Releases: getaxonflow/axonflow-codex-plugin
Release list
v1.7.0
Changed
- Audit payload now sends
caller_nameto identify the calling
plugin, dual-sent with the legacytool_typefor the deprecation
window (#82; axonflow-enterprise#2912, sub-issue of epic #2905).
tool_typewas being (ab)used to carry the caller's identity
("codex") rather than describing a tool's type. The platform side
(axonflow-enterprise#2953, shipped in platform 9.11.0) adds the correctly-namedcaller_name
field and resolvescaller_name → tool_type → default, writing only
caller_nameon new rows;tool_typeremains a deprecated legacy
fallback that pre-#2953 platforms still honor. Both send sites —
scripts/post-tool-audit.shandscripts/pre-tool-check.sh's
blocked-attempt audit entry — now send bothcaller_name: "codex"
andtool_type: "codex". Dual-send is exact on a 9.11.0+ platform
(caller_namewins) and status-quo on any pre-#2953 platform (the
legacytool_typestill attributes the row), so the plugin can ship
on the marketplace ahead of a customer's platform upgrade without a
silent audit-attribution regression — critical here because a
pre-#2953 agent drops the unknowncaller_nameand defaults an absent
tool_typeto"claude_code", misattributing every codex row.
tool_typewill be dropped once the platform floor includes #2953.
This matches the transition pattern across the claude/cursor/openclaw
siblings. The host-CLI shim (tests/host-cli-shim/run.sh, CI-gated)
now asserts the on-the-wireaudit_tool_callpayload carries both
keys, so a silent revert fails CI rather than passing on
request-count alone.
v1.5.2 — Cross-plugin cooldown env override + cache-layout doc fix + org_id in heartbeat
Cross-plugin consistency follow-up — overridable auth-failure cooldown, cache-layout documentation fix, and org_id in the telemetry heartbeat.
Added
org_idfield in the telemetry heartbeat body. Brings the Codex plugin's telemetry up to parity with the platform — every heartbeat now identifies which deployment-organization emitted it. Three sources in precedence order:ORG_IDenv var,tenant_idfrom~/.config/axonflow/try-registration.json, or thelocal-dev-orgsentinel. HonorsAXONFLOW_TELEMETRY=off. See getaxonflow.com/privacy/ for the customer-facing commitment.
Changed
-
401 auth-failure cooldown is now overridable via
AXONFLOW_AUTH_FAILURE_COOLDOWN_SECONDS(canonical name shared with the cursor and claude plugins). Default behavior is unchanged — unset = 300s. Malformed values (non-integer, zero, negative) fall back to 300s so a typo in the env var can't silently disable the back-off. Useful for testing and tuning; production deployments continue to use the default. -
scripts/telemetry-ping.shheader comment softened from "Anonymous telemetry heartbeat" to "Telemetry heartbeat" alongside theorg_idaddition.
Fixed
scripts/upgrade-prompt.shCache layout header now listsauth-failure-prompt-last-shown. The header block at the top of the file previously documented onlythrottle-untilandupgrade-prompt-last-shown; the third cache file added in v1.5.1 was created on disk but missing from the doc-header table. Documentation-only fix; no behavior change.
Compatibility: requires AxonFlow platform v7.9.0+.
v1.5.1 — Throttle on HTTP 401 to prevent auth-storm retry loops
Fixes an auth-storm regression where invalid or expired credentials caused a tight 401 retry loop — one customer observed 716 retries in 24h against the audit endpoint from a single source IP.
Fixed
- HTTP 401 from the AxonFlow agent no longer triggers a tight retry loop. The hook scripts' envelope handler previously only detected HTTP 429 (daily-quota) and HTTP 403 (graduated / Pro-only) — a 401 fell through to the JSON-RPC parser, exited 0 (fail-open), and the next tool call immediately re-fired the same 401. A new helper in
scripts/upgrade-prompt.shstamps a 5-minute throttle on any HTTP 401 withlimit_type=auth_failure, wired into both pre- and post-tool hooks. Subsequent hook fires short-circuit on the throttle-until file until the deadline passes, breaking the loop. On the first 401 of each UTC day the user sees a stderr nudge naming the failure and pointing at https://getaxonflow.com/dashboard for credential refresh.
