v0.6.100: auth, mothership, scopes improvements, new apify tools

[icecrasher321]

• fix(mothership): scope mothership block tool permissions to the executing user (fix(mothership): scope mothership block tool permissions to the executing user #4843)
• feat(landing): add AI-generated content disclaimer to integration landing pages (feat(landing): add AI-generated content disclaimer to integration landing page #4845)
• fix(hubspot): remove unused scopes (fix(hubspot): remove unused scopes #4846)
• chore(auth): remove deprecated OAuth MCP provider plugin and backing tables (chore(auth): remove deprecated OAuth MCP provider plugin and backing tables #4847)
• fix(mothership): connect integrations from chat without state_mismatch (fix(mothership): connect integrations from chat without state_mismatch #4848)
• fix(tables): count dispatcher pre-stamps in "X running" during active dispatch (fix(tables): count dispatcher pre-stamps in "X running" during active dispatch #4850)
• feat(apify): add run task, get dataset items, and get run tools (feat(apify): add run task, get dataset items, and get run tools #4851)
• feat(connectors): add 11 knowledge base connectors

[vercel]

The latest updates on your projects. Learn more about Vercel for GitHub.

Project	Deployment	Actions	Updated (UTC)
docs	Ready	Preview, Comment	Jun 2, 2026 7:58pm

[cursor]

PR Summary

High Risk
Large auth surface removal (OIDC tables/plugins) plus new OAuth redirect/cookie path; any external client relying on the old authorization server or consent flow will break.

Overview
Removes the Better Auth OIDC/MCP authorization-server stack (consent UI, CIMD client resolution, .well-known discovery routes, JWT plugin, and DB tables for JWKS/OAuth apps/tokens/consent) and tightens CORS so JWKS/well-known are no longer wildcard-served.

Workspace OAuth from chat now uses a new browser GET /api/auth/oauth2/authorize entrypoint: it checks workspace write access, creates/refreshes the pending credential draft at click time, calls oAuth2LinkAccount in the user’s browser, and forwards Better Auth’s state cookie so callbacks avoid state_mismatch. Copilot’s oauth_get_auth_link returns that URL instead of linking server-side.

Copilot passes userPermission from the request payload into the execution context (with a lifecycle test). HubSpot OAuth scopes are trimmed to drop unused permissions.

Integration landing pages gain optional aiDisclaimer content (Slack copy for marketplace AI guidelines). Table dispatch running-cell counts can include unclaimed pre-stamps during active dispatch so the badge matches live SSE counts.

^{Reviewed by Cursor Bugbot for commit 34ee7f9. Bugbot is set up for automated code reviews on this repo. Configure here.}

[greptile-apps]

Greptile Summary

This PR bundles five related changes: removal of the OIDC/JWT MCP provider plugin and its backing tables (jwks, oauth_access_token, oauth_application, oauth_consent), a reworked browser-initiated OAuth authorize flow that fixes state_mismatch errors when connecting integrations from chat, propagation of userPermission from the request payload into the copilot execution context for mothership permission scoping, unused HubSpot scope removal, and an optional AI-generated content disclaimer on integration landing pages.

• OIDC removal: The oidcProvider and jwt better-auth plugins are dropped along with all supporting routes (/oauth/consent, /.well-known/oauth-*, /api/auth/oauth2/authorize-params), CIMD client registration, and CORS rules for JWKS/discovery. The corresponding DB migration drops the four backing tables with CASCADE.
• OAuth state-mismatch fix: generateOAuthLink now returns a URL pointing to the new /api/auth/oauth2/authorize endpoint instead of calling oAuth2LinkAccount server-side. The new endpoint runs inside the user's browser request so Better Auth's signed state cookie is planted correctly and survives the OAuth round-trip.
• Mothership permission scoping: buildExecutionContext now reads userPermission from the request payload and sets it on the ExecutionContext, enabling the management-tool handlers to enforce the executing user's workspace role when called via the mothership block.

Confidence Score: 4/5

Safe to merge with awareness that the management-handler permission model has a design gap that is now more visible.

