stacklok / toolhive / 23841820976
65%

DEFAULT BRANCH: main
Ran
Jobs 1
Files 593
Run time 1min
Badge
Embed ▾
README BADGES
x

If you need to use a raster PNG badge, change the '.svg' to '.png' in the link

Markdown

Textile

RDoc

HTML

Rst
coverage: 65.523% (-0.02%) from 65.542%
23841820976

push

github

web-flow 
Wire all secret callers to scoped and user providers (#4465)

* Add migration window fallback to ScopedProvider.GetSecret

When a user upgrades ToolHive, system secrets may still exist under
bare keys (e.g. BEARER_TOKEN_foo) until the secret scope migration
completes. If migration fails or hasn't run yet, ScopedProvider
callers would be unable to find their secrets under the new scoped
key (__thv_workloads_BEARER_TOKEN_foo), breaking workload auth.

Add a transparent fallback in ScopedProvider.GetSecret: on a
not-found response for the scoped key, also try the bare (pre-
migration) key. Once migration completes and bare keys are deleted,
the fallback finds nothing and becomes a natural no-op — no config
check or injection needed.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

* Fix paralleltest linter error in migration fallback test

Add t.Parallel() to TestScopedProvider_GetSecret_MigrationFallback and
its subtests to satisfy the paralleltest linter requirement.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

* Wire all secret callers to scoped and user providers

Update every call site that creates a secrets provider to use the
appropriate wrapper introduced in Phase 1:

- System callers (workload auth tokens, registry credentials, build auth
  files) now use CreateScopedSecretProvider, placing secrets under the
  __thv_<scope>_ prefix and hiding them from user-facing commands.
- User-facing callers (thv secret commands, REST API, MCP tool server,
  header secrets, build-env-from-secrets) now use CreateUserSecretProvider,
  blocking access to __thv_* reserved keys.
- RunConfig.WithSecrets and ValidateSecrets now accept separate system and
  user providers so auth-token resolution and --secret flag resolution use
  the correct scope independently.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

* Add E2E tests for system key protection in user-facing secret commands

Verify that the UserProvider wiring in CLI sec... (continued)

23 of 69 new or added lines in 15 files covered. (33.33%)

42 existing lines in 7 files now uncovered.

53168 of 81144 relevant lines covered (65.52%)

65.13 hits per line

Uncovered Changes

Lines Coverage File
19
57.14
 -11.15% pkg/auth/secrets/secrets.go
7
38.82
 -0.26% pkg/runner/runner.go
5
15.12
 0.0% cmd/thv/app/config_buildauthfile.go
2
18.67
 1.16% cmd/thv/app/config_buildenv.go
2
73.2
 0.0% pkg/runner/config.go
2
32.62
 0.0% pkg/runner/protocol.go
2
51.71
 0.0% pkg/workloads/manager.go
1
61.25
 0.0% cmd/thv/app/header_flags.go
1
30.56
 0.0% cmd/thv/app/registry_login.go
1
0.0
 0.0% cmd/thv/app/secret.go
1
35.56
 0.0% pkg/api/v1/secrets.go
1
26.47
 0.0% pkg/mcp/server/list_secrets.go
1
55.38
 0.0% pkg/mcp/server/set_secret.go
1
7.22
 0.0% pkg/runner/env.go

Coverage Regressions

Lines Coverage File
14
74.44
 -5.19% pkg/client/config.go
11
68.42
 -14.47% pkg/client/discovery.go
8
23.56
 -4.6% pkg/client/manager.go
3
79.38
 -0.77% pkg/transport/proxy/httpsse/http_proxy.go
3
83.02
 0.42% pkg/vmcp/composer/workflow_engine.go
2
71.43
 -1.68% pkg/vmcp/k8s/manager.go
1
38.82
 -0.26% pkg/runner/runner.go
Jobs
ID Job ID Ran Files Coverage
1 23841820976.1 593
65.52
 GitHub Action Run
Source Files on build 23841820976