Release v2.0.4

@axonflow/openclaw v2.0.4

Installation

npm install @axonflow/openclaw

Or via OpenClaw plugin manager:

openclaw plugins install @axonflow/openclaw

openclaw.plugin.json declared configSchema.additionalProperties: false but did not list userEmail in properties, even though the plugin's runtime config resolver (src/config.ts) reads userEmail from pluginConfig and forwards it as the X-User-Email header on every request. OpenClaw's plugin loader runs the published configSchema against the user's pluginConfig; when validation fails (because of the unknown property), the loader emits a single [plugins] axonflow-governance invalid config: ... log line and skips the plugin entirely — it never registers, no hooks fire, and tool calls execute completely ungoverned.

In practice this affected every user who followed the documented configuration path for the override workflow. client.createOverride(), client.revokeOverride(), client.listOverrides() all require userEmail to be set (the endpoints reject calls without user identity with HTTP 401), and client.explainDecision() needs it for correct per-user scoping. Setting it via pluginConfig.userEmail — which is what the README, the SKILL.md on ClawHub, and the rest of the documentation describe — failed schema validation, disabled the plugin silently, and left the user with neither governance nor an obvious error.

Fixed

• pluginConfig.userEmail is now accepted by the configSchema. Added "userEmail": { "type": "string" } to openclaw.plugin.json properties, plus a matching uiHints.userEmail block so portal UIs render a labelled input with placeholder and help text. Plugin runtime behaviour was already correct in v2.0.0+ — only the schema gate was rejecting it.

Why this is a patch (not a minor)

The capability already existed in code; we're closing the schema gap that prevented the documented pluginConfig path from reaching it. Pure additive change to the schema — no existing valid config breaks.

Upgrade

openclaw plugins install @axonflow/openclaw@latest. No code changes required on your side. If your config currently sets userEmail and the plugin was being silently disabled, it will now register and start enforcing policy on the next plugin reload.

Documentation: Community SaaS reframed as exploration-only

The README "Where your data goes" section now leads with Self-hosted (recommended for any real use) as the primary deployment path and demotes Community SaaS to a clearly labelled "for early exploration only" section. Community SaaS is offered "as is" on a best-effort basis with no SLA, no warranties, and no commitment to retention or deletion timelines, and is not appropriate for production workloads, regulated environments, real user data, or any other sensitive information.

The reframing surfaces three production-fit alternatives:

• Self-host AxonFlow Community Edition for any real workload (data stays within your boundary).
• Community Edition with an Evaluation License for production with real users on the open core (free 90 days).
• AxonFlow Enterprise for regulated industries with SLOs and contractual commitments.

Plugin runtime behaviour is unchanged — Community SaaS auto-bootstrap still happens on zero-config installs, with the AXONFLOW_COMMUNITY_SAAS=0 opt-out documented in v2.0.0+.

---

Release v2.0.3

@axonflow/openclaw v2.0.3

Installation

npm install @axonflow/openclaw

Or via OpenClaw plugin manager:

openclaw plugins install @axonflow/openclaw

The v2.0.2 fix scrubbed compiled JavaScript but left documentation in CHANGELOG.md, README.md, and policies/README.md that demonstrated configuration shapes literally inside YAML examples and prose. ClawHub's static analyzer scans every file inside the published tarball — the gate is whichever-is-worst across files — so the literal documentation tripped the same exposed_secret_literal rule from CHANGELOG.md line 5 and continued to block install of v2.0.2 even though the compiled artifact was clean.

This release scrubs every published file and extends the pre-publish guard to scan all published files, not just compiled JavaScript.

Fixed

• clawhub:@axonflow/openclaw install no longer blocked. The published CHANGELOG.md, README.md, and policies/README.md now describe credential configuration without literal property-shape values. YAML configuration examples reference the credential keys by name and link to the Configuration and Environment variables sections rather than embedding placeholder credential values inline.

