fix(ci): revert client-bundled tools to avoid .server import in client

Author: waleedlatif1

apps/sim/app/api/tools/agiloft/attach/route.ts

@@ -4,8 +4,7 @@ import { type NextRequest, NextResponse } from 'next/server'
 import { agiloftAttachContract } from '@/lib/api/contracts/tools/agiloft'
 import { getValidationErrorMessage, parseRequest } from '@/lib/api/server'
 import { checkInternalAuth } from '@/lib/auth/hybrid'
-import { validateAgiloftInstanceUrl } from '@/lib/core/security/input-validation'
-import { secureFetchWithPinnedIP } from '@/lib/core/security/input-validation.server'
+import { validateUrlWithDNS } from '@/lib/core/security/input-validation.server'
 import { generateRequestId } from '@/lib/core/utils/request'
 import { withRouteHandler } from '@/lib/core/utils/with-route-handler'
 import type { RawFileInput } from '@/lib/uploads/utils/file-schemas'
@@ -70,26 +69,26 @@ export const POST = withRouteHandler(async (request: NextRequest) => {
     const fileBuffer = await downloadFileFromStorage(userFile, requestId, logger)
     const resolvedFileName = data.fileName || userFile.name || 'attachment'
 
-    const surfaceCheck = validateAgiloftInstanceUrl(data.instanceUrl)
-    if (!surfaceCheck.isValid) {
+    const urlValidation = await validateUrlWithDNS(data.instanceUrl, 'instanceUrl')
+    if (!urlValidation.isValid) {
       logger.warn(`[${requestId}] SSRF attempt blocked for Agiloft instance URL`, {
         instanceUrl: data.instanceUrl,
       })
       return NextResponse.json(
-        { success: false, error: surfaceCheck.error || 'Invalid instance URL' },
+        { success: false, error: urlValidation.error || 'Invalid instance URL' },
         { status: 400 }
       )
     }
 
-    const { token, resolvedIP } = await agiloftLogin(data)
+    const token = await agiloftLogin(data)
     const base = data.instanceUrl.replace(/\/$/, '')
 
     try {
       const url = buildAttachFileUrl(base, data, resolvedFileName)
 
       logger.info(`[${requestId}] Uploading file to Agiloft: ${resolvedFileName}`)
 
-      const agiloftResponse = await secureFetchWithPinnedIP(url, resolvedIP, {
+      const agiloftResponse = await fetch(url, {
         method: 'PUT',
         headers: {
           'Content-Type': 'application/octet-stream',
@@ -133,7 +132,7 @@ export const POST = withRouteHandler(async (request: NextRequest) => {
         },
       })
     } finally {
-      await agiloftLogout(data.instanceUrl, data.knowledgeBase, token, resolvedIP)
+      await agiloftLogout(data.instanceUrl, data.knowledgeBase, token)
     }
   } catch (error) {
     logger.error(`[${requestId}] Error attaching file to Agiloft:`, error)

apps/sim/app/api/tools/agiloft/retrieve/route.ts

@@ -4,8 +4,7 @@ import { type NextRequest, NextResponse } from 'next/server'
 import { agiloftRetrieveContract } from '@/lib/api/contracts/tools/agiloft'
 import { getValidationErrorMessage, parseRequest } from '@/lib/api/server'
 import { checkInternalAuth } from '@/lib/auth/hybrid'
-import { validateAgiloftInstanceUrl } from '@/lib/core/security/input-validation'
-import { secureFetchWithPinnedIP } from '@/lib/core/security/input-validation.server'
+import { validateUrlWithDNS } from '@/lib/core/security/input-validation.server'
 import { generateRequestId } from '@/lib/core/utils/request'
 import { withRouteHandler } from '@/lib/core/utils/with-route-handler'
 import { agiloftLogin, agiloftLogout, buildRetrieveAttachmentUrl } from '@/tools/agiloft/utils'
@@ -49,18 +48,18 @@ export const POST = withRouteHandler(async (request: NextRequest) => {
     if (!parsed.success) return parsed.response
     const data = parsed.data.body
 
-    const surfaceCheck = validateAgiloftInstanceUrl(data.instanceUrl)
-    if (!surfaceCheck.isValid) {
+    const urlValidation = await validateUrlWithDNS(data.instanceUrl, 'instanceUrl')
+    if (!urlValidation.isValid) {
       logger.warn(`[${requestId}] SSRF attempt blocked for Agiloft instance URL`, {
         instanceUrl: data.instanceUrl,
       })
       return NextResponse.json(
-        { success: false, error: surfaceCheck.error || 'Invalid instance URL' },
+        { success: false, error: urlValidation.error || 'Invalid instance URL' },
         { status: 400 }
       )
     }
 
