fix(server): align controls auth metadata

Author: abhinav-galileo

server/src/agent_control_server/endpoints/controls.py

@@ -551,6 +551,7 @@ async def create_control(
     response_model=GetControlSchemaResponse,
     summary="Get control definition JSON schema",
     response_description="JSON schema for ControlDefinition",
+    openapi_extra={"security": []},
 )
 # Public schema metadata: no tenant state, no auth operation.
 async def get_control_schema() -> GetControlSchemaResponse:

server/src/agent_control_server/main.py

@@ -347,6 +347,15 @@ def custom_openapi() -> dict[str, Any]:
     if "JSONValue" in schemas:
         schemas["JSONValue"] = {"description": "Any JSON value"}
 
+    controls_schema_path = f"{api_v1_prefix}/controls/schema"
+    controls_schema_operation = (
+        openapi_schema.get("paths", {})
+        .get(controls_schema_path, {})
+        .get("get")
+    )
+    if isinstance(controls_schema_operation, dict):
+        controls_schema_operation["security"] = []
+
     app.openapi_schema = openapi_schema
     return app.openapi_schema
 

server/tests/test_controls_auth.py

@@ -16,6 +16,34 @@
 _TEMPLATES_URL = "/api/v1/control-templates"
 
 
+def _valid_template_render_payload() -> dict[str, object]:
+    return {
+        "template": {
+            "description": "Regex denial template",
+            "parameters": {
+                "pattern": {
+                    "type": "regex_re2",
+                    "label": "Pattern",
+                },
+            },
+            "definition_template": {
+                "description": "Template-backed control",
+                "execution": "server",
+                "scope": {"step_types": ["llm"], "stages": ["pre"]},
+                "condition": {
+                    "selector": {"path": "input"},
+                    "evaluator": {
+                        "name": "regex",
+                        "config": {"pattern": {"$param": "pattern"}},
+                    },
+                },
+                "action": {"decision": "deny"},
+            },
+        },
+        "template_values": {"pattern": "hello"},
+    }
+
+
 def _create_control(client: TestClient, name: str | None = None) -> int:
     payload = {
         "name": name or f"control-{uuid.uuid4().hex[:12]}",
@@ -65,6 +93,13 @@ def test_schema_endpoint_reachable_with_non_admin_key(
     assert resp.status_code == 200, resp.text
 
 
+def test_schema_endpoint_openapi_is_public(client: TestClient) -> None:
+    schema = client.app.openapi()
+
+    operation = schema["paths"][f"{_CONTROLS_URL}/schema"]["get"]
+    assert operation.get("security") == []
+
+
 # ---------------------------------------------------------------------------
 # CONTROLS_READ operations: AUTHENTICATED suffices.
 # ---------------------------------------------------------------------------
@@ -209,7 +244,7 @@ def test_non_admin_cannot_validate_control_data(
         json={"data": VALID_CONTROL_PAYLOAD},
     )
 
-    # Then: validation is admin-only
+    # Then: validation requires CONTROLS_CREATE.
     assert resp.status_code == 403, resp.text
 
 
@@ -218,10 +253,10 @@ def test_non_admin_cannot_render_template(non_admin_client: TestClient) -> None:
     # When: a non-admin attempts to render a template
     resp = non_admin_client.post(
         f"{_TEMPLATES_URL}/render",
-        json={"template": {}, "template_values": {}},
+        json=_valid_template_render_payload(),
     )
 
-    # Then: rendering is admin-only
+    # Then: rendering requires CONTROLS_CREATE.
     assert resp.status_code == 403, resp.text
 
 
@@ -275,7 +310,7 @@ def test_unauthenticated_cannot_render_template(
     # When: a client without credentials attempts to render
     resp = unauthenticated_client.post(
         f"{_TEMPLATES_URL}/render",
-        json={"template": {}, "template_values": {}},
+        json=_valid_template_render_payload(),
     )
 
     # Then: the request is rejected
@@ -311,4 +346,3 @@ def test_no_auth_mode_allows_writes_without_credentials(
     # Then: the create succeeds because auth is disabled at the provider
     assert resp.status_code == 200, resp.text
     assert "control_id" in resp.json()
-