@zereight/mcp-gitlab 2.1.4 → 2.1.6

package/build/test/stateless/session-id.test.js

@@ -0,0 +1,131 @@
+/**
+ * Unit tests for the sealed Mcp-Session-Id helpers.
+ */
+import assert from "node:assert/strict";
+import { randomBytes } from "node:crypto";
+import { describe, test } from "node:test";
+import { loadKeyMaterialFromEnv, looksLikeStatelessSessionId, mintSessionId, openSessionId, } from "../../stateless/index.js";
+function secret() {
+    return randomBytes(32).toString("base64url");
+}
+function load(current, previous) {
+    const env = {
+        OAUTH_STATELESS_SECRET: current,
+    };
+    if (previous)
+        env.OAUTH_STATELESS_SECRET_PREVIOUS = previous;
+    const m = loadKeyMaterialFromEnv(true, env);
+    assert.ok(m);
+    return m;
+}
+describe("mintSessionId / openSessionId", () => {
+    test("roundtrips across pods", () => {
+        const s = secret();
+        const a = load(s);
+        const b = load(s);
+        const sid = mintSessionId(a, {
+            header: "Authorization",
+            token: "glpat-ABCDEFG123456789-abcdef",
+            apiUrl: "https://gitlab.example.com/api/v4",
+        });
+        assert.ok(looksLikeStatelessSessionId(sid));
+        const opened = openSessionId(b, sid, 3600);
+        assert.ok(opened);
+        assert.equal(opened.h, "Authorization");
+        assert.equal(opened.t, "glpat-ABCDEFG123456789-abcdef");
+        assert.equal(opened.u, "https://gitlab.example.com/api/v4");
+    });
+    test("preserves Private-Token / JOB-TOKEN headers", () => {
+        const m = load(secret());
+        for (const h of ["Private-Token", "JOB-TOKEN"]) {
+            const sid = mintSessionId(m, {
+                header: h,
+                token: "some-token-value-at-least-20-chars",
+                apiUrl: "https://gitlab.example.com/api/v4",
+            });
+            const opened = openSessionId(m, sid, 3600);
+            assert.ok(opened);
+            assert.equal(opened.h, h);
+        }
+    });
+    test("rejects unknown header values", () => {
+        // Hand-craft a payload with a bogus header value. We do this by minting a
+        // legitimate token then mutating the decoded payload via a second mint
+        // won't work (AEAD). Instead, assert the helper rejects garbage input
+        // by tampering with an unrelated value and checking it still fails safely.
+        const m = load(secret());
+        const sid = mintSessionId(m, {
+            header: "Authorization",
+            token: "t".repeat(25),
+            apiUrl: "u",
+        });
+        // Truncate to force bad ciphertext on open.
+        const broken = sid.slice(0, -3);
+        assert.equal(openSessionId(m, broken, 3600), null);
+    });
+    test("expired sid rejected", () => {
+        const m = load(secret());
+        const past = Math.floor(Date.now() / 1000) - 10_000;
+        const sid = mintSessionId(m, {
+            header: "Authorization",
+            token: "t".repeat(25),
+            apiUrl: "u",
+            now: () => past,
+        });
+        assert.equal(openSessionId(m, sid, 60), null);
+    });
+    test("different secret rejects", () => {
+        const a = load(secret());
+        const b = load(secret());
+        const sid = mintSessionId(a, {
+            header: "Authorization",
+            token: "t".repeat(25),
+            apiUrl: "u",
+        });
+        assert.equal(openSessionId(b, sid, 3600), null);
+    });
+    test("rotation: sid minted under previous secret opens on rotated pod", () => {
+        const s1 = secret();
+        const s2 = secret();
+        const old = load(s1);
+        const rotated = load(s2, s1);
+        const sid = mintSessionId(old, {
+            header: "Authorization",
+            token: "t".repeat(25),
+            apiUrl: "u",
+        });
+        const opened = openSessionId(rotated, sid, 3600);
+        assert.ok(opened);
+    });
+    test("looksLikeStatelessSessionId distinguishes legacy UUIDs", () => {
+        const m = load(secret());
+        const sid = mintSessionId(m, {
+            header: "Authorization",
+            token: "t".repeat(25),
+            apiUrl: "u",
+        });
+        assert.ok(looksLikeStatelessSessionId(sid));
+        assert.ok(!looksLikeStatelessSessionId("a4f1c2b8-f2c4-4ee6-bc14-2b7ab0e6ab11"));
+        assert.ok(!looksLikeStatelessSessionId(""));
+    });
+    test("fresh sid has different iat each time (rotation on every refresh)", () => {
+        const m = load(secret());
+        const sid1 = mintSessionId(m, {
+            header: "Authorization",
+            token: "t".repeat(25),
+            apiUrl: "u",
+            now: () => 1000,
+        });
+        const sid2 = mintSessionId(m, {
+            header: "Authorization",
+            token: "t".repeat(25),
+            apiUrl: "u",
+            now: () => 2000,
+        });
+        assert.notEqual(sid1, sid2);
+        const open1 = openSessionId(m, sid1, 3600, () => 2000);
+        const open2 = openSessionId(m, sid2, 3600, () => 2000);
+        assert.equal(open1.iat, 1000);
+        assert.equal(open2.iat, 2000);
+    });
+});

