@zereight/mcp-gitlab 2.1.19 → 2.1.21

package/build/index.js

@@ -128,7 +128,9 @@ import { createGitLabOAuthProvider } from "./oauth-proxy.js";
 import { mcpAuthRouter } from "@modelcontextprotocol/sdk/server/auth/router.js";
 import { normalizeGitLabApiUrl } from "./utils/url.js";
 import { estimateMergeCommitCount, filterDiffsByPatterns, summarizeWebhookEvents } from "./utils/helpers.js";
-import { sanitizeToolArguments } from "./utils/tool-args.js";
+import { graphqlQueryContainsWriteOperation } from "./utils/graphql-query.js";
+import { resolveNestedWikiUpdateTitle } from "./utils/wiki-title.js";
+import { cleanMutuallyExclusiveIdUsernameOptions, LIST_MERGE_REQUESTS_ID_USERNAME_PAIRS, sanitizeToolArguments, } from "./utils/tool-args.js";
 import { parseSearchReplaceBlocks, applySearchReplace, applyUnifiedDiff, } from "./utils/patch-helper.js";
 import { requireBearerAuth } from "@modelcontextprotocol/sdk/server/auth/middleware/bearerAuth.js";
 import { GitLabClientPool } from "./gitlab-client-pool.js";
@@ -4594,8 +4596,15 @@ async function createWikiPage(projectId, title, content, format) {
 async function updateWikiPage(projectId, slug, title, content, format) {
     projectId = decodeURIComponent(projectId); // Decode project ID
     const body = {};
-    if (title)
-        body.title = title;
+    if (title) {
+        if (slug.includes("/") && !title.includes("/")) {
+            const existing = await getWikiPage(projectId, slug);
+            body.title = resolveNestedWikiUpdateTitle(slug, title, existing.title);
+        }
+        else {
+            body.title = title;
+        }
+    }
     if (content)
         body.content = content;
     if (format)
@@ -4672,8 +4681,15 @@ async function createGroupWikiPage(groupId, title, content, format) {
 async function updateGroupWikiPage(groupId, slug, title, content, format) {
     groupId = decodeURIComponent(groupId); // Decode group ID
     const body = {};
-    if (title)
-        body.title = title;
+    if (title) {
+        if (slug.includes("/") && !title.includes("/")) {
+            const existing = await getGroupWikiPage(groupId, slug);
+            body.title = resolveNestedWikiUpdateTitle(slug, title, existing.title);
+        }
+        else {
+            body.title = title;
+        }
+    }
     if (content)
         body.content = content;
     if (format)
@@ -6357,6 +6373,9 @@ async function handleToolCall(params) {
         switch (params.name) {
             case "execute_graphql": {
                 const args = ExecuteGraphQLSchema.parse(params.arguments);
+                if (GITLAB_READ_ONLY_MODE && graphqlQueryContainsWriteOperation(args.query)) {
+                    throw new Error("execute_graphql does not allow mutation or subscription operations in read-only mode");
+                }
                 const apiUrl = new URL(getEffectiveApiUrl());
                 // Build GraphQL endpoint preserving any instance subpath (e.g. /gitlab)
                 const restPath = apiUrl.pathname || ""; // e.g. /api/v4 or /gitlab/api/v4
@@ -7074,7 +7093,8 @@ async function handleToolCall(params) {
             case "list_issues": {
                 const args = ListIssuesSchema.parse(params.arguments);
                 const { project_id, ...options } = args;
-                const issues = await listIssues(project_id, options);
+                const cleanedOptions = cleanMutuallyExclusiveIdUsernameOptions(options);
+                const issues = await listIssues(project_id, cleanedOptions);
                 return {
                     content: [{ type: "text", text: JSON.stringify(issues, null, 2) }],
                 };
@@ -7743,18 +7763,7 @@ async function handleToolCall(params) {
             }
             case "list_merge_requests": {
                 const { project_id, ...options } = ListMergeRequestsSchema.parse(params.arguments);
-                // GitLab API treats _id and _username as mutually exclusive for these fields.
-                // When both are provided, prefer _username and remove _id to avoid 400 errors.
-                const cleanedOptions = { ...options };
-                if (cleanedOptions.author_id && cleanedOptions.author_username) {
-                    delete cleanedOptions.author_id;
-                }
-                if (cleanedOptions.assignee_id && cleanedOptions.assignee_username) {
-                    delete cleanedOptions.assignee_id;
-                }
-                if (cleanedOptions.reviewer_id && cleanedOptions.reviewer_username) {
-                    delete cleanedOptions.reviewer_id;
-                }
+                const cleanedOptions = cleanMutuallyExclusiveIdUsernameOptions(options, LIST_MERGE_REQUESTS_ID_USERNAME_PAIRS);
                 const mergeRequests = await listMergeRequests(project_id, cleanedOptions);
                 return {
                     content: [{ type: "text", text: JSON.stringify(mergeRequests, null, 2) }],

