mirror of
https://github.com/Significant-Gravitas/AutoGPT.git
synced 2026-02-11 15:25:16 -05:00
e596ea87cbae55eedba3bc58f144702e9e310504
7867 Commits
| Author | SHA1 | Message | Date | |
|---|---|---|---|---|
Ubbe
|
5f2d4643f8 |
feat(frontend): dynamic search terms (#11156)
## Changes 🏗️ <img width="800" height="664" alt="Screenshot 2025-10-14 at 14 09 54" src="https://github.com/user-attachments/assets/73f6277a-6bef-40f9-b208-31aba0cfc69f" /> <img width="600" height="773" alt="Screenshot 2025-10-14 at 14 10 05" src="https://github.com/user-attachments/assets/c88cb22f-1597-4216-9688-09c19030df89" /> Allow to manage on the fly which search terms appear on the Marketplace page via Launch Darkly dashboard. There is a new flag configured there: `marketplace-search-terms`: - **enabled** → `["Foo", "Bar"]` → the terms that will appear - **disabled** → `[ "Marketing", "SEO", "Content Creation", "Automation", "Fun"]` → the default ones show ### Small fix Fix the following browser console warning about `onLoadingComplete` being deprecated... <img width="600" height="231" alt="Screenshot 2025-10-14 at 13 55 45" src="https://github.com/user-attachments/assets/1b26e228-0902-4554-9f8c-4839f8d4ed83" /> ## Checklist 📋 ### For code changes: - [x] I have clearly listed my changes in the PR description - [x] I have made a test plan - [x] I have tested my changes according to the test plan: - [x] Ran the flag locally and verified it shows the terms set on Launch Darkly ### For configuration changes: Launch Darkly new flag needs to be configured on all environments. |
||
|
Krzysztof Czerwinski
|
9c8652b273 |
feat(backend): Whitelist Onboarding Agents (#11149)
Some agents aren't suitable for onboarding. This adds per-store agent setting to allow them for onboarding. In case no agent is allowed fallback to the former search. ### Changes 🏗️ - Add `useForOnboarding` to `StoreListing` model and `StoreAgent` view (with migration) - Remove filtering of agents with empty input schema or credentials ### Checklist 📋 #### For code changes: - [x] I have clearly listed my changes in the PR description - [x] I have made a test plan - [x] I have tested my changes according to the test plan: - [x] Only allowed agents are displayed - [x] Fallback to the old system in case there aren't enough allowed agents |
||
|
Swifty
|
58ef687a54 |
fix(platform): Disable logging store terms (#11147)
There is concern that the write load on the database may derail the performance optimisations. This hotfix comments out the code that adds the search terms to the db, so we can discuss how best to do this in a way that won't bring down the db. ### Changes 🏗️ - commented out the code to log store terms to the db ### Checklist 📋 #### For code changes: - [x] I have clearly listed my changes in the PR description - [x] I have made a test plan - [x] I have tested my changes according to the test plan: - [x] check search still works in dev |
||
|
Ubbe
|
c7dcbc64ec |
fix(frontend): ask for credentials in onboarding agent run (#11146)
## Changes 🏗️ <img width="800" height="852" alt="Screenshot_2025-10-13_at_19 20 47" src="https://github.com/user-attachments/assets/2fc150b9-1053-4e25-9018-24bcc2d93b43" /> <img width="800" height="669" alt="Screenshot 2025-10-13 at 19 23 41" src="https://github.com/user-attachments/assets/9078b04e-0f65-42f3-ac4a-d2f3daa91215" /> - Onboarding “Run” step now renders required credentials (e.g., Google OAuth) and includes them in execution. - Run button remains disabled until required inputs and credentials are provided. - Logic extracted and strongly typed; removed any usage. ## Checklist 📋 ### For code changes: - [x] I have clearly listed my changes in the PR description - [x] I have made a test plan - [ ] I have tested my changes according to the test plan ( _once merged in dev..._ ) - [ ] Select an onboarding agent that requires Google OAuth: - [ ] Credentials selector appears. - [ ] After selecting/signing in, “Run agent” enables. - [ ]Run succeeds and navigates to the next step. ### For configuration changes: None |
||
|
Ubbe
|
99ac206272 |
fix(frontend): handle websocket disconnect issue (#11144)
## Changes 🏗️ I found that if I logged out while an agent was running, sometimes Webscokets would keep open connections but fail to connect ( given there is no token anymore ) and cause strange behavior down the line on the login screen. Two root causes behind after inspecting the browser logs 🧐 - WebSocket connections were attempted with an empty token right after logout, yielding `wss://.../ws?token=` and repeated `1006/connection` refused loops. - During logout, sockets in `CONNECTING` state weren’t being closed, so the browser kept trying to finish the handshake and were reattempted shortly after failing Trying to fix this like: - Guard `connectWebSocket()` to no-op if a logout/disconnect intent is set, and to skip connecting when no token is available. - Treat `CONNECTING` sockets as closeable in `disconnectWebSocket()` and clear `wsConnecting` to avoid stale pending Promises - Left existing heartbeat/reconnect logic intact, but it now won’t run when we’re logging out or when we can’t get a token. ### Checklist 📋 #### For code changes: - [x] I have clearly listed my changes in the PR description - [x] I have made a test plan - [x] I have tested my changes according to the test plan: - [x] Login and run an agent that takes long to run - [x] Logout - [x] Check the browser console and you don't see any socket errors - [x] The login screen behaves ok ### For configuration changes: Noop |
||
|
Abhimanyu Yadav
|
f67d78df3e |
feat(frontend): Implement discriminator logic in the new builder’s credential system. (#11124)
- Depends on https://github.com/Significant-Gravitas/AutoGPT/pull/11107 and https://github.com/Significant-Gravitas/AutoGPT/pull/11122 In this PR, I’ve added support for discrimination. Now, users can choose a credential type based on other input values. https://github.com/user-attachments/assets/6cedc59b-ec84-4ae2-bb06-59d891916847 ### Changes 🏗️ - Updated CredentialsField to utilize credentialProvider from schema. - Refactored helper functions to filter credentials based on the selected provider. - Modified APIKeyCredentialsModal and PasswordCredentialsModal to accept provider as a prop. - Improved FieldTemplate to dynamically display the correct credential provider. - Added getCredentialProviderFromSchema function to manage multi-provider scenarios. ### Checklist 📋 #### For code changes: - [x] Credential input is correctly updating based on other input values. - [x] Credential can be added correctly. |
||
|
Swifty
|
e32c509ccc |
feat(backend): Simplify caching to just store routes (#11140)
### Problem Limits caching to just the main marketplace routes ### Changes 🏗️ - **Simplified store cache implementation** in `backend/server/v2/store/cache.py` - Streamlined caching logic for better maintainability - Reduced complexity while maintaining performance - **Added cache invalidation on store updates** - Implemented cache clearing when new agents are added to the store - Added invalidation logic in admin store routes (`admin_store_routes.py`) - Ensures all pods reflect the latest store state after modifications - **Updated store database operations** in `backend/server/v2/store/db.py` - Modified to work with the new cache structure - **Added cache deletion tests** (`test_cache_delete.py`) - Validates cache invalidation works correctly - Ensures cache consistency across operations ### Checklist 📋 #### For code changes: - [x] I have clearly listed my changes in the PR description - [x] I have made a test plan - [x] I have tested my changes according to the test plan: - [x] Verify store listings are cached correctly - [x] Upload a new agent to the store and confirm cache is invalidated |
||
|
seer-by-sentry[bot]
|
20acd8b51d |
fix(backend): Improve Postmark error handling and logging for notification delivery (#11052)
