* fix(webhooks): eliminate redundant DB queries from webhook execution path
* chore(webhooks): remove implementation-detail comments
* fix(webhooks): restore auth-first ordering and add credential resolution warning
- Revert parallel auth+preprocessing to sequential auth→preprocessing
to prevent rate-limit exhaustion via unauthenticated requests
- Add warning log when credential account resolution fails in background job
* fix(webhooks): restore auth-before-reachability ordering and remove dead credentialAccountUserId field
- Move reachability test back after auth to prevent path enumeration
- Remove dead credentialAccountUserId from WebhookExecutionPayload
- Simplify credential resolution condition in background job
* fix(security): add SSRF protection to database tools and webhook delivery
* fix(security): address review comments on SSRF PR
- Remove Promise.race timeout pattern to avoid unhandled rejections
(http.request timeout is sufficient for webhook delivery)
- Use safeCompare in verifyCronAuth instead of inline HMAC logic
- Strip IPv6 brackets before validateDatabaseHost in Redis route
* fix(security): allow HTTP webhooks and fix misleading MCP error docs
- Add allowHttp option to validateExternalUrl, validateUrlWithDNS,
and secureFetchWithValidation to support HTTP webhook URLs
- Pass allowHttp: true for webhook delivery and test endpoints
- Fix misleading JSDoc on createMcpErrorResponse (doesn't log errors)
- Mark unused error param with underscore prefix
* fix(security): forward allowHttp option through redirect validation
Pass allowHttp to validateUrlWithDNS in the redirect handler of
secureFetchWithPinnedIP so HTTP-to-HTTP redirects work when allowHttp
is enabled for webhook delivery.
* fix(security): block localhost when allowHttp is enabled
When allowHttp is true (user-supplied webhook URLs), explicitly block
localhost/loopback in both validateExternalUrl and validateUrlWithDNS
to prevent SSRF against internal services.
* fix(security): always strip multi-line content in sanitizeConnectionError
Take the first line of the error message regardless of length to
prevent leaking sensitive data from multi-line error messages.
* fix(parallel): align integration with Parallel AI API docs
* fix(parallel): keep processor subBlock ID for backwards compatibility
* fix(parallel): move error field to top level per ToolResponse interface
* fix(parallel): guard research_input and prevent domain leakage across operations
* fix(parallel): make url/title nullable in types to match transformResponse
* fix(parallel): revert search_queries param type to string for backwards compatibility
* feat(hosted keys): Implement serper hosted key
* Handle required fields correctly for hosted keys
* Add rate limiting (3 tries, exponential backoff)
* Add custom pricing, switch to exa as first hosted key
* Add telemetry
* Consolidate byok type definitions
* Add warning comment if default calculation is used
* Record usage to user stats table
* Fix unit tests, use cost property
* Include more metadata in cost output
* Fix disabled tests
* Fix spacing
* Fix lint
* Move knowledge cost restructuring away from generic block handler
* Migrate knowledge unit tests
* Lint
* Fix broken tests
* Add user based hosted key throttling
* Refactor hosted key handling. Add optimistic handling of throttling for custom throttle rules.
* Remove research as hosted key. Recommend BYOK if throtttling occurs
* Make adding api keys adjustable via env vars
* Remove vestigial fields from research
* Make billing actor id required for throttling
* Switch to round robin for api key distribution
* Add helper method for adding hosted key cost
* Strip leading double underscores to avoid breaking change
* Lint fix
* Remove falsy check in favor for explicit null check
* Add more detailed metrics for different throttling types
* Fix _costDollars field
* Handle hosted agent tool calls
* Fail loudly if cost field isn't found
* Remove any type
* Fix type error
* Fix lint
* Fix usage log double logging data
* Fix test
---------
Co-authored-by: Theodore Li <teddy@zenobiapay.com>
* feat(evernote): add Evernote integration with 11 tools
* fix(evernote): fix signed integer mismatch in Thrift version check
* fix(evernote): fix exception field mapping and add sandbox support
* fix(evernote): address PR review feedback
* fix(evernote): clamp maxNotes to Evernote's 250 limit
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
---------
Co-authored-by: Claude Opus 4.6 <noreply@anthropic.com>
* improvement(oauth): centralize scopes and remove dead scope evaluation code
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
* fix(oauth): fix stale scope-descriptions.ts references and add test coverage
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
---------
Co-authored-by: Claude Opus 4.6 <noreply@anthropic.com>
* fix(selectors): resolve env var references at design time for selector context
Selectors now resolve {{ENV_VAR}} references before building context and
returning dependency values to consumers, enabling env-var-based credentials
(e.g. {{SLACK_BOT_TOKEN}}) to work with selector dropdowns.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
* fix(selectors): prevent unresolved env var templates from leaking into context
- Fall back to undefined instead of raw template string when env var is
missing from store, so the null-check in the context loop discards it
- Use resolvedDetailId in query cache key so React Query refetches when
the underlying env var value changes
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
* fix(selectors): use || for consistent empty-string env var handling
Align use-selector-setup.ts with use-selector-query.ts by using || instead
of ?? so empty-string env var values are treated as unset.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
---------
Co-authored-by: Claude Opus 4.6 <noreply@anthropic.com>
* feat(selectors): add dropdown selectors for 14 integrations
* fix(selectors): secure OAuth tokens in JSM and Confluence selector routes
Convert JSM selector-servicedesks, selector-requesttypes, and Confluence
selector-spaces routes from GET (with access token in URL query params) to
POST with authorizeCredentialUse + refreshAccessTokenIfNeeded pattern. Also
adds missing ensureCredential guard to microsoft.planner.plans registry entry.
