Skip to content

feat: v8.0.0 — Row-Level Security default-on + identity model enforced#393

Merged
saurabhjain1592 merged 1 commit into
mainfrom
sync/enterprise-20260522-181436-26304464678
May 22, 2026
Merged

feat: v8.0.0 — Row-Level Security default-on + identity model enforced#393
saurabhjain1592 merged 1 commit into
mainfrom
sync/enterprise-20260522-181436-26304464678

Conversation

@saurabhjain1592

Copy link
Copy Markdown
Member

v8.0.0 platform release — Row-Level Security default-on + identity model enforced

This sync brings v8.0.0 to the community mirror. The release activates Row-Level Security as the default tenant-isolation mechanism and separates three previously-conflated identifiers: org_id (customer organization), client_id (API credential), and license deployment identity.

Customer impact

  • SDK / plugin / HTTP API consumers: no breaking change. JSON field names unchanged, X-Tenant-ID accepted as deprecated alias, Basic Auth keeps working.
  • Direct DB consumers under the application role: breaking — axonflow_app_role is now the default connection role and SELECTs return zero rows unless app.current_org_id is set first. See the v8 upgrade guide for the deployment-shape decision tree.
  • Direct SQL consumers of custom_roles / role_assignments: breaking — tenant_id column renamed to org_id (migration 111).
  • Self-hosted operators: the new AXONFLOW_DB_USE_APP_ROLE env defaults to true. Run scripts/operators/provision-app-role.sh before upgrade. Community single-tenant deployments only need AXONFLOW_DB_APP_ROLE_URL; multi-tenant + multi-node + marketplace shapes additionally need AXONFLOW_DB_PLATFORM_ADMIN_URL.

What's in the release

Identity model

  • org_id / client_id / deployment_id separated across schema, license payload V3, and HTTP headers. X-Client-ID becomes the canonical API-credential header; X-Tenant-ID accepted as deprecated alias through v8. Agent auth middleware overwrites any caller-supplied X-Client-ID with its own auth-derived value before forwarding — spoofed inbound headers have no effect.
  • axonflow_app_role (NOBYPASSRLS) + axonflow_platform_admin (BYPASSRLS) Postgres roles created by migration; provisioned via scripts/operators/provision-app-role.sh. AWS CFN-integrated deployments auto-provision on stack updates.

Row-Level Security enforcement

  • WithOrgScope(ctx, db, orgID, fn) + WithOrgAndTenantScope(ctx, db, orgID, tenantID, fn) transaction-scoped wrappers cover every hot-path write into an RLS-gated table.
  • SECURITY DEFINER auth-bootstrap helpers across migrations 104, 108, 109 — covering the SELECT/UPDATE auth path, the in-VPC AWS-deployment variant, and pre-auth INSERT/UPDATE helpers.
  • FORCE ROW LEVEL SECURITY across migrations 098/099/101/102/103/106/107 on audit, identity, configuration, and SSO tables.

Operational safety

  • OpenAppRoleConnection + OpenPlatformAdminConnection open the request-traffic pool and cross-org admin pool with assertConnectedRole boot-time guards.
  • RequirePlatformAdminOrFatal refuse-to-boot guard on five cross-org worker categories. Misconfigured deployments fail loudly.
  • AST regression guard in the agent test suite fails CI on any new bare INSERT / UPDATE / DELETE into an RLS-gated table.
  • MCP cache-miss path stamps auth context (TenantID/OrgID/ClientID/AuthKind) on r.Context().
  • Production-posture E2E mode in scripts/setup-e2e-testing.sh exercises the agent under axonflow_app_role with provisioned roles.
  • scripts/operators/provision-app-role.sh + scripts/deployment/v9_self_hosted_preflight.sh for the self-hosted operator path.
  • Local-dev docker-compose pins AXONFLOW_DB_USE_APP_ROLE=false; override to true after running provision-app-role.sh.
  • AXONFLOW_MIGRATIONS_PATH env override for non-Docker deployment topologies.
  • Migrations 042 and 069 made idempotent.
  • agent_heartbeats UPSERT wrapped under FORCE RLS; tenant-deletion handler routes via the platform admin pool.

Security

  • Admin-API anonymous-callable hole closed. Admin operations now require Basic Auth in all environments.

Telemetry

  • v8.1.0 SDKs (Go / Python / TypeScript / Java) + Rust v0.3.1 emit org_id alongside the existing instance / endpoint / deployment-mode fields in the heartbeat payload. AXONFLOW_TELEMETRY=off remains the sole opt-out.

Compatibility

  • Existing licenses keep working through v8 — no regeneration required.
  • tenant_id columns retained as deprecated aliases; X-Tenant-ID header accepted.

