AxonFlow v8.3.0 Release Notes
Released 2026-05-27. Indonesia regulatory compliance coverage (PII detection, OJK module, UU PDP breach notification) and production-ready OTel observability exporter configurations for Datadog and Grafana. SDKs updated to v8.3.0 (Rust v0.5.0). No breaking changes.
Headline: Indonesia compliance — PII detection + OJK + UU PDP
AxonFlow now ships built-in support for Indonesian financial regulation and data protection. The pii-indonesia category detects eight national identifier patterns. The OJK enterprise module adds six compliance API endpoints. UU PDP breach notification enforces Article 46 required fields and 72-hour SLA deadlines.
PII detection (Community)
Eight context-anchored patterns in the pii-indonesia category:
| Pattern | Description |
|---|---|
| NIK (Nomor Induk Kependudukan) | National ID — 16 digits, province-code validated against 34 provinces |
| NPWP legacy | Tax ID — 15-digit format |
| NPWP new | Tax ID — 16-digit format, context-anchored |
| +62 phone | Indonesian mobile numbers |
| BCA account | Bank Central Asia account numbers |
| Mandiri account | Bank Mandiri account numbers |
| BRI account | Bank Rakyat Indonesia account numbers |
| BNI account | Bank Negara Indonesia account numbers |
All bank account and NPWP patterns are context-anchored to minimize false positives against credit card numbers, UUIDs, and timestamps.
# Test Indonesia PII detection
curl -X POST http://localhost:8080/api/policy/pre-check \
-H "Content-Type: application/json" \
-d '{
"query": "Customer NIK is 3201234567890001",
"mode": "gateway",
"client_id": "test"
}'
OJK compliance module (Enterprise)
Six API endpoints under /api/v1/ojk/:
| Endpoint | Method | Description |
|---|---|---|
/api/v1/ojk/audit/export | POST | Export audit data in JSON, CSV, or XML format |
/api/v1/ojk/audit/export/{id} | GET | Check export job status |
/api/v1/ojk/audit/retention | GET | Query retention status by data type |
/api/v1/ojk/audit/readiness | GET | Validate compliance readiness checklist |
/api/v1/ojk/breach/notify | POST | Submit UU PDP breach notification |
/api/v1/ojk/dashboard | GET | Compliance dashboard summary |
Set AXONFLOW_COMPLIANCE_REGION=ID to enforce a 1825-day (5-year) minimum retention floor per OJK AI governance requirements.
UU PDP breach notification (Enterprise)
Article 46 compliant breach notification with required fields, 72-hour SLA calculation, and MOCDA (Ministry of Communication and Digital Affairs) as default notification authority. Integrates with the OJK audit export pipeline for end-to-end compliance traceability.
Cross-border transfer audit fields (Enterprise)
New columns on audit tables for logging cross-border data transfer metadata required by Indonesian financial regulators — origin jurisdiction, destination jurisdiction, transfer basis, and data classification.
OTel Observability Exporters
Pre-built OTel Collector configurations for routing decision spans (emitted by the v8.2.0 decision tracer) to production monitoring backends.
Datadog APM
export DD_API_KEY=<your-key>
export DD_SITE=datadoghq.com
docker compose -f docker-compose.yml -f docker-compose.otel-datadog.yml up -d
All decision.*, org.id, and tenant.id span attributes are exported as Datadog APM tags, searchable in the trace explorer and usable in monitors.
Grafana + Tempo + Prometheus
docker compose -f docker-compose.yml -f docker-compose.otel-grafana.yml up -d
open http://localhost:3000 # Grafana (admin/admin)
Brings up five services: OTel Collector, Tempo (trace storage), Prometheus (metrics), Grafana (dashboards), and the AxonFlow agent. The OTel Collector's spanmetrics connector generates calls_total and duration_milliseconds Prometheus metrics from decision spans, labeled by verdict, stage, org, and tenant.
