Comfy-Org
diff --git a/‎comfy_cli/command/custom_nodes/command.py‎
Lines changed: 12 additions & 0 deletions b/‎comfy_cli/command/custom_nodes/command.py‎
Lines changed: 12 additions & 0 deletions
diff --git a/‎comfy_cli/registry/config_parser.py‎
Lines changed: 318 additions & 5 deletions b/‎comfy_cli/registry/config_parser.py‎
Lines changed: 318 additions & 5 deletions
@@ -975,6 +975,18 @@ def validate_node_for_publishing():
     # Perform some validation logic here
     typer.echo("Validating node configuration...")
     config = extract_node_configuration()
+    if config is None:
+        raise typer.Exit(code=1)
+
+    if not config.project.version or not config.project.version.strip():
+        # `.strip()` guards against a whitespace-only static `version = "   "`.
+        # Escape `[` chars so rich doesn't parse `[tool.comfy.version]` and
+        # `["version"]` as markup tags; `]` doesn't need escaping.
+        print(
+            "[red]Error: project version is empty. Set `project.version` in pyproject.toml, "
+            r'or configure `\[tool.comfy.version].path` if using `dynamic = \["version"]`.[/red]'
+        )
+        raise typer.Exit(code=1)
 
     # Run security checks first
     typer.echo("Running security checks...")
 
@@ -1,4 +1,7 @@
+import ast
+import datetime
 import os
+import pathlib
 import re
 import subprocess
 from urllib.parse import urlparse, urlunparse
@@ -22,6 +25,91 @@
 # direct-URL hashes (`#sha256=`) survive.
 _inline_comment_re: re.Pattern[str] = re.compile(r"(^|\s+)#.*$")
 
+# For `dynamic = ["version"]`: match a top-level `__version__` or `VERSION` assignment in a source file. Anchored
+# to start-of-line (MULTILINE) so single-line comments are skipped. Horizontal whitespace only — no cross-line
+# matching. Supports an optional PEP 526 type annotation. Straight quotes only. The `\\.` alternation in the
+# quoted-value portion accepts backslash-escape sequences (e.g., `\"` for a literal double quote);
+# `_decode_string_literal` below feeds the captured contents through `ast.literal_eval` to recover proper
+# Python-semantic values for ALL escape forms (`\\n`, `\\t`, `\\uXXXX`, ...). `\` is excluded from the
+# non-escape character class (`[^"\\\n]` / `[^'\\\n]`) so every backslash is forced through `\\.`; the earlier
+# `[^"\n]` form had overlapping alternatives that caused catastrophic backtracking on malformed Python
+# sources (unclosed literals with many backslashes).
+#
+# Recommended user layout: a dedicated `_version.py` / `__version__.py` (NOT the package's `__init__.py`), so
+# nothing in the file — module docstrings, assignments referenced in text, etc. — can collide with this regex.
+# This matches hatch/setuptools convention for dynamic-version source files.
+_VERSION_RE: re.Pattern[str] = re.compile(
+    r"""^(?P<name>__version__|VERSION)
+        (?:[\t ]*:[\t ]*[^=\n]+)?
+        [\t ]*=[\t ]*
+        (?:"(?P<dq>(?:\\.|[^"\\\n])*)"|'(?P<sq>(?:\\.|[^'\\\n])*)')
+        """,
+    re.MULTILINE | re.VERBOSE,
+)
+
+
+def _decode_string_literal(raw: str, quote: str) -> str:
+    """Decode the captured contents of a Python single-line string literal.
+
+    The regex matched a `"..."` or `'...'` literal; wrapping `raw` in its
+    outer quotes again and handing it to `ast.literal_eval` gives full
+    Python string-escape semantics (`\\n` → newline, `\\uXXXX` → codepoint,
+    `\\"` → quote, `\\\\` → backslash). The earlier one-char-strip approach
+    flattened e.g. `\\n` to the literal letter `n`, silently producing a
+    wrong version string.
+
+    On parse failure (exotic/malformed input the regex admitted but ast
+    rejects, like `\\z` on strict Python versions), fall back to the raw
+    captured contents so we degrade to the prior wrong-but-not-crashing
+    behavior rather than erroring out.
+    """
+    try:
+        parsed = ast.literal_eval(f"{quote}{raw}{quote}")
+    except (SyntaxError, ValueError):
+        return raw
+    return parsed if isinstance(parsed, str) else raw
+
+
+def _friendly_type_name(value: object) -> str:
+    """Map a (possibly tomlkit-wrapped) value to a Python-builtin-style name.
+
+    `type(x).__name__` returns tomlkit's class name (e.g., 'Integer', 'Float',
+    'DateTime') for parsed TOML values, which confuses users who wrote plain
+    TOML. Since tomlkit's wrapper classes inherit from the standard Python
+    types, we can detect the semantic type via isinstance.
+    """
+    if isinstance(value, bool):  # must precede int — bool is an int subclass
+        return "bool"
+    if isinstance(value, int):
+        return "int"
+    if isinstance(value, float):
+        return "float"
+    if isinstance(value, str):
+        return "str"
+    if isinstance(value, datetime.datetime):
+        return "datetime"
+    if isinstance(value, datetime.date):
+        return "date"
+    if isinstance(value, datetime.time):
+        return "time"
+    if isinstance(value, (list, tuple)):
+        return "array"
+    if isinstance(value, dict):
+        return "table"
+    return type(value).__name__
+
+
+def _friendly_value(value: object) -> str:
+    """Render a value for inclusion in a user-facing warning.
+
+    Uses str() for datetime-ish values (ISO-format is more familiar than
+    `DateTime(2024, 1, 1, 0, 0)` constructor style) and repr() otherwise so
+    strings show their quotes and collections show brackets.
+    """
+    if isinstance(value, (datetime.datetime, datetime.date, datetime.time)):
+        return str(value)
+    return repr(value)
+
 
