chore(release): v1.2.0 — V1 paid Pro tier + X-Axonflow-Client header [skip-runtime-e2e]

.codex-plugin/marketplace.json

@@ -7,14 +7,14 @@
   },
   "metadata": {
     "description": "Runtime governance for OpenAI Codex. Policy enforcement on terminal commands, advisory governance via skills, PII detection, audit trails, and compliance-grade decision records.",
-    "version": "1.1.0"
+    "version": "1.2.0"
   },
   "plugins": [
     {
       "name": "axonflow",
       "source": "./",
       "description": "Policy enforcement, PII detection, and audit trails for OpenAI Codex. Hybrid governance — enforces policies on terminal commands (exec_command) via hooks, provides advisory governance for other tools via implicit-activation skills, and records compliance-grade audit trails. Self-hosted via Docker — all data stays on your infrastructure.",
-      "version": "1.1.0",
+      "version": "1.2.0",
       "author": {
         "name": "AxonFlow",
         "email": "hello@getaxonflow.com",

.codex-plugin/plugin.json

@@ -2,7 +2,7 @@
   "name": "axonflow",
   "displayName": "AxonFlow Governance",
   "description": "Policy enforcement, PII detection, and audit trails for OpenAI Codex. Hybrid governance — enforces policies on terminal commands (exec_command) via hooks, provides advisory governance for other tools via implicit-activation skills, and records compliance-grade audit trails. Self-hosted via Docker — all data stays on your infrastructure.",
-  "version": "1.1.0",
+  "version": "1.2.0",
   "author": {
     "name": "AxonFlow",
     "email": "hello@getaxonflow.com",

CHANGELOG.md

@@ -2,6 +2,24 @@
 
 ## [Unreleased]
 
+## [1.2.0] - 2026-05-06 — V1 paid Pro tier wire-up + X-Axonflow-Client header
+
+Companion plugin release to platform v7.7.0. Surfaces the V1 SaaS Plugin
+Pro tier — license token paste activates Pro features immediately, plus
+the agent-side scope-validation header on every governed request via
+`.mcp.json`'s `http_headers` block.
+
+### Added
+
+- **`X-Axonflow-Client: codex/<version>` header** on every governed
+  agent request. Declared via `.mcp.json`'s `http_headers` block (set up
+  by `scripts/install-mcp-with-headers.sh` at install time) and exported
+  as `${AXONFLOW_CLIENT_HEADER}` by `pre-tool-check.sh` on every
+  hook-invoke. Agents at v7.7.0+ derive request scope from this header
+  and reject cross-quadrant token misuse (e.g. a SaaS Plugin Pro token
+  paired with an SDK request) at the validator boundary. Older agents
+  (pre-v7.7.0) ignore the header and continue to work unchanged.
+
 ### Changed
 
 - **`scripts/recover.sh status` tier line now surfaces Pro license expiry date.** The status output's `tier` line parses the JWT `exp` claim from the configured Pro license token and renders one of three shapes: `Pro tier active (expires YYYY-MM-DD, N days remaining)` when active, `Free tier (Pro expired YYYY-MM-DD — visit https://getaxonflow.com/pro to renew)` when the token is on disk but its `exp` has passed (plugin will not forward an expired token), or `Free tier (no AXON- license token configured)` when no token is loaded. Lets users see their renewal date without hitting the agent and catches the lapsed-token state before their next governed call. Display only — JWT signature validation remains the platform's job. Pre-existing `Pro tier active` and `Free tier` substring assertions still hold.