• Home
  • Features
  • Pricing
  • Docs
  • Announcements
  • Sign In
Warning: This build has drifted.
The coverage report for this pull request build may be inaccurate because its base commit is no longer the HEAD of its target branch.
This means it includes changes from outside the original pull request, including, potentially, unrelated coverage changes.

    • Learn more: For more information on this, see Tracking coverage changes for pull request builds.
    • Fix now: For a quick fix, rebase this PR at GitHub. Your next report should be accurate.
    • Prevent going forward: To avoid this issue with future PRs, see these Recommended CI Configurations.
New Repo Setting:
INCLUDE COVERAGE % WITH WARNINGS ABOUT DRIFTED BUILDS?

Enabling this setting will include a (potentially inaccurate) coverage % with warning messages in status updates for drifted builds.

Adjust setting

dunglas / mercure / 28740718414
84%
master: 93%

Build:
Build:
LAST BUILD BRANCH: dependabot/github_actions/goreleaser/goreleaser-action-7.2.3
DEFAULT BRANCH: master
Ran 05 Jul 2026 12:28PM UTC
Jobs 1
Files 24
Run time 1min
Badge
Embed ▾
README BADGES
x

If you need to use a raster PNG badge, change the '.svg' to '.png' in the link

Markdown

Textile

RDoc

HTML

Rst

05 Jul 2026 12:17PM UTC coverage: 84.18%. Remained the same
28740718414

Pull #1262

github

dunglas
spec: address IETF/OAuth/HTTP review findings

Applies the reviewer-flagged normative fixes to the draft:

- Resolve the RFC 9068 conformance contradiction: the access token is
  structured and validated as an RFC 9068 JWT access token with the self-issued
  deviations defined in Token Validation, instead of a blanket "follows the
  profile" that the minimal self-issued token cannot meet.
- Bind the verification key to the issuer: with multiple trusted issuers the
  signature MUST be verified only with key material for the token's iss, and iss
  validation is required whenever an authorization server is trusted (not only
  when advertised); self-issued-only hubs that skip iss MUST use a hub-unique
  aud.
- Define query-string parsing (application/x-www-form-urlencoded parser of the
  URL standard; constraints apply to decoded names/values) and reject the
  pre-1.0 `topic` parameter and invalid matcher values with 400.
- Name the reserved-namespace resolution algorithm (WHATWG URL parser, same as
  URL Pattern), require dot-segment removal, and define behavior for
  non-URL-reference topics.
- Require hubs to serialize multi-line `data` as one SSE data: field per line,
  note CR/CRLF normalization, and add `data` to the field-injection analysis as
  a security requirement.
- Make the HTML (Server-Sent Events) reference normative at every citation
  site.

Also: typ accepts application/at+jwt (RFC 7515 4.1.9); exp explicitly required;
error codes carried in the WWW-Authenticate challenge with resource_metadata on
all challenges; resource is REQUIRED (not SHOULD) in published metadata; add the
Well-Known Status field and use IESG as the mercure_cookie change controller;
cite RFC 7396 and JSON-LD 1.1 instead of the obsoleted RFC 7386 and JSON-LD 1.0.
Pull Request #1262: spec!: OAuth 2.0 authorization, two matcher types, IETF-style pass

1857 of 2206 relevant lines covered (84.18%)

51.01 hits per line

Jobs
ID Job ID Ran Files Coverage
1 0 - 28740718414.1 05 Jul 2026 12:28PM UTC 24
84.18
GitHub Action Run
Source Files on build 28740718414
  • Tree
  • List 24
  • Changed 0
  • Source Changed 0
  • Coverage Changed 0
Coverage ∆ File Lines Relevant Covered Missed Hits/Line
  • Back to Repo
  • Pull Request #1262
  • PR Base - main (#27288854155)
STATUS · Troubleshooting · Open an Issue · Sales · Support · CAREERS · ENTERPRISE · START FREE · SCHEDULE DEMO
ANNOUNCEMENTS · TWITTER · TOS & SLA · Supported CI Services · What's a CI service? · Automated Testing

© 2026 Coveralls, Inc