feat: declarative input validation with opt-in runtime enforcement

- Add `minLength`/`maxLength` to `IO.String.Input`, mirroring existing `min`/`max` for `Int`/`Float`.
- Add `runtime_input_validation` to V3 `Schema` (and `RUNTIME_INPUT_VALIDATION` class attribute for V1 nodes). Default `False`

Signed-off-by: bigcat88 <bigcat88@icloud.com>

README.md

@@ -429,8 +429,6 @@ Use `--tls-keyfile key.pem --tls-certfile cert.pem` to enable TLS/SSL, the app w
 
 See also: [https://www.comfy.org/](https://www.comfy.org/)
 
-> _psst — we're hiring!_ Help build ComfyUI: [comfy.org/careers](https://www.comfy.org/careers)
-
 ## Frontend Development
 
 As of August 15, 2024, we have transitioned to a new frontend, which is now hosted in a separate repository: [ComfyUI Frontend](https://github.com/Comfy-Org/ComfyUI_frontend). This repository now hosts the compiled JS (from TS/Vue) under the `web/` directory.

SECURITY.md

@@ -1,44 +0,0 @@
-# Security Policy
-
-## Scope
-
-ComfyUI is designed to run locally. By default, the server binds to `127.0.0.1`, meaning only the user's own machine can reach it. Our threat model assumes:
-
-- The user installed ComfyUI through a supported channel: the desktop application, the portable build, or a manual install following the README.
-- The user has not installed untrusted custom nodes. Custom nodes are arbitrary Python code and are trusted as much as any other software the user chooses to install.
-- Anyone with access to the ComfyUI URL is trusted (a direct consequence of the localhost-only default).
-- PyTorch and other dependencies are at the versions we ship or recommend in the README.
-
-A report is in scope only if it affects a user operating within this threat model.
-
-## What We Consider a Vulnerability
-
-We want to hear about issues where a **reasonable user** — someone who does not install random untrusted nodes and who reads UI prompts and warnings before clicking through them — can be harmed by ComfyUI itself.
-
-The clearest example: a workflow file that such a user might plausibly load and run, using only built-in nodes, that results in **untrusted code execution, arbitrary file read/write outside expected directories, or credential/data exfiltration**.
-
-When submitting a report, please include a clear description of *why this is a problem for a typical local ComfyUI user*. Reports without this context are difficult to act on.
-
-## What We Do Not Consider a Security Vulnerability
-
-Please report the following through our regular [GitHub issues](https://github.com/comfyanonymous/ComfyUI/issues) instead. Filing them as security reports will likely cause them to be deprioritized or closed.
-
-- **Issues requiring `--listen` or any non-default network exposure.** ComfyUI binds to localhost by default. If a remote attacker needs to reach the server for the attack to work, the user has chosen to expose it and is responsible for securing that deployment (firewall, reverse proxy, authentication, etc.). These are bugs, not vulnerabilities.
-- **`torch.load` and related deserialization issues in old PyTorch versions.** These are upstream PyTorch issues. Our distributions ship with — and our documentation recommends — recent PyTorch versions where these are addressed.
-- **Vulnerabilities that depend on outdated library versions** that we neither ship nor recommend (e.g., requiring PyTorch 2.6 or older).
-- **Issues that require a specific custom node to be installed.** Custom nodes are third-party code. Report these to the maintainer of that node.
-- **Crashes, hangs, or resource exhaustion from a loaded workflow.** Annoying, but not a security issue in our model. File a regular bug.
-- **Social-engineering scenarios** where the user is expected to ignore an explicit UI warning or prompt.
-
-## Reporting
-
-If you believe you have found an issue that falls within the scope above, please report it privately via GitHub's [Report a vulnerability](https://github.com/comfyanonymous/ComfyUI/security/advisories/new) feature rather than opening a public issue.
-
-Please include:
-
-1. A description of the vulnerability and the affected component.
-2. Reproduction steps, ideally with a minimal workflow file or proof-of-concept.
-3. The ComfyUI version, install method (desktop / portable / manual), and OS.
-4. An explanation of how this affects a typical local user as described in the threat model.
-
-We will acknowledge valid reports and coordinate a fix and disclosure timeline with you.

app/frontend_management.py

@@ -38,54 +38,40 @@ def is_valid_version(version: str) -> bool:
     pattern = r"^(\d+)\.(\d+)\.(\d+)$"
     return bool(re.match(pattern, version))
 
