fix(binary-processor): add virus scanning + tests for offset loop

Security fix: Add scan_content_safe() call before writing files to prevent
bypass of ClamAV scanning infrastructure. Malicious base64-encoded content
matching a supported magic number would previously be saved without scanning.

Test coverage:
- Add tests for 4-byte aligned offset loop (handles marker bleed-in)
- Add tests for PDF_BASE64_START/END marker expansion
- Add tests verifying virus scanner integration
- Mock virus scanner in existing process_binary_outputs tests

Addresses review feedback from Claude sub-agents and ntindle.

.github/workflows/platform-frontend-ci.yml

@@ -27,20 +27,11 @@ jobs:
     runs-on: ubuntu-latest
     outputs:
       cache-key: ${{ steps.cache-key.outputs.key }}
-      components-changed: ${{ steps.filter.outputs.components }}
 
     steps:
       - name: Checkout repository
         uses: actions/checkout@v4
 
-      - name: Check for component changes
-        uses: dorny/paths-filter@v3
-        id: filter
-        with:
-          filters: |
-            components:
-              - 'autogpt_platform/frontend/src/components/**'
-
       - name: Set up Node.js
         uses: actions/setup-node@v4
         with:
@@ -99,11 +90,8 @@ jobs:
   chromatic:
     runs-on: ubuntu-latest
     needs: setup
-    # Disabled: to re-enable, remove 'false &&' from the condition below
-    if: >-
-      false
-      && (github.ref == 'refs/heads/dev' || github.base_ref == 'dev')
-      && needs.setup.outputs.components-changed == 'true'
+    # Only run on dev branch pushes or PRs targeting dev
+    if: github.ref == 'refs/heads/dev' || github.base_ref == 'dev'
 
     steps:
       - name: Checkout repository

autogpt_platform/backend/backend/api/features/chat/tools/binary_output_processor.py

@@ -0,0 +1,251 @@
+"""
+Detect and save embedded binary data in block outputs.
+
+Scans stdout_logs and other string outputs for embedded base64 patterns,
+saves detected binary content to workspace, and replaces the base64 with
+workspace:// references. This reduces LLM output token usage by ~97% for
+file generation tasks.
+
+Primary use case: ExecuteCodeBlock prints base64 to stdout, which appears
+in stdout_logs. Without this processor, the LLM would re-type the entire
+base64 string when saving files.
+"""
+
+import base64
+import binascii
+import hashlib
+import logging
+import re
+import uuid
+from typing import Any, Optional
+
+from backend.util.file import sanitize_filename
+from backend.util.virus_scanner import scan_content_safe
+from backend.util.workspace import WorkspaceManager
+
+logger = logging.getLogger(__name__)
+
+# Minimum decoded size to process (filters out small base64 strings)
+MIN_DECODED_SIZE = 1024  # 1KB
+
+# Pattern to find base64 chunks in text (at least 100 chars to be worth checking)
+# Matches continuous base64 characters (with optional whitespace for line wrapping),
+# optionally ending with = padding
+EMBEDDED_BASE64_PATTERN = re.compile(r"[A-Za-z0-9+/\s]{100,}={0,2}")
+
+# Magic numbers for binary file detection
+MAGIC_SIGNATURES = [
+    (b"\x89PNG\r\n\x1a\n", "png"),
+    (b"\xff\xd8\xff", "jpg"),
+    (b"%PDF-", "pdf"),
+    (b"GIF87a", "gif"),
+    (b"GIF89a", "gif"),
+    (b"RIFF", "webp"),  # Also check content[8:12] == b'WEBP'
+]
+
+
+async def process_binary_outputs(
+    outputs: dict[str, list[Any]],
+    workspace_manager: WorkspaceManager,
+    block_name: str,
+) -> dict[str, list[Any]]:
+    """
+    Scan all string values in outputs for embedded base64 binary content.
+    Save detected binaries to workspace and replace with references.
+
+    Args:
+        outputs: Block execution outputs (dict of output_name -> list of values)
+        workspace_manager: WorkspaceManager instance with session scoping
+        block_name: Name of the block (used in generated filenames)
+
+    Returns:
+        Processed outputs with embedded base64 replaced by workspace references
+    """
+    cache: dict[str, str] = {}  # content_hash -> workspace_ref
+
+    processed: dict[str, list[Any]] = {}
+    for name, items in outputs.items():
+        processed_items = []
+        for item in items:
+            processed_items.append(
+                await _process_value(item, workspace_manager, block_name, cache)
+            )
+        processed[name] = processed_items
+    return processed
+
+
+async def _process_value(
+    value: Any,
+    wm: WorkspaceManager,
+    block: str,
+    cache: dict[str, str],
+) -> Any:
+    """Recursively process a value, detecting embedded base64 in strings."""
+    if isinstance(value, dict):
+        result = {}
+        for k, v in value.items():
+            result[k] = await _process_value(v, wm, block, cache)
+        return result
+    if isinstance(value, list):
+        return [await _process_value(v, wm, block, cache) for v in value]
+    if isinstance(value, str) and len(value) > MIN_DECODED_SIZE:
+        return await _extract_and_replace_base64(value, wm, block, cache)
+    return value
+
+
+async def _extract_and_replace_base64(
+    text: str,
+    wm: WorkspaceManager,
+    block: str,
+    cache: dict[str, str],
+) -> str:
+    """
+    Find embedded base64 in text, save binaries, replace with references.
+
+    Scans for base64 patterns, validates each as binary via magic numbers,
+    saves valid binaries to workspace, and replaces the base64 portion
+    (plus any surrounding markers) with the workspace reference.
+    """
+    result = text
+    offset = 0
+
+    for match in EMBEDDED_BASE64_PATTERN.finditer(text):
+        b64_str = match.group(0)
+
+        # Try to decode and validate
+        detection = _decode_and_validate(b64_str)
+        if detection is None:
+            continue
+
+        content, ext = detection
+
+        # Save to workspace
+        ref = await _save_binary(content, ext, wm, block, cache)
+        if ref is None:
+            continue
+
+        # Calculate replacement bounds (include surrounding markers if present)
+        start, end = match.start(), match.end()
+        start, end = _expand_to_markers(text, start, end)
+
+        # Apply replacement with offset adjustment
+        adj_start = start + offset
+        adj_end = end + offset
+        result = result[:adj_start] + ref + result[adj_end:]
+        offset += len(ref) - (end - start)
+
+    return result
+
+
+def _decode_and_validate(b64_str: str) -> Optional[tuple[bytes, str]]:
+    """
+    Decode base64 and validate it's a known binary format.
+
+    Tries multiple 4-byte aligned offsets to handle cases where marker text
+    (e.g., "START" from "PDF_BASE64_START") bleeds into the regex match.
+    Base64 works in 4-char chunks, so we only check aligned offsets.
+
+    Returns (content, extension) if valid binary, None otherwise.
+    """
+    # Strip whitespace for RFC 2045 line-wrapped base64
+    normalized = re.sub(r"\s+", "", b64_str)
+
+    # Try offsets 0, 4, 8, ... up to 32 chars (handles markers up to ~24 chars)
+    # This handles cases like "STARTJVBERi0..." where "START" bleeds into match
+    for char_offset in range(0, min(33, len(normalized)), 4):
+        candidate = normalized[char_offset:]
+
+        try:
+            content = base64.b64decode(candidate, validate=True)
+        except (ValueError, binascii.Error):
+            continue
+
+        # Must meet minimum size
+        if len(content) < MIN_DECODED_SIZE:
+            continue
+
+        # Check magic numbers
+        for magic, ext in MAGIC_SIGNATURES:
+            if content.startswith(magic):
+                # Special case for WebP: RIFF container, verify "WEBP" at offset 8
+                if magic == b"RIFF":
+                    if len(content) < 12 or content[8:12] != b"WEBP":
+                        continue
+                return content, ext
+
+    return None
+
+
+def _expand_to_markers(text: str, start: int, end: int) -> tuple[int, int]:
+    """
+    Expand replacement bounds to include surrounding markers if present.
+
+    Handles patterns like:
+    - ---BASE64_START---\\n{base64}\\n---BASE64_END---
+    - [BASE64]{base64}[/BASE64]
+    - Or just the raw base64
+    """
+    # Common marker patterns to strip (order matters - check longer patterns first)
+    start_markers = [
+        "PDF_BASE64_START",
+        "---BASE64_START---\n",
+        "---BASE64_START---",
+        "[BASE64]\n",
+        "[BASE64]",
+    ]
+    end_markers = [
+        "PDF_BASE64_END",
+        "\n---BASE64_END---",
+        "---BASE64_END---",
+        "\n[/BASE64]",
+        "[/BASE64]",
+    ]
+
+    # Check for start markers
+    for marker in start_markers:
+        marker_start = start - len(marker)
+        if marker_start >= 0 and text[marker_start:start] == marker:
+            start = marker_start
+            break
+
+    # Check for end markers
+    for marker in end_markers:
+        marker_end = end + len(marker)
+        if marker_end <= len(text) and text[end:marker_end] == marker:
+            end = marker_end
+            break
+
+    return start, end
+
+
+async def _save_binary(
+    content: bytes,
+    ext: str,
+    wm: WorkspaceManager,
+    block: str,
+    cache: dict[str, str],
+) -> Optional[str]:
+    """
+    Save binary content to workspace with deduplication.
+
+    Returns workspace://file-id reference, or None on failure.
+    """
+    content_hash = hashlib.sha256(content).hexdigest()
+
+    if content_hash in cache:
+        return cache[content_hash]
+
+    try:
+        safe_block = sanitize_filename(block)[:20].lower()
+        filename = f"{safe_block}_{uuid.uuid4().hex[:12]}.{ext}"
+
+        # Scan for viruses before saving
+        await scan_content_safe(content, filename=filename)
+
+        file = await wm.write_file(content, filename)
+        ref = f"workspace://{file.id}"
+        cache[content_hash] = ref
+        return ref
+    except Exception as e:
+        logger.warning("Failed to save binary output: %s", e)
+        return None

autogpt_platform/backend/backend/api/features/chat/tools/run_block.py

@@ -14,8 +14,10 @@ from backend.data.model import CredentialsMetaInput
 from backend.data.workspace import get_or_create_workspace
 from backend.integrations.creds_manager import IntegrationCredentialsManager
 from backend.util.exceptions import BlockError
+from backend.util.workspace import WorkspaceManager
 
 from .base import BaseTool
+from .binary_output_processor import process_binary_outputs
 from .models import (
     BlockOutputResponse,
     ErrorResponse,
@@ -321,6 +323,16 @@ class RunBlockTool(BaseTool):
             ):
                 outputs[output_name].append(output_data)
 
+            # Post-process outputs to save binary content to workspace
+            workspace_manager = WorkspaceManager(
+                user_id=user_id,
+                workspace_id=workspace.id,
+                session_id=session.session_id,
+            )
+            outputs = await process_binary_outputs(
+                dict(outputs), workspace_manager, block.name
+            )
+
             return BlockOutputResponse(
                 message=f"Block '{block.name}' executed successfully",
                 block_id=block_id,

autogpt_platform/backend/backend/api/features/chat/tools/test_binary_output_processor.py

