
fix(v7.6.1): governance overrides + audit-search response fixes #384

Merged: saurabhjain1592 merged 1 commit into main from sync/enterprise-20260504-092109-25311176354 on May 4, 2026

@saurabhjain1592
Member

v7.6.1 — patch release

Two user-visible bug fixes around the read-side governance surface; no new endpoints, no schema-breaking changes on existing responses. Companion to plugin releases axonflow-claude-plugin v1.1.0, axonflow-cursor-plugin v1.1.0, axonflow-codex-plugin v1.1.0, and axonflow-openclaw-plugin v2.1.0, which expose this surface as agent-callable tools and skills.

Note: the binary additionally contains internal scaffolding for upcoming work (free-tier email recovery, paid plugin-claim tier). These are not yet wired to any user-facing surface in this release — no new public endpoints, no behaviour change. They activate in a later release when the plugin and operator-facing pieces ship together.

Bug fixes

  • POST /api/v1/audit/search no longer returns entries: null on empty result sets. The response now consistently returns entries: [] so downstream clients that iterate the array (for entry of entries) or read its length without a null guard work correctly. Pre-existing callers that already handled the null case remain compatible.

  • POST /api/v1/overrides now rejects with HTTP 403 for severity=critical system policies. Authentication-bypass, time-based blind SQL injection, stacked DROP/DELETE/UPDATE/INSERT/EXEC, government IDs, and financial-PII patterns are no longer overridable; attempting to create a session override against any of them returns 403 "Critical-risk policies cannot be overridden". Pre-existing active overrides on these policies are revoked at upgrade time.

PATCH release. Two user-visible bug fixes around the read-side governance
surface. Companion to plugin releases claude/cursor/codex 1.1.0 and
openclaw 2.1.0 which expose this surface as agent-callable tools.

Bug fixes:
- audit/search returns [] not null on empty result sets
- overrides 403 for severity=critical system policies (auth bypass,
  time-based blind SQLi, stacked DROP, government IDs, financial PII)

Note: binary contains dormant scaffolding for future work (free-tier
email recovery, paid plugin-claim tier) that is not yet wired to any
user-facing surface in this release.

Source Commits: b6d9678da,6b04a1d53,30e6e749a,5c8db6e64,51298828d,960df8869,43fb5e7bb,2129f6476,99457ac47,566f48889,66301c411,be5c41046,4be070591,c124d6135,407f36cef,73fe22624,62a707791,0cb3edf87,efde9b867,caedec77d,10f200aca,eafbfbf0d

Signed-off-by: AxonFlow Team <bot@getaxonflow.com>
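
The two fixes described in this pull request, sketched as an added example that is not AxonFlow's own code: a guard that refuses overrides on critical policies, the upgrade-time sweep of overrides created earlier, and normalising an empty audit-search result to `[]`. The choice of Go, the policy IDs, the function names and the 201 success status are assumptions made for illustration.

```go
package main

import (
	"encoding/json"
	"fmt"
	"net/http"
)

// Constructed policy catalogue: IDs and severities are illustrative only.
var severity = map[string]string{"sys_stacked_drop": "critical", "sys_email": "medium"}

// CreateOverride returns the status and message a guarded endpoint would send.
// Assumes policyID was already validated against the catalogue.
func CreateOverride(policyID string, active map[string]bool) (int, string) {
	if severity[policyID] == "critical" { // deny before any state is written
		return http.StatusForbidden, "Critical-risk policies cannot be overridden"
	}
	active[policyID] = true
	return http.StatusCreated, "override created" // 201 is an assumption
}

// RevokeCritical is the upgrade-time sweep: overrides created before the
// guard existed are removed. It returns how many were revoked.
func RevokeCritical(active map[string]bool) int {
	n := 0
	for id := range active {
		if severity[id] == "critical" {
			delete(active, id)
			n++
		}
	}
	return n
}

// SearchBody serialises an audit-search result. A nil slice would marshal
// to "entries":null, so it is normalised to an empty slice first.
func SearchBody(entries []string) string {
	if entries == nil {
		entries = []string{}
	}
	b, _ := json.Marshal(map[string][]string{"entries": entries})
	return string(b)
}

func main() {
	active := map[string]bool{"sys_stacked_drop": true, "sys_email": true}
	fmt.Println("revoked at upgrade:", RevokeCritical(active))
	status, msg := CreateOverride("sys_stacked_drop", active)
	fmt.Println(status, msg, SearchBody(nil))
}
```

Without the sweep, an override created before the guard existed would stay in force even though the endpoint now refuses to create it.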

saurabhjain1592 added the community-sync (Sync from enterprise repository) label on May 4, 2026
saurabhjain1592 enabled auto-merge on May 4, 2026 09:22
saurabhjain1592 added this pull request to the merge queue on May 4, 2026
Merged via the queue into main with commit 7ebed27 on May 4, 2026
32 checks passed
saurabhjain1592 deleted the sync/enterprise-20260504-092109-25311176354 branch on May 4, 2026 09:39