stacklok / toolhive / 19550583742

push

github

Add support for baking build-time arguments in container ENTRYPOINTs (#2631)

Add build-time arguments support with secure template refactoring

Add buildArgs parameter to container templates, allowing required subcommands 
to be baked into the ENTRYPOINT at build time. Runtime arguments passed via 
"--" are appended after build args.

Key improvements:
- Add MCPPackageClean field that strips version suffixes in Go code with tests
- Simplify NPX to direct JSON array ENTRYPOINT (no shell wrapper needed)
- Simplify UVX to use clean package variable instead of shell expansion  
- Add validation to reject single quotes in buildArgs (prevents shell injection)
- Update thv build command to accept --build-arg flag
- Add comprehensive test coverage for all transport types

Template complexity reduction:
- NPX: 9 lines of shell script → 2 lines of JSON array (78% reduction)
- Version stripping: centralized, testable, handles scoped packages correctly
- Prevents NPX from re-pulling packages when @latest is specified

Security: Single quotes in buildArgs are validated and rejected to prevent 
command injection in UVX template's sh -c execution. NPX and GO use JSON 
arrays without shell interpretation and remain unaffected.

---------

Signed-off-by: Dan Barr <6922515+danbarr@users.noreply.github.com>
Co-authored-by: Dan Barr <6922515+danbarr@users.noreply.github.com>

22 of 29 new or added lines in 3 files covered. (75.86%)

24614 of 50402 relevant lines covered (48.84%)

60.66 hits per line