toolhive icon indicating copy to clipboard operation
toolhive copied to clipboard
Published 3 weeks ago verified publisher icon stacklok

Update build-env proposal with secure credential handling

Open JAORMX opened this issue 3 weeks ago • 1 comments

Summary

  • Add --from-secret and --from-env flags to set-build-env command for secure credential handling
  • Add build_env_from_secrets and build_env_from_shell config sections
  • Update security considerations to document URL-embedded credentials approach
  • No template changes required - uses existing ENV injection mechanism

Context

This addresses the need for authenticated registry access during protocol builds (npx://, uvx://, go://) without storing credentials in plaintext in the ToolHive configuration file.

Security: Multi-Stage Build Isolation

All protocol build templates use multi-stage Docker builds. The BuildEnv variables are only set in the builder stage and are not inherited by the final image:

Template Builder Stage Final Stage What's Copied
npx.tmpl FROM node:22-alpine AS builder FROM node:22-alpine node_modules, package.json, package-lock.json
uvx.tmpl FROM python:3.13-slim AS builder FROM python:3.13-slim /opt/uv-tools
go.tmpl FROM golang:1.25-alpine AS builder FROM alpine:3.22 /app/mcp-server binary

Each FROM instruction starts a fresh image - ENV variables from previous stages are not inherited. Credentials used during the build phase do not appear in the final container image.

Test plan

  • [ ] Review proposal changes for completeness
  • [ ] Discuss approach with team

🤖 Generated with Claude Code

JAORMX avatar Dec 02 '25 23:12 JAORMX

Codecov Report

:white_check_mark: All modified and coverable lines are covered by tests. :white_check_mark: Project coverage is 56.58%. Comparing base (71ec710) to head (4543071). :warning: Report is 7 commits behind head on main.

Additional details and impacted files 
@@           Coverage Diff           @@
##             main    #2859   +/-   ##
=======================================
  Coverage   56.58%   56.58%           
=======================================
  Files         322      322           
  Lines       31243    31243           
=======================================
  Hits        17679    17679           
  Misses      12049    12049           
  Partials     1515     1515

:umbrella: View full report in Codecov by Sentry.
:loudspeaker: Have feedback on the report? Share it here.

:rocket: New features to boost your workflow:
  • :snowflake: Test Analytics: Detect flaky tests, report on failures, and find test suite problems.

codecov[bot] avatar Dec 02 '25 23:12 codecov[bot]