docs: enhance Agentics documentation with embedded video by gliozzo · Pull Request #2 · gliozzo/langflow

gliozzo · 2026-03-20T19:03:39Z

Add embedded YouTube tutorial video at the top of the page
Add introductory text for the video
Group research papers under Publications section
Add full academic citations for both Agentics papers
Remove redundant schema table from introduction
Improve overall readability and structure

* Remove hash history Custom component checks will be done directly through the component index. Removing hash history as it no longer fits into any planned functionality. * [autofix.ci] apply automated fixes * baseline format fixes --------- Co-authored-by: autofix-ci[bot] <114827586+autofix-ci[bot]@users.noreply.github.com>

* chore: release nightlies from of release branch in preperation for the new release cycle strategy we will move the nightly to be run off the latest release branch. One caveat worth documenting: When we create the release branch we need to bump the verions for base and main immediately or else the ngihtly will run off the branch but will use a preveious release tag I also do not know how to deal with `merge-hash-history-to-main` in this case * chore: address valid code rabbit comments add clear error when branch does not exist make sure valid inputs is respected in the rest of the jobs/steps release_nightly.yml now uses nightly_tag_release instead of the old nightly_tag_main

* Add upgrade migration check to ci * [autofix.ci] apply automated fixes * Add fetch step * ruff * Add merge migration * Revert "Add merge migration" This reverts commit fd32424. backups * coderabbit suggestions 1. Shell hardening in workflow - set -euo pipefail, full path grep, quoted variables 2. _WORKSPACE_ROOT extracted as module constant (also addresses Cristhianzl's review comment about parents[5] duplication) 3. git missing returns None instead of raising FileNotFoundError 4. # noqa: S603 added to subprocess.run (fixes the Ruff CI failure) 5. FK noise filtering now also compares target table/column, not just ondelete/onupdate 6. Removed redundant git fetch origin main step (fetch-depth: 0 already fetches all branches) 7. Deduplicated Alembic config creation in _get_main_branch_head (moved before the if branch) 8. Simplified dict type hints (removed unnecessary dict[tuple, object]) * test: improve migration tests from PR review feedback - Narrow broad except clause to only wrap subprocess.run call - Add specific error messages for multi-head and unresolvable revisions - Remove redundant hardcoded schema test (covered by compare_metadata) - Fix SQLite FK noise filter to skip ondelete/onupdate comparison - Add downgrade verification to test_upgrade_from_main_branch - Add test file and workflow to CI trigger paths - Add prompt for follow-up PostgreSQL migration test PR Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com> * add engine check on downgrade * [autofix.ci] apply automated fixes * fix: harden CI error handling and test robustness - Set validationPassed=false when validator crashes so CI fails instead of passing silently - Wrap GitHub API calls in try-catch so comment-posting failures don't mask validation results - Preserve git stderr in warnings for better CI debugging - Add defensive handling for unexpected FK constraint shapes in SQLite noise filter - Clean up SQLite WAL/SHM/journal companion files in test teardown * Add explicit fetch to main * ruff * [autofix.ci] apply automated fixes * Add sqlite filter tests and remove redundant fetch --------- Co-authored-by: autofix-ci[bot] <114827586+autofix-ci[bot]@users.noreply.github.com> Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

…gflow-ai#12190) * feat(deployments): unify dynamic payload passthrough across api and adapter * use datatime.timezone for python3.10 compatibility * use appropriate type vars in slots and sanitize error message * tweaks to schemas * use policy to avoid dump churn

…ai#12198) * fix: allow clearing Max Tokens field with Backspace/Delete Empty string input was being converted to 0 via Number(""), which triggered the min-value guard and snapped the field back to 1 before onChange could propagate. Adding an early return for empty input lets the field clear correctly, propagating null (no limit) downstream. * test: add IntComponent tests for handleInputChange clearing behavior Covers the regression where Backspace/Delete was blocked by the min-value guard, and verifies that below-min values still clamp correctly.

…ing sanitization (langflow-ai#12201)

…angflow-ai#12177) * add explicit left/right DataFrame inputs for merge operations * [autofix.ci] apply automated fixes * [autofix.ci] apply automated fixes (attempt 2/3) * [autofix.ci] apply automated fixes * ruff style and checker fixes --------- Co-authored-by: autofix-ci[bot] <114827586+autofix-ci[bot]@users.noreply.github.com>

…ai#12074) * fix: add dict to allowlist preventing TableInput data loss Co-Authored-By: DeyLak <DeyLak@users.noreply.github.com> * test: add regression test for TableInput list[dict] preservation Regression test for: langflow-ai#12062 Co-Authored-By: DeyLak <DeyLak@users.noreply.github.com> --------- Co-authored-by: DeyLak <DeyLak@users.noreply.github.com> Co-authored-by: Cristhian Zanforlin Lousa <cristhian.lousa@gmail.com>

update pyproject versions 1.9.0

1.9.0 nightly fix

* checkout wxo deployment adapter implementation * checkout wxo deps and flow reqs impl * clean up / minor refactor with updated tests * major refactor: split up the implementation into folders and files * clean up logic * refactor and clean up of execution logic, improve type safety of "retry_create" helper, and remove dead code * remove unused wxo service file * remove "provider_name" arg and references * fix: harden watsonx orchestrate deployment adapter for PR readiness - Fix rollback AttributeError when agent_create_response is None - Fix NoneType access on params in list() when called without params - Fix inconsistent error types: use DeploymentNotFoundError in get/update - Fix typo "occured" -> "occurred" in all error prefix messages - Fix variable shadowing of fastapi.status in get_status() - Fix pre-existing test bugs (wrong exception types, stale method refs) - Fix e2e monkey-patching of non-existent service methods - Add structured logging to create, delete, retry, and rollback flows - Add jitter to retry backoff to avoid thundering herd - Add __repr__ to WxOCredentials that fully masks the API key - Extract hard-coded LLM model string to DEFAULT_WXO_AGENT_LLM constant - Remove commented-out snapshot update code - Expand test coverage from 24 to 75 tests covering retry logic, service methods, client auth, utilities, execution/status helpers, and artifact roundtrip * fix(deployment): fix bugs and harden watsonx orchestrate adapter - Fix update method silently discarding changes instead of sending them to the WXO API - Wrap all synchronous SDK calls in asyncio.to_thread to avoid blocking the event loop - Add error handling to get_status (was propagating raw exceptions) - Use DeploymentType enum values instead of raw strings for SUPPORTED_ADAPTER_DEPLOYMENT_TYPES - Fix type annotations in list method (list -> set) - Fix typo in comment (reccomend -> recommend) - Remove dead code: extract_agent_connection_ids, require_exclusive_resource, require_non_empty_string, resolve_health_environment_id, fetch_agent_release_status, normalize_release_status, resolve_lfx_runner_requirement, _pin_requirement_name, sync_langflow_tool_connections, create_langflow_flow_tool, resolve_snapshot_connections, and unused constants - Make assert_create_resources_available and validate_connection async - Make create_agent_run and get_agent_run async - Add tests for list_types, get_status error handling, and update side-effects - Update existing tests for async function signatures * actually remove the dead code from tools.py * properly await "validate_connection" * update e2e test file * add more scenarios to e2e test runner * refactor(watsonx-orchestrate): improve WxOClient encapsulation and error messages Encapsulate SDK private method access and endpoint paths inside WxOClient wrappers so callers never handle raw paths or touch internal _get/_post methods. Route all private HTTP calls through a single _base client auto-created in __post_init__, removing the externally constructed `base` field. Additionally fix double-period and redundant text in error messages produced by the ErrorPrefix + handler pattern, and update E2E/unit assertions to match the sanitised error output. Changes: - types.py: bake endpoint paths into wrapper signatures (post_run, get_run, upload_tool_artifact, get_agents_raw); auto-create _base via __post_init__; remove base from constructor - client.py: drop BaseWXOClient import and base= constructor arg - core/execution.py: pass run_id / query_suffix instead of raw paths - core/tools.py: pass tool_id instead of raw path - service.py: fix double-period in ErrorPrefix interpolation; remove redundant restatements in generic except handlers - tests: update _with_wxo_wrappers helper and test doubles to use _base; update FakeBaseClient._get to accept params - e2e: update rollback scenario detail_contains to match sanitised msg * skip import and tests of wxo adapter if current env is running python 3.10 * clarify random prefix / retry behavior * implement comments * fix: align watsonx adapter with updated deployment schema - Add `deployment_type` parameter to `get`, `update`, `redeploy`, `duplicate`, `delete`, `get_status`, and `undeploy_deployment` in WatsonxOrchestrateDeploymentService to match the updated BaseDeploymentService ABC - Update e2e script to use renamed `add_ids` field on SnapshotDeploymentBindingUpdate * remove non-interface method undeploy_deployment * implement listing configs and snapshots * add update implementation and improve http->deployment error translation and add tests * improve exception handling * checkout payload slot work * custom payload schema for update * new update implementation * stop passing client cache to helpers * add docs for ordereduniquests * improve import patterns and document future risks for wxo dependencies * remove global-variable prefixing of flows * ref: harden typing, DRY helpers, and correctness fixes - Replace `db: Any` with `db: AsyncSession` across client, config, and update_helpers modules - Extract `_ensure_dict` / `ensure_langflow_connections_binding` helpers to eliminate repeated nested-dict safety logic in tools.py and update_helpers.py, with documentation explaining why malformed API payloads are silently corrected rather than rejected - Use `PayloadSlot.parse()` for update payload validation instead of standalone helper; remove `parse_provider_update_payload` - Fix lambda late-binding with default-argument captures in service.py - Use `zip(strict=True)` in update_helpers for defensive mismatch detection - Replace O(n²) duplicate detection with `collections.Counter` in payloads.py - Simplify `dedupe_list` to `list(dict.fromkeys(...))` - Move type-annotation-only imports into TYPE_CHECKING blocks in types.py and config.py - Introduce `UPDATE_MAX_RETRIES` as a distinct constant from `CREATE_MAX_RETRIES` - Fix "watsonX" → "watsonx" casing in error messages - Clarify `get_status` docstring and `validate_connection` error message - Add TODO(deployments-cache) for client cache invalidation on credential updates * ref: drop client cache and adopt typed deployment context across the wxo adapter path, add request-context memoization with strict mixed-context guards, and lazily initialize wxo SDK clients. Add safer credential handling by storing only authenticators in WxOCredentials. Also improve provider error-detail extraction/messages and make the direct wxo E2E conflict scenario diagnostics and expectations more resilient. * use explicit naming for context class; providerId * fix error handling, retry safety, and exception diagnostics in wxo adapter - Raise DeploymentError on empty API responses instead of fabricating fake success in create_agent_run_result and get_agent_run - Elevate rollback failure logging from WARNING to ERROR for alerting - Apply retryable filter to retry_rollback to skip 401/403/409/422 - Preserve exception chains (from exc) instead of suppressing (from None) across service.py, utils.py, execution.py, and update_helpers.py - Broaden credential resolution catch to handle arbitrary DB exceptions - Separate status code dispatch from string heuristics in raise_for_status_and_detail to prevent misclassification - Add tests for all behavioral changes * [autofix.ci] apply automated fixes * fix: harden wxO adapter safety, immutability, and error diagnostics - Make WxOClient and WxOCredentials frozen dataclasses with eager SDK client initialization to eliminate thread-safety races from asyncio.to_thread workers and prevent post-construction mutation - Move instance_url validation and normalization into type __post_init__ - Raise DeploymentError on missing run_id instead of returning partial success with execution_id=None - Preserve exception chains (from exc) instead of suppressing (from None) across create, update, and delete service methods - Add warning logs when _ensure_dict replaces non-dict binding values and when _resolve_lfx_requirement falls back to minimum version - Initialize derived_spec before try block to prevent potential NameError - Log all ToolUploadBatchError errors before re-raising the first - Change SUPPORTED_ADAPTER_DEPLOYMENT_TYPES from mutable set to frozenset - Add tests for 409/422 error mapping in create, unsupported deployment type rejection, empty update rejection, zip artifact extraction paths, validate_connection negative paths, missing run_id, multiple deployment ID rejection, exception chain preservation, and _ensure_dict warning * [autofix.ci] apply automated fixes * fix ruff errors and and todo for status method * fix mypy errors * [autofix.ci] apply automated fixes --------- Co-authored-by: Jordan Frazier <jordan.frazier@datastax.com> Co-authored-by: autofix-ci[bot] <114827586+autofix-ci[bot]@users.noreply.github.com>

