@zereight/mcp-gitlab 2.1.21 → 2.1.23

package/build/index.js

@@ -1,5 +1,5 @@
 #!/usr/bin/env node
-import { getConfig, ENABLE_DYNAMIC_API_URL, GITLAB_AUTH_COOKIE_PATH, GITLAB_CA_CERT_PATH, GITLAB_JOB_TOKEN, GITLAB_MCP_OAUTH, GITLAB_OAUTH_APP_ID, GITLAB_OAUTH_SCOPES, GITLAB_OAUTH_CALLBACK_PROXY, GITLAB_PERSONAL_ACCESS_TOKEN, GITLAB_POOL_MAX_SIZE, GITLAB_READ_ONLY_MODE, GITLAB_TOOLSETS_RAW, GITLAB_TOOLS_RAW, HOST, HTTP_PROXY, HTTPS_PROXY, IS_OLD, MCP_SERVER_URL, NODE_TLS_REJECT_UNAUTHORIZED, NO_PROXY, OAUTH_STATELESS_CLIENT_TTL_SECONDS, OAUTH_STATELESS_MODE, OAUTH_STATELESS_PENDING_TTL_SECONDS, OAUTH_STATELESS_SESSION_TTL_SECONDS, OAUTH_STATELESS_STORED_TTL_SECONDS, PORT, REMOTE_AUTHORIZATION, SESSION_TIMEOUT_SECONDS, SSE, STREAMABLE_HTTP, USE_GITLAB_WIKI, USE_MILESTONE, USE_OAUTH, USE_PIPELINE, GITLAB_TOOL_POLICY_APPROVE_RAW, GITLAB_TOOL_POLICY_HIDDEN_RAW, GITLAB_ALLOWED_GROUPS, } from "./config.js";
+import { getConfig, ENABLE_DYNAMIC_API_URL, GITLAB_AUTH_COOKIE_PATH, GITLAB_CA_CERT_PATH, GITLAB_JOB_TOKEN, GITLAB_MCP_OAUTH, GITLAB_OAUTH_APP_ID, GITLAB_OAUTH_SCOPES, GITLAB_OAUTH_CALLBACK_PROXY, GITLAB_PERSONAL_ACCESS_TOKEN, GITLAB_POOL_MAX_SIZE, GITLAB_READ_ONLY_MODE, GITLAB_TOOLSETS_RAW, GITLAB_TOOLS_RAW, HOST, HTTP_PROXY, HTTPS_PROXY, IS_OLD, MCP_SERVER_URL, NODE_TLS_REJECT_UNAUTHORIZED, NO_PROXY, OAUTH_STATELESS_CLIENT_TTL_SECONDS, OAUTH_STATELESS_MODE, OAUTH_STATELESS_PENDING_TTL_SECONDS, OAUTH_STATELESS_SESSION_TTL_SECONDS, OAUTH_STATELESS_STORED_TTL_SECONDS, PORT, REMOTE_AUTHORIZATION, SESSION_TIMEOUT_SECONDS, SSE, STREAMABLE_HTTP, MCP_TRUST_PROXY, USE_GITLAB_WIKI, USE_MILESTONE, USE_OAUTH, USE_PIPELINE, GITLAB_TOOL_POLICY_APPROVE_RAW, GITLAB_TOOL_POLICY_HIDDEN_RAW, GITLAB_OAUTH_ALLOWED_GROUPS_RAW, GITLAB_ALLOWED_GROUPS_RAW, GITLAB_OAUTH_ALLOWED_GROUPS, } from "./config.js";
 /** True when the server is running in remote/network mode (SSE or StreamableHTTP transport). */
 const IS_REMOTE = SSE || STREAMABLE_HTTP;
 /**
@@ -59,17 +59,74 @@ function decryptDownloadToken(tokenStr) {
         return null;
     }
 }
+function getLastHeaderValue(value) {
+    const raw = Array.isArray(value) ? value[value.length - 1] : value;
+    if (!raw)
+        return undefined;
+    const parts = raw.split(",").map(part => part.trim()).filter(Boolean);
+    return parts.length > 0 ? parts[parts.length - 1] : undefined;
+}
+function unquoteHeaderValue(value) {
+    if (value.length >= 2 && value.startsWith('"') && value.endsWith('"')) {
+        return value.slice(1, -1).replace(/\\"/g, '"').replace(/\\\\/g, "\\");
+    }
+    return value;
+}
+function getForwardedPublicBaseUrl(req) {
+    if (!MCP_TRUST_PROXY)
+        return undefined;
+    const forwarded = getLastHeaderValue(req.headers.forwarded);
+    const forwardedValues = {};
+    if (forwarded) {
+        for (const part of forwarded.split(";")) {
+            const separator = part.indexOf("=");
+            if (separator <= 0)
+                continue;
+            const key = part.slice(0, separator).trim().toLowerCase();
+            const value = unquoteHeaderValue(part.slice(separator + 1).trim());
+            if (key && value)
+                forwardedValues[key] = value;
+        }
+    }
+    const proto = (forwardedValues.proto || getLastHeaderValue(req.headers["x-forwarded-proto"]))?.toLowerCase();
+    const host = forwardedValues.host || getLastHeaderValue(req.headers["x-forwarded-host"]);
+    if (!proto || !host || !/^https?$/.test(proto))
+        return undefined;
+    if (/[\s/\\]/.test(host))
+        return undefined;
+    const prefix = getLastHeaderValue(req.headers["x-forwarded-prefix"]);
+    const safePrefix = prefix &&
