feat(integrations): add AWS AppConfig integration with tools, block, and docs

[waleedlatif1]

Summary

• Add AWS AppConfig integration with 14 tools covering the full lifecycle: retrieve live configuration (data plane), manage applications/environments/configuration profiles, create and read hosted configuration versions, and run/inspect/stop deployments
• Routes use the official `@aws-sdk/client-appconfig` + `@aws-sdk/client-appconfigdata` SDKs, wrapped with `withRouteHandler`, internal-auth gated, and contract-validated (one contract per route under `lib/api/contracts/tools/aws/appconfig-*`)
• Add `appconfig` block (operation dropdown, conditional subBlocks, number coercion in `tools.config.params`), BlockMeta with 8 templates + 4 skills, and the AppConfig icon
• Register tools/block alphabetically; generate docs with a manual intro section
• Bump API-validation route baseline 792→793 for the new contract-bound routes

Type of Change

• New feature

Testing

Tested manually — `tsc` clean, `bun run lint` clean, `bun run check:api-validation` passes, docs regenerated

Checklist

• Code follows project style guidelines
• Self-reviewed my changes
• Tests added/updated and passing
• No new warnings introduced
• I confirm that I have read and agree to the terms outlined in the Contributor License Agreement (CLA)

[waleedlatif1]

@cursor review

[vercel]

The latest updates on your projects. Learn more about Vercel for GitHub.

Project	Deployment	Actions	Updated (UTC)
docs	Ready	Preview, Comment	Jun 9, 2026 7:47pm

[waleedlatif1]

@greptile

[cursor]

PR Summary

Medium Risk
New AWS integration accepts access keys in tool payloads and exposes destructive AppConfig actions (deletes, deployments); risk is mitigated by the same internal-auth and contract validation pattern as other AWS tool routes, but misconfigured workflows could still affect production config.

Overview
Adds a new AWS AppConfig integration so workflows and agents can read live config, manage AppConfig resources, version hosted config, and run deployments.

Backend: Authenticated POST routes under /api/tools/appconfig/* call shared helpers in utils.ts using @aws-sdk/client-appconfig and @aws-sdk/client-appconfigdata (including data-plane get configuration via a configuration session). Each route has a matching Zod contract under lib/api/contracts/tools/aws/.

Product surface: A workflow block with an operation dropdown (25 operations), conditional fields, and param coercion (e.g. configurationVersion forced to string). 25 agent tools proxy to those APIs. Docs (appconfig.mdx), integrations.json, icon mapping, and block registry entries are wired in alphabetically.

Docs/UI: New AppConfigIcon and BlockMeta templates/skills for common DevOps patterns (flag reads, publish/deploy, deployment monitoring).

^{Reviewed by Cursor Bugbot for commit 34fa181. Configure here.}

[greptile-apps]

Greptile Summary

This PR adds a comprehensive AWS AppConfig integration with 26 routes covering the full management plane (@aws-sdk/client-appconfig) and data plane (@aws-sdk/client-appconfigdata), a block UI with 25 operations, 26 Zod-validated contracts, and documentation. The implementation follows established patterns in the codebase: withRouteHandler, internal-auth gating, user-only credential visibility, and client.destroy() in finally blocks.

• All 26 API routes follow a consistent pattern: auth check → contract validation → client creation → operation → client.destroy() in finally — no client leaks observed.
• The data-plane getConfiguration correctly uses the two-step StartConfigurationSessionCommand + GetLatestConfigurationCommand pattern (not the deprecated GetConfigurationCommand), and the latestVersionNumber falsy-zero bug flagged in prior review has been addressed with a != null guard.
• The block's toInt coercion and configurationVersion string-casting handle the common case of numeric values piped from upstream steps, with contracts enforcing min/max bounds at the route layer.

Confidence Score: 5/5

Safe to merge — all 26 routes correctly validate inputs via Zod contracts, manage AWS SDK client lifecycle, and gate on internal auth. No data loss, credential leak, or destructive race conditions introduced.

The integration is a net-new addition with no changes to existing functionality. Every route follows the established safe pattern (auth gate → contract parse → finally client.destroy()), credentials use user-only visibility, the previously flagged latestVersionNumber zero-handling bug has been fixed, and Zod contracts enforce range constraints at the route boundary before any AWS call is made.

No files require special attention. The utils.ts and blocks/blocks/appconfig.ts carry the most logic but both are straightforward and consistent with existing integrations.

