v0.6.40: mothership tool loop, new skills, agiloft, STS, IAM integrations, jira forms endpoints#4146
Merged
waleedlatif1 merged 23 commits intomainfrom Apr 14, 2026
Merged
v0.6.40: mothership tool loop, new skills, agiloft, STS, IAM integrations, jira forms endpoints#4146waleedlatif1 merged 23 commits intomainfrom
waleedlatif1 merged 23 commits intomainfrom
Conversation
…4127) * fix(navbar): eliminate auth button flash using useSyncExternalStore * fix(navbar): add inert and fix aria-hidden on auth button containers
* feat(logs): add cancel execution to log row context menu * lint * fix(logs): check success response and use targeted cache invalidation
…4131) * feat(workspaces): add recency-based workspace switching and redirect * fix(workspaces): skip prune when workspace list is empty on mount
* feat(agiloft): add Agiloft CLM integration with token-based auth Add 12 tools (CRUD, search, select, saved search, attachments, lock), block, icon, docs, and internal API route for file attachments. Uses EWLogin/EWLogout for short-lived Bearer tokens — credentials are never embedded in API request URLs. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com> * fix(agiloft): address PR review feedback - Add HTTPS enforcement guard to agiloftLogin to prevent plaintext credential transit - Add null guard on data.output in attach_file transformResponse - Change empty AgiloftSavedSearchParams interface to type alias Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com> * fix(agiloft): add SSRF protection via DNS validation on instanceUrl Validates user-supplied instanceUrl against private/reserved IP ranges using validateUrlWithDNS before making any outbound requests. Uses dynamic import to avoid bundling Node.js dns module in client-side code. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com> * fix(agiloft): fix SSRF protection to avoid client bundle breakage Replace dynamic import of input-validation.server (which Turbopack traces into the client bundle) with client-safe validateExternalUrl in utils.ts. Add full DNS-level SSRF validation via validateUrlWithDNS in the attach API route (server-only file). This matches the Okta pattern for directExecution tools and the textract pattern for API routes. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com> * fix(agiloft): use DELETE method for EWRemoveAttachment endpoint The remove_attachment tool was incorrectly using GET instead of DELETE for the Agiloft EWRemoveAttachment endpoint, which would cause removals to fail at runtime. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com> * fix(agiloft): correct HTTP methods and parameter names per Agiloft API docs - EWRemoveAttachment uses GET, not DELETE (revert incorrect change) - EWRetrieve uses `filePosition` parameter, not `position` - EWAttach uses PUT, not POST Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com> --------- Co-authored-by: Claude Opus 4.6 <noreply@anthropic.com>
* fix(atlassian): unify error message extraction across all Jira, JSM, and Confluence routes Add parseAtlassianErrorMessage() to jira/utils.ts as single source of truth for parsing all 5 Atlassian error formats. Update 51 proxy routes (18 JSM, 5 Jira, 28 Confluence) to use it instead of hardcoded generic errors. Remove dead errorExtractor field from 95 Atlassian tool files — the compat loop in extractErrorMessage() already handles all formats without it. Consolidate duplicate parseJsmErrorMessage into a re-export from the shared utility. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com> * fix: address PR review comments from Bugbot - Remove debug logger.info for formAnswers in JSM request route - Restore user-friendly spaceId error message in Confluence create-page route - Restore details field in Jira write and update route error responses Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com> * refactor: remove re-exports from jsm/utils and import directly from source Remove re-exports of getJiraCloudId, parseAtlassianErrorMessage, and parseJsmErrorMessage from jsm/utils.ts. Update all 21 JSM routes to import directly from @/tools/jira/utils per CLAUDE.md import rules. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com> * regen docs --------- Co-authored-by: Claude Opus 4.6 <noreply@anthropic.com>
