v0.6.24: copilot feedback wiring, captcha fixes

[waleedlatif1]

• feat: mothership/copilot feedback (feat: mothership/copilot feedback #3940)
• fix(envvars): restore workflowUserId fallback for scheduled execution env var resolution (fix(envvars): restore workflowUserId fallback for scheduled execution env var resolution #3941)
• improvement(models): tighten model metadata and crawl discovery (improvement(models): tighten model metadata and crawl discovery #3942)
• fix(captcha): use getResponsePromise for Turnstile execute-on-submit flow (fix(captcha): use getResponsePromise for Turnstile execute-on-submit flow #3943)

[gitguardian]

⚠️ GitGuardian has uncovered 1 secret following the scan of your pull request.

Please consider investigating the findings and remediating the incidents. Failure to do so may lead to compromising the associated services or software components.

🔎 Detected hardcoded secret in your pull request

GitGuardian id	GitGuardian status	Secret	Commit	Filename
29606901	Triggered	Generic High Entropy Secret	4a9439e	apps/sim/providers/utils.test.ts	View secret

🛠 Guidelines to remediate hardcoded secrets

1. Understand the implications of revoking this secret by investigating where it is used in your code.
2. Replace and store your secret safely. Learn here the best practices.
3. Revoke and rotate this secret.
4. If possible, rewrite git history. Rewriting git history is not a trivial act. You might completely break other contributing developers' workflow and you risk accidentally deleting legitimate data.

To avoid such incidents in the future consider

• following these best practices for managing and storing secrets including API keys and other credentials
• install secret detection on pre-commit to catch secret before it leaves your machine and ease remediation.

---

^{🦉 GitGuardian detects secrets in your source code to help developers and security teams secure the modern development process. You are seeing this because you or someone else with access to this repository has authorized GitGuardian to scan your pull request.}

[cursor]

PR Summary

Medium Risk
Touches workflow execution environment-variable resolution and adds new copilot feedback submission wiring, both of which can affect production execution behavior and data capture if incorrect. Remaining changes are mostly SEO/catalog/captcha adjustments but span multiple user-facing surfaces.

Overview
Adds copilot message feedback UI (thumbs up/down + modal comment) and wires it to a new client mutation posting to /api/copilot/feedback, passing chatId, preceding userQuery, and the assistant response.

Fixes signup Turnstile execution-on-submit by switching to getResponsePromise() and adjusting widget options, reducing flaky captcha timeouts.

Tightens the public model catalog: makes bestFor optional (only for differentiated models), changes structured-output tagging/labels (including native vs non-native), shows only published max output tokens, and adds tests plus updated provider maxOutputTokens metadata. Also updates crawl/discovery surfaces (sitemap.ts last-modified logic + extra hub pages, and llms.txt content/wording).

Updates workflow execution core to resolve env vars using sessionUserId only for client sessions and otherwise workflowUserId (now required), with new tests covering the selection and missing-metadata error path.

^{Reviewed by Cursor Bugbot for commit c2b12cf. Configure here.}

[vercel]

The latest updates on your projects. Learn more about Vercel for GitHub.

1 Skipped Deployment

Project	Deployment	Actions	Updated (UTC)
docs	Skipped		Apr 4, 2026 7:36pm

[greptile-apps]

Greptile Summary

This PR bundles four changes: (1) wires copilot/mothership thumbs-up/thumbs-down feedback through a new mutation hook to the existing /api/copilot/feedback route; (2) fixes a scheduled-execution regression where env-var resolution used the billing-actor userId instead of the workflow owner's workflowUserId; (3) tightens model-catalog metadata by adding published maxOutputTokens to ~25 models, making bestFor optional for undifferentiated models, and broadening the structured-outputs display to cover all non-deep-research models; and (4) replaces the manual Promise.race-with-timeout Turnstile captcha flow with the library-native getResponsePromise().

Key changes:

• message-actions.tsx refactored from a dropdown to inline copy + thumbs icons with a feedback modal
• execution-core.ts correctly selects sessionUserId for client sessions and workflowUserId for server-side (scheduled/API-triggered) executions, with an explicit throw when workflowUserId is absent
• providers/models.ts corrects Claude Sonnet 4.6 maxOutputTokens from 128k → 64k and adds maxOutputTokens to many previously unspecified models
• signup-form.tsx removes the manual Promise-race timeout wrapper; the form could be left in a perpetual loading state if getResponsePromise() never settles (see inline comment)

Confidence Score: 5/5

Safe to merge — no P0/P1 findings; both open items are P2 style/best-practice improvements.

All substantive logic changes (env-resolution fix, feedback wiring, model metadata) are well-tested and correct. The two remaining findings are a relative import in a new test file and the removed captcha timeout guard — both non-blocking P2 suggestions. No data-integrity or runtime-correctness concerns remain.

apps/sim/app/(auth)/signup/signup-form.tsx (removed timeout guard) and apps/sim/app/(landing)/models/utils.test.ts (relative import)

Important Files Changed

Filename	Overview
apps/sim/app/(auth)/signup/signup-form.tsx	Captcha flow simplified to use getResponsePromise() — cleaner approach but removes the 15s safety timeout that prevented the form from getting stuck in an infinite loading state.
apps/sim/hooks/queries/copilot-feedback.ts	New TanStack Query mutation hook for copilot feedback; properly logs errors with createLogger, targets the already-existing /api/copilot/feedback route.
apps/sim/app/workspace/[workspaceId]/components/message-actions/message-actions.tsx	Refactored from a dropdown menu to inline copy/thumbs-up/thumbs-down buttons; adds a feedback modal that fires the new mutation hook. Logic is sound.
apps/sim/lib/workflows/executor/execution-core.ts	Fixed env resolution to use workflowUserId for server-side (scheduled) executions instead of falling back to the billing-actor userId; adds explicit error for missing workflowUserId.
apps/sim/app/(landing)/models/utils.test.ts	New test file covering catalog utils; uses a relative import ('./utils') which violates the project's absolute-import rule.
apps/sim/providers/models.ts	Adds maxOutputTokens to many provider models and corrects Claude Sonnet 4.6 from 128k to 64k; also tightens getMaxOutputTokensForModel to prefer exact matches before prefix-matching.
apps/sim/app/(landing)/models/utils.ts	Structured-outputs logic now covers all non-deep-research models (not just nativeStructuredOutputs); bestFor is made optional and returns null for undifferentiated models.
apps/sim/app/workspace/[workspaceId]/w/components/sidebar/sidebar.tsx	Wraps tasks + workflows sections in a shared scrollContentRef div so the ResizeObserver also triggers on content-size changes; purely structural refactor with no behavioral regressions visible.

Sequence Diagram

sequenceDiagram
    participant User
    participant MessageActions
    participant FeedbackModal
    participant useSubmitCopilotFeedback
    participant API as /api/copilot/feedback

    User->>MessageActions: clicks 👍 or 👎
    MessageActions->>FeedbackModal: open (pendingFeedback = 'up'|'down')
    User->>FeedbackModal: enters feedback text
    User->>FeedbackModal: clicks Submit
    FeedbackModal->>useSubmitCopilotFeedback: mutate({ chatId, userQuery, agentResponse, isPositiveFeedback, feedback })
    useSubmitCopilotFeedback->>API: POST /api/copilot/feedback
    API-->>useSubmitCopilotFeedback: { success, feedbackId }
    FeedbackModal-->>User: modal closes

Loading

_{Reviews (1): Last reviewed commit: "fix(captcha): use getResponsePromise for..." | Re-trigger Greptile}