Changed

• Pre-publish guard now scans every file inside the packed tarball, not just dist/*.js. scripts/check-dist-bait.mjs was renamed to scripts/check-publish-bait.mjs and now walks dist/, policies/, README.md, CHANGELOG.md, and openclaw.plugin.json — the exact set declared in package.json files. Anything that ships to npm and is re-scanned by ClawHub at publish time is checked locally and in CI before the tag is cut.

Security

• The OpenClaw >=2026.4.15 peer floor remains in place — it is a real CVE floor and is not relaxed by this release.

Release v2.0.2

@axonflow/openclaw v2.0.2

Installation

npm install @axonflow/openclaw

Or via OpenClaw plugin manager:

openclaw plugins install @axonflow/openclaw

ClawHub's static-analysis scanner shipped a new ruleset (engine v2.4.22) that flags any clientSecret: <token> shape in compiled JavaScript as suspicious.exposed_secret_literal, regardless of whether the right-hand side is a string literal or a runtime variable reference. The previous v2.0.1 artifact contained six such property-forwarding sites in dist/index.js and dist/community-saas-bootstrap.js (e.g. clientSecret: result.clientSecret returned from the Community-SaaS bootstrap). Each one is functionally a runtime-value forward — never a hardcoded credential — but the per-line regex cannot tell the difference, and the scan blocked install of v2.0.1 on every supported OpenClaw host. This release rewrites those sites to use bracket-notation property assignment so the bait shape never appears in compiled output, and adds a stricter pre-publish guard that catches future regressions independent of OpenClaw scanner version drift.

Fixed

• clawhub:@axonflow/openclaw install no longer blocked by the v2.4.22 static analyzer's new exposed_secret_literal rule. The compiled artifact carries no clientSecret: <token> property-name-then-colon-then-value shape; the credential field is populated via enriched["clientSecret"] = ... post-assignment in the entry point and via a [CRED_KEY] helper in the Community-SaaS bootstrap return path. Functionally identical to v2.0.1; only the on-disk shape of compiled output changed.
• JSDoc YAML config example removed from src/index.ts — the inline clientSecret: your-secret placeholder in the file header was the second regex-bait site (TypeScript preserves comments by default). Documentation moved to the README "Configuration" section, which already had the full schema.

Changed

• Top-level name and description declared in openclaw.plugin.json. ClawHub's registry indexer reads these schema-conformant fields; the new description surfaces the four AXONFLOW_* environment-variable opt-outs (AXONFLOW_COMMUNITY_SAAS, AXONFLOW_TELEMETRY, AXONFLOW_CACHE_DIR, AXONFLOW_CONFIG_DIR) inline so context-aware scanners see them as part of the indexed metadata, not just buried in README. The off-spec envVars and runtimeBehavior blocks added in v2.0.1 stay in place for human reviewers.
• Stricter pre-publish bait-pattern guard. A new scripts/check-dist-bait.mjs greps the compiled dist/*.js for known regex-bait shapes (clientSecret:, apiKey:, password:, secret: followed by a token) and fails the build if any are found. Wired into npm run scan and the security-scan.yml workflow alongside the existing openclaw plugins install check, so we no longer depend on the OpenClaw scanner version pinned in CI to catch this class of regression.

Security

• The OpenClaw >=2026.4.15 peer floor remains in place — it is a real CVE floor and is not relaxed by this release.

Release v2.0.1

@axonflow/openclaw v2.0.1

Installation

npm install @axonflow/openclaw

Or via OpenClaw plugin manager:

openclaw plugins install @axonflow/openclaw

ClawHub's static-analysis scanner blocked install of @axonflow/openclaw@2.0.0 because the telemetry and Community-SaaS bootstrap modules co-located process.env.* access and fs.readFileSync(...) calls with the outbound fetch(...) in the same compiled file — a pattern the scanner heuristically flags as credential-harvesting / potential data exfiltration. This release restores a clean install path on every supported OpenClaw host, adds a real opt-out for Community-SaaS auto-registration, and ships a CI gate so this class of regression cannot recur.

