flwr 1.21.0__py3-none-any.whl → 1.23.0__py3-none-any.whl

flwr/clientapp/mod/centraldp_mods.py

@@ -16,13 +16,26 @@
 
 
 from collections import OrderedDict
-from logging import INFO, WARN
+from logging import ERROR, INFO
 from typing import cast
 
-from flwr.client.typing import ClientAppCallable
-from flwr.common import Array, ArrayRecord, Context, Message, MessageType, log
-from flwr.common.differential_privacy import compute_clip_model_update
-from flwr.common.differential_privacy_constants import KEY_CLIPPING_NORM
+from flwr.app import Error
+from flwr.clientapp.typing import ClientAppCallable
+from flwr.common import (
+    Array,
+    ArrayRecord,
+    ConfigRecord,
+    Context,
+    Message,
+    MetricRecord,
+    log,
+)
+from flwr.common.constant import ErrorCode
+from flwr.common.differential_privacy import (
+    compute_adaptive_clip_model_update,
+    compute_clip_model_update,
+)
+from flwr.common.differential_privacy_constants import KEY_CLIPPING_NORM, KEY_NORM_BIT
 
 
 # pylint: disable=too-many-return-statements
@@ -46,33 +59,15 @@ def fixedclipping_mod(
 
     Typically, fixedclipping_mod should be the last to operate on params.
     """
-    if msg.metadata.message_type != MessageType.TRAIN:
-        return call_next(msg, ctxt)
-
     if len(msg.content.array_records) != 1:
-        log(
-            WARN,
-            "fixedclipping_mod is designed to work with a single ArrayRecord. "
-            "Skipping.",
-        )
-        return call_next(msg, ctxt)
-
+        return _handle_multi_record_err("fixedclipping_mod", msg, ArrayRecord)
     if len(msg.content.config_records) != 1:
-        log(
-            WARN,
-            "fixedclipping_mod is designed to work with a single ConfigRecord. "
-            "Skipping.",
-        )
-        return call_next(msg, ctxt)
+        return _handle_multi_record_err("fixedclipping_mod", msg, ConfigRecord)
 
     # Get keys in the single ConfigRecord
     keys_in_config = set(next(iter(msg.content.config_records.values())).keys())
     if KEY_CLIPPING_NORM not in keys_in_config:
-        raise KeyError(
-            f"The {KEY_CLIPPING_NORM} value is not supplied by the "
-            f"`DifferentialPrivacyClientSideFixedClipping` wrapper at"
-            f" the server side."
-        )
+        return _handle_no_key_err("fixedclipping_mod", msg)
     # Record array record communicated to client and clipping norm
     original_array_record = next(iter(msg.content.array_records.values()))
     clipping_norm = cast(
@@ -86,26 +81,16 @@ def fixedclipping_mod(
     if out_msg.has_error():
         return out_msg
 
-    # Ensure there is a single ArrayRecord
+    # Ensure reply has a single ArrayRecord
     if len(out_msg.content.array_records) != 1:
-        log(
-            WARN,
-            "fixedclipping_mod is designed to work with a single ArrayRecord. "
-            "Skipping.",
-        )
-        return out_msg
+        return _handle_multi_record_err("fixedclipping_mod", out_msg, ArrayRecord)
 
     new_array_record_key, client_to_server_arrecord = next(
         iter(out_msg.content.array_records.items())
     )
     # Ensure keys in returned ArrayRecord match those in the one sent from server
-    if set(original_array_record.keys()) != set(client_to_server_arrecord.keys()):
-        log(
-            WARN,
-            "fixedclipping_mod: Keys in ArrayRecord must match those from the model "
-            "that the ClientApp received. Skipping.",
-        )
-        return out_msg
+    if list(original_array_record.keys()) != list(client_to_server_arrecord.keys()):
+        return _handle_array_key_mismatch_err("fixedclipping_mod", out_msg)
 
