fix(sdk): skip evaluation when no controls apply

[lan17]

Summary

• Make the SDK evaluation path a true no-op when no enabled control applies to the current step/stage.
• Prefilter both local (execution="sdk") and server (execution="server") controls using the same applicability rules before any evaluation work starts.
• Preserve the existing fail-open behavior for malformed server controls by still deferring those to the server.
• Add regression coverage for disabled and non-matching controls across both local and server execution.

Scope

• User-facing/API changes:
  • If no control applies to a step invocation, the SDK does nothing: no local control engine execution and no POST /api/v1/evaluation request.
• Internal changes:
  • Reuse the SDK control engine's applicability logic to determine whether local or server evaluation should run at all.
  • Extend local-evaluation tests to cover disabled, stage-mismatched, step-type-mismatched, step-name-mismatched, and regex-mismatched controls for both execution modes.
• Out of scope:
  • Server-side evaluation behavior when applicable controls do exist.
  • Broader control loading or caching changes.

Risk and Rollout

• Risk level: low
• Rollback plan:
  • Revert this PR to restore the previous behavior where the SDK entered evaluation as long as local or server controls existed for the agent.

Testing

• Added or updated automated tests
• Ran make check (or explained why not)
  • Ran make test, plus targeted ruff and mypy on the touched SDK files.
• Manually verified behavior

Checklist

• Linked issue/spec (if applicable)
  • Closes Skip evaluation entirely when no controls apply to the current step #123
• Updated docs/examples for user-facing changes
  • Not needed; behavior change is covered by tests.
• Included any required follow-up tasks
  • None.

[codecov]

Codecov Report

✅ All modified and coverable lines are covered by tests.

📢 Thoughts on this report? Let us know!

[namrataghadi-galileo]

for control in controls:
        control_data = control.get("control")
        if not isinstance(control_data, dict):
            _logger.warning(f"Malformed control payload: {control}")
            return True

        if control_data.get("execution") != "server":
            continue

        try:
            control_def = ControlDefinition.model_validate(control_data)
            server_controls.append(
                _ControlAdapter(
                    id=control["id"],
                    name=control["name"],
                    control=control_def,
                )
            )
        except Exception:
            _logger.warning(f"Failed to parse server control: {control}")
            return True

    if not server_controls:
        return False

    return bool(_get_applicable_controls(server_controls, request, context="server"))

[namrataghadi-galileo]

NOTE: Adding server check, to ensure we are looking at server controls. If the intention is to look at both sdk as well as server controls, then we should rename this function appropriately.

if control_data.get("execution") != "server":
            continue

[namrataghadi-galileo]

or atleast call out the details in the DocString

[lan17]

Good call. The helper only ever receives the server subset after the execution partitioning in check_evaluation_with_local(), so I did not want to add a second execution == "server" check inside it and make the contract even less explicit.\n\nI pushed a small follow-up in 91f4596 that makes that assumption clearer instead: renamed the helper to _has_applicable_prefiltered_server_controls(...), renamed the input to server_control_payloads, and expanded the docstring to say that the caller has already partitioned by execution before calling it.\n\nSo behavior is unchanged, but the boundary should be much less surprising now.