stacklok / toolhive / 27304005142

10 Jun 2026 08:23PM UTC coverage: 66.436% (-0.002%) from 66.438%
push

github

web-flow
Cover Serve-path authz and annotation-enrichment omission (#5482)

* Cover Serve-path authz/annotation omission

P2.3 of the vMCP core refactor (epic #5419). The Serve-built *Server
must produce the MCP middleware chain WITHOUT the HTTP authz and
annotation-enrichment layers — authorization moves to the core admission
seam (#5438) — while the still-live server.New path keeps enforcing authz
with no regression.

The nil-guard mechanism already exists: Serve leaves cfg.AuthzMiddleware
nil (buildServeConfig does not map it), so the shared (*Server).Handler
guards at server.go:614/:622 skip both blocks. This change locks that
contract in and corrects forward-reference comments that the revised
plan made stale.

- Add TestServeOmitsAuthzAndAnnotation: a Serve-built server has
  config.AuthzMiddleware == nil and still builds its Handler.
- Add TestHandlerAppliesAuthzAndAnnotationOnlyWhenConfigured: the shared
  Handler applies both layers iff AuthzMiddleware != nil, proving it
  serves both modes and the blocks are not deleted.
- Sync stale #5441 comments: physical removal of the inert blocks moves
  to Phase 3 (#5445); the (Authz + optimizer) fail-fast moves to #5442
  with the core-enforcement switch; discovery-relocation attribution is
  #5442 only.

Physical deletion of the blocks and the optimizer+authz fail-fast are
out of scope here (deferred to #5445 and #5442 respectively), per the
issue's guard-don't-delete strategy.

Closes #5441

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>

* Address review: drop brittle line numbers in test comment

Fixed issues from code review:
- MEDIUM: TestServeOmitsAuthzAndAnnotation's doc comment cited
  server.go:614/:622 for the authz/annotation blocks, but this PR's
  own chain-comment addition shifted those lines (:614 now points at
  the backend-enrichment guard). Refer to the blocks by their
  s.config.AuthzMiddleware != nil guard instead, matching the
  production comments and the "Keep Com... (continued)

67523 of 101636 relevant lines covered (66.44%)

63.74 hits per line

Source File

79.02
/pkg/transport/proxy/httpsse/http_proxy.go


Source Not Available