Decision Mode Grafana Dashboard
A 9-panel dashboard ships at grafana/dashboards/decision-mode-overview.json: decision rate, verdict distribution donut, error rate, latency P50/P95/P99, decisions by stage, policy trigger rate, per-tenant volume, deny rate table, and latency heatmap. Template variables $org_id and $tenant_id filter all panels.
LangSmith Trace Correlation
The W3C trace_id returned in every decision response can be passed as LangSmith run metadata for side-by-side correlation of LLM execution traces and governance decisions. No code changes on the AxonFlow side — see Observability Exporters for Python and TypeScript examples.
Industry migrations
Four new migrations under industry/banking/:
| Migration | Description |
|---|---|
| 500 | OJK compliance tables |
| 501 | OJK policy templates |
| 502 | Audit cross-border fields |
| 503 | Breach notification tables |
SDK updates
| SDK | Version | What's new |
|---|---|---|
| Python | v8.3.0 | pii-indonesia category constant, data_residency + transfer_basis audit fields |
| TypeScript | v8.3.0 | Same |
| Go | v8.3.0 | Same, plus OJKAssessment typed response for Enterprise callers |
| Java | v8.3.0 | Same |
| Rust (preview) | v0.5.0 | pii-indonesia category, cross-border audit fields |
Minimum SDK floor remains v8.0.0. Existing v8.2.0 callers keep working unchanged.
Examples
Three new curl-based examples for Indonesia compliance:
examples/indonesia-compliance/http/decision-mode-indonesia-pii.sh— PII detection via Decision Modeexamples/indonesia-compliance/http/ojk-audit-export.sh— OJK audit data exportexamples/indonesia-compliance/http/ojk-breach-notification.sh— UU PDP breach notification
Fixed
-
PII detection ordering for Indonesia patterns. Detection categories are now evaluated in deterministic registration order. Previously, category evaluation order was map-iteration-dependent, which could cause inconsistent results when multiple categories matched.
-
Migration 501 schema. OJK policy template migration updated to use the current
policy_templatesschema (withdisplay_name,subcategory,template,variables,tagscolumns) instead of the legacy schema. -
Shared policy type export.
PolicyCheckResult.Reasonfield correctly exports asstringfor use across packages.
What's NOT changed
- No breaking changes. All existing SDKs, plugins, and API consumers continue to work unchanged.
- SDK versions: Recommended Python / TypeScript / Go / Java at v8.3.0; Rust preview at v0.5.0. Minimum: v8.0.0. Previous SDK versions keep working.
- Plugin versions: Recommended claude / cursor / codex at v1.5.2; openclaw at v2.6.1. Unchanged from v8.2.0.
Upgrade notes
Self-hosted Community (Docker / docker compose up)
Pull the v8.3.0 image. Four industry migrations (500–503) apply automatically on startup if AXONFLOW_COMPLIANCE_REGION=ID is set. PII detection for Indonesian identifiers is available immediately — no configuration required beyond the standard PII_ACTION setting.
In-VPC Enterprise
No preflight required for v8.2.x to v8.3.0. Existing licenses, credentials, and DSN secrets keep working. To enable the OJK module, set AXONFLOW_COMPLIANCE_REGION=ID.
Community-SaaS users
No action required. Indonesia PII detection is available at all tiers.
SDK users
Existing v8.2.0 SDK callers keep working. Upgrade to v8.3.0 to access the pii-indonesia category constant and cross-border audit fields.
Migration resources
- Observability Exporters — Datadog, Grafana/Tempo, and LangSmith setup guide.
- v8.2.0 Release Notes — Decision Mode, OTel tracing, ecosystem integrations.
- v8.1.0 Release Notes — HITL outbound webhook + Idempotency-Key dedup.
- v8.0.0 Release Notes — the headline v8 release with FORCE RLS and application-role default flip.
- v7 → v8 Migration Guide — deployment-shape decision tree and simple-path community upgrade.
