gitlab-mcp 1.1.0 → 1.2.0

package/package.json

@@ -1,8 +1,18 @@
 {
   "name": "gitlab-mcp",
-  "version": "1.1.0",
+  "version": "1.2.0",
   "description": "A MCP server for GitLab",
   "type": "module",
+  "bin": {
+    "gitlab-mcp": "dist/index.js",
+    "gitlab-mcp-http": "dist/http.js"
+  },
+  "files": [
+    "dist",
+    "LICENSE",
+    "README.md",
+    "docs"
+  ],
   "packageManager": "pnpm@10.28.1",
   "engines": {
     "node": ">=20.11.0"
@@ -17,6 +27,7 @@
   },
   "scripts": {
     "build": "tsc -p tsconfig.build.json",
+    "prepack": "npm run build",
     "typecheck": "tsc --noEmit",
     "dev": "tsx watch src/index.ts",
     "dev:http": "tsx watch src/http.ts",
@@ -38,6 +49,7 @@
     "dotenv": "^17.3.1",
     "express": "^5.2.1",
     "fetch-cookie": "^3.2.0",
+    "graphql": "^16.12.0",
     "open": "^11.0.0",
     "picomatch": "^4.0.3",
     "pino": "^10.3.1",

package/.dockerignore

@@ -1,7 +0,0 @@
-node_modules
-dist
-coverage
-.git
-.gitignore
-.vscode
-.DS_Store

package/.editorconfig

@@ -1,9 +0,0 @@
-root = true
-
-[*]
-charset = utf-8
-indent_style = space
-indent_size = 2
-end_of_line = lf
-insert_final_newline = true
-trim_trailing_whitespace = true

package/.env.example

@@ -1,75 +0,0 @@
-NODE_ENV=development
-LOG_LEVEL=info
-
-MCP_SERVER_NAME=gitlab-mcp
-MCP_SERVER_VERSION=0.1.0
-
-# Base API URL(s). Supports comma-separated multi-instance URLs.
-# Each URL will be normalized to /api/v4 automatically.
-GITLAB_API_URL=https://gitlab.com/api/v4
-
-# For stdio/local mode. In REMOTE_AUTHORIZATION mode this can stay empty.
-GITLAB_PERSONAL_ACCESS_TOKEN=
-
-# Optional built-in OAuth (PKCE)
-GITLAB_USE_OAUTH=false
-GITLAB_OAUTH_CLIENT_ID=
-GITLAB_OAUTH_CLIENT_SECRET=
-GITLAB_OAUTH_GITLAB_URL=
-GITLAB_OAUTH_REDIRECT_URI=http://127.0.0.1:8765/callback
-GITLAB_OAUTH_SCOPES=api
-GITLAB_OAUTH_TOKEN_PATH=~/.gitlab-mcp-oauth-token.json
-GITLAB_OAUTH_AUTO_OPEN_BROWSER=true
-
-# Tool/runtime policy
-GITLAB_READ_ONLY_MODE=false
-GITLAB_ALLOWED_PROJECT_IDS=
-GITLAB_ALLOWED_TOOLS=
-GITLAB_DENIED_TOOLS_REGEX=
-GITLAB_ALLOW_GRAPHQL_WITH_PROJECT_SCOPE=false
-
-# Output tuning
-GITLAB_RESPONSE_MODE=json
-GITLAB_MAX_RESPONSE_BYTES=200000
-GITLAB_HTTP_TIMEOUT_MS=20000
-GITLAB_ERROR_DETAIL_MODE=
-
-# Optional auth/runtime enhancements
-GITLAB_AUTH_COOKIE_PATH=
-GITLAB_COOKIE_WARMUP_PATH=/user
-GITLAB_TOKEN_SCRIPT=
-GITLAB_TOKEN_SCRIPT_TIMEOUT_MS=10000
-GITLAB_TOKEN_CACHE_SECONDS=300
-GITLAB_TOKEN_FILE=
-GITLAB_ALLOW_INSECURE_TOKEN_FILE=false
-
-# Cloudflare/proxy compatibility
-GITLAB_CLOUDFLARE_BYPASS=false
-GITLAB_USER_AGENT=
-GITLAB_ACCEPT_LANGUAGE=en-US,en;q=0.9
-
-# TLS safety guard (must acknowledge if disabled)
-NODE_TLS_REJECT_UNAUTHORIZED=
-GITLAB_ALLOW_INSECURE_TLS=false
-GITLAB_CA_CERT_PATH=
-HTTP_PROXY=
-HTTPS_PROXY=
-
-# Feature toggles
-USE_GITLAB_WIKI=true
-USE_MILESTONE=true
-USE_PIPELINE=true
-USE_RELEASE=true
-
-# Remote auth/session controls (for Streamable HTTP)
-REMOTE_AUTHORIZATION=false
-ENABLE_DYNAMIC_API_URL=false
-SESSION_TIMEOUT_SECONDS=3600
-MAX_SESSIONS=1000
-MAX_REQUESTS_PER_MINUTE=300
-
-# HTTP server
-HTTP_HOST=127.0.0.1
-HTTP_PORT=3333
-HTTP_JSON_ONLY=false
-SSE=false