 def create_comfynode_config():
     # Create the initial structure of the TOML document
@@ -281,19 +369,241 @@ def initialize_project_config():
         raise OSError("Failed to write 'pyproject.toml'") from e
 
 
+def _resolve_dynamic_version(pyproject_dir: pathlib.Path, rel_path: str) -> str:
+    """Read a version from a source file referenced by `[tool.comfy.version].path`.
+
+    No Python execution — just text I/O and a regex, matching the contract
+    agreed in issue #294. Returns empty string on any failure and emits a
+    user-visible warning so scanning contexts degrade gracefully.
+    """
+    # Reject paths that are absolute under either POSIX or Windows rules —
+    # `pathlib.Path.is_absolute()` alone is OS-specific (e.g., `/etc/foo` is
+    # not considered absolute on Windows because it has no drive), and we
+    # want identical rejection behavior regardless of the host OS.
+    if pathlib.PurePosixPath(rel_path).is_absolute() or pathlib.PureWindowsPath(rel_path).is_absolute():
+        typer.echo(
+            f"Warning: `[tool.comfy.version].path` must be relative to pyproject.toml "
+            f"(got `{rel_path}`). No version will be populated."
+        )
+        return ""
+    path_obj = pathlib.Path(rel_path)
+
+    pyproject_dir = pyproject_dir.resolve()
+    resolved = (pyproject_dir / path_obj).resolve()
+    try:
+        resolved.relative_to(pyproject_dir)
+    except ValueError:
+        typer.echo(
+            f"Warning: `[tool.comfy.version].path` must point inside the project directory "
+            f"(got `{rel_path}`). No version will be populated."
+        )
+        return ""
+
+    try:
+        # `utf-8-sig` transparently strips a leading BOM — some Windows editors
+        # add one, and it would defeat the `^__version__` anchor otherwise.
+        text = resolved.read_text(encoding="utf-8-sig")
+    except (OSError, UnicodeDecodeError) as e:
+        typer.echo(f"Warning: could not read version file `{rel_path}`: {e}. No version will be populated.")
+        return ""
+
+    match = _VERSION_RE.search(text)
+    if not match:
+        typer.echo(
+            f"Warning: could not find `__version__` or `VERSION` in `{rel_path}`. "
+            f'The version file must contain a line like `__version__ = "1.2.3"`. '
+            f"No version will be populated."
+        )
+        return ""
+
+    # Exactly one of `dq` / `sq` was consumed by the regex. Use `is not None`
+    # instead of truthy-check because an empty capture (`""` or `''`) is a
+    # valid match the regex now accepts — and we want to warn about that
+    # case explicitly rather than crash on `None`. Tracking the quote type
+    # lets us (a) feed the correct outer quote into `_decode_string_literal`
+    # and (b) detect the triple-quoted case below.
+    if match.group("dq") is not None:
+        raw, quote = match.group("dq"), '"'
+    else:
+        raw, quote = match.group("sq"), "'"
+
+    # `__version__ = """1.2.3"""` parses as an empty `""` literal followed by
+    # leftover `"1.2.3"""`, which would otherwise surface as the generic
+    # "empty or whitespace-only" warning and leave the user staring at a
+    # clearly-non-empty literal. If the capture is empty AND the byte right
+    # after the match is the same quote type, it's almost certainly a
+    # triple-quoted literal — emit a targeted hint instead.
+    if not raw and match.end() < len(text) and text[match.end()] == quote:
+        typer.echo(
+            f"Warning: `{match.group('name')}` in `{rel_path}` uses a triple-quoted string literal, "
+            f'which is not supported. Use a single-line assignment like `{match.group("name")} = "1.2.3"`. '
+            f"No version will be populated."
+        )
+        return ""
+
+    version = _decode_string_literal(raw, quote).strip()
+    if not version:
+        typer.echo(
+            f"Warning: `{match.group('name')}` in `{rel_path}` is empty or whitespace-only. "
+            f"No version will be populated."
+        )
+        return ""
+    return version
+
+
+def _parse_dynamic_fields(project_data) -> list[str]:
+    """Return the `project.dynamic` field as a list of strings.
+
+    Warns and returns `[]` if `dynamic` is present but has the wrong shape
+    (e.g. a scalar string — a common PEP 621 misconfiguration).
+    """
+    dynamic_raw = project_data.get("dynamic", [])
+    # tomlkit.Array inherits from list, so valid arrays (including empty `[]`)
+    # pass through. Everything else is a misconfiguration.
+    if not isinstance(dynamic_raw, (list, tuple)):
+        typer.echo(
+            f"Warning: `project.dynamic` must be an array of strings "
+            f"(got {_friendly_type_name(dynamic_raw)} `{_friendly_value(dynamic_raw)}`). "
+            f'Use `dynamic = ["version"]` instead. '
+            f"No dynamic fields will be honored."
+        )
+        return []
+    return [str(d) for d in dynamic_raw]
+
+
+def _extract_version(project_data, comfy_data, pyproject_dir: pathlib.Path) -> str:
+    """Return the project version, honoring PEP 621 `dynamic = ["version"]`.
+
+    - Static `project.version` wins if present.
+    - If absent and `"version"` is in `project.dynamic`, resolve via
