stacklok / toolhive / 23841820976

01 Apr 2026 09:28AM UTC coverage: 65.523% (-0.02%) from 65.542%

push

github

web-flow
Wire all secret callers to scoped and user providers (#4465)

* Add migration window fallback to ScopedProvider.GetSecret

When a user upgrades ToolHive, system secrets may still exist under
bare keys (e.g. BEARER_TOKEN_foo) until the secret scope migration
completes. If migration fails or hasn't run yet, ScopedProvider
callers would be unable to find their secrets under the new scoped
key (__thv_workloads_BEARER_TOKEN_foo), breaking workload auth.

Add a transparent fallback in ScopedProvider.GetSecret: on a
not-found response for the scoped key, also try the bare (pre-
migration) key. Once migration completes and bare keys are deleted,
the fallback finds nothing and becomes a natural no-op — no config
check or injection needed.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

* Fix paralleltest linter error in migration fallback test

Add t.Parallel() to TestScopedProvider_GetSecret_MigrationFallback and
its subtests to satisfy the paralleltest linter requirement.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

* Wire all secret callers to scoped and user providers

Update every call site that creates a secrets provider to use the
appropriate wrapper introduced in Phase 1:

- System callers (workload auth tokens, registry credentials, build auth
  files) now use CreateScopedSecretProvider, placing secrets under the
  __thv_<scope>_ prefix and hiding them from user-facing commands.
- User-facing callers (thv secret commands, REST API, MCP tool server,
  header secrets, build-env-from-secrets) now use CreateUserSecretProvider,
  blocking access to __thv_* reserved keys.
- RunConfig.WithSecrets and ValidateSecrets now accept separate system and
  user providers so auth-token resolution and --secret flag resolution use
  the correct scope independently.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

* Add E2E tests for system key protection in user-facing secret commands

Verify that the UserProvider wiring in CLI sec... (continued)
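
The scoping behaviour the commit message describes, as an added Go sketch that is not ToolHive's code: a scoped read that falls back to the bare pre-migration key only on not-found, and a user-facing read that refuses `__thv_` keys. Every type, function and error name here is hypothetical, and the in-memory store and its values are constructed; only the `__thv_<scope>_` key layout is taken from the commit message.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

// Hypothetical names throughout; only the __thv_<scope>_ key layout comes from the commit message.
const reservedPrefix = "__thv_"
var errNotFound = errors.New("secret not found")
var errReserved = errors.New("reserved system key")

// memStore is a constructed stand-in for a real secrets backend.
type memStore map[string]string

func (m memStore) get(key string) (string, error) {
	if v, ok := m[key]; ok {
		return v, nil
	}
	return "", errNotFound
}

// scopedProvider serves system callers: scoped key first, bare key only on not-found.
type scopedProvider struct{ store memStore; scope string }

func (p scopedProvider) GetSecret(name string) (string, error) {
	v, err := p.store.get(reservedPrefix + p.scope + "_" + name)
	if errors.Is(err, errNotFound) {
		return p.store.get(name) // migration-window fallback to the pre-migration key
	}
	return v, err // any other error is returned as-is, never masked by the fallback
}

// userProvider serves user-facing callers and refuses reserved system keys.
type userProvider struct{ store memStore }

func (p userProvider) GetSecret(name string) (string, error) {
	if strings.HasPrefix(name, reservedPrefix) {
		return "", errReserved
	}
	return p.store.get(name)
}

func main() {
	s := memStore{"BEARER_TOKEN_foo": "legacy", "__thv_workloads_BEARER_TOKEN_bar": "scoped"}
	fmt.Println(scopedProvider{s, "workloads"}.GetSecret("BEARER_TOKEN_foo"))
	fmt.Println(userProvider{s}.GetSecret("__thv_workloads_BEARER_TOKEN_bar"))
}
```

In this sketch a bare pre-migration key stays readable through the user-facing provider until it is deleted, because it carries no reserved prefix.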

23 of 69 new or added lines in 15 files covered. (33.33%)

42 existing lines in 7 files now uncovered.

53168 of 81144 relevant lines covered (65.52%)

65.13 hits per line

Source File

79.38
/pkg/transport/proxy/httpsse/http_proxy.go


Source Not Available
