[AAASM-4664] ✨ (init): Add allow_insecure opt-in to init_assembly#263
Conversation
Thread an optional keyword-only allow_insecure (default False) from init_assembly through to resolve_gateway_grpc_endpoint, mirroring the op-control connect() opt-in. Default False preserves the secure-by-default register guard from AAASM-4655: a derived plaintext http:// register channel to a non-loopback host stays refused unless the operator explicitly opts in for a trusted network. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com> Claude-Session: https://claude.ai/code/session_01HMnPRm9T3fdrS4uNYXkzg6
Add the allow_insecure kwarg to the init_assembly public-API signature and a short "Insecure transport opt-in" subsection explaining the fail-closed default and the trusted-network-only opt-in for a plaintext non-loopback register. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com> Claude-Session: https://claude.ai/code/session_01HMnPRm9T3fdrS4uNYXkzg6
Regression tests for AAASM-4664: with allow_insecure omitted, init refuses a plaintext http:// register channel to a non-loopback host (no register dialed); with allow_insecure=True it threads through and the native register is dialed against the derived non-loopback gRPC endpoint. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com> Claude-Session: https://claude.ai/code/session_01HMnPRm9T3fdrS4uNYXkzg6
Codecov Report✅ All modified and coverable lines are covered by tests. 📢 Thoughts on this report? Let us know! |
|
🤖 Claude Code — PR reviewVerdict: ✅ Ready to approve & merge. 1. CI: Green (19✓ / 7 skipped / 0 failures). 2. Scope vs AAASM-4664: covered — public keyword-only 3. Side effects: none. Additive kwarg with 4. Front-end: N/A. No changes requested. |
🤖 Claude Code — review confirmed ✅Re-reviewed this session's PR. CI fully green (19✓ / 7 skipped / 0 failures). Scope complete vs AAASM-4664 (public |



Description
Follow-up to AAASM-4655 (merged), which made
resolve_gateway_grpc_endpointfail-closed on a derived plaintext (
http://) nativeregisterchannel to anon-loopback host. That guard accepts an
allow_insecurekwarg, butinit_assembly()exposed no public way to opt in — unlikeop_control.connect().This PR adds an optional keyword-only
allow_insecure: bool = Falseparam toinit_assembly()and threads it toresolve_gateway_grpc_endpoint(..., allow_insecure=...), mirroring op-control'snaming and semantics. The default
Falsepreserves the secure-by-defaultbehavior from AAASM-4655 unchanged: a plaintext register to a non-loopback host
is still refused unless the operator explicitly opts in for a trusted network.
Loopback and
https://targets always pass regardless of the flag.Type of Change
Breaking Changes
The new parameter is keyword-only with a
Falsedefault; existing callers andthe production fail-closed posture are unchanged.
Related Issues
Testing
Added regression tests in
test/unit/core/test_init_registration.py:allow_insecureomitted) refuses a plaintext non-loopback registerand dials no register call;
allow_insecure=Truethreads through and the native register is dialed againstthe derived non-loopback gRPC endpoint.
Local verification (changed files clean):
ruff checkpassed;ruff formatclean on changed files;
mypyclean under pre-commit; the new tests pass(
26 passed). Pre-existingmypy/format drift in untouched files (missingoptional native
_corecdylib,grpcstubs, unrelated format drift) is presentidentically on
remote/masterand out of scope.Checklist
🤖 Generated with Claude Code
https://claude.ai/code/session_01HMnPRm9T3fdrS4uNYXkzg6