> ## Documentation Index
> Fetch the complete documentation index at: https://docs.formal.ai/llms.txt
> Use this file to discover all available pages before exploring further.

# Connector

> Release notes for Formal Connector

<Update label="July 8, 2026" tags={["New Features", "Bug Fixes"]}>
  ## 2.0.0

  ### New

  * General availability of our overhauled system for syncing data between the Connector and the control plane.

  ## 1.55.2

  ### Fixed

  * Fix an issue where users could not log in over RDP with NLA using SPNEGO
</Update>

<Update label="July 7, 2026" tags={["Bug Fixes"]}>
  ## 1.55.1

  ### Fixed

  * Keep hashed UUID values as valid UUIDs so they can be written back to UUID columns
</Update>

<Update label="July 3, 2026" tags={["New Features"]}>
  ## 1.55.0

  ### New

  * Add IAM authentication for Redis on Amazon ElastiCache (Valkey 7.2+, Redis OSS 7+)
</Update>

<Update label="July 1, 2026" tags={["Bug Fixes"]}>
  ## 1.54.5

  ### Fixed

  * Fix an issue with NLA over SPNEGO in the RDP proxy

  ## 1.54.4

  ### Fixed

  * Allow RDP clients that authenticate over SPNEGO to connect

  ## 1.54.3

  ### Fixed

  * Fix an issue where large Snowflake query results could fail to load through the Connector
</Update>

<Update label="June 30, 2026" tags={["Improvements"]}>
  ## 1.54.2

  ### Changed

  * Add more detail to RDP connection logs to help diagnose handshake and negotiation failures
</Update>

<Update label="June 29, 2026" tags={["New Features","Improvements","Bug Fixes"]}>
  ## 1.54.1

  ### Changed

  * Improve logging for RDP connections that fail during the handshake, making these issues easier to diagnose

  ## 1.54.0

  ### New

  * Allow connection to upstream resources using mTLS
  * Mask JSON fields that are wrapped in casts or functions
  * Add support for the Redis Cluster protocol

  ### Fixed

  * Mask JSON fields whose keys contain special characters
  * Preserve JSON field types when masking
</Update>

<Update label="June 23, 2026" tags={["New Features","Bug Fixes"]}>
  ## 1.53.0

  ### New

  * Mask JSON fields however a query navigates to them, including path expressions and array-index access
  * Mask values stored directly in JSON arrays, including columns whose entire value is an array

  ### Fixed

  * Mask JSON fields combined with other columns inside a single output expression
  * Preserve valid JSON encoding when masking a field selected directly from a JSON column
  * Fix Postgres connections for stateless JWT machine users when clients send `options=-c ...` startup parameters
</Update>

<Update label="June 22, 2026" tags={["New Features","Bug Fixes"]}>
  ## 1.52.0

  ### New

  * Add Postgres support for field masking in JSON/JSONB columns

  ### Fixed

  * Fix an issue where fields nested inside JSON arrays were not always masked
</Update>

<Update label="June 19, 2026" tags={["New Features"]}>
  ## 1.51.0

  ### New

  * Encrypt sensitive log fields in the standard JWE format, so they can be decrypted with any standard JWE library
  * Add support for GCP Cloud KMS encryption keys
</Update>

<Update label="June 17, 2026" tags={["Bug Fixes"]}>
  ## 1.50.3

  ### Fixed

  * Ensure SSM sessions are cleaned up after resource connection tests
</Update>

<Update label="June 15, 2026" tags={["Improvements"]}>
  ## 1.50.2

  ### Changed

  * Improve performance of large Snowflake queries by streaming results directly when no masking policy applies

  ## 1.50.1

  ### Changed

  * Improve logging and policy evaluation on LLM requests by parsing OpenAI and Anthropic events
  * The `gcp_cloudsql` dial method now targets the Cloud SQL instance's private IP. The Connector must run in the instance's VPC, or in a peered or PSC-connected VPC.
  * Cloud SQL Admin API calls now identify the client as `formal-connector/<version>`
</Update>

<Update label="June 12, 2026" tags={["New Features","Bug Fixes"]}>
  ## 1.50.0

  ### New

  * Add support for resource dial configurations, enabling connection to Google Cloud SQL Postgres and MySQL instances natively

  ### Fixed

  * Preserve quoting in commands run through the SSH proxy
  * Keep standard output and standard error separate over the SSH proxy
</Update>

<Update label="June 10, 2026" tags={["Bug Fixes"]}>
  ## 1.49.12

  ### Fixed

  * Propagate stdin EOF through the SSH proxy

  ## 1.49.11

  ### Fixed

  * Sanitize assume role session names for SSM connections
</Update>

<Update label="June 9, 2026" tags={["New Features", "Bug Fixes"]}>
  ## 1.49.10

  ### Fixed

  * Restore forwarding of `X-Formal-End-User-Identity` to HTTP resources

  ## 1.49.9

  ### New

  * Allow the policy engine to read environment variables prefixed by `FORMAL_POLICY_ENV_`
</Update>

<Update label="June 5, 2026" tags={["Improvements", "Bug Fixes"]}>
  ## 1.49.8

  ### New

  ### Changed

  * Send policy action details in logs along triggered policies, such as which columns a masking policy would affect
  * Improve policy evaluation performance

  ### Fixed

  * Fail loudly when the Connector can't handle a Snowflake request or response
</Update>

