stacklok / toolhive / 26169317888
66%

DEFAULT BRANCH: main
Ran
Jobs 1
Files 730
Run time 3min
Badge
Embed ▾
README BADGES
x

If you need to use a raster PNG badge, change the '.svg' to '.png' in the link

Markdown

Textile

RDoc

HTML

Rst
coverage: 65.484% (+0.005%) from 65.479%
26169317888

push

github

web-flow 
Preserve fresh per-request identity in vMCP backend transports (#5335)

* Preserve fresh per-request identity in vMCP backend transports

identityPropagatingRoundTripper (pkg/vmcp/client) and identityRoundTripper
(pkg/vmcp/session/internal/backend) captured the request identity once at
session/client-creation time and re-injected that snapshot on every
outgoing backend request, overriding the fresh identity placed on
req.Context() by auth.TokenValidator.Middleware. That fresh identity
carries upstream tokens transparently refreshed by
upstreamtoken.InProcessService.GetAllValidTokens, so overriding it
silently re-injected stale upstream access tokens for the entire
session lifetime — manifesting as a forced re-auth roughly every 24h.

The captured identity is now treated as a fallback: it is injected only
when req.Context() carries no identity. This preserves the existing
streamable-HTTP Close()/DELETE teardown path (mcp-go constructs that
request from context.Background(), which loses the per-request identity)
while letting normal backend calls use the freshly refreshed identity
from the request context.

Closes #5323

* Address code review feedback on identity-propagation fix

Fixed issues from code review:
- HIGH: Added higher-level regression test exercising the full transport
  chain against fakeBackend, asserting that a fresh identity placed on the
  per-request context drives the upstream Authorization header on tools/call
  while the captured session-init identity authenticates the initialize
  handshake. Manually verified the test fails under the pre-fix
  always-override behavior, so it is a true #5323 regression guard.
- MEDIUM: Documented the asymmetric health-check handling on the
  identityRoundTripper doc comment in mcp_session.go (no marker propagation
  here because health probes do not flow through session-backed clients).
- MEDIUM: Clarified that the fallback identity in httpBackendClient is
  captured per-call (not per-session) and ... (continued)

23 of 23 new or added lines in 2 files covered. (100.0%)

8 existing lines in 2 files now uncovered.

64641 of 98713 relevant lines covered (65.48%)

62.79 hits per line

Coverage Regressions

Lines Coverage File
6
76.15
 -5.5% pkg/secrets/keyring/keyctl_linux.go
2
82.29
 -0.21% pkg/vmcp/composer/workflow_engine.go
Jobs
ID Job ID Ran Files Coverage
1 26169317888.1 730
65.48
 GitHub Action Run
Source Files on build 26169317888