+        prefix.startsWith("/") &&
+        !prefix.startsWith("//") &&
+        !prefix.includes("://") &&
+        !/[\s\\]/.test(prefix)
+        ? prefix.replace(/\/+$/, "")
+        : undefined;
+    try {
+        const baseUrl = new URL(`${proto}://${host}`);
+        if (baseUrl.username || baseUrl.password || baseUrl.pathname !== "/" || baseUrl.search || baseUrl.hash) {
+            return undefined;
+        }
+        if (safePrefix)
+            baseUrl.pathname = safePrefix;
+        return baseUrl.toString().replace(/\/$/, "");
+    }
+    catch {
+        return undefined;
+    }
+}
 /**
  * Build a URL pointing to the download proxy endpoint.
  * Embeds an encrypted auth token (and API URL for dynamic routing)
  * from the current session so the URL works standalone.
  */
 function buildDownloadUrl(type, params) {
-    const base = MCP_SERVER_URL || `http://${HOST}:${PORT}`;
+    const base = MCP_SERVER_URL || sessionAuthStore.getStore()?.publicBaseUrl || `http://${HOST}:${PORT}`;
     const baseUrl = new URL(base);
     // Preserve any path prefix (e.g. /gitlab-mcp) from the base URL
     const basePath = baseUrl.pathname.replace(/\/+$/, "");
-    const url = new URL(`${basePath}/downloads/${type}`, baseUrl.origin);
+    const safeBasePath = basePath ? `/${basePath.replace(/^\/+/, "")}` : "";
+    const url = new URL(`${safeBasePath}/downloads/${type}`, baseUrl.origin);
     for (const [key, value] of Object.entries(params)) {
         url.searchParams.set(key, value);
     }
@@ -126,6 +183,8 @@ import { z } from "zod";
 import { initializeOAuthClient } from "./oauth.js";
 import { createGitLabOAuthProvider } from "./oauth-proxy.js";
 import { mcpAuthRouter } from "@modelcontextprotocol/sdk/server/auth/router.js";
+import { ipKeyGenerator } from "express-rate-limit";
+import { normalizeProxyClientIpForRateLimit } from "./utils/proxy-client-ip.js";
 import { normalizeGitLabApiUrl } from "./utils/url.js";
 import { estimateMergeCommitCount, filterDiffsByPatterns, summarizeWebhookEvents } from "./utils/helpers.js";
 import { graphqlQueryContainsWriteOperation } from "./utils/graphql-query.js";
@@ -429,6 +488,7 @@ function createServer() {
                     token: authData.token,
                     lastUsed: authData.lastUsed,
                     apiUrl: authData.apiUrl,
+                    publicBaseUrl: authData.publicBaseUrl,
                 };
                 // Run the handler within the retrieved context
                 const result = await sessionAuthStore.run(sessionContext, () => handleToolCall(request.params));
@@ -660,7 +720,7 @@ async function ensureValidOAuthToken() {
         logger.info("OAuth token refreshed successfully");
     }
     catch (error) {
-        logger.error("Failed to refresh OAuth token:", error);
+        logger.error({ err: error }, "Failed to refresh OAuth token");
         throw error;
     }
 }
@@ -856,6 +916,15 @@ const sessionAuthStore = new AsyncLocalStorage();
 // Session context map for storing auth data by session ID
 // This survives async boundaries where AsyncLocalStorage might not
 const authBySession = {};
+function withPublicBaseUrl(authData, publicBaseUrl, previous) {
+    const effectivePublicBaseUrl = publicBaseUrl || previous?.publicBaseUrl;
+    return effectivePublicBaseUrl ? { ...authData, publicBaseUrl: effectivePublicBaseUrl } : authData;
+}
+function updateSessionPublicBaseUrl(sessionId, publicBaseUrl) {
+    if (sessionId && publicBaseUrl && authBySession[sessionId]) {
+        authBySession[sessionId].publicBaseUrl = publicBaseUrl;
+    }
+}
 // Base headers without authentication
 const BASE_HEADERS = {
     Accept: "application/json",
