1.54.1
Changed
- Improve logging for RDP connections that fail during the handshake, making these issues easier to diagnose
1.54.0
New
- Allow connection to upstream resources using mTLS
- Mask JSON fields that are wrapped in casts or functions
- Add support for the Redis Cluster protocol
Fixed
- Mask JSON fields whose keys contain special characters
- Preserve JSON field types when masking
1.53.0
New
- Mask JSON fields however a query navigates to them, including path expressions and array-index access
- Mask values stored directly in JSON arrays, including columns whose entire value is an array
Fixed
- Mask JSON fields combined with other columns inside a single output expression
- Preserve valid JSON encoding when masking a field selected directly from a JSON column
- Fix Postgres connections for stateless JWT machine users when clients send
options=-c ...startup parameters
1.50.2
Changed
- Improve performance of large Snowflake queries by streaming results directly when no masking policy applies
1.50.1
Changed
- Improve logging and policy evaluation on LLM requests by parsing OpenAI and Anthropic events
- The
gcp_cloudsqldial method now targets the Cloud SQL instance’s private IP. The Connector must run in the instance’s VPC, or in a peered or PSC-connected VPC. - Cloud SQL Admin API calls now identify the client as
formal-connector/<version>
1.49.0
New
- Add support for device trust on MySQL connections
- Allow policies that match on the HTTP request hostname
- Add or rewrite HTTP request headers from a policy
- See which client application opened each MySQL connection in logs and policies
- Add support for asymmetric AWS KMS keys
Changed
- Improve S3 connection performance
- Improve MySQL health check performance
- Cap on-disk log buffering to 90% of available disk space to avoid filling up the host
- Improve on-disk log buffering reliability and performance
Fixed
- Show Formal block messages inside Codex when an action is blocked
1.45.1
New
- Add response policy support in the new MySQL proxy implementation
- Support Postgres response-policy masking on advanced SQL queries (UNION, CTE, subqueries, JOIN).
- Surface column lineage through more SQL expression shapes in policy inputs.
1.44.1
Fixed
- Fix keypair and password authentication for Snowflake resources
1.44.0
New
- Add support for request-level policies in the new MySQL proxy implementation
Fixed
- Fixed a Rego policy handling that could prevent data masking.
- Fixed Snowflake data masking for non-string columns.
1.43.5
New
- Add ‘input.native_user_assignment’ as an available policy input.
Fixed
- Fix ‘email_mask_while_preserving’ so that outputs match Formal documentation.
1.43.2
Improvements
- Improve performance of AWS IAM (assume role) authentication for RDS and SSM health checks
1.43.1
Improvements
- Allow S3 browser objects to be addressed using unescaped path segments. This creates a breaking change from previous versions where objects must be downloaded by appending
?download=1to the URL rather than/dl. - Parse Hex tool metadata SQL comments in Snowflake
1.42.7
Fixed
- Fix TLS handling for Redis connections
1.38.0
Changed
- Restrict the Snowflake stage download proxy to known cloud storage endpoints (S3, Azure Blob, GCS) and cap decompressed response bodies at 256 MB
- Enforce
ReadHeaderTimeouton all HTTP-based proxy servers to mitigate slow-client resource exhaustion - Defer listener readiness until the initial control plane event stream catch-up completes, ensuring consistent configuration before accepting traffic
Fixed
- Support WebSocket-based
kubectl port-forwardintroduced in kubectl v1.30+ - Preserve parsed table context when best-effort inventory lookups fail, so policy evaluation still has access to table names and schemas
- Resolve a concurrency issue in listener port lookups that could surface under high connection churn
1.37.1
Fixed
- Fix PostgreSQL extended query protocol support for
PortalSuspendedmessages whenExecuteis called with a row limit - Fix incorrect query attribution in PostgreSQL logs when standard queries (e.g.
BEGIN) are sent betweenParseandBindin the extended query protocol
1.37.0
New
- General availability of stream session analysis for SSH, SSM, and Kubernetes exec sessions
1.34.2
New
- Support CEL expressions in policy suspension input conditions
- Added rate-limiting support for postgres and mysql and refactored s3 rate-limiting
Changed
- Logs are now persisted to disk and retried automatically during Control Plane outages, preventing log loss
- Support multiple policy suspensions for the same policy and identity id
Fixed
- Fixed a bug with the
nullifyredaction option - Fixed a bug where query-rewrite policies didn’t allow adding
LIMIT 0
1.34.1
New
- Support a custom OTEL metric collector hostname and port
Changed
- Improve the behavior of the Connector when Formal Control Plane can’t be reached
1.34.0
New
- Smart routing is now available for MySQL resources when using the new proxy implementation
Changed
- Parallelized Rego policy evaluation to improve performance on large numbers of policies
Fixed
- Reduce log noise for timestamp formatting
- Enforce stricter connection timeouts during SSH health checks
1.32.0
New
- Add a new MySQL proxy implementation. This is a fundamentally different and more robust implementation, starting with a minimal feature set that we plan to expand quickly. This feature is behind a feature flag, contact us to enable it for your organization.
