ansible-core 2.19.0b3__py3-none-any.whl → 2.19.0b5__py3-none-any.whl

ansible/_internal/_templating/_jinja_common.py

@@ -2,6 +2,7 @@ from __future__ import annotations
 
 import abc
 import collections.abc as c
+import enum
 import inspect
 import itertools
 import typing as t
@@ -9,7 +10,7 @@ import typing as t
 from jinja2 import UndefinedError, StrictUndefined, TemplateRuntimeError
 from jinja2.utils import missing
 
-from ansible.module_utils.common.messages import ErrorSummary, Detail
+from ...module_utils._internal import _messages
 from ansible.constants import config
 from ansible.errors import AnsibleUndefinedVariable, AnsibleTypeError
 from ansible._internal._errors._handler import ErrorHandler
@@ -24,10 +25,16 @@ from ...module_utils.datatag import native_type_name
 _patch_jinja()  # apply Jinja2 patches before types are declared that are dependent on the changes
 
 
+class _SandboxMode(enum.Enum):
+    DEFAULT = enum.auto()
+    ALLOW_UNSAFE_ATTRIBUTES = enum.auto()
+
+
 class _TemplateConfig:
     allow_embedded_templates: bool = config.get_config_value("ALLOW_EMBEDDED_TEMPLATES")
     allow_broken_conditionals: bool = config.get_config_value('ALLOW_BROKEN_CONDITIONALS')
     jinja_extensions: list[str] = config.get_config_value('DEFAULT_JINJA2_EXTENSIONS')
+    sandbox_mode: _SandboxMode = _SandboxMode.__members__[config.get_config_value('_TEMPLAR_SANDBOX_MODE').upper()]
 
     unknown_type_encountered_handler = ErrorHandler.from_config('_TEMPLAR_UNKNOWN_TYPE_ENCOUNTERED')
     unknown_type_conversion_handler = ErrorHandler.from_config('_TEMPLAR_UNKNOWN_TYPE_CONVERSION')
@@ -55,7 +62,7 @@ class Marker(StrictUndefined, Tripwire):
 
     __slots__ = ('_marker_template_source',)
 
-    concrete_subclasses: t.ClassVar[set[type[Marker]]] = set()
+    _concrete_subclasses: t.ClassVar[set[type[Marker]]] = set()
 
     def __init__(
         self,
@@ -129,7 +136,7 @@ class Marker(StrictUndefined, Tripwire):
     def __init_subclass__(cls, **kwargs) -> None:
         if not inspect.isabstract(cls):
             _untaggable_types.add(cls)
-            cls.concrete_subclasses.add(cls)
+            cls._concrete_subclasses.add(cls)
 
     @classmethod
     def _init_class(cls):
@@ -197,8 +204,6 @@ class TruncationMarker(Marker):
     It will only be visible if the previous `Marker` was ignored/replaced instead of being tripped, which would raise an exception.
     """
 
-    # DTFIX-RELEASE: make this a singleton?
-
     __slots__ = ()
 
     def __init__(self) -> None:
@@ -252,28 +257,18 @@ class UndecryptableVaultError(_captured.AnsibleCapturedError):
 class VaultExceptionMarker(ExceptionMarker):
     """A `Marker` value that represents an error accessing a vaulted value during templating."""
 
-    __slots__ = ('_marker_undecryptable_ciphertext', '_marker_undecryptable_reason', '_marker_undecryptable_traceback')
+    __slots__ = ('_marker_undecryptable_ciphertext', '_marker_event')
 
-    def __init__(self, ciphertext: str, reason: str, traceback: str | None) -> None:
-        # DTFIX-RELEASE: when does this show up, should it contain more details?
-        #          see also CapturedExceptionMarker for a similar issue
+    def __init__(self, ciphertext: str, event: _messages.Event) -> None:
         super().__init__(hint='A vault exception marker was tripped.')
 
