
stacklok / toolhive / build 23863487953
Coverage: 65%

Build:
Default branch: main
Ran: 01 Apr 2026 06:13PM UTC
Jobs: 1
Files: 598
Run time: 2min

01 Apr 2026 06:07PM UTC coverage: 65.611% (+0.09%) from 65.521%
Build 23863487953, triggered by push (github, web-flow)
Enforce Cedar policies on upstream IDP token claims (#4448)

- Cedar policies could not reference upstream IDP claims (e.g. GitHub login, Okta groups) because the Cedar authorizer always evaluated against ToolHive-issued JWT claims, while upstream tokens stored in `identity.UpstreamTokens` were never read.
- Two additional gaps made group-based policies entirely non-functional: `Identity.Groups` was never populated despite a code comment saying authorization logic "MUST" do this extraction, and `CreatePrincipalEntity` always produced empty `Parents` sets, making `principal in THVGroup::"engineering"` always evaluate to false.
- This change wires all three gaps: adds a `PrimaryUpstreamProvider` config option to the Cedar authorizer so it can read upstream IDP token claims, adds `ExtractGroupsFromClaims` to populate groups from those claims, and updates `CreatePrincipalEntity`/`CreateEntitiesForRequest` to build the `THVGroup` parent entity hierarchy so Cedar's `in` operator works for group membership.

144 of 155 new or added lines in 5 files covered. (92.9%)

9 existing lines in 4 files now uncovered.

53614 of 81715 relevant lines covered (65.61%)

65.03 hits per line

Uncovered Changes

Lines  Coverage  ∆       File
6      75.14     0.86%   pkg/runner/config_builder.go
3      74.4      0.67%   pkg/runner/middleware.go
2      96.23     0.18%   pkg/authz/authorizers/cedar/core.go

Coverage Regressions

Lines  Coverage  ∆        File
3      71.85     -1.11%   pkg/ignore/processor.go
3      79.38     -0.77%   pkg/transport/proxy/httpsse/http_proxy.go
2      94.77     -1.31%   pkg/vmcp/composer/dag_executor.go
1      75.14     0.86%    pkg/runner/config_builder.go

Jobs

ID  Job ID         Ran                      Files  Coverage
1   23863487953.1  01 Apr 2026 06:13PM UTC  598    65.61    (GitHub Action Run)

Source Files on build 23863487953: 598 files listed, 15 changed, 6 with source changes, 15 with coverage changes.

Commit 5c258a11 on github. Previous build on main: #23863251809. Next build on main: #23864539872.

© 2026 Coveralls, Inc