2 issues found across 2 files
Prompt for AI agents (all issues)
Check if these issues are valid — if so, understand the root cause of each and fix them.
<file name="packages/web/src/lib/agent/registry/tools.ts">
<violation number="1" location="packages/web/src/lib/agent/registry/tools.ts:541">
P3: The example in the OAuth guidance is contradictory: it names Slack as a system that does **not** support pre-configured OAuth, but the next bullet lists Slack as pre-configured. This can mislead the agent to ask for client secrets unnecessarily. Consider removing Slack from the example or clarifying the wording.</violation>
</file>
<file name="packages/web/src/lib/agent/agent-prompts.ts">
<violation number="1" location="packages/web/src/lib/agent/agent-prompts.ts:98">
P2: `client_id` is now classified as a sensitive credential (`sensitiveCredentials`) here and in the new `edit_system` section, but the `SYSTEM_PLAYGROUND_AGENT_PROMPT` in the same file still lists `client_id` as non-sensitive under `credentials` (lines 342, 350) and its `authenticate_oauth` section says `client_id` can be "passed directly (non-sensitive)" (line 366). This inconsistency will cause different agent behaviors depending on the context. The `SYSTEM_PLAYGROUND_AGENT_PROMPT` should be updated to match this new convention.</violation>
</file>
| - For OAuth auth: create system first, then call authenticate_oauth with the scopes from the response. | ||
| - If call_system fails (any error, 4xx/5xx status, auth errors, etc.), use search_documentation with the systemId and relevant keywords, then web_search. | ||
| - If you have NO information about the system and how to set it up, use the find_system_templates tool to get information about the system. There may not be a template, in which case you need to ask the user to provide system details. | ||
| - Always use 'sensitiveCredentials' for SECRETS: { api_key: true, client_secret: true, client_id: true } - these will need to be manually entered in a secure UI that appears in the tool call UI component |
P2: client_id is now classified as a sensitive credential (sensitiveCredentials) here and in the new edit_system section, but the SYSTEM_PLAYGROUND_AGENT_PROMPT in the same file still lists client_id as non-sensitive under credentials (lines 342, 350) and its authenticate_oauth section says client_id can be "passed directly (non-sensitive)" (line 366). This inconsistency will cause different agent behaviors depending on the context. The SYSTEM_PLAYGROUND_AGENT_PROMPT should be updated to match this new convention.
Prompt for AI agents
Check if this issue is valid — if so, understand the root cause and fix it. At packages/web/src/lib/agent/agent-prompts.ts, line 98:
<file context>
@@ -87,14 +94,16 @@ find_system:
-- For OAuth auth: create system first, then call authenticate_oauth with the scopes from the response.
-- If call_system fails (any error, 4xx/5xx status, auth errors, etc.), use search_documentation with the systemId and relevant keywords, then web_search.
+- If you have NO information about the system and how to set it up, use the find_system_templates tool to get information about the system. There may not be a template, in which case you need to ask the user to provide system details.
+- Always use 'sensitiveCredentials' for SECRETS: { api_key: true, client_secret: true, client_id: true } - these will need to be manually entered in a secure UI that appears in the tool call UI component
+- Use 'credentials' for authentication config parameters: auth_url, token_url, scopes, grant_type
+- Only slack, salesforce, asana, jira, confluence, notion, airtable have pre-configured OAuth via templates - for other systems, use sensitiveCredentials to prompt users for client_id and client_secret
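Review bot: The two removed lines at the top of this hunk drop the call_system failure fallback (search_documentation with the systemId and relevant keywords, then web_search) and the "create system first, then call authenticate_oauth" ordering, and none of the added lines replaces either. If that guidance has not moved elsewhere in this prompt, keep both bullets. The template list hard-coded in the last added line (slack, salesforce, asana, jira, confluence, notion, airtable) is also repeated in the tools.ts change in a different order; sourcing both from one shared constant would keep the two prompts from drifting apart.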
</file context>
| - Use templateId when creating systems for known services (slack, github, stripe, etc.) - this auto-populates urlHost, urlPath, documentationUrl, and OAuth config. | ||
| - When using templateId, you only need to provide: id, templateId, and credentials (if required by the auth type). | ||
| - For OAuth auth: create the system first, then call authenticate_oauth to trigger the OAuth flow. | ||
| - For systems that require OAuth (like Slack, GitHub, etc.) but do not support pre-configured OAuth, you MUST set sensitiveCredentials: { client_secret: true } (and optionally { client_id: true }) when calling create_system. |
P3: The example in the OAuth guidance is contradictory: it names Slack as a system that does not support pre-configured OAuth, but the next bullet lists Slack as pre-configured. This can mislead the agent to ask for client secrets unnecessarily. Consider removing Slack from the example or clarifying the wording.
Prompt for AI agents
Check if this issue is valid — if so, understand the root cause and fix it. At packages/web/src/lib/agent/registry/tools.ts, line 541:
<file context>
@@ -534,13 +534,13 @@ const createSystemDefinition = (): ToolDefinition => ({
- - Use templateId when creating systems for known services (slack, github, stripe, etc.) - this auto-populates urlHost, urlPath, documentationUrl, and OAuth config.
- - When using templateId, you only need to provide: id, templateId, and credentials (if required by the auth type).
- - For OAuth auth: create the system first, then call authenticate_oauth to trigger the OAuth flow.
+ - For systems that require OAuth (like Slack, GitHub, etc.) but do not support pre-configured OAuth, you MUST set sensitiveCredentials: { client_secret: true } (and optionally { client_id: true }) when calling create_system.
+ - slack, salesforce, asana, notion, airtable, jira, confluence are the only templates that support pre-configured oauth
+ - Use templateId when creating systems for knowns services auto-populates url, documentationUrl, and OAuth settings and URLs. For the list above, this also contains pre-configured client_id and secrets, but ONLY for pre-configured oauth templates.
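Review bot: The first added line makes client_id optional ("and optionally { client_id: true }"), while the agent-prompts.ts change in this same PR tells the agent to always use sensitiveCredentials for { api_key: true, client_secret: true, client_id: true }. Pick one rule and word it identically in both places, otherwise the agent may accept client_id through plain credentials in one context and through the secure UI in another. The last added line also needs rewording: "for knowns services auto-populates" is missing a connective, and it now says "url" where the removed line named urlHost and urlPath, so confirm the field names still match what templateId actually populates.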
</file context>
| - For systems that require OAuth (like Slack, GitHub, etc.) but do not support pre-configured OAuth, you MUST set sensitiveCredentials: { client_secret: true } (and optionally { client_id: true }) when calling create_system. | |
| - For systems that require OAuth (like GitHub, etc.) but do not support pre-configured OAuth, you MUST set sensitiveCredentials: { client_secret: true } (and optionally { client_id: true }) when calling create_system. |
Auto-synced from hosted repository
Original PR: https://github.com/superglue-ai/superglue-hosted/pull/318
Author: @michaelfuest
Merged by: @michaelfuest
Summary by cubic
Tightened agent prompts and tool definitions to make OAuth setup explicit and safer, and to prevent parallel confirmation prompts. This reduces setup errors and improves user flow.
Written for commit a0c6b1a9c3ab76f19848d514ca99e9d0eb0d8687. Summary will update on new commits.