refactor(tools): route grafana/agiloft egress server-side, drop SSRF browser shim

Move the server-only SSRF-pinned fetch out of the grafana (update_dashboard,
update_alert_rule) and agiloft (11 record/search tools) definitions and into
internal API routes, the same pattern the rest of the server-side tools (and
agiloft's own attach/retrieve) already use. The tool definitions are now purely
declarative (request → internal route), so they no longer import
`input-validation.server` and the tools registry is fully client-safe.

With connectors (meta split) and these tools no longer reaching server-only code
from the client bundle, the browser no longer pulls in `dns`/`net`/`tls`:

- Add `import 'server-only'` to `input-validation.server.ts` so any future client
  import fails loudly at build time instead of silently bloating the bundle.
- Remove the `turbopack.resolveAlias` browser stub and delete
  `empty-node-fallback.browser.ts` — the root cause is fixed, the shim is gone.

Behavior is unchanged: each route runs the exact merge/validation/fetch logic the
tool ran before (every header, param branch, JSON-parse guard, error string, and
SSRF pinning preserved); only the location of execution moved from the client-
bundled definition to a server route.

Author: waleedlatif1

apps/sim/app/api/tools/agiloft/attachment_info/route.ts

@@ -0,0 +1,106 @@
+import { createLogger } from '@sim/logger'
+import { toError } from '@sim/utils/errors'
+import { type NextRequest, NextResponse } from 'next/server'
+import { agiloftAttachmentInfoContract } from '@/lib/api/contracts/tools/agiloft'
+import { getValidationErrorMessage, parseRequest } from '@/lib/api/server'
+import { checkInternalAuth } from '@/lib/auth/hybrid'
+import { generateRequestId } from '@/lib/core/utils/request'
+import { withRouteHandler } from '@/lib/core/utils/with-route-handler'
+import type { AgiloftAttachmentInfoResponse } from '@/tools/agiloft/types'
+import { buildAttachmentInfoUrl } from '@/tools/agiloft/utils'
+import { executeAgiloftRequest } from '@/tools/agiloft/utils.server'
+
+export const dynamic = 'force-dynamic'
+
+const logger = createLogger('AgiloftAttachmentInfoAPI')
+
+export const POST = withRouteHandler(async (request: NextRequest) => {
+  const requestId = generateRequestId()
+
+  try {
+    const authResult = await checkInternalAuth(request, { requireWorkflowId: false })
+
+    if (!authResult.success || !authResult.userId) {
+      logger.warn(
+        `[${requestId}] Unauthorized Agiloft attachment_info attempt: ${authResult.error}`
+      )
+      return NextResponse.json(
+        { success: false, error: authResult.error || 'Authentication required' },
+        { status: 401 }
+      )
+    }
+
+    const parsed = await parseRequest(
+      agiloftAttachmentInfoContract,
+      request,
+      {},
+      {
+        validationErrorResponse: (error) => {
+          logger.warn(`[${requestId}] Invalid request data`, { errors: error.issues })
+          return NextResponse.json(
+            {
+              success: false,
+              error: getValidationErrorMessage(error, 'Invalid request data'),
+              details: error.issues,
+            },
+            { status: 400 }
+          )
+        },
+      }
+    )
+    if (!parsed.success) return parsed.response
+    const params = parsed.data.body
+
+    const result = await executeAgiloftRequest<AgiloftAttachmentInfoResponse>(
+      params,
+      (base) => ({
+        url: buildAttachmentInfoUrl(base, params),
+        method: 'GET',
+      }),
+      async (response) => {
+        if (!response.ok) {
+          const errorText = await response.text()
+          return {
+            success: false,
+            output: { attachments: [], totalCount: 0 },
+            error: `Agiloft error: ${response.status} - ${errorText}`,
+          }
+        }
+
+        const data = (await response.json()) as Record<string, unknown>
+        const result = (data.result ?? data) as Record<string, unknown>
+
+        const attachments: Array<{ position: number; name: string; size: number }> = []
+
+        if (Array.isArray(result)) {
+          for (let i = 0; i < result.length; i++) {
+            const item = result[i] as Record<string, unknown>
+            attachments.push({
+              position: (item.filePosition as number) ?? (item.position as number) ?? i,
+              name:
+                (item.fileName as string) ??
+                (item.name as string) ??
+                (item.filename as string) ??
+                '',
+              size: (item.size as number) ?? (item.fileSize as number) ?? 0,
+            })
+          }
+        }
+
+        return {
+          success: data.success !== false,
+          output: {
+            attachments,
+            totalCount: attachments.length,
+          },
+        }
+      }
+    )
+
+    return NextResponse.json(result)
+  } catch (error) {
+    logger.error(`[${requestId}] Error getting Agiloft attachment info:`, error)
+
+    return NextResponse.json({ success: false, error: toError(error).message }, { status: 500 })
+  }
+})