@@ -0,0 +1,518 @@
+"""Tests for embedded binary detection in block outputs."""
+
+import base64
+from unittest.mock import AsyncMock, MagicMock, patch
+
+import pytest
+
+from .binary_output_processor import (
+    _decode_and_validate,
+    _expand_to_markers,
+    process_binary_outputs,
+)
+
+
+@pytest.fixture
+def mock_workspace_manager():
+    """Create a mock workspace manager that returns predictable file IDs."""
+    wm = MagicMock()
+
+    async def mock_write_file(content, filename):
+        file = MagicMock()
+        file.id = f"file-{filename[:10]}"
+        return file
+
+    wm.write_file = AsyncMock(side_effect=mock_write_file)
+    return wm
+
+
+def _make_pdf_base64(size: int = 2000) -> str:
+    """Create a valid PDF base64 string of specified size."""
+    pdf_content = b"%PDF-1.4 " + b"x" * size
+    return base64.b64encode(pdf_content).decode()
+
+
+def _make_png_base64(size: int = 2000) -> str:
+    """Create a valid PNG base64 string of specified size."""
+    png_content = b"\x89PNG\r\n\x1a\n" + b"\x00" * size
+    return base64.b64encode(png_content).decode()
+
+
+# =============================================================================
+# Decode and Validate Tests
+# =============================================================================
+
+
+class TestDecodeAndValidate:
+    """Tests for _decode_and_validate function."""
+
+    def test_detects_pdf_magic_number(self):
+        """Should detect valid PDF by magic number."""
+        pdf_b64 = _make_pdf_base64()
+        result = _decode_and_validate(pdf_b64)
+        assert result is not None
+        content, ext = result
+        assert ext == "pdf"
+        assert content.startswith(b"%PDF-")
+
+    def test_detects_png_magic_number(self):
+        """Should detect valid PNG by magic number."""
+        png_b64 = _make_png_base64()
+        result = _decode_and_validate(png_b64)
+        assert result is not None
+        content, ext = result
+        assert ext == "png"
+
+    def test_detects_jpeg_magic_number(self):
+        """Should detect valid JPEG by magic number."""
+        jpeg_content = b"\xff\xd8\xff\xe0" + b"\x00" * 2000
+        jpeg_b64 = base64.b64encode(jpeg_content).decode()
+        result = _decode_and_validate(jpeg_b64)
+        assert result is not None
+        _, ext = result
+        assert ext == "jpg"
+
+    def test_detects_gif_magic_number(self):
+        """Should detect valid GIF by magic number."""
+        gif_content = b"GIF89a" + b"\x00" * 2000
+        gif_b64 = base64.b64encode(gif_content).decode()
+        result = _decode_and_validate(gif_b64)
+        assert result is not None
+        _, ext = result
+        assert ext == "gif"
+
+    def test_detects_webp_magic_number(self):
+        """Should detect valid WebP by magic number."""
+        webp_content = b"RIFF\x00\x00\x00\x00WEBP" + b"\x00" * 2000
+        webp_b64 = base64.b64encode(webp_content).decode()
+        result = _decode_and_validate(webp_b64)
+        assert result is not None
+        _, ext = result
+        assert ext == "webp"
+
+    def test_rejects_small_content(self):
+        """Should reject content smaller than threshold."""
+        small_pdf = b"%PDF-1.4 small"
+        small_b64 = base64.b64encode(small_pdf).decode()
+        result = _decode_and_validate(small_b64)
+        assert result is None
+
+    def test_rejects_no_magic_number(self):
+        """Should reject content without recognized magic number."""
+        random_content = b"This is just random text" * 100
+        random_b64 = base64.b64encode(random_content).decode()
+        result = _decode_and_validate(random_b64)
+        assert result is None
+
+    def test_rejects_invalid_base64(self):
+        """Should reject invalid base64."""
+        result = _decode_and_validate("not-valid-base64!!!")
+        assert result is None
+
+    def test_rejects_riff_without_webp(self):
+        """Should reject RIFF files that aren't WebP (e.g., WAV)."""
+        wav_content = b"RIFF\x00\x00\x00\x00WAVE" + b"\x00" * 2000
+        wav_b64 = base64.b64encode(wav_content).decode()
+        result = _decode_and_validate(wav_b64)
+        assert result is None
+
+    def test_handles_line_wrapped_base64(self):
+        """Should handle RFC 2045 line-wrapped base64."""
+        pdf_content = b"%PDF-1.4 " + b"x" * 2000
+        pdf_b64 = base64.b64encode(pdf_content).decode()
+        # Simulate line wrapping at 76 chars
+        wrapped = "\n".join(pdf_b64[i : i + 76] for i in range(0, len(pdf_b64), 76))
+        result = _decode_and_validate(wrapped)
+        assert result is not None
+        content, ext = result
+        assert ext == "pdf"
+        assert content == pdf_content
+
+
+# =============================================================================
+# Marker Expansion Tests
+# =============================================================================
+
+
+class TestExpandToMarkers:
+    """Tests for _expand_to_markers function."""
+
+    def test_expands_base64_start_end_markers(self):
+        """Should expand to include ---BASE64_START--- and ---BASE64_END---."""
+        text = "prefix\n---BASE64_START---\nABCDEF\n---BASE64_END---\nsuffix"
+        # Base64 "ABCDEF" is at position 26-32
+        start, end = _expand_to_markers(text, 26, 32)
+        assert text[start:end] == "---BASE64_START---\nABCDEF\n---BASE64_END---"
+
+    def test_expands_bracket_markers(self):
+        """Should expand to include [BASE64] and [/BASE64] markers."""
+        text = "prefix[BASE64]ABCDEF[/BASE64]suffix"
+        # Base64 is at position 14-20
+        start, end = _expand_to_markers(text, 14, 20)
+        assert text[start:end] == "[BASE64]ABCDEF[/BASE64]"
+
+    def test_no_expansion_without_markers(self):
+        """Should not expand if no markers present."""
+        text = "prefix ABCDEF suffix"
+        start, end = _expand_to_markers(text, 7, 13)
+        assert start == 7
+        assert end == 13
+
+
+# =============================================================================
+# Process Binary Outputs Tests
+# =============================================================================
+
+
+@pytest.fixture
+def mock_scan():
+    """Patch virus scanner for tests."""
+    with patch(
+        "backend.api.features.chat.tools.binary_output_processor.scan_content_safe",
+        new_callable=AsyncMock,
+    ) as mock:
+        yield mock
+
+
+class TestProcessBinaryOutputs:
+    """Tests for process_binary_outputs function."""
+
+    @pytest.mark.asyncio
+    async def test_detects_embedded_pdf_in_stdout_logs(
+        self, mock_workspace_manager, mock_scan
+    ):
+        """Should detect and replace embedded PDF in stdout_logs."""
+        pdf_b64 = _make_pdf_base64()
+        stdout = f"PDF generated!\n---BASE64_START---\n{pdf_b64}\n---BASE64_END---\n"
+
+        outputs = {"stdout_logs": [stdout]}
+
+        result = await process_binary_outputs(
+            outputs, mock_workspace_manager, "ExecuteCodeBlock"
+        )
+
+        # Should contain workspace reference, not base64
+        assert "workspace://" in result["stdout_logs"][0]
+        assert pdf_b64 not in result["stdout_logs"][0]
+        assert "PDF generated!" in result["stdout_logs"][0]
+        mock_workspace_manager.write_file.assert_called_once()
+
+    @pytest.mark.asyncio
+    async def test_detects_embedded_png_without_markers(
+        self, mock_workspace_manager, mock_scan
+    ):
+        """Should detect embedded PNG even without markers."""
+        png_b64 = _make_png_base64()
+        stdout = f"Image created: {png_b64} done"
+
+        outputs = {"stdout_logs": [stdout]}
+
+        result = await process_binary_outputs(
+            outputs, mock_workspace_manager, "ExecuteCodeBlock"
+        )
+
+        assert "workspace://" in result["stdout_logs"][0]
+        assert "Image created:" in result["stdout_logs"][0]
+        assert "done" in result["stdout_logs"][0]
+
+    @pytest.mark.asyncio
+    async def test_preserves_small_strings(self, mock_workspace_manager, mock_scan):
+        """Should not process small strings."""
+        outputs = {"stdout_logs": ["small output"]}
+
+        result = await process_binary_outputs(
+            outputs, mock_workspace_manager, "TestBlock"
+        )
+
+        assert result["stdout_logs"][0] == "small output"
+        mock_workspace_manager.write_file.assert_not_called()
+
+    @pytest.mark.asyncio
+    async def test_preserves_non_binary_large_strings(
+        self, mock_workspace_manager, mock_scan
+    ):
+        """Should preserve large strings that don't contain valid binary."""
+        large_text = "A" * 5000  # Large string - decodes to nulls, no magic number
+
+        outputs = {"stdout_logs": [large_text]}
+
+        result = await process_binary_outputs(
+            outputs, mock_workspace_manager, "TestBlock"
+        )
+
+        assert result["stdout_logs"][0] == large_text
+        mock_workspace_manager.write_file.assert_not_called()
+
+    @pytest.mark.asyncio
+    async def test_deduplicates_identical_content(
+        self, mock_workspace_manager, mock_scan
+    ):
+        """Should save identical content only once."""
+        pdf_b64 = _make_pdf_base64()
+        stdout1 = f"First: {pdf_b64}"
+        stdout2 = f"Second: {pdf_b64}"
+
+        outputs = {"stdout_logs": [stdout1, stdout2]}
+
+        result = await process_binary_outputs(
+            outputs, mock_workspace_manager, "TestBlock"
+        )
+
+        # Both should have references
+        assert "workspace://" in result["stdout_logs"][0]
+        assert "workspace://" in result["stdout_logs"][1]
+        # But only one write
+        assert mock_workspace_manager.write_file.call_count == 1
+
+    @pytest.mark.asyncio
+    async def test_handles_multiple_binaries_in_one_string(
+        self, mock_workspace_manager, mock_scan
+    ):
+        """Should handle multiple embedded binaries in a single string."""
+        pdf_b64 = _make_pdf_base64()
+        png_b64 = _make_png_base64()
+        stdout = f"PDF: {pdf_b64}\nPNG: {png_b64}"
+
+        outputs = {"stdout_logs": [stdout]}
+
+        result = await process_binary_outputs(
+            outputs, mock_workspace_manager, "TestBlock"
+        )
+
+        # Should have two workspace references
+        assert result["stdout_logs"][0].count("workspace://") == 2
+        assert mock_workspace_manager.write_file.call_count == 2
+
+    @pytest.mark.asyncio
+    async def test_processes_nested_structures(self, mock_workspace_manager, mock_scan):
+        """Should recursively process nested dicts and lists."""
+        pdf_b64 = _make_pdf_base64()
+
+        outputs = {"result": [{"nested": {"deep": f"data: {pdf_b64}"}}]}
+
+        result = await process_binary_outputs(
+            outputs, mock_workspace_manager, "TestBlock"
+        )
+
+        assert "workspace://" in result["result"][0]["nested"]["deep"]
+
+    @pytest.mark.asyncio
+    async def test_graceful_degradation_on_save_failure(
+        self, mock_workspace_manager, mock_scan
+    ):
+        """Should preserve original on save failure."""
+        mock_workspace_manager.write_file = AsyncMock(
+            side_effect=Exception("Storage error")
+        )
+
+        pdf_b64 = _make_pdf_base64()
+        stdout = f"PDF: {pdf_b64}"
+
+        outputs = {"stdout_logs": [stdout]}
+
+        result = await process_binary_outputs(
+            outputs, mock_workspace_manager, "TestBlock"
+        )
+
+        # Should keep original since save failed
+        assert pdf_b64 in result["stdout_logs"][0]
+
+
+# =============================================================================
+# Offset Loop Tests (handling marker bleed-in)
+# =============================================================================
+
+
+class TestOffsetLoopHandling:
+    """Tests for the offset-aligned decoding that handles marker bleed-in."""
+
+    def test_handles_4char_aligned_prefix(self):
+        """Should detect base64 when a 4-char aligned prefix bleeds into match.
+
+        When 'TEST' (4 chars, aligned) bleeds in, offset 4 finds valid base64.
+        """
+        pdf_content = b"%PDF-1.4 " + b"x" * 2000
+        pdf_b64 = base64.b64encode(pdf_content).decode()
+        # 4-char prefix (aligned)
+        with_prefix = f"TEST{pdf_b64}"
+
+        result = _decode_and_validate(with_prefix)
+        assert result is not None
+        content, ext = result
+        assert ext == "pdf"
+        assert content == pdf_content
+
+    def test_handles_8char_aligned_prefix(self):
+        """Should detect base64 when an 8-char prefix bleeds into match."""
+        pdf_content = b"%PDF-1.4 " + b"x" * 2000
+        pdf_b64 = base64.b64encode(pdf_content).decode()
+        # 8-char prefix (aligned)
+        with_prefix = f"TESTTEST{pdf_b64}"
+
+        result = _decode_and_validate(with_prefix)
+        assert result is not None
+        content, ext = result
+        assert ext == "pdf"
+
+    def test_handles_misaligned_prefix(self):
+        """Should handle misaligned prefix by finding a valid aligned offset.
+
+        'START' is 5 chars (misaligned). The loop tries offsets 0, 4, 8...
+        Since characters 0-4 include 'START' which is invalid base64 on its own,
+        we need the full PDF base64 to eventually decode correctly at some offset.
+        """
+        pdf_content = b"%PDF-1.4 " + b"x" * 2000
+        pdf_b64 = base64.b64encode(pdf_content).decode()
+        # 5-char prefix - misaligned, but offset 4 should start mid-'START'
+        # and offset 8 will be past the prefix
+        with_prefix = f"START{pdf_b64}"
+
+        result = _decode_and_validate(with_prefix)
+        # Should find valid PDF at some offset (8 in this case)
+        assert result is not None
+        _, ext = result
+        assert ext == "pdf"
+
+    def test_handles_pdf_base64_start_marker_bleed(self):
+        """Should handle PDF_BASE64_START marker bleeding into regex match.
+
+        This is the real-world case: regex matches 'STARTJVBERi0...' because
+        'START' chars are in the base64 alphabet. Offset loop skips past it.
+        PDF_BASE64_START is 16 chars (4-aligned), so offset 16 finds valid base64.
+        """
+        pdf_content = b"%PDF-1.4 " + b"x" * 2000
+        pdf_b64 = base64.b64encode(pdf_content).decode()
+        # Simulate regex capturing 'PDF_BASE64_START' + base64 together
+        # This happens when there's no delimiter between marker and content
+        with_full_marker = f"PDF_BASE64_START{pdf_b64}"
+
+        result = _decode_and_validate(with_full_marker)
+        assert result is not None
+        _, ext = result
+        assert ext == "pdf"
+
+    def test_clean_base64_works_at_offset_zero(self):
+        """Should detect clean base64 at offset 0 without issues."""
+        pdf_content = b"%PDF-1.4 " + b"x" * 2000
+        pdf_b64 = base64.b64encode(pdf_content).decode()
+
+        result = _decode_and_validate(pdf_b64)
+        assert result is not None
+        content, ext = result
+        assert ext == "pdf"
+        assert content == pdf_content
+
+
+# =============================================================================
+# PDF Marker Tests
+# =============================================================================
+
+
+class TestPdfMarkerExpansion:
+    """Tests for PDF_BASE64_START/END marker handling."""
+
+    def test_expands_pdf_base64_start_marker(self):
+        """Should expand to include PDF_BASE64_START marker."""
+        text = "prefixPDF_BASE64_STARTABCDEF"
+        # Base64 'ABCDEF' is at position 22-28
+        start, end = _expand_to_markers(text, 22, 28)
+        assert text[start:end] == "PDF_BASE64_STARTABCDEF"
+
+    def test_expands_pdf_base64_end_marker(self):
+        """Should expand to include PDF_BASE64_END marker."""
+        text = "ABCDEFPDF_BASE64_ENDsuffix"
+        # Base64 'ABCDEF' is at position 0-6
+        start, end = _expand_to_markers(text, 0, 6)
+        assert text[start:end] == "ABCDEFPDF_BASE64_END"
+
+    def test_expands_both_pdf_markers(self):
+        """Should expand to include both PDF_BASE64_START and END."""
+        text = "xPDF_BASE64_STARTABCDEFPDF_BASE64_ENDy"
+        # Base64 'ABCDEF' is at position 17-23
+        start, end = _expand_to_markers(text, 17, 23)
+        assert text[start:end] == "PDF_BASE64_STARTABCDEFPDF_BASE64_END"
+
+    def test_partial_marker_not_expanded(self):
+        """Should not expand if only partial marker present."""
+        text = "BASE64_STARTABCDEF"  # Missing 'PDF_' prefix
+        start, end = _expand_to_markers(text, 12, 18)
+        # Should not expand since it's not the full marker
+        assert start == 12
+        assert end == 18
+
+    @pytest.mark.asyncio
+    async def test_full_pipeline_with_pdf_markers(self, mock_workspace_manager):
+        """Test full pipeline with PDF_BASE64_START/END markers."""
+        pdf_b64 = _make_pdf_base64()
+        stdout = f"Output: PDF_BASE64_START{pdf_b64}PDF_BASE64_END done"
+
+        outputs = {"stdout_logs": [stdout]}
+
+        with patch(
+            "backend.api.features.chat.tools.binary_output_processor.scan_content_safe",
+            new_callable=AsyncMock,
+        ):
+            result = await process_binary_outputs(
+                outputs, mock_workspace_manager, "TestBlock"
+            )
+
+        # Should have workspace reference
+        assert "workspace://" in result["stdout_logs"][0]
+        # Markers should be consumed along with base64
+        assert "PDF_BASE64_START" not in result["stdout_logs"][0]
+        assert "PDF_BASE64_END" not in result["stdout_logs"][0]
+        # Surrounding text preserved
+        assert "Output:" in result["stdout_logs"][0]
+        assert "done" in result["stdout_logs"][0]
+
+
+# =============================================================================
+# Virus Scanning Tests
+# =============================================================================
+
+
+class TestVirusScanning:
+    """Tests for virus scanning integration."""
+
+    @pytest.mark.asyncio
+    async def test_calls_virus_scanner_before_save(self, mock_workspace_manager):
+        """Should call scan_content_safe before writing file."""
+        pdf_b64 = _make_pdf_base64()
+        stdout = f"PDF: {pdf_b64}"
+        outputs = {"stdout_logs": [stdout]}
+
+        with patch(
+            "backend.api.features.chat.tools.binary_output_processor.scan_content_safe",
+            new_callable=AsyncMock,
+        ) as mock_scan:
+            result = await process_binary_outputs(
+                outputs, mock_workspace_manager, "TestBlock"
+            )
+
+            # Verify scanner was called
+            mock_scan.assert_called_once()
+            # Verify file was written after scan
+            mock_workspace_manager.write_file.assert_called_once()
+            # Verify result has workspace reference
+            assert "workspace://" in result["stdout_logs"][0]
+
+    @pytest.mark.asyncio
+    async def test_virus_scan_failure_preserves_original(self, mock_workspace_manager):
+        """Should preserve original if virus scan fails."""
+        pdf_b64 = _make_pdf_base64()
+        stdout = f"PDF: {pdf_b64}"
+        outputs = {"stdout_logs": [stdout]}
+
+        with patch(
+            "backend.api.features.chat.tools.binary_output_processor.scan_content_safe",
+            new_callable=AsyncMock,
+            side_effect=Exception("Virus detected"),
+        ):
+            result = await process_binary_outputs(
+                outputs, mock_workspace_manager, "TestBlock"
+            )
+
+            # Should keep original since scan failed
+            assert pdf_b64 in result["stdout_logs"][0]
+            # File should not have been written
+            mock_workspace_manager.write_file.assert_not_called()

autogpt_platform/backend/backend/api/features/chat/tools/utils.py

@@ -6,6 +6,7 @@ from typing import Any
 from backend.api.features.library import db as library_db
 from backend.api.features.library import model as library_model
 from backend.api.features.store import db as store_db
+from backend.data import graph as graph_db
 from backend.data.graph import GraphModel
 from backend.data.model import (
     CredentialsFieldInfo,
@@ -43,8 +44,14 @@ async def fetch_graph_from_store_slug(
         return None, None
 
     # Get the graph from store listing version
-    graph = await store_db.get_available_graph(
-        store_agent.store_listing_version_id, hide_nodes=False
+    graph_meta = await store_db.get_available_graph(
+        store_agent.store_listing_version_id
+    )
+    graph = await graph_db.get_graph(
+        graph_id=graph_meta.id,
+        version=graph_meta.version,
+        user_id=None,  # Public access
+        include_subgraphs=True,
     )
     return graph, store_agent
 
@@ -117,11 +124,11 @@ def build_missing_credentials_from_graph(
     preserving all supported credential types for each field.
     """
     matched_keys = set(matched_credentials.keys()) if matched_credentials else set()
-    aggregated_fields = graph.regular_credentials_inputs
+    aggregated_fields = graph.aggregate_credentials_inputs()
 
     return {
         field_key: _serialize_missing_credential(field_key, field_info)
-        for field_key, (field_info, _, _) in aggregated_fields.items()
+        for field_key, (field_info, _node_fields) in aggregated_fields.items()
         if field_key not in matched_keys
     }
 
@@ -244,7 +251,7 @@ async def match_user_credentials_to_graph(
     missing_creds: list[str] = []
 
     # Get aggregated credentials requirements from the graph
-    aggregated_creds = graph.regular_credentials_inputs
+    aggregated_creds = graph.aggregate_credentials_inputs()
     logger.debug(
         f"Matching credentials for graph {graph.id}: {len(aggregated_creds)} required"
     )
@@ -262,8 +269,7 @@ async def match_user_credentials_to_graph(
     # provider is in the set of acceptable providers.
     for credential_field_name, (
         credential_requirements,
-        _,
-        _,
+        _node_fields,
     ) in aggregated_creds.items():
         # Find first matching credential by provider, type, and scopes
         matching_cred = next(

autogpt_platform/backend/backend/api/features/chat/tools/utils_test.py

@@ -1,78 +0,0 @@
-"""Tests for chat tools utility functions."""
-
-from unittest.mock import AsyncMock, MagicMock, patch
-
-import pytest
-
-from backend.data.model import CredentialsFieldInfo
-
-
-def _make_regular_field() -> CredentialsFieldInfo:
-    return CredentialsFieldInfo.model_validate(
-        {
-            "credentials_provider": ["github"],
-            "credentials_types": ["api_key"],
-            "is_auto_credential": False,
-        },
-        by_alias=True,
-    )
-
-
-def test_build_missing_credentials_excludes_auto_creds():
-    """
-    build_missing_credentials_from_graph() should use regular_credentials_inputs
-    and thus exclude auto_credentials from the "missing" set.
-    """
-    from backend.api.features.chat.tools.utils import (
-        build_missing_credentials_from_graph,
-    )
-
-    regular_field = _make_regular_field()
-
-    mock_graph = MagicMock()
-    # regular_credentials_inputs should only return the non-auto field
-    mock_graph.regular_credentials_inputs = {
-        "github_api_key": (regular_field, {("node-1", "credentials")}, True),
-    }
-
-    result = build_missing_credentials_from_graph(mock_graph, matched_credentials=None)
-
-    # Should include the regular credential
-    assert "github_api_key" in result
-    # Should NOT include the auto_credential (not in regular_credentials_inputs)
-    assert "google_oauth2" not in result
-
-
-@pytest.mark.asyncio
-async def test_match_user_credentials_excludes_auto_creds():
-    """
-    match_user_credentials_to_graph() should use regular_credentials_inputs
-    and thus exclude auto_credentials from matching.
-    """
-    from backend.api.features.chat.tools.utils import match_user_credentials_to_graph
-
-    regular_field = _make_regular_field()
-
-    mock_graph = MagicMock()
-    mock_graph.id = "test-graph"
-    # regular_credentials_inputs returns only non-auto fields
-    mock_graph.regular_credentials_inputs = {
-        "github_api_key": (regular_field, {("node-1", "credentials")}, True),
-    }
-
-    # Mock the credentials manager to return no credentials
-    with patch(
-        "backend.api.features.chat.tools.utils.IntegrationCredentialsManager"
-    ) as MockCredsMgr:
-        mock_store = AsyncMock()
-        mock_store.get_all_creds.return_value = []
-        MockCredsMgr.return_value.store = mock_store
-
-        matched, missing = await match_user_credentials_to_graph(
-            user_id="test-user", graph=mock_graph
-        )
-
-    # No credentials available, so github should be missing
-    assert len(matched) == 0
-    assert len(missing) == 1
-    assert "github_api_key" in missing[0]

autogpt_platform/backend/backend/api/features/library/db.py

@@ -374,7 +374,7 @@ async def get_library_agent_by_graph_id(
 
 
 async def add_generated_agent_image(
-    graph: graph_db.GraphBaseMeta,
+    graph: graph_db.BaseGraph,
     user_id: str,
     library_agent_id: str,
 ) -> Optional[prisma.models.LibraryAgent]:
@@ -1103,7 +1103,7 @@ async def create_preset_from_graph_execution(
             raise NotFoundError(
                 f"Graph #{graph_execution.graph_id} not found or accessible"
             )
-        elif len(graph.regular_credentials_inputs) > 0:
+        elif len(graph.aggregate_credentials_inputs()) > 0:
             raise ValueError(
                 f"Graph execution #{graph_exec_id} can't be turned into a preset "
                 "because it was run before this feature existed "

autogpt_platform/backend/backend/api/features/store/db.py

@@ -1,7 +1,7 @@
 import asyncio
 import logging
 from datetime import datetime, timezone
-from typing import Any, Literal, overload
+from typing import Any, Literal
 
 import fastapi
 import prisma.enums
@@ -11,8 +11,8 @@ import prisma.types
 
 from backend.data.db import transaction
 from backend.data.graph import (
+    GraphMeta,
     GraphModel,
-    GraphModelWithoutNodes,
     get_graph,
     get_graph_as_admin,
     get_sub_graphs,
@@ -334,22 +334,7 @@ async def get_store_agent_details(
         raise DatabaseError("Failed to fetch agent details") from e
 
