The latest updates on your projects. Learn more about Vercel for GitHub.

1 Skipped Deployment

Project	Deployment	Actions	Updated (UTC)
docs	Skipped		Jun 11, 2026 7:55pm

@greptile

PR Summary

Medium Risk
Compile sends user LaTeX and attachments to a third-party host and adds a new authenticated upload route with large payloads and remote resource URLs, though it follows existing tool patterns.

Overview
Adds a LaTeX workflow integration (no API key) so agents can compile documents to PDF and query TeX Live packages/fonts.

Compile path: New latex_compile tool and authenticated POST /api/tools/latex proxy to LaTeX-on-HTTP (latex.ytotech.com), with Zod validation (source size, resource paths/URLs), timeouts, PDF size limits, 422 responses with extracted TeX ! log snippets on build failures, and storage via execution uploads or general storage fallback.

Workflow UI: New LaTeX block with operations for compile (compiler choice, JSON resources), package search/detail, and font listing; wired through block/tool registries, integrations.json, LatexIcon, and docs (latex.mdx + nav) including a third-party data-handling warning.

^{Reviewed by Cursor Bugbot for commit 9c98876. Configure here.}

@cursor review

@cursor review

@greptile

Greptile Summary

This PR adds a full LaTeX integration: a latex_compile tool that proxies compilation to the public LaTeX-on-HTTP service, three lookup tools (search_packages, get_package, list_fonts), a block with four operations, and accompanying docs with a third-party disclosure note.

• The compile route is well-guarded with a 50 s AbortSignal timeout, 25 MB PDF size limit, TeX error extraction from compiler log files, and a dual storage path (execution file context or StorageService fallback).
• The Zod contract enforces path-traversal prevention, http/https-only resource URLs, and min(1) guards on resource content and file fields.
• The three lookup tools (search_packages, list_fonts, get_package) call latex.ytotech.com directly via the tool executor's secureFetchWithPinnedIP path (SSRF-protected, 5-minute fallback timeout).

Confidence Score: 5/5

Safe to merge; the compile route is well-bounded and the lookup tools call an unauthenticated public read API with SSRF protection already in place.

The new code adds a clearly scoped integration with no auth state, no database writes, and no mutations to existing paths. Previous review rounds caught and fixed the substantive issues. The two remaining observations are non-blocking style/performance notes.

apps/sim/tools/latex/search_packages.ts — worth investigating whether the upstream /packages endpoint supports a query parameter to avoid downloading the full TeX Live list on every search call.

Important Files Changed

_{Reviews (11): Last reviewed commit: "improvement(latex): make relatedPackages..." | Re-trigger Greptile}

Greptile Summary

This PR adds a full LaTeX integration — a latex_compile tool, an internal /api/tools/latex proxy route, a LaTeX block with templates and skills, icon assets, and docs. The implementation follows existing tool/block patterns well, with solid input validation (Zod contract with superRefine for the exactly-one-of resource constraint), proper error extraction from compiler log files, and a storage fallback for non-execution contexts.

• Route & tool: The API route proxies LaTeX source to latex.ytotech.com, reads the resulting PDF into a bounded buffer (MAX_PDF_BYTES = 25 MB), and stores it via uploadExecutionFile or StorageService, returning a file object and URL to the caller.
• Contract & validation: latexCompileBodySchema enforces size limits on source and resources, an enum on supported compilers, and mutually exclusive resource content fields — however, resource path values are not guarded against ../ traversal sequences, and url resources are forwarded to the external service without restricting schemes or host ranges.
• Fetch reliability: The upstream fetch to latex.ytotech.com is missing an explicit AbortSignal timeout, unlike other tool routes (e.g. TTS) that use AbortSignal.timeout(); the Vercel maxDuration = 60 is the only backstop.

Confidence Score: 4/5

The new LaTeX integration is well-structured and follows the project's tool/block patterns. The main areas to revisit before merging are the missing fetch timeout on the upstream call and the lack of filtering on url/path resource fields before they are forwarded to the external compilation service.

The integration adds no regressions to existing functionality. The two resource-field issues (unfiltered url and unsanitized path) only affect the external latex.ytotech.com service on the current deployment topology, but could have broader impact if the service is ever self-hosted. The missing AbortSignal is a reliability gap that Vercel's maxDuration partially mitigates. All three are straightforward to fix.

apps/sim/app/api/tools/latex/route.ts and apps/sim/lib/api/contracts/tools/latex.ts need attention for the timeout and resource validation gaps.