Compatibility: requires AxonFlow platform v7.9.0+.
v1.5.0 — Terminology: tenant_id → client_id in user-facing output
Aligns the Codex plugin's user-facing output with AxonFlow's v9 terminology — tenant_id becomes client_id in scripts/recover.sh status output.
Changed
-
scripts/recover.sh status(andverify) output:tenant_idlabel is nowclient_id. Same value, new user-facing term. Aligns Codex plugin output with the rest of AxonFlow's v9 terminology (theorg_id↔client_id↔ deployment-license-identity three-identifier model). For this release, the output carries a parenthetical bridge note ((formerly tenant_id)) so existing users connect the old and new terms without surprise. The bridge note will be removed in v1.6.0.Cosmetic only — no config change is required. The on-disk registration file at
~/.config/axonflow/try-registration.jsoncontinues to use thetenant_idJSON key, and~/.codex/axonflow.tomlcontinues to usetenant_id = "..."(file-format compat with installed base); only the human-readable status output readsclient_id. Wire-levelX-Axonflow-Clientheader is unchanged. The agent-side MCP toolaxonflow_get_tenant_idkeeps its name.Action required for users who scripted around the old output: if your tooling greps for
tenant_idinscripts/recover.sh statusstdout, update to grep forclient_id(or use the underlying config files which still carry the legacy key). -
README install-flow examples updated to use
client_idterminology consistently.
Compatibility: requires AxonFlow platform v7.9.0+.
v1.4.0 — Decision History API + policy_version recorded on every decision + telemetry simplification
Companion plugin release to AxonFlow agent v7.9.0. Adds the new decision-history surface to Codex and brings the plugin onto the v1 telemetry schema.
Added
list-recent-decisionsskill — surfaces the caller's recent governance decisions via the newlist_recent_decisionsMCP tool from Codex. Tier-throttled per the platform's Free/Pro window+limit; Free callers hitting the cap see the upgrade envelope rendered to the host.
Telemetry
AXONFLOW_TELEMETRY=offis the sole opt-out for the plugin heartbeat — same single-lever model as the SDKs.- Heartbeat payload v1 schema additions:
telemetry_type: "plugin",endpoint_type(localhost | private_network | remote | unknown),deployment_mode(self_hosted | community_saas | unknown). SetAXONFLOW_TRY=1if your stack proxies a custom hostname into try.getaxonflow.com so heartbeats classify ascommunity_saascorrectly.
Compatibility: requires AxonFlow platform v7.9.0+. Existing v1.3.x callers continue to work; the new skill activates when paired with v7.9.0+.
v1.3.0 — V1 Plugin Pro upgrade-prompt envelope + 5 new MCP tools surfaced
Companion plugin release to AxonFlow agent v7.7.0. Surfaces the V1
Plugin Pro structured upgrade envelope to the operator on Community
SaaS rate-limit hits and documents 5 new agent-callable MCP tools.
Added
-
V1 Plugin Pro upgrade-prompt envelope handling in both
pre-tool-check.sh(PreToolUse-equivalent) andpost-tool-audit.sh
(PostToolUse-equivalent) hooks. When the agent returns a 429
(daily-quota) or 403 (graduated / Pro-only) with the structured
envelope shape, the plugin:- Parses
upgrade.wording+upgrade.buy_urland prints a single-line
nudge to stderr (e.g.[AxonFlow] Daily limit reached on Free tier (200 events). Pro raises this to 2,000/day. Resets at midnight UTC.).
Surfaced at most once per UTC day so it doesn't spam every hook. - Honours
Retry-After/resets_atby stamping a back-off file at
${XDG_CACHE_HOME:-~/.cache}/axonflow/throttle-until. Subsequent hook
fires fall open locally without re-hammering the agent until the
deadline passes. Prevents the silent-retry pattern (581 retries in
18h pre-envelope) that motivated this work.
- Parses
-
References to the 5 new agent-callable MCP tools in the README.
The agent can answer"what's my tenant ID?","what would I get on Pro?", and related questions directly via:axonflow_get_tenant_id— Free + Pro, no gate.axonflow_list_pro_features— Free + Pro, locked feature list.axonflow_request_approval— Free 1/7d rolling, Pro unlimited.axonflow_create_tenant_policy— Free 2 active max, Pro unlimited.axonflow_get_cost_estimate— Pro-only, hidden from Freetools/list.
