stacklok / toolhive / 24212190051
66%

Build:
DEFAULT BRANCH: main
Ran 09 Apr 2026 08:44PM UTC
Jobs 1
Files 617
Run time 2min
09 Apr 2026 08:38PM UTC coverage: 65.108% (+0.06%) from 65.053%
24212190051

push

github

web-flow
Add per-user rate limit types and limiter support (#4692)

* Add per-user rate limit CRD types and CEL validation

Add PerUser field to RateLimitConfig and ToolRateLimitConfig so
administrators can configure per-user token bucket rate limits on
MCPServer. Make ToolRateLimitConfig.Shared optional since a tool
entry may now have only a perUser limit.

CEL admission validation enforces that perUser rate limiting
requires authentication (oidcConfig, oidcConfigRef, or
externalAuthConfigRef) at both server-level and per-tool level.
The existing "at least one scope" rule is updated to include
perUser alongside shared and tools.

Add RateLimitConfigValid condition type and reason constants for
use in the operator reconciler (wired in a following commit).

Part of #4550

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* Add RateLimitConfigValid status condition to reconciler

Validate that per-user rate limiting has authentication enabled at
reconciliation time (defense-in-depth alongside CEL admission).
Set RateLimitConfigValid condition with appropriate reason:
- RateLimitConfigValid when configuration is valid
- PerUserRequiresAuth when perUser is set without auth
- RateLimitNotApplicable when rate limiting is not configured

Part of #4550

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* Support per-user buckets in rate limiter

Extend the limiter to create per-user token buckets keyed by userID.
Per-user buckets are stored as deferred specs (bucketSpec) at
construction time and materialized into TokenBucket structs at Allow()
time since the userID is request-scoped. bucket.New() only allocates
a struct (no I/O), so per-request creation is cheap.

All applicable buckets (shared server, shared per-tool, per-user
server, per-user per-tool) are checked atomically via ConsumeAll.
The Lua script's two-phase check-then-consume ensures a per-user
rejection does not drain the shared bucket.

Redis keys follow the RFC fo... (continued)

105 of 109 new or added lines in 3 files covered. (96.33%)

9 existing lines in 2 files now uncovered.

56680 of 87056 relevant lines covered (65.11%)

62.03 hits per line

Uncovered Changes

Lines   Coverage   ∆        File
4       58.8       1.01%    cmd/thv-operator/controllers/mcpserver_controller.go

Coverage Regressions

Lines   Coverage   ∆        File
6       76.15      -5.5%    pkg/secrets/keyring/keyctl_linux.go
3       79.38      -0.77%   pkg/transport/proxy/httpsse/http_proxy.go

Jobs
ID   Job ID          Ran                       Files   Coverage
1    24212190051.1   09 Apr 2026 08:44PM UTC   617     65.11
GitHub Action Run
Source Files on build 24212190051
  • Tree
  • List 617
  • Changed 7
  • Source Changed 5
  • Coverage Changed 7
  • Github Actions Build #24212190051
  • 65a78f49 on github
  • Prev Build on main (#24210849802)
  • Next Build on main (#24212213832)