 
-@overload
-async def get_available_graph(
-    store_listing_version_id: str, hide_nodes: Literal[False]
-) -> GraphModel: ...
-
-
-@overload
-async def get_available_graph(
-    store_listing_version_id: str, hide_nodes: Literal[True] = True
-) -> GraphModelWithoutNodes: ...
-
-
-async def get_available_graph(
-    store_listing_version_id: str,
-    hide_nodes: bool = True,
-) -> GraphModelWithoutNodes | GraphModel:
+async def get_available_graph(store_listing_version_id: str) -> GraphMeta:
     try:
         # Get avaialble, non-deleted store listing version
         store_listing_version = (
@@ -359,7 +344,7 @@ async def get_available_graph(
                     "isAvailable": True,
                     "isDeleted": False,
                 },
-                include={"AgentGraph": {"include": AGENT_GRAPH_INCLUDE}},
+                include={"AgentGraph": {"include": {"Nodes": True}}},
             )
         )
 
@@ -369,9 +354,7 @@ async def get_available_graph(
                 detail=f"Store listing version {store_listing_version_id} not found",
             )
 
-        return (GraphModelWithoutNodes if hide_nodes else GraphModel).from_db(
-            store_listing_version.AgentGraph
-        )
+        return GraphModel.from_db(store_listing_version.AgentGraph).meta()
 
     except Exception as e:
         logger.error(f"Error getting agent: {e}")

autogpt_platform/backend/backend/api/features/store/image_gen.py

@@ -16,7 +16,7 @@ from backend.blocks.ideogram import (
     StyleType,
     UpscaleOption,
 )
-from backend.data.graph import GraphBaseMeta
+from backend.data.graph import BaseGraph
 from backend.data.model import CredentialsMetaInput, ProviderName
 from backend.integrations.credentials_store import ideogram_credentials
 from backend.util.request import Requests
@@ -34,14 +34,14 @@ class ImageStyle(str, Enum):
     DIGITAL_ART = "digital art"
 
 
-async def generate_agent_image(agent: GraphBaseMeta | AgentGraph) -> io.BytesIO:
+async def generate_agent_image(agent: BaseGraph | AgentGraph) -> io.BytesIO:
     if settings.config.use_agent_image_generation_v2:
         return await generate_agent_image_v2(graph=agent)
     else:
         return await generate_agent_image_v1(agent=agent)
 
 
-async def generate_agent_image_v2(graph: GraphBaseMeta | AgentGraph) -> io.BytesIO:
+async def generate_agent_image_v2(graph: BaseGraph | AgentGraph) -> io.BytesIO:
     """
     Generate an image for an agent using Ideogram model.
     Returns:
@@ -54,17 +54,14 @@ async def generate_agent_image_v2(graph: GraphBaseMeta | AgentGraph) -> io.Bytes
     description = f"{name} ({graph.description})" if graph.description else name
 
     prompt = (
-        "Create a visually striking retro-futuristic vector pop art illustration "
-        f'prominently featuring "{name}" in bold typography. The image clearly and '
-        f"literally depicts a {description}, along with recognizable objects directly "
-        f"associated with the primary function of a {name}. "
-        f"Ensure the imagery is concrete, intuitive, and immediately understandable, "
-        f"clearly conveying the purpose of a {name}. "
-        "Maintain vibrant, limited-palette colors, sharp vector lines, "
-        "geometric shapes, flat illustration techniques, and solid colors "
-        "without gradients or shading. Preserve a retro-futuristic aesthetic "
-        "influenced by mid-century futurism and 1960s psychedelia, "
-        "prioritizing clear visual storytelling and thematic clarity above all else."
+        f"Create a visually striking retro-futuristic vector pop art illustration prominently featuring "
+        f'"{name}" in bold typography. The image clearly and literally depicts a {description}, '
+        f"along with recognizable objects directly associated with the primary function of a {name}. "
+        f"Ensure the imagery is concrete, intuitive, and immediately understandable, clearly conveying the "
+        f"purpose of a {name}. Maintain vibrant, limited-palette colors, sharp vector lines, geometric "
+        f"shapes, flat illustration techniques, and solid colors without gradients or shading. Preserve a "
+        f"retro-futuristic aesthetic influenced by mid-century futurism and 1960s psychedelia, "
+        f"prioritizing clear visual storytelling and thematic clarity above all else."
     )
 
     custom_colors = [
@@ -102,12 +99,12 @@ async def generate_agent_image_v2(graph: GraphBaseMeta | AgentGraph) -> io.Bytes
     return io.BytesIO(response.content)
 
 
-async def generate_agent_image_v1(agent: GraphBaseMeta | AgentGraph) -> io.BytesIO:
+async def generate_agent_image_v1(agent: BaseGraph | AgentGraph) -> io.BytesIO:
     """
     Generate an image for an agent using Flux model via Replicate API.
 
     Args:
-        agent (GraphBaseMeta | AgentGraph): The agent to generate an image for
+        agent (Graph): The agent to generate an image for
 
     Returns:
         io.BytesIO: The generated image as bytes
@@ -117,13 +114,7 @@ async def generate_agent_image_v1(agent: GraphBaseMeta | AgentGraph) -> io.Bytes
             raise ValueError("Missing Replicate API key in settings")
 
         # Construct prompt from agent details
-        prompt = (
-            "Create a visually engaging app store thumbnail for the AI agent "
-            "that highlights what it does in a clear and captivating way:\n"
-            f"- **Name**: {agent.name}\n"
-            f"- **Description**: {agent.description}\n"
-            f"Focus on showcasing its core functionality with an appealing design."
-        )
+        prompt = f"Create a visually engaging app store thumbnail for the AI agent that highlights what it does in a clear and captivating way:\n- **Name**: {agent.name}\n- **Description**: {agent.description}\nFocus on showcasing its core functionality with an appealing design."
 
         # Set up Replicate client
         client = ReplicateClient(api_token=settings.secrets.replicate_api_key)

autogpt_platform/backend/backend/api/features/store/routes.py

@@ -278,7 +278,7 @@ async def get_agent(
 )
 async def get_graph_meta_by_store_listing_version_id(
     store_listing_version_id: str,
-) -> backend.data.graph.GraphModelWithoutNodes:
+) -> backend.data.graph.GraphMeta:
     """
     Get Agent Graph from Store Listing Version ID.
     """

autogpt_platform/backend/backend/data/block.py

@@ -246,9 +246,7 @@ class BlockSchema(BaseModel):
                         f"is not of type {CredentialsMetaInput.__name__}"
                     )
 
-                CredentialsMetaInput.validate_credentials_field_schema(
-                    cls.get_field_schema(field_name), field_name
-                )
+                credentials_fields[field_name].validate_credentials_field_schema(cls)
 
             elif field_name in credentials_fields:
                 raise KeyError(
@@ -319,8 +317,6 @@ class BlockSchema(BaseModel):
                 "credentials_provider": [config.get("provider", "google")],
                 "credentials_types": [config.get("type", "oauth2")],
                 "credentials_scopes": config.get("scopes"),
-                "is_auto_credential": True,
-                "input_field_name": info["field_name"],
             }
             result[kwarg_name] = CredentialsFieldInfo.model_validate(
                 auto_schema, by_alias=True

autogpt_platform/backend/backend/data/graph.py

@@ -3,7 +3,7 @@ import logging
 import uuid
 from collections import defaultdict
 from datetime import datetime, timezone
-from typing import TYPE_CHECKING, Annotated, Any, Literal, Optional, Self, cast
+from typing import TYPE_CHECKING, Annotated, Any, Literal, Optional, cast
 
 from prisma.enums import SubmissionStatus
 from prisma.models import (
@@ -20,7 +20,7 @@ from prisma.types import (
     AgentNodeLinkCreateInput,
     StoreListingVersionWhereInput,
 )
-from pydantic import BaseModel, BeforeValidator, Field
+from pydantic import BaseModel, BeforeValidator, Field, create_model
 from pydantic.fields import computed_field
 
 from backend.blocks.agent import AgentExecutorBlock
@@ -30,6 +30,7 @@ from backend.data.db import prisma as db
 from backend.data.dynamic_fields import is_tool_pin, sanitize_pin_name
 from backend.data.includes import MAX_GRAPH_VERSIONS_FETCH
 from backend.data.model import (
+    CredentialsField,
     CredentialsFieldInfo,
     CredentialsMetaInput,
     is_credentials_field_name,
@@ -44,6 +45,7 @@ from .block import (
     AnyBlockSchema,
     Block,
     BlockInput,
+    BlockSchema,
     BlockType,
     EmptySchema,
     get_block,
@@ -111,12 +113,10 @@ class Link(BaseDbModel):
 
 class Node(BaseDbModel):
     block_id: str
-    input_default: BlockInput = Field(  # dict[input_name, default_value]
-        default_factory=dict
-    )
-    metadata: dict[str, Any] = Field(default_factory=dict)
-    input_links: list[Link] = Field(default_factory=list)
-    output_links: list[Link] = Field(default_factory=list)
+    input_default: BlockInput = {}  # dict[input_name, default_value]
+    metadata: dict[str, Any] = {}
+    input_links: list[Link] = []
+    output_links: list[Link] = []
 
     @property
     def credentials_optional(self) -> bool:
@@ -221,33 +221,18 @@ class NodeModel(Node):
         return result
 
 
-class GraphBaseMeta(BaseDbModel):
-    """
-    Shared base for `GraphMeta` and `BaseGraph`, with core graph metadata fields.
-    """
-
+class BaseGraph(BaseDbModel):
     version: int = 1
     is_active: bool = True
     name: str
     description: str
     instructions: str | None = None
     recommended_schedule_cron: str | None = None
+    nodes: list[Node] = []
+    links: list[Link] = []
     forked_from_id: str | None = None
     forked_from_version: int | None = None
 
-
-class BaseGraph(GraphBaseMeta):
-    """
-    Graph with nodes, links, and computed I/O schema fields.
-
-    Used to represent sub-graphs within a `Graph`. Contains the full graph
-    structure including nodes and links, plus computed fields for schemas
-    and trigger info. Does NOT include user_id or created_at (see GraphModel).
-    """
-
-    nodes: list[Node] = Field(default_factory=list)
-    links: list[Link] = Field(default_factory=list)
-
     @computed_field
     @property
     def input_schema(self) -> dict[str, Any]:
@@ -376,78 +361,44 @@ class GraphTriggerInfo(BaseModel):
 
 
 class Graph(BaseGraph):
-    """Creatable graph model used in API create/update endpoints."""
-
-    sub_graphs: list[BaseGraph] = Field(default_factory=list)  # Flattened sub-graphs
-
-
-class GraphMeta(GraphBaseMeta):
-    """
-    Lightweight graph metadata model representing an existing graph from the database,
-    for use in listings and summaries.
-
-    Lacks `GraphModel`'s nodes, links, and expensive computed fields.
-    Use for list endpoints where full graph data is not needed and performance matters.
-    """
-
-    id: str  # type: ignore
-    version: int  # type: ignore
-    user_id: str
-    created_at: datetime
-
-    @classmethod
-    def from_db(cls, graph: "AgentGraph") -> Self:
-        return cls(
-            id=graph.id,
-            version=graph.version,
-            is_active=graph.isActive,
-            name=graph.name or "",
-            description=graph.description or "",
-            instructions=graph.instructions,
-            recommended_schedule_cron=graph.recommendedScheduleCron,
-            forked_from_id=graph.forkedFromId,
-            forked_from_version=graph.forkedFromVersion,
-            user_id=graph.userId,
-            created_at=graph.createdAt,
-        )
-
-
-class GraphModel(Graph, GraphMeta):
-    """
-    Full graph model representing an existing graph from the database.
-
-    This is the primary model for working with persisted graphs. Includes all
-    graph data (nodes, links, sub_graphs) plus user ownership and timestamps.
-    Provides computed fields (input_schema, output_schema, etc.) used during
-    set-up (frontend) and execution (backend).
-
-    Inherits from:
-    - `Graph`: provides structure (nodes, links, sub_graphs) and computed schemas
-    - `GraphMeta`: provides user_id, created_at for database records
-    """
-
-    nodes: list[NodeModel] = Field(default_factory=list)  # type: ignore
-
-    @property
-    def starting_nodes(self) -> list[NodeModel]:
-        outbound_nodes = {link.sink_id for link in self.links}
-        input_nodes = {
-            node.id for node in self.nodes if node.block.block_type == BlockType.INPUT
-        }
-        return [
-            node
-            for node in self.nodes
-            if node.id not in outbound_nodes or node.id in input_nodes
-        ]
-
-    @property
-    def webhook_input_node(self) -> NodeModel | None:  # type: ignore
-        return cast(NodeModel, super().webhook_input_node)
+    sub_graphs: list[BaseGraph] = []  # Flattened sub-graphs
 
     @computed_field
     @property
     def credentials_input_schema(self) -> dict[str, Any]:
-        graph_credentials_inputs = self.regular_credentials_inputs
+        schema = self._credentials_input_schema.jsonschema()
+
+        # Determine which credential fields are required based on credentials_optional metadata
+        graph_credentials_inputs = self.aggregate_credentials_inputs()
+        required_fields = []
+
+        # Build a map of node_id -> node for quick lookup
+        all_nodes = {node.id: node for node in self.nodes}
+        for sub_graph in self.sub_graphs:
+            for node in sub_graph.nodes:
+                all_nodes[node.id] = node
+
+        for field_key, (
+            _field_info,
+            node_field_pairs,
+        ) in graph_credentials_inputs.items():
+            # A field is required if ANY node using it has credentials_optional=False
+            is_required = False
+            for node_id, _field_name in node_field_pairs:
+                node = all_nodes.get(node_id)
+                if node and not node.credentials_optional:
+                    is_required = True
+                    break
+
+            if is_required:
+                required_fields.append(field_key)
+
+        schema["required"] = required_fields
+        return schema
+
+    @property
+    def _credentials_input_schema(self) -> type[BlockSchema]:
+        graph_credentials_inputs = self.aggregate_credentials_inputs()
         logger.debug(
             f"Combined credentials input fields for graph #{self.id} ({self.name}): "
             f"{graph_credentials_inputs}"
@@ -455,8 +406,8 @@ class GraphModel(Graph, GraphMeta):
 
         # Warn if same-provider credentials inputs can't be combined (= bad UX)
         graph_cred_fields = list(graph_credentials_inputs.values())
-        for i, (field, keys, _) in enumerate(graph_cred_fields):
-            for other_field, other_keys, _ in list(graph_cred_fields)[i + 1 :]:
+        for i, (field, keys) in enumerate(graph_cred_fields):
+            for other_field, other_keys in list(graph_cred_fields)[i + 1 :]:
                 if field.provider != other_field.provider:
                     continue
                 if ProviderName.HTTP in field.provider:
@@ -472,78 +423,31 @@ class GraphModel(Graph, GraphMeta):
                     f"keys: {keys} <> {other_keys}."
                 )
 
-        # Build JSON schema directly to avoid expensive create_model + validation overhead
-        properties = {}
-        required_fields = []
-
-        for agg_field_key, (
-            field_info,
-            _,
-            is_required,
-        ) in graph_credentials_inputs.items():
-            providers = list(field_info.provider)
-            cred_types = list(field_info.supported_types)
-
-            field_schema: dict[str, Any] = {
-                "credentials_provider": providers,
-                "credentials_types": cred_types,
-                "type": "object",
-                "properties": {
-                    "id": {"title": "Id", "type": "string"},
-                    "title": {
-                        "anyOf": [{"type": "string"}, {"type": "null"}],
-                        "default": None,
-                        "title": "Title",
-                    },
-                    "provider": {
-                        "title": "Provider",
-                        "type": "string",
-                        **(
-                            {"enum": providers}
-                            if len(providers) > 1
-                            else {"const": providers[0]}
-                        ),
-                    },
-                    "type": {
-                        "title": "Type",
-                        "type": "string",
-                        **(
-                            {"enum": cred_types}
-                            if len(cred_types) > 1
-                            else {"const": cred_types[0]}
-                        ),
-                    },
-                },
-                "required": ["id", "provider", "type"],
-            }
-
-            # Add other (optional) field info items
-            field_schema.update(
-                field_info.model_dump(
-                    by_alias=True,
-                    exclude_defaults=True,
-                    exclude={"provider", "supported_types"},  # already included above
-                )
+        fields: dict[str, tuple[type[CredentialsMetaInput], CredentialsMetaInput]] = {
+            agg_field_key: (
+                CredentialsMetaInput[
+                    Literal[tuple(field_info.provider)],  # type: ignore
+                    Literal[tuple(field_info.supported_types)],  # type: ignore
+                ],
+                CredentialsField(
+                    required_scopes=set(field_info.required_scopes or []),
+                    discriminator=field_info.discriminator,
+                    discriminator_mapping=field_info.discriminator_mapping,
+                    discriminator_values=field_info.discriminator_values,
+                ),
             )
-
-            # Ensure field schema is well-formed
-            CredentialsMetaInput.validate_credentials_field_schema(
-                field_schema, agg_field_key
-            )
-
-            properties[agg_field_key] = field_schema
-            if is_required:
-                required_fields.append(agg_field_key)
-
-        return {
-            "type": "object",
-            "properties": properties,
-            "required": required_fields,
+            for agg_field_key, (field_info, _) in graph_credentials_inputs.items()
         }
 
+        return create_model(
+            self.name.replace(" ", "") + "CredentialsInputSchema",
+            __base__=BlockSchema,
+            **fields,  # type: ignore
+        )
+
     def aggregate_credentials_inputs(
         self,
-    ) -> dict[str, tuple[CredentialsFieldInfo, set[tuple[str, str]], bool]]:
+    ) -> dict[str, tuple[CredentialsFieldInfo, set[tuple[str, str]]]]:
         """
         Returns:
             dict[aggregated_field_key, tuple(
@@ -551,19 +455,13 @@ class GraphModel(Graph, GraphMeta):
                     (now includes discriminator_values from matching nodes)
                 set[(node_id, field_name)]: Node credentials fields that are
                     compatible with this aggregated field spec
-                bool: True if the field is required (any node has credentials_optional=False)
             )]
         """
         # First collect all credential field data with input defaults
-        # Track (field_info, (node_id, field_name), is_required) for each credential field
-        node_credential_data: list[tuple[CredentialsFieldInfo, tuple[str, str]]] = []
-        node_required_map: dict[str, bool] = {}  # node_id -> is_required
+        node_credential_data = []
 
         for graph in [self] + self.sub_graphs:
             for node in graph.nodes:
-                # Track if this node requires credentials (credentials_optional=False means required)
-                node_required_map[node.id] = not node.credentials_optional
-
                 for (
                     field_name,
                     field_info,
@@ -587,43 +485,37 @@ class GraphModel(Graph, GraphMeta):
                     )
 
