feat(server): add control clone-and-bind endpoint#229
Conversation
Codecov Report❌ Patch coverage is
📢 Thoughts on this report? Let us know! |
abhinav-galileo
force-pushed
the
feature/control-clone-and-bind
branch
4 times, most recently
from
a9266d5 to
4f47fd7
Compare
abhinav-galileo
force-pushed
the
feature/control-clone-and-bind
branch
4 times, most recently
from
749be08 to
7dcc23f
Compare
abhinav-galileo
force-pushed
the
feature/control-clone-and-bind
branch
from
7dcc23f to
831e8ce
Compare
abhinav-galileo
force-pushed
the
feature/control-clone-and-bind
branch
from
b1f5e2b to
58d9e14
Compare
Jw, why does it need to be inside transaction? We could do this via several API calls without making new ones right? |
Yes, this could be done with individual APIs, but that path would need a small refactor to preserve clone lineage consistently. This endpoint is mainly a transactional convenience API for the UI: clone + bind is one user action, and keeping it server-side avoids partial state and client-side cleanup logic if the bind step fails. |
## [2.6.0](ts-sdk-v2.5.0...ts-sdk-v2.6.0) (2026-05-28) ### Features * **evaluators:** add new lluna client ([#213](#213)) ([f65beb9](f65beb9)) * **sdk:** add otel support ([#177](#177)) ([9530368](9530368)) * **sdk:** add runtime token auth ([#215](#215)) ([6cc0f38](6cc0f38)) * **server:** add control clone-and-bind endpoint ([#229](#229)) ([1728bf9](1728bf9)) * **server:** add runtime auth and namespace scoping ([#214](#214)) ([56e44fe](56e44fe)) * **server:** allow host-owned logging setup ([#227](#227)) ([c0fd159](c0fd159)) * **server:** bundle migrations in wheel and add agent-control-migrate ([#209](#209)) ([8c5c35e](8c5c35e)) * **server:** migrate controls routes to auth framework ([#212](#212)) ([764bd4b](764bd4b)) ### Bug Fixes * **examples:** declare local SDK workspace deps ([#222](#222)) ([d22aa1d](d22aa1d)) * **sdk:** Get trace context from provider ([#211](#211)) ([1efe30f](1efe30f)) * **sdk-ts:** normalize generated client ([#231](#231)) ([1c097d2](1c097d2)) * **server:** make observability migration retry-safe ([#226](#226)) ([b9dd00d](b9dd00d)) * **server:** prevent migration lock transactions ([#224](#224)) ([e65a2f4](e65a2f4)) * **server:** scope auth upstream CA to HTTP provider ([#232](#232)) ([7a0ce21](7a0ce21)) * **ui:** fix editing of controls in the UI ([#218](#218)) ([981e33d](981e33d)), closes [#Risk](https://github.com/agentcontrol/agent-control/issues/Risk)
|
🎉 This PR is included in version 2.6.0 🎉 The release is available on: Your semantic-release bot 📦🚀 |
4 participants
Summary
controls.cloned_from_control_idpluscloned=true|falsefiltering onGET /api/v1/controls.POST /api/v1/controls/{control_id}/clone-and-bindto clone an active control and create a target binding in one transaction.GET /api/v1/controlsfor direct agents, policies, and target bindings, including each control'saction.attachment_target_type/attachment_target_idfilters before list pagination, so callers can list controls attached to a specific target.PATCH /api/v1/control-bindings/by-keyso target-scoped callers can enable or disable an existing binding without knowing the binding ID.AUTH_UPSTREAM_REJECTEDinstead of reporting them as local auth misconfiguration.Usage
Clone a control and bind the clone to a target:
{ "name": "optional-clone-name", "target_binding": { "target_type": "environment", "target_id": "prod", "enabled": true } }{ "id": 42, "name": "optional-clone-name", "cloned_from_control_id": 7, "binding_id": 99 }List root controls or cloned controls:
List controls with page-scoped attachment details:
List controls attached to a specific target:
When target filters are provided, the control list is filtered before pagination, and each returned control's
attachments.targetsis filtered to the same target.Each expanded control includes the normal control details,
action, and optional attachments:{ "id": 42, "name": "example-control", "description": "Example control", "action": { "decision": "deny", "steering_context": null }, "attachments": { "agents": [{ "agent_name": "example-agent" }], "policies": [{ "policy_id": 42 }], "targets": [ { "binding_id": 123, "target_type": "environment", "target_id": "prod", "enabled": true } ] } }Enable or disable an existing target binding by natural key:
{ "target_type": "environment", "target_id": "prod", "control_id": 42, "enabled": false }{ "success": true, "enabled": false }This PATCH route updates only existing bindings. It returns
CONTROL_BINDING_NOT_FOUNDinstead of creating a missing binding.For full target-binding pagination/filtering, callers can continue using
GET /api/v1/control-bindings.Validation
make models-testmake server-testmake sdk-testuv run --package agent-control-models ruff check --config pyproject.toml models/srcuv run --package agent-control-server ruff check --config pyproject.toml server/srcuv run --package agent-control ruff check --config pyproject.toml sdks/python/srcuv run --package agent-control-models mypy --config-file pyproject.toml models/srcuv run --package agent-control-server mypy --config-file pyproject.toml server/srcuv run --package agent-control mypy --config-file pyproject.toml sdks/python/srcmake sdk-ts-typecheckmake sdk-ts-name-checkmake sdk-ts-generate-check