stacklok / toolhive / 25670981555
66%

DEFAULT BRANCH: main
Ran
Jobs 1
Files 725
Run time 2min
Badge
Embed ▾
README BADGES
x

If you need to use a raster PNG badge, change the '.svg' to '.png' in the link

Markdown

Textile

RDoc

HTML

Rst
coverage: 64.952% (+0.03%) from 64.924%
25670981555

push

github

web-flow 
Forward MCPServerEntry headerForward to vMCP outbound requests (#5239)

* Add wirefmt package and HeaderForwardConfig types

The wirefmt package centralizes the env-var encoding shared between the
operator (which emits TOOLHIVE_HEADER_FORWARD_<entry> manifests) and the
vMCP runtime (which parses them). HeaderForwardConfig and the Backend /
BackendTarget fields carry per-backend header forwarding state through
the vMCP domain types.

* Adopt wirefmt in MCPRemoteProxy controller

Replace the local SecretEnvVarName helpers with the shared wirefmt
encoder so the operator and vMCP runtime stay in lockstep on env-var
naming.

* Refactor externalauth helpers in operator controllerutil

Surfaced while wiring headerForward through the MCPRemoteProxy and
MCPServerEntry controllers. Tightens the helper contracts so callers
in the new code paths share the same lookup signature.

* Validate headerForward Secret refs on MCPServerEntry

The headerForward field already exists on the MCPServerEntry CRD; this
commit adds the reconciler validation that walks
spec.headerForward.addHeadersFromSecret, confirms each referenced
Secret exists in the namespace, and surfaces the result as a
HeaderSecretRefsValidated status condition. Mirrors the validation
MCPRemoteProxy already performs for its header Secret refs.

* Emit headerForward env vars from VirtualMCPServer deployment

The VirtualMCPServer reconciler now renders the entry-side
headerForward manifest into the vMCP pod env via the wirefmt encoding.
Plaintext values land directly; Secret-backed values become
valueFrom.secretKeyRef so the runtime never sees raw secret material
in CRD or pod spec.

* Apply headerForward in vMCP client

The HTTP client decorator injects per-backend headers (plaintext and
Secret-resolved) on every outbound request: list, call, and health
checks. Secret identifiers are resolved through the standard
EnvironmentProvider, so the client never holds raw secret values.

* Thread per-backend headerF... (continued)

281 of 371 new or added lines in 13 files covered. (75.74%)

18 existing lines in 5 files now uncovered.

63974 of 98495 relevant lines covered (64.95%)

62.33 hits per line

Uncovered Changes

Lines Coverage File
59
53.26
 -2.64% cmd/thv-operator/controllers/mcpserverentry_controller.go
15
74.77
 1.12% cmd/thv-operator/controllers/virtualmcpserver_deployment.go
14
82.28
 pkg/vmcp/client/header_forward.go
2
71.92
 0.54% pkg/vmcp/client/client.go

Coverage Regressions

Lines Coverage File
6
72.35
 -1.29% pkg/runner/config.go
6
76.15
 -5.5% pkg/secrets/keyring/keyctl_linux.go
3
71.85
 -1.11% pkg/ignore/processor.go
2
82.29
 -0.21% pkg/vmcp/composer/workflow_engine.go
1
53.26
 -2.64% cmd/thv-operator/controllers/mcpserverentry_controller.go
Jobs
ID Job ID Ran Files Coverage
1 25670981555.1 725
64.95
 GitHub Action Run
Source Files on build 25670981555