(v1.4.5) update READMEs, bug fix, and bump version to v1.4.5

Author: rookiestar28

README.md

@@ -7,12 +7,115 @@ A continuous, real-time runtime diagnostics suite for ComfyUI featuring **LLM-po
 ## Latest Updates (Jan 2026)
 
 <details>
-<summary><strong>Update (v1.4.1, Jan 2026)</strong> - Click to expand</summary>
+<summary><strong>🔴 Major Fix: R0/R13 Pipeline Governance & Plugin Security (v1.4.5)</strong></summary>
+
+**Security Hardening:**
+
+- **SSRF Protection++**: Replaced substring checks with host/port parsing; blocked outbound redirects (`allow_redirects=False`)
+- **Outbound Sanitization Funnel**: Single boundary (`outbound.py`) ensuring all external payloads are sanitized; `privacy_mode=none` only for verified local LLMs
+
+**Plugin Trust System:**
+
+- **Safe-by-default**: Plugins disabled by default, requires explicit allowlist + manifest/SHA256
+- **Trust Taxonomy**: `trusted | unsigned | untrusted | blocked` classification
+- **Filesystem Hardening**: realpath containment, symlink rejection, size limits, strict filename rules
+- **Optional HMAC Signature**: Shared-secret integrity verification (not public-key signing)
+
+**Pipeline Governance:**
+
+- **Metadata Contract**: Schema versioning + end-of-run validation + quarantine for invalid keys
+- **Dependency Policy**: `requires/provides` enforcement; missing deps → stage skipped, status `degraded`
+- **Logger Backpressure**: `DroppingQueue` with priority-aware eviction + drop metrics
+- **Prestartup Handoff**: Clean logger uninstall before SmartLogger takes over
+
+**Observability:**
+
+- `/doctor/health` endpoint with queue metrics, drop counters, SSRF blocks, pipeline status
+
+**Test Results**: 159 Python tests passed | 17 Phase 2 gate tests
+
+</details>
+
+---
+
+<details>
+<summary><strong>🟡 Enhancement: T11/T12/A8 - CI Gates & Plugin Tooling</strong></summary>
+
+**T11 - Phase 2 Release CI Gate:**
+
+- GitHub Actions workflow (`phase2-release-gate.yml`) enforcing 4 pytest suites + E2E
+- Local validator script (`scripts/phase2_gate.py`) with `--fast` and `--e2e` modes
+
+**T12 - Outbound Safety Static Checker:**
+
+- AST-based analyzer (`scripts/check_outbound_safety.py`) detecting bypass patterns
+- 6 detection rules: `RAW_FIELD_IN_PAYLOAD`, `DANGEROUS_FALLBACK`, `POST_WITHOUT_SANITIZATION`, etc.
+- CI workflow + 8 unit tests + documentation (`docs/OUTBOUND_SAFETY.md`)
+
+**A8 - Plugin Migration Tooling:**
+
+- `scripts/plugin_manifest.py`: Generate manifest with SHA256 hash
+- `scripts/plugin_allowlist.py`: Scan plugins and suggest config
+- `scripts/plugin_validator.py`: Validate manifests and config
+- `scripts/plugin_hmac_sign.py`: Optional HMAC signature generation
+- Documentation: `docs/PLUGIN_MIGRATION.md`, `docs/PLUGIN_GUIDE.md` updates
+
+</details>
+
+---
+
+<details>
+<summary><strong>🟡 Enhancement: S1/S3 - CSP Documentation & Telemetry</strong></summary>
+
+**S1 - CSP Compliance Documentation:**
+
+- Verified all assets load locally (`web/lib/`); CDN URLs are fallback-only
+- Added "CSP Compatibility" section to README
+- Code audit complete (manual verification pending)
+
+**S3 - Local Telemetry Infrastructure:**
+
+- Backend: `telemetry.py` with TelemetryStore, RateLimiter, PII detection
+- 6 API endpoints: `/doctor/telemetry/{status,buffer,track,clear,export,toggle}`
+- Frontend: Settings UI controls for telemetry management
+- Security: Origin check (403 cross-origin), 1KB payload limit, field whitelist
+- **Default OFF**: No recording/network until explicitly enabled
+- 81 i18n strings (9 keys × 9 languages)
+
+**Test Results**: 27 telemetry unit tests | 8 E2E tests
+
+</details>
+
+---
+
+<details>
+<summary><strong>🟡 Enhancement: E2E Runner Hardening & Trust/Health UI</strong></summary>
+
+**E2E Runner Hardening (WSL `/mnt/c` Support):**
+
+- Fixed Playwright transform cache permission issues on WSL
+- Added writable temp dir under repo (`.tmp/playwright`)
+- `PW_PYTHON` override for cross-platform compatibility
+
+**Trust & Health UI Panel:**
+
+- Added "Trust & Health" panel in Settings tab
+- Displays: pipeline_status, ssrf_blocked, dropped_logs
+- Plugin trust list with badges and reasons
+- `GET /doctor/plugins` scan-only endpoint (no code import)
+
+**Test Results**: 61/61 E2E tests | 159/159 Python tests
+
+</details>
+
+---
+
+<details>
+<summary><strong>🟢 Previous Update (v1.4.0)</strong></summary>
 