<!-- Clearly explain the need for these changes: --> Fixes [AUTOGPT-SERVER-5K6](https://sentry.io/organizations/significant-gravitas/issues/6887660207/). The issue was that: Batch sending fails due to malformed data (422) and inactive recipients (406); the 406 error is misclassified as a size limit failure. - Implements more robust error handling for Postmark API failures during notification sending. - Specifically handles inactive recipients (HTTP 406), malformed data (HTTP 422), and oversized notifications. - Adds detailed logging for each error case, including the notification index and error message. - Skips individual notifications that fail due to these errors, preventing the entire batch from failing. - Improves error handling for ValueErrors during send_templated calls, specifically addressing oversized notifications. This fix was generated by Seer in Sentry, triggered by Nicholas Tindle. 👁️ Run ID: 1675950 Not quite right? [Click here to continue debugging with Seer.](https://sentry.io/organizations/significant-gravitas/issues/6887660207/?seerDrawer=true) ### Changes 🏗️ <!-- Concisely describe all of the changes made in this pull request: --> - Implements more robust error handling for Postmark API failures during notification sending. - Specifically handles inactive recipients (HTTP 406), malformed data (HTTP 422), and oversized notifications. - Adds detailed logging for each error case, including the notification index and error message. - Skips individual notifications that fail due to these errors, preventing the entire batch from failing. - Improves error handling for ValueErrors during send_templated calls, specifically addressing oversized notifications. - Also disables this in prod to prevent scaling issues until we work out some of the more critical issues ### Checklist 📋 #### For code changes: - [x] I have clearly listed my changes in the PR description - [x] I have made a test plan - [x] I have tested my changes according to the test plan: <!-- Put your test plan here: --> - [x] Test sending notifications with invalid email addresses to ensure 406 errors are handled correctly. - [x] Test sending notifications with malformed data to ensure 422 errors are handled correctly. - [x] Test sending oversized notifications to ensure they are skipped and logged correctly. <!-- This is an auto-generated comment: release notes by coderabbit.ai --> ## Summary by CodeRabbit - New Features - None - Bug Fixes - Individual email failures no longer abort a batch; processing continues after per-recipient errors. - Specific handling for inactive recipients and malformed messages to prevent repeated delivery attempts. - Chores - Improved error logging and diagnostics for email delivery scenarios. - Tests - Added tests covering email-sending error cases, user-deactivation on inactive addresses, and batch-continuation behavior. - Documentation - None <!-- end of auto-generated comment: release notes by coderabbit.ai --> --------- Co-authored-by: seer-by-sentry[bot] <157164994+seer-by-sentry[bot]@users.noreply.github.com> Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com> Co-authored-by: Nicholas Tindle <ntindle@users.noreply.github.com> Co-authored-by: Nicholas Tindle <nicholas.tindle@agpt.co> |
||
|
Nicholas Tindle
|
a49c957467 |
Revert "fix(frontend/builder): Sync frontend node IDs with backend after save" (#11142)
Reverts Significant-Gravitas/AutoGPT#11075 |
||
|
Abhimanyu Yadav
|
cf6e724e99 |
feat(platform): load graph on new builder (#11141)
In this PR, I’ve added functionality to fetch a graph based on the flowID and flowVersion provided in the URL. Once the graph is fetched, we add the nodes and links using the graph data in a new builder. <img width="1512" height="982" alt="Screenshot 2025-10-11 at 10 26 07 AM" src="https://github.com/user-attachments/assets/2f66eb52-77b2-424c-86db-559ea201b44d" /> ### Changes - Added `get_specific_blocks` route in `routes.py`. - Created `get_block_by_id` function in `db.py`. - Add a new hook `useFlow.ts` to load the graph and populate it in the flow editor. - Updated frontend components to reflect changes in block handling. ### Checklist 📋 #### For code changes: - [x] I have clearly listed my changes in the PR description - [x] I have made a test plan - [x] I have tested my changes according to the test plan: - [x] Able to load the graph correctly. - [x] Able to populate it on the builder. |
||
|
Reinier van der Leer
|
b67555391d |
fix(frontend/builder): Sync frontend node IDs with backend after save (#11075)
- Resolves #10980 Fixes unnecessary graph re-saving when no changes were made after initial save. The issue occurred because frontend node IDs weren't synced with backend IDs after save operations. ### Changes 🏗️ - Update actual node.id to match backend node ID after save - Update edge references with new node IDs - Properly sync visual editor state with backend ### Test Plan 📋 - [x] TypeScript compilation passes - [x] Pre-commit hooks pass - [x] Manual test: Save graph, verify no re-save needed on subsequent save/run |
||
|
Zamil Majdy
|
05a72f4185 |
feat(backend): implement user rate limiting for concurrent graph executions (#11128)
## Summary Add configurable rate limiting to prevent users from exceeding the maximum number of concurrent graph executions, defaulting to 50 per user. ## Changes Made ### Configuration (`backend/util/settings.py`) - Add `max_concurrent_graph_executions_per_user` setting (default: 50, range: 1-1000) - Configurable via environment variables or settings file ### Database Query Function (`backend/data/execution.py`) - Add `get_graph_executions_count()` function for efficient count queries - Supports filtering by user_id, statuses, and time ranges - Used to check current RUNNING/QUEUED executions per user ### Database Manager Integration (`backend/executor/database.py`) - Expose `get_graph_executions_count` through DatabaseManager RPC interface - Follows existing patterns for database operations - Enables proper service-to-service communication ### Rate Limiting Logic (`backend/executor/manager.py`) - Inline rate limit check in `_handle_run_message()` before cluster lock - Use existing `db_client` pattern for consistency - Reject and requeue executions when limit exceeded - Graceful error handling - proceed if rate limit check fails - Enhanced logging with user_id and current/max execution counts ## Technical Implementation - **Database approach**: Query actual execution statuses for accuracy - **RPC pattern**: Use DatabaseManager client following existing codebase patterns - **Fail-safe design**: Proceed with execution if rate limit check fails - **Requeue on limit**: Rejected executions are requeued for later processing - **Early rejection**: Check rate limit before expensive cluster lock operations ## Rate Limiting Flow 1. Parse incoming graph execution request 2. Query database via RPC for user's current RUNNING/QUEUED execution count 3. Compare against configured limit (default: 50) 4. If limit exceeded: reject and requeue message 5. If within limit: proceed with normal execution flow ## Configuration Example ```env MAX_CONCURRENT_GRAPH_EXECUTIONS_PER_USER=25 # Reduce to 25 for stricter limits ``` ## Test plan - [x] Basic functionality tested - settings load correctly, database function works - [x] ExecutionManager imports and initializes without errors - [x] Database manager exposes the new function through RPC - [x] Code follows existing patterns and conventions - [ ] Integration testing with actual rate limiting scenarios - [ ] Performance testing to ensure minimal impact on execution pipeline 🤖 Generated with [Claude Code](https://claude.ai/code) --------- Co-authored-by: Claude <noreply@anthropic.com> |
||
|
Swifty
|
36f634c417 |
fix(backend): Update store agent view to return only latest version (#11065)
This PR fixes duplicate agent listings on the marketplace home page by updating the StoreAgent view to return only the latest approved version of each agent. ### Changes 🏗️ - Updated `StoreAgent` database view to filter for only the latest approved version per listing - Added CTE (Common Table Expression) `latest_versions` to efficiently determine the maximum version for each store listing - Modified the join logic to only include the latest version instead of all approved versions - Updated `versions` array field to contain only the single latest version **Technical details:** - The view now uses a `latest_versions` CTE that groups by `storeListingId` and finds `MAX(version)` for approved submissions - Join condition ensures only the latest version is included: `slv.version = lv.latest_version` - This prevents duplicate entries for agents with multiple approved versions ### Checklist 📋 #### For code changes: - [x] I have clearly listed my changes in the PR description - [x] I have made a test plan - [x] I have tested my changes according to the test plan: - [x] Verified marketplace home page shows no duplicate agents - [x] Confirmed only latest version is displayed for agents with multiple approved versions - [x] Checked that agent details page still functions correctly - [x] Validated that run counts and ratings are still accurate #### For configuration changes: - [x] `.env.default` is updated or already compatible with my changes - [x] `docker-compose.yml` is updated or already compatible with my changes - [x] I have included a list of my configuration changes in the PR description (under **Changes**) |
