
v0.5.99: local dev improvements, live workflow logs in terminal #3308

Merged
waleedlatif1 merged 3 commits into main from staging
Feb 23, 2026


@waleedlatif1
Collaborator

waleedlatif1 and others added 3 commits February 22, 2026 14:58
* fix(security): allow localhost HTTP without weakening SSRF protections

* fix(security): remove extraneous comments and fix failing SSRF test

* fix(security): derive isLocalhost from hostname not resolved IP in validateUrlWithDNS

* fix(security): verify resolved IP is loopback when hostname is localhost in validateUrlWithDNS

---------

Co-authored-by: aayush598 <aayushgid598@gmail.com>
…parallel subflow blocks (#3305)

* fix(executor): resolve block ID for parallel subflow active state

* fix timing for parallel block

* refactor(parallel): extract shared updateActiveBlockRefCount helper

* fix(parallel): error-sticky block run status to prevent branch success masking failure

* Revert "fix(parallel): error-sticky block run status to prevent branch success masking failure"

This reverts commit 9c087cd.
* feat(terminal): expandable child workflow blocks in console

* fix(terminal): cycle guard in collectWorkflowDescendants, workflow node running/canceled state

* fix(terminal): expand workflow blocks nested inside loop/parallel iterations

* fix(terminal): prevent child block mixing across loop iterations for workflow blocks

* ack PR comments, remove extraneous logs

* feat(terminal): real-time child workflow block propagation in console

* fix(terminal): align parallel guard in WorkflowBlockHandler.getIterationContext with BlockExecutor

* fix(terminal): fire onChildWorkflowInstanceReady regardless of nodeMetadata presence

* fix(terminal): use shared isWorkflowBlockType from executor/constants
@vercel

vercel bot commented Feb 23, 2026

The latest updates on your projects. Learn more about Vercel for GitHub.

1 Skipped Deployment
| Project | Deployment | Actions | Updated (UTC) |
| --- | --- | --- | --- |
| docs | Skipped | Skipped | Feb 23, 2026 8:18am |


@greptile-apps
Contributor

greptile-apps bot commented Feb 23, 2026

Greptile Summary

This PR implements three significant improvements for local development and workflow execution visualization:

Security Enhancement

  • Modified URL validation to allow HTTP protocol for localhost and loopback addresses (localhost, 127.0.0.1, ::1) while maintaining HTTPS requirement for external URLs
  • Enables local development workflows without requiring HTTPS setup

Parallel Workflow Fixes

  • Implemented reference counting for active blocks to prevent premature state clearing when parallel branches execute the same block
  • Fixed duration calculation: parallel branches now show wall-clock time while loop iterations show cumulative time
  • Ensures blocks remain visually active until all parallel invocations complete

Child Workflow Visualization

  • Added expandable workflow block nodes in terminal console with full nested hierarchy support
  • Introduced per-invocation childWorkflowInstanceId to correctly correlate child block events across loop iterations
  • Implemented MAX_SSE_CHILD_DEPTH limit (3 levels) to prevent performance issues with deeply nested workflows
  • Added block:childWorkflowStarted event for pre-association of running entries before child execution begins

Critical Issues Found

  • Loopback detection only checks exact IPs (127.0.0.1, ::1) but misses the full 127.0.0.0/8 range - addresses like 127.0.0.2 or 127.1.2.3 would be incorrectly rejected

Confidence Score: 3/5

  • Safe to merge after fixing loopback range detection logic
  • The PR contains well-structured features with proper type safety and comprehensive test updates. However, the localhost security logic has a critical bug where only exact loopback IPs are checked instead of the full 127.0.0.0/8 range, which could break legitimate local development scenarios using addresses like 127.0.0.2 or 127.1.1.1
  • Security validation files need loopback range fix: apps/sim/lib/core/security/input-validation.ts and apps/sim/lib/core/security/input-validation.server.ts

Important Files Changed

| Filename | Overview |
| --- | --- |
| apps/sim/lib/core/security/input-validation.ts | Allows HTTP for localhost/loopback addresses while maintaining HTTPS requirement for external URLs |
| apps/sim/lib/core/security/input-validation.server.ts | DNS validation now permits localhost and loopback IPs with proper detection logic |
| apps/sim/app/workspace/[workspaceId]/w/[workflowId]/utils/workflow-execution-utils.ts | Added ref counting for active blocks in parallel workflows and child workflow context handling |
| apps/sim/app/workspace/[workspaceId]/w/[workflowId]/components/terminal/terminal.tsx | Added WorkflowNodeRow component for expandable child workflow blocks in terminal console |
| apps/sim/app/workspace/[workspaceId]/w/[workflowId]/components/terminal/utils.ts | Added workflow node tree building logic with proper duration calculation for parallel vs serial execution |
| apps/sim/executor/handlers/workflow/workflow-handler.ts | Propagates callbacks to child workflows with unique instance IDs for correlation in nested executions |

Sequence Diagram

```mermaid
sequenceDiagram
    participant Client as Client/Terminal
    participant API as Workflow API
    participant Executor as Workflow Executor
    participant Handler as WorkflowHandler
    participant ChildExec as Child Workflow
    participant Console as Console Store

    Client->>API: Execute workflow (SSE stream)
    API->>Executor: Start execution with callbacks
    Executor->>Handler: Execute workflow block

    Note over Handler: Generate unique instanceId
    Handler->>Console: onChildWorkflowInstanceReady(instanceId)
    Console-->>Client: Update entry with instanceId

    Handler->>ChildExec: Start child with callbacks & context
    Note over ChildExec: depth <= MAX_SSE_CHILD_DEPTH

    loop For each child block
        ChildExec->>Console: onBlockStart(childWorkflowContext)
        Console-->>Client: Add console entry with parentBlockId
        ChildExec->>ChildExec: Execute block
        ChildExec->>Console: onBlockComplete(childWorkflowContext)
        Console-->>Client: Update with childWorkflowInstanceId
    end

    ChildExec-->>Handler: Return result with instanceId
    Handler-->>Executor: Return workflow block output
    Executor->>Console: onBlockComplete(instanceId)
    Console-->>Client: Mark workflow block complete

    Note over Client: Tree builder groups children<br/>by instanceId for display
```

Last reviewed commit: 69ec70a
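
The loopback rules discussed in this PR, sketched as an added example that is not the project's code: HTTP is exempted only for `localhost`, `::1` and the whole 127.0.0.0/8 range, and the resolved address must agree with the hostname. All function names are hypothetical, and the sketch covers only the loopback exemption, not the other private-range SSRF checks.

```typescript
// Added example: function names are hypothetical, not the project's API.
type Verdict = { ok: true } | { ok: false; reason: string }

// Strict dotted-quad parser: decimal octets only, no leading zeros.
function parseIPv4(host: string): number[] | null {
  const parts = host.split('.')
  if (parts.length !== 4) return null
  const octets: number[] = []
  for (const p of parts) {
    if (!/^(0|[1-9]\d{0,2})$/.test(p) || Number(p) > 255) return null
    octets.push(Number(p))
  }
  return octets
}

// Loopback = all of 127.0.0.0/8 plus ::1, not just the literal 127.0.0.1.
// IPv4-mapped IPv6 forms are deliberately not exempted here.
function isLoopbackIp(ip: string): boolean {
  const bare = ip.replace(/^\[|\]$/g, '').toLowerCase()
  if (bare === '::1') return true
  const v4 = parseIPv4(bare)
  return v4 !== null && v4[0] === 127
}

function isLoopbackHost(hostname: string): boolean {
  return hostname === 'localhost' || isLoopbackIp(hostname)
}

// Protocol rule: https for everything, http only when the host is loopback.
function checkUrlProtocol(raw: string): Verdict {
  let url: URL
  try { url = new URL(raw) }
  catch { return { ok: false, reason: 'unparseable URL' } }
  if (url.protocol === 'https:') return { ok: true }
  if (url.protocol === 'http:' && isLoopbackHost(url.hostname)) return { ok: true }
  return { ok: false, reason: 'http is only allowed for localhost/loopback' }
}

// Post-DNS rule: the exemption comes from the hostname, and the resolved
// address must agree with it in both directions.
function checkResolvedAddress(hostname: string, resolvedIp: string): Verdict {
  const named = isLoopbackHost(hostname)
  const resolved = isLoopbackIp(resolvedIp)
  if (named && !resolved) return { ok: false, reason: 'localhost resolved off-loopback' }
  if (!named && resolved) return { ok: false, reason: 'external name resolved to loopback' }
  return { ok: true }
}
```
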

@greptile-apps greptile-apps bot left a comment

22 files reviewed, 3 comments

@waleedlatif1 waleedlatif1 merged commit af59234 into main Feb 23, 2026
27 checks passed