Conversation
* feat(transport): replace shared chat transport with mothership-stream module * improvement(contracts): regenerate contracts from go * feat(tools): add tool catalog codegen from go tool contracts * feat(tools): add tool-executor dispatch framework for sim side tool routing * feat(orchestrator): rewrite tool dispatch with catalog-driven executor and simplified resume loop * feat(orchestrator): checkpoint resume flow * refactor(copilot): consolidate orchestrator into request/ layer * refactor(mothership): reorganize lib/copilot into structured subdirectories * refactor(mothership): canonical transcript layer, dead code cleanup, type consolidation * refactor(mothership): rebase onto latest staging * refactor(mothership): rename request continue to lifecycle * feat(trace): add initial version of request traces * improvement(stream): batch stream from redis * fix(resume): fix the resume checkpoint * fix(resume): fix resume client tool * fix(subagents): subagent resume should join on existing subagent text block * improvement(reconnect): harden reconnect logic * fix(superagent): fix superagent integration tools * improvement(stream): improve stream perf * Rebase with origin dev * fix(tests): fix failing test * fix(build): fix type errors * fix(build): fix build errors * fix(build): fix type errors * feat(mothership): add cli execution * fix(mothership): fix function execute tests
|
The latest updates on your projects. Learn more about Vercel for GitHub. |
PR SummaryMedium Risk Overview Expands Copilot/Mothership APIs. Adds a GET-only chat query endpoint ( Changes background execution and CI behavior. CI now builds/pushes File and UI updates. File serving can now compile and cache Reviewed by Cursor Bugbot for commit 949601c. Configure here. |
There was a problem hiding this comment.
Cursor Bugbot has reviewed your changes and found 3 potential issues.
Bugbot Autofix prepared fixes for 2 of the 3 issues found in the latest run.
- ✅ Fixed: Promise.allSettled silently swallows chat resolution errors
- Added explicit check for rejected chatResult status that logs the error and returns a 500 response, preventing silent error swallowing.
- ✅ Fixed: Endpoint parameter allows path traversal in proxy URL
- Added regex validation to restrict endpoint parameter to alphanumeric characters, underscores, and hyphens only, preventing path traversal attacks.
Or push these changes by commenting:
@cursor push d1fd2cb4f0
Preview (d1fd2cb4f0)
diff --git a/apps/sim/app/api/admin/mothership/route.ts b/apps/sim/app/api/admin/mothership/route.ts
--- a/apps/sim/app/api/admin/mothership/route.ts
+++ b/apps/sim/app/api/admin/mothership/route.ts
@@ -41,6 +41,10 @@
return NextResponse.json({ error: 'endpoint query param required' }, { status: 400 })
}
+ if (!/^[a-zA-Z0-9_-]+$/.test(endpoint)) {
+ return NextResponse.json({ error: 'Invalid endpoint parameter' }, { status: 400 })
+ }
+
const baseUrl = getMothershipUrl(environment)
if (!baseUrl) {
return NextResponse.json(
@@ -93,6 +97,10 @@
return NextResponse.json({ error: 'endpoint query param required' }, { status: 400 })
}
+ if (!/^[a-zA-Z0-9_-]+$/.test(endpoint)) {
+ return NextResponse.json({ error: 'Invalid endpoint parameter' }, { status: 400 })
+ }
+
const baseUrl = getMothershipUrl(environment)
if (!baseUrl) {
return NextResponse.json(
diff --git a/apps/sim/app/api/mothership/chat/route.ts b/apps/sim/app/api/mothership/chat/route.ts
--- a/apps/sim/app/api/mothership/chat/route.ts
+++ b/apps/sim/app/api/mothership/chat/route.ts
@@ -142,6 +142,14 @@
return NextResponse.json({ error: 'Workspace not found or access denied' }, { status: 403 })
}
+ if (chatResult.status === 'rejected') {
+ logger.error(`[${tracker.requestId}] Failed to resolve chat`, {
+ chatId,
+ error: chatResult.reason instanceof Error ? chatResult.reason.message : 'Unknown error',
+ })
+ return NextResponse.json({ error: 'Failed to resolve chat' }, { status: 500 })
+ }
+
let currentChat: any = null
let conversationHistory: any[] = []
let actualChatId = chatIdThis Bugbot Autofix run was free. To enable autofix for future PRs, go to the Cursor dashboard.
Reviewed by Cursor Bugbot for commit 949601c. Configure here.
| currentChat = chatResult.chat | ||
| actualChatId = chatResult.chatId || chatId | ||
| conversationHistory = Array.isArray(chatResult.conversationHistory) | ||
| ? chatResult.conversationHistory |
There was a problem hiding this comment.
Promise.allSettled silently swallows chat resolution errors
High Severity
When resolveOrCreateChat rejects (e.g., a database error while chatId is provided), Promise.allSettled catches the rejection silently. The chatResult.status will be 'rejected', so the if (chatResult.status === 'fulfilled' && chatResult.value) block is skipped entirely — including the chatId && !currentChat guard that returns a 404. The code then continues with actualChatId still set to the user-provided chatId, leading to lock acquisition, user message persistence, and SSE stream creation against a potentially non-existent or inaccessible chat.
Reviewed by Cursor Bugbot for commit 949601c. Configure here.
| ) | ||
| } | ||
|
|
||
| const targetUrl = `${baseUrl}/api/admin/${endpoint}` |
There was a problem hiding this comment.
Endpoint parameter allows path traversal in proxy URL
Medium Severity
The endpoint query parameter is interpolated directly into the target URL (${baseUrl}/api/admin/${endpoint}) without any sanitization or validation. A value like ../../other-path would resolve to ${baseUrl}/other-path, allowing an admin user to reach arbitrary paths on the mothership server beyond /api/admin/. The same issue exists in both the POST and GET handlers.
Additional Locations (1)
Reviewed by Cursor Bugbot for commit 949601c. Configure here.
| jobs: | ||
| test-build: | ||
| name: Test and Build | ||
| if: github.ref != 'refs/heads/dev' || github.event_name == 'pull_request' |
There was a problem hiding this comment.
Dev branch skips CI tests before building and deploying
Medium Severity
The test-build job is skipped for pushes to the dev branch (line 19), and build-dev only depends on detect-version, not test-build. Combined with migrate-dev running migrations after the build, this means untested code gets built into Docker images and database migrations are applied to the dev environment without any test validation.
Additional Locations (1)
Reviewed by Cursor Bugbot for commit 949601c. Configure here.
There was a problem hiding this comment.
Bugbot Autofix determined this is a false positive.
This is intentional design: PRs to dev still run tests (via the pull_request condition), only direct pushes to dev skip tests for faster iteration cycles in the dev environment.
This Bugbot Autofix run was free. To enable autofix for future PRs, go to the Cursor dashboard.
Summary
Brief description of what this PR does and why.
Fixes #(issue)
Type of Change
Testing
How has this been tested? What should reviewers focus on?
Checklist
Screenshots/Videos