||
|
Swifty
|
18e169aa51 |
feat(platform): Log Marketplace Search Terms (#11092)
Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com> Co-authored-by: Reinier van der Leer <Pwuts@users.noreply.github.com> |
||
|
Swifty
|
c5b90f7b09 |
feat(platform): Simplify running of core docker services (#11113)
Co-authored-by: vercel[bot] <35613825+vercel[bot]@users.noreply.github.com> |
||
|
Ubbe
|
a446c1acc9 |
fix(frontend): improve navbar on mobile (#11137)
## Changes 🏗️ Make the navigation bar look nice across screen sizes 📱 <img width="1229" height="388" alt="Screenshot 2025-10-10 at 17 53 48" src="https://github.com/user-attachments/assets/037a9957-9c0b-4e2c-9ef5-af198fdce923" /> <img width="700" height="392" alt="Screenshot 2025-10-10 at 17 53 42" src="https://github.com/user-attachments/assets/bf9a0f83-a528-4613-83e7-6e204078b905" /> <img width="500" height="377" alt="Screenshot 2025-10-10 at 17 52 24" src="https://github.com/user-attachments/assets/2209d4f3-a41a-4700-894b-5e6e7c15fefb" /> <img width="300" height="381" alt="Screenshot 2025-10-10 at 17 52 16" src="https://github.com/user-attachments/assets/1c87d545-784e-47b5-b23c-6f37cfae489b" /> ## Checklist 📋 ### For code changes: - [x] I have clearly listed my changes in the PR description - [x] I have made a test plan - [x] I have tested my changes according to the test plan: - [x] Login to the platform and resize the window down - [x] The navbar looks good across screen sizes and everything is aligned and accessible ### For configuration changes: None |
||
|
Ubbe
|
59d242f69c |
fix(frontend): remove agent activity flag (#11136)
## Changes 🏗️ The Agent Activity Dropdown is now stable, it has been 100% exposed to users on production for a few weeks, no need to have it behind a flag anymore. ## Checklist 📋 #### For code changes: - [x] I have clearly listed my changes in the PR description - [x] I have made a test plan - [x] I have tested my changes according to the test plan: - [x] Login to AutoGPT - [x] The bell on the navbar is always present even if the flag on Launch Darkly is turned off ### For configuration changes: None |
||
|
Abhimanyu Yadav
|
a2cd5d9c1f |
feat(frontend): add support for user password credentials in new FlowEditor (#11122)
- depends on https://github.com/Significant-Gravitas/AutoGPT/pull/11107 In this PR, I’ve added a way to add a username and password as credentials on new builder. https://github.com/user-attachments/assets/b896ea62-6a6d-487c-99a3-727cef4ad9a5 ### Changes 🏗️ - Introduced PasswordCredentialsModal to handle user password credentials. - Updated useCredentialField to support user password type. - Refactored APIKeyCredentialsModal to remove unnecessary onSuccess prop. - Enhanced the CredentialsField component to conditionally render the new password modal based on supported credential types. ### Checklist 📋 #### For code changes: - [x] Ability to add username and password correctly. - [x] The username and password are visible in the credentials list after adding it. |
||
|
Abhimanyu Yadav
|
df5b348676 |
feat(frontend): add search functionality in new block menu (#11121)
- Depends on https://github.com/Significant-Gravitas/AutoGPT/pull/11120 In this PR, I’ve added a search functionality to the new block menu with pagination. https://github.com/user-attachments/assets/4c199997-4b5a-43c7-83b6-66abb1feb915 ### Changes 🏗️ - Add a frontend for the search list with pagination functionality. - Updated the search route to use GET method. - Removed the SearchRequest model and replaced it with individual query parameters. ### Checklist 📋 #### For code changes: - [x] The search functionality is working perfectly. - [x] If the search query doesn’t exist, it correctly displays a “No Result” UI. |
||
|
Bently
|
4856bd1f3a |
fix(backend): prevent sub-agent execution visibility across users (#11132)
Fixes a issue where sub-agent executions triggered by one user were visible in the original agent author's execution library. ## Solution Fixed the user_id attribution in `autogpt_platform/backend/backend/executor/manager.py` by ensuring that sub-agent executions always use the actual executor's user_id rather than the agent author's user_id stored in node defaults. ### Changes - Added user_id override in `execute_node()` function when preparing AgentExecutorBlock input (line 194) - Ensures sub-agent executions are correctly attributed to the user running them, not the agent author - Maintains proper privacy isolation between users in marketplace agent scenarios ### Security Impact - **Before**: When User B downloaded and ran a marketplace agent containing sub-agents owned by User A, the sub-agent executions appeared in User A's library - **After**: Sub-agent executions now only appear in the library of the user who actually ran them - Prevents unauthorized access to execution data and user privacy violation #### For code changes: - [x] I have clearly listed my changes in the PR description - [x] I have made a test plan - [x] I have tested my changes according to the test plan: <!-- Test plan: --> - [x] Create an agent with sub-agents as User A - [x] Publish agent to marketplace - [x] Run the agent as User B - [x] Verify User A cannot see User B's sub-agent executions in their library - [x] Verify User B can see their own sub-agent executions - [x] Verify primary agent executions remain correctly filtered |
||
|
Abhimanyu Yadav
|
2e1d3dd185 |
refactor(frontend): replace context api in new block menu with zustand store (#11120)
Currently, we use the context API for the block menu provider and to access some of its state outside the blockMenuProvider wrapper. For instance, in the tutorial, we need to move this wrapper higher up in the tree, perhaps at the top of the builder tree. This will cause unnecessary re-renders. Therefore, we should create a block menu zustand store so that we can easily access it in other parts of the builder. ### Changes 🏗️ - Deleted `block-menu-provider.tsx` file. - Updated BlockMenu, BlockMenuContent, BlockMenuDefaultContent, and other components to utilize blockMenuStore instead of BlockMenuStateProvider. - Adjusted imports and context usage accordingly. ### Checklist 📋 - [x] Changes have been clearly listed. - [x] Code has been tested and verified. - [x] I’ve checked every part of the block menu where we used the context API and it’s working perfectly. - [x] Ability to use block menu state in other parts of the builder. |
||
|
Abhimanyu Yadav
|
ff72343035 |
feat(frontend): add UI for sticky notes on new builder (#11123)
Currently, the new builder doesn’t support sticky notes. We’re rendering them as normal nodes with an input, which is why I’ve added a UI for this. <img width="1512" height="982" alt="Screenshot 2025-10-08 at 4 12 58 PM" src="https://github.com/user-attachments/assets/be716e45-71c6-4cc4-81ba-97313426222f" /> To add sticky notes, go to the search menu of the block menu and search for “Note block”. Then, add them from there. ### Changes 🏗️ - Updated CustomNodeData to include uiType. - Conditional rendering in CustomNode based on uiType. - Added a custom sticky note UI component called `StickyNoteBlock.tsx`. - Adjusted FormCreator and FieldTemplate to pass and utilize uiType. - Enhanced TextInputWidget to render differently based on uiType. ### Checklist 📋 #### For code changes: - [x] I have clearly listed my changes in the PR description - [x] I have made a test plan - [x] I have tested my changes according to the test plan: - [x] Able to attach sticky notes to the builder. - [x] Able to accurately capture data while writing on sticky notes and data is persistent also |
||
|
Abhimanyu Yadav
|
7982c34450 |
feat(frontend): add oauth2 credential support in new builder (#11107)
In this PR, I have added support of oAuth2 in new builder. https://github.com/user-attachments/assets/89472ebb-8ec2-467a-9824-79a80a71af8a ### Changes 🏗️ - Updated the FlowEditor to support OAuth2 credential selection. - Improved the UI for API key and OAuth2 modals, enhancing user experience. - Refactored credential field components for better modularity and maintainability. - Updated OpenAPI documentation to reflect changes in OAuth flow endpoints. ### Checklist 📋 - [x] I have clearly listed my changes in the PR description - [x] I have made a test plan - [x] I have tested my changes according to the test plan: - [x] Able to create OAuth credentials - [x] OAuth2 is correctly selected using the Credential Selector. |
