22134885056

Committed 18 Feb 2026 09:54AM UTC coverage: 62.214% (-0.004%) from 62.218%

Build # 22134885056

Build Type

push

github

Committed by

web-flow

Commit Message

Remove jwks_uri from Protected Resource Metadata response (#3853)

* Remove jwks_uri from Protected Resource Metadata response

RFC 9728 defines jwks_uri in PRM as the resource server's own signing
keys (e.g. FAPI message signing), not the authorization server's keys.

ToolHive's MCP servers don't sign responses, so the field should be
absent. Since lazy OIDC discovery (5fd6adb), the JWKS URL was empty at
handler construction time, producing "jwks_uri": "" which fails the MCP
TypeScript SDK's Zod validation and causes PRM to be silently discarded
by clients like Cursor.

Fixes: #3852

* Add regression issue link to jwks_uri absence test

Run Details

1 of 2 new or added lines in 2 files covered. (50.0%)

36 existing lines in 4 files now uncovered.

44830 of 72058 relevant lines covered (62.21%)

78.12 hits per line

Source File
Press 'n' to go to next uncovered line, 'b' for previous

80.31

/pkg/transport/proxy/httpsse/http_proxy.go

stacklok / toolhive / 22134885056

Source File Press 'n' to go to next uncovered line, 'b' for previous

Source Not Available

Source File
Press 'n' to go to next uncovered line, 'b' for previous