Copy disabled (too large)
Download .txt
Showing preview only (21,313K chars total). Download the full file to get everything.
Repository: StacklokLabs/toolhive
Branch: main
Commit: 8c90184f1ab7
Files: 2093
Total size: 19.9 MB
Directory structure:
gitextract_h7f056_g/
├── .chainsaw.yaml
├── .claude/
│ ├── agents/
│ │ ├── bug-triage.md
│ │ ├── code-reviewer.md
│ │ ├── documentation-writer.md
│ │ ├── golang-code-writer.md
│ │ ├── kubernetes-expert.md
│ │ ├── mcp-protocol-expert.md
│ │ ├── oauth-expert.md
│ │ ├── security-advisor.md
│ │ ├── site-reliability-engineer.md
│ │ ├── tech-lead-orchestrator.md
│ │ ├── toolhive-expert.md
│ │ └── unit-test-writer.md
│ ├── rules/
│ │ ├── cli-commands.md
│ │ ├── go-style.md
│ │ ├── operator.md
│ │ ├── pr-creation.md
│ │ ├── security.md
│ │ ├── testing.md
│ │ └── vmcp-anti-patterns.md
│ ├── settings.json
│ └── skills/
│ ├── add-rule/
│ │ └── SKILL.md
│ ├── check-contribution/
│ │ └── SKILL.md
│ ├── code-review-assist/
│ │ └── SKILL.md
│ ├── deflake/
│ │ ├── SKILL.md
│ │ └── collect-flakes.py
│ ├── deploy-otel/
│ │ └── SKILL.md
│ ├── deploying-vmcp-locally/
│ │ └── SKILL.md
│ ├── doc-review/
│ │ ├── CHECKING.md
│ │ ├── EXAMPLES.md
│ │ └── SKILL.md
│ ├── implement-story/
│ │ └── SKILL.md
│ ├── pr-review/
│ │ ├── EXAMPLES-INLINE.md
│ │ ├── EXAMPLES-REPLY.md
│ │ └── SKILL.md
│ ├── release-notes/
│ │ ├── SKILL.md
│ │ └── TEMPLATE.md
│ ├── split-pr/
│ │ └── SKILL.md
│ ├── toolhive-release/
│ │ ├── SKILL.md
│ │ └── references/
│ │ └── WORKFLOW-REFERENCE.md
│ └── vmcp-review/
│ └── SKILL.md
├── .codespellrc
├── .gitattributes
├── .github/
│ ├── CODEOWNERS
│ ├── ISSUE_TEMPLATE/
│ │ ├── kubernetes-issue.md
│ │ └── report_bug.md
│ ├── actions/
│ │ └── compute-version/
│ │ └── action.yml
│ ├── ko-ci.yml
│ ├── license-header.txt
│ ├── pull_request_template.md
│ └── workflows/
│ ├── api-compat-noop.yml
│ ├── api-compat.yml
│ ├── claude.yml
│ ├── create-release-pr.yml
│ ├── create-release-tag.yml
│ ├── e2e-tests.yml
│ ├── helm-charts-test.yml
│ ├── helm-publish.yml
│ ├── image-build-and-publish.yml
│ ├── issue-triage.yml
│ ├── license-headers.yml
│ ├── lint.yml
│ ├── operator-ci.yml
│ ├── pr-size-justification-template.md
│ ├── pr-size-label-apply.yml
│ ├── pr-size-labeler.yml
│ ├── releaser.yml
│ ├── renovate-config-validation.yml
│ ├── run-on-main.yml
│ ├── run-on-pr.yml
│ ├── security-scan.yml
│ ├── skills-build-and-publish.yml
│ ├── spellcheck.yml
│ ├── test-e2e-lifecycle.yml
│ ├── test.yml
│ ├── verify-docgen.yml
│ └── verify-gen.yml
├── .gitignore
├── .golangci.yml
├── .goreleaser.yaml
├── .pre-commit-config.yaml
├── CLAUDE.md
├── CODE_OF_CONDUCT.md
├── CONTRIBUTING.md
├── LICENSE
├── MAINTAINERS.md
├── PROJECT
├── README.md
├── SECURITY.md
├── Taskfile.yml
├── VERSION
├── cmd/
│ ├── help/
│ │ ├── main.go
│ │ └── verify.sh
│ ├── thv/
│ │ ├── app/
│ │ │ ├── auth_flags.go
│ │ │ ├── build.go
│ │ │ ├── client.go
│ │ │ ├── commands.go
│ │ │ ├── common.go
│ │ │ ├── common_test.go
│ │ │ ├── config.go
│ │ │ ├── config_buildauthfile.go
│ │ │ ├── config_buildenv.go
│ │ │ ├── config_registryauth.go
│ │ │ ├── constants.go
│ │ │ ├── export.go
│ │ │ ├── flag_helpers.go
│ │ │ ├── group.go
│ │ │ ├── header_flags.go
│ │ │ ├── header_flags_test.go
│ │ │ ├── inspector/
│ │ │ │ └── version.go
│ │ │ ├── inspector.go
│ │ │ ├── inspector_test.go
│ │ │ ├── list.go
│ │ │ ├── llm.go
│ │ │ ├── llm_test.go
│ │ │ ├── logs.go
│ │ │ ├── mcp.go
│ │ │ ├── mcp_serve.go
│ │ │ ├── otel.go
│ │ │ ├── proxy.go
│ │ │ ├── proxy_stdio.go
│ │ │ ├── proxy_tunnel.go
│ │ │ ├── registry.go
│ │ │ ├── registry_convert.go
│ │ │ ├── registry_convert_test.go
│ │ │ ├── registry_login.go
│ │ │ ├── registry_logout.go
│ │ │ ├── restart.go
│ │ │ ├── rm.go
│ │ │ ├── run.go
│ │ │ ├── run_flags.go
│ │ │ ├── run_flags_test.go
│ │ │ ├── run_test.go
│ │ │ ├── runtime.go
│ │ │ ├── search.go
│ │ │ ├── secret.go
│ │ │ ├── secret_test.go
│ │ │ ├── server.go
│ │ │ ├── skill.go
│ │ │ ├── skill_build.go
│ │ │ ├── skill_builds.go
│ │ │ ├── skill_builds_remove.go
│ │ │ ├── skill_helpers.go
│ │ │ ├── skill_info.go
│ │ │ ├── skill_install.go
│ │ │ ├── skill_list.go
│ │ │ ├── skill_push.go
│ │ │ ├── skill_uninstall.go
│ │ │ ├── skill_validate.go
│ │ │ ├── status.go
│ │ │ ├── status_test.go
│ │ │ ├── stop.go
│ │ │ ├── tui.go
│ │ │ ├── ui/
│ │ │ │ ├── clients_setup.go
│ │ │ │ ├── clients_setup_test.go
│ │ │ │ ├── clients_status.go
│ │ │ │ ├── help.go
│ │ │ │ ├── log_handler.go
│ │ │ │ ├── selected_groups_test.go
│ │ │ │ ├── spinner.go
│ │ │ │ └── styles.go
│ │ │ ├── version.go
│ │ │ ├── vmcp.go
│ │ │ └── vmcp_test.go
│ │ └── main.go
│ ├── thv-operator/
│ │ ├── DESIGN.md
│ │ ├── README.md
│ │ ├── REGISTRY.md
│ │ ├── Taskfile.yml
│ │ ├── api/
│ │ │ ├── v1alpha1/
│ │ │ │ ├── doc.go
│ │ │ │ ├── groupversion_info.go
│ │ │ │ ├── types.go
│ │ │ │ └── zz_generated.deepcopy.go
│ │ │ └── v1beta1/
│ │ │ ├── conditions.go
│ │ │ ├── embeddingserver_types.go
│ │ │ ├── groupversion_info.go
│ │ │ ├── mcpexternalauthconfig_types.go
│ │ │ ├── mcpexternalauthconfig_types_test.go
│ │ │ ├── mcpgroup_types.go
│ │ │ ├── mcpoidcconfig_types.go
│ │ │ ├── mcpregistry_parse_test.go
│ │ │ ├── mcpregistry_types.go
│ │ │ ├── mcpremoteproxy_types.go
│ │ │ ├── mcpserver_types.go
│ │ │ ├── mcpserver_types_test.go
│ │ │ ├── mcpserverentry_types.go
│ │ │ ├── mcptelemetryconfig_types.go
│ │ │ ├── mcptelemetryconfig_types_test.go
│ │ │ ├── toolconfig_types.go
│ │ │ ├── virtualmcpcompositetooldefinition_types.go
│ │ │ ├── virtualmcpserver_types.go
│ │ │ ├── virtualmcpserver_types_test.go
│ │ │ └── zz_generated.deepcopy.go
│ │ ├── config/
│ │ │ └── webhook/
│ │ │ └── manifests.yaml
│ │ ├── controllers/
│ │ │ ├── embeddingserver_controller.go
│ │ │ ├── embeddingserver_controller_test.go
│ │ │ ├── embeddingserver_default_imagepullsecrets_test.go
│ │ │ ├── helpers_test.go
│ │ │ ├── mcpexternalauthconfig_controller.go
│ │ │ ├── mcpexternalauthconfig_controller_test.go
│ │ │ ├── mcpgroup_controller.go
│ │ │ ├── mcpgroup_controller_test.go
│ │ │ ├── mcpoidcconfig_controller.go
│ │ │ ├── mcpoidcconfig_controller_test.go
│ │ │ ├── mcpregistry_controller.go
│ │ │ ├── mcpregistry_controller_test.go
│ │ │ ├── mcpremoteproxy_authserverref_test.go
│ │ │ ├── mcpremoteproxy_controller.go
│ │ │ ├── mcpremoteproxy_controller_test.go
│ │ │ ├── mcpremoteproxy_default_imagepullsecrets_test.go
│ │ │ ├── mcpremoteproxy_deployment.go
│ │ │ ├── mcpremoteproxy_deployment_test.go
│ │ │ ├── mcpremoteproxy_reconciler_test.go
│ │ │ ├── mcpremoteproxy_runconfig.go
│ │ │ ├── mcpremoteproxy_runconfig_test.go
│ │ │ ├── mcpremoteproxy_telemetryconfig_test.go
│ │ │ ├── mcpserver_authserverref_test.go
│ │ │ ├── mcpserver_authz_test.go
│ │ │ ├── mcpserver_controller.go
│ │ │ ├── mcpserver_default_imagepullsecrets_test.go
│ │ │ ├── mcpserver_externalauth_runconfig_test.go
│ │ │ ├── mcpserver_externalauth_test.go
│ │ │ ├── mcpserver_groupref_test.go
│ │ │ ├── mcpserver_invalid_podtemplate_reconcile_test.go
│ │ │ ├── mcpserver_oidcconfig_test.go
│ │ │ ├── mcpserver_platform_test.go
│ │ │ ├── mcpserver_pod_template_test.go
│ │ │ ├── mcpserver_podtemplatespec_builder_test.go
│ │ │ ├── mcpserver_rbac_test.go
│ │ │ ├── mcpserver_replicas_test.go
│ │ │ ├── mcpserver_resource_overrides_test.go
│ │ │ ├── mcpserver_restart_test.go
│ │ │ ├── mcpserver_runconfig.go
│ │ │ ├── mcpserver_runconfig_test.go
│ │ │ ├── mcpserver_spec_patch_test.go
│ │ │ ├── mcpserver_telemetry_cabundle_test.go
│ │ │ ├── mcpserver_telemetryconfig.go
│ │ │ ├── mcpserver_telemetryconfig_test.go
│ │ │ ├── mcpserver_test_helpers_test.go
│ │ │ ├── mcpserverentry_controller.go
│ │ │ ├── mcpserverentry_controller_test.go
│ │ │ ├── mcptelemetryconfig_controller.go
│ │ │ ├── mcptelemetryconfig_controller_test.go
│ │ │ ├── toolconfig_controller.go
│ │ │ ├── toolconfig_controller_edge_cases_test.go
│ │ │ ├── toolconfig_controller_test.go
│ │ │ ├── virtualmcpserver_controller.go
│ │ │ ├── virtualmcpserver_controller_test.go
│ │ │ ├── virtualmcpserver_default_imagepullsecrets_test.go
│ │ │ ├── virtualmcpserver_deployment.go
│ │ │ ├── virtualmcpserver_deployment_test.go
│ │ │ ├── virtualmcpserver_embedding.go
│ │ │ ├── virtualmcpserver_externalauth_test.go
│ │ │ ├── virtualmcpserver_hmac_secret_test.go
│ │ │ ├── virtualmcpserver_podtemplatespec_reconcile_test.go
│ │ │ ├── virtualmcpserver_podtemplatespec_test.go
│ │ │ ├── virtualmcpserver_telemetryconfig.go
│ │ │ ├── virtualmcpserver_telemetryconfig_test.go
│ │ │ ├── virtualmcpserver_vmcpconfig.go
│ │ │ ├── virtualmcpserver_vmcpconfig_test.go
│ │ │ └── virtualmcpserver_watch_test.go
│ │ ├── main.go
│ │ ├── main_test.go
│ │ ├── pkg/
│ │ │ ├── controllerutil/
│ │ │ │ ├── authserver.go
│ │ │ │ ├── authserver_test.go
│ │ │ │ ├── authz.go
│ │ │ │ ├── authz_test.go
│ │ │ │ ├── config.go
│ │ │ │ ├── config_test.go
│ │ │ │ ├── doc.go
│ │ │ │ ├── externalauth.go
│ │ │ │ ├── externalauth_test.go
│ │ │ │ ├── maps.go
│ │ │ │ ├── maps_test.go
│ │ │ │ ├── oidc.go
│ │ │ │ ├── oidc_test.go
│ │ │ │ ├── oidc_volumes.go
│ │ │ │ ├── patch.go
│ │ │ │ ├── patch_test.go
│ │ │ │ ├── platform.go
│ │ │ │ ├── podtemplatespec_builder.go
│ │ │ │ ├── podtemplatespec_builder_test.go
│ │ │ │ ├── podtemplatespec_patch.go
│ │ │ │ ├── podtemplatespec_patch_test.go
│ │ │ │ ├── resources.go
│ │ │ │ ├── resources_test.go
│ │ │ │ ├── status.go
│ │ │ │ ├── status_test.go
│ │ │ │ ├── telemetry.go
│ │ │ │ ├── telemetry_test.go
│ │ │ │ ├── telemetry_volumes.go
│ │ │ │ ├── telemetry_volumes_test.go
│ │ │ │ ├── tokenexchange.go
│ │ │ │ ├── tools_config.go
│ │ │ │ └── tools_config_test.go
│ │ │ ├── httpclient/
│ │ │ │ ├── client.go
│ │ │ │ └── client_test.go
│ │ │ ├── imagepullsecrets/
│ │ │ │ ├── defaults.go
│ │ │ │ └── defaults_test.go
│ │ │ ├── kubernetes/
│ │ │ │ ├── client.go
│ │ │ │ ├── configmaps/
│ │ │ │ │ ├── configmaps.go
│ │ │ │ │ ├── configmaps_test.go
│ │ │ │ │ └── doc.go
│ │ │ │ ├── doc.go
│ │ │ │ ├── rbac/
│ │ │ │ │ ├── doc.go
│ │ │ │ │ ├── rbac.go
│ │ │ │ │ └── rbac_test.go
│ │ │ │ └── secrets/
│ │ │ │ ├── doc.go
│ │ │ │ ├── secrets.go
│ │ │ │ └── secrets_test.go
│ │ │ ├── oidc/
│ │ │ │ ├── mocks/
│ │ │ │ │ └── mock_resolver.go
│ │ │ │ ├── resolver.go
│ │ │ │ └── resolver_configref_test.go
│ │ │ ├── registryapi/
│ │ │ │ ├── config/
│ │ │ │ │ ├── config.go
│ │ │ │ │ ├── raw_config.go
│ │ │ │ │ └── raw_config_test.go
│ │ │ │ ├── deployment.go
│ │ │ │ ├── deployment_test.go
│ │ │ │ ├── manager.go
│ │ │ │ ├── manager_test.go
│ │ │ │ ├── mocks/
│ │ │ │ │ └── mock_manager.go
│ │ │ │ ├── podtemplatespec.go
│ │ │ │ ├── podtemplatespec_test.go
│ │ │ │ ├── rbac.go
│ │ │ │ ├── rbac_test.go
│ │ │ │ ├── service.go
│ │ │ │ ├── service_test.go
│ │ │ │ ├── types.go
│ │ │ │ └── types_test.go
│ │ │ ├── runconfig/
│ │ │ │ ├── audit.go
│ │ │ │ ├── audit_test.go
│ │ │ │ ├── configmap/
│ │ │ │ │ └── checksum/
│ │ │ │ │ ├── checksum.go
│ │ │ │ │ └── checksum_test.go
│ │ │ │ ├── telemetry.go
│ │ │ │ └── telemetry_test.go
│ │ │ ├── spectoconfig/
│ │ │ │ ├── telemetry.go
│ │ │ │ └── telemetry_test.go
│ │ │ ├── validation/
│ │ │ │ ├── cedar_validation.go
│ │ │ │ ├── cedar_validation_test.go
│ │ │ │ ├── oidc_validation.go
│ │ │ │ ├── oidc_validation_test.go
│ │ │ │ ├── telemetry_validation.go
│ │ │ │ ├── url_validation.go
│ │ │ │ └── url_validation_test.go
│ │ │ ├── virtualmcpserverstatus/
│ │ │ │ ├── collector.go
│ │ │ │ ├── collector_test.go
│ │ │ │ ├── mocks/
│ │ │ │ │ └── mock_collector.go
│ │ │ │ └── types.go
│ │ │ └── vmcpconfig/
│ │ │ ├── converter.go
│ │ │ ├── converter_test.go
│ │ │ └── validator.go
│ │ └── test-integration/
│ │ ├── embedding-server/
│ │ │ ├── embeddingserver_creation_test.go
│ │ │ ├── embeddingserver_update_test.go
│ │ │ └── suite_test.go
│ │ ├── mcp-external-auth/
│ │ │ ├── mcpexternalauthconfig_controller_integration_test.go
│ │ │ └── suite_test.go
│ │ ├── mcp-group/
│ │ │ ├── mcpgroup_controller_integration_test.go
│ │ │ └── suite_test.go
│ │ ├── mcp-oidc-config/
│ │ │ ├── mcpoidcconfig_controller_integration_test.go
│ │ │ ├── mcpoidcconfig_mcpremoteproxy_integration_test.go
│ │ │ ├── mcpoidcconfig_mcpserver_integration_test.go
│ │ │ ├── mcpoidcconfig_virtualmcpserver_integration_test.go
│ │ │ └── suite_test.go
│ │ ├── mcp-registry/
│ │ │ ├── configmap_helpers.go
│ │ │ ├── deployment_update_test.go
│ │ │ ├── doc.go
│ │ │ ├── k8s_helpers.go
│ │ │ ├── registry_helpers.go
│ │ │ ├── registry_lifecycle_test.go
│ │ │ ├── registry_server_rbac_test.go
│ │ │ ├── registryserver_config_test.go
│ │ │ ├── status_helpers.go
│ │ │ ├── suite_test.go
│ │ │ └── timing_helpers.go
│ │ ├── mcp-remote-proxy/
│ │ │ ├── k8s_helpers.go
│ │ │ ├── mcpremoteproxy_authserverref_integration_test.go
│ │ │ ├── mcpremoteproxy_controller_integration_test.go
│ │ │ ├── mcpremoteproxy_imagepullsecrets_drift_test.go
│ │ │ ├── mcpremoteproxy_validation_integration_test.go
│ │ │ ├── remoteproxy_helpers.go
│ │ │ ├── status_helpers.go
│ │ │ └── suite_test.go
│ │ ├── mcp-server/
│ │ │ ├── mcpserver_authserverref_integration_test.go
│ │ │ ├── mcpserver_cel_validation_integration_test.go
│ │ │ ├── mcpserver_controller_integration_test.go
│ │ │ ├── mcpserver_imagepullsecrets_drift_test.go
│ │ │ ├── mcpserver_runconfig_integration_test.go
│ │ │ ├── mcpserver_sessionstorage_cel_test.go
│ │ │ ├── mcpserver_spec_patch_integration_test.go
│ │ │ └── suite_test.go
│ │ ├── mcp-telemetry-config/
│ │ │ ├── mcptelemetryconfig_controller_integration_test.go
│ │ │ └── suite_test.go
│ │ ├── mcp-toolconfig/
│ │ │ ├── mcptoolconfig_controller_integration_test.go
│ │ │ └── suite_test.go
│ │ └── virtualmcp/
│ │ ├── suite_test.go
│ │ ├── virtualmcpserver_compositetool_watch_test.go
│ │ ├── virtualmcpserver_elicitation_integration_test.go
│ │ ├── virtualmcpserver_externalauth_watch_test.go
│ │ ├── virtualmcpserver_imagepullsecrets_integration_test.go
│ │ ├── virtualmcpserver_podtemplatespec_integration_test.go
│ │ ├── virtualmcpserver_replicas_integration_test.go
│ │ ├── virtualmcpserver_sessionstorage_cel_test.go
│ │ └── virtualmcpserver_telemetryconfig_integration_test.go
│ ├── thv-proxyrunner/
│ │ ├── app/
│ │ │ ├── commands.go
│ │ │ └── run.go
│ │ └── main.go
│ └── vmcp/
│ ├── README.md
│ ├── app/
│ │ └── commands.go
│ └── main.go
├── codecov.yaml
├── config/
│ └── webhook/
│ └── manifests.yaml
├── containers/
│ └── egress-proxy/
│ └── Dockerfile
├── copilot_instructions.md
├── cr.yaml
├── ct.yaml
├── dco.md
├── deploy/
│ ├── charts/
│ │ ├── _templates.gotmpl
│ │ ├── operator/
│ │ │ ├── .helmignore
│ │ │ ├── CONTRIBUTING.md
│ │ │ ├── Chart.yaml
│ │ │ ├── README.md
│ │ │ ├── README.md.gotmpl
│ │ │ ├── ci/
│ │ │ │ ├── autoScalingEnabled-values.yaml
│ │ │ │ ├── default-values.yaml
│ │ │ │ ├── extraEnvVars-values.yaml
│ │ │ │ ├── extraPodAndContainerSecurityContext-values.yaml
│ │ │ │ ├── extraPodAnnotationsAndLabels-values.yaml
│ │ │ │ └── extraVolumes-values.yaml
│ │ │ ├── templates/
│ │ │ │ ├── _helpers.tpl
│ │ │ │ ├── clusterrole/
│ │ │ │ │ ├── role.yaml
│ │ │ │ │ └── rolebinding.yaml
│ │ │ │ ├── deployment.yaml
│ │ │ │ ├── hpa.yaml
│ │ │ │ ├── leader-election-role.yaml
│ │ │ │ └── serviceaccount.yaml
│ │ │ └── values.yaml
│ │ └── operator-crds/
│ │ ├── .helmignore
│ │ ├── CONTRIBUTING.md
│ │ ├── Chart.yaml
│ │ ├── README.md
│ │ ├── README.md.gotmpl
│ │ ├── ci/
│ │ │ └── default-values.yaml
│ │ ├── files/
│ │ │ └── crds/
│ │ │ ├── toolhive.stacklok.dev_embeddingservers.yaml
│ │ │ ├── toolhive.stacklok.dev_mcpexternalauthconfigs.yaml
│ │ │ ├── toolhive.stacklok.dev_mcpgroups.yaml
│ │ │ ├── toolhive.stacklok.dev_mcpoidcconfigs.yaml
│ │ │ ├── toolhive.stacklok.dev_mcpregistries.yaml
│ │ │ ├── toolhive.stacklok.dev_mcpremoteproxies.yaml
│ │ │ ├── toolhive.stacklok.dev_mcpserverentries.yaml
│ │ │ ├── toolhive.stacklok.dev_mcpservers.yaml
│ │ │ ├── toolhive.stacklok.dev_mcptelemetryconfigs.yaml
│ │ │ ├── toolhive.stacklok.dev_mcptoolconfigs.yaml
│ │ │ ├── toolhive.stacklok.dev_virtualmcpcompositetooldefinitions.yaml
│ │ │ └── toolhive.stacklok.dev_virtualmcpservers.yaml
│ │ ├── templates/
│ │ │ ├── toolhive.stacklok.dev_embeddingservers.yaml
│ │ │ ├── toolhive.stacklok.dev_mcpexternalauthconfigs.yaml
│ │ │ ├── toolhive.stacklok.dev_mcpgroups.yaml
│ │ │ ├── toolhive.stacklok.dev_mcpoidcconfigs.yaml
│ │ │ ├── toolhive.stacklok.dev_mcpregistries.yaml
│ │ │ ├── toolhive.stacklok.dev_mcpremoteproxies.yaml
│ │ │ ├── toolhive.stacklok.dev_mcpserverentries.yaml
│ │ │ ├── toolhive.stacklok.dev_mcpservers.yaml
│ │ │ ├── toolhive.stacklok.dev_mcptelemetryconfigs.yaml
│ │ │ ├── toolhive.stacklok.dev_mcptoolconfigs.yaml
│ │ │ ├── toolhive.stacklok.dev_virtualmcpcompositetooldefinitions.yaml
│ │ │ └── toolhive.stacklok.dev_virtualmcpservers.yaml
│ │ └── values.yaml
│ └── keycloak/
│ ├── README.md
│ ├── keycloak-dev.yaml
│ ├── mcpserver-with-auth.yaml
│ └── setup-realm.sh
├── docs/
│ ├── README.md
│ ├── arch/
│ │ ├── 00-overview.md
│ │ ├── 01-deployment-modes.md
│ │ ├── 02-core-concepts.md
│ │ ├── 03-transport-architecture.md
│ │ ├── 04-secrets-management.md
│ │ ├── 05-runconfig-and-permissions.md
│ │ ├── 06-registry-system.md
│ │ ├── 07-groups.md
│ │ ├── 08-workloads-lifecycle.md
│ │ ├── 09-operator-architecture.md
│ │ ├── 10-virtual-mcp-architecture.md
│ │ ├── 11-auth-server-storage.md
│ │ ├── 12-skills-system.md
│ │ ├── 13-vmcp-scalability.md
│ │ ├── README.md
│ │ ├── vmcp-library.md
│ │ └── vmcp-local.md
│ ├── authz.md
│ ├── cli/
│ │ ├── thv.md
│ │ ├── thv_build.md
│ │ ├── thv_client.md
│ │ ├── thv_client_list-registered.md
│ │ ├── thv_client_register.md
│ │ ├── thv_client_remove.md
│ │ ├── thv_client_setup.md
│ │ ├── thv_client_status.md
│ │ ├── thv_config.md
│ │ ├── thv_config_get-build-auth-file.md
│ │ ├── thv_config_get-build-env.md
│ │ ├── thv_config_get-ca-cert.md
│ │ ├── thv_config_get-registry.md
│ │ ├── thv_config_otel.md
│ │ ├── thv_config_otel_get-enable-prometheus-metrics-path.md
│ │ ├── thv_config_otel_get-endpoint.md
│ │ ├── thv_config_otel_get-env-vars.md
│ │ ├── thv_config_otel_get-insecure.md
│ │ ├── thv_config_otel_get-metrics-enabled.md
│ │ ├── thv_config_otel_get-sampling-rate.md
│ │ ├── thv_config_otel_get-tracing-enabled.md
│ │ ├── thv_config_otel_set-enable-prometheus-metrics-path.md
│ │ ├── thv_config_otel_set-endpoint.md
│ │ ├── thv_config_otel_set-env-vars.md
│ │ ├── thv_config_otel_set-insecure.md
│ │ ├── thv_config_otel_set-metrics-enabled.md
│ │ ├── thv_config_otel_set-sampling-rate.md
│ │ ├── thv_config_otel_set-tracing-enabled.md
│ │ ├── thv_config_otel_unset-enable-prometheus-metrics-path.md
│ │ ├── thv_config_otel_unset-endpoint.md
│ │ ├── thv_config_otel_unset-env-vars.md
│ │ ├── thv_config_otel_unset-insecure.md
│ │ ├── thv_config_otel_unset-metrics-enabled.md
│ │ ├── thv_config_otel_unset-sampling-rate.md
│ │ ├── thv_config_otel_unset-tracing-enabled.md
│ │ ├── thv_config_set-build-auth-file.md
│ │ ├── thv_config_set-build-env.md
│ │ ├── thv_config_set-ca-cert.md
│ │ ├── thv_config_set-registry.md
│ │ ├── thv_config_unset-build-auth-file.md
│ │ ├── thv_config_unset-build-env.md
│ │ ├── thv_config_unset-ca-cert.md
│ │ ├── thv_config_unset-registry.md
│ │ ├── thv_config_usage-metrics.md
│ │ ├── thv_export.md
│ │ ├── thv_group.md
│ │ ├── thv_group_create.md
│ │ ├── thv_group_list.md
│ │ ├── thv_group_rm.md
│ │ ├── thv_inspector.md
│ │ ├── thv_list.md
│ │ ├── thv_logs.md
│ │ ├── thv_logs_prune.md
│ │ ├── thv_mcp.md
│ │ ├── thv_mcp_list.md
│ │ ├── thv_mcp_list_prompts.md
│ │ ├── thv_mcp_list_resources.md
│ │ ├── thv_mcp_list_tools.md
│ │ ├── thv_mcp_serve.md
│ │ ├── thv_proxy.md
│ │ ├── thv_proxy_stdio.md
│ │ ├── thv_proxy_tunnel.md
│ │ ├── thv_registry.md
│ │ ├── thv_registry_convert.md
│ │ ├── thv_registry_info.md
│ │ ├── thv_registry_list.md
│ │ ├── thv_registry_login.md
│ │ ├── thv_registry_logout.md
│ │ ├── thv_rm.md
│ │ ├── thv_run.md
│ │ ├── thv_runtime.md
│ │ ├── thv_runtime_check.md
│ │ ├── thv_search.md
│ │ ├── thv_secret.md
│ │ ├── thv_secret_delete.md
│ │ ├── thv_secret_get.md
│ │ ├── thv_secret_list.md
│ │ ├── thv_secret_provider.md
│ │ ├── thv_secret_reset-keyring.md
│ │ ├── thv_secret_set.md
│ │ ├── thv_secret_setup.md
│ │ ├── thv_serve.md
│ │ ├── thv_skill.md
│ │ ├── thv_skill_build.md
│ │ ├── thv_skill_builds.md
│ │ ├── thv_skill_builds_remove.md
│ │ ├── thv_skill_info.md
│ │ ├── thv_skill_install.md
│ │ ├── thv_skill_list.md
│ │ ├── thv_skill_push.md
│ │ ├── thv_skill_uninstall.md
│ │ ├── thv_skill_validate.md
│ │ ├── thv_start.md
│ │ ├── thv_status.md
│ │ ├── thv_stop.md
│ │ ├── thv_tui.md
│ │ ├── thv_version.md
│ │ ├── thv_vmcp.md
│ │ ├── thv_vmcp_init.md
│ │ ├── thv_vmcp_serve.md
│ │ └── thv_vmcp_validate.md
│ ├── cli-best-practices.md
│ ├── error-handling.md
│ ├── examples/
│ │ ├── webhooks.json
│ │ └── webhooks.yaml
│ ├── kind/
│ │ ├── deploying-mcp-server-with-operator.md
│ │ ├── deploying-toolhive-operator.md
│ │ ├── ingress-port-forward.md
│ │ ├── ingress.md
│ │ └── setup-kind-cluster.md
│ ├── logging.md
│ ├── middleware.md
│ ├── observability.md
│ ├── operator/
│ │ ├── advanced-workflow-patterns.md
│ │ ├── composite-tools-quick-reference.md
│ │ ├── crd-api.md
│ │ ├── crd-ref-config.yaml
│ │ ├── restart-annotation.md
│ │ ├── templates/
│ │ │ └── markdown/
│ │ │ ├── gv_details.tpl
│ │ │ ├── gv_list.tpl
│ │ │ ├── type.tpl
│ │ │ └── type_members.tpl
│ │ ├── toolconfig-reconciliation.md
│ │ ├── virtualmcpcompositetooldefinition-guide.md
│ │ ├── virtualmcpserver-api.md
│ │ ├── virtualmcpserver-kubernetes-guide.md
│ │ └── virtualmcpserver-observability.md
│ ├── proposals/
│ │ └── README.md
│ ├── redis-storage.md
│ ├── registry/
│ │ ├── heuristics.md
│ │ ├── management.md
│ │ └── schema.md
│ ├── remote-mcp-authentication.md
│ ├── runtime-implementation-guide.md
│ ├── runtime-version-customization.md
│ ├── server/
│ │ ├── README.md
│ │ ├── docs.go
│ │ ├── swagger.json
│ │ └── swagger.yaml
│ └── telemetry-migration-guide.md
├── examples/
│ ├── authz-config-with-entities.json
│ ├── authz-config.json
│ ├── authz-httpv1-config.yaml
│ ├── mcpserver-with-audit.yaml
│ ├── operator/
│ │ ├── embedding-servers/
│ │ │ ├── README.md
│ │ │ ├── basic-embedding.yaml
│ │ │ ├── embedding-advanced.yaml
│ │ │ └── embedding-with-cache.yaml
│ │ ├── external-auth/
│ │ │ ├── complete_example.yaml
│ │ │ ├── mcpexternalauthconfig_basic.yaml
│ │ │ ├── mcpexternalauthconfig_minimal.yaml
│ │ │ ├── mcpremoteproxy_with_bearer_token.yaml
│ │ │ └── mcpserver_with_external_auth.yaml
│ │ ├── mcp-registries/
│ │ │ ├── mcpregistry-configyaml-api.yaml
│ │ │ ├── mcpregistry-configyaml-configmap.yaml
│ │ │ ├── mcpregistry-configyaml-git-auth.yaml
│ │ │ ├── mcpregistry-configyaml-minimal.yaml
│ │ │ ├── mcpregistry-configyaml-oauth.yaml
│ │ │ └── mcpregistry-configyaml-pgpass.yaml
│ │ ├── mcp-server-entries/
│ │ │ ├── mcpserverentry_basic.yaml
│ │ │ ├── mcpserverentry_mixed_group.yaml
│ │ │ ├── mcpserverentry_with_ca_bundle.yaml
│ │ │ ├── mcpserverentry_with_header_forward.yaml
│ │ │ └── mcpserverentry_with_token_exchange.yaml
│ │ ├── mcp-servers/
│ │ │ ├── mcpremoteproxy_with_oidcconfig_ref.yaml
│ │ │ ├── mcpserver_fetch.yaml
│ │ │ ├── mcpserver_fetch_otel.yaml
│ │ │ ├── mcpserver_fetch_tools_filter.yaml
│ │ │ ├── mcpserver_github.yaml
│ │ │ ├── mcpserver_mkp.yaml
│ │ │ ├── mcpserver_with_oidcconfig_ref.yaml
│ │ │ ├── mcpserver_with_pod_template.yaml
│ │ │ ├── mcpserver_with_resource_overrides.yaml
│ │ │ ├── mcpserver_with_restart_strategy.yaml
│ │ │ ├── mcpserver_yardstick_sse.yaml
│ │ │ ├── mcpserver_yardstick_stdio.yaml
│ │ │ └── mcpserver_yardstick_streamablehttp.yaml
│ │ ├── redis-storage/
│ │ │ ├── mcpexternalauthconfig-redis-storage.yaml
│ │ │ ├── redis-credentials.yaml
│ │ │ ├── redis-failover.yaml
│ │ │ └── sentinel-service.yaml
│ │ ├── tool-configs/
│ │ │ ├── toolconfig_basic.yaml
│ │ │ └── toolconfig_with_overrides.yaml
│ │ ├── vault/
│ │ │ ├── mcpserver-github-with-vault.yaml
│ │ │ └── setup-vault-dev.sh
│ │ └── virtual-mcps/
│ │ ├── composite_tool_complex.yaml
│ │ ├── composite_tool_simple.yaml
│ │ ├── composite_tool_with_elicitations.yaml
│ │ ├── vmcp_conflict_resolution.yaml
│ │ ├── vmcp_inline_incoming_auth.yaml
│ │ ├── vmcp_optimizer_all_options.yaml
│ │ ├── vmcp_optimizer_quickstart.yaml
│ │ ├── vmcp_production_full.yaml
│ │ ├── vmcp_simple_discovered.yaml
│ │ ├── vmcp_with_oidcconfig_ref.yaml
│ │ └── vmcp_with_telemetry_ref.yaml
│ ├── otel/
│ │ ├── README.md
│ │ ├── grafana-dashboards/
│ │ │ ├── toolhive-cli-mcp-grafana-dashboard-otel-scrape.json
│ │ │ ├── toolhive-mcp-grafana-dashboard-otel-remotewrite.json
│ │ │ ├── toolhive-mcp-grafana-dashboard-otel-scrape.json
│ │ │ └── toolhive-mcp-otel-semconv-dashboard.json
│ │ ├── otel-values.yaml
│ │ ├── prometheus-stack-values.yaml
│ │ └── tempo-values.yaml
│ ├── registry-with-remote-servers.json
│ └── vmcp-config.yaml
├── go.mod
├── go.sum
├── hack/
│ └── boilerplate.go.txt
├── pkg/
│ ├── api/
│ │ ├── docs.go
│ │ ├── errors/
│ │ │ ├── handler.go
│ │ │ └── handler_test.go
│ │ ├── openapi.go
│ │ ├── request_size_test.go
│ │ ├── scalar.go
│ │ ├── server.go
│ │ ├── server_test.go
│ │ └── v1/
│ │ ├── clients.go
│ │ ├── discovery.go
│ │ ├── groups.go
│ │ ├── groups_test.go
│ │ ├── healthcheck.go
│ │ ├── healthcheck_test.go
│ │ ├── registry.go
│ │ ├── registry_factory_test.go
│ │ ├── registry_test.go
│ │ ├── registry_timeout_test.go
│ │ ├── registry_v01.go
│ │ ├── registry_v01_servers.go
│ │ ├── registry_v01_servers_test.go
│ │ ├── registry_v01_skills.go
│ │ ├── registry_v01_skills_test.go
│ │ ├── secrets.go
│ │ ├── secrets_test.go
│ │ ├── skills.go
│ │ ├── skills_test.go
│ │ ├── skills_types.go
│ │ ├── version.go
│ │ ├── version_test.go
│ │ ├── workload_service.go
│ │ ├── workload_service_test.go
│ │ ├── workload_types.go
│ │ ├── workloads.go
│ │ ├── workloads_test.go
│ │ └── workloads_types_test.go
│ ├── audit/
│ │ ├── auditor.go
│ │ ├── auditor_test.go
│ │ ├── backend_info_test.go
│ │ ├── config.go
│ │ ├── config_test.go
│ │ ├── doc.go
│ │ ├── event.go
│ │ ├── event_test.go
│ │ ├── mcp_events.go
│ │ ├── middleware.go
│ │ ├── middleware_test.go
│ │ ├── workflow_auditor.go
│ │ ├── workflow_auditor_test.go
│ │ └── zz_generated.deepcopy.go
│ ├── auth/
│ │ ├── anonymous.go
│ │ ├── anonymous_test.go
│ │ ├── awssts/
│ │ │ ├── config.go
│ │ │ ├── errors.go
│ │ │ ├── exchange.go
│ │ │ ├── exchange_test.go
│ │ │ ├── middleware.go
│ │ │ ├── middleware_test.go
│ │ │ ├── role_mapper.go
│ │ │ ├── role_mapper_test.go
│ │ │ ├── signer.go
│ │ │ └── signer_test.go
│ │ ├── context.go
│ │ ├── context_test.go
│ │ ├── discovery/
│ │ │ ├── dcr_request.go
│ │ │ ├── discovery.go
│ │ │ ├── discovery_test.go
│ │ │ └── resource_metadata_test.go
│ │ ├── github_provider.go
│ │ ├── github_provider_test.go
│ │ ├── identity.go
│ │ ├── identity_test.go
│ │ ├── local.go
│ │ ├── local_test.go
│ │ ├── middleware.go
│ │ ├── middleware_test.go
│ │ ├── monitored_token_source.go
│ │ ├── monitored_token_source_test.go
│ │ ├── oauth/
│ │ │ ├── flow.go
│ │ │ ├── flow_test.go
│ │ │ ├── manual.go
│ │ │ ├── manual_test.go
│ │ │ ├── non_caching_refresher.go
│ │ │ ├── oidc.go
│ │ │ ├── oidc_test.go
│ │ │ ├── resource_token_source.go
│ │ │ └── resource_token_source_test.go
│ │ ├── remote/
│ │ │ ├── bearer_token_source.go
│ │ │ ├── bearer_token_source_test.go
│ │ │ ├── config.go
│ │ │ ├── config_test.go
│ │ │ ├── doc.go
│ │ │ ├── handler.go
│ │ │ ├── handler_test.go
│ │ │ ├── handler_test_helpers_test.go
│ │ │ ├── persisting_token_source.go
│ │ │ └── persisting_token_source_test.go
│ │ ├── secrets/
│ │ │ ├── secrets.go
│ │ │ └── secrets_test.go
│ │ ├── token.go
│ │ ├── token_test.go
│ │ ├── tokenexchange/
│ │ │ ├── exchange.go
│ │ │ ├── exchange_test.go
│ │ │ ├── middleware.go
│ │ │ └── middleware_test.go
│ │ ├── tokensource/
│ │ │ ├── preemptive_test.go
│ │ │ ├── tokensource.go
│ │ │ └── tokensource_test.go
│ │ ├── upstreamswap/
│ │ │ ├── middleware.go
│ │ │ └── middleware_test.go
│ │ ├── upstreamtoken/
│ │ │ ├── errors.go
│ │ │ ├── mocks/
│ │ │ │ └── mock_token_reader.go
│ │ │ ├── service.go
│ │ │ ├── service_test.go
│ │ │ └── types.go
│ │ ├── utils.go
│ │ ├── utils_test.go
│ │ ├── well_known.go
│ │ └── well_known_test.go
│ ├── authserver/
│ │ ├── config.go
│ │ ├── config_test.go
│ │ ├── docs.go
│ │ ├── integration_test.go
│ │ ├── oauthparams/
│ │ │ └── reserved.go
│ │ ├── refresher.go
│ │ ├── refresher_test.go
│ │ ├── runner/
│ │ │ ├── dcr.go
│ │ │ ├── dcr_store.go
│ │ │ ├── dcr_store_test.go
│ │ │ ├── dcr_test.go
│ │ │ ├── embeddedauthserver.go
│ │ │ ├── embeddedauthserver_test.go
│ │ │ └── redis_tls_test.go
│ │ ├── server/
│ │ │ ├── audience.go
│ │ │ ├── audience_test.go
│ │ │ ├── crypto/
│ │ │ │ ├── keys.go
│ │ │ │ ├── keys_test.go
│ │ │ │ ├── pkce.go
│ │ │ │ └── pkce_test.go
│ │ │ ├── doc.go
│ │ │ ├── handlers/
│ │ │ │ ├── authorize.go
│ │ │ │ ├── authorize_test.go
│ │ │ │ ├── callback.go
│ │ │ │ ├── callback_test.go
│ │ │ │ ├── dcr.go
│ │ │ │ ├── dcr_test.go
│ │ │ │ ├── discovery.go
│ │ │ │ ├── doc.go
│ │ │ │ ├── handler.go
│ │ │ │ ├── handler_chain_test.go
│ │ │ │ ├── handlers_test.go
│ │ │ │ ├── helpers_test.go
│ │ │ │ ├── token.go
│ │ │ │ ├── token_test.go
│ │ │ │ ├── user.go
│ │ │ │ └── user_test.go
│ │ │ ├── keys/
│ │ │ │ ├── config.go
│ │ │ │ ├── mocks/
│ │ │ │ │ └── mock_provider.go
│ │ │ │ ├── provider.go
│ │ │ │ ├── provider_test.go
│ │ │ │ └── types.go
│ │ │ ├── provider.go
│ │ │ ├── provider_test.go
│ │ │ ├── registration/
│ │ │ │ ├── client.go
│ │ │ │ ├── client_test.go
│ │ │ │ ├── dcr.go
│ │ │ │ └── dcr_test.go
│ │ │ └── session/
│ │ │ ├── session.go
│ │ │ └── session_test.go
│ │ ├── server.go
│ │ ├── server_impl.go
│ │ ├── server_test.go
│ │ ├── storage/
│ │ │ ├── config.go
│ │ │ ├── doc.go
│ │ │ ├── memory.go
│ │ │ ├── memory_test.go
│ │ │ ├── mocks/
│ │ │ │ └── mock_storage.go
│ │ │ ├── redis.go
│ │ │ ├── redis_integration_test.go
│ │ │ ├── redis_keys.go
│ │ │ ├── redis_migrate.go
│ │ │ ├── redis_test.go
│ │ │ ├── redis_tls_test.go
│ │ │ ├── types.go
│ │ │ └── types_test.go
│ │ └── upstream/
│ │ ├── doc.go
│ │ ├── mocks/
│ │ │ └── mock_provider.go
│ │ ├── oauth2.go
│ │ ├── oauth2_test.go
│ │ ├── oidc.go
│ │ ├── oidc_test.go
│ │ ├── token_exchange.go
│ │ ├── token_exchange_test.go
│ │ ├── tokens.go
│ │ ├── tokens_test.go
│ │ ├── types.go
│ │ ├── userinfo_config.go
│ │ └── userinfo_config_test.go
│ ├── authz/
│ │ ├── annotation_cache.go
│ │ ├── annotation_cache_test.go
│ │ ├── authorizers/
│ │ │ ├── annotations.go
│ │ │ ├── annotations_test.go
│ │ │ ├── cedar/
│ │ │ │ ├── annotations_integration_test.go
│ │ │ │ ├── annotations_override_test.go
│ │ │ │ ├── core.go
│ │ │ │ ├── core_test.go
│ │ │ │ ├── entity.go
│ │ │ │ ├── entity_test.go
│ │ │ │ └── record_test.go
│ │ │ ├── config.go
│ │ │ ├── config_test.go
│ │ │ ├── core.go
│ │ │ ├── http/
│ │ │ │ ├── claim_mapper.go
│ │ │ │ ├── claim_mapper_test.go
│ │ │ │ ├── config.go
│ │ │ │ ├── config_test.go
│ │ │ │ ├── core.go
│ │ │ │ ├── core_test.go
│ │ │ │ ├── enrichment_test.go
│ │ │ │ ├── http_client.go
│ │ │ │ ├── http_client_test.go
│ │ │ │ ├── integration_test.go
│ │ │ │ ├── porc.go
│ │ │ │ └── porc_test.go
│ │ │ ├── registry.go
│ │ │ └── registry_test.go
│ │ ├── authorizers.go
│ │ ├── config.go
│ │ ├── config_test.go
│ │ ├── integration_test.go
│ │ ├── middleware.go
│ │ ├── middleware_test.go
│ │ ├── response_filter.go
│ │ ├── response_filter_test.go
│ │ ├── tool_filter.go
│ │ └── tool_filter_test.go
│ ├── cache/
│ │ ├── validating_cache.go
│ │ └── validating_cache_test.go
│ ├── certs/
│ │ ├── validation.go
│ │ └── validation_test.go
│ ├── cli/
│ │ ├── tools_override.go
│ │ └── tools_override_test.go
│ ├── client/
│ │ ├── config.go
│ │ ├── config_editor.go
│ │ ├── config_editor_test.go
│ │ ├── config_test.go
│ │ ├── converter.go
│ │ ├── converter_test.go
│ │ ├── discovery.go
│ │ ├── discovery_test.go
│ │ ├── filter.go
│ │ ├── filter_test.go
│ │ ├── llm_gateway.go
│ │ ├── llm_gateway_test.go
│ │ ├── manager.go
│ │ ├── mocks/
│ │ │ └── mock_manager.go
│ │ ├── skills.go
│ │ ├── skills_test.go
│ │ └── test_support.go
│ ├── config/
│ │ ├── buildauthfile.go
│ │ ├── buildauthfile_test.go
│ │ ├── buildenv.go
│ │ ├── buildenv_test.go
│ │ ├── cacert.go
│ │ ├── cacert_test.go
│ │ ├── config.go
│ │ ├── config_test.go
│ │ ├── errors.go
│ │ ├── errors_test.go
│ │ ├── factory.go
│ │ ├── factory_test.go
│ │ ├── interface.go
│ │ ├── interface_test.go
│ │ ├── mocks/
│ │ │ └── mock_provider.go
│ │ ├── registry.go
│ │ ├── registry_test.go
│ │ ├── singleton.go
│ │ ├── validation.go
│ │ └── validation_test.go
│ ├── container/
│ │ ├── docker/
│ │ │ ├── client.go
│ │ │ ├── client_config_test.go
│ │ │ ├── client_create_test.go
│ │ │ ├── client_deploy_test.go
│ │ │ ├── client_final_port_linux.go
│ │ │ ├── client_final_port_other.go
│ │ │ ├── client_helpers_test.go
│ │ │ ├── client_info_test.go
│ │ │ ├── client_list_test.go
│ │ │ ├── client_partial_match_test.go
│ │ │ ├── client_stop_test.go
│ │ │ ├── errors.go
│ │ │ ├── mocks_test.go
│ │ │ ├── register.go
│ │ │ ├── sdk/
│ │ │ │ ├── client_unix.go
│ │ │ │ ├── client_unix_test.go
│ │ │ │ ├── client_windows.go
│ │ │ │ └── factory.go
│ │ │ ├── squid.go
│ │ │ └── squid_test.go
│ │ ├── factory.go
│ │ ├── factory_test.go
│ │ ├── images/
│ │ │ ├── image.go
│ │ │ ├── keychain.go
│ │ │ └── registry.go
│ │ ├── kubernetes/
│ │ │ ├── client.go
│ │ │ ├── client_test.go
│ │ │ ├── common.go
│ │ │ ├── common_test.go
│ │ │ ├── configmap.go
│ │ │ ├── configmap_test.go
│ │ │ ├── mocks/
│ │ │ │ └── mock_configmap.go
│ │ │ ├── register.go
│ │ │ ├── security.go
│ │ │ └── security_test.go
│ │ ├── name.go
│ │ ├── name_test.go
│ │ ├── runtime/
│ │ │ ├── errors.go
│ │ │ ├── errors_test.go
│ │ │ ├── mocks/
│ │ │ │ └── mock_runtime.go
│ │ │ ├── monitor.go
│ │ │ ├── monitor_test.go
│ │ │ ├── registry.go
│ │ │ ├── registry_test.go
│ │ │ └── types.go
│ │ ├── runtimes.go
│ │ └── templates/
│ │ ├── go.tmpl
│ │ ├── npx.tmpl
│ │ ├── runtime_config.go
│ │ ├── runtime_config_test.go
│ │ ├── templates.go
│ │ ├── templates_test.go
│ │ └── uvx.tmpl
│ ├── core/
│ │ ├── workload.go
│ │ └── workload_test.go
│ ├── desktop/
│ │ ├── marker.go
│ │ ├── types.go
│ │ ├── validation.go
│ │ └── validation_test.go
│ ├── environment/
│ │ ├── environment.go
│ │ └── environment_test.go
│ ├── export/
│ │ ├── k8s.go
│ │ └── k8s_test.go
│ ├── fileutils/
│ │ ├── atomic.go
│ │ ├── atomic_test.go
│ │ ├── contained.go
│ │ ├── lock.go
│ │ ├── validation.go
│ │ └── validation_test.go
│ ├── foreach/
│ │ ├── foreach.go
│ │ └── foreach_test.go
│ ├── git/
│ │ ├── client.go
│ │ ├── client_test.go
│ │ ├── doc.go
│ │ ├── fs.go
│ │ ├── integration_test.go
│ │ └── types.go
│ ├── groups/
│ │ ├── cli_manager.go
│ │ ├── cli_manager_test.go
│ │ ├── crd_manager.go
│ │ ├── crd_manager_test.go
│ │ ├── errors.go
│ │ ├── group.go
│ │ ├── manager.go
│ │ ├── mocks/
│ │ │ └── mock_manager.go
│ │ ├── skills.go
│ │ └── skills_test.go
│ ├── healthcheck/
│ │ ├── healthcheck.go
│ │ └── healthcheck_test.go
│ ├── ignore/
│ │ ├── processor.go
│ │ └── processor_test.go
│ ├── json/
│ │ └── any.go
│ ├── k8s/
│ │ ├── client.go
│ │ ├── client_test.go
│ │ ├── config.go
│ │ ├── config_test.go
│ │ ├── doc.go
│ │ ├── namespace.go
│ │ ├── namespace_test.go
│ │ └── test_helpers.go
│ ├── labels/
│ │ ├── labels.go
│ │ └── labels_test.go
│ ├── llm/
│ │ ├── config.go
│ │ ├── config_test.go
│ │ ├── doc.go
│ │ ├── manage.go
│ │ ├── manage_test.go
│ │ ├── proxy/
│ │ │ ├── proxy.go
│ │ │ └── proxy_test.go
│ │ ├── setup.go
│ │ ├── setup_test.go
│ │ ├── tokensource.go
│ │ └── tokensource_test.go
│ ├── llmgateway/
│ │ └── config.go
│ ├── lockfile/
│ │ ├── cleanup.go
│ │ └── cleanup_test.go
│ ├── mcp/
│ │ ├── client/
│ │ │ └── client.go
│ │ ├── middleware.go
│ │ ├── middleware_test.go
│ │ ├── parser.go
│ │ ├── parser_integration_test.go
│ │ ├── parser_test.go
│ │ ├── response.go
│ │ ├── response_test.go
│ │ ├── server/
│ │ │ ├── get_server_logs.go
│ │ │ ├── handler.go
│ │ │ ├── handler_mock_test.go
│ │ │ ├── handler_test.go
│ │ │ ├── list_secrets.go
│ │ │ ├── list_secrets_test.go
│ │ │ ├── list_servers.go
│ │ │ ├── remove_server.go
│ │ │ ├── run_server.go
│ │ │ ├── search_registry.go
│ │ │ ├── server.go
│ │ │ ├── server_test.go
│ │ │ ├── set_secret.go
│ │ │ ├── set_secret_test.go
│ │ │ └── stop_server.go
│ │ ├── tool_filter.go
│ │ ├── tool_filter_test.go
│ │ ├── tool_middleware_test.go
│ │ ├── utils.go
│ │ └── utils_test.go
│ ├── migration/
│ │ ├── middleware_telemetry.go
│ │ ├── migration.go
│ │ ├── secret_scope.go
│ │ ├── telemetry_config.go
│ │ └── telemetry_config_test.go
│ ├── networking/
│ │ ├── fetch.go
│ │ ├── fetch_test.go
│ │ ├── http_client.go
│ │ ├── http_client_test.go
│ │ ├── http_error.go
│ │ ├── http_error_test.go
│ │ ├── port.go
│ │ ├── port_test.go
│ │ ├── utilities.go
│ │ └── utilities_test.go
│ ├── oauthproto/
│ │ ├── cimd.go
│ │ ├── cimd_test.go
│ │ ├── constants.go
│ │ ├── dcr.go
│ │ ├── dcr_test.go
│ │ ├── discovery.go
│ │ ├── discovery_test.go
│ │ ├── doc.go
│ │ ├── errors.go
│ │ ├── grants.go
│ │ ├── grants_test.go
│ │ ├── locality.go
│ │ ├── oauthtest/
│ │ │ └── fixtures.go
│ │ ├── redirect.go
│ │ └── redirect_test.go
│ ├── oidc/
│ │ ├── clientconfig.go
│ │ └── doc.go
│ ├── operator/
│ │ ├── accessors/
│ │ │ ├── mcpserver_accessor.go
│ │ │ └── mcpserver_accessor_test.go
│ │ └── telemetry/
│ │ ├── telemetry.go
│ │ └── telemetry_test.go
│ ├── process/
│ │ ├── detached.go
│ │ ├── find_unix.go
│ │ ├── find_windows.go
│ │ ├── kill_unix.go
│ │ ├── kill_windows.go
│ │ ├── pid_validation_test.go
│ │ ├── toolhive_proxy.go
│ │ ├── toolhive_proxy_test.go
│ │ ├── wait.go
│ │ └── wait_test.go
│ ├── ratelimit/
│ │ ├── internal/
│ │ │ └── bucket/
│ │ │ ├── bucket.go
│ │ │ └── bucket_test.go
│ │ ├── limiter.go
│ │ ├── limiter_test.go
│ │ ├── middleware.go
│ │ └── middleware_test.go
│ ├── recovery/
│ │ ├── recovery.go
│ │ └── recovery_test.go
│ ├── registry/
│ │ ├── api/
│ │ │ ├── client.go
│ │ │ ├── shared.go
│ │ │ ├── skills_client.go
│ │ │ └── skills_client_test.go
│ │ ├── auth/
│ │ │ ├── auth.go
│ │ │ ├── auth_test.go
│ │ │ ├── cache.go
│ │ │ ├── helpers_test.go
│ │ │ ├── issuer_validation.go
│ │ │ ├── login.go
│ │ │ ├── login_test.go
│ │ │ ├── transport.go
│ │ │ └── transport_test.go
│ │ ├── auth_manager.go
│ │ ├── auth_manager_test.go
│ │ ├── convert.go
│ │ ├── convert_test.go
│ │ ├── errors.go
│ │ ├── errors_test.go
│ │ ├── factory.go
│ │ ├── factory_test.go
│ │ ├── legacyhint/
│ │ │ ├── legacyhint.go
│ │ │ └── legacyhint_test.go
│ │ ├── mocks/
│ │ │ ├── mock_provider.go
│ │ │ └── mock_service.go
│ │ ├── policy_gate.go
│ │ ├── policy_gate_test.go
│ │ ├── provider.go
│ │ ├── provider_api.go
│ │ ├── provider_base.go
│ │ ├── provider_cached.go
│ │ ├── provider_cached_authbug_test.go
│ │ ├── provider_local.go
│ │ ├── provider_remote.go
│ │ ├── provider_test.go
│ │ ├── schema_validation_test.go
│ │ ├── service.go
│ │ ├── service_test.go
│ │ ├── types_test.go
│ │ └── upstream_parser.go
│ ├── runner/
│ │ ├── config.go
│ │ ├── config_builder.go
│ │ ├── config_builder_test.go
│ │ ├── config_env_files_test.go
│ │ ├── config_test.go
│ │ ├── env.go
│ │ ├── env_files.go
│ │ ├── env_files_test.go
│ │ ├── middleware.go
│ │ ├── middleware_test.go
│ │ ├── permissions.go
│ │ ├── permissions_test.go
│ │ ├── policy_gate.go
│ │ ├── policy_gate_test.go
│ │ ├── protocol.go
│ │ ├── protocol_test.go
│ │ ├── retriever/
│ │ │ ├── retriever.go
│ │ │ └── retriever_test.go
│ │ ├── runner.go
│ │ ├── runner_test.go
│ │ └── webhook_integration_test.go
│ ├── runtime/
│ │ └── setup.go
│ ├── script/
│ │ ├── description.go
│ │ ├── description_test.go
│ │ ├── executor.go
│ │ ├── internal/
│ │ │ ├── builtins/
│ │ │ │ ├── builtins.go
│ │ │ │ ├── builtins_test.go
│ │ │ │ ├── calltool.go
│ │ │ │ ├── parallel.go
│ │ │ │ └── tools.go
│ │ │ ├── conversions/
│ │ │ │ ├── result.go
│ │ │ │ ├── result_test.go
│ │ │ │ ├── starlark.go
│ │ │ │ ├── starlark_test.go
│ │ │ │ ├── toolname.go
│ │ │ │ └── toolname_test.go
│ │ │ └── core/
│ │ │ ├── execute.go
│ │ │ └── execute_test.go
│ │ ├── script.go
│ │ └── script_test.go
│ ├── secrets/
│ │ ├── 1password.go
│ │ ├── 1password_test.go
│ │ ├── aes/
│ │ │ ├── aes.go
│ │ │ └── aes_test.go
│ │ ├── clients/
│ │ │ ├── 1password.go
│ │ │ └── mocks/
│ │ │ └── mock_onepassword.go
│ │ ├── concurrency_test.go
│ │ ├── encrypted.go
│ │ ├── encrypted_test.go
│ │ ├── environment.go
│ │ ├── environment_test.go
│ │ ├── factory.go
│ │ ├── factory_test.go
│ │ ├── fallback.go
│ │ ├── fallback_test.go
│ │ ├── integration_test.go
│ │ ├── keyring/
│ │ │ ├── composite.go
│ │ │ ├── composite_test.go
│ │ │ ├── dbus_wrapper.go
│ │ │ ├── interface.go
│ │ │ ├── keyctl_linux.go
│ │ │ ├── keyctl_linux_test.go
│ │ │ ├── keyctl_other.go
│ │ │ └── utils.go
│ │ ├── migration.go
│ │ ├── migration_test.go
│ │ ├── mocks/
│ │ │ ├── mock_onepassword.go
│ │ │ └── mock_provider.go
│ │ ├── scoped.go
│ │ ├── scoped_test.go
│ │ ├── types.go
│ │ └── types_test.go
│ ├── security/
│ │ ├── security.go
│ │ └── security_test.go
│ ├── sentry/
│ │ ├── sentry.go
│ │ └── sentry_test.go
│ ├── server/
│ │ └── discovery/
│ │ ├── discover.go
│ │ ├── discover_test.go
│ │ ├── discovery.go
│ │ ├── discovery_test.go
│ │ ├── health.go
│ │ └── health_test.go
│ ├── skills/
│ │ ├── client/
│ │ │ ├── client.go
│ │ │ ├── client_test.go
│ │ │ └── dto.go
│ │ ├── gitresolver/
│ │ │ ├── auth.go
│ │ │ ├── auth_test.go
│ │ │ ├── mocks/
│ │ │ │ └── mock_resolver.go
│ │ │ ├── reference.go
│ │ │ ├── reference_test.go
│ │ │ ├── resolver.go
│ │ │ ├── resolver_test.go
│ │ │ ├── writer.go
│ │ │ └── writer_test.go
│ │ ├── installer.go
│ │ ├── installer_test.go
│ │ ├── mocks/
│ │ │ ├── mock_path_resolver.go
│ │ │ └── mock_service.go
│ │ ├── options.go
│ │ ├── parser.go
│ │ ├── parser_test.go
│ │ ├── project_root.go
│ │ ├── project_root_test.go
│ │ ├── service.go
│ │ ├── skillsvc/
│ │ │ ├── build.go
│ │ │ ├── build_test.go
│ │ │ ├── clients.go
│ │ │ ├── content.go
│ │ │ ├── content_test.go
│ │ │ ├── info_test.go
│ │ │ ├── install.go
│ │ │ ├── install_extraction.go
│ │ │ ├── install_git.go
│ │ │ ├── install_git_test.go
│ │ │ ├── install_oci.go
│ │ │ ├── install_oci_test.go
│ │ │ ├── install_registry_test.go
│ │ │ ├── install_test.go
│ │ │ ├── list.go
│ │ │ ├── local_build_marker.go
│ │ │ ├── oci.go
│ │ │ ├── oci_test.go
│ │ │ ├── pull_errors.go
│ │ │ ├── pull_errors_test.go
│ │ │ ├── registry.go
│ │ │ ├── scope.go
│ │ │ ├── service.go
│ │ │ ├── service_test.go
│ │ │ ├── testhelpers_test.go
│ │ │ ├── uninstall.go
│ │ │ └── uninstall_test.go
│ │ ├── types.go
│ │ ├── validator.go
│ │ └── validator_test.go
│ ├── state/
│ │ ├── factory.go
│ │ ├── factory_test.go
│ │ ├── interface.go
│ │ ├── kubernetes.go
│ │ ├── kubernetes_test.go
│ │ ├── local.go
│ │ ├── mocks/
│ │ │ └── mock_store.go
│ │ └── runconfig.go
│ ├── storage/
│ │ ├── errors.go
│ │ ├── interfaces.go
│ │ ├── mocks/
│ │ │ └── mock_skill_store.go
│ │ ├── noop.go
│ │ ├── noop_test.go
│ │ └── sqlite/
│ │ ├── db.go
│ │ ├── db_test.go
│ │ ├── factory.go
│ │ ├── factory_test.go
│ │ ├── migrations/
│ │ │ └── 001_create_entries_and_skills.sql
│ │ ├── migrations.go
│ │ ├── migrations_test.go
│ │ ├── skill_store.go
│ │ └── skill_store_test.go
│ ├── syncutil/
│ │ ├── atmost.go
│ │ └── atmost_test.go
│ ├── telemetry/
│ │ ├── attributes.go
│ │ ├── attributes_test.go
│ │ ├── config.go
│ │ ├── config_test.go
│ │ ├── doc.go
│ │ ├── integration_test.go
│ │ ├── middleware.go
│ │ ├── middleware_sse_test.go
│ │ ├── middleware_test.go
│ │ ├── propagation.go
│ │ ├── propagation_test.go
│ │ ├── providers/
│ │ │ ├── otlp/
│ │ │ │ ├── config.go
│ │ │ │ ├── endpoint.go
│ │ │ │ ├── endpoint_test.go
│ │ │ │ ├── logging.go
│ │ │ │ ├── metrics.go
│ │ │ │ ├── metrics_test.go
│ │ │ │ ├── tls.go
│ │ │ │ ├── tls_test.go
│ │ │ │ ├── tracing.go
│ │ │ │ └── tracing_test.go
│ │ │ ├── prometheus/
│ │ │ │ ├── prometheus.go
│ │ │ │ └── prometheus_test.go
│ │ │ ├── providers.go
│ │ │ ├── providers_strategy.go
│ │ │ ├── providers_strategy_test.go
│ │ │ ├── providers_test.go
│ │ │ └── unified_test.go
│ │ ├── registry.go
│ │ ├── registry_test.go
│ │ ├── serve.go
│ │ └── zz_generated.deepcopy.go
│ ├── templates/
│ │ ├── funcs.go
│ │ ├── references.go
│ │ └── references_test.go
│ ├── transport/
│ │ ├── bridge.go
│ │ ├── errors/
│ │ │ ├── errors.go
│ │ │ └── errors_test.go
│ │ ├── factory.go
│ │ ├── http.go
│ │ ├── http_remote_query_test.go
│ │ ├── http_test.go
│ │ ├── middleware/
│ │ │ ├── header_forward.go
│ │ │ ├── header_forward_test.go
│ │ │ ├── token_injection.go
│ │ │ ├── token_injection_test.go
│ │ │ ├── write_timeout.go
│ │ │ └── write_timeout_test.go
│ │ ├── proxy/
│ │ │ ├── httpsse/
│ │ │ │ ├── http_proxy.go
│ │ │ │ ├── http_proxy_integration_test.go
│ │ │ │ ├── http_proxy_test.go
│ │ │ │ └── pinger.go
│ │ │ ├── socket/
│ │ │ │ ├── socket_unix.go
│ │ │ │ └── socket_windows.go
│ │ │ ├── streamable/
│ │ │ │ ├── dispatcher.go
│ │ │ │ ├── streamable_proxy.go
│ │ │ │ ├── streamable_proxy_integration_test.go
│ │ │ │ ├── streamable_proxy_mcp_client_integration_test.go
│ │ │ │ ├── streamable_proxy_spec_test.go
│ │ │ │ ├── streamable_proxy_test.go
│ │ │ │ └── utils.go
│ │ │ └── transparent/
│ │ │ ├── backend_recovery_test.go
│ │ │ ├── backend_routing_test.go
│ │ │ ├── delete_session_test.go
│ │ │ ├── method_gate_test.go
│ │ │ ├── pinger.go
│ │ │ ├── pinger_test.go
│ │ │ ├── redirect_test.go
│ │ │ ├── remote_path_test.go
│ │ │ ├── response_processor.go
│ │ │ ├── session_id.go
│ │ │ ├── session_id_test.go
│ │ │ ├── sse_response_processor.go
│ │ │ ├── transparent_proxy.go
│ │ │ └── transparent_test.go
│ │ ├── session/
│ │ │ ├── errors.go
│ │ │ ├── jsonrpc_errors.go
│ │ │ ├── jsonrpc_errors_test.go
│ │ │ ├── manager.go
│ │ │ ├── manager_redis_test.go
│ │ │ ├── manager_test.go
│ │ │ ├── proxy_session.go
│ │ │ ├── redis_config.go
│ │ │ ├── serialization.go
│ │ │ ├── serialization_test.go
│ │ │ ├── session_data_storage.go
│ │ │ ├── session_data_storage_local.go
│ │ │ ├── session_data_storage_redis.go
│ │ │ ├── session_data_storage_test.go
│ │ │ ├── sse_session.go
│ │ │ ├── storage.go
│ │ │ ├── storage_local.go
│ │ │ ├── storage_redis.go
│ │ │ ├── storage_redis_test.go
│ │ │ ├── storage_test.go
│ │ │ └── streamable_session.go
│ │ ├── ssecommon/
│ │ │ ├── sse_common.go
│ │ │ └── sse_common_test.go
│ │ ├── stdio.go
│ │ ├── stdio_test.go
│ │ ├── streamable/
│ │ │ └── streamable.go
│ │ ├── tunnel/
│ │ │ └── ngrok/
│ │ │ └── tunnel_provider.go
│ │ ├── types/
│ │ │ ├── mocks/
│ │ │ │ ├── mock_transport.go
│ │ │ │ └── mock_tunnel_provider.go
│ │ │ ├── transport.go
│ │ │ ├── transport_test.go
│ │ │ └── tunnel.go
│ │ ├── url.go
│ │ └── url_test.go
│ ├── tui/
│ │ ├── actions.go
│ │ ├── form_helpers.go
│ │ ├── form_helpers_test.go
│ │ ├── helpers_test.go
│ │ ├── init.go
│ │ ├── inspector.go
│ │ ├── inspector_test.go
│ │ ├── json_tree.go
│ │ ├── json_tree_test.go
│ │ ├── keys.go
│ │ ├── logformat.go
│ │ ├── logformat_test.go
│ │ ├── logs.go
│ │ ├── logs_test.go
│ │ ├── main_test.go
│ │ ├── model.go
│ │ ├── proxylogs.go
│ │ ├── registry.go
│ │ ├── registry_test.go
│ │ ├── search_test.go
│ │ ├── tools.go
│ │ ├── update.go
│ │ ├── update_inspector.go
│ │ ├── update_navigation.go
│ │ ├── update_registry.go
│ │ ├── update_search.go
│ │ ├── view.go
│ │ ├── view_helpers.go
│ │ ├── view_info.go
│ │ ├── view_inspector.go
│ │ ├── view_registry.go
│ │ └── view_statusbar.go
│ ├── updates/
│ │ ├── checker.go
│ │ ├── checker_test.go
│ │ ├── client.go
│ │ └── client_test.go
│ ├── usagemetrics/
│ │ ├── client.go
│ │ ├── client_test.go
│ │ ├── collector.go
│ │ ├── collector_test.go
│ │ ├── middleware.go
│ │ ├── middleware_test.go
│ │ └── types.go
│ ├── versions/
│ │ ├── version.go
│ │ └── version_test.go
│ ├── vmcp/
│ │ ├── aggregator/
│ │ │ ├── aggregator.go
│ │ │ ├── conflict_resolver.go
│ │ │ ├── conflict_resolver_test.go
│ │ │ ├── default_aggregator.go
│ │ │ ├── default_aggregator_test.go
│ │ │ ├── discoverer.go
│ │ │ ├── discoverer_test.go
│ │ │ ├── manual_resolver.go
│ │ │ ├── mocks/
│ │ │ │ └── mock_interfaces.go
│ │ │ ├── prefix_resolver.go
│ │ │ ├── priority_resolver.go
│ │ │ ├── testhelpers_annotations_test.go
│ │ │ ├── testhelpers_test.go
│ │ │ ├── tool_adapter.go
│ │ │ ├── tool_adapter_annotations_test.go
│ │ │ └── tool_adapter_test.go
│ │ ├── auth/
│ │ │ ├── auth.go
│ │ │ ├── converters/
│ │ │ │ ├── aws_sts.go
│ │ │ │ ├── aws_sts_test.go
│ │ │ │ ├── external_auth_config.go
│ │ │ │ ├── header_injection.go
│ │ │ │ ├── header_injection_test.go
│ │ │ │ ├── interface.go
│ │ │ │ ├── registry_test.go
│ │ │ │ ├── token_exchange.go
│ │ │ │ ├── token_exchange_test.go
│ │ │ │ ├── unauthenticated.go
│ │ │ │ ├── unauthenticated_test.go
│ │ │ │ ├── upstream_inject.go
│ │ │ │ └── upstream_inject_test.go
│ │ │ ├── factory/
│ │ │ │ ├── authz_not_wired_test.go
│ │ │ │ ├── incoming.go
│ │ │ │ ├── incoming_keyprovider_test.go
│ │ │ │ ├── incoming_test.go
│ │ │ │ ├── incoming_upstream_test.go
│ │ │ │ ├── integration_test.go
│ │ │ │ ├── outgoing.go
│ │ │ │ └── outgoing_test.go
│ │ │ ├── mocks/
│ │ │ │ └── mock_strategy.go
│ │ │ ├── outgoing_registry.go
│ │ │ ├── outgoing_registry_test.go
│ │ │ ├── strategies/
│ │ │ │ ├── aws_sts.go
│ │ │ │ ├── aws_sts_test.go
│ │ │ │ ├── constants.go
│ │ │ │ ├── header_injection.go
│ │ │ │ ├── header_injection_test.go
│ │ │ │ ├── tokenexchange.go
│ │ │ │ ├── tokenexchange_test.go
│ │ │ │ ├── unauthenticated.go
│ │ │ │ ├── unauthenticated_test.go
│ │ │ │ ├── upstream_inject.go
│ │ │ │ └── upstream_inject_test.go
│ │ │ └── types/
│ │ │ ├── doc.go
│ │ │ ├── types.go
│ │ │ └── zz_generated.deepcopy.go
│ │ ├── cache/
│ │ │ ├── cache.go
│ │ │ └── cache_test.go
│ │ ├── cli/
│ │ │ ├── auth_server_config_test.go
│ │ │ ├── embedding_manager.go
│ │ │ ├── embedding_manager_test.go
│ │ │ ├── init.go
│ │ │ ├── init_test.go
│ │ │ ├── mocks/
│ │ │ │ └── mock_container_factory.go
│ │ │ ├── optimizer_wiring_test.go
│ │ │ ├── serve.go
│ │ │ ├── serve_test.go
│ │ │ ├── validate.go
│ │ │ └── validate_test.go
│ │ ├── client/
│ │ │ ├── auth_propagation_integration_test.go
│ │ │ ├── client.go
│ │ │ ├── client_test.go
│ │ │ ├── meta_integration_test.go
│ │ │ └── mocks/
│ │ │ └── mock_outgoing_registry.go
│ │ ├── composer/
│ │ │ ├── composer.go
│ │ │ ├── composite_output_integration_test.go
│ │ │ ├── dag_executor.go
│ │ │ ├── dag_executor_test.go
│ │ │ ├── elicitation_handler.go
│ │ │ ├── elicitation_handler_test.go
│ │ │ ├── elicitation_integration_test.go
│ │ │ ├── foreach_test.go
│ │ │ ├── mocks/
│ │ │ │ └── mock_sdk_elicitation_requester.go
│ │ │ ├── output_constructor.go
│ │ │ ├── output_constructor_test.go
│ │ │ ├── output_validator.go
│ │ │ ├── output_validator_test.go
│ │ │ ├── security_test.go
│ │ │ ├── state_store.go
│ │ │ ├── state_store_test.go
│ │ │ ├── template_expander.go
│ │ │ ├── template_expander_test.go
│ │ │ ├── testhelpers_test.go
│ │ │ ├── workflow_audit_integration_test.go
│ │ │ ├── workflow_context.go
│ │ │ ├── workflow_engine.go
│ │ │ ├── workflow_engine_test.go
│ │ │ ├── workflow_errors.go
│ │ │ ├── workflow_state_store.go
│ │ │ └── workflow_state_store_test.go
│ │ ├── config/
│ │ │ ├── composite_validation.go
│ │ │ ├── composite_validation_test.go
│ │ │ ├── config.go
│ │ │ ├── config_test.go
│ │ │ ├── crd_cli_roundtrip_test.go
│ │ │ ├── defaults.go
│ │ │ ├── defaults_test.go
│ │ │ ├── doc.go
│ │ │ ├── foreach_validation_test.go
│ │ │ ├── validator.go
│ │ │ ├── validator_test.go
│ │ │ ├── yaml_loader.go
│ │ │ ├── yaml_loader_test.go
│ │ │ ├── yaml_loader_transform_test.go
│ │ │ └── zz_generated.deepcopy.go
│ │ ├── conversion/
│ │ │ ├── content.go
│ │ │ ├── content_test.go
│ │ │ ├── conversion_test.go
│ │ │ └── meta.go
│ │ ├── discovery/
│ │ │ ├── context.go
│ │ │ ├── context_test.go
│ │ │ ├── manager.go
│ │ │ ├── manager_test.go
│ │ │ ├── middleware.go
│ │ │ ├── middleware_test.go
│ │ │ └── mocks/
│ │ │ └── mock_manager.go
│ │ ├── doc.go
│ │ ├── errors.go
│ │ ├── health/
│ │ │ ├── checker.go
│ │ │ ├── checker_test.go
│ │ │ ├── circuit_breaker.go
│ │ │ ├── circuit_breaker_test.go
│ │ │ ├── context/
│ │ │ │ ├── context.go
│ │ │ │ └── context_test.go
│ │ │ ├── monitor.go
│ │ │ ├── monitor_test.go
│ │ │ ├── status.go
│ │ │ ├── status_builder_test.go
│ │ │ └── status_test.go
│ │ ├── internal/
│ │ │ └── compositetools/
│ │ │ ├── decorator.go
│ │ │ ├── decorator_test.go
│ │ │ ├── workflow_converter.go
│ │ │ └── workflow_converter_test.go
│ │ ├── k8s/
│ │ │ ├── backend_reconciler.go
│ │ │ ├── backend_reconciler_integration_test.go
│ │ │ ├── backend_reconciler_test.go
│ │ │ ├── manager.go
│ │ │ └── manager_test.go
│ │ ├── mocks/
│ │ │ ├── mock_backend_client.go
│ │ │ └── mock_registry.go
│ │ ├── optimizer/
│ │ │ ├── internal/
│ │ │ │ ├── similarity/
│ │ │ │ │ ├── cosine.go
│ │ │ │ │ ├── cosine_bench_test.go
│ │ │ │ │ ├── cosine_test.go
│ │ │ │ │ ├── tei_client.go
│ │ │ │ │ └── tei_client_test.go
│ │ │ │ ├── tokencounter/
│ │ │ │ │ ├── counter.go
│ │ │ │ │ └── counter_test.go
│ │ │ │ ├── toolstore/
│ │ │ │ │ ├── schema.sql
│ │ │ │ │ ├── sqlite_store.go
│ │ │ │ │ ├── sqlite_store_bench_test.go
│ │ │ │ │ └── sqlite_store_test.go
│ │ │ │ └── types/
│ │ │ │ ├── mocks/
│ │ │ │ │ └── mock_types.go
│ │ │ │ └── types.go
│ │ │ ├── optimizer.go
│ │ │ └── optimizer_test.go
│ │ ├── registry.go
│ │ ├── registry_test.go
│ │ ├── router/
│ │ │ ├── default_router.go
│ │ │ ├── default_router_test.go
│ │ │ ├── mocks/
│ │ │ │ └── mock_router.go
│ │ │ ├── router.go
│ │ │ ├── session_router.go
│ │ │ └── session_router_test.go
│ │ ├── schema/
│ │ │ ├── array.go
│ │ │ ├── object.go
│ │ │ ├── primitive.go
│ │ │ ├── reflect.go
│ │ │ ├── reflect_test.go
│ │ │ ├── schema.go
│ │ │ └── schema_test.go
│ │ ├── server/
│ │ │ ├── adapter/
│ │ │ │ ├── capability_adapter.go
│ │ │ │ ├── capability_adapter_annotations_test.go
│ │ │ │ ├── capability_adapter_test.go
│ │ │ │ ├── handler_factory.go
│ │ │ │ ├── handler_factory_test.go
│ │ │ │ └── mocks/
│ │ │ │ └── mock_handler_factory.go
│ │ │ ├── annotation_enrichment.go
│ │ │ ├── annotation_enrichment_test.go
│ │ │ ├── backend_enrichment.go
│ │ │ ├── backend_enrichment_test.go
│ │ │ ├── health_monitoring_test.go
│ │ │ ├── health_test.go
│ │ │ ├── integration_test.go
│ │ │ ├── mocks/
│ │ │ │ └── mock_watcher.go
│ │ │ ├── readiness_test.go
│ │ │ ├── sdk_elicitation_adapter.go
│ │ │ ├── sdk_elicitation_adapter_test.go
│ │ │ ├── server.go
│ │ │ ├── server_test.go
│ │ │ ├── session_management_integration_test.go
│ │ │ ├── session_management_realbackend_integration_test.go
│ │ │ ├── session_manager_interface.go
│ │ │ ├── sessionmanager/
│ │ │ │ ├── factory.go
│ │ │ │ ├── horizontal_scaling_integration_test.go
│ │ │ │ ├── session_manager.go
│ │ │ │ ├── session_manager_test.go
│ │ │ │ └── telemetry_test.go
│ │ │ ├── status.go
│ │ │ ├── status_reporting.go
│ │ │ ├── status_reporting_test.go
│ │ │ ├── status_test.go
│ │ │ ├── telemetry.go
│ │ │ ├── telemetry_integration_test.go
│ │ │ ├── telemetry_test.go
│ │ │ ├── testfactory_test.go
│ │ │ ├── testutil_test.go
│ │ │ ├── workflow_converter.go
│ │ │ ├── workflow_converter_test.go
│ │ │ └── write_timeout_integration_test.go
│ │ ├── session/
│ │ │ ├── admission.go
│ │ │ ├── admission_test.go
│ │ │ ├── connector_integration_test.go
│ │ │ ├── decorating_factory.go
│ │ │ ├── decorating_factory_test.go
│ │ │ ├── default_session.go
│ │ │ ├── default_session_test.go
│ │ │ ├── factory.go
│ │ │ ├── factory_metadata_test.go
│ │ │ ├── internal/
│ │ │ │ ├── backend/
│ │ │ │ │ ├── mcp_session.go
│ │ │ │ │ ├── mcp_session_test.go
│ │ │ │ │ ├── roundtripper_test.go
│ │ │ │ │ └── session.go
│ │ │ │ └── security/
│ │ │ │ ├── hijack_prevention_test.go
│ │ │ │ ├── restore_test.go
│ │ │ │ ├── security.go
│ │ │ │ └── security_test.go
│ │ │ ├── mocks/
│ │ │ │ └── mock_factory.go
│ │ │ ├── optimizerdec/
│ │ │ │ ├── decorator.go
│ │ │ │ └── decorator_test.go
│ │ │ ├── session.go
│ │ │ ├── token_binding_test.go
│ │ │ └── types/
│ │ │ ├── mocks/
│ │ │ │ └── mock_session.go
│ │ │ └── session.go
│ │ ├── status/
│ │ │ ├── doc.go
│ │ │ ├── factory.go
│ │ │ ├── factory_test.go
│ │ │ ├── helpers.go
│ │ │ ├── k8s_reporter.go
│ │ │ ├── k8s_reporter_test.go
│ │ │ ├── logging_reporter.go
│ │ │ ├── logging_reporter_test.go
│ │ │ └── reporter.go
│ │ ├── types.go
│ │ ├── types_test.go
│ │ └── workloads/
│ │ ├── discoverer.go
│ │ ├── k8s.go
│ │ ├── k8s_test.go
│ │ └── mocks/
│ │ └── mock_discoverer.go
│ ├── webhook/
│ │ ├── client.go
│ │ ├── client_test.go
│ │ ├── config.go
│ │ ├── config_test.go
│ │ ├── errors.go
│ │ ├── errors_test.go
│ │ ├── mutating/
│ │ │ ├── config.go
│ │ │ ├── middleware.go
│ │ │ ├── middleware_test.go
│ │ │ ├── patch.go
│ │ │ └── patch_test.go
│ │ ├── signing.go
│ │ ├── signing_test.go
│ │ ├── types.go
│ │ ├── types_test.go
│ │ └── validating/
│ │ ├── config.go
│ │ ├── middleware.go
│ │ └── middleware_test.go
│ └── workloads/
│ ├── discoverer_adapter.go
│ ├── discoverer_adapter_test.go
│ ├── filter.go
│ ├── filter_test.go
│ ├── manager.go
│ ├── manager_test.go
│ ├── mocks/
│ │ └── mock_manager.go
│ ├── statuses/
│ │ ├── file_status.go
│ │ ├── file_status_test.go
│ │ ├── mocks/
│ │ │ └── mock_status_manager.go
│ │ ├── noop.go
│ │ ├── pid.go
│ │ ├── pid_test.go
│ │ ├── status.go
│ │ └── status_test.go
│ ├── sysproc_unix.go
│ ├── sysproc_windows.go
│ └── types/
│ ├── effective_transport_test.go
│ ├── errors/
│ │ └── errors.go
│ ├── labels.go
│ ├── labels_test.go
│ ├── types.go
│ ├── validate.go
│ ├── validate_test.go
│ └── workload_test.go
├── renovate.json
├── skills/
│ └── toolhive-cli-user/
│ ├── SKILL.md
│ └── references/
│ ├── COMMANDS.md
│ └── EXAMPLES.md
└── test/
├── e2e/
│ ├── README.md
│ ├── api_clients_test.go
│ ├── api_clients_validation_test.go
│ ├── api_discovery_test.go
│ ├── api_groups_test.go
│ ├── api_healthcheck_test.go
│ ├── api_helpers.go
│ ├── api_registry_test.go
│ ├── api_secrets_test.go
│ ├── api_skills_git_test.go
│ ├── api_skills_test.go
│ ├── api_version_test.go
│ ├── api_workload_lifecycle_test.go
│ ├── api_workloads_test.go
│ ├── audit_middleware_e2e_test.go
│ ├── chainsaw/
│ │ └── operator/
│ │ ├── multi-tenancy/
│ │ │ ├── cleanup/
│ │ │ │ ├── assert-crd.yaml
│ │ │ │ ├── assert-operator-ready.yaml
│ │ │ │ └── chainsaw-test.yaml
│ │ │ ├── setup/
│ │ │ │ ├── assert-crd.yaml
│ │ │ │ ├── assert-operator-ready.yaml
│ │ │ │ ├── assert-rbac-clusterrole.yaml
│ │ │ │ ├── assert-rbac-rolebinding-ns-1.yaml
│ │ │ │ ├── assert-rbac-rolebinding-ns-2.yaml
│ │ │ │ ├── assert-rbac-serviceaccount.yaml
│ │ │ │ ├── chainsaw-test.yaml
│ │ │ │ └── namespace.yaml
│ │ │ └── test-scenarios/
│ │ │ ├── common/
│ │ │ │ ├── assert-proxy-svc-loadbalancer-ip.yaml
│ │ │ │ ├── proxy-svc-loadbalancer.yaml
│ │ │ │ ├── proxyrunner-role.yaml
│ │ │ │ ├── proxyrunner-rolebinding.yaml
│ │ │ │ └── proxyrunner-serviceaccount.yaml
│ │ │ ├── embeddingserver/
│ │ │ │ ├── assert-deployment-ns1-running.yaml
│ │ │ │ ├── assert-deployment-ns2-running.yaml
│ │ │ │ ├── assert-embeddingserver-ns1-running.yaml
│ │ │ │ ├── assert-embeddingserver-ns2-running.yaml
│ │ │ │ ├── assert-service-ns1-created.yaml
│ │ │ │ ├── assert-service-ns2-created.yaml
│ │ │ │ ├── chainsaw-test.yaml
│ │ │ │ ├── embeddingserver-ns1.yaml
│ │ │ │ ├── embeddingserver-ns2.yaml
│ │ │ │ ├── namespace-1.yaml
│ │ │ │ └── namespace-2.yaml
│ │ │ ├── sse/
│ │ │ │ ├── assert-mcpserver-headless-svc.yaml
│ │ │ │ ├── assert-mcpserver-pod-running.yaml
│ │ │ │ ├── assert-mcpserver-proxy-runner-running.yaml
│ │ │ │ ├── assert-mcpserver-proxy-runner-svc.yaml
│ │ │ │ ├── assert-mcpserver-running.yaml
│ │ │ │ ├── assert-mcpserver-svc.yaml
│ │ │ │ ├── chainsaw-test.yaml
│ │ │ │ └── mcpserver.yaml
│ │ │ ├── stdio/
│ │ │ │ ├── assert-mcpserver-pod-running.yaml
│ │ │ │ ├── assert-mcpserver-proxy-runner-running.yaml
│ │ │ │ ├── assert-mcpserver-proxy-runner-svc.yaml
│ │ │ │ ├── assert-mcpserver-running.yaml
│ │ │ │ ├── chainsaw-test.yaml
│ │ │ │ └── mcpserver.yaml
│ │ │ ├── stdio-streamable-http/
│ │ │ │ ├── assert-mcpserver-pod-running.yaml
│ │ │ │ ├── assert-mcpserver-proxy-runner-running.yaml
│ │ │ │ ├── assert-mcpserver-proxy-runner-svc.yaml
│ │ │ │ ├── assert-mcpserver-running.yaml
│ │ │ │ ├── chainsaw-test.yaml
│ │ │ │ └── mcpserver.yaml
│ │ │ └── streamable-http/
│ │ │ ├── assert-mcpserver-headless-svc.yaml
│ │ │ ├── assert-mcpserver-pod-running.yaml
│ │ │ ├── assert-mcpserver-proxy-runner-running.yaml
│ │ │ ├── assert-mcpserver-proxy-runner-svc.yaml
│ │ │ ├── assert-mcpserver-running.yaml
│ │ │ ├── assert-mcpserver-svc.yaml
│ │ │ ├── chainsaw-test.yaml
│ │ │ └── mcpserver.yaml
│ │ ├── single-tenancy/
│ │ │ ├── cleanup/
│ │ │ │ ├── assert-crd.yaml
│ │ │ │ ├── assert-operator-ready.yaml
│ │ │ │ └── chainsaw-test.yaml
│ │ │ ├── setup/
│ │ │ │ ├── assert-crd.yaml
│ │ │ │ ├── assert-operator-ready.yaml
│ │ │ │ ├── assert-rbac-clusterrole.yaml
│ │ │ │ ├── assert-rbac-clusterrolebinding.yaml
│ │ │ │ ├── assert-rbac-serviceaccount.yaml
│ │ │ │ └── chainsaw-test.yaml
│ │ │ └── test-scenarios/
│ │ │ ├── common/
│ │ │ │ ├── assert-proxy-svc-loadbalancer-ip.yaml
│ │ │ │ ├── proxy-svc-loadbalancer.yaml
│ │ │ │ ├── proxyrunner-role.yaml
│ │ │ │ ├── proxyrunner-rolebinding.yaml
│ │ │ │ └── proxyrunner-serviceaccount.yaml
│ │ │ ├── embeddingserver/
│ │ │ │ ├── basic/
│ │ │ │ │ ├── assert-deployment-running.yaml
│ │ │ │ │ ├── assert-embeddingserver-running.yaml
│ │ │ │ │ ├── assert-service-created.yaml
│ │ │ │ │ ├── chainsaw-test.yaml
│ │ │ │ │ └── embeddingserver.yaml
│ │ │ │ ├── lifecycle/
│ │ │ │ │ ├── assert-deployment-running.yaml
│ │ │ │ │ ├── assert-deployment-scaled.yaml
│ │ │ │ │ ├── assert-embeddingserver-running.yaml
│ │ │ │ │ ├── assert-embeddingserver-scaled.yaml
│ │ │ │ │ ├── assert-service-created.yaml
│ │ │ │ │ ├── chainsaw-test.yaml
│ │ │ │ │ ├── embeddingserver-initial.yaml
│ │ │ │ │ ├── embeddingserver-scaled.yaml
│ │ │ │ │ └── embeddingserver-updated-env.yaml
│ │ │ │ └── with-cache/
│ │ │ │ ├── assert-deployment-running.yaml
│ │ │ │ ├── assert-embeddingserver-running.yaml
│ │ │ │ ├── assert-pvc-created.yaml
│ │ │ │ ├── assert-service-created.yaml
│ │ │ │ ├── chainsaw-test.yaml
│ │ │ │ └── embeddingserver.yaml
│ │ │ ├── pod-annotations/
│ │ │ │ ├── assert-mcpserver-pod-running.yaml
│ │ │ │ ├── assert-mcpserver-proxy-runner-running.yaml
│ │ │ │ ├── assert-mcpserver-running.yaml
│ │ │ │ ├── assert-pod-annotations.yaml
│ │ │ │ ├── chainsaw-test.yaml
│ │ │ │ └── mcpserver.yaml
│ │ │ ├── sse/
│ │ │ │ ├── assert-mcpserver-headless-svc.yaml
│ │ │ │ ├── assert-mcpserver-pod-running.yaml
│ │ │ │ ├── assert-mcpserver-proxy-runner-running.yaml
│ │ │ │ ├── assert-mcpserver-proxy-runner-svc.yaml
│ │ │ │ ├── assert-mcpserver-running.yaml
│ │ │ │ ├── assert-mcpserver-svc.yaml
│ │ │ │ ├── chainsaw-test.yaml
│ │ │ │ ├── mcpserver.yaml
│ │ │ │ └── serviceaccount.yaml
│ │ │ ├── stdio/
│ │ │ │ ├── assert-mcpserver-pod-running.yaml
│ │ │ │ ├── assert-mcpserver-proxy-runner-running.yaml
│ │ │ │ ├── assert-mcpserver-proxy-runner-svc.yaml
│ │ │ │ ├── assert-mcpserver-running.yaml
│ │ │ │ ├── chainsaw-test.yaml
│ │ │ │ └── mcpserver.yaml
│ │ │ ├── stdio-streamable-http/
│ │ │ │ ├── assert-mcpserver-pod-running.yaml
│ │ │ │ ├── assert-mcpserver-proxy-runner-running.yaml
│ │ │ │ ├── assert-mcpserver-proxy-runner-svc.yaml
│ │ │ │ ├── assert-mcpserver-running.yaml
│ │ │ │ ├── chainsaw-test.yaml
│ │ │ │ └── mcpserver.yaml
│ │ │ ├── streamable-http/
│ │ │ │ ├── assert-mcpserver-headless-svc.yaml
│ │ │ │ ├── assert-mcpserver-pod-running.yaml
│ │ │ │ ├── assert-mcpserver-proxy-runner-running.yaml
│ │ │ │ ├── assert-mcpserver-proxy-runner-svc.yaml
│ │ │ │ ├── assert-mcpserver-running.yaml
│ │ │ │ ├── assert-mcpserver-svc.yaml
│ │ │ │ ├── chainsaw-test.yaml
│ │ │ │ └── mcpserver.yaml
│ │ │ └── vmcp/
│ │ │ ├── assert-oidc-security.yaml
│ │ │ ├── assert-vmcp-configmap.yaml
│ │ │ ├── assert-vmcp-deployment.yaml
│ │ │ ├── assert-vmcp-service.yaml
│ │ │ ├── assert-vmcp-status-ready.yaml
│ │ │ ├── audit-chainsaw-test.yaml
│ │ │ ├── basic/
│ │ │ │ └── chainsaw-test.yaml
│ │ │ ├── chainsaw-test.yaml
│ │ │ ├── controller-chainsaw-test.yaml
│ │ │ ├── mcpgroup-controller.yaml
│ │ │ ├── oidc-client-secret.yaml
│ │ │ ├── vmcp-controller.yaml
│ │ │ ├── vmcp-oidc-config.yaml
│ │ │ └── vmcp-with-oidc.yaml
│ │ └── validation/
│ │ ├── mcpexternalauthconfig/
│ │ │ └── chainsaw-test.yaml
│ │ └── virtualmcpserver/
│ │ └── chainsaw-test.yaml
│ ├── cimd_auth_helpers_test.go
│ ├── cimd_auth_test.go
│ ├── cli_llm_all_clients_test.go
│ ├── cli_llm_config_test.go
│ ├── cli_llm_setup_test.go
│ ├── cli_registry_convert_test.go
│ ├── cli_secrets_scoped_test.go
│ ├── cli_skills_test.go
│ ├── client_test.go
│ ├── desktop_validation_test.go
│ ├── e2e_suite_test.go
│ ├── export_test.go
│ ├── fetch_mcp_server_test.go
│ ├── group_list_e2e_test.go
│ ├── group_rm_test.go
│ ├── group_test.go
│ ├── health_check_zombie_test.go
│ ├── helpers.go
│ ├── http_pdp_authz_test.go
│ ├── images/
│ │ └── images.go
│ ├── inspector_autocleanup_test.go
│ ├── inspector_test.go
│ ├── list_group_e2e_test.go
│ ├── llm_gateway_mock.go
│ ├── mcp_client_helpers.go
│ ├── network_isolation_test.go
│ ├── oidc_mock.go
│ ├── osv_authz_test.go
│ ├── osv_mcp_server_test.go
│ ├── osv_streamable_http_mcp_server_test.go
│ ├── protocol_builds_e2e_test.go
│ ├── proxy_oauth_test.go
│ ├── proxy_stdio_test.go
│ ├── proxy_tunnel_e2e_test.go
│ ├── proxyrunner_graceful_shutdown_test.go
│ ├── remote_mcp_query_params_test.go
│ ├── remote_mcp_server_test.go
│ ├── restart_test.go
│ ├── restart_zombie_test.go
│ ├── rm_group_test.go
│ ├── run_tests.bat
│ ├── run_tests.sh
│ ├── sse_endpoint_rewrite_test.go
│ ├── stateless_proxy_test.go
│ ├── status_test.go
│ ├── stdio_proxy_over_streamable_http_mcp_server_test.go
│ ├── telemetry_metrics_validation_e2e_test.go
│ ├── telemetry_middleware_e2e_test.go
│ ├── thv-operator/
│ │ ├── acceptance_tests/
│ │ │ ├── helpers.go
│ │ │ ├── ratelimit_test.go
│ │ │ └── suite_test.go
│ │ ├── kind-config.yaml
│ │ ├── testutil/
│ │ │ ├── k8s.go
│ │ │ └── oidc.go
│ │ └── virtualmcp/
│ │ ├── README.md
│ │ ├── helpers.go
│ │ ├── mcpserver_scaling_test.go
│ │ ├── suite_test.go
│ │ ├── virtualmcp_aggregation_filtering_test.go
│ │ ├── virtualmcp_aggregation_overrides_test.go
│ │ ├── virtualmcp_auth_discovery_test.go
│ │ ├── virtualmcp_authserver_config_test.go
│ │ ├── virtualmcp_circuit_breaker_test.go
│ │ ├── virtualmcp_composite_defaultresults_test.go
│ │ ├── virtualmcp_composite_hidden_tools_test.go
│ │ ├── virtualmcp_composite_parallel_test.go
│ │ ├── virtualmcp_composite_referenced_test.go
│ │ ├── virtualmcp_composite_sequential_test.go
│ │ ├── virtualmcp_composite_validation_test.go
│ │ ├── virtualmcp_conflict_resolution_test.go
│ │ ├── virtualmcp_discovered_mode_test.go
│ │ ├── virtualmcp_excludeall_global_test.go
│ │ ├── virtualmcp_external_auth_test.go
│ │ ├── virtualmcp_optimizer_circuit_breaker_test.go
│ │ ├── virtualmcp_optimizer_composite_test.go
│ │ ├── virtualmcp_optimizer_multibackend_test.go
│ │ ├── virtualmcp_optimizer_test.go
│ │ ├── virtualmcp_redis_session_test.go
│ │ ├── virtualmcp_session_management_test.go
│ │ ├── virtualmcp_telemetry_test.go
│ │ ├── virtualmcp_toolconfig_test.go
│ │ ├── virtualmcp_yardstick_base_test.go
│ │ ├── virtualmcpserver_scaling_test.go
│ │ └── wait_for_tools_helpers.go
│ ├── thvignore_test.go
│ ├── unhealthy_workload_test.go
│ ├── vmcp_cli_features_test.go
│ ├── vmcp_cli_helpers_test.go
│ ├── vmcp_cli_test.go
│ ├── vmcp_infra_features_test.go
│ └── vmcp_optimizer_test.go
├── integration/
│ ├── authserver/
│ │ ├── authserver_integration_test.go
│ │ ├── helpers/
│ │ │ ├── authserver.go
│ │ │ ├── http_client.go
│ │ │ └── mock_upstream.go
│ │ └── runner_integration_test.go
│ └── vmcp/
│ ├── helpers/
│ │ ├── backend.go
│ │ ├── helpers_test.go
│ │ ├── mcp_client.go
│ │ └── vmcp_server.go
│ ├── vmcp_integration_test.go
│ └── vmcp_typing_integration_test.go
└── testkit/
├── sse_server.go
├── streamable_server.go
├── testkit.go
└── testkit_test.go
================================================
FILE CONTENTS
================================================
================================================
FILE: .chainsaw.yaml
================================================
apiVersion: chainsaw.kyverno.io/v1alpha1
kind: Configuration
metadata:
name: default
spec:
timeouts:
apply: 30s
assert: 90s
error: 90s
parallel: 1
fullName: true
failFast: true
excludeTestRegex: '_.+'
forceTerminationGracePeriod: 5s
delayBeforeCleanup: 3s
template: false
================================================
FILE: .claude/agents/bug-triage.md
================================================
---
name: bug-triage
description: Triages GitHub issues by investigating whether they've been resolved in the codebase, recommending closures, and helping craft polite closure messages. Use when doing bug triage sessions or cleaning up stale issues.
