Skip to content

Releases: daniel3303/AgentQL

v0.4.0

Choose a tag to compare

@daniel3303 daniel3303 released this 07 Jul 15:36
63061ab

Security

  • The ReadOnly statement whitelist now unwraps and validates parenthesized query heads ((SELECT ...), alone or combined via UNION / INTERSECT / EXCEPT, with trailing ORDER BY / LIMIT / OFFSET / FETCH clauses). Previously a statement starting with ( carried no readable verb and was waved through unvalidated. Statements whose shape cannot be read are now rejected instead of assumed harmless.
  • Whitelist recursion depth is bounded (64 nested query heads), so an adversarial run of nested parentheses is rejected cleanly instead of crashing the process with an uncatchable StackOverflowException.
  • Bumped the transitive native SQLitePCLRaw.lib.e_sqlite3 to 3.53.3 — the 2.1.11 that Microsoft.EntityFrameworkCore.Sqlite brings in has a known high-severity vulnerability (GHSA-2m69-gcr7-jv3q).

Changed

  • The executor's wrapper transaction now uses the provider-default isolation level instead of ReadUncommitted in ReadOnly mode, eliminating dirty reads on SQL Server (uncommitted data the LLM would present as fact). SQLite ReadOnly uses a deferred BEGIN, which is compatible with PRAGMA query_only.
  • The schema description is now cached for the application lifetime (on the options singleton, keyed by DbContext type) instead of per request scope — the EF model walk and the connection open for server info run once.
  • README now states explicitly that include/exclude is schema hiding, not access control: the executor does not block SQL referencing excluded tables or columns, so genuinely sensitive data must be protected with database permissions.

Fixed

  • AgentQLChatOptions.MaxOutputTokens was documented but never applied; it now flows into chat requests whenever the per-request options leave it unset.
  • The Anthropic provider honors an explicitly configured Endpoint instead of silently ignoring it.
  • The self-correction guard no longer skips a genuine user question that merely mentions <system-reminder> when restating the question; only messages that start with the injected reminder tag are skipped.
  • A malformed WITH x AS ( with an unterminated body no longer throws inside the whitelist validator; it is reported as malformed and neutralized like any other violation.

Full Changelog: v0.3.0...v0.4.0

v0.3.0

Choose a tag to compare

@daniel3303 daniel3303 released this 09 Jun 23:01
0f59e8d

Added

  • AgentQLPlugin.ExecuteQueryWithDescription(sqlQuery, resultDescription) — a variant of ExecuteQuery where the model also supplies a short description of the result set (column meanings, filters, caveats) in the same tool call. Hosts that hand the raw rows to an orchestrator can skip the final prose-generation turn entirely, cutting one model round-trip per question.
  • AgentQLPlugin.LastSuccessfulResult — per-scope capture of the last successful query (CapturedQueryResult: SQL, rows, row count, optional description), so hosts no longer need to wrap ExecuteQuery to harvest verified rows for charts or structured replies. Failed queries never overwrite a prior capture; a zero-row success is captured (it is an answer, not a failure).
  • SelfCorrectingChatClient recognises ExecuteQueryWithDescription as a grounding query (new ExecuteQueryWithDescriptionToolName constant), so the self-correction guard works identically with either execute variant.

Changed

  • GetDatabaseSchema workflow text and the self-correction reminder now refer to "the query execution tool" generically instead of naming ExecuteQuery, since hosts may expose either execute variant.

Full Changelog: v0.2.1...v0.3.0

v0.2.1

Choose a tag to compare

@daniel3303 daniel3303 released this 08 Jun 16:35
5558eed

Fixed

  • ReadOnly statement validator wrongly rejected WITH (CTE) queries whose CTE name was double-quoted (e.g. WITH "Summary" AS (...) SELECT ...) as "malformed", silently neutralising a valid read-only query into empty results. The identifier reader now handles double-quoted identifiers (and digits in unquoted names), so quoted CTEs execute normally. The recursive write-detection guard still rejects a writable body inside a quoted CTE.

See CHANGELOG.md.

v0.2.0

Choose a tag to compare

@daniel3303 daniel3303 released this 08 Jun 16:35
b6bbdc1

Added

  • Self-correction guard for the query agent (SelfCorrectingChatClient + UseAgentQLSelfCorrection). It wraps the function-invocation loop and re-prompts the model with a system reminder whenever a turn ends without an answer or an explicit ReportFailure — restating the question and telling the model to read the query error, fix the SQL, and retry. After MaxAttempts nudges it returns a configurable exhaustion message, so the agent never returns an empty answer. Enabled by default in AddAgentQLChat; tune it via the new configureSelfCorrection parameter.
  • .NET test infrastructure (unit + integration) with the project restructured into src/.
  • Integration tests isolated with Respawn.

See CHANGELOG.md.

v0.1.3

Choose a tag to compare

@daniel3303 daniel3303 released this 15 May 16:17
941162e

Fixed: increased NuGet package icon resolution to 512x512. See CHANGELOG.md.

v0.1.2

Choose a tag to compare

@daniel3303 daniel3303 released this 15 May 16:17
830c0f9

Changed: NuGet package icon — centered flat design. See CHANGELOG.md.

v0.1.1

Choose a tag to compare

@daniel3303 daniel3303 released this 15 May 16:17
fb90946

Fixed: NuGet repository URL, website, and authors metadata. See CHANGELOG.md.

v0.1.0

Choose a tag to compare

@daniel3303 daniel3303 released this 15 May 16:17
cba2e82

Initial release: EF Core schema introspection, safe SQL query execution, and the Microsoft.Extensions.AI plugin bridge (OpenAI, Anthropic, Ollama). See CHANGELOG.md.