         self._marker_undecryptable_ciphertext = ciphertext
-        self._marker_undecryptable_reason = reason
-        self._marker_undecryptable_traceback = traceback
+        self._marker_event = event
 
     def _as_exception(self) -> Exception:
         return UndecryptableVaultError(
             obj=self._marker_undecryptable_ciphertext,
-            error_summary=ErrorSummary(
-                details=(
-                    Detail(
-                        msg=self._marker_undecryptable_reason,
-                    ),
-                ),
-                formatted_traceback=self._marker_undecryptable_traceback,
-            ),
+            event=self._marker_event,
         )
 
     def _disarm(self) -> str:
@@ -282,16 +277,12 @@ class VaultExceptionMarker(ExceptionMarker):
 
 def get_first_marker_arg(args: c.Sequence, kwargs: dict[str, t.Any]) -> Marker | None:
     """Utility method to inspect plugin args and return the first `Marker` encountered, otherwise `None`."""
-    # DTFIX-RELEASE: this may or may not need to be public API, move back to utils or once usage is wrapped in a decorator?
-    for arg in iter_marker_args(args, kwargs):
-        return arg
-
-    return None
+    # CAUTION: This function is exposed in public API as ansible.template.get_first_marker_arg.
+    return next(iter_marker_args(args, kwargs), None)
 
 
 def iter_marker_args(args: c.Sequence, kwargs: dict[str, t.Any]) -> t.Generator[Marker]:
     """Utility method to iterate plugin args and yield any `Marker` encountered."""
-    # DTFIX-RELEASE: this may or may not need to be public API, move back to utils or once usage is wrapped in a decorator?
     for arg in itertools.chain(args, kwargs.values()):
         if isinstance(arg, Marker):
             yield arg
@@ -306,7 +297,7 @@ class JinjaCallContext(NotifiableAccessContextBase):
     _mask = True
 
     def __init__(self, accept_lazy_markers: bool) -> None:
-        self._type_interest = frozenset() if accept_lazy_markers else frozenset(Marker.concrete_subclasses)
+        self._type_interest = frozenset() if accept_lazy_markers else frozenset(Marker._concrete_subclasses)
 
     def _notify(self, o: Marker) -> t.NoReturn:
         o.trip()
@@ -314,7 +305,7 @@ class JinjaCallContext(NotifiableAccessContextBase):
 
 def validate_arg_type(name: str, value: t.Any, allowed_type_or_types: type | tuple[type, ...], /) -> None:
     """Validate the type of the given argument while preserving context for Marker values."""
-    # DTFIX-RELEASE: find a home for this as a general-purpose utliity method and expose it after some API review
+    # DTFIX-FUTURE: find a home for this as a general-purpose utliity method and expose it after some API review
     if isinstance(value, allowed_type_or_types):
         return
 

ansible/_internal/_templating/_jinja_plugins.py

@@ -6,8 +6,12 @@ import collections.abc as c
 import dataclasses
 import datetime
 import functools
+import inspect
+import re
 import typing as t
 
+from jinja2 import defaults
+
 from ansible.module_utils._internal._ambient_context import AmbientContextBase
 from ansible.module_utils.common.collections import is_sequence
 from ansible.module_utils._internal._datatag import AnsibleTagHelper
@@ -115,7 +119,7 @@ class JinjaPluginIntercept(c.MutableMapping):
         except MarkerError as ex:
             return ex.source
         except Exception as ex:
-            raise AnsibleTemplatePluginRuntimeError(instance.plugin_type, instance.ansible_name) from ex  # DTFIX-RELEASE: which name to use? use plugin info?
+            raise AnsibleTemplatePluginRuntimeError(instance.plugin_type, instance.ansible_name) from ex  # DTFIX-FUTURE: which name to use? use plugin info?
 
     def _wrap_test(self, instance: AnsibleJinja2Plugin) -> t.Callable:
         """Intercept point for all test plugins to ensure that args are properly templated/lazified."""
@@ -127,7 +131,6 @@ class JinjaPluginIntercept(c.MutableMapping):
             if not isinstance(result, bool):
                 template = TemplateContext.current().template_value
 
