From 42852173a2bd79ebcd5066f29ee7e6be63c7fde3 Mon Sep 17 00:00:00 2001 From: Tim Pearson Date: Thu, 21 May 2026 21:34:14 -0400 Subject: [PATCH] fix: list_my_todos/list_my_events honor GITLAB_TOKEN fallback (1.18.1) MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Both handlers had a guard that rejected the call when no per-request userCredentials were supplied: if (!credentials) { throw new Error('... requires user authentication ...'); } That short-circuited the four-step token resolution in getClient(), which is supposed to fall back to GITLAB_TOKEN for stdio / single-user deployments. The token is a real user's PAT and currentUser / GET /events resolve from it fine — the handler just never let the client method run. Same bug class as 1.15.1, which fixed the equivalent guard on write tools. The me-scoped read tools were missed at that time because they were added later (list_my_todos in 1.16.0, list_my_events earlier). Reproduced via stdio with GITLAB_TOKEN env set: - 1.18.0: 'list_my_todos requires user authentication...' - With this fix: returns the user's todos. Per-call userCredentials and HTTP Authorization: Bearer flows continue to work unchanged — credentials, when present, still take precedence. --- .claude-plugin/plugin.json | 2 +- CHANGELOG.md | 5 +++++ package-lock.json | 4 ++-- package.json | 2 +- src/tools.ts | 6 ------ 5 files changed, 9 insertions(+), 10 deletions(-) diff --git a/.claude-plugin/plugin.json b/.claude-plugin/plugin.json index 8679e38..ea90799 100644 --- a/.claude-plugin/plugin.json +++ b/.claude-plugin/plugin.json @@ -1,7 +1,7 @@ { "name": "gitlab-mcp", "description": "GitLab MCP server with GraphQL discovery and team activity tools", - "version": "1.18.0", + "version": "1.18.1", "icon": "assets/logo.svg", "author": { "name": "Tim Pearson" diff --git a/CHANGELOG.md b/CHANGELOG.md index f87f4d8..cedb729 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md 
@@ -7,6 +7,11 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0 ## [Unreleased] +## [1.18.1] - 2026-05-21 + +### Fixed +- `list_my_todos` and `list_my_events` no longer reject the call when no per-request `userCredentials` are supplied. Both handlers had a guard that short-circuited the four-step token resolution in `getClient()`, so they failed with `requires user authentication — the to-do inbox is scoped to the caller` even when a valid `GITLAB_TOKEN` was configured. Same bug class as the 1.15.1 fix, which only patched the write tools. Reads now fall back to the env token like every other read tool. Per-call user credentials and HTTP `Authorization: Bearer` flows continue to work unchanged. + ## [1.18.0] - 2026-05-21 ### Fixed diff --git a/package-lock.json b/package-lock.json index 5b95735..8e8cfa4 100644 --- a/package-lock.json +++ b/package-lock.json @@ -1,12 +1,12 @@ { "name": "@ttpears/gitlab-mcp-server", - "version": "1.18.0", + "version": "1.18.1", "lockfileVersion": 3, "requires": true, "packages": { "": { "name": "@ttpears/gitlab-mcp-server", - "version": "1.18.0", + "version": "1.18.1", "license": "MIT", "dependencies": { "@modelcontextprotocol/sdk": "^1.26.0", diff --git a/package.json b/package.json index e4ae39f..5bfbf8f 100644 --- a/package.json +++ b/package.json @@ -1,6 +1,6 @@ { "name": "@ttpears/gitlab-mcp-server", - "version": "1.18.0", + "version": "1.18.1", "description": "GitLab MCP Server with GraphQL discovery", "main": "dist/index.js", "module": "./src/index.ts", diff --git a/src/tools.ts b/src/tools.ts index ab35c96..0748bab 100644 --- a/src/tools.ts +++ b/src/tools.ts 
@@ -1867,9 +1867,6 @@ const listMyTodosTool: Tool = {
 })),
 handler: async (input, client, userConfig) => {
 const credentials = input.userCredentials ? validateUserConfig(input.userCredentials) : userConfig;
- if (!credentials) {
- throw new Error('list_my_todos requires user authentication — the to-do inbox is scoped to the caller.');
- }
 const groupPath = input.groupPath?.trim();
 const projectPath = input.projectPath?.trim();
 if (input.groupPath !== undefined && !groupPath) {
@@ -2012,9 +2009,6 @@ const listMyEventsTool: Tool = {
 })),
 handler: async (input, client, userConfig) => {
 const credentials = input.userCredentials ? validateUserConfig(input.userCredentials) : userConfig;
- if (!credentials) {
- throw new Error('list_my_events requires user authentication — the feed is scoped to the caller.');
- }
 const { userCredentials, ...params } = input;
 return client.listMyEvents(params, credentials);
 },
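Review bot: With the `if (!credentials)` guard gone from both handlers (`list_my_todos` in the first hunk, `list_my_events` in the second), `credentials` can be undefined and the call still proceeds, e.g. `client.listMyEvents(params, credentials)`; per the commit message, `getClient()` then resolves `GITLAB_TOKEN`. That is the intended behaviour for stdio / single-user deployments, but if the HTTP transport can run with `GITLAB_TOKEN` set, a request that arrives without its own credentials would presumably receive the token owner's to-dos and events instead of an authentication error, and nothing in the diff addresses that case. Consider permitting the fallback only in single-user mode, or at least record it at the `credentials` line: `// may be undefined: getClient() falls back to GITLAB_TOKEN, so "my" means that token's owner`. Both handler bodies start or continue outside these hunks, so the resolution order inside `getClient()` should be confirmed against the full file.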