||
|
Zamil Majdy
|
59c27fe248 |
feat(backend): implement comprehensive rate-limited Discord alerting system (#11106)
## Summary Implement comprehensive Discord alerting system with intelligent rate limiting to prevent spam and provide proper visibility into system failures across retry mechanisms and execution errors. ## Key Features ### 🚨 Rate-Limited Discord Alerting Infrastructure - **Reusable rate-limited alerts**: `send_rate_limited_discord_alert()` function for any Discord alerts - **5-minute rate limiting**: Prevents spam for identical error signatures (function+error+context) - **Thread-safe**: Proper locking for concurrent alert attempts - **Configurable channels**: Support custom Discord channels or default to PLATFORM - **Graceful failure handling**: Alert failures don't break main application flow ### 🔄 Enhanced Retry Alert System - **Unified threshold alerting**: Both general retries and infrastructure retries alert at EXCESSIVE_RETRY_THRESHOLD (50 attempts) - **Critical retry alerts**: Early warning when operations approach failure threshold - **Infrastructure monitoring**: Dedicated alerts for database, Redis, RabbitMQ connection issues - **Rate limited**: All retry alerts use rate limiting to prevent overwhelming Discord channels ### 📊 Unknown Execution Error Alerts - **Automatic error detection**: Alert for unexpected graph execution failures - **Rich context**: Include user ID, graph ID, execution ID, error type and message - **Filtered alerts**: Skip known errors (InsufficientBalanceError, ModerationError) - **Proper error tracking**: Ensure execution_stats.error is set for all error types ## Technical Implementation ### Rate Limiting Strategy ```python # Create unique signatures based on function+error+context error_signature = f"{context}:{func_name}:{type(exception).__name__}:{str(exception)[:100]}" ``` - **5-minute windows**: ALERT_RATE_LIMIT_SECONDS = 300 prevents duplicate alerts - **Memory efficient**: Only store last alert timestamp per unique error signature - **Context awareness**: Same error in different contexts can send separate alerts ### Alerting Hierarchy 1. **50 attempts**: Critical alert warning about approaching failure (EXCESSIVE_RETRY_THRESHOLD) 2. **100 attempts**: Final infrastructure failure (conn_retry max_retry) 3. **Unknown execution errors**: Immediate rate-limited alerts for unexpected failures ## Files Modified ### Core Implementation - `backend/executor/manager.py`: Unknown execution error alerts with rate limiting - `backend/util/retry.py`: Comprehensive rate-limited alerting infrastructure - `backend/util/retry_test.py`: Full test coverage for rate limiting functionality (14 tests) ### Code Quality Improvements - **Inlined alert messages**: Eliminated unnecessary temporary variables - **Simplified logic**: Removed excessive comments and redundant alerts - **Consistent patterns**: All alert functions follow same clean code style - **DRY principle**: Reusable rate-limited alert system for future monitoring needs ## Benefits ### 🛡️ Prevents Alert Spam - **Rate limiting**: No more overwhelming Discord channels with duplicate alerts - **Intelligent deduplication**: Same errors rate limited while different errors get through - **Thread safety**: Concurrent operations handled correctly ### 🔍 Better System Visibility - **Unknown errors**: Issues that need investigation are properly surfaced - **Infrastructure monitoring**: Early warning for database/Redis/RabbitMQ issues - **Rich context**: All necessary debugging information included in alerts ### 🧹 Maintainable Codebase - **Reusable infrastructure**: `send_rate_limited_discord_alert()` for future monitoring - **Clean, consistent code**: Inlined messages, simplified logic, proper abstractions - **Comprehensive testing**: Rate limiting edge cases and real-world scenarios covered ## Validation Results - ✅ All 14 retry tests pass including comprehensive rate limiting coverage - ✅ Manager execution tests pass validating integration with execution flow - ✅ Thread safety validated with concurrent alert attempt tests - ✅ Real-world scenarios tested including the specific spend_credits spam issue that motivated this work - ✅ Code formatting, linting, and type checking all pass ## Before/After Comparison ### Before - No rate limiting → Discord spam for repeated errors - Unknown execution errors not monitored → Issues went unnoticed - Inconsistent alerting thresholds → Confusing monitoring - Verbose code with temporary variables → Harder to maintain ### After - ✅ Rate-limited intelligent alerting prevents spam - ✅ Unknown execution errors properly monitored with context - ✅ Unified 50-attempt threshold for consistent monitoring - ✅ Clean, maintainable code with reusable infrastructure 🤖 Generated with [Claude Code](https://claude.ai/code) Co-Authored-By: Claude <noreply@anthropic.com> --------- Co-authored-by: Claude <noreply@anthropic.com> |
||
|
Zamil Majdy
|
c7575dc579 |
fix(backend): implement rate limiting for critical retry alerts to prevent spam (#11127)
## Summary Fix the critical issue where retry failure alerts were being spammed when service communication failed repeatedly. ## Problem The service communication retry mechanism was sending a critical Discord alert every time it hit the 50-attempt threshold, with no rate limiting. This caused alert spam when the same operation (like spend_credits) kept failing repeatedly with the same error. ## Solution ### Rate Limiting Implementation - Add ALERT_RATE_LIMIT_SECONDS = 300 (5 minutes) between identical alerts - Create _should_send_alert() function with thread-safe rate limiting using _alert_rate_limiter dict - Generate unique signatures based on context:func_name:exception_type:exception_message - Only send alert if sufficient time has passed since last identical alert ### Enhanced Logging - Rate-limited alerts log as warnings instead of being silently dropped - Add full exception tracebacks for final failures and every 10th retry attempt - Improve alert message clarity and add note about rate limiting - Better structured logging with exception types and details ### Error Context Preservation - Maintain all original retry behavior and exception handling - Preserve critical alerting for genuinely new issues - Clean up alert message (removed accidental paste from error logs) ## Technical Details - Thread-safe implementation using threading.Lock() for rate limiter access - Signature includes first 100 chars of exception message for granularity - Memory efficient - only stores last alert timestamp per unique error type - No breaking changes to existing retry functionality ## Impact - **Eliminates alert spam**: Same failing operation only alerts once per 5 minutes - **Preserves critical alerts**: New/different failures still trigger immediate alerts - **Better debugging**: Enhanced logging provides full exception context - **Maintains reliability**: All retry logic works exactly as before ## Testing - ✅ Rate limiting tested with multiple scenarios - ✅ Import compatibility verified - ✅ No regressions in retry functionality - ✅ Alert generation works for new vs repeated errors ## Type of Change - [x] Bug fix (non-breaking change which fixes an issue) - [ ] New feature (non-breaking change which adds functionality) - [ ] Breaking change (fix or feature that would cause existing functionality to not work as expected) - [ ] This change requires a documentation update ## How Has This Been Tested? - Manual testing of rate limiting functionality with different error scenarios - Import verification to ensure no regressions - Code formatting and linting compliance ## Checklist - [x] My code follows the style guidelines of this project - [x] I have performed a self-review of my own code - [x] I have commented my code, particularly in hard-to-understand areas - [x] I have made corresponding changes to the documentation (N/A - internal utility) - [x] My changes generate no new warnings - [x] Any dependent changes have been merged and published in downstream modules (N/A) |
||
|
Ubbe
|
73603a8ce5 |
fix(frontend): onboarding re-directs (#11126)
## Changes 🏗️ We weren't awaiting the onboarding enabled check and also we were re-directing to a wrong onboarding URL. ## Checklist 📋 ### For code changes - [x] I have clearly listed my changes in the PR description - [x] I have made a test plan - [x] I have tested my changes according to the test plan: - [x] Create a new user - [x] Re-directs well to onboarding - [x] Complete up to Step 5 and logout - [x] Login again - [x] You are on Step 5 #### For configuration changes: Noneautogpt-platform-beta-v0.6.32 |
||