* feat(workspaces): add workspace logo upload * feat(workspaces): add workspace logo upload * fix(workspaces): validate logoUrl accepts only paths or HTTPS URLs * fix(workspaces): add admin authorization, audit log, and posthog event for workspace logo uploads * lint * fix: add WebP support and use refs pattern in useProfilePictureUpload - Add image/webp to ACCEPTED_IMAGE_TYPES in useProfilePictureUpload - Add image/webp to file input accept attributes in whitelabeling settings - Refactor useProfilePictureUpload to use refs for onUpload, onError, and currentImage callbacks, matching the established codebase pattern Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com> * fix: restore cloudwatch/cloudformation files from staging These files were accidentally regressed during rebase conflict resolution, reverting changes from #4027. Restoring to staging versions. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com> * fix: add workspace_logo_uploaded to PostHogEventMap Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com> * fix: separate workspaceId ref sync to prevent overwrite on re-render Split the ref sync useEffect so workspaceIdRef only updates when the workspaceId prop changes, not when onUpload/onError callbacks get new references. Prevents setTargetWorkspaceId from being overwritten by a re-render before the file upload completes. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com> * fix: use Pick type for workspace dropdown in knowledge header The shared Workspace type requires ownerId and other fields that aren't available from the workspaces API response mapping. Use a Pick type to accurately represent the subset of fields actually constructed. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com> * refactor: replace raw fetch with useWorkspacesQuery in knowledge header Remove useState + useEffect + fetch anti-pattern for loading workspaces. Use useWorkspacesQuery from React Query with inline filter for write/admin permissions. Eliminates ~30 lines of manual state management, any casts, and the Pick type workaround. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com> --------- Co-authored-by: Claude Opus 4.6 <noreply@anthropic.com>
* Auto-focus input boxes for modals and copilot * Fix focus in emcn modal * Fix integrations manager focus * Change modal tabs to auto focus on first text input * Auto-focus mothership task chats --------- Co-authored-by: Theodore Li <theo@sim.ai>
* feat(ui): show folder path in search modal * Switch truncate folder over workspace name --------- Co-authored-by: Theodore Li <theo@sim.ai>
…yping, file write/patch/append tools, timing issues (#4090) * fix build error * improvement(mothership): new agent loop (#3920) * feat(transport): replace shared chat transport with mothership-stream module * improvement(contracts): regenerate contracts from go * feat(tools): add tool catalog codegen from go tool contracts * feat(tools): add tool-executor dispatch framework for sim side tool routing * feat(orchestrator): rewrite tool dispatch with catalog-driven executor and simplified resume loop * feat(orchestrator): checkpoint resume flow * refactor(copilot): consolidate orchestrator into request/ layer * refactor(mothership): reorganize lib/copilot into structured subdirectories * refactor(mothership): canonical transcript layer, dead code cleanup, type consolidation * refactor(mothership): rebase onto latest staging * refactor(mothership): rename request continue to lifecycle * feat(trace): add initial version of request traces * improvement(stream): batch stream from redis * fix(resume): fix the resume checkpoint * fix(resume): fix resume client tool * fix(subagents): subagent resume should join on existing subagent text block * improvement(reconnect): harden reconnect logic * fix(superagent): fix superagent integration tools * improvement(stream): improve stream perf * Rebase with origin dev * fix(tests): fix failing test * fix(build): fix type errors * fix(build): fix build errors * fix(build): fix type errors * feat(mothership): add cli execution * fix(mothership): fix function execute tests * Force redeploy * feat(motheship): add docx support * feat(mothership): append * Add deps * improvement(mothership): docs * File types * Add client retry logic * Fix stream reconnect * Eager tool streaming * Fix client side tools * Security * Fix shell var injection * Remove auto injected tasks * Fix 10mb tool response limit * Fix trailing leak * Remove dead tools * file/folder tools * Folder tools * Hide function code inline * Dont show internal tool result reads * Fix spacing * Auth vfs * Empty folders should show in vfs * Fix run workflow * change to node runtime * revert back to bun runtime * Fix * Appends * Remove debug logs * Patch * Fix patch tool * Temp * Checkpoint * File writes * Fix * Remove tool truncation limits * Bad hook * replace react markdown with streamdown * Checkpoitn * fix code block * fix stream persistence * temp * Fix file tools * tool joining * cleanup subagent + streaming issues * streamed text change * Tool display intetns * Fix dev * Fix tests * Fix dev * Speed up dev ci * Add req id * Fix persistence * Tool call names * fix payload accesses * Fix name * fix snapshot crash bug * fix * Fix * remove worker code * Clickable resources * Options ordering * Folder vfs * Restore and mass delete tools * Fix * lint * Update request tracing and skills and handlers * Fix editable * fix type error * Html code * fix(chat): make inline code inherit parent font size in markdown headers Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com> * improved