npm - @zereight/mcp-gitlab - Versions diffs - 2.1.20 → 2.1.21 - Mend

@zereight/mcp-gitlab 2.1.20 → 2.1.21

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (6) hide show

package/build/index.js +23 -4
package/build/test/utils/graphql-query.test.js +33 -0
package/build/test/utils/wiki-title.test.js +21 -0
package/build/utils/graphql-query.js +52 -0
package/build/utils/wiki-title.js +17 -0
package/package.json +2 -2

package/build/index.js CHANGED Viewed

@@ -128,6 +128,8 @@ import { createGitLabOAuthProvider } from "./oauth-proxy.js";
 import { mcpAuthRouter } from "@modelcontextprotocol/sdk/server/auth/router.js";
 import { normalizeGitLabApiUrl } from "./utils/url.js";
 import { estimateMergeCommitCount, filterDiffsByPatterns, summarizeWebhookEvents } from "./utils/helpers.js";
+import { graphqlQueryContainsWriteOperation } from "./utils/graphql-query.js";
+import { resolveNestedWikiUpdateTitle } from "./utils/wiki-title.js";
 import { cleanMutuallyExclusiveIdUsernameOptions, LIST_MERGE_REQUESTS_ID_USERNAME_PAIRS, sanitizeToolArguments, } from "./utils/tool-args.js";
 import { parseSearchReplaceBlocks, applySearchReplace, applyUnifiedDiff, } from "./utils/patch-helper.js";
 import { requireBearerAuth } from "@modelcontextprotocol/sdk/server/auth/middleware/bearerAuth.js";
@@ -4594,8 +4596,15 @@ async function createWikiPage(projectId, title, content, format) {
 async function updateWikiPage(projectId, slug, title, content, format) {
     projectId = decodeURIComponent(projectId); // Decode project ID
     const body = {};
-    if (title)
-        body.title = title;
+    if (title) {
+        if (slug.includes("/") && !title.includes("/")) {
+            const existing = await getWikiPage(projectId, slug);
+            body.title = resolveNestedWikiUpdateTitle(slug, title, existing.title);
+        }
+        else {
+            body.title = title;
+        }
+    }
     if (content)
         body.content = content;
     if (format)
@@ -4672,8 +4681,15 @@ async function createGroupWikiPage(groupId, title, content, format) {
 async function updateGroupWikiPage(groupId, slug, title, content, format) {
     groupId = decodeURIComponent(groupId); // Decode group ID
     const body = {};
-    if (title)
-        body.title = title;
+    if (title) {
+        if (slug.includes("/") && !title.includes("/")) {
+            const existing = await getGroupWikiPage(groupId, slug);
+            body.title = resolveNestedWikiUpdateTitle(slug, title, existing.title);
+        }
+        else {
+            body.title = title;
+        }
+    }
     if (content)
         body.content = content;
     if (format)
@@ -6357,6 +6373,9 @@ async function handleToolCall(params) {
         switch (params.name) {
             case "execute_graphql": {
                 const args = ExecuteGraphQLSchema.parse(params.arguments);
+                if (GITLAB_READ_ONLY_MODE && graphqlQueryContainsWriteOperation(args.query)) {
+                    throw new Error("execute_graphql does not allow mutation or subscription operations in read-only mode");
+                }
                 const apiUrl = new URL(getEffectiveApiUrl());
                 // Build GraphQL endpoint preserving any instance subpath (e.g. /gitlab)
                 const restPath = apiUrl.pathname || ""; // e.g. /api/v4 or /gitlab/api/v4

package/build/test/utils/graphql-query.test.js ADDED Viewed

@@ -0,0 +1,33 @@
+import assert from "node:assert/strict";
+import { describe, test } from "node:test";
+import { graphqlQueryContainsWriteOperation } from "../../utils/graphql-query.js";
+describe("When graphqlQueryContainsWriteOperation runs", () => {
+    describe("with read-only GraphQL documents", () => {
+        test("should allow explicit query operations", () => {
+            assert.equal(graphqlQueryContainsWriteOperation("query { project(fullPath: \"g/p\") { id } }"), false);
+        });
+        test("should allow shorthand query operations", () => {
+            assert.equal(graphqlQueryContainsWriteOperation("{ project { id } }"), false);
+        });
+        test("should ignore mutation text inside comments", () => {
+            assert.equal(graphqlQueryContainsWriteOperation("# mutation destroy\nquery { project { id } }"), false);
+        });
+        test("should ignore mutation text inside string literals", () => {
+            assert.equal(graphqlQueryContainsWriteOperation('query { search(query: "mutation") { nodes { id } } }'), false);
+        });
+    });
+    describe("with write GraphQL documents", () => {
+        test("should detect mutation operations", () => {
+            assert.equal(graphqlQueryContainsWriteOperation('mutation { destroyProject(input: { projectId: "gid://gitlab/Project/1" }) { errors } }'), true);
+        });
+        test("should detect subscription operations", () => {
+            assert.equal(graphqlQueryContainsWriteOperation("subscription { mergeRequestCreated { id } }"), true);
+        });
+        test("should detect write operations in multi-operation documents", () => {
+            assert.equal(graphqlQueryContainsWriteOperation("query A { a } mutation B { b }"), true);
+        });
+        test("should detect semicolon-separated write operations", () => {
+            assert.equal(graphqlQueryContainsWriteOperation("query A { a }; mutation B { b }"), true);
+        });
+    });
+});

