Extract shared loopback guard and fix small lint nits

JE-Chen · JE-Chen · commit 6bfed5cc3305 · 2026-04-21T16:02:57.000+08:00
Remove the duplicated _ensure_loopback copies in http_server.py and
tcp_server.py in favour of a new server/network_guards.ensure_loopback
helper. Rename log_message's `format` parameter to `format_str` to stop
shadowing the builtin, and rename the unused `args` in _cmd_ui to
_args so lint stops flagging it.
diff --git a/automation_file/__main__.py b/automation_file/__main__.py
@@ -98,7 +98,7 @@ def _cmd_http_server(args: argparse.Namespace) -> int:
     return 0
 
 
-def _cmd_ui(args: argparse.Namespace) -> int:
+def _cmd_ui(_args: argparse.Namespace) -> int:
     from automation_file.ui.launcher import launch_ui
 
     return launch_ui()
diff --git a/automation_file/server/http_server.py b/automation_file/server/http_server.py
@@ -11,16 +11,15 @@
 from __future__ import annotations
 
 import hmac
-import ipaddress
 import json
-import socket
 import threading
 from http import HTTPStatus
 from http.server import BaseHTTPRequestHandler, ThreadingHTTPServer
 
 from automation_file.core.action_executor import execute_action
 from automation_file.exceptions import TCPAuthException
 from automation_file.logging_config import file_automation_logger
+from automation_file.server.network_guards import ensure_loopback
 
 _DEFAULT_HOST = "127.0.0.1"
 _DEFAULT_PORT = 9944
@@ -30,8 +29,8 @@
 class _HTTPActionHandler(BaseHTTPRequestHandler):
     """POST /actions -> JSON results."""
 
-    def log_message(self, format: str, *args: object) -> None:
-        file_automation_logger.info("http_server: " + format, *args)
+    def log_message(self, format_str: str, *args: object) -> None:
+        file_automation_logger.info("http_server: " + format_str, *args)
 
     def do_POST(self) -> None:
         if self.path != "/actions":
@@ -100,20 +99,6 @@ def __init__(
         self.shared_secret: str | None = shared_secret
 
 
-def _ensure_loopback(host: str) -> None:
-    try:
-        infos = socket.getaddrinfo(host, None)
-    except socket.gaierror as error:
-        raise ValueError(f"cannot resolve host: {host}") from error
-    for info in infos:
-        ip_obj = ipaddress.ip_address(info[4][0])
-        if not ip_obj.is_loopback:
-            raise ValueError(
-                f"host {host} resolves to non-loopback {ip_obj}; pass allow_non_loopback=True "
-                "if exposure is intentional"
-            )
-
-
 def start_http_action_server(
     host: str = _DEFAULT_HOST,
     port: int = _DEFAULT_PORT,
@@ -122,7 +107,7 @@ def start_http_action_server(
 ) -> HTTPActionServer:
     """Start the HTTP action server on a background thread."""
     if not allow_non_loopback:
-        _ensure_loopback(host)
+        ensure_loopback(host)
     if allow_non_loopback and not shared_secret:
         file_automation_logger.warning(
             "http_server: non-loopback bind without shared_secret is insecure",
diff --git a/automation_file/server/network_guards.py b/automation_file/server/network_guards.py
@@ -0,0 +1,26 @@
+"""Network-binding guards shared by every embedded action server."""
+
+from __future__ import annotations
+
+import ipaddress
+import socket
+
+
+def ensure_loopback(host: str) -> None:
+    """Raise ``ValueError`` if ``host`` resolves to a non-loopback address.
+
+    Every resolved A / AAAA record must be loopback. The explicit error message
+    names the opt-out flag so callers are reminded that exposing a server
+    dispatching arbitrary registry commands is equivalent to a remote REPL.
+    """
+    try:
+        infos = socket.getaddrinfo(host, None)
+    except socket.gaierror as error:
+        raise ValueError(f"cannot resolve host: {host}") from error
+    for info in infos:
+        ip_obj = ipaddress.ip_address(info[4][0])
+        if not ip_obj.is_loopback:
+            raise ValueError(
+                f"host {host} resolves to non-loopback {ip_obj}; pass allow_non_loopback=True "
+                "if exposure is intentional"
+            )
diff --git a/automation_file/server/tcp_server.py b/automation_file/server/tcp_server.py
@@ -13,9 +13,7 @@
 from __future__ import annotations
 
 import hmac
-import ipaddress
 import json
-import socket
 import socketserver
 import sys
 import threading
@@ -24,6 +22,7 @@
 from automation_file.core.action_executor import execute_action
 from automation_file.exceptions import TCPAuthException
 from automation_file.logging_config import file_automation_logger
+from automation_file.server.network_guards import ensure_loopback
 
 _DEFAULT_HOST = "localhost"
 _DEFAULT_PORT = 9943
@@ -116,20 +115,6 @@ def __init__(
         self.shared_secret: str | None = shared_secret
 
 
-def _ensure_loopback(host: str) -> None:
-    try:
-        infos = socket.getaddrinfo(host, None)
-    except socket.gaierror as error:
-        raise ValueError(f"cannot resolve host: {host}") from error
-    for info in infos:
-        ip_obj = ipaddress.ip_address(info[4][0])
-        if not ip_obj.is_loopback:
-            raise ValueError(
-                f"host {host} resolves to non-loopback {ip_obj}; pass allow_non_loopback=True "
-                "if exposure is intentional"
-            )
-
-
 def start_autocontrol_socket_server(
     host: str = _DEFAULT_HOST,
     port: int = _DEFAULT_PORT,
@@ -143,7 +128,7 @@ def start_autocontrol_socket_server(
     address without a shared secret is strongly discouraged.
     """
     if not allow_non_loopback:
-        _ensure_loopback(host)
+        ensure_loopback(host)
     if allow_non_loopback and not shared_secret:
         file_automation_logger.warning(
             "tcp_server: non-loopback bind without shared_secret is insecure",
