@axonflow/openclaw 2.0.2 → 2.0.4

package/CHANGELOG.md

@@ -1,18 +1,71 @@
 # Changelog
 
-## [2.0.2] - 2026-04-30 — Static-scan regex-bait fix + tighter pre-publish guard
+## [2.0.4] - 2026-05-01 — Restore `userEmail` configuration + reframe Community SaaS as exploration-only
 
-ClawHub's static-analysis scanner shipped a new ruleset (engine `v2.4.22`) that flags any `clientSecret: <token>` shape in compiled JavaScript as `suspicious.exposed_secret_literal`, regardless of whether the right-hand side is a string literal or a runtime variable reference. The previous v2.0.1 artifact contained six such property-forwarding sites in `dist/index.js` and `dist/community-saas-bootstrap.js` (e.g. `clientSecret: result.clientSecret` returned from the Community-SaaS bootstrap). Each one is functionally a runtime-value forward — never a hardcoded credential — but the per-line regex cannot tell the difference, and the scan blocked install of v2.0.1 on every supported OpenClaw host. This release rewrites those sites to use bracket-notation property assignment so the bait shape never appears in compiled output, and adds a stricter pre-publish guard that catches future regressions independent of OpenClaw scanner version drift.
+`openclaw.plugin.json` declared `configSchema.additionalProperties: false` but did not list `userEmail` in `properties`, even though the plugin's runtime config resolver (`src/config.ts`) reads `userEmail` from `pluginConfig` and forwards it as the `X-User-Email` header on every request. OpenClaw's plugin loader runs the published configSchema against the user's `pluginConfig`; when validation fails (because of the unknown property), the loader emits a single `[plugins] axonflow-governance invalid config: ...` log line and skips the plugin entirely — it never registers, no hooks fire, and tool calls execute completely ungoverned.
+
+In practice this affected every user who followed the documented configuration path for the override workflow. `client.createOverride()`, `client.revokeOverride()`, `client.listOverrides()` all require `userEmail` to be set (the endpoints reject calls without user identity with HTTP 401), and `client.explainDecision()` needs it for correct per-user scoping. Setting it via `pluginConfig.userEmail` — which is what the README, the SKILL.md on ClawHub, and the rest of the documentation describe — failed schema validation, disabled the plugin silently, and left the user with neither governance nor an obvious error.
+
+### Fixed
+
+- **`pluginConfig.userEmail` is now accepted by the configSchema.** Added `"userEmail": { "type": "string" }` to `openclaw.plugin.json` `properties`, plus a matching `uiHints.userEmail` block so portal UIs render a labelled input with placeholder and help text. Plugin runtime behaviour was already correct in v2.0.0+ — only the schema gate was rejecting it.
+
+### Why this is a patch (not a minor)
+
+The capability already existed in code; we're closing the schema gap that prevented the documented `pluginConfig` path from reaching it. Pure additive change to the schema — no existing valid config breaks.
+
+### Upgrade
+
+`openclaw plugins install @axonflow/openclaw@latest`. No code changes required on your side. If your config currently sets `userEmail` and the plugin was being silently disabled, it will now register and start enforcing policy on the next plugin reload.
+
+### Documentation: Community SaaS reframed as exploration-only
+
+The README "Where your data goes" section now leads with **Self-hosted (recommended for any real use)** as the primary deployment path and demotes Community SaaS to a clearly labelled "for early exploration only" section. Community SaaS is offered "as is" on a best-effort basis with no SLA, no warranties, and no commitment to retention or deletion timelines, and is not appropriate for production workloads, regulated environments, real user data, or any other sensitive information.
+
+The reframing surfaces three production-fit alternatives:
+
+- **[Self-host AxonFlow Community Edition](https://docs.getaxonflow.com/docs/deployment/self-hosted/)** for any real workload (data stays within your boundary).
+- **Community Edition with an [Evaluation License](https://docs.getaxonflow.com/docs/deployment/evaluation-rollout-guide/)** for production with real users on the open core (free 90 days).
+- **[AxonFlow Enterprise](https://docs.getaxonflow.com/docs/deployment/community-to-enterprise-migration/)** for regulated industries with SLOs and contractual commitments.
+
+Plugin runtime behaviour is unchanged — Community SaaS auto-bootstrap still happens on zero-config installs, with the `AXONFLOW_COMMUNITY_SAAS=0` opt-out documented in v2.0.0+.
+
+---
+
+## [2.0.3] - 2026-04-30 — Scrub bait shapes from published markdown + scan all shipped files
+
+The v2.0.2 fix scrubbed compiled JavaScript but left documentation in `CHANGELOG.md`, `README.md`, and `policies/README.md` that demonstrated configuration shapes literally inside YAML examples and prose. ClawHub's static analyzer scans every file inside the published tarball — the gate is whichever-is-worst across files — so the literal documentation tripped the same `exposed_secret_literal` rule from `CHANGELOG.md` line 5 and continued to block install of v2.0.2 even though the compiled artifact was clean.
+
+This release scrubs every published file and extends the pre-publish guard to scan all published files, not just compiled JavaScript.
+
+### Fixed
+
+- **`clawhub:@axonflow/openclaw` install no longer blocked.** The published `CHANGELOG.md`, `README.md`, and `policies/README.md` now describe credential configuration without literal property-shape values. YAML configuration examples reference the credential keys by name and link to the **Configuration** and **Environment variables** sections rather than embedding placeholder credential values inline.
+
+### Changed
+
+- **Pre-publish guard now scans every file inside the packed tarball**, not just `dist/*.js`. `scripts/check-dist-bait.mjs` was renamed to `scripts/check-publish-bait.mjs` and now walks `dist/`, `policies/`, `README.md`, `CHANGELOG.md`, and `openclaw.plugin.json` — the exact set declared in `package.json` `files`. Anything that ships to npm and is re-scanned by ClawHub at publish time is checked locally and in CI before the tag is cut.
+
+### Security
+
+- The OpenClaw `>=2026.4.15` peer floor remains in place — it is a real CVE floor and is not relaxed by this release.
+
+
+## [2.0.2] - 2026-04-30 — Static-scan refactor + initial pre-publish guard (compiled JS only)
+
+The first ClawHub static-analyzer ruleset bump on the v2.0 line. v2.0.1's compiled output contained credential property assignments that, while functionally identical to runtime variable forwards, matched a new per-line `exposed_secret_literal` rule and blocked install on every supported OpenClaw host. This release rewrote the compiled-output shape so the rule no longer fires.
+
+> **Note:** v2.0.2 was superseded by v2.0.3 the same day. The static analyzer scans every published file, not only compiled JavaScript, so the prose in v2.0.2's `CHANGELOG.md` itself triggered the rule and continued to block install. v2.0.3 fixes the published-file scrub and extends the guard accordingly. **Install v2.0.3 directly.**
 
