Skip to main content

AxonFlow v9.2.0 Release Notes

v9.2.0 is a minor release focused on audit assurance and read-only governance. It adds a single-config read-only posture for MCP that is enforced all the way down to the database, makes the platform's audit trail tamper-evident by signing each decision record and capturing those signatures on the live decision path, ships a turnkey exporter that streams decision records to your SIEM or central object store, and stamps the cross-border transfer basis onto the canonical audit record automatically. It also fixes a class of compliance policies that were silently not enforcing on the decision API and gateway. Schema changes are additive and backward-compatible, and the new capabilities are all opt-in. There are two behavior changes to note on upgrade, both in the Fixed section below: a set of seeded compliance policies that were silently inert now enforce on the decision API and gateway, and indirect prompt-injection patterns returned in tool or connector output are now sanitized by default on the response plane. Otherwise it is a drop-in upgrade from v9.1.x.

Added

Read-only MCP posture, enforced at the database

Some MCP deployments should never mutate anything: a connector wired to a production database for analytics, an evaluation environment, an agent that is only ever meant to read. v9.2.0 adds a single configuration switch, MCP_READ_ONLY, that turns the entire MCP surface into a read-only posture. When it is set, every write-path MCP call is blocked across all of the planes that consult the policy engine (the policy-check and check-input paths, the tools-execute and resources-query paths, and the gateway pre-check), classified by a verb tokenizer and a SQL statement classifier that masks string literals and comments and rejects stacked statements, SELECT ... INTO, EXPLAIN ANALYZE, and other write-capable constructs. The classifier fails closed: anything it cannot confidently prove is read-only is treated as a write and blocked.

Because policy classification is a guard rather than a guarantee, v9.2.0 adds a defense-in-depth backstop at the connector layer: read-only queries now open their database transaction in read-only mode, so a write that somehow slips past the verb gate is rejected by the database itself (PostgreSQL returns SQLSTATE 25006, "cannot execute ... in a read-only transaction"). With the switch off, the connector path is byte-for-byte unchanged.

Set MCP_READ_ONLY=true to enable the posture. It is off by default.

Tamper-evident audit signing, now on the live decision path, with verify endpoints

v9.2.0 makes the audit trail tamper-evident. Each decision record is signed with a per-record Ed25519 signature and linked into a hash chain (prev_hash plus a chain sequence number), so removing, reordering, or editing any record breaks the chain and is detectable after the fact. Appends are serialized with an advisory lock so the chain stays consistent under concurrency, and each record can be verified standalone offline against the published digest pre-image.

Two things land in this release: the signing now runs on the live decision path (the platform writes a signed record as decisions are made, rather than only verifying records after the fact), and two read-only verification endpoints are exposed so an auditor can check integrity without database access:

  • GET /api/v1/audit/chains/{chainID}/verify verifies an entire chain is intact.
  • GET /api/v1/audit/records/{recordID}/verify verifies a single record against its signature and chain position.

Signing is configured with AXONFLOW_AUDIT_SIGNING_KEY (the active key) and AXONFLOW_AUDIT_VERIFY_KEYS (one or more public keys trusted for verification, which makes key rotation possible without invalidating older records). It is opt-in and is a no-op when no signing key is configured.

Turnkey SIEM / central-store audit exporter

For teams that consolidate audit evidence in a SIEM or a central object store, v9.2.0 adds a built-in exporter that ships every decision record to an external sink off the request hot path. A non-blocking queue with a bounded timeout and a circuit breaker means the exporter never adds latency to or blocks an enforcement decision; if the sink is unreachable, records are dropped with a counter and a warning rather than back-pressuring the platform. It is wired as a recording decorator, so enabling it requires no call-site changes, and it is disabled by default.

Configure it with AXONFLOW_AUDIT_SINK (the sink type) plus the S3 variables (AXONFLOW_AUDIT_S3_* for bucket, prefix, and region). With the S3 sink, each decision is written to a key of the form <prefix>/YYYY/MM/DD/<decision_id>.json. A new axonflow_central_store_records_total metric reports exported and dropped counts.

