FlowiseAI
diff --git a/‎.github/workflows/docker-image-dockerhub.yml‎
Lines changed: 6 additions & 6 deletions b/‎.github/workflows/docker-image-dockerhub.yml‎
Lines changed: 6 additions & 6 deletions
diff --git a/‎.github/workflows/docker-image-ecr.yml‎
Lines changed: 6 additions & 6 deletions b/‎.github/workflows/docker-image-ecr.yml‎
Lines changed: 6 additions & 6 deletions
diff --git a/‎.github/workflows/main.yml‎
Lines changed: 4 additions & 4 deletions b/‎.github/workflows/main.yml‎
Lines changed: 4 additions & 4 deletions
diff --git a/‎.github/workflows/proprietary-path-guard.yml‎
Lines changed: 1 addition & 1 deletion b/‎.github/workflows/proprietary-path-guard.yml‎
Lines changed: 1 addition & 1 deletion
diff --git a/‎.github/workflows/test_docker_build.yml‎
Lines changed: 1 addition & 1 deletion b/‎.github/workflows/test_docker_build.yml‎
Lines changed: 1 addition & 1 deletion
diff --git a/‎packages/agentflow/README.md‎
Lines changed: 12 additions & 0 deletions b/‎packages/agentflow/README.md‎
Lines changed: 12 additions & 0 deletions
diff --git a/‎packages/agentflow/src/Agentflow.tsx‎
Lines changed: 2 additions & 0 deletions b/‎packages/agentflow/src/Agentflow.tsx‎
Lines changed: 2 additions & 0 deletions
diff --git a/‎packages/agentflow/src/AgentflowProvider.tsx‎
Lines changed: 8 additions & 2 deletions b/‎packages/agentflow/src/AgentflowProvider.tsx‎
Lines changed: 8 additions & 2 deletions
diff --git a/‎packages/agentflow/src/core/theme/tokens.ts‎
Lines changed: 2 additions & 1 deletion b/‎packages/agentflow/src/core/theme/tokens.ts‎
Lines changed: 2 additions & 1 deletion
diff --git a/‎packages/agentflow/src/core/types/agentflow.ts‎
Lines changed: 113 additions & 0 deletions b/‎packages/agentflow/src/core/types/agentflow.ts‎
Lines changed: 113 additions & 0 deletions
@@ -27,16 +27,16 @@ jobs:
                   echo "tag_version=${{ github.event.inputs.tag_version || 'latest' }}" >> $GITHUB_OUTPUT
 
             - name: Checkout
-              uses: actions/checkout@v4.1.1
+              uses: actions/checkout@v6.0.2
 
             - name: Set up QEMU
-              uses: docker/setup-qemu-action@v3.0.0
+              uses: docker/setup-qemu-action@v4.0.0
 
             - name: Set up Docker Buildx
-              uses: docker/setup-buildx-action@v3.0.0
+              uses: docker/setup-buildx-action@v4.0.0
 
             - name: Login to Docker Hub
-              uses: docker/login-action@v3
+              uses: docker/login-action@v4
               with:
                   username: ${{ secrets.DOCKERHUB_USERNAME }}
                   password: ${{ secrets.DOCKERHUB_TOKEN }}
@@ -45,7 +45,7 @@ jobs:
             # Build and push main image
             # -------------------------
             - name: Build and push main image
-              uses: docker/build-push-action@v5.3.0
+              uses: docker/build-push-action@v6.19.2
               with:
                   context: .
                   file: ./docker/Dockerfile
@@ -60,7 +60,7 @@ jobs:
             # Build and push worker image
             # -------------------------
             - name: Build and push worker image
-              uses: docker/build-push-action@v5.3.0
+              uses: docker/build-push-action@v6.19.2
               with:
                   context: .
                   file: docker/worker/Dockerfile
 
@@ -40,17 +40,17 @@ jobs:
                   echo "tag_version=${{ github.event.inputs.tag_version || 'latest' }}" >> $GITHUB_OUTPUT
 
             - name: Checkout
-              uses: actions/checkout@v4.1.1
+              uses: actions/checkout@v6.0.2
 
             - name: Set up QEMU
-              uses: docker/setup-qemu-action@v3.0.0
+              uses: docker/setup-qemu-action@v4.0.0
 
             - name: Set up Docker Buildx
-              uses: docker/setup-buildx-action@v3.0.0
+              uses: docker/setup-buildx-action@v4.0.0
 
             - name: Configure AWS Credentials
               if: ${{ inputs.environment != 'prod' }}
-              uses: aws-actions/configure-aws-credentials@v3
+              uses: aws-actions/configure-aws-credentials@v6
               with:
                   aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }}
                   aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
@@ -66,13 +66,13 @@ jobs:
                   unset-current-credentials: true
 
             - name: Login to Amazon ECR
-              uses: aws-actions/amazon-ecr-login@v1
+              uses: aws-actions/amazon-ecr-login@v2
 
             # -------------------------
             # Build and push main image
             # -------------------------
             - name: Build and push main image
-              uses: docker/build-push-action@v5.3.0
+              uses: docker/build-push-action@v6.19.2
               with:
                   context: .
                   file: Dockerfile
 
