Skip to content

Releases: getaxonflow/axonflow-codex-plugin

v1.7.0

Choose a tag to compare

@saurabhjain1592 saurabhjain1592 released this 18 Jul 00:42
7e4a9c8

Changed

  • Audit payload now sends caller_name to identify the calling
    plugin, dual-sent with the legacy tool_type for the deprecation
    window
    (#82; axonflow-enterprise#2912, sub-issue of epic #2905).
    tool_type was being (ab)used to carry the caller's identity
    ("codex") rather than describing a tool's type. The platform side
    (axonflow-enterprise#2953, shipped in platform 9.11.0) adds the correctly-named caller_name
    field and resolves caller_name → tool_type → default, writing only
    caller_name on new rows; tool_type remains a deprecated legacy
    fallback that pre-#2953 platforms still honor. Both send sites —
    scripts/post-tool-audit.sh and scripts/pre-tool-check.sh's
    blocked-attempt audit entry — now send both caller_name: "codex"
    and tool_type: "codex". Dual-send is exact on a 9.11.0+ platform
    (caller_name wins) and status-quo on any pre-#2953 platform (the
    legacy tool_type still attributes the row), so the plugin can ship
    on the marketplace ahead of a customer's platform upgrade without a
    silent audit-attribution regression — critical here because a
    pre-#2953 agent drops the unknown caller_name and defaults an absent
    tool_type to "claude_code", misattributing every codex row.
    tool_type will be dropped once the platform floor includes #2953.
    This matches the transition pattern across the claude/cursor/openclaw
    siblings. The host-CLI shim (tests/host-cli-shim/run.sh, CI-gated)
    now asserts the on-the-wire audit_tool_call payload carries both
    keys, so a silent revert fails CI rather than passing on
    request-count alone.

v1.5.2 — Cross-plugin cooldown env override + cache-layout doc fix + org_id in heartbeat

Choose a tag to compare

@saurabhjain1592 saurabhjain1592 released this 23 May 16:01
ec78c6d

Cross-plugin consistency follow-up — overridable auth-failure cooldown, cache-layout documentation fix, and org_id in the telemetry heartbeat.

Added

  • org_id field in the telemetry heartbeat body. Brings the Codex plugin's telemetry up to parity with the platform — every heartbeat now identifies which deployment-organization emitted it. Three sources in precedence order: ORG_ID env var, tenant_id from ~/.config/axonflow/try-registration.json, or the local-dev-org sentinel. Honors AXONFLOW_TELEMETRY=off. See getaxonflow.com/privacy/ for the customer-facing commitment.

Changed

  • 401 auth-failure cooldown is now overridable via AXONFLOW_AUTH_FAILURE_COOLDOWN_SECONDS (canonical name shared with the cursor and claude plugins). Default behavior is unchanged — unset = 300s. Malformed values (non-integer, zero, negative) fall back to 300s so a typo in the env var can't silently disable the back-off. Useful for testing and tuning; production deployments continue to use the default.

  • scripts/telemetry-ping.sh header comment softened from "Anonymous telemetry heartbeat" to "Telemetry heartbeat" alongside the org_id addition.

Fixed

  • scripts/upgrade-prompt.sh Cache layout header now lists auth-failure-prompt-last-shown. The header block at the top of the file previously documented only throttle-until and upgrade-prompt-last-shown; the third cache file added in v1.5.1 was created on disk but missing from the doc-header table. Documentation-only fix; no behavior change.

Compatibility: requires AxonFlow platform v7.9.0+.

v1.5.1 — Throttle on HTTP 401 to prevent auth-storm retry loops

Choose a tag to compare

@saurabhjain1592 saurabhjain1592 released this 23 May 16:01
3d011c3

Fixes an auth-storm regression where invalid or expired credentials caused a tight 401 retry loop — one customer observed 716 retries in 24h against the audit endpoint from a single source IP.

Fixed

  • HTTP 401 from the AxonFlow agent no longer triggers a tight retry loop. The hook scripts' envelope handler previously only detected HTTP 429 (daily-quota) and HTTP 403 (graduated / Pro-only) — a 401 fell through to the JSON-RPC parser, exited 0 (fail-open), and the next tool call immediately re-fired the same 401. A new helper in scripts/upgrade-prompt.sh stamps a 5-minute throttle on any HTTP 401 with limit_type=auth_failure, wired into both pre- and post-tool hooks. Subsequent hook fires short-circuit on the throttle-until file until the deadline passes, breaking the loop. On the first 401 of each UTC day the user sees a stderr nudge naming the failure and pointing at https://getaxonflow.com/dashboard for credential refresh.

