AxonFlow v8.5.2 Release Notes

Released 2026-06-08. A patch release covering two threads. The platform half closes a self-hosted / Enterprise MCP-governance gap: the agent now returns a parseable error on the OAuth-discovery probes MCP clients fire after a 401 (so a missing credential surfaces an actionable message instead of a cryptic failure), and the audit summary now counts policy denials as blocked. The portal half makes a self-hosted install loginable over plain HTTP and stops the dashboard from masking a fetch failure with a fabricated license. Additive migration only — no breaking changes. HTTPS/production deployments are unaffected and stay secure by default.

MCP plugin connection works on self-hosted and Enterprise agents

When an MCP client (such as the Claude Code plugin) connected to an Enterprise / in-VPC agent without a credential, the agent correctly returned 401 with a WWW-Authenticate: Basic challenge — but some clients respond to a 401 by probing OAuth-discovery endpoints (/.well-known/oauth-protected-resource, /.well-known/oauth-authorization-server, and related paths) and parsing each non-2xx body as an OAuth error. Those paths previously returned a plain-text 404 page not found, which the client could not parse — surfacing as /mcp → "axonflow failed (HTTP 404: Invalid OAuth error response … Raw body: 404 page not found)" and marking the server failed.

v8.5.2 makes the agent return a parseable, machine-readable JSON body for every unmatched route and OAuth-discovery probe, and the discovery responses name the real authentication mechanism (HTTP Basic via AXONFLOW_AUTH) while advertising no authorization server — so the client renders a clear "use Basic auth" message instead of crashing, and never starts an OAuth flow the agent can't complete.

Self-hosted Community Edition accepts unauthenticated governance calls — no credential needed.
Enterprise / in-VPC agents require HTTP Basic auth on every call, including the MCP connection. Set AXONFLOW_AUTH=base64(org_id:license_key) (and AXONFLOW_ENDPOINT). See Claude Code integration → Self-hosted / Enterprise authentication.

The client side ships in the claude-code and cursor plugins v1.5.3 (see Plugin versions below).

Audit summary counts policy denials as blocked

get_policy_stats and the portal compliance card under-reported blocks. A denied action is recorded with a deny decision, but the summary aggregation only counted decisions labelled blocked — so denials fell through to the "allowed" bucket. The result was a misleading 0 blocked / 100% compliance right after a real block (for example, an SSN caught by the PII policy).

v8.5.2 fixes the aggregation to count blocked, deny, and denied decisions as blocked in both the request-summary and the top-policies counts. This corrects the stats for every governance surface — the Claude Code / Cursor / Codex plugins and Decision Mode all record denials this way — so the compliance card and get_policy_stats now reflect blocks accurately.

Portal works over HTTP self-host (Enterprise)

Two complementary halves of the same symptom made a fresh self-hosted portal unusable over plain HTTP; both are fixed.

Login credential auto-provisioned at boot. In enterprise / in-vpc-* deployments the deployment organization is the portal login identity, but a fresh install created that organization without a password — so the portal had no login until someone ran manual SQL. The portal now bootstraps the deployment org's password from AXONFLOW_PORTAL_ADMIN_PASSWORD at startup: fail-closed (it refuses to boot in those modes if the password is unset rather than coming up un-loginable), no-clobber (an operator-set password is never overwritten on restart), and create-if-missing. A reset-portal-credential.sh operator script is included for recovery.
Session cookie Secure attribute is now conditional. The axonflow_session cookie was set with a hardcoded Secure attribute, which a browser silently drops over plain HTTP — so every authenticated request reached the auth middleware with no cookie and returned 401. The attribute is now gated on AXONFLOW_PORTAL_COOKIE_SECURE, which defaults to true (HTTPS/production unchanged); operators set it to false for an HTTP self-host or evaluation deployment on a trusted internal network. The bundled docker-compose.enterprise.yml defaults it to false for the local/eval HTTP flow.
The dashboard no longer fabricates a license on a fetch failure. When the license-status call failed, the dashboard previously substituted a hardcoded Community / DEVELOPER placeholder, which read as a real downgraded license. It now captures the error and renders an explicit "License status unavailable" state. Display-only; it does not change any entitlement.
Portal session lookup is now RLS-safe under the application role. The session lookup that runs before any organization context is established now goes through a new SECURITY DEFINER helper (additive migration), hardening the application-role posture. No effect on current deployments.

Plugin versions

Plugin versions: Recommended claude / cursor at v1.5.3, codex at v1.5.2, openclaw at v2.6.1; minimum floor v1.4.0. The claude-code and cursor plugins move to v1.5.3 for the MCP self-hosted / Enterprise connection fix; codex is unchanged (its fix was documentation-only).

SDK versions

No SDK release accompanies v8.5.2 — the recommended SDK versions are unchanged from v8.5.0 (Go / Python / TypeScript / Java at 8.4.0, Rust at 0.6.0; minimum floor 8.0.0). SDK and platform versions are independent and each follow their own semver.

What's NOT changed

No breaking changes. All existing SDKs, plugins, and API consumers continue to work unchanged.
Additive migration only. The portal session-lookup helper is a new, idempotent migration; existing deployments are unaffected.
HTTPS/production stays secure by default. AXONFLOW_PORTAL_COOKIE_SECURE defaults to true; the HTTP-self-host behavior is opt-in.
Existing endpoints unchanged. Proxy Mode (POST /api/request), Gateway Mode (POST /api/policy/pre-check), the OpenAI-compatible endpoint (POST /v1/chat/completions), and Decision Mode (POST /api/v1/decide) all keep their existing contracts.

Upgrade notes

Self-hosted (Docker / `docker compose up`)

Pull the v8.5.2 images and restart:

docker compose pull
docker compose up -d

For an HTTP self-host or evaluation deployment, set AXONFLOW_PORTAL_COOKIE_SECURE=false and AXONFLOW_PORTAL_ADMIN_PASSWORD (the bundled docker-compose.enterprise.yml already wires both). HTTPS/production deployments need no configuration change.

If you use the Claude Code or Cursor plugin against a self-hosted / Enterprise agent, upgrade the plugin to v1.5.3 and set AXONFLOW_AUTH=base64(org_id:license_key).

In-VPC Enterprise (AWS CFN)

No action required. The v8.5.2 images are drop-in; the additive migration runs on the next agent boot.

Community-SaaS users

No action required.

Migration resources

Claude Code integration — Self-hosted / Enterprise authentication for the plugin.
v8.5.1 Release Notes — licensed tier reconciled into the database at boot; dev-mode token endpoint.
v8.5.0 Release Notes — Decision Mode request-context propagation, durable audit rows, multi-arch images.

MCP plugin connection works on self-hosted and Enterprise agents​

Audit summary counts policy denials as blocked​

Portal works over HTTP self-host (Enterprise)​

Plugin versions​

SDK versions​

What's NOT changed​

Upgrade notes​

Self-hosted (Docker / docker compose up)​

In-VPC Enterprise (AWS CFN)​

Community-SaaS users​

Migration resources​