
feat(server): add runtime auth and namespace scoping #214

Merged
abhinav-galileo merged 20 commits into main from abhi/runtime-auth-namespace-cutover
May 15, 2026
Collaborator

@abhinav-galileo abhinav-galileo commented May 7, 2026

Summary

  • Add explicit runtime auth modes: none, api_key, and jwt.
  • Scope controls, bindings, policies, agents, and evaluation by the authenticated principal namespace.
  • Authorize runtime token exchange and runtime evaluation with target context.
  • Add configurable extra forwarded headers for HTTP upstream auth.

Stack

Testing

codecov Bot commented May 7, 2026

@abhinav-galileo abhinav-galileo force-pushed the abhi/runtime-auth-namespace-cutover branch from 09cb289 to 19fa65c Compare May 7, 2026 18:24
@abhinav-galileo abhinav-galileo changed the title feat(server): add runtime auth namespace cutover feat(server): add runtime auth and namespace scoping May 8, 2026
@abhinav-galileo abhinav-galileo force-pushed the abhi/controls-auth-framework branch from ad586bb to 3a5b7e4 Compare May 8, 2026 15:28
@abhinav-galileo abhinav-galileo force-pushed the abhi/runtime-auth-namespace-cutover branch 2 times, most recently from af54543 to 479ca86 Compare May 8, 2026 16:57
@abhinav-galileo abhinav-galileo marked this pull request as ready for review May 8, 2026 18:36
@abhinav-galileo abhinav-galileo force-pushed the abhi/controls-auth-framework branch from 8312b99 to e75cbb7 Compare May 11, 2026 12:00
@abhinav-galileo abhinav-galileo force-pushed the abhi/runtime-auth-namespace-cutover branch from dce333a to 69aaa49 Compare May 11, 2026 12:00
Comment thread server/src/agent_control_server/auth_framework/providers/local_jwt.py Outdated
Comment thread server/src/agent_control_server/main.py Outdated
Comment thread server/src/agent_control_server/endpoints/evaluation.py
Comment thread server/tests/test_principal_namespace_flow.py
Comment thread server/src/agent_control_server/services/controls.py Outdated
Comment thread server/src/agent_control_server/auth_framework/config.py
@abhinav-galileo abhinav-galileo force-pushed the abhi/controls-auth-framework branch from e75cbb7 to 2935d2d Compare May 12, 2026 08:22
@abhinav-galileo abhinav-galileo force-pushed the abhi/runtime-auth-namespace-cutover branch from 69aaa49 to 4b778e3 Compare May 12, 2026 08:23
@abhinav-galileo abhinav-galileo force-pushed the abhi/controls-auth-framework branch from 2935d2d to 0a8aeb6 Compare May 14, 2026 18:22
@abhinav-galileo abhinav-galileo force-pushed the abhi/runtime-auth-namespace-cutover branch 3 times, most recently from fe8488e to 2a17f73 Compare May 14, 2026 18:39
Comment thread server/src/agent_control_server/observability/store/base.py Outdated
@abhinav-galileo abhinav-galileo force-pushed the abhi/controls-auth-framework branch from fba36df to 3cd0ee1 Compare May 15, 2026 08:29
@abhinav-galileo abhinav-galileo force-pushed the abhi/runtime-auth-namespace-cutover branch 2 times, most recently from ec82ad3 to c67ea44 Compare May 15, 2026 09:18
Base automatically changed from abhi/controls-auth-framework to main May 15, 2026 11:37
Add explicit none, api_key, and jwt runtime auth modes, including a generic no-auth provider.

Move controls, bindings, policies, agents, and evaluation storage lookups onto principal namespace scoping.

Cover auth mode selection and principal namespace isolation with server tests.
…stream

The default forward set (X-API-Key, Authorization, Cookie) only covers
credential headers Agent Control itself reads. Deployments whose
upstream authenticates against a different header name (e.g., a
deployer-specific API-key header) had no way to surface that
credential through HttpUpstreamAuthProvider — the inbound header
reached AC but never crossed the upstream call.

Add an extra_forward_headers config field on HttpUpstreamConfig
(defaulting to the empty tuple) that operators populate via the new
AGENT_CONTROL_AUTH_UPSTREAM_EXTRA_FORWARD_HEADERS env var (comma-
separated). The provider's _forward_headers iterates over the union
of the default set and the extras, deduplicating case-insensitively
so a duplicate name (cross-set or within extras) does not produce two
copies on the wire.

Tests:
- forwards a configured extra header alongside defaults
- default forward set unchanged when extras are empty
- extras dedupe against defaults case-insensitively
- _parse_extra_forward_headers parametric: None / empty / single /
  multiple / whitespace / empty-entries / case-folded duplicates
- configure_auth_from_env threads the parsed tuple onto the provider

Lint clean, typecheck clean, full server suite (747) green.
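
The parsing and case-insensitive deduplication described in the commit message above, as an added sketch that is not the project's code. The function names, `SAMPLE_INBOUND` and the `X-Tenant-Key` header are assumptions for illustration; only the default header set and the described behaviour come from the page.

```python
from __future__ import annotations

from collections.abc import Iterable, Mapping

# Default forward set as listed in the commit message.
DEFAULT_FORWARD_HEADERS = ("X-API-Key", "Authorization", "Cookie")

# Constructed sample request; "X-Tenant-Key" is a made-up header name.
SAMPLE_INBOUND = {
    "x-api-key": "k-123",
    "X-Tenant-Key": "t-456",
    "User-Agent": "curl/8.0",
}


def parse_extra_forward_headers(raw: str | None) -> tuple[str, ...]:
    """Parse a comma-separated list: trim, drop empties, dedupe by folded name."""
    if not raw:
        return ()
    seen: set[str] = set()
    names: list[str] = []
    for entry in raw.split(","):
        name = entry.strip()
        key = name.casefold()
        if not name or key in seen:
            continue
        seen.add(key)
        names.append(name)
    return tuple(names)


def select_forward_headers(
    inbound: Mapping[str, str], extras: Iterable[str] = ()
) -> dict[str, str]:
    """Return only allowlisted inbound headers, one copy per header name."""
    # Header names are case-insensitive, so index the request by folded name.
    inbound_by_key = {k.casefold(): v for k, v in inbound.items()}
    forwarded: dict[str, str] = {}
    seen: set[str] = set()
    for name in (*DEFAULT_FORWARD_HEADERS, *extras):
        key = name.casefold()
        if key in seen:
            continue  # duplicate across defaults/extras or within extras
        seen.add(key)
        if key in inbound_by_key:
            forwarded[name] = inbound_by_key[key]
    return forwarded
```

Headers outside the default set and the configured extras (here `User-Agent`) are never copied onto the upstream call, so the extras list works as an allowlist.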
@abhinav-galileo abhinav-galileo force-pushed the abhi/runtime-auth-namespace-cutover branch from 1272698 to 8163931 Compare May 15, 2026 11:46
@abhinav-galileo abhinav-galileo merged commit 56e44fe into main May 15, 2026
6 checks passed
@abhinav-galileo abhinav-galileo deleted the abhi/runtime-auth-namespace-cutover branch May 15, 2026 12:08
galileo-automation pushed a commit that referenced this pull request May 28, 2026
## [2.6.0](ts-sdk-v2.5.0...ts-sdk-v2.6.0) (2026-05-28)

### Features

* **evaluators:** add new lluna client ([#213](#213)) ([f65beb9](f65beb9))
* **sdk:** add otel support ([#177](#177)) ([9530368](9530368))
* **sdk:** add runtime token auth ([#215](#215)) ([6cc0f38](6cc0f38))
* **server:** add control clone-and-bind endpoint ([#229](#229)) ([1728bf9](1728bf9))
* **server:** add runtime auth and namespace scoping ([#214](#214)) ([56e44fe](56e44fe))
* **server:** allow host-owned logging setup ([#227](#227)) ([c0fd159](c0fd159))
* **server:** bundle migrations in wheel and add agent-control-migrate ([#209](#209)) ([8c5c35e](8c5c35e))
* **server:** migrate controls routes to auth framework ([#212](#212)) ([764bd4b](764bd4b))

### Bug Fixes

* **examples:** declare local SDK workspace deps ([#222](#222)) ([d22aa1d](d22aa1d))
* **sdk:** Get trace context from provider ([#211](#211)) ([1efe30f](1efe30f))
* **sdk-ts:** normalize generated client ([#231](#231)) ([1c097d2](1c097d2))
* **server:** make observability migration retry-safe ([#226](#226)) ([b9dd00d](b9dd00d))
* **server:** prevent migration lock transactions ([#224](#224)) ([e65a2f4](e65a2f4))
* **server:** scope auth upstream CA to HTTP provider ([#232](#232)) ([7a0ce21](7a0ce21))
* **ui:** fix editing of controls in the UI ([#218](#218)) ([981e33d](981e33d)), closes [#Risk](https://github.com/agentcontrol/agent-control/issues/Risk)
Collaborator

🎉 This PR is included in version 2.6.0 🎉

The release is available on:

Your semantic-release bot 📦🚀
