improvement(utils): add shared utility functions and replace inline patterns

[waleedlatif1]

Summary

• Add sleep, toError, safeJsonParse, isNonNull to @/lib/core/utils/helpers
• Add invariant, assertNever to @/lib/core/utils/asserts
• Replace all inline new Promise(resolve => setTimeout(resolve, ms)) with sleep(ms) across 29 files
• Replace all inline e instanceof Error ? e.message : String(e) with toError(e).message across ~290 files
• Document utility patterns in CLAUDE.md, .claude/rules/global.md, .cursor/rules/global.mdc
• Zero behavioral changes — all replacements are 1:1 equivalent

Type of Change

• Improvement (code cleanup / consolidation)

Testing

• bun run lint passes
• bun run type-check passes (sim package)
• Verified toError fallback uses String(value) to match original inline behavior exactly

Checklist

• Code follows project style guidelines
• Self-reviewed my changes
• Tests added/updated and passing
• No new warnings introduced
• I confirm that I have read and agree to the terms outlined in the Contributor License Agreement (CLA)

[vercel]

The latest updates on your projects. Learn more about Vercel for GitHub.

Project	Deployment	Actions	Updated (UTC)
docs	Ready	Preview, Comment	Apr 17, 2026 8:32pm

[cursor]

PR Summary

Medium Risk
Broad refactor touches many request handlers and background jobs, so regressions would be widespread if toError/sleep behavior differs in edge cases; additional redirect/URL validation and the new Agiloft fetch endpoint also affect security-sensitive request flows.

Overview
Standardizes common patterns by adding @/lib/core/utils/helpers (e.g. sleep, toError, safeJsonParse, isNonNull) and @/lib/core/utils/asserts (e.g. invariant, assertNever), then updates many API routes, background tasks, and UI hooks to use these helpers instead of inline setTimeout promises and instanceof Error ? ... message normalization.

Adds a few security/validation hardenings: validates Shopify returnUrl with isSameOrigin, validates user-supplied OIDC endpoints in SSO registration via validateUrlWithDNS before discovery, and sanitizes/validates Supabase projectId when constructing Storage URLs.

Adds a new internal POST /api/tools/agiloft/retrieve endpoint to authenticate to Agiloft, download an attachment, and return it as base64 (with SSRF validation and logout cleanup).

^{Reviewed by Cursor Bugbot for commit 4b89bd6. Configure here.}

[waleedlatif1]

@greptile

[waleedlatif1]

@cursor review

[cursor]

✅ Bugbot reviewed your changes and found no new issues!

Comment @cursor review or bugbot run to trigger another review on this PR

^{Reviewed by Cursor Bugbot for commit db54596. Configure here.}

[greptile-apps]

Greptile Summary

This PR extracts five common inline patterns — sleep, toError, safeJsonParse, isNonNull, invariant/assertNever — into shared utility modules and applies them across the codebase (~320 files). It also introduces supabase/utils.ts with supabaseBaseUrl(), which replaces bare template-literal URL construction with validated project ID input, preventing SSRF via fragment injection.

The toError/sleep replacements are verified 1:1 equivalent. The Supabase URL changes are a security improvement (not truly zero behavioral change), but are well-tested and intentional.

Confidence Score: 5/5

Safe to merge — all replacements are verified equivalent, and the Supabase validation is a net security improvement.

No P0 or P1 issues found. The toError/sleep replacements are 1:1 equivalent to the original inline patterns. The supabaseBaseUrl change adds beneficial input validation with comprehensive tests. Documentation updates are accurate. Prior review concerns have been addressed.

No files require special attention.

Important Files Changed

Filename	Overview
apps/sim/lib/core/utils/helpers.ts	New utility module with sleep, safeJsonParse, isNonNull, and toError — all correctly implemented and 1:1 equivalent to the replaced inline patterns.
apps/sim/lib/core/utils/asserts.ts	New assertion utilities: invariant (throws on falsy condition) and assertNever (exhaustive switch guard). Both are correctly typed and implemented.
apps/sim/tools/supabase/utils.ts	New supabaseBaseUrl() wraps validateSupabaseProjectId() to enforce lowercase-alphanumeric project IDs before URL construction, preventing SSRF via fragment injection. Correctly implemented and well-guarded.
apps/sim/tools/supabase/utils.test.ts	Comprehensive test suite covering valid IDs, empty strings, fragment injection, path traversal, authority injection, uppercase, and too-short IDs. Uses correct vi.mock/static-import pattern.
apps/sim/lib/execution/isolated-vm.ts	Replaces inline error-message ternary with toError(error).message in the logger call; the intentional user-facing fallback 'Unknown fetch error' in the return value is preserved unchanged.
apps/sim/executor/execution/engine.ts	Two replacements: toError(error) for executionError assignment and toError(error).message for logger — both 1:1 equivalent to the original inline patterns.
apps/sim/app/workspace/[workspaceId]/knowledge/hooks/use-knowledge-upload.ts	Local sleep helper removed and replaced with shared sleep import — identical implementation, clean extraction.

Flowchart

%%{init: {'theme': 'neutral'}}%%
flowchart TD
    A[Catch block] --> B[toError value]
    B -->|instanceof Error| C[Return error as-is]
    B -->|typeof string| D[new Error with value]
    B -->|other| E[new Error with String value]
    C --> F[.message]
    D --> F
    E --> F

    G[Supabase tool url fn] --> H[supabaseBaseUrl projectId]
    H --> I[validateSupabaseProjectId]
    I -->|invalid| J[throw Error]
    I -->|valid| K[https sanitized .supabase.co]

    L[sleep ms] --> M[setTimeout resolve ms]

Loading

_{Reviews (4): Last reviewed commit: "chore(utils): remove unused utilities (a..." | Re-trigger Greptile}

[waleedlatif1]

@greptile

[waleedlatif1]

@cursor review

[cursor]

✅ Bugbot reviewed your changes and found no new issues!

Comment @cursor review or bugbot run to trigger another review on this PR

^{Reviewed by Cursor Bugbot for commit a05b442. Configure here.}

[waleedlatif1]

@cursor review

[waleedlatif1]

@greptile

[waleedlatif1]

@greptile

[waleedlatif1]

@cursor review

[cursor]

✅ Bugbot reviewed your changes and found no new issues!

Comment @cursor review or bugbot run to trigger another review on this PR

^{Reviewed by Cursor Bugbot for commit 4b89bd6. Configure here.}