1
66%
main: 66%

Ran 02 Apr 2026 08:17PM UTC

Files 601

Run time 15s

Badge

Embed ▾

Committed 02 Apr 2026 08:10PM UTC coverage: 65.396% (+0.06%) from 65.336%

Job # 23919797653.1

Build Type

push

github

Committed by

web-flow

Commit Message

Resolve JWKS keys in-process for embedded auth server (MCP server) (#4502)

When the embedded auth server is enabled, token validation currently fails silently because the token validator fetches JWKS keys over HTTP from the proxy's own endpoint. This self-referential HTTP call requires operators to set `insecureAllowHTTP` and/or `jwksAllowPrivateIP` flags — insecure workarounds that are difficult to debug when missing.

This PR eliminates the self-referential HTTP fetch by wiring the embedded auth server's `KeyProvider` directly into the token validator. When both components run in the same process, JWKS keys are resolved in-memory with a graceful fallback to HTTP for cases where the local provider cannot satisfy the request.

Note: this only addresses the issue for the runner and proxy runner - vMCP wiring will come in a separate change.

Coverage Stats

54415 of 83208 relevant lines covered (65.4%)

63.57 hits per line

stacklok / toolhive / 23919797653 / 1
66%
main: 66%

README BADGES
x

Markdown

Textile

RDoc

HTML

Rst

Source Files on job 23919797653.1

stacklok / toolhive / 23919797653 / 1 66% main: 66%

README BADGES x

Markdown

Textile

RDoc

HTML

Rst

Source Files on job 23919797653.1

stacklok / toolhive / 23919797653 / 1
66%
main: 66%

README BADGES
x