Release v2.3.3

@axonflow/openclaw v2.3.3

Installation

npm install @axonflow/openclaw

Or via OpenClaw plugin manager:

openclaw plugins install @axonflow/openclaw

Patch release. No runtime behaviour change. Single substantive improvement: artifact format migration that closes the visible "Legacy ZIP" badge on the ClawHub listing.

Fixed

• ClawHub publish migrated from Legacy ZIP → ClawPack via clawhub@0.12.3. .github/workflows/publish.yml Install ClawHub CLI step pinned from clawhub@0.12.0 to clawhub@0.12.3. v0.12.2 (2026-05-02 21:45 UTC) shipped the CLI fix for v0.12.1's tarball-bytes-mismatch regression ("publish code plugins as clawpacks and allow legacy package downloads"); v0.12.3 (2026-05-06) added monorepo support + dry-run --metadata-only + scope-owner inference. Verified working locally via clawhub package pack + clawhub package publish . --dry-run against this repo at v2.3.2 — clean ClawPack tarball with correct sha256/integrity. Closes the "Legacy ZIP — may have compatibility issues" artifact badge on the ClawHub listing and lifts the verification tier from source-linked (lowest) to the modern plugin architecture.

  Safety net unchanged: existing verify-clawhub-install job runs openclaw plugins install clawhub:@axonflow/openclaw@<version> on every publish and fails fast on any bytes-mismatch — same gate that broke v2.0.5/v2.0.6 visibly during the v0.12.1 regression. If broken, revert path is documented in feedback_plugin_manifest_envvars_hygiene.md and feedback_clawhub_cli_v0_12_1_tarball_regression.md (clawhub@0.12.0 + folder upload).

Internal

• ClawScan Credentials review concern remains open and is upstream-blocked. Architectural research (memory: feedback_plugin_manifest_envvars_hygiene.md) confirmed that the env-vars schema landed in clawhub@0.7.0 (2026-02-16) is skill-side only: parsed from SKILL.md frontmatter into the registry capabilities block for skills. Code plugins (this artifact) have no analogous envVars schema slot in their capabilities indexing today — the registry stores bundledSkills, capabilityTags, commandNames, configSchema, executesCode, hooks, providers, etc., but no envVars. The earlier v2.3.1 / v2.3.2 / v2.3.3-WIP attempts to close this client-side via openclaw.plugin.json envVars, README.md table, and a SKILL.md frontmatter file at the package root were all wrong-layer fixes — adding a SKILL.md to a code plugin's root would either be inert (right) or cause OpenClaw runtime to inject our governance prose into the agent's system prompt (wrong, since we're a code plugin that registers hooks, not a skill that injects prompts).

  Path forward: the actual fix is upstream in ClawHub (analog of openclaw/clawhub#350 for skills, but for code-plugin capabilities.envVars). Until that ships, the "Review" verdict on the Credentials dimension is acceptable — plugin remains installable; reviewer text is balanced ("These variables are related to AxonFlow, not unrelated services"). Static Analysis verdict stays Benign; ClawPack format moves the visible badge.

---

v2.3.0 — feature release (carried forward, 5h ago)

Companion plugin release to AxonFlow agent v7.7.0. Surfaces the V1
Plugin Pro structured upgrade envelope to the operator on Community
SaaS rate-limit hits, and adds 5 new agent-callable Pro tools so
OpenClaw agents reach the same V1 Pro toolset that the
axonflow-claude-plugin / axonflow-cursor-plugin /
axonflow-codex-plugin plugins auto-discover from the AxonFlow agent's
MCP server. Total agent-callable tools: 5 → 10.

Added

• V1 Plugin Pro upgrade-prompt envelope handling in
  src/upgrade-prompt.ts — sourced into axonflow-client.ts so every
  4xx response from mcpCheckInput / mcpCheckOutput runs through
  envelope detection. When the agent returns a 429 (daily-quota) or
  403 (graduated / Pro-only) with the structured envelope shape:

  • Parses upgrade.wording + upgrade.buy_url and forwards it to the
    host plugin logger (api.logger.info) at most once per UTC day.
    Surfaced to OpenClaw operators via the standard plugin log channel.
  • Honours Retry-After / resets_at by stamping a back-off file at
    ${AXONFLOW_CACHE_DIR or platform default}/throttle-until.
    governance.ts checks the gate before each governed call and
    short-circuits during the back-off window (no thundering-herd
    retries against the agent).
  • Handles both bare and JSON-RPC-wrapped envelope shapes (the latter
    is what the new V1 Pro MCP tools deliver via writeMCPGateError).

• axonflow_get_tenant_id agent-callable tool — returns the
  install's tenant_id, current tier (Free / Pro / pro_expired),
  endpoint, and the locked V1 upgrade URLs. The other three plugin
  hosts (claude / cursor / codex) get this tool from the agent's MCP
  server via auto-discovery; OpenClaw doesn't proxy that MCP server,
  so we register a local equivalent built from the same status surface
  recover.sh status exposes. Keeps cross-plugin behaviour consistent
  for the "what's my tenant ID?" question.

• Four V1 Plugin Pro proxy tools registered locally so OpenClaw
  agents reach the same V1 Pro toolset that axonflow-claude-plugin /
  axonflow-cursor-plugin / axonflow-codex-plugin auto-discover from
  the agent's MCP server. OpenClaw doesn't proxy
  /api/v1/mcp-server tools/list, so these are registered as
  code-defined AgentToolDefs whose execute() forwards to the agent
  via a single new AxonFlowClient.callMCPTool(name, args) helper:

  • axonflow_request_approval — Free 1/7d rolling, Pro unlimited.
  • axonflow_create_tenant_policy — Free 2 active max, Pro unlimited.
  • axonflow_get_cost_estimate — Pro-only; Free callers get the
    locked V1 feature_pro_only envelope.
  • axonflow_list_pro_features — Free + Pro, locked feature list
    (5 differentiators + $9.99 / 90-day pricing).

