feat(server): add runtime auth and namespace scoping

sdks/typescript/src/generated/funcs/agents-get-evaluator.ts

@@ -37,8 +37,7 @@ import { Result } from "../types/fp.js";
  *     agent_name: Agent identifier
  *     evaluator_name: Name of the evaluator
  *     db: Database session (injected)
- *     namespace_key: Resolved namespace; agents in another namespace
- *         return 404 (non-disclosing).
+ *     principal: Authorized request principal
  *
  * Returns:
  *     EvaluatorSchemaItem with schema details

sdks/typescript/src/generated/funcs/agents-get.ts

@@ -38,8 +38,7 @@ import { Result } from "../types/fp.js";
  * Args:
  *     agent_name: Agent identifier
  *     db: Database session (injected)
- *     namespace_key: Resolved namespace; agents in another namespace
- *         return 404 (non-disclosing).
+ *     principal: Authorized request principal
  *
  * Returns:
  *     GetAgentResponse with agent metadata and step list

sdks/typescript/src/generated/funcs/agents-init.ts

@@ -51,6 +51,7 @@ import { Result } from "../types/fp.js";
  * Args:
  *     request: Agent metadata and step schemas
  *     db: Database session (injected)
+ *     principal: Authorized request principal
  *
  * Returns:
  *     InitAgentResponse with created flag and the effective controls

sdks/typescript/src/generated/funcs/agents-list-controls.ts

@@ -53,7 +53,7 @@ import { Result } from "../types/fp.js";
  *     target_type: Optional opaque target kind (paired with target_id)
  *     target_id: Optional opaque target identifier (paired with target_type)
  *     db: Database session (injected)
- *     namespace_key: Namespace scoping for the resolution (injected)
+ *     principal: Authorized request principal
  *
  * Returns:
  *     AgentControlsResponse with controls matching the requested state filters

sdks/typescript/src/generated/funcs/agents-list-evaluators.ts

@@ -42,8 +42,7 @@ import { Result } from "../types/fp.js";
  *     cursor: Optional cursor for pagination (name of last evaluator from previous page)
  *     limit: Pagination limit (default 20, max 100)
  *     db: Database session (injected)
- *     namespace_key: Resolved namespace; agents in another namespace
- *         return 404 (non-disclosing).
+ *     principal: Authorized request principal
  *
  * Returns:
  *     ListEvaluatorsResponse with evaluator schemas and pagination

sdks/typescript/src/generated/funcs/agents-list.ts

@@ -42,7 +42,7 @@ import { Result } from "../types/fp.js";
  *     limit: Pagination limit (default 20, max 100)
  *     name: Optional name filter (case-insensitive partial match)
  *     db: Database session (injected)
- *     namespace_key: Resolved namespace for the request
+ *     principal: Authorized request principal
  *
  * Returns:
  *     ListAgentsResponse with agent summaries and pagination info

sdks/typescript/src/generated/funcs/agents-update.ts

@@ -40,6 +40,7 @@ import { Result } from "../types/fp.js";
  *     agent_name: Agent identifier
  *     request: Lists of step/evaluator identifiers to remove
  *     db: Database session (injected)
+ *     principal: Authorized request principal
  *
  * Returns:
  *     PatchAgentResponse with lists of actually removed items

sdks/typescript/src/generated/funcs/auth-runtime-token-exchange.ts

@@ -32,11 +32,10 @@ import { Result } from "../types/fp.js";
  * @remarks
  * Mint a short-lived runtime token for the requested target.
  *
- * The caller's credential is authenticated and authorized by the
- * installed default authorizer; the resulting :class:`Principal`
- * supplies the actor identity and (when the upstream surfaces it)
- * the grant scopes and expiry. This endpoint then mints a local HS256
- * token whose lifetime cannot outlive the upstream grant.
+ * The caller's credential is authenticated and authorized before the
+ * resolved principal supplies the actor identity, grant scopes, and
+ * expiry. This endpoint then mints a local HS256 token whose lifetime
+ * cannot outlive the grant.
  *
  * Runtime auth must be enabled via
  * ``AGENT_CONTROL_RUNTIME_TOKEN_SECRET``; otherwise the endpoint

sdks/typescript/src/generated/funcs/control-bindings-create.ts

@@ -32,12 +32,8 @@ import { Result } from "../types/fp.js";
  * @remarks
  * Attach a control to an opaque external target.
  *
- * Each binding row is scoped to the request namespace as resolved by
- * ``get_namespace_key``. The auth chain still runs via
- * ``require_operation`` for authentication and authorization, but the
- * storage namespace is taken from the same resolver the rest of the
- * server uses so binding writes and runtime reads stay in lockstep
- * until auth-derived namespace resolution lands across every endpoint.
+ * Each binding row is scoped to the namespace associated with the
+ * authenticated request.
  */
 export function controlBindingsCreate(
   client: AgentControlSDKCore,

