You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
v9.6.1 is a patch on v9.6.0. It fixes a bug in the audit-search API where a session_id filter was silently ignored: the search endpoint accepted the request and returned 200 but dropped the filter, so drilling from a session-summary bucket into that session's individual records returned the tenant's records across every session in the time range instead of the one requested. Tenant isolation was never affected — the bug was confined to the session_id sub-filter, and the tenant scope every audit query enforces was always applied. It is a drop-in upgrade from v9.6.0, with no migration and no configuration change.
Highlights:
- The session_id filter on POST /api/v1/audit/search is now applied as a parameterized, tenant-scoped condition, so a search by session_id returns exactly that session's records. Aggregates from the session-summary endpoint itself were correct on v9.6.0 and are unchanged.
Migration: none. Full notes: https://docs.getaxonflow.com/docs/releases/v9-6-1
Signed-off-by: AxonFlow Team <bot@getaxonflow.com>
Co-authored-by: AxonFlow Team <bot@getaxonflow.com>
Copy file name to clipboardExpand all lines: CHANGELOG.md
+10Lines changed: 10 additions & 0 deletions
Display the source diff
Display the rich diff
Original file line number
Diff line number
Diff line change
@@ -10,6 +10,16 @@ community mirror, **Enterprise** changes are EE-only.
10
10
11
11
---
12
12
13
+
## [9.6.1] - 2026-07-08 (patch on 9.6.0: audit-search session_id drill-down)
14
+
15
+
**Patch.** Fixes a correctness bug in the audit-search API surfaced while documenting the v9.6.0 session-summary reporting: a `session_id` filter was silently dropped, so the per-session drill-down returned the tenant's rows across all sessions instead of the one requested. Within-tenant only; tenant isolation was never affected. No migration.
16
+
17
+
### Fixed
18
+
19
+
-**`session_id` filter on `POST /api/v1/audit/search` is now applied.***(Community)* The audit-search request handler's body-decode struct was missing the `session_id` field the query layer already supported, so a `session_id` filter was silently dropped and the session-summary "drill into this session" flow returned all of the tenant's rows across every session with a `200`. The filter now reaches the query as a parameterized, tenant-scoped condition, so drilling into a session bucket returns exactly that session's rows. Tenant scoping (from the trusted tenant header) was never affected. Pinned by a handler-level regression test and a runtime-e2e drill-down leg.
20
+
21
+
---
22
+
13
23
## [9.6.0] - 2026-07-07 (session-summary reporting API + Claude Code usage dashboard)
14
24
15
25
**Additive minor.** v9.6.0 turns the Claude Code and Cowork activity v9.5.0 began ingesting into reporting. A new session-summary API rolls governed activity into per-session (or per-user-day) buckets, additively enriched with the developer and session usage metrics when the OTLP ingest is wired; a new operator Grafana dashboard visualizes that usage; and the bundled Grafana datasources are provisioned with stable uids, closing a pre-existing bug that broke provisioned dashboards. One idempotent migration (`core/141`) auto-applies on deploy.
0 commit comments