+def get_installed_frontend_version():
+    """Get the currently installed frontend package version."""
+    frontend_version_str = version("comfyui-frontend-package")
+    return frontend_version_str
+
+
 def get_required_frontend_version():
     return get_required_packages_versions().get("comfyui-frontend-package", None)
 
 
-COMFY_PACKAGE_VERSIONS = []
-def get_comfy_package_versions():
-    """List installed/required versions for every comfy* package in requirements.txt."""
-    if COMFY_PACKAGE_VERSIONS:
-        return COMFY_PACKAGE_VERSIONS.copy()
-    out = COMFY_PACKAGE_VERSIONS
-    for name, required in (get_required_packages_versions() or {}).items():
-        if not name.startswith("comfy"):
-            continue
-        try:
-            installed = version(name)
-        except Exception:
-            installed = None
-        out.append({"name": name, "installed": installed, "required": required})
-    return out.copy()
+def check_frontend_version():
+    """Check if the frontend version is up to date."""
 
-
-def check_comfy_packages_versions():
-    """Warn for every comfy* package whose installed version is below requirements.txt."""
-    from packaging.version import InvalidVersion, parse as parse_pep440
-    for pkg in get_comfy_package_versions():
-        installed_str = pkg["installed"]
-        required_str = pkg["required"]
-        if not installed_str or not required_str:
-            continue
-        try:
-            outdated = parse_pep440(installed_str) < parse_pep440(required_str)
-        except InvalidVersion as e:
-            logging.error(f"Failed to check {pkg['name']} version: {e}")
-            continue
-        if outdated:
+    try:
+        frontend_version_str = get_installed_frontend_version()
+        frontend_version = parse_version(frontend_version_str)
+        required_frontend_str = get_required_frontend_version()
+        required_frontend = parse_version(required_frontend_str)
+        if frontend_version < required_frontend:
             app.logger.log_startup_warning(
                 f"""
 ________________________________________________________________________
 WARNING WARNING WARNING WARNING WARNING
 
-Installed {pkg["name"]} version {installed_str} is lower than the recommended version {required_str}.
+Installed frontend version {".".join(map(str, frontend_version))} is lower than the recommended version {".".join(map(str, required_frontend))}.
 
-{get_missing_requirements_message()}
+{frontend_install_warning_message()}
 ________________________________________________________________________
 """.strip()
             )
         else:
-            logging.info("{} version: {}".format(pkg["name"], installed_str))
+            logging.info("ComfyUI frontend version: {}".format(frontend_version_str))
+    except Exception as e:
+        logging.error(f"Failed to check frontend version: {e}")
 
 
 REQUEST_TIMEOUT = 10  # seconds
@@ -215,11 +201,6 @@ class FrontendManager:
     def get_required_templates_version(cls) -> str:
         return get_required_packages_versions().get("comfyui-workflow-templates", None)
 
-    @classmethod
-    def get_comfy_package_versions(cls):
-        """List installed/required versions for every comfy* package in requirements.txt."""
-        return get_comfy_package_versions()
-
     @classmethod
     def default_frontend_path(cls) -> str:
         try:
@@ -360,7 +341,7 @@ comfyui-workflow-templates is not installed.
             main error source might be request timeout or invalid URL.
         """
         if version_string == DEFAULT_VERSION_STRING:
-            check_comfy_packages_versions()
+            check_frontend_version()
             return cls.default_frontend_path()
 
         repo_owner, repo_name, version = cls.parse_version_string(version_string)
@@ -422,7 +403,7 @@ comfyui-workflow-templates is not installed.
         except Exception as e:
             logging.error("Failed to initialize frontend: %s", e)
             logging.info("Falling back to the default frontend.")
-            check_comfy_packages_versions()
+            check_frontend_version()
             return cls.default_frontend_path()
     @classmethod
     def template_asset_handler(cls):

comfy_api/latest/_io.py

@@ -327,11 +327,14 @@ class String(ComfyTypeIO):
         '''String input.'''
         def __init__(self, id: str, display_name: str=None, optional=False, tooltip: str=None, lazy: bool=None,
                     multiline=False, placeholder: str=None, default: str=None, dynamic_prompts: bool=None,
-                    socketless: bool=None, force_input: bool=None, extra_dict=None, raw_link: bool=None, advanced: bool=None):
+                    socketless: bool=None, force_input: bool=None, extra_dict=None, raw_link: bool=None, advanced: bool=None,
+                    min_length: int=None, max_length: int=None):
             super().__init__(id, display_name, optional, tooltip, lazy, default, socketless, None, force_input, extra_dict, raw_link, advanced)
             self.multiline = multiline
             self.placeholder = placeholder
             self.dynamic_prompts = dynamic_prompts
+            self.min_length = min_length
+            self.max_length = max_length
             self.default: str
 
