Release v2.1.1

- Include LICENSE in source and wheel distributions.

- Redact grant tokens in renewal-failure logs.

- Validate server endpoints and connect_timeout_s before connecting.

Author: mtingers

CHANGELOG.md

@@ -5,6 +5,14 @@ All notable changes to this project will be documented in this file.
 The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.1.0/),
 and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
 
+## [v2.1.1] - 2026-05-11
+
+### Fixed
+
+- Included `LICENSE` in source and wheel distributions via package metadata.
+- Redacted grant tokens in renewal-failure logs while retaining a short diagnostic prefix.
+- Validated server endpoint shape, host, port, and `connect_timeout_s` at construction / connection time.
+
 ## [v2.1.0] - 2026-05-10
 
 ### Added
@@ -40,6 +48,7 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 
 - Removed the v1 pub/sub signal client APIs; dflockd v2 focuses this package on distributed locks and semaphores.
 
+[v2.1.1]: https://github.com/mtingers/dflockd-client-py/releases/tag/v2.1.1
 [v2.1.0]: https://github.com/mtingers/dflockd-client-py/releases/tag/v2.1.0
 [v2.0.1]: https://github.com/mtingers/dflockd-client-py/releases/tag/v2.0.1
 [v2.0.0]: https://github.com/mtingers/dflockd-client-py/releases/tag/v2.0.0

pyproject.toml

@@ -1,9 +1,10 @@
 [project]
 name = "dflockd-client"
-version = "2.1.0"
+version = "2.1.1"
 description = "dflockd python client"
 readme = "README.md"
 license = "MIT"
+license-files = ["LICENSE"]
 authors = [{ name = "Matth Ingersoll", email = "matth@mtingers.com" }]
 requires-python = ">=3.12"
 dependencies = []

src/dflockd_client/_async.py

@@ -21,6 +21,8 @@
 from .sharding import (
     DEFAULT_SERVERS,
     ShardingStrategy,
+    _validate_server_endpoint,
+    _validate_servers,
     _validate_shard_index,
     stable_hash_shard,
 )
@@ -113,6 +115,8 @@ async def open_conn(
 ) -> AsyncConn:
     """Pass ``limit`` so :meth:`StreamReader.readline` can buffer a large
     ``stats`` JSON line (asyncio's default is 64 KiB, which is too small)."""
+    proto.validate_connect_timeout_s(connect_timeout_s)
+    host, port = _validate_server_endpoint(host, port)
     reader, writer = await asyncio.wait_for(
         asyncio.open_connection(
             host,
@@ -317,6 +321,7 @@ def __post_init__(self) -> None:
         proto.validate_key("key", self.key)
         proto.validate_timeout_s("acquire_timeout_s", self.acquire_timeout_s)
         proto.validate_lease_ttl_s(self.lease_ttl_s)
+        proto.validate_connect_timeout_s(self.connect_timeout_s)
         _validate_servers(self.servers)
         _validate_renew_ratio(self.renew_ratio)
 
@@ -595,7 +600,7 @@ def _log_renew_failure(self) -> None:
             "%s lost (renew failed): key=%s token=%s",
             type(self).__name__,
             self.key,
-            self.token,
+            proto.token_for_log(self.token),
         )
 
     def _update_lease(self, remaining: int) -> None:
@@ -608,11 +613,6 @@ def _update_lease(self, remaining: int) -> None:
 # ---------------------------------------------------------------------------
 
 
-def _validate_servers(servers: list[tuple[str, int]]) -> None:
-    if not servers:
-        raise ValueError("servers must be a non-empty list")
-
-
 def _validate_renew_ratio(ratio: float) -> None:
     if not 0 < ratio < 1:
         raise ValueError("renew_ratio must be between 0 and 1 (exclusive)")

src/dflockd_client/_protocol.py

@@ -19,6 +19,7 @@
 from __future__ import annotations
 
 import json
+import math
 import re
 from typing import Any, NoReturn, TypedDict, cast
 
@@ -141,6 +142,17 @@ def validate_auth_token(token: str) -> None:
         raise ValueError(f"auth token too long (max {MAX_AUTH_TOKEN_BYTES} bytes)")
 