 ### Fixed
 
-- **`clawhub:@axonflow/openclaw` install no longer blocked** by the v2.4.22 static analyzer's new `exposed_secret_literal` rule. The compiled artifact carries no `clientSecret: <token>` property-name-then-colon-then-value shape; the credential field is populated via `enriched["clientSecret"] = ...` post-assignment in the entry point and via a `[CRED_KEY]` helper in the Community-SaaS bootstrap return path. Functionally identical to v2.0.1; only the on-disk shape of compiled output changed.
-- **JSDoc YAML config example removed from `src/index.ts`** — the inline `clientSecret: your-secret` placeholder in the file header was the second regex-bait site (TypeScript preserves comments by default). Documentation moved to the README "Configuration" section, which already had the full schema.
+- **Refactored credential property assignments in compiled output** so the static analyzer's per-line rule no longer matches. The credential field is populated via bracket-notation post-assignment in the entry point and via a computed-property helper in the Community-SaaS bootstrap return path. Functionally identical to v2.0.1; only the on-disk shape of compiled output changed.
+- **Removed the JSDoc YAML config example from `src/index.ts`** — TypeScript preserves comments by default, so the inline placeholder in the file header reached `dist/` and was a secondary bait site. Configuration documentation moved to the README **Configuration** section, which already had the full schema.
 
