mirror of
https://github.com/Comfy-Org/ComfyUI-Manager.git
synced 2026-06-23 00:09:25 +08:00
e4c5401dd5
Some checks are pending
Python Linting / Run Ruff (push) Waiting to run
* feat(security): add dedicated install flags decoupled from security_level Gate 'install via git URL' and 'install via pip' with dedicated opt-in boolean flags (allow_git_url_install / allow_pip_install) in config.ini [default], fully replacing the security_level term on those surfaces (REPLACE, not AND — a strict level no longer denies when the flag is on; a weak level no longer allows when the flag is off). - glob/manager_server.py: pure predicate is_dedicated_install_allowed (flag AND loopback, request-time args.listen); REPLACE gates at /customnode/install/git_url and /customnode/install/pip; batch unknown-URL arm routes through the same full predicate at the risky position (loopback term is load-bearing — the middle entry gate has no network-position term; the entry gate itself stays in force); unknown-pip in batch stays unconditionally blocked; new SECURITY_MESSAGE_FLAG_* denial constants name the responsible flag; security_403_response gains flag_token (comfyui_outdated keeps precedence) - glob/manager_core.py: register both keys (read via get_bool default-false, write list, exception fallback); "true"-only truthy; restart-only activation - js/common.js: 403 dialog copy names the responsible flag at the two install call sites - README.md: security-policy docs for both flags (per-surface scope incl. the batch entry-gate qualifier, REPLACE decoupling, loopback bound, opt-in config snippet, default-deny + migration note); stale tier lists corrected against the actual gates - CHANGELOG.md: opt-in migration note + accepted residual risk (flags bypass the forced-strong outdated-ComfyUI hardening on loopback, opt-in only), decoupling claim qualified for the batch entry gate Tests: unit suite (predicate truth table, REPLACE litmus both directions, AST binding-proofs against live handlers, subprocess-isolated config contract) plus a real-server E2E suite that mounts the Manager-under-test via git worktree (exact-SHA pin, detached) against a real ComfyUI and exercises both flag surfaces and both arms — deny arms (403 + flag-naming body/log + no install artifact), git-URL allow arm (real clone), pip allow arm as a two-phase reservation oracle — with zero-residual self-clean. Module skips without E2E_COMFYUI_ROOT; unit suite unaffected. The manager-v4 branch ships the identical policy (shared invariants + config contract); this tree uses the degraded predicate 'flag AND loopback' (no personal_cloud-equivalent mode here). * bump version to v3.41 |
||
|---|---|---|
| .. | ||
| cm-api.js | ||
| comfyui-gui-builder.js | ||
| comfyui-manager.js | ||
| comfyui-share-common.js | ||
| comfyui-share-copus.js | ||
| comfyui-share-openart.js | ||
| comfyui-share-youml.js | ||
| common.js | ||
| components-manager.js | ||
| custom-nodes-manager.css | ||
| custom-nodes-manager.js | ||
| model-manager.css | ||
| model-manager.js | ||
| node_fixer.js | ||
| popover-helper.js | ||
| README.md | ||
| snapshot.css | ||
| snapshot.js | ||
| turbogrid.esm.js | ||
| workflow-metadata.js | ||
ComfyUI-Manager: Frontend (js)
This directory contains the JavaScript frontend implementation for ComfyUI-Manager, providing the user interface components that interact with the backend API.
Core Components
- comfyui-manager.js: Main entry point that initializes the manager UI and integrates with ComfyUI.
- custom-nodes-manager.js: Implements the UI for browsing, installing, and managing custom nodes.
- model-manager.js: Handles the model management interface for downloading and organizing AI models.
- components-manager.js: Manages reusable workflow components system.
- snapshot.js: Implements the snapshot system for backing up and restoring installations.
Sharing Components
- comfyui-share-common.js: Base functionality for workflow sharing features.
- comfyui-share-copus.js: Integration with the ComfyUI Copus sharing platform.
- comfyui-share-openart.js: Integration with the OpenArt sharing platform.
- comfyui-share-youml.js: Integration with the YouML sharing platform.
Utility Components
- cm-api.js: Client-side API wrapper for communication with the backend.
- common.js: Shared utilities and helper functions used across the frontend.
- node_fixer.js: Utilities for fixing disconnected links and repairing malformed nodes by recreating them while preserving connections.
- popover-helper.js: UI component for popup tooltips and contextual information.
- turbogrid.esm.js: Grid component library - https://github.com/cenfun/turbogrid
- workflow-metadata.js: Handles workflow metadata parsing, validation and cross-repository compatibility including versioning, dependencies tracking, and resource management.
Architecture
The frontend follows a modular component-based architecture:
- Integration Layer: Connects with ComfyUI's existing UI system
- Manager Components: Individual functional UI components (node manager, model manager, etc.)
- Sharing Components: Platform-specific sharing implementations
- Utility Layer: Reusable UI components and helpers
Implementation Details
- The frontend integrates directly with ComfyUI's UI system through
app.js - Dialog-based UI for most manager functions to avoid cluttering the main interface
- Asynchronous API calls to handle backend operations without blocking the UI
Styling
CSS files are included for specific components:
- custom-nodes-manager.css: Styling for the node management UI
- model-manager.css: Styling for the model management UI
This frontend implementation provides a comprehensive yet user-friendly interface for managing the ComfyUI ecosystem.