v0.5.0 — dashboard, editable PII policy, hardened firewall

@Arun-kc Arun-kc released this 01 Jun 11:12
· 150 commits to main since this release
14759ae

Highlights — the launch release: a read-only dashboard ([ui] extra), an editable PII enforcement policy, a substantially hardened SQL firewall, a zero-config SaaS demo pack, and a full Mintlify docs site. The publish pipeline is fixed so the wheel actually ships the dashboard.

Upgrade note — no store migration (SCHEMA_VERSION stays 14). Install the dashboard with pip install schemabrain[ui]; schemabrain dashboard binds to 127.0.0.1 only.

Added

  • Read-only dashboard ([ui] extra) — local FastAPI sidecar + static Next.js UI via schemabrain dashboard (127.0.0.1 only): schema/entity browser, PII Ledger, Refusal UI, Audit Viewer, Boardroom Brief; entity drilldown shows metrics + canonical joins. (#125, #126, #127, #129, #130, #132)
  • Editable PII policy: schemabrain policy {show, apply, tag} + a pii_policy.yaml overlay + a read-only dashboard view; the catastrophic-leak floor is always-on and can't be overridden away. (#155)
  • SaaS demo pack (new bundled default) — 12 tables / 84 columns / 12 entities / 5 metrics / 8 joins covering all three catastrophic-PII legs; init applies it for $0 with no API key. Bundled packs are now a named registry (e-commerce stays as fallback). (#143, #164, #167)
  • schemabrain doctor --verify — no-API-key mock-agent MCP smoke + environment preflight. (#116)
  • schemabrain init host selection (Claude Desktop / Code / Cursor / Windsurf) with detection; --host manual / --print-only prints the snippet without writing. (#115, #146)
  • serve query guardrails — --statement-timeout-ms (30s) and --max-rows-per-result (10000); 0 opts out. (#116, #151)
  • Store ↔ YAML round-trip — entities/metrics/joins export[-all], schemabrain apply, schemabrain diff (CI exit codes), init --emit-yaml-dir, and public *_to_yaml serialisers. (#113)
  • audit verify --since <spec> (hex-prefix / duration / ISO cursor) and an audit list status + cost-class footer. (#112)
  • doctor probes pg_stat_statements (advisory). (#145)

Changed

  • Agent steering moved into the MCP initialize instructions field (no user-pasted snippet); interactive --pii-block default aligned with --yes + docs. (#142)
  • get_metric validates limit in-body (typed malformed_name envelope) and reports a truncated flag; the metric executor uses a NullPool engine. (#117, #165)

Security

  • Catastrophic-leak floor (credential, payment_card, government_id) enforced at every read path including the get_metric aggregate path; operator overrides can't strip it. (#154, #156, #157, #162)
  • Catastrophic column names no longer disclosed via redacted_columns or the unknown-column hint. (#174)
  • PII classifier hardened — auth-secret + internationalised + concatenated/abbreviated shapes; RULE_COUNT 46 → 60. (#152, #158, #161)
  • serve rejects control chars in quoted identifiers, refuses MIN/MAX over PII, fails closed on untagged columns; redaction centralised. (#150, #153, #154)
  • Safe-by-default --pii-block across serve / init / build_server / WizardConfig (catastrophic-leak set; explicit '' to disable). (#110, #162)
  • Pinned the Hugging Face Hub model revision (B615 / CWE-494); added a 19-file firewall-bypass regression corpus. (#147, #149)

Fixed

  • get_metric refusal envelope surfaces only blocked_categories (no probe oracle); describe_entity always redacts catastrophic column descriptions. (#110)
  • PII verdicts labelled by attribution (floor_blocked vs operator policy). (#160)
  • Publish pipeline builds the dashboard export with uv build --wheel, so the wheel ships it and advertises [ui]. (#163)
  • Deterministic dashboard PII-category ordering; closed 7 launch-blockers via firewall hardening + fastembed reliability. (#132, #147)

Documentation

  • Full Mintlify site — mechanism explainers, per-client setup (Claude Desktop / Code / Cursor / Windsurf / Zed / Codex), comparisons, Works-with + security posture, threat model, First 5 Queries, dashboard guide, CLI reference. (#118, #120, #121, #122, #123, #124, #133, #135, #136, #140, #144, #145)
  • Docs recast onto the SaaS demo; store-path default corrected to ./schemabrain.db; README + substrate fact-check and link repair. (#137, #138, #141, #166, #172, #173)

Internal

  • Bundled-pack registry refactor; stale-comment / attribution hygiene; dependency bumps (dorny/paths-filter 3 → 4, opentelemetry-sdk). (#104, #106, #111, #119, #148, #164)

Install: pip install schemabrain[ui]==0.5.0

— Full changelog: https://github.com/Arun-kc/schemabrain/blob/main/CHANGELOG.md