v0.6.69: security hardening, nextjs upgrade, SAP Concur, Emailbison integrations, robots.txt update, workday hardening #4489
waleedlatif1 commented May 7, 2026
- improvement(resolver): use context variables for block outputs in function block code (#4223)
- improvement(func-exec): normalize inputs to match schema (#4473)
- feat(models): add grok-4.3 (#4472)
- fix(function): validate custom tool param keys before code interpolation (#4474)
- chore(skills): add /add-model and /validate-model commands (#4475)
- chore(deps): upgrade next.js to 16.2.4 (#4460)
- fix(agiloft): correct response parsing, add EWGetChoiceLineId tool (#4477)
- improvement(next): bundle and CI cache config (#4478)
- feat(emailbison): block, tools, sharepoint v2 block with cleaner code (#4470)
- fix(office-excel): support Office.js add-in embed and surface Graph errors (#4479)
- improvement(seo): restore explicit AI/search bot allow-list and add link-preview rules (#4480)
- improvement(executor): reserved keyword errors (#4482)
- fix(security): xlsx CVE bump and bundled security hardening (#4481)
- feat(sap): add SAP Concur integration block and SAP S/4HANA validation fixes (#4483)
- feat(files): zoom controls for inline mermaid and images in markdown (#4411)
- fix(docker): drop scripts/ from workspaces array (#4484)
- fix(workday): correct SOAP service routing and reference types (#4485)
…ction block code (#4223)

* v0.6.29: login improvements, posthog telemetry (#4026)
* feat(posthog): Add tracking on mothership abort (#4023)
  Co-authored-by: Theodore Li <theo@sim.ai>
* fix(login): fix captcha headers for manual login (#4025)
* fix(signup): fix turnstile key loading
* fix(login): fix captcha header passing
* Catch user already exists, remove login form captcha
* fix: use context variables for block outputs in function block code

  When a function block references another block's output via <BlockA.result>, the executor previously embedded the full value as a JavaScript literal directly in the code string. For large outputs (>50 KB), this caused the code string to exceed the terminal console display limit, making inputs appear truncated or replaced with { __simTruncated: true } in the UI.

  Instead, block output references in function block code are now stored as named global variables (__blockRef_N) in the isolated VM context. The code string only contains the compact variable name, keeping it small regardless of the referenced value size. Loop/parallel/env/workflow references are still inlined as literals since the API route has no way to resolve them independently.

  The _runtimeContextVars key is filtered from sanitizeInputsForLog so it does not appear in execution logs or SSE events. Pre-resolved context variables are merged with any variables produced by the API route resolveCodeVariables, with executor values taking precedence.

  Fixes #4195
* fix: address Cursor and Greptile bot review comments
  - Pass preResolvedContextVariables through to shellEnvs for Shell language (Cursor: shell loses pre-resolved block refs, executes against undefined vars)
  - Remove duplicate CodeExecutionOutput interface declaration (Cursor + Greptile: dead duplicate declaration in tools/function/types.ts)
  - Deduplicate identical block references in resolveCodeWithContextVars so the same <BlockA.result> reused multiple times shares one __blockRef_N slot (Greptile P2: avoid duplicating large payloads across the wire)
* fix: shell block references and complex env value serialization

  Two follow-ups to the function-block context-variable refactor:
  - resolveCodeWithContextVars now emits `$__blockRef_N` for shell function blocks so the script dereferences the env var injected by the executor. Other languages still receive the bare identifier.
  - The function-execute route now JSON-stringifies non-primitive values when building shell env vars, replacing the previous `String(v)` call that produced `[object Object]` for objects/arrays.

  Co-Authored-By: Octopus <liyuan851277048@icloud.com>
* fix lint
* review pass
* ignore shell comments
* update contract
* fix tests

---------

Co-authored-by: Waleed <walif6@gmail.com>
Co-authored-by: Theodore Li <theodoreqili@gmail.com>
Co-authored-by: Siddharth Ganesan <33737564+Sg312@users.noreply.github.com>
Co-authored-by: Vikhyath Mondreti <vikhyathvikku@gmail.com>
Co-authored-by: octo-patch <octo-patch@github.com>
Co-authored-by: Vikhyath Mondreti <vikhyath@simstudio.ai>
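The commit message above describes the shape of the change (block references become `__blockRef_N` globals, identical references share one slot, shell gets `$__blockRef_N`, non-primitive shell env values are JSON-encoded, and `_runtimeContextVars` is stripped from logs) without showing code. The block below is an added stand-in that implements that description end to end; it is not the project's `resolveCodeWithContextVars`, and the `BlockOutputs` shape, the `<Block.path>` regex and the sample outputs are assumptions made here so the example runs offline.

```typescript
// Added illustration of the context-variable approach described in the commit message.
// Function and variable names follow the message; the implementation is a stand-in
// written for this example, not the project's own resolver.

type JsonValue = unknown;
/** Block outputs keyed by block name, e.g. { BlockA: { result: {...} } } (assumed shape). */
export type BlockOutputs = Record<string, Record<string, JsonValue>>;
export type FunctionLanguage = "javascript" | "python" | "shell";

export interface ResolvedCode {
  code: string;
  /** Named globals to inject into the isolated VM (or shell env); never inlined into `code`. */
  contextVariables: Record<string, JsonValue>;
}

/** Walk a dotted path ("data.count") through one block's outputs; undefined if a step is missing. */
function lookupPath(root: Record<string, JsonValue>, path: string): JsonValue | undefined {
  let current: JsonValue = root;
  for (const part of path.split(".")) {
    if (current === null || typeof current !== "object" || !(part in (current as object))) {
      return undefined;
    }
    current = (current as Record<string, JsonValue>)[part];
  }
  return current;
}

// <BlockName.some.path> (assumed reference syntax; loop/env/workflow refs use other block names
// that are absent from `outputs`, so they fall through untouched and stay inlined elsewhere).
const BLOCK_REF = /<([A-Za-z_]\w*)\.([A-Za-z_][\w.]*)>/g;

export function resolveCodeWithContextVars(
  code: string,
  outputs: BlockOutputs,
  language: FunctionLanguage,
): ResolvedCode {
  const slots = new Map<string, string>(); // "BlockA.result" -> "__blockRef_0" (dedup)
  const contextVariables: Record<string, JsonValue> = {};

  const resolved = code.replace(BLOCK_REF, (match: string, block: string, path: string) => {
    const outputsForBlock = outputs[block];
    if (outputsForBlock === undefined) return match; // not a resolvable block ref: leave as-is
    const value = lookupPath(outputsForBlock, path);
    if (value === undefined) return match;

    const key = `${block}.${path}`;
    let name = slots.get(key);
    if (name === undefined) {
      name = `__blockRef_${slots.size}`; // one slot per distinct reference, however often reused
      slots.set(key, name);
      contextVariables[name] = value; // the large payload lives here, not in the code string
    }
    // Shell scripts dereference the injected env var; other languages get the bare identifier.
    return language === "shell" ? `$${name}` : name;
  });

  return { code: resolved, contextVariables };
}

/** Shell env values: JSON-encode non-primitives instead of String(v), which yields "[object Object]". */
export function toShellEnvValue(value: JsonValue): string {
  if (value === null || value === undefined) return "";
  return typeof value === "object" ? JSON.stringify(value) : String(value);
}

/** Drop the runtime-only key so injected payloads never reach execution logs or SSE events. */
export function sanitizeInputsForLog(inputs: Record<string, JsonValue>): Record<string, JsonValue> {
  const rest: Record<string, JsonValue> = {};
  for (const [key, value] of Object.entries(inputs)) {
    if (key !== "_runtimeContextVars") rest[key] = value;
  }
  return rest;
}
```

The important property is the one the message states: the code string's size no longer depends on the referenced value, so a 50 KB block output turns into a ten-character identifier in `code` and travels once in `contextVariables`, even when the same reference appears several times.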
…ion (#4474)

* fix(function): validate custom tool param keys before code interpolation
* fix(function): exclude JS reserved words from param key injection guard
* chore(deps): upgrade next.js to 16.2.4
  - Bump next and @next/env to 16.2.4 across root, apps/sim, apps/docs
  - Replace next-runtime-env's env() helper (calls unstable_noStore(), rejected by Next 16.2 outside request scope) with a direct window.__ENV / process.env getter
  - Add export const dynamic = 'force-dynamic' on landing /privacy and /terms pages so NEXT_PUBLIC_* runtime env reads aren't baked at build
* fix(whitelabel): force dynamic rendering for manifest.ts

  Without this, NEXT_PUBLIC_BRAND_* values are baked into the manifest at build time. Pairs with the next-runtime-env removal in the prior commit, restoring Docker runtime injection for whitelabel deployments.
* fix(oauth): wrap consent page useSearchParams in Suspense

  Next 16.2's stricter prerender check fails the build when useSearchParams() is used without a Suspense boundary. Splits the client component into an outer wrapper and inner body.
* fix(whitelabel): force dynamic rendering for landing segment

  Client components in (landing) (e.g. Navbar) read NEXT_PUBLIC_BRAND_* via getEnv. Without this, SSR prerender would bake the build-time process.env values into HTML, mismatching window.__ENV after hydration in Docker runtime-env deployments. Cascades to all landing routes via the layout.
* revert(whitelabel): drop force-dynamic from landing layout

  Cascading force-dynamic neutered dynamicParams = false + generateStaticParams on /blog/[slug], /integrations/[slug], /models/[provider], /models/[provider]/[model] — killing static prerender for SEO-critical pages. The hydration concern only materializes for whitelabel Docker deployments where build-time and runtime NEXT_PUBLIC_BRAND_* differ; those deployments can set the vars at build instead. Keeping force-dynamic on /privacy, /terms, and /manifest where it actually matters.
* fix(prerender): wrap useSearchParams callsites for Next 16.2

  Next 16.2 fails the build when a client component using useSearchParams() is statically prerendered without a Suspense boundary.
  - Wrap landing Navbar in Suspense (imported by /oauth/consent and other pages)
  - Add force-dynamic to reset-password, invite/[id], and unsubscribe pages whose client bodies call useSearchParams
* fix(navbar): preserve SSR HTML, drop Suspense bailout

  Reading useSearchParams() forced a Suspense fallback that emitted no navbar HTML during SSR — leaving crawlers and no-JS users without nav. The 'home' query param only affects client-side link targets, so read it from window.location in an effect after hydration. Restores full SSR navbar markup.
* chore: trim verbose comments in next.js upgrade

  The force-dynamic export name is self-documenting; the remaining env.ts comment is tightened to the essential WHY (why we don't use next-runtime-env's helper).
…4477)

* fix(agiloft): correct response parsing, add EWGetChoiceLineId tool
* fix(agiloft): address PR review feedback
- drop redundant turbopack config (Next 16 defaults)
- remove lucide-react/date-fns from optimizePackageImports (built-in defaults)
- enable turbopackFileSystemCacheForBuild for warm CI builds
- disable poweredByHeader
- swap actions/cache for Blacksmith sticky disk on .next/cache
…#4470)

* feat(emailbison): block, tools
* type improvements
* typecheck issue
* add email bison trigger, cleanup sharepoint block
* address comments
* fix tests
* error on partial upload failures
…rrors (#4479)

* fix(office-excel): support Office.js add-in embed and surface Graph errors
* fix(office-excel): delegate to parseGraphErrorFromData and handle array embed param
…ink-preview rules (#4480)

* improvement(seo): restore explicit AI/search bot allow-list and add link-preview rules
* fix(seo): correct xAI UA strings, drop Bravebot, block /playground/ and /w/ from link-preview bots
* fix(seo): drop unverified Grok UAs, correct DeepSeekBot and ImagesiftBot tokens
* fix(seo): re-add Bravebot to allow-list per Brave Search docs
* improvement(seo): drop redundant named AI/search bot allow-list
* chore(seo): trim verbose comments in robots.ts
* improvement(executor): reserved keyword errors
* address comments and make error messages for func execute make sense block ref accs
* fix(security): xlsx CVE bump and bundled security hardening
* fix(stripe): use configured secret key for SDK init

  Avoids leaving a recognisable placeholder string in heap dumps and error serialisations. Webhook verification remains a purely local HMAC operation; the SDK's constructor key is unused by it.

  Addresses Greptile feedback on #4481.

  Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
* fix(stripe): use static Stripe.webhooks for verification

  Avoids instantiating a Stripe client just to access constructEvent. The webhook signing secret is per-trigger (user-provided whsec_…) and unrelated to our billing STRIPE_SECRET_KEY, so coupling them was wrong. Stripe.webhooks is exposed as a static — no client, no API key needed.

  Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
* fix(ci): revert client-bundled tools to avoid .server import in client
* fix(security): collapse 403 to 404 on v1 detail-by-ID routes
* chore(security): remove unused validateAgiloftInstanceUrl helper
* fix(security): bump minimatch + clean up scripts/ workspace

  Resolves CVE-2026-27903 (GHSA-7r86-cg39-jmmj) by adding a root-level minimatch ^10.2.5 override. Also resolves CVE-2026-0969 in next-mdx-remote (bumped to ^6.0.0).

  Cleanup:
  - Make scripts/ a proper bun workspace (root workspaces array)
  - Remove duplicate scripts/package-lock.json (this repo uses bun)
  - Remove redundant scripts/bun.lock (now hoisted to root)
  - Remove vestigial scripts/setup-doc-generator.sh
  - Slim scripts/package.json to its real deps (glob, yaml)
  - Gitignore stray package-lock.json files
  - Update scripts/README.md

  Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>

---------

Co-authored-by: Claude Opus 4.7 <noreply@anthropic.com>
…n fixes (#4483)

* feat(sap): add SAP Concur integration block and SAP S/4HANA validation fixes
* added
* fix(sap_s4hana): preserve raw Set-Cookie array for CSRF cookie join

  SecureFetchHeaders previously collapsed multi-value Set-Cookie headers with ", ", forcing consumers to re-split via a fragile regex. Cookie values containing "=" or "," (e.g., Base64 session tokens) could be misparsed and produce malformed Cookie strings on CSRF-protected mutations.

  Add SecureFetchHeaders.getSetCookie() that returns the raw array, and update the S/4HANA OData proxy's joinSetCookies to consume it directly.

  Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
* fix(sap-concur): rename misleading exchange-rate tool, drop unusable refresh_token grant, validate geolocation host
  - Rename sap_concur_get_exchange_rate to sap_concur_upload_exchange_rates (POST bulk upload, not GET)
  - Remove refresh_token from SapConcurGrantType / Zod enum / block dropdown / docs (no implementation)
  - Validate Concur geolocation hostname against SAP_CONCUR_ALLOWED_DATACENTERS

  Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
* finished
* docs
* fix(docs): escape braces in tool/trigger description prose for MDX

  Tool and trigger descriptions can contain URL path placeholders like {reportId} or JSON-shape hints like { Items, NextPage }. When rendered as MDX prose (not table cells), these were emitted unescaped and MDX parsed them as JSX expressions, failing prerender with "ReferenceError: reportId is not defined".

  Escape { and } in the operation-level description and trigger description renderers, matching the existing escaping in table-cell descriptions.

  Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
* fix(sap-concur): align with live API on travel-profile, itineraries, and context types
  - list_travel_profiles_summary: rename Status query to Active with 1/0 values, tighten LastModifiedDate format hint
  - list_itineraries / get_itinerary: use documented userid_type / userid_value / ItemsPerPage / Page query keys
  - create_report_comment: contextType allows MANAGER (move to EXPENSE_READ_CONTEXT_TYPE_OPS)
  - get_list_item: drop unused listId from block (tool only needs itemId)
  - Tighten description copy on list_expenses/get_itemizations/associate_attendees/remove_all_attendees

  Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
* fix(sap-concur): correct Cash Advance v4.1 paths, add SCIM filter param
  - Update Cash Advance create/get/issue tools from /cashadvance/v4/ to /cashadvance/v4.1/ to match the live API
  - Add filter query param to list_users (SCIM v4.1 supports filtering by userName, employeeNumber, externalId)
  - Regenerate docs MDX

  Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
* fix(sap-concur): drop SCIM list_users filter param (not supported on v4.1 GET)

  SCIM Identity v4.1 GET /Users does not accept a filter query parameter — filtering is only supported via POST /Users/.search (already exposed by sap_concur_search_users).

  Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
* fix(sap-concur): final live-API alignment

  Verified against live SAP Concur docs (concur/developer.concur.com preview branch):
  - Revert Cash Advance paths to /cashadvance/v4/ (v4.1 endpoints do not exist; live spec is v4)
  - Travel Profile v2 summary has no Active/Status query param — drop the filter from tool, types, and block
  - Report Comments v4 contextType is TRAVELER or PROXY only (NOT MANAGER) — move create_report_comment + list_report_comments into the TRAVELER/PROXY context group
  - Trip v1.1 query keys: userid_type / userid_value / ItemsPerPage / Page (snake/Pascal per docs) — already correct, kept

  Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
* docs
* fix(sap-concur): restore Cash Advance v4.1 paths

  Re-verified against live developer.concur.com docs at /api-reference/cash-advance/v4-1.cash-advance.html — only v4.1 endpoints are documented:
  - POST /cashadvance/v4.1/cashadvances
  - GET /cashadvance/v4.1/cashadvances/{cashAdvanceId}
  - POST /cashadvance/v4.1/cashadvances/{cashAdvanceId}/issue

  The /cashadvance/v4/ docs page returns 404. Reverts the prior local rollback in 9ef3a11.

  Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>

---------

Co-authored-by: Claude Opus 4.7 <noreply@anthropic.com>
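The `fix(sap_s4hana)` commit in this message describes why collapsing multiple `Set-Cookie` headers with `", "` and re-splitting on commas corrupts the `Cookie` header sent on CSRF-protected mutations. The block below is an added example, not the project's `SecureFetchHeaders` or `joinSetCookies`: a small header container (`RawSetCookieHeaders`, hypothetical name) that keeps the raw array next to the comma-collapsed view, the naive join for contrast, and the corrected join that consumes the array. The sample headers are constructed for this example and contain no real session tokens; the comma comes from an `Expires` attribute, one legitimate place a comma appears inside a `Set-Cookie` value.

```typescript
// Added illustration of the Set-Cookie handling described in the commit message.
// RawSetCookieHeaders stands in for the project's SecureFetchHeaders; the names and
// the sample headers below are constructed for this example.

/** Minimal header bag that keeps every Set-Cookie header separately. */
export class RawSetCookieHeaders {
  private readonly setCookies: string[] = [];
  private readonly other = new Map<string, string>();

  append(name: string, value: string): void {
    const key = name.toLowerCase();
    if (key === "set-cookie") {
      this.setCookies.push(value);
      return;
    }
    const prev = this.other.get(key);
    this.other.set(key, prev === undefined ? value : `${prev}, ${value}`);
  }

  /** Comma-collapsed view (the old behaviour for Set-Cookie, kept here only for comparison). */
  get(name: string): string | null {
    const key = name.toLowerCase();
    if (key === "set-cookie") {
      return this.setCookies.length === 0 ? null : this.setCookies.join(", ");
    }
    return this.other.get(key) ?? null;
  }

  /** The fix: hand callers the raw array, one entry per Set-Cookie header. */
  getSetCookie(): string[] {
    return [...this.setCookies];
  }
}

/** name=value of one Set-Cookie header: everything before the first ';', untouched after the '='. */
function cookiePair(setCookie: string): string {
  const semi = setCookie.indexOf(";");
  return (semi === -1 ? setCookie : setCookie.slice(0, semi)).trim();
}

/** Corrected join: each array entry is exactly one cookie, so no re-splitting is needed. */
export function joinSetCookies(rawSetCookies: string[]): string {
  return rawSetCookies.map(cookiePair).filter((pair) => pair.length > 0).join("; ");
}

/** The fragile approach: a collapsed header split back apart on commas. */
export function naiveJoinSetCookies(collapsed: string): string {
  return collapsed.split(/,\s*/).map(cookiePair).join("; ");
}

// Constructed sample response headers (not real tokens). The third carries an Expires
// attribute, whose date contains a comma, so the comma-split path produces a bogus cookie.
export const SAMPLE_SET_COOKIES: string[] = [
  "SAP_SESSIONID_X=dGVzdCwgY29tbWE=; path=/; HttpOnly; Secure",
  "sap-usercontext=sap-client=100&sap-language=EN; path=/",
  "expires-demo=1; expires=Wed, 21 Oct 2026 07:28:00 GMT; path=/",
];

/** Build the Cookie header for a CSRF-protected follow-up request from a fetched response. */
export function cookieHeaderFromResponse(headers: RawSetCookieHeaders): string {
  return joinSetCookies(headers.getSetCookie());
}
```

Note that `cookiePair` never splits on `=`: the Base64 session token above ends in `=` padding and the second cookie's value itself contains `=`, and both survive intact only because the value is taken as everything after the name up to the first `;`.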
…4411)

- Add pan/zoom/fit controls to mermaid diagrams rendered inline in markdown — same experience as the standalone .mmd viewer
- Wrap inline markdown images in ZoomablePreview with fit-to-container scale
- Allow fit zoom to upscale small diagrams to fill the view (previously capped at 100%)
`turbo prune sim --docker` strips `scripts/` from the pruned output (sim doesn't depend on it), but the pruned root package.json still listed it as a workspace, causing `bun install` to fail with "Workspace not found 'scripts'" in the Docker build.

scripts/ is dev-only tooling that runs from the repo root via `bun run scripts/*.ts`. Its imports (glob, yaml) resolve against the root node_modules — they're already in root devDependencies.

- Remove "scripts" from root workspaces array
- Delete scripts/package.json (no longer a workspace, manifest unused)

Co-authored-by: Claude Opus 4.7 <noreply@anthropic.com>
* fix(workday): correct SOAP service routing and reference types
  - create-prehire: route Put_Applicant to Recruiting service (was Staffing, where the operation does not exist)
  - assign-onboarding: use WID for Action_Event_Reference (was Background_Check_ID, wrong identifier domain for hire events)
  - update-worker block: rewrite labels and wand prompt to match Change_Personal_Information demographic-only scope (prior prompt instructed LLM to emit businessTitle/primaryWorkEmail which the SOAP op rejects)
  - enrich opaque JSON output descriptions on worker, workers, organizations, compensationPlans
* fix(workday): correct Date_of_Birth casing in update wand prompt