feat(license): inject X-Axonflow-Client header on every governed request#161
Merged
saurabhjain1592 merged 1 commit intomainfrom May 5, 2026
Merged
Conversation
Per ADR-050 §4, every governed client must set `X-Axonflow-Client: <client-id>/<version>` on every request to the agent so the agent can derive request scope (sdk) and validate it against the token's aud.scope via HasScope(). This PR: - Adds AxonFlowConfig.getClientHeader() which returns "sdk-java/<SDK_VERSION>". Sourced from the bundled SDK_VERSION; no env / config override (the consumer doesn't get to spoof its own client identity to the agent). - Stamps the header alongside User-Agent at every Request.Builder site in AxonFlow.java that already sets User-Agent (5 sites). - Stamps the header inside addAuthHeaders() so any builder that calls addAuthHeaders without explicit User-Agent (e.g. the providers listing path at AxonFlow.java:1922) also ships it. OkHttp's Builder.header() replaces, so the small overlap with the explicit per-site stamps just resets the same value. Test coverage: - ClientHeaderTest asserts X-Axonflow-Client is forwarded on proxyLLMCall and pins the agent-parseable "sdk-java/<semver>" format. - Full Maven test suite stays green: 1228 tests, 0 failures. Signed-off-by: Saurabh Jain <saurabhjain1592@gmail.com>
saurabhjain1592
added a commit
that referenced
this pull request
May 6, 2026
…se validation [skip-runtime-e2e] (#163) Companion release to platform v7.7.0. The Java SDK now sends X-Axonflow-Client: sdk-java/<version> on every governed request, which the agent (v7.7.0+) uses to derive SDK request scope and validate against any license token's audience claim per the ADR-050 license matrix. Single substantive change since v7.0.0 (#161 — header injection). Supporting commits since v7.0.0 (DCO sign-off docs, definition-of-done CI gate, v7.0.0 changelog typo correction) are infrastructure and not user-facing. No public API changes. Existing v7.0.x callers update <version>7.7.0</version> and rebuild against v7.7.0 with no source changes. Backward-compatible against pre-v7.7.0 agents (header silently dropped). [skip-runtime-e2e] — version + CHANGELOG bump only; the underlying header behavior shipped + was runtime-tested when #161 landed. Signed-off-by: Saurabh Jain <saurabhjain1592@gmail.com>
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
Per ADR-050 §4, every governed client must set
X-Axonflow-Client: <client-id>/<version>on every request to the agent.This is the sdk-java half of getaxonflow/axonflow-enterprise#1881.
Changes
AxonFlowConfig.java::getClientHeader()— new accessor returningsdk-java/<SDK_VERSION>. No config / env override (honest-99% per ADR-050 §4).AxonFlow.java— stampsX-Axonflow-Clientat everyRequest.Buildersite that already setsUser-Agent(5 sites) plus insideaddAuthHeaders()so any builder going through the central auth helper picks it up. OkHttp'sBuilder.header()replaces, so the small overlap is benign.ClientHeaderTest.java— new test (2 assertions: forwarded onproxyLLMCall+ format check).Verification
mvn test -Dtest=ClientHeaderTest— 2 / 2 passingmvn test— full suite: 1228 tests, 0 failures, 0 errors, BUILD SUCCESS