@@ -1007,7 +1076,7 @@ async function handleGitLabError(response) {
         const errorBody = await response.text();
         // Check specifically for Rate Limit error
         if (response.status === 403 && errorBody.includes("User API Key Rate limit exceeded")) {
-            logger.error("GitLab API Rate Limit Exceeded:", errorBody);
+            logger.error({ err: errorBody }, "GitLab API Rate Limit Exceeded");
             logger.error("User API Key Rate limit exceeded. Please try again later.");
             throw new Error(`GitLab API Rate Limit Exceeded: ${errorBody}`);
         }
@@ -5431,7 +5500,7 @@ async function getUser(username) {
         return null;
     }
     catch (error) {
-        logger.error(`Error fetching user by username '${username}':`, error);
+        logger.error({ err: error }, `Error fetching user by username '${username}'`);
         return null;
     }
 }
@@ -5450,7 +5519,7 @@ async function getUsers(usernames) {
             users[username] = user;
         }
         catch (error) {
-            logger.error(`Error processing username '${username}':`, error);
+            logger.error({ err: error }, `Error processing username '${username}'`);
             users[username] = null;
         }
     }
@@ -6431,7 +6500,7 @@ async function handleToolCall(params) {
                     };
                 }
                 catch (forkError) {
-                    logger.error("Error forking repository:", forkError);
+                    logger.error({ err: forkError }, "Error forking repository");
                     let forkErrorMessage = "Failed to fork repository";
                     if (forkError instanceof Error) {
                         forkErrorMessage = `${forkErrorMessage}: ${forkError.message}`;
@@ -8635,7 +8704,7 @@ function registerDownloadProxy(app, maxRequestsPerMinute = Number.parseInt(proce
             }
         }
         catch (error) {
-            logger.error("Download proxy error:", error);
+            logger.error({ err: error }, "Download proxy error");
             if (!res.headersSent) {
                 res.status(502).json({ error: "Failed to proxy download from GitLab" });
             }
@@ -8647,6 +8716,9 @@ function registerDownloadProxy(app, maxRequestsPerMinute = Number.parseInt(proce
  */
 async function startSSEServer() {
     const app = express();
+    if (MCP_TRUST_PROXY) {
+        app.set("trust proxy", 1);
+    }
     const transports = {};
     let shuttingDown = false;
     app.get("/sse", async (_, res) => {
@@ -8691,7 +8763,7 @@ async function startSSEServer() {
                 await transport.close();
             }
             catch (error) {
-                logger.error("Error closing SSE transport:", error);
+                logger.error({ err: error }, "Error closing SSE transport");
             }
         }));
         clientPool.closeAll();
@@ -8995,6 +9067,7 @@ async function startStreamableHTTPServer() {
             token: effective.token,
             lastUsed: Date.now(),
             apiUrl: effective.apiUrl,
+            publicBaseUrl: getForwardedPublicBaseUrl(req),
         };
         // Step 4: create a fresh transport per request.
         const transport = isInit
@@ -9044,13 +9117,13 @@ async function startStreamableHTTPServer() {
         });
     };
     // Configure Express middleware
+    if (MCP_TRUST_PROXY) {
+        app.set("trust proxy", 1);
+    }
     app.use(express.json());
     registerDownloadProxy(app);
     // MCP OAuth — mount auth router and prepare bearer-auth middleware
     if (GITLAB_MCP_OAUTH) {
-        // Trust first proxy so express-rate-limit uses X-Forwarded-For for real client IP.