* fix(selectors): use sanitized serviceDeskId and encode SharePoint siteId
Use serviceDeskIdValidation.sanitized instead of raw serviceDeskId in JSM
request types URL. Add encodeURIComponent to SharePoint siteId to prevent
URL path injection.
* lint
* fix(selectors): revert encodeURIComponent on SharePoint siteId
SharePoint site IDs use the format "hostname,guid,guid" with commas that
must remain unencoded for the Microsoft Graph API. The encodeURIComponent
call would convert commas to %2C and break the API call.
* fix(selectors): use sanitized cloudId in Confluence and JSM route URLs
Use cloudIdValidation.sanitized instead of raw cloudId in URL construction
for consistency with the validation pattern, even though the current
validator returns the input unchanged.
* fix(selectors): add missing context fields to resolution, ensureCredential to sharepoint.lists, and siteId validation
- Add baseId, datasetId, serviceDeskId to SelectorResolutionArgs,
ExtendedSelectorContext, extractExtendedContext, useSelectorDisplayName,
and resolveSelectorForSubBlock so cascading selectors resolve correctly
through the resolution path.
- Add ensureCredential guard to sharepoint.lists registry entry.
- Add regex validation for SharePoint siteId format (hostname,GUID,GUID).
* fix(selectors): rename advanced subBlock IDs to avoid canonicalParamId clashes
Rename all advanced-mode subBlock IDs that matched their canonicalParamId
to use a `manual*` prefix, following the established convention
(e.g., manualSiteId, manualCredential). This prevents ambiguity between
subBlock IDs and canonical parameter names in the serialization layer.
25 renames across 14 blocks: baseId→manualBaseId, tableId→manualTableId,
workspace→manualWorkspace, objectType→manualObjectType, etc.
* Revert "fix(selectors): rename advanced subBlock IDs to avoid canonicalParamId clashes"
This reverts commit 4e30161c68.
* fix(selectors): rename canonicalParamIds to avoid subBlock ID clashes
Prefix all clashing canonicalParamId values with `selected_` so they
don't match any subBlock ID. Update each block's `inputs` section and
`tools.config.params` function to destructure the new canonical names
and remap them to the original tool param names. SubBlock IDs and tool
definitions remain unchanged for backwards compatibility.
Affected: 25 canonical params across 14 blocks (airtable, asana, attio,
calcom, confluence, google_bigquery, google_tasks, jsm, microsoft_planner,
notion, pipedrive, sharepoint, trello, zoom).
* fix(selectors): rename pre-existing driveId and files canonicalParamIds in SharePoint
Apply the same selected_ prefix convention to the pre-existing SharePoint
driveId and files canonical params that clashed with their subBlock IDs.
* style: format long lines in calcom, pipedrive, and sharepoint blocks
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
* fix(selectors): resolve cascading context for selected_ canonical params and normalize Asana response
Strip `selected_` prefix from canonical param IDs when mapping to
SelectorContext fields so cascading selectors (Airtable base→table,
BigQuery dataset→table, JSM serviceDesk→requestType) correctly
propagate parent values.
Normalize Asana workspaces route to return `{ id, name }` instead of
`{ gid, name }` for consistency with all other selector routes.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
* fix(selectors): replace hacky prefix stripping with explicit CANONICAL_TO_CONTEXT mapping
Replace CONTEXT_FIELD_SET (Record<string, true>) with CANONICAL_TO_CONTEXT
(Record<string, keyof SelectorContext>) that explicitly maps canonical
param IDs to their SelectorContext field names.
This properly handles the selected_ prefix aliases (e.g. selected_baseId
→ baseId) without string manipulation, and removes the unsafe
Record<string, unknown> cast.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
* refactor(selectors): remove unnecessary selected_ prefix from canonicalParamIds
The selected_ prefix was added to avoid a perceived clash between
canonicalParamId and subBlock id values, but this clash does not
actually cause any issues — pre-existing blocks on main (Google Sheets,
Webflow, SharePoint) already use matching values successfully.
Remove the prefix from all 14 blocks, revert use-selector-setup.ts to
the simple CONTEXT_FIELD_SET pattern, and simplify tools.config.params
functions that were only remapping the prefix back.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
* fix(selectors): add spaceId selector pair to Confluence V2 block
The V2 block was missing the spaceSelector basic-mode selector that the
V1 (Legacy) block already had.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
* refactor(selectors): revert V1 block changes, add selectors to Notion V1 for V2 inheritance
Confluence V1: reverted to main state (V2 has its own subBlocks).
Notion V1: added selector pairs per-operation since V2 inherits
subBlocks, inputs, and params from V1.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
* fix(selectors): audit fixes for auth patterns, registry gaps, and display name resolution
- Convert Microsoft Planner plans/tasks routes from GET+getSession to POST+authorizeCredentialUse
- Add fetchById to microsoft.planner (tasks) and sharepoint.sites registry entries
- Add ensureCredential to sharepoint.sites and microsoft.planner registry fetchList
- Update microsoft.planner.plans registry to use POST method
- Add siteId, collectionId, spreadsheetId, fileId to SelectorDisplayNameArgs and caller
- Add fileId to SelectorResolutionArgs and resolution context
- Fix Zoom topicUpdate visibility in basic mode (remove mode:'advanced')
- Change Zoom meetings selector to fetch upcoming_meetings instead of only scheduled
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
* style: lint formatting fixes
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
* fix(selectors): consolidate Notion canonical param pairs into array conditions
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
* fix(selectors): add missing selectorKey to Confluence V1 page selector
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
* fix(selectors): use sanitized IDs in URLs, convert SharePoint routes to POST+authorizeCredentialUse
- Use planIdValidation.sanitized in MS Planner tasks fetch URL
- Convert sharepoint/lists and sharepoint/sites from GET+getSession to POST+authorizeCredentialUse
- Update registry entries to match POST pattern
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
* fix(selectors): revert Zoom meetings type to scheduled for broader compatibility
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
* fix(selectors): add SharePoint site ID validator, fix cascading selector display name fallbacks
- Add validateSharePointSiteId to input-validation.ts
- Use validation util in SharePoint lists route instead of inline regex
- Add || fallback to selector IDs in workflow-block.tsx so cascading
display names resolve in basic mode (baseSelector, planSelector, etc.)