         def as_dict(self):
@@ -339,6 +342,8 @@ class String(ComfyTypeIO):
                 "multiline": self.multiline,
                 "placeholder": self.placeholder,
                 "dynamicPrompts": self.dynamic_prompts,
+                "minLength": self.min_length,
+                "maxLength": self.max_length,
             })
 
 @comfytype(io_type="COMBO")
@@ -1551,6 +1556,12 @@ class Schema:
     Use this for nodes with interactive/operable UI regions that produce intermediate outputs
     (e.g., Image Crop, Painter) rather than final outputs (e.g., Save Image).
     """
+    runtime_input_validation: bool = False
+    """Opt this node into runtime validation of declared input bounds (STRING minLength/maxLength,
+    INT/FLOAT min/max, COMBO membership) against resolved values, including values that arrive via links.
+
+    When False, only direct widget values are validated pre-execution and linked values flow through unchecked.
+    """
 
     def validate(self):
         '''Validate the schema:
@@ -2006,6 +2017,14 @@ class _ComfyNodeBaseInternal(_ComfyNodeInternal):
             cls.GET_SCHEMA()
         return cls._ACCEPT_ALL_INPUTS
 
+    _RUNTIME_INPUT_VALIDATION = None
+    @final
+    @classproperty
+    def RUNTIME_INPUT_VALIDATION(cls):  # noqa
+        if cls._RUNTIME_INPUT_VALIDATION is None:
+            cls.GET_SCHEMA()
+        return cls._RUNTIME_INPUT_VALIDATION
+
     @final
     @classmethod
     def INPUT_TYPES(cls) -> dict[str, dict]:
@@ -2050,6 +2069,8 @@ class _ComfyNodeBaseInternal(_ComfyNodeInternal):
             cls._NOT_IDEMPOTENT = schema.not_idempotent
         if cls._ACCEPT_ALL_INPUTS is None:
             cls._ACCEPT_ALL_INPUTS = schema.accept_all_inputs
+        if cls._RUNTIME_INPUT_VALIDATION is None:
+            cls._RUNTIME_INPUT_VALIDATION = schema.runtime_input_validation
 
         if cls._RETURN_TYPES is None:
             output = []

execution.py

@@ -83,7 +83,7 @@ class IsChangedCache:
             return self.is_changed[node_id]
 
         # Intentionally do not use cached outputs here. We only want constants in IS_CHANGED
-        input_data_all, _, v3_data = get_input_data(node["inputs"], class_def, node_id, None)
+        input_data_all, _, v3_data, _ = get_input_data(node["inputs"], class_def, node_id, None)
         try:
             is_changed = await _async_map_node_over_list(self.prompt_id, node_id, class_def, input_data_all, is_changed_name, v3_data=v3_data)
             is_changed = await resolve_map_node_over_list_results(is_changed)
@@ -215,7 +215,52 @@ def get_input_data(inputs, class_def, unique_id, execution_list=None, dynprompt=
                 if h[x] == "API_KEY_COMFY_ORG":
                     input_data_all[x] = [extra_data.get("api_key_comfy_org", None)]
     v3_data["hidden_inputs"] = hidden_inputs_v3
-    return input_data_all, missing_keys, v3_data
+    return input_data_all, missing_keys, v3_data, valid_inputs
+
+def _check_resolved_input_bounds(name, val, input_type, extra_info):
+    """Raise ValueError if a single resolved value violates declared bounds."""
+    if input_type == "STRING":
+        if not isinstance(val, str):
+            return
+        min_length = extra_info.get("minLength")
+        max_length = extra_info.get("maxLength")
+        if min_length is not None and len(val) < min_length:
+            raise ValueError(f"Input '{name}': string length {len(val)} is shorter than minLength of {min_length}")
+        if max_length is not None and len(val) > max_length:
+            raise ValueError(f"Input '{name}': string length {len(val)} is longer than maxLength of {max_length}")
+    elif input_type in ("INT", "FLOAT"):
+        if isinstance(val, bool) or not isinstance(val, (int, float)):
+            return
+        min_v = extra_info.get("min")
+        max_v = extra_info.get("max")
+        if min_v is not None and val < min_v:
+            raise ValueError(f"Input '{name}': value {val} is smaller than min of {min_v}")
+        if max_v is not None and val > max_v:
+            raise ValueError(f"Input '{name}': value {val} is bigger than max of {max_v}")
+    elif isinstance(input_type, list) or input_type == io.Combo.io_type:
+        combo_options = extra_info.get("options", []) if input_type == io.Combo.io_type else input_type
+        is_multiselect = extra_info.get("multiselect", False)
+        if is_multiselect and isinstance(val, list):
+            invalid_vals = [v for v in val if v not in combo_options]
+        else:
+            invalid_vals = [val] if val not in combo_options else []
+        if invalid_vals:
+            raise ValueError(f"Input '{name}': value(s) {invalid_vals} not in combo options")
+
+
+def _validate_resolved_inputs(class_def, input_data_all, valid_inputs):
+    """Enforce declared input bounds against resolved values, including values that arrive via links."""
+    if not getattr(class_def, "RUNTIME_INPUT_VALIDATION", False):
+        return
+
+    for x, values in input_data_all.items():
+        input_type, _, extra_info = get_input_info(class_def, x, valid_inputs)
+        if input_type is None or extra_info is None:
+            continue
+        for val in values:
+            if val is None:
+                continue
+            _check_resolved_input_bounds(x, val, input_type, extra_info)
 