|
Ubbe
|
e562ca37aa |
fix(frontend): login redirects + onboarding (#11125)
## Changes 🏗️ ### Fix re-direct bugs Sometimes the app will re-direct to a strange URL after login: ``` http://localhost:3000/marketplace,%20/marketplace ``` It looks like a race-condition because the re-direct to `/marketplace` was done on a [server action](https://nextjs.org/docs/14/app/building-your-application/data-fetching/server-actions-and-mutations) rather than in the browser. **✅ Fixed by** Moving the login / signup server actions to Next.js API endpoints. In this way the login/signup pages just call an API endpoint and handle its response without having to hassle with serverless 💆🏽 ### Wallet layout flash <img width="800" height="744" alt="Screenshot 2025-10-08 at 22 52 03" src="https://github.com/user-attachments/assets/7cb85fd5-7dc4-4870-b4e1-173cc8148e51" /> The wallet popover would sometimes flash after login, because it was re-rendering once onboarding and credits data loaded. **✅ Fixed by** Only rendering once we have onboarding and credits data, without the popover is useless and causes flashes. ## Checklist 📋 ### For code changes: - [x] I have clearly listed my changes in the PR description - [x] I have made a test plan - [x] I have tested my changes according to the test plan: - [x] Login / Signup to the app with email and Google - [x] Works fine - [x] Onboarding popover does not flash - [x] Onboarding and marketplace re-directs work ### For configuration changes: None |
||
|
Nicholas Tindle
|
f906fd9298 |
fix(backend): Allow Project.content to be optional for linear search projects (#11118)
Changed the type of the 'content' field in the Project model to accept None, making it optional instead of required. Linear doesn't always return data here if its not set by the user. <!-- Clearly explain the need for these changes: --> ### Changes 🏗️ - Makes the content optional <!-- Concisely describe all of the changes made in this pull request: --> ### Checklist 📋 #### For code changes: - [x] I have clearly listed my changes in the PR description - [x] I have made a test plan - [x] I have tested my changes according to the test plan: <!-- Put your test plan here: --> - [x] Manually test it works with our data <!-- This is an auto-generated comment: release notes by coderabbit.ai --> ## Summary by CodeRabbit - **Bug Fixes** - Improved handling of projects with no content by making content optional. - Prevents validation errors during project creation, import, or sync when content is missing. - Enhances compatibility with integrations that may omit content fields. - No impact on existing projects with content; behavior remains unchanged. - No user action required. <!-- end of auto-generated comment: release notes by coderabbit.ai --> |
||
|
seer-by-sentry[bot]
|
9e79add436 |
fix(backend): Change progress type to float in Linear Project (#11117)
### Changes 🏗️ - Changed the type of the `progress` field in the `LinearTask` model from `int` to `float` to fix [BUILDER-3V5](https://sentry.io/organizations/significant-gravitas/issues/6929150079/). ### Checklist 📋 #### For code changes: - [x] I have clearly listed my changes in the PR description - [x] I have made a test plan - [x] I have tested my changes according to the test plan: <!-- Put your test plan here: --> - [x] Root cause analysis confirms fix -- testing will need to occur in dev environment before release to prod but this should merge now <!-- This is an auto-generated comment: release notes by coderabbit.ai --> ## Summary by CodeRabbit - New Features - Progress indicators now support decimal values, allowing more precise tracking (e.g., 42.5% instead of 42%). This enables finer-grained updates in the interface and any integrations consuming progress data. - Users may notice smoother progress changes during long-running tasks, with improved accuracy in percentage displays across relevant views and APIs. <!-- end of auto-generated comment: release notes by coderabbit.ai --> Co-authored-by: seer-by-sentry[bot] <157164994+seer-by-sentry[bot]@users.noreply.github.com> Co-authored-by: Nicholas Tindle <nicholas.tindle@agpt.co> |
||
|
Nicholas Tindle
|
de6f4fca23 | Merge branch 'master' into dev | ||
|
Nicholas Tindle
|
fb4b8ed9fc |
feat: track users with sentry on client side (not backend yet) (#11077)
<!-- Clearly explain the need for these changes: --> We need to be able to count user impact by user count which means we need to track that ### Changes 🏗️ - Attaches user id to frontend actions (which hopefully propagate to the backend in some places) <!-- Concisely describe all of the changes made in this pull request: --> ### Checklist 📋 #### For code changes: - [x] I have clearly listed my changes in the PR description - [x] I have made a test plan - [x] I have tested my changes according to the test plan: <!-- Put your test plan here: --> - [x] Test login -> shows on sentry - [x] Test logout -> no longer shows on sentry |
||
|
Zamil Majdy
|
f3900127d7 |
feat(backend): instrument prometheus for internal services (#11114)
<!-- Clearly explain the need for these changes: --> ### Changes 🏗️ Instrument Prometheus for internal services ### Checklist 📋 #### For code changes: - [x] I have clearly listed my changes in the PR description - [x] I have made a test plan - [x] I have tested my changes according to the test plan: <!-- Put your test plan here: --> - [x] Existing tests |
||
|
Abhimanyu Yadav
|
7c47f54e25 |
feat(frontend): add an API key modal for adding credentials in new builder. (#11105)
In this PR, I’ve added an API Key modal to the new builder so users can add API key credentials. https://github.com/user-attachments/assets/68da226c-3787-4950-abb0-7a715910355e ### Changes - Updated the credential field to support API key. - Added a modal for creating new API keys and improved the selection UI for credentials. - Refactored components for better modularity and maintainability. - Enhanced styling and user experience in the FlowEditor components. - Updated OpenAPI documentation for better clarity on credential operations. ### Checklist 📋 - [x] I have clearly listed my changes in the PR description - [x] I have made a test plan - [x] I have tested my changes according to the test plan: - [x] Able to create API key perfectly. - [x] can select the correct credentials. |
||
|
Lluis Agusti
|
927042d93e | fix(frontend): more turnstile experiments (2) | ||
|
Lluis Agusti
|
4244979a45 | fix(frontend): more turnstile experiments | ||
|
Lluis Agusti
|
aa27365e7f | fix(frontend): fix captcha reset | ||
|
Nicholas Tindle
|
b86aa8b14e |
feat(frontend): launchdarkly tracking on frontend browser (#11076)
<!-- Clearly explain the need for these changes: --> We struggle to identify where issues are coming from feature flags and which are from normal use. This adds that split on the frontend. ### Changes 🏗️ Include sentry in the LD initialization <!-- Concisely describe all of the changes made in this pull request: --> ### Checklist 📋 #### For code changes: - [x] I have clearly listed my changes in the PR description - [x] I have made a test plan - [x] I have tested my changes according to the test plan: <!-- Put your test plan here: --> - [x] Test that launch darkly flags get attached to the frontend (browser only) |
||
|
Lluis Agusti
|
e7ab2626f5 | fix(frontend): remove captcha ref reset | ||
|
Ubbe
|
ff58ce174b |
fix(frontend): possible login issues related to turnstile (#11094)
## Changes 🏗️ We are seeing login and authentication issues in production and staging. Locally though, the app behaves fine. We also had issues related to the CAPTCHA in the past. Our CAPTCHA code is less than ideal, with some heavy `useEffect` that will load the Turnstile script into the DOM. I have the impression that is loading the script multiple times ( due to dependencies on the effects array not being well set ), or the like causing associated login issues. Created a new Turnstile component using [`react-turnstile`](https://docs.page/marsidev/react-turnstile) that is way simpler and should hopefully be more stable. I also fixed an issue with the Credits popover layout rendering cropped on the window. ## Checklist 📋 ### For code changes - [x] I have clearly listed my changes in the PR description - [x] I have made a test plan - [x] I have tested my changes according to the test plan: - [x] Login/logout on the app multiple times with Turnstile ON, everything is stable - [x] Credits popover appears on the right place ### For configuration changes: None |
||