sdks/typescript/src/generated/funcs/control-bindings-delete.ts

@@ -36,7 +36,7 @@ import { Result } from "../types/fp.js";
  * See the GET-by-id docstring for the authorization scope: this route
  * is namespace-wide because the target identifiers are not available
  * before the binding is loaded. Use ``POST /by-key:delete`` for
- * target-scoped detach that forwards the target to the authorizer.
+ * target-scoped detach that includes the target in the request context.
  */
 export function controlBindingsDelete(
   client: AgentControlSDKCore,

sdks/typescript/src/generated/funcs/control-bindings-get.ts

@@ -34,12 +34,11 @@ import { Result } from "../types/fp.js";
  * Read a single control binding by surrogate ID.
  *
  * Authorization is namespace-wide: the binding's target identifiers
- * are not forwarded to the upstream because they are only discoverable
- * after the row is loaded, and ``require_operation`` is single-pass.
+ * are not available until after the row is loaded.
  * Callers whose authorization model requires per-target permissions
  * should use the natural-key endpoints (``PUT /by-key``,
  * ``POST /by-key:delete``) and the target-filtered list endpoint, all
- * of which forward ``(target_type, target_id)`` to the authorizer.
+ * of which include ``(target_type, target_id)`` in the request context.
  */
 export function controlBindingsGet(
   client: AgentControlSDKCore,

sdks/typescript/src/generated/funcs/control-bindings-list.ts

@@ -35,8 +35,7 @@ import { Result } from "../types/fp.js";
  * cursor-based pagination. Bindings are ordered by ID descending
  * (newest first). The cursor is opaque to clients: pass back the
  * ``next_cursor`` value verbatim to fetch the following page. The
- * storage namespace is resolved by ``get_namespace_key`` so this
- * listing stays in lockstep with the rest of the server's reads.
+ * storage namespace is resolved from the authenticated request.
  */
 export function controlBindingsList(
   client: AgentControlSDKCore,

sdks/typescript/src/generated/funcs/control-bindings-update.ts

@@ -36,7 +36,7 @@ import { Result } from "../types/fp.js";
  * See the GET-by-id docstring for the authorization scope: this route
  * is namespace-wide because the target identifiers are not available
  * before the binding is loaded. Use ``PUT /by-key`` for target-scoped
- * upserts that forward the target to the authorizer.
+ * upserts that include the target in the request context.
  */
 export function controlBindingsUpdate(
   client: AgentControlSDKCore,

sdks/typescript/src/generated/sdk/agents.ts

@@ -39,7 +39,7 @@ export class Agents extends ClientSDK {
    *     limit: Pagination limit (default 20, max 100)
    *     name: Optional name filter (case-insensitive partial match)
    *     db: Database session (injected)
-   *     namespace_key: Resolved namespace for the request
+   *     principal: Authorized request principal
    *
    * Returns:
    *     ListAgentsResponse with agent summaries and pagination info
@@ -80,6 +80,7 @@ export class Agents extends ClientSDK {
    * Args:
    *     request: Agent metadata and step schemas
    *     db: Database session (injected)
+   *     principal: Authorized request principal
    *
    * Returns:
    *     InitAgentResponse with created flag and the effective controls
@@ -106,8 +107,7 @@ export class Agents extends ClientSDK {
    * Args:
    *     agent_name: Agent identifier
    *     db: Database session (injected)
-   *     namespace_key: Resolved namespace; agents in another namespace
-   *         return 404 (non-disclosing).
+   *     principal: Authorized request principal
    *
    * Returns:
    *     GetAgentResponse with agent metadata and step list
@@ -140,6 +140,7 @@ export class Agents extends ClientSDK {
    *     agent_name: Agent identifier
    *     request: Lists of step/evaluator identifiers to remove
    *     db: Database session (injected)
+   *     principal: Authorized request principal
    *
    * Returns:
    *     PatchAgentResponse with lists of actually removed items
@@ -185,7 +186,7 @@ export class Agents extends ClientSDK {
    *     target_type: Optional opaque target kind (paired with target_id)
    *     target_id: Optional opaque target identifier (paired with target_type)
    *     db: Database session (injected)
-   *     namespace_key: Namespace scoping for the resolution (injected)
+   *     principal: Authorized request principal
    *
    * Returns:
    *     AgentControlsResponse with controls matching the requested state filters
@@ -256,8 +257,7 @@ export class Agents extends ClientSDK {
    *     cursor: Optional cursor for pagination (name of last evaluator from previous page)
    *     limit: Pagination limit (default 20, max 100)
    *     db: Database session (injected)
-   *     namespace_key: Resolved namespace; agents in another namespace
-   *         return 404 (non-disclosing).
+   *     principal: Authorized request principal
    *
    * Returns:
    *     ListEvaluatorsResponse with evaluator schemas and pagination
@@ -287,8 +287,7 @@ export class Agents extends ClientSDK {
    *     agent_name: Agent identifier
    *     evaluator_name: Name of the evaluator
    *     db: Database session (injected)
-   *     namespace_key: Resolved namespace; agents in another namespace
-   *         return 404 (non-disclosing).
+   *     principal: Authorized request principal
    *
    * Returns:
    *     EvaluatorSchemaItem with schema details

