Pull request overview
Adds initial documentation for Registry Server authorization and updates the Registry Server guide set to reflect the new “sources + registries” configuration model.
Changes:
- Introduces a new Registry Server Authorization guide (RBAC + claims-based scoping).
- Updates existing Registry Server docs to use sources/registries terminology and configuration examples.
- Wires the new authorization page into navigation and cross-links it from related guides.
Reviewed changes
Copilot reviewed 10 out of 10 changed files in this pull request and generated 4 comments.
| File | Description |
|---|---|
| sidebars.ts | Adds the new authorization doc to the Registry Server sidebar section. |
| docs/toolhive/guides-registry/skills.mdx | Updates prerequisites/403 semantics and documents claims on skill publishing. |
| docs/toolhive/guides-registry/intro.mdx | Refreshes intro terminology (“managed source”) and adds authorization as a feature. |
| docs/toolhive/guides-registry/index.mdx | Updates landing page description and adds link to Authorization. |
| docs/toolhive/guides-registry/deployment.mdx | Updates “next steps” to include authorization and new terminology. |
| docs/toolhive/guides-registry/deploy-operator.mdx | Reworks wording around configuring sources and updates next-step links (incl. authz). |
| docs/toolhive/guides-registry/deploy-manual.mdx | Updates the sample config to the new sources + registries structure. |
| docs/toolhive/guides-registry/configuration.mdx | Major rewrite to document sources vs. registries, claims, and new examples. |
| docs/toolhive/guides-registry/authorization.mdx | New page describing RBAC + claims model, configuration, and examples. |
| docs/toolhive/guides-registry/authentication.mdx | Adds a callout and next-step link pointing readers to Authorization. |
danbarr
left a comment
Summary
Strong, well-structured update — the new authorization.mdx page is clear and thorough, the configuration rewrite is accurate, and cross-linking across the section is solid. One factual contradiction needs resolving before merge; the rest are polish.
Primary issues
1. Git version precedence contradiction
configuration.mdx and deploy-operator.mdx give conflicting precedence orders for branch/tag/commit when multiple are specified.
- configuration.mdx (Git repository source tip): commit > branch > tag
- deploy-operator.mdx (Git source tip): commit > tag > branch
These should be verified against the source code and made consistent. One of them is wrong.
Secondary issues
| # | Location | Issue | Recommendation |
|---|---|---|---|
| 1 | authorization.mdx, intro + "How authorization works" | The opening 3-layer claims description and the "How authorization works" section cover the same ground from slightly different angles (one uses 3 layers, one uses 2 levels). Readers hit duplicate framing before reaching the flowchart. | Collapse them: keep the flowchart and a single concise framing. The numbered list in the intro can be cut if "How authorization works" + the Mermaid diagram covers it. |
| 2 | authorization.mdx, "Claim containment" section (bottom paragraph) | The behavior "entries with no claims are invisible to authenticated callers" is a counterintuitive gotcha — readers setting up Kubernetes or managed sources will naturally assume "no claims = public." It's buried in the final paragraph of a section about the containment algorithm. | Promote to a :::warning callout so it stands out. Something like: "Entries with no claims are not accessible to authenticated callers — only anonymous mode can see them. Attach claims to entries (via annotation or publish payload) to make them visible." |
| 3 | configuration.mdx, Kubernetes source :::info[How does it work?] admonition | This admonition contains a full YAML example, a 9-row annotations reference table, a JSON response structure, and prose explanation. Per the project's style guide, admonitions that contain the only documentation for a concept should be promoted to a proper section with a heading and ToC entry. | Promote to a ## Kubernetes annotations reference section (or similar) so it's discoverable in the ToC. The "how it works" prose can stay as a brief note or be folded into the section intro. |
| 4 | skills.mdx, "API base path" section | The section states all skills endpoints use /{registryName}/v0.1/x/dev.toolhive/skills, but the publish example uses POST /v1/entries and the delete example uses DELETE /v1/entries/skill/... — neither matches the stated base path. Pre-existing, but surfaces on any reading. | Clarify that publish/delete use the /v1/entries admin endpoint, not the skills browse path, or correct the base path description to reflect that it applies only to GET operations. |
Follow-up on front matter descriptions: Two pages have
Suggested fixes:
c031f2e to 45887a5
Breaking changes:
- Update CRD phase values from Running to Ready for MCPServer, EmbeddingServer, and MCPRegistry across quickstarts, guides, and integration pages
- Migrate MCPRegistry examples from v1 flat registries[] format to v2 sources[]/registries[] with configYAML recommended path
- Remove PVC source type (no longer supported)
- Remove Syncing phase from MCPRegistry status documentation
- Remove auto-injection note for Kubernetes discovery sources

New features:
- Add MCPServerEntry (zero-infrastructure catalog entries) docs to K8s intro and vMCP configuration pages
- Add caBundleRef for OTLP endpoints to telemetry guide
- Add authServerRef for separating embedded auth from external token exchange to auth guide
- Update standalone registry server config to v2 format

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
- Fix ConfigMap source example: use volumes/volumeMounts with file path instead of CRD-level configMapRef inside configYAML
- Fix URL source example: use file.url instead of CRD-level url.endpoint inside configYAML
- Fix file source docs: clarify file.path and file.url are mutually exclusive within the file block
- Add MCPServerEntry transport options (sse and streamable-http)
- Fix resource type count: "three" → "four" in K8s intro
- Align "running" → "ready" in vMCP quickstart preceding text

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Restructure configuration docs to reflect the new two-level config model (sources + registries), add a dedicated authorization guide covering RBAC roles and claims-based access control, and update all related pages for cross-document consistency.

Key changes:
- Rewrite configuration.mdx for sources/registries split
- Add authorization.mdx (roles, claims, /v1/me endpoint)
- Replace claimMapping with authz-claims annotation docs
- Document skills sync from external sources
- Document multiple Kubernetes sources support
- Add DNS subdomain naming requirement for source names
- Update cross-references across deployment, skills, and intro pages
- Fix broken anchor in remote-mcp-proxy.mdx

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Two items still outstanding from the earlier review:

1. Git version precedence contradiction (primary)
The two pages still give different precedence orders for
One of these is wrong. Please verify against the source code and align them.

2. Oversized admonition in
The
Summary
Updates the Registry Server documentation to reflect the v1.0.0, v1.0.1, and v1.1.0 releases, which introduced a new configuration model, claims-based authorization, skills sync, an internal probe server, and auth-only mode.
Configuration model (v1.0.0)
- `configuration.mdx` for the new two-level config model: `sources` (data origins with sync/filter/claims) + `registries` (named API surfaces referencing sources)
- `deploy-manual.mdx` and related pages

Authorization (v1.0.0)
- `authorization.mdx` page covering RBAC roles (`superAdmin`, `manageSources`, `manageRegistries`, `manageEntries`), claims-based access control, claim containment logic, publish claim validation, admin API scoping, and a complete multi-tenant example
- `GET /v1/sources/{name}/entries` and `GET /v1/registries/{name}/entries` admin endpoints
- `authz` cross-references from authentication, configuration, deployment, intro, skills, and index pages

Per-entry Kubernetes claims (v1.0.1)
- `claimMapping` config with `toolhive.stacklok.dev/authz-claims` annotation documentation
- `authz-claims` to the Kubernetes annotation table

Skills (v1.0.0–v1.0.1)
- `status` query parameter to skills listing endpoint
- `thv_reg_srv_skills_total` Prometheus metric to telemetry docs

Internal probe server (v1.1.0)
- `--internal-address` CLI flag (default: `8081`) in configuration
- `deploy-manual.mdx` Kubernetes manifest: probes now target port 8081
- `authentication.mdx` public paths: `/health`, `/readiness`, `/version` moved to internal server
- `telemetry-metrics.mdx` excluded endpoints section

Auth-only mode (v1.1.0)
- `authorization.mdx` documenting auth-only mode (OAuth enabled, `auth.authz` omitted): all authenticated callers see all entries, startup warning logged

Other
- `GET /v1/me` endpoint in authorization page
- `roles` vs `role` claim key mismatch in authorization example
- `#kubernetes-registry` anchor in `remote-mcp-proxy.mdx`
- `contributing.mdx`

Changed files

| File | Notes |
|---|---|
| guides-registry/authorization.mdx | /v1/me |
| guides-registry/configuration.mdx | --internal-address flag, entry filtering |
| guides-registry/authentication.mdx | |
| guides-registry/intro.mdx | |
| guides-registry/skills.mdx | status query param, skills sync from external sources |
| guides-registry/deploy-operator.mdx | |
| guides-registry/deploy-manual.mdx | |
| guides-registry/telemetry-metrics.mdx | skills_total metric, update excluded endpoints for internal server |
| guides-registry/deployment.mdx | |
| guides-registry/index.mdx | |
| sidebars.ts | |
| guides-k8s/remote-mcp-proxy.mdx | |
| contributing.mdx | |

Test plan
- `thv` CLI in local env — CI will validate

🤖 Generated with Claude Code
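To make the two visibility rules discussed in this thread concrete (the review's "entries with no claims are invisible to authenticated callers" gotcha, and the auth-only mode where every authenticated caller sees every entry), here is a small Python model added here as an illustration; it is not the registry server's code, and the containment rule (every entry claim key/value must appear in the caller's token claims), the flat claim shape, and the entry names are assumptions.

```python
"""Toy model of registry entry visibility; an added illustration, not the project's code.

Assumed rules (a reading of the documentation discussed above, not the real implementation):
- anonymous mode (auth disabled): every entry is visible
- auth-only mode (OAuth enabled, auth.authz omitted): every authenticated caller sees every entry
- authz enabled: an entry is visible only if it carries at least one claim and every
  claim key/value on the entry is present in the caller's token claims ("containment")
"""
from dataclasses import dataclass, field
from enum import Enum


class Mode(Enum):
    ANONYMOUS = "anonymous"
    AUTH_ONLY = "auth-only"
    AUTHZ = "authz"


@dataclass(frozen=True)
class Entry:
    name: str
    # Hypothetical flat claim shape, e.g. {"team": "payments"}; real tokens may carry lists.
    claims: dict = field(default_factory=dict)


def claims_contained(entry_claims: dict, caller_claims: dict) -> bool:
    """Containment: each entry claim must be matched exactly by the caller's claims."""
    return all(caller_claims.get(k) == v for k, v in entry_claims.items())


def naive_visible(caller_claims: dict, entries: list) -> list:
    """The tempting implementation: containment alone. An empty claim set is
    vacuously contained in anything, so claim-less entries leak to everyone."""
    return [e.name for e in entries if claims_contained(e.claims, caller_claims)]


def visible_entries(mode: Mode, caller_claims: dict, entries: list) -> list:
    """Documented behaviour: claim-less entries are hidden once authz is enforced."""
    if mode in (Mode.ANONYMOUS, Mode.AUTH_ONLY):
        return [e.name for e in entries]
    return [e.name for e in entries if e.claims and claims_contained(e.claims, caller_claims)]


# Constructed sample catalogue: the last entry mimics one synced from a Kubernetes
# source whose pod carries no authz-claims annotation.
ENTRIES = [
    Entry("payments-mcp", {"team": "payments"}),
    Entry("shared-tools", {"org": "acme"}),
    Entry("legacy-server"),
]
```

Running `visible_entries(Mode.AUTHZ, {"org": "acme", "team": "payments"}, ENTRIES)` returns the two claimed entries only, while `naive_visible` with the same claims also returns `legacy-server`, which is exactly the assumption the review wants the docs to warn about.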