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
* fix(selectors): hoist requestId before try block in all selector routes
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
* fix(selectors): hoist requestId before try block in Trello boards route
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
* fix(selectors): guard selector queries against unresolved variable references
Skip fetchById and context population when values are design-time
placeholders (<Block.output> or {{ENV_VAR}}) rather than real IDs.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
* refactor(selectors): replace hardcoded display name fallbacks with canonical-aware resolution
Use resolveDependencyValue to resolve context values for
useSelectorDisplayName, eliminating manual || getStringValue('*Selector')
fallbacks that required updating for each new selector pair.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
* fix(selectors): tighten SharePoint site ID validation to exclude underscores
SharePoint composite site IDs use hostname,guid,guid format where only
alphanumerics, periods, hyphens, and commas are valid characters.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
* fix(selectors): ensure string IDs in Pipedrive/Cal.com routes, fix Trello closed board filter
Pipedrive pipelines and Cal.com event-types/schedules routes now
consistently return string IDs via String() conversion.
Trello boards route no longer filters out closed boards, preserving
them for fetchById lookups. The closed filter is applied only in the
registry's fetchList so archived boards don't appear in dropdowns
but can still be resolved by ID for display names.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
* fix(selectors): convert Zoom meeting IDs to strings for consistency
Zoom API returns numeric meeting IDs. Convert with String() to match
the string ID convention used by all other selector routes.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
* fix(selectors): align registry types with route string ID returns
Routes already convert numeric IDs to strings via String(), so update
the registry types (CalcomEventType, CalcomSchedule, PipedrivePipeline,
ZoomMeeting) from id: number to id: string and remove the now-redundant
String() coercions in fetchList/fetchById.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
---------
Co-authored-by: Claude Opus 4.6 <noreply@anthropic.com>
* feat(reddit): add 5 new tools, fix bugs, and audit all endpoints against API docs
* fix(reddit): add optional chaining, pagination wiring, and trim safety
- Add optional chaining on children?.[0] in get_posts, get_controversial,
search, and get_comments to prevent TypeError on unexpected API responses
- Wire after/before pagination params to get_messages block operation
- Use ?? instead of || for get_comments limit to handle 0 correctly
- Add .trim() on postId in get_comments URL path
* chore(reddit): remove unused output property constants from types.ts
* fix(reddit): add HTTP error handling to GET tools
Add !response.ok guards to get_me, get_user, get_subreddit_info,
and get_messages to return success: false on non-2xx responses
instead of silently returning empty data with success: true.
* fix(reddit): add input validation and HTTP error guards
- Add validateEnum/validatePathSegment to prevent URL path traversal
- Add !response.ok guards to send_message and reply tools
- Centralize subreddit validation in normalizeSubreddit
* feat(slack): add new tools and user selectors
* fix(slack): fix download fileName param and canvas error handling
* fix(slack): use markdown format for canvas rename title_content
* fix(slack): rename channel output to channelInfo and document presence API limitation
* lint
* fix(chat): use explicit trigger type check instead of heuristic for chat guard (#3419)
* fix(chat): use explicit trigger type check instead of heuristic for chat guard
* fix(chat): remove heuristic fallback from isExecutingFromChat
Use only overrideTriggerType === 'chat' instead of also checking
for 'input' in workflowInput, which can false-positive on manual
executions with workflow input.
* fix(chat): use isExecutingFromChat variable consistently in callbacks
Replace inline overrideTriggerType !== 'chat' checks with
!isExecutingFromChat to stay consistent with the rest of the function.
* fix(slack): add missing fields to SlackChannel interface
* fix(slack): fix canvas transformResponse type mismatch
Provide required output fields on error path to match SlackCanvasResponse type.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
* fix(slack): move error field to top level in canvas transformResponse
The error field belongs on ToolResponse, not inside the output object.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
---------
Co-authored-by: Claude Opus 4.6 <noreply@anthropic.com>
* fix(chat): use explicit trigger type check instead of heuristic for chat guard
* fix(chat): remove heuristic fallback from isExecutingFromChat
Use only overrideTriggerType === 'chat' instead of also checking
for 'input' in workflowInput, which can false-positive on manual
executions with workflow input.
* fix(chat): use isExecutingFromChat variable consistently in callbacks
Replace inline overrideTriggerType !== 'chat' checks with
!isExecutingFromChat to stay consistent with the rest of the function.
* fix(memory): add Bun.gc, stream cancellation, and unconsumed fetch drains
* fix(memory): await reader.cancel() and use non-blocking Bun.gc
* fix(memory): update Bun.gc comment to match non-blocking call
* fix(memory): use response.body.cancel() instead of response.text() for drains
* fix(executor): flush TextDecoder after streaming loop for multi-byte chars
* fix(memory): use text() drain for SecureFetchResponse which lacks body property
* fix(chat): prevent premature isExecuting=false from killing chat stream
The onExecutionCompleted/Error/Cancelled callbacks were setting
isExecuting=false as soon as the server-side SSE stream completed.
For chat executions, this triggered a useEffect in chat.tsx that
cancelled the client-side stream reader before it finished consuming
buffered data — causing empty or partial chat responses.
Skip the isExecuting=false in these callbacks for chat executions
since the chat's own finally block handles cleanup after the stream
is fully consumed.
