feat: regenerate controlplane client with DrivePermission types (ENG-2761) #176

Closed
devin-ai-integration[bot] wants to merge 5 commits into main from cdrappier/devin/update-drive-permissions-types

@devin-ai-integration

@devin-ai-integration devin-ai-integration Bot commented Jun 24, 2026

Contributor

Summary

Regenerates the controlplane API client from the updated OpenAPI spec on main, following the merge of controlplane#4582 (ENG-2761 per-drive ACL enforcement).

New generated types:

  • DrivePermission — permission entry on DriveSpec.permissions controlling which workloads can access a drive
  • DrivePermissionLabels — label selector for workload matching (AND semantics)
  • DrivePermissionMode — enum for access mode (ro / rw)

Also picks up other spec changes (Application CRUD endpoints, CustomDomainSpec updates, etc.) and applies repo-wide ruff format + ruff check --fix.

Link to Devin session: https://app.devin.ai/sessions/b02184131e02423089176e050314e167
Requested by: @drappier-charles


Note

New commit replaces raw httpx usage in the drive ACL integration test with the generated update_drive API client, addressing a code quality concern. The previously flagged drive_spec.py permissions deserialization issue remains unchanged.

Written by Mendral for commit bdde339.

…2761)

Co-Authored-By: Devin AI <158243242+devin-ai-integration[bot]@users.noreply.github.com>
@devin-ai-integration

Contributor Author

🤖 Devin AI Engineer

I'll be helping with this pull request! Here's what you should know:

✅ I will automatically:

  • Address comments on this PR that start with 'DevinAI' or '@devin'.
  • Look at CI failures and help fix them

Note: I can only respond to comments from users who have write access to this repository.

⚙️ Control Options:

  • Disable automatic comment, CI, and merge conflict monitoring

@mendral-app

mendral-app Bot commented Jun 24, 2026

Contributor

✅ Linked to Linear issue ENG-2761 — status already In Progress, PR attached to issue.

Note

Posted by Linear Issue Enforcer · Tag @mendral-app with feedback.

@mendral-app

mendral-app Bot commented Jun 24, 2026

Contributor

🔀 Component Interaction Diagram

This PR regenerates the controlplane client, introducing Drive Permission types (ENG-2761) and Application CRUD endpoints. Here's how the new components interact:

sequenceDiagram
    participant SDK as SDK User
    participant Client as API Client
    participant AppAPI as applications/ API
    participant DriveAPI as drives/ API
    participant Models as models/

    Note over SDK, Models: Drive Permissions Flow (ENG-2761)
    SDK->>Client: Configure drive access
    Client->>DriveAPI: PUT /drives/{id} (DriveSpec)
    DriveAPI->>Models: DriveSpec.permissions[]
    Models->>Models: DrivePermission(labels, mode, path)
    Models->>Models: DrivePermissionLabels (AND match)
    Models->>Models: DrivePermissionMode (ro/rw)
    DriveAPI-->>Client: Drive with ACL applied

    Note over SDK, Models: Application CRUD Flow (new)
    SDK->>Client: Manage applications
    Client->>AppAPI: POST /applications (create)
    AppAPI->>Models: Application + ApplicationSpec
    Models->>Models: AppRevision + AppRevisionConfiguration
    AppAPI-->>Client: Application (with AppUrl)
    Client->>AppAPI: GET /applications (list, paginate)
    AppAPI->>Models: ApplicationList + ListApplicationsAnchor/Sort
    AppAPI-->>Client: Paginated results
    Client->>AppAPI: GET /applications/{id}/revisions
    AppAPI-->>Client: AppRevision[]

    Note over SDK, Models: Custom Domain Updates
    SDK->>Client: Create custom domain
    Client->>AppAPI: POST custom domain
    AppAPI->>Models: CustomDomainSpec + SubjectAlternativeNamesItem
    AppAPI-->>Client: Domain configured

Summary of Key Flows

| Area | What's New |
| --- | --- |
| Drive Permissions | DriveSpec now holds up to 3 DrivePermission entries. Each permission uses label-based workload matching (AND semantics) with ro/rw access modes and optional path scoping. Empty permissions = open access. |
| Application CRUD | Full lifecycle API: create, get, list (with pagination/sorting), update, delete. Supports revision tracking and custom domain binding. |
| Custom Domains | CustomDomainSpec updated with Subject Alternative Names (replaces old subdomain model). |

📝 Note: This is a generated client regeneration (42 files, +3217/-732). Changes are primarily auto-generated types and endpoints from the updated OpenAPI spec, plus repo-wide ruff formatting.

Note

Posted by PR Sequence Diagram · Tag @mendral-app with feedback.

Co-Authored-By: Devin AI <158243242+devin-ai-integration[bot]@users.noreply.github.com>
mendral-app[bot]

This comment was marked as outdated.

Co-Authored-By: Devin AI <158243242+devin-ai-integration[bot]@users.noreply.github.com>
@devin-ai-integration

Contributor Author

Re: the permissions initialized to [] instead of UNSET — this is a systemic pattern across all generated list fields (ports, revisions, volumes, etc.). The openapi-python-client generator always initializes lists to [] outside the UNSET guard in from_dict. Manually editing drive_spec.py would be overwritten on the next regeneration. The proper fix belongs in the Jinja template (list_property.py.jinja). Not addressing in this PR since it affects all generated models equally.
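
The deserialization pattern discussed in the comment above, sketched as an added example (not code from this PR, the generated client, or openapi-python-client). `DriveSpecSketch`, its `size` field, the `Unset` stand-in and both parser names are hypothetical, and the payloads are constructed. It shows a list defaulted to `[]` outside the UNSET guard turning an absent `permissions` key into an explicit empty list on a round trip, next to a guarded parse that keeps it absent.

```python
from dataclasses import dataclass
from typing import Any, Union

class Unset:
    """Stand-in sentinel meaning 'key was absent from the payload'."""
    def __bool__(self) -> bool:
        return False

UNSET = Unset()

@dataclass
class DriveSpecSketch:
    """Hypothetical two-field model, not the generated DriveSpec."""
    size: Union[Unset, int] = UNSET
    permissions: Union[Unset, list[dict[str, Any]]] = UNSET

    def to_dict(self) -> dict[str, Any]:
        out: dict[str, Any] = {}
        if not isinstance(self.size, Unset):
            out["size"] = self.size
        if not isinstance(self.permissions, Unset):  # only absent fields are omitted
            out["permissions"] = [dict(p) for p in self.permissions]
        return out

    @classmethod
    def from_dict_list_outside_guard(cls, src: dict[str, Any]) -> "DriveSpecSketch":
        d = dict(src)
        permissions = []  # list exists before absence is checked
        _permissions = d.pop("permissions", UNSET)
        for item in _permissions or []:
            permissions.append(dict(item))
        return cls(size=d.pop("size", UNSET), permissions=permissions)

    @classmethod
    def from_dict_guarded(cls, src: dict[str, Any]) -> "DriveSpecSketch":
        d = dict(src)
        _permissions = d.pop("permissions", UNSET)
        permissions: Union[Unset, list[dict[str, Any]]] = UNSET
        if not isinstance(_permissions, Unset):  # build the list only if the key was sent
            permissions = [dict(item) for item in _permissions]
        return cls(size=d.pop("size", UNSET), permissions=permissions)

# Constructed payloads: key absent, explicitly empty, and one ACL entry.
ABSENT = {"size": 10}
EXPLICIT_EMPTY = {"size": 10, "permissions": []}
WITH_ACL = {"size": 10, "permissions": [{"labels": {"app": "my-agent"}, "mode": "ro", "path": "/data"}]}

def round_trip(parse, payload: dict[str, Any]) -> dict[str, Any]:
    """Parse a payload and serialize it again, as a read-modify-write caller would."""
    return parse(payload).to_dict()
```

A round-trip assertion like the ones this sketch supports is a cheap regression check to run against generated models after a template change.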

mendral-app[bot]

This comment was marked as outdated.

@mendral-app

mendral-app Bot commented Jun 24, 2026

Contributor

🧪 Testing Guide

What this PR addresses

Regenerates the controlplane API client from the updated OpenAPI spec to add per-drive ACL enforcement (ENG-2761) and Application CRUD support. Key additions:

  • DrivePermission, DrivePermissionLabels, DrivePermissionMode — control which workloads can access a drive based on label matching and access mode (ro/rw)
  • DriveSpec.permissions field enabling ACL on individual drives
  • Full Application lifecycle types and endpoints (Application, ApplicationSpec, AppRevision, etc.)
  • New integration test suite for drive ACL scenarios

Steps to reproduce / exercise the new behavior

Since this is primarily generated client code + a new test suite, focus on:

  1. Run the new drive ACL integration tests:

    pytest tests/integration/core/sandbox/test_drive_acl.py -v

    This exercises: open-access drives, label-match/mismatch, read-only enforcement, multiple permissions (OR logic), AND logic within a single permission, path scoping, permission updates, and wildcard matching.

  2. Run existing integration tests to verify no regressions:

    pytest tests/integration/ -v

  3. Verify model imports work correctly:

    from blaxel.core.client.models import (
        DrivePermission,
        DrivePermissionLabels,
        DrivePermissionMode,
        Application,
        ApplicationSpec,
        AppRevision,
    )

  4. Spot-check generated model behavior:

    from blaxel.core.client.models import DrivePermission, DrivePermissionMode, DrivePermissionLabels
    
    perm = DrivePermission(
        labels=DrivePermissionLabels.from_dict({"app": "my-agent"}),
        mode=DrivePermissionMode.READ_WRITE,
        path="/data",
    )
    assert perm.to_dict()["mode"] == "rw"

What to verify (expected behavior)

  • ✅ All existing tests pass without modification (formatting-only changes to test files are cosmetic)
  • DriveSpec now accepts an optional permissions list (max 3); when unset/empty, all workloads retain access (backward-compatible)
  • ✅ New Application API endpoints (create, get, list, update, delete, list_revisions, create_custom_domain) are importable and structurally correct
  • DrivePermissionMode enum maps to ro and rw string values
  • ✅ The new test_drive_acl.py integration test covers the full ACL matrix (open access, label match/mismatch, read-only, OR/AND logic, path scoping, updates, wildcards)
  • ✅ No removed public exports — CustomDomainSubdomain removal is intentional per spec update

Note

Posted by PR Testing Guide · Tag @mendral-app with feedback.

Replace manual test with proper pytest integration test in
tests/integration/core/sandbox/test_drive_acl.py following the existing
TestDriveOperations pattern. Covers all 9 ACL scenarios: open-access,
label-match, label-mismatch, read-only, OR logic, AND logic, path
scoping, update permissions, and wildcard permission.

Co-Authored-By: Devin AI <158243242+devin-ai-integration[bot]@users.noreply.github.com>
mendral-app[bot]

This comment was marked as outdated.

Co-Authored-By: Devin AI <158243242+devin-ai-integration[bot]@users.noreply.github.com>

@mendral-app mendral-app Bot left a comment

Contributor

Needs attention

The new commit is a small, correct improvement to the test. The import and usage of the generated client are valid. The previous comment on drive_spec.py:77 (permissions initialized to [] instead of UNSET) remains unaddressed — acknowledged by the PR description as a known generator issue left intentionally.

Tag @mendral-app with feedback or questions. View session

@drappier-charles drappier-charles deleted the cdrappier/devin/update-drive-permissions-types branch June 24, 2026 21:06