feat: only run CLA automation for PRs touching autogpt_platform/

CLA check still runs on all PRs (CLA-assistant config).
But label automation, reminders, and auto-close only apply to
platform code (Polyform Shield License).

Uses simple first-page check (per_page: 100) - covers 99%+ of PRs.

.github/workflows/cla-label-sync.yml

@@ -0,0 +1,412 @@
+name: CLA Label Sync
+
+on:
+  # Real-time: when CLA status changes (CLA-assistant uses Status API)
+  status:
+  
+  # When PRs are opened or updated
+  pull_request_target:
+    types: [opened, synchronize, reopened]
+  
+  # Scheduled sweep - check stale PRs daily
+  schedule:
+    - cron: '0 9 * * *'  # 9 AM UTC daily
+  
+  # Manual trigger for testing
+  workflow_dispatch:
+    inputs:
+      pr_number:
+        description: 'Specific PR number to check (optional)'
+        required: false
+
+permissions:
+  pull-requests: write
+  contents: read
+  statuses: read
+  checks: read
+
+env:
+  CLA_CHECK_NAME: 'license/cla'
+  LABEL_PENDING: 'cla: pending'
+  LABEL_SIGNED: 'cla: signed'
+  # Timing configuration (all independently configurable)
+  REMINDER_DAYS: 3        # Days before first reminder
+  CLOSE_WARNING_DAYS: 7   # Days before "closing soon" warning
+  CLOSE_DAYS: 10          # Days before auto-close
+
+jobs:
+  sync-labels:
+    runs-on: ubuntu-latest
+    # Only run on status events if it's the CLA check
+    if: github.event_name != 'status' || github.event.context == 'license/cla'
+    
+    steps:
+      - name: Ensure CLA labels exist
+        uses: actions/github-script@v7
+        with:
+          script: |
+            const labels = [
+              { name: 'cla: pending', color: 'fbca04', description: 'CLA not yet signed by all contributors' },
+              { name: 'cla: signed', color: '0e8a16', description: 'CLA signed by all contributors' }
+            ];
+            
+            for (const label of labels) {
+              try {
+                await github.rest.issues.getLabel({
+                  owner: context.repo.owner,
+                  repo: context.repo.repo,
+                  name: label.name
+                });
+              } catch (e) {
+                if (e.status === 404) {
+                  await github.rest.issues.createLabel({
+                    owner: context.repo.owner,
+                    repo: context.repo.repo,
+                    name: label.name,
+                    color: label.color,
+                    description: label.description
+                  });
+                  console.log(`Created label: ${label.name}`);
+                }
+              }
+            }
+
+      - name: Sync CLA labels and handle stale PRs
+        uses: actions/github-script@v7
+        with:
+          script: |
+            const CLA_CHECK_NAME = process.env.CLA_CHECK_NAME;
+            const LABEL_PENDING = process.env.LABEL_PENDING;
+            const LABEL_SIGNED = process.env.LABEL_SIGNED;
+            const REMINDER_DAYS = parseInt(process.env.REMINDER_DAYS);
+            const CLOSE_WARNING_DAYS = parseInt(process.env.CLOSE_WARNING_DAYS);
+            const CLOSE_DAYS = parseInt(process.env.CLOSE_DAYS);
+            
+            // Validate timing configuration
+            if ([REMINDER_DAYS, CLOSE_WARNING_DAYS, CLOSE_DAYS].some(Number.isNaN)) {
+              core.setFailed('Invalid timing configuration — REMINDER_DAYS, CLOSE_WARNING_DAYS, and CLOSE_DAYS must be numeric.');
+              return;
+            }
+            if (!(REMINDER_DAYS < CLOSE_WARNING_DAYS && CLOSE_WARNING_DAYS < CLOSE_DAYS)) {
+              core.warning(`Timing order looks odd: REMINDER(${REMINDER_DAYS}) < WARNING(${CLOSE_WARNING_DAYS}) < CLOSE(${CLOSE_DAYS}) expected.`);
+            }
+            
+            const CLA_SIGN_URL = `https://cla-assistant.io/${context.repo.owner}/${context.repo.repo}`;
+            
+            // Helper: Get CLA status for a commit
+            async function getClaStatus(headSha) {
+              // CLA-assistant uses the commit status API (not checks API)
+              const { data: statuses } = await github.rest.repos.getCombinedStatusForRef({
+                owner: context.repo.owner,
+                repo: context.repo.repo,
+                ref: headSha
+              });
+              
+              const claStatus = statuses.statuses.find(
+                s => s.context === CLA_CHECK_NAME
+              );
+              
+              if (claStatus) {
+                return {
+                  found: true,
+                  passed: claStatus.state === 'success',
+                  state: claStatus.state,
+                  description: claStatus.description
+                };
+              }
+              
+              // Fallback: check the Checks API too
+              const { data: checkRuns } = await github.rest.checks.listForRef({
+                owner: context.repo.owner,
+                repo: context.repo.repo,
+                ref: headSha
+              });
+              
+              const claCheck = checkRuns.check_runs.find(
+                check => check.name === CLA_CHECK_NAME
+              );
+              
+              if (claCheck) {
+                return {
+                  found: true,
+                  passed: claCheck.conclusion === 'success',
+                  state: claCheck.conclusion,
+                  description: claCheck.output?.summary || ''
+                };
+              }
+              
+              return { found: false, passed: false, state: 'unknown' };
+            }
+            
+            // Helper: Check if bot already commented with a specific marker (paginated)
+            async function hasCommentWithMarker(prNumber, marker) {
+              // Use paginate to fetch ALL comments, not just first 100
+              const comments = await github.paginate(
+                github.rest.issues.listComments,
+                {
+                  owner: context.repo.owner,
+                  repo: context.repo.repo,
+                  issue_number: prNumber,
+                  per_page: 100
+                }
+              );
+              
+              return comments.some(c => 
+                c.user?.type === 'Bot' && 
+                c.body?.includes(marker)
+              );
+            }
+            
+            // Helper: Days since a date
+            function daysSince(dateString) {
+              const date = new Date(dateString);
+              const now = new Date();
+              return Math.floor((now - date) / (1000 * 60 * 60 * 24));
+            }
+            
+            // Determine which PRs to check
+            let prsToCheck = [];
+            
+            if (context.eventName === 'status') {
+              // Status event from CLA-assistant - find PRs with this commit
+              const sha = context.payload.sha;
+              console.log(`Status event for SHA: ${sha}, context: ${context.payload.context}`);
+              
+              // Search for open PRs with this head SHA
+              const { data: prs } = await github.rest.pulls.list({
+                owner: context.repo.owner,
+                repo: context.repo.repo,
+                state: 'open',
+                per_page: 100
+              });
+              prsToCheck = prs.filter(pr => pr.head.sha === sha).map(pr => pr.number);
+              
+              if (prsToCheck.length === 0) {
+                console.log('No open PRs found with this SHA');
+                return;
+              }
+              
+            } else if (context.eventName === 'pull_request_target') {
+              prsToCheck = [context.payload.pull_request.number];
+              
+            } else if (context.eventName === 'workflow_dispatch' && context.payload.inputs?.pr_number) {
+              prsToCheck = [parseInt(context.payload.inputs.pr_number)];
+              
+            } else {
+              // Scheduled run: check all open PRs (paginated to handle >100 PRs)
+              const openPRs = await github.paginate(
+                github.rest.pulls.list,
+                {
+                  owner: context.repo.owner,
+                  repo: context.repo.repo,
+                  state: 'open',
+                  per_page: 100
+                }
+              );
+              prsToCheck = openPRs.map(pr => pr.number);
+            }
+            
+            console.log(`Checking ${prsToCheck.length} PR(s): ${prsToCheck.join(', ')}`);
+            
+            for (const prNumber of prsToCheck) {
+              try {
+                // Get PR details
+                const { data: pr } = await github.rest.pulls.get({
+                  owner: context.repo.owner,
+                  repo: context.repo.repo,
+                  pull_number: prNumber
+                });
+                
+                // Skip if PR is from a bot
+                if (pr.user.type === 'Bot') {
+                  console.log(`PR #${prNumber}: Skipping bot PR`);
+                  continue;
+                }
+                
