refactor(ashby): align tools, block, and triggers with Ashby API

[waleedlatif1]

Summary

• Audit-driven refactor of Ashby integration against Ashby's API docs. All tools, block, provider handler, and triggers now destructure rich fields per the documented response shapes.
• Centralizes output shapes in a shared tools/ashby/utils.ts via mappers + *_OUTPUTS constants, eliminating drift between tools and block outputs.
• Aligns webhook provider handler with trigger IDs via a single ASHBY_TRIGGER_ACTION_MAP source of truth, and filters Ashby's ping events in matchEvent.

Notable changes

• tools/ashby/utils.ts (new) — shared mappers (mapCandidate, mapJob, mapApplication, mapOffer, mapOpenings, etc.) and output constants.
• tools/ashby/* — 28 tool files refactored to use shared mappers; ID fields .trim()-ed; body keys aligned with Ashby API (id for get_candidate/get_job, single-string status for list_applications).
• blocks/blocks/ashby.ts — advanced-mode switches added (syncToken, includeArchived, expandApplicationFormDefinition, expandSurveyFormDefinitions); stale top-level outputs removed.
• lib/webhooks/providers/ashby.ts — matchEvent added to filter ping events; uses shared ASHBY_TRIGGER_ACTION_MAP.
• triggers/ashby/utils.ts — ASHBY_TRIGGER_ACTION_MAP + isAshbyEventMatch helper; candidateHire outputs expanded with accepted offer details.

Breaking (intentional, API-accurate)

• add_candidate_tag / remove_candidate_tag return full candidate (was { success: true }).
• create_application / change_application_stage return full application (was { applicationId, stageId? }).
• create_note returns full note (was { noteId }).
• get_offer / list_offers nest startDate, salary, openingId, createdAt under latestVersion per Ashby's response shape.

Test plan

• bun run type-check passes
• Verify Ashby webhook delivery end-to-end (signature verification + ping filter)
• Run each tool operation in a workflow (candidate/job/application/offer read + write paths)
• Confirm block output autocomplete reflects new shapes

[vercel]

The latest updates on your projects. Learn more about Vercel for GitHub.

Project	Deployment	Actions	Updated (UTC)
docs	Ready	Preview, Comment	Apr 24, 2026 8:21pm

[cursor]

PR Summary

Medium Risk
Touches many Ashby tools’ request/response contracts and block parameters (including intentional breaking output shape changes), so downstream workflows/autocomplete could break if assumptions were relying on prior minimal outputs. Webhook auth/matching logic changes could also affect trigger firing if misconfigured secrets or action mapping diverge.

Overview
Refactors the Ashby integration to match documented API request/response shapes, centralizing mapping and output schemas in tools/ashby/utils.ts and updating many tools to return rich, consistent objects (e.g., candidate/application/offer) instead of minimal IDs/flags.

Updates the Ashby block UI and parameter mapping to remove the candidateId filter for list_applications, add new advanced options (includeArchived, syncToken, and job posting expand flags), and keep output autocomplete aligned with the new shared schemas.

Improves webhook handling by implementing explicit Ashby signature verification with clearer 401 errors, adding matchEvent filtering (ignore ping and skip mismatched actions), and using a single ASHBY_TRIGGER_ACTION_MAP source of truth; docs/triggers are updated accordingly (including candidateHire trigger output including accepted offer details).

^{Reviewed by Cursor Bugbot for commit 611a1f7. Configure here.}

[greptile-apps]

Greptile Summary

This PR is a comprehensive audit-driven refactoring of the Ashby integration that centralizes output shapes and mappers into a new shared tools/ashby/utils.ts, aligns 28 tool files with Ashby's documented API request/response shapes, and adds a matchEvent filter in the webhook provider to reject ping events.

All three previously-flagged concerns from the review thread (stale noteId descriptor, ping-event bypass when triggerId is absent, and the missing data key in formatInput) have been correctly addressed in commit 611a1f7.

Confidence Score: 5/5

Safe to merge — all previously flagged issues are resolved, no new P0/P1 defects found.

