Skip to content

v0.4.0 — OAuth + Streamable HTTP

Choose a tag to compare

View all tags
@nalyk nalyk released this 04 May 12:57
· 67 commits to main since this release
v0.4.0
6afe40a
This commit was created on GitHub.com and signed with GitHub’s verified signature.
GPG key ID: B5690EEEBB952194
Verified
Learn about vigilant mode.

A feature release adding OAuth per-connection authentication and the MCP Streamable HTTP transport. Backward compatible — PAT mode and stdio/SSE transports continue to work unchanged.

✨ Added

  • OAuth per-connection authentication (AUTH_MODE=oauth): new createMcpServer(token) factory creates isolated Server + GitLabApi instances per connection using the Bearer token from the Authorization header. PAT mode (default) is unchanged.
  • Streamable HTTP transport (USE_STREAMABLE_HTTP=true): implements the MCP Streamable HTTP spec on POST/GET/DELETE /mcp with MCP-Session-Id session management. Cross-protocol session-id collisions and unknown sessions return 400 JSON-RPC errors.
  • CORS origin allowlist (CORS_ALLOW_ORIGINS): OAuth mode default-denies browser origins; PAT mode keeps permissive * for local dev. Vary: Origin set when echoing.
  • /healthz endpoint with active session count and configurable threshold (HEALTHZ_MAX_SESSIONS, default 10000); returns 503 with {"status":"unhealthy","reason":"session_limit_exceeded","sessions":<n>} when exceeded — meaningful signal for Kubernetes probes.
  • AUTH_MODE startup validation: invalid values exit with process.exit(1) and a clear message.
  • 17 new vitest cases covering Bearer extraction, Streamable HTTP lifecycle, cross-protocol collision, /healthz, and CORS handling. Total: 58 tests pass.
  • docs/OPERATIONS.md — operations guide (K8s probes, env var reference, troubleshooting).

🔧 Changed

  • src/transport.ts reorganized with helper functions for clarity + testability.
  • Memory-leak hardening on Streamable HTTP connect() failure (initializedSid capture + best-effort close() + idempotent transports[sid] === transport cleanup).
  • Legacy SSE cleanup is now idempotent and registered on both req.close and transport.onclose; transport map entry created only after successful connect().

🔐 Provenance

Published with npm Trusted Publishing — Sigstore-signed SLSA v1 provenance attestation. Verify with npm view @yoda.digital/gitlab-mcp-server@0.4.0 dist.attestations.

👏 Credits

  • Implementation: @ecthelion77 (Olivier Gintrand)
  • Maintainer rebase fixup + release packaging: @nalyk
  • Reviewed via #28 → merged via #42

Full notes: CHANGELOG.md.

Assets 2
Loading