lfx-nightly 0.2.0.dev41__py3-none-any.whl → 0.3.0.dev3__py3-none-any.whl

lfx/services/settings/utils.py

@@ -1,9 +1,74 @@
 import platform
 from pathlib import Path
 
+from cryptography.hazmat.primitives import serialization
+from cryptography.hazmat.primitives.asymmetric import rsa
+from cryptography.hazmat.primitives.serialization import load_pem_private_key
+
 from lfx.log.logger import logger
 
 
+class RSAKeyError(Exception):
+    """Exception raised when RSA key operations fail."""
+
+
+def derive_public_key_from_private(private_key_pem: str) -> str:
+    """Derive a public key from a private key PEM string.
+
+    Args:
+        private_key_pem: The private key in PEM format.
+
+    Returns:
+        str: The public key in PEM format.
+
+    Raises:
+        RSAKeyError: If the private key is invalid or cannot be processed.
+    """
+    try:
+        private_key = load_pem_private_key(private_key_pem.encode(), password=None)
+        return (
+            private_key.public_key()
+            .public_bytes(
+                encoding=serialization.Encoding.PEM,
+                format=serialization.PublicFormat.SubjectPublicKeyInfo,
+            )
+            .decode("utf-8")
+        )
+    except Exception as e:
+        msg = f"Failed to derive public key from private key: {e}"
+        logger.error(msg)
+        raise RSAKeyError(msg) from e
+
+
+def generate_rsa_key_pair() -> tuple[str, str]:
+    """Generate an RSA key pair for RS256 JWT signing.
+
+    Returns:
+        tuple[str, str]: A tuple of (private_key_pem, public_key_pem) as strings.
+    """
+    private_key = rsa.generate_private_key(
+        public_exponent=65537,
+        key_size=2048,
+    )
+
+    private_key_pem = private_key.private_bytes(
+        encoding=serialization.Encoding.PEM,
+        format=serialization.PrivateFormat.PKCS8,
+        encryption_algorithm=serialization.NoEncryption(),
+    ).decode("utf-8")
+
+    public_key_pem = (
+        private_key.public_key()
+        .public_bytes(
+            encoding=serialization.Encoding.PEM,
+            format=serialization.PublicFormat.SubjectPublicKeyInfo,
+        )
+        .decode("utf-8")
+    )
+
+    return private_key_pem, public_key_pem
+
+
 def set_secure_permissions(file_path: Path) -> None:
     if platform.system() in {"Linux", "Darwin"}:  # Unix/Linux/Mac
         file_path.chmod(0o600)
@@ -38,3 +103,20 @@ def write_secret_to_file(path: Path, value: str) -> None:
 
 def read_secret_from_file(path: Path) -> str:
     return path.read_text(encoding="utf-8")
+
+
+def write_public_key_to_file(path: Path, value: str) -> None:
+    """Write a public key to file with appropriate permissions (0o644).
+
+    Public keys can be readable by others but should only be writable by owner.
+
+    Args:
+        path: The file path to write to.
+        value: The public key content.
+    """
+    path.write_text(value, encoding="utf-8")
+    try:
+        if platform.system() in {"Linux", "Darwin"}:
+            path.chmod(0o644)
+    except Exception:  # noqa: BLE001
+        logger.exception("Failed to set permissions on public key file")

lfx/services/storage/local.py

@@ -58,11 +58,12 @@ class LocalStorageService(StorageService):
         return str(self.data_dir / flow_id / file_name)
 
     def parse_file_path(self, full_path: str) -> tuple[str, str]:
-        """Parse a full local storage path to extract flow_id and file_name.
+        r"""Parse a full local storage path to extract flow_id and file_name.
 
         Args:
             full_path: Filesystem path, may or may not include data_dir
-                e.g., "/data/user_123/image.png" or "user_123/image.png"
+                e.g., "/data/user_123/image.png" or "user_123/image.png". On Windows the
+                separators may be backslashes ("\\"). This method handles both.
 
         Returns:
             tuple[str, str]: A tuple of (flow_id, file_name)
@@ -78,15 +79,19 @@ class LocalStorageService(StorageService):
         # Remove data_dir if present (but don't require it)
         path_without_prefix = full_path
         if full_path.startswith(data_dir_str):
-            path_without_prefix = full_path[len(data_dir_str) :].lstrip("/")
+            # Strip both POSIX and Windows separators
+            path_without_prefix = full_path[len(data_dir_str) :].lstrip("/").lstrip("\\")
 
-        # Split from the right to get the filename
-        # Everything before the last "/" is the flow_id
-        if "/" not in path_without_prefix:
-            return "", path_without_prefix
+        # Normalize separators so downstream logic is platform-agnostic
+        normalized_path = path_without_prefix.replace("\\", "/")
+
+        # Split from the right to get the filename; everything before the last
+        # "/" is the flow_id
+        if "/" not in normalized_path:
+            return "", normalized_path
 