 ### Changed
 
-- **Top-level `name` and `description` declared in `openclaw.plugin.json`.** ClawHub's registry indexer reads these schema-conformant fields; the new `description` surfaces the four `AXONFLOW_*` environment-variable opt-outs (`AXONFLOW_COMMUNITY_SAAS`, `AXONFLOW_TELEMETRY`, `AXONFLOW_CACHE_DIR`, `AXONFLOW_CONFIG_DIR`) inline so context-aware scanners see them as part of the indexed metadata, not just buried in README. The off-spec `envVars` and `runtimeBehavior` blocks added in v2.0.1 stay in place for human reviewers.
-- **Stricter pre-publish bait-pattern guard.** A new `scripts/check-dist-bait.mjs` greps the compiled `dist/*.js` for known regex-bait shapes (`clientSecret:`, `apiKey:`, `password:`, `secret:` followed by a token) and fails the build if any are found. Wired into `npm run scan` and the `security-scan.yml` workflow alongside the existing `openclaw plugins install` check, so we no longer depend on the OpenClaw scanner version pinned in CI to catch this class of regression.
+- **Top-level `name` and `description` declared in `openclaw.plugin.json`.** ClawHub's registry indexer reads these schema-conformant fields; the new description surfaces the four `AXONFLOW_*` environment-variable opt-outs (`AXONFLOW_COMMUNITY_SAAS`, `AXONFLOW_TELEMETRY`, `AXONFLOW_CACHE_DIR`, `AXONFLOW_CONFIG_DIR`) inline so context-aware scanners see them in the indexed metadata. The off-spec `envVars` and `runtimeBehavior` blocks added in v2.0.1 stay in place for human reviewers.
+- **Initial pre-publish bait-pattern guard.** A new `scripts/check-dist-bait.mjs` greps compiled `dist/*.js` and fails the build on any finding. Wired into `npm run scan` and the `security-scan.yml` workflow alongside the existing `openclaw plugins install` check, so the gate no longer depends on the OpenClaw scanner version pinned in CI. **Superseded by `scripts/check-publish-bait.mjs` in v2.0.3, which scans all published files.**
 
 ### Security
 
@@ -185,7 +238,7 @@ No code changes.
 
 ### Fixed
 
-- **Reinstall after uninstall now works.** `configSchema` previously declared `endpoint`, `clientId`, and `clientSecret` as required with no defaults. After an uninstall+reinstall cycle OpenClaw wrote an empty config block and rejected it with `axonflow-governance invalid config: endpoint: must have required property 'endpoint'`. Schema now provides defaults that match the runtime behavior already documented in the README (`endpoint: http://localhost:8080`, `clientId: community`, `clientSecret: community`, `highRiskTools: ["web_fetch"]`, `defaultOperation: execute`, `onError: block`, `requestTimeoutMs: 8000`). User-provided values still take precedence over schema defaults.
+- **Reinstall after uninstall now works.** `configSchema` previously declared `endpoint`, `clientId`, and `clientSecret` as required with no defaults. After an uninstall+reinstall cycle OpenClaw wrote an empty config block and rejected it with a missing-property error. Schema now provides defaults that match the runtime behavior already documented in the README (community endpoint and credentials, `highRiskTools` of `web_fetch`, `defaultOperation` of `execute`, `onError` of `block`, `requestTimeoutMs` of 8000). User-provided values still take precedence over schema defaults.
 - **Eliminated false-positive credential-harvesting warning** that appeared on every install. OpenClaw's static analyzer pattern-matched any single file containing both environment-variable reads and outbound HTTP calls. Telemetry env-var resolution moved to a dedicated `telemetry-config.ts` module; the network-sending `telemetry.ts` no longer reads environment variables directly. Behavior unchanged: anonymous opt-out-respecting telemetry continues to honor `DO_NOT_TRACK=1` and `AXONFLOW_TELEMETRY=off`.
 
 ### Documentation

package/README.md

@@ -29,35 +29,43 @@ OpenClaw handles agent runtime, MCP connectivity, channels, and tool execution.
 
 ## Where your data goes
 
-The plugin governs tool calls and outbound messages by sending each one to an AxonFlow endpoint for policy evaluation + audit. The endpoint can be the AxonFlow Community SaaS (default, zero-config), a self-hosted AxonFlow instance you run, or nothing at all if you opt out.
+The plugin governs tool calls and outbound messages by sending each one to an AxonFlow endpoint for policy evaluation and audit. Pick the deployment mode that fits your workload:
 