autolayout * durable stream for files * one more fix * POSSIBLE BREAKAGE: SCROLLING * Fixes * Fixes * Lint fix * fix(resource): fix resource view disappearing on ats (#4103) Co-authored-by: Theodore Li <theo@sim.ai> * Fixes * feat(mothership): add execution logs as a resource type Adds `log` as a first-class mothership resource type so copilot can open and display workflow execution logs as tabs alongside workflows, tables, files, and knowledge bases. - Add `log` to MothershipResourceType, all Zod enums, and VALID_RESOURCE_TYPES - Register log in RESOURCE_REGISTRY (Library icon) and RESOURCE_INVALIDATORS - Add EmbeddedLog and EmbeddedLogActions components in resource-content - Export WorkflowOutputSection from log-details for reuse in EmbeddedLog - Add log resolution branch in open_resource handler via new getLogById service - Include log id in get_workflow_logs response and extract resources from output - Exclude log from manual add-resource dropdown (enters via copilot tools only) - Regenerate copilot contracts after adding log to open_resource Go enum * Fix perf and message queueing * Fix abort * fix(ui): dont delete resource on clearing from context, set resource closed on new task (#4113) Co-authored-by: Theodore Li <theo@sim.ai> * improvement(mothership): structure sim side typing * address comments * reactive text editor tweaks * Fix file read and tool call name persistence bug * Fix code stream + create file opening resource * fix use chat race + headless trace issues * Fix type issue * Fix mothership block req lifecycle * Fix build * Move copy reqid * Fix * fix(ui): fix resource tag transition from home to task (#4132) Co-authored-by: Theodore Li <theo@sim.ai> * Fix persistence --------- Co-authored-by: Vikhyath Mondreti <vikhyath@simstudio.ai> Co-authored-by: Waleed Latif <walif6@gmail.com> Co-authored-by: Claude Opus 4.6 <noreply@anthropic.com> Co-authored-by: Theodore Li <theo@sim.ai> Co-authored-by: Theodore Li <theodoreqili@gmail.com>
* feat(aws): add IAM and STS integrations * fix(sts): address PR review comments - Fix CrowdStrike tags to include "security" (unintended removal) - Standardize STS tool versions to '1.0.0' (matching IAM convention) - Add range validation to durationSeconds in Zod schemas Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com> * icon * lint --------- Co-authored-by: Claude Opus 4.6 <noreply@anthropic.com>
Co-authored-by: Theodore Li <theo@sim.ai>
Co-authored-by: Theodore Li <theo@sim.ai>
* chore(copilot): streaming paths reviewer group * narrow scope
Co-authored-by: Theodore Li <theo@sim.ai>
* feat(jsm): add all Forms API endpoints for two-step form workflow * removed tyoes * fix(jsm): handle 204 No Content on action endpoints and reject array answers * fix(jsm): validate formIds is an array in copy_forms route and block * fix(jsm): add formTemplateId validation and conditional required on formAnswers
|
The latest updates on your projects. Learn more about Vercel for GitHub. |
![github-advanced-security[bot]](https://avatars.githubusercontent.com/in/57789?s=60&v=4){kind=small}
* fix build error * improvement(mothership): new agent loop (#3920) * feat(transport): replace shared chat transport with mothership-stream module * improvement(contracts): regenerate contracts from go * feat(tools): add tool catalog codegen from go tool contracts * feat(tools): add tool-executor dispatch framework for sim side tool routing * feat(orchestrator): rewrite tool dispatch with catalog-driven executor and simplified resume loop * feat(orchestrator): checkpoint resume flow * refactor(copilot): consolidate orchestrator into request/ layer * refactor(mothership): reorganize lib/copilot into structured subdirectories * refactor(mothership): canonical transcript layer, dead code cleanup, type consolidation * refactor(mothership): rebase onto latest staging * refactor(mothership): rename request continue to lifecycle * feat(trace): add initial version of request traces * improvement(stream): batch stream from redis * fix(resume): fix the resume checkpoint * fix(resume): fix resume client tool * fix(subagents): subagent resume should join on existing subagent text block * improvement(reconnect): harden reconnect logic * fix(superagent): fix superagent integration tools * improvement(stream): improve stream perf * Rebase with origin dev * fix(tests): fix failing test * fix(build): fix type errors * fix(build): fix build errors * fix(build): fix type errors * feat(mothership): add cli execution * fix(mothership): fix function execute tests * Force redeploy * feat(motheship): add docx support * feat(mothership): append * Add deps * improvement(mothership): docs * File types * Add client retry logic * Fix stream reconnect * Eager tool streaming * Fix client side tools * Security * Fix shell var injection * Remove auto injected tasks * Fix 10mb tool response limit * Fix trailing