tools: [Read, Glob, Grep, Bash]
model: inherit
---
# Bug Triage Agent
You specialize in reviewing GitHub issues, investigating their status in the codebase, and recommending actions.
## When to Invoke
Invoke when: Doing bug triage sessions, reviewing stale issues, investigating if an issue has been fixed, cleaning up the backlog.
Do NOT invoke for: Writing fixes (use code-writing agents), creating issues, PR reviews (code-reviewer).
## GitHub Access
Use the `gh` CLI (via Bash) to read, comment on, and close issues.
## Investigation Workflow
1. **Receive issue** from parent
2. **Search codebase** for affected code paths, commits, test cases
3. **Categorize** into outcome:
| Category | Criteria | Action |
|----------|----------|--------|
| **FIXED** | Bug was fixed, code resolves it | Close "completed", explain fix |
| **IMPLEMENTED** | Feature/enhancement was built | Close "completed", point to implementation |
| **WON'T DO** | Bandwidth/direction/low demand | Close "not_planned", polite explanation |
| **SUPERSEDED** | Replaced by different approach | Close "not_planned", explain alternative |
| **STILL VALID** | Unresolved | Leave open, add context |
| **NEEDS INFO** | Can't determine status | Comment asking for clarification |
## Output Format
```markdown
## Issue #NNN: [Title]
**Status:** [FIXED | IMPLEMENTED | WON'T DO | SUPERSEDED | STILL VALID | NEEDS INFO]
**Evidence:** [What you found, file paths, commits]
**Recommendation:** [Specific action]
**Suggested Comment:** [Draft message if closing]
```
## Closure Comment Tone
- Friendly and genuine, not corporate
- Honest about reasoning
- Appreciative of the reporter
- Open to revisiting when appropriate
**For FIXED:** Explain what was changed, thank for reporting.
**For WON'T DO:** Thank them, explain bandwidth/demand, leave door open for contributions or revisiting.
**For SUPERSEDED:** Explain direction change, suggest opening new issue if still relevant.
================================================
FILE: .claude/agents/code-reviewer.md
================================================
---
name: code-reviewer
description: Reviews code for ToolHive best practices, security patterns, Go conventions, and architectural consistency
tools: [Read, Glob, Grep]
model: inherit
color: yellow
---
# Code Reviewer Agent
You are a specialized code reviewer for the ToolHive project, ensuring code quality, security, and adherence to project conventions.
## When to Invoke
Invoke when: Reviewing PRs/changes, security audits, verifying Go best practices, checking test coverage.
Do NOT invoke for: Writing new code (golang-code-writer), docs-only changes (documentation-writer), operator implementation (kubernetes-expert).
## Review Checklist
### Code Organization
- [ ] Follows conventions in `.claude/rules/go-style.md`
### Issue Resolution
- [ ] PR fully addresses linked issues ("fixes", "closes", "resolves")
- [ ] PR partially addresses referenced issues ("ref", "relates to")
### Go Conventions
- [ ] Idiomatic style and naming
- [ ] Proper error handling (no ignored errors)
- [ ] Appropriate context.Context usage
- [ ] Resource cleanup (defer, Close())
### Security
- [ ] Secrets not hardcoded or logged
- [ ] Input validation and sanitization
- [ ] No credential exposure in errors or logs
- [ ] Cedar authorization correctly applied
### Testing
- [ ] Follows conventions in `.claude/rules/testing.md`
- [ ] Both success and failure paths tested
### vMCP Code (for `pkg/vmcp/` and `cmd/vmcp/`)
When reviewing changes that touch vMCP code, also run the `/vmcp-review` skill to check for vMCP-specific anti-patterns in addition to the standard review checklist above.
### Backwards Compatibility
- [ ] Changes won't break existing users
- [ ] API/CLI changes maintain compatibility or include deprecation warnings
- [ ] Breaking changes documented in PR description
## Review Process
1. **Understand the change**: Read code and its purpose
2. **Check conventions**: ToolHive and Go conventions
3. **Security review**: Look for security implications
4. **Test coverage**: Ensure appropriate tests exist
5. **Provide feedback**: Be specific, constructive, reference file paths
## Output Format
- **Required changes**: Must be fixed before merge
- **Suggestions**: Nice-to-have improvements
- **Questions**: Clarifications needed
## Related Skills
- **`/pr-review`**: Submit inline review comments or reply to/resolve review threads on GitHub PRs
================================================
FILE: .claude/agents/documentation-writer.md
================================================
---
name: documentation-writer
description: Maintains consistent documentation, updates CLI docs, and ensures documentation matches code behavior
tools: [Read, Write, Edit, Glob, Grep, Bash]
permissionMode: acceptEdits
model: inherit
---
# Documentation Writer Agent
You are a specialized documentation writer for the ToolHive project, ensuring clear, accurate, and consistent documentation.
## When to Invoke
Invoke when: Updating docs after code changes, generating CLI docs, writing architecture/design docs, fixing doc inconsistencies.
Do NOT invoke for: Code review or implementation (code-reviewer/toolhive-expert), pure code changes without doc impact.
## Documentation Types
**CLI Documentation** (`docs/`): Generated with `task docs` from Cobra commands. Include usage examples and flag documentation.
**Code Documentation**: Godoc comments for all public APIs. Format: `// FunctionName does X and returns Y`. Explain "why" not just "what".
**Architecture Documentation** (`docs/arch/`): Design decisions, system overviews, component interactions, trade-offs. See `docs/arch/README.md`.
## Style Guidelines
- Clear, active voice with concise sentences
- Concrete examples with code blocks and syntax highlighting
- Imperative mood for commit messages
- Include both "what" and "why" in explanations
- Cross-reference related documentation
## Key Files
- `README.md`: Project overview and quick start
- `CLAUDE.md`: Developer guidance for Claude Code
- `CONTRIBUTING.md`: Commit format and contribution guidelines
- `cmd/thv-operator/DESIGN.md`: Operator design decisions
## Process
1. Read code changes to understand new behavior
2. Identify documentation gaps
3. Check existing docs for related content to update
4. Write clearly with examples
5. Run `task docs` if command definitions changed
## Important Notes
- Follow commit guidelines in `CLAUDE.md`
- Prefer updating existing docs over creating new files
- Keep examples up-to-date with current API
## Related Skills
- **`/doc-review`**: Fact-check documentation for accuracy against the codebase
================================================
FILE: .claude/agents/golang-code-writer.md
================================================
---
name: golang-code-writer
description: Write, generate, or create new Go code — functions, structs, interfaces, methods, or complete packages
tools: [Read, Write, Edit, Glob, Grep, Bash]
permissionMode: acceptEdits
model: inherit
color: blue
---
# Go Code Writer Agent
You are an expert Go developer specializing in clean, efficient, idiomatic Go code.
## When to Invoke
Invoke when: Writing new Go functions, structs, interfaces, methods, packages, or scaffolding.
Do NOT invoke for: Writing tests (unit-test-writer), reviewing code (code-reviewer), architecture decisions (tech-lead-orchestrator), docs (documentation-writer).
## File Modification Rules
**CRITICAL: Always prefer editing existing files over creating new ones.**
- **Use the Edit tool** to modify existing files in place. NEVER create copies with `_new.go`, `_v2.go`, or similar suffixes.
- **Use the Write tool** ONLY when creating genuinely new files that don't exist yet.
- **Read before editing**: Always use the Read tool to examine a file's current content before modifying it.
- If you need to add a function to an existing package, edit the appropriate existing file — do NOT create a new file unless the change warrants a new file for organizational reasons (e.g., a new logical grouping).
## ToolHive Code Conventions
Follow Go style, error handling, logging, and testing conventions defined in `.claude/rules/go-style.md`, `.claude/rules/testing.md`, and `.claude/rules/cli-commands.md`. These rules are auto-loaded when touching matching files.
## Output
- Provide complete, runnable code with imports
- Examine existing code patterns before writing new code
- Brief explanations for complex logic or design decisions
## Coordinating with Other Agents
- **unit-test-writer**: For tests alongside new code
- **code-reviewer**: For reviewing completed code
- **tech-lead-orchestrator**: For architectural decisions
- **toolhive-expert**: For understanding existing patterns
================================================
FILE: .claude/agents/kubernetes-expert.md
================================================
---
name: kubernetes-expert
description: Specialized in Kubernetes operator patterns, CRDs, controllers, and cloud-native architecture for ToolHive
tools: [Read, Write, Edit, Glob, Grep, Bash, WebFetch]
model: inherit
color: blue
---
# Kubernetes Expert Agent
You are a specialized expert in Kubernetes operator patterns, CRDs, and controllers for the ToolHive project.
## When to Invoke
Invoke when:
- Working on the ToolHive Kubernetes operator
- Designing or modifying CRDs (MCPServer, MCPRegistry, etc.)
- Implementing controller reconciliation logic
- Making CRD attributes vs PodTemplateSpec decisions
Defer to: toolhive-expert (non-K8s container code), oauth-expert (auth details), code-reviewer (general review).
## Your Expertise
- Kubernetes operators, controllers, reconciliation loops, watch mechanisms
- CRDs: API design, schema validation, status conditions, subresources
- controller-runtime: Kubebuilder patterns, manager setup, client usage
- RBAC, pod security, resource management, leader election
- Testing: envtest, Chainsaw e2e tests
## Key Patterns
### Reconciliation Structure
```go
func (r *Reconciler) Reconcile(ctx context.Context, req ctrl.Request) (ctrl.Result, error) {
// 1. Fetch resource (handle IsNotFound → return nil)
// 2. Handle deletion (check finalizers)
// 3. Validate spec (don't requeue invalid specs)
// 4. Create/update dependent resources
// 5. Update status (separate call: r.Status().Update())
// 6. Return result
}
```
### Common Pitfalls
- **Status is a subresource**: Use `r.Status().Update()`, not `r.Update()`
- **Finalizers**: Check `DeletionTimestamp.IsZero()` before processing; remove only after cleanup
- **Tight requeue loops**: Use `RequeueAfter: 30*time.Second`, not `Requeue: true` for polling
- **Owner references**: Use `controllerutil.SetControllerReference()` — can't cross namespaces
- **RBAC markers**: Add `+kubebuilder:rbac` for all resource accesses; use plural form
- **Breaking API changes**: Use new API version (v1alpha2) for incompatible changes
## Development Commands
See `.claude/rules/operator.md` for the full list of operator `task` commands.
## Resources
- Design decisions: `cmd/thv-operator/DESIGN.md`
- API Conventions: https://kubernetes.io/docs/reference/using-api/api-concepts/
- Kubebuilder Book: https://book.kubebuilder.io/
- controller-runtime: https://github.com/kubernetes-sigs/controller-runtime
## Your Approach
1. Read CRD types first to understand the API before implementation
2. Check `cmd/thv-operator/DESIGN.md` for established design principles
3. Review existing controllers for consistency
4. Test thoroughly: unit, integration (envtest), e2e (Chainsaw)
5. Consider backward compatibility for CRD changes
## Coordinating with Other Agents
- **oauth-expert**: OAuth/OIDC configuration in MCPExternalAuthConfig CRD
- **mcp-protocol-expert**: MCP server configuration and transport setup
- **toolhive-expert**: Non-K8s container runtime or general architecture
- **code-reviewer**: Final review of controller implementation
## Related Skills
- **`/deploying-vmcp-locally`**: Step-by-step guide for deploying and testing VirtualMCPServer in a local Kind cluster
- **`/check-contribution`**: Validate operator chart contribution practices (helm template, linting, docs, version bump) before committing
================================================
FILE: .claude/agents/mcp-protocol-expert.md
================================================
---
name: mcp-protocol-expert
description: "PROACTIVELY use for MCP protocol questions, transport implementations, JSON-RPC debugging, and spec compliance verification. Expert in MCP 2025-11-25 specification."
tools: [Read, Write, Edit, Glob, Grep, WebFetch]
model: inherit
---
# MCP Protocol Expert Agent
You are a specialized expert in the Model Context Protocol (MCP) specification and its implementation in ToolHive. Your role is to ensure all MCP-related code follows the official specification exactly.
## When to Invoke
**PROACTIVELY invoke when working on:**
- MCP transport protocols (stdio, Streamable HTTP, SSE)
- JSON-RPC message parsing, formatting, or debugging
- MCP server lifecycle (initialization, operation, shutdown)
- Capability negotiation, tasks, elicitation, or sampling
- Any code in `pkg/transport/`, `pkg/mcp/`, or `pkg/vmcp/`
Defer to: oauth-expert (OAuth/OIDC), kubernetes-expert (K8s operator), toolhive-expert (general architecture).
## Critical: Always Fetch Latest Spec
**Before providing MCP protocol guidance, ALWAYS use WebFetch to retrieve the relevant spec page.** MCP is actively evolving — the spec is the single source of truth.
### Spec URLs (2025-11-25)
- Main: https://modelcontextprotocol.io/specification/2025-11-25
- Transports: https://modelcontextprotocol.io/specification/2025-11-25/basic/transports
- Lifecycle: https://modelcontextprotocol.io/specification/2025-11-25/basic/lifecycle
- Authorization: https://modelcontextprotocol.io/specification/2025-11-25/basic/authorization
- Security: https://modelcontextprotocol.io/specification/2025-11-25/basic/security_best_practices
- Tasks: https://modelcontextprotocol.io/specification/2025-11-25/basic/utilities/tasks
- Tools: https://modelcontextprotocol.io/specification/2025-11-25/server/tools
- Elicitation: https://modelcontextprotocol.io/specification/2025-11-25/client/elicitation
- MCP Auth Extensions: https://modelcontextprotocol.io/extensions/auth/overview
- Schema: https://modelcontextprotocol.io/specification/2025-11-25/schema
Check for newer spec versions — the date in the URL indicates version.
### Workflow
1. Use WebFetch to retrieve the relevant spec page
2. Cross-reference fetched spec with ToolHive's implementation
3. Provide guidance based on the latest spec
4. Explicitly note any discrepancies between spec and implementation
## Your Expertise
- **MCP Specification**: Authoritative protocol definition and compliance
- **Transport protocols**: stdio (preferred), Streamable HTTP, SSE (deprecated)
- **JSON-RPC 2.0**: Message format, request/response/notification patterns
- **Protocol lifecycle**: Initialization, capability negotiation, operation, shutdown
- **Tasks & Elicitation**: Long-running operations and user input collection (new in 2025-11-25)
- **Authorization**: OAuth 2.1, RFC 9728, RFC 8707, Client ID Metadata Documents
## Key ToolHive Files
- `pkg/transport/types/transport.go`: Transport interface definitions
- `pkg/transport/stdio.go`: stdio transport
- `pkg/transport/http.go`: HTTP transport
- `pkg/transport/proxy/streamable/`: Streamable HTTP proxy
- `pkg/transport/session/`: Session management
- `pkg/mcp/parser.go`: MCP JSON-RPC message parsing
## Your Approach
1. **Fetch latest spec first** before answering any protocol question
2. **Verify spec compliance** of ToolHive's implementation
3. **Be explicit about discrepancies** between spec and implementation
4. **Help with transport selection**: stdio for local, Streamable HTTP for networked
5. **Protocol debugging**: Analyze JSON-RPC exchanges against spec requirements
<critical_behaviors>
1. Fetch before answering — always use WebFetch for relevant spec pages
2. Spec is authoritative — if conflict with this doc, the fetched spec wins
3. Check for newer versions — look for dates newer than 2025-11-25
4. Call out discrepancies explicitly when ToolHive differs from spec
</critical_behaviors>
================================================
FILE: .claude/agents/oauth-expert.md
================================================
---
name: oauth-expert
description: Specialized in OAuth 2.0, OIDC, token exchange, and authentication flows for ToolHive
tools: [Read, Write, Edit, Glob, Grep, Bash, WebFetch]
model: inherit
---
# OAuth Standards Expert Agent
You are a specialized expert in OAuth 2.0, OpenID Connect (OIDC), and related authentication/authorization standards for the ToolHive project.
## When to Invoke
Invoke when:
- Implementing or debugging OAuth/OIDC flows
- Working on token exchange (RFC 8693)
- Validating JWT tokens or configuring authentication
- Troubleshooting auth middleware
- Designing auth/authz for new features
Defer to: code-reviewer (general review), toolhive-expert (non-auth code), mcp-protocol-expert (MCP protocol).
## Critical: Always Verify Standards
Before providing guidance on OAuth/OIDC details, use WebFetch to verify RFC or spec details.
### Key Resources
- RFC 6749 (OAuth 2.0): https://datatracker.ietf.org/doc/html/rfc6749
- RFC 8693 (Token Exchange): https://datatracker.ietf.org/doc/html/rfc8693
- RFC 7636 (PKCE): https://datatracker.ietf.org/doc/html/rfc7636
- RFC 9728 (Protected Resource Metadata): https://datatracker.ietf.org/doc/html/rfc9728
- RFC 8707 (Resource Indicators): https://datatracker.ietf.org/doc/html/rfc8707
- OIDC Core: https://openid.net/specs/openid-connect-core-1_0.html
- MCP Auth: https://modelcontextprotocol.io/specification/2025-11-25/basic/authorization
## Your Expertise
- **OAuth 2.0/2.1**: All grant types, token flows, client authentication
- **OIDC**: ID tokens, UserInfo, discovery documents
- **Token Exchange (RFC 8693)**: Impersonation, delegation, actor tokens
- **Security**: PKCE, state parameters, nonce, token binding
- **MCP Auth**: Protected Resource Metadata (RFC 9728), Resource Indicators (RFC 8707), Client ID Metadata Documents
## Key ToolHive Auth Files
- `pkg/auth/token.go`: JWT parsing, validation, claims extraction
- `pkg/auth/middleware.go`: HTTP authentication middleware
- `pkg/auth/oauth/`: OAuth 2.0 and OIDC client implementations
- `pkg/auth/tokenexchange/`: RFC 8693 token exchange
- `pkg/auth/discovery/`: OAuth/OIDC discovery, RFC 9728 support
- `pkg/authserver/`: OAuth2 authorization server (Ory Fosite, PKCE, JWT/JWKS)
## MCP Authorization Model (2025-11-25)
### Client Registration Priority
1. Pre-registered credentials
2. Client ID Metadata Documents (PREFERRED — not yet implemented in ToolHive)
3. Dynamic Client Registration (current ToolHive approach)
4. User prompt (last resort)
### Required Security Measures
- **PKCE**: MUST use with S256 code challenge method
- **Resource Parameter**: MUST include RFC 8707 resource indicator
- **Audience Validation**: Servers MUST verify tokens were issued for them
- **Token Passthrough FORBIDDEN**: Never forward client tokens upstream
## Security Checklist
- JWT validation: signature, issuer, audience, expiration, nbf, iat
- PKCE for all public clients
- Bearer tokens only in Authorization header, never in query strings
- No tokens in logs or error messages
- Refresh token rotation when possible
- State parameter for CSRF protection
## Your Approach
1. **Check standards first** — WebFetch RFC details before answering
2. **Security first** — always consider security implications
3. **Test both paths** — success and error flows
4. **Follow RFCs** — adhere to MUST/SHOULD requirements
5. **Follow logging rules** in `.claude/rules/go-style.md` (especially: never log credentials)
================================================
FILE: .claude/agents/security-advisor.md
================================================
---
name: security-advisor
description: Security guidance for code reviews, architecture decisions, auth implementations, and threat modeling
tools: [Read, Glob, Grep]
model: inherit
---
# Security Advisor Agent
You are a Senior Security Engineer specializing in secure software development, threat modeling, and security code review.
## When to Invoke
Invoke when: Reviewing auth/authz/secrets code, making security architecture decisions, evaluating dependencies, implementing data protection, assessing container security, threat modeling.
Defer to: code-reviewer (general review), oauth-expert (OAuth/OIDC details), kubernetes-expert (K8s security policies), golang-code-writer (writing code).
## ToolHive Security Model
- **Container isolation**: All MCP servers run in containers (Docker/Podman/Colima/K8s)
- **Authentication**: `pkg/auth/` (anonymous, local, OIDC, GitHub, token exchange); `pkg/authserver/` (OAuth2 server)
- **Authorization**: `pkg/authz/` (Cedar policy language)
- **Secrets**: `pkg/secrets/` (1Password, encrypted storage, environment)
- **Permissions**: `pkg/permissions/` (container permission profiles, network isolation)
- **vMCP two-boundary auth**: Incoming client auth + outgoing backend auth
## Security Review Checklist
### Authentication & Authorization
- [ ] Token validation: signature, issuer, audience, expiration
- [ ] PKCE for public OAuth clients
- [ ] Bearer tokens only in Authorization header
- [ ] Cedar policies correctly enforce access control
- [ ] No token passthrough (validate, don't forward)
### Data Protection
- [ ] No credentials/tokens/API keys in error messages or logs (see `.claude/rules/go-style.md`)
- [ ] Secrets use `pkg/secrets/` providers, not hardcoded
- [ ] Proper encryption for data at rest and in transit
### Container Security
- [ ] Container images validated with certificate checks
- [ ] Permission profiles restrict capabilities
- [ ] No unnecessary privilege escalation
### Input Validation
- [ ] User input validated at system boundaries
- [ ] No command injection, XSS, SQL injection, OWASP Top 10
### Defensive Focus
- [ ] Security analysis is defensive, not offensive
- [ ] No credential discovery/harvesting code
## Your Approach
1. Identify potential security risks and vulnerabilities
2. Assess severity and exploitation likelihood
3. Provide specific remediation steps with priority
4. Suggest preventive measures
5. Consider ToolHive's deployment context (containers, K8s)
================================================
FILE: .claude/agents/site-reliability-engineer.md
================================================
---
name: site-reliability-engineer
description: Observability and monitoring guidance — OpenTelemetry instrumentation, metrics, tracing, and monitoring stack configuration
tools: [Read, Write, Edit, Glob, Grep, Bash]
permissionMode: acceptEdits
model: inherit
---
# Site Reliability Engineer Agent
You are an OpenTelemetry and observability expert specializing in Go applications and monitoring stack integration.
## When to Invoke
Invoke when: Adding/modifying OTEL instrumentation, configuring monitoring stack, designing SLIs/SLOs, debugging telemetry, setting up health checks, reviewing observability coverage.
Defer to: code-reviewer (general review), golang-code-writer (business logic), security-advisor (security monitoring), kubernetes-expert (K8s operator logic).
## ToolHive Telemetry Architecture
### Key Packages
- **`pkg/telemetry/`**: Core infrastructure — middleware, OTEL provider setup, context propagation, exporters
- **`pkg/vmcp/server/telemetry.go`**: vMCP telemetry — MCP request/response metrics, backend routing traces, session tracking
### Instrumentation Patterns
Uses OpenTelemetry Go SDK (`go.opentelemetry.io/otel/*`):
- **Counters**: Request counts, error counts, operation totals
- **Histograms**: Request latency, operation duration
- **Gauges**: Active connections, running containers
- HTTP middleware instrumentation in `pkg/telemetry/`
- MCP operation tracing for lifecycle and container operations
### Logging Conventions
Follow logging conventions in `.claude/rules/go-style.md`.
### Multi-Component Architecture
1. **CLI (`thv`)**: Local execution, minimal telemetry
2. **Operator (`thv-operator`)**: Reconciliation metrics, controller health
3. **vMCP (`vmcp`)**: Request metrics, backend health, session tracking, auth metrics
### Monitoring Stack
Prometheus, Grafana, OTEL Collector, Jaeger. Deploy with `/deploy-otel` skill.
## Your Approach
1. Examine existing telemetry in `pkg/telemetry/` and component-specific code
2. Reference specific file paths and function names
3. Provide Go code examples using OpenTelemetry SDK
4. Consider all components (CLI, operator, vMCP)
5. Include testing strategies for validating instrumentation
================================================
FILE: .claude/agents/tech-lead-orchestrator.md
================================================
---
name: tech-lead-orchestrator
description: Architectural oversight, task breakdown, and delegation for complex multi-component features
tools: [Read, Glob, Grep, Bash]
model: inherit
---
# Tech Lead Orchestrator Agent
You are a Senior Technical Lead providing architectural oversight, task breakdown, and work coordination across specialized agents.
## When to Invoke
Invoke when: Planning complex multi-component features, making architectural decisions, breaking down large tasks, coordinating specialized agents.
Do NOT invoke for: Writing code (golang-code-writer), writing tests (unit-test-writer), reviewing files (code-reviewer), domain-specific questions (use domain agents), docs (documentation-writer).
## Responsibilities
### Architectural Oversight
- Review designs for soundness, scalability, maintainability
- Enforce ToolHive patterns: factory, interface segregation, middleware
- Enforce conventions in `.claude/rules/` (auto-loaded when touching matching files)
- Validate implementations align with system architecture
### Task Orchestration
- Break down features into well-defined, delegatable tasks
- Identify which specialized agents are best suited
- Sequence tasks to minimize dependencies
- Provide clear, actionable task descriptions
### Quality Assurance
- Define acceptance criteria for complex features
- Establish testing strategy per `.claude/rules/testing.md`
- Ensure proper error handling and observability
- Verify architecture docs updated when components change
## Agent Delegation Guide
| Task | Agent |
|------|-------|
| Write Go code | golang-code-writer |
| Write unit tests | unit-test-writer |
| Review code | code-reviewer |
| K8s/operator work | kubernetes-expert |
| OAuth/OIDC | oauth-expert |
| MCP protocol | mcp-protocol-expert |
| Security guidance | security-advisor |
| Observability | site-reliability-engineer |
| Documentation | documentation-writer |
## Decision Framework
1. **Assess** technical complexity and scope
2. **Check** existing architecture docs and patterns
3. **Identify** architectural implications and dependencies
4. **Break down** into logical, testable components
5. **Delegate** to appropriate agents
6. **Review** outcomes and coordinate follow-up
## PR Size Awareness
Max **400 lines** production code, **10 files** per PR. If work exceeds limits, plan multiple PRs: foundation first (interfaces, abstractions), then features on top.
================================================
FILE: .claude/agents/toolhive-expert.md
================================================
---
name: toolhive-expert
description: Codebase knowledge, navigation, and implementation guidance — use for understanding existing code and patterns
tools: [Read, Glob, Grep, Bash]
color: green
model: inherit
---
# ToolHive Expert Agent
You are a specialized expert on the ToolHive codebase, architecture, and implementation patterns.
## When to Invoke
Invoke when:
- Navigating the codebase or understanding existing architecture
- Finding where functionality lives or how components interact
- Understanding design patterns and code organization
- Answering "how does X work?" questions about the codebase
Do NOT invoke for: Planning new features or breaking down tasks (tech-lead-orchestrator), writing code (golang-code-writer), reviewing code (code-reviewer).
Defer to: kubernetes-expert (operator), oauth-expert (auth), mcp-protocol-expert (MCP), documentation-writer (docs).
## Your Expertise
- ToolHive architecture, components, and system interactions
- Container runtimes: Docker, Colima, Podman, Kubernetes abstractions
- Virtual MCP Server: backend aggregation, routing, composite tools, two-boundary auth
- Security model: Cedar policies, auth/authz, secret management, container isolation
- Development workflows and implementation patterns
## Key Design Decisions
### Container Runtime Detection
Automatic order: Podman → Colima → Docker. Override with `TOOLHIVE_RUNTIME=kubernetes` or socket env vars (`TOOLHIVE_PODMAN_SOCKET`, `TOOLHIVE_COLIMA_SOCKET`, `TOOLHIVE_DOCKER_SOCKET`).
### Two-Boundary Authentication (vMCP)
```
MCP Client → [Incoming Auth] → vMCP → [Outgoing Auth] → Backend MCP Servers
```
- **Incoming**: OIDC/Anonymous for MCP clients; ToolHive can mint tokens as OAuth2 server
- **Outgoing**: RFC 8693 Token Exchange for service-to-service; per-backend auth config; token caching
### Architecture Patterns
- **Factory Pattern**: Container runtime selection, transport creation
- **Interface Segregation**: `pkg/container/runtime/types.go`, `pkg/transport/types/`
- **Middleware Pattern**: Auth, authz, telemetry HTTP middleware chain
- **Adapter Pattern**: Transport bridge (stdio to HTTP MCP)
## Development Commands
See `CLAUDE.md` for the full list of `task` commands.
## Your Approach
1. **Always examine the codebase first** before providing answers
2. **Reference specific files** when explaining concepts or suggesting changes
3. **Follow existing patterns** already established in the codebase
4. **Consider impacts**: dependencies, side effects, backward compatibility
5. **Security first**: container isolation, auth/authz, secret handling
## Coordinating with Other Agents
- **kubernetes-expert**: Operator CRDs, controllers, K8s-specific questions
- **oauth-expert**: Authentication flows, token handling, OAuth/OIDC
- **mcp-protocol-expert**: MCP spec compliance, transport protocols, JSON-RPC
- **code-reviewer**: Comprehensive code review before committing
- **documentation-writer**: Documentation updates or creation
================================================
FILE: .claude/agents/unit-test-writer.md
================================================
---
name: unit-test-writer
description: Write comprehensive unit tests for Go code — functions, methods, or components that need thorough test coverage
tools: [Read, Write, Edit, Glob, Grep, Bash]
permissionMode: acceptEdits
model: inherit
---
# Unit Test Writer Agent
You are a Go testing expert specializing in comprehensive, maintainable unit tests for the ToolHive project.
## When to Invoke
Invoke when: Writing unit tests, adding coverage, creating fixtures/helpers/mocks, improving test quality.
Do NOT invoke for: Production code (golang-code-writer), E2E tests (`test/e2e/`), code review (code-reviewer), CLI command testing (use E2E tests).
## ToolHive Testing Conventions
Follow testing conventions defined in `.claude/rules/testing.md` and Go style in `.claude/rules/go-style.md`. These rules are auto-loaded when touching test files.
## Test Design
- Analyze code for functionality, dependencies, edge cases
- Cover happy path, error conditions, boundary values, input validation
- Create mock expectations verifying correct interactions
- Focus on meaningful tests over raw coverage numbers
## Running Tests
```bash
task test # Unit tests
task test-coverage # With coverage
task gen # Generate mocks
```
## Coordinating with Other Agents
- **golang-code-writer**: When code needs modifications for testability
- **code-reviewer**: For reviewing test quality
- **toolhive-expert**: For understanding existing test patterns
================================================
FILE: .claude/rules/cli-commands.md
================================================
---
paths:
- "cmd/thv/app/**"
---
# CLI Command Rules
Applies to CLI command files in `cmd/thv/app/`.
## Thin Wrapper Principle
**CRITICAL**: CLI commands must be thin wrappers that delegate to business logic in `pkg/`.
The CLI layer is responsible ONLY for:
- Parsing flags and arguments (using Cobra)
- Calling business logic functions from `pkg/` packages
- Formatting output (text tables or JSON)
- Displaying errors to users
Business logic MUST live in `pkg/` packages (e.g., `pkg/workloads/`, `pkg/registry/`, `pkg/groups/`, `pkg/runner/`).
**Example**: `cmd/thv/app/list.go` delegates to `pkg/workloads.Manager.ListWorkloads()`
## Usability Requirements
- **Silent success**: No output on successful operations unless `--debug` is used
- **Actionable error messages**: Include hints pointing to relevant commands
- **Consistent flag names** across commands
- **Both output formats**: Support `--format json` and `--format text`
- **Helper functions**: Use `AddFormatFlag`, `AddGroupFlag`, `AddAllFlag` for common flags
- **Shell completion**: Include `ValidArgsFunction`
## Adding New Commands
1. Put business logic in `pkg/` first
2. Create command file in `cmd/thv/app/` as a thin wrapper
3. Follow patterns from existing commands (e.g., `list.go`, `run.go`, `status.go`)
4. Add command to `NewRootCmd()` in `commands.go`
5. Implement validation in `PreRunE`
6. Support both text and JSON output formats
7. Write E2E tests (primary testing strategy for CLI)
8. Update CLI documentation with `task docs`
## Testing
CLI commands are tested with **E2E tests** (`test/e2e/`), not unit tests. Only write CLI unit tests for output formatting or validation helper functions.
================================================
FILE: .claude/rules/go-style.md
================================================
---
paths:
- "**/*.go"
---
# Go Style Rules
Applies to all Go files in the project.
## File Organization
- Public methods in the top half of files, private methods in the bottom half
- Use interfaces for testability and runtime abstraction
- Separate business logic from transport/protocol concerns
- Keep packages focused on single responsibilities
## Interface Design
Check these whenever adding a method to an interface or defining a new type:
- **Minimal surface**: Don't add interface methods that duplicate the semantics of existing ones. If an existing method already answers the question (possibly with a side effect), don't add a separate method for the same check.
- **No silent no-ops**: A no-op that silently breaks callers who depend on the method working is a sign the interface is too broad. Narrow the interface or use a separate capability interface. Benign no-ops (e.g., `Close()` on an in-memory store) are fine.
- **Option pattern must be compile-time safe**: Never define a local anonymous interface inside an option and type-assert against it to check capability — a silent no-op results if the target doesn't implement it. (Returning an explicit error from an option for input validation is fine.) Two typesafe approaches:
- *Config struct field*: put the setting on the config struct (e.g., `types.Config.SessionStorage`) so all consumers see it at compile time.
- *Typed functional option*: use `func(*ConcreteType)` so the option only compiles against the correct receiver.
If you need to cast inside an option to check whether the target supports it, the option is on the wrong abstraction. See #4638.
- **Avoid parallel types that drift**: Don't define a separate config/data type that mirrors an existing one. Embed or reuse the original — two parallel structs require a conversion step and will diverge over time.
## Resource Leaks
Always pair resource acquisition with explicit release. Common patterns that leak:
- Goroutines with no exit condition or cancellation path
- Caches and maps that grow without a capacity limit or eviction policy
- Connections, files, or handles opened without a corresponding `Close()` (use `defer`)
- Tickers and timers whose `Stop()` is never called
When reviewing code that acquires a resource, ask: where does this get released, and what happens if the normal release path is never reached?
## Linting
All lint rules must be followed. Run `task lint-fix` before submitting. Do not suppress linter warnings with `//nolint` directives unless the violation is a confirmed false positive — fix the root cause instead.
## Validate Parsed Results
A successful parse (`err == nil`) only means the input was syntactically acceptable to the parser — not that it meets your requirements. Always validate the parsed result against what you actually need. Standard library parsers routinely accept more inputs than a given call site should allow.
## SPDX License Headers
All Go files require SPDX headers at the top:
```go
// SPDX-FileCopyrightText: Copyright 2025 Stacklok, Inc.
// SPDX-License-Identifier: Apache-2.0
```
Use `task license-check` to verify, `task license-fix` to add automatically.
## Immutable Variable Assignment
Prefer immediately-invoked anonymous functions over mutable variables across branches:
```go
// Good: Immutable assignment
phase := func() PhaseType {
if someCondition {
return PhaseA
}
return PhaseDefault
}()
// Avoid: Mutable variable across branches
var phase PhaseType
if someCondition {
phase = PhaseA
} else {
phase = PhaseDefault
}
```
## Copy Before Mutating Caller Input
Never mutate a value passed in by a caller. Maps and slices have reference semantics — passing them copies the header but shares the underlying data, so mutations are visible to the caller. Pointer parameters (`*T`) directly expose the caller's original value. Plain struct values (`T`) are copies and safe to modify, but structs passed as `*T`, or whose fields include maps, slices, or pointers, can still reach caller-visible data through those fields. In-place mutation surprises callers, can cause data races, and breaks the assumption that the caller's original value is unchanged after the call.
Always copy the input first and mutate the copy:
```go
// Good
meta := maps.Clone(callerMeta)
meta["key"] = "value"
// Avoid
callerMeta["key"] = "value" // mutates the caller's map
```
Note that `maps.Clone` (and `slices.Clone`) perform a **shallow copy** — if map values or slice elements contain pointers, slices, or nested maps, mutating those nested values will still affect the caller's data. Use a deep copy when the value type requires it.
This applies to function parameters, values extracted from context, and values returned by storage/cache loads. If the function's doc comment does not explicitly state "the caller's value will be modified", treat all inputs as read-only.
## Keep Comments Synchronized With Code
When you change behavior, update every comment that describes it. A comment that contradicts the code is worse than no comment — it actively misleads future readers and causes incorrect changes.
- After any refactor, search for comments referencing the old behavior and update them.
- If a comment names a specific function, variable, or mechanism, verify the name is still accurate.
- Comments describing concurrency semantics (eviction timing, lazy vs. eager, which lock is held) are especially prone to drift — treat them as part of the implementation, not decoration.
## Constructor Validation: Fail Loudly on Invalid Input
Constructors must validate their required inputs and fail loudly (return an error or panic) rather than silently accepting invalid values and producing surprising behavior.
- Required parameters: check for nil and return a descriptive error.
- Numeric bounds: reject values outside the valid range (e.g., `capacity < 1`). Zero is Go's default — don't let it silently mean "unlimited" or "disabled".
- Enum/string config: reject unknown values explicitly; don't fall back silently to a default that the caller didn't request.
Misconfiguration that fails at startup is far easier to diagnose than misconfiguration that silently degrades behavior at runtime.
## One Synchronization Primitive Per Data Structure
Use a single synchronization mechanism per data set. Mixing `sync.Mutex` and `sync.Map` (or channels) on the same underlying data is a correctness hazard — future contributors cannot reason about which operations are atomic with respect to each other.
If atomicity requirements grow beyond what `sync.Map` provides (e.g., you need read-modify-write), replace it with a plain `map` guarded by a `sync.Mutex` for all operations. The performance difference at typical cardinalities is negligible compared to the clarity gained.
## Drain HTTP Response Bodies Before Closing
Always drain a response body before closing it in error paths. Closing without reading prevents `net/http` from reusing the underlying TCP connection, causing unnecessary connection churn.
```go
// Good
_, _ = io.Copy(io.Discard, resp.Body)
resp.Body.Close()
// Avoid — prevents connection reuse
resp.Body.Close()
```
This applies in every code path that discards a response early (error handling, retries, fallbacks).
## Write to Durable Storage Before Updating In-Memory State
When a write must update both durable storage (database, Redis, file) and an in-memory structure (cache, map, struct field), always write to the authoritative store first. Update local state only after the durable write succeeds.
- If the durable write fails, leave in-memory state unchanged — the next read will reload from the source of truth.
- If the process crashes after the durable write but before the in-memory update, the next read reloads correctly.
- Reversing the order leaves a window where in-memory state diverges permanently from durable state on any error.
## Error Handling
- Return errors by default — never silently swallow errors
- Comment ignored errors — explain why and typically log them
- No sensitive data in errors (no API keys, credentials, tokens, passwords)
- Use `errors.Is()` or `errors.As()` for error inspection (they properly unwrap errors)
- Use `fmt.Errorf` with `%w` to preserve error chains; don't wrap excessively
- Use `recover()` sparingly — only at top-level API/CLI boundaries
## Package API Surface
- Packages expose interfaces, result types, and constructors
- Constructors accept dependencies (interfaces/functions), runtime information
(identity, context), and config (in the caller's terms)
- Start without intermediate config types — introduce them when a concrete need
arises (runtime shape meaningfully differs from input, multiple config sources,
resolved secrets). Don't create a public type just to hold parsed values
between two internal functions
- Use `internal/` subpackages for implementation details that callers should not
depend on
- Public functions are a smell: if a function converts external types to internal
state, ask whether it can be folded into a constructor or belongs in the
caller's package
## Document Architectural Constraints on Exported Functions
When an exported function or constructor changes behavior based on injected infrastructure (storage backend, transport mode, external client), its doc comment must state what the injection does and does not solve. Callers cannot be expected to infer distributed-system constraints from the implementation.
Include at minimum:
- What the injected component enables (e.g., cross-replica metadata sharing).
- What it does *not* solve (e.g., cross-replica message delivery, fan-out).
- Any caller responsibility that follows (e.g., session affinity at the load balancer).
## Concurrency Comments
Keep comments about mutexes, locks, and concurrency accurate — they are easy to get wrong and mislead future readers:
- Only say a lock "must be held" or "is already held" if you have verified it at that call site.
- Do not claim an operation would deadlock without confirming that the lock in question would actually be re-acquired.
- When a comment describes a concurrency invariant (e.g., "called with mu held"), add it to the function's doc comment so it travels with the signature, not inline at the call site.
## Logging
- **Silent success** — no output at INFO or above for successful operations
- **DEBUG** for diagnostics (runtime detection, state transitions, config values)
- **INFO** sparingly — only for long-running operations like image pulls
- **WARN** for non-fatal issues (deprecations, fallback behavior, cleanup failures)
- **Never log** credentials, tokens, API keys, or passwords
## Prefer Existing Code and Packages Over From-Scratch Implementations
Before implementing any non-trivial functionality from scratch:
1. **Search the toolhive repo first** — check if an existing method, utility, or package already provides the functionality or something close enough to extend.
2. **Check the Go standard library** — the stdlib covers a wide surface area; prefer it over third-party packages when it fits.
3. **Look for existing Go packages** — search for well-maintained OSS libraries that solve the problem before writing custom implementations.
Implementing from scratch should be a last resort, justified by a specific gap no existing solution fills.
================================================
FILE: .claude/rules/operator.md
================================================
---
paths:
- "cmd/thv-operator/**"
- "test/e2e/chainsaw/**"
---
# Operator Rules
Applies to Kubernetes operator code and CRD definitions.
## CRD vs PodTemplateSpec
**Rule of thumb**: If it affects how the operator behaves or how the MCP server operates, it's a **CRD attribute**. If it affects where/how pods run, it's **PodTemplateSpec**.
**CRD Attributes** — use for business logic:
- Authentication methods
- Authorization policies
- MCP-specific configuration
- Application behavior
**PodTemplateSpec** — use for infrastructure:
- Node selection (nodeSelector, affinity)
- Resource requests/limits
- Volume mounts
- Security context, tolerations
See `cmd/thv-operator/DESIGN.md` for detailed decision guidelines.
## CRD Type Conventions
- Use `metav1.Duration` for duration fields in CRD types, not `string` or
integer seconds. It serializes as Go duration strings (`"1m0s"`, `"30s"`),
has built-in OpenAPI schema support, and is the standard Kubernetes convention.
## Development Workflow
- Always run `task operator-generate` after modifying CRD types
- Always run `task operator-manifests` after adding kubebuilder markers
- Always run `task crdref-gen` from `cmd/thv-operator/` after CRD changes to regenerate API docs (uses relative paths)
- Use `envtest` for integration testing, not real clusters
- Chainsaw tests require a real Kubernetes cluster
- Status writes must go through `controllerutil.MutateAndPatchStatus` — see the Status Writes section below
## Status Condition Parity
When adding a status condition to one CRD type, check all parallel types (e.g., `MCPServer` and `VirtualMCPServer`) for the same condition. Conditions that warn about misconfiguration or unsupported states should be consistent across types that share the same feature set — a gap means one type silently accepts invalid config that the other rejects.
## Status Writes
Use `controllerutil.MutateAndPatchStatus` for every status write — not `r.Status().Update` or inline `client.Status().Patch` (see #4633). The helper's doc comment is the authoritative spec.
When adding a status-write call site, check three things:
1. **Caller holds a freshly-`Get`ted object.** Reconciler-start writers do; writers that iterate `List` results (e.g., deletion-path fan-out in `MCPGroupReconciler`) do not and need a fresh `Get` before calling the helper.
2. **Caller is the sole owner of the entire `Status.Conditions` array.** Per-condition-type ownership is NOT enough. JSON merge-patch replaces the array wholesale for CRDs (the `+listType=map` marker is only honored by strategic-merge-patch), so any concurrent writer whose Patch lands between this caller's Get and Patch — on any condition type, not just the ones this caller touches — will be erased. A fresh `Get` narrows the TOCTOU window but does not eliminate it. If two code paths must write conditions on the same CRD (e.g., operator reconciler + in-pod `K8sReporter`), fix at the design level: consolidate to a single owner, or move one writer to a dedicated status field outside the array.
3. **Scalar fields the writer touches are not co-owned.** A stale-computed value different from the caller's snapshot will overwrite the live value — the helper cannot defend against this.
Do not use `MutateAndPatchStatus` for spec or metadata writes — those require optimistic locking (`client.MergeFromWithOptions(..., MergeFromWithOptimisticLock{})`). See #4767.
## Key Operator Commands
```bash
task operator-install-crds # Install CRDs
task operator-generate # Generate deepcopy, client code
task operator-manifests # Generate CRD YAML, RBAC
task operator-test # Run unit tests
task operator-e2e-test # Run e2e tests
task crdref-gen # Generate CRD API docs (run from cmd/thv-operator/)
```
## Spec / metadata patching
Never use `r.Update` on a CR spec or metadata: `Update` is a full PUT,
so any field our local copy does not track (e.g. `spec.authzConfig`
written by a separate authorization controller) gets zeroed on every
reconcile.
Use `controllerutil.MutateAndPatchSpec` instead. The helper wraps an
optimistic-lock merge patch: the body only contains fields the caller
changed, and `MergeFromWithOptimisticLock` sends `resourceVersion` as a
precondition, so if the server moved between our Get and Patch the
apiserver returns 409 and controller-runtime requeues with a fresh Get.
This is what protects `metadata.finalizers`. Merge-patch has no
array-append semantics — arrays are replaced wholesale — so when our
diff includes `finalizers` (e.g. an `AddFinalizer` call) it must have
been computed from an up-to-date snapshot. The 409 + requeue is what
guarantees that: any concurrent finalizer added by another controller
fails our precondition, and the next reconcile observes it via a fresh
Get before recomputing the diff.
```go
if err := ctrlutil.MutateAndPatchSpec(ctx, r.Client, mcpServer, func(m *mcpv1beta1.MCPServer) {
controllerutil.AddFinalizer(m, MCPServerFinalizerName)
}); err != nil {
return ctrl.Result{}, err
}
```
Expect 409s as routine log noise once the external controller lands —
the guard doing its job, not a bug.
Status-subresource patching uses the sibling helper
`controllerutil.MutateAndPatchStatus` (see the "Status Writes" section
above).
================================================
FILE: .claude/rules/pr-creation.md
================================================
# PR Creation Rules
You MUST follow the template at `.github/pull_request_template.md` when creating pull requests. Do NOT skip or leave placeholder text in required sections.
## Required sections — do NOT omit these
- **Summary**: You MUST explain (1) WHY the change is needed and (2) WHAT changed. Lead with the motivation — the diff shows the code. Include issue references (`Closes #NNN` or `Fixes #NNN`) when a related issue exists; remove the `Fixes #` line entirely if there is none.
- **Type of change**: Check exactly one category. Do not leave all boxes unchecked.
- **Test plan**: Check every verification step you actually ran. You MUST check at least one item. For manual testing, describe exactly what you tested.
## Optional sections — remove entirely if not needed
Do NOT leave optional sections empty or with only placeholder/template text. Either fill them in or delete them.
- **Changes**: File-by-file table for PRs touching more than a few files.
- **Implementation plan**: Include when the PR was planned with an AI assistant. Paste the approved plan inside the collapsible `<details>` block. This gives reviewers visibility into the intended design and tradeoffs. Remove the section entirely for PRs that were not AI-planned.
- **Does this introduce a user-facing change?**: Describe the change from the user's perspective. Write "No" if not applicable.
- **Special notes for reviewers**: Non-obvious design decisions, known limitations, areas wanting extra scrutiny, or planned follow-up work.
## PR Scope
Each PR must contain only related changes. If a bug fix, refactor, or unrelated cleanup is discovered while working on a feature, open a separate PR for it. Mixed-scope PRs are harder to review and harder to revert cleanly.
## Style guidelines
- Keep the PR title under 70 characters, imperative mood, no trailing period.
- PR titles must NOT use conventional commit prefixes (`feat:`, `fix:`, `chore:`, etc.).
- Summary bullets MUST explain the "why" first, then the "what". Do not just list what files changed.
- When the PR is generated with Claude Code, include `Generated with [Claude Code](https://claude.com/claude-code)` at the bottom of the body.
================================================
FILE: .claude/rules/security.md
================================================
---
paths:
- "**/*.go"
---
# Security Rules
Applies to all Go files in the project.
## Don't Store Internal Addressing in Shared State
Never persist internal infrastructure addresses (hostnames, IPs, service URLs, pod names) into shared or external state stores (databases, caches, config passed to clients).
Internal addresses stored externally:
- Leak topology to anyone who can read the store
- May allow callers to bypass security middleware by using the stored address directly
- Couple your routing logic to volatile infrastructure state that changes independently
**Instead**: derive routing from stable, non-sensitive inputs (e.g. a session ID, a content hash, a logical name). If you must store a target, store a logical identifier and resolve it at use time through a path that enforces security controls.
## Route Through Security-Enforcing Components
Always route traffic through the component responsible for auth, rate limiting, or policy enforcement — never optimize past it.
A direct path that skips middleware is a vulnerability, not a performance improvement. If you find yourself type-asserting, casting, or reaching into an internal field to get a "more direct" address, stop and ask whether the shortcut bypasses any security boundary.
When multiple routing options exist (e.g. a proxy vs. a raw address), choose the one where security controls are guaranteed to be in the critical path.
## Prefer Stateless Routing Over Stored Routing
When routing can be derived deterministically from stable request properties, compute it on every request rather than storing it.
Storing routing decisions:
- Creates state that must be recovered correctly after restarts
- Introduces a window where stored state is stale or wrong
- Expands the attack surface of the state store
If the same input always maps to the same destination (consistent hashing, modular arithmetic, content addressing), there is no need to store the mapping. Remove the stored state and eliminate the recovery problem entirely.
## All Requests Must Pass Through the Proxy Runner
Every request to a managed container (MCP server or tool) must flow through the proxy runner (`pkg/runner/proxy`). Bypassing it is a vulnerability, not an optimization.
The proxy runner is the single enforcement point for:
- Authentication and authorization checks
- Secret injection and credential management
- Network policy and egress controls
- Audit logging
Any code that constructs a direct connection to a container — by using a raw host:port, reaching past the proxy interface, or type-asserting to an underlying transport — skips these controls entirely.
**If you find a code path that contacts a container without going through the proxy runner, treat it as a security bug and fix it.**
================================================
FILE: .claude/rules/testing.md
================================================
---
paths:
- "*_test.go"
- "test/**"
---
# Testing Rules
Applies to test files and test directories.
## Testing Strategy
- **`pkg/` packages**: Thorough unit test coverage (business logic lives here)
- **`cmd/thv/app/`**: Minimal unit tests (only output formatting, flag validation helpers)
- **CLI commands**: Tested primarily with E2E tests (`test/e2e/`), not unit tests
- **Integration tests**: Ginkgo/Gomega in package test files
- **Operator tests**: Chainsaw tests in `test/e2e/chainsaw/operator/`
## Mock Generation
- Use `go.uber.org/mock` (gomock) framework — never hand-write mocks
- Generate mocks with `mockgen` and place in `mocks/` subdirectories
- Generate with: `task gen`
## Assertions
- Prefer `require.NoError(t, err)` (from `github.com/stretchr/testify`) instead of `t.Fatal`
## Test Quality
1. **Structure**: Prefer table-driven (declarative) tests over imperative tests
2. **Redundancy**: Avoid overlapping test cases exercising the same code path
3. **Value**: Every test must add meaningful coverage — remove tests that don't
4. **Consolidation**: Consolidate small test functions into a single table-driven test when they test the same function
5. **Naming**: Test names must match what they actually assert — if the assertion changes, update the name too.
6. **Boilerplate**: Minimize setup code; extract shared setup into helpers with `t.Helper()`
## Running Operator E2E Tests
Operator E2E tests live in `test/e2e/thv-operator/` and require a Kind cluster. All tasks are defined in `cmd/thv-operator/Taskfile.yml` and must be run from the repo root with `task -d cmd/thv-operator <task>` (or `cd cmd/thv-operator && task <task>`).
**Full automated run** (creates cluster, deploys, tests, destroys on exit):
```
task -d cmd/thv-operator thv-operator-e2e-test
```
**Iterative manual workflow** (keep the cluster alive between test runs):
```
task -d cmd/thv-operator kind-setup-e2e # Kind cluster with NodePort mappings
task -d cmd/thv-operator operator-install-crds
task -d cmd/thv-operator operator-deploy-local # builds & loads local images via ko
task -d cmd/thv-operator thv-operator-e2e-test-run # re-run as many times as needed
task -d cmd/thv-operator kind-destroy # when done
```
**Cluster variants:**
- `kind-setup` — plain cluster, no port mappings (general use)
- `kind-setup-e2e` — cluster with NodePort mappings required by Ginkgo E2E tests
**Chainsaw (operator unit-level E2E):**
```
task -d cmd/thv-operator operator-e2e-test
```
Runs `chainsaw` against `test/e2e/chainsaw/operator/` scenarios. Installs `chainsaw` automatically if missing.
The Ginkgo suite runs with `--procs=8` and uses `kconfig.yaml` (written to repo root by the kind-setup tasks) as its `KUBECONFIG`.
## E2E Test Coverage
E2E tests must verify functional behavior, not just infrastructure state. Confirming that pods are ready or that counts are correct is not sufficient — the test must also exercise the actual code path (send traffic, trigger the feature) to prove it works end-to-end.
## Test Scope
Tests must only test code in the package under test. Do NOT test behavior of dependencies, external packages, or transitive functionality.
## Temp Directories
When tests need a temp directory that must pass validation rejecting symlinks, use a resolved temp dir:
```go
dir := t.TempDir()
resolved, _ := filepath.EvalSymlinks(dir)
```
On macOS, `t.TempDir()` often returns paths through `/var/folders/...` which is a symlink. See `pkg/skills/project_root_test.go` for a `resolvedTempDir(t)` helper.
## Environment Variables
Write tests isolated from other tests that may set the same env vars. Use `t.Setenv()` which auto-restores.
## Port Numbers
Use random ports (e.g., `net.Listen("tcp", ":0")`) to let the OS assign a free port. Do not use hardcoded port numbers — even large ones can clash with running services.
## Test Hooks in Production Structs
Avoid adding test-only hook fields (nil-checked `func()` fields) to production structs. A field documented as "nil in production" signals the concern belongs outside the production type. Preferred alternatives:
- **Interface seam**: Replace the internal component with an interface; tests inject a wrapper that adds the needed synchronization or observation.
- **Functional constructor options**: Expose hook injection only through a constructor option so the production call site stays clean.
- **Test at the observable boundary**: Control timing through the mock/stub's own behavior rather than hooking into production internals.
Existing instances in the codebase are legacy — do not expand them. When touching a struct that already has hook fields, consider extracting them as part of the change.
## Use `t.Cleanup` for Resource Teardown in Parallel Tests
In tests using `t.Parallel()`, always register resource teardown (stopping servers, closing connections, cancelling contexts) with `t.Cleanup`, not just `defer`.
In parallel tests, `defer` runs when the parent test function returns — which can happen before `t.Parallel()` subtests finish. `t.Cleanup` handlers are tied to the test's full lifecycle and run after all subtests complete, preventing leaked goroutines, ports, and connections.
Note: `require.*` uses `runtime.Goexit`, and panics unwind the stack — both run deferred functions. The difference is not about defers being skipped; it's about *when* they run relative to subtests.
```go
// Good — runs after all subtests complete
server := httptest.NewServer(handler)
t.Cleanup(server.Close)
// Avoid in parallel tests — may run before subtests finish
defer server.Close()
```
Make stop/close functions idempotent (`sync.Once`) when registering with both `t.Cleanup` and an explicit mid-test shutdown.
## Concurrent Tests: Always Add Timeouts to Blocking Barriers
Blocking operations in tests (`WaitGroup.Wait()`, channel receives, `sync.Cond.Wait()`) must have a timeout/fail-fast path. Without one, a panicking goroutine or regression in synchronization logic causes the test to hang until the global `go test` timeout.
```go
// Good: fail fast with a clear message
done := make(chan struct{})
go func() { wg.Wait(); close(done) }()
select {
case <-done:
case <-time.After(5 * time.Second):
t.Fatal("timeout waiting for goroutines to synchronize")
}
// Avoid: hangs indefinitely on deadlock
wg.Wait()
```
================================================
FILE: .claude/rules/vmcp-anti-patterns.md
================================================
---
paths:
- "pkg/vmcp/**/*.go"
- "cmd/vmcp/**/*.go"
---
# vMCP Anti-Pattern Rule
When reviewing or writing code in `pkg/vmcp/` or `cmd/vmcp/`, check changes against these anti-patterns. Flag any code that introduces or expands them.
## 1. Context Variable Coupling
Using `context.WithValue`/`ctx.Value` to pass domain data between middleware or from middleware to handlers. Creates invisible producer-consumer dependencies, ordering fragility, and silent degradation when values are missing.
**Detect**: `context.WithValue` in middleware setting domain data; `ctx.Value(someKey)` reads in handlers/routers/business logic; functions whose behavior depends on specific context values.
**Instead**: Push data onto `MultiSession` (handlers already have access); pass domain data as explicit function parameters; reserve context for trace IDs, cancellation, and deadlines only.
## 2. Repeated Request Body Read/Restore
Multiple middleware calling `io.ReadAll(r.Body)` then restoring with `io.NopCloser(bytes.NewReader(...))`. Fragile implicit contract — if any middleware forgets to restore, downstream handlers silently get an empty body.
**Detect**: `io.ReadAll(r.Body)` followed by `r.Body = io.NopCloser(bytes.NewReader(...))` in middleware; multiple middleware in the same chain parsing JSON from the request body.
**Instead**: Parse body once early in the pipeline; extend `ParsedMCPRequest` so all downstream consumers use the parsed representation; cache raw bytes alongside parsed form if needed for audit.
## 3. God Object: Server Struct
A single struct owning too many concerns (10+ fields spanning domains). Causes cognitive overload, makes subsystems untestable in isolation, and amplifies change risk.
**Detect**: Structs with 10+ fields spanning different domains; constructors >50 lines or with `nolint:gocyclo`; files >500 lines handling multiple unrelated concerns; multiple mutex fields protecting different state subsets.
**Instead**: Extract each concern into a self-contained module with its own `New()`/`Start()`/`Stop()`. Server struct should be a thin orchestrator composing pre-built subsystems.
## 4. Middleware Overuse
Business logic in HTTP middleware when behavior is specific to certain request types or belongs on a domain object. Adds cognitive load (10+ layer chains), wastes work on irrelevant requests, and creates invisible mutations.
**Detect**: Middleware that checks request method/type and returns early for most cases; middleware whose sole purpose is context stuffing (see #1); middleware that wraps `ResponseWriter` or reads request body (see #2).
**Instead**: Reserve middleware for truly cross-cutting concerns (recovery, telemetry, auth). Push behavior onto domain objects — e.g., annotation lookup as a method on `MultiSession` instead of middleware.
## 5. SDK Coupling Leaking Through Abstractions
SDK-specific patterns (e.g., mcp-go's two-phase session creation) escaping the adapter boundary and shaping internal architecture.
**Detect**: Code outside `adapter/` referencing SDK-specific concepts (hooks, placeholders, two-phase creation); session management with "re-check"/"double-check" patterns from SDK lifecycle race windows.
**Instead**: Keep the adapter layer thin and isolated. Internal session management should present a clean `CreateSession() -> (Session, error)` API. The two-phase dance should be invisible to callers.
## 6. Configuration Object Passed Everywhere
Threading a large `Config` struct (13+ fields) through constructors when each consumer only needs a small subset. Obscures dependencies, invites nil pointer panics, and bloats test setup.
**Detect**: Constructors accepting `*config.Config` but only accessing a few fields; nil checks on config sub-fields in business logic; test setup building large config structs with mostly zero/nil fields.
**Instead**: Each subsystem accepts only the config it needs via small, focused config types. Decompose the top-level config at the composition root before passing to constructors.
## 7. Mutable Shared State Through Context
Storing a mutable struct in context and having multiple middleware modify it in place. Violates the immutability convention, creates hidden mutation coupling, and risks data races in concurrent scenarios.
**Detect**: Middleware mutating fields on structs retrieved from context; structs stored in context with exported mutable fields; multiple middleware reading and writing the same context value.
**Instead**: Treat context values as immutable; create new values with `context.WithValue` if downstream needs to add info. Better yet, pass data explicitly (see #1).
## 8. Unnecessary Abstraction / Interface Modification
Introducing new abstractions (caches, wrapper types, new interface methods) or modifying stable interfaces to accommodate a single implementation's concern. A stable interface being modified is a sign that implementation details are leaking across boundaries.
**Detect**: New interface methods added to satisfy one implementation; wrapper types that add a layer but don't meaningfully change behavior; caches where every "hit" still requires a remote call; new abstractions without evidence (profiling, incidents) justifying the complexity; stable interfaces gaining methods that only one consumer needs.
**Instead**: Solve the concern internally to the component that needs it — don't push implementation-specific concerns onto shared interfaces. Start with the simplest approach and add abstraction only when there is concrete evidence it's needed.
## 9. Premature Optimization
Adding caches, connection pools, or other performance optimizations without evidence that the unoptimized path is a problem. These add complexity (invalidation logic, staleness risks, lifecycle management) that must be maintained regardless of whether the optimization provides measurable benefit.
**Detect**: Caches introduced without profiling data or load estimates showing the uncached path is too slow; connection pools or object pools where the allocation cost hasn't been measured; complexity added to avoid overhead (e.g., TLS handshakes, serialization) at request rates where the overhead is negligible.
**Instead**: Start with the straightforward implementation. Measure under realistic load. Add optimization only when measurements show it's needed, and document the evidence in the commit or PR description.
## 10. Mutable Domain Objects with Mutex Protection
Adding a mutex to a domain object and mutating it in place when state changes. This grows in complexity with every new mutation and makes objects harder to reason about under concurrency.
**Detect**: Mutex fields on domain structs; mutation methods on types that were previously read-only; in-place writes guarded by an object-level lock; multiple layers each holding their own mutex.
**Instead**: Ask whether the object can be reconstructed rather than mutated — rebuild from the source of truth and replace the reference. If mutation is truly necessary, centralize synchronization at one layer rather than distributing mutexes across multiple layers; everything below that layer is then single-threaded and much easier to reason about. Sharded locks for performance should only be introduced after profiling shows contention (see anti-pattern #9).
================================================
FILE: .claude/settings.json
================================================
{
"permissions": {
"allow": [
"Bash(go test:*)",
"Bash(task test)",
"Bash(task lint)",
"Bash(task lint-fix)",
"Bash(task license-fix)",
"Bash(golangci-lint run:*)",
"Bash(go doc:*)",
"WebFetch(domain:modelcontextprotocol.io)",
"Bash(pre-commit:*)",
"Bash(pre-commit run:*)",
"Bash(pre-commit install:*)",
"Bash(pre-commit autoupdate:*)",
"Bash(helm-docs:*)",
"Bash(codespell:*)",
"Bash(task operator-install-crds)",
"Bash(task operator-uninstall-crds)",
"Bash(task operator-deploy-latest)",
"Bash(task operator-deploy-local)",
"Bash(task operator-undeploy)",
"Bash(task operator-generate)",
"Bash(task operator-manifests)",
"Bash(task operator-test)",
"Bash(task operator-e2e-test)",
"Bash(task crdref-install)",
"Bash(task crdref-gen)",
"Bash(helm template:*)",
"Bash(git log:*)",
"Bash(ct lint:*)",
"Bash(helm-docs --dry-run)"
],
"deny": []
},
"hooks": {
"PostToolUse": [
{
"matcher": "Edit|Write",
"hooks": [
{
"type": "command",
"command": "cd \"$CLAUDE_PROJECT_DIR\" && changed_file=\"$CLAUDE_TOOL_ARG_file_path\"; if [ -n \"$changed_file\" ] && echo \"$changed_file\" | grep -q '\\.go$'; then task lint-fix 2>/dev/null; task license-fix 2>/dev/null; fi; exit 0"
}
]
}
]
},
"env": {
"CLAUDE_CODE_EXPERIMENTAL_AGENT_TEAMS": "1"
}
}
================================================
FILE: .claude/skills/add-rule/SKILL.md
================================================
---
name: add-rule
description: Captures a team convention or best practice and adds it to the appropriate .claude/rules/ or .claude/agents/ file
---
# Add Rule — Capture a Team Convention
## Purpose
Formalize a convention, best practice, or correction into the project's `.claude/rules/` or `.claude/agents/` files so it applies automatically for all team members.
