AxonFlow v9.2.2 Release Notes
v9.2.2 is a maintenance patch on v9.2.1. It closes a gap on the agent's check_policy MCP advisory tool: the allow path now runs the same PII redaction the check-input enforcement path already runs, so a tool call carrying PII is flagged for a masked retry instead of executing with the raw value. It also updates the bundled Java example dependencies to clear a set of dependency CVEs. There are no breaking API, schema, or migration changes — the new response fields are additive — and it is a drop-in upgrade from v9.2.1.
This release ships together with Claude Code plugin v1.7.0, which consumes the new redaction fields described below to deny a redact-policy tool call and retry it with engine-masked content. See Recommended Claude Code plugin.
Fixed in v9.2.2
check_policy now redacts PII on its allow path
The agent's check_policy MCP advisory tool returned an allow verdict without running PII detection on the statement it was asked about. As a result a tool call carrying PII — for example a Write whose content held an Indonesian NIK — could execute with the raw value before the agent was prompted to retry with a masked version.
v9.2.2 runs the same input redaction on the check_policy allow path that the check-input enforcement gate already runs. When redaction fires, the tool now returns requires_redaction: true together with a redacted_statement carrying the masked content, so a policy-enforcement point — such as the Claude Code plugin's pre-tool hook — can deny the first call and re-issue it with the masked statement. Clean statements are unaffected: they return an allow verdict without requires_redaction, exactly as before. The outcome is recorded on the canonical decision record as a mcp-plane redaction.
This release also fixes a latent nil-pointer dereference in input-policy evaluation: when the engine fails closed and blocks a request without attributing a specific policy (for example the database is unavailable and graceful degradation is off), the logging path no longer dereferences the absent policy reference.
Security in v9.2.2
Java example dependencies updated
The Jackson dependencies used by the bundled Java example projects are updated to 2.22.0 to clear CVE-2026-54512, CVE-2026-54513, and CVE-2026-54515, restoring a green dependency scan. This change is confined to the example projects; it does not affect the platform runtime or any AxonFlow SDK.
Recommended Claude Code plugin: v1.7.0
The recommended Claude Code plugin moves from v1.6.0 to v1.7.0 in this train. v1.7.0 uses the requires_redaction / redacted_statement fields added above: when a redact policy fires on a tool call, the plugin's pre-tool hook denies the first call and retries it with the engine-masked content, so the model never sees the raw PII. Pairing plugin v1.7.0 with platform v9.2.2 is what makes that deny-and-retry behavior work end to end — v9.2.1 and earlier do not return the redaction fields the plugin relies on.
Upgrading
v9.2.2 is a drop-in upgrade from v9.2.1. There are no migrations, configuration changes, or behavior changes outside the check_policy allow path described above. Pull the v9.2.2 images and restart.
# Community
docker compose pull && docker compose up -d
# Enterprise
docker compose -f docker-compose.yml -f docker-compose.enterprise.yml pull
docker compose -f docker-compose.yml -f docker-compose.enterprise.yml up -d
In-VPC Enterprise (AWS CFN)
Redeploy with the v9.2.2 images. No migrations or configuration changes are required.
Community-SaaS users
No action required.
To get the deny-and-retry behavior in Claude Code, also upgrade the plugin to v1.7.0 — see the Claude Code integration guide.
Related resources
- v9.2.1 Release Notes, the patch this builds on, which reproduces the full v9.2.0 feature set.
- Claude Code Integration, the plugin that consumes the new redaction fields.
- Audit Logging, the canonical decision record the
check_policyredaction is written to. - Version Compatibility, how SDK and platform versions track each other.