Compatibility: requires AxonFlow platform v7.9.0+.

v1.5.0 — Terminology: tenant_id → client_id in user-facing output

Choose a tag to compare

@saurabhjain1592 saurabhjain1592 released this 23 May 16:00
f3797d6

Aligns the Codex plugin's user-facing output with AxonFlow's v9 terminology — tenant_id becomes client_id in scripts/recover.sh status output.

Changed

  • scripts/recover.sh status (and verify) output: tenant_id label is now client_id. Same value, new user-facing term. Aligns Codex plugin output with the rest of AxonFlow's v9 terminology (the org_idclient_id ↔ deployment-license-identity three-identifier model). For this release, the output carries a parenthetical bridge note ((formerly tenant_id)) so existing users connect the old and new terms without surprise. The bridge note will be removed in v1.6.0.

    Cosmetic only — no config change is required. The on-disk registration file at ~/.config/axonflow/try-registration.json continues to use the tenant_id JSON key, and ~/.codex/axonflow.toml continues to use tenant_id = "..." (file-format compat with installed base); only the human-readable status output reads client_id. Wire-level X-Axonflow-Client header is unchanged. The agent-side MCP tool axonflow_get_tenant_id keeps its name.

    Action required for users who scripted around the old output: if your tooling greps for tenant_id in scripts/recover.sh status stdout, update to grep for client_id (or use the underlying config files which still carry the legacy key).

  • README install-flow examples updated to use client_id terminology consistently.


Compatibility: requires AxonFlow platform v7.9.0+.

v1.4.0 — Decision History API + policy_version recorded on every decision + telemetry simplification

Choose a tag to compare

@saurabhjain1592 saurabhjain1592 released this 09 May 15:31
119bef7

Companion plugin release to AxonFlow agent v7.9.0. Adds the new decision-history surface to Codex and brings the plugin onto the v1 telemetry schema.

Added

  • list-recent-decisions skill — surfaces the caller's recent governance decisions via the new list_recent_decisions MCP tool from Codex. Tier-throttled per the platform's Free/Pro window+limit; Free callers hitting the cap see the upgrade envelope rendered to the host.

Telemetry

  • AXONFLOW_TELEMETRY=off is the sole opt-out for the plugin heartbeat — same single-lever model as the SDKs.
  • Heartbeat payload v1 schema additions: telemetry_type: "plugin", endpoint_type (localhost | private_network | remote | unknown), deployment_mode (self_hosted | community_saas | unknown). Set AXONFLOW_TRY=1 if your stack proxies a custom hostname into try.getaxonflow.com so heartbeats classify as community_saas correctly.

Compatibility: requires AxonFlow platform v7.9.0+. Existing v1.3.x callers continue to work; the new skill activates when paired with v7.9.0+.

v1.3.0 — V1 Plugin Pro upgrade-prompt envelope + 5 new MCP tools surfaced

Choose a tag to compare

@saurabhjain1592 saurabhjain1592 released this 07 May 20:59
de59d87

Companion plugin release to AxonFlow agent v7.7.0. Surfaces the V1
Plugin Pro structured upgrade envelope to the operator on Community
SaaS rate-limit hits and documents 5 new agent-callable MCP tools.

Added

  • V1 Plugin Pro upgrade-prompt envelope handling in both
    pre-tool-check.sh (PreToolUse-equivalent) and post-tool-audit.sh
    (PostToolUse-equivalent) hooks. When the agent returns a 429
    (daily-quota) or 403 (graduated / Pro-only) with the structured
    envelope shape, the plugin:

    • Parses upgrade.wording + upgrade.buy_url and prints a single-line
      nudge to stderr (e.g. [AxonFlow] Daily limit reached on Free tier (200 events). Pro raises this to 2,000/day. Resets at midnight UTC.).
      Surfaced at most once per UTC day so it doesn't spam every hook.
    • Honours Retry-After / resets_at by stamping a back-off file at
      ${XDG_CACHE_HOME:-~/.cache}/axonflow/throttle-until. Subsequent hook
      fires fall open locally without re-hammering the agent until the
      deadline passes. Prevents the silent-retry pattern (581 retries in
      18h pre-envelope) that motivated this work.
  • References to the 5 new agent-callable MCP tools in the README.
    The agent can answer "what's my tenant ID?", "what would I get on Pro?", and related questions directly via:

    • axonflow_get_tenant_id — Free + Pro, no gate.
    • axonflow_list_pro_features — Free + Pro, locked feature list.
    • axonflow_request_approval — Free 1/7d rolling, Pro unlimited.
    • axonflow_create_tenant_policy — Free 2 active max, Pro unlimited.
    • axonflow_get_cost_estimate — Pro-only, hidden from Free tools/list.

