From 801a8718b2ba4ea6e1d0502ff72ec51b891eda3e Mon Sep 17 00:00:00 2001 From: Daniel Oliveira Date: Tue, 7 Jul 2026 16:32:24 +0100 Subject: [PATCH] chore(release): 0.4.0 --- CHANGELOG.md | 50 +++++++++++++++++++++++++++++++++++++++++++++++++- 1 file changed, 49 insertions(+), 1 deletion(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 3525341..fdf14d7 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -7,6 +7,52 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0 ## [Unreleased] +## [0.4.0] — 2026-07-07 + +### Security + +- The ReadOnly statement whitelist now unwraps and validates parenthesized + query heads (`(SELECT ...)`, alone or combined via `UNION` / `INTERSECT` / + `EXCEPT`, with trailing `ORDER BY` / `LIMIT` / `OFFSET` / `FETCH` clauses). + Previously a statement starting with `(` carried no readable verb and was + waved through unvalidated. Statements whose shape cannot be read are now + rejected instead of assumed harmless. +- Whitelist recursion depth is bounded (64 nested query heads), so an + adversarial run of nested parentheses is rejected cleanly instead of + crashing the process with an uncatchable `StackOverflowException`. +- Bumped the transitive native `SQLitePCLRaw.lib.e_sqlite3` to 3.53.3 — + the 2.1.11 that `Microsoft.EntityFrameworkCore.Sqlite` brings in has a + known high-severity vulnerability (GHSA-2m69-gcr7-jv3q). + +### Changed + +- The executor's wrapper transaction now uses the provider-default isolation + level instead of `ReadUncommitted` in ReadOnly mode, eliminating dirty + reads on SQL Server (uncommitted data the LLM would present as fact). + SQLite ReadOnly uses a deferred `BEGIN`, which is compatible with + `PRAGMA query_only`. +- The schema description is now cached for the application lifetime (on the + options singleton, keyed by `DbContext` type) instead of per request scope + — the EF model walk and the connection open for server info run once. +- README now states explicitly that include/exclude is schema hiding, not + access control: the executor does not block SQL referencing excluded + tables or columns, so genuinely sensitive data must be protected with + database permissions. + +### Fixed + +- `AgentQLChatOptions.MaxOutputTokens` was documented but never applied; it + now flows into chat requests whenever the per-request options leave it + unset. +- The Anthropic provider honors an explicitly configured `Endpoint` instead + of silently ignoring it. +- The self-correction guard no longer skips a genuine user question that + merely mentions `` when restating the question; only + messages that start with the injected reminder tag are skipped. +- A malformed `WITH x AS (` with an unterminated body no longer throws + inside the whitelist validator; it is reported as malformed and + neutralized like any other violation. + ## [0.3.0] — 2026-06-10 ### Added @@ -83,7 +129,9 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0 and the `Microsoft.Extensions.AI` plugin bridge (OpenAI, Anthropic, Ollama). - Blazor demo app, README with usage guide, and NuGet packaging + publish workflow. -[Unreleased]: https://github.com/daniel3303/AgentQL/compare/v0.2.1...HEAD +[Unreleased]: https://github.com/daniel3303/AgentQL/compare/v0.4.0...HEAD +[0.4.0]: https://github.com/daniel3303/AgentQL/compare/v0.3.0...v0.4.0 +[0.3.0]: https://github.com/daniel3303/AgentQL/compare/v0.2.1...v0.3.0 [0.2.1]: https://github.com/daniel3303/AgentQL/compare/v0.2.0...v0.2.1 [0.2.0]: https://github.com/daniel3303/AgentQL/compare/v0.1.3...v0.2.0 [0.1.3]: https://github.com/daniel3303/AgentQL/compare/v0.1.2...v0.1.3