 
+def validate_connect_timeout_s(value: float) -> None:
+    if isinstance(value, bool) or not isinstance(value, int | float):
+        raise TypeError("connect_timeout_s must be a number")
+    if isinstance(value, float) and not math.isfinite(value):
+        raise ValueError("connect_timeout_s must be finite")
+    if value <= 0:
+        raise ValueError("connect_timeout_s must be > 0")
+    if value > MAX_PROTOCOL_SECONDS:
+        raise ValueError(f"connect_timeout_s too large (max {MAX_PROTOCOL_SECONDS})")
+
+
 def validate_prefix(prefix: str) -> None:
     if prefix not in ("", "s"):
         raise ValueError(f"cmd_prefix must be '' or 's', got {prefix!r}")
@@ -194,6 +206,15 @@ def fence_from_token(token: str) -> int:
     return int(token[:16], 16)
 
 
+def token_for_log(token: str | None) -> str:
+    """Return a non-sensitive token label for diagnostic logs."""
+    if token is None:
+        return "<none>"
+    if len(token) <= 8:
+        return "<redacted>"
+    return f"{token[:8]}..."
+
+
 # ---------------------------------------------------------------------------
 # Encoders
 # ---------------------------------------------------------------------------

src/dflockd_client/_sync.py

@@ -31,6 +31,8 @@
 from .sharding import (
     DEFAULT_SERVERS,
     ShardingStrategy,
+    _validate_server_endpoint,
+    _validate_servers,
     _validate_shard_index,
     stable_hash_shard,
 )
@@ -133,6 +135,8 @@ def open_conn(
     The returned conn has ``connect_timeout_s`` set as its initial socket
     timeout; protocol functions override it per call.
     """
+    proto.validate_connect_timeout_s(connect_timeout_s)
+    host, port = _validate_server_endpoint(host, port)
     sock = _open_socket(host, port, connect_timeout_s, ssl_context)
     return SyncConn(sock)
 
@@ -365,6 +369,7 @@ def __post_init__(self) -> None:
         proto.validate_key("key", self.key)
         proto.validate_timeout_s("acquire_timeout_s", self.acquire_timeout_s)
         proto.validate_lease_ttl_s(self.lease_ttl_s)
+        proto.validate_connect_timeout_s(self.connect_timeout_s)
         _validate_servers(self.servers)
         _validate_renew_ratio(self.renew_ratio)
 
@@ -649,7 +654,7 @@ def _log_renew_failure(self, stop_event: threading.Event | None = None) -> None:
             "%s lost (renew failed): key=%s token=%s",
             type(self).__name__,
             self.key,
-            self.token,
+            proto.token_for_log(self.token),
         )
 
     def _update_lease(self, remaining: int) -> None:
@@ -662,11 +667,6 @@ def _update_lease(self, remaining: int) -> None:
 # ---------------------------------------------------------------------------
 
 
-def _validate_servers(servers: list[tuple[str, int]]) -> None:
-    if not servers:
-        raise ValueError("servers must be a non-empty list")
-
-
 def _validate_renew_ratio(ratio: float) -> None:
     if not 0 < ratio < 1:
         raise ValueError("renew_ratio must be between 0 and 1 (exclusive)")

src/dflockd_client/sharding.py

@@ -10,6 +10,30 @@
 ShardingStrategy = Callable[[str, int], int]
 
 DEFAULT_SERVERS: tuple[tuple[str, int], ...] = (("127.0.0.1", 6388),)
+MAX_TCP_PORT = 65535
+
+
+def _validate_server_endpoint(host: object, port: object) -> tuple[str, int]:
+    if not isinstance(host, str):
+        raise TypeError("server host must be a string")
+    if host == "":
+        raise ValueError("server host must not be empty")
+    if any(c in host for c in (" ", "\t", "\n", "\r")):
+        raise ValueError("server host must not contain whitespace")
+    if isinstance(port, bool) or not isinstance(port, int):
+        raise TypeError("server port must be an integer")
+    if not 0 < port <= MAX_TCP_PORT:
+        raise ValueError(f"server port must be between 1 and {MAX_TCP_PORT}")
+    return host, port
+
+
+def _validate_servers(servers: object) -> None:
+    if not isinstance(servers, list | tuple) or not servers:
+        raise ValueError("servers must be a non-empty list or tuple")
+    for server in servers:
+        if not isinstance(server, tuple) or len(server) != 2:
+            raise TypeError("servers must contain (host, port) tuples")
+        _validate_server_endpoint(server[0], server[1])
 