+                // Skip if PR is not open (closed/merged)
+                if (pr.state !== 'open') {
+                  console.log(`PR #${prNumber}: Skipping non-open PR (state=${pr.state})`);
+                  continue;
+                }
+                
+                // Skip if PR doesn't touch platform code (CLA automation only for autogpt_platform/)
+                const PLATFORM_PATH = 'autogpt_platform/';
+                const { data: files } = await github.rest.pulls.listFiles({
+                  owner: context.repo.owner,
+                  repo: context.repo.repo,
+                  pull_number: prNumber,
+                  per_page: 100
+                });
+                const touchesPlatform = files.some(f => f.filename.startsWith(PLATFORM_PATH));
+                if (!touchesPlatform) {
+                  console.log(`PR #${prNumber}: Skipping - doesn't touch ${PLATFORM_PATH}`);
+                  continue;
+                }
+                
+                const claStatus = await getClaStatus(pr.head.sha);
+                const currentLabels = pr.labels.map(l => l.name);
+                const hasPending = currentLabels.includes(LABEL_PENDING);
+                const hasSigned = currentLabels.includes(LABEL_SIGNED);
+                const prAgeDays = daysSince(pr.created_at);
+                
+                console.log(`PR #${prNumber}: CLA ${claStatus.passed ? 'passed' : 'pending'} (${claStatus.state}), age: ${prAgeDays} days`);
+                
+                if (claStatus.passed) {
+                  // ✅ CLA signed - add signed label, remove pending
+                  if (!hasSigned) {
+                    await github.rest.issues.addLabels({
+                      owner: context.repo.owner,
+                      repo: context.repo.repo,
+                      issue_number: prNumber,
+                      labels: [LABEL_SIGNED]
+                    });
+                    console.log(`Added '${LABEL_SIGNED}' to PR #${prNumber}`);
+                  }
+                  if (hasPending) {
+                    await github.rest.issues.removeLabel({
+                      owner: context.repo.owner,
+                      repo: context.repo.repo,
+                      issue_number: prNumber,
+                      name: LABEL_PENDING
+                    });
+                    console.log(`Removed '${LABEL_PENDING}' from PR #${prNumber}`);
+                  }
+                  
+                } else {
+                  // ⏳ CLA pending
+                  
+                  // Add pending label if not present
+                  if (!hasPending) {
+                    await github.rest.issues.addLabels({
+                      owner: context.repo.owner,
+                      repo: context.repo.repo,
+                      issue_number: prNumber,
+                      labels: [LABEL_PENDING]
+                    });
+                    console.log(`Added '${LABEL_PENDING}' to PR #${prNumber}`);
+                  }
+                  if (hasSigned) {
+                    await github.rest.issues.removeLabel({
+                      owner: context.repo.owner,
+                      repo: context.repo.repo,
+                      issue_number: prNumber,
+                      name: LABEL_SIGNED
+                    });
+                    console.log(`Removed '${LABEL_SIGNED}' from PR #${prNumber}`);
+                  }
+                  
+                  // Check if we need to send reminder or close
+                  const REMINDER_MARKER = '<!-- cla-reminder -->';
+                  const CLOSE_WARNING_MARKER = '<!-- cla-close-warning -->';
+                  
+                  // 📢 Reminder after REMINDER_DAYS (but before warning window)
+                  if (prAgeDays >= REMINDER_DAYS && prAgeDays < CLOSE_WARNING_DAYS) {
+                    const hasReminder = await hasCommentWithMarker(prNumber, REMINDER_MARKER);
+                    
+                    if (!hasReminder) {
+                      await github.rest.issues.createComment({
+                        owner: context.repo.owner,
+                        repo: context.repo.repo,
+                        issue_number: prNumber,
+                        body: `${REMINDER_MARKER}
+            
+            👋 **Friendly reminder:** This PR is waiting on a signed CLA.
+            
+            All contributors need to sign our Contributor License Agreement before we can merge this PR.
+            
+            **➡️ [Sign the CLA here](${CLA_SIGN_URL}?pullRequest=${prNumber})**
+            
+            <details>
+            <summary>Why do we need a CLA?</summary>
+            
+            The CLA protects both you and the project by clarifying the terms under which your contribution is made. It's a one-time process — once signed, it covers all your future contributions.
+            
+            </details>
+            
+            <details>
+            <summary>Common issues</summary>
+            
+            - **Email mismatch:** Make sure your Git commit email matches your GitHub account email
+            - **Merge commits:** If you merged \`dev\` into your branch, try rebasing instead: \`git rebase origin/dev && git push --force-with-lease\`
+            - **Multiple authors:** All commit authors need to sign, not just the PR author
+            
+            </details>
+            
+            If you have questions, just ask! 🙂`
+                      });
+                      console.log(`Posted reminder on PR #${prNumber}`);
+                    }
+                  }
+                  
+                  // ⚠️ Close warning at CLOSE_WARNING_DAYS
+                  if (prAgeDays >= CLOSE_WARNING_DAYS && prAgeDays < CLOSE_DAYS) {
+                    const hasCloseWarning = await hasCommentWithMarker(prNumber, CLOSE_WARNING_MARKER);
+                    
+                    if (!hasCloseWarning) {
+                      const daysRemaining = CLOSE_DAYS - prAgeDays;
+                      await github.rest.issues.createComment({
+                        owner: context.repo.owner,
+                        repo: context.repo.repo,
+                        issue_number: prNumber,
+                        body: `${CLOSE_WARNING_MARKER}
+            
+            ⚠️ **This PR will be automatically closed in ${daysRemaining} day${daysRemaining === 1 ? '' : 's'}** if the CLA is not signed.
+            
+            We haven't received a signed CLA from all contributors yet. Please sign it to keep this PR open:
+            
+            **➡️ [Sign the CLA here](${CLA_SIGN_URL}?pullRequest=${prNumber})**
+            
+            If you're unable to sign or have questions, please let us know — we're happy to help!`
+                      });
+                      console.log(`Posted close warning on PR #${prNumber}`);
+                    }
+                  }
+                  
+                  // 🚪 Auto-close after CLOSE_DAYS
+                  if (prAgeDays >= CLOSE_DAYS) {
+                    const CLOSE_MARKER = '<!-- cla-auto-closed -->';
+                    const OVERRIDE_LABEL = 'cla: override';
+                    
+                    // Check for override label (maintainer wants to keep PR open)
+                    if (currentLabels.includes(OVERRIDE_LABEL)) {
+                      console.log(`PR #${prNumber}: Skipping close due to '${OVERRIDE_LABEL}' label`);
+                    } else {
+                      // Check if we already posted a close comment
+                      const hasCloseComment = await hasCommentWithMarker(prNumber, CLOSE_MARKER);
+                      
+                      if (!hasCloseComment) {
+                        await github.rest.issues.createComment({
+                          owner: context.repo.owner,
+                          repo: context.repo.repo,
+                          issue_number: prNumber,
+                          body: `${CLOSE_MARKER}
+            
+            👋 Closing this PR due to unsigned CLA after ${CLOSE_DAYS} days.
+            
+            Thank you for your contribution! If you'd still like to contribute:
+            
+            1. [Sign the CLA](${CLA_SIGN_URL})
+            2. Re-open this PR or create a new one
+            
+            We appreciate your interest in AutoGPT and hope to see you back! 🚀`
+                        });
+                      }
+                      
+                      await github.rest.pulls.update({
+                        owner: context.repo.owner,
+                        repo: context.repo.repo,
+                        pull_number: prNumber,
+                        state: 'closed'
+                      });
+                      
+                      console.log(`Closed PR #${prNumber} due to unsigned CLA`);
+                    }
+                  }
+                }
+                
+              } catch (error) {
+                console.error(`Error processing PR #${prNumber}: ${error.message}`);
+              }
+            }
+            
+            console.log('CLA label sync complete!');