* fix(chat): remove useEffect anti-pattern that killed chat stream on state change
The effect reacted to isExecuting becoming false to clean up streams,
but this is an anti-pattern per React guidelines — using state changes
as a proxy for events. All cleanup cases are already handled by proper
event paths: stream done (processStreamingResponse), user cancel
(handleStopStreaming), component unmount (cleanup effect), and
abort/error (catch block).
* fix(servicenow): remove invalid string comparison on numeric offset param
* upgrade turborepo
* feat(servicenow): add offset and display value params to read records
* fix(servicenow): address greptile review feedback for offset and displayValue
* fix(servicenow): handle offset=0 correctly in pagination
* fix(servicenow): guard offset against empty string in URL builder
* fix(subflows): recurse into all descendants for lock, enable, and protection checks
* fix(subflows): prevent container resize on initial render and clean up code
- Add canvasReadyRef to skip container dimension recalculation during
ReactFlow init — position changes from extent clamping fired before
block heights are measured, causing containers to resize on page load
- Resolve globals.css merge conflict, remove global z-index overrides
(handled via ReactFlow zIndex prop instead)
- Clean up subflow-node: hoist static helpers to module scope, remove
unused ref, fix nested ternary readability, rename outlineColor→ringColor
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
* fix(subflows): use full ancestor-chain protection for descendant enable-toggle
The enable-toggle for descendants was checking only direct `locked` status
instead of walking the full ancestor chain via `isBlockProtected`. This meant
a block nested 2+ levels inside a locked subflow could still be toggled.
Also added TSDoc clarifying why boxShadow works for subflow ring indicators.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
* revert(subflows): remove canvasReadyRef height-gating approach
The canvasReadyRef gating in onNodesChange didn't fully fix the
container resize-on-load issue. Reverting to address properly later.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
* fix: remove unintentional edge-interaction CSS from globals
Leftover from merge conflict resolution — not part of this PR's changes.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
* fix(editor): correct isAncestorLocked when block and ancestor both locked, restore fade-in transition
isAncestorLocked was derived from isBlockProtected which short-circuits
on block.locked, so a self-locked block inside a locked ancestor showed
"Unlock block" instead of "Ancestor container is locked". Now walks the
ancestor chain independently.
Also restores the accidentally removed transition-opacity duration-150
class on the ReactFlow container.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
* fix(subflows): use full ancestor-chain protection for top-level enable-toggle, restore edge-label z-index
The top-level block check in batchToggleEnabled used block.locked (self
only) while descendants used isBlockProtected (full ancestor chain). A
block inside a locked ancestor but not itself locked would bypass the
check. Now all three layers (store, collaborative hook, DB operations)
consistently use isBlockProtected/isDbBlockProtected at both levels.
Also restores the accidentally removed edge-labels z-index rule, bumped
from 60 to 1001 so labels render above child nodes (zIndex: 1000).
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
* fix(subflows): extract isAncestorProtected utility, add cycle detection to all traversals
- Extract isAncestorProtected from utils.ts so editor.tsx doesn't
duplicate the ancestor-chain walk. isBlockProtected now delegates to it.
- Add visited-set cycle detection to all ancestor walks
(isBlockProtected, isAncestorProtected, isDbBlockProtected) and
descendant searches (findAllDescendantNodes, findDbDescendants) to
guard against corrupt parentId references.
- Document why click-catching div has no event bubbling concern
(ReactFlow renders children as viewport siblings, not DOM children).
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
---------
Co-authored-by: Claude Opus 4.6 <noreply@anthropic.com>
* fix(editor): restore cursor position after tag/env-var completion in code editors
* lint
* refactor(editor): extract restoreCursorAfterInsertion helper, fix weak fallbacks
* updated
* fix(editor): replace useEffect with direct ref assignment for editorValueRef
* fix(editor): guard cursor restoration behind preview/readOnly check
Move restoreCursorAfterInsertion inside the !isPreview && !readOnly guard
so cursor position isn't computed against newValue when the textarea still
holds liveValue. Add comment documenting the cross-string index invariant
in the shared helper.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
* fix(editor): escape blockId in CSS selector with CSS.escape()
Prevents potential SyntaxError if blockId ever contains CSS special
characters when querying the textarea for cursor restoration.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
* perf(editor): use ref for cursor fallback to stabilize useCallback
Replace cursorPosition state in handleSubflowTagSelect's dependency
array with a cursorPositionRef. This avoids recreating the callback
on every keystroke since cursorPosition is only used as a fallback
when textareaRef.current is null.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
* refactor(editor): pass cursor position explicitly from dropdowns
Instead of inferring cursor position by searching for delimiters in the
output string (which could match unrelated < or {{ in code), compute
the exact cursor position in TagDropdown and EnvVarDropdown where the
insertion range is definitively known, and pass it through onSelect.
This follows the same pattern used by CodeMirror, Monaco, and
ProseMirror: the insertion source always knows the range, so cursor
position is computed at the source rather than inferred by the consumer.
- TagDropdown/EnvVarDropdown: compute newCursorPosition, pass as 2nd arg
- restoreCursorAfterInsertion: simplified to just (textarea, position)
- code.tsx, condition-input.tsx, use-subflow-editor.ts: accept position
- Removed editorValueRef and cursorPositionRef from use-subflow-editor
(no longer needed since dropdown computes position)
- Other consumers (native inputs) unaffected due to TS callback compat
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
* docs(editor): fix JSDoc terminology — macrotask not microtask
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
---------
Co-authored-by: Claude Opus 4.6 <noreply@anthropic.com>
* feat(executor): support nested loop DAG construction and edge wiring
Wire inner loop sentinel nodes into outer loop sentinel chains so that
nested loops execute correctly. Resolves boundary-node detection to use
effective sentinel IDs for nested loops, handles loop-exit edges from
inner sentinel-end to outer sentinel-end, and recursively clears
execution state for all nested loop scopes between iterations.