    Auto-discovered via the existing MCP HTTP transport — no client-side
    registration needed.

Changed

  • README "Pro tier license token" section corrected to the locked V1
    numbers: 2,000 events/day (was 1,000), unlimited custom policies,
    unlimited HITL approvals, and the LLM cost pre-flight feature added.
  • README MCP-tools section renumbered from "10 MCP tools" to "15 MCP
    tools" to include the new V1 Pro tier-identity / tier-capability tools.
  • pro-tier-status skill — prefer the local
    scripts/recover.sh status over the MCP tool
    for tenant_id / tier
    queries. The local script reads state directly and answers without
    an agent round-trip. Faster, works offline, and works exactly when
    the user typically asks ("the agent isn't reachable, what's my
    tenant ID for Stripe Checkout?"). The MCP tool stays as a
    documented fallback for the rare cases where server-truth matters
    (revocation, clock skew, server-side overrides). Same flip applied
    to claude / cursor sister plugins.

Internal

  • runtime-e2e/v1_pro_envelope_surface/ — drives a fresh Free-tier
    tenant past the 200/day cap on try.getaxonflow.com, asserts the
    plugin's envelope helper prints the locked V1 wording to stderr
    and stamps a throttle deadline.
  • Added tests/test-upgrade-prompt.sh — 21 unit assertions across 8
    scenarios for every branch of the envelope handler.
  • Added tests/test-skill-status-prefers-local.sh — 4 content assertions
    locking the local-first SKILL.md ordering in; wired into
    .github/workflows/test.yml. The sister axonflow-claude-plugin
    ships the runtime proof that the wording flip changes downstream
    LLM behaviour (structurally identical wording across the three
    plugins).

v1.2.0 — V1 paid Pro tier wire-up + X-Axonflow-Client header

Choose a tag to compare

@saurabhjain1592 saurabhjain1592 released this 06 May 13:43
7c37d5c

Companion plugin release to platform v7.7.0. Surfaces the V1 SaaS Plugin
Pro tier — license token paste activates Pro features immediately, plus
the agent-side scope-validation header on every governed request via
.mcp.json's http_headers block.

Added

  • X-Axonflow-Client: codex/<version> header on every governed
    agent request. Declared via .mcp.json's http_headers block (set up
    by scripts/install-mcp-with-headers.sh at install time) and exported
    as ${AXONFLOW_CLIENT_HEADER} by pre-tool-check.sh on every
    hook-invoke. Agents at v7.7.0+ derive request scope from this header
    and reject cross-quadrant token misuse (e.g. a SaaS Plugin Pro token
    paired with an SDK request) at the validator boundary. Older agents
    (pre-v7.7.0) ignore the header and continue to work unchanged.

Changed

  • scripts/recover.sh status tier line now surfaces Pro license expiry date. The status output's tier line parses the JWT exp claim from the configured Pro license token and renders one of three shapes: Pro tier active (expires YYYY-MM-DD, N days remaining) when active, Free tier (Pro expired YYYY-MM-DD — visit https://getaxonflow.com/pricing/ to renew) when the token is on disk but its exp has passed (plugin will not forward an expired token), or Free tier (no AXON- license token configured) when no token is loaded. Lets users see their renewal date without hitting the agent and catches the lapsed-token state before their next governed call. Display only — JWT signature validation remains the platform's job. Pre-existing Pro tier active and Free tier substring assertions still hold.
  • scripts/recover.sh status now surfaces tenant_id + upgrade URL. Free-tier users need to find their tenant_id (cs_<uuid>) to paste into the Stripe Checkout custom field at getaxonflow.com/pricing/. The status output now reads ~/.config/axonflow/try-registration.json (the auto-bootstrap registration file) and prints the tenant_id alongside endpoint + license-token state. Adds an upgrade line (default https://getaxonflow.com/pricing/, override via AXONFLOW_UPGRADE_URL) and copy-paste-ready upgrade instructions. Token still redacted to last 4 chars (no full bearer credential in stdout — see PR #41).

