stacklok / toolhive / 25168703213

30 Apr 2026 01:40PM UTC coverage: 64.302% (+0.02%) from 64.281%
push

github

web-flow
Support CIMD as preferred OAuth client registration for thv run (#5085)

* Support CIMD as preferred OAuth client registration for thv run

When a remote authorization server advertises
client_id_metadata_document_supported in its discovery document,
thv run now presents https://toolhive.dev/oauth/client-metadata.json
as its client_id instead of performing a DCR round-trip. Falls back
to DCR gracefully if the AS rejects the CIMD client_id.

The CIMD check runs inside PerformOAuthFlow before the DCR gate so
it works regardless of which issuer discovery path was taken
(configured issuer, realm-derived, or resource metadata).

Includes hack/mock-cimd-server for local E2E testing.

Closes #4826

Co-Authored-By: Claude Sonnet 4.6 (1M context) <noreply@anthropic.com>

* Fix lint issues and resolve pkg/oauth → pkg/oauthproto rename

- Move cimd.go and cimd_test.go to pkg/oauthproto, update package declaration
- Update imports from pkg/oauth to pkg/oauthproto in handler.go and handler_test.go
- Fix CodeQL SSRF alert in mock-cimd-server: validate redirect_uri is localhost
  before making outbound request; use io.Discard to drain response body
- Fix revive lint: unused parameter, redefined builtin min
- Fix errcheck lint: handle resp.Body.Close error

Co-Authored-By: Claude Sonnet 4.6 (1M context) <noreply@anthropic.com>

* Clean up: remove manual test artifacts, extend E2E mock server

- Remove hack/mock-cimd-server: was added for a manual test session but
  has no E2E test coverage and does not belong in the final PR
- Remove toolhive-client-metadata.json: the authoritative copy is in the
  infra repo (stacklok/infra#4549) where it gets deployed to
  https://toolhive.dev/oauth/client-metadata.json via CloudFront
- Add client_id_metadata_document_supported: true to test/e2e/oidc_mock.go
  discovery document so the existing E2E mock server is CIMD-capable for
  future integration tests

Co-Authored-By: Claude Sonnet 4.6 (1M context) <noreply@anthropic.com>

* A... (continued)

34 of 74 new or added lines in 5 files covered. (45.95%)

5 existing lines in 3 files now uncovered.

61205 of 95184 relevant lines covered (64.3%)

59.89 hits per line

Source File

37.39
/pkg/auth/remote/handler.go


Source Not Available