.github/workflows/platform-frontend-ci.yml

@@ -27,11 +27,20 @@ jobs:
     runs-on: ubuntu-latest
     outputs:
       cache-key: ${{ steps.cache-key.outputs.key }}
+      components-changed: ${{ steps.filter.outputs.components }}
 
     steps:
       - name: Checkout repository
         uses: actions/checkout@v4
 
+      - name: Check for component changes
+        uses: dorny/paths-filter@v3
+        id: filter
+        with:
+          filters: |
+            components:
+              - 'autogpt_platform/frontend/src/components/**'
+
       - name: Set up Node.js
         uses: actions/setup-node@v4
         with:
@@ -90,8 +99,11 @@ jobs:
   chromatic:
     runs-on: ubuntu-latest
     needs: setup
-    # Only run on dev branch pushes or PRs targeting dev
-    if: github.ref == 'refs/heads/dev' || github.base_ref == 'dev'
+    # Disabled: to re-enable, remove 'false &&' from the condition below
+    if: >-
+      false
+      && (github.ref == 'refs/heads/dev' || github.base_ref == 'dev')
+      && needs.setup.outputs.components-changed == 'true'
 
     steps:
       - name: Checkout repository

autogpt_platform/backend/backend/api/features/chat/tools/binary_output_processor.py

