stacklok / toolhive / 22965231106
64%

Build:
DEFAULT BRANCH: main
Ran 11 Mar 2026 05:20PM UTC
Jobs 1
Files 547
Run time 1min
11 Mar 2026 05:17PM UTC coverage: 64.113% (+0.08%) from 64.036%
22965231106

push

github

web-flow
Add tool annotation context for Cedar/HTTP authz (#4102)

* Add tool annotation context for Cedar/HTTP authz

Cedar policies can reference entity attributes like
`resource.readOnlyHint == true`, but tool annotations were never
reaching the authorizers. This adds context-based annotation injection
so both Cedar and HTTP PDP authorizers can use MCP tool annotations
(readOnlyHint, destructiveHint, idempotentHint, openWorldHint) in
authorization decisions.

- Add ToolAnnotations struct and context helpers in authorizers package
- Cedar authorizer merges annotations into resource entity attributes
- HTTP PDP authorizer includes annotations in PORC context
- Foundation for annotation cache (PR 2) and vmcp flow (PR 3)

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

* Harden tool annotation authz against attribute collisions

Reverse the Cedar mergeContexts order so standard resource attributes
(name, operation, feature) are applied last and cannot be overwritten by
annotation keys. Guard HTTP PDP annotation enrichment to tool-call
operations only. Add slog.Warn when enrichPORCWithAnnotations encounters
unexpected types instead of silently discarding context. Document the
trust boundary (annotations must come from the server-side registry) and
the asymmetric exposure paths between Cedar and HTTP authorizers.

Add unit tests for enrichPORCWithAnnotations (8 cases) and Cedar
attribute collision safety (5 cases).

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

* Move AuthorizeWithJWTClaims back to original position in file

Restore the original method ordering so the PR diff only shows the
actual logic changes, not a spurious move.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

---------

Co-authored-by: Claude Opus 4.6 <noreply@anthropic.com>

58 of 60 new or added lines in 3 files covered. (96.67%)

7 existing lines in 3 files now uncovered.

48069 of 74975 relevant lines covered (64.11%)

74.47 hits per line

New Missed Lines in Diff

Lines  Coverage  ∆      File
2      82.98     3.27%  pkg/authz/authorizers/http/core.go

Uncovered Existing Lines

Lines  Coverage  ∆       File
2      57.52     -1.77%  pkg/networking/port.go
2      94.67     -1.33%  pkg/vmcp/composer/dag_executor.go
3      80.31     -0.26%  pkg/transport/proxy/httpsse/http_proxy.go
Jobs
ID  Job ID         Ran                      Files  Coverage
1   22965231106.1  11 Mar 2026 05:20PM UTC  547    64.11
Source Files on build 22965231106
  • Tree
  • List 547
  • Changed 11
  • Source Changed 2
  • Coverage Changed 11
  • 7f1d9433 on github