feat: v8.0.0 — Row-Level Security default-on + identity model enforced#393
Merged
saurabhjain1592 merged 1 commit intoMay 22, 2026
Merged
Conversation
…-org admin routing The v8.0.0 platform release activates Row-Level Security as the default tenant-isolation mechanism and separates the three previously-conflated identifiers: org_id (customer organization), client_id (API credential), and license deployment identity. The agent, orchestrator, and customer-portal binaries now connect to the application database as `axonflow_app_role` (non-owner, NOBYPASSRLS) by default. Cross-org workers route through `axonflow_platform_admin` (BYPASSRLS) via the new AXONFLOW_DB_PLATFORM_ADMIN_URL env var. FORCE ROW LEVEL SECURITY is now load-bearing on identity, audit, configuration, and SSO tables. For customers using only the SDKs, plugins, or HTTP API there is no breaking change — JSON field names are unchanged, the X-Tenant-ID header is accepted as a deprecated alias, and Basic Auth credentials keep working. Breaking changes: - AXONFLOW_DB_USE_APP_ROLE defaults to true. Self-hosted deployments must set AXONFLOW_DB_APP_ROLE_URL before upgrade. Deployments running cross-org workers (Marketplace metering, NodeMonitor, community-saas sweep / recovery / tenant-delete) additionally need AXONFLOW_DB_PLATFORM_ADMIN_URL. Single-tenant community deployments only need AXONFLOW_DB_APP_ROLE_URL. - Direct SQL against the application database under axonflow_app_role must SET app.current_org_id before reads. Use axonflow_platform_admin (or master) for legitimate cross-org access. - custom_roles and role_assignments tables: tenant_id column renamed to org_id (migration 111). RLS policies rewritten with canonical *_org_id_isolation shape. Key additions: - WithOrgScope and WithOrgAndTenantScope transaction-scoped wrappers cover every hot-path RLS-gated write. - OpenAppRoleConnection and OpenPlatformAdminConnection connection helpers with assertConnectedRole boot-time role-assertion guards. - RequirePlatformAdminOrFatal refuse-to-boot guard on five cross-org worker categories. Misconfigured deployments fail loudly at boot. - SECURITY DEFINER auth-bootstrap helpers across migrations 104, 108, 109 covering SELECT/UPDATE auth path, in-VPC AWS variant, and pre-auth INSERT/UPDATE helpers. - FORCE ROW LEVEL SECURITY across migrations 098/099/101/102/103/106/107 on audit, identity, configuration, and SSO tables. - AST regression guard fails CI on any new bare INSERT/UPDATE/DELETE into an RLS-gated table. - MCP cache-miss path stamps the four auth context keys on r.Context(). - X-Client-ID header spoof protection: agent overwrites caller-supplied value with auth-derived value before forwarding. - Production-posture E2E mode + scripts/operators/provision-app-role.sh + AWS CFN auto-provisioning. - AXONFLOW_MIGRATIONS_PATH env override; migrations 042 and 069 made idempotent. - agent_heartbeats UPSERT wrapped under FORCE RLS; tenant-deletion handler routes via the platform admin pool. Security: - Admin-API anonymous-callable hole closed. Admin operations now require Basic Auth in all environments. Telemetry: - v8.1.0 SDKs emit org_id alongside instance / endpoint / deployment-mode fields in the heartbeat payload. AXONFLOW_TELEMETRY=off remains the sole opt-out. SDK + plugin floor (advertised on /health): - Min SDK v8.0.0 (unchanged); Recommended SDK v8.1.0 (Go / Python / TypeScript / Java) + Rust v0.3.1. - Min plugins openclaw v2.4.0 / claude-code v1.4.0 / cursor v1.4.0 / codex v1.4.0; Recommended unchanged. For the v8 upgrade decision tree and step-by-step migration recipe, see https://docs.getaxonflow.com/docs/deployment/v8-to-v9-migration/. Signed-off-by: Saurabh Jain <saurabh.jain@getaxonflow.com> Signed-off-by: AxonFlow Team <bot@getaxonflow.com>
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
v8.0.0 platform release — Row-Level Security default-on + identity model enforced
This sync brings v8.0.0 to the community mirror. The release activates Row-Level Security as the default tenant-isolation mechanism and separates three previously-conflated identifiers:
org_id(customer organization),client_id(API credential), and license deployment identity.Customer impact
X-Tenant-IDaccepted as deprecated alias, Basic Auth keeps working.axonflow_app_roleis now the default connection role and SELECTs return zero rows unlessapp.current_org_idis set first. See the v8 upgrade guide for the deployment-shape decision tree.custom_roles/role_assignments: breaking —tenant_idcolumn renamed toorg_id(migration 111).AXONFLOW_DB_USE_APP_ROLEenv defaults totrue. Runscripts/operators/provision-app-role.shbefore upgrade. Community single-tenant deployments only needAXONFLOW_DB_APP_ROLE_URL; multi-tenant + multi-node + marketplace shapes additionally needAXONFLOW_DB_PLATFORM_ADMIN_URL.What's in the release
Identity model
org_id/client_id/deployment_idseparated across schema, license payload V3, and HTTP headers.X-Client-IDbecomes the canonical API-credential header;X-Tenant-IDaccepted as deprecated alias through v8. Agent auth middleware overwrites any caller-suppliedX-Client-IDwith its own auth-derived value before forwarding — spoofed inbound headers have no effect.axonflow_app_role(NOBYPASSRLS) +axonflow_platform_admin(BYPASSRLS) Postgres roles created by migration; provisioned viascripts/operators/provision-app-role.sh. AWS CFN-integrated deployments auto-provision on stack updates.Row-Level Security enforcement
WithOrgScope(ctx, db, orgID, fn)+WithOrgAndTenantScope(ctx, db, orgID, tenantID, fn)transaction-scoped wrappers cover every hot-path write into an RLS-gated table.Operational safety
OpenAppRoleConnection+OpenPlatformAdminConnectionopen the request-traffic pool and cross-org admin pool withassertConnectedRoleboot-time guards.RequirePlatformAdminOrFatalrefuse-to-boot guard on five cross-org worker categories. Misconfigured deployments fail loudly.INSERT/UPDATE/DELETEinto an RLS-gated table.r.Context().scripts/setup-e2e-testing.shexercises the agent underaxonflow_app_rolewith provisioned roles.scripts/operators/provision-app-role.sh+scripts/deployment/v9_self_hosted_preflight.shfor the self-hosted operator path.AXONFLOW_DB_USE_APP_ROLE=false; override totrueafter running provision-app-role.sh.AXONFLOW_MIGRATIONS_PATHenv override for non-Docker deployment topologies.agent_heartbeatsUPSERT wrapped under FORCE RLS; tenant-deletion handler routes via the platform admin pool.Security
Telemetry
org_idalongside the existing instance / endpoint / deployment-mode fields in the heartbeat payload.AXONFLOW_TELEMETRY=offremains the sole opt-out.Compatibility
tenant_idcolumns retained as deprecated aliases;X-Tenant-IDheader accepted.SDK + plugin floor (advertised on
/health)Migration
See the v8 upgrade guide for:
Full release notes at https://docs.getaxonflow.com/docs/releases/v8-0-0/.