     client_to_server_ndarrays = client_to_server_arrecord.to_numpy_ndarrays()
     # Clip the client update
@@ -130,3 +115,134 @@ def fixedclipping_mod(
         )
     )
     return out_msg
+
+
+def adaptiveclipping_mod(
+    msg: Message, ctxt: Context, call_next: ClientAppCallable
+) -> Message:
+    """Client-side adaptive clipping modifier.
+
+    This mod needs to be used with the DifferentialPrivacyClientSideAdaptiveClipping
+    server-side strategy wrapper.
+
+    The wrapper sends the clipping_norm value to the client.
+
+    This mod clips the client model updates before sending them to the server.
+
+    It also sends KEY_NORM_BIT to the server for computing the new clipping value.
+
+    It operates on messages of type `MessageType.TRAIN`.
+
+    Notes
+    -----
+    Consider the order of mods when using multiple.
+
+    Typically, adaptiveclipping_mod should be the last to operate on params.
+    """
+    if len(msg.content.array_records) != 1:
+        return _handle_multi_record_err("adaptiveclipping_mod", msg, ArrayRecord)
+    if len(msg.content.config_records) != 1:
+        return _handle_multi_record_err("adaptiveclipping_mod", msg, ConfigRecord)
+
+    # Get keys in the single ConfigRecord
+    keys_in_config = set(next(iter(msg.content.config_records.values())).keys())
+    if KEY_CLIPPING_NORM not in keys_in_config:
+        return _handle_no_key_err("adaptiveclipping_mod", msg)
+
+    # Record array record communicated to client and clipping norm
+    original_array_record = next(iter(msg.content.array_records.values()))
+    clipping_norm = cast(
+        float, next(iter(msg.content.config_records.values()))[KEY_CLIPPING_NORM]
+    )
+
+    # Call inner app
+    out_msg = call_next(msg, ctxt)
+
+    # Check if the msg has error
+    if out_msg.has_error():
+        return out_msg
+
+    # Ensure reply has a single ArrayRecord
+    if len(out_msg.content.array_records) != 1:
+        return _handle_multi_record_err("adaptiveclipping_mod", out_msg, ArrayRecord)
+
+    # Ensure reply has a single MetricRecord
+    if len(out_msg.content.metric_records) != 1:
+        return _handle_multi_record_err("adaptiveclipping_mod", out_msg, MetricRecord)
+
+    new_array_record_key, client_to_server_arrecord = next(
+        iter(out_msg.content.array_records.items())
+    )
+
+    # Ensure keys in returned ArrayRecord match those in the one sent from server
+    if list(original_array_record.keys()) != list(client_to_server_arrecord.keys()):
+        return _handle_array_key_mismatch_err("adaptiveclipping_mod", out_msg)
+
+    client_to_server_ndarrays = client_to_server_arrecord.to_numpy_ndarrays()
+    # Clip the client update
+    norm_bit = compute_adaptive_clip_model_update(
+        client_to_server_ndarrays,
+        original_array_record.to_numpy_ndarrays(),
+        clipping_norm,
+    )
+    log(
+        INFO,
+        "adaptiveclipping_mod: ndarrays are clipped by value: %.4f.",
+        clipping_norm,
+    )
+    # Replace outgoing ArrayRecord's Array while preserving their keys
+    out_msg.content.array_records[new_array_record_key] = ArrayRecord(
+        OrderedDict(
+            {
+                k: Array(v)
+                for k, v in zip(
+                    client_to_server_arrecord.keys(), client_to_server_ndarrays
+                )
+            }
+        )
+    )
+    # Add to the MetricRecords the norm bit (recall reply messages only contain
+    # one MetricRecord)
+    metric_record_key = list(out_msg.content.metric_records.keys())[0]
+    # We cast it to `int` because MetricRecord does not support `bool` values
+    out_msg.content.metric_records[metric_record_key][KEY_NORM_BIT] = int(norm_bit)
+    return out_msg
+
+
+def _handle_err(msg: Message, reason: str) -> Message:
+    """Log and return error message."""
+    log(ERROR, reason)
+    return Message(
+        Error(code=ErrorCode.MOD_FAILED_PRECONDITION, reason=reason),
+        reply_to=msg,
+    )
+
+
+def _handle_multi_record_err(mod_name: str, msg: Message, record_type: type) -> Message:
+    """Log and return multi-record error."""
+    cnt = sum(isinstance(_, record_type) for _ in msg.content.values())
+    return _handle_err(
+        msg,
+        f"{mod_name} expects exactly one {record_type.__name__}, "
+        f"but found {cnt} {record_type.__name__}(s).",
+    )
+
+
+def _handle_no_key_err(mod_name: str, msg: Message) -> Message:
+    """Log and return no-key error."""
+    return _handle_err(
+        msg,
+        f"{mod_name} requires the key '{KEY_CLIPPING_NORM}' to be present in the "
+        "ConfigRecord, but it was not found. "
+        "Please ensure the `DifferentialPrivacyClientSideFixedClipping` wrapper "
+        "is used in the ServerApp.",
+    )
+
+
+def _handle_array_key_mismatch_err(mod_name: str, msg: Message) -> Message:
+    """Create array-key-mismatch error reasons."""
+    return _handle_err(
+        msg,
+        f"{mod_name} expects the keys in the ArrayRecord of the reply message to match "
+        "those from the ArrayRecord that the ClientApp received, but they do not.",
+    )