@@ -1,251 +0,0 @@
-"""
-Detect and save embedded binary data in block outputs.
-
-Scans stdout_logs and other string outputs for embedded base64 patterns,
-saves detected binary content to workspace, and replaces the base64 with
-workspace:// references. This reduces LLM output token usage by ~97% for
-file generation tasks.
-
-Primary use case: ExecuteCodeBlock prints base64 to stdout, which appears
-in stdout_logs. Without this processor, the LLM would re-type the entire
-base64 string when saving files.
-"""
-
-import base64
-import binascii
-import hashlib
-import logging
-import re
-import uuid
-from typing import Any, Optional
-
-from backend.util.file import sanitize_filename
-from backend.util.virus_scanner import scan_content_safe
-from backend.util.workspace import WorkspaceManager
-
-logger = logging.getLogger(__name__)
-
-# Minimum decoded size to process (filters out small base64 strings)
-MIN_DECODED_SIZE = 1024  # 1KB
-
-# Pattern to find base64 chunks in text (at least 100 chars to be worth checking)
-# Matches continuous base64 characters (with optional whitespace for line wrapping),
-# optionally ending with = padding
-EMBEDDED_BASE64_PATTERN = re.compile(r"[A-Za-z0-9+/\s]{100,}={0,2}")
-
-# Magic numbers for binary file detection
-MAGIC_SIGNATURES = [
-    (b"\x89PNG\r\n\x1a\n", "png"),
-    (b"\xff\xd8\xff", "jpg"),
-    (b"%PDF-", "pdf"),
-    (b"GIF87a", "gif"),
-    (b"GIF89a", "gif"),
-    (b"RIFF", "webp"),  # Also check content[8:12] == b'WEBP'
-]
-
-
-async def process_binary_outputs(
-    outputs: dict[str, list[Any]],
-    workspace_manager: WorkspaceManager,
-    block_name: str,
-) -> dict[str, list[Any]]:
-    """
-    Scan all string values in outputs for embedded base64 binary content.
-    Save detected binaries to workspace and replace with references.
-
-    Args:
-        outputs: Block execution outputs (dict of output_name -> list of values)
-        workspace_manager: WorkspaceManager instance with session scoping
-        block_name: Name of the block (used in generated filenames)
-
-    Returns:
-        Processed outputs with embedded base64 replaced by workspace references
-    """
-    cache: dict[str, str] = {}  # content_hash -> workspace_ref
-
-    processed: dict[str, list[Any]] = {}
-    for name, items in outputs.items():
-        processed_items = []
-        for item in items:
-            processed_items.append(
-                await _process_value(item, workspace_manager, block_name, cache)
-            )
-        processed[name] = processed_items
-    return processed
-
-
-async def _process_value(
-    value: Any,
-    wm: WorkspaceManager,
-    block: str,
-    cache: dict[str, str],
-) -> Any:
-    """Recursively process a value, detecting embedded base64 in strings."""
-    if isinstance(value, dict):
-        result = {}
-        for k, v in value.items():
-            result[k] = await _process_value(v, wm, block, cache)
-        return result
-    if isinstance(value, list):
-        return [await _process_value(v, wm, block, cache) for v in value]
-    if isinstance(value, str) and len(value) > MIN_DECODED_SIZE:
-        return await _extract_and_replace_base64(value, wm, block, cache)
-    return value
-
-
-async def _extract_and_replace_base64(
-    text: str,
-    wm: WorkspaceManager,
-    block: str,
-    cache: dict[str, str],
-) -> str:
-    """
-    Find embedded base64 in text, save binaries, replace with references.
-
-    Scans for base64 patterns, validates each as binary via magic numbers,
-    saves valid binaries to workspace, and replaces the base64 portion
-    (plus any surrounding markers) with the workspace reference.
-    """
-    result = text
-    offset = 0
-
-    for match in EMBEDDED_BASE64_PATTERN.finditer(text):
-        b64_str = match.group(0)
-
-        # Try to decode and validate
-        detection = _decode_and_validate(b64_str)
-        if detection is None:
-            continue
-
-        content, ext = detection
-
-        # Save to workspace
-        ref = await _save_binary(content, ext, wm, block, cache)
-        if ref is None:
-            continue
-
-        # Calculate replacement bounds (include surrounding markers if present)
-        start, end = match.start(), match.end()
-        start, end = _expand_to_markers(text, start, end)
-
-        # Apply replacement with offset adjustment
-        adj_start = start + offset
-        adj_end = end + offset
-        result = result[:adj_start] + ref + result[adj_end:]
-        offset += len(ref) - (end - start)
-
-    return result
-
-
-def _decode_and_validate(b64_str: str) -> Optional[tuple[bytes, str]]:
-    """
-    Decode base64 and validate it's a known binary format.
-
-    Tries multiple 4-byte aligned offsets to handle cases where marker text
-    (e.g., "START" from "PDF_BASE64_START") bleeds into the regex match.
-    Base64 works in 4-char chunks, so we only check aligned offsets.
-
-    Returns (content, extension) if valid binary, None otherwise.
-    """
-    # Strip whitespace for RFC 2045 line-wrapped base64
-    normalized = re.sub(r"\s+", "", b64_str)
-
-    # Try offsets 0, 4, 8, ... up to 32 chars (handles markers up to ~24 chars)
-    # This handles cases like "STARTJVBERi0..." where "START" bleeds into match
-    for char_offset in range(0, min(33, len(normalized)), 4):
-        candidate = normalized[char_offset:]
-
-        try:
-            content = base64.b64decode(candidate, validate=True)
-        except (ValueError, binascii.Error):
-            continue
-
-        # Must meet minimum size
-        if len(content) < MIN_DECODED_SIZE:
-            continue
-
-        # Check magic numbers
-        for magic, ext in MAGIC_SIGNATURES:
-            if content.startswith(magic):
-                # Special case for WebP: RIFF container, verify "WEBP" at offset 8
-                if magic == b"RIFF":
-                    if len(content) < 12 or content[8:12] != b"WEBP":
-                        continue
-                return content, ext
-
-    return None
-
-
-def _expand_to_markers(text: str, start: int, end: int) -> tuple[int, int]:
-    """
-    Expand replacement bounds to include surrounding markers if present.
-
-    Handles patterns like:
-    - ---BASE64_START---\\n{base64}\\n---BASE64_END---
-    - [BASE64]{base64}[/BASE64]
-    - Or just the raw base64
-    """
-    # Common marker patterns to strip (order matters - check longer patterns first)
-    start_markers = [
-        "PDF_BASE64_START",
-        "---BASE64_START---\n",
-        "---BASE64_START---",
-        "[BASE64]\n",
-        "[BASE64]",
-    ]
-    end_markers = [
-        "PDF_BASE64_END",
-        "\n---BASE64_END---",
-        "---BASE64_END---",
-        "\n[/BASE64]",
-        "[/BASE64]",
-    ]
-
-    # Check for start markers
-    for marker in start_markers:
-        marker_start = start - len(marker)
-        if marker_start >= 0 and text[marker_start:start] == marker:
-            start = marker_start
-            break
-
-    # Check for end markers
-    for marker in end_markers:
-        marker_end = end + len(marker)
-        if marker_end <= len(text) and text[end:marker_end] == marker:
-            end = marker_end
-            break
-
-    return start, end
-
-
-async def _save_binary(
-    content: bytes,
-    ext: str,
-    wm: WorkspaceManager,
-    block: str,
-    cache: dict[str, str],
-) -> Optional[str]:
-    """
-    Save binary content to workspace with deduplication.
-
-    Returns workspace://file-id reference, or None on failure.
-    """
-    content_hash = hashlib.sha256(content).hexdigest()
-
-    if content_hash in cache:
-        return cache[content_hash]
-
-    try:
-        safe_block = sanitize_filename(block)[:20].lower()
-        filename = f"{safe_block}_{uuid.uuid4().hex[:12]}.{ext}"
-
-        # Scan for viruses before saving
-        await scan_content_safe(content, filename=filename)
-
-        file = await wm.write_file(content, filename)
-        ref = f"workspace://{file.id}"
-        cache[content_hash] = ref
-        return ref
-    except Exception as e:
-        logger.warning("Failed to save binary output: %s", e)
-        return None