<Update label="June 4, 2026" tags={["Bug Fixes"]}>
  ## 1.49.7

  ### Fixed

  * Fix connector startup failure after issuance of a new TLS certificate
</Update>

<Update label="June 3, 2026" tags={["Improvements", "Bug Fixes"]}>
  ## 1.49.6

  ### Changed

  * Improve response policy evaluation performance

  ## 1.49.5

  ### Fixed

  * Fix connector policy inclusion bug for Kubernetes sessions
</Update>

<Update label="June 2, 2026" tags={["Improvements"]}>
  ## 1.49.4

  ### Changed

  * Improve connection pooling behavior for S3 connections
</Update>

<Update label="June 1, 2026" tags={["Improvements"]}>
  ## 1.49.3

  ### Changed

  * Improve policy evaluation performance
</Update>

<Update label="May 29, 2026" tags={["Improvements", "Bug Fixes"]}>
  ## 1.49.2

  ### Changed

  * Propagate upstream exit codes from SSH sessions

  ### Fixed

  * Fix failures when connecting to an EKS cluster in a different region than the Connector

  ## 1.49.1

  ### Changed

  * Improve S3 connection performance
</Update>

<Update label="May 27, 2026" tags={["New Features", "Improvements", "Bug Fixes"]}>
  ## 1.49.0

  ### New

  * Add support for device trust on MySQL connections
  * Allow policies that match on the HTTP request hostname
  * Add or rewrite HTTP request headers from a policy
  * See which client application opened each MySQL connection in logs and policies
  * Add support for asymmetric AWS KMS keys

  ### Changed

  * Improve S3 connection performance
  * Improve MySQL health check performance
  * Cap on-disk log buffering to 90% of available disk space to avoid filling up the host
  * Improve on-disk log buffering reliability and performance

  ### Fixed

  * Show Formal block messages inside Codex when an action is blocked
</Update>

<Update label="May 19, 2026" tags={["Bug Fixes"]}>
  ## 1.48.2

  ### Fixed

  * Improve masking accuracy on CTE queries
</Update>

<Update label="May 18, 2026" tags={["Improvements"]}>
  ## 1.48.1

  ### Changed

  * Faster Connector startup when running multiple MySQL listeners
</Update>

<Update label="May 15, 2026" tags={["New Features", "Bug Fixes"]}>
  ## 1.48.0

  ### New

  * Add support for GCP IAM authentication in the new MySQL proxy implementation

  ### Fixed

  * Respect the `disable` TLS configuration on backend connections in the new MySQL proxy
</Update>

<Update label="May 14, 2026" tags={["Bug Fixes"]}>
  ## 1.47.2

  ### Fixed

  * `hash.with_salt` masking now produces properly salted, non-reproducible outputs
  * Improve data label accuracy on `SELECT` query outputs
</Update>

<Update label="May 12, 2026" tags={["Bug Fixes"]}>
  ## 1.47.1

  ### Fixed

  * Ensure compatibility with strict Snowflake clients in DataFrame writeback flows
</Update>

<Update label="May 11, 2026" tags={["New Features", "Improvements", "Bug Fixes"]}>
  ## 1.47.0

  ### New

  * Add device trust support for MongoDB

  ### Changed

  * MongoDB session policies are now enforced on every connection, not just SCRAM clients

  ### Fixed

  * Include Anthropic cache tokens in input token counting
  * Strip `X-Formal-*` headers before forwarding HTTP requests to upstream
</Update>

<Update label="May 8, 2026" tags={["New Features", "Bug Fixes"]}>
  ## 1.46.0

  ### New

  * Add support for IAM (Assume Role) native users for S3

  ### Fixed

  * Fix Snowflake DataFrame writeback flows
</Update>

<Update label="May 6, 2026" tags={["New Features"]}>
  ## 1.45.2

  ### New

  * Add support for SSH certificate native users
</Update>

<Update label="May 1, 2026" tags={["New Features", "Bug Fixes"]}>
  ## 1.45.1

  ### New

  * Add response policy support in the new MySQL proxy implementation
  * Support Postgres response-policy masking on advanced SQL queries (UNION, CTE, subqueries, JOIN).
  * Surface column lineage through more SQL expression shapes in policy inputs.

  ## 1.44.1

  ### Fixed

  * Fix keypair and password authentication for Snowflake resources
</Update>

<Update label="April 21, 2026" tags={["New Features", "Bug Fixes"]}>
  ## 1.44.0

  ### New

  * Add support for request-level policies in the new MySQL proxy implementation

  ### Fixed

  * Fixed a Rego policy handling that could prevent data masking.
  * Fixed Snowflake data masking for non-string columns.

  ## 1.43.5

  ### New

  * Add 'input.native\_user\_assignment' as an available policy input.

