Addresses review feedback on the per-prompt metadata envelope:
- Sanitize at the boundary: reject envelopes larger than 16 keys, keys
over 64 chars, values over 256 chars, or anything that isn't a flat
``dict[str, str]``. Logs a warning so abuse is observable. Stops a
malicious client from inflating broadcast volume by stamping a 10 MB
metadata blob onto every WS event.
- Cap the in-memory store at 4096 concurrent envelopes with FIFO
eviction. Acts as a backstop if any cleanup hook is skipped.
- Drop envelopes when prompts are cancelled before reaching the worker:
``PromptQueue.wipe_queue`` and ``delete_queue_item`` now call
``server.unregister_prompt_metadata`` for every removed item.
- Drop envelopes on hard execution failures: the worker now wraps
``e.execute()`` in ``try/finally``, so an uncaught exception in
execution no longer leaks the envelope.
- Guard the WS reconnect handler: only include ``prompt_id`` in the
``executing`` payload when ``last_prompt_id`` is set, so clients
with strict schemas (zod ``prompt_id: zJobId``) don't reject the
message with a null id.
- Extract a ``PromptMetadataStore`` class that owns the dict and the
bounds, so ``PromptServer`` becomes a thin delegating layer and the
full register/inject/unregister cycle (plus FIFO eviction and
sanitization) is unit-tested without torch.
44 tests passing; ruff clean on all touched files.
Replaces the workflow_id-on-every-event approach (#13684, reverted in
#13901) with a generic metadata envelope captured at submission and
injected at the server-side send chokepoint.
- POST /prompt accepts an opaque ``extra_data.metadata`` dict (falls
back to synthesizing ``{"workflow_id": <id>}`` from
``extra_pnginfo.workflow.id`` so existing frontends keep working).
- ``PromptServer`` owns a ``prompt_id -> metadata`` map populated at
submission, drained when the prompt finishes. ``send_sync`` injects
the envelope into any outbound payload that carries a ``prompt_id``,
including the ``(preview_image, metadata_dict)`` tuple used by
``PREVIEW_IMAGE_WITH_METADATA``. WS reconnect path carries it too.
- Pure helpers live in ``app/prompt_metadata.py`` so the execution
layer never depends on workflow concepts and the helpers can be
unit-tested without torch.
Execution layer (``execution.py``, ``comfy_execution/*``) and the jobs
API are unchanged. Backward compatible: existing fields and shapes are
preserved, only an additional ``metadata`` field is attached when
present.
Split GLB save logic out of nodes_hunyuan3d.py into a new nodes_save_3d.py, and extend the writer to support UVs, per-vertex colors, and embedded baseColor textures.
Extend the MESH type with optional uvs, vertex_colors, and texture fields so meshes can carry texture data through the graph.
Add pack_variable_mesh_batch / get_mesh_batch_item helpers and switch VoxelToMesh / VoxelToMeshBasic to use them so batches with differing vertex/face counts no longer fail at torch.stack.
The /ws path uses HTTP 101 (Switching Protocols), which is the correct
response for a WebSocket upgrade but not a 2xx. The built-in
operation-success-response rule fires as a false positive because
OpenAPI 3.x has no native WebSocket support.
Add a path-scoped override in .spectral.yaml to disable the rule for
/ws only, leaving it active for all other operations.
* Mark deprecated cloud-runtime endpoints in openapi.yaml
Add five cloud-runtime FE-facing endpoints to the OSS spec with
deprecated: true and standardized description prefixes:
- GET /api/history_v2 — superseded by GET /api/jobs
- GET /api/history_v2/{prompt_id} — superseded by GET /api/jobs/{prompt_id}
- GET /api/logs — returns static placeholder; no real log data
- GET /api/viewvideo — alias of GET /api/view for legacy video playback
- GET /api/job/{job_id}/status — superseded by GET /api/jobs/{job_id}
Each endpoint is tagged x-runtime: [cloud] and follows the same
deprecation convention established for /api/history endpoints.
