fix(integrations): harden jira, jsm, ashby, google drive, slack, confluence, notion

[waleedlatif1]

Summary

Audit and harden multiple integrations against API contracts, input validation, and error handling.

Jira (largest scope)

• NaN guards on timeSpentSeconds in worklog tools
• JSON.parse try/catch on internal /api/tools/jira/{write,update} responses (handles HTML 5xx from proxies)
• Domain normalization (strip leading https://) — fixes silent fallback to wrong site
• JQL injection prevention via project key regex validation in bulk_read
• ADF helper consolidation (toAdf across comments/links/transitions)
• Migrated to /search/jql nextPageToken pagination (deprecated /search startAt)
• Defensive .trim() on ID path params; encodeURIComponent on watcher account IDs
• resolveAssigneeAccountId helper; parent-as-object wrapping; summary fallback
• New read-bulk block operation; removed silent read → bulk_read fallback
• Restored total field (always null at runtime) to preserve TS contract

Other integrations

• JSM: customer/organization route validation
• Ashby: 30+ tools — output normalization, types cleanup
• Google Drive: tighter response handling across read/write/share
• Slack: types + tool fixes (canvas, reactions, messaging, members)
• Confluence: update tool + types
• Docs: regenerated .mdx for all touched integrations

Test plan

• Run a Jira workflow: search, read, write, update, comment, worklog, transition, watcher
• Verify worklog accepts numeric and human-readable durations without NaN
• Verify domain entered as https://x.atlassian.net resolves to correct cloudId
• JSM customer + organization flows
• Ashby candidate/application/job flows
• Google Drive copy/share/list/permissions
• Slack message + canvas + reactions
• Confluence update

[vercel]

The latest updates on your projects. Learn more about Vercel for GitHub.

1 Skipped Deployment

Project	Deployment	Actions	Updated (UTC)
docs	Skipped		Apr 30, 2026 1:49am

[cursor]

PR Summary

Medium Risk
Touches multiple production integration routes and request/response contracts (pagination, endpoint selection, and validation), which could impact existing workflows if any behavior changes were relied upon. Changes are mostly defensive and additive, but require careful regression testing against real third-party API responses.

Overview
Hardens Atlassian API interactions across Jira/JSM/Confluence by tightening input validation and pagination, improving error handling, and aligning requests with API expectations. Jira bulk issue reads now validate/sanitize issue keys, JQL escaping is hardened, pagination switches to nextPageToken, notifyUsers is handled explicitly, parent issue handling is normalized, and worklog time inputs reject non-positive/NaN values.

Confluence space/comment/property operations are made more robust: comment update/delete auto-detects footer vs inline comment endpoints, page property updates can auto-fetch the current version when not provided, and space update/delete uses the REST v1 space-key endpoint and surfaces long-task IDs/links on deletion.

Expands tool surface + docs/UX: Google Drive adds search, get_content, move, and untrash operations (with new block UI params and integration catalog updates); Slack list operations gain cursor pagination and update_view enforces an ID; Ashby adds new candidate/note fields and list filters (created/open/closed timestamps, job board/job expansion, include deactivated/archived, etc.) and standardizes auth/error helpers. Corresponding .mdx tool docs are updated to reflect these contract changes (including removing/adjusting deprecated fields like JSM emails and Ashby job/user output fields).

^{Reviewed by Cursor Bugbot for commit 952d1a9. Configure here.}

[greptile-apps]

Greptile Summary

This PR audits and hardens seven integrations across ~104 files, with the broadest scope on Jira. The changes are generally well-considered: NaN guards on worklog inputs, defensive JSON.parse try/catch on proxy responses, domain normalization, JQL injection prevention via project-key regex, and migration to the newer /search/jql pagination API.

• P1 — bulk_read.ts pagination: The break on line 133 fires before the page-token assignment on line 134, leaving the cursor stale on the final page of a multi-page fetch and causing isLast to evaluate incorrectly.

Confidence Score: 4/5

Safe to merge after the stale-cursor bug in bulk_read.ts is resolved.

One P1 logic bug in bulk_read.ts (stale cursor causes incorrect isLast on multi-page results). All other changes are clean hardening with no introduced regressions found.

apps/sim/tools/jira/bulk_read.ts — stale pagination cursor on the terminal break.