         # Combine credential field info (this will merge discriminator_values automatically)
-        combined = CredentialsFieldInfo.combine(*node_credential_data)
+        return CredentialsFieldInfo.combine(*node_credential_data)
 
-        # Add is_required flag to each aggregated field
-        # A field is required if ANY node using it has credentials_optional=False
-        return {
-            key: (
-                field_info,
-                node_field_pairs,
-                any(
-                    node_required_map.get(node_id, True)
-                    for node_id, _ in node_field_pairs
-                ),
-            )
-            for key, (field_info, node_field_pairs) in combined.items()
-        }
+
+class GraphModel(Graph):
+    user_id: str
+    nodes: list[NodeModel] = []  # type: ignore
+
+    created_at: datetime
 
     @property
-    def regular_credentials_inputs(
-        self,
-    ) -> dict[str, tuple[CredentialsFieldInfo, set[tuple[str, str]], bool]]:
-        """Credentials that need explicit user mapping (CredentialsMetaInput fields)."""
-        return {
-            k: v
-            for k, v in self.aggregate_credentials_inputs().items()
-            if not v[0].is_auto_credential
+    def starting_nodes(self) -> list[NodeModel]:
+        outbound_nodes = {link.sink_id for link in self.links}
+        input_nodes = {
+            node.id for node in self.nodes if node.block.block_type == BlockType.INPUT
         }
+        return [
+            node
+            for node in self.nodes
+            if node.id not in outbound_nodes or node.id in input_nodes
+        ]
 
     @property
-    def auto_credentials_inputs(
-        self,
-    ) -> dict[str, tuple[CredentialsFieldInfo, set[tuple[str, str]], bool]]:
-        """Credentials embedded in file fields (_credentials_id), resolved at execution time."""
-        return {
-            k: v
-            for k, v in self.aggregate_credentials_inputs().items()
-            if v[0].is_auto_credential
-        }
+    def webhook_input_node(self) -> NodeModel | None:  # type: ignore
+        return cast(NodeModel, super().webhook_input_node)
+
+    def meta(self) -> "GraphMeta":
+        """
+        Returns a GraphMeta object with metadata about the graph.
+        This is used to return metadata about the graph without exposing nodes and links.
+        """
+        return GraphMeta.from_graph(self)
 
     def reassign_ids(self, user_id: str, reassign_graph_id: bool = False):
         """
@@ -675,16 +567,6 @@ class GraphModel(Graph, GraphMeta):
             ) and graph_id in graph_id_map:
                 node.input_default["graph_id"] = graph_id_map[graph_id]
 
-        # Clear auto-credentials references (e.g., _credentials_id in
-        # GoogleDriveFile fields) so the new user must re-authenticate
-        # with their own account
-        for node in graph.nodes:
-            if not node.input_default:
-                continue
-            for key, value in node.input_default.items():
-                if isinstance(value, dict) and "_credentials_id" in value:
-                    del value["_credentials_id"]
-
     def validate_graph(
         self,
         for_run: bool = False,
@@ -917,14 +799,13 @@ class GraphModel(Graph, GraphMeta):
             if is_static_output_block(link.source_id):
                 link.is_static = True  # Each value block output should be static.
 
-    @classmethod
-    def from_db(  # type: ignore[reportIncompatibleMethodOverride]
-        cls,
+    @staticmethod
+    def from_db(
         graph: AgentGraph,
         for_export: bool = False,
         sub_graphs: list[AgentGraph] | None = None,
-    ) -> Self:
-        return cls(
+    ) -> "GraphModel":
+        return GraphModel(
             id=graph.id,
             user_id=graph.userId if not for_export else "",
             version=graph.version,
@@ -950,28 +831,17 @@ class GraphModel(Graph, GraphMeta):
             ],
         )
 
-    def hide_nodes(self) -> "GraphModelWithoutNodes":
-        """
-        Returns a copy of the `GraphModel` with nodes, links, and sub-graphs hidden
-        (excluded from serialization). They are still present in the model instance
-        so all computed fields (e.g. `credentials_input_schema`) still work.
-        """
-        return GraphModelWithoutNodes.model_validate(self, from_attributes=True)
 
+class GraphMeta(Graph):
+    user_id: str
 
-class GraphModelWithoutNodes(GraphModel):
-    """
-    GraphModel variant that excludes nodes, links, and sub-graphs from serialization.
+    # Easy work-around to prevent exposing nodes and links in the API response
+    nodes: list[NodeModel] = Field(default=[], exclude=True)  # type: ignore
+    links: list[Link] = Field(default=[], exclude=True)
 
-    Used in contexts like the store where exposing internal graph structure
-    is not desired. Inherits all computed fields from GraphModel but marks
-    nodes and links as excluded from JSON output.
-    """
-
-    nodes: list[NodeModel] = Field(default_factory=list, exclude=True)
-    links: list[Link] = Field(default_factory=list, exclude=True)
-
-    sub_graphs: list[BaseGraph] = Field(default_factory=list, exclude=True)
+    @staticmethod
+    def from_graph(graph: GraphModel) -> "GraphMeta":
+        return GraphMeta(**graph.model_dump())
 
 
 class GraphsPaginated(BaseModel):
@@ -1042,11 +912,21 @@ async def list_graphs_paginated(
         where=where_clause,
         distinct=["id"],
         order={"version": "desc"},
+        include=AGENT_GRAPH_INCLUDE,
         skip=offset,
         take=page_size,
     )
 
-    graph_models = [GraphMeta.from_db(graph) for graph in graphs]
+    graph_models: list[GraphMeta] = []
+    for graph in graphs:
+        try:
+            graph_meta = GraphModel.from_db(graph).meta()
+            # Trigger serialization to validate that the graph is well formed
+            graph_meta.model_dump()
+            graph_models.append(graph_meta)
+        except Exception as e:
+            logger.error(f"Error processing graph {graph.id}: {e}")
+            continue
 
     return GraphsPaginated(
         graphs=graph_models,

autogpt_platform/backend/backend/data/graph_test.py

@@ -463,328 +463,3 @@ def test_node_credentials_optional_with_other_metadata():
     assert node.credentials_optional is True
     assert node.metadata["position"] == {"x": 100, "y": 200}
     assert node.metadata["customized_name"] == "My Custom Node"
-
-
-# ============================================================================
-# Tests for _reassign_ids credential clearing (Fix 3: SECRT-1772)
-def test_combine_preserves_is_auto_credential_flag():
-    """
-    CredentialsFieldInfo.combine() must propagate is_auto_credential and
-    input_field_name to the combined result. Regression test for reviewer
-    finding that combine() dropped these fields.
-    """
-    from backend.data.model import CredentialsFieldInfo
-
-    auto_field = CredentialsFieldInfo.model_validate(
-        {
-            "credentials_provider": ["google"],
-            "credentials_types": ["oauth2"],
-            "credentials_scopes": ["drive.readonly"],
-            "is_auto_credential": True,
-            "input_field_name": "spreadsheet",
-        },
-        by_alias=True,
-    )
-
-    # combine() takes *args of (field_info, key) tuples
-    combined = CredentialsFieldInfo.combine(
-        (auto_field, ("node-1", "credentials")),
-        (auto_field, ("node-2", "credentials")),
-    )
-
-    assert len(combined) == 1
-    group_key = next(iter(combined))
-    combined_info, combined_keys = combined[group_key]
-
-    assert combined_info.is_auto_credential is True
-    assert combined_info.input_field_name == "spreadsheet"
-    assert combined_keys == {("node-1", "credentials"), ("node-2", "credentials")}
-
-
-def test_combine_preserves_regular_credential_defaults():
-    """Regular credentials should have is_auto_credential=False after combine()."""
-    from backend.data.model import CredentialsFieldInfo
-
-    regular_field = CredentialsFieldInfo.model_validate(
-        {
-            "credentials_provider": ["github"],
-            "credentials_types": ["api_key"],
-            "is_auto_credential": False,
-        },
-        by_alias=True,
-    )
-
-    combined = CredentialsFieldInfo.combine(
-        (regular_field, ("node-1", "credentials")),
-    )
-
-    group_key = next(iter(combined))
-    combined_info, _ = combined[group_key]
-
-    assert combined_info.is_auto_credential is False
-    assert combined_info.input_field_name is None
-
-
-# ============================================================================
-
-
-def test_reassign_ids_clears_credentials_id():
-    """
-    [SECRT-1772] _reassign_ids should clear _credentials_id from
-    GoogleDriveFile-style input_default fields so forked agents
-    don't retain the original creator's credential references.
-    """
-    from backend.data.graph import GraphModel
-
-    node = Node(
-        id="node-1",
-        block_id=StoreValueBlock().id,
-        input_default={
-            "spreadsheet": {
-                "_credentials_id": "original-cred-id",
-                "id": "file-123",
-                "name": "test.xlsx",
-                "mimeType": "application/vnd.google-apps.spreadsheet",
-                "url": "https://docs.google.com/spreadsheets/d/file-123",
-            },
-        },
-    )
-
-    graph = Graph(
-        id="test-graph",
-        name="Test",
-        description="Test",
-        nodes=[node],
-        links=[],
-    )
-
-    GraphModel._reassign_ids(graph, user_id="new-user", graph_id_map={})
-
-    # _credentials_id key should be removed (not set to None) so that
-    # _acquire_auto_credentials correctly errors instead of treating it as chained data
-    assert "_credentials_id" not in graph.nodes[0].input_default["spreadsheet"]
-
-
-def test_reassign_ids_preserves_non_credential_fields():
-    """
-    Regression guard: _reassign_ids should NOT modify non-credential fields
-    like name, mimeType, id, url.
-    """
-    from backend.data.graph import GraphModel
-
-    node = Node(
-        id="node-1",
-        block_id=StoreValueBlock().id,
-        input_default={
-            "spreadsheet": {
-                "_credentials_id": "cred-abc",
-                "id": "file-123",
-                "name": "test.xlsx",
-                "mimeType": "application/vnd.google-apps.spreadsheet",
-                "url": "https://docs.google.com/spreadsheets/d/file-123",
-            },
-        },
-    )
-
-    graph = Graph(
-        id="test-graph",
-        name="Test",
-        description="Test",
-        nodes=[node],
-        links=[],
-    )
-
-    GraphModel._reassign_ids(graph, user_id="new-user", graph_id_map={})
-
-    field = graph.nodes[0].input_default["spreadsheet"]
-    assert field["id"] == "file-123"
-    assert field["name"] == "test.xlsx"
-    assert field["mimeType"] == "application/vnd.google-apps.spreadsheet"
-    assert field["url"] == "https://docs.google.com/spreadsheets/d/file-123"
-
-
-def test_reassign_ids_handles_no_credentials():
-    """
-    Regression guard: _reassign_ids should not error when input_default
-    has no dict fields with _credentials_id.
-    """
-    from backend.data.graph import GraphModel
-
-    node = Node(
-        id="node-1",
-        block_id=StoreValueBlock().id,
-        input_default={
-            "input": "some value",
-            "another_input": 42,
-        },
-    )
-
-    graph = Graph(
-        id="test-graph",
-        name="Test",
-        description="Test",
-        nodes=[node],
-        links=[],
-    )
-
-    GraphModel._reassign_ids(graph, user_id="new-user", graph_id_map={})
-
-    # Should not error, fields unchanged
-    assert graph.nodes[0].input_default["input"] == "some value"
-    assert graph.nodes[0].input_default["another_input"] == 42
-
-
-def test_reassign_ids_handles_multiple_credential_fields():
-    """
-    [SECRT-1772] When a node has multiple dict fields with _credentials_id,
-    ALL of them should be cleared.
-    """
-    from backend.data.graph import GraphModel
-
-    node = Node(
-        id="node-1",
-        block_id=StoreValueBlock().id,
-        input_default={
-            "spreadsheet": {
-                "_credentials_id": "cred-1",
-                "id": "file-1",
-                "name": "file1.xlsx",
-            },
-            "doc_file": {
-                "_credentials_id": "cred-2",
-                "id": "file-2",
-                "name": "file2.docx",
-            },
-            "plain_input": "not a dict",
-        },
-    )
-
-    graph = Graph(
-        id="test-graph",
-        name="Test",
-        description="Test",
-        nodes=[node],
-        links=[],
-    )
-
-    GraphModel._reassign_ids(graph, user_id="new-user", graph_id_map={})
-
-    assert "_credentials_id" not in graph.nodes[0].input_default["spreadsheet"]
-    assert "_credentials_id" not in graph.nodes[0].input_default["doc_file"]
-    assert graph.nodes[0].input_default["plain_input"] == "not a dict"
-
-
-# ============================================================================
-# Tests for discriminate() field propagation
-def test_discriminate_preserves_is_auto_credential_flag():
-    """
-    CredentialsFieldInfo.discriminate() must propagate is_auto_credential and
-    input_field_name to the discriminated result. Regression test for
-    discriminate() dropping these fields (same class of bug as combine()).
-    """
-    from backend.data.model import CredentialsFieldInfo
-
-    auto_field = CredentialsFieldInfo.model_validate(
-        {
-            "credentials_provider": ["google", "openai"],
-            "credentials_types": ["oauth2"],
-            "credentials_scopes": ["drive.readonly"],
-            "is_auto_credential": True,
-            "input_field_name": "spreadsheet",
-            "discriminator": "model",
-            "discriminator_mapping": {"gpt-4": "openai", "gemini": "google"},
-        },
-        by_alias=True,
-    )
-
-    discriminated = auto_field.discriminate("gemini")
-
-    assert discriminated.is_auto_credential is True
-    assert discriminated.input_field_name == "spreadsheet"
-    assert discriminated.provider == frozenset(["google"])
-
-
-def test_discriminate_preserves_regular_credential_defaults():
-    """Regular credentials should have is_auto_credential=False after discriminate()."""
-    from backend.data.model import CredentialsFieldInfo
-
-    regular_field = CredentialsFieldInfo.model_validate(
-        {
-            "credentials_provider": ["google", "openai"],
-            "credentials_types": ["api_key"],
-            "is_auto_credential": False,
-            "discriminator": "model",
-            "discriminator_mapping": {"gpt-4": "openai", "gemini": "google"},
-        },
-        by_alias=True,
-    )
-
-    discriminated = regular_field.discriminate("gpt-4")
-
-    assert discriminated.is_auto_credential is False
-    assert discriminated.input_field_name is None
-    assert discriminated.provider == frozenset(["openai"])
-
-
-# ============================================================================
-# Tests for credentials_input_schema excluding auto_credentials
-def test_credentials_input_schema_excludes_auto_creds():
-    """
-    GraphModel.credentials_input_schema should exclude auto_credentials
-    (is_auto_credential=True) from the schema. Auto_credentials are
-    transparently resolved at execution time via file picker data.
-    """
-    from datetime import datetime, timezone
-    from unittest.mock import PropertyMock, patch
-
-    from backend.data.graph import GraphModel, NodeModel
-    from backend.data.model import CredentialsFieldInfo
-
-    regular_field_info = CredentialsFieldInfo.model_validate(
-        {
-            "credentials_provider": ["github"],
-            "credentials_types": ["api_key"],
-            "is_auto_credential": False,
-        },
-        by_alias=True,
-    )
-
-    graph = GraphModel(
-        id="test-graph",
-        version=1,
-        name="Test",
-        description="Test",
-        user_id="test-user",
-        created_at=datetime.now(timezone.utc),
-        nodes=[
-            NodeModel(
-                id="node-1",
-                block_id=StoreValueBlock().id,
-                input_default={},
-                graph_id="test-graph",
-                graph_version=1,
-            ),
-        ],
-        links=[],
-    )
-
-    # Mock regular_credentials_inputs to return only the non-auto field (3-tuple)
-    regular_only = {
-        "github_credentials": (
-            regular_field_info,
-            {("node-1", "credentials")},
-            True,
-        ),
-    }
-
-    with patch.object(
-        type(graph),
-        "regular_credentials_inputs",
-        new_callable=PropertyMock,
-        return_value=regular_only,
-    ):
-        schema = graph.credentials_input_schema
-        field_names = set(schema.get("properties", {}).keys())
-        # Should include regular credential but NOT auto_credential
-        assert "github_credentials" in field_names
-        assert "google_credentials" not in field_names

autogpt_platform/backend/backend/data/model.py

@@ -163,6 +163,7 @@ class User(BaseModel):
 if TYPE_CHECKING:
     from prisma.models import User as PrismaUser
 
+    from backend.data.block import BlockSchema
 
 T = TypeVar("T")
 logger = logging.getLogger(__name__)
@@ -507,13 +508,15 @@ class CredentialsMetaInput(BaseModel, Generic[CP, CT]):
     def allowed_cred_types(cls) -> tuple[CredentialsType, ...]:
         return get_args(cls.model_fields["type"].annotation)
 
-    @staticmethod
-    def validate_credentials_field_schema(
-        field_schema: dict[str, Any], field_name: str
-    ):
+    @classmethod
+    def validate_credentials_field_schema(cls, model: type["BlockSchema"]):
         """Validates the schema of a credentials input field"""
+        field_name = next(
+            name for name, type in model.get_credentials_fields().items() if type is cls
+        )
+        field_schema = model.jsonschema()["properties"][field_name]
         try:
-            field_info = CredentialsFieldInfo[CP, CT].model_validate(field_schema)
+            schema_extra = CredentialsFieldInfo[CP, CT].model_validate(field_schema)
         except ValidationError as e:
             if "Field required [type=missing" not in str(e):
                 raise
@@ -523,11 +526,11 @@ class CredentialsMetaInput(BaseModel, Generic[CP, CT]):
                 f"{field_schema}"
             ) from e
 
-        providers = field_info.provider
+        providers = cls.allowed_providers()
         if (
             providers is not None
             and len(providers) > 1
-            and not field_info.discriminator
+            and not schema_extra.discriminator
         ):
             raise TypeError(
                 f"Multi-provider CredentialsField '{field_name}' "
@@ -571,8 +574,6 @@ class CredentialsFieldInfo(BaseModel, Generic[CP, CT]):
     discriminator: Optional[str] = None
     discriminator_mapping: Optional[dict[str, CP]] = None
     discriminator_values: set[Any] = Field(default_factory=set)
-    is_auto_credential: bool = False
-    input_field_name: Optional[str] = None
 
     @classmethod
     def combine(
@@ -653,9 +654,6 @@ class CredentialsFieldInfo(BaseModel, Generic[CP, CT]):
                 + "_credentials"
             )
 