package/build/test/test-json-schema.js

@@ -0,0 +1,148 @@
+#!/usr/bin/env ts-node
+import { z } from "zod";
+import { toJSONSchema } from "../utils/schema.js";
+function assert(condition, message) {
+    if (!condition) {
+        throw new Error(message);
+    }
+}
+function runTests() {
+    console.log("Testing toJSONSchema utility...");
+    const results = [];
+    // Test 1: Required field extraction
+    try {
+        const schema = z.object({
+            requiredField: z.string(),
+            optionalField: z.string().optional(),
+        });
+        const result = toJSONSchema(schema);
+        assert(result.required?.includes("requiredField"), "requiredField should be in required array");
+        assert(!result.required?.includes("optionalField"), "optionalField should NOT be in required array");
+        results.push({ name: "required field extraction", status: "passed" });
+    }
+    catch (error) {
+        results.push({
+            name: "required field extraction",
+            status: "failed",
+            error: error.message,
+        });
+    }
+    // Test 2: Nullable fields
+    try {
+        const schema = z.object({
+            nullableField: z.string().nullable(),
+            requiredField: z.string(),
+        });
+        const result = toJSONSchema(schema);
+        assert(result.required?.includes("requiredField"), "requiredField should be in required array");
+        assert(!result.required?.includes("nullableField"), "nullableField should NOT be in required array");
+        results.push({ name: "nullable fields", status: "passed" });
+    }
+    catch (error) {
+        results.push({
+            name: "nullable fields",
+            status: "failed",
+            error: error.message,
+        });
+    }
+    // Test 3: Optional nullable fields
+    try {
+        const schema = z.object({
+            optionalNullable: z.string().optional().nullable(),
+            requiredField: z.string(),
+        });
+        const result = toJSONSchema(schema);
+        assert(result.required?.includes("requiredField"), "requiredField should be in required array");
+        assert(!result.required?.includes("optionalNullable"), "optionalNullable should NOT be in required array");
+        results.push({ name: "optional nullable fields", status: "passed" });
+    }
+    catch (error) {
+        results.push({
+            name: "optional nullable fields",
+            status: "failed",
+            error: error.message,
+        });
+    }
+    // Test 4: Fields with defaults
+    try {
+        const schema = z.object({
+            fieldWithDefault: z.string().default("default-value"),
+            requiredField: z.string(),
+        });
+        const result = toJSONSchema(schema);
+        assert(result.required?.includes("requiredField"), "requiredField should be in required array");
+        assert(!result.required?.includes("fieldWithDefault"), "fieldWithDefault should NOT be in required array");
+        assert(result.properties.fieldWithDefault.default === "default-value", "default value should be preserved");
+        results.push({ name: "fields with defaults", status: "passed" });
+    }
+    catch (error) {
+        results.push({
+            name: "fields with defaults",
+            status: "failed",
+            error: error.message,
+        });
+    }
+    // Test 5: Nested objects with shared property names
+    try {
+        const schema = z.object({
+            foo: z.string(), // Required at root
+            nested: z.object({
+                foo: z.string().optional(), // Optional in nested, shares name with root
+            }),
+        });
+        const result = toJSONSchema(schema);
+        assert(result.required?.includes("foo"), "root foo should be in required array");
+        assert(result.required?.includes("nested"), "nested object should be in required array");
+        assert(result.properties.nested.required === undefined, "nested foo should NOT be in required array");
+        results.push({
+            name: "nested objects with shared property names",
+            status: "passed",
+        });
+    }
+    catch (error) {
+        results.push({
+            name: "nested objects with shared property names",
+            status: "failed",
+            error: error.message,
+        });
+    }
+    // Test 6: Coerced fields
+    try {
+        const schema = z.object({
+            coercedField: z.coerce.string(),
+            optionalCoercedField: z.coerce.string().optional(),
+        });
+        const result = toJSONSchema(schema);
+        assert(result.required?.includes("coercedField"), "coercedField should be in required array (z.coerce without optional)");
+        assert(!result.required?.includes("optionalCoercedField"), "optionalCoercedField should NOT be in required array (z.coerce with optional)");
+        results.push({ name: "coerced fields", status: "passed" });
+    }
+    catch (error) {
+        results.push({
+            name: "coerced fields",
+            status: "failed",
+            error: error.message,
+        });
+    }
+    // Print results
+    const passed = results.filter((r) => r.status === "passed").length;
+    const failed = results.filter((r) => r.status === "failed").length;
+    console.log("\nTest Results:");
+    console.log("=".repeat(50));
+    results.forEach((result) => {
+        if (result.status === "passed") {
+            console.log(`  ${result.name}: ${result.status}`);
+        }
+        else {
+            console.log(`  ${result.name}: ${result.status}`);
+            console.log(`    Error: ${result.error}`);
+        }
+    });
+    console.log("=".repeat(50));
+    console.log(`Total: ${results.length} tests`);
+    console.log(`Passed: ${passed}`);
+    console.log(`Failed: ${failed}`);
+    return { passed, failed };
+}
+// Run tests
+runTests();

