feat(deployments): unify payload passthrough from api to adapter by HzaRashid · Pull Request #12190 · langflow-ai/langflow

HzaRashid · 2026-03-14T03:05:52Z

Formalizes how provider-specific payloads flow through the deployment API first and then into the deployment adapter, establishing an API-to-adapter contract relationship, and provides a generalizable pattern for other adapter domains.

The deployment adapter exposes provider escape hatches on a shared set of fields across the full API → adapter path (for example provider_spec, provider_config, provider_data, and provider_result). This PR keeps those field names structurally aligned across layers while allowing each layer to define its own schema for the same field. In practice, API-side provider schemas in Langflow can include Langflow-referential entities (such as project/flow references or other Langflow-managed context) that must be validated and resolved first; mapper resolution then transforms that API payload into a Langflow-agnostic payload before it reaches adapter-side schemas. Before this PR, these escape hatches were largely untyped dict[str, Any] payloads.

What’s included

Grounded deployment payload flow:
- adapter-side escape hatches are represented as named slots
- Langflow maps API payloads into those slots via provider mappers
- both layers share slot names but can use different models per slot
Added shared payload contract primitives in lfx:
- PayloadSlot, AdapterPayloadValidationError, ProviderPayloadSchemas, AdapterPayload
- clear ownership docs in lfx.services.adapters.payload
Added deployment payload taxonomy in lfx:
- new deployment/payloads.py with canonical slot names and centralized TypeVars
- operation-specific outbound result slots (instead of one shared deployment_result):
  - deployment_create_result
  - deployment_operation_result
  - deployment_list_result
  - config_list_result
  - snapshot_list_result
  - plus existing execution/item/status slots
Genericized deployment schema usage to align with slot-specific typing:
- provider mixins now carry explicit generic payload types
- result/list models now use dedicated outbound TypeVars
- centralized TypeVar definitions in deployment/payloads.py (single source of truth)
Added adapter base contract hook:
- BaseDeploymentService.payload_schemas: ClassVar[DeploymentPayloadSchemas | None]
Added Langflow mapper base scaffolding:
- DeploymentApiPayloads (Langflow-owned API slot registry)
- BaseDeploymentMapper passthrough-first behavior with per-slot resolve_*/shape_* methods
- DeploymentMapperRegistry (+ type guard on registration)
Added package exports for new payload contract types in:
- lfx.services.adapters.__init__
- lfx.services.adapters.deployment.__init__
Added/updated docs:
- ownership boundaries in lfx payload modules
- generalized payload ownership section in PLUGGABLE_SERVICES.md (with deployments as example)

Why

Makes deployment adapter escape hatches explicit and typeable end-to-end.
Keeps adapter contracts Langflow-agnostic while letting Langflow own API-specific validation and reshaping.
Avoids over-coupling outbound payload shapes by splitting result slots per operation from the start.
Sets up future provider-specific OpenAPI enrichment through Langflow-owned DeploymentApiPayloads.

Test plan

make format_backend
make lint
uv run pytest src/backend/tests/unit/api/v1/test_deployment_mapper_base.py
uv run pytest src/backend/tests/unit/api/v1/test_deployment_mapper_base.py src/backend/tests/unit/api/v1/test_deployment_schemas.py
cd src/lfx && uv sync && uv run pytest tests/unit/services/deployment/test_payload_formalization.py

Notes

No concrete provider mapper implementation is included yet; this PR establishes the shared contract foundation and enforcement scaffolding.

Summary by CodeRabbit

New Features
- Added deployment payload mapping and validation framework with per-provider mapper support.
- Enhanced deployment API schemas with stronger type safety for provider-specific payloads.
Documentation
- Added section on payload contract ownership between API and adapter layers.
- Expanded error handling behavior documentation.
Tests
- Added comprehensive tests for deployment mapper and payload schema functionality.

coderabbitai · 2026-03-14T03:06:16Z

Important

Review skipped

Auto incremental reviews are disabled on this repository.

Please check the settings in the CodeRabbit UI or the .coderabbit.yaml file in this repository. To trigger a single review, invoke the @coderabbitai review command.

⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

Run ID: f3c892f7-b918-4fab-b242-b263e4a75743

You can disable this status message by setting the reviews.review_status to false in the CodeRabbit configuration file.

Use the checkbox below for a quick retry:

🔍 Trigger review

Walkthrough

Introduces a deployment payload mapping and validation framework spanning the LFX adapter layer and Langflow API. Adds payload slot primitives for validation, deployment mapper registries with provider-specific overrides, and generic-typed schemas enabling provider-specific payload handling across adapter and API boundaries.

Changes

Cohort / File(s)	Summary
Secrets baseline update `.secrets.baseline`	Updated timestamp and adjusted line numbers for secret keyword entries in test files.
Payload primitives and core infrastructure `src/lfx/src/lfx/services/adapters/payload.py`, `src/lfx/src/lfx/services/adapters/__init__.py`	New AdapterPayloadValidationError exception, PayloadSlot[T] generic validator wrapping Pydantic models, and ProviderPayloadSchemas registry base. Exports these primitives from adapters module.
Deployment payload taxonomy `src/lfx/src/lfx/services/adapters/deployment/payloads.py`, `src/lfx/src/lfx/services/adapters/deployment/__init__.py`, `src/lfx/src/lfx/services/adapters/deployment/base.py`	Introduces TypeVars for deployment payload shapes (DeploymentSpec, Config, Update, ExecutionInput, etc.), frozen DeploymentPayloadFields/DeploymentPayloadSchemas dataclasses defining canonical slot registry, and adds payload_schemas ClassVar to BaseDeploymentService.
Deployment API mapper layer `src/backend/base/langflow/api/v1/mappers/__init__.py`, `src/backend/base/langflow/api/v1/mappers/deployments/__init__.py`, `src/backend/base/langflow/api/v1/mappers/deployments/base.py`	New mapper infrastructure: BaseDeploymentMapper with resolve_* inbound and shape_* outbound methods performing optional payload validation via slots, DeploymentApiPayloads frozen dataclass, and DeploymentMapperRegistry for per-provider mapper overrides with default fallback.
Deployment schema generics refactoring `src/lfx/src/lfx/services/adapters/deployment/schema.py`	Replaces loose ProviderPayload typing with strongly-typed Generic classes parametrized by TypeVars (T_DeploymentSpec, T_DeploymentConfig, T_ProviderResult, etc.). Updates ProviderDataModel, ProviderResultModel, ProviderSpecModel, BaseDeploymentData, and all list/result types to carry provider-specific payloads via generics.
Tests for payload system `src/backend/tests/unit/api/v1/test_deployment_mapper_base.py`, `src/backend/tests/unit/api/v1/test_deployment_schemas.py`, `src/lfx/tests/unit/services/deployment/test_payload_formalization.py`	Validates BaseDeploymentMapper passthrough/validation behavior, DeploymentMapperRegistry registration and defaults, slot parse/dump round-trips, generic parametrization across schema types, and error handling via AdapterPayloadValidationError.
Documentation `src/lfx/PLUGGABLE_SERVICES.md`	Added "Payload Contract Ownership" section detailing adapter vs. API layer payload ownership, shared LFX slot primitives, and deployment-specific examples. Expanded error handling documentation with entry point, TOML, and configuration behavior.

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20 minutes

🚥 Pre-merge checks | ✅ 5 | ❌ 2

❌ Failed checks (2 warnings)

Check name	Status	Explanation	Resolution
Docstring Coverage	⚠️ Warning	Docstring coverage is 11.54% which is insufficient. The required threshold is 80.00%.	Write docstrings for the functions missing them to satisfy the coverage threshold.
Test Quality And Coverage	⚠️ Warning	Test quality has significant gaps: inadequate coverage (2 new methods despite major schema changes), smoke tests lack behavior validation, low assertion density (73 across 28 tests), security vulnerability unfixed in AdapterPayloadValidationError message leaking secrets to logs, and insufficient AsyncSession testing.	Fix security vulnerability by removing {error} from AdapterPayloadValidationError message. Expand test_deployment_schemas.py with comprehensive error case tests. Replace smoke tests with behavior-validation tests. Add integration tests with real AsyncSession mocks and edge case testing for malformed payloads.

✅ Passed checks (5 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The PR title accurately summarizes the main change: unifying payload passthrough from the API layer to the adapter layer for deployments, which is the primary focus of this comprehensive PR.
Test Coverage For New Implementations	✅ Passed	The PR includes comprehensive test coverage with three test files (189+221+27=437 new lines) corresponding to major implementations (payload.py, payloads.py, base.py mappers). Test-to-code ratio of ~1.65:1 demonstrates substantial test coverage following proper Python naming conventions.
Test File Naming And Structure	✅ Passed	All test files follow pytest naming conventions, are located in appropriate directories, have descriptive test names, include proper markers and parametrization, and provide comprehensive coverage of positive, negative, and edge case scenarios.
Excessive Mock Usage Warning	✅ Passed	Three new test files demonstrate excellent test design with zero use of mock objects, instantiating real objects and performing direct assertions.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

Create PR with unit tests
Post copyable unit tests in a comment
Commit unit tests in branch deployment-schema-unify

📝 Coding Plan

Generate coding plan for human review comments

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

Tip

You can customize the high-level summary generated by CodeRabbit.

Configure the reviews.high_level_summary_instructions setting to provide custom instructions for generating the high-level summary.

github-actions · 2026-03-14T03:08:10Z

Frontend Unit Test Coverage Report

Coverage Summary

Lines	Statements	Branches	Functions
	24.17% (8626/35678)	16.93% (4757/28093)	16.91% (1264/7474)

Unit Test Results

Tests	Skipped	Failures	Errors	Time
2779	0 💤	0 ❌	0 🔥	48.544s ⏱️

codecov · 2026-03-14T03:09:37Z

Codecov Report

❌ Patch coverage is 98.97959% with 2 lines in your changes missing coverage. Please review.
⚠️ Please upload report for BASE (release-1.9.0@37cf0a1). Learn more about missing BASE report.

Files with missing lines	Patch %	Lines
...lfx/src/lfx/services/adapters/deployment/schema.py	95.23%	1 Missing and 1 partial ⚠️

Additional details and impacted files

@@               Coverage Diff                @@
##             release-1.9.0   #12190   +/-   ##
================================================
  Coverage                 ?   38.61%           
================================================
  Files                    ?     1633           
  Lines                    ?    80621           
  Branches                 ?    12155           
================================================
  Hits                     ?    31130           
  Misses                   ?    47739           
  Partials                 ?     1752

Flag	Coverage Δ
backend	`57.44% <100.00%> (?)`
frontend	`21.59% <ø> (?)`
lfx	`44.65% <98.56%> (?)`

Flags with carried forward coverage won't be shown. Click here to find out more.

Files with missing lines	Coverage Δ
...d/base/langflow/api/v1/mappers/deployments/base.py	`100.00% <100.00%> (ø)`
...c/lfx/src/lfx/services/adapters/deployment/base.py	`100.00% <100.00%> (ø)`
...x/src/lfx/services/adapters/deployment/payloads.py	`100.00% <100.00%> (ø)`
...fx/src/lfx/services/adapters/deployment/service.py	`100.00% <ø> (ø)`
src/lfx/src/lfx/services/adapters/payload.py	`100.00% <100.00%> (ø)`
src/lfx/src/lfx/services/interfaces.py	`100.00% <ø> (ø)`
...lfx/src/lfx/services/adapters/deployment/schema.py	`94.66% <95.23%> (ø)`

🚀 New features to boost your workflow:

❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

coderabbitai

Actionable comments posted: 2

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (2)

src/lfx/src/lfx/services/adapters/deployment/schema.py (2)
187-197: ⚠️ Potential issue | 🟠 Major

These three payload-bearing models are missing Generic inheritance, breaking type specialization.

DeploymentConfig, DeploymentUpdate, and ExecutionCreate use unbound type variables (T_DeploymentConfig, T_DeploymentUpdate, T_ExecutionInput) in field annotations but inherit plain BaseModel instead of Generic. This prevents callers from specializing these models with concrete types and violates the typing pattern established elsewhere in the file (e.g., ProviderResultModel, ProviderDataModel).
Fix
-class DeploymentConfig(BaseModel):
+class DeploymentConfig(BaseModel, Generic[T_DeploymentConfig]):
@@
-class DeploymentUpdate(BaseModel):
+class DeploymentUpdate(BaseModel, Generic[T_DeploymentUpdate]):
@@
-class ExecutionCreate(BaseModel):
+class ExecutionCreate(BaseModel, Generic[T_ExecutionInput]):
Also applies to: 490-499, 535-543
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In `@src/lfx/src/lfx/services/adapters/deployment/schema.py` around lines 187 -
197, The three Pydantic models (DeploymentConfig, DeploymentUpdate,
ExecutionCreate) are using unbound type variables (T_DeploymentConfig,
T_DeploymentUpdate, T_ExecutionInput) in field annotations but currently inherit
only BaseModel; update each class signature to inherit Generic with the matching
type variable (e.g., class DeploymentConfig(BaseModel,
Generic[T_DeploymentConfig]) and similarly for DeploymentUpdate and
ExecutionCreate) and ensure Generic is imported from typing so the models can be
specialized with concrete types consistent with the pattern used by
ProviderResultModel/ProviderDataModel.
313-324: ⚠️ Potential issue | 🟠 Major

DeploymentCreateResult[_T] leaves provider_result untyped due to multi-inheritance.

The test assertion at lines 187-190 confirms that provider_result resolves to dict instead of the type parameter. When DeploymentCreateResult[_ResultModel] is instantiated, only T_DeploymentCreateResult binds to _ResultModel, while T_DeploymentSpec (from the inherited BaseDeploymentData → ProviderSpecModel[T_DeploymentSpec]) remains unbound and defaults to AdapterPayload, causing the provider_result field to lose its type parameterization.

This breaks the typed outbound contract. Compare with DeploymentOperationResult[_ResultModel], which inherits only from ProviderResultModel[T_DeploymentOperationResult] and correctly types provider_result as _ResultModel.

Resolve by either pinning T_DeploymentSpec to AdapterPayload explicitly in DeploymentCreateResult, or exposing both type parameters separately so callers can parameterize both the spec and result types independently.
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In `@src/lfx/src/lfx/services/adapters/deployment/schema.py` around lines 313 -
324, DeploymentCreateResult currently leaves the spec type unbound so
provider_result becomes untyped; fix by binding the spec type when inheriting
BaseDeploymentData so both type variables are resolved—i.e., change the class
inheritance so DeploymentCreateResult inherits from
BaseDeploymentData[AdapterPayload] and
ProviderResultModel[T_DeploymentCreateResult] (or alternatively expose two
generics on DeploymentCreateResult so callers can supply both T_DeploymentSpec
and T_DeploymentCreateResult), ensuring symbols to update are
DeploymentCreateResult, BaseDeploymentData, ProviderResultModel,
T_DeploymentSpec, T_DeploymentCreateResult, and AdapterPayload.

🧹 Nitpick comments (2)

src/backend/tests/unit/api/v1/test_deployment_schemas.py (1)

199-222: Add strict-wrapper negative tests for unknown top-level fields.

These additions validate passthrough, but they don’t yet assert strict-wrapper rejection behavior for extra inputs on the same request surfaces.

🧪 Suggested test additions

 class TestSharedKernelProviderPayloadCompatibility:
@@
     def test_config_create_accepts_provider_config_dict_through_strict_wrapper(self):
         payload = DeploymentConfigCreate(
@@
         assert payload.raw_payload is not None
         assert payload.raw_payload.provider_config == {"timeout_s": 30, "flags": {"dry_run": True}}
+
+    def test_create_request_rejects_unknown_top_level_spec_fields(self):
+        with pytest.raises(ValidationError, match="Extra inputs"):
+            DeploymentCreateRequest(
+                provider_id=uuid4(),
+                spec={
+                    "name": "deployment",
+                    "description": "",
+                    "type": "agent",
+                    "provider_spec": {"region": "us-east-1"},
+                    "unknown_field": "x",
+                },
+            )
+
+    def test_config_create_rejects_unknown_top_level_raw_payload_fields(self):
+        with pytest.raises(ValidationError, match="Extra inputs"):
+            DeploymentConfigCreate(
+                raw_payload={
+                    "name": "cfg",
+                    "description": "cfg-desc",
+                    "provider_config": {"timeout_s": 30},
+                    "unknown_field": "x",
+                }
+            )

As per coding guidelines: "Test both sync and async code paths, mock external dependencies appropriately, test error handling and edge cases, validate input/output behavior."

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@src/backend/tests/unit/api/v1/test_deployment_schemas.py` around lines 199 -
222, Add negative tests in TestSharedKernelProviderPayloadCompatibility that
assert the strict-wrapper rejects unknown top-level fields: add a test (e.g.,
test_create_request_rejects_unknown_top_level_field) that passes a spec
containing an extra unknown key alongside provider_spec to
DeploymentCreateRequest and asserts a pydantic.ValidationError is raised; and
add another test (e.g., test_config_create_rejects_unknown_top_level_field) that
passes raw_payload with an extra unknown top-level key to DeploymentConfigCreate
and asserts pydantic.ValidationError is raised. Use
pytest.raises(pydantic.ValidationError) to verify the strict-wrapper rejection
for the symbols DeploymentCreateRequest and DeploymentConfigCreate (and their
spec/raw_payload attributes).

src/backend/tests/unit/api/v1/test_deployment_mapper_base.py (1)

47-55: Add one configured outbound-slot case to this file.

All of the shape_* assertions currently run against BaseDeploymentMapper() with no outbound slots configured, so a shaper that ignores api_payloads.*_result / api_payloads.*_data would still pass. Please add at least one typed outbound slot and one invalid-payload assertion to cover the new contract end to end.

Also applies to: 144-162

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@src/backend/tests/unit/api/v1/test_deployment_mapper_base.py` around lines 47
- 55, The tests only exercise BaseDeploymentMapper with no outbound slots
configured (api_payloads as constructed), so add a case that configures at least
one outbound PayloadSlot (e.g., set api_payloads.deployment_update_outbound =
PayloadSlot(_ApiUpdate) or similar) and instantiate the mapper with that
outbound slot; then add a shape_* assertion that checks the mapper validates
outbound payload types (use the existing shape_* helpers to assert the correct
shaped outbound result) and include an invalid-payload assertion that supplies a
deliberately malformed payload for that outbound slot and asserts the mapper
raises/returns the expected validation error; update both the existing block
around api_payloads and the mirrored block at lines 144-162 to include the new
outbound-slot configuration and invalid-payload assertion so the contract is
covered end-to-end.

