
stacklok / toolhive / 23006149677

12 Mar 2026 02:10PM UTC coverage: 64.27% (+0.02%) from 64.25%

push

github

web-flow
Split vmcp auth/authz middleware for annotation flow (#4115)

* Split vmcp auth/authz middleware for annotation flow

The vmcp middleware chain previously composed auth+parser+authz into a
single middleware, which meant authz ran before discovery could provide
tool annotations. This splits them so authz runs after discovery.

- NewIncomingAuthMiddleware returns auth and authz separately (4 values)
- Add annotation enrichment middleware between discovery and authz
- Authz now sees tool annotations from discovered capabilities
- New middleware ordering: auth+parser → audit → discovery →
  annotation-enrichment → authz → handler

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

* Fix review findings from annotation flow middleware split

Update stale middleware-chain comments in server.go to reflect the new
ordering that includes annotation-enrichment and authz layers. Add an
early-return guard to ParsingMiddleware so the double-application (once
in auth, once in server.go for the no-auth case) skips re-reading the
request body. Use the mcp.MethodToolsCall constant instead of a string
literal to satisfy goconst, and add a clarifying comment on why
convertAnnotations intentionally omits Title.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

---------

Co-authored-by: Claude Opus 4.6 <noreply@anthropic.com>

70 of 82 new or added lines in 5 files covered. (85.37%)

10 existing lines in 4 files now uncovered.

48467 of 75411 relevant lines covered (64.27%)

74.26 hits per line

Source File

80.58
/pkg/transport/proxy/httpsse/http_proxy.go


Source Not Available