fix 1.9.0 nightly

* fix: nightly now properly gets 1.9.0 branch (langflow-ai#12215) before it was attempting to pull release-notes as letters are alphanumerically after numbers when we sort -V then grab tail now we only look at branch names that follow the pattern '^release-[0-9]+\.[0-9]+\.[0-9]+$' * fix(mcp): Add schema-driven type conversion - Add schema-driven type conversion (str→dict, str→int, etc.) - normalize and unflatten tool arguments for MCP servers - Unflatten flattened keys (e.g. params.search) into nested objects * fix(mcp): handle dict type and array type in JSON schema for MCP tools - Support "type": ["string", "null"] (JSON Schema array type) - Normalize required to hashable elements (filter non-string entries) - Add unit tests for create_input_schema_from_json_schema * fix(mcp): map generic object type to dict for free-form params When JSON schema has {"type": "object"} with no properties, treat it as a free-form dict instead of building a nested Pydantic model. This allows MCP servers expecting arbitrary key-value params to receive proper dicts, and enables str→dict conversion via _normalize_arguments_for_mcp. - Add conditional in parse_type: empty properties → dict, else nested model - Add test_create_input_schema_generic_object_maps_to_dict * fix(mcp): exclude None from tool arguments sent to MCP servers * test_mcp: add more tests for datatypes * fix(mcp): parse JSON strings for nested model params (e.g. foreman-mcp) * fix(mcp): refactor _try_convert_value reducing repetition * fix(mcp): add missing tests for remaining use cases * fix(mcp): Fix mapping of None if expected is list, dict or str * Update nightly_build.yml --------- Co-authored-by: Adam-Aghili <149833988+Adam-Aghili@users.noreply.github.com> Co-authored-by: Eric Hare <ericrhare@gmail.com>

langflow-ai#12217) * fix: nightly now properly gets 1.9.0 branch (langflow-ai#12215) before it was attempting to pull release-notes as letters are alphanumerically after numbers when we sort -V then grab tail now we only look at branch names that follow the pattern '^release-[0-9]+\.[0-9]+\.[0-9]+$' * docs: add search icon (langflow-ai#12216) add-back-svg * fix: prevent overwriting user-selected global variables in provider config Previously, the apply_provider_variable_config_to_build_config function would automatically overwrite field values with environment variable keys whenever an env var was present, even if the user had already selected a different global variable. This fix adds a check to only auto-set the environment variable if: - The field is currently empty, OR - The field is not already configured to load from the database This preserves user selections while still providing automatic configuration for new/empty fields. Added comprehensive unit tests to verify: - Auto-setting env vars for empty fields - Preserving user-selected global variables - Overwriting hardcoded values (expected behavior) - Skipping when env var is not set - Applying component metadata correctly * [autofix.ci] apply automated fixes * style: use dictionary comprehension instead of for-loop Fixed PERF403 Ruff style warning by replacing for-loop with dictionary comprehension in update_projects_components_with_latest_component_versions * chore: retrigger CI build * test: improve test coverage and clarity for provider config - Renamed test_apply_provider_config_overwrites_hardcoded_value to test_apply_provider_config_replaces_hardcoded_with_env_var for clarity - Added test_apply_provider_config_idempotent_when_already_set to document idempotent behavior when value already matches env var key - Removed sensitive value from debug log message to prevent potential exposure of API keys or credentials These changes improve test coverage by documenting the no-op scenario and enhance security by avoiding logging of potentially sensitive data. * chore: retrigger CI build --------- Co-authored-by: Adam-Aghili <149833988+Adam-Aghili@users.noreply.github.com> Co-authored-by: Mendon Kissling <59585235+mendonk@users.noreply.github.com> Co-authored-by: Steve Haertel <shaertel@ca.ibm.com> Co-authored-by: autofix-ci[bot] <114827586+autofix-ci[bot]@users.noreply.github.com> Co-authored-by: Eric Hare <ericrhare@gmail.com>

…zation on watsonx test suite (langflow-ai#12212) * fix: Fixed CodeQL security scan about Incomplete URL substring sanitization * fix coderabbitai comments * fix: nightly now properly gets 1.9.0 branch (langflow-ai#12215) before it was attempting to pull release-notes as letters are alphanumerically after numbers when we sort -V then grab tail now we only look at branch names that follow the pattern '^release-[0-9]+\.[0-9]+\.[0-9]+$' * fix failing action * docs: add search icon (langflow-ai#12216) add-back-svg * Revert "Merge branch 'main' into dev-fix-security-code-scan-watsonx" This reverts commit 41eb034, reversing changes made to 4e51f4d. * Revert "Merge branch 'main' into dev-fix-security-code-scan-watsonx" This reverts commit 4e51f4d, reversing changes made to 530bddd. --------- Co-authored-by: Adam-Aghili <149833988+Adam-Aghili@users.noreply.github.com> Co-authored-by: Mendon Kissling <59585235+mendonk@users.noreply.github.com>

…#12230)

* docs-add-lfx-content-to-readme * github-link-syntax * allowlist-blocklist

…12189) * copy-page-component * copy-theme-and-add-button

* fix: nightly now properly gets 1.9.0 branch (langflow-ai#12215) before it was attempting to pull release-notes as letters are alphanumerically after numbers when we sort -V then grab tail now we only look at branch names that follow the pattern '^release-[0-9]+\.[0-9]+\.[0-9]+$' * docs: add search icon (langflow-ai#12216) add-back-svg * initial-content * cut-1.8-release-and-include-next-version * stage-1.8.0-and-next --------- Co-authored-by: Adam-Aghili <149833988+Adam-Aghili@users.noreply.github.com>

* remove-workflows-file-and-script * tag-hidden-endpoints * update-scripts-and-specs * fix: nightly now properly gets 1.9.0 branch (langflow-ai#12215) before it was attempting to pull release-notes as letters are alphanumerically after numbers when we sort -V then grab tail now we only look at branch names that follow the pattern '^release-[0-9]+\.[0-9]+\.[0-9]+$' * docs: add search icon (langflow-ai#12216) add-back-svg --------- Co-authored-by: Adam-Aghili <149833988+Adam-Aghili@users.noreply.github.com> Co-authored-by: Debojit Kaushik <Kaushik.debojit@gmail.com>

langflow-ai#12227) * fix(security): prevent arbitrary file write via path traversal in file uploads * [autofix.ci] apply automated fixes --------- Co-authored-by: Janardan S Kavia <janardanskavia@Janardans-MacBook-Pro.local> Co-authored-by: autofix-ci[bot] <114827586+autofix-ci[bot]@users.noreply.github.com>

…oring (langflow-ai#12241) Add AI coding agent skills for code review, testing, and refactoring

…2221) * feat: add Windows support for Playwright tests in nightly builds - Add windows-latest as runner option in typescript_test.yml - Update Playwright browser installation to be OS-aware (Windows doesn't support --with-deps) - Add matrix strategy to nightly_build.yml to run tests on both Linux and Windows - Update Slack notifications to indicate multi-platform testing - Tests now run in parallel on ubuntu-latest and windows-latest This enables catching Windows-specific regressions early in the nightly build process. * fix: add shell: bash to all script steps for Windows compatibility Windows runners default to PowerShell which doesn't understand bash syntax. All steps with bash scripts now explicitly specify shell: bash to ensure cross-platform compatibility. * feat: make Windows Playwright tests non-blocking initially Add continue-on-error for Windows tests to allow nightly builds to succeed even if Windows-specific issues are found. This gives us visibility into Windows bugs without blocking releases. Windows tests will still run every night and report failures, but won't block the build. Once Windows tests are stable, we can remove this flag. * chore: fix white space chore: fix white space * fix: replace matrix strategy with separate jobs for Windows Playwright tests - GitHub Actions reusable workflows don't support matrix strategy - Split frontend-tests into frontend-tests-linux and frontend-tests-windows - Windows tests are non-blocking (continue-on-error: true) - Updated all job dependencies and Slack notification logic - Addresses PR review comment about matrix limitation * chore: trigger workflow validation refresh --------- Co-authored-by: Adam Aghili <Adam.Aghili@ibm.com>

…angflow-ai#12232) * fix: Foreign key violation on span table * Potential fix for pull request finding Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com> * Potential fix for pull request finding Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com> * address review comments --------- Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com>

…pdates (langflow-ai#12252) * fix: use deepcopy to prevent shared reference mutation in component updates Copies template data via deepcopy when updating project components to prevent mutations from leaking between projects through all_types_dict. Also fixes edge updates to use the copied project data and adds cloneDeep in the frontend templatesGenerator. * fix: deepcopy mutable FIELD_FORMAT_ATTRIBUTES and add coverage test - Add deepcopy on field_dict[attr] assignment (line 192) to prevent shared references for mutable attributes like input_types, options, and fileTypes leaking back into all_types_dict - Add test_update_components_does_not_mutate_field_format_attributes to verify the fix covers the FIELD_FORMAT_ATTRIBUTES update path