## Input
The user provides a convention in natural language. Examples:
- `/add-rule "prefer require.NoError over t.Fatal for error assertions"`
- `/add-rule "use context.Background() in tests, not context.TODO()"`
- `/add-rule "CLI commands must support --format json"`
If no argument is provided, ask: "What convention would you like to add?"
## Instructions
### 1. Understand the Convention
Parse the user's input to identify:
- **The rule**: What should or should not be done
- **The scope**: Which files or areas it applies to (Go code, tests, CLI, operator, etc.)
- **The reason**: Why this convention exists (ask if not provided — the "why" is critical for future developers to judge edge cases)
### 2. Find the Right Target File
**Rules vs Agents — key principle**: Rules define conventions; agents reference rules. Never duplicate rule content in agent files.
- **Rules files** (`.claude/rules/`): Auto-loaded based on `paths:` frontmatter globs when Claude touches matching files. These define the canonical conventions (style, testing patterns, error handling, etc.).
- **Agent files** (`.claude/agents/`): Define agent-specific behavior — persona, review checklist, output format, workflow steps. Agents inherit the full conversation context (including CLAUDE.md), so they already have access to all loaded rules. Agent files should *reference* rules (e.g., "Follows conventions in `.claude/rules/testing.md`"), never restate them.
Match the convention to an existing file based on scope:
| Scope | Target file | What goes here |
|-------|------------|----------------|
| General Go code | `.claude/rules/go-style.md` | Style, naming, error handling conventions |
| Test files | `.claude/rules/testing.md` | Testing patterns, framework usage |
| CLI commands | `.claude/rules/cli-commands.md` | CLI architecture, flag conventions |
| Kubernetes operator | `.claude/rules/operator.md` | CRD, controller conventions |
| PR creation | `.claude/rules/pr-creation.md` | PR format, review expectations |
| Agent workflow/persona | `.claude/agents/<agent-name>.md` | Agent-specific behavior, checklists, output format |
If no existing file fits, propose creating a new rule file with appropriate `paths:` frontmatter. New rule files need a glob pattern that determines when they auto-load.
**If the convention is about code** (how to write Go, test patterns, error handling), it belongs in a rules file — even if it's most relevant to a specific agent. The agent can reference the rule.
### 3. Draft the Addition
Read the target file and draft the new content:
- Match the style and formatting of existing rules in the file
- Place the rule in the most logical section (or propose a new section if needed)
- Keep it concise — one to three lines is ideal
- Include a brief rationale if the "why" isn't obvious from the rule itself
- Use code examples for conventions that benefit from showing good vs bad patterns
**Format examples:**
Simple rule:
```markdown
- Use `context.Background()` in tests, not `context.TODO()` — tests have no caller to propagate cancellation from
```
Rule with example:
```markdown
## Prefer Table-Driven Tests
Use table-driven tests over repeated test functions:
` ``go
// Good
tests := []struct{ name string; input int; want int }{...}
// Avoid: separate TestFoo1, TestFoo2, TestFoo3 functions
` ``
```
### 4. Present the Change
Show the user:
1. **Target file** and the section where the rule will be added
2. **The exact edit** — the lines being added in context
3. **A one-line confirmation prompt**: "Add this rule to `.claude/rules/testing.md`? (y/n)"
### 5. Apply on Confirmation
Use the Edit tool to add the rule to the target file. After applying:
- Verify the file is still well-structured
- If the rule was added to a rules file, mention that agents already pick it up automatically — rules are auto-loaded when matching files are touched, and agents inherit the full context. No agent file edits are needed unless the agent needs to explicitly reference the rule in a checklist.
## Edge Cases
- **Duplicate rule**: If a similar rule already exists, show it to the user and ask whether to update the existing rule or skip
- **Contradicts existing rule**: If the new convention contradicts an existing one, highlight the conflict and ask the user to resolve it
- **Too broad for one file**: If the convention spans multiple scopes, suggest adding it to CLAUDE.md instead or splitting into multiple rule additions
- **Personal preference vs team convention**: If the rule sounds personal (e.g., "I prefer tabs"), ask: "Is this a team-wide convention or a personal preference? Personal preferences go in your `~/.claude/` memory instead."
================================================
FILE: .claude/skills/check-contribution/SKILL.md
================================================
---
name: check-contribution
description: Validates operator chart contribution practices (helm template, ct lint, docs generation, version bump) before committing changes.
allowed-tools: [Bash, Read]
---
# Check Operator Chart Contribution Practices
Verify that all contribution guidelines from `deploy/charts/operator/CONTRIBUTING.md` are followed before committing Helm chart changes. Do not make any edits to files.
## Checks
### 1. Helm Template Validation
```bash
cd "$(git rev-parse --show-toplevel)"/deploy/charts/operator && helm template test .
```
Verify the output contains valid Kubernetes YAML without errors.
### 2. Chart Linting
```bash
ct lint
```
Report any linting errors or warnings.
### 3. Documentation Generation
```bash
helm-docs --dry-run
```
Verify that `values.yaml` variables are documented and the generated README.md matches.
### 4. Chart Version Bump
If chart files changed, verify:
- `deploy/charts/operator/Chart.yaml` version is bumped for operator changes
- `deploy/charts/operator-crds/Chart.yaml` version is bumped for CRD changes
- Version follows [SemVer](https://semver.org/) and bump type matches the change scope
## Output Format
```
✅ or ❌ Helm template renders successfully
✅ or ❌ Chart linting passes
✅ or ❌ Documentation up-to-date
✅ or ❌ Chart version bumped appropriately
```
Include specific errors for any failing checks with actionable remediation commands.
================================================
FILE: .claude/skills/code-review-assist/SKILL.md
================================================
---
name: code-review-assist
description: Augments human code review by summarizing changes, surfacing key review questions, assessing test coverage, and identifying low-risk sections. Use when reviewing a diff, PR, or code snippet as a senior review partner.
---
# Code Review Augmentation
## Purpose
Act as a senior review partner — not a replacement reviewer. Help the user understand and evaluate a code change faster, without rubber-stamping it.
## How This Differs from the `code-reviewer` Agent
The `code-reviewer` agent runs autonomously and checks for best practices, security patterns, and conventions. This skill is for **human-in-the-loop review sessions** — the user is actively reviewing PRs and making decisions. Your role is to prepare the user to review faster and more thoroughly, surface what matters most, draft comments collaboratively, and track what worked so the review process itself improves over time.
## Session Planning
When invoked without a specific PR, start by scoping the session:
1. **Discover PRs**: Use GitHub to find (a) open PRs requesting the user's review, (b) PRs merged in the last 2 days that the user hasn't reviewed yet (use a longer lookback only if the user requests it), and (c) open PRs the user has previously reviewed that have new pushes or comments since their last review (contributors may push updates without re-requesting review).
2. **Load only metadata**: Fetch PR title, author, description, and files-changed count. Do **not** load diffs during session planning — you only need high-level information to help the user prioritize.
3. **Present the list**: Show each PR with title, author, and a risk estimate (high/medium/low based on files changed, area of codebase, and change size). Also note any existing review activity — approved reviews, changes-requested, pending reviews from others, or review comments — so the user knows what's already been covered. If any PRs form a stack (one PR's base branch is another PR in the list), group them and note the dependency chain and what each PR in the stack is responsible for.
4. **Ask the user**:
- Which PRs to include — all open, all merged, or a subset?
- Preferred review order — chronological, highest-risk-first, or by author/area?
5. **Track coverage**: At the end of the session, report which PRs were reviewed, skipped, or deferred so nothing falls through the cracks.
If a specific PR is provided as an argument, skip session planning and go directly to the review.
## Instructions
Present PRs **one at a time**. Complete the full review structure for one PR, let the user respond, and only then move to the next. Do not batch multiple PR reviews into a single response.
When the user shares a code change (diff, PR, or code snippet) for review, structure your response in the sections below.
### 1. Change Summary
In 2-4 sentences, explain what this change does and why it appears to exist. State the apparent intent plainly. If the intent is unclear, say so — that's a review finding in itself.
### 2. Background
Before diving into the diff, establish context so the reviewer can understand what's being changed. Read the original files in the repository (not just the diff) and describe the existing design in terms of **owners** and **responsibilities**:
- **Owners** are the key types, interfaces, and functions involved in the change. Bold each owner when introducing it (e.g., **`ProxyHandler`**, **`ToolRegistry`**, **`Reconciler`**).
- **Responsibilities** are named, bolded behaviors that owners are accountable for (e.g., **request routing**, **connection lifecycle management**, **tool discovery**). Give each responsibility a clear name so it can be referenced throughout the review.
- When fine-grained responsibilities work together to fulfill a larger responsibility, say so explicitly (e.g., "**`Reconciler`** is responsible for **state synchronization**, which combines **drift detection** on the current spec with **desired-state application** to bring the cluster in line").
- When a responsibility isn't clearly owned by a single type — e.g., it's spread across multiple functions, or lives in package-level code without a clear home — call that out. Unclear ownership is useful context for evaluating whether the PR improves or worsens the situation.
Present this as a structured list of owner → responsibility mappings so the reviewer can quickly see who does what today. Only cover the owners relevant to the change — don't map the entire subsystem.
### 3. Important Changes
Describe how the change modifies the ownership and responsibility map established in Background. Use the same **bolded owner and responsibility names** to make the link explicit. For each significant change, categorize it:
- **New owners**: New types, interfaces, or functions introduced by this change and what responsibilities they take on.
- **New responsibilities**: Existing owners that gain new named behavior they didn't have before.
- **Shifted responsibilities**: A named responsibility that moved from one owner to another — state clearly where it lived before and where it lives now.
- **Modified responsibilities**: An existing named responsibility on an existing owner that now works differently — describe the behavioral delta.
Only include categories that apply. Skip trivial changes (renames, import reordering, formatting) — the reviewer can see those in the diff. Order by importance, not by file.
### 4. Key Concerns
Surface the 2-5 most important concerns about this change. Each concern MUST be prefixed with a [conventional comment](https://conventionalcomments.org/) severity label:
- **`blocker:`** — Must be resolved before merge. Broken functionality, silent no-ops that break contracts, security issues, data loss risks.
- **`suggestion:`** — Non-blocking recommendation. Better approaches, simplification opportunities, design improvements.
- **`nitpick:`** — Trivial, take-it-or-leave-it. Naming, minor style, const extraction.
- **`question:`** — Seeking clarification, not requesting a change.
When evaluating concerns, focus on:
- **Justification**: Is the problem this solves clear? Is this the right time/place to solve it?
- **Approach fit**: Could this be solved more simply? Are there obvious alternative approaches with better tradeoffs? If so, briefly sketch them.
- **Abstraction integrity**: All consumers of an interface should be able to treat implementations as fungible — no consumer should need to know or care which implementation is behind the interface. Check for these leaky abstraction signals:
- An interface method that only works correctly for one implementation (e.g., silently no-ops or panics for others)
- Type assertions or casts on the interface to access implementation-specific behavior
- Consumers behaving differently based on which implementation they have
- A new interface method added solely to serve one new implementation
- **Mutation of shared state**: Flag code that mutates long-lived or shared data structures (config objects, request structs, step definitions, cached values) rather than constructing new values. In-place mutation is a significant source of subtle bugs — the original data may be read again downstream, used concurrently, or assumed immutable by other callers. Prefer constructing a new value and passing it forward. When mutation is flagged, suggest the immutable alternative.
- **Complexity cost**: Does this change add abstractions, indirection, new dependencies, or conceptual overhead that may not be justified? Flag anything that makes the codebase harder to reason about.
- **Boundary concerns**: Does this change respect existing module/service boundaries, or does it blur them?
- **Necessity**: Is this the simplest approach that solves the problem? If the change introduces new interfaces, modifies stable interfaces, adds caches, or creates new abstraction layers — challenge it. A stable interface being modified to accommodate one implementation is a sign that concerns are leaking across boundaries. Ask: can this be solved internally to the component that needs it? Is there evidence (profiling, incidents) justifying the added complexity, or should we start simpler?
- **Premature optimization**: Does the change add caches, pools, or other performance machinery without evidence the unoptimized path is a problem? Optimizations add maintenance cost (invalidation, staleness, lifecycle management) regardless of whether they provide measurable benefit. Ask: has the straightforward approach been measured under realistic load?
### 5. Testing Assessment
Evaluate whether the change is well-tested relative to its risk:
- Are the important behaviors covered?
- Are edge cases and failure modes addressed?
- Are tests testing the right thing (behavior, not implementation details)?
- If tests are missing or weak, say specifically what should be tested.
- For validation or branching logic, enumerate the full input matrix (type × field combinations, flag × state permutations) and verify each cell is covered. Don't eyeball — be systematic.
### 6. vMCP Anti-Pattern Check
If the change touches files under `pkg/vmcp/` or `cmd/vmcp/`, also run the `vmcp-review` skill against those files. Don't reproduce the full vmcp-review report — instead, summarize the most important findings (must-fix and should-fix severity) inline with your Key Concerns. Link back to the specific anti-pattern by number (e.g., "see vMCP anti-pattern #8") so the reviewer can dig deeper if needed.
### 7. Reading Order (large changes only)
If the change is large, suggest a reading order — which files/sections to review carefully vs. skim.
### 8. Recommendation
End with one of: **Approve**, **Request Changes**, or **Skip** (e.g., the change is already well-covered by other reviewers or active discussion has moved past the point where new feedback is useful). Follow with a 1-2 sentence explanation grounding the recommendation in the key concerns above. This is a suggestion to the reviewer, not a final verdict.
## Review Session Tracking
When reviewing multiple PRs in a session, maintain a local file (`review-session-notes.md`) that documents what happened for each PR:
1. **After the user leaves comments or makes a decision**, record:
- What the skill surfaced vs. what the user actually commented on
- Where the skill's output aligned with the user's review
- Where the skill missed something the user caught, or flagged something the user didn't care about
- Whether the user had to arrive at the key insight through discussion rather than the initial review output
2. **At the end of the session** (or when the user asks to reflect), analyze the notes for patterns:
- Recurring gaps — types of issues the skill consistently misses
- False priorities — things the skill flags that the user consistently skips
- Discussion-dependent insights — conclusions the user reached through back-and-forth that the skill should surface directly
- Propose concrete updates to this skill, the vmcp-review skill, or `.claude/rules/` files based on what was learned
The goal is continuous improvement: each review session should make the next one more efficient.
## Comment Format
When drafting review comments, use [conventional comments](https://conventionalcomments.org/) format. Prefix every comment with a label that communicates severity:
- **`blocker:`** — Must be resolved before merge. Use for: broken functionality, silent no-ops that break contracts, security issues, data loss risks.
- **`suggestion:`** — Non-blocking recommendation. Use for: better approaches, simplification opportunities, design improvements.
- **`nitpick:`** — Trivial, take-it-or-leave-it. Use for: naming, minor style, const extraction.
- **`question:`** — Seeking clarification, not requesting a change.
Calibrate severity aggressively: a method that silently no-ops and breaks functionality for some implementations is a **blocker**, not a suggestion. When in doubt, err toward higher severity — the reviewer can always downgrade.
All draft comments must be presented to the user for review before posting — no exceptions. Do not submit an approval or summary comment body unless the user explicitly asks for one; a bare approval with no body is the default.
## Code Suggestions
When suggesting code changes in review comments, check `.claude/rules/` for project-specific patterns and conventions before writing code. Suggestions should follow the project's established style (e.g., the immediately-invoked function pattern for immutable assignment in Go). When requesting changes from external contributors, always provide concrete code examples showing the expected structure — don't just describe what you want in prose.
## Principles
- Never say "LGTM" or give a blanket approval. Surface what the human reviewer should think about, not the decision itself.
- Don't waste the reviewer's time on style nits, formatting, or naming unless it genuinely hurts readability. Assume linters handle that.
- Prioritize findings. Lead with whatever carries the most risk or warrants the most thought.
- Be direct. Say "this adds complexity that may not be justified" rather than hedging with "you might want to consider..."
- When suggesting alternatives, be concrete enough to evaluate but brief — a sentence or two, not a full implementation.
- Question the premise, not just the implementation. Don't accept that an abstraction, cache, or optimization should exist and then review its quality — first ask whether it should exist at all. The highest-value review feedback often eliminates complexity rather than improving it.
- If you lack context (e.g., you don't know the broader system), say what assumptions you're making and what context would change your assessment.
================================================
FILE: .claude/skills/deflake/SKILL.md
================================================
---
name: deflake
description: Finds flaky tests on the main branch by analyzing GitHub Actions failures, ranks them by frequency, and enters parallel plan mode to design deflake strategies. Use when you want to find and fix the flakiest tests.
---
# Deflake Tests
Discovers, ranks, and plans fixes for flaky tests by analyzing GitHub Actions failures on `main`.
## Arguments
```
/deflake # Full analysis: discover, rank, and plan fixes
/deflake --report # Report only: show flake rankings without planning fixes
/deflake --top N # Analyze and plan fixes for the top N flakes (default: 3)
```
---
## Phase 1: Collect and Rank Flakes
Run the collection script. It handles all deterministic data collection and aggregation. If CI log formats change over time, update the script directly.
```bash
python3 .claude/skills/deflake/collect-flakes.py
```
The script outputs three sections:
1. **FLAKE REPORT** — overall stats (total runs, failure rate, date range)
2. **RANKED FAILURES** — table sorted by failure count with job, mode, and test name
3. **FAILURE DETAILS** — per-test breakdown with links to each failed run
### Phase 1 complete
Read the script output and use it directly for the report. The LLM's only job in this phase is to **categorize** each entry as a flake, real bug, or infra issue:
- **Flake**: Appears multiple times intermittently, interspersed with successful runs
- **Real bug**: Appeared after a specific commit and every run after that failed until a fix landed. Check `git log` for related fixes
- **Infra flake**: Entries tagged `[INFRA]` by the script, or failures with mode `connection refused` / `infra`
---
## Phase 2: Present the Report
Present the script output as a formatted report. Add categorization (flake / real bug / infra) to each entry. Example format:
```markdown
## Flake Report — main branch
**Period**: 2026-04-01 to 2026-04-10
**Runs analyzed**: 23 total, 8 failed (35% failure rate)
### Top Flaky Tests
| Rank | Test | Job | Failures | Failure Mode |
|------|------|-----|----------|--------------|
| 1 | Workload lifecycle ... [It] should track ... | E2E (api-workloads) | 5/23 | timeout (120s) |
| 2 | ... | ... | ... | ... |
### Real Bugs (not flakes)
- [Test name] — Introduced by [commit], fixed by [commit/PR]
### Infra Failures
- [N] runs failed due to [description]
```
If the user passed `--report`, stop here. Otherwise continue to Phase 3.
---
## Phase 3: Plan Deflake Fixes
### 3.1 Parallel Investigation
For the top N flakes (default 3), launch **parallel agents** to investigate each one simultaneously.
For each flake, spawn an Agent (subagent_type: `general-purpose`) that:
1. **Reads the test code**: Find the test file, understand what it does and what behavior it's verifying
2. **Reads the production code**: Read all the production code that the test exercises — handlers, services, middleware, etc. Understand the code path end-to-end
3. **Maps test coverage for this feature**: Search the entire repo for all tests that cover this same feature or code path. Don't assume test locations — grep for the feature name, function names, and related keywords across the whole codebase. Tests may live in `_test.go` files alongside prod code, in `e2e/`, in `acceptance_test` files, or elsewhere. For each test found, document what it covers, what level it operates at (unit/integration/E2E), and whether it's stable or also flaky
4. **Reads the failure logs**: Get 2-3 example failure logs from different runs
5. **Identifies the root cause**: Why does this test fail intermittently?
- Timing-dependent (hardcoded sleeps, tight timeouts)?
- Resource contention (port conflicts, shared state)?
- Ordering dependency (relies on another test's side effects)?
- External dependency (network call, container pull)?
- Race condition (concurrent access, missing synchronization)?
6. **Proposes a fix strategy**: Following the deflake principles below, informed by the full picture of prod code and existing test coverage
**IMPORTANT**: Launch all agents in a single message so they run in parallel.
Wait for all agents to complete, then consolidate findings.
### 3.2 Present Deflake Plans
For each flake, present a high-level plan with alternatives considered:
```markdown
### Flake #N: [Test Name]
**Root cause**: [one-sentence explanation]
**Failure logs**: [links to 2-3 example runs]
**Options considered**:
1. [Option A] — [why it was rejected or chosen]
2. [Option B] — [why it was rejected or chosen]
3. [Option C] — [why it was rejected or chosen]
**Recommended approach**: [which option and why it's the best fit]
- [High-level description of the changes]
**Confidence**: High / Medium / Low
**Risk**: [What could go wrong with this approach]
```
Present all plans and wait for user feedback. The user may choose a different option, combine approaches, or ask for more investigation. Do NOT enter plan mode or start implementing until the user approves the approach for each flake.
### 3.3 Implement Approved Fixes
Once the user approves approaches, enter plan mode to design the detailed implementation. The plan should:
- Group related fixes (e.g., if multiple tests share the same root cause)
- Order by impact (fix the flake that fails most often first)
- Each fix should be its own commit for easy revert
---
## Deflake Principles
These principles guide all fix proposals. **Prefer simplifying code and tests over adding complexity.**
### Prefer removal over addition
- Delete flaky tests only if they're duplicative with other **stable tests at the same level**
- If multiple E2E tests cover fine-grained behavior for one feature, move the fine-grained cases to unit tests and keep a single E2E smoke test
- Never remove **all** E2E coverage for a feature — at least one smoke test must remain
- Remove unnecessary setup/teardown that introduces timing sensitivity
### Fix the test, not the production code
- If flakiness exposes a real bug, fix the production code
- Do NOT add complexity to production code just to make a flaky test pass (retry logic, test-only hooks, feature flags)
- Ask: what's the intention of this test? Can we capture it in a more reliable form?
### Fix options
- **Delete the test** if redundant (keeping at least one E2E smoke test per feature)
- **Rewrite as a unit test** if the behavior can be tested without integration
- **Refactor hard-to-test code** so the behavior under test can be easily isolated and reliably examined
- **Reduce scope** — test one thing instead of a full lifecycle
- **Use polling with short intervals** instead of fixed sleeps (e.g., `Eventually` with 1s poll interval)
- **Increase timeouts** — only as a last resort, and only for `Eventually`/`Consistently` matchers, not arbitrary `time.Sleep`
### Anti-patterns to avoid
- Adding `time.Sleep()` to "fix" timing issues
- Adding retry loops around flaky assertions
- Marking tests as `[Flaky]` or `Skip` without fixing them
- Adding production code complexity (feature flags, test modes) to make tests pass
- Increasing parallelism limits or resource requests as a band-aid
================================================
FILE: .claude/skills/deflake/collect-flakes.py
================================================
#!/usr/bin/env python3
"""Collect and rank flaky tests from GitHub Actions on main."""
import json
import re
import subprocess
import sys
from collections import defaultdict
from concurrent.futures import ThreadPoolExecutor, as_completed
REPO = "stacklok/toolhive"
WORKFLOW_NAME = "Main build"
PER_PAGE = 100
MAX_PAGES = 3 # Pages of all push-triggered workflow runs (not just Main build)
def gh_api(endpoint):
"""Call gh api and return parsed JSON."""
result = subprocess.run(
["gh", "api", endpoint],
capture_output=True, text=True, check=True,
)
return json.loads(result.stdout)
def fetch_all_runs():
"""Fetch workflow runs across multiple pages."""
all_runs = []
for page in range(1, MAX_PAGES + 1):
data = gh_api(
f"repos/{REPO}/actions/runs?branch=main&event=push"
f"&per_page={PER_PAGE}&page={page}"
)
runs = [r for r in data["workflow_runs"] if r["name"] == WORKFLOW_NAME]
all_runs.extend(runs)
if len(data["workflow_runs"]) < PER_PAGE:
break # No more pages
print(f"Fetched page {page}: {len(runs)} Main build runs", file=sys.stderr)
return all_runs
def get_failed_logs(run_id):
"""Get failed job logs for a run."""
result = subprocess.run(
["gh", "run", "view", str(run_id), "--repo", REPO, "--log-failed"],
capture_output=True, text=True,
)
return result.stdout + result.stderr
def strip_ansi(text):
"""Remove ANSI escape sequences."""
return re.sub(r'\x1b\[[0-9;]*m', '', text)
def extract_ginkgo_failures(log_lines):
"""Extract Ginkgo test names from [FAIL] lines."""
failures = []
for line in log_lines:
if '[FAIL]' not in line:
continue
clean = strip_ansi(line)
# Also strip literal ANSI-like codes that gh outputs as text
clean = re.sub(r'\[\d+;\d+m', '', clean)
clean = re.sub(r'\[0m', '', clean)
match = re.search(r'\[FAIL\]\s+(.*?\[It\]\s+[^\[]+)', clean)
if match:
test_name = match.group(1).strip()
failures.append(test_name)
return failures
def extract_unit_test_failures(log_lines):
"""Extract Go unit test names from ❌ lines."""
failures = []
for line in log_lines:
if '❌' not in line:
continue
clean = strip_ansi(line)
clean = re.sub(r'\[\d+;\d+m', '', clean)
clean = re.sub(r'\[0m', '', clean)
match = re.search(r'❌\s+(\S+)', clean)
if match:
test_name = match.group(1).strip()
failures.append(test_name)
return failures
def extract_job_name(line):
"""Extract job name from log line prefix."""
match = re.match(r'^(.+?)\t', line)
return match.group(1).strip() if match else "unknown"
def extract_failure_mode(log_text):
"""Determine failure mode from log content."""
clean = strip_ansi(log_text)
# Also strip literal ANSI-like codes
clean = re.sub(r'\[\d+;\d+m', '', clean)
clean = re.sub(r'\[0m', '', clean)
if re.search(r'Timed out after [\d.]+s', clean):
match = re.search(r'Timed out after ([\d.]+)s', clean)
return f"timeout ({match.group(1)}s)" if match else "timeout"
if 'Server should be running' in clean:
return "server startup timeout"
if 'panic:' in clean:
return "panic"
if 'connection refused' in clean.lower():
return "connection refused"
if 'Expected' in clean and 'to equal' in clean:
return "assertion"
return "assertion"
def find_failure_context(log_lines, test_name, fail_line_idx):
"""Find the [FAILED] block associated with a test near its [FAIL] summary line.
Ginkgo logs have two relevant markers:
- [FAILED] with the failure reason (e.g., "Timed out after 120s") — appears
in the failure block, potentially thousands of lines before the summary
- [FAIL] with the test name — appears in the summary section at the end
Search backwards from the [FAIL] line for the nearest [FAILED] block that
belongs to this test, then extract context around it.
"""
# Search backwards from the fail summary line for [FAILED].
# Ginkgo emits multiple [FAILED] lines per test failure — the first has
# the reason (e.g., "Timed out after 120s"), later ones are summaries.
# Collect all [FAILED] lines in the block and return context around them.
search_start = max(0, fail_line_idx - 5000)
failed_lines = []
for i in range(fail_line_idx, search_start, -1):
clean_line = strip_ansi(log_lines[i])
if '[FAILED]' in clean_line:
failed_lines.append(i)
if failed_lines:
# Use the earliest (first) [FAILED] line — it has the failure reason
earliest = min(failed_lines)
latest = max(failed_lines)
start = max(0, earliest - 5)
end = min(len(log_lines), latest + 5)
return "\n".join(log_lines[start:end])
# Fallback: use lines around the [FAIL] summary
start = max(0, fail_line_idx - 50)
return "\n".join(log_lines[start:fail_line_idx + 1])
def main():
# Fetch all recent runs on main (paginated)
all_runs = fetch_all_runs()
failed_runs = [r for r in all_runs if r["conclusion"] == "failure"]
success_runs = [r for r in all_runs if r["conclusion"] == "success"]
total = len(all_runs)
num_failed = len(failed_runs)
print(f"=== FLAKE REPORT ===")
print(f"Total Main build runs on main: {total}")
print(f"Failed: {num_failed}")
print(f"Succeeded: {len(success_runs)}")
print(f"Failure rate: {num_failed/total*100:.1f}%" if total > 0 else "N/A")
if all_runs:
dates = sorted(r["created_at"][:10] for r in all_runs)
print(f"Period: {dates[0]} to {dates[-1]}")
print()
# Collect failures from each run — fetch logs in parallel
test_failures = defaultdict(list) # test_name -> [{run_id, date, job, mode}]
def process_run(run):
"""Fetch logs and extract failures for a single run."""
run_id = run["id"]
run_date = run["created_at"][:10]
run_title = run["display_title"]
print(f"Fetching logs for run {run_id} ({run_date}: {run_title[:60]})...",
file=sys.stderr)
log_text = get_failed_logs(run_id)
log_lines = log_text.splitlines()
results = []
# Extract Ginkgo failures
ginkgo_fails = extract_ginkgo_failures(log_lines)
for test_name in ginkgo_fails:
job = "unknown"
fail_line_idx = None
for i, line in enumerate(log_lines):
if '[FAIL]' in line and test_name.split('[It]')[0].strip()[:20] in strip_ansi(line):
job = extract_job_name(line)
fail_line_idx = i
break
# Find the [FAILED] block for this test to get accurate failure mode
if fail_line_idx is not None:
test_log = find_failure_context(log_lines, test_name, fail_line_idx)
else:
test_log = log_text
mode = extract_failure_mode(test_log)
results.append((test_name, {
"run_id": run_id, "date": run_date, "job": job, "mode": mode,
}))
# Extract unit test failures
unit_fails = extract_unit_test_failures(log_lines)
for test_name in unit_fails:
if '/' in test_name:
parent = test_name.split('/')[0]
if parent in unit_fails:
continue
job = "unknown"
fail_line_idx = None
for i, line in enumerate(log_lines):
if '❌' in line and test_name in line:
job = extract_job_name(line)
fail_line_idx = i
break
# Extract per-test log context (50 lines before the ❌ line)
if fail_line_idx is not None:
start = max(0, fail_line_idx - 50)
test_log = "\n".join(log_lines[start:fail_line_idx + 1])
else:
test_log = log_text
mode = extract_failure_mode(test_log)
results.append((test_name, {
"run_id": run_id, "date": run_date, "job": job, "mode": mode,
}))
# Infra-only failures
if not ginkgo_fails and not unit_fails:
results.append(("[INFRA] " + run_title[:80], {
"run_id": run_id, "date": run_date, "job": "infra", "mode": "infra",
}))
return results
with ThreadPoolExecutor(max_workers=8) as pool:
futures = {pool.submit(process_run, run): run for run in failed_runs}
for future in as_completed(futures):
run = futures[future]
try:
for test_name, occurrence in future.result():
test_failures[test_name].append(occurrence)
except Exception as e:
print(f"Warning: failed to process run {run['id']}: {e}",
file=sys.stderr)
# Sort by failure count descending
ranked = sorted(test_failures.items(), key=lambda x: -len(x[1]))
# Print ranked table
print()
print("=== RANKED FAILURES ===")
print(f"{'Rank':<5} {'Count':<6} {'Job':<45} {'Mode':<25} {'Test'}")
print("-" * 140)
for i, (test_name, occurrences) in enumerate(ranked, 1):
job = occurrences[0]["job"]
mode = occurrences[0]["mode"]
count = len(occurrences)
print(f"{i:<5} {count:<6} {job:<45} {mode:<25} {test_name}")
# Print details per failure
print()
print("=== FAILURE DETAILS ===")
for test_name, occurrences in ranked:
print(f"\n## {test_name}")
print(f" Failures: {len(occurrences)}/{total} runs")
for occ in occurrences:
url = f"https://github.com/{REPO}/actions/runs/{occ['run_id']}"
print(f" - {occ['date']} | {occ['mode']} | {occ['job']} | {url}")
if __name__ == "__main__":
main()
================================================
FILE: .claude/skills/deploy-otel/SKILL.md
================================================
---
name: deploy-otel
description: Deploy the OpenTelemetry observability stack (Prometheus, Grafana, OTEL Collector) to a Kind cluster for testing toolhive telemetry. Use when you need to set up monitoring, metrics collection, or observability infrastructure.
allowed-tools: Bash, Read
---
# Deploy OTEL Observability Stack
Deploy a complete OpenTelemetry observability stack to a Kind cluster for testing ToolHives telemetry capabilities.
## Steps
### 1. Verify Prerequisites
Check that required tools are installed:
```bash
echo "Checking prerequisites..."
command -v kind >/dev/null 2>&1 || { echo "ERROR: kind is not installed"; exit 1; }
command -v helm >/dev/null 2>&1 || { echo "ERROR: helm is not installed"; exit 1; }
command -v kubectl >/dev/null 2>&1 || { echo "ERROR: kubectl is not installed"; exit 1; }
echo "All prerequisites met."
```
### 2. Create Kind Cluster
Create the Kind cluster if it doesn't exist:
```bash
CLUSTER_NAME="toolhive"
if kind get clusters 2>/dev/null | grep -q "^${CLUSTER_NAME}$"; then
echo "Kind cluster '${CLUSTER_NAME}' already exists"
else
echo "Creating Kind cluster '${CLUSTER_NAME}'..."
kind create cluster --name ${CLUSTER_NAME}
fi
# Export kubeconfig
kind get kubeconfig --name ${CLUSTER_NAME} > kconfig.yaml
echo "Kubeconfig written to kconfig.yaml"
```
### 3. Add Helm Repositories
```bash
echo "Adding Helm repositories..."
helm repo add open-telemetry https://open-telemetry.github.io/opentelemetry-helm-charts
helm repo add prometheus-community https://prometheus-community.github.io/helm-charts
helm repo add grafana https://grafana.github.io/helm-charts
helm repo update
echo "Helm repositories updated."
```
### 4. Install Prometheus/Grafana Stack
```bash
echo "Installing kube-prometheus-stack..."
helm upgrade -i kube-prometheus-stack prometheus-community/kube-prometheus-stack \
-f examples/otel/prometheus-stack-values.yaml \
-n monitoring --create-namespace \
--kubeconfig kconfig.yaml \
--wait --timeout 5m
echo "Prometheus/Grafana stack installed."
```
### 5. Install Tempo for Distributed Tracing
```bash
echo "Installing Grafana Tempo..."
helm upgrade -i tempo grafana/tempo \
-f examples/otel/tempo-values.yaml \
-n monitoring \
--kubeconfig kconfig.yaml \
--wait --timeout 3m
echo "Grafana Tempo installed."
```
### 6. Install OpenTelemetry Collector
```bash
echo "Installing OpenTelemetry Collector..."
helm upgrade -i otel-collector open-telemetry/opentelemetry-collector \
-f examples/otel/otel-values.yaml \
-n monitoring \
--kubeconfig kconfig.yaml \
--wait --timeout 3m
echo "OpenTelemetry Collector installed."
```
### 7. Verify Deployment
```bash
echo "Verifying deployment..."
kubectl get pods -n monitoring --kubeconfig kconfig.yaml
```
### 8. Display Access Instructions
```bash
cat <<'EOF'
=== OTEL Stack Deployment Complete ===
To access the UIs, run these port-forward commands:
# Grafana (admin / admin)
kubectl port-forward -n monitoring svc/kube-prometheus-stack-grafana 3000:3000 --kubeconfig kconfig.yaml
# Prometheus
kubectl port-forward -n monitoring svc/kube-prometheus-stack-prometheus 9090:9090 --kubeconfig kconfig.yaml
EOF
```
## Troubleshooting
If Helm installations fail due to incompatible values, it may be because the Helm charts have been updated and our `values.yaml` files are no longer compatible.
**Chart Documentation:**
- OpenTelemetry Collector: https://github.com/open-telemetry/opentelemetry-helm-charts/tree/main/charts/opentelemetry-collector
- Prometheus Stack: https://github.com/prometheus-community/helm-charts/tree/main/charts/kube-prometheus-stack
- Tempo: https://github.com/grafana/helm-charts/tree/main/charts/tempo
**If you encounter issues:**
1. Check the chart's `values.yaml` for schema changes in the versions of the Charts we are using
2. Compare with our values files in `examples/otel/`
3. Create an issue at: https://github.com/stacklok/toolhive/issues describing what the issue is and recommend a fix
## What This Deploys
| Component | Description |
|-----------|-------------|
| Prometheus | Metrics storage, scrapes OTEL collector on port 8889 |
| Grafana | Visualization dashboards (admin/admin) |
| Tempo | Distributed tracing backend, receives traces from OTEL Collector |
| OTEL Collector | Receives OTLP metrics/traces, exports to Prometheus and Tempo |
## Cleanup
To remove everything:
```bash
task kind-destroy
```
Or manually:
```bash
kind delete cluster --name toolhive
rm -f kconfig.yaml
```
================================================
FILE: .claude/skills/deploying-vmcp-locally/SKILL.md
================================================
---
name: deploying-vmcp-locally
description: Deploys a VirtualMCPServer configuration locally for manual testing and verification
---
# Deploying vMCP Locally
This skill helps you deploy and test VirtualMCPServer configurations in a local Kind cluster for manual verification.
## Prerequisites
Before using this skill, ensure you have:
- [Kind](https://kind.sigs.k8s.io/) installed
- [kubectl](https://kubernetes.io/docs/tasks/tools/) installed
- [Task](https://taskfile.dev/installation/) installed
- [Helm](https://helm.sh/) installed
- A cloned copy of the toolhive repository
## Instructions
### 1. Set up the local cluster
If no Kind cluster exists, create one with the ToolHive operator:
```bash
# From the toolhive repository root
task kind-with-toolhive-operator
```
This creates a Kind cluster named `toolhive` with:
- Nginx ingress controller
- ToolHive CRDs installed
- ToolHive operator deployed
### 2. For development/testing with local changes
If you need to test local code changes:
```bash
# Set up cluster with e2e port mappings
task kind-setup-e2e
# Install CRDs
task operator-install-crds
# Build and deploy local operator image
task operator-deploy-local
```
### 3. Apply the VirtualMCPServer configuration
Apply the YAML configuration you want to test:
```bash
kubectl apply -f <path-to-vmcp-yaml> --kubeconfig kconfig.yaml
```
### 4. Verify deployment
Check the VirtualMCPServer status:
```bash
# List all VirtualMCPServers
kubectl get virtualmcpserver --kubeconfig kconfig.yaml
# Get detailed status
kubectl get virtualmcpserver <name> -o yaml --kubeconfig kconfig.yaml
# Check operator logs for issues
kubectl logs -n toolhive-system -l app.kubernetes.io/name=thv-operator --kubeconfig kconfig.yaml
```
### 5. Test the vMCP endpoint
For NodePort service type (useful for local testing):
```bash
# Get the NodePort
kubectl get svc vmcp-<name> -o jsonpath='{.spec.ports[0].nodePort}' --kubeconfig kconfig.yaml
# Test the endpoint (port will be on localhost when using kind-setup-e2e)
curl http://localhost:<nodeport>/mcp
```
For ClusterIP (default), use port-forward:
```bash
kubectl port-forward svc/vmcp-<name> 4483:4483 --kubeconfig kconfig.yaml
curl http://localhost:4483/mcp
```
### 6. Test MCP protocol
Use an MCP client to verify tool discovery and execution:
```bash
# Initialize MCP session
curl -X POST http://localhost:<port>/mcp \
-H "Content-Type: application/json" \
-d '{"jsonrpc": "2.0", "method": "initialize", "params": {"protocolVersion": "2024-11-05", "capabilities": {}, "clientInfo": {"name": "test", "version": "1.0"}}, "id": 1}'
# List tools
curl -X POST http://localhost:<port>/mcp \
-H "Content-Type: application/json" \
-d '{"jsonrpc": "2.0", "method": "tools/list", "id": 2}'
```
### 7. Clean up
When done testing:
```bash
# Remove specific resources
kubectl delete -f <path-to-vmcp-yaml> --kubeconfig kconfig.yaml
# Or destroy the entire cluster
task kind-destroy
```
## Example YAML files
Reference example configurations are in `examples/operator/virtual-mcps/`:
| File | Description |
|------|-------------|
| `vmcp_simple_discovered.yaml` | Basic discovered mode configuration |
| `vmcp_conflict_resolution.yaml` | Tool conflict handling strategies |
| `vmcp_inline_incoming_auth.yaml` | Inline authentication configuration |
| `vmcp_production_full.yaml` | Full production configuration |
| `composite_tool_simple.yaml` | Simple composite tool workflow |
| `composite_tool_complex.yaml` | Complex multi-step workflows |
| `composite_tool_with_elicitations.yaml` | Workflows with user prompts |
## Troubleshooting
### VirtualMCPServer stuck in Pending phase
Check that:
1. The MCPGroup exists and is Ready
2. All backend MCPServers in the group are Running
3. The operator has permissions to create the vMCP deployment
```bash
kubectl describe virtualmcpserver <name> --kubeconfig kconfig.yaml
kubectl get mcpgroup --kubeconfig kconfig.yaml
kubectl get mcpserver --kubeconfig kconfig.yaml
```
### Backend servers not discovered
Verify backend servers have the correct `groupRef`:
```bash
kubectl get mcpserver -o custom-columns=NAME:.metadata.name,GROUP:.spec.groupRef --kubeconfig kconfig.yaml
```
### Authentication issues
For testing, use anonymous auth:
```yaml
incomingAuth:
type: anonymous
authzConfig:
type: inline
inline:
policies:
- 'permit(principal, action, resource);'
```
================================================
FILE: .claude/skills/doc-review/CHECKING.md
================================================
# Checking documentation claims
When a documentation claims something it is important to check it for accuracy.
When doing that, be proactive in launching agents - when the documentation
claims something works certain way, launch @agent-toolhive-expert to provide
the fact-checking for you.
When the documentation contains a diagram, such as mermaid, launch an agent
to confirm if the flow work this way or not.
When the documentation contains an example of running toolhive, check the
arguments and command line options for accuracy and check if the example
aligns with what it is supposed to achieve.
================================================
FILE: .claude/skills/doc-review/EXAMPLES.md
================================================
# Examples of documentation checks
## The documentation contains a flow digram
Launch an instance of @agent-toolhive-expert and confirm that the diagram is in line
with how the system described in the diagram works.
## The documentation contains examples of thv command line
Launch an instance of @agent-toolhive-expert and confirm the command line example for accuracy
## The documentation contains Kubernetes manifest
Launch an instance of @agent-toolhive-expert and confirm the manifest aligns with the CRDs
## The documentation contains a link to a markdown file
Launch an instance of the Explore agent and confirm the link is valid and points to an existing file
================================================
FILE: .claude/skills/doc-review/SKILL.md
================================================
---
name: doc-review
description: Reviews documentation for factual accuracy
---
# Documentation Review
## Instructions
1. Read the documentation you are instructed to review
2. Make sure that all claims about how toolhive works are accurate
3. Make sure that all examples are based in how toolhive really works, check for formatting, typos and overall accuracy
4. Make sure that all links point to existing files and the content of the links matches what it should
## Fact-checking claims in the documentation
See [CHECKING.md](CHECKING.md) on instructions on how to check claims in the docs.
You have some examples on how to fact-check in [EXAMPLES.md](EXAMPLES.md)
## Your report
- Do not suggest inline changes
- Present findings and put each into a todo list. The user will then go through them and review manually
================================================
FILE: .claude/skills/implement-story/SKILL.md
================================================
---
name: implement-story
description: Implements a GitHub user story from planning through PR creation, with research, codebase analysis, and structured commits.
---
# Implement User Story
Takes a GitHub user story issue and produces well-organized PR(s) that reliably meet the acceptance criteria.
## Arguments
The user provides a GitHub issue number or URL. Example:
```
/implement-story #4550
/implement-story https://github.com/stacklok/toolhive/issues/4550
```
---
## Phase 1: Gather Context
### 1.1 Read the Issue
Fetch the issue body using GitHub tools. Extract:
- **User story**: The "As a / I want / so that" statement
- **Acceptance criteria**: The checkbox list — this is the contract
- **Context links**: RFC links, related issues, dependencies
- **Out of scope**: What NOT to do
### 1.2 Fetch RFC Context
If the issue links to an RFC (look for `THV-XXXX` references or links to `toolhive-rfcs`):
1. Clone or locate the RFC repo locally (check `../toolhive-rfcs/` first)
2. Read the full RFC document
3. Extract design decisions relevant to this story — config shapes, algorithm details, error formats, key schemas, etc.
If no RFC is linked, skip this step.
### 1.3 Find Related Stories
Search for sibling stories that share context with this one. These inform how to factor the code for extensibility:
```bash
# Search by keywords from the issue title
gh search issues "<keywords>" --repo stacklok/toolhive --state open --limit 10
# Search for issues linking to the same RFC
gh search issues "THV-XXXX" --repo stacklok/toolhive --limit 10
```
For each related story, read its acceptance criteria. Ask:
- Will a future story need to extend a type, interface, or package I'm creating?
- Should I define an interface now that a sibling story will implement later?
- Are there naming conventions or patterns I should establish that siblings will follow?
**Do not implement sibling stories.** Design internal interfaces so they can be
extended without refactoring, but do not add config fields, CRD types, or
user-facing API surface for functionality that isn't implemented in this PR.
Unused config confuses users and reviewers.
### 1.4 Research the Codebase
Use the Explore agent or direct search to understand:
1. **Where does this change fit?** Identify the packages, files, and functions that need modification.
2. **What patterns exist?** Find analogous features already implemented. For example, if adding a new middleware, study how existing middleware (auth, mcp-parser, authz) is registered and wired.
3. **What gets generated?** Identify files that are auto-generated (CRD manifests, mocks, docs) so you know what to regenerate.
4. **What tests exist?** Find the test patterns used for similar features (table-driven tests, testcontainers, Chainsaw E2E).
Document your findings before writing any code.
---
## Phase 2: Plan the Work
### 2.1 Map AC to Changes
For each acceptance criterion, identify:
- Which files need to change
- Whether it's new code or a modification
- What tests verify it (unit, integration, or E2E)
### 2.2 Decide PR Strategy
Evaluate the total scope against the project's PR guidelines:
- **< 10 files changed** (excluding tests, generated code, docs)
- **< 400 lines of code changed** (excluding tests, generated code, docs)
If the story fits in one PR, use a single PR. If not, split into multiple PRs following these patterns:
1. **Foundation first**: New types, interfaces, packages
2. **Wiring second**: Integration into existing code (middleware chain, reconciler, CRD)
3. **Tests alongside**: Each PR includes its own tests
4. **Generated code with its trigger**: CRD type changes + `task operator-manifests operator-generate` output in the same PR
### 2.3 Present the High-Level Plan
First, show the user a high-level plan covering PR boundaries and what each PR delivers.
Do NOT include commit-level details yet — get alignment on the split first.
```markdown
## Implementation Plan
**Story**: #XXXX — [title]
**PRs**: [1 or N]
### PR 1: [title]
- [what this PR introduces and why]
- **AC covered**: [which acceptance criteria]
### PR 2: [title] (if needed)
- [what this PR introduces and why]
- **AC covered**: [which acceptance criteria]
```
Wait for user approval on the PR split. Adjust if the user has feedback.
### 2.4 Plan Each PR in Detail
Once the user approves the high-level split, enter plan mode for the first PR.
In plan mode, explore the codebase and design commit boundaries, file changes,
and test strategy. Present the detailed plan for user approval before writing code.
For subsequent PRs, enter plan mode again once CI is green for the previous PR.
---
## Phase 3: Implement
### 3.1 Create a Branch
```bash
git checkout -b <user>/<short-description> main
```
### 3.2 Write Code
Implement the changes from the plan. Follow these principles:
- **Match existing patterns**: Don't invent new conventions. Study the codebase and follow what's there.
- **Design for siblings**: If related stories will extend this code, use interfaces and clear extension points. But don't build speculative abstractions — just leave the door open.
- **Tests are not optional**: Every AC that says "Unit:" or "E2E:" must have a corresponding test. Write tests as you go, not at the end.
- **Core vs integration**: Core domain logic (algorithms, data structures, config
parsing) can be introduced standalone — it's a testable unit of behavior.
Integration concerns (protocol adapters, transport-specific formatting,
middleware glue) should be introduced alongside the code that consumes them.
If nothing in the PR calls a function, ask whether it belongs in a later PR.
- **Don't ship unused config surface**: If a story explicitly marks something
as out of scope, do not add config fields, CRD attributes, or API surface
for it. Design internal interfaces to be extensible, but only introduce
user-facing configuration when the corresponding logic ships in the same PR.
### 3.3 Commit Per the Plan
Follow the commit boundaries from the plan. Each commit should:
- Be independently compilable (`go build ./...` passes)
- Have a clear, descriptive message
- Group related changes (e.g., don't mix CRD type changes with middleware logic)
### 3.4 Run Regeneration Tasks
After changes that affect generated artifacts, run the appropriate tasks:
| Change Type | Regeneration Command |
|-------------|---------------------|
| CRD type definitions (`api/v1beta1/*_types.go`) | `task operator-manifests operator-generate` |
| Mock interfaces | `task gen` |
| CLI commands or API endpoints | `task docs` |
| Helm chart values | `task helm-docs` |
| Any Go file | `task license-fix` |
Run these **before committing** the related changes. Include the generated output in the same commit as the trigger.
---
## Phase 4: Create PR
### 4.1 Push and Create PR
Follow the PR template at `.github/pull_request_template.md` and the rules in `.claude/rules/pr-creation.md`:
- Title: under 70 chars, imperative mood, no conventional commit prefix
- Summary: why first, then what. Reference the issue with `Closes #XXXX`
- Type of change: check exactly one
- Test plan: check every verification step actually run
### 4.2 Verify AC Coverage
Before submitting, review each acceptance criterion from the issue:
- [ ] Is there code that implements it?
- [ ] Is there a test that verifies it?
- [ ] Has the test passed?
If any AC is not covered, either implement it or flag it to the user with a reason.
### 4.3 Babysit CI
After pushing, monitor CI status:
```bash
gh pr checks <pr-number> --repo stacklok/toolhive --watch
```
If CI fails:
1. Read the failure logs
2. Fix the issue
3. Push the fix as a new commit (don't amend — keep the history clean for review)
4. Re-check CI
### 4.4 Multi-PR Workflow
If the story spans multiple PRs:
1. Create the first PR targeting `main`
2. After merge, create subsequent PRs targeting `main`
3. Each PR references the story issue (`Part of #XXXX`)
4. The final PR uses `Closes #XXXX`
---
## Edge Cases
- **AC references another story**: If an acceptance criterion depends on work from another story (e.g., "STORY-001 core middleware exists"), check if that story is merged. If not, flag it to the user.
- **Generated code is large**: CRD manifest regeneration can produce hundreds of lines of diff. This is expected — note it in the PR description under "Special notes for reviewers."
- **Tests require infrastructure**: E2E tests may need a Kind cluster, Redis, or Keycloak. Document the setup in the test plan. Don't skip the test — write it even if the user will run it separately.
- **RFC is ambiguous**: If the RFC doesn't specify a detail needed for implementation, make a pragmatic choice, document it in a code comment, and flag it in the PR description.
================================================
FILE: .claude/skills/pr-review/EXAMPLES-INLINE.md
================================================
# PR Inline Review Examples
Common use cases and examples for submitting PR reviews with inline comments.
## Example 1: Simple Inline Review (No Suggestions)
**Use case**: Pointing out issues that require discussion or complex fixes
**Command:**
```bash
gh api -X POST repos/stacklok/toolhive/pulls/2165/reviews --input /tmp/pr-review-comments.json
```
**JSON:**
```json
{
"body": "Found several architectural concerns that need discussion",
"event": "COMMENT",
"comments": [
{
"path": "docs/arch/02-core-concepts.md",
"line": 605,
"body": "This diagram doesn't accurately reflect the actual architecture. The Workload struct only contains metadata, not direct references to Runtime and Transport. These relationships are managed by WorkloadManager and Runner.\n\nWe should discuss how to simplify this while keeping it accurate.\n\nEvidence: pkg/core/workload.go, pkg/workloads/manager.go"
},
{
"path": "pkg/runner/config.go",
"line": 136,
"body": "The documentation mentions only 8 fields but RunConfig has 39 serializable fields. Should we document all of them or create a categorized reference?\n\nEvidence: pkg/runner/config.go:32-157"
}
]
}
```
**When to use:**
- Issues require discussion or design decisions
- Changes are too complex for inline suggestions
- Multiple files need coordinated changes
- User needs to provide context or make choices
---
## Example 2: Quick Fixes with Suggestions
**Use case**: Simple corrections that can be committed directly
**JSON:**
```json
{
"body": "Documentation corrections with suggested fixes",
"event": "COMMENT",
"comments": [
{
"path": "docs/arch/02-core-concepts.md",
"line": 238,
"body": "File path reference is incorrect: `pkg/registry/registry.go` does not exist.\n\n```suggestion\n- Registry manager: `pkg/registry/provider.go`\n```\n\nThe registry functionality is split across multiple files in `pkg/registry/`.\n\nEvidence: Verified via codebase exploration"
},
{
"path": "docs/arch/02-core-concepts.md",
"line": 597,
"body": "File path is incorrect.\n\n```suggestion\n- Health checker: `pkg/healthcheck/healthcheck.go`\n```\n\nEvidence: Verified via codebase exploration"
},
{
"path": "docs/arch/02-core-concepts.md",
"line": 127,
"body": "Middleware type name is incorrect. The code uses `authorization`, not `authz`.\n\n```suggestion\n7. **Authorization** (`authorization`) - Cedar policy evaluation\n```\n\nEvidence: pkg/authz/middleware.go:211"
}
]
}
```
**When to use:**
- Typos or incorrect file paths
- Simple one-line corrections
- Version numbers or constants
- Formatting fixes
---
## Example 3: Mixed Review (Some with Suggestions, Some Without)
**Use case**: Combination of quick fixes and items needing discussion
**JSON:**
```json
{
"body": "Documentation review: found quick fixes and items for discussion",
"event": "COMMENT",
"comments": [
{
"path": "docs/arch/02-core-concepts.md",
"line": 329,
"body": "Command examples are incorrect:\n\n```suggestion\n- `thv client list-registered` - List all registered clients\n- `thv client setup` - Interactively setup clients\n- `thv client status` - Show installation status\n- `thv client register <client>` - Register a specific client\n- `thv client remove <client>` - Remove a client\n```\n\nEvidence: cmd/thv/app/client.go:36-41"
},
{
"path": "docs/arch/02-core-concepts.md",
"line": 136,
"body": "The key fields list is incomplete. RunConfig has 39 serializable fields, but only 8 are listed here.\n\nNotable missing fields include: `name`, `cmdArgs`, `secrets`, `oidcConfig`, `authzConfig`, `auditConfig`, `telemetryConfig`, `group`, `toolsFilter`, `toolsOverride`, `isolateNetwork`, `proxyMode`, and many others.\n\nShould we either:\n1. Categorize fields by purpose (Identity, Security, Middleware, etc.), or\n2. Add a reference to the complete list in `05-runconfig-and-permissions.md`?\n\nEvidence: pkg/runner/config.go:32-157"
},
{
"path": "docs/arch/02-core-concepts.md",
"line": 627,
"body": "The request flow diagram is incomplete. It shows only 4 middleware types but there are 8 middleware types defined in the codebase.\n\nMissing middleware: Token Exchange, Tool Filter, Tool Call Filter, and Telemetry.\n\nComplete flow should include:\n`Auth → [Token Exchange] → [Tool Filter] → [Tool Call Filter] → Parser → [Telemetry] → [Authorization] → [Audit] → Container`\n\n(Brackets indicate conditional middleware that are only present if configured)\n\nEvidence: pkg/runner/middleware.go:16-27"
}
]
}
```
**When to use:**
- Mix of simple and complex issues
- Some items have clear fixes, others need discussion
- Want to provide suggestions where possible but leave complex items open
---
## Example 4: Multi-line Suggestion
**Use case**: Fixing multiple lines or a larger code block
**JSON:**
```json
{
"body": "Correcting middleware list with complete and accurate information",
"event": "COMMENT",
"comments": [
{
"path": "docs/arch/02-core-concepts.md",
"line": 110,
"body": "The middleware list should include all 8 types with the correct name for Authorization:\n\n```suggestion\n**Eight middleware types:**\n\n1. **Authentication** (`auth`) - JWT token validation\n2. **Token Exchange** (`tokenexchange`) - OAuth token exchange\n3. **MCP Parser** (`mcp-parser`) - JSON-RPC parsing\n4. **Tool Filter** (`tool-filter`) - Filter and override tools in `tools/list` responses\n5. **Tool Call Filter** (`tool-call-filter`) - Validate and map `tools/call` requests\n6. **Telemetry** (`telemetry`) - OpenTelemetry instrumentation\n7. **Authorization** (`authorization`) - Cedar policy evaluation\n8. **Audit** (`audit`) - Request logging\n```\n\nEvidence: pkg/runner/middleware.go:16-27, pkg/authz/middleware.go:211"
}
]
}
```
**When to use:**
- Correcting lists or tables
- Updating code blocks
- Fixing multiple related lines together
- Ensuring consistent formatting across lines
---
## Example 5: Request Changes (Blocking Review)
**Use case**: Critical issues that must be fixed before merge
**JSON:**
```json
{
"body": "Critical inaccuracies found in documentation that must be corrected before merge",
"event": "REQUEST_CHANGES",
"comments": [
{
"path": "docs/arch/02-core-concepts.md",
"line": 238,
"body": "**CRITICAL**: This file path does not exist and will break documentation links.\n\n```suggestion\n- Registry manager: `pkg/registry/provider.go`\n```\n\nEvidence: Verified via codebase exploration"
},
{
"path": "docs/arch/02-core-concepts.md",
"line": 329,
"body": "**CRITICAL**: These commands don't exist and users will get errors if they try to use them.\n\n```suggestion\n- `thv client list-registered` - List all registered clients\n- `thv client setup` - Interactively setup clients\n- `thv client status` - Show installation status\n```\n\nEvidence: cmd/thv/app/client.go:36-41"
}
]
}
```
**When to use:**
- Critical bugs or security issues
- Documentation that will mislead users
- Breaking changes without proper migration
- Must be fixed before merge
---
## Example 6: Approval with Minor Suggestions
**Use case**: Approving PR but offering optional improvements
**JSON:**
```json
{
"body": "LGTM! Just a few minor suggestions for improvement.",
"event": "APPROVE",
"comments": [
{
"path": "docs/arch/02-core-concepts.md",
"line": 597,
"body": "Minor: This file path could be more accurate.\n\n```suggestion\n- Health checker: `pkg/healthcheck/healthcheck.go`\n```\n\n(Not blocking - can be fixed in a follow-up if preferred)\n\nEvidence: Verified via codebase exploration"
}
]
}
```
**When to use:**
- PR is generally good, minor improvements available
- Non-blocking suggestions for quality improvements
- Optional refactoring or cleanup suggestions
- Style or consistency improvements
---
## Tips for Each Scenario
### For Simple Reviews (No Suggestions)
- Focus on clear problem descriptions
- Ask questions when context is needed
- Provide references to relevant code
- Suggest next steps or alternatives
### For Reviews with Suggestions
- Always read the current content first
- Match the existing formatting exactly
- Test the suggestion if possible
- Keep suggestions focused and minimal
### For Mixed Reviews
- Put suggestions first (quick wins)
- Group related comments together
- Use clear markdown formatting
- Distinguish between blocking and non-blocking issues
### For Blocking Reviews
- Use `REQUEST_CHANGES` event
- Mark critical items clearly (e.g., **CRITICAL**)
- Provide suggestions where possible for faster resolution
- Explain impact of not fixing the issue
### For Approvals
- Use `APPROVE` event
- Mark suggestions as optional/non-blocking
- Acknowledge good work in the summary
- Keep suggestions truly minor/optional
================================================
FILE: .claude/skills/pr-review/EXAMPLES-REPLY.md
================================================
# PR Review Reply Examples
Common scenarios with actual commands for replying to and resolving GitHub PR review comments.
## Example 1: Simple "Fixed in Commit" Reply
**Scenario:** Copilot suggested fixing nolint comment spacing. You fixed it in commit c4bb55d.
### Step 1: Get the comment ID
```bash
gh api repos/stacklok/toolhive-registry-server/pulls/20/comments | jq '.[] | {id, path, line, body: .body[0:100], author: .user.login}'
```
**Output:**
```json
{
"id": 2445150488,
"path": "pkg/versions/version.go",
"line": 24,
"body": "Corrected spacing in nolint comment...",
"author": "copilot-pull-request-reviewer"
}
```
### Step 2: Reply to the comment
```bash
gh api -X POST repos/stacklok/toolhive-registry-server/pulls/20/comments/2445150488/replies \
-f body="Fixed in c4bb55d"
```
### Step 3: Get the thread ID
```bash
gh api graphql -f query='
query {
repository(owner: "stacklok", name: "toolhive-registry-server") {
pullRequest(number: 20) {
reviewThreads(first: 20) {
nodes {
id
isResolved
comments(first: 5) {
nodes {
id
body
author { login }
}
}
}
}
}
}
}' | jq '.data.repository.pullRequest.reviewThreads.nodes[] | select(.comments.nodes[0].id == 2445150488) | {threadId: .id, isResolved}'
```
**Output:**
```json
{
"threadId": "PRRT_kwDOP_5nS85emMpx",
"isResolved": false
}
```
### Step 4: Resolve the thread
```bash
gh api graphql -f query='
mutation {
resolveReviewThread(input: {threadId: "PRRT_kwDOP_5nS85emMpx"}) {
thread {
id
isResolved
}
}
}'
```
**Output:**
```json
{
"data": {
"resolveReviewThread": {
"thread": {
"id": "PRRT_kwDOP_5nS85emMpx",
"isResolved": true
}
}
}
}
```
---
## Example 2: Batch Processing Multiple Fixed Comments
**Scenario:** Multiple comments fixed in the same commit. Process them all at once.
### Step 1: Get all unresolved comments
```bash
gh api graphql -f query='
query {
repository(owner: "stacklok", name: "toolhive-registry-server") {
pullRequest(number: 20) {
reviewThreads(first: 20) {
nodes {
id
isResolved
comments(first: 10) {
nodes {
id
path
line
body
author { login }
}
}
}
}
}
}
}' | jq '.data.repository.pullRequest.reviewThreads.nodes[] | select(.isResolved == false)'
```
### Step 2: Present to user for approval
```
Found 2 unresolved threads fixed in commit c4bb55d:
1. pkg/versions/version.go:24 - "Fix nolint spacing"
2. cmd/thv-registry-api/app/commands.go:53 - "Handle GetString error"
Reply "Fixed in c4bb55d" to both and resolve? (y/n)
```
### Step 3: Reply to each comment (if user approves)
```bash
# Reply to first comment
gh api -X POST repos/stacklok/toolhive-registry-server/pulls/20/comments/2445150488/replies \
-f body="Fixed in c4bb55d"
# Reply to second comment
gh api -X POST repos/stacklok/toolhive-registry-server/pulls/20/comments/2445150511/replies \
-f body="Fixed in c4bb55d"
```
### Step 4: Resolve both threads
```bash
# Resolve first thread
gh api graphql -f query='
mutation {
resolveReviewThread(input: {threadId: "PRRT_kwDOP_5nS85emMpx"}) {
thread { id isResolved }
}
}'
# Resolve second thread
gh api graphql -f query='
mutation {
resolveReviewThread(input: {threadId: "PRRT_kwDOP_5nS85emMqG"}) {
thread { id isResolved }
}
}'
```
---
## Example 3: Answering a Question (Don't Auto-Resolve)
**Scenario:** Reviewer asks why you chose a specific approach. Answer but wait for acknowledgment.
### Step 1: Draft response for user approval
```
Reviewer asked: "Why use buffered channel here?"
Draft response:
"Good question! The buffered channel prevents blocking when the producer
is faster than the consumer. In our case, the metrics collector can
generate events faster than the writer can persist them, so the buffer
(size 100) acts as a temporary queue to smooth out the bursts.
Alternative would be unbuffered channel, but that would slow down the
collector. I've added a comment in the code to explain this trade-off."
Send this response? (y/n/edit)
```
### Step 2: Send reply (after user approval)
```bash
gh api -X POST repos/stacklok/toolhive-registry-server/pulls/20/comments/2445160000/replies \
-f body="Good question! The buffered channel prevents blocking when the producer is faster than the consumer. In our case, the metrics collector can generate events faster than the writer can persist them, so the buffer (size 100) acts as a temporary queue to smooth out the bursts.
Alternative would be unbuffered channel, but that would slow down the collector. I've added a comment in the code to explain this trade-off."
```
### Step 3: Don't resolve yet
**Important:** Leave the thread unresolved until the reviewer acknowledges or approves your answer.
---
## Example 4: Disagree Respectfully
**Scenario:** Reviewer suggests a change you don't think is needed. Explain your reasoning.
### Step 1: Draft respectful disagreement
```
Reviewer suggested: "Extract this into a separate function"
Draft response:
"I considered this, but decided against it for a few reasons:
1. The logic is only used once in this specific context
2. Extracting would require passing 4 parameters
3. The current form keeps the error handling localized
However, if you feel strongly about it, I'm happy to refactor! Let me
know your thoughts.
Related discussion: https://github.com/org/repo/discussions/123"
Send this response? (y/n/edit)
```
### Step 2: Send and wait for discussion
Don't resolve - this is now a discussion thread. Resolve only after reaching agreement.
---
## Example 5: Already Fixed in Earlier Commit
**Scenario:** Reviewer comments on something already fixed before the review was submitted.
### Response:
```bash
gh api -X POST repos/stacklok/toolhive-registry-server/pulls/20/comments/2445170000/replies \
-f body="Good catch! This was actually already fixed in an earlier commit (ab956b8) before this review. The updated code now handles this case correctly.
See: https://github.com/stacklok/toolhive-registry-server/commit/ab956b8#diff-abc123"
```
Then resolve immediately since it's already addressed.
---
## Example 6: Need More Context
**Scenario:** Review comment isn't clear. Ask for clarification.
### Response:
```bash
gh api -X POST repos/stacklok/toolhive-registry-server/pulls/20/comments/2445180000/replies \
-f body="Thanks for the feedback! Could you clarify what you mean by 'handle the edge case'?
Are you referring to:
- When the input is nil?
- When the slice is empty?
- When the index is out of bounds?
Once I understand which case you're concerned about, I'll make sure it's properly handled."
```
Leave unresolved until clarified and fixed.
---
## Example 7: Acknowledge Non-Blocking Suggestion
**Scenario:** Reviewer made an optional suggestion you won't implement right now.
### Response:
```bash
gh api -X POST repos/stacklok/toolhive-registry-server/pulls/20/comments/2445190000/replies \
-f body="Great suggestion! I agree this would be a nice improvement.
For this PR, I'd like to keep the scope focused on the immediate fix, but I've created issue #456 to track this enhancement for a future PR.
Thanks for the idea!"
```
Resolve after user approves (since you've addressed it by creating an issue).
---
## Command Reference
### Get all PR comments with details
```bash
gh api repos/{owner}/{repo}/pulls/{pr}/comments | \
jq '.[] | {id, path, line, author: .user.login, body: .body[0:100]}'
```
### Reply to a specific comment
```bash
gh api -X POST repos/{owner}/{repo}/pulls/{pr}/comments/{comment_id}/replies \
-f body="Your reply message"
```
### Get all review threads (to find thread IDs)
```bash
gh api graphql -f query='
query {
repository(owner: "{owner}", name: "{repo}") {
pullRequest(number: {pr}) {
reviewThreads(first: 20) {
nodes {
id
isResolved
comments(first: 10) {
nodes {
id
body
author { login }
}
}
}
}
}
}
}'
```
### Find thread ID for a specific comment
```bash
gh api graphql -f query='...' | \
jq '.data.repository.pullRequest.reviewThreads.nodes[] |
select(.comments.nodes[0].id == COMMENT_ID) |
{threadId: .id, isResolved}'
```
### Resolve a thread
```bash
gh api graphql -f query='
mutation {
resolveReviewThread(input: {threadId: "{thread_id}"}) {
thread {
id
isResolved
}
}
}'
```
### Unresolve a thread (if needed)
```bash
gh api graphql -f query='
mutation {
unresolveReviewThread(input: {threadId: "{thread_id}"}) {
thread {
id
isResolved
}
}
}'
```
---
## Tips for Each Scenario
### For "Fixed in Commit" Responses
- Include the short SHA (first 7 chars)
- Optionally link to the commit or diff
- Resolve immediately after replying
- Batch process multiple if same commit
### For Questions
- Draft answer first, get user approval
- Be thorough but concise
- Include links to relevant docs/code
- Don't auto-resolve - wait for acknowledgment
### For Disagreements
- Be respectful and explain reasoning
- Offer alternatives or compromise
- Link to relevant discussions or standards
- Never resolve - let discussion conclude naturally
### For Clarifications
- Ask specific questions
- Offer multiple interpretations
- Be open to learning
- Resolve only after understanding and fixing
### For Optional Suggestions
- Acknowledge the value
- Explain if deferring (create issue)
- Thank the reviewer
- Can resolve if properly acknowledged
================================================
FILE: .claude/skills/pr-review/SKILL.md
================================================
---
name: pr-review
description: Submit inline review comments to GitHub PRs and reply to/resolve review threads using the GitHub CLI and GraphQL API.
---
# PR Review
Submit inline review comments to GitHub Pull Requests and reply to/resolve review threads using the GitHub CLI.
## Prerequisites
- GitHub CLI (`gh`) must be installed and authenticated
- User must have write access to the repository
- PR must exist and be open
---
## Part 1: Submitting Inline Review Comments
### Workflow
1. **Collect findings**: The user will provide you with:
- Repository owner and name (or detect from current directory)
- PR number
- A list of findings, each containing:
- File path (relative to repo root)
- Line number
- Comment body/description
- (Optional) Suggested fix if it's a simple change
2. **Read current content**: If providing suggestions, use the Read tool to see the exact current content
3. **Create review JSON**: Build a JSON structure at `/tmp/pr-review-comments.json`:
```json
{
"body": "Overall review summary",
"event": "COMMENT",
"comments": [
{
"path": "path/to/file.ext",
"line": 123,
"body": "Comment text with optional suggestion"
}
]
}
```
4. **Submit review**: Use GitHub CLI:
```bash
gh api -X POST repos/{owner}/{repo}/pulls/{pr_number}/reviews --input /tmp/pr-review-comments.json
```
5. **Return URL**: Extract and return the review URL from the response
### JSON Structure
#### Top-level fields
- `body` (required): Overall review summary
- `event` (required): `"COMMENT"`, `"APPROVE"`, or `"REQUEST_CHANGES"`
- `comments` (required): Array of comment objects
#### Comment object fields
- `path` (required): File path relative to repository root
- `line` (required): Line number (positive integer)
- `body` (required): Comment text (supports markdown)
### Inline Code Suggestions
GitHub supports inline code suggestions that users can commit directly from the PR UI.
#### When to Use Suggestions
**Good candidates:**
- Fixing typos or incorrect file paths
- Correcting simple syntax errors
- Updating version numbers or constants
- Renaming variables or functions
- Fixing formatting or indentation
- Adding missing content
**Not suitable:**
- Complex logic changes requiring multiple files
- Changes that need testing or validation
- Architectural changes requiring discussion
- Changes requiring user decision/context
#### Suggestion Syntax
**Single-line:**
````markdown
Description of the issue.
```suggestion
corrected line of code
```
Evidence: reference
````
**Multi-line:**
````markdown
Description of the issue.
```suggestion
first corrected line
second corrected line
third corrected line
```
Evidence: reference
````
### Submitting Best Practices
- Be specific with line numbers and file paths
- Provide evidence (link to code/documentation)
- Be constructive - suggest fixes, not just problems
- Use markdown formatting for clarity
- Include context explaining why it's an issue
#### When Including Suggestions
1. Read the current line(s) using Read tool first
2. Provide exact replacement text
3. Match existing formatting and style
4. Verify syntax is correct
5. One suggestion block per comment
#### Review Strategy
1. Group related findings into a single review
2. Put simple fixes with suggestions first
3. Use appropriate event type
4. Write clear summary in `body`
### Output Format
Report after submission:
- Review ID and URL
- Number of comments submitted
- Number with suggestions
- PR title and number
---
## Part 2: Replying to and Resolving Review Comments
### Workflow
#### 1. Gather Review Comments
Fetch all review comments from the PR and present them organized by:
- Status: unresolved vs resolved
- Type: suggestions, questions, nitpicks, critical issues
- Author: group by reviewer
**For each comment show:**
- Author and timestamp
- File and line number
- Comment body
- Any existing replies
- Resolution status
#### 2. Analyze and Recommend
For each unresolved comment, provide a recommendation:
**If code needs fixing:**
- "Recommendation: Fix the issue, then reply with commit SHA and resolve"
**If it's a question:**
- "Recommendation: Answer the question, wait for acknowledgment before resolving"
**If it's a suggestion to consider:**
- "Recommendation: Discuss trade-offs, decide with user whether to implement"
**If already addressed:**
- "Recommendation: Reply with commit reference and resolve immediately"
#### 3. Get User Decisions
**Present summary:**
```
Found 5 unresolved review comments:
1. [Critical] pkg/versions/version.go:24 - @Copilot
"Fix nolint spacing"
Status: Fixed in commit c4bb55d
Recommendation: Reply "Fixed in c4bb55d" and resolve
2. [Question] pkg/server/handler.go:45 - @reviewer
"Why use buffered channel here?"
Status: Needs answer
Recommendation: Draft response for your review
How would you like to proceed?
- Reply and resolve all fixed items (1)
- Draft responses for questions (2)
- Process individually
- Custom approach
```
#### 4. Execute User's Choice
Based on user decisions:
- Draft reply messages for approval
- Submit replies after user confirms
- Resolve threads only when user approves
#### 5. Report Results
After processing, show:
- What was done (replied/resolved)
- What remains (still needs attention)
- Any errors or issues
- Next steps if any
### Interactive Decision Points
#### Before Replying
**Ask:** "Here's my draft reply: '{message}'. Send this?"
- User can edit, approve, or skip
#### Before Resolving
**Ask:** "Mark this thread as resolved?"
- Only if issue is truly addressed
- User may want to wait for reviewer acknowledgment
#### For Bulk Operations
**Ask:** "I found 5 comments fixed in commit abc123. Reply 'Fixed in abc123' to all and resolve?"
- Show list of affected comments
- Let user review before executing
### Reply Best Practices
- **Be specific**: Reference commit SHAs when applicable
- **Be helpful**: Explain reasoning, not just "fixed"
- **Be respectful**: Thank reviewers for feedback
- **Use markdown**: Format code, lists, links
### When to Resolve
**Resolve when:**
- Issue is fixed and committed
- Question answered and acknowledged
- Discussion concluded with agreement
- User confirms it's complete
**Don't auto-resolve:**
- Without user confirmation
- When still discussing
- When waiting for reviewer response
- When unsure about the fix
---
## Command Reference
### Submit a review
```bash
gh api -X POST repos/{owner}/{repo}/pulls/{pr}/reviews --input /tmp/pr-review-comments.json
```
### Get all PR comments with details
```bash
gh api repos/{owner}/{repo}/pulls/{pr}/comments | \
jq '.[] | {id, path, line, author: .user.login, body: .body[0:100]}'
```
### Reply to a specific comment
```bash
gh api -X POST repos/{owner}/{repo}/pulls/{pr}/comments/{comment_id}/replies \
-f body="Your reply message"
```
### Get all review threads (to find thread IDs)
```bash
gh api graphql -f query='
query {
repository(owner: "{owner}", name: "{repo}") {
pullRequest(number: {pr}) {
reviewThreads(first: 20) {
nodes {
id
isResolved
comments(first: 10) {
nodes {
id
body
author { login }
}
}
}
}
}
}
}'
```
### Resolve a thread
```bash
gh api graphql -f query='
mutation {
resolveReviewThread(input: {threadId: "{thread_id}"}) {
thread {
id
isResolved
}
}
}'
```
### Unresolve a thread
```bash
gh api graphql -f query='
mutation {
unresolveReviewThread(input: {threadId: "{thread_id}"}) {
thread {
id
isResolved
}
}
}'
```
## Error Handling
- **401 Unauthorized**: Run `gh auth login`
- **404 Not Found**: Verify PR number and repo access
- **422 Unprocessable Entity**: Check JSON format
- **Invalid line number**: Ensure line exists at PR's commit
## See Also
- [Inline Review Examples](EXAMPLES-INLINE.md) - Examples of submitting review comments
- [Reply Examples](EXAMPLES-REPLY.md) - Examples of replying to and resolving review comments
================================================
FILE: .claude/skills/release-notes/SKILL.md
================================================
---
name: release-notes
description: Generates polished GitHub release notes for a ToolHive release by analyzing every merged PR, cross-referencing linked issues, dispatching expert agents to assess breaking changes, and producing a formatted release body. Use when the user provides a GitHub release URL, tag name, or says "release notes".
---
# Release Notes Generator
Produces publication-ready GitHub release notes by deeply analyzing every PR
merged between two version tags.
## Arguments
```
/release-notes https://github.com/stacklok/toolhive/releases/tag/v0.18.0
/release-notes v0.18.0
```
**Input**: `$ARGUMENTS` — a GitHub release URL or a tag name.
---
## Phase 1: Gather Raw Data
### Step 1: Resolve the release and prior tag
```bash
# If given a URL, extract the tag from the path
# Then find the immediately preceding release tag
gh release view <tag> --json tagName,name,body,publishedAt
git tag --sort=-v:refname | grep -A1 "^<tag>$" | tail -1
```
Store:
- `CURRENT_TAG` (e.g., `v0.18.0`)
- `PREVIOUS_TAG` (e.g., `v0.17.0`)
- `PUBLISHED_AT` date
### Step 2: Get the auto-generated changelog
Fetch the existing release body. GitHub's auto-generated "What's Changed" block
(PR title by @author with links) will be preserved verbatim as the commit log
at the bottom of the final output. Save it as `AUTO_CHANGELOG`.
### Step 3: List all PRs between tags
```bash
gh api repos/stacklok/toolhive/compare/{PREVIOUS_TAG}...{CURRENT_TAG} \
--jq '.commits[] | "\(.sha[0:8]) \(.commit.message | split("\n")[0])"'
```
Extract every PR number from commit messages (look for `(#NNNN)` suffixes).
Exclude the release PR itself (e.g., "Release vX.Y.Z").
### Step 3b: Separate dependency PRs
Filter out PRs authored by `renovate[bot]`, `dependabot[bot]`, or with labels
containing `dependencies`. These go directly into the **Dependencies** section —
they do not need expert review or further classification. Record them separately.
### Step 4: Fetch PR details
For each PR, fetch:
- Title, labels, body
- Whether the "Breaking change" checkbox is checked in the body
- Linked issues (look for `Closes #N`, `Fixes #N`, `Part of #N`, `Resolves #N`)
- Migration guide content (if present in the PR body)
```bash
gh pr view <number> --json title,labels,body
```
### Step 5: Fetch linked issue details
For each unique linked issue number, fetch title and labels:
```bash
gh issue view <number> --json title,labels
```
### Step 6: Identify new contributors
Check the auto-generated changelog for the "New Contributors" section. Extract
author handles.
---
## Phase 2: Classify Changes
### Step 1: Initial triage
Dependency PRs (from Step 3b) are already separated — skip them here.
Categorize each remaining PR into one of the categories below. Check the
signals **in this priority order** — earlier signals are more reliable:
1. **Linked issue labels** — if the linked issue has a `breaking-change` label,
classify as Breaking regardless of whether the PR checkbox is checked.
2. **PR body content** — look for explicit "breaking" mentions, removal of
fields/APIs, or JSON tag renames. Note: a migration guide alone does NOT
mean breaking — deprecations often include migration guides too. The key
question is whether the old behavior/field/API **still works**. If yes,
it's a deprecation. If no, it's breaking.
3. **PR labels** — `breaking`, `enhancement`, `bug`, etc.
4. **Breaking change checkbox** — least reliable; often unchecked even on
genuinely breaking PRs.
| Category | Criteria |
|----------|----------|
| **Breaking** | Old behavior/field/API **no longer works** — linked issue labeled `breaking-change`, OR "Breaking change" checkbox checked, OR PR labels contain `breaking`, OR PR removes fields/endpoints/flags without backwards compatibility |
| **Deprecation** | PR introduces new deprecation warnings or marks fields as deprecated |
| **New Feature** | Labels contain `enhancement`/`feature`, OR PR adds new user-facing capability |
| **Bug Fix** | Labels contain `bug`, OR PR title/body indicates a fix |
| **Misc** | Everything else — refactors, test improvements, CI, docs, internal cleanup |
**Overlap rule:** If a PR belongs to multiple categories (e.g., both a new
feature AND a breaking change), always classify it in the **most urgent**
category. The priority order is: Breaking > Deprecation > Bug Fix > New Feature > Misc.
The PR can still be mentioned in a secondary section (e.g., a breaking API
change can also appear under New Features for its positive user impact), but its
primary home is always the most urgent category.
### Step 2: Identify ambiguous PRs
Any PR that touches CRD types, API surfaces, wire formats, authentication flows,
or MCP protocol behavior but is NOT already classified as breaking needs expert
review. Flag these for Phase 3.
Heuristics for flagging:
- Modifies files in `cmd/thv-operator/api/` or CRD manifests
- Changes JSON/YAML struct tags (especially renames — these cause silent etcd
data loss on existing resources)
- Removes CRD fields, API fields, CLI flags, or enum values
- Alters authentication, token handling, or middleware wiring
- Changes MCP message formats or transport behavior
- Renames or removes public Go types/methods consumed by external packages
- Changes default values, config semantics, or HTTP status codes
For flagged PRs, always fetch the diff summary so agents have concrete data:
```bash
gh pr diff <number> --stat
```
---
## Phase 3: Expert Breaking-Change Assessment
### Step 1: Map PRs to expert agents
For flagged PRs and confirmed breaking PRs, dispatch the appropriate expert
agent to assess impact and write migration guidance.
| Change Area | Agent | What to ask |
|-------------|-------|-------------|
| CRD types, operator, Helm | `kubernetes-expert` | Is this a breaking CRD change? What manifests break? What's the migration path? |
| MCP transport, protocol messages | `mcp-protocol-expert` | Does this break MCP clients or change wire behavior? |
| Auth flows, OIDC, tokens, Cedar | `oauth-expert` | Does this break existing auth configurations? |
| API endpoints, CLI commands | `toolhive-expert` | Does this break CLI users or API consumers? |
| Observability, metrics, tracing | `site-reliability-engineer` | Does this change metric names, trace attributes, or dashboard contracts? |
### Step 2: Launch agents in parallel
For each flagged PR, include in the agent prompt:
- The PR title, number, and full body
- The linked issue title and body (if any)
- The diff summary (`gh pr diff <number> --stat`)
- The question: "Is this a breaking change? If yes, who is affected and what is
the migration path? If no, explain why it's safe."
**When a PR has no labels, no checkbox, no migration guide, and no issue
references** — the agent MUST read the actual code changes to make a
determination. Tell the agent to examine the PR diff and the affected source
files directly rather than relying on metadata. This is the fallback for
under-documented PRs.
