Skip to content

feat(sdk): add runtime token auth#215

Merged
abhinav-galileo merged 10 commits into
mainfrom
abhi/python-sdk-runtime-auth
May 15, 2026
Merged

feat(sdk): add runtime token auth#215
abhinav-galileo merged 10 commits into
mainfrom
abhi/python-sdk-runtime-auth

Conversation

@abhinav-galileo
Copy link
Copy Markdown
Collaborator

@abhinav-galileo abhinav-galileo commented May 7, 2026
edited
Loading

Summary

  • Add Python SDK runtime auth modes: auto, none, api_key, and jwt.
  • Exchange target-bound runtime tokens for target-bearing evaluation requests.
  • Cache runtime tokens per target, refresh before expiry, and retry once after a rejected runtime JWT.
  • Keep no-target, no-auth, and API-key evaluation paths unchanged.
  • Make the API-key header name configurable.

Stack

Testing

  • make prepush

@abhinav-galileo abhinav-galileo changed the title feat(sdk-python): add runtime token auth feat(sdk): add runtime token auth May 7, 2026
@codecov
Copy link
Copy Markdown

codecov Bot commented May 7, 2026
edited
Loading

Codecov Report

❌ Patch coverage is 92.97753% with 25 lines in your changes missing coverage. Please review.

Files with missing lines Patch % Lines
sdks/python/src/agent_control/__init__.py 59.25% 11 Missing ⚠️
sdks/python/src/agent_control/runtime_auth.py 93.75% 11 Missing ⚠️
sdks/python/src/agent_control/client.py 98.29% 2 Missing ⚠️
...rc/agent_control/integrations/google_adk/plugin.py 0.00% 1 Missing ⚠️

📢 Thoughts on this report? Let us know!

@abhinav-galileo abhinav-galileo force-pushed the abhi/python-sdk-runtime-auth branch 2 times, most recently from 4fffcf2 to 99c86cf Compare May 7, 2026 17:41
@abhinav-galileo abhinav-galileo force-pushed the abhi/runtime-auth-namespace-cutover branch from 09cb289 to 19fa65c Compare May 7, 2026 18:24
@abhinav-galileo abhinav-galileo force-pushed the abhi/python-sdk-runtime-auth branch 3 times, most recently from d52fb6b to 1485279 Compare May 8, 2026 11:22
This was referenced May 8, 2026
Merged
Merged
@abhinav-galileo abhinav-galileo force-pushed the abhi/runtime-auth-namespace-cutover branch from 259397b to 097b42d Compare May 8, 2026 15:28
@abhinav-galileo abhinav-galileo force-pushed the abhi/python-sdk-runtime-auth branch 2 times, most recently from 73bd51c to 3894dd0 Compare May 8, 2026 16:07
@abhinav-galileo abhinav-galileo force-pushed the abhi/runtime-auth-namespace-cutover branch from af54543 to 479ca86 Compare May 8, 2026 16:57
@abhinav-galileo abhinav-galileo force-pushed the abhi/python-sdk-runtime-auth branch from d4b8a66 to a9796b6 Compare May 8, 2026 16:58
@abhinav-galileo abhinav-galileo marked this pull request as ready for review May 8, 2026 18:36
@abhinav-galileo abhinav-galileo force-pushed the abhi/python-sdk-runtime-auth branch 3 times, most recently from e934f08 to df2bb43 Compare May 11, 2026 10:33
@abhinav-galileo abhinav-galileo force-pushed the abhi/runtime-auth-namespace-cutover branch from dce333a to 69aaa49 Compare May 11, 2026 12:00
@abhinav-galileo abhinav-galileo force-pushed the abhi/python-sdk-runtime-auth branch from df2bb43 to 527a0a9 Compare May 11, 2026 12:00
@abhinav-galileo abhinav-galileo force-pushed the abhi/runtime-auth-namespace-cutover branch from 69aaa49 to 4b778e3 Compare May 12, 2026 08:23
@abhinav-galileo abhinav-galileo force-pushed the abhi/python-sdk-runtime-auth branch 3 times, most recently from 585f6ba to 9b84888 Compare May 12, 2026 10:24
@abhinav-galileo abhinav-galileo force-pushed the abhi/runtime-auth-namespace-cutover branch from aa0bcce to 071a63a Compare May 14, 2026 18:22
@abhinav-galileo abhinav-galileo force-pushed the abhi/python-sdk-runtime-auth branch from 9b84888 to 26770a3 Compare May 14, 2026 18:22
@abhinav-galileo abhinav-galileo force-pushed the abhi/runtime-auth-namespace-cutover branch from 071a63a to fe8488e Compare May 14, 2026 18:32
@abhinav-galileo abhinav-galileo force-pushed the abhi/python-sdk-runtime-auth branch 3 times, most recently from 31f40bf to 4e0e0d1 Compare May 15, 2026 09:12
@abhinav-galileo abhinav-galileo force-pushed the abhi/runtime-auth-namespace-cutover branch from ec82ad3 to c67ea44 Compare May 15, 2026 09:18
@abhinav-galileo abhinav-galileo force-pushed the abhi/python-sdk-runtime-auth branch 2 times, most recently from 6941db1 to 83f9c2b Compare May 15, 2026 11:35
abhinav-galileo added a commit that referenced this pull request May 15, 2026
@abhinav-galileo
feat(server): migrate controls routes to auth framework (#212)
764bd4b 
## Summary

- Move `/controls` and `/control-templates/render` onto operation-based
auth.
- Keep `GET /controls/schema` public because it returns static metadata.
- Require `CONTROLS_CREATE` for validate and render because both use the
authoring path.
- Preserve no-auth deployment mode.

