Press n or j to go to the next uncovered block, b, p or k for the previous block.
| 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 110 111 112 113 114 115 116 117 118 119 120 121 122 123 124 125 126 127 128 129 130 131 132 133 134 135 136 137 138 139 140 141 142 143 144 145 146 147 148 149 150 151 152 153 154 155 156 157 158 159 160 161 162 163 164 165 | 17x 17x 17x 17x 17x 17x 17x 5x 5x 10x 3x 7x 3x 4x 17x 8x 7x 7x 2x 2x 1x 1x 1x 1x 3x 13x 9x 9x 1x 1x 1x 1x 1x 1x 3x 3x 3x 4x 4x 17x 1x | import * as z from 'zod';
import { BrowseAccessTokensSchema } from './schema-readonly';
import { ManageAccessTokenSchema } from './schema';
import { gitlab, toQuery } from '../../utils/gitlab-api';
import { ToolRegistry, EnhancedToolDefinition } from '../../types';
import { assertActionAllowed } from '../utils';
// Personal/project/group access tokens are Free tier. Project access tokens
// landed in 13.0, group access tokens in 14.7; the tool degrades per-action
// rather than gating the whole pair, so the lowest floor is declared here.
const FREE_REQ = { tier: 'free', minVersion: '13.0' } as const;
const NEW_TOKEN_NOTICE =
'This response contains a token value shown only once. Store it securely; it cannot be retrieved again.';
/**
* Wrap a create/rotate response so the secret it carries is explicitly flagged.
* The result is serialized to the tool output, so the marker travels with it.
*/
function flagSensitive(response: unknown): unknown {
Eif (response && typeof response === 'object') {
return {
...(response as Record<string, unknown>),
_meta: { sensitive: true, notice: NEW_TOKEN_NOTICE },
};
}
return response;
}
/**
* Resolve the REST collection path for a single-token action (get/rotate/revoke).
* A token belongs to exactly one scope: project, group, or the current user.
*/
function tokenBasePath(input: { project_id?: string; group_id?: string }): string {
if (input.project_id) {
return `projects/${encodeURIComponent(input.project_id)}/access_tokens`;
}
if (input.group_id) {
return `groups/${encodeURIComponent(input.group_id)}/access_tokens`;
}
return 'personal_access_tokens';
}
/**
* Access-tokens tools registry - 2 CQRS tools.
*
* browse_access_tokens (Query): list_personal, list_project, list_group, get
* manage_access_token (Command): create_project, create_group, rotate, revoke
*
* Backed by the GitLab REST access-token endpoints (no GraphQL surface exists).
* The personal/project/group scopes fold in as actions; get/rotate/revoke infer
* the scope from project_id / group_id. Gated behind USE_ACCESS_TOKENS. Free tier;
* project/group creation requires owner/admin on the namespace.
*/
export const accessTokensToolRegistry: ToolRegistry = new Map<string, EnhancedToolDefinition>([
// ============================================================================
// browse_access_tokens - CQRS Query Tool
// ============================================================================
[
'browse_access_tokens',
{
name: 'browse_access_tokens',
description:
"Inspect access tokens (CI/automation credentials). Actions: list_personal (the current user's PATs; admins may filter by user_id), list_project / list_group (a project's or group's tokens), get (a single token by ID - pass project_id or group_id for project/group tokens, neither for personal). Related: manage_access_token to create, rotate, or revoke.",
inputSchema: z.toJSONSchema(BrowseAccessTokensSchema),
requirements: { default: FREE_REQ },
gate: { envVar: 'USE_ACCESS_TOKENS', defaultValue: true },
handler: async (args: unknown): Promise<unknown> => {
const input = BrowseAccessTokensSchema.parse(args);
assertActionAllowed('browse_access_tokens', input.action);
switch (input.action) {
case 'list_personal': {
const { action: _action, ...query } = input;
return gitlab.get('personal_access_tokens', { query: toQuery(query, []) });
}
case 'list_project': {
const { action: _action, project_id, ...query } = input;
return gitlab.get(`projects/${encodeURIComponent(project_id)}/access_tokens`, {
query: toQuery(query, []),
});
}
case 'list_group': {
const { action: _action, group_id, ...query } = input;
return gitlab.get(`groups/${encodeURIComponent(group_id)}/access_tokens`, {
query: toQuery(query, []),
});
}
case 'get':
return gitlab.get(`${tokenBasePath(input)}/${input.token_id}`);
/* istanbul ignore next -- unreachable with Zod discriminatedUnion */
default:
throw new Error(`Unknown action: ${(input as { action: string }).action}`);
}
},
},
],
// ============================================================================
// manage_access_token - CQRS Command Tool
// ============================================================================
[
'manage_access_token',
{
name: 'manage_access_token',
description:
'Create, rotate, or revoke access tokens. Actions: create_project / create_group (issue a new token with name + scopes, returns the value once), rotate (revoke the old token and return a new value), revoke (delete a token permanently). For rotate/revoke pass project_id or group_id for project/group tokens, neither for personal. Related: browse_access_tokens to discover token IDs.',
inputSchema: z.toJSONSchema(ManageAccessTokenSchema),
requirements: { default: FREE_REQ },
gate: { envVar: 'USE_ACCESS_TOKENS', defaultValue: true },
handler: async (args: unknown): Promise<unknown> => {
const input = ManageAccessTokenSchema.parse(args);
assertActionAllowed('manage_access_token', input.action);
switch (input.action) {
case 'create_project': {
const { action: _action, project_id, ...body } = input;
const res = await gitlab.post(
`projects/${encodeURIComponent(project_id)}/access_tokens`,
{ body, contentType: 'json' },
);
return flagSensitive(res);
}
case 'create_group': {
const { action: _action, group_id, ...body } = input;
const res = await gitlab.post(`groups/${encodeURIComponent(group_id)}/access_tokens`, {
body,
contentType: 'json',
});
return flagSensitive(res);
}
case 'rotate': {
const body = input.expires_at ? { expires_at: input.expires_at } : {};
const res = await gitlab.post(`${tokenBasePath(input)}/${input.token_id}/rotate`, {
body,
contentType: 'json',
});
return flagSensitive(res);
}
case 'revoke': {
await gitlab.delete(`${tokenBasePath(input)}/${input.token_id}`);
return { revoked: true, token_id: input.token_id };
}
/* istanbul ignore next -- unreachable with Zod discriminatedUnion */
default:
throw new Error(`Unknown action: ${(input as { action: string }).action}`);
}
},
},
],
]);
/** Read-only tool names from the registry (for read-only mode filtering). */
export function getAccessTokensReadOnlyToolNames(): string[] {
return ['browse_access_tokens'];
}
|