-    const { token, resolvedIP } = await agiloftLogin(data)
+    const token = await agiloftLogin(data)
     const base = data.instanceUrl.replace(/\/$/, '')
 
     try {
@@ -72,7 +71,7 @@ export const POST = withRouteHandler(async (request: NextRequest) => {
         position: data.position,
       })
 
-      const agiloftResponse = await secureFetchWithPinnedIP(url, resolvedIP, {
+      const agiloftResponse = await fetch(url, {
         method: 'GET',
         headers: {
           Authorization: `Bearer ${token}`,
@@ -124,7 +123,7 @@ export const POST = withRouteHandler(async (request: NextRequest) => {
         },
       })
     } finally {
-      await agiloftLogout(data.instanceUrl, data.knowledgeBase, token, resolvedIP)
+      await agiloftLogout(data.instanceUrl, data.knowledgeBase, token)
     }
   } catch (error) {
     logger.error(`[${requestId}] Error retrieving Agiloft attachment:`, error)

apps/sim/tools/agiloft/utils.ts

@@ -1,11 +1,5 @@
 import { createLogger } from '@sim/logger'
-import { toError } from '@sim/utils/errors'
-import { validateAgiloftInstanceUrl } from '@/lib/core/security/input-validation'
-import {
-  type SecureFetchResponse,
-  secureFetchWithPinnedIP,
-  validateUrlWithDNS,
-} from '@/lib/core/security/input-validation.server'
+import { validateExternalUrl } from '@/lib/core/security/input-validation'
 import type {
   AgiloftAttachmentInfoParams,
   AgiloftBaseParams,
@@ -27,69 +21,40 @@ interface AgiloftRequestConfig {
   url: string
   method: HttpMethod
   headers?: Record<string, string>
-  body?: string | Buffer | Uint8Array
-}
-
-/**
- * Result of a successful Agiloft authentication. The `resolvedIP` is the
- * DNS-resolved address of the instance and MUST be reused (via
- * `secureFetchWithPinnedIP`) for every follow-up request to defeat DNS
- * rebinding between the validation step and the actual call.
- */
-export interface AgiloftSession {
-  token: string
-  resolvedIP: string
-}
-
-/**
- * Validates the user-supplied Agiloft instance URL with DNS resolution so
- * SSRF protections cannot be bypassed by hostnames that resolve to internal
- * addresses (or that flip after a sync-only check).
- */
-async function validateInstanceUrl(instanceUrl: string): Promise<string> {
-  const surfaceCheck = validateAgiloftInstanceUrl(instanceUrl)
-  if (!surfaceCheck.isValid) {
-    throw new Error(`Invalid Agiloft instance URL: ${surfaceCheck.error}`)
-  }
-
-  const dnsCheck = await validateUrlWithDNS(instanceUrl, 'instanceUrl')
-  if (!dnsCheck.isValid || !dnsCheck.resolvedIP) {
-    throw new Error(`Invalid Agiloft instance URL: ${dnsCheck.error ?? 'unresolved hostname'}`)
-  }
-
-  return dnsCheck.resolvedIP
+  body?: BodyInit
 }
 
 /**
  * Exchanges login/password for a short-lived Bearer token via EWLogin.
- *
- * Returns the token alongside the DNS-resolved IP of the instance so callers
- * can pin every subsequent request to the same address.
  */
-async function agiloftLogin(params: AgiloftBaseParams): Promise<AgiloftSession> {
-  const resolvedIP = await validateInstanceUrl(params.instanceUrl)
+async function agiloftLogin(params: AgiloftBaseParams): Promise<string> {
   const base = params.instanceUrl.replace(/\/$/, '')
 
+  const urlValidation = validateExternalUrl(params.instanceUrl, 'instanceUrl')
+  if (!urlValidation.isValid) {
+    throw new Error(`Invalid Agiloft instance URL: ${urlValidation.error}`)
+  }
+
   const kb = encodeURIComponent(params.knowledgeBase)
   const login = encodeURIComponent(params.login)
   const password = encodeURIComponent(params.password)
 
   const url = `${base}/ewws/EWLogin?$KB=${kb}&$login=${login}&$password=${password}`
-  const response = await secureFetchWithPinnedIP(url, resolvedIP, { method: 'POST' })
+  const response = await fetch(url, { method: 'POST' })
 
   if (!response.ok) {
     const errorText = await response.text()
     throw new Error(`Agiloft login failed: ${response.status} - ${errorText}`)
   }
 
-  const data = (await response.json()) as { access_token?: string }
+  const data = await response.json()
   const token = data.access_token
 
   if (!token) {
     throw new Error('Agiloft login did not return an access token')
   }
 
