stacklok / toolhive / 26060621765

Committed 18 May 2026 09:09PM UTC coverage: 65.512% (-0.009%) from 65.521%

Build # 26060621765

Build Type

push

github

Committed by

Commit Message

Wire HeaderForward into vMCP per-session HTTP client (#5301)

* Wire HeaderForward into vMCP session HTTP client

PR #5239 added HeaderForward support to the startup capability-discovery client at pkg/vmcp/client/client.go, but the per-session MCP HTTP client in pkg/vmcp/session/internal/backend builds a parallel transport chain (DefaultTransport -> auth -> identity) that never reads target.HeaderForward. Every post-initialize MCP call (tools/list, tools/call, ...) therefore reaches the upstream without user-configured headers, leaving features like GitHub Copilot's X-MCP-Toolsets filter silently broken in v0.27.2.

Construct a single secrets.EnvironmentProvider at connector build time, plumb it into createMCPClient, and wrap the shared chain with BuildHeaderForwardTripper as the outermost stage so vMCP auth/identity headers still win on overlapping names. Export the existing helper from pkg/vmcp/client so the session backend can reuse it without duplication.

* Tighten HeaderForward test coverage and docs

Fix the inverted chain-ordering comments on mcp_session.go's transport
chain assembly and on headerForwardRoundTripper.RoundTrip. The outermost
wrapper runs FIRST on the outbound request, so header-forward injects
onto a request without auth/identity headers and the inner stages then
overwrite with Set(). The previous wording claimed the opposite. The
production behaviour is unchanged; only the doc text moved.

Replace headerCapturingBackend with the shared fakeBackend by adding
headersByMethod / headersFor and a tools/call handler. This removes a
near-duplicate fake server in the session backend tests.

Extend the header-forward test to cover overlap precedence (an inner
auth stage's value wins on the wire when both sides set the same name)
and AddHeadersFromSecret end-to-end via t.Setenv against the env-backed
secrets provider. Add a restricted-name rejection case to prove the
resolveHeaderForward guard is wired into the session-side... (continued)

Coverage Stats

15 of 15 new or added lines in 1 file covered. (100.0%)

22 existing lines in 6 files now uncovered.

64793 of 98903 relevant lines covered (65.51%)

62.75 hits per line

Source File
Press 'n' to go to next uncovered line, 'b' for previous

78.17

/pkg/transport/proxy/httpsse/http_proxy.go

Source Not Available