package/build/test/utils/wiki-title.test.js ADDED Viewed

@@ -0,0 +1,21 @@
+import assert from "node:assert/strict";
+import { describe, test } from "node:test";
+import { resolveNestedWikiUpdateTitle } from "../../utils/wiki-title.js";
+describe("When resolveNestedWikiUpdateTitle runs", () => {
+    describe("with nested wiki slugs", () => {
+        test("should prefix leaf titles using the existing hierarchical title", () => {
+            assert.equal(resolveNestedWikiUpdateTitle("00-map/infra-servers", "infra servers v2", "00-map/infra servers"), "00-map/infra servers v2");
+        });
+        test("should prefix leaf titles using the slug parent when the existing title is flat", () => {
+            assert.equal(resolveNestedWikiUpdateTitle("00-map/infra-servers", "infra servers v2", "infra servers"), "00-map/infra servers v2");
+        });
+        test("should keep full hierarchical titles unchanged", () => {
+            assert.equal(resolveNestedWikiUpdateTitle("00-map/infra-servers", "00-map/infra servers v2", "00-map/infra servers"), "00-map/infra servers v2");
+        });
+    });
+    describe("with flat wiki slugs", () => {
+        test("should keep leaf titles unchanged", () => {
+            assert.equal(resolveNestedWikiUpdateTitle("infra-servers", "infra servers v2", "infra servers"), "infra servers v2");
+        });
+    });
+});

package/build/utils/graphql-query.js ADDED Viewed

@@ -0,0 +1,52 @@
+function stripGraphQLCommentsAndStrings(source) {
+    let result = "";
+    let i = 0;
+    while (i < source.length) {
+        const ch = source[i];
+        if (ch === "#") {
+            while (i < source.length && source[i] !== "\n" && source[i] !== "\r") {
+                i++;
+            }
+            result += " ";
+            continue;
+        }
+        if (ch === '"' || ch === "'") {
+            const quote = ch;
+            i++;
+            while (i < source.length) {
+                if (source[i] === "\\") {
+                    i = Math.min(i + 2, source.length);
+                    continue;
+                }
+                if (source[i] === quote) {
+                    i++;
+                    break;
+                }
+                i++;
+            }
+            result += " ";
+            continue;
+        }
+        if (source.slice(i, i + 3) === '"""') {
+            i += 3;
+            while (i < source.length && source.slice(i, i + 3) !== '"""') {
+                i++;
+            }
+            if (i < source.length) {
+                i += 3;
+            }
+            result += " ";
+            continue;
+        }
+        result += ch;
+        i++;
+    }
+    return result;
+}
+export function graphqlQueryContainsWriteOperation(query) {
+    const normalized = stripGraphQLCommentsAndStrings(query).trim();
+    if (!normalized) {
+        return false;
+    }
+    return /(?:^|[};]\s*)(mutation|subscription)\b/.test(normalized);
+}

package/build/utils/wiki-title.js ADDED Viewed

@@ -0,0 +1,17 @@
+/**
+ * Preserve nested wiki hierarchy when callers pass a leaf-only title on update.
+ */
+export function resolveNestedWikiUpdateTitle(slug, providedTitle, existingTitle) {
+    if (providedTitle.includes("/") || !slug.includes("/")) {
+        return providedTitle;
+    }
+    const titleParentIndex = existingTitle.lastIndexOf("/");
+    if (titleParentIndex >= 0) {
+        return `${existingTitle.slice(0, titleParentIndex)}/${providedTitle}`;
+    }
+    const slugParentIndex = slug.lastIndexOf("/");
+    if (slugParentIndex >= 0) {
+        return `${slug.slice(0, slugParentIndex)}/${providedTitle}`;
+    }
+    return providedTitle;
+}