@@ -19,12 +19,12 @@ jobs:
         env:
             PUPPETEER_SKIP_DOWNLOAD: true
         steps:
-            - uses: actions/checkout@v4
+            - uses: actions/checkout@v6
             - uses: pnpm/action-setup@v4
               with:
                   version: 10.26.0
             - name: Use Node.js ${{ matrix.node-version }}
-              uses: actions/setup-node@v4
+              uses: actions/setup-node@v6
               with:
                   node-version: ${{ matrix.node-version }}
                   cache: 'pnpm'
@@ -38,12 +38,12 @@ jobs:
             - name: Cypress install
               run: pnpm cypress install
             - name: Install dependencies (Cypress Action)
-              uses: cypress-io/github-action@v6
+              uses: cypress-io/github-action@v7.1.5
               with:
                   working-directory: ./
                   runTests: false
             - name: Cypress test
-              uses: cypress-io/github-action@v6
+              uses: cypress-io/github-action@v7.1.5
               with:
                   install: false
                   working-directory: packages/server
 
@@ -35,7 +35,7 @@ jobs:
 
         steps:
             - name: Checkout repository
-              uses: actions/checkout@v4
+              uses: actions/checkout@v6
               with:
                   fetch-depth: 0
 
 
@@ -15,5 +15,5 @@ jobs:
         env:
             PUPPETEER_SKIP_DOWNLOAD: true
         steps:
-            - uses: actions/checkout@v4
+            - uses: actions/checkout@v6
             - run: docker build --no-cache -t flowise .
@@ -98,10 +98,12 @@ export default function App() {
 
 ## Props
 
+<!-- prettier-ignore -->
 | Prop                 | Type                                       | Default        | Description                                                     |
 | -------------------- | ------------------------------------------ | -------------- | --------------------------------------------------------------- |
 | `apiBaseUrl`         | `string`                                   | **(required)** | Flowise API server endpoint                                     |
 | `token`              | `string`                                   | —              | Authentication token for API calls                              |
+| `requestInterceptor` | `(config: InternalAxiosRequestConfig) => InternalAxiosRequestConfig` | — | Customize outgoing API requests (e.g., set `withCredentials`, add headers). The callback receives the full Axios request config — only modify what you need. See [Security: requestInterceptor](#security-requestinterceptor) below. |
 | `initialFlow`        | `FlowData`                                 | —              | Initial flow data to render (uncontrolled — only used on mount) |
 | `components`         | `string[]`                                 | —              | Restrict which node types appear in the palette                 |
 | `onFlowChange`       | `(flow: FlowData) => void`                 | —              | Called when the flow changes (node/edge add, remove, move)      |
@@ -127,6 +129,16 @@ export default function App() {
 | `addNode(nodeData)`      | `void`                    | Add a node (`Partial<FlowNode>`)      |
 | `getReactFlowInstance()` | `ReactFlowInstance\|null` | Get the underlying ReactFlow instance |
 
+### Security: `requestInterceptor`
+
+The `requestInterceptor` callback runs inside the Axios request pipeline and has access to the full request configuration, including authentication headers. This is the same trust model as any other callback prop (e.g., `onSave`, `renderHeader`) — the host application developer supplies the function and is responsible for its behavior.
+
+**Guidelines for consumers:**
+
+-   Only pass **trusted, developer-authored** functions. Never use dynamically evaluated code (`eval`, `new Function`, etc.) or user-generated input as the interceptor.
+-   Follow the **principle of least privilege** — only read or modify the specific config properties you need (e.g., `withCredentials`, custom headers).
+-   If the interceptor throws, the error is caught, logged, and the **original unmodified config** is used so the request still proceeds safely.
+
 ### Design Note
 
 `<Agentflow>` is an **uncontrolled component**. The `initialFlow` prop seeds the canvas state on mount, but the component owns its own state afterward. Use the `ref` for imperative access and `onFlowChange` to observe changes.
 
@@ -322,6 +322,7 @@ export const Agentflow = forwardRef<AgentFlowInstance, AgentflowProps>(function
     const {
         apiBaseUrl,
         token,
+        requestInterceptor,
         initialFlow,
         components,
         onFlowChange,
@@ -340,6 +341,7 @@ export const Agentflow = forwardRef<AgentFlowInstance, AgentflowProps>(function
         <AgentflowProvider
             apiBaseUrl={apiBaseUrl}
             token={token}
+            requestInterceptor={requestInterceptor}
             isDarkMode={isDarkMode}
             components={components}
             readOnly={readOnly}
 