package/build/utils/schema.js

@@ -1,12 +1,38 @@
+import { z } from "zod";
 import { zodToJsonSchema } from "zod-to-json-schema";
 /**
  * Convert a Zod schema to JSON Schema, fixing nullable/optional fields
- * so they are not marked as required.
+ * so they are not marked as required, and extracting required fields from the Zod schema.
  */
 export const toJSONSchema = (schema) => {
     const jsonSchema = zodToJsonSchema(schema, { $refStrategy: "none" });
+    // Extract required fields from Zod schema
+    const zodRequiredFields = (() => {
+        if (schema instanceof z.ZodObject) {
+            const shape = schema.shape;
+            const requiredFields = [];
+            Object.entries(shape).forEach(([key, fieldDef]) => {
+                const zodType = fieldDef;
+                const typeName = zodType._def?.typeName;
+                // Check if field is wrapped in zod required types
+                const isRequired = [
+                    "ZodOptional",
+                    "ZodNullable",
+                    "ZodDefault",
+                    "ZodEffects",
+                    "ZodCatch",
+                    "ZodBranded",
+                ].includes(typeName);
+                if (!isRequired) {
+                    requiredFields.push(key);
+                }
+            });
+            return requiredFields;
+        }
+        return [];
+    })();
     // Post-process to fix nullable/optional fields and strip verbose keys
-    function fixNullableOptional(obj) {
+    function fixNullableOptional(obj, isRoot = false) {
         if (obj && typeof obj === "object") {
             // Strip $schema (meta-only, not needed for tool input validation)
             delete obj.$schema;
@@ -15,6 +41,14 @@ export const toJSONSchema = (schema) => {
             // If this object has properties, process them
             if (obj.properties) {
                 const requiredSet = new Set(obj.required || []);
+                // Add required fields extracted from Zod schema (only for root object)
+                if (isRoot) {
+                    zodRequiredFields.forEach(field => {
+                        if (obj.properties[field]) {
+                            requiredSet.add(field);
+                        }
+                    });
+                }
                 Object.keys(obj.properties).forEach(key => {
                     const prop = obj.properties[key];
                     // Handle fields that can be null or omitted
@@ -25,8 +59,8 @@ export const toJSONSchema = (schema) => {
                     else if (Array.isArray(prop.type) && prop.type.includes("null")) {
                         requiredSet.delete(key);
                     }
-                    // Recursively process nested objects
-                    obj.properties[key] = fixNullableOptional(prop);
+                    // Recursively process nested objects (not root)
+                    obj.properties[key] = fixNullableOptional(prop, false);
                 });
                 // Normalize the required array after processing all properties
                 if (requiredSet.size > 0) {
@@ -39,11 +73,11 @@ export const toJSONSchema = (schema) => {
             // Process anyOf/allOf/oneOf
             ["anyOf", "allOf", "oneOf"].forEach(combiner => {
                 if (obj[combiner]) {
-                    obj[combiner] = obj[combiner].map(fixNullableOptional);
+                    obj[combiner] = obj[combiner].map((item) => fixNullableOptional(item, false));
                 }
             });
         }
         return obj;
     }
-    return fixNullableOptional(jsonSchema);
+    return fixNullableOptional(jsonSchema, true);
 };