-        // Only enabled in OAuth mode where the server is typically behind a reverse proxy.
-        app.set("trust proxy", 1);
         const gitlabBaseUrl = GITLAB_API_URL.replace(/\/api\/v4\/?$/, "").replace(/\/$/, "");
         const issuerUrl = new URL(MCP_SERVER_URL);
         const callbackUrl = GITLAB_OAUTH_CALLBACK_PROXY
@@ -9064,7 +9137,7 @@ async function startStreamableHTTPServer() {
                 storedTtlSeconds: OAUTH_STATELESS_STORED_TTL_SECONDS,
             }
             : null;
-        const oauthProvider = createGitLabOAuthProvider(gitlabBaseUrl, GITLAB_OAUTH_APP_ID, "GitLab MCP Server", GITLAB_READ_ONLY_MODE, GITLAB_OAUTH_SCOPES, GITLAB_ALLOWED_GROUPS, GITLAB_OAUTH_CALLBACK_PROXY, callbackUrl, statelessOptions);
+        const oauthProvider = createGitLabOAuthProvider(gitlabBaseUrl, GITLAB_OAUTH_APP_ID, "GitLab MCP Server", GITLAB_READ_ONLY_MODE, GITLAB_OAUTH_SCOPES, GITLAB_OAUTH_ALLOWED_GROUPS, GITLAB_OAUTH_CALLBACK_PROXY, callbackUrl, statelessOptions);
         const scopesSupported = GITLAB_OAUTH_SCOPES ?? ["api", "read_api", "read_user"];
         // When server URL has a path (e.g. behind Kong), the SDK's well-known metadata
         // advertises root-level endpoints. Override to use path-prefixed endpoints.
@@ -9108,12 +9181,22 @@ async function startStreamableHTTPServer() {
         }
         // Mounts /.well-known/oauth-authorization-server (shadowed above when basePath set),
         //        /.well-known/oauth-protected-resource, /authorize, /token, /register, /revoke
+        // Some proxies include the port in X-Forwarded-For (e.g. "1.2.3.4:5678" or
+        // "[2001:db8::1]:5678"), which makes express-rate-limit throw
+        // ERR_ERL_INVALID_IP_ADDRESS. Strip the port first, then delegate to
+        // ipKeyGenerator for correct IPv6 subnet handling.
+        const rateLimitKeyGenerator = (req) => ipKeyGenerator(normalizeProxyClientIpForRateLimit(req.ip ?? ""));
+        const rateLimitOptions = { keyGenerator: rateLimitKeyGenerator };
         app.use(mcpAuthRouter({
             provider: oauthProvider,
             issuerUrl,
             baseUrl: issuerUrl,
             scopesSupported,
             resourceName: "GitLab MCP Server",
+            authorizationOptions: { rateLimit: rateLimitOptions },
+            tokenOptions: { rateLimit: rateLimitOptions },
+            revocationOptions: { rateLimit: rateLimitOptions },
+            clientRegistrationOptions: { rateLimit: rateLimitOptions },
         }));
         // Expose provider so the /mcp route middleware can reference it
         app._mcpOAuthProvider = oauthProvider;
@@ -9178,6 +9261,7 @@ async function startStreamableHTTPServer() {
     // Streamable HTTP endpoint - handles both session creation and message handling
     app.post("/mcp", mcpBearerAuth, async (req, res) => {
         const sessionId = readMcpSessionIdHeader(req);
+        const publicBaseUrl = getForwardedPublicBaseUrl(req);
         // Track request
         metrics.requestsProcessed++;
         // Stateless-mode branch: bypass authBySession / streamableTransports
@@ -9222,19 +9306,20 @@ async function startStreamableHTTPServer() {
                     return;
                 }
                 // Store auth for this session
-                authBySession[sessionId] = authData;
+                authBySession[sessionId] = withPublicBaseUrl(authData, publicBaseUrl);
                 logger.info(`Session ${sessionId}: stored ${authData.header} header`);
                 setAuthTimeout(sessionId);
             }
             else if (sessionId && authData) {
                 // Existing session: allow auth rotation/update
-                authBySession[sessionId] = authData;
+                authBySession[sessionId] = withPublicBaseUrl(authData, publicBaseUrl, authBySession[sessionId]);
                 logger.debug(`Session ${sessionId}: updated ${authData.header} header`);
                 setAuthTimeout(sessionId);
             }
             else if (sessionId && authBySession[sessionId]) {
                 // Existing session with stored auth: update last used time and reset timeout
                 authBySession[sessionId].lastUsed = Date.now();
+                updateSessionPublicBaseUrl(sessionId, publicBaseUrl);
                 setAuthTimeout(sessionId);
             }