package/build/schemas.js

@@ -1831,13 +1831,19 @@ export const ListIssuesSchema = z
     assignee_id: z.coerce
         .string()
         .optional()
-        .describe("Return issues assigned to the given user ID. user id or none or any"),
+        .describe("Return issues assigned to the given user ID (user id, none, or any). Mutually exclusive with assignee_username."),
     assignee_username: z
         .array(z.string())
         .optional()
-        .describe("Return issues assigned to the given username"),
-    author_id: z.coerce.string().optional().describe("Return issues created by the given user ID"),
-    author_username: z.string().optional().describe("Return issues created by the given username"),
+        .describe("Return issues assigned to the given username. Mutually exclusive with assignee_id."),
+    author_id: z.coerce
+        .string()
+        .optional()
+        .describe("Return issues created by the given user ID. Mutually exclusive with author_username."),
+    author_username: z
+        .string()
+        .optional()
+        .describe("Return issues created by the given username. Mutually exclusive with author_id."),
     confidential: z.coerce.boolean().optional().describe("Filter confidential or public issues"),
     created_after: z.string().optional().describe("Return issues created after the given time"),
     created_before: z.string().optional().describe("Return issues created before the given time"),

package/build/test/test-list-issues.js

@@ -0,0 +1,111 @@
+import { describe, test, before, after } from "node:test";
+import assert from "node:assert";
+import { spawn } from "child_process";
+import { MockGitLabServer, findMockServerPort } from "./utils/mock-gitlab-server.js";
+const MOCK_TOKEN = "glpat-mock-token-12345";
+const TEST_PROJECT_ID = "123";
+async function callListIssues(args = {}, env) {
+    return new Promise((resolve, reject) => {
+        const proc = spawn("node", ["build/index.js"], {
+            stdio: ["pipe", "pipe", "pipe"],
+            env: {
+                ...process.env,
+                ...env,
+                GITLAB_READ_ONLY_MODE: "true",
+            },
+        });
+        let output = "";
+        let errorOutput = "";
+        proc.stdout?.on("data", d => (output += d));
+        proc.stderr?.on("data", d => (errorOutput += d));
+        proc.on("close", code => {
+            if (code !== 0) {
+                return reject(new Error(`Process exited with code ${code}: ${errorOutput}`));
+            }
+            const line = output.split("\n").find(l => l.startsWith("{"));
+            if (!line) {
+                return reject(new Error("No JSON output found"));
+            }
+            try {
+                const response = JSON.parse(line);
+                if (response.error) {
+                    reject(response.error);
+                }
+                else {
+                    const content = response.result?.content?.[0]?.text;
+                    if (content) {
+                        try {
+                            resolve(JSON.parse(content));
+                        }
+                        catch {
+                            reject(new Error(`Failed to parse tool output JSON: ${content}`));
+                        }
+                    }
+                    else {
+                        resolve(response.result);
+                    }
+                }
+            }
+            catch (e) {
+                reject(e);
+            }
+        });
+        proc.stdin?.end(JSON.stringify({
+            jsonrpc: "2.0",
+            id: 1,
+            method: "tools/call",
+            params: { name: "list_issues", arguments: args },
+        }) + "\n");
+    });
+}
+describe("list_issues", () => {
+    let mockGitLab;
+    let mockGitLabUrl;
+    before(async () => {
+        const mockPort = await findMockServerPort(9000);
+        mockGitLab = new MockGitLabServer({
