feat(credentials): token-paste service accounts for 12 providers#5682
Conversation
…Spot, Airtable, Notion, Asana, Attio, Linear, monday, Shopify, Webflow, Trello, Cal.com, Wealthbox)
…ied validator hardening - Migrate Google/Atlassian/Slack service-account branches to the same registry pattern as token-paste providers (builder + resolver maps, unified required-fields contract validation) - Fix Shopify service-account store domain never reaching tool URL builders - Linear: rate-limit 400s no longer mislabeled as invalid credentials; validation header matches runtime header rule - Trello: server API key rejection no longer blamed on customer token - Fleet-wide: network errors and non-JSON provider bodies map to provider_unavailable via shared fetchProvider/parseProviderJson - HubSpot: drop regional-host displayName upgrade; Wealthbox: explicit 402; monday: provider-side GraphQL errors mapped correctly; Attio: null-body guard
… for token service accounts - 12 setup-guide docs pages (docs.sim.ai/integrations/<provider>-service-account) incl. the Trello authorize-link flow the integration depends on - Attio: HTTP 400 on /v2/self maps to invalid_credentials (live-verified) - monday: scan all GraphQL errors for provider-side codes; no empty audit ids - Compile-time descriptor/validator lockstep (typed registry) and prototype-safe provider-id guard (Object.hasOwn) - Shared errors.test.ts pinning fetchProvider/parseProviderJson/ throwForProviderResponse guarantees for all validators - Stale TSDoc updated after the registry migration; biome organizeImports pass
|
The latest updates on your projects. Learn more about Vercel for GitHub.
|
PR SummaryMedium Risk Overview The implementation is registry-driven instead of one-off branches. Client descriptors define modal fields, connect labels, and required API fields; a generic Integration UX uses vendor-accurate connect nouns (e.g. “Add private app token”). Credential create validation pulls required fields from Docs: twelve new Reviewed by Cursor Bugbot for commit 2452f96. Configure here. |
…guides 34 corrections from a 12-agent audit against live official vendor docs: current HubSpot Development-area nav, Notion connections rename, monday Developer Center paths, Shopify legacy-vs-Dev-Dashboard token flows, and hedged wording for claims vendors do not document (expiry, limits)
… surfaces 'Add service account' only where the vendor actually has service accounts (Google, Atlassian); token-paste providers now use their own vocabulary via a connectNoun descriptor field — 'Add private app token' (HubSpot), 'Add API key' (Attio/Linear/Cal.com), 'Add personal access token' (Airtable), etc. Docs page titles updated to match; slugs and internal provider ids unchanged
…lid credentials Shopify can reject invalid or revoked shpat_ tokens with HTTP 200 and a GraphQL error body instead of a 401; those now map to invalid_credentials instead of a provider-outage message
|
@greptile-apps review |
|
@cursor review |
Greptile SummaryThis PR adds token-paste service-account credentials across the integration system. The main changes are:
Confidence Score: 5/5This looks safe to merge.
Important Files Changed
Reviews (3): Last reviewed commit: "fix(credentials): cold-review hardening ..." | Re-trigger Greptile |
Live probing showed the documented access-token-info route returns a bare 404 for unrecognized tokens (ambiguous with a missing route), so 404/400 now falls back to the Account Information API, which answers with a JSON 401 for rejected tokens and 200/403 for live ones — verified against the real endpoints
- Shopify tools prefer the credential-validated store domain over the
block's auto-detected shopDomain (a store-bound token must hit its own store)
- Unknown non-empty service-account providerIds are rejected instead of
silently persisting as google-service-account (empty stays the legacy
Google fallback)
- Shopify/modal domain normalization strips URL paths ('https://x.myshopify.com/admin')
- monday: warning-class GraphQL errors no longer reject a token whose me
data proves it authenticated
|
@greptile-apps review |
|
@cursor review |
There was a problem hiding this comment.
✅ Bugbot reviewed your changes and found no new issues!
