# Backwards Incompatible Changes
This version adds support for mutual TLS authentication. Because Dolt SQL server now requests an optional client certificate, and will validate it if a client sends one, if customers have been sending an invalid client cert when connecting to a Dolt SQL server, that cert will now be validated and the connection will be refused.
Per Dolt’s versioning policy, this is a minor version bump because these changes may impact existing applications. Please reach out to us on GitHub or Discord if you have questions or need help with any of these changes.
Merged PRs
dolt

10082: go: sqle/dsess: autoincrement_tracker.go: Fix race condition in initialization.

When initializing the autoincrement_tracker, we look at the current value of the autoincrement sequence on the table across every branch. We do this concurrently, and take the highest value we find as the initial value to use across the dolt run.

This fixes a race condition which would cause us to calculate the wrong highest value across all branches.
10077: unsafe Tuple methods

Use the unsafe packages to read from ItemAccess and Tuple.GetField.

Additionally removes intermediate buffers when not necessary.
10076: Add a dolt checkout section to AGENT.md

Coding agents seem to assume that dolt checkout and call dolt_checkout() are sticky across SQL sessions. This causes agents to often write to main instead of their intended branch. This is an attempt to mitigate that behavior.
10072: Optionally enable branch activity stats

The branch_activity_table slows down the sql-server by 3%, so now you need to enable it if you want it to be functional.
10067: Add support for configuring a server's CA cert, and BATS tests for client-cert auth

Adds a new field in config.yaml to specify the certificate authority for a Dolt sql-server to use when validating client certificates. Also adds BATS tests for testing client-cert based authentication.

Note: the authentication logic for client-cert based auth lives in the go-mysql-server package, but the tests live in the dolt package. In the future, it would be ideal to move these tests to live in and run with go-mysql-server and then get reused to test dolt as well.

Depends on: Validate connection security properties dolthub/go-mysql-server#3298

Related to: Implement client certificate authentication dolthub/dolt#10008

go-mysql-server

3304: Support table functions with non-literal arguments in subqueries and lateral joins

This PR fixes several issues that prevent table functions from evaluating correctly when they take non-literal arguments and appear in subqueries or lateral joins.

8a5f5821120ca8b5306628cd18ad493f87a28413 fixes a problem where references to an outer scope that appear in the topmost scope of a subquery won't cause the subquery to be marked as containing out-of-scope references.
This caused the subquery to be seen as cacheable even though it isn't, which could cause incorrect query results
This also caused the analyzer to incorrectly generate a CrossJoin instead of a LateralCrossJoin, which would then cause the join planner to commute the join children even though it was not safe to do so. This would ultimately cause an out-of-bounds field access while building the table function.
0147ad3c3e522fa36552944d15adb1425cb22c1c fixes two other issues where join planning would drop the Lateral marker during join planning, resulting in generating a CrossJoin instead of a LateralCrossJoin
0e2b6da9d20228a9f3255b2b532f97eae9f34b80 fixes an oversight in the LateralCrossJoin RowIter that was causing rows from the parent and left scopes to not be passed into the right child

All three of these changes are required together in order to properly evaluate the newly added test queries.


3302: Wrap nullable hoisted filter in IsTrue

fixes dolthub/dolt#10070

Filters that evaluate to null in an EXISTS or IN subquery context should be treated the same as false. When hoisted out of the subquery, nullable filters need to be wrapped in an IsTrue expression to ensure that they are still treated the same as false when they evaluate to null.

Not doing so was causing a bug where rows were being dropped from NOT EXISTS if the filter evaluated to null. Since the filter expression was evaluated to null, the NOT expression wrapping it would evaluate to null as well. This caused the filter iterator to reject the row because it did not evaluate to true. Wrapping the filter expression with IsTrue ensures that nulls are then evaluated to false, which will then evaluate to true with NOT.
3298: Validate connection security properties

Extends authentication handlers to validate additional connection properties (e.g. SSL, X509 client cert, cert issuer, cert subject) when additional connection constraints have been configured for a user.

Note: tests for this functionality are in Add support for configuring a server's CA cert, and BATS tests for client-cert auth dolthub/dolt#10067

Related to Implement client certificate authentication dolthub/dolt#10008

Closed Issues

10079: Audit EXTRACT function to ensure it returns the correct values for 0, false, and true
9735: log function doesn't handle strings the same as MySql
10070: Unexpected Result in ANTI-JOIN

View the full release notes at https://github.com/dolthub/dolt/releases/tag/v1.77.0.