  Total agent-callable tools: 5 → 10 (combining axonflow_get_tenant_id
  above with these four).

• clawhub/2.3.0/SKILL.md — frozen per-version skill record for the
  v2.3.0 release. Documents the new agent-callable tools alongside the
  existing 5 governance tools.

Fixed

• AxonFlowClient.handleEnvelope — pre-filter on
  status === 429 || status === 403 was dropping JSON-RPC-wrapped
  envelope responses that come back over HTTP 200 with
  result.isError = true (the path the agent's
  mcp_v1_pro_tools.go writeMCPGateError uses). Removed the
  pre-filter; handleV1Envelope already encodes the full
  status-vs-shape decision and now sees all three envelope-bearing
  paths (429 daily-quota, 403 graduated / Pro-only, 200 + JSON-RPC
  gate). The 4 new proxy tools depend on the 200 path; without this
  fix, Free callers got the envelope content as a generic kind=ok
  result instead of a clean kind=envelope with the upgrade prompt
  surfaced.

Internal

• tests/upgrade-prompt.test.ts — 26 unit assertions across
  detectEnvelope, retryAfterMs, resolveDeadlineMs,
  isThrottleActive, shouldShowPromptToday, the full handleEnvelope
  state machine, and the V1_LIMIT_TYPES locked enumeration.
• runtime-e2e/v1_pro_envelope_surface/ — drives the compiled
  dist/upgrade-prompt.js against a live 429 envelope captured from
  a Free-tier tenant on try.getaxonflow.com past the 200/day cap.
• runtime-e2e/v1_pro_proxy_tools/ — drives the compiled
  dist/agent-tools.js + dist/axonflow-client.js against a real
  registered tenant on https://try.getaxonflow.com. Asserts
  end-to-end that all 5 V1 Pro agent-callable tools dispatch
  correctly: axonflow_list_pro_features returns the locked
  5-differentiators shape; axonflow_get_cost_estimate on a Free
  tenant lands the feature_pro_only envelope with the locked buy
  URL + logger wording + stamped throttle file (and the subsequent
  agent-tool execute() honours the throttle gate);
  axonflow_request_approval and axonflow_create_tenant_policy
  return non-empty approval_id / policy_id on first Free call,
  with top-level success: true alongside submitted: true /
  created: true on the response body.
• tests/agent-tools.test.ts + tests/registration.test.ts —
  updated for the new tool count (5 → 10).

Versions touched

• package.json: 2.2.0 → 2.3.0
• package-lock.json: 2.2.0 → 2.3.0
• src/version.ts (VERSION constant — Jest asserts parity): 2.2.0 → 2.3.0
• This CHANGELOG entry

Release v2.3.2

@axonflow/openclaw v2.3.2

Installation

npm install @axonflow/openclaw

Or via OpenClaw plugin manager:

openclaw plugins install @axonflow/openclaw

Patch release. No runtime behaviour change. Three durable improvements landing in lockstep:

Fixed

• README.md ## Environment variables section now declares every AXONFLOW_* env var the plugin recognizes. Promoted from ### (sub-section under "Where your data goes") to ## for top-level prominence; added the same three entries v2.3.1 added to openclaw.plugin.json envVars but missed in the README:

  • AXONFLOW_ENDPOINT
  • AXONFLOW_RECOVERY_TIMEOUT_MS
  • AXONFLOW_UPGRADE_URL

  README.md is the prose ClawScan reads for the plugin's ClawHub listing (in package.json files allowlist + not in .clawhubignore); v2.3.1's manifest-only fix didn't reach this surface because ClawHub's stored capabilities block has no envVars schema slot to index openclaw.plugin.json envVars from. README.md is the actual user-and-reviewer-visible declaration.

Added

• .github/workflows/manifest-envvars-coverage.yml: new CI gate enforcing three-way coverage between (1) AXONFLOW_* references in src/ + bin/, (2) openclaw.plugin.json envVars keys, (3) README.md ## Environment variables table entries. Runs on every PR touching those paths and on main pushes; fails fast on drift. Internal-only vars (AXONFLOW_HARNESS*, AXONFLOW_LOGS, AXONFLOW_OPENAPI*, AXONFLOW_CHECKPOINT_URL, AXONFLOW_CLIENT_*) excluded from the check — these are SDK-side or test-only and don't belong in the plugin manifest.

• .github/workflows/publish.yml preflight cumulative-notes rule: when releasing a patch (Z>0) within 24h of the parent feature minor (X.Y.0), the preflight automatically appends the parent minor's CHANGELOG section to the GH release body. Closes the v2.3.1 regression where the most-clicked discovery surface (latest-tag landing page) hid the v2.3.0 V1 Plugin Pro feature work behind a hygiene-only patch summary. Same-day patches now ship cumulative release notes by default; >24h patches keep their narrow scope. CHANGELOG.md remains semver-organized (each version its own ## [X.Y.Z] section).

---

v2.3.0 — feature release (carried forward, 4h ago)

Companion plugin release to AxonFlow agent v7.7.0. Surfaces the V1
Plugin Pro structured upgrade envelope to the operator on Community
SaaS rate-limit hits, and adds 5 new agent-callable Pro tools so
OpenClaw agents reach the same V1 Pro toolset that the
axonflow-claude-plugin / axonflow-cursor-plugin /
axonflow-codex-plugin plugins auto-discover from the AxonFlow agent's
MCP server. Total agent-callable tools: 5 → 10.