autogpt_platform/backend/backend/api/features/chat/tools/run_block.py

@@ -14,10 +14,8 @@ from backend.data.model import CredentialsMetaInput
 from backend.data.workspace import get_or_create_workspace
 from backend.integrations.creds_manager import IntegrationCredentialsManager
 from backend.util.exceptions import BlockError
-from backend.util.workspace import WorkspaceManager
 
 from .base import BaseTool
-from .binary_output_processor import process_binary_outputs
 from .models import (
     BlockOutputResponse,
     ErrorResponse,
@@ -323,16 +321,6 @@ class RunBlockTool(BaseTool):
             ):
                 outputs[output_name].append(output_data)
 
-            # Post-process outputs to save binary content to workspace
-            workspace_manager = WorkspaceManager(
-                user_id=user_id,
-                workspace_id=workspace.id,
-                session_id=session.session_id,
-            )
-            outputs = await process_binary_outputs(
-                dict(outputs), workspace_manager, block.name
-            )
-
             return BlockOutputResponse(
                 message=f"Block '{block.name}' executed successfully",
                 block_id=block_id,

autogpt_platform/backend/backend/api/features/chat/tools/test_binary_output_processor.py

@@ -1,518 +0,0 @@
-"""Tests for embedded binary detection in block outputs."""
-
-import base64
-from unittest.mock import AsyncMock, MagicMock, patch
-
-import pytest
-
-from .binary_output_processor import (
-    _decode_and_validate,
-    _expand_to_markers,
-    process_binary_outputs,
-)
-
-
-@pytest.fixture
-def mock_workspace_manager():
-    """Create a mock workspace manager that returns predictable file IDs."""
-    wm = MagicMock()
-
-    async def mock_write_file(content, filename):
-        file = MagicMock()
-        file.id = f"file-{filename[:10]}"
-        return file
-
-    wm.write_file = AsyncMock(side_effect=mock_write_file)
-    return wm
-
-
-def _make_pdf_base64(size: int = 2000) -> str:
-    """Create a valid PDF base64 string of specified size."""
-    pdf_content = b"%PDF-1.4 " + b"x" * size
-    return base64.b64encode(pdf_content).decode()
-
-
-def _make_png_base64(size: int = 2000) -> str:
-    """Create a valid PNG base64 string of specified size."""
-    png_content = b"\x89PNG\r\n\x1a\n" + b"\x00" * size
-    return base64.b64encode(png_content).decode()
-
-
-# =============================================================================
-# Decode and Validate Tests
-# =============================================================================
-
-
-class TestDecodeAndValidate:
-    """Tests for _decode_and_validate function."""
-
-    def test_detects_pdf_magic_number(self):
-        """Should detect valid PDF by magic number."""
-        pdf_b64 = _make_pdf_base64()
-        result = _decode_and_validate(pdf_b64)
-        assert result is not None
-        content, ext = result
-        assert ext == "pdf"
-        assert content.startswith(b"%PDF-")
-
-    def test_detects_png_magic_number(self):
-        """Should detect valid PNG by magic number."""
-        png_b64 = _make_png_base64()
-        result = _decode_and_validate(png_b64)
-        assert result is not None
-        content, ext = result
-        assert ext == "png"
-
-    def test_detects_jpeg_magic_number(self):
-        """Should detect valid JPEG by magic number."""
-        jpeg_content = b"\xff\xd8\xff\xe0" + b"\x00" * 2000
-        jpeg_b64 = base64.b64encode(jpeg_content).decode()
-        result = _decode_and_validate(jpeg_b64)
-        assert result is not None
-        _, ext = result
-        assert ext == "jpg"
-
-    def test_detects_gif_magic_number(self):
-        """Should detect valid GIF by magic number."""
-        gif_content = b"GIF89a" + b"\x00" * 2000
-        gif_b64 = base64.b64encode(gif_content).decode()
-        result = _decode_and_validate(gif_b64)
-        assert result is not None
-        _, ext = result
-        assert ext == "gif"
-
-    def test_detects_webp_magic_number(self):
-        """Should detect valid WebP by magic number."""
-        webp_content = b"RIFF\x00\x00\x00\x00WEBP" + b"\x00" * 2000
-        webp_b64 = base64.b64encode(webp_content).decode()
-        result = _decode_and_validate(webp_b64)
-        assert result is not None
-        _, ext = result
-        assert ext == "webp"
-
-    def test_rejects_small_content(self):
-        """Should reject content smaller than threshold."""
-        small_pdf = b"%PDF-1.4 small"
-        small_b64 = base64.b64encode(small_pdf).decode()
-        result = _decode_and_validate(small_b64)
-        assert result is None
-
-    def test_rejects_no_magic_number(self):
-        """Should reject content without recognized magic number."""
-        random_content = b"This is just random text" * 100
-        random_b64 = base64.b64encode(random_content).decode()
-        result = _decode_and_validate(random_b64)
-        assert result is None
-
-    def test_rejects_invalid_base64(self):
-        """Should reject invalid base64."""
-        result = _decode_and_validate("not-valid-base64!!!")
-        assert result is None
-
-    def test_rejects_riff_without_webp(self):
-        """Should reject RIFF files that aren't WebP (e.g., WAV)."""
-        wav_content = b"RIFF\x00\x00\x00\x00WAVE" + b"\x00" * 2000
-        wav_b64 = base64.b64encode(wav_content).decode()
-        result = _decode_and_validate(wav_b64)
-        assert result is None
-
-    def test_handles_line_wrapped_base64(self):
-        """Should handle RFC 2045 line-wrapped base64."""
-        pdf_content = b"%PDF-1.4 " + b"x" * 2000
-        pdf_b64 = base64.b64encode(pdf_content).decode()
-        # Simulate line wrapping at 76 chars
-        wrapped = "\n".join(pdf_b64[i : i + 76] for i in range(0, len(pdf_b64), 76))
-        result = _decode_and_validate(wrapped)
-        assert result is not None
-        content, ext = result
-        assert ext == "pdf"
-        assert content == pdf_content
-
-
-# =============================================================================
-# Marker Expansion Tests
-# =============================================================================
-
-
-class TestExpandToMarkers:
-    """Tests for _expand_to_markers function."""
-
-    def test_expands_base64_start_end_markers(self):
-        """Should expand to include ---BASE64_START--- and ---BASE64_END---."""
-        text = "prefix\n---BASE64_START---\nABCDEF\n---BASE64_END---\nsuffix"
-        # Base64 "ABCDEF" is at position 26-32
-        start, end = _expand_to_markers(text, 26, 32)
-        assert text[start:end] == "---BASE64_START---\nABCDEF\n---BASE64_END---"
-
-    def test_expands_bracket_markers(self):
-        """Should expand to include [BASE64] and [/BASE64] markers."""
-        text = "prefix[BASE64]ABCDEF[/BASE64]suffix"
-        # Base64 is at position 14-20
-        start, end = _expand_to_markers(text, 14, 20)
-        assert text[start:end] == "[BASE64]ABCDEF[/BASE64]"
-
-    def test_no_expansion_without_markers(self):
