[v4] S3/Valkey helpers reject delimiter characters in tenantID — may break existing key patterns

## Context

In the v4 unification (PR #336), the S3 and Valkey tenant-key helpers added validation that rejects tenant IDs containing delimiter characters.

## Where to change

### S3 helpers
**File:** `commons/tenant-manager/s3/objectstorage.go` (v4.0.0-beta.2)

**Line 34** (`GetObjectStorageKey`):
```go
if strings.Contains(tenantID, "/") {
    return "", fmt.Errorf("tenantID must not contain path delimiter '/': %q", tenantID)
}
```

**Line 81** (`StripObjectStoragePrefix`):
```go
if strings.Contains(tenantID, "/") {
    return "", fmt.Errorf("tenantID must not contain path delimiter '/': %q", tenantID)
}
```

### Valkey helpers
**File:** `commons/tenant-manager/valkey/keys.go` (v4.0.0-beta.2)

**Line 26** (`GetKey`):
```go
if strings.Contains(tenantID, ":") {
    return "", fmt.Errorf("tenantID must not contain delimiter character ':': %q", tenantID)
}
```

**Line 55** (`GetPattern`):
```go
if strings.Contains(tenantID, ":") {
    return "", fmt.Errorf("tenantID must not contain delimiter character ':': %q", tenantID)
}
```

**Line 84** (`StripTenantPrefix`):
```go
if strings.Contains(tenantID, ":") {
    return "", fmt.Errorf("tenantID must not contain delimiter character ':': %q", tenantID)
}
```

### Affected consumers
- **fetcher** (v1.18.0) already uses `valkey.GetKeyFromContext` and `tms3.GetObjectStorageKeyForTenant` in multi-tenant code — needs to update all call sites from `string` to `(string, error)`

## Problem

### Breaking API change
v3 functions return `string`. v4 functions return `(string, error)`. Every call site needs to handle the new error return.

### Potential data compatibility issue
Current WorkOS tenant ID format (`org_xxx`) does not contain `/` or `:`, so validation passes. But this constraint is undocumented and could break if tenant ID format ever changes.

## Suggestion
- Document tenant ID character constraints in migration guide
- Consider making delimiter validation configurable or a warning during migration period
- Add a `ValidateTenantID()` function for use at tenant creation time (fail early) rather than at every key operation

## Raised by
Jefferson Rodrigues (CTO) during multi-tenant task force review.

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

[v4] S3/Valkey helpers reject delimiter characters in tenantID — may break existing key patterns #346

Context

Where to change

S3 helpers

Valkey helpers

Affected consumers

Problem

Breaking API change

Potential data compatibility issue

Suggestion

Raised by

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development

[v4] S3/Valkey helpers reject delimiter characters in tenantID — may break existing key patterns #346

Description

Context

Where to change

S3 helpers

Valkey helpers

Affected consumers

Problem

Breaking API change

Potential data compatibility issue

Suggestion

Raised by

Metadata

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development

Issue actions