@zereight/mcp-gitlab 2.1.24 → 2.1.26

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (21) hide show
  1. package/README.md +5 -0
  2. package/build/config.js +1 -0
  3. package/build/index.js +644 -324
  4. package/build/oauth.js +65 -3
  5. package/build/schemas.js +475 -197
  6. package/build/test/dynamic-api-url-test.js +3 -3
  7. package/build/test/oauth-tests.js +39 -0
  8. package/build/test/remote-auth-simple-test.js +13 -2
  9. package/build/test/schema-tests.js +51 -0
  10. package/build/test/streamable-http-concurrent-session.test.js +92 -0
  11. package/build/test/streamable-http-unauthenticated-discovery.test.js +113 -0
  12. package/build/test/test-ci-catalog.js +177 -0
  13. package/build/test/test-create-repository.js +120 -0
  14. package/build/test/test-list-issues.js +15 -3
  15. package/build/test/test-toolset-filtering.js +6 -5
  16. package/build/test/test-update-project.js +112 -0
  17. package/build/test/utils/forwarded-public-base-url.test.js +38 -0
  18. package/build/tools/registry.js +26 -3
  19. package/build/utils/forwarded-public-base-url.js +62 -0
  20. package/build/utils/schema.js +15 -1
  21. package/package.json +4 -2
package/README.md CHANGED
@@ -267,8 +267,13 @@ the token to GitLab on behalf of the caller.
267
267
  | `REMOTE_AUTHORIZATION` | ✅ | Set to `true` to enable |
268
268
  | `STREAMABLE_HTTP` | ✅ | Must be `true` |
269
269
  | `ENABLE_DYNAMIC_API_URL` | optional | Allow per-request GitLab URL via `X-GitLab-API-URL` header |
270
+ | `GITLAB_ALLOW_UNAUTHENTICATED_TOOL_DISCOVERY` | optional | Allow unauthenticated `initialize`, `notifications/initialized`, and `tools/list` only (tool calls still require auth) |
270
271
  | `MCP_TRUST_PROXY` | optional | Trust `Forwarded` / `X-Forwarded-*` headers behind a reverse proxy (download URLs, Express `req.ip`, OAuth rate limits) |
271
272
 
273
+ `GITLAB_ALLOW_UNAUTHENTICATED_TOOL_DISCOVERY=true` is intended for MCP gateways
274
+ or admin UIs that need to inspect tool metadata before a user provides a GitLab
275
+ token. Leave it disabled unless the tool list is safe to expose in your deployment.
276
+
272
277
  When `MCP_SERVER_URL` is not set, remote download URLs fall back to the local
273
278
  server address. Set `MCP_TRUST_PROXY=true` only if the server is reachable through a
274
279
  trusted reverse proxy and direct client access to the MCP server is blocked.
package/build/config.js CHANGED
@@ -47,6 +47,7 @@ export const SSE = getConfig("sse", "SSE") === "true";
47
47
  export const STREAMABLE_HTTP = getConfig("streamable-http", "STREAMABLE_HTTP") === "true";
48
48
  export const REMOTE_AUTHORIZATION = getConfig("remote-auth", "REMOTE_AUTHORIZATION") === "true";
49
49
  export const GITLAB_MCP_OAUTH = getConfig("mcp-oauth", "GITLAB_MCP_OAUTH") === "true";
50
+ export const GITLAB_ALLOW_UNAUTHENTICATED_TOOL_DISCOVERY = getConfig("allow-unauthenticated-tool-discovery", "GITLAB_ALLOW_UNAUTHENTICATED_TOOL_DISCOVERY") === "true";
50
51
  export const MCP_TRUST_PROXY = getConfig("mcp-trust-proxy", "MCP_TRUST_PROXY") === "true";
51
52
  // ---------------------------------------------------------------------------
52
53
  // OAuth / MCP OAuth