-            # Propagate is_auto_credential from the combined field.
-            # All fields in a group should share the same is_auto_credential
-            # value since auto and regular credentials serve different purposes.
             result[group_key] = (
                 CredentialsFieldInfo[CP, CT](
                     credentials_provider=combined.provider,
@@ -664,8 +662,6 @@ class CredentialsFieldInfo(BaseModel, Generic[CP, CT]):
                     discriminator=combined.discriminator,
                     discriminator_mapping=combined.discriminator_mapping,
                     discriminator_values=set(all_discriminator_values),
-                    is_auto_credential=combined.is_auto_credential,
-                    input_field_name=combined.input_field_name,
                 ),
                 combined_keys,
             )
@@ -691,8 +687,6 @@ class CredentialsFieldInfo(BaseModel, Generic[CP, CT]):
             discriminator=self.discriminator,
             discriminator_mapping=self.discriminator_mapping,
             discriminator_values=self.discriminator_values,
-            is_auto_credential=self.is_auto_credential,
-            input_field_name=self.input_field_name,
         )
 
 

autogpt_platform/backend/backend/executor/manager.py

@@ -172,81 +172,6 @@ def execute_graph(
 T = TypeVar("T")
 
 
-async def _acquire_auto_credentials(
-    input_model: type[BlockSchema],
-    input_data: dict[str, Any],
-    creds_manager: "IntegrationCredentialsManager",
-    user_id: str,
-) -> tuple[dict[str, Any], list[AsyncRedisLock]]:
-    """
-    Resolve auto_credentials from GoogleDriveFileField-style inputs.
-
-    Returns:
-        (extra_exec_kwargs, locks): kwargs to inject into block execution, and
-        credential locks to release after execution completes.
-    """
-    extra_exec_kwargs: dict[str, Any] = {}
-    locks: list[AsyncRedisLock] = []
-
-    # NOTE: If a block ever has multiple auto-credential fields, a ValueError
-    # on a later field will strand locks acquired for earlier fields. They'll
-    # auto-expire via Redis TTL, but add a try/except to release partial locks
-    # if that becomes a real scenario.
-    for kwarg_name, info in input_model.get_auto_credentials_fields().items():
-        field_name = info["field_name"]
-        field_data = input_data.get(field_name)
-
-        if field_data and isinstance(field_data, dict):
-            # Check if _credentials_id key exists in the field data
-            if "_credentials_id" in field_data:
-                cred_id = field_data["_credentials_id"]
-                if cred_id:
-                    # Credential ID provided - acquire credentials
-                    provider = info.get("config", {}).get(
-                        "provider", "external service"
-                    )
-                    file_name = field_data.get("name", "selected file")
-                    try:
-                        credentials, lock = await creds_manager.acquire(
-                            user_id, cred_id
-                        )
-                        locks.append(lock)
-                        extra_exec_kwargs[kwarg_name] = credentials
-                    except ValueError:
-                        raise ValueError(
-                            f"{provider.capitalize()} credentials for "
-                            f"'{file_name}' in field '{field_name}' are not "
-                            f"available in your account. "
-                            f"This can happen if the agent was created by another "
-                            f"user or the credentials were deleted. "
-                            f"Please open the agent in the builder and re-select "
-                            f"the file to authenticate with your own account."
-                        )
-                # else: _credentials_id is explicitly None, skip (chained data)
-            else:
-                # _credentials_id key missing entirely - this is an error
-                provider = info.get("config", {}).get("provider", "external service")
-                file_name = field_data.get("name", "selected file")
-                raise ValueError(
-                    f"Authentication missing for '{file_name}' in field "
-                    f"'{field_name}'. Please re-select the file to authenticate "
-                    f"with {provider.capitalize()}."
-                )
-        elif field_data is None and field_name not in input_data:
-            # Field not in input_data at all = connected from upstream block, skip
-            pass
-        else:
-            # field_data is None/empty but key IS in input_data = user didn't select
-            provider = info.get("config", {}).get("provider", "external service")
-            raise ValueError(
-                f"No file selected for '{field_name}'. "
-                f"Please select a file to provide "
-                f"{provider.capitalize()} authentication."
-            )
-
-    return extra_exec_kwargs, locks
-
-
 async def execute_node(
     node: Node,
     data: NodeExecutionEntry,
@@ -346,14 +271,41 @@ async def execute_node(
         extra_exec_kwargs[field_name] = credentials
 
     # Handle auto-generated credentials (e.g., from GoogleDriveFileInput)
-    auto_extra_kwargs, auto_locks = await _acquire_auto_credentials(
-        input_model=input_model,
-        input_data=input_data,
-        creds_manager=creds_manager,
-        user_id=user_id,
-    )
-    extra_exec_kwargs.update(auto_extra_kwargs)
-    creds_locks.extend(auto_locks)
+    for kwarg_name, info in input_model.get_auto_credentials_fields().items():
+        field_name = info["field_name"]
+        field_data = input_data.get(field_name)
+        if field_data and isinstance(field_data, dict):
+            # Check if _credentials_id key exists in the field data
+            if "_credentials_id" in field_data:
+                cred_id = field_data["_credentials_id"]
+                if cred_id:
+                    # Credential ID provided - acquire credentials
+                    provider = info.get("config", {}).get(
+                        "provider", "external service"
+                    )
+                    file_name = field_data.get("name", "selected file")
+                    try:
+                        credentials, lock = await creds_manager.acquire(
+                            user_id, cred_id
+                        )
+                        creds_locks.append(lock)
+                        extra_exec_kwargs[kwarg_name] = credentials
+                    except ValueError:
+                        # Credential was deleted or doesn't exist
+                        raise ValueError(
+                            f"Authentication expired for '{file_name}' in field '{field_name}'. "
+                            f"The saved {provider.capitalize()} credentials no longer exist. "
+                            f"Please re-select the file to re-authenticate."
+                        )
+                # else: _credentials_id is explicitly None, skip credentials (for chained data)
+            else:
+                # _credentials_id key missing entirely - this is an error
+                provider = info.get("config", {}).get("provider", "external service")
+                file_name = field_data.get("name", "selected file")
+                raise ValueError(
+                    f"Authentication missing for '{file_name}' in field '{field_name}'. "
+                    f"Please re-select the file to authenticate with {provider.capitalize()}."
+                )
 
     output_size = 0
 

autogpt_platform/backend/backend/executor/manager_auto_credentials_test.py

@@ -1,320 +0,0 @@
-"""
-Tests for auto_credentials handling in execute_node().
-
-These test the _acquire_auto_credentials() helper function extracted from
-execute_node() (manager.py lines 273-308).
-"""
-
-import pytest
-from pytest_mock import MockerFixture
-
-
-@pytest.fixture
-def google_drive_file_data():
-    return {
-        "valid": {
-            "_credentials_id": "cred-id-123",
-            "id": "file-123",
-            "name": "test.xlsx",
-            "mimeType": "application/vnd.google-apps.spreadsheet",
-        },
-        "chained": {
-            "_credentials_id": None,
-            "id": "file-456",
-            "name": "chained.xlsx",
-            "mimeType": "application/vnd.google-apps.spreadsheet",
-        },
-        "missing_key": {
-            "id": "file-789",
-            "name": "bad.xlsx",
-            "mimeType": "application/vnd.google-apps.spreadsheet",
-        },
-    }
-
-
-@pytest.fixture
-def mock_input_model(mocker: MockerFixture):
-    """Create a mock input model with get_auto_credentials_fields() returning one field."""
-    input_model = mocker.MagicMock()
-    input_model.get_auto_credentials_fields.return_value = {
-        "credentials": {
-            "field_name": "spreadsheet",
-            "config": {
-                "provider": "google",
-                "type": "oauth2",
-                "scopes": ["https://www.googleapis.com/auth/drive.readonly"],
-            },
-        }
-    }
-    return input_model
-
-
-@pytest.fixture
-def mock_creds_manager(mocker: MockerFixture):
-    manager = mocker.AsyncMock()
-    mock_lock = mocker.AsyncMock()
-    mock_creds = mocker.MagicMock()
-    mock_creds.id = "cred-id-123"
-    mock_creds.provider = "google"
-    manager.acquire.return_value = (mock_creds, mock_lock)
-    return manager, mock_creds, mock_lock
-
-
-@pytest.mark.asyncio
-async def test_auto_credentials_happy_path(
-    mocker: MockerFixture,
-    google_drive_file_data,
-    mock_input_model,
-    mock_creds_manager,
-):
-    """When field_data has a valid _credentials_id, credentials should be acquired."""
-    from backend.executor.manager import _acquire_auto_credentials
-
-    manager, mock_creds, mock_lock = mock_creds_manager
-    input_data = {"spreadsheet": google_drive_file_data["valid"]}
-
-    extra_kwargs, locks = await _acquire_auto_credentials(
-        input_model=mock_input_model,
-        input_data=input_data,
-        creds_manager=manager,
-        user_id="user-1",
-    )
-
-    manager.acquire.assert_called_once_with("user-1", "cred-id-123")
-    assert extra_kwargs["credentials"] == mock_creds
-    assert mock_lock in locks
-
-
-@pytest.mark.asyncio
-async def test_auto_credentials_field_none_static_raises(
-    mocker: MockerFixture,
-    mock_input_model,
-    mock_creds_manager,
-):
-    """
-    [THE BUG FIX TEST — OPEN-2895]
-    When field_data is None and the key IS in input_data (user didn't select a file),
-    should raise ValueError instead of silently skipping.
-    """
-    from backend.executor.manager import _acquire_auto_credentials
-
-    manager, _, _ = mock_creds_manager
-    # Key is present but value is None = user didn't select a file
-    input_data = {"spreadsheet": None}
-
-    with pytest.raises(ValueError, match="No file selected"):
-        await _acquire_auto_credentials(
-            input_model=mock_input_model,
-            input_data=input_data,
-            creds_manager=manager,
-            user_id="user-1",
-        )
-
-
-@pytest.mark.asyncio
-async def test_auto_credentials_field_absent_skips(
-    mocker: MockerFixture,
-    mock_input_model,
-    mock_creds_manager,
-):
-    """
-    When the field key is NOT in input_data at all (upstream connection),
-    should skip without error.
-    """
-    from backend.executor.manager import _acquire_auto_credentials
-
-    manager, _, _ = mock_creds_manager
-    # Key not present = connected from upstream block
-    input_data = {}
-
-    extra_kwargs, locks = await _acquire_auto_credentials(
-        input_model=mock_input_model,
-        input_data=input_data,
-        creds_manager=manager,
-        user_id="user-1",
-    )
-
-    manager.acquire.assert_not_called()
-    assert "credentials" not in extra_kwargs
-    assert locks == []
-
-
-@pytest.mark.asyncio
-async def test_auto_credentials_chained_cred_id_none(
-    mocker: MockerFixture,
-    google_drive_file_data,
-    mock_input_model,
-    mock_creds_manager,
-):
-    """
-    When _credentials_id is explicitly None (chained data from upstream),
-    should skip credential acquisition.
-    """
-    from backend.executor.manager import _acquire_auto_credentials
-
-    manager, _, _ = mock_creds_manager
-    input_data = {"spreadsheet": google_drive_file_data["chained"]}
-
-    extra_kwargs, locks = await _acquire_auto_credentials(
-        input_model=mock_input_model,
-        input_data=input_data,
-        creds_manager=manager,
-        user_id="user-1",
-    )
-
-    manager.acquire.assert_not_called()
-    assert "credentials" not in extra_kwargs
-
-
-@pytest.mark.asyncio
-async def test_auto_credentials_missing_cred_id_key_raises(
-    mocker: MockerFixture,
-    google_drive_file_data,
-    mock_input_model,
-    mock_creds_manager,
-):
-    """
-    When _credentials_id key is missing entirely from field_data dict,
-    should raise ValueError.
-    """
-    from backend.executor.manager import _acquire_auto_credentials
-
-    manager, _, _ = mock_creds_manager
-    input_data = {"spreadsheet": google_drive_file_data["missing_key"]}
-
-    with pytest.raises(ValueError, match="Authentication missing"):
-        await _acquire_auto_credentials(
-            input_model=mock_input_model,
-            input_data=input_data,
-            creds_manager=manager,
-            user_id="user-1",
-        )
-
-
-@pytest.mark.asyncio
-async def test_auto_credentials_ownership_mismatch_error(
-    mocker: MockerFixture,
-    google_drive_file_data,
-    mock_input_model,
-    mock_creds_manager,
-):
-    """
-    [SECRT-1772] When acquire() raises ValueError (credential belongs to another user),
-    the error message should mention 'not available' (not 'expired').
-    """
-    from backend.executor.manager import _acquire_auto_credentials
-
-    manager, _, _ = mock_creds_manager
-    manager.acquire.side_effect = ValueError(
-        "Credentials #cred-id-123 for user #user-2 not found"
-    )
-    input_data = {"spreadsheet": google_drive_file_data["valid"]}
-
-    with pytest.raises(ValueError, match="not available in your account"):
-        await _acquire_auto_credentials(
-            input_model=mock_input_model,
-            input_data=input_data,
-            creds_manager=manager,
-            user_id="user-2",
-        )
-
-
-@pytest.mark.asyncio
-async def test_auto_credentials_deleted_credential_error(
-    mocker: MockerFixture,
-    google_drive_file_data,
-    mock_input_model,
-    mock_creds_manager,
-):
-    """
-    [SECRT-1772] When acquire() raises ValueError (credential was deleted),
-    the error message should mention 'not available' (not 'expired').
-    """
-    from backend.executor.manager import _acquire_auto_credentials
-
-    manager, _, _ = mock_creds_manager
-    manager.acquire.side_effect = ValueError(
-        "Credentials #cred-id-123 for user #user-1 not found"
-    )
-    input_data = {"spreadsheet": google_drive_file_data["valid"]}
-
-    with pytest.raises(ValueError, match="not available in your account"):
-        await _acquire_auto_credentials(
-            input_model=mock_input_model,
-            input_data=input_data,
-            creds_manager=manager,
-            user_id="user-1",
-        )
-
-
-@pytest.mark.asyncio
-async def test_auto_credentials_lock_appended(
-    mocker: MockerFixture,
-    google_drive_file_data,
-    mock_input_model,
-    mock_creds_manager,
-):
-    """Lock from acquire() should be included in returned locks list."""
-    from backend.executor.manager import _acquire_auto_credentials
-
-    manager, _, mock_lock = mock_creds_manager
-    input_data = {"spreadsheet": google_drive_file_data["valid"]}
-
-    extra_kwargs, locks = await _acquire_auto_credentials(
-        input_model=mock_input_model,
-        input_data=input_data,
-        creds_manager=manager,
-        user_id="user-1",
-    )
-
-    assert len(locks) == 1
-    assert locks[0] is mock_lock
-
-
-@pytest.mark.asyncio
-async def test_auto_credentials_multiple_fields(
-    mocker: MockerFixture,
-    mock_creds_manager,
-):
-    """When there are multiple auto_credentials fields, only valid ones should acquire."""
-    from backend.executor.manager import _acquire_auto_credentials
-
-    manager, mock_creds, mock_lock = mock_creds_manager
-
-    input_model = mocker.MagicMock()
-    input_model.get_auto_credentials_fields.return_value = {
-        "credentials": {
-            "field_name": "spreadsheet",
-            "config": {"provider": "google", "type": "oauth2"},
-        },
-        "credentials2": {
-            "field_name": "doc_file",
-            "config": {"provider": "google", "type": "oauth2"},
-        },
-    }
-
-    input_data = {
-        "spreadsheet": {
-            "_credentials_id": "cred-id-123",
-            "id": "file-1",
-            "name": "file1.xlsx",
-        },
-        "doc_file": {
-            "_credentials_id": None,
-            "id": "file-2",
-            "name": "chained.doc",
-        },
-    }
-
-    extra_kwargs, locks = await _acquire_auto_credentials(
-        input_model=input_model,
-        input_data=input_data,
-        creds_manager=manager,
-        user_id="user-1",
-    )
-
-    # Only the first field should have acquired credentials
-    manager.acquire.assert_called_once_with("user-1", "cred-id-123")
-    assert "credentials" in extra_kwargs
-    assert "credentials2" not in extra_kwargs
-    assert len(locks) == 1

autogpt_platform/backend/backend/executor/utils.py

@@ -259,8 +259,7 @@ async def _validate_node_input_credentials(
 
         # Find any fields of type CredentialsMetaInput
         credentials_fields = block.input_schema.get_credentials_fields()
-        auto_credentials_fields = block.input_schema.get_auto_credentials_fields()
-        if not credentials_fields and not auto_credentials_fields:
+        if not credentials_fields:
             continue
 
         # Track if any credential field is missing for this node
@@ -340,47 +339,6 @@ async def _validate_node_input_credentials(
                 ] = "Invalid credentials: type/provider mismatch"
                 continue
 
-        # Validate auto-credentials (GoogleDriveFileField-based)
-        # These have _credentials_id embedded in the file field data
-        if auto_credentials_fields:
-            for _kwarg_name, info in auto_credentials_fields.items():
-                field_name = info["field_name"]
-                # Check input_default and nodes_input_masks for the field value
-                field_value = node.input_default.get(field_name)
-                if nodes_input_masks and node.id in nodes_input_masks:
-                    field_value = nodes_input_masks[node.id].get(
-                        field_name, field_value
-                    )
-
-                if field_value and isinstance(field_value, dict):
-                    if "_credentials_id" not in field_value:
-                        # Key removed (e.g., on fork) — needs re-auth
-                        has_missing_credentials = True
-                        credential_errors[node.id][field_name] = (
-                            "Authentication missing for the selected file. "
-                            "Please re-select the file to authenticate with "
-                            "your own account."
-                        )
-                        continue
-                    cred_id = field_value.get("_credentials_id")
-                    if cred_id and isinstance(cred_id, str):
-                        try:
-                            creds_store = get_integration_credentials_store()
-                            creds = await creds_store.get_creds_by_id(user_id, cred_id)
-                        except Exception as e:
-                            has_missing_credentials = True
-                            credential_errors[node.id][
-                                field_name
-                            ] = f"Credentials not available: {e}"
-                            continue
-                        if not creds:
-                            has_missing_credentials = True
-                            credential_errors[node.id][field_name] = (
-                                "The saved credentials are not available "
-                                "for your account. Please re-select the file to "
-                                "authenticate with your own account."
-                            )
-
         # If node has optional credentials and any are missing, mark for skipping
         # But only if there are no other errors for this node
         if (
@@ -412,11 +370,10 @@ def make_node_credentials_input_map(
     """
     result: dict[str, dict[str, JsonValue]] = {}
 
-    # Only map regular credentials (not auto_credentials, which are resolved
-    # at execution time from _credentials_id in file field data)
-    graph_cred_inputs = graph.regular_credentials_inputs
+    # Get aggregated credentials fields for the graph
+    graph_cred_inputs = graph.aggregate_credentials_inputs()
 