* feat: upgrade to LangChain 1.0 - langchain ~=1.2.0 - langchain-core ~=1.2.3 - langchain-community ~=0.4.1 Updated all langchain-* integration packages to versions compatible with langchain-core 1.0+. * feat(lfx): add langchain-classic dependency for legacy agent classes LangChain 1.0 removed AgentExecutor and related classes to langchain-classic. This adds the dependency to maintain backward compatibility. * refactor(lfx): update imports for LangChain 1.0 compatibility - Move AgentExecutor, agent creators from langchain to langchain_classic - Move AsyncCallbackHandler from langchain.callbacks to langchain_core.callbacks - Move Chain, BaseChatMemory from langchain to langchain_classic - Update LANGCHAIN_IMPORT_STRING for code generation * fix(lfx): make sqlalchemy import lazy in session_scope LangChain 1.0 no longer includes sqlalchemy as a transitive dependency. Move the import inside the function where it's used to avoid import errors when sqlalchemy is not installed. * chore: update uv.lock for langchain-classic * feat: enable nv-ingest optional dependencies for langchain 1.0 - Uncomment nv-ingest-api and nv-ingest-client, update to >=26.1.0 (no longer has openai version conflict) - Bump datasets from <4.0.0 to <5.0.0 to allow fsspec>=2025.5.1 required by nv-ingest - Update mlx-vlm TODO comment with accurate blocking reason * chore: update nv-ingest to 26.1.1 nv-ingest 26.1.1 removes the openai dependency, resolving the conflict with langchain-openai>=1.0.0 (which requires openai>=1.109.1). Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com> * feat: enable mlx and mlx-vlm dependencies for langchain 1.0 opencv-python 4.13+ now supports numpy>=2, resolving the conflict with langchain-aws>=1.0.0 (which requires numpy>=2.2 on Python 3.12+). Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com> * style: fix import order in callback.py Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com> * refactor: update imports to use langchain_classic for agent modules * [autofix.ci] apply automated fixes * fix: remove .item() calls in knowledge_bases.py * fix(lfx): import BaseMemory from langchain_classic for langchain 1.0 * [autofix.ci] apply automated fixes * [autofix.ci] apply automated fixes (attempt 2/3) * refactor: update deprecated langchain imports for langchain 1.0 - langchain.callbacks.base -> langchain_core.callbacks.base - langchain.tools -> langchain_core.tools - langchain.schema -> langchain_core.messages/documents - langchain.chains -> langchain_classic.chains - langchain.retrievers -> langchain_classic.retrievers - langchain.memory -> langchain_classic.memory - langchain.globals -> langchain_core.globals - langchain.docstore -> langchain_core.documents - langchain.prompts -> langchain_core.prompts Also simplified GoogleGenerativeAIEmbeddingsComponent to use native langchain-google-genai 4.x which now supports output_dimensionality. * [autofix.ci] apply automated fixes * fix: add _to_int helper for pandas sum() compatibility across Python versions * fix: update langfuse>=3.8.0 and fix cuga_agent.py (langflow-ai#11519) * fix: update langfuse>=3.8.0 and fix cuga_agent.py * [autofix.ci] apply automated fixes * [autofix.ci] apply automated fixes (attempt 2/3) --------- Co-authored-by: autofix-ci[bot] <114827586+autofix-ci[bot]@users.noreply.github.com> * feat: implement LangFuseTracer for langfuse v3 API compatibility and add unit tests * fix: upgrade cuga to 0.2.9 for langchain 1.0 compatibility * fix: improve error handling and return value in get_langchain_callback method * fix: update package versions for compatibility and improvements * [autofix.ci] apply automated fixes * [autofix.ci] apply automated fixes (attempt 2/3) * [autofix.ci] apply automated fixes (attempt 3/3) * fix: update langwatch dependency to version 0.10.0 for compatibility * fix: update environment variable for Langfuse host to LANGFUSE_BASE_URL * Update dependency versions in Youtube Analysis project - Downgraded googleapiclient from 2.188.0 to 2.154.0 - Updated langchain_core from 1.2.7 to 1.2.9 - Updated fastapi from 0.128.1 to 0.128.5 - Downgraded youtube_transcript_api from 1.2.4 to 1.2.3 - Changed langchain_core version from 1.2.7 to 0.3.81 - Cleared input_types in model selection # Conflicts: # src/backend/base/langflow/initial_setup/starter_projects/Basic Prompt Chaining.json # src/backend/base/langflow/initial_setup/starter_projects/Basic Prompting.json # src/backend/base/langflow/initial_setup/starter_projects/Blog Writer.json # src/backend/base/langflow/initial_setup/starter_projects/Custom Component Generator.json # src/backend/base/langflow/initial_setup/starter_projects/Document Q&A.json # src/backend/base/langflow/initial_setup/starter_projects/Financial Report Parser.json # src/backend/base/langflow/initial_setup/starter_projects/Hybrid Search RAG.json # src/backend/base/langflow/initial_setup/starter_projects/Image Sentiment Analysis.json # src/backend/base/langflow/initial_setup/starter_projects/Instagram Copywriter.json # src/backend/base/langflow/initial_setup/starter_projects/Invoice Summarizer.json # src/backend/base/langflow/initial_setup/starter_projects/Knowledge Retrieval.json # src/backend/base/langflow/initial_setup/starter_projects/Market Research.json # src/backend/base/langflow/initial_setup/starter_projects/Meeting Summary.json # src/backend/base/langflow/initial_setup/starter_projects/Memory Chatbot.json # src/backend/base/langflow/initial_setup/starter_projects/News Aggregator.json # src/backend/base/langflow/initial_setup/starter_projects/Nvidia Remix.json # src/backend/base/langflow/initial_setup/starter_projects/Pokédex Agent.json # src/backend/base/langflow/initial_setup/starter_projects/Portfolio Website Code Generator.json # src/backend/base/langflow/initial_setup/starter_projects/Price Deal Finder.json # src/backend/base/langflow/initial_setup/starter_projects/Research Agent.json # src/backend/base/langflow/initial_setup/starter_projects/Research Translation Loop.json # src/backend/base/langflow/initial_setup/starter_projects/SEO Keyword Generator.json # src/backend/base/langflow/initial_setup/starter_projects/SaaS Pricing.json # src/backend/base/langflow/initial_setup/starter_projects/Search agent.json # src/backend/base/langflow/initial_setup/starter_projects/Sequential Tasks Agents.json # src/backend/base/langflow/initial_setup/starter_projects/Simple Agent.json # src/backend/base/langflow/initial_setup/starter_projects/Social Media Agent.json # src/backend/base/langflow/initial_setup/starter_projects/Text Sentiment Analysis.json # src/backend/base/langflow/initial_setup/starter_projects/Travel Planning Agents.json # src/backend/base/langflow/initial_setup/starter_projects/Twitter Thread Generator.json # src/backend/base/langflow/initial_setup/starter_projects/Vector Store RAG.json # src/backend/base/langflow/initial_setup/starter_projects/Youtube Analysis.json * fix: handle InvalidRequestError during session rollback * update projects * ⚡️ Speed up method `LangFuseTracer.end` by 141% in PR langflow-ai#11114 (`feat/langchain-1.0`) (langflow-ai#11682) Optimize LangFuseTracer.end The optimized code achieves a **140% speedup** (8.23ms → 3.42ms) through two complementary optimizations: ## 1. Fast-path for Common Primitives in `serialize()` **What changed:** Added an early-exit check that returns immutable primitives (`str`, `int`, `float`, `bool`) directly when no truncation or special handling is needed: ```python if max_length is None and max_items is None and not to_str: if isinstance(obj, (str, int, float, bool)): return obj ``` **Why it's faster:** - The profiler shows `_serialize_dispatcher()` consumed **81.5% of runtime** in the original code (40.4ms out of 49.6ms) - This optimization reduced dispatcher calls from **8,040 to 1,013** (~87% reduction), as primitives now bypass the expensive pattern-matching dispatcher entirely - The fast-path check itself is extremely cheap: just two quick conditionals and an `isinstance()` check against a tuple of built-in types **When it helps:** This optimization is particularly effective for workloads with many primitive values in dictionaries and lists—which is exactly what the tracing use case provides (metadata dicts with strings, numbers, booleans). ## 2. Eliminate Redundant Serialization in `LangFuseTracer.end()` **What changed:** Serialize `inputs`, `outputs`, and `metadata` once each, then reuse the results: ```python inputs_ser = serialize(inputs) outputs_ser = serialize(outputs) metadata_ser = serialize(metadata) if metadata else None ``` **Why it's faster:** - The original code called `serialize()` **6 times total** (3 for `.update()` + 3 for `.update_trace()`) - The optimized version calls it **3 times**, then passes the cached results - Profiler shows the time spent in `serialize()` calls dropped from **72.2ms to 31.2ms** (~57% reduction) - This is pure elimination of redundant work—the same dictionaries were being serialized twice with identical results **Impact on workloads:** The `test_end_multiple_iterations_calls_end_each_time` test (500 iterations) demonstrates this matters in hot paths. If `LangFuseTracer.end()` is called frequently during flow execution, avoiding duplicate serialization provides compounding benefits. ## Combined Effect Both optimizations target the serialization bottleneck from different angles: - The fast-path reduces the cost of *each* serialize call by ~75% for primitive-heavy data - The caching reduces the *number* of serialize calls by 50% Together, they deliver the observed 140% speedup, with the optimization being especially effective for the common case of metadata dictionaries containing mostly primitive types. Co-authored-by: codeflash-ai[bot] <148906541+codeflash-ai[bot]@users.noreply.github.com> * refactor: reorder imports and simplify serialization logic for primitives * [autofix.ci] apply automated fixes * fix: update google dependency version to 0.4.0 in component_index.json * [autofix.ci] apply automated fixes * [autofix.ci] apply automated fixes (attempt 2/3) * fix: pin z3-solver<4.15.7 to restore Linux wheels for Docker build z3-solver 4.15.7 dropped manylinux wheels, causing the Docker build to fail when trying to compile from source. Temporary pin until codeflash is removed. * [autofix.ci] apply automated fixes * fix: update google dependency version to 0.4.0 * [autofix.ci] apply automated fixes * fix: update langchain_core version to 1.2.17 in multiple starter project JSON files * [autofix.ci] apply automated fixes * [autofix.ci] apply automated fixes (attempt 2/3) * fix: update deprecated langchain imports to langchain_classic for 1.0 compatibility * fix: align langchain-chroma version in optional chroma dependency group * fix: nightly now properly gets 1.9.0 branch (langflow-ai#12215) before it was attempting to pull release-notes as letters are alphanumerically after numbers when we sort -V then grab tail now we only look at branch names that follow the pattern '^release-[0-9]+\.[0-9]+\.[0-9]+$' * docs: add search icon (langflow-ai#12216) add-back-svg * [autofix.ci] apply automated fixes * [autofix.ci] apply automated fixes (attempt 2/3) * feat: fall back to langchain_classic for pre-1.0 imports in user components Old flows using removed langchain imports (e.g. langchain.memory, langchain.schema, langchain.chains) now resolve via langchain_classic at two levels: module-level for entirely removed modules, and attribute-level for removed attributes in modules that still exist in langchain 1.0. New langchain 1.0 imports are never affected since fallbacks only trigger on import failure. * urllib parse module import bug * Update component_index.json * [autofix.ci] apply automated fixes * chore: rebuild component index * [autofix.ci] apply automated fixes --------- Co-authored-by: Claude Opus 4.5 <noreply@anthropic.com> Co-authored-by: autofix-ci[bot] <114827586+autofix-ci[bot]@users.noreply.github.com> Co-authored-by: Harold Ship <harold.ship@gmail.com> Co-authored-by: codeflash-ai[bot] <148906541+codeflash-ai[bot]@users.noreply.github.com> Co-authored-by: Adam-Aghili <149833988+Adam-Aghili@users.noreply.github.com> Co-authored-by: Mendon Kissling <59585235+mendonk@users.noreply.github.com> Co-authored-by: Eric Hare <ericrhare@gmail.com>

langflow-ai#12224) Pass github.event.pull_request.head.ref through env: instead of interpolating it directly into run: shell steps. This prevents bash from evaluating command substitutions embedded in malicious branch names before input validation runs. Co-authored-by: Janardan Singh Kavia <janardankavia@ibm.com>