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@src/lfx/src/lfx/services/adapters/deployment/payloads.py`:
- Around line 11-28: The TypeVars T_DeploymentSpec...T_ListParamsPayload are
declared with default=AdapterPayload which conflicts with PayloadSlot (expects
T_Model bound=BaseModel) and prevents class-level parameterization; fix by
replacing those TypeVars used in PayloadSlot fields with BaseModel-bound
TypeVars (e.g., change T_DeploymentSpec = TypeVar("T_DeploymentSpec",
bound=BaseModel) etc.) or alternatively create a separate set of TypeVars for
model payloads (e.g., T_DeploymentSpecModel bound=BaseModel) while keeping the
adapter/unbounded TypeVars for schema usage, and then update
DeploymentPayloadFields to inherit Generic[...] with the appropriate TypeVar
names and adjust any schema.py usage to accept the new bound TypeVars.

In `@src/lfx/src/lfx/services/adapters/payload.py`:
- Around line 34-37: The exception currently includes the raw ValidationError
string in the public message which can leak input fragments; change the __init__
of the payload exception (the __init__(*, model_name: str, error:
ValidationError) method that sets self.model_name and self.error) to call
super().__init__ with a sanitized message that does NOT include the error
details (e.g. f"Invalid payload for '{model_name}'") while still assigning
self.error = error so the original ValidationError is retained on the instance
for internal debugging.

---

Outside diff comments:
In `@src/lfx/src/lfx/services/adapters/deployment/schema.py`:
- Around line 187-197: The three Pydantic models (DeploymentConfig,
DeploymentUpdate, ExecutionCreate) are using unbound type variables
(T_DeploymentConfig, T_DeploymentUpdate, T_ExecutionInput) in field annotations
but currently inherit only BaseModel; update each class signature to inherit
Generic with the matching type variable (e.g., class DeploymentConfig(BaseModel,
Generic[T_DeploymentConfig]) and similarly for DeploymentUpdate and
ExecutionCreate) and ensure Generic is imported from typing so the models can be
specialized with concrete types consistent with the pattern used by
ProviderResultModel/ProviderDataModel.
- Around line 313-324: DeploymentCreateResult currently leaves the spec type
unbound so provider_result becomes untyped; fix by binding the spec type when
inheriting BaseDeploymentData so both type variables are resolved—i.e., change
the class inheritance so DeploymentCreateResult inherits from
BaseDeploymentData[AdapterPayload] and
ProviderResultModel[T_DeploymentCreateResult] (or alternatively expose two
generics on DeploymentCreateResult so callers can supply both T_DeploymentSpec
and T_DeploymentCreateResult), ensuring symbols to update are
DeploymentCreateResult, BaseDeploymentData, ProviderResultModel,
T_DeploymentSpec, T_DeploymentCreateResult, and AdapterPayload.

---

Nitpick comments:
In `@src/backend/tests/unit/api/v1/test_deployment_mapper_base.py`:
- Around line 47-55: The tests only exercise BaseDeploymentMapper with no
outbound slots configured (api_payloads as constructed), so add a case that
configures at least one outbound PayloadSlot (e.g., set
api_payloads.deployment_update_outbound = PayloadSlot(_ApiUpdate) or similar)
and instantiate the mapper with that outbound slot; then add a shape_* assertion
that checks the mapper validates outbound payload types (use the existing
shape_* helpers to assert the correct shaped outbound result) and include an
invalid-payload assertion that supplies a deliberately malformed payload for
that outbound slot and asserts the mapper raises/returns the expected validation
error; update both the existing block around api_payloads and the mirrored block
at lines 144-162 to include the new outbound-slot configuration and
invalid-payload assertion so the contract is covered end-to-end.

In `@src/backend/tests/unit/api/v1/test_deployment_schemas.py`:
- Around line 199-222: Add negative tests in
TestSharedKernelProviderPayloadCompatibility that assert the strict-wrapper
rejects unknown top-level fields: add a test (e.g.,
test_create_request_rejects_unknown_top_level_field) that passes a spec
containing an extra unknown key alongside provider_spec to
DeploymentCreateRequest and asserts a pydantic.ValidationError is raised; and
add another test (e.g., test_config_create_rejects_unknown_top_level_field) that
passes raw_payload with an extra unknown top-level key to DeploymentConfigCreate
and asserts pydantic.ValidationError is raised. Use
pytest.raises(pydantic.ValidationError) to verify the strict-wrapper rejection
for the symbols DeploymentCreateRequest and DeploymentConfigCreate (and their
spec/raw_payload attributes).

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

Push a commit to this branch (recommended)
Create a new PR with the fixes

ℹ️ Review info

⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

Run ID: e07471ac-7567-4485-905f-56d00e8f9087

📥 Commits

Reviewing files that changed from the base of the PR and between 1dafc75 and f9cbb0e.

📒 Files selected for processing (14)

.secrets.baseline
src/backend/base/langflow/api/v1/mappers/__init__.py
src/backend/base/langflow/api/v1/mappers/deployments/__init__.py
src/backend/base/langflow/api/v1/mappers/deployments/base.py
src/backend/tests/unit/api/v1/test_deployment_mapper_base.py
src/backend/tests/unit/api/v1/test_deployment_schemas.py
src/lfx/PLUGGABLE_SERVICES.md
src/lfx/src/lfx/services/adapters/__init__.py
src/lfx/src/lfx/services/adapters/deployment/__init__.py
src/lfx/src/lfx/services/adapters/deployment/base.py
src/lfx/src/lfx/services/adapters/deployment/payloads.py
src/lfx/src/lfx/services/adapters/deployment/schema.py
src/lfx/src/lfx/services/adapters/payload.py
src/lfx/tests/unit/services/deployment/test_payload_formalization.py