-    for graph_input_name, (_, compatible_node_fields, _) in graph_cred_inputs.items():
+    for graph_input_name, (_, compatible_node_fields) in graph_cred_inputs.items():
         # Best-effort map: skip missing items
         if graph_input_name not in graph_credentials_input:
             continue

autogpt_platform/backend/backend/executor/utils_test.py

@@ -907,335 +907,3 @@ async def test_stop_graph_execution_cascades_to_child_with_reviews(
 
     # Verify both parent and child status updates
     assert mock_execution_db.update_graph_execution_stats.call_count >= 1
-
-
-# ============================================================================
-# Tests for auto_credentials validation in _validate_node_input_credentials
-# (Fix 3: SECRT-1772 + Fix 4: Path 4)
-# ============================================================================
-
-
-@pytest.mark.asyncio
-async def test_validate_node_input_credentials_auto_creds_valid(
-    mocker: MockerFixture,
-):
-    """
-    [SECRT-1772] When a node has auto_credentials with a valid _credentials_id
-    that exists in the store, validation should pass without errors.
-    """
-    from backend.executor.utils import _validate_node_input_credentials
-
-    mock_node = mocker.MagicMock()
-    mock_node.id = "node-with-auto-creds"
-    mock_node.credentials_optional = False
-    mock_node.input_default = {
-        "spreadsheet": {
-            "_credentials_id": "valid-cred-id",
-            "id": "file-123",
-            "name": "test.xlsx",
-        }
-    }
-
-    mock_block = mocker.MagicMock()
-    # No regular credentials fields
-    mock_block.input_schema.get_credentials_fields.return_value = {}
-    # Has auto_credentials fields
-    mock_block.input_schema.get_auto_credentials_fields.return_value = {
-        "credentials": {
-            "field_name": "spreadsheet",
-            "config": {"provider": "google", "type": "oauth2"},
-        }
-    }
-    mock_node.block = mock_block
-
-    mock_graph = mocker.MagicMock()
-    mock_graph.nodes = [mock_node]
-
-    # Mock the credentials store to return valid credentials
-    mock_store = mocker.MagicMock()
-    mock_creds = mocker.MagicMock()
-    mock_creds.id = "valid-cred-id"
-    mock_store.get_creds_by_id = mocker.AsyncMock(return_value=mock_creds)
-    mocker.patch(
-        "backend.executor.utils.get_integration_credentials_store",
-        return_value=mock_store,
-    )
-
-    errors, nodes_to_skip = await _validate_node_input_credentials(
-        graph=mock_graph,
-        user_id="test-user",
-        nodes_input_masks=None,
-    )
-
-    assert mock_node.id not in errors
-    assert mock_node.id not in nodes_to_skip
-
-
-@pytest.mark.asyncio
-async def test_validate_node_input_credentials_auto_creds_missing(
-    mocker: MockerFixture,
-):
-    """
-    [SECRT-1772] When a node has auto_credentials with a _credentials_id
-    that doesn't exist for the current user, validation should report an error.
-    """
-    from backend.executor.utils import _validate_node_input_credentials
-
-    mock_node = mocker.MagicMock()
-    mock_node.id = "node-with-bad-auto-creds"
-    mock_node.credentials_optional = False
-    mock_node.input_default = {
-        "spreadsheet": {
-            "_credentials_id": "other-users-cred-id",
-            "id": "file-123",
-            "name": "test.xlsx",
-        }
-    }
-
-    mock_block = mocker.MagicMock()
-    mock_block.input_schema.get_credentials_fields.return_value = {}
-    mock_block.input_schema.get_auto_credentials_fields.return_value = {
-        "credentials": {
-            "field_name": "spreadsheet",
-            "config": {"provider": "google", "type": "oauth2"},
-        }
-    }
-    mock_node.block = mock_block
-
-    mock_graph = mocker.MagicMock()
-    mock_graph.nodes = [mock_node]
-
-    # Mock the credentials store to return None (cred not found for this user)
-    mock_store = mocker.MagicMock()
-    mock_store.get_creds_by_id = mocker.AsyncMock(return_value=None)
-    mocker.patch(
-        "backend.executor.utils.get_integration_credentials_store",
-        return_value=mock_store,
-    )
-
-    errors, nodes_to_skip = await _validate_node_input_credentials(
-        graph=mock_graph,
-        user_id="different-user",
-        nodes_input_masks=None,
-    )
-
-    assert mock_node.id in errors
-    assert "spreadsheet" in errors[mock_node.id]
-    assert "not available" in errors[mock_node.id]["spreadsheet"].lower()
-
-
-@pytest.mark.asyncio
-async def test_validate_node_input_credentials_both_regular_and_auto(
-    mocker: MockerFixture,
-):
-    """
-    [SECRT-1772] A node that has BOTH regular credentials AND auto_credentials
-    should have both validated.
-    """
-    from backend.executor.utils import _validate_node_input_credentials
-
-    mock_node = mocker.MagicMock()
-    mock_node.id = "node-with-both-creds"
-    mock_node.credentials_optional = False
-    mock_node.input_default = {
-        "credentials": {
-            "id": "regular-cred-id",
-            "provider": "github",
-            "type": "api_key",
-        },
-        "spreadsheet": {
-            "_credentials_id": "auto-cred-id",
-            "id": "file-123",
-            "name": "test.xlsx",
-        },
-    }
-
-    mock_credentials_field_type = mocker.MagicMock()
-    mock_credentials_meta = mocker.MagicMock()
-    mock_credentials_meta.id = "regular-cred-id"
-    mock_credentials_meta.provider = "github"
-    mock_credentials_meta.type = "api_key"
-    mock_credentials_field_type.model_validate.return_value = mock_credentials_meta
-
-    mock_block = mocker.MagicMock()
-    # Regular credentials field
-    mock_block.input_schema.get_credentials_fields.return_value = {
-        "credentials": mock_credentials_field_type,
-    }
-    # Auto-credentials field
-    mock_block.input_schema.get_auto_credentials_fields.return_value = {
-        "auto_credentials": {
-            "field_name": "spreadsheet",
-            "config": {"provider": "google", "type": "oauth2"},
-        }
-    }
-    mock_node.block = mock_block
-
-    mock_graph = mocker.MagicMock()
-    mock_graph.nodes = [mock_node]
-
-    # Mock the credentials store to return valid credentials for both
-    mock_store = mocker.MagicMock()
-    mock_regular_creds = mocker.MagicMock()
-    mock_regular_creds.id = "regular-cred-id"
-    mock_regular_creds.provider = "github"
-    mock_regular_creds.type = "api_key"
-
-    mock_auto_creds = mocker.MagicMock()
-    mock_auto_creds.id = "auto-cred-id"
-
-    def get_creds_side_effect(user_id, cred_id):
-        if cred_id == "regular-cred-id":
-            return mock_regular_creds
-        elif cred_id == "auto-cred-id":
-            return mock_auto_creds
-        return None
-
-    mock_store.get_creds_by_id = mocker.AsyncMock(side_effect=get_creds_side_effect)
-    mocker.patch(
-        "backend.executor.utils.get_integration_credentials_store",
-        return_value=mock_store,
-    )
-
-    errors, nodes_to_skip = await _validate_node_input_credentials(
-        graph=mock_graph,
-        user_id="test-user",
-        nodes_input_masks=None,
-    )
-
-    # Both should validate successfully - no errors
-    assert mock_node.id not in errors
-    assert mock_node.id not in nodes_to_skip
-
-
-@pytest.mark.asyncio
-async def test_validate_node_input_credentials_auto_creds_skipped_when_none(
-    mocker: MockerFixture,
-):
-    """
-    When a node has auto_credentials but the field value has _credentials_id=None
-    (e.g., from upstream connection), validation should skip it without error.
-    """
-    from backend.executor.utils import _validate_node_input_credentials
-
-    mock_node = mocker.MagicMock()
-    mock_node.id = "node-with-chained-auto-creds"
-    mock_node.credentials_optional = False
-    mock_node.input_default = {
-        "spreadsheet": {
-            "_credentials_id": None,
-            "id": "file-123",
-            "name": "test.xlsx",
-        }
-    }
-
-    mock_block = mocker.MagicMock()
-    mock_block.input_schema.get_credentials_fields.return_value = {}
-    mock_block.input_schema.get_auto_credentials_fields.return_value = {
-        "credentials": {
-            "field_name": "spreadsheet",
-            "config": {"provider": "google", "type": "oauth2"},
-        }
-    }
-    mock_node.block = mock_block
-
-    mock_graph = mocker.MagicMock()
-    mock_graph.nodes = [mock_node]
-
-    errors, nodes_to_skip = await _validate_node_input_credentials(
-        graph=mock_graph,
-        user_id="test-user",
-        nodes_input_masks=None,
-    )
-
-    # No error - chained data with None cred_id is valid
-    assert mock_node.id not in errors
-
-
-# ============================================================================
-# Tests for CredentialsFieldInfo auto_credential tag (Fix 4: Path 4)
-# ============================================================================
-
-
-def test_credentials_field_info_auto_credential_tag():
-    """
-    [Path 4] CredentialsFieldInfo should support is_auto_credential and
-    input_field_name fields for distinguishing auto from regular credentials.
-    """
-    from backend.data.model import CredentialsFieldInfo
-
-    # Regular credential should have is_auto_credential=False by default
-    regular = CredentialsFieldInfo.model_validate(
-        {
-            "credentials_provider": ["github"],
-            "credentials_types": ["api_key"],
-        },
-        by_alias=True,
-    )
-    assert regular.is_auto_credential is False
-    assert regular.input_field_name is None
-
-    # Auto credential should have is_auto_credential=True
-    auto = CredentialsFieldInfo.model_validate(
-        {
-            "credentials_provider": ["google"],
-            "credentials_types": ["oauth2"],
-            "is_auto_credential": True,
-            "input_field_name": "spreadsheet",
-        },
-        by_alias=True,
-    )
-    assert auto.is_auto_credential is True
-    assert auto.input_field_name == "spreadsheet"
-
-
-def test_make_node_credentials_input_map_excludes_auto_creds(
-    mocker: MockerFixture,
-):
-    """
-    [Path 4] make_node_credentials_input_map should only include regular credentials,
-    not auto_credentials (which are resolved at execution time).
-    """
-    from backend.data.model import CredentialsFieldInfo, CredentialsMetaInput
-    from backend.executor.utils import make_node_credentials_input_map
-    from backend.integrations.providers import ProviderName
-
-    # Create a mock graph with aggregate_credentials_inputs that returns
-    # both regular and auto credentials
-    mock_graph = mocker.MagicMock()
-
-    regular_field_info = CredentialsFieldInfo.model_validate(
-        {
-            "credentials_provider": ["github"],
-            "credentials_types": ["api_key"],
-            "is_auto_credential": False,
-        },
-        by_alias=True,
-    )
-
-    # Mock regular_credentials_inputs property (auto_credentials are excluded)
-    mock_graph.regular_credentials_inputs = {
-        "github_creds": (regular_field_info, {("node-1", "credentials")}, True),
-    }
-
-    graph_credentials_input = {
-        "github_creds": CredentialsMetaInput(
-            id="cred-123",
-            provider=ProviderName("github"),
-            type="api_key",
-        ),
-    }
-
-    result = make_node_credentials_input_map(mock_graph, graph_credentials_input)
-
-    # Regular credentials should be mapped
-    assert "node-1" in result
-    assert "credentials" in result["node-1"]
-
-    # Auto credentials should NOT appear in the result
-    # (they would have been mapped to the kwarg_name "credentials" not "spreadsheet")
-    for node_id, fields in result.items():
-        for field_name, value in fields.items():
-            # Verify no auto-credential phantom entries
-            if isinstance(value, dict):
-                assert "_credentials_id" not in value

autogpt_platform/backend/backend/util/workspace.py

@@ -22,7 +22,6 @@ from backend.data.workspace import (
     soft_delete_workspace_file,
 )
 from backend.util.settings import Config
-from backend.util.virus_scanner import scan_content_safe
 from backend.util.workspace_storage import compute_file_checksum, get_workspace_storage
 
 logger = logging.getLogger(__name__)
@@ -188,9 +187,6 @@ class WorkspaceManager:
                 f"{Config().max_file_size_mb}MB limit"
             )
 
-        # Virus scan content before persisting (defense in depth)
-        await scan_content_safe(content, filename=filename)
-
         # Determine path with session scoping
         if path is None:
             path = f"/{filename}"

autogpt_platform/backend/snapshots/grph_single

@@ -3,6 +3,7 @@
   "credentials_input_schema": {
     "properties": {},
     "required": [],
+    "title": "TestGraphCredentialsInputSchema",
     "type": "object"
   },
   "description": "A test graph",

autogpt_platform/backend/snapshots/grphs_all

@@ -1,14 +1,34 @@
 [
   {
-    "created_at": "2025-09-04T13:37:00",
+    "credentials_input_schema": {
+      "properties": {},
+      "required": [],
+      "title": "TestGraphCredentialsInputSchema",
+      "type": "object"
+    },
     "description": "A test graph",
     "forked_from_id": null,
     "forked_from_version": null,
+    "has_external_trigger": false,
+    "has_human_in_the_loop": false,
+    "has_sensitive_action": false,
     "id": "graph-123",
+    "input_schema": {
+      "properties": {},
+      "required": [],
+      "type": "object"
+    },
     "instructions": null,
     "is_active": true,
     "name": "Test Graph",
+    "output_schema": {
+      "properties": {},
+      "required": [],
+      "type": "object"
+    },
     "recommended_schedule_cron": null,
+    "sub_graphs": [],
+    "trigger_setup_info": null,
     "user_id": "3e53486c-cf57-477e-ba2a-cb02dc828e1a",
     "version": 1
   }

autogpt_platform/frontend/src/app/(no-navbar)/onboarding/5-run/components/AgentOnboardingCredentials/AgentOnboardingCredentials.tsx

@@ -1,5 +1,5 @@
 import { CredentialsMetaInput } from "@/app/api/__generated__/models/credentialsMetaInput";
-import { GraphModel } from "@/app/api/__generated__/models/graphModel";
+import { GraphMeta } from "@/app/api/__generated__/models/graphMeta";
 import { CredentialsInput } from "@/components/contextual/CredentialsInput/CredentialsInput";
 import { useState } from "react";
 import { getSchemaDefaultCredentials } from "../../helpers";
@@ -9,7 +9,7 @@ type Credential = CredentialsMetaInput | undefined;
 type Credentials = Record<string, Credential>;
 
 type Props = {
-  agent: GraphModel | null;
+  agent: GraphMeta | null;
   siblingInputs?: Record<string, any>;
   onCredentialsChange: (
     credentials: Record<string, CredentialsMetaInput>,

autogpt_platform/frontend/src/app/(no-navbar)/onboarding/5-run/components/AgentOnboardingCredentials/helpers.ts

@@ -1,9 +1,9 @@
 import { CredentialsMetaInput } from "@/app/api/__generated__/models/credentialsMetaInput";
-import { GraphModel } from "@/app/api/__generated__/models/graphModel";
+import { GraphMeta } from "@/app/api/__generated__/models/graphMeta";
 import { BlockIOCredentialsSubSchema } from "@/lib/autogpt-server-api/types";
 
 export function getCredentialFields(
-  agent: GraphModel | null,
+  agent: GraphMeta | null,
 ): AgentCredentialsFields {
   if (!agent) return {};
 

autogpt_platform/frontend/src/app/(no-navbar)/onboarding/5-run/helpers.ts

@@ -3,10 +3,10 @@ import type {
   CredentialsMetaInput,
 } from "@/lib/autogpt-server-api/types";
 import type { InputValues } from "./types";
-import { GraphModel } from "@/app/api/__generated__/models/graphModel";
+import { GraphMeta } from "@/app/api/__generated__/models/graphMeta";
 
 export function computeInitialAgentInputs(
-  agent: GraphModel | null,
+  agent: GraphMeta | null,
   existingInputs?: InputValues | null,
 ): InputValues {
   const properties = agent?.input_schema?.properties || {};
@@ -29,7 +29,7 @@ export function computeInitialAgentInputs(
 }
 
 type IsRunDisabledParams = {
-  agent: GraphModel | null;
+  agent: GraphMeta | null;
   isRunning: boolean;
   agentInputs: InputValues | null | undefined;
 };

autogpt_platform/frontend/src/app/(platform)/build/components/legacy-builder/BlocksControl.tsx

@@ -30,8 +30,6 @@ import {
 } from "@/components/atoms/Tooltip/BaseTooltip";
 import { GraphMeta } from "@/lib/autogpt-server-api";
 import jaro from "jaro-winkler";
-import { getV1GetSpecificGraph } from "@/app/api/__generated__/endpoints/graphs/graphs";
-import { okData } from "@/app/api/helpers";
 
 type _Block = Omit<Block, "inputSchema" | "outputSchema"> & {
   uiKey?: string;
@@ -109,8 +107,6 @@ export function BlocksControl({
       .filter((b) => b.uiType !== BlockUIType.AGENT)
       .sort((a, b) => a.name.localeCompare(b.name));
 
-    // Agent blocks are created from GraphMeta which doesn't include schemas.
-    // Schemas will be fetched on-demand when the block is actually added.
     const agentBlockList = flows
       .map((flow): _Block => {
         return {
@@ -120,9 +116,8 @@ export function BlocksControl({
             `Ver.${flow.version}` +
             (flow.description ? ` | ${flow.description}` : ""),
           categories: [{ category: "AGENT", description: "" }],
-          // Empty schemas - will be populated when block is added
-          inputSchema: { type: "object", properties: {} },
-          outputSchema: { type: "object", properties: {} },
+          inputSchema: flow.input_schema,
+          outputSchema: flow.output_schema,
           staticOutput: false,
           uiType: BlockUIType.AGENT,
           costs: [],
@@ -130,7 +125,8 @@ export function BlocksControl({
           hardcodedValues: {
             graph_id: flow.id,
             graph_version: flow.version,
-            // Schemas will be fetched on-demand when block is added
+            input_schema: flow.input_schema,
+            output_schema: flow.output_schema,
           },
         };
       })
@@ -186,37 +182,6 @@ export function BlocksControl({
     setSelectedCategory(null);
   }, []);
 