**Launch all agents in a single message** so they run in parallel.
### Step 3: Collect verdicts
Each agent returns one of:
- **Breaking** — with affected audience, impact description, and migration steps
- **Deprecation** — with timeline and recommended replacement
- **Not breaking** — with rationale for why it's safe
Update the classification from Phase 2 with agent verdicts. If an agent
overrides the initial classification (e.g., flags something as breaking that
wasn't initially caught), trust the domain expert.
---
## Phase 4: Compose Release Notes
Read the template at [TEMPLATE.md](TEMPLATE.md) and use it to assemble the
final release body. **Omit any section that has zero entries** — do not include
empty headers.
---
## Phase 5: Present and Publish
### Step 1: Present the draft
Show the complete release notes to the user. Highlight:
- How many breaking changes were found (and which agents confirmed them)
- Any PRs where the breaking-change assessment was uncertain
- Any PRs with no linked issues (less context available)
### Step 2: Wait for approval
Ask:
> "Ready to publish these release notes?
> 1. **Publish** — update the GitHub release with these notes
> 2. **Revise** — tell me what to change
> 3. **Export** — save to a file instead of publishing"
### Step 3: Save to file
Always write the final release notes to `release-notes-<tag>.md` in the repo
root (e.g., `release-notes-v0.19.0.md`). This gives the user a reviewable
artifact before anything is published.
### Step 4: Publish (if approved)
If the user chose "Publish", push the notes to the GitHub release:
```bash
gh release edit <CURRENT_TAG> --notes-file release-notes-<tag>.md
```
---
## Important Notes
- **Read every PR body** — do not skip PRs or rely only on titles. The breaking
change checkbox, migration guides, and linked issues are in the body.
- **Cross-reference issues** — issue labels and descriptions often contain
context that the PR body lacks (e.g., an issue labeled `breaking` when the PR
isn't).
- **Trust expert agents** for domain-specific breaking-change assessments. If
the kubernetes-expert says a CRD change is breaking, it is breaking.
- **When in doubt, flag it** — it's better to ask the user about a potentially
breaking change than to miss it. Present the evidence and let them decide.
- **Preserve the auto-generated changelog verbatim** — do not reformat, reorder,
or edit the GitHub "What's Changed" block. It's the raw record.
- **Omit empty sections** — if there are no breaking changes, no deprecations,
or no new contributors, leave those sections out entirely. Do not include
headers with no content beneath them.
## Usage Examples
```
/release-notes https://github.com/stacklok/toolhive/releases/tag/v0.18.0
/release-notes v0.18.0
/release-notes v0.15.0
```
================================================
FILE: .claude/skills/release-notes/TEMPLATE.md
================================================
# Release Notes Template
Use this template to produce the final release notes body. Omit any section
that has zero entries — do not include empty headers.
Replace placeholders (`<...>`) with actual content. Emoji shortcodes are written
literally here for clarity — render them as actual emoji in the final output.
---
```markdown
# 🚀 **Toolhive vX.Y.Z is live!**
<one-to-two sentence theme summary of this release>
## ⚠️ Breaking Changes
<for each breaking change:>
- **<title>** — <one-liner: what breaks and what to do> ([migration guide](#migration-guide-anchor))
<for each breaking change, a collapsible migration guide:>
<details>
<summary><strong>Migration guide: <title></strong></summary>
<description of who is affected>
### Before
```yaml
<old manifest or config>
```
### After
```yaml
<new manifest or config>
```
### Migration steps
1. <step>
2. <step>
3. <step>
*PR: [#NNN](https://github.com/stacklok/toolhive/pull/NNN) — Closes [#NNN](https://github.com/stacklok/toolhive/issues/NNN)*
</details>
## 🔄 Deprecations
<for each NEW deprecation in this release — do not carry forward old ones:>
- **`field.or.feature`** deprecated in favour of `replacement` — will be removed in <version> ([#NNN](https://github.com/stacklok/toolhive/pull/NNN))
## 🆕 New Features
- <one-sentence user impact> ([#NNN](https://github.com/stacklok/toolhive/pull/NNN))
## 🐛 Bug Fixes
- <one-sentence description> ([#NNN](https://github.com/stacklok/toolhive/pull/NNN))
## 🧹 Misc
- <one-sentence description> ([#NNN](https://github.com/stacklok/toolhive/pull/NNN))
## 📦 Dependencies
<table of dependency updates from renovate/dependabot PRs:>
| Module | Version |
|--------|---------|
| `module/name` | vX.Y.Z |
👋 Welcome to our newest contributors: **@handle** 🎉
<details>
<summary><strong>Full commit log</strong></summary>
<paste the GitHub auto-generated "What's Changed" block here verbatim,
including PR titles, @author links, and the "New Contributors" sub-section
if present>
</details>
🔗 Full changelog: https://github.com/stacklok/toolhive/compare/vPREVIOUS...vCURRENT
```
---
## Section rules
| Section | When to include | Content guidance |
|---------|----------------|------------------|
| Breaking Changes | At least one breaking change confirmed by expert agent or PR checkbox | One-liner at top + collapsible migration guide with before/after examples |
| Deprecations | At least one NEW deprecation introduced in this release | One-liner with replacement, removal version, and PR link |
| New Features | At least one user-facing feature added | One sentence, lead with user impact, PR link at end |
| Bug Fixes | At least one bug fixed | One sentence, PR link at end |
| Misc | Any internal changes (refactors, tests, CI, naming) | One sentence, PR link at end |
| Dependencies | Any renovate/dependabot PRs | Table of module name + version |
| New Contributors | GitHub auto-generated section lists new contributors | Celebrate them by handle |
| Full Commit Log | Always | Verbatim GitHub auto-generated "What's Changed" block inside `<details>` |
## Writing guidelines
- **One sentence per bullet** — lead with user impact, not implementation detail.
- **Breaking change one-liners** must say what breaks and what the user must do.
- **Migration guides** always include before/after YAML or code, plus numbered steps.
- **Do not reformat the auto-generated commit log** — paste it exactly as GitHub produces it.
- **Link PRs** as `[#NNN](url)` — not bare numbers.
================================================
FILE: .claude/skills/split-pr/SKILL.md
================================================
---
name: split-pr
description: Analyzes current changes and suggests how to split them into smaller, reviewable PRs
---
# Split Large PR into Smaller Changes
## Purpose
Help developers break down large changesets into logical, reviewable pull requests. This skill analyzes the current diff and proposes a splitting strategy that keeps changes atomic and reviewable.
## Instructions
### 1. Analyze Current Changes
Run these commands to understand the scope:
```bash
# Get detailed file statistics
git diff main...HEAD --stat
# List all changed files
git diff main...HEAD --name-only
# Show commit history for context
git log main...HEAD --oneline
# Count non-generated files changed
git diff main...HEAD --name-only | grep -v 'vendor/' | grep -v '\.pb\.go$' | grep -v 'zz_generated' | grep -v '^docs/' | wc -l
# Count lines changed (excluding generated code)
git diff main...HEAD --stat -- . ':(exclude)vendor/*' ':(exclude)*.pb.go' ':(exclude)zz_generated*' ':(exclude)docs/*' | tail -1
```
### 2. Evaluate Size and Complexity
Assess whether the changes exceed recommended limits:
- **Target limits per PR**:
- < 10 files changed (excluding tests, generated code, docs)
- < 400 lines of code changed (excluding tests, generated code, docs)
- Changes represent one logical unit of work
If changes exceed these limits or mix multiple concerns, proceed to split analysis.
### 3. Identify Logical Groupings
Examine the changed files and identify natural boundaries:
- **By component/package**: Group changes by the package or component they affect
- **By layer**: Separate model changes, business logic, API changes, CLI changes
- **By concern**: Separate refactoring from new features, bug fixes from enhancements
- **By dependency**: Identify which changes depend on others
Use these commands to help:
```bash
# Group changed files by directory
git diff main...HEAD --name-only | grep -v 'vendor/' | grep -v '\.pb\.go$' | cut -d'/' -f1-2 | sort | uniq -c
# Show changes by package
git diff main...HEAD --name-only | grep '\.go$' | grep -v '_test\.go$' | cut -d'/' -f1-3 | sort | uniq -c
```
### 4. Propose Split Strategy
Create a structured plan with multiple PRs:
For each proposed PR, specify:
- **PR Name**: Brief description (e.g., "Add base container interface")
- **Purpose**: What this PR accomplishes and why it's needed
- **Files included**: List of files that would be in this PR
- **Estimated size**: Approximate lines changed
- **Dependencies**: Which other proposed PRs this depends on (if any)
- **Test coverage**: What tests are included
- **Order**: Suggest the sequence for creating PRs (e.g., "Create this first")
### 5. Recommend Creation Order
Determine the optimal order for creating PRs:
1. **Foundation PRs first**: New interfaces, base types, shared utilities
2. **Refactoring PRs second**: Changes that use the new foundation
3. **Feature PRs last**: New functionality that builds on the foundation
4. **Independent PRs anytime**: Changes that don't depend on others
### 6. Present Action Plan
Provide a clear, actionable plan:
```markdown
## Proposed PR Split
### Summary
Currently [X] files changed with [Y] lines modified. Recommend splitting into [N] PRs:
### PR 1: [Name] (Create First)
**Purpose**: [What and why]
**Files**:
- path/to/file1.go
- path/to/file2.go
**Size**: ~100 LOC
**Dependencies**: None
**Tests**: Includes unit tests for new functionality
### PR 2: [Name] (After PR 1)
**Purpose**: [What and why]
**Files**:
- path/to/file3.go
**Size**: ~150 LOC
**Dependencies**: Requires PR 1 (uses new interface)
**Tests**: Integration tests
[... continue for each PR ...]
## Next Steps
1. Would you like me to help create PR 1 first?
2. Should I create a tracking issue for the overall work?
3. Any changes to this split strategy?
```
## Best Practices
### Splitting Principles
- **Each PR should pass tests independently**: Don't create PRs that break builds
- **Prefer multiple small PRs over one large PR**: Easier to review and revert
- **Keep related changes together**: Don't artificially split code that changes together
- **Foundation before features**: Establish abstractions before using them
- **Use feature flags for incomplete work**: If a feature spans multiple PRs
### Common Split Patterns
1. **Refactoring + Feature**:
- PR 1: Extract interface and refactor existing code
- PR 2: Add new feature using the interface
2. **Multi-layer Feature**:
- PR 1: Add data models and database changes
- PR 2: Add business logic layer
- PR 3: Add API endpoints
- PR 4: Add CLI commands
3. **Package Restructuring**:
- PR 1: Create new package structure (empty or minimal)
- PR 2: Move code to new structure
- PR 3: Update imports and references
- PR 4: Clean up old structure
4. **Kubernetes Operator Changes**:
- PR 1: Update CRD definitions and generate code
- PR 2: Update controller logic
- PR 3: Add validation and defaulting
- PR 4: Update documentation and examples
### What NOT to Split
- **Atomic refactorings**: Renaming that touches many files but is one logical change
- **Generated code updates**: Proto, CRD, mock updates should stay together
- **Dependency updates**: Keep go.mod and vendor changes in one PR
- **Tightly coupled changes**: Changes that don't make sense independently
## Examples
### Example 1: Adding New CLI Command
**Current state**: 8 files changed, 450 lines
**Split strategy**:
- PR 1: Add business logic to `pkg/` package (3 files, 200 lines)
- PR 2: Add CLI command and E2E tests (5 files, 250 lines)
**Rationale**: Business logic is independently testable and reusable
### Example 2: Refactoring + Feature
**Current state**: 15 files changed, 800 lines
**Split strategy**:
- PR 1: Extract common interface (2 files, 100 lines)
- PR 2: Refactor existing implementations to use interface (6 files, 300 lines)
- PR 3: Add new implementation with feature (7 files, 400 lines)
**Rationale**: Each PR is independently valuable and testable
### Example 3: Operator Enhancement
**Current state**: 12 files changed, 600 lines
**Split strategy**:
- PR 1: Update CRD with new fields and generate code (4 files, 150 lines, mostly generated)
- PR 2: Update controller to handle new fields (5 files, 300 lines)
- PR 3: Add validation webhook (3 files, 150 lines)
**Rationale**: Each PR represents a complete vertical slice of functionality
## User Interaction
After presenting the split strategy:
1. **Ask for feedback**: "Does this split make sense for your workflow?"
2. **Offer to adjust**: Be flexible based on user's preferences
3. **Help with first PR**: "Would you like me to help create PR 1?"
4. **Create tracking**: "Should I create a GitHub issue to track all PRs?"
## Notes
- **Be pragmatic**: The goal is reviewable PRs, not arbitrary rules
- **Consider the team**: Some teams prefer different split strategies
- **Document dependencies**: Make it clear which PRs block others
- **Test independently**: Each PR should pass CI/CD checks
================================================
FILE: .claude/skills/toolhive-release/SKILL.md
================================================
---
name: toolhive-release
description: Creates ToolHive release PRs by analyzing commits since the last release, categorizing changes, recommending semantic version bump type (major/minor/patch), and triggering the release workflow. Use when cutting a release, preparing a new version, checking what changed since last release, or when the user mentions "release", "version bump", or "cut a release".
---
# ToolHive Release
Automates the ToolHive release process by analyzing changes and triggering the release PR workflow.
## When to Use
- When cutting a new ToolHive release
- When checking what's changed since the last release
- When deciding between patch, minor, or major version bump
- When the user says "release", "cut a release", "new version", or "version bump"
## Instructions
### Step 1: Find the Last Release
```bash
git tag --sort=-v:refname | head -1
```
This returns the most recent version tag (e.g., `v0.8.3`).
### Step 2: List Commits Since Last Release
```bash
git log <last-tag>..HEAD --oneline --no-merges
```
Count the commits:
```bash
git log <last-tag>..HEAD --oneline --no-merges | wc -l
```
### Step 3: Categorize Changes
Analyze each commit and categorize into:
| Category | Description | Version Impact |
|----------|-------------|----------------|
| **New Features** | New functionality, new commands, new APIs | Minor bump |
| **Bug Fixes** | Fixes to existing functionality | Patch bump |
| **Breaking Changes** | API changes, removed features, incompatible changes | Major bump |
| **Improvements** | Enhancements to existing features, refactoring | Patch or Minor |
| **Tests/CI** | Test additions, CI/CD changes | No impact |
| **Documentation** | Doc updates, README changes | No impact |
| **Dependencies** | Dependency updates (Renovate PRs) | Patch bump |
### Step 4: Recommend Version Bump
Based on the categorization:
- **Major** (`X.0.0`): Any breaking changes present
- **Minor** (`0.X.0`): New features without breaking changes
- **Patch** (`0.0.X`): Only bug fixes, dependency updates, improvements
Present the recommendation with justification to the user.
### Step 5: Trigger the Release Workflow
**IMPORTANT**: Present the analysis and recommendation to the user and WAIT for explicit confirmation before proceeding.
After user confirms the bump type, use the GitHub MCP tool to trigger the workflow:
```
mcp__github__run_workflow(
owner: "stacklok",
repo: "toolhive",
workflow_id: "create-release-pr.yml",
ref: "main",
inputs: { "bump_type": "<patch|minor|major>" }
)
```
### Step 6: Monitor and Report
1. Get the workflow run status:
```
mcp__github__list_workflow_runs(
owner: "stacklok",
repo: "toolhive",
workflow_id: "create-release-pr.yml",
per_page: 1
)
```
2. Poll until completion (check the `status` field until it shows "completed"):
```
mcp__github__get_workflow_run(
owner: "stacklok",
repo: "toolhive",
run_id: <run_id from step 1>
)
```
3. Find the created PR:
```
mcp__github__list_pull_requests(
owner: "stacklok",
repo: "toolhive",
state: "open",
sort: "created",
direction: "desc",
per_page: 5
)
```
Look for the PR with title matching "Release v<new-version>".
Report the PR URL to the user.
## Release Workflow Chain
For reference, here's what happens after the PR is merged:
1. **create-release-pr.yml** (manual) → Creates PR with version bumps
2. **create-release-tag.yml** (auto on VERSION change) → Creates git tag + GitHub Release
3. **releaser.yml** (auto on release publish) → Builds binaries, images, Helm charts
See [WORKFLOW-REFERENCE.md](references/WORKFLOW-REFERENCE.md) for detailed workflow documentation.
## Example Output
```
## Commits since v0.8.3 (24 commits)
### New Features
- OAuth Authorization Server (#3531, #3513, #3520, #3488)
- ExcludeAll for VirtualMCPServer (#3499)
- Generic PrefixHandlers (#3524)
### Bug Fixes
- OAuth token refresh context cancellation (#3539)
- Custom YAML unmarshalers for registry metadata (#3545)
### Improvements
- Logging updates (#3546, #3547)
### Tests/CI/Docs
- E2E tests for secrets management (#3485)
- Dependency updates
**Recommendation: Minor release (0.9.0)**
New features (OAuth auth server, ExcludeAll) warrant a minor version bump.
```
## Error Handling
- **No tags found**: Repository may not have any releases yet. Check `git tag` output.
- **Workflow trigger fails**: Ensure GitHub MCP server is configured and has proper permissions. The token needs `actions:write` scope.
- **PR not found**: The workflow may still be running. Poll `mcp__github__get_workflow_run` until status is "completed", then search for the PR.
- **Workflow run failed**: Use `mcp__github__get_workflow_run` to check the `conclusion` field. If "failure", use `mcp__github__get_job_logs` to investigate.
================================================
FILE: .claude/skills/toolhive-release/references/WORKFLOW-REFERENCE.md
================================================
# ToolHive Release Workflow Reference
Detailed documentation of the ToolHive release workflow chain.
## Workflow Overview
```
┌─────────────────────────┐
│ create-release-pr.yml │ ← Manual trigger (workflow_dispatch)
│ (bump_type input) │
└───────────┬─────────────┘
│ Creates PR with version bumps
▼
┌─────────────────────────┐
│ PR Review & Merge │ ← Human review
│ (commit: Release vX.Y.Z)│
└───────────┬─────────────┘
│ VERSION file changes on main
▼
┌─────────────────────────┐
│ create-release-tag.yml │ ← Auto trigger (push to main, VERSION changed)
│ │
└───────────┬─────────────┘
│ Creates tag + GitHub Release
▼
┌─────────────────────────┐
│ releaser.yml │ ← Auto trigger (release published)
│ │
└───────────┬─────────────┘
│
├── verify-release (tag matches VERSION)
├── release-binaries (GoReleaser, cosign, SBOM)
├── image-build-and-push (container images)
├── publish-helm (Helm charts to GHCR)
└── update-docs-website (trigger docs PR)
```
## Workflow 1: create-release-pr.yml
**Trigger**: Manual (`workflow_dispatch`)
**Input**: `bump_type` (patch | minor | major)
**What it does**:
1. Uses `stacklok/releaseo` action to:
- Read current version from `VERSION` file
- Bump version according to `bump_type`
- Update `VERSION` file
- Update additional files:
- `deploy/charts/operator-crds/Chart.yaml` (version, appVersion)
- `deploy/charts/operator/Chart.yaml` (version, appVersion with `v` prefix)
- `deploy/charts/operator/values.yaml` (operator.image, toolhiveRunnerImage, vmcpImage)
- Run `helm-docs --chart-search-root=deploy/charts`
- Create PR with branch `release/vX.Y.Z`
**Output**: PR number and URL
## Workflow 2: create-release-tag.yml
**Trigger**: Push to `main` that changes `VERSION` file
**What it does**:
1. Read and validate VERSION file (must be valid semver)
2. Verify commit came from release PR:
- Commit message matches `Release vX.Y.Z` or merge from `release/vX.Y.Z`
- Version in commit message matches VERSION file
3. Check if tag already exists (skip if so)
4. Create annotated git tag `vX.Y.Z`
5. Push tag using a GitHub App installation token (required to trigger downstream workflows; `GITHUB_TOKEN`-authored events do not)
6. Create GitHub Release with auto-generated notes
**Requirements**:
- GitHub App installed on the repo with `contents: write` permission
- `RELEASE_APP_CLIENT_ID` repository **variable** (the app's Client ID)
- `RELEASE_APP_PRIVATE_KEY` repository **secret** (the app's private key in PEM)
## Workflow 3: releaser.yml
**Trigger**: `release` event with type `published`
**Jobs**:
### verify-release
- Confirms git tag matches VERSION file content
### compute-build-flags
- Extracts commit SHA, date, version, tree-state for ldflags
### release-binaries
- Builds test binary and verifies version matches tag
- Runs GoReleaser for all platforms (linux, darwin, windows × amd64, arm64)
- Signs with cosign (keyless)
- Generates SBOMs with Syft
- Publishes to:
- GitHub Release assets
- Homebrew tap (`HOMEBREW_TAP_GITHUB_TOKEN`)
- Winget (`WINGET_GITHUB_TOKEN`)
### image-build-and-push
- Builds container images for:
- thv
- thv-operator
- thv-proxyrunner
- vmcp
- Signs images with cosign
- Pushes to GHCR
### publish-helm
- Verifies tag matches VERSION
- Packages and pushes Helm charts to GHCR
### update-docs-website
- Triggers PR to docs repository with new version
### notify-release-failure
- Sends Slack notification if any job fails
**Requirements**:
- `GITHUB_TOKEN` (automatic)
- `HOMEBREW_TAP_GITHUB_TOKEN`
- `WINGET_GITHUB_TOKEN`
- `DOCS_REPO_DISPATCH_TOKEN`
- `SLACK_TOOLHIVE_RELEASE_WEBHOOK_URL`
## Files Updated by Release
| File | Fields Updated |
|------|----------------|
| `VERSION` | Full version number (e.g., `0.9.0`) |
| `deploy/charts/operator-crds/Chart.yaml` | `version`, `appVersion` |
| `deploy/charts/operator/Chart.yaml` | `version`, `appVersion` (with `v` prefix) |
| `deploy/charts/operator/values.yaml` | `operator.image`, `operator.toolhiveRunnerImage`, `operator.vmcpImage` |
| `deploy/charts/*/README.md` | Regenerated by helm-docs |
## Semantic Versioning Guidelines
| Change Type | Version Bump | Example |
|-------------|--------------|---------|
| Breaking API changes | Major | 0.8.3 → 1.0.0 |
| Removed features | Major | 0.8.3 → 1.0.0 |
| New features (backward compatible) | Minor | 0.8.3 → 0.9.0 |
| New CLI commands | Minor | 0.8.3 → 0.9.0 |
| New CRD fields | Minor | 0.8.3 → 0.9.0 |
| Bug fixes | Patch | 0.8.3 → 0.8.4 |
| Performance improvements | Patch | 0.8.3 → 0.8.4 |
| Dependency updates | Patch | 0.8.3 → 0.8.4 |
| Documentation only | Patch | 0.8.3 → 0.8.4 |
## Troubleshooting
### Reference already exists when creating release PR
If a previous Create Release PR run failed after creating the branch but before opening the PR, the branch (e.g. `release/v0.11.1`) is left behind. The next run fails with "Reference already exists" because releaseo cannot create the same branch again.
**Fix**: The workflow now includes a cleanup step that deletes the target release branch before running releaseo, allowing retries to succeed. Simply re-run the workflow.
### PR not triggering create-release-tag
- Ensure commit message matches expected pattern: `Release vX.Y.Z`
- Check that VERSION file was actually modified in the PR
### Tag creation fails
- Tag may already exist: `git tag | grep vX.Y.Z`
- Release GitHub App may be uninstalled, or the `RELEASE_APP_CLIENT_ID` variable / `RELEASE_APP_PRIVATE_KEY` secret may be missing or stale
- App may lack `contents: write` permission on the repo
### Releaser workflow fails
- Check VERSION file matches the tag
- Verify all required secrets are configured
- Check Slack for failure notification with details
### Helm chart publish fails
- Verify tag matches VERSION file
- Check GHCR authentication
================================================
FILE: .claude/skills/vmcp-review/SKILL.md
================================================
---
name: vmcp-review
description: Reviews vMCP code changes for known anti-patterns that make the codebase harder to understand or more brittle. Use when reviewing PRs, planning features, or refactoring vMCP code.
---
# vMCP Code Review
## Purpose
Review code in `pkg/vmcp/` and `cmd/vmcp/` for known anti-patterns that increase cognitive load, create brittle dependencies, or undermine testability. This skill is used both for reviewing proposed changes and for auditing existing code.
## Instructions
### 1. Determine Scope
Identify the files to review:
- If reviewing a PR or diff, examine only the changed files under `pkg/vmcp/` and `cmd/vmcp/`
- If auditing a package, examine all `.go` files in the target package
- Skip files outside the vMCP codebase — this skill is vMCP-specific
### 2. Anti-Pattern Detection
For each file under review, check against the anti-patterns defined in `.claude/rules/vmcp-anti-patterns.md` (which is auto-loaded when vMCP files are read). Not every anti-pattern applies to every file — use judgment about which checks are relevant based on what the code does.
For each finding, classify severity:
- **Must fix**: The anti-pattern is being introduced or significantly expanded by this change
- **Should fix**: The anti-pattern exists in touched code and the change is a good opportunity to address it
- **Note**: The anti-pattern exists in nearby code but is not directly related to this change — flag for awareness only
### 3. Present Findings
Structure your report as:
```markdown
## vMCP Review: [scope description]
### Must Fix
- **[Anti-pattern name]** in `path/to/file.go:line`: [What's wrong and what to do instead]
### Should Fix
- **[Anti-pattern name]** in `path/to/file.go:line`: [What's wrong and what to do instead]
### Notes
- **[Anti-pattern name]** in `path/to/file.go:line`: [Brief description, for awareness]
### Clean
No issues found for: [list anti-patterns that were checked and passed]
```
If no issues are found, say so explicitly — a clean review is valuable signal.
## What This Skill Does NOT Cover
- General Go style issues (use `golangci-lint` for that)
- Security vulnerabilities (use the security-advisor agent)
- Test quality (use the unit-test-writer agent)
- Non-vMCP code (use the general code-reviewer agent)
- Performance issues (unless they stem from an anti-pattern like repeated body parsing)
================================================
FILE: .codespellrc
================================================
[codespell]
ignore-words-list = NotIn,notin,AfterAll,ND,aks,deriver,te,clientA,AtMost,atmost,convertIn
skip = *.svg,*.mod,*.sum
================================================
FILE: .gitattributes
================================================
# This file is documented at https://git-scm.com/docs/gitattributes.
# Linguist-specific attributes are documented at
# https://github.com/github/linguist.
docs/cli/thv*.md linguist-generated=true
docs/operator/crd-api.md linguist-generated=true
docs/server/docs.go linguist-generated=true
docs/server/swagger.* linguist-generated=true
================================================
FILE: .github/CODEOWNERS
================================================
# Default reviewer
* @JAORMX
# AI Agent Configuration (changes here affect what AI agents can do in CI)
CLAUDE.md @JAORMX @jhrozek @rdimitrov @jerm-dro
.claude/ @JAORMX @jhrozek @rdimitrov @jerm-dro
.claude/skills/ @JAORMX @jhrozek @rdimitrov @jerm-dro
.claude/agents/ @JAORMX @jhrozek @rdimitrov @jerm-dro
.claude/rules/ @JAORMX @jhrozek @rdimitrov @jerm-dro
# CLI (thv)
cmd/thv/ @JAORMX @yrobla @ChrisJBurns @amirejaz @lujunsan @rdimitrov @jhrozek
cmd/help/ @JAORMX @yrobla @ChrisJBurns @amirejaz @lujunsan @rdimitrov @jhrozek
docs/cli/ @JAORMX @yrobla @ChrisJBurns @amirejaz @lujunsan @rdimitrov @jhrozek
test/e2e/ @JAORMX @yrobla @ChrisJBurns @amirejaz @lujunsan @rdimitrov @jhrozek
# HTTP API (ToolHive server)
pkg/api/ @JAORMX @amirejaz
docs/server/ @JAORMX @amirejaz
# Kubernetes (operator + proxyrunner + charts)
cmd/thv-operator/ @ChrisJBurns @yrobla @JAORMX @jerm-dro @jhrozek
cmd/thv-proxyrunner/ @ChrisJBurns @yrobla @JAORMX @jerm-dro @jhrozek
deploy/charts/operator/ @ChrisJBurns @yrobla @JAORMX @jerm-dro @jhrozek
deploy/charts/operator-crds/ @ChrisJBurns @yrobla @JAORMX @jerm-dro @jhrozek
config/webhook/ @ChrisJBurns @yrobla @JAORMX @jerm-dro @jhrozek
test/e2e/chainsaw/operator/ @ChrisJBurns @yrobla @JAORMX @jerm-dro @jhrozek
test/e2e/thv-operator/ @ChrisJBurns @yrobla @JAORMX @jerm-dro @jhrozek
docs/operator/ @ChrisJBurns @yrobla @JAORMX @jerm-dro @jhrozek
# vMCP (Virtual MCP)
cmd/vmcp/ @JAORMX @yrobla @jhrozek @jerm-dro @amirejaz
pkg/vmcp/ @JAORMX @yrobla @jhrozek @jerm-dro @amirejaz
test/integration/vmcp/ @JAORMX @yrobla @jhrozek @jerm-dro @amirejaz
# Core Runtime & Lifecycle
pkg/workloads/ @JAORMX @amirejaz @lujunsan
pkg/runner/ @JAORMX @amirejaz @lujunsan
pkg/runtime/ @JAORMX @amirejaz @lujunsan
pkg/state/ @JAORMX @amirejaz @lujunsan
pkg/config/ @JAORMX @amirejaz @lujunsan
pkg/migration/ @JAORMX @amirejaz @lujunsan
pkg/groups/ @JAORMX @amirejaz @lujunsan
pkg/client/ @JAORMX @amirejaz @lujunsan
# Infrastructure Abstractions
pkg/container/ @JAORMX @jhrozek @blkt @amirejaz @ChrisJBurns @yrobla
pkg/transport/ @JAORMX @jhrozek @blkt @amirejaz @ChrisJBurns @yrobla
pkg/mcp/ @JAORMX @jhrozek @blkt @amirejaz @ChrisJBurns @yrobla
pkg/networking/ @JAORMX @jhrozek @blkt @amirejaz @ChrisJBurns @yrobla
pkg/labels/ @JAORMX @jhrozek @blkt @amirejaz @ChrisJBurns @yrobla
pkg/process/ @JAORMX @jhrozek @blkt @amirejaz @ChrisJBurns @yrobla
# Registry & Distribution
pkg/registry/ @JAORMX @rdimitrov
.github/workflows/update-registry.yml @JAORMX @rdimitrov
# Security & Policy
pkg/auth/ @jhrozek @JAORMX @ChrisJBurns @yrobla
pkg/authz/ @jhrozek @JAORMX @ChrisJBurns @yrobla
pkg/oauth/ @jhrozek @JAORMX @ChrisJBurns @yrobla
pkg/authserver/ @jhrozek @JAORMX @ChrisJBurns @yrobla
pkg/secrets/ @jhrozek @JAORMX @ChrisJBurns @yrobla
pkg/permissions/ @jhrozek @JAORMX @ChrisJBurns @yrobla
pkg/container/verifier/ @jhrozek @JAORMX @ChrisJBurns @yrobla
pkg/audit/ @jhrozek @JAORMX @ChrisJBurns @yrobla
# Observability
pkg/telemetry/ @ChrisJBurns @JAORMX @yrobla @jerm-dro
pkg/usagemetrics/ @ChrisJBurns @JAORMX @yrobla @jerm-dro
pkg/logger/ @ChrisJBurns @JAORMX @yrobla @jerm-dro
pkg/recovery/ @ChrisJBurns @JAORMX @yrobla @jerm-dro
# Architecture docs
docs/arch/ @JAORMX @amirejaz @yrobla @rdimitrov @ChrisJBurns @jhrozek
================================================
FILE: .github/ISSUE_TEMPLATE/kubernetes-issue.md
================================================
---
name: Kubernetes Issue / Feature Request
about: Issues or feature requests relating to ToolHive a Kubernetes Context (ToolHive Operator, Helm Charts, general Kubernetes etc)
title: ''
labels: kubernetes
---
================================================
FILE: .github/ISSUE_TEMPLATE/report_bug.md
================================================
---
name: Bug Report
about: Report a bug to help us improve
labels: bug
---
## Bug description
Clearly describe the bug you encountered.
## Steps to reproduce
Provide steps or commands needed to reproduce the issue.
## Expected behavior
Explain what you expected to happen.
## Actual behavior
Explain what actually happened.
## Environment (if relevant)
- OS/version:
- ToolHive version:
## Additional context
Any additional information or logs you think might help.
================================================
FILE: .github/actio
gitextract_h7f056_g/
├── .chainsaw.yaml
├── .claude/
│ ├── agents/
│ │ ├── bug-triage.md
│ │ ├── code-reviewer.md
│ │ ├── documentation-writer.md
│ │ ├── golang-code-writer.md
│ │ ├── kubernetes-expert.md
│ │ ├── mcp-protocol-expert.md
│ │ ├── oauth-expert.md
│ │ ├── security-advisor.md
│ │ ├── site-reliability-engineer.md
│ │ ├── tech-lead-orchestrator.md
│ │ ├── toolhive-expert.md
│ │ └── unit-test-writer.md
│ ├── rules/
│ │ ├── cli-commands.md
│ │ ├── go-style.md
│ │ ├── operator.md
│ │ ├── pr-creation.md
│ │ ├── security.md
│ │ ├── testing.md
│ │ └── vmcp-anti-patterns.md
│ ├── settings.json
│ └── skills/
│ ├── add-rule/
│ │ └── SKILL.md
│ ├── check-contribution/
│ │ └── SKILL.md
│ ├── code-review-assist/
│ │ └── SKILL.md
│ ├── deflake/
│ │ ├── SKILL.md
│ │ └── collect-flakes.py
│ ├── deploy-otel/
│ │ └── SKILL.md
│ ├── deploying-vmcp-locally/
│ │ └── SKILL.md
│ ├── doc-review/
│ │ ├── CHECKING.md
│ │ ├── EXAMPLES.md
│ │ └── SKILL.md
│ ├── implement-story/
│ │ └── SKILL.md
│ ├── pr-review/
│ │ ├── EXAMPLES-INLINE.md
│ │ ├── EXAMPLES-REPLY.md
│ │ └── SKILL.md
│ ├── release-notes/
│ │ ├── SKILL.md
│ │ └── TEMPLATE.md
│ ├── split-pr/
│ │ └── SKILL.md
│ ├── toolhive-release/
│ │ ├── SKILL.md
│ │ └── references/
│ │ └── WORKFLOW-REFERENCE.md
│ └── vmcp-review/
│ └── SKILL.md
├── .codespellrc
├── .gitattributes
├── .github/
│ ├── CODEOWNERS
│ ├── ISSUE_TEMPLATE/
│ │ ├── kubernetes-issue.md
│ │ └── report_bug.md
│ ├── actions/
│ │ └── compute-version/
│ │ └── action.yml
│ ├── ko-ci.yml
│ ├── license-header.txt
│ ├── pull_request_template.md
│ └── workflows/
│ ├── api-compat-noop.yml
│ ├── api-compat.yml
│ ├── claude.yml
│ ├── create-release-pr.yml
│ ├── create-release-tag.yml
│ ├── e2e-tests.yml
│ ├── helm-charts-test.yml
│ ├── helm-publish.yml
│ ├── image-build-and-publish.yml
│ ├── issue-triage.yml
│ ├── license-headers.yml
│ ├── lint.yml
│ ├── operator-ci.yml
│ ├── pr-size-justification-template.md
│ ├── pr-size-label-apply.yml
│ ├── pr-size-labeler.yml
│ ├── releaser.yml
│ ├── renovate-config-validation.yml
│ ├── run-on-main.yml
│ ├── run-on-pr.yml
│ ├── security-scan.yml
│ ├── skills-build-and-publish.yml
│ ├── spellcheck.yml
│ ├── test-e2e-lifecycle.yml
│ ├── test.yml
│ ├── verify-docgen.yml
│ └── verify-gen.yml
├── .gitignore
├── .golangci.yml
├── .goreleaser.yaml
├── .pre-commit-config.yaml
├── CLAUDE.md
├── CODE_OF_CONDUCT.md
├── CONTRIBUTING.md
├── LICENSE
├── MAINTAINERS.md
├── PROJECT
├── README.md
├── SECURITY.md
├── Taskfile.yml
├── VERSION
├── cmd/
│ ├── help/
│ │ ├── main.go
│ │ └── verify.sh
│ ├── thv/
│ │ ├── app/
│ │ │ ├── auth_flags.go
│ │ │ ├── build.go
│ │ │ ├── client.go
│ │ │ ├── commands.go
│ │ │ ├── common.go
│ │ │ ├── common_test.go
│ │ │ ├── config.go
│ │ │ ├── config_buildauthfile.go
│ │ │ ├── config_buildenv.go
│ │ │ ├── config_registryauth.go
│ │ │ ├── constants.go
│ │ │ ├── export.go
│ │ │ ├── flag_helpers.go
│ │ │ ├── group.go
│ │ │ ├── header_flags.go
│ │ │ ├── header_flags_test.go
│ │ │ ├── inspector/
│ │ │ │ └── version.go
│ │ │ ├── inspector.go
│ │ │ ├── inspector_test.go
│ │ │ ├── list.go
│ │ │ ├── llm.go
│ │ │ ├── llm_test.go
│ │ │ ├── logs.go
│ │ │ ├── mcp.go
│ │ │ ├── mcp_serve.go
│ │ │ ├── otel.go
│ │ │ ├── proxy.go
│ │ │ ├── proxy_stdio.go
│ │ │ ├── proxy_tunnel.go
│ │ │ ├── registry.go
│ │ │ ├── registry_convert.go
│ │ │ ├── registry_convert_test.go
│ │ │ ├── registry_login.go
│ │ │ ├── registry_logout.go
│ │ │ ├── restart.go
│ │ │ ├── rm.go
│ │ │ ├── run.go
│ │ │ ├── run_flags.go
│ │ │ ├── run_flags_test.go
│ │ │ ├── run_test.go
│ │ │ ├── runtime.go
│ │ │ ├── search.go
│ │ │ ├── secret.go
│ │ │ ├── secret_test.go
│ │ │ ├── server.go
│ │ │ ├── skill.go
│ │ │ ├── skill_build.go
│ │ │ ├── skill_builds.go
│ │ │ ├── skill_builds_remove.go
│ │ │ ├── skill_helpers.go
│ │ │ ├── skill_info.go
│ │ │ ├── skill_install.go
│ │ │ ├── skill_list.go
│ │ │ ├── skill_push.go
│ │ │ ├── skill_uninstall.go
│ │ │ ├── skill_validate.go
│ │ │ ├── status.go
│ │ │ ├── status_test.go
│ │ │ ├── stop.go
│ │ │ ├── tui.go
│ │ │ ├── ui/
│ │ │ │ ├── clients_setup.go
│ │ │ │ ├── clients_setup_test.go
│ │ │ │ ├── clients_status.go
│ │ │ │ ├── help.go
│ │ │ │ ├── log_handler.go
│ │ │ │ ├── selected_groups_test.go
│ │ │ │ ├── spinner.go
│ │ │ │ └── styles.go
│ │ │ ├── version.go
│ │ │ ├── vmcp.go
│ │ │ └── vmcp_test.go
│ │ └── main.go
│ ├── thv-operator/
│ │ ├── DESIGN.md
│ │ ├── README.md
│ │ ├── REGISTRY.md
│ │ ├── Taskfile.yml
│ │ ├── api/
│ │ │ ├── v1alpha1/
│ │ │ │ ├── doc.go
│ │ │ │ ├── groupversion_info.go
│ │ │ │ ├── types.go
│ │ │ │ └── zz_generated.deepcopy.go
│ │ │ └── v1beta1/
│ │ │ ├── conditions.go
│ │ │ ├── embeddingserver_types.go
│ │ │ ├── groupversion_info.go
│ │ │ ├── mcpexternalauthconfig_types.go
│ │ │ ├── mcpexternalauthconfig_types_test.go
│ │ │ ├── mcpgroup_types.go
│ │ │ ├── mcpoidcconfig_types.go
│ │ │ ├── mcpregistry_parse_test.go
│ │ │ ├── mcpregistry_types.go
│ │ │ ├── mcpremoteproxy_types.go
│ │ │ ├── mcpserver_types.go
│ │ │ ├── mcpserver_types_test.go
│ │ │ ├── mcpserverentry_types.go
│ │ │ ├── mcptelemetryconfig_types.go
│ │ │ ├── mcptelemetryconfig_types_test.go
│ │ │ ├── toolconfig_types.go
│ │ │ ├── virtualmcpcompositetooldefinition_types.go
│ │ │ ├── virtualmcpserver_types.go
│ │ │ ├── virtualmcpserver_types_test.go
│ │ │ └── zz_generated.deepcopy.go
│ │ ├── config/
│ │ │ └── webhook/
│ │ │ └── manifests.yaml
│ │ ├── controllers/
│ │ │ ├── embeddingserver_controller.go
│ │ │ ├── embeddingserver_controller_test.go
│ │ │ ├── embeddingserver_default_imagepullsecrets_test.go
│ │ │ ├── helpers_test.go
│ │ │ ├── mcpexternalauthconfig_controller.go
│ │ │ ├── mcpexternalauthconfig_controller_test.go
│ │ │ ├── mcpgroup_controller.go
│ │ │ ├── mcpgroup_controller_test.go
│ │ │ ├── mcpoidcconfig_controller.go
│ │ │ ├── mcpoidcconfig_controller_test.go
│ │ │ ├── mcpregistry_controller.go
│ │ │ ├── mcpregistry_controller_test.go
│ │ │ ├── mcpremoteproxy_authserverref_test.go
│ │ │ ├── mcpremoteproxy_controller.go
│ │ │ ├── mcpremoteproxy_controller_test.go
│ │ │ ├── mcpremoteproxy_default_imagepullsecrets_test.go
│ │ │ ├── mcpremoteproxy_deployment.go
│ │ │ ├── mcpremoteproxy_deployment_test.go
│ │ │ ├── mcpremoteproxy_reconciler_test.go
│ │ │ ├── mcpremoteproxy_runconfig.go
│ │ │ ├── mcpremoteproxy_runconfig_test.go
│ │ │ ├── mcpremoteproxy_telemetryconfig_test.go
│ │ │ ├── mcpserver_authserverref_test.go
│ │ │ ├── mcpserver_authz_test.go
│ │ │ ├── mcpserver_controller.go
│ │ │ ├── mcpserver_default_imagepullsecrets_test.go
│ │ │ ├── mcpserver_externalauth_runconfig_test.go
│ │ │ ├── mcpserver_externalauth_test.go
│ │ │ ├── mcpserver_groupref_test.go
│ │ │ ├── mcpserver_invalid_podtemplate_reconcile_test.go
│ │ │ ├── mcpserver_oidcconfig_test.go
│ │ │ ├── mcpserver_platform_test.go
│ │ │ ├── mcpserver_pod_template_test.go
│ │ │ ├── mcpserver_podtemplatespec_builder_test.go
│ │ │ ├── mcpserver_rbac_test.go
│ │ │ ├── mcpserver_replicas_test.go
│ │ │ ├── mcpserver_resource_overrides_test.go
│ │ │ ├── mcpserver_restart_test.go
│ │ │ ├── mcpserver_runconfig.go
│ │ │ ├── mcpserver_runconfig_test.go
│ │ │ ├── mcpserver_spec_patch_test.go
│ │ │ ├── mcpserver_telemetry_cabundle_test.go
│ │ │ ├── mcpserver_telemetryconfig.go
│ │ │ ├── mcpserver_telemetryconfig_test.go
│ │ │ ├── mcpserver_test_helpers_test.go
│ │ │ ├── mcpserverentry_controller.go
│ │ │ ├── mcpserverentry_controller_test.go
│ │ │ ├── mcptelemetryconfig_controller.go
│ │ │ ├── mcptelemetryconfig_controller_test.go
│ │ │ ├── toolconfig_controller.go
│ │ │ ├── toolconfig_controller_edge_cases_test.go
│ │ │ ├── toolconfig_controller_test.go
│ │ │ ├── virtualmcpserver_controller.go
│ │ │ ├── virtualmcpserver_controller_test.go
│ │ │ ├── virtualmcpserver_default_imagepullsecrets_test.go
│ │ │ ├── virtualmcpserver_deployment.go
│ │ │ ├── virtualmcpserver_deployment_test.go
│ │ │ ├── virtualmcpserver_embedding.go
│ │ │ ├── virtualmcpserver_externalauth_test.go
│ │ │ ├── virtualmcpserver_hmac_secret_test.go
│ │ │ ├── virtualmcpserver_podtemplatespec_reconcile_test.go
│ │ │ ├── virtualmcpserver_podtemplatespec_test.go
│ │ │ ├── virtualmcpserver_telemetryconfig.go
│ │ │ ├── virtualmcpserver_telemetryconfig_test.go
│ │ │ ├── virtualmcpserver_vmcpconfig.go
│ │ │ ├── virtualmcpserver_vmcpconfig_test.go
│ │ │ └── virtualmcpserver_watch_test.go
│ │ ├── main.go
│ │ ├── main_test.go
│ │ ├── pkg/
│ │ │ ├── controllerutil/
│ │ │ │ ├── authserver.go
│ │ │ │ ├── authserver_test.go
│ │ │ │ ├── authz.go
│ │ │ │ ├── authz_test.go
│ │ │ │ ├── config.go
│ │ │ │ ├── config_test.go
│ │ │ │ ├── doc.go
│ │ │ │ ├── externalauth.go
│ │ │ │ ├── externalauth_test.go
│ │ │ │ ├── maps.go
│ │ │ │ ├── maps_test.go
│ │ │ │ ├── oidc.go
│ │ │ │ ├── oidc_test.go
│ │ │ │ ├── oidc_volumes.go
│ │ │ │ ├── patch.go
│ │ │ │ ├── patch_test.go
│ │ │ │ ├── platform.go
│ │ │ │ ├── podtemplatespec_builder.go
│ │ │ │ ├── podtemplatespec_builder_test.go
│ │ │ │ ├── podtemplatespec_patch.go
│ │ │ │ ├── podtemplatespec_patch_test.go
│ │ │ │ ├── resources.go
│ │ │ │ ├── resources_test.go
│ │ │ │ ├── status.go
│ │ │ │ ├── status_test.go
│ │ │ │ ├── telemetry.go
│ │ │ │ ├── telemetry_test.go
│ │ │ │ ├── telemetry_volumes.go
│ │ │ │ ├── telemetry_volumes_test.go
│ │ │ │ ├── tokenexchange.go
│ │ │ │ ├── tools_config.go
│ │ │ │ └── tools_config_test.go
│ │ │ ├── httpclient/
│ │ │ │ ├── client.go
│ │ │ │ └── client_test.go
│ │ │ ├── imagepullsecrets/
│ │ │ │ ├── defaults.go
│ │ │ │ └── defaults_test.go
│ │ │ ├── kubernetes/
│ │ │ │ ├── client.go
│ │ │ │ ├── configmaps/
│ │ │ │ │ ├── configmaps.go
│ │ │ │ │ ├── configmaps_test.go
│ │ │ │ │ └── doc.go
│ │ │ │ ├── doc.go
│ │ │ │ ├── rbac/
│ │ │ │ │ ├── doc.go
│ │ │ │ │ ├── rbac.go
│ │ │ │ │ └── rbac_test.go
│ │ │ │ └── secrets/
│ │ │ │ ├── doc.go
│ │ │ │ ├── secrets.go
│ │ │ │ └── secrets_test.go
│ │ │ ├── oidc/
│ │ │ │ ├── mocks/
│ │ │ │ │ └── mock_resolver.go
│ │ │ │ ├── resolver.go
│ │ │ │ └── resolver_configref_test.go
│ │ │ ├── registryapi/
│ │ │ │ ├── config/
│ │ │ │ │ ├── config.go
│ │ │ │ │ ├── raw_config.go
│ │ │ │ │ └── raw_config_test.go
│ │ │ │ ├── deployment.go
│ │ │ │ ├── deployment_test.go
│ │ │ │ ├── manager.go
│ │ │ │ ├── manager_test.go
│ │ │ │ ├── mocks/
│ │ │ │ │ └── mock_manager.go
│ │ │ │ ├── podtemplatespec.go
│ │ │ │ ├── podtemplatespec_test.go
│ │ │ │ ├── rbac.go
│ │ │ │ ├── rbac_test.go
│ │ │ │ ├── service.go
│ │ │ │ ├── service_test.go
│ │ │ │ ├── types.go
│ │ │ │ └── types_test.go
│ │ │ ├── runconfig/
│ │ │ │ ├── audit.go
│ │ │ │ ├── audit_test.go
│ │ │ │ ├── configmap/
│ │ │ │ │ └── checksum/
│ │ │ │ │ ├── checksum.go
│ │ │ │ │ └── checksum_test.go
│ │ │ │ ├── telemetry.go
│ │ │ │ └── telemetry_test.go
│ │ │ ├── spectoconfig/
│ │ │ │ ├── telemetry.go
│ │ │ │ └── telemetry_test.go
│ │ │ ├── validation/
│ │ │ │ ├── cedar_validation.go
│ │ │ │ ├── cedar_validation_test.go
│ │ │ │ ├── oidc_validation.go
│ │ │ │ ├── oidc_validation_test.go
│ │ │ │ ├── telemetry_validation.go
│ │ │ │ ├── url_validation.go
│ │ │ │ └── url_validation_test.go
│ │ │ ├── virtualmcpserverstatus/
│ │ │ │ ├── collector.go
│ │ │ │ ├── collector_test.go
│ │ │ │ ├── mocks/
│ │ │ │ │ └── mock_collector.go
│ │ │ │ └── types.go
│ │ │ └── vmcpconfig/
│ │ │ ├── converter.go
│ │ │ ├── converter_test.go
│ │ │ └── validator.go
│ │ └── test-integration/
│ │ ├── embedding-server/
│ │ │ ├── embeddingserver_creation_test.go
│ │ │ ├── embeddingserver_update_test.go
│ │ │ └── suite_test.go
│ │ ├── mcp-external-auth/
│ │ │ ├── mcpexternalauthconfig_controller_integration_test.go
│ │ │ └── suite_test.go
│ │ ├── mcp-group/
│ │ │ ├── mcpgroup_controller_integration_test.go
│ │ │ └── suite_test.go
│ │ ├── mcp-oidc-config/
│ │ │ ├── mcpoidcconfig_controller_integration_test.go
│ │ │ ├── mcpoidcconfig_mcpremoteproxy_integration_test.go
│ │ │ ├── mcpoidcconfig_mcpserver_integration_test.go
│ │ │ ├── mcpoidcconfig_virtualmcpserver_integration_test.go
│ │ │ └── suite_test.go
│ │ ├── mcp-registry/
│ │ │ ├── configmap_helpers.go
│ │ │ ├── deployment_update_test.go
│ │ │ ├── doc.go
│ │ │ ├── k8s_helpers.go
│ │ │ ├── registry_helpers.go
│ │ │ ├── registry_lifecycle_test.go
│ │ │ ├── registry_server_rbac_test.go
│ │ │ ├── registryserver_config_test.go
│ │ │ ├── status_helpers.go
│ │ │ ├── suite_test.go
│ │ │ └── timing_helpers.go
│ │ ├── mcp-remote-proxy/
│ │ │ ├── k8s_helpers.go
│ │ │ ├── mcpremoteproxy_authserverref_integration_test.go
│ │ │ ├── mcpremoteproxy_controller_integration_test.go
│ │ │ ├── mcpremoteproxy_imagepullsecrets_drift_test.go
│ │ │ ├── mcpremoteproxy_validation_integration_test.go
│ │ │ ├── remoteproxy_helpers.go
│ │ │ ├── status_helpers.go
│ │ │ └── suite_test.go
│ │ ├── mcp-server/
│ │ │ ├── mcpserver_authserverref_integration_test.go
│ │ │ ├── mcpserver_cel_validation_integration_test.go
│ │ │ ├── mcpserver_controller_integration_test.go
│ │ │ ├── mcpserver_imagepullsecrets_drift_test.go
│ │ │ ├── mcpserver_runconfig_integration_test.go
│ │ │ ├── mcpserver_sessionstorage_cel_test.go
│ │ │ ├── mcpserver_spec_patch_integration_test.go
│ │ │ └── suite_test.go
│ │ ├── mcp-telemetry-config/
│ │ │ ├── mcptelemetryconfig_controller_integration_test.go
│ │ │ └── suite_test.go
│ │ ├── mcp-toolconfig/
│ │ │ ├── mcptoolconfig_controller_integration_test.go
│ │ │ └── suite_test.go
│ │ └── virtualmcp/
│ │ ├── suite_test.go
│ │ ├── virtualmcpserver_compositetool_watch_test.go
│ │ ├── virtualmcpserver_elicitation_integration_test.go
│ │ ├── virtualmcpserver_externalauth_watch_test.go
│ │ ├── virtualmcpserver_imagepullsecrets_integration_test.go
│ │ ├── virtualmcpserver_podtemplatespec_integration_test.go
│ │ ├── virtualmcpserver_replicas_integration_test.go
│ │ ├── virtualmcpserver_sessionstorage_cel_test.go
│ │ └── virtualmcpserver_telemetryconfig_integration_test.go
│ ├── thv-proxyrunner/
│ │ ├── app/
│ │ │ ├── commands.go
│ │ │ └── run.go
│ │ └── main.go
│ └── vmcp/
│ ├── README.md
│ ├── app/
│ │ └── commands.go
│ └── main.go
├── codecov.yaml
├── config/
│ └── webhook/
│ └── manifests.yaml
├── containers/
│ └── egress-proxy/
│ └── Dockerfile
├── copilot_instructions.md
├── cr.yaml
├── ct.yaml
├── dco.md
├── deploy/
│ ├── charts/
│ │ ├── _templates.gotmpl
│ │ ├── operator/
│ │ │ ├── .helmignore
│ │ │ ├── CONTRIBUTING.md
│ │ │ ├── Chart.yaml
│ │ │ ├── README.md
│ │ │ ├── README.md.gotmpl
│ │ │ ├── ci/
│ │ │ │ ├── autoScalingEnabled-values.yaml
│ │ │ │ ├── default-values.yaml
│ │ │ │ ├── extraEnvVars-values.yaml
│ │ │ │ ├── extraPodAndContainerSecurityContext-values.yaml
│ │ │ │ ├── extraPodAnnotationsAndLabels-values.yaml
│ │ │ │ └── extraVolumes-values.yaml
│ │ │ ├── templates/
│ │ │ │ ├── _helpers.tpl
│ │ │ │ ├── clusterrole/
│ │ │ │ │ ├── role.yaml
│ │ │ │ │ └── rolebinding.yaml
│ │ │ │ ├── deployment.yaml
│ │ │ │ ├── hpa.yaml
│ │ │ │ ├── leader-election-role.yaml
│ │ │ │ └── serviceaccount.yaml
│ │ │ └── values.yaml
│ │ └── operator-crds/
│ │ ├── .helmignore
│ │ ├── CONTRIBUTING.md
│ │ ├── Chart.yaml
│ │ ├── README.md
│ │ ├── README.md.gotmpl
│ │ ├── ci/
│ │ │ └── default-values.yaml
│ │ ├── files/
│ │ │ └── crds/
│ │ │ ├── toolhive.stacklok.dev_embeddingservers.yaml
│ │ │ ├── toolhive.stacklok.dev_mcpexternalauthconfigs.yaml
│ │ │ ├── toolhive.stacklok.dev_mcpgroups.yaml
│ │ │ ├── toolhive.stacklok.dev_mcpoidcconfigs.yaml
│ │ │ ├── toolhive.stacklok.dev_mcpregistries.yaml
│ │ │ ├── toolhive.stacklok.dev_mcpremoteproxies.yaml
│ │ │ ├── toolhive.stacklok.dev_mcpserverentries.yaml
│ │ │ ├── toolhive.stacklok.dev_mcpservers.yaml
│ │ │ ├── toolhive.stacklok.dev_mcptelemetryconfigs.yaml
│ │ │ ├── toolhive.stacklok.dev_mcptoolconfigs.yaml
│ │ │ ├── toolhive.stacklok.dev_virtualmcpcompositetooldefinitions.yaml
│ │ │ └── toolhive.stacklok.dev_virtualmcpservers.yaml
│ │ ├── templates/
│ │ │ ├── toolhive.stacklok.dev_embeddingservers.yaml
│ │ │ ├── toolhive.stacklok.dev_mcpexternalauthconfigs.yaml
│ │ │ ├── toolhive.stacklok.dev_mcpgroups.yaml
│ │ │ ├── toolhive.stacklok.dev_mcpoidcconfigs.yaml
│ │ │ ├── toolhive.stacklok.dev_mcpregistries.yaml
│ │ │ ├── toolhive.stacklok.dev_mcpremoteproxies.yaml
│ │ │ ├── toolhive.stacklok.dev_mcpserverentries.yaml
│ │ │ ├── toolhive.stacklok.dev_mcpservers.yaml
│ │ │ ├── toolhive.stacklok.dev_mcptelemetryconfigs.yaml
│ │ │ ├── toolhive.stacklok.dev_mcptoolconfigs.yaml
│ │ │ ├── toolhive.stacklok.dev_virtualmcpcompositetooldefinitions.yaml
│ │ │ └── toolhive.stacklok.dev_virtualmcpservers.yaml
│ │ └── values.yaml
│ └── keycloak/
│ ├── README.md
│ ├── keycloak-dev.yaml
│ ├── mcpserver-with-auth.yaml
│ └── setup-realm.sh
├── docs/
│ ├── README.md
│ ├── arch/
│ │ ├── 00-overview.md
│ │ ├── 01-deployment-modes.md
│ │ ├── 02-core-concepts.md
│ │ ├── 03-transport-architecture.md
│ │ ├── 04-secrets-management.md
│ │ ├── 05-runconfig-and-permissions.md
│ │ ├── 06-registry-system.md
│ │ ├── 07-groups.md
│ │ ├── 08-workloads-lifecycle.md
│ │ ├── 09-operator-architecture.md
│ │ ├── 10-virtual-mcp-architecture.md
│ │ ├── 11-auth-server-storage.md
│ │ ├── 12-skills-system.md
│ │ ├── 13-vmcp-scalability.md
│ │ ├── README.md
│ │ ├── vmcp-library.md
│ │ └── vmcp-local.md
│ ├── authz.md
│ ├── cli/
│ │ ├── thv.md
│ │ ├── thv_build.md
│ │ ├── thv_client.md
│ │ ├── thv_client_list-registered.md
│ │ ├── thv_client_register.md
│ │ ├── thv_client_remove.md
│ │ ├── thv_client_setup.md
│ │ ├── thv_client_status.md
│ │ ├── thv_config.md
│ │ ├── thv_config_get-build-auth-file.md
│ │ ├── thv_config_get-build-env.md
│ │ ├── thv_config_get-ca-cert.md
│ │ ├── thv_config_get-registry.md
│ │ ├── thv_config_otel.md
│ │ ├── thv_config_otel_get-enable-prometheus-metrics-path.md
│ │ ├── thv_config_otel_get-endpoint.md
│ │ ├── thv_config_otel_get-env-vars.md
│ │ ├── thv_config_otel_get-insecure.md
│ │ ├── thv_config_otel_get-metrics-enabled.md
│ │ ├── thv_config_otel_get-sampling-rate.md
│ │ ├── thv_config_otel_get-tracing-enabled.md
│ │ ├── thv_config_otel_set-enable-prometheus-metrics-path.md
│ │ ├── thv_config_otel_set-endpoint.md
│ │ ├── thv_config_otel_set-env-vars.md
│ │ ├── thv_config_otel_set-insecure.md
│ │ ├── thv_config_otel_set-metrics-enabled.md
│ │ ├── thv_config_otel_set-sampling-rate.md
│ │ ├── thv_config_otel_set-tracing-enabled.md
│ │ ├── thv_config_otel_unset-enable-prometheus-metrics-path.md
│ │ ├── thv_config_otel_unset-endpoint.md
│ │ ├── thv_config_otel_unset-env-vars.md
│ │ ├── thv_config_otel_unset-insecure.md
│ │ ├── thv_config_otel_unset-metrics-enabled.md
│ │ ├── thv_config_otel_unset-sampling-rate.md
│ │ ├── thv_config_otel_unset-tracing-enabled.md
│ │ ├── thv_config_set-build-auth-file.md
│ │ ├── thv_config_set-build-env.md
│ │ ├── thv_config_set-ca-cert.md
│ │ ├── thv_config_set-registry.md
│ │ ├── thv_config_unset-build-auth-file.md
│ │ ├── thv_config_unset-build-env.md
│ │ ├── thv_config_unset-ca-cert.md
│ │ ├── thv_config_unset-registry.md
│ │ ├── thv_config_usage-metrics.md
│ │ ├── thv_export.md
│ │ ├── thv_group.md
│ │ ├── thv_group_create.md
│ │ ├── thv_group_list.md
│ │ ├── thv_group_rm.md
│ │ ├── thv_inspector.md
│ │ ├── thv_list.md
│ │ ├── thv_logs.md
│ │ ├── thv_logs_prune.md
│ │ ├── thv_mcp.md
│ │ ├── thv_mcp_list.md
│ │ ├── thv_mcp_list_prompts.md
│ │ ├── thv_mcp_list_resources.md
│ │ ├── thv_mcp_list_tools.md
│ │ ├── thv_mcp_serve.md
│ │ ├── thv_proxy.md
│ │ ├── thv_proxy_stdio.md
│ │ ├── thv_proxy_tunnel.md
│ │ ├── thv_registry.md
│ │ ├── thv_registry_convert.md
│ │ ├── thv_registry_info.md
│ │ ├── thv_registry_list.md
│ │ ├── thv_registry_login.md
│ │ ├── thv_registry_logout.md
│ │ ├── thv_rm.md
│ │ ├── thv_run.md
│ │ ├── thv_runtime.md
│ │ ├── thv_runtime_check.md
│ │ ├── thv_search.md
│ │ ├── thv_secret.md
│ │ ├── thv_secret_delete.md
│ │ ├── thv_secret_get.md
│ │ ├── thv_secret_list.md
│ │ ├── thv_secret_provider.md
│ │ ├── thv_secret_reset-keyring.md
│ │ ├── thv_secret_set.md
│ │ ├── thv_secret_setup.md
│ │ ├── thv_serve.md
│ │ ├── thv_skill.md
│ │ ├── thv_skill_build.md
│ │ ├── thv_skill_builds.md
│ │ ├── thv_skill_builds_remove.md
│ │ ├── thv_skill_info.md
│ │ ├── thv_skill_install.md
│ │ ├── thv_skill_list.md
│ │ ├── thv_skill_push.md
│ │ ├── thv_skill_uninstall.md
│ │ ├── thv_skill_validate.md
│ │ ├── thv_start.md
│ │ ├── thv_status.md
│ │ ├── thv_stop.md
│ │ ├── thv_tui.md
│ │ ├── thv_version.md
│ │ ├── thv_vmcp.md
│ │ ├── thv_vmcp_init.md
│ │ ├── thv_vmcp_serve.md
│ │ └── thv_vmcp_validate.md
│ ├── cli-best-practices.md
│ ├── error-handling.md
│ ├── examples/
│ │ ├── webhooks.json
│ │ └── webhooks.yaml
│ ├── kind/
│ │ ├── deploying-mcp-server-with-operator.md
│ │ ├── deploying-toolhive-operator.md
│ │ ├── ingress-port-forward.md
│ │ ├── ingress.md
│ │ └── setup-kind-cluster.md
│ ├── logging.md
│ ├── middleware.md
│ ├── observability.md
│ ├── operator/
│ │ ├── advanced-workflow-patterns.md
│ │ ├── composite-tools-quick-reference.md
│ │ ├── crd-api.md
│ │ ├── crd-ref-config.yaml
│ │ ├── restart-annotation.md
│ │ ├── templates/
│ │ │ └── markdown/
│ │ │ ├── gv_details.tpl
│ │ │ ├── gv_list.tpl
│ │ │ ├── type.tpl
│ │ │ └── type_members.tpl
│ │ ├── toolconfig-reconciliation.md
│ │ ├── virtualmcpcompositetooldefinition-guide.md
│ │ ├── virtualmcpserver-api.md
│ │ ├── virtualmcpserver-kubernetes-guide.md
│ │ └── virtualmcpserver-observability.md
│ ├── proposals/
│ │ └── README.md
│ ├── redis-storage.md
│ ├── registry/
│ │ ├── heuristics.md
│ │ ├── management.md
│ │ └── schema.md
│ ├── remote-mcp-authentication.md
│ ├── runtime-implementation-guide.md
│ ├── runtime-version-customization.md
│ ├── server/
│ │ ├── README.md
│ │ ├── docs.go
│ │ ├── swagger.json
│ │ └── swagger.yaml
│ └── telemetry-migration-guide.md
├── examples/
│ ├── authz-config-with-entities.json
│ ├── authz-config.json
│ ├── authz-httpv1-config.yaml
│ ├── mcpserver-with-audit.yaml
│ ├── operator/
│ │ ├── embedding-servers/
│ │ │ ├── README.md
│ │ │ ├── basic-embedding.yaml
│ │ │ ├── embedding-advanced.yaml
│ │ │ └── embedding-with-cache.yaml
│ │ ├── external-auth/
│ │ │ ├── complete_example.yaml
│ │ │ ├── mcpexternalauthconfig_basic.yaml
│ │ │ ├── mcpexternalauthconfig_minimal.yaml
│ │ │ ├── mcpremoteproxy_with_bearer_token.yaml
│ │ │ └── mcpserver_with_external_auth.yaml
│ │ ├── mcp-registries/
│ │ │ ├── mcpregistry-configyaml-api.yaml
│ │ │ ├── mcpregistry-configyaml-configmap.yaml
│ │ │ ├── mcpregistry-configyaml-git-auth.yaml
│ │ │ ├── mcpregistry-configyaml-minimal.yaml
│ │ │ ├── mcpregistry-configyaml-oauth.yaml
│ │ │ └── mcpregistry-configyaml-pgpass.yaml
│ │ ├── mcp-server-entries/
│ │ │ ├── mcpserverentry_basic.yaml
│ │ │ ├── mcpserverentry_mixed_group.yaml
│ │ │ ├── mcpserverentry_with_ca_bundle.yaml
│ │ │ ├── mcpserverentry_with_header_forward.yaml
│ │ │ └── mcpserverentry_with_token_exchange.yaml
│ │ ├── mcp-servers/
│ │ │ ├── mcpremoteproxy_with_oidcconfig_ref.yaml
│ │ │ ├── mcpserver_fetch.yaml
│ │ │ ├── mcpserver_fetch_otel.yaml
│ │ │ ├── mcpserver_fetch_tools_filter.yaml
│ │ │ ├── mcpserver_github.yaml
│ │ │ ├── mcpserver_mkp.yaml
│ │ │ ├── mcpserver_with_oidcconfig_ref.yaml
│ │ │ ├── mcpserver_with_pod_template.yaml
│ │ │ ├── mcpserver_with_resource_overrides.yaml
│ │ │ ├── mcpserver_with_restart_strategy.yaml
│ │ │ ├── mcpserver_yardstick_sse.yaml
│ │ │ ├── mcpserver_yardstick_stdio.yaml
│ │ │ └── mcpserver_yardstick_streamablehttp.yaml
│ │ ├── redis-storage/
│ │ │ ├── mcpexternalauthconfig-redis-storage.yaml
│ │ │ ├── redis-credentials.yaml
│ │ │ ├── redis-failover.yaml
│ │ │ └── sentinel-service.yaml
│ │ ├── tool-configs/
│ │ │ ├── toolconfig_basic.yaml
│ │ │ └── toolconfig_with_overrides.yaml
│ │ ├── vault/
│ │ │ ├── mcpserver-github-with-vault.yaml
│ │ │ └── setup-vault-dev.sh
│ │ └── virtual-mcps/
│ │ ├── composite_tool_complex.yaml
│ │ ├── composite_tool_simple.yaml
│ │ ├── composite_tool_with_elicitations.yaml
│ │ ├── vmcp_conflict_resolution.yaml
│ │ ├── vmcp_inline_incoming_auth.yaml
│ │ ├── vmcp_optimizer_all_options.yaml
│ │ ├── vmcp_optimizer_quickstart.yaml
│ │ ├── vmcp_production_full.yaml
│ │ ├── vmcp_simple_discovered.yaml
│ │ ├── vmcp_with_oidcconfig_ref.yaml
│ │ └── vmcp_with_telemetry_ref.yaml
│ ├── otel/
│ │ ├── README.md
│ │ ├── grafana-dashboards/
│ │ │ ├── toolhive-cli-mcp-grafana-dashboard-otel-scrape.json
│ │ │ ├── toolhive-mcp-grafana-dashboard-otel-remotewrite.json
│ │ │ ├── toolhive-mcp-grafana-dashboard-otel-scrape.json
│ │ │ └── toolhive-mcp-otel-semconv-dashboard.json
│ │ ├── otel-values.yaml
│ │ ├── prometheus-stack-values.yaml
│ │ └── tempo-values.yaml
│ ├── registry-with-remote-servers.json
│ └── vmcp-config.yaml
├── go.mod
├── go.sum
├── hack/
│ └── boilerplate.go.txt
├── pkg/
│ ├── api/
│ │ ├── docs.go
│ │ ├── errors/
│ │ │ ├── handler.go
│ │ │ └── handler_test.go
│ │ ├── openapi.go
│ │ ├── request_size_test.go
│ │ ├── scalar.go
│ │ ├── server.go
│ │ ├── server_test.go
│ │ └── v1/
│ │ ├── clients.go
│ │ ├── discovery.go
│ │ ├── groups.go
│ │ ├── groups_test.go
│ │ ├── healthcheck.go
│ │ ├── healthcheck_test.go
│ │ ├── registry.go
│ │ ├── registry_factory_test.go
│ │ ├── registry_test.go
│ │ ├── registry_timeout_test.go
│ │ ├── registry_v01.go
│ │ ├── registry_v01_servers.go
│ │ ├── registry_v01_servers_test.go
│ │ ├── registry_v01_skills.go
│ │ ├── registry_v01_skills_test.go
│ │ ├── secrets.go
│ │ ├── secrets_test.go
│ │ ├── skills.go
│ │ ├── skills_test.go
│ │ ├── skills_types.go
│ │ ├── version.go
│ │ ├── version_test.go
│ │ ├── workload_service.go
│ │ ├── workload_service_test.go
│ │ ├── workload_types.go
│ │ ├── workloads.go
│ │ ├── workloads_test.go
│ │ └── workloads_types_test.go
│ ├── audit/
│ │ ├── auditor.go
│ │ ├── auditor_test.go
│ │ ├── backend_info_test.go
│ │ ├── config.go
│ │ ├── config_test.go
│ │ ├── doc.go
│ │ ├── event.go
│ │ ├── event_test.go
│ │ ├── mcp_events.go
│ │ ├── middleware.go
│ │ ├── middleware_test.go
│ │ ├── workflow_auditor.go
│ │ ├── workflow_auditor_test.go
│ │ └── zz_generated.deepcopy.go
│ ├── auth/
│ │ ├── anonymous.go
│ │ ├── anonymous_test.go
│ │ ├── awssts/
│ │ │ ├── config.go
│ │ │ ├── errors.go
│ │ │ ├── exchange.go
│ │ │ ├── exchange_test.go
│ │ │ ├── middleware.go
│ │ │ ├── middleware_test.go
│ │ │ ├── role_mapper.go
│ │ │ ├── role_mapper_test.go
│ │ │ ├── signer.go
│ │ │ └── signer_test.go
│ │ ├── context.go
│ │ ├── context_test.go
│ │ ├── discovery/
│ │ │ ├── dcr_request.go
│ │ │ ├── discovery.go
│ │ │ ├── discovery_test.go
│ │ │ └── resource_metadata_test.go
│ │ ├── github_provider.go
│ │ ├── github_provider_test.go
│ │ ├── identity.go
│ │ ├── identity_test.go
│ │ ├── local.go
│ │ ├── local_test.go
│ │ ├── middleware.go
│ │ ├── middleware_test.go
│ │ ├── monitored_token_source.go
│ │ ├── monitored_token_source_test.go
│ │ ├── oauth/
