feat(block): Add cloudwatch block

[TheodoreSpeaks]

Summary

Add block for cloudwatch operations. Second time's the charm!

• Log Insights
• Describe Log Groups
• Get Log Events
• List Metrics
• Get Metric Statistics
• Describe Alarms

Type of Change

• Bug fix
• New feature
• Breaking change
• Documentation
• Other: ___________

Testing

• Validated each operation in local using aws credentials. Validated mothership could use credentials as well.

Checklist

• Code follows project style guidelines
• Self-reviewed my changes
• Tests added/updated and passing
• No new warnings introduced
• I confirm that I have read and agree to the terms outlined in the Contributor License Agreement (CLA)

Screenshots/Videos

[vercel]

The latest updates on your projects. Learn more about Vercel for GitHub.

1 Skipped Deployment

Project	Deployment	Actions	Updated (UTC)
docs	Skipped		Apr 4, 2026 11:50pm

[cursor]

PR Summary

Medium Risk
Adds multiple new API endpoints and tool integrations that accept AWS access keys and query CloudWatch; mistakes could expose credentials in logs or broaden access if auth assumptions are wrong. Logic is mostly additive but touches workflow selector context and registries used broadly across the app.

Overview
Adds a new CloudWatch block that can run Log Insights queries, browse log groups/streams, fetch log events, list metrics, get metric statistics, and describe alarms, wiring these operations into the block/tool registries.

Introduces new Next.js API routes under app/api/tools/cloudwatch/* plus shared cloudwatch/utils.ts for CloudWatch Logs client creation, query polling with timeout handling, and log stream/event retrieval; responses are normalized into simplified JSON outputs.

Extends selector infrastructure to support CloudWatch log group/stream pickers (new selector keys and additional AWS fields in selector context), and adds AWS SDK dependencies plus a new CloudWatchIcon.

^{Reviewed by Cursor Bugbot for commit 498504c. Bugbot is set up for automated code reviews on this repo. Configure here.}

[greptile-apps]

Greptile Summary

This PR adds a fully-featured AWS CloudWatch block supporting seven operations: Query Logs (Insights), Describe Log Groups, Get Log Events, Describe Log Streams, List Metrics, Get Metric Statistics, and Describe Alarms. It follows the project's integration checklist closely — tools, block config, icon, selector entries, and API routes are all present and registered correctly.

Key highlights:

• All seven operations are correctly wired end-to-end (tool → internal API route → AWS SDK → response transform).
• The selector registry entries for cloudwatch.logGroups and cloudwatch.logStreams enable cascading file-selector dropdowns in the UI, backed by checkSessionOrInternalAuth so they work during user interaction.
• Credentials use visibility: 'user-only' throughout, in line with the project's credential visibility convention.
• The pollQueryResults utility handles Log Insights async polling cleanly, with a timeout fallback that returns partial results.
• Two minor style issues were identified: import statements placed after a const declaration in three route files, and awsSecretAccessKey omitted from both selector query cache keys.

Confidence Score: 4/5

Safe to merge after addressing two minor style issues; no functional or security regressions introduced.

All seven operations are correctly implemented end-to-end, credentials use the correct 'user-only' visibility, and the selector integration works. Two P2 findings remain: import-after-const in three route files and a missing awsSecretAccessKey in both selector cache keys. Neither causes a runtime failure but both represent small correctness/style gaps.

apps/sim/app/api/tools/cloudwatch/query-logs/route.ts, apps/sim/app/api/tools/cloudwatch/get-log-events/route.ts, apps/sim/app/api/tools/cloudwatch/describe-log-streams/route.ts (import order), and apps/sim/hooks/selectors/registry.ts (query key completeness).

