stacklok / toolhive-studio / 24656787005
70%

DEFAULT BRANCH: main
Ran
Jobs 1
Files 458
Run time 1min
Badge
Embed ▾
README BADGES
x

If you need to use a raster PNG badge, change the '.svg' to '.png' in the link

Markdown

Textile

RDoc

HTML

Rst
coverage: 65.732% (+0.2%) from 65.526%
24656787005

push

github

web-flow 
fix(ipc): validate workload payload on utils:get-workload-available-tools handler (#2037)

* fix(ipc): validate workload payload on utils:get-workload-available-tools handler

The handler previously forwarded the raw `workload` argument straight to
getWorkloadAvailableTools, which expects the generated CoreWorkload type.
An earlier attempt (#1978) introduced a local `Workload` interface with
`name: string` and an `isWorkload` guard that only checked `typeof value' ===
`object`, so it neither matched the real type nor actually enforced a name.

- Add `isCoreWorkload` that rejects non-objects, `null`, and arrays, and
  validates `name`, `url`, `transport_type`, `proxy_mode`, `port`, and
  `remote` match their declared types when present
- Throw a `TypeError` at the IPC boundary for malformed payloads instead of
  forwarding them into the AI SDK / MCP client
- Reuse `GithubComStacklokToolhivePkgCoreWorkload` from
  `@common/api/generated/types.gen` rather than defining a parallel type

* refactor(preload): type getWorkloadAvailableTools workload as CoreWorkload

The preload wrapper and `UtilsAPI` interface both typed the workload
parameter as `unknown`, which hid the real contract from callers and
prevented the TypeScript compiler from catching misuse. The only caller
(`customize-tools/page.tsx`) already passes a CoreWorkload, so no call-site
changes are needed.

- Import `GithubComStacklokToolhivePkgCoreWorkload` and use it for both the
  runtime wrapper and the exported `UtilsAPI` type

* fix(ipc): tighten workload validation on utils:get-workload-available-tools

Address Copilot review on #2037: the previous guard accepted any string
for transport_type / proxy_mode and any number for port, so prototype
keys like `__proto__` would fall through into createTransport, and
`NaN` / non-http URLs could reach `new URL(...)` at the transport layer.

- Restrict `transport_type` to {stdio, streamable-http, sse} and
  `proxy_mode` to {sse, streamable-http} via ex... (continued)

3621 of 6020 branches covered (60.15%)

30 of 30 new or added lines in 1 file covered. (100.0%)

5743 of 8737 relevant lines covered (65.73%)

120.27 hits per line

Jobs
ID Job ID Ran Files Coverage
1 24656787005.1 458
65.73
 GitHub Action Run
Source Files on build 24656787005