Context
src/ksef2/clients/async_authenticated.py currently has _get_encryption_material() return tuple[bytes, bytes, bytes, str | None] and several callers unpack it as aes_key, iv, encrypted_key, public_key_id.
That tuple carries named workflow data, and three fields are plain bytes, so accidental ordering mistakes are not type-visible. The public get_encryption_key() can stay compatible if needed, but the internal contract should not rely on positional unpacking for named encryption material. [R14: No Dict Success Payloads]
Expected fix
Introduce a small named contract for internal encryption material, for example fields equivalent to:
aes_key: bytesiv: bytesencrypted_key: bytespublic_key_id: str | None
Use that contract through online session opening, batch session opening, and batch preparation. Keep model construction direct and local to the owning workflow instead of adding generic helpers. [R03: Build Models Directly]
Design note
Do not replace _open_online_session() with a nested _open_session() function inside online_session(). The current _AwaitableSession(self._open_online_session(...)) shape intentionally supports both await auth.online_session(...) and async with auth.online_session(...), while keeping the async orchestration in a normal method that sync generation can transform predictably. [R22: No Nested Private Functions By Default]
src/ksef2/clients/async_authenticated.py is the generator source for src/ksef2/clients/authenticated.py, so edit the async source and run just gen-sync.
Context
src/ksef2/clients/async_authenticated.pycurrently has_get_encryption_material()returntuple[bytes, bytes, bytes, str | None]and several callers unpack it asaes_key, iv, encrypted_key, public_key_id.That tuple carries named workflow data, and three fields are plain
bytes, so accidental ordering mistakes are not type-visible. The publicget_encryption_key()can stay compatible if needed, but the internal contract should not rely on positional unpacking for named encryption material. [R14: No Dict Success Payloads]Expected fix
Introduce a small named contract for internal encryption material, for example fields equivalent to:
aes_key: bytesiv: bytesencrypted_key: bytespublic_key_id: str | NoneUse that contract through online session opening, batch session opening, and batch preparation. Keep model construction direct and local to the owning workflow instead of adding generic helpers. [R03: Build Models Directly]
Design note
Do not replace
_open_online_session()with a nested_open_session()function insideonline_session(). The current_AwaitableSession(self._open_online_session(...))shape intentionally supports bothawait auth.online_session(...)andasync with auth.online_session(...), while keeping the async orchestration in a normal method that sync generation can transform predictably. [R22: No Nested Private Functions By Default]src/ksef2/clients/async_authenticated.pyis the generator source forsrc/ksef2/clients/authenticated.py, so edit the async source and runjust gen-sync.