leak * Remove dead tools * file/folder tools * Folder tools * Hide function code inline * Dont show internal tool result reads * Fix spacing * Auth vfs * Empty folders should show in vfs * Fix run workflow * change to node runtime * revert back to bun runtime * Fix * Appends * Remove debug logs * Patch * Fix patch tool * Temp * Checkpoint * File writes * Fix * Remove tool truncation limits * Bad hook * replace react markdown with streamdown * Checkpoitn * fix code block * fix stream persistence * temp * Fix file tools * tool joining * cleanup subagent + streaming issues * streamed text change * Tool display intetns * Fix dev * Fix tests * Fix dev * Speed up dev ci * Add req id * Fix persistence * Tool call names * fix payload accesses * Fix name * fix snapshot crash bug * fix * Fix * remove worker code * Clickable resources * Options ordering * Folder vfs * Restore and mass delete tools * Fix * lint * Update request tracing and skills and handlers * Fix editable * fix type error * Html code * fix(chat): make inline code inherit parent font size in markdown headers Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com> * improved autolayout * durable stream for files * one more fix * POSSIBLE BREAKAGE: SCROLLING * Fixes * Fixes * Lint fix * fix(resource): fix resource view disappearing on ats (#4103) Co-authored-by: Theodore Li <theo@sim.ai> * Fixes * feat(mothership): add execution logs as a resource type Adds `log` as a first-class mothership resource type so copilot can open and display workflow execution logs as tabs alongside workflows, tables, files, and knowledge bases. - Add `log` to MothershipResourceType, all Zod enums, and VALID_RESOURCE_TYPES - Register log in RESOURCE_REGISTRY (Library icon) and RESOURCE_INVALIDATORS - Add EmbeddedLog and EmbeddedLogActions components in resource-content - Export WorkflowOutputSection from log-details for reuse in EmbeddedLog - Add log resolution branch in open_resource handler via new getLogById service - Include log id in get_workflow_logs response and extract resources from output - Exclude log from manual add-resource dropdown (enters via copilot tools only) - Regenerate copilot contracts after adding log to open_resource Go enum * Fix perf and message queueing * Fix abort * fix(ui): dont delete resource on clearing from context, set resource closed on new task (#4113) Co-authored-by: Theodore Li <theo@sim.ai> * improvement(mothership): structure sim side typing * address comments * reactive text editor tweaks * Fix file read and tool call name persistence bug * Fix code stream + create file opening resource * fix use chat race + headless trace issues * Fix type issue * Fix mothership block req lifecycle * Fix build * Move copy reqid * Fix * fix(ui): fix resource tag transition from home to task (#4132) Co-authored-by: Theodore Li <theo@sim.ai> * Fix persistence * Clean code, fix bugs * Fix --------- Co-authored-by: Vikhyath Mondreti <vikhyath@simstudio.ai> Co-authored-by: Waleed Latif <walif6@gmail.com> Co-authored-by: Claude Opus 4.6 <noreply@anthropic.com> Co-authored-by: Theodore Li <theo@sim.ai> Co-authored-by: Theodore Li <theodoreqili@gmail.com>
…k ID (#4150) getTrigger() namespaces condition-gated subBlock IDs (e.g. webhookUrlDisplay → webhookUrlDisplay_github_release_published). The block card's useMemo was checking for an exact match on 'webhookUrlDisplay', which never matched. Co-authored-by: Claude Opus 4.6 <noreply@anthropic.com>
…ttern (#4149) * fix(security): resolve ReDoS vulnerability in function execute tag pattern Simplified regex to eliminate overlapping quantifiers that caused exponential backtracking on malformed input without closing delimiter. * fix(security): exclude trailing-dot refs and hoist tag pattern to module level * fix(security): align tag pattern with codebase standard [^<>]+ pattern Matches createReferencePattern() from reference-validation.ts used by the core executor. Invalid refs handled gracefully by resolveBlockReference. * refactor(security): use createReferencePattern() instead of inline regex
PR SummaryMedium Risk Overview Expands docs/integrations by adding Agiloft + AWS IAM/STS tool pages, new icons/mappings, and updating the integrations catalog; also extends Jira Service Management docs to include the full set of Forms API endpoints and clarifies form answer keying. Refactors Copilot/Mothership server routes: Operational changes: adds CODEOWNERS entries for streaming surfaces, updates CI to build/push dev images separately and run dev DB migrations, adjusts build job dependencies/branch conditions, increases Node memory for tests/build, and updates README/pricing/docs to remove concurrency-limit references; landing UI swaps markdown rendering to Reviewed by Cursor Bugbot for commit 0e6ada4. Configure here. |
![cursor[bot]](https://avatars.githubusercontent.com/in/1210556?s=60&v=4){kind=small}
There was a problem hiding this comment.