Added

• V1 Plugin Pro upgrade-prompt envelope handling in
  src/upgrade-prompt.ts — sourced into axonflow-client.ts so every
  4xx response from mcpCheckInput / mcpCheckOutput runs through
  envelope detection. When the agent returns a 429 (daily-quota) or
  403 (graduated / Pro-only) with the structured envelope shape:

  • Parses upgrade.wording + upgrade.buy_url and forwards it to the
    host plugin logger (api.logger.info) at most once per UTC day.
    Surfaced to OpenClaw operators via the standard plugin log channel.
  • Honours Retry-After / resets_at by stamping a back-off file at
    ${AXONFLOW_CACHE_DIR or platform default}/throttle-until.
    governance.ts checks the gate before each governed call and
    short-circuits during the back-off window (no thundering-herd
    retries against the agent).
  • Handles both bare and JSON-RPC-wrapped envelope shapes (the latter
    is what the new V1 Pro MCP tools deliver via writeMCPGateError).

• axonflow_get_tenant_id agent-callable tool — returns the
  install's tenant_id, current tier (Free / Pro / pro_expired),
  endpoint, and the locked V1 upgrade URLs. The other three plugin
  hosts (claude / cursor / codex) get this tool from the agent's MCP
  server via auto-discovery; OpenClaw doesn't proxy that MCP server,
  so we register a local equivalent built from the same status surface
  recover.sh status exposes. Keeps cross-plugin behaviour consistent
  for the "what's my tenant ID?" question.

• Four V1 Plugin Pro proxy tools registered locally so OpenClaw
  agents reach the same V1 Pro toolset that axonflow-claude-plugin /
  axonflow-cursor-plugin / axonflow-codex-plugin auto-discover from
  the agent's MCP server. OpenClaw doesn't proxy
  /api/v1/mcp-server tools/list, so these are registered as
  code-defined AgentToolDefs whose execute() forwards to the agent
  via a single new AxonFlowClient.callMCPTool(name, args) helper:

  • axonflow_request_approval — Free 1/7d rolling, Pro unlimited.
  • axonflow_create_tenant_policy — Free 2 active max, Pro unlimited.
  • axonflow_get_cost_estimate — Pro-only; Free callers get the
    locked V1 feature_pro_only envelope.
  • axonflow_list_pro_features — Free + Pro, locked feature list
    (5 differentiators + $9.99 / 90-day pricing).

  Total agent-callable tools: 5 → 10 (combining axonflow_get_tenant_id
  above with these four).

• clawhub/2.3.0/SKILL.md — frozen per-version skill record for the
  v2.3.0 release. Documents the new agent-callable tools alongside the
  existing 5 governance tools.

Fixed

• AxonFlowClient.handleEnvelope — pre-filter on
  status === 429 || status === 403 was dropping JSON-RPC-wrapped
  envelope responses that come back over HTTP 200 with
  result.isError = true (the path the agent's
  mcp_v1_pro_tools.go writeMCPGateError uses). Removed the
  pre-filter; handleV1Envelope already encodes the full
  status-vs-shape decision and now sees all three envelope-bearing
  paths (429 daily-quota, 403 graduated / Pro-only, 200 + JSON-RPC
  gate). The 4 new proxy tools depend on the 200 path; without this
  fix, Free callers got the envelope content as a generic kind=ok
  result instead of a clean kind=envelope with the upgrade prompt
  surfaced.

Internal

• tests/upgrade-prompt.test.ts — 26 unit assertions across
  detectEnvelope, retryAfterMs, resolveDeadlineMs,
  isThrottleActive, shouldShowPromptToday, the full handleEnvelope
  state machine, and the V1_LIMIT_TYPES locked enumeration.
• runtime-e2e/v1_pro_envelope_surface/ — drives the compiled
  dist/upgrade-prompt.js against a live 429 envelope captured from
  a Free-tier tenant on try.getaxonflow.com past the 200/day cap.
• runtime-e2e/v1_pro_proxy_tools/ — drives the compiled
  dist/agent-tools.js + dist/axonflow-client.js against a real
  registered tenant on https://try.getaxonflow.com. Asserts
  end-to-end that all 5 V1 Pro agent-callable tools dispatch
  correctly: axonflow_list_pro_features returns the locked
  5-differentiators shape; axonflow_get_cost_estimate on a Free
  tenant lands the feature_pro_only envelope with the locked buy
  URL + logger wording + stamped throttle file (and the subsequent
  agent-tool execute() honours the throttle gate);
  axonflow_request_approval and axonflow_create_tenant_policy
  return non-empty approval_id / policy_id on first Free call,
  with top-level success: true alongside submitted: true /
  created: true on the response body.
• tests/agent-tools.test.ts + tests/registration.test.ts —
  updated for the new tool count (5 → 10).

Versions touched

• package.json: 2.2.0 → 2.3.0
• package-lock.json: 2.2.0 → 2.3.0
• src/version.ts (VERSION constant — Jest asserts parity): 2.2.0 → 2.3.0
• This CHANGELOG entry

Release v2.3.1

@axonflow/openclaw v2.3.1

Installation

npm install @axonflow/openclaw

Or via OpenClaw plugin manager:

openclaw plugins install @axonflow/openclaw

v2.3.1 is the recommended version on the v2.3.x line. It carries the full v2.3.0 V1 Plugin Pro feature set plus a manifest-hygiene patch (no behaviour change) — see both sections below.