-  // Handler to add a block, fetching graph data on-demand for agent blocks
-  const handleAddBlock = useCallback(
-    async (block: _Block & { notAvailable: string | null }) => {
-      if (block.notAvailable) return;
-
-      // For agent blocks, fetch the full graph to get schemas
-      if (block.uiType === BlockUIType.AGENT && block.hardcodedValues) {
-        const graphID = block.hardcodedValues.graph_id as string;
-        const graphVersion = block.hardcodedValues.graph_version as number;
-        const graphData = okData(
-          await getV1GetSpecificGraph(graphID, { version: graphVersion }),
-        );
-
-        if (graphData) {
-          addBlock(block.id, block.name, {
-            ...block.hardcodedValues,
-            input_schema: graphData.input_schema,
-            output_schema: graphData.output_schema,
-          });
-        } else {
-          // Fallback: add without schemas (will be incomplete)
-          console.error("Failed to fetch graph data for agent block");
-          addBlock(block.id, block.name, block.hardcodedValues || {});
-        }
-      } else {
-        addBlock(block.id, block.name, block.hardcodedValues || {});
-      }
-    },
-    [addBlock],
-  );
-
   // Extract unique categories from blocks
   const categories = useMemo(() => {
     return Array.from(
@@ -338,7 +303,10 @@ export function BlocksControl({
                       }),
                     );
                   }}
-                  onClick={() => handleAddBlock(block)}
+                  onClick={() =>
+                    !block.notAvailable &&
+                    addBlock(block.id, block.name, block?.hardcodedValues || {})
+                  }
                   title={block.notAvailable ?? undefined}
                 >
                   <div

autogpt_platform/frontend/src/app/(platform)/build/components/legacy-builder/Flow/Flow.tsx

@@ -29,17 +29,13 @@ import "@xyflow/react/dist/style.css";
 import { ConnectedEdge, CustomNode } from "../CustomNode/CustomNode";
 import "./flow.css";
 import {
-  BlockIORootSchema,
   BlockUIType,
   formatEdgeID,
   GraphExecutionID,
   GraphID,
   GraphMeta,
   LibraryAgent,
-  SpecialBlockID,
 } from "@/lib/autogpt-server-api";
-import { getV1GetSpecificGraph } from "@/app/api/__generated__/endpoints/graphs/graphs";
-import { okData } from "@/app/api/helpers";
 import { IncompatibilityInfo } from "../../../hooks/useSubAgentUpdate/types";
 import { Key, storage } from "@/services/storage/local-storage";
 import { findNewlyAddedBlockCoordinates, getTypeColor } from "@/lib/utils";
@@ -691,94 +687,8 @@ const FlowEditor: React.FC<{
     [getNode, updateNode, nodes],
   );
 
-  /* Shared helper to create and add a node */
-  const createAndAddNode = useCallback(
-    async (
-      blockID: string,
-      blockName: string,
-      hardcodedValues: Record<string, any>,
-      position: { x: number; y: number },
-    ): Promise<CustomNode | null> => {
-      const nodeSchema = availableBlocks.find((node) => node.id === blockID);
-      if (!nodeSchema) {
-        console.error(`Schema not found for block ID: ${blockID}`);
-        return null;
-      }
-
-      // For agent blocks, fetch the full graph to get schemas
-      let inputSchema: BlockIORootSchema = nodeSchema.inputSchema;
-      let outputSchema: BlockIORootSchema = nodeSchema.outputSchema;
-      let finalHardcodedValues = hardcodedValues;
-
-      if (blockID === SpecialBlockID.AGENT) {
-        const graphID = hardcodedValues.graph_id as string;
-        const graphVersion = hardcodedValues.graph_version as number;
-        const graphData = okData(
-          await getV1GetSpecificGraph(graphID, { version: graphVersion }),
-        );
-
-        if (graphData) {
-          inputSchema = graphData.input_schema as BlockIORootSchema;
-          outputSchema = graphData.output_schema as BlockIORootSchema;
-          finalHardcodedValues = {
-            ...hardcodedValues,
-            input_schema: graphData.input_schema,
-            output_schema: graphData.output_schema,
-          };
-        } else {
-          console.error("Failed to fetch graph data for agent block");
-        }
-      }
-
-      const newNode: CustomNode = {
-        id: nodeId.toString(),
-        type: "custom",
-        position,
-        data: {
-          blockType: blockName,
-          blockCosts: nodeSchema.costs || [],
-          title: `${blockName} ${nodeId}`,
-          description: nodeSchema.description,
-          categories: nodeSchema.categories,
-          inputSchema: inputSchema,
-          outputSchema: outputSchema,
-          hardcodedValues: finalHardcodedValues,
-          connections: [],
-          isOutputOpen: false,
-          block_id: blockID,
-          isOutputStatic: nodeSchema.staticOutput,
-          uiType: nodeSchema.uiType,
-        },
-      };
-
-      addNodes(newNode);
-      setNodeId((prevId) => prevId + 1);
-      clearNodesStatusAndOutput();
-
-      history.push({
-        type: "ADD_NODE",
-        payload: { node: { ...newNode, ...newNode.data } },
-        undo: () => deleteElements({ nodes: [{ id: newNode.id }] }),
-        redo: () => addNodes(newNode),
-      });
-
-      return newNode;
-    },
-    [
-      availableBlocks,
-      nodeId,
-      addNodes,
-      deleteElements,
-      clearNodesStatusAndOutput,
-    ],
-  );
-
   const addNode = useCallback(
-    async (
-      blockId: string,
-      nodeType: string,
-      hardcodedValues: Record<string, any> = {},
-    ) => {
+    (blockId: string, nodeType: string, hardcodedValues: any = {}) => {
       const nodeSchema = availableBlocks.find((node) => node.id === blockId);
       if (!nodeSchema) {
         console.error(`Schema not found for block ID: ${blockId}`);
@@ -797,42 +707,73 @@ const FlowEditor: React.FC<{
       // Alternative: We could also use D3 force, Intersection for this (React flow Pro examples)
 
       const { x, y } = getViewport();
-      const position =
+      const viewportCoordinates =
         nodeDimensions && Object.keys(nodeDimensions).length > 0
-          ? findNewlyAddedBlockCoordinates(
+          ? // we will get all the dimension of nodes, then store
+            findNewlyAddedBlockCoordinates(
               nodeDimensions,
               nodeSchema.uiType == BlockUIType.NOTE ? 300 : 500,
               60,
               1.0,
             )
-          : {
+          : // we will get all the dimension of nodes, then store
+            {
               x: window.innerWidth / 2 - x,
               y: window.innerHeight / 2 - y,
             };
 
-      const newNode = await createAndAddNode(
-        blockId,
-        nodeType,
-        hardcodedValues,
-        position,
-      );
-      if (!newNode) return;
+      const newNode: CustomNode = {
+        id: nodeId.toString(),
+        type: "custom",
+        position: viewportCoordinates, // Set the position to the calculated viewport center
+        data: {
+          blockType: nodeType,
+          blockCosts: nodeSchema.costs,
+          title: `${nodeType} ${nodeId}`,
+          description: nodeSchema.description,
+          categories: nodeSchema.categories,
+          inputSchema: nodeSchema.inputSchema,
+          outputSchema: nodeSchema.outputSchema,
+          hardcodedValues: hardcodedValues,
+          connections: [],
+          isOutputOpen: false,
+          block_id: blockId,
+          isOutputStatic: nodeSchema.staticOutput,
+          uiType: nodeSchema.uiType,
+        },
+      };
+
+      addNodes(newNode);
+      setNodeId((prevId) => prevId + 1);
+      clearNodesStatusAndOutput(); // Clear status and output when a new node is added
 
       setViewport(
         {
-          x: -position.x * 0.8 + (window.innerWidth - 0.0) / 2,
-          y: -position.y * 0.8 + (window.innerHeight - 400) / 2,
+          // Rough estimate of the dimension of the node is: 500x400px.
+          // Though we skip shifting the X, considering the block menu side-bar.
+          x: -viewportCoordinates.x * 0.8 + (window.innerWidth - 0.0) / 2,
+          y: -viewportCoordinates.y * 0.8 + (window.innerHeight - 400) / 2,
           zoom: 0.8,
         },
         { duration: 500 },
       );
+
+      history.push({
+        type: "ADD_NODE",
+        payload: { node: { ...newNode, ...newNode.data } },
+        undo: () => deleteElements({ nodes: [{ id: newNode.id }] }),
+        redo: () => addNodes(newNode),
+      });
     },
     [
+      nodeId,
       getViewport,
       setViewport,
       availableBlocks,
+      addNodes,
       nodeDimensions,
-      createAndAddNode,
+      deleteElements,
+      clearNodesStatusAndOutput,
     ],
   );
 
@@ -979,7 +920,7 @@ const FlowEditor: React.FC<{
   }, []);
 
   const onDrop = useCallback(
-    async (event: React.DragEvent) => {
+    (event: React.DragEvent) => {
       event.preventDefault();
 
       const blockData = event.dataTransfer.getData("application/reactflow");
@@ -994,17 +935,62 @@ const FlowEditor: React.FC<{
           y: event.clientY,
         });
 
-        await createAndAddNode(
-          blockId,
-          blockName,
-          hardcodedValues || {},
+        // Find the block schema
+        const nodeSchema = availableBlocks.find((node) => node.id === blockId);
+        if (!nodeSchema) {
+          console.error(`Schema not found for block ID: ${blockId}`);
+          return;
+        }
+
+        // Create the new node at the drop position
+        const newNode: CustomNode = {
+          id: nodeId.toString(),
+          type: "custom",
           position,
-        );
+          data: {
+            blockType: blockName,
+            blockCosts: nodeSchema.costs || [],
+            title: `${blockName} ${nodeId}`,
+            description: nodeSchema.description,
+            categories: nodeSchema.categories,
+            inputSchema: nodeSchema.inputSchema,
+            outputSchema: nodeSchema.outputSchema,
+            hardcodedValues: hardcodedValues,
+            connections: [],
+            isOutputOpen: false,
+            block_id: blockId,
+            uiType: nodeSchema.uiType,
+          },
+        };
+
+        history.push({
+          type: "ADD_NODE",
+          payload: { node: { ...newNode, ...newNode.data } },
+          undo: () => {
+            deleteElements({ nodes: [{ id: newNode.id } as any], edges: [] });
+          },
+          redo: () => {
+            addNodes([newNode]);
+          },
+        });
+        addNodes([newNode]);
+        clearNodesStatusAndOutput();
+
+        setNodeId((prevId) => prevId + 1);
       } catch (error) {
         console.error("Failed to drop block:", error);
       }
     },
-    [screenToFlowPosition, createAndAddNode],
+    [
+      nodeId,
+      availableBlocks,
+      nodes,
+      edges,
+      addNodes,
+      screenToFlowPosition,
+      deleteElements,
+      clearNodesStatusAndOutput,
+    ],
   );
 
   const buildContextValue: BuilderContextType = useMemo(

autogpt_platform/frontend/src/app/(platform)/build/components/legacy-builder/RunnerInputUI.tsx

@@ -4,13 +4,13 @@ import { AgentRunDraftView } from "@/app/(platform)/library/agents/[id]/componen
 import { Dialog } from "@/components/molecules/Dialog/Dialog";
 import type {
   CredentialsMetaInput,
-  Graph,
+  GraphMeta,
 } from "@/lib/autogpt-server-api/types";
 
 interface RunInputDialogProps {
   isOpen: boolean;
   doClose: () => void;
-  graph: Graph;
+  graph: GraphMeta;
   doRun?: (
     inputs: Record<string, any>,
     credentialsInputs: Record<string, CredentialsMetaInput>,

autogpt_platform/frontend/src/app/(platform)/build/components/legacy-builder/RunnerUIWrapper.tsx

@@ -9,13 +9,13 @@ import { CustomNodeData } from "@/app/(platform)/build/components/legacy-builder
 import {
   BlockUIType,
   CredentialsMetaInput,
-  Graph,
+  GraphMeta,
 } from "@/lib/autogpt-server-api/types";
 import RunnerOutputUI, { OutputNodeInfo } from "./RunnerOutputUI";
 import { RunnerInputDialog } from "./RunnerInputUI";
 
 interface RunnerUIWrapperProps {
-  graph: Graph;
+  graph: GraphMeta;
   nodes: Node<CustomNodeData>[];
   graphExecutionError?: string | null;
   saveAndRun: (

autogpt_platform/frontend/src/app/(platform)/build/hooks/useSubAgentUpdate/helpers.ts

@@ -1,5 +1,5 @@
 import { GraphInputSchema } from "@/lib/autogpt-server-api";
-import { GraphLike, IncompatibilityInfo } from "./types";
+import { GraphMetaLike, IncompatibilityInfo } from "./types";
 
 // Helper type for schema properties - the generated types are too loose
 type SchemaProperties = Record<string, GraphInputSchema["properties"][string]>;
@@ -36,7 +36,7 @@ export function getSchemaRequired(schema: unknown): SchemaRequired {
  */
 export function createUpdatedAgentNodeInputs(
   currentInputs: Record<string, unknown>,
-  latestSubGraphVersion: GraphLike,
+  latestSubGraphVersion: GraphMetaLike,
 ): Record<string, unknown> {
   return {
     ...currentInputs,

autogpt_platform/frontend/src/app/(platform)/build/hooks/useSubAgentUpdate/types.ts

@@ -1,11 +1,7 @@
-import type {
-  Graph as LegacyGraph,
-  GraphMeta as LegacyGraphMeta,
-} from "@/lib/autogpt-server-api";
-import type { GraphModel as GeneratedGraph } from "@/app/api/__generated__/models/graphModel";
+import type { GraphMeta as LegacyGraphMeta } from "@/lib/autogpt-server-api";
 import type { GraphMeta as GeneratedGraphMeta } from "@/app/api/__generated__/models/graphMeta";
 
-export type SubAgentUpdateInfo<T extends GraphLike = GraphLike> = {
+export type SubAgentUpdateInfo<T extends GraphMetaLike = GraphMetaLike> = {
   hasUpdate: boolean;
   currentVersion: number;
   latestVersion: number;
@@ -14,10 +10,7 @@ export type SubAgentUpdateInfo<T extends GraphLike = GraphLike> = {
   incompatibilities: IncompatibilityInfo | null;
 };
 
-// Union type for Graph (with schemas) that works with both legacy and new builder
-export type GraphLike = LegacyGraph | GeneratedGraph;
-
-// Union type for GraphMeta (without schemas) for version detection
+// Union type for GraphMeta that works with both legacy and new builder
 export type GraphMetaLike = LegacyGraphMeta | GeneratedGraphMeta;
 
 export type IncompatibilityInfo = {

autogpt_platform/frontend/src/app/(platform)/build/hooks/useSubAgentUpdate/useSubAgentUpdate.ts

@@ -1,11 +1,5 @@
 import { useMemo } from "react";
-import type {
-  GraphInputSchema,
-  GraphOutputSchema,
-} from "@/lib/autogpt-server-api";
-import type { GraphModel } from "@/app/api/__generated__/models/graphModel";
-import { useGetV1GetSpecificGraph } from "@/app/api/__generated__/endpoints/graphs/graphs";
-import { okData } from "@/app/api/helpers";
+import { GraphInputSchema, GraphOutputSchema } from "@/lib/autogpt-server-api";
 import { getEffectiveType } from "@/lib/utils";
 import { EdgeLike, getSchemaProperties, getSchemaRequired } from "./helpers";
 import {
@@ -17,38 +11,26 @@ import {
 /**
  * Checks if a newer version of a sub-agent is available and determines compatibility
  */
-export function useSubAgentUpdate(
+export function useSubAgentUpdate<T extends GraphMetaLike>(
   nodeID: string,
   graphID: string | undefined,
   graphVersion: number | undefined,
   currentInputSchema: GraphInputSchema | undefined,
   currentOutputSchema: GraphOutputSchema | undefined,
   connections: EdgeLike[],
-  availableGraphs: GraphMetaLike[],
-): SubAgentUpdateInfo<GraphModel> {
+  availableGraphs: T[],
+): SubAgentUpdateInfo<T> {
   // Find the latest version of the same graph
-  const latestGraphInfo = useMemo(() => {
+  const latestGraph = useMemo(() => {
     if (!graphID) return null;
     return availableGraphs.find((graph) => graph.id === graphID) || null;
   }, [graphID, availableGraphs]);
 
-  // Check if there's a newer version available
+  // Check if there's an update available
   const hasUpdate = useMemo(() => {
-    if (!latestGraphInfo || graphVersion === undefined) return false;
-    return latestGraphInfo.version! > graphVersion;
-  }, [latestGraphInfo, graphVersion]);
-
-  // Fetch full graph IF an update is detected
-  const { data: latestGraph } = useGetV1GetSpecificGraph(
-    graphID ?? "",
-    { version: latestGraphInfo?.version },
-    {
-      query: {
-        enabled: hasUpdate && !!graphID && !!latestGraphInfo?.version,
-        select: okData,
-      },
-    },
-  );
+    if (!latestGraph || graphVersion === undefined) return false;
+    return latestGraph.version! > graphVersion;
+  }, [latestGraph, graphVersion]);
 
   // Get connected input and output handles for this specific node
   const connectedHandles = useMemo(() => {
@@ -170,8 +152,8 @@ export function useSubAgentUpdate(
   return {
     hasUpdate,
     currentVersion: graphVersion || 0,
-    latestVersion: latestGraphInfo?.version || 0,
-    latestGraph: latestGraph || null,
+    latestVersion: latestGraph?.version || 0,
+    latestGraph,
     isCompatible: compatibilityResult.isCompatible,
     incompatibilities: compatibilityResult.incompatibilities,
   };

autogpt_platform/frontend/src/app/(platform)/build/stores/graphStore.ts

@@ -18,7 +18,7 @@ interface GraphStore {
     outputSchema: Record<string, any> | null,
   ) => void;
 
-  // Available graphs; used for sub-graph updated version detection
+  // Available graphs; used for sub-graph updates
   availableSubGraphs: GraphMeta[];
   setAvailableSubGraphs: (graphs: GraphMeta[]) => void;
 

autogpt_platform/frontend/src/app/(platform)/library/agents/[id]/components/OldAgentLibraryView/components/agent-run-draft-view.tsx

@@ -10,8 +10,8 @@ import React, {
 import {
   CredentialsMetaInput,
   CredentialsType,
-  Graph,
   GraphExecutionID,
+  GraphMeta,
   LibraryAgentPreset,
   LibraryAgentPresetID,
   LibraryAgentPresetUpdatable,
@@ -69,7 +69,7 @@ export function AgentRunDraftView({
   className,
   recommendedScheduleCron,
 }: {
-  graph: Graph;
+  graph: GraphMeta;
   agentActions?: ButtonAction[];
   recommendedScheduleCron?: string | null;
   doRun?: (

autogpt_platform/frontend/src/app/(platform)/library/agents/[id]/components/OldAgentLibraryView/components/agent-schedule-details-view.tsx

