0.22.1
New- Support setting checkForUpdates, hideSystrayIcon, transparentProxyEnable, transparentProxyEnforce, transparentProxyFail, transparentProxyAllowQuic as mcx preference settings.
0.22.0
Changed- Bumped the minimum supported macOS version to 15.0.
- No longer start the desktop app during the base package postinstall.
- Replace custom MDM post-install scripts with managed preference settings. Note: MDM deployments that upgrade to this version should remove the custom post-install script.
- Fix transparent proxy toggle knob rendering.
0.21.1
Changed- Rewrote the macOS menu bar: faster and more efficient.
- Transparent proxy toggle now stays in sync and gives clearer feedback when toggled.
- Transparent proxy toggle now requires being logged in with a working CA.
0.21.0
New- Support the Gemini API as an LLM technology.
- Add support for using the detected resource (hostname and port match) in CEL expressions in network rules.
0.17.1
Changed- Fall back to password authentication for MFA challenges when Touch ID is not available
0.17.0
New- Support autodetection of Postgres, MySQL, and MongoDB connections via the transparent proxy and in network rules
- Support TLS interception for Postgres, MySQL, and MongoDB connections through
formal connect/formal lslocal proxy
- Rename the MacOS bundle from
Formal DesktoptoFormal - Surface “Formal” in certificate trust settings dialog instead of “security” during installation
- Fix a bug where the CA trust dialog would not appear during MacOS package installation via MDM
- Fix a bug where
formal transparent-proxy statuswould report the extension not being installed when it actually was
0.15.4
Fixed- Fix an issue where MySQL connections could crash the agent when the client did not send connection attributes
0.15.3
Fixed- Fix a bug where network rules weren’t passing HTTP resources properly to connector listeners with smart routing enabled.
0.15.2
Changed- Allow protocol detection on HTTP requests when the TLS client hello doesn’t specify an ALPN protocol
- Improve performance of non-interactive
formal ls
- Fix a bug where network rules were lost after disabling and re-enabling the transparent proxy
0.15.1
Fixed- Fix a bug where transparent connections to a resource would hang if there was a previous direct connection to the local listener for that resource
0.15.0
New- Initial release of headless Linux deb package
- Automatically generate and trust transparent proxy CA certificate on Linux
0.14.3
Fixed- Fix a bug where Postgres connections from GSS-enabled clients could hang when using the local TCP port instead of the Unix socket.
0.14.2
Changed- Improve performance of forwarding transparently proxied HTTP traffic to the Connector
0.13.0
New- Emit HTTP policy evaluation inputs alongside logs
- Add support for MongoDB SCRAM-SHA-256 authentication
- Improve policy evaluation latency
0.12.0
New- Support protocol autodetection for LLM requests
- Persist logs to disk so they survive network outages, capped at 1 GB
- Support encrypting logs with asymmetric encryption keys
- Improve network rule format for readability. See our “Guide: Desktop App Setup” for more information.
- Simplify the codesigning configuration of our macOS Desktop App. See our “Guide: Desktop App Setup” for more information.
0.11.0
New- Add an
uninstallcommand to completely remove Formal from the machine - Add an
input.sourcefield to allow policies to differentiate desktop policy enforcement from connector policy enforcement
- Improve performance of fetching updates from the control plane
- Improve performance of
formal ls
0.10.1
New- Support filling out Forms using
formal form fill
- Change macOS CA trust dialog back to the default Security dialog
0.9.21
New- Support Codex block messages
- Support HTTP header rewrites for HTTP technology
- Decrease bundle size by 50%
- Rename transparent proxy to transparent mode
- Rename
ca installfor Linux toca trustfor macOS-Linux parity
0.9.17
New- By default, block QUIC traffic when the transparent proxy is enabled. Control this via the
allow_quicconfiguration parameter. - Support Claude Chat for LLM sessions when
allow_quicis false.
0.9.15
New- Support auto-classification of HTTP and MCP traffic
- Support device trust for MongoDB
- Install the network extension as part of the installer
0.9.14
New- Support desktop evaluation and logging of MCP traffic
- Support network rules that don’t require resources
- Indicate to users that sudo is required for
formal ca trust - Use total input tokens instead of input tokens
- Correct CA installation out of sync race conditions
0.9.12
New- Support LLM header rewrites
- Remove the
--only-agents,--transparent, and--local-tlsflags
0.9.9
New- Support policy enforcement for the MCP technology without a connector
- New
formal transparent-proxy installandformal transparent-proxy uninstallcommands
0.9.8
Changed- Add Formal CA to keychain via installer
- Support policy enforcement for HTTP resources without a connector
- Support connection process and user information in network rules
0.8.2
New- Separate TLS settings for LLM technology
- Emit session events for LLM technology sessions
0.8.0
New- Support connecting with
--transparentmode - Support connecting with
--only-agentsmode - Support connecting with
--local-tlsmode - Pass process ancestor information
- Support LLM technology
- Reject CLI arguments for formal-agent
0.7.2
Fixed- Fixed a bug where the resource alias was used for smart routing rather than the resource name.