Auto-discovered via the existing MCP HTTP transport — no client-side
registration needed.
Changed
- README "Pro tier license token" section corrected to the locked V1
numbers: 2,000 events/day (was 1,000), unlimited custom policies,
unlimited HITL approvals, and the LLM cost pre-flight feature added. - README MCP-tools section renumbered from "10 MCP tools" to "15 MCP
tools" to include the new V1 Pro tier-identity / tier-capability tools. pro-tier-statusskill — prefer the local
scripts/recover.sh statusover the MCP tool for tenant_id / tier
queries. The local script reads state directly and answers without
an agent round-trip. Faster, works offline, and works exactly when
the user typically asks ("the agent isn't reachable, what's my
tenant ID for Stripe Checkout?"). The MCP tool stays as a
documented fallback for the rare cases where server-truth matters
(revocation, clock skew, server-side overrides). Same flip applied
to claude / cursor sister plugins.
Internal
runtime-e2e/v1_pro_envelope_surface/— drives a fresh Free-tier
tenant past the 200/day cap ontry.getaxonflow.com, asserts the
plugin's envelope helper prints the locked V1 wording to stderr
and stamps a throttle deadline.- Added
tests/test-upgrade-prompt.sh— 21 unit assertions across 8
scenarios for every branch of the envelope handler. - Added
tests/test-skill-status-prefers-local.sh— 4 content assertions
locking the local-first SKILL.md ordering in; wired into
.github/workflows/test.yml. The sisteraxonflow-claude-plugin
ships the runtime proof that the wording flip changes downstream
LLM behaviour (structurally identical wording across the three
plugins).
v1.2.0 — V1 paid Pro tier wire-up + X-Axonflow-Client header
Companion plugin release to platform v7.7.0. Surfaces the V1 SaaS Plugin
Pro tier — license token paste activates Pro features immediately, plus
the agent-side scope-validation header on every governed request via
.mcp.json's http_headers block.
Added
X-Axonflow-Client: codex/<version>header on every governed
agent request. Declared via.mcp.json'shttp_headersblock (set up
byscripts/install-mcp-with-headers.shat install time) and exported
as${AXONFLOW_CLIENT_HEADER}bypre-tool-check.shon every
hook-invoke. Agents at v7.7.0+ derive request scope from this header
and reject cross-quadrant token misuse (e.g. a SaaS Plugin Pro token
paired with an SDK request) at the validator boundary. Older agents
(pre-v7.7.0) ignore the header and continue to work unchanged.
Changed
scripts/recover.sh statustier line now surfaces Pro license expiry date. The status output'stierline parses the JWTexpclaim from the configured Pro license token and renders one of three shapes:Pro tier active (expires YYYY-MM-DD, N days remaining)when active,Free tier (Pro expired YYYY-MM-DD — visit https://getaxonflow.com/pricing/ to renew)when the token is on disk but itsexphas passed (plugin will not forward an expired token), orFree tier (no AXON- license token configured)when no token is loaded. Lets users see their renewal date without hitting the agent and catches the lapsed-token state before their next governed call. Display only — JWT signature validation remains the platform's job. Pre-existingPro tier activeandFree tiersubstring assertions still hold.scripts/recover.sh statusnow surfaces tenant_id + upgrade URL. Free-tier users need to find theirtenant_id(cs_<uuid>) to paste into the Stripe Checkout custom field atgetaxonflow.com/pricing/. The status output now reads~/.config/axonflow/try-registration.json(the auto-bootstrap registration file) and prints the tenant_id alongside endpoint + license-token state. Adds anupgradeline (defaulthttps://getaxonflow.com/pricing/, override viaAXONFLOW_UPGRADE_URL) and copy-paste-ready upgrade instructions. Token still redacted to last 4 chars (no full bearer credential in stdout — see PR #41).