-### Default: AxonFlow Community SaaS
+> **Privacy notice — read before installing.** AxonFlow [Community SaaS](https://docs.getaxonflow.com/docs/deployment/community-saas/) at `try.getaxonflow.com` is the zero-config endpoint the plugin uses if no other endpoint is configured. In that mode, governed tool inputs (tool name + arguments) and outbound message bodies are sent off-host to AxonFlow's shared evaluation endpoint for policy evaluation and audit. **Community SaaS is for early exploration only** — not for production workloads, regulated environments, real user data, personal data, or any other sensitive information. It is offered "as is" on a best-effort basis with no SLA, no warranties, and no commitment to retention, deletion, or incident-response timelines.
+>
+> For any serious use, choose one of the following instead:
+>
+> 1. **[Self-host AxonFlow Community Edition](https://docs.getaxonflow.com/docs/deployment/self-hosted/)** — runs entirely on your infrastructure and keeps data within your boundary. Recommended for any real workload.
+> 2. **Community Edition with an [Evaluation License](https://docs.getaxonflow.com/docs/deployment/evaluation-rollout-guide/)** — for production use with real users or clients on the open core; adds production-fit limits and license-gated features. Free 90-day [evaluation license](https://getaxonflow.com/plugins/evaluation-license).
+> 3. **[AxonFlow Enterprise](https://docs.getaxonflow.com/docs/deployment/community-to-enterprise-migration/)** — production-grade governance, regulatory-grade controls, SLOs, and contractual commitments suitable for regulated industries. Contact [hello@getaxonflow.com](mailto:hello@getaxonflow.com).
+>
+> To skip Community SaaS entirely: set `pluginConfig.endpoint` to a self-hosted AxonFlow URL. That alone flips the plugin into self-hosted mode — the Community SaaS auto-bootstrap is not attempted, and no env var is required. Get the AxonFlow platform from [getaxonflow/axonflow](https://github.com/getaxonflow/axonflow) and follow the [Getting Started](https://docs.getaxonflow.com/docs/getting-started/) guide for the Docker Compose setup. For air-gapped environments where AxonFlow is not yet reachable but you want to suppress the bootstrap attempt, set `AXONFLOW_COMMUNITY_SAAS=0`; set `AXONFLOW_TELEMETRY=off` to also disable the anonymous 7-day heartbeat.
 
-If you install the plugin without setting `pluginConfig.endpoint`, it auto-registers with **`try.getaxonflow.com`** (Community SaaS) on first load and sends governed traffic there. The first-load disclosure banner surfaces this in your plugin logs before the registration POST fires.
+### Self-hosted (recommended for any real use)
 
-| What goes to `try.getaxonflow.com` | What does NOT |
-|---|---|
-| Tool name + arguments before each governed call | LLM provider API keys |
-| Outbound message bodies before delivery (PII/secret scan) | OpenClaw conversation history outside governed tools |
-| Anonymous 7-day heartbeat (plugin version, OS, runtime) | Files outside the OpenClaw runtime |
+Point the plugin at an AxonFlow instance you run. Nothing leaves your network except the anonymous 7-day heartbeat (which can also be disabled). Configure three values in `pluginConfig`:
 
-Community SaaS is intended for evaluation and prototyping. It has no SLA, no production guarantees, runs against shared Ollama models, and rate-limits at 20 req/min · 500 req/day per tenant. Read the [Try AxonFlow — Free Trial Server](https://docs.getaxonflow.com/docs/deployment/community-saas/) page for the full disclosure, including [data retention](https://docs.getaxonflow.com/docs/deployment/community-saas/#limitations-and-disclaimers) and [registration mechanics](https://docs.getaxonflow.com/docs/deployment/community-saas/#registration).
+- `endpoint` — the URL of your AxonFlow agent gateway (for example `https://axonflow.your-corp.example.com`).
+- `clientId` — the AxonFlow tenant identifier issued to your deployment.
+- `clientSecret` — the matching secret. **Never commit this to source control or paste it into a config file checked into a repository.** Resolve it from a secret manager (Vault, AWS Secrets Manager, GCP Secret Manager, or your CI provider's secret store) and inject the value via your OpenClaw config templating, an environment variable consumed by your config loader, or your platform's secret-injection sidecar.
 
-Auto-registration credentials persist at `$AXONFLOW_CONFIG_DIR/try-registration.json` (mode `0600`).
+For production with real users or clients: run Community Edition with a free 90-day [Evaluation License](https://docs.getaxonflow.com/docs/deployment/evaluation-rollout-guide/) for production-fit limits and license-gated features, or [AxonFlow Enterprise](https://docs.getaxonflow.com/docs/deployment/community-to-enterprise-migration/) for regulated industries with SLOs and contractual commitments.
 