…dapter

* test: add upgrade migration check to ci (#12061) * Add upgrade migration check to ci * [autofix.ci] apply automated fixes * Add fetch step * ruff * Add merge migration * Revert "Add merge migration" This reverts commit fd32424739a758646e77c5967420198ff21b5970. backups * coderabbit suggestions 1. Shell hardening in workflow - set -euo pipefail, full path grep, quoted variables 2. _WORKSPACE_ROOT extracted as module constant (also addresses Cristhianzl's review comment about parents[5] duplication) 3. git missing returns None instead of raising FileNotFoundError 4. # noqa: S603 added to subprocess.run (fixes the Ruff CI failure) 5. FK noise filtering now also compares target table/column, not just ondelete/onupdate 6. Removed redundant git fetch origin main step (fetch-depth: 0 already fetches all branches) 7. Deduplicated Alembic config creation in _get_main_branch_head (moved before the if branch) 8. Simplified dict type hints (removed unnecessary dict[tuple, object]) * test: improve migration tests from PR review feedback - Narrow broad except clause to only wrap subprocess.run call - Add specific error messages for multi-head and unresolvable revisions - Remove redundant hardcoded schema test (covered by compare_metadata) - Fix SQLite FK noise filter to skip ondelete/onupdate comparison - Add downgrade verification to test_upgrade_from_main_branch - Add test file and workflow to CI trigger paths - Add prompt for follow-up PostgreSQL migration test PR Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com> * add engine check on downgrade * [autofix.ci] apply automated fixes * fix: harden CI error handling and test robustness - Set validationPassed=false when validator crashes so CI fails instead of passing silently - Wrap GitHub API calls in try-catch so comment-posting failures don't mask validation results - Preserve git stderr in warnings for better CI debugging - Add defensive handling for unexpected FK constraint shapes in SQLite noise filter - Clean up SQLite WAL/SHM/journal companion files in test teardown * Add explicit fetch to main * ruff * [autofix.ci] apply automated fixes * Add sqlite filter tests and remove redundant fetch --------- Co-authored-by: autofix-ci[bot] <114827586+autofix-ci[bot]@users.noreply.github.com> Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com> * feat(deployments): unify payload passthrough from api to adapter (#12190) * feat(deployments): unify dynamic payload passthrough across api and adapter * use datatime.timezone for python3.10 compatibility * use appropriate type vars in slots and sanitize error message * tweaks to schemas * use policy to avoid dump churn * fix: allow clearing Max Tokens field with Backspace/Delete (#12198) * fix: allow clearing Max Tokens field with Backspace/Delete Empty string input was being converted to 0 via Number(""), which triggered the min-value guard and snapped the field back to 1 before onChange could propagate. Adding an early return for empty input lets the field clear correctly, propagating null (no limit) downstream. * test: add IntComponent tests for handleInputChange clearing behavior Covers the regression where Backspace/Delete was blocked by the min-value guard, and verifies that below-min values still clamp correctly. * fix: Resolve CodeQL false positives for path injection and URL substring sanitization (#12201) * fix: Add explicit left/right DataFrame inputs for merge operations (#12177) * add explicit left/right DataFrame inputs for merge operations * [autofix.ci] apply automated fixes * [autofix.ci] apply automated fixes (attempt 2/3) * [autofix.ci] apply automated fixes * ruff style and checker fixes --------- Co-authored-by: autofix-ci[bot] <114827586+autofix-ci[bot]@users.noreply.github.com> * fix: add dict to allowlist preventing TableInput data loss (#12074) * fix: add dict to allowlist preventing TableInput data loss Co-Authored-By: DeyLak <DeyLak@users.noreply.github.com> * test: add regression test for TableInput list[dict] preservation Regression test for: https://github.com/langflow-ai/langflow/issues/12062 Co-Authored-By: DeyLak <DeyLak@users.noreply.github.com> --------- Co-authored-by: DeyLak <DeyLak@users.noreply.github.com> Co-authored-by: Cristhian Zanforlin Lousa <cristhian.lousa@gmail.com> * chore: update pyproject versions 1.9.0 update pyproject versions 1.9.0 * fix: 1.9.0 nightly 1.9.0 nightly fix * feat: add wxO deployment adapter (#12079) * checkout wxo deployment adapter implementation * checkout wxo deps and flow reqs impl * clean up / minor refactor with updated tests * major refactor: split up the implementation into folders and files * clean up logic * refactor and clean up of execution logic, improve type safety of "retry_create" helper, and remove dead code * remove unused wxo service file * remove "provider_name" arg and references * fix: harden watsonx orchestrate deployment adapter for PR readiness - Fix rollback AttributeError when agent_create_response is None - Fix NoneType access on params in list() when called without params - Fix inconsistent error types: use DeploymentNotFoundError in get/update - Fix typo "occured" -> "occurred" in all error prefix messages - Fix variable shadowing of fastapi.status in get_status() - Fix pre-existing test bugs (wrong exception types, stale method refs) - Fix e2e monkey-patching of non-existent service methods - Add structured logging to create, delete, retry, and rollback flows - Add jitter to retry backoff to avoid thundering herd - Add __repr__ to WxOCredentials that fully masks the API key - Extract hard-coded LLM model string to DEFAULT_WXO_AGENT_LLM constant - Remove commented-out snapshot update code - Expand test coverage from 24 to 75 tests covering retry logic, service methods, client auth, utilities, execution/status helpers, and artifact roundtrip * fix(deployment): fix bugs and harden watsonx orchestrate adapter - Fix update method silently discarding changes instead of sending them to the WXO API - Wrap all synchronous SDK calls in asyncio.to_thread to avoid blocking the event loop - Add error handling to get_status (was propagating raw exceptions) - Use DeploymentType enum values instead of raw strings for SUPPORTED_ADAPTER_DEPLOYMENT_TYPES - Fix type annotations in list method (list -> set) - Fix typo in comment (reccomend -> recommend) - Remove dead code: extract_agent_connection_ids, require_exclusive_resource, require_non_empty_string, resolve_health_environment_id, fetch_agent_release_status, normalize_release_status, resolve_lfx_runner_requirement, _pin_requirement_name, sync_langflow_tool_connections, create_langflow_flow_tool, resolve_snapshot_connections, and unused constants - Make assert_create_resources_available and validate_connection async - Make create_agent_run and get_agent_run async - Add tests for list_types, get_status error handling, and update side-effects - Update existing tests for async function signatures * actually remove the dead code from tools.py * properly await "validate_connection" * update e2e test file * add more scenarios to e2e test runner * refactor(watsonx-orchestrate): improve WxOClient encapsulation and error messages Encapsulate SDK private method access and endpoint paths inside WxOClient wrappers so callers never handle raw paths or touch internal _get/_post methods. Route all private HTTP calls through a single _base client auto-created in __post_init__, removing the externally constructed `base` field. Additionally fix double-period and redundant text in error messages produced by the ErrorPrefix + handler pattern, and update E2E/unit assertions to match the sanitised error output. Changes: - types.py: bake endpoint paths into wrapper signatures (post_run, get_run, upload_tool_artifact, get_agents_raw); auto-create _base via __post_init__; remove base from constructor - client.py: drop BaseWXOClient import and base= constructor arg - core/execution.py: pass run_id / query_suffix instead of raw paths - core/tools.py: pass tool_id instead of raw path - service.py: fix double-period in ErrorPrefix interpolation; remove redundant restatements in generic except handlers - tests: update _with_wxo_wrappers helper and test doubles to use _base; update FakeBaseClient._get to accept params - e2e: update rollback scenario detail_contains to match sanitised msg * skip import and tests of wxo adapter if current env is running python 3.10 * clarify random prefix / retry behavior * implement comments * fix: align watsonx adapter with updated deployment schema - Add `deployment_type` parameter to `get`, `update`, `redeploy`, `duplicate`, `delete`, `get_status`, and `undeploy_deployment` in WatsonxOrchestrateDeploymentService to match the updated BaseDeploymentService ABC - Update e2e script to use renamed `add_ids` field on SnapshotDeploymentBindingUpdate * remove non-interface method undeploy_deployment * implement listing configs and snapshots * add update implementation and improve http->deployment error translation and add tests * improve exception handling * checkout payload slot work * custom payload schema for update * new update implementation * stop passing client cache to helpers * add docs for ordereduniquests * improve import patterns and document future risks for wxo dependencies * remove global-variable prefixing of flows * ref: harden typing, DRY helpers, and correctness fixes - Replace `db: Any` with `db: AsyncSession` across client, config, and update_helpers modules - Extract `_ensure_dict` / `ensure_langflow_connections_binding` helpers to eliminate repeated nested-dict safety logic in tools.py and update_helpers.py, with documentation explaining why malformed API payloads are silently corrected rather than rejected - Use `PayloadSlot.parse()` for update payload validation instead of standalone helper; remove `parse_provider_update_payload` - Fix lambda late-binding with default-argument captures in service.py - Use `zip(strict=True)` in update_helpers for defensive mismatch detection - Replace O(n²) duplicate detection with `collections.Counter` in payloads.py - Simplify `dedupe_list` to `list(dict.fromkeys(...))` - Move type-annotation-only imports into TYPE_CHECKING blocks in types.py and config.py - Introduce `UPDATE_MAX_RETRIES` as a distinct constant from `CREATE_MAX_RETRIES` - Fix "watsonX" → "watsonx" casing in error messages - Clarify `get_status` docstring and `validate_connection` error message - Add TODO(deployments-cache) for client cache invalidation on credential updates * ref: drop client cache and adopt typed deployment context across the wxo adapter path, add request-context memoization with strict mixed-context guards, and lazily initialize wxo SDK clients. Add safer credential handling by storing only authenticators in WxOCredentials. Also improve provider error-detail extraction/messages and make the direct wxo E2E conflict scenario diagnostics and expectations more resilient. * use explicit naming for context class; providerId * fix error handling, retry safety, and exception diagnostics in wxo adapter - Raise DeploymentError on empty API responses instead of fabricating fake success in create_agent_run_result and get_agent_run - Elevate rollback failure logging from WARNING to ERROR for alerting - Apply retryable filter to retry_rollback to skip 401/403/409/422 - Preserve exception chains (from exc) instead of suppressing (from None) across service.py, utils.py, execution.py, and update_helpers.py - Broaden credential resolution catch to handle arbitrary DB exceptions - Separate status code dispatch from string heuristics in raise_for_status_and_detail to prevent misclassification - Add tests for all behavioral changes * [autofix.ci] apply automated fixes * fix: harden wxO adapter safety, immutability, and error diagnostics - Make WxOClient and WxOCredentials frozen dataclasses with eager SDK client initialization to eliminate thread-safety races from asyncio.to_thread workers and prevent post-construction mutation - Move instance_url validation and normalization into type __post_init__ - Raise DeploymentError on missing run_id instead of returning partial success with execution_id=None - Preserve exception chains (from exc) instead of suppressing (from None) across create, update, and delete service methods - Add warning logs when _ensure_dict replaces non-dict binding values and when _resolve_lfx_requirement falls back to minimum version - Initialize derived_spec before try block to prevent potential NameError - Log all ToolUploadBatchError errors before re-raising the first - Change SUPPORTED_ADAPTER_DEPLOYMENT_TYPES from mutable set to frozenset - Add tests for 409/422 error mapping in create, unsupported deployment type rejection, empty update rejection, zip artifact extraction paths, validate_connection negative paths, missing run_id, multiple deployment ID rejection, exception chain preservation, and _ensure_dict warning * [autofix.ci] apply automated fixes * fix ruff errors and and todo for status method * fix mypy errors * [autofix.ci] apply automated fixes --------- Co-authored-by: Jordan Frazier <jordan.frazier@datastax.com> Co-authored-by: autofix-ci[bot] <114827586+autofix-ci[bot]@users.noreply.github.com> * fix: 1.9.0 nightly (#12210) fix 1.9.0 nightly * fix(mcp): Add schema-driven type conversion (#11796) * fix: nightly now properly gets 1.9.0 branch (#12215) before it was attempting to pull release-notes as letters are alphanumerically after numbers when we sort -V then grab tail now we only look at branch names that follow the pattern '^release-[0-9]+\.[0-9]+\.[0-9]+$' * fix(mcp): Add schema-driven type conversion - Add schema-driven type conversion (str→dict, str→int, etc.) - normalize and unflatten tool arguments for MCP servers - Unflatten flattened keys (e.g. params.search) into nested objects * fix(mcp): handle dict type and array type in JSON schema for MCP tools - Support "type": ["string", "null"] (JSON Schema array type) - Normalize required to hashable elements (filter non-string entries) - Add unit tests for create_input_schema_from_json_schema * fix(mcp): map generic object type to dict for free-form params When JSON schema has {"type": "object"} with no properties, treat it as a free-form dict instead of building a nested Pydantic model. This allows MCP servers expecting arbitrary key-value params to receive proper dicts, and enables str→dict conversion via _normalize_arguments_for_mcp. - Add conditional in parse_type: empty properties → dict, else nested model - Add test_create_input_schema_generic_object_maps_to_dict * fix(mcp): exclude None from tool arguments sent to MCP servers * test_mcp: add more tests for datatypes * fix(mcp): parse JSON strings for nested model params (e.g. foreman-mcp) * fix(mcp): refactor _try_convert_value reducing repetition * fix(mcp): add missing tests for remaining use cases * fix(mcp): Fix mapping of None if expected is list, dict or str * Update nightly_build.yml --------- Co-authored-by: Adam-Aghili <149833988+Adam-Aghili@users.noreply.github.com> Co-authored-by: Eric Hare <ericrhare@gmail.com> * fix: prevent overwriting user-selected global variables in provider c… (#12217) * fix: nightly now properly gets 1.9.0 branch (#12215) before it was attempting to pull release-notes as letters are alphanumerically after numbers when we sort -V then grab tail now we only look at branch names that follow the pattern '^release-[0-9]+\.[0-9]+\.[0-9]+$' * docs: add search icon (#12216) add-back-svg * fix: prevent overwriting user-selected global variables in provider config Previously, the apply_provider_variable_config_to_build_config function would automatically overwrite field values with environment variable keys whenever an env var was present, even if the user had already selected a different global variable. This fix adds a check to only auto-set the environment variable if: - The field is currently empty, OR - The field is not already configured to load from the database This preserves user selections while still providing automatic configuration for new/empty fields. Added comprehensive unit tests to verify: - Auto-setting env vars for empty fields - Preserving user-selected global variables - Overwriting hardcoded values (expected behavior) - Skipping when env var is not set - Applying component metadata correctly * [autofix.ci] apply automated fixes * style: use dictionary comprehension instead of for-loop Fixed PERF403 Ruff style warning by replacing for-loop with dictionary comprehension in update_projects_components_with_latest_component_versions * chore: retrigger CI build * test: improve test coverage and clarity for provider config - Renamed test_apply_provider_config_overwrites_hardcoded_value to test_apply_provider_config_replaces_hardcoded_with_env_var for clarity - Added test_apply_provider_config_idempotent_when_already_set to document idempotent behavior when value already matches env var key - Removed sensitive value from debug log message to prevent potential exposure of API keys or credentials These changes improve test coverage by documenting the no-op scenario and enhance security by avoiding logging of potentially sensitive data. * chore: retrigger CI build --------- Co-authored-by: Adam-Aghili <149833988+Adam-Aghili@users.noreply.github.com> Co-authored-by: Mendon Kissling <59585235+mendonk@users.noreply.github.com> Co-authored-by: Steve Haertel <shaertel@ca.ibm.com> Co-authored-by: autofix-ci[bot] <114827586+autofix-ci[bot]@users.noreply.github.com> Co-authored-by: Eric Hare <ericrhare@gmail.com> * fix: Fixed CodeQL security scan about Incomplete URL substring sanitization on watsonx test suite (#12212) * fix: Fixed CodeQL security scan about Incomplete URL substring sanitization * fix coderabbitai comments * fix: nightly now properly gets 1.9.0 branch (#12215) before it was attempting to pull release-notes as letters are alphanumerically after numbers when we sort -V then grab tail now we only look at branch names that follow the pattern '^release-[0-9]+\.[0-9]+\.[0-9]+$' * fix failing action * docs: add search icon (#12216) add-back-svg * Revert "Merge branch 'main' into dev-fix-security-code-scan-watsonx" This reverts commit 41eb034e1136f08fb4e5fe3748c14ff06c0c8a56, reversing changes made to 4e51f4d836885552b93258e0e797750a22a36e14. * Revert "Merge branch 'main' into dev-fix-security-code-scan-watsonx" This reverts commit 4e51f4d836885552b93258e0e797750a22a36e14, reversing changes made to 530bddd0a4193095bd575467d428d9d208e9c680. --------- Co-authored-by: Adam-Aghili <149833988+Adam-Aghili@users.noreply.github.com> Co-authored-by: Mendon Kissling <59585235+mendonk@users.noreply.github.com> * fix: remove ibm-watsonx extra from complete installation (#12230) * docs: lfx readme content (#11870) * docs-add-lfx-content-to-readme * github-link-syntax * allowlist-blocklist * docs: add a copy to markdown button to docusaurus theme (#12189) * copy-page-component * copy-theme-and-add-button * docs: add versioning (#12218) * fix: nightly now properly gets 1.9.0 branch (#12215) before it was attempting to pull release-notes as letters are alphanumerically after numbers when we sort -V then grab tail now we only look at branch names that follow the pattern '^release-[0-9]+\.[0-9]+\.[0-9]+$' * docs: add search icon (#12216) add-back-svg * initial-content * cut-1.8-release-and-include-next-version * stage-1.8.0-and-next --------- Co-authored-by: Adam-Aghili <149833988+Adam-Aghili@users.noreply.github.com> * docs: replace api build automation (#12214) * remove-workflows-file-and-script * tag-hidden-endpoints * update-scripts-and-specs * fix: nightly now properly gets 1.9.0 branch (#12215) before it was attempting to pull release-notes as letters are alphanumerically after numbers when we sort -V then grab tail now we only look at branch names that follow the pattern '^release-[0-9]+\.[0-9]+\.