Skip to content

feat(credentials): token-paste service accounts for 12 providers#5682

Open
waleedlatif1 wants to merge 10 commits into
stagingfrom
worktree-hubspot-service-accounts
Open

feat(credentials): token-paste service accounts for 12 providers#5682
waleedlatif1 wants to merge 10 commits into
stagingfrom
worktree-hubspot-service-accounts

Conversation

@waleedlatif1

Copy link
Copy Markdown
Collaborator

Summary

  • Adds workspace-level service-account credentials (paste a long-lived token, verified server-side, encrypted at rest) for 12 providers: HubSpot, Airtable, Notion, Asana, Attio, Linear, monday, Shopify, Webflow, Trello, Cal.com, Wealthbox — mirroring the existing Atlassian pattern
  • Declarative registry instead of per-provider branches: client-safe descriptors drive the contract validation and a single generic connect modal; server-side validators verify each token against the provider's whoami-style endpoint with SSRF guards and status-code-only error mapping (outages are never blamed on the token)
  • Migrates the existing Google/Atlassian/Slack service-account dispatch to the same registry pattern (builder + resolver maps, unified required-fields validation) — stored secret formats and runtime behavior unchanged
  • Linear tools now send the documented bare Authorization header for lin_api_ personal keys via a shared helper (OAuth tokens unchanged); Shopify tools resolve the store domain from service-account credentials
  • 12 setup-guide docs pages under docs/integrations, incl. the Trello authorize-link flow
  • No DB migration; existing credentials unaffected

Type of Change

  • New feature

Testing

91 new unit tests for validators + shared error plumbing; full credential/oauth suites green (213 tests); typecheck + check:api-validation pass. Every provider spec was verified against current official API docs by independent review passes.

Checklist

  • Code follows project style guidelines
  • Self-reviewed my changes
  • Tests added/updated and passing
  • No new warnings introduced
  • I confirm that I have read and agree to the terms outlined in the Contributor License Agreement (CLA)

…Spot, Airtable, Notion, Asana, Attio, Linear, monday, Shopify, Webflow, Trello, Cal.com, Wealthbox)
…ied validator hardening

- Migrate Google/Atlassian/Slack service-account branches to the same
  registry pattern as token-paste providers (builder + resolver maps,
  unified required-fields contract validation)
- Fix Shopify service-account store domain never reaching tool URL builders
- Linear: rate-limit 400s no longer mislabeled as invalid credentials;
  validation header matches runtime header rule
- Trello: server API key rejection no longer blamed on customer token
- Fleet-wide: network errors and non-JSON provider bodies map to
  provider_unavailable via shared fetchProvider/parseProviderJson
- HubSpot: drop regional-host displayName upgrade; Wealthbox: explicit 402;
  monday: provider-side GraphQL errors mapped correctly; Attio: null-body guard
… for token service accounts

- 12 setup-guide docs pages (docs.sim.ai/integrations/<provider>-service-account)
  incl. the Trello authorize-link flow the integration depends on
- Attio: HTTP 400 on /v2/self maps to invalid_credentials (live-verified)
- monday: scan all GraphQL errors for provider-side codes; no empty audit ids
- Compile-time descriptor/validator lockstep (typed registry) and
  prototype-safe provider-id guard (Object.hasOwn)
- Shared errors.test.ts pinning fetchProvider/parseProviderJson/
  throwForProviderResponse guarantees for all validators
- Stale TSDoc updated after the registry migration; biome organizeImports pass
@vercel

vercel Bot commented Jul 15, 2026

Copy link
Copy Markdown

The latest updates on your projects. Learn more about Vercel for GitHub.

Project Deployment Actions Updated (UTC)
docs Ready Ready Preview, Comment Jul 15, 2026 3:30am

Request Review

@cursor

cursor Bot commented Jul 15, 2026

Copy link
Copy Markdown

PR Summary

Medium Risk
Touches credential create/update, encrypted secret storage, and runtime token resolution for production integrations; mistakes could break auth or accept bad tokens, though behavior is heavily tested and scoped to the new registry paths.

Overview
Introduces token-paste service accounts for HubSpot, Airtable, Notion, Asana, Attio, Linear, monday.com, Shopify, Webflow, Trello, Cal.com, and Wealthbox: workspaces can store long-lived provider tokens that are verified on connect, encrypted, and used at runtime as the access token (no OAuth refresh).

The implementation is registry-driven instead of one-off branches. Client descriptors define modal fields, connect labels, and required API fields; a generic TokenServiceAccountModal handles connect/reconnect; per-provider validators call each vendor’s whoami-style endpoint with shared error mapping (invalid_credentials vs provider_unavailable). verifyAndBuildServiceAccountSecret and resolveServiceAccountToken now dispatch through builder/resolver maps, with token-paste providers handled generically alongside Google, Atlassian, and Slack.

Integration UX uses vendor-accurate connect nouns (e.g. “Add private app token”). Credential create validation pulls required fields from service-account-fields.ts. Linear teams/projects API routes instantiate the SDK with apiKey when the token is lin_api_*, matching tool auth behavior.

