stacklok / toolhive / 25732412599
66%

DEFAULT BRANCH: main
Ran
Jobs 1
Files 727
Run time 2min
Badge
Embed ▾
README BADGES
x

If you need to use a raster PNG badge, change the '.svg' to '.png' in the link

Markdown

Textile

RDoc

HTML

Rst
coverage: 65.048% (+0.03%) from 65.014%
25732412599

push

github

web-flow 
Allow operators to inject baseline scopes into DCR registrations (#5233)

* Add BaselineClientScopes to embedded auth CRD

Some DCR clients narrow the scope field at /oauth/register but later
request additional scopes at /oauth/authorize, getting rejected with
invalid_scope. RFC 7591 §3.1.1 explicitly permits the AS to override
the registered scope, so let operators declare a baseline set that the
embedded auth server unions into every DCR registration.

This commit only adds the CRD field. The plumbing through RunConfig,
the runner, the server provider, and the DCR handler comes in
subsequent commits.

Refs #5224

* Plumb BaselineClientScopes into auth server RunConfig

Add the BaselineClientScopes field on the on-disk RunConfig and copy
it from the CRD's EmbeddedAuthServerConfig in the operator-side
builder. The runtime Config and the DCR handler are wired in
subsequent commits; startup validation that the baseline is a subset
of ScopesSupported lands with the next commit.

Refs #5224

* Validate baseline scopes are subset of supported

If an operator configures baseline_client_scopes with a value missing
from scopes_supported, the embedded DCR handler would later register
clients with a scope the server does not advertise, and fosite would
reject those clients at /oauth/authorize with invalid_scope. Catching
the misconfiguration at startup gives operators a clear error instead
of debugging silent rejections in production.

Add RunConfig.Validate() with a subset check, and call it from the
runner entry point before any secret resolution or HTTP wiring.
errors.Join wraps the (currently single) sub-check so future
RunConfig invariants compose without dropping existing checks.

Refs #5224

* Resolve baseline scopes into runtime Config

Add BaselineClientScopes to the runtime Config struct and copy it
from RunConfig in the runner's resolvedCfg block. The DCR handler
needs the baseline at request time, so it must travel through the
runtime Config the sam... (continued)

97 of 105 new or added lines in 10 files covered. (92.38%)

4 existing lines in 2 files now uncovered.

64131 of 98591 relevant lines covered (65.05%)

61.81 hits per line

Uncovered Changes

Lines Coverage File
4
45.03
 -0.05% cmd/thv-operator/api/v1beta1/zz_generated.deepcopy.go
2
89.04
 -0.35% pkg/authserver/runner/embeddedauthserver.go
2
86.11
 -0.44% pkg/authserver/server/provider.go

Coverage Regressions

Lines Coverage File
2
73.63
 -0.64% pkg/runner/config.go
2
82.29
 -0.21% pkg/vmcp/composer/workflow_engine.go
Jobs
ID Job ID Ran Files Coverage
1 25732412599.1 727
65.05
 GitHub Action Run
Source Files on build 25732412599