NOTE: loop-in-loop nesting only; parallel nesting is not yet supported.
Made-with: Cursor
* feat(executor): add nested loop iteration context and named loop variable resolution
Introduce ParentIteration to track ancestor loop state, build a
loopParentMap during DAG construction, and propagate parent iterations
through block execution and child workflow contexts.
Extend LoopResolver to support named loop references (e.g. <loop1.index>)
and add output property resolution (<loop1.result>). Named references
use the block's display name normalized to a tag-safe identifier,
enabling blocks inside nested loops to reference any ancestor loop's
iteration state.
NOTE: loop-in-loop nesting only; parallel nesting is not yet supported.
Made-with: Cursor
* feat(terminal): propagate parent iteration context through SSE events and terminal display
Thread parentIterations through SSE block-started, block-completed, and
block-error events so the terminal can reconstruct nested loop
hierarchies. Update the entry tree builder to recursively nest inner
loop subflow nodes inside their parent iteration rows, using
parentIterations depth-stripping to support arbitrary nesting depth.
Display the block's store name for subflow container rows instead of
the generic "Loop" / "Parallel" label.
Made-with: Cursor
* feat(canvas): allow nesting subflow containers and prevent cycles
Remove the restriction that prevented subflow nodes from being dragged
into other subflow containers, enabling loop-in-loop nesting on the
canvas. Add cycle detection (isDescendantOf) to prevent a container
from being placed inside one of its own descendants.
Resize all ancestor containers when a nested child moves, collect
descendant blocks when removing from a subflow so boundary edges are
attributed correctly, and surface all ancestor loop tags in the tag
dropdown for blocks inside nested loops.
Made-with: Cursor
* feat(agent): add MCP server discovery mode for agent tool input (#3353)
* feat(agent): add MCP server discovery mode for agent tool input
* fix(tool-input): use type variant for MCP server tool count badge
* fix(mcp-dynamic-args): align label styling with standard subblock labels
* standardized inp format UI
* feat(tool-input): replace MCP server inline expand with drill-down navigation
* feat(tool-input): add chevron affordance and keyboard nav for MCP server drill-down
* fix(tool-input): handle mcp-server type in refresh, validation, badges, and usage control
* refactor(tool-validation): extract getMcpServerIssue, remove fake tool hack
* lint
* reorder dropdown
* perf(agent): parallelize MCP server tool creation with Promise.all
* fix(combobox): preserve cursor movement in search input, reset query on drilldown
* fix(combobox): route ArrowRight through handleSelect, remove redundant type guards
* fix(agent): rename mcpServers to mcpServerSelections to avoid shadowing DB import, route ArrowRight through handleSelect
* docs: update google integration docs
* fix(tool-input): reset drilldown state on tool selection to prevent stale view
* perf(agent): parallelize MCP server discovery across multiple servers
* improvement(tests): speed up unit tests by eliminating vi.resetModules anti-pattern (#3357)
* improvement(tests): speed up unit tests by eliminating vi.resetModules anti-pattern
- convert 51 test files from vi.resetModules/vi.doMock/dynamic import to vi.hoisted/vi.mock/static import
- add global @sim/db mock to vitest.setup.ts
- switch 4 test files from jsdom to node environment
- remove all vi.importActual calls that loaded heavy modules (200+ block files)
- remove slow mockConsoleLogger/mockAuth/setupCommonApiMocks helpers
- reduce real setTimeout delays in engine tests
- mock heavy transitive deps in diff-engine test
test execution time: 34s -> 9s (3.9x faster)
environment time: 2.5s -> 0.6s (4x faster)
* docs(testing): update testing best practices with performance rules
- document vi.hoisted + vi.mock + static import as the standard pattern
- explicitly ban vi.resetModules, vi.doMock, vi.importActual, mockAuth, setupCommonApiMocks
- document global mocks from vitest.setup.ts
- add mock pattern reference for auth, hybrid auth, and database chains
- add performance rules section covering heavy deps, jsdom vs node, real timers
* fix(tests): fix 4 failing test files with missing mocks
- socket/middleware/permissions: add vi.mock for @/lib/auth to prevent transitive getBaseUrl() call
- workflow-handler: add vi.mock for @/executor/utils/http matching executor mock pattern
- evaluator-handler: add db.query.account mock structure before vi.spyOn
- router-handler: same db.query.account fix as evaluator
* fix(tests): replace banned Function type with explicit callback signature
* feat(databricks): add Databricks integration with 8 tools (#3361)
* feat(databricks): add Databricks integration with 8 tools
Add complete Databricks integration supporting SQL execution, job management,
run monitoring, and cluster listing via Personal Access Token authentication.