+            port: mockPort,
+            validTokens: [MOCK_TOKEN],
+        });
+        await mockGitLab.start();
+        mockGitLabUrl = mockGitLab.getUrl();
+    });
+    after(async () => {
+        await mockGitLab.stop();
+    });
+    test("lists project-specific issues", async () => {
+        const issues = await callListIssues({ project_id: TEST_PROJECT_ID }, {
+            GITLAB_API_URL: `${mockGitLabUrl}/api/v4`,
+            GITLAB_PERSONAL_ACCESS_TOKEN: MOCK_TOKEN,
+        });
+        assert.ok(Array.isArray(issues), "Response should be an array");
+        assert.strictEqual(issues.length, 1, "Should return 1 mock issue");
+        const firstIssue = issues[0];
+        assert.ok(firstIssue && typeof firstIssue === "object" && "title" in firstIssue);
+        const title = Reflect.get(firstIssue, "title");
+        assert.strictEqual(title, "Test Issue 1");
+    });
+    test("prefers author_username over author_id when both are provided", async () => {
+        let capturedUrl;
+        mockGitLab.addMockHandler("get", `/projects/${TEST_PROJECT_ID}/issues`, (req, res) => {
+            capturedUrl = req.originalUrl;
+            res.json([]);
+        });
+        try {
+            await callListIssues({
+                project_id: TEST_PROJECT_ID,
+                author_id: "42",
+                author_username: "alice",
+            }, {
+                GITLAB_API_URL: `${mockGitLabUrl}/api/v4`,
+                GITLAB_PERSONAL_ACCESS_TOKEN: MOCK_TOKEN,
+            });
+            assert.ok(capturedUrl, "Mock handler should have received a request");
+            assert.match(capturedUrl, /author_username=alice/, "Request should include author_username");
+            assert.doesNotMatch(capturedUrl, /author_id=/, "Request should not include author_id");
+        }
+        finally {
+            mockGitLab.clearCustomHandlers();
+        }
+    });
+});

package/build/test/utils/graphql-query.test.js

@@ -0,0 +1,33 @@
+import assert from "node:assert/strict";
+import { describe, test } from "node:test";
+import { graphqlQueryContainsWriteOperation } from "../../utils/graphql-query.js";
+describe("When graphqlQueryContainsWriteOperation runs", () => {
+    describe("with read-only GraphQL documents", () => {
+        test("should allow explicit query operations", () => {
+            assert.equal(graphqlQueryContainsWriteOperation("query { project(fullPath: \"g/p\") { id } }"), false);
+        });
+        test("should allow shorthand query operations", () => {
+            assert.equal(graphqlQueryContainsWriteOperation("{ project { id } }"), false);
+        });
+        test("should ignore mutation text inside comments", () => {
+            assert.equal(graphqlQueryContainsWriteOperation("# mutation destroy\nquery { project { id } }"), false);
+        });
+        test("should ignore mutation text inside string literals", () => {
+            assert.equal(graphqlQueryContainsWriteOperation('query { search(query: "mutation") { nodes { id } } }'), false);
+        });
+    });
+    describe("with write GraphQL documents", () => {
+        test("should detect mutation operations", () => {
+            assert.equal(graphqlQueryContainsWriteOperation('mutation { destroyProject(input: { projectId: "gid://gitlab/Project/1" }) { errors } }'), true);
+        });
+        test("should detect subscription operations", () => {
+            assert.equal(graphqlQueryContainsWriteOperation("subscription { mergeRequestCreated { id } }"), true);
+        });
+        test("should detect write operations in multi-operation documents", () => {
+            assert.equal(graphqlQueryContainsWriteOperation("query A { a } mutation B { b }"), true);
+        });
+        test("should detect semicolon-separated write operations", () => {
+            assert.equal(graphqlQueryContainsWriteOperation("query A { a }; mutation B { b }"), true);
+        });
+    });
+});