Added

  • V1 paid Pro tier — X-License-Token wire-up. When AXONFLOW_LICENSE_TOKEN is set in the environment, or license_token = "AXON-..." is present in ~/.codex/axonflow.toml, the plugin forwards the token as the X-License-Token HTTP header on every governed request (pre-tool policy check, post-tool audit + scan, and the long-lived MCP session). The agent's plugin-claim middleware validates the token's Ed25519 signature and database row, then enriches the request context with Pro-tier capabilities (longer audit retention, larger payload caps, higher daily quotas). Token absence is the free tier — no header is sent. Tokens that don't carry the canonical AXON- prefix are filtered out before the request leaves the plugin so the agent never sees garbage.
  • Credential & license-token recovery surface — scripts/recover.sh. Four sub-flows for users who need to manage credentials without leaving Codex:
    • request — POSTs /api/v1/recover with the user's email so the agent emails a magic link with a one-time token.
    • verify — POSTs /api/v1/recover/verify with the pasted token, then atomically persists the returned tenant_id, secret, endpoint, and email into ~/.codex/axonflow.toml (mode 0600, inside a 0700 parent). An existing license_token line is preserved so credential recovery never silently downgrades a Pro-tier user to the free tier.
    • apply-token — persists a freshly-issued AXON-... Pro-tier license token into the same TOML file.
    • status — reports the active endpoint, config file presence, license token presence, and current tier.
      The same script powers two new agent-callable skills (recover-credentials, pro-tier-status) so Codex can guide a user through the flow when they say "I lost my credentials" or "am I on Pro?". For automation and runtime tests the script also reads AXONFLOW_RECOVER_EMAIL, AXONFLOW_RECOVER_TOKEN, and AXONFLOW_LICENSE_TOKEN from the environment instead of prompting.
  • Runtime E2E coverage for both surfaces:
    • runtime-e2e/v1-paid-tier/test.sh — drives the pre-tool hook against a local capture server and asserts the X-License-Token header is sent (env, TOML, env-overrides-TOML, absence, malformed) plus the live agent middleware path when /health advertises plugin_claim_license.
    • runtime-e2e/recovery/test.sh — drives recover.sh against a local fake recovery agent and asserts the full request → verify → persist → status path, including replay rejection and license_token preservation across credential re-recovery.

Fixed

  • Upgrade-pointer URL aligned with the canonical pricing page. AXONFLOW_UPGRADE_URL default (the URL surfaced by scripts/recover.sh status and the pro-tier-status skill to free-tier users, plus embedded in the tier Free tier (Pro expired ... — visit ... to renew) line) is now https://getaxonflow.com/pricing/. The previous default https://getaxonflow.com/pro returned 404 — that page was referenced in PRDs but never built. The pricing page already resolves and carries the Plugin Pro $9.99 tier card with the Stripe buy button, so plugin status output now points free-tier users at a working URL. Override via AXONFLOW_UPGRADE_URL env var if needed. Same fix landed in companion plugin releases (openclaw-plugin v2.2.0, claude-plugin v1.2.0, cursor-plugin v1.2.0).

v1.1.0 — 4 read-side governance skills

Choose a tag to compare

@saurabhjain1592 saurabhjain1592 released this 04 May 10:00
25dc67a

Added

  • 4 new agent-callable governance skills. Codex agents can use the
    AxonFlow read-side governance surface directly in conversation:
    explain-decision, list-overrides, create-override, and
    revoke-override. Joins the existing audit-search skill for full
    read-side parity.

v1.0.0

Choose a tag to compare

@saurabhjain1592 saurabhjain1592 released this 29 Apr 23:40
ffbfa41

Upgrade strongly recommended. Over the past month we've shipped substantial production, quality, and security hardening across the AxonFlow plugin and platform — upgrade to the latest version for a more secure, reliable, and bug-free experience.

Security highlights from this release cycle:

  • Plugin cache and credential-file permission hardening (this release). ~/.config/axonflow/ and ~/.cache/axonflow/ are tightened to mode 0700 on every invocation (was: only set on creation, leaving pre-existing world-readable directories unchanged); try-registration.json is written with mode 0600. Pre-existing world-readable credential files are detected and refused on first load. Documented in GHSA-8wrg-fpx5-87f7.
  • Cross-platform bootstrap reliability (this release). macOS Community-SaaS bootstrap was silently no-op'ing because flock(1) is Linux-only; now uses a portable mkdir-based atomic lock with stale-lock reclamation, so first-install registration runs on macOS too.
  • Telemetry opt-out reliability (this release). DO_NOT_TRACK was unreliable because Codex CLI itself injects DO_NOT_TRACK=1 into hook subprocesses regardless of user intent; the canonical opt-out is now AXONFLOW_TELEMETRY=off, an AxonFlow-scoped signal hosts can't unilaterally set.

