read-only visibility into GitLab projects, issues, merge requests, and CI pipelines. Built to mirror the gcp/tailscale native connectors.
Key points
- GitLab (
/proxy/gitlab) — 5 read-only tools:list_projects,get_project,list_issues,list_merge_requests,list_pipelines(CI status). - Credential: a Personal Access Token scoped to
read_apionly, supplied via the broker env (GITLAB_TOKEN); secret in Secret Managergitlab-token, restored on rebuild by Ansible (same pattern asgithub-oauth-client-secret/tailscale-oauth-client-secret). Instance pinned byGITLAB_URL(defaulthttps://gitlab.com; set for self-hosted), never a tool parameter. - No write tools — deliberate, matching the gcp/tailscale read-first stance. Even if
a prompt-injected chat asked, a
read_apitoken cannot mutate anything. - Hardening in the adapter: project ids/paths are validated against a strict regex
and URL-encoded before hitting the API (blocks path/query injection);
per_pageis clamped (1–100); upstream errors map to sanitized messages that never leak the URL or token. - Security model (two independent layers): the credential is read-only at the GitLab scope level, and the connector implements only read verbs. Worst realistic abuse (prompt injection in a chat with broker tools): disclosure of project / issue / MR / pipeline metadata the token can already see. Nothing can be created, deleted, or reconfigured.
Add it as a client connector
Each broker connector is its own MCP endpoint — add GitLab in a Claude client at
https://bobsmcp.uk/proxy/gitlab/mcp (the trailing /mcp matters — see
gcp-mcp-standalone/adr/0007-per-connector-mcp-endpoint-urls). Connectors are
account-level, so adding it on desktop mirrors to the mobile app automatically.
Details
Code: BobMck/mcp-broker branch connectors, src/connectors/gitlab/ (10 unit tests;
full suite 902 green, ruff clean; merged via PR #1). Infra (gcp-mcp-standalone):
ansible/install.yml (fetch gitlab-token from Secret Manager → .env, no_log),
ansible/templates/settings.yaml.j2 (connector + allowed_connectors registration).
Go-live needs a read_api PAT stored as Secret Manager gitlab-token, then a deploy.
Related
Sources
wiki/projects/gcp-mcp-standalone/connectors-gitlab.md · git is the source of truth