stacklok / toolhive / 26875109919

coverage: 65.857%. Remained the same
26875109919

push

github

web-flow 
Expose CIMD config in MCPExternalAuthConfig CRD (#5384)

* Validate CIMD scope, grant_types and response_types against AS policy

C3 - Thread ScopesSupported into NewCIMDStorageDecorator so CIMD scope
     handling is consistent with DCR. Uses registration.ValidateScopes
     (same function as the DCR handler) to validate declared scopes
     against the AS allowlist and compute the effective scope list.
     When ScopesSupported is unset, the document's declared scopes are
     used directly; omitted scopes default to DefaultScopes.

C4 - Reject CIMD documents that declare grant_types or response_types
     the embedded AS does not support for public clients
     (authorization_code + refresh_token; code). Consistent with DCR
     which returns invalid_client_metadata for the same cases.

buildFositeClient now receives pre-computed scopes from fetch() rather
than re-parsing doc.Scope, matching the DCR handler pattern where scope
computation and validation happen before client construction.

Co-Authored-By: Claude Sonnet 4.6 (1M context) <noreply@anthropic.com>

* Expose CIMD config in MCPExternalAuthConfig CRD

Adds EmbeddedAuthServerCIMDConfig to the CRD so operators can enable
CIMD through the normal VirtualMCPServer manifest workflow instead of
writing runconfig.json directly. Resolves the TODO(cimd) comment in
pkg/authserver/config.go.

The new cimd field on EmbeddedAuthServerConfig maps to
authserver.CIMDRunConfig in the generated RunConfig. CacheFallbackTTL
is stored as a Go duration string in the CRD (e.g. "5m") and parsed
to time.Duration by the converter.

Co-Authored-By: Claude Sonnet 4.6 (1M context) <noreply@anthropic.com>

* Update PR5 converter for CacheFallbackTTL string type

CIMDRunConfig.CacheFallbackTTL changed from time.Duration to string in
PR3. The operator converter now passes the string through unchanged;
parsing to time.Duration happens in resolveCIMDConfig in the runner,
after CIMDRunConfig.Validate() has already confirmed t... (continued)

12 of 26 new or added lines in 3 files covered. (46.15%)

5 existing lines in 2 files now uncovered.

66396 of 100818 relevant lines covered (65.86%)

63.76 hits per line

Source File
Press 'n' to go to next uncovered line, 'b' for previous

78.17
/pkg/transport/proxy/httpsse/http_proxy.go


Source Not Available