Important Files Changed

Filename	Overview
apps/sim/app/api/tools/appconfig/utils.ts	Central util with all 26 AWS SDK call wrappers; all clients destroyed in caller finally-blocks, latestVersionNumber uses != null guard (bug from prior review fixed), update functions use consistent null-check for clearable fields vs truthy-check for non-clearable ones.
apps/sim/blocks/blocks/appconfig.ts	Block definition with 25 operations, conditional subBlocks, and toInt coercion for numeric fields; logic is correct — configurationVersion is stringified, toInt handles 0 correctly for latestVersionNumber, and all condition/required arrays are consistent.
apps/sim/tools/appconfig/types.ts	All param interfaces align with their contracts; locationUri is now correctly typed as string (non-optional) in AppConfigCreateConfigurationProfileParams, matching the prior-review fix.
apps/sim/tools/appconfig/get_configuration.ts	Data-plane get configuration tool using the correct two-step session pattern; credentials marked user-only.
apps/sim/tools/appconfig/start_deployment.ts	Start deployment tool; configurationVersion correctly typed as string matching the contract and block coercion.
apps/sim/lib/api/contracts/tools/aws/appconfig-create-hosted-configuration-version.ts	Contract validates latestVersionNumber with min(0) (allowing the zero guard fix), content min(1), and contentType max(255); no upper bound on content size (AWS has 1 MB limit enforced server-side).

Sequence Diagram

sequenceDiagram
    participant UI as Block UI / LLM Tool
    participant Route as Next.js Route /api/tools/appconfig/*
    participant Auth as checkInternalAuth
    participant Contract as Zod Contract
    participant Util as utils.ts
    participant AWS as AWS SDK (AppConfig / AppConfigData)

    UI->>Route: POST (credentials + params)
    Route->>Auth: verify internal token
    Auth-->>Route: "{success, userId}"
    Route->>Contract: parseToolRequest(contract, request)
    Contract-->>Route: "{success, data.body} or error response"
    Route->>Util: createAppConfig[Data]Client(config)
    Util-->>Route: client
    Route->>AWS: client.send(Command)
    AWS-->>Route: response
    Route->>Util: client.destroy() [finally]
    Route-->>UI: NextResponse.json(result)

Loading

_{Reviews (8): Last reviewed commit: "feat(appconfig): add full CRUD for appli..." | Re-trigger Greptile}

[greptile-apps]

Greptile Summary

This PR adds a comprehensive AWS AppConfig integration with 14 tools covering the full control-plane and data-plane lifecycle: listing/creating applications, environments, profiles, and hosted configuration versions; starting/monitoring/stopping deployments; and retrieving live configuration via the AppConfigData plane.

• All 14 routes are wrapped with withRouteHandler, gated by checkInternalAuth, and validated by per-route Zod contracts. AWS SDK clients are created and destroyed per-request, credentials use user-only visibility throughout.
• The appconfig block provides a single operation dropdown that conditionally surfaces the correct fields, with explicit toInt coercion for all numeric inputs (maxResults, versionNumber, deploymentNumber, latestVersionNumber).
• The getConfiguration data-plane path correctly uses StartConfigurationSessionCommand + GetLatestConfigurationCommand from @aws-sdk/client-appconfigdata; the initial token always yields a full response on the first call.

Confidence Score: 4/5

The integration is well-structured and safe to merge; the only notable gap is a loose TypeScript interface type that is compensated by runtime Zod validation.

All 14 routes follow the same auth-validate-execute-destroy pattern. AWS credentials are properly scoped with user-only visibility, the data-plane session/fetch flow is correct, numeric inputs are explicitly coerced, and each operation's required fields are consistently enforced in both the block UI and the server-side contract. The single gap — locationUri typed as optional in AppConfigCreateConfigurationProfileParams while every concrete usage site treats it as required — is caught at runtime by Zod, so no bad data reaches AWS.

apps/sim/tools/appconfig/types.ts — the locationUri optionality mismatch.

