
Conversation

@alchemistklk
Contributor

@alchemistklk alchemistklk commented Dec 26, 2025

This pull request introduces pre-execution processing for tools, especially for handling file uploads and resource fields, and improves file resource handling throughout the codebase. The changes add support for new file formats, allow explicit MIME type specification, and ensure proper cleanup of temporary files. Additionally, two new dependencies are added for document processing.

Pre-execution and Tool Processing Enhancements

  • Integrated a pre-execution handler system (ComposioToolPreHandlerService, PreHandlerRegistryService) into ComposioService, enabling pre-processing of tool inputs—particularly for file_uploadable fields—before main execution. This includes error handling and cleanup logic for temporary files.
  • Updated tool execution flow to utilize pre-processed input, ensuring that file fields are handled consistently and safely.

File and Resource Handling Improvements

  • Enhanced ResourceHandler methods to accept and prioritize explicit MIME types for file uploads, adjusting filename extensions accordingly and ensuring correct content type handling for buffers, URLs, and string resources.
  • Improved handling of the file_path format: if a value is already a local file path (from pre-handler), it is used directly; otherwise, an error is thrown to ensure pre-processing is enforced.

Dependency Additions

  • Added html-to-docx and xlsx dependencies to support document and spreadsheet processing.

Utility and API Changes

  • Made extractFileIdToTopLevel a named export for use in other modules.

Summary by CodeRabbit

Release Notes

  • New Features

    • Added file upload support for tool parameters
    • Implemented automatic conversion of Google Docs to DOCX and Google Sheets to XLSX formats
    • Enhanced file processing with validation and compression for video/image uploads
  • Improvements

    • Better handling of downloaded file content from tool executions
    • Improved content filtering and URL extraction
  • Dependencies

    • Updated Composio integration library


…oads

- Added ComposioToolPreHandlerService to handle file uploads, including downloading and processing files.
- Introduced PreHandlerRegistryService to manage pre-execution handlers for Composio tools.
- Defined interfaces for pre-handler input and output in pre.interface.ts.
- Enhanced schema-utils to support file_uploadable fields, allowing for better integration with Composio.
- Updated token utility functions for improved URL extraction and noise detection.
- Updated dependencies to use the latest version of @composio/core.
- Modified OpenAPI schema to include file_uploadable property for schema properties.
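As an added example (not code from this PR or its repository) of the pre-execution contract the description above sets out: a pre-handler that materialises file_uploadable fields into a per-execution temp directory and returns a cleanup callback, a file_path resolver that accepts only paths inside that directory so a caller-supplied path-shaped string cannot skip pre-processing, and the finally-based cleanup. All names here (preHandle, resolveFilePath, executeWithPreHandling, FileStore, SAMPLE_SCHEMA, SAMPLE_STORE) and the sample inputs are constructed for this illustration; FileStore stands in for the DriveService download the PR uses.

```typescript
import * as fs from 'node:fs';
import * as os from 'node:os';
import * as path from 'node:path';

// Schema property shape as extended by this PR: file_uploadable marks a field
// whose file_path value must be materialised by the pre-handler before execution.
export interface SchemaProperty {
  type?: string;
  format?: string;
  file_uploadable?: boolean;
}

export type Params = Record<string, unknown>;
export type FileStore = Record<string, Buffer>; // hypothetical stand-in for DriveService.downloadFile

// Constructed sample inputs (not from the project).
export const SAMPLE_SCHEMA: Record<string, SchemaProperty> = {
  attachment: { type: 'string', format: 'file_path', file_uploadable: true },
  title: { type: 'string' },
};
export const SAMPLE_STORE: FileStore = {
  file_001: Buffer.from('hello composio', 'utf8'),
};

/** Names of the fields the pre-handler has to turn into local paths. */
export function fileUploadableFields(schema: Record<string, SchemaProperty>): string[] {
  return Object.entries(schema ?? {})
    .filter(([, prop]) => prop?.file_uploadable === true && prop?.format === 'file_path')
    .map(([name]) => name);
}

/**
 * Pre-execution step: copy each referenced file into a fresh per-execution temp
 * directory and replace the file id with the absolute path of that copy. An unknown
 * id throws, and the temp directory is removed on that error path as well.
 */
export function preHandle(
  params: Params,
  schema: Record<string, SchemaProperty>,
  store: FileStore,
): { params: Params; tempDir: string; cleanup: () => void } {
  const tempDir = fs.mkdtempSync(path.join(os.tmpdir(), 'composio-'));
  const cleanup = (): void => fs.rmSync(tempDir, { recursive: true, force: true });
  const out: Params = { ...params };
  try {
    for (const field of fileUploadableFields(schema)) {
      const fileId = out[field];
      if (typeof fileId !== 'string') continue;
      const data: Buffer | undefined = store[fileId];
      if (data === undefined) throw new Error(`unknown fileId for ${field}: ${fileId}`);
      const dest = path.join(tempDir, `${fileId}.bin`);
      fs.writeFileSync(dest, data);
      out[field] = dest;
    }
  } catch (err) {
    cleanup();
    throw err;
  }
  return { params: out, tempDir, cleanup };
}

/**
 * file_path resolver: accept a value only if it is a path strictly inside this
 * execution's temp directory. A bare file id (never pre-processed), the directory
 * itself, or any other absolute path on the host is rejected.
 */
export function resolveFilePath(value: unknown, tempDir: string): string {
  if (typeof value !== 'string' || !path.isAbsolute(value)) {
    throw new Error('file_path field was not pre-processed');
  }
  const rel = path.relative(tempDir, path.resolve(value));
  const inside = rel !== '' && !rel.startsWith('..') && !path.isAbsolute(rel);
  if (!inside) throw new Error('file_path is outside the pre-handler temp directory');
  return value;
}

/** Full flow: pre-handle, resolve, execute, and always clean up in finally. */
export function executeWithPreHandling(
  params: Params,
  schema: Record<string, SchemaProperty>,
  store: FileStore,
  execute: (resolved: Params) => string,
): { result: string; tempDir: string } {
  const pre = preHandle(params, schema, store);
  try {
    const resolved: Params = { ...pre.params };
    for (const field of fileUploadableFields(schema)) {
      resolved[field] = resolveFilePath(pre.params[field], pre.tempDir);
    }
    return { result: execute(resolved), tempDir: pre.tempDir };
  } finally {
    pre.cleanup(); // runs whether execute() returned or threw
  }
}
```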
@coderabbitai

coderabbitai bot commented Dec 26, 2025

📝 Walkthrough

Walkthrough

This PR implements comprehensive file handling for Composio tool execution by introducing pre-execution preprocessing (file downloads to temporary directories with compression and validation) and enhanced post-execution processing (Google format conversions, content compression, file uploads), alongside extended resource handling with explicit MIME type support and schema property updates.

Changes

Cohort / File(s) Summary
Pre-execution Handler Infrastructure
apps/api/src/modules/tool/tool-execution/pre-execution/composio/pre.interface.ts, apps/api/src/modules/tool/tool-execution/pre-execution/composio/composio-pre.service.ts, apps/api/src/modules/tool/tool-execution/pre-execution/composio/pre-registry.service.ts
New interfaces (PreHandlerInput, PreHandlerOutput, IToolPreHandler) and services for preprocessing file_uploadable fields. ComposioToolPreHandlerService downloads files to temporary directories, validates platform-specific video limits, and compresses images exceeding 5MB. PreHandlerRegistryService routes pre-handling requests to the Composio handler.
Post-execution Handler Enhancement
apps/api/src/modules/tool/tool-execution/post-execution/composio-post.service.ts
Extended post-processing with MIME type resolution, Google format conversions (Docs HTML → DOCX via html-to-docx, Sheets HTML → XLSX via SheetJS), downloaded file content extraction/upload, and tool-specific result pipelines for search vs. general tools. Refactored compression logic with specialized paths for Exa/Tavily.
Core Service Integration
apps/api/src/modules/tool/composio/composio.service.ts
Integrated pre-execution handling via PreHandlerRegistryService dependency. Tool execution now includes pre-processing step (file downloads, MIME type handling) with guaranteed cleanup in finally block. Updated resource resolution to use pre-execution results.
Resource Service Enhancement
apps/api/src/modules/tool/resource.service.ts
Added explicit explicitMimeType parameter to upload methods (uploadBufferResource, uploadStringResource, uploadUrlResource). New file_path format handling in resolveFileIdToFormat. Extended ExtendedUpsertDriveFileRequest with optional mimeType field. Filename extension adjustments based on explicit MIME types.
Schema & Type Definitions
packages/openapi-schema/schema.yml, packages/openapi-schema/src/schemas.gen.ts, packages/openapi-schema/src/types.gen.ts
Added new file_uploadable: boolean field to SchemaProperty to mark Composio-specific file upload capability on fields.
Utility Updates
apps/api/src/modules/tool/utils/schema-utils.ts, apps/api/src/modules/tool/utils/token.ts, apps/api/src/modules/tool/dynamic-tooling/core/handler-post.ts
Enhanced schema-utils with isFileUploadableField helper to detect and process file_uploadable fields with file_path format. Refactored token.ts with non-regex URL extraction, noise detection subsystem, and deduplication. Exported extractFileIdToTopLevel for use in post-processing.
Module Configuration & Dependencies
apps/api/package.json, package.json, apps/api/src/modules/tool/composio/composio.module.ts, apps/api/src/modules/tool/tool.module.ts
Added runtime dependencies (html-to-docx, xlsx). Updated @composio/core from ^0.2.4 to ^0.3.3. Registered new pre-handler services in ComposioModule. Reactivated RegularToolPostHandlerService in tool module providers.

Sequence Diagram(s)

sequenceDiagram
    participant Client
    participant ComposioService
    participant PreHandlerRegistry
    participant ComposioPreHandler
    participant DriveService
    participant ResourceService
    participant ComposioExecutor
    participant ComposioPostHandler
    participant BillingService

    Client->>ComposioService: execute(toolsetKey, toolName, request)
    
    ComposioService->>PreHandlerRegistry: getHandler(toolsetKey, toolName)
    PreHandlerRegistry-->>ComposioService: ComposioPreHandler
    
    ComposioService->>ComposioPreHandler: process(input: request, schema, context)
    
    rect rgb(230, 245, 255)
        Note over ComposioPreHandler,DriveService: Pre-execution Phase
        ComposioPreHandler->>DriveService: downloadFile(fileId)
        DriveService-->>ComposioPreHandler: file buffer
        alt Image >5MB
            ComposioPreHandler->>ComposioPreHandler: compressImage(buffer)
        end
        alt Video with limits
            ComposioPreHandler->>ComposioPreHandler: validateVideoSize(buffer)
        end
        ComposioPreHandler->>ComposioPreHandler: write temp file
        ComposioPreHandler-->>ComposioService: {request, cleanup}
    end
    
    ComposioService->>ResourceService: resolveFileIdToFormat(request)
    ResourceService-->>ComposioService: resolved request
    
    ComposioService->>ComposioExecutor: execute(resolved request)
    ComposioExecutor-->>ComposioService: response
    
    rect rgb(240, 255, 240)
        Note over ComposioPostHandler,BillingService: Post-execution Phase
        ComposioService->>ComposioPostHandler: process(response, isSearchTool)
        
        alt Google Format Detection
            ComposioPostHandler->>ComposioPostHandler: convertGoogleFormat(HTML → DOCX/XLSX)
        end
        
        ComposioPostHandler->>ResourceService: uploadToFile(converted content)
        ResourceService-->>ComposioPostHandler: DriveFile
        
        alt Search Tool Result
            ComposioPostHandler->>ComposioPostHandler: compressContent(Exa/Tavily specific)
        else General Tool Result
            ComposioPostHandler->>ComposioPostHandler: processGeneralToolResult()
        end
        
        ComposioPostHandler->>BillingService: track usage
        ComposioPostHandler-->>ComposioService: processed response
    end
    
    ComposioService->>ComposioService: cleanup() in finally
    ComposioService-->>Client: final response

Estimated code review effort

🎯 4 (Complex) | ⏱️ ~60 minutes

Suggested reviewers

  • nettee
  • mrcfps

Poem

🐰 Hops of joy through files so deep,
Pre-handlers compress while you sleep,
Sheets to XLSX, Docs to DOCX with glee,
Temp files cleaned up, no mess to see! 🗂️✨

Pre-merge checks and finishing touches

✅ Passed checks (3 passed)
Check name Status Explanation
Description Check ✅ Passed Check skipped - CodeRabbit’s high-level summary is enabled.
Docstring Coverage ✅ Passed Docstring coverage is 100.00% which is sufficient. The required threshold is 80.00%.
Title check ✅ Passed The PR title accurately captures the main objective of adding pre-execution file upload handling and resource management improvements across the tool modules.


@coderabbitai coderabbitai bot left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Actionable comments posted: 5

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (2)
apps/api/src/modules/tool/dynamic-tooling/core/handler-post.ts (1)

154-161: Guideline violation: Missing optional chaining for nested properties.

Direct property access on file.url, file.mimeType, and file.name violates the coding guideline requiring optional chaining for object property access. These properties may be undefined, risking runtime errors.

As per coding guidelines: "Always use optional chaining (?.) when accessing object properties."

🔎 Proposed fix using optional chaining
         extractedResources.files = objRecord.files
           .filter((file) => file && typeof file === 'object' && 'fileId' in file)
           .map((file) => ({
-            url: file.url,
+            url: file?.url,
             fileId: String(file.fileId),
-            mimeType: 'mimeType' in file ? String(file.mimeType) : undefined,
-            name: 'name' in file ? String(file.name) : undefined,
+            mimeType: file?.mimeType ? String(file.mimeType) : undefined,
+            name: file?.name ? String(file.name) : undefined,
           }));
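Review bot: the file?.url and file?.mimeType changes are no-ops here, because the .filter((file) => file && typeof file === 'object' && 'fileId' in file) line above already guarantees file is a non-null object, so the optional chaining on file itself never short-circuits. The part of this fix that matters is replacing the 'mimeType' in file / 'name' in file tests with truthiness checks: with the original code a key that is present but set to undefined yields String(undefined), i.e. the literal string 'undefined', which then gets stored as a MIME type or name. Note that the truthiness check also drops empty strings, and url: file?.url stays unvalidated; typeof file.url === 'string' ? file.url : undefined would give all three fields the same treatment.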
apps/api/src/modules/tool/composio/composio.service.ts (1)

606-711: Fix missing required fields in HandlerRequest type assertion.

The type cast on line 638 is unsafe. HandlerRequest requires two additional fields:

  • provider: string (required)
  • method: string (required)

The current code only provides params, which will cause runtime errors if downstream code accesses the missing required fields. Provide these required fields or restructure to match the actual type definition.

🧹 Nitpick comments (7)
apps/api/src/modules/tool/utils/token.ts (1)

224-230: Minor inconsistency: uses regex despite optimization goal.

The isViewCount function uses /^\d/.test(s) while other helper functions avoid regex for performance. For consistency, consider using charCodeAt:

Suggested change
 function isViewCount(s: string): boolean {
   const lower = s.toLowerCase();
-  return (lower.includes('view') || lower.includes('subscriber')) && /^\d/.test(s); // starts with digit
+  const firstChar = s.charCodeAt(0);
+  return (lower.includes('view') || lower.includes('subscriber')) && firstChar >= 48 && firstChar <= 57;
 }
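Review bot: the charCodeAt variant behaves the same as /^\d/ for the empty string (charCodeAt(0) returns NaN and both comparisons are false), so no edge case regresses, but the bare 48 and 57 are exactly the magic numbers the repository's own guideline listed further down ('Avoid magic numbers and strings - use named constants') asks to avoid. Suggest comparing against named constants or against '0'.charCodeAt(0) and '9'.charCodeAt(0) so the intent (ASCII digit range) is visible without a comment.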
apps/api/src/modules/tool/tool-execution/pre-execution/composio/pre.interface.ts (1)

1-37: Pre-handler contract is clear; consider tightening success/error typing

The pre-handler abstractions (PreHandlerInput, PreHandlerOutput, IToolPreHandler) are well-scoped and align with existing handler shapes. One small improvement to avoid inconsistent states would be to model success/error as a discriminated union (e.g., success: true without error, success: false with required error) instead of a boolean plus optional string. This would make consumers’ branching and error reporting safer at compile time but is not strictly required.

apps/api/src/modules/tool/tool-execution/pre-execution/composio/composio-pre.service.ts (1)

86-111: Shallow copy may not isolate nested objects.

Line 88 uses a shallow spread ({ ...request.params }) before mutating nested paths with _.set(). If request.params contains nested objects, mutations could affect the original request.

🔎 Consider deep cloning for safety
       // Process each file upload field
-      const modifiedParams = { ...request.params };
+      const modifiedParams = _.cloneDeep(request.params);
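Review bot: the replacement only compiles if lodash is imported as _ in this file, which the existing _.set() call referred to above already implies, so that part is fine. One caveat on _.cloneDeep(request.params): it copies everything reachable from params, so if any field carries a large value (a Buffer, for instance) the clone doubles memory for the duration of the pre-handler; if that is a concern, clone only the parent objects of the file_uploadable paths being rewritten, which is all that _.set() mutates.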
apps/api/src/modules/tool/tool-execution/post-execution/composio-post.service.ts (2)

728-742: Verify user context before uploading.

Line 731 casts context.user to User without validation. If context.user is undefined or malformed, the upload will fail with an unclear error.

🔎 Proposed fix
+      // Validate user context
+      if (!context.user) {
+        this.logger.warn('No user context available for file upload');
+        return null;
+      }
+
       // Upload the file
       const driveFile = await this.resourceHandler.uploadResource(
-        context.user as User,
+        context.user,
         context.canvasId,
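Review bot: returning null when context.user is missing turns what was a thrown error into a soft failure, so the caller of this upload helper must now handle a null driveFile (skip the file entry rather than dereference it); worth confirming that path in the same change. Also, dropping the as User cast only type-checks if context.user is declared as User | undefined; if the context type is wider than that, the cast is still needed after the guard, or the guard should narrow with a type predicate.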

314-332: Consider logging JSON parse failures.

The empty catch block on line 329 silently swallows JSON parse errors. While the fallback behavior is acceptable, logging would help with debugging.

🔎 Proposed enhancement
       try {
         const parsed = JSON.parse(compressResult.content);
         parsed.files = [
           {
             fileId: fileMeta.fileId,
             canvasId: fileMeta.canvasId,
             name: fileMeta.name,
             type: fileMeta.type,
             summary:
               'Full content stored in this file. If need more details, use read_file tool with this fileId.',
           },
         ];
         content = JSON.stringify(parsed, null, 2);
-      } catch {
+      } catch (e) {
         // If compressed is not valid JSON, keep as-is
+        this.logger.debug('Could not parse compressed content as JSON, keeping as-is');
       }
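Review bot: the catch now binds e but the new debug line never uses it, which will trip no-unused-vars lint rules; either keep the bare catch { and log the fixed message, or include the error in the log, e.g. this.logger.debug(`Could not parse compressed content as JSON, keeping as-is: ${(e as Error)?.message}`). Also note that on this path content keeps the compressed text without the files entry, so the fileId pointer is silently absent from the result; if consumers rely on parsed.files, that omission is the thing worth a warn rather than a debug.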
apps/api/src/modules/tool/resource.service.ts (2)

996-1003: Fragile path detection for file_path format.

The check value.includes('composio-') could match unintended strings (e.g., a URL containing 'composio-'). Consider a more robust check.

🔎 Proposed improvement
     // For file_path format, check if value is already a local file path (from pre-handler)
     if (format === 'file_path') {
-      if (typeof value === 'string' && (value.startsWith('/') || value.includes('composio-'))) {
+      if (typeof value === 'string' && value.startsWith('/')) {
         // Already a local file path, return as-is
         return value;
       }
     }
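Review bot: value.startsWith('/') is a POSIX-only notion of an absolute path; os.tmpdir() on Windows yields a drive-letter path, so path.isAbsolute(value) is the portable check. More importantly, both the old and the new condition decide by string shape alone, so any absolute path supplied by the caller is accepted as 'already a local file path' and forwarded to the tool without going through the pre-handler, which is the bypass the PR description's 'otherwise, an error is thrown to ensure pre-processing is enforced' wording is meant to rule out. Since the comment below notes that every temp file is created under path.join(os.tmpdir(), tempFileName), the check can be tightened to require the path to resolve inside that directory (path.relative(os.tmpdir(), path.resolve(value)) not starting with '..'), or better, have the pre-handler hand back the set of paths it created and accept only those.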

The / prefix check is sufficient since all temp files are created with absolute paths via path.join(os.tmpdir(), tempFileName).


1056-1066: Duplicate path detection logic.

This duplicates the check from lines 998-1003. Consider extracting to a helper function for consistency.

🔎 Proposed helper extraction
/**
 * Check if value is already a local file path from pre-handler
 */
private isLocalFilePath(value: unknown): boolean {
  return typeof value === 'string' && value.startsWith('/');
}

Then use this.isLocalFilePath(value) in both locations.

📜 Review details

Configuration used: defaults

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between c002191 and 7241f95.

⛔ Files ignored due to path filters (1)
  • pnpm-lock.yaml is excluded by !**/pnpm-lock.yaml
📒 Files selected for processing (16)
  • apps/api/package.json
  • apps/api/src/modules/tool/composio/composio.module.ts
  • apps/api/src/modules/tool/composio/composio.service.ts
  • apps/api/src/modules/tool/dynamic-tooling/core/handler-post.ts
  • apps/api/src/modules/tool/resource.service.ts
  • apps/api/src/modules/tool/tool-execution/post-execution/composio-post.service.ts
  • apps/api/src/modules/tool/tool-execution/pre-execution/composio/composio-pre.service.ts
  • apps/api/src/modules/tool/tool-execution/pre-execution/composio/pre-registry.service.ts
  • apps/api/src/modules/tool/tool-execution/pre-execution/composio/pre.interface.ts
  • apps/api/src/modules/tool/tool.module.ts
  • apps/api/src/modules/tool/utils/schema-utils.ts
  • apps/api/src/modules/tool/utils/token.ts
  • package.json
  • packages/openapi-schema/schema.yml
  • packages/openapi-schema/src/schemas.gen.ts
  • packages/openapi-schema/src/types.gen.ts
🧰 Additional context used
📓 Path-based instructions (15)
**/*.{js,ts,jsx,tsx}

📄 CodeRabbit inference engine (.cursorrules)

**/*.{js,ts,jsx,tsx}: Always use optional chaining (?.) when accessing object properties
Always use nullish coalescing (??) or default values for potentially undefined values
Always check array existence before using array methods
Always validate object properties before destructuring
Always use single quotes for string literals in JavaScript/TypeScript code

**/*.{js,ts,jsx,tsx}: Use semicolons at the end of statements
Include spaces around operators (e.g., a + b instead of a+b)
Always use curly braces for control statements
Place opening braces on the same line as their statement

**/*.{js,ts,jsx,tsx}: Group import statements in order: React/framework libraries, third-party libraries, internal modules, relative path imports, type imports, style imports
Sort imports alphabetically within each import group
Leave a blank line between import groups
Extract complex logic into custom hooks
Use functional updates for state (e.g., setCount(prev => prev + 1))
Split complex state into multiple state variables rather than single large objects
Use useReducer for complex state logic instead of multiple useState calls

Files:

  • apps/api/src/modules/tool/dynamic-tooling/core/handler-post.ts
  • apps/api/src/modules/tool/tool-execution/pre-execution/composio/pre-registry.service.ts
  • packages/openapi-schema/src/schemas.gen.ts
  • apps/api/src/modules/tool/composio/composio.module.ts
  • apps/api/src/modules/tool/tool-execution/pre-execution/composio/pre.interface.ts
  • packages/openapi-schema/src/types.gen.ts
  • apps/api/src/modules/tool/utils/schema-utils.ts
  • apps/api/src/modules/tool/tool-execution/post-execution/composio-post.service.ts
  • apps/api/src/modules/tool/tool-execution/pre-execution/composio/composio-pre.service.ts
  • apps/api/src/modules/tool/composio/composio.service.ts
  • apps/api/src/modules/tool/resource.service.ts
  • apps/api/src/modules/tool/tool.module.ts
  • apps/api/src/modules/tool/utils/token.ts
**/*.{js,ts,tsx,jsx,py,java,cpp,c,cs,rb,go,rs,php,swift,kt,scala,r,m,mm,sql}

📄 CodeRabbit inference engine (.cursor/rules/00-language-priority.mdc)

**/*.{js,ts,tsx,jsx,py,java,cpp,c,cs,rb,go,rs,php,swift,kt,scala,r,m,mm,sql}: All code comments MUST be written in English
All variable names, function names, class names, and other identifiers MUST use English words
Comments should be concise and explain 'why' rather than 'what'
Use proper grammar and punctuation in comments
Keep comments up-to-date when code changes
Document complex logic, edge cases, and important implementation details
Use clear, descriptive names that indicate purpose
Avoid abbreviations unless they are universally understood

**/*.{js,ts,tsx,jsx}

📄 CodeRabbit inference engine (.cursor/rules/00-language-priority.mdc)

Use JSDoc style comments for functions and classes in JavaScript/TypeScript

**/*.{js,jsx,ts,tsx}

📄 CodeRabbit inference engine (.cursor/rules/01-code-style.mdc)

**/*.{js,jsx,ts,tsx}: Use single quotes for string literals in TypeScript/JavaScript
Always use optional chaining (?.) when accessing object properties in TypeScript/JavaScript
Always use nullish coalescing (??) or default values for potentially undefined values in TypeScript/JavaScript
Always check array existence before using array methods in TypeScript/JavaScript
Validate object properties before destructuring in TypeScript/JavaScript
Use ES6+ features like arrow functions, destructuring, and spread operators in TypeScript/JavaScript
Avoid magic numbers and strings - use named constants in TypeScript/JavaScript
Use async/await instead of raw promises for asynchronous code in TypeScript/JavaScript

**/*.{ts,tsx}

📄 CodeRabbit inference engine (.cursor/rules/03-typescript-guidelines.mdc)

**/*.{ts,tsx}: Avoid using any type whenever possible - use unknown type instead with proper type guards
Always define explicit return types for functions, especially for public APIs
Prefer extending existing types over creating entirely new types
Use TypeScript utility types (Partial<T>, Pick<T, K>, Omit<T, K>, Readonly<T>, Record<K, T>) to derive new types
Use union types and intersection types to combine existing types
Always import types explicitly using the import type syntax
Group type imports separately from value imports
Minimize creating local type aliases for imported types

**/*.{js,ts,jsx,tsx,css,json}

📄 CodeRabbit inference engine (.cursor/rules/04-code-formatting.mdc)

Maximum line length of 100 characters

**/*.{js,ts,jsx,tsx,css,json,yml,yaml}

📄 CodeRabbit inference engine (.cursor/rules/04-code-formatting.mdc)

Use 2 spaces for indentation, no tabs

**/*.{js,ts,jsx,tsx,css,json,yml,yaml,md}

📄 CodeRabbit inference engine (.cursor/rules/04-code-formatting.mdc)

No trailing whitespace at the end of lines

**/*.{css,scss,sass,less,js,jsx,ts,tsx}

📄 CodeRabbit inference engine (.cursor/rules/09-design-system.mdc)

**/*.{css,scss,sass,less,js,jsx,ts,tsx}: Primary color (#155EEF) should be used for main brand color in buttons, links, and accents
Error color (#F04438) should be used for error states and destructive actions
Success color (#12B76A) should be used for success states and confirmations
Warning color (#F79009) should be used for warnings and important notifications
Info color (#0BA5EC) should be used for informational elements

**/*.{tsx,ts}

📄 CodeRabbit inference engine (.cursor/rules/09-i18n-guidelines.mdc)

**/*.{tsx,ts}: Use the translation wrapper component and useTranslation hook in components
Ensure all user-facing text is translatable

**/*.{tsx,ts,json}

📄 CodeRabbit inference engine (.cursor/rules/09-i18n-guidelines.mdc)

Support dynamic content with placeholders in translations

**/*.{tsx,ts,jsx,js,vue,css,scss,less}

📄 CodeRabbit inference engine (.cursor/rules/11-ui-design-patterns.mdc)

**/*.{tsx,ts,jsx,js,vue,css,scss,less}: Use the primary blue (#155EEF) for main UI elements, CTAs, and active states
Use red (#F04438) only for errors, warnings, and destructive actions
Use green (#12B76A) for success states and confirmations
Use orange (#F79009) for warning states and important notifications
Use blue (#0BA5EC) for informational elements
Primary buttons should be solid with the primary color
Secondary buttons should have a border with transparent or light background
Danger buttons should use the error color
Use consistent padding, border radius, and hover states for all buttons
Follow fixed button sizes based on their importance and context
Use consistent border radius (rounded-lg) for all cards
Apply light shadows (shadow-sm) for card elevation
Maintain consistent padding inside cards (p-4 or p-6)
Use subtle borders for card separation
Ensure proper spacing between card elements
Apply consistent styling to all form inputs
Use clear visual indicators for focus, hover, and error states in form elements
Apply proper spacing between elements using 8px, 16px, 24px increments
Ensure proper alignment of elements (left, center, or right)
Use responsive layouts that work across different device sizes
Maintain a minimum contrast ratio of 4.5:1 for text

Files:

  • apps/api/src/modules/tool/dynamic-tooling/core/handler-post.ts
  • apps/api/src/modules/tool/tool-execution/pre-execution/composio/pre-registry.service.ts
  • packages/openapi-schema/src/schemas.gen.ts
  • apps/api/src/modules/tool/composio/composio.module.ts
  • apps/api/src/modules/tool/tool-execution/pre-execution/composio/pre.interface.ts
  • packages/openapi-schema/src/types.gen.ts
  • apps/api/src/modules/tool/utils/schema-utils.ts
  • apps/api/src/modules/tool/tool-execution/post-execution/composio-post.service.ts
  • apps/api/src/modules/tool/tool-execution/pre-execution/composio/composio-pre.service.ts
  • apps/api/src/modules/tool/composio/composio.service.ts
  • apps/api/src/modules/tool/resource.service.ts
  • apps/api/src/modules/tool/tool.module.ts
  • apps/api/src/modules/tool/utils/token.ts
**/*.{tsx,ts,jsx,js,vue}

📄 CodeRabbit inference engine (.cursor/rules/11-ui-design-patterns.mdc)

**/*.{tsx,ts,jsx,js,vue}: Include appropriate loading states for async actions in buttons
Group related form elements with appropriate spacing
Provide clear validation feedback for forms
Ensure proper labeling and accessibility for form elements
Ensure all interactive elements are keyboard accessible
Include appropriate ARIA attributes for complex components
Provide alternative text for images and icons
Support screen readers with semantic HTML elements

Files:

  • apps/api/src/modules/tool/dynamic-tooling/core/handler-post.ts
  • apps/api/src/modules/tool/tool-execution/pre-execution/composio/pre-registry.service.ts
  • packages/openapi-schema/src/schemas.gen.ts
  • apps/api/src/modules/tool/composio/composio.module.ts
  • apps/api/src/modules/tool/tool-execution/pre-execution/composio/pre.interface.ts
  • packages/openapi-schema/src/types.gen.ts
  • apps/api/src/modules/tool/utils/schema-utils.ts
  • apps/api/src/modules/tool/tool-execution/post-execution/composio-post.service.ts
  • apps/api/src/modules/tool/tool-execution/pre-execution/composio/composio-pre.service.ts
  • apps/api/src/modules/tool/composio/composio.service.ts
  • apps/api/src/modules/tool/resource.service.ts
  • apps/api/src/modules/tool/tool.module.ts
  • apps/api/src/modules/tool/utils/token.ts
**/*.{ts,tsx,js,jsx}

📄 CodeRabbit inference engine (.cursor/rules/08-contributing-guidelines.mdc)

**/*.{ts,tsx,js,jsx}: Follow the TypeScript/JavaScript style guidelines
Ensure code is well-tested and documented

Files:

  • apps/api/src/modules/tool/dynamic-tooling/core/handler-post.ts
  • apps/api/src/modules/tool/tool-execution/pre-execution/composio/pre-registry.service.ts
  • packages/openapi-schema/src/schemas.gen.ts
  • apps/api/src/modules/tool/composio/composio.module.ts
  • apps/api/src/modules/tool/tool-execution/pre-execution/composio/pre.interface.ts
  • packages/openapi-schema/src/types.gen.ts
  • apps/api/src/modules/tool/utils/schema-utils.ts
  • apps/api/src/modules/tool/tool-execution/post-execution/composio-post.service.ts
  • apps/api/src/modules/tool/tool-execution/pre-execution/composio/composio-pre.service.ts
  • apps/api/src/modules/tool/composio/composio.service.ts
  • apps/api/src/modules/tool/resource.service.ts
  • apps/api/src/modules/tool/tool.module.ts
  • apps/api/src/modules/tool/utils/token.ts
apps/api/src/**/*.{controller,service}.ts

📄 CodeRabbit inference engine (.cursor/rules/06-api-structure.mdc)

Implement proper error handling in API modules

Files:

  • apps/api/src/modules/tool/tool-execution/pre-execution/composio/pre-registry.service.ts
  • apps/api/src/modules/tool/tool-execution/post-execution/composio-post.service.ts
  • apps/api/src/modules/tool/tool-execution/pre-execution/composio/composio-pre.service.ts
  • apps/api/src/modules/tool/composio/composio.service.ts
  • apps/api/src/modules/tool/resource.service.ts
🧠 Learnings (2)
📚 Learning: 2025-11-25T03:04:12.836Z
Learnt from: CR
Repo: refly-ai/refly PR: 0
File: .cursor/rules/06-api-structure.mdc:0-0
Timestamp: 2025-11-25T03:04:12.836Z
Learning: Applies to apps/api/src/{auth,user,project,canvas,rag,knowledge,search,skill,share,code-artifact}/**/*.{controller,service}.ts : Use dependency injection for module dependencies in NestJS

Applied to files:

  • apps/api/src/modules/tool/composio/composio.module.ts
  • apps/api/src/modules/tool/composio/composio.service.ts
  • apps/api/src/modules/tool/tool.module.ts
📚 Learning: 2025-11-25T03:04:12.836Z
Learnt from: CR
Repo: refly-ai/refly PR: 0
File: .cursor/rules/06-api-structure.mdc:0-0
Timestamp: 2025-11-25T03:04:12.836Z
Learning: Applies to apps/api/src/{auth,user,project,canvas,rag,knowledge,search,skill,share,code-artifact}/**/*.{ts,tsx} : Follow NestJS module structure with controllers, services, and DTOs in dedicated module directories

Applied to files:

  • apps/api/src/modules/tool/tool.module.ts
🧬 Code graph analysis (7)
apps/api/src/modules/tool/dynamic-tooling/core/handler-post.ts (3)
packages/openapi-schema/src/types.gen.ts (1)
  • HandlerResponse (8793-8846)
packages/request/src/requests/types.gen.ts (1)
  • HandlerResponse (8673-8726)
packages/ai-workspace-common/src/requests/types.gen.ts (1)
  • HandlerResponse (8681-8734)
apps/api/src/modules/tool/tool-execution/pre-execution/composio/pre-registry.service.ts (2)
apps/api/src/modules/tool/tool-execution/pre-execution/composio/composio-pre.service.ts (1)
  • Injectable (56-387)
apps/api/src/modules/tool/tool-execution/pre-execution/composio/pre.interface.ts (1)
  • IToolPreHandler (35-37)
apps/api/src/modules/tool/composio/composio.module.ts (2)
apps/api/src/modules/tool/tool.module.ts (1)
  • Module (31-67)
apps/api/src/modules/tool/billing/billing.module.ts (1)
  • Module (11-16)
apps/api/src/modules/tool/tool-execution/pre-execution/composio/pre.interface.ts (2)
apps/api/src/modules/tool/tool-context.ts (1)
  • RequestContext (11-46)
packages/openapi-schema/src/types.gen.ts (2)
  • HandlerRequest (8733-8755)
  • JsonSchema (8262-8281)
apps/api/src/modules/tool/utils/schema-utils.ts (2)
packages/openapi-schema/src/types.gen.ts (1)
  • SchemaProperty (8188-8257)
packages/request/src/requests/types.gen.ts (1)
  • SchemaProperty (8107-8172)
apps/api/src/modules/tool/tool-execution/post-execution/composio-post.service.ts (3)
apps/api/src/modules/tool/tool-execution/post-execution/post.interface.ts (2)
  • PostHandlerInput (34-40)
  • PostHandlerOutput (57-64)
apps/api/src/modules/tool/dynamic-tooling/core/handler-post.ts (1)
  • extractFileIdToTopLevel (123-192)
apps/api/src/modules/tool/utils/token.ts (2)
  • estimateTokens (31-33)
  • truncateToTokens (39-42)
apps/api/src/modules/tool/tool-execution/pre-execution/composio/composio-pre.service.ts (5)
apps/api/src/modules/tool/resource.service.ts (1)
  • Injectable (78-1136)
apps/api/src/modules/tool/tool-execution/pre-execution/composio/pre-registry.service.ts (1)
  • Injectable (9-20)
apps/api/src/modules/tool/tool-execution/pre-execution/composio/pre.interface.ts (3)
  • IToolPreHandler (35-37)
  • PreHandlerInput (13-19)
  • PreHandlerOutput (25-30)
apps/api/src/modules/tool/utils/schema-utils.ts (2)
  • collectResourceFields (323-348)
  • extractFileId (190-199)
apps/api/src/modules/tool/tool-context.ts (1)
  • getCurrentUser (90-94)
⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (1)
  • GitHub Check: build / Build
🔇 Additional comments (23)
apps/api/src/modules/tool/utils/token.ts (7)

96-149: Well-structured indexOf-based URL extraction.

The manual scanning approach with pre-defined terminator and punctuation sets is efficient for large texts. The implementation correctly handles:

  • Both http:// and https:// protocols
  • URL termination on whitespace and common delimiters
  • Trailing punctuation cleanup
  • Minimum length validation

260-271: Sound FNV-1a hash implementation.

The hash function correctly implements the FNV-1a algorithm with standard offset basis (2166136261) and prime (16777619). The >>> 0 ensures unsigned 32-bit arithmetic. Good choice for fast deduplication where occasional collisions are acceptable.


273-302: Efficient single-pass normalization.

The function correctly handles lowercase conversion and whitespace collapsing in one pass. The character-code-based approach avoids regex overhead while maintaining readability.


232-258: Well-organized noise detection with layered checks.

The function efficiently combines O(1) Set lookups, short prefix iterations, and specialized pattern detectors. The pre-trimmed input assumption is documented, and the check ordering (exact → prefix → patterns) optimizes for common cases.


364-409: Efficient line-by-line processing with inline trimming.

The implementation avoids split() allocations by processing character-by-character. Key strengths:

  • Correct \r\n handling (line 379-381)
  • Inline whitespace trimming (lines 384-391)
  • Hash-based deduplication for memory efficiency
  • Single-pass processing

413-425: Clear URL section formatting with useful count information.

The (${filteredUrls.length}/${originalUrlCount}) ratio provides helpful context about URL filtering effectiveness. The section structure with separator and bullet points is well-formatted.


208-222: Correct detection of standalone markdown links.

The function properly identifies both (http...) and [](http...) patterns using efficient character code checks. The minimum length validation and protocol/closing parenthesis checks ensure accuracy.

apps/api/src/modules/tool/tool.module.ts (1)

21-29: Post-handler wiring looks correct

Re‑enabling RegularToolPostHandlerService alongside ResourceHandler, ComposioToolPostHandlerService, and ToolWrapperFactoryService in this module is consistent with the execution pipeline and DI patterns; imports/controllers/services are wired cleanly.

packages/openapi-schema/src/types.gen.ts (1)

8189-8257: SchemaProperty extension for file uploads is compatible

Adding the optional file_uploadable?: boolean marker to SchemaProperty is type-safe and backward‑compatible; it provides a clear hook for tooling to detect uploadable fields without affecting existing schemas or consumers.

packages/openapi-schema/schema.yml (1)

12526-12528: New file_uploadable flag is well-integrated into SchemaProperty

The boolean marker is added in the right place, with correct indentation and a clear description, and it doesn’t affect existing required fields. This looks ready to ship.

apps/api/src/modules/tool/composio/composio.module.ts (1)

12-13: LGTM! Pre-execution infrastructure properly integrated.

The new pre-handler services are correctly imported and registered as providers, following NestJS dependency injection patterns. This enables file upload pre-processing before tool execution.

Also applies to: 21-22

apps/api/src/modules/tool/dynamic-tooling/core/handler-post.ts (1)

123-123: LGTM! Export enables cross-module reuse.

Exporting extractFileIdToTopLevel allows other post-processing flows (e.g., Composio post-handlers) to leverage centralized file reference extraction.

packages/openapi-schema/src/schemas.gen.ts (1)

11445-11469: New file_uploadable flag in SchemaPropertySchema looks correct

The added boolean field with a clear description fits the existing schema shape and keeps the marker optional, which is appropriate for backward compatibility. Just ensure this stays in sync with the OpenAPI source (schema.yml) and types.gen.ts so regeneration does not drop or rename it.

apps/api/src/modules/tool/tool-execution/pre-execution/composio/pre-registry.service.ts (1)

1-20: LGTM! Clean registry pattern implementation.

The service correctly implements a centralized pre-handler resolution path. The underscore-prefixed parameters (_toolsetKey, _toolName) clearly indicate intentional non-use while maintaining the interface for future extensibility.

Consider documenting the rationale for returning a generic handler in the JSDoc if tool-specific handlers are planned for the future.

apps/api/src/modules/tool/utils/schema-utils.ts (3)

398-408: LGTM! Tighter URL field detection.

The refined isUrlRelatedField function now only matches fields explicitly ending with 'url' or 'urls', reducing false positives from the previous broader detection logic.


410-417: LGTM! Clean helper for Composio-specific file detection.

The isFileUploadableField helper provides a clear abstraction for detecting Composio's file_uploadable marker.


432-457: LGTM! Well-structured schema enhancement for file uploads.

The logic correctly:

  1. Prioritizes file_uploadable fields with file_path format
  2. Falls back to URL-related field handling
  3. Adds appropriate LLM guidance hints to descriptions
  4. Uses proper null checks before string operations
apps/api/src/modules/tool/tool-execution/pre-execution/composio/composio-pre.service.ts (2)

239-280: LGTM! Robust image compression strategy.

The multi-path compression approach is well-designed:

  • Logarithmic quality estimation for predictable compression ratios
  • Fallback to resizing for stubborn images
  • Graceful degradation on compression failure
  • Good logging for debugging

373-386: LGTM! Defensive cleanup implementation.

The cleanup method correctly handles failures gracefully, logging warnings instead of throwing, which ensures all temp files are attempted for cleanup even if some fail.

apps/api/src/modules/tool/tool-execution/post-execution/composio-post.service.ts (1)

121-206: LGTM! Well-implemented Google format conversions.

The conversion logic correctly:

  1. Handles Google Docs → DOCX via html-to-docx
  2. Handles Google Sheets → XLSX via SheetJS
  3. Includes detailed logging for debugging
  4. Properly strips extensions to let uploadResource handle them
  5. Re-throws conversion errors for proper error propagation
apps/api/src/modules/tool/resource.service.ts (2)

779-816: LGTM! Clean explicit MIME type handling for URL resources.

The logic correctly:

  1. Prioritizes explicit MIME type over inferred type
  2. Adjusts filename extension to match the explicit MIME type
  3. Preserves backward compatibility when no explicit type is provided

946-991: LGTM! Well-designed public API extension.

The uploadResource method properly:

  1. Documents the new mimeType option in JSDoc
  2. Propagates the option to appropriate internal methods
  3. Maintains backward compatibility for callers not using the option
apps/api/package.json (1)

106-106: html-to-docx version ^1.8.0 is current, stable, and has no known security vulnerabilities.

Version 1.8.0 is the latest available on npm. Snyk, npm, and CVE databases show no direct vulnerabilities for this package or its 13 dependencies. The package is actively maintained with MIT licensing.
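An added illustration of the FNV-1a deduplication the token.ts comments above describe (example code written here, not from the refly repository or the CodeRabbit review): it hashes UTF-8 bytes, shows why `Math.imul` rather than a plain `*` is needed before `>>> 0`, and dedupes normalized lines through a hash set. The function names and the sample text are my own constructions.

```typescript
// Added example, not project code. FNV-1a 32-bit for line deduplication.

const FNV_OFFSET_BASIS_32 = 0x811c9dc5; // 2166136261
const FNV_PRIME_32 = 0x01000193; // 16777619

/** FNV-1a over the UTF-8 bytes of `input`, returned as an unsigned 32-bit integer. */
function fnv1a32(input: string): number {
  const bytes = new TextEncoder().encode(input);
  let hash = FNV_OFFSET_BASIS_32;
  for (let i = 0; i < bytes.length; i++) {
    hash ^= bytes[i];
    // Math.imul multiplies as 32-bit integers; a plain `*` would exceed 2^53 and drop low bits.
    hash = Math.imul(hash, FNV_PRIME_32);
  }
  return hash >>> 0; // reinterpret the signed int32 result as unsigned
}

/**
 * The tempting shortcut, kept only to show the pitfall: `hash * FNV_PRIME_32` can reach
 * ~2^56, beyond the 2^53 exact range of a double, so low-order bits are rounded away
 * before `>>> 0` reduces the value mod 2^32. `>>> 0` alone does not make this correct.
 */
function fnv1a32Naive(input: string): number {
  const bytes = new TextEncoder().encode(input);
  let hash = FNV_OFFSET_BASIS_32;
  for (let i = 0; i < bytes.length; i++) {
    hash = (hash ^ bytes[i]) >>> 0;
    hash = (hash * FNV_PRIME_32) >>> 0; // lossy once the product exceeds 2^53
  }
  return hash;
}

/** Lowercase and collapse whitespace runs, the normalization the review describes. */
function normalizeLine(line: string): string {
  return line.trim().toLowerCase().replace(/\s+/g, ' ');
}

/**
 * Keep the first occurrence of each distinct normalized, non-empty line. Only the 32-bit
 * hash is retained per line, trading a small collision risk (a distinct line dropped)
 * for not holding every line's text in memory, as the review's "occasional collisions
 * are acceptable" trade-off states.
 */
function dedupeLines(text: string): string[] {
  const seen = new Set<number>();
  const kept: string[] = [];
  for (const raw of text.split(/\r?\n/)) {
    const normalized = normalizeLine(raw);
    if (normalized.length === 0) continue;
    const h = fnv1a32(normalized);
    if (seen.has(h)) continue;
    seen.add(h);
    kept.push(raw.trim());
  }
  return kept;
}

// Constructed sample input (not taken from any tool output).
const SAMPLE_TEXT = [
  'Status: OK',
  'status:   ok', // same line after normalization
  '',
  'Retrying upload',
  'Status: OK', // exact repeat
  'Done',
].join('\n');

function demo(): string[] {
  return dedupeLines(SAMPLE_TEXT);
}
```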

"stripe": "~14.19.0",
"uuid": "^9.0.1",
"ws": "~8.17.0",
"xlsx": "^0.18.5",
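Review bot: the new `xlsx` entry pins `^0.18.5`, which the analysis in this thread identifies as affected by CVE-2023-30533 (prototype pollution) and CVE-2024-22363 (ReDoS); the same analysis notes that the fixed builds (0.19.3 / 0.20.2) are not published to the npm `xlsx` package and that 0.18.5 is the latest on the registry, so neither this caret range nor a bump to `>=0.20.2` would resolve to a patched version from npm. The dependency should instead point at a SheetJS-distributed patched tarball or be replaced with a maintained alternative, and until then the Google Sheets conversion in composio-post.service.ts, which feeds downloaded content into this library, should not be treated as safe for untrusted workbooks.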

⚠️ Potential issue | 🔴 Critical

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
# Verify xlsx package information and security status

# Get latest version and recent versions from npm registry
echo "=== Latest xlsx version info ==="
curl -s https://registry.npmjs.org/xlsx | jq -r '.["dist-tags"].latest'

# Get all versions to check release date context
echo "=== Recent versions (last 10) ==="
curl -s https://registry.npmjs.org/xlsx | jq -r '.versions | keys | .[-10:]'

# Check specifically for version 0.18.5
echo "=== Version 0.18.5 details ==="
curl -s https://registry.npmjs.org/xlsx/0.18.5 | jq -r '.version, .time'

Repository: refly-ai/refly

Length of output: 291


🌐 Web query:

xlsx npm security vulnerabilities CVE 0.18.5

💡 Result:

Short answer: Yes — xlsx@0.18.5 is known to contain high/medium security issues.

  • Prototype Pollution — tracked as CVE-2023-30533 / GHSA-4r6h-8v6p-xvw6; affects xlsx < 0.19.3. SheetJS fixed it in 0.19.3 (not published to the npm xlsx package; available from SheetJS releases/CDN). [1][4]

  • Regular‑Expression DoS (ReDoS) — tracked as CVE-2024-22363; affects versions before 0.20.2. Fixed in 0.20.2 (available via SheetJS authoritative distribution). [2][5]

Evidence and scanners (Snyk / vulnerability pages) also list Prototype Pollution and ReDoS for 0.18.5. [3][6]

Recommended action: stop using xlsx@0.18.5 for parsing untrusted files. Upgrade to a patched SheetJS build (at least 0.19.3 for the prototype‑pollution fix and 0.20.2 for the ReDoS fix) obtained from the SheetJS authoritative releases/CDN, or replace the library with a maintained alternative. [1][2][3]

Sources:
[1] GitHub Advisory / CVE-2023-30533 (Prototype Pollution).
[2] GitLab Advisory / CVE-2024-22363 (ReDoS).
[3] Snyk xlsx vulnerability page.
[4] SheetJS issue noting 0.18.5 and fix availability (0.19.3).
[5] Snyk / org.webjars note about fixes in 0.19.3 / 0.20.2.
[6] ReversingLabs / package vulnerability summary.


🌐 Web query:

xlsx package.json latest version npm 2025

💡 Result:

As of Dec 26, 2025 the latest published version of the npm package "xlsx" is 0.18.5. [1][2]

Sources:

  • npm package page for xlsx (v0.18.5). [1]
  • Snyk package page noting current latest and known vulnerabilities. [2]

Update xlsx to a patched version—current version contains known vulnerabilities.

Version ^0.18.5 is affected by Prototype Pollution (CVE-2023-30533) and Regular Expression DoS (CVE-2024-22363). Patches are available in SheetJS 0.19.3+ (prototype pollution) and 0.20.2+ (ReDoS), though the standard npm package is unmaintained at 0.18.5. Consider upgrading to a SheetJS patched release or switching to a maintained alternative.

🤖 Prompt for AI Agents
In apps/api/package.json around line 140, the dependency "xlsx": "^0.18.5" is
vulnerable (CVE-2023-30533, CVE-2024-22363); update it to a patched SheetJS
release (at least 0.20.2) or replace with a maintained alternative. Edit
package.json to bump the xlsx version to ">=0.20.2" (or swap to an alternative
package), then reinstall dependencies (npm/yarn), regenerate the lockfile, run
the test suite and npm audit to confirm vulnerabilities are resolved.

*/
function extractFileIdToTopLevel(response: HandlerResponse): HandlerResponse {
export function extractFileIdToTopLevel(response: HandlerResponse): HandlerResponse {
if (!response.success || !response.data || typeof response.data !== 'object') {
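Review bot: the guard on the last line, `typeof response.data !== 'object'`, still admits arrays, so the spread further down in this function (lines 185-186, per the comment thread) would turn an array payload into an object with numeric keys; add `|| Array.isArray(response.data)` to the condition so only plain objects are processed. Now that the function is exported for other modules, its JSDoc (the `*/` block above) should also state that only plain-object `data` is rewritten and any other shape is returned unchanged.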

⚠️ Potential issue | 🔴 Critical

Critical: Type check doesn't distinguish arrays from objects.

The check typeof response.data !== 'object' at line 124 returns false for both plain objects and arrays. At lines 185-186, spreading response.data assumes it's a plain object, but if it's an array, the spread will create an object with numeric keys (e.g., {0: item1, 1: item2, ...}), which is not the intended structure.

🔎 Proposed fix to handle array vs object distinction
-  if (!response.success || !response.data || typeof response.data !== 'object') {
+  if (!response.success || !response.data || typeof response.data !== 'object' || Array.isArray(response.data)) {
     return response;
   }

This ensures the function only processes plain objects, not arrays.

Also applies to: 181-189

🤖 Prompt for AI Agents
In apps/api/src/modules/tool/dynamic-tooling/core/handler-post.ts around lines
124 and also affecting 181-189, the current guard uses typeof response.data !==
'object' which does not exclude arrays; update the check to explicitly reject
arrays (e.g., add Array.isArray(response.data) to the condition) so only plain
objects pass, and then safely spread response.data at 185-186; if arrays are
expected in some flows, handle them separately (return an error or process the
array explicitly) and update typings to reflect the allowed shape.

Comment on lines +710 to +727
});

// Download file first
const response = await axios.get(s3url, { responseType: 'arraybuffer' });
const buffer = Buffer.from(response.data);

// Convert Google format to standard format
const converted = await this.convertGoogleFormat(buffer, resolvedMimeType, fileName);
fileContent = converted.buffer;
mimeType = converted.mimeType;
fileName = converted.fileName;

this.logger.debug('Conversion completed', {
originalMimeType: resolvedMimeType,
convertedMimeType: mimeType,
convertedFileName: fileName,
});
}
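Review bot: `axios.get(s3url, { responseType: 'arraybuffer' })` sets neither `timeout` nor `maxContentLength`/`maxBodyLength`, so an unresponsive endpoint blocks the post-handler and an oversized object is buffered whole into memory before `convertGoogleFormat` runs; pass both limits in the request options and fail the conversion with a logged error when either is exceeded. The `this.logger.debug('Conversion completed', ...)` call would also be more useful for diagnosing size-related failures if it logged `buffer.length` next to the converted MIME type and file name.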

⚠️ Potential issue | 🟡 Minor

Add timeout to axios request to prevent hanging.

The axios.get call on line 713 lacks a timeout, which could cause the request to hang indefinitely if the remote server is unresponsive.

🔎 Proposed fix
         // Download file first
-        const response = await axios.get(s3url, { responseType: 'arraybuffer' });
+        const response = await axios.get(s3url, { 
+          responseType: 'arraybuffer',
+          timeout: 30000, // 30 second timeout
+        });
         const buffer = Buffer.from(response.data);
🤖 Prompt for AI Agents
In
apps/api/src/modules/tool/tool-execution/post-execution/composio-post.service.ts
around lines 710 to 727, the axios.get call that downloads s3url has no timeout
and can hang indefinitely; update the axios.get call to include a sensible
timeout (e.g., 10_000 ms) in the request options (keeping responseType:
'arraybuffer'), and ensure any timeout/retry error is properly handled (catch
and log or rethrow with contextual message) so the service won’t block on
unresponsive remote servers.

Comment on lines +143 to +154
): Promise<string> {
// Get current user from tool-context
const user = getCurrentUser();

// Get file details and validate permissions
const driveFile = await this.driveService.getDriveFileDetail(user, fileId, {
includeContent: false,
});

if (!driveFile) {
throw new Error(`File not found or access denied: ${fileId}`);
}
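Review bot: the result of `getCurrentUser()` is passed straight into `this.driveService.getDriveFileDetail` with no check, so when the tool context carries no user the permission check runs with `undefined` instead of failing closed; add an explicit guard immediately after the call that throws an authorization error before any drive access. Keeping the single combined message `File not found or access denied: ${fileId}` is the right call, since it does not tell the caller whether an id they cannot access actually exists.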

⚠️ Potential issue | 🟡 Minor

Potential undefined user passed to DriveService.

getCurrentUser() can return undefined, but getDriveFileDetail is called without a null check. If user is undefined, the DriveService call may fail or behave unexpectedly.

🔎 Proposed fix
   private async downloadFileToTemp(
     fileId: string,
     _fieldPath: string,
     toolsetKey: string,
   ): Promise<string> {
     // Get current user from tool-context
     const user = getCurrentUser();
+    if (!user) {
+      throw new Error('User context is required for file download');
+    }

     // Get file details and validate permissions
     const driveFile = await this.driveService.getDriveFileDetail(user, fileId, {
🤖 Prompt for AI Agents
In
apps/api/src/modules/tool/tool-execution/pre-execution/composio/composio-pre.service.ts
around lines 143 to 154, getCurrentUser() may return undefined but its result is
passed directly to this.driveService.getDriveFileDetail; add a null-check
immediately after calling getCurrentUser() and handle the missing user by
throwing an appropriate authentication/authorization error (or returning a clear
error response) before calling getDriveFileDetail so that a defined user object
is always passed to the DriveService.

},
"dependencies": {
"@composio/core": "^0.2.4",
"@composio/core": "^0.3.3",
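Review bot: the bump from `^0.2.4` to `^0.3.3` crosses a 0.x minor boundary that the comment below documents as breaking (legacy MCP helpers removed, `response_data` flattened into typed fields, Tool Router API stabilized), yet the PR description does not mention the upgrade at all; the description should call it out together with the migration steps taken, and the lockfile update and the integration runs against each Composio toolkit belong in this PR rather than being assumed.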

⚠️ Potential issue | 🟠 Major

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
# Check npm registry for @composio/core version info
curl -s https://registry.npmjs.org/@composio/core | jq '.["dist-tags"], (.versions | to_entries | map(select(.key | test("^0\\.[23]\\."))) | map({version: .key, published: .value.time}) | sort_by(.version) | .[-10:])'

Repository: refly-ai/refly

Length of output: 752


🌐 Web query:

breaking changes @composio/core 0.2.4 0.3.3 migration guide

💡 Result:

Summary of breaking changes and migration steps moving from @composio/core ~0.2.x (e.g. 0.2.4) to 0.3.x (e.g. 0.3.3)

Key breaking changes

  • MCP API surface reworked: legacy/experimental MCP helpers were removed or moved under deprecated namespaces; create/manage MCP servers uses the new composio.mcp API instead of the old deprecated.mcp usage. [1][2]
  • Response shape change for toolkit outputs: many tool responses were flattened and are now explicitly typed (old nested response_data shape removed). If you post-process response_data you must update to the new flat fields or re-fetch toolkit schemas. [1][3]
  • Tool Router / routing API stabilized and changed (experimental → stable): APIs and call patterns for creating routed MCP sessions changed; update code that used composio.experimental.tool_router.*. [2]
  • Package and naming notes (context): the v3-era SDKs renamed/changed client patterns; verify imports and initialization patterns match the 0.3.x docs (examples moved to the v3 docs). [4]

Minimal migration actions

  1. Read the 0.3.x migration notes and changelog for the exact call signatures you use. [1][2]
  2. Replace legacy MCP calls:
    • Before: composio.deprecated.mcp.createServer(...) (or experimental tool_router)
    • After: use composio.mcp.create(...) / new Tool Router APIs per docs. Test MCP URLs and headers. [2][5]
  3. Update response handling:
    • Stop expecting data.response_data; adjust to flattened/typed response fields and re-fetch toolkit schemas in platform UI if needed. [1][3]
  4. Update imports/initialization if your code relied on renamed packages or experimental exports; follow the 0.3.x examples in the docs. [4]
  5. Run test suite and smoke-test all toolkits (especially anything that relied on response_data shapes or experimental Tool Router/MCP flows).

Sources
[1] Composio changelog — flattening/typed outputs & response shape notes. https://docs.composio.dev/docs/changelog.
[2] Composio changelog (Tool Router / MCP migration notes). https://docs.composio.dev/docs/changelog/2025/12/15.
[3] Changelog entry describing response_data → flattened outputs (Dec 9, 2025). https://docs.composio.dev/changelog.
[4] Blog / SDK preview and migration pointers for v3 SDKs (package/usage notes). https://composio.dev/blog/new-sdk-preview.
[5] TypeScript SDK migration example (legacy MCP → new MCP API). https://docs.composio.dev/docs/changelog/2025/9/26.

If you want, I can produce a line-by-line code diff for your repository (paste the affected files) or map specific old calls in your code to their 0.3.3 equivalents.


🌐 Web query:

@composio/core version 0.3.3 security vulnerabilities

💡 Result:

Do you mean the npm package "@composio/core" version 0.3.3, or the Python package "composio-core" (PyPI) version 0.3.3?


Verify compatibility with @composio/core 0.3.3 breaking changes.

The upgrade from 0.2.4 to 0.3.3 introduces documented breaking changes: MCP API surface reworked (legacy helpers removed/moved), response shape changes (response_data removed and outputs flattened), and Tool Router API stabilized. Ensure the codebase does not rely on:

  • Legacy MCP calls (deprecated.mcp) — must migrate to composio.mcp
  • response_data field in toolkit outputs — adjust to flattened/typed response fields
  • Experimental tool router patterns — update to stable API

Run integration tests against all composio toolkits after upgrade.

🤖 Prompt for AI Agents
In package.json around line 79, the project bumped @composio/core to 0.3.3 which
contains breaking changes; update all code that still uses legacy MCP helpers
(deprecated.mcp) to the new composio.mcp API, refactor toolkit output handling
to remove reliance on response_data and adapt to the flattened/typed output
fields, and replace any experimental tool-router usage with the stabilized Tool
Router API; audit imports/usages across the repo, update types/interfaces and
tests accordingly, then run and fix failing integration tests against each
composio toolkit to ensure compatibility.

@alchemistklk alchemistklk changed the title feat(tools): add file upload pre-processing and resource handling improvements [REF-1048]feat(tools): add file upload pre-processing and resource handling improvements Dec 26, 2025
linear bot commented Dec 26, 2025

REF-1048 Composio adaptation

@alchemistklk alchemistklk merged commit f74d7dd into main Dec 26, 2025
2 checks passed