feat(v7.0.0): multi-tenant identity and governance profiles

.github/workflows/security.yml

@@ -234,6 +234,8 @@ jobs:
           scanners: 'secret'
           format: 'table'
           exit-code: '0'  # Informational (demo tokens trigger false positives)
+          timeout: '15m'  # Default 5m too short — Maven pom.xml resolution can be slow
+          skip-dirs: 'node_modules,vendor,.cache'
 
   # Docker Image Scans - Skip on PRs for speed
   trivy-docker-agent:

.gitleaks.toml

@@ -0,0 +1,30 @@
+# gitleaks configuration for axonflow-enterprise
+# Issue #1541: prevent any future hardcoded Ed25519 signing keys
+
+title = "AxonFlow Gitleaks Rules"
+
+[extend]
+useDefault = true
+
+[[rules]]
+id = "axonflow-ed25519-signing-key"
+description = "Hardcoded Ed25519 private seed near a *_SIGNING_KEY env var assignment"
+regex = '''(?i)(ENT|EVAL|ED25519|AXONFLOW_(ENT|EVAL))_SIGNING_KEY[[:space:]]*=[[:space:]]*["'][A-Za-z0-9+/]{42,44}={0,2}["']'''
+tags = ["key", "ed25519", "private-key"]
+keywords = ["SIGNING_KEY"]
+
+# Allow the load_signing_keys() helper which legitimately mentions the env vars
+# without ever assigning a hardcoded value.
+[allowlist]
+description = "Setup script load helpers + tests"
+paths = [
+    '''.*_test\.go$''',
+    '''.*_test\.py$''',
+    '''.*_test\.ts$''',
+    '''.*\.md$''',
+]
+regexes = [
+    '''SIGNING_KEY[[:space:]]*=[[:space:]]*""''',
+    '''SIGNING_KEY=\$\{''',
+    '''SIGNING_KEY=\$\(''',
+]

.pre-commit-config.yaml

@@ -0,0 +1,14 @@
+# Pre-commit hooks for axonflow-enterprise.
+# Run `pre-commit install` once to enable.
+# CI also runs these on every PR.
+#
+# Issue #1541: gitleaks rule prevents hardcoded Ed25519 signing keys.
+
+repos:
+  - repo: https://github.com/gitleaks/gitleaks
+    rev: v8.21.2
+    hooks:
+      - id: gitleaks
+        name: Detect hardcoded secrets
+        description: Scan for hardcoded keys, tokens, and Ed25519 signing seeds
+        args: ["--config=.gitleaks.toml"]

docker-compose.community-saas.yml

@@ -0,0 +1,71 @@
+# AxonFlow Community SaaS Overlay
+# Local E2E testing for try.getaxonflow.com evaluation stack
+#
+# Usage:
+#   docker compose -f docker-compose.yml -f docker-compose.community-saas.yml up -d
+#
+# What this adds:
+#   - Ollama service with llama3.2 model (auto-pulled on first start)
+#   - DEPLOYMENT_MODE=community-saas for agent + orchestrator
+#   - Rate limits: 20/min, 500/day per tenant
+#   - POST /api/v1/register endpoint active (self-registration)
+#   - Ollama is the ONLY LLM provider (paid providers skipped)
+#
+# First start: ~3-5 minutes (model download). Subsequent starts: instant (volume).
+#
+# Services added:
+#   - Ollama:      localhost:11434
+
+services:
+  ollama:
+    image: ollama/ollama:latest
+    container_name: axonflow-ollama
+    restart: unless-stopped
+    ports:
+      - "11434:11434"
+    volumes:
+      - ollama-data:/root/.ollama
+    networks:
+      - axonflow-network
+    healthcheck:
+      test: ["CMD", "ollama", "list"]
+      interval: 15s
+      timeout: 10s
+      retries: 10
+      start_period: 30s
+
+  # One-shot init container: pulls llama3.2 model on first start.
+  # Exits cleanly when done. Subsequent starts skip if model already cached.
+  ollama-pull:
+    image: ollama/ollama:latest
+    container_name: axonflow-ollama-pull
+    restart: "no"
+    entrypoint: ["sh", "-c", "sleep 5 && OLLAMA_HOST=http://ollama:11434 ollama pull llama3.2:latest"]
+    depends_on:
+      ollama:
+        condition: service_healthy
+    networks:
+      - axonflow-network
+
+  axonflow-agent:
+    environment:
+      DEPLOYMENT_MODE: community-saas
+      OLLAMA_ENDPOINT: http://ollama:11434
+      OLLAMA_MODEL: llama3.2:latest
+      COMMUNITY_SAAS_MINUTE_LIMIT: "20"
+      COMMUNITY_SAAS_DAILY_LIMIT: "500"
+      # Empty = telemetry disabled locally (no DynamoDB in Docker)
+      COMMUNITY_SAAS_TELEMETRY_TABLE: ""
+    depends_on:
+      ollama:
+        condition: service_healthy
+
+  axonflow-orchestrator:
+    environment:
+      DEPLOYMENT_MODE: community-saas
+      OLLAMA_ENDPOINT: http://ollama:11434
+      OLLAMA_MODEL: llama3.2:latest
+
+volumes:
+  ollama-data:
+    driver: local