Added
- V1 paid Pro tier —
X-License-Tokenwire-up. WhenAXONFLOW_LICENSE_TOKENis set in the environment, orlicense_token = "AXON-..."is present in~/.codex/axonflow.toml, the plugin forwards the token as theX-License-TokenHTTP header on every governed request (pre-tool policy check, post-tool audit + scan, and the long-lived MCP session). The agent's plugin-claim middleware validates the token's Ed25519 signature and database row, then enriches the request context with Pro-tier capabilities (longer audit retention, larger payload caps, higher daily quotas). Token absence is the free tier — no header is sent. Tokens that don't carry the canonicalAXON-prefix are filtered out before the request leaves the plugin so the agent never sees garbage. - Credential & license-token recovery surface —
scripts/recover.sh. Four sub-flows for users who need to manage credentials without leaving Codex:request— POSTs/api/v1/recoverwith the user's email so the agent emails a magic link with a one-time token.verify— POSTs/api/v1/recover/verifywith the pasted token, then atomically persists the returnedtenant_id,secret,endpoint, andemailinto~/.codex/axonflow.toml(mode0600, inside a0700parent). An existinglicense_tokenline is preserved so credential recovery never silently downgrades a Pro-tier user to the free tier.apply-token— persists a freshly-issuedAXON-...Pro-tier license token into the same TOML file.status— reports the active endpoint, config file presence, license token presence, and current tier.
The same script powers two new agent-callable skills (recover-credentials,pro-tier-status) so Codex can guide a user through the flow when they say "I lost my credentials" or "am I on Pro?". For automation and runtime tests the script also readsAXONFLOW_RECOVER_EMAIL,AXONFLOW_RECOVER_TOKEN, andAXONFLOW_LICENSE_TOKENfrom the environment instead of prompting.
- Runtime E2E coverage for both surfaces:
runtime-e2e/v1-paid-tier/test.sh— drives the pre-tool hook against a local capture server and asserts theX-License-Tokenheader is sent (env, TOML, env-overrides-TOML, absence, malformed) plus the live agent middleware path when/healthadvertisesplugin_claim_license.runtime-e2e/recovery/test.sh— drivesrecover.shagainst a local fake recovery agent and asserts the full request → verify → persist → status path, including replay rejection andlicense_tokenpreservation across credential re-recovery.
Fixed
- Upgrade-pointer URL aligned with the canonical pricing page.
AXONFLOW_UPGRADE_URLdefault (the URL surfaced byscripts/recover.sh statusand thepro-tier-statusskill to free-tier users, plus embedded in thetier Free tier (Pro expired ... — visit ... to renew)line) is nowhttps://getaxonflow.com/pricing/. The previous defaulthttps://getaxonflow.com/proreturned 404 — that page was referenced in PRDs but never built. The pricing page already resolves and carries the Plugin Pro $9.99 tier card with the Stripe buy button, so plugin status output now points free-tier users at a working URL. Override viaAXONFLOW_UPGRADE_URLenv var if needed. Same fix landed in companion plugin releases (openclaw-plugin v2.2.0, claude-plugin v1.2.0, cursor-plugin v1.2.0).
v1.1.0 — 4 read-side governance skills
Added
- 4 new agent-callable governance skills. Codex agents can use the
AxonFlow read-side governance surface directly in conversation:
explain-decision,list-overrides,create-override, and
revoke-override. Joins the existingaudit-searchskill for full
read-side parity.
v1.0.0
Upgrade strongly recommended. Over the past month we've shipped substantial production, quality, and security hardening across the AxonFlow plugin and platform — upgrade to the latest version for a more secure, reliable, and bug-free experience.
Security highlights from this release cycle:
- Plugin cache and credential-file permission hardening (this release).
~/.config/axonflow/and~/.cache/axonflow/are tightened to mode0700on every invocation (was: only set on creation, leaving pre-existing world-readable directories unchanged);try-registration.jsonis written with mode0600. Pre-existing world-readable credential files are detected and refused on first load. Documented inGHSA-8wrg-fpx5-87f7. - Cross-platform bootstrap reliability (this release). macOS Community-SaaS bootstrap was silently no-op'ing because
flock(1)is Linux-only; now uses a portablemkdir-based atomic lock with stale-lock reclamation, so first-install registration runs on macOS too. - Telemetry opt-out reliability (this release).
