• Home
  • Features
  • Pricing
  • Docs
  • Announcements
  • Sign In

stacklok / toolhive / 28513302228
68%

Build:
DEFAULT BRANCH: main
Ran 01 Jul 2026 11:17AM UTC
Jobs 1
Files 779
Run time 2min
Badge
Embed ▾
README BADGES
x

If you need to use a raster PNG badge, change the '.svg' to '.png' in the link

Markdown

Textile

RDoc

HTML

Rst

01 Jul 2026 11:11AM UTC coverage: 67.558% (+0.05%) from 67.513%
28513302228

push

github

web-flow
Add XAA auth strategy CRD support (#5691)

The XAA (Cross-Application Access) outgoing auth strategy exists only as
runtime config with no declarative surface, so it cannot be configured
through the operator. Wire it into the CRDs and supply the conversion
needed to turn that config into a runtime strategy.

- Add an XAASpec to the MCPExternalAuthConfig CRD and surface XAA on the
  VirtualMCPServer CRD, both documented as EXPERIMENTAL since ID-JAG
  (draft-ietf-oauth-identity-assertion-authz-grant) is not yet a standard.
- Add a converter that maps the CRD spec to the runtime XAAConfig and
  register it with the auth converter registry.
- Wire XAA IdP/target client secrets through env vars in inline
  (externalAuthConfigRef) mode, mirroring tokenExchange, so confidential-client
  XAA configs work outside discovered mode.
- Add an optional SubjectTokenType field defaulting to the id_token URN,
  with CRD validation restricting it to a single allowed value for now so
  SAML upstream support can be added later without an API break.
- Auto-populate SubjectProviderName for XAA on the operator reconcile path,
  matching token_exchange and aws_sts.
- Validate XAA strategies in the vMCP config validator, add an HTTPS pattern to
  idpTokenUrl, and warn at wire-up on unauthenticated Step B or plain-HTTP
  target token URLs.
- Relax targetResource to optional per ID-JAG draft section 4.3 (RFC 8707
  resource is OPTIONAL) and correct its documentation.
- Consolidate the duplicated first-upstream-provider resolution into
  authserver.ResolveFirstUpstreamName.

Closes #5681

Co-authored-by: Claude Opus 4.8 <noreply@anthropic.com>

215 of 235 new or added lines in 14 files covered. (91.49%)

11 existing lines in 4 files now uncovered.

71198 of 105388 relevant lines covered (67.56%)

63.56 hits per line

Uncovered Changes

Lines Coverage ∆ File
11
45.26
0.19% cmd/thv-operator/api/v1beta1/zz_generated.deepcopy.go
4
76.85
1.62% cmd/thv-operator/api/v1beta1/mcpexternalauthconfig_types.go
3
74.63
-0.84% cmd/thv-operator/pkg/controllerutil/tokenexchange.go
2
80.93
0.46% cmd/thv-operator/controllers/virtualmcpserver_deployment.go

Coverage Regressions

Lines Coverage ∆ File
6
72.15
-1.9% pkg/runner/config.go
3
80.56
-0.7% pkg/transport/proxy/httpsse/http_proxy.go
1
76.85
1.62% cmd/thv-operator/api/v1beta1/mcpexternalauthconfig_types.go
1
61.78
0.26% pkg/workloads/manager.go
Jobs
ID Job ID Ran Files Coverage
1 28513302228.1 01 Jul 2026 11:17AM UTC 779
67.56
GitHub Action Run
Source Files on build 28513302228
  • Tree
  • List 779
  • Changed 17
  • Source Changed 13
  • Coverage Changed 17
Coverage ∆ File Lines Relevant Covered Missed Hits/Line
  • Back to Repo
  • Github Actions Build #28513302228
  • f49526f6 on github
  • Prev Build on main (#28501889433)
  • Next Build on main (#28515035203)
STATUS · Troubleshooting · Open an Issue · Sales · Support · CAREERS · ENTERPRISE · START FREE · SCHEDULE DEMO
ANNOUNCEMENTS · TWITTER · TOS & SLA · Supported CI Services · What's a CI service? · Automated Testing

© 2026 Coveralls, Inc