- Add MFA policy enforcement across all technologies via the Desktop App
1.31.19
New
- Support optionally sending policy evaluation inputs to the Formal Control Plane based on log configuration settings.
- Support “request” and “response” as evaluation stage names in policies instead of “pre_request” and “post_request”.
- Enable row-level filtering for Snowflake responses.
Changed
- Preserve end-user across BigQuery job lifecycle requests to avoid authentication failures when impersonation is used.
Fixed
- Fix session log entry values for SSM (EC2/ECS) resources.
- Don’t attempt to start the Connector state server if it can’t write on disk.
1.29.10
New
- Add per-bucket S3 health checks with autodiscovery, showing bucket names for faster diagnostics
1.29.9
New
- Add policy input logging for session and request stages with request/session IDs for better traceability
- Add sync of autodiscovered S3 buckets to the connector, with pagination and live updates
Changed
- Standardize request/session ID propagation across connectors, including Snowflake IDs, for consistent logs
- Enforce stricter policy engine capabilities for safer, more predictable evaluations
1.29.8
New
- Add S3 bucket access metrics to policies for rate limiting and blocking
- Add connector, resource, and space IDs to policy input logs for filtering
Changed
- Improve S3 access counting accuracy, include current request and drop daily counts
- Add bucket, path, action, and last modified to S3 policy inputs for finer control
- Provide richer user and query context in post-request policy checks across databases
Fixed
- Fix S3 auth failures to return 403 Forbidden with AWS-style XML
- Fix MySQL auth to forward native error packets to clients
1.29.7
New
- Add structured S3 logs with action, bucket, path, and last-modified, consistent across access styles
Fixed
- Fix S3 PutObject authentication by honoring payload hashes and signing required headers to prevent auth errors
- Fix query aggregation failures for long SQL statements in analytics to improve reliability
1.29.3
New
- Add AI satellite integration, enforcing one link only with data classifier to prevent conflicts
- Add request log evaluation in policy backtests for fuller coverage
- Add MySQL and MariaDB support for hashed tokens, avoiding password length limits
Fixed
- Fix HTTP response handling for non-JSON payloads to prevent misclassification
1.29.2
Fixed
- Fix TLS defaults when no config is present, restoring secure connections and preventing connection errors
1.29.1
New
- Add configurable retention for policy evaluation input logs
1.29.0
New
- Add AI satellite integration for HTTP with automatic fallback for compatibility
- Add audit logs for frontend API create, update, delete actions for traceability
Changed
- Enforce required environment variables across environments to prevent misconfigurations
- Include uses row data flag in policies for consistent behavior across services
1.28.10
New
- Add support for duplicate columns in SQL queries, ensuring results match source databases.
Fixed
- Fix returning MySQL responses when analysis fails, ensuring accurate error reporting.
1.28.9
New
- Add qualified wildcards (table., alias.) and column alias detection for accurate multi-table queries
Fixed
- Fix metric setup with automatic startup retries, ensuring monitoring works when agents start late
1.28.1
New
- Add multi stage resource health checks for HTTP, SSH, and SSM
- Make the connector health check port configurable to prevent port conflicts in shared environments.
1.28.0
New
- Add resource health checks for Kubernetes, ClickHouse, and Snowflake with connection and authentication validation
Changed
- Remove policy evaluation details from logs
1.27.2
Fixed
- Fix incorrect query parameters in Postgres
- Fix JIT SSO
Changed
- Update Datadog profiling: support agent URL via env vars, check reachability with retries to reduce startup errors
1.27.1
New
- Add auto-creation of MySQL discovery connections, preventing failures when no prior connection exists
1.27.0
New
- Add per-stage connection health logs covering network, security, login, and data
1.26.10
Changed
- Standardize log timestamps for consistent parsing across tools
1.26.9
New
- Add support for MariaDB databases, expanding compatibility
Fixed
- Fix MySQL connection failures when clients omit auth plugin, improving compatibility with older clients
Changed
- Enable on-demand test connection checks from the Formal console for faster troubleshooting
1.26.7
Changed
- Stop publishing the Redshift connector, making it unavailable in new releases
1.26.6
New
- Add MCP technology support using HTTP flow, simplifying MCP integrations
- Add native auth types: SSH key, Snowflake key, HTTP basic, bearer, API key
- Enhance logging with unique request IDs, event types
Fixed
- Fix inconsistent stage labels in logs for clearer filtering
1.26.5
Changed
- Allow startup without TLS when no certificate is provided, simplifying initial deployment; enable TLS later
1.26.4
New
- Add API to generate and upload CloudFormation templates, simplifying connector deployment automation
Changed
- Update TLS handling to run without a certificate, preventing errors in non-TLS environments
1.26.3
Fixed
- Fix remote access checks for ECS clusters with cross-region configs, enabling successful connections
