fix(frontend): Remove hardcoded bypass of billing feature flag (#11762)

## Summary

Fixes a critical security issue where the billing button in the settings
sidebar was always visible to all users, bypassing the
`ENABLE_PLATFORM_PAYMENT` feature flag.

## Changes 🏗️

- Removed hardcoded `|| true` condition in
`frontend/src/app/(platform)/profile/(user)/layout.tsx:32` that was
bypassing the feature flag check
- The billing button is now properly gated by the
`ENABLE_PLATFORM_PAYMENT` feature flag as intended

## Root Cause

The `|| true` was accidentally left in commit
3dbc03e488 (PR #11617 - OAuth API & Single
Sign-On) from December 19, 2025. It was likely added temporarily during
development/testing to always show the billing button, but was not
removed before merging.

## Test Plan

1. Verify feature flag is set to disabled in LaunchDarkly
2. Navigate to settings page (`/profile/settings`)
3. Confirm billing button is NOT visible in the sidebar
4. Enable feature flag in LaunchDarkly
5. Refresh page and confirm billing button IS now visible
6. Verify billing page (`/profile/credits`) is still accessible via
direct URL when feature flag is disabled

## Checklist 📋

### For code changes:
- [x] I have clearly listed my changes in the PR description
- [x] I have made a test plan
- [x] I have tested my changes according to the test plan

Fixes SECRT-1791

<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->

## Summary by CodeRabbit

* **Bug Fixes**
* The Billing link in the profile sidebar now respects the payment
feature flag configuration and will only display when payment
functionality is enabled.

<sub>✏️ Tip: You can customize this high-level summary in your review
settings.</sub>

<!-- end of auto-generated comment: release notes by coderabbit.ai -->

autogpt_platform/backend/backend/api/features/chat/tools/utils.py

@@ -166,7 +166,6 @@ async def get_or_create_library_agent(
     library_agents = await library_db.create_library_agent(
         graph=graph,
         user_id=user_id,
-        is_ai_generated=False,
         create_library_agents_for_sub_graphs=False,
     )
     assert len(library_agents) == 1, "Expected 1 library agent to be created"

autogpt_platform/backend/backend/api/features/library/db.py

@@ -401,10 +401,27 @@ async def add_generated_agent_image(
     )
 
 
+def _initialize_graph_settings(graph: graph_db.GraphModel) -> GraphSettings:
+    """
+    Initialize GraphSettings based on graph content.
+
+    Args:
+        graph: The graph to analyze
+
+    Returns:
+        GraphSettings with appropriate human_in_the_loop_safe_mode value
+    """
+    if graph.has_human_in_the_loop:
+        # Graph has HITL blocks - set safe mode to True by default
+        return GraphSettings(human_in_the_loop_safe_mode=True)
+    else:
+        # Graph has no HITL blocks - keep None
+        return GraphSettings(human_in_the_loop_safe_mode=None)
+
+
 async def create_library_agent(
     graph: graph_db.GraphModel,
     user_id: str,
-    is_ai_generated: bool,
     create_library_agents_for_sub_graphs: bool = True,
 ) -> list[library_model.LibraryAgent]:
     """
@@ -414,7 +431,6 @@ async def create_library_agent(
         agent: The agent/Graph to add to the library.
         user_id: The user to whom the agent will be added.
         create_library_agents_for_sub_graphs: If True, creates LibraryAgent records for sub-graphs as well.
-        is_ai_generated: Whether this graph was AI-generated.
 
     Returns:
         The newly created LibraryAgent records.
@@ -449,9 +465,7 @@ async def create_library_agent(
                             }
                         },
                         settings=SafeJson(
-                            GraphSettings.from_graph(
-                                graph_entry, is_ai_generated=is_ai_generated
-                            ).model_dump()
+                            _initialize_graph_settings(graph_entry).model_dump()
                         ),
                     ),
                     include=library_agent_include(
@@ -613,6 +627,33 @@ async def update_library_agent(
         raise DatabaseError("Failed to update library agent") from e
 
 
+async def update_library_agent_settings(
+    user_id: str,
+    agent_id: str,
+    settings: GraphSettings,
+) -> library_model.LibraryAgent:
+    """
+    Updates the settings for a specific LibraryAgent.
+
+    Args:
+        user_id: The owner of the LibraryAgent.
+        agent_id: The ID of the LibraryAgent to update.
+        settings: New GraphSettings to apply.
+
+    Returns:
+        The updated LibraryAgent.
+
+    Raises:
+        NotFoundError: If the specified LibraryAgent does not exist.
+        DatabaseError: If there's an error in the update operation.
+    """
+    return await update_library_agent(
+        library_agent_id=agent_id,
+        user_id=user_id,
+        settings=settings,
+    )
+
+
 async def delete_library_agent(
     library_agent_id: str, user_id: str, soft_delete: bool = True
 ) -> None:
@@ -797,9 +838,7 @@ async def add_store_agent_to_library(
                 "isCreatedByUser": False,
                 "useGraphIsActiveVersion": False,
                 "settings": SafeJson(
-                    GraphSettings.from_graph(
-                        graph_model, is_ai_generated=False
-                    ).model_dump()
+                    _initialize_graph_settings(graph_model).model_dump()
                 ),
             },
             include=library_agent_include(
@@ -1189,14 +1228,8 @@ async def fork_library_agent(
         )
         new_graph = await on_graph_activate(new_graph, user_id=user_id)
 