             else if (!sessionId && !authData) {
@@ -9250,17 +9335,12 @@ async function startStreamableHTTPServer() {
             if (headerAuthData) {
                 if (headerAuthData && sessionId) {
                     if (!authBySession[sessionId]) {
-                        authBySession[sessionId] = headerAuthData;
+                        authBySession[sessionId] = withPublicBaseUrl(headerAuthData, publicBaseUrl);
                         logger.info(`Session ${sessionId}: stored ${headerAuthData.header} header (header auth)`);
                         setAuthTimeout(sessionId);
                     }
                     else {
-                        authBySession[sessionId] = {
-                            ...authBySession[sessionId],
-                            header: headerAuthData.header,
-                            token: headerAuthData.token,
-                            lastUsed: Date.now(),
-                        };
+                        authBySession[sessionId] = withPublicBaseUrl(headerAuthData, publicBaseUrl, authBySession[sessionId]);
                         setAuthTimeout(sessionId);
                     }
                 }
@@ -9274,6 +9354,7 @@ async function startStreamableHTTPServer() {
                             token: authInfo.token,
                             lastUsed: Date.now(),
                             apiUrl: GITLAB_API_URL,
+                            publicBaseUrl,
                         };
                         logger.info(`Session ${sessionId}: stored OAuth token (client: ${authInfo.clientId})`);
                         setAuthTimeout(sessionId);
@@ -9282,6 +9363,7 @@ async function startStreamableHTTPServer() {
                         // Update token on every request — the client may have refreshed it
                         authBySession[sessionId].token = authInfo.token;
                         authBySession[sessionId].lastUsed = Date.now();
+                        updateSessionPublicBaseUrl(sessionId, publicBaseUrl);
                         setAuthTimeout(sessionId);
                     }
                 }
@@ -9309,7 +9391,7 @@ async function startStreamableHTTPServer() {
                             if (REMOTE_AUTHORIZATION && !authBySession[newSessionId]) {
                                 const authData = parseAuthHeaders(req);
                                 if (authData) {
-                                    authBySession[newSessionId] = authData;
+                                    authBySession[newSessionId] = withPublicBaseUrl(authData, publicBaseUrl);
                                     logger.info(`Session ${newSessionId}: stored ${authData.header} header`);
                                     setAuthTimeout(newSessionId);
                                 }
@@ -9320,7 +9402,7 @@ async function startStreamableHTTPServer() {
                                 if (hasHeaderAuth(req)) {
                                     const authData = parseAuthHeaders(req);
                                     if (authData) {
-                                        authBySession[newSessionId] = authData;
+                                        authBySession[newSessionId] = withPublicBaseUrl(authData, publicBaseUrl);
                                         logger.info(`Session ${newSessionId}: stored ${authData.header} header (header auth)`);
                                         setAuthTimeout(newSessionId);
                                     }
@@ -9333,6 +9415,7 @@ async function startStreamableHTTPServer() {
                                             token: authInfo.token,
                                             lastUsed: Date.now(),
                                             apiUrl: GITLAB_API_URL,
+                                            publicBaseUrl,
                                         };
                                         logger.info(`Session ${newSessionId}: stored OAuth token (client: ${authInfo.clientId})`);
                                         setAuthTimeout(newSessionId);
@@ -9364,7 +9447,7 @@ async function startStreamableHTTPServer() {
                 }
             }
             catch (error) {
-                logger.error("Streamable HTTP error:", error);
+                logger.error({ err: error }, "Streamable HTTP error");
                 res.status(500).json({