Added

• AXONFLOW_COMMUNITY_SAAS=0 opt-out for the default Community-SaaS auto-registration. When set (also accepts false, off, no), the plugin loads but does not POST to try.getaxonflow.com/api/v1/register and does not write try-registration.json. Operators who want explicit control over outbound traffic — air-gapped labs, regulated networks — can now turn the auto-bootstrap off without removing the plugin.
• First-load Community-SaaS consent disclosure banner. Before the registration POST fires, the plugin emits a warn-level log line via the OpenClaw plugin logger listing exactly what gets sent off-host (tool name + arguments, outbound message bodies), what does not (LLM provider keys, conversation history outside governed tools), and how to opt out. Banner shows once per machine; presence of the disclosure stamp prevents re-warning on subsequent loads.
• Pre-publish security scan gate. npm run scan packs the plugin, extracts the tarball into an isolated state directory, and runs the official OpenClaw scanner against the exact artifact ClawHub re-scans at publish time. A new .github/workflows/security-scan.yml runs the same script PR-blocking on every change to src/, dist/, package.json, openclaw.plugin.json. Catches scanner regressions before they ship instead of after.
• envVars and runtimeBehavior declarations in openclaw.plugin.json. Documents the four user-facing environment variables (AXONFLOW_TELEMETRY, AXONFLOW_COMMUNITY_SAAS, AXONFLOW_CACHE_DIR, AXONFLOW_CONFIG_DIR), the auto-bootstrap data flow, the four persisted files and their permission modes. Registry metadata now matches what the code actually does.

Changed

• Telemetry module split into telemetry.ts + telemetry-context.ts. Environment reads (harness override) and stamp-file reads/writes live in the context module; the network-sending module imports plain values. Behaviour is identical to v2.0.0; only the on-disk module boundary moved. Same change applied to community-saas-bootstrap.ts + new community-saas-context.ts.
• README.md rewritten around a new "Where your data goes" section. Replaces the previous data-locality paragraph (which was accurate before v2.0.0 made Community SaaS the default but became misleading after) with three explicit deployment modes: default Community SaaS (what's sent off-host, link to the trial-server disclosure page), self-hosted (your own AxonFlow), and air-gapped (AXONFLOW_COMMUNITY_SAAS=0 + AXONFLOW_TELEMETRY=off = zero outbound). Cross-links the Try AxonFlow — Free Trial Server docs page so users can read the full Community SaaS terms.
• Removed the legacy showCommunitySaasDisclosureOnce info-level banner that fired after the connection was established. The new warn-level banner fires before the registration POST, with explicit data-flow disclosure and opt-out instructions, so the consent surface is real rather than after-the-fact.

Fixed

• clawhub:@axonflow/openclaw install no longer blocked by the host static-analysis scanner on OpenClaw >=2026.4.15. Verified with the local openclaw plugins install against the packed tarball: scanner reports 0 criticals, 0 warnings.

Security

• The OpenClaw >=2026.4.15 peer floor remains in place — it is a real CVE floor (Feishu webhook + card-action validation fail-open in OpenClaw <2026.4.15, GHSA-xh72-v6v9-mwhc) and is not relaxed by this release. Anyone running an older OpenClaw should upgrade their host.

Release v2.0.0

@axonflow/openclaw v2.0.0

Installation

npm install @axonflow/openclaw

Or via OpenClaw plugin manager:

openclaw plugins install @axonflow/openclaw

Upgrade strongly recommended. Over the past month we've shipped substantial production, quality, and security hardening across the AxonFlow plugin and platform — upgrade to the latest version for a more secure, reliable, and bug-free experience.

