0.5.0 Release Notes

Release date: 2026-06-19

Summary

0.5.0 introduces a production-ready security gateway layer with JWT authentication, a YAML policy engine for multi-tenant query filter injection, token-bucket rate limiting, hot-reloaded policy rules, and query templates. It also adds standalone FUSION statement syntax, late-interaction multivector (ColBERT/ColPali), a high-throughput JSON payload converter (including a Python SDK HTTP client interceptor), and a Streamlit Security Playground web console.

106 files changed. 16,176 insertions, 1,080 deletions across 35 commits.

Highlights

Security Gateway & AST Filter Injection

The Connect RPC gateway now enforces resource access controls, tenant isolation, and audit logging at the AST level:

JWT Verification — Validates tokens against JWKS supporting RSA, EC, and Ed25519.
AST Transformation Policy Engine — Parses QQL into ASTs, checks claims, merges policy constraints recursively into AST query filters (supports =, !=, in, not_in) before plan compilation.
Policy Reloading & Rate Limiting — Zero-restart YAML reloading via fsnotify, token-bucket rate limiting per caller subject.
Audit Logging — Structured JSON audit logs via context-passed logging.

Late-Interaction Multivector Support

Multivector Collection

CREATE COLLECTION docs ( dense VECTOR(384, COSINE), colbert VECTOR(128, COSINE) WITH MULTIVECTOR (comparator = 'max_sim') WITH HNSW (m = 0) )

Standalone `FUSION` Statements

Standalone FUSION

WITH dense AS (QUERY 'care' USING dense LIMIT 200), sparse AS (QUERY 'care' USING sparse LIMIT 300) FUSION RRF LIMIT 10 PREFETCH (dense, sparse)

Payload Converter & SDK Interceptor

qql-go convert — Translates raw REST JSON payloads (stdin, file, or HTTP request format) to equivalent QQL.
110-payload regression suite — all_payloads.json covers PDF retrieval, 3-level nested prefetch, score_threshold, offset, group_by, 2D multivector query, wrapped endpoints, batch mixed recommend+search, insert with named vectors.
SDK Interceptor — Python HTTP hook (sdks/python/qql_intercept.py) intercepting standard python SDK calls and translating them into QQL queries.
ConvertJSONBytesToQQL — pkg/qql exposes zero-allocation []byte API to skip string copies on high-throughput paths.

Red-Teaming Core Gaps Closed

Hardened the compiler, parser, and execution plan engine:

Recursive Scoping — Subqueries inside nested CTE chains recursively inherit parent scopes for correct execution plan compilation.
Named Vector Updates — Support custom target vector mutations: UPDATE collection SET VECTOR 'vector_name' = [...] WHERE id = <id>.
Zero Division Default Value — Adds default divisor support: a / b [default=0.0].
Decay Function Validations — Validates constant parameters and supports decay keywords as an alias for midpoint inside decay functions.

Behavior Hardening & Constraints

Feature	Change Description
Unquoted Payload Keys	Unquoted keys colliding with QQL reserved keywords (like `type`, `limit`, `using`) inside `INSERT` payload maps now raise parsing errors. Use quoted keys instead (`{'type': 'document'}`).
Non-Constant Decay Parameters	Non-constant expressions passed to decay `scale`, `midpoint`, or `decay` parameters now fail fast at compilation time instead of failing silently.
UUID format leniency	`ToPointID` falls back to `NewIDUUID` if string point IDs fail uint64 parsing, allowing mock IDs (e.g. `pt-1`) in CLI scripts.

Validation

Terminal

go run docs/dev_tasks.go release-validate --version 0.5.0 [1/4] Version sync...        OK [2/4] Quality checks...      OK (gofmt, go vet, go test, go build) [3/4] Building binary...     OK [4/4] Binary version...      qql-go version 0.5.0 — OK

Known Limits

Full Changelog

See CHANGELOG.md.