pub fn open_trusted(
    endpoint: &str,
    repo_chosen: bool,
    cfg: &LayeredConfig,
) -> Result<Arc<dyn Transport>, DispatchError>

Open a transport for endpoint only after the per-endpoint
credential-trust gate (#97) approves it.

This is the single choke point through which push / fetch / pull
(and named-remote callers in #175) MUST build a transport: it runs
crate::config::endpoint_credential_trust — keyed on the resolved
ENDPOINT and its repo_chosen provenance — before constructing
the transport, so a credential-bearing HTTP/S3 transport is never
instantiated for a repo-chosen endpoint the user hasn’t trusted.

repo_chosen is true when the endpoint came from repo-scoped
config (the flat remote_endpoint or a remote.<name>.url),
false when it came from the user / an explicit CLI argument. Trust
is per ENDPOINT, never per remote name.
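
The gate pattern described above, as an added sketch that is not this crate's code: `TrustStore`, `GatedTransport`, `GateError`, `open_gated` and `open_named` are hypothetical stand-ins, the URLs are constructed, and it assumes user-chosen endpoints pass without a trust entry. It shows why keying trust on the resolved endpoint, not the remote name, stops a repo-scoped `origin` that points at an unapproved URL from receiving credentials.

```rust
use std::collections::{HashMap, HashSet};

/// Hypothetical user-level trust list; stands in for the crate's config lookup.
pub struct TrustStore { trusted: HashSet<String> }

impl TrustStore {
    pub fn new(endpoints: &[&str]) -> Self {
        Self { trusted: endpoints.iter().map(|e| e.to_string()).collect() }
    }
}

#[derive(Debug, PartialEq)]
pub enum GateError { UntrustedRepoEndpoint(String), UnknownRemote(String) }

/// Stand-in for a credential-bearing transport; only `open_gated` builds one.
#[derive(Debug, PartialEq)]
pub struct GatedTransport { pub endpoint: String }

/// The choke point: decide on (endpoint, provenance) first, construct second.
pub fn open_gated(endpoint: &str, repo_chosen: bool, store: &TrustStore)
    -> Result<GatedTransport, GateError>
{
    if repo_chosen && !store.trusted.contains(endpoint) {
        return Err(GateError::UntrustedRepoEndpoint(endpoint.to_string()));
    }
    Ok(GatedTransport { endpoint: endpoint.to_string() })
}

/// Named remotes resolve to a URL first; the name never reaches the trust check.
pub fn open_named(name: &str, repo_remotes: &HashMap<String, String>, store: &TrustStore)
    -> Result<GatedTransport, GateError>
{
    let url = repo_remotes.get(name)
        .ok_or_else(|| GateError::UnknownRemote(name.to_string()))?;
    open_gated(url, true, store) // repo-scoped config => repo_chosen = true
}

fn main() {
    // Constructed sample data: the user trusted one endpoint earlier.
    let store = TrustStore::new(&["https://git.example.com/team/repo"]);
    let mut remotes = HashMap::new();
    remotes.insert("origin".to_string(), "https://untrusted.example.net/x".to_string());
    // A familiar remote name does not confer trust on a new URL.
    println!("{:?}", open_named("origin", &remotes, &store));
    // An endpoint typed by the user on the command line passes the gate.
    println!("{:?}", open_gated("https://untrusted.example.net/x", false, &store));
}
```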