stacklok / toolhive / 25670981555 / 1
66%
main: 66%

DEFAULT BRANCH: main
Ran
Files 725
Run time 33s
Badge
Embed ▾
README BADGES
x

If you need to use a raster PNG badge, change the '.svg' to '.png' in the link

Markdown

Textile

RDoc

HTML

Rst
coverage: 64.952% (+0.03%) from 64.924%
25670981555.1

push

github

web-flow 
Forward MCPServerEntry headerForward to vMCP outbound requests (#5239)

* Add wirefmt package and HeaderForwardConfig types

The wirefmt package centralizes the env-var encoding shared between the
operator (which emits TOOLHIVE_HEADER_FORWARD_<entry> manifests) and the
vMCP runtime (which parses them). HeaderForwardConfig and the Backend /
BackendTarget fields carry per-backend header forwarding state through
the vMCP domain types.

* Adopt wirefmt in MCPRemoteProxy controller

Replace the local SecretEnvVarName helpers with the shared wirefmt
encoder so the operator and vMCP runtime stay in lockstep on env-var
naming.

* Refactor externalauth helpers in operator controllerutil

Surfaced while wiring headerForward through the MCPRemoteProxy and
MCPServerEntry controllers. Tightens the helper contracts so callers
in the new code paths share the same lookup signature.

* Validate headerForward Secret refs on MCPServerEntry

The headerForward field already exists on the MCPServerEntry CRD; this
commit adds the reconciler validation that walks
spec.headerForward.addHeadersFromSecret, confirms each referenced
Secret exists in the namespace, and surfaces the result as a
HeaderSecretRefsValidated status condition. Mirrors the validation
MCPRemoteProxy already performs for its header Secret refs.

* Emit headerForward env vars from VirtualMCPServer deployment

The VirtualMCPServer reconciler now renders the entry-side
headerForward manifest into the vMCP pod env via the wirefmt encoding.
Plaintext values land directly; Secret-backed values become
valueFrom.secretKeyRef so the runtime never sees raw secret material
in CRD or pod spec.

* Apply headerForward in vMCP client

The HTTP client decorator injects per-backend headers (plaintext and
Secret-resolved) on every outbound request: list, call, and health
checks. Secret identifiers are resolved through the standard
EnvironmentProvider, so the client never holds raw secret values.

* Thread per-backend headerF... (continued)

63974 of 98495 relevant lines covered (64.95%)

62.33 hits per line

Source Files on job 25670981555.1