@@ -2,8 +2,8 @@
 import React, { useCallback, useMemo } from "react";
 
 import {
-  Graph,
   GraphExecutionID,
+  GraphMeta,
   Schedule,
   ScheduleID,
 } from "@/lib/autogpt-server-api";
@@ -35,7 +35,7 @@ export function AgentScheduleDetailsView({
   onForcedRun,
   doDeleteSchedule,
 }: {
-  graph: Graph;
+  graph: GraphMeta;
   schedule: Schedule;
   agentActions: ButtonAction[];
   onForcedRun: (runID: GraphExecutionID) => void;

autogpt_platform/frontend/src/app/api/openapi.json

@@ -5629,9 +5629,7 @@
             "description": "Successful Response",
             "content": {
               "application/json": {
-                "schema": {
-                  "$ref": "#/components/schemas/GraphModelWithoutNodes"
-                }
+                "schema": { "$ref": "#/components/schemas/GraphMeta" }
               }
             }
           },
@@ -6497,6 +6495,18 @@
             "anyOf": [{ "type": "string" }, { "type": "null" }],
             "title": "Recommended Schedule Cron"
           },
+          "nodes": {
+            "items": { "$ref": "#/components/schemas/Node" },
+            "type": "array",
+            "title": "Nodes",
+            "default": []
+          },
+          "links": {
+            "items": { "$ref": "#/components/schemas/Link" },
+            "type": "array",
+            "title": "Links",
+            "default": []
+          },
           "forked_from_id": {
             "anyOf": [{ "type": "string" }, { "type": "null" }],
             "title": "Forked From Id"
@@ -6504,22 +6514,11 @@
           "forked_from_version": {
             "anyOf": [{ "type": "integer" }, { "type": "null" }],
             "title": "Forked From Version"
-          },
-          "nodes": {
-            "items": { "$ref": "#/components/schemas/Node" },
-            "type": "array",
-            "title": "Nodes"
-          },
-          "links": {
-            "items": { "$ref": "#/components/schemas/Link" },
-            "type": "array",
-            "title": "Links"
           }
         },
         "type": "object",
         "required": ["name", "description"],
-        "title": "BaseGraph",
-        "description": "Graph with nodes, links, and computed I/O schema fields.\n\nUsed to represent sub-graphs within a `Graph`. Contains the full graph\nstructure including nodes and links, plus computed fields for schemas\nand trigger info. Does NOT include user_id or created_at (see GraphModel)."
+        "title": "BaseGraph"
       },
       "BaseGraph-Output": {
         "properties": {
@@ -6540,6 +6539,18 @@
             "anyOf": [{ "type": "string" }, { "type": "null" }],
             "title": "Recommended Schedule Cron"
           },
+          "nodes": {
+            "items": { "$ref": "#/components/schemas/Node" },
+            "type": "array",
+            "title": "Nodes",
+            "default": []
+          },
+          "links": {
+            "items": { "$ref": "#/components/schemas/Link" },
+            "type": "array",
+            "title": "Links",
+            "default": []
+          },
           "forked_from_id": {
             "anyOf": [{ "type": "string" }, { "type": "null" }],
             "title": "Forked From Id"
@@ -6548,16 +6559,6 @@
             "anyOf": [{ "type": "integer" }, { "type": "null" }],
             "title": "Forked From Version"
           },
-          "nodes": {
-            "items": { "$ref": "#/components/schemas/Node" },
-            "type": "array",
-            "title": "Nodes"
-          },
-          "links": {
-            "items": { "$ref": "#/components/schemas/Link" },
-            "type": "array",
-            "title": "Links"
-          },
           "input_schema": {
             "additionalProperties": true,
             "type": "object",
@@ -6604,8 +6605,7 @@
           "has_sensitive_action",
           "trigger_setup_info"
         ],
-        "title": "BaseGraph",
-        "description": "Graph with nodes, links, and computed I/O schema fields.\n\nUsed to represent sub-graphs within a `Graph`. Contains the full graph\nstructure including nodes and links, plus computed fields for schemas\nand trigger info. Does NOT include user_id or created_at (see GraphModel)."
+        "title": "BaseGraph"
       },
       "BlockCategoryResponse": {
         "properties": {
@@ -7399,6 +7399,18 @@
             "anyOf": [{ "type": "string" }, { "type": "null" }],
             "title": "Recommended Schedule Cron"
           },
+          "nodes": {
+            "items": { "$ref": "#/components/schemas/Node" },
+            "type": "array",
+            "title": "Nodes",
+            "default": []
+          },
+          "links": {
+            "items": { "$ref": "#/components/schemas/Link" },
+            "type": "array",
+            "title": "Links",
+            "default": []
+          },
           "forked_from_id": {
             "anyOf": [{ "type": "string" }, { "type": "null" }],
             "title": "Forked From Id"
@@ -7407,26 +7419,16 @@
             "anyOf": [{ "type": "integer" }, { "type": "null" }],
             "title": "Forked From Version"
           },
-          "nodes": {
-            "items": { "$ref": "#/components/schemas/Node" },
-            "type": "array",
-            "title": "Nodes"
-          },
-          "links": {
-            "items": { "$ref": "#/components/schemas/Link" },
-            "type": "array",
-            "title": "Links"
-          },
           "sub_graphs": {
             "items": { "$ref": "#/components/schemas/BaseGraph-Input" },
             "type": "array",
-            "title": "Sub Graphs"
+            "title": "Sub Graphs",
+            "default": []
           }
         },
         "type": "object",
         "required": ["name", "description"],
-        "title": "Graph",
-        "description": "Creatable graph model used in API create/update endpoints."
+        "title": "Graph"
       },
       "GraphExecution": {
         "properties": {
@@ -7778,7 +7780,7 @@
       "GraphMeta": {
         "properties": {
           "id": { "type": "string", "title": "Id" },
-          "version": { "type": "integer", "title": "Version" },
+          "version": { "type": "integer", "title": "Version", "default": 1 },
           "is_active": {
             "type": "boolean",
             "title": "Is Active",
@@ -7802,24 +7804,68 @@
             "anyOf": [{ "type": "integer" }, { "type": "null" }],
             "title": "Forked From Version"
           },
+          "sub_graphs": {
+            "items": { "$ref": "#/components/schemas/BaseGraph-Output" },
+            "type": "array",
+            "title": "Sub Graphs",
+            "default": []
+          },
           "user_id": { "type": "string", "title": "User Id" },
-          "created_at": {
-            "type": "string",
-            "format": "date-time",
-            "title": "Created At"
+          "input_schema": {
+            "additionalProperties": true,
+            "type": "object",
+            "title": "Input Schema",
+            "readOnly": true
+          },
+          "output_schema": {
+            "additionalProperties": true,
+            "type": "object",
+            "title": "Output Schema",
+            "readOnly": true
+          },
+          "has_external_trigger": {
+            "type": "boolean",
+            "title": "Has External Trigger",
+            "readOnly": true
+          },
+          "has_human_in_the_loop": {
+            "type": "boolean",
+            "title": "Has Human In The Loop",
+            "readOnly": true
+          },
+          "has_sensitive_action": {
+            "type": "boolean",
+            "title": "Has Sensitive Action",
+            "readOnly": true
+          },
+          "trigger_setup_info": {
+            "anyOf": [
+              { "$ref": "#/components/schemas/GraphTriggerInfo" },
+              { "type": "null" }
+            ],
+            "readOnly": true
+          },
+          "credentials_input_schema": {
+            "additionalProperties": true,
+            "type": "object",
+            "title": "Credentials Input Schema",
+            "readOnly": true
           }
         },
         "type": "object",
         "required": [
-          "id",
-          "version",
           "name",
           "description",
           "user_id",
-          "created_at"
+          "input_schema",
+          "output_schema",
+          "has_external_trigger",
+          "has_human_in_the_loop",
+          "has_sensitive_action",
+          "trigger_setup_info",
+          "credentials_input_schema"
         ],
-        "title": "GraphMeta",
-        "description": "Lightweight graph metadata model representing an existing graph from the database,\nfor use in listings and summaries.\n\nLacks `GraphModel`'s nodes, links, and expensive computed fields.\nUse for list endpoints where full graph data is not needed and performance matters."
+        "title": "GraphMeta"
       },
       "GraphModel": {
         "properties": {
@@ -7840,111 +7886,17 @@
             "anyOf": [{ "type": "string" }, { "type": "null" }],
             "title": "Recommended Schedule Cron"
           },
-          "forked_from_id": {
-            "anyOf": [{ "type": "string" }, { "type": "null" }],
-            "title": "Forked From Id"
-          },
-          "forked_from_version": {
-            "anyOf": [{ "type": "integer" }, { "type": "null" }],
-            "title": "Forked From Version"
-          },
-          "user_id": { "type": "string", "title": "User Id" },
-          "created_at": {
-            "type": "string",
-            "format": "date-time",
-            "title": "Created At"
-          },
           "nodes": {
             "items": { "$ref": "#/components/schemas/NodeModel" },
             "type": "array",
-            "title": "Nodes"
+            "title": "Nodes",
+            "default": []
           },
           "links": {
             "items": { "$ref": "#/components/schemas/Link" },
             "type": "array",
-            "title": "Links"
-          },
-          "sub_graphs": {
-            "items": { "$ref": "#/components/schemas/BaseGraph-Output" },
-            "type": "array",
-            "title": "Sub Graphs"
-          },
-          "input_schema": {
-            "additionalProperties": true,
-            "type": "object",
-            "title": "Input Schema",
-            "readOnly": true
-          },
-          "output_schema": {
-            "additionalProperties": true,
-            "type": "object",
-            "title": "Output Schema",
-            "readOnly": true
-          },
-          "has_external_trigger": {
-            "type": "boolean",
-            "title": "Has External Trigger",
-            "readOnly": true
-          },
-          "has_human_in_the_loop": {
-            "type": "boolean",
-            "title": "Has Human In The Loop",
-            "readOnly": true
-          },
-          "has_sensitive_action": {
-            "type": "boolean",
-            "title": "Has Sensitive Action",
-            "readOnly": true
-          },
-          "trigger_setup_info": {
-            "anyOf": [
-              { "$ref": "#/components/schemas/GraphTriggerInfo" },
-              { "type": "null" }
-            ],
-            "readOnly": true
-          },
-          "credentials_input_schema": {
-            "additionalProperties": true,
-            "type": "object",
-            "title": "Credentials Input Schema",
-            "readOnly": true
-          }
-        },
-        "type": "object",
-        "required": [
-          "name",
-          "description",
-          "user_id",
-          "created_at",
-          "input_schema",
-          "output_schema",
-          "has_external_trigger",
-          "has_human_in_the_loop",
-          "has_sensitive_action",
-          "trigger_setup_info",
-          "credentials_input_schema"
-        ],
-        "title": "GraphModel",
-        "description": "Full graph model representing an existing graph from the database.\n\nThis is the primary model for working with persisted graphs. Includes all\ngraph data (nodes, links, sub_graphs) plus user ownership and timestamps.\nProvides computed fields (input_schema, output_schema, etc.) used during\nset-up (frontend) and execution (backend).\n\nInherits from:\n- `Graph`: provides structure (nodes, links, sub_graphs) and computed schemas\n- `GraphMeta`: provides user_id, created_at for database records"
-      },
-      "GraphModelWithoutNodes": {
-        "properties": {
-          "id": { "type": "string", "title": "Id" },
-          "version": { "type": "integer", "title": "Version", "default": 1 },
-          "is_active": {
-            "type": "boolean",
-            "title": "Is Active",
-            "default": true
-          },
-          "name": { "type": "string", "title": "Name" },
-          "description": { "type": "string", "title": "Description" },
-          "instructions": {
-            "anyOf": [{ "type": "string" }, { "type": "null" }],
-            "title": "Instructions"
-          },
-          "recommended_schedule_cron": {
-            "anyOf": [{ "type": "string" }, { "type": "null" }],
-            "title": "Recommended Schedule Cron"
+            "title": "Links",
+            "default": []
           },
           "forked_from_id": {
             "anyOf": [{ "type": "string" }, { "type": "null" }],
@@ -7954,6 +7906,12 @@
             "anyOf": [{ "type": "integer" }, { "type": "null" }],
             "title": "Forked From Version"
           },
+          "sub_graphs": {
+            "items": { "$ref": "#/components/schemas/BaseGraph-Output" },
+            "type": "array",
+            "title": "Sub Graphs",
+            "default": []
+          },
           "user_id": { "type": "string", "title": "User Id" },
           "created_at": {
             "type": "string",
@@ -8015,8 +7973,7 @@
           "trigger_setup_info",
           "credentials_input_schema"
         ],
-        "title": "GraphModelWithoutNodes",
-        "description": "GraphModel variant that excludes nodes, links, and sub-graphs from serialization.\n\nUsed in contexts like the store where exposing internal graph structure\nis not desired. Inherits all computed fields from GraphModel but marks\nnodes and links as excluded from JSON output."
+        "title": "GraphModel"
       },
       "GraphSettings": {
         "properties": {
@@ -8656,22 +8613,26 @@
           "input_default": {
             "additionalProperties": true,
             "type": "object",
-            "title": "Input Default"
+            "title": "Input Default",
+            "default": {}
           },
           "metadata": {
             "additionalProperties": true,
             "type": "object",
-            "title": "Metadata"
+            "title": "Metadata",
+            "default": {}
           },
           "input_links": {
             "items": { "$ref": "#/components/schemas/Link" },
             "type": "array",
-            "title": "Input Links"
+            "title": "Input Links",
+            "default": []
           },
           "output_links": {
             "items": { "$ref": "#/components/schemas/Link" },
             "type": "array",
-            "title": "Output Links"
+            "title": "Output Links",
+            "default": []
           }
         },
         "type": "object",
@@ -8751,22 +8712,26 @@
           "input_default": {
             "additionalProperties": true,
             "type": "object",
-            "title": "Input Default"
+            "title": "Input Default",
+            "default": {}
           },
           "metadata": {
             "additionalProperties": true,
             "type": "object",
-            "title": "Metadata"
+            "title": "Metadata",
+            "default": {}
           },
           "input_links": {
             "items": { "$ref": "#/components/schemas/Link" },
             "type": "array",
-            "title": "Input Links"
+            "title": "Input Links",
+            "default": []
           },
           "output_links": {
             "items": { "$ref": "#/components/schemas/Link" },
             "type": "array",
-            "title": "Output Links"
+            "title": "Output Links",
+            "default": []
           },
           "graph_id": { "type": "string", "title": "Graph Id" },
           "graph_version": { "type": "integer", "title": "Graph Version" },

autogpt_platform/frontend/src/components/contextual/Chat/components/ChatMessage/ChatMessage.tsx

@@ -102,6 +102,18 @@ export function ChatMessage({
     }
   }
 
+  function handleClarificationAnswers(answers: Record<string, string>) {
+    if (onSendMessage) {
+      const contextMessage = Object.entries(answers)
+        .map(([keyword, answer]) => `${keyword}: ${answer}`)
+        .join("\n");
+
+      onSendMessage(
+        `I have the answers to your questions:\n\n${contextMessage}\n\nPlease proceed with creating the agent.`,
+      );
+    }
+  }
+
   const handleCopy = useCallback(
     async function handleCopy() {
       if (message.type !== "message") return;
@@ -150,22 +162,6 @@ export function ChatMessage({
         .slice(index + 1)
         .some((m) => m.type === "message" && m.role === "user");
 
-    const handleClarificationAnswers = (answers: Record<string, string>) => {
-      if (onSendMessage) {
-        // Iterate over questions (preserves original order) instead of answers
-        const contextMessage = message.questions
-          .map((q) => {
-            const answer = answers[q.keyword] || "";
-            return `> ${q.question}\n\n${answer}`;
-          })
-          .join("\n\n");
-
-        onSendMessage(
-          `**Here are my answers:**\n\n${contextMessage}\n\nPlease proceed with creating the agent.`,
-        );
-      }
-    };
-
     return (
       <ClarificationQuestionsWidget
         questions={message.questions}

autogpt_platform/frontend/src/components/contextual/Chat/components/ThinkingMessage/ThinkingMessage.tsx

@@ -19,13 +19,13 @@ export function ThinkingMessage({ className }: ThinkingMessageProps) {
     if (timerRef.current === null) {
       timerRef.current = setTimeout(() => {
         setShowSlowLoader(true);
-      }, 8000);
+      }, 3000);
     }
 
     if (coffeeTimerRef.current === null) {
       coffeeTimerRef.current = setTimeout(() => {
         setShowCoffeeMessage(true);
-      }, 10000);
+      }, 8000);
     }
 
     return () => {

autogpt_platform/frontend/src/components/contextual/GoogleDrivePicker/helpers.ts

@@ -4,9 +4,7 @@ import { loadScript } from "@/services/scripts/scripts";
 export async function loadGoogleAPIPicker(): Promise<void> {
   validateWindow();
 
-  await loadScript("https://apis.google.com/js/api.js", {
-    referrerPolicy: "no-referrer-when-downgrade",
-  });
+  await loadScript("https://apis.google.com/js/api.js");
 
   const googleAPI = window.gapi;
   if (!googleAPI) {
@@ -29,9 +27,7 @@ export async function loadGoogleIdentityServices(): Promise<void> {
     throw new Error("Google Identity Services cannot load on server");
   }
 
-  await loadScript("https://accounts.google.com/gsi/client", {
-    referrerPolicy: "no-referrer-when-downgrade",
-  });
+  await loadScript("https://accounts.google.com/gsi/client");
 
   const google = window.google;
   if (!google?.accounts?.oauth2) {

autogpt_platform/frontend/src/lib/autogpt-server-api/types.ts

@@ -362,14 +362,25 @@ export type GraphMeta = {
   user_id: UserID;
   version: number;
   is_active: boolean;
-  created_at: Date;
   name: string;
   description: string;
   instructions?: string | null;
   recommended_schedule_cron: string | null;
   forked_from_id?: GraphID | null;
   forked_from_version?: number | null;
-};
+  input_schema: GraphInputSchema;
+  output_schema: GraphOutputSchema;
+  credentials_input_schema: CredentialsInputSchema;
+} & (
+  | {
+      has_external_trigger: true;
+      trigger_setup_info: GraphTriggerInfo;
+    }
+  | {
+      has_external_trigger: false;
+      trigger_setup_info: null;
+    }
+);
 
 export type GraphID = Brand<string, "GraphID">;
 
@@ -436,22 +447,11 @@ export type GraphTriggerInfo = {
 
 /* Mirror of backend/data/graph.py:Graph */
 export type Graph = GraphMeta & {
+  created_at: Date;
   nodes: Node[];
   links: Link[];
   sub_graphs: Omit<Graph, "sub_graphs">[]; // Flattened sub-graphs
-  input_schema: GraphInputSchema;
-  output_schema: GraphOutputSchema;
-  credentials_input_schema: CredentialsInputSchema;
-} & (
-    | {
-        has_external_trigger: true;
-        trigger_setup_info: GraphTriggerInfo;
-      }
-    | {
-        has_external_trigger: false;
-        trigger_setup_info: null;
-      }
-  );
+};
 
 export type GraphUpdateable = Omit<
   Graph,