## Behavior Change

- `POST /controls/validate` and `POST /control-templates/render` now
require create access under the default header provider.

## Testing

- `make prepush` on the stacked branch in #215.
@abhinav-galileo abhinav-galileo force-pushed the abhi/python-sdk-runtime-auth branch from 83f9c2b to 978d4c7 Compare May 15, 2026 11:43
@abhinav-galileo abhinav-galileo force-pushed the abhi/runtime-auth-namespace-cutover branch from 1272698 to 8163931 Compare May 15, 2026 11:46
@abhinav-galileo abhinav-galileo force-pushed the abhi/python-sdk-runtime-auth branch from 978d4c7 to 00ce671 Compare May 15, 2026 11:47
Base automatically changed from abhi/runtime-auth-namespace-cutover to main May 15, 2026 12:08
@abhinav-galileo abhinav-galileo force-pushed the abhi/python-sdk-runtime-auth branch from 00ce671 to 905d126 Compare May 15, 2026 12:18
@abhinav-galileo
feat(sdk-python): add runtime token auth
23a5bae 
Exchange target-bound runtime tokens for evaluation requests when configured, cache them per target, and retry once after a 401.

Keep no-auth and API-key runtime flows on the existing request-auth path when token exchange is unavailable or disabled.
@abhinav-galileo
feat(sdk): make API key header name configurable
7827fec 
Default stays X-API-Key; pass api_key_header=... or set
AGENT_CONTROL_API_KEY_HEADER to override when the upstream auth
expects a different header.
@abhinav-galileo
fix(sdk): honor API key header for observability
4e648af
@abhinav-galileo
fix(sdk): keep JWT runtime evaluation target-bound
c8f0a97
@abhinav-galileo
fix(sdk): propagate custom API key header
87326cb
@abhinav-galileo
docs(sdk): note strict JWT runtime target requirement
b6b696f
@abhinav-galileo
fix(sdk): forward target context from decorators
7f4d71b
@abhinav-galileo
fix(sdk): harden runtime token auth
e2fd2c5
@abhinav-galileo
fix(sdk): bound runtime auth fallback cache
8c5677f
@abhinav-galileo
fix(sdk): isolate runtime auth client cache
3c958fb
@abhinav-galileo abhinav-galileo force-pushed the abhi/python-sdk-runtime-auth branch from 905d126 to 3c958fb Compare May 15, 2026 14:38
@abhinav-galileo abhinav-galileo merged commit 6cc0f38 into main May 15, 2026
6 checks passed
@abhinav-galileo abhinav-galileo deleted the abhi/python-sdk-runtime-auth branch May 15, 2026 15:42
galileo-automation pushed a commit that referenced this pull request May 28, 2026
@semantic-release-bot
chore(release): ts sdk v2.6.0 [skip ci]
a953da5 
## [2.6.0](ts-sdk-v2.5.0...ts-sdk-v2.6.0) (2026-05-28)

### Features

* **evaluators:** add new lluna client ([#213](#213)) ([f65beb9](f65beb9))
* **sdk:** add otel support ([#177](#177)) ([9530368](9530368))
* **sdk:** add runtime token auth ([#215](#215)) ([6cc0f38](6cc0f38))
* **server:** add control clone-and-bind endpoint ([#229](#229)) ([1728bf9](1728bf9))
* **server:** add runtime auth and namespace scoping ([#214](#214)) ([56e44fe](56e44fe))
* **server:** allow host-owned logging setup ([#227](#227)) ([c0fd159](c0fd159))
* **server:** bundle migrations in wheel and add agent-control-migrate ([#209](#209)) ([8c5c35e](8c5c35e))
* **server:** migrate controls routes to auth framework ([#212](#212)) ([764bd4b](764bd4b))

### Bug Fixes

* **examples:** declare local SDK workspace deps ([#222](#222)) ([d22aa1d](d22aa1d))
* **sdk:**  Get trace context from provider ([#211](#211)) ([1efe30f](1efe30f))
* **sdk-ts:** normalize generated client ([#231](#231)) ([1c097d2](1c097d2))
* **server:** make observability migration retry-safe ([#226](#226)) ([b9dd00d](b9dd00d))
* **server:** prevent migration lock transactions ([#224](#224)) ([e65a2f4](e65a2f4))
* **server:** scope auth upstream CA to HTTP provider ([#232](#232)) ([7a0ce21](7a0ce21))
* **ui:** fix editing of controls in the UI ([#218](#218)) ([981e33d](981e33d)), closes [#Risk](https://github.com/agentcontrol/agent-control/issues/Risk)
@galileo-automation
Copy link
Copy Markdown
Collaborator

galileo-automation commented May 28, 2026

🎉 This PR is included in version 2.6.0 🎉

The release is available on:

Your semantic-release bot 📦🚀

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@namrataghadi-galileo namrataghadi-galileo namrataghadi-galileo approved these changes

@lan17 lan17 Awaiting requested review from lan17

Assignees

No one assigned

Labels

released

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@abhinav-galileo @galileo-automation @namrataghadi-galileo