package/build/test/utils/tool-args.test.js

@@ -1,6 +1,6 @@
 import assert from "node:assert/strict";
 import { describe, test } from "node:test";
-import { sanitizeToolArguments } from "../../utils/tool-args.js";
+import { cleanMutuallyExclusiveIdUsernameOptions, LIST_MERGE_REQUESTS_ID_USERNAME_PAIRS, sanitizeToolArguments, } from "../../utils/tool-args.js";
 describe("When sanitizeToolArguments runs", () => {
     describe("with top-level null optionals", () => {
         test("should omit null and undefined keys for generic tools", () => {
@@ -73,3 +73,50 @@ describe("When sanitizeToolArguments runs", () => {
         });
     });
 });
+describe("When cleanMutuallyExclusiveIdUsernameOptions runs", () => {
+    describe("with list_issues author filters", () => {
+        test("should drop author_id when author_username is also set", () => {
+            const result = cleanMutuallyExclusiveIdUsernameOptions({
+                author_id: "42",
+                author_username: "alice",
+                state: "opened",
+            });
+            assert.deepEqual(result, {
+                author_username: "alice",
+                state: "opened",
+            });
+        });
+    });
+    describe("with list_issues assignee filters", () => {
+        test("should drop assignee_id when assignee_username is also set", () => {
+            const result = cleanMutuallyExclusiveIdUsernameOptions({
+                assignee_id: "7",
+                assignee_username: ["bob"],
+            });
+            assert.deepEqual(result, {
+                assignee_username: ["bob"],
+            });
+        });
+        test("should keep assignee_id when assignee_username is an empty array", () => {
+            const result = cleanMutuallyExclusiveIdUsernameOptions({
+                assignee_id: "7",
+                assignee_username: [],
+            });
+            assert.deepEqual(result, {
+                assignee_id: "7",
+                assignee_username: [],
+            });
+        });
+    });
+    describe("with list_merge_requests reviewer filters", () => {
+        test("should drop reviewer_id when reviewer_username is also set", () => {
+            const result = cleanMutuallyExclusiveIdUsernameOptions({
+                reviewer_id: "3",
+                reviewer_username: "carol",
+            }, LIST_MERGE_REQUESTS_ID_USERNAME_PAIRS);
+            assert.deepEqual(result, {
+                reviewer_username: "carol",
+            });
+        });
+    });
+});

package/build/test/utils/wiki-title.test.js

@@ -0,0 +1,21 @@
+import assert from "node:assert/strict";
+import { describe, test } from "node:test";
+import { resolveNestedWikiUpdateTitle } from "../../utils/wiki-title.js";
+describe("When resolveNestedWikiUpdateTitle runs", () => {
+    describe("with nested wiki slugs", () => {
+        test("should prefix leaf titles using the existing hierarchical title", () => {
+            assert.equal(resolveNestedWikiUpdateTitle("00-map/infra-servers", "infra servers v2", "00-map/infra servers"), "00-map/infra servers v2");
+        });
+        test("should prefix leaf titles using the slug parent when the existing title is flat", () => {
+            assert.equal(resolveNestedWikiUpdateTitle("00-map/infra-servers", "infra servers v2", "infra servers"), "00-map/infra servers v2");
+        });
+        test("should keep full hierarchical titles unchanged", () => {
+            assert.equal(resolveNestedWikiUpdateTitle("00-map/infra-servers", "00-map/infra servers v2", "00-map/infra servers"), "00-map/infra servers v2");
+        });
+    });
+    describe("with flat wiki slugs", () => {
+        test("should keep leaf titles unchanged", () => {
+            assert.equal(resolveNestedWikiUpdateTitle("infra-servers", "infra servers v2", "infra servers"), "infra servers v2");
+        });
+    });
+});

