feat: organization session policy SDK methods

[srinivaskarre-sk]

Summary

• Adds get_organization_session_policy and update_organization_session_policy methods to OrganizationClient
• Imports and exposes OrganizationSessionPolicySettings, SessionPolicySource, and TimeUnit from generated proto stubs
• Regenerates gRPC stubs from local proto sources
• Adds generate-local Makefile target

Test plan

• make lint passes
• Verify get_organization_session_policy returns current policy for an org
• Verify update_organization_session_policy with SessionPolicySource.CUSTOM applies custom timeouts
• Verify update_organization_session_policy with SessionPolicySource.APPLICATION reverts to defaults

Summary by CodeRabbit

• New Features

  • Organization session policy management: view, set custom session policies (absolute and idle timeouts), and revert to application defaults.

• Tests

  • Added end-to-end tests validating session policy defaults, custom settings, revert behavior, and idle-timeout handling.

• Chores

  • Build/tooling: added local proto generation support and updated VCS ignores to skip local proto artifacts.

[coderabbitai]

Note

Reviews paused

It looks like this branch is under active development. To avoid overwhelming you with review comments due to an influx of new commits, CodeRabbit has automatically paused this review. You can configure this behavior by changing the reviews.auto_review.auto_pause_after_reviewed_commits setting.

Use the following commands to manage reviews:

• @coderabbitai resume to resume automatic reviews.
• @coderabbitai review to trigger a single review.

Use the checkboxes below for quick actions:

• ▶️ Resume reviews
• 🔍 Trigger review

Walkthrough

Adds OrganizationClient methods to get and update organization session policies (including optional absolute and idle timeout fields), a test suite validating default and custom policy behavior, and Makefile/gitignore updates to support generating protos from a local repository.

Changes

Organization Session Policy Management

Layer / File(s)	Summary
OrganizationClient session policy methods scalekit/organization.py	Imports session policy protobuf types and adds get_organization_session_policy() and update_organization_session_policy() methods; update conditionally populates absolute and idle timeout fields using protobuf wrapper types.
Session policy integration tests tests/test_organization_session_policy.py	Adds TestOrganizationSessionPolicy suite: setup/teardown create/delete org, asserts default APPLICATION policy, sets CUSTOM with timeouts, reverts to APPLICATION, and tests disabling idle timeout.

Local Proto Generation Support

Layer / File(s)	Summary
Local proto generation & build configuration Makefile, .gitignore	Adds LOCAL_PROTO_REPO and generate-local Makefile target that runs buf generate against a local proto checkout with failure rollback and cleanup; updates .gitignore to ignore proto/.

Sequence Diagram

sequenceDiagram
  participant Client
  participant OrganizationClient
  participant OrganizationService
  Client->>OrganizationClient: get_organization_session_policy(org_id)
  OrganizationClient->>OrganizationService: GetOrganizationSessionPolicy RPC
  OrganizationService-->>OrganizationClient: OrganizationSessionPolicySettings
  OrganizationClient-->>Client: policy (source, timeouts)
  Client->>OrganizationClient: update_organization_session_policy(org_id, CUSTOM, timeouts)
  OrganizationClient->>OrganizationService: UpdateOrganizationSessionPolicy RPC
  OrganizationService-->>OrganizationClient: updated settings
  OrganizationClient-->>Client: updated policy

Loading

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20 minutes

Poem

🐰 I hopped through code to tweak a rule,
Policies now bend to custom tool,
Timeouts set and defaults restored,
Proto builds local, traps ignored,
A tiny rabbit dances, changelog ruled.

🚥 Pre-merge checks | ✅ 4 | ❌ 1

❌ Failed checks (1 warning)

Check name	Status	Explanation	Resolution
Docstring Coverage	⚠️ Warning	Docstring coverage is 26.60% which is insufficient. The required threshold is 80.00%.	Write docstrings for the functions missing them to satisfy the coverage threshold.

✅ Passed checks (4 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title 'feat: organization session policy SDK methods' clearly and directly summarizes the main change: adding organization session policy SDK methods to the client.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch b_org_session_policy_v1

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

🧹 Nitpick comments (3)

Makefile (1)

113-129: ⚡ Quick win

Extract generate-local body into a helper to reduce drift and lint noise.

This recipe is long and duplicates flow already present in generate; factoring it out improves maintainability and addresses the checkmake warning.

♻️ Suggested direction

-generate-local: tools-check
-	`@echo` "Using local proto sources from $(LOCAL_PROTO_REPO)..."
-	`@set` -euo pipefail; \
-	... \
-	$(MAKE) cleanup
-	`@echo` "Code generation complete."
+generate-local: tools-check
+	@./scripts/generate-local.sh "$(LOCAL_PROTO_REPO)" "$(TEMP_DIR)" "$(SCALEKIT_DIR)"

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@Makefile` around lines 113 - 129, Extract the long recipe body from the
generate-local target into a shared helper target (e.g., generate_local_helper
or generate_common_generate) and have generate-local simply invoke that helper;
move the shell block that sets prepared, rollback_if_needed(), trap, calls to
$(MAKE) prepare/restore/generate_init_files/cleanup, and the buf generate
$(LOCAL_PROTO_REPO) --include-imports line into the helper so both generate and
generate-local can call it, preserving use of variables TEMP_DIR, SCALEKIT_DIR,
LOCAL_PROTO_REPO and the exact control flow (prepared flag, trap, rsync
rollback) to avoid behavioral changes and to satisfy the lint/checkmake rule.

tests/test_organization_session_policy.py (1)

71-77: ⚡ Quick win

Revert test should verify persisted state with a follow-up fetch.

