stacklok / toolhive / 26060621765
66%

DEFAULT BRANCH: main
Ran
Jobs 1
Files 730
Run time 2min
Badge
Embed ▾
README BADGES
x

If you need to use a raster PNG badge, change the '.svg' to '.png' in the link

Markdown

Textile

RDoc

HTML

Rst
coverage: 65.512% (-0.009%) from 65.521%
26060621765

push

github

web-flow 
Wire HeaderForward into vMCP per-session HTTP client (#5301)

* Wire HeaderForward into vMCP session HTTP client

PR #5239 added HeaderForward support to the startup capability-discovery client at pkg/vmcp/client/client.go, but the per-session MCP HTTP client in pkg/vmcp/session/internal/backend builds a parallel transport chain (DefaultTransport -> auth -> identity) that never reads target.HeaderForward. Every post-initialize MCP call (tools/list, tools/call, ...) therefore reaches the upstream without user-configured headers, leaving features like GitHub Copilot's X-MCP-Toolsets filter silently broken in v0.27.2.

Construct a single secrets.EnvironmentProvider at connector build time, plumb it into createMCPClient, and wrap the shared chain with BuildHeaderForwardTripper as the outermost stage so vMCP auth/identity headers still win on overlapping names. Export the existing helper from pkg/vmcp/client so the session backend can reuse it without duplication.

Fixes #5289

* Tighten HeaderForward test coverage and docs

Fix the inverted chain-ordering comments on mcp_session.go's transport
chain assembly and on headerForwardRoundTripper.RoundTrip. The outermost
wrapper runs FIRST on the outbound request, so header-forward injects
onto a request without auth/identity headers and the inner stages then
overwrite with Set(). The previous wording claimed the opposite. The
production behaviour is unchanged; only the doc text moved.

Replace headerCapturingBackend with the shared fakeBackend by adding
headersByMethod / headersFor and a tools/call handler. This removes a
near-duplicate fake server in the session backend tests.

Extend the header-forward test to cover overlap precedence (an inner
auth stage's value wins on the wire when both sides set the same name)
and AddHeadersFromSecret end-to-end via t.Setenv against the env-backed
secrets provider. Add a restricted-name rejection case to prove the
resolveHeaderForward guard is wired into the session-side... (continued)

15 of 15 new or added lines in 1 file covered. (100.0%)

22 existing lines in 6 files now uncovered.

64793 of 98903 relevant lines covered (65.51%)

62.75 hits per line

Coverage Regressions

Lines Coverage File
6
20.11
 -3.45% pkg/client/manager.go
6
76.15
 -5.5% pkg/secrets/keyring/keyctl_linux.go
3
70.0
 -3.33% pkg/state/local.go
3
78.17
 -0.76% pkg/transport/proxy/httpsse/http_proxy.go
2
96.46
 0.0% pkg/authserver/storage/memory.go
2
93.94
 -6.06% pkg/foreach/foreach.go
Jobs
ID Job ID Ran Files Coverage
1 26060621765.1 730
65.51
 GitHub Action Run
Source Files on build 26060621765