Important Files Changed

Sequence Diagram

sequenceDiagram
    participant Client as Sim Workflow Executor
    participant Route as /api/tools/latex (Next.js)
    participant Upstream as latex.ytotech.com
    participant Storage as StorageService / uploadExecutionFile

    Client->>Route: POST /api/tools/latex
    Route->>Route: checkInternalAuth + Zod validation
    Route->>Upstream: POST /builds/sync
    Upstream-->>Route: 200 application/pdf OR 400 JSON
    alt Compile success
        Route->>Route: readResponseToBufferWithLimit
        Route->>Storage: uploadExecutionFile or StorageService.uploadFile
        Storage-->>Route: url + path
        Route-->>Client: pdfFile, pdfUrl, fileName, compiler
    else Compile error
        Route->>Route: extractCompilationErrors(log_files)
        Route-->>Client: 422 error with TeX error lines
    else Upstream error
        Route-->>Client: 502 service error
    end

_{Reviews (2): Last reviewed commit: "fix(latex): surface extracted TeX errors..." | Re-trigger Greptile}

Greptile Summary

This PR adds a complete LaTeX integration — a latex_compile tool and matching block — that proxies LaTeX source to the public latex.ytotech.com compilation service and stores the resulting PDF as an execution file.

• API route (/api/tools/latex): validates input via a Zod contract, forwards the payload to the upstream compile service, extracts TeX error lines from the compiler log on failure, and stores the PDF through uploadExecutionFile (with a StorageService fallback).
• Tool & block: full ToolConfig, BlockConfig, BlockMeta templates/skills, icons in both sim and docs, and auto-generated docs — all wired into the block and tool registries.
• Contract: well-structured with size limits (1 MB source, 25 resources, 512-char path) and a superRefine check enforcing exactly one content type per resource.

Confidence Score: 4/5

Safe to merge as-is; the integration is fully wired and functional, with two non-blocking quality items worth addressing in a follow-up.

The route, tool, block, and registry additions are well-structured and follow the project's existing patterns. The fetch to latex.ytotech.com lacks an AbortSignal timeout, so a slow or hung external service will hold a serverless slot for the full 60-second window rather than returning cleanly. User LaTeX source is forwarded to that public third-party service with no in-app disclosure, which is an architectural decision that should at minimum be surfaced in documentation. Neither issue causes incorrect behavior under normal conditions.

apps/sim/app/api/tools/latex/route.ts (fetch timeout and third-party disclosure) and apps/sim/tools/latex/types.ts (pdf typed as unknown).

Important Files Changed

Sequence Diagram

sequenceDiagram
    participant Client as Sim Executor
    participant Route as /api/tools/latex
    participant Upstream as latex.ytotech.com
    participant Storage as Storage (Execution / Copilot)

    Client->>Route: "POST {content, compiler, resources, executionId?}"
    Route->>Route: checkInternalAuth + Zod validate
    Route->>Upstream: "POST /builds/sync {compiler, resources[{main:true, content}, ...]}"
    alt success (200 + application/pdf)
        Upstream-->>Route: PDF binary
        Route->>Route: "readResponseToBufferWithLimit (<=25 MB)"
        alt executionId present
            Route->>Storage: uploadExecutionFile(pdfBuffer)
        else fallback
            Route->>Storage: StorageService.uploadFile(pdfBuffer, context:copilot)
        end
        Storage-->>Route: pdfFile / fileInfo
        Route-->>Client: "{pdfFile, pdfUrl, fileName, compiler}"
    else compile failure (4xx + error JSON)
        Upstream-->>Route: "{error, log_files}"
        Route->>Route: extractCompilationErrors(log_files)
        Route-->>Client: "422 {error: LaTeX compilation failed}"
    else service error (5xx / unexpected)
        Upstream-->>Route: error response
        Route-->>Client: "502 {error: LaTeX compile service error}"
    end

_{Reviews (3): Last reviewed commit: "fix(latex): surface extracted TeX errors..." | Re-trigger Greptile}

Addressed all three Greptile findings in 2ae901b:

• Fetch timeout: the upstream compile call now uses AbortSignal.timeout(50s) (headroom within the route's 60s maxDuration to store the PDF), returning 504 on timeout instead of holding compute until the platform cutoff
• Error-code interpolation: the third-party error field is now capped at 100 chars via truncate() before being included in client-facing messages
• Empty resource payloads: content and file resource fields now have min(1) guards, so zero-byte resources are rejected at validation

@greptile

@cursor review

Pushed two updates in bd67bd7 (and rebased the branch onto origin/staging so the PR contains only the LaTeX commits):

• New tools: latex_search_packages (search the 5,000+ TeX Live packages by name/description), latex_get_package (exact package lookup with install status, license, topics, related packages), and latex_list_fonts (filterable list of the 2,700+ fonts available to xelatex/lualatex via fontspec) — all verified against the live API
• Block now has an operation dropdown (Compile Document / Search Packages / Get Package Details / List Fonts) with per-operation conditions, and the fix-compilation-errors skill references the new lookups

@greptile

@cursor review

@greptile

@cursor review

@greptile

@cursor review

@greptile review

@greptile review

@cursor review

@greptile review

@cursor review

@greptile review

@cursor review