docker-compose.yml

@@ -87,7 +87,7 @@ services:
       DEPLOYMENT_MODE: ${DEPLOYMENT_MODE:-community}
       AXONFLOW_INTEGRATIONS: ${AXONFLOW_INTEGRATIONS:-}
       AXONFLOW_LICENSE_KEY: ${AXONFLOW_LICENSE_KEY:-}
-      AXONFLOW_VERSION: "${AXONFLOW_VERSION:-6.1.0}"
+      AXONFLOW_VERSION: "${AXONFLOW_VERSION:-7.0.0}"
 
       # Media governance (v4.5.0+) - set to "true" to enable in Community mode
       MEDIA_GOVERNANCE_ENABLED: ${MEDIA_GOVERNANCE_ENABLED:-}
@@ -223,7 +223,7 @@ services:
       PORT: 8081
       DEPLOYMENT_MODE: ${DEPLOYMENT_MODE:-community}
       AXONFLOW_LICENSE_KEY: ${AXONFLOW_LICENSE_KEY:-}
-      AXONFLOW_VERSION: "${AXONFLOW_VERSION:-6.1.0}"
+      AXONFLOW_VERSION: "${AXONFLOW_VERSION:-7.0.0}"
 
       # Media governance (v4.5.0+) - set to "true" to enable in Community mode
       MEDIA_GOVERNANCE_ENABLED: ${MEDIA_GOVERNANCE_ENABLED:-}

docs/COMPATIBILITY_MATRIX.md

@@ -6,7 +6,8 @@ This document maps platform versions to minimum SDK versions and the features ea
 
 | Platform Version | Min SDK Version | Recommended SDK | Key Features Added |
 |-----------------|----------------|-----------------|-------------------|
-| v6.0.0 | v5.0.0 (Go/TS/Java), v6.0.0 (Python) | v5.0.0 / v6.0.0 | OAuth2 Basic auth required, legacy engine removed, agent single entry point, Go module v5 |
+| v6.1.0 | v5.0.0 (Go/TS/Java), v6.0.0 (Python) | v5.1.0 / v6.1.0 | Mistral LLM provider, Cursor/Codex integration, GovernedTool adapter (TS/Go/Java), checkToolInput/checkToolOutput aliases |
+| v6.0.0 | v5.0.0 (Go/TS/Java), v6.0.0 (Python) | v5.1.0 / v6.1.0 | OAuth2 Basic auth required, legacy engine removed, agent single entry point, Go module v5 |
 | v5.0.0 | v4.0.0 | v4.1.0 | Removed `total_steps` from create workflow, MCP operation default `"execute"`, Go module v4 |
 | v4.8.0 | v3.8.0 | v3.8.0 | Version discovery, capability registry, User-Agent headers |
 | v4.7.0 | v3.7.0 | v3.7.0 | MCP check-input/check-output endpoints, circuit breaker pipeline |

docs/RBI_FREE_AI_COMPLIANCE.md

@@ -1,6 +1,6 @@
 # RBI FREE-AI Framework Compliance Guide
 
-*Last updated: April 2026 | AxonFlow Platform v6.0.0 | SDKs: Python v6.0.0, Go v5.0.0, TypeScript v5.0.0, Java v5.0.0*
+*Last updated: April 2026 | AxonFlow Platform v6.0.0 | SDKs: Python v6.1.0, Go v5.1.0, TypeScript v5.1.0, Java v5.1.0*
 
 This guide covers AxonFlow's compliance features for the Reserve Bank of India (RBI) Framework for Responsible and Ethical Enablement of AI (FREE-AI) published in August 2025.
 

docs/README.md

@@ -1,6 +1,6 @@
 # AxonFlow Documentation
 
-**Last Updated: April 2026** | **Platform: v6.0.0** | **SDKs: Python v6.0.0, Go v5.0.0, TypeScript v5.0.0, Java v5.0.0**
+**Last Updated: April 2026** | **Platform: v6.0.0** | **SDKs: Python v6.1.0, Go v5.1.0, TypeScript v5.1.0, Java v5.1.0**
 
 Public documentation for AxonFlow - synced to the Community Edition repository.
 