 - A7 Preact migration completed across Phases 5A–5C (Chat/Stats islands, registry, shared rendering, robust fallbacks).
-- F15 Resolution Marking UI: mark the latest error as Resolved/Unresolved/Ignored from Statistics; status persists and reflects on load.
-- Integration hardening: fixed resolution_status plumbing and strengthened Playwright E2E coverage.
-- UI fixes: Locate Node button persistence and sidebar tooltip timing.
+- Integration hardening: strengthened Playwright E2E coverage.
+- UI fixes: Sidebar tooltip timing.
 
 </details>
 

i18n.py

@@ -232,14 +232,19 @@
         "status_update_failed": "Failed to update status",
         # S3: Telemetry UI
         "telemetry_label": "Anonymous Telemetry",
-        "telemetry_description": "Send anonymous usage data to help improve Doctor",
+        "telemetry_description": "Send anonymous usage data to help improve Doctor (Under Construction)",
         "telemetry_view_buffer": "View Buffer",
         "telemetry_clear_all": "Clear All",
         "telemetry_export": "Export",
         "telemetry_buffer_count": "Currently buffered: {n} events",
         "telemetry_upload_none": "Upload destination: None (local only)",
         "telemetry_cleared": "Telemetry buffer cleared",
         "telemetry_confirm_clear": "Clear all telemetry data?",
+        # Trust & Health Panel (Phase 2)
+        "trust_health_title": "Trust & Health",
+        "trust_health_hint": "Fetch /doctor/health and plugin trust report (scan-only).",
+        "refresh_btn": "Refresh",
+        "plugins_none_found": "No plugins found.",
     },
     "zh_TW": {
         "info_title": "資訊",
@@ -371,14 +376,19 @@
         "status_update_failed": "更新狀態失敗",
         # S3: Telemetry UI
         "telemetry_label": "匿名遙測",
-        "telemetry_description": "發送匿名使用資料以幫助改善 Doctor",
+        "telemetry_description": "發送匿名使用資料以幫助改善 Doctor (建設中)",
         "telemetry_view_buffer": "查看緩衝區",
         "telemetry_clear_all": "全部清除",
         "telemetry_export": "匯出",
         "telemetry_buffer_count": "目前緩衝：{n} 個事件",
         "telemetry_upload_none": "上傳目的地：無（僅本地）",
         "telemetry_cleared": "遙測緩衝區已清除",
         "telemetry_confirm_clear": "清除所有遙測資料？",
+        # Trust & Health Panel (Phase 2)
+        "trust_health_title": "信任與健康",
+        "trust_health_hint": "取得 /doctor/health 與插件信任報告（僅掃描）。",
+        "refresh_btn": "重新整理",
+        "plugins_none_found": "找不到插件。",
     },
     "zh_CN": {
         "info_title": "信息",
@@ -509,14 +519,19 @@
         "status_update_failed": "更新状态失败",
         # S3: Telemetry UI
         "telemetry_label": "匿名遥测",
-        "telemetry_description": "发送匿名使用数据以帮助改进 Doctor",
+        "telemetry_description": "发送匿名使用数据以帮助改进 Doctor (建设中)",
         "telemetry_view_buffer": "查看缓冲区",
         "telemetry_clear_all": "全部清除",
         "telemetry_export": "导出",
         "telemetry_buffer_count": "当前缓冲：{n} 个事件",
         "telemetry_upload_none": "上传目的地：无（仅本地）",
         "telemetry_cleared": "遥测缓冲区已清除",
         "telemetry_confirm_clear": "清除所有遥测数据？",
+        # Trust & Health Panel (Phase 2)
+        "trust_health_title": "信任与健康",
+        "trust_health_hint": "获取 /doctor/health 和插件信任报告（仅扫描）。",
+        "refresh_btn": "刷新",
+        "plugins_none_found": "未找到插件。",
     },
     "ja": {
         "info_title": "情報",
@@ -647,14 +662,19 @@
         "status_update_failed": "ステータスの更新に失敗しました",
         # S3: Telemetry UI