-        """Should not expand if no markers present."""
-        text = "prefix ABCDEF suffix"
-        start, end = _expand_to_markers(text, 7, 13)
-        assert start == 7
-        assert end == 13
-
-
-# =============================================================================
-# Process Binary Outputs Tests
-# =============================================================================
-
-
-@pytest.fixture
-def mock_scan():
-    """Patch virus scanner for tests."""
-    with patch(
-        "backend.api.features.chat.tools.binary_output_processor.scan_content_safe",
-        new_callable=AsyncMock,
-    ) as mock:
-        yield mock
-
-
-class TestProcessBinaryOutputs:
-    """Tests for process_binary_outputs function."""
-
-    @pytest.mark.asyncio
-    async def test_detects_embedded_pdf_in_stdout_logs(
-        self, mock_workspace_manager, mock_scan
-    ):
-        """Should detect and replace embedded PDF in stdout_logs."""
-        pdf_b64 = _make_pdf_base64()
-        stdout = f"PDF generated!\n---BASE64_START---\n{pdf_b64}\n---BASE64_END---\n"
-
-        outputs = {"stdout_logs": [stdout]}
-
-        result = await process_binary_outputs(
-            outputs, mock_workspace_manager, "ExecuteCodeBlock"
-        )
-
-        # Should contain workspace reference, not base64
-        assert "workspace://" in result["stdout_logs"][0]
-        assert pdf_b64 not in result["stdout_logs"][0]
-        assert "PDF generated!" in result["stdout_logs"][0]
-        mock_workspace_manager.write_file.assert_called_once()
-
-    @pytest.mark.asyncio
-    async def test_detects_embedded_png_without_markers(
-        self, mock_workspace_manager, mock_scan
-    ):
-        """Should detect embedded PNG even without markers."""
-        png_b64 = _make_png_base64()
-        stdout = f"Image created: {png_b64} done"
-
-        outputs = {"stdout_logs": [stdout]}
-
-        result = await process_binary_outputs(
-            outputs, mock_workspace_manager, "ExecuteCodeBlock"
-        )
-
-        assert "workspace://" in result["stdout_logs"][0]
-        assert "Image created:" in result["stdout_logs"][0]
-        assert "done" in result["stdout_logs"][0]
-
-    @pytest.mark.asyncio
-    async def test_preserves_small_strings(self, mock_workspace_manager, mock_scan):
-        """Should not process small strings."""
-        outputs = {"stdout_logs": ["small output"]}
-
-        result = await process_binary_outputs(
-            outputs, mock_workspace_manager, "TestBlock"
-        )
-
-        assert result["stdout_logs"][0] == "small output"
-        mock_workspace_manager.write_file.assert_not_called()
-
-    @pytest.mark.asyncio
-    async def test_preserves_non_binary_large_strings(
-        self, mock_workspace_manager, mock_scan
-    ):
-        """Should preserve large strings that don't contain valid binary."""
-        large_text = "A" * 5000  # Large string - decodes to nulls, no magic number
-
-        outputs = {"stdout_logs": [large_text]}
-
-        result = await process_binary_outputs(
-            outputs, mock_workspace_manager, "TestBlock"
-        )
-
-        assert result["stdout_logs"][0] == large_text
-        mock_workspace_manager.write_file.assert_not_called()
-
-    @pytest.mark.asyncio
-    async def test_deduplicates_identical_content(
-        self, mock_workspace_manager, mock_scan
-    ):
-        """Should save identical content only once."""
-        pdf_b64 = _make_pdf_base64()
-        stdout1 = f"First: {pdf_b64}"
-        stdout2 = f"Second: {pdf_b64}"
-
-        outputs = {"stdout_logs": [stdout1, stdout2]}
-
-        result = await process_binary_outputs(
-            outputs, mock_workspace_manager, "TestBlock"
-        )
-
-        # Both should have references
-        assert "workspace://" in result["stdout_logs"][0]
-        assert "workspace://" in result["stdout_logs"][1]
-        # But only one write
-        assert mock_workspace_manager.write_file.call_count == 1
-
-    @pytest.mark.asyncio
-    async def test_handles_multiple_binaries_in_one_string(
-        self, mock_workspace_manager, mock_scan
-    ):
-        """Should handle multiple embedded binaries in a single string."""
-        pdf_b64 = _make_pdf_base64()
-        png_b64 = _make_png_base64()
-        stdout = f"PDF: {pdf_b64}\nPNG: {png_b64}"
-
-        outputs = {"stdout_logs": [stdout]}
-
-        result = await process_binary_outputs(
-            outputs, mock_workspace_manager, "TestBlock"
-        )
-
-        # Should have two workspace references
-        assert result["stdout_logs"][0].count("workspace://") == 2
-        assert mock_workspace_manager.write_file.call_count == 2
-
-    @pytest.mark.asyncio
-    async def test_processes_nested_structures(self, mock_workspace_manager, mock_scan):
-        """Should recursively process nested dicts and lists."""
-        pdf_b64 = _make_pdf_base64()
-
-        outputs = {"result": [{"nested": {"deep": f"data: {pdf_b64}"}}]}
-
-        result = await process_binary_outputs(
-            outputs, mock_workspace_manager, "TestBlock"
-        )
-
-        assert "workspace://" in result["result"][0]["nested"]["deep"]
-
-    @pytest.mark.asyncio
-    async def test_graceful_degradation_on_save_failure(
-        self, mock_workspace_manager, mock_scan
-    ):
-        """Should preserve original on save failure."""
-        mock_workspace_manager.write_file = AsyncMock(
-            side_effect=Exception("Storage error")
-        )
-
-        pdf_b64 = _make_pdf_base64()
-        stdout = f"PDF: {pdf_b64}"
-
-        outputs = {"stdout_logs": [stdout]}
-
-        result = await process_binary_outputs(
-            outputs, mock_workspace_manager, "TestBlock"
-        )
-
-        # Should keep original since save failed
-        assert pdf_b64 in result["stdout_logs"][0]
-
-
-# =============================================================================
-# Offset Loop Tests (handling marker bleed-in)
-# =============================================================================
-
-
-class TestOffsetLoopHandling:
-    """Tests for the offset-aligned decoding that handles marker bleed-in."""
-
-    def test_handles_4char_aligned_prefix(self):
-        """Should detect base64 when a 4-char aligned prefix bleeds into match.
-
-        When 'TEST' (4 chars, aligned) bleeds in, offset 4 finds valid base64.
-        """
-        pdf_content = b"%PDF-1.4 " + b"x" * 2000
-        pdf_b64 = base64.b64encode(pdf_content).decode()
-        # 4-char prefix (aligned)
-        with_prefix = f"TEST{pdf_b64}"
-
-        result = _decode_and_validate(with_prefix)
-        assert result is not None
-        content, ext = result
-        assert ext == "pdf"
-        assert content == pdf_content
-
-    def test_handles_8char_aligned_prefix(self):
-        """Should detect base64 when an 8-char prefix bleeds into match."""
-        pdf_content = b"%PDF-1.4 " + b"x" * 2000
-        pdf_b64 = base64.b64encode(pdf_content).decode()
-        # 8-char prefix (aligned)
