Skip to content

feat: v8.5.1 -- licensed tier reconciled at boot + dev-mode token endpoint#412

Merged
saurabhjain1592 merged 1 commit into
mainfrom
sync/enterprise-20260608-013622-27111207270
Jun 8, 2026
Merged

feat: v8.5.1 -- licensed tier reconciled at boot + dev-mode token endpoint#412
saurabhjain1592 merged 1 commit into
mainfrom
sync/enterprise-20260608-013622-27111207270

Conversation

@saurabhjain1592

Copy link
Copy Markdown
Member

v8.5.1 sync

Licensed tier now reconciled into the database at boot

On a fresh install the agent validated the deployment license and reported the correct tier at /health, but the licensed tier was held only in agent memory and never written to the organizations table — which every DB consumer (portal UI, node-limit enforcement, compliance-evidence) reads. v8.5.1 fixes it at the source: after license validation the agent upserts the deployment org's tier/max_nodes at boot via a new RLS-safe SECURITY DEFINER migration (clears FORCE ROW LEVEL SECURITY without elevating the request path). Idempotent and non-fatal. A fresh Enterprise install now reports Enterprise in the portal and DB immediately, no request traffic required.

Dev-mode token endpoint — POST /api/v1/dev/token

Non-production developer convenience: mints a short-lived HS256 user_token from the authenticated Basic-auth credential so local/CI integrations don't hand-run a JWT script. Fail-closed: the route is only registered in a non-production ENVIRONMENT/DEPLOYMENT_MODE/DEPLOYMENT_KIND (else 404), and returns 503 if JWT_SECRET is unset. Tenant inherited from the Basic-auth username; HS256-pinned. Never reachable in production.

Documentation

"Five Runtime Modes" architecture overview + Decision / MAP / WCP sequence diagrams.

Version

All version sites bumped to 8.5.1.

Review checklist

  • No enterprise-only content leaked
  • No partner/customer names in synced source or docs
  • CHANGELOG v8.5.1 entry present (edition-structured)
  • VERSION reads 8.5.1
  • Multi-arch manifest verified for all 6 images

…point

Patch release synced from enterprise. No breaking changes; additive migration only.

Fixed (Community):
- Licensed tier is now written into the database at boot. After validating the
  deployment license, the agent upserts the deployment organization's tier and
  max_nodes to the licensed values via a new RLS-safe SECURITY DEFINER migration,
  so the portal UI, node-limit enforcement, and compliance-evidence paths no
  longer lag the in-memory tier (surfaced at /health) on a fresh install. The
  promotion is idempotent (writes only when tier/limit differs) and non-fatal.

Added (Community):
- Dev-mode token endpoint: POST /api/v1/dev/token. In an explicitly
  non-production deployment, mints a short-lived HS256 user_token from the
  authenticated Basic-auth credential so local and CI integrations don't have to
  hand-run a JWT signing script. Fail-closed: the route is only registered when a
  non-production ENVIRONMENT / DEPLOYMENT_MODE / DEPLOYMENT_KIND is set (else 404),
  and returns 503 if JWT_SECRET is not configured. Tenant inherited from the
  Basic-auth username; signing algorithm pinned to HS256. Never reachable in production.

Documentation:
- Architecture: "Five Runtime Modes" overview with Decision / MAP / WCP sequence
  diagrams describing how governance is enforced in each runtime mode.

Version: all version sites bumped to 8.5.1.
Signed-off-by: AxonFlow Team <bot@getaxonflow.com>
@saurabhjain1592 saurabhjain1592 added the community-sync Sync from enterprise repository label Jun 8, 2026
@saurabhjain1592 saurabhjain1592 enabled auto-merge June 8, 2026 01:37
@saurabhjain1592 saurabhjain1592 added this pull request to the merge queue Jun 8, 2026
Merged via the queue into main with commit 80cf62a Jun 8, 2026
39 checks passed
@saurabhjain1592 saurabhjain1592 deleted the sync/enterprise-20260608-013622-27111207270 branch June 8, 2026 01:54
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

community-sync Sync from enterprise repository

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants