
stacklok / toolhive / 26472499695

26 May 2026 08:12PM UTC coverage: 65.914% (+0.02%) from 65.894%

push

github

web-flow
Wire CIMD config through embedded AS and enable storage decorator (#5348)

* Wire CIMD config through embedded AS and enable storage decorator

Phase 2 PR 3 — config threading and server wiring.

Config chain: RunConfig.CIMD → Config.CIMD* → AuthorizationServerParams
→ AuthorizationServerConfig → discovery handler.

Changes:
- config.go: add CIMDRunConfig struct and CIMD* fields to Config;
  defaults (256 entries, 5 min fallback TTL) applied in applyDefaults();
  validation (cacheMaxSize >= 1 when enabled) in Validate()
- runner/embeddedauthserver.go: add resolveCIMDConfig helper to unpack
  nullable *CIMDRunConfig; populate Config.CIMD* from RunConfig.CIMD
- server/provider.go: add CIMDEnabled to AuthorizationServerParams and
  AuthorizationServerConfig; wire through NewAuthorizationServerConfig
- server_impl.go: wrap storage with CIMDStorageDecorator when enabled
  (after legacy migration, before createProvider — decorator must be in
  place before fosite holds a reference to the storage instance);
  pass CIMDEnabled to AuthorizationServerParams
- server/handlers/discovery.go: set ClientIDMetadataDocumentSupported
  in buildOAuthMetadata() — both OAuth AS and OIDC discovery endpoints
  advertise CIMD support when enabled

CIMD is opt-in (disabled by default) to avoid introducing outbound
HTTPS fetching in existing deployments without explicit operator action.

Relates to #4825

Co-Authored-By: Claude Sonnet 4.6 (1M context) <noreply@anthropic.com>

* Address PR review feedback on CIMD wiring and add missing tests

- Fix CacheFallbackTTL comment to say it is a fixed TTL (not fallback);
  matches the fix already applied in PR #5343
- Add TODO(cimd) comment above CIMDRunConfig noting the CRD exposure gap
- Add discovery handler tests: CIMDEnabled=true advertises the flag,
  CIMDEnabled=false omits it, for both AS metadata and OIDC endpoints
- Add config defaults tests: CIMDEnabled=true fills in cache size/TTL
  defaults; CIMDEnabled=false leaves zero f... (continued)

73 of 81 new or added lines in 7 files covered. (90.12%)

5 existing lines in 2 files now uncovered.

65395 of 99212 relevant lines covered (65.91%)

60.59 hits per line

Source File

88.41
/pkg/authserver/runner/embeddedauthserver.go


Source Not Available


© 2026 Coveralls, Inc