@@ -31,7 +31,7 @@ Configuration and how-to guides for common tasks.
 
 ## SDK Documentation
 
-AxonFlow provides official SDKs for Go, Python, Java, and TypeScript. SDK versions: Python v6.0.0, Go/TypeScript/Java v5.0.0.
+AxonFlow provides official SDKs for Go, Python, Java, and TypeScript. SDK versions: Python v6.1.0, Go/TypeScript/Java v5.1.0.
 
 | Document | Description |
 |----------|-------------|

docs/compliance/eu-ai-act.md

@@ -1,6 +1,6 @@
 # EU AI Act Compliance Guide
 
-*Last updated: April 2026 | AxonFlow Platform v6.0.0 | SDKs: Python v6.0.0, Go v5.0.0, TypeScript v5.0.0, Java v5.0.0*
+*Last updated: April 2026 | AxonFlow Platform v6.0.0 | SDKs: Python v6.1.0, Go v5.1.0, TypeScript v5.1.0, Java v5.1.0*
 
 AxonFlow provides comprehensive support for EU AI Act compliance. This guide covers the key features and APIs available for organizations operating AI systems in the European Union.
 

docs/compliance/rbi-free-ai.md

@@ -1,6 +1,6 @@
 # RBI FREE-AI Framework Compliance
 
-*Last updated: April 2026 | AxonFlow Platform v6.0.0 | SDKs: Python v6.0.0, Go v5.0.0, TypeScript v5.0.0, Java v5.0.0*
+*Last updated: April 2026 | AxonFlow Platform v6.0.0 | SDKs: Python v6.1.0, Go v5.1.0, TypeScript v5.1.0, Java v5.1.0*
 
 AxonFlow provides comprehensive compliance support for the Reserve Bank of India's **Framework for Responsible and Ethical Enablement of AI (FREE-AI)** guidelines for Indian banking institutions.
 

docs/compliance/sebi-ai-ml.md

@@ -1,6 +1,6 @@
 # SEBI AI/ML Guidelines Compliance
 
-*Last updated: April 2026 | AxonFlow Platform v6.0.0 | SDKs: Python v6.0.0, Go v5.0.0, TypeScript v5.0.0, Java v5.0.0*
+*Last updated: April 2026 | AxonFlow Platform v6.0.0 | SDKs: Python v6.1.0, Go v5.1.0, TypeScript v5.1.0, Java v5.1.0*
 
 AxonFlow provides compliance support for the Securities and Exchange Board of India's **Framework for AI/ML in Securities Markets** for regulated entities in India's capital markets.
 

docs/compliance/sebi-compliance.md

@@ -2,7 +2,7 @@
 
 > **Comprehensive reference:** For the full SEBI AI/ML framework mapping including API endpoints, policy templates, and audit export workflows, see [sebi-ai-ml.md](./sebi-ai-ml.md). This document focuses on Indian PII detection details and hands-on implementation examples.
 
-*Last updated: April 2026 | AxonFlow Platform v6.0.0 | SDKs: Python v6.0.0, Go v5.0.0, TypeScript v5.0.0, Java v5.0.0*
+*Last updated: April 2026 | AxonFlow Platform v6.0.0 | SDKs: Python v6.1.0, Go v5.1.0, TypeScript v5.1.0, Java v5.1.0*
 
 This guide covers AxonFlow's compliance features for the Securities and Exchange Board of India (SEBI) AI/ML Guidelines (June 2025 Consultation Paper) and the Digital Personal Data Protection Act (DPDP) 2023.
 

docs/getting-started.md

@@ -1,6 +1,6 @@
 # Getting Started with AxonFlow
 
-**Last Updated: April 2026** | **Platform: v6.0.0** | **SDKs: Python v6.0.0, Go v5.0.0, TypeScript v5.0.0, Java v5.0.0**
+**Last Updated: April 2026** | **Platform: v6.0.0** | **SDKs: Python v6.1.0, Go v5.1.0, TypeScript v5.1.0, Java v5.1.0**
 