 
 def _validate_shard_index(index: object, num_servers: int) -> int:

tests/test_async_unit.py

@@ -381,6 +381,21 @@ def test_empty_servers(self):
         with pytest.raises(ValueError, match="non-empty"):
             da.DistributedLock(key="k", servers=[])
 
+    def test_invalid_server_shape_raises_at_construction(self):
+        with pytest.raises(TypeError, match="\\(host, port\\)"):
+            da.DistributedLock(
+                key="k",
+                servers=("127.0.0.1", 6388),  # type: ignore[arg-type]
+            )
+
+    def test_invalid_server_port_raises_at_construction(self):
+        with pytest.raises(ValueError, match="server port"):
+            da.DistributedLock(key="k", servers=[("127.0.0.1", 70000)])
+
+    def test_invalid_connect_timeout_raises_at_construction(self):
+        with pytest.raises(ValueError, match="connect_timeout_s"):
+            da.DistributedLock(key="k", connect_timeout_s=0)
+
     def test_renew_ratio_out_of_range(self):
         with pytest.raises(ValueError, match="renew_ratio"):
             da.DistributedLock(key="k", renew_ratio=1.0)
@@ -465,6 +480,16 @@ async def _proto_renew(self, conn: da.AsyncConn, token: str) -> int:
         assert lock.lease == 0
         assert cast(FakeConn, conn).closed is True
 
+    def test_renew_failure_log_redacts_token(self, caplog):
+        lock = da.DistributedLock(key="k")
+        lock.token = "0123456789abcdef0123456789abcdef"
+
+        with caplog.at_level("ERROR", logger="dflockd_client"):
+            lock._log_renew_failure()
+
+        assert "01234567..." in caplog.text
+        assert lock.token not in caplog.text
+
 
 class TestAsyncLifecycleCancellation:
     async def test_release_cancellation_still_clears_state(self):

tests/test_protocol.py

@@ -189,6 +189,29 @@ def test_rejects_too_long(self):
             proto.validate_auth_token("x" * (proto.MAX_AUTH_TOKEN_BYTES + 1))
 
 
+class TestValidateConnectTimeoutS:
+    def test_accepts_int_or_float(self):
+        proto.validate_connect_timeout_s(1)
+        proto.validate_connect_timeout_s(0.5)
+
+    def test_rejects_non_number(self):
+        with pytest.raises(TypeError, match="must be a number"):
+            proto.validate_connect_timeout_s("1")  # type: ignore[arg-type]
+
+    def test_rejects_bool(self):
+        with pytest.raises(TypeError, match="must be a number"):
+            proto.validate_connect_timeout_s(True)  # type: ignore[arg-type]
+
+    @pytest.mark.parametrize("bad", [0, -1, float("inf"), float("nan")])
+    def test_rejects_non_positive_or_non_finite(self, bad):
+        with pytest.raises(ValueError):
+            proto.validate_connect_timeout_s(bad)
+
+    def test_rejects_too_large(self):
+        with pytest.raises(ValueError, match="too large"):
+            proto.validate_connect_timeout_s(proto.MAX_PROTOCOL_SECONDS + 1)
+
+
 # ---------------------------------------------------------------------------
 # fence_from_token
 # ---------------------------------------------------------------------------
@@ -245,6 +268,20 @@ def test_is_re_exported_from_package(self):
         assert fence_from_token("0000000000000001" + "0" * 16) == 1
 
