
DreamFactory

v7.6.0 Security

This release includes 8 security fixes and is relevant to teams running internet-exposed DreamFactory deployments.

Published 6d ago · API Development

✓ No CVE identifiers referenced: the 8 security fixes in this release are not mapped to CVEs.

Topics: api, api-generation, api-generator, automatic-api, dreamfactory, laravel, openapi, php, rest

Affected surfaces: auth, rbac, rce_ssrf, deps

ReleasePort's take

Moderate signal
editorial:auto 6d

Release 7.6.0 hardens the connector, authentication and integration surface against injection and SSRF, and moves the MongoDB packages off the abandoned `jenssegers/mongodb` driver onto `mongodb/laravel-mongodb ^5.7`.

Why it matters: the hardening closes injection-class issues (SQL, LDAP, SOQL, server-side JavaScript, zip-slip, JWT/JWKS validation) rated severity 90 across ~20 packages. The driver swap (severity 70) keeps the `mongodb` connection name and `LOGSDB_*` variables unchanged but requires the PHP mongodb extension, so self-managed hosts should confirm the extension is loaded before upgrading.

Summary

AI summary

Broad release: SQL and query injection hardening, new AI features, admin UI screens for AI management, and connector fixes.

Changes in this release

Security Critical

Hardens the connector, authentication and integration surface against SQL injection, SSRF, LDAP/SOQL/server-side JS injection, zip-slip, and weak JWT/JWKS validation across ~20 packages.

Source: llm_adapter@2026-05-28

Confidence: high

Breaking High

Deprecates and removes the abandoned `jenssegers/mongodb` driver; migrates df-mongodb and df-mongo-logs to `mongodb/laravel-mongodb ^5.7`.

Source: llm_adapter@2026-05-28

Confidence: high

Feature Medium

Adds AI Connection Service (`df-ai`) providing unified, governed REST access to LLM providers with role‑based control.

Source: llm_adapter@2026-05-28

Confidence: high

Feature Medium

Adds AI Chat Over Your Data (`df-ai-chat`) enabling agents to reason over live DreamFactory data via existing RBAC.

Source: llm_adapter@2026-05-28

Confidence: high

Feature Medium

Introduces AI Gateway Analytics Dashboard for cost tracking, latency percentiles, and per‑tool usage logging.

Source: llm_adapter@2026-05-28

Confidence: high

Feature Medium

Adds Snowflake key‑pair authentication and stored‑function handlers with cross‑database support.

Source: llm_adapter@2026-05-28

Confidence: high

Bugfix Medium

Fixes df-sqlsrv null values in Additional SQL Statements that caused service errors at startup.

Source: llm_adapter@2026-05-28

Confidence: high

Bugfix Medium

Corrects df-sqldb (PostgreSQL) primary‑key detection when loading columns.

Source: llm_adapter@2026-05-28

Confidence: high

Bugfix Medium

Resolves df-databricks connector creation issue and removes dead reserved‑keyword class causing PHP parse errors.

Source: llm_adapter@2026-05-28

Confidence: high

Bugfix Medium

Adds support for default sendmail transport in df-email package.

Source: llm_adapter@2026-05-28

Confidence: high

Full changelog

DreamFactory v7.6.0

DreamFactory v7.6.0 launches governed AI/LLM connectivity as a first-class platform capability — a new AI Connection service type (df-ai), an AI chat experience over your own data (df-ai-chat), and an AI Gateway analytics dashboard backed by per-tool-call MCP audit logging. It also extends the security hardening pass to the full connector, authentication, and integration surface (SQL injection, SSRF, LDAP/SOQL/JS injection, zip-slip, JWKS/JWT validation, secret redaction, and more across ~20 packages), modernizes the MongoDB stack off the abandoned jenssegers/mongodb driver, and forward-ports every package to Laravel 13 compatibility. The admin interface gains AI management screens, a reusable RBAC role-scope control, overview landing pages, portable config-package export, and GitHub-linked server scripts.

New Features

AI Connection Service (df-ai) — COMMERCIAL

A new ai_connection service type providing unified, governed REST access to LLM providers, exposed as DreamFactory endpoints with role-based access control and identity passthrough.

  • Providers: Anthropic (Claude), OpenAI (GPT), xAI (Grok), Ollama (local), and any OpenAI-compatible endpoint
  • Resources per service:
    • POST /{service}/completion — single-turn text completion
    • POST /{service}/chat — multi-turn conversation
    • POST /{service}/embeddings — vector embeddings
    • GET /{service}/models — list available models
    • GET /{service}/health — provider health check
    • GET /{service}/usage — usage statistics and token counts
  • df-core adds an AI_CHAT service-type group so AI services slot into the standard service taxonomy

AI Chat Over Your Data (df-ai-chat) — COMMERCIAL

A new package to chat with your DreamFactory-governed data using AI together with MCP tools — combining the AI Connection service and the MCP server so agents reason over live data through existing role-based access controls.

AI Gateway Analytics Dashboard (Admin UI + df-mcp-server)

  • New AI Gateway dashboard in the admin interface: cost tracking, per-application attribution, multi-dimensional cost charts, most-expensive-call drill-downs, latency percentiles with deltas and sparklines, budget UI, and a dedicated MCP section
  • Backed by new per-tool-call request logging and a Gateway aggregator endpoint in df-mcp-server, with an mcp:prune-request-logs command and configurable retention
  • AI usage analytics surface through /_internal/ai/usage, reading the ai_usage_log

Admin UI: AI Management

  • Full configuration screens for AI Connection services — model picker, "test connection" with saved-key fallback, chip-style picker for allowed roles, and inline code-block rendering
  • Browser-based AI chat UI at /ai/chat ("Conversations") with a prerequisites picker panel above the chat-service config form
  • AI navigation split into Connections / Chat / MCP sub-routes

Admin UI: RBAC Role Scope

  • New reusable df-role-scope component and scope route, wired into the RBAC navigation, for scoping role access (including service_id=0 wildcard handling) — embedded directly in the AI chat-service config form

Admin UI: Overview Landing Pages & Config Package Export

  • New overview landing pages with service-category tiles and config-package tooling
  • df-system adds portable config-package export, surfaced through the new admin UI config-package tools

GitHub-Linked Server Scripts

  • df-script + admin UI: scripts can now be linked to GitHub with a repository explorer, live fetch, and webhook-based cache invalidation
  • df-script adds an _event metadata object (pre/post, service, script name) accessible inside scripts, plus a recursion guard for file-script services whose trigger path matches the file service

Snowflake Enhancements (df-snowflake)

  • Snowflake key-pair authentication
  • Stored-function handlers, including cross-database/cross-schema function calls, with a dedicated SnowflakeFunctionSchema and payload-driven parameter filtering

Security

This release extends DreamFactory's security hardening to the full connector, auth, and integration surface.

Authentication & Identity

  • df-user: hardened AlternateAuth against filter injection and plaintext/MD5 handling
  • df-oauth: strict redirect-host matching, rejection of credentials embedded in URLs, and constant-time comparison (hash_equals)
  • df-oidc: never trust id_token claims without signature validation; JWKS algorithm allowlist (RS256/RS384/RS512 only)
  • df-saml: JWT requirement for metadata-endpoint access; bumped onelogin/php-saml to ^4.3.1
  • df-adldap: ldap_escape on user-supplied values and sanitized LDAP group-filter fragments
  • df-mcp-server: hardened OAuth flow, daemon shared-secret, and Referrer-Policy
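The three df-oauth/df-oidc controls above (strict redirect-host matching, rejection of credentials embedded in the URL, constant-time comparison, and an RS256/RS384/RS512 algorithm allowlist applied before signature validation) are easy to get wrong, so here is an added illustration of each check. This is example code written for this page, not DreamFactory's own implementation (DreamFactory is PHP; `hmac.compare_digest` stands in for `hash_equals`). The registered host and the sample tokens are constructed for the example.

```python
# Added illustration (Python), not DreamFactory code: DreamFactory is PHP, and
# this reimplements the kind of checks the df-oauth/df-oidc notes describe.
import base64
import hmac
import json
from urllib.parse import urlsplit

# Assumed registered callback host for this example (hypothetical value).
REGISTERED_REDIRECT_HOST = "api.example.internal"

# The release note's JWKS allowlist: RS256/RS384/RS512 only.
ALLOWED_JWS_ALGS = frozenset({"RS256", "RS384", "RS512"})


def redirect_uri_is_valid(uri, registered_host=REGISTERED_REDIRECT_HOST):
    """Strict redirect-host matching: https only, no user:pass@ in the URL,
    and the host must equal the registered host exactly (no suffix tricks)."""
    try:
        parts = urlsplit(uri)
        hostname = parts.hostname  # may raise ValueError on malformed IPv6
    except ValueError:
        return False
    if parts.scheme != "https" or hostname is None:
        return False
    if parts.username is not None or parts.password is not None:
        # e.g. https://api.example.internal@evil.test/ : the registered host
        # is only the userinfo part; the real host is evil.test.
        return False
    return hostname.lower() == registered_host.lower()


def state_matches(expected, received):
    """Constant-time comparison of the OAuth state (PHP: hash_equals)."""
    return hmac.compare_digest(expected.encode(), received.encode())


def b64url_decode(segment):
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def jwt_alg_allowed(token):
    """Reject a JWT whose header alg is not in the RS* allowlist before any
    signature check; this also rejects alg=none and HS256 key-confusion."""
    try:
        header = json.loads(b64url_decode(token.split(".")[0]))
    except (ValueError, IndexError):
        return False
    return isinstance(header, dict) and header.get("alg") in ALLOWED_JWS_ALGS


def make_unsigned_jwt(header):
    """Constructed test input: header + empty payload + empty signature."""
    def enc(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return enc(header) + "." + enc({}) + "."
```

The allowlist check runs on the header alone and deliberately does nothing else: the point is that a token claiming `alg: none` or an HMAC algorithm never reaches the JWKS lookup, so a public key can never be misused as an HMAC secret.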

SQL & Query Injection

  • df-database: validate relationship-filter PK values; quote identifiers in DDL helpers; validate CREATE TABLE options append; harden single-id relationship upsert filter
  • df-sqldb: parameterized MySQL + PostgreSQL getTableConstraints schema lookups and routine/schema metadata lookups
  • df-sqlsrv: quote INOUT parameter values in T-SQL SET statements (dblib/FreeTDS path); parameterize schema-name interpolation; quote identifiers in dropColumns
  • df-oracledb: parameterize OracleSchema lookups; quote dropColumns identifiers
  • df-snowflake: removed eval() from loadParameters; parameterized routine lookups
  • df-salesforce: validate SOQL identifiers before concatenation
  • df-mongodb: reject MongoDB filter operators that execute server-side JavaScript
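Three of the query-injection items above are generic enough to show in a few lines: rejecting MongoDB filter operators that execute server-side JavaScript (df-mongodb), quoting identifiers in DDL helpers (df-database, df-sqlsrv, df-oracledb), and validating SOQL identifiers before concatenation (df-salesforce). The block below is an added illustration for this page, not DreamFactory's PHP code; the operator list and the identifier grammar are this example's assumptions, not the project's exact rules.

```python
# Added illustration (Python), not DreamFactory code (the project is PHP).
import re

# $where runs JavaScript server-side in a find filter; $function and
# $accumulator do so inside aggregation pipelines. Including the latter two is
# an assumption beyond the release note, which names no operators.
JS_OPERATORS = frozenset({"$where", "$function", "$accumulator"})


class QueryRejected(ValueError):
    pass


def reject_js_operators(node, path="filter"):
    """Walk a filter document (nested dicts/lists) and raise on the first
    JS-executing operator, however deeply it is nested under $and/$or/etc."""
    if isinstance(node, dict):
        for key, value in node.items():
            if key in JS_OPERATORS:
                raise QueryRejected(f"{path}.{key} executes server-side JavaScript")
            reject_js_operators(value, f"{path}.{key}")
    elif isinstance(node, list):
        for index, item in enumerate(node):
            reject_js_operators(item, f"{path}[{index}]")
    return node


def filter_is_safe(node):
    try:
        reject_js_operators(node)
    except QueryRejected:
        return False
    return True


def quote_mysql_identifier(name):
    """Backtick-quote an identifier for MySQL DDL, doubling embedded backticks,
    so a user-supplied column name cannot close the quote and append DDL."""
    if "\x00" in name:
        raise QueryRejected("NUL byte in identifier")
    return "`" + name.replace("`", "``") + "`"


# Assumed identifier grammar for SOQL names: letter/underscore start, then
# letters, digits and underscores (covers custom __c/__r suffixes).
SOQL_IDENT = re.compile(r"[A-Za-z_][A-Za-z0-9_]*")


def soql_identifier_is_valid(name):
    """SOQL has no identifier quoting, so names can only be allowlisted.
    Relationship paths (Account.Owner.Name) are checked segment by segment."""
    return all(SOQL_IDENT.fullmatch(seg) for seg in name.split("."))


def build_soql_select(fields, sobject):
    """Concatenate identifiers only after every one of them passes validation."""
    for ident in [*fields, sobject]:
        if not soql_identifier_is_valid(ident):
            raise QueryRejected(f"invalid SOQL identifier: {ident!r}")
    return "SELECT " + ", ".join(fields) + " FROM " + sobject
```

The recursive walk matters more than the operator list: a `$where` hidden inside `$or` or `$expr` is the case a top-level key check misses.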

SSRF, File & Transport Safety

  • df-soap: SSRF, TLS-bypass, and symlink-traversal hardening
  • df-file: refuse zip entries that escape the extraction target (zip-slip); refuse asFullPath() results that escape the storage root
  • df-email: validate URL imports; configurable, hardened allowlist for the Local mailer executable
  • df-scheduler: gate crontab install to CLI only, lock it, and escape the path
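The two df-file items (refusing zip entries that escape the extraction target, and refusing resolved paths that escape the storage root) are the same containment check applied at two points. The block below is an added illustration for this page, not df-file's PHP code: it resolves each candidate path and requires it to remain under the root, which also catches symlinks inside the root that point outside it. The archive it inspects is constructed in memory.

```python
# Added illustration (Python), not DreamFactory code (df-file is PHP).
import io
import tempfile
import zipfile
from pathlib import Path


class PathEscape(ValueError):
    pass


def resolve_within(root, relative):
    """Resolve `relative` against `root` and require the result to stay under
    root. resolve() normalises '..' and follows symlinks, so a symlink inside
    the storage root that points outside it is caught as well; an absolute
    `relative` replaces root entirely under pathlib and is rejected too."""
    root = Path(root).resolve()
    candidate = (root / relative).resolve()
    try:
        candidate.relative_to(root)
    except ValueError:
        raise PathEscape(f"{relative!r} resolves outside {root}") from None
    return candidate


def path_is_within(root, relative):
    try:
        resolve_within(root, relative)
    except PathEscape:
        return False
    return True


def planned_destinations(archive, target):
    """Compute every entry's destination before writing anything; one bad
    entry aborts the whole extraction rather than leaving a partial one."""
    return [resolve_within(target, info.filename) for info in archive.infolist()]


def archive_is_safe(archive, target):
    try:
        planned_destinations(archive, target)
    except PathEscape:
        return False
    return True


def extract_safely(archive, target):
    """Extract only after every entry has passed the containment check."""
    dests = planned_destinations(archive, target)
    for info, dest in zip(archive.infolist(), dests):
        if info.is_dir():
            dest.mkdir(parents=True, exist_ok=True)
            continue
        dest.parent.mkdir(parents=True, exist_ok=True)
        dest.write_bytes(archive.read(info))
    return dests


def build_archive(entries):
    """Constructed in-memory archive for the example: {arcname: content}."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, content in entries.items():
            zf.writestr(name, content)
    buf.seek(0)
    return zipfile.ZipFile(buf)


def build_zip_slip_archive():
    """One benign entry plus a classic zip-slip entry."""
    return build_archive({
        "docs/readme.txt": "benign",
        "../../etc/cron.d/evil": "* * * * * root /bin/sh -c id\n",
    })


def demo():
    """Extract a benign archive into a fresh temp dir and return the relative
    paths written, plus whether the zip-slip archive would be accepted."""
    target = Path(tempfile.mkdtemp(prefix="df-extract-"))
    written = extract_safely(build_archive({"docs/readme.txt": "ok", "a/b.txt": "ok"}), target)
    names = sorted(str(p.relative_to(target.resolve())) for p in written)
    return names, archive_is_safe(build_zip_slip_archive(), target)
```

Checking every entry before the first write is the part worth copying: an extractor that validates and writes entry by entry leaves partially extracted content on disk when the malicious entry is not the first one.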

Secrets & Logging

  • df-logger: redact credentials before shipping log payloads to a remote aggregator
  • df-cache: unit-separator delimiter in cache keys to prevent key collisions
  • df-limits: bucket numeric/UUID/hash path segments in the rate-limit endpoint key (prevents key explosion)
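The three items above are small but easy to illustrate together: credential redaction before a log payload leaves the host (df-logger), a unit-separator delimiter so that joined cache-key parts cannot collide (df-cache), and bucketing of numeric, UUID and hash path segments so the rate-limit key space stays bounded (df-limits). The block is an added illustration for this page, not DreamFactory's PHP code; the sensitive-key list, the placeholder names and the sample payload are this example's own.

```python
# Added illustration (Python), not DreamFactory code (df-logger, df-cache and
# df-limits are PHP); the key names and patterns are this example's own.
import re

# Keys whose values are never shipped off-host (assumed list).
SENSITIVE_KEY = re.compile(
    r"password|passwd|secret|api[_-]?key|token|authorization|private[_-]?key", re.I)
REDACTED = "[REDACTED]"


def redact(payload):
    """Recursively blank credential-like fields in a log payload; values that
    carry an HTTP auth scheme are masked even under an unremarkable key."""
    if isinstance(payload, dict):
        return {k: REDACTED if SENSITIVE_KEY.search(str(k)) else redact(v)
                for k, v in payload.items()}
    if isinstance(payload, list):
        return [redact(v) for v in payload]
    if isinstance(payload, str) and payload.lower().startswith(("bearer ", "basic ")):
        return payload.split(" ", 1)[0] + " " + REDACTED
    return payload


# Unit separator (0x1f) does not occur in ordinary key parts, so joined keys
# cannot collide the way ':'-joined ones can ("a:b"+"c" vs "a"+"b:c").
UNIT_SEP = "\x1f"


def cache_key(*parts):
    return UNIT_SEP.join(str(p) for p in parts)


UUID_SEG = re.compile(r"[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}", re.I)
HASH_SEG = re.compile(r"[0-9a-f]{16,}", re.I)  # md5/sha1/sha256-style segments


def bucket_segment(segment):
    """Collapse volatile path segments so one endpoint yields one key."""
    if segment.isdigit():
        return "{n}"
    if UUID_SEG.fullmatch(segment):
        return "{uuid}"
    if HASH_SEG.fullmatch(segment):
        return "{hash}"
    return segment


def rate_limit_key(method, path):
    """Rate-limit key for an endpoint: method plus the bucketed path, joined
    with the unit separator like any other cache key."""
    segments = [bucket_segment(s) for s in path.split("/") if s]
    return cache_key("limit", method.upper(), "/" + "/".join(segments))


SAMPLE_LOG_EVENT = {  # constructed sample payload
    "user": "alice",
    "password": "hunter2",
    "headers": {"Authorization": "Bearer eyJhbGciOiJSUzI1NiJ9.e30.sig", "X-Trace": "Bearer abc"},
    "services": [{"api_key": "k-123"}, {"note": "ok"}],
}
```

Without bucketing, a per-endpoint limiter keyed on the raw path issues a fresh counter for every record id a client touches, which both defeats the limit and grows the cache without bound.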

Data Layer

MongoDB Driver Modernization

  • df-mongodb (0.22.1) and df-mongo-logs (1.3.1) migrated from the abandoned jenssegers/mongodb to the maintained mongodb/laravel-mongodb ^5.7. The mongodb connection driver name and LOGSDB_* variables are unchanged — existing Mongo services and logging keep working without configuration changes.
  • df-mongodb: preserved nested field paths (no longer rewrites _id.Id_id), maintaining correct dot notation

Connector Fixes

  • df-sqlsrv: fixed null values in Additional SQL Statements causing service errors at startup
  • df-sqldb (pgsql): correctly detect primary keys when loading columns
  • df-databricks: fixed connector creation; removed a dead reserved-keyword class (Function) that could trigger a PHP parse error
  • df-dremio: fixed connector installation issues
  • df-azure-ad: fixed get/set inheritance for role-per-app fields
  • df-email: allow the default sendmail transport
  • df-logger: correct Monolog v3 log-level integer conversion

Admin UI Fixes

  • Event Scripts: fixed the "Add path to file" radio button not saving state and not clearing service details in the event-script service config screen
  • API Docs: pinned swagger-ui to 4.15.5 to restore the API Docs UI
  • Overview tiles navigate on first click and remain stable across dashboard pages; category pages render before data loads; clicks no longer blocked by the loading overlay
  • AI UI: corrected camelCase form-key handling, hid ai_service_id/ai_role_id when type is ai_chat, stopped sending the masked api_key, improved light-mode legibility, and aligned font sizing
  • Performance: reduced navigation churn and cached AI usage lookup datasets

Platform & Compatibility

Laravel 13 Forward-Compatibility

  • Every package was updated for Laravel 13 compatibility (e.g., replacing the removed Connection::withTablePrefix() with the L13 Grammar($this) constructor in df-sqlsrv, and replacing dispatchNow() with Bus::dispatchSync() in df-script)
  • df-core adds PHP 8.5 readiness fixes (autoload preloading and incomplete-class guards around cached schema/CORS reads)

Upgrade Notes

  • Security fixes are cumulative — upgrading is recommended for all deployments. This release hardens SQL injection, SSRF, LDAP/SOQL injection, server-side-JS injection, zip-slip, JWT/JWKS validation, secret logging, and crontab handling across ~20 packages.
  • Platform baseline is unchanged from 7.5.0 (PHP 8.3 / Laravel 11). No host-level upgrade is required — this is an in-place upgrade. All packages are now Laravel 13-ready, but 7.6.0 ships on the validated L11 stack.
  • MongoDB driver swap: df-mongodb and df-mongo-logs now use mongodb/laravel-mongodb instead of the deprecated jenssegers/mongodb. The mongodb connection driver name and LOGSDB_* variables are unchanged; ensure the mongodb PHP extension is present (already included in the official Docker images).
  • MongoDB field paths: nested _id field paths are now preserved in dot notation. If you built downstream logic around the previous _id.Id_id rewrite, re-verify those queries.
  • OIDC/SAML hardening: OIDC now enforces id_token signature validation and an RS256/384/512 JWKS allowlist; SAML requires a JWT for metadata-endpoint access and bumps onelogin/php-saml. Verify identity-provider configurations after upgrading.
  • Standard upgrade process applies for all other changes. Existing services, roles, and API keys are preserved.

Breaking Changes

  • df-mongodb now uses mongodb/laravel-mongodb driver (requires PHP mongodb extension) but retains connection name and LOGSDB_* variables

Security Fixes

  • Hardened AlternateAuth against filter injection and plaintext/MD5 handling in df-user
  • df-oauth strict redirect‑host matching and constant‑time comparison (hash_equals)
  • df-oidc enforces id_token signature validation with RS256/384/512 JWKS allowlist
  • df-saml requires JWT for metadata endpoint access; bumped onelogin/php-saml to ^4.3.1
  • df-adldap sanitizes LDAP group‑filter fragments using ldap_escape
  • SQL injection mitigations across df-database, df-sqldb, df-sqlsrv, df-oracledb, df-snowflake, df-salesforce, df-mongodb (rejects JS execution operators)
  • SSRF hardening in df-soap; zip‑slip prevention and full‑path validation in df-file
  • Secret redaction in df-logger before remote aggregation


About DreamFactory

Turns any SQL, NoSQL or structured data source into a RESTful API.
