feat(integrations): extend ElevenLabs, Google Drive, Firecrawl, Pinecone, Resend, and S3 tool depth

[waleedlatif1]

Summary

Wave 3 of integration tool-depth: deepens six popular integrations that were shallow relative to their APIs. Every operation reuses the integration's existing scopes/auth — no new OAuth scopes; lib/oauth/oauth.ts is untouched.

What's added (41 new tools)

ElevenLabs (1 → 10 tools; API key) — list/get voices, get/edit voice settings, list models, get user, plus sound-effects, speech-to-speech, and audio-isolation (binary out via an internal route)

Google Drive (reuses drive) — list/get revisions, create/list/delete comments, export Google-native files to a format

Firecrawl (v2; API key) — crawl status/cancel, batch scrape + status, extract status, credit usage

Pinecone (API key) — delete/update vectors, describe-index-stats, list vector ids, list/describe indexes (data-plane vs control-plane handled per op)

Resend (API key) — audiences CRUD, broadcasts (create/send/get), cancel email

S3 (AWS key) — list/create/delete buckets, head-object, presigned URL, batch delete-objects (AWS SDK + internal routes)

Notes

• Type coercions live in tools.config.params; request/response shapes verified against each provider's live API docs.
• New internal routes (ElevenLabs audio, S3 ops, Drive export) are contract-bound; the check-api-validation route baseline is bumped 872 → 873 accordingly.
• Docs + integrations.json catalog regenerated from the block registry.

Validation

• bunx tsc --noEmit: clean across changed files
• bunx biome check: clean
• blocks/blocks.test.ts: 83/83 pass (incl. canonical-param test)
• bun run check:api-validation: passed

[vercel]

The latest updates on your projects. Learn more about Vercel for GitHub.

Project	Deployment	Actions	Updated (UTC)
docs	Ready	Preview, Comment	Jun 29, 2026 10:11pm

[cursor]

PR Summary

Medium Risk
New server routes accept third-party API keys and AWS credentials and perform destructive S3/Drive operations; mitigated by internal auth and validation, but misconfigured workflows could delete data or leak presigned URLs.

Overview
Adds 41 new workflow tools across six integrations by expanding block operation dropdowns, tool registries, and matching integration docs.

ElevenLabs becomes a multi-operation block (TTS plus sound effects, speech-to-speech, audio isolation, voice/model/account APIs) with a new /api/tools/elevenlabs/audio proxy for binary audio ops, file access checks, and response size limits.

Google Drive gains export (Workspace → PDF/DOCX/etc. via /api/tools/google_drive/export with DNS-pinned fetch), revisions, and comments—still on existing Drive OAuth scopes.

Firecrawl adds batch scrape, job status/cancel for crawl and extract, and credit usage. Pinecone adds vector update/delete, ID listing, index stats, and control-plane list/describe index. Resend adds audiences, broadcasts, and cancel scheduled email. S3 adds bucket lifecycle, head object, presigned URLs, and batch delete via new AWS SDK routes and Zod API contracts.

Existing auth patterns (checkInternalAuth, user-supplied API keys) are reused; no OAuth scope changes.

^{Reviewed by Cursor Bugbot for commit 3062ecb. Configure here.}

[greptile-apps]

Greptile Summary

This PR deepens six integrations (ElevenLabs, Google Drive, Firecrawl, Pinecone, Resend, S3) by adding 41 new tools, new internal proxy routes for binary-output operations (ElevenLabs audio, Drive export, S3 bucket management), and updated documentation. The implementation reuses existing auth scopes and follows established tool-framework patterns for error handling.

• New internal proxy routes (/api/tools/elevenlabs/audio, /api/tools/google_drive/export, six S3 routes) use checkInternalAuth, secureFetchWithPinnedIP/validateUrlWithDNS where appropriate, and structured error responses, consistent with the existing Google Drive and Slides proxies.
• 41 new tool configs span data-plane (Pinecone, Firecrawl, Resend) and control-plane (S3 bucket ops) operations; auth credential params correctly use visibility: 'user-only' per the codebase convention.
• Firecrawl batch-scrape uses the polling pattern from the existing crawl tool; the postProcess implementation correctly surfaces job failures and timeouts.

Confidence Score: 5/5

The new proxy routes are well-hardened (auth checks, DNS pinning, URL encoding, size limits) and the tool configs follow established patterns throughout. Two style-level observations exist but neither affects correctness in normal use.