  ### Fixed

  * Fix 'email\_mask\_while\_preserving' so that outputs match Formal documentation.
</Update>

<Update label="April 20, 2026" tags={["Improvements"]}>
  ## 1.43.4

  ### Improvements

  * Throttle SSM concurrency
  * Support custom block messages for Claude Code tool calls
</Update>

<Update label="April 19, 2026" tags={["Improvements"]}>
  ## 1.43.3

  ### Improvements

  * Improve parsing of Postgres `options` parameters
</Update>

<Update label="April 17, 2026" tags={["Improvements", "Bug Fixes"]}>
  ## 1.43.2

  ### Improvements

  * Improve performance of AWS IAM (assume role) authentication for RDS and SSM health checks

  ## 1.43.1

  ### Improvements

  * Allow S3 browser objects to be addressed using unescaped path segments. This creates a **breaking change** from previous versions where objects must be downloaded by appending `?download=1` to the URL rather than `/dl`.
  * Parse Hex tool metadata SQL comments in Snowflake

  ## 1.42.7

  ### Fixed

  * Fix TLS handling for Redis connections
</Update>

<Update label="April 16, 2026" tags={["Bug Fixes"]}>
  ## 1.42.6

  ### Fixed

  * Fix overly verbose debug-level logging for control plane updates
</Update>

<Update label="April 15, 2026" tags={["Bug Fixes"]}>
  ## 1.42.5

  ### Fixed

  * Parse Snowflake queries using `GROUPING SETS` with non-parenthesized items
  * Redact passwords in Snowflake `ALTER USER ... SET PASSWORD = ...` statements

  ## 1.42.4

  ### Fixed

  * Fix health checks for Redis resources
</Update>

<Update label="April 13, 2026" tags={["Improvements"]}>
  ## 1.42.3

  ### New

  * More gracefully handle SSM rate limiting errors
</Update>

<Update label="April 9, 2026" tags={["New Features"]}>
  ## 1.42.2

  ### New

  * Add `yolo_mode` to agent info for connector sessions
</Update>

<Update label="April 8, 2026" tags={["New Features"]}>
  ## 1.42.1

  ### New

  * Improve health checks for MCP resources

  ## 1.42.0

  ### New

  * Add TCP reachability health check for RDP resources
</Update>

<Update label="April 6, 2026" tags={["Improvements"]}>
  ## 1.41.10

  ### Changed

  * Inventory loading performance improvements
</Update>

<Update label="April 2, 2026" tags={["Improvements"]}>
  ## 1.41.7

  ### Changed

  * Remove welcome messages from the SSH proxy
  * Suppress noisy logging during device info signature verification
</Update>

<Update label="April 1, 2026" tags={["Improvements"]}>
  ## 1.41.5

  ### Changed

  * Improve robustness of SSM resource reachability checks
</Update>

<Update label="March 30, 2026" tags={["Improvements"]}>
  ## 1.41.4

  ### Changed

  * Improve speed of connector resource reachability checks
</Update>

<Update label="March 28, 2026" tags={["Improvements"]}>
  ## 1.41.3

  ### Changed

  * Improve performance of resource data loading at connector startup
  * Improve health check startup time
</Update>

<Update label="March 27, 2026" tags={["Improvements"]}>
  ## 1.41.2

  ### Changed

  * Increase snowflake connection concurrency limits
</Update>

<Update label="March 26, 2026" tags={["Improvements", "Bug Fixes"]}>
  ## 1.41.1

  ### Changed

  * Improve resource hostname loading performance at connector startup

  ### Fixed

  * Fix MySQL `USE` statements with smart routing
</Update>

<Update label="March 25, 2026" tags={["New Features"]}>
  ## 1.41.0

  ### New

  * Add support for Postgres query cancellation
</Update>

<Update label="March 23, 2026" tags={["New Features"]}>
  ## 1.40.12

  ### New

  * Add support for logging macOS process signatures in device info
</Update>

<Update label="March 22, 2026" tags={["New Features"]}>
  ## 1.40.9

  ### New

  * Add raw HTTP request and response bodies to policy inputs

  ## 1.40.8

  ### New

  * Add support for device info parsing for HTTP connections
</Update>

<Update label="March 19, 2026" tags={["New Features", "Bug Fixes"]}>
  ## 1.40.7

  ### Fixed

  * Fix error logs when retrieving search paths in Postgres with GCP IAM Authentication

  ## 1.40.6

  ### New

  * Log bytes sent and received for SSH sessions
  * Log bind parameters for extended Postgres queries
</Update>

<Update label="March 16, 2026" tags={["Improvements"]}>
  ## 1.40.5

  ### Changed

  * Reliability and performance improvements
</Update>

<Update label="March 13, 2026" tags={["Bug Fixes"]}>
  ## 1.40.4

  ### Fixed

  * Improve MySQL access token syncing reliability
</Update>

<Update label="March 10, 2026" tags={["Bug Fixes"]}>
  ## 1.40.3

  ### Fixed

  * Fix a bug where Kubernetes API servers on port 443 were detected as duplicate contexts in kubeconfig files
</Update>

<Update label="March 9, 2026" tags={["New Features"]}>
  ## 1.40.2

  ### New

  * Support Omni end user identity propagation for Snowflake

  ## 1.40.1

  ### New

  * Add support for hosted AI providers (OpenAI, Anthropic, Gemini, Google Vertex AI, AWS Bedrock, Azure AI) for session analysis
</Update>

<Update label="March 5, 2026" tags={["New Features"]}>
  ## 1.40.0

  ### New

  * Introduce RDP protocol support with session-level logs and policies

  ### Changed

  * Migrate auth redirects from app.joinformal.com to app.formal.ai
</Update>

<Update label="March 2, 2026" tags={["New Features"]}>
  ## 1.39.1

  ### New

  * Surface `transaction_history` and `transaction_progress` in query policy inputs for postgres

  ## 1.39.0

  ### New

  * Add support for request-stage policy evaluation and end-user identity propagation for Redis