Important Files Changed

Filename	Overview
apps/sim/blocks/blocks/cloudwatch.ts	Block config for all 7 operations; subBlocks, conditions, canonicalParamIds, and params coercions all look correct.
apps/sim/app/api/tools/cloudwatch/utils.ts	Shared CloudWatch Logs client factory plus polling and helper functions; correct ms/seconds conversions for GetLogEvents.
apps/sim/app/api/tools/cloudwatch/query-logs/route.ts	Log Insights query route; minor import-after-const style issue (utils import placed after const logger).
apps/sim/app/api/tools/cloudwatch/get-log-events/route.ts	GetLogEvents route; same import-after-const style issue as query-logs.
apps/sim/app/api/tools/cloudwatch/describe-log-streams/route.ts	DescribeLogStreams route; same import-after-const style issue.
apps/sim/hooks/selectors/registry.ts	cloudwatch.logGroups and cloudwatch.logStreams selector entries added; both query keys omit awsSecretAccessKey, risking stale cache on credential rotation.
apps/sim/tools/cloudwatch/types.ts	Type definitions for all params/response interfaces; well-typed with appropriate optionals.
apps/sim/tools/cloudwatch/index.ts	Barrel export re-exporting all 7 tools under cloudwatch-prefixed names.
apps/sim/app/api/tools/cloudwatch/describe-alarms/route.ts	DescribeAlarms route; correctly merges MetricAlarms and CompositeAlarms and maps AWS field names.
apps/sim/app/api/tools/cloudwatch/get-metric-statistics/route.ts	GetMetricStatistics route; dimensions JSON parsing handles both array and object shapes; timestamps converted to epoch seconds on output.
apps/sim/app/api/tools/cloudwatch/list-metrics/route.ts	ListMetrics route; limit applied via client-side slice (ListMetricsCommand has no native limit param), which is the correct approach.
apps/sim/hooks/selectors/types.ts	Added cloudwatch.logGroups and cloudwatch.logStreams to SelectorKey union and AWS credential fields to SelectorContext.
apps/sim/lib/workflows/subblocks/context.ts	Added awsAccessKeyId, awsSecretAccessKey, awsRegion, and logGroupName to SELECTOR_CONTEXT_FIELDS so block values propagate to the selector context.

Sequence Diagram

sequenceDiagram
    participant UI as Block UI
    participant Exec as Executor
    participant Route as API Route
    participant AWS as AWS SDK

    UI->>Exec: Run workflow (operation + params)
    Exec->>Route: POST /api/tools/cloudwatch/{operation}
    Route->>Route: checkInternalAuth / checkSessionOrInternalAuth
    Route->>Route: Zod schema validation
    Route->>AWS: AWS SDK command (CloudWatchLogsClient / CloudWatchClient)
    AWS-->>Route: Response
    alt query_logs
        Route->>Route: pollQueryResults (polls until Complete/timeout)
    end
    Route-->>Exec: { success, output }
    Exec-->>UI: Block output

    UI->>Route: POST /api/tools/cloudwatch/describe-log-groups (file-selector)
    Note over Route: checkSessionOrInternalAuth (session needed for UI)
    Route->>AWS: DescribeLogGroupsCommand
    AWS-->>Route: logGroups[]
    Route-->>UI: { output: { logGroups } }

    UI->>Route: POST /api/tools/cloudwatch/describe-log-streams (file-selector)
    Note over Route: checkSessionOrInternalAuth
    Route->>AWS: DescribeLogStreamsCommand
    AWS-->>Route: logStreams[]
    Route-->>UI: { output: { logStreams } }

Loading

_{Reviews (1): Last reviewed commit: "feat(block): Add cloudwatch block (#3911..." | Re-trigger Greptile}

[cursor]

Cursor Bugbot has reviewed your changes and found 1 potential issue.

^{❌ Bugbot Autofix is OFF. To automatically fix reported issues with cloud agents, enable autofix in the Cursor dashboard.}

^{Reviewed by Cursor Bugbot for commit 498504c. Configure here.}

[cursor]

Inconsistent timestamp units in log event output

Medium Severity

The getLogEvents utility returns timestamp and ingestionTime in milliseconds, inconsistent with its startTime/endTime inputs (seconds) and other CloudWatch utilities like getMetricStatistics (seconds output). This unit mismatch, also seen in describeLogStreams and describeAlarms outputs, can cause downstream consumers to misinterpret or incorrectly use timestamp values.

 

^{Reviewed by Cursor Bugbot for commit 498504c. Configure here.}