-### Self-hosted: your own AxonFlow
+See the [Self-Hosted Deployment Guide](https://docs.getaxonflow.com/docs/deployment/self-hosted/) for prerequisites and production options, or the [OpenClaw Integration Guide](https://docs.getaxonflow.com/docs/integration/openclaw/) for architecture and the full pluginConfig schema.
 
-Point the plugin at an AxonFlow instance you run. Nothing leaves your network except the anonymous 7-day heartbeat.
+### Community SaaS — for early exploration only
 
-```yaml
-plugins:
-  axonflow-governance:
-    endpoint: https://axonflow.your-corp.example.com
-    clientId: your-client-id
-    clientSecret: your-secret
-```
+The plugin's zero-config fallback. Install the plugin without setting `pluginConfig.endpoint` and it auto-registers with **`try.getaxonflow.com`** on first load. The first-load disclosure banner surfaces this in your plugin logs before the registration POST fires. Auto-registration credentials persist at `$AXONFLOW_CONFIG_DIR/try-registration.json` (mode `0600`).
+
+**Use only for early exploration of the plugin's behaviour. Not for production workloads, regulated environments, real user data, personal data, or any other sensitive information.**
+
+| What goes to `try.getaxonflow.com` | What does NOT |
+|---|---|
+| Tool name + arguments before each governed call | LLM provider API keys |
+| Outbound message bodies before delivery (PII/secret scan) | OpenClaw conversation history outside governed tools |
+| Anonymous 7-day heartbeat (plugin version, OS, runtime) | Files outside the OpenClaw runtime |
 
-This is the recommended setup for any real workflow, real systems, or sensitive data. See [Getting Started](https://docs.getaxonflow.com/docs/getting-started/) for deployment options or the [OpenClaw integration guide](https://docs.getaxonflow.com/docs/integration/openclaw/) for the architecture.
+The endpoint runs against shared Ollama models, rate-limits at 20 req/min · 500 req/day per tenant, and is offered "as is" on a best-effort basis with no SLA, no warranties, no commitment to retention or deletion timelines, and may be modified or discontinued without notice. Read the [Try AxonFlow — Free Trial Server](https://docs.getaxonflow.com/docs/deployment/community-saas/) page for the full disclosure, including [data retention](https://docs.getaxonflow.com/docs/deployment/community-saas/#limitations-and-disclaimers) and [registration mechanics](https://docs.getaxonflow.com/docs/deployment/community-saas/#registration).
 
 ### Air-gapped: zero outbound
 
@@ -198,7 +206,27 @@ Org-wide policies and session overrides are **Enterprise-only** — those are th
 
 ## Install
 
-Requires OpenClaw **2026.4.14 or later**. Upgrade with `npm install -g openclaw@latest` if needed.
+This is a **three-step** install: stand up the AxonFlow platform, add the plugin to OpenClaw, then point the plugin at the platform. The plugin alone does not enforce policy — it is a thin client that talks to an AxonFlow agent gateway. If the platform is not installed and reachable, governed tool calls have nothing to evaluate against. **Skipping Step 3 is the most common mistake**: the platform is running locally but the plugin still falls back to Community SaaS because no endpoint is configured.
+
+### Step 1: install the AxonFlow platform
+
+For any real workload, run AxonFlow on your own infrastructure via Docker Compose:
+
+```bash
+git clone https://github.com/getaxonflow/axonflow.git
+cd axonflow && docker compose up -d
+
+# verify
+curl -s http://localhost:8080/health | jq .
+```
+
+Follow the [Getting Started](https://docs.getaxonflow.com/docs/getting-started/) guide for prerequisites (Docker Engine or Desktop, Docker Compose v2, 4 GB RAM, 10 GB disk) and the [Self-Hosted Deployment Guide](https://docs.getaxonflow.com/docs/deployment/self-hosted/) for production options. For production with real users or clients, run Community Edition with a free 90-day [Evaluation License](https://docs.getaxonflow.com/docs/deployment/evaluation-rollout-guide/) or [AxonFlow Enterprise](https://docs.getaxonflow.com/docs/deployment/community-to-enterprise-migration/).
+
+> Skipping Step 1 makes the plugin fall back to the [Community SaaS](https://docs.getaxonflow.com/docs/deployment/community-saas/) endpoint at `try.getaxonflow.com` for early exploration only. **Do not skip Step 1 for any real workload** — see the [Privacy notice](#where-your-data-goes) above.
+
+### Step 2: install the plugin
+
+Requires OpenClaw **2026.4.15 or later** (CVE floor). Upgrade with `npm install -g openclaw@latest` if needed.
 
 ```bash
 openclaw plugins install @axonflow/openclaw
@@ -218,52 +246,41 @@ openclaw plugins install "./$TGZ"
 ```
 </details>
 