         "telemetry_label": "匿名テレメトリ",
-        "telemetry_description": "Doctor の改善のために匿名の使用データを送信",
+        "telemetry_description": "Doctor の改善のために匿名の使用データを送信 (建設中)",
         "telemetry_view_buffer": "バッファを表示",
         "telemetry_clear_all": "すべてクリア",
         "telemetry_export": "エクスポート",
         "telemetry_buffer_count": "現在バッファ: {n} イベント",
         "telemetry_upload_none": "アップロード先: なし（ローカルのみ）",
         "telemetry_cleared": "テレメトリバッファがクリアされました",
         "telemetry_confirm_clear": "すべてのテレメトリデータをクリアしますか？",
+        # Trust & Health Panel (Phase 2)
+        "trust_health_title": "信頼と健全性",
+        "trust_health_hint": "/doctor/health とプラグイン信頼レポートを取得（スキャンのみ）。",
+        "refresh_btn": "更新",
+        "plugins_none_found": "プラグインが見つかりません。",
     },
     "de": {
         "info_title": "INFO",
@@ -785,14 +805,19 @@
         "status_update_failed": "Status konnte nicht aktualisiert werden",
         # S3: Telemetry UI
         "telemetry_label": "Anonyme Telemetrie",
-        "telemetry_description": "Anonyme Nutzungsdaten senden, um Doctor zu verbessern",
+        "telemetry_description": "Anonyme Nutzungsdaten senden, um Doctor zu verbessern (Im Aufbau)",
         "telemetry_view_buffer": "Puffer anzeigen",
         "telemetry_clear_all": "Alle löschen",
         "telemetry_export": "Exportieren",
         "telemetry_buffer_count": "Aktuell gepuffert: {n} Ereignisse",
         "telemetry_upload_none": "Upload-Ziel: Keins (nur lokal)",
         "telemetry_cleared": "Telemetrie-Puffer geleert",
         "telemetry_confirm_clear": "Alle Telemetriedaten löschen?",
+        # Trust & Health Panel (Phase 2)
+        "trust_health_title": "Vertrauen & Gesundheit",
+        "trust_health_hint": "/doctor/health und Plugin-Vertrauensbericht abrufen (nur Scannen).",
+        "refresh_btn": "Aktualisieren",
+        "plugins_none_found": "Keine Plugins gefunden.",
     },
     "fr": {
         "info_title": "INFO",
@@ -923,14 +948,19 @@
         "status_update_failed": "Échec de la mise à jour du statut",
         # S3: Telemetry UI
         "telemetry_label": "Télémétrie anonyme",
-        "telemetry_description": "Envoyer des données d'utilisation anonymes pour améliorer Doctor",
+        "telemetry_description": "Envoyer des données d'utilisation anonymes pour améliorer Doctor (En construction)",
         "telemetry_view_buffer": "Voir le tampon",
         "telemetry_clear_all": "Tout effacer",
         "telemetry_export": "Exporter",
         "telemetry_buffer_count": "Actuellement en tampon : {n} événements",
         "telemetry_upload_none": "Destination : Aucune (local uniquement)",
         "telemetry_cleared": "Tampon de télémétrie effacé",
         "telemetry_confirm_clear": "Effacer toutes les données de télémétrie ?",
+        # Trust & Health Panel (Phase 2)
+        "trust_health_title": "Confiance et Santé",
+        "trust_health_hint": "Récupérer /doctor/health et le rapport de confiance des plugins (scan uniquement).",
+        "refresh_btn": "Actualiser",
+        "plugins_none_found": "Aucun plugin trouvé.",
     },
     "it": {
         "info_title": "INFO",
@@ -1061,14 +1091,19 @@
         "status_update_failed": "Aggiornamento stato fallito",
         # S3: Telemetry UI
         "telemetry_label": "Telemetria anonima",
-        "telemetry_description": "Invia dati di utilizzo anonimi per migliorare Doctor",
