stacklok / toolhive / 24294392793
66%

DEFAULT BRANCH: main
Ran
Jobs 1
Files 616
Run time 1min
Badge
Embed ▾
README BADGES
x

If you need to use a raster PNG badge, change the '.svg' to '.png' in the link

Markdown

Textile

RDoc

HTML

Rst
coverage: 65.545% (+0.04%) from 65.501%
24294392793

push

github

web-flow 
Enforce non-registry-server policy gate for remote URL workloads (#4752)

* Enforce non-registry-server policy gate for remote URLs and at call site

Three gaps allowed a non_registry_servers policy (enforced: true, value:
false) to be bypassed when running remote MCP servers via URL:

- runner.go: CheckCreateServer was inside the `if RemoteURL == ""` block,
  so remote URL workloads skipped the gate on restart/foreground runs.
  Moved it outside the branch so it covers both local and remote.

- policy_gate.go: Added EagerCheckCreateServer so CLI and API layers can
  call the gate synchronously before detaching. This surfaces violations
  with a non-zero exit code in the calling process, not silently in a
  background worker log.

- run.go / workload_service.go: Call EagerCheckCreateServer before
  SaveState and RunWorkloadDetached so the CLI fails fast with exit 1
  and the API returns an error before persisting any state (preventing
  broken-state UI entries).

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

* Apply EagerCheckCreateServer to runFromConfigFile path

The --from-config path called SaveState without a preceding policy
check, leaving the same race condition the previous commit fixed in
runSingleServer and CreateWorkloadFromRequest.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

* Apply EagerCheckCreateServer in run_server.go MCP tool path

EnforcePolicyAndPullImage returns nil early when
serverMetadata.IsRemote() == true, skipping CheckCreateServer entirely
for registry-defined remote servers launched via the embedded MCP tool.
This left saveAndRunServer able to persist state and spawn a detached
worker before any policy check ran.

Add EagerCheckCreateServer after EnforcePolicyAndPullImage and before
saveAndRunServer to close the gap, matching the pattern used in
runSingleServer and CreateWorkloadFromRequest.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

---------

Co-authored-by: Claude Sonnet 4.6 ... (continued)

9 of 20 new or added lines in 5 files covered. (45.0%)

4 existing lines in 2 files now uncovered.

56428 of 86090 relevant lines covered (65.55%)

62.96 hits per line

Uncovered Changes

Lines Coverage File
6
6.78
 -0.14% cmd/thv/app/run.go
3
49.25
 -1.13% pkg/mcp/server/run_server.go
2
37.7
 0.1% pkg/runner/runner.go

Coverage Regressions

Lines Coverage File
2
94.77
 -1.31% pkg/vmcp/composer/dag_executor.go
2
71.43
 -1.68% pkg/vmcp/k8s/manager.go
Jobs
ID Job ID Ran Files Coverage
1 24294392793.1 616
65.55
 GitHub Action Run
Source Files on build 24294392793