fix: remove truststore.SSLContext injection to fix InsecureRequestWarning

[Leundai]

Summary

Removes the truststore.SSLContext(ssl.PROTOCOL_TLS_CLIENT) injection from SslBypassRequestsAdapter.init_poolmanager() to fix InsecureRequestWarning reported by users streaming via the Python client on macOS.

SSL verification continues to work through the standard requests/urllib3 flow: the verify parameter (certifi CA bundle or custom trust_store_path) is already passed on every request by the conjure client.

Context

Users reported:

urllib3/connectionpool.py:1097: InsecureRequestWarning: Unverified HTTPS request is being made to host 'api.gov.nominal.io'

The truststore.SSLContext wrapper stores an internal _ctx and delegates wrap_socket to it. When urllib3 sets/reads verify_mode on the wrapper to track verification status (is_verified), this can interact poorly with the wrapper's internal context on certain platforms. The truststore library has a known open issue with this adapter pattern on macOS: sethmlarson/truststore#167

What changed

• Removed truststore.SSLContext(ssl.PROTOCOL_TLS_CLIENT) injection from SslBypassRequestsAdapter.init_poolmanager()
• Removed now-unused import ssl and import truststore
• Updated docstrings

Important review considerations

1. Corporate network regression risk: The truststore SSLContext was added in feat: allow using truststore for ssl bypass #472 specifically to support corporate networks with custom CAs in their system trust store. This change means those users would need to either pass a trust_store_path explicitly or call truststore.inject_into_ssl() in their application. Reviewers should assess whether this trade-off is acceptable.

2. Root cause was not reproduced: The warning could not be reproduced on Linux (only reported on macOS + Python 3.13). The fix is based on code analysis + the upstream truststore#167 issue, not a confirmed reproduction.

3. truststore dependency is now unused but still listed in pyproject.toml — could be cleaned up in a follow-up.

4. SslBypassRequestsAdapter class name is now misleading since it no longer does anything SSL-related (just keep-alive). Renaming deferred to avoid scope creep.

---

Link to Devin run | Requested by: @Leundai

[devin-ai-integration]

Original prompt from Leo

SYSTEM:
=== BEGIN THREAD HISTORY (in #sw-python) ===
Charlie Kniffin (U07UPU73S3Y): I am using the client to stream, how do I make this stop

```/Users/charles/github/mavstream/.venv/lib/python3.13/site-packages/urllib3/connectionpool.py:1097: InsecureRequestWarning: Unverified HTTPS request is being made to host '<http://api.gov.nominal.io|api.gov.nominal.io>'. Adding certificate verification is strongly advised. See: <https://urllib3.readthedocs.io/en/latest/advanced-usage.html#tls-warnings>
  warnings.warn(```

Drake Eidukas (U07KPQL651B): The link tells you how

Drake Eidukas (U07KPQL651B): There's a bug somewhere introduced by us bumping a version of requests for a cve thing haven't had time to think about the warnings.

Alexander Reynolds (U07GQQ898RH): sorry just driving by here but if this warning is correct (i.e. if by default we are doing https request with no cert verification), this is unacceptable and needs to be addressed ASAP.

Leonardo Galindo-Frias (U098QFQP275): @Devin please replicate or find where this wanting is occurring in our client and prevent this from happening again.

provide some insight into what you've tested and or hypothesis you've formed
=== END THREAD HISTORY ===

Thread URL: https://nominal-io.slack.com/archives/C071TVD0GLC/p1770848143842509?thread_ts=1770848143.842509&cid=C071TVD0GLC

The latest message is the one right above that tagged you.

[devin-ai-integration]

🤖 Devin AI Engineer

I'll be helping with this pull request! Here's what you should know:

✅ I will automatically:

• Address comments on this PR that start with 'DevinAI' or '@devin'.
• Look at CI failures and help fix them

Note: I can only respond to comments from users who have write access to this repository.

⚙️ Control Options:

• Disable automatic comment and CI monitoring

[devin-ai-integration]

✅ Devin Review: No Issues Found

Devin Review analyzed this PR and found no potential bugs to report.

View in Devin Review to see 4 additional findings.

[greptile-apps]

Greptile Overview

Greptile Summary

Removes truststore.SSLContext(ssl.PROTOCOL_TLS_CLIENT) injection from SslBypassRequestsAdapter.init_poolmanager() to fix InsecureRequestWarning on macOS + Python 3.13, caused by a known incompatibility between truststore's SSLContext wrapper and urllib3's is_verified tracking (truststore#167).

• SSL verification is preserved through the standard requests/urllib3 flow: verify (certifi CA bundle or custom trust_store_path) is passed on every request by the conjure client and multipart upload paths.
• Corporate network users with custom CAs can still use trust_store_path or call truststore.inject_into_ssl() at application startup.
• The truststore dependency in pyproject.toml is now unused and should be cleaned up in a follow-up.

Confidence Score: 4/5

• This PR is safe to merge; SSL verification is preserved through the standard requests/urllib3 verify parameter flow.
• The change is well-motivated by a known upstream issue (truststore#167). Code analysis confirms SSL verification is fully handled by the standard verify parameter passed through the conjure client and multipart upload paths. The only concern is the unused truststore dependency left in pyproject.toml, which is minor and acknowledged for follow-up.
• No files require special attention. The single changed file is straightforward — removal of SSL context injection with updated docstrings.

Important Files Changed

Filename	Overview
nominal/core/_utils/networking.py	Removes truststore.SSLContext injection from SslBypassRequestsAdapter.init_poolmanager() to fix InsecureRequestWarning on macOS. SSL verification continues to work through the standard requests/urllib3 verify parameter flow. The truststore dependency remains in pyproject.toml as unused.