feat(block): Add cloudwatch block

[TheodoreSpeaks]

Summary

Add block for cloudwatch operations.

• Log Insights
• Describe Log Groups
• Get Log Events
• List Metrics
• Get Metric Statistics
• Describe Alarms

Type of Change

• Bug fix
• New feature
• Breaking change
• Documentation
• Other: ___________

Testing

• Validated each operation in local using aws credentials. Validated mothership could use credentials as well.

Checklist

• Code follows project style guidelines
• Self-reviewed my changes
• Tests added/updated and passing
• No new warnings introduced
• I confirm that I have read and agree to the terms outlined in the Contributor License Agreement (CLA)

Screenshots/Videos

[vercel]

The latest updates on your projects. Learn more about Vercel for GitHub.

1 Skipped Deployment

Project	Deployment	Actions	Updated (UTC)
docs	Skipped		Apr 3, 2026 7:05pm

[cursor]

PR Summary

Medium Risk
Adds multiple new server routes and tools that accept AWS access keys and execute CloudWatch/Logs API calls; correctness and access control around credential handling and query polling are the main risks.

Overview
Adds a new CloudWatch block that can run Log Insights queries, browse log groups/streams, fetch log events, list metrics, retrieve metric statistics, and describe alarms.

Implements new /api/tools/cloudwatch/* POST routes plus shared CloudWatch Logs helpers (client creation, Log Insights polling with timeout, log stream listing, and log event retrieval), and registers corresponding tool configs/types in the tool registry.

Wires up UI support via a new CloudWatchIcon, selector entries for cloudwatch.logGroups/cloudwatch.logStreams (including additional selector context fields), and adds required AWS SDK dependencies.

^{Written by Cursor Bugbot for commit 68d9174. This will update automatically on new commits. Configure here.}

[greptile-apps]

Greptile Summary

This PR adds a CloudWatch integration block to Sim, covering 7 operations: Query Logs (Insights), Describe Log Groups, Get Log Events, Describe Log Streams, List Metrics, Get Metric Statistics, and Describe Alarms. The implementation follows the established integration pattern (tools → block → icon → API routes) and is well-structured overall — type definitions are clean, Zod validation is consistent, credentials use user-only visibility correctly, and the cascading file-selector dropdowns (log group → log stream) are wired up properly.

Key findings:

• The tools/cloudwatch/index.ts barrel file uses relative imports (./describe_alarms, etc.) which violates the project's absolute-import convention; these should be @/tools/cloudwatch/... paths.
• pollQueryResults in utils.ts blocks the HTTP handler for up to 60 seconds via a polling loop; this can silently exceed serverless function timeout limits depending on deployment plan.
• Six of the seven new API routes omit createLogger, while describe-log-groups properly uses it — logging should be consistent across all routes in the integration.

Confidence Score: 5/5

Safe to merge — all findings are P2 style/best-practice issues that do not affect runtime correctness or data integrity.

The integration is fully functional, tested locally, and follows the established block/tool/route pattern correctly. The three flagged issues are all non-blocking: relative imports in a barrel file, a polling timeout concern that depends on deployment configuration, and inconsistent logger usage. None introduce bugs, security holes, or broken user paths.

apps/sim/tools/cloudwatch/index.ts (relative imports) and apps/sim/app/api/tools/cloudwatch/utils.ts (60s polling loop)

Important Files Changed

Filename	Overview
apps/sim/tools/cloudwatch/index.ts	Barrel export re-exposing all seven tools with cloudwatch prefix; uses relative imports which violates the project's absolute-import rule.
apps/sim/app/api/tools/cloudwatch/utils.ts	Shared utility: creates CloudWatchLogsClient, implements blocking poll loop (up to 60s), and exposes describeLogStreams/getLogEvents helpers. The 60-second poll could exceed serverless function timeouts.
apps/sim/blocks/blocks/cloudwatch.ts	Full block config covering 7 operations with cascading file-selector dropdowns, operation-conditional subblocks, and correct params/tool routing including single-stat→array coercion for metric statistics.
apps/sim/app/api/tools/cloudwatch/query-logs/route.ts	POST handler validates with Zod, checks internal auth, starts a Log Insights query, and delegates to pollQueryResults; logic is correct but inherits the 60s polling concern from utils.ts.
apps/sim/app/api/tools/cloudwatch/describe-log-groups/route.ts	Uses checkSessionOrInternalAuth (correct for selector populating dropdowns), adds logger, and maps SDK response cleanly; the only route with consistent logging.
apps/sim/hooks/selectors/registry.ts	Adds cloudwatch.logGroups and cloudwatch.logStreams selectors with correct cache keys, enabled guards, and cascading logGroupName dependency for the stream selector.
apps/sim/tools/cloudwatch/types.ts	Well-structured type definitions for all 7 operation param/response interfaces extending CloudWatchConnectionConfig; no issues found.

