feat(appconfig): add AWS AppConfig integration for config versions and deployments

[TheodoreSpeaks]

Summary

• Add AWS AppConfig integration — 11 control-plane operations: create/get/list hosted configuration versions, start/get/stop/list deployments, and list applications/environments/configuration profiles/deployment strategies
• Built on the existing AWS SDK-behind-internal-routes pattern (like DynamoDB/SES/SQS): contract → route → tool per op, shared AppConfigClient util, region + access-key auth
• New appconfig block with op dropdown, conditional fields, typed outputs, official AWS AppConfig icon, and AppConfigBlockMeta (7 templates); registered in tool + block registries; docs generated

Type of Change

• New feature

Testing

Tested manually. bun run type-check, full bun run lint, and bun run check:api-validation:strict all pass.

Checklist

• Code follows project style guidelines
• Self-reviewed my changes
• Tests added/updated and passing
• No new warnings introduced
• I confirm that I have read and agree to the terms outlined in the Contributor License Agreement (CLA)

[vercel]

The latest updates on your projects. Learn more about Vercel for GitHub.

Project	Deployment	Actions	Updated (UTC)
docs	Ready	Preview, Comment	Jun 9, 2026 6:48pm

[cursor]

PR Summary

Medium Risk
New mutating AWS paths (create versions, start/stop deployments) accept long-lived credentials in requests; risk is mitigated by the same internal-auth and contract validation pattern as other AWS tools, but misconfigured workflows could change live config.

Overview
Adds a full AWS AppConfig integration so workflows can manage hosted configuration versions and environment deployments from the product.

Eleven control-plane capabilities are wired end-to-end: create/get/list hosted versions, start/get/stop/list deployments, and list applications, environments, configuration profiles, and deployment strategies. Each operation follows the existing AWS tool stack—Zod contract, authenticated internal API route, @aws-sdk/client-appconfig helper, client tool definition, and tool registry entry—plus a workflow appconfig block with operation-specific fields, AWS key auth, and several starter templates.

Docs and discovery are updated with AppConfigIcon, tools docs page, meta.json, and integrations.json. @aws-sdk/client-appconfig is added to apps/sim dependencies.

^{Reviewed by Cursor Bugbot for commit 1503711. Bugbot is set up for automated code reviews on this repo. Configure here.}

[greptile-apps]

Greptile Summary

This PR adds AWS AppConfig integration following the existing AWS SDK-behind-internal-routes pattern (consistent with DynamoDB, SES, SQS). It contributes 11 control-plane operations across contracts, route handlers, tool definitions, a block config, and documentation.

• All 11 operations (create/get/list hosted configuration versions, start/get/stop/list deployments, list applications/environments/profiles/strategies) are implemented with a shared AppConfigClient util, proper client.destroy() cleanup in finally blocks, Zod validation including AWS region format checks, and checkInternalAuth on every route.
• The block's APP_ID_OPERATIONS, PROFILE_ID_OPERATIONS, ENVIRONMENT_ID_OPERATIONS, and PAGINATED_OPERATIONS arrays correctly gate which fields are surfaced and forwarded per operation; the toInteger coercion helper gracefully handles string inputs from the UI while still surfacing clean type errors for invalid values.
• AWS credentials (accessKeyId, secretAccessKey) use visibility: 'user-only', consistent with the project rule for user-provided credentials.

Confidence Score: 5/5

Safe to merge — all 11 operations correctly follow the established AWS internal-route pattern with proper auth, Zod validation, and SDK client cleanup.

The implementation is structurally correct across all layers: contracts, routes, utils, tool definitions, and block config. No operations are missing required parameters, no credentials are leaked, and SDK client lifecycle is managed with finally blocks throughout. The two findings are both style-level concerns (missing synthesized message on read operations, and no client-side 1 MB size guard on config content before the AWS call).

No files require special attention. utils.ts and appconfig.ts (block) have the minor inconsistencies noted, but neither affects correctness.

Important Files Changed

Filename	Overview
apps/sim/app/api/tools/appconfig/utils.ts	Shared AWS AppConfig SDK wrapper; all 11 operations implemented with correct credential injection, client.destroy() in finally blocks, and ISO date/binary content helpers. No size guard on hosted configuration content before encoding.
apps/sim/blocks/blocks/appconfig.ts	Block config with 11 operations, conditional subBlock visibility arrays, and a toInteger coercion helper. Logic is correct; minor inconsistency: block-level outputs declares message but read/list operations don't return it.
apps/sim/tools/appconfig/types.ts	Well-typed param/response interfaces covering all 11 operations; nullable union types are consistent with AWS SDK optional fields.
apps/sim/lib/api/contracts/tools/aws/appconfig-start-deployment.ts	Zod contract for start-deployment with AWS region validation and all required fields; matches utils.ts response shape exactly.
apps/sim/lib/api/contracts/tools/aws/appconfig-create-hosted-configuration-version.ts	Zod contract with region validation; no upper-bound on content length (1 MB AWS limit not enforced at contract layer).
apps/sim/tools/registry.ts	All 11 AppConfig tool IDs correctly registered; import names match the re-exports in index.ts.
apps/sim/tools/appconfig/index.ts	Re-exports all 11 tool instances with appconfig-prefixed names; consistent with the pattern used by other AWS tools.

Sequence Diagram

sequenceDiagram
    participant UI as Sim UI (Block)
    participant Tool as Tool Layer (tools/appconfig)
    participant Route as API Route (/api/tools/appconfig/*)
    participant Utils as Utils (utils.ts)
    participant AWS as AWS AppConfig SDK

    UI->>Tool: params (region, accessKeyId, secretKey, op-specific fields)
    Tool->>Route: "POST /api/tools/appconfig/{operation}"
    Route->>Route: checkInternalAuth()
    Route->>Route: parseToolRequest() [Zod validation + region check]
    Route->>Utils: createAppConfigClient(config)
    Utils-->>Route: AppConfigClient
    Route->>Utils: operation(client, params)
    Utils->>AWS: SDK Command (e.g. StartDeploymentCommand)
    AWS-->>Utils: Response
    Utils-->>Route: Mapped result object
    Route-->>Tool: NextResponse.json(result)
    Note over Route: client.destroy() in finally
    Tool-->>UI: "transformResponse → { success, output }"

Loading

_{Reviews (3): Last reviewed commit: "Merge remote-tracking branch 'origin/sta..." | Re-trigger Greptile}

[TheodoreSpeaks]

@greptile review

[cursor]

Cursor Bugbot has reviewed your changes and found 2 potential issues.

^{❌ Bugbot Autofix is OFF. To automatically fix reported issues with cloud agents, enable autofix in the Cursor dashboard.}

^{Reviewed by Cursor Bugbot for commit ff6926c. Configure here.}

[TheodoreSpeaks]

@greptile review

[TheodoreSpeaks]

Closing in favor of #4928 (waleedlatif1), which is a superset of this integration — it covers the same control-plane operations plus resource creation (applications/environments/profiles) and the live-config data plane. I ported this PR's one unique operation (list_hosted_configuration_versions) over to #4928, so nothing is lost.