stacklok / toolhive / 24531375418 / 1
66%
main: 66%

DEFAULT BRANCH: main
Ran
Files 635
Run time 22s
Badge
Embed ▾
README BADGES
x

If you need to use a raster PNG badge, change the '.svg' to '.png' in the link

Markdown

Textile

RDoc

HTML

Rst
coverage: 66.098% (-0.04%) from 66.139%
24531375418.1

push

github

web-flow 
Replace groups parameter with variadic parents on entity factory (#4901)

CreatePrincipalEntity previously accepted groups []string and
internally created THVGroup entities with empty parent sets. This
caused a merge-order hazard: dynamically created THVGroup entities
overwrote any static ones loaded from entities_json, severing
parent relationships defined there (e.g. a group that is a child
of a role in a transitive hierarchy).

Refactor CreatePrincipalEntity to accept parents ...cedar.EntityUID
so callers pass pre-built parent UIDs. The function no longer inserts
separate THVGroup entities into the entity map, preserving the static
entity hierarchy from entities_json. Add the same variadic parents
parameter to CreateResourceEntity for server-scoped policies (#4769).

CreateEntitiesForRequest still converts groups to THVGroup parent UIDs
on the principal but the entity map now contains exactly 3 entries
(principal, action, resource) instead of 3+N.

E2E tested in a Kind cluster with real Okta and Entra ID tokens.
Proxy debug logs confirm the refactored entity hierarchy:

  Okta JWT: { "groups": ["Everyone", "engineering"] }
  Entra JWT: { "roles": ["mcp-admin", "developer"] }

  Both produce entityCount:3 with THVGroup parent UIDs on the
  principal entity. Cedar policies using "principal in THVGroup::..."
  evaluate correctly -- the parent UIDs are sufficient for Cedar's
  "in" operator without separate THVGroup entities in the map.

Fixes #4765

Co-authored-by: Claude Opus 4.6 <noreply@anthropic.com>

57498 of 86989 relevant lines covered (66.1%)

62.7 hits per line

Source Files on job 24531375418.1