Releases: AgamiAI/agami-core
Release list
v0.3.8
Added
- OAuth refresh tokens — no more hourly re-login on the self-hosted server. The token
endpoint now issues arefresh_tokenand supports therefresh_tokengrant (RFC 6749 §6),
so a connected client (claude.ai) silently renews the short-lived access token instead of
redoing the full login every hour. Refresh tokens rotate on each use with reuse
detection (replaying a rotated/stolen token revokes the whole family), are stored hashed,
never in plaintext, and are revocable. Access tokens stay short-lived (1h). Both lifetimes are
now env-configurable (AGAMI_ACCESS_TOKEN_TTL/AGAMI_REFRESH_TOKEN_TTL, seconds) with the
same defaults when unset (access 1h, refresh 30-day idle). No action needed on upgrade — the
newoauth_refresh_tokentable migrates in automatically on boot.
v0.3.7
Added
- Read-only database user guidance.
/agami-connectand/agami-deploynow
recommend connecting agami with a read-only database user — agami only ever
runs read-only SELECT queries, so read access is all it needs. A new
readonly-grants.md ships copy-paste
CREATE USER/GRANT SELECTSQL for every supported dialect (Postgres/Redshift,
MySQL, Snowflake, SQL Server, Oracle, Databricks, Trino, BigQuery). Ask agami for
"the read-only grant" to get the exact SQL for your database.
Changed
- Self-host compose caps container log growth. Every service now uses the
json-filedriver withmax-size: 10m/max-file: 3(≤30 MB per container), so
a long-running deploy on a small VM can't silently fill the disk — no VM-side
daemon.jsonstep needed. Also silenced a harmlessCLOUDFLARE_TUNNEL_TOKEN … not setwarning on non-tunnel deploys.
Fixed
list_datasourcesno longer reports empty on a self-hosted server. On a
served deployment the warehouse/model is reached through the store, and the local
credentialsfile never ships to the container — butlist_datasourceswas the
one tool still reading only that file, so it always returned "No profiles found …
run agami-connect", even whileget_datasource_schemaandexecute_sqlworked
against the deployed model. Because clients are told to call it first, they'd
conclude nothing was connected. It now enumerates the served models from the store
(the same seam every other tool already uses), and only falls back to the
credentials file for the local plugin.
Security
- Hardened the read-only
execute_sqlgate. SQL execution now runs through a
single guard (sql_guard) at the shared executor, so the stdio server, the hosted
HTTP server, the skills, and cron are all protected identically (previously the
check lived only on the MCP tool path; a directpython -m execute_sqlcall — used
by the skills and cron — was unguarded). Beyond "must start withSELECT/WITH",
it now rejects multi-statement SQL (including bypasses hidden in string literals,
comments, or double-quoted identifiers), data-modifying CTEs, transaction-control /
session-state / prepared statements,SELECT ... INTO, row-level locks, and
dangerous server-side functions (pg_read_file,lo_export,dblink,
copy_program,pg_sleep, advisory locks,query_to_xml, …). Legitimate analytics
SQL is unaffected — a large false-positive corpus pins that. Enforcement is not
bypassable via--no-safety(that flag only skips the semantic-model pass). - Closed a dollar-quote statement-stacking bypass in that gate. A
'inside a
Postgres/Snowflake/DuckDB$$…$$(or$tag$…$tag$) string desynced the literal
stripper and could smuggle a second statement (SELECT $$'$$ ; DROP TABLE x -- ')
past the multi-statement check. The gate now neutralizes comments and string /
dollar literals in a single lexer-faithful pass (first-opened construct wins),
refuses dialect-ambiguous MySQL comment forms (a bare--xand executable
/*! … */comments), and also blocks sequence writes (setval/nextval) and
server/replication control
(pg_stat_reset*,pg_switch_wal,pg_drop_replication_slot, …). The guard module
is also now packaged in the built wheel (it was missing frompy-modules, which
would have brokenimport sql_guardin an installed/containerized deploy).
v0.3.6
Deploy lifecycle UX — first-run polish + a safe, upgrade-aware re-run.
Changed
/agami-deployis easier to use and safe to re-run. The config file is now a visibleagami.env(not a hidden.env), and the skill opens it for you. A re-run upgrades in place, non-destructively: your typed password/secret and DSN are kept, any setting new in a version is surfaced (e.g.DATASOURCE_URL), and the image tag bumps only when you pass one — so a model update is just re-run + restart, and a version upgrade tells you what's new.- Multi-datasource deploys are an explicit choice. With more than one model, the skill asks which to deploy (all or a subset) and names the per-datasource
DATASOURCE_URL__<NAME>to set; dropping one on a re-run removes it cleanly.
v0.3.5
Self-host deploy fixes from a field run-through.
Fixed
- Deploy no longer crash-loops on artifact permissions. The team server runs as a non-root container user; the model is now staged world-readable, so the boot-time load can't fail
Permission deniedonORGANIZATION.md. - claude.ai connects to a self-hosted server.
/mcpno longer answers the bare URL with a307the MCP client won't follow — normalized server-side, works on every profile (incl. Caddy-less Cloud Run).
Changed
- Warehouse credentials come from
DATASOURCE_URL(env), not a mounted file. Env-first, file-fallback — one code path. The self-host bundle ships no secret:local/(credentials,.pgpass) is never staged, and a re-run purges any stale copy.
v0.3.4
Fix: sm discover (the table-prune step of a real-DB onboarding) no longer crashes with ModuleNotFoundError on a pip/marketplace install — it resolves the prune-page renderer via the plugin root.
Also: docs refreshed (README slimmed, PyPI install surfaced, changelog backfilled) and internal cleanup (spec-ID references removed from the public repo; dead-code + test hygiene).
v0.3.3
Ships the 0.3.2 marketplace run-through fixes — all 8 issues resolved.
OCR-033 (#67) — sm hardened as the single install chokepoint (semantic_model.cli readiness + cwd path isolation + PEP-668 --break-system-packages tier); promote_credentials.py + setup_desktop_mcp.py migrated to the _agami_lib resolver + sm install delegation. Fixes real-DB credential promotion and /agami-serve on marketplace installs.
OCR-034 (#68) — sample "watch it build" (6B) codifies its carve-outs and opens the model-explorer; the preflight no longer invents a main profile on first run; agami-query guardrail against hand-rolled model dumps.
v0.3.2
First PyPI publish of agami-core (trusted publishing). Bundles the OCR-030/031/032 marketplace-install fixes: bundled query lib, resolver-style model-build install, and pip install agami-core[model] now resolving from PyPI. Also republishes the GHCR server image.
v0.3.1
Patch release.
Fix (self-host): the plugin's runtime scripts now resolve the agami-core library in a marketplace install — the library is bundled with the plugin, so agami-connect works out of the box with no pip install. (Fixes a regression where a fresh install failed on import agami_paths.)
Repo hygiene: removed internal design docs; relocated a dev-only preview tool.
Update the plugin to 0.3.1 to get the fix. Container image:
docker pull ghcr.io/agamiai/agami-core:0.3.1
v0.3.0
First tagged release of agami-core.
Self-host the server in one stack. agami-core now ships a secure-by-default deploy package (Caddy auto-TLS, internal Postgres, OAuth + admin) and a pre-built multi-arch container image so a team can stand up a shareable MCP server their Claude connects to.
Pull the image:
docker pull ghcr.io/agamiai/agami-core:0.3.0
Available for linux/amd64 and linux/arm64.