Thread factory through buildFullAuthzConfigJSON, drop redundant lookups

buildFullAuthzConfigJSON now returns the resolved AuthorizerFactory
alongside the envelope JSON, so validateAuthzConfig can dispatch
ValidateConfig directly without a second GetFactory call and without
re-Unmarshalling the JSON it just built.

Before: Validate() ran IsRegistered, buildFullAuthzConfigJSON ran
GetFactory, validateAuthzConfig re-Unmarshalled the envelope and ran
GetFactory again — three near-identical lookups for the same key on
every reconcile, with three slightly different error messages.

The authzConfigEnvelope struct is removed; nothing else consumed it.
Tests updated to assert the returned factory's ConfigKey matches the
expected nested envelope key, locking in the bidirectional contract.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>

Author: ChrisJBurns

cmd/thv-operator/controllers/mcpauthzconfig_controller.go

@@ -183,71 +183,53 @@ func (*MCPAuthzConfigReconciler) validateAuthzConfig(authzConfig *mcpv1beta1.MCP
 		return err
 	}
 
-	fullConfigJSON, err := buildFullAuthzConfigJSON(authzConfig.Spec)
+	// buildFullAuthzConfigJSON returns the registered factory alongside the
+	// envelope, so we don't have to re-Unmarshal the JSON or re-look-up the
+	// factory just to dispatch ValidateConfig.
+	fullConfigJSON, factory, err := buildFullAuthzConfigJSON(authzConfig.Spec)
 	if err != nil {
 		return err
 	}
-
-	// Parse and validate via the authorizer factory
-	var cfg authzConfigEnvelope
-	if err := json.Unmarshal(fullConfigJSON, &cfg); err != nil {
-		return fmt.Errorf("failed to parse reconstructed authz config: %w", err)
-	}
-	if cfg.Version == "" || cfg.Type == "" {
-		return fmt.Errorf("reconstructed config missing version or type")
-	}
-
-	factory := authorizers.GetFactory(cfg.Type)
-	if factory == nil {
-		return fmt.Errorf("unsupported authorizer type: %s (registered types: %v)",
-			cfg.Type, authorizers.RegisteredTypes())
-	}
-
 	return factory.ValidateConfig(fullConfigJSON)
 }
 
-// authzConfigEnvelope is a minimal struct for extracting version and type from reconstructed JSON.
-type authzConfigEnvelope struct {
-	Version string `json:"version"`
-	Type    string `json:"type"`
-}
-
 // buildFullAuthzConfigJSON reconstructs the full authorizer config JSON from a
-// MCPAuthzConfig spec. The result is the same format accepted by authorizers.Config
-// and used in ConfigMaps: {"version": "1.0", "type": "<type>", "<configKey>": {<config>}}.
-func buildFullAuthzConfigJSON(spec mcpv1beta1.MCPAuthzConfigSpec) ([]byte, error) {
+// MCPAuthzConfig spec and returns it alongside the resolved factory. The JSON
+// shape is the same one accepted by authorizers.Config and stored in
+// ConfigMaps: {"version": "1.0", "type": "<type>", "<configKey>": {<config>}}.
+// Returning the factory together with the JSON lets callers (notably
+// validateAuthzConfig) skip a second registry lookup.
+func buildFullAuthzConfigJSON(spec mcpv1beta1.MCPAuthzConfigSpec) ([]byte, authorizers.AuthorizerFactory, error) {
 	factory := authorizers.GetFactory(spec.Type)
 	if factory == nil {
-		return nil, fmt.Errorf("unsupported authorizer type: %s (registered types: %v)",
+		return nil, nil, fmt.Errorf("unsupported authorizer type: %s (registered types: %v)",
 			spec.Type, authorizers.RegisteredTypes())
 	}
 
-	configKey := factory.ConfigKey()
-
 	if len(spec.Config.Raw) == 0 {
-		return nil, fmt.Errorf("config field is empty")
+		return nil, nil, fmt.Errorf("config field is empty")
 	}
 
 	versionJSON, err := marshalJSONString(authzConfigVersion)
 	if err != nil {
-		return nil, fmt.Errorf("failed to marshal version: %w", err)
+		return nil, nil, fmt.Errorf("failed to marshal version: %w", err)
 	}
 	typeJSON, err := marshalJSONString(spec.Type)
 	if err != nil {
-		return nil, fmt.Errorf("failed to marshal type: %w", err)
+		return nil, nil, fmt.Errorf("failed to marshal type: %w", err)
 	}
 
 	fullConfig := map[string]json.RawMessage{
-		"version": versionJSON,
-		"type":    typeJSON,
-		configKey: spec.Config.Raw,
+		"version":           versionJSON,
+		"type":              typeJSON,
+		factory.ConfigKey(): spec.Config.Raw,
 	}
 
 	result, err := json.Marshal(fullConfig)
 	if err != nil {
-		return nil, fmt.Errorf("failed to marshal full authz config: %w", err)
+		return nil, nil, fmt.Errorf("failed to marshal full authz config: %w", err)
 	}
-	return result, nil
+	return result, factory, nil
 }
 
 // marshalJSONString marshals a string value to JSON, returning an error instead of panicking.

cmd/thv-operator/controllers/mcpauthzconfig_controller_test.go

@@ -101,14 +101,18 @@ func Test_buildFullAuthzConfigJSON(t *testing.T) {
 		t.Run(tt.name, func(t *testing.T) {
 			t.Parallel()
 
-			result, err := buildFullAuthzConfigJSON(tt.spec)
+			result, factory, err := buildFullAuthzConfigJSON(tt.spec)
 
 			if tt.expectError {
 				require.Error(t, err)
+				assert.Nil(t, factory, "factory must be nil when buildFullAuthzConfigJSON errors")
 				return
 			}
 
 			require.NoError(t, err)
+			require.NotNil(t, factory, "factory must accompany a successful build")
+			assert.Equal(t, tt.expectKey, factory.ConfigKey(),
+				"returned factory's ConfigKey must match the nested envelope key")
 
 			var parsed map[string]json.RawMessage
 			require.NoError(t, json.Unmarshal(result, &parsed), "Output must be valid JSON")
@@ -135,9 +139,10 @@ func Test_buildFullAuthzConfigJSON_EmptyConfigRaw(t *testing.T) {
 		Config: runtime.RawExtension{Raw: []byte{}},
 	}
 
-	result, err := buildFullAuthzConfigJSON(spec)
+	result, factory, err := buildFullAuthzConfigJSON(spec)
 	require.Error(t, err)
 	assert.Nil(t, result)
+	assert.Nil(t, factory, "factory must be nil when buildFullAuthzConfigJSON errors")
 	assert.Contains(t, err.Error(), "config field is empty")
 }