Tools: execute_sql, list_jobs, run_job, get_run, list_runs, cancel_run,
get_run_output, list_clusters
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
* fix(databricks): throw on invalid JSON params, fix boolean coercion, add expandTasks field
- Throw errors on invalid JSON in jobParameters/notebookParams instead of silently defaulting to {}
- Always set boolean params explicitly to prevent string 'false' being truthy
- Add missing expandTasks dropdown UI field for list_jobs operation
* fix(databricks): align tool inputs/outputs with official API spec
- execute_sql: fix wait_timeout default description (50s, not 10s)
- get_run: add queueDuration field, update lifecycle/result state enums
- get_run_output: fix notebook output size (5 MB not 1 MB), add logsTruncated field
- list_runs: add userCancelledOrTimedout to state, fix limit range (1-24), update state enums
- list_jobs: fix name filter description to "exact case-insensitive"
- list_clusters: add PIPELINE_MAINTENANCE to ClusterSource enum
* fix(databricks): regenerate docs to reflect API spec fixes
---------
Co-authored-by: Claude Opus 4.6 <noreply@anthropic.com>
* feat(luma): add Luma integration for event and guest management (#3364)
* feat(luma): add Luma integration for event and guest management
Add complete Luma (lu.ma) integration with 6 tools: get event, create event,
update event, list calendar events, get guests, and add guests. Includes block
configuration with wandConfig for timestamps/timezones/durations, advanced mode
for optional fields, and generated documentation.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
* fix(luma): address PR review feedback
- Remove hosts field from list_events transformResponse (not in LumaEventEntry type)
- Fix truncated add_guests description by removing quotes that broke docs generator
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
* fix(luma): fix update_event field name and add_guests response parsing
- Use 'id' instead of 'event_id' in update_event request body per API spec
- Fix add_guests to parse entries[].guest response structure instead of flat guests array
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
---------
Co-authored-by: Claude Opus 4.6 <noreply@anthropic.com>
* feat(gamma): add gamma integration for AI-powered content generation (#3358)
* feat(gamma): add gamma integration for AI-powered content generation
* fix(gamma): address PR review comments
- Make credits/error conditionally included in check_status response to avoid always-truthy objects
- Replace full wordmark SVG with square "G" letterform for proper rendering in icon slots
* fix(gamma): remove imageSource from generate_from_template endpoint
The from-template API only accepts imageOptions.model and imageOptions.style,
not imageOptions.source (image source is inherited from the template).
* fix(gamma): use typed output in check_status transformResponse
* regen docs
* feat(greenhouse): add greenhouse integration for managing candidates, jobs, and applications (#3363)
* feat(ashby): add ashby integration for candidate, job, and application management (#3362)
* feat(ashby): add ashby integration for candidate, job, and application management
* fix(ashby): auto-fix lint formatting in docs files
* improvement(oauth): reordered oauth modal (#3368)
* feat(loops): add Loops email platform integration (#3359)
* feat(loops): add Loops email platform integration
Add complete Loops integration with 10 tools covering all API endpoints:
- Contact management: create, update, find, delete
- Email: send transactional emails with attachments
- Events: trigger automated email sequences
- Lists: list mailing lists and transactional email templates
- Properties: create and list contact properties
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
* ran litn
---------
Co-authored-by: Claude Opus 4.6 <noreply@anthropic.com>
* feat(resend): expand integration with contacts, domains, and enhanced email ops (#3366)
* improvement(blocks): update luma styling and linkup field modes (#3370)
* improvement(blocks): update luma styling and linkup field modes
* improvement(fireflies): move optional fields to advanced mode
* improvement(blocks): move optional fields to advanced mode for 10 integrations
* improvement(blocks): move optional fields to advanced mode for 6 more integrations
* feat(x): add 28 new X API v2 tool integrations and expand OAuth scopes (#3365)
* feat(x): add 28 new X API v2 tool integrations and expand OAuth scopes
* fix(x): add missing nextToken param to search tweets and fix XCreateTweetParams type
* fix(x): correct API spec issues in retweeted_by, quote_tweets, personalized_trends, and usage tools
* fix(x): add missing newestId and oldestId to error meta in get_liked_tweets and get_quote_tweets
* fix(x): add missing newestId/oldestId to get_liked_tweets success branch and includes to XTweetListResponse
* fix(x): add error handling to create_tweet and delete_tweet transformResponse
* fix(x): add error handling and logger to all X tools
* fix(x): revert block requiredScopes to match current operations
* feat(x): update block to support all 28 new X API v2 tools
* fix(x): add missing text output and fix hiddenResult output key mismatch
* docs(x): regenerate docs for all 28 new X API v2 tools
* improvement(docs): audit and standardize tool description sections, update developer count to 70k (#3371)
* improvement(x): align OAuth scopes, add scope descriptions, and set optional fields to advanced mode (#3372)
* improvement(x): align OAuth scopes, add scope descriptions, and set optional fields to advanced mode
* improvement(skills): add typed JSON outputs guidance to add-tools, add-block, and add-integration skills
* improvement(skills): add final validation steps to add-tools, add-block, and add-integration skills
* fix(skills): correct misleading JSON array comment in wandConfig example
* feat(skills): add validate-integration skill for auditing tools, blocks, and registry against API docs
* improvement(skills): expand validate-integration with full block-tool alignment, OAuth scopes, pagination, and error handling checks
* improvement(ci): add sticky disk caches and bump runner for faster builds (#3373)
* improvement(selectors): make selectorKeys declarative (#3374)
* fix(webflow): resolution for selectors
* remove unecessary fallback'
* fix teams selector resolution
* make selector keys declarative
* selectors fixes
* improvement(selectors): consolidate selector input logic (#3375)
* feat(google-contacts): add google contacts integration (#3340)
* feat(google-contacts): add google contacts integration
* fix(google-contacts): throw error when no update fields provided
* lint
* update icon
* improvement(google-contacts): add advanced mode, error handling, and input trimming
- Set mode: 'advanced' on optional fields (emailType, phoneType, notes, pageSize, pageToken, sortOrder)
- Add createLogger and response.ok error handling to all 6 tools
- Add .trim() on resourceName in get, update, delete URL builders
* improvement(mcp): add all MCP server tools individually instead of as single server entry (#3376)
* improvement(mcp): add all MCP server tools individually instead of as single server entry
* fix(mcp): prevent remove popover from opening inadvertently
* fix(sse): fix memory leaks in SSE stream cleanup and add memory telemetry (#3378)
* fix(sse): fix memory leaks in SSE stream cleanup and add memory telemetry
* improvement(monitoring): add SSE metering to wand, execution-stream, and a2a-message endpoints
* fix(workflow-execute): remove abort from cancel() to preserve run-on-leave behavior
* improvement(monitoring): use stable process.getActiveResourcesInfo() API
* refactor(a2a): hoist resubscribe cleanup to eliminate duplication between start() and cancel()
* style(a2a): format import line
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
* fix(wand): set guard flag on early-return decrement for consistency
---------
Co-authored-by: Claude Opus 4.6 <noreply@anthropic.com>
* improvement(ashby): validate ashby integration and update skill files (#3381)
* improvement(luma): expand host response fields and harden event ID inputs (#3383)
* improvement(resend): add error handling, authMode, and naming consistency (#3382)
* fix(chat-deploy): fix launch chat popup and auth persistence, clean up React anti-patterns (#3380)
* fix(chat-deploy): fix launch chat popup and auth persistence, clean up React anti-patterns
* lint
* fix(greenhouse): fix email_address query param, add .trim() to ID paths, revert onValidationChange to useEffect
* fix(chat-deploy): fix stale AuthSelector state, stabilize refetch ref, clean up copy timeout
* fix(chat-deploy): reset chatSuccess on modal open to prevent stuck state
* improvement(loops): validate loops integration and update skill files (#3384)
* improvement(loops): validate loops integration and update skill files
* loops icon color
* update databricks icon
* fix(monitoring): set MemoryTelemetry logger to INFO level for production visibility (#3386)
Production defaults to ERROR-only logging. Without this override,
memory snapshots would be silently suppressed.
