
AxonFlow v8.5.1 Release Notes

Released 2026-06-08. A patch release: the agent now writes the licensed tier into the database at boot, so the portal and other database consumers no longer lag what /health reports on a fresh install; and a new fail-closed dev-mode token endpoint lets non-production deployments mint a user_token without hand-running a signing script. Additive migration only — no breaking changes.

Headline: licensed tier reconciled into the database at boot

On a fresh install the agent validated the deployment license and reported the correct tier at /health, but the licensed tier was held only in agent memory and never written to the organizations table. Every database consumer — the customer portal UI, node-limit enforcement, and compliance-evidence paths — reads organizations.tier, which is seeded as Community. The result was a tier-reporting divergence: a valid Enterprise license could show Community everywhere except /health until request traffic happened to trigger a lazy promotion.

v8.5.1 fixes it at the source. After validating the deployment license, the agent upserts the deployment organization's tier and max_nodes to the licensed values at boot, using a new RLS-safe SECURITY DEFINER migration so the write clears FORCE ROW LEVEL SECURITY on organizations without giving the request path elevated privileges.

  • At boot, no traffic required. A fresh Enterprise install reports Enterprise in the portal and in the database immediately after startup.
  • Idempotent. The promotion writes only when the tier or node limit actually differs, so re-boots are no-ops.
  • Non-fatal. If the write fails, it's logged and startup continues — the in-memory tier (and /health) are unaffected.

No action is required; the promotion runs automatically on the next boot of the upgraded agent.

New: dev-mode token endpoint (POST /api/v1/dev/token)

Local development and CI integrations need a valid user_token to exercise the enterprise request paths, which previously meant hand-running a JWT signing script. v8.5.1 adds a convenience endpoint that mints a short-lived HS256 user_token from the authenticated Basic-auth credential.

It is fail-closed by design and is never reachable in production:

  • Registered only in a non-production deployment. The route exists only when an explicitly non-production ENVIRONMENT, DEPLOYMENT_MODE, or DEPLOYMENT_KIND is set. In any other case the route is not registered and returns 404.
  • 503 when it can't mint safely. When the endpoint is registered but JWT_SECRET is not configured, it returns 503 rather than attempting to mint a token.
  • Scoped to the caller. The minted token's tenant is inherited from the Basic-auth username, so a caller can only mint a token for its own tenant.
  • Algorithm-pinned. The token is signed with HS256, and verification is pinned to HS256 to prevent algorithm confusion.

This endpoint is a developer convenience for non-production environments only. Production deployments never register it.
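
The four properties above, sketched as an added example in Python using only the standard library; it is not AxonFlow's code. The accepted non-production values, the claim names (tenant_id, exp) and the 300-second lifetime are assumptions, since the release notes do not state them.

```python
import base64, hashlib, hmac, json

# Assumed allow-list: the release notes do not say which values count as non-production.
NON_PROD = {"development", "dev", "test", "ci", "local"}
ENV_KEYS = ("ENVIRONMENT", "DEPLOYMENT_MODE", "DEPLOYMENT_KIND")

def b64u(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def b64u_dec(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def route_registered(env: dict) -> bool:
    # Fail closed: unset or unrecognised values leave the route unregistered (404).
    return any(env.get(k, "").lower() in NON_PROD for k in ENV_KEYS)

def sign(header: dict, claims: dict, secret: bytes) -> str:
    body = b64u(json.dumps(header).encode()) + "." + b64u(json.dumps(claims).encode())
    mac = hmac.new(secret, body.encode(), hashlib.sha256).digest()
    return body + "." + b64u(mac)

def handle_dev_token(env: dict, basic_user: str, now: int):
    """Return (status, token) for POST /api/v1/dev/token."""
    if not route_registered(env):
        return 404, None
    secret = env.get("JWT_SECRET", "")
    if not secret:
        return 503, None  # refuse to mint rather than sign with an empty key
    # Tenant comes from the authenticated username, never from the request body.
    claims = {"tenant_id": basic_user, "exp": now + 300}  # names and TTL assumed
    return 200, sign({"alg": "HS256", "typ": "JWT"}, claims, secret.encode())

def verify(token: str, secret: bytes, now: int) -> dict:
    try:
        h, c, s = token.split(".")
        header, claims = json.loads(b64u_dec(h)), json.loads(b64u_dec(c))
        sig = b64u_dec(s)
    except ValueError as exc:
        raise ValueError("malformed token") from exc
    if not isinstance(header, dict) or header.get("alg") != "HS256":
        raise ValueError("unexpected alg")  # pinned: the header cannot pick the algorithm
    want = hmac.new(secret, f"{h}.{c}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(want, sig):
        raise ValueError("bad signature")
    if claims.get("exp", 0) <= now:
        raise ValueError("expired")
    return claims
```

The verifier checks the header's alg against a constant before computing any MAC, so a token whose header names a different algorithm is rejected regardless of its signature bytes.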

Documentation

The architecture documentation gains a "Five Runtime Modes" overview with Decision / MAP / WCP sequence diagrams describing how governance is enforced in each runtime mode.

SDK versions

No SDK release accompanies v8.5.1 — the recommended SDK versions are unchanged from v8.5.0 (Go / Python / TypeScript / Java at 8.4.0, Rust at 0.6.0; minimum floor 8.0.0). SDK and platform versions are independent, and each follows its own semver.

What's NOT changed

  • No breaking changes. All existing SDKs, plugins, and API consumers continue to work unchanged.
  • Additive migration only. The tier-promotion helper is a new, idempotent migration; existing deployments are unaffected beyond the one-time tier reconciliation.
  • Existing endpoints unchanged. Proxy Mode (POST /api/request), Gateway Mode (POST /api/policy/pre-check), the OpenAI-compatible endpoint (POST /v1/chat/completions), and Decision Mode (POST /api/v1/decide) all keep their existing contracts.

Upgrade notes

Self-hosted (Docker / docker compose up)

Pull the v8.5.1 image and restart. The tier reconciliation runs automatically at boot:

docker compose pull
docker compose up -d

A valid Enterprise license now reports Enterprise in the portal immediately after startup — no request traffic required. If you previously worked around the divergence by manually updating organizations.tier, that's no longer necessary.

In-VPC Enterprise (AWS CFN)

No action required. The v8.5.1 images are drop-in; the tier promotion runs on the next agent boot.

Community-SaaS users

No action required.

Using the dev-mode token endpoint (non-production only)

In a non-production deployment (an explicitly non-production ENVIRONMENT / DEPLOYMENT_MODE / DEPLOYMENT_KIND) with JWT_SECRET configured, mint a user_token from your Basic-auth credential:

curl -X POST http://localhost:8080/api/v1/dev/token \
-u "<tenant-username>:<license-key>"

The endpoint returns 404 outside a non-production deployment and 503 if JWT_SECRET is unset.

Migration resources