@langley-2 langley-2 commented Nov 26, 2025

Created a custom component under the ibm folder for integrating with IBM watsonx governance to detect and catalog harmful AI inputs/outputs accordingly.

Summary by CodeRabbit

  • New Features

    • Added IBM watsonx.governance component for logging and monitoring AI model payloads, enabling tracking, auditing, and compliance monitoring of AI model interactions.
  • Dependencies

    • Updated project dependencies with IBM Cloud SDK and IBM Watson OpenScale support.

@github-actions github-actions bot added the community Pull Request from an external contributor label Nov 26, 2025
@coderabbitai coderabbitai bot (Contributor) commented Nov 26, 2025

Walkthrough

Added two new IBM Cloud dependencies to the project, registered a new WatsonxGovernanceComponent in the IBM components module, and introduced the component implementation for integrating with IBM watsonx.governance to log and audit AI model payloads.

Changes

| Cohort / File(s) | Summary |
|---|---|
| Dependencies: pyproject.toml | Added two runtime dependencies: ibm-cloud-sdk-core>=3.16.0 and ibm-watson-openscale>=3.0.0 |
| Component Registration: src/lfx/src/lfx/components/ibm/__init__.py | Added lazy loading for WatsonxGovernanceComponent including TYPE_CHECKING import, dynamic import mapping, and public export in __all__ |
| New Component Implementation: src/lfx/src/lfx/components/ibm/watsonx_governance.py | Introduced WatsonxGovernanceComponent class with methods for token retrieval, API calls to watsonx.governance, and prompt variable formatting; includes comprehensive error handling and logging |

Sequence Diagram

sequenceDiagram
    participant Client as Client Code
    participant Component as WatsonxGovernanceComponent
    participant IAM as IBM Cloud Identity
    participant Governance as watsonx.governance API
    
    Client->>Component: execute_call()
    activate Component
    
    Component->>Component: get_token()
    activate Component
    Component->>IAM: POST /identity/token (api_key)
    IAM-->>Component: access_token
    deactivate Component
    
    Component->>Component: format_prompt_vars()
    Component-->>Component: formatted_vars (dict)
    
    Component->>Component: build request payload
    
    Component->>Governance: POST /deployments/{deployment_id}/governance (auth header, payload)
    activate Governance
    Governance-->>Component: response
    deactivate Governance
    
    Component-->>Client: Data(text, payload)
    deactivate Component

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20 minutes

  • Areas for extra attention:
    • Token retrieval logic and IAM authentication flow (get_token method)
    • Request payload construction and endpoint URL formatting in execute_call
    • Prompt variable parsing robustness and JSON normalization in format_prompt_vars
    • Error handling coverage and logging comprehensiveness across all methods

Suggested labels

lgtm

Suggested reviewers

  • lucaseduoli
  • erichare
  • HimavarshaVS

Pre-merge checks and finishing touches

✅ Passed checks (3 passed)
| Check name | Status | Explanation |
|---|---|---|
| Description Check | ✅ Passed | Check skipped - CodeRabbit’s high-level summary is enabled. |
| Title check | ✅ Passed | The title 'feat: add watsonx governance component' directly and clearly describes the main change—introducing a new Watson x governance component to the IBM components folder. |
| Docstring Coverage | ✅ Passed | Docstring coverage is 80.00% which is sufficient. The required threshold is 80.00%. |
@github-actions github-actions bot added enhancement New feature or request and removed enhancement New feature or request labels Nov 26, 2025
@coderabbitai coderabbitai bot left a comment

Actionable comments posted: 0

🧹 Nitpick comments (3)
pyproject.toml (1)

134-135: Confirm IBM dependencies are needed and ensure requests is a declared runtime dependency where used

The new IBM deps look consistent with the feature, but the current watsonx governance component uses requests directly and doesn’t appear to import either ibm-cloud-sdk-core or ibm-watson-openscale.

Two follow‑ups worth doing:

  1. If the component is not (yet) using these IBM SDKs, consider dropping them for now to avoid unnecessary weight and security surface, or wire the component up to use them instead of raw HTTP.
  2. Make sure the package that owns src/lfx/src/lfx/components/ibm/watsonx_governance.py declares requests as a runtime dependency (not just in the dev group), so this component can’t fail at import/runtime in environments where requests is not pulled in transitively.
src/lfx/src/lfx/components/ibm/watsonx_governance.py (2)

73-145: Tighten error handling and logging behavior around the governance call

The overall structure of execute_call is solid (timeouts, HTTP error handling, logging response body), but there are a couple of smaller refinement opportunities:

  • The except json.JSONDecodeError block after the main try is currently unreachable, since JSON parsing is already wrapped in an inner try/except ValueError around response.json(). You can safely drop that outer except json.JSONDecodeError or repurpose it if you later add a json.loads on the response.
  • You’re logging full payloads and responses at INFO level. For a governance component that may see sensitive prompts and generations, you might want this at DEBUG or behind a flag to avoid duplicating potentially sensitive content in application logs on top of sending it to governance.

These are non‑blocking, but worth considering for maintainability and privacy posture.


147-155: Align format_prompt_vars docstring with the actual signature

The docstring still documents a user_input argument, but the method doesn’t take any parameters and uses self.prompt_variables instead. This is a small mismatch that can confuse users and tooling.

Consider updating the docstring to reflect that the input comes from self.prompt_variables and drop the Args section or reword it accordingly.

📜 Review details

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between f2fb7b3 and edffa9e.

⛔ Files ignored due to path filters (2)
  • src/frontend/package-lock.json is excluded by !**/package-lock.json
  • uv.lock is excluded by !**/*.lock
📒 Files selected for processing (3)
  • pyproject.toml (1 hunks)
  • src/lfx/src/lfx/components/ibm/__init__.py (1 hunks)
  • src/lfx/src/lfx/components/ibm/watsonx_governance.py (1 hunks)
🧰 Additional context used
📓 Path-based instructions (1)
{pyproject.toml,uv.lock}

📄 CodeRabbit inference engine (.cursor/rules/backend_development.mdc)

Use uv (>=0.4) for Python dependency management in backend development

Files:

  • pyproject.toml
🧠 Learnings (1)
📚 Learning: 2025-11-24T19:46:09.074Z
Learnt from: CR
Repo: langflow-ai/langflow PR: 0
File: .cursor/rules/backend_development.mdc:0-0
Timestamp: 2025-11-24T19:46:09.074Z
Learning: Applies to src/backend/base/langflow/components/**/__init__.py : Update `__init__.py` with alphabetically sorted imports when adding new components

Applied to files:

  • src/lfx/src/lfx/components/ibm/__init__.py
🧬 Code graph analysis (1)
src/lfx/src/lfx/components/ibm/__init__.py (1)
src/lfx/src/lfx/components/ibm/watsonx_governance.py (1)
  • WatsonxGovernanceComponent (14-184)
🔇 Additional comments (2)
src/lfx/src/lfx/components/ibm/__init__.py (1)

7-19: Lazy‑loader wiring for WatsonxGovernanceComponent looks correct

TYPE_CHECKING import, _dynamic_imports entry, and __all__ update are consistent and should integrate the new component cleanly into the IBM namespace.

src/lfx/src/lfx/components/ibm/watsonx_governance.py (1)

60-96: Based on my verification, I've searched the repository thoroughly and found that:

  1. The file src/lfx/src/lfx/components/ibm/watsonx_governance.py does not exist in the repository
  2. None of the methods referenced exist: get_token(), execute_call(), format_prompt_vars() are not in the codebase
  3. The attribute deployment_id is not referenced anywhere in the IBM components

The IBM components directory (src/lfx/src/lfx/components/ibm/) contains only:

  • watsonx.py (WatsonxAIComponent)
  • watsonx_embeddings.py (WatsonxEmbeddingsComponent)
  • __init__.py

The review comment references code that does not exist in the current PR branch.

Likely an incorrect or invalid review comment.
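
An added illustration of the two points raised in the 73-145 nitpick above (the unreachable `except json.JSONDecodeError` and full payloads logged at INFO). This is example code written for this page, not code from the PR or from langflow; `parse_body`, `summarize`, `log_call`, `demo`, the logger name and the sample payload fields are all hypothetical.

```python
import hashlib
import io
import json
import logging

# Constructed sample payload (hypothetical field names, not the PR's schema).
SAMPLE = {"input": "constructed prompt with secret-123", "output": "constructed reply"}


def parse_body(raw: str):
    """Return (data, error) for a response body."""
    try:
        try:
            return json.loads(raw), None
        except ValueError as exc:
            # json.JSONDecodeError subclasses ValueError, so it is caught here,
            return None, f"inner:{type(exc).__name__}"
    except json.JSONDecodeError:
        # which leaves this outer handler unreachable.
        return None, "outer"


def summarize(payload: dict) -> dict:
    """Metadata for INFO logs: field names, size and a digest, no prompt text."""
    blob = json.dumps(payload, sort_keys=True).encode("utf-8")
    return {"fields": sorted(payload), "bytes": len(blob),
            "sha256": hashlib.sha256(blob).hexdigest()[:16]}


def log_call(payload: dict, log: logging.Logger) -> None:
    """INFO carries only the summary; the full body is emitted at DEBUG."""
    log.info("governance payload sent: %s", json.dumps(summarize(payload)))
    log.debug("governance payload body: %s", json.dumps(payload))


def demo(level: int) -> list:
    """Log SAMPLE through a logger set to `level`; return the emitted lines."""
    buf = io.StringIO()
    log = logging.getLogger(f"governance_example.{level}")
    log.setLevel(level)
    log.propagate = False
    handler = logging.StreamHandler(buf)
    handler.setFormatter(logging.Formatter("%(levelname)s %(message)s"))
    log.addHandler(handler)
    log_call(SAMPLE, log)
    log.removeHandler(handler)
    return buf.getvalue().splitlines()
```

With the logger at INFO, `demo` returns one line holding only field names, byte count and a truncated digest; the prompt text appears only when the logger is set to DEBUG.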

@edwinjosechittilappilly
Collaborator

This is interesting, looking forward to this component.

Labels

community Pull Request from an external contributor enhancement New feature or request