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "@zereight/mcp-gitlab",
-  "version": "2.1.20",
+  "version": "2.1.21",
   "mcpName": "io.github.zereight/gitlab-mcp",
   "description": "GitLab MCP server for projects, merge requests, issues, pipelines, wiki, releases, and more",
   "keywords": [
@@ -51,7 +51,7 @@
     "changelog": "auto-changelog -p",
     "test": "npm run test:all",
     "test:all": "npm run build && npm run test:mock && npm run test:live",
-    "test:mock": "node --import tsx/esm --test test/remote-auth-simple-test.ts && node --import tsx/esm --test test/mcp-oauth-tests.ts && node --import tsx/esm --test test/streamable-http-static-token-auth.test.ts && tsx test/oauth-tests.ts && tsx test/test-list-merge-requests.ts && tsx test/test-list-issues.ts && node --import tsx/esm --test test/test-merge-request-pipelines.ts && tsx test/test-list-project-members.ts && tsx test/test-download-attachment.ts && node --import tsx/esm --test test/test-upload-markdown.ts && node --import tsx/esm --test test/test-job-artifacts.ts && node --import tsx/esm --test test/test-deployment-tools.ts && node --import tsx/esm --test test/test-merge-request-approval-state-tools.ts && node --import tsx/esm --test test/test-search-code.ts && node --import tsx/esm --test test/test-tags.ts && node --import tsx/esm --test test/test-protected-branches.ts && node --import tsx/esm --test test/test-toolset-filtering.ts && node --import tsx/esm --test test/test-ci-lint.ts && node --import tsx/esm --test test/test-todos.ts && node --import tsx/esm --test test/test-auth-retry.ts && node --import tsx/esm --test test/test-issue-description-patch.ts && node --import tsx/esm --test test/test-geteffectiveprojectid.ts && node --import tsx/esm --test test/test-get-file-blame.ts && node --import tsx/esm --test test/stateless/codec.test.ts test/stateless/client-id.test.ts test/stateless/callback-proxy.test.ts test/stateless/session-id.test.ts test/stateless/session-id-integration.test.ts test/stateless/config-ttl.test.ts && node --import tsx/esm --test test/utils/tool-args.test.ts && node --import tsx/esm --test test/utils/merge-request-position.test.ts && node --import tsx/esm --test test/nullish-tool-arguments-schema.test.ts && node --import tsx/esm --test test/test-ci-variables.ts && node --import tsx/esm --test test/test-dependency-proxy.ts",
+    "test:mock": "node --import tsx/esm --test test/remote-auth-simple-test.ts && node --import tsx/esm --test test/mcp-oauth-tests.ts && node --import tsx/esm --test test/streamable-http-static-token-auth.test.ts && tsx test/oauth-tests.ts && tsx test/test-list-merge-requests.ts && tsx test/test-list-issues.ts && node --import tsx/esm --test test/test-merge-request-pipelines.ts && tsx test/test-list-project-members.ts && tsx test/test-download-attachment.ts && node --import tsx/esm --test test/test-upload-markdown.ts && node --import tsx/esm --test test/test-job-artifacts.ts && node --import tsx/esm --test test/test-deployment-tools.ts && node --import tsx/esm --test test/test-merge-request-approval-state-tools.ts && node --import tsx/esm --test test/test-search-code.ts && node --import tsx/esm --test test/test-tags.ts && node --import tsx/esm --test test/test-protected-branches.ts && node --import tsx/esm --test test/test-toolset-filtering.ts && node --import tsx/esm --test test/test-ci-lint.ts && node --import tsx/esm --test test/test-todos.ts && node --import tsx/esm --test test/test-auth-retry.ts && node --import tsx/esm --test test/test-issue-description-patch.ts && node --import tsx/esm --test test/test-geteffectiveprojectid.ts && node --import tsx/esm --test test/test-get-file-blame.ts && node --import tsx/esm --test test/stateless/codec.test.ts test/stateless/client-id.test.ts test/stateless/callback-proxy.test.ts test/stateless/session-id.test.ts test/stateless/session-id-integration.test.ts test/stateless/config-ttl.test.ts && node --import tsx/esm --test test/utils/tool-args.test.ts && node --import tsx/esm --test test/utils/graphql-query.test.ts && node --import tsx/esm --test test/utils/wiki-title.test.ts && node --import tsx/esm --test test/utils/merge-request-position.test.ts && node --import tsx/esm --test test/nullish-tool-arguments-schema.test.ts && node --import tsx/esm --test test/test-ci-variables.ts && node --import tsx/esm --test test/test-dependency-proxy.ts",
     "test:stateless": "npm run build && node --import tsx/esm --test test/stateless/codec.test.ts test/stateless/client-id.test.ts test/stateless/callback-proxy.test.ts test/stateless/session-id.test.ts test/stateless/session-id-integration.test.ts test/stateless/config-ttl.test.ts",
     "test:mcp-oauth": "npm run build && node --import tsx/esm --test test/mcp-oauth-tests.ts",
     "test:live": "node test/validate-api.js",