flwr/clientapp/mod/localdp_mod.py

@@ -0,0 +1,169 @@
+# Copyright 2025 Flower Labs GmbH. All Rights Reserved.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+# ==============================================================================
+"""Local DP modifier."""
+
+
+from collections import OrderedDict
+from logging import INFO
+
+import numpy as np
+
+from flwr.clientapp.typing import ClientAppCallable
+from flwr.common import Array, ArrayRecord
+from flwr.common.context import Context
+from flwr.common.differential_privacy import (
+    add_gaussian_noise_inplace,
+    compute_clip_model_update,
+)
+from flwr.common.logger import log
+from flwr.common.message import Message
+
+from .centraldp_mods import _handle_array_key_mismatch_err, _handle_multi_record_err
+
+
+class LocalDpMod:
+    """Modifier for local differential privacy.
+
+    This mod clips the client model updates and
+    adds noise to the params before sending them to the server.
+
+    It operates on messages of type `MessageType.TRAIN`.
+
+    Parameters
+    ----------
+    clipping_norm : float
+        The value of the clipping norm.
+    sensitivity : float
+        The sensitivity of the client model.
+    epsilon : float
+        The privacy budget.
+        Smaller value of epsilon indicates a higher level of privacy protection.
+    delta : float
+        The failure probability.
+        The probability that the privacy mechanism
+        fails to provide the desired level of privacy.
+        A smaller value of delta indicates a stricter privacy guarantee.
+
+    Examples
+    --------
+    Create an instance of the local DP mod and add it to the client-side mods::
+
+        local_dp_mod = LocalDpMod( ... )
+        app = fl.client.ClientApp(mods=[local_dp_mod])
+    """
+
+    def __init__(
+        self, clipping_norm: float, sensitivity: float, epsilon: float, delta: float
+    ) -> None:
+        if clipping_norm <= 0:
+            raise ValueError("The clipping norm should be a positive value.")
+
+        if sensitivity < 0:
+            raise ValueError("The sensitivity should be a non-negative value.")
+
+        if epsilon < 0:
+            raise ValueError("Epsilon should be a non-negative value.")
+
+        if delta < 0:
+            raise ValueError("Delta should be a non-negative value.")
+
+        self.clipping_norm = clipping_norm
+        self.sensitivity = sensitivity
+        self.epsilon = epsilon
+        self.delta = delta
+
+    def __call__(
+        self, msg: Message, ctxt: Context, call_next: ClientAppCallable
+    ) -> Message:
+        """Perform local DP on the client model parameters.
+
+        Parameters
+        ----------
+        msg : Message
+            The message received from the ServerApp.
+        ctxt : Context
+            The context of the ClientApp.
+        call_next : ClientAppCallable
+            The callable to call the next mod (or the ClientApp) in the chain.
+
+        Returns
+        -------
+        Message
+            The modified message to be sent back to the server.
+        """
+        if len(msg.content.array_records) != 1:
+            return _handle_multi_record_err("LocalDpMod", msg, ArrayRecord)
+
+        # Record array record communicated to client and clipping norm
+        original_array_record = next(iter(msg.content.array_records.values()))
+
+        # Call inner app
+        out_msg = call_next(msg, ctxt)
+
+        # Check if the msg has error
+        if out_msg.has_error():
+            return out_msg
+
+        # Ensure reply has a single ArrayRecord
+        if len(out_msg.content.array_records) != 1:
+            return _handle_multi_record_err("LocalDpMod", out_msg, ArrayRecord)
+
+        new_array_record_key, client_to_server_arrecord = next(
+            iter(out_msg.content.array_records.items())
+        )
+
+        # Ensure keys in returned ArrayRecord match those in the one sent from server
+        if list(original_array_record.keys()) != list(client_to_server_arrecord.keys()):
+            return _handle_array_key_mismatch_err("LocalDpMod", out_msg)
+
+        client_to_server_ndarrays = client_to_server_arrecord.to_numpy_ndarrays()
+
+        # Clip the client update
+        compute_clip_model_update(
+            client_to_server_ndarrays,
+            original_array_record.to_numpy_ndarrays(),
+            self.clipping_norm,
+        )
+        log(
+            INFO,
+            "LocalDpMod: parameters are clipped by value: %.4f.",
+            self.clipping_norm,
+        )
+
+        std_dev = (
+            self.sensitivity * np.sqrt(2 * np.log(1.25 / self.delta)) / self.epsilon
+        )
+        add_gaussian_noise_inplace(
+            client_to_server_ndarrays,
+            std_dev,
+        )
+        log(
+            INFO,
+            "LocalDpMod: local DP noise with %.4f stddev added to parameters",
+            std_dev,
+        )
+
+        # Replace outgoing ArrayRecord's Array while preserving their keys
+        out_msg.content[new_array_record_key] = ArrayRecord(
+            OrderedDict(
+                {
+                    k: Array(v)
+                    for k, v in zip(
+                        client_to_server_arrecord.keys(), client_to_server_ndarrays
+                    )
+                }
+            )
+        )
+        return out_msg