 map_node_over_list = None #Don't hook this please
 
@@ -480,7 +525,7 @@ async def execute(server, dynprompt, caches, current_item, extra_data, executed,
             has_subgraph = False
         else:
             get_progress_state().start_progress(unique_id)
-            input_data_all, missing_keys, v3_data = get_input_data(inputs, class_def, unique_id, execution_list, dynprompt, extra_data)
+            input_data_all, missing_keys, v3_data, valid_inputs = get_input_data(inputs, class_def, unique_id, execution_list, dynprompt, extra_data)
             if server.client_id is not None:
                 server.last_node_id = display_node_id
                 server.send_sync("executing", { "node": unique_id, "display_node": display_node_id, "prompt_id": prompt_id }, server.client_id)
@@ -509,6 +554,8 @@ async def execute(server, dynprompt, caches, current_item, extra_data, executed,
                         execution_list.make_input_strong_link(unique_id, i)
                     return (ExecutionResult.PENDING, None, None)
 
+            _validate_resolved_inputs(class_def, input_data_all, valid_inputs)
+
             def execution_block_cb(block):
                 if block.message is not None:
                     mes = {
@@ -1014,6 +1061,36 @@ async def validate_inputs(prompt_id, prompt, item, validated, visiting=None):
                     errors.append(error)
                     continue
 
+                if input_type == "STRING":
+                    min_length = extra_info.get("minLength")
+                    max_length = extra_info.get("maxLength")
+                    if min_length is not None and len(val) < min_length:
+                        error = {
+                            "type": "value_shorter_than_min_length",
+                            "message": f"Value length {len(val)} shorter than min length of {min_length}",
+                            "details": f"{x}",
+                            "extra_info": {
+                                "input_name": x,
+                                "input_config": info,
+                                "received_value": val,
+                            }
+                        }
+                        errors.append(error)
+                        continue
+                    if max_length is not None and len(val) > max_length:
+                        error = {
+                            "type": "value_longer_than_max_length",
+                            "message": f"Value length {len(val)} longer than max length of {max_length}",
+                            "details": f"{x}",
+                            "extra_info": {
+                                "input_name": x,
+                                "input_config": info,
+                                "received_value": val,
+                            }
+                        }
+                        errors.append(error)
+                        continue
+
                 if isinstance(input_type, list) or input_type == io.Combo.io_type:
                     if input_type == io.Combo.io_type:
                         combo_options = extra_info.get("options", [])
@@ -1050,7 +1127,7 @@ async def validate_inputs(prompt_id, prompt, item, validated, visiting=None):
                         continue
 
     if len(validate_function_inputs) > 0 or validate_has_kwargs:
-        input_data_all, _, v3_data = get_input_data(inputs, obj_class, unique_id)
+        input_data_all, _, v3_data, _ = get_input_data(inputs, obj_class, unique_id)
         input_filtered = {}
         for x in input_data_all:
             if x in validate_function_inputs or validate_has_kwargs:

openapi.yaml

@@ -6030,24 +6030,6 @@ components:
               type: string
               nullable: true
               description: Minimum required workflow templates version for this ComfyUI build
-            comfy_package_versions:
-              type: array
-              description: Installed and required versions for every comfy* package pinned in requirements.txt
-              items:
-                type: object
-                required:
-                  - name
-                  - installed
-                  - required
-                properties:
-                  name:
-                    type: string
-                  installed:
-                    type: string
-                    nullable: true
-                  required:
-                    type: string
-                    nullable: true
         devices:
           type: array
           items:

server.py

@@ -656,7 +656,6 @@ class PromptServer():
             required_frontend_version = FrontendManager.get_required_frontend_version()
             installed_templates_version = FrontendManager.get_installed_templates_version()
             required_templates_version = FrontendManager.get_required_templates_version()
-            comfy_package_versions = FrontendManager.get_comfy_package_versions()
 
             system_stats = {
                 "system": {
@@ -667,7 +666,6 @@ class PromptServer():
                     "required_frontend_version": required_frontend_version,
                     "installed_templates_version": installed_templates_version,
                     "required_templates_version": required_templates_version,
-                    "comfy_package_versions": comfy_package_versions,
                     "python_version": sys.version,
                     "pytorch_version": comfy.model_management.torch_version,
                     "embedded_python": os.path.split(os.path.split(sys.executable)[0])[1] == "python_embeded",

tests-unit/app_test/frontend_manager_test.py

@@ -52,10 +52,7 @@ def mock_provider(mock_releases):
 @pytest.fixture(autouse=True)
 def clear_cache():
     import utils.install_util
-    import app.frontend_management
-
     utils.install_util.PACKAGE_VERSIONS = {}
-    app.frontend_management.COMFY_PACKAGE_VERSIONS = []
 
 
 def test_get_release(mock_provider, mock_releases):
@@ -150,7 +147,7 @@ def test_init_frontend_default_with_mocks():
 
     # Act
     with (
-        patch("app.frontend_management.check_comfy_packages_versions") as mock_check,
+        patch("app.frontend_management.check_frontend_version") as mock_check,
         patch.object(
             FrontendManager, "default_frontend_path", return_value="/mocked/path"
         ),
@@ -171,7 +168,7 @@ def test_init_frontend_fallback_on_error():
         patch.object(
             FrontendManager, "init_frontend_unsafe", side_effect=Exception("Test error")
         ),
-        patch("app.frontend_management.check_comfy_packages_versions") as mock_check,
+        patch("app.frontend_management.check_frontend_version") as mock_check,
         patch.object(
             FrontendManager, "default_frontend_path", return_value="/default/path"
         ),
@@ -280,9 +277,7 @@ def test_get_installed_templates_version():
 
 def test_get_installed_templates_version_not_installed():
     # Act
-    with patch(
-        "app.frontend_management.version", side_effect=Exception("Package not found")
-    ):
+    with patch("app.frontend_management.version", side_effect=Exception("Package not found")):
         version = FrontendManager.get_installed_templates_version()
 