Line 71–77 currently validates only the immediate update response. Add a get_organization_session_policy assertion after revert to confirm the stored policy source is actually APPLICATION.

Suggested test hardening

         reverted = self.scalekit_client.organization.update_organization_session_policy(
             organization_id=org_id,
             policy_source=SessionPolicyType.APPLICATION,
         )

         self.assertIsNotNone(reverted)
         self.assertEqual(reverted.policy_source, SessionPolicyType.APPLICATION)
+        fetched = self.scalekit_client.organization.get_organization_session_policy(
+            organization_id=org_id
+        )
+        self.assertEqual(fetched.policy_source, SessionPolicyType.APPLICATION)

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@tests/test_organization_session_policy.py` around lines 71 - 77, The test
currently asserts only the immediate response from
scalekit_client.organization.update_organization_session_policy (reverted) but
does not verify persisted state; after calling
update_organization_session_policy with
policy_source=SessionPolicyType.APPLICATION, call
scalekit_client.organization.get_organization_session_policy(org_id) and assert
the returned policy_source equals SessionPolicyType.APPLICATION to confirm
persistence; keep the existing reverted assertions and add the additional fetch
+ assertion using the same org_id and SessionPolicyType.APPLICATION.

scalekit/organization.py (1)

243-297: ⚡ Quick win

Add client-side validation for incompatible policy arguments.

Line 273 onward builds requests even for inconsistent combinations (e.g., timeout value without unit, or custom timeout fields with SessionPolicyType.APPLICATION). Guarding these in the SDK improves error clarity and prevents avoidable bad requests.

Proposed validation patch

     def update_organization_session_policy(
         self,
         organization_id: str,
         policy_source: SessionPolicyType,
         absolute_session_timeout: Optional[int] = None,
         absolute_session_timeout_unit: Optional[TimeUnit] = None,
         idle_session_timeout_enabled: Optional[bool] = None,
         idle_session_timeout: Optional[int] = None,
         idle_session_timeout_unit: Optional[TimeUnit] = None,
     ) -> OrganizationSessionPolicySettings:
@@
+        if absolute_session_timeout is not None and absolute_session_timeout_unit is None:
+            raise ValueError("absolute_session_timeout_unit is required when absolute_session_timeout is provided")
+        if idle_session_timeout is not None and idle_session_timeout_unit is None:
+            raise ValueError("idle_session_timeout_unit is required when idle_session_timeout is provided")
+        if policy_source == SessionPolicyType.APPLICATION and any(
+            v is not None
+            for v in (
+                absolute_session_timeout,
+                absolute_session_timeout_unit,
+                idle_session_timeout_enabled,
+                idle_session_timeout,
+                idle_session_timeout_unit,
+            )
+        ):
+            raise ValueError("Do not pass custom timeout fields when policy_source is APPLICATION")
+
         req = UpdateOrganizationSessionPolicyRequest(
             organization_id=organization_id,
             policy_source=policy_source,
         )

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@scalekit/organization.py` around lines 243 - 297, The
update_organization_session_policy method currently builds requests for
inconsistent argument combinations; add client-side validation in
update_organization_session_policy to (1) reject any custom timeout fields
(absolute_session_timeout, absolute_session_timeout_unit,
idle_session_timeout_enabled, idle_session_timeout, idle_session_timeout_unit)
when policy_source == SessionPolicyType.APPLICATION, (2) require that an
absolute timeout value and absolute_session_timeout_unit are provided together
(if one is set the other must be set), and (3) require that idle_session_timeout
and idle_session_timeout_unit are provided together (and treat
idle_session_timeout_enabled as only valid with SessionPolicyType.CUSTOM). When
validation fails, raise a ValueError with a clear message referencing the
offending parameters so callers get immediate, explicit feedback before the gRPC
call.

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Nitpick comments:
In `@Makefile`:
- Around line 113-129: Extract the long recipe body from the generate-local
target into a shared helper target (e.g., generate_local_helper or
generate_common_generate) and have generate-local simply invoke that helper;
move the shell block that sets prepared, rollback_if_needed(), trap, calls to
$(MAKE) prepare/restore/generate_init_files/cleanup, and the buf generate
$(LOCAL_PROTO_REPO) --include-imports line into the helper so both generate and
generate-local can call it, preserving use of variables TEMP_DIR, SCALEKIT_DIR,
LOCAL_PROTO_REPO and the exact control flow (prepared flag, trap, rsync
rollback) to avoid behavioral changes and to satisfy the lint/checkmake rule.