package/build/utils/graphql-query.js

@@ -0,0 +1,52 @@
+function stripGraphQLCommentsAndStrings(source) {
+    let result = "";
+    let i = 0;
+    while (i < source.length) {
+        const ch = source[i];
+        if (ch === "#") {
+            while (i < source.length && source[i] !== "\n" && source[i] !== "\r") {
+                i++;
+            }
+            result += " ";
+            continue;
+        }
+        if (ch === '"' || ch === "'") {
+            const quote = ch;
+            i++;
+            while (i < source.length) {
+                if (source[i] === "\\") {
+                    i = Math.min(i + 2, source.length);
+                    continue;
+                }
+                if (source[i] === quote) {
+                    i++;
+                    break;
+                }
+                i++;
+            }
+            result += " ";
+            continue;
+        }
+        if (source.slice(i, i + 3) === '"""') {
+            i += 3;
+            while (i < source.length && source.slice(i, i + 3) !== '"""') {
+                i++;
+            }
+            if (i < source.length) {
+                i += 3;
+            }
+            result += " ";
+            continue;
+        }
+        result += ch;
+        i++;
+    }
+    return result;
+}
+export function graphqlQueryContainsWriteOperation(query) {
+    const normalized = stripGraphQLCommentsAndStrings(query).trim();
+    if (!normalized) {
+        return false;
+    }
+    return /(?:^|[};]\s*)(mutation|subscription)\b/.test(normalized);
+}

package/build/utils/tool-args.js

@@ -20,3 +20,30 @@ export function sanitizeToolArguments(toolName, args) {
     }
     return result;
 }
+/** Pairs where GitLab rejects sending both *_id and *_username query params. */
+export const LIST_ISSUES_ID_USERNAME_PAIRS = [
+    ["author_id", "author_username"],
+    ["assignee_id", "assignee_username"],
+];
+export const LIST_MERGE_REQUESTS_ID_USERNAME_PAIRS = [
+    ...LIST_ISSUES_ID_USERNAME_PAIRS,
+    ["reviewer_id", "reviewer_username"],
+];
+function hasUsernameFilterValue(value) {
+    if (Array.isArray(value)) {
+        return value.length > 0;
+    }
+    return Boolean(value);
+}
+/**
+ * When both id and username filters are set, GitLab returns 400. Prefer username and drop id.
+ */
+export function cleanMutuallyExclusiveIdUsernameOptions(options, pairs = LIST_ISSUES_ID_USERNAME_PAIRS) {
+    const cleaned = { ...options };
+    for (const [idKey, usernameKey] of pairs) {
+        if (cleaned[idKey] && hasUsernameFilterValue(cleaned[usernameKey])) {
+            delete cleaned[idKey];
+        }
+    }
+    return cleaned;
+}

package/build/utils/wiki-title.js

@@ -0,0 +1,17 @@
+/**
+ * Preserve nested wiki hierarchy when callers pass a leaf-only title on update.
+ */
+export function resolveNestedWikiUpdateTitle(slug, providedTitle, existingTitle) {
+    if (providedTitle.includes("/") || !slug.includes("/")) {
+        return providedTitle;
+    }
+    const titleParentIndex = existingTitle.lastIndexOf("/");
+    if (titleParentIndex >= 0) {
+        return `${existingTitle.slice(0, titleParentIndex)}/${providedTitle}`;
+    }
+    const slugParentIndex = slug.lastIndexOf("/");
+    if (slugParentIndex >= 0) {
+        return `${slug.slice(0, slugParentIndex)}/${providedTitle}`;
+    }
+    return providedTitle;
+}