* feat(integrations): add amplitude, google pagespeed insights, and pagerduty integrations (#3385)
* feat(integrations): add amplitude and google pagespeed insights integrations
* verified and regen docs
* fix icons
* fix(integrations): add pagerduty to tool and block registries
Re-add registry entries that were reverted after initial commit.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
* more updates
* ack comemnts
---------
Co-authored-by: Claude Opus 4.6 <noreply@anthropic.com>
* feat(docs): add API reference with OpenAPI spec and auto-generated endpoint pages (#3388)
* feat(docs): add API reference with OpenAPI spec and auto-generated endpoint pages
* multiline curl
* random improvements
* cleanup
* update docs copy
* fix build
* cast
* fix builg
---------
Co-authored-by: Claude Opus 4.6 <noreply@anthropic.com>
Co-authored-by: Lakee Sivaraya <71339072+lakeesiv@users.noreply.github.com>
Co-authored-by: Vikhyath Mondreti <vikhyath@simstudio.ai>
Co-authored-by: Vikhyath Mondreti <vikhyathvikku@gmail.com>
* fix(icons): fix pagerduty icon (#3392)
* improvement(executor): audit and harden nested loop/parallel implementation
* improvement(executor): audit and harden nested loop/parallel implementation
- Replace unsafe _childWorkflowInstanceId cast with typeof type guard
- Reuse WorkflowNodeMetadata interface instead of inline type duplication
- Rename _executeCore to executeCore (private, no underscore needed)
- Add log warning when SSE callbacks are dropped beyond MAX_SSE_CHILD_DEPTH
- Remove unnecessary onStream type assertion, use StreamingExecution type
- Convert OUTPUT_PROPERTIES/KNOWN_PROPERTIES from arrays to Sets for O(1) lookup
- Add type guard in loop resolver resolveOutput before casting
- Add TSDoc to edgeCrossesLoopBoundary explaining original-ID usage
- Add TSDoc to MAX_SSE_CHILD_DEPTH constant
- Update ParentIteration TSDoc to reflect parallel nesting support
- Type usageControl as union 'auto'|'force'|'none' in buildMcpTool
- Replace (t: any) casts with typed objects in agent-handler tests
- Add type guard in builder-data convertArrayItem
- Make ctx required in clearLoopExecutionState (only caller always passes it)
- Replace Math.random() with deterministic counter in terminal tests
- Fix isWorkflowBlockType mock to actually check block types
- Add loop-in-loop and workflow block tree tests
* improvement(executor): audit fixes for nested subflow implementation
- Fix findInnermostLoopForBlock/ParallelForBlock to return deepest nested
container instead of first Object.keys() match
- Fix isBlockInLoopOrDescendant returning false when directLoopId equals
target (should return true)
- Add isBlockInParallelOrDescendant with recursive nested parallel checking
to match loop resolver behavior
- Extract duplicated ~20-line iteration context building from loop/parallel
orchestrators into shared buildContainerIterationContext utility
- Remove inline import() type references in orchestrators
- Remove dead executionOrder field from WorkflowNodeMetadata
- Remove redundant double-normalization in findParallelBoundaryNodes
- Consolidate 3 identical tree-walk helpers into generic hasMatchInTree
- Add empty-array guards for Math.min/Math.max in terminal utils
- Make KNOWN_PROPERTIES a Set in parallel resolver for consistency
- Remove no-op handleDragEnd callback from toolbar
- Remove dead result/results entries from KNOWN_PROPERTIES in loop resolver
- Add tests for buildContainerIterationContext
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
* finished
* improvement(airtable): added more tools (#3396)
* fix(layout): polyfill crypto.randomUUID for non-secure HTTP contexts (#3397)
* feat(integrations): add dub.co integration (#3400)
* feat(integrations): add dub.co integration
* improvement(dub): add manual docs description and lint formatting fixes
* lint
* fix(dub): remove unsupported optional property from block outputs
* fix(memory): fix O(n²) string concatenation and unconsumed fetch response leaks (#3399)
* fix(monitoring): set MemoryTelemetry logger to INFO level for production visibility
Production defaults to ERROR-only logging. Without this override,
memory snapshots would be silently suppressed.
