fix(server): preserve default runtime auth fallback

Author: abhinav-galileo

server/src/agent_control_server/auth_framework/config.py

@@ -16,8 +16,8 @@
   :class:`NoAuthProvider`, ``api_key`` uses
   :class:`HeaderAuthProvider`, and ``jwt`` uses
   :class:`LocalJwtVerifyProvider`. When the mode is unset, startup
-  preserves historical behavior by selecting ``jwt`` if
-  ``AGENT_CONTROL_RUNTIME_TOKEN_SECRET`` is set, otherwise ``api_key``.
+  selects ``jwt`` if ``AGENT_CONTROL_RUNTIME_TOKEN_SECRET`` is set;
+  otherwise runtime falls through to the default authorizer.
   The ``runtime.token_exchange`` operation continues to flow through
   the default authorizer because the exchange itself is shaped like a
   management call (forward credential, get grant).
@@ -96,10 +96,11 @@ def configure_auth_from_env() -> None:
     Runtime flow:
 
     - ``AGENT_CONTROL_RUNTIME_AUTH_MODE=none``: :class:`NoAuthProvider`.
-    - ``AGENT_CONTROL_RUNTIME_AUTH_MODE=api_key`` (default when no runtime
-      token secret is configured): :class:`HeaderAuthProvider`.
+    - ``AGENT_CONTROL_RUNTIME_AUTH_MODE=api_key``: :class:`HeaderAuthProvider`.
     - ``AGENT_CONTROL_RUNTIME_AUTH_MODE=jwt`` (default when a runtime token
       secret is configured): :class:`LocalJwtVerifyProvider`.
+    - unset mode without a runtime token secret: fall through to the default
+      authorizer.
 
     Clears any previously-installed default and operation overrides
     before installing fresh ones, so reconfiguration cannot leave
@@ -121,20 +122,26 @@ def configure_auth_from_env() -> None:
     set_authorizer(default)
     _active_providers.append(default)
 
-    runtime_provider = _build_runtime_provider(runtime_mode, _runtime_auth_config)
-    set_authorizer(runtime_provider, operation=Operation.RUNTIME_USE)
-    _active_providers.append(runtime_provider)
-    if runtime_mode == "jwt":
+    if runtime_mode == "default":
         _logger.info(
-            "Runtime auth provider: jwt override installed for %s",
+            "Runtime auth provider: default authorizer handles %s",
             Operation.RUNTIME_USE.value,
         )
     else:
-        _logger.info(
-            "Runtime auth provider: %s override installed for %s",
-            runtime_mode,
-            Operation.RUNTIME_USE.value,
-        )
+        runtime_provider = _build_runtime_provider(runtime_mode, _runtime_auth_config)
+        set_authorizer(runtime_provider, operation=Operation.RUNTIME_USE)
+        _active_providers.append(runtime_provider)
+        if runtime_mode == "jwt":
+            _logger.info(
+                "Runtime auth provider: jwt override installed for %s",
+                Operation.RUNTIME_USE.value,
+            )
+        else:
+            _logger.info(
+                "Runtime auth provider: %s override installed for %s",
+                runtime_mode,
+                Operation.RUNTIME_USE.value,
+            )
 
 
 async def teardown_auth() -> None:
@@ -242,7 +249,7 @@ def _parse_extra_forward_headers(raw: str | None) -> tuple[str, ...]:
 def _resolve_runtime_mode() -> str:
     raw = os.environ.get(_RUNTIME_MODE_ENV)
     if raw is None or not raw.strip():
-        return "jwt" if os.environ.get(_RUNTIME_TOKEN_SECRET_ENV) else "api_key"
+        return "jwt" if os.environ.get(_RUNTIME_TOKEN_SECRET_ENV) else "default"
 
     mode = raw.strip().lower()
     if mode in {"none", "no_auth"}:

server/tests/test_auth_framework.py

@@ -7,7 +7,6 @@
 
 import httpx
 import pytest
-
 from agent_control_server.auth_framework.core import (
     Operation,
     Principal,
@@ -700,7 +699,6 @@ def test_runtime_token_rejects_naive_upstream_expires_at():
 def test_runtime_token_rejects_management_token_passed_to_runtime_verify():
     """A token without ``domain=runtime`` must be rejected by runtime verify."""
     import jwt
-
     from agent_control_server.auth_framework.runtime_token import (
         RuntimeTokenError,
         verify_runtime_token,
@@ -1053,13 +1051,13 @@ def test_build_default_provider_accepts_none_mode(monkeypatch):
     assert isinstance(auth_config._build_default_provider(), NoAuthProvider)
 
 
-def test_resolve_runtime_mode_defaults_to_api_key_without_secret(monkeypatch):
+def test_resolve_runtime_mode_defaults_to_default_without_secret(monkeypatch):
     from agent_control_server.auth_framework import config as auth_config
 
     monkeypatch.delenv("AGENT_CONTROL_RUNTIME_AUTH_MODE", raising=False)
     monkeypatch.delenv("AGENT_CONTROL_RUNTIME_TOKEN_SECRET", raising=False)
 
-    assert auth_config._resolve_runtime_mode() == "api_key"
+    assert auth_config._resolve_runtime_mode() == "default"
 
 
 def test_resolve_runtime_mode_defaults_to_jwt_with_secret(monkeypatch):
@@ -1099,6 +1097,44 @@ def test_configure_runtime_api_key_ignores_jwt_secret(monkeypatch):
     assert auth_config.runtime_auth_config() is None
 
 
+def test_configure_runtime_unset_preserves_no_auth_default(monkeypatch):
+    from agent_control_server.auth_framework import config as auth_config
+
+    clear_authorizers()
+
+    monkeypatch.setenv("AGENT_CONTROL_AUTH_MODE", "none")
+    monkeypatch.delenv("AGENT_CONTROL_RUNTIME_AUTH_MODE", raising=False)
+    monkeypatch.delenv("AGENT_CONTROL_RUNTIME_TOKEN_SECRET", raising=False)
+
+    auth_config.configure_auth_from_env()
+
+    assert isinstance(get_authorizer(Operation.RUNTIME_USE), NoAuthProvider)
+    assert auth_config.runtime_auth_config() is None
+
+
+@pytest.mark.asyncio
+async def test_configure_runtime_unset_preserves_http_upstream_default(monkeypatch):
+    from agent_control_server.auth_framework import config as auth_config
+
+    clear_authorizers()
+
+    monkeypatch.setenv("AGENT_CONTROL_AUTH_MODE", "http_upstream")
+    monkeypatch.setenv("AGENT_CONTROL_AUTH_UPSTREAM_URL", "https://auth.example.test/check")
+    monkeypatch.delenv("AGENT_CONTROL_RUNTIME_AUTH_MODE", raising=False)
+    monkeypatch.delenv("AGENT_CONTROL_RUNTIME_TOKEN_SECRET", raising=False)
+
+    try:
+        auth_config.configure_auth_from_env()
+
+        default_provider = get_authorizer(Operation.CONTROLS_READ)
+        runtime_provider = get_authorizer(Operation.RUNTIME_USE)
+        assert isinstance(default_provider, HttpUpstreamAuthProvider)
+        assert runtime_provider is default_provider
+        assert auth_config.runtime_auth_config() is None
+    finally:
+        await auth_config.teardown_auth()
+
+
 @pytest.mark.asyncio
 async def test_configure_http_upstream_management_with_jwt_runtime(monkeypatch):
     from agent_control_server.auth_framework import config as auth_config