|
Abhimanyu Yadav
|
2d8ab6b7c0 |
feat(frontend): add selecting UI for custom node in new builder (#11091)
React Flow has built-in functionality to select multiple nodes by using `cmd` + click. You can also select using rectangle selection by holding the shift key. However, we need to design a custom node after it’s selected. <img width="845" height="510" alt="Screenshot 2025-10-06 at 12 41 16 PM" src="https://github.com/user-attachments/assets/c91f22e3-2211-46b6-b3d3-fbc89148e99a" /> ### Tests - [x] Selecting Ui is visible after selecting a node, using cmd + click, and after rectangle selection. |
||
|
Abhimanyu Yadav
|
a7306970b8 |
refactor(frontend): simplify marketplace search page and update data fetching (#11061)
This PR refactors the marketplace search page to improve code maintainability, readability, and follows modern React patterns by extracting complex logic into a custom hook and creating dedicated components. ### 🔄 Changes #### **Architecture Improvements** - **Component Extraction**: Replaced the monolithic `SearchResults` component with a cleaner `MainSearchResultPage` component that focuses solely on presentation - **Custom Hook Pattern**: Extracted all business logic and state management into `useMainSearchResultPage` hook for better separation of concerns - **Loading State Component**: Added dedicated `MainSearchResultPageLoading` component for consistent loading UI #### **Code Simplification** - **Reduced search page to 19 lines** (from 175 lines) by removing inline logic and state management - **Centralized data fetching** using auto-generated API endpoints (`useGetV2ListStoreAgents`, `useGetV2ListStoreCreators`) - **Improved error handling** with dedicated error states and loading states #### **Feature Updates** - **Sort Options**: Commented out "Most Recent" and "Highest Rated" sort options due to backend limitations (no date/rating data available) - **Client-side Sorting**: Implemented client-side sorting for "runs" and "rating" as a temporary solution - **Search Filters**: Maintained filter functionality for agents/creators with improved state management ### 📊 Impact - **Better Developer Experience**: Code is now more modular and easier to understand - **Improved Maintainability**: Business logic separated from presentation layer - **Future-Ready**: Structure prepared for backend improvements when date/rating data becomes available - **Type Safety**: Leveraging TypeScript with auto-generated API types ### 🧪 Testing Checklist - [x] Search functionality works correctly with various search terms - [x] Filter chips correctly toggle between "All", "Agents", and "Creators" - [x] Sort dropdown displays only "Most Runs" option - [x] Client-side sorting correctly sorts agents and creators by runs - [x] Loading state displays while fetching data - [x] Error state displays when API calls fail - [x] "No results found" message appears for empty searches - [x] Search bar in results page is functional - [x] Results display correctly with proper layout and styling |
||
|
Abhimanyu Yadav
|
c42f94ce2a |
feat(frontend): add new credential field for new builder (#11066)
In this PR, I’ve added a feature to select a credential from a list and also provided a UI to create a new credential if desired. <img width="443" height="157" alt="Screenshot 2025-10-06 at 9 28 07 AM" src="https://github.com/user-attachments/assets/d9e72a14-255d-45b6-aa61-b55c2465dd7e" /> #### Frontend Changes: - **Refactored credential field** from a single component to a modular architecture: - Created `CredentialField/` directory with separated concerns - Added `SelectCredential.tsx` component for credential selection UI with provider details display - Implemented `useCredentialField.ts` custom hook for credential data fetching with 10-minute caching - Added `helpers.ts` with credential filtering and provider name formatting utilities - Added loading states with skeleton UI while fetching credentials - **Enhanced UI/UX features**: - Dropdown selector showing credentials with provider, title, username, and host details - Visual key icon for each credential option - Placeholder "Add API Key" button (implementation pending) - Loading skeleton UI for better perceived performance - Smart filtering of credentials based on provider requirements - **Template improvements**: - Updated `FieldTemplate.tsx` to properly handle credential field display - Special handling for credential field labels showing provider-specific names - Removed input handle for credential fields in the node editor #### Backend Changes: - **API Documentation improvements**: - Added OpenAPI summaries to `/credentials` endpoint ("List Credentials") - Added summary to `/{provider}/credentials/{cred_id}` endpoint ("Get Specific Credential By ID") ### Test Plan 📋 - [x] Navigate to the flow builder - [x] Add a block that requires credentials (e.g., API block) - [x] Verify the credential dropdown loads and displays available credentials - [x] Check that only credentials matching the provider requirements are shown |
||
|
Zamil Majdy
|
4e1557e498 |
fix(backend): Add dynamic input pin support for Smart Decision Maker Block (#11082)
## Summary - Centralize dynamic field delimiters and helpers in backend/data/dynamic_fields.py. - Refactor SmartDecisionMaker: build function signatures with dynamic-field mapping and re-map tool outputs back to original dynamic names. - Deterministic retry loop with retry-only feedback to avoid polluting final conversation history. - Update executor/utils.py and data/graph.py to use centralized utilities. - Update and extend tests: dynamic-field E2E flow, mapping verification, output yielding, and retry validation; switch mocked llm_call to AsyncMock; align tool-name expectations. - Add a single-tool fallback in schema lookup to support mocked scenarios. ## Validation - Full backend test suite: 1125 passed, 88 skipped, 53 warnings (local). - Backend lint/format pass. ## Scope - Minimal and localized to SmartDecisionMaker and dynamic-field utilities; unrelated pyright warnings remain unchanged. ## Risks/Mitigations - Behavior is backward-compatible; dynamic-field constants are centralized and reused. - Output re-mapping only affects SmartDecisionMaker tool outputs and matches existing link naming conventions. ## Checklist - [x] Formatted and linted - [x] All updated tests pass locally - [x] No secrets introduced --------- Co-authored-by: Claude <noreply@anthropic.com> |
||
|
seer-by-sentry[bot]
|
7f8cf36ceb |
feat(frontend): Add description to Upload Agent dialog (#11053)
### Changes 🏗️ - Added a description to the Upload Agent dialog to provide more context for users. Fixes [BUILDER-3N1](https://sentry.io/organizations/significant-gravitas/issues/6915512912/). The issue was that: DialogContent in LibraryUploadAgentDialog lacks an accessible description, violating WAI-ARIA standards. <img width="2066" height="1740" alt="image" src="https://github.com/user-attachments/assets/c876fb33-4375-4a66-a6a2-6b13c00ef8d3" /> ### Checklist 📋 #### For code changes: - [x] I have clearly listed my changes in the PR description - [x] I have made a test plan - [x] I have tested my changes according to the test plan: <!-- Put your test plan here: --> - [x] Test it works - [x] Get design approval Co-authored-by: seer-by-sentry[bot] <157164994+seer-by-sentry[bot]@users.noreply.github.com> Co-authored-by: Nicholas Tindle <nicholas.tindle@agpt.co> |
||
|
Ubbe
|
0978566089 |
fix(frontend): performance and layout issues (#11036)
## Changes 🏗️ ### Performance (Onboarding) 🐎 - Moved non-UI logic into `providers/onboarding/helpers.ts` to reduce provider complexity. - Memoized provider value and narrowed state updates to cut unnecessary re-renders. - Deferred non-critical effects until after mount to lower initial JS work. **Result:** faster initial render and smoother onboarding flows under load. ### Layout and overflow fixes 📐 - Replaced `w-screen` with `w-full` in platform/admin/profile layouts and marketplace wrappers to avoid 100vw scrollbar overflow. - Adjusted mobile navbar position (`right-0` instead of `-right-4`) to prevent off-viewport elements. **Result:** removed horizontal scrolling on Marketplace, Library, and Settings pages; Build remains unaffected. ### New Generic Error pages - Standardized global error handling in `app/global-error.tsx` for consistent display and user feedback. - Added platform-scoped error page(s) under `app/(platform)/error` for route-level failures with a consistent layout. - Improved retry affordances using existing `ErrorCard`. ## Checklist 📋 ### For code changes: - [x] I have clearly listed my changes in the PR description - [x] I have made a test plan - [x] I have tested my changes according to the test plan: - [x] Verify onboarding flows render faster and re-render less (DevTools flamegraph) - [x] Confirm no horizontal scrolling on Marketplace, Library, Settings at common widths - [x] Validate mobile navbar stays within viewport - [x] Trigger errors to confirm global and platform error pages render consistently ### For configuration changes: None |
||
