Bump toolhive-core to v0.0.21 and use shared redis client#5318
Merged
rdimitrov merged 3 commits intoMay 19, 2026
Merged
Conversation
The auth-server's storage package carried its own copy of the Redis connection layer (config types, TLS dialer, per-mode client construction, topology validation, timeout defaults). toolhive-core v0.0.21 ships a shared redis package designed to replace those duplicates so the next consumer migration can move stacklok-llm-gateway onto the same library without further drift. Replace the local RedisConfig/SentinelConfig/RedisTLSConfig/ACLUserConfig types and the buildTLSConfig/newTLSDialer/configureTLSDialer/validateConfig helpers with toolhive-core/redis.Config and NewClient. NewRedisStorage now takes a tcredis.Config plus the auth-server-specific keyPrefix; the constructor keeps the auth-server invariants (ACL password required, key prefix required) and delegates topology validation, defaults, TLS plumbing, and Ping verification to the shared package. The runner's convertRedisRunConfig now produces a tcredis.Config (ACL credentials resolved from env vars, durations parsed, CA cert file read). Topology checks that duplicated tcredis's Validate were dropped — those errors now surface from the shared package. Tests: delete the storage-side TLS helper tests (now exercising dependency code), trim the validation table down to the auth-server-specific cases, table-drive the three connection-failure tests, remove runner-side topology validation subtests, and update the env-var subtests to the new field layout. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
reyortiz3
requested review from
ChrisJBurns,
JAORMX,
jhrozek and
yrobla
as code owners
Codecov Report❌ Patch coverage is
Additional details and impacted files@@ Coverage Diff @@
## main #5318 +/- ##
==========================================
+ Coverage 68.38% 68.40% +0.01%
==========================================
Files 620 620
Lines 63432 63316 -116
==========================================
- Hits 43378 43309 -69
+ Misses 16819 16774 -45
+ Partials 3235 3233 -2 ☔ View full report in Codecov by Sentry. 🚀 New features to boost your workflow:
|
Returning (username, password string, error) made it possible to swap the two same-typed values silently at the call site. Introduce an unexported redisACLCredentials struct so the role of each field is visible at the assignment. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
github-actions
Bot
added
size/L
…-shared-redis-client
github-actions
Bot
added
size/L
rdimitrov
approved these changes
May 19, 2026
rdimitrov
deleted the
worktree-bumpt-toolhive-core-auth-server-use-shared-redis-client
branch
9 tasks
reyortiz3
added a commit
that referenced
this pull request
May 19, 2026
pkg/transport/session carried its own Redis connection layer (RedisConfig, SentinelConfig, RedisTLSConfig, validateRedisConfig, buildRedisClient, buildRedisTLSConfig, timeout defaults). The auth-server migration in #5318 demonstrated the pattern for replacing that duplicated code with toolhive-core/redis; vmcp session storage and the proxy-runner session storage are the remaining consumers in this repo. Replace the local RedisConfig/SentinelConfig/RedisTLSConfig types and the validate/build helpers with tcredis.Config and tcredis.NewClient. NewRedisStorage and NewRedisSessionDataStorage now take (ctx, tcredis.Config, keyPrefix, ttl); the constructors keep the session-specific invariants (key prefix required, must end with ':', ttl > 0) and delegate connection-mode validation, timeout defaults, TLS plumbing, and Ping verification to the shared package. NewManagerWithRedis grows the same keyPrefix parameter so the wrapper matches the underlying storage signature. The vmcp server and proxy runner call sites build tcredis.Config in place (Addr, Password, DB) and pass keyPrefix separately; RedisPasswordEnvVar stays in the session package because pkg/runner reads it. Tests: TestValidateRedisConfig is removed (topology checks now live in tcredis); TestNewRedisStorageInvariants replaces it with the session-specific cases (key-prefix and ttl). TestNewRedisStorageACLAuth keeps its coverage but uses the new signature. The "invalid TLS CA cert" manager subtest is dropped (now exercising tcredis code). Co-authored-by: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
2 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
toolhive-core v0.0.21 ships a shared
redis/package (introduced in toolhive-core#108) that consolidates the Redis connection layer — config types, TLS dialer, per-mode client construction, topology validation, and timeout defaults — that the auth-server's storage package andpkg/transport/sessionhad each been carrying as a near-duplicate copy. Without this migration the next consumer (stacklok-llm-gateway) would have to land another copy and we'd keep paying the drift cost.This PR migrates the auth-server half of that consolidation.
pkg/transport/sessionis intentionally out of scope and will land in a follow-up.What changed
github.com/stacklok/toolhive-coreto v0.0.21 (transitive bumps:go-redis/v9→ v9.19.0,miniredis/v2→ v2.38.0).pkg/authserver/storage/redis.go: removed localRedisConfig,SentinelConfig,RedisTLSConfig,ACLUserConfig, theDefault*Timeoutconstants, and thebuildTLSConfig/newTLSDialer/configureTLSDialer/validateConfighelpers.NewRedisStoragenow takestcredis.ConfigpluskeyPrefixand delegates topology validation, defaults, TLS plumbing, and Ping verification to the shared package. Auth-server-specific invariants (ACL password required, key prefix required) stay in the constructor.pkg/authserver/runner/embeddedauthserver.go:convertRedisRunConfigproduces atcredis.Config; topology checks that duplicated tcredis'sValidatewere dropped — those errors now surface from the shared package.pkg/authserver/storage/redis_tls_test.go(now exercising dependency code per the testing rule), trimmed the validation table down to the two auth-server-specific cases, table-drove the three connection-failure tests, removed runner-side topology validation subtests, and updated env-var subtests to the new field layout (cfg.Username/cfg.Password/cfg.DB).Net: +146 / -805 lines.
Type of change
Test plan
Does this introduce a user-facing change?
No. Connection-mode behavior, TLS behavior, and configuration schema (`RedisRunConfig` JSON/YAML fields) are unchanged. Error messages for topology misconfiguration now come from the shared package (`redis: invalid configuration: ...`) instead of the auth-server's local validator.
Special notes for reviewers
NewRedisStorageno longer wraps the tcredis error — the `redis: ...` prefix already makes its origin clear.t.Setenvinside at.Parallel()parent or duplicating tcredis's test surface.unused writeand `rangeint` diagnostics in the touched test files are unrelated to this refactor.Generated with Claude Code