  ### Changed

  * Reduce log error noise for Postgres connections
</Update>

<Update label="February 26, 2026" tags={["Improvements"]}>
  ## 1.38.2

  ### Fixed

  * Support input conditions for time-based policy suspensions
</Update>

<Update label="February 25, 2026" tags={["Bug Fixes"]}>
  ## 1.38.1

  ### Fixed

  * Fixed an issue where changes to the PostgreSQL `search_path` were not properly tracked in the session state, causing unqualified table names (e.g., `pg_class`) to be resolved against outdated schema listings
</Update>

<Update label="February 23, 2026" tags={["Improvements", "Bug Fixes"]}>
  ## 1.38.0

  ### Changed

  * Restrict the Snowflake stage download proxy to known cloud storage endpoints (S3, Azure Blob, GCS) and cap decompressed response bodies at 256 MB
  * Enforce `ReadHeaderTimeout` on all HTTP-based proxy servers to mitigate slow-client resource exhaustion
  * Defer listener readiness until the initial control plane event stream catch-up completes, ensuring consistent configuration before accepting traffic

  ### Fixed

  * Support WebSocket-based `kubectl port-forward` introduced in kubectl v1.30+
  * Preserve parsed table context when best-effort inventory lookups fail, so policy evaluation still has access to table names and schemas
  * Resolve a concurrency issue in listener port lookups that could surface under high connection churn
</Update>

<Update label="February 20, 2026" tags={["New Features", "Bug Fixes"]}>
  ## 1.37.1

  ### Fixed

  * Fix PostgreSQL extended query protocol support for `PortalSuspended` messages when `Execute` is called with a row limit
  * Fix incorrect query attribution in PostgreSQL logs when standard queries (e.g. `BEGIN`) are sent between `Parse` and `Bind` in the extended query protocol

  ## 1.37.0

  ### New

  * General availability of stream session analysis for SSH, SSM, and Kubernetes exec sessions
</Update>

<Update label="February 19, 2026" tags={["New Features"]}>
  ## 1.36.5

  ### New

  * Add support for agent forwarding for SSH connections
</Update>

<Update label="February 18, 2026" tags={["New Features"]}>
  ## 1.36.4

  ### New

  * Add support for assuming roles from command line arguments for SSM (EC2 and ECS) connections
</Update>

<Update label="February 17, 2026" tags={["Bug Fixes"]}>
  ## 1.36.3

  ### Fixed

  * Fixed a bug with PostgreSQL health checks using GCP Cloud SQL IAM authentication
</Update>

<Update label="February 13, 2026" tags={["Bug Fixes"]}>
  ## 1.36.2

  ### Fixed

  * Fix PostgreSQL `table_paths` not including unqualified table names when session schemas are unavailable
</Update>

<Update label="February 12, 2026" tags={["New Features"]}>
  ## 1.36.1

  ### New

  * Add API Request verb for Kubernetes policy evaluations
</Update>

<Update label="February 9, 2026" tags={["New Features", "Improvements"]}>
  ## 1.36.0

  ### New

  * Add support for Kubernetes WebSockets, v5 stream protocol, and follow requests

  ### Fixed

  * Block PostgreSQL `COPY TO` (`\copy`) operations when response policies are configured
</Update>

<Update label="February 4, 2026" tags={["New Features", "Improvements"]}>
  ## 1.35.0

  ### New

  * Initial release of the Formal Connector on Google Cloud Artifact Registry

  ### Changed

  * Enhanced metadata extraction from PostgreSQL queries, enabling better policy evaluation against DML operations
</Update>

<Update label="February 3, 2026" tags={["Bug Fixes"]}>
  ## 1.34.10

  ### Fixed

  * Fix a bug with IAM (Assume Role) authentication for EKS clusters
</Update>

<Update label="January 31, 2026" tags={["New Features"]}>
  ## 1.34.9

  ### New

  * Customers can now specify the frequency of the resources health check
</Update>

<Update label="January 28, 2026" tags={["Improvements", "Bug Fixes"]}>
  ## 1.34.8

  ### Changed

  * Improve performance of policy evaluation

  ### Fixed

  * Fixed a bug where dry-run rewrite policies were being applied to requests
</Update>

<Update label="January 26, 2026" tags={["Improvements"]}>
  ## 1.34.6

  ### Changed

  * Improve performance of sending logs

  ## 1.34.5

  ### Changed

  * Improve performance of responses with many rows
</Update>

<Update label="January 23, 2026" tags={["Bug Fixes"]}>
  ## 1.34.4

  ### Fixed

  * Improve reliability of large snowflake arrow responses
</Update>

<Update label="January 22, 2026" tags={["New Features"]}>
  ## 1.34.3

  ### New

  * Emit the total number of bytes transferred during SFTP sessions in SSH session logs
</Update>

<Update label="January 21, 2026" tags={["New Features", "Improvements", "Bug Fixes"]}>
  ## 1.34.2

  ### New

  * Support CEL expressions in policy suspension input conditions
  * Added rate-limiting support for postgres and mysql and refactored s3 rate-limiting

  ### Changed

  * Logs are now persisted to disk and retried automatically during Control Plane outages, preventing log loss
  * Support multiple policy suspensions for the same policy and identity id

  ### Fixed

  * Fixed a bug with the `nullify` redaction option
  * Fixed a bug where query-rewrite policies didn't allow adding `LIMIT 0`
</Update>

