feat(server): add runtime auth and namespace scoping #214
Open
abhinav-galileo wants to merge 5 commits into abhi/controls-auth-framework from
Add explicit none, api_key, and jwt runtime auth modes, including a generic no-auth provider. Move controls, bindings, policies, agents, and evaluation storage lookups onto principal namespace scoping. Cover auth mode selection and principal namespace isolation with server tests.
…stream

The default forward set (X-API-Key, Authorization, Cookie) only covers credential headers Agent Control itself reads. Deployments whose upstream authenticates against a different header name (e.g., a deployer-specific API-key header) had no way to surface that credential through HttpUpstreamAuthProvider — the inbound header reached AC but never crossed the upstream call.

Add an extra_forward_headers config field on HttpUpstreamConfig (defaulting to the empty tuple) that operators populate via the new AGENT_CONTROL_AUTH_UPSTREAM_EXTRA_FORWARD_HEADERS env var (comma-separated). The provider's _forward_headers iterates over the union of the default set and the extras, deduplicating case-insensitively so a duplicate name (cross-set or within extras) does not produce two copies on the wire.

Tests:
- forwards a configured extra header alongside defaults
- default forward set unchanged when extras are empty
- extras dedupe against defaults case-insensitively
- _parse_extra_forward_headers parametric: None / empty / single / multiple / whitespace / empty-entries / case-folded duplicates
- configure_auth_from_env threads the parsed tuple onto the provider

Lint clean, typecheck clean, full server suite (747) green.
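The forwarding behaviour this commit message describes, as an added sketch that is not code from this pull request. The function bodies, the first-spelling-wins dedupe rule and the `X-Tenant-Key` header are assumptions made for illustration; only the default header names come from the message.

```python
from __future__ import annotations

# Default set named in the commit message.
DEFAULT_FORWARD_HEADERS = ("X-API-Key", "Authorization", "Cookie")


def parse_extra_forward_headers(raw: str | None) -> tuple[str, ...]:
    """Parse a comma-separated env value into a tuple of header names.

    Hypothetical stand-in for the PR's parser: trims whitespace, drops
    empty entries, and dedupes case-insensitively (first spelling wins).
    """
    if not raw:
        return ()
    seen: set[str] = set()
    names: list[str] = []
    for part in raw.split(","):
        name = part.strip()
        if not name or name.lower() in seen:
            continue
        seen.add(name.lower())
        names.append(name)
    return tuple(names)


def forward_headers(inbound: dict[str, str],
                    extras: tuple[str, ...] = ()) -> dict[str, str]:
    """Copy only allowlisted headers from the inbound request.

    Iterates the union of defaults and extras, matching names
    case-insensitively so no header is emitted twice upstream.
    """
    inbound_ci = {k.lower(): v for k, v in inbound.items()}
    seen: set[str] = set()
    forwarded: dict[str, str] = {}
    for name in (*DEFAULT_FORWARD_HEADERS, *extras):
        key = name.lower()
        if key in seen:
            continue  # duplicate across sets or within extras
        seen.add(key)
        if key in inbound_ci:
            forwarded[name] = inbound_ci[key]
    return forwarded


# Constructed sample request: one default credential header, one
# deployer-specific header, and one header that must not be forwarded.
SAMPLE_INBOUND = {"authorization": "Bearer constructed-token",
                  "X-Tenant-Key": "constructed-key", "X-Debug": "1"}
```

Anything not in the default set or the configured extras, such as `X-Debug` in the sample, stays off the upstream call.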
Summary
none, api_key, and jwt.
Stack
Testing
make prepush on the stacked branch in feat(sdk): add runtime token auth #215.