[0-9]+$' * docs: add search icon (#12216) add-back-svg --------- Co-authored-by: Adam-Aghili <149833988+Adam-Aghili@users.noreply.github.com> Co-authored-by: Debojit Kaushik <Kaushik.debojit@gmail.com> * fix: prevent arbitrary file write via path traversal in files endpoint (#12227) * fix(security): prevent arbitrary file write via path traversal in file uploads * [autofix.ci] apply automated fixes --------- Co-authored-by: Janardan S Kavia <janardanskavia@Janardans-MacBook-Pro.local> Co-authored-by: autofix-ci[bot] <114827586+autofix-ci[bot]@users.noreply.github.com> * docs: Add AI coding agent skills for code review, testing, and refactoring (#12241) Add AI coding agent skills for code review, testing, and refactoring * feat: Add Windows Playwright testing to nightly builds (#12221) * feat: add Windows support for Playwright tests in nightly builds - Add windows-latest as runner option in typescript_test.yml - Update Playwright browser installation to be OS-aware (Windows doesn't support --with-deps) - Add matrix strategy to nightly_build.yml to run tests on both Linux and Windows - Update Slack notifications to indicate multi-platform testing - Tests now run in parallel on ubuntu-latest and windows-latest This enables catching Windows-specific regressions early in the nightly build process. * fix: add shell: bash to all script steps for Windows compatibility Windows runners default to PowerShell which doesn't understand bash syntax. All steps with bash scripts now explicitly specify shell: bash to ensure cross-platform compatibility. * feat: make Windows Playwright tests non-blocking initially Add continue-on-error for Windows tests to allow nightly builds to succeed even if Windows-specific issues are found. This gives us visibility into Windows bugs without blocking releases. Windows tests will still run every night and report failures, but won't block the build. Once Windows tests are stable, we can remove this flag. * chore: fix white space chore: fix white space * fix: replace matrix strategy with separate jobs for Windows Playwright tests - GitHub Actions reusable workflows don't support matrix strategy - Split frontend-tests into frontend-tests-linux and frontend-tests-windows - Windows tests are non-blocking (continue-on-error: true) - Updated all job dependencies and Slack notification logic - Addresses PR review comment about matrix limitation * chore: trigger workflow validation refresh --------- Co-authored-by: Adam Aghili <Adam.Aghili@ibm.com> * fix: Avoid foreign key violation on span table with topological sort (#12232) * fix: Foreign key violation on span table * Potential fix for pull request finding Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com> * Potential fix for pull request finding Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com> * address review comments --------- Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com> * fix: use deepcopy to prevent shared reference mutation in component updates (#12252) * fix: use deepcopy to prevent shared reference mutation in component updates Copies template data via deepcopy when updating project components to prevent mutations from leaking between projects through all_types_dict. Also fixes edge updates to use the copied project data and adds cloneDeep in the frontend templatesGenerator. * fix: deepcopy mutable FIELD_FORMAT_ATTRIBUTES and add coverage test - Add deepcopy on field_dict[attr] assignment (line 192) to prevent shared references for mutable attributes like input_types, options, and fileTypes leaking back into all_types_dict - Add test_update_components_does_not_mutate_field_format_attributes to verify the fix covers the FIELD_FORMAT_ATTRIBUTES update path * feat: add support for Langchain 1.0 (#11114) * feat: upgrade to LangChain 1.0 - langchain ~=1.2.0 - langchain-core ~=1.2.3 - langchain-community ~=0.4.1 Updated all langchain-* integration packages to versions compatible with langchain-core 1.0+. * feat(lfx): add langchain-classic dependency for legacy agent classes LangChain 1.0 removed AgentExecutor and related classes to langchain-classic. This adds the dependency to maintain backward compatibility. * refactor(lfx): update imports for LangChain 1.0 compatibility - Move AgentExecutor, agent creators from langchain to langchain_classic - Move AsyncCallbackHandler from langchain.callbacks to langchain_core.callbacks - Move Chain, BaseChatMemory from langchain to langchain_classic - Update LANGCHAIN_IMPORT_STRING for code generation * fix(lfx): make sqlalchemy import lazy in session_scope LangChain 1.0 no longer includes sqlalchemy as a transitive dependency. Move the import inside the function where it's used to avoid import errors when sqlalchemy is not installed. * chore: update uv.lock for langchain-classic * feat: enable nv-ingest optional dependencies for langchain 1.0 - Uncomment nv-ingest-api and nv-ingest-client, update to >=26.1.0 (no longer has openai version conflict) - Bump datasets from <4.0.0 to <5.0.0 to allow fsspec>=2025.5.1 required by nv-ingest - Update mlx-vlm TODO comment with accurate blocking reason * chore: update nv-ingest to 26.1.1 nv-ingest 26.1.1 removes the openai dependency, resolving the conflict with langchain-openai>=1.0.0 (which requires openai>=1.109.1). Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com> * feat: enable mlx and mlx-vlm dependencies for langchain 1.0 opencv-python 4.13+ now supports numpy>=2, resolving the conflict with langchain-aws>=1.0.0 (which requires numpy>=2.2 on Python 3.12+). Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com> * style: fix import order in callback.py Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com> * refactor: update imports to use langchain_classic for agent modules * [autofix.ci] apply automated fixes * fix: remove .item() calls in knowledge_bases.py * fix(lfx): import BaseMemory from langchain_classic for langchain 1.0 * [autofix.ci] apply automated fixes * [autofix.ci] apply automated fixes (attempt 2/3) * refactor: update deprecated langchain imports for langchain 1.0 - langchain.callbacks.base -> langchain_core.callbacks.base - langchain.tools -> langchain_core.tools - langchain.schema -> langchain_core.messages/documents - langchain.chains -> langchain_classic.chains - langchain.retrievers -> langchain_classic.retrievers - langchain.memory -> langchain_classic.memory - langchain.globals -> langchain_core.globals - langchain.docstore -> langchain_core.documents - langchain.prompts -> langchain_core.prompts Also simplified GoogleGenerativeAIEmbeddingsComponent to use native langchain-google-genai 4.x which now supports output_dimensionality. * [autofix.ci] apply automated fixes * fix: add _to_int helper for pandas sum() compatibility across Python versions * fix: update langfuse>=3.8.0 and fix cuga_agent.py (#11519) * fix: update langfuse>=3.8.0 and fix cuga_agent.py * [autofix.ci] apply automated fixes * [autofix.ci] apply automated fixes (attempt 2/3) --------- Co-authored-by: autofix-ci[bot] <114827586+autofix-ci[bot]@users.noreply.github.com> * feat: implement LangFuseTracer for langfuse v3 API compatibility and add unit tests * fix: upgrade cuga to 0.2.9 for langchain 1.0 compatibility * fix: improve error handling and return value in get_langchain_callback method * fix: update package versions for compatibility and improvements * [autofix.ci] apply automated fixes * [autofix.ci] apply automated fixes (attempt 2/3) * [autofix.ci] apply automated fixes (attempt 3/3) * fix: update langwatch dependency to version 0.10.0 for compatibility * fix: update environment variable for Langfuse host to LANGFUSE_BASE_URL * Update dependency versions in Youtube Analysis project - Downgraded googleapiclient from 2.188.0 to 2.154.0 - Updated langchain_core from 1.2.7 to 1.2.9 - Updated fastapi from 0.128.1 to 0.128.5 - Downgraded youtube_transcript_api from 1.2.4 to 1.2.3 - Changed langchain_core version from 1.2.7 to 0.3.81 - Cleared input_types in model selection # Conflicts: # src/backend/base/langflow/initial_setup/starter_projects/Basic Prompt Chaining.json # src/backend/base/langflow/initial_setup/starter_projects/Basic Prompting.json # src/backend/base/langflow/initial_setup/starter_projects/Blog Writer.json # src/backend/base/langflow/initial_setup/starter_projects/Custom Component Generator.json # src/backend/base/langflow/initial_setup/starter_projects/Document Q&A.json # src/backend/base/langflow/initial_setup/starter_projects/Financial Report Parser.json # src/backend/base/langflow/initial_setup/starter_projects/Hybrid Search RAG.json # src/backend/base/langflow/initial_setup/starter_projects/Image Sentiment Analysis.json # src/backend/base/langflow/initial_setup/starter_projects/Instagram Copywriter.json # src/backend/base/langflow/initial_setup/starter_projects/Invoice Summarizer.json # src/backend/base/langflow/initial_setup/starter_projects/Knowledge Retrieval.json # src/backend/base/langflow/initial_setup/starter_projects/Market Research.json # src/backend/base/langflow/initial_setup/starter_projects/Meeting Summary.json # src/backend/base/langflow/initial_setup/starter_projects/Memory Chatbot.json # src/backend/base/langflow/initial_setup/starter_projects/News Aggregator.json # src/backend/base/langflow/initial_setup/starter_projects/Nvidia Remix.json # src/backend/base/langflow/initial_setup/starter_projects/Pokédex Agent.json # src/backend/base/langflow/initial_setup/starter_projects/Portfolio Website Code Generator.json # src/backend/base/langflow/initial_setup/starter_projects/Price Deal Finder.json # src/backend/base/langflow/initial_setup/starter_projects/Research Agent.json # src/backend/base/langflow/initial_setup/starter_projects/Research Translation Loop.json # src/backend/base/langflow/initial_setup/starter_projects/SEO Keyword Generator.json # src/backend/base/langflow/initial_setup/starter_projects/SaaS Pricing.json # src/backend/base/langflow/initial_setup/starter_projects/Search agent.json # src/backend/base/langflow/initial_setup/starter_projects/Sequential Tasks Agents.json # src/backend/base/langflow/initial_setup/starter_projects/Simple Agent.json # src/backend/base/langflow/initial_setup/starter_projects/Social Media Agent.json # src/backend/base/langflow/initial_setup/starter_projects/Text Sentiment Analysis.json # src/backend/base/langflow/initial_setup/starter_projects/Travel Planning Agents.json # src/backend/base/langflow/initial_setup/starter_projects/Twitter Thread Generator.json # src/backend/base/langflow/initial_setup/starter_projects/Vector Store RAG.json # src/backend/base/langflow/initial_setup/starter_projects/Youtube Analysis.json * fix: handle InvalidRequestError during session rollback * update projects * ⚡️ Speed up method `LangFuseTracer.end` by 141% in PR #11114 (`feat/langchain-1.0`) (#11682) Optimize LangFuseTracer.end The optimized code achieves a **140% speedup** (8.23ms → 3.42ms) through two complementary optimizations: ## 1. Fast-path for Common Primitives in `serialize()` **What changed:** Added an early-exit check that returns immutable primitives (`str`, `int`, `float`, `bool`) directly when no truncation or special handling is needed: ```python if max_length is None and max_items is None and not to_str: if isinstance(obj, (str, int, float, bool)): return obj ``` **Why it's faster:** - The profiler shows `_serialize_dispatcher()` consumed **81.5% of runtime** in the original code (40.4ms out of 49.6ms) - This optimization reduced dispatcher calls from **8,040 to 1,013** (~87% reduction), as primitives now bypass the expensive pattern-matching dispatcher entirely - The fast-path check itself is extremely cheap: just two quick conditionals and an `isinstance()` check against a tuple of built-in types **When it helps:** This optimization is particularly effective for workloads with many primitive values in dictionaries and lists—which is exactly what the tracing use case provides (metadata dicts with strings, numbers, booleans). ## 2. Eliminate Redundant Serialization in `LangFuseTracer.end()` **What changed:** Serialize `inputs`, `outputs`, and `metadata` once each, then reuse the results: ```python inputs_ser = serialize(inputs) outputs_ser = serialize(outputs) metadata_ser = serialize(metadata) if metadata else None ``` **Why it's faster:** - The original code called `serialize()` **6 times total** (3 for `.update()` + 3 for `.update_trace()`) - The optimized version calls it **3 times**, then passes the cached results - Profiler shows the time spent in `serialize()` calls dropped from **72.2ms to 31.2ms** (~57% reduction) - This is pure elimination of redundant work—the same dictionaries were being serialized twice with identical results **Impact on workloads:** The `test_end_multiple_iterations_calls_end_each_time` test (500 iterations) demonstrates this matters in hot paths. If `LangFuseTracer.end()` is called frequently during flow execution, avoiding duplicate serialization provides compounding benefits. ## Combined Effect Both optimizations target the serialization bottleneck from different angles: - The fast-path reduces the cost of *each* serialize call by ~75% for primitive-heavy data - The caching reduces the *number* of serialize calls by 50% Together, they deliver the observed 140% speedup, with the optimization being especially effective for the common case of metadata dictionaries containing mostly primitive types. Co-authored-by: codeflash-ai[bot] <148906541+codeflash-ai[bot]@users.noreply.github.com> * refactor: reorder imports and simplify serialization logic for primitives * [autofix.ci] apply automated fixes * fix: update google dependency version to 0.4.0 in component_index.json * [autofix.ci] apply automated fixes * [autofix.ci] apply automated fixes (attempt 2/3) * fix: pin z3-solver<4.15.7 to restore Linux wheels for Docker build z3-solver 4.15.7 dropped manylinux wheels, causing the Docker build to fail when trying to compile from source. Temporary pin until codeflash is removed. * [autofix.ci] apply automated fixes * fix: update google dependency version to 0.4.0 * [autofix.ci] apply automated fixes * fix: update langchain_core version to 1.2.17 in multiple starter project JSON files * [autofix.ci] apply automated fixes * [autofix.ci] apply automated fixes (attempt 2/3) * fix: update deprecated langchain imports to langchain_classic for 1.0 compatibility * fix: align langchain-chroma version in optional chroma dependency group * fix: nightly now properly gets 1.9.0 branch (#12215) before it was attempting to pull release-notes as letters are alphanumerically after numbers when we sort -V then grab tail now we only look at branch names that follow the pattern '^release-[0-9]+\.[0-9]+\.[0-9]+$' * docs: add search icon (#12216) add-back-svg * [autofix.ci] apply automated fixes * [autofix.ci] apply automated fixes (attempt 2/3) * feat: fall back to langchain_classic for pre-1.0 imports in user components Old flows using removed langchain imports (e.g. langchain.memory, langchain.schema, langchain.chains) now resolve via langchain_classic at two levels: module-level for entirely removed modules, and attribute-level for removed attributes in modules that still exist in langchain 1.0. New langchain 1.0 imports are never affected since fallbacks only trigger on import failure. * urllib parse module import bug * Update component_index.json * [autofix.ci] apply automated fixes * chore: rebuild component index * [autofix.ci] apply automated fixes --------- Co-authored-by: Claude Opus 4.5 <noreply@anthropic.com> Co-authored-by: autofix-ci[bot] <114827586+autofix-ci[bot]@users.noreply.github.com> Co-authored-by: Harold Ship <harold.ship@gmail.com> Co-authored-by: codeflash-ai[bot] <148906541+codeflash-ai[bot]@users.noreply.github.com> Co-authored-by: Adam-Aghili <149833988+Adam-Aghili@users.noreply.github.com> Co-authored-by: Mendon Kissling <59585235+mendonk@users.noreply.github.com> Co-authored-by: Eric Hare <ericrhare@gmail.com> * fix: prevent CI injection via unsanitized GitHub context interpolation (#12224) Pass github.event.pull_request.head.ref through env: instead of interpolating it directly into run: shell steps. This prevents bash from evaluating command substitutions embedded in malicious branch names before input validation runs. Co-authored-by: Janardan Singh Kavia <janardankavia@ibm.com> * feat: Refactor and Unify the ModelInput Selector Across Components (#12025) * fix: Fixes Kubernetes deployment crash on runtime_port parsing (#11968) (#11975) * feat: add runtime port validation for Kubernetes service discovery * test: add unit tests for runtime port validation in Settings * fix: improve runtime port validation to handle exceptions and edge cases Co-authored-by: Gabriel Luiz Freitas Almeida <gabriel@logspace.ai> * fix(frontend): show delete option for default session when it has messages (#11969) * feat: add documentation link to Guardrails component (#11978) * feat: add documentation link to Guardrails component * [autofix.ci] apply automated fixes --------- Co-authored-by: autofix-ci[bot] <114827586+autofix-ci[bot]@users.noreply.github.com> * feat: traces v0 (#11689) (#11983) * feat: traces v0 v0 for traces includes: - filters: status, token usage range and datatime - accordian rows per trace Could add: - more filter options. Ecamples: session_id, trace_id and latency range * fix: token range * feat: create sidebar buttons for logs and trace add sidebar buttons for logs and trace remove lods canvas control * fix: fix duplicate trace ID insertion hopefully fix duplicate trace ID insertion on windows * fix: update tests and alembic tables for uts update tests and alembic tables for uts * chore: add session_id * chore: allo grouping by session_id and flow_id * chore: update race input output * chore: change run name to flow_name - flow_id was flow_name - trace_id now flow_name - flow_id * facelift * clean up and add testcases * clean up and add testcases * merge Alembic detected multiple heads * [autofix.ci] apply automated fixes * improve testcases * remodel files * chore: address gabriel simple changes address gabriel simple changes in traces.py and native.py * clean up and testcases * chore: address OTel and PG status comments https://github.com/langflow-ai/langflow/pull/11689#discussion_r2854630438 https://github.com/langflow-ai/langflow/pull/11689#discussion_r2854630446 * chore: OTel span naming convention model name is now set using name = f"{operation} {model_name}" if model_name else operation * add traces * feat: use uv sources for CPU-only PyTorch (#11884) * feat: use uv sources for CPU-only PyTorch Configure [tool.uv.sources] with pytorch-cpu index to avoid ~6GB CUDA dependencies in Docker images. This replaces hardcoded wheel URLs with a cleaner index-based approach. - Add pytorch-cpu index with explicit = true - Add torch/torchvision to [tool.uv.sources] - Add explicit torch/torchvision deps to trigger source override - Regenerate lockfile without nvidia/cuda/triton packages - Add required-environments for multi-platform support * fix: update regex to only replace name in [project] section The previous regex matched all lines starting with `name = "..."`, which incorrectly renamed the UV index `pytorch-cpu` to `langflow-nightly` during nightly builds. This caused `uv lock` to fail with: "Package torch references an undeclared index: pytorch-cpu" The new regex specifically targets the name field within the [project] section only, avoiding unintended replacements in other sections like [[tool.uv.index]]. * style: fix ruff quote style * fix: remove required-environments to fix Python 3.13 macOS x86_64 CI The required-environments setting was causing hard failures when packages like torch didn't have wheels for specific platform/Python combinations. Without this setting, uv resolves optimistically and handles missing wheels gracefully at runtime instead of failing during resolution. --------- * LE-270: Hydration and Console Log error (#11628) * LE-270: add fix hydration issues * LE-270: fix disable field on max token on language model --------- * test: add wait for selector in mcp server tests (#11883) * Add wait for selector in mcp server tests * [autofix.ci] apply automated fixes * Add more awit for selectors * [autofix.ci] apply automated fixes --------- * fix: reduce visual lag in frontend (#11686) * Reduce lag in frontend by batching react events and reducing minimval visual build time * Cleanup * [autofix.ci] apply automated fixes * add tests and improve code read * [autofix.ci] apply automated fixes * Remove debug log --------- * feat: lazy load imports for language model component (#11737) * Lazy load imports for language model component Ensures that only the necessary dependencies are required. For example, if OpenAI provider is used, it will now only import langchain_openai, rather than requiring langchain_anthropic, langchain_ibm, etc. * Add backwards-compat functions * [autofix.ci] apply automated fixes * [autofix.ci] apply automated fixes (attempt 2/3) * Add exception handling * [autofix.ci] apply automated fixes * [autofix.ci] apply automated fixes * [autofix.ci] apply automated fixes * [autofix.ci] apply automated fixes * [autofix.ci] apply automated fixes * [autofix.ci] apply automated fixes (attempt 2/3) * comp index * docs: azure default temperature (#11829) * change-azure-openai-default-temperature-to-1.0 * [autofix.ci] apply automated fixes * [autofix.ci] apply automated fixes (attempt 2/3) * [autofix.ci] apply automated fixes (attempt 3/3) * [autofix.ci] apply automated fixes --------- * [autofix.ci] apply automated fixes * [autofix.ci] apply automated fixes (attempt 2/3) * [autofix.ci] apply automated fixes * [autofix.ci] apply automated fixes * [autofix.ci] apply automated fixes * [autofix.ci] apply automated fixes (attempt 2/3) * fix unit test? * add no-group dev to docker builds * [autofix.ci] apply automated fixes --------- * feat: generate requirements.txt from dependencies (#11810) * Base script to generate requirements Dymanically picks dependency for LanguageM Comp. Requires separate change to remove eager loading. * Lazy load imports for language model component Ensures that only the necessary dependencies are required. For example, if OpenAI provider is used, it will now only import langchain_openai, rather than requiring langchain_anthropic, langchain_ibm, etc. * Add backwards-compat functions * [autofix.ci] apply automated fixes * [autofix.ci] apply automated fixes (attempt 2/3) * Add exception handling * Add CLI command to create reqs * correctly exclude langchain imports * Add versions to reqs * dynamically resolve provider imports for language model comp * Lazy load imports for reqs, some ruff fixes * Add dynamic resolves for embedding model comp * Add install hints * Add missing provider tests; add warnings in reqs script * Add a