feat: add GITLAB_LOCK_PROJECT environment variable

agent · agent · commit a102e94e4020 · 2025-07-04T10:23:51.000+02:00
Add ability to lock the MCP server to a single GitLab project by setting
GITLAB_LOCK_PROJECT=true. When enabled, the server will only allow access
to the project specified in GITLAB_PROJECT_ID and deny access to any other
projects with a clear error message.

This is useful for:
- Enhanced security by restricting access to a single project
- Preventing accidental operations on wrong projects
- Creating dedicated MCP instances for specific projects
diff --git a/README.md b/README.md
@@ -25,6 +25,8 @@ When using with the Claude App, you need to set up your API key and URLs directl
       "env": {
         "GITLAB_PERSONAL_ACCESS_TOKEN": "your_gitlab_token",
         "GITLAB_API_URL": "your_gitlab_api_url",
+        "GITLAB_PROJECT_ID": "your_project_id", // Optional: default project
+        "GITLAB_LOCK_PROJECT": "false", // Optional: lock to single project
         "GITLAB_READ_ONLY_MODE": "false",
         "USE_GITLAB_WIKI": "false", // use wiki api?
         "USE_MILESTONE": "false", // use milestone api?
@@ -168,6 +170,7 @@ $ sh scripts/image_push.sh docker_user_name
 - `GITLAB_PERSONAL_ACCESS_TOKEN`: Your GitLab personal access token.
 - `GITLAB_API_URL`: Your GitLab API URL. (Default: `https://gitlab.com/api/v4`)
 - `GITLAB_PROJECT_ID`: Default project ID. If set, Overwrite this value when making an API request.
+- `GITLAB_LOCK_PROJECT`: When set to 'true', locks the MCP server to only access the project specified in `GITLAB_PROJECT_ID`. Any attempts to access other projects will be denied. Requires `GITLAB_PROJECT_ID` to be set.
 - `GITLAB_READ_ONLY_MODE`: When set to 'true', restricts the server to only expose read-only operations. Useful for enhanced security or when write access is not needed. Also useful for using with Cursor and it's 40 tool limit.
 - `USE_GITLAB_WIKI`: When set to 'true', enables the wiki-related tools (list_wiki_pages, get_wiki_page, create_wiki_page, update_wiki_page, delete_wiki_page). By default, wiki features are disabled.
 - `USE_MILESTONE`: When set to 'true', enables the milestone-related tools (list_milestones, get_milestone, create_milestone, edit_milestone, delete_milestone, get_milestone_issue, get_milestone_merge_requests, promote_milestone, get_milestone_burndown_events). By default, milestone features are disabled.
diff --git a/index.ts b/index.ts
@@ -826,12 +826,18 @@ function normalizeGitLabApiUrl(url?: string): string {
 // Use the normalizeGitLabApiUrl function to handle various URL formats
 const GITLAB_API_URL = normalizeGitLabApiUrl(process.env.GITLAB_API_URL || "");
 const GITLAB_PROJECT_ID = process.env.GITLAB_PROJECT_ID;
+const GITLAB_LOCK_PROJECT = process.env.GITLAB_LOCK_PROJECT === "true";
 
 if (!GITLAB_PERSONAL_ACCESS_TOKEN) {
   console.error("GITLAB_PERSONAL_ACCESS_TOKEN environment variable is not set");
   process.exit(1);
 }
 
+if (GITLAB_LOCK_PROJECT && !GITLAB_PROJECT_ID) {
+  console.error("GITLAB_PROJECT_ID must be set when GITLAB_LOCK_PROJECT is enabled");
+  process.exit(1);
+}
+
 /**
  * Utility function for handling GitLab API errors
  * API 에러 처리를 위한 유틸리티 함수 (Utility function for handling API errors)
@@ -857,8 +863,18 @@ async function handleGitLabError(response: import("node-fetch").Response): Promi
 /**
  * @param {string} projectId - The project ID parameter passed to the function
  * @returns {string} The project ID to use for the API call
+ * @throws {Error} If GITLAB_LOCK_PROJECT is enabled and a different project is requested
  */
 function getEffectiveProjectId(projectId: string): string {
+  if (GITLAB_LOCK_PROJECT) {
+    if (!GITLAB_PROJECT_ID) {
+      throw new Error("GITLAB_PROJECT_ID must be set when GITLAB_LOCK_PROJECT is enabled");
+    }
+    if (projectId && projectId !== GITLAB_PROJECT_ID) {
+      throw new Error(`Access denied: This MCP server is locked to project ${GITLAB_PROJECT_ID}. Cannot access project ${projectId}`);
+    }
+    return GITLAB_PROJECT_ID;
+  }
   return GITLAB_PROJECT_ID || projectId;
 }
 