…angflow-ai#12025) * fix: Fixes Kubernetes deployment crash on runtime_port parsing (langflow-ai#11968) (langflow-ai#11975) * feat: add runtime port validation for Kubernetes service discovery * test: add unit tests for runtime port validation in Settings * fix: improve runtime port validation to handle exceptions and edge cases Co-authored-by: Gabriel Luiz Freitas Almeida <gabriel@logspace.ai> * fix(frontend): show delete option for default session when it has messages (langflow-ai#11969) * feat: add documentation link to Guardrails component (langflow-ai#11978) * feat: add documentation link to Guardrails component * [autofix.ci] apply automated fixes --------- Co-authored-by: autofix-ci[bot] <114827586+autofix-ci[bot]@users.noreply.github.com> * feat: traces v0 (langflow-ai#11689) (langflow-ai#11983) * feat: traces v0 v0 for traces includes: - filters: status, token usage range and datatime - accordian rows per trace Could add: - more filter options. Ecamples: session_id, trace_id and latency range * fix: token range * feat: create sidebar buttons for logs and trace add sidebar buttons for logs and trace remove lods canvas control * fix: fix duplicate trace ID insertion hopefully fix duplicate trace ID insertion on windows * fix: update tests and alembic tables for uts update tests and alembic tables for uts * chore: add session_id * chore: allo grouping by session_id and flow_id * chore: update race input output * chore: change run name to flow_name - flow_id was flow_name - trace_id now flow_name - flow_id * facelift * clean up and add testcases * clean up and add testcases * merge Alembic detected multiple heads * [autofix.ci] apply automated fixes * improve testcases * remodel files * chore: address gabriel simple changes address gabriel simple changes in traces.py and native.py * clean up and testcases * chore: address OTel and PG status comments langflow-ai#11689 (comment) langflow-ai#11689 (comment) * chore: OTel span naming convention model name is now set using name = f"{operation} {model_name}" if model_name else operation * add traces * feat: use uv sources for CPU-only PyTorch (langflow-ai#11884) * feat: use uv sources for CPU-only PyTorch Configure [tool.uv.sources] with pytorch-cpu index to avoid ~6GB CUDA dependencies in Docker images. This replaces hardcoded wheel URLs with a cleaner index-based approach. - Add pytorch-cpu index with explicit = true - Add torch/torchvision to [tool.uv.sources] - Add explicit torch/torchvision deps to trigger source override - Regenerate lockfile without nvidia/cuda/triton packages - Add required-environments for multi-platform support * fix: update regex to only replace name in [project] section The previous regex matched all lines starting with `name = "..."`, which incorrectly renamed the UV index `pytorch-cpu` to `langflow-nightly` during nightly builds. This caused `uv lock` to fail with: "Package torch references an undeclared index: pytorch-cpu" The new regex specifically targets the name field within the [project] section only, avoiding unintended replacements in other sections like [[tool.uv.index]]. * style: fix ruff quote style * fix: remove required-environments to fix Python 3.13 macOS x86_64 CI The required-environments setting was causing hard failures when packages like torch didn't have wheels for specific platform/Python combinations. Without this setting, uv resolves optimistically and handles missing wheels gracefully at runtime instead of failing during resolution. --------- * LE-270: Hydration and Console Log error (langflow-ai#11628) * LE-270: add fix hydration issues * LE-270: fix disable field on max token on language model --------- * test: add wait for selector in mcp server tests (langflow-ai#11883) * Add wait for selector in mcp server tests * [autofix.ci] apply automated fixes * Add more awit for selectors * [autofix.ci] apply automated fixes --------- * fix: reduce visual lag in frontend (langflow-ai#11686) * Reduce lag in frontend by batching react events and reducing minimval visual build time * Cleanup * [autofix.ci] apply automated fixes * add tests and improve code read * [autofix.ci] apply automated fixes * Remove debug log --------- * feat: lazy load imports for language model component (langflow-ai#11737) * Lazy load imports for language model component Ensures that only the necessary dependencies are required. For example, if OpenAI provider is used, it will now only import langchain_openai, rather than requiring langchain_anthropic, langchain_ibm, etc. * Add backwards-compat functions * [autofix.ci] apply automated fixes * [autofix.ci] apply automated fixes (attempt 2/3) * Add exception handling * [autofix.ci] apply automated fixes * [autofix.ci] apply automated fixes * [autofix.ci] apply automated fixes * [autofix.ci] apply automated fixes * [autofix.ci] apply automated fixes * [autofix.ci] apply automated fixes (attempt 2/3) * comp index * docs: azure default temperature (langflow-ai#11829) * change-azure-openai-default-temperature-to-1.0 * [autofix.ci] apply automated fixes * [autofix.ci] apply automated fixes (attempt 2/3) * [autofix.ci] apply automated fixes (attempt 3/3) * [autofix.ci] apply automated fixes --------- * [autofix.ci] apply automated fixes * [autofix.ci] apply automated fixes (attempt 2/3) * [autofix.ci] apply automated fixes * [autofix.ci] apply automated fixes * [autofix.ci] apply automated fixes * [autofix.ci] apply automated fixes (attempt 2/3) * fix unit test? * add no-group dev to docker builds * [autofix.ci] apply automated fixes --------- * feat: generate requirements.txt from dependencies (langflow-ai#11810) * Base script to generate requirements Dymanically picks dependency for LanguageM Comp. Requires separate change to remove eager loading. * Lazy load imports for language model component Ensures that only the necessary dependencies are required. For example, if OpenAI provider is used, it will now only import langchain_openai, rather than requiring langchain_anthropic, langchain_ibm, etc. * Add backwards-compat functions * [autofix.ci] apply automated fixes * [autofix.ci] apply automated fixes (attempt 2/3) * Add exception handling * Add CLI command to create reqs * correctly exclude langchain imports * Add versions to reqs * dynamically resolve provider imports for language model comp * Lazy load imports for reqs, some ruff fixes * Add dynamic resolves for embedding model comp * Add install hints * Add missing provider tests; add warnings in reqs script * Add a few warnings and fix install hint * update comments add logging * Package hints, warnings, comments, tests * [autofix.ci] apply automated fixes * [autofix.ci] apply automated fixes (attempt 2/3) * [autofix.ci] apply automated fixes (attempt 3/3) * Add alias for watsonx * Fix anthropic for basic prompt, azure mapping * [autofix.ci] apply automated fixes * [autofix.ci] apply automated fixes (attempt 2/3) * ruff * [autofix.ci] apply automated fixes * test formatting * ruff * [autofix.ci] apply automated fixes --------- * fix: add handle to file input to be able to receive text (langflow-ai#11825) * changed base file and file components to support muitiple files and files from messages * update component index * update input file component to clear value and show placeholder * updated starter projects * [autofix.ci] apply automated fixes * updated base file, file and video file to share robust file verification method * updated component index * updated templates * fix whitespaces * [autofix.ci] apply automated fixes * [autofix.ci] apply automated fixes (attempt 2/3) * add file upload test for files fed through the handle * [autofix.ci] apply automated fixes * added tests and fixed things pointed out by revies * update component index * fixed test * ruff fixes * Update component_index.json * [autofix.ci] apply automated fixes * [autofix.ci] apply automated fixes (attempt 2/3) * [autofix.ci] apply automated fixes (attempt 3/3) * updated component index * updated component index * removed handle from file input * Added functionality to use multiple files on the File Path, and to allow files on the langflow file system. * [autofix.ci] apply automated fixes * fixed lfx test * build component index --------- * docs: Add AGENTS.md development guide (langflow-ai#11922) * add AGENTS.md rule to project * change to agents-example * remove agents.md * add example description * chore: address cris I1 comment address cris I1 comment * chore: address cris I5 address cris I5 * chore: address cris I6 address cris I6 * chore: address cris R7 address cris R7 * fix testcase * chore: address cris R2 address cris R2 * restructure insight page into sidenav * added header and total run node * restructing branch * chore: address gab otel model changes address gab otel model changes will need no migration tables * chore: update alembic migration tables update alembic migration tables after model changes * add empty state for gropu sessions * remove invalid mock * test: update and add backend tests update and add backend tests * chore: address backend code rabbit comments address backend code rabbit comments * chore: address code rabbit frontend comments address code rabbit frontend comments * chore: test_native_tracer minor fix address c1 test_native_tracer minor fix address c1 * chore: address C2 + C3 address C2 + C3 * chore: address H1-H5 address H1-H5 * test: update test_native_tracer update test_native_tracer * fixes * chore: address M2 address m2 * chore: address M1 address M1 * dry changes, factorization * chore: fix 422 spam and clean comments fix 422 spam and clean comments * chore: address M12 address M12 * chore: address M3 address M3 * chore: address M4 address M4 * chore: address M5 address M5 * chore: clean up for M7, M9, M11 clean up for M7, M9, M11 * chore: address L2,L4,L5,L6 + any test address L2,L4,L5 and L6 + any test * chore: alembic + comment clean up alembic + comment clean up * chore: remove depricated test_traces file remove depricated test_traces file. test have all been moved to test_traces_api.py * fix datetime * chore: fix test_trace_api ge=0 is allowed now fix test_trace_api ge=0 is allowed now * chore: remove unused traces cost flow remove unused traces cost flow * fix traces test * fix traces test * fix traces test * fix traces test * fix traces test * chore: address gabriels otel coment address gabriels otel coment latest --------- Co-authored-by: Olayinka Adelakun <olayinkaadelakun@Olayinkas-MacBook-Pro.local> Co-authored-by: Olayinka Adelakun <olayinkaadelakun@mac.war.can.ibm.com> Co-authored-by: autofix-ci[bot] <114827586+autofix-ci[bot]@users.noreply.github.com> Co-authored-by: Ram Gopal Srikar Katakam <44802869+RamGopalSrikar@users.noreply.github.com> Co-authored-by: Claude Opus 4.5 <noreply@anthropic.com> Co-authored-by: olayinkaadelakun <olayinka.adelakun@ibm.com> Co-authored-by: Jordan Frazier <122494242+jordanrfrazier@users.noreply.github.com> Co-authored-by: cristhianzl <cristhian.lousa@gmail.com> Co-authored-by: Hamza Rashid <74062092+HzaRashid@users.noreply.github.com> Co-authored-by: Mendon Kissling <59585235+mendonk@users.noreply.github.com> Co-authored-by: Lucas Oliveira <62335616+lucaseduoli@users.noreply.github.com> Co-authored-by: Edwin Jose <edwin.jose@datastax.com> Co-authored-by: Himavarsha <40851462+HimavarshaVS@users.noreply.github.com> * fix(test): Fix superuser timeout test errors by replacing heavy clien… (langflow-ai#11982) fix(test): Fix superuser timeout test errors by replacing heavy client fixture (langflow-ai#11972) * fix super user timeout test error * fix fixture db test * remove canary test * [autofix.ci] apply automated fixes * flaky test --------- Co-authored-by: Cristhian Zanforlin Lousa <cristhian.lousa@gmail.com> Co-authored-by: autofix-ci[bot] <114827586+autofix-ci[bot]@users.noreply.github.com> * refactor(components): Replace eager import with lazy loading in agentics module (langflow-ai#11974) Co-authored-by: autofix-ci[bot] <114827586+autofix-ci[bot]@users.noreply.github.com> * fix: add ondelete=CASCADE to TraceBase.flow_id to match migration (langflow-ai#12002) * fix: add ondelete=CASCADE to TraceBase.flow_id to match migration The migration file creates the trace table's flow_id foreign key with ondelete="CASCADE", but the model was missing this parameter. This mismatch caused the migration validator to block startup. Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com> * fix: add defensive migration to ensure trace.flow_id has CASCADE Adds a migration that ensures the trace.flow_id foreign key has ondelete=CASCADE. While the original migration already creates it with CASCADE, this provides a safety net for any databases that may have gotten into an inconsistent state. * fix: dynamically find FK constraint name in migration The original migration did not name the FK constraint, so it gets an auto-generated name that varies by database. This fix queries the database to find the actual constraint name before dropping it. --------- Co-authored-by: Claude Opus 4.5 <noreply@anthropic.com> * fix: LE-456 - Update ButtonSendWrapper to handle building state and improve button functionality (langflow-ai#12000) * fix: Update ButtonSendWrapper to handle building state and improve button functionality * fix(frontend): rename stop button title to avoid Playwright selector conflict The "Stop building" title caused getByRole('button', { name: 'Stop' }) to match two elements, breaking Playwright tests in shards 19, 20, 22, 25. Renamed to "Cancel" to avoid the collision with the no-input stop button. * Fix: pydantic fail because output is list, instead of a dict (langflow-ai#11987) pydantic fail because output is list, instead of a dict Co-authored-by: Olayinka Adelakun <olayinkaadelakun@Olayinkas-MacBook-Pro.local> * refactor: Update guardrails icons (langflow-ai#12016) * Update guardrails.py Changing the heuristic threshold icons. The field was using the default icons. I added icons related to the security theme. * [autofix.ci] apply automated fixes --------- Co-authored-by: autofix-ci[bot] <114827586+autofix-ci[bot]@users.noreply.github.com> Co-authored-by: Viktor Avelino <64113566+viktoravelino@users.noreply.github.com> * feat: Clean up the modelinput unification * [autofix.ci] apply automated fixes * [autofix.ci] apply automated fixes (attempt 2/3) * Update test_embedding_model_component.py * [autofix.ci] apply automated fixes * Revert to main for other files * More reversions * [autofix.ci] apply automated fixes * [autofix.ci] apply automated fixes * [autofix.ci] apply automated fixes (attempt 2/3) * [autofix.ci] apply automated fixes * [autofix.ci] apply automated fixes (attempt 2/3) * [autofix.ci] apply automated fixes (attempt 3/3) * [autofix.ci] apply automated fixes * [autofix.ci] apply automated fixes (attempt 2/3) * [autofix.ci] apply automated fixes (attempt 3/3) * Handle first run more elegantly in astra * [autofix.ci] apply automated fixes * Fix knowledge embedding dialog (langflow-ai#12071) * fix: Handle message inputs when ingesting knowledge * [autofix.ci] apply automated fixes * [autofix.ci] apply automated fixes (attempt 2/3) * [autofix.ci] apply automated fixes (attempt 3/3) * Update test_ingestion.py * [autofix.ci] apply automated fixes * fix: Unify the knowledge creation model selector * Revert tracing * Update ingestion.py * Rebuild comp index * [autofix.ci] apply automated fixes * Update test_ingestion.py * [autofix.ci] apply automated fixes * [autofix.ci] apply automated fixes (attempt 2/3) * Update test_ingestion.py * Update component_index.json * [autofix.ci] apply automated fixes --------- Co-authored-by: autofix-ci[bot] <114827586+autofix-ci[bot]@users.noreply.github.com> * [autofix.ci] apply automated fixes * Update comp index * Update test_astradb_base_component.py * Update Knowledge Ingestion.json * [autofix.ci] apply automated fixes * Fix broken tests * Cleanup from claude * [autofix.ci] apply automated fixes * Fix failing tests * Update test_unified_models.py * [autofix.ci] apply automated fixes * Update Nvidia Remix.json * Refactor ingest * Rebuild templates and component index * Fix test * [autofix.ci] apply automated fixes * Update component_index.json * [autofix.ci] apply automated fixes * test: add update_build_config visibility tests and PR review fixes (langflow-ai#12114) - Add update_build_config field-visibility tests to LanguageModelComponent, ToolCallingAgentComponent, and BatchRunComponent covering Ollama, WatsonX, OpenAI, and no-model-selected cases - Remove 16 stale @pytest.mark.skip tests from test_agent_component.py - Wire up validate_model_selection in agent.py for early input validation - Document AstraDB intentional use of lower-level update_model_options_in_build_config - Clarify model_kwargs info text to note provider-specific support Co-authored-by: Claude Sonnet 4.6 <noreply@anthropic.com> * Update embedding_model.py * fix: address PR review recommendations for feat-unify-models++ (langflow-ai#12116) - Fix 9 skipped tests in test_batch_run_component.py by replacing model list with _MockLLM instances, following the existing pattern used by test_with_config_failure_handling - Fix test_agent_component.py: set component.model to a valid list before calling get_agent_requirements() in the three max_tokens tests, since validate_model_selection now requires a list-format model - Replace os.environ direct reads in apply_provider_variable_config_to_build_config with get_all_variables_for_provider() (DB-first, env fallback), and pass user_id through from handle_model_input_update - Add deprecated stubs for update_provider_fields_visibility, _update_watsonx_fields, and _update_ollama_fields in model_config.py with DeprecationWarning pointing to handle_model_input_update - Fix typo: "deault" -> "default" in structured_output.py TODO comment - Add 4 new KnowledgeIngestionComponent tests: new-format model_selection metadata path, allow_duplicates=True, missing metadata file error, and _build_embedding_metadata without API key Co-authored-by: Claude Sonnet 4.6 <noreply@anthropic.com> * Ruff errors * Update test_ingestion.py * Update component index * Test updates * Update component_index.json * Update stable_hash_history.json * Template updates * Update batch_run.py * [autofix.ci] apply automated fixes * [autofix.ci] apply automated fixes (attempt 2/3) * Update Youtube Analysis.json * Fix tests * [autofix.ci] apply automated fixes * [autofix.ci] apply automated fixes (attempt 2/3) * [autofix.ci] apply automated fixes (attempt 3/3) * Some cleanup and refactoring * [autofix.ci] apply automated fixes * Update Nvidia Remix.json * Update Nvidia Remix.json * Update unified_models.py * Coderabbit AI review comments * Component index update * [autofix.ci] apply automated fixes * Template updates * [autofix.ci] apply automated fixes * Template update * [autofix.ci] apply automated fixes * Review comments addressed * [autofix.ci] apply automated fixes * Update component_index.json * Update stable_hash_history.json * [autofix.ci] apply automated fixes * Test updates * Update test_ingestion.py * Update test_ingestion.py * Update test_ingestion.py * [autofix.ci] apply automated fixes * More clear tooltip text * [autofix.ci] apply automated fixes * Template updates * Index and templates * [autofix.ci] apply automated fixes * Fix lambda build * Template updates * Rebuild comp index * [autofix.ci] apply automated fixes * Fix templates * Fix failing test * Update templates * Update comp index * [autofix.ci] apply automated fixes * API key field in astra db * Update starter * Update comp index * Starter proj update * Add api key to field order * Update test_unified_models.py * Update test_unified_models.py * [autofix.ci] apply automated fixes * Update setup.py * Update setup.py * Update component_index.json * [autofix.ci] apply automated fixes * Return embedding models directly in KB * [autofix.ci] apply automated fixes * Update component_index.json * fix: Refactor the unified models code * Ruff checks * Update flow_preparation.py * [autofix.ci] apply automated fixes * Update test_language_model_component.py * fix: prevent overwriting user-selected global variables in provider c… (langflow-ai#12217) * fix: nightly now properly gets 1.9.0 branch (langflow-ai#12215) before it was attempting to pull release-notes as letters are alphanumerically after numbers when we sort -V then grab tail now we only look at branch names that follow the pattern '^release-[0-9]+\.[0-9]+\.[0-9]+$' * docs: add search icon (langflow-ai#12216) add-back-svg * fix: prevent overwriting user-selected global variables in provider config Previously, the apply_provider_variable_config_to_build_config function would automatically overwrite field values with environment variable keys whenever an env var was present, even if the user had already selected a different global variable. This fix adds a check to only auto-set the environment variable if: - The field is currently empty, OR - The field is not already configured to load from the database This preserves user selections while still providing automatic configuration for new/empty fields. Added comprehensive unit tests to verify: - Auto-setting env vars for empty fields - Preserving user-selected global variables - Overwriting hardcoded values (expected behavior) - Skipping when env var is not set - Applying component metadata correctly * [autofix.ci] apply automated fixes * style: use dictionary comprehension instead of for-loop Fixed PERF403 Ruff style warning by replacing for-loop with dictionary comprehension in update_projects_components_with_latest_component_versions * chore: retrigger CI build * test: improve test coverage and clarity for provider config - Renamed test_apply_provider_config_overwrites_hardcoded_value to test_apply_provider_config_replaces_hardcoded_with_env_var for clarity - Added test_apply_provider_config_idempotent_when_already_set to document idempotent behavior when value already matches env var key - Removed sensitive value from debug log message to prevent potential exposure of API keys or credentials These changes improve test coverage by documenting the no-op scenario and enhance security by avoiding logging of potentially sensitive data. * chore: retrigger CI build --------- Co-authored-by: Adam-Aghili <149833988+Adam-Aghili@users.noreply.github.com> Co-authored-by: Mendon Kissling <59585235+mendonk@users.noreply.github.com> Co-authored-by: Steve Haertel <shaertel@ca.ibm.com> Co-authored-by: autofix-ci[bot] <114827586+autofix-ci[bot]@users.noreply.github.com> Co-authored-by: Eric Hare <ericrhare@gmail.com> * Update build_config.py * [autofix.ci] apply automated fixes * Update build_config.py * Fix tests * fix: Dropdown issue with field population * Update test_unified_models.py * Clean up key config * [autofix.ci] apply automated fixes * fix tests * Fix tests * fix: Update tests * Update tests * Update test_tool_calling_agent.py * Update test_unified_models.py * Update test_tool_calling_agent.py * Update tests * Google AI generative embeddings fixes * [autofix.ci] apply automated fixes * Merge release branch * Template update * Merge release branch * [autofix.ci] apply automated fixes * Update openai_constants.py * Update openai_constants.py --------- Co-authored-by: Adam-Aghili <149833988+Adam-Aghili@users.noreply.github.com> Co-authored-by: Gabriel Luiz Freitas Almeida <gabriel@logspace.ai> Co-authored-by: keval shah <kevalvirat@gmail.com> Co-authored-by: Antônio Alexandre Borges Lima <104531655+AntonioABLima@users.noreply.github.com> Co-authored-by: autofix-ci[bot] <114827586+autofix-ci[bot]@users.noreply.github.com> Co-authored-by: Olayinka Adelakun <olayinkaadelakun@Olayinkas-MacBook-Pro.local> Co-authored-by: Olayinka Adelakun <olayinkaadelakun@mac.war.can.ibm.com> Co-authored-by: Ram Gopal Srikar Katakam <44802869+RamGopalSrikar@users.noreply.github.com> Co-authored-by: Claude Opus 4.5 <noreply@anthropic.com> Co-authored-by: olayinkaadelakun <olayinka.adelakun@ibm.com> Co-authored-by: Jordan Frazier <122494242+jordanrfrazier@users.noreply.github.com> Co-authored-by: cristhianzl <cristhian.lousa@gmail.com> Co-authored-by: Hamza Rashid <74062092+HzaRashid@users.noreply.github.com> Co-authored-by: Mendon Kissling <59585235+mendonk@users.noreply.github.com> Co-authored-by: Lucas Oliveira <62335616+lucaseduoli@users.noreply.github.com> Co-authored-by: Edwin Jose <edwin.jose@datastax.com> Co-authored-by: Himavarsha <40851462+HimavarshaVS@users.noreply.github.com> Co-authored-by: Viktor Avelino <64113566+viktoravelino@users.noreply.github.com> Co-authored-by: Lucas Democh <ldgoularte@gmail.com> Co-authored-by: Steve Haertel <stevehaertel@users.noreply.github.com> Co-authored-by: Steve Haertel <shaertel@ca.ibm.com>

