fix(sap-concur): rename misleading exchange-rate tool, drop unusable refresh_token grant, validate geolocation host

- Rename sap_concur_get_exchange_rate to sap_concur_upload_exchange_rates (POST bulk upload, not GET)
- Remove refresh_token from SapConcurGrantType / Zod enum / block dropdown / docs (no implementation)
- Validate Concur geolocation hostname against SAP_CONCUR_ALLOWED_DATACENTERS

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>

Author: waleedlatif1

apps/docs/content/docs/en/tools/sap_concur.mdx

@@ -22,7 +22,7 @@ export const SapConcurDatacenterSchema = z
     message: `datacenter must be one of: ${Array.from(SAP_CONCUR_ALLOWED_DATACENTERS).join(', ')}`,
   })
 
-export const SapConcurGrantTypeSchema = z.enum(['client_credentials', 'password', 'refresh_token'])
+export const SapConcurGrantTypeSchema = z.enum(['client_credentials', 'password'])
 
 export const SapConcurAuthSchema = z.object({
   datacenter: SapConcurDatacenterSchema.default('us.api.concursolutions.com'),
@@ -257,7 +257,12 @@ export async function fetchSapConcurAccessToken(
   }
 
   const geolocation = normalizeGeolocation(data.geolocation, auth.datacenter)
-  assertSafeExternalUrl(geolocation, 'geolocation')
+  const geolocationUrl = assertSafeExternalUrl(geolocation, 'geolocation')
+  if (!SAP_CONCUR_ALLOWED_DATACENTERS.has(geolocationUrl.hostname.toLowerCase())) {
+    throw new Error(
+      `Concur geolocation host is not in the allowed datacenter list: ${geolocationUrl.hostname}`
+    )
+  }
 
   const expiresInMs = (data.expires_in ?? 3600) * 1000
   rememberToken(cacheKey, {

apps/sim/app/api/tools/sap_concur/shared.ts

@@ -152,7 +152,7 @@ const BODY_OPS = [
   'sap_concur_update_user',
   'sap_concur_search_users',
   'sap_concur_create_purchase_request',
-  'sap_concur_get_exchange_rate',
+  'sap_concur_upload_exchange_rates',
 ]
 
 export const SapConcurBlock: BlockConfig<SapConcurProxyResponse> = {
@@ -247,7 +247,7 @@ export const SapConcurBlock: BlockConfig<SapConcurProxyResponse> = {
         { label: 'List Budgets', id: 'sap_concur_list_budgets' },
         { label: 'Get Budget', id: 'sap_concur_get_budget' },
         { label: 'List Budget Categories', id: 'sap_concur_list_budget_categories' },
-        { label: 'Get Exchange Rate', id: 'sap_concur_get_exchange_rate' },
+        { label: 'Upload Exchange Rates', id: 'sap_concur_upload_exchange_rates' },
         { label: 'Create Purchase Request', id: 'sap_concur_create_purchase_request' },
         { label: 'Get Purchase Request', id: 'sap_concur_get_purchase_request' },
         { label: 'Get Travel Profile', id: 'sap_concur_get_travel_profile' },
@@ -284,7 +284,6 @@ export const SapConcurBlock: BlockConfig<SapConcurProxyResponse> = {
       options: [
         { label: 'Client Credentials', id: 'client_credentials' },
         { label: 'Password', id: 'password' },
-        { label: 'Refresh Token', id: 'refresh_token' },
       ],
       value: () => 'client_credentials',
     },
@@ -1240,7 +1239,7 @@ export const SapConcurBlock: BlockConfig<SapConcurProxyResponse> = {
           'sap_concur_update_user',
           'sap_concur_search_users',
           'sap_concur_create_purchase_request',
-          'sap_concur_get_exchange_rate',
+          'sap_concur_upload_exchange_rates',
           'sap_concur_create_list_item',
           'sap_concur_update_list_item',
         ],
@@ -1270,7 +1269,7 @@ export const SapConcurBlock: BlockConfig<SapConcurProxyResponse> = {
       'sap_concur_get_allocation',
       'sap_concur_get_budget',
       'sap_concur_get_cash_advance',
-      'sap_concur_get_exchange_rate',
+      'sap_concur_upload_exchange_rates',
       'sap_concur_get_expected_expense',
       'sap_concur_get_expense',
       'sap_concur_get_expense_report',
@@ -1699,7 +1698,7 @@ export const SapConcurBlock: BlockConfig<SapConcurProxyResponse> = {
             return { ...auth, budgetId: params.budgetId }
           case 'sap_concur_list_budget_categories':
             return { ...auth }
-          case 'sap_concur_get_exchange_rate':
+          case 'sap_concur_upload_exchange_rates':
             return { ...auth, body: params.body }
           case 'sap_concur_create_purchase_request':
             return { ...auth, body: params.body }