|
Zamil Majdy
|
8b4eb6f87c |
fix(backend): resolve SmartDecisionMaker ChatCompletionMessage error and enhance tool call token counting (#11059)
## Summary Fix two critical production issues affecting SmartDecisionMaker functionality and prompt compression accuracy. ### 🔧 Changes Made #### Issue 1: SmartDecisionMaker ChatCompletionMessage Error **Problem**: PR #11015 introduced code that appended `response.raw_response` (ChatCompletionMessage object) directly to conversation history, causing `'ChatCompletionMessage' object has no attribute 'get'` errors. **Root Cause**: ChatCompletionMessage objects don't have `.get()` method but conversation history processing expects dictionary objects with `.get()` capability. **Solution**: Created `_convert_raw_response_to_dict()` helper function for type-safe conversion: - ✅ **Helper function**: Safely converts raw_response to dictionary format for conversation history - ✅ **Type safety**: Handles OpenAI (ChatCompletionMessage), Anthropic (Message), and Ollama (string) responses - ✅ **Preserves context**: Maintains conversation flow for multi-turn tool calling scenarios - ✅ **DRY principle**: Single helper used in both validation error path (line 624) and success path (line 681) - ✅ **No breaking changes**: Tool call continuity preserved for complex workflows #### Issue 2: Tool Call Token Counting in Prompt Compression **Problem**: `_msg_tokens()` function only counted tokens in 'content' field, severely undercounting tool calls which store data in different fields (tool_calls, function.arguments, etc.). **Root Cause**: Tool calls have no 'content' to calculate length of, causing massive token undercounting during prompt compression that could lead to context overflow. **Solution**: Enhanced `_msg_tokens()` to handle both OpenAI and Anthropic tool call formats: - ✅ **OpenAI format**: Count tokens in `tool_calls[].id`, `type`, `function.name`, `function.arguments` - ✅ **Anthropic format**: Count tokens in `content[].tool_use` (`id`, `name`, `input`) and `content[].tool_result` - ✅ **Backward compatibility**: Regular string content counted exactly as before - ✅ **Comprehensive testing**: Added 11 unit tests in `prompt_test.py` ### 📊 Validation Results - ✅ **SmartDecisionMaker errors resolved**: No more ChatCompletionMessage.get() failures - ✅ **Token counting accuracy**: OpenAI tool calls 9+ tokens vs previous 3-4 wrapper-only tokens - ✅ **Token counting accuracy**: Anthropic tool calls 13+ tokens vs previous 3-4 wrapper-only tokens - ✅ **Backward compatibility**: Regular messages maintain exact same token count - ✅ **Type safety**: 0 type errors in both modified files - ✅ **Test coverage**: All 11 new unit tests pass + existing SmartDecisionMaker tests pass - ✅ **Multi-turn conversations**: Tool call workflows continue working correctly ### 🎯 Impact - **Resolves Sentry issue OPEN-2750**: ChatCompletionMessage errors eliminated - **Prevents context overflow**: Accurate token counting during prompt compression for long tool call conversations - **Production stability**: SmartDecisionMaker retry mechanism works correctly with proper conversation flow - **Resource efficiency**: Better memory management through accurate token accounting - **Zero breaking changes**: Full backward compatibility maintained ### 🧪 Test Plan - [x] Verified SmartDecisionMaker no longer crashes with ChatCompletionMessage errors - [x] Validated tool call token counting accuracy with comprehensive unit tests (11 tests all pass) - [x] Confirmed backward compatibility for regular message token counting - [x] Tested both OpenAI and Anthropic tool call formats - [x] Verified type safety with pyright checks - [x] Ensured conversation history flows correctly with helper function - [x] Confirmed multi-turn tool calling scenarios work with preserved context ### 📝 Files Modified - `backend/blocks/smart_decision_maker.py` - Added `_convert_raw_response_to_dict()` helper for safe conversion - `backend/util/prompt.py` - Enhanced tool call token counting for accurate prompt compression - `backend/util/prompt_test.py` - Comprehensive unit tests for token counting (11 tests) ### ⚡ Ready for Review Both fixes are critical for production stability and have been thoroughly tested with zero breaking changes. The helper function approach ensures type safety while preserving essential conversation context for complex tool calling workflows. 🤖 Generated with [Claude Code](https://claude.ai/code) Co-Authored-By: Claude <noreply@anthropic.com> --------- Co-authored-by: Claude <noreply@anthropic.com> |
||
|
Reinier van der Leer
|
4b7d17b9d2 |
refactor(blocks/code): Clean up & rename code execution blocks (#11019)
The code execution blocks' implementations are heavily duplicated and their names aren't very clear. E.g. the "InstantiationBlock" just shows up as "Instantiation" in the block list. I would've done this in #11017 but kept the refactoring separate for easier reviewing. ### Changes 🏗️ - Rename "Code Execution" block to "Execute Code" - Rename "Instantiation" block to "Instantiate Code Sandbox" - Rename "Step Execution" block to "Execute Code Step" - Deduplicate implementation of the three code execution blocks - Add `dispose_sandbox` toggle to "Execute Code" and "Execute Code Step" blocks - Note: it's default `True` on the Execute Code block, default `False` on the Execute Code Step block - Update block and input descriptions to clarify behavior - Fix all linting issues <details> <summary>Screenshots</summary>     </details> ### Checklist 📋 #### For code changes: - [x] I have clearly listed my changes in the PR description - [x] I have made a test plan - [x] I have tested my changes according to the test plan: - [x] Test all code execution blocks manually |
||
|
dependabot[bot]
|
0fc6a44389 |
chore(backend/deps-dev): Bump the development-dependencies group across 1 directory with 4 updates (#10946)
Bumps the development-dependencies group with 4 updates in the /autogpt_platform/backend directory: [faker](https://github.com/joke2k/faker), [pyright](https://github.com/RobertCraigie/pyright-python), [pytest-mock](https://github.com/pytest-dev/pytest-mock) and [ruff](https://github.com/astral-sh/ruff). Updates `faker` from 37.6.0 to 37.8.0 <details> <summary>Release notes</summary> <p><em>Sourced from <a href="https://github.com/joke2k/faker/releases">faker's releases</a>.</em></p> <blockquote> <h2>Release v37.8.0</h2> <p>See <a href="https://github.com/joke2k/faker/blob/refs/tags/v37.8.0/CHANGELOG.md">CHANGELOG.md</a>.</p> <h2>Release v37.7.0</h2> <p>See <a href="https://github.com/joke2k/faker/blob/refs/tags/v37.7.0/CHANGELOG.md">CHANGELOG.md</a>.</p> </blockquote> </details> <details> <summary>Changelog</summary> <p><em>Sourced from <a href="https://github.com/joke2k/faker/blob/master/CHANGELOG.md">faker's changelog</a>.</em></p> <blockquote> <h3><a href="https://github.com/joke2k/faker/compare/v37.7.0...v37.8.0">v37.8.0 - 2025-09-15</a></h3> <ul> <li>Add Automotive providers for <code>ja_JP</code> locale. Thanks <a href="https://github.com/ItoRino424"><code>@ItoRino424</code></a>.</li> </ul> <h3><a href="https://github.com/joke2k/faker/compare/v37.6.0...v37.7.0">v37.7.0 - 2025-09-15</a></h3> <ul> <li>Add Nigerian name locales (<code>yo_NG</code>, <code>ha_NG</code>, <code>ig_NG</code>, <code>en_NG</code>). Thanks <a href="https://github.com/ifeoluwaoladeji"><code>@ifeoluwaoladeji</code></a>.</li> </ul> </blockquote> </details> <details> <summary>Commits</summary> <ul> <li><a href=" |
||
|
dependabot[bot]
|
f5ee579ab2 |
chore(backend/deps): Bump firecrawl-py from 2.16.3 to 4.3.1 in /autogpt_platform/backend (#10809)
Bumps [firecrawl-py](https://github.com/firecrawl/firecrawl) from 2.16.3
to 4.3.1.
<details>
<summary>Commits</summary>
<ul>
<li>See full diff in <a
href="https://github.com/firecrawl/firecrawl/commits">compare
view</a></li>
</ul>
</details>
<br />
[](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores)
You can trigger a rebase of this PR by commenting `@dependabot rebase`.