* fix: Wait for dynamic model fetch in Nvidia * [autofix.ci] apply automated fixes * Create test_nvidia_component.py * Update test_nvidia_component.py * [autofix.ci] apply automated fixes * Potential fix for pull request finding Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com> * [autofix.ci] apply automated fixes * Update test_nvidia_component.py * Update component_index.json * [autofix.ci] apply automated fixes --------- Co-authored-by: autofix-ci[bot] <114827586+autofix-ci[bot]@users.noreply.github.com> Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com>

* fix: protect image downloads by flow ownership * test: add clarifying comments for image access review --------- Co-authored-by: Janardan Singh Kavia <janardankavia@ibm.com>

* fix: Support self-referential MCP JSON schema * Address comments from review

* fix: redact sensitive information from log output Mask or remove API keys, passwords, tokens, auth settings, and configuration values from logger calls and print statements to prevent clear-text exposure of credentials in logs. * fix: address code review feedback on sensitive info redaction - Restore full API key display in Windows fallback banner (masking defeated the purpose of showing the key for the only time) - Revert test helper masking in locust setup (developers need full credentials for load testing) - Add missing await on logger.adebug in agentic_mcp - Remove redundant duplicate log line in openai_responses * fix: replace unnecessary dict comprehension with dict() call --------- Co-authored-by: Janardan Singh Kavia <janardankavia@ibm.com>

chore: remove mypy from CI and dev dependencies mypy hasn't caught issues in a long time due to its lenient config (follow_imports=skip, ignore_missing_imports=true). We evaluated ty as a replacement but it lacks Pydantic and SQLModel support, producing too many false positives. Removing the type checker until a viable alternative matures.

* use-hackerone-and-remove-cve-list * link-to-ibm-hackerone * add-release-note * typo

…ow-ai#12319) * opensearch multimodal: support filters, adjust defaults Update OpenSearch multimodal vector store component to parse and apply filter_expression JSON to search queries, wrapping existing queries in a bool with filter clauses and applying limit (size) and min_score from the filter object when present. Also validate filter_expression JSON and raise a clear ValueError on parse errors. Adjust component inputs and defaults: remove "JSON" from input_types, change default auth_mode to "jwt", and set bearer_prefix default to false. Uses existing _coerce_filter_clauses helper to build filter clauses. * Update component_index.json * [autofix.ci] apply automated fixes * [autofix.ci] apply automated fixes * resolve review comments * [autofix.ci] apply automated fixes * fix ruff errors * [autofix.ci] apply automated fixes * fix ruff errors * [autofix.ci] apply automated fixes --------- Co-authored-by: autofix-ci[bot] <114827586+autofix-ci[bot]@users.noreply.github.com> Co-authored-by: himavarshagoutham <himavarshajan17@gmail.com> Co-authored-by: Himavarsha <40851462+HimavarshaVS@users.noreply.github.com>

* initial-changes * fix-broken-links * Apply suggestions from code review Co-authored-by: April I. Murphy <36110273+aimurphy@users.noreply.github.com> Co-authored-by: Mendon Kissling <59585235+mendonk@users.noreply.github.com> --------- Co-authored-by: April I. Murphy <36110273+aimurphy@users.noreply.github.com>

…langflow-ai#12205) * feat: add pure flow-builder utilities to lfx Add flow_builder subpackage with pure functions for manipulating flow JSON dicts — component ops, edge creation with ReactFlow handle format, topological layout, and dynamic field detection. * feat: add MCP server for operating Langflow via REST API FastMCP server exposing 15 tools across auth, flow, component, connection, and execution groups. Agents can create flows, add and configure components, wire connections, and run flows against a Langflow server through MCP tool calls. * feat: add langflow-mcp-client console script entry point * fix: use dict comprehension in setup.py to fix PERF403 lint * fix: address PR review feedback on MCP client - Add asyncio.Lock to prevent race condition in _client() under concurrent access - Handle 204 No Content responses in delete() instead of calling resp.json() on empty body - Fix weak assertion in test_default_values * feat: auto-enable tool_mode when connecting component_as_tool describe_component_type now shows component_as_tool as an output for any component with tool_mode-capable outputs. When an agent connects via component_as_tool, tool_mode is auto-enabled — no extra step needed. * refactor: move MCP server from langflow-base to lfx The MCP server has no langflow dependencies — only httpx, mcp, and lfx.graph.flow_builder. Moving it to lfx.mcp makes it usable without installing langflow. Entry point: lfx-mcp. * feat: improve MCP server UX for agents - describe_component_type separates advanced fields from core ones - search_component_types accepts output_type filter - list_flows accepts query filter and includes ASCII graph repr - get_flow_info includes ASCII graph repr - add duplicate_flow tool - add list_starter_projects tool * feat: add use_starter_project tool and tests for new features - use_starter_project creates a flow from a starter template by name (starter projects aren't fetchable by ID via /flows/) - Tests for duplicate_flow, starter projects, graph repr, advanced fields, and output_type search * docs: improve MCP tool descriptions for agent clarity - Add server-level instructions with typical workflow guide - Remove internal implementation details from tool descriptions - Add cross-references between related tools - Mention component_as_tool and graph diagrams where relevant * docs: address subagent review feedback on tool descriptions - Document return values for create_flow, add_component - Clarify empty-query behavior for search_component_types - Distinguish get_component_info (instance) vs describe_component_type (type) - Explain connection type compatibility in instructions - Clarify configure_component trigger field behavior - State disconnect_components default when filters omitted * feat: add batch tool for multi-action requests Execute multiple actions in one call with $N.field references to chain results. An agent can build a complete flow in a single request instead of 6+ round trips. * feat: add create_flow_from_spec tool for compact text-based flow creation Accepts a compact text spec with nodes, edges (using real port names), and config sections. Agents generate a simple string instead of constructing nested JSON. Tool mode auto-enabled for component_as_tool. Handles Prompt Template dynamic variables by parsing {var} from template text and creating input fields. Cleans up flows on failure. Type coercion for numeric/boolean config values. * feat: add build_flow validation and create_flow_from_spec build_flow validates flows by building the graph server-side. create_flow_from_spec accepts a compact text spec with nodes, edges, and config. Validates by default (optional). Handles Prompt Template dynamic {variables}, auto-enables tool_mode for component_as_tool, cleans up on failure, coerces config types. * fix: isolate session state and harden MCP server * fix: move test_flow_builder into tests/unit so CI collects coverage * fix: address PR review feedback - Fix test fixture to use contextvars instead of stale module attributes - Raise ValueError on malformed spec lines instead of silently dropping - Disambiguate duplicate component types in flow_graph_repr - Narrow except Exception to ImportError in flow_graph_repr - Add action-index context to batch error messages - Fix stale/inaccurate docstrings (group count, "| ", field_name, category, build_flow) - Mention create_flow_from_spec in MCP instructions * feat: stream run_flow events via MCP progress notifications run_flow now consumes Langflow's SSE stream and relays token events to the MCP client via report_progress. Falls back to a regular POST if the stream yields no result. * test: add streaming integration tests for run_flow and stream_post * chore: rebuild component index * [autofix.ci] apply automated fixes * fix: handle Message dicts in str field param processing, add MCP logger param_handler's str case called unescape_string on list elements without type checking. On subsequent agent calls, chat history stores Message dicts in the list, causing 'dict' object has no attribute 'replace'. Added _coerce_str_value that extracts .text from Message/Data/dict objects. Added lfx logger to MCP server with streaming fallback warning. * feat: add flow builder tools, propose_field_edit, and flow_to_spec_summary - builder.py: builds flow dicts from text specs using local component registry with granular error handling per build phase - flow_builder_tools.py: 9 Langflow components for agent tooling (search, describe, get_field_value, propose_field_edit, add_component, remove_component, connect_components, configure_component, build_flow) - propose_field_edit generates validated JSON Patches with dry-run - flow_to_spec_summary converts flow dicts to compact summaries with IDs - Module-level event queue for real-time UI updates during streaming * [autofix.ci] apply automated fixes * feat: add get_build_results and get_component_output MCP tools Exposes per-component build data from the vertex_builds table: - get_build_results: returns all component outputs, validity, and errors from the last run -- useful for debugging which component failed - get_component_output: inspect a specific component's output from the last run to trace where the pipeline broke * feat: add flow management, iteration, and discovery MCP tools Response improvements: - spec_summary (component IDs + connection ports) in get_flow_info/list_flows - Merged components() tool: search or describe in one call Flow management tools: - validate_flow: polls build results with timeout, structured per-component errors - rename_flow: update name/description - export_flow: serialize to JSON with sensitive field redaction - update_flow_from_spec: declarative update with reference validation Component iteration tools: - freeze_component / unfreeze_component: skip re-execution during iteration - layout_flow_tool: re-layout after modifications Security: export_flow redacts API keys via redact_node before exposing to LLM. Includes 18 integration tests covering all new tools. * refactor: extract shared _node_id and validate_spec_references - _utils.py: shared node_id helper (was duplicated in component.py and layout.py) - spec.py: validate_spec_references extracted from three copies in create_flow_from_spec, update_flow_from_spec, and build_flow_from_spec * fix: add trailing slash to /api_key endpoint in MCP client login The FastAPI endpoint redirects /api_key to /api_key/ (307) and httpx drops the POST body on redirect, causing API key creation to fail silently during login. * fix: isolate session state and harden MCP server contextvars alone lose state between stdio tool calls. Add module-level fallback so login credentials persist across calls while still supporting per-session isolation for SSE transport. * feat: improve MCP server UX for agents - describe_component_type separates advanced fields from core ones - search_component_types accepts output_type filter - list_flows accepts query filter and includes ASCII graph repr - get_flow_info includes ASCII graph repr - add duplicate_flow tool - add list_starter_projects tool * feat: add use_starter_project tool and tests for new features - use_starter_project creates a flow from a starter template by name (starter projects aren't fetchable by ID via /flows/) - Tests for duplicate_flow, starter projects, graph repr, advanced fields, and output_type search * docs: improve MCP tool descriptions for agent clarity - Add server-level instructions with typical workflow guide - Remove internal implementation details from tool descriptions - Add cross-references between related tools - Mention component_as_tool and graph diagrams where relevant * docs: address subagent review feedback on tool descriptions - Document return values for create_flow, add_component - Clarify empty-query behavior for search_component_types - Distinguish get_component_info (instance) vs describe_component_type (type) - Explain connection type compatibility in instructions - Clarify configure_component trigger field behavior - State disconnect_components default when filters omitted * feat: add batch tool for multi-action requests Execute multiple actions in one call with $N.field references to chain results. An agent can build a complete flow in a single request instead of 6+ round trips. * feat: add create_flow_from_spec tool for compact text-based flow creation Accepts a compact text spec with nodes, edges (using real port names), and config sections. Agents generate a simple string instead of constructing nested JSON. Tool mode auto-enabled for component_as_tool. Handles Prompt Template dynamic variables by parsing {var} from template text and creating input fields. Cleans up flows on failure. Type coercion for numeric/boolean config values. * feat: add build_flow validation and create_flow_from_spec build_flow validates flows by building the graph server-side. create_flow_from_spec accepts a compact text spec with nodes, edges, and config. Validates by default (optional). Handles Prompt Template dynamic {variables}, auto-enables tool_mode for component_as_tool, cleans up on failure, coerces config types. * fix: address PR review feedback - Fix test fixture to use contextvars instead of stale module attributes - Raise ValueError on malformed spec lines instead of silently dropping - Disambiguate duplicate component types in flow_graph_repr - Narrow except Exception to ImportError in flow_graph_repr - Add action-index context to batch error messages - Fix stale/inaccurate docstrings (group count, "| ", field_name, category, build_flow) - Mention create_flow_from_spec in MCP instructions * feat: stream run_flow events via MCP progress notifications run_flow now consumes Langflow's SSE stream and relays token events to the MCP client via report_progress. Falls back to a regular POST if the stream yields no result. * test: add streaming integration tests for run_flow and stream_post * chore: rebuild component index * [autofix.ci] apply automated fixes * fix: handle Message dicts in str field param processing, add MCP logger param_handler's str case called unescape_string on list elements without type checking. On subsequent agent calls, chat history stores Message dicts in the list, causing 'dict' object has no attribute 'replace'. Added _coerce_str_value that extracts .text from Message/Data/dict objects. Added lfx logger to MCP server with streaming fallback warning. * feat: add flow builder tools, propose_field_edit, and flow_to_spec_summary - builder.py: builds flow dicts from text specs using local component registry with granular error handling per build phase - flow_builder_tools.py: 9 Langflow components for agent tooling (search, describe, get_field_value, propose_field_edit, add_component, remove_component, connect_components, configure_component, build_flow) - propose_field_edit generates validated JSON Patches with dry-run - flow_to_spec_summary converts flow dicts to compact summaries with IDs - Module-level event queue for real-time UI updates during streaming * [autofix.ci] apply automated fixes * feat: add get_build_results and get_component_output MCP tools Exposes per-component build data from the vertex_builds table: - get_build_results: returns all component outputs, validity, and errors from the last run -- useful for debugging which component failed - get_component_output: inspect a specific component's output from the last run to trace where the pipeline broke * feat: add flow management, iteration, and discovery MCP tools Response improvements: - spec_summary (component IDs + connection ports) in get_flow_info/list_flows - Merged components() tool: search or describe in one call Flow management tools: - validate_flow: polls build results with timeout, structured per-component errors - rename_flow: update name/description - export_flow: serialize to JSON with sensitive field redaction - update_flow_from_spec: declarative update with reference validation Component iteration tools: - freeze_component / unfreeze_component: skip re-execution during iteration - layout_flow_tool: re-layout after modifications Security: export_flow redacts API keys via redact_node before exposing to LLM. Includes 18 integration tests covering all new tools. * refactor: extract shared _node_id and validate_spec_references - _utils.py: shared node_id helper (was duplicated in component.py and layout.py) - spec.py: validate_spec_references extracted from three copies in create_flow_from_spec, update_flow_from_spec, and build_flow_from_spec * fix: update test fixture to use contextvars-based server API The mcp_client fixture was accessing mcp_server_module._client and ._registry directly, but these were replaced with contextvars (_client_var, _shared_client, _set_client, etc.) in the server module refactor. * [autofix.ci] apply automated fixes * fix: address review feedback on MCP server PR - Move flow_builder_tools out of components/ into mcp/ (fixes test_get_all) - Extract _set_frozen() helper to deduplicate freeze/unfreeze - Add missing tools to batch _TOOL_MAP - Fix sensitive field detection to use word-boundary matching - Unify redaction logic via shared is_sensitive_field() - Log skipped non-JSON SSE lines in stream_post - Rebuild component index * [autofix.ci] apply automated fixes * [autofix.ci] apply automated fixes * fix: gracefully handle server refresh failure in configure_component When a real_time_refresh field (e.g. model_name) is configured before its dependency (e.g. api_key), the server-side refresh fails. Instead of propagating a raw RuntimeError, the value is saved locally and a warning is returned telling the agent to set the credential first. --------- Co-authored-by: autofix-ci[bot] <114827586+autofix-ci[bot]@users.noreply.github.com> Co-authored-by: Keval718 <kevalvirat@gmail.com> Co-authored-by: Eric Hare <ericrhare@gmail.com>