-  return { token, resolvedIP }
+  return token
 }
 
 /**
@@ -98,41 +63,41 @@ async function agiloftLogin(params: AgiloftBaseParams): Promise<AgiloftSession>
 async function agiloftLogout(
   instanceUrl: string,
   knowledgeBase: string,
-  token: string,
-  resolvedIP: string
+  token: string
 ): Promise<void> {
   try {
     const base = instanceUrl.replace(/\/$/, '')
     const kb = encodeURIComponent(knowledgeBase)
-    await secureFetchWithPinnedIP(`${base}/ewws/EWLogout?$KB=${kb}`, resolvedIP, {
+    await fetch(`${base}/ewws/EWLogout?$KB=${kb}`, {
       method: 'POST',
       headers: { Authorization: `Bearer ${token}` },
     })
   } catch (error) {
-    logger.warn('Agiloft logout failed (best-effort)', { error: toError(error).message })
+    logger.warn('Agiloft logout failed (best-effort)', { error })
   }
 }
 
 /**
  * Shared wrapper that handles the full auth lifecycle:
- * 1. Validate the instance URL (with DNS resolution) and login to get a Bearer token
- * 2. Execute the request against the pinned IP with the token
- * 3. Logout to clean up the session (also pinned)
+ * 1. Login to get Bearer token
+ * 2. Execute the request with the token
+ * 3. Logout to clean up the session
  *
- * Every fetch is performed via `secureFetchWithPinnedIP`, so DNS rebinding
- * between validation and the subsequent calls is not possible.
+ * The `buildRequest` callback receives the token and base URL, and returns
+ * the request config. The `transformResponse` callback converts the raw
+ * Response into the tool's output format.
  */
 export async function executeAgiloftRequest<R extends ToolResponse>(
   params: AgiloftBaseParams,
   buildRequest: (base: string) => AgiloftRequestConfig,
-  transformResponse: (response: SecureFetchResponse) => Promise<R>
+  transformResponse: (response: Response) => Promise<R>
 ): Promise<R> {
-  const { token, resolvedIP } = await agiloftLogin(params)
+  const token = await agiloftLogin(params)
   const base = params.instanceUrl.replace(/\/$/, '')
 
   try {
     const req = buildRequest(base)
-    const response = await secureFetchWithPinnedIP(req.url, resolvedIP, {
+    const response = await fetch(req.url, {
       method: req.method,
       headers: {
         ...req.headers,
@@ -142,14 +107,12 @@ export async function executeAgiloftRequest<R extends ToolResponse>(
     })
     return await transformResponse(response)
   } finally {
-    await agiloftLogout(params.instanceUrl, params.knowledgeBase, token, resolvedIP)
+    await agiloftLogout(params.instanceUrl, params.knowledgeBase, token)
   }
 }
 
 /**
- * Login helper exported for use in the attach/retrieve API routes. The route
- * is responsible for using the returned `resolvedIP` with
- * `secureFetchWithPinnedIP` (or `agiloftLogout`) on every follow-up request.
+ * Login helper exported for use in the attach file API route.
  */
 export { agiloftLogin, agiloftLogout }
 

apps/sim/tools/grafana/update_alert_rule.ts

@@ -1,4 +1,3 @@
-import { secureFetchWithValidation } from '@/lib/core/security/input-validation.server'
 import type { GrafanaUpdateAlertRuleParams } from '@/tools/grafana/types'
 import type { ToolConfig, ToolResponse } from '@/tools/types'
 
@@ -189,14 +188,13 @@ export const updateAlertRuleTool: ToolConfig<GrafanaUpdateAlertRuleParams, ToolR
       headers['X-Grafana-Org-Id'] = params.organizationId
     }
 
-    const updateResponse = await secureFetchWithValidation(
+    const updateResponse = await fetch(
       `${params.baseUrl.replace(/\/$/, '')}/api/v1/provisioning/alert-rules/${params.alertRuleUid}`,
       {
         method: 'PUT',
         headers,
         body: JSON.stringify(updatedRule),
-      },
-      'baseUrl'
+      }
     )
 
     if (!updateResponse.ok) {

apps/sim/tools/grafana/update_dashboard.ts

@@ -1,4 +1,3 @@
-import { secureFetchWithValidation } from '@/lib/core/security/input-validation.server'
 import type { GrafanaUpdateDashboardParams } from '@/tools/grafana/types'
 import type { ToolConfig, ToolResponse } from '@/tools/types'
 
@@ -183,15 +182,11 @@ export const updateDashboardTool: ToolConfig<GrafanaUpdateDashboardParams, ToolR
       headers['X-Grafana-Org-Id'] = params.organizationId
     }
 
-    const updateResponse = await secureFetchWithValidation(
-      `${params.baseUrl.replace(/\/$/, '')}/api/dashboards/db`,
-      {
-        method: 'POST',
-        headers,
-        body: JSON.stringify(body),
-      },
-      'baseUrl'
-    )
+    const updateResponse = await fetch(`${params.baseUrl.replace(/\/$/, '')}/api/dashboards/db`, {
+      method: 'POST',
+      headers,
+      body: JSON.stringify(body),
+    })
 
     if (!updateResponse.ok) {
       const errorText = await updateResponse.text()