The full set of platform-side security fixes shipped alongside this release — including multi-tenant isolation in MAP execution, cross-tenant audit-log isolation, and SQLi enforcement on the Community SaaS endpoint — is documented in the consolidated platform advisory GHSA-9h64-2846-7x7f.

Reliability and bug-fix highlights:

  • 7-day delivered-heartbeat with stamp-on-success (this release). Telemetry stamp advances only after the POST returns 2xx, so a transient network failure no longer silences telemetry until the next 7-day window. Concurrent invocations are de-duplicated by an in-flight gate.
  • Mode-clarity canary log line on every hook init (this release). Stderr emits [AxonFlow] Connected to AxonFlow at <URL> (mode=...) and a PR-blocking CI gate asserts the canary matches the actual outbound destination, guarding against silent endpoint drift.
  • PR-blocking install-to-use smoke against the live community stack (this release). Catches plugin-side regressions against try.getaxonflow.com before they reach a user's terminal.

BREAKING

  • DO_NOT_TRACK is no longer honored as an AxonFlow telemetry opt-out. Use AXONFLOW_TELEMETRY=off instead. Host tools and CLIs commonly inject DO_NOT_TRACK=1 regardless of user intent, which makes it unreliable as a signal.

Added

  • First-run Community-SaaS bootstrap — plugin connects to AxonFlow Community SaaS at https://try.getaxonflow.com when neither AXONFLOW_ENDPOINT nor AXONFLOW_AUTH is set. Registers via /api/v1/register on first run and persists {tenant_id, secret, expires_at, endpoint} to ~/.config/axonflow/try-registration.json (mode 0600 inside a 0700 directory). Refuses to load a registration file with non-0600 permissions. HTTP 429 → 1-hour backoff. Existing self-hosted installs (AXONFLOW_ENDPOINT or AXONFLOW_AUTH set) are honoured untouched.
  • Mode-clarity canary on every hook init: [AxonFlow] Connected to AxonFlow at <URL> (mode=community-saas|self-hosted) on stderr. A CI gate parses this canary and asserts it matches the actual outbound destination.
  • One-time setup disclosure on first Community-SaaS connection. Stamped at ~/.cache/axonflow/codex-plugin-disclosure-shown so it fires exactly once per install.
  • Plugin/platform version compatibility check (scripts/version-check.sh). Queries the agent's /health endpoint and warns if the plugin runtime is below the platform's expected floor. Skippable via AXONFLOW_PLUGIN_VERSION_CHECK=off.

Changed

  • Telemetry switched to a 7-day delivered-heartbeat. At most one anonymous ping per environment every 7 days, with the stamp advanced only after the POST returns 2xx — a transient network failure doesn't silence telemetry until the next window. Concurrent invocations are de-duplicated by an in-flight gate.

Fixed

  • The DO_NOT_TRACK=1 is deprecated... warning is no longer emitted on every hook invocation when DO_NOT_TRACK=1 is set.
  • Telemetry heartbeat now correctly classifies Community-SaaS sessions (was tagged production because the bootstrap-injected AXONFLOW_AUTH shadowed the resolver, sending /health probes to localhost and platform_version=null with the wrong deployment_mode).
  • Bootstrap and heartbeat now run on macOS — flock(1) isn't on stock macOS, so the in-flight lock falls back to a mkdir-based atomic lock with stale-lock reclamation when flock is unavailable.

Security

  • ~/.config/axonflow/ and ~/.cache/axonflow/ permissions tightened to 0700 on every invocation (was: only set on creation via mkdir -m 0700, which left existing 0755 dirs unchanged).

v0.4.2

Choose a tag to compare

@saurabhjain1592 saurabhjain1592 released this 22 Apr 13:32
5d163ba

Deprecated

  • DO_NOT_TRACK=1 as an AxonFlow telemetry opt-out — scheduled for removal after 2026-05-05 in the next major release. Use AXONFLOW_TELEMETRY=off instead. The plugin's telemetry-ping.sh emits a one-time stderr warning when DO_NOT_TRACK=1 is the active control and AXONFLOW_TELEMETRY=off is not also set.