stacklok / toolhive / 27954375881
67%

DEFAULT BRANCH: main
Ran
Jobs 1
Files 764
Run time 3min
Badge
Embed ▾
README BADGES
x

If you need to use a raster PNG badge, change the '.svg' to '.png' in the link

Markdown

Textile

RDoc

HTML

Rst
coverage: 67.164% (+0.02%) from 67.147%
27954375881

push

github

web-flow 
Wire MCPAuthzConfig references into the MCPRemoteProxy controller (#5564)

* Wire MCPAuthzConfig references into the MCPRemoteProxy controller

Implements Stage 3 of the MCPAuthzConfig ref-wiring design: resolves
spec.authzConfigRef for MCPRemoteProxy at runtime (all registered
backends via the existing authz factory).

Mirrors the MCPServer (Stage 2) pattern:
- handleAuthzConfig: fetches + validates the ref, tracks ConfigHash,
  sets/clears AuthzConfigRefValidated condition (nil-ref removes
  condition so it never lingers stale-True)
- fetchAndValidateAuthzConfig: sets NotFound/NotValid conditions with
  the appropriate reason constants
- mapAuthzConfigToMCPRemoteProxy + SetupWithManager watch: re-queues
  referencing proxies when the shared config changes
- ensureAuthzConfigMapForProxy: also materializes the ref-derived
  authz ConfigMap (EnsureAuthzConfigMapFromRef) alongside the
  existing inline ConfigMap path
- buildVolumesForProxy: mounts the ref ConfigMap under the same
  authz-config volume (only when inline is absent — duplicate guard)
- createRunConfigFromMCPRemoteProxy: calls AddAuthzConfigRefOptions
  to inject authz into the runner RunConfig

Co-Authored-By: Claude Sonnet 4.6 (1M context) <noreply@anthropic.com>

* Add MCPRemoteProxy authzConfigRef envtest integration test

Mirrors the MCPServer Stage 2 integration suite: drives the registered
MCPRemoteProxy controller against envtest with a pre-seeded MCPAuthzConfig
and asserts the observable runtime wiring:
- valid ref (cedarv1 AND httpv1) sets AuthzConfigRefValidated=True,
  tracks the hash, and materializes the <name>-authz-ref ConfigMap the
  proxy mounts
- a config hash bump re-reconciles the proxy via the MCPAuthzConfig watch
- the config going invalid flips the condition to False/NotValid
- an initially-invalid ref surfaces NotValid

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>

* Drop stale AuthzConfigRef staging note from CRD docs

The AuthzConfigRef fie... (continued)

92 of 128 new or added lines in 4 files covered. (71.88%)

6 existing lines in 3 files now uncovered.

69622 of 103660 relevant lines covered (67.16%)

62.95 hits per line

Uncovered Changes

Lines Coverage File
34
65.36
 0.69% cmd/thv-operator/controllers/mcpremoteproxy_controller.go
2
71.49
 -0.47% cmd/thv-operator/controllers/mcpremoteproxy_runconfig.go

Coverage Regressions

Lines Coverage File
3
97.37
 -0.53% pkg/authz/authorizers/cedar/core.go
2
93.94
 -6.06% pkg/foreach/foreach.go
1
65.36
 0.69% cmd/thv-operator/controllers/mcpremoteproxy_controller.go
Jobs
ID Job ID Ran Files Coverage
1 27954375881.1 764
67.16
 GitHub Action Run
Source Files on build 27954375881