Skip to content

[AAASM-4664] ✨ (init): Add allow_insecure opt-in to init_assembly#263

Merged
Chisanan232 merged 3 commits into
masterfrom
v0.0.1/AAASM-4664/init_allow_insecure_optin
Jul 15, 2026
Merged

[AAASM-4664] ✨ (init): Add allow_insecure opt-in to init_assembly#263
Chisanan232 merged 3 commits into
masterfrom
v0.0.1/AAASM-4664/init_allow_insecure_optin

Conversation

@Chisanan232

@Chisanan232 Chisanan232 commented Jul 15, 2026

Copy link
Copy Markdown
Contributor

Description

Follow-up to AAASM-4655 (merged), which made resolve_gateway_grpc_endpoint
fail-closed on a derived plaintext (http://) native register channel to a
non-loopback host. That guard accepts an allow_insecure kwarg, but
init_assembly() exposed no public way to opt in — unlike op_control.connect().

This PR adds an optional keyword-only allow_insecure: bool = False param to
init_assembly() and threads it to
resolve_gateway_grpc_endpoint(..., allow_insecure=...), mirroring op-control's
naming and semantics. The default False preserves the secure-by-default
behavior from AAASM-4655 unchanged: a plaintext register to a non-loopback host
is still refused unless the operator explicitly opts in for a trusted network.
Loopback and https:// targets always pass regardless of the flag.

Type of Change

  • ✨ New feature

Breaking Changes

  • No

The new parameter is keyword-only with a False default; existing callers and
the production fail-closed posture are unchanged.

Related Issues

  • Related JIRA ticket: AAASM-4664
  • Follows: AAASM-4655 (secure-by-default register guard)

Testing

  • Unit tests added/updated
  • Integration tests added/updated
  • Manual testing performed

Added regression tests in test/unit/core/test_init_registration.py:

  • default (allow_insecure omitted) refuses a plaintext non-loopback register
    and dials no register call;
  • allow_insecure=True threads through and the native register is dialed against
    the derived non-loopback gRPC endpoint.

Local verification (changed files clean): ruff check passed; ruff format
clean on changed files; mypy clean under pre-commit; the new tests pass
(26 passed). Pre-existing mypy/format drift in untouched files (missing
optional native _core cdylib, grpc stubs, unrelated format drift) is present
identically on remote/master and out of scope.

Checklist

  • Code follows project style guidelines
  • Self-review completed
  • Comments added for complex logic
  • Documentation updated if needed
  • All tests passing

🤖 Generated with Claude Code

https://claude.ai/code/session_01HMnPRm9T3fdrS4uNYXkzg6

Chisanan232 and others added 3 commits July 15, 2026 21:56
Thread an optional keyword-only allow_insecure (default False) from
init_assembly through to resolve_gateway_grpc_endpoint, mirroring the
op-control connect() opt-in. Default False preserves the secure-by-default
register guard from AAASM-4655: a derived plaintext http:// register channel
to a non-loopback host stays refused unless the operator explicitly opts in
for a trusted network.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Claude-Session: https://claude.ai/code/session_01HMnPRm9T3fdrS4uNYXkzg6
Add the allow_insecure kwarg to the init_assembly public-API signature and a
short "Insecure transport opt-in" subsection explaining the fail-closed default
and the trusted-network-only opt-in for a plaintext non-loopback register.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Claude-Session: https://claude.ai/code/session_01HMnPRm9T3fdrS4uNYXkzg6
Regression tests for AAASM-4664: with allow_insecure omitted, init refuses a
plaintext http:// register channel to a non-loopback host (no register dialed);
with allow_insecure=True it threads through and the native register is dialed
against the derived non-loopback gRPC endpoint.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Claude-Session: https://claude.ai/code/session_01HMnPRm9T3fdrS4uNYXkzg6
@codecov

codecov Bot commented Jul 15, 2026

Copy link
Copy Markdown

Codecov Report

✅ All modified and coverable lines are covered by tests.

📢 Thoughts on this report? Let us know!

@sonarqubecloud

Copy link
Copy Markdown

@Chisanan232

Copy link
Copy Markdown
Contributor Author

🤖 Claude Code — PR review

Verdict: ✅ Ready to approve & merge.

1. CI: Green (19✓ / 7 skipped / 0 failures).

2. Scope vs AAASM-4664: covered — public keyword-only allow_insecure: bool = False added to init_assembly(), threaded to the sole resolve_gateway_grpc_endpoint(..., allow_insecure=...) call site; docstring + README documented as a trusted-network-only opt-in mirroring op_control; 2 regression tests (default refuses non-loopback plaintext + dials nothing; allow_insecure=True permits & dials).

3. Side effects: none. Additive kwarg with False default → the AAASM-4655 secure-by-default behavior is byte-for-byte unchanged for every existing caller; only an explicit allow_insecure=True alters behavior. 26 tests pass.

4. Front-end: N/A.

No changes requested.

@Chisanan232

Copy link
Copy Markdown
Contributor Author

🤖 Claude Code — review confirmed ✅

Re-reviewed this session's PR. CI fully green (19✓ / 7 skipped / 0 failures). Scope complete vs AAASM-4664 (public allow_insecure opt-in + docstring/README + 2 regression tests). Side effects: none — additive keyword-only param defaulting False, so every existing caller behaves identically; only an explicit allow_insecure=True changes behavior, and production stays fail-closed by default. FE: N/A. Ready to approve & merge.

@Chisanan232 Chisanan232 merged commit 7a68ed5 into master Jul 15, 2026
26 checks passed
@Chisanan232 Chisanan232 deleted the v0.0.1/AAASM-4664/init_allow_insecure_optin branch July 15, 2026 14:14
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant