* improvement(execution): memory usage for aggregated results

* progress

* address comments

* loop/parallel results compaction

* address comment

* remove build files, harden edge cases

* remove hotpath serialiazation

* display change to make use of only preview

* materialize refs before sending in response block

* preserve exact large-value access through workflow materialization

* address comments

* progress

* fix notif error + sync manifest undefined exit

* fix streaming ref materialization

* fix tests

#4658)

* fix(security): remove localhost CORS origin, consolidate CORS in proxy

Move all /api/* CORS handling from next.config.ts to proxy.ts so the
runtime can resolve allowed origin per-request instead of baking it at
build time (which produced "Access-Control-Allow-Origin: http://localhost:3000"
with credentials:true in production).

- proxy.ts: per-route CORS policy table covering auth, MCP, form, and
  workflow execute endpoints; OPTIONS preflight short-circuit; Vary:
  Origin when origin is not '*'; form routes defer to route handler's
  addCorsHeaders to avoid double-setting
- next.config.ts: drop all /api/* Access-Control-Allow-* headers; keep
  COEP/COOP/CSP
- deployment.ts: addCorsHeaders sets Vary: Origin alongside reflected
  Allow-Origin
- Dockerfile: drop NEXT_PUBLIC_APP_URL build placeholder (Zod has
  skipValidation:true; build path doesn't read it)
- Remove 8 dead OPTIONS handlers and their preflight tests now that the
  proxy handles preflight uniformly

* refactor(cors): consolidate API CORS into proxy as single source of truth

Move CORS for /api/chat/* and /api/form/* into the proxy policy table with
reflected-origin + credentials:false, and delete the per-route addCorsHeaders
helper. Routes no longer set CORS headers — the proxy is the only writer.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>

* refactor(cors): convert proxy CORS policy chain to a rule table + add tests

Replace the if/else chain in resolveApiCorsPolicy with a CORS_RULES table
so each route's policy lives in one place and is trivially scannable.
Add proxy.test.ts covering each rule and the wildcard-with-credentials
invariant.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>

* fix(cors): scope embed CORS rule to /api/{chat,form}/[identifier] only

The embed policy (reflected origin, credentials:false) was matching
workspace-internal session-authed routes — /api/chat, /api/chat/manage/*,
/api/chat/validate, and the form equivalents — which need the default
credentialed policy. Tighten the matcher to the embed paths only and add
tests covering the exclusion.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>

* refactor(cors): replace embed-path regex with explicit segment check

The regex form `^/api/(chat|form)/(?!manage|validate)[^/]+(/(otp|sso))?$`
was opaque on review and would silently exclude any future identifier
subroute outside the hard-coded (otp|sso) group from the embed policy.
Replace it with an imperative segment check and a named
EMBED_RESERVED_SEGMENTS Set, so the policy boundary is visible at the
top of the function and adding a reserved subpath is a one-line diff.
Add a test asserting that future identifier subroutes also get the
embed policy.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>

* fix(cors): allow PUT in embed CORS policy for OTP verification

Both /api/chat/[identifier]/otp and /api/form/[identifier]/otp export
PUT for OTP code verification. The embed policy advertised only
GET/POST/OPTIONS, so cross-origin embed clients failed preflight on
verify. Add PUT and assert it in the embed policy test.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>

---------

Co-authored-by: Claude Opus 4.7 <noreply@anthropic.com>

…ch (#4662)

* feat(wiza): add Wiza integration for B2B prospect enrichment and search

* fix(wiza): coerce reveal id to string, skip empty filters in prospect search

* fix(wiza): throw on invalid JSON in advanced filter fields instead of silently dropping

* improvement(cleanup): cleanup refs along in logs cleanup job

* address comments

* cleanup code

#4665)

* fix(docker): restore NEXT_PUBLIC_APP_URL build arg with dummy fallback

getBaseUrl() in lib/core/utils/urls is evaluated at module load during
next build's page-data collection and throws if NEXT_PUBLIC_APP_URL is
unset. PR #4658 removed the build arg, breaking the Docker build at the
"/_not-found" page-data collection step.

Restore the dummy localhost fallback (mirroring DATABASE_URL). The CORS
fix from #4658 is preserved: next.config.ts no longer reads
NEXT_PUBLIC_APP_URL at build time, and no module-level expression
captures getBaseUrl() — every caller invokes it at request time, where
getEnv() reads the deployed container env. The dummy localhost value
cannot leak into runtime CORS response headers.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>

* chore(docker): trim verbose comment on build-time env args

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>

---------

Co-authored-by: Claude Opus 4.7 <noreply@anthropic.com>

* azure devops logo on white

* generated ADO tool docs

* generated ADO tool docs

* added ADO to registries

* ADO workflow triggers

* ADO workflow triggers

* tool layer for ADO, checks passed and manual verified

* ADO workflow triggers

* block layer for ADO

* ADO icon svg

* generated docs for ADO triggers

* committing the tests for azure devops tools and blocks

* Update apps/sim/triggers/azure_devops/utils.ts

Co-authored-by: greptile-apps[bot] <165735046+greptile-apps[bot]@users.noreply.github.com>

* Update apps/sim/tools/azure_devops/update_work_item.ts

Co-authored-by: greptile-apps[bot] <165735046+greptile-apps[bot]@users.noreply.github.com>

* Update apps/sim/triggers/azure_devops/utils.ts

Co-authored-by: greptile-apps[bot] <165735046+greptile-apps[bot]@users.noreply.github.com>

* comma syntax error patched

* azure devops: validate-integration fixes + manual description

- bgColor switched from white to Azure DevOps brand color #0078D4 (block + mdx)
- WIQL query_work_items: hydrate ALL matched IDs by chunking through batches
  of 200 instead of silently truncating; check response.ok on the follow-up
  fetch and surface a clear error on 4xx/5xx; trim org/project; expose
  totalMatched in metadata so users can see pre-hydration count
- Add MANUAL-CONTENT-START:intro section to the azure_devops.mdx docs page
- Update unit tests for new chunking behavior and update-work-item validation

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>

* azure_devops: second-pass audit fixes + formatter cleanup

- Add types barrel export to tools/azure_devops/index.ts
- Normalize comment endpoint path casing (/workItems/ -> /workitems/)
- Update test assertions to match normalized path
- Biome formatter reflow across tools, triggers, registry, and docs icon

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>

* azure_devops: address PR review comments

- Fix bgColor #FFFFFF -> #0078D4 in integrations.json and triggers/azure_devops.mdx
- Bump File tool operationCount from 4 to 5 (Read, Fetch, Get, Write, Append)
- Apply .trim() to org/project across all 15 remaining tools (consistency with query_work_items)
- Fix Found ${data.count} -> Found ${data.count ?? items.length} fallback in list_builds, list_pipelines, list_pipeline_runs content strings

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>

* idemtpotency

* azure_devops: address bugbot review comments

- triggers/utils: match build.complete result case-insensitively, accept stopped/cancelled in addition to failed/canceled/partiallySucceeded so PascalCase and legacy Azure DevOps payloads aren't dropped
- get_work_items_batch: chunk comma-separated IDs into 200-batch loops with proper status checks (was failing or returning incomplete data on >200 IDs)
- Add tests for both behaviors

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>

* azure_devops: address additional bugbot comments

- Block update_work_item now forwards areaPath; the Area Path subblock condition expanded to include update operation
- get_build_timeline.failedRecords now also flags partiallySucceeded and succeededWithIssues, normalized case-insensitively. Output description and added a focused test

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>

* azure_devops: address more bugbot comments

- Webhook provider extractIdempotencyId returns null when subscriptionId or notificationId is missing/empty, preventing the literal "azure_devops:undefined:undefined" key from collapsing unrelated deliveries into duplicates
- Get Work Items Batch validates that at least one non-empty ID is supplied before issuing the API request, throwing a clear error instead of hitting an empty ids= query
- Tests cover both behaviors

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>

* azure_devops: pin add_comment to documented api-version 7.0-preview.3

Microsoft's Add Comments docs only publish 7.0-preview.3 (the 7.2 view falls back to the 7.0 page). Get Comments stays on the documented 7.2-preview.4. Matches what's strictly in the Azure DevOps REST API reference rather than relying on undocumented version behavior.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>

---------

Co-authored-by: Marcus Chandra <mzxchandra@gmail.com>
Co-authored-by: mzxchandra <129460234+mzxchandra@users.noreply.github.com>
Co-authored-by: greptile-apps[bot] <165735046+greptile-apps[bot]@users.noreply.github.com>
Co-authored-by: Claude Opus 4.7 <noreply@anthropic.com>

* feat(integrations): add Gong incident.io Railway and New Relic

* fix(railway): preserve explicit empty variable values

* fix(incidentio): fail on invalid workflow JSON

* fix(new-relic): validate custom attributes JSON

* fix(integrations): address incident workflow review fixes

* chore(docs): apply lint formatting

* chore: refresh integration docs and validation fixes

* more

* fix(integrations): address PR review comments

* fix(gong): align list calls block validation

…ch (#4668)

* improvement(workflow-search): include block names in in-workflow search

Adds block names to the workflow search index alongside subblock content. Selecting a block-name match navigates to the block and highlights its title in the editor header with the same orange treatment used for subblock labels.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>

* refactor(panel-store): derive ActiveSearchTargetKind from WorkflowSearchTarget

Replaces the hand-maintained literal union with a derived type so adding a new target kind in search-replace/types.ts automatically propagates here.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>

---------

Co-authored-by: Claude Opus 4.7 <noreply@anthropic.com>

…4670)

The editor title h2 uses truncate (overflow:hidden) so the search highlight's -3px box-shadow was getting clipped on the left, exposing the mark's sharp edge. Replaces overflow:hidden with overflow:clip plus a 3px overflow-clip-margin so the shadow can bleed past the clip boundary without shifting the title text or breaking truncation.

Co-authored-by: Claude Opus 4.7 <noreply@anthropic.com>

…atest models + fixes (#4667)

* improvement(media-blocks): new versions of image and video gen with latest models + fixes

* respect versioning for icons

* fix integration routes

* address comments

* address api mismatches

* more ltx 2.3 durations

* typing tightness

…d new relic integrations