Cursor Bugbot has reviewed your changes and found 1 potential issue.
❌ Bugbot Autofix is OFF. To automatically fix reported issues with cloud agents, enable autofix in the Cursor dashboard.
Reviewed by Cursor Bugbot for commit 0e6ada4. Configure here.
…e CopyCodeButton to emcn (#4148) * improvement(ui): restore smooth streaming animation, fix follow-up auto-scroll, move CopyCodeButton to emcn * fix(ui): restore delayed animation, handle tilde fences, fix follow-up scroll root cause * fix(ui): extract useStreamingReveal to followup, keep cleanup changes * fix(ui): restore hydratedStreamingRef for reconnect path order-of-ops * fix(ui): restore full hydratedStreamingRef effect for reconnect path * fix(ui): use hover-hover prefix on CopyCodeButton callers to correctly override ghost variant * fix(logs): remove destructive color from cancel execution menu item * feat(logs): optimistic cancelling status on cancel execution * feat(logs): allow cancellation of pending (paused) executions * fix(hitl): cancel paused executions directly in DB Paused HITL executions are idle in the DB — they don't poll Redis or run in-process, so the existing cancel signals had no effect. The DB status stayed 'pending', causing the optimistic 'cancelling' update to revert on refetch. - Add PauseResumeManager.cancelPausedExecution: atomically sets paused_executions.status and workflow_execution_logs.status to 'cancelled' inside a FOR UPDATE transaction - Guard enqueueOrStartResume against resuming a cancelled execution - Include pausedCancelled in the cancel route success check * upgrade turbo * test(hitl): update cancel route tests for paused execution cancellation - Mock PauseResumeManager.cancelPausedExecution to prevent DB calls - Add pausedCancelled to all expected response objects - Add test for HITL paused execution cancellation path - Add missing auth/authz tests - Switch to vi.hoisted pattern for all mocks * fix(hitl): set endedAt when cancelling paused execution Without endedAt, the logs API running filter (isNull(endedAt)) would keep cancelled paused executions in the running view indefinitely. * fix(hitl): emit execution:cancelled event to canvas when cancelling paused execution Paused HITL executions have no active SSE stream, so the canvas never received the cancellation event. Now writes execution:cancelled to the event buffer and updates the stream meta so the canvas reconnect path picks it up and shows 'Execution Cancelled'. * fix(hitl): isolate cancelPausedExecution failure from successful cancellation Wrap cancelPausedExecution in try/catch so a DB error does not mask a prior successful Redis or in-process cancellation. Also move the resource-collapse side effect in home.tsx to a useEffect to avoid the stale closure on the resources array. * fix(hitl): add .catch() to fire-and-forget event buffer calls in cancel route
#4151) * fix(ci): replace dynamic secret access with explicit secret references Resolves CodeQL "Excessive Secrets Exposure" warning by replacing secrets[matrix.ecr_repo_secret] with conditional expressions that reference only the specific secrets needed. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com> * fix(ci): add explicit ECR_REALTIME guard and use env block for secret injection - Prevent silent fallthrough to ECR_REALTIME for unrecognized secret keys - Move build-amd64 secret resolution to env: block matching build-dev pattern --------- Co-authored-by: Claude Opus 4.6 <noreply@anthropic.com>
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
5 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Uh oh!
There was an error while loading. Please reload this page.