The latest updates on your projects. Learn more about Vercel for GitHub.

1 Skipped Deployment

Project	Deployment	Actions	Updated (UTC)
docs	Skipped		Jun 12, 2026 12:39am

️✅ There are no secrets present in this pull request anymore.

If these secrets were true positive and are still valid, we highly recommend you to revoke them.
While these secrets were previously flagged, we no longer have a reference to the
specific commits where they were detected. Once a secret has been leaked into a git
repository, you should consider it compromised, even if it was deleted immediately.
Find here more information about risks.

^{_{🦉 GitGuardian detects secrets in your source code to help developers and security teams secure the modern development process. You are seeing this because you or someone else with access to this repository has authorized GitGuardian to scan your pull request.}}

PR Summary

Medium Risk
Large new surface around financial data and API tokens; receipt upload follows existing hardened file-route patterns but still handles user files and third-party pre-signed URLs.

Overview
Adds a Brex integration so workflows and agents can use corporate spend data via a user API token.

The integration ships 28 tools (expenses, receipts, card/cash transactions and accounts, statements, budgets, spend limits, team/org data, vendors, and transfer status) plus a Brex workflow block with operation-specific subblocks, templates, and skills. Scope is read-heavy: listing and reporting dominate; writes are limited to expense memo updates and receipt upload/match.

Receipt flows use the standard file pattern and a dedicated POST /api/tools/brex/upload-receipt route: internal auth, contract validation, file access checks, a 50 MB cap, Brex pre-signed URL creation, then DNS-pinned PUT to S3 with SSRF guards. BrexIcon and docs/catalog entries wire the integration into the app and docs site.

^{Reviewed by Cursor Bugbot for commit 5be5521. Configure here.}

@greptile

@cursor review

Greptile Summary

This PR adds a Brex integration with 28 tools spanning Expenses, Receipts, Transactions & Accounts, Team, Budgets, and Payments — all wired up through a single BlockConfig that maps brex_${operation} to the corresponding tool at runtime.

• Receipt upload route (/api/tools/brex/upload-receipt) implements a two-phase flow: POST to Brex to get a presigned S3 URL, then a SSRF-validated pinned-IP PUT to upload the file binary; size is capped at 50 MB, file access is gated by assertToolFileAccess, and the API key schema rejects header-injection characters.
• get_expense correctly uses the non-deprecated GET /v1/expenses/{id} endpoint; update_expense uses PUT /v1/expenses/card/{id} (the only available update path); list_card_accounts correctly handles Brex's non-paginated plain-array response while all other list tools use cursor pagination.
• Two separate tools (brex_upload_receipt / brex_match_receipt) share the same internal route but differ in whether expenseId is passed, giving LLMs distinct verbs for "attach to expense" vs. "auto-match"; the contract's optional expenseId and the PAGINATED_OPERATIONS set are both internally consistent with the block's conditional subblock logic.

Confidence Score: 5/5

Safe to merge — the receipt upload route is well-hardened and all 28 tools follow established project patterns without introducing money-movement or card-issuance capabilities.

The integration is read-heavy and deliberately scoped to safe operations. Security-sensitive paths (SSRF, file access, header injection, size limits) all have server-side enforcement and corresponding tests. The block-to-tool mapping, PAGINATED_OPERATIONS set, and conditional subblock logic are internally consistent across all 28 operations.

No files require special attention. The route, contract, tools, and block are all consistent with each other.

Important Files Changed

Sequence Diagram

sequenceDiagram
    participant B as Block / Tool
    participant R as /api/tools/brex/upload-receipt
    participant BrexAPI as Brex API
    participant S3 as Pre-signed S3 URL

    B->>R: "POST {apiKey, expenseId?, file, receiptName?}"
    R->>R: checkInternalAuth
    R->>R: parseRequest Zod trim+min expenseId and receiptName
    R->>R: assertToolFileAccess(file.key, userId)
    R->>R: downloadFileFromStorage check 50 MB
    alt expenseId present
        R->>BrexAPI: "POST /v1/expenses/card/{expenseId}/receipt_upload"
    else no expenseId
        R->>BrexAPI: POST /v1/expenses/card/receipt_match
    end
    BrexAPI-->>R: "{id, uri}"
    R->>R: validateUrlWithDNS(uri) SSRF check
    R->>S3: secureFetchWithPinnedIP PUT binary
    S3-->>R: 200 OK
    R-->>B: "{success:true, output:{receiptId, receiptName, expenseId}}"

_{Reviews (7): Last reviewed commit: "fix(brex): normalize timezone-suffixed t..." | Re-trigger Greptile}

@greptile

@cursor review

@greptile

@cursor review

@greptile

@cursor review

@greptile

@cursor review

@greptile

@cursor review