[//]: # (dependabot-automerge-start)
[//]: # (dependabot-automerge-end)
---
<details>
<summary>Dependabot commands and options</summary>
<br />
You can trigger Dependabot actions by commenting on this PR:
- `@dependabot rebase` will rebase this PR
- `@dependabot recreate` will recreate this PR, overwriting any edits
that have been made to it
- `@dependabot merge` will merge this PR after your CI passes on it
- `@dependabot squash and merge` will squash and merge this PR after
your CI passes on it
- `@dependabot cancel merge` will cancel a previously requested merge
and block automerging
- `@dependabot reopen` will reopen this PR if it is closed
- `@dependabot close` will close this PR and stop Dependabot recreating
it. You can achieve the same result by closing it manually
- `@dependabot show <dependency name> ignore conditions` will show all
of the ignore conditions of the specified dependency
- `@dependabot ignore this major version` will close this PR and stop
Dependabot creating any more for this major version (unless you reopen
the PR or upgrade to it yourself)
- `@dependabot ignore this minor version` will close this PR and stop
Dependabot creating any more for this minor version (unless you reopen
the PR or upgrade to it yourself)
- `@dependabot ignore this dependency` will close this PR and stop
Dependabot creating any more for this dependency (unless you reopen the
PR or upgrade to it yourself)
</details>
<!-- CURSOR_SUMMARY -->
---
> [!NOTE]
> Upgrade firecrawl-py to v4.3.6 and refactor firecrawl blocks to new v4
API, formats handling, method names, and response fields.
>
> - **Dependencies**
> - Bump `firecrawl-py` from `2.16.3` to `4.3.6` (adds `httpx`, updates
`pydantic>=2`).
> - **Firecrawl API migration**
> - Centralize `ScrapeFormat` in `backend/blocks/firecrawl/_api.py`.
> - Add `_format_utils.convert_to_format_options` to map `ScrapeFormat`
(incl. `screenshot@fullPage`) to v4 `FormatOption`/`ScreenshotFormat`.
> - Switch to v4 types (`firecrawl.v2.types.ScrapeOptions`); adopt
snake_case fields (`only_main_content`, `max_age`, `wait_for`).
> - Rename methods: `crawl_url` → `crawl`, `scrape_url` → `scrape`,
`map_url` → `map`.
> - Normalize response attributes: `rawHtml` → `raw_html`,
`changeTracking` → `change_tracking`.
> - **Blocks**
> - `crawl.py`, `scrape.py`, `search.py`: use new formats conversion and
updated options/fields; adjust iteration over results (`search`: iterate
`web` when present).
> - `map.py`: return both `links` and detailed `results`
(url/title/description) and update output schema accordingly.
> - **Project files**
> - Update `pyproject.toml` and `poetry.lock` for new dependency
versions.
>
> <sup>Written by [Cursor
Bugbot](https://cursor.com/dashboard?tab=bugbot) for commit
|
||
|
Zamil Majdy
|
57a06f7088 |
fix(blocks, security): Fixes for various DoS vulnerabilities (#10798)
This PR addresses multiple critical and medium security vulnerabilities
that could lead to Denial of Service (DoS) attacks. All fixes implement
defense-in-depth strategies with comprehensive testing.
### Changes 🏗️
#### **Critical Security Fixes:**
1. **GHSA-m2wr-7m3r-p52c - ReDoS in CodeExtractionBlock**
- Fixed catastrophic backtracking in regex patterns `\s+[\s\S]*?` and
`\s+(.*?)`
- Replaced with safer patterns: `[ \t]*\n([^\s\S]*?)`
- Files: `backend/blocks/code_extraction_block.py`
2. **GHSA-955p-gpfx-r66j - AITextSummarizerBlock Memory Amplification**
- Added 1MB text size limit and 100 chunk maximum
- Prevents 10K input → 50G memory amplification attacks
- Files: `backend/blocks/llm.py`
3. **GHSA-5cqw-g779-9f9x - RSS Feed XML Bomb DoS**
- Added 10MB feed size limit and 30s timeout
- Prevents deep XML parsing memory exhaustion
- Files: `backend/blocks/rss.py`
4. **GHSA-7g34-7fvq-xxq6 - File Storage Disk Exhaustion**
- Added 100MB per file and 1GB per execution directory limits
- Prevents disk space exhaustion from file uploads
- Files: `backend/util/file.py`
5. **GHSA-pppq-xx2w-7jpq - ExtractTextInformationBlock ReDoS**
- Added 1MB text limit, 1000 match limit, and 5s timeout protection
- Prevents lookahead pattern memory exhaustion
- Files: `backend/blocks/text.py`
6. **GHSA-vw3v-whvp-33v5 - Docker Logging Disk Exhaustion**
- Added log rotation limits at Docker (10MB × 3 files) and application
levels
- Prevents unbounded log growth causing disk exhaustion
- Files: `docker-compose.platform.yml`,
`autogpt_libs/autogpt_libs/logging/config.py`
#### **Additional Security Improvements:**
7. **StepThroughItemsBlock DoS Prevention**
- Added 10,000 item limit and 1MB input size limit
- Prevents large iteration DoS attacks
- Files: `backend/blocks/iteration.py`
8. **XMLParserBlock XML Bomb Prevention**
- Added 10MB XML input size limit
- Files: `backend/blocks/xml_parser.py`
#### **Code Quality:**
- Fixed Python 3.10 typing compatibility issues
- Added comprehensive security test suite
- All code formatted and linted
### Checklist 📋
#### For code changes:
- [x] I have clearly listed my changes in the PR description
- [x] I have made a test plan
- [x] I have tested my changes according to the test plan:
- [x] Created comprehensive security test suite covering all
vulnerabilities
- [x] Verified ReDoS patterns are fixed and don't cause timeouts
- [x] Confirmed memory limits prevent amplification attacks
- [x] Tested file size limits prevent disk exhaustion
- [x] Validated log rotation prevents unbounded growth
- [x] Ensured backward compatibility for normal usage
#### For configuration changes:
- [x] `docker-compose.yml` is updated with logging limits
- [x] I have included a list of my configuration changes in the PR
description (under **Changes**)
### Test Plan 🧪
**Security Tests:**
1. **ReDoS Protection**: Tested with malicious regex inputs (large
spaces) - completes without hanging
2. **Memory Limits**: Verified 2MB text input gets truncated to 1MB,
chunk limits enforced
3. **File Size Limits**: Confirmed 200MB files rejected, directory size
limits enforced
4. **Iteration Limits**: Tested 20K item arrays rejected, large JSON
strings rejected
5. **Timeout Protection**: Dangerous regex patterns timeout after 5s
instead of hanging
**Compatibility Tests:**
- Normal functionality preserved for all blocks
- Existing tests pass with new security limits
- Performance impact minimal for typical usage
### Security Impact 🛡️
**Before:** Multiple attack vectors could cause:
- CPU exhaustion (ReDoS attacks)
- Memory exhaustion (amplification attacks)
- Disk exhaustion (file/log bombs)
- Service unavailability
**After:** All attack vectors mitigated with:
- Input validation and size limits
- Timeout protections
- Resource quotas
- Defense-in-depth approach
All fixes maintain backward compatibility while preventing DoS attacks.
🤖 Generated with [Claude Code](https://claude.ai/code)
<!-- CURSOR_SUMMARY -->
---
> [!NOTE]
> Adds robust DoS protections across blocks (regex, memory, iteration,
XML/RSS, file I/O) and enables app/Docker log rotation with
comprehensive tests.
>
> - **Security hardening**:
> - Replace unsafe regex in `backend/blocks/code_extraction_block.py` to
prevent ReDoS; add safer extraction/removal patterns.
> - Constrain LLM summarizer chunking in `backend/blocks/llm.py` (1MB
cap, chunk/overlap validation, chunk count limit).
> - Limit RSS fetching in `backend/blocks/rss.py` (scheme validation,
10MB cap, timeout, bounded read) and return empty on failure.
> - Impose XML size limit (10MB) in `backend/blocks/xml_parser.py`.
> - Add file upload/download limits in `backend/util/file.py`
(100MB/file, 1GB dir quota) and enforce scanning before write.
> - Enable rotating file logs in `autogpt_libs/logging/config.py` (size
+ backups) and Docker json-file log rotation in
`docker-compose.platform.yml`.
> - **Iteration block**:
> - Add item count/string size limits; fix yielded key for dicts; cap
iterations in `backend/blocks/iteration.py`.
> - **Tests**:
> - New `backend/blocks/test/test_security_fixes.py` covering ReDoS,
timeouts, memory/size and iteration limits, XML/file constraints.
> - **Misc**:
> - Typing fallback for `NotRequired` in `activity_status_generator.py`.
> - Dependency updates in `backend/poetry.lock`.
>
> <sup>Written by [Cursor
Bugbot](https://cursor.com/dashboard?tab=bugbot) for commit
|