feat(framework): Wire serverappio and clientappio auth interceptors

[msheller]

Issue

*Apps can impersonate each other when calling *AppIo RPCs.

Description

Not all AppIo RPCs authenticate the calling *App, such that an *App could potentially impersonate another. In particular, the token used to authenticate the calling *App is only used in some of the RPCs.

Proposal

This is a BEHAVIOR CHANGING PR that wires the new appio auth token interceptor into the ServerAppIo and ClientAppIo servers and clients.

Note the additions beyond RFC PRs 2&3 (will update the RFC).

Explanation

This PR adds the following changes:
RFC PR 2: ServerAppIo end-to-end wiring:

• Wire server interceptor in ServerAppIo gRPC server startup.
• Wire client metadata interceptor in ServerApp executor path (GrpcGrid/serverapp app).
• Add ServerAppIo auth integration tests.

RFC PR 3: ClientAppIo end-to-end wiring:

• Wire server interceptor in ClientAppIo server startup.
• Wire client metadata interceptor in ClientApp executor runtime.
• Add ClientAppIo auth integration tests.
• Add policy table and factory for ClientAppIo
• Add ClientAppIo tests for interceptors and policy table.

Token Lifecycle Fix:

• PushAppOutputs no longer deletes token.
• Token deletion moved to UpdateRunStatus(FINISHED).
• Added dedicated integration coverage for that lifecycle.

Additional Asks:

• GrpcGrid now requires a non-empty, keyword-only token.

Checklist

• Implement proposed change
• Write tests
• Update documentation
• Address LLM-reviewer comments, if applicable (e.g., GitHub Copilot)
• Make CI checks pass
• Ping maintainers on Slack (channel #contributions)

Any other comments?

We are deferring run_id and token consistency checks, which have far-reaching impacts on our tests. This should be included in our cleanup PR. These checks will ensure all claimed run_id and token values match in requests and in interceptor metadata.

[Copilot]

Pull request overview

This PR wires token-auth gRPC interceptors into the ServerAppIo and ClientAppIo APIs (server- and client-side), adds policy coverage for ClientAppIo RPCs, and adjusts token lifecycle handling so tokens are deleted when a run finishes (rather than during PushAppOutputs).

Changes:

• Add/wire AppIo token auth interceptors for ServerAppIo and ClientAppIo servers/clients, plus policy maps/tests.
• Enforce token usage in GrpcGrid/SimulationIoConnection wiring and add unit/integration tests for interceptor behavior.
• Move ServerAppIo token deletion from PushAppOutputs to UpdateRunStatus(FINISHED) with dedicated integration coverage.

Reviewed changes

Copilot reviewed 21 out of 21 changed files in this pull request and generated 3 comments.

Show a summary per file

File	Description
framework/py/flwr/supernode/start_client_internal.py	Wires ClientAppIo server interceptor into SuperNode ClientAppIo gRPC server startup.
framework/py/flwr/supernode/servicer/clientappio/clientappio_auth_integration_test.py	New integration tests asserting ClientAppIo protected vs no-auth RPC behavior.
framework/py/flwr/supernode/runtime/run_clientapp_test.py	New unit test asserting ClientApp runtime attaches token client interceptor to the channel.
framework/py/flwr/supernode/runtime/run_clientapp.py	Adds AppIo token client interceptor to ClientApp runtime channel creation.
framework/py/flwr/supercore/interceptors/appio_token_interceptor_test.py	Extends interceptor/policy tests to include ClientAppIo policy coverage and factory behavior.
framework/py/flwr/supercore/interceptors/appio_token_interceptor.py	Adds ClientAppIo interceptor factory and imports ClientAppIo policy map.
framework/py/flwr/supercore/interceptors/init.py	Exports the ClientAppIo interceptor factory helper.
framework/py/flwr/supercore/auth/policy.py	Adds ClientAppIo per-method token policy map alongside ServerAppIo policy map.
framework/py/flwr/supercore/auth/init.py	Exposes ClientAppIo policy map from the auth package.
framework/py/flwr/simulation/simulationio_connection_test.py	New unit tests asserting SimulationIoConnection passes token interceptor and enforces non-empty token.
framework/py/flwr/simulation/simulationio_connection.py	Requires non-empty keyword-only token and attaches token interceptor to outbound ServerAppIo calls.
framework/py/flwr/simulation/app_test.py	New unit test ensuring simulation runtime passes token into SimulationIoConnection.
framework/py/flwr/simulation/app.py	Passes token into SimulationIoConnection.
framework/py/flwr/server/superlink/serverappio/serverappio_token_lifecycle_integration_test.py	New integration tests covering token retention on PushAppOutputs and deletion on UpdateRunStatus(FINISHED).
framework/py/flwr/server/superlink/serverappio/serverappio_servicer_test.py	Updates tests to use token-auth metadata interceptor on the default test channel.
framework/py/flwr/server/superlink/serverappio/serverappio_servicer.py	Moves token deletion to UpdateRunStatus(FINISHED) and stops deleting on PushAppOutputs.
framework/py/flwr/server/superlink/serverappio/serverappio_grpc.py	Wires ServerAppIo server interceptor into gRPC server startup.
framework/py/flwr/server/superlink/serverappio/serverappio_auth_integration_test.py	New integration tests asserting ServerAppIo protected vs no-auth RPC behavior.
framework/py/flwr/server/serverapp/app.py	Passes token into GrpcGrid creation for ServerApp runtime.
framework/py/flwr/server/grid/grpc_grid_test.py	Updates GrpcGrid construction to require token and adds tests for interceptor wiring and empty-token rejection.
framework/py/flwr/server/grid/grpc_grid.py	Requires non-empty keyword-only token and attaches token interceptor to outbound ServerAppIo calls.

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

[Copilot]

Pull request overview

Copilot reviewed 21 out of 21 changed files in this pull request and generated 1 comment.

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.