stacklok / toolhive / 28032267178
67%

Build:
DEFAULT BRANCH: main
Ran 23 Jun 2026 02:12PM UTC
Jobs 1
Files 772
Run time 2min
23 Jun 2026 02:06PM UTC coverage: 67.201% (-0.07%) from 67.274%
push

github

web-flow
Default network isolation to on for local MCP servers (#5583)

* Default network isolation to on for local servers

Locally-run MCP server containers previously shared the host network
unless the user explicitly passed --isolate-network. That left the host
network and Docker gateway reachable from inside MCP containers by
default, which is an unsafe default for a tool that runs arbitrary
server images.

Make network isolation the default for both local entry points:

- Flip the --isolate-network flag default to true for `thv run`. Users
  can still opt out with --isolate-network=false.
- Default the REST API to isolation-on. The request field is changed
  from bool to *bool so an omitted field can be distinguished from an
  explicit false; nil now resolves to enabled via a small helper.

With the default allow-all permission profile the egress proxy still
permits normal outbound traffic, so this only blocks host-directed
access. Kubernetes/operator behavior is unchanged: the operator does
not consume this flag or API field.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>

* Opt e2e plumbing servers out of network isolation

With network isolation now defaulting on, every server started in the
e2e suite spins up the egress/DNS/ingress helper-container stack, which
pushed several tests past their start/stop timeouts and routed OSV's
outbound calls through the egress proxy.

Pass --isolate-network=false on the server runs that exercise proxy and
aggregation plumbing rather than isolation itself: the proxy-stdio
target server, the vMCP backend helper, and the OSV server runs (which
need direct outbound to api.osv.dev). The dedicated network_isolation
e2e test still exercises the isolation path explicitly.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>

---------

Co-authored-by: Claude Opus 4.8 (1M context) <noreply@anthropic.com>

9 of 9 new or added lines in 3 files covered. (100.0%)

87 existing lines in 6 files now uncovered.

70058 of 104251 relevant lines covered (67.2%)

65.03 hits per line

Coverage Regressions

Lines Coverage ∆ File
65 62.47 -5.61% pkg/workloads/manager.go
6 20.11 -3.45% pkg/client/manager.go
6 71.7 -1.93% pkg/runner/config.go
5 0.0 -100.0% pkg/workloads/sysproc_unix.go
3 73.79 -2.91% pkg/state/local.go
2 96.47 0.0% pkg/authserver/storage/memory.go

Jobs
ID Job ID Ran Files Coverage
1 28032267178.1 23 Jun 2026 02:12PM UTC 772 67.2
  • d8f40cb1 on github