Revert "release: v0.4.2"

This reverts commit 65ab758.

Author: loookashow

docs/changelog.md

@@ -5,17 +5,6 @@ All notable changes to this project will be documented in this file.
 The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.1.0/),
 and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
 
-## [Unreleased]
-
-## [0.4.2] - 2026-03-10
-
-### Fixed
-
-- **Secure Management/Flux signing with query parameters**:
-  - `SecureKeyAuth` now signs only the URL path (without query string)
-  - aligns SDK signatures with server-side verification and Management auth docs
-  - prevents `401 authentication_failed` / `Invalid signature` on requests with query params
-
 ## [0.4.1] - 2026-03-05
 
 ### Fixed
@@ -99,8 +88,6 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 - Error handling guide
 - Code examples
 
-[Unreleased]: https://github.com/foxnose/python-sdk/compare/v0.4.2...HEAD
-[0.4.2]: https://github.com/foxnose/python-sdk/compare/v0.4.1...v0.4.2
 [0.4.1]: https://github.com/foxnose/python-sdk/compare/v0.4.0...v0.4.1
 [0.4.0]: https://github.com/foxnose/python-sdk/compare/v0.3.0...v0.4.0
 [0.3.0]: https://github.com/foxnose/python-sdk/compare/v0.2.0...v0.3.0

pyproject.toml

@@ -4,7 +4,7 @@ build-backend = "hatchling.build"
 
 [project]
 name = "foxnose-sdk"
-version = "0.4.2"
+version = "0.4.1"
 description = "Official Python client for FoxNose Management and Flux APIs"
 readme = "README.md"
 license = {text = "Apache-2.0"}

src/foxnose_sdk/__init__.py

@@ -154,4 +154,4 @@
     "APIRef",
 ]
 
-__version__ = "0.4.2"
+__version__ = "0.4.1"

src/foxnose_sdk/auth/secure.py

@@ -51,9 +51,9 @@ def build_headers(self, request: RequestData) -> Mapping[str, str]:
         timestamp = self._clock().astimezone(dt.timezone.utc).replace(microsecond=0)
         timestamp_str = timestamp.strftime("%Y-%m-%dT%H:%M:%SZ")
         parsed = urlparse(request.url)
-        # Query parameters are excluded from the signature payload.
-        # Server-side verification signs request.path without querystring.
         path = parsed.path or "/"
+        if parsed.query:
+            path = f"{path}?{parsed.query}"
         body_hash = hashlib.sha256(body).hexdigest()
         data_to_sign = f"{path}|{body_hash}|{timestamp_str}".encode("utf-8")
         signature = self._private_key.sign(data_to_sign, ec.ECDSA(hashes.SHA256()))

tests/test_auth_strategies.py

@@ -52,33 +52,7 @@ def test_secure_auth_produces_verifiable_signature():
     signature_b64 = headers["Authorization"].split(":", 1)[1]
     signature = base64.b64decode(signature_b64)
     body_hash = hashlib.sha256(body).hexdigest()
-    expected = f"/api/test|{body_hash}|2024-02-20T18:00:00Z".encode("utf-8")
-    public_obj.verify(signature, expected, ec.ECDSA(hashes.SHA256()))
-
-
-def test_secure_auth_ignores_query_params_in_signature():
-    public_key, private_key, public_obj = _generate_keys()
-    fixed_time = dt.datetime(2024, 2, 20, 18, 0, 0, tzinfo=dt.timezone.utc)
-    auth = SecureKeyAuth(
-        public_key=public_key, private_key=private_key, clock=lambda: fixed_time
-    )
-    body = b""
-    request = RequestData(
-        method="GET",
-        url="https://example.com/v1/env/folders/tree/item/?path=benchmark_jobs",
-        path="/v1/env/folders/tree/item/?path=benchmark_jobs",
-        body=body,
-    )
-    headers = auth.build_headers(request)
-
-    signature_b64 = headers["Authorization"].split(":", 1)[1]
-    signature = base64.b64decode(signature_b64)
-    body_hash = hashlib.sha256(body).hexdigest()
-    expected = (
-        f"/v1/env/folders/tree/item/|{body_hash}|2024-02-20T18:00:00Z".encode(
-            "utf-8"
-        )
-    )
+    expected = f"/api/test?foo=bar|{body_hash}|2024-02-20T18:00:00Z".encode("utf-8")
     public_obj.verify(signature, expected, ec.ECDSA(hashes.SHA256()))