-                # DTFIX-RELEASE: which name to use? use plugin info?
                 _display.deprecated(
                     msg=f"The test plugin {instance.ansible_name!r} returned a non-boolean result of type {type(result)!r}. "
                     "Test plugins must have a boolean result.",
@@ -254,7 +257,7 @@ def _invoke_lookup(*, plugin_name: str, lookup_terms: list, lookup_kwargs: dict[
         except MarkerError as ex:
             return ex.source
         except Exception as ex:
-            # DTFIX-RELEASE: convert this to the new error/warn/ignore context manager
+            # DTFIX-FUTURE: convert this to the new error/warn/ignore context manager
             if errors == 'warn':
                 _display.error_as_warning(
                     msg=f'An error occurred while running the lookup plugin {plugin_name!r}.',
@@ -339,3 +342,28 @@ def _wrap_plugin_output(o: t.Any) -> t.Any:
         o = list(o)
 
     return _AnsibleLazyTemplateMixin._try_create(o, LazyOptions.SKIP_TEMPLATES)
+
+
+_PLUGIN_SOURCES = dict(
+    filter=defaults.DEFAULT_FILTERS,
+    test=defaults.DEFAULT_TESTS,
+)
+
+
+def _get_builtin_short_description(plugin: object) -> str:
+    """
+    Make a reasonable effort to break a function docstring down to a single sentence.
+    We can't use the full docstring due to embedded formatting, particularly RST.
+    This isn't intended to be perfect, just good enough until we can write our own docs for these.
+    """
+    value = re.split(r'(\.|!|\s\(|:\s)', inspect.getdoc(plugin), 1)[0].replace('\n', ' ')
+
+    if value:
+        value += '.'
+
+    return value
+
+
+def get_jinja_builtin_plugin_descriptions(plugin_type: str) -> dict[str, str]:
+    """Returns a dictionary of Jinja builtin plugin names and their short descriptions."""
+    return {f'ansible.builtin.{name}': _get_builtin_short_description(plugin) for name, plugin in _PLUGIN_SOURCES[plugin_type].items() if name.isidentifier()}

ansible/_internal/_templating/_lazy_containers.py

@@ -43,7 +43,7 @@ _KNOWN_TYPES: t.Final[set[type]] = (
         TemplateModule,  # example: '{% import "importme.j2" as im %}{{ im | type_debug }}'
     }
     | set(PASS_THROUGH_SCALAR_VAR_TYPES)
-    | set(Marker.concrete_subclasses)
+    | set(Marker._concrete_subclasses)
 )
 """
 These types are known to the templating system.
@@ -195,7 +195,7 @@ class _AnsibleLazyTemplateMixin:
         Return an iterable that wraps each of the given elements in a lazy wrapper.
         Only elements wrapped this way will receive lazy processing when retrieved from the collection.
         """
-        # DTFIX-RELEASE: check relative performance of method-local vs stored generator expressions on implementations of this method
+        # DTFIX-FUTURE: check relative performance of method-local vs stored generator expressions on implementations of this method
         raise NotImplementedError()  # pragma: nocover
 
     def _proxy_or_render_lazy_value(self, key: t.Any, value: t.Any) -> t.Any:
@@ -346,13 +346,13 @@ class _AnsibleLazyTemplateDict(_AnsibleTaggedDict, _AnsibleLazyTemplateMixin):
         return super().__ne__(other)
 
     def __or__(self, other):
-        # DTFIX-RELEASE: support preservation of laziness when possible like we do for list
+        # DTFIX-FUTURE: support preservation of laziness when possible like we do for list
         # Both sides end up going through _proxy_or_render_lazy_value, so there's no Templar preservation needed.
         # In the future this could be made more lazy when both Templar instances are the same, or if per-value Templar tracking was used.
         return super().__or__(other)
 