…ase (langflow-ai#12447) Co-authored-by: Mendon Kissling <59585235+mendonk@users.noreply.github.com>

* feat(sdk): add langflow-sdk Python client package * feat(lfx): add Flow DevOps CLI toolkit * feat(api): add flow upsert, export normalization, ZIP upload * chore: CI coverage merge, Docker fixes, dependency updates * Address CQ5 review / import bug * Update test_status_command.py * Update test_status_command.py * Fix more tests * Review edits * Review edits * Fix tests * Follow up review updates * Refactor common client code * Update templates and comp index * [autofix.ci] apply automated fixes * Update test_database.py * Updates from review comments * Fix push interface to match the rest * Update push.py * Update push.py --------- Co-authored-by: autofix-ci[bot] <114827586+autofix-ci[bot]@users.noreply.github.com>

…i#12207) - Analyze 45-60 min CI bottleneck for pre-release builds - Document that both PyPI publishing and Docker builds wait for CI - Recommend skip_ci parameter with safeguards for urgent releases - Show 50% time savings (100 min → 50 min) for pre-releases - Include risk assessment and implementation guidelines Addresses LE-517

* fix: Access the appropriate attribute for chroma * Fix display of chunk metadata * [autofix.ci] apply automated fixes * Add some unit tests * Update ingestion.py * [autofix.ci] apply automated fixes * Review updates * Update component_index.json * Fix bug with ingestion * [autofix.ci] apply automated fixes * Update test_ingestion.py * Update test_ingestion.py --------- Co-authored-by: autofix-ci[bot] <114827586+autofix-ci[bot]@users.noreply.github.com> Co-authored-by: Carlos Coelho <80289056+carlosrcoelho@users.noreply.github.com>

…angflow-ai#12466) * Display proper error messages and strip null params from tool calls * add connect other models option * fix model provider selection state * fix tests and ruff * revert mcp changes * [autofix.ci] apply automated fixes * fix handle not appearing properly * fix jest test * [autofix.ci] apply automated fixes * address qa fixes * add tests to validate be and fe * [autofix.ci] apply automated fixes * [autofix.ci] apply automated fixes (attempt 2/3) * ruff style and checker * fix tests failuer --------- Co-authored-by: autofix-ci[bot] <114827586+autofix-ci[bot]@users.noreply.github.com>

* feat: add Langflow MCP Client settings page Add a new settings page that shows coding agents how to connect to Langflow via the lfx.mcp client. Includes setup instructions and JSON config for Bob (IBM) and Claude Code. * fix: clipboard guard and per-button copied state in MCP client page - Guard navigator.clipboard availability before calling writeText - Track copied state per button (command vs json) so visual feedback matches the action the user took

…i#12340) * feat: add Langflow MCP Client settings page Add a new settings page that shows coding agents how to connect to Langflow via the lfx.mcp client. Includes setup instructions and JSON config for Bob (IBM) and Claude Code. * fix: clipboard guard and per-button copied state in MCP client page - Guard navigator.clipboard availability before calling writeText - Track copied state per button (command vs json) so visual feedback matches the action the user took * feat: add flow events queue for MCP agent activity polling In-memory event queue service with cursor-based polling endpoint at GET/POST /api/v1/flows/{flow_id}/events. Enables the frontend to detect when MCP agents modify flows in near real-time. * feat: emit flow events from MCP tools and add notify_done tool Each mutating MCP tool now posts an event to the flow events queue after successful PATCH. Adds notify_done tool for explicit settle signaling to the frontend. * feat: add frontend flow event polling with canvas locking and toast - useFlowEvents hook with adaptive polling (5s idle, 1s active) - Canvas locks with "Agent is working..." badge during agent activity - Flow reloads and summary toast on settle * test: add tests for flow events hook and MCP event emission - 9 frontend tests for useFlowEvents hook (polling, accumulation, settle, errors) - 4 lfx tests for LangflowClient.post_event (payload, defaults, error suppression) - 7 lfx tests for MCP tool event emission (add/remove/configure/connect/disconnect/notify_done) * fix: add flow ownership check and fix thread-safety in event queue Endpoints now verify the authenticated user owns the flow before allowing event reads or writes. Also copies the event list inside the lock to prevent concurrent mutation during iteration. * fix: log warnings on event posting and polling failures Replace silent error suppression with logger.warning (backend) and console.warn (frontend) so failures are diagnosable while keeping best-effort semantics. * fix: show toast only on successful flow reload after agent settle Move toast into reloadFlow's onSuccess callback so users aren't told about changes that failed to load. Also fixes stale closure by adding missing useEffect dependencies. * test: improve coverage for flow events - Add cursor-ahead-of-events tests for get_since settle logic - Add flow ownership 404 test for events endpoints - Add event emission tests for freeze/unfreeze/layout/update_flow_from_spec - Use real flow IDs (from created flows) in API tests * test: add edge case coverage for flow events - flow_settled before cursor should not trigger settlement - create_flow_from_spec emits flow_settled after batch - Polling resumes at idle interval after settle - Simultaneous events + settled in single poll * fix: UX improvements for agent activity polling - Clear events after settle to prevent stale toast messages - Truncate toast to 3 summaries max ("and N more") - Block keyboard shortcuts (undo/redo/copy/paste/cut) during agent lock - Poll immediately on mount (no 5s blind spot) - Add concurrency guard to prevent overlapping polls - Guard against setState on unmounted component * test: add Playwright E2E test for agent events banner Verifies that posting events via the API triggers the "Agent is working..." banner on the canvas, and that a flow_settled event dismisses it. * refactor: consolidate lfx event tests into parameterized tests - Server tests: 10 identical copy-paste classes -> 1 parameterized test covering 9 tools, assertions check event type not exact summary - Client tests: merge redundant exception tests, test multiple error types in one test - Keep distinct tests for create_flow_from_spec and notify_done since they have unique behavior (batch settle vs explicit settle) * fix: UX improvements for agent events banner - Show latest event summary in banner (e.g. "Agent: Added Memory") - Slide-in entrance and slide-out exit animations - Minimum 2s display time so banner doesn't flash - Freeze banner text during exit animation - Text eases in when new events arrive * fix: canvas reload, locking, and toast formatting - Use applyFlowToCanvas for proper canvas reload on settle - Zoom to fit after reload instead of zooming to 200% - Lock icon shows "Agent Working" during agent activity - ReactFlow nodesDraggable/nodesConnectable respect agent lock - Toast shows grouped summary (e.g. "Agent removed 3 components") - Events preserved for consumer, cleared via clearEvents callback * fix: handle AUTO_LOGIN nullable user_id, remove double processFlows, fix pluralization - _verify_flow_owner now accepts flows with user_id=None (AUTO_LOGIN) - Remove redundant processFlows call (applyFlowToCanvas handles it) - Toast says "connections" not "components" for connection events * refactor: minor cleanup from code review - Remove unused FlowEventType export (only used internally) - Simplify nested ternary in toast pluralization * chore: remove test artifact * fix: harden flow events service and address review findings - Rewrite FlowEventsService to use diskcache for cross-worker event visibility (replaces in-memory dict) - Add Literal constraint and max_length to FlowEventCreate API model - Restore manual lock toggle (disabled during agent activity), serialize saves to prevent race conditions - Add AbortController to post-settle flow reload to prevent stale responses from overwriting wrong canvas - Clear agent-working state on terminal poll errors (401/403/404) so UI doesn't get permanently stuck - Make notify_done report warning status on delivery failure - Emit settle event on create_flow_from_spec rollback - Fix E2E test banner text assertion to match actual render - Add 14 new tests: cross-worker visibility, validation 422s, terminal error unlock, notify_done warning, rollback settle * fix: resolve CI failures in MemoizedCanvasControls and notify_done tests - Add waitFor() to lock toggle tests for async handleToggleLock - Patch logger in notify_done failure test to avoid I/O on closed file - Replace any[] with unknown[] in test mock type * fix: address remaining review feedback from erichare - Fix stale closure in banner effect using bannerVisibleRef - Add runtime event type validation in FlowEventsService.append() - Document diskcache ephemeral storage and multi-tab limitations

