
stacklok / toolhive / 25382253119
65%

Build:
DEFAULT BRANCH: main
Ran 05 May 2026 02:29PM UTC
Jobs 1
Files 717
Run time 2min

05 May 2026 02:23PM UTC coverage: 64.683% (+0.02%) from 64.665%
25382253119

push

github

web-flow
Wire authserver DCR resolver and add structured logs (#5044)

* Wire authserver DCR resolver and add structured logs

Implements Phase 2 steps 2d/2g of the DCR story (#5039):

- EmbeddedAuthServer now owns an in-memory DCRCredentialStore and calls
  resolveDCRCredentials for any OAuth2 upstream with DCRConfig. The
  resolved ClientSecret is overlaid on the built upstream.OAuth2Config
  after buildPureOAuth2Config (whose signature and body remain
  intentionally unchanged) so that RFC 7591-obtained credentials flow
  through the same execution path as file/env-resolved secrets.
- Each UpstreamRunConfig element is shallow-copied and its OAuth2
  sub-config is deep-copied before DCR resolution, preserving the
  caller's RunConfig.Upstreams slice per .claude/rules/go-style.md
  "Copy Before Mutating Caller Input".
- resolveDCRCredentials emits structured logs: Debug on cache hit with
  dcr_age_days, an additional Warn when the cached registration exceeds
  dcrStaleAgeThreshold (90 days), and Error with a "step" attribute
  identifying which phase failed on every error path.
- The /oauth/register handler upgrades its success log to Info with
  upstream, issuer, client_id, software_id, token_endpoint_auth_method,
  and scopes. SoftwareID is threaded through DCRRequest validation so
  incoming "software_id" is captured. A small helper guards against a
  nil embedded *fosite.Config (a legitimate test-only condition).
- isTransientNetworkError's permanent-4xx branch now emits a Warn with
  a DCR remediation hint before returning false unchanged. The
  MonitoredTokenSource gains an optional SetUpstreamContext setter so
  the upstream and client_id fields can be threaded into the log
  without breaking the existing NewMonitoredTokenSource contract.
- Integration tests exercise the full DCR boot path against a mock AS,
  verify the cache-hit short-circuit issues zero additional HTTP
  requests, and assert the caller's original RunConfig.Upstreams slice
  element ... (continued)

217 of 287 new or added lines in 9 files covered. (75.61%)

9 existing lines in 3 files now uncovered.

62870 of 97197 relevant lines covered (64.68%)

59.82 hits per line

Uncovered Changes

Lines  Coverage  ∆       File
33     87.2      -4.36%  pkg/authserver/runner/dcr.go
19     36.41     -1.04%  pkg/runner/runner.go
12     79.92     -1.45%  pkg/auth/monitored_token_source.go
6      88.54     -0.66%  pkg/authserver/runner/embeddedauthserver.go

Coverage Regressions

Lines  Coverage  ∆       File
6      76.15     -5.5%   pkg/secrets/keyring/keyctl_linux.go
2      90.0      -2.45%  pkg/authserver/server/handlers/handler.go
1      87.2      -4.36%  pkg/authserver/runner/dcr.go

Jobs

ID  Job ID         Ran                      Files  Coverage
1   25382253119.1  05 May 2026 02:29PM UTC  717    64.68
  • 9572f6ad on github
  • Prev Build on main (#25374164061)
  • Next Build on main (#25403856720)