     def __ror__(self, other):
-        # DTFIX-RELEASE: support preservation of laziness when possible like we do for list
+        # DTFIX-FUTURE: support preservation of laziness when possible like we do for list
         # Both sides end up going through _proxy_or_render_lazy_value, so there's no Templar preservation needed.
         # In the future this could be made more lazy when both Templar instances are the same, or if per-value Templar tracking was used.
         return super().__ror__(other)
@@ -549,7 +549,7 @@ class _AnsibleLazyAccessTuple(_AnsibleTaggedTuple, _AnsibleLazyTemplateMixin):
     created as a results of managed access.
     """
 
-    # DTFIX-RELEASE: ensure we have tests that explicitly verify this behavior
+    # DTFIX5: ensure we have tests that explicitly verify this behavior
 
     # nonempty __slots__ not supported for subtype of 'tuple'
 

ansible/_internal/_templating/_transform.py

@@ -5,39 +5,41 @@ from __future__ import annotations
 import dataclasses
 import typing as t
 
-from ansible.module_utils._internal import _traceback
-from ansible.module_utils.common.messages import PluginInfo, ErrorSummary, WarningSummary, DeprecationSummary
+from ansible.module_utils._internal import _traceback, _event_utils, _messages
 from ansible.parsing.vault import EncryptedString, VaultHelper
 from ansible.utils.display import Display
 
 from ._jinja_common import VaultExceptionMarker
-from .._errors import _captured, _utils
+from .._errors import _captured, _error_factory
+from .. import _event_formatting
 
 display = Display()
 
 
-def plugin_info(value: PluginInfo) -> dict[str, str]:
+def plugin_info(value: _messages.PluginInfo) -> dict[str, str]:
     """Render PluginInfo as a dictionary."""
     return dataclasses.asdict(value)
 
 
-def error_summary(value: ErrorSummary) -> str:
+def error_summary(value: _messages.ErrorSummary) -> str:
     """Render ErrorSummary as a formatted traceback for backward-compatibility with pre-2.19 TaskResult.exception."""
-    return value.formatted_traceback or '(traceback unavailable)'
+    if _traceback._is_traceback_enabled(_traceback.TracebackEvent.ERROR):
+        return _event_formatting.format_event_traceback(value.event)
 
+    return '(traceback unavailable)'
 
-def warning_summary(value: WarningSummary) -> str:
+
+def warning_summary(value: _messages.WarningSummary) -> str:
     """Render WarningSummary as a simple message string for backward-compatibility with pre-2.19 TaskResult.warnings."""
-    return value._format()
+    return _event_utils.format_event_brief_message(value.event)
 
 
-def deprecation_summary(value: DeprecationSummary) -> dict[str, t.Any]:
+def deprecation_summary(value: _messages.DeprecationSummary) -> dict[str, t.Any]:
     """Render DeprecationSummary as dict values for backward-compatibility with pre-2.19 TaskResult.deprecations."""
-    # DTFIX-RELEASE: reconsider which deprecation fields should be exposed here, taking into account that collection_name is to be deprecated
-    result = value._as_simple_dict()
-    result.pop('details')
+    transformed = _event_utils.deprecation_as_dict(value)
+    transformed.update(deprecator=value.deprecator)
 
-    return result
+    return transformed
 
 
 def encrypted_string(value: EncryptedString) -> str | VaultExceptionMarker:
@@ -47,17 +49,16 @@ def encrypted_string(value: EncryptedString) -> str | VaultExceptionMarker:
     except Exception as ex:
         return VaultExceptionMarker(
             ciphertext=VaultHelper.get_ciphertext(value, with_tags=True),
-            reason=_utils.get_chained_message(ex),
-            traceback=_traceback.maybe_extract_traceback(ex, _traceback.TracebackEvent.ERROR),
+            event=_error_factory.ControllerEventFactory.from_exception(ex, _traceback.is_traceback_enabled(_traceback.TracebackEvent.ERROR)),
         )
 