Important Files Changed

Filename	Overview
apps/sim/app/api/tools/appconfig/utils.ts	Central utility layer for all 14 AppConfig SDK operations. AWS clients are correctly instantiated and destroyed per-call, content is decoded/encoded with TextDecoder/TextEncoder, and all operations map cleanly to SDK commands.
apps/sim/tools/appconfig/types.ts	Defines param and response interfaces. AppConfigCreateConfigurationProfileParams.locationUri is typed as optional but the tool definition, Zod contract, and util function all treat it as required — a minor type-safety gap.
apps/sim/blocks/blocks/appconfig.ts	Block definition with 14-operation dropdown, correct conditional field visibility, and numeric coercion (toInt) for maxResults/versionNumber/deploymentNumber/latestVersionNumber. Field conditions and required sets are consistent.
apps/sim/app/api/tools/appconfig/get-configuration/route.ts	Data-plane route using AppConfigDataClient; correctly starts a new session per request and fetches the latest configuration in two sequential API calls.
apps/sim/app/api/tools/appconfig/start-deployment/route.ts	Control-plane route; correctly validates with Zod contract and delegates to startDeployment util. Client is destroyed in finally block.
apps/sim/lib/api/contracts/tools/aws/appconfig-create-configuration-profile.ts	Zod contract correctly enforces locationUri as required (z.string().min(1)), providing the runtime safety that the TypeScript interface misses.
apps/sim/tools/appconfig/create_configuration_profile.ts	Tool definition correctly marks locationUri as required: true, closing the practical gap opened by the interface, but the underlying type still allows null.

Sequence Diagram

sequenceDiagram
    participant Client as Workflow Block
    participant Route as Next.js API Route
    participant Auth as checkInternalAuth
    participant Zod as Zod Contract
    participant SDK as AWS SDK

    Note over Client,SDK: Get Configuration (data-plane)
    Client->>Route: POST /api/tools/appconfig/get-configuration
    Route->>Auth: checkInternalAuth(request)
    Auth-->>Route: "{ success, userId }"
    Route->>Zod: parseToolRequest(contract, request)
    Zod-->>Route: "{ success, data.body }"
    Route->>SDK: AppConfigDataClient.StartConfigurationSession
    SDK-->>Route: "{ InitialConfigurationToken }"
    Route->>SDK: AppConfigDataClient.GetLatestConfiguration(token)
    SDK-->>Route: "{ Configuration, ContentType, VersionLabel }"
    Route-->>Client: "{ configuration, contentType, versionLabel }"

    Note over Client,SDK: Deploy Configuration (control-plane)
    Client->>Route: POST /api/tools/appconfig/create-hosted-configuration-version
    Route->>Auth: checkInternalAuth(request)
    Route->>Zod: parseToolRequest(contract, request)
    Route->>SDK: AppConfigClient.CreateHostedConfigurationVersion
    SDK-->>Route: "{ VersionNumber, ApplicationId, ... }"
    Route-->>Client: "{ message, versionNumber, ... }"

    Client->>Route: POST /api/tools/appconfig/start-deployment
    Route->>Auth: checkInternalAuth(request)
    Route->>Zod: parseToolRequest(contract, request)
    Route->>SDK: AppConfigClient.StartDeployment
    SDK-->>Route: "{ DeploymentNumber, State, ... }"
    Route-->>Client: "{ message, deploymentNumber, state }"

Loading

_{Reviews (2): Last reviewed commit: "fix(integrations): preserve latestVersio..." | Re-trigger Greptile}

[waleedlatif1]

@cursor review

[waleedlatif1]

@greptile

[cursor]

✅ Bugbot reviewed your changes and found no new issues!

Comment @cursor review or bugbot run to trigger another review on this PR

^{Reviewed by Cursor Bugbot for commit 05807bb. Configure here.}

[waleedlatif1]

@cursor review

[waleedlatif1]

@greptile

[cursor]

✅ Bugbot reviewed your changes and found no new issues!

Comment @cursor review or bugbot run to trigger another review on this PR

^{Reviewed by Cursor Bugbot for commit cd186f8. Configure here.}

[TheodoreSpeaks]

@greptile review

[TheodoreSpeaks]

@greptile review

[waleedlatif1]

@cursor review

[waleedlatif1]

@greptile

[cursor]

✅ Bugbot reviewed your changes and found no new issues!

Comment @cursor review or bugbot run to trigger another review on this PR

^{Reviewed by Cursor Bugbot for commit 7f5dcf1. Configure here.}

[waleedlatif1]

@cursor review

[waleedlatif1]

@greptile

[cursor]

✅ Bugbot reviewed your changes and found no new issues!

Comment @cursor review or bugbot run to trigger another review on this PR

^{Reviewed by Cursor Bugbot for commit 34fa181. Configure here.}