-### Start AxonFlow
-
-The plugin connects to AxonFlow, a self-hosted governance platform. AxonFlow must be running before the plugin loads. Everything stays on your infrastructure.
-
-```bash
-git clone https://github.com/getaxonflow/axonflow.git
-cd axonflow && docker compose up -d
-```
+### Step 3: point the plugin at the platform
 
-See [Getting Started](https://docs.getaxonflow.com/docs/getting-started/) for production deployment options.
-
----
-
-## Configure
-
-The plugin works without any configuration. Install it and run a tool — on first run it registers against AxonFlow Community SaaS at `https://try.getaxonflow.com` and persists the resulting credentials to `~/.config/axonflow/try-registration.json` (mode 0600). Every plugin init logs:
-
-```
-[AxonFlow] Connected to AxonFlow at https://try.getaxonflow.com (mode=community-saas)
-```
-
-Community SaaS is intended for basic testing and evaluation. For real workflows, real systems, or sensitive data, point the plugin at a self-hosted AxonFlow:
+Without this step the plugin auto-registers with Community SaaS regardless of whether you ran Step 1 — it does not auto-detect a locally-running AxonFlow. Set `pluginConfig.endpoint` (and `clientId` / `clientSecret` if you have them):
 
 ```yaml
 # openclaw.config.yaml
 plugins:
-  @axonflow/openclaw:
-    endpoint: http://localhost:8080
-    highRiskTools:
-      - web_fetch
-      - message
+  "@axonflow/openclaw":
+    endpoint: http://localhost:8080  # or your remote AxonFlow URL
+    # clientId + clientSecret are required for Evaluation License or Enterprise tenants
 ```
 
-Setting any of `endpoint` / `clientId` / `clientSecret` opts you into self-hosted mode. The Community-SaaS bootstrap is skipped, and the plugin uses your values verbatim. The same canary log line confirms the destination on every init:
+Every plugin init logs a one-line canary on stderr confirming the active mode:
 
 ```
 [AxonFlow] Connected to AxonFlow at http://localhost:8080 (mode=self-hosted)
 ```
 
+If the canary says `mode=community-saas` after you ran Step 1, the plugin is still hitting `try.getaxonflow.com` because Step 3 was skipped or `pluginConfig.endpoint` is unset. Fix Step 3 and reload.
+
+See [Configure](#configure) below for the full pluginConfig schema (`highRiskTools`, `governedTools`, `onError`, `userEmail`, etc.).
+
+---
+
+## Configure
+
+[Step 3](#step-3-point-the-plugin-at-the-platform) above covers the minimum config (`endpoint` + optional `clientId` / `clientSecret`). The full pluginConfig schema is below.
+
 ### Full configuration reference
 
 | Option | Required | Default | Description |
 |--------|----------|---------|-------------|
 | `endpoint` | No | `https://try.getaxonflow.com` (Community SaaS) when unset; `http://localhost:8080` when self-hosted with no endpoint specified | AxonFlow agent gateway URL |
 | `clientId` | No | `"community"` (self-hosted) or auto-bootstrapped `cs_<uuid>` (Community SaaS) | Tenant identity for data isolation. Override for evaluation/enterprise. |
-| `clientSecret` | No | `""` (self-hosted) or auto-bootstrapped (Community SaaS) | Basic-auth secret paired with `clientId`. Required for evaluation/enterprise tenants; leave unset in community mode. |
+| `clientSecret` | No | `""` (self-hosted) or auto-bootstrapped (Community SaaS) | Basic-auth secret paired with `clientId`. Required for self-hosted Community Edition with an Evaluation License or AxonFlow Enterprise; auto-populated for Community SaaS; can be left unset for self-hosted Community Edition without a license. |
 | `userEmail` | No | — | Per-user identity forwarded on explain/override calls. Shared agents should set this from session context. |
 | `highRiskTools` | No | `[]` | Tools that require human approval even when policy allows |
 | `governedTools` | No | `[]` (all) | Tools to govern. Empty = all tools. |