---

v2.3.1 — Manifest envVars completeness + test-script field-name hygiene

Patch release on top of v2.3.0. No runtime behaviour change. Two narrow fixes:

Fixed

• openclaw.plugin.json envVars block now declares every AXONFLOW_* env var that ship-time code references. Adds three entries that were documented in clawhub/2.3.0/SKILL.md and used by dist/ / bin/ but missing from the manifest's envVars block:

  • AXONFLOW_ENDPOINT — overrides pluginConfig.endpoint; primary self-hosted-mode entry point.
  • AXONFLOW_RECOVERY_TIMEOUT_MS — per-HTTP timeout for the axonflow-openclaw-recover CLI (default 10000).
  • AXONFLOW_UPGRADE_URL — overrides upgrade URL surfaced by axonflow-openclaw-status (default https://getaxonflow.com/pricing/).

  Closes the v2.3.0 ClawScan review's "Credentials" dimension concern.

Internal

• runtime-e2e/v1_pro_envelope_surface/test.sh: synthetic test-tenant secret literal renamed testpass → synth-tok- to avoid triggering generic secret-scanner heuristics on dev machines. Test scripts are not shipped to npm or ClawHub — dev-only file hygiene.

---

v2.3.0 — V1 Plugin Pro envelope + 5 new agent-callable Pro tools (cross-plugin parity)

The substantive feature release. v2.3.1 inherits all of this.

Companion plugin release to AxonFlow agent v7.7.0. Surfaces the V1
Plugin Pro structured upgrade envelope to the operator on Community
SaaS rate-limit hits, and adds 5 new agent-callable Pro tools so
OpenClaw agents reach the same V1 Pro toolset that the
axonflow-claude-plugin / axonflow-cursor-plugin /
axonflow-codex-plugin plugins auto-discover from the AxonFlow agent's
MCP server. Total agent-callable tools: 5 → 10.

Added

• V1 Plugin Pro upgrade-prompt envelope handling in
  src/upgrade-prompt.ts — sourced into axonflow-client.ts so every
  4xx response from mcpCheckInput / mcpCheckOutput runs through
  envelope detection. When the agent returns a 429 (daily-quota) or
  403 (graduated / Pro-only) with the structured envelope shape:

  • Parses upgrade.wording + upgrade.buy_url and forwards it to the
    host plugin logger (api.logger.info) at most once per UTC day.
    Surfaced to OpenClaw operators via the standard plugin log channel.
  • Honours Retry-After / resets_at by stamping a back-off file at
    ${AXONFLOW_CACHE_DIR or platform default}/throttle-until.
    governance.ts checks the gate before each governed call and
    short-circuits during the back-off window (no thundering-herd
    retries against the agent).
  • Handles both bare and JSON-RPC-wrapped envelope shapes (the latter
    is what the new V1 Pro MCP tools deliver via writeMCPGateError).

• axonflow_get_tenant_id agent-callable tool — returns the
  install's tenant_id, current tier (Free / Pro / pro_expired),
  endpoint, and the locked V1 upgrade URLs. The other three plugin
  hosts (claude / cursor / codex) get this tool from the agent's MCP
  server via auto-discovery; OpenClaw doesn't proxy that MCP server,
  so we register a local equivalent built from the same status surface
  recover.sh status exposes. Keeps cross-plugin behaviour consistent
  for the "what's my tenant ID?" question.

• Four V1 Plugin Pro proxy tools registered locally so OpenClaw
  agents reach the same V1 Pro toolset that axonflow-claude-plugin /
  axonflow-cursor-plugin / axonflow-codex-plugin auto-discover from
  the agent's MCP server. OpenClaw doesn't proxy
  /api/v1/mcp-server tools/list, so these are registered as
  code-defined AgentToolDefs whose execute() forwards to the agent
  via a single new AxonFlowClient.callMCPTool(name, args) helper:

  • axonflow_request_approval — Free 1/7d rolling, Pro unlimited.
  • axonflow_create_tenant_policy — Free 2 active max, Pro unlimited.
  • axonflow_get_cost_estimate — Pro-only; Free callers get the
    locked V1 feature_pro_only envelope.
  • axonflow_list_pro_features — Free + Pro, locked feature list
    (5 differentiators + $9.99 / 90-day pricing).

  Total agent-callable tools: 5 → 10 (combining axonflow_get_tenant_id
  above with these four).

• clawhub/2.3.0/SKILL.md — frozen per-version skill record for the
  v2.3.0 release. Documents the new agent-callable tools alongside the
  existing 5 governance tools.

Fixed

• AxonFlowClient.handleEnvelope — pre-filter on
  status === 429 || status === 403 was dropping JSON-RPC-wrapped
  envelope responses that come back over HTTP 200 with
  result.isError = true (the path the agent's
  mcp_v1_pro_tools.go writeMCPGateError uses). Removed the
  pre-filter; handleV1Envelope already encodes the full
  status-vs-shape decision and now sees all three envelope-bearing
  paths (429 daily-quota, 403 graduated / Pro-only, 200 + JSON-RPC
  gate). The 4 new proxy tools depend on the 200 path; without this
  fix, Free callers got the envelope content as a generic kind=ok
  result instead of a clean kind=envelope with the upgrade prompt
  surfaced.

Internal

• tests/upgrade-prompt.test.ts — 26 unit assertions across
  detectEnvelope, retryAfterMs, resolveDeadlineMs,
  isThrottleActive, shouldShowPromptToday, the full handleEnvelope
  state machine, and the V1_LIMIT_TYPES locked enumeration.
• runtime-e2e/v1_pro_envelope_surface/ — drives the compiled
  dist/upgrade-prompt.js against a live 429 envelope captured from
  a Free-tier tenant on try.getaxonflow.com past the 200/day cap.
• runtime-e2e/v1_pro_proxy_tools/ — drives the compiled
  dist/agent-tools.js + dist/axonflow-client.js against a real
  registered tenant on https://try.getaxonflow.com. Asserts
  end-to-end that all 5 V1 Pro agent-callable tools dispatch
  correctly: axonflow_list_pro_features returns the locked
  5-differentiators shape; axonflow_get_cost_estimate on a Free
  tenant lands the feature_pro_only envelope with the locked buy
  URL + logger wording + stamped throttle file (and the subsequent
  agent-tool execute() honours the throttle gate);
  axonflow_request_approval and axonflow_create_tenant_policy
  return non-empty approval_id / policy_id on first Free call,
  with top-level success: true alongside submitted: true /
  created: true on the response body.
• tests/agent-tools.test.ts + tests/registration.test.ts —
  updated for the new tool count (5 → 10).