│ │ │ ├── flow.go
│ │ │ ├── flow_test.go
│ │ │ ├── manual.go
│ │ │ ├── manual_test.go
│ │ │ ├── non_caching_refresher.go
│ │ │ ├── oidc.go
│ │ │ ├── oidc_test.go
│ │ │ ├── resource_token_source.go
│ │ │ └── resource_token_source_test.go
│ │ ├── remote/
│ │ │ ├── bearer_token_source.go
│ │ │ ├── bearer_token_source_test.go
│ │ │ ├── config.go
│ │ │ ├── config_test.go
│ │ │ ├── doc.go
│ │ │ ├── handler.go
│ │ │ ├── handler_test.go
│ │ │ ├── handler_test_helpers_test.go
│ │ │ ├── persisting_token_source.go
│ │ │ └── persisting_token_source_test.go
│ │ ├── secrets/
│ │ │ ├── secrets.go
│ │ │ └── secrets_test.go
│ │ ├── token.go
│ │ ├── token_test.go
│ │ ├── tokenexchange/
│ │ │ ├── exchange.go
│ │ │ ├── exchange_test.go
│ │ │ ├── middleware.go
│ │ │ └── middleware_test.go
│ │ ├── tokensource/
│ │ │ ├── preemptive_test.go
│ │ │ ├── tokensource.go
│ │ │ └── tokensource_test.go
│ │ ├── upstreamswap/
│ │ │ ├── middleware.go
│ │ │ └── middleware_test.go
│ │ ├── upstreamtoken/
│ │ │ ├── errors.go
│ │ │ ├── mocks/
│ │ │ │ └── mock_token_reader.go
│ │ │ ├── service.go
│ │ │ ├── service_test.go
│ │ │ └── types.go
│ │ ├── utils.go
│ │ ├── utils_test.go
│ │ ├── well_known.go
│ │ └── well_known_test.go
│ ├── authserver/
│ │ ├── config.go
│ │ ├── config_test.go
│ │ ├── docs.go
│ │ ├── integration_test.go
│ │ ├── oauthparams/
│ │ │ └── reserved.go
│ │ ├── refresher.go
│ │ ├── refresher_test.go
│ │ ├── runner/
│ │ │ ├── dcr.go
│ │ │ ├── dcr_store.go
│ │ │ ├── dcr_store_test.go
│ │ │ ├── dcr_test.go
│ │ │ ├── embeddedauthserver.go
│ │ │ ├── embeddedauthserver_test.go
│ │ │ └── redis_tls_test.go
│ │ ├── server/
│ │ │ ├── audience.go
│ │ │ ├── audience_test.go
│ │ │ ├── crypto/
│ │ │ │ ├── keys.go
│ │ │ │ ├── keys_test.go
│ │ │ │ ├── pkce.go
│ │ │ │ └── pkce_test.go
│ │ │ ├── doc.go
│ │ │ ├── handlers/
│ │ │ │ ├── authorize.go
│ │ │ │ ├── authorize_test.go
│ │ │ │ ├── callback.go
│ │ │ │ ├── callback_test.go
│ │ │ │ ├── dcr.go
│ │ │ │ ├── dcr_test.go
│ │ │ │ ├── discovery.go
│ │ │ │ ├── doc.go
│ │ │ │ ├── handler.go
│ │ │ │ ├── handler_chain_test.go
│ │ │ │ ├── handlers_test.go
│ │ │ │ ├── helpers_test.go
│ │ │ │ ├── token.go
│ │ │ │ ├── token_test.go
│ │ │ │ ├── user.go
│ │ │ │ └── user_test.go
│ │ │ ├── keys/
│ │ │ │ ├── config.go
│ │ │ │ ├── mocks/
│ │ │ │ │ └── mock_provider.go
│ │ │ │ ├── provider.go
│ │ │ │ ├── provider_test.go
│ │ │ │ └── types.go
│ │ │ ├── provider.go
│ │ │ ├── provider_test.go
│ │ │ ├── registration/
│ │ │ │ ├── client.go
│ │ │ │ ├── client_test.go
│ │ │ │ ├── dcr.go
│ │ │ │ └── dcr_test.go
│ │ │ └── session/
│ │ │ ├── session.go
│ │ │ └── session_test.go
│ │ ├── server.go
│ │ ├── server_impl.go
│ │ ├── server_test.go
│ │ ├── storage/
│ │ │ ├── config.go
│ │ │ ├── doc.go
│ │ │ ├── memory.go
│ │ │ ├── memory_test.go
│ │ │ ├── mocks/
│ │ │ │ └── mock_storage.go
│ │ │ ├── redis.go
│ │ │ ├── redis_integration_test.go
│ │ │ ├── redis_keys.go
│ │ │ ├── redis_migrate.go
│ │ │ ├── redis_test.go
│ │ │ ├── redis_tls_test.go
│ │ │ ├── types.go
│ │ │ └── types_test.go
│ │ └── upstream/
│ │ ├── doc.go
│ │ ├── mocks/
│ │ │ └── mock_provider.go
│ │ ├── oauth2.go
│ │ ├── oauth2_test.go
│ │ ├── oidc.go
│ │ ├── oidc_test.go
│ │ ├── token_exchange.go
│ │ ├── token_exchange_test.go
│ │ ├── tokens.go
│ │ ├── tokens_test.go
│ │ ├── types.go
│ │ ├── userinfo_config.go
│ │ └── userinfo_config_test.go
│ ├── authz/
│ │ ├── annotation_cache.go
│ │ ├── annotation_cache_test.go
│ │ ├── authorizers/
│ │ │ ├── annotations.go
│ │ │ ├── annotations_test.go
│ │ │ ├── cedar/
│ │ │ │ ├── annotations_integration_test.go
│ │ │ │ ├── annotations_override_test.go
│ │ │ │ ├── core.go
│ │ │ │ ├── core_test.go
│ │ │ │ ├── entity.go
│ │ │ │ ├── entity_test.go
│ │ │ │ └── record_test.go
│ │ │ ├── config.go
│ │ │ ├── config_test.go
│ │ │ ├── core.go
│ │ │ ├── http/
│ │ │ │ ├── claim_mapper.go
│ │ │ │ ├── claim_mapper_test.go
│ │ │ │ ├── config.go
│ │ │ │ ├── config_test.go
│ │ │ │ ├── core.go
│ │ │ │ ├── core_test.go
│ │ │ │ ├── enrichment_test.go
│ │ │ │ ├── http_client.go
│ │ │ │ ├── http_client_test.go
│ │ │ │ ├── integration_test.go
│ │ │ │ ├── porc.go
│ │ │ │ └── porc_test.go
│ │ │ ├── registry.go
│ │ │ └── registry_test.go
│ │ ├── authorizers.go
│ │ ├── config.go
│ │ ├── config_test.go
│ │ ├── integration_test.go
│ │ ├── middleware.go
│ │ ├── middleware_test.go
│ │ ├── response_filter.go
│ │ ├── response_filter_test.go
│ │ ├── tool_filter.go
│ │ └── tool_filter_test.go
│ ├── cache/
│ │ ├── validating_cache.go
│ │ └── validating_cache_test.go
│ ├── certs/
│ │ ├── validation.go
│ │ └── validation_test.go
│ ├── cli/
│ │ ├── tools_override.go
│ │ └── tools_override_test.go
│ ├── client/
│ │ ├── config.go
│ │ ├── config_editor.go
│ │ ├── config_editor_test.go
│ │ ├── config_test.go
│ │ ├── converter.go
│ │ ├── converter_test.go
│ │ ├── discovery.go
│ │ ├── discovery_test.go
│ │ ├── filter.go
│ │ ├── filter_test.go
│ │ ├── llm_gateway.go
│ │ ├── llm_gateway_test.go
│ │ ├── manager.go
│ │ ├── mocks/
│ │ │ └── mock_manager.go
│ │ ├── skills.go
│ │ ├── skills_test.go
│ │ └── test_support.go
│ ├── config/
│ │ ├── buildauthfile.go
│ │ ├── buildauthfile_test.go
│ │ ├── buildenv.go
│ │ ├── buildenv_test.go
│ │ ├── cacert.go
│ │ ├── cacert_test.go
│ │ ├── config.go
│ │ ├── config_test.go
│ │ ├── errors.go
│ │ ├── errors_test.go
│ │ ├── factory.go
│ │ ├── factory_test.go
│ │ ├── interface.go
│ │ ├── interface_test.go
│ │ ├── mocks/
│ │ │ └── mock_provider.go
│ │ ├── registry.go
│ │ ├── registry_test.go
│ │ ├── singleton.go
│ │ ├── validation.go
│ │ └── validation_test.go
│ ├── container/
│ │ ├── docker/
│ │ │ ├── client.go
│ │ │ ├── client_config_test.go
│ │ │ ├── client_create_test.go
│ │ │ ├── client_deploy_test.go
│ │ │ ├── client_final_port_linux.go
│ │ │ ├── client_final_port_other.go
│ │ │ ├── client_helpers_test.go
│ │ │ ├── client_info_test.go
│ │ │ ├── client_list_test.go
│ │ │ ├── client_partial_match_test.go
│ │ │ ├── client_stop_test.go
│ │ │ ├── errors.go
│ │ │ ├── mocks_test.go
│ │ │ ├── register.go
│ │ │ ├── sdk/
│ │ │ │ ├── client_unix.go
│ │ │ │ ├── client_unix_test.go
│ │ │ │ ├── client_windows.go
│ │ │ │ └── factory.go
│ │ │ ├── squid.go
│ │ │ └── squid_test.go
│ │ ├── factory.go
│ │ ├── factory_test.go
│ │ ├── images/
│ │ │ ├── image.go
│ │ │ ├── keychain.go
│ │ │ └── registry.go
│ │ ├── kubernetes/
│ │ │ ├── client.go
│ │ │ ├── client_test.go
│ │ │ ├── common.go
│ │ │ ├── common_test.go
│ │ │ ├── configmap.go
│ │ │ ├── configmap_test.go
│ │ │ ├── mocks/
│ │ │ │ └── mock_configmap.go
│ │ │ ├── register.go
│ │ │ ├── security.go
│ │ │ └── security_test.go
│ │ ├── name.go
│ │ ├── name_test.go
│ │ ├── runtime/
│ │ │ ├── errors.go
│ │ │ ├── errors_test.go
│ │ │ ├── mocks/
│ │ │ │ └── mock_runtime.go
│ │ │ ├── monitor.go
│ │ │ ├── monitor_test.go
│ │ │ ├── registry.go
│ │ │ ├── registry_test.go
│ │ │ └── types.go
│ │ ├── runtimes.go
│ │ └── templates/
│ │ ├── go.tmpl
│ │ ├── npx.tmpl
│ │ ├── runtime_config.go
│ │ ├── runtime_config_test.go
│ │ ├── templates.go
│ │ ├── templates_test.go
│ │ └── uvx.tmpl
│ ├── core/
│ │ ├── workload.go
│ │ └── workload_test.go
│ ├── desktop/
│ │ ├── marker.go
│ │ ├── types.go
│ │ ├── validation.go
│ │ └── validation_test.go
│ ├── environment/
│ │ ├── environment.go
│ │ └── environment_test.go
│ ├── export/
│ │ ├── k8s.go
│ │ └── k8s_test.go
│ ├── fileutils/
│ │ ├── atomic.go
│ │ ├── atomic_test.go
│ │ ├── contained.go
│ │ ├── lock.go
│ │ ├── validation.go
│ │ └── validation_test.go
│ ├── foreach/
│ │ ├── foreach.go
│ │ └── foreach_test.go
│ ├── git/
│ │ ├── client.go
│ │ ├── client_test.go
│ │ ├── doc.go
│ │ ├── fs.go
│ │ ├── integration_test.go
│ │ └── types.go
│ ├── groups/
│ │ ├── cli_manager.go
│ │ ├── cli_manager_test.go
│ │ ├── crd_manager.go
│ │ ├── crd_manager_test.go
│ │ ├── errors.go
│ │ ├── group.go
│ │ ├── manager.go
│ │ ├── mocks/
│ │ │ └── mock_manager.go
│ │ ├── skills.go
│ │ └── skills_test.go
│ ├── healthcheck/
│ │ ├── healthcheck.go
│ │ └── healthcheck_test.go
│ ├── ignore/
│ │ ├── processor.go
│ │ └── processor_test.go
│ ├── json/
│ │ └── any.go
│ ├── k8s/
│ │ ├── client.go
│ │ ├── client_test.go
│ │ ├── config.go
│ │ ├── config_test.go
│ │ ├── doc.go
│ │ ├── namespace.go
│ │ ├── namespace_test.go
│ │ └── test_helpers.go
│ ├── labels/
│ │ ├── labels.go
│ │ └── labels_test.go
│ ├── llm/
│ │ ├── config.go
│ │ ├── config_test.go
│ │ ├── doc.go
│ │ ├── manage.go
│ │ ├── manage_test.go
│ │ ├── proxy/
│ │ │ ├── proxy.go
│ │ │ └── proxy_test.go
│ │ ├── setup.go
│ │ ├── setup_test.go
│ │ ├── tokensource.go
│ │ └── tokensource_test.go
│ ├── llmgateway/
│ │ └── config.go
│ ├── lockfile/
│ │ ├── cleanup.go
│ │ └── cleanup_test.go
│ ├── mcp/
│ │ ├── client/
│ │ │ └── client.go
│ │ ├── middleware.go
│ │ ├── middleware_test.go
│ │ ├── parser.go
│ │ ├── parser_integration_test.go
│ │ ├── parser_test.go
│ │ ├── response.go
│ │ ├── response_test.go
│ │ ├── server/
│ │ │ ├── get_server_logs.go
│ │ │ ├── handler.go
│ │ │ ├── handler_mock_test.go
│ │ │ ├── handler_test.go
│ │ │ ├── list_secrets.go
│ │ │ ├── list_secrets_test.go
│ │ │ ├── list_servers.go
│ │ │ ├── remove_server.go
│ │ │ ├── run_server.go
│ │ │ ├── search_registry.go
│ │ │ ├── server.go
│ │ │ ├── server_test.go
│ │ │ ├── set_secret.go
│ │ │ ├── set_secret_test.go
│ │ │ └── stop_server.go
│ │ ├── tool_filter.go
│ │ ├── tool_filter_test.go
│ │ ├── tool_middleware_test.go
│ │ ├── utils.go
│ │ └── utils_test.go
│ ├── migration/
│ │ ├── middleware_telemetry.go
│ │ ├── migration.go
│ │ ├── secret_scope.go
│ │ ├── telemetry_config.go
│ │ └── telemetry_config_test.go
│ ├── networking/
│ │ ├── fetch.go
│ │ ├── fetch_test.go
│ │ ├── http_client.go
│ │ ├── http_client_test.go
│ │ ├── http_error.go
│ │ ├── http_error_test.go
│ │ ├── port.go
│ │ ├── port_test.go
│ │ ├── utilities.go
│ │ └── utilities_test.go
│ ├── oauthproto/
│ │ ├── cimd.go
│ │ ├── cimd_test.go
│ │ ├── constants.go
│ │ ├── dcr.go
│ │ ├── dcr_test.go
│ │ ├── discovery.go
│ │ ├── discovery_test.go
│ │ ├── doc.go
│ │ ├── errors.go
│ │ ├── grants.go
│ │ ├── grants_test.go
│ │ ├── locality.go
│ │ ├── oauthtest/
│ │ │ └── fixtures.go
│ │ ├── redirect.go
│ │ └── redirect_test.go
│ ├── oidc/
│ │ ├── clientconfig.go
│ │ └── doc.go
│ ├── operator/
│ │ ├── accessors/
│ │ │ ├── mcpserver_accessor.go
│ │ │ └── mcpserver_accessor_test.go
│ │ └── telemetry/
│ │ ├── telemetry.go
│ │ └── telemetry_test.go
│ ├── process/
│ │ ├── detached.go
│ │ ├── find_unix.go
│ │ ├── find_windows.go
│ │ ├── kill_unix.go
│ │ ├── kill_windows.go
│ │ ├── pid_validation_test.go
│ │ ├── toolhive_proxy.go
│ │ ├── toolhive_proxy_test.go
│ │ ├── wait.go
│ │ └── wait_test.go
│ ├── ratelimit/
│ │ ├── internal/
│ │ │ └── bucket/
│ │ │ ├── bucket.go
│ │ │ └── bucket_test.go
│ │ ├── limiter.go
│ │ ├── limiter_test.go
│ │ ├── middleware.go
│ │ └── middleware_test.go
│ ├── recovery/
│ │ ├── recovery.go
│ │ └── recovery_test.go
│ ├── registry/
│ │ ├── api/
│ │ │ ├── client.go
│ │ │ ├── shared.go
│ │ │ ├── skills_client.go
│ │ │ └── skills_client_test.go
│ │ ├── auth/
│ │ │ ├── auth.go
│ │ │ ├── auth_test.go
│ │ │ ├── cache.go
│ │ │ ├── helpers_test.go
│ │ │ ├── issuer_validation.go
│ │ │ ├── login.go
│ │ │ ├── login_test.go
│ │ │ ├── transport.go
│ │ │ └── transport_test.go
│ │ ├── auth_manager.go
│ │ ├── auth_manager_test.go
│ │ ├── convert.go
│ │ ├── convert_test.go
│ │ ├── errors.go
│ │ ├── errors_test.go
│ │ ├── factory.go
│ │ ├── factory_test.go
│ │ ├── legacyhint/
│ │ │ ├── legacyhint.go
│ │ │ └── legacyhint_test.go
│ │ ├── mocks/
│ │ │ ├── mock_provider.go
│ │ │ └── mock_service.go
│ │ ├── policy_gate.go
│ │ ├── policy_gate_test.go
│ │ ├── provider.go
│ │ ├── provider_api.go
│ │ ├── provider_base.go
│ │ ├── provider_cached.go
│ │ ├── provider_cached_authbug_test.go
│ │ ├── provider_local.go
│ │ ├── provider_remote.go
│ │ ├── provider_test.go
│ │ ├── schema_validation_test.go
│ │ ├── service.go
│ │ ├── service_test.go
│ │ ├── types_test.go
│ │ └── upstream_parser.go
│ ├── runner/
│ │ ├── config.go
│ │ ├── config_builder.go
│ │ ├── config_builder_test.go
│ │ ├── config_env_files_test.go
│ │ ├── config_test.go
│ │ ├── env.go
│ │ ├── env_files.go
│ │ ├── env_files_test.go
│ │ ├── middleware.go
│ │ ├── middleware_test.go
│ │ ├── permissions.go
│ │ ├── permissions_test.go
│ │ ├── policy_gate.go
│ │ ├── policy_gate_test.go
│ │ ├── protocol.go
│ │ ├── protocol_test.go
│ │ ├── retriever/
│ │ │ ├── retriever.go
│ │ │ └── retriever_test.go
│ │ ├── runner.go
│ │ ├── runner_test.go
│ │ └── webhook_integration_test.go
│ ├── runtime/
│ │ └── setup.go
│ ├── script/
│ │ ├── description.go
│ │ ├── description_test.go
│ │ ├── executor.go
│ │ ├── internal/
│ │ │ ├── builtins/
│ │ │ │ ├── builtins.go
│ │ │ │ ├── builtins_test.go
│ │ │ │ ├── calltool.go
│ │ │ │ ├── parallel.go
│ │ │ │ └── tools.go
│ │ │ ├── conversions/
│ │ │ │ ├── result.go
│ │ │ │ ├── result_test.go
│ │ │ │ ├── starlark.go
│ │ │ │ ├── starlark_test.go
│ │ │ │ ├── toolname.go
│ │ │ │ └── toolname_test.go
│ │ │ └── core/
│ │ │ ├── execute.go
│ │ │ └── execute_test.go
│ │ ├── script.go
│ │ └── script_test.go
│ ├── secrets/
│ │ ├── 1password.go
│ │ ├── 1password_test.go
│ │ ├── aes/
│ │ │ ├── aes.go
│ │ │ └── aes_test.go
│ │ ├── clients/
│ │ │ ├── 1password.go
│ │ │ └── mocks/
│ │ │ └── mock_onepassword.go
│ │ ├── concurrency_test.go
│ │ ├── encrypted.go
│ │ ├── encrypted_test.go
│ │ ├── environment.go
│ │ ├── environment_test.go
│ │ ├── factory.go
│ │ ├── factory_test.go
│ │ ├── fallback.go
│ │ ├── fallback_test.go
│ │ ├── integration_test.go
│ │ ├── keyring/
│ │ │ ├── composite.go
│ │ │ ├── composite_test.go
│ │ │ ├── dbus_wrapper.go
│ │ │ ├── interface.go
│ │ │ ├── keyctl_linux.go
│ │ │ ├── keyctl_linux_test.go
│ │ │ ├── keyctl_other.go
│ │ │ └── utils.go
│ │ ├── migration.go
│ │ ├── migration_test.go
│ │ ├── mocks/
│ │ │ ├── mock_onepassword.go
│ │ │ └── mock_provider.go
│ │ ├── scoped.go
│ │ ├── scoped_test.go
│ │ ├── types.go
│ │ └── types_test.go
│ ├── security/
│ │ ├── security.go
│ │ └── security_test.go
│ ├── sentry/
│ │ ├── sentry.go
│ │ └── sentry_test.go
│ ├── server/
│ │ └── discovery/
│ │ ├── discover.go
│ │ ├── discover_test.go
│ │ ├── discovery.go
│ │ ├── discovery_test.go
│ │ ├── health.go
│ │ └── health_test.go
│ ├── skills/
│ │ ├── client/
│ │ │ ├── client.go
│ │ │ ├── client_test.go
│ │ │ └── dto.go
│ │ ├── gitresolver/
│ │ │ ├── auth.go
│ │ │ ├── auth_test.go
│ │ │ ├── mocks/
│ │ │ │ └── mock_resolver.go
│ │ │ ├── reference.go
│ │ │ ├── reference_test.go
│ │ │ ├── resolver.go
│ │ │ ├── resolver_test.go
│ │ │ ├── writer.go
│ │ │ └── writer_test.go
│ │ ├── installer.go
│ │ ├── installer_test.go
│ │ ├── mocks/
│ │ │ ├── mock_path_resolver.go
│ │ │ └── mock_service.go
│ │ ├── options.go
│ │ ├── parser.go
│ │ ├── parser_test.go
│ │ ├── project_root.go
│ │ ├── project_root_test.go
│ │ ├── service.go
│ │ ├── skillsvc/
│ │ │ ├── build.go
│ │ │ ├── build_test.go
│ │ │ ├── clients.go
│ │ │ ├── content.go
│ │ │ ├── content_test.go
│ │ │ ├── info_test.go
│ │ │ ├── install.go
│ │ │ ├── install_extraction.go
│ │ │ ├── install_git.go
│ │ │ ├── install_git_test.go
│ │ │ ├── install_oci.go
│ │ │ ├── install_oci_test.go
│ │ │ ├── install_registry_test.go
│ │ │ ├── install_test.go
│ │ │ ├── list.go
│ │ │ ├── local_build_marker.go
│ │ │ ├── oci.go
│ │ │ ├── oci_test.go
│ │ │ ├── pull_errors.go
│ │ │ ├── pull_errors_test.go
│ │ │ ├── registry.go
│ │ │ ├── scope.go
│ │ │ ├── service.go
│ │ │ ├── service_test.go
│ │ │ ├── testhelpers_test.go
│ │ │ ├── uninstall.go
│ │ │ └── uninstall_test.go
│ │ ├── types.go
│ │ ├── validator.go
│ │ └── validator_test.go
│ ├── state/
│ │ ├── factory.go
│ │ ├── factory_test.go
│ │ ├── interface.go
│ │ ├── kubernetes.go
│ │ ├── kubernetes_test.go
│ │ ├── local.go
│ │ ├── mocks/
│ │ │ └── mock_store.go
│ │ └── runconfig.go
│ ├── storage/
│ │ ├── errors.go
│ │ ├── interfaces.go
│ │ ├── mocks/
│ │ │ └── mock_skill_store.go
│ │ ├── noop.go
│ │ ├── noop_test.go
│ │ └── sqlite/
│ │ ├── db.go
│ │ ├── db_test.go
│ │ ├── factory.go
│ │ ├── factory_test.go
│ │ ├── migrations/
│ │ │ └── 001_create_entries_and_skills.sql
│ │ ├── migrations.go
│ │ ├── migrations_test.go
│ │ ├── skill_store.go
│ │ └── skill_store_test.go
│ ├── syncutil/
│ │ ├── atmost.go
│ │ └── atmost_test.go
│ ├── telemetry/
│ │ ├── attributes.go
│ │ ├── attributes_test.go
│ │ ├── config.go
│ │ ├── config_test.go
│ │ ├── doc.go
│ │ ├── integration_test.go
│ │ ├── middleware.go
│ │ ├── middleware_sse_test.go
│ │ ├── middleware_test.go
│ │ ├── propagation.go
│ │ ├── propagation_test.go
│ │ ├── providers/
│ │ │ ├── otlp/
│ │ │ │ ├── config.go
│ │ │ │ ├── endpoint.go
│ │ │ │ ├── endpoint_test.go
│ │ │ │ ├── logging.go
│ │ │ │ ├── metrics.go
│ │ │ │ ├── metrics_test.go
│ │ │ │ ├── tls.go
│ │ │ │ ├── tls_test.go
│ │ │ │ ├── tracing.go
│ │ │ │ └── tracing_test.go
│ │ │ ├── prometheus/
│ │ │ │ ├── prometheus.go
│ │ │ │ └── prometheus_test.go
│ │ │ ├── providers.go
│ │ │ ├── providers_strategy.go
│ │ │ ├── providers_strategy_test.go
│ │ │ ├── providers_test.go
│ │ │ └── unified_test.go
│ │ ├── registry.go
│ │ ├── registry_test.go
│ │ ├── serve.go
│ │ └── zz_generated.deepcopy.go
│ ├── templates/
│ │ ├── funcs.go
│ │ ├── references.go
│ │ └── references_test.go
│ ├── transport/
│ │ ├── bridge.go
│ │ ├── errors/
│ │ │ ├── errors.go
│ │ │ └── errors_test.go
│ │ ├── factory.go
│ │ ├── http.go
│ │ ├── http_remote_query_test.go
│ │ ├── http_test.go
│ │ ├── middleware/
│ │ │ ├── header_forward.go
│ │ │ ├── header_forward_test.go
│ │ │ ├── token_injection.go
│ │ │ ├── token_injection_test.go
│ │ │ ├── write_timeout.go
│ │ │ └── write_timeout_test.go
│ │ ├── proxy/
│ │ │ ├── httpsse/
│ │ │ │ ├── http_proxy.go
│ │ │ │ ├── http_proxy_integration_test.go
│ │ │ │ ├── http_proxy_test.go
│ │ │ │ └── pinger.go
│ │ │ ├── socket/
│ │ │ │ ├── socket_unix.go
│ │ │ │ └── socket_windows.go
│ │ │ ├── streamable/
│ │ │ │ ├── dispatcher.go
│ │ │ │ ├── streamable_proxy.go
│ │ │ │ ├── streamable_proxy_integration_test.go
│ │ │ │ ├── streamable_proxy_mcp_client_integration_test.go
│ │ │ │ ├── streamable_proxy_spec_test.go
│ │ │ │ ├── streamable_proxy_test.go
│ │ │ │ └── utils.go
│ │ │ └── transparent/
│ │ │ ├── backend_recovery_test.go
│ │ │ ├── backend_routing_test.go
│ │ │ ├── delete_session_test.go
│ │ │ ├── method_gate_test.go
│ │ │ ├── pinger.go
│ │ │ ├── pinger_test.go
│ │ │ ├── redirect_test.go
│ │ │ ├── remote_path_test.go
│ │ │ ├── response_processor.go
│ │ │ ├── session_id.go
│ │ │ ├── session_id_test.go
│ │ │ ├── sse_response_processor.go
│ │ │ ├── transparent_proxy.go
│ │ │ └── transparent_test.go
│ │ ├── session/
│ │ │ ├── errors.go
│ │ │ ├── jsonrpc_errors.go
│ │ │ ├── jsonrpc_errors_test.go
│ │ │ ├── manager.go
│ │ │ ├── manager_redis_test.go
│ │ │ ├── manager_test.go
│ │ │ ├── proxy_session.go
│ │ │ ├── redis_config.go
│ │ │ ├── serialization.go
│ │ │ ├── serialization_test.go
│ │ │ ├── session_data_storage.go
│ │ │ ├── session_data_storage_local.go
│ │ │ ├── session_data_storage_redis.go
│ │ │ ├── session_data_storage_test.go
│ │ │ ├── sse_session.go
│ │ │ ├── storage.go
│ │ │ ├── storage_local.go
│ │ │ ├── storage_redis.go
│ │ │ ├── storage_redis_test.go
│ │ │ ├── storage_test.go
│ │ │ └── streamable_session.go
│ │ ├── ssecommon/
│ │ │ ├── sse_common.go
│ │ │ └── sse_common_test.go
│ │ ├── stdio.go
│ │ ├── stdio_test.go
│ │ ├── streamable/
│ │ │ └── streamable.go
│ │ ├── tunnel/
│ │ │ └── ngrok/
│ │ │ └── tunnel_provider.go
│ │ ├── types/
│ │ │ ├── mocks/
│ │ │ │ ├── mock_transport.go
│ │ │ │ └── mock_tunnel_provider.go
│ │ │ ├── transport.go
│ │ │ ├── transport_test.go
│ │ │ └── tunnel.go
│ │ ├── url.go
│ │ └── url_test.go
│ ├── tui/
│ │ ├── actions.go
│ │ ├── form_helpers.go
│ │ ├── form_helpers_test.go
│ │ ├── helpers_test.go
│ │ ├── init.go
│ │ ├── inspector.go
│ │ ├── inspector_test.go
│ │ ├── json_tree.go
│ │ ├── json_tree_test.go
│ │ ├── keys.go
│ │ ├── logformat.go
│ │ ├── logformat_test.go
│ │ ├── logs.go
│ │ ├── logs_test.go
│ │ ├── main_test.go
│ │ ├── model.go
│ │ ├── proxylogs.go
│ │ ├── registry.go
│ │ ├── registry_test.go
│ │ ├── search_test.go
│ │ ├── tools.go
│ │ ├── update.go
│ │ ├── update_inspector.go
│ │ ├── update_navigation.go
│ │ ├── update_registry.go
│ │ ├── update_search.go
│ │ ├── view.go
│ │ ├── view_helpers.go
│ │ ├── view_info.go
│ │ ├── view_inspector.go
│ │ ├── view_registry.go
│ │ └── view_statusbar.go
│ ├── updates/
│ │ ├── checker.go
│ │ ├── checker_test.go
│ │ ├── client.go
│ │ └── client_test.go
│ ├── usagemetrics/
│ │ ├── client.go
│ │ ├── client_test.go
│ │ ├── collector.go
│ │ ├── collector_test.go
│ │ ├── middleware.go
│ │ ├── middleware_test.go
│ │ └── types.go
│ ├── versions/
│ │ ├── version.go
│ │ └── version_test.go
│ ├── vmcp/
│ │ ├── aggregator/
│ │ │ ├── aggregator.go
│ │ │ ├── conflict_resolver.go
│ │ │ ├── conflict_resolver_test.go
│ │ │ ├── default_aggregator.go
│ │ │ ├── default_aggregator_test.go
│ │ │ ├── discoverer.go
│ │ │ ├── discoverer_test.go
│ │ │ ├── manual_resolver.go
│ │ │ ├── mocks/
│ │ │ │ └── mock_interfaces.go
│ │ │ ├── prefix_resolver.go
│ │ │ ├── priority_resolver.go
│ │ │ ├── testhelpers_annotations_test.go
│ │ │ ├── testhelpers_test.go
│ │ │ ├── tool_adapter.go
│ │ │ ├── tool_adapter_annotations_test.go
│ │ │ └── tool_adapter_test.go
│ │ ├── auth/
│ │ │ ├── auth.go
│ │ │ ├── converters/
│ │ │ │ ├── aws_sts.go
│ │ │ │ ├── aws_sts_test.go
│ │ │ │ ├── external_auth_config.go
│ │ │ │ ├── header_injection.go
│ │ │ │ ├── header_injection_test.go
│ │ │ │ ├── interface.go
│ │ │ │ ├── registry_test.go
│ │ │ │ ├── token_exchange.go
│ │ │ │ ├── token_exchange_test.go
│ │ │ │ ├── unauthenticated.go
│ │ │ │ ├── unauthenticated_test.go
│ │ │ │ ├── upstream_inject.go
│ │ │ │ └── upstream_inject_test.go
│ │ │ ├── factory/
│ │ │ │ ├── authz_not_wired_test.go
│ │ │ │ ├── incoming.go
│ │ │ │ ├── incoming_keyprovider_test.go
│ │ │ │ ├── incoming_test.go
│ │ │ │ ├── incoming_upstream_test.go
│ │ │ │ ├── integration_test.go
│ │ │ │ ├── outgoing.go
│ │ │ │ └── outgoing_test.go
│ │ │ ├── mocks/
│ │ │ │ └── mock_strategy.go
│ │ │ ├── outgoing_registry.go
│ │ │ ├── outgoing_registry_test.go
│ │ │ ├── strategies/
│ │ │ │ ├── aws_sts.go
│ │ │ │ ├── aws_sts_test.go
│ │ │ │ ├── constants.go
│ │ │ │ ├── header_injection.go
│ │ │ │ ├── header_injection_test.go
│ │ │ │ ├── tokenexchange.go
│ │ │ │ ├── tokenexchange_test.go
│ │ │ │ ├── unauthenticated.go
│ │ │ │ ├── unauthenticated_test.go
│ │ │ │ ├── upstream_inject.go
│ │ │ │ └── upstream_inject_test.go
│ │ │ └── types/
│ │ │ ├── doc.go
│ │ │ ├── types.go
│ │ │ └── zz_generated.deepcopy.go
│ │ ├── cache/
│ │ │ ├── cache.go
│ │ │ └── cache_test.go
│ │ ├── cli/
│ │ │ ├── auth_server_config_test.go
│ │ │ ├── embedding_manager.go
│ │ │ ├── embedding_manager_test.go
│ │ │ ├── init.go
│ │ │ ├── init_test.go
│ │ │ ├── mocks/
│ │ │ │ └── mock_container_factory.go
│ │ │ ├── optimizer_wiring_test.go
│ │ │ ├── serve.go
│ │ │ ├── serve_test.go
│ │ │ ├── validate.go
│ │ │ └── validate_test.go
│ │ ├── client/
│ │ │ ├── auth_propagation_integration_test.go
│ │ │ ├── client.go
│ │ │ ├── client_test.go
│ │ │ ├── meta_integration_test.go
│ │ │ └── mocks/
│ │ │ └── mock_outgoing_registry.go
│ │ ├── composer/
│ │ │ ├── composer.go
│ │ │ ├── composite_output_integration_test.go
│ │ │ ├── dag_executor.go
│ │ │ ├── dag_executor_test.go
│ │ │ ├── elicitation_handler.go
│ │ │ ├── elicitation_handler_test.go
│ │ │ ├── elicitation_integration_test.go
│ │ │ ├── foreach_test.go
│ │ │ ├── mocks/
│ │ │ │ └── mock_sdk_elicitation_requester.go
│ │ │ ├── output_constructor.go
│ │ │ ├── output_constructor_test.go
│ │ │ ├── output_validator.go
│ │ │ ├── output_validator_test.go
│ │ │ ├── security_test.go
│ │ │ ├── state_store.go
│ │ │ ├── state_store_test.go
│ │ │ ├── template_expander.go
│ │ │ ├── template_expander_test.go
│ │ │ ├── testhelpers_test.go
│ │ │ ├── workflow_audit_integration_test.go
│ │ │ ├── workflow_context.go
│ │ │ ├── workflow_engine.go
│ │ │ ├── workflow_engine_test.go
│ │ │ ├── workflow_errors.go
│ │ │ ├── workflow_state_store.go
│ │ │ └── workflow_state_store_test.go
│ │ ├── config/
│ │ │ ├── composite_validation.go
│ │ │ ├── composite_validation_test.go
│ │ │ ├── config.go
│ │ │ ├── config_test.go
│ │ │ ├── crd_cli_roundtrip_test.go
│ │ │ ├── defaults.go
│ │ │ ├── defaults_test.go
│ │ │ ├── doc.go
│ │ │ ├── foreach_validation_test.go
│ │ │ ├── validator.go
│ │ │ ├── validator_test.go
│ │ │ ├── yaml_loader.go
│ │ │ ├── yaml_loader_test.go
│ │ │ ├── yaml_loader_transform_test.go
│ │ │ └── zz_generated.deepcopy.go
│ │ ├── conversion/
│ │ │ ├── content.go
│ │ │ ├── content_test.go
│ │ │ ├── conversion_test.go
│ │ │ └── meta.go
│ │ ├── discovery/
│ │ │ ├── context.go
│ │ │ ├── context_test.go
│ │ │ ├── manager.go
│ │ │ ├── manager_test.go
│ │ │ ├── middleware.go
│ │ │ ├── middleware_test.go
│ │ │ └── mocks/
│ │ │ └── mock_manager.go
│ │ ├── doc.go
│ │ ├── errors.go
│ │ ├── health/
│ │ │ ├── checker.go
│ │ │ ├── checker_test.go
│ │ │ ├── circuit_breaker.go
│ │ │ ├── circuit_breaker_test.go
│ │ │ ├── context/
│ │ │ │ ├── context.go
│ │ │ │ └── context_test.go
│ │ │ ├── monitor.go
│ │ │ ├── monitor_test.go
│ │ │ ├── status.go
│ │ │ ├── status_builder_test.go
│ │ │ └── status_test.go
│ │ ├── internal/
│ │ │ └── compositetools/
│ │ │ ├── decorator.go
│ │ │ ├── decorator_test.go
│ │ │ ├── workflow_converter.go
│ │ │ └── workflow_converter_test.go
│ │ ├── k8s/
│ │ │ ├── backend_reconciler.go
│ │ │ ├── backend_reconciler_integration_test.go
│ │ │ ├── backend_reconciler_test.go
│ │ │ ├── manager.go
│ │ │ └── manager_test.go
│ │ ├── mocks/
│ │ │ ├── mock_backend_client.go
│ │ │ └── mock_registry.go
│ │ ├── optimizer/
│ │ │ ├── internal/
│ │ │ │ ├── similarity/
│ │ │ │ │ ├── cosine.go
│ │ │ │ │ ├── cosine_bench_test.go
│ │ │ │ │ ├── cosine_test.go
│ │ │ │ │ ├── tei_client.go
│ │ │ │ │ └── tei_client_test.go
│ │ │ │ ├── tokencounter/
│ │ │ │ │ ├── counter.go
│ │ │ │ │ └── counter_test.go
│ │ │ │ ├── toolstore/
│ │ │ │ │ ├── schema.sql
│ │ │ │ │ ├── sqlite_store.go
│ │ │ │ │ ├── sqlite_store_bench_test.go
│ │ │ │ │ └── sqlite_store_test.go
│ │ │ │ └── types/
│ │ │ │ ├── mocks/
│ │ │ │ │ └── mock_types.go
│ │ │ │ └── types.go
│ │ │ ├── optimizer.go
│ │ │ └── optimizer_test.go
│ │ ├── registry.go
│ │ ├── registry_test.go
│ │ ├── router/
│ │ │ ├── default_router.go
│ │ │ ├── default_router_test.go
│ │ │ ├── mocks/
│ │ │ │ └── mock_router.go
│ │ │ ├── router.go
│ │ │ ├── session_router.go
│ │ │ └── session_router_test.go
│ │ ├── schema/
│ │ │ ├── array.go
│ │ │ ├── object.go
│ │ │ ├── primitive.go
│ │ │ ├── reflect.go
│ │ │ ├── reflect_test.go
│ │ │ ├── schema.go
│ │ │ └── schema_test.go
│ │ ├── server/
│ │ │ ├── adapter/
│ │ │ │ ├── capability_adapter.go
│ │ │ │ ├── capability_adapter_annotations_test.go
│ │ │ │ ├── capability_adapter_test.go
│ │ │ │ ├── handler_factory.go
│ │ │ │ ├── handler_factory_test.go
│ │ │ │ └── mocks/
│ │ │ │ └── mock_handler_factory.go
│ │ │ ├── annotation_enrichment.go
│ │ │ ├── annotation_enrichment_test.go
│ │ │ ├── backend_enrichment.go
│ │ │ ├── backend_enrichment_test.go
│ │ │ ├── health_monitoring_test.go
│ │ │ ├── health_test.go
│ │ │ ├── integration_test.go
│ │ │ ├── mocks/
│ │ │ │ └── mock_watcher.go
│ │ │ ├── readiness_test.go
│ │ │ ├── sdk_elicitation_adapter.go
│ │ │ ├── sdk_elicitation_adapter_test.go
│ │ │ ├── server.go
│ │ │ ├── server_test.go
│ │ │ ├── session_management_integration_test.go
│ │ │ ├── session_management_realbackend_integration_test.go
│ │ │ ├── session_manager_interface.go
│ │ │ ├── sessionmanager/
│ │ │ │ ├── factory.go
│ │ │ │ ├── horizontal_scaling_integration_test.go
│ │ │ │ ├── session_manager.go
│ │ │ │ ├── session_manager_test.go
│ │ │ │ └── telemetry_test.go
│ │ │ ├── status.go
│ │ │ ├── status_reporting.go
│ │ │ ├── status_reporting_test.go
│ │ │ ├── status_test.go
│ │ │ ├── telemetry.go
│ │ │ ├── telemetry_integration_test.go
│ │ │ ├── telemetry_test.go
│ │ │ ├── testfactory_test.go
│ │ │ ├── testutil_test.go
│ │ │ ├── workflow_converter.go
│ │ │ ├── workflow_converter_test.go
│ │ │ └── write_timeout_integration_test.go
│ │ ├── session/
│ │ │ ├── admission.go
│ │ │ ├── admission_test.go
│ │ │ ├── connector_integration_test.go
│ │ │ ├── decorating_factory.go
│ │ │ ├── decorating_factory_test.go
│ │ │ ├── default_session.go
│ │ │ ├── default_session_test.go
│ │ │ ├── factory.go
│ │ │ ├── factory_metadata_test.go
│ │ │ ├── internal/
│ │ │ │ ├── backend/
│ │ │ │ │ ├── mcp_session.go
│ │ │ │ │ ├── mcp_session_test.go
│ │ │ │ │ ├── roundtripper_test.go
│ │ │ │ │ └── session.go
│ │ │ │ └── security/
│ │ │ │ ├── hijack_prevention_test.go
│ │ │ │ ├── restore_test.go
│ │ │ │ ├── security.go
│ │ │ │ └── security_test.go
│ │ │ ├── mocks/
│ │ │ │ └── mock_factory.go
│ │ │ ├── optimizerdec/
│ │ │ │ ├── decorator.go
│ │ │ │ └── decorator_test.go
│ │ │ ├── session.go
│ │ │ ├── token_binding_test.go
│ │ │ └── types/
│ │ │ ├── mocks/
│ │ │ │ └── mock_session.go
│ │ │ └── session.go
│ │ ├── status/
│ │ │ ├── doc.go
│ │ │ ├── factory.go
│ │ │ ├── factory_test.go
│ │ │ ├── helpers.go
│ │ │ ├── k8s_reporter.go
│ │ │ ├── k8s_reporter_test.go
│ │ │ ├── logging_reporter.go
│ │ │ ├── logging_reporter_test.go
│ │ │ └── reporter.go
│ │ ├── types.go
│ │ ├── types_test.go
│ │ └── workloads/
│ │ ├── discoverer.go
│ │ ├── k8s.go
│ │ ├── k8s_test.go
│ │ └── mocks/
│ │ └── mock_discoverer.go
│ ├── webhook/
│ │ ├── client.go
│ │ ├── client_test.go
│ │ ├── config.go
│ │ ├── config_test.go
│ │ ├── errors.go
│ │ ├── errors_test.go
│ │ ├── mutating/
│ │ │ ├── config.go
│ │ │ ├── middleware.go
│ │ │ ├── middleware_test.go
│ │ │ ├── patch.go
│ │ │ └── patch_test.go
│ │ ├── signing.go
│ │ ├── signing_test.go
│ │ ├── types.go
│ │ ├── types_test.go
│ │ └── validating/
│ │ ├── config.go
│ │ ├── middleware.go
│ │ └── middleware_test.go
│ └── workloads/
│ ├── discoverer_adapter.go
│ ├── discoverer_adapter_test.go
│ ├── filter.go
│ ├── filter_test.go
│ ├── manager.go
│ ├── manager_test.go
│ ├── mocks/
│ │ └── mock_manager.go
│ ├── statuses/
│ │ ├── file_status.go
│ │ ├── file_status_test.go
│ │ ├── mocks/
│ │ │ └── mock_status_manager.go
│ │ ├── noop.go
│ │ ├── pid.go
│ │ ├── pid_test.go
│ │ ├── status.go
│ │ └── status_test.go
│ ├── sysproc_unix.go
│ ├── sysproc_windows.go
│ └── types/
│ ├── effective_transport_test.go
│ ├── errors/
│ │ └── errors.go
│ ├── labels.go
│ ├── labels_test.go
│ ├── types.go
│ ├── validate.go
│ ├── validate_test.go
│ └── workload_test.go
├── renovate.json
├── skills/
│ └── toolhive-cli-user/
│ ├── SKILL.md
│ └── references/
│ ├── COMMANDS.md
│ └── EXAMPLES.md
└── test/
├── e2e/
│ ├── README.md
│ ├── api_clients_test.go
│ ├── api_clients_validation_test.go
│ ├── api_discovery_test.go
│ ├── api_groups_test.go
│ ├── api_healthcheck_test.go
│ ├── api_helpers.go
│ ├── api_registry_test.go
│ ├── api_secrets_test.go
│ ├── api_skills_git_test.go
│ ├── api_skills_test.go
│ ├── api_version_test.go
│ ├── api_workload_lifecycle_test.go
│ ├── api_workloads_test.go
│ ├── audit_middleware_e2e_test.go
│ ├── chainsaw/
│ │ └── operator/
│ │ ├── multi-tenancy/
│ │ │ ├── cleanup/
│ │ │ │ ├── assert-crd.yaml
│ │ │ │ ├── assert-operator-ready.yaml
│ │ │ │ └── chainsaw-test.yaml
│ │ │ ├── setup/
│ │ │ │ ├── assert-crd.yaml
│ │ │ │ ├── assert-operator-ready.yaml
│ │ │ │ ├── assert-rbac-clusterrole.yaml
│ │ │ │ ├── assert-rbac-rolebinding-ns-1.yaml
│ │ │ │ ├── assert-rbac-rolebinding-ns-2.yaml
│ │ │ │ ├── assert-rbac-serviceaccount.yaml
│ │ │ │ ├── chainsaw-test.yaml
│ │ │ │ └── namespace.yaml
│ │ │ └── test-scenarios/
│ │ │ ├── common/
│ │ │ │ ├── assert-proxy-svc-loadbalancer-ip.yaml
│ │ │ │ ├── proxy-svc-loadbalancer.yaml
│ │ │ │ ├── proxyrunner-role.yaml
│ │ │ │ ├── proxyrunner-rolebinding.yaml
│ │ │ │ └── proxyrunner-serviceaccount.yaml
│ │ │ ├── embeddingserver/
│ │ │ │ ├── assert-deployment-ns1-running.yaml
│ │ │ │ ├── assert-deployment-ns2-running.yaml
│ │ │ │ ├── assert-embeddingserver-ns1-running.yaml
│ │ │ │ ├── assert-embeddingserver-ns2-running.yaml
│ │ │ │ ├── assert-service-ns1-created.yaml
│ │ │ │ ├── assert-service-ns2-created.yaml
│ │ │ │ ├── chainsaw-test.yaml
│ │ │ │ ├── embeddingserver-ns1.yaml
│ │ │ │ ├── embeddingserver-ns2.yaml
│ │ │ │ ├── namespace-1.yaml
│ │ │ │ └── namespace-2.yaml
│ │ │ ├── sse/
│ │ │ │ ├── assert-mcpserver-headless-svc.yaml
│ │ │ │ ├── assert-mcpserver-pod-running.yaml
│ │ │ │ ├── assert-mcpserver-proxy-runner-running.yaml
│ │ │ │ ├── assert-mcpserver-proxy-runner-svc.yaml
│ │ │ │ ├── assert-mcpserver-running.yaml
│ │ │ │ ├── assert-mcpserver-svc.yaml
│ │ │ │ ├── chainsaw-test.yaml
│ │ │ │ └── mcpserver.yaml
│ │ │ ├── stdio/
│ │ │ │ ├── assert-mcpserver-pod-running.yaml
│ │ │ │ ├── assert-mcpserver-proxy-runner-running.yaml
│ │ │ │ ├── assert-mcpserver-proxy-runner-svc.yaml
│ │ │ │ ├── assert-mcpserver-running.yaml
│ │ │ │ ├── chainsaw-test.yaml
│ │ │ │ └── mcpserver.yaml
│ │ │ ├── stdio-streamable-http/
│ │ │ │ ├── assert-mcpserver-pod-running.yaml
│ │ │ │ ├── assert-mcpserver-proxy-runner-running.yaml
│ │ │ │ ├── assert-mcpserver-proxy-runner-svc.yaml
│ │ │ │ ├── assert-mcpserver-running.yaml
│ │ │ │ ├── chainsaw-test.yaml
│ │ │ │ └── mcpserver.yaml
│ │ │ └── streamable-http/
│ │ │ ├── assert-mcpserver-headless-svc.yaml
│ │ │ ├── assert-mcpserver-pod-running.yaml
│ │ │ ├── assert-mcpserver-proxy-runner-running.yaml
│ │ │ ├── assert-mcpserver-proxy-runner-svc.yaml
│ │ │ ├── assert-mcpserver-running.yaml
│ │ │ ├── assert-mcpserver-svc.yaml
│ │ │ ├── chainsaw-test.yaml
│ │ │ └── mcpserver.yaml
│ │ ├── single-tenancy/
│ │ │ ├── cleanup/
│ │ │ │ ├── assert-crd.yaml
│ │ │ │ ├── assert-operator-ready.yaml
│ │ │ │ └── chainsaw-test.yaml
│ │ │ ├── setup/
│ │ │ │ ├── assert-crd.yaml
│ │ │ │ ├── assert-operator-ready.yaml
│ │ │ │ ├── assert-rbac-clusterrole.yaml
│ │ │ │ ├── assert-rbac-clusterrolebinding.yaml
│ │ │ │ ├── assert-rbac-serviceaccount.yaml
│ │ │ │ └── chainsaw-test.yaml
│ │ │ └── test-scenarios/
│ │ │ ├── common/
│ │ │ │ ├── assert-proxy-svc-loadbalancer-ip.yaml
│ │ │ │ ├── proxy-svc-loadbalancer.yaml
│ │ │ │ ├── proxyrunner-role.yaml
│ │ │ │ ├── proxyrunner-rolebinding.yaml
│ │ │ │ └── proxyrunner-serviceaccount.yaml
│ │ │ ├── embeddingserver/
│ │ │ │ ├── basic/
│ │ │ │ │ ├── assert-deployment-running.yaml
│ │ │ │ │ ├── assert-embeddingserver-running.yaml
│ │ │ │ │ ├── assert-service-created.yaml
│ │ │ │ │ ├── chainsaw-test.yaml
│ │ │ │ │ └── embeddingserver.yaml
│ │ │ │ ├── lifecycle/
│ │ │ │ │ ├── assert-deployment-running.yaml
│ │ │ │ │ ├── assert-deployment-scaled.yaml
│ │ │ │ │ ├── assert-embeddingserver-running.yaml
│ │ │ │ │ ├── assert-embeddingserver-scaled.yaml
│ │ │ │ │ ├── assert-service-created.yaml
│ │ │ │ │ ├── chainsaw-test.yaml
│ │ │ │ │ ├── embeddingserver-initial.yaml
│ │ │ │ │ ├── embeddingserver-scaled.yaml
│ │ │ │ │ └── embeddingserver-updated-env.yaml
│ │ │ │ └── with-cache/
│ │ │ │ ├── assert-deployment-running.yaml
│ │ │ │ ├── assert-embeddingserver-running.yaml
│ │ │ │ ├── assert-pvc-created.yaml
│ │ │ │ ├── assert-service-created.yaml
│ │ │ │ ├── chainsaw-test.yaml
│ │ │ │ └── embeddingserver.yaml
│ │ │ ├── pod-annotations/
│ │ │ │ ├── assert-mcpserver-pod-running.yaml
│ │ │ │ ├── assert-mcpserver-proxy-runner-running.yaml
│ │ │ │ ├── assert-mcpserver-running.yaml
│ │ │ │ ├── assert-pod-annotations.yaml
│ │ │ │ ├── chainsaw-test.yaml
│ │ │ │ └── mcpserver.yaml
│ │ │ ├── sse/
│ │ │ │ ├── assert-mcpserver-headless-svc.yaml
│ │ │ │ ├── assert-mcpserver-pod-running.yaml
│ │ │ │ ├── assert-mcpserver-proxy-runner-running.yaml
│ │ │ │ ├── assert-mcpserver-proxy-runner-svc.yaml
│ │ │ │ ├── assert-mcpserver-running.yaml
│ │ │ │ ├── assert-mcpserver-svc.yaml
│ │ │ │ ├── chainsaw-test.yaml
│ │ │ │ ├── mcpserver.yaml
│ │ │ │ └── serviceaccount.yaml
│ │ │ ├── stdio/
│ │ │ │ ├── assert-mcpserver-pod-running.yaml
│ │ │ │ ├── assert-mcpserver-proxy-runner-running.yaml
│ │ │ │ ├── assert-mcpserver-proxy-runner-svc.yaml
│ │ │ │ ├── assert-mcpserver-running.yaml
│ │ │ │ ├── chainsaw-test.yaml
│ │ │ │ └── mcpserver.yaml
│ │ │ ├── stdio-streamable-http/
│ │ │ │ ├── assert-mcpserver-pod-running.yaml
│ │ │ │ ├── assert-mcpserver-proxy-runner-running.yaml
│ │ │ │ ├── assert-mcpserver-proxy-runner-svc.yaml
│ │ │ │ ├── assert-mcpserver-running.yaml
│ │ │ │ ├── chainsaw-test.yaml
│ │ │ │ └── mcpserver.yaml
│ │ │ ├── streamable-http/
│ │ │ │ ├── assert-mcpserver-headless-svc.yaml
│ │ │ │ ├── assert-mcpserver-pod-running.yaml
│ │ │ │ ├── assert-mcpserver-proxy-runner-running.yaml
│ │ │ │ ├── assert-mcpserver-proxy-runner-svc.yaml
│ │ │ │ ├── assert-mcpserver-running.yaml
│ │ │ │ ├── assert-mcpserver-svc.yaml
│ │ │ │ ├── chainsaw-test.yaml
│ │ │ │ └── mcpserver.yaml
│ │ │ └── vmcp/
│ │ │ ├── assert-oidc-security.yaml
│ │ │ ├── assert-vmcp-configmap.yaml
│ │ │ ├── assert-vmcp-deployment.yaml
│ │ │ ├── assert-vmcp-service.yaml
│ │ │ ├── assert-vmcp-status-ready.yaml
│ │ │ ├── audit-chainsaw-test.yaml
│ │ │ ├── basic/
│ │ │ │ └── chainsaw-test.yaml
│ │ │ ├── chainsaw-test.yaml
│ │ │ ├── controller-chainsaw-test.yaml
│ │ │ ├── mcpgroup-controller.yaml
│ │ │ ├── oidc-client-secret.yaml
│ │ │ ├── vmcp-controller.yaml
│ │ │ ├── vmcp-oidc-config.yaml
│ │ │ └── vmcp-with-oidc.yaml
│ │ └── validation/
│ │ ├── mcpexternalauthconfig/
│ │ │ └── chainsaw-test.yaml
│ │ └── virtualmcpserver/
│ │ └── chainsaw-test.yaml
│ ├── cimd_auth_helpers_test.go
│ ├── cimd_auth_test.go
│ ├── cli_llm_all_clients_test.go
│ ├── cli_llm_config_test.go
│ ├── cli_llm_setup_test.go
│ ├── cli_registry_convert_test.go
│ ├── cli_secrets_scoped_test.go
│ ├── cli_skills_test.go
│ ├── client_test.go
│ ├── desktop_validation_test.go
│ ├── e2e_suite_test.go
│ ├── export_test.go
│ ├── fetch_mcp_server_test.go
│ ├── group_list_e2e_test.go
│ ├── group_rm_test.go
│ ├── group_test.go
│ ├── health_check_zombie_test.go
│ ├── helpers.go
│ ├── http_pdp_authz_test.go
│ ├── images/
│ │ └── images.go
│ ├── inspector_autocleanup_test.go
│ ├── inspector_test.go
│ ├── list_group_e2e_test.go
│ ├── llm_gateway_mock.go
│ ├── mcp_client_helpers.go
│ ├── network_isolation_test.go
│ ├── oidc_mock.go
│ ├── osv_authz_test.go
│ ├── osv_mcp_server_test.go
│ ├── osv_streamable_http_mcp_server_test.go
│ ├── protocol_builds_e2e_test.go
│ ├── proxy_oauth_test.go
│ ├── proxy_stdio_test.go
│ ├── proxy_tunnel_e2e_test.go
│ ├── proxyrunner_graceful_shutdown_test.go
│ ├── remote_mcp_query_params_test.go
│ ├── remote_mcp_server_test.go
│ ├── restart_test.go
│ ├── restart_zombie_test.go
│ ├── rm_group_test.go
│ ├── run_tests.bat
│ ├── run_tests.sh
│ ├── sse_endpoint_rewrite_test.go
│ ├── stateless_proxy_test.go
│ ├── status_test.go
│ ├── stdio_proxy_over_streamable_http_mcp_server_test.go
│ ├── telemetry_metrics_validation_e2e_test.go
│ ├── telemetry_middleware_e2e_test.go
│ ├── thv-operator/
│ │ ├── acceptance_tests/
│ │ │ ├── helpers.go
│ │ │ ├── ratelimit_test.go
│ │ │ └── suite_test.go
│ │ ├── kind-config.yaml
│ │ ├── testutil/
│ │ │ ├── k8s.go
│ │ │ └── oidc.go
│ │ └── virtualmcp/
│ │ ├── README.md
│ │ ├── helpers.go
│ │ ├── mcpserver_scaling_test.go
│ │ ├── suite_test.go
│ │ ├── virtualmcp_aggregation_filtering_test.go
│ │ ├── virtualmcp_aggregation_overrides_test.go
│ │ ├── virtualmcp_auth_discovery_test.go
│ │ ├── virtualmcp_authserver_config_test.go
│ │ ├── virtualmcp_circuit_breaker_test.go
│ │ ├── virtualmcp_composite_defaultresults_test.go
│ │ ├── virtualmcp_composite_hidden_tools_test.go
│ │ ├── virtualmcp_composite_parallel_test.go
│ │ ├── virtualmcp_composite_referenced_test.go
│ │ ├── virtualmcp_composite_sequential_test.go
│ │ ├── virtualmcp_composite_validation_test.go
│ │ ├── virtualmcp_conflict_resolution_test.go
│ │ ├── virtualmcp_discovered_mode_test.go
│ │ ├── virtualmcp_excludeall_global_test.go
│ │ ├── virtualmcp_external_auth_test.go
│ │ ├── virtualmcp_optimizer_circuit_breaker_test.go
│ │ ├── virtualmcp_optimizer_composite_test.go
│ │ ├── virtualmcp_optimizer_multibackend_test.go
│ │ ├── virtualmcp_optimizer_test.go
│ │ ├── virtualmcp_redis_session_test.go
│ │ ├── virtualmcp_session_management_test.go
│ │ ├── virtualmcp_telemetry_test.go
│ │ ├── virtualmcp_toolconfig_test.go
│ │ ├── virtualmcp_yardstick_base_test.go
│ │ ├── virtualmcpserver_scaling_test.go
│ │ └── wait_for_tools_helpers.go
│ ├── thvignore_test.go
│ ├── unhealthy_workload_test.go
│ ├── vmcp_cli_features_test.go
│ ├── vmcp_cli_helpers_test.go
│ ├── vmcp_cli_test.go
│ ├── vmcp_infra_features_test.go
│ └── vmcp_optimizer_test.go
├── integration/
│ ├── authserver/
│ │ ├── authserver_integration_test.go
│ │ ├── helpers/
│ │ │ ├── authserver.go
│ │ │ ├── http_client.go
│ │ │ └── mock_upstream.go
│ │ └── runner_integration_test.go
│ └── vmcp/
│ ├── helpers/
│ │ ├── backend.go
│ │ ├── helpers_test.go
│ │ ├── mcp_client.go
│ │ └── vmcp_server.go
│ ├── vmcp_integration_test.go
│ └── vmcp_typing_integration_test.go
└── testkit/
├── sse_server.go
├── streamable_server.go
├── testkit.go
└── testkit_test.go
Showing preview only (1,516K chars total). Download the full file or copy to clipboard to get everything.
SYMBOL INDEX (14495 symbols across 1460 files)
FILE: .claude/skills/deflake/collect-flakes.py
function gh_api (line 17) | def gh_api(endpoint):
function fetch_all_runs (line 26) | def fetch_all_runs():
function get_failed_logs (line 42) | def get_failed_logs(run_id):
function strip_ansi (line 51) | def strip_ansi(text):
function extract_ginkgo_failures (line 56) | def extract_ginkgo_failures(log_lines):
function extract_unit_test_failures (line 73) | def extract_unit_test_failures(log_lines):
function extract_job_name (line 89) | def extract_job_name(line):
function extract_failure_mode (line 95) | def extract_failure_mode(log_text):
function find_failure_context (line 115) | def find_failure_context(log_lines, test_name, fail_line_idx):
function main (line 148) | def main():
FILE: cmd/help/main.go
constant fmTemplate (line 21) | fmTemplate = `---
function filePrepender (line 35) | func filePrepender(filename string) string {
function linkHandler (line 44) | func linkHandler(filename string) string {
function main (line 49) | func main() {
FILE: cmd/thv-operator/api/v1alpha1/types.go
type EmbeddingServer (line 25) | type EmbeddingServer struct
type EmbeddingServerList (line 36) | type EmbeddingServerList struct
type MCPExternalAuthConfig (line 54) | type MCPExternalAuthConfig struct
type MCPExternalAuthConfigList (line 65) | type MCPExternalAuthConfigList struct
type MCPGroup (line 83) | type MCPGroup struct
type MCPGroupList (line 94) | type MCPGroupList struct
type MCPOIDCConfig (line 112) | type MCPOIDCConfig struct
type MCPOIDCConfigList (line 123) | type MCPOIDCConfigList struct
type MCPRegistry (line 142) | type MCPRegistry struct
type MCPRegistryList (line 153) | type MCPRegistryList struct
type MCPRemoteProxy (line 172) | type MCPRemoteProxy struct
type MCPRemoteProxyList (line 183) | type MCPRemoteProxyList struct
type MCPServer (line 202) | type MCPServer struct
type MCPServerList (line 213) | type MCPServerList struct
type MCPServerEntry (line 232) | type MCPServerEntry struct
type MCPServerEntryList (line 243) | type MCPServerEntryList struct
type MCPTelemetryConfig (line 262) | type MCPTelemetryConfig struct
type MCPTelemetryConfigList (line 273) | type MCPTelemetryConfigList struct
type MCPToolConfig (line 290) | type MCPToolConfig struct
type MCPToolConfigList (line 301) | type MCPToolConfigList struct
type VirtualMCPCompositeToolDefinition (line 321) | type VirtualMCPCompositeToolDefinition struct
type VirtualMCPCompositeToolDefinitionList (line 332) | type VirtualMCPCompositeToolDefinitionList struct
type VirtualMCPServer (line 351) | type VirtualMCPServer struct
type VirtualMCPServerList (line 362) | type VirtualMCPServerList struct
function init (line 370) | func init() {
FILE: cmd/thv-operator/api/v1alpha1/zz_generated.deepcopy.go
method DeepCopyInto (line 28) | func (in *EmbeddingServer) DeepCopyInto(out *EmbeddingServer) {
method DeepCopy (line 37) | func (in *EmbeddingServer) DeepCopy() *EmbeddingServer {
method DeepCopyObject (line 47) | func (in *EmbeddingServer) DeepCopyObject() runtime.Object {
method DeepCopyInto (line 55) | func (in *EmbeddingServerList) DeepCopyInto(out *EmbeddingServerList) {
method DeepCopy (line 69) | func (in *EmbeddingServerList) DeepCopy() *EmbeddingServerList {
method DeepCopyObject (line 79) | func (in *EmbeddingServerList) DeepCopyObject() runtime.Object {
method DeepCopyInto (line 87) | func (in *MCPExternalAuthConfig) DeepCopyInto(out *MCPExternalAuthConfig) {
method DeepCopy (line 96) | func (in *MCPExternalAuthConfig) DeepCopy() *MCPExternalAuthConfig {
method DeepCopyObject (line 106) | func (in *MCPExternalAuthConfig) DeepCopyObject() runtime.Object {
method DeepCopyInto (line 114) | func (in *MCPExternalAuthConfigList) DeepCopyInto(out *MCPExternalAuthCo...
method DeepCopy (line 128) | func (in *MCPExternalAuthConfigList) DeepCopy() *MCPExternalAuthConfigLi...
method DeepCopyObject (line 138) | func (in *MCPExternalAuthConfigList) DeepCopyObject() runtime.Object {
method DeepCopyInto (line 146) | func (in *MCPGroup) DeepCopyInto(out *MCPGroup) {
method DeepCopy (line 155) | func (in *MCPGroup) DeepCopy() *MCPGroup {
method DeepCopyObject (line 165) | func (in *MCPGroup) DeepCopyObject() runtime.Object {
method DeepCopyInto (line 173) | func (in *MCPGroupList) DeepCopyInto(out *MCPGroupList) {
method DeepCopy (line 187) | func (in *MCPGroupList) DeepCopy() *MCPGroupList {
method DeepCopyObject (line 197) | func (in *MCPGroupList) DeepCopyObject() runtime.Object {
method DeepCopyInto (line 205) | func (in *MCPOIDCConfig) DeepCopyInto(out *MCPOIDCConfig) {
method DeepCopy (line 214) | func (in *MCPOIDCConfig) DeepCopy() *MCPOIDCConfig {
method DeepCopyObject (line 224) | func (in *MCPOIDCConfig) DeepCopyObject() runtime.Object {
method DeepCopyInto (line 232) | func (in *MCPOIDCConfigList) DeepCopyInto(out *MCPOIDCConfigList) {
method DeepCopy (line 246) | func (in *MCPOIDCConfigList) DeepCopy() *MCPOIDCConfigList {
method DeepCopyObject (line 256) | func (in *MCPOIDCConfigList) DeepCopyObject() runtime.Object {
method DeepCopyInto (line 264) | func (in *MCPRegistry) DeepCopyInto(out *MCPRegistry) {
method DeepCopy (line 273) | func (in *MCPRegistry) DeepCopy() *MCPRegistry {
method DeepCopyObject (line 283) | func (in *MCPRegistry) DeepCopyObject() runtime.Object {
method DeepCopyInto (line 291) | func (in *MCPRegistryList) DeepCopyInto(out *MCPRegistryList) {
method DeepCopy (line 305) | func (in *MCPRegistryList) DeepCopy() *MCPRegistryList {
method DeepCopyObject (line 315) | func (in *MCPRegistryList) DeepCopyObject() runtime.Object {
method DeepCopyInto (line 323) | func (in *MCPRemoteProxy) DeepCopyInto(out *MCPRemoteProxy) {
method DeepCopy (line 332) | func (in *MCPRemoteProxy) DeepCopy() *MCPRemoteProxy {
method DeepCopyObject (line 342) | func (in *MCPRemoteProxy) DeepCopyObject() runtime.Object {
method DeepCopyInto (line 350) | func (in *MCPRemoteProxyList) DeepCopyInto(out *MCPRemoteProxyList) {
method DeepCopy (line 364) | func (in *MCPRemoteProxyList) DeepCopy() *MCPRemoteProxyList {
method DeepCopyObject (line 374) | func (in *MCPRemoteProxyList) DeepCopyObject() runtime.Object {
method DeepCopyInto (line 382) | func (in *MCPServer) DeepCopyInto(out *MCPServer) {
method DeepCopy (line 391) | func (in *MCPServer) DeepCopy() *MCPServer {
method DeepCopyObject (line 401) | func (in *MCPServer) DeepCopyObject() runtime.Object {
method DeepCopyInto (line 409) | func (in *MCPServerEntry) DeepCopyInto(out *MCPServerEntry) {
method DeepCopy (line 418) | func (in *MCPServerEntry) DeepCopy() *MCPServerEntry {
method DeepCopyObject (line 428) | func (in *MCPServerEntry) DeepCopyObject() runtime.Object {
method DeepCopyInto (line 436) | func (in *MCPServerEntryList) DeepCopyInto(out *MCPServerEntryList) {
method DeepCopy (line 450) | func (in *MCPServerEntryList) DeepCopy() *MCPServerEntryList {
method DeepCopyObject (line 460) | func (in *MCPServerEntryList) DeepCopyObject() runtime.Object {
method DeepCopyInto (line 468) | func (in *MCPServerList) DeepCopyInto(out *MCPServerList) {
method DeepCopy (line 482) | func (in *MCPServerList) DeepCopy() *MCPServerList {
method DeepCopyObject (line 492) | func (in *MCPServerList) DeepCopyObject() runtime.Object {
method DeepCopyInto (line 500) | func (in *MCPTelemetryConfig) DeepCopyInto(out *MCPTelemetryConfig) {
method DeepCopy (line 509) | func (in *MCPTelemetryConfig) DeepCopy() *MCPTelemetryConfig {
method DeepCopyObject (line 519) | func (in *MCPTelemetryConfig) DeepCopyObject() runtime.Object {
method DeepCopyInto (line 527) | func (in *MCPTelemetryConfigList) DeepCopyInto(out *MCPTelemetryConfigLi...
method DeepCopy (line 541) | func (in *MCPTelemetryConfigList) DeepCopy() *MCPTelemetryConfigList {
method DeepCopyObject (line 551) | func (in *MCPTelemetryConfigList) DeepCopyObject() runtime.Object {
method DeepCopyInto (line 559) | func (in *MCPToolConfig) DeepCopyInto(out *MCPToolConfig) {
method DeepCopy (line 568) | func (in *MCPToolConfig) DeepCopy() *MCPToolConfig {
method DeepCopyObject (line 578) | func (in *MCPToolConfig) DeepCopyObject() runtime.Object {
method DeepCopyInto (line 586) | func (in *MCPToolConfigList) DeepCopyInto(out *MCPToolConfigList) {
method DeepCopy (line 600) | func (in *MCPToolConfigList) DeepCopy() *MCPToolConfigList {
method DeepCopyObject (line 610) | func (in *MCPToolConfigList) DeepCopyObject() runtime.Object {
method DeepCopyInto (line 618) | func (in *VirtualMCPCompositeToolDefinition) DeepCopyInto(out *VirtualMC...
method DeepCopy (line 627) | func (in *VirtualMCPCompositeToolDefinition) DeepCopy() *VirtualMCPCompo...
method DeepCopyObject (line 637) | func (in *VirtualMCPCompositeToolDefinition) DeepCopyObject() runtime.Ob...
method DeepCopyInto (line 645) | func (in *VirtualMCPCompositeToolDefinitionList) DeepCopyInto(out *Virtu...
method DeepCopy (line 659) | func (in *VirtualMCPCompositeToolDefinitionList) DeepCopy() *VirtualMCPC...
method DeepCopyObject (line 669) | func (in *VirtualMCPCompositeToolDefinitionList) DeepCopyObject() runtim...
method DeepCopyInto (line 677) | func (in *VirtualMCPServer) DeepCopyInto(out *VirtualMCPServer) {
method DeepCopy (line 686) | func (in *VirtualMCPServer) DeepCopy() *VirtualMCPServer {
method DeepCopyObject (line 696) | func (in *VirtualMCPServer) DeepCopyObject() runtime.Object {
method DeepCopyInto (line 704) | func (in *VirtualMCPServerList) DeepCopyInto(out *VirtualMCPServerList) {
method DeepCopy (line 718) | func (in *VirtualMCPServerList) DeepCopy() *VirtualMCPServerList {
method DeepCopyObject (line 728) | func (in *VirtualMCPServerList) DeepCopyObject() runtime.Object {
FILE: cmd/thv-operator/api/v1beta1/conditions.go
constant ConditionTypeValid (line 8) | ConditionTypeValid = "Valid"
constant ConditionTypeDeletionBlocked (line 9) | ConditionTypeDeletionBlocked = "DeletionBlocked"
FILE: cmd/thv-operator/api/v1beta1/embeddingserver_types.go
constant ConditionModelReady (line 16) | ConditionModelReady = "ModelReady"
constant ConditionVolumeReady (line 19) | ConditionVolumeReady = "VolumeReady"
constant ConditionReasonModelDownloading (line 27) | ConditionReasonModelDownloading = "ModelDownloading"
constant ConditionReasonModelReady (line 29) | ConditionReasonModelReady = "ModelReady"
constant ConditionReasonModelFailed (line 31) | ConditionReasonModelFailed = "ModelFailed"
constant ConditionReasonVolumeCreating (line 34) | ConditionReasonVolumeCreating = "VolumeCreating"
constant ConditionReasonVolumeReady (line 36) | ConditionReasonVolumeReady = "VolumeReady"
constant ConditionReasonVolumeFailed (line 38) | ConditionReasonVolumeFailed = "VolumeFailed"
type EmbeddingServerSpec (line 42) | type EmbeddingServerSpec struct
type ModelCacheConfig (line 112) | type ModelCacheConfig struct
type EmbeddingResourceOverrides (line 136) | type EmbeddingResourceOverrides struct
type EmbeddingStatefulSetOverrides (line 151) | type EmbeddingStatefulSetOverrides struct
type EmbeddingServerStatus (line 161) | type EmbeddingServerStatus struct
type EmbeddingServerPhase (line 191) | type EmbeddingServerPhase
constant EmbeddingServerPhasePending (line 195) | EmbeddingServerPhasePending EmbeddingServerPhase = "Pending"
constant EmbeddingServerPhaseDownloading (line 198) | EmbeddingServerPhaseDownloading EmbeddingServerPhase = "Downloading"
constant EmbeddingServerPhaseReady (line 201) | EmbeddingServerPhaseReady EmbeddingServerPhase = "Ready"
constant EmbeddingServerPhaseFailed (line 204) | EmbeddingServerPhaseFailed EmbeddingServerPhase = "Failed"
constant EmbeddingServerPhaseTerminating (line 207) | EmbeddingServerPhaseTerminating EmbeddingServerPhase = "Terminating"
type EmbeddingServer (line 221) | type EmbeddingServer struct
method GetName (line 239) | func (e *EmbeddingServer) GetName() string {
method GetNamespace (line 244) | func (e *EmbeddingServer) GetNamespace() string {
method GetPort (line 249) | func (e *EmbeddingServer) GetPort() int32 {
method GetReplicas (line 257) | func (e *EmbeddingServer) GetReplicas() int32 {
method IsModelCacheEnabled (line 265) | func (e *EmbeddingServer) IsModelCacheEnabled() bool {
method GetImagePullPolicy (line 273) | func (e *EmbeddingServer) GetImagePullPolicy() string {
type EmbeddingServerList (line 232) | type EmbeddingServerList struct
function init (line 280) | func init() {
FILE: cmd/thv-operator/api/v1beta1/mcpexternalauthconfig_types.go
constant ExternalAuthTypeTokenExchange (line 18) | ExternalAuthTypeTokenExchange ExternalAuthType = "tokenExchange"
constant ExternalAuthTypeHeaderInjection (line 21) | ExternalAuthTypeHeaderInjection ExternalAuthType = "headerInjection"
constant ExternalAuthTypeBearerToken (line 25) | ExternalAuthTypeBearerToken ExternalAuthType = "bearerToken"
constant ExternalAuthTypeUnauthenticated (line 30) | ExternalAuthTypeUnauthenticated ExternalAuthType = "unauthenticated"
constant ExternalAuthTypeEmbeddedAuthServer (line 34) | ExternalAuthTypeEmbeddedAuthServer ExternalAuthType = "embeddedAuthServer"
constant ExternalAuthTypeAWSSts (line 37) | ExternalAuthTypeAWSSts ExternalAuthType = "awsSts"
constant ExternalAuthTypeUpstreamInject (line 41) | ExternalAuthTypeUpstreamInject ExternalAuthType = "upstreamInject"
type ExternalAuthType (line 45) | type ExternalAuthType
type MCPExternalAuthConfigSpec (line 60) | type MCPExternalAuthConfigSpec struct
type TokenExchangeConfig (line 101) | type TokenExchangeConfig struct
type HeaderInjectionConfig (line 154) | type HeaderInjectionConfig struct
type BearerTokenConfig (line 168) | type BearerTokenConfig struct
type EmbeddedAuthServerConfig (line 176) | type EmbeddedAuthServerConfig struct
method SyntheticIdentityUpstreams (line 994) | func (c *EmbeddedAuthServerConfig) SyntheticIdentityUpstreams() []stri...
type TokenLifespanConfig (line 241) | type TokenLifespanConfig struct
type UpstreamProviderType (line 265) | type UpstreamProviderType
constant UpstreamProviderTypeOIDC (line 269) | UpstreamProviderTypeOIDC UpstreamProviderType = "oidc"
constant UpstreamProviderTypeOAuth2 (line 272) | UpstreamProviderTypeOAuth2 UpstreamProviderType = "oauth2"
type UpstreamProviderConfig (line 276) | type UpstreamProviderConfig struct
method AdditionalAuthorizationParams (line 979) | func (p *UpstreamProviderConfig) AdditionalAuthorizationParams() map[s...
type OIDCUpstreamConfig (line 304) | type OIDCUpstreamConfig struct
type OAuth2UpstreamConfig (line 357) | type OAuth2UpstreamConfig struct
type TokenResponseMapping (line 418) | type TokenResponseMapping struct
type UserInfoConfig (line 444) | type UserInfoConfig struct
type UserInfoFieldMapping (line 478) | type UserInfoFieldMapping struct
constant AuthServerStorageTypeMemory (line 504) | AuthServerStorageTypeMemory AuthServerStorageType = "memory"
constant AuthServerStorageTypeRedis (line 507) | AuthServerStorageTypeRedis AuthServerStorageType = "redis"
type AuthServerStorageType (line 511) | type AuthServerStorageType
type AuthServerStorageConfig (line 514) | type AuthServerStorageConfig struct
type RedisStorageConfig (line 533) | type RedisStorageConfig struct
type RedisSentinelConfig (line 582) | type RedisSentinelConfig struct
type SentinelServiceRef (line 605) | type SentinelServiceRef struct
type RedisTLSConfig (line 622) | type RedisTLSConfig struct
type RedisACLUserConfig (line 635) | type RedisACLUserConfig struct
type SecretKeyRef (line 650) | type SecretKeyRef struct
type AWSStsConfig (line 663) | type AWSStsConfig struct
type RoleMapping (line 730) | type RoleMapping struct
type UpstreamInjectSpec (line 767) | type UpstreamInjectSpec struct
constant ConditionTypeIdentitySynthesized (line 784) | ConditionTypeIdentitySynthesized = "IdentitySynthesized"
constant ConditionReasonIdentitySynthesizedActive (line 791) | ConditionReasonIdentitySynthesizedActive = "OAuth2UpstreamWithoutUserInfo"
constant ConditionReasonIdentitySynthesizedInactive (line 795) | ConditionReasonIdentitySynthesizedInactive = "AllUpstreamsHaveUserInfo"
type MCPExternalAuthConfigStatus (line 799) | type MCPExternalAuthConfigStatus struct
type MCPExternalAuthConfig (line 836) | type MCPExternalAuthConfig struct
method Validate (line 859) | func (r *MCPExternalAuthConfig) Validate() error {
method validateTypeConfigConsistency (line 890) | func (r *MCPExternalAuthConfig) validateTypeConfigConsistency() error {
method validateEmbeddedAuthServer (line 928) | func (r *MCPExternalAuthConfig) validateEmbeddedAuthServer() error {
method validateUpstreamProvider (line 960) | func (*MCPExternalAuthConfig) validateUpstreamProvider(index int, prov...
method validateAWSSts (line 1023) | func (r *MCPExternalAuthConfig) validateAWSSts() error {
type MCPExternalAuthConfigList (line 847) | type MCPExternalAuthConfigList struct
function ValidateAdditionalAuthorizationParams (line 1014) | func ValidateAdditionalAuthorizationParams(prefix string, params map[str...
function init (line 1074) | func init() {
FILE: cmd/thv-operator/api/v1beta1/mcpexternalauthconfig_types_test.go
function TestMCPExternalAuthConfig_Validate (line 14) | func TestMCPExternalAuthConfig_Validate(t *testing.T) {
function TestMCPExternalAuthConfig_validateEmbeddedAuthServer (line 305) | func TestMCPExternalAuthConfig_validateEmbeddedAuthServer(t *testing.T) {
function TestMCPExternalAuthConfig_validateUpstreamProvider (line 432) | func TestMCPExternalAuthConfig_validateUpstreamProvider(t *testing.T) {
function TestEmbeddedAuthServerConfig_SyntheticIdentityUpstreams (line 601) | func TestEmbeddedAuthServerConfig_SyntheticIdentityUpstreams(t *testing....