 
 _type_transform_mapping: dict[type, t.Callable[[t.Any], t.Any]] = {
     _captured.CapturedErrorSummary: error_summary,
-    PluginInfo: plugin_info,
-    ErrorSummary: error_summary,
-    WarningSummary: warning_summary,
-    DeprecationSummary: deprecation_summary,
+    _messages.PluginInfo: plugin_info,
+    _messages.ErrorSummary: error_summary,
+    _messages.WarningSummary: warning_summary,
+    _messages.DeprecationSummary: deprecation_summary,
     EncryptedString: encrypted_string,
 }
 """This mapping is consulted by `Templar.template` to provide custom views of some objects."""

ansible/_internal/_templating/_utils.py

@@ -99,7 +99,7 @@ Omit = object.__new__(_OmitType)
 _datatag._untaggable_types.add(_OmitType)
 
 
-# DTFIX-RELEASE: review these type sets to ensure they're not overly permissive/dynamic
+# DTFIX5: review these type sets to ensure they're not overly permissive/dynamic
 IGNORE_SCALAR_VAR_TYPES = {value for value in _datatag._ANSIBLE_ALLOWED_SCALAR_VAR_TYPES if not issubclass(value, str)}
 
 PASS_THROUGH_SCALAR_VAR_TYPES = _datatag._ANSIBLE_ALLOWED_SCALAR_VAR_TYPES | {

ansible/_internal/_testing.py

@@ -0,0 +1,26 @@
+"""
+Testing utilities for use in integration tests, not unit tests or non-test code.
+Provides better error behavior than Python's `assert` statement.
+"""
+
+from __future__ import annotations
+
+import contextlib
+import typing as t
+
+
+class _Checker:
+    @staticmethod
+    def check(value: object, msg: str | None = 'Value is not truthy.') -> None:
+        """Raise an `AssertionError` if the given `value` is not truthy."""
+        if not value:
+            raise AssertionError(msg)
+
+
+@contextlib.contextmanager
+def hard_fail_context(msg: str) -> t.Generator[_Checker]:
+    """Enter a context which converts all exceptions to `BaseException` and provides a `Checker` instance for making assertions."""
+    try:
+        yield _Checker()
+    except BaseException as ex:
+        raise BaseException(f"Hard failure: {msg}") from ex

ansible/_internal/_yaml/_dumper.py

@@ -32,7 +32,7 @@ class _BaseDumper(SafeDumper, metaclass=abc.ABCMeta):
 class AnsibleDumper(_BaseDumper):
     """A simple stub class that allows us to add representers for our custom types."""
 
-    # DTFIX-RELEASE: need a better way to handle serialization controls during YAML dumping
+    # DTFIX0: need a better way to handle serialization controls during YAML dumping
     def __init__(self, *args, dump_vault_tags: bool | None = None, **kwargs):
         super().__init__(*args, **kwargs)
 

ansible/_internal/_yaml/_errors.py

@@ -7,7 +7,7 @@ import typing as t
 from yaml import MarkedYAMLError
 from yaml.constructor import ConstructorError
 
-from ansible._internal._errors import _utils
+from ansible._internal._errors import _error_utils
 from ansible.errors import AnsibleParserError
 from ansible._internal._datatag._tags import Origin
 
@@ -34,7 +34,7 @@ class AnsibleYAMLParserError(AnsibleParserError):
         if isinstance(exception, MarkedYAMLError):
             origin = origin.replace(line_num=exception.problem_mark.line + 1, col_num=exception.problem_mark.column + 1)
 
-        source_context = _utils.SourceContext.from_origin(origin)
+        source_context = _error_utils.SourceContext.from_origin(origin)
 
         target_line = source_context.target_line or ''  # for these cases, we don't need to distinguish between None and empty string
 
@@ -66,12 +66,12 @@ class AnsibleYAMLParserError(AnsibleParserError):
         # There may be cases where there is a valid tab in a line that has other errors.
         # That's OK, users should "fix" their tab usage anyway -- at which point later error handling logic will hopefully find the real issue.
         elif (tab_idx := target_line.find('\t')) >= 0:
-            source_context = _utils.SourceContext.from_origin(origin.replace(col_num=tab_idx + 1))
+            source_context = _error_utils.SourceContext.from_origin(origin.replace(col_num=tab_idx + 1))
             message = "Tabs are usually invalid in YAML."
 