Comment @cursor review or bugbot run to trigger another review on this PR
Reviewed by Cursor Bugbot for commit dd00d09. Configure here.
- Object.hasOwn guards on all provider-id registry lookups (crafted '__proto__'/'constructor' providerIds now 400 instead of 500) + regression test - fetchProvider gets a 10s AbortSignal.timeout so a hung provider can't pin the create/reconnect request - HubSpot: unexpected 403 on the token-info route defers to the account-info fallback instead of blaming the token - Linear selector routes use the SDK apiKey option for lin_api_ keys (bare header parity with the tools sweep) - Docs: UI steps aligned to the vendor-noun connect labels; HubSpot scope-propagation claims softened; Trello in-product-link promise corrected
|
@greptile-apps review |
|
@cursor review |
There was a problem hiding this comment.
✅ Bugbot reviewed your changes and found no new issues!
Comment @cursor review or bugbot run to trigger another review on this PR
Reviewed by Cursor Bugbot for commit 2452f96. Configure here.
…alesforce + Pipedrive API tokens Second service-account kind (follow-up to #5682): client-credential pairs (client ID + secret + org identifier) that mint short-lived tokens at execution — in-memory cache with ciphertext-fingerprint validation (rotation-correct across instances), single-flight coalescing, 30s failure memo, no refresh-token storage. - Zoom Server-to-Server OAuth, Box Client Credentials Grant, and Salesforce client-credentials (integration user) are the first minters; Salesforce's live instance_url rides the existing instanceUrl plumbing so all 40 tools work unchanged - Pipedrive lands as a token-paste provider with explicit authStyle threading: descriptor declares x-api-token, one shared header helper drives all 18 tools + both selector routes, OAuth Bearer behavior untouched - SSRF-allowlisted Salesforce My Domain host (production/sandbox/developer partitioned domains); ENOTFOUND maps to site_not_found, EAI_AGAIN stays provider_unavailable; 408/429 from token endpoints never blamed on creds - Create route forwards clientId/clientSecret/orgId to the builder, pinned by a route-level regression test - Zoom user-scoped tools document that server-to-server tokens don't support 'me' - 4 setup-guide docs pages verified against current vendor flows (incl. Salesforce External Client Apps — the classic Connected App wizard is disabled by default since Spring '26); integrations sidebar gains a Service Accounts & API Keys section
…alesforce + Pipedrive API tokens Second service-account kind (follow-up to #5682): client-credential pairs (client ID + secret + org identifier) that mint short-lived tokens at execution — in-memory cache with ciphertext-fingerprint validation (rotation-correct across instances), single-flight coalescing, 30s failure memo, no refresh-token storage. - Zoom Server-to-Server OAuth, Box Client Credentials Grant, and Salesforce client-credentials (integration user) are the first minters; Salesforce's live instance_url rides the existing instanceUrl plumbing so all 40 tools work unchanged - Pipedrive lands as a token-paste provider with explicit authStyle threading: descriptor declares x-api-token, one shared header helper drives all 18 tools + both selector routes, OAuth Bearer behavior untouched - SSRF-allowlisted Salesforce My Domain host (production/sandbox/developer partitioned domains); ENOTFOUND maps to site_not_found, EAI_AGAIN stays provider_unavailable; 408/429 from token endpoints never blamed on creds - Create route forwards clientId/clientSecret/orgId to the builder, pinned by a route-level regression test - Zoom user-scoped tools document that server-to-server tokens don't support 'me' - 4 setup-guide docs pages verified against current vendor flows (incl. Salesforce External Client Apps — the classic Connected App wizard is disabled by default since Spring '26); integrations sidebar gains a Service Accounts & API Keys section
