Add require_explicit_allow flag to plugin system to prevent auto-loading of opt-in plugins #10781
Description
Problem:
Plugin core integration work (e.g., BA-5580) causes auth plugins to be included in the package. Since allowed_plugins defaults to None (load all discovered plugins) and disabled_plugins defaults to None/empty, the auth plugin is automatically loaded on startup. However, auth plugin config is not present in existing deployments, causing manager startup failure.
This affects both:
- Existing production sites upgrading to this version (no auth plugin config in their manager.toml)
- New dev setups (halfstack.toml has no auth plugin config)
Solution:
Add a require_explicit_allow class variable (default False) to AbstractPlugin base class. Plugins that set require_explicit_allow = True will only be loaded when explicitly listed in allowed-plugins config.
Behavior change in BasePluginContext.discover_plugins():
- allowlist=None (default): require_explicit_allow=True plugins are skipped, normal plugins load as before
- allowlist=["auth.module"]: only plugins in allowlist load (existing behavior unchanged)
This is the ONLY change: when allowlist is None, require_explicit_allow=True plugins are skipped. All other behavior remains identical.
Implementation:
- Add require_explicit_allow: ClassVar[bool] = False to AbstractPlugin
- In BasePluginContext.discover_plugins(), after entrypoint.load(), check the flag: if require_explicit_allow=True and allowlist is None, skip with a log message
- Auth plugin class sets require_explicit_allow = True
JIRA Issue: BA-5588
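The discovery rule described above, as an added illustration rather than the project's own BasePluginContext code: the entry points, the FakeEntryPoint stand-in for importlib.metadata entry points, the MetricsPlugin/AuthPlugin classes and the blocklist parameter are assumptions constructed for this example.

```python
# Added example modelling the require_explicit_allow rule; not Backend.AI's own code.
from __future__ import annotations
import logging
from dataclasses import dataclass
from typing import ClassVar, Iterable, Sequence

log = logging.getLogger(__name__)


class AbstractPlugin:
    # Plugins that set this to True load only when explicitly allowlisted.
    require_explicit_allow: ClassVar[bool] = False


class MetricsPlugin(AbstractPlugin):
    """Ordinary plugin (constructed): loads whenever discovered."""


class AuthPlugin(AbstractPlugin):
    """Opt-in plugin (constructed): must appear in allowed-plugins to load."""
    require_explicit_allow = True


@dataclass(frozen=True)
class FakeEntryPoint:
    # Hypothetical stand-in for an importlib.metadata.EntryPoint.
    name: str
    cls: type[AbstractPlugin]

    def load(self) -> type[AbstractPlugin]:
        return self.cls


def discover_plugins(
    entrypoints: Iterable[FakeEntryPoint],
    allowlist: Sequence[str] | None = None,
    blocklist: Sequence[str] | None = None,
) -> dict[str, type[AbstractPlugin]]:
    """Return {name: plugin class} honoring blocklist, allowlist and the opt-in flag."""
    loaded: dict[str, type[AbstractPlugin]] = {}
    for ep in entrypoints:
        if blocklist and ep.name in blocklist:
            continue
        if allowlist is not None and ep.name not in allowlist:
            continue
        plugin_cls = ep.load()
        # The new rule: with no allowlist configured, opt-in plugins are skipped.
        if allowlist is None and getattr(plugin_cls, "require_explicit_allow", False):
            log.info("skipping opt-in plugin %s: not listed in allowed-plugins", ep.name)
            continue
        loaded[ep.name] = plugin_cls
    return loaded


# Constructed set of discovered entry points used by the checks below.
ENTRYPOINTS = [FakeEntryPoint("metrics", MetricsPlugin), FakeEntryPoint("auth.module", AuthPlugin)]
```

With the default allowlist=None only "metrics" loads; listing "auth.module" in the allowlist loads the auth plugin as before.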