Releases: rookiestar28/ComfyUI-Doctor

v1.7.0

27 Feb 09:48

ComfyUI-Doctor v1.7.0

Highlights

This release delivers two major improvements:

  • New end-user diagnostics workflows (community feedback and data-driven signature packs)
  • Stronger security boundaries across write APIs, outbound networking, and server-side secrets

New Features

Quick Community Feedback (GitHub PR)

  • Added a new Quick Community Feedback panel in the Statistics tab.
  • Added backend APIs:
    • POST /doctor/feedback/preview
    • POST /doctor/feedback/submit
  • Supports sanitized payload preview before submit.
  • Supports append-only feedback files and server-side GitHub PR creation flow.
  • Added regression and E2E coverage for preview/submit paths.

Data-Driven Diagnostics Signature Packs

  • Added JSON-based signature pack architecture for proactive diagnostics.
  • Added schema + loader/validator + builtin pack data.
  • Signature matches now include machine-readable metadata (confidence + provenance) for better traceability.
  • Added dedicated validation and runtime cap test coverage.

Sidebar i18n Expansion

  • Localized newly added sidebar items and flows related to:
    • Quick Community Feedback
    • Advanced Key Store related UI text
  • Improved multilingual consistency for newly introduced controls and status strings.

Security and Hardening

Unified Admin Guard for Write-Sensitive Routes

  • Consolidated write-sensitive endpoints under consistent admin authorization behavior.
  • Includes state mutation routes such as:
    • statistics resolution update
    • telemetry clear/toggle
    • health issue acknowledgment
    • resumable job mutation (resume / cancel)
  • Reduces route-level auth drift and prevents inconsistent protection gaps.

SSRF DNS-Rebinding Hardening

  • Extended outbound URL validation with DNS resolution checks.
  • Added fail-closed behavior for resolution failures/timeouts.
  • Blocks hostnames resolving to restricted/private/metadata IP ranges.
  • Added deterministic regression coverage for DNS-rebinding patterns.
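
The DNS-resolution check described above, sketched as an added example (not ComfyUI-Doctor's own code). The function names, reason strings and `CONSTRUCTED_DNS` answers are assumptions made for illustration; the resolver is injectable so the rebinding cases can be tested offline and deterministically.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

def is_restricted(addr):
    """True for private, loopback, link-local (cloud metadata) and similar ranges."""
    try:
        ip = ipaddress.ip_address(addr.split("%")[0])  # drop any IPv6 zone id
    except ValueError:
        return True                                    # unparseable answer: fail closed
    ip = getattr(ip, "ipv4_mapped", None) or ip        # unwrap ::ffff:a.b.c.d
    return (ip.is_private or ip.is_loopback or ip.is_link_local
            or ip.is_multicast or ip.is_reserved or ip.is_unspecified)

def system_resolver(host, port):  # real lookup; raises OSError on failure or timeout
    return [ai[4][0] for ai in socket.getaddrinfo(host, port, type=socket.SOCK_STREAM)]

# Constructed DNS answers so the example runs without network access.
CONSTRUCTED_DNS = {"api.example.test": ["93.184.216.34"],
                   "rebind.example.test": ["93.184.216.34", "10.0.0.5"],
                   "meta.example.test": ["169.254.169.254"]}

def constructed_resolver(host, port):
    if host in CONSTRUCTED_DNS:
        return CONSTRUCTED_DNS[host]
    raise socket.gaierror("constructed NXDOMAIN")

def check_outbound_url(url, resolver=system_resolver):
    """Return (allowed, reason); every uncertain outcome is a block."""
    try:
        parts = urlsplit(url)
        host, port = parts.hostname, parts.port  # .port raises ValueError if invalid
    except ValueError:
        return False, "bad_url"
    if parts.scheme not in ("http", "https") or not host:
        return False, "bad_url"
    try:
        ipaddress.ip_address(host)
        addrs = [host]                           # IP literal: nothing to resolve
    except ValueError:
        try:
            addrs = resolver(host, port)
        except OSError:                          # gaierror and timeouts both land here
            return False, "resolution_failed"
    if not addrs:
        return False, "resolution_failed"
    blocked = any(is_restricted(a) for a in addrs)  # one bad record blocks the host
    return (False, "restricted_ip") if blocked else (True, "ok")
```

Validation alone leaves a gap between the check and the connection; connecting to the address that was validated, rather than resolving the name a second time, closes it.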

Server Secret Store Hardening

  • Added optional encryption-at-rest support for server-side secret storage.
  • Preserved backward compatibility with legacy plaintext file migration behavior.
  • Added stronger Windows ACL hardening path (best-effort).
  • Added stricter guard paths for missing encryption prerequisites.

Outbound Proxy Trust Boundary Hardening

  • Shared outbound HTTP session no longer inherits ambient proxy environment variables by default.
  • Added explicit proxy policy control:
    • secure default: strict_off
    • explicit opt-in: inherit_env
  • Added runtime diagnostics visibility of effective proxy policy in /doctor/health.

Dependency and Maintenance Updates

  • Security dependency update:
    • Bumped rollup to 4.59.0 (Dependabot PR merged).
  • README and localized docs were synced/fixed for recently shipped features.

Upgrade Notes

  • If your deployment relies on environment proxy variables, explicitly enable proxy inheritance via policy configuration.
  • Write-sensitive API integrations should ensure admin credentials/tokens are supplied consistently.
  • For stronger secret protection in shared/production environments, configure encryption-at-rest key settings instead of relying on plaintext fallback behavior.

Validation Summary

  • Added targeted tests for:
    • admin guard route coverage
    • SSRF DNS behavior
    • secret store encryption/ACL behavior
    • outbound proxy policy and trust_env wiring
    • feedback PR flow
    • diagnostics signature packs
  • Full project validation gate passed during implementation:
    • detect-secrets
    • pre-commit all hooks
    • backend full unit tests
    • frontend Playwright E2E

v1.6.5

16 Feb 20:04

ComfyUI-Doctor v1.6.5

Highlights

  • Added fail-closed external enrichment safety foundation (policy + confirmation + redacted audit).
  • Added resumable long-job APIs with checkpoint persistence.
  • Added runtime guardrails (ENV-driven) and wired them into core runtime paths.
  • Expanded validation coverage (desktop failure-injection, isolation contracts, opt-in online API lane).
  • Enforced full pre-push test gate (failed tests block push).

Key Changes

  • New APIs:
    • GET /doctor/jobs/{job_id}
    • POST /doctor/jobs/{job_id}/resume
    • POST /doctor/jobs/{job_id}/cancel
    • GET /doctor/providers/{provider_id}/status
  • LLM output cleanup applied to /doctor/analyze and non-stream /doctor/chat.
  • Runtime guardrails are now runtime-only (not persisted to config.json).
  • Sidebar header now shows version/repository metadata more reliably.
  • Added Node Health scoring to statistics output.

Dev/Test

  • Added one-command full-test scripts:
    • Windows: scripts/run_full_tests_windows.ps1 (.venv)
    • Linux/WSL: scripts/run_full_tests_linux.sh (.venv-wsl on WSL)
  • Scripts bootstrap required tooling (pre-commit, detect-secrets, Playwright Chromium).
  • Added git pre-push hook gate running mandatory full tests.

Notes

  • Streaming chunk-level hidden-marker cleanup remains a follow-up item.
  • Online provider tests are opt-in (RUN_ONLINE_API_TESTS=true) and safe-skip without credentials.

v1.6.3

10 Feb 07:47

Dual-Mode API Key Strategy Release

  • Implemented Dual-Mode API Key Strategy: frontend no longer persists API keys; the input is session-only by default.
  • Added a default-collapsed Advanced Key Store (server-side) section with explicit save/delete actions and provider status badges.
  • Backend key resolution now prioritizes request key → provider-specific ENV → generic ENV → optional server store.
  • Legacy frontend-stored keys are migrated once to runtime memory, then cleared from persisted settings.
  • UI includes inline risk guidance: server-side storage uses plaintext secrets.json; ENV remains the recommended path.

v1.6.0

23 Jan 15:03

  • Desktop/Portable/Git-clone robustness hardening: all persistence now writes to one canonical Doctor data dir (history, logs, telemetry, config, diagnostics), with best‑effort legacy migration.
  • Frontend stability improvements: safer UI text loading + settings persistence behavior aligned with ComfyUI/CI test harness.
  • Statistics upgrades: reset button for error statistics and unbounded history support (with guardrails/notes in implementation).
  • Trust & Health moved into Statistics: fetch /doctor/health and show plugin trust report (scan-only) from the Statistics tab.
  • Anonymous Telemetry moved into Statistics: toggle + view buffer/clear/export controls.
  • F14 Proactive Diagnostics: intent detection + diagnostics banner/stage badges in Statistics to help identify likely workflow intent and common issues faster.
  • T14 Frontend unit tests: added Vitest-based unit test suite to reduce regression risk beyond E2E.

v1.5.5

15 Jan 17:27

Statistics Reset + Smarter AI Prompts + Statistics Tab Consolidation

  • Added a Reset control in the Statistics tab to clear error history and restart stats tracking (POST /doctor/statistics/reset).

  • Moved Trust & Health and Anonymous Telemetry from Settings → Statistics (Telemetry remains opt-in and local-only).

  • Improved AI debugging context: summary-first prompting and better error context extraction; Chat auto-analysis now sends a concise summary instead of pasting the full traceback as the user message (full context is still provided via backend error_context).

  • Hardened frontend reliability with error boundaries and related UI stability improvements.

  • Improved E2E/WSL2 developer experience with updated SOP and Playwright stability fixes (route cleanup, timeouts, artifact handling).

v1.5.0 - Smart Token Budget Management

10 Jan 15:56

v1.5.0 New Features:

R6: Exponential Backoff Retry

  • Automatic retry for transient LLM API failures (429, 5xx errors)
  • Configurable retry attempts (default: 3) with exponential backoff
  • Jitter support to prevent thundering herd effects
  • Per-provider retry settings via config.py

R7: Streaming Timeout Protection

  • Chunk-level timeout monitoring for SSE streams
  • Automatic stream termination on stall detection (default: 30s)
  • Graceful error messaging when timeout occurs
  • Prevents UI hang on unresponsive LLM providers

R12: Smart Token Budget Management

  • Remote providers: Automatic context trimming to fit token limits (4.5K soft / 6K hard)
  • Local providers: Opt-in gentle trimming with higher limits (12K / 16K)
  • Progressive trimming strategy: workflow pruning → system info removal → traceback truncation
  • Enhanced observability metadata: by-section token breakdown, step-by-step tracking
  • A/B validation harness for quality assurance

v1.4.5

09 Jan 14:53

This release introduces significant enhancements in ecosystem security, pipeline governance, and observability (R0, R13). It also includes new CI gates (T11, T12) and essential tooling for the upcoming plugin migration (A8), along with optional local telemetry (S3).

🔴 Major Fix: Pipeline Governance & Plugin Security (R0/R13)

A comprehensive security hardening update focusing on server-side request forgery (SSRF) protection and a new plugin trust system.

Security Hardening:

  • SSRF Protection++: Replaced substring checks with robust Host/Port parsing. Blocked all outbound redirects (allow_redirects=False) to prevent evasion.
  • Outbound Sanitization Funnel: Introduced a single boundary (outbound.py) to ensure ALL external payloads are sanitized. privacy_mode=none usage is now restricted to verified local LLMs only.

Plugin Trust System:

  • Safe-by-default: Plugins are now disabled by default and require an explicit Allowlist entry plus a Manifest with SHA256 hash.
  • Trust Taxonomy: Plugins are classified as trusted, unsigned, untrusted, or blocked.
  • Filesystem Hardening: Implemented strict containment via realpath, symlink rejection, file size limits, and rigorous filename rules.
  • Optional HMAC Signature: Added support for shared-secret integrity verification (distinct from public-key signing).
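
How these checks can combine into a single scan-only decision, as an added example (not the project's implementation). The manifest layout, the size and filename limits, and the mapping of each outcome to `trusted`, `unsigned`, `untrusted` or `blocked` are assumptions; the release notes name the labels but do not define them.

```python
import hashlib
import hmac
import os
import re
import tempfile

MAX_BYTES = 256 * 1024                              # assumed size limit
NAME_RE = re.compile(r"[a-z][a-z0-9_]{0,63}\.py")   # assumed filename rule

def classify_plugin(root, name, allowlist, manifest, key=None):
    """Classify a plugin file by reading it only; nothing is imported."""
    path = os.path.join(root, name)
    if not NAME_RE.fullmatch(name) or os.path.islink(path):
        return "blocked"                            # bad name or symlink
    if os.path.dirname(os.path.realpath(path)) != os.path.realpath(root):
        return "blocked"                            # resolves outside the plugin dir
    if not os.path.isfile(path) or os.path.getsize(path) > MAX_BYTES:
        return "blocked"
    entry = manifest.get(name)
    if name not in allowlist or entry is None:
        return "untrusted"                          # default: not enabled
    with open(path, "rb") as fh:
        digest = hashlib.sha256(fh.read()).hexdigest()
    if not hmac.compare_digest(digest, entry.get("sha256", "")):
        return "untrusted"                          # content differs from manifest
    if key is None or "hmac" not in entry:
        return "unsigned"                           # hash verified, no signature
    mac = hmac.new(key, digest.encode(), hashlib.sha256).hexdigest()
    return "trusted" if hmac.compare_digest(mac, entry["hmac"]) else "untrusted"

def demo():
    """Classify constructed plugin files in a temporary directory."""
    key, body = b"constructed-shared-secret", b"# constructed plugin\n"
    digest = hashlib.sha256(body).hexdigest()
    mac = hmac.new(key, digest.encode(), hashlib.sha256).hexdigest()
    manifest = {"signed.py": {"sha256": digest, "hmac": mac},
                "hashed.py": {"sha256": digest},
                "edited.py": {"sha256": digest}}
    allow = set(manifest)
    with tempfile.TemporaryDirectory() as root:
        for name in ("signed.py", "hashed.py", "stray.py"):
            with open(os.path.join(root, name), "wb") as fh:
                fh.write(body)
        with open(os.path.join(root, "edited.py"), "wb") as fh:
            fh.write(body + b"import os\n")         # modified after manifest was made
        os.symlink(os.path.join(root, "signed.py"), os.path.join(root, "link.py"))
        names = ("signed.py", "hashed.py", "edited.py", "stray.py", "link.py")
        return {n: classify_plugin(root, n, allow, manifest, key) for n in names}
```

An HMAC made with a shared secret shows only that someone holding that secret produced the manifest entry, which is why the notes distinguish it from public-key signing.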

Pipeline Governance:

  • Metadata Contract: Enforced schema versioning and post-run validation with a quarantine mechanism for invalid keys.
  • Dependency Policy: Strict requires/provides enforcement. Missing dependencies cause a stage skip and set status to degraded.
  • Logger Backpressure: Implemented a DroppingQueue with priority-aware eviction and drop metrics to prevent logger-induced bottlenecks.
  • Prestartup Handoff: Ensures a clean uninstall of the standard Logger before SmartLogger takes over.

Observability:

  • New /doctor/health Endpoint: Exposes real-time queue metrics, drop counters, SSRF block counts, and overall pipeline status.

Enhancement: CI Gates & Plugin Tooling (T11/T12/A8)

T11 - Phase 2 Release CI Gate:

  • GitHub Actions: New workflow (phase2-release-gate.yml) enforcing 4 pytest suites + E2E tests.
  • Local Validator: Added scripts/phase2_gate.py supporting --fast and --e2e modes for local pre-flight checks.

T12 - Outbound Safety Static Checker:

  • AST-based Analyzer: New script (scripts/check_outbound_safety.py) detects security bypass patterns.
  • Detection Rules: Covers RAW_FIELD_IN_PAYLOAD, DANGEROUS_FALLBACK, POST_WITHOUT_SANITIZATION, and more.

A8 - Plugin Migration Tooling:

  • Manifest Generator: scripts/plugin_manifest.py for generating SHA256-hashed manifests.
  • Validator & Signer: Scripts for plugin validation (plugin_validator.py) and optional HMAC signing (plugin_hmac_sign.py).

Enhancement: CSP Documentation & Telemetry (S1/S3)

S1 - CSP Compliance:

  • Local Assets: Verified all web assets load from web/lib/. CDN URLs are used strictly as fallbacks.
  • Documentation: Added a "CSP Compatibility" compliance section to the README.

S3 - Local Telemetry Infrastructure (Opt-in):

  • Architecture: telemetry.py backend with TelemetryStore, RateLimiter, and PII scrubbing.
  • Security: Origin checks (403 Forbidden for cross-origin), 1KB payload limits, and strict field allowlists.
  • Privacy: OFF by default. No data recording or network activity occurs unless explicitly enabled by the user.
  • UI: Added settings controls to manage telemetry preferences.

Enhancement: E2E Runner Hardening & Trust UI

E2E Runner Hardening:

  • WSL Support: Fixed Playwright transform cache permission issues on WSL /mnt/c paths.
  • Temp Directory: Added a writable .tmp/playwright directory under the repo root.
  • Cross-Platform: Added PW_PYTHON override support.

Trust & Health UI Panel:

  • New Panel: Added "Trust & Health" section to the Settings tab.
  • Live Metrics: Displays pipeline_status, ssrf_blocked, and dropped_logs.
  • Plugin List: Shows plugin trust status with badges and explicit reasons.
  • Safe Scanning: New GET /doctor/plugins endpoint scans for plugins without importing their code.