* fix(memory): fix O(n²) string concatenation and unconsumed fetch response leaks
* fix(tests): add text() mock to workflow-handler test fetch responses
* fix(memory): remove unused O(n²) join in onStreamChunk callback
* chore(careers): remove careers page, redirect to Ashby jobs portal (#3401)
* chore(careers): remove careers page, redirect to Ashby jobs portal
* lint
* feat(integrations): add google meet integration (#3403)
* feat(integrations): add google meet integration
* lint
* ack comments
* ack comments
* fix(terminal): deduplicate nested container entries in buildEntryTree
Filter out container-typed block rows when matching nested subflow
nodes exist, preventing nested loops/parallels from appearing twice
(once as a flat block and once as an expandable subflow).
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
* improvement(executor): clean up nested subflow implementation
- Fix wireSentinelEdges to use LOOP_EXIT handle for nested loop terminals
- Extract buildExecutionPipeline to deduplicate orchestrator wiring
- Replace two-phase init with constructor injection for Loop/ParallelOrchestrator
- Remove dead code: shouldExecuteLoopNode, resolveForEachItems, isLoopNode, isParallelNode, isSubflowBlockType
- Deduplicate currentItem resolution in ParallelResolver via resolveCurrentItem
- Type getDistributionItems param as SerializedParallel instead of any
- Demote verbose per-reference logger.info to logger.debug in evaluateWhileCondition
- Add loop-in-parallel wiring test in edges.test.ts
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
* fix(test): update parallel resolver test to use distribution instead of distributionItems
The distributionItems fallback was never part of SerializedParallel — it
only worked through any typing. Updated the test to use the real
distribution property.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
* fix(executor): skip loop back-edges in parallel boundary detection and update test
findParallelBoundaryNodes now skips LOOP_CONTINUE back-edges when
detecting terminal nodes, matching findLoopBoundaryNodes behavior.
Without this, a nested loop's back-edge was incorrectly counted as a
forward edge within the parallel, preventing terminal detection.
Also updated parallel resolver test to use the real distribution
property instead of the non-existent distributionItems fallback.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
* fix(executor): clean up cloned loop scopes in deleteParallelScopeAndClones
When a parallel contains a nested loop, cloned loop scopes (__obranch-N)
created by expandParallel were not being deleted, causing stale scopes to
persist across outer loop iterations.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
* fix(executor): remove dead fallbacks, fix nested loop boundary detection, restore executionOrder
- Remove unreachable `?? candidateIds[0]` fallbacks in loop/parallel resolvers
- Remove arbitrary first-match fallback scan in findEffectiveContainerId
- Fix edgeCrossesLoopBoundary to use innermost loop detection for nested loops
- Add warning log for missing branch outputs in parallel aggregation
- Restore executionOrder on WorkflowNodeMetadata and pipe through child workflow notification
- Remove dead sim-drag-subflow classList.remove call
- Clean up cloned loop subflowParentMap entries in deleteParallelScopeAndClones
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
* leftover
* upgrade turborepo
* update stagehand icon
* fix(tag-dropdown): show contextual loop/parallel tags for deeply nested blocks
findAncestorLoops only checked direct loop membership, missing blocks nested
inside parallels within loops (and vice versa). Refactored to walk through
both loop and parallel containers recursively, so a block inside a parallel
inside a loop correctly sees the loop's contextual tags (index, currentItem)
instead of the loop's output tags (results).
Also fixed parallel ancestor detection to handle nested parallel-in-loop and
loop-in-parallel scenarios, collecting all ancestor parallels instead of just
the immediate containing one.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
* testing
* fixed dedicated logs
* fix
* fix(subflows): enable nested subflow interaction and execution highlighting
Remove !important z-index overrides that prevented nested subflows from
being grabbed/dragged independently. Z-index is now managed by ReactFlow's
elevateNodesOnSelect and per-node zIndex: depth props. Also adds execution
status highlighting for nested subflows in both canvas and snapshot preview.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
* fix(preview): add cycle guard to recursive subflow status derivation
Prevents infinite recursion if subflowChildrenMap contains circular
references by tracking visited nodes during traversal.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
---------
Co-authored-by: Claude Opus 4.6 <noreply@anthropic.com>
Co-authored-by: Lakee Sivaraya <71339072+lakeesiv@users.noreply.github.com>
Co-authored-by: Vikhyath Mondreti <vikhyath@simstudio.ai>
Co-authored-by: Vikhyath Mondreti <vikhyathvikku@gmail.com>
Co-authored-by: Vasyl Abramovych <vasyl.abramovych@gmail.com>
* fix(monitoring): set MemoryTelemetry logger to INFO level for production visibility
Production defaults to ERROR-only logging. Without this override,
memory snapshots would be silently suppressed.
* fix(memory): fix O(n²) string concatenation and unconsumed fetch response leaks
* fix(tests): add text() mock to workflow-handler test fetch responses
* fix(memory): remove unused O(n²) join in onStreamChunk callback
* feat(integrations): add amplitude and google pagespeed insights integrations
* verified and regen docs
* fix icons
* fix(integrations): add pagerduty to tool and block registries
Re-add registry entries that were reverted after initial commit.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
* more updates
* ack comemnts
---------
Co-authored-by: Claude Opus 4.6 <noreply@anthropic.com>
* fix(chat-deploy): fix launch chat popup and auth persistence, clean up React anti-patterns
* lint
* fix(greenhouse): fix email_address query param, add .trim() to ID paths, revert onValidationChange to useEffect
* fix(chat-deploy): fix stale AuthSelector state, stabilize refetch ref, clean up copy timeout
* fix(chat-deploy): reset chatSuccess on modal open to prevent stuck state