Versions touched

• package.json: 2.2.0 → 2.3.0
• package-lock.json: 2.2.0 → 2.3.0
• src/version.ts (VERSION constant — Jest asserts parity): 2.2.0 → 2.3.0
• This CHANGELOG entry

Release v2.3.0

@axonflow/openclaw v2.3.0

Installation

npm install @axonflow/openclaw

Or via OpenClaw plugin manager:

openclaw plugins install @axonflow/openclaw

Companion plugin release to AxonFlow agent v7.7.0. Surfaces the V1
Plugin Pro structured upgrade envelope to the operator on Community
SaaS rate-limit hits, and adds 5 new agent-callable Pro tools so
OpenClaw agents reach the same V1 Pro toolset that the
axonflow-claude-plugin / axonflow-cursor-plugin /
axonflow-codex-plugin plugins auto-discover from the AxonFlow agent's
MCP server. Total agent-callable tools: 5 → 10.

Added

• V1 Plugin Pro upgrade-prompt envelope handling in
  src/upgrade-prompt.ts — sourced into axonflow-client.ts so every
  4xx response from mcpCheckInput / mcpCheckOutput runs through
  envelope detection. When the agent returns a 429 (daily-quota) or
  403 (graduated / Pro-only) with the structured envelope shape:

  • Parses upgrade.wording + upgrade.buy_url and forwards it to the
    host plugin logger (api.logger.info) at most once per UTC day.
    Surfaced to OpenClaw operators via the standard plugin log channel.
  • Honours Retry-After / resets_at by stamping a back-off file at
    ${AXONFLOW_CACHE_DIR or platform default}/throttle-until.
    governance.ts checks the gate before each governed call and
    short-circuits during the back-off window (no thundering-herd
    retries against the agent).
  • Handles both bare and JSON-RPC-wrapped envelope shapes (the latter
    is what the new V1 Pro MCP tools deliver via writeMCPGateError).

• axonflow_get_tenant_id agent-callable tool — returns the
  install's tenant_id, current tier (Free / Pro / pro_expired),
  endpoint, and the locked V1 upgrade URLs. The other three plugin
  hosts (claude / cursor / codex) get this tool from the agent's MCP
  server via auto-discovery; OpenClaw doesn't proxy that MCP server,
  so we register a local equivalent built from the same status surface
  recover.sh status exposes. Keeps cross-plugin behaviour consistent
  for the "what's my tenant ID?" question.

• Four V1 Plugin Pro proxy tools registered locally so OpenClaw
  agents reach the same V1 Pro toolset that axonflow-claude-plugin /
  axonflow-cursor-plugin / axonflow-codex-plugin auto-discover from
  the agent's MCP server. OpenClaw doesn't proxy
  /api/v1/mcp-server tools/list, so these are registered as
  code-defined AgentToolDefs whose execute() forwards to the agent
  via a single new AxonFlowClient.callMCPTool(name, args) helper:

  • axonflow_request_approval — Free 1/7d rolling, Pro unlimited.
  • axonflow_create_tenant_policy — Free 2 active max, Pro unlimited.
  • axonflow_get_cost_estimate — Pro-only; Free callers get the
    locked V1 feature_pro_only envelope.
  • axonflow_list_pro_features — Free + Pro, locked feature list
    (5 differentiators + $9.99 / 90-day pricing).

  Total agent-callable tools: 5 → 10 (combining axonflow_get_tenant_id
  above with these four).

• clawhub/2.3.0/SKILL.md — frozen per-version skill record for the
  v2.3.0 release. Documents the new agent-callable tools alongside the
  existing 5 governance tools.

Fixed

• AxonFlowClient.handleEnvelope — pre-filter on
  status === 429 || status === 403 was dropping JSON-RPC-wrapped
  envelope responses that come back over HTTP 200 with
  result.isError = true (the path the agent's
  mcp_v1_pro_tools.go writeMCPGateError uses). Removed the
  pre-filter; handleV1Envelope already encodes the full
  status-vs-shape decision and now sees all three envelope-bearing
  paths (429 daily-quota, 403 graduated / Pro-only, 200 + JSON-RPC
  gate). The 4 new proxy tools depend on the 200 path; without this
  fix, Free callers got the envelope content as a generic kind=ok
  result instead of a clean kind=envelope with the upgrade prompt
  surfaced.

Internal

• tests/upgrade-prompt.test.ts — 26 unit assertions across
  detectEnvelope, retryAfterMs, resolveDeadlineMs,
  isThrottleActive, shouldShowPromptToday, the full handleEnvelope
  state machine, and the V1_LIMIT_TYPES locked enumeration.
• runtime-e2e/v1_pro_envelope_surface/ — drives the compiled
  dist/upgrade-prompt.js against a live 429 envelope captured from
  a Free-tier tenant on try.getaxonflow.com past the 200/day cap.
• runtime-e2e/v1_pro_proxy_tools/ — drives the compiled
  dist/agent-tools.js + dist/axonflow-client.js against a real
  registered tenant on https://try.getaxonflow.com. Asserts
  end-to-end that all 5 V1 Pro agent-callable tools dispatch
  correctly: axonflow_list_pro_features returns the locked
  5-differentiators shape; axonflow_get_cost_estimate on a Free
  tenant lands the feature_pro_only envelope with the locked buy
  URL + logger wording + stamped throttle file (and the subsequent
  agent-tool execute() honours the throttle gate);
  axonflow_request_approval and axonflow_create_tenant_policy
  return non-empty approval_id / policy_id on first Free call,
  with top-level success: true alongside submitted: true /
  created: true on the response body.
• tests/agent-tools.test.ts + tests/registration.test.ts —
  updated for the new tool count (5 → 10).