apps/sim/blocks/blocks/sap_concur.ts

@@ -2292,7 +2292,6 @@ import {
   getAllocationTool as sapConcurGetAllocationTool,
   getBudgetTool as sapConcurGetBudgetTool,
   getCashAdvanceTool as sapConcurGetCashAdvanceTool,
-  getExchangeRateTool as sapConcurGetExchangeRateTool,
   getExpectedExpenseTool as sapConcurGetExpectedExpenseTool,
   getExpenseReportTool as sapConcurGetExpenseReportTool,
   getExpenseTool as sapConcurGetExpenseTool,
@@ -2340,6 +2339,7 @@ import {
   updateListItemTool as sapConcurUpdateListItemTool,
   updateTravelRequestTool as sapConcurUpdateTravelRequestTool,
   updateUserTool as sapConcurUpdateUserTool,
+  uploadExchangeRatesTool as sapConcurUploadExchangeRatesTool,
   uploadReceiptImageTool as sapConcurUploadReceiptImageTool,
 } from '@/tools/sap_concur'
 import {
@@ -5463,7 +5463,7 @@ export const tools: Record<string, ToolConfig> = {
   sap_concur_get_allocation: sapConcurGetAllocationTool,
   sap_concur_get_budget: sapConcurGetBudgetTool,
   sap_concur_get_cash_advance: sapConcurGetCashAdvanceTool,
-  sap_concur_get_exchange_rate: sapConcurGetExchangeRateTool,
+  sap_concur_upload_exchange_rates: sapConcurUploadExchangeRatesTool,
   sap_concur_get_expected_expense: sapConcurGetExpectedExpenseTool,
   sap_concur_get_expense: sapConcurGetExpenseTool,
   sap_concur_get_expense_report: sapConcurGetExpenseReportTool,

apps/sim/tools/registry.ts

@@ -27,7 +27,7 @@ export const approveExpenseReportTool: ToolConfig<
       type: 'string',
       required: false,
       visibility: 'user-only',
-      description: 'OAuth grant type: client_credentials (default), password, refresh_token',
+      description: 'OAuth grant type: client_credentials (default) or password',
     },
     clientId: {
       type: 'string',

apps/sim/tools/sap_concur/approve_expense_report.ts

@@ -25,7 +25,7 @@ export const associateAttendeesTool: ToolConfig<AssociateAttendeesParams, SapCon
         type: 'string',
         required: false,
         visibility: 'user-only',
-        description: 'OAuth grant type: client_credentials (default), password, refresh_token',
+        description: 'OAuth grant type: client_credentials (default) or password',
       },
       clientId: {
         type: 'string',

apps/sim/tools/sap_concur/associate_attendees.ts

@@ -22,7 +22,7 @@ export const createCashAdvanceTool: ToolConfig<CreateCashAdvanceParams, SapConcu
       type: 'string',
       required: false,
       visibility: 'user-only',
-      description: 'OAuth grant type: client_credentials (default), password, refresh_token',
+      description: 'OAuth grant type: client_credentials (default) or password',
     },
     clientId: {
       type: 'string',

apps/sim/tools/sap_concur/create_cash_advance.ts

@@ -27,7 +27,7 @@ export const createExpectedExpenseTool: ToolConfig<
       type: 'string',
       required: false,
       visibility: 'user-only',
-      description: 'OAuth grant type: client_credentials (default), password, refresh_token',
+      description: 'OAuth grant type: client_credentials (default) or password',
     },
     clientId: {
       type: 'string',

apps/sim/tools/sap_concur/create_expected_expense.ts

@@ -27,7 +27,7 @@ export const createExpenseReportTool: ToolConfig<
       type: 'string',
       required: false,
       visibility: 'user-only',
-      description: 'OAuth grant type: client_credentials (default), password, refresh_token',
+      description: 'OAuth grant type: client_credentials (default) or password',
     },
     clientId: {
       type: 'string',

apps/sim/tools/sap_concur/create_expense_report.ts

@@ -22,7 +22,7 @@ export const createListItemTool: ToolConfig<CreateListItemParams, SapConcurProxy
       type: 'string',
       required: false,
       visibility: 'user-only',
-      description: 'OAuth grant type: client_credentials (default), password, refresh_token',
+      description: 'OAuth grant type: client_credentials (default) or password',
     },
     clientId: {
       type: 'string',