feat(gitlab): add access, membership, and user-admin operations#5707
feat(gitlab): add access, membership, and user-admin operations#5707mzxchandra wants to merge 7 commits into
Conversation
Adds member, invitation, access-request, SAML group link, and user administration tools to the GitLab integration. Resource-scoped ops work against projects or groups; user-admin ops require an admin token. All tools reuse the existing host/SSRF guard via getGitLabApiBase and add a shared getGitLabResourcePath helper.
Adds the new operations to the block dropdown and tools access list, with a named access-level dropdown (enum in, integer out), first-class expires_at, a /members/all default (direct-only opt-in), resource-type selector, and member_role_id passthrough.
Covers the access_level enum-to-integer coercion, the /members/all default vs direct-only, the 409-duplicate-add soft success, invitation per-email error handling, user-status-action response parsing, and getGitLabResourcePath.
|
@mzxchandra is attempting to deploy a commit to the Sim Team on Vercel. A member of the Team first needs to authorize it. |
PR SummaryHigh Risk Overview The block gains conditional UI for project/group resource type, named access level dropdowns (coerced to GitLab integers at execution), optional expires at, invitation “leave unchanged” behavior, and admin user fields. New tools share Docs in Reviewed by Cursor Bugbot for commit d41d8f1. Bugbot is set up for automated code reviews on this repo. Configure here. |
Greptile SummaryThis PR expands the GitLab integration with access provisioning and user administration. The main changes are:
Confidence Score: 5/5This looks safe to merge.
Important Files Changed
Reviews (3): Last reviewed commit: "fix(gitlab): make update-invitation acce..." | Re-trigger Greptile |
Co-authored-by: greptile-apps[bot] <165735046+greptile-apps[bot]@users.noreply.github.com>
- update_user now sends admin:false so the Administrator switch can demote (an untouched switch stays undefined and leaves the flag unchanged) - expose the access-level dropdown for Update Invitation - normalize comma-separated invite emails so spaced multi-email input works
|
@cursor review |
Update Invitation now uses a dedicated dropdown that defaults to 'Leave unchanged', so updating only the expiration no longer silently resets the invitation's access level to Developer. The level is sent only when explicitly chosen.
|
@cursor review |
There was a problem hiding this comment.
✅ Bugbot reviewed your changes and found no new issues!
Comment @cursor review or bugbot run to trigger another review on this PR
Reviewed by Cursor Bugbot for commit d41d8f1. Configure here.
Summary
Adds access / membership / user-administration operations to the existing GitLab block so teams can build native access-provisioning workflows (IT help-desk auto-provisioning) without dropping to a raw API block and hand-rolling auth.
This extends the block rather than splitting it — the admin boundary is handled by the existing per-operation access-control feature, not a second block.
New operations (27 tools):
/members/allby default, direct-only opt-in), add, update access level, removeAll resource-scoped ops work against projects or groups via a Resource Type selector. Every tool reuses the existing
getGitLabApiBase()host resolution + SSRF guard, and a new sharedgetGitLabResourcePath()helper.Design details:
access_levelis a named dropdown (Guest…Owner, full official enum) that serializes to the GitLab integer — no free-text integer guessing on a permissions call.expires_atis a first-class field so time-boxed grants are the default./members/all(includes inherited members) to avoid false "no access" answers, with a direct-only opt-in.hostparam + SSRF guard).member_role_idpassthrough for Ultimate custom roles.list_saml_group_linksships in the first cut so a workflow can detect SAML-governed groups before choosing an IdP-side vs GitLab-native member add.Type of Change
Testing
access_levelenum→integer coercion,/members/alldefault vs direct-only, the 409-duplicate-add soft success, invitation per-email error handling, user-status-action response parsing, andgetGitLabResourcePath.tools/index.test.ts,blocks/blocks.test.ts) pass: 202 tests green.tsc --noEmitand Biome are clean.Reviewers should focus on: the
config.paramscoercions inblocks/blocks/gitlab.ts(enum→int, id coercion happens at execution, never inconfig.tool), and the 409 handling intools/gitlab/add_member.ts.Not covered by automated tests: live end-to-end against a real GitLab instance (needs a sandbox + PAT; admin ops need an
admin_modetoken) — recommended as a manual smoke test before relying on the admin operations.Checklist
🤖 Generated with Claude Code