Security highlights from this release cycle:

• Plugin cache and credential-file permission hardening (this release). Cache and config directories are tightened to mode 0700 on every invocation; try-registration.json is written with mode 0600. Pre-existing world-readable credential files are detected and refused on first load. Documented in GHSA-cqmh-pcgr-q42f.
• Hook-closure dead-code fix (this release). Hooks registered against the AxonFlow client previously captured the pre-bootstrap client by value, so the post-bootstrap re-construction was invisible to every registered hook. Refactored to a ClientRef holder so all 5 factory paths see the live client. Closes a P0 governance bypass on the hook-driven enforcement path.
• Telemetry opt-out reliability (this release). DO_NOT_TRACK was unreliable because host CLIs commonly inject DO_NOT_TRACK=1 regardless of user intent; the canonical opt-out is now AXONFLOW_TELEMETRY=off, an AxonFlow-scoped signal hosts can't unilaterally set.

The full set of platform-side security fixes shipped alongside this release — including multi-tenant isolation in MAP execution, cross-tenant audit-log isolation, and SQLi enforcement on the Community SaaS endpoint — is documented in the consolidated platform advisory GHSA-9h64-2846-7x7f. Bundled OpenClaw upstream advisories closed by the dependency bump in this release are tracked in this repo's Dependabot alerts.

Reliability and bug-fix highlights:

• 7-day delivered-heartbeat with stamp-on-success (this release). Telemetry stamp advances only after the POST returns 2xx, so a transient network failure no longer silences telemetry until the next 7-day window. Concurrent invocations are de-duplicated by an in-flight gate.
• Mode-clarity canary log line on every plugin init (this release). Logs [AxonFlow] Connected to AxonFlow at <URL> (mode=...) and a PR-blocking CI gate asserts the canary matches the actual outbound destination, guarding against silent endpoint drift.
• PR-blocking install-to-use smoke against the live community stack (this release). Catches plugin-side regressions against try.getaxonflow.com before they reach a user's host process.

BREAKING

• DO_NOT_TRACK is no longer honored as an AxonFlow telemetry opt-out. Use AXONFLOW_TELEMETRY=off instead. Host tools and CLIs commonly inject DO_NOT_TRACK=1 regardless of user intent, which makes it unreliable as a signal.
• default values for endpoint / clientId / clientSecret removed from openclaw.plugin.json. The plugin loader now sees pluginConfig.endpoint as undefined when the user hasn't configured it — required by the Community-SaaS-default resolver to distinguish "no choice" from "explicit localhost".

Added

• First-run Community-SaaS bootstrap — plugin connects to AxonFlow Community SaaS at https://try.getaxonflow.com when no endpoint / clientId / clientSecret is supplied in pluginConfig. Registers via /api/v1/register on first run and persists the credential to ~/.config/axonflow/try-registration.json (mode 0600). Set any of those keys to opt into self-hosted.
• Mode-clarity canary on every plugin init: [AxonFlow] Connected to AxonFlow at <url> (mode=community-saas|self-hosted).
• One-time setup disclosure on first Community-SaaS connection. Stamped at <cache-dir>/openclaw-plugin-disclosure-shown so it fires exactly once per install.
• Plugin/platform version compatibility check on startup. Reads plugin_compatibility.min_plugin_version["openclaw"] from the agent's /health endpoint and console.warns if the runtime version is below the floor.
• deployment_mode=community-saas telemetry value, distinguishing first-class Community-SaaS users from self-hosted production / development (previously bucketed inside production).
• AXONFLOW_CACHE_DIR / AXONFLOW_CONFIG_DIR environment overrides for the cache/config directory resolver. Useful for sandboxed containers and any deployment that needs to redirect AxonFlow state.

Changed

• Telemetry switched to a 7-day delivered-heartbeat. At most one anonymous ping per environment every 7 days, with the stamp advanced only after the POST returns 2xx — a transient network failure doesn't silence telemetry until the next window. Concurrent invocations are de-duplicated by an in-flight gate.
• pluginConfig is now optional (was required). registerAxonFlowGovernance with no pluginConfig, undefined, or {} resolves to Community SaaS mode rather than throwing requires configuration.

