
stacklok / toolhive / 27980106310
67%

Build:
DEFAULT BRANCH: main
Ran 22 Jun 2026 08:04PM UTC
Jobs 1
Files 772
Run time 2min

22 Jun 2026 07:58PM UTC coverage: 67.182% (+0.1%) from 67.084%
27980106310

push

github

web-flow
Wire MCPAuthzConfig references into VirtualMCPServer (Cedar-only) (#5580)

* Wire MCPAuthzConfig references into VirtualMCPServer

A VirtualMCPServer that sets spec.incomingAuth.authzConfigRef only had
the reference tracked for deletion protection — it never applied the
referenced policy at runtime. Resolve the reference and enforce it,
completing the workload-controller wiring started for MCPServer (#5563)
and MCPRemoteProxy (#5564).

vMCP's incoming-auth middleware is hard-coded to Cedar, so only cedarv1
MCPAuthzConfig resources are resolved; a non-Cedar reference fails fast
with a clear error rather than being carried through as inert config.
Generalizing the vMCP runtime to other backends is a separate follow-up.

- handleAuthzConfig mirrors handleOIDCConfig (statusManager-based):
  validates the ref, tracks AuthzConfigHash, sets AuthzConfigRefValidated,
  and clears both hash and condition on nil-ref. Fail-stale, not
  fail-open, on revocation (documented inline).
- Watch MCPAuthzConfig + map changes back to referencing VirtualMCPServers,
  plus the mcpauthzconfigs RBAC marker as the dependency source of truth.
- Converter resolveAuthzConfigRef resolves cedarv1 into vmcpconfig.AuthzConfig
  and guards inline-vs-ref mutual exclusion as defense-in-depth.
- Add SetAuthzConfigHash to the StatusManager interface and collector.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>

* Regenerate VirtualMCPServer CRD docs and status mock

Generated output from the authzConfigRef wiring: refreshed CRD schema
description (staging note replaced with the cedarv1-only constraint),
CRD API docs, and the StatusManager mock for SetAuthzConfigHash.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>

* Add VirtualMCPServer authzConfigRef envtest integration test

Drives the registered VirtualMCPServer controller against envtest with a
pre-seeded MCPAuthzConfig, mirroring the MCPServer (#5563) and
MCPRemoteProxy (#5564) integratio... (continued)

142 of 176 new or added lines in 5 files covered. (80.68%)

11 existing lines in 4 files now uncovered.

70016 of 104219 relevant lines covered (67.18%)

65.13 hits per line

Uncovered Changes

Lines  Coverage  ∆       File
19     64.76     0.76%   cmd/thv-operator/controllers/virtualmcpserver_controller.go
8      39.51     -2.05%  cmd/thv-operator/pkg/virtualmcpserverstatus/mocks/mock_collector.go
7      91.47     -0.42%  cmd/thv-operator/pkg/vmcpconfig/converter.go

Coverage Regressions

Lines  Coverage  ∆       File
4      61.57     5.12%   pkg/workloads/manager.go
3      80.42     -0.71%  pkg/transport/proxy/httpsse/http_proxy.go
2      96.47     0.0%    pkg/authserver/storage/memory.go
2      82.29     -0.21%  pkg/vmcp/composer/workflow_engine.go
Jobs
ID  Job ID         Ran                      Files  Coverage
1   27980106310.1  22 Jun 2026 08:04PM UTC  772    67.18
GitHub Action Run
Source Files on build 27980106310
  • Tree
  • List 772
  • Changed 18
  • Source Changed 6
  • Coverage Changed 18
  • Github Actions Build #27980106310
  • f5e7c2ca on github
  • Prev Build on main (#27978488606)
  • Next Build on main (#27992958873)

© 2026 Coveralls, Inc