All new API routes go through checkInternalAuth, credential params use visibility: 'user-only', binary outputs are size-capped, and the ElevenLabs proxy validates voiceId before URL construction. The two comments raised are a missing encodeURIComponent on a hardcoded-domain call and a latent field-override risk behind a hidden param — neither causes a live defect on today's code paths.

apps/sim/tools/firecrawl/batch-scrape.ts (scrapeOptions spread ordering) and apps/sim/tools/elevenlabs/edit-voice-settings.ts / get-voice.ts / get-voice-settings.ts (voiceId not encodeURIComponent-wrapped)

Important Files Changed

Filename	Overview
apps/sim/app/api/tools/elevenlabs/audio/route.ts	New proxy route for ElevenLabs audio operations (sound effects, speech-to-speech, audio isolation). Uses checkInternalAuth, validateAlphanumericId for voiceId, readResponseToBufferWithLimit for size safety, and proper error handling.
apps/sim/app/api/tools/google_drive/export/route.ts	New proxy route for Google Drive Workspace export. Uses encodeURIComponent on fileId, validateUrlWithDNS + secureFetchWithPinnedIP, allowlist-based MIME type validation, and a 10 MB export cap.
apps/sim/app/api/tools/s3/presigned-url/route.ts	Generates S3 presigned URLs via AWS SDK. Uses checkInternalAuth, parses credentials from validated contract body, and delegates URL construction to @aws-sdk/s3-request-presigner.
apps/sim/app/api/tools/s3/delete-objects/route.ts	Batch-deletes S3 objects via AWS SDK. Properly surfaces per-object errors in the errors array rather than throwing; auth and validation look correct.
apps/sim/tools/firecrawl/batch-scrape.ts	Implements polling-based batch scrape. Object.assign(body, scrapeOptions) runs after the urls field is set and can clobber it if scrapeOptions contains a urls key; the hidden visibility limits the attack surface but the ordering creates a latent override risk.
apps/sim/tools/elevenlabs/edit-voice-settings.ts	New tool for editing ElevenLabs voice settings. voiceId is .trim()'d but not encodeURIComponent-wrapped or regex-validated before being interpolated into the URL path, inconsistent with the audio proxy route.
apps/sim/tools/pinecone/describe_index_stats.ts	New Pinecone data-plane tool for index statistics. Uses established indexHost pattern consistent with pre-existing Pinecone tools; transformResponse pattern matches rest of the pinecone tool suite.
apps/sim/tools/s3/presigned_url.ts	Tool config for S3 presigned URL generation. Correctly checks data.success, defaults expiresIn to 3600, and uses user-only visibility for credentials.
apps/sim/tools/google_drive/export.ts	Tool config for Google Drive Workspace export via the new proxy route. Follows the same no-transformResponse proxy-route pattern as the existing download.ts tool.
apps/sim/tools/resend/create_broadcast.ts	New Resend broadcast creation tool. Uses data.id presence check (consistent with other Resend tools); framework throws on non-2xx before transformResponse is reached.
apps/sim/lib/api/contracts/tools/google.ts	Added googleDriveExportBodySchema and contract. fileId validated as min(1) string; further validation (encodeURIComponent) applied in the route handler.

Sequence Diagram

%%{init: {'theme': 'neutral'}}%%
sequenceDiagram
    participant Client as Workflow Executor
    participant AudioProxy as /api/tools/elevenlabs/audio
    participant ExportProxy as /api/tools/google_drive/export
    participant S3Proxy as /api/tools/s3/*
    participant ElevenLabs as api.elevenlabs.io
    participant GoogleDrive as googleapis.com
    participant AWS as AWS S3

    Client->>AudioProxy: "POST {operation, apiKey, audioFile?}"
    AudioProxy->>AudioProxy: checkInternalAuth + validateAlphanumericId(voiceId)
    AudioProxy->>ElevenLabs: POST sound-generation / speech-to-speech / audio-isolation
    ElevenLabs-->>AudioProxy: audio/mpeg binary
    AudioProxy->>AudioProxy: readResponseToBufferWithLimit (25 MB cap)
    AudioProxy-->>Client: "{audioUrl, audioFile}"

    Client->>ExportProxy: "POST {accessToken, fileId, mimeType}"
    ExportProxy->>ExportProxy: checkInternalAuth + encodeURIComponent(fileId)
    ExportProxy->>GoogleDrive: "GET /files/{fileId} metadata (validateUrlWithDNS + pinnedIP)"
    GoogleDrive-->>ExportProxy: file metadata
    ExportProxy->>GoogleDrive: "GET /files/{fileId}/export?mimeType=... (10 MB cap)"
    GoogleDrive-->>ExportProxy: exported bytes
    ExportProxy-->>Client: "{file: {name, mimeType, data(base64), size}}"

