feat: v8.5.1 -- licensed tier reconciled at boot + dev-mode token endpoint#412
Merged
Merged
Conversation
…point Patch release synced from enterprise. No breaking changes; additive migration only. Fixed (Community): - Licensed tier is now written into the database at boot. After validating the deployment license, the agent upserts the deployment organization's tier and max_nodes to the licensed values via a new RLS-safe SECURITY DEFINER migration, so the portal UI, node-limit enforcement, and compliance-evidence paths no longer lag the in-memory tier (surfaced at /health) on a fresh install. The promotion is idempotent (writes only when tier/limit differs) and non-fatal. Added (Community): - Dev-mode token endpoint: POST /api/v1/dev/token. In an explicitly non-production deployment, mints a short-lived HS256 user_token from the authenticated Basic-auth credential so local and CI integrations don't have to hand-run a JWT signing script. Fail-closed: the route is only registered when a non-production ENVIRONMENT / DEPLOYMENT_MODE / DEPLOYMENT_KIND is set (else 404), and returns 503 if JWT_SECRET is not configured. Tenant inherited from the Basic-auth username; signing algorithm pinned to HS256. Never reachable in production. Documentation: - Architecture: "Five Runtime Modes" overview with Decision / MAP / WCP sequence diagrams describing how governance is enforced in each runtime mode. Version: all version sites bumped to 8.5.1. Signed-off-by: AxonFlow Team <bot@getaxonflow.com>
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
v8.5.1 sync
Licensed tier now reconciled into the database at boot
On a fresh install the agent validated the deployment license and reported the correct tier at
/health, but the licensed tier was held only in agent memory and never written to theorganizationstable — which every DB consumer (portal UI, node-limit enforcement, compliance-evidence) reads. v8.5.1 fixes it at the source: after license validation the agent upserts the deployment org'stier/max_nodesat boot via a new RLS-safeSECURITY DEFINERmigration (clearsFORCE ROW LEVEL SECURITYwithout elevating the request path). Idempotent and non-fatal. A fresh Enterprise install now reports Enterprise in the portal and DB immediately, no request traffic required.Dev-mode token endpoint —
POST /api/v1/dev/tokenNon-production developer convenience: mints a short-lived HS256
user_tokenfrom the authenticated Basic-auth credential so local/CI integrations don't hand-run a JWT script. Fail-closed: the route is only registered in a non-productionENVIRONMENT/DEPLOYMENT_MODE/DEPLOYMENT_KIND(else404), and returns503ifJWT_SECRETis unset. Tenant inherited from the Basic-auth username; HS256-pinned. Never reachable in production.Documentation
"Five Runtime Modes" architecture overview + Decision / MAP / WCP sequence diagrams.
Version
All version sites bumped to 8.5.1.
Review checklist