few warnings and fix install hint * update comments add logging * Package hints, warnings, comments, tests * [autofix.ci] apply automated fixes * [autofix.ci] apply automated fixes (attempt 2/3) * [autofix.ci] apply automated fixes (attempt 3/3) * Add alias for watsonx * Fix anthropic for basic prompt, azure mapping * [autofix.ci] apply automated fixes * [autofix.ci] apply automated fixes (attempt 2/3) * ruff * [autofix.ci] apply automated fixes * test formatting * ruff * [autofix.ci] apply automated fixes --------- * fix: add handle to file input to be able to receive text (#11825) * changed base file and file components to support muitiple files and files from messages * update component index * update input file component to clear value and show placeholder * updated starter projects * [autofix.ci] apply automated fixes * updated base file, file and video file to share robust file verification method * updated component index * updated templates * fix whitespaces * [autofix.ci] apply automated fixes * [autofix.ci] apply automated fixes (attempt 2/3) * add file upload test for files fed through the handle * [autofix.ci] apply automated fixes * added tests and fixed things pointed out by revies * update component index * fixed test * ruff fixes * Update component_index.json * [autofix.ci] apply automated fixes * [autofix.ci] apply automated fixes (attempt 2/3) * [autofix.ci] apply automated fixes (attempt 3/3) * updated component index * updated component index * removed handle from file input * Added functionality to use multiple files on the File Path, and to allow files on the langflow file system. * [autofix.ci] apply automated fixes * fixed lfx test * build component index --------- * docs: Add AGENTS.md development guide (#11922) * add AGENTS.md rule to project * change to agents-example * remove agents.md * add example description * chore: address cris I1 comment address cris I1 comment * chore: address cris I5 address cris I5 * chore: address cris I6 address cris I6 * chore: address cris R7 address cris R7 * fix testcase * chore: address cris R2 address cris R2 * restructure insight page into sidenav * added header and total run node * restructing branch * chore: address gab otel model changes address gab otel model changes will need no migration tables * chore: update alembic migration tables update alembic migration tables after model changes * add empty state for gropu sessions * remove invalid mock * test: update and add backend tests update and add backend tests * chore: address backend code rabbit comments address backend code rabbit comments * chore: address code rabbit frontend comments address code rabbit frontend comments * chore: test_native_tracer minor fix address c1 test_native_tracer minor fix address c1 * chore: address C2 + C3 address C2 + C3 * chore: address H1-H5 address H1-H5 * test: update test_native_tracer update test_native_tracer * fixes * chore: address M2 address m2 * chore: address M1 address M1 * dry changes, factorization * chore: fix 422 spam and clean comments fix 422 spam and clean comments * chore: address M12 address M12 * chore: address M3 address M3 * chore: address M4 address M4 * chore: address M5 address M5 * chore: clean up for M7, M9, M11 clean up for M7, M9, M11 * chore: address L2,L4,L5,L6 + any test address L2,L4,L5 and L6 + any test * chore: alembic + comment clean up alembic + comment clean up * chore: remove depricated test_traces file remove depricated test_traces file. test have all been moved to test_traces_api.py * fix datetime * chore: fix test_trace_api ge=0 is allowed now fix test_trace_api ge=0 is allowed now * chore: remove unused traces cost flow remove unused traces cost flow * fix traces test * fix traces test * fix traces test * fix traces test * fix traces test * chore: address gabriels otel coment address gabriels otel coment latest --------- Co-authored-by: Olayinka Adelakun <olayinkaadelakun@Olayinkas-MacBook-Pro.local> Co-authored-by: Olayinka Adelakun <olayinkaadelakun@mac.war.can.ibm.com> Co-authored-by: autofix-ci[bot] <114827586+autofix-ci[bot]@users.noreply.github.com> Co-authored-by: Ram Gopal Srikar Katakam <44802869+RamGopalSrikar@users.noreply.github.com> Co-authored-by: Claude Opus 4.5 <noreply@anthropic.com> Co-authored-by: olayinkaadelakun <olayinka.adelakun@ibm.com> Co-authored-by: Jordan Frazier <122494242+jordanrfrazier@users.noreply.github.com> Co-authored-by: cristhianzl <cristhian.lousa@gmail.com> Co-authored-by: Hamza Rashid <74062092+HzaRashid@users.noreply.github.com> Co-authored-by: Mendon Kissling <59585235+mendonk@users.noreply.github.com> Co-authored-by: Lucas Oliveira <62335616+lucaseduoli@users.noreply.github.com> Co-authored-by: Edwin Jose <edwin.jose@datastax.com> Co-authored-by: Himavarsha <40851462+HimavarshaVS@users.noreply.github.com> * fix(test): Fix superuser timeout test errors by replacing heavy clien… (#11982) fix(test): Fix superuser timeout test errors by replacing heavy client fixture (#11972) * fix super user timeout test error * fix fixture db test * remove canary test * [autofix.ci] apply automated fixes * flaky test --------- Co-authored-by: Cristhian Zanforlin Lousa <cristhian.lousa@gmail.com> Co-authored-by: autofix-ci[bot] <114827586+autofix-ci[bot]@users.noreply.github.com> * refactor(components): Replace eager import with lazy loading in agentics module (#11974) Co-authored-by: autofix-ci[bot] <114827586+autofix-ci[bot]@users.noreply.github.com> * fix: add ondelete=CASCADE to TraceBase.flow_id to match migration (#12002) * fix: add ondelete=CASCADE to TraceBase.flow_id to match migration The migration file creates the trace table's flow_id foreign key with ondelete="CASCADE", but the model was missing this parameter. This mismatch caused the migration validator to block startup. Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com> * fix: add defensive migration to ensure trace.flow_id has CASCADE Adds a migration that ensures the trace.flow_id foreign key has ondelete=CASCADE. While the original migration already creates it with CASCADE, this provides a safety net for any databases that may have gotten into an inconsistent state. * fix: dynamically find FK constraint name in migration The original migration did not name the FK constraint, so it gets an auto-generated name that varies by database. This fix queries the database to find the actual constraint name before dropping it. --------- Co-authored-by: Claude Opus 4.5 <noreply@anthropic.com> * fix: LE-456 - Update ButtonSendWrapper to handle building state and improve button functionality (#12000) * fix: Update ButtonSendWrapper to handle building state and improve button functionality * fix(frontend): rename stop button title to avoid Playwright selector conflict The "Stop building" title caused getByRole('button', { name: 'Stop' }) to match two elements, breaking Playwright tests in shards 19, 20, 22, 25. Renamed to "Cancel" to avoid the collision with the no-input stop button. * Fix: pydantic fail because output is list, instead of a dict (#11987) pydantic fail because output is list, instead of a dict Co-authored-by: Olayinka Adelakun <olayinkaadelakun@Olayinkas-MacBook-Pro.local> * refactor: Update guardrails icons (#12016) * Update guardrails.py Changing the heuristic threshold icons. The field was using the default icons. I added icons related to the security theme. * [autofix.ci] apply automated fixes --------- Co-authored-by: autofix-ci[bot] <114827586+autofix-ci[bot]@users.noreply.github.com> Co-authored-by: Viktor Avelino <64113566+viktoravelino@users.noreply.github.com> * feat: Clean up the modelinput unification * [autofix.ci] apply automated fixes * [autofix.ci] apply automated fixes (attempt 2/3) * Update test_embedding_model_component.py * [autofix.ci] apply automated fixes * Revert to main for other files * More reversions * [autofix.ci] apply automated fixes * [autofix.ci] apply automated fixes * [autofix.ci] apply automated fixes (attempt 2/3) * [autofix.ci] apply automated fixes * [autofix.ci] apply automated fixes (attempt 2/3) * [autofix.ci] apply automated fixes (attempt 3/3) * [autofix.ci] apply automated fixes * [autofix.ci] apply automated fixes (attempt 2/3) * [autofix.ci] apply automated fixes (attempt 3/3) * Handle first run more elegantly in astra * [autofix.ci] apply automated fixes * Fix knowledge embedding dialog (#12071) * fix: Handle message inputs when ingesting knowledge * [autofix.ci] apply automated fixes * [autofix.ci] apply automated fixes (attempt 2/3) * [autofix.ci] apply automated fixes (attempt 3/3) * Update test_ingestion.py * [autofix.ci] apply automated fixes * fix: Unify the knowledge creation model selector * Revert tracing * Update ingestion.py * Rebuild comp index * [autofix.ci] apply automated fixes * Update test_ingestion.py * [autofix.ci] apply automated fixes * [autofix.ci] apply automated fixes (attempt 2/3) * Update test_ingestion.py * Update component_index.json * [autofix.ci] apply automated fixes --------- Co-authored-by: autofix-ci[bot] <114827586+autofix-ci[bot]@users.noreply.github.com> * [autofix.ci] apply automated fixes * Update comp index * Update test_astradb_base_component.py * Update Knowledge Ingestion.json * [autofix.ci] apply automated fixes * Fix broken tests * Cleanup from claude * [autofix.ci] apply automated fixes * Fix failing tests * Update test_unified_models.py * [autofix.ci] apply automated fixes * Update Nvidia Remix.json * Refactor ingest * Rebuild templates and component index * Fix test * [autofix.ci] apply automated fixes * Update component_index.json * [autofix.ci] apply automated fixes * test: add update_build_config visibility tests and PR review fixes (#12114) - Add update_build_config field-visibility tests to LanguageModelComponent, ToolCallingAgentComponent, and BatchRunComponent covering Ollama, WatsonX, OpenAI, and no-model-selected cases - Remove 16 stale @pytest.mark.skip tests from test_agent_component.py - Wire up validate_model_selection in agent.py for early input validation - Document AstraDB intentional use of lower-level update_model_options_in_build_config - Clarify model_kwargs info text to note provider-specific support Co-authored-by: Claude Sonnet 4.6 <noreply@anthropic.com> * Update embedding_model.py * fix: address PR review recommendations for feat-unify-models++ (#12116) - Fix 9 skipped tests in test_batch_run_component.py by replacing model list with _MockLLM instances, following the existing pattern used by test_with_config_failure_handling - Fix test_agent_component.py: set component.model to a valid list before calling get_agent_requirements() in the three max_tokens tests, since validate_model_selection now requires a list-format model - Replace os.environ direct reads in apply_provider_variable_config_to_build_config with get_all_variables_for_provider() (DB-first, env fallback), and pass user_id through from handle_model_input_update - Add deprecated stubs for update_provider_fields_visibility, _update_watsonx_fields, and _update_ollama_fields in model_config.py with DeprecationWarning pointing to handle_model_input_update - Fix typo: "deault" -> "default" in structured_output.py TODO comment - Add 4 new KnowledgeIngestionComponent tests: new-format model_selection metadata path, allow_duplicates=True, missing metadata file error, and _build_embedding_metadata without API key Co-authored-by: Claude Sonnet 4.6 <noreply@anthropic.com> * Ruff errors * Update test_ingestion.py * Update component index * Test updates * Update component_index.json * Update stable_hash_history.json * Template updates * Update batch_run.py * [autofix.ci] apply automated fixes * [autofix.ci] apply automated fixes (attempt 2/3) * Update Youtube Analysis.json * Fix tests * [autofix.ci] apply automated fixes * [autofix.ci] apply automated fixes (attempt 2/3) * [autofix.ci] apply automated fixes (attempt 3/3) * Some cleanup and refactoring * [autofix.ci] apply automated fixes * Update Nvidia Remix.json * Update Nvidia Remix.json * Update unified_models.py * Coderabbit AI review comments * Component index update * [autofix.ci] apply automated fixes * Template updates * [autofix.ci] apply automated fixes * Template update * [autofix.ci] apply automated fixes * Review comments addressed * [autofix.ci] apply automated fixes * Update component_index.json * Update stable_hash_history.json * [autofix.ci] apply automated fixes * Test updates * Update test_ingestion.py * Update test_ingestion.py * Update test_ingestion.py * [autofix.ci] apply automated fixes * More clear tooltip text * [autofix.ci] apply automated fixes * Template updates * Index and templates * [autofix.ci] apply automated fixes * Fix lambda build * Template updates * Rebuild comp index * [autofix.ci] apply automated fixes * Fix templates * Fix failing test * Update templates * Update comp index * [autofix.ci] apply automated fixes * API key field in astra db * Update starter * Update comp index * Starter proj update * Add api key to field order * Update test_unified_models.py * Update test_unified_models.py * [autofix.ci] apply automated fixes * Update setup.py * Update setup.py * Update component_index.json * [autofix.ci] apply automated fixes * Return embedding models directly in KB * [autofix.ci] apply automated fixes * Update component_index.json * fix: Refactor the unified models code * Ruff checks * Update flow_preparation.py * [autofix.ci] apply automated fixes * Update test_language_model_component.py * fix: prevent overwriting user-selected global variables in provider c… (#12217) * fix: nightly now properly gets 1.9.0 branch (#12215) before it was attempting to pull release-notes as letters are alphanumerically after numbers when we sort -V then grab tail now we only look at branch names that follow the pattern '^release-[0-9]+\.[0-9]+\.[0-9]+$' * docs: add search icon (#12216) add-back-svg * fix: prevent overwriting user-selected global variables in provider config Previously, the apply_provider_variable_config_to_build_config function would automatically overwrite field values with environment variable keys whenever an env var was present, even if the user had already selected a different global variable. This fix adds a check to only auto-set the environment variable if: - The field is currently empty, OR - The field is not already configured to load from the database This preserves user selections while still providing automatic configuration for new/empty fields. Added comprehensive unit tests to verify: - Auto-setting env vars for empty fields - Preserving user-selected global variables - Overwriting hardcoded values (expected behavior) - Skipping when env var is not set - Applying component metadata correctly * [autofix.ci] apply automated fixes * style: use dictionary comprehension instead of for-loop Fixed PERF403 Ruff style warning by replacing for-loop with dictionary comprehension in update_projects_components_with_latest_component_versions * chore: retrigger CI build * test: improve test coverage and clarity for provider config - Renamed test_apply_provider_config_overwrites_hardcoded_value to test_apply_provider_config_replaces_hardcoded_with_env_var for clarity - Added test_apply_provider_config_idempotent_when_already_set to document idempotent behavior when value already matches env var key - Removed sensitive value from debug log message to prevent potential exposure of API keys or credentials These changes improve test coverage by documenting the no-op scenario and enhance security by avoiding logging of potentially sensitive data. * chore: retrigger CI build --------- Co-authored-by: Adam-Aghili <149833988+Adam-Aghili@users.noreply.github.com> Co-authored-by: Mendon Kissling <59585235+mendonk@users.noreply.github.com> Co-authored-by: Steve Haertel <shaertel@ca.ibm.com> Co-authored-by: autofix-ci[bot] <114827586+autofix-ci[bot]@users.noreply.github.com> Co-authored-by: Eric Hare <ericrhare@gmail.com> * Update build_config.py * [autofix.ci] apply automated fixes * Update build_config.py * Fix tests * fix: Dropdown issue with field population * Update test_unified_models.py * Clean up key config * [autofix.ci] apply automated fixes * fix tests * Fix tests * fix: Update tests * Update tests * Update test_tool_calling_agent.py * Update test_unified_models.py * Update test_tool_calling_agent.py * Update tests * Google AI generative embeddings fixes * [autofix.ci] apply automated fixes * Merge release branch * Template update * Merge release branch * [autofix.ci] apply automated fixes * Update openai_constants.py * Update openai_constants.py --------- Co-authored-by: Adam-Aghili <149833988+Adam-Aghili@users.noreply.github.com> Co-authored-by: Gabriel Luiz Freitas Almeida <gabriel@logspace.ai> Co-authored-by: keval shah <kevalvirat@gmail.com> Co-authored-by: Antônio Alexandre Borges Lima <104531655+AntonioABLima@users.noreply.github.com> Co-authored-by: autofix-ci[bot] <114827586+autofix-ci[bot]@users.noreply.github.com> Co-authored-by: Olayinka Adelakun <olayinkaadelakun@Olayinkas-MacBook-Pro.local> Co-authored-by: Olayinka Adelakun <olayinkaadelakun@mac.war.can.ibm.com> Co-authored-by: Ram Gopal Srikar Katakam <44802869+RamGopalSrikar@users.noreply.github.com> Co-authored-by: Claude Opus 4.5 <noreply@anthropic.com> Co-authored-by: olayinkaadelakun <olayinka.adelakun@ibm.com> Co-authored-by: Jordan Frazier <122494242+jordanrfrazier@users.noreply.github.com> Co-authored-by: cristhianzl <cristhian.lousa@gmail.com> Co-authored-by: Hamza Rashid <74062092+HzaRashid@users.noreply.github.com> Co-authored-by: Mendon Kissling <59585235+mendonk@users.noreply.github.com> Co-authored-by: Lucas Oliveira <62335616+lucaseduoli@users.noreply.github.com> Co-authored-by: Edwin Jose <edwin.jose@datastax.com> Co-authored-by: Himavarsha <40851462+HimavarshaVS@users.noreply.github.com> Co-authored-by: Viktor Avelino <64113566+viktoravelino@users.noreply.github.com> Co-authored-by: Lucas Democh <ldgoularte@gmail.com> Co-authored-by: Steve Haertel <stevehaertel@users.noreply.github.com> Co-authored-by: Steve Haertel <shaertel@ca.ibm.com> * fix: Wait for dynamic model fetch in Nvidia (#12229) * fix: Wait for dynamic model fetch in Nvidia * [autofix.ci] apply automated fixes * Create test_nvidia_component.py * Update test_nvidia_component.py * [autofix.ci] apply automated fixes * Potential fix for pull request finding Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com> * [autofix.ci] apply automated fixes * Update test_nvidia_component.py * Update component_index.json * [autofix.ci] apply automated fixes --------- Co-authored-by: autofix-ci[bot] <114827586+autofix-ci[bot]@users.noreply.github.com> Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com> * fix: protect image downloads by flow ownership (#12234) * fix: protect image downloads by flow ownership * test: add clarifying comments for image access review --------- Co-authored-by: Janardan Singh Kavia <janardankavia@ibm.com> * feat: Add Windows Playwright test fixes to RC (#12265) * feat: Add Windows Playwright tests to nightly builds - Add windows-latest to typescript_test.yml runner options - Add shell: bash to all script steps for cross-platform compatibility - Split Playwright installation into OS-aware steps (Linux uses --with-deps, Windows/macOS/self-hosted don't) - Fix artifact naming with OS prefix to prevent conflicts: blob-report-${{ runner.os }}-${{ matrix.shardIndex }} - Split frontend-tests into separate Linux and Windows jobs in nightly_build.yml - Add ref parameter to all test jobs to checkout code from release branch - Add resolve-release-branch to needs dependencies - Update Slack notifications to handle both Linux and Windows test results - Windows tests are non-blocking (not checked in release-nightly-build condition) - Update .secrets.baseline with new line number (263 -> 347) for LANGFLOW_ENG_SLACK_WEBHOOK_URL Fixes LE-566 * fix: Use contains() for self-hosted runner detection - Replace exact string equality (==, !=) with contains() for substring matching - Fixes issue when inputs.runs-on is array format: '["self-hosted", "linux", "ARM64", ...]' - Ensures self-hosted Linux runners correctly skip --with-deps flag Addresses CodeRabbit feedback on PR #12264 * fix: Sanitize folder names for CodeQL (#12263) * fix(deps): pin tar-fs to >=2.1.4 to fix symlink following vulnerability (#12078) Adds override for tar-fs in package.json to ensure versions prior to 2.1.4 are never resolved. Addresses CVE in tar-fs <2.1.4 (PVR0686558) where symlink validation bypass was possible with a crafted tarball. * fix: Rebuild the embedding model in the nv template (#12275) * fix: support ZIP file upload for flows and projects endpoints (#12253) * feat: support ZIP file upload for flows and projects endpoints Add ZIP upload support to both /flows/upload/ and /projects/upload/ endpoints, enabling round-trip download-then-upload workflows. Extract shared ZIP parsing logic into a dedicated utility with zip bomb protections (entry count and file size limits). Fix batch flow name deduplication to avoid infinite loops and DB collisions. Add tests for ZIP upload, empty ZIP rejection, and download-upload round-trip. * fix: add type annotation to satisfy mypy union narrowing * fix: address PR review for ZIP upload (#12253) - Add BadZipFile handling in extract_flows_from_zip for defense-in-depth - Wrap blocking Z…

