26828008342

Committed 02 Jun 2026 02:53PM UTC coverage: 65.848% (-0.06%) from 65.905%

Build # 26828008342

Build Type

push

github

Committed by

web-flow

Commit Message

Add upgrade apply for the CLI and API (#5411)

* Add Applier for upgrading workloads in place

Detecting an available upgrade is only useful if users can apply it
while keeping their configuration. Add the apply path that the CLI and
API will drive.

Add upgrade.Applier: it reloads the workload's saved config, re-runs the
check on fresh state (so a stale result can never drive an apply),
resolves the candidate from the registry, and rebuilds the run config
preserving the full user configuration — auth, authz, audit, telemetry,
tools filters, volumes, secrets, ports, permission profile, and more —
changing only the image, merged env/secrets, and re-resolved registry
URLs. New required env vars surface through the injected validator.

Crucially, the candidate image is verified and pulled (and the policy
gate runs) before the destructive stop/delete/start, so a missing or
unverifiable image leaves the running workload untouched — there is no
rollback once UpdateWorkload begins. Verification uses the same path as
thv run.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>

* Add upgrade apply for the CLI and API

With the Applier in place, expose it to users. This lets CLI users and
API clients apply an upgrade while preserving their configuration,
instead of manually re-running a workload with a new image.

Add a thv upgrade apply <name> command. It runs the check, shows the
candidate image, new env vars, and any permission/transport/network
posture drift, then prompts for confirmation. --dry-run reports the plan
without applying; --env/--secret supply values for newly required
variables; --yes (or a non-interactive shell) skips the prompt and fails
loudly on missing required values; --image-verification mirrors thv run.

Add POST /api/v1beta/workloads/{name}/upgrade, delegating to the same
Applier so all clients share one apply path. The API path is always
non-interactive (detached validator) and sources image verification from
server... (continued)

Coverage Stats

84 of 187 new or added lines in 3 files covered. (44.92%)

18 existing lines in 4 files now uncovered.

66371 of 100794 relevant lines covered (65.85%)

62.14 hits per line

Source File
Press 'n' to go to next uncovered line, 'b' for previous

77.66

/pkg/transport/proxy/httpsse/http_proxy.go

stacklok / toolhive / 26828008342

Source File Press 'n' to go to next uncovered line, 'b' for previous

Source Not Available

Source File
Press 'n' to go to next uncovered line, 'b' for previous