+      `[tool.comfy.version].path` (text-read + regex, no Python execution).
+    - Otherwise return empty (existing behavior).
+    """
+    static_version = project_data.get("version", "")
+    dynamic_fields = _parse_dynamic_fields(project_data)
+    # Type-check runs BEFORE the truthy check so falsy non-strings (`version = 0`,
+    # `version = 0.0`, `version = false`, `version = []`, `version = {}`) produce
+    # the same named "must be a string" warning as truthy non-strings (`version = 1`,
+    # `version = ["1","2"]`, `version = { path = "_v.py" }`). With the order reversed,
+    # they would silently fall through to the dynamic branch and the user would
+    # only see the downstream "project version is empty" error at publish time.
+    # `static_version != ""` skips the default (key absent) without coercing types.
+    if static_version != "" and not isinstance(static_version, str):
+        typer.echo(
+            f"Warning: `project.version` must be a string "
+            f"(got {_friendly_type_name(static_version)} `{_friendly_value(static_version)}`). "
+            f"No version will be populated."
+        )
+        return ""
+    if static_version:
+        # `static_version` is known to be a str from here.
+        if "version" in dynamic_fields:
+            # PEP 621 §Dynamic says a field listed in `dynamic` must NOT also
+            # appear in `[project]`. Honor the static value (the user wrote it
+            # explicitly) but surface the conflict.
+            typer.echo(
+                'Warning: `project.version` is set but `"version"` also appears in `project.dynamic`. '
+                "Per PEP 621 these are mutually exclusive; using the static value."
+            )
+        stripped = static_version.strip()
+        if not stripped:
+            # A whitespace-only static `version = "   "` must warn here, matching
+            # the dynamic path's `__version__ = "   "` warning. Otherwise only the
+            # downstream "project version is empty" error would surface, with no
+            # hint that the root cause is a whitespace-only literal.
+            typer.echo("Warning: `project.version` is empty or whitespace-only. No version will be populated.")
+            return ""
+        # Strip so a padded static `version = "  1.0.0  "` does not get POSTed
+        # with surrounding whitespace. Matches the stripped semantics applied to
+        # dynamically-resolved versions.
+        return stripped
+
+    if "version" not in dynamic_fields:
+        return ""
+
+    version_cfg = comfy_data.get("version")
+    if version_cfg is None:
+        typer.echo(
+            'Warning: `dynamic = ["version"]` declared but `[tool.comfy.version].path` is not set. '
+            "See https://docs.comfy.org/registry/specifications for dynamic-version setup. "
+            "No version will be populated."
+        )
+        return ""
+    if not isinstance(version_cfg, dict):
+        # A non-table value under `[tool.comfy].version` — the user likely
+        # wrote `version = "x"` scalar (or any other type) instead of a nested
+        # table. Name the actual type, not "scalar value", so arrays/tables
+        # are described accurately too.
+        typer.echo(
+            f"Warning: `[tool.comfy].version` must be a table with a `path` key "
+            f"(got {_friendly_type_name(version_cfg)} `{_friendly_value(version_cfg)}`). "
+            f'Use `[tool.comfy.version]` with `path = "..."` instead. '
+            f"No version will be populated."
+        )
+        return ""
+    # Flag unknown keys so a typo like `file = "..."` / `attr = "..."` (common
+    # spellings in setuptools/hatch) doesn't silently surface as a misleading
+    # "path is not set" warning. Emitted independently of path resolution so
+    # the user sees BOTH the typo and any downstream path-missing condition.
+    unknown_keys = sorted(k for k in version_cfg if k != "path")
+    if unknown_keys:
+        keys_str = ", ".join(f"`{k}`" for k in unknown_keys)
+        typer.echo(f"Warning: `[tool.comfy.version]` has unknown key(s): {keys_str}. Only `path` is supported.")
+    # Order matters: check type BEFORE falsy-ness so that `path = 0` / `false`
+    # / `[]` / `{}` produce a type warning, not a misleading "not set" warning.
+    path_value = version_cfg.get("path")
+    if path_value is not None and not isinstance(path_value, str):
+        typer.echo(
+            f"Warning: `[tool.comfy.version].path` must be a string "
+            f"(got {_friendly_type_name(path_value)} `{_friendly_value(path_value)}`). "
+            f"No version will be populated."
+        )
+        return ""
+    if not path_value:
+        typer.echo(
+            "Warning: `[tool.comfy.version].path` is not set. "
+            "See https://docs.comfy.org/registry/specifications for dynamic-version setup. "
+            "No version will be populated."
+        )
+        return ""
+
+    return _resolve_dynamic_version(pyproject_dir, path_value)
+
+
 def extract_node_configuration(
     path: str = os.path.join(os.getcwd(), "pyproject.toml"),
 ) -> PyProjectConfig | None:
     if not os.path.isfile(path):
         ui.display_error_message("No pyproject.toml file found in the current directory.")
         return None
 