 **Get AxonFlow running locally in about 10 minutes.**
 

docs/guides/llm-providers.md

@@ -310,9 +310,11 @@ Use `EnabledLLMProviders` parameter for these AI model providers:
 
 | Provider ID | Purpose | Secret Name | Fields |
 |-------------|---------|-------------|--------|
-| `openai` | OpenAI GPT models | `openai-api-key` | (plain string) |
-| `anthropic` | Anthropic Claude models | `anthropic-api-key` | (plain string) |
-| `gemini` | Google Gemini models | `gemini-api-key` | (plain string) |
+| `openai` | OpenAI GPT models | `openai-credentials` | `{"api_key": "sk-..."}` |
+| `anthropic` | Anthropic Claude models | `anthropic-credentials` | `{"api_key": "sk-ant-..."}` |
+| `gemini` | Google Gemini models | `google-credentials` | `{"api_key": "AIza..."}` |
+| `azure` | Azure OpenAI | `azure-openai-credentials` | `{"endpoint": "...", "api_key": "...", "deployment": "..."}` |
+| `mistral` | Mistral AI | `mistral-credentials` | `{"api_key": "..."}` |
 | `bedrock` | AWS Bedrock (IAM auth) | N/A | Uses IAM role |
 | `ollama` | Self-hosted Ollama | N/A | Uses endpoint URL |
 

docs/llm/mistral.md

@@ -2,7 +2,7 @@
 
 **Last Updated:** April 2026
 
-**Platform Version:** v6.0.0 | **SDKs:** Python v6.0.0, Go/TypeScript/Java v5.0.0
+**Platform Version:** v6.0.0 | **SDKs:** Python v6.1.0, Go/TypeScript/Java v5.1.0
 
 AxonFlow supports Mistral AI models for LLM routing and orchestration. Mistral is a leading European AI company based in France, offering high-performance models with competitive pricing and EU data residency options.
 

docs/tutorials/README.md

@@ -17,7 +17,7 @@ Step-by-step tutorials for getting started with AxonFlow.
 
 ## SDKs
 
-SDK versions: Python v6.0.0, Go/TypeScript/Java v5.0.0.
+SDK versions: Python v6.1.0, Go/TypeScript/Java v5.1.0.
 
 | Language | Package | Repository |
 |----------|---------|------------|

examples/audit-logging/go/go.mod

@@ -3,6 +3,6 @@ module github.com/getaxonflow/axonflow/examples/audit-logging/go
 go 1.21
 
 require (
-	github.com/getaxonflow/axonflow-sdk-go/v5 v5.0.0
+	github.com/getaxonflow/axonflow-sdk-go/v5 v5.1.0
 	github.com/sashabaranov/go-openai v1.17.9
 )

examples/audit-logging/java/pom.xml

@@ -32,7 +32,7 @@
         <dependency>
             <groupId>com.getaxonflow</groupId>
             <artifactId>axonflow-sdk</artifactId>
-            <version>5.0.0</version>
+            <version>5.1.0</version>
         </dependency>
         <!-- Override transitive jackson-core for CVE fix -->
         <dependency>

examples/audit-logging/python/requirements.txt

@@ -1,3 +1,3 @@
-axonflow>=6.0.0
+axonflow>=6.1.0
 python-dotenv>=1.0.0
 openai>=1.0.0

examples/audit-logging/typescript/package.json

@@ -7,7 +7,7 @@
     "start": "ts-node index.ts"
   },
   "dependencies": {
-    "@axonflow/sdk": "^5.0.0",
+    "@axonflow/sdk": "^5.1.0",
     "dotenv": "^16.6.1",
     "openai": "^4.104.0"
   },

examples/code-governance/go/go.mod

@@ -2,6 +2,6 @@ module github.com/axonflow/examples/code-governance
 
 go 1.21
 
-require github.com/getaxonflow/axonflow-sdk-go/v5 v5.0.0
+require github.com/getaxonflow/axonflow-sdk-go/v5 v5.1.0
 
