stacklok / toolhive / 24162773446

coverage: 64.942% (-0.02%) from 64.962%
24162773446

push

github

web-flow 
Wire rate limit middleware into proxy runner chain (#4652)

* Add rate limit HTTP middleware with error helpers

Implement the rate limit middleware factory and handler that wires into
the proxy runner middleware chain.

The handler:
- Passes through when MCP parser context is missing (non-JSON-RPC
  requests like health checks and SSE streams)
- Only rate-limits tools/call requests; other methods pass through
- Fails open on Redis errors (logs warning, allows request)
- Returns HTTP 429 with JSON-RPC -32029 error and Retry-After header

The factory pings Redis at startup with a 5s timeout to fail fast on
misconfiguration rather than silently failing open on every request.

Tests use a dummy Limiter implementation to verify handler behavior
without Redis: allowed, rejected, fail-open, missing context
passthrough, and non-tools/call passthrough.

Part of #4551

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* Wire rate limit middleware into proxy runner chain

Register the rate limit middleware factory and add it to the proxy
runner middleware chain, positioned after MCP parser (needs tool name
from context) and before validating webhooks.

The operator reconciler maps spec.rateLimiting directly to the
RunConfig, carrying the CRD type without intermediate config types.
The middleware factory creates a Redis client from session storage
config and builds the Limiter at startup.

Move populateScalingConfig before PopulateMiddlewareConfigs in the
reconciler so SessionRedis config is available when the rate limit
middleware reads it. Validate that Redis session storage is configured
when rate limiting is enabled, with a clear error message.

Part of #4551

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* Add E2E acceptance tests for rate limiting

Ginkgo-based E2E tests that deploy Redis and an MCPServer with rate
limiting in a Kind cluster and verify runtime enforcement:

- AC7: Send requests exceeding the shar... (continued)

84 of 132 new or added lines in 4 files covered. (63.64%)

19 existing lines in 5 files now uncovered.

55023 of 84726 relevant lines covered (64.94%)

63.36 hits per line

Source File
Press 'n' to go to next uncovered line, 'b' for previous

79.38
/pkg/transport/proxy/httpsse/http_proxy.go


Source Not Available