package/.github/workflows/nodejs.yml

@@ -1,31 +0,0 @@
-name: Node CI
-
-on: [push]
-
-jobs:
-  build:
-    runs-on: ubuntu-latest
-
-    strategy:
-      matrix:
-        node-version: [22.x]
-
-    steps:
-      - uses: actions/checkout@v4
-      - name: Setup pnpm
-        uses: pnpm/action-setup@v4
-        with:
-          version: 10.28.1
-          run_install: false
-      - name: Use Node.js ${{ matrix.node-version }}
-        uses: actions/setup-node@v4
-        with:
-          node-version: ${{ matrix.node-version }}
-          cache: "pnpm"
-      - name: pnpm install, build, and test
-        run: |
-          pnpm install --frozen-lockfile
-          pnpm build
-          pnpm test
-        env:
-          CI: true

package/.github/workflows/npm-publish.yml

@@ -1,31 +0,0 @@
-name: Node.js Package
-
-on:
-  release:
-    types: [created]
-
-jobs:
-  publish-npm:
-    runs-on: ubuntu-latest
-    permissions:
-      contents: read
-      id-token: write
-    steps:
-      - uses: actions/checkout@v4
-      - name: Setup pnpm
-        uses: pnpm/action-setup@v4
-        with:
-          version: 10.28.1
-          run_install: false
-      - uses: actions/setup-node@v4
-        with:
-          node-version: "22.x"
-          cache: "pnpm"
-          registry-url: "https://registry.npmjs.org"
-      - run: pnpm install --frozen-lockfile
-      - run: pnpm build
-      - run: pnpm test
-      - run: npm publish --provenance
-        env:
-          NODE_AUTH_TOKEN: ${{secrets.NPM_AUTH_TOKEN}}
-          CI: true

package/.husky/pre-commit

@@ -1 +0,0 @@
-npm run lint-staged

package/.nvmrc

@@ -1 +0,0 @@
-22

package/.prettierrc.json

@@ -1,6 +0,0 @@
-{
-  "semi": true,
-  "singleQuote": false,
-  "trailingComma": "none",
-  "printWidth": 100
-}

package/Dockerfile

@@ -1,20 +0,0 @@
-FROM node:22-alpine AS deps
-WORKDIR /app
-RUN corepack enable
-COPY package.json pnpm-lock.yaml ./
-RUN pnpm install --frozen-lockfile
-
-FROM deps AS build
-COPY . .
-RUN pnpm build
-
-FROM node:22-alpine AS runtime
-WORKDIR /app
-ENV NODE_ENV=production
-RUN corepack enable
-COPY package.json pnpm-lock.yaml ./
-RUN pnpm install --prod --frozen-lockfile
-COPY --from=build /app/dist ./dist
-COPY .env.example ./.env.example
-EXPOSE 3333
-CMD ["node", "dist/http.js"]