sdks/typescript/src/generated/sdk/auth.ts

@@ -14,11 +14,10 @@ export class Auth extends ClientSDK {
    * @remarks
    * Mint a short-lived runtime token for the requested target.
    *
-   * The caller's credential is authenticated and authorized by the
-   * installed default authorizer; the resulting :class:`Principal`
-   * supplies the actor identity and (when the upstream surfaces it)
-   * the grant scopes and expiry. This endpoint then mints a local HS256
-   * token whose lifetime cannot outlive the upstream grant.
+   * The caller's credential is authenticated and authorized before the
+   * resolved principal supplies the actor identity, grant scopes, and
+   * expiry. This endpoint then mints a local HS256 token whose lifetime
+   * cannot outlive the grant.
    *
    * Runtime auth must be enabled via
    * ``AGENT_CONTROL_RUNTIME_TOKEN_SECRET``; otherwise the endpoint

sdks/typescript/src/generated/sdk/control-bindings.ts

@@ -23,8 +23,7 @@ export class ControlBindings extends ClientSDK {
    * cursor-based pagination. Bindings are ordered by ID descending
    * (newest first). The cursor is opaque to clients: pass back the
    * ``next_cursor`` value verbatim to fetch the following page. The
-   * storage namespace is resolved by ``get_namespace_key`` so this
-   * listing stays in lockstep with the rest of the server's reads.
+   * storage namespace is resolved from the authenticated request.
    */
   async list(
     request?:
@@ -45,12 +44,8 @@ export class ControlBindings extends ClientSDK {
    * @remarks
    * Attach a control to an opaque external target.
    *
-   * Each binding row is scoped to the request namespace as resolved by
-   * ``get_namespace_key``. The auth chain still runs via
-   * ``require_operation`` for authentication and authorization, but the
-   * storage namespace is taken from the same resolver the rest of the
-   * server uses so binding writes and runtime reads stay in lockstep
-   * until auth-derived namespace resolution lands across every endpoint.
+   * Each binding row is scoped to the namespace associated with the
+   * authenticated request.
    */
   async create(
     request: models.CreateControlBindingRequest,
@@ -109,7 +104,7 @@ export class ControlBindings extends ClientSDK {
    * See the GET-by-id docstring for the authorization scope: this route
    * is namespace-wide because the target identifiers are not available
    * before the binding is loaded. Use ``POST /by-key:delete`` for
-   * target-scoped detach that forwards the target to the authorizer.
+   * target-scoped detach that includes the target in the request context.
    */
   async delete(
     request:
@@ -130,12 +125,11 @@ export class ControlBindings extends ClientSDK {
    * Read a single control binding by surrogate ID.
    *
    * Authorization is namespace-wide: the binding's target identifiers
-   * are not forwarded to the upstream because they are only discoverable
-   * after the row is loaded, and ``require_operation`` is single-pass.
+   * are not available until after the row is loaded.
    * Callers whose authorization model requires per-target permissions
    * should use the natural-key endpoints (``PUT /by-key``,
    * ``POST /by-key:delete``) and the target-filtered list endpoint, all
-   * of which forward ``(target_type, target_id)`` to the authorizer.
+   * of which include ``(target_type, target_id)`` in the request context.
    */
   async get(
     request:
@@ -158,7 +152,7 @@ export class ControlBindings extends ClientSDK {
    * See the GET-by-id docstring for the authorization scope: this route
    * is namespace-wide because the target identifiers are not available
    * before the binding is loaded. Use ``PUT /by-key`` for target-scoped
-   * upserts that forward the target to the authorizer.
+   * upserts that include the target in the request context.
    */
   async update(
     request:

server/src/agent_control_server/auth_framework/__init__.py

@@ -2,10 +2,9 @@
 
 Endpoints declare an :class:`Operation` they need; an installed
 :class:`RequestAuthorizer` decides whether the request is allowed and
-returns the resulting :class:`Principal`. Two providers ship in-tree:
-:class:`HeaderAuthProvider` (uses local credential checks) and
-:class:`HttpUpstreamAuthProvider` (delegates to a configurable
-upstream HTTP service).
+returns the resulting :class:`Principal`. Providers ship in-tree for
+disabled auth, local credential checks, upstream HTTP authorization,
+and local runtime-JWT verification.
 """
 
 from .core import (