stacklok / toolhive / 23790467898
65%

DEFAULT BRANCH: main
Ran
Jobs 1
Files 589
Run time 2min
Badge
Embed ▾
README BADGES
x

If you need to use a raster PNG badge, change the '.svg' to '.png' in the link

Markdown

Textile

RDoc

HTML

Rst
coverage: 65.574% (+0.03%) from 65.545%
23790467898

push

github

web-flow 
Enforce Cedar policies on optimizer find_tool and call_tool (#4385)

* Enforce Cedar policies on optimizer find_tool and call_tool

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* Enforce Cedar policies on optimizer call_tool via authz middleware

Move Cedar authorization enforcement for the optimizer meta-tools out of
the vmcp session layer and into the authz HTTP middleware, keeping the
changes isolated to pkg/authz and the composition root (commands.go).

The previous approach threaded an authorizers.Authorizer through five
layers (incoming.go → commands.go → server.go → sessionmanager →
factory → decorator), creating coupling between the optimizer decorator
and the authorization system.

New approach:
- authz middleware intercepts tools/call for pass-through meta-tools:
  call_tool extracts the inner toolName from arguments and authorizes
  that backend tool; find_tool is allowed through as a discovery op.
- commands.go builds passThroughTools (find_tool, call_tool) when the
  optimizer is enabled and passes it to NewIncomingAuthMiddleware.
- incoming.go returns authzMw directly (as on main) instead of a raw
  authorizer; accepts passThroughTools to configure the middleware.
- server.go, sessionmanager, and the optimizer decorator revert to their
  main-branch signatures with no knowledge of the authorizer.

Co-Authored-By: Claude Sonnet 4.6 (1M context) <noreply@anthropic.com>

* Enforce Cedar policies on optimizer find_tool response

find_tool calls were allowed through the authz middleware with no
response filtering, letting callers discover tool names, descriptions,
and schemas for tools they are not authorized to call.

- Add filterFindToolResponse to ResponseFilteringWriter: intercepts the
  find_tool CallToolResult, identifies the FindToolOutput payload by
  attempting to unmarshal each TextContent item (stronger than checking
  the type string), filters output.Tools through Cedar policy, and
  populates the annotati... (continued)

144 of 166 new or added lines in 7 files covered. (86.75%)

7 existing lines in 2 files now uncovered.

52989 of 80808 relevant lines covered (65.57%)

64.83 hits per line

Uncovered Changes

Lines Coverage File
14
3.21
 -0.06% cmd/vmcp/app/commands.go
6
74.16
 2.91% pkg/authz/response_filter.go
2
85.96
 2.41% pkg/authz/middleware.go

Coverage Regressions

Lines Coverage File
5
82.6
 -0.21% pkg/vmcp/composer/workflow_engine.go
2
95.68
 -1.44% pkg/vmcp/composer/template_expander.go
Jobs
ID Job ID Ran Files Coverage
1 23790467898.1 589
65.57
 GitHub Action Run
Source Files on build 23790467898