feat(agiloft): add Agiloft CLM integration with token-based auth

[waleedlatif1]

Summary

• Add complete Agiloft CLM integration with 12 tools: CRUD operations, search, select, saved search, file attachments (attach, retrieve, remove, info), and record locking
• Uses token-based authentication via EWLogin/EWLogout — credentials are exchanged for short-lived Bearer tokens and never embedded in API request URLs
• Includes block with operation dropdown, icon, docs, and internal API route for file attachment uploads

Test plan

• Verify Agiloft CRUD operations (create, read, update, delete) work with valid credentials
• Verify search and select return expected records
• Verify file attach/retrieve/remove work end-to-end
• Verify lock/unlock/check status operations
• Confirm Bearer token is used in request headers (no credentials in URLs)
• Confirm session cleanup (EWLogout) occurs after each operation

[vercel]

The latest updates on your projects. Learn more about Vercel for GitHub.

1 Skipped Deployment

Project	Deployment	Actions	Updated (UTC)
docs	Skipped		Apr 13, 2026 9:24pm

[cursor]

PR Summary

Medium Risk
Adds a new external-integration surface area (credentialed requests, file upload/download, and new API route) where mistakes could impact security and reliability despite SSRF/auth validations.

Overview
Adds a full Agiloft CLM integration: a new AgiloftBlock with an operation picker wired to 12 new agiloft_* tools (CRUD, search/select/saved search, attachments, and record locking) and registered in the global block/tool registries.

Implements token-based request execution via EWLogin/EWLogout in tools/agiloft/utils.ts plus a dedicated internal API route (/api/tools/agiloft/attach) to handle attachment uploads from stored files with internal auth + SSRF/DNS validation.

Updates the landing integrations data, docs site metadata, and both apps’ icon mappings by adding AgiloftIcon and a new tools/agiloft.mdx documentation page (plus a small Trello doc spacing tweak).

^{Reviewed by Cursor Bugbot for commit f278a21. Configure here.}

[greptile-apps]

Greptile Summary

This PR adds a complete Agiloft CLM integration with 12 tools covering CRUD operations, attachment management, search/select, saved searches, and record locking. The implementation uses a token-exchange pattern (EWLogin → Bearer token → EWLogout) and routes file uploads through an internal API endpoint with DNS-level SSRF protection.

All HTTP methods have been verified against the official Agiloft REST API docs — including GET/POST for EWRemoveAttachment, PUT for EWAttach, and GET/PUT/DELETE for EWLock. Prior review feedback on HTTPS enforcement, optional chaining on data.output, the AgiloftSavedSearchParams type alias, and the file attachment guard has been addressed.

Confidence Score: 5/5

Safe to merge — all prior review concerns are resolved, HTTP methods verified against official Agiloft API docs, no new P0/P1 issues found.

All prior feedback (HTTPS guard, optional chaining on data.output, AgiloftSavedSearchParams type alias, file null guard) has been addressed. HTTP methods match the official Agiloft REST API docs. Credential visibility follows the codebase rule (user-only). SSRF protection is in place at both the tool layer and route layer. No remaining P0 or P1 findings.

No files require special attention.

Important Files Changed

Filename	Overview
apps/sim/tools/agiloft/utils.ts	Core auth/URL utilities; HTTPS enforcement via validateExternalUrl, proper try/finally logout, token injected centrally in executeAgiloftRequest.
apps/sim/app/api/tools/agiloft/attach/route.ts	File attachment route uses validateUrlWithDNS (DNS-level SSRF guard), processFilesToUserFiles, downloadFileFromStorage, and a correct try/finally for token cleanup.
apps/sim/blocks/blocks/agiloft.ts	Block config correctly uses AuthMode.ApiKey, normalizeFileInput for the canonical attachFile param, and proper condition/required rules for all 12 operations.
apps/sim/tools/agiloft/retrieve_attachment.ts	Returns base64-encoded file data; FileToolProcessor is applied automatically by the executor, consistent with how other file-output tools work in the codebase.
apps/sim/tools/agiloft/remove_attachment.ts	Uses GET method for EWRemoveAttachment, correct per official Agiloft API docs; prior commit using DELETE was corrected in the final commit.
apps/sim/tools/agiloft/types.ts	All response interfaces properly typed; AgiloftSavedSearchParams correctly simplified to a type alias per prior review feedback.
apps/sim/tools/agiloft/lock_record.ts	getLockHttpMethod correctly maps lock→PUT, unlock→DELETE, check→GET, matching Agiloft API docs.
apps/sim/tools/agiloft/search_records.ts	Handles multiple Agiloft response formats including the EWREST_length flat-object pattern; pagination defaults are reasonable.

Sequence Diagram

sequenceDiagram
    participant E as Executor
    participant U as utils.ts
    participant A as Agiloft API

    E->>U: directExecution(params)
    U->>U: validateExternalUrl(instanceUrl)
    U->>A: POST /ewws/EWLogin (KB + credentials in query)
    A-->>U: access_token
    U->>A: Request with Authorization Bearer header
    A-->>U: Response data
    U->>U: transformResponse(response)
    U->>A: POST /ewws/EWLogout (best-effort, finally block)
    U-->>E: ToolResponse

    Note over E,A: attach_file uses internal API route
    E->>+Route: POST /api/tools/agiloft/attach
    Route->>Route: validateUrlWithDNS (DNS-level SSRF guard)
    Route->>A: POST /ewws/EWLogin
    Route->>A: PUT /ewws/EWAttach (binary body, Bearer)
    A-->>Route: attachment count
    Route->>A: POST /ewws/EWLogout (finally block)
    Route-->>-E: success output

Loading

_{Reviews (4): Last reviewed commit: "fix(agiloft): correct HTTP methods and p..." | Re-trigger Greptile}

[waleedlatif1]

@greptile

[waleedlatif1]

@cursor review

[waleedlatif1]

@greptile

[waleedlatif1]

@cursor review

[cursor]

✅ Bugbot reviewed your changes and found no new issues!

Comment @cursor review or bugbot run to trigger another review on this PR

^{Reviewed by Cursor Bugbot for commit 762d2ae. Configure here.}

[waleedlatif1]

@greptile

[waleedlatif1]

@cursor review

[cursor]

✅ Bugbot reviewed your changes and found no new issues!

Comment @cursor review or bugbot run to trigger another review on this PR

^{Reviewed by Cursor Bugbot for commit f278a21. Configure here.}