     # Assert

tests/execution/test_execution.py

@@ -1011,3 +1011,124 @@ class TestExecution:
         """Test getting a non-existent job returns 404"""
         job = client.get_job("nonexistent-job-id")
         assert job is None, "Non-existent job should return None"
+
+
+    @pytest.mark.parametrize("text, expect_error", [
+        ("hello", False),       # 5 chars, within [3, 10]
+        ("abc", False),         # 3 chars, exact min boundary
+        ("abcdefghij", False),  # 10 chars, exact max boundary
+        ("ab", True),           # 2 chars, below min
+        ("abcdefghijk", True),  # 11 chars, above max
+        ("", True),             # 0 chars, below min
+    ])
+    def test_string_length_widget_validation(self, text, expect_error, client: ComfyClient, builder: GraphBuilder):
+        """Test minLength/maxLength validation for direct widget values (validate_inputs path)."""
+        g = builder
+        node = g.node("StubStringWithLength", text=text)
+        g.node("SaveImage", images=node.out(0))
+        if expect_error:
+            with pytest.raises(urllib.error.HTTPError) as exc_info:
+                client.run(g)
+            assert exc_info.value.code == 400
+        else:
+            client.run(g)
+
+
+    @pytest.mark.parametrize("text, expect_error", [
+        ("hello", False),       # within bounds
+        ("ab", True),           # below min
+        ("abcdefghijk", True),  # above max
+    ])
+    def test_string_length_linked_validation(self, text, expect_error, client: ComfyClient, builder: GraphBuilder):
+        """Test minLength/maxLength validation for linked inputs when node opts in via RUNTIME_INPUT_VALIDATION=True."""
+        g = builder
+        str_node = g.node("StubStringOutput", value=text)
+        node = g.node("StubStringWithLength", text=str_node.out(0))
+        g.node("SaveImage", images=node.out(0))
+
+        if expect_error:
+            try:
+                client.run(g)
+                assert False, "Should have raised an error"
+            except Exception as e:
+                assert 'prompt_id' in e.args[0], f"Did not get proper error message: {e}"
+        else:
+            client.run(g)
+
+
+    @pytest.mark.parametrize("text", [
+        "ab",            # below declared minLength
+        "abcdefghijk",   # above declared maxLength
+        "",              # empty
+        "hello",         # within bounds
+    ])
+    def test_string_length_linked_skipped_without_flag(self, text, client: ComfyClient, builder: GraphBuilder):
+        """Without RUNTIME_INPUT_VALIDATION=True, declared bounds must NOT be enforced for linked values.
+
+        Preserves V1 behavior: many existing workflows rely on out-of-bounds values passing
+        through links. Adding declared bounds without the flag must not break them.
+        """
+        g = builder
+        str_node = g.node("StubStringOutput", value=text)
+        node = g.node("StubStringWithLengthNoFlag", text=str_node.out(0))
+        g.node("SaveImage", images=node.out(0))
+        client.run(g)
+
+
+    @pytest.mark.parametrize("value, expect_error", [
+        (5, False),     # within [1, 10]
+        (1, False),     # exact min boundary
+        (10, False),    # exact max boundary
+        (0, True),      # below min
+        (11, True),     # above max
+        (-7, True),     # well below min
+    ])
+    def test_int_bounds_linked_validation(self, value, expect_error, client: ComfyClient, builder: GraphBuilder):
+        """min/max validation for linked INT inputs when node opts in via RUNTIME_INPUT_VALIDATION=True.
+
+        Direct widget INT values are already validated pre-execution. This test exercises the
+        symmetric runtime path for values arriving through a connection.
+        """
+        g = builder
+        int_node = g.node("StubInt", value=value)
+        node = g.node("StubIntWithBounds", value=int_node.out(0))
+        g.node("SaveImage", images=node.out(0))
+
+        if expect_error:
+            try:
+                client.run(g)
+                assert False, "Should have raised an error"
+            except Exception as e:
+                assert 'prompt_id' in e.args[0], f"Did not get proper error message: {e}"
+        else:
+            client.run(g)
+
+
+    @pytest.mark.parametrize("choice, expect_error", [
+        ("RED", False),
+        ("GREEN", False),
+        ("BLUE", False),
+        ("PURPLE", True),
+        ("", True),
+        ("red", True),    # case-sensitive
+    ])
+    def test_combo_membership_linked_validation(self, choice, expect_error, client: ComfyClient, builder: GraphBuilder):
+        """COMBO option membership for linked values when node opts in via RUNTIME_INPUT_VALIDATION=True.
+
+        StubComboWithOptions declares ``input_types`` in VALIDATE_INPUTS to bypass the engine's
+        link-type compatibility check, so we can feed a STRING into a COMBO and verify the
+        runtime membership check fires.
+        """
+        g = builder
+        str_node = g.node("StubStringOutput", value=choice)
+        node = g.node("StubComboWithOptions", choice=str_node.out(0))
+        g.node("SaveImage", images=node.out(0))
+
+        if expect_error:
+            try:
+                client.run(g)
+                assert False, "Should have raised an error"
+            except Exception as e:
+                assert 'prompt_id' in e.args[0], f"Did not get proper error message: {e}"
+        else:
+            client.run(g)

tests/execution/testing_nodes/testing-pack/stubs.py

@@ -113,12 +113,117 @@ class StubFloat:
     def stub_float(self, value):
         return (value,)
 
