stacklok / toolhive / 23747951132
65%

DEFAULT BRANCH: main
Ran
Jobs 1
Files 586
Run time 1min
Badge
Embed ▾
README BADGES
x

If you need to use a raster PNG badge, change the '.svg' to '.png' in the link

Markdown

Textile

RDoc

HTML

Rst
coverage: 65.492% (+0.009%) from 65.483%
23747951132

push

github

web-flow 
Add scoped and user secret providers with system key isolation (#4229)

* Add scoped and user secret providers with system key isolation

Introduces ScopedProvider and UserProvider wrappers that isolate
system-managed secrets (registry tokens, workload auth, enterprise
login) from user-managed secrets using a reserved __thv_<scope>_
key prefix.

Also adds BulkDeleteSecrets to the Provider interface so Cleanup
operations on both wrappers are handled atomically in a single write
on EncryptedManager, consistent with how other lifecycle operations
work across read-only providers (no-op) and writable providers.

Part of #4192.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

* Fix paralleltest linter errors in scoped_test.go

Add t.Parallel() inside all t.Run closures and move ctx into
each subtest to satisfy the paralleltest and tparallel linters.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

* Update copyright year to 2026 in modified files

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

* Add missing tests for BulkDeleteSecrets and Cleanup methods

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

* Address review feedback on scoped secret providers

- Add SecretScope typed string for scope constants (ScopeRegistry,
  ScopeWorkloads, ScopeAuth) so callers get compile-time safety
- Rename inner → provider in ScopedProvider and UserProvider structs
- Replace package-level scopedKey() with getScopedKey()/getScopePrefix()
  methods on ScopedProvider for better encapsulation
- Rename BulkDeleteSecrets → DeleteSecrets across all providers,
  tests, and mocks to better reflect the operation semantics
- Include operation name (get/set/delete) in ErrReservedKeyName error
  messages for clearer diagnostics
- Split TestEncryptedManager_BulkDeleteSecrets into four focused
  parallel tests (deletesSpecifiedKeys, persistsToDisk,
  emptyListIsNoop, nonExistentKeysNoError)

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthrop... (continued)

143 of 156 new or added lines in 6 files covered. (91.67%)

37 existing lines in 5 files now uncovered.

52778 of 80587 relevant lines covered (65.49%)

63.71 hits per line

Uncovered Changes

Lines Coverage File
4
76.19
 0.19% pkg/secrets/encrypted.go
3
71.43
 -2.9% pkg/secrets/1password.go
3
93.02
 -6.98% pkg/secrets/environment.go
3
93.88
 -6.12% pkg/secrets/fallback.go

Coverage Regressions

Lines Coverage File
14
74.44
 -5.19% pkg/client/config.go
11
68.42
 -14.47% pkg/client/discovery.go
8
23.56
 -4.6% pkg/client/manager.go
2
73.2
 -0.65% pkg/runner/config.go
2
82.81
 -0.21% pkg/vmcp/composer/workflow_engine.go
Jobs
ID Job ID Ran Files Coverage
1 23747951132.1 586
65.49
 GitHub Action Run
Source Files on build 23747951132