- Fix empty service name display when connecting to ECS containers using a service ARN, improving clarity
1.26.2
New
- Add GCP autodiscovery for Compute Engine, GKE, and Cloud SQL to speed setup
Fixed
- Fix errors during data classification when JSON contains empty or null fields
- Fix SSH session logs missing resource details on startup
Changed
- Remove field-level encryption, simplifying setup and avoiding unused complexity
1.25.7
Fixed- Fixed a bug in the TLS certificate renewal process
1.25.6
Changed- Streamlined TLS certificate handling at connector startup
1.25.5
Fixed- Fixed a bug that would prevent connector TLS certificates from being updated on renewal unless the connector is restarted
1.25.4
New- Enabled satellite hostnames linked to a Connector to be configured from the Control Plane and read by the Connector
- Added ‘ConnectorName’ attribute for better tracking and logging during telemetry operations
1.25.3
Changed- Removed a specific MongoDB configuration created for a legacy client, streamlining the process for connecting to DocDB with client-side options
1.25.1
New- Introduced metrics to monitor opened, closed, and currently active connections, enhancing visibility into connection management for performance optimization and troubleshooting
- Implemented new metrics to monitor the number of received Control Plane pings, increasing observability of system interactions
- Fixed some errors with S3 authentication
1.25.0
New- Regularly send connector instance heartbeat as a gauge metric via OpenTelemetry, bolstering real-time monitoring capabilities
- Default to starting up etcd without failing if the etcd cluster doesn’t come up
- Cleaned up configuration and feature flag storage
1.24.12
Changed- Removed unnecessary quotes from table names when parsing SQL queries to make policies easier to write
1.24.11
Changed- Moved classifier-related environment variables into the new
formal_resource_classifier_configurationControl Plane objects
1.24.10
Fixed- Fixed column detection issues with parsing UNION statements with wildcards within Common Table Expressions (CTEs)
1.24.9
Changed- Enhanced logging to include connector ID, improving traceability for debugging and monitoring purposes
1.24.8
Fixed- Resolved connection issues in the MySQL proxy that were caused by handshake problems with MariaDB
1.24.7
New- Enabled automatic connection to the first task’s first container within a specified ECS service when no specific task or container is selected
- Simplified S3 connection establishment
1.24.6
Fixed- Resolved issue with Snowflake private key authentication for enhanced connection security
- Removed unused PII_SAMPLING_RATE ensuring cleaner code base and improved performance
- Included desktop app device trust keys in critical data load process for strengthened data security
1.24.5
Fixed- Improved robustness of desktop app device trust keys
1.24.4
Changed- Improved logging around device trust signature verification errors
1.24.3
New- Added stateless authentication support for Clickhouse
- Fixed the parsing of device info to ensure accurate timestamping in UTC
1.24.2
Changed- Reduced wait time for PROXY protocol headers from 10 seconds to 200 milliseconds, enhancing performance and speeding up the handling of new connections
- Fixed MySQL column detection and data label matching for policies
1.24.1
New- Implemented stateless authentication for Snowflake
1.24.0
New- Introduced stateless JWT authentication for Kubernetes, PostgreSQL, HTTP, and SSH, enhancing security and streamlining user verification process
1.23.6
Fixed- Improved reliability for MySQL resources
1.23.2
Changed- Enhanced MySQL error messages for better readability during the handshake process
1.23.1
New- Added support for hashed token authentication for Postgres proxy, providing a new option for users facing length restrictions on database passwords
1.23.0
New- Added support for SSH private key authentication to upstream, enhancing secure connection options
- Updated MySQL to utilize our unified SQL semantic analyzer, ensuring consistent behavior across databases
- Enabled port fields in resources to be updated for more flexible configurations
1.22.2
New- Introduced a readiness endpoint for the connector (on health check port 8080
/ready), allowing it to signify when all listeners are initialized and ready to receive traffic
- Achieved consistency in logging and assertion libraries across the system, improving reliability of error logging
1.22.1
New- Added support for handling Snowflake positional reference syntax in SQL queries
- Introduced capability to resolve Snowflake positional arguments based on actual column names from inventory
- Extended support for LATERAL queries, enabling more complex SQL queries that depend on preceding tables’ columns
- Resolved possible crash when retrieving outbound IP in telemetry, improving stability
- Streamlined MySQL TLS environment variables into a centralized TLS config
- Dropped ability of the connector to exit if a health check fails, boosting connector resilience
1.22.0
New- Refactored log encryption configuration and improved encryption of exec streams (SSH, SSM, Kubernetes)
- Removed the ability to configure log encryption and encryption keys via environment variables; such configuration will need to be done via the Formal console or Terraform provider