The OAuth state-mismatch fix is well-reasoned and the browser-initiated flow is implemented correctly with a proper open-redirect guard. The OIDC removal is complete — schema, routes, plugins, CORS rules, and the DB migration all match. Two areas warrant follow-up: the new authorize endpoint creates a pendingCredentialDraft for any non-empty providerId string before validating it against known services, which could produce orphaned drafts; and userPermission flowing from the client payload is now the sole write-gate in the management handlers, which can be bypassed by omission. Neither is a regression — the draft expires, and the permission gap existed before. The HubSpot scope reduction and AI disclaimer addition are straightforward and low-risk.

apps/sim/app/api/auth/oauth2/authorize/route.ts (providerId validation before draft creation) and apps/sim/lib/copilot/tools/handlers/management/* (userPermission as sole write gate)

Important Files Changed

Filename	Overview
apps/sim/app/api/auth/oauth2/authorize/route.ts	New browser-initiated OAuth2 authorize endpoint that creates credential drafts and plants the Better Auth state cookie correctly, fixing state_mismatch in chat-initiated flows. Well-structured with workspace access check and open-redirect guard.
apps/sim/lib/auth/auth.ts	Removes jwt/oidcProvider plugins and CIMD resolution middleware, drops claude.ai/claude.com from trustedOrigins. Clean removal matching the DB migration.
apps/sim/lib/copilot/tools/handlers/oauth.ts	Simplified to return a browser-initiated authorize URL instead of calling oAuth2LinkAccount server-side. workspaceId guard ensures the call fails early if undefined before building the URL.
apps/sim/lib/copilot/request/lifecycle/run.ts	Propagates userPermission from request payload into ExecutionContext, enabling mothership tool execution to scope permissions to the executing user's workspace role.
packages/db/migrations/0223_lowly_shocker.sql	Drops jwks, oauth_access_token, oauth_application, and oauth_consent tables with CASCADE. These back the removed oidcProvider/jwt plugins and have no remaining references in schema.ts.
apps/sim/lib/oauth/oauth.ts	Removes unused HubSpot scopes: crm.objects.users.write, crm.objects.marketing_events.write, crm.objects.quotes.write, crm.objects.carts.write, crm.import.
apps/sim/proxy.ts	Removes CORS rules for /api/auth/jwks and /api/auth/.well-known/ — consistent with removal of the JWKS/OIDC discovery endpoints.
apps/sim/lib/api/contracts/oauth-connections.ts	Removes old oauthAuthorizeParams contract and adds new authorizeOAuth2Contract with providerId + workspaceId query params for the browser-initiated flow.

Sequence Diagram

sequenceDiagram
    participant Browser
    participant CopilotAPI as /api/chat (copilot)
    participant OAuthHandler as oauth.ts handler
    participant AuthorizeRoute as /api/auth/oauth2/authorize
    participant BetterAuth as Better Auth
    participant Provider as OAuth Provider

    Browser->>CopilotAPI: POST /api/chat (message: connect Google)
    CopilotAPI->>OAuthHandler: executeOAuthGetAuthLink(context)
    OAuthHandler->>OAuthHandler: ensureWorkspaceAccess(workspaceId, userId, write)
    OAuthHandler->>OAuthHandler: generateOAuthLink(workspaceId, workflowId, ...)
    OAuthHandler-->>CopilotAPI: "oauth_url = /api/auth/oauth2/authorize?providerId=...&workspaceId=..."
    CopilotAPI-->>Browser: stream response with oauth_url

    Note over Browser,Provider: User clicks the oauth_url link

    Browser->>AuthorizeRoute: "GET /api/auth/oauth2/authorize?providerId=google&workspaceId=ws-1"
    AuthorizeRoute->>AuthorizeRoute: getSession() validate auth
    AuthorizeRoute->>AuthorizeRoute: checkWorkspaceAccess(workspaceId, userId)
    AuthorizeRoute->>AuthorizeRoute: createConnectDraft(userId, workspaceId, providerId)
    AuthorizeRoute->>BetterAuth: "auth.api.oAuth2LinkAccount({ providerId, callbackURL })"
    BetterAuth-->>AuthorizeRoute: "{ url: provider_auth_url } + Set-Cookie state"
    AuthorizeRoute-->>Browser: 302 to provider + Set-Cookie forwarded
    Browser->>Provider: GET provider_auth_url
    Provider-->>Browser: "302 to /api/auth/callback/google?code=...&state=..."
    Browser->>BetterAuth: GET /api/auth/callback/google with state cookie
    BetterAuth->>BetterAuth: account.create.after hook consume pendingCredentialDraft
    BetterAuth-->>Browser: 302 to callbackURL

Loading

_{Reviews (1): Last reviewed commit: "fix(mothership): connect integrations fr..." | Re-trigger Greptile}