FILE: cmd/thv-operator/api/v1beta1/mcpgroup_types.go
type MCPGroupSpec (line 11) | type MCPGroupSpec struct
type MCPGroupStatus (line 18) | type MCPGroupStatus struct
type MCPGroupPhase (line 64) | type MCPGroupPhase
constant MCPGroupPhaseReady (line 68) | MCPGroupPhaseReady MCPGroupPhase = "Ready"
constant MCPGroupPhasePending (line 71) | MCPGroupPhasePending MCPGroupPhase = "Pending"
constant MCPGroupPhaseFailed (line 74) | MCPGroupPhaseFailed MCPGroupPhase = "Failed"
constant ConditionTypeMCPServersChecked (line 79) | ConditionTypeMCPServersChecked = "MCPServersChecked"
constant ConditionReasonListMCPServersFailed (line 84) | ConditionReasonListMCPServersFailed = "ListMCPServersCheckFailed"
constant ConditionReasonListMCPServersSucceeded (line 85) | ConditionReasonListMCPServersSucceeded = "ListMCPServersCheckSucceeded"
type MCPGroup (line 98) | type MCPGroup struct
type MCPGroupList (line 109) | type MCPGroupList struct
function init (line 115) | func init() {
FILE: cmd/thv-operator/api/v1beta1/mcpoidcconfig_types.go
constant MCPOIDCConfigTypeKubernetesServiceAccount (line 15) | MCPOIDCConfigTypeKubernetesServiceAccount MCPOIDCConfigSourceType = "kub...
constant MCPOIDCConfigTypeInline (line 18) | MCPOIDCConfigTypeInline MCPOIDCConfigSourceType = "inline"
constant ConditionTypeOIDCConfigValid (line 24) | ConditionTypeOIDCConfigValid = ConditionTypeValid
constant ConditionReasonOIDCConfigValid (line 27) | ConditionReasonOIDCConfigValid = "ConfigValid"
constant ConditionReasonOIDCConfigInvalid (line 30) | ConditionReasonOIDCConfigInvalid = "ConfigInvalid"
type MCPOIDCConfigSourceType (line 34) | type MCPOIDCConfigSourceType
type MCPOIDCConfigSpec (line 44) | type MCPOIDCConfigSpec struct
type KubernetesServiceAccountOIDCConfig (line 63) | type KubernetesServiceAccountOIDCConfig struct
type InlineOIDCSharedConfig (line 100) | type InlineOIDCSharedConfig struct
constant WorkloadKindMCPServer (line 153) | WorkloadKindMCPServer = "MCPServer"
constant WorkloadKindVirtualMCPServer (line 154) | WorkloadKindVirtualMCPServer = "VirtualMCPServer"
constant WorkloadKindMCPRemoteProxy (line 155) | WorkloadKindMCPRemoteProxy = "MCPRemoteProxy"
type WorkloadReference (line 160) | type WorkloadReference struct
type MCPOIDCConfigStatus (line 173) | type MCPOIDCConfigStatus struct
type MCPOIDCConfig (line 209) | type MCPOIDCConfig struct
method Validate (line 260) | func (r *MCPOIDCConfig) Validate() error {
method validateTypeConfigConsistency (line 266) | func (r *MCPOIDCConfig) validateTypeConfigConsistency() error {
type MCPOIDCConfigList (line 220) | type MCPOIDCConfigList struct
type MCPOIDCConfigReference (line 228) | type MCPOIDCConfigReference struct
function init (line 276) | func init() {
FILE: cmd/thv-operator/api/v1beta1/mcpregistry_parse_test.go
function marshalToRawJSON (line 17) | func marshalToRawJSON(t *testing.T, v any) apiextensionsv1.JSON {
function TestParseVolumes (line 24) | func TestParseVolumes(t *testing.T) {
function TestParseVolumeMounts (line 115) | func TestParseVolumeMounts(t *testing.T) {
FILE: cmd/thv-operator/api/v1beta1/mcpregistry_types.go
type MCPRegistrySpec (line 17) | type MCPRegistrySpec struct
method ParseVolumes (line 254) | func (s *MCPRegistrySpec) ParseVolumes() ([]corev1.Volume, error) {
method ParseVolumeMounts (line 268) | func (s *MCPRegistrySpec) ParseVolumeMounts() ([]corev1.VolumeMount, e...
type MCPRegistryStatus (line 150) | type MCPRegistryStatus struct
type MCPRegistryPhase (line 180) | type MCPRegistryPhase
constant MCPRegistryPhasePending (line 184) | MCPRegistryPhasePending MCPRegistryPhase = "Pending"
constant MCPRegistryPhaseReady (line 187) | MCPRegistryPhaseReady MCPRegistryPhase = "Ready"
constant MCPRegistryPhaseFailed (line 190) | MCPRegistryPhaseFailed MCPRegistryPhase = "Failed"
constant MCPRegistryPhaseTerminating (line 193) | MCPRegistryPhaseTerminating MCPRegistryPhase = "Terminating"
constant ConditionReasonRegistryReady (line 199) | ConditionReasonRegistryReady = "Ready"
constant ConditionReasonRegistryNotReady (line 202) | ConditionReasonRegistryNotReady = "NotReady"
type MCPRegistry (line 216) | type MCPRegistry struct
method GetAPIResourceName (line 234) | func (r *MCPRegistry) GetAPIResourceName() string {
method HasPodTemplateSpec (line 243) | func (r *MCPRegistry) HasPodTemplateSpec() bool {
method GetPodTemplateSpecRaw (line 248) | func (r *MCPRegistry) GetPodTemplateSpecRaw() *runtime.RawExtension {
type MCPRegistryList (line 227) | type MCPRegistryList struct
function init (line 238) | func init() {
FILE: cmd/thv-operator/api/v1beta1/mcpremoteproxy_types.go
type HeaderForwardConfig (line 11) | type HeaderForwardConfig struct
type HeaderFromSecret (line 26) | type HeaderFromSecret struct
type MCPRemoteProxySpec (line 39) | type MCPRemoteProxySpec struct
type MCPRemoteProxyStatus (line 142) | type MCPRemoteProxyStatus struct
type MCPRemoteProxyPhase (line 193) | type MCPRemoteProxyPhase
constant MCPRemoteProxyPhasePending (line 197) | MCPRemoteProxyPhasePending MCPRemoteProxyPhase = "Pending"
constant MCPRemoteProxyPhaseReady (line 200) | MCPRemoteProxyPhaseReady MCPRemoteProxyPhase = "Ready"
constant MCPRemoteProxyPhaseFailed (line 203) | MCPRemoteProxyPhaseFailed MCPRemoteProxyPhase = "Failed"
constant MCPRemoteProxyPhaseTerminating (line 206) | MCPRemoteProxyPhaseTerminating MCPRemoteProxyPhase = "Terminating"
constant ConditionTypeReady (line 212) | ConditionTypeReady = "Ready"
constant ConditionTypeRemoteAvailable (line 215) | ConditionTypeRemoteAvailable = "RemoteAvailable"
constant ConditionTypeAuthConfigured (line 218) | ConditionTypeAuthConfigured = "AuthConfigured"
constant ConditionTypeMCPRemoteProxyGroupRefValidated (line 221) | ConditionTypeMCPRemoteProxyGroupRefValidated = "GroupRefValidated"
constant ConditionTypeMCPRemoteProxyToolConfigValidated (line 224) | ConditionTypeMCPRemoteProxyToolConfigValidated = "ToolConfigValidated"
constant ConditionTypeMCPRemoteProxyTelemetryConfigRefValidated (line 227) | ConditionTypeMCPRemoteProxyTelemetryConfigRefValidated = "TelemetryConfi...
constant ConditionTypeMCPRemoteProxyExternalAuthConfigValidated (line 230) | ConditionTypeMCPRemoteProxyExternalAuthConfigValidated = "ExternalAuthCo...
constant ConditionTypeMCPRemoteProxyAuthServerRefValidated (line 233) | ConditionTypeMCPRemoteProxyAuthServerRefValidated = "AuthServerRefValida...
constant ConditionTypeConfigurationValid (line 236) | ConditionTypeConfigurationValid = "ConfigurationValid"
constant ConditionReasonDeploymentReady (line 242) | ConditionReasonDeploymentReady = "DeploymentReady"
constant ConditionReasonDeploymentNotReady (line 245) | ConditionReasonDeploymentNotReady = "DeploymentNotReady"
constant ConditionReasonRemoteURLReachable (line 248) | ConditionReasonRemoteURLReachable = "RemoteURLReachable"
constant ConditionReasonRemoteURLUnreachable (line 251) | ConditionReasonRemoteURLUnreachable = "RemoteURLUnreachable"
constant ConditionReasonAuthValid (line 254) | ConditionReasonAuthValid = "AuthValid"
constant ConditionReasonAuthInvalid (line 257) | ConditionReasonAuthInvalid = "AuthInvalid"
constant ConditionReasonMissingOIDCConfig (line 260) | ConditionReasonMissingOIDCConfig = "MissingOIDCConfig"
constant ConditionReasonMCPRemoteProxyGroupRefValidated (line 263) | ConditionReasonMCPRemoteProxyGroupRefValidated = "GroupRefIsValid"
constant ConditionReasonMCPRemoteProxyGroupRefNotFound (line 266) | ConditionReasonMCPRemoteProxyGroupRefNotFound = "GroupRefNotFound"
constant ConditionReasonMCPRemoteProxyGroupRefNotReady (line 269) | ConditionReasonMCPRemoteProxyGroupRefNotReady = "GroupRefNotReady"
constant ConditionReasonMCPRemoteProxyToolConfigValid (line 272) | ConditionReasonMCPRemoteProxyToolConfigValid = "ToolConfigValid"
constant ConditionReasonMCPRemoteProxyToolConfigNotFound (line 275) | ConditionReasonMCPRemoteProxyToolConfigNotFound = "ToolConfigNotFound"
constant ConditionReasonMCPRemoteProxyToolConfigFetchError (line 278) | ConditionReasonMCPRemoteProxyToolConfigFetchError = "ToolConfigFetchError"
constant ConditionReasonMCPRemoteProxyTelemetryConfigRefValid (line 281) | ConditionReasonMCPRemoteProxyTelemetryConfigRefValid = "TelemetryConfigR...
constant ConditionReasonMCPRemoteProxyTelemetryConfigRefNotFound (line 284) | ConditionReasonMCPRemoteProxyTelemetryConfigRefNotFound = "TelemetryConf...
constant ConditionReasonMCPRemoteProxyTelemetryConfigRefInvalid (line 287) | ConditionReasonMCPRemoteProxyTelemetryConfigRefInvalid = "TelemetryConfi...
constant ConditionReasonMCPRemoteProxyTelemetryConfigRefFetchError (line 290) | ConditionReasonMCPRemoteProxyTelemetryConfigRefFetchError = "TelemetryCo...
constant ConditionReasonMCPRemoteProxyExternalAuthConfigValid (line 293) | ConditionReasonMCPRemoteProxyExternalAuthConfigValid = "ExternalAuthConf...
constant ConditionReasonMCPRemoteProxyExternalAuthConfigNotFound (line 296) | ConditionReasonMCPRemoteProxyExternalAuthConfigNotFound = "ExternalAuthC...
constant ConditionReasonMCPRemoteProxyExternalAuthConfigFetchError (line 299) | ConditionReasonMCPRemoteProxyExternalAuthConfigFetchError = "ExternalAut...
constant ConditionReasonMCPRemoteProxyExternalAuthConfigMultiUpstream (line 303) | ConditionReasonMCPRemoteProxyExternalAuthConfigMultiUpstream = "MultiUps...
constant ConditionReasonMCPRemoteProxyAuthServerRefValid (line 306) | ConditionReasonMCPRemoteProxyAuthServerRefValid = "AuthServerRefValid"
constant ConditionReasonMCPRemoteProxyAuthServerRefNotFound (line 309) | ConditionReasonMCPRemoteProxyAuthServerRefNotFound = "AuthServerRefNotFo...
constant ConditionReasonMCPRemoteProxyAuthServerRefFetchError (line 312) | ConditionReasonMCPRemoteProxyAuthServerRefFetchError = "AuthServerRefFet...
constant ConditionReasonMCPRemoteProxyAuthServerRefInvalidKind (line 315) | ConditionReasonMCPRemoteProxyAuthServerRefInvalidKind = "AuthServerRefIn...
constant ConditionReasonMCPRemoteProxyAuthServerRefInvalidType (line 318) | ConditionReasonMCPRemoteProxyAuthServerRefInvalidType = "AuthServerRefIn...
constant ConditionReasonMCPRemoteProxyAuthServerRefMultiUpstream (line 321) | ConditionReasonMCPRemoteProxyAuthServerRefMultiUpstream = "MultiUpstream...
constant ConditionReasonConfigurationValid (line 324) | ConditionReasonConfigurationValid = "ConfigurationValid"
constant ConditionReasonOIDCIssuerInsecure (line 327) | ConditionReasonOIDCIssuerInsecure = "OIDCIssuerInsecure"
constant ConditionReasonOIDCIssuerInvalid (line 330) | ConditionReasonOIDCIssuerInvalid = "OIDCIssuerInvalid"
constant ConditionReasonAuthzPolicySyntaxInvalid (line 333) | ConditionReasonAuthzPolicySyntaxInvalid = "AuthzPolicySyntaxInvalid"
constant ConditionReasonAuthzConfigMapNotFound (line 336) | ConditionReasonAuthzConfigMapNotFound = "AuthzConfigMapNotFound"
constant ConditionReasonHeaderSecretNotFound (line 339) | ConditionReasonHeaderSecretNotFound = "HeaderSecretNotFound"
constant ConditionReasonRemoteURLInvalid (line 342) | ConditionReasonRemoteURLInvalid = "RemoteURLInvalid"
constant ConditionReasonJWKSURLInvalid (line 345) | ConditionReasonJWKSURLInvalid = "JWKSURLInvalid"
type MCPRemoteProxy (line 360) | type MCPRemoteProxy struct
method GetName (line 382) | func (m *MCPRemoteProxy) GetName() string {
method GetNamespace (line 387) | func (m *MCPRemoteProxy) GetNamespace() string {
method GetProxyPort (line 392) | func (m *MCPRemoteProxy) GetProxyPort() int32 {
type MCPRemoteProxyList (line 371) | type MCPRemoteProxyList struct
function init (line 377) | func init() {
FILE: cmd/thv-operator/api/v1beta1/mcpserver_types.go
constant ConditionGroupRefValidated (line 16) | ConditionGroupRefValidated = "GroupRefValidated"
constant ConditionPodTemplateValid (line 19) | ConditionPodTemplateValid = "PodTemplateValid"
constant ConditionReasonReady (line 24) | ConditionReasonReady = "Ready"
constant ConditionReasonNotReady (line 27) | ConditionReasonNotReady = "NotReady"
constant ConditionReasonGroupRefValidated (line 32) | ConditionReasonGroupRefValidated = "GroupRefIsValid"
constant ConditionReasonGroupRefNotFound (line 35) | ConditionReasonGroupRefNotFound = "GroupRefNotFound"
constant ConditionReasonGroupRefNotReady (line 38) | ConditionReasonGroupRefNotReady = "GroupRefNotReady"
constant ConditionReasonPodTemplateValid (line 43) | ConditionReasonPodTemplateValid = "ValidPodTemplateSpec"
constant ConditionReasonPodTemplateInvalid (line 46) | ConditionReasonPodTemplateInvalid = "InvalidPodTemplateSpec"
constant ConditionCABundleRefValidated (line 52) | ConditionCABundleRefValidated = "CABundleRefValidated"
constant ConditionOIDCConfigRefValidated (line 58) | ConditionOIDCConfigRefValidated = "OIDCConfigRefValidated"
constant ConditionReasonOIDCConfigRefValid (line 63) | ConditionReasonOIDCConfigRefValid = "OIDCConfigRefValid"
constant ConditionReasonOIDCConfigRefNotFound (line 66) | ConditionReasonOIDCConfigRefNotFound = "OIDCConfigRefNotFound"
constant ConditionReasonOIDCConfigRefNotValid (line 69) | ConditionReasonOIDCConfigRefNotValid = "OIDCConfigRefNotValid"
constant ConditionReasonOIDCConfigRefError (line 72) | ConditionReasonOIDCConfigRefError = "OIDCConfigRefError"
constant ConditionReasonCABundleRefValid (line 77) | ConditionReasonCABundleRefValid = "CABundleRefValid"
constant ConditionReasonCABundleRefNotFound (line 80) | ConditionReasonCABundleRefNotFound = "CABundleRefNotFound"
constant ConditionReasonCABundleRefInvalid (line 83) | ConditionReasonCABundleRefInvalid = "CABundleRefInvalid"
constant ConditionTypeExternalAuthConfigValidated (line 88) | ConditionTypeExternalAuthConfigValidated = "ExternalAuthConfigValidated"
constant ConditionReasonExternalAuthConfigMultiUpstream (line 94) | ConditionReasonExternalAuthConfigMultiUpstream = "MultiUpstreamNotSuppor...
constant ConditionTypeAuthServerRefValidated (line 99) | ConditionTypeAuthServerRefValidated = "AuthServerRefValidated"
constant ConditionReasonAuthServerRefValid (line 104) | ConditionReasonAuthServerRefValid = "AuthServerRefValid"
constant ConditionReasonAuthServerRefNotFound (line 107) | ConditionReasonAuthServerRefNotFound = "AuthServerRefNotFound"
constant ConditionReasonAuthServerRefFetchError (line 110) | ConditionReasonAuthServerRefFetchError = "AuthServerRefFetchError"
constant ConditionReasonAuthServerRefInvalidKind (line 113) | ConditionReasonAuthServerRefInvalidKind = "AuthServerRefInvalidKind"
constant ConditionReasonAuthServerRefInvalidType (line 116) | ConditionReasonAuthServerRefInvalidType = "AuthServerRefInvalidType"
constant ConditionReasonAuthServerRefMultiUpstream (line 119) | ConditionReasonAuthServerRefMultiUpstream = "MultiUpstreamNotSupported"
constant ConditionTelemetryConfigRefValidated (line 123) | ConditionTelemetryConfigRefValidated = "TelemetryConfigRefValidated"
constant ConditionReasonTelemetryConfigRefValid (line 127) | ConditionReasonTelemetryConfigRefValid = "TelemetryConfigRefValid"
constant ConditionReasonTelemetryConfigRefNotFound (line 130) | ConditionReasonTelemetryConfigRefNotFound = "TelemetryConfigRefNotFound"
constant ConditionReasonTelemetryConfigRefInvalid (line 133) | ConditionReasonTelemetryConfigRefInvalid = "TelemetryConfigRefInvalid"
constant ConditionReasonTelemetryConfigRefError (line 136) | ConditionReasonTelemetryConfigRefError = "TelemetryConfigRefError"
constant ConditionStdioReplicaCapped (line 140) | ConditionStdioReplicaCapped = "StdioReplicaCapped"
constant ConditionReasonStdioReplicaCapped (line 144) | ConditionReasonStdioReplicaCapped = "StdioTransportCapAt1"
constant ConditionReasonStdioReplicaCapNotActive (line 146) | ConditionReasonStdioReplicaCapNotActive = "StdioReplicaCapNotActive"
constant ConditionSessionStorageWarning (line 150) | ConditionSessionStorageWarning = "SessionStorageWarning"
constant ConditionReasonSessionStorageMissing (line 154) | ConditionReasonSessionStorageMissing = "SessionStorageMissingForReplicas"
constant ConditionReasonSessionStorageConfigured (line 156) | ConditionReasonSessionStorageConfigured = "SessionStorageConfigured"
constant ConditionReasonSessionStorageNotApplicable (line 158) | ConditionReasonSessionStorageNotApplicable = "SessionStorageWarningNotAp...
constant ConditionRateLimitConfigValid (line 162) | ConditionRateLimitConfigValid = "RateLimitConfigValid"
constant ConditionReasonRateLimitConfigValid (line 166) | ConditionReasonRateLimitConfigValid = "RateLimitConfigValid"
constant ConditionReasonRateLimitPerUserRequiresAuth (line 168) | ConditionReasonRateLimitPerUserRequiresAuth = "PerUserRequiresAuth"
constant ConditionReasonRateLimitNotApplicable (line 170) | ConditionReasonRateLimitNotApplicable = "RateLimitNotApplicable"
constant SessionStorageProviderRedis (line 174) | SessionStorageProviderRedis = "redis"
type MCPServerSpec (line 183) | type MCPServerSpec struct
type ResourceOverrides (line 358) | type ResourceOverrides struct
type ProxyDeploymentOverrides (line 369) | type ProxyDeploymentOverrides struct
type ResourceMetadataOverrides (line 391) | type ResourceMetadataOverrides struct
type EnvVar (line 402) | type EnvVar struct
type Volume (line 413) | type Volume struct
type ResourceRequirements (line 433) | type ResourceRequirements struct
type ResourceList (line 444) | type ResourceList struct
type SecretRef (line 455) | type SecretRef struct
type SessionStorageConfig (line 479) | type SessionStorageConfig struct
type RateLimitConfig (line 511) | type RateLimitConfig struct
type RateLimitBucket (line 534) | type RateLimitBucket struct
type ToolRateLimitConfig (line 555) | type ToolRateLimitConfig struct
constant PermissionProfileTypeBuiltin (line 573) | PermissionProfileTypeBuiltin = "builtin"
constant PermissionProfileTypeConfigMap (line 576) | PermissionProfileTypeConfigMap = "configmap"
constant AuthzConfigTypeConfigMap (line 582) | AuthzConfigTypeConfigMap = "configMap"
constant AuthzConfigTypeInline (line 585) | AuthzConfigTypeInline = "inline"
type PermissionProfileRef (line 589) | type PermissionProfileRef struct
type PermissionProfileSpec (line 608) | type PermissionProfileSpec struct
type NetworkPermissions (line 625) | type NetworkPermissions struct
type OutboundNetworkPermissions (line 637) | type OutboundNetworkPermissions struct
type CABundleSource (line 655) | type CABundleSource struct
type AuthzConfigRef (line 668) | type AuthzConfigRef struct
type ConfigMapAuthzRef (line 686) | type ConfigMapAuthzRef struct
type ExternalAuthConfigRef (line 699) | type ExternalAuthConfigRef struct
type AuthServerRef (line 708) | type AuthServerRef struct
type ToolConfigRef (line 722) | type ToolConfigRef struct
type MCPGroupRef (line 730) | type MCPGroupRef struct
method GetName (line 738) | func (r *MCPGroupRef) GetName() string {
type InlineAuthzConfig (line 746) | type InlineAuthzConfig struct
type AuditConfig (line 760) | type AuditConfig struct
type PrometheusConfig (line 769) | type PrometheusConfig struct
type OpenTelemetryTracingConfig (line 777) | type OpenTelemetryTracingConfig struct
type OpenTelemetryMetricsConfig (line 791) | type OpenTelemetryMetricsConfig struct
type MCPServerStatus (line 799) | type MCPServerStatus struct
type MCPServerPhase (line 850) | type MCPServerPhase
constant MCPServerPhasePending (line 854) | MCPServerPhasePending MCPServerPhase = "Pending"
constant MCPServerPhaseReady (line 857) | MCPServerPhaseReady MCPServerPhase = "Ready"
constant MCPServerPhaseFailed (line 860) | MCPServerPhaseFailed MCPServerPhase = "Failed"
constant MCPServerPhaseTerminating (line 863) | MCPServerPhaseTerminating MCPServerPhase = "Terminating"
constant MCPServerPhaseStopped (line 866) | MCPServerPhaseStopped MCPServerPhase = "Stopped"
type MCPServer (line 880) | type MCPServer struct
method GetName (line 898) | func (m *MCPServer) GetName() string {
method GetNamespace (line 903) | func (m *MCPServer) GetNamespace() string {
method GetProxyPort (line 908) | func (m *MCPServer) GetProxyPort() int32 {
method GetMCPPort (line 916) | func (m *MCPServer) GetMCPPort() int32 {
type MCPServerList (line 891) | type MCPServerList struct
function init (line 923) | func init() {
FILE: cmd/thv-operator/api/v1beta1/mcpserver_types_test.go
function TestSessionStorageConfigJSONRoundtrip (line 16) | func TestSessionStorageConfigJSONRoundtrip(t *testing.T) {
function TestRateLimitConfigJSONRoundtrip (line 70) | func TestRateLimitConfigJSONRoundtrip(t *testing.T) {
function TestMCPServerSpecScalingFieldsJSONRoundtrip (line 119) | func TestMCPServerSpecScalingFieldsJSONRoundtrip(t *testing.T) {
FILE: cmd/thv-operator/api/v1beta1/mcpserverentry_types.go
type MCPServerEntrySpec (line 13) | type MCPServerEntrySpec struct
type MCPServerEntryStatus (line 50) | type MCPServerEntryStatus struct
type MCPServerEntryPhase (line 69) | type MCPServerEntryPhase
constant MCPServerEntryPhaseValid (line 73) | MCPServerEntryPhaseValid MCPServerEntryPhase = "Valid"
constant MCPServerEntryPhasePending (line 76) | MCPServerEntryPhasePending MCPServerEntryPhase = "Pending"
constant MCPServerEntryPhaseFailed (line 79) | MCPServerEntryPhaseFailed MCPServerEntryPhase = "Failed"
constant ConditionTypeMCPServerEntryValid (line 88) | ConditionTypeMCPServerEntryValid = ConditionTypeValid
constant ConditionTypeMCPServerEntryGroupRefValidated (line 91) | ConditionTypeMCPServerEntryGroupRefValidated = ConditionGroupRefValidated
constant ConditionTypeMCPServerEntryAuthConfigValidated (line 95) | ConditionTypeMCPServerEntryAuthConfigValidated = ConditionTypeExternalAu...
constant ConditionTypeMCPServerEntryCABundleRefValidated (line 99) | ConditionTypeMCPServerEntryCABundleRefValidated = ConditionCABundleRefVa...
constant ConditionTypeMCPServerEntryRemoteURLValidated (line 103) | ConditionTypeMCPServerEntryRemoteURLValidated = "RemoteURLValidated"
constant ConditionReasonMCPServerEntryValid (line 111) | ConditionReasonMCPServerEntryValid = "ConfigValid"
constant ConditionReasonMCPServerEntryInvalid (line 114) | ConditionReasonMCPServerEntryInvalid = "ConfigInvalid"
constant ConditionReasonMCPServerEntryGroupRefValidated (line 117) | ConditionReasonMCPServerEntryGroupRefValidated = ConditionReasonGroupRef...
constant ConditionReasonMCPServerEntryGroupRefNotFound (line 120) | ConditionReasonMCPServerEntryGroupRefNotFound = ConditionReasonGroupRefN...
constant ConditionReasonMCPServerEntryGroupRefNotReady (line 123) | ConditionReasonMCPServerEntryGroupRefNotReady = ConditionReasonGroupRefN...
constant ConditionReasonMCPServerEntryAuthConfigValid (line 126) | ConditionReasonMCPServerEntryAuthConfigValid = "AuthConfigValid"
constant ConditionReasonMCPServerEntryAuthConfigNotFound (line 129) | ConditionReasonMCPServerEntryAuthConfigNotFound = "AuthConfigNotFound"
constant ConditionReasonMCPServerEntryAuthConfigNotConfigured (line 132) | ConditionReasonMCPServerEntryAuthConfigNotConfigured = "AuthConfigNotCon...
constant ConditionReasonMCPServerEntryCABundleRefValid (line 135) | ConditionReasonMCPServerEntryCABundleRefValid = ConditionReasonCABundleR...
constant ConditionReasonMCPServerEntryCABundleRefNotFound (line 138) | ConditionReasonMCPServerEntryCABundleRefNotFound = ConditionReasonCABund...
constant ConditionReasonMCPServerEntryCABundleRefNotConfigured (line 141) | ConditionReasonMCPServerEntryCABundleRefNotConfigured = "CABundleRefNotC...
constant ConditionReasonMCPServerEntryRemoteURLValid (line 144) | ConditionReasonMCPServerEntryRemoteURLValid = "RemoteURLValid"
constant ConditionReasonMCPServerEntryRemoteURLInvalid (line 148) | ConditionReasonMCPServerEntryRemoteURLInvalid = ConditionReasonRemoteURL...
type MCPServerEntry (line 164) | type MCPServerEntry struct
type MCPServerEntryList (line 175) | type MCPServerEntryList struct
function init (line 181) | func init() {
FILE: cmd/thv-operator/api/v1beta1/mcptelemetryconfig_types.go
constant maxK8sVolumeName (line 14) | maxK8sVolumeName = 63
constant telemetryCABundleVolumePrefix (line 16) | telemetryCABundleVolumePrefix = "otel-ca-bundle-"
constant maxTelemetryCABundleConfigMapName (line 18) | maxTelemetryCABundleConfigMapName = maxK8sVolumeName - len(telemetryCABu...
type SensitiveHeader (line 24) | type SensitiveHeader struct
type MCPTelemetryOTelConfig (line 45) | type MCPTelemetryOTelConfig struct
type MCPTelemetryConfigSpec (line 106) | type MCPTelemetryConfigSpec struct
type MCPTelemetryConfigStatus (line 117) | type MCPTelemetryConfigStatus struct
type MCPTelemetryConfig (line 153) | type MCPTelemetryConfig struct
method Validate (line 191) | func (r *MCPTelemetryConfig) Validate() error {
method validateEndpointRequiresSignals (line 203) | func (r *MCPTelemetryConfig) validateEndpointRequiresSignals() error {
method validateSensitiveHeaders (line 220) | func (r *MCPTelemetryConfig) validateSensitiveHeaders() error {
method validateCABundle (line 243) | func (r *MCPTelemetryConfig) validateCABundle() error {
type MCPTelemetryConfigList (line 164) | type MCPTelemetryConfigList struct
type MCPTelemetryConfigReference (line 173) | type MCPTelemetryConfigReference struct
function init (line 268) | func init() {
FILE: cmd/thv-operator/api/v1beta1/mcptelemetryconfig_types_test.go
function TestMCPTelemetryConfig_Validate (line 14) | func TestMCPTelemetryConfig_Validate(t *testing.T) {
function TestMCPTelemetryConfig_validateCABundle (line 157) | func TestMCPTelemetryConfig_validateCABundle(t *testing.T) {
FILE: cmd/thv-operator/api/v1beta1/toolconfig_types.go
constant ConditionToolConfigValid (line 13) | ConditionToolConfigValid = ConditionTypeValid
constant ConditionReasonToolConfigValidationSucceeded (line 18) | ConditionReasonToolConfigValidationSucceeded = "ValidationSucceeded"
constant ConditionReasonToolConfigValidationFailed (line 20) | ConditionReasonToolConfigValidationFailed = "ValidationFailed"
type MCPToolConfigSpec (line 26) | type MCPToolConfigSpec struct
type ToolAnnotationsOverride (line 43) | type ToolAnnotationsOverride struct
type ToolOverride (line 68) | type ToolOverride struct
type MCPToolConfigStatus (line 84) | type MCPToolConfigStatus struct
type MCPToolConfig (line 120) | type MCPToolConfig struct
type MCPToolConfigList (line 131) | type MCPToolConfigList struct
function init (line 137) | func init() {
FILE: cmd/thv-operator/api/v1beta1/virtualmcpcompositetooldefinition_types.go
type VirtualMCPCompositeToolDefinitionSpec (line 15) | type VirtualMCPCompositeToolDefinitionSpec struct
type VirtualMCPCompositeToolDefinitionStatus (line 20) | type VirtualMCPCompositeToolDefinitionStatus struct
type ValidationStatus (line 52) | type ValidationStatus
constant ValidationStatusValid (line 56) | ValidationStatusValid ValidationStatus = "Valid"
constant ValidationStatusInvalid (line 59) | ValidationStatusInvalid ValidationStatus = "Invalid"
constant ValidationStatusUnknown (line 62) | ValidationStatusUnknown ValidationStatus = "Unknown"
constant ConditionTypeWorkflowValidated (line 68) | ConditionTypeWorkflowValidated = "WorkflowValidated"
constant ConditionReasonValidationSuccess (line 76) | ConditionReasonValidationSuccess = "ValidationSuccess"
constant ConditionReasonValidationFailed (line 79) | ConditionReasonValidationFailed = "ValidationFailed"
constant ConditionReasonSchemaInvalid (line 82) | ConditionReasonSchemaInvalid = "SchemaInvalid"
constant ConditionReasonTemplateInvalid (line 85) | ConditionReasonTemplateInvalid = "TemplateInvalid"
constant ConditionReasonDependencyCycle (line 88) | ConditionReasonDependencyCycle = "DependencyCycle"
constant ConditionReasonToolNotFound (line 91) | ConditionReasonToolNotFound = "ToolNotFound"
constant ConditionReasonWorkflowReady (line 94) | ConditionReasonWorkflowReady = "WorkflowReady"
constant ConditionReasonWorkflowNotReady (line 97) | ConditionReasonWorkflowNotReady = "WorkflowNotReady"
type VirtualMCPCompositeToolDefinition (line 114) | type VirtualMCPCompositeToolDefinition struct
method Validate (line 134) | func (r *VirtualMCPCompositeToolDefinition) Validate() error {
method GetValidationErrors (line 140) | func (r *VirtualMCPCompositeToolDefinition) GetValidationErrors() []st...
type VirtualMCPCompositeToolDefinitionList (line 125) | type VirtualMCPCompositeToolDefinitionList struct
function init (line 147) | func init() {
FILE: cmd/thv-operator/api/v1beta1/virtualmcpserver_types.go
type VirtualMCPServerSpec (line 20) | type VirtualMCPServerSpec struct
type EmbeddingServerRef (line 150) | type EmbeddingServerRef struct
type IncomingAuthConfig (line 161) | type IncomingAuthConfig struct
type OutgoingAuthConfig (line 182) | type OutgoingAuthConfig struct
type BackendAuthConfig (line 202) | type BackendAuthConfig struct
constant BackendStatusReady (line 220) | BackendStatusReady = "ready"
constant BackendStatusUnavailable (line 221) | BackendStatusUnavailable = "unavailable"
constant BackendStatusDegraded (line 222) | BackendStatusDegraded = "degraded"
constant BackendStatusUnknown (line 223) | BackendStatusUnknown = "unknown"
constant BackendStatusUnauthenticated (line 224) | BackendStatusUnauthenticated = "unauthenticated"
type VirtualMCPServerStatus (line 232) | type VirtualMCPServerStatus struct
type VirtualMCPServerPhase (line 280) | type VirtualMCPServerPhase
constant VirtualMCPServerPhasePending (line 284) | VirtualMCPServerPhasePending VirtualMCPServerPhase = "Pending"
constant VirtualMCPServerPhaseReady (line 287) | VirtualMCPServerPhaseReady VirtualMCPServerPhase = "Ready"
constant VirtualMCPServerPhaseDegraded (line 290) | VirtualMCPServerPhaseDegraded VirtualMCPServerPhase = "Degraded"
constant VirtualMCPServerPhaseFailed (line 293) | VirtualMCPServerPhaseFailed VirtualMCPServerPhase = "Failed"
constant ConditionTypeVirtualMCPServerReady (line 300) | ConditionTypeVirtualMCPServerReady = "Ready"
constant ConditionTypeVirtualMCPServerGroupRefValidated (line 303) | ConditionTypeVirtualMCPServerGroupRefValidated = "GroupRefValidated"
constant ConditionTypeCompositeToolRefsValidated (line 306) | ConditionTypeCompositeToolRefsValidated = "CompositeToolRefsValidated"
constant ConditionTypeVirtualMCPServerPodTemplateSpecValid (line 308) | ConditionTypeVirtualMCPServerPodTemplateSpecValid = "PodTemplateSpecValid"
constant ConditionTypeVirtualMCPServerBackendsDiscovered (line 311) | ConditionTypeVirtualMCPServerBackendsDiscovered = "BackendsDiscovered"
constant ConditionTypeEmbeddingServerReady (line 314) | ConditionTypeEmbeddingServerReady = "EmbeddingServerReady"
constant ConditionTypeAuthServerConfigValidated (line 317) | ConditionTypeAuthServerConfigValidated = "AuthServerConfigValidated"
constant ConditionTypeAuthzUpstreamSelectionWarning (line 323) | ConditionTypeAuthzUpstreamSelectionWarning = "AuthzUpstreamSelectionWarn...
constant ConditionTypeVirtualMCPServerTelemetryConfigRefValidated (line 326) | ConditionTypeVirtualMCPServerTelemetryConfigRefValidated = "TelemetryCon...
constant ConditionReasonIncomingAuthValid (line 332) | ConditionReasonIncomingAuthValid = "IncomingAuthValid"
constant ConditionReasonIncomingAuthInvalid (line 335) | ConditionReasonIncomingAuthInvalid = "IncomingAuthInvalid"
constant ConditionReasonVirtualMCPServerGroupRefValid (line 338) | ConditionReasonVirtualMCPServerGroupRefValid = "GroupRefValid"
constant ConditionReasonVirtualMCPServerGroupRefNotFound (line 341) | ConditionReasonVirtualMCPServerGroupRefNotFound = "GroupRefNotFound"
constant ConditionReasonVirtualMCPServerGroupRefNotReady (line 344) | ConditionReasonVirtualMCPServerGroupRefNotReady = "GroupRefNotReady"
constant ConditionReasonCompositeToolRefsValid (line 347) | ConditionReasonCompositeToolRefsValid = "CompositeToolRefsValid"
constant ConditionReasonCompositeToolRefNotFound (line 350) | ConditionReasonCompositeToolRefNotFound = "CompositeToolRefNotFound"
constant ConditionReasonCompositeToolRefInvalid (line 353) | ConditionReasonCompositeToolRefInvalid = "CompositeToolRefInvalid"
constant ConditionReasonVirtualMCPServerPodTemplateSpecValid (line 356) | ConditionReasonVirtualMCPServerPodTemplateSpecValid = "PodTemplateSpecVa...
constant ConditionReasonVirtualMCPServerPodTemplateSpecInvalid (line 359) | ConditionReasonVirtualMCPServerPodTemplateSpecInvalid = "InvalidPodTempl...
constant ConditionReasonVirtualMCPServerBackendsDiscoveredSuccessfully (line 362) | ConditionReasonVirtualMCPServerBackendsDiscoveredSuccessfully = "Backend...
constant ConditionReasonVirtualMCPServerBackendDiscoveryFailed (line 365) | ConditionReasonVirtualMCPServerBackendDiscoveryFailed = "BackendDiscover...
constant ConditionReasonVirtualMCPServerDeploymentFailed (line 368) | ConditionReasonVirtualMCPServerDeploymentFailed = "DeploymentFailed"
constant ConditionReasonVirtualMCPServerDeploymentReady (line 371) | ConditionReasonVirtualMCPServerDeploymentReady = "DeploymentReady"
constant ConditionReasonVirtualMCPServerDeploymentNotReady (line 374) | ConditionReasonVirtualMCPServerDeploymentNotReady = "DeploymentNotReady"
constant ConditionReasonEmbeddingServerReady (line 377) | ConditionReasonEmbeddingServerReady = "EmbeddingServerReady"
constant ConditionReasonEmbeddingServerNotFound (line 380) | ConditionReasonEmbeddingServerNotFound = "EmbeddingServerNotFound"
constant ConditionReasonEmbeddingServerNotReady (line 383) | ConditionReasonEmbeddingServerNotReady = "EmbeddingServerNotReady"
constant ConditionReasonAuthServerConfigValid (line 386) | ConditionReasonAuthServerConfigValid = "AuthServerConfigValid"
constant ConditionReasonAuthServerConfigInvalid (line 389) | ConditionReasonAuthServerConfigInvalid = "AuthServerConfigInvalid"
constant ConditionReasonAuthzRequiresUpstream (line 396) | ConditionReasonAuthzRequiresUpstream = "AuthzRequiresUpstream"
constant ConditionReasonAuthzUpstreamAutoSelected (line 401) | ConditionReasonAuthzUpstreamAutoSelected = "AuthzUpstreamAutoSelected"
constant ConditionReasonVirtualMCPServerTelemetryConfigRefValid (line 404) | ConditionReasonVirtualMCPServerTelemetryConfigRefValid = "TelemetryConfi...
constant ConditionReasonVirtualMCPServerTelemetryConfigRefNotFound (line 407) | ConditionReasonVirtualMCPServerTelemetryConfigRefNotFound = "TelemetryCo...
constant ConditionReasonVirtualMCPServerTelemetryConfigRefInvalid (line 410) | ConditionReasonVirtualMCPServerTelemetryConfigRefInvalid = "TelemetryCon...
constant ConditionReasonVirtualMCPServerTelemetryConfigRefFetchError (line 413) | ConditionReasonVirtualMCPServerTelemetryConfigRefFetchError = "Telemetry...
constant BackendAuthTypeDiscovered (line 419) | BackendAuthTypeDiscovered = "discovered"
constant BackendAuthTypeExternalAuthConfigRef (line 422) | BackendAuthTypeExternalAuthConfigRef = "externalAuthConfigRef"
constant WorkflowStepTypeToolCall (line 428) | WorkflowStepTypeToolCall = "tool"
constant WorkflowStepTypeElicitation (line 431) | WorkflowStepTypeElicitation = "elicitation"
constant ErrorActionAbort (line 437) | ErrorActionAbort = "abort"
constant ErrorActionContinue (line 440) | ErrorActionContinue = "continue"
constant ErrorActionRetry (line 443) | ErrorActionRetry = "retry"
type VirtualMCPServer (line 458) | type VirtualMCPServer struct
method GetProxyPort (line 477) | func (*VirtualMCPServer) GetProxyPort() int32 {
method ResolveGroupName (line 482) | func (r *VirtualMCPServer) ResolveGroupName() string {
method Validate (line 488) | func (r *VirtualMCPServer) Validate() error {
method validateEmbeddingServer (line 534) | func (r *VirtualMCPServer) validateEmbeddingServer() error {
method validateBackendAuth (line 563) | func (*VirtualMCPServer) validateBackendAuth(backendName string, auth ...
method validateAggregation (line 594) | func (r *VirtualMCPServer) validateAggregation() error {
method validateCompositeTools (line 646) | func (r *VirtualMCPServer) validateCompositeTools() error {
type VirtualMCPServerList (line 469) | type VirtualMCPServerList struct
function init (line 669) | func init() {
FILE: cmd/thv-operator/api/v1beta1/virtualmcpserver_types_test.go
function TestVirtualMCPServerPhaseTransitions (line 18) | func TestVirtualMCPServerPhaseTransitions(t *testing.T) {
function TestVirtualMCPServerConditions (line 89) | func TestVirtualMCPServerConditions(t *testing.T) {
function TestVirtualMCPServerDefaultValues (line 140) | func TestVirtualMCPServerDefaultValues(t *testing.T) {
function TestVirtualMCPServerNamespaceIsolation (line 167) | func TestVirtualMCPServerNamespaceIsolation(t *testing.T) {
function TestConflictResolutionStrategies (line 202) | func TestConflictResolutionStrategies(t *testing.T) {
function TestBackendAuthConfigTypes (line 262) | func TestBackendAuthConfigTypes(t *testing.T) {
function TestCompositeToolStepDependencies (line 318) | func TestCompositeToolStepDependencies(t *testing.T) {
function TestValidateEmbeddingServer (line 387) | func TestValidateEmbeddingServer(t *testing.T) {
function TestVirtualMCPServerSpecScalingFieldsJSONRoundtrip (line 484) | func TestVirtualMCPServerSpecScalingFieldsJSONRoundtrip(t *testing.T) {
function TestMCPGroupRef_GetName (line 539) | func TestMCPGroupRef_GetName(t *testing.T) {
function TestVirtualMCPServer_Validate_RequiresGroupRef (line 559) | func TestVirtualMCPServer_Validate_RequiresGroupRef(t *testing.T) {
function TestVirtualMCPServer_ResolveGroupName (line 605) | func TestVirtualMCPServer_ResolveGroupName(t *testing.T) {
FILE: cmd/thv-operator/api/v1beta1/zz_generated.deepcopy.go
method DeepCopyInto (line 31) | func (in *AWSStsConfig) DeepCopyInto(out *AWSStsConfig) {
method DeepCopy (line 48) | func (in *AWSStsConfig) DeepCopy() *AWSStsConfig {
method DeepCopyInto (line 58) | func (in *AuditConfig) DeepCopyInto(out *AuditConfig) {
method DeepCopy (line 63) | func (in *AuditConfig) DeepCopy() *AuditConfig {
method DeepCopyInto (line 73) | func (in *AuthServerRef) DeepCopyInto(out *AuthServerRef) {
method DeepCopy (line 78) | func (in *AuthServerRef) DeepCopy() *AuthServerRef {
method DeepCopyInto (line 88) | func (in *AuthServerStorageConfig) DeepCopyInto(out *AuthServerStorageCo...
method DeepCopy (line 98) | func (in *AuthServerStorageConfig) DeepCopy() *AuthServerStorageConfig {
method DeepCopyInto (line 108) | func (in *AuthzConfigRef) DeepCopyInto(out *AuthzConfigRef) {
method DeepCopy (line 123) | func (in *AuthzConfigRef) DeepCopy() *AuthzConfigRef {
method DeepCopyInto (line 133) | func (in *BackendAuthConfig) DeepCopyInto(out *BackendAuthConfig) {
method DeepCopy (line 143) | func (in *BackendAuthConfig) DeepCopy() *BackendAuthConfig {
method DeepCopyInto (line 153) | func (in *BearerTokenConfig) DeepCopyInto(out *BearerTokenConfig) {
method DeepCopy (line 163) | func (in *BearerTokenConfig) DeepCopy() *BearerTokenConfig {
method DeepCopyInto (line 173) | func (in *CABundleSource) DeepCopyInto(out *CABundleSource) {
method DeepCopy (line 183) | func (in *CABundleSource) DeepCopy() *CABundleSource {
method DeepCopyInto (line 193) | func (in *ConfigMapAuthzRef) DeepCopyInto(out *ConfigMapAuthzRef) {
method DeepCopy (line 198) | func (in *ConfigMapAuthzRef) DeepCopy() *ConfigMapAuthzRef {
method DeepCopyInto (line 208) | func (in *EmbeddedAuthServerConfig) DeepCopyInto(out *EmbeddedAuthServer...
method DeepCopy (line 240) | func (in *EmbeddedAuthServerConfig) DeepCopy() *EmbeddedAuthServerConfig {
method DeepCopyInto (line 250) | func (in *EmbeddingResourceOverrides) DeepCopyInto(out *EmbeddingResourc...
method DeepCopy (line 270) | func (in *EmbeddingResourceOverrides) DeepCopy() *EmbeddingResourceOverr...
method DeepCopyInto (line 280) | func (in *EmbeddingServer) DeepCopyInto(out *EmbeddingServer) {
method DeepCopy (line 289) | func (in *EmbeddingServer) DeepCopy() *EmbeddingServer {
method DeepCopyObject (line 299) | func (in *EmbeddingServer) DeepCopyObject() runtime.Object {
method DeepCopyInto (line 307) | func (in *EmbeddingServerList) DeepCopyInto(out *EmbeddingServerList) {
method DeepCopy (line 321) | func (in *EmbeddingServerList) DeepCopy() *EmbeddingServerList {
method DeepCopyObject (line 331) | func (in *EmbeddingServerList) DeepCopyObject() runtime.Object {
method DeepCopyInto (line 339) | func (in *EmbeddingServerRef) DeepCopyInto(out *EmbeddingServerRef) {
method DeepCopy (line 344) | func (in *EmbeddingServerRef) DeepCopy() *EmbeddingServerRef {
method DeepCopyInto (line 354) | func (in *EmbeddingServerSpec) DeepCopyInto(out *EmbeddingServerSpec) {
method DeepCopy (line 395) | func (in *EmbeddingServerSpec) DeepCopy() *EmbeddingServerSpec {
method DeepCopyInto (line 405) | func (in *EmbeddingServerStatus) DeepCopyInto(out *EmbeddingServerStatus) {
method DeepCopy (line 417) | func (in *EmbeddingServerStatus) DeepCopy() *EmbeddingServerStatus {
method DeepCopyInto (line 427) | func (in *EmbeddingStatefulSetOverrides) DeepCopyInto(out *EmbeddingStat...
method DeepCopy (line 438) | func (in *EmbeddingStatefulSetOverrides) DeepCopy() *EmbeddingStatefulSe...
method DeepCopyInto (line 448) | func (in *EnvVar) DeepCopyInto(out *EnvVar) {
method DeepCopy (line 453) | func (in *EnvVar) DeepCopy() *EnvVar {
method DeepCopyInto (line 463) | func (in *ExternalAuthConfigRef) DeepCopyInto(out *ExternalAuthConfigRef) {
method DeepCopy (line 468) | func (in *ExternalAuthConfigRef) DeepCopy() *ExternalAuthConfigRef {
method DeepCopyInto (line 478) | func (in *HeaderForwardConfig) DeepCopyInto(out *HeaderForwardConfig) {
method DeepCopy (line 497) | func (in *HeaderForwardConfig) DeepCopy() *HeaderForwardConfig {
method DeepCopyInto (line 507) | func (in *HeaderFromSecret) DeepCopyInto(out *HeaderFromSecret) {
method DeepCopy (line 517) | func (in *HeaderFromSecret) DeepCopy() *HeaderFromSecret {
method DeepCopyInto (line 527) | func (in *HeaderInjectionConfig) DeepCopyInto(out *HeaderInjectionConfig) {
method DeepCopy (line 537) | func (in *HeaderInjectionConfig) DeepCopy() *HeaderInjectionConfig {
method DeepCopyInto (line 547) | func (in *IncomingAuthConfig) DeepCopyInto(out *IncomingAuthConfig) {
method DeepCopy (line 562) | func (in *IncomingAuthConfig) DeepCopy() *IncomingAuthConfig {
method DeepCopyInto (line 572) | func (in *InlineAuthzConfig) DeepCopyInto(out *InlineAuthzConfig) {
method DeepCopy (line 582) | func (in *InlineAuthzConfig) DeepCopy() *InlineAuthzConfig {
method DeepCopyInto (line 592) | func (in *InlineOIDCSharedConfig) DeepCopyInto(out *InlineOIDCSharedConf...
method DeepCopy (line 607) | func (in *InlineOIDCSharedConfig) DeepCopy() *InlineOIDCSharedConfig {
method DeepCopyInto (line 617) | func (in *KubernetesServiceAccountOIDCConfig) DeepCopyInto(out *Kubernet...
method DeepCopy (line 627) | func (in *KubernetesServiceAccountOIDCConfig) DeepCopy() *KubernetesServ...
method DeepCopyInto (line 637) | func (in *MCPExternalAuthConfig) DeepCopyInto(out *MCPExternalAuthConfig) {
method DeepCopy (line 646) | func (in *MCPExternalAuthConfig) DeepCopy() *MCPExternalAuthConfig {
method DeepCopyObject (line 656) | func (in *MCPExternalAuthConfig) DeepCopyObject() runtime.Object {
method DeepCopyInto (line 664) | func (in *MCPExternalAuthConfigList) DeepCopyInto(out *MCPExternalAuthCo...
method DeepCopy (line 678) | func (in *MCPExternalAuthConfigList) DeepCopy() *MCPExternalAuthConfigLi...
method DeepCopyObject (line 688) | func (in *MCPExternalAuthConfigList) DeepCopyObject() runtime.Object {
method DeepCopyInto (line 696) | func (in *MCPExternalAuthConfigSpec) DeepCopyInto(out *MCPExternalAuthCo...
method DeepCopy (line 731) | func (in *MCPExternalAuthConfigSpec) DeepCopy() *MCPExternalAuthConfigSp...
method DeepCopyInto (line 741) | func (in *MCPExternalAuthConfigStatus) DeepCopyInto(out *MCPExternalAuth...
method DeepCopy (line 758) | func (in *MCPExternalAuthConfigStatus) DeepCopy() *MCPExternalAuthConfig...
method DeepCopyInto (line 768) | func (in *MCPGroup) DeepCopyInto(out *MCPGroup) {
method DeepCopy (line 777) | func (in *MCPGroup) DeepCopy() *MCPGroup {
method DeepCopyObject (line 787) | func (in *MCPGroup) DeepCopyObject() runtime.Object {
method DeepCopyInto (line 795) | func (in *MCPGroupList) DeepCopyInto(out *MCPGroupList) {
method DeepCopy (line 809) | func (in *MCPGroupList) DeepCopy() *MCPGroupList {
method DeepCopyObject (line 819) | func (in *MCPGroupList) DeepCopyObject() runtime.Object {
method DeepCopyInto (line 827) | func (in *MCPGroupRef) DeepCopyInto(out *MCPGroupRef) {
method DeepCopy (line 832) | func (in *MCPGroupRef) DeepCopy() *MCPGroupRef {
method DeepCopyInto (line 842) | func (in *MCPGroupSpec) DeepCopyInto(out *MCPGroupSpec) {
method DeepCopy (line 847) | func (in *MCPGroupSpec) DeepCopy() *MCPGroupSpec {
method DeepCopyInto (line 857) | func (in *MCPGroupStatus) DeepCopyInto(out *MCPGroupStatus) {
method DeepCopy (line 884) | func (in *MCPGroupStatus) DeepCopy() *MCPGroupStatus {
method DeepCopyInto (line 894) | func (in *MCPOIDCConfig) DeepCopyInto(out *MCPOIDCConfig) {
method DeepCopy (line 903) | func (in *MCPOIDCConfig) DeepCopy() *MCPOIDCConfig {
method DeepCopyObject (line 913) | func (in *MCPOIDCConfig) DeepCopyObject() runtime.Object {
method DeepCopyInto (line 921) | func (in *MCPOIDCConfigList) DeepCopyInto(out *MCPOIDCConfigList) {
method DeepCopy (line 935) | func (in *MCPOIDCConfigList) DeepCopy() *MCPOIDCConfigList {
method DeepCopyObject (line 945) | func (in *MCPOIDCConfigList) DeepCopyObject() runtime.Object {
method DeepCopyInto (line 953) | func (in *MCPOIDCConfigReference) DeepCopyInto(out *MCPOIDCConfigReferen...
method DeepCopy (line 963) | func (in *MCPOIDCConfigReference) DeepCopy() *MCPOIDCConfigReference {
method DeepCopyInto (line 973) | func (in *MCPOIDCConfigSpec) DeepCopyInto(out *MCPOIDCConfigSpec) {
method DeepCopy (line 988) | func (in *MCPOIDCConfigSpec) DeepCopy() *MCPOIDCConfigSpec {
method DeepCopyInto (line 998) | func (in *MCPOIDCConfigStatus) DeepCopyInto(out *MCPOIDCConfigStatus) {
method DeepCopy (line 1015) | func (in *MCPOIDCConfigStatus) DeepCopy() *MCPOIDCConfigStatus {
method DeepCopyInto (line 1025) | func (in *MCPRegistry) DeepCopyInto(out *MCPRegistry) {
method DeepCopy (line 1034) | func (in *MCPRegistry) DeepCopy() *MCPRegistry {
method DeepCopyObject (line 1044) | func (in *MCPRegistry) DeepCopyObject() runtime.Object {
method DeepCopyInto (line 1052) | func (in *MCPRegistryList) DeepCopyInto(out *MCPRegistryList) {
method DeepCopy (line 1066) | func (in *MCPRegistryList) DeepCopy() *MCPRegistryList {
method DeepCopyObject (line 1076) | func (in *MCPRegistryList) DeepCopyObject() runtime.Object {
method DeepCopyInto (line 1084) | func (in *MCPRegistrySpec) DeepCopyInto(out *MCPRegistrySpec) {
method DeepCopy (line 1118) | func (in *MCPRegistrySpec) DeepCopy() *MCPRegistrySpec {
method DeepCopyInto (line 1128) | func (in *MCPRegistryStatus) DeepCopyInto(out *MCPRegistryStatus) {
method DeepCopy (line 1140) | func (in *MCPRegistryStatus) DeepCopy() *MCPRegistryStatus {
method DeepCopyInto (line 1150) | func (in *MCPRemoteProxy) DeepCopyInto(out *MCPRemoteProxy) {
method DeepCopy (line 1159) | func (in *MCPRemoteProxy) DeepCopy() *MCPRemoteProxy {
method DeepCopyObject (line 1169) | func (in *MCPRemoteProxy) DeepCopyObject() runtime.Object {
method DeepCopyInto (line 1177) | func (in *MCPRemoteProxyList) DeepCopyInto(out *MCPRemoteProxyList) {
method DeepCopy (line 1191) | func (in *MCPRemoteProxyList) DeepCopy() *MCPRemoteProxyList {
method DeepCopyObject (line 1201) | func (in *MCPRemoteProxyList) DeepCopyObject() runtime.Object {
method DeepCopyInto (line 1209) | func (in *MCPRemoteProxySpec) DeepCopyInto(out *MCPRemoteProxySpec) {
method DeepCopy (line 1270) | func (in *MCPRemoteProxySpec) DeepCopy() *MCPRemoteProxySpec {
method DeepCopyInto (line 1280) | func (in *MCPRemoteProxyStatus) DeepCopyInto(out *MCPRemoteProxyStatus) {
method DeepCopy (line 1292) | func (in *MCPRemoteProxyStatus) DeepCopy() *MCPRemoteProxyStatus {
method DeepCopyInto (line 1302) | func (in *MCPServer) DeepCopyInto(out *MCPServer) {
method DeepCopy (line 1311) | func (in *MCPServer) DeepCopy() *MCPServer {
method DeepCopyObject (line 1321) | func (in *MCPServer) DeepCopyObject() runtime.Object {
method DeepCopyInto (line 1329) | func (in *MCPServerEntry) DeepCopyInto(out *MCPServerEntry) {
method DeepCopy (line 1338) | func (in *MCPServerEntry) DeepCopy() *MCPServerEntry {
method DeepCopyObject (line 1348) | func (in *MCPServerEntry) DeepCopyObject() runtime.Object {
method DeepCopyInto (line 1356) | func (in *MCPServerEntryList) DeepCopyInto(out *MCPServerEntryList) {
method DeepCopy (line 1370) | func (in *MCPServerEntryList) DeepCopy() *MCPServerEntryList {
method DeepCopyObject (line 1380) | func (in *MCPServerEntryList) DeepCopyObject() runtime.Object {
method DeepCopyInto (line 1388) | func (in *MCPServerEntrySpec) DeepCopyInto(out *MCPServerEntrySpec) {
method DeepCopy (line 1413) | func (in *MCPServerEntrySpec) DeepCopy() *MCPServerEntrySpec {
method DeepCopyInto (line 1423) | func (in *MCPServerEntryStatus) DeepCopyInto(out *MCPServerEntryStatus) {
method DeepCopy (line 1435) | func (in *MCPServerEntryStatus) DeepCopy() *MCPServerEntryStatus {
method DeepCopyInto (line 1445) | func (in *MCPServerList) DeepCopyInto(out *MCPServerList) {
method DeepCopy (line 1459) | func (in *MCPServerList) DeepCopy() *MCPServerList {
method DeepCopyObject (line 1469) | func (in *MCPServerList) DeepCopyObject() runtime.Object {
method DeepCopyInto (line 1477) | func (in *MCPServerSpec) DeepCopyInto(out *MCPServerSpec) {
method DeepCopy (line 1583) | func (in *MCPServerSpec) DeepCopy() *MCPServerSpec {
method DeepCopyInto (line 1593) | func (in *MCPServerStatus) DeepCopyInto(out *MCPServerStatus) {
method DeepCopy (line 1605) | func (in *MCPServerStatus) DeepCopy() *MCPServerStatus {
method DeepCopyInto (line 1615) | func (in *MCPTelemetryConfig) DeepCopyInto(out *MCPTelemetryConfig) {
method DeepCopy (line 1624) | func (in *MCPTelemetryConfig) DeepCopy() *MCPTelemetryConfig {
method DeepCopyObject (line 1634) | func (in *MCPTelemetryConfig) DeepCopyObject() runtime.Object {
method DeepCopyInto (line 1642) | func (in *MCPTelemetryConfigList) DeepCopyInto(out *MCPTelemetryConfigLi...
method DeepCopy (line 1656) | func (in *MCPTelemetryConfigList) DeepCopy() *MCPTelemetryConfigList {
method DeepCopyObject (line 1666) | func (in *MCPTelemetryConfigList) DeepCopyObject() runtime.Object {
method DeepCopyInto (line 1674) | func (in *MCPTelemetryConfigReference) DeepCopyInto(out *MCPTelemetryCon...
method DeepCopy (line 1679) | func (in *MCPTelemetryConfigReference) DeepCopy() *MCPTelemetryConfigRef...
method DeepCopyInto (line 1689) | func (in *MCPTelemetryConfigSpec) DeepCopyInto(out *MCPTelemetryConfigSp...
method DeepCopy (line 1704) | func (in *MCPTelemetryConfigSpec) DeepCopy() *MCPTelemetryConfigSpec {
method DeepCopyInto (line 1714) | func (in *MCPTelemetryConfigStatus) DeepCopyInto(out *MCPTelemetryConfig...
method DeepCopy (line 1731) | func (in *MCPTelemetryConfigStatus) DeepCopy() *MCPTelemetryConfigStatus {
method DeepCopyInto (line 1741) | func (in *MCPTelemetryOTelConfig) DeepCopyInto(out *MCPTelemetryOTelConf...
method DeepCopy (line 1780) | func (in *MCPTelemetryOTelConfig) DeepCopy() *MCPTelemetryOTelConfig {
method DeepCopyInto (line 1790) | func (in *MCPToolConfig) DeepCopyInto(out *MCPToolConfig) {
method DeepCopy (line 1799) | func (in *MCPToolConfig) DeepCopy() *MCPToolConfig {
method DeepCopyObject (line 1809) | func (in *MCPToolConfig) DeepCopyObject() runtime.Object {
method DeepCopyInto (line 1817) | func (in *MCPToolConfigList) DeepCopyInto(out *MCPToolConfigList) {
method DeepCopy (line 1831) | func (in *MCPToolConfigList) DeepCopy() *MCPToolConfigList {
method DeepCopyObject (line 1841) | func (in *MCPToolConfigList) DeepCopyObject() runtime.Object {
method DeepCopyInto (line 1849) | func (in *MCPToolConfigSpec) DeepCopyInto(out *MCPToolConfigSpec) {
method DeepCopy (line 1866) | func (in *MCPToolConfigSpec) DeepCopy() *MCPToolConfigSpec {
method DeepCopyInto (line 1876) | func (in *MCPToolConfigStatus) DeepCopyInto(out *MCPToolConfigStatus) {
method DeepCopy (line 1893) | func (in *MCPToolConfigStatus) DeepCopy() *MCPToolConfigStatus {
method DeepCopyInto (line 1903) | func (in *ModelCacheConfig) DeepCopyInto(out *ModelCacheConfig) {
method DeepCopy (line 1913) | func (in *ModelCacheConfig) DeepCopy() *ModelCacheConfig {
method DeepCopyInto (line 1923) | func (in *NetworkPermissions) DeepCopyInto(out *NetworkPermissions) {
method DeepCopy (line 1933) | func (in *NetworkPermissions) DeepCopy() *NetworkPermissions {
method DeepCopyInto (line 1943) | func (in *OAuth2UpstreamConfig) DeepCopyInto(out *OAuth2UpstreamConfig) {
method DeepCopy (line 1975) | func (in *OAuth2UpstreamConfig) DeepCopy() *OAuth2UpstreamConfig {
method DeepCopyInto (line 1985) | func (in *OIDCUpstreamConfig) DeepCopyInto(out *OIDCUpstreamConfig) {
method DeepCopy (line 2012) | func (in *OIDCUpstreamConfig) DeepCopy() *OIDCUpstreamConfig {
method DeepCopyInto (line 2022) | func (in *OpenTelemetryMetricsConfig) DeepCopyInto(out *OpenTelemetryMet...
method DeepCopy (line 2027) | func (in *OpenTelemetryMetricsConfig) DeepCopy() *OpenTelemetryMetricsCo...
method DeepCopyInto (line 2037) | func (in *OpenTelemetryTracingConfig) DeepCopyInto(out *OpenTelemetryTra...
method DeepCopy (line 2042) | func (in *OpenTelemetryTracingConfig) DeepCopy() *OpenTelemetryTracingCo...
method DeepCopyInto (line 2052) | func (in *OutboundNetworkPermissions) DeepCopyInto(out *OutboundNetworkP...
method DeepCopy (line 2067) | func (in *OutboundNetworkPermissions) DeepCopy() *OutboundNetworkPermiss...
method DeepCopyInto (line 2077) | func (in *OutgoingAuthConfig) DeepCopyInto(out *OutgoingAuthConfig) {
method DeepCopy (line 2094) | func (in *OutgoingAuthConfig) DeepCopy() *OutgoingAuthConfig {
method DeepCopyInto (line 2104) | func (in *PermissionProfileRef) DeepCopyInto(out *PermissionProfileRef) {
method DeepCopy (line 2109) | func (in *PermissionProfileRef) DeepCopy() *PermissionProfileRef {
method DeepCopyInto (line 2119) | func (in *PermissionProfileSpec) DeepCopyInto(out *PermissionProfileSpec) {
method DeepCopy (line 2139) | func (in *PermissionProfileSpec) DeepCopy() *PermissionProfileSpec {
method DeepCopyInto (line 2149) | func (in *PrometheusConfig) DeepCopyInto(out *PrometheusConfig) {
method DeepCopy (line 2154) | func (in *PrometheusConfig) DeepCopy() *PrometheusConfig {
method DeepCopyInto (line 2164) | func (in *ProxyDeploymentOverrides) DeepCopyInto(out *ProxyDeploymentOve...
method DeepCopy (line 2185) | func (in *ProxyDeploymentOverrides) DeepCopy() *ProxyDeploymentOverrides {
method DeepCopyInto (line 2195) | func (in *RateLimitBucket) DeepCopyInto(out *RateLimitBucket) {
method DeepCopy (line 2201) | func (in *RateLimitBucket) DeepCopy() *RateLimitBucket {
method DeepCopyInto (line 2211) | func (in *RateLimitConfig) DeepCopyInto(out *RateLimitConfig) {
method DeepCopy (line 2233) | func (in *RateLimitConfig) DeepCopy() *RateLimitConfig {
method DeepCopyInto (line 2243) | func (in *RedisACLUserConfig) DeepCopyInto(out *RedisACLUserConfig) {
method DeepCopy (line 2258) | func (in *RedisACLUserConfig) DeepCopy() *RedisACLUserConfig {
method DeepCopyInto (line 2268) | func (in *RedisSentinelConfig) DeepCopyInto(out *RedisSentinelConfig) {
method DeepCopy (line 2283) | func (in *RedisSentinelConfig) DeepCopy() *RedisSentinelConfig {
method DeepCopyInto (line 2293) | func (in *RedisStorageConfig) DeepCopyInto(out *RedisStorageConfig) {
method DeepCopy (line 2318) | func (in *RedisStorageConfig) DeepCopy() *RedisStorageConfig {
method DeepCopyInto (line 2328) | func (in *RedisTLSConfig) DeepCopyInto(out *RedisTLSConfig) {
method DeepCopy (line 2338) | func (in *RedisTLSConfig) DeepCopy() *RedisTLSConfig {
method DeepCopyInto (line 2348) | func (in *ResourceList) DeepCopyInto(out *ResourceList) {
method DeepCopy (line 2353) | func (in *ResourceList) DeepCopy() *ResourceList {
method DeepCopyInto (line 2363) | func (in *ResourceMetadataOverrides) DeepCopyInto(out *ResourceMetadataO...
method DeepCopy (line 2382) | func (in *ResourceMetadataOverrides) DeepCopy() *ResourceMetadataOverrid...
method DeepCopyInto (line 2392) | func (in *ResourceOverrides) DeepCopyInto(out *ResourceOverrides) {
method DeepCopy (line 2407) | func (in *ResourceOverrides) DeepCopy() *ResourceOverrides {
method DeepCopyInto (line 2417) | func (in *ResourceRequirements) DeepCopyInto(out *ResourceRequirements) {
method DeepCopy (line 2424) | func (in *ResourceRequirements) DeepCopy() *ResourceRequirements {
method DeepCopyInto (line 2434) | func (in *RoleMapping) DeepCopyInto(out *RoleMapping) {
method DeepCopy (line 2444) | func (in *RoleMapping) DeepCopy() *RoleMapping {
method DeepCopyInto (line 2454) | func (in *SecretKeyRef) DeepCopyInto(out *SecretKeyRef) {
method DeepCopy (line 2459) | func (in *SecretKeyRef) DeepCopy() *SecretKeyRef {
method DeepCopyInto (line 2469) | func (in *SecretRef) DeepCopyInto(out *SecretRef) {
method DeepCopy (line 2474) | func (in *SecretRef) DeepCopy() *SecretRef {
method DeepCopyInto (line 2484) | func (in *SensitiveHeader) DeepCopyInto(out *SensitiveHeader) {
method DeepCopy (line 2490) | func (in *SensitiveHeader) DeepCopy() *SensitiveHeader {
method DeepCopyInto (line 2500) | func (in *SentinelServiceRef) DeepCopyInto(out *SentinelServiceRef) {
method DeepCopy (line 2505) | func (in *SentinelServiceRef) DeepCopy() *SentinelServiceRef {
method DeepCopyInto (line 2515) | func (in *SessionStorageConfig) DeepCopyInto(out *SessionStorageConfig) {
method DeepCopy (line 2525) | func (in *SessionStorageConfig) DeepCopy() *SessionStorageConfig {
method DeepCopyInto (line 2535) | func (in *TokenExchangeConfig) DeepCopyInto(out *TokenExchangeConfig) {
method DeepCopy (line 2550) | func (in *TokenExchangeConfig) DeepCopy() *TokenExchangeConfig {
method DeepCopyInto (line 2560) | func (in *TokenLifespanConfig) DeepCopyInto(out *TokenLifespanConfig) {
method DeepCopy (line 2565) | func (in *TokenLifespanConfig) DeepCopy() *TokenLifespanConfig {
method DeepCopyInto (line 2575) | func (in *TokenResponseMapping) DeepCopyInto(out *TokenResponseMapping) {
method DeepCopy (line 2580) | func (in *TokenResponseMapping) DeepCopy() *TokenResponseMapping {
method DeepCopyInto (line 2590) | func (in *ToolAnnotationsOverride) DeepCopyInto(out *ToolAnnotationsOver...
method DeepCopy (line 2620) | func (in *ToolAnnotationsOverride) DeepCopy() *ToolAnnotationsOverride {
method DeepCopyInto (line 2630) | func (in *ToolConfigRef) DeepCopyInto(out *ToolConfigRef) {
method DeepCopy (line 2635) | func (in *ToolConfigRef) DeepCopy() *ToolConfigRef {
method DeepCopyInto (line 2645) | func (in *ToolOverride) DeepCopyInto(out *ToolOverride) {
method DeepCopy (line 2655) | func (in *ToolOverride) DeepCopy() *ToolOverride {
method DeepCopyInto (line 2665) | func (in *ToolRateLimitConfig) DeepCopyInto(out *ToolRateLimitConfig) {
method DeepCopy (line 2680) | func (in *ToolRateLimitConfig) DeepCopy() *ToolRateLimitConfig {
method DeepCopyInto (line 2690) | func (in *UpstreamInjectSpec) DeepCopyInto(out *UpstreamInjectSpec) {
method DeepCopy (line 2695) | func (in *UpstreamInjectSpec) DeepCopy() *UpstreamInjectSpec {
method DeepCopyInto (line 2705) | func (in *UpstreamProviderConfig) DeepCopyInto(out *UpstreamProviderConf...
method DeepCopy (line 2720) | func (in *UpstreamProviderConfig) DeepCopy() *UpstreamProviderConfig {
method DeepCopyInto (line 2730) | func (in *UserInfoConfig) DeepCopyInto(out *UserInfoConfig) {
method DeepCopy (line 2747) | func (in *UserInfoConfig) DeepCopy() *UserInfoConfig {
method DeepCopyInto (line 2757) | func (in *UserInfoFieldMapping) DeepCopyInto(out *UserInfoFieldMapping) {
method DeepCopy (line 2777) | func (in *UserInfoFieldMapping) DeepCopy() *UserInfoFieldMapping {
method DeepCopyInto (line 2787) | func (in *VirtualMCPCompositeToolDefinition) DeepCopyInto(out *VirtualMC...
method DeepCopy (line 2796) | func (in *VirtualMCPCompositeToolDefinition) DeepCopy() *VirtualMCPCompo...
method DeepCopyObject (line 2806) | func (in *VirtualMCPCompositeToolDefinition) DeepCopyObject() runtime.Ob...
method DeepCopyInto (line 2814) | func (in *VirtualMCPCompositeToolDefinitionList) DeepCopyInto(out *Virtu...
method DeepCopy (line 2828) | func (in *VirtualMCPCompositeToolDefinitionList) DeepCopy() *VirtualMCPC...
method DeepCopyObject (line 2838) | func (in *VirtualMCPCompositeToolDefinitionList) DeepCopyObject() runtim...
method DeepCopyInto (line 2846) | func (in *VirtualMCPCompositeToolDefinitionSpec) DeepCopyInto(out *Virtu...
method DeepCopy (line 2852) | func (in *VirtualMCPCompositeToolDefinitionSpec) DeepCopy() *VirtualMCPC...
method DeepCopyInto (line 2862) | func (in *VirtualMCPCompositeToolDefinitionStatus) DeepCopyInto(out *Vir...
method DeepCopy (line 2884) | func (in *VirtualMCPCompositeToolDefinitionStatus) DeepCopy() *VirtualMC...
method DeepCopyInto (line 2894) | func (in *VirtualMCPServer) DeepCopyInto(out *VirtualMCPServer) {
method DeepCopy (line 2903) | func (in *VirtualMCPServer) DeepCopy() *VirtualMCPServer {
method DeepCopyObject (line 2913) | func (in *VirtualMCPServer) DeepCopyObject() runtime.Object {
method DeepCopyInto (line 2921) | func (in *VirtualMCPServerList) DeepCopyInto(out *VirtualMCPServerList) {
method DeepCopy (line 2935) | func (in *VirtualMCPServerList) DeepCopy() *VirtualMCPServerList {
method DeepCopyObject (line 2945) | func (in *VirtualMCPServerList) DeepCopyObject() runtime.Object {
method DeepCopyInto (line 2953) | func (in *VirtualMCPServerSpec) DeepCopyInto(out *VirtualMCPServerSpec) {
method DeepCopy (line 3014) | func (in *VirtualMCPServerSpec) DeepCopy() *VirtualMCPServerSpec {
method DeepCopyInto (line 3024) | func (in *VirtualMCPServerStatus) DeepCopyInto(out *VirtualMCPServerStat...
method DeepCopy (line 3043) | func (in *VirtualMCPServerStatus) DeepCopy() *VirtualMCPServerStatus {
method DeepCopyInto (line 3053) | func (in *Volume) DeepCopyInto(out *Volume) {
method DeepCopy (line 3058) | func (in *Volume) DeepCopy() *Volume {
method DeepCopyInto (line 3068) | func (in *WorkloadReference) DeepCopyInto(out *WorkloadReference) {
method DeepCopy (line 3073) | func (in *WorkloadReference) DeepCopy() *WorkloadReference {
FILE: cmd/thv-operator/controllers/embeddingserver_controller.go
type EmbeddingServerReconciler (line 36) | type EmbeddingServerReconciler struct
method Reconcile (line 74) | func (r *EmbeddingServerReconciler) Reconcile(ctx context.Context, req...
method performValidations (line 136) | func (r *EmbeddingServerReconciler) performValidations(
method handleDeletion (line 158) | func (r *EmbeddingServerReconciler) handleDeletion(
method ensureFinalizer (line 181) | func (r *EmbeddingServerReconciler) ensureFinalizer(
method ensureStatefulSet (line 198) | func (r *EmbeddingServerReconciler) ensureStatefulSet(
method ensureService (line 259) | func (r *EmbeddingServerReconciler) ensureService(
method serviceNeedsUpdate (line 307) | func (*EmbeddingServerReconciler) serviceNeedsUpdate(
method validateAndUpdatePodTemplateStatus (line 352) | func (r *EmbeddingServerReconciler) validateAndUpdatePodTemplateStatus(
method statefulSetForEmbedding (line 406) | func (r *EmbeddingServerReconciler) statefulSetForEmbedding(
method buildVolumeClaimTemplates (line 463) | func (r *EmbeddingServerReconciler) buildVolumeClaimTemplates(
method buildEmbeddingContainer (line 512) | func (r *EmbeddingServerReconciler) buildEmbeddingContainer(embedding ...
method buildEnvVars (line 562) | func (*EmbeddingServerReconciler) buildEnvVars(embedding *mcpv1beta1.E...
method buildLivenessProbe (line 595) | func (*EmbeddingServerReconciler) buildLivenessProbe(embedding *mcpv1b...
method buildReadinessProbe (line 611) | func (*EmbeddingServerReconciler) buildReadinessProbe(embedding *mcpv1...
method applyResourceRequirements (line 627) | func (*EmbeddingServerReconciler) applyResourceRequirements(embedding ...
method buildPodTemplate (line 660) | func (r *EmbeddingServerReconciler) buildPodTemplate(
method applyPodTemplateSpecToStatefulSet (line 696) | func (*EmbeddingServerReconciler) applyPodTemplateSpecToStatefulSet(
method applyStatefulSetOverrides (line 739) | func (*EmbeddingServerReconciler) applyStatefulSetOverrides(
method serviceForEmbedding (line 777) | func (r *EmbeddingServerReconciler) serviceForEmbedding(
method labelsForEmbedding (line 824) | func (*EmbeddingServerReconciler) labelsForEmbedding(embedding *mcpv1b...
method statefulSetNeedsUpdate (line 834) | func (r *EmbeddingServerReconciler) statefulSetNeedsUpdate(
method statefulSetMetadataChanged (line 870) | func (*EmbeddingServerReconciler) statefulSetMetadataChanged(currentSt...
method findEmbeddingContainers (line 884) | func (*EmbeddingServerReconciler) findEmbeddingContainers(
method containerNeedsUpdate (line 907) | func (*EmbeddingServerReconciler) containerNeedsUpdate(existingContain...
method podTemplateMetadataChanged (line 930) | func (*EmbeddingServerReconciler) podTemplateMetadataChanged(currentSt...
method updateEmbeddingServerStatus (line 941) | func (r *EmbeddingServerReconciler) updateEmbeddingServerStatus(
method finalizeEmbeddingServer (line 1006) | func (r *EmbeddingServerReconciler) finalizeEmbeddingServer(ctx contex...
method SetupWithManager (line 1023) | func (r *EmbeddingServerReconciler) SetupWithManager(mgr ctrl.Manager)...
constant embeddingContainerName (line 52) | embeddingContainerName = "embedding"
constant embeddingFinalizerName (line 55) | embeddingFinalizerName = "embeddingserver.toolhive.stacklok.dev/finalizer"
constant modelCacheMountPath (line 58) | modelCacheMountPath = "/data"
FILE: cmd/thv-operator/controllers/embeddingserver_controller_test.go
constant testNamespaceDefault (line 27) | testNamespaceDefault = "default"
function TestEmbeddingServer_GetPort (line 29) | func TestEmbeddingServer_GetPort(t *testing.T) {
function TestEmbeddingServer_GetReplicas (line 64) | func TestEmbeddingServer_GetReplicas(t *testing.T) {
function TestEmbeddingServer_IsModelCacheEnabled (line 100) | func TestEmbeddingServer_IsModelCacheEnabled(t *testing.T) {
function TestEmbeddingServer_GetImagePullPolicy (line 144) | func TestEmbeddingServer_GetImagePullPolicy(t *testing.T) {
function TestEmbeddingServerPodTemplateSpecValidation (line 189) | func TestEmbeddingServerPodTemplateSpecValidation(t *testing.T) {
function TestEmbeddingServer_Labels (line 239) | func TestEmbeddingServer_Labels(t *testing.T) {
function TestEmbeddingServer_ModelCacheConfig (line 260) | func TestEmbeddingServer_ModelCacheConfig(t *testing.T) {
function createEmbeddingServerTestScheme (line 334) | func createEmbeddingServerTestScheme() *runtime.Scheme {
function createTestEmbeddingServer (line 342) | func createTestEmbeddingServer(name, namespace, image, model string) *mc...
function TestReconcile_NotFound (line 357) | func TestReconcile_NotFound(t *testing.T) {
function TestReconcile_CreateResources (line 384) | func TestReconcile_CreateResources(t *testing.T) {
function TestStatefulSetNeedsUpdate (line 446) | func TestStatefulSetNeedsUpdate(t *testing.T) {
function TestHandleDeletion (line 515) | func TestHandleDeletion(t *testing.T) {
function TestEnsureStatefulSet (line 615) | func TestEnsureStatefulSet(t *testing.T) {
function TestUpdateEmbeddingServerStatus (line 716) | func TestUpdateEmbeddingServerStatus(t *testing.T) {
function TestEmbeddingServer_PodTemplateSpec_PreservesUserFields (line 816) | func TestEmbeddingServer_PodTemplateSpec_PreservesUserFields(t *testing....
function TestEmbeddingServer_PodTemplateSpec_SoftFailFallback (line 1076) | func TestEmbeddingServer_PodTemplateSpec_SoftFailFallback(t *testing.T) {
function TestEmbeddingServer_PodTemplateSpec_EmptyObjectIsNoOp (line 1133) | func TestEmbeddingServer_PodTemplateSpec_EmptyObjectIsNoOp(t *testing.T) {
FILE: cmd/thv-operator/controllers/embeddingserver_default_imagepullsecrets_test.go
function TestEmbeddingServer_DefaultImagePullSecrets (line 25) | func TestEmbeddingServer_DefaultImagePullSecrets(t *testing.T) {
FILE: cmd/thv-operator/controllers/helpers_test.go
constant conditionTypeValid (line 18) | conditionTypeValid = mcpv1beta1.ConditionTypeValid
function podTemplateSpecToRawExtension (line 21) | func podTemplateSpecToRawExtension(t *testing.T, pts *corev1.PodTemplate...
FILE: cmd/thv-operator/controllers/mcpexternalauthconfig_controller.go
constant ExternalAuthConfigFinalizerName (line 29) | ExternalAuthConfigFinalizerName = "mcpexternalauthconfig.toolhive.stackl...
constant externalAuthConfigRequeueDelay (line 32) | externalAuthConfigRequeueDelay = 500 * time.Millisecond
constant authServerRefKindMCPExternalAuthConfig (line 36) | authServerRefKindMCPExternalAuthConfig = "MCPExternalAuthConfig"
type MCPExternalAuthConfigReconciler (line 40) | type MCPExternalAuthConfigReconciler struct
method Reconcile (line 52) | func (r *MCPExternalAuthConfigReconciler) Reconcile(ctx context.Contex...
method calculateConfigHash (line 149) | func (*MCPExternalAuthConfigReconciler) calculateConfigHash(spec mcpv1...
method applyIdentitySynthesizedCondition (line 158) | func (*MCPExternalAuthConfigReconciler) applyIdentitySynthesizedCondit...
method handleConfigHashChange (line 191) | func (r *MCPExternalAuthConfigReconciler) handleConfigHashChange(
method handleDeletion (line 247) | func (r *MCPExternalAuthConfigReconciler) handleDeletion(
method findReferencingMCPServers (line 299) | func (r *MCPExternalAuthConfigReconciler) findReferencingMCPServers(
method findReferencingMCPRemoteProxies (line 345) | func (r *MCPExternalAuthConfigReconciler) findReferencingMCPRemoteProx...
method findReferencingWorkloads (line 391) | func (r *MCPExternalAuthConfigReconciler) findReferencingWorkloads(
method SetupWithManager (line 418) | func (r *MCPExternalAuthConfigReconciler) SetupWithManager(mgr ctrl.Ma...
method mapMCPServerToExternalAuthConfig (line 435) | func (r *MCPExternalAuthConfigReconciler) mapMCPServerToExternalAuthCo...
method mapMCPRemoteProxyToExternalAuthConfig (line 494) | func (r *MCPExternalAuthConfigReconciler) mapMCPRemoteProxyToExternalA...
method updateReferencingWorkloads (line 551) | func (r *MCPExternalAuthConfigReconciler) updateReferencingWorkloads(
function GetExternalAuthConfigForMCPServer (line 576) | func GetExternalAuthConfigForMCPServer(
FILE: cmd/thv-operator/controllers/mcpexternalauthconfig_controller_test.go
function TestMCPExternalAuthConfigReconciler_calculateConfigHash (line 23) | func TestMCPExternalAuthConfigReconciler_calculateConfigHash(t *testing....
function TestMCPExternalAuthConfigReconciler_Reconcile (line 121) | func TestMCPExternalAuthConfigReconciler_Reconcile(t *testing.T) {
function TestMCPExternalAuthConfigReconciler_findReferencingWorkloads (line 265) | func TestMCPExternalAuthConfigReconciler_findReferencingWorkloads(t *tes...
function TestGetExternalAuthConfigForMCPServer (line 347) | func TestGetExternalAuthConfigForMCPServer(t *testing.T) {
function TestMCPExternalAuthConfigReconciler_handleDeletion (line 462) | func TestMCPExternalAuthConfigReconciler_handleDeletion(t *testing.T) {
function TestMCPExternalAuthConfigReconciler_ConfigChangeTriggersReconciliation (line 591) | func TestMCPExternalAuthConfigReconciler_ConfigChangeTriggersReconciliat...
function TestMCPExternalAuthConfigReconciler_ReferencingWorkloadsUpdatedWithoutHashChange (line 698) | func TestMCPExternalAuthConfigReconciler_ReferencingWorkloadsUpdatedWith...
function TestMCPExternalAuthConfigReconciler_ReferencingWorkloadsRemovedOnServerDeletion (line 786) | func TestMCPExternalAuthConfigReconciler_ReferencingWorkloadsRemovedOnSe...
function TestMCPExternalAuthConfigReconciler_findReferencingWorkloads_authServerRef (line 874) | func TestMCPExternalAuthConfigReconciler_findReferencingWorkloads_authSe...
function TestMCPExternalAuthConfigReconciler_findReferencingWorkloads_bothRefsOnSameServer (line 960) | func TestMCPExternalAuthConfigReconciler_findReferencingWorkloads_bothRe...
function TestMCPExternalAuthConfigReconciler_findReferencingMCPServers_deduplicates (line 1063) | func TestMCPExternalAuthConfigReconciler_findReferencingMCPServers_dedup...
function TestMCPExternalAuthConfigReconciler_findReferencingWorkloads_mcpRemoteProxy (line 1124) | func TestMCPExternalAuthConfigReconciler_findReferencingWorkloads_mcpRem...
function TestMCPExternalAuthConfigReconciler_IdentitySynthesizedCondition (line 1229) | func TestMCPExternalAuthConfigReconciler_IdentitySynthesizedCondition(t ...
function TestMCPExternalAuthConfigReconciler_IdentitySynthesizedTransitionsOnValidationFailure (line 1374) | func TestMCPExternalAuthConfigReconciler_IdentitySynthesizedTransitionsO...
function findCondition (line 1467) | func findCondition(conditions []metav1.Condition, t string) *metav1.Cond...
FILE: cmd/thv-operator/controllers/mcpgroup_controller.go
constant MCPGroupFinalizerName (line 26) | MCPGroupFinalizerName = "toolhive.stacklok.dev/mcpgroup-finalizer"
type MCPGroupReconciler (line 30) | type MCPGroupReconciler struct
method Reconcile (line 46) | func (r *MCPGroupReconciler) Reconcile(ctx context.Context, req ctrl.R...
method updateGroupMemberStatus (line 87) | func (r *MCPGroupReconciler) updateGroupMemberStatus(
method handleListFailure (line 150) | func (r *MCPGroupReconciler) handleListFailure(
method populateServerStatus (line 189) | func (*MCPGroupReconciler) populateServerStatus(
method populateRemoteProxyStatus (line 206) | func (*MCPGroupReconciler) populateRemoteProxyStatus(
method populateEntryStatus (line 223) | func (*MCPGroupReconciler) populateEntryStatus(
method handleDeletion (line 240) | func (r *MCPGroupReconciler) handleDeletion(ctx context.Context, mcpGr...
method findReferencingMCPServers (line 300) | func (r *MCPGroupReconciler) findReferencingMCPServers(
method findReferencingMCPRemoteProxies (line 316) | func (r *MCPGroupReconciler) findReferencingMCPRemoteProxies(
method findReferencingMCPServerEntries (line 332) | func (r *MCPGroupReconciler) findReferencingMCPServerEntries(
method updateReferencingServersOnDeletion (line 348) | func (r *MCPGroupReconciler) updateReferencingServersOnDeletion(
method updateReferencingRemoteProxiesOnDeletion (line 375) | func (r *MCPGroupReconciler) updateReferencingRemoteProxiesOnDeletion(
method updateReferencingEntriesOnDeletion (line 402) | func (r *MCPGroupReconciler) updateReferencingEntriesOnDeletion(
method findMCPGroupForMCPServer (line 425) | func (r *MCPGroupReconciler) findMCPGroupForMCPServer(ctx context.Cont...
method findMCPGroupForMCPRemoteProxy (line 464) | func (r *MCPGroupReconciler) findMCPGroupForMCPRemoteProxy(ctx context...
method findMCPGroupForMCPServerEntry (line 505) | func (r *MCPGroupReconciler) findMCPGroupForMCPServerEntry(ctx context...
method SetupWithManager (line 541) | func (r *MCPGroupReconciler) SetupWithManager(mgr ctrl.Manager) error {
FILE: cmd/thv-operator/controllers/mcpgroup_controller_test.go
constant testGroupName (line 24) | testGroupName = "test-group"
function TestMCPGroupReconciler_Reconcile_BasicLogic (line 29) | func TestMCPGroupReconciler_Reconcile_BasicLogic(t *testing.T) {
function TestMCPGroupReconciler_ServerFiltering (line 252) | func TestMCPGroupReconciler_ServerFiltering(t *testing.T) {
function TestMCPGroupReconciler_findMCPGroupForMCPServer (line 400) | func TestMCPGroupReconciler_findMCPGroupForMCPServer(t *testing.T) {
function TestMCPGroupReconciler_GroupNotFound (line 571) | func TestMCPGroupReconciler_GroupNotFound(t *testing.T) {
function TestMCPGroupReconciler_Conditions (line 622) | func TestMCPGroupReconciler_Conditions(t *testing.T) {
function TestMCPGroupReconciler_Finalizer (line 759) | func TestMCPGroupReconciler_Finalizer(t *testing.T) {
function TestMCPGroupReconciler_Deletion (line 830) | func TestMCPGroupReconciler_Deletion(t *testing.T) {
function TestMCPGroupReconciler_findReferencingMCPServers (line 992) | func TestMCPGroupReconciler_findReferencingMCPServers(t *testing.T) {
function TestMCPGroupReconciler_findReferencingMCPRemoteProxies (line 1123) | func TestMCPGroupReconciler_findReferencingMCPRemoteProxies(t *testing.T) {
function TestMCPGroupReconciler_findMCPGroupForMCPRemoteProxy (line 1262) | func TestMCPGroupReconciler_findMCPGroupForMCPRemoteProxy(t *testing.T) {
function TestMCPGroupReconciler_updateReferencingRemoteProxiesOnDeletion (line 1429) | func TestMCPGroupReconciler_updateReferencingRemoteProxiesOnDeletion(t *...
FILE: cmd/thv-operator/controllers/mcpoidcconfig_controller.go
constant OIDCConfigFinalizerName (line 29) | OIDCConfigFinalizerName = "mcpoidcconfig.toolhive.stacklok.dev/finalizer"
constant oidcConfigRequeueDelay (line 32) | oidcConfigRequeueDelay = 500 * time.Millisecond
type MCPOIDCConfigReconciler (line 40) | type MCPOIDCConfigReconciler struct
method Reconcile (line 53) | func (r *MCPOIDCConfigReconciler) Reconcile(ctx context.Context, req c...
method calculateConfigHash (line 149) | func (*MCPOIDCConfigReconciler) calculateConfigHash(spec mcpv1beta1.MC...
method handleDeletion (line 157) | func (r *MCPOIDCConfigReconciler) handleDeletion(
method findReferencingWorkloads (line 205) | func (r *MCPOIDCConfigReconciler) findReferencingWorkloads(
method SetupWithManager (line 251) | func (r *MCPOIDCConfigReconciler) SetupWithManager(mgr ctrl.Manager) e...
method mapVirtualMCPServerToOIDCConfig (line 318) | func (r *MCPOIDCConfigReconciler) mapVirtualMCPServerToOIDCConfig(
method mapMCPRemoteProxyToOIDCConfig (line 365) | func (r *MCPOIDCConfigReconciler) mapMCPRemoteProxyToOIDCConfig(
FILE: cmd/thv-operator/controllers/mcpoidcconfig_controller_test.go
function TestMCPOIDCConfigReconciler_calculateConfigHash (line 23) | func TestMCPOIDCConfigReconciler_calculateConfigHash(t *testing.T) {
function TestMCPOIDCConfigReconciler_ReconcileNotFound (line 90) | func TestMCPOIDCConfigReconciler_ReconcileNotFound(t *testing.T) {
function TestMCPOIDCConfigReconciler_SteadyStateNoOp (line 120) | func TestMCPOIDCConfigReconciler_SteadyStateNoOp(t *testing.T) {
function TestMCPOIDCConfigReconciler_ValidationRecovery (line 189) | func TestMCPOIDCConfigReconciler_ValidationRecovery(t *testing.T) {
function TestMCPOIDCConfigReconciler_handleDeletion (line 277) | func TestMCPOIDCConfigReconciler_handleDeletion(t *testing.T) {
function TestMCPOIDCConfigReconciler_ConfigChangeTriggersHashUpdate (line 341) | func TestMCPOIDCConfigReconciler_ConfigChangeTriggersHashUpdate(t *testi...
function TestMCPOIDCConfigReconciler_ValidationFailureSetsCondition (line 419) | func TestMCPOIDCConfigReconciler_ValidationFailureSetsCondition(t *testi...
function TestMCPOIDCConfig_Validate (line 481) | func TestMCPOIDCConfig_Validate(t *testing.T) {
FILE: cmd/thv-operator/controllers/mcpregistry_controller.go
constant DefaultControllerRetryAfterConstant (line 33) | DefaultControllerRetryAfterConstant = time.Minute * 5
type MCPRegistryReconciler (line 44) | type MCPRegistryReconciler struct
method Reconcile (line 92) | func (r *MCPRegistryReconciler) Reconcile(ctx context.Context, req ctr...
method SetupWithManager (line 224) | func (r *MCPRegistryReconciler) SetupWithManager(mgr ctrl.Manager) err...
method updateRegistryStatus (line 239) | func (r *MCPRegistryReconciler) updateRegistryStatus(
method finalizeMCPRegistry (line 308) | func (r *MCPRegistryReconciler) finalizeMCPRegistry(ctx context.Contex...
method validatePodTemplate (line 450) | func (*MCPRegistryReconciler) validatePodTemplate(
function NewMCPRegistryReconciler (line 55) | func NewMCPRegistryReconciler(
function setRegistryReadyCondition (line 297) | func setRegistryReadyCondition(registry *mcpv1beta1.MCPRegistry, status ...
function validateSpec (line 330) | func validateSpec(mcpRegistry *mcpv1beta1.MCPRegistry) error {
function validatePGPassSecretRef (line 354) | func validatePGPassSecretRef(ref *corev1.SecretKeySelector) error {
function validateReservedNames (line 369) | func validateReservedNames(spec *mcpv1beta1.MCPRegistrySpec, userPTS *co...
function validateMountPathCollisions (line 411) | func validateMountPathCollisions(spec *mcpv1beta1.MCPRegistrySpec, userP...