) * feat(deployments): unify dynamic payload passthrough across api and adapter * use datatime.timezone for python3.10 compatibility * use appropriate type vars in slots and sanitize error message * tweaks to schemas * use policy to avoid dump churn

…) and file ingestion components with supporting fixes (langflow-ai#12713) * initial draft * update DS Star agent * chore(deps): use OpenDsStar 1.0.1 from PyPI * refactor: move OpenDsStar to namespace, update imports, remove agents shim * update open ds star version * improved logging * improved logging * fix: propagate source file path for DataFrame inputs in ingestion components DataFrame from CSV/Excel reads now carries the source file path via pandas attrs, so IngestionDescriber and FileContentRetriever can resolve the original file instead of searching per-row data keys. * feat: add files_ingestion component bundle and bump OpenDsStar to 1.0.8 Register files_ingestion as a sidebar bundle in the frontend and component registry. Update OpenDsStar dependency from 1.0.6 to 1.0.8. * Add file content retriever component and tests * Fix: Add tool_mode=True to FileContentRetriever outputs to prevent execution during build phase * Fix: Return empty DataFrame instead of raising error when file_path not provided during build * Update file content retriever component * refactor: rename IngestionDescriberComponent to FileDescriptionGeneratorComponent - Renamed class from IngestionDescriberComponent to FileDescriptionGeneratorComponent - Updated component name attribute and display name - Renamed files: ingestion_describer.py -> file_description_generator.py - Renamed test file: test_ingestion_describer.py -> test_file_description_generator.py - Updated all imports and references - Rebuilt component index BREAKING CHANGE: Component class name changed. Existing flows using IngestionDescriberComponent will need to be updated. * fix: improve FileContentRetriever tool descriptions for CodeAct agent - Add explicit warnings that tools expect string file paths only - Clarify that search results/Data objects should not be passed - Change error handling to raise ValueError (agents can handle exceptions) - Add build-phase safety (return empty results when no path provided) - Update tests to expect exceptions instead of error messages This fixes CodeAct agent failures where it was trying to pass search results (list of Data objects) to retrieve_content_as_dataframe() instead of extracting the file path string first. * fix: File Content Retriever now finds DataFrames with file_path in columns - Added caching for file maps to avoid rebuilding on each method call - Enhanced _get_file_maps() to check both attrs['source_file_path'] and 'file_path' column - Fixes agent issue where DataFrame from Read File component couldn't be found - Added test for DataFrame with file_path in columns scenario - All 30 tests pass (26 passed, 4 skipped) * fix: use to_csv() instead of to_string() for DataFrame text representation Fixes agent hanging issue when retrieving file content as DataFrame. The problem was that to_string() creates a formatted table representation that cannot be parsed as CSV. When agents called retrieve_content_as_dataframe(), it would try to parse this formatted text with pd.read_csv(), causing a ParserError and infinite retry loop. Changed to use to_csv(index=False) which produces valid CSV format that can be parsed back into a DataFrame when needed. - Maintains optimal performance by returning original DataFrame from dataframe_map - Only uses CSV text representation as fallback - All 26 tests pass - Works correctly for both text and tabular files * add agent template * improve agent template * bump OpenDsStar to 1.0.10 and update ingestion components Upgrade OpenDsStar dependency from 1.0.8 to 1.0.10 in both langflow-base and lfx pyproject.toml. Update file content retriever, file description generator, component tool, and custom component with related improvements. Expand test coverage for file content retriever. * fix FileContentRetriever multi-file data retrieval and add code_timeout The FileContentRetriever was broken for the multi-file case (when Read File outputs a DataFrame with file_path + text columns). Three bugs were fixed: 1. Multi-file DataFrame mapped to wrong data: When Read File produced a summary DataFrame (one row per file, columns = [file_path, text]), the retriever mapped each file_path to the entire 2-row summary DataFrame instead of extracting per-file content. The agent would get 2 rows instead of thousands of actual data rows. Fixed by iterating rows and extracting each file's text into text_map. 2. CSV text now eagerly parsed into DataFrames: For .csv/.tsv files in text_map that lack a pre-built DataFrame, _get_file_maps() now parses the text into a DataFrame eagerly during initialization. This makes retrieve_content_as_dataframe work for the multi-file case without needing upstream structured DataFrames. 3. Maps built once, not per tool call: The file maps were rebuilt on every tool call because component_tool.py deepcopy's the component, and the maps were only built lazily during retrieval. Now the early-return paths (empty file_path) eagerly call _get_file_maps() during component build time, so the cached maps survive deepcopy. This is critical for scalability with hundreds of large files. Additional changes: - Removed _is_likely_file_content heuristic that was incorrectly filtering out valid file content - Removed "Message" from input_types (was never handled) - Removed redundant inner import of DataFrame - Shortened error messages (cap available files to 5) - Added warning log for unsupported input types - Lazy CSV conversion: no longer eagerly converts structured DataFrames to CSV text in _get_file_maps, only converts on demand in retrieve_content - Added code_timeout input to OpenDsStarAgentComponent (default 60s, was hardcoded 30s) to prevent timeouts with large datasets - Added 19 unit tests covering all retrieval paths, caching, and the multi-file bug reproduction * disable as_dataframe tool from vector store to fix agent confusion The Chroma vector store's as_dataframe output was exposed as an agent tool, returning a 2-row file index DataFrame (file_path + text columns). The agent mistook this for actual data and tried to query 'price' on it, causing every query to fail with KeyError. Set tool_mode=False on the as_dataframe output so only search_documents is exposed as a tool from the vector store. The agent now follows the correct workflow: search_documents → get file path → retrieve_content_as_dataframe. * Revert "disable as_dataframe tool from vector store to fix agent confusion" This reverts commit e21c5dc649811f961175dd57f9e6651633a47582. * bump OpenDsStar to 1.0.15, improve ingestion component tool descriptions and caching - Upgrade OpenDsStar dependency from 1.0.10 to 1.0.15 - Add __deepcopy__ to FileContentRetriever to preserve cached maps across tool invocations - Add JSON format support for eager DataFrame parsing - Improve tool docstrings on FileContentRetriever and VectorStore for better agent usage - Enable tool_mode on VectorStore search and table outputs * support Message input in FileContentRetriever and FileDescriptionGenerator - Add file_path to Message metadata in base_file._extract_file_metadata - Accept Message type in FileContentRetriever.file_data input and handle it in _build_file_maps to extract file_path and text content - Handle Message input in FileDescriptionGenerator to extract file_path - Add tests for Message input: basic, missing file_path, and mixed types * fix FileContentRetriever not appearing in component sidebar - Remove forward reference to FileContentRetrieverComponent in __deepcopy__ that broke the exec-based template builder, silently preventing registration - Remove unnecessary cast() call in __deepcopy__ - Regenerate component_index.json (362 -> 363 components) - Update template JSON edge handles to include Message in input_types * add persistent directory, real-time logs, tool descriptions, and Merge Flows component FileContentRetriever: - Add persistent directory support for saving/loading text and DataFrame maps to disk - Split text storage into individual files (texts/) instead of single JSON - Guard against None file_data during tool deepcopy calls - Warn when maps are empty after building - Make Persistent Directory a visible (non-advanced) input FileDescriptionGenerator: - Switch from subprocess.run to Popen with real-time stderr streaming - Add configurable timeout input (default 1800s, was hardcoded 600s) - Stream subprocess progress to UI via self.log() Tool descriptions: - Add info field to Output model (excluded from serialization to avoid template pollution) - Fix stale tool metadata overwriting fresh descriptions in component.py - Each tool output now gets its own description instead of generic component description New components: - Add Merge Flows component to trigger multiple upstream flows from a single node Tests: - Add persistence tests (round-trip, skip duplicates, add new files, corrupted JSON, regression) - Update FileDescriptionGenerator tests for Popen-based subprocess * update Structured Data Agent template from UI re-export * update Structured Data Agent template * update Structured Data Agent template * update Structured Data Agent template * update Structured Data Agent template * update Structured Data Agent template * fix chardet perf, pipe deadlock, auto-sync, Chroma errors, and ingestion failure detection Performance: - Fix chardet.detect() scanning entire files (800s for 1.5GB) — sample first 100KB only - Default ascii detection to utf-8 (superset) to handle non-ASCII chars beyond sample - Fix subprocess stdout pipe deadlock — drain both stdout and stderr concurrently via select FileContentRetriever: - Add auto-sync: remove persisted entries for files no longer in file_data input - Clean up orphaned files from persistent directory on save FileDescriptionGenerator: - Fail with clear error when descriptions are not generated (grouped by error reason) - Increase default timeout from 1800s to 3600s via _DEFAULT_TIMEOUT_SECONDS constant - Remove fast-path code (moved to OpenDsStar) Chroma: - Add clear error messages for missing persist directory, corrupted DB, and initialization failures - Recreate persist directory if deleted between runs Other: - Add opendsstar_cache to .gitignore * Chore(release): merge release 1.9.0 into main (#12710) * test: add upgrade migration check to ci (#12061) * Add upgrade migration check to ci * [autofix.ci] apply automated fixes * Add fetch step * ruff * Add merge migration * Revert "Add merge migration" This reverts commit fd32424739a758646e77c5967420198ff21b5970. backups * coderabbit suggestions 1. Shell hardening in workflow - set -euo pipefail, full path grep, quoted variables 2. _WORKSPACE_ROOT extracted as module constant (also addresses Cristhianzl's review comment about parents[5] duplication) 3. git missing returns None instead of raising FileNotFoundError 4. # noqa: S603 added to subprocess.run (fixes the Ruff CI failure) 5. FK noise filtering now also compares target table/column, not just ondelete/onupdate 6. Removed redundant git fetch origin main step (fetch-depth: 0 already fetches all branches) 7. Deduplicated Alembic config creation in _get_main_branch_head (moved before the if branch) 8. Simplified dict type hints (removed unnecessary dict[tuple, object]) * test: improve migration tests from PR review feedback - Narrow broad except clause to only wrap subprocess.run call - Add specific error messages for multi-head and unresolvable revisions - Remove redundant hardcoded schema test (covered by compare_metadata) - Fix SQLite FK noise filter to skip ondelete/onupdate comparison - Add downgrade verification to test_upgrade_from_main_branch - Add test file and workflow to CI trigger paths - Add prompt for follow-up PostgreSQL migration test PR Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com> * add engine check on downgrade * [autofix.ci] apply automated fixes * fix: harden CI error handling and test robustness - Set validationPassed=false when validator crashes so CI fails instead of passing silently - Wrap GitHub API calls in try-catch so comment-posting failures don't mask validation results - Preserve git stderr in warnings for better CI debugging - Add defensive handling for unexpected FK constraint shapes in SQLite noise filter - Clean up SQLite WAL/SHM/journal companion files in test teardown * Add explicit fetch to main * ruff * [autofix.ci] apply automated fixes * Add sqlite filter tests and remove redundant fetch --------- Co-authored-by: autofix-ci[bot] <114827586+autofix-ci[bot]@users.noreply.github.com> Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com> * feat(deployments): unify payload passthrough from api to adapter (#12190) * feat(deployments): unify dynamic payload passthrough across api and adapter * use datatime.timezone for python3.10 compatibility * use appropriate type vars in slots and sanitize error message * tweaks to schemas * use policy to avoid dump churn * fix: allow clearing Max Tokens field with Backspace/Delete (#12198) * fix: allow clearing Max Tokens field with Backspace/Delete Empty string input was being converted to 0 via Number(""), which triggered the min-value guard and snapped the field back to 1 before onChange could propagate. Adding an early return for empty input lets the field clear correctly, propagating null (no limit) downstream. * test: add IntComponent tests for handleInputChange clearing behavior Covers the regression where Backspace/Delete was blocked by the min-value guard, and verifies that below-min values still clamp correctly. * fix: Resolve CodeQL false positives for path injection and URL substring sanitization (#12201) * fix: Add explicit left/right DataFrame inputs for merge operations (#12177) * add explicit left/right DataFrame inputs for merge operations * [autofix.ci] apply automated fixes * [autofix.ci] apply automated fixes (attempt 2/3) * [autofix.ci] apply automated fixes * ruff style and checker fixes --------- Co-authored-by: autofix-ci[bot] <114827586+autofix-ci[bot]@users.noreply.github.com> * fix: add dict to allowlist preventing TableInput data loss (#12074) * fix: add dict to allowlist preventing TableInput data loss Co-Authored-By: DeyLak <DeyLak@users.noreply.github.com> * test: add regression test for TableInput list[dict] preservation Regression test for: https://github.com/langflow-ai/langflow/issues/12062 Co-Authored-By: DeyLak <DeyLak@users.noreply.github.com> --------- Co-authored-by: DeyLak <DeyLak@users.noreply.github.com> Co-authored-by: Cristhian Zanforlin Lousa <cristhian.lousa@gmail.com> * chore: update pyproject versions 1.9.0 update pyproject versions 1.9.0 * fix: 1.9.0 nightly 1.9.0 nightly fix * feat: add wxO deployment adapter (#12079) * checkout wxo deployment adapter implementation * checkout wxo deps and flow reqs impl * clean up / minor refactor with updated tests * major refactor: split up the implementation into folders and files * clean up logic * refactor and clean up of execution logic, improve type safety of "retry_create" helper, and remove dead code * remove unused wxo service file * remove "provider_name" arg and references * fix: harden watsonx orchestrate deployment adapter for PR readiness - Fix rollback AttributeError when agent_create_response is None - Fix NoneType access on params in list() when called without params - Fix inconsistent error types: use DeploymentNotFoundError in get/update - Fix typo "occured" -> "occurred" in all error prefix messages - Fix variable shadowing of fastapi.status in get_status() - Fix pre-existing test bugs (wrong exception types, stale method refs) - Fix e2e monkey-patching of non-existent service methods - Add structured logging to create, delete, retry, and rollback flows - Add jitter to retry backoff to avoid thundering herd - Add __repr__ to WxOCredentials that fully masks the API key - Extract hard-coded LLM model string to DEFAULT_WXO_AGENT_LLM constant - Remove commented-out snapshot update code - Expand test coverage from 24 to 75 tests covering retry logic, service methods, client auth, utilities, execution/status helpers, and artifact roundtrip * fix(deployment): fix bugs and harden watsonx orchestrate adapter - Fix update method silently discarding changes instead of sending them to the WXO API - Wrap all synchronous SDK calls in asyncio.to_thread to avoid blocking the event loop - Add error handling to get_status (was propagating raw exceptions) - Use DeploymentType enum values instead of raw strings for SUPPORTED_ADAPTER_DEPLOYMENT_TYPES - Fix type annotations in list method (list -> set) - Fix typo in comment (reccomend -> recommend) - Remove dead code: extract_agent_connection_ids, require_exclusive_resource, require_non_empty_string, resolve_health_environment_id, fetch_agent_release_status, normalize_release_status, resolve_lfx_runner_requirement, _pin_requirement_name, sync_langflow_tool_connections, create_langflow_flow_tool, resolve_snapshot_connections, and unused constants - Make assert_create_resources_available and validate_connection async - Make create_agent_run and get_agent_run async - Add tests for list_types, get_status error handling, and update side-effects - Update existing tests for async function signatures * actually remove the dead code from tools.py * properly await "validate_connection" * update e2e test file * add more scenarios to e2e test runner * refactor(watsonx-orchestrate): improve WxOClient encapsulation and error messages Encapsulate SDK private method access and endpoint paths inside WxOClient wrappers so callers never handle raw paths or touch internal _get/_post methods. Route all private HTTP calls through a single _base client auto-created in __post_init__, removing the externally constructed `base` field. Additionally fix double-period and redundant text in error messages produced by the ErrorPrefix + handler pattern, and update E2E/unit assertions to match the sanitised error output. Changes: - types.py: bake endpoint paths into wrapper signatures (post_run, get_run, upload_tool_artifact, get_agents_raw); auto-create _base via __post_init__; remove base from constructor - client.py: drop BaseWXOClient import and base= constructor arg - core/execution.py: pass run_id / query_suffix instead of raw paths - core/tools.py: pass tool_id instead of raw path - service.py: fix double-period in ErrorPrefix interpolation; remove redundant restatements in generic except handlers - tests: update _with_wxo_wrappers helper and test doubles to use _base; update FakeBaseClient._get to accept params - e2e: update rollback scenario detail_contains to match sanitised msg * skip import and tests of wxo adapter if current env is running python 3.10 * clarify random prefix / retry behavior * implement comments * fix: align watsonx adapter with updated deployment schema - Add `deployment_type` parameter to `get`, `update`, `redeploy`, `duplicate`, `delete`, `get_status`, and `undeploy_deployment` in WatsonxOrchestrateDeploymentService to match the updated BaseDeploymentService ABC - Update e2e script to use renamed `add_ids` field on SnapshotDeploymentBindingUpdate * remove non-interface method undeploy_deployment * implement listing configs and snapshots * add update implementation and improve http->deployment error translation and add tests * improve exception handling * checkout payload slot work * custom payload schema for update * new update implementation * stop passing client cache to helpers * add docs for ordereduniquests * improve import patterns and document future risks for wxo dependencies * remove global-variable prefixing of flows * ref: harden typing, DRY helpers, and correctness fixes - Replace `db: Any` with `db: AsyncSession` across client, config, and update_helpers modules - Extract `_ensure_dict` / `ensure_langflow_connections_binding` helpers to eliminate repeated nested-dict safety logic in tools.py and update_helpers.py, with documentation explaining why malformed API payloads are silently corrected rather than rejected - Use `PayloadSlot.parse()` for update payload validation instead of standalone helper; remove `parse_provider_update_payload` - Fix lambda late-binding with default-argument captures in service.py - Use `zip(strict=True)` in update_helpers for defensive mismatch detection - Replace O(n²) duplicate detection with `collections.Counter` in payloads.py - Simplify `dedupe_list` to `list(dict.fromkeys(...))` - Move type-annotation-only imports into TYPE_CHECKING blocks in types.py and config.py - Introduce `UPDATE_MAX_RETRIES` as a distinct constant from `CREATE_MAX_RETRIES` - Fix "watsonX" → "watsonx" casing in error messages - Clarify `get_status` docstring and `validate_connection` error message - Add TODO(deployments-cache) for client cache invalidation on credential updates * ref: drop client cache and adopt typed deployment context across the wxo adapter path, add request-context memoization with strict mixed-context guards, and lazily initialize wxo SDK clients. Add safer credential handling by storing only authenticators in WxOCredentials. Also improve provider error-detail extraction/messages and make the direct wxo E2E conflict scenario diagnostics and expectations more resilient. * use explicit naming for context class; providerId * fix error handling, retry safety, and exception diagnostics in wxo adapter - Raise DeploymentError on empty API responses instead of fabricating fake success in create_agent_run_result and get_agent_run - Elevate rollback failure logging from WARNING to ERROR for alerting - Apply retryable filter to retry_rollback to skip 401/403/409/422 - Preserve exception chains (from exc) instead of suppressing (from None) across service.py, utils.py, execution.py, and update_helpers.py - Broaden credential resolution catch to handle arbitrary DB exceptions - Separate status code dispatch from string heuristics in raise_for_status_and_detail to prevent misclassification - Add tests for all behavioral changes * [autofix.ci] apply automated fixes * fix: harden wxO adapter safety, immutability, and error diagnostics - Make WxOClient and WxOCredentials frozen dataclasses with eager SDK client initialization to eliminate thread-safety races from asyncio.to_thread workers and prevent post-construction mutation - Move instance_url validation and normalization into type __post_init__ - Raise DeploymentError on missing run_id instead of returning partial success with execution_id=None - Preserve exception chains (from exc) instead of suppressing (from None) across create, update, and delete service methods - Add warning logs when _ensure_dict replaces non-dict binding values and when _resolve_lfx_requirement falls back to minimum version - Initialize derived_spec before try block to prevent potential NameError - Log all ToolUploadBatchError errors before re-raising the first - Change SUPPORTED_ADAPTER_DEPLOYMENT_TYPES from mutable set to frozenset - Add tests for 409/422 error mapping in create, unsupported deployment type rejection, empty update rejection, zip artifact extraction paths, validate_connection negative paths, missing run_id, multiple deployment ID rejection, exception chain preservation, and _ensure_dict warning * [autofix.ci] apply automated fixes * fix ruff errors and and todo for status method * fix mypy errors * [autofix.ci] apply automated fixes --------- Co-authored-by: Jordan Frazier <jordan.frazier@datastax.com> Co-authored-by: autofix-ci[bot] <114827586+autofix-ci[bot]@users.noreply.github.com> * fix: 1.9.0 nightly (#12210) fix 1.9.0 nightly * fix(mcp): Add schema-driven type conversion (#11796) * fix: nightly now properly gets 1.9.0 branch (#12215) before it was attempting to pull release-notes as letters are alphanumerically after numbers when we sort -V then grab tail now we only look at branch names that follow the pattern '^release-[0-9]+\.[0-9]+\.[0-9]+$' * fix(mcp): Add schema-driven type conversion - Add schema-driven type conversion (str→dict, str→int, etc.) - normalize and unflatten tool arguments for MCP servers - Unflatten flattened keys (e.g. params.search) into nested objects * fix(mcp): handle dict type and array type in JSON schema for MCP tools - Support "type": ["string", "null"] (JSON Schema array type) - Normalize required to hashable elements (filter non-string entries) - Add unit tests for create_input_schema_from_json_schema * fix(mcp): map generic object type to dict for free-form params When JSON schema has {"type": "object"} with no properties, treat it as a free-form dict instead of building a nested Pydantic model. This allows MCP servers expecting arbitrary key-value params to receive proper dicts, and enables str→dict conversion via _normalize_arguments_for_mcp. - Add conditional in parse_type: empty properties → dict, else nested model - Add test_create_input_schema_generic_object_maps_to_dict * fix(mcp): exclude None from tool arguments sent to MCP servers * test_mcp: add more tests for datatypes * fix(mcp): parse JSON strings for nested model params (e.g. foreman-mcp) * fix(mcp): refactor _try_convert_value reducing repetition * fix(mcp): add missing tests for remaining use cases * fix(mcp): Fix mapping of None if expected is list, dict or str * Update nightly_build.yml --------- Co-authored-by: Adam-Aghili <149833988+Adam-Aghili@users.noreply.github.com> Co-authored-by: Eric Hare <ericrhare@gmail.com> * fix: prevent overwriting user-selected global variables in provider c… (#12217) * fix: nightly now properly gets 1.9.0 branch (#12215) before it was attempting to pull release-notes as letters are alphanumerically after numbers when we sort -V then grab tail now we only look at branch names that follow the pattern '^release-[0-9]+\.[0-9]+\.[0-9]+$' * docs: add search icon (#12216) add-back-svg * fix: prevent overwriting user-selected global variables in provider config Previously, the apply_provider_variable_config_to_build_config function would automatically overwrite field values with environment variable keys whenever an env var was present, even if the user had already selected a different global variable. This fix adds a check to only auto-set the environment variable if: - The field is currently empty, OR - The field is not already configured to load from the database This preserves user selections while still providing automatic configuration for new/empty fields. Added comprehensive unit tests to verify: - Auto-setting env vars for empty fields - Preserving user-selected global variables - Overwriting hardcoded values (expected behavior) - Skipping when env var is not set - Applying component metadata correctly * [autofix.ci] apply automated fixes * style: use dictionary comprehension instead of for-loop Fixed PERF403 Ruff style warning by replacing for-loop with dictionary comprehension in update_projects_components_with_latest_component_versions * chore: retrigger CI build * test: improve test coverage and clarity for provider config - Renamed test_apply_provider_config_overwrites_hardcoded_value to test_apply_provider_config_replaces_hardcoded_with_env_var for clarity - Added test_apply_provider_config_idempotent_when_already_set to document idempotent behavior when value already matches env var key - Removed sensitive value from debug log message to prevent potential exposure of API keys or credentials These changes improve test coverage by documenting the no-op scenario and enhance security by avoiding logging of potentially sensitive data. * chore: retrigger CI build --------- Co-authored-by: Adam-Aghili <149833988+Adam-Aghili@users.noreply.github.com> Co-authored-by: Mendon Kissling <59585235+mendonk@users.noreply.github.com> Co-authored-by: Steve Haertel <shaertel@ca.ibm.com> Co-authored-by: autofix-ci[bot] <114827586+autofix-ci[bot]@users.noreply.github.com> Co-authored-by: Eric Hare <ericrhare@gmail.com> * fix: Fixed CodeQL security scan about Incomplete URL substring sanitization on watsonx test suite (#12212) * fix: Fixed CodeQL security scan about Incomplete URL substring sanitization * fix coderabbitai comments * fix: nightly now properly gets 1.9.0 branch (#12215) before it was attempting to pull release-notes as letters are alphanumerically after numbers when we sort -V then grab tail now we only look at branch names that follow the pattern '^release-[0-9]+\.[0-9]+\.[0-9]+$' * fix failing action * docs: add search icon (#12216) add-back-svg * Revert "Merge branch 'main' into dev-fix-security-code-scan-watsonx" This reverts commit 41eb034e1136f08fb4e5fe3748c14ff06c0c8a56, reversing changes made to 4e51f4d836885552b93258e0e797750a22a36e14. * Revert "Merge branch 'main' into dev-fix-security-code-scan-watsonx" This reverts commit 4e51f4d836885552b93258e0e797750a22a36e14, reversing changes made to 530bddd0a4193095bd575467d428d9d208e9c680. --------- Co-authored-by: Adam-Aghili <149833988+Adam-Aghili@users.noreply.github.com> Co-authored-by: Mendon Kissling <59585235+mendonk@users.noreply.github.com> * fix: remove ibm-watsonx extra from complete installation (#12230) * docs: lfx readme content (#11870) * docs-add-lfx-content-to-readme * github-link-syntax * allowlist-blocklist * docs: add a copy to markdown button to docusaurus theme (#12189) * copy-page-component * copy-theme-and-add-button * docs: add versioning (#12218) * fix: nightly now properly gets 1.9.0 branch (#12215) before it was attempting to pull release-notes as letters are alphanumerically after numbers when we sort -V then grab tail now we only look at branch names that follow the pattern '^release-[0-9]+\.[0-9]+\.[0-9]+$' * docs: add search icon (#12216) add-back-svg * initial-content * cut-1.8-release-and-include-next-version * stage-1.8.0-and-next --------- Co-authored-by: Adam-Aghili <149833988+Adam-Aghili@users.noreply.github.com> * docs: replace api build automation (#12214) * remove-workflows-file-and-script * tag-hidden-endpoints * update-scripts-and-specs * fix: nightly now properly gets 1.9.0 branch (#12215) before it was attempting to pull release-notes as letters are alphanumerically after numbers when we sort -V then grab tail now we only look at branch names that follow the pattern '^release-[0-9]+\.[0-9]+\.