         # Check for unquoted templates.
         elif match := re.search(r'^\s*(?:-\s+)*(?:[\w\s]+:\s+)?(?P<value>\{\{.*}})', target_line):
-            source_context = _utils.SourceContext.from_origin(origin.replace(col_num=match.start('value') + 1))
+            source_context = _error_utils.SourceContext.from_origin(origin.replace(col_num=match.start('value') + 1))
             message = 'This may be an issue with missing quotes around a template block.'
             # FIXME: Use the captured value to show the actual fix required.
             help_text = """
@@ -95,7 +95,7 @@ Should be:
             # look for an unquoted colon in the value
             and (colon_match := re.search(r':($| )', target_fragment))
         ):
-            source_context = _utils.SourceContext.from_origin(origin.replace(col_num=value_match.start('value') + colon_match.start() + 1))
+            source_context = _error_utils.SourceContext.from_origin(origin.replace(col_num=value_match.start('value') + colon_match.start() + 1))
             message = 'Colons in unquoted values must be followed by a non-space character.'
             # FIXME: Use the captured value to show the actual fix required.
             help_text = """
@@ -114,7 +114,7 @@ Should be:
             first, last = suspected_value[0], suspected_value[-1]
 
             if first != last:  # "foo" in bar
-                source_context = _utils.SourceContext.from_origin(origin.replace(col_num=match.start('value') + 1))
+                source_context = _error_utils.SourceContext.from_origin(origin.replace(col_num=match.start('value') + 1))
                 message = 'Values starting with a quote must end with the same quote.'
                 # FIXME: Use the captured value to show the actual fix required, and use that same logic to improve the origin further.
                 help_text = """
@@ -127,7 +127,7 @@ Should be:
     raw: '"foo" in bar'
 """
             elif first == last and target_line.count(first) > 2:  # "foo" and "bar"
-                source_context = _utils.SourceContext.from_origin(origin.replace(col_num=match.start('value') + 1))
+                source_context = _error_utils.SourceContext.from_origin(origin.replace(col_num=match.start('value') + 1))
                 message = 'Values starting with a quote must end with the same quote, and not contain that quote.'
                 # FIXME: Use the captured value to show the actual fix required, and use that same logic to improve the origin further.
                 help_text = """

ansible/_internal/ansible_collections/ansible/_protomatter/plugins/filter/true_type.py

@@ -2,7 +2,7 @@ from __future__ import annotations
 
 import typing as t
 
-from ansible.plugins import accept_args_markers
+from ansible.template import accept_args_markers
 
 
 @accept_args_markers

ansible/_internal/ansible_collections/ansible/_protomatter/plugins/filter/unmask.py

@@ -12,7 +12,7 @@ from ansible.errors import AnsibleError
 
 def unmask(value: object, type_names: str | list[str]) -> object:
     """
-    Internal filter to suppress automatic type transformation in Jinja (e.g., WarningMessageDetail, DeprecationMessageDetail, ErrorDetail).
+    Internal filter to suppress automatic type transformation in Jinja (e.g., WarningSummary, DeprecationSummary, ErrorSummary).
     Lazy collection caching is in play - the first attempt to access a value in a given lazy container must be with unmasking in place, or the transformed value
     will already be cached.
     """

ansible/cli/__init__.py

@@ -7,7 +7,6 @@ from __future__ import annotations
 
 import locale
 import os
-import signal
 import sys
 
 # We overload the ``ansible`` adhoc command to provide the functionality for
@@ -75,8 +74,6 @@ def initialize_locale():
 
 initialize_locale()
 