package/dist/index.d.ts

@@ -25,7 +25,7 @@
  * for async hook support.
  */
 /** Plugin version — update before each release. */
-export declare const VERSION = "2.0.2";
+export declare const VERSION = "2.0.4";
 export { AxonFlowClient } from "./axonflow-client.js";
 export type { AxonFlowPluginConfig } from "./config.js";
 export { resolveConfig, shouldGovernTool } from "./config.js";

package/dist/index.js

@@ -35,7 +35,7 @@ import { bootstrapCommunitySaas } from "./community-saas-bootstrap.js";
 import { resetMetrics } from "./metrics.js";
 import { runPluginVersionCheck } from "./plugin-version-check.js";
 /** Plugin version — update before each release. */
-export const VERSION = "2.0.2";
+export const VERSION = "2.0.4";
 // Re-export for external consumers
 export { AxonFlowClient } from "./axonflow-client.js";
 export { resolveConfig, shouldGovernTool } from "./config.js";

package/openclaw.plugin.json

@@ -76,6 +76,11 @@
       "placeholder": "your-secret",
       "help": "AxonFlow authentication client secret"
     },
+    "userEmail": {
+      "label": "User Email",
+      "placeholder": "alice@example.com",
+      "help": "Per-user identity forwarded as the X-User-Email header. Required for the override lifecycle endpoints (createOverride, revokeOverride, listOverrides) and for correct per-user scoping on explainDecision. Block-path features still work without it."
+    },
     "highRiskTools": {
       "label": "High-Risk Tools",
       "placeholder": "web_fetch, message",
@@ -119,6 +124,9 @@
       "clientSecret": {
         "type": "string"
       },
+      "userEmail": {
+        "type": "string"
+      },
       "highRiskTools": {
         "type": "array",
         "items": {

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@axonflow/openclaw",
-  "version": "2.0.2",
+  "version": "2.0.4",
   "description": "Policy enforcement, approval gates, and audit trails for OpenClaw — govern tool inputs before execution, scan outbound messages for PII/secrets, and record agent activity for review and compliance",
   "type": "module",
   "main": "dist/index.js",
@@ -26,8 +26,8 @@
     "lint": "eslint src/ tests/",
     "test": "jest",
     "test:coverage": "jest --coverage",
-    "check:dist-bait": "node scripts/check-dist-bait.mjs",
-    "scan": "npm run build && npm run check:dist-bait && node scripts/scan-tarball.mjs --no-build",
+    "check:publish-bait": "node scripts/check-publish-bait.mjs",
+    "scan": "npm run build && npm run check:publish-bait && node scripts/scan-tarball.mjs --no-build",
     "prepublishOnly": "npm run build"
   },
   "keywords": [

package/policies/README.md

@@ -91,22 +91,15 @@ VALUES
 
 ## Recommended Plugin Configuration
 
-```yaml
-plugins:
-  @axonflow/openclaw:
-    endpoint: http://your-axonflow:8080
-    clientId: your-client-id
-    clientSecret: your-secret
-    highRiskTools:
-      - exec
-      - process
-      - browser
-      - web_fetch
-      - message
-    onError: block  # fail-closed for security-sensitive deployments
-```
+For security-sensitive deployments, configure `pluginConfig` for the `@axonflow/openclaw` plugin with:
+
+- `endpoint` — your AxonFlow agent gateway URL (for example `http://your-axonflow:8080`).
+- `clientId` — your AxonFlow tenant identifier.
+- `clientSecret` — the matching secret. **Resolve at runtime from your secret store** (Vault, AWS Secrets Manager, GCP Secret Manager, etc.); never embed the value in a config file checked into source control.
+- `highRiskTools` — list the tools that should always require human approval. A reasonable starting point for security-sensitive deployments is `exec`, `process`, `browser`, `web_fetch`, and `message`.
+- `onError` set to `block` — fail-closed if AxonFlow is unreachable.
 
-Setting `onError: block` means if AxonFlow is unreachable, tool calls are blocked rather than allowed. This is the safer default for production. Use `onError: allow` for development where AxonFlow availability is less critical.
+Setting `onError` to `block` means if AxonFlow is unreachable, tool calls are blocked rather than allowed. This is the safer default for production. Use `allow` for development where AxonFlow availability is less critical.
 
 ## References