
             default:
                 throw new Error(`Unknown tool: ${params.name}`);
         }
@@ -8719,9 +8800,9 @@ async function startStreamableHTTPServer() {
         return null;
     };
     /**
-     * Set or reset timeout for session auth
+     * Set or reset timeout for session auth.
      * After SESSION_TIMEOUT_SECONDS of inactivity, the auth token is removed
-     * but the transport session remains active
+     * and the Streamable HTTP transport is closed so the session slot is released.
      */
     const setAuthTimeout = (sessionId) => {
         // Clear existing timeout if any
@@ -8733,6 +8814,13 @@ async function startStreamableHTTPServer() {
                 delete authBySession[sessionId];
                 delete authTimeouts[sessionId];
                 metrics.expiredSessions++;
+                // Close the transport to free the slot; without this, stale sessions accumulate and exhaust MAX_SESSIONS.
+                const transport = streamableTransports[sessionId];
+                if (transport) {
+                    transport.close().catch(err => {
+                        logger.error(`Error closing transport for expired session ${sessionId}:`, err);
+                    });
+                }
             }
         }, SESSION_TIMEOUT_SECONDS * 1000);
     };
@@ -8957,7 +9045,7 @@ async function startStreamableHTTPServer() {
                 storedTtlSeconds: OAUTH_STATELESS_STORED_TTL_SECONDS,
             }
             : null;
-        const oauthProvider = createGitLabOAuthProvider(gitlabBaseUrl, GITLAB_OAUTH_APP_ID, "GitLab MCP Server", GITLAB_READ_ONLY_MODE, GITLAB_OAUTH_SCOPES, GITLAB_OAUTH_CALLBACK_PROXY, callbackUrl, statelessOptions);
+        const oauthProvider = createGitLabOAuthProvider(gitlabBaseUrl, GITLAB_OAUTH_APP_ID, "GitLab MCP Server", GITLAB_READ_ONLY_MODE, GITLAB_OAUTH_SCOPES, GITLAB_ALLOWED_GROUPS, GITLAB_OAUTH_CALLBACK_PROXY, callbackUrl, statelessOptions);
         const scopesSupported = GITLAB_OAUTH_SCOPES ?? ["api", "read_api", "read_user"];
         // When server URL has a path (e.g. behind Kong), the SDK's well-known metadata
         // advertises root-level endpoints. Override to use path-prefixed endpoints.

package/build/oauth-proxy.js

@@ -127,7 +127,11 @@ class GitLabOAuthServerProvider {
     // serialised into opaque OAuth values and the in-memory caches above are
     // bypassed. Enabled independently of callback-proxy mode.
     _stateless;
-    constructor(gitlabBaseUrl, gitlabAppId, resourceName, readOnly, customScopes, callbackProxyEnabled = false, callbackUrl = "", stateless = null) {
+    // Group allowlist (optional). When set, tokens are rejected unless the
+    // authenticated user is a direct or inherited member of at least one group.
+    // Checked once at token issuance (exchangeAuthorizationCode), not per request.
+    _allowedGroups;
+    constructor(gitlabBaseUrl, gitlabAppId, resourceName, readOnly, customScopes, allowedGroups, callbackProxyEnabled = false, callbackUrl = "", stateless = null) {
         this._gitlabBaseUrl = gitlabBaseUrl;
         this._gitlabAppId = gitlabAppId;
         this._resourceName = resourceName;
@@ -137,6 +141,7 @@ class GitLabOAuthServerProvider {
                 : readOnly
                     ? REQUIRED_GITLAB_SCOPES_RO
                     : REQUIRED_GITLAB_SCOPES_RW;
+        this._allowedGroups = allowedGroups ?? null;
         this._callbackProxyEnabled = callbackProxyEnabled;
         this._callbackUrl = callbackUrl;
         this._stateless = stateless;
@@ -313,6 +318,7 @@ class GitLabOAuthServerProvider {
     }
     // ---- Token exchange ----------------------------------------------------
     async exchangeAuthorizationCode(client, authorizationCode, codeVerifier, redirectUri, resource) {
+        let tokens;
         if (this._callbackProxyEnabled) {
             // --- Callback proxy mode ---
             // The authorizationCode is a proxy code we generated in handleCallback().