0.7.1
New- Added support for resource aliases
- Added a
--launchargument toformal connectto launch the appropriate CLI program after connecting (for examplepsqlorssh).
- Fixed a bug where the interactive
formal lsparent process didn’t exit when launching a CLI program, obscuring connection errors and policy block messages.
0.7.0
Changed- Improved
formal lsperformance by moving search filtering server-side - Reduced unnecessary API calls during credential renewal
0.6.0
Fixed- Fixed a bug where the desktop app CLI would attempt to launch the agent when run without a TTY.
- Note: this introduces a small breaking change where running
formalwithout a TTY will now exit with an error and show help text. Please runformal agentinstead.
- Note: this introduces a small breaking change where running
0.5.6
Fixed- Fix a bug where the desktop app would timeout when listing resources in non-interactive mode
0.4.4
Changed- It is no longer required to specify a resource name with
formal disconnect. By default, it disconnects all resources.
0.4.3
New- Added support for Windows.
- Added support for wrapping AWS S3 commands to funnel traffic through the Connector.
- Change SSH config configuration to be compatible with SCP via the Connector.
- Change SSH config configuration to be use resource names as SSH host names.
0.4.2
Fixed- Fixed a build issue where the desktop app would not provide an icon on Linux.
0.2.5
New- Implemented pagination of resources to reduce startup delay of
formal ls.
- Reworked connecting/disconnecting to resources to be asynchronous, which prevents a connection from blocking the TUI from rendering.
- Fixed a bug where the desktop app would show multiple instances of the same resource while filtering and connecting.
- Fixed a bug where the autolaunch functionality could freeze the TUI.
0.2.4
New- Added support for using token authentication in headless mode.
- Introduced a configurable timeout for the
formal agentcommand with--timeout.
- Changed the
formal lscommand to lazily load resources and show a loading spinner instead of blocking the TUI from launching.
0.2.3
New- Added a
formal agentcommand to launch the Formal Agent through the CLI. - Added a headless mode, which can be launched through
formal agent --headlessand allows usage of the Formal Desktop without a GUI. See Desktop App for more details.
0.2.2
New- Added the ability to open a
psqlsession automatically when connecting to a PostgreSQL resource throughformal ls. - Added a permanent “latest” URL to download the latest version of the desktop app on Linux.
- Fixed a bug where the desktop app could become unresponsive when connecting to a resource.
0.1.0
New- Added support for configuring the SSH client (i.e.,
~/.ssh/config) to more seamlessly connect to SSH, EC2, and ECS Fargate resources using theformal lsUI
0.0.91
Fixed- Fixed versioning issue
0.0.90
Fixed- Fixed versioning issue
0.0.89
New- Added a link to download the latest version of the desktop app if an update is available
0.0.88
Changed- Ensured errors are printed to
stderrrather thanstdoutto provide a clean output stream to users
0.0.87
New- Exposed certain classes of connection errors between the local proxy and the Formal Connector to users
0.0.86
Fixed- Fixed authentication failures
0.0.85
New- Added support for using
formal@<native-user>as the username to specify the native user
0.0.84
New- Added support for
jsonoption toformal auth credentials -o
0.0.83
New- Added support for
jsonoption toformal auth credentials -o
0.0.82
Fixed- Avoided crashing on EOF for
postgres
0.0.81
Fixed- Fixed desktop app auth status
0.0.80
Fixed- Fixed desktop app auth status
0.0.79
New- Added support for MongoDB smart routing
0.0.78
Fixed- Fixed typo in error message
missing S3 resource name
0.0.77
New- Added support for TCP Proxy and Relays
0.0.75
Changed- Removed the use of AWS profile
0.0.74
Changed- Removed the use of AWS profile
0.0.73
Changed- Added more efficient routing
0.0.72
Fixed- Fixed support for
dynamodb
0.0.71
New- Added resource subdomain to Kubernetes resources for connectors
0.0.70
New- Added support for connectors
0.0.69
New- Added support for basic auth for
clickhouse
0.0.68
New- Added resource to policy evaluation
0.0.67
Changed- Updated desktop app to renew key every 18 hours
0.0.66
New- Added support for connector in policy evaluation
0.0.65
Changed- Updated log message for fetchCABundle
0.0.64
Changed- Added more logs to the
dynamodbcommand
0.0.63
Changed- Removed posthog
0.0.62
Fixed- Fixed AWS CLI
0.0.61
Fixed- Fixed AWS CLI
0.0.60
New- Added AWS CLI to building process
0.0.59
New- Added support for certificate bundle
dynamodb
0.0.58
New- Added support for API Token expiration