DreamFactory v7.6.0 Release Notes

Release Date: 2026-05-28
  • DreamFactory v7.6.0

    🔒 DreamFactory v7.6.0 launches governed AI/LLM connectivity as a first-class platform capability: a new AI Connection service type (df-ai), an AI chat experience over your own data (df-ai-chat), and an AI Gateway analytics dashboard backed by per-tool-call MCP audit logging. It also extends the security hardening pass to the full connector, authentication, and integration surface (SQL injection, SSRF, LDAP/SOQL/JS injection, zip-slip, JWKS/JWT validation, secret redaction, and more across ~20 packages), modernizes the MongoDB stack off the abandoned jenssegers/mongodb driver, and forward-ports every package to Laravel 13 compatibility. The admin interface gains AI management screens, a reusable RBAC role-scope control, overview landing pages, portable config-package export, and GitHub-linked server scripts.

    🆕 New Features

    AI Connection Service (df-ai) - COMMERCIAL

    A new ai_connection service type providing unified, governed REST access to LLM providers, exposed as DreamFactory endpoints with role-based access control and identity passthrough.

    • Providers: Anthropic (Claude), OpenAI (GPT), xAI (Grok), Ollama (local), and any OpenAI-compatible endpoint
    • Resources per service:

      • POST /{service}/completion: single-turn text completion
      • POST /{service}/chat: multi-turn conversation
      • POST /{service}/embeddings: vector embeddings
      • GET /{service}/models: list available models
      • GET /{service}/health: provider health check
      • GET /{service}/usage: usage statistics and token counts
    • df-core adds an AI_CHAT service-type group so AI services slot into the standard service taxonomy

    AI Chat Over Your Data (df-ai-chat) - COMMERCIAL

    📦 A new package to chat with your DreamFactory-governed data using AI together with MCP tools, combining the AI Connection service and the MCP server so agents reason over live data through existing role-based access controls.

    📈 AI Gateway Analytics Dashboard (Admin UI + df-mcp-server)

    • New AI Gateway dashboard in the admin interface: cost tracking, per-application attribution, multi-dimensional cost charts, most-expensive-call drill-downs, latency percentiles with deltas and sparklines, budget UI, and a dedicated MCP section
    • 🌲 Backed by new per-tool-call request logging and a Gateway aggregator endpoint in df-mcp-server, with an mcp:prune-request-logs command and configurable retention
    • AI usage analytics surface through /_internal/ai/usage, reading the ai_usage_log

    💻 Admin UI: AI Management

    • 💅 Full configuration screens for AI Connection services: model picker, "test connection" with saved-key fallback, chip-style picker for allowed roles, and inline code-block rendering
    • 💻 Browser-based AI chat UI at /ai/chat ("Conversations") with a prerequisites picker panel above the chat-service config form
    • AI navigation split into Connections / Chat / MCP sub-routes

    💻 Admin UI: RBAC Role Scope

    • 🆕 New reusable df-role-scope component and scope route, wired into the RBAC navigation, for scoping role access (including service_id=0 wildcard handling); it is embedded directly in the AI chat-service config form

    📦 Admin UI: Overview Landing Pages & Config Package Export

    • 🆕 New overview landing pages with service-category tiles and config-package tooling
    • 📦 df-system adds portable config-package export, surfaced through the new admin UI config-package tools

    GitHub-Linked Server Scripts

    • 💻 df-script + admin UI: scripts can now be linked to GitHub with a repository explorer, live fetch, and webhook-based cache invalidation
    • 📇 df-script adds an _event metadata object (pre/post, service, script name) accessible inside scripts, plus a recursion guard for file-script services whose trigger path matches the file service

    Snowflake Enhancements (df-snowflake)

    • Snowflake key-pair authentication
    • 🛰 Stored-function handlers, including cross-database/cross-schema function calls, with a dedicated SnowflakeFunctionSchema and payload-driven parameter filtering

    🔒 Security

    🚀 This release extends DreamFactory's security hardening to the full connector, auth, and integration surface.

    Authentication & Identity

    • df-user: hardened AlternateAuth against filter injection and plaintext/MD5 handling
    • df-oauth: strict redirect-host matching, rejection of credentials embedded in URLs, and constant-time comparison (hash_equals)
    • df-oidc: never trust id_token claims without signature validation; JWKS algorithm allowlist (RS256/RS384/RS512 only)
    • df-saml: JWT requirement for metadata-endpoint access; bumped onelogin/php-saml to ^4.3.1
    • df-adldap: ldap_escape on user-supplied values and sanitized LDAP group-filter fragments
    • df-mcp-server: hardened OAuth flow, daemon shared-secret, and Referrer-Policy
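    As an added illustration of the df-oidc item above (example code, not df-oidc's own), the following PHP verifies an id_token against a kid-selected key, accepts only RS256/RS384/RS512, and reads no claim before the signature checks out. The function names, and the assumption that JWKS entries have already been converted to PEM public keys, are mine rather than the project's.

```php
<?php
// Added example, not df-oidc's own code: id_token verification in the shape the 7.6.0
// notes describe. Nothing in the payload is read until the signature verifies, and the
// alg allowlist is RS256/RS384/RS512 only (so alg=none and HMAC headers are refused).
// Assumption: $jwks maps kid => ['alg' => ..., 'pem' => PEM public key] built from the JWKS.
declare(strict_types=1);

const ALLOWED_ALGS = ['RS256' => OPENSSL_ALGO_SHA256, 'RS384' => OPENSSL_ALGO_SHA384, 'RS512' => OPENSSL_ALGO_SHA512];

function b64url_encode(string $s): string { return rtrim(strtr(base64_encode($s), '+/', '-_'), '='); }
function b64url_decode(string $s): string {
    $d = base64_decode(strtr($s, '-_', '+/') . str_repeat('=', (4 - strlen($s) % 4) % 4), true);
    return $d === false ? '' : $d;
}

function verify_id_token(string $jwt, array $jwks, string $issuer, string $audience, int $now): array {
    $parts = explode('.', $jwt);
    if (count($parts) !== 3) throw new RuntimeException('malformed token');
    [$h, $p, $s] = $parts;
    $header = json_decode(b64url_decode($h), true);
    $alg = is_array($header) ? ($header['alg'] ?? '') : '';
    if (!isset(ALLOWED_ALGS[$alg])) throw new RuntimeException("alg not allowed: '$alg'");
    $key = $jwks[$header['kid'] ?? ''] ?? null;
    if ($key === null) throw new RuntimeException('unknown kid');
    // A key published for one RS alg must not be accepted under a different header alg.
    if (($key['alg'] ?? $alg) !== $alg) throw new RuntimeException('alg does not match JWKS entry');
    $pub = openssl_pkey_get_public($key['pem']);
    if ($pub === false || openssl_verify("$h.$p", b64url_decode($s), $pub, ALLOWED_ALGS[$alg]) !== 1) {
        throw new RuntimeException('signature verification failed');
    }
    // Only now are the claims trustworthy enough to read.
    $claims = json_decode(b64url_decode($p), true);
    if (!is_array($claims) || ($claims['iss'] ?? null) !== $issuer) throw new RuntimeException('bad issuer');
    if (!in_array($audience, (array)($claims['aud'] ?? []), true)) throw new RuntimeException('bad audience');
    if (!isset($claims['exp']) || !is_int($claims['exp']) || $claims['exp'] <= $now) throw new RuntimeException('token expired');
    return $claims;
}

// Demo: mint a token with a freshly generated RSA key, then show an unsigned header is refused.
$priv = openssl_pkey_new(['private_key_bits' => 2048, 'private_key_type' => OPENSSL_KEYTYPE_RSA]);
$jwks = ['k1' => ['alg' => 'RS256', 'pem' => openssl_pkey_get_details($priv)['key']]];
$now = time();
$claims = ['iss' => 'https://idp.example', 'aud' => 'df-client', 'sub' => 'alice', 'exp' => $now + 300];
$signingInput = b64url_encode(json_encode(['alg' => 'RS256', 'kid' => 'k1'])) . '.' . b64url_encode(json_encode($claims));
openssl_sign($signingInput, $sig, $priv, OPENSSL_ALGO_SHA256);
$good = $signingInput . '.' . b64url_encode($sig);
echo 'verified subject: ', verify_id_token($good, $jwks, 'https://idp.example', 'df-client', $now)['sub'], "\n";

$unsigned = b64url_encode(json_encode(['alg' => 'none', 'kid' => 'k1'])) . '.' . b64url_encode(json_encode($claims)) . '.';
try { verify_id_token($unsigned, $jwks, 'https://idp.example', 'df-client', $now); }
catch (RuntimeException $e) { echo "rejected: {$e->getMessage()}\n"; }
```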

    SQL & Query Injection

    • df-database: validate relationship-filter PK values; quote identifiers in DDL helpers; validate CREATE TABLE options append; harden single-id relationship upsert filter
    • df-sqldb: parameterized MySQL + PostgreSQL getTableConstraints schema lookups and routine/schema metadata lookups
    • df-sqlsrv: quote INOUT parameter values in T-SQL SET statements (dblib/FreeTDS path); parameterize schema-name interpolation; quote identifiers in dropColumns
    • df-oracledb: parameterize OracleSchema lookups; quote dropColumns identifiers
    • df-snowflake: removed eval() from loadParameters; parameterized routine lookups
    • df-salesforce: validate SOQL identifiers before concatenation
    • df-mongodb: reject MongoDB filter operators that execute server-side JavaScript

    SSRF, File & Transport Safety

    • df-soap: SSRF, TLS-bypass, and symlink-traversal hardening
    • df-file: refuse zip entries that escape the extraction target (zip-slip); refuse asFullPath() results that escape the storage root
    • df-email: validate URL imports; configurable, hardened allowlist for the Local mailer executable
    • ⏱ df-scheduler: gate crontab install to CLI only, lock it, and escape the path
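    The two df-file refusals above (zip-slip entries and asFullPath() results outside the storage root) amount to one path-containment rule; here it is as an added PHP example (not df-file's own code, helper names assumed), applied to constructed zip entry names against a throwaway extraction root.

```php
<?php
// Added example, not df-file's own code: the path containment check the 7.6.0 notes
// describe for zip extraction (zip-slip) and for asFullPath() against the storage root.
// The entry is normalised lexically first because the target does not exist yet, so
// realpath() cannot be applied to it; the nearest existing ancestor is then realpath()'d
// so a symlinked directory planted earlier in the same archive cannot redirect the write.
declare(strict_types=1);

/** Lexically normalise a relative path; null if it is absolute or climbs above its start. */
function normalize_relative(string $path): ?string {
    $path = str_replace('\\', '/', $path);
    if ($path === '' || $path[0] === '/' || preg_match('#^[A-Za-z]:#', $path) || str_contains($path, "\0")) {
        return null;
    }
    $out = [];
    foreach (explode('/', $path) as $seg) {
        if ($seg === '' || $seg === '.') continue;
        if ($seg === '..') {
            if ($out === []) return null;   // would leave the root
            array_pop($out);
            continue;
        }
        $out[] = $seg;
    }
    return implode('/', $out);
}

/** Absolute write target for $entry under $root, or null when the entry must be refused. */
function safe_target(string $root, string $entry): ?string {
    $rel = normalize_relative($entry);
    if ($rel === null || $rel === '') return null;
    $realRoot = realpath($root);
    if ($realRoot === false) return null;
    $target = $realRoot . '/' . $rel;
    // Nearest existing ancestor of the target must still resolve inside the root (symlink defence).
    $probe = dirname($target);
    while (!file_exists($probe) && $probe !== $realRoot) $probe = dirname($probe);
    $realProbe = realpath($probe);
    if ($realProbe === false || !str_starts_with($realProbe . '/', $realRoot . '/')) return null;
    return $target;
}

// Demo on constructed entry names against a throwaway root.
$root = sys_get_temp_dir() . '/df-extract-' . bin2hex(random_bytes(4));
mkdir($root);
$root = realpath($root);
foreach (['docs/readme.md', 'a/b/../c.txt', '../../etc/passwd', '/etc/passwd', 'a/../../x', '..\\win.ini', 'C:\\win.ini'] as $e) {
    $t = safe_target($root, $e);
    printf("%-20s => %s\n", $e, $t === null ? 'REFUSED' : substr($t, strlen($root) + 1));
}
rmdir($root);
```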

    🌲 Secrets & Logging

    • df-logger: redact credentials before shipping log payloads to a remote aggregator
    • df-cache: unit-separator delimiter in cache keys to prevent key collisions
    • df-limits: bucket numeric/UUID/hash path segments in the rate-limit endpoint key (prevents key explosion)

    Data Layer

    MongoDB Driver Modernization

    • df-mongodb (0.22.1) and df-mongo-logs (1.3.1) migrated from the abandoned jenssegers/mongodb to the maintained mongodb/laravel-mongodb ^5.7. The mongodb connection driver name and LOGSDB_* variables are unchanged, so existing Mongo services and logging keep working without configuration changes.
    • df-mongodb: preserved nested field paths (no longer rewrites _id.Id → _id), maintaining correct dot notation

    🛠 Connector Fixes

    • df-sqlsrv: fixed null values in Additional SQL Statements causing service errors at startup
    • df-sqldb (pgsql): correctly detect primary keys when loading columns
    • df-databricks: fixed connector creation; removed a dead reserved-keyword class (Function) that could trigger a PHP parse error
    • df-dremio: fixed connector installation issues
    • df-azure-ad: fixed get/set inheritance for role-per-app fields
    • df-email: allow the default sendmail transport
    • df-logger: correct Monolog v3 log-level integer conversion

    💻 Admin UI Fixes

    • 🛠 Event Scripts: fixed the "Add path to file" radial not saving state and not clearing service details in the event-script service config screen
    • ⏪ API Docs: pinned swagger-ui to 4.15.5 to restore the API Docs UI
    • Overview tiles navigate on first click and remain stable across dashboard pages; category pages render before data loads; clicks no longer blocked by the loading overlay
    • AI UI: corrected camelCase form-key handling, hid ai_service_id/ai_role_id when type is ai_chat, stopped sending the masked api_key, improved light-mode legibility, and aligned font sizing
    • 🐎 Performance: reduced navigation churn and cached AI usage lookup datasets

    Platform & Compatibility

    Laravel 13 Forward-Compatibility

    • ⚡️ Every package was updated for Laravel 13 compatibility (e.g., replacing the removed Connection::withTablePrefix() with the L13 Grammar($this) constructor in df-sqlsrv, and dispatchNow() → Bus::dispatchSync() in df-script)
    • 🛠 df-core adds PHP 8.5 readiness fixes (autoload preloading and incomplete-class guards around cached schema/CORS reads)

    ⬆️ Upgrade Notes

    • 🚀 Security fixes are cumulative; upgrading is recommended for all deployments. This release hardens SQL injection, SSRF, LDAP/SOQL injection, server-side-JS injection, zip-slip, JWT/JWKS validation, secret logging, and crontab handling across ~20 packages.
    • Platform baseline is unchanged from 7.5.0 (PHP 8.3 / Laravel 11). No host-level upgrade is required; this is an in-place upgrade. All packages are now Laravel 13-ready, but 7.6.0 ships on the validated L11 stack.
    • MongoDB driver swap: df-mongodb and df-mongo-logs now use mongodb/laravel-mongodb instead of the deprecated jenssegers/mongodb. The mongodb connection driver name and LOGSDB_* variables are unchanged; ensure the mongodb PHP extension is present (already included in the official Docker images).
    • MongoDB field paths: nested _id field paths are now preserved in dot notation. If you built downstream logic around the previous _id.Id β†’ _id rewrite, re-verify those queries.
    • OIDC/SAML hardening: OIDC now enforces id_token signature validation and an RS256/384/512 JWKS allowlist; SAML requires a JWT for metadata-endpoint access and bumps onelogin/php-saml. Verify identity-provider configurations after upgrading.
    • ⬆️ Standard upgrade process applies for all other changes. Existing services, roles, and API keys a...

Previous changes from v7.5.0

  • DreamFactory v7.5.0

    🔒 DreamFactory v7.5.0 delivers a platform-wide 2026-04 security hardening pass (auth bypass, SQL injection, SSRF, unsafe deserialization, and timing-attack fixes across most packages), introduces GitHub as a first-class MCP utility service, adds a custom-tool lookup picker and unsaved-changes save guard to the admin UI, switches the MCP server from SSE streams to JSON responses with stale-stream eviction to prevent PHP worker lockups, and ships a new Jest + Playwright CI test harness for the admin interface.

    🆕 New Features

    GitHub MCP Utility Service

    • 🆕 New DreamFactory utility-service integration for GitHub: custom MCP tooling can call GitHub as a first-class service so AI agents reach repositories, issues, and pull requests without custom auth plumbing
    • 🔧 Admin UI elements for configuring the GitHub integration end-to-end

    Custom MCP Tool Lookup Picker

    • ➕ Added a lookup picker for custom MCP tools: admins can insert DreamFactory lookup values into custom-tool configuration through the UI instead of hand-typing keys
    • 👕 Inline JSON/JS lint-error display for custom tool bodies, with error notifications on static-header JSON

    Unsaved-Changes Guard for MCP Custom Tools

    • ➕ Added a save guard that detects unsaved custom-tool changes when saving an MCP service and surfaces a contextual popup with persist/discard options (replaces the previous silent-drop behavior)
    • 🛠 Fixed a related issue where custom tools were not persisted on first service creation or on re-save without IDs

    MCP OAuth Direct Redirect Workflow

    • 💻 MCP services can now declare an OAuth service for direct redirect: the MCP client is sent straight through the OAuth flow, skipping the DreamFactory UI login and removing a step from the desktop MCP connect experience

    🔒 Security

    Authentication & Authorization

    • df-core: Fixed auth bypass, widened the OAuth filter blocklist, removed token logging; reverted an earlier change that had narrowed OAuth method coverage so all methods are now protected again
    • df-core: Replaced rand() with random_int() in generateConfirmationCode()
    • df-core: Added /auth/ prefix to password-reset and email-invite URLs so they route through the authenticated handler
    • df-system: Removed the admin flag from password-reset email URLs
    • df-script: Replaced uniqid() with random_bytes(32) for script auth tokens
    • df-oauth: Fixed unsafe deserialization, a timing-attack vector, an open-redirect, and a name-field bug

    SQL Injection Hardening

    • df-sqldb: Fixed SQL injection in MySQL INOUT stored-procedure parameters (regression test added)
    • df-sqldb: Fixed SQL injection in ORDER BY, GROUP BY, filter, and expression handling; widened expression/filter checks from allowlist to blocklist
    • df-database: db_function template value substitution now uses quoteValue() to prevent injection via template expansion

    SSRF & Request Integrity

    • df-system: Added SSRF validation to import_url endpoints on Package, Import, and App resources
    • df-mcp-server: Fixed host-header injection, OAuth-redirect issues, and session leaks; CORS posture re-widened explicitly for MCP's inherently-external clients after being tightened in the scan
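    As an added PHP example of the kind of SSRF validation described for the import_url endpoints (not df-system's own code; the function names and the injected resolver are assumptions), checking scheme, URL-embedded credentials, and every address the host resolves to:

```php
<?php
// Added example, not df-system's own code: SSRF validation for a user-supplied import URL.
// Scheme is restricted to http/https, credentials in the URL are refused, and every
// address the host resolves to must be public. The resolver is injected so this runs
// offline against a constructed name->IP map; in production pass
// fn($h) => gethostbynamel($h) ?: [] and connect to the resolved IP (setting the Host
// header separately) so a DNS answer cannot change between the check and the fetch.
declare(strict_types=1);

function is_public_ip(string $ip): bool {
    // NO_PRIV_RANGE: 10/8, 172.16/12, 192.168/16, fc00::/7.  NO_RES_RANGE: 0/8, 127/8,
    // 169.254/16 (cloud metadata), 240/4, ::1, ::, ::ffff:0:0/96, fe80::/10.
    // On PHP 8.2+ FILTER_FLAG_GLOBAL_RANGE covers additional non-global ranges.
    return filter_var($ip, FILTER_VALIDATE_IP, FILTER_FLAG_NO_PRIV_RANGE | FILTER_FLAG_NO_RES_RANGE) !== false;
}

function validate_import_url(string $url, callable $resolve): string {
    $u = parse_url($url);
    if ($u === false || !isset($u['scheme'], $u['host'])) throw new InvalidArgumentException('unparseable URL');
    if (!in_array(strtolower($u['scheme']), ['http', 'https'], true)) throw new InvalidArgumentException('scheme not allowed');
    if (isset($u['user']) || isset($u['pass'])) throw new InvalidArgumentException('credentials in URL');
    $host = strtolower(trim($u['host'], '[]'));   // strip IPv6 brackets
    // Literal IPs are checked as-is; anything else (including odd numeric spellings) is resolved.
    $ips = filter_var($host, FILTER_VALIDATE_IP) !== false ? [$host] : $resolve($host);
    if ($ips === []) throw new InvalidArgumentException('host does not resolve');
    foreach ($ips as $ip) {
        if (!is_public_ip($ip)) throw new InvalidArgumentException("host resolves to non-public address $ip");
    }
    return $url;
}

// Demo with a constructed resolver (no network access).
$dns = [
    'downloads.example' => ['93.184.216.34'],
    'intranet.local'    => ['10.0.0.5'],
    'split-answer.test' => ['93.184.216.34', '127.0.0.1'],   // one public, one loopback: still refused
];
$resolve = fn(string $h): array => $dns[$h] ?? [];
foreach ([
    'https://downloads.example/package.zip',
    'http://127.0.0.1:8080/system',
    'http://169.254.169.254/latest/meta-data/',
    'http://[::1]/',
    'http://intranet.local/app.zip',
    'http://split-answer.test/app.zip',
    'ftp://downloads.example/package.zip',
    'https://user:pw@downloads.example/package.zip',
] as $url) {
    try { validate_import_url($url, $resolve); echo "ALLOW  $url\n"; }
    catch (InvalidArgumentException $e) { echo "REFUSE $url ({$e->getMessage()})\n"; }
}
```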

    💻 Admin UI

    • df-admin-interface: Added a same-origin check to handleRedirectIfPresent
    • df-admin-interface: Updated npm dependencies to eliminate critical CVEs surfaced by the scan

    MCP Server

    Transport & Stability

    • 👷 Switched MCP responses from SSE streams to JSON, with guards around remaining SSE streams to prevent PHP worker lockups when multiple MCP session connections arrive concurrently
    • Stale-SSE-stream eviction on reconnect, resolving the 409 errors clients previously saw when reconnecting to an MCP session

    Custom Tools

    • 🛠 Fixed order-of-operations for custom-tool role checks against services: role rules now evaluate consistently with other service-level authorization
    • Custom tools persist correctly on first service creation and on re-save without IDs

    💻 Admin UI

    Event Scripts

    • Script Type dropdown now populates for services whose names contain underscores
    • 🛠 Fixed scriptMethod wiring and added fallback behavior when the method name is empty
    • Event-script services are fetched lazily on open (events on service selection), cutting initial page load on large instances
    • /system/event responses exempted from the snake → camelCase interceptor so event identifiers are returned raw

    Editor & Loading States

    • 👕 Permitted top-level await in the Ace JavaScript lint worker under module:true
    • 🛠 Fixed a stuck loading spinner that could persist after rapid concurrent requests

    SQL Databases

    • df-sqldb: Fixed a regression where null values in additional SQL init statements caused service errors at startup
    • 🔒 Blocklist-based filter/expression validation (from the security hardening above) now applies uniformly across all SQL connectors

    🐎 Performance

    • df-system: Added a services_only fast path to the system/event resource, avoiding a full event walk when callers only need the service enumeration
    • df-admin-interface: Deferred event-script fetching until the user opens the section, with a secondary fetch on service selection

    ✅ Testing & CI

    • df-admin-interface: Jest wired into CI with regression specs covering the 2026-04 fixes
    • df-admin-interface: Playwright scaffold with smoke specs and a dedicated CI workflow, scoped to manual/nightly to keep PR CI fast
    • df-admin-interface: UI automation affordances added and a discovery spec reporting navigation automation limits
    • df-admin-interface: Dropped the pre-existing lint gate from default CI (lint still runs, just non-blocking)
    • Test-suite hardening across df-sqldb (PHPUnit 9 compatibility, driver/host config, reliable cleanup), df-database (void return type on tearDown()), df-system (explicit admin auth, order-independent assertions, stronger fixture passwords), and df-user (fixture passwords updated for stronger strength policy)

    ⬆️ Upgrade Notes

    • 🚀 Security fixes are cumulative; upgrading is recommended for all deployments. The 2026-04 security scan covers auth bypass, SQL injection, SSRF, unsafe deserialization, and timing-attack vectors across multiple packages.
    • Password-reset / invite URLs now include an /auth/ prefix. Update any external tooling that parses or constructs DreamFactory reset URLs.
    • MCP transport: The MCP server now returns JSON instead of SSE for most flows. Compliant MCP clients require no changes; the switch is server-side and transparent.
    • MCP custom tool persistence: Tools that previously appeared to be "lost" on service creation in 7.4.x will now persist correctly; re-verify any that were affected.
    • Password strength policy: The df-user fixture-password hardening reflects a stronger strength policy. Deployments relying on weak programmatic passwords (e.g., old CI fixtures or seeded test accounts) may need to update them.
    • Platform baseline is unchanged from 7.4.x (PHP 8.3 / Laravel 11). No host-level upgrade is required.
    • ⬆️ Standard upgrade process applies for all other changes.

    Full Changelog: 7.4.5...7.5.0