<Update label="January 12, 2026" tags={["New Features", "Improvements", "Bug Fixes"]}>
  ## 1.34.1

  ### New

  * Support a custom OTEL metric collector hostname and port

  ### Changed

  * Improve the behavior of the Connector when Formal Control Plane can't be reached

  ## 1.34.0

  ### New

  * Smart routing is now available for MySQL resources when using the new proxy implementation

  ### Changed

  * Parallelized Rego policy evaluation to improve performance on large numbers of policies

  ### Fixed

  * Reduce log noise for timestamp formatting
  * Enforce stricter connection timeouts during SSH health checks
</Update>

<Update label="January 5, 2026" tags={["Bug Fixes"]}>
  ## 1.33.2

  ### Fixed

  * Reduce log noise for certain policy evaluations
</Update>

<Update label="December 23, 2025" tags={["New Features"]}>
  ## 1.33.1

  ### New

  * Add a parameter for request/response scope for HTTP AI body analysis
</Update>

<Update label="December 19, 2025" tags={["New Features", "Improvements"]}>
  ## 1.33.0

  ### New

  * Add support for MySQL end-user identity propagation in the new proxy implementation

  ### Changed

  * Include parsed query information in the new MySQL implementation logs
</Update>

<Update label="December 18, 2025" tags={["Bug Fixes"]}>
  ## 1.32.7

  ### Fixed

  * Fix connector startup failure when using spaces
</Update>

<Update label="December 17, 2025" tags={["Bug Fixes", "Improvements"]}>
  ## 1.32.6

  ### Changed

  * Add support for DynamoDB resource health checks

  ### Fixed

  * Address binary protocol issues affecting PlanetScale/Vitess connections when using prepared statements with the new MySQL proxy implementation
  * Fix DynamoDB authentication when using the desktop app
</Update>

<Update label="December 15, 2025" tags={["Bug Fixes"]}>
  ## 1.32.5

  ### Fixed

  * Fix end-user not appearing in logs for SSH connections
</Update>

<Update label="December 11, 2025" tags={["New Features", "Improvements"]}>
  ## 1.32.4

  ### Changed

  * Add support for gRPC resource health checks

  ## 1.32.3

  ### Changed

  * Add support for custom message and timeout parameters in MFA policy actions
</Update>

<Update label="December 9, 2025" tags={["New Features", "Bug Fixes"]}>
  ## 1.32.2

  ### New

  * Add support in the policy engine for tags on resources

  ## 1.32.1

  ### Fixed

  * Always use the incoming request port if it's different from the listener port for Snowflake S3 support
</Update>

<Update label="December 8, 2025" tags={["New Features"]}>
  ## 1.32.0

  ### New

  * Add a new MySQL proxy implementation. This is a fundamentally different and more robust implementation, starting with a minimal feature set that we plan to expand quickly. This feature is behind a feature flag, contact us to enable it for your organization.
  * Add MFA policy enforcement across all technologies via the Desktop App
</Update>

<Update label="December 7, 2025" tags={["Improvements"]}>
  ## 1.31.31

  ### Changed

  * Downgrade health check failure logs to debug level to reduce log noise
</Update>

<Update label="December 5, 2025" tags={["New Features", "Bug Fixes"]}>
  ## 1.31.30

  ### Fixed

  * Fix AWS RDS IAM authentication for resources in a different AWS region than the connector

  ## 1.31.29

  ### New

  * Log policy version in triggered policy logs
</Update>

<Update label="December 4, 2025" tags={["Bug Fixes"]}>
  ## 1.31.28

  ### Fixed

  * Fix a race condition on concurrent cache queries in BigQuery
</Update>

<Update label="November 24, 2025" tags={["New Features", "Improvements"]}>
  ## 1.31.26

  ### Changed

  * Emit `formal.connector.resource_health_check` metric for earlier health check failure stages

  ### Fixed

  * Fix window resize handling for SSH connections
</Update>

<Update label="November 14, 2025" tags={["New Features"]}>
  ## 1.31.22

  ### New

  * Add `formal.connector.resource_health_check` metric
</Update>

<Update label="November 12, 2025" tags={["New Features"]}>
  ## 1.31.21

  ### New

  * Support seamless authentication via the Formal console for the S3 browser. Users do not need to manually enter their Formal username and access token to access the S3 browser.
</Update>

<Update label="November 11, 2025" tags={["New Features","Bug Fixes","Improvements"]}>
  ## 1.31.20

  ### New

  * Add support for `scp` (SFTP) to the SSH proxy for SSH resources

  ### Fixed

  * Fix session log entry values for failed SSH logins.
</Update>

<Update label="November 6, 2025" tags={["New Features","Bug Fixes","Improvements"]}>
  ## 1.31.19

  ### New

  * Support optionally sending policy evaluation inputs to the Formal Control Plane based on log configuration settings.
  * Support "request" and "response" as evaluation stage names in policies instead of "pre\_request" and "post\_request".
  * Enable row-level filtering for Snowflake responses.

  ### Changed

  * Preserve end-user across BigQuery job lifecycle requests to avoid authentication failures when impersonation is used.