apps/sim/app/api/tools/agiloft/create_record/route.ts

@@ -0,0 +1,101 @@
+import { createLogger } from '@sim/logger'
+import { toError } from '@sim/utils/errors'
+import { type NextRequest, NextResponse } from 'next/server'
+import { agiloftCreateRecordContract } from '@/lib/api/contracts/tools/agiloft'
+import { getValidationErrorMessage, parseRequest } from '@/lib/api/server'
+import { checkInternalAuth } from '@/lib/auth/hybrid'
+import { generateRequestId } from '@/lib/core/utils/request'
+import { withRouteHandler } from '@/lib/core/utils/with-route-handler'
+import type { AgiloftRecordResponse } from '@/tools/agiloft/types'
+import { buildCreateRecordUrl } from '@/tools/agiloft/utils'
+import { executeAgiloftRequest } from '@/tools/agiloft/utils.server'
+
+export const dynamic = 'force-dynamic'
+
+const logger = createLogger('AgiloftCreateRecordAPI')
+
+export const POST = withRouteHandler(async (request: NextRequest) => {
+  const requestId = generateRequestId()
+
+  try {
+    const authResult = await checkInternalAuth(request, { requireWorkflowId: false })
+
+    if (!authResult.success || !authResult.userId) {
+      logger.warn(`[${requestId}] Unauthorized Agiloft create_record attempt: ${authResult.error}`)
+      return NextResponse.json(
+        { success: false, error: authResult.error || 'Authentication required' },
+        { status: 401 }
+      )
+    }
+
+    const parsed = await parseRequest(
+      agiloftCreateRecordContract,
+      request,
+      {},
+      {
+        validationErrorResponse: (error) => {
+          logger.warn(`[${requestId}] Invalid request data`, { errors: error.issues })
+          return NextResponse.json(
+            {
+              success: false,
+              error: getValidationErrorMessage(error, 'Invalid request data'),
+              details: error.issues,
+            },
+            { status: 400 }
+          )
+        },
+      }
+    )
+    if (!parsed.success) return parsed.response
+    const params = parsed.data.body
+
+    let body: string
+    try {
+      body = JSON.stringify(JSON.parse(params.data))
+    } catch {
+      return NextResponse.json({
+        success: false,
+        output: { id: null, fields: {} },
+        error: 'Invalid JSON in data parameter',
+      })
+    }
+
+    const result = await executeAgiloftRequest<AgiloftRecordResponse>(
+      params,
+      (base) => ({
+        url: buildCreateRecordUrl(base, params),
+        method: 'POST',
+        headers: { 'Content-Type': 'application/json', Accept: 'application/json' },
+        body,
+      }),
+      async (response) => {
+        if (!response.ok) {
+          const errorText = await response.text()
+          return {
+            success: false,
+            output: { id: null, fields: {} },
+            error: `Agiloft error: ${response.status} - ${errorText}`,
+          }
+        }
+
+        const data = (await response.json()) as Record<string, unknown>
+        const result = (data.result ?? data) as Record<string, unknown>
+        const id = result.id ?? result.ID ?? data.id ?? data.ID ?? null
+
+        return {
+          success: data.success !== false,
+          output: {
+            id: id != null ? String(id) : null,
+            fields: result ?? {},
+          },
+        }
+      }
+    )
+
+    return NextResponse.json(result)
+  } catch (error) {
+    logger.error(`[${requestId}] Error creating Agiloft record:`, error)
+
+    return NextResponse.json({ success: false, error: toError(error).message }, { status: 500 })
+  }
+})

apps/sim/app/api/tools/agiloft/delete_record/route.ts

@@ -0,0 +1,85 @@
+import { createLogger } from '@sim/logger'
+import { toError } from '@sim/utils/errors'
+import { type NextRequest, NextResponse } from 'next/server'
+import { agiloftDeleteRecordContract } from '@/lib/api/contracts/tools/agiloft'
+import { getValidationErrorMessage, parseRequest } from '@/lib/api/server'
+import { checkInternalAuth } from '@/lib/auth/hybrid'
+import { generateRequestId } from '@/lib/core/utils/request'
+import { withRouteHandler } from '@/lib/core/utils/with-route-handler'
+import type { AgiloftDeleteResponse } from '@/tools/agiloft/types'
+import { buildDeleteRecordUrl } from '@/tools/agiloft/utils'
+import { executeAgiloftRequest } from '@/tools/agiloft/utils.server'
+
+export const dynamic = 'force-dynamic'
+
+const logger = createLogger('AgiloftDeleteRecordAPI')
+
+export const POST = withRouteHandler(async (request: NextRequest) => {
+  const requestId = generateRequestId()
+
+  try {
+    const authResult = await checkInternalAuth(request, { requireWorkflowId: false })
+
+    if (!authResult.success || !authResult.userId) {
+      logger.warn(`[${requestId}] Unauthorized Agiloft delete_record attempt: ${authResult.error}`)
+      return NextResponse.json(
+        { success: false, error: authResult.error || 'Authentication required' },
+        { status: 401 }
+      )
+    }
+
+    const parsed = await parseRequest(
+      agiloftDeleteRecordContract,
+      request,
+      {},
+      {
+        validationErrorResponse: (error) => {
+          logger.warn(`[${requestId}] Invalid request data`, { errors: error.issues })
+          return NextResponse.json(
+            {
+              success: false,
+              error: getValidationErrorMessage(error, 'Invalid request data'),
+              details: error.issues,
+            },
+            { status: 400 }
+          )
+        },
+      }
+    )
+    if (!parsed.success) return parsed.response
+    const params = parsed.data.body
+
+    const result = await executeAgiloftRequest<AgiloftDeleteResponse>(
+      params,
+      (base) => ({
+        url: buildDeleteRecordUrl(base, params),
+        method: 'DELETE',
+        headers: { Accept: 'application/json' },
+      }),
+      async (response) => {
+        if (!response.ok) {
+          const errorText = await response.text()
+          return {
+            success: false,
+            output: { id: params.recordId?.trim() ?? '', deleted: false },
+            error: `Agiloft error: ${response.status} - ${errorText}`,
+          }
+        }
+
+        return {
+          success: true,
+          output: {
+            id: params.recordId?.trim() ?? '',
+            deleted: true,
+          },
+        }
+      }
+    )
+
+    return NextResponse.json(result)
+  } catch (error) {
+    logger.error(`[${requestId}] Error deleting Agiloft record:`, error)
+
+    return NextResponse.json({ success: false, error: toError(error).message }, { status: 500 })
+  }
+})