Add Layer Notify plugin #1444

Open
Benaa42 wants to merge 3 commits into OctoPrint:gh-pages from Benaa42:gh-pages

Benaa42 commented Jun 1, 2026

  • You have read the "Registering a new Plugin" guide.
  • You want to and are able to maintain the plugin you are registering, long-term.
  • You understand why the plugin you are registering works.
  • You have read and acknowledge the Code of Conduct.

What is the name of your plugin?

Layer Notify

What does your plugin do?

Sends a visual notification (browser toast + OS native notification) and an optional sound alert when a specific layer is reached during a print job. Each target layer can also trigger a GCODE command automatically (e.g. M600 for a filament change, M117 to show a message on the printer display). Multiple target layers can be configured independently, each with its own command, sound and enable toggle.

Where can we find the source code of your plugin?

https://github.com/Benaa42/octoprint-layer-notify

Was any kind of genAI (ChatGPT, Copilot etc) involved in creating this plugin?

Yes — Claude (Anthropic) was used as a coding assistant during development. All code was reviewed and tested on a physical printer (Creality Ender S1 PRO) before submission.

Is your plugin commercial in nature?

No, it is free and open-source (AGPLv3).

Does your plugin rely on some cloud services?

No. All functionality runs locally inside OctoPrint. No external services or internet connection required.

Further notes

  • Layer detection works via slicer GCODE comments (Cura ;LAYER:X, PrusaSlicer ; layer X,) with a Z-movement fallback that works with any slicer.
  • Sound alerts are generated in the browser via the Web Audio API — no audio files needed.
  • Tested on OctoPrint 1.11.7 / Python 3.11 / Raspberry Pi (OctoPi).

jacopotediosi left a comment

Member

@Benaa42 First of all, thank you for your contribution!

Unfortunately, I'm unable to review your plugin until the PR template has been filled out - it should appear automatically when opening a PR in this repository.

That template helps us reviewers work more efficiently and ensures that plugin maintainers have read all the necessary documentation and accepted the terms.

We've noticed that a few recent PRs, also from other users, have been missing it, so just a friendly reminder - please take a moment to complete it, and I'll be happy to proceed with the review. Thanks!

github-project-automation bot moved this to In Progress in OctoPrint Backlog Jun 2, 2026

@jneilliii

Contributor

Quick look, plugin is missing software update hook, is_template_autoescaped, is_api_protected, and any kind of permissions on the API calls.

Benaa42 commented Jun 2, 2026

Author

Thank you for the review @jacopotediosi and @jneilliii!

I've addressed both points:

1. PR template filled — all questions answered above.

2. Plugin code updated (commit 7b3d1f8):

  • Added software update hook (octoprint.plugin.softwareupdate.check_config) so OctoPrint can check for plugin updates
  • is_api_protected() now returns True — API endpoints require authentication
  • is_template_autoescaped() now returns True — Jinja2 autoescaping enabled
  • BlueprintPlugin added to mixin list
  • JS API calls now include withCredentials: true

Please let me know if anything else is needed. Thank you!

jneilliii commented Jun 2, 2026

Contributor

I can't tell you how much it pains us to review these AI developed plugins. I took another look at the actual logic and realized a few more things after running the plugin through octoscanner.

  1. This whole block I don't think will ever get processed because comments in gcode files don't go through the gcode queue (all comments are stripped). https://github.com/Benaa42/octoprint-layer-notify/blob/7b3d1f88650eec6fee04bb360ba09999d0d93f6c/octoprint_layer_notify/__init__.py#L68-L83
  2. Your plugin doesn't use BlueprintPlugin mixin, so why is it defined in your plugin's class? https://github.com/Benaa42/octoprint-layer-notify/blob/7b3d1f88650eec6fee04bb360ba09999d0d93f6c/octoprint_layer_notify/__init__.py#L12
  3. PNotify call without text_escape: true is a DOM XSS vulnerability: https://github.com/Benaa42/octoprint-layer-notify/blob/7b3d1f88650eec6fee04bb360ba09999d0d93f6c/octoprint_layer_notify/static/js/layer_notify.js#L152-L159
  4. Rather than using ajax calls here and here use simpleApiGet and simpleApiCommand
  5. Newly registered plugins we request that you use pyproject.toml and build isolation. There's a utility you can use to convert your existing setup.py approach: https://docs.octoprint.org/en/main/plugins/pyproject_toml_migration.html
  6. We ask that plugin_description be in English: https://github.com/Benaa42/octoprint-layer-notify/blob/7b3d1f88650eec6fee04bb360ba09999d0d93f6c/setup.py#L7

jacopotediosi left a comment

Member

In addition to what was reported by @jneilliii, and to my comment below, there doesn't seem to be anything else to fix at this moment.

As for the potential XSS in PNotify, my advice is to wrap data.command and data.layer with _.escape().
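
The PNotify point from the two reviews above, as an added example (not the plugin's code and not part of any reviewer's comment): a notification built from data.layer and data.command with text_escape off, next to the two fixes discussed. The message layout, function names and sample payload are assumptions; escapeHtml is a local stand-in for _.escape so the block runs outside OctoPrint.

```javascript
// Stand-in for lodash's _.escape (the helper suggested in the review) so this
// runs outside OctoPrint; in the browser the global _ is used instead.
const ENTITIES = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
const escapeHtml =
    typeof _ !== "undefined" && _.escape
        ? _.escape
        : (value) => String(value).replace(/[&<>"']/g, (ch) => ENTITIES[ch]);

// Before: user-controlled fields are concatenated into HTML that PNotify
// inserts unescaped because text_escape is off. (Hypothetical message layout.)
function noticeVulnerable(data) {
    return {
        title: "Layer Notify",
        text: "Layer <b>" + data.layer + "</b> reached, sent <code>" + data.command + "</code>",
        text_escape: false,
        type: "info",
    };
}

// After, option A: keep the HTML formatting, escape each interpolated field.
function noticeEscapedFields(data) {
    return {
        title: "Layer Notify",
        text: "Layer <b>" + escapeHtml(data.layer) + "</b> reached, sent <code>" +
            escapeHtml(data.command) + "</code>",
        text_escape: false,
        type: "info",
    };
}

// After, option B: drop the formatting and let PNotify escape the whole text.
function noticePlainText(data) {
    return {
        title: "Layer Notify",
        text: "Layer " + data.layer + " reached, sent " + data.command,
        text_escape: true,
        type: "info",
    };
}

// Tags that would reach the DOM as markup: everything except the template's own.
function injectedTags(options) {
    if (options.text_escape) return []; // PNotify renders the text as plain text
    const tags = options.text.match(/<\/?[a-zA-Z][^>]*>/g) || [];
    return tags.filter((tag) => !["<b>", "</b>", "<code>", "</code>"].includes(tag));
}

// Constructed sample message: a GCODE command field carrying markup.
const sample = { layer: 12, command: 'M117 <img src=x onerror="alert(1)">' };
```

Running injectedTags over each variant with the sample shows one stray tag in the first form and none in the other two.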

Comment thread _plugins/layer_notify.md
Comment on lines +29 to +36
- url: https://raw.githubusercontent.com/Benaa42/octoprint-layer-notify/main/docs/screenshot_settings.png
alt: Settings panel showing layer list and sound configuration
caption: Configure target layers with optional GCODE commands and sound alerts
- url: https://raw.githubusercontent.com/Benaa42/octoprint-layer-notify/main/docs/screenshot_tab.png
alt: Layer Notify tab with real-time status
caption: Dedicated tab showing which layers have fired and which are waiting

featuredimage: https://raw.githubusercontent.com/Benaa42/octoprint-layer-notify/main/docs/screenshot_tab.png
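
Review bot: all three image URLs in these lines (both screenshots entries and featuredimage) load from raw.githubusercontent.com on the plugin repository's main branch, so what the listing displays can change after this PR is reviewed and breaks if those files are moved or renamed. Copy the two PNG files into this repository and point url and featuredimage at the in-repo paths instead.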

Member

Images should be placed in /assets/img/plugins/layer_notify/ within this repository

Benaa42 commented Jun 3, 2026

Author

Hi @jneilliii, all 6 points have been addressed in commit f2a915b:

  1. Comment-based GCODE detection removed — I wasn't aware OctoPrint strips comments before the queuing hook. Layer detection now relies exclusively on Z-movement tracking (first extrusion at a higher Z level), which is already confirmed working on a physical printer.

  2. BlueprintPlugin removed from the mixin list — it was added by mistake and never used.

  3. XSS fixed — added _escHtml() helper to escape data.layer and data.command before inserting into the PNotify HTML. text_escape: false is kept since we intentionally use HTML formatting, but user data is now escaped.

  4. Replaced $.ajax calls with OctoPrint.simpleApiGet and OctoPrint.simpleApiCommand throughout.

  5. Added pyproject.toml with setuptools>=61 build system and full project metadata. setup.py kept for backward compatibility during transition.

  6. plugin_description translated to English in setup.py.

Please let me know if anything else needs attention. Thank you for the detailed review!

jacopotediosi commented Jun 3, 2026

Member

I reviewed the plugin's current code again, there are still a few issues:

> 1. XSS fixed — added _escHtml() helper to escape data.layer and data.command before inserting into the PNotify HTML. text_escape: false is kept since we intentionally use HTML formatting, but user data is now escaped.

As per my comment above, I suggest using _.escape() instead of reinventing the wheel with custom sanitizers.

> 1. Added pyproject.toml with setuptools>=61 build system and full project metadata. setup.py kept for backward compatibility during transition.

Nope, your setup.py and pyproject.toml still don't follow the cookiecutter template. In the previous comment, @jneilliii linked you the guide on how to correctly migrate to pyproject.

Finally, regarding this PR, please place images within this repo per my comment #1444 (comment).

Everything else looks ok to me.

@jacopotediosi

jacopotediosi commented Jun 3, 2026

Copy link
Copy Markdown
Member

Also in your readme.md you still mention gcode comments in the Slicer compatibility section
