|XP is just a number|
But I have realized over the years that you get more respect from a client, and get taken advantage of less if you are hard and fast about scope creep.
It sounds like you have a good grip on this, so what follows is for folks who don't.
There are several ways to handle scope creep. One is to say NO and wave contracts. Two other ways come out of Agile: Let the customer reprioritize at the beginning of each iteration, before the team estimates the work and establishes a cut-off point. Or, if the customer must make a priority change during an iteration, have a conversation that goes something like this:
"We've estimated the change that you asked for as taking 12 hours. According to the way you and I prioritized the features when we planned this round, that means that features P, D, and Q will fall off the list, unless you're like to designate 12 hours worth of other features to defer. Your call."
A likely counter at first might be
"No, you don't get it. I need the new feature and the old ones. Do it all."
to which a sane response is
"I hear that you want this new feature and everything else we planned. And to keep the quality level commitment I made to you, I need to avoid overcommitting. If I were to ask the team to go into overtime, quality would suffer, and we'd both be paying the fallout for a long time. Neither of us really want that. So, to do this new feature, which you've said is important, we'll need to choose some other work to defer. Do you want to defer features P, D, and Q, or would you like to choose something else? Your call."
This shows your customer that you're honoring the larger agreement in a way that they can trust. It also prevents them from training you to bend over on command.
As a developer, this probably isn't a conversation you'll have with external customers. Your company probably has people who are much better skilled and practiced at such negotiations. More likely, you'll have a conversation like this with your internal customer (be that your management or product management). In dysfunctional organizations (i.e., in most companies) standing up to them can be very scary. You'll need to gauge how dangerous it is. But the consquences of not standing up with integrity and defending agreements can be very, very bleak.