Automatic cross-border transfer-basis stamping (Enterprise)

Enterprise deployments subject to Indonesia's UU PDP now get cross-border transfer evidence without an integration chore. At LLM-forward time the platform auto-stamps the Pasal 56 cross-border transfer basis (and the derived destination data_residency) onto the canonical audit record, and the OJK cross-border export reads that same canonical row. The transfer basis is resolved by precedence: an explicit per-request value wins, then a per-organization default (AXONFLOW_ORG_TRANSFER_BASIS), then a global default (AXONFLOW_DEFAULT_TRANSFER_BASIS). Configured values are validated against the canonical transfer-basis forms at load; an invalid value is rejected and the row is left unstamped rather than written with a fabricated basis. data_residency is derived from the resolved provider and never fabricated. The fields surface on the GET /api/v1/decisions feed.

This is Enterprise-only and a no-op in community builds, where the columns stay null and behavior is byte-identical.

Fixed

Indirect prompt-injection is now governed on the response plane

AxonFlow already governed indirect prompt-injection patterns (instruction-override, role-reassignment, system-prompt exfiltration, and template/bracket markers) on the request plane, but a tool or connector response could return the same patterns in a free-text field (for example a back-office note) and re-enter the model's context ungoverned. v9.2.0 closes that gap: those injection patterns are now evaluated on the response and tool-output plane as well.

The default response-plane action is redact (sanitize): the sentence, line, or clause containing the injection is removed (JSON-aware, preserving valid structure and sibling fields), so no injectable instruction reaches the model, while surrounding legitimate data passes through. You can override the action per organization to warn or block, and the input plane still blocks. Behavior change: a tool or connector response carrying one of these injection patterns now has the injection-bearing statement removed by default.

Compliance policies now enforce on the decision API and gateway

A set of seeded compliance policies (EU AI Act, RBI, SEBI, and MAS FEAT) carried category names that had drifted from the canonical compliance-* category constants the decision API filters on. Because the decision-API and gateway pre-check match categories exactly, those policies were silently inert on those paths: they were present but never selected. v9.2.0 canonicalizes the affected categories at their source so the policies are matched and enforced on /decide and the gateway as intended. No new policies were added. Behavior change: deployments running these seeded compliance packs will start enforcing them on the decision API and gateway after upgrading.

OJK cross-border export reads the canonical audit record

The OJK cross-border transfer export previously read a legacy audit table while the canonical per-request decision row lived elsewhere. v9.2.0 repoints the export to the canonical audit record (the same record the new transfer-basis stamping writes), consolidating cross-border evidence onto one source of truth.

Upgrading

v9.2.0 is a drop-in upgrade from v9.1.x. Database migrations apply automatically on startup and add columns to the canonical audit record without changing existing behavior. Every new capability in this release is opt-in: the read-only MCP posture, audit signing, and the SIEM exporter are all off until you set their configuration, and the cross-border stamping only writes when a transfer basis is configured or supplied. No configuration changes are required to upgrade. Two things to check first: if you run any of the seeded EU AI Act, RBI, SEBI, or MAS FEAT compliance policies and relied on their prior (silently non-enforcing) behavior on the decision API or gateway, those policies now match and enforce after upgrading. Review your compliance policy actions before rolling out if that is a concern. Separately, a tool or connector response carrying one of the indirect prompt-injection patterns is now sanitized by default on the response plane, with the injection-bearing statement removed; override the response-plane action per organization if you need a different posture.

# Community
docker compose pull && docker compose up -d

# Enterprise
docker compose -f docker-compose.yml -f docker-compose.enterprise.yml pull
docker compose -f docker-compose.yml -f docker-compose.enterprise.yml up -d

In-VPC Enterprise (AWS CFN)

Redeploy with the v9.2.0 images. Migrations apply automatically on startup. To adopt the new capabilities, set the relevant configuration (MCP_READ_ONLY, AXONFLOW_AUDIT_SIGNING_KEY / AXONFLOW_AUDIT_VERIFY_KEYS, AXONFLOW_AUDIT_SINK plus the S3 variables, and the transfer-basis defaults) on the appropriate services.

Community-SaaS users

No action required.

  • Audit Logging, the canonical decision record that signing, the SIEM exporter, and cross-border stamping all build on.
  • MCP Overview, the governed MCP surface the read-only posture applies to.
  • v9.1.0 Release Notes, the audit-coverage CI gate and built-in policy inventory this release builds on.
  • Version Compatibility, how SDK and platform versions track each other.
Last updated on