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@zereight/mcp-gitlab",
-  "version": "2.1.4",
+  "version": "2.1.6",
   "mcpName": "io.github.zereight/gitlab-mcp",
   "description": "GitLab MCP server for projects, merge requests, issues, pipelines, wiki, releases, and more",
   "keywords": [
@@ -51,11 +51,12 @@
     "changelog": "auto-changelog -p",
     "test": "npm run test:all",
     "test:all": "npm run build && npm run test:mock && npm run test:live",
-    "test:mock": "node --import tsx/esm --test test/remote-auth-simple-test.ts && node --import tsx/esm --test test/mcp-oauth-tests.ts && tsx test/oauth-tests.ts && tsx test/test-list-merge-requests.ts && tsx test/test-list-project-members.ts && tsx test/test-download-attachment.ts && node --import tsx/esm --test test/test-job-artifacts.ts && node --import tsx/esm --test test/test-deployment-tools.ts && node --import tsx/esm --test test/test-merge-request-approval-state-tools.ts && node --import tsx/esm --test test/test-search-code.ts && node --import tsx/esm --test test/test-toolset-filtering.ts && node --import tsx/esm --test test/test-auth-retry.ts",
+    "test:mock": "node --import tsx/esm --test test/remote-auth-simple-test.ts && node --import tsx/esm --test test/mcp-oauth-tests.ts && tsx test/oauth-tests.ts && tsx test/test-list-merge-requests.ts && tsx test/test-list-project-members.ts && tsx test/test-download-attachment.ts && node --import tsx/esm --test test/test-job-artifacts.ts && node --import tsx/esm --test test/test-deployment-tools.ts && node --import tsx/esm --test test/test-merge-request-approval-state-tools.ts && node --import tsx/esm --test test/test-search-code.ts && node --import tsx/esm --test test/test-toolset-filtering.ts && node --import tsx/esm --test test/test-auth-retry.ts && node --import tsx/esm --test test/stateless/codec.test.ts test/stateless/client-id.test.ts test/stateless/callback-proxy.test.ts test/stateless/session-id.test.ts test/stateless/session-id-integration.test.ts test/stateless/config-ttl.test.ts",
+    "test:stateless": "npm run build && node --import tsx/esm --test test/stateless/codec.test.ts test/stateless/client-id.test.ts test/stateless/callback-proxy.test.ts test/stateless/session-id.test.ts test/stateless/session-id-integration.test.ts test/stateless/config-ttl.test.ts",
     "test:mcp-oauth": "npm run build && node --import tsx/esm --test test/mcp-oauth-tests.ts",
     "test:live": "node test/validate-api.js",
     "test:remote-auth": "npm run build && node --import tsx/esm --test test/remote-auth-simple-test.ts",
-    "test:schema": "tsx test/schema-tests.ts",
+    "test:schema": "tsx test/schema-tests.ts && tsx test/test-json-schema.ts",
     "test:oauth": "tsx test/oauth-tests.ts",
     "test:list-merge-requests": "npm run build && tsx test/test-list-merge-requests.ts",
     "test:approvals": "npm run build && tsx test/test-merge-request-approvals.ts",