 

examples/code-governance/java/pom.xml

@@ -32,7 +32,7 @@
         <dependency>
             <groupId>com.getaxonflow</groupId>
             <artifactId>axonflow-sdk</artifactId>
-            <version>5.0.0</version>
+            <version>5.1.0</version>
         </dependency>
         <!-- Override transitive jackson-core for CVE fix -->
         <dependency>

examples/code-governance/python/requirements.txt

@@ -1,2 +1,2 @@
-axonflow>=6.0.0
+axonflow>=6.1.0
 python-dotenv>=1.0.0

examples/code-governance/typescript/package.json

@@ -9,7 +9,7 @@
     "start:built": "node dist/index.js"
   },
   "dependencies": {
-    "@axonflow/sdk": "^5.0.0",
+    "@axonflow/sdk": "^5.1.0",
     "dotenv": "^16.3.1"
   },
   "devDependencies": {

examples/cost-controls/enforcement/go/go.mod

@@ -2,4 +2,4 @@ module cost-controls-enforcement
 
 go 1.21
 
-require github.com/getaxonflow/axonflow-sdk-go/v5 v5.0.0
+require github.com/getaxonflow/axonflow-sdk-go/v5 v5.1.0

examples/cost-controls/enforcement/java/pom.xml

@@ -32,7 +32,7 @@
         <dependency>
             <groupId>com.getaxonflow</groupId>
             <artifactId>axonflow-sdk</artifactId>
-            <version>5.0.0</version>
+            <version>5.1.0</version>
         </dependency>
         <!-- Override transitive jackson-core for CVE fix -->
         <dependency>

examples/cost-controls/enforcement/python/requirements.txt

@@ -1 +1 @@
-axonflow>=6.0.0
+axonflow>=6.1.0

examples/cost-controls/enforcement/typescript/package.json

@@ -9,7 +9,7 @@
     "test": "npm run start"
   },
   "dependencies": {
-    "@axonflow/sdk": "^5.0.0"
+    "@axonflow/sdk": "^5.1.0"
   },
   "devDependencies": {
     "@types/node": "^20.0.0",

examples/cost-controls/go/go.mod

@@ -2,4 +2,4 @@ module github.com/getaxonflow/axonflow/examples/cost-controls/go
 
 go 1.21
 
-require github.com/getaxonflow/axonflow-sdk-go/v5 v5.0.0
+require github.com/getaxonflow/axonflow-sdk-go/v5 v5.1.0

examples/cost-controls/java/pom.xml

@@ -32,7 +32,7 @@
         <dependency>
             <groupId>com.getaxonflow</groupId>
             <artifactId>axonflow-sdk</artifactId>
-            <version>5.0.0</version>
+            <version>5.1.0</version>
         </dependency>
         <!-- Override transitive jackson-core for CVE fix -->
         <dependency>

examples/cost-controls/python/requirements.txt

@@ -1 +1 @@
-axonflow>=6.0.0
+axonflow>=6.1.0

examples/cost-controls/typescript/package.json

@@ -8,7 +8,7 @@
     "start": "npx tsx src/index.ts"
   },
   "dependencies": {
-    "@axonflow/sdk": "^5.0.0"
+    "@axonflow/sdk": "^5.1.0"
   },
   "devDependencies": {
     "@types/node": "^20.0.0",

examples/cost-estimation/go/go.mod

@@ -2,4 +2,4 @@ module cost-estimation
 
 go 1.21
 
-require github.com/getaxonflow/axonflow-sdk-go/v5 v5.0.0
+require github.com/getaxonflow/axonflow-sdk-go/v5 v5.1.0

examples/cost-estimation/java/pom.xml

@@ -32,7 +32,7 @@
         <dependency>
             <groupId>com.getaxonflow</groupId>
             <artifactId>axonflow-sdk</artifactId>
-            <version>5.0.0</version>
+            <version>5.1.0</version>
         </dependency>
         <!-- Override transitive jackson for GHSA-72hv-8253-57qq -->
         <dependency>

examples/cost-estimation/python/requirements.txt

@@ -1,3 +1,3 @@
-axonflow>=6.0.0
+axonflow>=6.1.0
 python-dotenv>=1.0.0
 requests>=2.31.0

examples/cost-estimation/typescript/package.json

@@ -8,7 +8,7 @@
     "start": "npx tsx index.ts"
   },
   "dependencies": {
-    "@axonflow/sdk": "^5.0.0",
+    "@axonflow/sdk": "^5.1.0",
     "dotenv": "^16.3.1"
   },
   "devDependencies": {