package/docker-compose.yml

@@ -1,10 +0,0 @@
-services:
-  gitlab-mcp:
-    build:
-      context: .
-      dockerfile: Dockerfile
-    env_file:
-      - .env
-    ports:
-      - "3333:3333"
-    restart: unless-stopped

package/eslint.config.js

@@ -1,23 +0,0 @@
-import js from "@eslint/js";
-import tseslint from "typescript-eslint";
-import prettier from "eslint-config-prettier";
-
-export default tseslint.config(
-  {
-    ignores: ["dist/**", "coverage/**", "node_modules/**", "other/**"]
-  },
-  js.configs.recommended,
-  ...tseslint.configs.recommended,
-  {
-    files: ["**/*.ts"],
-    rules: {
-      "@typescript-eslint/consistent-type-imports": [
-        "error",
-        {
-          prefer: "type-imports"
-        }
-      ]
-    }
-  },
-  prettier
-);

package/scripts/get-oauth-token.example.sh

@@ -1,15 +0,0 @@
-#!/usr/bin/env bash
-set -euo pipefail
-
-# Example external token script for GITLAB_TOKEN_SCRIPT.
-# The MCP server accepts either:
-# 1) Raw token on stdout
-# 2) JSON: {"access_token":"..."} or {"token":"..."}
-
-if [[ -n "${GITLAB_OAUTH_ACCESS_TOKEN:-}" ]]; then
-  printf '{"access_token":"%s"}\n' "${GITLAB_OAUTH_ACCESS_TOKEN}"
-  exit 0
-fi
-
-echo "GITLAB_OAUTH_ACCESS_TOKEN is not set" >&2
-exit 1