-
-import atexit
 import errno
 import getpass
 import subprocess
@@ -96,7 +93,7 @@ try:
     display = Display()
 except Exception as ex:
     if isinstance(ex, AnsibleError):
-        ex_msg = ' '.join((ex.message, ex._help_text)).strip()
+        ex_msg = ' '.join((ex.message, ex._help_text or '')).strip()
     else:
         ex_msg = str(ex)
 
@@ -112,17 +109,17 @@ from ansible.module_utils.six import string_types
 from ansible.module_utils.common.text.converters import to_bytes, to_text
 from ansible.module_utils.common.collections import is_sequence
 from ansible.module_utils.common.file import is_executable
-from ansible.module_utils.common.process import get_bin_path
 from ansible.parsing.dataloader import DataLoader
 from ansible.parsing.vault import PromptVaultSecret, get_file_vault_secret, VaultSecretsContext
 from ansible.plugins.loader import add_all_plugin_dirs, init_plugin_loader
 from ansible.release import __version__
-from ansible.utils._ssh_agent import SshAgentClient
 from ansible.utils.collection_loader import AnsibleCollectionConfig
 from ansible.utils.collection_loader._collection_finder import _get_collection_name_from_path
 from ansible.utils.path import unfrackpath
 from ansible.vars.manager import VariableManager
 from ansible.module_utils._internal import _deprecator
+from ansible._internal._ssh import _agent_launch
+
 
 try:
     import argcomplete
@@ -131,77 +128,6 @@ except ImportError:
     HAS_ARGCOMPLETE = False
 
 
-_SSH_AGENT_STDOUT_READ_TIMEOUT = 5  # seconds
-
-
-def _ssh_agent_timeout_handler(signum, frame):
-    raise TimeoutError
-
-
-def _launch_ssh_agent() -> None:
-    ssh_agent_cfg = C.config.get_config_value('SSH_AGENT')
-    match ssh_agent_cfg:
-        case 'none':
-            display.debug('SSH_AGENT set to none')
-            return
-        case 'auto':
-            try:
-                ssh_agent_bin = get_bin_path('ssh-agent')
-            except ValueError as e:
-                raise AnsibleError('SSH_AGENT set to auto, but cannot find ssh-agent binary') from e
-            ssh_agent_dir = os.path.join(C.DEFAULT_LOCAL_TMP, 'ssh_agent')
-            os.mkdir(ssh_agent_dir, 0o700)
-            sock = os.path.join(ssh_agent_dir, 'agent.sock')
-            display.vvv('SSH_AGENT: starting...')
-            try:
-                p = subprocess.Popen(
-                    [ssh_agent_bin, '-D', '-s', '-a', sock],
-                    stdin=subprocess.PIPE,
-                    stdout=subprocess.PIPE,
-                    stderr=subprocess.PIPE,
-                )
-            except OSError as e:
-                raise AnsibleError(
-                    f'Could not start ssh-agent: {e}'
-                ) from e
-
-            if p.poll() is not None:
-                raise AnsibleError(
-                    f'Could not start ssh-agent: rc={p.returncode} stderr="{p.stderr.read().decode()}"'
-                )
-
-            old_sigalrm_handler = signal.signal(signal.SIGALRM, _ssh_agent_timeout_handler)
-            signal.alarm(_SSH_AGENT_STDOUT_READ_TIMEOUT)
-            try:
-                stdout = p.stdout.read(13)
-            except TimeoutError:
-                stdout = b''
-            finally:
-                signal.alarm(0)
-                signal.signal(signal.SIGALRM, old_sigalrm_handler)
-
-            if stdout != b'SSH_AUTH_SOCK':
-                display.warning(
-                    f'The first 13 characters of stdout did not match the '
-                    f'expected SSH_AUTH_SOCK. This may not be the right binary, '
-                    f'or an incompatible agent: {stdout.decode()}'
-                )
-            display.vvv(f'SSH_AGENT: ssh-agent[{p.pid}] started and bound to {sock}')
-            atexit.register(p.terminate)
-        case _:
-            sock = ssh_agent_cfg
-
-    try:
-        with SshAgentClient(sock) as client:
-            client.list()
-    except Exception as e:
-        raise AnsibleError(
-            f'Could not communicate with ssh-agent using auth sock {sock}: {e}'
-        ) from e
-
-    os.environ['SSH_AUTH_SOCK'] = os.environ['ANSIBLE_SSH_AGENT'] = sock
-
-
 class CLI(ABC):
     """ code behind bin/ansible* programs """
 