flwr/clientapp/typing.py

@@ -0,0 +1,22 @@
+# Copyright 2025 Flower Labs GmbH. All Rights Reserved.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+# ==============================================================================
+"""Custom types for Flower clients."""
+
+
+from typing import Callable
+
+from flwr.common import Context, Message
+
+ClientAppCallable = Callable[[Message, Context], Message]

flwr/{client/clientapp → clientapp}/utils.py

@@ -19,7 +19,7 @@ from logging import DEBUG
 from pathlib import Path
 from typing import Callable, Optional
 
-from flwr.client.client_app import ClientApp, LoadClientAppError
+from flwr.clientapp.client_app import ClientApp, LoadClientAppError
 from flwr.common.config import (
     get_flwr_dir,
     get_metadata_from_config,

flwr/common/constant.py

@@ -17,6 +17,8 @@
 
 from __future__ import annotations
 
+import os
+
 TRANSPORT_TYPE_GRPC_BIDI = "grpc-bidi"
 TRANSPORT_TYPE_GRPC_RERE = "grpc-rere"
 TRANSPORT_TYPE_GRPC_ADAPTER = "grpc-adapter"
@@ -60,7 +62,9 @@ HEARTBEAT_DEFAULT_INTERVAL = 30
 HEARTBEAT_CALL_TIMEOUT = 5
 HEARTBEAT_BASE_MULTIPLIER = 0.8
 HEARTBEAT_RANDOM_RANGE = (-0.1, 0.1)
-HEARTBEAT_MAX_INTERVAL = 1e300
+HEARTBEAT_MIN_INTERVAL = 10
+HEARTBEAT_MAX_INTERVAL = 1800  # 30 minutes
+HEARTBEAT_INTERVAL_INF = 1e300  # Large value, disabling heartbeats
 HEARTBEAT_PATIENCE = 2
 RUN_FAILURE_DETAILS_NO_HEARTBEAT = "No heartbeat received from the run."
 
@@ -70,13 +74,23 @@ NODE_ID_NUM_BYTES = 8
 
 # Constants for FAB
 APP_DIR = "apps"
-FAB_ALLOWED_EXTENSIONS = {".py", ".toml", ".md"}
 FAB_CONFIG_FILE = "pyproject.toml"
 FAB_DATE = (2024, 10, 1, 0, 0, 0)
 FAB_HASH_TRUNCATION = 8
 FAB_MAX_SIZE = 10 * 1024 * 1024  # 10 MB
 FLWR_DIR = ".flwr"  # The default Flower directory: ~/.flwr/
 FLWR_HOME = "FLWR_HOME"  # If set, override the default Flower directory
+# FAB file include patterns (gitignore-style patterns)
+FAB_INCLUDE_PATTERNS = (
+    "**/*.py",
+    "**/*.toml",
+    "**/*.md",
+)
+# FAB file exclude patterns (gitignore-style patterns)
+FAB_EXCLUDE_PATTERNS = (
+    "**/__pycache__/**",
+    FAB_CONFIG_FILE,  # Exclude the original pyproject.toml
+)
 
 # Constant for SuperLink
 SUPERLINK_NODE_ID = 1
@@ -109,14 +123,14 @@ LOG_UPLOAD_INTERVAL = 0.2  # Minimum interval between two log uploads
 # Retry configurations
 MAX_RETRY_DELAY = 20  # Maximum delay duration between two consecutive retries.
 