Co-authored-by: Matt Miller <MillerMedia@users.noreply.github.com>
* fix(spec): consolidate duplicate path entries on deprecated cloud-runtime endpoints
Previous commit added new path entries with `deprecated: true` for
`/api/job/{job_id}/status`, `/api/history_v2`, `/api/history_v2/{prompt_id}`,
`/api/logs`, and `/api/viewvideo`, but the canonical entries already existed
elsewhere in the file. Result: 5 duplicate path keys (Spectral parser errors),
and the deprecation flag did not land on the operations that FE clients
consume by operationId.
This commit moves `deprecated: true` plus the standardized "Deprecated."
description onto the canonical operations (`getCloudJobStatus`, `getHistoryV2`,
`getHistoryV2ByPromptId`, `getCloudLogs`, `viewVideo`) and removes the
duplicate entries. Operation IDs and response schemas are unchanged.
Spectral lint passes with zero new warnings.
* Initial HiDream01-image support
* Cleanup nodes
* Cleaner handling of empty placeholder models
* Remove snap_to_predefined, prefer tooltip for the trained resolutions
* Add model and block wrappers
* Fix shift tooltip
* Add node to work around the patch tile issue
Experimental, runs multiple passes with the patch grid offset and blends with various different methods.
* Qwen35 vision rotary_pos_emb cast fix
* Fix embedding layout type
* Some small optimizations
* Cleanup, don't need this fallback
* Prefix KV cache, cleanup
Bit of speed, reduce redundant code
* Get rid of redundant custom sampler, refactor noise scaling
Our existing lcm sampler is mathematically same, just added the missing options to it instead and a node to control them. Refactored the noise scaling and fix it for the stochastic samplers, add a generic node to control the initial noise scale.
* Update nodes_hidream_o1.py
* Fix some cache validation cases
* Keep existing sampling params
* Remove redundant video vision path
* Replace some numpy ops with torch
* Fx RoPE index for batch size > 1
* Prefer torch preprocessing
* Rename block_type to be compatible with existing patch nodes
* Fixes and tweaks
* Add new blueprints
* Add Image Segmentation
* Add blueprint Get Video Last Frame (#13613)
* Add Video segment
* Fix Video Stitch subgraph issue
* Update get last frame to get any frame
* Add Frame Interpolate blueprint
* Correct typo
* Name blueprints
* Update and add new blueprints
* blueprints: add subgraph descriptions for previously undocumented workflows
Fill missing definitions.subgraphs[].description across ERNIE, Flux.2,
Z-Image base/default, Qwen edit 2509, Wan I2V, SAM3 image/video,
and align wording with existing blueprint style.
* Add new blueprint
* remove Image to Video
* Update ZIB blueprint
* Refine description
* Remove duplicate model entries from Image Edit blueprint
* Fix typos
* Update IDs
* Add Boolean support to math expressions
* Change boolean result test to assert values
---------
Co-authored-by: Alexis Rolland <alexisrolland@hotmail.com>
* initial WanDancer support
* nodes_wandancer: Add list form of chunker.
Create an alternate list form of the node so the chunk gens can be
trivially looped by the comfy executor.
* Closer match to original soxr resampling
* Remove librosa node
* Cleanup
---------
Co-authored-by: Rattus <rattus128@gmail.com>
* Add description field to all blueprint subgraphs
Sets the 'description' field on every subgraph blueprint node,
which will show on the node preview and tooltip. Covers all 51
blueprint files under blueprints/.
