stacklok / toolhive / 24251374421
66%

Build:
DEFAULT BRANCH: main
Ran 10 Apr 2026 03:52PM UTC
Jobs 1
Files 616
Run time 2min
10 Apr 2026 03:47PM UTC coverage: 65.394% (-0.1%) from 65.501%
24251374421

push

github

web-flow
Move CheckCreateServer policy check before image download (#4734)

* Move CheckCreateServer policy check before image download

The policy gate check was buried deep inside Runner.Run(), after image
download and auth/middleware initialization. Users had to wait for the
full image pull before learning their server was rejected by policy.

Split GetMCPServer into ResolveMCPServer (fast registry lookup) and
PullMCPServerImage (slow download), then check the policy gate between
the two. All three entry points (CLI, API, MCP handler) now share
EnforcePolicyAndPullImage which enforces the gate, skips pull for K8s
and remote servers, and delegates the actual pull to an injectable
ImagePuller. The existing check in Runner.Run stays as defense-in-depth.

Additional hardening from review:
- Remove fragile hoisted nil imageCtx; EnforcePolicyAndPullImage now
  accepts a pullTimeout and creates its own child context
- Remove dead GetMCPServer wrapper (no production callers)
- Defer ImageManager creation to protocol-scheme branch only, avoiding
  an expensive Docker daemon ping for registry lookups
- Add nil-runConfig test case for EnforcePolicyAndPullImage
- Document ActivePolicyGate export intent

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* Skip redundant Docker daemon ping for protocol-scheme images

For protocol-scheme images (npx://, uvx://, go://), ResolveMCPServer
already creates an ImageManager to build the image. The subsequent call
to PullMCPServerImage was creating a second ImageManager (and Docker
daemon connection) only to confirm the image already exists locally.

Add a locallyBuilt parameter to EnforcePolicyAndPullImage so callers
can signal when the image was built from a protocol scheme, skipping
the unnecessary pull.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

---------

Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

27 of 66 new or added lines in 7 files covered. (40.91%)

85 existing lines in 6 files now uncovered.

56179 of 85909 relevant lines covered (65.39%)

62.66 hits per line

Uncovered Changes

Lines Coverage ∆ File
15 30.3 -4.26% pkg/runner/retriever/retriever.go
13 30.75 -0.29% cmd/thv/app/run_flags.go
8 50.38 -2.42% pkg/mcp/server/run_server.go
2 72.82 0.16% pkg/api/v1/workload_service.go
1 3.94 0.0% cmd/thv/app/group.go

Coverage Regressions

Lines Coverage ∆ File
33 10.71 -16.84% pkg/container/images/registry.go
24 20.0 -60.0% pkg/container/images/keychain.go
18 30.3 -4.26% pkg/runner/retriever/retriever.go
6 0.0 -28.57% pkg/container/images/image.go
2 73.63 -0.64% pkg/runner/config.go
2 71.43 -1.68% pkg/vmcp/k8s/manager.go
Jobs
ID Job ID Ran Files Coverage
1 24251374421.1 10 Apr 2026 03:52PM UTC 616 65.39
GitHub Action Run
Source Files on build 24251374421
  • Tree
  • List 616
  • Changed 12
  • Source Changed 7
  • Coverage Changed 10
  • Github Actions Build #24251374421
  • 0021b0bc on github
  • Prev Build on main (#24250321846)
  • Next Build on main (#24251612365)