-# Constants for user authentication
+# Constants for account authentication
 CREDENTIALS_DIR = ".credentials"
-AUTH_TYPE_JSON_KEY = "auth-type"  # For key name in JSON file
-AUTH_TYPE_YAML_KEY = "auth_type"  # For key name in YAML file
+AUTHN_TYPE_JSON_KEY = "authn-type"  # For key name in JSON file
+AUTHN_TYPE_YAML_KEY = "authn_type"  # For key name in YAML file
 ACCESS_TOKEN_KEY = "flwr-oidc-access-token"
 REFRESH_TOKEN_KEY = "flwr-oidc-refresh-token"
 
-# Constants for user authorization
+# Constants for account authorization
 AUTHZ_TYPE_YAML_KEY = "authz_type"  # For key name in YAML file
 
 # Constants for node authentication
@@ -135,7 +149,9 @@ GC_THRESHOLD = 200_000_000  # 200 MB
 # Constants for Inflatable
 HEAD_BODY_DIVIDER = b"\x00"
 HEAD_VALUE_DIVIDER = " "
-MAX_ARRAY_CHUNK_SIZE = 20_971_520  # 20 MB
+FLWR_PRIVATE_MAX_ARRAY_CHUNK_SIZE = int(
+    os.getenv("FLWR_PRIVATE_MAX_ARRAY_CHUNK_SIZE", "5242880")
+)  # 5 MB
 
 # Constants for serialization
 INT64_MAX_VALUE = 9223372036854775807  # (1 << 63) - 1
@@ -144,8 +160,12 @@ INT64_MAX_VALUE = 9223372036854775807  # (1 << 63) - 1
 FLWR_APP_TOKEN_LENGTH = 128  # Length of the token used
 
 # Constants for object pushing and pulling
-MAX_CONCURRENT_PUSHES = 8  # Default maximum number of concurrent pushes
-MAX_CONCURRENT_PULLS = 8  # Default maximum number of concurrent pulls
+FLWR_PRIVATE_MAX_CONCURRENT_OBJ_PUSHES = int(
+    os.getenv("FLWR_PRIVATE_MAX_CONCURRENT_OBJ_PUSHES", "2")
+)  # Default maximum number of concurrent pushes
+FLWR_PRIVATE_MAX_CONCURRENT_OBJ_PULLS = int(
+    os.getenv("FLWR_PRIVATE_MAX_CONCURRENT_OBJ_PULLS", "2")
+)  # Default maximum number of concurrent pulls
 PULL_MAX_TIME = 7200  # Default maximum time to wait for pulling objects
 PULL_MAX_TRIES_PER_OBJECT = 500  # Default maximum number of tries to pull an object
 PULL_INITIAL_BACKOFF = 1  # Initial backoff time for pulling objects
@@ -154,7 +174,13 @@ PULL_BACKOFF_CAP = 10  # Maximum backoff time for pulling objects
 
 # ControlServicer constants
 RUN_ID_NOT_FOUND_MESSAGE = "Run ID not found"
-NO_USER_AUTH_MESSAGE = "ControlServicer initialized without user authentication"
+NO_ACCOUNT_AUTH_MESSAGE = "ControlServicer initialized without account authentication"
+NO_ARTIFACT_PROVIDER_MESSAGE = "ControlServicer initialized without artifact provider"
+PULL_UNFINISHED_RUN_MESSAGE = "Cannot pull artifacts for an unfinished run"
+SUPERNODE_NOT_CREATED_FROM_CLI_MESSAGE = "Invalid SuperNode credentials"
+PUBLIC_KEY_ALREADY_IN_USE_MESSAGE = "Public key already in use"
+PUBLIC_KEY_NOT_VALID = "The provided public key is not valid"
+NODE_NOT_FOUND_MESSAGE = "Node ID not found for account"
 
 
 class MessageType:
@@ -200,6 +226,7 @@ class ErrorCode:
     MESSAGE_UNAVAILABLE = 3
     REPLY_MESSAGE_UNAVAILABLE = 4
     NODE_UNAVAILABLE = 5
+    MOD_FAILED_PRECONDITION = 6
 
     def __new__(cls) -> ErrorCode:
         """Prevent instantiation."""
@@ -242,12 +269,23 @@ class CliOutputFormat:
         raise TypeError(f"{cls.__name__} cannot be instantiated.")
 