In `@scalekit/organization.py`:
- Around line 243-297: The update_organization_session_policy method currently
builds requests for inconsistent argument combinations; add client-side
validation in update_organization_session_policy to (1) reject any custom
timeout fields (absolute_session_timeout, absolute_session_timeout_unit,
idle_session_timeout_enabled, idle_session_timeout, idle_session_timeout_unit)
when policy_source == SessionPolicyType.APPLICATION, (2) require that an
absolute timeout value and absolute_session_timeout_unit are provided together
(if one is set the other must be set), and (3) require that idle_session_timeout
and idle_session_timeout_unit are provided together (and treat
idle_session_timeout_enabled as only valid with SessionPolicyType.CUSTOM). When
validation fails, raise a ValueError with a clear message referencing the
offending parameters so callers get immediate, explicit feedback before the gRPC
call.

In `@tests/test_organization_session_policy.py`:
- Around line 71-77: The test currently asserts only the immediate response from
scalekit_client.organization.update_organization_session_policy (reverted) but
does not verify persisted state; after calling
update_organization_session_policy with
policy_source=SessionPolicyType.APPLICATION, call
scalekit_client.organization.get_organization_session_policy(org_id) and assert
the returned policy_source equals SessionPolicyType.APPLICATION to confirm
persistence; keep the existing reverted assertions and add the additional fetch
+ assertion using the same org_id and SessionPolicyType.APPLICATION.

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: db36111b-635c-4b82-85a9-7bd13b89e209

📥 Commits

Reviewing files that changed from the base of the PR and between 67e7171 and bdcae9c.

📒 Files selected for processing (36)

• .gitignore
• Makefile
• scalekit/organization.py
• scalekit/v1/agentkit_logs/__init__.py
• scalekit/v1/agentkit_logs/agentkit_analytics_pb2.py
• scalekit/v1/agentkit_logs/agentkit_analytics_pb2.pyi
• scalekit/v1/agentkit_logs/agentkit_analytics_pb2_grpc.py
• scalekit/v1/agentkit_logs/agentkit_logs_pb2.py
• scalekit/v1/agentkit_logs/agentkit_logs_pb2.pyi
• scalekit/v1/agentkit_logs/agentkit_logs_pb2_grpc.py
• scalekit/v1/auth/auth_pb2.py
• scalekit/v1/auth/auth_pb2.pyi
• scalekit/v1/clients/clients_pb2.py
• scalekit/v1/clients/clients_pb2.pyi
• scalekit/v1/commons/commons_pb2.py
• scalekit/v1/commons/commons_pb2.pyi
• scalekit/v1/connected_accounts/connected_accounts_pb2.py
• scalekit/v1/connected_accounts/connected_accounts_pb2.pyi
• scalekit/v1/connected_accounts/connected_accounts_pb2_grpc.py
• scalekit/v1/connections/connections_pb2.py
• scalekit/v1/connections/connections_pb2.pyi
• scalekit/v1/domains/domains_pb2.py
• scalekit/v1/domains/domains_pb2.pyi
• scalekit/v1/domains/domains_pb2_grpc.py
• scalekit/v1/environments/environments_pb2.py
• scalekit/v1/environments/environments_pb2.pyi
• scalekit/v1/options/options_pb2.py
• scalekit/v1/options/options_pb2.pyi
• scalekit/v1/organizations/organizations_pb2.py
• scalekit/v1/organizations/organizations_pb2.pyi
• scalekit/v1/organizations/organizations_pb2_grpc.py
• scalekit/v1/providers/providers_pb2.py
• scalekit/v1/providers/providers_pb2.pyi
• scalekit/v1/tools/tools_pb2.py
• scalekit/v1/tools/tools_pb2.pyi
• tests/test_organization_session_policy.py

[srinivaskarre-sk]

@coderabbitai full review

[coderabbitai]

✅ Actions performed

Full review triggered.

[coderabbitai]

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@Makefile`:
- Around line 113-129: The generate-local target's failure rollback
(rollback_if_needed) only restores $(SCALEKIT_DIR) and leaves $(TEMP_DIR) and
intermediate generated directories behind; update rollback_if_needed (and the
EXIT trap handling) so that on failure it also deletes $(TEMP_DIR) and any
intermediate generated output directories created during buf generate, and
ensure the trap is removed or prepared reset on successful completion (after
prepare/restore/generate_init_files/cleanup) so cleanup isn't skipped; reference
the generate-local target, rollback_if_needed function, TEMP_DIR, SCALEKIT_DIR,
the trap 'rollback_if_needed' EXIT, and the existing prepare/restore/cleanup
steps when making the change.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: 119e479d-b7c7-453b-9a94-d8bbd5365815

📥 Commits

Reviewing files that changed from the base of the PR and between 8c84f5b and 2db5d33.

📒 Files selected for processing (2)

• .gitignore
• Makefile

✅ Files skipped from review due to trivial changes (1)

• .gitignore