         # Use rsplit to split from the right, limiting to 1 split
-        flow_id, file_name = path_without_prefix.rsplit("/", 1)
+        flow_id, file_name = normalized_path.rsplit("/", 1)
         return flow_id, file_name
 
     async def save_file(self, flow_id: str, file_name: str, data: bytes, *, append: bool = False) -> None:

lfx/services/transaction/__init__.py

@@ -0,0 +1,5 @@
+"""Transaction service module for lfx."""
+
+from lfx.services.transaction.service import NoopTransactionService
+
+__all__ = ["NoopTransactionService"]

lfx/services/transaction/service.py

@@ -0,0 +1,35 @@
+"""Transaction service implementations for lfx."""
+
+from __future__ import annotations
+
+from typing import Any
+
+from lfx.services.interfaces import TransactionServiceProtocol
+
+
+class NoopTransactionService(TransactionServiceProtocol):
+    """No-operation transaction service for standalone lfx mode.
+
+    This service is used when lfx runs without a concrete transaction
+    service implementation (e.g., without langflow). All operations
+    are no-ops and transaction logging is disabled.
+    """
+
+    async def log_transaction(
+        self,
+        flow_id: str,
+        vertex_id: str,
+        inputs: dict[str, Any] | None,
+        outputs: dict[str, Any] | None,
+        status: str,
+        target_id: str | None = None,
+        error: str | None = None,
+    ) -> None:
+        """No-op implementation of transaction logging.
+
+        In standalone mode, transactions are not persisted.
+        """
+
+    def is_enabled(self) -> bool:
+        """Transaction logging is disabled in noop mode."""
+        return False

lfx/utils/constants.py

@@ -71,6 +71,7 @@ DIRECT_TYPES = [
     "float",
     "Any",
     "prompt",
+    "mustache",
     "code",
     "NestedDict",
     "table",
@@ -82,6 +83,7 @@ DIRECT_TYPES = [
     "query",
     "tools",
     "mcp",
+    "model",
 ]
 
 

lfx/utils/mustache_security.py

@@ -0,0 +1,79 @@
+"""Security utilities for mustache template processing."""
+
+import re
+from typing import Any
+
+# Regex pattern for simple variables only - same as frontend
+SIMPLE_VARIABLE_PATTERN = re.compile(r"\{\{([a-zA-Z_][a-zA-Z0-9_]*)\}\}")
+
+# Patterns for complex mustache syntax that we want to block
+DANGEROUS_PATTERNS = [
+    re.compile(r"\{\{\{"),  # Triple braces (unescaped HTML in Mustache)
+    re.compile(r"\{\{#"),  # Conditionals/sections start
+    re.compile(r"\{\{/"),  # Conditionals/sections end
+    re.compile(r"\{\{\^"),  # Inverted sections
+    re.compile(r"\{\{&"),  # Unescaped variables
+    re.compile(r"\{\{>"),  # Partials
+    re.compile(r"\{\{!"),  # Comments
+    re.compile(r"\{\{\."),  # Current context
+]
+
+
+def validate_mustache_template(template: str) -> None:
+    """Validate that a mustache template only contains simple variable substitutions.
+
+    Raises ValueError if complex mustache syntax is detected.
+    """
+    if not template:
+        return
+
+    # Check for dangerous patterns
+    for pattern in DANGEROUS_PATTERNS:
+        if pattern.search(template):
+            msg = (
+                "Complex mustache syntax is not allowed. Only simple variable substitution "
+                "like {{variable}} is permitted."
+            )
+            raise ValueError(msg)
+
+    # Check that all {{ }} patterns are simple variables
+    all_mustache_patterns = re.findall(r"\{\{[^}]*\}\}", template)
+    for pattern in all_mustache_patterns:
+        if not SIMPLE_VARIABLE_PATTERN.match(pattern):
+            msg = f"Invalid mustache variable: {pattern}. Only simple variable names like {{{{variable}}}} are allowed."
+            raise ValueError(msg)
+
+
+def safe_mustache_render(template: str, variables: dict[str, Any]) -> str:
+    """Safely render a mustache template with only simple variable substitution.
+
+    This function performs a single-pass replacement of all {{variable}} patterns.
+    Variable values that themselves contain mustache-like patterns (e.g., "{{other}}")
+    will NOT be processed - they are treated as literal strings. This prevents
+    injection attacks where user-controlled values could introduce new template variables.
+
+    Args:
+        template: The mustache template string
+        variables: Dictionary of variables to substitute
+
+    Returns:
+        The rendered template
+
+    Raises:
+        ValueError: If template contains complex mustache syntax
+    """
+    # Validate template first
+    validate_mustache_template(template)
+
+    # Simple replacement - find all simple variables and replace them
+    def replace_variable(match):
+        var_name = match.group(1)
+
+        # Get the variable value directly (no dot notation support)
+        value = variables.get(var_name, "")
+
+        # Convert to string
+        return str(value) if value is not None else ""
+
+    # Replace all simple variables
+    return SIMPLE_VARIABLE_PATTERN.sub(replace_variable, template)

lfx/utils/validate_cloud.py

@@ -5,6 +5,20 @@ such as disabling certain features when running in Astra cloud environment.
 """
 
