stacklok / toolhive / 23553452916
65%

DEFAULT BRANCH: main
Ran
Jobs 1
Files 579
Run time 1min
Badge
Embed ▾
README BADGES
x

If you need to use a raster PNG badge, change the '.svg' to '.png' in the link

Markdown

Textile

RDoc

HTML

Rst
coverage: 65.414% (+0.09%) from 65.32%
23553452916

push

github

web-flow 
Enrich Identity with upstream tokens and simplify upstreamswap (#4355)

* Add UpstreamTokens field to Identity with redacted serialization

The auth middleware will populate upstream provider access tokens on
the Identity struct, allowing downstream middleware (upstreamswap) to
read tokens without coupling to the storage layer. MarshalJSON redacts
token values while preserving provider keys, and both nil and empty
maps are omitted via omitempty.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* Add UpstreamTokenReader interface and bulk token retrieval

Introduce a narrow UpstreamTokenReader interface that decouples the auth
middleware from storage internals. InProcessService.GetAllValidTokens
performs a bulk read of all upstream providers for a session, refreshing
expired tokens transparently and falling back to expired tokens when
refresh fails.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* Thread UpstreamTokenReader through middleware runner and auth factory

Add GetUpstreamTokenReader to MiddlewareRunner so the auth middleware
can access the bulk token reader for identity enrichment. The runner
stores the reader as a separate field (set alongside the token service)
avoiding type assertions. GetAuthenticationMiddleware now accepts
variadic TokenValidatorOption for forward-compatible option passing.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* Enrich Identity with upstream tokens during JWT validation

Add WithUpstreamTokenReader option to TokenValidator that loads all
upstream provider tokens from storage when a tsid claim is present
in the JWT. The enrichment happens between claimsToIdentity and
context injection, populating Identity.UpstreamTokens for downstream
middleware consumption.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* Simplify upstreamswap to read from Identity.UpstreamTokens

Replace the ServiceGetter/GetValidTokens pattern with ... (continued)

146 of 150 new or added lines in 10 files covered. (97.33%)

121 existing lines in 5 files now uncovered.

51632 of 78931 relevant lines covered (65.41%)

72.84 hits per line

New Missed Lines in Diff

Lines Coverage File
1
72.09
 0.0% pkg/auth/utils.go
1
38.88
 -0.1% pkg/runner/runner.go
2
83.78
 -4.1% pkg/auth/middleware.go

Uncovered Existing Lines

Lines Coverage File
3
71.85
 -1.11% pkg/ignore/processor.go
6
88.3
 -1.67% pkg/authserver/runner/embeddedauthserver.go
8
94.97
 0.16% pkg/authserver/config.go
27
0.0
 0.0% pkg/vmcp/auth/types/zz_generated.deepcopy.go
77
76.03
 5.05% pkg/vmcp/config/validator.go
Jobs
ID Job ID Ran Files Coverage
1 23553452916.1 579
65.41
 GitHub Action Run
Source Files on build 23553452916