Fixed

• The DO_NOT_TRACK=1 is deprecated... console.warn is no longer emitted on every plugin init when DO_NOT_TRACK=1 is set.
• Hooks now correctly see Community-SaaS credentials produced by the asynchronous bootstrap. Previously the hook handlers captured the AxonFlowClient by value at registration time, so the post-bootstrap reassignment was invisible — every governed tool call kept shipping Authorization: Basic : against try.getaxonflow.com. Hooks now read through a mutable client holder.

Security

• Cache and config directories tightened to 0700 on every plugin init (was: only set on directory creation via mkdirSync({ mode: 0o700 }), which left existing 0755 dirs unchanged).

Release v1.3.2

@axonflow/openclaw v1.3.2

Installation

npm install @axonflow/openclaw

Or via OpenClaw plugin manager:

openclaw plugins install @axonflow/openclaw

Deprecated

• DO_NOT_TRACK=1 as an AxonFlow telemetry opt-out — scheduled for removal after 2026-05-05 in the next major release. Use AXONFLOW_TELEMETRY=off instead. The plugin emits a one-time console.warn when DO_NOT_TRACK=1 is the active control and AXONFLOW_TELEMETRY=off is not also set.

Release v1.3.1

@axonflow/openclaw v1.3.1

Installation

npm install @axonflow/openclaw

Or via OpenClaw plugin manager:

openclaw plugins install @axonflow/openclaw

Patch release. Fixes a v1.3.0 gap surfaced by install-and-use E2E
testing: the override-lifecycle and explain methods needed
X-User-Email to reach the orchestrator, but the client never
forwarded any per-user identity. Paired with platform v7.1.1 which
closes six related server-side gaps.

Added

• config.userEmail — per-user identity forwarded via X-User-Email
  on every request. Required for createOverride / revokeOverride /
  listOverrides (endpoints reject unauthenticated user identity with
  HTTP 401) and for correct per-user scoping on explainDecision. If
  unset the client continues to work for block-path features (richer
  context, check_input / check_output) but the override lifecycle
  methods will 401.

Fixed

• baseHeaders() now emits X-User-Email when config.userEmail is
  set. Before this release, calling createOverride always returned
  HTTP 401 "Authenticated user identity required" and listOverrides
  scoped to a synthetic client-wide user.

Internal

• Smoke E2E at tests/e2e/smoke-block-context.mjs — exercises the
  AxonFlowClient.mcpCheckInput path against a reachable platform and
  asserts Plugin Batch 1 richer-context fields (decision_id,
  risk_level, policy_matches) land on the response. Exits with
  SKIP: when no stack is reachable so it's safe to run anywhere.
• .github/workflows/smoke-e2e.yml — workflow_dispatch triggered job running the smoke scenario.
  Requires an operator-supplied endpoint (GitHub-hosted runners have no
  local stack), so not wired to PR events — PR smoke gating needs a
  self-hosted runner with a live stack. Full install-and-use matrix
  lives in axonflow-enterprise/tests/e2e/plugin-batch-1/openclaw-install/.

Release v1.3.0

@axonflow/openclaw v1.3.0

Installation

npm install @axonflow/openclaw

Or via OpenClaw plugin manager:

openclaw plugins install @axonflow/openclaw

Changes

See CHANGELOG.md for full release details.

Release v1.2.4

@axonflow/openclaw v1.2.4

Installation

npm install @axonflow/openclaw

Or via OpenClaw plugin manager:

openclaw plugins install @axonflow/openclaw

Changes

See CHANGELOG.md for full release details.

Release v1.2.3

@axonflow/openclaw v1.2.3

Installation

npm install @axonflow/openclaw

Or via OpenClaw plugin manager:

openclaw plugins install @axonflow/openclaw

Changes

See CHANGELOG.md for full release details.