Versions touched

• package.json: 2.2.0 → 2.3.0
• package-lock.json: 2.2.0 → 2.3.0
• src/version.ts (VERSION constant — Jest asserts parity): 2.2.0 → 2.3.0
• This CHANGELOG entry

Release v2.2.0

@axonflow/openclaw v2.2.0

Installation

npm install @axonflow/openclaw

Or via OpenClaw plugin manager:

openclaw plugins install @axonflow/openclaw

Companion plugin release to platform v7.7.0. Surfaces the V1 SaaS Plugin
Pro tier — clawhub config set license-token <AXON-token> activates Pro
features immediately, plus the agent-side scope-validation header on
every governed request.

Added

• X-Axonflow-Client: openclaw/<version> header on every governed
  agent request. Set automatically by the axonflow-client.ts HTTP
  layer using the canonical VERSION constant from src/version.ts;
  not configurable. Agents at v7.7.0+ derive request scope from this
  header and reject cross-quadrant token misuse (e.g. a SaaS Plugin Pro
  token paired with an SDK request) at the validator boundary. Older
  agents (pre-v7.7.0) ignore the header and continue to work unchanged.

Added

• Status surface tier line + plugin-init canary now surface Pro license expiry date. The tier field in buildStatusReport() / formatStatusReport() / the axonflow-openclaw-status CLI parses the JWT exp claim from the configured Pro license token and renders one of three shapes: Pro (expires YYYY-MM-DD, N days remaining) when active, Free (Pro expired YYYY-MM-DD — visit https://getaxonflow.com/pricing/ to renew) when the token is on disk but its exp has passed (plugin will not forward an expired token), or Free (no Pro license configured) when no token is loaded. The plugin-init canary line emitted by registerAxonFlowGovernance matches the same three shapes so users notice their renewal window on every plugin reload. New exports: buildProTierInitLogLine, parseLicenseTokenExpiry, formatExpiryDate, daysUntil. New StatusReport fields: expires_at (YYYY-MM-DD UTC, nullable) and expires_in_days (integer, negative when expired, nullable). New StatusTier value "pro_expired" distinguishes a configured-but-lapsed token from "free" for renew-CTA rendering. Display only — JWT signature validation remains the platform's job. Tokens whose JWT body fails to parse fall back to the legacy Pro tier active — license token configured, X-License-Token will be forwarded on every governed request canary so byte-exact compat with mode-clarity assertions and any external grep on the v2.1.x string is preserved.
• axonflow-openclaw-status CLI for tenant + tier introspection. New bin script (npx @axonflow/openclaw axonflow-openclaw-status, also exported as buildStatusReport / formatStatusReport / resolveStatusInputs / redactLicenseToken / readPersistedTenantId from the package entry point) prints the user's tenant_id (read from $AXONFLOW_CONFIG_DIR/try-registration.json), the AxonFlow endpoint the plugin would talk to, and a tier indicator (Pro when AXONFLOW_LICENSE_TOKEN or pluginConfig.licenseToken is set, Free otherwise). Surfaces the upgrade URL on free, and a redacted preview of the license token (last 4 chars only — full token is never printed) on Pro. Closes the W4 paid-Pro launch UX gap where users had no way to read their tenant_id before pasting it into the Stripe checkout custom field. --json flag emits the same shape as machine-readable output.
• Pro tier activation via X-License-Token. New licenseToken pluginConfig field (and AXONFLOW_LICENSE_TOKEN env var, env wins) carries the AXON-prefixed plugin-claim token issued by AxonFlow Pro Stripe Checkout. When set, the plugin forwards it on every governed request via the X-License-Token header so the agent's plugin-claim middleware can apply Pro-tier entitlements (extended audit retention, higher quotas, license-gated capabilities). On every plugin init the canary log emits [AxonFlow] Pro tier active … alongside the existing connection canary so users always know the token is wired through. Free-tier installs are unaffected — when no token is configured the header is omitted entirely.
• axonflow-openclaw-recover CLI for Community-SaaS credential recovery. New bin script (npx @axonflow/openclaw axonflow-openclaw-recover <email>, also exported as requestRecovery / verifyRecovery / extractRecoveryToken / persistRecoveredCredentials from the package entry point) drives the platform's email-based recovery flow when try-registration.json is lost: posts to /api/v1/recover, prompts for the magic-link token (or accepts the full magic-link URL), posts to /api/v1/recover/verify, and persists the freshly-issued tenant_id + secret at $AXONFLOW_CONFIG_DIR/try-registration.json (mode 0o600) so the next plugin reload picks them up automatically. Magic-link tokens are one-shot and short-lived; replays return 401.
• runtime-e2e/v1_paid_tier/ — runtime-path test that drives both new features end-to-end against a live community-saas stack: confirms the Pro tier active canary fires, the agent's plugin-claim middleware counter increments after a governed call (proving X-License-Token reached the wire), and the recovery CLI completes the email → magic link → verify → persist → authenticate cycle with a fresh tenant_id.

