
fix: block public builds of code execution agents#13875

Open: erichare wants to merge 2 commits into release-1.10.2 from fix/pvr0795578-public-flow-code-agents


@erichare erichare commented Jun 26, 2026

Collaborator

Summary

  • Block unauthenticated public-flow builds for the shipped CSVAgent, CodeActAgentSmolagents, and OpenDsStarAgent code-execution agents.
  • Reject the bundled Structured Data Analysis starter template on the public build path because it contains OpenDsStarAgent.
  • Treat CSVAgent's allow_dangerous_code toggle as a tweak-protected sandbox boundary.

Test plan

  • uv run ruff check src/lfx/src/lfx/utils/flow_validation.py src/lfx/tests/unit/utils/test_flow_validation.py src/lfx/tests/unit/test_process.py src/backend/tests/unit/test_process.py
  • uv run pytest src/backend/tests/unit/test_process.py::test_apply_tweaks_blocks_csv_agent_dangerous_code_flag src/backend/tests/unit/test_chat_endpoint.py::test_build_public_tmp_rejects_code_execution_components -q
  • (cd src/lfx && uv sync --group dev && uv run pytest tests/unit/utils/test_flow_validation.py tests/unit/test_process.py -q)

Summary by CodeRabbit

  • Bug Fixes

    • Strengthened flow validation so additional code-capable agent setups are blocked on public builds.
    • Prevented a dangerous code-related option from being overridden in CSV-based agent configurations, while keeping other safe settings editable.
  • Tests

    • Added coverage for code-execution restrictions and agent validation to help catch regressions.
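
An added sketch, not Langflow's code, of the two guards the description above names: rejecting a public build when any node is one of the listed agent types, and refusing caller-supplied tweaks to allow_dangerous_code while leaving other fields editable. The flow JSON shape, the tweaks shape, the `verbose` field and every function and constant name here are assumptions; only the three type names and allow_dangerous_code come from the PR.

```python
# Added illustration, not Langflow's implementation. Assumed shapes:
# flow["data"]["nodes"][i]["data"]["type"] and tweaks = {target: {field: value}}.
BLOCKED_TYPES = frozenset({"CSVAgent", "CodeActAgentSmolagents", "OpenDsStarAgent"})
PROTECTED_FIELDS = frozenset({"allow_dangerous_code"})


class PublicFlowRejected(ValueError):
    """An unauthenticated build would reach a code-execution agent."""


def validate_public_flow(flow):
    """Reject the whole flow if any node is a code-execution agent type."""
    nodes = flow.get("data", {}).get("nodes", [])
    found = {n.get("data", {}).get("type") for n in nodes} & BLOCKED_TYPES
    if found:
        raise PublicFlowRejected("public build blocked: " + ", ".join(sorted(found)))


def filter_tweaks(tweaks):
    """Strip protected fields from caller-supplied tweaks.

    Returns (safe_tweaks, dropped) so the caller can log every attempt.
    """
    safe, dropped = {}, []
    for target, fields in tweaks.items():
        safe[target] = {}
        for name, value in fields.items():
            if name in PROTECTED_FIELDS:
                dropped.append((target, name))
            else:
                safe[target][name] = value
    return safe, dropped


# Constructed sample inputs.
SAFE_FLOW = {"data": {"nodes": [{"id": "n1", "data": {"type": "ChatInput"}}]}}
STARTER_LIKE_FLOW = {"data": {"nodes": [
    {"id": "n1", "data": {"type": "ChatInput"}},
    {"id": "n2", "data": {"type": "OpenDsStarAgent"}},
]}}
TWEAKS = {"CSVAgent-1": {"allow_dangerous_code": True, "verbose": True}}

if __name__ == "__main__":
    validate_public_flow(SAFE_FLOW)
    print(filter_tweaks(TWEAKS))
    try:
        validate_public_flow(STARTER_LIKE_FLOW)
    except PublicFlowRejected as exc:
        print(exc)
```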

coderabbitai Bot commented Jun 26, 2026

Contributor

Important

Review skipped

Auto incremental reviews are disabled on this repository.

Please check the settings in the CodeRabbit UI or the .coderabbit.yaml file in this repository. To trigger a single review, invoke the @coderabbitai review command.

⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

Run ID: 6ec55f92-18e5-4278-ab50-ac848221c7c9

You can disable this status message by setting the reviews.review_status to false in the CodeRabbit configuration file.


Walkthrough

CSVAgent-related code-execution handling is added to validation constants and test coverage. The PR blocks allow_dangerous_code tweaks, updates code-execution tripwire expectations, and adds public-flow rejection tests for agent types and the bundled Structured Data Analysis Agent starter project.

Changes

Code-execution guard expansion

| Layer / File(s) | Summary |
|---|---|
| Policy constants: src/lfx/src/lfx/utils/flow_validation.py | CODE_EXECUTION_COMPONENT_TYPES adds three agent types, CODE_EXECUTION_FIELD_NAMES adds allow_dangerous_code, and the validate_public_flow_no_code_execution docstring is updated. |
| CSVAgent tweak regression: src/backend/tests/unit/test_process.py, src/lfx/tests/unit/test_process.py | apply_tweaks tests keep allow_dangerous_code at False for CSVAgent, and the code-execution tripwire assertions expand to the new type and field mapping. |
| Public flow validation tests: src/lfx/tests/unit/utils/test_flow_validation.py | Tests add a reported code-execution agent type list, reject each type through validate_public_flow_no_code_execution, and load the Structured Data Analysis Agent starter project to assert rejection. |

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20 minutes

Possibly related PRs

  • langflow-ai/langflow#13538: Extends flow_validation and apply_tweaks blocking for CSVAgent and allow_dangerous_code, matching the same code-execution guard surface.
  • langflow-ai/langflow#13705: Adds CSVAgent and allow_dangerous_code protections in the Tweaks API and covers them with tests, overlapping with the regression coverage here.

Suggested labels

bug

Suggested reviewers

  • Adam-Aghili
  • ogabrielluiz
🚥 Pre-merge checks | ✅ 9
✅ Passed checks (9 passed)
| Check name | Status | Explanation |
|---|---|---|
| Description Check | ✅ Passed | Check skipped - CodeRabbit’s high-level summary is enabled. |
| Docstring Coverage | ✅ Passed | No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check. |
| Linked Issues check | ✅ Passed | Check skipped because no linked issues were found for this pull request. |
| Out of Scope Changes check | ✅ Passed | Check skipped because no linked issues were found for this pull request. |
| Test Coverage For New Implementations | ✅ Passed | PASS: The PR adds real regression/unit tests for CSVAgent tweak blocking and public-flow rejection of CSVAgent/CodeActAgentSmolagents/OpenDsStarAgent, plus sync checks for the constants. |
| Test Quality And Coverage | ✅ Passed | PASS: New tests cover blocked CSVAgent/public-flow cases, include positive/negative endpoint paths, use proper pytest/async patterns, and assert concrete state changes and errors. |
| Test File Naming And Structure | ✅ Passed | PASS: The changed tests are in unit test dirs with test_*.py names, descriptive pytest functions, helper setup, and clear positive/negative coverage; no frontend tests are involved. |
| Excessive Mock Usage Warning | ✅ Passed | Mocks are limited to boundary setup (settings service, async loader, logger); the new regression tests use real flows/data, not over-mocked core logic. |
| Title check | ✅ Passed | The title clearly summarizes the main change: blocking public builds for code-execution agents. |
@github-actions

Contributor

✅ Test Coverage Advisor

No source changes detected without accompanying tests. Thanks for keeping coverage up! 🎉

Advisory check only — never blocks merge.

@erichare erichare changed the title Block public builds of code execution agents fix: block public builds of code execution agents Jun 26, 2026
@erichare erichare requested a review from Adam-Aghili June 26, 2026 21:36
@github-actions github-actions Bot added the bug Something isn't working label Jun 26, 2026
codecov Bot commented Jun 26, 2026

Codecov Report

✅ All modified and coverable lines are covered by tests.
⚠️ Please upload report for BASE (release-1.10.2@c6dbca3). Learn more about missing BASE report.

Additional details and impacted files

@@                Coverage Diff                @@
##             release-1.10.2   #13875   +/-   ##
=================================================
  Coverage                  ?   58.61%           
=================================================
  Files                     ?     2307           
  Lines                     ?   220979           
  Branches                  ?    34177           
=================================================
  Hits                      ?   129524           
  Misses                    ?    89976           
  Partials                  ?     1479           

| Flag | Coverage Δ |
|---|---|
| backend | 65.95% <ø> (?) |
| frontend | 57.72% <ø> (?) |
| lfx | 54.63% <ø> (?) |

Flags with carried forward coverage won't be shown. Click here to find out more.

| Files with missing lines | Coverage Δ |
|---|---|
| src/lfx/src/lfx/utils/flow_validation.py | 69.71% <ø> (ø) |

github-actions Bot commented Jun 26, 2026

Contributor

Frontend Unit Test Coverage Report

Coverage Summary

| Lines | Statements | Branches | Functions |
|---|---|---|---|
| Coverage: 43% | 43.54% (58072/133362) | 69.2% (7884/11392) | 41.56% (1298/3123) |

Unit Test Results

| Tests | Skipped | Failures | Errors | Time |
|---|---|---|---|---|
| 4978 | 0 💤 | 0 ❌ | 0 🔥 | 11m 7s ⏱️ |

@github-actions github-actions Bot added bug Something isn't working and removed bug Something isn't working labels Jun 27, 2026