  ### Fixed

  * Fix session log entry values for SSM (EC2/ECS) resources.
  * Don't attempt to start the Connector state server if it can't write on disk.
</Update>

<Update label="October 29, 2025" tags={["New Features","Bug Fixes","Improvements"]}>
  ## 1.31.12

  ### New

  * Support cross-account AWS role assumption for EC2/ECS SSM
  * Support custom error messages for Postgres and MySQL request evaluation

  ### Fixed

  * Fix downloads for S3 objects with special characters in object keys
  * Fix S3 technology failures when using the AWS JavaScript SDK
</Update>

<Update label="October 14, 2025" tags={["New Features", "Bug Fixes"]}>
  ## 1.29.12

  ### New

  * Add AWS account ID and name to resource health check events for easier multi-account tracking

  ## 1.29.11

  ### Fixed

  * Fix S3 request logs to include formal user name, improving auditability
</Update>

<Update label="October 13, 2025" tags={["New Features", "Improvements"]}>
  ## 1.29.10

  ### New

  * Add per-bucket S3 health checks with autodiscovery, showing bucket names for faster diagnostics

  ## 1.29.9

  ### New

  * Add policy input logging for session and request stages with request/session IDs for better traceability
  * Add sync of autodiscovered S3 buckets to the connector, with pagination and live updates

  ### Changed

  * Standardize request/session ID propagation across connectors, including Snowflake IDs, for consistent logs
  * Enforce stricter policy engine capabilities for safer, more predictable evaluations
</Update>

<Update label="October 9, 2025" tags={["New Features","Bug Fixes","Improvements"]}>
  ## 1.29.8

  ### New

  * Add S3 bucket access metrics to policies for rate limiting and blocking
  * Add connector, resource, and space IDs to policy input logs for filtering

  ### Changed

  * Improve S3 access counting accuracy, include current request and drop daily counts

  * Add bucket, path, action, and last modified to S3 policy inputs for finer control

  * Provide richer user and query context in post-request policy checks across databases

  ### Fixed

  * Fix S3 auth failures to return 403 Forbidden with AWS-style XML

  * Fix MySQL auth to forward native error packets to clients
</Update>

<Update label="October 3, 2025" tags={["New Features","Bug Fixes"]}>
  ## 1.29.7

  ### New

  * Add structured S3 logs with action, bucket, path, and last-modified, consistent across access styles

  ### Fixed

  * Fix S3 PutObject authentication by honoring payload hashes and signing required headers to prevent auth errors
  * Fix query aggregation failures for long SQL statements in analytics to improve reliability
</Update>

<Update label="October 1, 2025" tags={["New Features","Improvements"]}>
  ## 1.29.6

  ### New

  * Add normalized SQL queries to datastore request logs for easier analysis
  * Add response-stage policy input logging in PostgreSQL, improving policy analysis

  ### Changed

  * Treat S3 hostnames as global endpoints, enabling ListBuckets and vhost/path access
</Update>

<Update label="September 29, 2025" tags={["New Features", "Bug Fixes"]}>
  ## 1.29.5

  ### Fixed

  * Fix column matching to ignore case and spaces, preventing mismatches from formatting differences

  ## 1.29.4

  ### New

  * Add support for MCP resources, enabling MCP traffic parsing and accurate technology logs for auditing
</Update>

<Update label="September 27, 2025" tags={["New Features","Bug Fixes"]}>
  ## 1.29.3

  ### New

  * Add AI satellite integration, enforcing one link only with data classifier to prevent conflicts
  * Add request log evaluation in policy backtests for fuller coverage
  * Add MySQL and MariaDB support for hashed tokens, avoiding password length limits

  ### Fixed

  * Fix HTTP response handling for non-JSON payloads to prevent misclassification
</Update>

<Update label="September 25, 2025" tags={["New Features", "Improvements", "Bug Fixes"]}>
  ## 1.29.2

  ### Fixed

  * Fix TLS defaults when no config is present, restoring secure connections and preventing connection errors

  ## 1.29.1

  ### New

  * Add configurable retention for policy evaluation input logs

  ## 1.29.0

  ### New

  * Add AI satellite integration for HTTP with automatic fallback for compatibility
  * Add audit logs for frontend API create, update, delete actions for traceability

  ### Changed

  * Enforce required environment variables across environments to prevent misconfigurations
  * Include uses row data flag in policies for consistent behavior across services
</Update>

<Update label="September 18, 2025" tags={["New Features","Bug Fixes"]}>
  ## 1.28.10

  ### New

  * Add support for duplicate columns in SQL queries, ensuring results match source databases.

  ### Fixed

  * Fix returning MySQL responses when analysis fails, ensuring accurate error reporting.

  ## 1.28.9

  ### New

  * Add qualified wildcards (table.*, alias.*) and column alias detection for accurate multi-table queries

  ### Fixed

  * Fix metric setup with automatic startup retries, ensuring monitoring works when agents start late
</Update>

<Update label="September 16, 2025" tags={["Bug Fixes"]}>
  ## 1.28.8

  ### Fixed

  * Fix device trust errors in Postgres when using custom native usernames, preventing login failures.
</Update>

<Update label="September 13, 2025" tags={["Bug Fixes"]}>
  ## 1.28.7

  ### Fixed

  * Fix production connector image to include required files, preventing startup failures
</Update>

<Update label="September 12, 2025" tags={["New Features","Improvements"]}>
  ## 1.28.5

  ### Changed

  * Limit inventory to labeled objects, tracking label add/removal updates
</Update>

<Update label="September 11, 2025" tags={["New Features","Bug Fixes"]}>
  ## 1.28.4

  ### New

  * Add native DB user context to PostgreSQL policy checks
</Update>

<Update label="September 10, 2025" tags={["New Features","Improvements"]}>
  ## 1.28.3

  ### Changed

  * Change S3 health checks to use network connectivity
</Update>

<Update label="September 9, 2025" tags={["Bug Fixes","Improvements"]}>
  ## 1.28.2

  ### Changed

  * Improve MySQL query performance when policies are enabled
</Update>

<Update label="September 5, 2025" tags={["New Features", "Improvements"]}>
  ## 1.28.1

  ### New

  * Add multi stage resource health checks for HTTP, SSH, and SSM
  * Make the connector health check port configurable to prevent port conflicts in shared environments.

