Add two boolean config.ini [default] flags — allow_git_url_install and
allow_pip_install (both default false) — that fully REPLACE the
security_level term on the legacy install surfaces:
- POST /v2/customnode/install/git_url (S-A) and
POST /v2/customnode/install/pip (S-B) are now gated solely by their
dedicated flag AND the retained network-position invariant
(loopback listener OR network_mode=personal_cloud). security_level
no longer affects these two surfaces in either direction.
- The batch unknown-URL branch (S-C) routes through the same predicate;
the unknown-pip branch stays unconditionally blocked; the general
middle+ batch entry gate is unchanged.
- New pure predicate is_dedicated_install_allowed() in
common/manager_security.py (config-import-free; callers pass values
from their own reader). Both config readers (glob + legacy) register
the keys in read/write/fallback paths.
- Denial logs and frontend copy name the responsible flag instead of
the misleading security_level guidance. Public listeners remain
denied regardless of the flags (no exposure widening).
- README security policy updated: config keys documented, git-url/pip
removed from the security_level risky table, and a dedicated-flags
subsection (REPLACE semantics, network rule, batch behavior,
restart-only activation, weak/normal- opt-in migration note).
- Migration: existing weak/normal- users must opt in via the new flags
(CHANGELOG note; deliberate no auto-seed).
Includes the unit/config/guard test suites (88 tests): predicate truth
table, dual-reader config contract (missing/malformed keys read false,
round-trip, cache staleness), security_level-matrix freeze guards, and
suite-order-independent test stubs.
Defense-in-depth over GET→POST alone: reject the three CORS-safelisted
simple-form Content-Types (x-www-form-urlencoded, multipart/form-data,
text/plain) on 16 no-body POST handlers (glob + legacy) to block
<form method=POST> CSRF that bypasses method-only gating. Move
comfyui_switch_version to a JSON body so the preflight requirement applies.
Split db_mode/policy/update/channel_url_list into GET(read) + POST(write).
Tighten do_fix (high → high+) and gate three previously-ungated config
setters at middle. Resynchronize openapi.yaml (27 paths, 30 operations,
ComfyUISwitchVersionParams as a shared $ref component). Add E2E harness
variants, Playwright config, CSRF/secgate suites, 39-endpoint coverage,
and a CHANGELOG.
Breaking: legacy per-op POST routes (install/uninstall/fix/disable/update/
reinstall/abort_current) are removed; callers already use queue/batch.
Legacy /manager/notice (v1) is removed; /v2/manager/notice is retained.
Reported-by: XlabAI Team of Tencent Xuanwu Lab
CVSS: 8.1 (AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:H)
* Started changing UI to match the rest of ComfyUI
Completed Main Container
* - Added layout formatting to components of the Manager dialog box
- Pulled name from select and put it into a label (eg "DB: Channel" now has a label of DB and a dropdown with channel, etc)
- Fixed incorrect z-index
* Removed this.close() I added before finding z-index issue.
* Matched buttons and drop downs to match style of ComfyUI interface while keeping the colours the same as OG ComfyUI Manager
* - Took gui building out and put into its own .js
- Applied theme to Nodes Manager
- Made theme respect user theme colors
* - Themed model manager and snapshot manager
- fixed incorrect id in gui builder
* Fix syntax error in color property
---------
Co-authored-by: Dr.Lt.Data <128333288+ltdrdata@users.noreply.github.com>
modified: The matrix share feature is now only available when the `matrix-nio` dependency is installed.
If `matrix-nio` is not installed:
1. Apply a strikethrough to the matrix checkbox text in the share UI and display a tooltip.
2. A warning is logged at startup indicating that `matrix-nio` is missing, along with the installation command.
fixed: Corrected an issue where PR #2025 was merged into draft-v4 but applied only to `legacy/..` and not to `glob/..`
* [feat] Add bulk import failure info API endpoint
- Add import_fail_info_bulk endpoint to both glob and legacy manager servers
- Supports bulk processing of cnr_ids and urls arrays in single request
- Maintains same error handling pattern as original import_fail_info API
- Reduces API calls from N to 1 for conflict detection optimization
- Validates input parameters and provides proper error responses
🤖 Generated with [Claude Code](https://claude.ai/code)
Co-Authored-By: Claude <noreply@anthropic.com>
* modified: remove manager button completely. Now, even when using the legacy UI, it must always be accessed through the menu.
* chore(api): Add temporary cache reload for import_fail_info_bulk
---------
Co-authored-by: Claude <noreply@anthropic.com>
Co-authored-by: Dr.Lt.Data <dr.lt.data@gmail.com>