    Client->>S3Proxy: "POST {accessKeyId, secretAccessKey, region, ...}"
    S3Proxy->>S3Proxy: checkInternalAuth + parseToolRequest (Zod contract)
    S3Proxy->>AWS: AWS SDK command (CreateBucket / DeleteObjects / HeadObject / PresignedURL / ...)
    AWS-->>S3Proxy: result
    S3Proxy-->>Client: "{success, output}"

Loading

%%{init: {'theme': 'base', 'themeVariables': {"darkMode": true, "background": "#0d1117", "primaryColor": "#21262d", "primaryTextColor": "#e6edf3", "primaryBorderColor": "#8b949e", "lineColor": "#8b949e", "textColor": "#e6edf3", "edgeLabelBackground": "#161b22", "actorBkg": "#21262d", "actorBorder": "#8b949e", "actorTextColor": "#e6edf3", "actorLineColor": "#8b949e", "signalColor": "#8b949e", "signalTextColor": "#e6edf3", "noteBkgColor": "#373320", "noteBorderColor": "#d4a72c", "noteTextColor": "#f0e6c0", "labelBoxBkgColor": "#21262d", "labelBoxBorderColor": "#8b949e", "labelTextColor": "#e6edf3", "loopTextColor": "#e6edf3", "activationBkgColor": "#30363d", "activationBorderColor": "#8b949e"}}}%%
sequenceDiagram
    participant Client as Workflow Executor
    participant AudioProxy as /api/tools/elevenlabs/audio
    participant ExportProxy as /api/tools/google_drive/export
    participant S3Proxy as /api/tools/s3/*
    participant ElevenLabs as api.elevenlabs.io
    participant GoogleDrive as googleapis.com
    participant AWS as AWS S3

    Client->>AudioProxy: "POST {operation, apiKey, audioFile?}"
    AudioProxy->>AudioProxy: checkInternalAuth + validateAlphanumericId(voiceId)
    AudioProxy->>ElevenLabs: POST sound-generation / speech-to-speech / audio-isolation
    ElevenLabs-->>AudioProxy: audio/mpeg binary
    AudioProxy->>AudioProxy: readResponseToBufferWithLimit (25 MB cap)
    AudioProxy-->>Client: "{audioUrl, audioFile}"

    Client->>ExportProxy: "POST {accessToken, fileId, mimeType}"
    ExportProxy->>ExportProxy: checkInternalAuth + encodeURIComponent(fileId)
    ExportProxy->>GoogleDrive: "GET /files/{fileId} metadata (validateUrlWithDNS + pinnedIP)"
    GoogleDrive-->>ExportProxy: file metadata
    ExportProxy->>GoogleDrive: "GET /files/{fileId}/export?mimeType=... (10 MB cap)"
    GoogleDrive-->>ExportProxy: exported bytes
    ExportProxy-->>Client: "{file: {name, mimeType, data(base64), size}}"

    Client->>S3Proxy: "POST {accessKeyId, secretAccessKey, region, ...}"
    S3Proxy->>S3Proxy: checkInternalAuth + parseToolRequest (Zod contract)
    S3Proxy->>AWS: AWS SDK command (CreateBucket / DeleteObjects / HeadObject / PresignedURL / ...)
    AWS-->>S3Proxy: result
    S3Proxy-->>Client: "{success, output}"

Loading

_{Reviews (8): Last reviewed commit: "fix(integrations): I/O fidelity vs API d..." | Re-trigger Greptile}

[waleedlatif1]

@greptile review

[waleedlatif1]

@cursor review

[cursor]

✅ Bugbot reviewed your changes and found no new issues!

2 issues from previous reviews remain unresolved.

Comment @cursor review or bugbot run to trigger another review on this PR

^{Reviewed by Cursor Bugbot for commit e33543c. Configure here.}

[waleedlatif1]

@greptile review

[waleedlatif1]

@cursor review

[cursor]

✅ Bugbot reviewed your changes and found no new issues!

Comment @cursor review or bugbot run to trigger another review on this PR

^{Reviewed by Cursor Bugbot for commit 062eb50. Configure here.}

[waleedlatif1]

@greptile review

[waleedlatif1]

@cursor review

[waleedlatif1]

@greptile review

[waleedlatif1]

@cursor review

[waleedlatif1]

@greptile review

[waleedlatif1]

@cursor review

[cursor]

✅ Bugbot reviewed your changes and found no new issues!

Comment @cursor review or bugbot run to trigger another review on this PR

^{Reviewed by Cursor Bugbot for commit c7308eb. Configure here.}

[waleedlatif1]

@greptile review

[waleedlatif1]

@cursor review

[cursor]

✅ Bugbot reviewed your changes and found no new issues!

Comment @cursor review or bugbot run to trigger another review on this PR

^{Reviewed by Cursor Bugbot for commit 3062ecb. Configure here.}

[waleedlatif1]

@greptile review