…rences

github-actions · 2026-04-03T02:35:32Z

✅ Migration Validation Passed

All migrations follow the Expand-Contract pattern correctly.

github-actions · 2026-04-03T02:40:58Z

Frontend Unit Test Coverage Report

Coverage Summary

Lines	Statements	Branches	Functions
	28.06% (29449/104920)	64.69% (3758/5809)	30.05% (691/2299)

Unit Test Results

Tests	Skipped	Failures	Errors	Time
3065	0 💤	0 ❌	0 🔥	4m 34s ⏱️

…flow-ai#12481) * fix: Build and install the langflow-sdk for lfx * Publish sdk as a nightly * Update ci.yml * Update python_test.yml * Update ci.yml

…#12470) security: upgrade dependencies to address CVE vulnerabilities Co-authored-by: Janardan S Kavia <janardanskavia@Janardans-MacBook-Pro.local>

* fix: Properly grep for the langflow version * Mount the sdk where needed * Skip the sdk

…1996) * fix: add SSRF protection to URL component (PVR0699081) Add Server-Side Request Forgery (SSRF) protection to the URL component by integrating the existing validate_url_for_ssrf function. This prevents the component from being used to access internal resources like localhost, private IP ranges, and cloud metadata endpoints. The fix uses warn_only=True for backwards compatibility, matching the behavior of the API Request component. Full blocking will be enabled in the next major version (2.0). * [autofix.ci] apply automated fixes * [autofix.ci] apply automated fixes (attempt 2/3) * fix: enforce SSRF blocking and add env variables to .env.example - Change warn_only=False to actually block internal URLs when SSRF protection is enabled - Add LANGFLOW_SSRF_PROTECTION_ENABLED and LANGFLOW_SSRF_ALLOWED_HOSTS to .env.example - Update tests to reflect blocking mode When LANGFLOW_SSRF_PROTECTION_ENABLED=true, requests to private IPs, localhost, and cloud metadata endpoints will be blocked. * fix: correct .env.example to show empty default for SSRF protection The default is false, so .env.example should be empty (not true). * [autofix.ci] apply automated fixes * [autofix.ci] apply automated fixes (attempt 2/3) * fix: add SSRF protection to URL component (PVR0699081) Add Server-Side Request Forgery (SSRF) protection to the URL component by integrating the existing validate_url_for_ssrf function. This prevents the component from being used to access internal resources like localhost, private IP ranges, and cloud metadata endpoints. The fix uses warn_only=True for backwards compatibility, matching the behavior of the API Request component. Full blocking will be enabled in the next major version (2.0). * fix: enforce SSRF blocking and add env variables to .env.example - Change warn_only=False to actually block internal URLs when SSRF protection is enabled - Add LANGFLOW_SSRF_PROTECTION_ENABLED and LANGFLOW_SSRF_ALLOWED_HOSTS to .env.example - Update tests to reflect blocking mode When LANGFLOW_SSRF_PROTECTION_ENABLED=true, requests to private IPs, localhost, and cloud metadata endpoints will be blocked. * fix: correct .env.example to show empty default for SSRF protection The default is false, so .env.example should be empty (not true). * [autofix.ci] apply automated fixes * [autofix.ci] apply automated fixes (attempt 2/3) * [autofix.ci] apply automated fixes * [autofix.ci] apply automated fixes --------- Co-authored-by: autofix-ci[bot] <114827586+autofix-ci[bot]@users.noreply.github.com>

…w-ai#12441) * fix(mcp): Stop sending API key as Bearer token in MCP client (langflow-ai#12349) * fix: replace unnecessary dict comprehension with dict() call * Update test_mcp_client.py --------- Co-authored-by: Cristhian Zanforlin Lousa <cristhian.lousa@gmail.com> Co-authored-by: Eric Hare <ericrhare@gmail.com>

* curl-examples-and-tests * move-curl-examples * docs-add-existing-js-and-python-examples * add-python-and-js-examples * use-code-snippet-not-code-block * remove-unused-ts-files * add-gitignore-for-docs-pycache * test-api-commands-with-langflow-env-var * add-fixtures-and-makefile-tests-pass * no-action * [autofix.ci] apply automated fixes * [autofix.ci] apply automated fixes * block-ruff-check-for-docs-examples * add-horizontal-scrolling-and-pin-copy-button --------- Co-authored-by: autofix-ci[bot] <114827586+autofix-ci[bot]@users.noreply.github.com>

increase-padding-for-sidebar-icons

…rences

jordanrfrazier and others added 30 commits March 16, 2026 10:42

fix: Resolve CodeQL false positives for path injection and URL substr…

94c94ad

…ing sanitization (langflow-ai#12201)

chore: update pyproject versions 1.9.0

facd0b1

update pyproject versions 1.9.0

fix: 1.9.0 nightly

13908b2

1.9.0 nightly fix

fix: 1.9.0 nightly (langflow-ai#12210)

11bda00

fix 1.9.0 nightly

fix: remove ibm-watsonx extra from complete installation (langflow-ai…

a820c6f

…#12230)

docs: lfx readme content (langflow-ai#11870)

2d32e52

* docs-add-lfx-content-to-readme * github-link-syntax * allowlist-blocklist

docs: add a copy to markdown button to docusaurus theme (langflow-ai#…

082b8e3

…12189) * copy-page-component * copy-theme-and-add-button

docs: Add AI coding agent skills for code review, testing, and refact…

3d1c122

…oring (langflow-ai#12241) Add AI coding agent skills for code review, testing, and refactoring

fix: protect image downloads by flow ownership (langflow-ai#12234)

04b4af6

* fix: protect image downloads by flow ownership * test: add clarifying comments for image access review --------- Co-authored-by: Janardan Singh Kavia <janardankavia@ibm.com>

erichare and others added 16 commits April 1, 2026 19:45

fix: Support self-referential MCP JSON schema (langflow-ai#12359)

5a0d36c

* fix: Support self-referential MCP JSON schema * Address comments from review

docs: point security reports to hackerone (langflow-ai#12368)

96c9035

* use-hackerone-and-remove-cve-list * link-to-ibm-hackerone * add-release-note * typo

fix: restore langflow-logo-color-black-solid.svg removed in docs rele…

61bc076

…ase (langflow-ai#12447) Co-authored-by: Mendon Kissling <59585235+mendonk@users.noreply.github.com>

fix: Close popup when navigating to MCP settings (langflow-ai#12358)

103ef7d

Merge branch 'release-1.9.0' into docs/update-agentics-video-and-refe…

d0104ab

…rences

github-actions Bot added documentation Improvements or additions to documentation and removed documentation Improvements or additions to documentation labels Apr 3, 2026

erichare and others added 8 commits April 3, 2026 05:59

fix: Build and install the langflow-sdk for lfx (fixes nightly) (lang…

abd772f

…flow-ai#12481) * fix: Build and install the langflow-sdk for lfx * Publish sdk as a nightly * Update ci.yml * Update python_test.yml * Update ci.yml

fix: upgrade dependencies to address CVE vulnerabilities (langflow-ai…

63e6a1d

…#12470) security: upgrade dependencies to address CVE vulnerabilities Co-authored-by: Janardan S Kavia <janardanskavia@Janardans-MacBook-Pro.local>

fix: Properly grep for the langflow version (langflow-ai#12486)

68642a8

* fix: Properly grep for the langflow version * Mount the sdk where needed * Skip the sdk

docs: increase padding for sidebars icons (langflow-ai#12480)

ed3820b

increase-padding-for-sidebar-icons

Merge branch 'release-1.9.0' into docs/update-agentics-video-and-refe…

941d4c7

…rences

github-actions Bot added documentation Improvements or additions to documentation and removed documentation Improvements or additions to documentation labels Apr 3, 2026

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

docs: enhance Agentics documentation with embedded video#2

docs: enhance Agentics documentation with embedded video#2
gliozzo wants to merge 111 commits into
mainfrom
docs/update-agentics-video-and-references

gliozzo commented Mar 20, 2026

Uh oh!

github-actions Bot commented Apr 3, 2026 •

edited

Loading

Uh oh!

github-actions Bot commented Apr 3, 2026 •

edited

Loading

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

20 participants

Conversation

gliozzo commented Mar 20, 2026

Uh oh!

github-actions Bot commented Apr 3, 2026 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Uh oh!

github-actions Bot commented Apr 3, 2026 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Frontend Unit Test Coverage Report

Coverage Summary

Unit Test Results

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

20 participants

github-actions Bot commented Apr 3, 2026 •

edited

Loading

github-actions Bot commented Apr 3, 2026 •

edited

Loading