rookiestar28 / ComfyUI-OpenClaw

Your own personal AIGC Factory. Any picture. Any reel. The Comfy way. ©️

455 stars
41 forks
4 issues
Languages: Python, JavaScript, CSS


Repository Overview (README excerpt)

# ComfyUI-OpenClaw

ComfyUI-OpenClaw is a **security-first orchestration layer** for ComfyUI that combines hardened automation APIs, embedded operator UX, and production deployment controls:

• **LLM-assisted nodes** (planner/refiner/vision/batch variants)
• **A built-in extension UI** ( panel)
• **A standalone Remote Admin Console** ( ) for mobile/remote browser operations
• **A secure-by-default HTTP API** for automation (webhooks, triggers, schedules, approvals, presets, rewrite recipes, model manager)
• **Public-ready control-plane split architecture** (embedded UX + externalized high-risk control surfaces)
• **Verification-first hardening lanes** (route drift, real-backend E2E, adversarial fuzz/mutation gates)
• **Support for 7 major messaging platforms: Discord, Telegram, WhatsApp, LINE, WeChat, KakaoTalk, and Slack**
• **More features added continuously**

---

This project is designed to make **ComfyUI a reliable automation target** with an explicit admin boundary and hardened defaults.

Security stance (how this project differs from convenience-first automation packs):

• Public profile requires explicit shared-surface boundary acknowledgement to reduce accidental exposure of ComfyUI-native high-risk routes behind reverse proxies
• Public MAE route-plane posture is guaranteed by startup enforcement plus no-skip CI route-drift checks
• Public deployments enforce Control Plane Split so high-risk controls are externalized and the embedded UI stays on safer read/UX surfaces
• Runtime profile startup hardening is fail-closed in hardened mode
• Multi-tenant boundary model rejects cross-tenant mismatches fail-closed and keeps tenant-scoped isolation across config, secret sources, connector installations, approvals, presets/templates visibility, and execution concurrency budgets, with explicit compatibility fallback controls
• Operator-facing outputs redact provider reasoning/thinking traces by default across assist, events, traces, callbacks, and connector replies; privileged local-debug reveal is explicit, loopback/admin-gated, auditable, and fail-closed outside permissive local posture
• Connector ingress is fail-closed in public/hardened posture when platform allowlists are missing, with a synchronized startup gate, deployment-profile check, Security Doctor posture, and startup audit visibility
• Admin write actions are protected by an explicit **Admin Token** boundary
• Webhook ingress is **deny-by-default** until authentication is configured
• Encrypted webhook ingress is **fail-closed** on signature/decrypt/app-id validation failures
• Bridge worker ingress enforces device token auth, scope checks, and idempotency handling
• Outbound SSRF policy is strict for callbacks and custom LLM base URLs
• External tool sandboxing is fail-closed with filesystem path guards
• Secrets are never stored in browser storage; the optional server-side key store remains a local-only convenience
• Secrets-at-rest encryption depends on `cryptography`; WeChat AES ingress stays optional via
• Optional local secret-manager integration supports 1Password CLI with explicit enable + command allowlist fail-closed controls while keeping frontend surfaces secret-blind
• Cryptographic lifecycle drills emit machine-readable evidence for rotate/revoke/key-loss/token-compromise fail-closed exercises
• Layered config resolution is deterministic ( ) with compatibility aliases preserved, reducing config drift/misrouting risk across API/node/runtime paths
• Module capability gates prevent disabled modules from registering routes/workers
• Endpoint inventory metadata plus route-drift tests catch unclassified API exposure regressions
• Pack lifecycle file paths and pack API file inputs are root-bounded and traversal-validated
• Sensitive write/admin paths use tamper-evident, append-only audit trails
• Replay risk is reduced with deterministic dedupe keys for payloads without message IDs
• Localhost-first defaults remain in place; remote access is explicit opt-in
• Localhost no-origin CSRF override posture is surfaced in startup logs, Security Doctor, and audit visibility
• Runtime guardrails are runtime-only, with diagnostics, clamping, and reject-on-persist behavior for safety-critical limits
• Management queries enforce deterministic pagination normalization and bounded scans against malformed or unbounded admin/list requests
• Retry partition hardening separates rate-limit and transport budgets with deterministic degrade decisions and lane-level diagnostics/audit evidence
• Compatibility matrix freshness/drift governance is surfaced in Doctor with repeatable refresh evidence
• Adversarial verification gates (bounded fuzz + mutation, adaptive smoke => extended escalation on high-risk diffs) are enforced in CI and local full-test/pre-push workflows
• Wave E hardening closeout includes deployment-profile gates, critical-flow parity, signed policy posture controls, bounded anomaly telemetry, adversarial fuzz validation, and mutation sensitivity checks
• Wave A/B/C hardening closeout includes runtime/config/session stability contracts, strict outbound and supply-chain controls, and capability-aware operator guidance with bounded Parameter Lab/compare workflows

Deployment profiles and hardening checklists:

• Security Deployment Guide (local / LAN / public templates + self-check command)
• Security Key/Token Lifecycle SOP (trust-root, secrets key, and bridge token rotation/revocation/disaster recovery)
• Security Checklist (pre-exposure operational checklist for connector and ingress boundaries)
• Runtime Hardening and Startup (runtime profile, startup gate, and hardened baseline behaviors)
• R69 Frontend Migration Decision (framework migration feasibility matrix and no-migration decision record)

Latest Updates

Private-host LLM SSRF contract clarified across Remote Admin, docs, and deployment guidance
• Clarified that only extends the exact public-host allowlist for custom LLM values and…
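The security stance above names four controls that a reviewer would want to see as concrete fail-closed logic: deny-by-default webhook authentication, a strict outbound URL policy for callbacks and custom LLM base URLs, root-bounded file paths for pack inputs, and deterministic dedupe keys for replay reduction. The block below is an added illustration of those patterns written for this page; it is not ComfyUI-OpenClaw's own code, and the function names, the `sha256=<hex>` header format, the exact-host allowlist shape and the sample inputs are all assumptions.

```python
"""Fail-closed ingress/egress guards illustrating the README's security stance.
Added example for this page, not ComfyUI-OpenClaw's code; all names are assumed."""
import hashlib
import hmac
import ipaddress
import json
from pathlib import Path
from typing import Optional
from urllib.parse import urlsplit

SIG_PREFIX = "sha256="  # assumed header format: "sha256=<hex hmac of raw body>"


def sign_webhook(body: bytes, secret: str) -> str:
    """Sender side: HMAC-SHA256 over the raw request body, hex-encoded."""
    return SIG_PREFIX + hmac.new(secret.encode(), body, hashlib.sha256).hexdigest()


def verify_webhook(body: bytes, signature_header: Optional[str], secret: Optional[str]) -> bool:
    """Receiver side, deny-by-default.

    - No secret configured      -> reject (ingress stays closed until auth is set up)
    - Header missing/malformed  -> reject
    - Otherwise constant-time compare against the recomputed HMAC.
    """
    if not secret:
        return False
    if not signature_header or not signature_header.startswith(SIG_PREFIX):
        return False
    expected = sign_webhook(body, secret)
    return hmac.compare_digest(signature_header, expected)


def outbound_url_allowed(url: str, host_allowlist: frozenset) -> bool:
    """Strict egress policy for callbacks / custom LLM base URLs.

    Only http(s); host must match an exact allowlist entry; a literal IP host is
    rejected when it is loopback, private, link-local or otherwise non-global.
    Caveat: an allowlisted DNS name can still resolve to a private address, so a
    real deployment must resolve and re-check at connect time (not shown here).
    """
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return False
    host = parts.hostname.lower()
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        ip = None  # a DNS name, not a literal address
    if ip is not None and not ip.is_global:
        return False
    return host in host_allowlist


def root_bounded_path(root: str, user_supplied: str) -> Optional[str]:
    """Resolve a pack/file path and require it to stay under `root`.

    Returns the resolved path as a string, or None for traversal ("../"),
    absolute paths that escape, or symlinks pointing outside the root.
    """
    root_resolved = Path(root).resolve()
    candidate = (root_resolved / user_supplied).resolve()
    try:
        candidate.relative_to(root_resolved)
    except ValueError:
        return None
    return str(candidate)


def dedupe_key(tenant: str, channel: str, payload: dict) -> str:
    """Deterministic replay key for payloads that carry no message ID.

    Canonical JSON (sorted keys, no whitespace) scoped by tenant and channel so
    the same payload re-delivered in any key order maps to the same key, while
    identical payloads on different tenants do not collide.
    """
    canonical = json.dumps(payload, sort_keys=True, separators=(",", ":"), ensure_ascii=False)
    material = "\x00".join([tenant, channel, canonical]).encode()
    return hashlib.sha256(material).hexdigest()


if __name__ == "__main__":
    # Constructed sample traffic, not captured from any deployment.
    body = b'{"event":"generate","prompt":"a cat"}'
    print("unconfigured:", verify_webhook(body, sign_webhook(body, "x"), None))
    print("valid:", verify_webhook(body, sign_webhook(body, "s3cret"), "s3cret"))
    print("loopback egress:", outbound_url_allowed("http://127.0.0.1:8188/", frozenset({"127.0.0.1"})))
    print("traversal:", root_bounded_path("/tmp/openclaw-packs", "../../etc/passwd"))
```

The two compare paths in `verify_webhook` both return `False` rather than raising, so a missing configuration and a bad signature look the same to the caller; that is the fail-closed property the README describes for encrypted webhook ingress. The egress check deliberately refuses literal non-global IPs even when an operator has allowlisted them, which matches the "private-host" clarification in the Latest Updates entry.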