                     error: "Internal server error",
                     message: error instanceof Error ? error.message : "Unknown error",
@@ -9380,6 +9463,7 @@ async function startStreamableHTTPServer() {
                 token: authData.token,
                 lastUsed: authData.lastUsed,
                 apiUrl: authData.apiUrl,
+                publicBaseUrl: authData.publicBaseUrl,
             };
             // Run the entire request handling within AsyncLocalStorage context
             await sessionAuthStore.run(ctx, handleRequest);
@@ -9447,7 +9531,7 @@ async function startStreamableHTTPServer() {
                 res.status(204).send();
             }
             catch (error) {
-                logger.error(`Error closing session ${sessionId}:`, error);
+                logger.error({ err: error }, `Error closing session ${sessionId}`);
                 res.status(500).json({ error: "Failed to close session" });
             }
         }
@@ -9482,7 +9566,7 @@ async function startStreamableHTTPServer() {
                 }
             }
             catch (error) {
-                logger.error(`Error closing session ${sessionId}:`, error);
+                logger.error({ err: error }, `Error closing session ${sessionId}`);
             }
         });
         await Promise.allSettled(closePromises);
@@ -9503,7 +9587,7 @@ async function startStreamableHTTPServer() {
  * Handle transport-specific initialization logic
  */
 async function initializeServerByTransportMode(mode) {
-    logger.info("Initializing server with transport mode:", mode);
+    logger.info({ mode }, "Initializing server with transport mode");
     switch (mode) {
         case TransportMode.STDIO:
             logger.warn("Starting GitLab MCP Server with stdio transport");
@@ -9543,7 +9627,7 @@ async function runServer() {
                 logger.info("OAuth authentication successful");
             }
             catch (error) {
-                logger.error("OAuth authentication failed:", error);
+                logger.error({ err: error }, "OAuth authentication failed");
                 process.exit(1);
             }
         }
@@ -9551,14 +9635,25 @@ async function runServer() {
         await initializeServerByTransportMode(transportMode);
         logger.info(`Configured GitLab API URLs: ${GITLAB_API_URLS.join(", ")}`);
         logger.info(`Default GitLab API URL: ${GITLAB_API_URL}`);
+        if (GITLAB_ALLOWED_GROUPS_RAW) {
+            if (GITLAB_OAUTH_ALLOWED_GROUPS_RAW) {
+                logger.warn("GITLAB_ALLOWED_GROUPS is set but ignored — GITLAB_OAUTH_ALLOWED_GROUPS takes precedence.");
+            }
+            else {
+                logger.warn("GITLAB_ALLOWED_GROUPS is deprecated. Use GITLAB_OAUTH_ALLOWED_GROUPS instead.");
+            }
+        }
+        if (GITLAB_OAUTH_ALLOWED_GROUPS) {
+            logger.info(`Group access control enabled for: ${GITLAB_OAUTH_ALLOWED_GROUPS.join(", ")}`);
+        }
     }
     catch (error) {
-        logger.error("Error initializing server:", error);
+        logger.error({ err: error }, "Error initializing server");
         process.exit(1);
     }
 }
 // 下記の２行を追記
 runServer().catch(error => {
-    logger.error("Fatal error in main():", error);
+    logger.fatal({ err: error }, "Fatal error in main()");
     process.exit(1);
 });

package/build/oauth.js

@@ -193,7 +193,7 @@ export class GitLabOAuth {
             logger.info(`Token saved to ${this.tokenStoragePath}`);
         }
         catch (error) {
-            logger.error("Failed to save token:", error);
+            logger.error({ err: error }, "Failed to save token");
             throw error;
         }
     }
@@ -209,7 +209,7 @@ export class GitLabOAuth {
             return JSON.parse(data);
         }
         catch (error) {
-            logger.error("Failed to load token:", error);
+            logger.error({ err: error }, "Failed to load token");
             return null;
         }
     }
@@ -240,7 +240,7 @@ export class GitLabOAuth {
                 return await requestAuthFromExistingServer(callbackPort, requestId);
             }
             catch (error) {
-                logger.error("Failed to connect to existing OAuth server:", error);
+                logger.error({ err: error }, "Failed to connect to existing OAuth server");
