fixed check_repo_allowed

Author: Nisha Saini

Containerfile

@@ -10,8 +10,5 @@ RUN pip install --no-cache-dir -r requirements.txt
 # Copy source code (uses .containerignore)
 COPY . .
 
-# Expose port for HTTP transport (only used when MCP_TRANSPORT=http)
-EXPOSE 8085
-
 # Entrypoint
 CMD ["python", "gitlab_mcp_server.py"] 

Makefile

@@ -13,16 +13,12 @@ build:
 	podman build -t $(IMG) .
 
 # Notes:
-# - $(ENV_FILE) is expected to define the gitlab token & repos other vars are optional..
-# - The --tty option is used here since we might run this in a
-#   terminal, but for the mcp.json version we don't use --tty.
-# - You can use Ctrl-D to quit nicely.
+# - $(ENV_FILE) is expected to define the gitlab token & repos other vars are optional.
+# - This server runs in STDIO mode for MCP clients like Cursor.
+# - Use Ctrl-C to quit the server.
 run:
-	@podman run -i --tty --rm --env-file $(ENV_FILE) $(IMG)
-
-run-http:
-	@echo "🌐 Starting GitLab MCP server in HTTP mode"
-	@podman run -i --rm --env-file $(ENV_FILE) -p 8085:8085 -e MCP_TRANSPORT=http $(IMG)
+	@echo "🚀 Starting GitLab MCP server (STDIO mode)"
+	@podman run -i --rm --env-file $(ENV_FILE) $(IMG)
 
 clean:
 	podman rmi -i $(IMG)

README.md

@@ -29,8 +29,7 @@ make setup
    * Go to ${GITLAB_URL} if no custom gitlab defaults to public [gitlab.com](https://docs.gitlab.com/user/profile/personal_access_tokens/) and create a token
    * Edit the `.rh-gitlab-mcp.env` file in your home directory and paste in the token.
 
-To confirm it's working, run Cursor, go to Settings and click on "Tools &
-Integrations". Under MCP Tools you should see "gitlabMcp" with 7 tools enabled.
+To confirm it's working, run Cursor, go to Settings and click on "Tools & Integrations". Under MCP Tools you should see "gitlabMcp" with 8 tools enabled.
 
 
 ## Available Functions
@@ -205,4 +204,4 @@ Most functions support filtering:
 - Verify your GitLab token has proper permissions
 - Ensure you're a project member
 
-This read-only approach provides safer, more focused GitLab integration for monitoring and analysis workflows. 
+This read-only approach provides safer, more focused GitLab integration for monitoring and analysis workflows. 

example.env

@@ -14,12 +14,8 @@ MCP_ALLOWED_REPOS=redhat/edge/ci-cd/pipe-x/*
 # Optional: Custom GitLab URL (defaults to gitlab.com)
 GITLAB_URL=https://gitlab.com
 
-# Optional: Transport mode (stdio or http)
-MCP_TRANSPORT=stdio
-
-# HTTP Transport Configuration (only used when MCP_TRANSPORT=http)
+# HTTP Transport Configuration (HTTP-only mode)
 MCP_HOST=127.0.0.1
-MCP_PORT=8085
 
 # Recommended ports for multiple MCP servers:
 # GitLab MCP: 8086, Jira MCP: 8087, Other MCP: 8088, 8089, etc.

example.mcp.json

@@ -1,16 +1,16 @@
 {
   "mcpServers": {
-    "gitlabMCP": {
+    "gitlabMCP_STDIO": {
       "command": "podman",
       "args": [
         "run",
         "-i",
         "--rm",
         "--env-file",
         "~/.rh-gitlab-mcp.env",
-        "localhost/gitlab_mcp_server:latest"
+        "localhost/gitlab-mcp:latest"
       ],
-      "description": "A containerized MCP server to query gitlab projects"
+      "description": "A containerized GitLab MCP server using STDIO transport"
     }
   }
 }

gitlab_mcp_server.py

@@ -57,7 +57,7 @@ def __init__(self):
 
         # SSL Configuration options
         ssl_verify = os.getenv("MCP_SSL_VERIFY", "true").lower() == "true"
-        ssl_ca_bundle = os.getenv("SSL_CERT_FILE")  # Path to CA bundle file
+        ssl_ca_bundle = os.getenv("MCP_SSL_CA_BUNDLE")  # Path to CA bundle file
 
         # Build GitLab client configuration
         gitlab_config = {
@@ -342,7 +342,25 @@ async def search_repositories(search_term: Optional[str] = None, visibility: str
         # Filter results based on repository access permissions
         accessible_projects = []
         for project in projects:
-            if check_repo_allowed(str(project.id)):
+            # Check repo pattern directly without additional API call
+            project_path = project.path_with_namespace
+            is_allowed = False
+            
+            # Check against each allowed pattern
+            for allowed_pattern in config.allowed_repos:
+                allowed_pattern = allowed_pattern.strip()
+                
+                # Check if project ID matches (for backward compatibility)
+                if str(project.id) == allowed_pattern:
+                    is_allowed = True
+                    break
+                
+                # Check if project path matches the pattern
+                if match_repo_pattern(project_path, allowed_pattern):
+                    is_allowed = True
+                    break
+            
+            if is_allowed:
                 try:
                     repo_info = {
                         'id': project.id,
@@ -581,6 +599,108 @@ async def list_pipelines(request: PipelineListRequest) -> dict:
             "error": f"❌ Error listing pipelines: {str(e)}"
         }
 
