[Partner Nodes] add SD2 real human support

[bigcat88]

API Node PR Checklist

Scope

• Is API Node Change

Pricing & Billing

• Need pricing update
• No pricing update

If Need pricing update:

• Metronome rate cards updated
• Auto‑billing tests updated and passing

QA

• QA done
• QA not required

Comms

• Informed Kosinkadink

[coderabbitai]

📝 Walkthrough

Walkthrough

Adds Seedance asset-management to the ByteDance nodes and polling UI updates. Reference asset IDs are resolved to asset://<id> URIs with Active status enforcement; slot-specific labels (Image N/Video N/Audio N) are generated and prompt tokens like assetNN are rewritten case-insensitively. ByteDance2FirstLastFrameNode now accepts first_frame_asset_id/last_frame_asset_id with mutual-exclusion validation; ByteDance2ReferenceNode gains reference_assets (autogrow asset_N), updated validation/caps, and appends asset-derived Task*Content after uploaded entries. New nodes ByteDanceCreateImageAsset and ByteDanceCreateVideoAsset create personal assets (polling until Active) and output asset_id and group_id. Polling APIs (poll_op, poll_op_raw, _display_time_progress) accept extra_text.

🚥 Pre-merge checks | ✅ 2 | ❌ 3

❌ Failed checks (2 warnings, 1 inconclusive)

Check name	Status	Explanation	Resolution
Title check	⚠️ Warning	The title '[Partner Nodes] add SD2 real human support' does not match the actual changeset, which primarily adds Seedance asset support and creates new ByteDance nodes, not SD2 real human features.	Update the title to reflect the actual changes, such as '[Partner Nodes] add Seedance asset support for ByteDance nodes' or '[Partner Nodes] add ByteDance asset creation and management nodes'.
Docstring Coverage	⚠️ Warning	Docstring coverage is 36.00% which is insufficient. The required threshold is 80.00%.	Write docstrings for the functions missing them to satisfy the coverage threshold.
Description check	❓ Inconclusive	The description contains only a checklist with no substantive information about the changes being made in this pull request.	Add a meaningful description explaining what Seedance asset support adds, how the new ByteDance nodes work, and what the changes enable for users.

✅ Passed checks (2 passed)

Check name	Status	Explanation
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Actionable comments posted: 5

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@comfy_api_nodes/nodes_bytedance.py`:
- Around line 1755-1757: The price extractor is incorrectly marking
has_video_input False when the user supplies only video assets; update the logic
that sets has_video_input (currently using reference_videos and model_id from
SEEDANCE_MODELS) to also detect video content from the incoming assets/task
payload (e.g., check reference_videos OR any input/asset with type "video" or
TaskVideoContent) so the price_extractor uses the video rate; apply the same
change for the other instance referenced (around the second occurrence of
has_video_input/price_extractor).
- Around line 126-130: The code interpolates unescaped asset_id directly into
ApiEndpoint paths (e.g., the ApiEndpoint call within the async sync_op call that
returns GetAssetResponse), which allows user-controlled characters to break the
URL; fix by percent-encoding asset_id before inserting it into the path (use a
standard URL-encoding utility to quote the path segment) wherever
ApiEndpoint(...f"/proxy/seedance/assets/{asset_id}"...) is constructed
(including the other similar occurrence later in this module), ensuring the
encoded value is passed into ApiEndpoint and left as a single path segment.
- Line 1948: Uncomment and enable the API-node flag for the new asset-creation
node definitions by restoring is_api_node=True in their node declarations (the
two asset-creation nodes currently commenting out is_api_node); this ensures
they are treated like other ByteDance API nodes and pick up API-node specific
UI/handling. Locate the asset-creation node definitions in nodes_bytedance.py
and remove the comment marker so is_api_node=True is active for those nodes.
- Line 203: Remove the warning that logs the ephemeral H5 verification URL to
avoid leaking credentials: locate the logger.warning call that references
session.h5_link (in comfy_api_nodes/nodes_bytedance.py) and replace it with a
non-sensitive message (e.g., "Seedance authentication required — present
verification link to user interface") or omit the URL entirely; ensure
session.h5_link remains available for UI display but is not written to logs,
keeping the change limited to the logger.warning invocation.
- Around line 207-218: The poll_op call that polls Seedance visual-validate
sessions (the invocation using ApiEndpoint and
SeedanceGetVisualValidateSessionResponse) must exclude queued statuses from the
attempt counter and use a ceiling-based attempt limit: add queued_statuses=[] to
the poll_op kwargs and change max_poll_attempts from
(_VERIFICATION_POLL_TIMEOUT_SEC // _VERIFICATION_POLL_INTERVAL_SEC) - 1 to
math.ceil(_VERIFICATION_POLL_TIMEOUT_SEC / _VERIFICATION_POLL_INTERVAL_SEC)
(import math if needed) so queued statuses like "created"/"initializing"/"wait"
don't bypass the timeout; keep the other args (status_extractor,
completed_statuses, failed_statuses, poll_interval, estimated_duration,
extra_text=h5_text) unchanged.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

Run ID: 0d3716b1-43ae-499b-ba5b-c151c7836691

📥 Commits

Reviewing files that changed from the base of the PR and between 91e1f45 and 370a857.