+        "telemetry_description": "Invia dati di utilizzo anonimi per migliorare Doctor (In costruzione)",
         "telemetry_view_buffer": "Visualizza buffer",
         "telemetry_clear_all": "Cancella tutto",
         "telemetry_export": "Esporta",
         "telemetry_buffer_count": "Attualmente nel buffer: {n} eventi",
         "telemetry_upload_none": "Destinazione: Nessuna (solo locale)",
         "telemetry_cleared": "Buffer di telemetria cancellato",
         "telemetry_confirm_clear": "Cancellare tutti i dati di telemetria?",
+        # Trust & Health Panel (Phase 2)
+        "trust_health_title": "Fiducia e Salute",
+        "trust_health_hint": "Recupera /doctor/health e rapporto sulla fiducia dei plugin (solo scansione).",
+        "refresh_btn": "Aggiorna",
+        "plugins_none_found": "Nessun plugin trovato.",
     },
     "es": {
         "info_title": "INFO",
@@ -1199,14 +1234,19 @@
         "status_update_failed": "Error al actualizar el estado",
         # S3: Telemetry UI
         "telemetry_label": "Telemetría anónima",
-        "telemetry_description": "Enviar datos de uso anónimos para mejorar Doctor",
+        "telemetry_description": "Enviar datos de uso anónimos para mejorar Doctor (En construcción)",
         "telemetry_view_buffer": "Ver búfer",
         "telemetry_clear_all": "Borrar todo",
         "telemetry_export": "Exportar",
         "telemetry_buffer_count": "Actualmente en búfer: {n} eventos",
         "telemetry_upload_none": "Destino: Ninguno (solo local)",
         "telemetry_cleared": "Búfer de telemetría borrado",
         "telemetry_confirm_clear": "¿Borrar todos los datos de telemetría?",
+        # Trust & Health Panel (Phase 2)
+        "trust_health_title": "Confianza y Salud",
+        "trust_health_hint": "Obtener /doctor/health y reporte de confianza de plugins (solo escaneo).",
+        "refresh_btn": "Actualizar",
+        "plugins_none_found": "No se encontraron plugins.",
     },
     "ko": {
         "info_title": "정보",
@@ -1337,14 +1377,19 @@
         "status_update_failed": "상태 업데이트 실패",
         # S3: Telemetry UI
         "telemetry_label": "익명 텔레메트리",
-        "telemetry_description": "Doctor 개선을 위해 익명 사용 데이터 전송",
+        "telemetry_description": "Doctor 개선을 위해 익명 사용 데이터 전송 (공사 중)",
         "telemetry_view_buffer": "버퍼 보기",
         "telemetry_clear_all": "모두 삭제",
         "telemetry_export": "내보내기",
         "telemetry_buffer_count": "현재 버퍼: {n}개 이벤트",
         "telemetry_upload_none": "업로드 대상: 없음 (로컬만)",
         "telemetry_cleared": "텔레메트리 버퍼 삭제됨",
         "telemetry_confirm_clear": "모든 텔레메트리 데이터를 삭제하시겠습니까?",
+        # Trust & Health Panel (Phase 2)
+        "trust_health_title": "신뢰 및 상태",
+        "trust_health_hint": "/doctor/health 및 플러그인 신뢰 보고서 가져오기(스캔 전용).",
+        "refresh_btn": "새로고침",
+        "plugins_none_found": "플러그인을 찾을 수 없습니다.",
     },
 }
 

pyproject.toml

@@ -1,7 +1,7 @@
 [project]
 name = "comfyui-doctor"
 description = "A real-time runtime diagnostics suite for ComfyUI, featuring interactive debugging chat, and 50+ fix patterns. Automatically intercepts terminal output from startup, and delivers prioritized fix suggestions with node-level context extraction. Now supports JSON-based pattern management with hot-reload and full i18n support for 9 languages."
-version = "1.4.1"
+version = "1.4.5"
 license = {text = "MIT"}
 readme = "README.md"
 requires-python = ">=3.10"