 import os
+from typing import Any
+
+
+def is_astra_cloud_environment() -> bool:
+    """Check if we're running in an Astra cloud environment.
+
+    Check if the environment variable ASTRA_CLOUD_DISABLE_COMPONENT is set to true.
+    IF it is, then we know we are in an Astra cloud environment.
+
+    Returns:
+        bool: True if running in an Astra cloud environment, False otherwise.
+    """
+    disable_component = os.getenv("ASTRA_CLOUD_DISABLE_COMPONENT", "false")
+    return disable_component.lower().strip() == "true"
 
 
 def raise_error_if_astra_cloud_disable_component(msg: str):
@@ -20,7 +34,71 @@ def raise_error_if_astra_cloud_disable_component(msg: str):
     Raises:
         ValueError: If running in an Astra cloud environment.
     """
-    if (
-        disable_component := os.getenv("ASTRA_CLOUD_DISABLE_COMPONENT", "false")
-    ) and disable_component.lower().strip() == "true":
+    if is_astra_cloud_environment():
         raise ValueError(msg)
+
+
+# Mapping of component types to their disabled module names and component names when in Astra cloud environment.
+# Keys are component type names (e.g., "docling")
+# Values are sets containing both module filenames (e.g., "chunk_docling_document")
+# and component names (e.g., "ChunkDoclingDocument")
+# To add new disabled components in the future, simply add entries to this dictionary.
+ASTRA_CLOUD_DISABLED_COMPONENTS: dict[str, set[str]] = {
+    "docling": {
+        # Module filenames (for dynamic loading)
+        "chunk_docling_document",
+        "docling_inline",
+        "export_docling_document",
+        # Component names (for index/cache loading)
+        "ChunkDoclingDocument",
+        "DoclingInline",
+        "ExportDoclingDocument",
+    }
+}
+
+
+def is_component_disabled_in_astra_cloud(component_type: str, module_filename: str) -> bool:
+    """Check if a specific component module should be disabled in cloud environment.
+
+    Args:
+        component_type: The top-level component type (e.g., "docling")
+        module_filename: The module filename without extension (e.g., "chunk_docling_document")
+
+    Returns:
+        bool: True if the component should be disabled, False otherwise.
+    """
+    if not is_astra_cloud_environment():
+        return False
+
+    disabled_modules = ASTRA_CLOUD_DISABLED_COMPONENTS.get(component_type.lower(), set())
+    return module_filename in disabled_modules
+
+
+def filter_disabled_components_from_dict(modules_dict: dict[str, dict[str, Any]]) -> dict[str, dict[str, Any]]:
+    """Filter out disabled components from a loaded modules dictionary.
+
+    This function is used to filter components that were loaded from index/cache,
+    since those bypass the dynamic loading filter.
+
+    Args:
+        modules_dict: Dictionary mapping component types to their components
+
+    Returns:
+        Filtered dictionary with disabled components removed
+    """
+    if not is_astra_cloud_environment():
+        return modules_dict
+
+    filtered_dict: dict[str, dict[str, Any]] = {}
+    for component_type, components in modules_dict.items():
+        disabled_set = ASTRA_CLOUD_DISABLED_COMPONENTS.get(component_type.lower(), set())
+        if disabled_set:
+            # Filter out disabled components
+            filtered_components = {name: comp for name, comp in components.items() if name not in disabled_set}
+            if filtered_components:  # Only add if there are remaining components
+                filtered_dict[component_type] = filtered_components
+        else:
+            # No disabled components for this type, keep all
+            filtered_dict[component_type] = components
+
+    return filtered_dict

{lfx_nightly-0.2.0.dev41.dist-info → lfx_nightly-0.3.0.dev3.dist-info}/METADATA

@@ -1,14 +1,16 @@
 Metadata-Version: 2.4
 Name: lfx-nightly
-Version: 0.2.0.dev41
+Version: 0.3.0.dev3
 Summary: Langflow Executor - A lightweight CLI tool for executing and serving Langflow AI flows
 Author-email: Gabriel Luiz Freitas Almeida <gabriel@langflow.org>
 Requires-Python: <3.14,>=3.10
+Requires-Dist: ag-ui-protocol>=0.1.10
 Requires-Dist: aiofile<4.0.0,>=3.8.0
 Requires-Dist: aiofiles<25.0.0,>=24.1.0
 Requires-Dist: asyncer<1.0.0,>=0.0.8
 Requires-Dist: cachetools>=6.0.0
 Requires-Dist: chardet<6.0.0,>=5.2.0
+Requires-Dist: cryptography>=43.0.0
 Requires-Dist: defusedxml<1.0.0,>=0.7.1
 Requires-Dist: docstring-parser<1.0.0,>=0.16
 Requires-Dist: emoji<3.0.0,>=2.14.1
@@ -257,7 +259,10 @@ async def get_graph() -> Graph:
 uv pip install lfx
 
 # Install additional dependencies required for the agent
-uv pip install langchain-community langchain beautifulsoup4 lxml langchain-openai
+uv pip install 'langchain-core>=0.3.0,<1.0.0' \
+               'langchain-openai>=0.3.0,<1.0.0' \
+               'langchain-community>=0.3.0,<1.0.0' \
+               beautifulsoup4 lxml
 ```
 
 **Step 3: Set up environment**