Skip to content
Merged
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
50 changes: 49 additions & 1 deletion CHANGELOG.md
Original file line number Diff line number Diff line change
Expand Up @@ -7,6 +7,52 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0

## [Unreleased]

## [0.4.0] — 2026-07-07

### Security

- The ReadOnly statement whitelist now unwraps and validates parenthesized
query heads (`(SELECT ...)`, alone or combined via `UNION` / `INTERSECT` /
`EXCEPT`, with trailing `ORDER BY` / `LIMIT` / `OFFSET` / `FETCH` clauses).
Previously a statement starting with `(` carried no readable verb and was
waved through unvalidated. Statements whose shape cannot be read are now
rejected instead of assumed harmless.
- Whitelist recursion depth is bounded (64 nested query heads), so an
adversarial run of nested parentheses is rejected cleanly instead of
crashing the process with an uncatchable `StackOverflowException`.
- Bumped the transitive native `SQLitePCLRaw.lib.e_sqlite3` to 3.53.3 —
the 2.1.11 that `Microsoft.EntityFrameworkCore.Sqlite` brings in has a
known high-severity vulnerability (GHSA-2m69-gcr7-jv3q).

### Changed

- The executor's wrapper transaction now uses the provider-default isolation
level instead of `ReadUncommitted` in ReadOnly mode, eliminating dirty
reads on SQL Server (uncommitted data the LLM would present as fact).
SQLite ReadOnly uses a deferred `BEGIN`, which is compatible with
`PRAGMA query_only`.
- The schema description is now cached for the application lifetime (on the
options singleton, keyed by `DbContext` type) instead of per request scope
— the EF model walk and the connection open for server info run once.
- README now states explicitly that include/exclude is schema hiding, not
access control: the executor does not block SQL referencing excluded
tables or columns, so genuinely sensitive data must be protected with
database permissions.

### Fixed

- `AgentQLChatOptions.MaxOutputTokens` was documented but never applied; it
now flows into chat requests whenever the per-request options leave it
unset.
- The Anthropic provider honors an explicitly configured `Endpoint` instead
of silently ignoring it.
- The self-correction guard no longer skips a genuine user question that
merely mentions `<system-reminder>` when restating the question; only
messages that start with the injected reminder tag are skipped.
- A malformed `WITH x AS (` with an unterminated body no longer throws
inside the whitelist validator; it is reported as malformed and
neutralized like any other violation.

## [0.3.0] — 2026-06-10

### Added
Expand Down Expand Up @@ -83,7 +129,9 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
and the `Microsoft.Extensions.AI` plugin bridge (OpenAI, Anthropic, Ollama).
- Blazor demo app, README with usage guide, and NuGet packaging + publish workflow.

[Unreleased]: https://github.com/daniel3303/AgentQL/compare/v0.2.1...HEAD
[Unreleased]: https://github.com/daniel3303/AgentQL/compare/v0.4.0...HEAD
[0.4.0]: https://github.com/daniel3303/AgentQL/compare/v0.3.0...v0.4.0
[0.3.0]: https://github.com/daniel3303/AgentQL/compare/v0.2.1...v0.3.0
[0.2.1]: https://github.com/daniel3303/AgentQL/compare/v0.2.0...v0.2.1
[0.2.0]: https://github.com/daniel3303/AgentQL/compare/v0.1.3...v0.2.0
[0.1.3]: https://github.com/daniel3303/AgentQL/compare/v0.1.2...v0.1.3
Expand Down