Merge from main to version-v3-main #461
Closed
arenadeveloper02 wants to merge 111 commits into
…i#4155) * fix(ui): handle long file paths and names in search modal * Handle long subfolder names * fix memo
* v0.6.29: login improvements, posthog telemetry (simstudioai#4026) * feat(posthog): Add tracking on mothership abort (simstudioai#4023) Co-authored-by: Theodore Li <theo@sim.ai> * fix(login): fix captcha headers for manual login (simstudioai#4025) * fix(signup): fix turnstile key loading * fix(login): fix captcha header passing * Catch user already exists, remove login form captcha * fix build error * improvement(mothership): new agent loop (simstudioai#3920) * feat(transport): replace shared chat transport with mothership-stream module * improvement(contracts): regenerate contracts from go * feat(tools): add tool catalog codegen from go tool contracts * feat(tools): add tool-executor dispatch framework for sim side tool routing * feat(orchestrator): rewrite tool dispatch with catalog-driven executor and simplified resume loop * feat(orchestrator): checkpoint resume flow * refactor(copilot): consolidate orchestrator into request/ layer * refactor(mothership): reorganize lib/copilot into structured subdirectories * refactor(mothership): canonical transcript layer, dead code cleanup, type consolidation * refactor(mothership): rebase onto latest staging * refactor(mothership): rename request continue to lifecycle * feat(trace): add initial version of request traces * improvement(stream): batch stream from redis * fix(resume): fix the resume checkpoint * fix(resume): fix resume client tool * fix(subagents): subagent resume should join on existing subagent text block * improvement(reconnect): harden reconnect logic * fix(superagent): fix superagent integration tools * improvement(stream): improve stream perf * Rebase with origin dev * fix(tests): fix failing test * fix(build): fix type errors * fix(build): fix build errors * fix(build): fix type errors * feat(mothership): add cli execution * fix(mothership): fix function execute tests * Force redeploy * feat(mothership): add docx support * feat(mothership): append * Add deps * improvement(mothership): docs * File types
* Add client retry logic * Fix stream reconnect * Eager tool streaming * Fix client side tools * Security * Fix shell var injection * Remove auto injected tasks * Fix 10mb tool response limit * Fix trailing leak * Remove dead tools * file/folder tools * Folder tools * Hide function code inline * Dont show internal tool result reads * Fix spacing * Auth vfs * Empty folders should show in vfs * Fix run workflow * change to node runtime * revert back to bun runtime * Fix * Appends * Remove debug logs * Patch * Fix patch tool * Temp * Checkpoint * File writes * Fix * Remove tool truncation limits * Bad hook * replace react markdown with streamdown * Checkpoint * fix code block * fix stream persistence * temp * Fix file tools * tool joining * cleanup subagent + streaming issues * streamed text change * Tool display intents * Fix dev * Fix tests * Fix dev * Speed up dev ci * Add req id * Fix persistence * Tool call names * fix payload accesses * Fix name * fix snapshot crash bug * fix * Fix * remove worker code * Clickable resources * Options ordering * Folder vfs * Restore and mass delete tools * Fix * lint * Update request tracing and skills and handlers * Fix editable * fix type error * Html code * fix(chat): make inline code inherit parent font size in markdown headers Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com> * improved autolayout * durable stream for files * one more fix * POSSIBLE BREAKAGE: SCROLLING * Fixes * Fixes * Lint fix * fix(resource): fix resource view disappearing on ats (simstudioai#4103) Co-authored-by: Theodore Li <theo@sim.ai> * Fixes * feat(mothership): add execution logs as a resource type Adds `log` as a first-class mothership resource type so copilot can open and display workflow execution logs as tabs alongside workflows, tables, files, and knowledge bases.
- Add `log` to MothershipResourceType, all Zod enums, and VALID_RESOURCE_TYPES - Register log in RESOURCE_REGISTRY (Library icon) and RESOURCE_INVALIDATORS - Add EmbeddedLog and EmbeddedLogActions components in resource-content - Export WorkflowOutputSection from log-details for reuse in EmbeddedLog - Add log resolution branch in open_resource handler via new getLogById service - Include log id in get_workflow_logs response and extract resources from output - Exclude log from manual add-resource dropdown (enters via copilot tools only) - Regenerate copilot contracts after adding log to open_resource Go enum * Fix perf and message queueing * Fix abort * fix(ui): dont delete resource on clearing from context, set resource closed on new task (simstudioai#4113) Co-authored-by: Theodore Li <theo@sim.ai> * improvement(mothership): structure sim side typing * address comments * reactive text editor tweaks * Fix file read and tool call name persistence bug * Fix code stream + create file opening resource * fix use chat race + headless trace issues * Fix type issue * Fix mothership block req lifecycle * Fix build * Move copy reqid * Fix * fix(ui): fix resource tag transition from home to task (simstudioai#4132) Co-authored-by: Theodore Li <theo@sim.ai> * Fix persistence * Clean code, fix bugs * Fix * Fixes --------- Co-authored-by: Waleed <walif6@gmail.com> Co-authored-by: Theodore Li <theodoreqili@gmail.com> Co-authored-by: Vikhyath Mondreti <vikhyath@simstudio.ai> Co-authored-by: Claude Opus 4.6 <noreply@anthropic.com> Co-authored-by: Theodore Li <theo@sim.ai>
* fix(billing): add idempotency to billing * Only release redis lock if billed
* fix(triggers): env var resolution in provider configs * throw on errored resolution
…API docs (simstudioai#4161) * fix(google-drive): add auto export format and Azure storage debug logging * chore: remove Azure storage debug logging * fix(google-drive): use status-based fallback instead of string matching for export errors * fix(google-drive): validate export formats against Drive API docs, remove fallback * fix(google-drive): use value function for dropdown default * fix(google-drive): add text/markdown to valid export formats for Google Docs * fix(google-drive): correct ODS MIME type for Sheets export format
…mstudioai#4164) * fix(security): resolve ReDoS vulnerability in function execute tag pattern Simplified regex to eliminate overlapping quantifiers that caused exponential backtracking on malformed input without closing delimiter. * feat(jira): support raw ADF document objects in description and environment fields Add toAdf() helper that passes through ADF objects as-is or wraps plain text in a single-paragraph ADF doc. Update write and update routes to use it, replacing inline ADF wrapping. Update Zod schema to accept string or object for description. Fully backward compatible — plain text still works, but callers can now pass rich ADF with expand nodes, tables, code blocks, etc. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com> * fix(jira): handle partial ADF nodes and non-ADF objects in toAdf() Wrap partial ADF nodes (type + content but not doc) in a doc envelope. Fall back to JSON.stringify for non-ADF objects instead of String() which produces [object Object]. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com> * lint * fix(jira): handle JSON-stringified ADF in toAdf() for variable resolution The executor's formatValueForBlock() JSON.stringify's object values when resolving <Block.output> references. This means an ADF object from an upstream Agent block arrives at the route as a JSON string. toAdf() now detects JSON strings containing valid ADF documents or nodes and parses them back, ensuring rich formatting is preserved through the pipeline. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com> * lint changes * fix(jira): update environment Zod schema to accept ADF objects Match the description field schema change — environment also passes through toAdf() so its Zod schema must accept objects too. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com> * updated lobkc --------- Co-authored-by: Claude Opus 4.6 <noreply@anthropic.com>
…simstudioai#4163) * improvement(ui): delegate streaming animation to Streamdown component Remove custom useStreamingText hook and useThrottledValue indirection in favor of Streamdown's built-in streaming props. This eliminates the manual character-by-character reveal logic (setInterval, easing, chase factor) and lets the library handle animation natively, reducing complexity and improving consistency across Mothership and chat. * improvement(ui): inline passthrough wrapper, add hydration guard - Inline EnhancedMarkdownRenderer which became a trivial passthrough after removing useThrottledValue - Add hydration guard to MarkdownRenderer to prevent replaying the entrance animation when mounting mid-stream with existing content * improvement: removed chat animation * improvement(ui): remove hardcoded fade-in animations from special tags Remove animate-stream-fade-in from OptionsDisplay, CredentialDisplay, MothershipErrorDisplay, and UsageUpgradeDisplay. These components re-render after streaming ends, causing a visible flash as the opacity animation replays. PendingTagIndicator retains its animation since it only renders during active streaming. * fix(ui): use streaming mode for Streamdown during active streams mode='static' disables Remend (auto-closing incomplete markdown), incremental block splitting, and React Transitions. Switch to streaming mode while isStreaming is true so partial markdown renders correctly, without re-adding animation props.
…ai#4166) * fix(ui): fix resource switching logic, multi select delete * Allow cmd+click on workspace menu * Add search bar to workspace modal * address greptile comments * fix resource tab scroll
…e headers (simstudioai#4168) * fix(seo): correct canonical URLs, compress oversized images, add cache headers - Replace all hardcoded https://sim.ai with https://www.sim.ai via SITE_URL constant - Migrate models, integrations, and homepage metadata from getBaseUrl() to SITE_URL - Compress 6 blog/landing images from 2.6MB to 300KB total - Convert mothership cover from PNG to JPEG (1.1MB → 99KB) - Add Cache-Control headers for static assets (1d max-age, 7d stale-while-revalidate) - Add SEO regression test scanning all public pages for canonical URL violations * fix(seo): replace hardcoded URLs with SITE_URL, broaden test detection - Replace hardcoded https://www.sim.ai with SITE_URL in academy, changelog.xml, and whitelabeling - Broaden getBaseUrl() detection in SEO test to match any variable name assignment - Add ee/whitelabeling/metadata.ts to SEO test scan scope
…e blocks (simstudioai#4172) * fix(blocks): correct required field validation for Jira and Confluence blocks Jira: summary is only required for create (not update), projectId is not required for update (API uses issueKey). Confluence: title and content are required for page creation, title is required for blog post creation — all enforced by backend validation. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com> * fix(blocks): remove projectId dependsOn gate for update fields, require content for blog post creation Jira: Remove dependsOn projectId from shared write/update fields — projectId is not required for update so the gate would disable all update fields when no project is selected. Write-only fields (issueType, parentIssue, reporter) retain the gate since projectId is required for create. Confluence V2: Add create_blogpost to content required condition — backend Zod schema enforces content for blog post creation. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com> * lint --------- Co-authored-by: Claude Opus 4.6 <noreply@anthropic.com>
…tion (simstudioai#4162) * feat(microsoft-excel): add SharePoint drive support for Excel integration * fix(microsoft-excel): address PR review comments - Validate siteId/driveId format in drives route to prevent path traversal - Use direct single-drive endpoint for fetchById instead of filtering full list - Fix dependsOn on sheet/spreadsheet selectors so driveId flows into context - Fix NextRequest type in drives route for build compatibility * fix(microsoft-excel): validate driveId in files route Add regex validation for driveId query param in the Microsoft OAuth files route to prevent path traversal, matching the drives route. * fix(microsoft-excel): unblock OneDrive users and validate driveId in sheets route - Add credential to any[] arrays so OneDrive users (no drive selected) still pass the dependsOn gate while driveSelector remains in the dependency list for context flow to SharePoint users - Add /^[\w-]+$/ validation for driveId in sheets API route * fix(microsoft-excel): validate driveId in getItemBasePath utility Add regex validation for driveId at the shared utility level to prevent path traversal through the tool execution path, which bypasses the API route validators. * fix(microsoft-excel): use centralized input validation Replace inline regex validation with platform validators from @/lib/core/security/input-validation: - validateSharePointSiteId for siteId in drives route - validateAlphanumericId for driveId in drives, sheets, files routes and getItemBasePath utility * lint * improvement(microsoft-excel): add File Source dropdown to control SharePoint visibility Replace always-visible optional SharePoint fields with a File Source dropdown (OneDrive/SharePoint) that conditionally shows site and drive selectors. OneDrive users see zero extra fields (default). SharePoint users switch the dropdown and get the full cascade. 
* fix(microsoft-excel): fix canonical param test failures Make fileSource dropdown mode:'both' so it appears in basic and advanced modes. Add condition to manualDriveId to match driveSelector's condition, satisfying the canonical pair consistency test. * fix(microsoft-excel): address PR review feedback for SharePoint drive support - Clear stale driveId/siteId/spreadsheetId when fileSource changes by adding fileSource to dependsOn arrays for siteSelector, driveSelector, and spreadsheetId selectors - Reorder manualDriveId before manualSpreadsheetId in advanced mode for logical top-down flow - Validate spreadsheetId with validateMicrosoftGraphId in getItemBasePath() and sheets route to close injection vector (uses permissive validator that accepts ! chars in OneDrive item IDs) Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com> * fix(microsoft-excel): use validateMicrosoftGraphId for driveId validation SharePoint drive IDs use the format b!<base64-string> which contains ! characters rejected by validateAlphanumericId. Switch all driveId validation to validateMicrosoftGraphId which blocks path traversal and control characters while accepting valid Microsoft Graph identifiers. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com> * fix(microsoft-excel): use validatePathSegment with strict pattern for driveId/spreadsheetId Replace validateMicrosoftGraphId with validatePathSegment using a custom pattern ^[a-zA-Z0-9!_-]+$ for all URL-interpolated IDs. validatePathSegment blocks /, \, path traversal, and null bytes before checking the pattern, preventing URL-modifying characters like ?, #, & from altering the Graph API endpoint. The pattern allows ! for SharePoint b!<base64> drive IDs. 
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com> * lint * fix(microsoft-excel): reorder driveId before spreadsheetId in v1 block Move driveId subBlock before manualSpreadsheetId in the legacy v1 block to match the logical top-down flow (Drive ID → Spreadsheet ID), consistent with the v2 block ordering. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com> * fix(microsoft-excel): clear manualDriveId when fileSource changes Add dependsOn: ['fileSource'] to manualDriveId so its value is cleared when switching from SharePoint back to OneDrive. Without this, the stale driveId would still be serialized and forwarded to getItemBasePath, routing through the SharePoint drive path instead of me/drive. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com> * refactor(microsoft-excel): use getItemBasePath in sheets route to remove duplication Replace inline URL construction and validation logic with the shared getItemBasePath utility, eliminating duplicated GRAPH_ID_PATTERN regex and conditional URL building. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com> * lint --------- Co-authored-by: Claude Opus 4.6 <noreply@anthropic.com>
…lidation (simstudioai#4174) * refactor(microsoft-excel): export GRAPH_ID_PATTERN and reuse across routes Export the shared regex pattern from utils.ts and import it in files/route.ts and drives/route.ts instead of duplicating the inline pattern. Also reorders the TSDoc comment to sit above getItemBasePath where it belongs. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com> * lint --------- Co-authored-by: Claude Opus 4.6 <noreply@anthropic.com>
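The driveId/spreadsheetId validation described in the microsoft-excel commit messages above, as an added TypeScript example (not code from the pull request or the project). Only the two regular expressions are taken from the commit text; `segmentRejection`, `buildItemBasePath`, the sample IDs and the Graph URL layout are assumptions made for illustration.

```typescript
// Added illustration, not the project's code. All function and constant names
// here are hypothetical; only the two regular expressions come from the page.

// Earlier check quoted in the commit messages: it rejects "!" and therefore
// rejects SharePoint drive IDs of the form b!<base64-string>.
const EARLIER_PATTERN = /^[\w-]+$/;

// Final pattern quoted in the commit messages: letters, digits, "!", "_", "-".
const GRAPH_SEGMENT_PATTERN = /^[a-zA-Z0-9!_-]+$/;

// Assumed Microsoft Graph root used to build the item path.
const GRAPH_ROOT = 'https://graph.microsoft.com/v1.0';

// Returns null when the value is safe to interpolate as ONE URL path segment,
// otherwise a short reason. Structural checks (null byte, separators,
// traversal) run before the allow-list pattern, as the commit text describes.
function segmentRejection(value: unknown, name: string): string | null {
  if (typeof value !== 'string' || value.length === 0) return `${name}: missing`;
  if (value.indexOf('\0') !== -1) return `${name}: null byte`;
  if (value.indexOf('/') !== -1 || value.indexOf('\\') !== -1) {
    return `${name}: path separator`;
  }
  if (value.indexOf('..') !== -1) return `${name}: path traversal`;
  // Anything outside the allow-list ("?", "#", "&", "%", spaces, ...) could
  // change which endpoint the request reaches, so it is rejected here.
  if (!GRAPH_SEGMENT_PATTERN.test(value)) return `${name}: disallowed character`;
  return null;
}

// Builds the base path for a workbook item. Validation lives in this shared
// helper so that callers that bypass the API routes are still covered.
// Assumption: no driveId means the user's own OneDrive (me/drive).
function buildItemBasePath(spreadsheetId: string, driveId?: string): string {
  const sheetProblem = segmentRejection(spreadsheetId, 'spreadsheetId');
  if (sheetProblem !== null) throw new Error(sheetProblem);
  if (driveId === undefined || driveId === '') {
    return `${GRAPH_ROOT}/me/drive/items/${spreadsheetId}`;
  }
  const driveProblem = segmentRejection(driveId, 'driveId');
  if (driveProblem !== null) throw new Error(driveProblem);
  return `${GRAPH_ROOT}/drives/${driveId}/items/${spreadsheetId}`;
}

// Constructed sample inputs (not real identifiers).
const SAMPLE_IDS: string[] = [
  'b!Zm9vYmFy_AbC-123', // SharePoint-style drive ID with "!"
  '01ABCDEF2345', // plain item ID
  '..', // traversal
  'a/b', // embedded separator
  'abc?select=id', // would start a query string
  'abc#frag', // would start a fragment
  'abc%2Fme', // percent-encoded separator
];

// Compares the earlier pattern with the final check for each sample ID.
function review(ids: string[]): string[] {
  return ids.map((id) => {
    const earlier = EARLIER_PATTERN.test(id) ? 'accept' : 'reject';
    const current = segmentRejection(id, 'id') === null ? 'accept' : 'reject';
    return `${JSON.stringify(id)} earlier=${earlier} current=${current}`;
  });
}

review(SAMPLE_IDS).forEach((line) => console.log(line));
```

The first sample shows why the alphanumeric-only check had to go: it is the only input on which the two checks disagree.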
…#4176) * v0.6.29: login improvements, posthog telemetry (simstudioai#4026) * feat(posthog): Add tracking on mothership abort (simstudioai#4023) Co-authored-by: Theodore Li <theo@sim.ai> * fix(login): fix captcha headers for manual login (simstudioai#4025) * fix(signup): fix turnstile key loading * fix(login): fix captcha header passing * Catch user already exists, remove login form captcha * improvement(ui): rename user-facing "execution" to "run" * fix(mothership): remove duplicate handleStopGeneration declaration * chore: remove verbose comment in cancel route * fix(ui): missed execution → run renames in search suggestions and error fallback --------- Co-authored-by: Theodore Li <theodoreqili@gmail.com>
…#4182) * v0.6.29: login improvements, posthog telemetry (simstudioai#4026) * feat(posthog): Add tracking on mothership abort (simstudioai#4023) Co-authored-by: Theodore Li <theo@sim.ai> * fix(login): fix captcha headers for manual login (simstudioai#4025) * fix(signup): fix turnstile key loading * fix(login): fix captcha header passing * Catch user already exists, remove login form captcha * fix(landing): return 404 for invalid dynamic route slugs Add `dynamicParams = false` to all landing page dynamic routes so Next.js returns a proper 404 instead of a client-side exception for slugs not in generateStaticParams. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com> * fix(home): remove duplicate handleStopGeneration declaration Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com> --------- Co-authored-by: Theodore Li <theodoreqili@gmail.com> Co-authored-by: Claude Opus 4.6 <noreply@anthropic.com>
…across sim and docs (simstudioai#4170) * improvement(seo): optimize sitemaps and robots.txt across sim and docs - Add missing pages to sim sitemap: blog author pages, academy catalog and course pages - Fix 6x duplicate URL bug in docs sitemap by deduplicating with source.getLanguages() - Convert docs sitemap from route handler to Next.js metadata convention with native hreflang - Add x-default hreflang alternate for docs multi-language pages - Remove changeFrequency and priority fields (Google ignores both) - Fix inaccurate lastModified timestamps — derive from real content dates, omit when unknown - Consolidate 20+ redundant per-bot robots rules into single wildcard entry - Add /form/ and /credential-account/ to sim robots disallow list - Reference image sitemap in sim robots.txt - Remove deprecated host directive from sim robots - Move disallow rules before allow in docs robots for crawler compatibility - Extract hardcoded docs baseUrl to env variable with production fallback * fix(seo): remove homepage new Date(), guard latestModelDate empty array * improvement(seo): consolidate DOCS_BASE_URL, optimize core web vitals Extract hardcoded https://docs.sim.ai into shared DOCS_BASE_URL constant in lib/urls.ts and replace all 20+ instances across layouts, metadata, structured data, LLM manifest, sitemap, and robots files. Remove OneDollarStats analytics script and tighten CSP for improved core web vitals. * fix: removed onedollarstats from bun lock * fix(seo): guard per-provider Math.max, consolidate docs robots to single wildcard
…imstudioai#4184) * v0.6.29: login improvements, posthog telemetry (simstudioai#4026) * feat(posthog): Add tracking on mothership abort (simstudioai#4023) Co-authored-by: Theodore Li <theo@sim.ai> * fix(login): fix captcha headers for manual login (simstudioai#4025) * fix(signup): fix turnstile key loading * fix(login): fix captcha header passing * Catch user already exists, remove login form captcha * fix(gemini): support structured output with tools on Gemini 3 models * fix(home): remove duplicate handleStopGeneration declaration * refactor(gemini): use prefix-based Gemini 3 model detection --------- Co-authored-by: Theodore Li <theodoreqili@gmail.com>
…ai#4183) * feat(brightdata): add Bright Data integration with 8 tools Add complete Bright Data integration supporting Web Unlocker, SERP API, Discover API, and Web Scraper dataset operations. Includes scrape URL, SERP search, discover, sync scrape, scrape dataset, snapshot status, download snapshot, and cancel snapshot tools. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com> * fix(brightdata): address PR review feedback - Fix truncated "Download Snapshot" description in integrations.json and docs - Map engine-specific query params (num/count/numdoc, hl/setLang/lang/kl, gl/cc/lr) per search engine instead of using Google-specific params for all - Attempt to parse snapshot_id from cancel/download response bodies instead of hardcoding null Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com> * lint * fix(agiloft): change bgColor to white; fix docs truncation Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com> * fix(brightdata): avoid inner quotes in description to fix docs generation The docs generator regex truncates at inner quotes. Reword the download_snapshot description to avoid embedded double quotes. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com> * fix(brightdata): disable incompatible DuckDuckGo and Yandex URL params DuckDuckGo kl expects region-language format (us-en) and Yandex lr expects numeric region IDs (213), not plain two-letter codes. Disable these URL-level params since Bright Data normalizes localization through the body-level country param. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com> --------- Co-authored-by: Claude Opus 4.6 <noreply@anthropic.com>
* Fix * Fix ajv csp issue * Lint
…ist + cleanup (simstudioai#4186) Derive sidebar open state from selection validity instead of using a separate useEffect. Also removes unnecessary useMemo/useCallback in non-memo'd components, replaces useEffect with render-time reset in dashboard, fixes CSS tokens, and adds hierarchical query key factory. Co-authored-by: Claude Opus 4.6 <noreply@anthropic.com>
…mat, logs performance improvements fix(csp): add missing analytics domains, remove unsafe-eval, fix workspace CSP gap (simstudioai#4179) fix(landing): return 404 for invalid dynamic route slugs (simstudioai#4182) improvement(seo): optimize sitemaps, robots.txt, and core web vitals across sim and docs (simstudioai#4170) fix(gemini): support structured output with tools on Gemini 3 models (simstudioai#4184) feat(brightdata): add Bright Data integration with 8 tools (simstudioai#4183) fix(mothership): fix superagent credentials (simstudioai#4185) fix(logs): close sidebar when selected log disappears from filtered list; cleanup (simstudioai#4186)
…ry ordering (simstudioai#4188) * fix(brightdata): use params for echo-back fields in transformResponse transformResponse receives params as its second argument. Use it to return the original url, query, snapshotId, and searchEngine values instead of hardcoding null or extracting from response data that may not contain them. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com> * fix(brightdata): handle async Discover API with polling The Bright Data Discover API is asynchronous — POST /discover returns a task_id, and results must be polled via GET /discover?task_id=... The previous implementation incorrectly treated it as synchronous, always returning empty results. Uses postProcess (matching Firecrawl crawl pattern) to poll every 3s with a 120s timeout until status is "done". Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com> * fix(brightdata): alphabetize block registry entry Move box before brandfetch/brightdata to maintain alphabetical ordering. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com> * lint * fix(brightdata): return error objects instead of throwing in postProcess The executor wraps postProcess in try-catch and falls back to the intermediate transformResponse result on error, which has success: true with empty results. Throwing errors would silently return empty results. Match Firecrawl's pattern: return { ...result, success: false, error } instead of throwing. Also add taskId to BrightDataDiscoverResponse type to eliminate unsafe casts. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com> * fix(brightdata): use platform execution timeout for Discover polling Replace hardcoded 120s timeout with DEFAULT_EXECUTION_TIMEOUT_MS to match Firecrawl and other async polling tools. Respects platform- configured limits (300s free, 3000s paid). Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com> --------- Co-authored-by: Claude Opus 4.6 <noreply@anthropic.com>
…tion updates (simstudioai#4241) * improvement(enterprise): slack wizard UI, enterprise docs, data retention updates * improvement(docs): add enterprise screenshots to sso, access-control, whitelabeling pages * form * fix(enterprise): address PR review — h-full for recently-deleted, shared SettingRow, toast UX, stale form fix, emcn tokens * fix(whitelabeling): scope drop zone to thumbnail only, not full upload row * fix(whitelabeling): remove drop image text from drag overlay * fix(config): add DATA_RETENTION_ENABLED to env schema to fix build type error * fix(testing): add isDataRetentionEnabled to feature flags mock * improvement(docs): remove redundant requirements section from data-retention page * improvement(docs): remove requirements sections from all enterprise doc pages * improvement(docs): add screenshot to audit-logs page * fix(data-retention): bypass enterprise gate when billing is disabled for self-hosted
…#4061) * feat(log): Add wrapper function for standardized logging * Add all routes to wrapper, handle background execution * fix lint * fix test * fix test missing url * fix lint * fix tests * fix build * fix(build): unmangle generic in admin outbox requeue route Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com> --------- Co-authored-by: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
…on (simstudioai#4242) * feat(contact): add contact page, migrate help/demo forms to useMutation * improvement(contact): address greptile review feedback - Map contact topic to help email type for accurate confirmation emails - Drop Zod schema details from 400 response on public /api/contact - Wire aria-describedby + aria-invalid in LandingField for both forms - Reset helpMutation on modal reopen to match demo-request pattern * improvement(landing): extract shared LandingField component
…ations routes (simstudioai#4243) * fix(layout): use plain inline script for PublicEnvScript to set env before chunks eval on error pages * fix(landing): handle runtime env race on error-page renders React skips SSR on unhandled server errors and re-renders on the client (see vercel/next.js#63980, #82456). Root-layout scripts — including the runtime env script that populates window.__ENV — are inserted but not executed on that client re-render, so any client module that reads env at module evaluation crashes the render into a blank "Application error" overlay instead of rendering the styled 404. This replaces the earlier PublicEnvScript tweak with the architectural fix: - auth-client.ts: fall back to window.location.origin when getBaseUrl() throws on the client. Auth endpoints are same-origin, so this is the correct baseURL on the client. Server-side we still throw on genuine misconfig. - loading.tsx under /models/[provider], /models/[provider]/[model], and /integrations/[slug]: establishes a Suspense boundary below the root layout so a page-level notFound() no longer invalidates the layout's SSR output (the fix endorsed by Next.js maintainers in #63980). - layout.tsx: revert disableNextScript — the research showed this doesn't actually fix error-page renders. The real fix is above. * improvement(landing): use emcn Loader in scoped loading.tsx, trim auth-client comment Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com> --------- Co-authored-by: Claude Opus 4.7 <noreply@anthropic.com>
…gn scoped 404s with root (simstudioai#4246) * improvement(landing): scope navbar/footer shell to (shell) route group, align scoped 404s with root Move integrations and models page routes into a `(shell)` route group so the Navbar+Footer layout wraps pages but not `not-found.tsx`. This lets scoped 404s render the same `<AuthBackground>` + Navbar treatment as the root `/` 404, instead of appearing inside the landing CTA footer. Extract the shared 404 markup into `<NotFoundView>` so root, integrations, and models 404s share a single source of truth. Route URLs are unchanged — route groups are URL-transparent. Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com> * fix(landing): convert relative imports to absolute in integrations (shell) page Build failed because the move into the (shell) route group invalidated relative `./components/...` and `./data/...` imports. CLAUDE.md mandates absolute imports throughout — switching these resolves the Turbopack build errors. Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com> --------- Co-authored-by: Claude Opus 4.7 <noreply@anthropic.com>
…4244) * improvement(access-control): migrate to workspace scope * fix edge cases * update docs * prep merge * regen migrations * address comments * add ws id, user constraint * address more comments * address ui comments * address more comments
…S/CloudWatch/DynamoDB (simstudioai#4245) * feat(integrations): add AWS SES, IAM Identity Center, and enhanced IAM/STS/CloudWatch/DynamoDB integrations - Add AWS SES v2 integration with 9 operations (send email, templated, bulk, templates, account) - Add AWS IAM Identity Center integration with 12 operations (account assignments, permission sets, users, groups) - Add 3 new IAM tools: list-attached-role-policies, list-attached-user-policies, simulate-principal-policy - Fix DynamoDB duplicate subBlock IDs, add operation-scoped field names, add subblock migrations - Add authMode: AuthMode.ApiKey to DynamoDB block - Fix CloudWatch routes: toError, client.destroy(), withRouteHandler, auth outside try - Fix STS/DynamoDB/IAM routes: nullable Zod schemas, withRouteHandler adoption - Fix Identity Center: list_instances pagination, list_groups instanceArn condition - Add subblock migrations for renamed DynamoDB fields (key, filterExpression, etc.) - Apply withRouteHandler to all new and existing AWS tool routes * docs(ses): add manual intro section to SES docs * fix(dynamodb): add legacy fallbacks in params for subblock migration compatibility Workflows saved with the old shared IDs (key, filterExpression, etc.) that migrate to get-scoped slots via subblock-migrations still work correctly on update/delete/scan/put operations via fallback lookups in tools.config.params. 
* feat(contact): add contact page, migrate help/demo forms to useMutation (simstudioai#4242) * feat(contact): add contact page, migrate help/demo forms to useMutation * improvement(contact): address greptile review feedback - Map contact topic to help email type for accurate confirmation emails - Drop Zod schema details from 400 response on public /api/contact - Wire aria-describedby + aria-invalid in LandingField for both forms - Reset helpMutation on modal reopen to match demo-request pattern * improvement(landing): extract shared LandingField component * fix(landing): resolve error-page crash on invalid /models and /integrations routes (simstudioai#4243) * fix(layout): use plain inline script for PublicEnvScript to set env before chunks eval on error pages * fix(landing): handle runtime env race on error-page renders React skips SSR on unhandled server errors and re-renders on the client (see vercel/next.js#63980, #82456). Root-layout scripts — including the runtime env script that populates window.__ENV — are inserted but not executed on that client re-render, so any client module that reads env at module evaluation crashes the render into a blank "Application error" overlay instead of rendering the styled 404. This replaces the earlier PublicEnvScript tweak with the architectural fix: - auth-client.ts: fall back to window.location.origin when getBaseUrl() throws on the client. Auth endpoints are same-origin, so this is the correct baseURL on the client. Server-side we still throw on genuine misconfig. - loading.tsx under /models/[provider], /models/[provider]/[model], and /integrations/[slug]: establishes a Suspense boundary below the root layout so a page-level notFound() no longer invalidates the layout's SSR output (the fix endorsed by Next.js maintainers in #63980). - layout.tsx: revert disableNextScript — the research showed this doesn't actually fix error-page renders. The real fix is above. 
* improvement(landing): use emcn Loader in scoped loading.tsx, trim auth-client comment
  Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
  ---------
  Co-authored-by: Claude Opus 4.7 <noreply@anthropic.com>
* fix(iam): correct MissingContextValues mapping in simulatePrincipalPolicy
* fix(aws): add conditionExpression migration fallback for DynamoDB delete, fix SES pageSize min
* fix(aws): deep validation fixes across SES, IAM, Identity Center, DynamoDB integrations
  - IAM: replace non-existent StatementId with SourcePolicyType in simulatePrincipalPolicy
  - IAM: add .int() constraint to list-users/roles/policies/groups Zod schemas
  - IAM: remove redundant manual requestId from all 21 IAM route handlers
  - SES: add .refine() body validation to create-template route
  - SES: make bulk email destination templateData optional, only include ReplacementEmailContent when present
  - SES: fix pageSize guard to if (pageSize != null) to correctly forward 0
  - SES: add max(100) to list-templates pageSize, revert list-identities to min(0) per SDK
  - STS: fix logger.error calls to use structured metadata pattern
  - Identity Center: remove deprecated account.Status fallback, use account.State only
  - DynamoDB: convert empty interface extends to type aliases, remove redundant error field, fix barrel to absolute imports
* regen docs
* fix(iam): add .int() constraint to maxSessionDuration in create-role route
* fix(ses): forward pageSize=0 correctly in listIdentities util
* fix(aws): add gradient background to IdentityCenterIcon, fix listTemplates pageSize guard
---------
Co-authored-by: Claude Opus 4.7 <noreply@anthropic.com>
… fixes (simstudioai#4248)
* improvement(contact): add Turnstile CAPTCHA, honeypot, and robustness fixes
  - Add Cloudflare Turnstile with graceful degradation: when the widget fails to load (ad blockers, iOS privacy, corporate DNS), submissions fall through to a tighter rate-limit bucket rather than hard-blocking
  - Add honeypot field to filter automated submissions without user impact
  - Add separate CAPTCHA_UNAVAILABLE_RATE_LIMIT bucket (3/min) for the no-captcha path so spam via ad-blocker bypass remains expensive
  - Pass expectedHostname to verifyTurnstileToken to close cross-site token reuse gap
  - Add SITE_HOSTNAME as module-level constant (avoid URL parsing per req)
  - Wire onExpire/onError/onUnsupported callbacks so token expiry during slow form-filling falls back gracefully instead of showing a captcha error
  - Add getResponsePromise(30_000) timeout to prevent indefinite hang on network blips
  - Add size: 'invisible' to Turnstile options (required for execute mode)
  - Move turnstile.ts to lib/core/security/ alongside csp/encryption/input-validation
  - Switch all CSS to --landing-* variables throughout contact form
  - Move error display inline next to label with truncation in LandingField
  - Add labelClassName prop to LandingField for context-specific overrides
  - Simplify contact page to single-column max-w-[640px] layout
* fix(contact): fall through to no-captcha rate limit on Cloudflare transport errors
* chore(contact): remove extraneous comments from route
* fix(contact): remove forced min-height on success state, let content flow naturally
* fix(contact): cast CONTACT_TOPIC_OPTIONS to satisfy Combobox mutable type
* fix(contact): disable submit during CAPTCHA resolution window, add relative to form
…SRF (simstudioai#4250)
* fix(aws): add validateAwsRegion to all AWS route schemas to prevent SSRF
* fix(validation): add mx and eu-isoe prefixes to validateAwsRegion regex
* test(validation): add mx-central-1, eu-isoe-west-1, and us-iso-west-1 region test cases
* fix(aws): eliminate double validateAwsRegion call and fix regex alternation order
  - Replace double-call .refine() pattern with single-call + static message across all 61 AWS routes
  - Reorder regex alternation to put longer prefixes first (eu-isoe before eu, us-isob/us-iso/us-gov before us) for engine-agnostic correctness
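An added example, not the project's validateAwsRegion: an anchored allow-list pattern for region strings with prefixes sorted longest first, as the commit above describes. The prefix and direction lists and the names isValidAwsRegion and regionPrefix are assumptions made for illustration.

```javascript
// Added example (not the project's code): allow-list check for an AWS region
// string before it is handed to an SDK client, where it ends up in the
// endpoint hostname the client connects to. Both lists are assumptions.
const PREFIXES = ['af', 'ap', 'ca', 'cn', 'eu', 'il', 'me', 'mx', 'sa', 'us',
  'us-gov', 'us-iso', 'us-isob', 'eu-isoe']
  // Longest first: "eu-isoe" before "eu", "us-isob"/"us-iso"/"us-gov" before "us".
  .sort((a, b) => b.length - a.length);
const DIRECTIONS = ['northeast', 'northwest', 'southeast', 'southwest',
  'central', 'north', 'south', 'east', 'west'];

// Fully anchored: nothing may precede or follow prefix-direction-number.
const REGION_RE = new RegExp(
  `^(?:${PREFIXES.join('|')})-(?:${DIRECTIONS.join('|')})-[1-9][0-9]?$`
);
// Anchored on the left only. Here alternation order decides the result:
// with "eu" listed first, "eu-isoe-west-1" would report the prefix "eu".
const PREFIX_RE = new RegExp(`^(?:${PREFIXES.join('|')})`);

function isValidAwsRegion(value) {
  return typeof value === 'string' && REGION_RE.test(value);
}

// Returns the leading prefix of a valid region, or null for anything else.
function regionPrefix(value) {
  return isValidAwsRegion(value) ? PREFIX_RE.exec(value)[0] : null;
}

// Constructed inputs: the three regions named in the commit plus malformed values.
const samples = ['mx-central-1', 'eu-isoe-west-1', 'us-iso-west-1',
  'us-east-1.example.com', 'us-east-1/path', 'US-EAST-1', 'us-east-1\n', ''];
for (const s of samples) {
  console.log(JSON.stringify(s), isValidAwsRegion(s), regionPrefix(s));
}
```
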
simstudioai#4252)
* fix(deps): bump drizzle-orm to 0.45.2 (GHSA-gpj5-g38j-94v9)
  Resolves Dependabot alert #98. Drizzle ORM <0.45.2 improperly escaped quoted SQL identifiers, allowing SQL injection via untrusted input passed to APIs like sql.identifier() or .as().
  Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
* chore(mcp): adopt native SDK types after @modelcontextprotocol/sdk 1.25.3 bump
  Replace hand-written schema/annotation shapes with the SDK's exported Tool, JSONRPCResultResponse, and Tool['annotations'] types so changes upstream flow through automatically.
  Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
* refactor(types): use drizzle $inferSelect for row types
  Replace hand-written interfaces that duplicated schema shape with typeof table.$inferSelect aliases for webhook, workflow, and workspaceFiles rows. Also simplify metadata insert/update to use .returning() instead of field-by-field copies.
  Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
* fix(uploads): fall through to INSERT if restore-deleted row races a hard delete
  If a hard delete races between the initial SELECT and the restore UPDATE, .returning() yields no row. Previously the function would return undefined and silently violate the Promise<FileMetadataRecord> contract. Now the function falls through to the INSERT path, which already handles uniqueness races via the 23505 catch.
  Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
* chore(uploads): align metadata.ts with global standards
  Replace dynamic uuid import with generateId() per @sim/utils/id convention, narrow the error catch off `any`, and convert the inline comment to TSDoc.
  Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
---------
Co-authored-by: Claude Opus 4.7 <noreply@anthropic.com>
…rity hardening, contact page, 404 page, access control, SES, SNS
…i#4257)
* fix(docs): update simstudio.ai URLs to sim.ai in SSO docs
* improvement(docs): remove plan defaults table from data retention docs
* improvement(docs): consolidate self-hosting info at bottom of enterprise docs
* improvement(docs): reduce callout and FAQ overuse in enterprise docs
* improvement(docs): restore FAQs and genuine-gotcha callouts
v0.6.54: migration error logs
* fix(db): raise db pool size
* Raise socket connections
* bump up connection size even more
* fix(auth): add api key auth via sha256 hash lookup
* Remove promise all logic
* Restore feature flag
* fix feature flag
* Combine auth and hash gate
* feat(ui): Add thinking ui
* fix tests
* Remove duplicate helper for block timing
* fix lint
* fix endedAt timestamp bug
* fix stuck subagent thinking
)
* improvement(repo): restructuring to make realtime image narrower scoped
* improvements
* chore(repo): rebase fixes and quality improvements for realtime split
  Addresses merge-time issues and gaps from the realtime app split:
  - Retarget stale vi.mock paths to @sim/workflow-persistence/subblocks
  - Restore README branding, fix AGENTS.md script reference
  - Restore TSDoc on workflow-persistence subblocks helpers
  - Use toError() from @sim/utils/errors in save.ts
  - Add vitest config + local mocks so @sim/audit tests run standalone
  - Move socket.io-client to devDependencies in apps/realtime
  - Add missing package COPY steps to docker/app.Dockerfile
  - Add check:boundaries/check:realtime-prune scripts and wire into CI
  Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
* refactor(security): consolidate crypto primitives into @sim/security
  Move general-purpose crypto primitives out of apps/sim into the @sim/security package so both apps/sim and apps/realtime can share them.
  @sim/security exports (all pure, dependency-free):
    ./compare safeCompare (constant-time HMAC-wrapped equality)
    ./encryption encrypt/decrypt (AES-256-GCM, iv:cipher:tag format)
    ./hash sha256Hex
    ./tokens generateSecureToken (base64url)
  Migrate apps/sim call sites to use these + @sim/utils helpers:
    crypto.randomUUID() -> generateId() from @sim/utils/id
    createHash('sha256').digest -> sha256Hex
    timingSafeEqual on hashed hex -> safeCompare
    new Promise(setTimeout) -> sleep from @sim/utils/helpers
  No behavior change: encryption format, digest output, and token length are preserved exactly.
* refactor(copilot): use toError in remaining otel/finalize sites
  Replace the last two `error instanceof Error ? error : new Error(String(error))` patterns with toError from @sim/utils/errors. Completes the sweep of clean candidates — no behavior change.
* refactor(security): consolidate HMAC-SHA256 primitives into @sim/security
  Adds hmacSha256Hex and hmacSha256Base64 to @sim/security/hmac and migrates 15 webhook providers plus 5 other hot paths (deployment token signing, outbound webhook requests, workspace notification delivery, notification test route, Shopify OAuth callback) off bare `createHmac` calls. Secret parameter accepts `string | Buffer` to cover base64-decoded Svix-style secrets (Resend) and MS Teams' HMAC scheme.
  AWS SigV4 signing in S3 and Textract tools intentionally retains direct `createHmac` usage — its multi-step key derivation chain doesn't fit a generic helper.
  Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
* chore(packages): post-audit test + packaging polish
  - Add safeCompare unit tests (identity, length mismatch, hex-nibble diff).
  - Add Buffer-secret cases to hmac tests to lock in Svix/MS-Teams contract.
  - Declare `reactflow` as a peerDependency on @sim/workflow-types — only used for type imports.
  - Add a barrel export to @sim/workflow-persistence for consumers that prefer package-level imports; subpath exports retained.
  - Document the data-field invariant in load.ts for loop/parallel subflow patching.
  Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
* chore(realtime): address PR review feedback
  - Remove redundant SOCKET_PORT=3002 env from Dockerfile runner stage (env.PORT already defaults to 3002 via zod schema).
  - Reorder PORT fallback so an explicitly-set SOCKET_PORT wins over the schema default for PORT; keeps SOCKET_PORT functional as an override instead of dead code.
  - Add dedicated type-check CI step for @sim/realtime so TS errors surface pre-deploy (the Dockerfile runs source TS via Bun and has no implicit build-time type check).
  Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
* chore(realtime): remove unused SOCKET_PORT env var
  SOCKET_PORT has lived in the socket server since the June 2025 refactor but was never actually set in any deploy config — docker-compose.prod, helm values/templates, .env.example, and docs all use PORT or the 3002 default exclusively. No self-hoster was ever pointed at SOCKET_PORT, so removing it is safe.
  Simplifies realtime port resolution to `env.PORT` (zod-validated with a 3002 default) and drops the orphaned sim-side schema entry.
  Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
---------
Co-authored-by: Waleed Latif <walif6@gmail.com>
Co-authored-by: Claude Opus 4.7 <noreply@anthropic.com>
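An added example, not the code in @sim/security: one way to build two of the primitives the commit above names, a constant-time HMAC-wrapped comparison and AES-256-GCM with an iv:cipher:tag serialization. Only the function names and the format string come from the commit message; the hex field encoding, the 12-byte IV and the function bodies are assumptions.

```javascript
const {
  createCipheriv, createDecipheriv, createHmac, randomBytes, timingSafeEqual,
} = require('node:crypto');

// Equality check for secrets of any length. Both sides are HMAC'd under a
// fresh random key, so timingSafeEqual always compares two 32-byte digests
// and a length mismatch neither throws nor short-circuits.
function safeCompare(a, b) {
  const key = randomBytes(32);
  const da = createHmac('sha256', key).update(a).digest();
  const db = createHmac('sha256', key).update(b).digest();
  return timingSafeEqual(da, db);
}

// AES-256-GCM, serialized as iv:cipher:tag with hex fields (assumed encoding).
function encrypt(plaintext, key) {
  const iv = randomBytes(12); // 96-bit nonce, fresh for every message
  const cipher = createCipheriv('aes-256-gcm', key, iv);
  const body = Buffer.concat([cipher.update(plaintext, 'utf8'), cipher.final()]);
  return [iv, body, cipher.getAuthTag()].map((b) => b.toString('hex')).join(':');
}

function decrypt(serialized, key) {
  const parts = serialized.split(':');
  if (parts.length !== 3) throw new Error('expected iv:cipher:tag');
  const [iv, body, tag] = parts.map((p) => Buffer.from(p, 'hex'));
  if (iv.length !== 12 || tag.length !== 16) throw new Error('bad iv or tag length');
  const decipher = createDecipheriv('aes-256-gcm', key, iv);
  decipher.setAuthTag(tag);
  // final() throws when the tag does not verify, so a modified ciphertext
  // never comes back as plaintext.
  return Buffer.concat([decipher.update(body), decipher.final()]).toString('utf8');
}
```
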
Summary
Brief description of what this PR does and why.
Fixes #(issue)
Type of Change
Testing
How has this been tested? What should reviewers focus on?
Checklist
Screenshots/Videos