feat(server): migrate controls routes to auth framework#212
Merged
Conversation
Codecov Report✅ All modified and coverable lines are covered by tests. 📢 Thoughts on this report? Let us know! |
abhinav-galileo
changed the title
abhinav-galileo
force-pushed
the
abhi/controls-auth-framework
branch
from
ad586bb to
3a5b7e4
Compare
abhinav-galileo
force-pushed
the
abhi/controls-auth-framework
branch
2 times, most recently
from
e75cbb7 to
2935d2d
Compare
namrataghadi-galileo
approved these changes
May 14, 2026
abhinav-galileo
force-pushed
the
abhi/controls-auth-framework
branch
from
2935d2d to
0a8aeb6
Compare
Mirrors #204's bindings migration: replaces require_admin_key and router-level require_api_key with require_operation(CONTROLS_*) on every protected route on /controls and on /control-templates/render. Both routers now mount with the non-validating get_api_key_from_header so the framework owns authentication and authorization, with the extractor attached purely so the generated OpenAPI advertises X-API-Key. GET /controls/schema is intentionally left without a require_operation dependency: it returns a static model schema with no tenant state and routing it through the framework would force the upstream provider to handle a meta-only operation that has no permission semantics. POST /controls/validate and POST /control-templates/render are wired to CONTROLS_CREATE rather than CONTROLS_READ. Both exercise the authoring materialization path and exist to support the create / set- data flow; a caller who cannot create controls has no use for the result. Backwards-incompatible for OSS deployments that previously called these routes with non-admin keys; deployments that want the old behavior can override with HeaderAuthProvider(operation_access={...}). Storage namespace continues to come from get_namespace_key, matching the bindings migration in #204. The unified principal-derived cutover across /controls, /policies, /agents, and /evaluation is a follow-up.
…utes Move auth-framework rationale on /controls/schema, /controls/validate, and /control-templates/render from route docstrings into normal code comments. The docstrings flow into the generated TypeScript SDK as public API documentation, so internal terminology like ``require_operation`` and "upstream authorizer" should not appear there. Function-level comments preserve the rationale for readers of the source. Also remove the skipped placeholder test for the project-scoped credential deny scenario; that scenario depends on a deployment-side provider configuration that is not part of the OSS server, so tracking it as a permanent skipped test in this repo was the wrong home for it. Regenerate the TypeScript SDK to drop the leaked rationale lines.
abhinav-galileo
force-pushed
the
abhi/controls-auth-framework
branch
from
fba36df to
3cd0ee1
Compare
galileo-automation
pushed a commit
that referenced
this pull request
May 28, 2026
## [2.6.0](ts-sdk-v2.5.0...ts-sdk-v2.6.0) (2026-05-28) ### Features * **evaluators:** add new lluna client ([#213](#213)) ([f65beb9](f65beb9)) * **sdk:** add otel support ([#177](#177)) ([9530368](9530368)) * **sdk:** add runtime token auth ([#215](#215)) ([6cc0f38](6cc0f38)) * **server:** add control clone-and-bind endpoint ([#229](#229)) ([1728bf9](1728bf9)) * **server:** add runtime auth and namespace scoping ([#214](#214)) ([56e44fe](56e44fe)) * **server:** allow host-owned logging setup ([#227](#227)) ([c0fd159](c0fd159)) * **server:** bundle migrations in wheel and add agent-control-migrate ([#209](#209)) ([8c5c35e](8c5c35e)) * **server:** migrate controls routes to auth framework ([#212](#212)) ([764bd4b](764bd4b)) ### Bug Fixes * **examples:** declare local SDK workspace deps ([#222](#222)) ([d22aa1d](d22aa1d)) * **sdk:** Get trace context from provider ([#211](#211)) ([1efe30f](1efe30f)) * **sdk-ts:** normalize generated client ([#231](#231)) ([1c097d2](1c097d2)) * **server:** make observability migration retry-safe ([#226](#226)) ([b9dd00d](b9dd00d)) * **server:** prevent migration lock transactions ([#224](#224)) ([e65a2f4](e65a2f4)) * **server:** scope auth upstream CA to HTTP provider ([#232](#232)) ([7a0ce21](7a0ce21)) * **ui:** fix editing of controls in the UI ([#218](#218)) ([981e33d](981e33d)), closes [#Risk](https://github.com/agentcontrol/agent-control/issues/Risk)
Collaborator
|
🎉 This PR is included in version 2.6.0 🎉 The release is available on: Your semantic-release bot 📦🚀 |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
3 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
/controlsand/control-templates/renderonto operation-based auth.GET /controls/schemapublic because it returns static metadata.CONTROLS_CREATEfor validate and render because both use the authoring path.Behavior Change
POST /controls/validateandPOST /control-templates/rendernow require create access under the default header provider.Testing
make prepushon the stacked branch in feat(sdk): add runtime token auth #215.