  ## 1.28.0

  ### New

  * Add resource health checks for Kubernetes, ClickHouse, and Snowflake with connection and authentication validation

  ### Changed

  * Remove policy evaluation details from logs
</Update>

<Update label="September 4, 2025" tags={["New Features", "Improvements", "Bug Fixes"]}>
  ## 1.27.2

  ### Fixed

  * Fix incorrect query parameters in Postgres
  * Fix JIT SSO

  ### Changed

  * Update Datadog profiling: support agent URL via env vars, check reachability with retries to reduce startup errors

  ## 1.27.1

  ### New

  * Add auto-creation of MySQL discovery connections, preventing failures when no prior connection exists

  ## 1.27.0

  ### New

  * Add per-stage connection health logs covering network, security, login, and data
</Update>

<Update label="September 3, 2025" tags={["New Features","Improvements"]}>
  ## 1.26.11

  ### Changed

  * Apply log level changes from the UI instantly during CDC syncs, no restart needed
</Update>

<Update label="September 2, 2025" tags={["New Features","Bug Fixes","Improvements"]}>
  ## 1.26.10

  ### Changed

  * Standardize log timestamps for consistent parsing across tools

  ## 1.26.9

  ### New

  * Add support for MariaDB databases, expanding compatibility

  ### Fixed

  * Fix MySQL connection failures when clients omit auth plugin, improving compatibility with older clients

  ### Changed

  * Enable on-demand test connection checks from the Formal console for faster troubleshooting
</Update>

<Update label="August 29, 2025" tags={["New Features","Improvements"]}>
  ## 1.26.8

  ### New

  * Add password redaction for SQL queries in PostgreSQL and Snowflake, with CLI support
  * Add formal user type to SSH stream logs for clearer auditing

  ### Changed

  * Remove Redshift technology support
  * Remove query fingerprints from logs
</Update>

<Update label="August 28, 2025" tags={["New Features", "Improvements", "Bug Fixes"]}>
  ## 1.26.7

  ### Changed

  * Stop publishing the Redshift connector, making it unavailable in new releases

  ## 1.26.6

  ### New

  * Add MCP technology support using HTTP flow, simplifying MCP integrations
  * Add native auth types: SSH key, Snowflake key, HTTP basic, bearer, API key
  * Enhance logging with unique request IDs, event types

  ### Fixed

  * Fix inconsistent stage labels in logs for clearer filtering
</Update>

<Update label="August 25, 2025" tags={["New Features","Improvements"]}>
  ## 1.26.5

  ### Changed

  * Allow startup without TLS when no certificate is provided, simplifying initial deployment; enable TLS later

  ## 1.26.4

  ### New

  * Add API to generate and upload CloudFormation templates, simplifying connector deployment automation

  ### Changed

  * Update TLS handling to run without a certificate, preventing errors in non-TLS environments
</Update>

<Update label="August 22, 2025" tags={["New Features", "Improvements", "Bug Fixes"]}>
  ## 1.26.3

  ### Fixed

  * Fix remote access checks for ECS clusters with cross-region configs, enabling successful connections
  * Fix empty service name display when connecting to ECS containers using a service ARN, improving clarity

  ## 1.26.2

  ### New

  * Add GCP autodiscovery for Compute Engine, GKE, and Cloud SQL to speed setup

  ### Fixed

  * Fix errors during data classification when JSON contains empty or null fields
  * Fix SSH session logs missing resource details on startup

  ### Changed

  * Remove field-level encryption, simplifying setup and avoiding unused complexity
</Update>

<Update label="August 21, 2025" tags={["New Features","Bug Fixes"]}>
  ## 1.26.1

  ### New

  * Add AI-driven scenario monitoring for Kubernetes exec with risk scores, policy enforcement, and session-end audit logs
  * Terminate Kubernetes exec sessions automatically when users become blocked

  ### Fixed

  * Fix typos in Kubernetes exec error messages for clearer troubleshooting
</Update>

<Update label="August 20, 2025" tags={["New Features","Bug Fixes","Improvements"]}>
  ## 1.26.0

  ### New

  * Add secure satellite and policy data loader connections with certificate loading, on-demand issuance, and auto renewal

  ### Changed

  * Ensure columns are consistently ordered at runtime for predictable output

  ### Fixed

  * Fix missing resource technology in session listings
</Update>

<Update label="August 13 - August 18, 2025" tags={["Bug Fixes", "Improvements"]}>
  ## 1.25.7

  **Fixed**

  * Fixed a bug in the TLS certificate renewal process

  ## 1.25.6

  **Changed**

  * Streamlined TLS certificate handling at connector startup

  ## 1.25.5

  **Fixed**

  * Fixed a bug that would prevent connector TLS certificates from being updated on renewal unless the connector is restarted