[0-9]+$' * docs: add search icon (#12216) add-back-svg --------- Co-authored-by: Adam-Aghili <149833988+Adam-Aghili@users.noreply.github.com> Co-authored-by: Debojit Kaushik <Kaushik.debojit@gmail.com> * fix: prevent arbitrary file write via path traversal in files endpoint (#12227) * fix(security): prevent arbitrary file write via path traversal in file uploads * [autofix.ci] apply automated fixes --------- Co-authored-by: Janardan S Kavia <janardanskavia@Janardans-MacBook-Pro.local> Co-authored-by: autofix-ci[bot] <114827586+autofix-ci[bot]@users.noreply.github.com> * docs: Add AI coding agent skills for code review, testing, and refactoring (#12241) Add AI coding agent skills for code review, testing, and refactoring * feat: Add Windows Playwright testing to nightly builds (#12221) * feat: add Windows support for Playwright tests in nightly builds - Add windows-latest as runner option in typescript_test.yml - Update Playwright browser installation to be OS-aware (Windows doesn't support --with-deps) - Add matrix strategy to nightly_build.yml to run tests on both Linux and Windows - Update Slack notifications to indicate multi-platform testing - Tests now run in parallel on ubuntu-latest and windows-latest This enables catching Windows-specific regressions early in the nightly build process. * fix: add shell: bash to all script steps for Windows compatibility Windows runners default to PowerShell which doesn't understand bash syntax. All steps with bash scripts now explicitly specify shell: bash to ensure cross-platform compatibility. * feat: make Windows Playwright tests non-blocking initially Add continue-on-error for Windows tests to allow nightly builds to succeed even if Windows-specific issues are found. This gives us visibility into Windows bugs without blocking releases. Windows tests will still run every night and report failures, but won't block the build. Once Windows tests are stable, we can remove this flag. * chore: fix white space chore: fix white space * fix: replace matrix strategy with separate jobs for Windows Playwright tests - GitHub Actions reusable workflows don't support matrix strategy - Split frontend-tests into frontend-tests-linux and frontend-tests-windows - Windows tests are non-blocking (continue-on-error: true) - Updated all job dependencies and Slack notification logic - Addresses PR review comment about matrix limitation * chore: trigger workflow validation refresh --------- Co-authored-by: Adam Aghili <Adam.Aghili@ibm.com> * fix: Avoid foreign key violation on span table with topological sort (#12232) * fix: Foreign key violation on span table * Potential fix for pull request finding Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com> * Potential fix for pull request finding Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com> * address review comments --------- Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com> * fix: use deepcopy to prevent shared reference mutation in component updates (#12252) * fix: use deepcopy to prevent shared reference mutation in component updates Copies template data via deepcopy when updating project components to prevent mutations from leaking between projects through all_types_dict. Also fixes edge updates to use the copied project data and adds cloneDeep in the frontend templatesGenerator. * fix: deepcopy mutable FIELD_FORMAT_ATTRIBUTES and add coverage test - Add deepcopy on field_dict[attr] assignment (line 192) to prevent shared references for mutable attributes like input_types, options, and fileTypes leaking back into all_types_dict - Add test_update_components_does_not_mutate_field_format_attributes to verify the fix covers the FIELD_FORMAT_ATTRIBUTES update path * feat: add support for Langchain 1.0 (#11114) * feat: upgrade to LangChain 1.0 - langchain ~=1.2.0 - langchain-core ~=1.2.3 - langchain-community ~=0.4.1 Updated all langchain-* integration packages to versions compatible with langchain-core 1.0+. * feat(lfx): add langchain-classic dependency for legacy agent classes LangChain 1.0 removed AgentExecutor and related classes to langchain-classic. This adds the dependency to maintain backward compatibility. * refactor(lfx): update imports for LangChain 1.0 compatibility - Move AgentExecutor, agent creators from langchain to langchain_classic - Move AsyncCallbackHandler from langchain.callbacks to langchain_core.callbacks - Move Chain, BaseChatMemory from langchain to langchain_classic - Update LANGCHAIN_IMPORT_STRING for code generation * fix(lfx): make sqlalchemy import lazy in session_scope LangChain 1.0 no longer includes sqlalchemy as a transitive dependency. Move the import inside the function where it's used to avoid import errors when sqlalchemy is not installed. * chore: update uv.lock for langchain-classic * feat: enable nv-ingest optional dependencies for langchain 1.0 - Uncomment nv-ingest-api and nv-ingest-client, update to >=26.1.0 (no longer has openai version conflict) - Bump datasets from <4.0.0 to <5.0.0 to allow fsspec>=2025.5.1 required by nv-ingest - Update mlx-vlm TODO comment with accurate blocking reason * chore: update nv-ingest to 26.1.1 nv-ingest 26.1.1 removes the openai dependency, resolving the conflict with langchain-openai>=1.0.0 (which requires openai>=1.109.1). Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com> * feat: enable mlx and mlx-vlm dependencies for langchain 1.0 opencv-python 4.13+ now supports numpy>=2, resolving the conflict with langchain-aws>=1.0.0 (which requires numpy>=2.2 on Python 3.12+). Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com> * style: fix import order in callback.py Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com> * refactor: update imports to use langchain_classic for agent modules * [autofix.ci] apply automated fixes * fix: remove .item() calls in knowledge_bases.py * fix(lfx): import BaseMemory from langchain_classic for langchain 1.0 * [autofix.ci] apply automated fixes * [autofix.ci] apply automated fixes (attempt 2/3) * refactor: update deprecated langchain imports for langchain 1.0 - langchain.callbacks.base -> langchain_core.callbacks.base - langchain.tools -> langchain_core.tools - langchain.schema -> langchain_core.messages/documents - langchain.chains -> langchain_classic.chains - langchain.retrievers -> langchain_classic.retrievers - langchain.memory -> langchain_classic.memory - langchain.globals -> langchain_core.globals - langchain.docstore -> langchain_core.documents - langchain.prompts -> langchain_core.prompts Also simplified GoogleGenerativeAIEmbeddingsComponent to use native langchain-google-genai 4.x which now supports output_dimensionality. * [autofix.ci] apply automated fixes * fix: add _to_int helper for pandas sum() compatibility across Python versions * fix: update langfuse>=3.8.0 and fix cuga_agent.py (#11519) * fix: update langfuse>=3.8.0 and fix cuga_agent.py * [autofix.ci] apply automated fixes * [autofix.ci] apply automated fixes (attempt 2/3) --------- Co-authored-by: autofix-ci[bot] <114827586+autofix-ci[bot]@users.noreply.github.com> * feat: implement LangFuseTracer for langfuse v3 API compatibility and add unit tests * fix: upgrade cuga to 0.2.9 for langchain 1.0 compatibility * fix: improve error handling and return value in get_langchain_callback method * fix: update package versions for compatibility and improvements * [autofix.ci] apply automated fixes * [autofix.ci] apply automated fixes (attempt 2/3) * [autofix.ci] apply automated fixes (attempt 3/3) * fix: update langwatch dependency to version 0.10.0 for compatibility * fix: update environment variable for Langfuse host to LANGFUSE_BASE_URL * Update dependency versions in Youtube Analysis project - Downgraded googleapiclient from 2.188.0 to 2.154.0 - Updated langchain_core from 1.2.7 to 1.2.9 - Updated fastapi from 0.128.1 to 0.128.5 - Downgraded youtube_transcript_api from 1.2.4 to 1.2.3 - Changed langchain_core version from 1.2.7 to 0.3.81 - Cleared input_types in model selection # Conflicts: # src/backend/base/langflow/initial_setup/starter_projects/Basic Prompt Chaining.json # src/backend/base/langflow/initial_setup/starter_projects/Basic Prompting.json # src/backend/base/langflow/initial_setup/starter_projects/Blog Writer.json # src/backend/base/langflow/initial_setup/starter_projects/Custom Component Generator.json # src/backend/base/langflow/initial_setup/starter_projects/Document Q&A.json # src/backend/base/langflow/initial_setup/starter_projects/Financial Report Parser.json # src/backend/base/langflow/initial_setup/starter_projects/Hybrid Search RAG.json # src/backend/base/langflow/initial_setup/starter_projects/Image Sentiment Analysis.json # src/backend/base/langflow/initial_setup/starter_projects/Instagram Copywriter.json # src/backend/base/langflow/initial_setup/starter_projects/Invoice Summarizer.json # src/backend/base/langflow/initial_setup/starter_projects/Knowledge Retrieval.json # src/backend/base/langflow/initial_setup/starter_projects/Market Research.json # src/backend/base/langflow/initial_setup/starter_projects/Meeting Summary.json # src/backend/base/langflow/initial_setup/starter_projects/Memory Chatbot.json # src/backend/base/langflow/initial_setup/starter_projects/News Aggregator.json # src/backend/base/langflow/initial_setup/starter_projects/Nvidia Remix.json # src/backend/base/langflow/initial_setup/starter_projects/Pokédex Agent.json # src/backend/base/langflow/initial_setup/starter_projects/Portfolio Website Code Generator.json # src/backend/base/langflow/initial_setup/starter_projects/Price Deal Finder.json # src/backend/base/langflow/initial_setup/starter_projects/Research Agent.json # src/backend/base/langflow/initial_setup/starter_projects/Research Translation Loop.json # src/backend/base/langflow/initial_setup/starter_projects/SEO Keyword Generator.json # src/backend/base/langflow/initial_setup/starter_projects/SaaS Pricing.json # src/backend/base/langflow/initial_setup/starter_projects/Search agent.json # src/backend/base/langflow/initial_setup/starter_projects/Sequential Tasks Agents.json # src/backend/base/langflow/initial_setup/starter_projects/Simple Agent.json # src/backend/base/langflow/initial_setup/starter_projects/Social Media Agent.json # src/backend/base/langflow/initial_setup/starter_projects/Text Sentiment Analysis.json # src/backend/base/langflow/initial_setup/starter_projects/Travel Planning Agents.json # src/backend/base/langflow/initial_setup/starter_projects/Twitter Thread Generator.json # src/backend/base/langflow/initial_setup/starter_projects/Vector Store RAG.json # src/backend/base/langflow/initial_setup/starter_projects/Youtube Analysis.json * fix: handle InvalidRequestError during session rollback * update projects * ⚡️ Speed up method `LangFuseTracer.end` by 141% in PR #11114 (`feat/langchain-1.0`) (#11682) Optimize LangFuseTracer.end The optimized code achieves a **140% speedup** (8.23ms → 3.42ms) through two complementary optimizations: ## 1. Fast-path for Common Primitives in `serialize()` **What changed:** Added an early-exit check that returns immutable primitives (`str`, `int`, `float`, `bool`) directly when no truncation or special handling is needed: ```python if max_length is None and max_items is None and not to_str: if isinstance(obj, (str, int, float, bool)): return obj ``` **Why it's faster:** - The profiler shows `_serialize_dispatcher()` consumed **81.5% of runtime** in the original code (40.4ms out of 49.6ms) - This optimization reduced dispatcher calls from **8,040 to 1,013** (~87% reduction), as primitives now bypass the expensive pattern-matching dispatcher entirely - The fast-path check itself is extremely cheap: just two quick conditionals and an `isinstance()` check against a tuple of built-in types **When it helps:** This optimization is particularly effective for workloads with many primitive values in dictionaries and lists—which is exactly what the tracing use case provides (metadata dicts with strings, numbers, booleans). ## 2. Eliminate Redundant Serialization in `LangFuseTracer.end()` **What changed:** Serialize `inputs`, `outputs`, and `metadata` once each, then reuse the results: ```python inputs_ser = serialize(inputs) outputs_ser = serialize(outputs) metadata_ser = serialize(metadata) if metadata else None ``` **Why it's faster:** - The original code called `serialize()` **6 times total** (3 for `.update()` + 3 for `.update_trace()`) - The optimized version calls it **3 times**, then passes the cached results - Profiler shows the time spent in `serialize()` calls dropped from **72.2ms to 31.2ms** (~57% reduction) - This is pure elimination of redundant work—the same dictionaries were being serialized twice with identical results **Impact on workloads:** The `test_end_multiple_iterations_calls_end_each_time` test (500 iterations) demonstrates this matters in hot paths. If `LangFuseTracer.end()` is called frequently during flow execution, avoiding duplicate serialization provides compounding benefits. ## Combined Effect Both optimizations target the serialization bottleneck from different angles: - The fast-path reduces the cost of *each* serialize call by ~75% for primitive-heavy data - The caching reduces the *number* of serialize calls by 50% Together, they deliver the observed 140% speedup, with the optimization being especially effective for the common case of metadata dictionaries containing mostly primitive types. Co-authored-by: codeflash-ai[bot] <148906541+codeflash-ai[bot]@users.noreply.github.com> * refactor: reorder imports and simplify serialization logic for primitives * [autofix.ci] apply automated fixes * fix: update google dependency version to 0.4.0 in component_index.json * [autofix.ci] apply automated fixes * [autofix.ci] apply automated fixes (attempt 2/3) * fix: pin z3-solver<4.15.7 to restore Linux wheels for Docker build z3-solver 4.15.7 dropped manylinux wheels, causing the Docker build to fail when trying to compile from source. Temporary pin until codeflash is removed. * [autofix.ci] apply automated fixes * fix: update google dependency version to 0.4.0 * [autofix.ci] apply automated fixes * fix: update langchain_core version to 1.2.17 in multiple starter project JSON files * [autofix.ci] apply automated fixes * [autofix.ci] apply automated fixes (attempt 2/3) * fix: update deprecated langchain imports to langchain_classic for 1.0 compatibility * fix: align langchain-chroma version in optional chroma dependency group * fix: nightly now properly gets 1.9.0 branch (#12215) before it was attempting to pull release-notes as letters are alphanumerically after numbers when we sort -V then grab tail now we only look at branch names that follow the pattern '^release-[0-9]+\.[0-9]+\.[0-9]+$' * docs: add search icon (#12216) add-back-svg * [autofix.ci] apply automated fixes * [autofix.ci] apply automated fixes (attempt 2/3) * feat: fall back to langchain_classic for pre-1.0 imports in user components Old flows using removed langchain imports (e.g. langchain.memory, langchain.schema, langchain.chains) now resolve via langchain_classic at two levels: module-level for entirely removed modules, and attribute-level for removed attributes in modules that still exist in langchain 1.0. New langchain 1.0 imports are never affected since fallbacks only trigger on import failure. * urllib parse module import bug * Update component_index.json * [autofix.ci] apply automated fixes * chore: rebuild component index * [autofix.ci] apply automated fixes --------- Co-authored-by: Claude Opus 4.5 <noreply@anthropic.com> Co-authored-by: autofix-ci[bot] <114827586+autofix-ci[bot]@users.noreply.github.com> Co-authored-by: Harold Ship <harold.ship@gmail.com> Co-authored-by: codeflash-ai[bot] <148906541+codeflash-ai[bot]@users.noreply.github.com> Co-authored-by: Adam-Aghili <149833988+Adam-Aghili@users.noreply.github.com> Co-authored-by: Mendon Kissling <59585235+mendonk@users.noreply.github.com> Co-authored-by: Eric Hare <ericrhare@gmail.com> * fix: prevent CI injection via unsanitized GitHub context interpolation (#12224) Pass github.event.pull_request.head.ref through env: instead of interpolating it directly into run: shell steps. This prevents bash from evaluating command substitutions embedded in malicious branch names before input validation runs. Co-authored-by: Janardan Singh Kavia <janardankavia@ibm.com> * feat: Refactor and Unify the ModelInput Selector Across Components (#12025) * fix: Fixes Kubernetes deployment crash on runtime_port parsing (#11968) (#11975) * feat: add runtime port validation for Kubernetes service discovery * test: add unit tests for runtime port validation in Settings * fix: improve runtime port validation to handle exceptions and edge cases Co-authored-by: Gabriel Luiz Freitas Almeida <gabriel@logspace.ai> * fix(frontend): show delete option for default session when it has messages (#11969) * feat: add documentation link to Guardrails component (#11978) * feat: add documentation link to Guardrails component * [autofix.ci] apply automated fixes --------- Co-authored-by: autofix-ci[bot] <114827586+autofix-ci[bot]@users.noreply.github.com> * feat: traces v0 (#11689) (#11983) * feat: traces v0 v0 for traces includes: - filters: status, token usage range and datatime - accordian rows per trace Could add: - more filter options. Ecamples: session_id, trace_id and latency range * fix: token range * feat: create sidebar buttons for logs and trace add sidebar buttons for logs and trace remove lods canvas control * fix: fix duplicate trace ID insertion hopefully fix duplicate trace ID insertion on windows * fix: update tests and alembic tables for uts update tests and alembic tables for uts * chore: add session_id * chore: allo grouping by session_id and flow_id * chore: update race input output * chore: change run name to flow_name - flow_id was flow_name - trace_id now flow_name - flow_id * facelift * clean up and add testcases * clean up and add testcases * merge Alembic detected multiple heads * [autofix.ci] apply automated fixes * improve testcases * remodel files * chore: address gabriel simple changes address gabriel simple changes in traces.py and native.py * clean up and testcases * chore: address OTel and PG status comments https://github.com/langflow-ai/langflow/pull/11689#discussion_r2854630438 https://github.com/langflow-ai/langflow/pull/11689#discussion_r2854630446 * chore: OTel span naming convention model name is now set using name = f"{operation} {model_name}" if model_name else operation * add traces * feat: use uv sources for CPU-only PyTorch (#11884) * feat: use uv sources for CPU-only PyTorch Configure [tool.uv.sources] with pytorch-cpu index to avoid ~6GB CUDA dependencies in Docker images. This replaces hardcoded wheel URLs with a cleaner index-based approach. - Add pytorch-cpu index with explicit = true - Add torch/torchvision to [tool.uv.sources] - Add explicit torch/torchvision deps to trigger source override - Regenerate lockfile without nvidia/cuda/triton packages - Add required-environments for multi-platform support * fix: update regex to only replace name in [project] section The previous regex matched all lines starting with `name = "..."`, which incorrectly renamed the UV index `pytorch-cpu` to `langflow-nightly` during nightly builds. This caused `uv lock` to fail with: "Package torch references an undeclared index: pytorch-cpu" The new regex specifically targets the name field within the [project] section only, avoiding unintended replacements in other sections like [[tool.uv.index]]. * style: fix ruff quote style * fix: remove required-environments to fix Python 3.13 macOS x86_64 CI The required-environments setting was causing hard failures when packages like torch didn't have wheels for specific platform/Python combinations. Without this setting, uv resolves optimistically and handles missing wheels gracefully at runtime instead of failing during resolution. --------- * LE-270: Hydration and Console Log error (#11628) * LE-270: add fix hydration issues * LE-270: fix disable field on max token on language model --------- * test: add wait for selector in mcp server tests (#11883) * Add wait for selector in mcp server tests * [autofix.ci] apply automated fixes * Add more awit for selectors * [autofix.ci] apply automated fixes --------- * fix: reduce visual lag in frontend (#11686) * Reduce lag in frontend by batching react events and reducing minimval visual build time * Cleanup * [autofix.ci] apply automated fixes * add tests and improve code read * [autofix.ci] apply automated fixes * Remove debug log --------- * feat: lazy load imports for language model component (#11737) * Lazy load imports for language model component Ensures that only the necessary dependencies are required. For example, if OpenAI provider is used, it will now only import langchain_openai, rather than requiring langchain_anthropic, langchain_ibm, etc. * Add backwards-compat functions * [autofix.ci] apply automated fixes * [autofix.ci] apply automated fixes (attempt 2/3) * Add exception handling * [autofix.ci] apply automated fixes * [autofix.ci] apply automated fixes * [autofix.ci] apply automated fixes * [autofix.ci] apply automated fixes * [autofix.ci] apply automated fixes * [autofix.ci] apply automated fixes (attempt 2/3) * comp index * docs: azure default temperature (#11829) * change-azure-openai-default-temperature-to-1.0 * [autofix.ci] apply automated fixes * [autofix.ci] apply automated fixes (attempt 2/3) * [autofix.ci] apply automated fixes (attempt 3/3) * [autofix.ci] apply automated fixes --------- * [autofix.ci] apply automated fixes * [autofix.ci] apply automated fixes (attempt 2/3) * [autofix.ci] apply automated fixes * [autofix.ci] apply automated fixes * [autofix.ci] apply automated fixes * [autofix.ci] apply automated fixes (attempt 2/3) * fix unit test? * add no-group dev to docker builds * [autofix.ci] apply automated fixes --------- * feat: generate requirements.txt from dependencies (#11810) * Base script to generate requirements Dymanically picks dependency for LanguageM Comp. Requires separate change to remove eager loading. * Lazy load imports for language model component Ensures that only the necessary dependencies are required. For example, if OpenAI provider is used, it will now only import langchain_openai, rather than requiring langchain_anthropic, langchain_ibm, etc. * Add backwards-compat functions * [autofix.ci] apply automated fixes * [autofix.ci] apply automated fixes (attempt 2/3) * Add exception handling * Add CLI command to create reqs * correctly exclude langchain imports * Add versions to reqs * dynamically resolve provider imports for language model comp * Lazy load imports for reqs, some ruff fixes * Add dynamic resolves for embedding model comp * Add install hints * Add missing provider tests; add warnings in reqs script * Add a few warnings and fix install hint * update comments add logging * Package hints, warnings, comments, tests * [autofix.ci] apply automated fixes * [autofix.ci] apply automated fixes (attempt 2/3) * [autofix.ci] apply automated fixes (attempt 3/3) * Add alias for watsonx * Fix anthropic for basic prompt, azure mapping * [autofix.ci] apply automated fixes * [autofix.ci] apply automated fixes (attempt 2/3) * ruff * [autofix.ci] apply automated fixes * test formatting * ruff * [autofix.ci] apply automated fixes --------- * fix: add handle to file input to be able to receive text (#11825) * changed base file and file components to support muitiple files and files from messages * update component index * update input file component to clear value and show placeholder * updated starter projects * [autofix.ci] apply automated fixes * updated base file, file and video file to share robust file verification method * updated component index * updated templates * fix whitespaces * [autofix.ci] apply automated fixes * [autofix.ci] apply automated fixes (attempt 2/3) * add file upload test for files fed through the handle * [autofix.ci] apply automated fixes * added tests and fixed things pointed out by revies * update component index * fixed test * ruff fixes * Update component_index.json * [autofix.ci] apply automated fixes * [autofix.ci] apply automated fixes (attempt 2/3) * [autofix.ci] apply automated fixes (attempt 3/3) * updated component index * updated component index * removed handle from file input * Added functionality to use multiple files on the File Path, and to allow files on the langflow file system. * [autofix.ci] apply automated fixes * fixed lfx test * build component index --------- * docs: Add AGENTS.md development guide (#11922) * add AGENTS.md rule to project * change to agents-example * remove agents.md * add example description * chore: address cris I1 comment address cris I1 comment * chore: address cris I5 address cris I5 * chore: address cris I6 address cris I6 * chore: address cris R7 address cris R7 * fix testcase * chore: address cris R2 address cris R2 * restructure insight page into sidenav * added header and total run node * restructing branch * chore: address gab otel model changes address gab otel model changes will need no migration tables * chore: update alembic migration tables update alembic migration tables after model changes * add empty state for gropu sessions * remove invalid mock * test: update and add backend tests update and add backend tests * chore: address backend code rabbit comments address backend code rabbit comments * chore: address code rabbit frontend comments address code rabbit frontend comments * chore: test_native_tracer minor fix address c1 test_native_tracer minor fix address c1 * chore: address C2 + C3 address C2 + C3 * chore: address H1-H5 address H1-H5 * test: update test_native_tracer update test_native_tracer * fixes * chore: address M2 address m2 * chore: address M1 address M1 * dry changes, factorization * chore: fix 422 spam and clean comments fix 422 spam and clean comments * chore: address M12 address M12 * chore: address M3 address M3 * chore: address M4 address M4 * chore: address M5 address M5 * chore: clean up for M7, M9, M11 clean up for M7, M9, M11 * chore: address L2,L4,L5,L6 + any test address L2,L4,L5 and L6 + any test * chore: alembic + comment clean up alembic + comment clean up * chore: remove depricated test_traces file remove depricated test_traces file. test have all been moved to test_traces_api.py * fix datetime * chore: fix test_trace_api ge=0 is allowed now fix test_trace_api ge=0 is allowed now * chore: remove unused traces cost flow remove unused traces cost flow * fix traces test * fix traces test * fix traces test * fix traces test * fix traces test * chore: address gabriels otel coment address gabriels otel coment latest --------- Co-authored-by: Olayinka Adelakun <olayinkaadelakun@Olayinkas-MacBook-Pro.local> Co-authored-by: Olayinka Adelakun <olayinkaadelakun@mac.war.can.ibm.com> Co-authored-by: autofix-ci[bot] <114827586+autofix-ci[bot]@users.noreply.github.com> Co-authored-by: Ram Gopal Srikar Katakam <44802869+RamGopalSrikar@users.noreply.github.com> Co-authored-by: Claude Opus 4.5 <noreply@anthropic.com> Co-authored-by: olayinkaadelakun <olayinka.adelakun@ibm.com> Co-authored-by: Jordan Frazier <122494242+jordanrfrazier@users.noreply.github.com> Co-authored-by: cristhianzl <cristhian.lousa@gmail.com> Co-authored-by: Hamza Rashid <74062092+HzaRashid@users.noreply.github.com> Co-authored-by: Mendon Kissling <59585235+mendonk@users.noreply.github.com> Co-authored-by: Lucas Oliveira <62335616+lucaseduoli@users.noreply.github.com> Co-authored-by: Edwin Jose <edwin.jose@datastax.com> Co-authored-by: Himavarsha <40851462+HimavarshaVS@users.noreply.github.com> * fix(test): Fix superuser timeout test errors by replacing heavy clien… (#11982) fix(test): Fix superuser timeout test errors by replacing heavy client fixture (#11972) * fix super user timeout test error * fix fixture db test * remove canary test * [autofix.ci] apply automated fixes * flaky test --------- Co-authored-by: Cristhian Zanforlin Lousa <cristhian.lousa@gmail.com> Co-authored-by: autofix-ci[bot] <114827586+autofix-ci[bot]@users.noreply.github.com> * refactor(components): Replace eager import with lazy loading in agentics module (#11974) Co-authored-by: autofix-ci[bot] <114827586+autofix-ci[bot]@users.noreply.github.com> * fix: add ondelete=CASCADE to TraceBase.flow_id to match migration (#12002) * fix: add ondelete=CASCADE to TraceBase.flow_id to match migration The migration file creates the trace table's flow_id foreign key with ondelete="CASCADE", but the model was missing this parameter. This mismatch caused the migration validator to block startup. Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com> * fix: add defensive migration to ensure trace.flow_id has CASCADE Adds a migration that ensures the trace.flow_id foreign key has ondelete=CASCADE. While the original migration already creates it with CASCADE, this provides a safety net for any databases that may have gotten into an inconsistent state. * fix: dynamically find FK constraint name in migration The original migration did not name the FK constraint, so it gets an auto-generated name that varies by database. This fix queries the database to find the actual constraint name before dropping it. --------- Co-authored-by: Claude Opus 4.5 <noreply@anthropic.com> * fix: LE-456 - Update ButtonSendWrapper to handle building state and improve button functionality (#12000) * fix: Update ButtonSendWrapper to handle building state and improve button functionality * fix(frontend): rename stop button title to avoid Playwright selector conflict The "Stop building" title caused getByRole('button', { name: 'Stop' }) to match two elements, breaking Playwright tests in shards 19, 20, 22, 25. Renamed to "Cancel" to avoid the collision with the no-input stop button. * Fix: pydantic fail because output is list, instead of a dict (#11987) pydantic fail because output is list, instead of a dict Co-authored-by: Olayinka Adelakun <olayinkaadelakun@Olayinkas-MacBook-Pro.local> * refactor: Update guardrails icons (#12016) * Update guardrails.py Changing the heuristic threshold icons. The field was using the default icons. I added icons related to the security theme. * [autofix.ci] apply automated fixes --------- Co-authored-by: autofix-ci[bot] <114827586+autofix-ci[bot]@users.noreply.github.com> Co-authored-by: Viktor Avelino <64113566+viktoravelino@users.noreply.github.com> * feat: Clean up the modelinput unification * [autofix.ci] apply automated fixes * [autofix.ci] apply automated fixes (attempt 2/3) * Update test_embedding_model_component.py * [autofix.ci] apply automated fixes * Revert to main for other files * More reversions * [autofix.ci] apply automated fixes * [autofix.ci] apply automated fixes * [autofix.ci] apply automated fixes (attempt 2/3) * [autofix.ci] apply automated fixes * [autofix.ci] apply automated fixes (attempt 2/3) * [autofix.ci] apply automated fixes (attempt 3/3) * [autofix.ci] apply automated fixes * [autofix.ci] apply automated fixes (attempt 2/3) * [autofix.ci] apply automated fixes (attempt 3/3) * Handle first run more elegantly in astra * [autofix.ci] apply automated fixes * Fix knowledge embedding dialog (#12071) * fix: Handle message inputs when ingesting knowledge * [autofix.ci] apply automated fixes * [autofix.ci] apply automated fixes (attempt 2/3) * [autofix.ci] apply automated fixes (attempt 3/3) * Update test_ingestion.py * [autofix.ci] apply automated fixes * fix: Unify the knowledge creation model selector * Revert tracing * Update ingestion.py * Rebuild comp index * [autofix.ci] apply automated fixes * Update test_ingestion.py * [autofix.ci] apply automated fixes * [autofix.ci] apply automated fixes (attempt 2/3) * Update test_ingestion.py * Update component_index.json * [autofix.ci] apply automated fixes --------- Co-authored-by: autofix-ci[bot] <114827586+autofix-ci[bot]@users.noreply.github.com> * [autofix.ci] apply automated fixes * Update comp index * Update test_astradb_base_component.py * Update Knowledge Ingestion.json * [autofix.ci] apply automated fixes * Fix broken tests * Cleanup from claude * [autofix.ci] apply automated fixes * Fix failing tests * Update test_unified_models.py * [autofix.ci] apply automated fixes * Update Nvidia Remix.json * Refactor ingest * Rebuild templates and component index * Fix test * [autofix.ci] apply automated fixes * Update component_index.json * [autofix.ci] apply automated fixes * test: add update_build_config visibility tests and PR review fixes (#12114) - Add update_build_config field-visibility tests to LanguageModelComponent, ToolCallingAgentComponent, and BatchRunComponent covering Ollama, WatsonX, OpenAI, and no-model-selected cases - Remove 16 stale @pytest.mark.skip tests from test_agent_component.py - Wire up validate_model_selection in agent.py for early input validation - Document AstraDB intentional use of lower-level update_model_options_in_build_config - Clarify model_kwargs info text to note provider-specific support Co-authored-by: Claude Sonnet 4.6 <noreply@anthropic.com> * Update embedding_model.py * fix: address PR review recommendations for feat-unify-models++ (#12116) - Fix 9 skipped tests in test_batch_run_component.py by replacing model list with _MockLLM instances, following the existing pattern used by test_with_config_failure_handling - Fix test_agent_component.py: set component.model to a valid list before calling get_agent_requirements() in the three max_tokens tests, since validate_model_selection now requires a list-format model - Replace os.environ direct reads in apply_provider_variable_config_to_build_config with get_all_variables_for_provider() (DB-first, env fallback), and pass user_id through from handle_model_input_update - Add deprecated stubs for update_provider_fields_visibility, _update_watsonx_fields, and _update_ollama_fields in model_config.py with DeprecationWarning pointing to handle_model_input_update - Fix typo: "deault" -> "default" in structured_output.py TODO comment - Add 4 new KnowledgeIngestionComponent tests: new-format model_selection …