+@mcp.tool()
+async def scan_group_failed_pipelines(limit: Optional[int] = 5) -> dict:
+    """🔍 Scan all projects in allowed groups for failed pipelines, sorted by timestamp"""
+    try:
+        # Security checks
+        security_error = security_check("read")
+        if security_error:
+            raise ValueError(security_error)
+        
+        all_failed_pipelines = []
+        scanned_projects = []
+        
+        # Get all accessible projects from search
+        try:
+            accessible_projects = config.gl.projects.list(all=True, per_page=100)
+        except Exception as e:
+            logger.warning(f"⚠️ Could not list all projects, trying owned projects: {e}")
+            accessible_projects = config.gl.projects.list(owned=True, per_page=100)
+        
+        # Filter projects that match allowed repo patterns
+        for project in accessible_projects:
+            # Check repo pattern directly without additional API call
+            project_path = project.path_with_namespace
+            is_allowed = False
+            
+            # Check against each allowed pattern
+            for allowed_pattern in config.allowed_repos:
+                allowed_pattern = allowed_pattern.strip()
+                
+                # Check if project ID matches (for backward compatibility)
+                if str(project.id) == allowed_pattern:
+                    is_allowed = True
+                    break
+                
+                # Check if project path matches the pattern
+                if match_repo_pattern(project_path, allowed_pattern):
+                    is_allowed = True
+                    break
+            
+            if is_allowed:
+                scanned_projects.append({
+                    'id': project.id,
+                    'name': project.name,
+                    'path_with_namespace': project.path_with_namespace
+                })
+                
+                try:
+                    # Get failed pipelines from this project
+                    failed_pipelines = project.pipelines.list(
+                        status='failed',
+                        per_page=limit,
+                        order_by='updated_at',
+                        sort='desc'
+                    )
+                    
+                    for pipeline in failed_pipelines:
+                        all_failed_pipelines.append({
+                            'project_id': project.id,
+                            'project_name': project.name,
+                            'project_path': project.path_with_namespace,
+                            'pipeline_id': pipeline.id,
+                            'status': pipeline.status,
+                            'ref': pipeline.ref,
+                            'sha': pipeline.sha,
+                            'source': getattr(pipeline, 'source', 'unknown'),
+                            'created_at': pipeline.created_at,
+                            'updated_at': pipeline.updated_at,
+                            'duration': pipeline.duration,
+                            'web_url': pipeline.web_url,
+                            'user': pipeline.user['name'] if hasattr(pipeline, 'user') and pipeline.user else 'System'
+                        })
+                        
+                except Exception as e:
+                    logger.warning(f"⚠️ Could not get pipelines for {project.path_with_namespace}: {e}")
+                    continue
+        
+        # Sort all failed pipelines by updated_at (most recent first)
+        all_failed_pipelines.sort(key=lambda x: x['updated_at'], reverse=True)
+        
+        # Take only the requested limit
+        limited_pipelines = all_failed_pipelines[:limit]
+        
+        message = f"🔍 Scanned {len(scanned_projects)} projects, found {len(limited_pipelines)} recent failed pipelines"
+        
+        logger.info(f"✅ Scanned {len(scanned_projects)} projects for failed pipelines")
+        return {
+            "success": True,
+            "message": message,
+            "scanned_projects_count": len(scanned_projects),
+            "scanned_projects": scanned_projects,
+            "failed_pipelines_count": len(limited_pipelines),
+            "failed_pipelines": limited_pipelines,
+            "total_failed_found": len(all_failed_pipelines)
+        }
+        
+    except Exception as e:
+        logger.error(f"❌ Error scanning group failed pipelines: {e}")
+        return {
+            "success": False,
+            "error": f"❌ Error scanning group failed pipelines: {str(e)}"
+        }
+
 @mcp.tool()
 async def list_jobs(request: JobListRequest) -> dict:
     """⚙️ List jobs in a pipeline - supports both project_id and project_name"""
@@ -808,40 +928,24 @@ async def list_latest_commits(request: CommitsRequest) -> dict:
 
 def main():
     """Main entry point for the FastMCP server."""
-    # Get transport mode from environment
-    transport_mode = os.getenv("MCP_TRANSPORT", "stdio").lower()
-    
     print("🚀 Starting GitLab MCP Server (FastMCP - Read-Only)...")
     print("📋 Available Tools:")
     print("   🔍 search_repositories - Search/filter repositories")
     print("   📋 list_issues - List project issues") 
     print("   🔀 list_merge_requests - List merge requests")
     print("   🏗️  list_pipelines - List CI/CD pipelines")
+    print("   🔍 scan_group_failed_pipelines - Scan all group projects for failed pipelines")
     print("   ⚙️  list_jobs - List pipeline jobs")
     print("   ❌ check_latest_failed_jobs - Check failed jobs")
     print("   📝 list_latest_commits - List recent commits")
     print(f"\n🔒 Security: Max {config.max_api_calls_per_hour} calls/hour")
     print(f"🔒 Actions: {config.allowed_actions}")
     print(f"🔗 GitLab: {config.gitlab_url}")
     print("📖 Query Support: Both project_id and project_name supported for flexible access")
-    print(f"🚀 Transport Mode: {transport_mode.upper()}")
-    
-    if transport_mode == "http":
-        # HTTP Transport configuration
-        host = os.getenv("MCP_HOST", "127.0.0.1")
-        port = int(os.getenv("MCP_PORT", "8085"))
-        
-        print(f"🌐 Starting HTTP server on {host}:{port}")
-        print("\n✅ FastMCP HTTP Server ready for connections!")
-        
-        # Run with HTTP transport
-        mcp.run(transport="http", host=host, port=port)
-    else:
-        # Default STDIO transport
-        print("\n✅ FastMCP STDIO Server ready for connections!")
-        
-        # Run with STDIO transport (default)
-        mcp.run()
+    print("\n✅ FastMCP Read-Only Server ready for connections!")
+
+    # Run the FastMCP server
+    mcp.run()
 
 if __name__ == "__main__":
-    main() 
+    main()