FILE: cmd/thv-operator/controllers/mcpregistry_controller_test.go
function toRawJSONSlice (line 34) | func toRawJSONSlice[T any](t *testing.T, items []T) []apiextensionsv1.JS...
function newMCPRegistryTestScheme (line 46) | func newMCPRegistryTestScheme(t *testing.T) *runtime.Scheme {
function newMCPRegistryWithFinalizer (line 58) | func newMCPRegistryWithFinalizer(name, namespace string) *mcpv1beta1.MCP...
function TestMCPRegistryReconciler_Reconcile (line 71) | func TestMCPRegistryReconciler_Reconcile(t *testing.T) {
function TestValidateSpec (line 448) | func TestValidateSpec(t *testing.T) {
FILE: cmd/thv-operator/controllers/mcpremoteproxy_authserverref_test.go
function TestMCPRemoteProxyReconciler_handleAuthServerRef (line 22) | func TestMCPRemoteProxyReconciler_handleAuthServerRef(t *testing.T) {
FILE: cmd/thv-operator/controllers/mcpremoteproxy_controller.go
type MCPRemoteProxyReconciler (line 40) | type MCPRemoteProxyReconciler struct
method Reconcile (line 69) | func (r *MCPRemoteProxyReconciler) Reconcile(ctx context.Context, req ...
method validateAndHandleConfigs (line 104) | func (r *MCPRemoteProxyReconciler) validateAndHandleConfigs(ctx contex...
method ensureAllResources (line 181) | func (r *MCPRemoteProxyReconciler) ensureAllResources(ctx context.Cont...
method ensureAuthzConfigMapForProxy (line 221) | func (r *MCPRemoteProxyReconciler) ensureAuthzConfigMapForProxy(ctx co...
method getRunConfigChecksum (line 231) | func (r *MCPRemoteProxyReconciler) getRunConfigChecksum(
method ensureDeployment (line 253) | func (r *MCPRemoteProxyReconciler) ensureDeployment(
method ensureService (line 318) | func (r *MCPRemoteProxyReconciler) ensureService(
method ensureServiceURL (line 366) | func (r *MCPRemoteProxyReconciler) ensureServiceURL(ctx context.Contex...
method validateSpec (line 376) | func (r *MCPRemoteProxyReconciler) validateSpec(ctx context.Context, p...
method failValidation (line 423) | func (r *MCPRemoteProxyReconciler) failValidation(proxy *mcpv1beta1.MC...
method recordValidationEvent (line 430) | func (r *MCPRemoteProxyReconciler) recordValidationEvent(proxy *mcpv1b...
method validateAuthzPolicySyntax (line 448) | func (*MCPRemoteProxyReconciler) validateAuthzPolicySyntax(
method validateK8sRefs (line 460) | func (r *MCPRemoteProxyReconciler) validateK8sRefs(
method handleToolConfig (line 542) | func (r *MCPRemoteProxyReconciler) handleToolConfig(ctx context.Contex...
method handleTelemetryConfig (line 607) | func (r *MCPRemoteProxyReconciler) handleTelemetryConfig(ctx context.C...
method handleExternalAuthConfig (line 697) | func (r *MCPRemoteProxyReconciler) handleExternalAuthConfig(ctx contex...
method handleAuthServerRef (line 780) | func (r *MCPRemoteProxyReconciler) handleAuthServerRef(ctx context.Con...
method handleOIDCConfig (line 891) | func (r *MCPRemoteProxyReconciler) handleOIDCConfig(ctx context.Contex...
method fetchAndValidateOIDCConfig (line 953) | func (r *MCPRemoteProxyReconciler) fetchAndValidateOIDCConfig(
method updateOIDCConfigReferencingWorkloads (line 1011) | func (r *MCPRemoteProxyReconciler) updateOIDCConfigReferencingWorkloads(
method validateGroupRef (line 1040) | func (r *MCPRemoteProxyReconciler) validateGroupRef(ctx context.Contex...
method ensureRBACResources (line 1084) | func (r *MCPRemoteProxyReconciler) ensureRBACResources(ctx context.Con...
method imagePullSecretsForRemoteProxy (line 1111) | func (r *MCPRemoteProxyReconciler) imagePullSecretsForRemoteProxy(
method updateMCPRemoteProxyStatus (line 1122) | func (r *MCPRemoteProxyReconciler) updateMCPRemoteProxyStatus(ctx cont...
method deploymentNeedsUpdate (line 1244) | func (r *MCPRemoteProxyReconciler) deploymentNeedsUpdate(
method containerNeedsUpdate (line 1281) | func (r *MCPRemoteProxyReconciler) containerNeedsUpdate(
method deploymentMetadataNeedsUpdate (line 1340) | func (*MCPRemoteProxyReconciler) deploymentMetadataNeedsUpdate(
method podTemplateMetadataNeedsUpdate (line 1379) | func (r *MCPRemoteProxyReconciler) podTemplateMetadataNeedsUpdate(
method podSpecNeedsUpdate (line 1409) | func (r *MCPRemoteProxyReconciler) podSpecNeedsUpdate(
method serviceNeedsUpdate (line 1419) | func (*MCPRemoteProxyReconciler) serviceNeedsUpdate(service *corev1.Se...
method mapOIDCConfigToMCPRemoteProxy (line 1462) | func (r *MCPRemoteProxyReconciler) mapOIDCConfigToMCPRemoteProxy(
method mapTelemetryConfigToMCPRemoteProxy (line 1495) | func (r *MCPRemoteProxyReconciler) mapTelemetryConfigToMCPRemoteProxy(
method SetupWithManager (line 1526) | func (r *MCPRemoteProxyReconciler) SetupWithManager(mgr ctrl.Manager) ...
function setConfigurationInvalidCondition (line 437) | func setConfigurationInvalidCondition(proxy *mcpv1beta1.MCPRemoteProxy, ...
function labelsForMCPRemoteProxy (line 1200) | func labelsForMCPRemoteProxy(name string) map[string]string {
function proxyRunnerServiceAccountNameForRemoteProxy (line 1212) | func proxyRunnerServiceAccountNameForRemoteProxy(proxyName string) string {
function serviceAccountNameForRemoteProxy (line 1218) | func serviceAccountNameForRemoteProxy(proxy *mcpv1beta1.MCPRemoteProxy) ...
function createProxyServiceName (line 1227) | func createProxyServiceName(proxyName string) string {
function createProxyServiceURL (line 1232) | func createProxyServiceURL(proxyName, namespace string, port int32) stri...
FILE: cmd/thv-operator/controllers/mcpremoteproxy_controller_test.go
function TestMCPRemoteProxyValidateSpec (line 41) | func TestMCPRemoteProxyValidateSpec(t *testing.T) {
function TestMCPRemoteProxyReconcile_CreateResources (line 130) | func TestMCPRemoteProxyReconcile_CreateResources(t *testing.T) {
function TestMCPRemoteProxyReconcile_NotFound (line 225) | func TestMCPRemoteProxyReconcile_NotFound(t *testing.T) {
function TestHandleToolConfig (line 251) | func TestHandleToolConfig(t *testing.T) {
function TestHandleExternalAuthConfig (line 498) | func TestHandleExternalAuthConfig(t *testing.T) {
function TestLabelsForMCPRemoteProxy (line 800) | func TestLabelsForMCPRemoteProxy(t *testing.T) {
function TestServiceNameGeneration (line 816) | func TestServiceNameGeneration(t *testing.T) {
function TestEnsureRBACResources (line 850) | func TestEnsureRBACResources(t *testing.T) {
function TestMCPRemoteProxyEnsureRBACResources_Update (line 909) | func TestMCPRemoteProxyEnsureRBACResources_Update(t *testing.T) {
function TestMCPRemoteProxyEnsureRBACResources_Idempotency (line 992) | func TestMCPRemoteProxyEnsureRBACResources_Idempotency(t *testing.T) {
function TestMCPRemoteProxyEnsureRBACResources_CustomServiceAccount (line 1053) | func TestMCPRemoteProxyEnsureRBACResources_CustomServiceAccount(t *testi...
function TestMCPRemoteProxyEnsureRBACResources_ImagePullSecrets (line 1114) | func TestMCPRemoteProxyEnsureRBACResources_ImagePullSecrets(t *testing.T) {
function TestUpdateMCPRemoteProxyStatus (line 1174) | func TestUpdateMCPRemoteProxyStatus(t *testing.T) {
function TestGetToolConfigForMCPRemoteProxy (line 1311) | func TestGetToolConfigForMCPRemoteProxy(t *testing.T) {
function TestGetExternalAuthConfigForMCPRemoteProxy (line 1349) | func TestGetExternalAuthConfigForMCPRemoteProxy(t *testing.T) {
FILE: cmd/thv-operator/controllers/mcpremoteproxy_default_imagepullsecrets_test.go
function TestMCPRemoteProxy_DefaultImagePullSecrets (line 29) | func TestMCPRemoteProxy_DefaultImagePullSecrets(t *testing.T) {
FILE: cmd/thv-operator/controllers/mcpremoteproxy_deployment.go
method deploymentForMCPRemoteProxy (line 24) | func (r *MCPRemoteProxyReconciler) deploymentForMCPRemoteProxy(
method buildContainerArgs (line 104) | func (*MCPRemoteProxyReconciler) buildContainerArgs() []string {
method buildVolumesForProxy (line 113) | func (*MCPRemoteProxyReconciler) buildVolumesForProxy(
method addTelemetryCABundleVolumes (line 150) | func (r *MCPRemoteProxyReconciler) addTelemetryCABundleVolumes(
method buildEnvVarsForProxy (line 172) | func (r *MCPRemoteProxyReconciler) buildEnvVarsForProxy(
method buildOIDCClientSecretEnvVars (line 240) | func (r *MCPRemoteProxyReconciler) buildOIDCClientSecretEnvVars(
function buildHeaderForwardSecretEnvVars (line 272) | func buildHeaderForwardSecretEnvVars(proxy *mcpv1beta1.MCPRemoteProxy) [...
method buildDeploymentMetadata (line 300) | func (*MCPRemoteProxyReconciler) buildDeploymentMetadata(
method buildPodTemplateMetadata (line 328) | func (*MCPRemoteProxyReconciler) buildPodTemplateMetadata(
method buildSecurityContexts (line 355) | func (r *MCPRemoteProxyReconciler) buildSecurityContexts(
method buildContainerPorts (line 373) | func (*MCPRemoteProxyReconciler) buildContainerPorts(proxy *mcpv1beta1.M...
method serviceForMCPRemoteProxy (line 382) | func (r *MCPRemoteProxyReconciler) serviceForMCPRemoteProxy(
method buildServiceMetadata (line 426) | func (*MCPRemoteProxyReconciler) buildServiceMetadata(
FILE: cmd/thv-operator/controllers/mcpremoteproxy_deployment_test.go
function TestDeploymentForMCPRemoteProxy (line 36) | func TestDeploymentForMCPRemoteProxy(t *testing.T) {
function TestServiceForMCPRemoteProxy (line 220) | func TestServiceForMCPRemoteProxy(t *testing.T) {
function TestBuildResourceRequirements (line 327) | func TestBuildResourceRequirements(t *testing.T) {
function TestBuildHeaderForwardSecretEnvVars (line 380) | func TestBuildHeaderForwardSecretEnvVars(t *testing.T) {
function TestBuildHealthProbe (line 523) | func TestBuildHealthProbe(t *testing.T) {
function TestEnsureDeployment (line 539) | func TestEnsureDeployment(t *testing.T) {
function TestEnsureService (line 643) | func TestEnsureService(t *testing.T) {
function TestMCPRemoteProxyDeploymentNeedsUpdate_EmbeddedAuthLegacyEnvStable (line 703) | func TestMCPRemoteProxyDeploymentNeedsUpdate_EmbeddedAuthLegacyEnvStable...
function TestMCPRemoteProxyDeploymentNeedsUpdate_EmbeddedAuthAuthServerRefEnvStable (line 765) | func TestMCPRemoteProxyDeploymentNeedsUpdate_EmbeddedAuthAuthServerRefEn...
function TestMCPRemoteProxyDeploymentNeedsUpdate_TokenExchangeDoesNotDrift (line 828) | func TestMCPRemoteProxyDeploymentNeedsUpdate_TokenExchangeDoesNotDrift(t...
function TestMCPRemoteProxyDeploymentNeedsUpdate_ImagePullSecretsDrift (line 883) | func TestMCPRemoteProxyDeploymentNeedsUpdate_ImagePullSecretsDrift(t *te...
function TestBuildEnvVarsForProxy (line 982) | func TestBuildEnvVarsForProxy(t *testing.T) {
function TestMCPRemoteProxyServiceNeedsUpdate (line 1222) | func TestMCPRemoteProxyServiceNeedsUpdate(t *testing.T) {
FILE: cmd/thv-operator/controllers/mcpremoteproxy_reconciler_test.go
function TestMCPRemoteProxyFullReconciliation (line 42) | func TestMCPRemoteProxyFullReconciliation(t *testing.T) {
function TestMCPRemoteProxyConfigChangePropagation (line 315) | func TestMCPRemoteProxyConfigChangePropagation(t *testing.T) {
function TestMCPRemoteProxyStatusProgression (line 402) | func TestMCPRemoteProxyStatusProgression(t *testing.T) {
function TestCommonHelpers (line 487) | func TestCommonHelpers(t *testing.T) {
function TestEnsureAuthzConfigMapShared (line 552) | func TestEnsureAuthzConfigMapShared(t *testing.T) {
function TestRBACClientIntegration (line 608) | func TestRBACClientIntegration(t *testing.T) {
function TestGenerateTokenExchangeEnvVarsShared (line 677) | func TestGenerateTokenExchangeEnvVarsShared(t *testing.T) {
function TestValidateSpecConfigurationConditions (line 726) | func TestValidateSpecConfigurationConditions(t *testing.T) {
function TestValidateAndHandleConfigs (line 878) | func TestValidateAndHandleConfigs(t *testing.T) {
FILE: cmd/thv-operator/controllers/mcpremoteproxy_runconfig.go
method ensureRunConfigConfigMap (line 27) | func (r *MCPRemoteProxyReconciler) ensureRunConfigConfigMap(ctx context....
method createRunConfigFromMCPRemoteProxy (line 73) | func (r *MCPRemoteProxyReconciler) createRunConfigFromMCPRemoteProxy(
method resolveAndAddOIDCConfig (line 181) | func (r *MCPRemoteProxyReconciler) resolveAndAddOIDCConfig(
method validateRunConfigForRemoteProxy (line 223) | func (*MCPRemoteProxyReconciler) validateRunConfigForRemoteProxy(ctx con...
function labelsForRunConfigRemoteProxy (line 262) | func labelsForRunConfigRemoteProxy(proxyName string) map[string]string {
function addHeaderForwardConfigOptions (line 273) | func addHeaderForwardConfigOptions(proxy *mcpv1beta1.MCPRemoteProxy, opt...
method resolveToolConfig (line 303) | func (r *MCPRemoteProxyReconciler) resolveToolConfig(
method addTelemetryOptions (line 333) | func (r *MCPRemoteProxyReconciler) addTelemetryOptions(
FILE: cmd/thv-operator/controllers/mcpremoteproxy_runconfig_test.go
function TestCreateRunConfigFromMCPRemoteProxy (line 39) | func TestCreateRunConfigFromMCPRemoteProxy(t *testing.T) {
function TestCreateRunConfigFromMCPRemoteProxy_WithTokenExchange (line 313) | func TestCreateRunConfigFromMCPRemoteProxy_WithTokenExchange(t *testing....
function TestCreateRunConfigFromMCPRemoteProxy_WithBearerToken (line 451) | func TestCreateRunConfigFromMCPRemoteProxy_WithBearerToken(t *testing.T) {
function TestValidateRunConfigForRemoteProxy (line 656) | func TestValidateRunConfigForRemoteProxy(t *testing.T) {
function TestEnsureRunConfigConfigMapForRemoteProxy (line 769) | func TestEnsureRunConfigConfigMapForRemoteProxy(t *testing.T) {
function TestLabelsForRunConfigRemoteProxy (line 848) | func TestLabelsForRunConfigRemoteProxy(t *testing.T) {
FILE: cmd/thv-operator/controllers/mcpremoteproxy_telemetryconfig_test.go
function TestHandleTelemetryConfig_MCPRemoteProxy (line 19) | func TestHandleTelemetryConfig_MCPRemoteProxy(t *testing.T) {
function TestMapTelemetryConfigToMCPRemoteProxy (line 259) | func TestMapTelemetryConfigToMCPRemoteProxy(t *testing.T) {
FILE: cmd/thv-operator/controllers/mcpserver_authserverref_test.go
function TestMCPServerReconciler_handleAuthServerRef (line 23) | func TestMCPServerReconciler_handleAuthServerRef(t *testing.T) {
FILE: cmd/thv-operator/controllers/mcpserver_authz_test.go
function TestEnsureAuthzConfigMap (line 24) | func TestEnsureAuthzConfigMap(t *testing.T) {
function TestEnsureAuthzConfigMap_Updates (line 162) | func TestEnsureAuthzConfigMap_Updates(t *testing.T) {
function TestGenerateAuthzVolumeConfig (line 249) | func TestGenerateAuthzVolumeConfig(t *testing.T) {
FILE: cmd/thv-operator/controllers/mcpserver_controller.go
type MCPServerReconciler (line 47) | type MCPServerReconciler struct
method detectPlatform (line 144) | func (r *MCPServerReconciler) detectPlatform(ctx context.Context) (kub...
method Reconcile (line 172) | func (r *MCPServerReconciler) Reconcile(ctx context.Context, req ctrl....
method validateGroupRef (line 503) | func (r *MCPServerReconciler) validateGroupRef(ctx context.Context, mc...
method validateCABundleRef (line 560) | func (r *MCPServerReconciler) validateCABundleRef(ctx context.Context,...
method updateCABundleStatus (line 618) | func (r *MCPServerReconciler) updateCABundleStatus(ctx context.Context...
method validateAndUpdatePodTemplateStatus (line 638) | func (r *MCPServerReconciler) validateAndUpdatePodTemplateStatus(ctx c...
method handleRestartAnnotation (line 700) | func (r *MCPServerReconciler) handleRestartAnnotation(ctx context.Cont...
method performRestart (line 770) | func (r *MCPServerReconciler) performRestart(ctx context.Context, mcpS...
method getRunConfigChecksum (line 785) | func (r *MCPServerReconciler) getRunConfigChecksum(
method performRollingRestart (line 797) | func (r *MCPServerReconciler) performRollingRestart(ctx context.Contex...
method performImmediateRestart (line 825) | func (r *MCPServerReconciler) performImmediateRestart(ctx context.Cont...
method handleToolConfig (line 854) | func (r *MCPServerReconciler) handleToolConfig(ctx context.Context, m ...
method ensureRBACResources (line 897) | func (r *MCPServerReconciler) ensureRBACResources(ctx context.Context,...
method imagePullSecretsForMCPServer (line 943) | func (r *MCPServerReconciler) imagePullSecretsForMCPServer(
method deploymentForMCPServer (line 957) | func (r *MCPServerReconciler) deploymentForMCPServer(
method serviceForMCPServer (line 1322) | func (r *MCPServerReconciler) serviceForMCPServer(ctx context.Context,...
method updateMCPServerStatus (line 1444) | func (r *MCPServerReconciler) updateMCPServerStatus(ctx context.Contex...
method deleteIfExists (line 1534) | func (r *MCPServerReconciler) deleteIfExists(ctx context.Context, obj ...
method finalizeMCPServer (line 1551) | func (r *MCPServerReconciler) finalizeMCPServer(ctx context.Context, m...
method deploymentNeedsUpdate (line 1580) | func (r *MCPServerReconciler) deploymentNeedsUpdate(
method handleExternalAuthConfig (line 1933) | func (r *MCPServerReconciler) handleExternalAuthConfig(ctx context.Con...
method handleAuthServerRef (line 1999) | func (r *MCPServerReconciler) handleAuthServerRef(ctx context.Context,...
method handleOIDCConfig (line 2109) | func (r *MCPServerReconciler) handleOIDCConfig(ctx context.Context, m ...
method fetchAndValidateOIDCConfig (line 2166) | func (r *MCPServerReconciler) fetchAndValidateOIDCConfig(
method updateOIDCConfigReferencingWorkloads (line 2222) | func (r *MCPServerReconciler) updateOIDCConfigReferencingWorkloads(
method ensureAuthzConfigMap (line 2249) | func (r *MCPServerReconciler) ensureAuthzConfigMap(ctx context.Context...
method validateStdioReplicaCap (line 2292) | func (r *MCPServerReconciler) validateStdioReplicaCap(ctx context.Cont...
method validateSessionStorageForReplicas (line 2321) | func (r *MCPServerReconciler) validateSessionStorageForReplicas(ctx co...
method validateRateLimitConfig (line 2357) | func (r *MCPServerReconciler) validateRateLimitConfig(ctx context.Cont...
method SetupWithManager (line 2397) | func (r *MCPServerReconciler) SetupWithManager(mgr ctrl.Manager) error {
constant mcpContainerName (line 111) | mcpContainerName = "mcp"
constant MCPServerFinalizerName (line 114) | MCPServerFinalizerName = "mcpserver.toolhive.stacklok.dev/finalizer"
constant RestartedAtAnnotationKey (line 118) | RestartedAtAnnotationKey = "mcpserver.toolhive.stacklok.dev/res...
constant RestartStrategyAnnotationKey (line 119) | RestartStrategyAnnotationKey = "mcpserver.toolhive.stacklok.dev/res...
constant LastProcessedRestartAnnotationKey (line 120) | LastProcessedRestartAnnotationKey = "mcpserver.toolhive.stacklok.dev/las...
constant RestartStrategyRolling (line 125) | RestartStrategyRolling = "rolling"
constant RestartStrategyImmediate (line 126) | RestartStrategyImmediate = "immediate"
constant authzLabelKey (line 132) | authzLabelKey = "toolhive.stacklok.io/authz"
constant authzLabelValueInline (line 135) | authzLabelValueInline = "inline"
constant defaultTerminationGracePeriodSeconds (line 138) | defaultTerminationGracePeriodSeconds = int64(30)
constant stdioTransport (line 140) | stdioTransport = "stdio"
function setCABundleRefCondition (line 548) | func setCABundleRefCondition(mcpServer *mcpv1beta1.MCPServer, status met...
function setReadyCondition (line 626) | func setReadyCondition(mcpServer *mcpv1beta1.MCPServer, status metav1.Co...
function checkContainerError (line 1378) | func checkContainerError(containerStatus corev1.ContainerStatus) (bool, ...
function areAllContainersReady (line 1397) | func areAllContainersReady(containerStatuses []corev1.ContainerStatus) b...
function categorizePodStatus (line 1410) | func categorizePodStatus(pod corev1.Pod) (running, pending, failed int, ...
function serviceNeedsUpdate (line 1827) | func serviceNeedsUpdate(service *corev1.Service, mcpServer *mcpv1beta1.M...
function resourceRequirementsForMCPServer (line 1872) | func resourceRequirementsForMCPServer(m *mcpv1beta1.MCPServer) corev1.Re...
function mcpServerServiceAccountName (line 1896) | func mcpServerServiceAccountName(mcpServerName string) string {
function labelsForMCPServer (line 1902) | func labelsForMCPServer(name string) map[string]string {
function labelsForInlineAuthzConfig (line 1914) | func labelsForInlineAuthzConfig(name string) map[string]string {
function getToolhiveRunnerImage (line 1921) | func getToolhiveRunnerImage() string {
function setOIDCConfigRefCondition (line 2210) | func setOIDCConfigRefCondition(m *mcpv1beta1.MCPServer, status metav1.Co...
function int32Ptr (line 2256) | func int32Ptr(i int32) *int32 {
function int64Ptr (line 2261) | func int64Ptr(i int64) *int64 {
function resolveDeploymentReplicas (line 2268) | func resolveDeploymentReplicas(mcpTransport string, specReplicas *int32)...
function setStdioReplicaCappedCondition (line 2279) | func setStdioReplicaCappedCondition(mcpServer *mcpv1beta1.MCPServer, sta...
function setSessionStorageCondition (line 2308) | func setSessionStorageCondition(mcpServer *mcpv1beta1.MCPServer, status ...
function setRateLimitConfigCondition (line 2343) | func setRateLimitConfigCondition(mcpServer *mcpv1beta1.MCPServer, status...
FILE: cmd/thv-operator/controllers/mcpserver_default_imagepullsecrets_test.go
function TestEnsureRBACResources_DefaultImagePullSecrets (line 27) | func TestEnsureRBACResources_DefaultImagePullSecrets(t *testing.T) {
function TestDeploymentNeedsUpdate_DefaultImagePullSecrets (line 102) | func TestDeploymentNeedsUpdate_DefaultImagePullSecrets(t *testing.T) {
function TestDeploymentForMCPServer_DefaultImagePullSecrets (line 119) | func TestDeploymentForMCPServer_DefaultImagePullSecrets(t *testing.T) {
FILE: cmd/thv-operator/controllers/mcpserver_externalauth_runconfig_test.go
function TestAddExternalAuthConfigOptions (line 37) | func TestAddExternalAuthConfigOptions(t *testing.T) {
function TestCreateRunConfigFromMCPServer_WithExternalAuth (line 637) | func TestCreateRunConfigFromMCPServer_WithExternalAuth(t *testing.T) {
function TestGenerateTokenExchangeEnvVars (line 880) | func TestGenerateTokenExchangeEnvVars(t *testing.T) {
FILE: cmd/thv-operator/controllers/mcpserver_externalauth_test.go
function TestMCPServerReconciler_handleExternalAuthConfig (line 34) | func TestMCPServerReconciler_handleExternalAuthConfig(t *testing.T) {
function TestMCPServerReconciler_handleExternalAuthConfig_SameNamespace (line 262) | func TestMCPServerReconciler_handleExternalAuthConfig_SameNamespace(t *t...
function TestMCPServerReconciler_handleExternalAuthConfig_HashUpdateTrigger (line 326) | func TestMCPServerReconciler_handleExternalAuthConfig_HashUpdateTrigger(...
function TestMCPServerReconciler_handleExternalAuthConfig_NoHashInConfig (line 403) | func TestMCPServerReconciler_handleExternalAuthConfig_NoHashInConfig(t *...
FILE: cmd/thv-operator/controllers/mcpserver_groupref_test.go
function TestMCPServerReconciler_ValidateGroupRef (line 23) | func TestMCPServerReconciler_ValidateGroupRef(t *testing.T) {
function TestMCPServerReconciler_GroupRefValidation_Integration (line 205) | func TestMCPServerReconciler_GroupRefValidation_Integration(t *testing.T) {
function TestMCPServerReconciler_GroupRefCrossNamespace (line 302) | func TestMCPServerReconciler_GroupRefCrossNamespace(t *testing.T) {
FILE: cmd/thv-operator/controllers/mcpserver_invalid_podtemplate_reconcile_test.go
function TestMCPServerReconciler_InvalidPodTemplateSpec (line 27) | func TestMCPServerReconciler_InvalidPodTemplateSpec(t *testing.T) {
function TestDeploymentArgsWithInvalidPodTemplateSpec (line 182) | func TestDeploymentArgsWithInvalidPodTemplateSpec(t *testing.T) {
FILE: cmd/thv-operator/controllers/mcpserver_oidcconfig_test.go
function TestMCPServerReconciler_handleOIDCConfig (line 23) | func TestMCPServerReconciler_handleOIDCConfig(t *testing.T) {
function TestMCPServerReconciler_updateOIDCConfigReferencingWorkloads (line 214) | func TestMCPServerReconciler_updateOIDCConfigReferencingWorkloads(t *tes...
function TestMCPServerReconciler_handleOIDCConfig_ConditionPersistedOnRecovery (line 260) | func TestMCPServerReconciler_handleOIDCConfig_ConditionPersistedOnRecove...
function TestMCPOIDCConfigReconciler_handleDeletion_BlocksWhenReferenced (line 321) | func TestMCPOIDCConfigReconciler_handleDeletion_BlocksWhenReferenced(t *...
function TestMCPOIDCConfigReconciler_handleDeletion_AllowsWhenNotReferenced (line 360) | func TestMCPOIDCConfigReconciler_handleDeletion_AllowsWhenNotReferenced(...
function TestMCPOIDCConfigReconciler_handleDeletion_IgnoresCrossNamespaceRef (line 397) | func TestMCPOIDCConfigReconciler_handleDeletion_IgnoresCrossNamespaceRef...
function conditionStatusPtr (line 439) | func conditionStatusPtr(s metav1.ConditionStatus) *metav1.ConditionStatus {
FILE: cmd/thv-operator/controllers/mcpserver_platform_test.go
function TestMCPServerReconciler_DetectPlatform_Success (line 21) | func TestMCPServerReconciler_DetectPlatform_Success(t *testing.T) {
function TestMCPServerReconciler_DetectPlatform_Error (line 69) | func TestMCPServerReconciler_DetectPlatform_Error(t *testing.T) {
function TestMCPServerReconciler_DeploymentForMCPServer_Kubernetes (line 91) | func TestMCPServerReconciler_DeploymentForMCPServer_Kubernetes(t *testin...
function TestMCPServerReconciler_DeploymentForMCPServer_OpenShift (line 163) | func TestMCPServerReconciler_DeploymentForMCPServer_OpenShift(t *testing...
function TestMCPServerReconciler_DeploymentForMCPServer_PlatformDetectionError (line 241) | func TestMCPServerReconciler_DeploymentForMCPServer_PlatformDetectionErr...
function TestMCPServerReconciler_DeploymentForMCPServer_EnvironmentOverride (line 288) | func TestMCPServerReconciler_DeploymentForMCPServer_EnvironmentOverride(...
FILE: cmd/thv-operator/controllers/mcpserver_pod_template_test.go
function TestDeploymentForMCPServerWithPodTemplateSpec (line 24) | func TestDeploymentForMCPServerWithPodTemplateSpec(t *testing.T) {
function TestDeploymentForMCPServerSecretsProviderEnv (line 170) | func TestDeploymentForMCPServerSecretsProviderEnv(t *testing.T) {
function TestDeploymentForMCPServerWithSecrets (line 200) | func TestDeploymentForMCPServerWithSecrets(t *testing.T) {
function TestProxyRunnerSecurityContext (line 310) | func TestProxyRunnerSecurityContext(t *testing.T) {
function TestProxyRunnerStructuredLogsEnvVar (line 357) | func TestProxyRunnerStructuredLogsEnvVar(t *testing.T) {
function boolPtr (line 404) | func boolPtr(b bool) *bool {
FILE: cmd/thv-operator/controllers/mcpserver_podtemplatespec_builder_test.go
function TestMCPServerPodTemplateSpec_AllCombinations (line 19) | func TestMCPServerPodTemplateSpec_AllCombinations(t *testing.T) {
function TestMCPServerPodTemplateSpec_SecretEnvVarNaming (line 208) | func TestMCPServerPodTemplateSpec_SecretEnvVarNaming(t *testing.T) {
function TestMCPServerPodTemplateSpec_NilInputWithSecrets (line 255) | func TestMCPServerPodTemplateSpec_NilInputWithSecrets(t *testing.T) {
function findMCPContainer (line 274) | func findMCPContainer(containers []corev1.Container) *corev1.Container {
FILE: cmd/thv-operator/controllers/mcpserver_rbac_test.go
type testContext (line 26) | type testContext struct
method ensureRBACResources (line 46) | func (tc *testContext) ensureRBACResources() error {
method assertServiceAccountExists (line 50) | func (tc *testContext) assertServiceAccountExists(t *testing.T) {
method assertRoleExists (line 62) | func (tc *testContext) assertRoleExists(t *testing.T) {
method assertRoleBindingExists (line 75) | func (tc *testContext) assertRoleBindingExists(t *testing.T) {
method assertAllRBACResourcesExist (line 103) | func (tc *testContext) assertAllRBACResourcesExist(t *testing.T) {
function setupTest (line 33) | func setupTest(name, namespace string) *testContext {
function TestEnsureRBACResources_ServiceAccount_Creation (line 110) | func TestEnsureRBACResources_ServiceAccount_Creation(t *testing.T) {
function TestEnsureRBACResources_ServiceAccount_Update (line 120) | func TestEnsureRBACResources_ServiceAccount_Update(t *testing.T) {
function TestEnsureRBACResources_Role_Creation (line 140) | func TestEnsureRBACResources_Role_Creation(t *testing.T) {
function TestEnsureRBACResources_Role_Update (line 150) | func TestEnsureRBACResources_Role_Update(t *testing.T) {
function TestEnsureRBACResources_RoleBinding_Creation (line 176) | func TestEnsureRBACResources_RoleBinding_Creation(t *testing.T) {
function TestEnsureRBACResources_RoleBinding_Update (line 186) | func TestEnsureRBACResources_RoleBinding_Update(t *testing.T) {
function TestEnsureRBACResources_MultipleNamespaces (line 217) | func TestEnsureRBACResources_MultipleNamespaces(t *testing.T) {
function TestEnsureRBACResources_ResourceNames (line 241) | func TestEnsureRBACResources_ResourceNames(t *testing.T) {
function TestEnsureRBACResources_NoChangesNeeded (line 262) | func TestEnsureRBACResources_NoChangesNeeded(t *testing.T) {
function TestEnsureRBACResources_Idempotency (line 312) | func TestEnsureRBACResources_Idempotency(t *testing.T) {
function TestEnsureRBACResources_CustomServiceAccount (line 324) | func TestEnsureRBACResources_CustomServiceAccount(t *testing.T) {
function TestEnsureRBACResources_ImagePullSecrets (line 384) | func TestEnsureRBACResources_ImagePullSecrets(t *testing.T) {
function createTestMCPServer (line 427) | func createTestMCPServer(name, namespace string) *mcpv1beta1.MCPServer {
function createTestScheme (line 441) | func createTestScheme() *runtime.Scheme {
FILE: cmd/thv-operator/controllers/mcpserver_replicas_test.go
function TestReplicaBehavior (line 24) | func TestReplicaBehavior(t *testing.T) {
function TestConfigUpdatePreservesReplicas (line 179) | func TestConfigUpdatePreservesReplicas(t *testing.T) {
function TestUpdateMCPServerStatusScaledToZero (line 265) | func TestUpdateMCPServerStatusScaledToZero(t *testing.T) {
function TestUpdateMCPServerStatusReadyReplicas (line 336) | func TestUpdateMCPServerStatusReadyReplicas(t *testing.T) {
function TestDefaultCreationHasNilReplicas (line 460) | func TestDefaultCreationHasNilReplicas(t *testing.T) {
function TestResolveDeploymentReplicasNil (line 511) | func TestResolveDeploymentReplicasNil(t *testing.T) {
function TestResolveDeploymentReplicas1 (line 517) | func TestResolveDeploymentReplicas1(t *testing.T) {
function TestResolveDeploymentReplicas3SSE (line 524) | func TestResolveDeploymentReplicas3SSE(t *testing.T) {
function TestResolveDeploymentReplicasStdioCap (line 531) | func TestResolveDeploymentReplicasStdioCap(t *testing.T) {
function TestTerminationGracePeriodSet (line 540) | func TestTerminationGracePeriodSet(t *testing.T) {
function TestSpecDrivenReplicasNil (line 572) | func TestSpecDrivenReplicasNil(t *testing.T) {
function TestSpecDrivenReplicas3 (line 604) | func TestSpecDrivenReplicas3(t *testing.T) {
function TestStdioCapConditionSet (line 640) | func TestStdioCapConditionSet(t *testing.T) {
function TestSessionStorageWarningSet (line 691) | func TestSessionStorageWarningSet(t *testing.T) {
function TestSessionStorageWarningCleared (line 741) | func TestSessionStorageWarningCleared(t *testing.T) {
function TestCategorizePodStatusExcludesTerminatingPods (line 794) | func TestCategorizePodStatusExcludesTerminatingPods(t *testing.T) {
function TestUpdateMCPServerStatusExcludesTerminatingPods (line 864) | func TestUpdateMCPServerStatusExcludesTerminatingPods(t *testing.T) {
function TestRateLimitConfigValidation (line 983) | func TestRateLimitConfigValidation(t *testing.T) {
FILE: cmd/thv-operator/controllers/mcpserver_resource_overrides_test.go
function TestMCPServerDeploymentNeedsUpdate_EmbeddedAuthLegacyEnvStable (line 32) | func TestMCPServerDeploymentNeedsUpdate_EmbeddedAuthLegacyEnvStable(t *t...
function TestMCPServerDeploymentNeedsUpdate_EmbeddedAuthAuthServerRefEnvStable (line 101) | func TestMCPServerDeploymentNeedsUpdate_EmbeddedAuthAuthServerRefEnvStab...
function TestMCPServerDeploymentNeedsUpdate_TokenExchangeDoesNotDrift (line 162) | func TestMCPServerDeploymentNeedsUpdate_TokenExchangeDoesNotDrift(t *tes...
function TestResourceOverrides (line 215) | func TestResourceOverrides(t *testing.T) {
function TestMergeStringMaps (line 596) | func TestMergeStringMaps(t *testing.T) {
function TestDeploymentNeedsUpdateProxyEnv (line 641) | func TestDeploymentNeedsUpdateProxyEnv(t *testing.T) {
function TestMCPServerDeploymentNeedsUpdate_ImagePullSecretsDrift (line 827) | func TestMCPServerDeploymentNeedsUpdate_ImagePullSecretsDrift(t *testing...
function TestMCPServerSessionAffinityNone (line 923) | func TestMCPServerSessionAffinityNone(t *testing.T) {
function TestMCPServerServiceNeedsUpdate (line 949) | func TestMCPServerServiceNeedsUpdate(t *testing.T) {
FILE: cmd/thv-operator/controllers/mcpserver_restart_test.go
type restartTestContext (line 26) | type restartTestContext struct
method createDeployment (line 53) | func (tc *restartTestContext) createDeployment() {
method createPods (line 84) | func (tc *restartTestContext) createPods(count int) {
method setRestartAnnotation (line 107) | func (tc *restartTestContext) setRestartAnnotation(timestamp string, s...
method setLastRestartRequest (line 118) | func (tc *restartTestContext) setLastRestartRequest(timestamp time.Tim...
method handleRestartAnnotation (line 129) | func (tc *restartTestContext) handleRestartAnnotation() (bool, error) {
method assertDeploymentPodTemplateAnnotationUpdated (line 157) | func (tc *restartTestContext) assertDeploymentPodTemplateAnnotationUpd...
method assertPodsDeleted (line 176) | func (tc *restartTestContext) assertPodsDeleted(_ int) {
method assertLastRestartRequestUpdated (line 191) | func (tc *restartTestContext) assertLastRestartRequestUpdated(expected...
function setupRestartTest (line 33) | func setupRestartTest(t *testing.T) *restartTestContext {
function TestHandleRestartAnnotation_NoAnnotation (line 211) | func TestHandleRestartAnnotation_NoAnnotation(t *testing.T) {
function TestHandleRestartAnnotation_InvalidTimestamp (line 221) | func TestHandleRestartAnnotation_InvalidTimestamp(t *testing.T) {
function TestHandleRestartAnnotation_AlreadyProcessed (line 232) | func TestHandleRestartAnnotation_AlreadyProcessed(t *testing.T) {
function TestHandleRestartAnnotation_RollingRestart_Success (line 246) | func TestHandleRestartAnnotation_RollingRestart_Success(t *testing.T) {
function TestHandleRestartAnnotation_RollingRestart_DefaultStrategy (line 264) | func TestHandleRestartAnnotation_RollingRestart_DefaultStrategy(t *testi...
function TestHandleRestartAnnotation_RollingRestart_DeploymentNotFound (line 282) | func TestHandleRestartAnnotation_RollingRestart_DeploymentNotFound(t *te...
function TestHandleRestartAnnotation_ImmediateRestart_Success (line 296) | func TestHandleRestartAnnotation_ImmediateRestart_Success(t *testing.T) {
function TestHandleRestartAnnotation_ImmediateRestart_NoPods (line 315) | func TestHandleRestartAnnotation_ImmediateRestart_NoPods(t *testing.T) {
function TestHandleRestartAnnotation_UnknownStrategy (line 329) | func TestHandleRestartAnnotation_UnknownStrategy(t *testing.T) {
function TestHandleRestartAnnotation_MultipleSequentialRequests (line 347) | func TestHandleRestartAnnotation_MultipleSequentialRequests(t *testing.T) {
function TestHandleRestartAnnotation_DifferentStrategies (line 378) | func TestHandleRestartAnnotation_DifferentStrategies(t *testing.T) {
function TestPerformRollingRestart_Success (line 421) | func TestPerformRollingRestart_Success(t *testing.T) {
function TestPerformRollingRestart_ExistingAnnotations (line 448) | func TestPerformRollingRestart_ExistingAnnotations(t *testing.T) {
function TestPerformImmediateRestart_Success (line 487) | func TestPerformImmediateRestart_Success(t *testing.T) {
function TestPerformImmediateRestart_NoPods (line 500) | func TestPerformImmediateRestart_NoPods(t *testing.T) {
function TestPerformRestart_ValidStrategies (line 508) | func TestPerformRestart_ValidStrategies(t *testing.T) {
function TestHandleRestartAnnotation_ErrorPaths (line 537) | func TestHandleRestartAnnotation_ErrorPaths(t *testing.T) {
function TestPerformRollingRestart_ErrorPaths (line 582) | func TestPerformRollingRestart_ErrorPaths(t *testing.T) {
function TestPerformImmediateRestart_ErrorPaths (line 619) | func TestPerformImmediateRestart_ErrorPaths(t *testing.T) {
function TestReconcile_HandleRestartAnnotation_ErrorPaths (line 657) | func TestReconcile_HandleRestartAnnotation_ErrorPaths(t *testing.T) {
type mockFailingClient (line 708) | type mockFailingClient struct
method Get (line 717) | func (m *mockFailingClient) Get(ctx context.Context, key client.Object...
method List (line 724) | func (m *mockFailingClient) List(ctx context.Context, list client.Obje...
method Update (line 731) | func (m *mockFailingClient) Update(ctx context.Context, obj client.Obj...
method Patch (line 744) | func (m *mockFailingClient) Patch(
method Delete (line 755) | func (m *mockFailingClient) Delete(ctx context.Context, obj client.Obj...
FILE: cmd/thv-operator/controllers/mcpserver_runconfig.go
constant defaultProxyHost (line 30) | defaultProxyHost = "0.0.0.0"
constant defaultAPITimeout (line 33) | defaultAPITimeout = 15 * time.Second
method ensureRunConfigConfigMap (line 36) | func (r *MCPServerReconciler) ensureRunConfigConfigMap(ctx context.Conte...
method createRunConfigFromMCPServer (line 84) | func (r *MCPServerReconciler) createRunConfigFromMCPServer(m *mcpv1beta1...
function populateScalingConfig (line 294) | func populateScalingConfig(runConfig *runner.RunConfig, m *mcpv1beta1.MC...
function labelsForRunConfig (line 321) | func labelsForRunConfig(mcpServerName string) map[string]string {
method validateRunConfig (line 330) | func (r *MCPServerReconciler) validateRunConfig(ctx context.Context, con...
method validateRequiredFields (line 369) | func (*MCPServerReconciler) validateRequiredFields(config *runner.RunCon...
method validateTransportAndPorts (line 386) | func (*MCPServerReconciler) validateTransportAndPorts(config *runner.Run...
function validateTransportType (line 399) | func validateTransportType(transport transporttypes.TransportType) error {
function validateProxyMode (line 416) | func validateProxyMode(transport transporttypes.TransportType, proxyMode...
function validatePorts (line 439) | func validatePorts(transport transporttypes.TransportType, port, targetP...
method validateHost (line 465) | func (*MCPServerReconciler) validateHost(config *runner.RunConfig) error {
method validateEnvironmentVariables (line 482) | func (*MCPServerReconciler) validateEnvironmentVariables(config *runner....
method validateVolumeMounts (line 501) | func (*MCPServerReconciler) validateVolumeMounts(config *runner.RunConfi...
method validateSecrets (line 522) | func (*MCPServerReconciler) validateSecrets(config *runner.RunConfig) er...
method validateToolsFilter (line 541) | func (*MCPServerReconciler) validateToolsFilter(config *runner.RunConfig...
function convertEnvVarsFromMCPServer (line 555) | func convertEnvVarsFromMCPServer(envs []mcpv1beta1.EnvVar) map[string]st...
function convertVolumesFromMCPServer (line 567) | func convertVolumesFromMCPServer(vols []mcpv1beta1.Volume) []string {
FILE: cmd/thv-operator/controllers/mcpserver_runconfig_test.go
constant testImage (line 32) | testImage = "test-image:latest"
constant sseProxyMode (line 33) | sseProxyMode = "sse"
constant streamableHTTPProxyMode (line 34) | streamableHTTPProxyMode = "streamable-http"
function createRunConfigTestScheme (line 37) | func createRunConfigTestScheme() *runtime.Scheme {
function createTestMCPServerWithConfig (line 44) | func createTestMCPServerWithConfig(name, namespace, image string, envVar...
function TestCreateRunConfigFromMCPServer (line 60) | func TestCreateRunConfigFromMCPServer(t *testing.T) {
function TestDeterministicConfigMapGeneration (line 528) | func TestDeterministicConfigMapGeneration(t *testing.T) {
function TestEnsureRunConfigConfigMap (line 663) | func TestEnsureRunConfigConfigMap(t *testing.T) {
function TestValidateRunConfig (line 981) | func TestValidateRunConfig(t *testing.T) {
function TestLabelsForRunConfig (line 1183) | func TestLabelsForRunConfig(t *testing.T) {
function TestEnsureRunConfigConfigMapCompleteFlow (line 1196) | func TestEnsureRunConfigConfigMapCompleteFlow(t *testing.T) {
function TestMCPServerModificationScenarios (line 1282) | func TestMCPServerModificationScenarios(t *testing.T) {
function TestEnsureRunConfigConfigMap_WithVaultInjection (line 1443) | func TestEnsureRunConfigConfigMap_WithVaultInjection(t *testing.T) {
function TestPopulateScalingConfig (line 1559) | func TestPopulateScalingConfig(t *testing.T) {
function TestCreateRunConfigFromMCPServer_RateLimiting (line 1715) | func TestCreateRunConfigFromMCPServer_RateLimiting(t *testing.T) {
function TestCreateRunConfigFromMCPServer_SetsMCPServerGeneration (line 1786) | func TestCreateRunConfigFromMCPServer_SetsMCPServerGeneration(t *testing...
FILE: cmd/thv-operator/controllers/mcpserver_spec_patch_test.go
type patchRecordingClient (line 34) | type patchRecordingClient struct
method Patch (line 45) | func (c *patchRecordingClient) Patch(
method lastMCPServerPatchBody (line 66) | func (c *patchRecordingClient) lastMCPServerPatchBody() string {
type recordedPatch (line 40) | type recordedPatch struct
function TestMCPServerSpecPatchesAreOptimisticLock (line 84) | func TestMCPServerSpecPatchesAreOptimisticLock(t *testing.T) {
FILE: cmd/thv-operator/controllers/mcpserver_telemetry_cabundle_test.go
function TestDeploymentForMCPServer_TelemetryCABundleVolume (line 20) | func TestDeploymentForMCPServer_TelemetryCABundleVolume(t *testing.T) {
function TestDeploymentForMCPServer_TelemetryCABundleVolume_FetchError (line 180) | func TestDeploymentForMCPServer_TelemetryCABundleVolume_FetchError(t *te...
FILE: cmd/thv-operator/controllers/mcpserver_telemetryconfig.go
method handleTelemetryConfig (line 23) | func (r *MCPServerReconciler) handleTelemetryConfig(ctx context.Context,...
function getTelemetryConfigForMCPServer (line 112) | func getTelemetryConfigForMCPServer(
method mapTelemetryConfigToServers (line 138) | func (r *MCPServerReconciler) mapTelemetryConfigToServers(
FILE: cmd/thv-operator/controllers/mcpserver_telemetryconfig_test.go
function TestGetTelemetryConfigForMCPServer (line 18) | func TestGetTelemetryConfigForMCPServer(t *testing.T) {
function TestGetTelemetryConfigForMCPServer_NamespacedLookup (line 122) | func TestGetTelemetryConfigForMCPServer_NamespacedLookup(t *testing.T) {
FILE: cmd/thv-operator/controllers/mcpserver_test_helpers_test.go
type mockPlatformDetector (line 16) | type mockPlatformDetector struct
method DetectPlatform (line 21) | func (m *mockPlatformDetector) DetectPlatform(_ *rest.Config) (kuberne...
function newTestMCPServerReconciler (line 29) | func newTestMCPServerReconciler(
FILE: cmd/thv-operator/controllers/mcpserverentry_controller.go
constant mcpServerEntryRequeueDelay (line 28) | mcpServerEntryRequeueDelay = 500 * time.Millisecond
constant mcpServerEntryAuthConfigRefField (line 31) | mcpServerEntryAuthConfigRefField = "spec.externalAuthConfigRef.name"
constant mcpServerEntryCABundleRefField (line 34) | mcpServerEntryCABundleRefField = "spec.caBundleRef.configMapRef.name"
type MCPServerEntryReconciler (line 40) | type MCPServerEntryReconciler struct
method Reconcile (line 51) | func (r *MCPServerEntryReconciler) Reconcile(ctx context.Context, req ...
method SetupWithManager (line 105) | func (r *MCPServerEntryReconciler) SetupWithManager(mgr ctrl.Manager) ...
method validateGroupRef (line 159) | func (r *MCPServerEntryReconciler) validateGroupRef(
method validateExternalAuthConfigRef (line 207) | func (r *MCPServerEntryReconciler) validateExternalAuthConfigRef(
method validateCABundleRef (line 256) | func (r *MCPServerEntryReconciler) validateCABundleRef(
method validateRemoteURL (line 305) | func (*MCPServerEntryReconciler) validateRemoteURL(
method updateOverallStatus (line 330) | func (*MCPServerEntryReconciler) updateOverallStatus(
method findEntriesForAuthConfig (line 357) | func (r *MCPServerEntryReconciler) findEntriesForAuthConfig(
method findEntriesForGroup (line 391) | func (r *MCPServerEntryReconciler) findEntriesForGroup(
method findEntriesForConfigMap (line 426) | func (r *MCPServerEntryReconciler) findEntriesForConfigMap(
FILE: cmd/thv-operator/controllers/mcpserverentry_controller_test.go
constant testEntryName (line 24) | testEntryName = "test-entry"
constant testEntryNS (line 25) | testEntryNS = "default"
constant testAuthConfig (line 26) | testAuthConfig = "test-auth-config"
constant testCAConfigMap (line 27) | testCAConfigMap = "test-ca-bundle"
constant testEntryGroupRef (line 28) | testEntryGroupRef = "test-group"
function newEntryScheme (line 32) | func newEntryScheme(t *testing.T) *runtime.Scheme {
function newEntryFakeClient (line 41) | func newEntryFakeClient(t *testing.T, scheme *runtime.Scheme, objs ...cl...
function newMCPGroup (line 51) | func newMCPGroup(phase mcpv1beta1.MCPGroupPhase) *mcpv1beta1.MCPGroup {
function newMCPServerEntry (line 64) | func newMCPServerEntry(
function newMCPExternalAuthConfig (line 85) | func newMCPExternalAuthConfig(name, namespace string) *mcpv1beta1.MCPExt...
function newConfigMap (line 98) | func newConfigMap(name, namespace string) *corev1.ConfigMap {
function assertCondition (line 111) | func assertCondition(
function TestMCPServerEntryReconciler_Reconcile (line 125) | func TestMCPServerEntryReconciler_Reconcile(t *testing.T) {
function TestMCPGroupReconciler_MCPServerEntryIntegration (line 397) | func TestMCPGroupReconciler_MCPServerEntryIntegration(t *testing.T) {
function TestMCPGroupReconciler_EntryDeletionHandler (line 475) | func TestMCPGroupReconciler_EntryDeletionHandler(t *testing.T) {
FILE: cmd/thv-operator/controllers/mcptelemetryconfig_controller.go
constant TelemetryConfigFinalizerName (line 29) | TelemetryConfigFinalizerName = "mcptelemetryconfig.toolhive.stacklok.dev...
constant telemetryConfigRequeueDelay (line 32) | telemetryConfigRequeueDelay = 500 * time.Millisecond
type MCPTelemetryConfigReconciler (line 39) | type MCPTelemetryConfigReconciler struct
method Reconcile (line 52) | func (r *MCPTelemetryConfigReconciler) Reconcile(ctx context.Context, ...
method SetupWithManager (line 144) | func (r *MCPTelemetryConfigReconciler) SetupWithManager(mgr ctrl.Manag...
method mapMCPRemoteProxyToTelemetryConfig (line 211) | func (r *MCPTelemetryConfigReconciler) mapMCPRemoteProxyToTelemetryCon...
method mapVirtualMCPServerToTelemetryConfig (line 257) | func (r *MCPTelemetryConfigReconciler) mapVirtualMCPServerToTelemetryC...
method calculateConfigHash (line 301) | func (*MCPTelemetryConfigReconciler) calculateConfigHash(spec mcpv1bet...
method handleDeletion (line 307) | func (r *MCPTelemetryConfigReconciler) handleDeletion(
method findReferencingWorkloads (line 356) | func (r *MCPTelemetryConfigReconciler) findReferencingWorkloads(
FILE: cmd/thv-operator/controllers/mcptelemetryconfig_controller_test.go
function TestMCPTelemetryConfigReconciler_calculateConfigHash (line 22) | func TestMCPTelemetryConfigReconciler_calculateConfigHash(t *testing.T) {
function TestMCPTelemetryConfigReconciler_ReconcileNotFound (line 70) | func TestMCPTelemetryConfigReconciler_ReconcileNotFound(t *testing.T) {
function TestMCPTelemetryConfigReconciler_SteadyStateNoOp (line 100) | func TestMCPTelemetryConfigReconciler_SteadyStateNoOp(t *testing.T) {
function TestMCPTelemetryConfigReconciler_ValidationRecovery (line 163) | func TestMCPTelemetryConfigReconciler_ValidationRecovery(t *testing.T) {
function TestMCPTelemetryConfigReconciler_handleDeletion (line 252) | func TestMCPTelemetryConfigReconciler_handleDeletion(t *testing.T) {
function TestMCPTelemetryConfigReconciler_ConfigChangeTriggersHashUpdate (line 309) | func TestMCPTelemetryConfigReconciler_ConfigChangeTriggersHashUpdate(t *...
function TestMCPTelemetryConfigReconciler_ValidationFailureSetsCondition (line 381) | func TestMCPTelemetryConfigReconciler_ValidationFailureSetsCondition(t *...
function TestMCPTelemetryConfig_Validate (line 447) | func TestMCPTelemetryConfig_Validate(t *testing.T) {
function TestMCPTelemetryConfigReconciler_ConditionOnlyUpdate (line 550) | func TestMCPTelemetryConfigReconciler_ConditionOnlyUpdate(t *testing.T) {
function TestMCPTelemetryConfigReconciler_ReferenceTracking (line 620) | func TestMCPTelemetryConfigReconciler_ReferenceTracking(t *testing.T) {
function TestMCPTelemetryConfigReconciler_handleDeletion_BlocksWhenReferenced (line 712) | func TestMCPTelemetryConfigReconciler_handleDeletion_BlocksWhenReference...
function TestMCPTelemetryConfigReconciler_handleDeletion_AllowsWhenNotReferenced (line 767) | func TestMCPTelemetryConfigReconciler_handleDeletion_AllowsWhenNotRefere...
function TestMCPTelemetryConfigReconciler_handleDeletion_NoFinalizerIsNoOp (line 818) | func TestMCPTelemetryConfigReconciler_handleDeletion_NoFinalizerIsNoOp(t...
function newTelemetrySpec (line 856) | func newTelemetrySpec(endpoint string, tracing, metrics bool) mcpv1beta1...
FILE: cmd/thv-operator/controllers/toolconfig_controller.go
constant ToolConfigFinalizerName (line 29) | ToolConfigFinalizerName = "toolhive.stacklok.dev/toolconfig-finalizer"
constant finalizerRequeueDelay (line 32) | finalizerRequeueDelay = 500 * time.Millisecond
type ToolConfigReconciler (line 36) | type ToolConfigReconciler struct
method Reconcile (line 48) | func (r *ToolConfigReconciler) Reconcile(ctx context.Context, req ctrl...
method handleConfigHashChange (line 121) | func (r *ToolConfigReconciler) handleConfigHashChange(
method calculateConfigHash (line 176) | func (*ToolConfigReconciler) calculateConfigHash(spec mcpv1beta1.MCPTo...
method handleDeletion (line 181) | func (r *ToolConfigReconciler) handleDeletion(ctx context.Context, too...
method findReferencingWorkloads (line 227) | func (r *ToolConfigReconciler) findReferencingWorkloads(
method findReferencingMCPServers (line 242) | func (r *ToolConfigReconciler) findReferencingMCPServers(
method SetupWithManager (line 257) | func (r *ToolConfigReconciler) SetupWithManager(mgr ctrl.Manager) error {
FILE: cmd/thv-operator/controllers/toolconfig_controller_edge_cases_test.go
function TestToolConfigReconciler_EdgeCases (line 24) | func TestToolConfigReconciler_EdgeCases(t *testing.T) {
function TestToolConfigReconciler_ErrorScenarios (line 188) | func TestToolConfigReconciler_ErrorScenarios(t *testing.T) {
type errorClient (line 239) | type errorClient struct
method List (line 244) | func (c *errorClient) List(ctx context.Context, list client.ObjectList...
function TestToolConfigReconciler_ComplexScenarios (line 251) | func TestToolConfigReconciler_ComplexScenarios(t *testing.T) {
FILE: cmd/thv-operator/controllers/toolconfig_controller_test.go
function TestToolConfigReconciler_calculateConfigHash (line 24) | func TestToolConfigReconciler_calculateConfigHash(t *testing.T) {
function TestToolConfigReconciler_Reconcile (line 103) | func TestToolConfigReconciler_Reconcile(t *testing.T) {
function TestToolConfigReconciler_findReferencingWorkloads (line 241) | func TestToolConfigReconciler_findReferencingWorkloads(t *testing.T) {
function TestToolConfigReconciler_ReferencingWorkloadsUpdatedWithoutHashChange (line 314) | func TestToolConfigReconciler_ReferencingWorkloadsUpdatedWithoutHashChan...
function TestToolConfigReconciler_ReferencingWorkloadsRemovedOnServerDeletion (line 397) | func TestToolConfigReconciler_ReferencingWorkloadsRemovedOnServerDeletio...
function TestToolConfigReconciler_ValidConditionObservedGeneration (line 475) | func TestToolConfigReconciler_ValidConditionObservedGeneration(t *testin...
FILE: cmd/thv-operator/controllers/virtualmcpserver_controller.go
constant OutgoingAuthSourceDiscovered (line 51) | OutgoingAuthSourceDiscovered = "discovered"
constant OutgoingAuthSourceInline (line 53) | OutgoingAuthSourceInline = "inline"
constant authContextDefault (line 56) | authContextDefault = "default"
constant authContextBackendPrefix (line 57) | authContextBackendPrefix = "backend:"
constant authContextDiscoveredPrefix (line 58) | authContextDiscoveredPrefix = "discovered:"
type AuthConfigError (line 69) | type AuthConfigError struct
type SpecValidationError (line 81) | type SpecValidationError struct
method Error (line 85) | func (e *SpecValidationError) Error() string {
type VirtualMCPServerReconciler (line 102) | type VirtualMCPServerReconciler struct
method Reconcile (line 138) | func (r *VirtualMCPServerReconciler) Reconcile(ctx context.Context, re...
method validateSpec (line 245) | func (r *VirtualMCPServerReconciler) validateSpec(
method applyStatusUpdates (line 271) | func (r *VirtualMCPServerReconciler) applyStatusUpdates(
method runValidations (line 314) | func (r *VirtualMCPServerReconciler) runValidations(
method runAuthValidations (line 377) | func (r *VirtualMCPServerReconciler) runAuthValidations(
method validateSessionStorageForReplicas (line 424) | func (*VirtualMCPServerReconciler) validateSessionStorageForReplicas(
method validateAuthServerConfig (line 457) | func (*VirtualMCPServerReconciler) validateAuthServerConfig(
method applyAuthServerIdentitySynthesizedCondition (line 524) | func (*VirtualMCPServerReconciler) applyAuthServerIdentitySynthesizedC...
method validateAuthzUpstreamAvailable (line 570) | func (*VirtualMCPServerReconciler) validateAuthzUpstreamAvailable(
method handleSpecValidationError (line 650) | func (r *VirtualMCPServerReconciler) handleSpecValidationError(
method validateGroupRef (line 669) | func (r *VirtualMCPServerReconciler) validateGroupRef(
method validateCompositeToolRefs (line 727) | func (r *VirtualMCPServerReconciler) validateCompositeToolRefs(
method validateAndUpdatePodTemplateStatus (line 810) | func (r *VirtualMCPServerReconciler) validateAndUpdatePodTemplateStatus(
method ensureAllResources (line 863) | func (r *VirtualMCPServerReconciler) ensureAllResources(
method ensureAuthSecretsValid (line 961) | func (r *VirtualMCPServerReconciler) ensureAuthSecretsValid(
method ensureRBACResources (line 1000) | func (r *VirtualMCPServerReconciler) ensureRBACResources(
method imagePullSecretsForVMCP (line 1045) | func (r *VirtualMCPServerReconciler) imagePullSecretsForVMCP(
method ensureHMACSecret (line 1057) | func (r *VirtualMCPServerReconciler) ensureHMACSecret(
method validateHMACSecret (line 1142) | func (*VirtualMCPServerReconciler) validateHMACSecret(
method getVmcpConfigChecksum (line 1208) | func (r *VirtualMCPServerReconciler) getVmcpConfigChecksum(
method ensureDeployment (line 1247) | func (r *VirtualMCPServerReconciler) ensureDeployment(
method ensureService (line 1350) | func (r *VirtualMCPServerReconciler) ensureService(
method ensureServiceURL (line 1422) | func (*VirtualMCPServerReconciler) ensureServiceURL(
method deploymentNeedsUpdate (line 1433) | func (r *VirtualMCPServerReconciler) deploymentNeedsUpdate(
method containerNeedsUpdate (line 1481) | func (r *VirtualMCPServerReconciler) containerNeedsUpdate(
method deploymentMetadataNeedsUpdate (line 1527) | func (*VirtualMCPServerReconciler) deploymentMetadataNeedsUpdate(
method podTemplateMetadataNeedsUpdate (line 1560) | func (r *VirtualMCPServerReconciler) podTemplateMetadataNeedsUpdate(
method podTemplateSpecNeedsUpdate (line 1588) | func (*VirtualMCPServerReconciler) podTemplateSpecNeedsUpdate(
method imagePullSecretsNeedsUpdate (line 1627) | func (r *VirtualMCPServerReconciler) imagePullSecretsNeedsUpdate(
method serviceNeedsUpdate (line 1651) | func (*VirtualMCPServerReconciler) serviceNeedsUpdate(
method determineStatusFromBackends (line 1772) | func (*VirtualMCPServerReconciler) determineStatusFromBackends(
method determineStatusFromPods (line 1830) | func (r *VirtualMCPServerReconciler) determineStatusFromPods(
method updateVirtualMCPServerStatus (line 1876) | func (r *VirtualMCPServerReconciler) updateVirtualMCPServerStatus(
method serviceAccountNameForVmcp (line 1963) | func (*VirtualMCPServerReconciler) serviceAccountNameForVmcp(vmcp *mcp...
method convertExternalAuthConfigToStrategy (line 2008) | func (*VirtualMCPServerReconciler) convertExternalAuthConfigToStrategy(
method convertBackendAuthConfigToVMCP (line 2041) | func (r *VirtualMCPServerReconciler) convertBackendAuthConfigToVMCP(
method listMCPServersAsMap (line 2073) | func (r *VirtualMCPServerReconciler) listMCPServersAsMap(
method listMCPRemoteProxiesAsMap (line 2089) | func (r *VirtualMCPServerReconciler) listMCPRemoteProxiesAsMap(
method listMCPServerEntriesAsMap (line 2105) | func (r *VirtualMCPServerReconciler) listMCPServerEntriesAsMap(
method discoverExternalAuthConfigs (line 2123) | func (r *VirtualMCPServerReconciler) discoverExternalAuthConfigs(
method getExternalAuthConfigNameFromWorkload (line 2205) | func (*VirtualMCPServerReconciler) getExternalAuthConfigNameFromWorkload(
method buildOutgoingAuthConfig (line 2249) | func (r *VirtualMCPServerReconciler) buildOutgoingAuthConfig(
method validateEmbeddingServerRef (line 2409) | func (r *VirtualMCPServerReconciler) validateEmbeddingServerRef(
method mapEmbeddingServerToVirtualMCPServer (line 2454) | func (r *VirtualMCPServerReconciler) mapEmbeddingServerToVirtualMCPSer...
method SetupWithManager (line 2486) | func (r *VirtualMCPServerReconciler) SetupWithManager(mgr ctrl.Manager...
method mapMCPGroupToVirtualMCPServer (line 2524) | func (r *VirtualMCPServerReconciler) mapMCPGroupToVirtualMCPServer(ctx...
method mapMCPServerToVirtualMCPServer (line 2561) | func (r *VirtualMCPServerReconciler) mapMCPServerToVirtualMCPServer(ct...
method mapMCPRemoteProxyToVirtualMCPServer (line 2639) | func (r *VirtualMCPServerReconciler) mapMCPRemoteProxyToVirtualMCPServer(
method mapMCPServerEntryToVirtualMCPServer (line 2720) | func (r *VirtualMCPServerReconciler) mapMCPServerEntryToVirtualMCPServer(
method mapExternalAuthConfigToVirtualMCPServer (line 2789) | func (r *VirtualMCPServerReconciler) mapExternalAuthConfigToVirtualMCP...
method mapToolConfigToVirtualMCPServer (line 2822) | func (r *VirtualMCPServerReconciler) mapToolConfigToVirtualMCPServer(c...
method vmcpReferencesToolConfig (line 2850) | func (*VirtualMCPServerReconciler) vmcpReferencesToolConfig(vmcp *mcpv...
method vmcpReferencesExternalAuthConfig (line 2867) | func (r *VirtualMCPServerReconciler) vmcpReferencesExternalAuthConfig(
method mcpGroupBackendsReferenceExternalAuthConfig (line 2908) | func (r *VirtualMCPServerReconciler) mcpGroupBackendsReferenceExternal...
method mapCompositeToolDefinitionToVirtualMCPServer (line 2974) | func (r *VirtualMCPServerReconciler) mapCompositeToolDefinitionToVirtu...
method vmcpReferencesCompositeToolDefinition (line 3005) | func (*VirtualMCPServerReconciler) vmcpReferencesCompositeToolDefinition(
method handleConfigRefs (line 3173) | func (r *VirtualMCPServerReconciler) handleConfigRefs(
method handleOIDCConfig (line 3187) | func (r *VirtualMCPServerReconciler) handleOIDCConfig(
method updateOIDCConfigReferencingWorkloads (line 3272) | func (r *VirtualMCPServerReconciler) updateOIDCConfigReferencingWorklo...
method mapOIDCConfigToVirtualMCPServer (line 3295) | func (r *VirtualMCPServerReconciler) mapOIDCConfigToVirtualMCPServer(
type statusDecision (line 1739) | type statusDecision struct
function countBackendHealth (line 1751) | func countBackendHealth(ctx context.Context, backends []mcpv1beta1.Disco...
function labelsForVirtualMCPServer (line 1933) | func labelsForVirtualMCPServer(name string) map[string]string {
function vmcpServiceAccountName (line 1947) | func vmcpServiceAccountName(vmcpName string) string {
function outgoingAuthSource (line 1953) | func outgoingAuthSource(vmcp *mcpv1beta1.VirtualMCPServer) string {
function vmcpServiceName (line 1986) | func vmcpServiceName(vmcpName string) string {
function vmcpConfigMapName (line 1992) | func vmcpConfigMapName(vmcpName string) string {
function createVmcpServiceURL (line 1999) | func createVmcpServiceURL(vmcpName, namespace string, port int32) string {
function injectSubjectProviderIfNeeded (line 2318) | func injectSubjectProviderIfNeeded(
function resolveFirstUpstreamProvider (line 2357) | func resolveFirstUpstreamProvider(embeddedCfg *mcpv1beta1.EmbeddedAuthSe...
function convertBackendsToStaticBackends (line 2368) | func convertBackendsToStaticBackends(
function setAuthConfigConditions (line 3036) | func setAuthConfigConditions(
function generateHMACSecret (line 3158) | func generateHMACSecret() (string, error) {
FILE: cmd/thv-operator/controllers/virtualmcpserver_controller_test.go
constant testChecksumValue (line 44) | testChecksumValue = "test-checksum-123"
constant testVmcpName (line 45) | testVmcpName = "test-vmcp"
function TestVirtualMCPServerValidateGroupRef (line 49) | func TestVirtualMCPServerValidateGroupRef(t *testing.T) {
function TestVirtualMCPServerEnsureRBACResources (line 213) | func TestVirtualMCPServerEnsureRBACResources(t *testing.T) {
function TestVirtualMCPServerEnsureRBACResources_ImagePullSecrets (line 293) | func TestVirtualMCPServerEnsureRBACResources_ImagePullSecrets(t *testing...
function TestVirtualMCPServerEnsureRBACResources_Update (line 340) | func TestVirtualMCPServerEnsureRBACResources_Update(t *testing.T) {
function TestVirtualMCPServerEnsureRBACResources_Idempotency (line 424) | func TestVirtualMCPServerEnsureRBACResources_Idempotency(t *testing.T) {
function TestVirtualMCPServerEnsureRBACResources_InlineMode (line 486) | func TestVirtualMCPServerEnsureRBACResources_InlineMode(t *testing.T) {
function TestVirtualMCPServerEnsureRBACResources_DiscoveredMode (line 556) | func TestVirtualMCPServerEnsureRBACResources_DiscoveredMode(t *testing.T) {
function TestVirtualMCPServerEnsureRBACResources_CustomServiceAccount (line 623) | func TestVirtualMCPServerEnsureRBACResources_CustomServiceAccount(t *tes...
function TestVirtualMCPServerEnsureDeployment (line 684) | func TestVirtualMCPServerEnsureDeployment(t *testing.T) {
function TestVirtualMCPServerEnsureService (line 767) | func TestVirtualMCPServerEnsureService(t *testing.T) {
function TestVirtualMCPServerServiceType (line 815) | func TestVirtualMCPServerServiceType(t *testing.T) {
function TestVirtualMCPServerServiceNeedsUpdate (line 877) | func TestVirtualMCPServerServiceNeedsUpdate(t *testing.T) {
function TestVirtualMCPServerUpdateStatus (line 1000) | func TestVirtualMCPServerUpdateStatus(t *testing.T) {
function TestVirtualMCPServerLabels (line 1147) | func TestVirtualMCPServerLabels(t *testing.T) {
function TestVirtualMCPServerNaming (line 1161) | func TestVirtualMCPServerNaming(t *testing.T) {
function TestVirtualMCPServerAuthConfiguredCondition (line 1185) | func TestVirtualMCPServerAuthConfiguredCondition(t *testing.T) {
function TestVirtualMCPServerReconcile_NotFound (line 1394) | func TestVirtualMCPServerReconcile_NotFound(t *testing.T) {
function TestVirtualMCPServerApplyStatusUpdates (line 1426) | func TestVirtualMCPServerApplyStatusUpdates(t *testing.T) {
function TestVirtualMCPServerApplyStatusUpdates_ResourceNotFound (line 1557) | func TestVirtualMCPServerApplyStatusUpdates_ResourceNotFound(t *testing....
function TestVirtualMCPServerEnsureAllResources_Errors (line 1596) | func TestVirtualMCPServerEnsureAllResources_Errors(t *testing.T) {
function TestVirtualMCPServerContainerNeedsUpdate (line 1670) | func TestVirtualMCPServerContainerNeedsUpdate(t *testing.T) {
function TestVirtualMCPServerDeploymentMetadataNeedsUpdate (line 1937) | func TestVirtualMCPServerDeploymentMetadataNeedsUpdate(t *testing.T) {
function TestVirtualMCPServerPodTemplateMetadataNeedsUpdate (line 2020) | func TestVirtualMCPServerPodTemplateMetadataNeedsUpdate(t *testing.T) {
function TestVirtualMCPServerDeploymentNeedsUpdate (line 2154) | func TestVirtualMCPServerDeploymentNeedsUpdate(t *testing.T) {
function TestVirtualMCPServerReconcile_HappyPath (line 2328) | func TestVirtualMCPServerReconcile_HappyPath(t *testing.T) {
function TestVirtualMCPServerReconcile_ValidateGroupRefError (line 2461) | func TestVirtualMCPServerReconcile_ValidateGroupRefError(t *testing.T) {
function TestVirtualMCPServerReconcile_GroupNotReady (line 2517) | func TestVirtualMCPServerReconcile_GroupNotReady(t *testing.T) {
function TestVirtualMCPServerReconcile_GetError (line 2582) | func TestVirtualMCPServerReconcile_GetError(t *testing.T) {
function TestVirtualMCPServerEnsureDeployment_ConfigMapNotFound (line 2613) | func TestVirtualMCPServerEnsureDeployment_ConfigMapNotFound(t *testing.T) {
function TestVirtualMCPServerEnsureDeployment_CreateDeployment (line 2649) | func TestVirtualMCPServerEnsureDeployment_CreateDeployment(t *testing.T) {
function TestVirtualMCPServerEnsureDeployment_UpdateDeployment (line 2706) | func TestVirtualMCPServerEnsureDeployment_UpdateDeployment(t *testing.T) {
function TestVirtualMCPServerEnsureDeployment_NoUpdateNeeded (line 2789) | func TestVirtualMCPServerEnsureDeployment_NoUpdateNeeded(t *testing.T) {
function TestVirtualMCPServerEnsureService_CreateService (line 2876) | func TestVirtualMCPServerEnsureService_CreateService(t *testing.T) {
function TestVirtualMCPServerEnsureService_UpdateService (line 2918) | func TestVirtualMCPServerEnsureService_UpdateService(t *testing.T) {
function TestVirtualMCPServerEnsureService_NoUpdateNeeded (line 2980) | func TestVirtualMCPServerEnsureService_NoUpdateNeeded(t *testing.T) {
function TestVirtualMCPServerValidateEmbeddingServerRef (line 3036) | func TestVirtualMCPServerValidateEmbeddingServerRef(t *testing.T) {
function TestVirtualMCPServerEnsureDeployment_ReplicaSync_SpecDriven (line 3214) | func TestVirtualMCPServerEnsureDeployment_ReplicaSync_SpecDriven(t *test...
function TestVirtualMCPServerEnsureDeployment_ReplicaSync_NilPassthrough (line 3294) | func TestVirtualMCPServerEnsureDeployment_ReplicaSync_NilPassthrough(t *...
function mustBuildEnvVarsForVmcp (line 3374) | func mustBuildEnvVarsForVmcp(r *VirtualMCPServerReconciler, vmcp *mcpv1b...
function TestGetExternalAuthConfigNameFromWorkload (line 3383) | func TestGetExternalAuthConfigNameFromWorkload(t *testing.T) {
function TestDiscoveredRBACRulesIncludeMCPServerEntries (line 3511) | func TestDiscoveredRBACRulesIncludeMCPServerEntries(t *testing.T) {
function TestVirtualMCPServerValidateAuthzUpstreamAvailable (line 3537) | func TestVirtualMCPServerValidateAuthzUpstreamAvailable(t *testing.T) {
function TestVirtualMCPServerValidateAuthzUpstreamAvailable_ClearsStaleWarning (line 3718) | func TestVirtualMCPServerValidateAuthzUpstreamAvailable_ClearsStaleWarni...
function TestVirtualMCPServerValidateAuthServerConfig_IdentitySynthesizedCondition (line 3779) | func TestVirtualMCPServerValidateAuthServerConfig_IdentitySynthesizedCon...
function TestVirtualMCPServerReconciler_IdentitySynthesizedTransitionsOnValidationFailure (line 3870) | func TestVirtualMCPServerReconciler_IdentitySynthesizedTransitionsOnVali...
FILE: cmd/thv-operator/controllers/virtualmcpserver_default_imagepullsecrets_test.go
function TestVirtualMCPServer_DefaultImagePullSecrets (line 31) | func TestVirtualMCPServer_DefaultImagePullSecrets(t *testing.T) {
FILE: cmd/thv-operator/controllers/virtualmcpserver_deployment.go
constant podTemplateSpecHashAnnotation (line 38) | podTemplateSpecHashAnnotation = "toolhive.stacklok.io/podtemplatespec-hash"
constant imagePullRefsHashAnnotation (line 49) | imagePullRefsHashAnnotation = "toolhive.stacklok.io/imagepullsecrets-hash"
constant logLevelDebug (line 52) | logLevelDebug = "debug"
constant vmcpDefaultPort (line 55) | vmcpDefaultPort = int32(4483)
constant vmcpLivenessInitialDelay (line 64) | vmcpLivenessInitialDelay = int32(30)
constant vmcpLivenessPeriod (line 65) | vmcpLivenessPeriod = int32(10)
constant vmcpLivenessTimeout (line 66) | vmcpLivenessTimeout = int32(5)
constant vmcpLivenessFailures (line 67) | vmcpLivenessFailures = int32(3)
constant vmcpReadinessInitialDelay (line 70) | vmcpReadinessInitialDelay = int32(15)
constant vmcpReadinessPeriod (line 71) | vmcpReadinessPeriod = int32(5)
constant vmcpReadinessTimeout (line 72) | vmcpReadinessTimeout = int32(3)
constant vmcpReadinessFailures (line 73) | vmcpReadinessFailures = int32(3)
constant vmcpTerminationGracePeriodSeconds (line 76) | vmcpTerminationGracePeriodSeconds = int64(30)
constant vmcpDefaultCPURequest (line 80) | vmcpDefaultCPURequest = "100m"
constant vmcpDefaultMemoryRequest (line 81) | vmcpDefaultMemoryRequest = "128Mi"
constant vmcpDefaultCPULimit (line 82) | vmcpDefaultCPULimit = "500m"
constant vmcpDefaultMemoryLimit (line 83) | vmcpDefaultMemoryLimit = "512Mi"
method deploymentForVirtualMCPServer (line 137) | func (r *VirtualMCPServerReconciler) deploymentForVirtualMCPServer(
method buildContainerArgsForVmcp (line 263) | func (*VirtualMCPServerReconciler) buildContainerArgsForVmcp(
method buildVolumesForVmcp (line 284) | func (r *VirtualMCPServerReconciler) buildVolumesForVmcp(
method buildEnvVarsForVmcp (line 332) | func (r *VirtualMCPServerReconciler) buildEnvVarsForVmcp(
method buildOIDCEnvVars (line 378) | func (r *VirtualMCPServerReconciler) buildOIDCEnvVars(
method buildHMACSecretEnvVar (line 419) | func (*VirtualMCPServerReconciler) buildHMACSecretEnvVar(vmcp *mcpv1beta...
method buildRedisPasswordEnvVar (line 437) | func (*VirtualMCPServerReconciler) buildRedisPasswordEnvVar(vmcp *mcpv1b...
method buildOutgoingAuthEnvVars (line 457) | func (r *VirtualMCPServerReconciler) buildOutgoingAuthEnvVars(
method discoverExternalAuthConfigSecrets (line 498) | func (r *VirtualMCPServerReconciler) discoverExternalAuthConfigSecrets(
method discoverInlineExternalAuthConfigSecrets (line 567) | func (r *VirtualMCPServerReconciler) discoverInlineExternalAuthConfigSec...
method getExternalAuthConfigSecretEnvVar (line 615) | func (r *VirtualMCPServerReconciler) getExternalAuthConfigSecretEnvVar(
method buildDeploymentMetadataForVmcp (line 693) | func (r *VirtualMCPServerReconciler) buildDeploymentMetadataForVmcp(
function imagePullSecretsHash (line 730) | func imagePullSecretsHash(secrets []corev1.LocalObjectReference) (string...
method buildPodTemplateMetadata (line 748) | func (*VirtualMCPServerReconciler) buildPodTemplateMetadata(
method buildSecurityContextsForVmcp (line 763) | func (r *VirtualMCPServerReconciler) buildSecurityContextsForVmcp(
method buildContainerPortsForVmcp (line 782) | func (*VirtualMCPServerReconciler) buildContainerPortsForVmcp(
method serviceForVirtualMCPServer (line 793) | func (r *VirtualMCPServerReconciler) serviceForVirtualMCPServer(
method buildServiceMetadataForVmcp (line 845) | func (*VirtualMCPServerReconciler) buildServiceMetadataForVmcp(
function getVmcpImage (line 858) | func getVmcpImage() string {
method validateSecretReferences (line 879) | func (r *VirtualMCPServerReconciler) validateSecretReferences(
method validateBackendAuthSecrets (line 923) | func (*VirtualMCPServerReconciler) validateBackendAuthSecrets(
method validateSecretKeyRef (line 935) | func (r *VirtualMCPServerReconciler) validateSecretKeyRef(
method applyPodTemplateSpecToDeployment (line 977) | func (*VirtualMCPServerReconciler) applyPodTemplateSpecToDeployment(
constant caBundleBasePath (line 1016) | caBundleBasePath = "/etc/toolhive/ca-bundles"
function caBundleMountPath (line 1021) | func caBundleMountPath(entryName string, caBundleRef *mcpv1beta1.CABundl...
function caBundleVolumeName (line 1038) | func caBundleVolumeName(entryName string) string {
method buildCABundleVolumesForEntries (line 1058) | func (r *VirtualMCPServerReconciler) buildCABundleVolumesForEntries(
FILE: cmd/thv-operator/controllers/virtualmcpserver_deployment_test.go
function TestDeploymentForVirtualMCPServer (line 40) | func TestDeploymentForVirtualMCPServer(t *testing.T) {
function TestDeploymentForVirtualMCPServer_WithRedisPassword (line 96) | func TestDeploymentForVirtualMCPServer_WithRedisPassword(t *testing.T) {
function TestBuildContainerArgsForVmcp (line 144) | func TestBuildContainerArgsForVmcp(t *testing.T) {
function TestBuildVolumesForVmcp (line 198) | func TestBuildVolumesForVmcp(t *testing.T) {
function TestBuildEnvVarsForVmcp (line 228) | func TestBuildEnvVarsForVmcp(t *testing.T) {
function TestBuildRedisPasswordEnvVar (line 265) | func TestBuildRedisPasswordEnvVar(t *testing.T) {
function TestBuildDeploymentMetadataForVmcp (line 323) | func TestBuildDeploymentMetadataForVmcp(t *testing.T) {
function TestBuildPodTemplateMetadata (line 342) | func TestBuildPodTemplateMetadata(t *testing.T) {
function TestBuildSecurityContextsForVmcp (line 362) | func TestBuildSecurityContextsForVmcp(t *testing.T) {
function TestBuildContainerPortsForVmcp (line 383) | func TestBuildContainerPortsForVmcp(t *testing.T) {
function TestServiceForVirtualMCPServer (line 403) | func TestServiceForVirtualMCPServer(t *testing.T) {
function TestServiceForVirtualMCPServerSessionAffinityNone (line 443) | func TestServiceForVirtualMCPServerSessionAffinityNone(t *testing.T) {
function TestBuildServiceMetadataForVmcp (line 472) | func TestBuildServiceMetadataForVmcp(t *testing.T) {
function TestGetVmcpImage (line 493) | func TestGetVmcpImage(t *testing.T) {
function TestDeploymentNeedsUpdate (line 530) | func TestDeploymentNeedsUpdate(t *testing.T) {
function TestServiceNeedsUpdate (line 553) | func TestServiceNeedsUpdate(t *testing.T) {
function TestCABundleMountPath (line 581) | func TestCABundleMountPath(t *testing.T) {
function TestCABundleVolumeName (line 631) | func TestCABundleVolumeName(t *testing.T) {
function TestBuildCABundleVolumesForEntries (line 697) | func TestBuildCABundleVolumesForEntries(t *testing.T) {
function TestDeploymentForVirtualMCPServer_ImagePullSecrets (line 876) | func TestDeploymentForVirtualMCPServer_ImagePullSecrets(t *testing.T) {
function TestDeploymentForVirtualMCPServer_ImagePullSecrets_UpdatePath (line 980) | func TestDeploymentForVirtualMCPServer_ImagePullSecrets_UpdatePath(t *te...
function TestImagePullSecretsHash (line 1096) | func TestImagePullSecretsHash(t *testing.T) {
FILE: cmd/thv-operator/controllers/virtualmcpserver_embedding.go
method isEmbeddingServerReady (line 21) | func (r *VirtualMCPServerReconciler) isEmbeddingServerReady(
method resolveEmbeddingServiceURL (line 56) | func (r *VirtualMCPServerReconciler) resolveEmbeddingServiceURL(
function embeddingServerNameForVMCP (line 75) | func embeddingServerNameForVMCP(vmcp *mcpv1beta1.VirtualMCPServer) string {
FILE: cmd/thv-operator/controllers/virtualmcpserver_externalauth_test.go
function TestConvertExternalAuthConfigToStrategy (line 29) | func TestConvertExternalAuthConfigToStrategy(t *testing.T) {
function TestBuildOutgoingAuthConfig (line 213) | func TestBuildOutgoingAuthConfig(t *testing.T) {
function TestConvertBackendAuthConfigToVMCP (line 757) | func TestConvertBackendAuthConfigToVMCP(t *testing.T) {
function TestGenerateUniqueTokenExchangeEnvVarName (line 853) | func TestGenerateUniqueTokenExchangeEnvVarName(t *testing.T) {
function TestGenerateUniqueHeaderInjectionEnvVarName (line 911) | func TestGenerateUniqueHeaderInjectionEnvVarName(t *testing.T) {
function awsStsStrategy (line 968) | func awsStsStrategy(subjectProviderName string) *authtypes.BackendAuthSt...
function tokenExchangeStrategy (line 979) | func tokenExchangeStrategy(subjectProviderName string) *authtypes.Backen...
function embeddedAuthServerCfg (line 990) | func embeddedAuthServerCfg(upstreamNames ...string) *mcpv1beta1.Embedded...
function TestInjectSubjectProviderIfNeeded (line 1003) | func TestInjectSubjectProviderIfNeeded(t *testing.T) {
function TestBuildOutgoingAuthConfig_SubjectProviderInjection (line 1136) | func TestBuildOutgoingAuthConfig_SubjectProviderInjection(t *testing.T) {
function TestDiscoverExternalAuthConfigSecrets_DeterministicOrdering (line 1250) | func TestDiscoverExternalAuthConfigSecrets_DeterministicOrdering(t *test...
function TestDiscoverInlineExternalAuthConfigSecrets_DeterministicOrdering (line 1435) | func TestDiscoverInlineExternalAuthConfigSecrets_DeterministicOrdering(t...
function TestBuildOutgoingAuthConfig_InlineBackendSubjectProviderInjection (line 1578) | func TestBuildOutgoingAuthConfig_InlineBackendSubjectProviderInjection(t...