github-actions Bot added the enhancement New feature or request label Mar 14, 2026

github-actions Bot added enhancement New feature or request and removed enhancement New feature or request labels Mar 14, 2026

coderabbitai Bot reviewed Mar 14, 2026

View reviewed changes

Comment thread src/lfx/src/lfx/services/adapters/deployment/payloads.py

Comment thread src/lfx/src/lfx/services/adapters/payload.py Outdated

github-actions Bot added enhancement New feature or request and removed enhancement New feature or request labels Mar 14, 2026

jordanrfrazier approved these changes Mar 16, 2026

View reviewed changes

HzaRashid force-pushed the deployment-schema-unify branch from 2a54790 to 98fbef9 Compare March 16, 2026 15:39

github-actions Bot added enhancement New feature or request and removed enhancement New feature or request labels Mar 16, 2026

HzaRashid changed the base branch from main to release-1.9.0 March 16, 2026 16:25

github-actions Bot added enhancement New feature or request and removed enhancement New feature or request labels Mar 16, 2026

HzaRashid added 5 commits March 16, 2026 16:32

feat(deployments): unify dynamic payload passthrough across api and a…

5917a89

…dapter

use datatime.timezone for python3.10 compatibility

8bf7689

use appropriate type vars in slots and sanitize error message

f53f69d

tweaks to schemas

703a21e

use policy to avoid dump churn

dbebf80

HzaRashid force-pushed the deployment-schema-unify branch from 98fbef9 to dbebf80 Compare March 16, 2026 16:38

github-actions Bot added enhancement New feature or request and removed enhancement New feature or request labels Mar 16, 2026

HzaRashid merged commit 3811db4 into release-1.9.0 Mar 16, 2026
99 checks passed

HzaRashid deleted the deployment-schema-unify branch March 16, 2026 16:55

coderabbitai Bot mentioned this pull request Mar 18, 2026

Fix: unauthenticated image IDOR #12233

Closed

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

feat(deployments): unify payload passthrough from api to adapter#12190

feat(deployments): unify payload passthrough from api to adapter#12190
HzaRashid merged 5 commits into
release-1.9.0from
deployment-schema-unify

HzaRashid commented Mar 14, 2026 •

edited by coderabbitai Bot

Loading

Uh oh!

coderabbitai Bot commented Mar 14, 2026 •

edited

Loading

Review skipped

❌ Failed checks (2 warnings)

Uh oh!

github-actions Bot commented Mar 14, 2026 •

edited

Loading

Uh oh!

codecov Bot commented Mar 14, 2026 •

edited

Loading

Uh oh!

coderabbitai Bot left a comment

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

2 participants

Conversation

HzaRashid commented Mar 14, 2026 • edited by coderabbitai Bot Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

What’s included

Why

Test plan

Notes

Summary by CodeRabbit

Uh oh!

coderabbitai Bot commented Mar 14, 2026 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Review skipped

Walkthrough

Changes

Estimated code review effort

❌ Failed checks (2 warnings)

Uh oh!

github-actions Bot commented Mar 14, 2026 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Frontend Unit Test Coverage Report

Coverage Summary

Unit Test Results

Uh oh!

codecov Bot commented Mar 14, 2026 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Codecov Report

Uh oh!

coderabbitai Bot left a comment

Choose a reason for hiding this comment

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

2 participants

HzaRashid commented Mar 14, 2026 •

edited by coderabbitai Bot

Loading

coderabbitai Bot commented Mar 14, 2026 •

edited

Loading

github-actions Bot commented Mar 14, 2026 •

edited

Loading

codecov Bot commented Mar 14, 2026 •

edited

Loading