🤖 Devin AI Engineer

I'll be helping with this pull request! Here's what you should know:

✅ I will automatically:

• Address comments on this PR that start with 'DevinAI' or '@devin'.
• Look at CI failures and help fix them

Note: I can only respond to comments from users who have write access to this repository.

⚙️ Control Options:

• Disable automatic comment, CI, and merge conflict monitoring

✅ Linked to Linear issue ENG-2761 — status already In Progress, PR attached to issue.

🔀 Component Interaction Diagram

This PR regenerates the controlplane client, introducing Drive Permission types (ENG-2761) and Application CRUD endpoints. Here's how the new components interact:

sequenceDiagram
    participant SDK as SDK User
    participant Client as API Client
    participant AppAPI as applications/ API
    participant DriveAPI as drives/ API
    participant Models as models/

    Note over SDK, Models: Drive Permissions Flow (ENG-2761)
    SDK->>Client: Configure drive access
    Client->>DriveAPI: PUT /drives/{id} (DriveSpec)
    DriveAPI->>Models: DriveSpec.permissions[]
    Models->>Models: DrivePermission(labels, mode, path)
    Models->>Models: DrivePermissionLabels (AND match)
    Models->>Models: DrivePermissionMode (ro/rw)
    DriveAPI-->>Client: Drive with ACL applied

    Note over SDK, Models: Application CRUD Flow (new)
    SDK->>Client: Manage applications
    Client->>AppAPI: POST /applications (create)
    AppAPI->>Models: Application + ApplicationSpec
    Models->>Models: AppRevision + AppRevisionConfiguration
    AppAPI-->>Client: Application (with AppUrl)
    Client->>AppAPI: GET /applications (list, paginate)
    AppAPI->>Models: ApplicationList + ListApplicationsAnchor/Sort
    AppAPI-->>Client: Paginated results
    Client->>AppAPI: GET /applications/{id}/revisions
    AppAPI-->>Client: AppRevision[]

    Note over SDK, Models: Custom Domain Updates
    SDK->>Client: Create custom domain
    Client->>AppAPI: POST custom domain
    AppAPI->>Models: CustomDomainSpec + SubjectAlternativeNamesItem
    AppAPI-->>Client: Domain configured

Summary of Key Flows

📝 Note: This is a generated client regeneration (42 files, +3217/-732). Changes are primarily auto-generated types and endpoints from the updated OpenAPI spec, plus repo-wide ruff formatting.

Re: the permissions initialized to [] instead of UNSET — this is a systemic pattern across all generated list fields (ports, revisions, volumes, etc.). The openapi-python-client generator always initializes lists to [] outside the UNSET guard in from_dict. Manually editing drive_spec.py would be overwritten on the next regeneration. The proper fix belongs in the Jinja template (list_property.py.jinja). Not addressing in this PR since it affects all generated models equally.

🧪 Testing Guide

What this PR addresses

Regenerates the controlplane API client from the updated OpenAPI spec to add per-drive ACL enforcement (ENG-2761) and Application CRUD support. Key additions:

• DrivePermission, DrivePermissionLabels, DrivePermissionMode — control which workloads can access a drive based on label matching and access mode (ro/rw)
• DriveSpec.permissions field enabling ACL on individual drives
• Full Application lifecycle types and endpoints (Application, ApplicationSpec, AppRevision, etc.)
• New integration test suite for drive ACL scenarios

Steps to reproduce / exercise the new behavior

Since this is primarily generated client code + a new test suite, focus on:

1. Run the new drive ACL integration tests:

   pytest tests/integration/core/sandbox/test_drive_acl.py -v

   This exercises: open-access drives, label-match/mismatch, read-only enforcement, multiple permissions (OR logic), AND logic within a single permission, path scoping, permission updates, and wildcard matching.

2. Run existing integration tests to verify no regressions:

   pytest tests/integration/ -v

3. Verify model imports work correctly:

   from blaxel.core.client.models import (
       DrivePermission,
       DrivePermissionLabels,
       DrivePermissionMode,
       Application,
       ApplicationSpec,
       AppRevision,
   )

4. Spot-check generated model behavior:

   from blaxel.core.client.models import DrivePermission, DrivePermissionMode, DrivePermissionLabels
   
   perm = DrivePermission(
       labels=DrivePermissionLabels.from_dict({"app": "my-agent"}),
       mode=DrivePermissionMode.READ_WRITE,
       path="/data",
   )
   assert perm.to_dict()["mode"] == "rw"

What to verify (expected behavior)

• ✅ All existing tests pass without modification (formatting-only changes to test files are cosmetic)
• ✅ DriveSpec now accepts an optional permissions list (max 3); when unset/empty, all workloads retain access (backward-compatible)
• ✅ New Application API endpoints (create, get, list, update, delete, list_revisions, create_custom_domain) are importable and structurally correct
• ✅ DrivePermissionMode enum maps to ro and rw string values
• ✅ The new test_drive_acl.py integration test covers the full ACL matrix (open access, label match/mismatch, read-only, OR/AND logic, path scoping, updates, wildcards)
• ✅ No removed public exports — CustomDomainSubdomain removal is intentional per spec update