-        # Create a library agent for the new graph, preserving is_ai_generated flag
-        return (
-            await create_library_agent(
-                new_graph,
-                user_id,
-                is_ai_generated=original_agent.settings.is_ai_generated_graph,
-            )
-        )[0]
+        # Create a library agent for the new graph
+        return (await create_library_agent(new_graph, user_id))[0]
     except prisma.errors.PrismaError as e:
         logger.error(f"Database error cloning library agent: {e}")
         raise DatabaseError("Failed to fork library agent") from e

autogpt_platform/backend/backend/api/features/v1.py

@@ -762,10 +762,10 @@ async def create_new_graph(
     graph.reassign_ids(user_id=user_id, reassign_graph_id=True)
     graph.validate_graph(for_run=False)
 
+    # The return value of the create graph & library function is intentionally not used here,
+    # as the graph already valid and no sub-graphs are returned back.
     await graph_db.create_graph(graph, user_id=user_id)
-    await library_db.create_library_agent(
-        graph, user_id, is_ai_generated=create_graph.is_ai_generated
-    )
+    await library_db.create_library_agent(graph, user_id=user_id)
     activated_graph = await on_graph_activate(graph, user_id=user_id)
 
     if create_graph.source == "builder":
@@ -889,17 +889,21 @@ async def set_graph_active_version(
 async def _update_library_agent_version_and_settings(
     user_id: str, agent_graph: graph_db.GraphModel
 ) -> library_model.LibraryAgent:
+    # Keep the library agent up to date with the new active version
     library = await library_db.update_agent_version_in_library(
         user_id, agent_graph.id, agent_graph.version
     )
-    updated_settings = GraphSettings.from_graph(
-        agent_graph, is_ai_generated=library.settings.is_ai_generated_graph
-    )
-    if updated_settings != library.settings:
-        library = await library_db.update_library_agent(
-            library_agent_id=library.id,
+    # If the graph has HITL node, initialize the setting if it's not already set.
+    if (
+        agent_graph.has_human_in_the_loop
+        and library.settings.human_in_the_loop_safe_mode is None
+    ):
+        await library_db.update_library_agent_settings(
             user_id=user_id,
-            settings=updated_settings,
+            agent_id=library.id,
+            settings=library.settings.model_copy(
+                update={"human_in_the_loop_safe_mode": True}
+            ),
         )
     return library
 
@@ -916,18 +920,21 @@ async def update_graph_settings(
     user_id: Annotated[str, Security(get_user_id)],
 ) -> GraphSettings:
     """Update graph settings for the user's library agent."""
+    # Get the library agent for this graph
     library_agent = await library_db.get_library_agent_by_graph_id(
         graph_id=graph_id, user_id=user_id
     )
     if not library_agent:
         raise HTTPException(404, f"Graph #{graph_id} not found in user's library")
 
-    updated_agent = await library_db.update_library_agent(
-        library_agent_id=library_agent.id,
+    # Update the library agent settings
+    updated_agent = await library_db.update_library_agent_settings(
         user_id=user_id,
+        agent_id=library_agent.id,
         settings=settings,
     )
 
+    # Return the updated settings
     return GraphSettings.model_validate(updated_agent.settings)
 
 

autogpt_platform/backend/backend/api/model.py

@@ -43,7 +43,6 @@ GraphExecutionSource = Literal["builder", "library", "onboarding"]
 class CreateGraph(pydantic.BaseModel):
     graph: Graph
     source: GraphCreationSource | None = None
-    is_ai_generated: bool = False
 
 
 class CreateAPIKeyRequest(pydantic.BaseModel):

autogpt_platform/backend/backend/blocks/search.py

@@ -18,6 +18,7 @@ from backend.data.model import (
     SchemaField,
 )
 from backend.integrations.providers import ProviderName
+from backend.util.request import DEFAULT_USER_AGENT
 
 
 class GetWikipediaSummaryBlock(Block, GetRequest):
@@ -39,17 +40,27 @@ class GetWikipediaSummaryBlock(Block, GetRequest):
             output_schema=GetWikipediaSummaryBlock.Output,
             test_input={"topic": "Artificial Intelligence"},
             test_output=("summary", "summary content"),
-            test_mock={"get_request": lambda url, json: {"extract": "summary content"}},
+            test_mock={
+                "get_request": lambda url, headers, json: {"extract": "summary content"}
+            },
         )
 
     async def run(self, input_data: Input, **kwargs) -> BlockOutput:
         topic = input_data.topic
-        url = f"https://en.wikipedia.org/api/rest_v1/page/summary/{topic}"
+        # URL-encode the topic to handle spaces and special characters
+        encoded_topic = quote(topic, safe="")
+        url = f"https://en.wikipedia.org/api/rest_v1/page/summary/{encoded_topic}"
+
+        # Set headers per Wikimedia robot policy (https://w.wiki/4wJS)
+        # - User-Agent: Required, must identify the bot
+        # - Accept-Encoding: gzip recommended to reduce bandwidth
+        headers = {
+            "User-Agent": DEFAULT_USER_AGENT,
+            "Accept-Encoding": "gzip, deflate",
+        }
 