* Update blueprint descriptions with researched model info
* Refine blueprint descriptions with researched model specs from docs
Updates subgraph descriptions across all 51 blueprints with accurate
model details drawn from ComfyUI docs, including:
- Flux.1 Dev: 12B open-weights, Pro-level quality
- Flux.2 Klein 4B: fastest Flux, distilled architecture
- Qwen-Image: 20B MMDiT, multilingual text rendering
- Z-Image-Turbo: distilled 6B DiT, sub-second inference
- LTX-2/2.3: 19B DiT audio-video foundation model
- Wan2.2: open-source, 14B/1.3B variants
- ACE-Step 1.5: ~1s full-song generation
- GPU shader nodes consistently labeled as fragment shaders
* Strip marketing fluff and license info from descriptions
* Fix Canny to Video (LTX 2.0) description
* Remove 'local-' prefix from subgraph names
* Preserve UTF-8 encoding in JSON files (ensure_ascii=False)
* Apply review suggestions from alexisrolland
- Rename 'Image to Model (Hunyuan3d 2.1)' -> 'Image to 3D Model (Hunyuan3d 2.1)'
- Rename 'Image Upscale(Z-image-Turbo)' -> 'Image Upscale (Z-image-Turbo)'
- Rename 'Video Inpaint(Wan2.1 VACE)' -> 'Video Inpaint (Wan 2.1 VACE)'
- Use 'Black Forest Labs' branding in Flux descriptions
- Use 'Google's Gemini' with possessive in captioning nodes
- Normalize 'Wan 2.2' and 'Wan 2.1' spacing in descriptions
* fix: revert Color Adjustment.json to preserve original GLSL shader content
Only adds the 'description' field without modifying the shader code
(which contained Unicode escape \\u2192 that should be preserved).
* Apply CodeRabbit review suggestions
- Color Adjustment: include vibrance in description
- Image Blur: expand to Gaussian/Box/Radial modes
- Flux.2 Klein 4B: narrow to image edit only (no T2I)
- NetaYume Lumina: correct model base (Neta Lumina, not Lumina-Next)
---------
Co-authored-by: linmoumou <linmoumou@linmoumoudeMac-mini.local>
Co-authored-by: Daxiong (Lin) <contact@comfyui-wiki.com>
* Add cloud-runtime experiment node-schema endpoints to spec
Replace the GET operations at /api/experiment/nodes and
/api/experiment/nodes/{id} with getNodeInfoSchema and getNodeByID —
the optimized, ETag-tagged object_info schema endpoints the cloud
frontend depends on for the workflow editor.
Each operation is tagged x-runtime: [cloud] and uses the runtime-only
tag for cloud-side codegen exclusion. Response headers document the
ETag and Cache-Control validators; 304 Not Modified is declared for
RFC 7232 conditional GETs.
Remove the now-unused CloudNodeList schema to keep Spectral clean.
Co-authored-by: Matt Miller <MillerMedia@users.noreply.github.com>
* spec: document If-None-Match header on conditional GET endpoints
Both `getNodeInfoSchema` and `getNodeByID` advertise `ETag` response
headers and a `304 Not Modified` response, but the spec didn't declare
the `If-None-Match` request header that triggers conditional validation.
Adding it as an optional header parameter on both ops so client codegen
exposes the conditional-GET pattern.
* Add cloud-runtime FE-facing operations to openapi.yaml
Add ~67 cloud-runtime FE-facing path operations to the core OpenAPI spec,
each tagged with x-runtime: [cloud] at the operation level. These operations
are served by the cloud runtime; the local runtime returns 404 for all of
these paths.
Domain groups added:
- Jobs / prompts: /api/job/*, /api/jobs/*/cancel, /api/prompt/*, etc.
- History v2: /api/history_v2, /api/history_v2/{prompt_id}
- Cloud logs: /api/logs
- Asset extensions: /api/assets/download, export, import, etc.
- Custom nodes: /api/experiment/nodes (cloud install/uninstall)
- Hub: /api/hub/profiles, /api/hub/workflows, /api/hub/labels, etc.
- Workflows: /api/workflows CRUD, versioning, fork, publish
- Auth/session: /api/auth/session, /api/auth/token, /.well-known/jwks.json
- Billing: /api/billing/balance, plans, subscribe, topup, etc.
- Workspace: /api/workspace/*, /api/workspaces/*
- User/settings/misc: /api/user, /api/secrets, /api/feedback, etc.
