The latest updates on your projects. Learn more about Vercel for GitHub.

1 Skipped Deployment

Project	Deployment	Actions	Updated (UTC)
docs	Skipped		May 5, 2026 1:48am

PR Summary

Medium Risk
Expands access to existing logs endpoints by allowing internal-JWT authentication in addition to sessions, which is security-sensitive and could broaden who can read log data if misconfigured. Adds new block/tool surface area that hits these endpoints from workflows, increasing usage and potential load.

Overview
Adds a new Logs block that lets workflows query log summaries, fetch a log by id, and fetch execution details, with cursor-based pagination and basic filter/sort inputs.

Introduces corresponding tools (logs_query, logs_get, logs_get_execution) and registers them in the tool registry, wiring requests to the existing /api/logs routes using workspace context.

Updates GET /api/logs and GET /api/logs/[id] to use checkSessionOrInternalAuth (rejecting API keys) instead of session-only auth, returning clearer 401 errors and passing the authenticated userId into log fetches.

^{Reviewed by Cursor Bugbot for commit 164afe6. Bugbot is set up for automated code reviews on this repo. Configure here.}

Greptile Summary

This PR adds a Logs block with three operations (query, get by ID, get execution details) that call internal /api/logs routes via the executor's auto-attached JWT, and widens auth on GET /api/logs and GET /api/logs/[id] from session-only to checkSessionOrInternalAuth. The auth change is safe — workspace scoping is still enforced via the permissions INNER JOIN.

• All three transformResponse implementations lack a response.ok check: on 4xx/5xx responses the tools return success: true with error/empty data, silently masking failures from downstream blocks (get_execution returns the raw error body as output; get_log returns log: undefined; query returns empty results).
• The executionMetadata output description documents a totalTokens field that the /api/logs/execution/[executionId] route does not return, which will produce undefined for any workflow wiring that field.

Confidence Score: 3/5

Three P1 bugs cause silent success on API errors across all three new tools; fix before merging.

Three independent P1 findings (one per tool), each causing success: true to be returned on HTTP errors, which will silently corrupt downstream block inputs. The auth changes are sound and carry no regression risk.

apps/sim/tools/logs/get_execution.ts, apps/sim/tools/logs/get_log.ts, apps/sim/tools/logs/query.ts

Important Files Changed

Sequence Diagram

sequenceDiagram
    participant WF as Workflow Executor
    participant LB as Logs Block
    participant QT as logsQueryTool / logsGetTool / logsGetExecutionTool
    participant API as /api/logs routes
    participant DB as Database

    WF->>LB: execute(params)
    LB->>QT: dispatch tool with operation params
    QT->>API: GET request (internal JWT auto-attached)
    API->>API: checkSessionOrInternalAuth(request)
    API->>DB: query with permissions INNER JOIN (userId scope)
    DB-->>API: rows
    API-->>QT: JSON response (200 or 4xx/5xx)
    Note over QT: response.ok not checked — errors silently return success:true
    QT-->>LB: { success: true, output: ... }
    LB-->>WF: result

_{Reviews (1): Last reviewed commit: "feat(logs): add Logs block for querying ..." | Re-trigger Greptile}