-    with open(path) as file:
-        data = tomlkit.load(file)
+    try:
+        # `utf-8-sig` strips a leading BOM if present — Windows editors sometimes
+        # write one, and tomlkit would otherwise report `Empty key at line 1 col 0`.
+        # `UnicodeDecodeError` must be in the except tuple: it is a `ValueError`,
+        # not an `OSError`, and would otherwise escape and crash the caller.
+        with open(path, encoding="utf-8-sig") as file:
+            data = tomlkit.load(file)
+    except (OSError, UnicodeDecodeError, tomlkit.exceptions.TOMLKitError) as e:
+        ui.display_error_message(f"Could not parse `{path}`: {e}")
+        return None
 
     project_data = data.get("project", {})
+    if not isinstance(project_data, dict):
+        # Degenerate TOML like `project = "hello"` at the root. Keep scanning
+        # contexts alive by treating it as "no project metadata".
+        typer.echo(
+            f"Warning: `project` in pyproject.toml must be a table "
+            f"(got {_friendly_type_name(project_data)}). Using defaults."
+        )
+        project_data = {}
     urls_data = project_data.get("urls", {})
-    comfy_data = data.get("tool", {}).get("comfy", {})
+    if not isinstance(urls_data, dict):
+        urls_data = {}
+    tool_data = data.get("tool", {})
+    comfy_data = tool_data.get("comfy", {}) if isinstance(tool_data, dict) else {}
+    if not isinstance(comfy_data, dict):
+        comfy_data = {}
 
     dependencies = project_data.get("dependencies", [])
     supported_comfyui_frontend_version = ""
@@ -307,7 +617,7 @@ def extract_node_configuration(
         dep for dep in dependencies if not (isinstance(dep, str) and dep.startswith("comfyui-frontend-package"))
     ]
 
-    supported_comfyui_version = data.get("tool", {}).get("comfy", {}).get("requires-comfyui", "")
+    supported_comfyui_version = comfy_data.get("requires-comfyui", "")
 
     classifiers = project_data.get("classifiers", [])
     supported_os = validate_and_extract_os_classifiers(classifiers)
@@ -334,10 +644,13 @@ def extract_node_configuration(
             'Warning: License should be in one of these two formats: license = {file = "LICENSE"} OR license = {text = "MIT License"}. Please check the documentation: https://docs.comfy.org/registry/specifications.'
         )
 
+    pyproject_dir = pathlib.Path(path).parent
+    version = _extract_version(project_data, comfy_data, pyproject_dir)
+
     project = ProjectConfig(
         name=project_data.get("name", ""),
         description=project_data.get("description", ""),
-        version=project_data.get("version", ""),
+        version=version,
         requires_python=project_data.get("requires-python", ""),
         dependencies=dependencies,
         license=license,