 
+class TestTokenForLog:
+    def test_none(self):
+        assert proto.token_for_log(None) == "<none>"
+
+    def test_short_token(self):
+        assert proto.token_for_log("short") == "<redacted>"
+
+    def test_long_token_redacts_tail(self):
+        token = "0123456789abcdef0123456789abcdef"
+        label = proto.token_for_log(token)
+        assert label == "01234567..."
+        assert token not in label
+
+
 # ---------------------------------------------------------------------------
 # encode_lines
 # ---------------------------------------------------------------------------

tests/test_sharding.py

@@ -2,7 +2,12 @@
 
 import pytest
 
-from dflockd_client.sharding import DEFAULT_SERVERS, stable_hash_shard
+from dflockd_client.sharding import (
+    DEFAULT_SERVERS,
+    _validate_server_endpoint,
+    _validate_servers,
+    stable_hash_shard,
+)
 
 
 class TestStableHashShard:
@@ -31,3 +36,43 @@ def test_distribution(self):
 
 def test_default_servers():
     assert DEFAULT_SERVERS == (("127.0.0.1", 6388),)
+
+
+class TestValidateServerEndpoint:
+    def test_valid(self):
+        assert _validate_server_endpoint("127.0.0.1", 6388) == ("127.0.0.1", 6388)
+
+    @pytest.mark.parametrize("host", ["", "bad host", "bad\nhost"])
+    def test_rejects_bad_host(self, host):
+        with pytest.raises(ValueError):
+            _validate_server_endpoint(host, 6388)
+
+    def test_rejects_non_string_host(self):
+        with pytest.raises(TypeError):
+            _validate_server_endpoint(127001, 6388)
+
+    @pytest.mark.parametrize("port", [0, -1, 65536])
+    def test_rejects_out_of_range_port(self, port):
+        with pytest.raises(ValueError):
+            _validate_server_endpoint("127.0.0.1", port)
+
+    @pytest.mark.parametrize("port", [True, "6388"])
+    def test_rejects_non_int_port(self, port):
+        with pytest.raises(TypeError):
+            _validate_server_endpoint("127.0.0.1", port)
+
+
+class TestValidateServers:
+    def test_valid_list(self):
+        _validate_servers([("127.0.0.1", 6388)])
+
+    def test_valid_tuple(self):
+        _validate_servers((("127.0.0.1", 6388),))
+
+    def test_rejects_empty(self):
+        with pytest.raises(ValueError, match="non-empty"):
+            _validate_servers([])
+
+    def test_rejects_single_endpoint_tuple(self):
+        with pytest.raises(TypeError, match="\\(host, port\\)"):
+            _validate_servers(("127.0.0.1", 6388))

tests/test_sync_unit.py

@@ -312,6 +312,21 @@ def test_empty_servers_raises(self):
         with pytest.raises(ValueError, match="non-empty"):
             ds.DistributedLock(key="k", servers=[])
 
+    def test_invalid_server_shape_raises_at_construction(self):
+        with pytest.raises(TypeError, match="\\(host, port\\)"):
+            ds.DistributedLock(
+                key="k",
+                servers=("127.0.0.1", 6388),  # type: ignore[arg-type]
+            )
+
+    def test_invalid_server_port_raises_at_construction(self):
+        with pytest.raises(ValueError, match="server port"):
+            ds.DistributedLock(key="k", servers=[("127.0.0.1", 70000)])
+
+    def test_invalid_connect_timeout_raises_at_construction(self):
+        with pytest.raises(ValueError, match="connect_timeout_s"):
+            ds.DistributedLock(key="k", connect_timeout_s=0)
+
     def test_renew_ratio_out_of_range(self):
         with pytest.raises(ValueError, match="renew_ratio"):
             ds.DistributedLock(key="k", renew_ratio=0)
@@ -432,6 +447,16 @@ def test_stopping_renew_failure_still_drops_broken_connection(self):
         assert lock.lease == 0
         assert cast(FakeConn, conn).closed is True
 
+    def test_renew_failure_log_redacts_token(self, caplog):
+        lock = ds.DistributedLock(key="k")
+        lock.token = "0123456789abcdef0123456789abcdef"
+
+        with caplog.at_level("ERROR", logger="dflockd_client"):
+            lock._log_renew_failure()
+
+        assert "01234567..." in caplog.text
+        assert lock.token not in caplog.text
+
     def test_old_renew_thread_stops_after_stop_event_replaced(self, monkeypatch):
         first_started = threading.Event()
         release_first = threading.Event()