  ## 1.25.4

  **New**

  * Enabled satellite hostnames linked to a Connector to be configured from the Control Plane and read by the Connector
  * Added 'ConnectorName' attribute for better tracking and logging during telemetry operations

  ## 1.25.3

  **Changed**

  * Removed a specific MongoDB configuration created for a legacy client, streamlining the process for connecting to DocDB with client-side options

  ## 1.25.1

  **New**

  * Introduced metrics to monitor opened, closed, and currently active connections, enhancing visibility into connection management for performance optimization and troubleshooting
  * Implemented new metrics to monitor the number of received Control Plane pings, increasing observability of system interactions

  **Fixed**

  * Fixed some errors with S3 authentication

  ## 1.25.0

  **New**

  * Regularly send connector instance heartbeat as a gauge metric via OpenTelemetry, bolstering real-time monitoring capabilities
  * Default to starting up etcd without failing if the etcd cluster doesn't come up

  **Changed**

  * Cleaned up configuration and feature flag storage
</Update>

<Update label="August 1 - August 5, 2025" tags={["Improvements", "Bug Fixes"]}>
  ## 1.24.12

  **Changed**

  * Removed unnecessary quotes from table names when parsing SQL queries to make policies easier to write

  ## 1.24.11

  **Changed**

  * Moved classifier-related environment variables into the new `formal_resource_classifier_configuration` Control Plane objects

  ## 1.24.10

  **Fixed**

  * Fixed column detection issues with parsing UNION statements with wildcards within Common Table Expressions (CTEs)
</Update>

<Update label="July 22 - July 30, 2025" tags={["Improvements", "Bug Fixes"]}>
  ## 1.24.9

  **Changed**

  * Enhanced logging to include connector ID, improving traceability for debugging and monitoring purposes

  ## 1.24.8

  **Fixed**

  * Resolved connection issues in the MySQL proxy that were caused by handshake problems with MariaDB

  ## 1.24.7

  **New**

  * Enabled automatic connection to the first task's first container within a specified ECS service when no specific task or container is selected

  **Changed**

  * Simplified S3 connection establishment

  ## 1.24.6

  **Fixed**

  * Resolved issue with Snowflake private key authentication for enhanced connection security

  **Changed**

  * Removed unused PII\_SAMPLING\_RATE ensuring cleaner code base and improved performance

  **New**

  * Included desktop app device trust keys in critical data load process for strengthened data security

  ## 1.24.5

  **Fixed**

  * Improved robustness of desktop app device trust keys

  ## 1.24.4

  **Changed**

  * Improved logging around device trust signature verification errors

  ## 1.24.3

  **New**

  * Added stateless authentication support for Clickhouse

  **Fixed**

  * Fixed the parsing of device info to ensure accurate timestamping in UTC

  ## 1.24.2

  **Changed**

  * Reduced wait time for PROXY protocol headers from 10 seconds to 200 milliseconds, enhancing performance and speeding up the handling of new connections

  **Fixed**

  * Fixed MySQL column detection and data label matching for policies

  ## 1.24.1

  **New**

  * Implemented stateless authentication for Snowflake

  ## 1.24.0

  **New**

  * Introduced stateless JWT authentication for Kubernetes, PostgreSQL, HTTP, and SSH, enhancing security and streamlining user verification process
</Update>

<Update label="July 16 - July 22, 2025" tags={["New Features", "Improvements"]}>
  ## 1.23.6

  **Fixed**

  * Improved reliability for MySQL resources

  ## 1.23.2

  **Changed**

  * Enhanced MySQL error messages for better readability during the handshake process

  ## 1.23.1

  **New**

  * Added support for hashed token authentication for Postgres proxy, providing a new option for users facing length restrictions on database passwords

  ## 1.23.0

  **New**

  * Added support for SSH private key authentication to upstream, enhancing secure connection options

  **Changed**

  * Updated MySQL to utilize our unified SQL semantic analyzer, ensuring consistent behavior across databases
  * Enabled port fields in resources to be updated for more flexible configurations
</Update>

<Update label="July 2 - July 18, 2025" tags={["New Features", "Breaking Changes"]}>
  ## 1.22.2

  **New**

  * Introduced a readiness endpoint for the connector (on health check port 8080 `/ready`), allowing it to signify when all listeners are initialized and ready to receive traffic

  **Changed**

  * Achieved consistency in logging and assertion libraries across the system, improving reliability of error logging

  ## 1.22.1

  **New**

  * Added support for handling Snowflake positional reference syntax in SQL queries
  * Introduced capability to resolve Snowflake positional arguments based on actual column names from inventory
  * Extended support for LATERAL queries, enabling more complex SQL queries that depend on preceding tables' columns

  **Fixed**

  * Resolved possible crash when retrieving outbound IP in telemetry, improving stability

  **Changed**

  * Streamlined MySQL TLS environment variables into a centralized TLS config
  * Dropped ability of the connector to exit if a health check fails, boosting connector resilience

  ## 1.22.0

  **New**

  * Refactored log encryption configuration and improved encryption of exec streams (SSH, SSM, Kubernetes)

  **Breaking Change**

  * Removed the ability to configure log encryption and encryption keys via environment variables; such configuration will need to be done via the Formal console or Terraform provider
</Update>