package/src/config/env.ts

@@ -1,171 +0,0 @@
-import "dotenv/config";
-
-import { z } from "zod";
-
-const logLevelSchema = z.enum(["fatal", "error", "warn", "info", "debug", "trace", "silent"]);
-
-const responseModeSchema = z.enum(["json", "compact-json", "yaml"]);
-const errorDetailModeSchema = z.enum(["safe", "full"]);
-
-function parseBoolean(value: string | undefined, fallback: boolean): boolean {
-  if (value === undefined) {
-    return fallback;
-  }
-
-  return value.toLowerCase() === "true";
-}
-
-function parseCsv(value: string | undefined): string[] {
-  if (!value) {
-    return [];
-  }
-
-  return value
-    .split(",")
-    .map((item) => item.trim())
-    .filter((item) => item.length > 0);
-}
-
-const envSchema = z.object({
-  NODE_ENV: z.enum(["development", "test", "production"]).default("development"),
-  LOG_LEVEL: logLevelSchema.default("info"),
-  MCP_SERVER_NAME: z.string().min(1).default("gitlab-mcp"),
-  MCP_SERVER_VERSION: z.string().min(1).default("0.1.0"),
-  GITLAB_API_URL: z.string().min(1).default("https://gitlab.com/api/v4"),
-  GITLAB_PERSONAL_ACCESS_TOKEN: z.string().min(1).optional(),
-  GITLAB_USE_OAUTH: z.enum(["true", "false"]).default("false"),
-  GITLAB_OAUTH_CLIENT_ID: z.string().optional(),
-  GITLAB_OAUTH_CLIENT_SECRET: z.string().optional(),
-  GITLAB_OAUTH_GITLAB_URL: z.string().optional(),
-  GITLAB_OAUTH_REDIRECT_URI: z.string().url().optional(),
-  GITLAB_OAUTH_SCOPES: z.string().default("api"),
-  GITLAB_OAUTH_TOKEN_PATH: z.string().optional(),
-  GITLAB_OAUTH_AUTO_OPEN_BROWSER: z.enum(["true", "false"]).default("true"),
-  GITLAB_READ_ONLY_MODE: z
-    .enum(["true", "false"])
-    .default("false")
-    .transform((value) => value === "true"),
-  GITLAB_ALLOWED_PROJECT_IDS: z.string().optional(),
-  GITLAB_ALLOWED_TOOLS: z.string().optional(),
-  GITLAB_DENIED_TOOLS_REGEX: z.string().optional(),
-  GITLAB_ALLOW_GRAPHQL_WITH_PROJECT_SCOPE: z.enum(["true", "false"]).default("false"),
-  GITLAB_RESPONSE_MODE: responseModeSchema.default("json"),
-  GITLAB_MAX_RESPONSE_BYTES: z.coerce.number().int().min(1024).max(2_000_000).default(200_000),
-  GITLAB_HTTP_TIMEOUT_MS: z.coerce.number().int().min(1_000).max(120_000).default(20_000),
-  GITLAB_ERROR_DETAIL_MODE: errorDetailModeSchema.optional(),
-  GITLAB_AUTH_COOKIE_PATH: z.string().optional(),
-  GITLAB_COOKIE_WARMUP_PATH: z.string().default("/user"),
-  GITLAB_CLOUDFLARE_BYPASS: z.enum(["true", "false"]).default("false"),
-  GITLAB_USER_AGENT: z.string().optional(),
-  GITLAB_ACCEPT_LANGUAGE: z.string().optional(),
-  GITLAB_TOKEN_SCRIPT: z.string().optional(),
-  GITLAB_TOKEN_SCRIPT_TIMEOUT_MS: z.coerce.number().int().min(500).max(120_000).default(10_000),
-  GITLAB_TOKEN_CACHE_SECONDS: z.coerce.number().int().min(0).max(86_400).default(300),
-  GITLAB_TOKEN_FILE: z.string().optional(),
-  GITLAB_ALLOW_INSECURE_TOKEN_FILE: z.enum(["true", "false"]).default("false"),
-  GITLAB_ALLOW_INSECURE_TLS: z.enum(["true", "false"]).default("false"),
-  NODE_TLS_REJECT_UNAUTHORIZED: z.string().optional(),
-  GITLAB_CA_CERT_PATH: z.string().optional(),
-  HTTP_PROXY: z.string().optional(),
-  HTTPS_PROXY: z.string().optional(),
-  USE_GITLAB_WIKI: z.enum(["true", "false"]).default("true"),
-  USE_MILESTONE: z.enum(["true", "false"]).default("true"),
-  USE_PIPELINE: z.enum(["true", "false"]).default("true"),
-  USE_RELEASE: z.enum(["true", "false"]).default("true"),
-  REMOTE_AUTHORIZATION: z.enum(["true", "false"]).default("false"),
-  ENABLE_DYNAMIC_API_URL: z.enum(["true", "false"]).default("false"),
-  SESSION_TIMEOUT_SECONDS: z.coerce.number().int().min(1).max(86_400).default(3_600),