Also adds corresponding cloud-only component schemas (CloudJob, CloudWorkflow,
BillingPlan, Workspace, HubProfile, AuthSession, etc.), all tagged with
x-runtime: [cloud].
Spectral lint passes under the existing ruleset with zero new warnings.
* Add job_id field to Asset schema and deprecate prompt_id (#13736)
- Add job_id as a nullable UUID field to the Asset schema
- Mark prompt_id as deprecated with note pointing to job_id
- No x-runtime tag needed as both runtimes populate the field
* Add hash field to Asset schemas and deprecate asset_hash (#13738)
- Add 'hash' as a nullable string field to Asset and AssetUpdated schemas
- Mark 'asset_hash' as deprecated with a note pointing to 'hash'
- AssetCreated inherits 'hash' via allOf from Asset
- Spectral lint clean (no new warnings)
* Fix method drift on cloud-runtime endpoints
Three PUT operations were added that should be PATCH (cloud serves
PATCH for partial updates):
- /api/workflows/{workflow_id}
- /api/workspaces/{id}
- /api/workspace/members/{userId}
Two POST operations were added that should be GET (cloud serves GET
with query params):
- /api/assets/remote-metadata (url moves to query param)
- /api/files/mask-layers (response shape replaced — operation queries
related mask layer filenames, not file uploads)
* Add missing cloud-runtime operations and schemas
PR review surfaced operations the cloud runtime serves that weren't
covered by the initial spec push, plus one path family missed entirely.
New methods on existing paths:
- /api/auth/session: add POST (create session cookie) and DELETE (logout)
- /api/secrets/{id}: add GET (read metadata) and PATCH (update)
- /api/hub/profiles: add POST (create profile)
- /api/hub/workflows: add POST (publish to hub)
- /api/hub/workflows/{share_id}: add DELETE (unpublish)
- /api/workspaces/{id}: add DELETE (soft-delete workspace)
- /api/workspace/members/{user_id}/api-keys: add DELETE (bulk revoke)
- /api/workflows/{workflow_id}/versions: add POST (create new version)
- /api/userdata/{file}/publish: add GET (read publish info)
New path family:
- /api/tasks (GET list) and /api/tasks/{task_id} (GET detail) for the
background task framework
New component schemas (all tagged x-runtime: [cloud]):
CreateSessionResponse, DeleteSessionResponse, UpdateSecretRequest,
BulkRevokeAPIKeysResponse, CreateHubProfileRequest, PublishHubWorkflowRequest,
HubWorkflowDetail, AssetInfo, CreateWorkflowVersionRequest,
WorkflowVersionResponse, WorkflowPublishInfo, TaskEntry, TaskResponse,
TasksListResponse. Existing SecretMeta extended with provider and
last_used_at fields the cloud runtime actually returns.
New tag: task. Spectral lint passes with zero errors.
* Add job_id and prompt_id to AssetUpdated schema
Mirrors the Asset schema's deprecation pattern: prompt_id is marked
deprecated with a description pointing to job_id; job_id is the new
preferred field. PUT /api/assets/{id} responses can now carry both fields
consistent with the other Asset-returning endpoints.
* feat: add width and height fields to Asset schema (#13745)
Add nullable integer fields 'width' and 'height' to the Asset schema
in openapi.yaml. These expose original image dimensions in pixels for
clients that need pre-thumbnail size info. Both fields are null for
non-image assets or assets ingested before dimension extraction.
Co-authored-by: Matt Miller <MillerMedia@users.noreply.github.com>
* Remove /api/job/{job_id} and /api/job/{job_id}/outputs
These two paths are not actually served by the cloud runtime — they
return 404 with a redirect message pointing callers to the canonical
`/api/jobs/{job_id}` (plural). Declaring them with `x-runtime: [cloud]`
and a 200 response schema is incorrect.
`/api/job/{job_id}/status` stays — it is a real cloud-served endpoint.
Also drops the now-orphaned `CloudJob` and `CloudJobOutputs` component
schemas. `CloudJobStatus` is retained.