⛔ Files ignored due to path filters (1)

• comfy_api_nodes/apis/bytedance.py is excluded by !comfy_api_nodes/apis/**

📒 Files selected for processing (2)

• comfy_api_nodes/nodes_bytedance.py
• comfy_api_nodes/util/client.py

[coderabbitai]

Actionable comments posted: 1

♻️ Duplicate comments (3)

comfy_api_nodes/nodes_bytedance.py (3)

126-130: ⚠️ Potential issue | 🟠 Major

Encode asset IDs before embedding them in proxy paths.

Still present from the prior review: asset_id is user-controlled in reference flows and is interpolated as a raw path segment, so /, ?, or # can alter the proxied route/query.

🛡️ Proposed fix

 import logging
 import math
 import re
+from urllib.parse import quote
@@
+def _seedance_asset_endpoint(asset_id: str) -> ApiEndpoint:
+    return ApiEndpoint(path=f"/proxy/seedance/assets/{quote(asset_id, safe='')}")
+
+
 async def _resolve_reference_assets(
@@
         result = await sync_op(
             cls,
-            ApiEndpoint(path=f"/proxy/seedance/assets/{asset_id}"),
+            _seedance_asset_endpoint(asset_id),
             response_model=GetAssetResponse,
         )
@@
     return await poll_op(
         cls,
-        ApiEndpoint(path=f"/proxy/seedance/assets/{asset_id}"),
+        _seedance_asset_endpoint(asset_id),
         response_model=GetAssetResponse,

As per coding guidelines, comfy_api_nodes/** integrations should focus on “Security of user data passed to external APIs”.

Also applies to: 259-264

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@comfy_api_nodes/nodes_bytedance.py` around lines 126 - 130, The code uses the
user-controlled variable asset_id interpolated directly into ApiEndpoint path in
the call to sync_op (ApiEndpoint(path=f"/proxy/seedance/assets/{asset_id}"),
response_model=GetAssetResponse) which allows path traversal or query injection;
fix by URL-encoding/percent-encoding asset_id before embedding it in the path
(replace direct interpolation with an encoded variable) and apply the same fix
to the other occurrence around the sync_op call at lines ~259-264; ensure you
call a standard encoder (e.g., urllib.parse.quote or equivalent) so characters
like '/', '?', and '#' are percent-encoded before constructing the ApiEndpoint
path.

---

203-205: ⚠️ Potential issue | 🟠 Major

Avoid logging the H5 verification link.

Still present from the prior review: session.h5_link is an authentication/verification URL and should be displayed in the node UI, not written to logs.

🛡️ Proposed fix

-    logger.warning("Seedance authentication required. Open link: %s", session.h5_link)
+    logger.warning("Seedance authentication required; verification link displayed in the node UI.")

As per coding guidelines, comfy_api_nodes/** integrations should focus on “Security of user data passed to external APIs”.

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@comfy_api_nodes/nodes_bytedance.py` around lines 203 - 205, The code
currently logs the sensitive verification URL (session.h5_link) via
logger.warning; remove that log call and ensure the link is only used to
populate the UI text (h5_text) for display to the user. Specifically, delete or
change the logger.warning(...) reference to not include session.h5_link and keep
building h5_text = f"Open this link..." using session.h5_link so the URL is only
surfaced in the node UI (referencing logger.warning, h5_text, and
session.h5_link).

---

207-218: ⚠️ Potential issue | 🟠 Major

Keep queued statuses from bypassing the poll timeout.

Still present from the prior review: poll_op does not count default queued statuses toward max_poll_attempts, so these flows can poll longer than intended if Seedance returns queued-like states.