-  MAX_SESSIONS: z.coerce.number().int().min(1).max(10_000).default(1_000),
-  MAX_REQUESTS_PER_MINUTE: z.coerce.number().int().min(1).max(10_000).default(300),
-  HTTP_HOST: z.string().min(1).default("127.0.0.1"),
-  HTTP_PORT: z.coerce.number().int().min(1).max(65_535).default(3333),
-  HTTP_JSON_ONLY: z.enum(["true", "false"]).default("false"),
-  SSE: z.enum(["true", "false"]).default("false")
-});
-
-const parsed = envSchema.safeParse(process.env);
-
-if (!parsed.success) {
-  const issues = parsed.error.issues
-    .map((issue) => `- ${issue.path.join(".") || "(root)"}: ${issue.message}`)
-    .join("\n");
-
-  throw new Error(`Invalid environment variables:\n${issues}`);
-}
-
-const data = parsed.data;
-const rawApiUrls = parseCsv(data.GITLAB_API_URL);
-
-if (rawApiUrls.length === 0) {
-  throw new Error("GITLAB_API_URL must contain at least one URL");
-}
-
-const normalizedApiUrls = rawApiUrls.map((item) => {
-  try {
-    return normalizeApiUrl(item);
-  } catch {
-    throw new Error(`Invalid GITLAB_API_URL entry: '${item}'`);
-  }
-});
-
-if (data.ENABLE_DYNAMIC_API_URL === "true" && data.REMOTE_AUTHORIZATION !== "true") {
-  throw new Error("ENABLE_DYNAMIC_API_URL=true requires REMOTE_AUTHORIZATION=true");
-}
-
-if (data.GITLAB_USE_OAUTH === "true" && !data.GITLAB_OAUTH_CLIENT_ID) {
-  throw new Error("GITLAB_USE_OAUTH=true requires GITLAB_OAUTH_CLIENT_ID");
-}
-
-if (data.SSE === "true" && data.REMOTE_AUTHORIZATION === "true") {
-  throw new Error("SSE=true is not compatible with REMOTE_AUTHORIZATION=true");
-}
-
-if (data.NODE_TLS_REJECT_UNAUTHORIZED === "0" && data.GITLAB_ALLOW_INSECURE_TLS !== "true") {
-  throw new Error(
-    "NODE_TLS_REJECT_UNAUTHORIZED=0 requires GITLAB_ALLOW_INSECURE_TLS=true acknowledgment"
-  );
-}
-
-export const env = {
-  ...data,
-  GITLAB_READ_ONLY_MODE: data.GITLAB_READ_ONLY_MODE,
-  GITLAB_ERROR_DETAIL_MODE:
-    data.GITLAB_ERROR_DETAIL_MODE ?? (data.NODE_ENV === "production" ? "safe" : "full"),
-  GITLAB_USE_OAUTH: parseBoolean(data.GITLAB_USE_OAUTH, false),
-  GITLAB_OAUTH_AUTO_OPEN_BROWSER: parseBoolean(data.GITLAB_OAUTH_AUTO_OPEN_BROWSER, true),
-  GITLAB_CLOUDFLARE_BYPASS: parseBoolean(data.GITLAB_CLOUDFLARE_BYPASS, false),
-  GITLAB_ALLOW_INSECURE_TOKEN_FILE: parseBoolean(data.GITLAB_ALLOW_INSECURE_TOKEN_FILE, false),
-  GITLAB_ALLOW_INSECURE_TLS: parseBoolean(data.GITLAB_ALLOW_INSECURE_TLS, false),
-  USE_GITLAB_WIKI: parseBoolean(data.USE_GITLAB_WIKI, true),
-  USE_MILESTONE: parseBoolean(data.USE_MILESTONE, true),
-  USE_PIPELINE: parseBoolean(data.USE_PIPELINE, true),
-  USE_RELEASE: parseBoolean(data.USE_RELEASE, true),
-  REMOTE_AUTHORIZATION: parseBoolean(data.REMOTE_AUTHORIZATION, false),
-  ENABLE_DYNAMIC_API_URL: parseBoolean(data.ENABLE_DYNAMIC_API_URL, false),
-  HTTP_JSON_ONLY: parseBoolean(data.HTTP_JSON_ONLY, false),
-  SSE: parseBoolean(data.SSE, false),
-  GITLAB_ALLOWED_PROJECT_IDS: parseCsv(data.GITLAB_ALLOWED_PROJECT_IDS),
-  GITLAB_ALLOWED_TOOLS: parseCsv(data.GITLAB_ALLOWED_TOOLS),
-  GITLAB_ALLOW_GRAPHQL_WITH_PROJECT_SCOPE: parseBoolean(
-    data.GITLAB_ALLOW_GRAPHQL_WITH_PROJECT_SCOPE,
-    false
-  ),
-  GITLAB_API_URLS: normalizedApiUrls,
-  GITLAB_API_URL: normalizedApiUrls[0] ?? normalizeApiUrl("https://gitlab.com/api/v4")
-};
-
-export type AppEnv = typeof env;
-
-function normalizeApiUrl(rawUrl: string): string {
-  const url = new URL(rawUrl);
-  const pathname = url.pathname.replace(/\/+$/, "");
-
-  if (pathname.endsWith("/api/v4")) {
-    url.pathname = pathname;
-    return url.toString();
-  }
-
-  url.pathname = `${pathname}/api/v4`.replace(/\/\//g, "/");
-
-  return url.toString();
-}