
v0.6.39: billing fixes, tools audit, landing fix#4124

Merged
waleedlatif1 merged 4 commits into main from staging
Apr 13, 2026

Conversation

Collaborator

@waleedlatif1 waleedlatif1 commented Apr 13, 2026

)

* feat(crowdstrike): add tools + validate whatsapp, shopify, trello

* address comment

* remove tools when unsure about docs shape

* address comments

* fix build

vercel bot commented Apr 13, 2026

The latest updates on your projects. Learn more about Vercel for GitHub.

1 Skipped Deployment
Project Deployment Actions Updated (UTC)
docs Skipped Skipped Apr 13, 2026 5:27am


@waleedlatif1 waleedlatif1 marked this pull request as ready for review April 13, 2026 03:04

cursor bot commented Apr 13, 2026

PR Summary

Low Risk
Changes are largely documentation and agent-skill guidance updates, plus new icon assets/mappings; minimal impact on runtime behavior beyond UI icon rendering and docs content.

Overview
Tightens agent skill guidance across add/validate workflows to explicitly forbid guessing tool/connector/trigger response schemas and require stopping to request docs, samples, or credentials when payload shapes are unknown.

Docs and UI metadata updates: adds new CrowdStrike tools documentation page and wires a new CrowdStrikeIcon into both docs and landing-page icon mappings, and updates existing tool docs for Shopify (cancel params), Trello (OAuth setup + richer IO schemas), and WhatsApp (message send inputs/outputs).

Reviewed by Cursor Bugbot for commit cd3e24b. Configure here.

Contributor

greptile-apps bot commented Apr 13, 2026

Greptile Summary

This PR bundles three changes: a billing fix that adds a shared resolveInvoiceSubscription helper so overage invoices now correctly unblock users on payment success; a tools audit updating WhatsApp (signature verification, richer payload parsing), Trello (hardened auth, shared mappers, OAuth scope sync), and Shopify (pagination, cancel-order options); and a new CrowdStrike Identity Protection integration (query-sensors, get-sensor-details, get-sensor-aggregates with full Zod validation).

  • Breaking change — WhatsApp webhooks: verifyAuth hard-rejects POST requests when providerConfig.appSecret is absent. Any trigger saved before this field was introduced will 401 on every incoming message. Existing users must update their trigger config before or immediately after deploying this change.

Confidence Score: 4/5

Safe to merge after resolving the WhatsApp breaking-change risk for existing triggers.

One P1 finding: existing WhatsApp webhook triggers without appSecret in their stored config will immediately start 401-ing on every incoming message after this deploy. All other findings are P2 (dead fallback code in mapTrelloCard, minor ID-generation style). The billing fix, CrowdStrike integration, and tool audits are well-implemented with good type safety and test coverage.

apps/sim/lib/webhooks/providers/whatsapp.ts — verifyAuth hard-rejects when appSecret is absent; needs a migration path or graceful fallback for existing triggers.

Important Files Changed

| Filename | Overview |
| --- | --- |
| apps/sim/lib/billing/webhooks/invoices.ts | Refactors subscription resolution into a shared resolveInvoiceSubscription helper that now correctly handles overage invoices (metadata-based subscription ID) for both payment_succeeded and payment_failed handlers, fixing the unblock-on-payment-success regression. |
| apps/sim/lib/webhooks/providers/whatsapp.ts | Adds HMAC-SHA256 signature verification (verifyAuth), multi-entry/change payload parsing, idempotency key extraction, and richer formatInput output — but the new verifyAuth hard-rejects requests when appSecret is absent, breaking existing triggers that predate this field. |
| apps/sim/app/api/tools/crowdstrike/query/route.ts | New Next.js API route for CrowdStrike Identity Protection: validates via Zod discriminated union, exchanges client credentials for an access token server-side, and dispatches to query-sensors, get-sensor-details, or get-sensor-aggregates endpoints. Minor: uses generateId().slice(0,8) instead of generateShortId(8). |
| apps/sim/tools/trello/shared.ts | New shared Trello utility module exporting mapTrelloCard, mapTrelloList, mapTrelloAction, and extractTrelloErrorMessage. Contains a dead-code bug in mapTrelloCard where the labelIds fallback filters label objects for strings, always yielding nothing. |
| apps/sim/blocks/utils.ts | Adds three new block input parsers (parseOptionalJsonInput, parseOptionalNumberInput, parseOptionalBooleanInput) with appropriate validation and error messages; used across CrowdStrike and Shopify blocks. |
| apps/sim/tools/whatsapp/send_message.ts | Updated to Graph API v25.0, adds previewUrl param, improves transformResponse with typed parsing and richer output fields, and removes explicit + stripping from phone numbers (WhatsApp API accepts both formats). |
| apps/sim/blocks/blocks/crowdstrike.ts | New CrowdStrike block supporting query-sensors, get-sensor-details, and get-sensor-aggregates operations with correct API key visibility, cloud-region dropdown, and Wand-enabled inputs. |
| apps/sim/app/api/auth/trello/store/route.ts | Hardens Trello credential storage: safe JSON parsing, validates member ID exists in response, removes email from validation URL fields, and uses canonical scopes from getCanonicalScopesForProvider. |
| apps/sim/blocks/blocks/shopify.ts | Adds pagination (first), order/cancel-order enhancements (restock, cancelNotifyCustomer, refundOriginalPayment), includeInactive for locations, and productsFirst for collection fetches; removes unused acceptsMarketing field. |

Sequence Diagram

sequenceDiagram
    participant Client as Sim Executor
    participant Route as /api/tools/crowdstrike/query
    participant CS_Auth as CrowdStrike OAuth2
    participant CS_API as CrowdStrike IDP API

    Client->>Route: POST {operation, clientId, clientSecret, cloud, ...}
    Route->>Route: checkInternalAuth (JWT)
    Route->>Route: Zod discriminated union parse
    Route->>CS_Auth: POST /oauth2/token (client_credentials)
    CS_Auth-->>Route: access_token
    alt crowdstrike_query_sensors
        Route->>CS_API: GET /identity-protection/queries/devices/v1
        CS_API-->>Route: {resources: [device_ids]}
        Route->>CS_API: POST /identity-protection/entities/devices/GET/v1
        CS_API-->>Route: {resources: [sensor_objects]}
        Route-->>Client: {sensors[], count, pagination}
    else crowdstrike_get_sensor_details
        Route->>CS_API: POST /identity-protection/entities/devices/GET/v1
        CS_API-->>Route: {resources: [sensor_objects]}
        Route-->>Client: {sensors[], count}
    else crowdstrike_get_sensor_aggregates
        Route->>CS_API: POST /identity-protection/aggregates/devices/GET/v1
        CS_API-->>Route: {resources: [aggregate_results]}
        Route-->>Client: {aggregates[], count}
    end

Reviews (1): Last reviewed commit: "feat(crowdstrike): add tools + validate ..." | Re-trigger Greptile
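
The review above turns on a WhatsApp webhook check that verifies an HMAC-SHA256 signature and rejects with 401 when no app secret is stored. The following is an added sketch of that behaviour, not the PR's `verifyAuth` code: the function names, result type and sample values are hypothetical, and it assumes the signature arrives in Meta's `X-Hub-Signature-256` header as `sha256=<hex>` computed over the raw request body.

```typescript
import { createHmac, timingSafeEqual } from 'node:crypto'

// Hypothetical result type for this sketch; not the project's own type.
type AuthResult = { ok: true } | { ok: false; status: 401; reason: string }

// Value expected in X-Hub-Signature-256: "sha256=" + hex HMAC of the raw body.
function signBody(appSecret: string, rawBody: string): string {
  return 'sha256=' + createHmac('sha256', appSecret).update(rawBody, 'utf8').digest('hex')
}

// Fail-closed check: no stored secret, no header, or a mismatch all yield 401.
function verifyWhatsAppSignature(
  appSecret: string | undefined,
  rawBody: string,
  signatureHeader: string | undefined
): AuthResult {
  if (!appSecret) {
    // The case flagged in the review: triggers saved without appSecret are rejected.
    return { ok: false, status: 401, reason: 'appSecret not configured' }
  }
  if (!signatureHeader || !signatureHeader.startsWith('sha256=')) {
    return { ok: false, status: 401, reason: 'missing or malformed signature header' }
  }
  const expected = Buffer.from(signBody(appSecret, rawBody), 'utf8')
  const received = Buffer.from(signatureHeader, 'utf8')
  // timingSafeEqual throws on unequal lengths, so compare lengths first.
  if (expected.length !== received.length || !timingSafeEqual(expected, received)) {
    return { ok: false, status: 401, reason: 'signature mismatch' }
  }
  return { ok: true }
}

// Constructed sample values, not taken from the PR.
const SAMPLE_SECRET = 'constructed-app-secret'
const SAMPLE_BODY = '{"object":"whatsapp_business_account","entry":[]}'

// Runs the four cases a receiver has to get right and returns whether each passed auth.
function runSampleCases(): Record<string, boolean> {
  const good = signBody(SAMPLE_SECRET, SAMPLE_BODY)
  return {
    valid: verifyWhatsAppSignature(SAMPLE_SECRET, SAMPLE_BODY, good).ok,
    tamperedBody: verifyWhatsAppSignature(SAMPLE_SECRET, SAMPLE_BODY + ' ', good).ok,
    missingHeader: verifyWhatsAppSignature(SAMPLE_SECRET, SAMPLE_BODY, undefined).ok,
    legacyTriggerNoSecret: verifyWhatsAppSignature(undefined, SAMPLE_BODY, good).ok,
  }
}

console.log(runSampleCases())
```

The signature must be computed over the exact bytes received; re-serialising parsed JSON before hashing changes the digest and rejects legitimate deliveries.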

@waleedlatif1 waleedlatif1 changed the title v0.6.39: billing fixes, tools audit v0.6.39: billing fixes, tools audit, landing fix Apr 13, 2026
@waleedlatif1 waleedlatif1 merged commit e3d0e74 into main Apr 13, 2026
26 checks passed