…alesforce + Pipedrive API tokens Second service-account kind (follow-up to #5682): client-credential pairs (client ID + secret + org identifier) that mint short-lived tokens at execution — in-memory cache with ciphertext-fingerprint validation (rotation-correct across instances), single-flight coalescing, 30s failure memo, no refresh-token storage. - Zoom Server-to-Server OAuth, Box Client Credentials Grant, and Salesforce client-credentials (integration user) are the first minters; Salesforce's live instance_url rides the existing instanceUrl plumbing so all 40 tools work unchanged - Pipedrive lands as a token-paste provider with explicit authStyle threading: descriptor declares x-api-token, one shared header helper drives all 18 tools + both selector routes, OAuth Bearer behavior untouched - SSRF-allowlisted Salesforce My Domain host (production/sandbox/developer partitioned domains); ENOTFOUND maps to site_not_found, EAI_AGAIN stays provider_unavailable; 408/429 from token endpoints never blamed on creds - Create route forwards clientId/clientSecret/orgId to the builder, pinned by a route-level regression test - Zoom user-scoped tools document that server-to-server tokens don't support 'me' - 4 setup-guide docs pages verified against current vendor flows (incl. Salesforce External Client Apps — the classic Connected App wizard is disabled by default since Spring '26); integrations sidebar gains a Service Accounts & API Keys section
…alesforce + Pipedrive API tokens Second service-account kind (follow-up to #5682): client-credential pairs (client ID + secret + org identifier) that mint short-lived tokens at execution — in-memory cache with ciphertext-fingerprint validation (rotation-correct across instances), single-flight coalescing, 30s failure memo, no refresh-token storage. - Zoom Server-to-Server OAuth, Box Client Credentials Grant, and Salesforce client-credentials (integration user) are the first minters; Salesforce's live instance_url rides the existing instanceUrl plumbing so all 40 tools work unchanged - Pipedrive lands as a token-paste provider with explicit authStyle threading: descriptor declares x-api-token, one shared header helper drives all 18 tools + both selector routes, OAuth Bearer behavior untouched - SSRF-allowlisted Salesforce My Domain host (production/sandbox/developer partitioned domains); ENOTFOUND maps to site_not_found, EAI_AGAIN stays provider_unavailable; 408/429 from token endpoints never blamed on creds - Create route forwards clientId/clientSecret/orgId to the builder, pinned by a route-level regression test - Zoom user-scoped tools document that server-to-server tokens don't support 'me' - 4 setup-guide docs pages verified against current vendor flows (incl. Salesforce External Client Apps — the classic Connected App wizard is disabled by default since Spring '26); integrations sidebar gains a Service Accounts & API Keys section
…alesforce + Pipedrive API tokens Second service-account kind (follow-up to #5682): client-credential pairs (client ID + secret + org identifier) that mint short-lived tokens at execution — in-memory cache with ciphertext-fingerprint validation (rotation-correct across instances), single-flight coalescing, 30s failure memo, no refresh-token storage. - Zoom Server-to-Server OAuth, Box Client Credentials Grant, and Salesforce client-credentials (integration user) are the first minters; Salesforce's live instance_url rides the existing instanceUrl plumbing so all 40 tools work unchanged - Pipedrive lands as a token-paste provider with explicit authStyle threading: descriptor declares x-api-token, one shared header helper drives all 18 tools + both selector routes, OAuth Bearer behavior untouched - SSRF-allowlisted Salesforce My Domain host (production/sandbox/developer partitioned domains); ENOTFOUND maps to site_not_found, EAI_AGAIN stays provider_unavailable; 408/429 from token endpoints never blamed on creds - Create route forwards clientId/clientSecret/orgId to the builder, pinned by a route-level regression test - Zoom user-scoped tools document that server-to-server tokens don't support 'me' - 4 setup-guide docs pages verified against current vendor flows (incl. Salesforce External Client Apps — the classic Connected App wizard is disabled by default since Spring '26); integrations sidebar gains a Service Accounts & API Keys section
Summary
Type of Change
Testing
91 new unit tests for validators + shared error plumbing; full credential/oauth suites green (213 tests); typecheck + check:api-validation pass. Every provider spec was verified against current official API docs by independent review passes.
Checklist