From f82fff91b6c57d2831f820a0393f9130f29baa31 Mon Sep 17 00:00:00 2001 From: Saurabh Jain Date: Fri, 10 Jul 2026 02:11:10 +0200 Subject: [PATCH 1/2] fix(examples): pin poms to SDK 8.5.1; fail loud on tenant-mismatch 403 Release-gate smoke against a live enterprise stack (v9.6.1, epic #2861) surfaced two example-level issues: - Example poms pinned stale SDK versions (basic at 6.1.0, the rest at 8.5.0), so smoke runs resolved remote Maven artifacts instead of the locally built 8.5.1 under test. Pin all four to 8.5.1. - basic swallowed a 403 tenant-mismatch rejection as a policy block and exited 0: the agent's error body carries a literal "blocked":false key, which trips the SDK's handleErrorResponse body.contains("blocked") heuristic and misclassifies the 403 as PolicyViolationException. Until the library fix ships, the example treats a Tenant mismatch message as the auth failure it is and exits 1 with a pointer to the AXONFLOW_CLIENT_ID/user-token tenant pairing requirement. Verified against the live stack: all four examples exit 0 with real LLM round-trips, and basic exits 1 on a deliberately mismatched client-id/token pairing. Signed-off-by: Saurabh Jain --- examples/basic/pom.xml | 2 +- .../java/com/getaxonflow/examples/Basic.java | 16 ++++++++++++++-- examples/explain-decision/pom.xml | 2 +- examples/list-decisions/pom.xml | 2 +- examples/wcp-retry-idempotency/pom.xml | 2 +- 5 files changed, 18 insertions(+), 6 deletions(-) diff --git a/examples/basic/pom.xml b/examples/basic/pom.xml index cc1252d..321c610 100644 --- a/examples/basic/pom.xml +++ b/examples/basic/pom.xml @@ -24,7 +24,7 @@ com.getaxonflow axonflow-sdk - 6.1.0 + 8.5.1 diff --git a/examples/basic/src/main/java/com/getaxonflow/examples/Basic.java b/examples/basic/src/main/java/com/getaxonflow/examples/Basic.java index f8f5c67..fb59b84 100644 --- a/examples/basic/src/main/java/com/getaxonflow/examples/Basic.java +++ b/examples/basic/src/main/java/com/getaxonflow/examples/Basic.java @@ -107,8 +107,20 @@ private static void proxyLLMCallStep(AxonFlow client, String clientId) { System.out.printf(" Success: %s%n", response.isSuccess()); System.out.printf(" Blocked: %s%n", response.isBlocked()); } catch (PolicyViolationException e) { - // Policy block is a valid outcome — community policies can match - // the demo query depending on configuration. + // SDK <= 8.5.1 misclassifies 403 auth rejections as policy + // violations: every agent error body carries a literal + // "blocked":false key, which trips handleErrorResponse's + // body.contains("blocked") heuristic. Until the library fix + // ships, treat tenant mismatch as the auth failure it is — + // otherwise a wrong AXONFLOW_CLIENT_ID (it must match the + // user token's tenant) sails through the smoke with exit 0. + if (e.getMessage() != null && e.getMessage().contains("Tenant mismatch")) { + System.err.println("proxyLLMCall failed (auth): " + e.getMessage() + + " — AXONFLOW_CLIENT_ID must match the user token's tenant"); + System.exit(1); + } + // Genuine policy block is a valid outcome — community policies + // can match the demo query depending on configuration. System.out.printf(" Blocked by policy: %s%n", e.getMessage()); } catch (AuthenticationException | ConnectionException e) { // These are real failures: bad creds or stack down. Fail loud. diff --git a/examples/explain-decision/pom.xml b/examples/explain-decision/pom.xml index 5f68122..c8453e8 100644 --- a/examples/explain-decision/pom.xml +++ b/examples/explain-decision/pom.xml @@ -25,7 +25,7 @@ com.getaxonflow axonflow-sdk - 8.5.0 + 8.5.1 diff --git a/examples/list-decisions/pom.xml b/examples/list-decisions/pom.xml index fd1aab1..5b1c46b 100644 --- a/examples/list-decisions/pom.xml +++ b/examples/list-decisions/pom.xml @@ -24,7 +24,7 @@ com.getaxonflow axonflow-sdk - 8.5.0 + 8.5.1 diff --git a/examples/wcp-retry-idempotency/pom.xml b/examples/wcp-retry-idempotency/pom.xml index 11f313f..0197587 100644 --- a/examples/wcp-retry-idempotency/pom.xml +++ b/examples/wcp-retry-idempotency/pom.xml @@ -22,7 +22,7 @@ com.getaxonflow axonflow-sdk - 8.5.0 + 8.5.1 From b536a78691fd48529547f0ee639145c5ddcc1758 Mon Sep 17 00:00:00 2001 From: Saurabh Jain Date: Fri, 10 Jul 2026 02:15:49 +0200 Subject: [PATCH 2/2] chore(ci): retrigger DoD gate after skip-runtime-e2e escape hatch No-diff commit: the DoD workflow only runs on opened/synchronize/reopened, so the [skip-runtime-e2e] title + justification body edit needs a fresh synchronize event to be evaluated against the updated payload. Signed-off-by: Saurabh Jain