feat(clickup): ClickUp integration — 23 tools, OAuth + API-token auth, attachment upload#5702
Conversation
…3 tools, block, and attachment upload - 23 tools covering tasks (create/get/update/delete/list/search), comments (create/get/update/delete), attachment upload, tags, members, custom fields, and the workspace/space/folder/list hierarchy - OAuth provider wiring (authorization-code flow, non-expiring tokens) plus clickup-service-account token-paste credential (personal pk_ API tokens), with a shared clickupAuthorizationHeader helper (pk_ tokens sent bare, OAuth tokens as Bearer) - File upload follows the internal-route pattern: contract-validated /api/tools/clickup/upload-attachment builds the multipart form and returns UserFiles - ClickUp block with per-operation subBlocks, canonical file param, BlockMeta templates/skills, and gradient brand icon - Generated integration docs page + hand-written service-account guide
…pload route - Map documented task fields that were dropped: markdown_description, subtasks, watchers, custom_fields, time_spent, folder, space — making the include_subtasks / include_markdown_description options observable - Expand verified filters: assignees/tags/due-date ranges on get_tasks and search_tasks, include_closed on search_tasks; add due_date_time / start_date_time flags and update-task assignee add/remove - Guard update_comment against an empty body and require comment text in the block; prefer markdown_content over content on create_list and make markdown reachable for lists in the UI - Drop the unverified 'required' field from custom-field outputs; read both err and error keys from ClickUp error bodies; correct notify_all wording - Upload route: 100MB size cap, shared attachment mapper with full documented response fields (version, thumbnails), base-URL constant
…oc generation The generator prunes integration pages it does not derive from blocks; add the hand-written ClickUp API-token guide to HANDWRITTEN_INTEGRATION_DOCS so regeneration cannot delete it.
|
The latest updates on your projects. Learn more about Vercel for GitHub. |
PR SummaryMedium Risk Overview Auth: OAuth provider ( Attachments: Dedicated Also registers the block, icons, integrations catalog entry, and BlockMeta templates/skills. Reviewed by Cursor Bugbot for commit 33caff5. Configure here. |
|
@cursor review |
Greptile SummaryThis PR adds a full ClickUp integration to Sim. The main changes are:
Confidence Score: 5/5This looks safe to merge.
Important Files Changed
Reviews (13): Last reviewed commit: "fix(clickup): reject empty update_task b..." | Re-trigger Greptile |
Greptile SummaryThis PR adds a full ClickUp integration to Sim. The main changes are:
Confidence Score: 4/5The list-operation validation bug should be fixed before merging; the upload limit and documentation navigation also need cleanup.
apps/sim/blocks/blocks/clickup.ts, apps/sim/app/api/tools/clickup/upload-attachment/route.ts, apps/docs/content/docs/en/integrations/meta.json Important Files Changed
Reviews (1): Last reviewed commit: "fix(docs): restore clickup-service-accou..." | Re-trigger Greptile |
…g-time list parent validation, upload memory cap, unique icon gradient ids - Remove duplicated clickup entries in docs meta.json and integrations.json introduced by a double docs regeneration - Add a Location dropdown for Get Lists / Create List so the folder ID or space ID is conditionally required at configuration time instead of failing at run time - Pass the 100MB cap into downloadServableFileFromStorage so oversized files abort during download instead of after full buffering - Use useId()-derived SVG gradient ids for ClickUpIcon in both icon files
|
@cursor review |
There was a problem hiding this comment.
✅ Bugbot reviewed your changes and found no new issues!
Comment @cursor review or bugbot run to trigger another review on this PR
Reviewed by Cursor Bugbot for commit d0fbad1. Configure here.
…and block - create_task: add doc-backed sprint points param (parity with update) - get_tasks/search_tasks: expose include_markdown_description - update_task legacy numeric priority in list responses mapped instead of dropped; create_comment omits absent response fields instead of emitting sentinel ''/0 values - order_by only sent when explicitly chosen (Default sentinel); comment text no longer UI-required for update_comment (resolve-only and assignee-only updates are valid per the tool contract, which still rejects an empty body) - add_tag_to_task sends no request body per docs; upload tool tolerates non-JSON error responses
|
@cursor review |
The task/list member endpoints document a flat member object; accept the
workspace-members-style nested { user: {...} } wrapper as well so both
shapes map correctly.
|
@cursor review |
There was a problem hiding this comment.
