1
65%
main: 65%

Ran 03 Apr 2026 08:47PM UTC

Files 604

Run time 15s

Badge

Embed ▾

Committed 03 Apr 2026 08:41PM UTC coverage: 65.172% (+0.005%) from 65.167%

Job # 23961481522.1

Build Type

push

github

Committed by

web-flow

Commit Message

Wire in-process JWKS key resolution for vMCP embedded auth server (#4526)

When the embedded auth server is active in vMCP (VirtualMCPServer), token validation was failing silently because the OIDC middleware fetched JWKS keys over HTTP from the proxy's own endpoint — a self-referential HTTP round-trip that required operators to set `insecureAllowHTTP` and/or `jwksAllowPrivateIP` just to make token validation work. These are insecure workarounds, and the failures were difficult to diagnose.

This PR extends the fix for the runner and proxy runner to vMCP. The embedded auth server's `KeyProvider` is now extracted in `runServe` and passed through to the OIDC middleware factory, where it is wired into the `TokenValidator` for in-process key resolution. HTTP JWKS fetch is retained as a fallback for key-ID misses and external OIDC providers.

Coverage Stats

54593 of 83768 relevant lines covered (65.17%)

63.24 hits per line

stacklok / toolhive / 23961481522 / 1
65%
main: 65%

README BADGES
x

Markdown

Textile

RDoc

HTML

Rst

Source Files on job 23961481522.1

stacklok / toolhive / 23961481522 / 1 65% main: 65%

README BADGES x

Markdown

Textile

RDoc

HTML

Rst

Source Files on job 23961481522.1

stacklok / toolhive / 23961481522 / 1
65%
main: 65%

README BADGES
x