@@ -636,10 +562,7 @@ class CLI(ABC):
         loader.set_vault_secrets(vault_secrets)
 
         if self.USES_CONNECTION:
-            try:
-                _launch_ssh_agent()
-            except Exception as e:
-                raise AnsibleError('Failed to launch ssh agent', orig_exc=e)
+            _agent_launch.launch_ssh_agent()
 
         # create the inventory, and filter it based on the subset specified (if any)
         inventory = InventoryManager(loader=loader, sources=options['inventory'], cache=(not options.get('flush_cache')))
@@ -750,7 +673,7 @@ class CLI(ABC):
             try:
                 raise AnsibleError("Unexpected Exception, this is probably a bug.") from ex
             except AnsibleError as ex2:
-                # DTFIX-RELEASE: clean this up so we're not hacking the internals- re-wrap in an AnsibleCLIUnhandledError that always shows TB, or?
+                # DTFIX-FUTURE: clean this up so we're not hacking the internals- re-wrap in an AnsibleCLIUnhandledError that always shows TB, or?
                 from ansible.module_utils._internal import _traceback
                 _traceback._is_traceback_enabled = lambda *_args, **_kwargs: True
                 display.error(ex2)

ansible/cli/arguments/option_helpers.py

@@ -16,10 +16,9 @@ import typing as t
 
 import yaml
 
-from jinja2 import __version__ as j2_version
-
 import ansible
 from ansible import constants as C
+from ansible._internal import _templating
 from ansible.module_utils.common.text.converters import to_native
 from ansible.module_utils.common.yaml import HAS_LIBYAML, yaml_load
 from ansible.release import __version__
@@ -313,7 +312,7 @@ def version(prog=None):
     result.append("  ansible collection location = %s" % ':'.join(C.COLLECTIONS_PATHS))
     result.append("  executable location = %s" % sys.argv[0])
     result.append("  python version = %s (%s)" % (''.join(sys.version.splitlines()), to_native(sys.executable)))
-    result.append("  jinja version = %s" % j2_version)
+    result.append(f"  jinja version = {_templating.jinja2_version}")
     result.append(f"  pyyaml version = {yaml.__version__} ({libyaml_fragment})")
 
     return "\n".join(result)
@@ -535,13 +534,17 @@ def _tagged_type_factory(name: str, func: t.Callable[[str], object], /) -> t.Cal
     def tag_value(value: str) -> object:
         result = func(value)
 
-        if result is value:
+        if result is value or func is str:
             # Values which are not mutated are automatically trusted for templating.
             # The `is` reference equality is critically important, as other types may only alter the tags, so object equality is
             # not sufficient to prevent them being tagged as trusted when they should not.
+            # Explicitly include all usages using the `str` type factory since it strips tags.
             result = TrustedAsTemplate().tag(result)
 
-        return Origin(description=f'<CLI option {name!r}>').tag(result)
+        if not (origin := Origin.get_tag(value)):
+            origin = Origin(description=f'<CLI option {name!r}>')
+
+        return origin.tag(result)
 
     tag_value._name = name  # simplify debugging by attaching the argument name to the function