• Home
  • Features
  • Pricing
  • Docs
  • Announcements
  • Sign In

stacklok / toolhive / 29408585325
68%

Build:
DEFAULT BRANCH: main
Ran 15 Jul 2026 10:39AM UTC
Jobs 1
Files 798
Run time 3min
Badge
Embed ▾
README BADGES
x

If you need to use a raster PNG badge, change the '.svg' to '.png' in the link

Markdown

Textile

RDoc

HTML

Rst

15 Jul 2026 10:34AM UTC coverage: 68.011% (+0.04%) from 67.969%
29408585325

push

github

web-flow
Stop SSE filter from leaking tools/list on undecodable lines (#5304)

* Stop SSE filter from leaking tools/list on undecodable lines

processSSEResponse used to write the entire raw upstream payload and
return whenever a single SSE data line failed jsonrpc2.DecodeMessage or
decoded to a non-Response message (e.g. a notifications/* frame). On a
tools/list reply that meant every subsequent data line, including the
real Response, reached the client unfiltered, silently bypassing the
cedar authorization filter and producing the superfluous WriteHeader
warning at response_filter.go:191.

Treat undecodable or non-Response data lines as pass-through for that
line only: fall through to the existing line writer instead of dumping
rawResponse. The explicit WriteHeader calls go away with them, which
also removes the double-header warning that surfaced the bug. Skipped
filtering on tools/list now emits a WARN so future bypasses are
visible in audit logs.

Adds a table-driven regression test covering both branches (decode
error and non-Response). It fails on the old code with the unfiltered
admin_tool entry reaching the recorder.

Closes #5257

* Broaden SSE filter logging and tests across list methods

Address review feedback on #5304:

The WARN log paths in processSSEResponse were gated on the
tools/list method, but the underlying bypass applies to every
method routed through requiresResponseFiltering (tools/list,
prompts/list, resources/list, find_tool). Drop the gating so
the WARN fires for any of them.

The regression test only exercised tools/list. Restructure it
into a method-by-preceding-line table so the same notification
and undecodable line cases run against prompts/list and
resources/list as well. Verified the WARN now logs for all
three methods and the unauthorized entry never reaches the
recorder.

* authz: drop disguised result frames and fix SSE line termination

A non-Response SSE frame carrying both a method field and a result (for
example notifi... (continued)

67 of 79 new or added lines in 1 file covered. (84.81%)

14 existing lines in 4 files now uncovered.

73504 of 108076 relevant lines covered (68.01%)

64.37 hits per line

Uncovered Changes

Lines Coverage ∆ File
12
82.25
7.12% pkg/authz/response_filter.go

Coverage Regressions

Lines Coverage ∆ File
6
72.15
-1.9% pkg/runner/config.go
3
97.37
-0.53% pkg/authz/authorizers/cedar/core.go
3
62.21
0.35% pkg/workloads/manager.go
2
96.04
0.0% pkg/authserver/storage/memory.go
Jobs
ID Job ID Ran Files Coverage
1 29408585325.1 15 Jul 2026 10:39AM UTC 798
68.01
GitHub Action Run
Source Files on build 29408585325
  • Tree
  • List 798
  • Changed 9
  • Source Changed 1
  • Coverage Changed 9
Coverage ∆ File Lines Relevant Covered Missed Hits/Line
  • Back to Repo
  • Github Actions Build #29408585325
  • 24cbd8e9 on github
  • Prev Build on main (#29407568127)
  • Next Build on main (#29412915156)
STATUS · Troubleshooting · Open an Issue · Sales · Support · CAREERS · ENTERPRISE · START FREE · SCHEDULE DEMO
ANNOUNCEMENTS · TWITTER · TOS & SLA · Supported CI Services · What's a CI service? · Automated Testing

© 2026 Coveralls, Inc