DO_NOT_TRACKwas unreliable because Codex CLI itself injectsDO_NOT_TRACK=1into hook subprocesses regardless of user intent; the canonical opt-out is nowAXONFLOW_TELEMETRY=off, an AxonFlow-scoped signal hosts can't unilaterally set.
The full set of platform-side security fixes shipped alongside this release — including multi-tenant isolation in MAP execution, cross-tenant audit-log isolation, and SQLi enforcement on the Community SaaS endpoint — is documented in the consolidated platform advisory GHSA-9h64-2846-7x7f.
Reliability and bug-fix highlights:
- 7-day delivered-heartbeat with stamp-on-success (this release). Telemetry stamp advances only after the POST returns 2xx, so a transient network failure no longer silences telemetry until the next 7-day window. Concurrent invocations are de-duplicated by an in-flight gate.
- Mode-clarity canary log line on every hook init (this release). Stderr emits
[AxonFlow] Connected to AxonFlow at <URL> (mode=...)and a PR-blocking CI gate asserts the canary matches the actual outbound destination, guarding against silent endpoint drift. - PR-blocking install-to-use smoke against the live community stack (this release). Catches plugin-side regressions against
try.getaxonflow.combefore they reach a user's terminal.
BREAKING
DO_NOT_TRACKis no longer honored as an AxonFlow telemetry opt-out. UseAXONFLOW_TELEMETRY=offinstead. Host tools and CLIs commonly injectDO_NOT_TRACK=1regardless of user intent, which makes it unreliable as a signal.
Added
- First-run Community-SaaS bootstrap — plugin connects to AxonFlow Community SaaS at
https://try.getaxonflow.comwhen neitherAXONFLOW_ENDPOINTnorAXONFLOW_AUTHis set. Registers via/api/v1/registeron first run and persists{tenant_id, secret, expires_at, endpoint}to~/.config/axonflow/try-registration.json(mode 0600 inside a 0700 directory). Refuses to load a registration file with non-0600 permissions. HTTP 429 → 1-hour backoff. Existing self-hosted installs (AXONFLOW_ENDPOINTorAXONFLOW_AUTHset) are honoured untouched. - Mode-clarity canary on every hook init:
[AxonFlow] Connected to AxonFlow at <URL> (mode=community-saas|self-hosted)on stderr. A CI gate parses this canary and asserts it matches the actual outbound destination. - One-time setup disclosure on first Community-SaaS connection. Stamped at
~/.cache/axonflow/codex-plugin-disclosure-shownso it fires exactly once per install. - Plugin/platform version compatibility check (
scripts/version-check.sh). Queries the agent's/healthendpoint and warns if the plugin runtime is below the platform's expected floor. Skippable viaAXONFLOW_PLUGIN_VERSION_CHECK=off.
Changed
- Telemetry switched to a 7-day delivered-heartbeat. At most one anonymous ping per environment every 7 days, with the stamp advanced only after the POST returns 2xx — a transient network failure doesn't silence telemetry until the next window. Concurrent invocations are de-duplicated by an in-flight gate.
Fixed
- The
DO_NOT_TRACK=1 is deprecated...warning is no longer emitted on every hook invocation whenDO_NOT_TRACK=1is set. - Telemetry heartbeat now correctly classifies Community-SaaS sessions (was tagged
productionbecause the bootstrap-injectedAXONFLOW_AUTHshadowed the resolver, sending/healthprobes to localhost andplatform_version=nullwith the wrongdeployment_mode). - Bootstrap and heartbeat now run on macOS —
flock(1)isn't on stock macOS, so the in-flight lock falls back to amkdir-based atomic lock with stale-lock reclamation whenflockis unavailable.
Security
~/.config/axonflow/and~/.cache/axonflow/permissions tightened to0700on every invocation (was: only set on creation viamkdir -m 0700, which left existing 0755 dirs unchanged).
v0.4.2
Deprecated
DO_NOT_TRACK=1as an AxonFlow telemetry opt-out — scheduled for removal after 2026-05-05 in the next major release. UseAXONFLOW_TELEMETRY=offinstead. The plugin'stelemetry-ping.shemits a one-time stderr warning whenDO_NOT_TRACK=1is the active control andAXONFLOW_TELEMETRY=offis not also set.