✅ Bugbot reviewed your changes and found no new issues!
Comment @cursor review or bugbot run to trigger another review on this PR
Reviewed by Cursor Bugbot for commit 09da11f. Configure here.
… (15 tools, 38 total)
- Set/remove custom field values on tasks (PUT/DELETE /task/{id}/field/{field_id});
block value input parses JSON for structured field types, plain values pass through
- Checklist CRUD: create/rename/reorder/delete checklists and create/update/
delete checklist items (assign, resolve, nest), mapped from the documented
{checklist} response shape
- Time tracking: list entries in a date range (assignee/location filters,
task-tag and location-name includes), create/update/delete entries, start/
stop timers, and read the currently running timer; entries mapped from the
documented data envelope with negative-duration running semantics
- Block gains 15 operations with conditionally-required fields, timestamp
wand configs, tri-state billable/resolved dropdowns, and a single-location
filter selector matching the API's one-location-filter rule
|
@cursor review |
There was a problem hiding this comment.
✅ Bugbot reviewed your changes and found no new issues!
Comment @cursor review or bugbot run to trigger another review on this PR
Reviewed by Cursor Bugbot for commit 35c8490. Configure here.
…, tolerant time-entry envelopes, richer mappings - Set Custom Field Value uses POST per the live reference OpenAPI (the llms mirror shows PUT; the reference console spec is authoritative) - delete_time_entry maps the documented array envelope; create_time_entry tolerates both data-wrapped and flat echo bodies - Time entries surface task_tags and task_location so the include switches are observable; checklists carry date_created - Custom field value input parses any JSON literal (numbers, booleans, arrays, objects) and passes plain text through - Update Time Entry supports duration edits; single-assignee time ops get their own field so a comma-separated list can't silently NaN out
|
@cursor review |
There was a problem hiding this comment.
✅ Bugbot reviewed your changes and found no new issues!
Comment @cursor review or bugbot run to trigger another review on this PR
Reviewed by Cursor Bugbot for commit 8af98b5. Configure here.
The due/start date-time switches previously only transmitted true; a timed date could never be flipped back to date-only. The flag is now sent as an explicit boolean whenever the corresponding date is provided and omitted otherwise.
|
@cursor review |
…ildren, tolerant comment date - Checklist items surface the documented children array of nested item IDs - create_comment tolerates a string-typed date in the response
|
@cursor review |
There was a problem hiding this comment.
✅ Bugbot reviewed your changes and found no new issues!
2 issues from previous reviews remain unresolved.
Comment @cursor review or bugbot run to trigger another review on this PR
Reviewed by Cursor Bugbot for commit 4aa17bf. Configure here.
…r, matching sibling update tools
|
@cursor review |
There was a problem hiding this comment.
✅ Bugbot reviewed your changes and found no new issues!
Comment @cursor review or bugbot run to trigger another review on this PR
Reviewed by Cursor Bugbot for commit 33caff5. Configure here.

Summary
https://app.clickup.com/api, redirect/api/auth/oauth2/callback/clickup; ClickUp issues non-expiring tokens with no refresh tokens, so the refresh path is intentionally unreachable) +clickup-service-accounttoken-paste credential for personalpk_API tokens, mirroring the Linear setupclickupAuthorizationHeaderhelper sendspk_tokens bare and OAuth tokens asBearer, per ClickUp's documented auth — used by tools, the upload route, and the token validator alike/api/tools/clickup/upload-attachment,processFilesToUserFiles→assertToolFileAccess→ multipartattachmentfield, 100MB cap, returns UserFiles for downstream blocks)required) were dropped rather than guessed.custom_task_ids/team_idcustom-ID addressing is intentionally out of scope for this round.Type of Change
Testing
Typecheck,
check:api-validation,check:bare-icons, and docs generation all pass; tool/block/OAuth wiring audited against the ClickUp API docs. Needs a live OAuth app (client ID/secret) for end-to-end verification.Checklist