Fixed

• runtime-e2e/v1_paid_tier/: pass when stack is long-running. Previously the test silently exited as PARTIAL PASS after Feature 1 whenever /api/v1/register returned 429, mislabeling the cause as "agent not in community-saas mode". The agent's per-IP rate limiter (5 calls per source-IP per hour, shared between /api/v1/register and /api/v1/recover) trips quickly when the test runs against a stack that has already absorbed any traffic in the current hour, which silently turns the recovery handler into a no-op (handler returns generic 202 to prevent enumeration). The test now sends a per-run synthetic source-IP via X-Forwarded-For (override with RUNTIME_E2E_XFF) so each run gets a fresh rate-limit bucket, and surfaces a real failure with a remediation hint when the bucket is somehow still saturated. Step 2g also now probes $AXONFLOW_ENDPOINT/api/request (the agent's primary Basic-auth surface) instead of $PERSISTED_ENDPOINT/api/v1/audit/tool-call — the persisted endpoint is hardcoded by the platform to https://try.getaxonflow.com and is correct for production users but useless for a runtime test pointing at a local stack, and the audit/tool-call route additionally requires the operator to have set AXONFLOW_INTERNAL_SERVICE_SECRET in non-Community deployments. Feature 1 PASSED, Feature 2 PASSED end-to-end on local docker-compose with v7.7.0.
• Upgrade-pointer URL aligned with the canonical pricing page. STATUS_DEFAULT_UPGRADE_URL (the URL surfaced by axonflow-openclaw-status to free-tier users, and embedded in the tier=Free (Pro expired ... — visit ... to renew) line) is now https://getaxonflow.com/pricing/. The previous default https://getaxonflow.com/pro returned 404 — that page was referenced in PRDs but never built. The pricing page already resolves and carries the Plugin Pro $9.99 tier card with the Stripe buy button, so plugin status output now points free-tier users at a working URL. Override via AXONFLOW_UPGRADE_URL env var if needed. Same fix landed in companion plugin releases (claude-plugin v1.2.0, cursor-plugin v1.2.0, codex-plugin v1.2.0).

Release v2.1.1

@axonflow/openclaw v2.1.1

Installation

npm install @axonflow/openclaw

Or via OpenClaw plugin manager:

openclaw plugins install @axonflow/openclaw

Fixed

• runtime-e2e/ now excluded from the ClawHub publish. The runtime
  E2E test harnesses are CI fixtures that drive a real OpenClaw agent
  against a live AxonFlow stack — they're not consumed by the plugin
  runtime. They were inadvertently shipped with the v2.1.0 artifact and
  the static-analysis scanner flagged five of them on a false-positive
  exfiltration heuristic that matched their HTTP Basic-auth header
  setup. Removing the surface area entirely is more durable than
  appealing the heuristic.

Release v2.1.0

@axonflow/openclaw v2.1.0

Installation

npm install @axonflow/openclaw

Or via OpenClaw plugin manager:

openclaw plugins install @axonflow/openclaw

Added

• 5 agent-callable governance tools. OpenClaw agents can invoke
  AxonFlow's read-side governance surface directly through tool-calling:
  axonflow_audit_search, axonflow_explain_decision,
  axonflow_list_overrides, axonflow_create_override, and
  axonflow_revoke_override. Tools register when OpenClaw exposes
  registerTool (2026.3.22+); older runtimes log a one-line warning
  and continue with hooks only.
• userEmail config field. Required for axonflow_create_override
  and axonflow_revoke_override so the platform can scope overrides to
  the actual user. When absent, the override-write tools fail with a
  clear authentication error from the platform; read-side tools and the
  hook path continue to work.

Fixed

• Agent tools now surface platform outages as errors instead of empty
  results. Previously, a 5xx, network failure, or auth error on
  axonflow_audit_search, axonflow_list_overrides, or
  axonflow_explain_decision could be silently collapsed into "no audit
  events" / "no overrides" / "no explanation available" because the
  underlying client methods were written for CLI UX and swallow HTTP
  failures. The agent tools now use strict client variants that throw
  on transport / non-2xx, so a calling agent sees isError: true with
  the HTTP status instead of a misleading success.

Release v2.0.8

@axonflow/openclaw v2.0.8

Installation

npm install @axonflow/openclaw

Or via OpenClaw plugin manager:

openclaw plugins install @axonflow/openclaw

v2.0.7 attempted CLI pin v0.12.0 + tarball arg and got Error: Path must be a folder from the publisher — tarball-arg support is a v0.12.1+ feature. The publish-clawhub job failed; v2.0.7 is on npm but never registered on ClawHub.

Falling back to the v2.0.4 baseline: CLI v0.12.0 + folder upload (Legacy ZIP). This is the only proven-working combination on ClawHub right now. Re-introduces the "Legacy ZIP" badge on the install page; install path works.

Changed

• .github/workflows/publish.yml publish-clawhub step uses folder upload (clawhub package publish .). Identical to the v2.0.4 publish step; CLI pin from v2.0.7 retained.

Carried forward (unchanged from v2.0.7)

• clawhub@0.12.0 pin in Install ClawHub CLI step
• verify-clawhub-install CI smoke job
• @anthropic-ai/sdk >=0.91.1 override
• permissions: contents: read on heartbeat-real-stack workflow

Upstream regression and follow-up

The underlying issue is in clawhub CLI v0.12.1+: published artifacts register as npm-pack (tgz) with bytes that don't match the recorded SHA-256, which breaks openclaw plugins install regardless of whether you upload a folder or a tarball. We've reproduced the failure across both upload modes on v0.12.1 and confirmed v0.12.0 still works for folder uploads. Once ClawHub addresses the v0.12.1+ regression upstream, we'll revisit the ClawPack tarball publish path and drop the Legacy ZIP badge.