SDK + plugin floor (advertised on /health)

Component Min Recommended
Go / Python / TypeScript / Java SDKs v8.0.0 v8.1.0
Rust SDK v0.2.0 v0.3.1
openclaw plugin v2.4.0 v2.4.0
claude-code / cursor / codex plugins v1.4.0 v1.4.0

Migration

See the v8 upgrade guide for:

  • The deployment-shape decision tree (community single-tenant vs enterprise multi-tenant)
  • Simple-path community upgrade (3 steps)
  • Source-fork audit recipe for self-hosted operators with customized handlers
  • Verification commands

Full release notes at https://docs.getaxonflow.com/docs/releases/v8-0-0/.

…-org admin routing

The v8.0.0 platform release activates Row-Level Security as the default tenant-isolation mechanism and separates the three previously-conflated identifiers: org_id (customer organization), client_id (API credential), and license deployment identity.

The agent, orchestrator, and customer-portal binaries now connect to the application database as `axonflow_app_role` (non-owner, NOBYPASSRLS) by default. Cross-org workers route through `axonflow_platform_admin` (BYPASSRLS) via the new AXONFLOW_DB_PLATFORM_ADMIN_URL env var. FORCE ROW LEVEL SECURITY is now load-bearing on identity, audit, configuration, and SSO tables.

For customers using only the SDKs, plugins, or HTTP API there is no breaking change — JSON field names are unchanged, the X-Tenant-ID header is accepted as a deprecated alias, and Basic Auth credentials keep working.

Breaking changes:
- AXONFLOW_DB_USE_APP_ROLE defaults to true. Self-hosted deployments must set AXONFLOW_DB_APP_ROLE_URL before upgrade. Deployments running cross-org workers (Marketplace metering, NodeMonitor, community-saas sweep / recovery / tenant-delete) additionally need AXONFLOW_DB_PLATFORM_ADMIN_URL. Single-tenant community deployments only need AXONFLOW_DB_APP_ROLE_URL.
- Direct SQL against the application database under axonflow_app_role must SET app.current_org_id before reads. Use axonflow_platform_admin (or master) for legitimate cross-org access.
- custom_roles and role_assignments tables: tenant_id column renamed to org_id (migration 111). RLS policies rewritten with canonical *_org_id_isolation shape.

Key additions:
- WithOrgScope and WithOrgAndTenantScope transaction-scoped wrappers cover every hot-path RLS-gated write.
- OpenAppRoleConnection and OpenPlatformAdminConnection connection helpers with assertConnectedRole boot-time role-assertion guards.
- RequirePlatformAdminOrFatal refuse-to-boot guard on five cross-org worker categories. Misconfigured deployments fail loudly at boot.
- SECURITY DEFINER auth-bootstrap helpers across migrations 104, 108, 109 covering SELECT/UPDATE auth path, in-VPC AWS variant, and pre-auth INSERT/UPDATE helpers.
- FORCE ROW LEVEL SECURITY across migrations 098/099/101/102/103/106/107 on audit, identity, configuration, and SSO tables.
- AST regression guard fails CI on any new bare INSERT/UPDATE/DELETE into an RLS-gated table.
- MCP cache-miss path stamps the four auth context keys on r.Context().
- X-Client-ID header spoof protection: agent overwrites caller-supplied value with auth-derived value before forwarding.
- Production-posture E2E mode + scripts/operators/provision-app-role.sh + AWS CFN auto-provisioning.
- AXONFLOW_MIGRATIONS_PATH env override; migrations 042 and 069 made idempotent.
- agent_heartbeats UPSERT wrapped under FORCE RLS; tenant-deletion handler routes via the platform admin pool.

Security:
- Admin-API anonymous-callable hole closed. Admin operations now require Basic Auth in all environments.

Telemetry:
- v8.1.0 SDKs emit org_id alongside instance / endpoint / deployment-mode fields in the heartbeat payload. AXONFLOW_TELEMETRY=off remains the sole opt-out.

SDK + plugin floor (advertised on /health):
- Min SDK v8.0.0 (unchanged); Recommended SDK v8.1.0 (Go / Python / TypeScript / Java) + Rust v0.3.1.
- Min plugins openclaw v2.4.0 / claude-code v1.4.0 / cursor v1.4.0 / codex v1.4.0; Recommended unchanged.

For the v8 upgrade decision tree and step-by-step migration recipe, see https://docs.getaxonflow.com/docs/deployment/v8-to-v9-migration/.

Signed-off-by: Saurabh Jain <saurabh.jain@getaxonflow.com>
Signed-off-by: AxonFlow Team <bot@getaxonflow.com>
@saurabhjain1592 saurabhjain1592 added the community-sync Sync from enterprise repository label May 22, 2026
@saurabhjain1592 saurabhjain1592 merged commit d970cda into main May 22, 2026
28 of 31 checks passed
@saurabhjain1592 saurabhjain1592 deleted the sync/enterprise-20260522-181436-26304464678 branch May 22, 2026 18:17
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

community-sync Sync from enterprise repository

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants