stacklok / toolhive / 25815742990
67%

DEFAULT BRANCH: main
Ran
Jobs 1
Files 729
Run time 2min
Badge
Embed ▾
README BADGES
x

If you need to use a raster PNG badge, change the '.svg' to '.png' in the link

Markdown

Textile

RDoc

HTML

Rst
coverage: 65.346% (+0.1%) from 65.239%
25815742990

push

github

web-flow 
Migrate CLI OAuth flow to pkg/auth/dcr resolver (#5250)

* Migrate CLI OAuth flow to pkg/auth/dcr resolver

Sub-issue 4b of #5145. The CLI OAuth flow at
pkg/auth/discovery::PerformOAuthFlow used to call
oauthproto.RegisterClientDynamically directly, so it did not inherit the
review-property behaviours added during #5042 (S256 PKCE gating, RFC 7591
§3.2.1 expiry-driven refetch, bearer-token transport with redirect
refusal, panic recovery, singleflight deduplication). This commit routes
that call site through the shared pkg/auth/dcr resolver introduced in
sub-issue 4a (PR #5198) and pins the invariant with a CI grep guard.

Profile-neutral resolver input: pkg/auth/dcr now exposes a Request struct
that carries exactly the fields the resolver reads (issuer, redirect
URI, scopes, discovery URL or registration endpoint, optional explicit
endpoint overrides, initial access token, client name, public-client
flag). ResolveCredentials takes a Request and no longer imports
authserver / upstream domain types. The embedded-authserver adapter
helpers (needsDCR, consumeResolution, applyResolutionToOAuth2Config)
move to pkg/authserver/runner/dcr_adapter.go where they belong by
ownership.

CLI persistence model: option (b) from the issue. The resolver runs
against an in-memory dcr.CredentialStore scoped to one PerformOAuthFlow
invocation. Cross-invocation persistence is handled outside the resolver
by pkg/auth/remote/handler.go's existing CachedClientID /
CachedClientSecretRef fields, which already preserved cross-invocation
reuse and continue to do so unchanged. Wrapping the secretProvider into
a CredentialStore adapter (option (a)) was rejected as out-of-scope
churn — the existing remote-handler caching is sufficient.

PublicClient flag: a new bool on dcr.Request tells the resolver to
register as a public PKCE client (token_endpoint_auth_method=none).
The S256 gate still fires — the CLI surfaces a clear resolver error
rather than silently downgrading when upstream a... (continued)

226 of 248 new or added lines in 5 files covered. (91.13%)

5 existing lines in 3 files now uncovered.

64595 of 98850 relevant lines covered (65.35%)

61.38 hits per line

Uncovered Changes

Lines Coverage File
13
88.53
 1.75% pkg/auth/dcr/resolver.go
4
82.05
 4.77% pkg/auth/discovery/discovery.go
2
96.23
 pkg/authserver/runner/dcr_adapter.go
2
88.77
 -0.34% pkg/authserver/runner/embeddedauthserver.go
1
95.83
 -0.17% pkg/auth/dcr/store.go

Coverage Regressions

Lines Coverage File
2
93.94
 -6.06% pkg/foreach/foreach.go
2
82.29
 -0.21% pkg/vmcp/composer/workflow_engine.go
1
88.53
 1.75% pkg/auth/dcr/resolver.go
Jobs
ID Job ID Ran Files Coverage
1 25815742990.1 729
65.35
 GitHub Action Run
Source Files on build 25815742990