-        # Note: User-Agent is now automatically set by the request library
-        # to comply with Wikimedia's robot policy (https://w.wiki/4wJS)
         try:
-            response = await self.get_request(url, json=True)
+            response = await self.get_request(url, headers=headers, json=True)
             if "extract" not in response:
                 raise ValueError(f"Unable to parse Wikipedia response: {response}")
             yield "summary", response["extract"]

autogpt_platform/backend/backend/data/block.py

@@ -637,11 +637,8 @@ class Block(ABC, Generic[BlockSchemaInputType, BlockSchemaOutputType]):
             - should_pause: True if execution should be paused for review
             - input_data_to_use: The input data to use (may be modified by reviewer)
         """
-        if not (
-            self.requires_human_review
-            and execution_context.safe_mode
-            and execution_context.is_ai_generated_graph
-        ):
+        # Skip review if not required or safe mode is disabled
+        if not self.requires_human_review or not execution_context.safe_mode:
             return False, input_data
 
         from backend.blocks.helpers.review import HITLReviewHelper

autogpt_platform/backend/backend/data/execution.py

@@ -82,7 +82,6 @@ class ExecutionContext(BaseModel):
     """
 
     safe_mode: bool = True
-    is_ai_generated_graph: bool = False
     user_timezone: str = "UTC"
     root_execution_id: Optional[str] = None
     parent_execution_id: Optional[str] = None

autogpt_platform/backend/backend/data/graph.py

@@ -63,14 +63,6 @@ logger = logging.getLogger(__name__)
 
 class GraphSettings(BaseModel):
     human_in_the_loop_safe_mode: bool | None = None
-    is_ai_generated_graph: bool = False
-
-    @classmethod
-    def from_graph(cls, graph: "GraphModel", is_ai_generated: bool) -> "GraphSettings":
-        return cls(
-            human_in_the_loop_safe_mode=(True if graph.has_human_in_the_loop else None),
-            is_ai_generated_graph=is_ai_generated,
-        )
 
 
 class Link(BaseDbModel):

autogpt_platform/backend/backend/executor/utils.py

@@ -877,7 +877,6 @@ async def add_graph_execution(
                 if settings.human_in_the_loop_safe_mode is not None
                 else True
             ),
-            is_ai_generated_graph=settings.is_ai_generated_graph,
             user_timezone=(
                 user.timezone if user.timezone != USER_TIMEZONE_NOT_SET else "UTC"
             ),

autogpt_platform/backend/snapshots/lib_agts_search

@@ -34,8 +34,7 @@
       "is_favorite": false,
       "recommended_schedule_cron": null,
       "settings": {
-        "human_in_the_loop_safe_mode": null,
-        "is_ai_generated_graph": false
+        "human_in_the_loop_safe_mode": null
       },
       "marketplace_listing": null
     },
@@ -73,8 +72,7 @@
       "is_favorite": false,
       "recommended_schedule_cron": null,
       "settings": {
-        "human_in_the_loop_safe_mode": null,
-        "is_ai_generated_graph": false
+        "human_in_the_loop_safe_mode": null
       },
       "marketplace_listing": null
     }

autogpt_platform/backend/test/e2e_test_data.py

@@ -412,9 +412,7 @@ class TestDataCreator:
                         # Use the API function to create library agent
                         library_agents.extend(
                             v.model_dump()
-                            for v in await create_library_agent(
-                                graph, user["id"], is_ai_generated=False
-                            )
+                            for v in await create_library_agent(graph, user["id"])
                         )
                 except Exception as e:
                     print(f"Error creating library agent: {e}")

autogpt_platform/frontend/src/app/(platform)/profile/(user)/layout.tsx

@@ -29,7 +29,7 @@ export default function Layout({ children }: { children: React.ReactNode }) {
           href: "/profile/dashboard",
           icon: <StorefrontIcon className="size-5" />,
         },
-        ...(isPaymentEnabled || true
+        ...(isPaymentEnabled
           ? [
               {
                 text: "Billing",

autogpt_platform/frontend/src/app/api/openapi.json

@@ -6613,11 +6613,6 @@
               { "type": "null" }
             ],
             "title": "Source"
-          },
-          "is_ai_generated": {
-            "type": "boolean",
-            "title": "Is Ai Generated",
-            "default": false
           }
         },
         "type": "object",
@@ -7563,11 +7558,6 @@
           "human_in_the_loop_safe_mode": {
             "anyOf": [{ "type": "boolean" }, { "type": "null" }],
             "title": "Human In The Loop Safe Mode"
-          },
-          "is_ai_generated_graph": {
-            "type": "boolean",
-            "title": "Is Ai Generated Graph",
-            "default": false
           }
         },
         "type": "object",