@@ -4,14 +4,19 @@ import { ReactFlowProvider } from 'reactflow'
 import { ThemeProvider } from '@mui/material/styles'
 
 import { createAgentflowTheme, generateCSSVariables } from './core/theme'
-import type { FlowData } from './core/types'
+import type { FlowData, RequestInterceptor } from './core/types'
 import { AgentflowStateProvider, ApiProvider, ConfigProvider } from './infrastructure/store'
 
 interface AgentflowProviderProps {
     /** Flowise API server endpoint */
     apiBaseUrl: string
     /** Authentication token for API calls */
     token?: string
+    /**
+     * Optional callback to customize outgoing API requests.
+     * Has access to full request config including auth tokens — only pass trusted code.
+     */
+    requestInterceptor?: RequestInterceptor
     /** Whether to use dark mode (default: false) */
     isDarkMode?: boolean
     /** Array of allowed node component names */
@@ -31,6 +36,7 @@ interface AgentflowProviderProps {
 export function AgentflowProvider({
     apiBaseUrl,
     token,
+    requestInterceptor,
     isDarkMode = false,
     components,
     readOnly = false,
@@ -70,7 +76,7 @@ export function AgentflowProvider({
     return (
         <ReactFlowProvider>
             <ThemeProvider theme={theme}>
-                <ApiProvider apiBaseUrl={apiBaseUrl} token={token}>
+                <ApiProvider apiBaseUrl={apiBaseUrl} token={token} requestInterceptor={requestInterceptor}>
                     <ConfigProvider isDarkMode={isDarkMode} components={components} readOnly={readOnly}>
                         <AgentflowStateProvider initialFlow={initialFlow}>{children}</AgentflowStateProvider>
                     </ConfigProvider>
 
@@ -97,7 +97,8 @@ export const tokens = {
 
         border: {
             default: { light: baseColors.gray300, dark: baseColors.darkGray500 },
-            hover: { light: baseColors.gray400, dark: baseColors.darkGray600 }
+            hover: { light: baseColors.gray400, dark: baseColors.darkGray600 },
+            validation: baseColors.nodeCondition
         },
 
         text: {
 
@@ -0,0 +1,113 @@
+// ============================================================================
+// Component Props & Hook Return Types
+// ============================================================================
+
+import type { ReactNode } from 'react'
+import type { ReactFlowInstance } from 'reactflow'
+
+import type { RequestInterceptor } from './api'
+import type { FlowData, FlowDataCallback, FlowNode } from './flow'
+import type { NodeData } from './node'
+import type { ValidationResult } from './validation'
+
+// ============================================================================
+// Render Props Types
+// ============================================================================
+
+export interface HeaderRenderProps {
+    flowName: string
+    isDirty: boolean
+    onSave: () => void
+    onExport: () => void
+    onValidate: () => ValidationResult
+}
+
+export interface PaletteRenderProps {
+    availableNodes: NodeData[]
+    onAddNode: (nodeType: string, position?: { x: number; y: number }) => void
+}
+
+// ============================================================================
+// Component Props & Hook Return Types
+// ============================================================================
+
+export interface AgentflowProps {
+    /** Flowise API server endpoint (e.g., "https://flowise-url.com") */
+    apiBaseUrl: string
+
+    /** Authentication token for API calls */
+    token?: string
+
+    /** Initial flow data to render */
+    initialFlow?: FlowData
+
+    /** Flow ID for loading existing flow */
+    flowId?: string
+
+    /** Array of allowed node component names to show in palette */
+    components?: string[]
+
+    /** Callback when flow changes */
+    onFlowChange?: FlowDataCallback
+
+    /** Callback when flow is saved */
+    onSave?: FlowDataCallback
+
+    /** Whether to use dark mode (default: false) */
+    isDarkMode?: boolean
+
+    /** Whether the canvas is read-only */
+    readOnly?: boolean
+
+    /** Custom header renderer - receives save/export handlers */
+    renderHeader?: (props: HeaderRenderProps) => ReactNode
+
+    /** Custom node palette renderer - receives available nodes */
+    renderNodePalette?: (props: PaletteRenderProps) => ReactNode
+
+    /** Whether to show default header (ignored if renderHeader provided) */
+    showDefaultHeader?: boolean
+
+    /** Whether to show default node palette (ignored if renderNodePalette provided) */
+    showDefaultPalette?: boolean
+
+    /** Enable the AI flow generator feature (default: true) */
+    enableGenerator?: boolean
+
+    /** Callback when flow is generated via AI */
+    onFlowGenerated?: FlowDataCallback
+
+    /**
+     * Optional callback to customize outgoing API requests (e.g., set `withCredentials`, add headers).
+     * Receives the full Axios request config including auth headers — only modify what you need.
+     *
+     * **Security:** This callback executes in the request pipeline with access to all request
+     * data, including authentication tokens. Only pass trusted, developer-authored functions.
+     * Never use dynamically evaluated or user-generated code as the interceptor.
+     * If the interceptor throws, the error is caught and the original config is used.
+     */
+    requestInterceptor?: RequestInterceptor
+}
+
+export interface AgentFlowInstance {
+    /** Get current flow data as serializable object */
+    getFlow(): FlowData
+
+    /** Convert flow to JSON string */
+    toJSON(): string
+
+    /** Validate the current flow */
+    validate(): ValidationResult
+
+    /** Fit view to show all nodes */
+    fitView(): void
+
+    /** Get the underlying ReactFlow instance */
+    getReactFlowInstance(): ReactFlowInstance | null
+
+    /** Programmatically add a node */
+    addNode(nodeData: Partial<FlowNode>): void
+
+    /** Clear all nodes and edges */
+    clear(): void
+}