stacklok / toolhive / 27790954246
67%

DEFAULT BRANCH: main
Ran
Jobs 1
Files 764
Run time 2min
Badge
Embed ▾
README BADGES
x

If you need to use a raster PNG badge, change the '.svg' to '.png' in the link

Markdown

Textile

RDoc

HTML

Rst
coverage: 67.173% (+0.005%) from 67.168%
27790954246

push

github

web-flow 
Add MCPAuthzConfig ref-resolution foundation (#5559)

* Add MCPAuthzConfig ref-resolution foundation

Foundation (Stage 1 of #4778's re-derivation) for making spec.authzConfigRef
enforce at runtime. Purely additive: no workload controller is wired yet and
the inline spec.authzConfig path is untouched.

- Add controllerutil ref-helpers in authz_ref.go: GetAuthzConfigForWorkload,
  ValidateAuthzConfigReady, AddAuthzConfigRefOptions (resolves a referenced
  MCPAuthzConfig into a runner authz.Config for any registered backend —
  cedarv1 and httpv1 — via the authorizers factory), and the
  EnsureAuthzConfigMapFromRef / GenerateAuthzVolumeConfigFromRef materialization
  helpers mirroring the inline ones.
- Export and move BuildFullAuthzConfigJSON from the MCPAuthzConfig controller
  into controllerutil so both the config controller and the workload controllers
  share it without an import cycle; the controller now calls the shared helper.
- Add the AuthzConfigHash status field to MCPServer, MCPRemoteProxy, and
  VirtualMCPServer, plus ConditionAuthzConfigRefValidated and reason constants,
  mirroring the OIDCConfigRef equivalents.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>

* Regenerate CRD manifests and docs for AuthzConfigHash

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>

* Address review feedback on authz ref helpers

- Guard EnsureAuthzConfigMapFromRef with ValidateAuthzConfigReady so the
  exported helper never materializes a ConfigMap from a config flagged invalid
  (defense in depth; no extra I/O — the object is already fetched). (F2)
- Clarify the authzRefConfigMapName doc comment: the ConfigMap *name* is
  distinct from the inline path, while the *volume* name and mount path are
  deliberately shared (inline and ref are mutually exclusive via CRD
  XValidation, so a workload mounts at most one authz volume). (F3)
- Restore the nil data/factory assertions on BuildFullAuthzConfigJSON's error
  bran... (continued)

102 of 125 new or added lines in 2 files covered. (81.6%)

15 existing lines in 4 files now uncovered.

69507 of 103475 relevant lines covered (67.17%)

63.69 hits per line

Uncovered Changes

Lines Coverage File
23
81.45
 cmd/thv-operator/pkg/controllerutil/authz_ref.go

Coverage Regressions

Lines Coverage File
6
71.7
 -1.93% pkg/runner/config.go
5
61.48
 -0.44% pkg/workloads/manager.go
2
96.47
 0.0% pkg/authserver/storage/memory.go
2
82.29
 -0.21% pkg/vmcp/composer/workflow_engine.go
Jobs
ID Job ID Ran Files Coverage
1 27790954246.1 764
67.17
 GitHub Action Run
Source Files on build 27790954246