-        with_prefix = f"TESTTEST{pdf_b64}"
-
-        result = _decode_and_validate(with_prefix)
-        assert result is not None
-        content, ext = result
-        assert ext == "pdf"
-
-    def test_handles_misaligned_prefix(self):
-        """Should handle misaligned prefix by finding a valid aligned offset.
-
-        'START' is 5 chars (misaligned). The loop tries offsets 0, 4, 8...
-        Since characters 0-4 include 'START' which is invalid base64 on its own,
-        we need the full PDF base64 to eventually decode correctly at some offset.
-        """
-        pdf_content = b"%PDF-1.4 " + b"x" * 2000
-        pdf_b64 = base64.b64encode(pdf_content).decode()
-        # 5-char prefix - misaligned, but offset 4 should start mid-'START'
-        # and offset 8 will be past the prefix
-        with_prefix = f"START{pdf_b64}"
-
-        result = _decode_and_validate(with_prefix)
-        # Should find valid PDF at some offset (8 in this case)
-        assert result is not None
-        _, ext = result
-        assert ext == "pdf"
-
-    def test_handles_pdf_base64_start_marker_bleed(self):
-        """Should handle PDF_BASE64_START marker bleeding into regex match.
-
-        This is the real-world case: regex matches 'STARTJVBERi0...' because
-        'START' chars are in the base64 alphabet. Offset loop skips past it.
-        PDF_BASE64_START is 16 chars (4-aligned), so offset 16 finds valid base64.
-        """
-        pdf_content = b"%PDF-1.4 " + b"x" * 2000
-        pdf_b64 = base64.b64encode(pdf_content).decode()
-        # Simulate regex capturing 'PDF_BASE64_START' + base64 together
-        # This happens when there's no delimiter between marker and content
-        with_full_marker = f"PDF_BASE64_START{pdf_b64}"
-
-        result = _decode_and_validate(with_full_marker)
-        assert result is not None
-        _, ext = result
-        assert ext == "pdf"
-
-    def test_clean_base64_works_at_offset_zero(self):
-        """Should detect clean base64 at offset 0 without issues."""
-        pdf_content = b"%PDF-1.4 " + b"x" * 2000
-        pdf_b64 = base64.b64encode(pdf_content).decode()
-
-        result = _decode_and_validate(pdf_b64)
-        assert result is not None
-        content, ext = result
-        assert ext == "pdf"
-        assert content == pdf_content
-
-
-# =============================================================================
-# PDF Marker Tests
-# =============================================================================
-
-
-class TestPdfMarkerExpansion:
-    """Tests for PDF_BASE64_START/END marker handling."""
-
-    def test_expands_pdf_base64_start_marker(self):
-        """Should expand to include PDF_BASE64_START marker."""
-        text = "prefixPDF_BASE64_STARTABCDEF"
-        # Base64 'ABCDEF' is at position 22-28
-        start, end = _expand_to_markers(text, 22, 28)
-        assert text[start:end] == "PDF_BASE64_STARTABCDEF"
-
-    def test_expands_pdf_base64_end_marker(self):
-        """Should expand to include PDF_BASE64_END marker."""
-        text = "ABCDEFPDF_BASE64_ENDsuffix"
-        # Base64 'ABCDEF' is at position 0-6
-        start, end = _expand_to_markers(text, 0, 6)
-        assert text[start:end] == "ABCDEFPDF_BASE64_END"
-
-    def test_expands_both_pdf_markers(self):
-        """Should expand to include both PDF_BASE64_START and END."""
-        text = "xPDF_BASE64_STARTABCDEFPDF_BASE64_ENDy"
-        # Base64 'ABCDEF' is at position 17-23
-        start, end = _expand_to_markers(text, 17, 23)
-        assert text[start:end] == "PDF_BASE64_STARTABCDEFPDF_BASE64_END"
-
-    def test_partial_marker_not_expanded(self):
-        """Should not expand if only partial marker present."""
-        text = "BASE64_STARTABCDEF"  # Missing 'PDF_' prefix
-        start, end = _expand_to_markers(text, 12, 18)
-        # Should not expand since it's not the full marker
-        assert start == 12
-        assert end == 18
-
-    @pytest.mark.asyncio
-    async def test_full_pipeline_with_pdf_markers(self, mock_workspace_manager):
-        """Test full pipeline with PDF_BASE64_START/END markers."""
-        pdf_b64 = _make_pdf_base64()
-        stdout = f"Output: PDF_BASE64_START{pdf_b64}PDF_BASE64_END done"
-
-        outputs = {"stdout_logs": [stdout]}
-
-        with patch(
-            "backend.api.features.chat.tools.binary_output_processor.scan_content_safe",
-            new_callable=AsyncMock,
-        ):
-            result = await process_binary_outputs(
-                outputs, mock_workspace_manager, "TestBlock"
-            )
-
-        # Should have workspace reference
-        assert "workspace://" in result["stdout_logs"][0]
-        # Markers should be consumed along with base64
-        assert "PDF_BASE64_START" not in result["stdout_logs"][0]
-        assert "PDF_BASE64_END" not in result["stdout_logs"][0]
-        # Surrounding text preserved
-        assert "Output:" in result["stdout_logs"][0]
-        assert "done" in result["stdout_logs"][0]
-
-
-# =============================================================================
-# Virus Scanning Tests
-# =============================================================================
-
-
-class TestVirusScanning:
-    """Tests for virus scanning integration."""
-
-    @pytest.mark.asyncio
-    async def test_calls_virus_scanner_before_save(self, mock_workspace_manager):
-        """Should call scan_content_safe before writing file."""
-        pdf_b64 = _make_pdf_base64()
-        stdout = f"PDF: {pdf_b64}"
-        outputs = {"stdout_logs": [stdout]}
-
-        with patch(
-            "backend.api.features.chat.tools.binary_output_processor.scan_content_safe",
-            new_callable=AsyncMock,
-        ) as mock_scan:
-            result = await process_binary_outputs(
-                outputs, mock_workspace_manager, "TestBlock"
-            )
-
-            # Verify scanner was called
-            mock_scan.assert_called_once()
-            # Verify file was written after scan
-            mock_workspace_manager.write_file.assert_called_once()
-            # Verify result has workspace reference
-            assert "workspace://" in result["stdout_logs"][0]
-
-    @pytest.mark.asyncio
-    async def test_virus_scan_failure_preserves_original(self, mock_workspace_manager):
-        """Should preserve original if virus scan fails."""
-        pdf_b64 = _make_pdf_base64()
-        stdout = f"PDF: {pdf_b64}"
-        outputs = {"stdout_logs": [stdout]}
-
-        with patch(
-            "backend.api.features.chat.tools.binary_output_processor.scan_content_safe",
-            new_callable=AsyncMock,
-            side_effect=Exception("Virus detected"),
-        ):
-            result = await process_binary_outputs(
-                outputs, mock_workspace_manager, "TestBlock"
-            )
-
-            # Should keep original since scan failed
-            assert pdf_b64 in result["stdout_logs"][0]
-            # File should not have been written
-            mock_workspace_manager.write_file.assert_not_called()