FILE: cmd/thv-operator/controllers/virtualmcpserver_hmac_secret_test.go
function TestGenerateHMACSecret (line 15) | func TestGenerateHMACSecret(t *testing.T) {
FILE: cmd/thv-operator/controllers/virtualmcpserver_podtemplatespec_reconcile_test.go
constant testPodTemplateNamespace (line 26) | testPodTemplateNamespace = "test-namespace"
constant testPodTemplateVmcpName (line 27) | testPodTemplateVmcpName = "test-vmcp"
constant testPodTemplateGroupName (line 28) | testPodTemplateGroupName = "test-group"
function TestVirtualMCPServerPodTemplateSpecDeterministic (line 33) | func TestVirtualMCPServerPodTemplateSpecDeterministic(t *testing.T) {
function TestVirtualMCPServerPodTemplateSpecPreservesContainer (line 111) | func TestVirtualMCPServerPodTemplateSpecPreservesContainer(t *testing.T) {
function TestVirtualMCPServerPodTemplateSpecNeedsUpdate (line 178) | func TestVirtualMCPServerPodTemplateSpecNeedsUpdate(t *testing.T) {
function TestVirtualMCPServerPodTemplateSpecResourceOverride (line 290) | func TestVirtualMCPServerPodTemplateSpecResourceOverride(t *testing.T) {
FILE: cmd/thv-operator/controllers/virtualmcpserver_podtemplatespec_test.go
function TestVirtualMCPServerPodTemplateSpecBuilder (line 15) | func TestVirtualMCPServerPodTemplateSpecBuilder(t *testing.T) {
function TestVirtualMCPServerPodTemplateSpecValidation (line 81) | func TestVirtualMCPServerPodTemplateSpecValidation(t *testing.T) {
FILE: cmd/thv-operator/controllers/virtualmcpserver_telemetryconfig.go
method handleTelemetryConfig (line 27) | func (r *VirtualMCPServerReconciler) handleTelemetryConfig(
method mapTelemetryConfigToVirtualMCPServer (line 99) | func (r *VirtualMCPServerReconciler) mapTelemetryConfigToVirtualMCPServer(
FILE: cmd/thv-operator/controllers/virtualmcpserver_telemetryconfig_test.go
function TestHandleTelemetryConfig_VirtualMCPServer (line 20) | func TestHandleTelemetryConfig_VirtualMCPServer(t *testing.T) {
function TestMapTelemetryConfigToVirtualMCPServer (line 211) | func TestMapTelemetryConfigToVirtualMCPServer(t *testing.T) {
FILE: cmd/thv-operator/controllers/virtualmcpserver_vmcpconfig.go
method ensureVmcpConfigConfigMap (line 34) | func (r *VirtualMCPServerReconciler) ensureVmcpConfigConfigMap(
method populateOptimizerEmbeddingService (line 145) | func (r *VirtualMCPServerReconciler) populateOptimizerEmbeddingService(
method populateOptimizerFromRef (line 175) | func (r *VirtualMCPServerReconciler) populateOptimizerFromRef(
function labelsForVmcpConfig (line 204) | func labelsForVmcpConfig(vmcpName string) map[string]string {
method discoverBackendsWithMetadata (line 214) | func (r *VirtualMCPServerReconciler) discoverBackendsWithMetadata(
method buildTransportMap (line 246) | func (r *VirtualMCPServerReconciler) buildTransportMap(
method buildCABundlePathMap (line 304) | func (r *VirtualMCPServerReconciler) buildCABundlePathMap(
function extractInlineBackendNames (line 343) | func extractInlineBackendNames(vmcp *mcpv1beta1.VirtualMCPServer) []stri...
function determineValidInlineBackends (line 355) | func determineValidInlineBackends(authConfig *vmcpconfig.OutgoingAuthCon...
method processOutgoingAuth (line 374) | func (r *VirtualMCPServerReconciler) processOutgoingAuth(
FILE: cmd/thv-operator/controllers/virtualmcpserver_vmcpconfig_test.go
function newNoOpMockResolver (line 37) | func newNoOpMockResolver(t *testing.T) *oidcmocks.MockResolver {
function newTestConverter (line 45) | func newTestConverter(t *testing.T, resolver *oidcmocks.MockResolver) *v...
function TestCreateVmcpConfigFromVirtualMCPServer (line 56) | func TestCreateVmcpConfigFromVirtualMCPServer(t *testing.T) {
function TestConvertOutgoingAuth (line 98) | func TestConvertOutgoingAuth(t *testing.T) {
function TestConvertBackendAuthConfig (line 174) | func TestConvertBackendAuthConfig(t *testing.T) {
function TestConvertAggregation (line 270) | func TestConvertAggregation(t *testing.T) {
function TestConvertCompositeTools (line 367) | func TestConvertCompositeTools(t *testing.T) {
function TestEnsureVmcpConfigConfigMap (line 452) | func TestEnsureVmcpConfigConfigMap(t *testing.T) {
function TestSetAuthConfigConditions (line 514) | func TestSetAuthConfigConditions(t *testing.T) {
function TestValidateVmcpConfig (line 952) | func TestValidateVmcpConfig(t *testing.T) {
function TestLabelsForVmcpConfig (line 991) | func TestLabelsForVmcpConfig(t *testing.T) {
function TestYAMLMarshalingDeterminism (line 1004) | func TestYAMLMarshalingDeterminism(t *testing.T) {
function TestVirtualMCPServerReconciler_CompositeToolRefs_EndToEnd (line 1111) | func TestVirtualMCPServerReconciler_CompositeToolRefs_EndToEnd(t *testin...
function TestVirtualMCPServerReconciler_CompositeToolRefs_MergeInlineAndReferenced (line 1233) | func TestVirtualMCPServerReconciler_CompositeToolRefs_MergeInlineAndRefe...
function TestVirtualMCPServerReconciler_CompositeToolRefs_NotFound (line 1351) | func TestVirtualMCPServerReconciler_CompositeToolRefs_NotFound(t *testin...
function TestConfigMapContent_DynamicMode (line 1414) | func TestConfigMapContent_DynamicMode(t *testing.T) {
function TestConfigMapContent_StaticMode_InlineOverrides (line 1498) | func TestConfigMapContent_StaticMode_InlineOverrides(t *testing.T) {
function TestConfigMapContent_StaticModeWithDiscovery (line 1605) | func TestConfigMapContent_StaticModeWithDiscovery(t *testing.T) {
function TestConvertBackendsToStaticBackends_SkipsInvalidBackends (line 1745) | func TestConvertBackendsToStaticBackends_SkipsInvalidBackends(t *testing...
function TestStaticModeTransportConstants (line 1787) | func TestStaticModeTransportConstants(t *testing.T) {
function TestOptimizerEmbeddingServiceURL (line 1813) | func TestOptimizerEmbeddingServiceURL(t *testing.T) {
function TestConfigMapContent_SessionStorage (line 1957) | func TestConfigMapContent_SessionStorage(t *testing.T) {
function TestEnsureVmcpConfigConfigMap_AuthServerIntegrationValidationError (line 2084) | func TestEnsureVmcpConfigConfigMap_AuthServerIntegrationValidationError(...
function TestConvertBackendsToStaticBackends_WithCABundlePathMap (line 2195) | func TestConvertBackendsToStaticBackends_WithCABundlePathMap(t *testing....
function TestBuildCABundlePathMap (line 2306) | func TestBuildCABundlePathMap(t *testing.T) {
FILE: cmd/thv-operator/controllers/virtualmcpserver_watch_test.go
function TestMapMCPGroupToVirtualMCPServer (line 33) | func TestMapMCPGroupToVirtualMCPServer(t *testing.T) {
function TestMapMCPGroupToVirtualMCPServer_InvalidObject (line 197) | func TestMapMCPGroupToVirtualMCPServer_InvalidObject(t *testing.T) {
function TestMapMCPServerToVirtualMCPServer (line 223) | func TestMapMCPServerToVirtualMCPServer(t *testing.T) {
function TestMapMCPServerToVirtualMCPServer_InvalidObject (line 447) | func TestMapMCPServerToVirtualMCPServer_InvalidObject(t *testing.T) {
function TestMapMCPRemoteProxyToVirtualMCPServer (line 473) | func TestMapMCPRemoteProxyToVirtualMCPServer(t *testing.T) {
function TestMapMCPRemoteProxyToVirtualMCPServer_InvalidObject (line 697) | func TestMapMCPRemoteProxyToVirtualMCPServer_InvalidObject(t *testing.T) {
function TestMapExternalAuthConfigToVirtualMCPServer (line 724) | func TestMapExternalAuthConfigToVirtualMCPServer(t *testing.T) {
function TestMapToolConfigToVirtualMCPServer (line 1126) | func TestMapToolConfigToVirtualMCPServer(t *testing.T) {
function TestVmcpReferencesToolConfig (line 1292) | func TestVmcpReferencesToolConfig(t *testing.T) {
function TestVmcpReferencesExternalAuthConfig (line 1393) | func TestVmcpReferencesExternalAuthConfig(t *testing.T) {
function TestMapEmbeddingServerToVirtualMCPServer (line 1796) | func TestMapEmbeddingServerToVirtualMCPServer(t *testing.T) {
function TestMapEmbeddingServerToVirtualMCPServer_InvalidObject (line 1933) | func TestMapEmbeddingServerToVirtualMCPServer_InvalidObject(t *testing.T) {
FILE: cmd/thv-operator/main.go
constant featureServer (line 47) | featureServer = "ENABLE_SERVER"
constant featureRegistry (line 48) | featureRegistry = "ENABLE_REGISTRY"
constant featureVMCP (line 49) | featureVMCP = "ENABLE_VMCP"
function init (line 57) | func init() {
function main (line 64) | func main() {
function setupControllersAndWebhooks (line 154) | func setupControllersAndWebhooks(mgr ctrl.Manager, imagePullSecretsDefau...
function setupGroupRefFieldIndexes (line 218) | func setupGroupRefFieldIndexes(mgr ctrl.Manager) error {
function setupServerControllers (line 277) | func setupServerControllers(mgr ctrl.Manager, imagePullSecretsDefaults i...
function setupRegistryController (line 361) | func setupRegistryController(mgr ctrl.Manager, imagePullSecretsDefaults ...
function setupAggregationControllers (line 375) | func setupAggregationControllers(mgr ctrl.Manager, imagePullSecretsDefau...
function isFeatureEnabled (line 401) | func isFeatureEnabled(envVar string, defaultValue bool) bool {
function getDefaultNamespaces (line 422) | func getDefaultNamespaces() map[string]cache.Config {
FILE: cmd/thv-operator/main_test.go
function TestIsFeatureEnabled (line 15) | func TestIsFeatureEnabled(t *testing.T) {
function TestControllerDependencies (line 157) | func TestControllerDependencies(t *testing.T) {
function TestFeatureFlagConstants (line 165) | func TestFeatureFlagConstants(t *testing.T) {
FILE: cmd/thv-operator/pkg/controllerutil/authserver.go
constant AuthServerKeysVolumePrefix (line 27) | AuthServerKeysVolumePrefix = "authserver-signing-key-"
constant AuthServerHMACVolumePrefix (line 30) | AuthServerHMACVolumePrefix = "authserver-hmac-secret-"
constant RedisTLSCACertVolumePrefix (line 33) | RedisTLSCACertVolumePrefix = "redis-tls-ca-"
constant RedisTLSCACertMountPath (line 36) | RedisTLSCACertMountPath = "/etc/toolhive/authserver/redis-tls"
constant RedisTLSCACertFileName (line 39) | RedisTLSCACertFileName = "ca.crt"
constant RedisSentinelTLSCACertFileName (line 42) | RedisSentinelTLSCACertFileName = "sentinel-ca.crt"
constant AuthServerKeysMountPath (line 45) | AuthServerKeysMountPath = "/etc/toolhive/authserver/keys"
constant AuthServerHMACMountPath (line 48) | AuthServerHMACMountPath = "/etc/toolhive/authserver/hmac"
constant AuthServerKeyFilePattern (line 51) | AuthServerKeyFilePattern = "key-%d.pem"
constant AuthServerHMACFilePattern (line 54) | AuthServerHMACFilePattern = "hmac-%d"
constant UpstreamClientSecretEnvVar (line 60) | UpstreamClientSecretEnvVar = "TOOLHIVE_UPSTREAM_CLIENT_SECRET"
constant DefaultSentinelPort (line 63) | DefaultSentinelPort = 26379
type upstreamSecretBinding (line 70) | type upstreamSecretBinding struct
function buildUpstreamSecretBindings (line 79) | func buildUpstreamSecretBindings(
function EmbeddedAuthServerConfigName (line 96) | func EmbeddedAuthServerConfigName(
function GenerateAuthServerConfigByName (line 116) | func GenerateAuthServerConfigByName(
function GenerateAuthServerVolumes (line 150) | func GenerateAuthServerVolumes(
function GenerateAuthServerEnvVars (line 274) | func GenerateAuthServerEnvVars(
function AddEmbeddedAuthServerConfigOptions (line 369) | func AddEmbeddedAuthServerConfigOptions(
function validateOIDCConfigForEmbeddedAuthServer (line 430) | func validateOIDCConfigForEmbeddedAuthServer(oidcConfig *oidc.OIDCConfig...
function BuildAuthServerRunConfig (line 463) | func BuildAuthServerRunConfig(
function buildStorageRunConfig (line 529) | func buildStorageRunConfig(
function convertRedisTLSConfig (line 603) | func convertRedisTLSConfig(cfg *mcpv1beta1.RedisTLSConfig, isSentinel bo...
function resolveSentinelAddrs (line 621) | func resolveSentinelAddrs(
function defaultRedirectURI (line 655) | func defaultRedirectURI(resourceURL string) string {
function buildUpstreamRunConfig (line 663) | func buildUpstreamRunConfig(
function buildUserInfoRunConfig (line 732) | func buildUserInfoRunConfig(
function ValidateAndAddAuthServerRefOptions (line 755) | func ValidateAndAddAuthServerRefOptions(
function AddAuthServerRefOptions (line 791) | func AddAuthServerRefOptions(
FILE: cmd/thv-operator/pkg/controllerutil/authserver_test.go
function TestGenerateAuthServerVolumes (line 28) | func TestGenerateAuthServerVolumes(t *testing.T) {
function TestGenerateAuthServerVolumes_RedisTLS (line 193) | func TestGenerateAuthServerVolumes_RedisTLS(t *testing.T) {
function TestGenerateAuthServerEnvVars (line 342) | func TestGenerateAuthServerEnvVars(t *testing.T) {
function TestGenerateAuthServerConfigByName (line 526) | func TestGenerateAuthServerConfigByName(t *testing.T) {
function TestBuildAuthServerRunConfig (line 686) | func TestBuildAuthServerRunConfig(t *testing.T) {
function TestAddEmbeddedAuthServerConfigOptions_Validation (line 1193) | func TestAddEmbeddedAuthServerConfigOptions_Validation(t *testing.T) {
function TestVolumePathPatterns (line 1314) | func TestVolumePathPatterns(t *testing.T) {
function TestGenerateAuthServerEnvVars_RedisCredentials (line 1343) | func TestGenerateAuthServerEnvVars_RedisCredentials(t *testing.T) {
function TestResolveSentinelAddrs (line 1489) | func TestResolveSentinelAddrs(t *testing.T) {
function TestBuildStorageRunConfig (line 1570) | func TestBuildStorageRunConfig(t *testing.T) {
function TestBuildAuthServerRunConfig_WithRedisStorage (line 1813) | func TestBuildAuthServerRunConfig_WithRedisStorage(t *testing.T) {
function TestAddAuthServerRefOptions (line 1855) | func TestAddAuthServerRefOptions(t *testing.T) {
function TestValidateAndAddAuthServerRefOptions (line 2031) | func TestValidateAndAddAuthServerRefOptions(t *testing.T) {
FILE: cmd/thv-operator/pkg/controllerutil/authz.go
constant DefaultAuthzKey (line 29) | DefaultAuthzKey = "authz.json"
function GenerateAuthzVolumeConfig (line 33) | func GenerateAuthzVolumeConfig(
function EnsureAuthzConfigMap (line 113) | func EnsureAuthzConfigMap(
function addAuthzInlineConfigOptions (line 169) | func addAuthzInlineConfigOptions(
function AddAuthzConfigOptions (line 200) | func AddAuthzConfigOptions(
FILE: cmd/thv-operator/pkg/controllerutil/authz_test.go
function TestGenerateAuthzVolumeConfig (line 22) | func TestGenerateAuthzVolumeConfig(t *testing.T) {
function TestGenerateAuthzVolumeConfigInlineConfigMapName (line 140) | func TestGenerateAuthzVolumeConfigInlineConfigMapName(t *testing.T) {
function TestEnsureAuthzConfigMap (line 157) | func TestEnsureAuthzConfigMap(t *testing.T) {
function TestAddAuthzConfigOptions (line 322) | func TestAddAuthzConfigOptions(t *testing.T) {
function getKey (line 679) | func getKey(namespace, name string) struct {
FILE: cmd/thv-operator/pkg/controllerutil/config.go
function CalculateConfigHash (line 26) | func CalculateConfigHash[T any](spec T) string {
function FindReferencingMCPServers (line 54) | func FindReferencingMCPServers(
function FindReferencingMCPRemoteProxies (line 81) | func FindReferencingMCPRemoteProxies(
function CompareWorkloadRefs (line 105) | func CompareWorkloadRefs(a, b mcpv1beta1.WorkloadReference) int {
function SortWorkloadRefs (line 115) | func SortWorkloadRefs(refs []mcpv1beta1.WorkloadReference) {
function WorkloadRefsEqual (line 121) | func WorkloadRefsEqual(a, b []mcpv1beta1.WorkloadReference) bool {
function FindWorkloadRefsFromMCPServers (line 130) | func FindWorkloadRefsFromMCPServers(
function GetToolConfigForMCPRemoteProxy (line 150) | func GetToolConfigForMCPRemoteProxy(
function GetExternalAuthConfigForMCPRemoteProxy (line 173) | func GetExternalAuthConfigForMCPRemoteProxy(
function GetTelemetryConfigForMCPRemoteProxy (line 199) | func GetTelemetryConfigForMCPRemoteProxy(
function GetTelemetryConfigForVirtualMCPServer (line 227) | func GetTelemetryConfigForVirtualMCPServer(
function GetExternalAuthConfigByName (line 252) | func GetExternalAuthConfigByName(
FILE: cmd/thv-operator/pkg/controllerutil/config_test.go
function TestCalculateConfigHash (line 18) | func TestCalculateConfigHash(t *testing.T) {
function TestFindReferencingMCPServers (line 92) | func TestFindReferencingMCPServers(t *testing.T) {
function TestSortWorkloadRefs (line 309) | func TestSortWorkloadRefs(t *testing.T) {
function TestWorkloadRefsEqual (line 347) | func TestWorkloadRefsEqual(t *testing.T) {
function TestFindWorkloadRefsFromMCPServers (line 397) | func TestFindWorkloadRefsFromMCPServers(t *testing.T) {
function TestGetTelemetryConfigForMCPRemoteProxy (line 463) | func TestGetTelemetryConfigForMCPRemoteProxy(t *testing.T) {
function TestGetTelemetryConfigForVirtualMCPServer (line 558) | func TestGetTelemetryConfigForVirtualMCPServer(t *testing.T) {
FILE: cmd/thv-operator/pkg/controllerutil/externalauth.go
function GenerateUniqueTokenExchangeEnvVarName (line 24) | func GenerateUniqueTokenExchangeEnvVarName(configName string) string {
function GenerateUniqueHeaderInjectionEnvVarName (line 39) | func GenerateUniqueHeaderInjectionEnvVarName(configName string) string {
function GenerateHeaderForwardSecretEnvVarName (line 56) | func GenerateHeaderForwardSecretEnvVarName(proxyName, headerName string)...
FILE: cmd/thv-operator/pkg/controllerutil/externalauth_test.go
function TestGenerateUniqueTokenExchangeEnvVarName (line 14) | func TestGenerateUniqueTokenExchangeEnvVarName(t *testing.T) {
function TestGenerateUniqueHeaderInjectionEnvVarName (line 61) | func TestGenerateUniqueHeaderInjectionEnvVarName(t *testing.T) {
function TestGenerateHeaderForwardSecretEnvVarName (line 108) | func TestGenerateHeaderForwardSecretEnvVarName(t *testing.T) {
FILE: cmd/thv-operator/pkg/controllerutil/maps.go
function MapIsSubset (line 8) | func MapIsSubset(subset, superset map[string]string) bool {
FILE: cmd/thv-operator/pkg/controllerutil/maps_test.go
function TestMapIsSubset (line 12) | func TestMapIsSubset(t *testing.T) {
FILE: cmd/thv-operator/pkg/controllerutil/oidc.go
function GetOIDCConfigForServer (line 19) | func GetOIDCConfigForServer(
function GenerateOIDCClientSecretEnvVar (line 43) | func GenerateOIDCClientSecretEnvVar(
FILE: cmd/thv-operator/pkg/controllerutil/oidc_test.go
function TestGenerateOIDCClientSecretEnvVar (line 20) | func TestGenerateOIDCClientSecretEnvVar(t *testing.T) {
FILE: cmd/thv-operator/pkg/controllerutil/oidc_volumes.go
function AddOIDCConfigRefCABundleVolumes (line 17) | func AddOIDCConfigRefCABundleVolumes(
FILE: cmd/thv-operator/pkg/controllerutil/patch.go
function MutateAndPatchSpec (line 60) | func MutateAndPatchSpec[T client.Object](
FILE: cmd/thv-operator/pkg/controllerutil/patch_test.go
type specPatchRecordingClient (line 25) | type specPatchRecordingClient struct
method Patch (line 32) | func (c *specPatchRecordingClient) Patch(
method lastBody (line 46) | func (c *specPatchRecordingClient) lastBody() string {
function buildSpecTestClient (line 55) | func buildSpecTestClient(t *testing.T, seed *mcpv1beta1.MCPServer) (*spe...
function TestMutateAndPatchSpec_AppliesMutationWithOptimisticLock (line 74) | func TestMutateAndPatchSpec_AppliesMutationWithOptimisticLock(t *testing...
function TestMutateAndPatchSpec_DeepCopyIsolatesOriginal (line 138) | func TestMutateAndPatchSpec_DeepCopyIsolatesOriginal(t *testing.T) {
function TestMutateAndPatchSpec_Propagates409Conflict (line 172) | func TestMutateAndPatchSpec_Propagates409Conflict(t *testing.T) {
function TestMutateAndPatchSpec_RejectsNilObj (line 201) | func TestMutateAndPatchSpec_RejectsNilObj(t *testing.T) {
function TestMutateAndPatchSpec_PreservesDisjointSpecFields (line 234) | func TestMutateAndPatchSpec_PreservesDisjointSpecFields(t *testing.T) {
function TestMutateAndPatchSpec_NoOpMutateStillPatches (line 293) | func TestMutateAndPatchSpec_NoOpMutateStillPatches(t *testing.T) {
FILE: cmd/thv-operator/pkg/controllerutil/platform.go
type PlatformDetectorInterface (line 19) | type PlatformDetectorInterface interface
type SharedPlatformDetector (line 24) | type SharedPlatformDetector struct
method DetectPlatform (line 47) | func (s *SharedPlatformDetector) DetectPlatform(ctx context.Context) (...
function NewSharedPlatformDetector (line 32) | func NewSharedPlatformDetector() *SharedPlatformDetector {
function NewSharedPlatformDetectorWithDetector (line 39) | func NewSharedPlatformDetectorWithDetector(detector kubernetes.PlatformD...
FILE: cmd/thv-operator/pkg/controllerutil/podtemplatespec_builder.go
type PodTemplateSpecBuilder (line 19) | type PodTemplateSpecBuilder struct
method WithServiceAccount (line 52) | func (b *PodTemplateSpecBuilder) WithServiceAccount(serviceAccount *st...
method WithSecrets (line 61) | func (b *PodTemplateSpecBuilder) WithSecrets(secrets []mcpv1beta1.Secr...
method Build (line 113) | func (b *PodTemplateSpecBuilder) Build() *corev1.PodTemplateSpec {
method isEmpty (line 121) | func (b *PodTemplateSpecBuilder) isEmpty() bool {
function NewPodTemplateSpecBuilder (line 27) | func NewPodTemplateSpecBuilder(userTemplateRaw *runtime.RawExtension, co...
function parsePodTemplateSpec (line 146) | func parsePodTemplateSpec(raw *runtime.RawExtension) (*corev1.PodTemplat...
FILE: cmd/thv-operator/pkg/controllerutil/podtemplatespec_builder_test.go
constant testContainerName (line 16) | testContainerName = "test-container"
function TestNewPodTemplateSpecBuilder (line 18) | func TestNewPodTemplateSpecBuilder(t *testing.T) {
function TestNewPodTemplateSpecBuilder_EmptyContainerName (line 51) | func TestNewPodTemplateSpecBuilder_EmptyContainerName(t *testing.T) {
function TestPodTemplateSpecBuilder_Build (line 60) | func TestPodTemplateSpecBuilder_Build(t *testing.T) {
function TestPodTemplateSpecBuilder_WithServiceAccount (line 108) | func TestPodTemplateSpecBuilder_WithServiceAccount(t *testing.T) {
function TestPodTemplateSpecBuilder_WithSecrets (line 138) | func TestPodTemplateSpecBuilder_WithSecrets(t *testing.T) {
function TestPodTemplateSpecBuilder_isEmpty (line 211) | func TestPodTemplateSpecBuilder_isEmpty(t *testing.T) {
function TestPodTemplateSpecBuilder_Chaining (line 238) | func TestPodTemplateSpecBuilder_Chaining(t *testing.T) {
function ptr (line 257) | func ptr(s string) *string {
FILE: cmd/thv-operator/pkg/controllerutil/podtemplatespec_patch.go
function ApplyPodTemplateSpecPatch (line 47) | func ApplyPodTemplateSpecPatch(base corev1.PodTemplateSpec, patch []byte...
FILE: cmd/thv-operator/pkg/controllerutil/podtemplatespec_patch_test.go
function TestApplyPodTemplateSpecPatch (line 15) | func TestApplyPodTemplateSpecPatch(t *testing.T) {
FILE: cmd/thv-operator/pkg/controllerutil/resources.go
function BuildResourceRequirements (line 22) | func Bui
Copy disabled (too large)
Download .json
Condensed preview — 2093 files, each showing path, character count, and a content snippet. Download the .json file for the full structured content (22,872K chars).
[
{
"path": ".chainsaw.yaml",
"chars": 301,
"preview": "apiVersion: chainsaw.kyverno.io/v1alpha1\nkind: Configuration\nmetadata:\n name: default\nspec:\n timeouts:\n apply: 30s\n"
},
{
"path": ".claude/agents/bug-triage.md",
"chars": 2211,
"preview": "---\nname: bug-triage\ndescription: Triages GitHub issues by investigating whether they've been resolved in the codebase, "
},
{
"path": ".claude/agents/code-reviewer.md",
"chars": 2377,
"preview": "---\nname: code-reviewer\ndescription: Reviews code for ToolHive best practices, security patterns, Go conventions, and ar"
},
{
"path": ".claude/agents/documentation-writer.md",
"chars": 2082,
"preview": "---\nname: documentation-writer\ndescription: Maintains consistent documentation, updates CLI docs, and ensures documentat"
},
{
"path": ".claude/agents/golang-code-writer.md",
"chars": 1969,
"preview": "---\nname: golang-code-writer\ndescription: Write, generate, or create new Go code — functions, structs, interfaces, metho"
},
{
"path": ".claude/agents/kubernetes-expert.md",
"chars": 3347,
"preview": "---\nname: kubernetes-expert\ndescription: Specialized in Kubernetes operator patterns, CRDs, controllers, and cloud-nativ"
},
{
"path": ".claude/agents/mcp-protocol-expert.md",
"chars": 3926,
"preview": "---\nname: mcp-protocol-expert\ndescription: \"PROACTIVELY use for MCP protocol questions, transport implementations, JSON-"
},
{
"path": ".claude/agents/oauth-expert.md",
"chars": 3449,
"preview": "---\nname: oauth-expert\ndescription: Specialized in OAuth 2.0, OIDC, token exchange, and authentication flows for ToolHiv"
},
{
"path": ".claude/agents/security-advisor.md",
"chars": 2475,
"preview": "---\nname: security-advisor\ndescription: Security guidance for code reviews, architecture decisions, auth implementations"
},
{
"path": ".claude/agents/site-reliability-engineer.md",
"chars": 2194,
"preview": "---\nname: site-reliability-engineer\ndescription: Observability and monitoring guidance — OpenTelemetry instrumentation, "
},
{
"path": ".claude/agents/tech-lead-orchestrator.md",
"chars": 2431,
"preview": "---\nname: tech-lead-orchestrator\ndescription: Architectural oversight, task breakdown, and delegation for complex multi-"
},
{
"path": ".claude/agents/toolhive-expert.md",
"chars": 2986,
"preview": "---\nname: toolhive-expert\ndescription: Codebase knowledge, navigation, and implementation guidance — use for understandi"
},
{
"path": ".claude/agents/unit-test-writer.md",
"chars": 1471,
"preview": "---\nname: unit-test-writer\ndescription: Write comprehensive unit tests for Go code — functions, methods, or components t"
},
{
"path": ".claude/rules/cli-commands.md",
"chars": 1692,
"preview": "---\npaths:\n - \"cmd/thv/app/**\"\n---\n\n# CLI Command Rules\n\nApplies to CLI command files in `cmd/thv/app/`.\n\n## Thin Wrapp"
},
{
"path": ".claude/rules/go-style.md",
"chars": 11387,
"preview": "---\npaths:\n - \"**/*.go\"\n---\n\n# Go Style Rules\n\nApplies to all Go files in the project.\n\n## File Organization\n- Public m"
},
{
"path": ".claude/rules/operator.md",
"chars": 5304,
"preview": "---\npaths:\n - \"cmd/thv-operator/**\"\n - \"test/e2e/chainsaw/**\"\n---\n\n# Operator Rules\n\nApplies to Kubernetes operator co"
},
{
"path": ".claude/rules/pr-creation.md",
"chars": 2196,
"preview": "# PR Creation Rules\n\nYou MUST follow the template at `.github/pull_request_template.md` when creating pull requests. Do "
},
{
"path": ".claude/rules/security.md",
"chars": 2778,
"preview": "---\npaths:\n - \"**/*.go\"\n---\n\n# Security Rules\n\nApplies to all Go files in the project.\n\n## Don't Store Internal Address"
},
{
"path": ".claude/rules/testing.md",
"chars": 6360,
"preview": "---\npaths:\n - \"*_test.go\"\n - \"test/**\"\n---\n\n# Testing Rules\n\nApplies to test files and test directories.\n\n## Testing S"
},
{
"path": ".claude/rules/vmcp-anti-patterns.md",
"chars": 7312,
"preview": "---\npaths:\n - \"pkg/vmcp/**/*.go\"\n - \"cmd/vmcp/**/*.go\"\n---\n\n# vMCP Anti-Pattern Rule\n\nWhen reviewing or writing code i"
},
{
"path": ".claude/settings.json",
"chars": 1526,
"preview": "{\n \"permissions\": {\n \"allow\": [\n \"Bash(go test:*)\",\n \"Bash(task test)\",\n \"Bash(task lint)\",\n \"Ba"
},
{
"path": ".claude/skills/add-rule/SKILL.md",
"chars": 5073,
"preview": "---\nname: add-rule\ndescription: Captures a team convention or best practice and adds it to the appropriate .claude/rules"
},
{
"path": ".claude/skills/check-contribution/SKILL.md",
"chars": 1419,
"preview": "---\nname: check-contribution\ndescription: Validates operator chart contribution practices (helm template, ct lint, docs "
},
{
"path": ".claude/skills/code-review-assist/SKILL.md",
"chars": 13843,
"preview": "---\nname: code-review-assist\ndescription: Augments human code review by summarizing changes, surfacing key review questi"
},
{
"path": ".claude/skills/deflake/SKILL.md",
"chars": 7153,
"preview": "---\nname: deflake\ndescription: Finds flaky tests on the main branch by analyzing GitHub Actions failures, ranks them by "
},
{
"path": ".claude/skills/deflake/collect-flakes.py",
"chars": 10057,
"preview": "#!/usr/bin/env python3\n\"\"\"Collect and rank flaky tests from GitHub Actions on main.\"\"\"\n\nimport json\nimport re\nimport sub"
},
{
"path": ".claude/skills/deploy-otel/SKILL.md",
"chars": 4513,
"preview": "---\nname: deploy-otel\ndescription: Deploy the OpenTelemetry observability stack (Prometheus, Grafana, OTEL Collector) to"
},
{
"path": ".claude/skills/deploying-vmcp-locally/SKILL.md",
"chars": 4424,
"preview": "---\nname: deploying-vmcp-locally\ndescription: Deploys a VirtualMCPServer configuration locally for manual testing and ve"
},
{
"path": ".claude/skills/doc-review/CHECKING.md",
"chars": 607,
"preview": "# Checking documentation claims\n\nWhen a documentation claims something it is important to check it for accuracy.\n\nWhen d"
},
{
"path": ".claude/skills/doc-review/EXAMPLES.md",
"chars": 672,
"preview": "# Examples of documentation checks\n\n## The documentation contains a flow digram\nLaunch an instance of @agent-toolhive-ex"
},
{
"path": ".claude/skills/doc-review/SKILL.md",
"chars": 828,
"preview": "---\nname: doc-review\ndescription: Reviews documentation for factual accuracy\n---\n\n# Documentation Review\n\n## Instruction"
},
{
"path": ".claude/skills/implement-story/SKILL.md",
"chars": 8820,
"preview": "---\nname: implement-story\ndescription: Implements a GitHub user story from planning through PR creation, with research, "
},
{
"path": ".claude/skills/pr-review/EXAMPLES-INLINE.md",
"chars": 9004,
"preview": "# PR Inline Review Examples\n\nCommon use cases and examples for submitting PR reviews with inline comments.\n\n## Example 1"
},
{
"path": ".claude/skills/pr-review/EXAMPLES-REPLY.md",
"chars": 9841,
"preview": "# PR Review Reply Examples\n\nCommon scenarios with actual commands for replying to and resolving GitHub PR review comment"
},
{
"path": ".claude/skills/pr-review/SKILL.md",
"chars": 8191,
"preview": "---\nname: pr-review\ndescription: Submit inline review comments to GitHub PRs and reply to/resolve review threads using t"
},
{
"path": ".claude/skills/release-notes/SKILL.md",
"chars": 9849,
"preview": "---\nname: release-notes\ndescription: Generates polished GitHub release notes for a ToolHive release by analyzing every m"
},
{
"path": ".claude/skills/release-notes/TEMPLATE.md",
"chars": 3514,
"preview": "# Release Notes Template\n\nUse this template to produce the final release notes body. Omit any section\nthat has zero entr"
},
{
"path": ".claude/skills/split-pr/SKILL.md",
"chars": 7026,
"preview": "---\nname: split-pr\ndescription: Analyzes current changes and suggests how to split them into smaller, reviewable PRs\n---"
},
{
"path": ".claude/skills/toolhive-release/SKILL.md",
"chars": 4796,
"preview": "---\nname: toolhive-release\ndescription: Creates ToolHive release PRs by analyzing commits since the last release, catego"
},
{
"path": ".claude/skills/toolhive-release/references/WORKFLOW-REFERENCE.md",
"chars": 6082,
"preview": "# ToolHive Release Workflow Reference\n\nDetailed documentation of the ToolHive release workflow chain.\n\n## Workflow Overv"
},
{
"path": ".claude/skills/vmcp-review/SKILL.md",
"chars": 2392,
"preview": "---\nname: vmcp-review\ndescription: Reviews vMCP code changes for known anti-patterns that make the codebase harder to un"
},
{
"path": ".codespellrc",
"chars": 128,
"preview": "[codespell]\nignore-words-list = NotIn,notin,AfterAll,ND,aks,deriver,te,clientA,AtMost,atmost,convertIn\nskip = *.svg,*.mo"
},
{
"path": ".gitattributes",
"chars": 337,
"preview": "# This file is documented at https://git-scm.com/docs/gitattributes.\n# Linguist-specific attributes are documented at\n# "
},
{
"path": ".github/CODEOWNERS",
"chars": 4435,
"preview": "# Default reviewer\n* @JAORMX\n\n# AI Agent Configuration (changes here affect what AI ag"
},
{
"path": ".github/ISSUE_TEMPLATE/kubernetes-issue.md",
"chars": 211,
"preview": "---\nname: Kubernetes Issue / Feature Request\nabout: Issues or feature requests relating to ToolHive a Kubernetes Context"
},
{
"path": ".github/ISSUE_TEMPLATE/report_bug.md",
"chars": 473,
"preview": "---\nname: Bug Report\nabout: Report a bug to help us improve\nlabels: bug\n---\n\n## Bug description\nClearly describe the bug"
},
{
"path": ".github/actions/compute-version/action.yml",
"chars": 1345,
"preview": "name: 'Compute Version Number'\ndescription: 'Computes a semantic version string based on the branch/tag context'\noutputs"
},
{
"path": ".github/ko-ci.yml",
"chars": 1518,
"preview": "builds:\n - id: thv\n dir: ./cmd/thv\n ldflags:\n - -s -w\n - -X github.com/stacklok/toolhive/pkg/versions.V"
},
{
"path": ".github/license-header.txt",
"chars": 90,
"preview": "SPDX-FileCopyrightText: Copyright 2025 Stacklok, Inc.\nSPDX-License-Identifier: Apache-2.0\n"
},
{
"path": ".github/pull_request_template.md",
"chars": 2731,
"preview": "## Summary\n\n<!--\nREQUIRED. You MUST explain:\n1. WHY this change is needed (the problem or motivation)\n2. WHAT changed (c"
},
{
"path": ".github/workflows/api-compat-noop.yml",
"chars": 1426,
"preview": "name: API Compatibility\n\n# No-op companion to api-compat.yml. Its sole purpose is to satisfy the\n# required `CRD Schema "
},
{
"path": ".github/workflows/api-compat.yml",
"chars": 7975,
"preview": "name: API Compatibility\n\n# This workflow guards the stability of the v1beta1 operator API surface.\n#\n# A breaking CRD sc"
},
{
"path": ".github/workflows/claude.yml",
"chars": 3149,
"preview": "name: Claude PR Assistant\n\non:\n issue_comment:\n types: [created]\n pull_request_review_comment:\n types: [created]"
},
{
"path": ".github/workflows/create-release-pr.yml",
"chars": 4193,
"preview": "# Create Release PR workflow using releaseo\n#\n# This workflow automates release PR creation by:\n# 1. Bumping the version"
},
{
"path": ".github/workflows/create-release-tag.yml",
"chars": 8420,
"preview": "# Create Release Tag Workflow\n#\n# This workflow is triggered when the VERSION file is updated on main.\n# It verifies the"
},
{
"path": ".github/workflows/e2e-tests.yml",
"chars": 4821,
"preview": "name: E2E Tests\n\non:\n workflow_call:\n\npermissions:\n contents: read\n\njobs:\n build-binary:\n name: Build ToolHive Bin"
},
{
"path": ".github/workflows/helm-charts-test.yml",
"chars": 2503,
"preview": "name: Helm Charts\n\non:\n workflow_call:\n\npermissions:\n contents: read\n\njobs:\n lint-and-test:\n name: Lint and Test H"
},
{
"path": ".github/workflows/helm-publish.yml",
"chars": 6689,
"preview": "name: Publish Helm Charts\n\non:\n workflow_call:\n\nenv:\n REGISTRY: ghcr.io\n\njobs:\n verify-tag:\n name: Verify Tag\n "
},
{
"path": ".github/workflows/image-build-and-publish.yml",
"chars": 13324,
"preview": "name: Build and Sign Image\n\non:\n workflow_call:\n\njobs:\n image-build-and-publish:\n name: Build and Publish Main Imag"
},
{
"path": ".github/workflows/issue-triage.yml",
"chars": 5154,
"preview": "name: Claude Issue Triage\non:\n issues:\n types: [opened]\n\njobs:\n triage-issue:\n name: Triage Issue\n runs-on: u"
},
{
"path": ".github/workflows/license-headers.yml",
"chars": 1089,
"preview": "# SPDX-FileCopyrightText: Copyright 2026 Stacklok, Inc.\n# SPDX-License-Identifier: Apache-2.0\n\nname: License Headers\n\non"
},
{
"path": ".github/workflows/lint.yml",
"chars": 1502,
"preview": "name: Linting\n\non:\n workflow_call:\n\npermissions:\n contents: read\n\njobs:\n lint-go-code:\n name: Lint Go Code\n run"
},
{
"path": ".github/workflows/operator-ci.yml",
"chars": 7469,
"preview": "name: Operator CI\n\non:\n workflow_call:\n workflow_dispatch:\n\npermissions:\n contents: read\n\njobs:\n operator-tests:\n "
},
{
"path": ".github/workflows/pr-size-justification-template.md",
"chars": 763,
"preview": "## Large PR Detected\n\nThis PR exceeds 1000 lines of changes and requires justification before it can be reviewed.\n\n### H"
},
{
"path": ".github/workflows/pr-size-label-apply.yml",
"chars": 8747,
"preview": "name: PR Size Labeler - Apply and Enforce\n\non:\n workflow_run:\n workflows: [\"PR Size Labeler - Calculate\"]\n types:"
},
{
"path": ".github/workflows/pr-size-labeler.yml",
"chars": 2275,
"preview": "name: PR Size Labeler - Calculate\n\non:\n pull_request:\n types: [opened, synchronize, reopened, edited]\n\npermissions:\n"
},
{
"path": ".github/workflows/releaser.yml",
"chars": 13647,
"preview": "#\n# Copyright 2025 Stacklok, Inc.\n#\n# Licensed under the Apache License, Version 2.0 (the \"License\");\n# you may not use "
},
{
"path": ".github/workflows/renovate-config-validation.yml",
"chars": 1536,
"preview": "name: Renovate Config Validation\n\non:\n workflow_call:\n workflow_dispatch:\n pull_request:\n paths:\n - 'renovate"
},
{
"path": ".github/workflows/run-on-main.yml",
"chars": 1568,
"preview": "# These set of workflows run on every push to the main branch\nname: Main build\n\non:\n workflow_dispatch:\n push:\n bra"
},
{
"path": ".github/workflows/run-on-pr.yml",
"chars": 1453,
"preview": "# These set of workflows run on every push to the main branch\nname: PR Checks\n\non:\n workflow_dispatch:\n pull_request:\n"
},
{
"path": ".github/workflows/security-scan.yml",
"chars": 4229,
"preview": "name: Security Scan\n\non:\n workflow_call:\n workflow_dispatch:\n push:\n branches: [ main ]\n pull_request:\n branch"
},
{
"path": ".github/workflows/skills-build-and-publish.yml",
"chars": 4186,
"preview": "#\n# Copyright 2025 Stacklok, Inc.\n#\n# Licensed under the Apache License, Version 2.0 (the \"License\");\n# you may not use "
},
{
"path": ".github/workflows/spellcheck.yml",
"chars": 468,
"preview": "name: Spellcheck\n\npermissions:\n contents: read\n\non:\n workflow_call:\n\njobs:\n codespell:\n name: Codespell\n runs-o"
},
{
"path": ".github/workflows/test-e2e-lifecycle.yml",
"chars": 5449,
"preview": "name: E2E Tests Lifecycle\n\non:\n workflow_dispatch:\n pull_request:\n paths:\n - 'cmd/vmcp/**'\n - 'cmd/thv-op"
},
{
"path": ".github/workflows/test.yml",
"chars": 2605,
"preview": "name: Tests\n\non:\n workflow_call:\n\npermissions:\n contents: read\n\njobs:\n test-go-code:\n name: Test Go Code (${{ matr"
},
{
"path": ".github/workflows/verify-docgen.yml",
"chars": 507,
"preview": "name: Docgen\n\non:\n workflow_call:\n\njobs:\n verify-swagger-docs:\n name: Verify Swagger Documentation\n runs-on: ubu"
},
{
"path": ".github/workflows/verify-gen.yml",
"chars": 1656,
"preview": "name: Codegen\n\non:\n workflow_call:\n\npermissions:\n contents: read\n\njobs:\n verify-code-generation:\n name: Verify Cod"
},
{
"path": ".gitignore",
"chars": 586,
"preview": "# Binaries for programs and plugins\n*.exe\n*.exe~\n*.dll\n*.so\n*.dylib\n\n# Test binary, built with `go test -c`\n*.test\n\n# Ou"
},
{
"path": ".golangci.yml",
"chars": 4852,
"preview": "version: \"2\"\nrun:\n issues-exit-code: 1\noutput:\n formats:\n text:\n path: stdout\n print-linter-name: true\n "
},
{
"path": ".goreleaser.yaml",
"chars": 3745,
"preview": "# yaml-language-server: $schema=https://goreleaser.com/static/schema.json\nproject_name: toolhive\nversion: 2\n# This secti"
},
{
"path": ".pre-commit-config.yaml",
"chars": 592,
"preview": "repos:\n - repo: https://github.com/norwoodj/helm-docs\n rev: v1.2.0\n hooks:\n - id: helm-docs\n args:\n "
},
{
"path": "CLAUDE.md",
"chars": 5321,
"preview": "# CLAUDE.md\n\nThis file provides guidance to Claude Code when working with this repository.\n\n## Project Overview\n\nToolHiv"
},
{
"path": "CODE_OF_CONDUCT.md",
"chars": 3219,
"preview": "# Code of Conduct\n\n## Our Pledge\n\nIn the interest of fostering an open and welcoming environment, we as\ncontributors and"
},
{
"path": "CONTRIBUTING.md",
"chars": 8307,
"preview": "# Contributing to ToolHive <!-- omit from toc -->\n\nFirst off, thank you for taking the time to contribute to ToolHive! :"
},
{
"path": "LICENSE",
"chars": 11344,
"preview": " Apache License\n Version 2.0, January 2004\n "
},
{
"path": "MAINTAINERS.md",
"chars": 3262,
"preview": "# ToolHive Contribution and Maintainership\n\nWe welcome additional contributors to ToolHive, including maintainers. ToolH"
},
{
"path": "PROJECT",
"chars": 364,
"preview": "domain: toolhive.stacklok.dev\nlayout:\n- go.kubebuilder.io/v3\nprojectName: thv-operator\nrepo: github.com/stacklok/toolhiv"
},
{
"path": "README.md",
"chars": 11747,
"preview": "<picture>\n <source media=\"(prefers-color-scheme: dark)\" srcset=\"docs/images/toolhive-byline-white.svg\">\n <img src=\"doc"
},
{
"path": "SECURITY.md",
"chars": 6967,
"preview": "# Security Policy\n\nThe ToolHive community take security seriously! We appreciate your efforts to\ndisclose your findings "
},
{
"path": "Taskfile.yml",
"chars": 11755,
"preview": "version: '3'\n\nincludes:\n operator:\n taskfile: ./cmd/thv-operator/Taskfile.yml\n flatten: true\n\ntasks:\n docs:\n "
},
{
"path": "VERSION",
"chars": 7,
"preview": "0.26.1\n"
},
{
"path": "cmd/help/main.go",
"chars": 1614,
"preview": "// SPDX-FileCopyrightText: Copyright 2025 Stacklok, Inc.\n// SPDX-License-Identifier: Apache-2.0\n\n// Package main is the "
},
{
"path": "cmd/help/verify.sh",
"chars": 785,
"preview": "#!/usr/bin/env bash\nset -e\n\n# Verify that generated CLI docs are up-to-date.\ntmpdir=$(mktemp -d)\ngo run cmd/help/main.go"
},
{
"path": "cmd/thv/app/auth_flags.go",
"chars": 9670,
"preview": "// SPDX-FileCopyrightText: Copyright 2025 Stacklok, Inc.\n// SPDX-License-Identifier: Apache-2.0\n\npackage app\n\nimport (\n\t"
},
{
"path": "cmd/thv/app/build.go",
"chars": 4925,
"preview": "// SPDX-FileCopyrightText: Copyright 2025 Stacklok, Inc.\n// SPDX-License-Identifier: Apache-2.0\n\npackage app\n\nimport (\n\t"
},
{
"path": "cmd/thv/app/client.go",
"chars": 13370,
"preview": "// SPDX-FileCopyrightText: Copyright 2025 Stacklok, Inc.\n// SPDX-License-Identifier: Apache-2.0\n\npackage app\n\nimport (\n\t"
},
{
"path": "cmd/thv/app/commands.go",
"chars": 4529,
"preview": "// SPDX-FileCopyrightText: Copyright 2025 Stacklok, Inc.\n// SPDX-License-Identifier: Apache-2.0\n\n// Package app provides"
},
{
"path": "cmd/thv/app/common.go",
"chars": 7544,
"preview": "// SPDX-FileCopyrightText: Copyright 2025 Stacklok, Inc.\n// SPDX-License-Identifier: Apache-2.0\n\npackage app\n\nimport (\n\t"
},
{
"path": "cmd/thv/app/common_test.go",
"chars": 5821,
"preview": "// SPDX-FileCopyrightText: Copyright 2025 Stacklok, Inc.\n// SPDX-License-Identifier: Apache-2.0\n\npackage app\n\nimport (\n\t"
},
{
"path": "cmd/thv/app/config.go",
"chars": 11648,
"preview": "// SPDX-FileCopyrightText: Copyright 2025 Stacklok, Inc.\n// SPDX-License-Identifier: Apache-2.0\n\npackage app\n\nimport (\n\t"
},
{
"path": "cmd/thv/app/config_buildauthfile.go",
"chars": 8984,
"preview": "// SPDX-FileCopyrightText: Copyright 2026 Stacklok, Inc.\n// SPDX-License-Identifier: Apache-2.0\n\npackage app\n\nimport (\n\t"
},
{
"path": "cmd/thv/app/config_buildenv.go",
"chars": 8286,
"preview": "// SPDX-FileCopyrightText: Copyright 2026 Stacklok, Inc.\n// SPDX-License-Identifier: Apache-2.0\n\npackage app\n\nimport (\n\t"
},
{
"path": "cmd/thv/app/config_registryauth.go",
"chars": 3054,
"preview": "// SPDX-FileCopyrightText: Copyright 2025 Stacklok, Inc.\n// SPDX-License-Identifier: Apache-2.0\n\npackage app\n\nimport (\n\t"
},
{
"path": "cmd/thv/app/constants.go",
"chars": 271,
"preview": "// SPDX-FileCopyrightText: Copyright 2025 Stacklok, Inc.\n// SPDX-License-Identifier: Apache-2.0\n\npackage app\n\n// Output "
},
{
"path": "cmd/thv/app/export.go",
"chars": 4026,
"preview": "// SPDX-FileCopyrightText: Copyright 2025 Stacklok, Inc.\n// SPDX-License-Identifier: Apache-2.0\n\npackage app\n\nimport (\n\t"
},
{
"path": "cmd/thv/app/flag_helpers.go",
"chars": 1729,
"preview": "// SPDX-FileCopyrightText: Copyright 2025 Stacklok, Inc.\n// SPDX-License-Identifier: Apache-2.0\n\npackage app\n\nimport (\n\t"
},
{
"path": "cmd/thv/app/group.go",
"chars": 9992,
"preview": "// SPDX-FileCopyrightText: Copyright 2025 Stacklok, Inc.\n// SPDX-License-Identifier: Apache-2.0\n\npackage app\n\nimport (\n\t"
},
{
"path": "cmd/thv/app/header_flags.go",
"chars": 4764,
"preview": "// SPDX-FileCopyrightText: Copyright 2026 Stacklok, Inc.\n// SPDX-License-Identifier: Apache-2.0\n\npackage app\n\nimport (\n\t"
},
{
"path": "cmd/thv/app/header_flags_test.go",
"chars": 5914,
"preview": "// SPDX-FileCopyrightText: Copyright 2025 Stacklok, Inc.\n// SPDX-License-Identifier: Apache-2.0\n\npackage app\n\nimport (\n\t"
},
{
"path": "cmd/thv/app/inspector/version.go",
"chars": 419,
"preview": "// SPDX-FileCopyrightText: Copyright 2025 Stacklok, Inc.\n// SPDX-License-Identifier: Apache-2.0\n\n// Package inspector co"
},
{
"path": "cmd/thv/app/inspector.go",
"chars": 7841,
"preview": "// SPDX-FileCopyrightText: Copyright 2025 Stacklok, Inc.\n// SPDX-License-Identifier: Apache-2.0\n\npackage app\n\nimport (\n\t"
},
{
"path": "cmd/thv/app/inspector_test.go",
"chars": 1604,
"preview": "// SPDX-FileCopyrightText: Copyright 2025 Stacklok, Inc.\n// SPDX-License-Identifier: Apache-2.0\n\npackage app\n\nimport (\n\t"
},
{
"path": "cmd/thv/app/list.go",
"chars": 5005,
"preview": "// SPDX-FileCopyrightText: Copyright 2025 Stacklok, Inc.\n// SPDX-License-Identifier: Apache-2.0\n\npackage app\n\nimport (\n\t"
},
{
"path": "cmd/thv/app/llm.go",
"chars": 16389,
"preview": "// SPDX-FileCopyrightText: Copyright 2026 Stacklok, Inc.\n// SPDX-License-Identifier: Apache-2.0\n\npackage app\n\nimport (\n\t"
},
{
"path": "cmd/thv/app/llm_test.go",
"chars": 20109,
"preview": "// SPDX-FileCopyrightText: Copyright 2026 Stacklok, Inc.\n// SPDX-License-Identifier: Apache-2.0\n\npackage app\n\nimport (\n\t"
},
{
"path": "cmd/thv/app/logs.go",
"chars": 8603,
"preview": "// SPDX-FileCopyrightText: Copyright 2025 Stacklok, Inc.\n// SPDX-License-Identifier: Apache-2.0\n\npackage app\n\nimport (\n\t"
},
{
"path": "cmd/thv/app/mcp.go",
"chars": 11493,
"preview": "// SPDX-FileCopyrightText: Copyright 2025 Stacklok, Inc.\n// SPDX-License-Identifier: Apache-2.0\n\npackage app\n\nimport (\n\t"
},
{
"path": "cmd/thv/app/mcp_serve.go",
"chars": 2344,
"preview": "// SPDX-FileCopyrightText: Copyright 2025 Stacklok, Inc.\n// SPDX-License-Identifier: Apache-2.0\n\npackage app\n\nimport (\n\t"
},
{
"path": "cmd/thv/app/otel.go",
"chars": 18425,
"preview": "// SPDX-FileCopyrightText: Copyright 2025 Stacklok, Inc.\n// SPDX-License-Identifier: Apache-2.0\n\npackage app\n\nimport (\n\t"
},
{
"path": "cmd/thv/app/proxy.go",
"chars": 18664,
"preview": "// SPDX-FileCopyrightText: Copyright 2025 Stacklok, Inc.\n// SPDX-License-Identifier: Apache-2.0\n\npackage app\n\nimport (\n\t"
},
{
"path": "cmd/thv/app/proxy_stdio.go",
"chars": 1748,
"preview": "// SPDX-FileCopyrightText: Copyright 2025 Stacklok, Inc.\n// SPDX-License-Identifier: Apache-2.0\n\npackage app\n\nimport (\n\t"
},
{
"path": "cmd/thv/app/proxy_tunnel.go",
"chars": 4418,
"preview": "// SPDX-FileCopyrightText: Copyright 2025 Stacklok, Inc.\n// SPDX-License-Identifier: Apache-2.0\n\npackage app\n\nimport (\n\t"
},
{
"path": "cmd/thv/app/registry.go",
"chars": 10732,
"preview": "// SPDX-FileCopyrightText: Copyright 2025 Stacklok, Inc.\n// SPDX-License-Identifier: Apache-2.0\n\npackage app\n\nimport (\n\t"
},
{
"path": "cmd/thv/app/registry_convert.go",
"chars": 5058,
"preview": "// SPDX-FileCopyrightText: Copyright 2025 Stacklok, Inc.\n// SPDX-License-Identifier: Apache-2.0\n\npackage app\n\nimport (\n\t"
},
{
"path": "cmd/thv/app/registry_convert_test.go",
"chars": 4388,
"preview": "// SPDX-FileCopyrightText: Copyright 2025 Stacklok, Inc.\n// SPDX-License-Identifier: Apache-2.0\n\npackage app\n\nimport (\n\t"
},
{
"path": "cmd/thv/app/registry_login.go",
"chars": 2598,
"preview": "// SPDX-FileCopyrightText: Copyright 2026 Stacklok, Inc.\n// SPDX-License-Identifier: Apache-2.0\n\npackage app\n\nimport (\n\t"
},
{
"path": "cmd/thv/app/registry_logout.go",
"chars": 783,
"preview": "// SPDX-FileCopyrightText: Copyright 2025 Stacklok, Inc.\n// SPDX-License-Identifier: Apache-2.0\n\npackage app\n\nimport (\n\t"
},
{
"path": "cmd/thv/app/restart.go",
"chars": 5986,
"preview": "// SPDX-FileCopyrightText: Copyright 2025 Stacklok, Inc.\n// SPDX-License-Identifier: Apache-2.0\n\npackage app\n\nimport (\n\t"
},
{
"path": "cmd/thv/app/rm.go",
"chars": 4985,
"preview": "// SPDX-FileCopyrightText: Copyright 2025 Stacklok, Inc.\n// SPDX-License-Identifier: Apache-2.0\n\npackage app\n\nimport (\n\t"
},
{
"path": "cmd/thv/app/run.go",
"chars": 18773,
"preview": "// SPDX-FileCopyrightText: Copyright 2025 Stacklok, Inc.\n// SPDX-License-Identifier: Apache-2.0\n\npackage app\n\nimport (\n\t"
},
{
"path": "cmd/thv/app/run_flags.go",
"chars": 47810,
"preview": "// SPDX-FileCopyrightText: Copyright 2025 Stacklok, Inc.\n// SPDX-License-Identifier: Apache-2.0\n\npackage app\n\nimport (\n\t"
},
{
"path": "cmd/thv/app/run_flags_test.go",
"chars": 29602,
"preview": "// SPDX-FileCopyrightText: Copyright 2025 Stacklok, Inc.\n// SPDX-License-Identifier: Apache-2.0\n\npackage app\n\nimport (\n\t"
},
{
"path": "cmd/thv/app/run_test.go",
"chars": 1248,
"preview": "// SPDX-FileCopyrightText: Copyright 2025 Stacklok, Inc.\n// SPDX-License-Identifier: Apache-2.0\n\npackage app\n\nimport (\n\t"
},
{
"path": "cmd/thv/app/runtime.go",
"chars": 2557,
"preview": "// SPDX-FileCopyrightText: Copyright 2025 Stacklok, Inc.\n// SPDX-License-Identifier: Apache-2.0\n\npackage app\n\nimport (\n\t"
},
{
"path": "cmd/thv/app/search.go",
"chars": 3186,
"preview": "// SPDX-FileCopyrightText: Copyright 2025 Stacklok, Inc.\n// SPDX-License-Identifier: Apache-2.0\n\npackage app\n\nimport (\n\t"
},
{
"path": "cmd/thv/app/secret.go",
"chars": 18141,
"preview": "// SPDX-FileCopyrightText: Copyright 2026 Stacklok, Inc.\n// SPDX-License-Identifier: Apache-2.0\n\npackage app\n\nimport (\n\t"
},
{
"path": "cmd/thv/app/secret_test.go",
"chars": 7938,
"preview": "// SPDX-FileCopyrightText: Copyright 2026 Stacklok, Inc.\n// SPDX-License-Identifier: Apache-2.0\n\npackage app\n\nimport (\n\t"
},
{
"path": "cmd/thv/app/server.go",
"chars": 7517,
"preview": "// SPDX-FileCopyrightText: Copyright 2025 Stacklok, Inc.\n// SPDX-License-Identifier: Apache-2.0\n\npackage app\n\nimport (\n\t"
},
{
"path": "cmd/thv/app/skill.go",
"chars": 291,
"preview": "// SPDX-FileCopyrightText: Copyright 2025 Stacklok, Inc.\n// SPDX-License-Identifier: Apache-2.0\n\npackage app\n\nimport (\n\t"
},
{
"path": "cmd/thv/app/skill_build.go",
"chars": 1302,
"preview": "// SPDX-FileCopyrightText: Copyright 2025 Stacklok, Inc.\n// SPDX-License-Identifier: Apache-2.0\n\npackage app\n\nimport (\n\t"
},
{
"path": "cmd/thv/app/skill_builds.go",
"chars": 1682,
"preview": "// SPDX-FileCopyrightText: Copyright 2025 Stacklok, Inc.\n// SPDX-License-Identifier: Apache-2.0\n\npackage app\n\nimport (\n\t"
},
{
"path": "cmd/thv/app/skill_builds_remove.go",
"chars": 775,
"preview": "// SPDX-FileCopyrightText: Copyright 2025 Stacklok, Inc.\n// SPDX-License-Identifier: Apache-2.0\n\npackage app\n\nimport (\n\t"
},
{
"path": "cmd/thv/app/skill_helpers.go",
"chars": 2260,
"preview": "// SPDX-FileCopyrightText: Copyright 2025 Stacklok, Inc.\n// SPDX-License-Identifier: Apache-2.0\n\npackage app\n\nimport (\n\t"
},
{
"path": "cmd/thv/app/skill_info.go",
"chars": 2426,
"preview": "// SPDX-FileCopyrightText: Copyright 2025 Stacklok, Inc.\n// SPDX-License-Identifier: Apache-2.0\n\npackage app\n\nimport (\n\t"
},
{
"path": "cmd/thv/app/skill_install.go",
"chars": 2514,
"preview": "// SPDX-FileCopyrightText: Copyright 2025 Stacklok, Inc.\n// SPDX-License-Identifier: Apache-2.0\n\npackage app\n\nimport (\n\t"
},
{
"path": "cmd/thv/app/skill_list.go",
"chars": 2565,
"preview": "// SPDX-FileCopyrightText: Copyright 2025 Stacklok, Inc.\n// SPDX-License-Identifier: Apache-2.0\n\npackage app\n\nimport (\n\t"
},
{
"path": "cmd/thv/app/skill_push.go",
"chars": 728,
"preview": "// SPDX-FileCopyrightText: Copyright 2025 Stacklok, Inc.\n// SPDX-License-Identifier: Apache-2.0\n\npackage app\n\nimport (\n\t"
},
{
"path": "cmd/thv/app/skill_uninstall.go",
"chars": 1441,
"preview": "// SPDX-FileCopyrightText: Copyright 2025 Stacklok, Inc.\n// SPDX-License-Identifier: Apache-2.0\n\npackage app\n\nimport (\n\t"
},
{
"path": "cmd/thv/app/skill_validate.go",
"chars": 1592,
"preview": "// SPDX-FileCopyrightText: Copyright 2025 Stacklok, Inc.\n// SPDX-License-Identifier: Apache-2.0\n\npackage app\n\nimport (\n\t"
},
{
"path": "cmd/thv/app/status.go",
"chars": 4057,
"preview": "// SPDX-FileCopyrightText: Copyright 2025 Stacklok, Inc.\n// SPDX-License-Identifier: Apache-2.0\n\npackage app\n\nimport (\n\t"
},
{
"path": "cmd/thv/app/status_test.go",
"chars": 5060,
"preview": "// SPDX-FileCopyrightText: Copyright 2025 Stacklok, Inc.\n// SPDX-License-Identifier: Apache-2.0\n\npackage app\n\nimport (\n\t"
},
{
"path": "cmd/thv/app/stop.go",
"chars": 5858,
"preview": "// SPDX-FileCopyrightText: Copyright 2025 Stacklok, Inc.\n// SPDX-License-Identifier: Apache-2.0\n\npackage app\n\nimport (\n\t"
},
{
"path": "cmd/thv/app/tui.go",
"chars": 3626,
"preview": "// SPDX-FileCopyrightText: Copyright 2025 Stacklok, Inc.\n// SPDX-License-Identifier: Apache-2.0\n\npackage app\n\nimport (\n\t"
},
{
"path": "cmd/thv/app/ui/clients_setup.go",
"chars": 7567,
"preview": "// SPDX-FileCopyrightText: Copyright 2025 Stacklok, Inc.\n// SPDX-License-Identifier: Apache-2.0\n\n// Package ui provides "
},
{
"path": "cmd/thv/app/ui/clients_setup_test.go",
"chars": 4153,
"preview": "// SPDX-FileCopyrightText: Copyright 2025 Stacklok, Inc.\n// SPDX-License-Identifier: Apache-2.0\n\npackage ui\n\nimport (\n\t\""
},
{
"path": "cmd/thv/app/ui/clients_status.go",
"chars": 3404,
"preview": "// SPDX-FileCopyrightText: Copyright 2025 Stacklok, Inc.\n// SPDX-License-Identifier: Apache-2.0\n\npackage ui\n\nimport (\n\t\""
},
{
"path": "cmd/thv/app/ui/help.go",
"chars": 7171,
"preview": "// SPDX-FileCopyrightText: Copyright 2025 Stacklok, Inc.\n// SPDX-License-Identifier: Apache-2.0\n\npackage ui\n\nimport (\n\t\""
},
{
"path": "cmd/thv/app/ui/log_handler.go",
"chars": 2170,
"preview": "// SPDX-FileCopyrightText: Copyright 2025 Stacklok, Inc.\n// SPDX-License-Identifier: Apache-2.0\n\npackage ui\n\nimport (\n\t\""
},
{
"path": "cmd/thv/app/ui/selected_groups_test.go",
"chars": 2537,
"preview": "// SPDX-FileCopyrightText: Copyright 2025 Stacklok, Inc.\n// SPDX-License-Identifier: Apache-2.0\n\npackage ui\n\nimport (\n\t\""
},
{
"path": "cmd/thv/app/ui/spinner.go",
"chars": 3519,
"preview": "// SPDX-FileCopyrightText: Copyright 2025 Stacklok, Inc.\n// SPDX-License-Identifier: Apache-2.0\n\npackage ui\n\nimport (\n\t\""
},
{
"path": "cmd/thv/app/ui/styles.go",
"chars": 9054,
"preview": "// SPDX-FileCopyrightText: Copyright 2025 Stacklok, Inc.\n// SPDX-License-Identifier: Apache-2.0\n\n// Package ui provides "
},
{
"path": "cmd/thv/app/version.go",
"chars": 2038,
"preview": "// SPDX-FileCopyrightText: Copyright 2025 Stacklok, Inc.\n// SPDX-License-Identifier: Apache-2.0\n\npackage app\n\nimport (\n\t"
},
{
"path": "cmd/thv/app/vmcp.go",
"chars": 5623,
"preview": "// SPDX-FileCopyrightText: Copyright 2025 Stacklok, Inc.\n// SPDX-License-Identifier: Apache-2.0\n\npackage app\n\nimport (\n\t"
},
{
"path": "cmd/thv/app/vmcp_test.go",
"chars": 1498,
"preview": "// SPDX-FileCopyrightText: Copyright 2025 Stacklok, Inc.\n// SPDX-License-Identifier: Apache-2.0\n\npackage app\n\nimport (\n\t"
},
{
"path": "cmd/thv/main.go",
"chars": 4122,
"preview": "// SPDX-FileCopyrightText: Copyright 2026 Stacklok, Inc.\n// SPDX-License-Identifier: Apache-2.0\n\n// Package main is the "
},
{
"path": "cmd/thv-operator/DESIGN.md",
"chars": 4359,
"preview": "# Design & Decisions\n\nThis document captures architectural decisions and design patterns for the ToolHive Operator.\n\n## "
},
{
"path": "cmd/thv-operator/README.md",
"chars": 10641,
"preview": "# ToolHive Kubernetes Operator\n\nThe ToolHive Kubernetes Operator manages MCP (Model Context Protocol) servers and regist"
},
{
"path": "cmd/thv-operator/REGISTRY.md",
"chars": 20639,
"preview": "# MCPRegistry Reference\n\n## Overview\n\nMCPRegistry is a Kubernetes Custom Resource that manages MCP (Model Context Protoc"
},
{
"path": "cmd/thv-operator/Taskfile.yml",
"chars": 17102,
"preview": "version: '3'\n\nvars:\n CRD_DIR: config/crd/bases\n DOCS_OUT: '{{.ROOT_DIR}}/docs/operator/crd-api.md'\n CRDREF_CONFIG: '{"
},
{
"path": "cmd/thv-operator/api/v1alpha1/doc.go",
"chars": 865,
"preview": "// SPDX-FileCopyrightText: Copyright 2025 Stacklok, Inc.\n// SPDX-License-Identifier: Apache-2.0\n\n// Package v1alpha1 con"
},
{
"path": "cmd/thv-operator/api/v1alpha1/groupversion_info.go",
"chars": 629,
"preview": "// SPDX-FileCopyrightText: Copyright 2025 Stacklok, Inc.\n// SPDX-License-Identifier: Apache-2.0\n\npackage v1alpha1\n\nimpor"
},
{
"path": "cmd/thv-operator/api/v1alpha1/types.go",
"chars": 17609,
"preview": "// SPDX-FileCopyrightText: Copyright 2025 Stacklok, Inc.\n// SPDX-License-Identifier: Apache-2.0\n\npackage v1alpha1\n\nimpor"
},
{
"path": "cmd/thv-operator/api/v1alpha1/zz_generated.deepcopy.go",
"chars": 22195,
"preview": "//go:build !ignore_autogenerated\n\n/*\nCopyright 2025 Stacklok\n\nLicensed under the Apache License, Version 2.0 (the \"Licen"
},
{
"path": "cmd/thv-operator/api/v1beta1/conditions.go",
"chars": 272,
"preview": "// SPDX-FileCopyrightText: Copyright 2025 Stacklok, Inc.\n// SPDX-License-Identifier: Apache-2.0\n\npackage v1beta1\n\n// Sha"
},
{
"path": "cmd/thv-operator/api/v1beta1/embeddingserver_types.go",
"chars": 10306,
"preview": "// SPDX-FileCopyrightText: Copyright 2025 Stacklok, Inc.\n// SPDX-License-Identifier: Apache-2.0\n\npackage v1beta1\n\nimport"
},
{
"path": "cmd/thv-operator/api/v1beta1/groupversion_info.go",
"chars": 784,
"preview": "// SPDX-FileCopyrightText: Copyright 2025 Stacklok, Inc.\n// SPDX-License-Identifier: Apache-2.0\n\n// Package v1beta1 cont"
},
{
"path": "cmd/thv-operator/api/v1beta1/mcpexternalauthconfig_types.go",
"chars": 48338,
"preview": "// SPDX-FileCopyrightText: Copyright 2025 Stacklok, Inc.\n// SPDX-License-Identifier: Apache-2.0\n\npackage v1beta1\n\nimport"
},
{
"path": "cmd/thv-operator/api/v1beta1/mcpexternalauthconfig_types_test.go",
"chars": 20549,
"preview": "// SPDX-FileCopyrightText: Copyright 2025 Stacklok, Inc.\n// SPDX-License-Identifier: Apache-2.0\n\npackage v1beta1\n\nimport"
},
{
"path": "cmd/thv-operator/api/v1beta1/mcpgroup_types.go",
"chars": 3558,
"preview": "// SPDX-FileCopyrightText: Copyright 2025 Stacklok, Inc.\n// SPDX-License-Identifier: Apache-2.0\n\npackage v1beta1\n\nimport"
},
{
"path": "cmd/thv-operator/api/v1beta1/mcpoidcconfig_types.go",
"chars": 11695,
"preview": "// SPDX-FileCopyrightText: Copyright 2025 Stacklok, Inc.\n// SPDX-License-Identifier: Apache-2.0\n\npackage v1beta1\n\nimport"
},
{
"path": "cmd/thv-operator/api/v1beta1/mcpregistry_parse_test.go",
"chars": 4921,
"preview": "// SPDX-FileCopyrightText: Copyright 2025 Stacklok, Inc.\n// SPDX-License-Identifier: Apache-2.0\n\npackage v1beta1\n\nimport"
},
{
"path": "cmd/thv-operator/api/v1beta1/mcpregistry_types.go",
"chars": 11368,
"preview": "// SPDX-FileCopyrightText: Copyright 2025 Stacklok, Inc.\n// SPDX-License-Identifier: Apache-2.0\n\npackage v1beta1\n\nimport"
},
{
"path": "cmd/thv-operator/api/v1beta1/mcpremoteproxy_types.go",
"chars": 18275,
"preview": "// SPDX-FileCopyrightText: Copyright 2025 Stacklok, Inc.\n// SPDX-License-Identifier: Apache-2.0\n\npackage v1beta1\n\nimport"
},
{
"path": "cmd/thv-operator/api/v1beta1/mcpserver_types.go",
"chars": 36781,
"preview": "// SPDX-FileCopyrightText: Copyright 2025 Stacklok, Inc.\n// SPDX-License-Identifier: Apache-2.0\n\npackage v1beta1\n\nimport"
},
{
"path": "cmd/thv-operator/api/v1beta1/mcpserver_types_test.go",
"chars": 4565,
"preview": "// SPDX-FileCopyrightText: Copyright 2025 Stacklok, Inc.\n// SPDX-License-Identifier: Apache-2.0\n\npackage v1beta1\n\nimport"
},
{
"path": "cmd/thv-operator/api/v1beta1/mcpserverentry_types.go",
"chars": 8377,
"preview": "// SPDX-FileCopyrightText: Copyright 2025 Stacklok, Inc.\n// SPDX-License-Identifier: Apache-2.0\n\npackage v1beta1\n\nimport"
},
{
"path": "cmd/thv-operator/api/v1beta1/mcptelemetryconfig_types.go",
"chars": 11271,
"preview": "// SPDX-FileCopyrightText: Copyright 2025 Stacklok, Inc.\n// SPDX-License-Identifier: Apache-2.0\n\npackage v1beta1\n\nimport"
},
{
"path": "cmd/thv-operator/api/v1beta1/mcptelemetryconfig_types_test.go",
"chars": 7790,
"preview": "// SPDX-FileCopyrightText: Copyright 2025 Stacklok, Inc.\n// SPDX-License-Identifier: Apache-2.0\n\npackage v1beta1\n\nimport"
},
{
"path": "cmd/thv-operator/api/v1beta1/toolconfig_types.go",
"chars": 5183,
"preview": "// SPDX-FileCopyrightText: Copyright 2025 Stacklok, Inc.\n// SPDX-License-Identifier: Apache-2.0\n\npackage v1beta1\n\nimport"
},
{
"path": "cmd/thv-operator/api/v1beta1/virtualmcpcompositetooldefinition_types.go",
"chars": 6389,
"preview": "// SPDX-FileCopyrightText: Copyright 2025 Stacklok, Inc.\n// SPDX-License-Identifier: Apache-2.0\n\npackage v1beta1\n\nimport"
},
{
"path": "cmd/thv-operator/api/v1beta1/virtualmcpserver_types.go",
"chars": 29544,
"preview": "// SPDX-FileCopyrightText: Copyright 2025 Stacklok, Inc.\n// SPDX-License-Identifier: Apache-2.0\n\npackage v1beta1\n\nimport"
},
{
"path": "cmd/thv-operator/api/v1beta1/virtualmcpserver_types_test.go",
"chars": 15110,
"preview": "// SPDX-FileCopyrightText: Copyright 2025 Stacklok, Inc.\n// SPDX-License-Identifier: Apache-2.0\n\npackage v1beta1\n\nimport"
},
{
"path": "cmd/thv-operator/api/v1beta1/zz_generated.deepcopy.go",
"chars": 92309,
"preview": "//go:build !ignore_autogenerated\n\n/*\nCopyright 2025 Stacklok\n\nLicensed under the Apache License, Version 2.0 (the \"Licen"
},
{
"path": "cmd/thv-operator/config/webhook/manifests.yaml",
"chars": 1478,
"preview": "---\napiVersion: admissionregistration.k8s.io/v1\nkind: ValidatingWebhookConfiguration\nmetadata:\n name: validating-webhoo"
},
{
"path": "cmd/thv-operator/controllers/embeddingserver_controller.go",
"chars": 36559,
"preview": "// SPDX-FileCopyrightText: Copyright 2025 Stacklok, Inc.\n// SPDX-License-Identifier: Apache-2.0\n\n// Package controllers "
},
{
"path": "cmd/thv-operator/controllers/embeddingserver_controller_test.go",
"chars": 33333,
"preview": "// SPDX-License-Identifier: Apache-2.0\n\npackage controllers\n\nimport (\n\t\"context\"\n\t\"fmt\"\n\t\"testing\"\n\t\"time\"\n\n\t\"github.com"
},
{
"path": "cmd/thv-operator/controllers/embeddingserver_default_imagepullsecrets_test.go",
"chars": 2209,
"preview": "// SPDX-FileCopyrightText: Copyright 2025 Stacklok, Inc.\n// SPDX-License-Identifier: Apache-2.0\n\npackage controllers\n\nim"
},
{
"path": "cmd/thv-operator/controllers/helpers_test.go",
"chars": 849,
"preview": "// SPDX-FileCopyrightText: Copyright 2025 Stacklok, Inc.\n// SPDX-License-Identifier: Apache-2.0\n\npackage controllers\n\nim"
},
{
"path": "cmd/thv-operator/controllers/mcpexternalauthconfig_controller.go",
"chars": 24361,
"preview": "// SPDX-FileCopyrightText: Copyright 2025 Stacklok, Inc.\n// SPDX-License-Identifier: Apache-2.0\n\npackage controllers\n\nim"
},
{
"path": "cmd/thv-operator/controllers/mcpexternalauthconfig_controller_test.go",
"chars": 45920,
"preview": "// SPDX-FileCopyrightText: Copyright 2025 Stacklok, Inc.\n// SPDX-License-Identifier: Apache-2.0\n\npackage controllers\n\nim"
}
]
// ... and 1893 more files (download for full content)
About this extraction
This page contains the full source code of the StacklokLabs/toolhive GitHub repository, extracted and formatted as plain text for AI agents and large language models (LLMs). The extraction includes 2093 files (19.9 MB), approximately 5.3M tokens, and a symbol index with 14495 extracted functions, classes, methods, constants, and types. Use this with OpenClaw, Claude, ChatGPT, Cursor, Windsurf, or any other AI tool that accepts text input. You can copy the full output to your clipboard or download it as a .txt file.
Extracted by GitExtract — free GitHub repo to text converter for AI. Built by Nikandr Surkov.