From 81977be2b40d4d2fd8ba75701f252e6581fba595 Mon Sep 17 00:00:00 2001
From: Saurabh Jain
Date: Sun, 5 Apr 2026 01:49:32 +0200
Subject: [PATCH 1/3] fix: reject client_secret without client_id to prevent wrong-tenant data

If client_secret (license key) is set without client_id, the SDK would silently use 'community' as the tenant identity. All data would be stored under the wrong tenant, causing data loss on upgrade when client_id is eventually set correctly.
---
 axonflow/client.py | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/axonflow/client.py b/axonflow/client.py
index f007534..478502c 100644
--- a/axonflow/client.py
+++ b/axonflow/client.py
@@ -390,6 +390,12 @@ def __init__(
 }
 # Always send Basic auth — server derives tenant from clientId.
 # Uses effective client_id ("community" default when not configured).
+ # Reject client_secret without client_id — licensed mode must specify tenant.
+ if client_secret and not client_id:
+ raise ValueError(
+ "client_id is required when client_secret is set. "
+ "Set client_id to your tenant identity to avoid data being stored under the wrong tenant."
+ )
 effective_client_id = client_id or "community"
 credentials = f"{effective_client_id}:{client_secret or ''}"
 encoded = base64.b64encode(credentials.encode()).decode()
From 9b701cb2070ce4e6e3f0e431c5f15bdb611609de Mon Sep 17 00:00:00 2001
From: Saurabh Jain
Date: Sun, 5 Apr 2026 01:57:49 +0200
Subject: [PATCH 2/3] fix: wrap long line to pass ruff linter (100 char limit)

---
 axonflow/client.py | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/axonflow/client.py b/axonflow/client.py
index 478502c..cd9cc4d 100644
--- a/axonflow/client.py
+++ b/axonflow/client.py
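Review bot: The new guard `if client_secret and not client_id:` in patch 1 tests truthiness only, so a whitespace-only `client_id` (for example a padded value read from configuration) still passes and is sent as the tenant identity in the Basic credentials built a few lines below. Given that the commit exists to stop data landing under an unintended tenant, consider normalising before the test, e.g. `if client_secret and not (client_id or "").strip():` (assuming `client_id` is a string), and possibly rejecting a `client_id` containing `:`, which would presumably shift the user/password split the server sees. The guard is also inserted between the two existing Basic-auth comments and the `effective_client_id` line they describe; placing it above `# Always send Basic auth` would keep those comments attached to their code. The same condition is carried unchanged through patches 2 and 3, `__init__` starts and ends outside the hunk, and no test for the new `ValueError` is visible in the series.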
@@ -394,7 +394,8 @@ def __init__(
 if client_secret and not client_id:
 raise ValueError(
 "client_id is required when client_secret is set. "
- "Set client_id to your tenant identity to avoid data being stored under the wrong tenant."
+ "Set client_id to your tenant identity to avoid "
+ "data being stored under the wrong tenant."
 )
 effective_client_id = client_id or "community"
 credentials = f"{effective_client_id}:{client_secret or ''}"
From d6d46af72abd514b8822a37235ae2c178ed6404a Mon Sep 17 00:00:00 2001
From: Saurabh Jain
Date: Sun, 5 Apr 2026 02:00:42 +0200
Subject: [PATCH 3/3] fix: assign error message to variable per ruff EM101 rule

---
 axonflow/client.py | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/axonflow/client.py b/axonflow/client.py
index cd9cc4d..8a3880a 100644
--- a/axonflow/client.py
+++ b/axonflow/client.py
@@ -392,11 +392,12 @@ def __init__(
 # Uses effective client_id ("community" default when not configured).
 # Reject client_secret without client_id — licensed mode must specify tenant.
 if client_secret and not client_id:
- raise ValueError(
+ msg = (
 "client_id is required when client_secret is set. "
 "Set client_id to your tenant identity to avoid "
 "data being stored under the wrong tenant."
 )
+ raise ValueError(msg)
 effective_client_id = client_id or "community"
 credentials = f"{effective_client_id}:{client_secret or ''}"
 encoded = base64.b64encode(credentials.encode()).decode()