Releases: daniel3303/AgentQL
Releases · daniel3303/AgentQL
Release list
v0.4.0
Security
- The ReadOnly statement whitelist now unwraps and validates parenthesized query heads (
(SELECT ...), alone or combined viaUNION/INTERSECT/EXCEPT, with trailingORDER BY/LIMIT/OFFSET/FETCHclauses). Previously a statement starting with(carried no readable verb and was waved through unvalidated. Statements whose shape cannot be read are now rejected instead of assumed harmless. - Whitelist recursion depth is bounded (64 nested query heads), so an adversarial run of nested parentheses is rejected cleanly instead of crashing the process with an uncatchable
StackOverflowException. - Bumped the transitive native
SQLitePCLRaw.lib.e_sqlite3to 3.53.3 — the 2.1.11 thatMicrosoft.EntityFrameworkCore.Sqlitebrings in has a known high-severity vulnerability (GHSA-2m69-gcr7-jv3q).
Changed
- The executor's wrapper transaction now uses the provider-default isolation level instead of
ReadUncommittedin ReadOnly mode, eliminating dirty reads on SQL Server (uncommitted data the LLM would present as fact). SQLite ReadOnly uses a deferredBEGIN, which is compatible withPRAGMA query_only. - The schema description is now cached for the application lifetime (on the options singleton, keyed by
DbContexttype) instead of per request scope — the EF model walk and the connection open for server info run once. - README now states explicitly that include/exclude is schema hiding, not access control: the executor does not block SQL referencing excluded tables or columns, so genuinely sensitive data must be protected with database permissions.
Fixed
AgentQLChatOptions.MaxOutputTokenswas documented but never applied; it now flows into chat requests whenever the per-request options leave it unset.- The Anthropic provider honors an explicitly configured
Endpointinstead of silently ignoring it. - The self-correction guard no longer skips a genuine user question that merely mentions
<system-reminder>when restating the question; only messages that start with the injected reminder tag are skipped. - A malformed
WITH x AS (with an unterminated body no longer throws inside the whitelist validator; it is reported as malformed and neutralized like any other violation.
Full Changelog: v0.3.0...v0.4.0
v0.3.0
Added
AgentQLPlugin.ExecuteQueryWithDescription(sqlQuery, resultDescription)— a variant ofExecuteQuerywhere the model also supplies a short description of the result set (column meanings, filters, caveats) in the same tool call. Hosts that hand the raw rows to an orchestrator can skip the final prose-generation turn entirely, cutting one model round-trip per question.AgentQLPlugin.LastSuccessfulResult— per-scope capture of the last successful query (CapturedQueryResult: SQL, rows, row count, optional description), so hosts no longer need to wrapExecuteQueryto harvest verified rows for charts or structured replies. Failed queries never overwrite a prior capture; a zero-row success is captured (it is an answer, not a failure).SelfCorrectingChatClientrecognisesExecuteQueryWithDescriptionas a grounding query (newExecuteQueryWithDescriptionToolNameconstant), so the self-correction guard works identically with either execute variant.
Changed
GetDatabaseSchemaworkflow text and the self-correction reminder now refer to "the query execution tool" generically instead of namingExecuteQuery, since hosts may expose either execute variant.
Full Changelog: v0.2.1...v0.3.0
v0.2.1
Fixed
- ReadOnly statement validator wrongly rejected
WITH(CTE) queries whose CTE name was double-quoted (e.g.WITH "Summary" AS (...) SELECT ...) as "malformed", silently neutralising a valid read-only query into empty results. The identifier reader now handles double-quoted identifiers (and digits in unquoted names), so quoted CTEs execute normally. The recursive write-detection guard still rejects a writable body inside a quoted CTE.
See CHANGELOG.md.
v0.2.0
Added
- Self-correction guard for the query agent (
SelfCorrectingChatClient+UseAgentQLSelfCorrection). It wraps the function-invocation loop and re-prompts the model with a system reminder whenever a turn ends without an answer or an explicitReportFailure— restating the question and telling the model to read the query error, fix the SQL, and retry. AfterMaxAttemptsnudges it returns a configurable exhaustion message, so the agent never returns an empty answer. Enabled by default inAddAgentQLChat; tune it via the newconfigureSelfCorrectionparameter. - .NET test infrastructure (unit + integration) with the project restructured into
src/. - Integration tests isolated with Respawn.
See CHANGELOG.md.
v0.1.3
Fixed: increased NuGet package icon resolution to 512x512. See CHANGELOG.md.
v0.1.2
Changed: NuGet package icon — centered flat design. See CHANGELOG.md.
v0.1.1
Fixed: NuGet repository URL, website, and authors metadata. See CHANGELOG.md.
v0.1.0
Initial release: EF Core schema introspection, safe SQL query execution, and the Microsoft.Extensions.AI plugin bridge (OpenAI, Anthropic, Ollama). See CHANGELOG.md.