Sequence Diagram

sequenceDiagram
    participant UI as Block UI
    participant Selector as Selector (Registry)
    participant LogGroupsAPI as /api/tools/cloudwatch/describe-log-groups
    participant LogStreamsAPI as /api/tools/cloudwatch/describe-log-streams
    participant ExecutionEngine as Executor
    participant ToolAPI as /api/tools/cloudwatch/{operation}
    participant AWS as AWS CloudWatch

    UI->>Selector: Populate log group dropdown (awsAccessKeyId, awsRegion, awsSecretAccessKey)
    Selector->>LogGroupsAPI: POST (checkSessionOrInternalAuth)
    LogGroupsAPI->>AWS: DescribeLogGroupsCommand
    AWS-->>LogGroupsAPI: logGroups[]
    LogGroupsAPI-->>Selector: { output: { logGroups } }
    Selector-->>UI: Dropdown options

    UI->>Selector: Populate log stream dropdown (+ logGroupName)
    Selector->>LogStreamsAPI: POST (checkSessionOrInternalAuth)
    LogStreamsAPI->>AWS: DescribeLogStreamsCommand
    AWS-->>LogStreamsAPI: logStreams[]
    LogStreamsAPI-->>Selector: { output: { logStreams } }
    Selector-->>UI: Dropdown options

    ExecutionEngine->>ToolAPI: POST (checkInternalAuth) — selected operation
    alt query_logs
        ToolAPI->>AWS: StartQueryCommand
        AWS-->>ToolAPI: queryId
        loop Poll up to 60s
            ToolAPI->>AWS: GetQueryResultsCommand(queryId)
            AWS-->>ToolAPI: status / results
        end
    else get_log_events
        ToolAPI->>AWS: GetLogEventsCommand
        AWS-->>ToolAPI: events[]
    else get_metric_statistics
        ToolAPI->>AWS: GetMetricStatisticsCommand
        AWS-->>ToolAPI: Datapoints[]
    else describe_alarms
        ToolAPI->>AWS: DescribeAlarmsCommand
        AWS-->>ToolAPI: MetricAlarms[] + CompositeAlarms[]
    end
    ToolAPI-->>ExecutionEngine: { success, output }

Loading

_{Reviews (1): Last reviewed commit: "Fix bun lock" | Re-trigger Greptile}

[greptile-apps]

Relative imports violate absolute-import rule

All seven imports in the barrel file use relative paths (./describe_alarms, etc.). Per the project's import conventions, absolute imports must always be used — relative imports are prohibited.

Suggested change

	import { describeAlarmsTool } from './describe_alarms'
	import { describeLogGroupsTool } from './describe_log_groups'
	import { describeLogStreamsTool } from './describe_log_streams'
	import { getLogEventsTool } from './get_log_events'
	import { getMetricStatisticsTool } from './get_metric_statistics'
	import { listMetricsTool } from './list_metrics'
	import { queryLogsTool } from './query_logs'
	import { describeAlarmsTool } from '@/tools/cloudwatch/describe_alarms'
	import { describeLogGroupsTool } from '@/tools/cloudwatch/describe_log_groups'
	import { describeLogStreamsTool } from '@/tools/cloudwatch/describe_log_streams'
	import { getLogEventsTool } from '@/tools/cloudwatch/get_log_events'
	import { getMetricStatisticsTool } from '@/tools/cloudwatch/get_metric_statistics'
	import { listMetricsTool } from '@/tools/cloudwatch/list_metrics'
	import { queryLogsTool } from '@/tools/cloudwatch/query_logs'

Rule Used: Use established path alias patterns instead of dee... (source)

Learnt From
simstudioai/sim#233

_{Note: If this suggestion doesn't match your team's coding style, reply to this and let me know. I'll remember it for next time!}

[cursor]

Cursor Bugbot has reviewed your changes and found 2 potential issues.

^{Bugbot Autofix is OFF. To automatically fix reported issues with cloud agents, enable autofix in the Cursor dashboard.}