⏱️ Proposed fix

     result = await poll_op(
         cls,
         ApiEndpoint(path=f"/proxy/seedance/visual-validate/sessions/{session.session_id}"),
         response_model=SeedanceGetVisualValidateSessionResponse,
         status_extractor=lambda r: r.status,
         completed_statuses=["completed"],
         failed_statuses=["failed"],
+        queued_statuses=[],
         poll_interval=_VERIFICATION_POLL_INTERVAL_SEC,
-        max_poll_attempts=(_VERIFICATION_POLL_TIMEOUT_SEC // _VERIFICATION_POLL_INTERVAL_SEC) - 1,
+        max_poll_attempts=math.ceil(_VERIFICATION_POLL_TIMEOUT_SEC / _VERIFICATION_POLL_INTERVAL_SEC),
         estimated_duration=_VERIFICATION_POLL_TIMEOUT_SEC - 1,
         extra_text=h5_text,
     )
@@
     return await poll_op(
         cls,
         ApiEndpoint(path=f"/proxy/seedance/assets/{asset_id}"),
         response_model=GetAssetResponse,
         status_extractor=lambda r: r.status,
         completed_statuses=["Active"],
         failed_statuses=["Failed"],
+        queued_statuses=[],
         poll_interval=5,
         max_poll_attempts=1200,
         extra_text=f"Waiting for asset pre-processing...\n\nasset_id: {asset_id}\n\ngroup_id: {group_id}",
     )

As per coding guidelines, comfy_api_nodes/** integrations should focus on “Proper error handling for API failures”.

Also applies to: 259-271

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@comfy_api_nodes/nodes_bytedance.py` around lines 207 - 218, poll_op calls for
Seedance visual-validate sessions are currently not counting "queued"-type
statuses toward max_poll_attempts, allowing polls to exceed the intended
timeout; update the poll_op invocation in the Seedance flow (the call using
ApiEndpoint(.../visual-validate/sessions/{session.session_id}) and the similar
block at 259-271) to pass the queued/queued-like statuses returned by Seedance
(for example "queued", "pending", etc.) via the poll_op parameter that controls
which statuses should be treated as normal attempts (e.g., queued_statuses or
similar), so that poll_op will decrement/max out attempts when those states are
seen and respect max_poll_attempts/estimated_duration as intended.

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@comfy_api_nodes/nodes_bytedance.py`:
- Around line 1727-1731: Before calling _resolve_reference_assets and before
invoking _build_asset_labels, validate the model's reference_assets (from
reference_assets = model.get("reference_assets", {})) to detect duplicate asset
IDs across slots and reject them: if two or more slots reference the same
asset_id, raise/return an explicit validation error (or remove duplicates per
product decision) so that _build_asset_labels and content builders (e.g.,
TaskImageContent) cannot produce mismatched labels for collapsed assets; make
this check in the same function that currently calls _resolve_reference_assets
(using cls and model), and apply the same validation where reference assets are
processed for the other block (lines ~1790–1857) to ensure consistency.

---

Duplicate comments:
In `@comfy_api_nodes/nodes_bytedance.py`:
- Around line 126-130: The code uses the user-controlled variable asset_id
interpolated directly into ApiEndpoint path in the call to sync_op
(ApiEndpoint(path=f"/proxy/seedance/assets/{asset_id}"),
response_model=GetAssetResponse) which allows path traversal or query injection;
fix by URL-encoding/percent-encoding asset_id before embedding it in the path
(replace direct interpolation with an encoded variable) and apply the same fix
to the other occurrence around the sync_op call at lines ~259-264; ensure you
call a standard encoder (e.g., urllib.parse.quote or equivalent) so characters
like '/', '?', and '#' are percent-encoded before constructing the ApiEndpoint
path.
- Around line 203-205: The code currently logs the sensitive verification URL
(session.h5_link) via logger.warning; remove that log call and ensure the link
is only used to populate the UI text (h5_text) for display to the user.
Specifically, delete or change the logger.warning(...) reference to not include
session.h5_link and keep building h5_text = f"Open this link..." using
session.h5_link so the URL is only surfaced in the node UI (referencing
logger.warning, h5_text, and session.h5_link).
- Around line 207-218: poll_op calls for Seedance visual-validate sessions are
currently not counting "queued"-type statuses toward max_poll_attempts, allowing
polls to exceed the intended timeout; update the poll_op invocation in the
Seedance flow (the call using
ApiEndpoint(.../visual-validate/sessions/{session.session_id}) and the similar
block at 259-271) to pass the queued/queued-like statuses returned by Seedance
(for example "queued", "pending", etc.) via the poll_op parameter that controls
which statuses should be treated as normal attempts (e.g., queued_statuses or
similar), so that poll_op will decrement/max out attempts when those states are
seen and respect max_poll_attempts/estimated_duration as intended.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

Run ID: bd7c5482-69ca-438b-ac83-717ea4678ae8

📥 Commits

Reviewing files that changed from the base of the PR and between 370a857 and 0efa7cc.

📒 Files selected for processing (1)

• comfy_api_nodes/nodes_bytedance.py