Important Files Changed

Filename	Overview
apps/sim/tools/jira/bulk_read.ts	New jira_bulk_read tool with nextPageToken pagination; stale-cursor bug makes isLast incorrect on final multi-page fetch.
apps/sim/tools/jira/utils.ts	Adds normalizeDomain, normalizeJiraWorklogTimestamp, toAdf helpers; exports made public; clean refactor.
apps/sim/tools/jira/write.ts	Added JSON.parse try/catch for proxy 5xx HTML responses; parent field now correctly wrapped as {id} or {key} object.
apps/sim/tools/jira/update.ts	Added JSON.parse try/catch for non-JSON responses; otherwise clean.
apps/sim/tools/jira/add_worklog.ts	NaN guard added for timeSpentSeconds; toAdf helper used for comment body; timestamp normalized.
apps/sim/tools/jira/search_issues.ts	total field fixed to always return null; isLast derivation improved; minor description update.
apps/sim/app/api/tools/jira/issues/route.ts	Issue key regex validation added; pagination migrated from startAt to nextPageToken; escapeJql now escapes backslashes.
apps/sim/app/api/tools/jira/update/route.ts	.json().catch defensive fallback added; notifyUsers ternary now handles explicit true; summaryValue added as fallback in output.
apps/sim/app/api/tools/jsm/organization/route.ts	Added positive-integer guard for organizationId before the Atlassian request; clean improvement.
apps/sim/tools/confluence/update.ts	Removed version param from tool definition; route handler now auto-increments version; body sends {value} which route wraps with representation: storage.
apps/sim/tools/google_drive/share.ts	moveToNewOwnersRoot now gated on transferOwnership; ownership transfers always send sendNotificationEmail=true.
apps/sim/tools/slack/canvas.ts	canvas_id fallback restored to data.id; channel and title fields removed from output.
apps/sim/tools/slack/list_members.ts	Added cursor pagination param and nextCursor output field; channel trimmed.
apps/sim/tools/jira/assign_issue.ts	resolveAssigneeAccountId helper correctly maps empty/null/special strings; .trim() on issueKey.

Sequence Diagram

sequenceDiagram
    participant Caller
    participant BulkRead as jira_bulk_read
    participant Atlassian as Atlassian OAuth Resources
    participant JiraAPI as Jira search/jql

    Caller->>BulkRead: invoke(domain, projectId, accessToken)
    BulkRead->>Atlassian: GET accessible-resources
    Atlassian-->>BulkRead: list of sites with IDs
    BulkRead->>JiraAPI: GET page 1
    JiraAPI-->>BulkRead: issues + pagination token
    alt More pages available
        BulkRead->>JiraAPI: GET page 2 using token
        JiraAPI-->>BulkRead: issues + isLast=true
        Note over BulkRead: BUG: break fires before token is updated, output carries stale token, isLast evaluates to false
    end
    BulkRead-->>Caller: issues + incorrect pagination state

Loading

Comments Outside Diff (1)

1. apps/sim/tools/jira/bulk_read.ts, line 133-134 (link)

   Stale pagination cursor makes isLast wrong on the final page

   When the loop breaks because pageData.isLast is true or pageData.nextPageToken is absent, the break on line 133 fires before the assignment on line 134 executes. So on a two-page fetch the cursor variable still holds the value used to reach the final page rather than being cleared. The output at line 168-169 evaluates isLast: !nextPageToken against this stale value, returning isLast: false and a non-null cursor even though all issues have been consumed. Any caller driving incremental reads off these fields will re-request the already-consumed last page.

   The fix is to run the assignment before evaluating the terminal condition, so the cursor reflects the final page state before the break.

_{Reviews (8): Last reviewed commit: "fix(jira): quote project key in bulk_rea..." | Re-trigger Greptile}

[waleedlatif1]

@greptile

[waleedlatif1]

@cursor review

[waleedlatif1]

@greptile

[waleedlatif1]

@cursor review

[cursor]

✅ Bugbot reviewed your changes and found no new issues!

Comment @cursor review or bugbot run to trigger another review on this PR

^{Reviewed by Cursor Bugbot for commit 5ab87a9. Configure here.}

[waleedlatif1]

@greptile

[waleedlatif1]

@cursor review

[waleedlatif1]

@greptile

[waleedlatif1]

@cursor review

[waleedlatif1]

@greptile

[waleedlatif1]

@cursor review

[waleedlatif1]

@greptile

[waleedlatif1]

@cursor review

[waleedlatif1]

@greptile

[waleedlatif1]

@cursor review

[cursor]

✅ Bugbot reviewed your changes and found no new issues!

Comment @cursor review or bugbot run to trigger another review on this PR

^{Reviewed by Cursor Bugbot for commit 952d1a9. Configure here.}