Docs: twelve new *-service-account integration guides (scopes, setup steps, FAQs) are registered in meta.json.

Reviewed by Cursor Bugbot for commit 2452f96. Configure here.

…guides

34 corrections from a 12-agent audit against live official vendor docs:
current HubSpot Development-area nav, Notion connections rename, monday
Developer Center paths, Shopify legacy-vs-Dev-Dashboard token flows, and
hedged wording for claims vendors do not document (expiry, limits)
… surfaces

'Add service account' only where the vendor actually has service accounts
(Google, Atlassian); token-paste providers now use their own vocabulary via a
connectNoun descriptor field — 'Add private app token' (HubSpot), 'Add API key'
(Attio/Linear/Cal.com), 'Add personal access token' (Airtable), etc. Docs page
titles updated to match; slugs and internal provider ids unchanged
…lid credentials

Shopify can reject invalid or revoked shpat_ tokens with HTTP 200 and a
GraphQL error body instead of a 401; those now map to invalid_credentials
instead of a provider-outage message
@waleedlatif1

Copy link
Copy Markdown
Collaborator Author

@greptile-apps review

@waleedlatif1

Copy link
Copy Markdown
Collaborator Author

@cursor review

@greptile-apps

greptile-apps Bot commented Jul 15, 2026

Copy link
Copy Markdown
Contributor

Greptile Summary

This PR adds token-paste service-account credentials across the integration system. The main changes are:

  • Workspace-level credential setup for twelve token-based providers.
  • A shared descriptor and validator registry for service-account creation.
  • Server-side token verification with normalized provider metadata.
  • Shopify tool URLs that prefer the credential-resolved store domain.
  • Linear API-key authorization handling and new setup docs.

Confidence Score: 5/5

This looks safe to merge.

  • No blocking issues found in the changed code.

Important Files Changed

Filename Overview
apps/sim/lib/credentials/service-account-secret.ts Routes service-account secret creation through provider-specific builders and rejects unknown non-empty provider IDs.
apps/sim/lib/credentials/token-service-accounts/validators/shopify.ts Validates Shopify service-account credentials and stores a normalized store domain for runtime tool calls.
apps/sim/tools/shopify/types.ts Adds the optional credential-resolved Shopify domain parameter used by tool URL builders.
apps/sim/tools/shopify/get_product.ts Updates Shopify request URL selection to prefer the credential-resolved domain before block parameters.
apps/sim/lib/credentials/token-service-accounts/validators/wealthbox.ts Validates Wealthbox tokens against the runtime Bearer authentication path.

Reviews (3): Last reviewed commit: "fix(credentials): cold-review hardening ..." | Re-trigger Greptile

Comment thread apps/sim/tools/shopify/get_product.ts Outdated
Comment thread apps/sim/lib/credentials/service-account-secret.ts Outdated
Live probing showed the documented access-token-info route returns a bare
404 for unrecognized tokens (ambiguous with a missing route), so 404/400
now falls back to the Account Information API, which answers with a JSON
401 for rejected tokens and 200/403 for live ones — verified against the
real endpoints
- Shopify tools prefer the credential-validated store domain over the
  block's auto-detected shopDomain (a store-bound token must hit its own store)
- Unknown non-empty service-account providerIds are rejected instead of
  silently persisting as google-service-account (empty stays the legacy
  Google fallback)
- Shopify/modal domain normalization strips URL paths ('https://x.myshopify.com/admin')
- monday: warning-class GraphQL errors no longer reject a token whose me
  data proves it authenticated
@waleedlatif1

Copy link
Copy Markdown
Collaborator Author

@greptile-apps review

@waleedlatif1

Copy link
Copy Markdown
Collaborator Author

@cursor review

@cursor cursor Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

✅ Bugbot reviewed your changes and found no new issues!

Comment @cursor review or bugbot run to trigger another review on this PR

Reviewed by Cursor Bugbot for commit dd00d09. Configure here.

- Object.hasOwn guards on all provider-id registry lookups (crafted
  '__proto__'/'constructor' providerIds now 400 instead of 500) + regression test
- fetchProvider gets a 10s AbortSignal.timeout so a hung provider can't pin
  the create/reconnect request
- HubSpot: unexpected 403 on the token-info route defers to the account-info
  fallback instead of blaming the token
- Linear selector routes use the SDK apiKey option for lin_api_ keys (bare
  header parity with the tools sweep)
- Docs: UI steps aligned to the vendor-noun connect labels; HubSpot
  scope-propagation claims softened; Trello in-product-link promise corrected
@waleedlatif1

Copy link
Copy Markdown
Collaborator Author

@greptile-apps review

@waleedlatif1

Copy link
Copy Markdown
Collaborator Author

@cursor review

@cursor cursor Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

✅ Bugbot reviewed your changes and found no new issues!

Comment @cursor review or bugbot run to trigger another review on this PR

Reviewed by Cursor Bugbot for commit 2452f96. Configure here.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant