Add octogoat plugin #1435
Add OctoGoat plugin documentation for 3D print recovery.
The following is the result of my preliminary review. A decision on this PR will follow in the next days.
Security concerns
- The plugin's SimpleAPI endpoints check that the user is authenticated but do not verify granular permissions. E.g. some commands allow moving the printer head without checking the `CONTROL` permission, others modify plugin settings without checking the `SETTINGS` permission.
- The plugin injects a JavaScript file from Stripe's site into OctoPrint's DOM, on every page and even when the plugin is not in use - as long as it is installed and enabled - in order to handle license payments. This allows Stripe to execute virtually any JavaScript code within OctoPrint's pages, and could be a risk - even assuming we trust Stripe - due to potential supply chain attacks. Furthermore, I'm not convinced that handling payments inside OctoPrint's UI is a good idea, and I don't think it's a responsibility the project wants to take on. Please handle payments outside OctoPrint, e.g. on your own licensing server.
Privacy concerns
- The Privacy Policy does not mention that Stripe's Privacy Policy also applies, nor that including Stripe's script could result in third-party data collection.
Concerns about the licensing approach
- There is no way to know the pricing, the available plans, or the limits of the free tier (if any) before installing the plugin.
- The license check is entirely client-side and performed in the plugin's template file. A user could bypass it without even needing to tamper with the plugin's code, simply by using the plugin's SimpleAPI endpoints (which don't check license validity at all), or by setting the `last_validated` field in the settings to today's date, tricking the plugin into thinking the license has already been validated.
Concerns about adherence to OctoPrint best practices
- The plugin still uses `setup.py` instead of the newer `pyproject.toml`-based packaging. Wasn't it generated from a recent version of the cookiecutter template?
- `is_template_autoescaped` is not implemented, so a warning is printed to the logs on every OctoPrint startup.
- The Software Update hook is not implemented, so plugin users won't be notified of future plugin updates and won't be able to upgrade easily.
Legal concerns
- The static images in the plugin's folder carry a Sora watermark, so I assume they were generated on the free plan. I believe their terms of use do not allow commercial use of those images.
- It should also be verified whether the plugin is actually allowed to use the `Octo` prefix in its name, according to OctoPrint's Trademark Rules. I'm not sure fair use would be justifiable here, per section 5(b): "Using trading names that include the prefix "Octo" for the sole purpose of giving the impression that the product or service in question is related to OctoPrint."
Minor concerns about code hygiene
- Placeholders are left throughout:
  - In the online Privacy Policy: `Privacy questions: support@YOURDOMAIN.COM`
  - In `README.md`: `Terms: https://YOURDOMAIN.COM/terms` and `Privacy: https://YOURDOMAIN.COM/privacy`
  - In `TERMS.md`: `Support: support@YOURDOMAIN.COM`, `Business / OEM / partnership inquiries: support@YOURDOMAIN.COM`
  - In `PRIVACY.md`: `Privacy questions: support@YOURDOMAIN.COM`
  - In `__init__.py`: `__plugin_url__ = "https://YOURDOMAIN.COM/octogoat"` and `__plugin_license__ = "Proprietary - See LICENSE.txt"`
- Many of the plugin's defined settings are unused, e.g. `api_key`, `park_z_offset`, `smart_park_enabled`, `smart_park_acknowledged`.
- Stray files have been committed: a `.codex` file and the `__pycache__` directory.
- In `__init__.py` the plugin version is `0.1.0`, but in `setup.py` it is `0.1.1`.
- windows
- macos
python: ">=3,<4"
This must be the same as declared in your `__plugin_pythoncompat__`: `>=3.7,<4`
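The first security finding in the review above (SimpleAPI commands that only check that the caller is logged in) is illustrated by the following added example; it is not code from the OctoGoat plugin or from OctoPrint. `Permission` and `User` are self-contained stand-ins for `octoprint.access.permissions.Permissions` and the logged-in user (in a real plugin the `user.has(...)` check is `Permissions.CONTROL.can()` / `Permissions.SETTINGS.can()` inside `on_api_command`), and the command names are constructed.

```python
# Added example (not OctoGoat or OctoPrint code): per-command permission
# checks for an OctoPrint SimpleAPI plugin. Permission/User are stand-ins.
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Permission:
    name: str


CONTROL = Permission("CONTROL")    # stand-in for Permissions.CONTROL
SETTINGS = Permission("SETTINGS")  # stand-in for Permissions.SETTINGS


@dataclass
class User:
    authenticated: bool
    permissions: frozenset = field(default_factory=frozenset)

    def has(self, perm: Permission) -> bool:
        # In OctoPrint this is Permissions.<NAME>.can() for the current user.
        return self.authenticated and perm in self.permissions


# Every API command is mapped to the permission it needs. A command missing
# from this table is rejected, so a new command cannot ship unchecked.
COMMAND_PERMISSIONS = {
    "move_to_resume_height": CONTROL,  # constructed name; moves the head
    "send_alignment_gcode": CONTROL,   # constructed name; moves the head
    "save_plugin_settings": SETTINGS,  # constructed name; edits settings
}


def vulnerable_on_api_command(command: str, user: User) -> int:
    """Pattern the review flags: login is checked, the permission is not."""
    if not user.authenticated:
        return 401
    return 200 if command in COMMAND_PERMISSIONS else 404


def hardened_on_api_command(command: str, user: User) -> int:
    """401 for anonymous, 404 for unknown commands, 403 when the permission is missing."""
    if not user.authenticated:
        return 401
    required = COMMAND_PERMISSIONS.get(command)
    if required is None:
        return 404
    if not user.has(required):
        return 403
    return 200
```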
Hi @jacopotediosi, I pushed follow-up changes addressing the preliminary review. Summary of fixes:
Activation, pricing, and legal pages are now here:
The plugin source updates are on Please take another look when you have time. Thank you.
What is the name of your plugin?
OctoGoat
What does your plugin do?
OctoGoat helps users recover failed 3D prints when the partially completed print is still attached to the bed.
The plugin generates reconstructed resume G-code locally inside OctoPrint, using the original G-code file, the measured print height, and the user’s slicer layer height. It also provides a guided alignment flow so the user can safely align the printer to the real-world print position before choosing to resume.
It is designed to keep the user in control of printer movement and final resume confirmation. It does not force automatic Z homing into an existing print.
OctoGoat also includes optional Klipper/Moonraker support through a user-provided local Moonraker address.
Where can we find the source code of your plugin?
https://github.com/ksmith1489/octogoat-plugin
Was any kind of genAI (ChatGPT, Copilot etc) involved in creating this plugin?
Yes. ChatGPT, GitHub Copilot, and Codex were used as development assistants while building and refining the plugin.
The plugin was not simply generated blindly and published without review. I have been actively involved in the design, testing, debugging, and iteration of the plugin, including testing the OctoPrint UI, local resume G-code generation, license validation behavior, and Klipper/Moonraker command flow on actual printer setups.
I understand the main architecture and behavior of the plugin: the OctoPrint plugin UI gathers the file and recovery inputs, the local resume engine reconstructs the resume G-code, unsafe commands are removed before resuming, alignment commands are user-triggered, and the external service is used for subscription/license validation rather than for uploading or processing the print file.
I also have prior coding experience from building trading bots and indicators, including Pine Script and MetaTrader 4 related work, and I am comfortable maintaining and debugging this plugin going forward.
Is your plugin commercial in nature?
Yes.
OctoGoat is a commercial plugin with subscription-based licensing. Installing the plugin is free, but an active paid subscription is required before the plugin can generate, download, upload, or execute resume output. There is only one price and plan for $29 per year.
License, terms, and privacy information are available at:
https://app.lazarus3dprint.com
Does your plugin rely on some cloud services?
Partially.
The resume G-code generation runs locally inside the OctoPrint plugin. The original G-code file is not uploaded to the OctoGoat/Lazarus service for resume generation.
The plugin does use the OctoGoat/Lazarus service at:
https://app.lazarus3dprint.com
for subscription and license validation.
The plugin is marked with the `cloud` attribute and includes a privacy policy link in the registration file: https://app.lazarus3dprint.com/privacy
If the license validation service is unreachable, the plugin is intended to fail gracefully and not cause OctoPrint itself to malfunction.
Further notes
OctoGoat is focused on failed-print recovery with a safety-first, user-controlled workflow. Its goal is to make print recovery approachable for normal users while avoiding dangerous automatic behavior, especially around Z homing and printer movement near an already-existing print.
Big thank you to Gina and everyone who keeps OctoPrint going strong. Holler at me and I will give you guys coupon codes for a free year's subscription.