autogpt_platform/backend/backend/util/workspace.py

@@ -22,6 +22,7 @@ from backend.data.workspace import (
     soft_delete_workspace_file,
 )
 from backend.util.settings import Config
+from backend.util.virus_scanner import scan_content_safe
 from backend.util.workspace_storage import compute_file_checksum, get_workspace_storage
 
 logger = logging.getLogger(__name__)
@@ -187,6 +188,9 @@ class WorkspaceManager:
                 f"{Config().max_file_size_mb}MB limit"
             )
 
+        # Virus scan content before persisting (defense in depth)
+        await scan_content_safe(content, filename=filename)
+
         # Determine path with session scoping
         if path is None:
             path = f"/{filename}"

autogpt_platform/frontend/src/components/contextual/Chat/components/ChatMessage/ChatMessage.tsx

@@ -102,18 +102,6 @@ export function ChatMessage({
     }
   }
 
-  function handleClarificationAnswers(answers: Record<string, string>) {
-    if (onSendMessage) {
-      const contextMessage = Object.entries(answers)
-        .map(([keyword, answer]) => `${keyword}: ${answer}`)
-        .join("\n");
-
-      onSendMessage(
-        `I have the answers to your questions:\n\n${contextMessage}\n\nPlease proceed with creating the agent.`,
-      );
-    }
-  }
-
   const handleCopy = useCallback(
     async function handleCopy() {
       if (message.type !== "message") return;
@@ -162,6 +150,22 @@ export function ChatMessage({
         .slice(index + 1)
         .some((m) => m.type === "message" && m.role === "user");
 
+    const handleClarificationAnswers = (answers: Record<string, string>) => {
+      if (onSendMessage) {
+        // Iterate over questions (preserves original order) instead of answers
+        const contextMessage = message.questions
+          .map((q) => {
+            const answer = answers[q.keyword] || "";
+            return `> ${q.question}\n\n${answer}`;
+          })
+          .join("\n\n");
+
+        onSendMessage(
+          `**Here are my answers:**\n\n${contextMessage}\n\nPlease proceed with creating the agent.`,
+        );
+      }
+    };
+
     return (
       <ClarificationQuestionsWidget
         questions={message.questions}

autogpt_platform/frontend/src/components/contextual/Chat/components/ThinkingMessage/ThinkingMessage.tsx

@@ -19,13 +19,13 @@ export function ThinkingMessage({ className }: ThinkingMessageProps) {
     if (timerRef.current === null) {
       timerRef.current = setTimeout(() => {
         setShowSlowLoader(true);
-      }, 3000);
+      }, 8000);
     }
 
     if (coffeeTimerRef.current === null) {
       coffeeTimerRef.current = setTimeout(() => {
         setShowCoffeeMessage(true);
-      }, 8000);
+      }, 10000);
     }
 
     return () => {