feat(monday): add full Monday.com integration #4210

Merged
waleedlatif1 merged 7 commits into staging from waleedlatif1/add-monday-integration
Apr 17, 2026

@waleedlatif1 waleedlatif1 commented Apr 17, 2026

Summary

  • 13 tools: list/get boards, CRUD items, search by column values, subitems, updates (comments), groups, move item to group, archive item
  • Block: operation dropdown with 13 operations, board/group selectors with OAuth credential, advanced mode for pagination/colors, wandConfig for JSON fields
  • 9 webhook triggers: item created/archived/deleted/moved, column changed, status changed, item name changed, subitem created, update posted — all with auto-subscription lifecycle via Monday's GraphQL API
  • OAuth: 7 scopes (boards:read/write, updates:read/write, webhooks:read/write, me:read), token endpoint, getUserInfo via GraphQL
  • Provider handler: challenge verification, createSubscription/deleteSubscription via GraphQL mutations, formatInput with full output alignment, idempotency via triggerUuid
  • Docs, icon, selectors, and all registry wiring

Test plan

  • Connect Monday.com OAuth account
  • Test each of the 13 tool operations (list boards, get board, CRUD items, search, subitems, updates, groups)
  • Test board and group selectors populate correctly from OAuth credential
  • Deploy a workflow with a Monday trigger and verify webhook creation on the board
  • Verify challenge verification works during webhook setup
  • Send test events from Monday.com board and verify trigger fires
  • Undeploy workflow and verify webhook is cleaned up
  • Verify all 9 trigger types produce correct output fields

vercel bot commented Apr 17, 2026

The latest updates on your projects. Learn more about Vercel for GitHub.

Project: docs
Deployment: Ready
Actions: Preview, Comment
Updated (UTC): Apr 17, 2026 3:12am

cursor bot commented Apr 17, 2026

PR Summary

High Risk
High risk because it introduces a new OAuth provider plus webhook subscription/challenge handling and many new API/tool execution paths that interact with external Monday.com GraphQL APIs; failures could impact auth flows and workflow trigger reliability.

Overview
Adds full Monday.com integration support across the product, including a new monday block with 13 operations and wiring into the blocks/tools registries so workflows can manage boards, items, groups, subitems, and updates.

Introduces a new OAuth provider (monday) with env config (MONDAY_CLIENT_ID/SECRET), scope descriptions, token refresh support, and user-info lookup via Monday GraphQL.

Adds Monday webhook trigger support (9 trigger types) with a provider handler that supports challenge verification, automatic subscription create/delete via GraphQL, idempotency via triggerUuid, and selector-backed UI pickers (monday.boards/monday.groups) backed by new Next.js API routes. Docs and icon mappings are updated to surface the new tool/trigger pages and branding.

Reviewed by Cursor Bugbot for commit 0bf1850. Configure here.

Comment thread apps/sim/app/workspace/[workspaceId]/home/home.tsx Outdated
Comment thread apps/sim/lib/webhooks/processor.ts
Comment thread apps/sim/app/api/tools/monday/groups/route.ts Outdated

greptile-apps bot commented Apr 17, 2026

Greptile Summary

This PR adds a full Monday.com integration: 13 tools (CRUD on boards/items/groups/subitems/updates), a 13-operation block with OAuth credential and board/group selectors, 9 webhook triggers with auto-subscription lifecycle, and supporting OAuth/auth/security infrastructure. Previously flagged issues (groups-route GraphQL injection, get_items unescaped groupId, search_items unguarded JSON.parse) are all confirmed fixed. Two minor issues remain below.

Confidence Score: 5/5

Safe to merge — all previously flagged P1 security issues are resolved; only two P2 findings remain.

All three previously flagged issues (groups-route GraphQL injection, get_items unescaped groupId, search_items unguarded JSON.parse) are confirmed fixed. The remaining findings are P2: a scope-description display regression for Pipedrive (cosmetic, no functional impact) and an orphaned TSDoc comment. Neither blocks correctness or security.

apps/sim/lib/oauth/utils.ts (scope key collision) and apps/sim/lib/core/security/input-validation.ts (orphaned JSDoc)

Important Files Changed

Filename: Overview

  • apps/sim/lib/webhooks/providers/monday.ts: New webhook provider handler: challenge verification, createSubscription/deleteSubscription via GraphQL, formatInput with full field mapping, idempotency via triggerUuid. Numeric IDs validated before interpolation. Clean implementation following established patterns.
  • apps/sim/blocks/blocks/monday.ts: Block config with 13 operations, OAuth credential, board/group selectors (basic/advanced), wand-enabled JSON fields, and all 9 trigger subBlocks spread in. Operation routing and param mapping looks correct.
  • apps/sim/lib/oauth/utils.ts: Adds Monday.com scope descriptions but reuses the webhooks:read key that previously described Pipedrive's webhook scope — Pipedrive's entry is deleted in the same hunk, silently replacing its description with Monday's.
  • apps/sim/lib/core/security/input-validation.ts: Adds validateMondayNumericId, validateMondayGroupId, validateMondayColumnId. All three validators inserted between isMicrosoftContentUrl's JSDoc and its function definition, detaching the doc from its function.
  • apps/sim/tools/monday/search_items.ts: Search tool with cursor-based pagination. JSON.parse wrapped in try/catch with user-friendly error, boardId sanitized, cursor safely JSON.stringify'd. Previously flagged issues resolved.
  • apps/sim/tools/monday/get_items.ts: Board items list tool. groupId now correctly uses JSON.stringify per the fix; boardId validated via sanitizeNumericId. Previously flagged injection issue resolved.
  • apps/sim/app/api/tools/monday/groups/route.ts: Groups selector API route. boardId validated with validateMondayNumericId before GraphQL interpolation. Previously flagged injection issue resolved.
  • apps/sim/lib/auth/auth.ts: Monday.com OAuth provider added following the established pattern for getUserInfo with generateId() suffix (intentional design per prior review thread).
  • apps/sim/triggers/monday/utils.ts: Trigger utility: event-type map, subBlock builder, and output field builders for all 9 event types. Well structured and complete.
  • apps/sim/lib/core/security/input-validation.test.ts: Comprehensive tests for all three new Monday validators covering valid IDs, injection attempts, control characters, length limits, and type coercions.

Sequence Diagram

sequenceDiagram
    participant User
    participant SimUI
    participant SimAPI as Sim API
    participant MondayAPI as Monday.com API

    Note over User,MondayAPI: Workflow Deployment (Trigger Subscription)
    User->>SimUI: Deploy workflow with Monday trigger
    SimUI->>SimAPI: createSubscription(boardId, triggerId, credentialId)
    SimAPI->>SimAPI: validateMondayNumericId(boardId)
    SimAPI->>SimAPI: resolveAccessToken(credentialId)
    SimAPI->>MondayAPI: create_webhook(board_id, url, event)
    MondayAPI-->>SimAPI: POST challenge {challenge: abc}
    SimAPI->>SimAPI: handleChallenge echo back
    SimAPI-->>MondayAPI: {challenge: abc} 200 OK
    MondayAPI-->>SimAPI: {id: ext-webhook-id}
    SimAPI-->>SimUI: externalId stored in providerConfig

    Note over User,MondayAPI: Webhook Event
    MondayAPI->>SimAPI: POST event {event: {..., triggerUuid}}
    SimAPI->>SimAPI: extractIdempotencyId(triggerUuid)
    SimAPI->>SimAPI: formatInput flatten event fields
    SimAPI->>SimUI: trigger workflow execution

    Note over User,MondayAPI: Workflow Undeployment
    User->>SimUI: Undeploy workflow
    SimUI->>SimAPI: deleteSubscription(externalId, credentialId)
    SimAPI->>SimAPI: validateMondayNumericId(externalId)
    SimAPI->>MondayAPI: delete_webhook(id: externalId)
    MondayAPI-->>SimAPI: deleted confirmation

Reviews (7): Last reviewed commit: "fix(monday): align list_boards limit des..." | Re-trigger Greptile
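
The receiving side of the two webhook exchanges in the sequence diagram (challenge echo, then event delivery deduplicated on triggerUuid), written out as an added example that is not the project's code. The function name, result shape, key prefix and 128-character bound are assumptions; the payloads are constructed.

```typescript
// Added illustration: names and result shape are hypothetical, not the project's code.
type Json = Record<string, unknown>
type WebhookResult =
  | { kind: 'challenge'; status: 200; body: { challenge: string } }
  | { kind: 'run'; status: 200; idempotencyKey: string; input: Json }
  | { kind: 'duplicate'; status: 200; idempotencyKey: string }
  | { kind: 'rejected'; status: 400; reason: string }

const isObject = (v: unknown): v is Json => typeof v === 'object' && v !== null

// `seen` stands in for a shared store with expiry (assumption); a Set keeps the example offline.
function handleMondayWebhook(payload: unknown, seen: Set<string>): WebhookResult {
  if (!isObject(payload)) {
    return { kind: 'rejected', status: 400, reason: 'body is not a JSON object' }
  }
  // Subscription handshake: echo the challenge value back unchanged with a 200.
  if (typeof payload.challenge === 'string') {
    return { kind: 'challenge', status: 200, body: { challenge: payload.challenge } }
  }
  const event = payload.event
  if (!isObject(event)) {
    return { kind: 'rejected', status: 400, reason: 'missing event object' }
  }
  // triggerUuid is the idempotency source; bound its size before using it as a key.
  const uuid = event.triggerUuid
  if (typeof uuid !== 'string' || uuid.length === 0 || uuid.length > 128) {
    return { kind: 'rejected', status: 400, reason: 'missing or malformed triggerUuid' }
  }
  const idempotencyKey = `monday:${uuid}`
  if (seen.has(idempotencyKey)) {
    // A redelivery is acknowledged but must not start a second workflow run.
    return { kind: 'duplicate', status: 200, idempotencyKey }
  }
  seen.add(idempotencyKey)
  return { kind: 'run', status: 200, idempotencyKey, input: { ...event } }
}

// Constructed sample payloads (not captured traffic).
const SAMPLE_CHALLENGE = { challenge: 'abc' }
const SAMPLE_EVENT = {
  event: { type: 'create_pulse', boardId: 1234567890, pulseId: 987654321, triggerUuid: 'constructed-uuid-0001' },
}
```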

Comment thread apps/sim/lib/auth/auth.ts
Comment thread apps/sim/app/api/tools/monday/groups/route.ts
Comment thread apps/sim/hooks/selectors/registry.ts
@waleedlatif1 waleedlatif1 force-pushed the waleedlatif1/add-monday-integration branch 2 times, most recently from 608c00b to ccf86a6 Compare April 17, 2026 01:57
@waleedlatif1 waleedlatif1 force-pushed the waleedlatif1/add-monday-integration branch from ccf86a6 to cf2e03e Compare April 17, 2026 02:04
…gers, and OAuth

Adds a comprehensive Monday.com integration:
- 13 tools: list/get boards, CRUD items, search, subitems, updates, groups, move, archive
- Block with operation dropdown, board/group selectors, OAuth credential, advanced mode
- 9 webhook triggers with auto-subscription lifecycle (create/delete via GraphQL API)
- OAuth config with 7 scopes (boards, updates, webhooks, me:read)
- Provider handler with challenge verification, formatInput, idempotency
- Docs, icon, selectors, and all registry wiring

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
@waleedlatif1 waleedlatif1 force-pushed the waleedlatif1/add-monday-integration branch from cf2e03e to 1723d73 Compare April 17, 2026 02:09
@waleedlatif1
Collaborator Author

@greptile

@waleedlatif1
Collaborator Author

@cursor review

Comment thread apps/sim/tools/monday/get_items.ts Outdated
Comment thread apps/sim/lib/webhooks/providers/monday.ts Outdated
Comment thread apps/sim/lib/core/security/input-validation.ts
Comment thread apps/sim/tools/monday/get_items.ts
The DeleteSubscriptionContext type has userId as unknown, causing a
TypeScript error when passing it to getOAuthToken which expects string.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
…n with established patterns

- Use JSON.stringify() for groupId in get_items.ts (matches create_item.ts
  and move_item_to_group.ts)
- Use JSON.stringify() for notificationUrl in webhook provider
- Remove non-standard getOAuthToken fallback in deleteSubscription to match
  Airtable/Webflow pattern (credential resolution only, warn and return on failure)

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
@waleedlatif1
Collaborator Author

@greptile

@waleedlatif1
Collaborator Author

@cursor review

Comment thread apps/sim/lib/oauth/utils.ts
Comment thread apps/sim/tools/monday/search_items.ts Outdated
Parse and re-stringify the columns param to ensure well-formed JSON
before interpolating into the GraphQL query, preventing injection
via malformed input.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
@waleedlatif1
Collaborator Author

@greptile

@waleedlatif1
Collaborator Author

@cursor review

Comment thread apps/sim/tools/monday/delete_item.ts
Comment thread apps/sim/tools/monday/search_items.ts Outdated
… queries

- Add sanitizeNumericId() helper to tools/monday/utils.ts for consistent
  validation across all tool body builders
- Apply to all 13 instances of boardId, itemId, parentItemId interpolation
  across 11 tool files, preventing GraphQL injection via crafted IDs
- Wrap JSON.parse in search_items.ts with try-catch for user-friendly
  error on malformed column filter JSON

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
@waleedlatif1
Collaborator Author

@greptile

@waleedlatif1
Collaborator Author

@cursor review

Comment thread apps/sim/lib/webhooks/providers/monday.ts
Comment thread apps/sim/tools/monday/list_boards.ts
Comment thread apps/sim/tools/monday/utils.ts
…arams

- Refactor sanitizeNumericId to delegate to validateMondayNumericId
  from input-validation.ts, eliminating duplicated regex logic
- Add sanitizeLimit helper for safe integer coercion with bounds
- Apply sanitizeLimit to limit/page params in list_boards, get_items,
  and search_items for consistent validation across all GraphQL params

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
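
The commits above describe three guards for values interpolated into a GraphQL query string: a numeric-ID check, JSON.stringify for string arguments, and a bounded limit. The following added example, not taken from the PR, shows them together beside an unguarded builder; the helper names, the ID pattern, the default of 25 and the query shape are assumptions, and the crafted input is constructed.

```typescript
// Added illustration: helper names, the ID pattern and the bounds are assumptions.
const NUMERIC_ID = /^[0-9]{1,20}$/

function numericId(value: unknown, field: string): string {
  const s = typeof value === 'number' ? String(value) : value
  if (typeof s !== 'string' || !NUMERIC_ID.test(s)) {
    throw new Error(`${field} must be a numeric ID`)
  }
  return s
}

// Coerce to a positive integer and cap it; anything else falls back to the default.
function clampLimit(value: unknown, fallback: number, max: number): number {
  const n = typeof value === 'string' && value.trim() !== '' ? Number(value) : value
  if (typeof n !== 'number' || !Number.isInteger(n) || n < 1) return fallback
  return Math.min(n, max)
}

// JSON.stringify emits a quoted literal with quotes, backslashes and control characters escaped.
function graphqlString(value: unknown, field: string): string {
  if (typeof value !== 'string') throw new Error(`${field} must be a string`)
  return JSON.stringify(value)
}

interface ItemsParams { boardId: unknown; groupId?: unknown; limit?: unknown }

// "Before": raw interpolation lets the caller's text become query structure.
function buildItemsQueryUnsafe(p: ItemsParams): string {
  return `query { boards(ids: [${p.boardId}]) { items_page(limit: ${p.limit}) { items { id name } } } }`
}

// "After": every interpolated value is validated or encoded first.
function buildItemsQuery(p: ItemsParams): string {
  const board = numericId(p.boardId, 'boardId')
  const limit = clampLimit(p.limit, 25, 500)
  const page = `items_page(limit: ${limit}) { cursor items { id name } }`
  const inner =
    p.groupId === undefined ? page : `groups(ids: [${graphqlString(p.groupId, 'groupId')}]) { ${page} }`
  return `query { boards(ids: [${board}]) { ${inner} } }`
}

// Constructed input: closes the ids list early and appends another field.
const CRAFTED_BOARD_ID = '1]) { id } extra: boards(ids: [2'
```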
@waleedlatif1
Collaborator Author

@greptile

@waleedlatif1
Collaborator Author

@cursor review

Comment thread apps/sim/tools/monday/list_boards.ts
The param description said "max 100" but sanitizeLimit caps at 500,
which is what Monday.com's API supports for boards. Updated both the
tool description and docs to say "max 500".

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
@waleedlatif1
Collaborator Author

@greptile

@waleedlatif1
Collaborator Author

@cursor review

@cursor cursor bot left a comment

✅ Bugbot reviewed your changes and found no new issues!

Comment @cursor review or bugbot run to trigger another review on this PR

Reviewed by Cursor Bugbot for commit 0bf1850. Configure here.

@waleedlatif1 waleedlatif1 merged commit 38864fa into staging Apr 17, 2026
14 checks passed
@waleedlatif1 waleedlatif1 deleted the waleedlatif1/add-monday-integration branch April 17, 2026 03:27