All three review-thread concerns (stale noteId descriptor, ping-event bypass, missing data key) were fixed in the final commit. The refactoring is well-scoped: the centralized utils.ts eliminates output drift, the trigger action map is a single source of truth, and subblock migrations correctly tombstone the removed filterCandidateId field. Intentional breaking changes (offer latestVersion nesting, tag/application/note output enrichment) are documented and accepted.

No files require special attention.

Important Files Changed

Filename	Overview
apps/sim/tools/ashby/utils.ts	New shared module with typed mappers (mapCandidate, mapJob, mapApplication, mapOffer, etc.) and *_OUTPUTS constants — well-structured, eliminates drift between tools and block outputs.
apps/sim/lib/webhooks/providers/ashby.ts	matchEvent now correctly rejects ping events unconditionally before the triggerId fallback; data key restored in formatInput so both input.data.* and flat input.* paths work for trigger workflows.
apps/sim/triggers/ashby/utils.ts	ASHBY_TRIGGER_ACTION_MAP provides a single source of truth for trigger-to-action mapping; isAshbyEventMatch helper is clean and correct; candidateHire outputs expanded with offer details.
apps/sim/blocks/blocks/ashby.ts	Advanced-mode switches added for syncToken, includeArchived, expandApplicationFormDefinition, expandSurveyFormDefinitions; stale top-level output descriptors replaced with API-accurate shapes.
apps/sim/lib/workflows/migrations/subblock-migrations.ts	filterCandidateId correctly migrated to _removed_filterCandidateId to prevent orphaned block params in existing workflows.
apps/sim/tools/ashby/list_applications.ts	candidateId filter removed; status now sent as single string per Ashby API; createdAfter NaN-guarded before sending to API; mapped via shared APPLICATION_OUTPUTS.
apps/sim/tools/ashby/create_candidate.ts	Email made optional (required: false) — aligns with Ashby API where only name is required; output now uses shared mapCandidate/CANDIDATE_OUTPUTS.
apps/sim/tools/ashby/get_offer.ts	Now uses shared mapOffer/OFFER_OUTPUTS; startDate/salary/openingId/createdAt correctly nested under latestVersion per Ashby response shape.

Flowchart

%%{init: {'theme': 'neutral'}}%%
flowchart TD
    A[Inbound Ashby Webhook] --> B[verifyAuth\nHMAC sha256 validation]
    B -->|Invalid signature| C[401 Unauthorized]
    B -->|Valid| D[matchEvent]
    D -->|action == 'ping'| E[return false\nSkip execution]
    D -->|no triggerId| F[return true\nAllow all]
    D -->|triggerId present| G[isAshbyEventMatch\nASHBY_TRIGGER_ACTION_MAP lookup]
    G -->|mismatch| H[return false\nSkip execution]
    G -->|match| I[formatInput\nspread data + keep data key]
    I --> J[Workflow Execution\ninput.application.* ✓\ninput.data.application.* ✓]

    subgraph Tools
      K[get_candidate / list_candidates / search_candidates\ncreate_candidate / update_candidate\nadd_candidate_tag / remove_candidate_tag] --> L[mapCandidate + CANDIDATE_OUTPUTS]
      M[get_application / list_applications\ncreate_application / change_application_stage] --> N[mapApplication + APPLICATION_OUTPUTS]
      O[get_offer / list_offers] --> P[mapOffer + OFFER_OUTPUTS]
      Q[get_job / list_jobs] --> R[mapJob + JOB_OUTPUTS]
    end

    subgraph SharedUtils["tools/ashby/utils.ts"]
      L
      N
      P
      R
    end

Loading

_{Reviews (3): Last reviewed commit: "fix(ashby): preserve input.data path in ..." | Re-trigger Greptile}

[waleedlatif1]

@greptile

[waleedlatif1]

@cursor review

[waleedlatif1]

@greptile

[waleedlatif1]

@cursor review

[cursor]

✅ Bugbot reviewed your changes and found no new issues!

Comment @cursor review or bugbot run to trigger another review on this PR

^{Reviewed by Cursor Bugbot for commit 611a1f7. Configure here.}