@@ -373,32 +379,74 @@ class GitLabOAuthServerProvider {
                     throw new ServerError("PKCE verification failed");
                 }
             }
-            return entry.tokens;
+            tokens = entry.tokens;
         }
-        // --- Passthrough mode (original behavior) ---
-        const params = new URLSearchParams({
-            grant_type: "authorization_code",
-            client_id: this._gitlabAppId,
-            code: authorizationCode,
-        });
-        if (codeVerifier)
-            params.append("code_verifier", codeVerifier);
-        if (redirectUri)
-            params.append("redirect_uri", redirectUri);
-        if (resource)
-            params.append("resource", resource.href);
-        const response = await fetch(`${this._gitlabBaseUrl}/oauth/token`, {
-            method: "POST",
-            headers: { "Content-Type": "application/x-www-form-urlencoded" },
-            body: params.toString(),
-        });
-        if (!response.ok) {
-            const body = await response.text();
-            logger.error(`Token exchange failed (${response.status}): ${body}`);
-            throw new ServerError(`Token exchange failed: ${response.status}`);
+        else {
+            // --- Passthrough mode (original behavior) ---
+            const params = new URLSearchParams({
+                grant_type: "authorization_code",
+                client_id: this._gitlabAppId,
+                code: authorizationCode,
+            });
+            if (codeVerifier)
+                params.append("code_verifier", codeVerifier);
+            if (redirectUri)
+                params.append("redirect_uri", redirectUri);
+            if (resource)
+                params.append("resource", resource.href);
+            const response = await fetch(`${this._gitlabBaseUrl}/oauth/token`, {
+                method: "POST",
+                headers: { "Content-Type": "application/x-www-form-urlencoded" },
+                body: params.toString(),
+            });
+            if (!response.ok) {
+                const body = await response.text();
+                logger.error(`Token exchange failed (${response.status}): ${body}`);
+                throw new ServerError(`Token exchange failed: ${response.status}`);
+            }
+            const data = await response.json();
+            tokens = OAuthTokensSchema.parse(data);
         }
-        const data = await response.json();
-        return OAuthTokensSchema.parse(data);
+        if (this._allowedGroups) {
+            const isMember = await this._checkGroupMembership(tokens.access_token);
+            if (!isMember) {
+                logger.warn({ allowedGroups: this._allowedGroups }, "Token issuance denied: user is not a member of any allowed group");
+                throw new ServerError("Access denied: user is not a member of an allowed group");
+            }
+        }
+        return tokens;
+    }
+    /**
+     * Returns true if the token owner belongs to at least one group whose
+     * full_path equals or is a sub-path of any configured allowed group.
+     *
+     * Example: allowedGroups=["my-org"] allows members of "my-org",
+     * "my-org/team-a", "my-org/team-a/squad-1", etc.
+     */
+    async _checkGroupMembership(token) {
+        const allowedPaths = this._allowedGroups.map((g) => g.toLowerCase());
+        let page = 1;
+        while (true) {
+            const res = await fetch(`${this._gitlabBaseUrl}/api/v4/groups?min_access_level=10&per_page=100&page=${page}`, {
+                headers: { Authorization: `Bearer ${token}` }
+            });
+            if (!res.ok)
+                break;
+            const groups = (await res.json());
+            if (groups.length === 0)
+                break;
+            const matched = groups.some((g) => {
+                const fp = g.full_path.toLowerCase();
+                return allowedPaths.some((allowed) => fp === allowed || fp.startsWith(`${allowed}/`));
+            });
+            if (matched)
+                return true;
+            const totalPages = Number.parseInt(res.headers.get("x-total-pages") ?? "1", 10);
+            if (page >= totalPages)
+                break;
+            page++;
+        }
+        return false;
     }
     // ---- Refresh token -----------------------------------------------------
     async exchangeRefreshToken(_client, refreshToken, scopes, resource) {
@@ -598,6 +646,6 @@ class GitLabOAuthServerProvider {
  *                        callback-proxy state is encoded into opaque OAuth values
  *                        instead of an in-memory cache, enabling multi-pod deploys.