 
-class AuthType:
-    """User authentication types."""
+class AuthnType:
+    """Account authentication types."""
 
+    NOOP = "noop"
     OIDC = "oidc"
 
-    def __new__(cls) -> AuthType:
+    def __new__(cls) -> AuthnType:
+        """Prevent instantiation."""
+        raise TypeError(f"{cls.__name__} cannot be instantiated.")
+
+
+class AuthzType:
+    """Account authorization types."""
+
+    NOOP = "noop"
+
+    def __new__(cls) -> AuthzType:
         """Prevent instantiation."""
         raise TypeError(f"{cls.__name__} cannot be instantiated.")
 
@@ -278,3 +316,8 @@ class ExecPluginType:
         """Return all SuperExec plugin types."""
         # Filter all constants (uppercase) of the class
         return [v for k, v in vars(ExecPluginType).items() if k.isupper()]
+
+
+# Constants for No-op auth plugins
+NOOP_FLWR_AID = "<none>"
+NOOP_ACCOUNT_NAME = "sys_noauth"

flwr/common/exit/exit_code.py

@@ -41,10 +41,15 @@ class ExitCode:
 
     # SuperNode-specific exit codes (300-399)
     SUPERNODE_REST_ADDRESS_INVALID = 300
-    SUPERNODE_NODE_AUTH_KEYS_REQUIRED = 301
-    SUPERNODE_NODE_AUTH_KEYS_INVALID = 302
+    # SUPERNODE_NODE_AUTH_KEYS_REQUIRED = 301 --- DELETED ---
+    SUPERNODE_NODE_AUTH_KEY_INVALID = 302
+    SUPERNODE_STARTED_WITHOUT_TLS_BUT_NODE_AUTH_ENABLED = 303
 
     # SuperExec-specific exit codes (400-499)
+    SUPEREXEC_INVALID_PLUGIN_CONFIG = 400
+
+    # FlowerCLI-specific exit codes (500-599)
+    FLWRCLI_NODE_AUTH_PUBLIC_KEY_INVALID = 500
 
     # Common exit codes (600-699)
     COMMON_ADDRESS_INVALID = 600
@@ -101,17 +106,26 @@ EXIT_CODE_HELP = {
         "When using the REST API, please provide `https://` or "
         "`http://` before the server address (e.g. `http://127.0.0.1:8080`)"
     ),
-    ExitCode.SUPERNODE_NODE_AUTH_KEYS_REQUIRED: (
-        "Node authentication requires file paths to both "
-        "'--auth-supernode-private-key' and '--auth-supernode-public-key' "
-        "to be provided (providing only one of them is not sufficient)."
-    ),
-    ExitCode.SUPERNODE_NODE_AUTH_KEYS_INVALID: (
-        "Node authentication requires elliptic curve private and public key pair. "
-        "Please ensure that the file path points to a valid private/public key "
+    ExitCode.SUPERNODE_NODE_AUTH_KEY_INVALID: (
+        "Node authentication requires elliptic curve private key. "
+        "Please ensure that the file path points to a valid private key "
         "file and try again."
     ),
+    ExitCode.SUPERNODE_STARTED_WITHOUT_TLS_BUT_NODE_AUTH_ENABLED: (
+        "The private key for SuperNode authentication was provided, but TLS is not "
+        "enabled. Node authentication can only be used when TLS is enabled."
+    ),
     # SuperExec-specific exit codes (400-499)
+    ExitCode.SUPEREXEC_INVALID_PLUGIN_CONFIG: (
+        "The YAML configuration for the SuperExec plugin is invalid."
+    ),
+    # FlowerCLI-specific exit codes (500-599)
+    ExitCode.FLWRCLI_NODE_AUTH_PUBLIC_KEY_INVALID: (
+        "Node authentication requires a valid elliptic curve public key in the "
+        "SSH format and following a NIST standard elliptic curve (e.g. SECP384R1). "
+        "Please ensure that the file path points to a valid public key "
+        "file and try again."
+    ),
     # Common exit codes (600-699)
     ExitCode.COMMON_ADDRESS_INVALID: (
         "Please provide a valid URL, IPv4 or IPv6 address."