Releases: getaxonflow/axonflow-claude-plugin

v1.0.0

29 Apr 23:40
7872fe7

Upgrade strongly recommended. Over the past month we've shipped substantial production, quality, and security hardening across the AxonFlow plugin and platform — upgrade to the latest version for a more secure, reliable, and bug-free experience.

Security highlights from this release cycle:

  • Plugin cache and credential-file permission hardening (this release). ~/.config/axonflow/ and ~/.cache/axonflow/ are tightened to mode 0700 on every invocation (was: only set on creation, leaving pre-existing world-readable directories unchanged); try-registration.json is written with mode 0600. Pre-existing world-readable credential files are detected and refused on first load. Documented in GHSA-qgqh-qcq7-hqhm.
  • Cross-platform bootstrap reliability (this release). macOS Community-SaaS bootstrap was silently no-op'ing because flock(1) is Linux-only; now uses a portable mkdir-based atomic lock with stale-lock reclamation, so first-install registration runs on macOS too.
  • Telemetry opt-out reliability (this release). DO_NOT_TRACK was unreliable because Claude Code itself injects DO_NOT_TRACK=1 into hook subprocesses regardless of user intent; the canonical opt-out is now AXONFLOW_TELEMETRY=off, an AxonFlow-scoped signal hosts can't unilaterally set.

The full set of platform-side security fixes shipped alongside this release — including multi-tenant isolation in MAP execution, cross-tenant audit-log isolation, and SQLi enforcement on the Community SaaS endpoint — is documented in the consolidated platform advisory GHSA-9h64-2846-7x7f.

Reliability and bug-fix highlights:

  • 7-day delivered-heartbeat with stamp-on-success (this release). Telemetry stamp advances only after the POST returns 2xx, so a transient network failure no longer silences telemetry until the next 7-day window. Concurrent invocations are de-duplicated by an in-flight gate.
  • Mode-clarity canary log line on every hook init (this release). Stderr emits [AxonFlow] Connected to AxonFlow at <URL> (mode=...) and a PR-blocking CI gate asserts the canary matches the actual outbound destination, guarding against silent endpoint drift.
  • PR-blocking install-to-use smoke against the live community stack (this release). Catches plugin-side regressions against try.getaxonflow.com before they reach a user's terminal.

BREAKING

  • DO_NOT_TRACK is no longer honored as an AxonFlow telemetry opt-out. Use AXONFLOW_TELEMETRY=off instead. Host tools and CLIs commonly inject DO_NOT_TRACK=1 regardless of user intent, which makes it unreliable as a signal.

Added

  • First-run Community-SaaS bootstrap — plugin connects to AxonFlow Community SaaS at https://try.getaxonflow.com when neither AXONFLOW_ENDPOINT nor AXONFLOW_AUTH is set. Registers via /api/v1/register on first run and persists {tenant_id, secret, expires_at, endpoint} to ~/.config/axonflow/try-registration.json (mode 0600 inside a 0700 directory). Refuses to load a registration file with non-0600 permissions. HTTP 429 → 1-hour backoff. Existing self-hosted installs (AXONFLOW_ENDPOINT or AXONFLOW_AUTH set) are honoured untouched.
  • Mode-clarity canary on every hook init: [AxonFlow] Connected to AxonFlow at <URL> (mode=community-saas|self-hosted) on stderr. A CI gate parses this canary and asserts it matches the actual outbound destination.
  • One-time setup disclosure on first Community-SaaS connection. Stamped at ~/.cache/axonflow/claude-code-plugin-disclosure-shown so it fires exactly once per install.
  • Plugin/platform version compatibility check (scripts/version-check.sh). Queries the agent's /health endpoint and warns if the plugin runtime is below the platform's expected floor. Skippable via AXONFLOW_PLUGIN_VERSION_CHECK=off.

Changed

  • Telemetry switched to a 7-day delivered-heartbeat. At most one anonymous ping per environment every 7 days, with the stamp advanced only after the POST returns 2xx — a transient network failure doesn't silence telemetry until the next window. Concurrent invocations are de-duplicated by an in-flight gate.
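Stamp-on-success as described above, written as an added example (not the plugin's own code). The function names, the epoch-in-file stamp format and the sender-as-argument convention are assumptions made so the sketch runs offline.

```sh
#!/bin/sh
# Added sketch with hypothetical names; the sender is passed in as a command.
HEARTBEAT_INTERVAL=$((7 * 24 * 3600))   # the 7-day window from the release notes

# heartbeat_due STAMP NOW -> 0 when no delivery is recorded inside the window.
heartbeat_due() {
  last=$(cat "$1" 2>/dev/null)
  case $last in ''|*[!0-9]*) return 0 ;; esac   # missing or garbled stamp: due
  [ $(( $2 - last )) -ge "$HEARTBEAT_INTERVAL" ]
}

# maybe_send STAMP NOW SENDER [ARGS...]
# Runs SENDER only when a heartbeat is due and advances the stamp only after
# SENDER exits 0. Stamping before the send would turn one network failure
# into a full window of silence.
maybe_send() {
  stamp=$1 now=$2; shift 2
  heartbeat_due "$stamp" "$now" || return 0   # delivered recently: nothing to do
  "$@" || return 1                            # failed: stamp untouched, retry next run
  # Write to a temp file and rename, so a crash cannot leave a half-written stamp.
  printf '%s\n' "$now" > "$stamp.tmp.$$" && mv "$stamp.tmp.$$" "$stamp"
}

# Constructed demo: 'false' and 'true' stand in for a sender that exits 0
# only when the POST returned 2xx.
d=$(mktemp -d)
maybe_send "$d/stamp" "$(date +%s)" false || echo "not delivered, stamp absent"
maybe_send "$d/stamp" "$(date +%s)" true  && echo "delivered, stamp=$(cat "$d/stamp")"
rm -rf "$d"
```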

Fixed

  • The DO_NOT_TRACK=1 is deprecated... warning is no longer emitted on every hook invocation when DO_NOT_TRACK=1 is set.
  • Telemetry heartbeat now correctly classifies Community-SaaS sessions (was tagged production because the bootstrap-injected AXONFLOW_AUTH shadowed the resolver, sending /health probes to localhost and platform_version=null with the wrong deployment_mode).
  • Bootstrap and heartbeat now run on macOS — flock(1) isn't on stock macOS, so the in-flight lock falls back to a mkdir-based atomic lock with stale-lock reclamation when flock is unavailable.
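A portable mkdir-based lock with stale-lock reclamation, as an added example rather than the plugin's implementation. The function names, the 300-second threshold and the use of the directory's mtime as the lock age are assumptions.

```sh
#!/bin/sh
# Added sketch with hypothetical names and threshold.
STALE_AFTER=${STALE_AFTER:-300}   # seconds before a held lock counts as abandoned

dir_mtime() {  # epoch mtime: GNU stat first, BSD/macOS stat second
  stat -c '%Y' "$1" 2>/dev/null || stat -f '%m' "$1" 2>/dev/null
}

# acquire_lock DIR -> 0 if this process now holds the lock, 1 otherwise.
acquire_lock() {
  # mkdir either creates the directory or fails, atomically, so exactly one
  # of several concurrent callers gets through here. No flock(1) needed.
  mkdir "$1" 2>/dev/null && return 0

  # Held by someone else, or left behind by a process that died. The lock
  # directory is kept empty, so its mtime is the time it was created.
  taken=$(dir_mtime "$1") || return 1   # vanished: the holder just released it
  age=$(( $(date +%s) - taken ))
  [ "$age" -gt "$STALE_AFTER" ] || return 1

  # Stale: remove and retake. rmdir and mkdir are each atomic, but the age
  # check above is not tied to them, so two reclaimers interleaving here can
  # both win. Tolerable for a de-duplication gate, not for guarding shared data.
  rmdir "$1" 2>/dev/null
  mkdir "$1" 2>/dev/null
}

release_lock() { rmdir "$1" 2>/dev/null; }

# Constructed demo in a scratch directory.
d=$(mktemp -d)
acquire_lock "$d/lock" && echo "first caller holds the lock"
acquire_lock "$d/lock" || echo "second caller backs off"
touch -t 202001010000 "$d/lock"   # simulate a holder that died long ago
acquire_lock "$d/lock" && echo "stale lock reclaimed"
rm -rf "$d"
```

Set `STALE_AFTER` well above the longest time the guarded section can legitimately run, otherwise a slow holder is mistaken for a dead one.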

Security

  • ~/.config/axonflow/ and ~/.cache/axonflow/ permissions tightened to 0700 on every invocation (was: only set on creation via mkdir -m 0700, which left existing 0755 dirs unchanged).
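The create-or-tighten and refuse-on-load checks described in this release, as an added example that is not the plugin's own code. Helper names are hypothetical and paths are passed as arguments so the sketch runs against a scratch directory.

```sh
#!/bin/sh
# Added sketch with hypothetical helper names; paths are arguments so it can
# be exercised against a temporary directory instead of the real ~/.config.

file_mode() {  # octal permission bits: GNU stat first, BSD/macOS stat second
  stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1" 2>/dev/null
}

# mkdir -m applies the mode only when it creates the directory, so an existing
# 0755 directory would stay 0755. The unconditional chmod closes that gap.
harden_dir() {
  mkdir -p "$1" && chmod 0700 "$1"
}

# A restrictive umask makes a newly created file 0600 from the start; the
# chmod covers overwriting an older file that had a wider mode.
write_credentials() {  # $1 = path, $2 = content
  ( umask 077 && printf '%s\n' "$2" > "$1" ) && chmod 0600 "$1"
}

# Refuse anything that is not exactly 0600 rather than silently repairing it:
# a wider mode means the secret may already have been read by another user.
load_credentials() {  # $1 = path; prints the content on success
  [ -f "$1" ] || return 2
  mode=$(file_mode "$1") || return 2
  if [ "$mode" != "600" ]; then
    echo "refusing $1: mode $mode, expected 600" >&2
    return 1
  fi
  cat "$1"
}

# Constructed demo: a pre-existing 0755 directory and a file loosened to 0644.
demo_dir=$(mktemp -d)
mkdir -m 0755 "$demo_dir/axonflow" && harden_dir "$demo_dir/axonflow"
write_credentials "$demo_dir/axonflow/try-registration.json" '{"tenant_id":"constructed"}'
chmod 0644 "$demo_dir/axonflow/try-registration.json"
load_credentials "$demo_dir/axonflow/try-registration.json" || echo "load refused (exit $?)"
rm -rf "$demo_dir"
```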

v0.5.2

22 Apr 13:32
de9127f

Deprecated

  • DO_NOT_TRACK=1 as an AxonFlow telemetry opt-out — scheduled for removal after 2026-05-05 in the next major release. Use AXONFLOW_TELEMETRY=off instead. The plugin's telemetry-ping.sh emits a one-time stderr warning when DO_NOT_TRACK=1 is the active control and AXONFLOW_TELEMETRY=off is not also set.

v0.5.1

19 Apr 11:33
4717c0d

[0.5.1] - 2026-04-19

Added

  • Smoke E2E scenario at tests/e2e/smoke-block-context.sh — runs pre-tool-check.sh against a reachable AxonFlow stack and asserts the hook returns permissionDecision: deny with Plugin Batch 1 richer-context markers in the reason text. Exits 0 (SKIP:) when no stack is reachable.
  • .github/workflows/smoke-e2e.yml: workflow_dispatch-triggered job running the smoke scenario. Requires an operator-supplied endpoint (GitHub-hosted runners have no local stack), so not wired to PR events — PR smoke gating needs a self-hosted runner with a live stack.

Full install-and-use matrix (explain, override lifecycle, audit filter parity, cache invalidation) lives in axonflow-enterprise/tests/e2e/plugin-batch-1/claude-install/.

Compatibility

Companion to platform v7.1.1. No code changes vs v0.5.0 — the patch bump only adds the smoke E2E. Users on v0.5.0 against platform v7.1.1 still get the full richer-context block shape automatically.

v0.5.0 — Plugin Batch 1

18 Apr 12:19
e87288f

[0.5.0] - 2026-04-18

Added

  • Richer block context in hook responses. When the AxonFlow platform is
    v7.1.0+, block responses returned to Claude Code now include the
    decision_id, risk_level, and override availability. Users hitting a
    block see either [decision: <id>, risk: <level>, active override: <ov>]
    or a hint to call the explain_decision MCP tool. Older platforms see
    the prior terse message — fields are omitted when not returned.
  • Access to platform MCP tools explain_decision, create_override,
    delete_override, list_overrides — exposed by the agent's MCP server.
    Agents can call these from within Claude Code via the MCP client.

Compatibility

Companion to platform v7.1.0 and SDKs at v5.4.0 / v6.4.0. Back-compatible
with older platforms — enriched fields are absent, and the hook falls back
to the v0.4.0 block-reason format.

v0.4.0

16 Apr 11:56
bac8224

What's New

Telemetry

  • Anonymous telemetry ping on first hook invocation. Sends plugin version, OS, architecture, bash version, and AxonFlow platform version to checkpoint.getaxonflow.com. No PII, no tool arguments, no policy data
  • Stamp file guard at $HOME/.cache/axonflow/claude-code-plugin-telemetry-sent prevents repeat pings
  • Opt out with DO_NOT_TRACK=1 or AXONFLOW_TELEMETRY=off

Fixed

  • UTF-8 safe content truncation — Write and Edit content extraction uses character-level cut -c1-2000 instead of byte-level head -c 2000, preventing split multi-byte sequences
  • Consistent curl error reporting: post-tool-audit.sh uses -sS, matching pre-tool-check.sh

Changed

  • Hook timeout increased from 10s to 15s for reliability on slower networks
  • CI workflow suppresses telemetry with DO_NOT_TRACK=1
  • SECURITY.md timestamp updated to April 2026

v0.3.1

09 Apr 23:52
aaf8baf

Added

  • Decision-matrix regression tests for the v0.3.0 hook fail-open/fail-closed behavior. Mock-server cases for every JSON-RPC error branch (method-not-found, invalid-params, internal, parse, unknown codes).

v0.3.0 — Hook fail-open hardening

08 Apr 21:09
0b463c6

See CHANGELOG.md. Hook fail-open/fail-closed hardening (matches axonflow-enterprise v6.2.0 #1545 Direction 3).

v0.2.0

06 Apr 23:38
8e3c708

Added

  • AXONFLOW_TIMEOUT_SECONDS environment variable to tune Claude Code hook HTTP timeouts for remote or high-latency AxonFlow deployments.
  • Plugin logo for marketplace and directory listings.
  • SECURITY.md with plugin-specific vulnerability reporting guidance.

Changed

  • README now clarifies that the Claude Code plugin itself does not send direct telemetry pings; telemetry settings apply to the underlying AxonFlow deployment and SDKs.

Security

  • Pinned all GitHub Actions to immutable commit SHAs to prevent supply chain attacks.
  • Added Dependabot configuration for weekly GitHub Actions updates.
  • Added explicit permissions: contents: read to test workflow (least privilege).

Full Changelog: v0.1.0...v0.2.0

v0.1.0 — Policy Enforcement, PII Detection, and Audit Trails for Claude Code

05 Apr 13:37
74d1920

What's included

  • Automatic governance via PreToolUse/PostToolUse hooks — blocks dangerous commands (reverse shells, SSRF, credential access, path traversal), detects PII in tool outputs
  • 6 MCP tools for explicit use: check_policy, check_output, audit_tool_call, list_policies, get_policy_stats, search_audit_events
  • Compliance-grade audit trails for every governed tool call (allowed and blocked)
  • Fail-open on network errors, fail-closed on auth/config errors

Installation

git clone https://github.com/getaxonflow/axonflow-claude-plugin.git
export AXONFLOW_ENDPOINT=http://localhost:8080
export CLAUDE_PLUGIN_ROOT=/path/to/axonflow-claude-plugin
claude --plugin-dir /path/to/axonflow-claude-plugin

Requires AxonFlow v6.0.0+.

Documentation