This epic is to capture work to enable customers to configure MCP servers/clients in GitLab to add external context to GitLab Duo features. ### Background Self-managed GitLab installations can safely configure MCP connections directly in the UI because the customer controls their own infrastructure, security policies, and risk posture. They bear full responsibility for any connections they establish to external systems within their environment. For GitLab.com, however, we cannot allow arbitrary MCP configurations because it would require our multi-tenant platform to establish connections to unknown external systems across the internet. This would create significant security risks, compliance issues, and potential service reliability problems. Instead, we'll need to provide a curated set of vetted integrations and controlled connection methods to deliver similar value without compromising platform security. ### Iteration 1 - Self-Managed * Self-managed users can configure _any_ MCP servers in the UI. Configuration parameters may include: * **Server URL/Endpoint** - The base URL where the MCP server is hosted and accessible * **Authentication Credentials** - Typically an API key, OAuth token, or other authentication method * **Service Name/Identifier** - A unique name to identify this particular MCP service * **Tool Configuration** - Specific parameters for the tools provided by this MCP server * **Rate Limiting Settings** - Optional parameters to control usage and prevent abuse * Additional: * Connection timeout settings * Response format preferences * Permission scopes and access levels * Context retrieval parameters (e.g., maximum tokens to retrieve) * Custom headers or request parameters * users can access configured external context in the UI and the IDE * before accessing external context, users are prompted to allow/disallow the external call ### Iteration 2 - Gitlab.com * GitLab.com users can configure _specific, supported_ MCP servers in the UI. Configuration parameters may include: * **Authentication Credentials** - Typically an API key, OAuth token, or other authentication method * **Service Name/Identifier** - A unique name to identify this particular MCP service * **Tool Configuration** - Specific parameters for the tools provided by this MCP server * **Rate Limiting Settings** - Optional parameters to control usage and prevent abuse * Additional: * Connection timeout settings * Response format preferences * Permission scopes and access levels * Context retrieval parameters (e.g., maximum tokens to retrieve) * Custom headers or request parameters * users can access _specific, supported_ external context in the UI and the IDE * before accessing external context, users are prompted to allow/disallow the external call