Skip to content

Releases: AgamiAI/agami-core

v0.3.8

Choose a tag to compare

@ashwin-agami ashwin-agami released this 06 Jul 12:02
ca963bc

Added

  • OAuth refresh tokens — no more hourly re-login on the self-hosted server. The token
    endpoint now issues a refresh_token and supports the refresh_token grant (RFC 6749 §6),
    so a connected client (claude.ai) silently renews the short-lived access token instead of
    redoing the full login every hour. Refresh tokens rotate on each use with reuse
    detection
    (replaying a rotated/stolen token revokes the whole family), are stored hashed,
    never in plaintext
    , and are revocable. Access tokens stay short-lived (1h). Both lifetimes are
    now env-configurable (AGAMI_ACCESS_TOKEN_TTL / AGAMI_REFRESH_TOKEN_TTL, seconds) with the
    same defaults when unset (access 1h, refresh 30-day idle). No action needed on upgrade — the
    new oauth_refresh_token table migrates in automatically on boot.

v0.3.7

Choose a tag to compare

@ashwin-agami ashwin-agami released this 06 Jul 08:15
208ab0d

Added

  • Read-only database user guidance. /agami-connect and /agami-deploy now
    recommend connecting agami with a read-only database user — agami only ever
    runs read-only SELECT queries, so read access is all it needs. A new
    readonly-grants.md ships copy-paste
    CREATE USER / GRANT SELECT SQL for every supported dialect (Postgres/Redshift,
    MySQL, Snowflake, SQL Server, Oracle, Databricks, Trino, BigQuery). Ask agami for
    "the read-only grant" to get the exact SQL for your database.

Changed

  • Self-host compose caps container log growth. Every service now uses the
    json-file driver with max-size: 10m / max-file: 3 (≤30 MB per container), so
    a long-running deploy on a small VM can't silently fill the disk — no VM-side
    daemon.json step needed. Also silenced a harmless CLOUDFLARE_TUNNEL_TOKEN … not set warning on non-tunnel deploys.

Fixed

  • list_datasources no longer reports empty on a self-hosted server. On a
    served deployment the warehouse/model is reached through the store, and the local
    credentials file never ships to the container — but list_datasources was the
    one tool still reading only that file, so it always returned "No profiles found …
    run agami-connect", even while get_datasource_schema and execute_sql worked
    against the deployed model. Because clients are told to call it first, they'd
    conclude nothing was connected. It now enumerates the served models from the store
    (the same seam every other tool already uses), and only falls back to the
    credentials file for the local plugin.

Security

  • Hardened the read-only execute_sql gate. SQL execution now runs through a
    single guard (sql_guard) at the shared executor, so the stdio server, the hosted
    HTTP server, the skills, and cron are all protected identically (previously the
    check lived only on the MCP tool path; a direct python -m execute_sql call — used
    by the skills and cron — was unguarded). Beyond "must start with SELECT/WITH",
    it now rejects multi-statement SQL (including bypasses hidden in string literals,
    comments, or double-quoted identifiers), data-modifying CTEs, transaction-control /
    session-state / prepared statements, SELECT ... INTO, row-level locks, and
    dangerous server-side functions (pg_read_file, lo_export, dblink,
    copy_program, pg_sleep, advisory locks, query_to_xml, …). Legitimate analytics
    SQL is unaffected — a large false-positive corpus pins that. Enforcement is not
    bypassable via --no-safety (that flag only skips the semantic-model pass).
  • Closed a dollar-quote statement-stacking bypass in that gate. A ' inside a
    Postgres/Snowflake/DuckDB $$…$$ (or $tag$…$tag$) string desynced the literal
    stripper and could smuggle a second statement (SELECT $$'$$ ; DROP TABLE x -- ')
    past the multi-statement check. The gate now neutralizes comments and string /
    dollar literals in a single lexer-faithful pass (first-opened construct wins),
    refuses dialect-ambiguous MySQL comment forms (a bare --x and executable
    /*! … */ comments), and also blocks sequence writes (setval/nextval) and
    server/replication control
    (pg_stat_reset*, pg_switch_wal, pg_drop_replication_slot, …). The guard module
    is also now packaged in the built wheel (it was missing from py-modules, which
    would have broken import sql_guard in an installed/containerized deploy).

v0.3.6

Choose a tag to compare

@ashwin-agami ashwin-agami released this 04 Jul 13:54
0dad16d

Deploy lifecycle UX — first-run polish + a safe, upgrade-aware re-run.