                 throw new Error(`Port ${callbackPort} is in use but cannot connect to existing OAuth server. Please close other instances or use a different port.`);
             }
         }
@@ -285,7 +285,7 @@ export class GitLabOAuth {
                         logger.info("Opening browser for new authentication request...");
                         logger.info(`If browser doesn't open, visit: ${authUrl}`);
                         open(authUrl).catch(err => {
-                            logger.error("Failed to open browser:", err);
+                            logger.error({ err }, "Failed to open browser");
                             logger.info(`Please manually open: ${authUrl}`);
                         });
                         // Wait for the auth to complete
@@ -430,7 +430,7 @@ export class GitLabOAuth {
                     }
                 }
                 catch (error) {
-                    logger.error("Error handling request:", error);
+                    logger.error({ err: error }, "Error handling request");
                     res.writeHead(500, { "Content-Type": "text/plain" });
                     res.end("Internal Server Error");
                 }
@@ -441,12 +441,12 @@ export class GitLabOAuth {
                 logger.info("Opening browser for authentication...");
                 logger.info(`If browser doesn't open, visit: ${authUrl}`);
                 open(authUrl).catch(err => {
-                    logger.error("Failed to open browser:", err);
+                    logger.error({ err }, "Failed to open browser");
                     logger.info(`Please manually open: ${authUrl}`);
                 });
             });
             server.on("error", error => {
-                logger.error("OAuth server error:", error);
+                logger.error({ err: error }, "OAuth server error");
                 const pending = pendingAuthRequests.get(initialRequestId);
                 if (pending) {
                     clearTimeout(pending.timeout);
@@ -474,7 +474,7 @@ export class GitLabOAuth {
                     this.saveToken(tokenData);
                 }
                 catch (error) {
-                    logger.error("Token refresh failed. Starting new OAuth flow...", error);
+                    logger.error({ err: error }, "Token refresh failed. Starting new OAuth flow...");
                     tokenData = await this.startOAuthFlow();
                 }
             }
@@ -496,7 +496,7 @@ export class GitLabOAuth {
             }
         }
         catch (error) {
-            logger.error("Failed to clear token:", error);
+            logger.error({ err: error }, "Failed to clear token");
         }
     }
     /**

package/build/schemas.js

@@ -467,7 +467,10 @@ export const RetryPipelineSchema = z.object({
     pipeline_id: z.coerce.string().describe("The ID of the pipeline to retry"),
 });
 // Schema for canceling a pipeline
-export const CancelPipelineSchema = RetryPipelineSchema;
+export const CancelPipelineSchema = z.object({
+    project_id: z.coerce.string().describe("Project ID or URL-encoded path"),
+    pipeline_id: z.coerce.string().describe("The ID of the pipeline to cancel"),
+});
 // Schema for the input parameters for pipeline job operations
 export const GetPipelineJobOutputSchema = z.object({
     project_id: z.coerce.string().describe("Project ID or URL-encoded path"),
@@ -1668,7 +1671,7 @@ export const MergeMergeRequestSchema = ProjectParamsSchema.extend({
         .boolean()
         .optional()
         .default(false)
-        .describe("If true, the merge request merges when the pipeline succeeds.in GitLab 17.11. Use"),
+        .describe("If true, the merge request merges when the pipeline succeeds. Deprecated in GitLab 17.11. Use `auto_merge` instead."),
     should_remove_source_branch: z.coerce
         .boolean()
         .optional()
@@ -2091,7 +2094,7 @@ export const ListLabelsSchema = z
     with_counts: z
         .coerce.boolean()
         .optional()
-        .describe("Whether or not to include issue and merge request counts"),
+        .describe("Whether to include issue and merge request counts"),
     include_ancestor_groups: z.coerce.boolean().optional().describe("Include ancestor groups"),
     search: z.string().optional().describe("Keyword to filter labels by"),
 })