+class StubStringOutput:
+    @classmethod
+    def INPUT_TYPES(cls):
+        return {
+            "required": {
+                "value": ("STRING", {"default": ""}),
+            },
+        }
+
+    RETURN_TYPES = ("STRING",)
+    FUNCTION = "stub_string"
+
+    CATEGORY = "Testing/Stub Nodes"
+
+    def stub_string(self, value):
+        return (value,)
+
+class StubStringWithLength:
+    """STRING input with declared bounds AND opted in to runtime validation (RUNTIME_INPUT_VALIDATION = True)."""
+    @classmethod
+    def INPUT_TYPES(cls):
+        return {
+            "required": {
+                "text": ("STRING", {"default": "hello", "minLength": 3, "maxLength": 10}),
+            },
+        }
+
+    RETURN_TYPES = ("IMAGE",)
+    FUNCTION = "stub_string_with_length"
+    RUNTIME_INPUT_VALIDATION = True
+
+    CATEGORY = "Testing/Stub Nodes"
+
+    def stub_string_with_length(self, text):
+        return (torch.zeros(1, 64, 64, 3),)
+
+class StubStringWithLengthNoFlag:
+    """Same bounds as StubStringWithLength but NOT opted in - linked values must flow through unchecked."""
+    @classmethod
+    def INPUT_TYPES(cls):
+        return {
+            "required": {
+                "text": ("STRING", {"default": "hello", "minLength": 3, "maxLength": 10}),
+            },
+        }
+
+    RETURN_TYPES = ("IMAGE",)
+    FUNCTION = "stub_string_with_length_no_flag"
+
+    CATEGORY = "Testing/Stub Nodes"
+
+    def stub_string_with_length_no_flag(self, text):
+        return (torch.zeros(1, 64, 64, 3),)
+
+class StubIntWithBounds:
+    """INT input with min/max bounds AND opted in to runtime validation."""
+    @classmethod
+    def INPUT_TYPES(cls):
+        return {
+            "required": {
+                "value": ("INT", {"default": 5, "min": 1, "max": 10}),
+            },
+        }
+
+    RETURN_TYPES = ("IMAGE",)
+    FUNCTION = "stub_int_with_bounds"
+    RUNTIME_INPUT_VALIDATION = True
+
+    CATEGORY = "Testing/Stub Nodes"
+
+    def stub_int_with_bounds(self, value):
+        return (torch.zeros(1, 64, 64, 3),)
+
+class StubComboWithOptions:
+    """COMBO input opted in to runtime validation.
+
+    Declares ``input_types`` in VALIDATE_INPUTS to bypass the engine's link-type compatibility
+    check, allowing tests to link a STRING into a COMBO and exercise the runtime membership check.
+    """
+    @classmethod
+    def INPUT_TYPES(cls):
+        return {
+            "required": {
+                "choice": (["RED", "GREEN", "BLUE"],),
+            },
+        }
+
+    RETURN_TYPES = ("IMAGE",)
+    FUNCTION = "stub_combo"
+    RUNTIME_INPUT_VALIDATION = True
+
+    CATEGORY = "Testing/Stub Nodes"
+
+    @classmethod
+    def VALIDATE_INPUTS(cls, input_types):
+        return True
+
+    def stub_combo(self, choice):
+        return (torch.zeros(1, 64, 64, 3),)
+
 TEST_STUB_NODE_CLASS_MAPPINGS = {
     "StubImage": StubImage,
     "StubConstantImage": StubConstantImage,
     "StubMask": StubMask,
     "StubInt": StubInt,
     "StubFloat": StubFloat,
+    "StubStringOutput": StubStringOutput,
+    "StubStringWithLength": StubStringWithLength,
+    "StubStringWithLengthNoFlag": StubStringWithLengthNoFlag,
+    "StubIntWithBounds": StubIntWithBounds,
+    "StubComboWithOptions": StubComboWithOptions,
 }
 TEST_STUB_NODE_DISPLAY_NAME_MAPPINGS = {
     "StubImage": "Stub Image",
@@ -126,4 +231,9 @@ TEST_STUB_NODE_DISPLAY_NAME_MAPPINGS = {
     "StubMask": "Stub Mask",
     "StubInt": "Stub Int",
     "StubFloat": "Stub Float",
+    "StubStringOutput": "Stub String Output",
+    "StubStringWithLength": "Stub String With Length",
+    "StubStringWithLengthNoFlag": "Stub String With Length (No Flag)",
+    "StubIntWithBounds": "Stub Int With Bounds",
+    "StubComboWithOptions": "Stub Combo With Options",
 }