Changed

  • /agami-deploy is easier to use and safe to re-run. The config file is now a visible agami.env (not a hidden .env), and the skill opens it for you. A re-run upgrades in place, non-destructively: your typed password/secret and DSN are kept, any setting new in a version is surfaced (e.g. DATASOURCE_URL), and the image tag bumps only when you pass one — so a model update is just re-run + restart, and a version upgrade tells you what's new.
  • Multi-datasource deploys are an explicit choice. With more than one model, the skill asks which to deploy (all or a subset) and names the per-datasource DATASOURCE_URL__<NAME> to set; dropping one on a re-run removes it cleanly.

Specs: ACE-030, ACE-031. PRs: #78, #79.

v0.3.5

Choose a tag to compare

@ashwin-agami ashwin-agami released this 04 Jul 08:13
07ef93c

Self-host deploy fixes from a field run-through.

Fixed

  • Deploy no longer crash-loops on artifact permissions. The team server runs as a non-root container user; the model is now staged world-readable, so the boot-time load can't fail Permission denied on ORGANIZATION.md.
  • claude.ai connects to a self-hosted server. /mcp no longer answers the bare URL with a 307 the MCP client won't follow — normalized server-side, works on every profile (incl. Caddy-less Cloud Run).

Changed

  • Warehouse credentials come from DATASOURCE_URL (env), not a mounted file. Env-first, file-fallback — one code path. The self-host bundle ships no secret: local/ (credentials, .pgpass) is never staged, and a re-run purges any stale copy.

Specs: ACE-026, ACE-027, ACE-029. PRs: #74, #75, #76.

v0.3.4

Choose a tag to compare

@ashwin-agami ashwin-agami released this 03 Jul 05:03
3cad49c

Fix: sm discover (the table-prune step of a real-DB onboarding) no longer crashes with ModuleNotFoundError on a pip/marketplace install — it resolves the prune-page renderer via the plugin root.

Also: docs refreshed (README slimmed, PyPI install surfaced, changelog backfilled) and internal cleanup (spec-ID references removed from the public repo; dead-code + test hygiene).

v0.3.3

Choose a tag to compare

@ashwin-agami ashwin-agami released this 02 Jul 04:17
77ad938

Ships the 0.3.2 marketplace run-through fixes — all 8 issues resolved.

OCR-033 (#67)sm hardened as the single install chokepoint (semantic_model.cli readiness + cwd path isolation + PEP-668 --break-system-packages tier); promote_credentials.py + setup_desktop_mcp.py migrated to the _agami_lib resolver + sm install delegation. Fixes real-DB credential promotion and /agami-serve on marketplace installs.

OCR-034 (#68) — sample "watch it build" (6B) codifies its carve-outs and opens the model-explorer; the preflight no longer invents a main profile on first run; agami-query guardrail against hand-rolled model dumps.

v0.3.2

Choose a tag to compare

@ashwin-agami ashwin-agami released this 01 Jul 10:01
9101f26

First PyPI publish of agami-core (trusted publishing). Bundles the OCR-030/031/032 marketplace-install fixes: bundled query lib, resolver-style model-build install, and pip install agami-core[model] now resolving from PyPI. Also republishes the GHCR server image.

v0.3.1

Choose a tag to compare

@ashwin-agami ashwin-agami released this 01 Jul 09:50
94f8933

Patch release.

Fix (self-host): the plugin's runtime scripts now resolve the agami-core library in a marketplace install — the library is bundled with the plugin, so agami-connect works out of the box with no pip install. (Fixes a regression where a fresh install failed on import agami_paths.)

Repo hygiene: removed internal design docs; relocated a dev-only preview tool.

Update the plugin to 0.3.1 to get the fix. Container image:

docker pull ghcr.io/agamiai/agami-core:0.3.1

v0.3.0

Choose a tag to compare

@ashwin-agami ashwin-agami released this 29 Jun 08:24
3f7f9a4

First tagged release of agami-core.

Self-host the server in one stack. agami-core now ships a secure-by-default deploy package (Caddy auto-TLS, internal Postgres, OAuth + admin) and a pre-built multi-arch container image so a team can stand up a shareable MCP server their Claude connects to.

Pull the image:

docker pull ghcr.io/agamiai/agami-core:0.3.0

Available for linux/amd64 and linux/arm64.