  */
-export function createGitLabOAuthProvider(gitlabBaseUrl, gitlabAppId, resourceName = "GitLab MCP Server", readOnly = false, customScopes, callbackProxyEnabled = false, callbackUrl = "", stateless = null) {
-    return new GitLabOAuthServerProvider(gitlabBaseUrl, gitlabAppId, resourceName, readOnly, customScopes, callbackProxyEnabled, callbackUrl, stateless);
+export function createGitLabOAuthProvider(gitlabBaseUrl, gitlabAppId, resourceName = "GitLab MCP Server", readOnly = false, customScopes, allowedGroups, callbackProxyEnabled = false, callbackUrl = "", stateless = null) {
+    return new GitLabOAuthServerProvider(gitlabBaseUrl, gitlabAppId, resourceName, readOnly, customScopes, allowedGroups, callbackProxyEnabled, callbackUrl, stateless);
 }

package/build/schemas.js

@@ -1515,6 +1515,79 @@ export const ListBranchesSchema = ProjectParamsSchema.extend({
 export const DeleteBranchSchema = ProjectParamsSchema.extend({
     branch_name: z.string().describe("Name of the branch to delete"),
 });
+// Protected Branches related schemas
+export const ListProtectedBranchesSchema = ProjectParamsSchema.extend({
+    search: z.string().optional().describe("Search term to filter protected branches by name"),
+}).merge(PaginationOptionsSchema);
+export const GetProtectedBranchSchema = ProjectParamsSchema.extend({
+    branch_name: z.string().describe("Name of the protected branch"),
+});
+// String-aware boolean preprocessing: correctly handles "false" → false
+const stringBoolean = z.preprocess((val) => {
+    if (typeof val === "string") {
+        const lower = val.toLowerCase();
+        if (lower === "false" || lower === "0")
+            return false;
+        if (lower === "true" || lower === "1")
+            return true;
+    }
+    return val;
+}, z.boolean().optional());
+const protectedBranchAccessLevel = z.coerce
+    .number()
+    .int()
+    .refine((level) => [0, 30, 40, 60].includes(level), {
+    message: "Access level must be one of 0 (No access), 30 (Developer), 40 (Maintainer), or 60 (Admin)",
+});
+export const ProtectBranchSchema = z.preprocess((input) => {
+    if (typeof input !== "object" || input === null) {
+        return input;
+    }
+    const args = { ...input };
+    if (!args.branch_name && args.name) {
+        args.branch_name = args.name;
+    }
+    return args;
+}, ProjectParamsSchema.extend({
+    branch_name: z.string().describe("Branch name or wildcard pattern to protect"),
+    name: z
+        .string()
+        .optional()
+        .describe("Deprecated alias for branch_name; prefer branch_name for consistency"),
+    push_access_level: protectedBranchAccessLevel
+        .optional()
+        .describe("Access level for pushing (0=No access, 30=Developer, 40=Maintainer, 60=Admin). GitLab default applies when omitted."),
+    merge_access_level: protectedBranchAccessLevel
+        .optional()
+        .describe("Access level for merging (0=No access, 30=Developer, 40=Maintainer, 60=Admin). GitLab default applies when omitted."),
+    unprotect_access_level: protectedBranchAccessLevel
+        .optional()
+        .describe("Access level for unprotecting (0=No access, 30=Developer, 40=Maintainer, 60=Admin). GitLab default applies when omitted."),
+    allow_force_push: stringBoolean.describe("Allow force push to the protected branch. Default: false"),
+    code_owner_approval_required: stringBoolean.describe("Require code owner approval before merging (PREMIUM). Default: false"),
+}));
+export const UnprotectBranchSchema = ProjectParamsSchema.extend({
+    branch_name: z.string().describe("Name of the protected branch to unprotect"),
+});
+// Update default branch schema
+export const UpdateDefaultBranchSchema = ProjectParamsSchema.extend({
+    default_branch: z.string().describe("The new default branch name for the project"),
+});
+export const GitLabProtectedBranchAccessLevelSchema = z.object({
+    access_level: z.number().nullable().optional(),
+    access_level_description: z.string().optional(),
+    user_id: z.number().optional(),
+    group_id: z.number().optional(),
+});
+export const GitLabProtectedBranchSchema = z.object({
+    id: z.number().optional(),
+    name: z.string(),
+    push_access_levels: z.array(GitLabProtectedBranchAccessLevelSchema).optional(),
+    merge_access_levels: z.array(GitLabProtectedBranchAccessLevelSchema).optional(),
+    unprotect_access_levels: z.array(GitLabProtectedBranchAccessLevelSchema).optional(),
+    allow_force_push: z.boolean().optional(),
+    code_owner_approval_required: z.boolean().optional(),
+});
 export const GitLabBranchSchema = z.object({
     name: z.string(),
     commit: z.object({
@@ -1758,13 +1831,19 @@ export const ListIssuesSchema = z
     assignee_id: z.coerce
         .string()
         .optional()
-        .describe("Return issues assigned to the given user ID. user id or none or any"),
+        .describe("Return issues assigned to the given user ID (user id, none, or any). Mutually exclusive with assignee_username."),
     assignee_username: z
         .array(z.string())
         .optional()
-        .describe("Return issues assigned to the given username"),
-    author_id: z.coerce.string().optional().describe("Return issues created by the given user ID"),
-    author_username: z.string().optional().describe("Return issues created by the given username"),
+        .describe("Return issues assigned to the given username. Mutually exclusive with assignee_id."),
+    author_id: z.coerce
+        .string()
+        .optional()
+        .describe("Return issues created by the given user ID. Mutually exclusive with author_username."),
+    author_username: z
+        .string()
+        .optional()
+        .describe("Return issues created by the given username. Mutually exclusive with author_id."),
     confidential: z.coerce.boolean().optional().describe("Filter confidential or public issues"),
     created_after: z.string().optional().describe("Return issues created after the given time"),
     created_before: z.string().optional().describe("Return issues created before the given time"),