stacklok / toolhive / 25216196995
65%

Build:
DEFAULT BRANCH: main
Ran 01 May 2026 01:39PM UTC
Jobs 1
Files 711
Run time 2min
01 May 2026 01:32PM UTC coverage: 64.48% (+0.1%) from 64.357%
25216196995

push

github

web-flow
Add authserver DCR credential store and resolver (#5042)

* Add authserver DCR credential store and resolver

Implements Phase 2 steps 2f/2c of the DCR story (#5038):

- DCRCredentialStore interface with in-memory implementation keyed by
  (Issuer, RedirectURI, ScopesHash). No TTL — RFC 7591 registrations
  are long-lived and only purged by explicit deregistration. The
  ScopesHash tuple is designed to compose a Redis key segment in
  Phase 3 without redefining the canonical form.
- resolveDCRCredentials performs cache lookup, authorization server
  metadata discovery (or direct registration endpoint), explicit
  endpoint override, auth-method intersection against the preference
  order private_key_jwt > client_secret_basic > client_secret_post >
  none, synthesis of {origin}/register when metadata omits
  registration_endpoint, and a single call to
  oauthproto.RegisterClientDynamically with the initial access token
  injected as Authorization: Bearer via a wrapping RoundTripper.
- Resolution stored before returning, per the write-durable-first
  rule in .claude/rules/go-style.md.

Address code review feedback on DCR resolver

Fixed issues from code review:

- HIGH: DCRUpstreamConfig.DiscoveryURL now honoured. Added
  oauthproto.FetchAuthorizationServerMetadataFromURL which fetches
  the operator-configured URL exactly (no well-known-path fallback)
  and enforces RFC 8414 §3.3 issuer equality. Updated field doc
  comments to match behaviour.
- HIGH: TestResolveDCRCredentials_CacheHitShortCircuits rewritten
  to wire the count-everything server as the issuer and assert
  totalRequests == 0, so a regression that moved discovery before
  the cache lookup would actually fail the test.
- MEDIUM: Added tests for discovered-scopes fallback and empty-scope
  omitted-field branches.
- MEDIUM: Exposed oauthproto.NewDefaultDCRClient so newDCRHTTPClient
  inherits the canonical DCR timeout policy rather than duplicating
  it — future timeout changes propagate au... (continued)

438 of 474 new or added lines in 5 files covered. (92.41%)

34 existing lines in 4 files now uncovered.

61782 of 95816 relevant lines covered (64.48%)

60.2 hits per line

Uncovered Changes

Lines  Coverage  ∆        File
34     91.56              pkg/authserver/runner/dcr.go
2      94.54     4.34%    pkg/oauthproto/discovery.go

Coverage Regressions

Lines  Coverage  ∆        File
12     75.09     -4.33%   pkg/client/config.go
12     67.9      -14.81%  pkg/client/discovery.go
8      23.56     -4.6%    pkg/client/manager.go
2      82.29     -0.21%   pkg/vmcp/composer/workflow_engine.go

Jobs
ID  Job ID         Ran                      Files  Coverage
1   25216196995.1  01 May 2026 01:39PM UTC  711    64.48
GitHub Action Run
Source Files on build 25216196995
  • Tree
  • List 711
  • Changed 12
  • Source Changed 4
  • Coverage Changed 11
  • b5321563 on github