- Break long SVG path lines in login pages (E501)
- Remove unused request parameter from callbacks (ARG001)
- Add noqa for too-many-returns in OAuth callbacks (PLR0911)
- Remove unused CORSMiddleware import
- Fix type narrowing in logout redirect
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
Support cross-domain auth for tensors-web with return_url parameter.
New endpoints: /auth/login, /auth/github, /auth/callback, /auth/verify
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- Add GitHub OAuth flow with /comfy/auth/github and /comfy/auth/callback
- User allowlist via GITHUB_ALLOWED_USERS environment variable
- CSRF protection with state parameter
- Keep same dark mode login page design (saved screenshot)
- Strip Origin header from proxied requests (fixes ComfyUI 403s)
- Add manual CORS headers to proxy responses
Env vars: GITHUB_CLIENT_ID, GITHUB_CLIENT_SECRET, GITHUB_ALLOWED_USERS
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
CORS spec doesn't allow credentials with wildcard origins.
This was causing 403 for all crossorigin module preloads.
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
CORS preflight requests don't send cookies, so they were failing auth.
Now OPTIONS requests are allowed through without authentication.
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
modulepreload links use crossorigin attribute which doesn't send
cookies, so static assets (JS, CSS, fonts, images, JSON) are now
allowed without session authentication.
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- New /comfy/* routes that proxy to local ComfyUI instance
- Dark mode login page with session-based auth (HMAC-signed cookies)
- HTTP proxy for all ComfyUI requests
- WebSocket proxy for real-time features
- Environment variables: COMFYUI_URL, COMFYUI_USER, COMFYUI_PASS, SESSION_SECRET
- Added websockets and python-multipart to server dependencies
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
Unified search at /api/search handles both CivitAI and HuggingFace.
CivitAI routes now only provide:
- /api/civitai/model/{id} - get model by ID
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- Document unified search with --provider flag (civitai, hf, all)
- Add /api/search to server endpoints
- Add TypeScript client section (@saiden/tensors)
- Add public API info (tensors-api.saiden.dev)
- Update search options table with provider column
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- Console is now optional for headless/server usage
- Progress spinner only shown when console is provided
- Error messages print only when console is provided
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- Add --provider flag to search command (civitai, hf, or all)
- Default to searching both providers simultaneously
- Add /api/search unified REST endpoint
- Map common parameters (sort, author, tag) across providers
- Remove separate `hf search` subcommand (use `search -P hf`)
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- Add `tsr hf search` to search HF models with safetensor files
- Add `tsr hf get` to view model info and list safetensor files
- Add `tsr hf files` to list safetensor files in a model
- Add `tsr hf dl` to download safetensor files from HF
Uses official huggingface_hub library for API access.
Only safetensor files are supported (enforced at search and download).
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- Add SVG icon with red rounded border "T"
- Add PyPI version, coverage, Python version, and license badges
- Remove video embed from README
- Center header with icon
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
Adam Ladachowski