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@zereight/mcp-gitlab",
-  "version": "2.1.19",
+  "version": "2.1.21",
   "mcpName": "io.github.zereight/gitlab-mcp",
   "description": "GitLab MCP server for projects, merge requests, issues, pipelines, wiki, releases, and more",
   "keywords": [
@@ -51,7 +51,7 @@
     "changelog": "auto-changelog -p",
     "test": "npm run test:all",
     "test:all": "npm run build && npm run test:mock && npm run test:live",
-    "test:mock": "node --import tsx/esm --test test/remote-auth-simple-test.ts && node --import tsx/esm --test test/mcp-oauth-tests.ts && node --import tsx/esm --test test/streamable-http-static-token-auth.test.ts && tsx test/oauth-tests.ts && tsx test/test-list-merge-requests.ts && node --import tsx/esm --test test/test-merge-request-pipelines.ts && tsx test/test-list-project-members.ts && tsx test/test-download-attachment.ts && node --import tsx/esm --test test/test-upload-markdown.ts && node --import tsx/esm --test test/test-job-artifacts.ts && node --import tsx/esm --test test/test-deployment-tools.ts && node --import tsx/esm --test test/test-merge-request-approval-state-tools.ts && node --import tsx/esm --test test/test-search-code.ts && node --import tsx/esm --test test/test-tags.ts && node --import tsx/esm --test test/test-protected-branches.ts && node --import tsx/esm --test test/test-toolset-filtering.ts && node --import tsx/esm --test test/test-ci-lint.ts && node --import tsx/esm --test test/test-todos.ts && node --import tsx/esm --test test/test-auth-retry.ts && node --import tsx/esm --test test/test-issue-description-patch.ts && node --import tsx/esm --test test/test-geteffectiveprojectid.ts && node --import tsx/esm --test test/test-get-file-blame.ts && node --import tsx/esm --test test/stateless/codec.test.ts test/stateless/client-id.test.ts test/stateless/callback-proxy.test.ts test/stateless/session-id.test.ts test/stateless/session-id-integration.test.ts test/stateless/config-ttl.test.ts && node --import tsx/esm --test test/utils/tool-args.test.ts && node --import tsx/esm --test test/utils/merge-request-position.test.ts && node --import tsx/esm --test test/nullish-tool-arguments-schema.test.ts && node --import tsx/esm --test test/test-ci-variables.ts && node --import tsx/esm --test test/test-dependency-proxy.ts",
+    "test:mock": "node --import tsx/esm --test test/remote-auth-simple-test.ts && node --import tsx/esm --test test/mcp-oauth-tests.ts && node --import tsx/esm --test test/streamable-http-static-token-auth.test.ts && tsx test/oauth-tests.ts && tsx test/test-list-merge-requests.ts && tsx test/test-list-issues.ts && node --import tsx/esm --test test/test-merge-request-pipelines.ts && tsx test/test-list-project-members.ts && tsx test/test-download-attachment.ts && node --import tsx/esm --test test/test-upload-markdown.ts && node --import tsx/esm --test test/test-job-artifacts.ts && node --import tsx/esm --test test/test-deployment-tools.ts && node --import tsx/esm --test test/test-merge-request-approval-state-tools.ts && node --import tsx/esm --test test/test-search-code.ts && node --import tsx/esm --test test/test-tags.ts && node --import tsx/esm --test test/test-protected-branches.ts && node --import tsx/esm --test test/test-toolset-filtering.ts && node --import tsx/esm --test test/test-ci-lint.ts && node --import tsx/esm --test test/test-todos.ts && node --import tsx/esm --test test/test-auth-retry.ts && node --import tsx/esm --test test/test-issue-description-patch.ts && node --import tsx/esm --test test/test-geteffectiveprojectid.ts && node --import tsx/esm --test test/test-get-file-blame.ts && node --import tsx/esm --test test/stateless/codec.test.ts test/stateless/client-id.test.ts test/stateless/callback-proxy.test.ts test/stateless/session-id.test.ts test/stateless/session-id-integration.test.ts test/stateless/config-ttl.test.ts && node --import tsx/esm --test test/utils/tool-args.test.ts && node --import tsx/esm --test test/utils/graphql-query.test.ts && node --import tsx/esm --test test/utils/wiki-title.test.ts && node --import tsx/esm --test test/utils/merge-request-position.test.ts && node --import tsx/esm --test test/nullish-tool-arguments-schema.test.ts && node --import tsx/esm --test test/test-ci-variables.ts && node --import tsx/esm --test test/test-dependency-proxy.ts",
     "test:stateless": "npm run build && node --import tsx/esm --test test/stateless/codec.test.ts test/stateless/client-id.test.ts test/stateless/callback-proxy.test.ts test/stateless/session-id.test.ts test/stateless/session-id-integration.test.ts test/stateless/config-ttl.test.ts",
     "test:mcp-oauth": "npm run build && node --import tsx/esm --test test/mcp-oauth-tests.ts",
     "test:live": "node test/validate-api.js",