stacklok / toolhive / 26826473071
66%

DEFAULT BRANCH: main
Ran
Jobs 1
Files 747
Run time 3min
Badge
Embed ▾
README BADGES
x

If you need to use a raster PNG badge, change the '.svg' to '.png' in the link

Markdown

Textile

RDoc

HTML

Rst
coverage: 65.905% (+0.02%) from 65.889%
26826473071

push

github

web-flow 
Validate CIMD scope, grant_types and response_types against AS policy (#5385)

* Validate CIMD scope, grant_types and response_types against AS policy

C3 - Thread ScopesSupported into NewCIMDStorageDecorator so CIMD scope
     handling is consistent with DCR. Uses registration.ValidateScopes
     (same function as the DCR handler) to validate declared scopes
     against the AS allowlist and compute the effective scope list.
     When ScopesSupported is unset, the document's declared scopes are
     used directly; omitted scopes default to DefaultScopes.

C4 - Reject CIMD documents that declare grant_types or response_types
     the embedded AS does not support for public clients
     (authorization_code + refresh_token; code). Consistent with DCR
     which returns invalid_client_metadata for the same cases.

buildFositeClient now receives pre-computed scopes from fetch() rather
than re-parsing doc.Scope, matching the DCR handler pattern where scope
computation and validation happen before client construction.

Co-Authored-By: Claude Sonnet 4.6 (1M context) <noreply@anthropic.com>

* Address tgrunnagle review feedback on CIMD validation

F1  Move TestUnionScopes to registration package where UnionScopes lives;
    delete now-empty handlers/scopes.go and handlers/scopes_test.go
F2  Add assert.ErrorIs(ErrInvalidClient)/NotErrorIs(ErrNotFound) to
    all CIMD policy rejection tests to pin the error type change
F4  Replace 6 positional NewCIMDStorageDecorator args with
    CIMDDecoratorConfig struct — prevents silent swap of adjacent []string
F5  Omitted-scope now calls ValidateScopes(nil, scopesSupported) matching
    DCR: returns DefaultScopes when DefaultScopes ⊆ ScopesSupported,
    error otherwise (document must declare scope explicitly)
F6  Fix dcrErr.Error → dcrErr.ErrorDescription in scope validation hint
    so the human-readable description reaches the fosite hint field
F7  slices.Clone scope slices in CIMDDecoratorConfig constructor
F8  Fix b... (continued)

83 of 90 new or added lines in 5 files covered. (92.22%)

4 existing lines in 2 files now uncovered.

66305 of 100607 relevant lines covered (65.9%)

63.13 hits per line

Uncovered Changes

Lines Coverage File
5
84.42
 -1.67% pkg/authserver/server_impl.go
2
94.0
 0.14% pkg/authserver/storage/cimd_decorator.go

Coverage Regressions

Lines Coverage File
2
78.43
 -0.51% pkg/transport/proxy/httpsse/http_proxy.go
2
82.29
 -0.21% pkg/vmcp/composer/workflow_engine.go
Jobs
ID Job ID Ran Files Coverage
1 26826473071.1 747
65.9
 GitHub Action Run
Source Files on build 26826473071