25382253119

Committed 05 May 2026 02:23PM UTC coverage: 64.683% (+0.02%) from 64.665%

Build # 25382253119

Build Type

push

github

Committed by

web-flow

Commit Message

Wire authserver DCR resolver and add structured logs (#5044)

* Wire authserver DCR resolver and add structured logs

Implements Phase 2 steps 2d/2g of the DCR story (#5039):

- EmbeddedAuthServer now owns an in-memory DCRCredentialStore and calls
  resolveDCRCredentials for any OAuth2 upstream with DCRConfig. The
  resolved ClientSecret is overlaid on the built upstream.OAuth2Config
  after buildPureOAuth2Config (whose signature and body remain
  intentionally unchanged) so that RFC 7591-obtained credentials flow
  through the same execution path as file/env-resolved secrets.
- Each UpstreamRunConfig element is shallow-copied and its OAuth2
  sub-config is deep-copied before DCR resolution, preserving the
  caller's RunConfig.Upstreams slice per .claude/rules/go-style.md
  "Copy Before Mutating Caller Input".
- resolveDCRCredentials emits structured logs: Debug on cache hit with
  dcr_age_days, an additional Warn when the cached registration exceeds
  dcrStaleAgeThreshold (90 days), and Error with a "step" attribute
  identifying which phase failed on every error path.
- The /oauth/register handler upgrades its success log to Info with
  upstream, issuer, client_id, software_id, token_endpoint_auth_method,
  and scopes. SoftwareID is threaded through DCRRequest validation so
  incoming "software_id" is captured. A small helper guards against a
  nil embedded *fosite.Config (a legitimate test-only condition).
- isTransientNetworkError's permanent-4xx branch now emits a Warn with
  a DCR remediation hint before returning false unchanged. The
  MonitoredTokenSource gains an optional SetUpstreamContext setter so
  the upstream and client_id fields can be threaded into the log
  without breaking the existing NewMonitoredTokenSource contract.
- Integration tests exercise the full DCR boot path against a mock AS,
  verify the cache-hit short-circuit issues zero additional HTTP
  requests, and assert the caller's original RunConfig.Upstreams slice
  element ... (continued)

Coverage Stats

217 of 287 new or added lines in 9 files covered. (75.61%)

9 existing lines in 3 files now uncovered.

62870 of 97197 relevant lines covered (64.68%)

59.82 hits per line

Source File
Press 'n' to go to next uncovered line, 'b' for previous

88.54

/pkg/authserver/runner/embeddedauthserver.go

stacklok / toolhive / 25382253119

Source File Press 'n' to go to next uncovered line, 'b' for previous

Source Not Available

Source File
Press 'n' to go to next uncovered line, 'b' for previous