Registry-state asymmetry

The release train this afternoon left npm and ClawHub in slightly different states:

• npm has 2.0.5, 2.0.6, 2.0.7, 2.0.8 (each version's publish job succeeded; npm publish is independent of ClawHub publish).
• ClawHub has 2.0.5, 2.0.6, 2.0.8 (v2.0.7's publish-clawhub job failed mid-workflow with Error: Path must be a folder, so v2.0.7 was never registered on ClawHub).

For most users on @latest this is invisible — both registries point at v2.0.8. Anyone explicitly pinning clawhub:@axonflow/openclaw@2.0.7 will hit "version not found"; in that case, either pin to 2.0.8 or drop the version pin entirely.

Upgrade

openclaw plugins install @axonflow/openclaw@latest. If you tried v2.0.5, v2.0.6, or v2.0.7 and hit any install error, retry — v2.0.8 should resolve cleanly.

---

Release v2.0.7

@axonflow/openclaw v2.0.7

Installation

npm install @axonflow/openclaw

Or via OpenClaw plugin manager:

openclaw plugins install @axonflow/openclaw

v2.0.6 reverted to folder upload to escape v2.0.5's broken-install state but the install was still broken with a different error (ClawHub archive contents do not match files[] metadata for "@axonflow/openclaw@2.0.6": missing "package.json"). Both broken versions used clawhub CLI v0.12.1, which was published 2026-05-02 20:50 UTC — about two hours before our v2.0.5 ship.

v2.0.4 (last known-good install) was published 2026-04-30 with clawhub CLI v0.12.0 and still installs cleanly. The regression is in CLI v0.12.1's publish pipeline: regardless of whether you pass a folder or a tarball, the resulting artifact registers as npm-pack (tgz) with bytes that don't match the SHA-256 ClawHub records — breaking the install path.

Changed

• Pin clawhub@0.12.0 in .github/workflows/publish.yml. npm install -g clawhub (unpinned) was always pulling latest, which is why the regression hit on the next publish after v0.12.1 shipped. The pin holds until ClawHub fixes the upstream regression in v0.12.1+.
• Restore ClawPack tarball publish path. With CLI pinned to v0.12.0, clawhub package publish ./<tarball>.tgz returns to producing a publishable ClawPack artifact. Re-earns the ClawPack badge on the install page. If install still breaks despite the pin, v2.0.8 will revert to folder upload (Legacy ZIP).

Added

• verify-clawhub-install job in publish.yml. Runs openclaw plugins install clawhub:@axonflow/openclaw@<version> against the just-published version and fails the workflow if install errors. v2.0.5 + v2.0.6 both shipped to ClawHub successfully and verify-publish (which only checks npm propagation) reported success — but adopters could not install. This job closes the gap so future regressions in the ClawHub install path surface in CI within ~3 minutes of tag rather than via adopter reports.

Carried forward from v2.0.5/v2.0.6 (unchanged)

• @anthropic-ai/sdk >=0.91.1 override remains in package.json (closes the moderate GHSA on insecure default file permissions).
• Explicit permissions: contents: read remains on the Heartbeat Real-Stack E2E workflow (CodeQL parity).

Upgrade

openclaw plugins install @axonflow/openclaw@latest. If you were stuck on v2.0.5 or v2.0.6 with ClawHub archive integrity mismatch or missing "package.json" errors, retry — v2.0.7 should resolve cleanly via the pinned CLI's ClawPack path.

---

Release v2.0.6

@axonflow/openclaw v2.0.6

Installation

npm install @axonflow/openclaw

Or via OpenClaw plugin manager:

openclaw plugins install @axonflow/openclaw

v2.0.5 switched the ClawHub publish artifact from folder upload (Legacy ZIP) to the npm-pack tarball (ClawPack). That triggered two ClawHub-side regressions specific to the ClawPack handling path that left v2.0.5 unusable for adopters:

1. Install integrity mismatch. openclaw plugins install clawhub:@axonflow/openclaw@2.0.5 failed with ClawHub archive integrity mismatch: expected sha256-RJwSW6ANBH3JKUkP06oA++JY9r1XAx58NDWKCeD6hwQ=, got sha256-7gGhfvJM/LuF9HfTZG2EsbjkSoImPau6h2wt+nwlhKo=. The expected hash matched the published tarball; the bytes ClawHub's install endpoint actually served did not. ClawHub's CLI download path (clawhub package download) returned the correct bytes — only the install resolution path was broken.
2. LLM scanner hallucinated "missing implementation". ClawScan flagged dimensions at concern claiming "the bundle contains only package.json and openclaw.plugin.json", "implementation code is absent", and "registry presents this as an instruction-only skill with no code" — all factually false. ClawHub's own package record correctly tagged the artifact as family: "code-plugin" with npmFileCount: 70 and unpackedSize: 280368. Static Analysis (deterministic — reads actual bytes) returned Benign. Only the LLM scanner pipeline saw an incomplete prompt context.

Changed

• Revert ClawHub publish step to folder upload. .github/workflows/publish.yml now runs clawhub package publish . (folder) instead of clawhub package publish ./<tarball>.tgz. This re-introduces the "Legacy ZIP — may have compatibility issues" badge on the ClawHub install page but restores openclaw plugins install for every adopter. Trade-off accepted until ClawHub fixes the ClawPack handling path.

Carried forward from v2.0.5

• @anthropic-ai/sdk >=0.91.1 override remains in package.json (closes the moderate GHSA on insecure default file permissions; @anthropic-ai/sdk is a transitive dev-only dependency through the openclaw peerDep).
• Explicit permissions: contents: read remains on the Heartbeat Real-Stack E2E workflow (CodeQL parity).

Upgrade

openclaw plugins install @axonflow/openclaw@latest. No code or configuration changes on your side. If you tried to install v2.0.5 and hit ClawHub archive integrity mismatch, retry with v2.0.6 — install resolves cleanly via the Legacy ZIP path.

---