From 474b1af1457f699a16120cf9bb98246f363d7816 Mon Sep 17 00:00:00 2001
From: Waleed
Date: Fri, 6 Feb 2026 13:11:56 -0800
Subject: [PATCH 1/8] improvement(ui): improved skills UI, validation, and permissions (#3156)
* improvement(ui): improved skills UI, validation, and permissions
* stronger typing for Skill interface
* added missing docs description
* ack comment
---
apps/docs/components/icons.tsx | 21 ++++++
apps/docs/content/docs/en/skills/index.mdx | 63 ++++++++++++++--
apps/docs/content/docs/en/tools/airweave.mdx | 15 ++++
apps/docs/public/static/skills/add-skill.png | Bin 0 -> 28530 bytes
.../public/static/skills/manage-skills.png | Bin 0 -> 57505 bytes
.../components/skill-input/skill-input.tsx | 61 +++++++++------
.../hooks/use-editor-subblock-layout.ts | 6 ++
.../workflow-block/workflow-block.tsx | 44 +++++++++++
.../skills/components/skill-modal.tsx | 70 ++++++++++++------
apps/sim/components/icons.tsx | 16 ++--
10 files changed, 235 insertions(+), 61 deletions(-)
create mode 100644 apps/docs/public/static/skills/add-skill.png
create mode 100644 apps/docs/public/static/skills/manage-skills.png
diff --git a/apps/docs/components/icons.tsx b/apps/docs/components/icons.tsx
index f5d604d1d..d62410d7f 100644
--- a/apps/docs/components/icons.tsx
+++ b/apps/docs/components/icons.tsx
@@ -5462,3 +5462,24 @@ export function EnrichSoIcon(props: SVGProps) { ) } + +export function AgentSkillsIcon(props: SVGProps) { + return ( + + + + + ) +}
diff --git a/apps/docs/content/docs/en/skills/index.mdx b/apps/docs/content/docs/en/skills/index.mdx
index 1af685ceb..6f5a95d3f 100644
--- a/apps/docs/content/docs/en/skills/index.mdx
+++ b/apps/docs/content/docs/en/skills/index.mdx
@@ -18,7 +18,9 @@ This means you can attach many skills to an agent without bloating its context w ## Creating Skills -Go to **Settings** (gear icon) and select **Skills** under the Tools section. +Go to **Settings** and select **Skills** under the Tools section. + +![Manage Skills](/static/skills/manage-skills.png) Click **Add** to create a new skill with three fields:
@@ -52,11 +54,22 @@ Use when the user asks you to write, optimize, or debug SQL queries. ... ``` +**Recommended structure:** +- **When to use** — Specific triggers and scenarios +- **Instructions** — Step-by-step guidance with numbered lists +- **Examples** — Input/output samples showing expected behavior +- **Common Patterns** — Reusable approaches for frequent tasks +- **Edge Cases** — Gotchas and special considerations + +Keep skills focused and under 500 lines. If a skill grows too large, split it into multiple specialized skills. + ## Adding Skills to an Agent Open any **Agent** block and find the **Skills** dropdown below the tools section. Select the skills you want the agent to have access to. -Selected skills appear as chips that you can click to edit or remove. +![Add Skill](/static/skills/add-skill.png) + +Selected skills appear as cards that you can click to edit or remove. ### What Happens at Runtime
@@ -69,12 +82,50 @@ When the workflow runs: This works across all supported LLM providers — the `load_skill` tool uses standard tool-calling, so no provider-specific configuration is needed. -## Tips +## Common Use Cases -- **Keep descriptions actionable** — Instead of "Helps with SQL", write "Write optimized SQL queries for PostgreSQL, MySQL, and SQLite, including index recommendations and query plan analysis" +Skills are most valuable when agents need specialized knowledge or multi-step workflows: + +**Domain Expertise** +- `api-integration-expert` — Best practices for calling specific APIs (authentication, rate limiting, error handling) +- `data-transformation` — ETL patterns, data cleaning, and validation rules +- `code-reviewer` — Code review guidelines specific to your team's standards + +**Workflow Templates** +- `bug-investigation` — Step-by-step debugging methodology (reproduce → isolate → test → fix) +- `feature-implementation` — Development workflow from requirements to deployment +- `document-generator` — Templates and formatting rules for technical documentation + +**Company-Specific Knowledge** +- `our-architecture` — System architecture diagrams, service dependencies, and deployment processes +- `style-guide` — Brand guidelines, writing tone, UI/UX patterns +- `customer-onboarding` — Standard procedures and common customer questions + +**When to use skills vs. 
agent instructions:** +- Use **skills** for knowledge that applies across multiple workflows or changes frequently +- Use **agent instructions** for task-specific context that's unique to a single agent + +## Best Practices + +**Writing Effective Descriptions** +- **Be specific and keyword-rich** — Instead of "Helps with SQL", write "Write optimized SQL queries for PostgreSQL, MySQL, and SQLite, including index recommendations and query plan analysis" +- **Include activation triggers** — Mention specific words or phrases that should prompt the skill (e.g., "Use when the user mentions PDFs, forms, or document extraction") +- **Keep it under 200 words** — Agents scan descriptions quickly; make every word count + +**Skill Scope and Organization** - **One skill per domain** — A focused `sql-expert` skill works better than a broad `database-everything` skill -- **Use markdown structure** — Headers, lists, and code blocks help the agent parse and follow instructions -- **Test iteratively** — Run your workflow and check if the agent activates the skill when expected +- **Limit to 5-10 skills per agent** — More skills = more decision overhead; start small and add as needed +- **Split large skills** — If a skill exceeds 500 lines, break it into focused sub-skills + +**Content Structure** +- **Use markdown formatting** — Headers, lists, and code blocks help agents parse and follow instructions +- **Provide examples** — Show input/output pairs so agents understand expected behavior +- **Be explicit about edge cases** — Don't assume agents will infer special handling + +**Testing and Iteration** +- **Test activation** — Run your workflow and verify the agent loads the skill when expected +- **Check for false positives** — Make sure skills aren't activating when they shouldn't +- **Refine descriptions** — If a skill isn't loading when needed, add more keywords to the description ## Learn More 
diff --git a/apps/docs/content/docs/en/tools/airweave.mdx b/apps/docs/content/docs/en/tools/airweave.mdx
index f5ce4994f..59764a4c0 100644
--- a/apps/docs/content/docs/en/tools/airweave.mdx
+++ b/apps/docs/content/docs/en/tools/airweave.mdx
@@ -10,6 +10,21 @@ import { BlockInfoCard } from "@/components/ui/block-info-card" color="#6366F1" /> +{/* MANUAL-CONTENT-START:intro */} +[Airweave](https://airweave.ai/) is an AI-powered semantic search platform that helps you discover and retrieve knowledge across all your synced data sources. Built for modern teams, Airweave enables fast, relevant search results using neural, hybrid, or keyword-based strategies tailored to your needs. + +With Airweave, you can: + +- **Search smarter**: Use natural language queries to uncover information stored across your connected tools and databases +- **Unify your data**: Seamlessly access content from sources like code, docs, chat, emails, cloud files, and more +- **Customize retrieval**: Select between hybrid (semantic + keyword), neural, or keyword search strategies for optimal results +- **Boost recall**: Expand search queries with AI to find more comprehensive answers +- **Rerank results using AI**: Prioritize the most relevant answers with powerful language models +- **Get instant answers**: Generate clear, AI-powered responses synthesized from your data + +In Sim, the Airweave integration empowers your agents to search, summarize, and extract insights from all your organization’s data via a single tool. Use Airweave to drive rich, contextual knowledge retrieval within your workflows—whether answering questions, generating summaries, or supporting dynamic decision-making. +{/* MANUAL-CONTENT-END */} + ## Usage Instructions Search across your synced data sources using Airweave. Supports semantic search with hybrid, neural, or keyword retrieval strategies. Optionally generate AI-powered answers from search results.
diff --git a/apps/docs/public/static/skills/add-skill.png b/apps/docs/public/static/skills/add-skill.png new file mode 100644 index 0000000000000000000000000000000000000000..80428e88ae88183edbb73f53bc9136931b20ffb4 GIT binary patch literal 28530 zcmeFYbyQqU@HU8B&|txd;TGJPgaiTv3GVLhE|~-gNq`8!WeCCDU4jN5+&#eHHrQa_ z<$d!e^V|Jr&)GkA&+f-L!_3^d-CbQ>U0u&pb;DJZWC`%7@la4u2;`nWRYgHTgQK9J z=Hp-iS4!9UNKjDl6>X%YRpg|l8C6`JEN$#9P*9$Sf7Qa)R_mfj(NmSfA%6QR8k)#> z@8PRxVqKK=XT)DWV&FXN2!@!-Qj+V}y)}NO^_a}S09D66JFk%A-E0L1g?h9{iLusP zFiPzf`@Gn^(8<+FD&KXI+s+Ix3XdoTuMSr(CMbp9h@R$lbIQl07A6TyoMu!4Z&YtJLsN&&ih=M*~;awo~^?p5UO|CUB{Jez*6{DKpBRW!j4rB9xa{ zKJVAhc*zZKl@!uq;kZ=bS>?Kv;brCRw+E)4YSXt7p)w9*p!qPNBuIR;qQv1#BSg2n zm6UNWoXj-nZNT9{<~zm|q7qIx*o{{mkpy>g=e^F1m;BC3Y))w6!F4G^7|mi{^E&?8 zO600)WrYoUtr#2;^N=V)V+DWnn8(Vt8gG~}kXbS6!)tA96tdX2h)a#QuNnA?D(C5y zPcVtb@QWGgvwlV_6YZ7Udu%M+CPQrX-0l8-EdO`B4}P#QXiJsre;$Ym(`Hz*ExE_y z*t}NlZ@aZnKhFD0dX349?E=Kjuj^Sjkn~a_psbZ!qMN1)GV8q@ZVMHTSk;#ywX0>o-vG} zkywbre(NT!UN6$N|L%45j}pu?XP4ZgeN&x4_j*yK`g?lB6a|sk^F;Shh%nFuRa#;Q zGhf>?+H5+)LbWzhj2Tf}KjOAEyS$>J{WLOvKcrJw1?MXGIX;>6G8)3K9fER@8dk!l z#M_n=70GA@QO@{`PX9OwyX7%gz2-5yT-d$m7({pPpUFN&n+WC!)1OekyiQ>-Z{pSe z`4pe0`v=wJhsVmM#E(ASk;iA6S`4k`-ieTHPM5Oh62?BE?Oo23S|mwJc20Hv3VmEH z@=Wys1I3Cr6!qv0_QsbhhX7~0?DbIW1xXb;wq=ePV&SDiXL_z3Y%9+<98Qdm8X6O= z<<~JkguJYqqn2JgX1&jHMK-;7Utn8cHdI}`;;K?|Lwh)EqmO2TN>XY!apV1hh<`P6 zC5G7Brjrx7*5Xky5&MRUt$veS)i>YX>E}QEFp+Ixp^O7q7+kvYYb) z9VOK)ARs_0Xr(0*buS&;{~_&F_oVAW)-&{1Wnm%mKH!8_4Qw=jH=c!IE0hI2HKM#dvsE8@;hp=ZRtlC&iovWq~wW%~i zMokp=B#k;miygNll-lBjX}p5jg~^ngLr(eqxf=0{n)CL3FUSI^n!-*NjBwmvll%ZL zJX;`TBId;%#%&MgZBc5u+hTLd;cbVwcXrQ(1pT<%7xU0VPCi;`SjI< z!o5%U&j}wesFKNnx|zwp2!1^N82O3olc?P8Pik|u(pw^NNl#)vzyE3RYxYq70rjCkx4^Mo(r9(oeoCfvS=PRF4*x?35eLd`;ccdE@?@o|%=2M2*cp5UPK}U5 z7$C$HGc&(18L532Q7%(0Gd%pf>V_3!(!RjU#D_;^@!`#fTOS-b-^El=C@Vk&wDMFp zi^n_)3>`9$?`*Sdi*H*@)m04GNDbay*WScff9p=MZa*%PbNDL!5oeru=Es_kHE(

LHX*1){!n-fjC8%TPI`X|I z+GfL!?U8|G(l`-)8F5*ge zi`I^ASEMBAUedcH>ZFvYO4?*z-%%J}dXsRS$eQS`bEANa)r*O^Z;uqs3~MLqa17WC z3O{5-5zvb{*)LB}77`Ykj`tM`&BQq_&r;M?R0nvTILFqF*LeA8`+oPahgbIxt~_;% zaq0KHEsid}<|F9Wc;b4}eImMW6kC<<6?x*g%e-vg5#G6d=cKuFMs}gBFRL|nJ8`vc zw5oNWS9w8e#cO`P#pqYl@b#nd$i%+c)&TkiT1Fyavb~tK_QX~(`nQ;&7%>=?nClo1 zF*Gn{2?UAy@e2uda9wW2le>yX6I0XIvcW~?Y)GGkI5EZpBSZmRK#txu`99 zb~c0)y)_~UV*erdI3D`>=kphe`Eve=WO3!9Ic6;|TsNj9Wx*FQ4}>y5s@_)f%!Di9 zCsaF{TIK55x@=U)34XDBAu2TK?7H*ozS>96pW^0XG^}61Bi1FJ zq&PS1#s4%a*Bp6xOj1N4)xX!JoxJ~GnAuIyQY*$tQ%AEZm^tTT{ZGQaxzCq^%xqR# zN=A;VJB{M5hPrbmIg$LbzP7ntBUEbB7KEjyI-UGQHk+A8KU-JC$lscN{`Sa-@(NbP z=J0i%b(j2hZY$_58b}_nMRqhH>S^HlOytoxP{`r#vulD6uT5KSh}C zw(G?#C_GS@iitF+HCd0n{j#elqd&tUBQ*v$_7ZU!x7*XStCvzz?+|kSu8%#OJ%hcd z;6P8KLD$b?aRb|~qbSFy$55~I_^6h3v;S*NjDwD{L6QFaOZt~{)jwQYy9rX+O4$lE zvD9~_t;=23JE{_&CUQ9(&+AvUdn>HR5a~VCbF#lRscB?kpi!Az-C%s4P8TlLf6;uF zW|_6vKa`y6CFkX#-l>_IyPusi=}_+Xj8iu+e|zdn?b^~@b3=qjq{sAe$??}6?DMbZ zsaJ8w%N6L0*t&$SgkzWHN5dV`z0wblo?rGNQbO}XBRhU|9JiW;=_S-B5?*e>4+|~J zR=e-}%4*VP&>Ogy?`kiW%q^EL&oc8Wi(AJJxo-Xn{-UMSo@6UV7l_#6{?U{q-YVg? 
zl|L}K>Snk`c-?(gu~>h8hS01UlWwZH^vv#SD7bpv8Pf4Sg)(ufvx1@Fm)CmRN^?(> z{-TjckidcMc}1|DP+^wgZuQ;T{a=P$Wp9J9r& z6eXo}{S={oHM!$99J|L|b$)drXdsT z_om>BRMuL?n;^3diFF|tA}RE*x$JiWuP8$--jJBKwFm!!`W@93XHQLuq;w}F>8 z1ns}O(clpD|30JU1HYj>R+E;K1K!olTrDgd-K?G5@z5MafeX0K&vo2TP$(YWyiny- zAM64BkJ+eeyK5`H5H)jh;4(3HGPU6Hc5uGw2Swal6!_?1;cmj{?O^ZdCh9G5@1HwF zfzLOWx$iOlbBnv3#64|A6-H?%R|`f#E*>tPdy;sJjEv&0=9Z$WPi1~L2fj(%vvzlP z7Ukyl^77*H;^T61wc>sxA|k@g!^_Rf%L&}U>E`3;ZsN`9=yw0#PX6oXsfC-FtBtd} zjguqeO}{3lP9E+O_wL;c^ylwiIW4?x{*L76_Ip~u1i5d1;eN!$!~LgkpsD!HRZ$fi zZwq^!r#23N&VVr_`FVxK|GEGF^vmB7ky>j1Z7C!mh};tCm;Yl+4L1u{X(tC@NO#G< z%k{f4@{hk8igVx097z-Zs`;O*fSx7s#JT^hnIs;XRsIe9rL}pgtPZ>bM)uF&81SD3 zc-_1MFK!!lZ}TkRT|n;XV|8!Tty$cBeT&QM{Vev`laNYxGxiM7q*wOq*ErAbS@ToJ zW)EUSDDV$jADl18SdX+-@4LOH8O(;@-1~V?%z|A3Tp3LvZ=-M$Fn@J&dEp=Grfjv7 zEGEGh8{e4v%d?ViKx9o|_?KJCS;`tbj^AeJ%2*AAib}%R8O#LY)IHD_q51bR zBiS@+|3TZ(unj&u3+7uN%fHcV4vG%`KKzl6T zCiLHZ-1Np@@(SD-E+sBx@K*#>^oDt)ZlX{*~X`EPvyg784k z>HdCGfrJASRlHcNSx1@&pdP~i7pbQ?kqdeP8@wOLc7C$U{cBk6a!{voKz@L-R8{Qd zU!6c6qj})MgI9FQEJJ#@o5Wuv2|xNkBgB=jU&C8}y7Yd3H%8A9cXPZ*%9v8>d~zW4 zr0M!{|7;*&$Iaw;YZ9A7Z3lPEW!7UnBuzRjl;L6ldoeAH{@r^5T4A1~JkC%Kz8>5+n2gF++yG3NMF%(!h;Q^Nov$%_5>sh9Lj% zQ&mnz+O_UB+LiV?!aLQ=EpJKg%Lhj{`7hJV<5bOh>aEw<^XzuxTz=Iuq-sQr7Ig$( zoecza1o{|5xCedzN(Om`iAMm}(sy}wIyK%%k#i^H`XIK6HYMPA@-&V&iHgrM*siES zFv+!>b-zZ-(C1B@;LaO2ZWx<7jcOhL}V z4-HyjH^S92@X+{<=yM7rmEAmaT<(k_3c6Tk0HO>!3M0fXW+|!^pVfHprZG^ek*u#h zMEUj{+aJR%&jqG`r8keztOiyseKhs@V$J)ttw^=ofP@fyYm%=wQHVR=psup~xfS?o zt85@L{bHTqWY){bdp#p|DZDCH-&M{(!3cvs=wjdd+89mZ;ggHcJOK!JGdIdDO0Ex0 zg1zy4%ms6LeP;xnQfonZi5ik`7N$$#t*b2ypqb<*NE{Z`rY#=B*!$%s$vbX zlErD9zdEjxPL&KGoG5zso+4!0sY!x|=rWXmhS0k~AHr;W=ugdg-K89OI}otbDnF-B z;H%iC3k%`JU{W+bc>PJkE}q ze-7CL4S15il^PPH^w0e|u-mgUTZc~Rc~9I*PZByj&?$AbUyYL?Fn>OG(h?yw7Z;#V zZ)6Txd!jxvw>w=Yq<@%l61>tA8#~r{rJ{V@MyedVJzW)>auSI=w}&dRpj6M$!L9dP zwJccYUz8<9;5)No4P;K&dtp++4A-Zf8Ed8B6jsix7xAjT5$w&b-yCW*%^}y51A&?e znr_P-5sPDbP6SaB$J*kQ&BR7Z^J{-yeXSa#5G+||hK_}g6Kmk9L+ipI=?|FJNqO?~ 
zI(U->=OoBTccIDaj)*d4RCg25Z>pe!ZjxhJ(Dl`}W|`GMO7m9-R?2UMbD4jgdUN9A z8{M$@Hw9j{#Bl0$@60d!c+=V^G*63j%AZ;L;K8sc9=!ev*fM;Pac)x6z=FfYEPLbj zz(oFx`reBnCNtG8lN#;klT@CB-h<44tG z6u2WYq}MBmf=*jae!Rw9Ppd*&W%u{Ma91O0$^=rE>&nYYTMlAr@Y&r!FYOvvi^=5L zo!U)P&}zHU#S-PBRue))pNj@o)O3Xq&co+6Cqh{rNM-2pWC6<+`~*qa41MRZ8_RF@ z9m32V@-5YBxm+X)x>MwxXn3fJZvpWT*Bg- z)V0s#xW6ir9%b;z=wXxI^5()m9;?0aCJ6Yt%NR|{+D2Ya4CgJO8E5IF0;Y)GL+XMu z&;Y*Z$TVNYgKaQ2J&qA#C>D<&m zg9si*k>!{7XKf%LGayQdIP!ErGD9*p;Ao2;?nmAT`9SjeGR+zckc}b)XnAX;oDWG1YIYz# z%&)RTmR1F5nU>^tgHrL=M=l zTlB;f+l?0{978^Wr2J3!Zi0&h!Db;Ooj^c1iGmJzK-{*=+x{3EF_)jHh9IO+>u$JUGi-s0l4!L z2*g?dPi_`Y(0+kzDrCaKs7$eG7*>a?eI~QD9vU8+Zje+SlP5`i9fN1NNe0i6hF8KI zVv#^!1vcTPyAMUS2vj*mT%^!=tv^|#;AaSu&8R@!z^#O099-q*U7!0Y9rap3M&w^^ zA*l;`=f;GR4BjIdyax#nbUb8K327eI9{_`Y)L-}vNs3yWJFv|b+bm@3mI18$j@9@# zq`hc>fe-gEsZc{U$oqgnekij;j>frwO;B4rm4hTl1R#e{$7IFdP?tr85)juwds`hz zjt)Q$n&mBBqbow;_^4{r1!Ij4QDA&)Ok6@Nd*N`&Yg99t4|HIzOgffSgwHOcG3CG`KBP@gP-@8 zb;pW~7-G1M<}w5#>BRmC`nRSk*n5-3gzRT)D`wBLlvC+(F6tYd7h61w=(cL7Jyy~G z=mz{5q=4z$@++J<xt+%PYO(_LHa|b!U4#!SN9{i7^*Vz5>g5~wQ0d+belA%)kRZSg-xy`LpKp{9 z2L#=&+%q1ZE#yN2644mCY|tnwKBgq+7Tk{I|5a!>hI;7Jc`zg zt5Mq(^+XTAny&k80M5^GR1T84r5)jsRWBfG=E`X7eEH&VsI-e<%>HtxtTMeC(~!Y&1M?(Of$_n!^{j*P-pbqm1t&)D0@EAoUXXiFeq={;Pn`GU&g`%kxu%5)qLJT4{)ai^nEl0C+B_SbbSYfMIh zx}#Z5Hb!zL3#Vt-AggCzoEijqQ;x_OT?5b}QL=8F<9(2ra5L6^Y$&w&b$V0MR`nGeyWH9kZO zU<*mh4?Rd2DIMmx4a40ylL4(=&I}p)tbElj{cOM`MQ2$9lCqyDb_Qk^GuHtVJUXB3 zz|2rxSUuB4lQ3ee4C~O}jXpG=ekn_*LH*1sT2gOVgB5CZQluJZMTdpRFF*P185dN@ zeukZ?TecqN2#Agd1waO{)-T#4Lx~vZl|)vetrfZmGK9`z3_@>{zxMW27vl`-ebgBo zPRiU7wt^Pm>7J6{cXbe9M4%+LU9P=3U{`^GaO)SzQs*0JFUU?Vs{DEj{^GE!y?UZD zvPFE82dc%s?fTn#q3_UETKol}URv2s2vE?BOK1BR>9Zm6vtM6IzCR2A0 zn82?95GKi(Z)LYuUrR>blD-nVbqIHW?7o;7|2=<*2Bs+9p-pO@4il%|F9$Vj z-`6Z22hlw$%1XuqRrc`;HN0`lQBsn$fv1c64rl1E?Tzx^e~}b<&O!+jaYp$evtFAx9K)?eU`6Jv0~He+FPd^CYoiw%vE?VmCM4fO1^W{G zADnT{#u>Q{weuPH;VtL^$vRF{F>)|_iui%eU@!EVz+1Gdd?>sOKJZgKE%_6|AF_6I zgSz{()pi67l_SvcH()ju9{}7`ZIR-4oNBDx)C>DU&D_IV@t{fndkhi0x4E@fjMf}_ 
z6Tw^c$@Q!`5x{*&7=AN$Aog1yNw{la--ft6SIo!#vzyjZ{H7E&RX56Ci7C>+aEqd+ ziOX$(pdjz(kB}5qv*46Zh>^^4MXxU0g7OPH8!AWKMw_cs*R*7j-T14|GV98M&pVl~ z&xxj6w#3Tc5WugudFK|IVgBXoYf8;y9uMaBVIgh-=+@Qn4a?v^TJr!GB zWq{cWZh5-9IvoF+yoVkzwQ3(BX~F+tC@Y2lo^;XUIV2qR$_>|gYZ@?{z-ITj`j}Z+ zZjO+*e?oLvAUKmQEzADlXeTMC2G35GbF_)?;X}7kx5bCllmSb@WBfx>PIL7)@X6DF zBv{8tH&Y)nFm|Xm)%w*UCu^W`3tvcleiWn}u2_rMuB>cKb)ZokP%ep2?%+OODUh+&w1!WABWm`;G{fSGVcxZ}LFx<-CP9?MMj>$4BFNBVH zD+}|7+n#DPQi1-)2nFg47X1&bei;+|iVv8ZG;`C|8YZdSgpG~cr2I0pTUeNLGZT&q zv3$oqNqkHTl8=aU{rrZYh3AL((ZFNOqKvVZ5UZwY9*Q1lcQPnRfWtRf@>~HI`vtB0 z3K7dYT_zvzKZvLNHAoH1ccbkrePy$aJ%DABrw50hx!F?B)3;~qaK?%(2}Qw}nIo1a z%}V6SBXFX~W{*INxWL9p{;(}Bd<&ZyJ&PzZaH0{u`PjGKdwkBh>p=%;FALdHXB8zQ&Iib^kfg)Iw_<7AoUbwApRHg30 zCu~oQeXDu9+eT^uGT-)9fTYsffqVXn$q0&Tp)cU z`jB|e&L(o`;ezG$ywqpeg-M+2!2NIMs53QvWdP335P$`yw@F z8acF7Y6hjE@24S!u6+-H2scx?$Km&xd9z&@nT?UR4iK(_EpG!6?r_#hax%L7xKjSfb7c+5Sy-YnkchUzTvJl zrYFpXzRL+@?33J=3I6d0I}8Y+I>s&~mVlU%b0neN4HzT(5Btg4HQVIlY<+V?pu=Z-i><96?@F6?^#L3tXG4z6 zj0F;)_=!urdJbPFt)4BnQPXY;3~&tZCL&^k4sQb@x4uF}U!rDdS{z6~bT2d_gP+@s z&1$Bt48U3HU~;rEy1tU@NF)j^i{V!_8l^_Ybf}nw#ITK@{u=s z^#^{@TqrZ9fbQFGJ>Q-vxoatCPe)y&d&4`I6@|g z=f5idu=uMlLJ`!KO8~qp`~XhY2pS>J$wdfyfTwxjaHb+SmB9XgtUxl#%7%0(e)z3% zUezEKa7w}%E-6#nSDMwl^JaZ{B!$<51V^~_D)SWtj^d6 z&@56Dx@4)n);%huHM1poo(?w)k^+c&;n{w~(dIHdy28GA7YUt%z(N>t{jR5b zi;s+o^lJ_xC`GHa0DeN)#dHC$IA+=%vZ;VHd-unTUuT`4O=c*>Y993itjDjeFUxqE z`Pwf>-{~U}8K{_|ly`(2_4Td0K0i$6o~aB5H?lDyZ*9mUz%g|Q*HIwJym1e(vs-z| z$Ug1=M=Sfd3z7&0Dbdgby3>$gCq6pc{As z@q^ERq*WFClRDnc*A(uCL9zdA3q*j%Ne7D(S&idyTkXBwvsu(c53qG~vaM7m7Vb&L zGO(;isuvSxQJ5_O61ux{4Xr?4a7;K?;Tq%kE4x-G;4<5c2qt1m%sM+X$~aHvgM#Wl z&HLJ`c^yyof>Vrqxazh_p?O+G#Q;0A2e2p6EbN#k@&mDRus?ZA2o@L!RwsFs<@x|7 zM5`n}bnyI(k|--agQWOvNq|`~nJl#saQ3{2$x+J+9aa+K@m0rw~-Sn*gv0 z!iT+l%W6Hb+(blD7tY5kF}3r+;6&emCD@1XTr0?DEEukz#UNB>|J$n8)gT2dUzwTt zgP5wPy|ISAtXONd<^vKZGdzJ8r^S9JJI~Db-U3pGOOjf?M3*;*Sqv4xWN}1tx%GqCE?K=6n!%XUtv@>RiW;fs 
zTX7qb^gobvOnRO!hG8Qt>yCG3X(pJI#8%+IZsv=(t&f^Adrkvq(fZcZC;yXz|J*ac3nG1=hQ#F#_e{bU7-P?$T;rTPole4d0dc>B1Wm;8@r; zl*g8}=dM_?O7_saArbXgbFxzKq6r6aF5!JXC@WJy=>csJYgg#7J!Gv+^!nn^EUvF9 z=<4FE#GLKgzorvok5pOw5v|`=33h!im@uFLC?MD-jAp}hcp^R@0#6No6AK)uv1rGm zT1IqM9NhzvYB^2v1AJRO=ZlvhHF&da*{5Kr*+*rIU_Q7&YdVuEMgptc)CP$7qXs8NE#BO?t3%P&>xz zX%gr~gQS|K=NL{NZ9dQIKDn~`*iR-;c+-KTVt_ks0YInvRbL)YEByEpxW7h;Mty(& zL!}!pm&s=mYo!Bozn#YOol}4P;_Xy27;bc&Gfy+@(aQ5%6dZ5+w4uYwGw6L|#-v$(U*G{ZYJ;5m4ZCUW$tDH+J7;={!UV1ku4zoe2ck|c;t zYFr;DUOq5imS6VU0}^iKV#F->pk)p>bqp6u&U-&mv7179R0kg8Vv~zaNe)a;$rqjW z{>c`B3~$Ur4VPEGcV+>jUssncVqN|+pknjxOld?Iou_tP74fPt&RyZm&yk+D$|V?! zQ~eLR9!*H>HKV(9q-^m9E29Z-w^JJ74@jQd*DJI5cZ$uCp!01mJe{@|evnQ2Qzvp# z_fEJnC#Em`A$$LA zi|cJ#f(2Uu(K{S?uWehcwGIuv8>qF2fo}u7Gb%o{2tgMQ^eFk0;8?-X<$|gWwXg^ucByHqDkxZp0nGiz zD9(B`n7I6mv6M2=lt1Z{yUd79ea8>H2x@0}wQhmee$)iJ)=YGBJ&5@CsZ#P96BM@V zPIcRrs^gQOpyddm%3CcQZM8}gMfi9yFU}j8fRBEn< z-E1=N(VMmXP__aKWBLZtEow!o_w@h3#(wlwmjs+b`gZ=fvZ`G}<)H1D*MQaH<)qO| zHitI@e~Pp?DPcK&mRUFr7o$VM`(NVqOD)(d;KQRQJg<9ki*g+OZZZL@iB6GsMg2-0 zD=t-uQt2YBzNftO_Q%qDFmLD6V0JFjo*nO-#; z=@$1U13R!#Xx3dV{^1jjRCz7)0w$er}kbM4nG?^{{vah)_CRmkhNfKnTbPYW6zakMGKmv+GcgD z>CYR@I$R+KThE2>SC95Keo-p^&d?%uG?5b>ye3TY)z`I!i+Somixo=Bl`}n1<-R9v z6y4^YF?t_b7D%X{S>DIehFdezYh`t`$QaI>Yj2|<2qpc#Z~QAsbN6#%_2Nf4H>F0~mha?xMqCw&e;L2| zAL zI*=s7*Z)~s>I2m4q5Bv+G%H{!ru1Hm2x_WSOW<)VQA`(>ujS(6_}eY}CrSAU$yO;R z(09~n*G+SCr?H1@rw>CW!-l}mY7Qyqyu(g@BhLjD3hNrsKv>tzVsy5OV+)Q~MZ`;c zna+4{Cc9gz*09w5q8#_&95SlQq7j@Fn??k`2NScKp~tAkJ||rSwHnbtX%bmNH-G8o zs;Q1XG26Uq_O>l#Kq+i;keiy8r&uD1^rK~0jx3OnV2xdZJPdOF6xd)gKg`WAqkNts zft#?4h8_B0$ITFxd17?{71(QT#qB{)91odY%64vQ<^ofyM@0$P&#iwe89YXA-33za zLSz2OE2`jw_n0qaTAsl|u$jbGN(5=u_!}Y9PN8v9!OotS-TjYGS@BXMx@8#H;RJ0h7cmfI@bu$ihN zc7{v&%ApL0(BZh4PpsUyk+gd%Q$M(=Z4zs#Ve4OXJrE0!kOcqC!e8SgmX(Wcabup~ z?|}}K5lf(8Xo5`bdqTLqLM_W3Y;t?-^tqYNR}SBULyp|Y7syiBF?|sVYdFqQK_69~ zLI&vhiKou&g>5Jm8e@~(Unpc~&8&$8wx{jWJ=fZNcyUOV=7PqTidispxc}_>H?9L` 
zQd&=f2AEsla%8Zt<7EbG$XMXE2J5sC-4(<1F=T%3(yqG0$L&3sma@)_d&F9k{BLtIsD0?w#0CO0d?rN}79SZ-L?>334#}0| zTvxK=gz*iC^GSSA<1&q>o_=yhjLnk+Y-v7e;`BY*7tlSE*>#ti_huesFqenKe13%3 zSQluY8cCmF_o z1cMQr;WtdQ_65ff!u>@*=raICeHk^AJprZ|0=9)z?OFO^LliB64NoNQe&SIG$GP9Z zT1_H}JN}`N4?B?halaGa;^&vTEp~VZ96iUb8frj(2K`Q8NSvsL?K(;*;C2Ri z`aDkA;u$a{MAl1+_P65mP4Iw)=J)7~PsHX2NATftE&s8UAjk@O03r_8bL1VVV2yIz zLmm=AkwqSwxI52^yt0+2pFRIR61t!ex3ke6EWF1!;>P%KHf$uQMsMy7DymonB1W%p zYz>yE()Zj=vTc0Is$h3{oPuxz=g^>{z#|#^P_jjQ9=kEoknY&{K|s;J8z3yQ`7SA} z4)MuSTEZm$i`<`J2nZVMCjqjD&i`Jp??#D;&r!`<%BHcL5fT9h@dIv{UEb0C%axF^ zJOxN2ob+TQ@&zgZfcYI4FJyj_3;^@o!GlUjTpNrYAg@lU>yY_LJfIYSvc;PDKOhK5 zoj@ zHs~nm`WkpX|+SGTXM zj^2aD@|j>E-6BHD2wnS-f`0!`8^(_fC}2rH>EpjwUV-{CaNr{8Yt2Y~n{$I819KlG z{*K1@kq;FupdTi}gEYY8En--ikU0@j%U>^Efl~Q=2|xTNCgUs6F&YM9i(nERspbC` z?f<&gG?-MX91Q@@H2$Wlsr$Gqk{E=7ia`v5RAb`6eY^t_1?(&VqNN;wrPKL3W%|uM zt-~A$HQTxRnu5}9w&U~NrmQ2qs`)^_X`ps|rWOE6`2j$!iH*aW))YXgYy&mgp5uUT z1Phw9U^M*!tv3i*qRJ6C49dliPea4eKXlqUarfl9PJY?3cO9 z5P%u+-1~u@copEjH8H4LVY@;oXw^@94y4bw5}g`LfHI(73NHOSezyU9Tb}H@k>fZC zl+W8ZHJ({+`F2^(dCdn@ULiK?+La}aqGvs)9V|2hwkyVGnj+-BFik${q*b$=45e|j zZVe;yI+Xcv#{{5VM^jQTg5NSCE>=BeDg!i~TapfosXcz*P|9BCbVNWlRBD+)ezftN>G zUJXlEv*t7~;L#UaF&N~{%)SSgQ`4nqyxU!9?Bc?Idb{8(9>Vk;eRT!E0uQMspjhV^ z;H*}*7~Zs8C<@J*C)$_FEzzoz<|mx44`=Cx5z^VGM+mxBvwK1j5yx518V=d-D)SX5TYI%6NF-03kf6s=i5~l#|7LN2-gR_|C$;KSQXg*gy@%D z%&GPge#h?D#2V;DkeyWe;A_#72{WRba;$Hx{Q#Y4d{d@cE&o_)O#!0CM-}2ij%hO* zshlWS@WCcsCSt4pu)hp=9;5cm_I^UkhB6e`^HH_R zNGphn>=k`#JNMUO6d?o0`j;XwweiOldu$ug3He2@5rX2E@Zm8auQcwWvAw;raSJ@B zuowQ@VF|DTuJ0ve{OtpP;7h6-GYUM*xT)eH$65zUCMN;Da;dUrB}Pxb8h))^30U3J zuooWL>S4Wx4Zf3_dJY!J@?zdf@uC&_vhogjO!ONc>h?Qm5^dASSAlAGQ-Dx-xA``2 zl{x2KrPRVJbbUrcw>|-bW(_qm0SjNCw5TUy1So6rQww`Zu6Rz9P<+-+uBE@2Q1>({ zal1z5WUa~W>75XFiHGaJGYdmXMY=(UeL_N)O5_4P@nT+uiDRkn&>8|aLnsa7V5hl} z{fL3s`%&UU$H3DUCr7~JDqhOBE_ee}r5S8_B7V=<5b)UPplhf!(d3j}(RSgRCv(^g z{tHENL&~EYyXC`5jx|$WK>$e@?ji7N(IVDhwJ|Rev2CH+XM`$EJRT&WB#)5 
z9AI$2Oy~<-=CW!*M|?Nz&jHq`S}9j-r`qgW`VL@b%Z_9~F=5JtCaH;cvaWC0UenNa z)A^3rc!~P`_U!bc;{qmDpt{BQ8qHp_X2jCw$Vg0ut55F&d(!cXdBxm%dD=hwB@1Cc_${O^4cbIt^y?dwfGuGLGr3Ev zI>O`9suWa|MH@!z`c{uqCvN-+T0`tF(%<`*mxQGjR3x}8$zg>?QdKxrt<~9+RXJh$ zz72=fSLf4f{mO^{ld%mVi$X@vswb-KEMM)m*3j55=N{aPu;udGe=a zv<64do5!kZ4Knc#b-^G8<^l14JqmI5a|jHrVeTL&mRsXlP9dnM>IWg6=t%N6$2%hw z64SS_dx0vWq8K2iqG`-9`>rxCdtKAf4yDuAA z4#4pl#jv0uT)2Qs;Z+hpVZGy1c*`S+iX&kR@7)@BND(6@e3v)VIekrysMIaW^U6fsL|iwi+|B<4pv* z$45ybSSD>VKe_o2;&9}iMa7J2>h(2T$hX>Vv@6`?Mk^4>q8_fpx>AWCqpxe!5+~~O zN9Ip1QQ)TB5=Vn9AlrAp6lUsBT0liidcNI@3ZmTo_n>~9k|h7`Ax2X0H+*;w%E6*y ziS69}jN8CNCAErq+p=UuIUy*!v)%LV7d@Di`YM*{blX+HO2Lh}{Q{#k z8Feo%F-O)~qEyqjza_`Ff*59Z(TT)W7GaVYh-~Wl|3;y^IYwk^UMd!$HP}{Z0B5b1 zrFEw}m%e+lJ9`b{ zzVZ+gs!>C6$0VPE*!-=^X~*zbX`2UeV07#lJq;(rQ5tOxHX2xkL*-g-z<0J>pYga$ zHtJF9jt^8hnqJA_qc62q0G8e(9rKK!1#}G@q7wk9v)f2taI%M!$#9b?2tH*6PN9SU zPN8@lVwf8lY}7}Ko8sUZH{FoRm#%kH^?3&MK?*kR?g=l@8X`w4?6kbHfqYkAMQ}v8=#UBZ`ByGAIcBIGtRHxmF?L$Ha!uDU>=V_-g)a~$)z+jd z810N+?`GkB8og~KfRW|+TK&pESMU18`g2fYFj$f{tP!Z*A8YXQs+s~acTT)fb>V=? 
z$o(}LU@;@n8n`~c{?4#zusoP|Ea{R&FHc%$ ztJm!ZDrN}p^T9tC0Z$2aco>h?p}@=U?ueJ`0M*U2U!sAWSM3QF%tGDQtcV+Eo-kvr zo&*$w*J>E~@3*&oObOHrxDAsg$o$U=4gL*gsO|DiZc>s<4mrLGISKRDGhPCh*29?* zx9WX|ZSyn>W&}n>@tOv8_W^x-eqSW>JKkD9&Jo~eXZ@UoLTzp z`$v;Om_bUyix|T}jWD_Jj@5C6PWT9@FASbYB(}w)Ru@QqB>nbS>Ny3hqVY<0IMLSw zJ&o6U&)Dy5C3d#_S{ib4+yCCba1O+D6VQ%-jA^{TJmYdAG2&}Mmv5V$Hx=C-JDJ}=MG;D(>km%g(!*+*FI<{5($R8= zVRYz0zmXTCH25no)XG}jEN`>#yRB6La84ZC&KDZ%sj8|LtU(r8M=xZ5=sTQ^${2yg zXTPlq)ZT@9nyAIQSDkFGcgS3#snUr}yB&4PALZ!!5_IJpU)l6cuAjmdbi`l7y5kjqLk6!q~D`@;lIPQ!7eQ@L}KpHak@U;BwHrpFuTpX4|H98T`uPa2`q zy%UKgz^e?fEzHyU`$3&_A=0bzW(||k+{6o+fwdT-7eE$bZ`^U)X{a#QhFjK*4FB3b zs@xpB8p$eC`6c=4!8_(5nDx151S*^BKs`&pU6i&{U#Wu^0vVc~vM*DW=ahPtIT&u{ zZ`FUE1=%|SQ#lx$x9%uKb(=PR@Mk*v3y4!4_-rl3zh9Rs=R2}LE_DF z0MV}#fi5X$+A;5QF~Ag622P@u!CQAH!X^nIBOmk-0Y^_#;0@(#9s(5+V#CSe-D9K0i zeb`nw|CuKKm8&7|odB+nY~8uv2~4#>l`-EU1yEv;q!%OVg8mW!3l zN5|T}oSi~)Zwo$c_N%DP6!Dop&K!->O)WVBV^5%g*Mi<;i5ez-r~& z&JA@tl720B4kJ-L*+8qKk2&MJ?yC6Kt<1aE`!9VPle2lTq1Q*_$1R8TUcTS9|x~*GG*}_lFV{_@()|0 zy1MihXJ9V`ofKO6|0aF(}c!!AcK)4gn3R$pbJlas# zv*ajo`h*lYR{TbWzIW0|XwOmH5-w6oA86K{g1#hL+LoDGiB9VGc6iSE zC8I68xCK6kDs(1-1%^H~cyowm^*#M)?-uWbM#v&)*zaEeJ-rOg={j#R>-k$GVQ^uh zNrGht-H@Fzw>#T5La964DNQ7&j2aMK7Gh2Ch>nN-K^&^NKCDIr>9H!MJygKt|BHTR@SC4RUyR9jXq`fde_3`!vz;v z5fBDBY?hx3c47{;I8}YlM99uOaG{?Br{!ZI!Z>uUxL!Zdn9j+_J*BcR;64~PFDP)X z5krTh%dF;*$wZc)6EtO!c{z2uYa^OTiN6MU#FTEhF3VEx*aKTdWc3r!qH%o%(xOba ziN>+Y#BLro&j;krP2?U!7L<~mud2_!+4Y&z;BO&a&(P5?mPM)%2$|%V;;joBv%e$}))mP1*m`l;uYUt^#xGzNPUV zH<#qUzQorpCb_D0a5}~{e1}{$p~8T3ZVPkER-RuUl})_JV9RpF0TC++wq;%ArI*U9 zizCVo;u*6n+3kO%{ntm9*yv2xCR zreG=_bcMc0VKpGLIIPH+sIAXY$8VB-sv`WO#$5Op`@3JhD#-GDAl4&24fv&&KGd*H z;+YN9H@hpW$+Q;CLO+yVoMWMb`$QW73QnF_SUnY>aPN2O|5Ef%KLeBoufXaP%-ayQ z@3;+RnCIF^+OO zqg<`#mSXiL^!FYfYNK>Qyu&6xmw{715-aIY)ple~@u6|&B_p`zpE@N)tl4ugD(j@S zEDu<3Zu`Ht3cQS*J8O_T$5!g(#(aTN^QX5z`-gDN3%ORiRmD$`y^%lPvB{5)-+1ju z-hZ5n_e!z~e4{s|Q9F+&<69`F2^qTGCLiz%-szb?VHd|DAX5BHVDp8SnXhDl*#P}S`ES|)9X&y2>3dH#eGV&8fqJ& zEqWN!|4j=VZ 
zgovxk3L{DhN@fwEF(CJOl8|%hV_~q`x`@VSYRC6Y_m*huN`q0=r98r8^U8jo=}SzcIDuD@PtG;uOBFj)<%s8|1a` zN)qv3tY29G7}XPf$gtHJrvqY;%JQJpkne1`LswGkhn^V4jaPr9#;W>U`MiP3h1;|l zxy@|M$?c51{Ne`*P*n{2OgS}2v{w3~6_8N#0M8`GgLo1YZ|C|}{Bx%I!L#Svw$P=a^glBi_yT~fMLsU<2-uqAA2BKck3-s5jUHdV= zCji441e&2zmBT0Ir>4-sxkX4AcF(5rD7-S%IVGl`IO7M#ar!o}=52%=Ij2n(FW76St3(zK zz&aGr*FO0718h@t>@O>Dh9FwjA|7u_>my)zo&n!W;^r4fbb>;`=|ms;alc%9-`iy9 ze>H_KYuaPc1M=9|cwVz9fiC6NXyO7gnitfln-Fz`%O56g58JQQx970w$2N6Td#)J8 z4RP)}H=2N?N-6BN(3M~)GScf67lrmHdENqaI(YkDfD|VKS_VBK9yf6RgPfhGY4xsv zan=?x0>Zm054SpN`J>mKxoJ+5602qe|Gb{8m_MIF^Grm5SWdTc&rS!)h`_i=dBXR|5LDUK~(Pr~zGeTW*0Bk7agF$`7e%c)i_vrKbaQmA4 zRBEV9v3{CnP$&%&FRyycN#LjZR*ORJxoqeCo3Ftygx&jy56H%#%wKik8+?IeD*m1e zl^|qR;rvxfs+v|-JI-d0o=A@fmi+AQ^uXc zgQxF``Km$X#&-GG73+YN7*mZ)$RaOS$dFe$(XEV7!KQ^FjXPBa2DjTU!^(LMn!ia@ zp(qyvJD#4kqsq(NrH{sJ{BMog6qg-i{^Z{wf zV0kh6-x&cq%1d@ry(L-9+^pR@l^Bn#N0klPyjR2t@#soe%{0*Y-8v zD;gj@EO?1f{ufeH%W2BcTp{F&zgmi~{pYBMkl)6;umd-jel~usLKR=j^A9`s4SB)4 zxACvnfvJ%upr`CHB>QDTVo7gv8GZfO3+Pgbwo=Hw3oFB~LfRvA1xwAbSkQ655Y0v5#xU<3>j&l-nW-`-E)0F4sSx*aS%fxy;1z_ z6FGJ@@}kV4602NQyu>c&zEZa-5yQT>4jrQ{SIXwB;lrp<7#c%qsOehuqS&0Au2E4Y z>01S;LRE?1y2Ax7DeHvY{t;Fmg#ZL2wQ3|=I}^y3Ovj*FI6{bD3o?&kr9S<0OO_No ze9|oZ`I;H*x_BWn+%?cj`}X(OQrPz*&aIyoQa&zee&*RoD2d==1n>9GhT5a|`2EbK z&sj-T5*vmaj*+GgsTS|Z!A_rnJdq77SgW)VI|C4oXr)OA)s9K8YI!}nH-8=RN#kMQ74s+oDqlA$eH0|} z-OtW^x05AF`!eWF!U0v8~&Q-J% zrgC^5>ZzW?S~^;mqhGQACrnX25tzD@u{^va=akV<-QWQhiUCjkzl~mXL!l5((_G)) z_ zL{xmQRTLz3|D`JEZaoJ2p_a#W?uC@c0S4SBCl~lu!XWW}m{vAldx!*!@iN#}B3znp zt^?)+M*?F&eF>?s!Sm}o*zs|z?>$0BIgPmxY2(e7lo??BYhGTzKRh#+dPvw>OpuC- zPS?cf>vJ=pf^yJfAPJ7Q`mX$Q@EdZwk+6=jZ0^H5ZkFxg!6GszWJs@^quQ!riO4VZ zF{ovi0`9bn_}Z+j)wa(}iE%N^3%!>7?R8PyIAy=8q5QYkprUy2{z;s`oIgz5;Qh1a znQirTYpX=@PMJ%|=uVMA-fZi?HHX@n99?(My-Q-a2HsiE5A3A$q63x9RQVsO)ih_K z&l9XXzIzYJHaW+QB|!(zp&DTmqP_)<8hT$=#kW^a)+Tp_fXz2{FK`=&9+xqD^)>pJ zQ_bDEF`qBWk{pfr!|AEt;OG^1Iq`jY_2jGr>#}neIk4 zF033EoETpa@}K`QG*or-3;im$z=@aO40>#uKQrO?&ey~2az@9t!2>ztn2nf&AE;N1 
zr7k5?{0Tc_Y8F29hezNYl+OHFdGkwpf)`=O&!~By2Qbi=fb@o{)jX|jj^iuy#sXBI zC+zY=iA)HUC14kLA=2!Zt7$g!mMMM;mRn3|LO@<_LrnwLl+hs?bbBaY{Y@%x92y;u z;#Qlq1wR=atiG#}pfN_JAX>F;?rjp%+jRej8s3ZVq6B5_KaNY^nrcE{I?o5&B=dSf zD(NtjDv6qWmHfM?vFvDib2KHiz;|2lf>E%E5_u8eTkn)7q9GS;QzVAG?VRtg|e`W!fD;{8<@|*jlR5tfMNXwI(+2f;<}eIm%4`+{Ga8Apuz#lA{Hio@Z&e zw0CH< zblpRCU>653CV8Rmh)mBpbwA5Tl==3#@5*`K3~57rMaCsljwC`rIHhnTuUDg(|6!S9SrLVXA%?TZluy{BV$y+2kQ{y+&)PFa8cP5f;=)ruRYRy%L9%u8uFuPALLkdsn zY4jVtx`9G{vu(@kbTuwJgtmz#vJMm(4TXiad^aq z1PC=_?P^@-+0E5k@onR%)xGPW2sy9xgf~fRBrjZV@AJM>{bYFE=mOqLJvK=a2HkBFLa+3&jd-xqD`4nMVgDJx zUxt`WM0Y0)Q%;SN)%u^{ouqq#DpG+4ZvPFAIZULl~(d zuIA4yWY8|oT`bBtl7vbgg9`&O$8=a3DLueczbs?OAOaCaYWj{_)ercB;jOLLzz==@z;H< zue~Ag0!LSl;VbZtUV-Y~a%l9FNeKS0bNX>N?s1HHxr;NBj>SYr_W)MrGiyb&%+IdZ zMygBRApf{8Erb5>m*eb(t;@z}3>hcy>H>X;O98NFcpm%3Hy~>1=%!W*)YN(`c|%L; z7WDR5BLxyA5B(m-H{zvH60aJ~%Ew9l{xQDazVnb_W)E!tj=qZ-n``DjK!-BNfr{e< zhJ${|Zk88rVe_SZ2V&G2Y$Gk`u){4{~)vCQ>>M^FEjY60)> zxE${E?cyVtDp{Ja9mIoZac!I_q+kOZx6L^aOa5Sag3f{Mvxun|e4$rFqdb!-?Y>*h zwDY2-2P)kKS`GHDo0Aa9Dv~4noi9|>VkArpQUkAc&^UzX#TUQ_vA4Txig>5yUWt*d ze{;?gj-PQ*)#eJn-hIl)6M~5bX}yaEPjR>FoMYI$X?o6+O3{ybR{GhwPQ4H7AOTN-3;3grPH>NWk>$+ ec9tL4Hg1jBbS=YAy&d_70_Qb!&K9cK-1!f6Y4qp- literal 0 HcmV?d00001 
diff --git a/apps/docs/public/static/skills/manage-skills.png b/apps/docs/public/static/skills/manage-skills.png new file mode 100644 index 0000000000000000000000000000000000000000..67f7ccd2045518f056969038041507c94594c6eb GIT binary patch literal 57505 zcmeFZcR-WRwkR4z@TW8p14t32Dph(13snqA38AA@X`u$B+vrWe&_YpKAR$CRKnO*o zgkFTuL+`zd)Ejp>`|Nx7K5xH&-o59(y^?&hW@gQ-HIu1p&3xy>=Tm^IkJU8Q0AyqU z02%26IG-UK)_nBH@~NJVn&uPLKS#6zNO18U0N?`k^3YR%c+1GxRj4S-c zeZ1VfNHkA>;~oZjk4U%;3BP0ipKz=Hgj>6L{HBj4(I~h$!+!Jn4ZkI(wuOTAN$ww{ z9~;0Epa)O~Jp5gLlAi>w*#LmdJ^(=e{%>JcsQ^G_2mru5`nNFdj{pGOI{=`f=Wk(u zs}r~99?$=j-9^&#f}I@zu!95uXp8{>hF$>Ris_%?NRNLa+bvQQ8%Zu#(#Ia)46p^< z0%!uD0Be9S2@?a{1Be2o&c^_c0OS`g{Qi>QBI!%<2L;8&ixgKbU84Mh`U*8Q)fFl# z8ro}DX=v$bsi>|pUZrQa4g>6n-quQOk}4!r(56EbpAnu`>dDJU*qr=g;`{{I@z zzX9m~xM2SWfSimIaDkqToSy8w3BXRO?hE8(B=~D-0hE`1%Sd+NGAY{VDuC=F*#&Y+ zatd;iv==X40+4(cDJbbLUAxV2UG#x&{2zMHImO&xmjD?(xgHuMewx0_#LO*j<Un1=MpAUee=YYkw({NAi&RW)M!KYGZum0K=|I4)h{UWa*J_0;m0mw??@S`2( zp&9%;W0m6Z@eingoBqiS^bDv%H<1SHjl`>|9OHsn&oB$~BQ+;D*LvaO*IIAwd7>-B zY83?tc}VCb0iHK@0v33_NPdymMWl)#m*m%<8hl^$)juKq?;bo40PJrb-dlNwaX$y#s*?JCQe@$N>h@#fmd-rdh~!BGap9?2@;=Mu%Sj5U3rlk$LfD#|z~fz-`gr`eW%uX6$*I=q>TGCCR|~3e{v1Gc zU#|XQ)|DgJ%M5sjUAZ>7ETjC*UkFT=Cu`T2zL&0NhbXilw=5=>OvkqYOC*}O70R-2k1zjMJ z>1V2($aXK4<%~~=!lRxOjio?_VoA99gN&~JLYgPhu%tUq&D=XJgJ=f4y=XUBhrPQd zYiewOIe>sVO0;kwN=B(y@cV2kGFRFdOxmd}R%X9^xw$7~8JTqsNU^_IzcP$H2TXo` zdJdRo88D`P@Y$kejs=_d zAs6+zr((Qol~4@o_p&q?F+jNWOl1k6y=Z9c(UO_uVKUSS>kpmR)~(mF5Ba&$2UIMD zaVXwnmx=>yvt-*&J=qCerK7shm(p+DgjF0|{!0WQnEQY)-Do;LX~wm2^OF0x<{(_g zv|xKUU#ix$rr5c+JjPy{Ps|xLSP~RD4|?_KFlXyh(zM0fR!7{?Pwf$W9Bh8D$t{kq9%<-tAUD*(Q41>hbPB8%S(-&5S@5utRtToOoa%6 zqQYTyLNaaH#csHVTRD$x<_A(vB_*YJ#0`52K2Q7MWH0qIfSjNG_0ENl_}&EVc6kOVY2`kk z-wJ$HlJV7SYFTD-kn=hqw6&rQBwsy>W)#;Um0Yt8;)n%8UD_2SGCb6FRZcF~V)c zt{h`0wIW-RQ)jR<5==3EMRLuP4dWqT7FC*^-yRttZ_-_-R)K64=O5%bBN$qA6~ut| zK{c_z7vBFDz|H99EmN&++`G>8-sm>RF>?*D5x4fv_2JfhxD0ojWed{K( zIV{Wga*Q?OO>IKe3wO>oZ5IpS83Zv9!Q3t*&1fcgU4o+{D~wRa4HFaCz2CTy5TI*3WqX 
z^)mYtX$M356hKAyy2fi@oNUl}fCbv9+vBJTO|P{oXFNvV%*sCew8F~4I?mc=gD7;} zdidq24Dki_AxTL!apAbGuCQwQGesGGGlE77zwU1O)W+96zE{OgE<>GP3a#s->Ug;8 zTDoBlKa=)yrT5wpLoy%QS{mEA_Z>W)N4Li-u7m1!TxQU-l{%khKVJH%#Cax=KdY40 zw5&jzh0XOcysJytc9TzSp99646@+IfW#%GY2QwW7Yq$kjFuOCT=9m8HOzj6d*{aD& zLeK~1{lz_C1A{S_ft}V1KYG)hwHe*}U>hHr@M_UMwh47S8^ofbeakuD#6EPz{A>JX zc=1hlE%A^67N4-<{@cB5e0&Rj?^nf@#dbWqTp+F++R2tru&m# z5c=H>VxM>=nf&Y-9!>%q_({@BYtkzyME1`pN9`XjH%Dh;(J{#kG%acaXo*5DL^~pI zPDSAArH@}jwr{9Mj8jbaP+2vBqRWtLjid9tpNCXAx!74yk__IbrzZh%_9q7J0^;A9 zUYrO92w_EQL6FU$Ab${3Jdo^U}`O8ZY&h`Wq6IEERmL=(#Lb z;|Mm%9pLlw)&Wp_!7_8Pipmz~;J%`Cp+tV#to`?eiorBQ2;r-3TBD>5el(N`vUw#O z;XLGwiUrTFWGX&IZz;2~m_n8mc++Mt(M}Kkc%Blk-=-?2&M(Olo<4?*%;x0J-X9CT z7C(b*s=W5H-%u{CQh&JhX-w-uU!)WS+nIT#q-C%itOy1^Zlc57x z?D0~kSa9mhjE{U(#R#x_c`8$t@*fTdrvdYMI$$jWoD23;>^i0j7gXg)UXcJC-I7HQz&Bng)#t4QYxsWplh^kM8&xb zhk)17=y1zE`-j!>-!72M!SPJlww#XUUNsZDHZ>*X2aP1FylSCk{a-sGS;Z5%0xGM{ zcsdx5!UFB=@?_DTr$zJ9+^$n%7gO&vfVakc=ApZ(QAYt2oj#4ic1c+?2*}DEp5>@| zRCt9{8KfcWUxELBZNL7N8evZjTC;3)U2>1@toIg~uG}MM1^_M%sCukLRG$J4sS6Fk zXI8PRBCT~(R+JXM-P!7n9g(lhuap1eZj_!xZBX8_{gW$SRL^<*I{b$JZ};Dc{#_9p z|85cg?iyeJJB<;HMTIBLi9QF^;LZWh&H+3b4!g6;o5JUSVQKgZGR)h)2vV!_X6o-^l>e3= z&AeYG`$%TV|8rh1eeC?2{Ra+(>2{0|qfh1nBQRWU*vmXt`NTX-y>#TA;}$tTGe;_}`OM zfH!QB3iRrN?`z}Re%@R_an(~u?H#bVJW9`rc`cpP*%hONz=BT_3j>@MtjoPqx|Y|R z9mbYJTb8_6uui6B=Ya7`84Y*(fxjAIQV?gb?PR`? z3k?lP8jSC@%R_t)61Mw(wBZWjM{({SK`$Czb5@ErtBCHhPiR+5S#0UXCkF-D?sIQW z1F5~mnc~}5WJLEx9wtah-UgtN{Q+3t_KhYS^@j4nuD2gXyOVOB%owdKY z7z78Ly!x|PwwXl)U;h_2QK{0d@?abi1*N=2vV~#L;!|Ghp{gP1vRpMRzX;)e6WNhb zW{eX&Rt>j-LaLqsPTtBd8OM4*T-m9x&tH!*Dp(Bq!zzidkt>zNWUS9*ZbW~FeCN+x z{?C6d)m*5*k9PHEWaW=%jd>9Aj$^t!0r8i6rQp|i``V@ zp&#V7^FGoF&+Q88Yel{)x412FhU~Cr+3@Z!7xMD>wNs^k4tR7#{Zb_29Iz9Q3SO62 z{uRqT<(cAj)@WrJ7!!u2;S8?TeMKfZl>QOGn03*y;hmkUu|-^FF=urtBWk@zJkcdS z(0lnD&>iNfzU`{5Y>+LjCC<(ZS_MXF+9Nix=KXN#mAqSk8i(Zt!!VN8@wIR+FX2)-%%}+Jmu(MyfrR9Qv_V-IX%Y9%ccmC6H7ea;y-1X8SnW@{;PRoW&-M1+ms! 
z1@w~`d_4Xu52K3RGFhZo)5va}bLK&PZr`(iG2kKGR-ZL;HgFg24=;$EH_*8V-csU3 z@$(C}XFfBJe{pOg{?@O!;-QiLZNblVk4rS-j7&SzYuYoUEzp(u_)F1HaN|<$Byz23 z`PU~S6dDeOz$_&JrU7c@?6QY2JMgGX;RCLrr8rf6o!BG0HJ1FrZ0&Y4HO;=C{`8NB zxQ5D9wp1s7p>T)5*ZXFu0Y?;y?~Uu!rEmZ7|NlMm54Xyh$w%OGfGsG|$yiSS_z`~<#is6fd*AP4Po6CI=+tpvcKF|laKe}ukX(scdy5|yWF^*mH z>v-M^{nY)5t^>bp*t~(|)!WS4N=}`;x|ODd!ee0XokvjBBw76~wjnPAZZ>G6)oyjL zj{Bv{x+#a^W?Mw$HRo20_@+Q0z0WvmJH>P){hgPCL0VT8TeP!o33#l~bGr;ELUU-D z^F=5hyDn8{meEyR9vjpet-3q*?9OMv&CksKNkrsv95&>+SbG zO#TL9k0LPR;^lSbhq7=RiH&t_rM1dw=sg3A5JY&7RS@5y3u@i|%ls3&U>b9tI3eSj zf<=!i{dJeRNqaOHlKpzo;^tPOzPpk`KZPnc*78)cY9jstQ=dg$unG~haobJW&~5OY zEE`6{zPWQlZ8Ap;L?@lVj|@FC&4yZ}1QQ=~TuIRxyPI^HY}KE%xu!0P^}-dmaiT;< zwq!n(Peio1L5!xn7WfP-o6RC7J8b9^8cl-Chu23V+S6MJmfx;m?{6_cwwbQ4#S&r+NeW%3ivzt7Pya^cf zccX^*YvmzJ_sS$~o1cpk(iXXZ(nRyh?9HLT%Iy{JpxchK>|4J+F1ARm7K+(Ej%$-; zms7*+8k}6cvR{9N?V-0Ofic8R6mIHrknvoeu^ikQvoMCPYu{5bPjoraI0w+l&=<*M zP!HZ4KHy0$!S;n<9RBW7WcB}+=ncz~{=NrJ{=6%Oah z9v@LTlOK0;u{?6hp7yTQ&BHBmg8HzLoS0?>QFrX+KIG-=r`xP=N0A|(-^S0BOWwdn zS)bN&hpaBe>QEdBxBD@~)G!XD>y~AkA`4XBKX?~oUoQURP6{e!1QbVg?wfV&`gF zgX*(}A>;)?@um93#5tpJf)l(h5^)ar`ITK!eXADhHOSbaZ32d>8rK}$&T%O1xbhNJ zRk)OiNWk2tcG~j6*cgqL^6GJ`^TTxJZ}0L93(~@8)F66B)7{9fu5DG^mn=IF z0o*m&EVsFUV`aN|`a0&&k5KBwJlMjLY5Ar68nhOjQX*hlnYpQ!KjHs+@hJVqK;n|7 zWJoxA)=jgX`)9sJhV(Jbw)bkE)b;- zWZbsdr*V-l+)h3|cvof~lSfT6A6tZgsY@yl-7tZ-<4--E@SCeA5KPT zv$e#FGOtKhI!a1eR!YZ%wmBXwz+fVllrybMfb+w zqZro{Px=~*^0I8D+cHts2Q)Pc!tF{_#5P>pMSo6od_e6t6s)JQuB?|?dO^eh<9dT7 z$F3yqbD|UwJhq+<)2@{sb7}A0o7}J<*LRzQ5T}DM9r}e96y+Zph#&+PeKAUBM8-kzg z*WVA_|7ZFnH%=FVOPyJM2JI@3keeMaHPW3VJvs-NBK9BQk)P|BgXc;)j>acZ%%U|( z5o5|@Tr+XGnD?}HISrM%Gko~!`F5IQ*ZHNck;jt_6Dmw}xrQ$E4nO3wYs>~@X%zKA z${f!LL?>CjqV~zfmPHZqV6m5BnKC8c!`*-qvxq_%`@}8+ZLGKOz(%95+p?lN<7TGT zoUw`jJGbSNTIaVgrM&7TNb0Ss1Y^$NzOFIU4PGvdnc-bo=M0aRhQ%TrT_^T&B8~xM z$dvYmw@u@%qkifpMIveHB8euE=p*J)qLWk##<%_5Z045%@l~Er`OaNzCPCQXR&Ei4 
z1)~01@r0t(@>z+`a;+xhse_+v{^ORx5_3M!ahznWwD;flYOS&yi};O&oov_XxvV!dd`ga$SIQUOm9R7*noD|OnTeffs`SW(a{Xp0b-tpGcgv(rP_cug>U)67AN^e2d%@A?L`tRd2APbgDNbQ2Oqnm9>sz zyYpHdFZKMYmY#G8Lvf;bo=e9&2l4)Br|d^9+Op4KQm-?qDbyoPb|58u7^p_11oAqC;3xF2VhDc-&eb$cP&G5Y@s|#st01-eR=-x%C zZj&oEuDuy=u;I?*N_1e(u#Q(`BPNvMMMov-fBhvG(*o2_}u^iio8aVaD|_=?jFx4O^SUe&+5x| zXcn!RPAzr5Ejh(S1aueldoG_C3UK6$O3CRk%BB~?6@ibv$gH+HVn#Aqew4@9I#xyV zh)pi&r5rF;?YvE0N*zmO{NK0OLXCVMO^O z&E9WzdkX^khIrnA+`1vp@0pr?e%UN+8nX-55!Lz}Z(IA27Y!DSQ-!*eeV8e<&;NW2&fdc)_g2egdg2ka2(4_u~f^s9+Gq?af@geiOYqWF7Ts zzXB3golxvbqx{^PrcXA}yB1B_D(=z$SmKPA@sl$o$M|aAy!f-&M7c6)Of;sW4G*umj;yw%wo9nGBMnyW?2v9kS7O&;0?)nU1 z_mlDyjUA(t98G%r6V|#@d+#GeBkMHxWIp~&edvEP5gFEJQ~WgXIRi{mNF(7f4yLm7 z%1SY0tC6HUdw&iXTsVEYy}Wu32))d*!PL^^A%K8d*z6IXHpI+*(H=P);kX{i0|opc z%(7tbwV-VlCv)#^oqcDf+ekdoV7mBo2bQh}aE$|1nOcv<{O4ueOj z`iRmGzA;ZlrV-kYRI}H%#YG)vd&V|Z5Z?oDji*;#?BBzUBha~PC*S~xD>>Hm@$==W zdaK6R*D1wdSFd>@LL|}|_S)Pw=~qz;Z+w7ehFs^bDxce*w|rC^^c*|;Kj3bp$NGa2 z8-)b9L=nK1C!M>dQ7J9>bAZso#IMw&us4UK(@=L=kZ1iQ-CD}*MA#ddWC6Pw-u(Dj zbw>%6N>r%?_~cR{*n2KER*$d)4YeL^xi#y zw0x&Uu}AF$7eK>S(m(@bnLp=-llMiC}j z-jn;(sIF{2|97H)SH!}PvEMlC}Ru{o%Dx>o@ZksaV&!tL^R%<#*VVJ>hSgg=ogPueB0rkcyR1G z%{f4m-(UU|A4V4DZh>L(r;ksajtEX3*-+jleyU&Q(XkKy`uB98X1~H2HLV|$^9TNM zCq6G+k2Lj1CO0@{agTz3JkIPs2e?mvlLoH5j8E9B{1uovdk$b9Wj#wUIPf_RJKX4< z+)F@~)sMe)qiOcbN{Li$=DQnlVQkxL9g}He8sEy%HFzobdRbr>CMBDrzX3FWEq+ zoo5TqXmyiwxUIjQR-PiZVD(0ub7dNzf$Fid!7dndaB@9uD@R&OHf$zH{DIB#vWt2` zyHB*~di(q8$L2Y3PV1otT?PHsy(Jbu!Vy!%a%h`V?SuFqCZ!pMKia|GqCH9d{W&(; zb(#DIY&O$~LtV_`cc1!Ep!s!g$FaFNV=I3jM|41PGf?qq?fzh4|6xqv_X1e{n`nml3U-X7&(bg65- z!PpXlK1kePx+1&pE5Z=SzjMq`m%AG^H?4b|+^!99-*%G$2l}o~bkGJ1GQ}&0r~QG2vbM zX*KaGOn^A2%nJxJA$ zsGJbwdLaLzyGncL^F{>ALHhA}N5^bc@U~?HOME@BgU#3JX@j~rh0*g^u(Jb)ysoZE z29p40nlMq;D8?2RNk#Dee5Zp?l#RfN5VmF1TsZc_O=gi99Ts$5rPE zeA-o^jWz9O(JR>r<^|i1R=%CS>Z&Y1{^~jc#+6IFS6mK*Nb1kLQ zU0tk-gyKk6Pfb&Mb_ti{^6f=+^}18#&!<~qhHZH=sx9LSv^U&$8lC(~Iwy<;&6L1~D-wrAtmA^5`eA_Edt` 
zeblO(pqk9hdmfd6$=iJObncEs%hZ8iUIdTlO9XtCSgPqCW$nXYu&;5wf%#91ObT?P z#$J+o2%8=fxs&!*SvLjWrWoB%&uOe%>>>Cfveu7eoFy|{#VAIix564bzsQWb%{$LK zt1B)|S=+-4j#(vpR2Dq=_`Se8IuG9|GBt_(N^sB^&v``*C;@2N2GS2k^eYCN4(U&SVoh3ui8h` zk$}}@PpO2`9xNAC`HXNcmr5f+$vby8xZLT4nrR?T%Be;P1FeHnEbE4A?C&l8f$5yMq1 zM=*IF7b9IJFDp@0ROLD8-XuV;8lbs<>1wH5Vz|B&>pemopU~ihm#%2r6-88Jcz7|y zV^3$%bzkl%ET$Tv+)Odl*FnkmG?=e_&7W;}tc^u2qW!15mtiG}A0@nU|2|XsIUrim z+zJEF3++#F#uN<7?p_yN>2OuuU4Wome+97u&&Z=vF^ZqcmEfT)o_zx%PU}6-DG z1~q(Mm~8vLfj_*Rpfk@tHL&%N@qg(T|HxALo2WytXbAJjqz0PS)Z^^l(nK_yH;-pn zL4CBk1kraeYl-eqzLAbMYMx^rtR)nc!IvTt+3WkV@hZROZQRQ(exf8XIzaH&edSwg zjxo2>`iv=cyJrPwij^c%KabjT!K3QB$NIeWV*%_>Vv{TB1~Q_8F*XU@20g* z@Txy<7A0I%L#HpG_=S%-*M~ayC(>HndY+u<%zjA{c(meTU$kO3>rx9!Yt_g|?}`T= z1a-I1LEG1fvy~|~m7BKojqJYWZrp@4Rl&3bF%JAyOEEF}&D}n4BpI;MpO%PG$q8ljbS>0=kc00Sx)pcIlh87EMx~X1e+h#{FEnSf6D( zbF~o<&Kx*~=mT+%niCPQ(XQxp+r*NljCH$~%XrTp&!O$wI^mg(-?oH!h6 zb1)NW&b-oH+dSUwaJYA(>6mf(nyigqZYx0@nn^bT!M*{~(M#eRH}utQoE+FG3f$#F z)m#kcJHiihyw8NSVUxqOaV+jEzk)bqlzD^o`dgRLYaUhwkHB0>DCeHNxUuy;5576g zUCXJR_GQ6F>w$6AAET}`g3cSi6h16pG0JGiHMJ%r7;ktGy?r zjgN>;HpeZPl3S{dfSJcho*fdetA#2$@P{M`HrOl31^MQT%m&| zYE`SFO(cCH;glsZ9Ea9OZXP4rPvc+fx7X%&Jm`YpP-`)u#NgIplF740uB*$mu_jkC zFN_x>6;ET)E`Da?CXE!7L>1H13FQui+ zPTN^?eIMGsM8?Z_r*J&%wt{H?s1%b?;BmUs zCYog5Drf6-HY(tqxXvk$2trrh=k#-$N}4+gCi91ElRsH{5*ozY72Py%e-4mIjU9uV zA+n_d`x^r*Rm_vKJ-;Sz!QM|NmHs#~St$E9CvMykgC^cp>`p?P|Fn&dDvL+Y_wGwK z-3;p;G0S|L6+V2b>u>b@b9v6^by3jHKxquvLp&?d#scQIH)dl|r=GEUqK9kVj3)A= zmxq+Sew~aODAb+>mgWk2CFux(KkcP8Q|u1 zS0@hEl;zTEJQ}0L9^ASp5vkSb;qnb&*WwB8z_D9ua7-i;wpZ?>D*qcn!TI$?xe9eBmdn$@C=yCE3woIZa^k9`YE+PZiCCp*sw=%j+*=Z#CwiuuT402qN z@}#vEEty#rEDk2>lrXl}XEyU}cjUm#>gh+uyk8LOO>Zqt#%A8h;NlK332!OU_gbF* z49vQENP&83+%!5WpxeN1nv@>{FUI3mhporM6V%q@%_eH~Z43-Xbg6KBXLL_8le?9Y zkTYuVez2`!X-N9JW!B=>LPAkYx9SL!&1B%|)%1YJN-ZLqCz4a;tX2CMLkO&*eZwI; z?!{Qy$xpCaHtG<4y{P`XY z0YRNPZTyR`Yxu`A=Km+5WH|E(HjVYV{+ceXz^obEfvU^M-$sk?rHZB7MMDP4hJ~FT88x(3<$bif5#+ 
zN&$Girc{~j1l+1_9{j?3Wjt16E@9s}K(|MkGdst|k9WgWMO8<<=iB89)a*^vAe%-I z4)=ZyCZ20kyMefN6Cz5_QV_G0K~E(wx=n2E>{jCM=`_G{`O0g-3f0=?)lmFgnGx05 z>jZ_POn(6A@NJ7ZxT!XX=#Ww~xWbsLF=jBU;p;Ck5*a>8@vyTkz>#1fCq@I_@N0#wRZhaq4EOSI5Rd$cH20~t4 z+%<5=8mye&$djme+59vU0dx9N6PuN^56G@7?XCsQq3anR(kS?8=%H6CX{qSe04I zNsRY!MATw?>~U=%jkzVBsM@0FfGl>W;yekx2LEdKSTaW=+lFm@ojw}c8i`SThz10M zWO6cQE?tvkyD@QfJLie@Uci@WjqL*u5S9mOxVB-329KdO>YZ#?E8}$nOx+_x`QxZ( z@(N1)$|9=0!Da7ztY@9yqZ2pE%`(_a*ZZ+y@iT+9U0WW=Ddacqbd?!e`$&`TXZbx{ zY`>hk)j`~%xh`N86;N6RLpEck_^fH9OqZxB)v=YYr>4?@k0)7Wa%8YC<7Ep90OeR=HsBy7QebQV7?L1D5v>?%x}YUsf{me4wV z%sAvc$X_yO$_fUuB&^pb!1f+ykc`|>ErB}Cf_8{cS!EXqd;2Om4{pCML364&a`Gc5 z%+oRqKJNv$`~*tarJ+Nx@It>@sT}@}`24o{*9?vD4bahb<_qA0!%u~J?ej{1OD$MBLCCyLi1+_aAZw-Z16#mM}>^jIY8Z2ZK%cms6z%C{js{&TrtON~xQc2ppD&nT?BIJ-J&5l}K zq41QyES8}1nbVU`T1*lgv~e7$rL6B5$w3_;(`&GImim3(vpS5qvshgqxo`s5dQjfR zAeY~oK1OOvpaY`Mh1~8fk9>yEBRYew6rJw+eFgPh;7R1bhh>cRI&d4G+Rt1Bm7<1P$+e06LUED$)heg=V+5CM`uxK303EGO z$?lAYRKbX&SeJt(HAZ#PUJ?wHKG6kPb;wEN-|gB~u5(FDup zuGDld&mO`*a*)n^Pi>yWaCrwG%AW(cGyuOZd9#sLKlI7J?k9o{fjUq#XzWY{hiIm~xN%Im`94v+{};xy=E#>b?Hq7{V>bjJJWv!o{V+A4 zVrr;V^T7|XRS#h!LmmSUq(g#8lKwPi;FKunf@A5;MSAr+El#P;RU{YEFZ-;)$n4}3ei8Y%D zO7u0m-kduJs4Zoc3ZLPyas6ITcQVD_x!cIlrOsTNyV+J?lk@RId_?=6kI3jG$;^$> z0ZqGO!louodLzBHTUH8g*{oZZ?x~j)%pH-G;0s=1hZ%T>@tg0n!d@O8e=ro&b4(T; z+|-y;^^q16?%bQVe5Rn9`=waRbVZI?Q01;QkDo#4AMn-z&*YUl$_k&$uAqhD8Ei|u zIa2&%YB(;(f-s`*wY}mGp-Adamp?4)?_Ik7ZKT<;dMl_mG)pK{H!F3S>zRkhj{jQJ zFRTja{nYFay71sgEfXJotL>}Lznn%T3fvu9V|OXRWj~oSC)TIEp8e=Qd971Bufz79 z${jrDl1nIKk=L z_RK5E4M=0br9ZuM;fsuCL*x-cs|Qui`w^S>rPK4L(fX5S|23_O71FTs{var*4mp+YzT z>277AG&3%%gp2~wwBYKNp@UReJ*l>8lrxbam*2!jwzM2X4Q+@ByUSbMA3tmFQ7RCN zc#%0r1k#VKp${M2F?qqYh2QMfR1baObn-)9$L6JMSJ4%DnVzjd<_s=J|Puf8!=q{Up61b zrfz8}yUGK*R2=z0iQB@6)Uzwg-M7d4Tzfq%K31CR1&k*%mB*?Eb+k5V$2b-fflSDH z|2OHP+Sg9ZHQ$7OAI&+Ia{}7=L}mMv2DT$)*xaS~jX@J1zT!o$q`T}aRSE~@(L8O9 z{70fyG+M6GZ(3JQRXS*)(qwvf8D)L^HWsVG(f$3~+k6U7rY-pKm#v1fzIuB}>4hxK zR)(eaI2%3(AGgM-82;i5OFMkM=(LT(6Facks>! 
zn({-1dMh7;PsI{lCy}y7qs|o(TmRT~EUN@CDHqK%a|Cn(K4vo+PMjHhLLY zN|1I8mW9g~51%D7G-*oGnueR00%M}MSK|VF2)x$*;9%iywQTtg{P@O{eP2C22hev> zM^B+56C2{mnWSQPfQ_(nby_`HsoZ`i4MgWrtejLRNWKG2HEgW}x^vuvA9*-NnkH|NG0%q!E77KNX$ zE7M9)YDJ8G56x)ykRs+;R&uTlN*16NMf&Kkf3`pL#`4xflRg#StC)8&w$B_(FTpbm z;{=`RQ=um^&qYsoXDdGTR#6KY3lgrH}g6{%;5O>1fNni{p4KRfS-VRsEi_ z4BjX&m17Ir06(2j-3pG7Gx3(Dd25&N13D_2%&;%X7gt}@F)yDSe+_gEAAKv!;k!m} z1~2?xYg)|-^T^KL-#>!U36S?rUL9w}JDk$I9vtpccG9R@Lz^7XlDhFb9DjCY5Kg$` zG%WM}?-kNtHI)DPCOlaJf4_DcJDW~?2~vD~5S61(2&A@c`?#2sy*J2Pr^c%U(v?R@ zEAI+;pjpu8fX+F~27@ck>`x9Zv@qzJHdVz2^mdj=O08_v+XhP*{N%M>Z!EJr!+|M92L0j5Pk>V;9+@U^Sd*EP@Am8lWxA zci?2#vf6nLfMXo_tM12Mcu*+uE`!|CaNU&>&>nem(H zJ9WXkbzAf^rRwh5s>}Z1&tHkLf-P4=Yp>4PeF?z`!0`g}k@Et=&hU*vix+v&<*B;D zg;(lDhDk+ewr!;w49y9WCWXK5Mt_DaP%h-oxS+15#HFb?Zp_a+nZ$s`=XX>j5RKuk zxmz=m6x0=JlmbL;-r86{zBs!@-ky_JA#d9I{6wfe^o>OMh{3JD#&eRaX{r7QQ75@RlG91 z%`h)|!*Qe<2ET@XhR1W89`cv8Ms@7Vq%d}$EGU-eY81&exx}jTE)5C9(}NX`UgsVX z83=KXCF|yJ(%nwFHu<3Nj+ImU0+iCYxJ_YhqQ;qpTIWI)YpE~qaf;1!wvKjxN$OgV z;kue&Vt;Y5IwxP809?v@^8W4nrF(Ue4Rc8ta?aib~b?HxRf6Z*5c^`yYei zD#}8xw@Pdr%NSIH;q6*DtC0XHP$k%sd-#u5o*OZ=aJS9&nH_kU(P3tE>Xu|@z~ef$ zP7luYePtsIbqBNGFNI>OVnz&77LN0-+DuN)#tP_qLrgVN98dkC$ijZR z0^ppxlC6gtUeP3Sejaq7vaP?RBeB5PMO|#gM(drIkB><6U9{oHcsW%559;1Cs;RZ> z_r|Up%SM{?Emf%k2Bcf)2uKNmKtQQNASfkt*fy$wfPi$VfdqmCLJXm(lmtSN5(0!G zCG=iGXTRCceZS}2=Xvilp7Z65@x1FxR>nv&uC>;cd0k`9`TzYD+4yq=CI_Y#DtI(M zqa3$um!{?YDSR?y!_sk=b*PytK0NxY-}U$h`9iU+xZ96zIsoE8KANqTmex7*j7m%8 z>B%=!Ez=m>7RSa{+J~YtW~#fCe&PsF#lwvc{7(OV^#s|wwcwAE3wnLb=Qa0w%ne2? 
z2t?SImdyw3sg=ls6D=N&=9DsLQsK)@d7#_jZ_ElnbgtHi-+wolCN~$9CChgLwJr6;X$5cezyzZeN2e3)Y@V zsiv)}D2)a0=R6)y>+~>od*2Fay1Xk<$XAdmLWkOPprJrE_0Zr~4zB~af6KeuXO^gv zkaDjLKT!>yV;09I(wW`C-uasdRw4Dyd?jBYkeV=T)QQr;+&a^JlT^$m?*CEJd4p!< zK7`|t4f8mJV-RlwARk&?Yd$WM?OmmPwRfCG8clSDpXAOg=_LL#}mkwwjvCo8Q)Q#aOyIZ~GJd58eBnXAiO^`PEH_DQH*U zyX%i@vMJMFn32xAv%-7K6#44f1#feA))BXxSKNc7iO)(82BqZg`eH*lQFD6&+mj(u zMgr<-1#QzleZrDvsdjXa$~X2i#+jcVqO3A!x?(TpsiW7Oy+A4vqVj=U5|`I&x0!)@ z;Yq{wW=GjxPWAMCWzW*a=Z%OnXA0Am4QEZpA6_<*tS@64$2}-2}G8bN*gWKQFNMl{mqzP#S-FEg2W*h;EDdS{ z7t(qJ@IY~HQr=`#(oH$t6g+24KmWc9%)ruAn}zSwt!jZDn@B{g@ZOCW`ksTYi}rXSOZIULGHKPQDA; z4@Z`enqKXR1!tno?(n+H*tj4!zcuvTm>%vlW(+ff;@Kzc#go47?VOKu^Z$OB1^@9d z9V=gJkg@Ah|E>dDiawGU8faBUhUR zcLpM}5@;q}9PZjELv@B^=U7B22(w)G68XFe<;A(8)bH$?03$r>%P@OP4T5lB#S zF@*3^=&u^EbCpyo$$9D7#u&o69RbZ<5SopLngQWkPek-%k4qheqbeN%qF))B$oo_|MPT?}ES5B92RU|GTYWnAd|fAy5RB=v*f$Eu z%}$apjiEZ5E^D9u?UKF4Ln4Sz&?LdN#Da%bd#PNTD*sa@bd)H57-k@g{Q2oOu*Erz zQ2MQ6KSdQc>%4|my&%5@+}Pqd`%AT2k=KWQ^pR;~i?(UcD!XcH;Gt9_X~2|Q?w9-Y zT`9L##oH-lO7nC{QZF@`xfkugye9$5Bj2UVKj*^cWh`NoaR*)B%~jvrF(n z#L9PMsW4;n=M;D2b0JnG#@IZ5_9sxgy}3iRRb*V3#p8{9_)rL0I$SmJEk!1}BnZQ~jR1G}Oouf!XUjth3XrgqA_ z0)Pjc7fnChvuMU|-OQ(6j9xwi@jF ztuMyQRk%`XeHTw#@!kedE4#Dl_uuosaZ}kfMP3|CpZmNKICl3)#!Eh=Ug-v1Prg?e z=ZfozsHT9rOke?1Jkm#cim^93ojq}w#>~-$GZS=gnl|so5C0>5_Xi7$bW>EWwB@g+ z>&V5B8u9iAm#_c$a(^3|Y8Rcg+Q2H<)FQ{aoo4uW@Z;p0tWuR6Q6&tc&s9fwXI2+M zVZsZgb2Nwz#_y&^HqHlSMaW2vjfV5n&JpXO(cuq;95mhz!^ju;5^c4@gbKTFmpJY%mJo=k5bwsR)BQq|KI|v-Gi%!o* zQa`DyhZ^=$6;;X~U#Z~IR09BH~@@y-@q--MWM+qQsX(Iu^mlo051nV#GIL6vPdogMh8MtoVA#D?w_2vtAnxq z=1>`jci(j+ABY>y0L?+-^W6a=LA6`7FmjL8%SR7i6k5{#n91KyzX9^Ei}jzoU|+u7HTMr;KrrU2C(w4OL0SCpRdT zL-2~rrc(6|BBN;EbY@TGnOg6{rw|r9d!5 z4#rO?t{sdJE@-Sr$8_X+#8p+7>}g6VS(5=6H4U2dYy5fv(4~~hWTH|9T;`JifepMX$?UB){#o#i zTd&osq8Ta>5RZFH`kq`NsBqCi`sx_l{CLID69T*SBmmdCdj!T~9g*_1JbF>N*u^Nr-~7b?5;;7XQX>LLj-ku=(Ag+BCOf5FWtm~3LL+<0`m zOnT{HXz_RF;>=m$K#Fuxc~a2Ogr#p1+@UP*;me6rrJ9lmN(O7vvzl!`QG}H(jIQkj 
zj)$GZuB5^bavcYFV*Ia$h@|GkCqM_CF$~33Y>yA#Of#$O^M#VHH!JV>*9cvyaq*nDrYbA2lY^WKW zA)5X`E37IkNc+@+x}cH%hS6lxnIeoTvLvHxftF%TuZttA@nhtMX~e?*Ez`2GVR)af#6tMV21lvTcfSBer?%_Pwzx(C8?!ke^p^t@%x-Y|Xjg&t`@jSqK$`4AbxfYarL}wjaB3J|< zwysijC`HFh*R90~cas_#uX>P>v3W^ep*NwIWn-pb4^INb&dX+h3i{#%NAGzk=YJVgZD!~yS1nI@R5CZ6 zc`>9t&%rvRQp zL6~Y~04;}Y8EA#b(>6DKN8N+TtP_l%E-&G?uNL=j1Xz*&W4fEM@zqsXAcZ9`2e}Xy zyKES~Y8fP1^IJF!x^M zcpqRG?!XT02B|PHG4{yMc0sgzooOKkOE*;d-X_;#i?d*^4LNKOoH0dp^&u9WPA1rl z$4mCOGu%L}A~(P@CwQ76CC1@n0p{FE?O?KP z7%HW)HEN|xgzC?X-6t)|cSaCWh!Mv0nvqT7;;ejlMcQ z%X3Ocg}3A~s*|vaIP;dv@eQy}nKa~DWo7*|iHs4A9nU=x%HVA(Q^+t}eLc2N{%}Ff z#W`V&^Uw?5?KH;M+XaLs1?ZS^JQ4i_;mfTmrRm;qD~2n}-Cdh?)WOB2jyuE%w*u4U zn$;Py*>O+_2Vt5;Rl=;_&%&SpQ-C&;?hrRZ9f@2KD^miKmry}KBy)J%Ko#rJ;(Co* zaIvFdEzhJVZ1~9~>ScGEW^w3kI5)M8XsBOglUbpMZ?6Vt?V)FD?e&!3-Z(FkdShvj z)3!;6=GA1boJqmQKWwYM`5|+_3(}hyFg!tZGJIT&uUhX7i>k|(^__kPTE>!@uP7G zd2P`Ids zzgRNjL^!@C2)K9pGZ+Cb?J}S8BlIu=Nvepnr6zm@>fSq7>4u;$Dh5tb_-2miu3pYA z7`fMi6zM=7>wws%tr$6W&o`7Oj0Fdt^0mZXwlf>>&*AVL#wJ?-iq-QeN|-UNY8psf zc%M2maM@K^*8&lK)eYXKYNe!+#H5--Vy6b}SC)<$AqocGe)hu<2F~;IQdyQBm?`Vvm9}8$TQPr4+S41(0ocRa>e=b3STB9CcB>EtT)yC1tC1o4YEg=giAs zT53vWb^PoIu;|!Wf@C1)tcY^R8Snb(6$7iV+PQf6n8xMz13~vTd)hI}y%WCp95sRJ z)cZNpo4ZW`Th(U$998~Sm{!*S{K^=z$zLTMd3;eb^)HqUU7-{FwUfIFuKwX}Pqc?H zJeQVRC}TI~!g7w`D*kiHgDOrw8j0RraT9_WR;#Gk%~N5{+YS~hVLB2a zu$;Hz$pNJgT!t!e&(^e|=ZS>nf|Ij@3|n?&=~SLzQFu-ovx_Uaa5~9`5NbzpL!Uei z4Wr=#GZ1~SI zQ2s_JOi@fzckEJ*>dZLBW3{ZeVglX1bCcaJHw0EKiuR9E%W;`lk!lDyJ@W0lVPjJi zUt<5YkR=*DMJybIpO0R}NcwpM!l3Sqt(T^jKL!qc2EVoew6f{m+7GWeIe74y>G9*C zvQYj6Q!LeQeJqrrQZ-wt^U*Fv#*o%=5kZ%rgF>nH`<}x-x7(t z$BpF~-Pe2L_^HM+e3fBeMHW}G^IQ&t5J{X>s4XsUYrObFmuhuZu#NKK9<>#dt9VUWo+0;=gV*qdbkUCq zw&~~VN1JOuDpXMv^HEY>Bq=;lO2lc(Ucjz&z@AdpglsvE{)jj7{TcZ&P4M6Y-hp4T z$pzUc8Ob~7g7{mV(QC|?)EUC<;(^FKr8!w_;4z~()SkJR!RIIX8uvUKiGk&?M`*@A zU*9#MKcjN+V@r^!;wutqRw!FOzFi#f0QNRQs%$d@^?^o!+bsXcQUJ+~xMM$1gN`Zy zD5#X{b512+&VT&Tp&o=6&HyE=E@$mZK$(!>I6snZDasU}IT@J|UGFHD4^?`I`py>D 
z!M(Sb3=hpB(ZxxBD+g0wan&OVFMX^levEtbbOcg*w0pf)J+k1P2wBHVxXe*kL@ZOI zZZ+5aWcmx;Y9oN9lpyI?VClfzfw$^q45-LFP%ug&0NVL_xj^2yU*S{>7tl@4)nnz* z*t;<)zF{R*?9SQ;o@b+?l2wi@h)mre{p$`8xY)q|?0d)ly|RaTDt5arpOAEWWCM~7 z86;(W*hv5fG`lCvd6q-6;}%0BkE7)jmVH&yGK39>&BFUMxcwZ6FH|$*b&f3f7vH!z#}Jnk*2W~HiU6D3!Ui)1Nf-Zp71o2oW+pN6%7xYSUfNwJr)w5sFy zb^R`kB~l;^|e-o?e@g*dF*~;j|027kd5mX&av}aA{x)_ z2<4su#>eo}KU_Z53@S%`+)`8M3PEE!ojr1E>v6R8>z0CB`b)u zLKSkBL{)<$CH>YdMYu6cRArvy=vtK;HNZdw2UOhwtbWedsac|z6K%?>trHKK$g4lW z014>V281MjC7EKV5g&yOICST$3%5V3W-!_@U6ZTp+y?6U<>1Amp`r}J7&jhxQ5uwt zNiO`Yqp$~Zz-m!tHlVpHVFgx(**WU`8m5!{?eYH0U6<0`?FiSEq>0#5(u1mw*up(oN185C;1 zoBx?N`9b>ZalWFH?_VrOH4B|(JG5`n&=q-6l|Tg!(UhABWC9kYio|#OR9dNoJDbai zn~#2-FV$=wGm$8N|Bo$Fsn_(5z`+YpX}Y+}4TRU*n7H0box}F|&(FsTop?M92lGR@ zMCRwmvm}GkAaSW13(dAlsn_fEi4Ejm0|xAs^r`y*B_CshTtafXpWoW7wgZRud~{Rt z%?jvk*iP_I>o5Dy%E$Gs>GLhy_r+9~j9q4^cu~VGlO_0=G`l=TS6$&s5zW*w6R7|sr)vdNuyOKFf+TtQEe4b5X>LA zYRXxJY0sryT=h%kucsZXp6!XeC!G`KtJ}Opw&FFHu60dC4r1==%#ML5s^M-AS<9=K ztj1VW``P`Aqb=U1U*_;;8qv9?c5~I7Tos-F^F~`_Ts0pHX75XA9ya%f7RPWeH&}cJ zt)G6@%-qEM3T{F$L?RhIFipd_1Wu(^Z?f=HseT@`GRYY+RTE z8^`5D?}8luw&HY&SIv%;H9yN6CzTF!D&v>7wRI6+uM6-fPEInIPYH~6HU^rSI2AUl znY9=A8{aC`NvUu6c-*Zg3Gc;@!D-0Ny=749X4;}fl@;H$gob#6^+UskK7P;AO&ekIOH5;T99o06y@Hu7>)`%R8}jfMCMCJ$;S=wx?MA3Y-hr| zE)GgmIRz7CmztE8w~p?AM@iekolN_~#oHwK9;NYC4KMD(Wk@vWdR{>1xDD%1p4MgmRDDrqx{enu{RA)JWfxBNlJPcKx)_P zvpU-J;fA2}&et{_wsB%hCf{kWK4 zSWAlIOO2~tao{-Z@S5pCb|g9A+ukc@^SUNv9|g*R|3P$N`@$bOZ|0m!3|KDf+(SrG3kNck{k&oX0 z)Aa1~jccckMee{t65UN&COJbwIlWX zQ8q_iGr>p+2M0{iMHXp|m)|clUQLcC4chQXsd1NmTDYwwu_i2H#u=1CUb|_}axSVg zP$;)QRN~vl`GM5*OP?}+Qk{hAOJ^p+`pMranFBr(aVj#;%;JAcsaY< zQhQ=Fc_ZMRO88|cRMp|$o+t_ABpQNJ%g9nuHu?PUKQ8s}%l+?vXuWJ%0J$P&FZ|-u zXb*=c%rvRpA3WdVfZv}vz7W!w;RnrR(8A1whS8tImN1yB~=I#kp5=$!an;IogZTY#S@o< zuGqNpxV;mPY3KrFpnf%Q{Puyz<(1i{wEn_PXzFzn;9{WwZaJreG(Fq98lMqm#+X9cbPS2Sa4?4Zzp^e(2;DVD2-B#4NVaf2M`0b zEt+6fGNZ@RT^#Z7S(-Pw>|vsjx+bGwoL=O zCo=VB{dU2Xh?>E7{h?Zu{`?<3;r5NHTmg02?UM>?U7|6)Y-M#)DG`7(L|*8m93W>e 
zzWoJ$H-l9^8PC{^?aCY>4fyCsqoyh>7n)+A3%LSE%A-?oK125|qr6Ha(mCJD6I{A@umxM zuU7w97{BKvJ$thvv9Cs<7m}jB^jJTS)kO~>0imo8v$1>aT8>_wYt_4?UXf%+yq>k#$z5&wA>m=Sy^Kg~pUfx9;I{Q0L=8HSjrz#wtbLdTkK8NtAC&1w%SN2f zYm#RU7Z zec$}W!WAfB@IF7j)4CWjm7u!++{$B9q|a3nUpkB2hA&Wwjzv?-ZD}P_R`Kob%-^$vSH6VY|>Yptb|)n)cF_+n=koE{1ZEH`oEbJg-~L?ZKahdKoaX2vZyg zBM1x213`#%2XKJHk=pvM{fh{R7W>Q27-!OyzB z8&%#Ju6%I;yl*$-8Ly{O+K4&16%TayUHHg4zVGPldf9sq{3@v<-XjpXx*ExIBJ@?~ z8w7x$Pm6;T11w!pwSCXNczN#^nan2yZ;2lV81F8Y5^nZRaXpaNI&&mYUsY5FlC748 z{#pegSN4|!8gK0>X6=2(mfXu|KCf4{5g?yrfwj5>9!7SwS`J&&jZ@I%`3lIc5GAB$+dMMqhHQbC$@?a z7PHXeqLyDH6I<3}ztBKteTax2zYq~u-MqfE-c%Uqo{6_#Md!&0I?^wSdN%YakrHQs zCNaBann=`Cj!9JOg>zfXoHfrC#TFP3QLwmmoTy{f8Ym8RFt^&a!lNyRHNuomS5Vb& z^wr;+a=TnT!e^;dTGRL$e|B9*w0zB6TdBvP}pX6V7g;L80+UE9ylS! zaIdporP3lYhG7v7lASC6+Pb0fFtJ6an+>YU3Hhv0!($kfo!7ynEDFvADTk#r7c75{ zP}^%hjOW5sfuc4b$FCgrmB3AMchl_RDD!z;-UYuq_U^^~g6sWRuZw?O-KDAIu=U<+ zrLik^vB||O%;I}^De&9>66pRLzqvAR+s+E#S}cia?Aew-VF~-^SWoR?vVTfe#)0yS zU_F1aT!@%)|Ib&!Tw_ihBp!=IaLAfSI68GNH3%i9j#dpJ&hR&xDr9fq5iq z5n-Y!F!|-kvRl&1EB3~LP>o~JYFRfSEcHNmwXp>fNQfagUd}Z&05#;jV~6HUS`+c= z{Igz^Q1#>J9a)K452yiFB)7f78tC~Guay!SE|5E(B`h4yV&W%Tl@iO7vAyc^PPre; zKFIyxv^<5P&dI5s;PEi^>y^|P?u@EAHUc73_-=oC>|Uocw-DlP{XM(*S}D=5wOl|) zxkO>l?4od)7gg&gZ5iO$Ib(m>0Bm}5frOmwgsH$c+=eoWF25I8Q(Ue#>EeoM3y87qUy(XjPZtLyK@yq^ zJXU_89mUB^+u>I%-Lsw^{H^t=6@(B4=|s9oG;02Q^nZRN|MLFdmKP5ateD0V1qf#P zK-6k41*O0#1*|T^Fr)@UoFi4_3}@SB(JMZ%)!4XSjrQ6vPT`U}9Xcn%mUcbI>vnYf zvlQwK1aOh7K%naG*LdWnQIgWOx>1eN;xJgz%DszhtE}4~7cRomzQc~4O!aBfp;+579)mDBcvM5*c zjHcydXexH`^{J6nA_i!a1^al@^Q&|qZT|V67hsLJ0U+OlFK(MJl_D3+%JITtVMif% zCzelaZ}^`_b$O6wsxrwCvdLI)CE-~g%A!{#6@HZP=W^mVp_8DvW&w z;s|q9!lYd}3YlV3l1Bw68njAV+cAvT`J2K%u4sxAHgu8vcg~N!Z#WDRBbmZms1(u; zRut`roLRT`hwRSh1ZdKIZ7#1+?b_|DKh(}>+j5ooVPwaJ+&hr&f2sz>n`R6=Mt7pY z3}bAsEi23>w2aqpjIR@gdmR|e|LtEM@_+ABKBn^fkB}dsgO9hnLJ{vcC79>*f zl~Y!;U-J3m8Kp7ytjmccfLW!bJbrJ+XEi^^` z#quzq<*HVby*t#}dsIg5?aC-IVAMr|sHS3`|w5>JyQTf&zy0xW&Pl$xZr!g(xd4Z2MDrQw6U}Ap7ode 
z?H+4#&lcJ|v_REB)HqLKB%W>66!?fB7;uwW9K9%(9mWI&6b5}L&fFkXI3IoL8t%+x z#UNLjN(Hs2E?iTzQ|UHNB==UCsoC(^+f2_G3{icyaPtk^TOy*=_q^$frGS%{8KLon z?$p3%mxhfr$0vit3*J3Zk2z|6Ir7PiL2!l!wXQ7^!~mE8X7TqK+nCPV7ht z?L9%tXX?q9fBmp*BKUq+Ziu8&g%OuTM%*Ic!f;U-90o%-CIs!IE|20VG0T@+skFv|Mwy^Hlp6PfkSQh zGJQ=L-l5MEK{O}!=J41VV}@xN$K)}s+#L%fpmw$GdpYf5(G$e5Z=1wRff9LBB~5XUo6TF5^&}OJ`n1bNY19A> z6b2FXD!-+XeeSDU8KQOOB_oS>C=?*ADdqvzB{=)C_k`!pm3hA8<)3SveT{#E%I!xb zSAs8>2N^cB@1KL_k)=MxRrlIguL@00^+2VKc}5Z4g(eN{4 zhL4)}-P3~M8SFC?NeSWYb(K-qHL1UPh&MYF2D2O6NeN`N(9G|76T zYlb_oq-Wppc-zA$9MyY+D92ox5B0P5U!7Hz`t$22(M}&6UV7}cT2`edZI5RMo)i9Y zAmF8s!AM2Gag00`Tr#QAei{b0Xj zoi_Y@*a2nWIc3Mv6$%`Z&UAB8a4+X7{b7$ogivgU_72_4Mws&N7-8+5@_2cjZS*+jYQSn|KpD@a+5WY9|?zYw{V->h1y;jODeo1huL`3Ij|uIEbku!8;vJ=d}Wi{$cH(VD$r3Xp!PY(@*8I{^}8u5kH zm&X9EPi+gAEuapmg8+`w1pmMsh9ovLyAgK4?%hkDML&>b*? zLH--3g)i-dDI>6{Ql9A#A-P!m^6M6RH2ghwqQ>nKp(k+p^#vnjtuBF@avZ;8T4OM)F#@p(Wseya2EdlEl zF(^>NN2LpB+zVd&mb^#+d)@ObVaJc_i+U9!2QrkMl67=I+e_5u`E$_ZZ(}W12#wN^ zdlkfyA1l2WS_|H! zk)OhT^&v;&Fh=sCz5Y709{bsw{%Jqg@EQHqBMR-J!@T9e<=wNo-gW2+ZEfHXdDKrt zfi=btf1yEOID9})LP9HYz9&7R=jk6TUzqg#E7r%*58qu%mTC6&$+dyhWu!2S8h+kR zHoFgu_~WazUwVGKN~PhhtBsm_tq!?NLW@L&A-a);zH3^)B z1aP;S@PU)8bvr3^Xl;lEk%;7KLt{(WqrP%@NwxE3DGYjh=DD1pcNWj-UK*_nFm>m( zj0n6wHkw1qdgeh1mj9x=M(AYD>Ig>Neglso&x_&9&YRXhoJ&0QG2(sNE4}>0u<*~1 zPH9Y?&+ZS_3>hMcV!dxA=;^LHFHd?P&TVYa7@;I{GTN>k

ijNx zM)y%&AU^cy;1op2ny9}G#>r_3t&Lcfu>d(oU4Sdrcz#e9MKPd#sSlf(G;S0A!kYq%pr_7>l;f-6ZI>rLoZPXf&O>zjA$0qGHAn63e+D{ zMV4v0VP!7NzV33^2^1Io`!`eQLYG?k?U6*&;yN2}Z+W|YfA308{2@&;P?p#!nEaif z9X?JTs^WI@dgga$rAy8vo*9u*^MBs|4j?Zqi<=r+cmE=EIU^K>tIf$thaz_UANcHN<$BV}alqK0ik!2PB(!6xJ zr~&$~ny#Rl*$9ab20Wu?RoVj(Tm~5@80{yk7O52 zS}}4&p)HF@v7=1D3xd&Omv^?ub12)gip+bR0Zvl&t8|}dbhjO^q^b*SpFVwwk=J+c z_Faj!tM)A$a8M4U_Yv-H87Y?8qt9BmikgpgL?Q0naS|Wk5!~UDv>BANEcAh6R;JJa z$$$L*)YxaljV-+&?wk3tzpcXr3Ny!)&gmvVG8xFglDUV2AN#EZlwXr)=s3l-`{>md zDs1*M_NdOri+KmHAg7&5w`-L=&juZ9?&mzhE=yE6m46^LSRexnvZ&kL7xWk$)tqZH zn8bLD$w;NHo1(1Y@7QL zYjK;?gyW#$rPOL0p8_3>Hvya*24C7fEq)0e*_Z0;w>ivLQKjMO=M_ANI!OjX7)NYM zizT)BWr!jo2p^RhyoFzEuVR2Qn5ujm{+P+VSG>x1_Of_Jb38bCsWx9u^n1w|$rA~u z=-}Ymbc)qW3g^<OGxoY6LxfljXTeuUM*=SK78vglU|rTh$jsUv->YLX^Z27>tqx1@kW0fGTi*S z4Pf6&2es);nRG$Kyx(2%)GWi7Fm=CVjFpUgQKaAeu!x@tJ>V~v@Yu5+_Us<|Lvsq{ zR-9#Zm`fwOA;Q_xx>-$G1lQu{NfMRpvq{NvlGyUYam|Q_Kl+YTNDsn^{%ZPYTXVIPf(Im5--yTklSU^BQ4TfN5{?5LwXes z`uVLDZdI71^$~O8GMt3Si%RSbC%oLA{nYBbk&(TLmR!fhR z&v?Gn>f+7orY+ujF>-e5yc(NhfOVU_W7oOpla5B_YUEI`y?8E^^=c%mF0HegWw_G7 z$3X4;Oy-RKpw4`jB7LHh{?t#(%hjjXxxB(ITq48kam!doG(i}kVR`jD>m{fe9W`AB zsKlxw<vLw{>o^amR?UntP>E0MYkD3|%*%ZG+S>Q0MV&t8L$4nfj8b|u`QS@BH zd(2FTo3}_(sOI7_;lxmT>Dkljq8)J)8*x1ff&IFYma7W?&V=8V!~L5}>?3Ur)-z7^ z{AInyOV)ff8yuTH&14f=_K@?KW*-)AP9Ctji+Qnoc855s&%a>K;o07qxCN3OdlKVZ zGacdU*MRKFG*aPN))~SdVmT{yajELK(Tma2tb34~#j+(*x0a}DRcz8j<=dVw@D|_8 zj#l2ke6e{EuqwhSy;>bhT9M}B>FtR(18SWcV|n$u#r2v_a}NBxL8YmSt2Oscz9bQ+ zU7E9ZrttRY;J0;#iek{g{srT^)~-?$S1eD=VFdB<+|LhANepoM%?!aIE$xn}ZC%4g z2{rYrbXqtZ&%QaV|Bc09{p0q^W9600^;>pd_BoTL7n_nuF;jDRi-KTJ&&4pQhmDGC z8LbtOPHUuj$ho{G){#cOeP;gnv>>aT`9gz0p--9l;&_ATd+6ak!FYW$i>^@Wyw9fk zJ>MPdWmyIP%*F@tx%Hb8mN8~_$fnoACu*mDi&ZujxiL{s*F{W~ta@L9nmRidzpQYH z6qYQ6bmmz2Ek4dK%m0f7suTa(?lrShHNIWN%*nSmG)NQZplI~|@-mh_>)j+}orTC7 zzJIffeUzwigYFb8m82>$8*b$AxQD43Yqf{;_twl30e-a=scb#Ll{y|Py~<2lTEg_* zK~8x%_PhbZu|<06ieVK}x>~K(3^Eh5c=i^1Xkd7dfjPJzq;LnIUI9ik=gE@#D7pfBc?OnDfo9Ki$@9iMKt6&qbT* 
zoYFBfc9l`m$3*xJy_j1!?>KUrS$2se9_TaMAuTtUvbV2Ho3SaT$YbX>W?GBo&1s_m zQy}EpBSoNnbww1Yh63s3_8KW$zz+`Aoo>wP+e57zF36}oUy}#$q^E{w8iq%CKal}VdKg4(u+mx0if-X~Ry^B$Z4tK63IS`n6*>s zt*Fxlsz99u3{&PU0X*Gww%O9X6STVW_=K&$HoICT2s&&D(%v@iXD*ZZeOV?8Ir8F? z39f2X*|FDB*U6Ci!H0?Kx`?gXqx+Q)ZcWLu^C1BIUq^l2bg9~Ujc$c_iWw)ThPwXO z|2n_)ub=o&U_sM8y|((lSkA3ES3G@|uZH^Xurd1v&53y^YJI!jY8YOb~9B7dsd?)ral-1-zajsc-EOVey2DN z!k)l+|MX9)7F%XhG#L2y!TIL-cN6$B|uSjvu zE3+cT)PNZ47NbhGGPmgdO-t zGU%vJcB!)wVpxAF*tt<2OBqq-u_|F@OCelubyG|rDoJ6mp#doooI8x60tyiL4~O-? zr_0qR|2k>@x99)1*fzh=*_j!lrYFW1GzPXzNe{!PbZOwkhmX%^;zX1j9)l}eMP-o}9_;7_NQJ7VDa)LZ3+tV6pzDBg%`b(l!S&CytQo5^&CMP%IFmyNr@k=z=jc;D0|jQ5Tdzy~QTi7W^V zyY{Ee0T(pWFmyG$`sJt4;vwtBL4q#IR#=v4mII6F%(*friy;mWoV1Wa@n!rbGggn= zA&Rw3jt4jTq*xb;hERYY%0oP)b`gcs9=$w}%nd=O0nO`3zt>Gt3%~Lf0pZ2~ptjVR%8;?glir_&+lzI**NEeVU;8BVo zMT8JKO6XN;=-5DNFk)ySAP58!LJSxngrd^B5Fmt5q}R|(sJ{2}>^{5C?moNkhyAo? zmoLoRliayxu9^QeGyh-Nl#vG9GoKj-cS(p&iWsif;vMqCRIt@DLvBM9W-Rf-Iom%f zf5V6Pons0Eic0ru>Y;&ap#6QW*q=JSPRvYHh|0g|=sFMfGK)}sH-*554YVU`gFrM+ z2;1_fV4O@Y4lS8r1#X@1H32(D&IFZ$r5FE_wEirKGJKD7@0{Mt;@ieSeCjLa!Wj-< zu>)P9;wwo0Q-c;Y0{G8;Uhjy>&3%DqOXV>V+40H#k+B%F`57%UZ8Pn4W7F@Ke-6L# zaRl$?$FTT#V+Kw;ZQ-yg2%AT)Rv(|9ec64y>{bi);B$MBtw*5+%4_noZ65xMrZqDUswL4K;qiNxrk!8)>9#vY%XoF}^n6l&V~DAl@Ar zxBZBq@d1IY7SB6ksUR|teoretSsGydEX`+3T(sc)G#SUEOk@C{loBv%Hsj%GMmv&y z)@c%8YKDe6h4Je52l%*XYkMCc+IBNcxRh+unpi4ui|*C_p!uaujGoo)FbEP31#k$02OYH!g^tVoyts9;o!3TJR4OgNCo+Md+E#>{;|mUq4yIvsd_BM6*f%}(pG?KSM? zYPjn;P`AnNR$74_OoS>fqcjaG$Md$v8>64e*s#^!Y0v2IC*A)5o0h~E)f#*FS4&MN$Ewz6_cHJH!h3K-Yb!<0#IzM=fGLA{?C z1EsUJhemZ_zn{OVekL}13%U_}V6uxmA0=;?(uq8Y|=h{%IxsMGpqHXgx#0% zti$py)biGvww?NS8{5K%(g?Uk_hxO$_*GR=IY#yJT^7#B3;M0Zu#sJ2(uz4JRJv{V z(kqrz)KlrEiRof$=0R@BNn9gsWipTJoSgE;20c90vWf-^hJYxV7m=_08>^;~&GRg? 
zo~CQP&1qNNYy5zi4JL8%_8++hR(_CnxwTC$X_%I~DeF$xJ-mm_ZHG(!)he`B6P!YG5ERxisAN>yLNJ1@<|o9j~*x@@VD z36z%3!wFn}SO0*Ooi)cmdC+(W`c}dx?=TxO0o)O=CIRv*rDICRcyn0F1G-Vj*Yfl( z=h+w4EkDD-c)qT%*{~Ex8V5KpIE$RhD|7ZY?XWOiCz~1PqsYa*UjzR(v(8o^5lIt~ zc!%1eT|-j@rWVW~e@^&bmi*P(%{~d7S%XUfuu0p-5UmqlzT7g_`i3ztIphW2+68$V zY0twz!-~iEVfW5lF8S8tfPK`gPZMez3VH3Cw00kzJJ4=Jhznt!DOD{wO8Px&gz?$7AC)Fyqz z+g5K_FaM$x9E`zF{yf&-2|bOKN7bSkE&m)hdD9m=siBush4Oo~)0*{n70+fT>V1H= zV<`a=ALEP20G`jHO*=RwZ!>VU=i*Em!;ym$uNB(DqXt!{2N)jyy0FN9T^ik+saw@^ zZaf}YiIt3P3ga3N!PIg)ZR{iDFqjo=HR?#a7>R6tyjaG4cR4UH+OBjQ1%i&Mv%H;7 z&*Z$<7MtBDH?uPA^!f{D?*c0iN(G_njnVffd6{6)uO$ln?GH7A)02x*2r!(G0!Npb zJ;tZLKOX@#T~x8IYcH-hdS*pr47qTAYE;@>%E&$=>bWcKcL(4m$1?U2%^@Z<@?t`@ zj#o9_LlX;P81suW_> zu0P+1_{N~-q@ZDRF5hjC4H>gihdEV%`&57m%t%&`&n~H2dZ<-)e{Z<^i&disycJt- zWQu-cg;0K-D~$J6Q}~YORSSU9Y%7}#Dy?I%-l6rZlwm^4BJ24yH!V3*8L6U zpp_OLk8X|Q<-}LwbDsa+;8N_YT&w*K?fI@4g1Rel!AvXVt*EHt(jund7R*fBkm|Id zapH;DgpqfJxte0hqn1I(HsKQ0X%FDKXC*csOByT4DL_s}=9A6MrCb~e z^|M8$-&rqk{v0~>$G}%m<_$mQ!l>la&MgOH-kKoLLbcdIfW6iiGij{}VO9J90CsN<)MM+VA5shbPS$k6m zv%LD{A?_<+;{p)(`JtA32F~ntpc^fiWy|I1h)A7P9*nTLksWd+|D?%xPq)N@EGM+i z-V#O_b#Y~2vOnt!u1|n+ zd>XrKU|Ep{Xon|_EZdwXfCSI8He+eu&$0$ zxo>TQv+V_O4*07i3v=QzB+gU78aYest)L!S-qlbGnmw zzzUbkKM#FuA17Y-1Ap8;I4h(Uplz=${_#|0gY6j?1CLN{e?|9xM{mD7jVOFTkGYDf zXDz1}HBi~Cz~SkXg*>WerPkJJbRSQLKK}_UQ3C?6Yn*T(b1PydQpM7DwXY4)3Ik(N z!dA0DPA#atHvB@WUrFP9#0fVQ$A||N&H=8qq51<$09!D2#`{3L@EF)gXq96bL{Va%@XhjSNr8bw(*@dGz8?q22>Q2a)=q$E?;?btC&c z+5>uq!>?-yVh=93&{Z|(Ha7xhey~s-PGJIwxa*-j71J@`4ptYBT&SEMIimg^tQ2HB z0JSf!M6?^GeM&Jb^J^YTZ)Pgsw6wH#eroB1TP16mrRmFM&W@_}E%)Vn+;%%0vy1xq zkPQ{#9ujc*L|R!=+jIsT8Uim9?uF4J+r>kK#6^veD`v4X?pq+^&&;1Y68z+BJ)AoI z?Z(aKoblRPK?mN^Pve2< z8f0�ho~0+dq^Ht(tqfr0){tW_->`?#=c4VogHoT@Lu+u!>Pm^z(z-M7wKlS$yfm zzuRQXm6;NNybH{{a;27B+8*usmy;;e9`wtM`$~LKT@m08qT0F@^fKrtYYyXgWVZ^J zcsIQ+IwJp@6~T7AWz|28@Sf*W%7zVeH+#Q1Dc~3 za9Tj3Y=sfn(m;*eCPybvvsHr*SqbWgFj2JDp=CAKZ$EWVhNG)rCZ;%!3tf|IQ*xe@ zZcWsYusn*5LAa%7DfE}j`KXooVw55=NU;+vMzd27|>1fPU1+)D&SMp-!Tt 
zFa+L;^eICdvnXd$IT6jXwu)BfwCu?sMmcY9CxW|+>vrtk_`q;Mph7$jR_@k^=7!jv zEJEMAzo-sEz!Ly7m0uN@ul#$`;Bd>yDAUmn zyUY?U>`0*VT{s4vU;|(Rg7cV1s@wS!u-8+X=gVo?yl#?pf+{iDBGBt)OSTNbNu)}9 zahVVv*v7zf1MM#mbAFNK;k9t`c3V=$mRrXx-@I0WxCR0lqvON)Lzo#Ks-zmik2znf z=3Gw!NDo>o%y~6|m7xKsnH_m0{=Eli!tV9=!B@?*!5?BfrZ;I|4E4*`nUar$S}wb3 zzbN;-quZ_ME6Q$Yan~B|Ujy#pnhND8)miUkR?5xF`u#RG183bo@XsBNbB!0k8)}X( zOs28L_Nw-c4h1@K-`@`j&P=xaux?%-CCAnh5mlJmS5?Y0-zq7>$?Eq&(QBBVJ%GyU z_W7ccv%2-un`_~>zgcRCxVMKwf1T%zq$)XA*p;}@+(}R~?G5b>;pm>V2*B-)O@(Rv zgXQg-xaToXb5{4Xui`+0dvu0)JE4>@2SJq5!YKi!T3b}MD*Hkvve{dzq4<%`;0JZO zY!~l9Z3?*qZo5rWnveVhiX>gIIXiic^ScyjOH65JiY_NK zYM4(GUfK!Lf|Bf?QeF+)$6KN-F<6LP;4O0=MO8@yX+5bPq4Fah6{U4Ezhl=kIe#pQ zF|QX^CFLpbkBGeOa?KjMTuq0mt$-W674tBKONR`2lzMFGvx%K#O3h`!sVB7jYM2Qw z>+RI{mPcvjjyGb-b=pR?L4X8EW&b%ofp=4<-m6n-o?lh>2FIa9UzWiO4_F+lQxQznfC78b!HAJZ{yIe zJQf>GK3!--3>s^#3$SpGvxvocgqwtx<9iK4@e@n@DCS#IK7rD8?~FOt+nR7IL4wAk z1P!$3+PHJO|AN8yn_29W?1e$En*q7dtXHdnp(<@Ix)qiwk#^32a9m8Q+f(~z${zbu zv8p~+n+n5`<*2d8p~Ndi)5j+2CRPBoyhyp7l z@C6U}ZJTka{ZKDb=l9CfA62BeX16QsFNA?@ilL;Y=#~eqICsBI^@BkBnp$`ELh!E1JS%_&GNgKsVg%<~3yI!E0sNan$NCF*q)nbiF!AR$c)%x`>&Ml1DCWA0}qzB!&u~ zZICQ{H_`3+(Q?psI*hh;Br(y8g^C+&!XOi6#(Zp8wFhq`2 z#~|O_{g%}-VyR)Z=N;zP>L~j)CGJM6OuxeHZo_OFubAFhPd|bK;t@W|{$j%{)x!WHDN&+g1;>>3jH(vWSF|EI{Fz;9jh;z~ zr89S2C>?=cJy)xy zMYE~Z%pO=@qC$$lM1Wuu`TOHBAyW3%mzRz*Dg9LoBy5YSd<2P7IPT$O&o+!szavo8 z&qnwV;2qRlG-X0$ICy3FYjUhu+9mQ-Cf_P$KioqX)%ZHDeeOLW`b}vE>;g z_2L|4UYd0vM|;1yZavM&ED1{A9t}6QskWXJAVyqB>I-eqfovB_TrORa$%az1Ph&9H zkl}btwyolPY(ib@&-er@d8Hg@nOGUBGQ;Z?Hi)Op_z_pha9lU)qQd;(K9eISA$ z#Mf(oo74@}TE!4ll+#6oF&^cf>%H2A%ej!-`^XXOS1LK8E9!r0L~Aw_6R@!uUtBlM zJt<@VU9ctMLQeCH$ISXW;bO^h5DKvKD-$B|;Xnu0A;H-WETOuStS6##;s%so#t&54 zl*-7y#o(}Z6k7+j^sMeM=z)~BOFW}ePUtO8uQ^GrKtrr-Pt2RzwormQ4OzCym3Q{w znPqgs+%eJ}ld&Pco>(*#`^wMJkQ4#7b__{{kk##(xiKOP>kyV6L;A)S>)V+T20zs(Q>ekzjipAzB0FYPm?dVT0Q0c16N%m~i zfOSBJ&l8>fOdy$AG{6iWOz%@B`74hamMjQUuctPB0FISVT1{JT#{^@BH23#`?jIrl z|GxdtQ~vKH6#qP<@b^9WZ;(U&{xyG|@;^-xtx-V5pY`=bhw7J&kVpa+KW;A0TNT7860H190 
z*k_wa4;hRN6KBWZLEL;(c+i}9?A^6#+EWubaalBaeIe{h_}AI@9cJNWLmL4lk=_2L zGqx0;FL#PQi`sBbWMx@R0+35Z(2JV*G8*ExC2J_z2eYMhc<05-zI`-oUnXV`tLm>a ze_lhE>yIU?2YZS^Z)yHu7ZvU{uJG3JD;W(*E_uG8_y<8(*mNDtVrFw3FnN0tbc&-f z_34ez_qVAR%59X}zreb|ULK}*=#n0Guu<5!)2QZ2mxpVWkKEGSc5L2bMM6(owzRO4 zM&PGd0mHxxeeGNW$AL3(;BTJ!8KvHqOD z6|6t%@NVPzlrxw7^Mt7kf62IM@Z!dgx;J8*F?;&5V;)<`qCvHY`ti zarI|IgeuA~Vr{cj*(b)J0&*#*9I8{-<#y4$5&IoRZ@?QKvf!R;_T4@^7`k-ATK-id zZc(0Qg$omiE!tWHTu|cb%_X)j;a1I>^i2e_NX#ar`yxT|lO&dAOd- zvdgCxz)3Qf&+GXS-PN7gwFO#-+L0qz&?h7&xmg2cSj%K7{T9@|@ZzpZu|@OK#@ja8 z*IwT}R9@=--QnuHrb!jqjez(j(nXPukIleyRE`+Sgcnb8EM*AYwepJ&Pco1UC} z2UJf&&%UZJ+93L-x0j99J1y|tygNFwD+6DU6oEl6xLZ#QB0N>bgyyi4SC`|}G7Ck@ zmP-?mUqGr7S#>!txON+Y>b}l<-OKW}>mV4nO*x^#H(UF3d*LQQp`rk{)NE5riP*#W zv0BE^qIX1{D3xk+V2OGlF5%Lu9&RzPt`qrQ|6{22>*_N*(PGL|Ua~SqE!X3lAhQsh zN_|LDsCXU`j8+`a0Ig%=KKhE9m>#8>42`P9VcM@$%dE#=-Xmj<3hc0ZqHw!srx6`I}+6ADi$*! z?>5CnWaK&RGEHvP#bb?5NpBIvfvlvwlY5_sRBb(Db@DFLzM1XbR|8Z>u;p*?G{`az zR4M3oscST7*4S(`qM!Bk^A*yW1~jM4;~b$yZ&$h`e5JgCt$G6((pjIE5+qidp^L8K zLWyh3lbJ|uDe)4ipoOyS`S=osdR_D%aZ{0nl*2n@EI|gBRO=g+inSB4!h5%7B?!ih zvNu;V(+2kEPH1qnB{w)Mm+p8>dR*h5qM}Sf0X18n^vhg)M~B>Bgeii~`dAM|=CyE- z_8Etbl~D@SyRcavJbNRYb2vb0)-kzbSA&8I=@S*l5V@N;^DaS{xfxMxmbnOt$VM+> zbpj3VF)TgaJ?>Q*ik9SuBIrf8Q<)c)x>67=-wOt%`Kg9 zvs8fyvSvRDK`1VC?M6vIdOvA@RY8WU5O?6+X;=(W#OvfoyyJ)}>)*T3xbv2hI9<*4c4Q@F-+0-mwPT2Wbd+9aYG*}jMqN0O%m9vr)bo>?SSapi&+VK zD4ZUqoJVHzz|=`L)V;g#c~x^uP_5SR{rBbyHaqwi;(kn-5X7DLl3y$sHw*tqr*5OA|^d{g@B zRz(^>!ynuexZ-ZB`zj`1&qV@V)=^_B%h8^sD};Zm*3`W*?!(z}ih$F&zU^I3srU$c z&HXwTiff)M&Sx*H3tvnaxK#Z4Z(;ZUjvs#;iGTk85Alru?lXUqDscQb`QcSlB&Doq z#w;3TQ#`jN^6R4)^)+xZ`l!9Mwqgv`_iU1IG?<4gl)C`=za+;_RoMu1@U#va%kfIMQ7(qnF!v z1-uDZ=~PxkwpH$kqHhXVpDFSaWVd<%3*IXq;p%AMZ_cZW5KKi8h7)|al0Y5R;!N?Q z989o)ProYkdj6*Q`qlVHQyZXb7HFJWkUwAcgX1-o&lmYmyx-(A7^pf@d0v|82exl- zCWTn^YmIjM?J00@f$k)q?6;rRHEztD*G(F0$?l-f?NBZ5}y5$jjAXC2( zQC6((*DHb5?un3+wlLE1S6y_dd-#D*J=Lq`_UC6Wn4O0bJ+YI8(Y+qU!ifDsq_pCs zshR#rr#}gl1u!>O7qD`RA#Zs(qSlHq*8Ttl!fnDEHUZ^lhls 
zUu!Z`#6@fpuLuay)~+D^G9#y%bT6&Gwb;}BOdJV zpk5hir3Ho|Ow(2i>0A4`>V2Wuc>9xtifjm%{X!Yx^OXOCSx0cj+pXn$#> z-1ZKV8h-bSl7VBrhe^Z4?@eu9CFX<;IXxT9=%J|#+P?AJFJ+Me!5_O>eNDNF3o%Qd zCUw6!U)hXCW8c{!~aMSExP%}M`M>*_>3_jW*L%BvcKpfjMMk4xVi%6=(P zDh!-K*z{utiyRy~Q`sX$J{^r|_@1$z_O3Jr*C)I^@6g$z(!Nva+8Y9>^<#v#=TGB* zW!e|iaVdM9b2rpHT{_90t6P1B4ngVi^{>;Nw8ByX7G}x8qKS%Qv7djiz?;;~(lK5A zaxSB`w9}Ptmo>|GA`};cm?6y(YE2qE?g9e7*0+f8(uie&+)vc@{ms=~ZUh%y9AAbB z<>Sk)rTB&mf61Hb`~rFSrAY9Jdt=K{QK-=Uc$^k3=rHn`y%ps+@bL5x7Q&MsENvkd zCg#p>_52zs96SM0NXF-MIFus4{X*>A*F|scMI(9NyWRQiHqE-}ZB~RA{r$E= zij}weR0K*4Q9E#}V#)xQ>T@PDu5m)ljR)5Hv}}$&FvSzgz_zUXvd&=7nNa+jG2~tk8^gwq&G=tKl8k&c=@l)p{ zwNa5Ubsm=>6+*nZhTp3Yco`=Ct?~;8Pfm!5sy7*t{$GukhIpP3rnEKt@m+;8hrTZB z#)mijyGn4cD&g7YM^rWRcNE*h|5Z0cCwI^H;3XWB+NngS_C50HQh140>d){oTu@{9 ziR(veK3kyU@`Kl_FQfAC+c_gT&o0`J11nYAeo3<`lBu*0EI-SmM%VxQ=>Km7=B5L= z64pz+v|<$2b(r|szlf3lui7a8Wm&#)^*WU~sTeA$b1rYVVhb>r3$f%iZR+vcau>xs z7d!Vb~#^iR6a-EbP8Y*1barsJLJ!@s0Y82OA;LUP!o6i_AQUb|d)hS#&Gc9P> zqBG->iSrB2D{Ox~l>64jues&^Kee3!d_d#lbJ6fkkv+> zXgv1PXP^&)Ro_#cYkQk_iE(5E4y1#oemne2-~R6JZ_#|}Zx;fmZ~k5DpQ*_A9_Y1bX8NPa3}|R|*_f{YJJ}GRb&$lgT(PJrK`sDMy!iplq7c zzUZblXd96OQuSQosuFEMNotnU9teKAFdSrJ0*aD)_8p9cQ35ynwI4rr<5NR8nx_OVBj<7{J)pq?ADb2rdxAX6NXX|D$a~jDt`d!)%7LeRTv>>!) 
z>b+qe_FOO^J&2use=mXjeOSb}CGp-hh@<-#O`4x~&eQw{E#F&??bZc9=loz{;m=9z zx?q%wYgsao=RFX7s8uY~j8sU499#hOS~0OGb*sr{rr@`CABW<$jjTkZvTBZ61loAw zF@uGxenQ7+Zk@&~H;Rq^MEI&lS=AvivGi(>*{Eh3)U^?`W(X)8Zm4}re?nxlfi^nF zPOMy?ud0>NUTbUnesHd9Y-S(8zMdmT+sJ)ctdsQRe&p^-_EIXaSEqBCs2Y%4iw5Xz z95CCOeZD2ZtJQCBqg|4}JYHBBtao+@LxQk8A>#XtIfC4Gn0_kM$~Wb8Do(DT)~G|a zH$0nF{8~}*wrv)S-WwkR{LHDqK{b=obG8!iY?9q*MEF41&~beTAbJK^Gvn$$+sHXp zMPZnXhMGDUexziylCvy$I>FT;C2Dprbj$dzZnJTmm(vI3%4|wir?beITtRBnrHfO0 zBRg0gOngyoIJh;T_j^+$n=dxTY^F=`*nK7)P0}XhK|veZe&VatCVT);rl~f<0W2K3bF3D!{77}q-bFb%J4LogMq`_rr<7sB zGpN*yGm6d8Qp*C+zNxirKUh2g2f$8O?n;5+?UMO*<43NNQj(rqIl^LJE{d``j{}h~;)vDs_q8~T$HR)n5F15P36uD}^;-<$&Xu@HWC$jd zdr(l}6>&WU`xxg?6QcK2LjNq>)Wue(r91ApOo2;t4?z2VHe@R$jQ^_KkK~7A0Zy_W zJUe(SQ73Q?ObQj3dAmw&Wyd!JTr{5m^W`F7F!LuSrH~XS_Yb0@T)#-aVup7u8OjLc zZA(97ZvqyF2*B|F4b&pA4Wd1k0UD+Aw_M5OS~TrN)O~$inm6R z7HoB+I6mX#b#2!UcJW#dZo!(zT8578*hUz800j-|->YPfkH2wAmxJk%IpH0(W9}}Z z2$sDb<7(T(*J*!7A^cl>noH9K_IcOv*&Jdb=}juk>ZNCsv6xVGC~i$h`Y4Frpa1#q zBlq7zyDzM>K1gPwa_i)kzi<8%mH&z(I5F0DHQ0Stc3ZB(s}L1YsLHT#^0(UY&H~(g zympM20d`>2q`g?sU>VLzZL4G<-9vWBLbmh=i&9KAT5DzlT6zQ(2Vx$MA1AMRQjOi^ zM4<29jm+7yfTUy^m!cg^8+gb2vzK!w1#x5VW5e40@+utbXUE2Bj*u8LT*f9(0V z(hH7soS{37InNc9kS(TXk+>b_hASoDSD=CLffdw~&yJTZe%8Q;N;ifn3!3!((9 z!ok7qoF^2ZwPq|7BG~wYg>&MI(#0-IH=!OAPlzceW*1 zetv1>ad`Z;$$7mhD*^MU>)z;UBb;zl6Q-gF@&}o&s$s-sOe^0rXG)b_^!2Tv4~=zF zM(|eMkn2f&b>cv>Rw0V5^0#N~-MB%^T4;KTL{6JwO1+S0xk268`BH$F=`67y9?(^3PM`&Yu^D@q_mN0C*Vaj{pDw literal 0 HcmV?d00001 diff --git a/apps/sim/app/workspace/[workspaceId]/w/[workflowId]/components/panel/components/editor/components/sub-block/components/skill-input/skill-input.tsx b/apps/sim/app/workspace/[workspaceId]/w/[workflowId]/components/panel/components/editor/components/sub-block/components/skill-input/skill-input.tsx index b61a96414..713cbf183 100644 --- a/apps/sim/app/workspace/[workspaceId]/w/[workflowId]/components/panel/components/editor/components/sub-block/components/skill-input/skill-input.tsx 
+++ b/apps/sim/app/workspace/[workspaceId]/w/[workflowId]/components/panel/components/editor/components/sub-block/components/skill-input/skill-input.tsx @@ -130,39 +130,52 @@ export function SkillInput({ onOpenChange={setOpen} /> - {selectedSkills.length > 0 && ( -

- {selectedSkills.map((stored) => { - const fullSkill = workspaceSkills.find((s) => s.id === stored.skillId) - return ( + {selectedSkills.length > 0 && + selectedSkills.map((stored) => { + const fullSkill = workspaceSkills.find((s) => s.id === stored.skillId) + return ( +
{ if (fullSkill && !disabled && !isPreview) { setEditingSkill(fullSkill) } }} > - - {resolveSkillName(stored)} - {!disabled && !isPreview && ( - - )} + +
+ + {resolveSkillName(stored)} + +
+
+ {!disabled && !isPreview && ( + + )} +
- ) - })} - - )} + + ) + })} state.blocks?.[blockId]?.data, [blockId]) ) + const { config: permissionConfig } = usePermissionConfig() return useMemo(() => { // Guard against missing config or block selection @@ -100,6 +102,9 @@ export function useEditorSubblockLayout( const visibleSubBlocks = (config.subBlocks || []).filter((block) => { if (block.hidden) return false + // Hide skill-input subblock when skills are disabled via permissions + if (block.type === 'skill-input' && permissionConfig.disableSkills) return false + // Check required feature if specified - declarative feature gating if (!isSubBlockFeatureEnabled(block)) return false @@ -149,5 +154,6 @@ export function useEditorSubblockLayout( activeWorkflowId, isSnapshotView, blockDataFromStore, + permissionConfig.disableSkills, ]) } diff --git a/apps/sim/app/workspace/[workspaceId]/w/[workflowId]/components/workflow-block/workflow-block.tsx b/apps/sim/app/workspace/[workspaceId]/w/[workflowId]/components/workflow-block/workflow-block.tsx index 636fd559d..c0f89e2b3 100644 --- a/apps/sim/app/workspace/[workspaceId]/w/[workflowId]/components/workflow-block/workflow-block.tsx +++ b/apps/sim/app/workspace/[workspaceId]/w/[workflowId]/components/workflow-block/workflow-block.tsx @@ -40,6 +40,7 @@ import { useCustomTools } from '@/hooks/queries/custom-tools' import { useMcpServers, useMcpToolsQuery } from '@/hooks/queries/mcp' import { useCredentialName } from '@/hooks/queries/oauth-credentials' import { useReactivateSchedule, useScheduleInfo } from '@/hooks/queries/schedules' +import { useSkills } from '@/hooks/queries/skills' import { useDeployChildWorkflow } from '@/hooks/queries/workflows' import { useSelectorDisplayName } from '@/hooks/use-selector-display-name' import { useVariablesStore } from '@/stores/panel' 
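Review bot: The `disableSkills` check added to the `visibleSubBlocks` filter only hides the `skill-input` sub-block in the editor panel; it neither clears nor ignores skill references already stored on the block, and nothing visible in this patch checks the permission where skills are loaded or executed. If `disableSkills` is meant as an access control rather than a display preference, the same flag needs to be enforced server-side, and the comment here should say so, e.g. `// UI-only: hides the input; disableSkills is enforced in <server-side check — placeholder>`. It is also worth confirming what `usePermissionConfig()` returns while the config is still loading, since a permissive default would show the input until the fetch resolves. The `@@ -618` hunk in workflow-block.tsx still renders stored skill names without consulting this flag.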
@@ -618,6 +619,48 @@ const SubBlockRow = memo(function SubBlockRow({ return `${toolNames[0]}, ${toolNames[1]} +${toolNames.length - 2}` }, [subBlock?.type, rawValue, customTools, workspaceId]) + /** + * Hydrates skill references to display names. + * Resolves skill IDs to their current names from the skills query. + */ + const { data: workspaceSkills = [] } = useSkills(workspaceId || '') + + const skillsDisplayValue = useMemo(() => { + if (subBlock?.type !== 'skill-input' || !Array.isArray(rawValue) || rawValue.length === 0) { + return null + } + + interface StoredSkill { + skillId: string + name?: string + } + + const skillNames = rawValue + .map((skill: StoredSkill) => { + if (!skill || typeof skill !== 'object') return null + + // Priority 1: Resolve skill name from the skills query (fresh data) + if (skill.skillId) { + const foundSkill = workspaceSkills.find((s) => s.id === skill.skillId) + if (foundSkill?.name) return foundSkill.name + } + + // Priority 2: Fall back to stored name (for deleted skills) + if (skill.name && typeof skill.name === 'string') return skill.name + + // Priority 3: Use skillId as last resort + if (skill.skillId) return skill.skillId + + return null + }) + .filter((name): name is string => !!name) + + if (skillNames.length === 0) return null + if (skillNames.length === 1) return skillNames[0] + if (skillNames.length === 2) return `${skillNames[0]}, ${skillNames[1]}` + return `${skillNames[0]}, ${skillNames[1]} +${skillNames.length - 2}` + }, [subBlock?.type, rawValue, workspaceSkills]) + const isPasswordField = subBlock?.password === true const maskedValue = isPasswordField && value && value !== '-' ? '•••' : null @@ -627,6 +670,7 @@ const SubBlockRow = memo(function SubBlockRow({ dropdownLabel || variablesDisplayValue || toolsDisplayValue || + skillsDisplayValue || knowledgeBaseDisplayName || workflowSelectionName || mcpServerDisplayName || 
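Review bot: In `skillsDisplayValue` the map callback annotates each element as `StoredSkill` although `rawValue` is persisted block data, and the "Priority 3" branch returns `skill.skillId` without the `typeof` check that the stored-name branch has. A non-string `skillId` would pass the `(name): name is string => !!name` filter and be rendered as if it were a string. Type the parameter as `unknown`, narrow once, and make the last branch `if (typeof skill.skillId === 'string' && skill.skillId) return skill.skillId`. `SubBlockRow` starts and ends outside the hunk.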
diff --git a/apps/sim/app/workspace/[workspaceId]/w/components/sidebar/components/settings-modal/components/skills/components/skill-modal.tsx b/apps/sim/app/workspace/[workspaceId]/w/components/sidebar/components/settings-modal/components/skills/components/skill-modal.tsx index 36b7c9ddd..99a473fd2 100644 --- a/apps/sim/app/workspace/[workspaceId]/w/components/sidebar/components/settings-modal/components/skills/components/skill-modal.tsx +++ b/apps/sim/app/workspace/[workspaceId]/w/components/sidebar/components/settings-modal/components/skills/components/skill-modal.tsx @@ -27,6 +27,13 @@ interface SkillModalProps { const KEBAB_CASE_REGEX = /^[a-z0-9]+(-[a-z0-9]+)*$/ +interface FieldErrors { + name?: string + description?: string + content?: string + general?: string +} + export function SkillModal({ open, onOpenChange, @@ -43,7 +50,7 @@ export function SkillModal({ const [name, setName] = useState('') const [description, setDescription] = useState('') const [content, setContent] = useState('') - const [formError, setFormError] = useState('') + const [errors, setErrors] = useState({}) const [saving, setSaving] = useState(false) useEffect(() => { @@ -57,7 +64,7 @@ export function SkillModal({ setDescription('') setContent('') } - setFormError('') + setErrors({}) } }, [open, initialValues]) 
@@ -71,24 +78,26 @@ export function SkillModal({ }, [name, description, content, initialValues]) const handleSave = async () => { + const newErrors: FieldErrors = {} + if (!name.trim()) { - setFormError('Name is required') - return - } - if (name.length > 64) { - setFormError('Name must be 64 characters or less') - return - } - if (!KEBAB_CASE_REGEX.test(name)) { - setFormError('Name must be kebab-case (e.g. my-skill)') - return + newErrors.name = 'Name is required' + } else if (name.length > 64) { + newErrors.name = 'Name must be 64 characters or less' + } else if (!KEBAB_CASE_REGEX.test(name)) { + newErrors.name = 'Name must be kebab-case (e.g. my-skill)' } + if (!description.trim()) { - setFormError('Description is required') - return + newErrors.description = 'Description is required' } + if (!content.trim()) { - setFormError('Content is required') + newErrors.content = 'Content is required' + } + + if (Object.keys(newErrors).length > 0) { + setErrors(newErrors) return } @@ -113,7 +122,7 @@ export function SkillModal({ error instanceof Error && error.message.includes('already exists') ? error.message : 'Failed to save skill. Please try again.' - setFormError(message) + setErrors({ general: message }) } finally { setSaving(false) } @@ -135,12 +144,17 @@ export function SkillModal({ value={name} onChange={(e) => { setName(e.target.value) - if (formError) setFormError('') + if (errors.name || errors.general) + setErrors((prev) => ({ ...prev, name: undefined, general: undefined })) }} /> - - Lowercase letters, numbers, and hyphens (e.g. my-skill) - + {errors.name ? ( +

{errors.name}

+ ) : ( + + Lowercase letters, numbers, and hyphens (e.g. my-skill) + + )}
@@ -153,10 +167,14 @@ export function SkillModal({ value={description} onChange={(e) => { setDescription(e.target.value) - if (formError) setFormError('') + if (errors.description || errors.general) + setErrors((prev) => ({ ...prev, description: undefined, general: undefined })) }} maxLength={1024} /> + {errors.description && ( +

{errors.description}

+ )}
@@ -169,13 +187,19 @@ export function SkillModal({ value={content} onChange={(e: ChangeEvent) => { setContent(e.target.value) - if (formError) setFormError('') + if (errors.content || errors.general) + setErrors((prev) => ({ ...prev, content: undefined, general: undefined })) }} className='min-h-[200px] resize-y font-mono text-[13px]' /> + {errors.content && ( +

{errors.content}

+ )}
- {formError && {formError}} + {errors.general && ( +

{errors.general}

+ )} diff --git a/apps/sim/components/icons.tsx b/apps/sim/components/icons.tsx index 969f5be13..d62410d7f 100644 --- a/apps/sim/components/icons.tsx +++ b/apps/sim/components/icons.tsx @@ -5468,18 +5468,18 @@ export function AgentSkillsIcon(props: SVGProps) { - + ) } From 1edaf197b28b7aee84d5a83eb331d0fce8c2c4fb Mon Sep 17 00:00:00 2001 
From: Waleed Date: Fri, 6 Feb 2026 15:26:10 -0800 Subject: [PATCH 2/8] fix(azure): add azure-anthropic support to router, evaluator, copilot, and tokenization (#3158) MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit * fix(azure): add azure-anthropic support to router, evaluator, copilot, and tokenization * added azure anthropic values to env * fix(azure): make anthropic-version configurable for azure-anthropic provider * fix(azure): thread provider credentials through guardrails and fix translate missing bedrockAccessKeyId * updated guardrails * ack'd PR comments * fix(azure): unify credential passing pattern across all LLM handlers - Pass all provider credentials unconditionally in router, evaluator (matching agent pattern) - Remove conditional if-branching on providerId for credential fields - Thread workspaceId through guardrails → hallucination validator for BYOK key resolution - Remove getApiKey() from hallucination validator, let executeProviderRequest handle it - Resolve vertex OAuth credentials in hallucination validator matching agent handler pattern Co-Authored-By: Claude Opus 4.6 --------- Co-authored-by: Claude Opus 4.6 --- apps/sim/app/api/copilot/chat/route.ts | 8 ++ apps/sim/app/api/guardrails/validate/route.ts | 33 ++++++++ apps/sim/blocks/blocks/agent.ts | 6 +- apps/sim/blocks/blocks/translate.ts | 3 +- apps/sim/blocks/utils.ts | 14 ++-- .../handlers/evaluator/evaluator-handler.ts | 23 ++---- .../handlers/router/router-handler.ts | 46 ++++------- apps/sim/lib/copilot/config.ts | 1 + apps/sim/lib/copilot/types.ts | 9 ++- apps/sim/lib/core/config/env.ts | 3 + .../lib/guardrails/validate_hallucination.ts | 77 +++++++++++++++---- apps/sim/lib/tokenization/constants.ts | 5 ++ apps/sim/lib/tokenization/estimators.ts | 1 + apps/sim/providers/azure-anthropic/index.ts | 4 +- apps/sim/tools/guardrails/validate.ts | 16 ++++ 15 files changed, 171 insertions(+), 78 deletions(-) 
diff --git a/apps/sim/app/api/copilot/chat/route.ts b/apps/sim/app/api/copilot/chat/route.ts index 9d31bf5c3..72c959d9a 100644 --- a/apps/sim/app/api/copilot/chat/route.ts +++ b/apps/sim/app/api/copilot/chat/route.ts @@ -285,6 +285,14 @@ export async function POST(req: NextRequest) { apiVersion: 'preview', endpoint: env.AZURE_OPENAI_ENDPOINT, } + } else if (providerEnv === 'azure-anthropic') { + providerConfig = { + provider: 'azure-anthropic', + model: envModel, + apiKey: env.AZURE_ANTHROPIC_API_KEY, + apiVersion: env.AZURE_ANTHROPIC_API_VERSION, + endpoint: env.AZURE_ANTHROPIC_ENDPOINT, + } } else if (providerEnv === 'vertex') { providerConfig = { provider: 'vertex', diff --git a/apps/sim/app/api/guardrails/validate/route.ts b/apps/sim/app/api/guardrails/validate/route.ts index 5f4738339..6e1b65750 100644 --- a/apps/sim/app/api/guardrails/validate/route.ts +++ b/apps/sim/app/api/guardrails/validate/route.ts @@ -23,7 +23,16 @@ export async function POST(request: NextRequest) { topK, model, apiKey, + azureEndpoint, + azureApiVersion, + vertexProject, + vertexLocation, + vertexCredential, + bedrockAccessKeyId, + bedrockSecretKey, + bedrockRegion, workflowId, + workspaceId, piiEntityTypes, piiMode, piiLanguage, @@ -110,7 +119,18 @@ export async function POST(request: NextRequest) { topK, model, apiKey, + { + azureEndpoint, + azureApiVersion, + vertexProject, + vertexLocation, + vertexCredential, + bedrockAccessKeyId, + bedrockSecretKey, + bedrockRegion, + }, workflowId, + workspaceId, piiEntityTypes, piiMode, piiLanguage, 
@@ -178,7 +198,18 @@ async function executeValidation( topK: string | undefined, model: string, apiKey: string | undefined, + providerCredentials: { + azureEndpoint?: string + azureApiVersion?: string + vertexProject?: string + vertexLocation?: string + vertexCredential?: string + bedrockAccessKeyId?: string + bedrockSecretKey?: string + bedrockRegion?: string + }, workflowId: string | undefined, + workspaceId: string | undefined, piiEntityTypes: string[] | undefined, piiMode: string | undefined, piiLanguage: string | undefined, @@ -219,7 +250,9 @@ async function executeValidation( topK: topK ? Number.parseInt(topK) : 10, // Default topK is 10 model: model, apiKey, + providerCredentials, workflowId, + workspaceId, requestId, }) } diff --git a/apps/sim/blocks/blocks/agent.ts b/apps/sim/blocks/blocks/agent.ts index 395efec87..bf8ec0d66 100644 --- a/apps/sim/blocks/blocks/agent.ts +++ b/apps/sim/blocks/blocks/agent.ts @@ -333,11 +333,11 @@ Return ONLY the JSON array.`, id: 'azureApiVersion', title: 'Azure API Version', type: 'short-input', - placeholder: '2024-07-01-preview', + placeholder: 'Enter API version', connectionDroppable: false, condition: { field: 'model', - value: providers['azure-openai'].models, + value: [...providers['azure-openai'].models, ...providers['azure-anthropic'].models], }, }, { @@ -715,7 +715,7 @@ Example 3 (Array Input): }, model: { type: 'string', description: 'AI model to use' }, apiKey: { type: 'string', description: 'Provider API key' }, - azureEndpoint: { type: 'string', description: 'Azure OpenAI endpoint URL' }, + azureEndpoint: { type: 'string', description: 'Azure endpoint URL' }, azureApiVersion: { type: 'string', description: 'Azure API version' }, vertexProject: { type: 'string', description: 'Google Cloud project ID for Vertex AI' }, vertexLocation: { type: 'string', description: 'Google Cloud location for Vertex AI' }, 
diff --git a/apps/sim/blocks/blocks/translate.ts b/apps/sim/blocks/blocks/translate.ts index d0d647765..1385075c7 100644 --- a/apps/sim/blocks/blocks/translate.ts +++ b/apps/sim/blocks/blocks/translate.ts @@ -76,8 +76,9 @@ export const TranslateBlock: BlockConfig = { vertexProject: params.vertexProject, vertexLocation: params.vertexLocation, vertexCredential: params.vertexCredential, - bedrockRegion: params.bedrockRegion, + bedrockAccessKeyId: params.bedrockAccessKeyId, bedrockSecretKey: params.bedrockSecretKey, + bedrockRegion: params.bedrockRegion, }), }, }, diff --git a/apps/sim/blocks/utils.ts b/apps/sim/blocks/utils.ts index 7de0b518a..eed4a5c37 100644 --- a/apps/sim/blocks/utils.ts +++ b/apps/sim/blocks/utils.ts @@ -80,7 +80,7 @@ export function getApiKeyCondition() { /** * Returns the standard provider credential subblocks used by LLM-based blocks. - * This includes: Vertex AI OAuth, API Key, Azure OpenAI, Vertex AI config, and Bedrock config. + * This includes: Vertex AI OAuth, API Key, Azure (OpenAI + Anthropic), Vertex AI config, and Bedrock config. * * Usage: Spread into your block's subBlocks array after block-specific fields */ 
@@ -111,25 +111,25 @@ export function getProviderCredentialSubBlocks(): SubBlockConfig[] { }, { id: 'azureEndpoint', - title: 'Azure OpenAI Endpoint', + title: 'Azure Endpoint', type: 'short-input', password: true, - placeholder: 'https://your-resource.openai.azure.com', + placeholder: 'https://your-resource.services.ai.azure.com', connectionDroppable: false, condition: { field: 'model', - value: providers['azure-openai'].models, + value: [...providers['azure-openai'].models, ...providers['azure-anthropic'].models], }, }, { id: 'azureApiVersion', title: 'Azure API Version', type: 'short-input', - placeholder: '2024-07-01-preview', + placeholder: 'Enter API version', connectionDroppable: false, condition: { field: 'model', - value: providers['azure-openai'].models, + value: [...providers['azure-openai'].models, ...providers['azure-anthropic'].models], }, }, { @@ -202,7 +202,7 @@ export function getProviderCredentialSubBlocks(): SubBlockConfig[] { */ export const PROVIDER_CREDENTIAL_INPUTS = { apiKey: { type: 'string', description: 'Provider API key' }, - azureEndpoint: { type: 'string', description: 'Azure OpenAI endpoint URL' }, + azureEndpoint: { type: 'string', description: 'Azure endpoint URL' }, azureApiVersion: { type: 'string', description: 'Azure API version' }, vertexProject: { type: 'string', description: 'Google Cloud project ID for Vertex AI' }, vertexLocation: { type: 'string', description: 'Google Cloud location for Vertex AI' }, diff --git a/apps/sim/executor/handlers/evaluator/evaluator-handler.ts b/apps/sim/executor/handlers/evaluator/evaluator-handler.ts index 3e95b2f85..8c432f1da 100644 --- a/apps/sim/executor/handlers/evaluator/evaluator-handler.ts +++ b/apps/sim/executor/handlers/evaluator/evaluator-handler.ts 
@@ -121,26 +121,17 @@ export class EvaluatorBlockHandler implements BlockHandler { temperature: EVALUATOR.DEFAULT_TEMPERATURE, apiKey: finalApiKey, + azureEndpoint: inputs.azureEndpoint, + azureApiVersion: inputs.azureApiVersion, + vertexProject: evaluatorConfig.vertexProject, + vertexLocation: evaluatorConfig.vertexLocation, + bedrockAccessKeyId: evaluatorConfig.bedrockAccessKeyId, + bedrockSecretKey: evaluatorConfig.bedrockSecretKey, + bedrockRegion: evaluatorConfig.bedrockRegion, workflowId: ctx.workflowId, workspaceId: ctx.workspaceId, } - if (providerId === 'vertex') { - providerRequest.vertexProject = evaluatorConfig.vertexProject - providerRequest.vertexLocation = evaluatorConfig.vertexLocation - } - - if (providerId === 'azure-openai') { - providerRequest.azureEndpoint = inputs.azureEndpoint - providerRequest.azureApiVersion = inputs.azureApiVersion - } - - if (providerId === 'bedrock') { - providerRequest.bedrockAccessKeyId = evaluatorConfig.bedrockAccessKeyId - providerRequest.bedrockSecretKey = evaluatorConfig.bedrockSecretKey - providerRequest.bedrockRegion = evaluatorConfig.bedrockRegion - } - const response = await fetch(url.toString(), { method: 'POST', headers: await buildAuthHeaders(), diff --git a/apps/sim/executor/handlers/router/router-handler.ts b/apps/sim/executor/handlers/router/router-handler.ts index 766a4aac6..541cdccca 100644 --- a/apps/sim/executor/handlers/router/router-handler.ts +++ b/apps/sim/executor/handlers/router/router-handler.ts 
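Review bot: With the `providerId` branches removed, `providerRequest` now carries `bedrockAccessKeyId`, `bedrockSecretKey`, the Azure endpoint and the Vertex fields on every call, whichever provider the model resolves to. If a block still holds values from a previously selected provider, those secrets travel in the POST body where they are not needed, which widens what any request or error logging on the receiving route could capture; whether that route logs the body is not visible here. Both router-handler.ts hunks build the same object. If the unified shape is intended, record it next to the fields, e.g. `// All provider credentials are forwarded; the provider layer uses only those for the resolved provider`, and confirm the body is never logged. The enclosing method starts and ends outside the hunk.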
@@ -96,26 +96,17 @@ export class RouterBlockHandler implements BlockHandler { context: JSON.stringify(messages), temperature: ROUTER.INFERENCE_TEMPERATURE, apiKey: finalApiKey, + azureEndpoint: inputs.azureEndpoint, + azureApiVersion: inputs.azureApiVersion, + vertexProject: routerConfig.vertexProject, + vertexLocation: routerConfig.vertexLocation, + bedrockAccessKeyId: routerConfig.bedrockAccessKeyId, + bedrockSecretKey: routerConfig.bedrockSecretKey, + bedrockRegion: routerConfig.bedrockRegion, workflowId: ctx.workflowId, workspaceId: ctx.workspaceId, } - if (providerId === 'vertex') { - providerRequest.vertexProject = routerConfig.vertexProject - providerRequest.vertexLocation = routerConfig.vertexLocation - } - - if (providerId === 'azure-openai') { - providerRequest.azureEndpoint = inputs.azureEndpoint - providerRequest.azureApiVersion = inputs.azureApiVersion - } - - if (providerId === 'bedrock') { - providerRequest.bedrockAccessKeyId = routerConfig.bedrockAccessKeyId - providerRequest.bedrockSecretKey = routerConfig.bedrockSecretKey - providerRequest.bedrockRegion = routerConfig.bedrockRegion - } - const response = await fetch(url.toString(), { method: 'POST', headers: await buildAuthHeaders(), @@ -234,6 +225,13 @@ export class RouterBlockHandler implements BlockHandler { context: JSON.stringify(messages), temperature: ROUTER.INFERENCE_TEMPERATURE, apiKey: finalApiKey, + azureEndpoint: inputs.azureEndpoint, + azureApiVersion: inputs.azureApiVersion, + vertexProject: routerConfig.vertexProject, + vertexLocation: routerConfig.vertexLocation, + bedrockAccessKeyId: routerConfig.bedrockAccessKeyId, + bedrockSecretKey: routerConfig.bedrockSecretKey, + bedrockRegion: routerConfig.bedrockRegion, workflowId: ctx.workflowId, workspaceId: ctx.workspaceId, responseFormat: { 
@@ -257,22 +255,6 @@ export class RouterBlockHandler implements BlockHandler { }, } - if (providerId === 'vertex') { - providerRequest.vertexProject = routerConfig.vertexProject - providerRequest.vertexLocation = routerConfig.vertexLocation - } - - if (providerId === 'azure-openai') { - providerRequest.azureEndpoint = inputs.azureEndpoint - providerRequest.azureApiVersion = inputs.azureApiVersion - } - - if (providerId === 'bedrock') { - providerRequest.bedrockAccessKeyId = routerConfig.bedrockAccessKeyId - providerRequest.bedrockSecretKey = routerConfig.bedrockSecretKey - providerRequest.bedrockRegion = routerConfig.bedrockRegion - } - const response = await fetch(url.toString(), { method: 'POST', headers: await buildAuthHeaders(), diff --git a/apps/sim/lib/copilot/config.ts b/apps/sim/lib/copilot/config.ts index 4b9c89274..5700e9930 100644 --- a/apps/sim/lib/copilot/config.ts +++ b/apps/sim/lib/copilot/config.ts @@ -12,6 +12,7 @@ const VALID_PROVIDER_IDS: readonly ProviderId[] = [ 'openai', 'azure-openai', 'anthropic', + 'azure-anthropic', 'google', 'deepseek', 'xai', diff --git a/apps/sim/lib/copilot/types.ts b/apps/sim/lib/copilot/types.ts index 6ed813308..68e097039 100644 --- a/apps/sim/lib/copilot/types.ts +++ b/apps/sim/lib/copilot/types.ts @@ -147,6 +147,13 @@ export type CopilotProviderConfig = apiVersion?: string endpoint?: string } + | { + provider: 'azure-anthropic' + model: string + apiKey?: string + apiVersion?: string + endpoint?: string + } | { provider: 'vertex' model: string @@ -155,7 +162,7 @@ export type CopilotProviderConfig = vertexLocation?: string } | { - provider: Exclude + provider: Exclude model?: string apiKey?: string } diff --git a/apps/sim/lib/core/config/env.ts b/apps/sim/lib/core/config/env.ts index 8440de3bc..48e1a630d 100644 --- a/apps/sim/lib/core/config/env.ts +++ b/apps/sim/lib/core/config/env.ts 
@@ -95,6 +95,9 @@ export const env = createEnv({ AZURE_OPENAI_ENDPOINT: z.string().url().optional(), // Shared Azure OpenAI service endpoint AZURE_OPENAI_API_VERSION: z.string().optional(), // Shared Azure OpenAI API version AZURE_OPENAI_API_KEY: z.string().min(1).optional(), // Shared Azure OpenAI API key + AZURE_ANTHROPIC_ENDPOINT: z.string().url().optional(), // Azure Anthropic service endpoint + AZURE_ANTHROPIC_API_KEY: z.string().min(1).optional(), // Azure Anthropic API key + AZURE_ANTHROPIC_API_VERSION: z.string().min(1).optional(), // Azure Anthropic API version (e.g. 2023-06-01) KB_OPENAI_MODEL_NAME: z.string().optional(), // Knowledge base OpenAI model name (works with both regular OpenAI and Azure OpenAI) WAND_OPENAI_MODEL_NAME: z.string().optional(), // Wand generation OpenAI model name (works with both regular OpenAI and Azure OpenAI) OCR_AZURE_ENDPOINT: z.string().url().optional(), // Azure Mistral OCR service endpoint diff --git a/apps/sim/lib/guardrails/validate_hallucination.ts b/apps/sim/lib/guardrails/validate_hallucination.ts index b2668f248..48a91fb81 100644 --- a/apps/sim/lib/guardrails/validate_hallucination.ts +++ b/apps/sim/lib/guardrails/validate_hallucination.ts @@ -1,7 +1,11 @@ +import { db } from '@sim/db' +import { account } from '@sim/db/schema' import { createLogger } from '@sim/logger' +import { eq } from 'drizzle-orm' import { getBaseUrl } from '@/lib/core/utils/urls' +import { refreshTokenIfNeeded } from '@/app/api/auth/oauth/utils' import { executeProviderRequest } from '@/providers' -import { getApiKey, getProviderFromModel } from '@/providers/utils' +import { getProviderFromModel } from '@/providers/utils' const logger = createLogger('HallucinationValidator') 
@@ -19,7 +23,18 @@ export interface HallucinationValidationInput { topK: number // Number of chunks to retrieve, default 10 model: string apiKey?: string + providerCredentials?: { + azureEndpoint?: string + azureApiVersion?: string + vertexProject?: string + vertexLocation?: string + vertexCredential?: string + bedrockAccessKeyId?: string + bedrockSecretKey?: string + bedrockRegion?: string + } workflowId?: string + workspaceId?: string requestId: string } @@ -89,7 +104,9 @@ async function scoreHallucinationWithLLM( userInput: string, ragContext: string[], model: string, - apiKey: string, + apiKey: string | undefined, + providerCredentials: HallucinationValidationInput['providerCredentials'], + workspaceId: string | undefined, requestId: string ): Promise<{ score: number; reasoning: string }> { try { @@ -127,6 +144,23 @@ Evaluate the consistency and provide your score and reasoning in JSON format.` const providerId = getProviderFromModel(model) + let finalApiKey: string | undefined = apiKey + if (providerId === 'vertex' && providerCredentials?.vertexCredential) { + const credential = await db.query.account.findFirst({ + where: eq(account.id, providerCredentials.vertexCredential), + }) + if (credential) { + const { accessToken } = await refreshTokenIfNeeded( + requestId, + credential, + providerCredentials.vertexCredential + ) + if (accessToken) { + finalApiKey = accessToken + } + } + } + const response = await executeProviderRequest(providerId, { model, systemPrompt, 
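Review bot: The Vertex branch in `scoreHallucinationWithLLM` loads the OAuth account with `eq(account.id, providerCredentials.vertexCredential)` alone, and that id comes from the request body of the guardrails validate route. Nothing in the hunk ties the row to the caller, so unless the route or `refreshTokenIfNeeded` checks ownership (neither is visible here), one user's stored credential could be refreshed and used on behalf of a different requester. Scope the lookup to the authenticated user or workspace by adding the owner condition to the `where`; this needs the caller's id threaded in next to `workspaceId`. Also return an error when no credential is found instead of silently continuing with `apiKey`. The function starts and ends outside the hunk.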
@@ -137,7 +171,15 @@ Evaluate the consistency and provide your score and reasoning in JSON format.` }, ], temperature: 0.1, // Low temperature for consistent scoring - apiKey, + apiKey: finalApiKey, + azureEndpoint: providerCredentials?.azureEndpoint, + azureApiVersion: providerCredentials?.azureApiVersion, + vertexProject: providerCredentials?.vertexProject, + vertexLocation: providerCredentials?.vertexLocation, + bedrockAccessKeyId: providerCredentials?.bedrockAccessKeyId, + bedrockSecretKey: providerCredentials?.bedrockSecretKey, + bedrockRegion: providerCredentials?.bedrockRegion, + workspaceId, }) if (response instanceof ReadableStream || ('stream' in response && 'execution' in response)) { @@ -184,8 +226,18 @@ Evaluate the consistency and provide your score and reasoning in JSON format.` export async function validateHallucination( input: HallucinationValidationInput ): Promise { - const { userInput, knowledgeBaseId, threshold, topK, model, apiKey, workflowId, requestId } = - input + const { + userInput, + knowledgeBaseId, + threshold, + topK, + model, + apiKey, + providerCredentials, + workflowId, + workspaceId, + requestId, + } = input try { if (!userInput || userInput.trim().length === 0) { @@ -202,17 +254,6 @@ export async function validateHallucination( } } - let finalApiKey: string - try { - const providerId = getProviderFromModel(model) - finalApiKey = getApiKey(providerId, model, apiKey) - } catch (error: any) { - return { - passed: false, - error: `API key error: ${error.message}`, - } - } - // Step 1: Query knowledge base with RAG const ragContext = await queryKnowledgeBase( knowledgeBaseId, @@ -234,7 +275,9 @@ export async function validateHallucination( userInput, ragContext, model, - finalApiKey, + apiKey, + providerCredentials, + workspaceId, requestId ) diff --git a/apps/sim/lib/tokenization/constants.ts b/apps/sim/lib/tokenization/constants.ts index 010ef4743..a10b1995d 100644 --- a/apps/sim/lib/tokenization/constants.ts 
+++ b/apps/sim/lib/tokenization/constants.ts @@ -21,6 +21,11 @@ export const TOKENIZATION_CONFIG = { confidence: 'high', supportedMethods: ['heuristic', 'fallback'], }, + 'azure-anthropic': { + avgCharsPerToken: 4.5, + confidence: 'high', + supportedMethods: ['heuristic', 'fallback'], + }, google: { avgCharsPerToken: 5, confidence: 'medium', diff --git a/apps/sim/lib/tokenization/estimators.ts b/apps/sim/lib/tokenization/estimators.ts index 53ce71965..01aed1c1e 100644 --- a/apps/sim/lib/tokenization/estimators.ts +++ b/apps/sim/lib/tokenization/estimators.ts @@ -204,6 +204,7 @@ export function estimateTokenCount(text: string, providerId?: string): TokenEsti estimatedTokens = estimateOpenAITokens(text) break case 'anthropic': + case 'azure-anthropic': estimatedTokens = estimateAnthropicTokens(text) break case 'google': diff --git a/apps/sim/providers/azure-anthropic/index.ts b/apps/sim/providers/azure-anthropic/index.ts index efb131be1..721e36339 100644 --- a/apps/sim/providers/azure-anthropic/index.ts +++ b/apps/sim/providers/azure-anthropic/index.ts @@ -35,6 +35,8 @@ export const azureAnthropicProvider: ProviderConfig = { // The SDK appends /v1/messages automatically const baseURL = `${request.azureEndpoint.replace(/\/$/, '')}/anthropic` + const anthropicVersion = request.azureApiVersion || '2023-06-01' + return executeAnthropicProviderRequest( { ...request, @@ -49,7 +51,7 @@ export const azureAnthropicProvider: ProviderConfig = { apiKey, defaultHeaders: { 'api-key': apiKey, - 'anthropic-version': '2023-06-01', + 'anthropic-version': anthropicVersion, ...(useNativeStructuredOutputs ? { 'anthropic-beta': 'structured-outputs-2025-11-13' } : {}), diff --git a/apps/sim/tools/guardrails/validate.ts b/apps/sim/tools/guardrails/validate.ts index f791fa89c..124795c44 100644 --- a/apps/sim/tools/guardrails/validate.ts +++ b/apps/sim/tools/guardrails/validate.ts 
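Review bot: In azure-anthropic/index.ts, `request.azureApiVersion || '2023-06-01'` puts a user-editable field straight into the `anthropic-version` header, and that field is shared with Azure OpenAI models, whose versions look like the `2024-07-01-preview` placeholder this patch removes. A value left over from an Azure OpenAI selection would be sent as the Anthropic version and fail at the API with an unclear error. Check the shape before use, e.g. `const v = request.azureApiVersion` followed by `const anthropicVersion = v && /^\d{4}-\d{2}-\d{2}$/.test(v) ? v : '2023-06-01'`. The enclosing function continues outside the hunk.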
@@ -9,6 +9,14 @@ export interface GuardrailsValidateInput { topK?: string model?: string apiKey?: string + azureEndpoint?: string + azureApiVersion?: string + vertexProject?: string + vertexLocation?: string + vertexCredential?: string + bedrockAccessKeyId?: string + bedrockSecretKey?: string + bedrockRegion?: string piiEntityTypes?: string[] piiMode?: string piiLanguage?: string @@ -166,6 +174,14 @@ export const guardrailsValidateTool: ToolConfig Date: Fri, 6 Feb 2026 18:34:03 -0800 Subject: [PATCH 3/8] fix(function): isolated-vm worker pool to prevent single-worker bottleneck + execution user id resolution (#3155) * fix(executor): isolated-vm worker pool to prevent single-worker bottleneck * chore(helm): add isolated-vm worker pool env vars to values.yaml * fix(userid): resolution for fair scheduling * add fallback back * add to helm charts * remove constant fallbacks * fix * address bugbot comments * fix fallbacks * one more bugbot comment --------- Co-authored-by: Vikhyath Mondreti --- apps/sim/app/api/function/execute/route.ts | 2 + .../app/api/workflows/[id]/execute/route.ts | 6 + .../executor/handlers/agent/agent-handler.ts | 1 + apps/sim/executor/handlers/api/api-handler.ts | 1 + .../handlers/condition/condition-handler.ts | 1 + .../handlers/function/function-handler.ts | 1 + .../handlers/generic/generic-handler.ts | 1 + .../human-in-the-loop-handler.ts | 1 + apps/sim/executor/orchestrators/loop.ts | 2 + apps/sim/lib/auth/hybrid.ts | 32 +- apps/sim/lib/core/config/env.ts | 18 + .../core/security/input-validation.server.ts | 22 +- apps/sim/lib/execution/isolated-vm-worker.cjs | 54 +- apps/sim/lib/execution/isolated-vm.test.ts | 500 ++++++++ apps/sim/lib/execution/isolated-vm.ts | 1042 ++++++++++++++--- apps/sim/lib/execution/preprocessing.ts | 11 +- apps/sim/tools/index.ts | 20 +- apps/sim/tools/utils.ts | 12 +- helm/sim/values.yaml | 20 +- 19 files changed, 1530 insertions(+), 217 deletions(-) create mode 100644 apps/sim/lib/execution/isolated-vm.test.ts 
diff --git a/apps/sim/app/api/function/execute/route.ts b/apps/sim/app/api/function/execute/route.ts index 4ccbd8d7c..441bf788d 100644 --- a/apps/sim/app/api/function/execute/route.ts +++ b/apps/sim/app/api/function/execute/route.ts @@ -845,6 +845,8 @@ export async function POST(req: NextRequest) { contextVariables, timeoutMs: timeout, requestId, + ownerKey: `user:${auth.userId}`, + ownerWeight: 1, }) const executionTime = Date.now() - startTime diff --git a/apps/sim/app/api/workflows/[id]/execute/route.ts b/apps/sim/app/api/workflows/[id]/execute/route.ts index 7c4cdc9db..06984a3e2 100644 --- a/apps/sim/app/api/workflows/[id]/execute/route.ts +++ b/apps/sim/app/api/workflows/[id]/execute/route.ts @@ -325,6 +325,11 @@ export async function POST(req: NextRequest, { params }: { params: Promise<{ id: requestId ) + // Client-side sessions and personal API keys bill/permission-check the + // authenticated user, not the workspace billed account. + const useAuthenticatedUserAsActor = + isClientSession || (auth.authType === 'api_key' && auth.apiKeyType === 'personal') + const preprocessResult = await preprocessExecution({ workflowId, userId, @@ -334,6 +339,7 @@ export async function POST(req: NextRequest, { params }: { params: Promise<{ id: checkDeployment: !shouldUseDraftState, loggingSession, useDraftState: shouldUseDraftState, + useAuthenticatedUserAsActor, }) if (!preprocessResult.success) { diff --git a/apps/sim/executor/handlers/agent/agent-handler.ts b/apps/sim/executor/handlers/agent/agent-handler.ts index b4c2794a8..a1f0cee0d 100644 --- a/apps/sim/executor/handlers/agent/agent-handler.ts +++ b/apps/sim/executor/handlers/agent/agent-handler.ts @@ -326,6 +326,7 @@ export class AgentBlockHandler implements BlockHandler { _context: { workflowId: ctx.workflowId, workspaceId: ctx.workspaceId, + userId: ctx.userId, isDeployedContext: ctx.isDeployedContext, }, }, 
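Review bot: The `ownerKey` added in function/execute/route.ts is built from `auth.userId`, which `AuthResult` declares as optional; if it is undefined at this point the key becomes the literal `user:undefined`, and every such execution lands in one shared bucket of what is presumably the fair-scheduling queue. Whether the route rejects requests without a user id before reaching this call is outside the hunk. Add an explicit guard that returns an authentication error when `auth.userId` is missing, or a comment naming where that is guaranteed. The loop.ts hunk builds its key from `ctx.userId` in the same way.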
diff --git a/apps/sim/executor/handlers/api/api-handler.ts b/apps/sim/executor/handlers/api/api-handler.ts index 562067cdf..83c710bef 100644 --- a/apps/sim/executor/handlers/api/api-handler.ts +++ b/apps/sim/executor/handlers/api/api-handler.ts @@ -72,6 +72,7 @@ export class ApiBlockHandler implements BlockHandler { workflowId: ctx.workflowId, workspaceId: ctx.workspaceId, executionId: ctx.executionId, + userId: ctx.userId, isDeployedContext: ctx.isDeployedContext, }, }, diff --git a/apps/sim/executor/handlers/condition/condition-handler.ts b/apps/sim/executor/handlers/condition/condition-handler.ts index 96fe0db4b..0c88e0e78 100644 --- a/apps/sim/executor/handlers/condition/condition-handler.ts +++ b/apps/sim/executor/handlers/condition/condition-handler.ts @@ -48,6 +48,7 @@ export async function evaluateConditionExpression( _context: { workflowId: ctx.workflowId, workspaceId: ctx.workspaceId, + userId: ctx.userId, isDeployedContext: ctx.isDeployedContext, }, }, diff --git a/apps/sim/executor/handlers/function/function-handler.ts b/apps/sim/executor/handlers/function/function-handler.ts index 624a262d3..d8e1209e5 100644 --- a/apps/sim/executor/handlers/function/function-handler.ts +++ b/apps/sim/executor/handlers/function/function-handler.ts @@ -39,6 +39,7 @@ export class FunctionBlockHandler implements BlockHandler { _context: { workflowId: ctx.workflowId, workspaceId: ctx.workspaceId, + userId: ctx.userId, isDeployedContext: ctx.isDeployedContext, }, }, diff --git a/apps/sim/executor/handlers/generic/generic-handler.ts b/apps/sim/executor/handlers/generic/generic-handler.ts index 558a37dee..c6a6b7e9f 100644 --- a/apps/sim/executor/handlers/generic/generic-handler.ts +++ b/apps/sim/executor/handlers/generic/generic-handler.ts @@ -66,6 +66,7 @@ export class GenericBlockHandler implements BlockHandler { workflowId: ctx.workflowId, workspaceId: ctx.workspaceId, executionId: ctx.executionId, + userId: ctx.userId, isDeployedContext: ctx.isDeployedContext, }, }, 
diff --git a/apps/sim/executor/handlers/human-in-the-loop/human-in-the-loop-handler.ts b/apps/sim/executor/handlers/human-in-the-loop/human-in-the-loop-handler.ts index dd53a0a0e..2a23c622c 100644 --- a/apps/sim/executor/handlers/human-in-the-loop/human-in-the-loop-handler.ts +++ b/apps/sim/executor/handlers/human-in-the-loop/human-in-the-loop-handler.ts @@ -605,6 +605,7 @@ export class HumanInTheLoopBlockHandler implements BlockHandler { _context: { workflowId: ctx.workflowId, workspaceId: ctx.workspaceId, + userId: ctx.userId, isDeployedContext: ctx.isDeployedContext, }, blockData: blockDataWithPause, diff --git a/apps/sim/executor/orchestrators/loop.ts b/apps/sim/executor/orchestrators/loop.ts index 8bdf8edd2..456838d1e 100644 --- a/apps/sim/executor/orchestrators/loop.ts +++ b/apps/sim/executor/orchestrators/loop.ts @@ -511,6 +511,8 @@ export class LoopOrchestrator { contextVariables: {}, timeoutMs: LOOP_CONDITION_TIMEOUT_MS, requestId, + ownerKey: `user:${ctx.userId}`, + ownerWeight: 1, }) if (vmResult.error) { diff --git a/apps/sim/lib/auth/hybrid.ts b/apps/sim/lib/auth/hybrid.ts index 2b49d7158..1c34286f6 100644 --- a/apps/sim/lib/auth/hybrid.ts +++ b/apps/sim/lib/auth/hybrid.ts @@ -1,7 +1,4 @@ -import { db } from '@sim/db' -import { workflow } from '@sim/db/schema' import { createLogger } from '@sim/logger' -import { eq } from 'drizzle-orm' import type { NextRequest } from 'next/server' import { authenticateApiKeyFromHeader, updateApiKeyLastUsed } from '@/lib/api-key/service' import { getSession } from '@/lib/auth' 
@@ -13,35 +10,33 @@ export interface AuthResult { success: boolean userId?: string authType?: 'session' | 'api_key' | 'internal_jwt' + apiKeyType?: 'personal' | 'workspace' error?: string } /** * Resolves userId from a verified internal JWT token. - * Extracts workflowId/userId from URL params or POST body, then looks up userId if needed. + * Extracts userId from the JWT payload, URL search params, or POST body. */ async function resolveUserFromJwt( request: NextRequest, verificationUserId: string | null, options: { requireWorkflowId?: boolean } ): Promise { - let workflowId: string | null = null let userId: string | null = verificationUserId - const { searchParams } = new URL(request.url) - workflowId = searchParams.get('workflowId') if (!userId) { + const { searchParams } = new URL(request.url) userId = searchParams.get('userId') } - if (!workflowId && !userId && request.method === 'POST') { + if (!userId && request.method === 'POST') { try { const clonedRequest = request.clone() const bodyText = await clonedRequest.text() if (bodyText) { const body = JSON.parse(bodyText) - workflowId = body.workflowId || body._context?.workflowId - userId = userId || body.userId || body._context?.userId + userId = body.userId || body._context?.userId || null } } catch { // Ignore JSON parse errors 
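Review bot: The POST-body fallback assigns `body.userId || body._context?.userId || null` without checking the type, so an object, array or number in that field is returned as `userId` in an `AuthResult` that declares it a string; the query-string path cannot do this because `searchParams.get` only returns strings. Since this value is now the only source of identity when the token carries no user id, I would narrow it before use: `const candidate = body?.userId || body?._context?.userId` followed by `userId = typeof candidate === 'string' && candidate.length > 0 ? candidate : null`. The optional chaining on `body` also covers a payload that parses to `null`, which today throws inside the `try` and is silently swallowed by the empty `catch`. The function body continues outside this hunk.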
@@ -52,22 +47,8 @@ async function resolveUserFromJwt( return { success: true, userId, authType: 'internal_jwt' } } - if (workflowId) { - const [workflowData] = await db - .select({ userId: workflow.userId }) - .from(workflow) - .where(eq(workflow.id, workflowId)) - .limit(1) - - if (!workflowData) { - return { success: false, error: 'Workflow not found' } - } - - return { success: true, userId: workflowData.userId, authType: 'internal_jwt' } - } - if (options.requireWorkflowId !== false) { - return { success: false, error: 'workflowId or userId required for internal JWT calls' } + return { success: false, error: 'userId required for internal JWT calls' } } return { success: true, authType: 'internal_jwt' } @@ -222,6 +203,7 @@ export async function checkHybridAuth( success: true, userId: result.userId!, authType: 'api_key', + apiKeyType: result.keyType, } } diff --git a/apps/sim/lib/core/config/env.ts b/apps/sim/lib/core/config/env.ts index 48e1a630d..685cf0e9d 100644 --- a/apps/sim/lib/core/config/env.ts +++ b/apps/sim/lib/core/config/env.ts 
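Review bot: After this hunk the `requireWorkflowId` option decides whether a missing `userId` is an error, and nothing in `resolveUserFromJwt` reads a workflow id any more, so the option name no longer describes what it controls. A caller passing `requireWorkflowId: false` is in effect accepting an internal call with no resolved user, and that should be readable at the call site. If renaming is out of scope for this commit, a comment above the check would do: `// requireWorkflowId is a legacy name: it now means "reject when no userId could be resolved"`. The function starts outside the hunk.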
@@ -183,6 +183,24 @@ export const env = createEnv({ EXECUTION_TIMEOUT_ASYNC_TEAM: z.string().optional().default('5400'), // 90 minutes EXECUTION_TIMEOUT_ASYNC_ENTERPRISE: z.string().optional().default('5400'), // 90 minutes + // Isolated-VM Worker Pool Configuration + IVM_POOL_SIZE: z.string().optional().default('4'), // Max worker processes in pool + IVM_MAX_CONCURRENT: z.string().optional().default('10000'), // Max concurrent executions globally + IVM_MAX_PER_WORKER: z.string().optional().default('2500'), // Max concurrent executions per worker + IVM_WORKER_IDLE_TIMEOUT_MS: z.string().optional().default('60000'), // Worker idle cleanup timeout (ms) + IVM_MAX_QUEUE_SIZE: z.string().optional().default('10000'), // Max pending queued executions in memory + IVM_MAX_FETCH_RESPONSE_BYTES: z.string().optional().default('8388608'),// Max bytes read from sandbox fetch responses + IVM_MAX_FETCH_RESPONSE_CHARS: z.string().optional().default('4000000'),// Max chars returned to sandbox from fetch body + IVM_MAX_FETCH_OPTIONS_JSON_CHARS: z.string().optional().default('262144'), // Max JSON payload size for sandbox fetch options + IVM_MAX_FETCH_URL_LENGTH: z.string().optional().default('8192'), // Max URL length accepted by sandbox fetch + IVM_MAX_STDOUT_CHARS: z.string().optional().default('200000'), // Max captured stdout characters per execution + IVM_MAX_ACTIVE_PER_OWNER: z.string().optional().default('200'), // Max active executions per owner (per process) + IVM_MAX_QUEUED_PER_OWNER: z.string().optional().default('2000'), // Max queued executions per owner (per process) + IVM_MAX_OWNER_WEIGHT: z.string().optional().default('5'), // Max accepted weight for weighted owner scheduling + IVM_DISTRIBUTED_MAX_INFLIGHT_PER_OWNER:z.string().optional().default('2200'), // Max owner in-flight leases across replicas + IVM_DISTRIBUTED_LEASE_MIN_TTL_MS: z.string().optional().default('120000'), // Min TTL for distributed in-flight leases (ms) + IVM_QUEUE_TIMEOUT_MS: 
z.string().optional().default('300000'), // Max queue wait before rejection (ms) + // Knowledge Base Processing Configuration - Shared across all processing methods KB_CONFIG_MAX_DURATION: z.number().optional().default(600), // Max processing duration in seconds (10 minutes) KB_CONFIG_MAX_ATTEMPTS: z.number().optional().default(3), // Max retry attempts diff --git a/apps/sim/lib/core/security/input-validation.server.ts b/apps/sim/lib/core/security/input-validation.server.ts index e8c0ec861..2a912240c 100644 --- a/apps/sim/lib/core/security/input-validation.server.ts +++ b/apps/sim/lib/core/security/input-validation.server.ts @@ -103,6 +103,7 @@ export interface SecureFetchOptions { body?: string | Buffer | Uint8Array timeout?: number maxRedirects?: number + maxResponseBytes?: number } export class SecureFetchHeaders { @@ -165,6 +166,7 @@ export async function secureFetchWithPinnedIP( redirectCount = 0 ): Promise { const maxRedirects = options.maxRedirects ?? DEFAULT_MAX_REDIRECTS + const maxResponseBytes = options.maxResponseBytes return new Promise((resolve, reject) => { const parsed = new URL(url) @@ -237,14 +239,32 @@ export async function secureFetchWithPinnedIP( } const chunks: Buffer[] = [] + let totalBytes = 0 + let responseTerminated = false - res.on('data', (chunk: Buffer) => chunks.push(chunk)) + res.on('data', (chunk: Buffer) => { + if (responseTerminated) return + + totalBytes += chunk.length + if ( + typeof maxResponseBytes === 'number' && + maxResponseBytes > 0 && + totalBytes > maxResponseBytes + ) { + responseTerminated = true + res.destroy(new Error(`Response exceeded maximum size of ${maxResponseBytes} bytes`)) + return + } + + chunks.push(chunk) + }) res.on('error', (error) => { reject(error) }) res.on('end', () => { + if (responseTerminated) return const bodyBuffer = Buffer.concat(chunks) const body = bodyBuffer.toString('utf-8') const headersRecord: Record = {} 
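Review bot: The new `IVM_*` limits in `env.ts` are declared as bare `z.string()`, so a typo, `0` or a negative number passes config validation. The consumers visible in this patch parse them with `Number.parseInt(...) || <default>`, which silently swaps `NaN` and `0` for the default but keeps a negative value as the effective limit. Because these settings bound sandbox concurrency, queue depth and fetch sizes, I would reject bad values at load time, for example `IVM_MAX_QUEUE_SIZE: z.string().regex(/^[1-9]\d*$/).optional().default('10000'),` applied to each entry.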
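Review bot: `const maxResponseBytes = options.maxResponseBytes` in `secureFetchWithPinnedIP` has no default, unlike `maxRedirects` on the line above it, and the `data` handler enforces the cap only when the value is a positive number, so any caller that does not pass the option still buffers a response of arbitrary size into `chunks`. I would give it a default next to `DEFAULT_MAX_REDIRECTS`, e.g. `const maxResponseBytes = options.maxResponseBytes ?? DEFAULT_MAX_RESPONSE_BYTES` (the constant name is a suggestion and its value is for the team to choose), and document on `SecureFetchOptions` that the limit counts bytes as received by this handler. When the cap trips, clearing the buffer with `chunks.length = 0` before `res.destroy(...)` releases the data already collected. Both the interface and the function continue outside these hunks.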
diff --git a/apps/sim/lib/execution/isolated-vm-worker.cjs b/apps/sim/lib/execution/isolated-vm-worker.cjs index 3deb76166..2641b80e1 100644 --- a/apps/sim/lib/execution/isolated-vm-worker.cjs +++ b/apps/sim/lib/execution/isolated-vm-worker.cjs @@ -9,6 +9,21 @@ const USER_CODE_START_LINE = 4 const pendingFetches = new Map() let fetchIdCounter = 0 const FETCH_TIMEOUT_MS = 300000 // 5 minutes +const MAX_STDOUT_CHARS = Number.parseInt(process.env.IVM_MAX_STDOUT_CHARS || '', 10) || 200000 +const MAX_FETCH_OPTIONS_JSON_CHARS = + Number.parseInt(process.env.IVM_MAX_FETCH_OPTIONS_JSON_CHARS || '', 10) || 256 * 1024 + +function stringifyLogValue(value) { + if (typeof value !== 'object' || value === null) { + return String(value) + } + + try { + return JSON.stringify(value) + } catch { + return '[unserializable]' + } +} /** * Extract line and column from error stack or message @@ -101,8 +116,32 @@ function convertToCompatibleError(errorInfo, userCode) { async function executeCode(request) { const { code, params, envVars, contextVariables, timeoutMs, requestId } = request const stdoutChunks = [] + let stdoutLength = 0 + let stdoutTruncated = false let isolate = null + const appendStdout = (line) => { + if (stdoutTruncated || !line) return + + const remaining = MAX_STDOUT_CHARS - stdoutLength + if (remaining <= 0) { + stdoutTruncated = true + stdoutChunks.push('[stdout truncated]\n') + return + } + + if (line.length <= remaining) { + stdoutChunks.push(line) + stdoutLength += line.length + return + } + + stdoutChunks.push(line.slice(0, remaining)) + stdoutChunks.push('\n[stdout truncated]\n') + stdoutLength = MAX_STDOUT_CHARS + stdoutTruncated = true + } + try { isolate = new ivm.Isolate({ memoryLimit: 128 }) const context = await isolate.createContext() 
@@ -111,18 +150,14 @@ async function executeCode(request) { await jail.set('global', jail.derefInto()) const logCallback = new ivm.Callback((...args) => { - const message = args - .map((arg) => (typeof arg === 'object' ? JSON.stringify(arg) : String(arg))) - .join(' ') - stdoutChunks.push(`${message}\n`) + const message = args.map((arg) => stringifyLogValue(arg)).join(' ') + appendStdout(`${message}\n`) }) await jail.set('__log', logCallback) const errorCallback = new ivm.Callback((...args) => { - const message = args - .map((arg) => (typeof arg === 'object' ? JSON.stringify(arg) : String(arg))) - .join(' ') - stdoutChunks.push(`ERROR: ${message}\n`) + const message = args.map((arg) => stringifyLogValue(arg)).join(' ') + appendStdout(`ERROR: ${message}\n`) }) await jail.set('__error', errorCallback) @@ -178,6 +213,9 @@ async function executeCode(request) { } catch { throw new Error('fetch options must be JSON-serializable'); } + if (optionsJson.length > ${MAX_FETCH_OPTIONS_JSON_CHARS}) { + throw new Error('fetch options exceed maximum payload size'); + } } const resultJson = await __fetchRef.apply(undefined, [url, optionsJson], { result: { promise: true } }); let result; diff --git a/apps/sim/lib/execution/isolated-vm.test.ts b/apps/sim/lib/execution/isolated-vm.test.ts new file mode 100644 index 000000000..17fb20c0d --- /dev/null +++ b/apps/sim/lib/execution/isolated-vm.test.ts 
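Review bot: Both console callbacks still run `stringifyLogValue` over every argument and join the result after the stdout cap has been reached, and `appendStdout` then discards the string; sandboxed code that keeps logging large objects goes on costing the worker CPU and transient memory although nothing more is recorded. Add `if (stdoutTruncated) return` as the first statement of `logCallback` and of `errorCallback`. The cap is also applied after serialization, so a single large argument is fully stringified before `line.slice(0, remaining)` trims it; a short comment on `appendStdout` saying that it bounds retained output only would keep that limit from being over-read. `executeCode` starts and ends outside this hunk.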
@@ -0,0 +1,500 @@ +import { EventEmitter } from 'node:events' +import { afterEach, describe, expect, it, vi } from 'vitest' + +type MockProc = EventEmitter & { + connected: boolean + stderr: EventEmitter + send: (message: unknown) => boolean + kill: () => boolean +} + +type SpawnFactory = () => MockProc +type RedisEval = (...args: any[]) => unknown | Promise +type SecureFetchImpl = (...args: any[]) => unknown | Promise + +function createBaseProc(): MockProc { + const proc = new EventEmitter() as MockProc + proc.connected = true + proc.stderr = new EventEmitter() + proc.send = () => true + proc.kill = () => { + if (!proc.connected) return true + proc.connected = false + setImmediate(() => proc.emit('exit', 0)) + return true + } + return proc +} + +function createStartupFailureProc(): MockProc { + const proc = createBaseProc() + setImmediate(() => { + proc.connected = false + proc.emit('exit', 1) + }) + return proc +} + +function createReadyProc(result: unknown): MockProc { + const proc = createBaseProc() + proc.send = (message: unknown) => { + const msg = message as { type?: string; executionId?: number } + if (msg.type === 'execute') { + setImmediate(() => { + proc.emit('message', { + type: 'result', + executionId: msg.executionId, + result: { result, stdout: '' }, + }) + }) + } + return true + } + setImmediate(() => proc.emit('message', { type: 'ready' })) + return proc +} + +function createReadyProcWithDelay(delayMs: number): MockProc { + const proc = createBaseProc() + proc.send = (message: unknown) => { + const msg = message as { type?: string; executionId?: number; request?: { requestId?: string } } + if (msg.type === 'execute') { + setTimeout(() => { + proc.emit('message', { + type: 'result', + executionId: msg.executionId, + result: { result: msg.request?.requestId ?? 
'unknown', stdout: '' }, + }) + }, delayMs) + } + return true + } + setImmediate(() => proc.emit('message', { type: 'ready' })) + return proc +} + +function createReadyFetchProxyProc(fetchMessage: { url: string; optionsJson?: string }): MockProc { + const proc = createBaseProc() + let currentExecutionId = 0 + + proc.send = (message: unknown) => { + const msg = message as { type?: string; executionId?: number; request?: { requestId?: string } } + + if (msg.type === 'execute') { + currentExecutionId = msg.executionId ?? 0 + setImmediate(() => { + proc.emit('message', { + type: 'fetch', + fetchId: 1, + requestId: msg.request?.requestId ?? 'fetch-test', + url: fetchMessage.url, + optionsJson: fetchMessage.optionsJson, + }) + }) + return true + } + + if (msg.type === 'fetchResponse') { + const fetchResponse = message as { response?: string } + setImmediate(() => { + proc.emit('message', { + type: 'result', + executionId: currentExecutionId, + result: { result: fetchResponse.response ?? '', stdout: '' }, + }) + }) + return true + } + + return true + } + + setImmediate(() => proc.emit('message', { type: 'ready' })) + return proc +} + +async function loadExecutionModule(options: { + envOverrides?: Record + spawns: SpawnFactory[] + redisEvalImpl?: RedisEval + secureFetchImpl?: SecureFetchImpl +}) { + vi.resetModules() + + const spawnQueue = [...options.spawns] + const spawnMock = vi.fn(() => { + const next = spawnQueue.shift() + if (!next) { + throw new Error('No mock spawn factory configured') + } + return next() as any + }) + + vi.doMock('@sim/logger', () => ({ + createLogger: () => ({ + info: vi.fn(), + warn: vi.fn(), + error: vi.fn(), + }), + })) + + const secureFetchMock = vi.fn( + options.secureFetchImpl ?? 
+ (async () => ({ + ok: true, + status: 200, + statusText: 'OK', + headers: new Map(), + text: async () => '', + json: async () => ({}), + arrayBuffer: async () => new ArrayBuffer(0), + })) + ) + vi.doMock('@/lib/core/security/input-validation.server', () => ({ + secureFetchWithValidation: secureFetchMock, + })) + + vi.doMock('@/lib/core/config/env', () => ({ + env: { + IVM_POOL_SIZE: '1', + IVM_MAX_CONCURRENT: '100', + IVM_MAX_PER_WORKER: '100', + IVM_WORKER_IDLE_TIMEOUT_MS: '60000', + IVM_MAX_QUEUE_SIZE: '10', + IVM_MAX_ACTIVE_PER_OWNER: '100', + IVM_MAX_QUEUED_PER_OWNER: '10', + IVM_MAX_OWNER_WEIGHT: '5', + IVM_DISTRIBUTED_MAX_INFLIGHT_PER_OWNER: '100', + IVM_DISTRIBUTED_LEASE_MIN_TTL_MS: '1000', + IVM_QUEUE_TIMEOUT_MS: '1000', + ...(options.envOverrides ?? {}), + }, + })) + + const redisEval = options.redisEvalImpl ? vi.fn(options.redisEvalImpl) : undefined + vi.doMock('@/lib/core/config/redis', () => ({ + getRedisClient: vi.fn(() => + redisEval + ? ({ + eval: redisEval, + } as any) + : null + ), + })) + + vi.doMock('node:child_process', () => ({ + execSync: vi.fn(() => Buffer.from('v23.11.0')), + spawn: spawnMock, + })) + + const mod = await import('./isolated-vm') + return { ...mod, spawnMock, secureFetchMock } +} + +describe('isolated-vm scheduler', () => { + afterEach(() => { + vi.restoreAllMocks() + vi.resetModules() + }) + + it('recovers from an initial spawn failure and drains queued work', async () => { + const { executeInIsolatedVM, spawnMock } = await loadExecutionModule({ + spawns: [createStartupFailureProc, () => createReadyProc('ok')], + }) + + const result = await executeInIsolatedVM({ + code: 'return "ok"', + params: {}, + envVars: {}, + contextVariables: {}, + timeoutMs: 100, + requestId: 'req-1', + }) + + expect(result.error).toBeUndefined() + expect(result.result).toBe('ok') + expect(spawnMock).toHaveBeenCalledTimes(2) + }) + + it('rejects new requests when the queue is full', async () => { + const { executeInIsolatedVM } = await 
loadExecutionModule({ + envOverrides: { + IVM_MAX_QUEUE_SIZE: '1', + IVM_QUEUE_TIMEOUT_MS: '200', + }, + spawns: [createStartupFailureProc, createStartupFailureProc, createStartupFailureProc], + }) + + const firstPromise = executeInIsolatedVM({ + code: 'return 1', + params: {}, + envVars: {}, + contextVariables: {}, + timeoutMs: 100, + requestId: 'req-2', + ownerKey: 'user:a', + }) + + await new Promise((resolve) => setTimeout(resolve, 25)) + + const second = await executeInIsolatedVM({ + code: 'return 2', + params: {}, + envVars: {}, + contextVariables: {}, + timeoutMs: 100, + requestId: 'req-3', + ownerKey: 'user:b', + }) + + expect(second.error?.message).toContain('at capacity') + + const first = await firstPromise + expect(first.error?.message).toContain('timed out waiting') + }) + + it('enforces per-owner queued limit', async () => { + const { executeInIsolatedVM } = await loadExecutionModule({ + envOverrides: { + IVM_MAX_QUEUED_PER_OWNER: '1', + IVM_QUEUE_TIMEOUT_MS: '200', + }, + spawns: [createStartupFailureProc, createStartupFailureProc, createStartupFailureProc], + }) + + const firstPromise = executeInIsolatedVM({ + code: 'return 1', + params: {}, + envVars: {}, + contextVariables: {}, + timeoutMs: 100, + requestId: 'req-4', + ownerKey: 'user:hog', + }) + + await new Promise((resolve) => setTimeout(resolve, 25)) + + const second = await executeInIsolatedVM({ + code: 'return 2', + params: {}, + envVars: {}, + contextVariables: {}, + timeoutMs: 100, + requestId: 'req-5', + ownerKey: 'user:hog', + }) + + expect(second.error?.message).toContain('Too many concurrent') + + const first = await firstPromise + expect(first.error?.message).toContain('timed out waiting') + }) + + it('enforces distributed owner in-flight lease limit when Redis is configured', async () => { + const { executeInIsolatedVM } = await loadExecutionModule({ + envOverrides: { + IVM_DISTRIBUTED_MAX_INFLIGHT_PER_OWNER: '1', + REDIS_URL: 'redis://localhost:6379', + }, + spawns: [() => 
createReadyProc('ok')], + redisEvalImpl: (...args: any[]) => { + const script = String(args[0] ?? '') + if (script.includes('ZREMRANGEBYSCORE')) { + return 0 + } + return 1 + }, + }) + + const result = await executeInIsolatedVM({ + code: 'return "blocked"', + params: {}, + envVars: {}, + contextVariables: {}, + timeoutMs: 100, + requestId: 'req-6', + ownerKey: 'user:distributed', + }) + + expect(result.error?.message).toContain('Too many concurrent') + }) + + it('fails closed when Redis is configured but unavailable', async () => { + const { executeInIsolatedVM } = await loadExecutionModule({ + envOverrides: { + REDIS_URL: 'redis://localhost:6379', + }, + spawns: [() => createReadyProc('ok')], + }) + + const result = await executeInIsolatedVM({ + code: 'return "blocked"', + params: {}, + envVars: {}, + contextVariables: {}, + timeoutMs: 100, + requestId: 'req-7', + ownerKey: 'user:redis-down', + }) + + expect(result.error?.message).toContain('temporarily unavailable') + }) + + it('fails closed when Redis lease evaluation errors', async () => { + const { executeInIsolatedVM } = await loadExecutionModule({ + envOverrides: { + REDIS_URL: 'redis://localhost:6379', + }, + spawns: [() => createReadyProc('ok')], + redisEvalImpl: (...args: any[]) => { + const script = String(args[0] ?? 
'') + if (script.includes('ZREMRANGEBYSCORE')) { + throw new Error('redis timeout') + } + return 1 + }, + }) + + const result = await executeInIsolatedVM({ + code: 'return "blocked"', + params: {}, + envVars: {}, + contextVariables: {}, + timeoutMs: 100, + requestId: 'req-8', + ownerKey: 'user:redis-error', + }) + + expect(result.error?.message).toContain('temporarily unavailable') + }) + + it('applies weighted owner scheduling when draining queued executions', async () => { + const { executeInIsolatedVM } = await loadExecutionModule({ + envOverrides: { + IVM_MAX_PER_WORKER: '1', + }, + spawns: [() => createReadyProcWithDelay(10)], + }) + + const completionOrder: string[] = [] + const pushCompletion = (label: string) => (res: { result: unknown }) => { + completionOrder.push(String(res.result ?? label)) + return res + } + + const p1 = executeInIsolatedVM({ + code: 'return 1', + params: {}, + envVars: {}, + contextVariables: {}, + timeoutMs: 500, + requestId: 'a-1', + ownerKey: 'user:a', + ownerWeight: 2, + }).then(pushCompletion('a-1')) + + const p2 = executeInIsolatedVM({ + code: 'return 2', + params: {}, + envVars: {}, + contextVariables: {}, + timeoutMs: 500, + requestId: 'a-2', + ownerKey: 'user:a', + ownerWeight: 2, + }).then(pushCompletion('a-2')) + + const p3 = executeInIsolatedVM({ + code: 'return 3', + params: {}, + envVars: {}, + contextVariables: {}, + timeoutMs: 500, + requestId: 'b-1', + ownerKey: 'user:b', + ownerWeight: 1, + }).then(pushCompletion('b-1')) + + const p4 = executeInIsolatedVM({ + code: 'return 4', + params: {}, + envVars: {}, + contextVariables: {}, + timeoutMs: 500, + requestId: 'b-2', + ownerKey: 'user:b', + ownerWeight: 1, + }).then(pushCompletion('b-2')) + + const p5 = executeInIsolatedVM({ + code: 'return 5', + params: {}, + envVars: {}, + contextVariables: {}, + timeoutMs: 500, + requestId: 'a-3', + ownerKey: 'user:a', + ownerWeight: 2, + }).then(pushCompletion('a-3')) + + await Promise.all([p1, p2, p3, p4, p5]) + + 
expect(completionOrder.slice(0, 3)).toEqual(['a-1', 'a-2', 'a-3']) + expect(completionOrder).toEqual(['a-1', 'a-2', 'a-3', 'b-1', 'b-2']) + }) + + it('rejects oversized fetch options payloads before outbound call', async () => { + const { executeInIsolatedVM, secureFetchMock } = await loadExecutionModule({ + envOverrides: { + IVM_MAX_FETCH_OPTIONS_JSON_CHARS: '50', + }, + spawns: [ + () => + createReadyFetchProxyProc({ + url: 'https://example.com', + optionsJson: 'x'.repeat(100), + }), + ], + }) + + const result = await executeInIsolatedVM({ + code: 'return "fetch-options"', + params: {}, + envVars: {}, + contextVariables: {}, + timeoutMs: 100, + requestId: 'req-fetch-options', + }) + + const payload = JSON.parse(String(result.result)) + expect(payload.error).toContain('Fetch options exceed maximum payload size') + expect(secureFetchMock).not.toHaveBeenCalled() + }) + + it('rejects overly long fetch URLs before outbound call', async () => { + const { executeInIsolatedVM, secureFetchMock } = await loadExecutionModule({ + envOverrides: { + IVM_MAX_FETCH_URL_LENGTH: '30', + }, + spawns: [ + () => + createReadyFetchProxyProc({ + url: 'https://example.com/path/to/a/very/long/resource', + }), + ], + }) + + const result = await executeInIsolatedVM({ + code: 'return "fetch-url"', + params: {}, + envVars: {}, + contextVariables: {}, + timeoutMs: 100, + requestId: 'req-fetch-url', + }) + + const payload = JSON.parse(String(result.result)) + expect(payload.error).toContain('fetch URL exceeds maximum length') + expect(secureFetchMock).not.toHaveBeenCalled() + }) +}) diff --git a/apps/sim/lib/execution/isolated-vm.ts b/apps/sim/lib/execution/isolated-vm.ts index 472fc12b2..75567aed5 100644 --- a/apps/sim/lib/execution/isolated-vm.ts +++ b/apps/sim/lib/execution/isolated-vm.ts 
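Review bot: None of the Redis cases in `isolated-vm.test.ts` asserts that a lease is released: the three tests that set `REDIS_URL` cover only a refused or failed acquisition. A regression that skips `releaseDistributedLease` after a run would pass this suite while leaving the owner counted as in flight until the lease TTL expires, which locks that owner out once the limit is reached. I would add a case whose `redisEvalImpl` records the scripts it receives, returns 1 for the acquire script, and expects a later call whose script contains `ZREM` once `executeInIsolatedVM` has resolved. The response-size cap added to `secureFetchWithPinnedIP` and the stdout cap in the worker have no test in this file either.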
@@ -3,7 +3,13 @@ import fs from 'node:fs' import path from 'node:path' import { fileURLToPath } from 'node:url' import { createLogger } from '@sim/logger' -import { validateProxyUrl } from '@/lib/core/security/input-validation' +import { env } from '@/lib/core/config/env' +import { getRedisClient } from '@/lib/core/config/redis' +import { + type SecureFetchOptions, + secureFetchWithValidation, +} from '@/lib/core/security/input-validation.server' +import { sanitizeUrlForLog } from '@/lib/core/utils/logging' const logger = createLogger('IsolatedVMExecution') @@ -27,6 +33,8 @@ export interface IsolatedVMExecutionRequest { contextVariables: Record timeoutMs: number requestId: string + ownerKey?: string + ownerWeight?: number } export interface IsolatedVMExecutionResult { 
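Review bot: `ownerKey` and `ownerWeight` are added to `IsolatedVMExecutionRequest` with no doc comment, although they decide which quota bucket a run is charged to and `ownerKey` becomes part of a Redis key (`ivm:fair:v1:owner:<ownerKey>`, per the helpers added further down in this file). I would document them in place: `/** Quota and fairness bucket, e.g. "user:<id>"; blank or missing is treated as "anonymous". Set it from the authenticated execution context, never from workflow input. */` on `ownerKey`, and `/** Scheduling weight; floored and clamped to 1..IVM_MAX_OWNER_WEIGHT, default 1. */` on `ownerWeight`. The interface starts outside the hunk.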
@@ -44,90 +52,478 @@ export interface IsolatedVMError { lineContent?: string } +const POOL_SIZE = Number.parseInt(env.IVM_POOL_SIZE) || 4 +const MAX_CONCURRENT = Number.parseInt(env.IVM_MAX_CONCURRENT) || 10000 +const MAX_PER_WORKER = Number.parseInt(env.IVM_MAX_PER_WORKER) || 2500 +const WORKER_IDLE_TIMEOUT_MS = Number.parseInt(env.IVM_WORKER_IDLE_TIMEOUT_MS) || 60000 +const QUEUE_TIMEOUT_MS = Number.parseInt(env.IVM_QUEUE_TIMEOUT_MS) || 300000 +const MAX_QUEUE_SIZE = Number.parseInt(env.IVM_MAX_QUEUE_SIZE) || 10000 +const MAX_FETCH_RESPONSE_BYTES = Number.parseInt(env.IVM_MAX_FETCH_RESPONSE_BYTES) || 8_388_608 +const MAX_FETCH_RESPONSE_CHARS = Number.parseInt(env.IVM_MAX_FETCH_RESPONSE_CHARS) || 4_000_000 +const MAX_FETCH_URL_LENGTH = Number.parseInt(env.IVM_MAX_FETCH_URL_LENGTH) || 8192 +const MAX_FETCH_OPTIONS_JSON_CHARS = + Number.parseInt(env.IVM_MAX_FETCH_OPTIONS_JSON_CHARS) || 262_144 +const MAX_ACTIVE_PER_OWNER = Number.parseInt(env.IVM_MAX_ACTIVE_PER_OWNER) || 200 +const MAX_QUEUED_PER_OWNER = Number.parseInt(env.IVM_MAX_QUEUED_PER_OWNER) || 2000 +const MAX_OWNER_WEIGHT = Number.parseInt(env.IVM_MAX_OWNER_WEIGHT) || 5 +const DISTRIBUTED_MAX_INFLIGHT_PER_OWNER = + Number.parseInt(env.IVM_DISTRIBUTED_MAX_INFLIGHT_PER_OWNER) || + MAX_ACTIVE_PER_OWNER + MAX_QUEUED_PER_OWNER +const DISTRIBUTED_LEASE_MIN_TTL_MS = Number.parseInt(env.IVM_DISTRIBUTED_LEASE_MIN_TTL_MS) || 120000 +const DISTRIBUTED_KEY_PREFIX = 'ivm:fair:v1:owner' +const QUEUE_RETRY_DELAY_MS = 1000 +const DISTRIBUTED_LEASE_GRACE_MS = 30000 + interface PendingExecution { resolve: (result: IsolatedVMExecutionResult) => void timeout: ReturnType + ownerKey: string } -let worker: ChildProcess | null = null -let workerReady = false -let workerReadyPromise: Promise | null = null -let workerIdleTimeout: ReturnType | null = null -const pendingExecutions = new Map() +interface WorkerInfo { + process: ChildProcess + ready: boolean + readyPromise: Promise | null + activeExecutions: number + pendingExecutions: 
Map + idleTimeout: ReturnType | null + id: number +} + +interface QueuedExecution { + id: number + ownerKey: string + req: IsolatedVMExecutionRequest + resolve: (result: IsolatedVMExecutionResult) => void + queueTimeout: ReturnType +} + +interface QueueNode { + ownerKey: string + value: QueuedExecution + prev: QueueNode | null + next: QueueNode | null +} + +interface OwnerState { + ownerKey: string + weight: number + activeExecutions: number + queueHead: QueueNode | null + queueTail: QueueNode | null + queueLength: number + burstRemaining: number +} + +const workers: Map = new Map() +const ownerStates: Map = new Map() +const queuedOwnerRing: string[] = [] +let queuedOwnerCursor = 0 +let queueSize = 0 +const queueNodes: Map = new Map() +let totalActiveExecutions = 0 let executionIdCounter = 0 +let queueIdCounter = 0 +let nextWorkerId = 0 +let spawnInProgress = 0 +let queueDrainRetryTimeout: ReturnType | null = null -const WORKER_IDLE_TIMEOUT_MS = 60000 - -function cleanupWorker() { - if (workerIdleTimeout) { - clearTimeout(workerIdleTimeout) - workerIdleTimeout = null - } - if (worker) { - worker.kill() - worker = null - } - workerReady = false - workerReadyPromise = null +type IsolatedFetchOptions = RequestInit & { + timeout?: number + maxRedirects?: number } -function resetIdleTimeout() { - if (workerIdleTimeout) { - clearTimeout(workerIdleTimeout) +function truncateString(value: string, maxChars: number): { value: string; truncated: boolean } { + if (value.length <= maxChars) { + return { value, truncated: false } } - workerIdleTimeout = setTimeout(() => { - if (pendingExecutions.size === 0) { - logger.info('Cleaning up idle isolated-vm worker') - cleanupWorker() + return { + value: `${value.slice(0, maxChars)}... 
[truncated ${value.length - maxChars} chars]`, + truncated: true, + } +} + +function normalizeFetchOptions(options?: IsolatedFetchOptions): SecureFetchOptions { + if (!options) return { maxResponseBytes: MAX_FETCH_RESPONSE_BYTES } + + const normalized: SecureFetchOptions = { + maxResponseBytes: MAX_FETCH_RESPONSE_BYTES, + } + + if (typeof options.method === 'string' && options.method.length > 0) { + normalized.method = options.method + } + + if ( + typeof options.timeout === 'number' && + Number.isFinite(options.timeout) && + options.timeout > 0 + ) { + normalized.timeout = Math.floor(options.timeout) + } + + if ( + typeof options.maxRedirects === 'number' && + Number.isFinite(options.maxRedirects) && + options.maxRedirects >= 0 + ) { + normalized.maxRedirects = Math.floor(options.maxRedirects) + } + + if (options.headers) { + const headers: Record = {} + if (options.headers instanceof Headers) { + options.headers.forEach((value, key) => { + headers[key] = value + }) + } else if (Array.isArray(options.headers)) { + for (const [key, value] of options.headers) { + headers[String(key)] = String(value) + } + } else { + for (const [key, value] of Object.entries(options.headers)) { + headers[key] = String(value) + } } - }, WORKER_IDLE_TIMEOUT_MS) + normalized.headers = headers + } + + if ( + typeof options.body === 'string' || + options.body instanceof Buffer || + options.body instanceof Uint8Array + ) { + normalized.body = options.body + } else if (options.body !== undefined && options.body !== null) { + normalized.body = String(options.body) + } + + return normalized } -/** - * Secure fetch wrapper that validates URLs to prevent SSRF attacks - */ -async function secureFetch(requestId: string, url: string, options?: RequestInit): Promise { - const validation = validateProxyUrl(url) - if (!validation.isValid) { - logger.warn(`[${requestId}] Blocked fetch request due to SSRF validation`, { - url: url.substring(0, 100), - error: validation.error, +async function 
secureFetch( + requestId: string, + url: string, + options?: IsolatedFetchOptions +): Promise { + if (url.length > MAX_FETCH_URL_LENGTH) { + return JSON.stringify({ + error: `Security Error: fetch URL exceeds maximum length (${MAX_FETCH_URL_LENGTH})`, }) - return JSON.stringify({ error: `Security Error: ${validation.error}` }) } try { - const response = await fetch(url, options) - const body = await response.text() + const response = await secureFetchWithValidation( + url, + normalizeFetchOptions(options), + 'fetchUrl' + ) + const bodyResult = truncateString(await response.text(), MAX_FETCH_RESPONSE_CHARS) const headers: Record = {} - response.headers.forEach((value, key) => { + for (const [key, value] of response.headers) { headers[key] = value - }) + } return JSON.stringify({ ok: response.ok, status: response.status, statusText: response.statusText, - body, + body: bodyResult.value, + bodyTruncated: bodyResult.truncated, headers, }) } catch (error: unknown) { + logger.warn(`[${requestId}] Isolated fetch failed`, { + url: sanitizeUrlForLog(url), + error: error instanceof Error ? error.message : String(error), + }) return JSON.stringify({ error: error instanceof Error ? 
error.message : 'Unknown fetch error' }) } } -/** - * Handle IPC messages from the Node.js worker - */ -function handleWorkerMessage(message: unknown) { +function normalizeOwnerKey(ownerKey?: string): string { + if (!ownerKey) return 'anonymous' + const normalized = ownerKey.trim() + return normalized || 'anonymous' +} + +function normalizeOwnerWeight(ownerWeight?: number): number { + if (!Number.isFinite(ownerWeight) || ownerWeight === undefined) return 1 + return Math.max(1, Math.min(MAX_OWNER_WEIGHT, Math.floor(ownerWeight))) +} + +function ownerRedisKey(ownerKey: string): string { + return `${DISTRIBUTED_KEY_PREFIX}:${ownerKey}` +} + +type LeaseAcquireResult = 'acquired' | 'limit_exceeded' | 'unavailable' + +async function tryAcquireDistributedLease( + ownerKey: string, + leaseId: string, + timeoutMs: number +): Promise { + // Redis not configured: explicit local-mode fallback is allowed. + if (!env.REDIS_URL) return 'acquired' + + const redis = getRedisClient() + if (!redis) { + logger.error('Redis is configured but unavailable for distributed lease acquisition', { + ownerKey, + }) + return 'unavailable' + } + + const now = Date.now() + const leaseTtlMs = Math.max( + timeoutMs + QUEUE_TIMEOUT_MS + DISTRIBUTED_LEASE_GRACE_MS, + DISTRIBUTED_LEASE_MIN_TTL_MS + ) + const expiresAt = now + leaseTtlMs + const key = ownerRedisKey(ownerKey) + + const script = ` + redis.call('ZREMRANGEBYSCORE', KEYS[1], '-inf', ARGV[1]) + local current = redis.call('ZCARD', KEYS[1]) + if current >= tonumber(ARGV[2]) then + return 0 + end + redis.call('ZADD', KEYS[1], ARGV[3], ARGV[4]) + redis.call('PEXPIRE', KEYS[1], ARGV[5]) + return 1 + ` + + try { + const result = await redis.eval( + script, + 1, + key, + now.toString(), + DISTRIBUTED_MAX_INFLIGHT_PER_OWNER.toString(), + expiresAt.toString(), + leaseId, + leaseTtlMs.toString() + ) + return Number(result) === 1 ? 
'acquired' : 'limit_exceeded' + } catch (error) { + logger.error('Failed to acquire distributed owner lease', { ownerKey, error }) + return 'unavailable' + } +} + +async function releaseDistributedLease(ownerKey: string, leaseId: string): Promise { + const redis = getRedisClient() + if (!redis) return + + const key = ownerRedisKey(ownerKey) + const script = ` + redis.call('ZREM', KEYS[1], ARGV[1]) + if redis.call('ZCARD', KEYS[1]) == 0 then + redis.call('DEL', KEYS[1]) + end + return 1 + ` + + try { + await redis.eval(script, 1, key, leaseId) + } catch (error) { + logger.error('Failed to release distributed owner lease', { ownerKey, error }) + } +} + +function queueLength(): number { + return queueSize +} + +function maybeClearDrainRetry() { + if (queueSize === 0 && queueDrainRetryTimeout) { + clearTimeout(queueDrainRetryTimeout) + queueDrainRetryTimeout = null + } +} + +function getOrCreateOwnerState(ownerKey: string, ownerWeight: number): OwnerState { + const existing = ownerStates.get(ownerKey) + if (existing) { + existing.weight = Math.max(existing.weight, ownerWeight) + return existing + } + + const ownerState: OwnerState = { + ownerKey, + weight: ownerWeight, + activeExecutions: 0, + queueHead: null, + queueTail: null, + queueLength: 0, + burstRemaining: 0, + } + ownerStates.set(ownerKey, ownerState) + return ownerState +} + +function addOwnerToRing(ownerKey: string) { + if (queuedOwnerRing.includes(ownerKey)) return + queuedOwnerRing.push(ownerKey) +} + +function removeOwnerFromRing(ownerKey: string) { + const idx = queuedOwnerRing.indexOf(ownerKey) + if (idx === -1) return + queuedOwnerRing.splice(idx, 1) + if (queuedOwnerRing.length === 0) { + queuedOwnerCursor = 0 + return + } + if (idx < queuedOwnerCursor) { + queuedOwnerCursor-- + } else if (queuedOwnerCursor >= queuedOwnerRing.length) { + queuedOwnerCursor = 0 + } +} + +function maybeCleanupOwner(ownerKey: string) { + const owner = ownerStates.get(ownerKey) + if (!owner) return + if (owner.queueLength 
=== 0) { + removeOwnerFromRing(ownerKey) + } + if (owner.queueLength === 0 && owner.activeExecutions === 0) { + ownerStates.delete(ownerKey) + } +} + +function removeQueueNode(node: QueueNode): QueuedExecution { + const owner = ownerStates.get(node.ownerKey) + if (!owner) { + queueNodes.delete(node.value.id) + queueSize = Math.max(0, queueSize - 1) + maybeClearDrainRetry() + return node.value + } + + const { prev, next, value } = node + if (prev) prev.next = next + else owner.queueHead = next + if (next) next.prev = prev + else owner.queueTail = prev + + node.prev = null + node.next = null + + queueNodes.delete(value.id) + owner.queueLength-- + queueSize-- + maybeCleanupOwner(owner.ownerKey) + maybeClearDrainRetry() + return value +} + +function shiftQueuedExecutionForOwner(owner: OwnerState): QueuedExecution | null { + if (!owner.queueHead) return null + return removeQueueNode(owner.queueHead) +} + +function removeQueuedExecutionById(queueId: number): QueuedExecution | null { + const node = queueNodes.get(queueId) + if (!node) return null + return removeQueueNode(node) +} + +function pushQueuedExecution(owner: OwnerState, queued: QueuedExecution) { + const node: QueueNode = { + ownerKey: owner.ownerKey, + value: queued, + prev: owner.queueTail, + next: null, + } + if (owner.queueTail) { + owner.queueTail.next = node + } else { + owner.queueHead = node + } + owner.queueTail = node + owner.queueLength++ + owner.burstRemaining = 0 + addOwnerToRing(owner.ownerKey) + queueNodes.set(queued.id, node) + queueSize++ +} + +function selectOwnerForDispatch(): OwnerState | null { + if (queuedOwnerRing.length === 0) return null + + let visited = 0 + while (queuedOwnerRing.length > 0 && visited < queuedOwnerRing.length) { + if (queuedOwnerCursor >= queuedOwnerRing.length) { + queuedOwnerCursor = 0 + } + const ownerKey = queuedOwnerRing[queuedOwnerCursor] + if (!ownerKey) return null + + const owner = ownerStates.get(ownerKey) + if (!owner) { + removeOwnerFromRing(ownerKey) + 
continue + } + + if (owner.queueLength === 0) { + owner.burstRemaining = 0 + removeOwnerFromRing(ownerKey) + continue + } + + if (owner.activeExecutions >= MAX_ACTIVE_PER_OWNER) { + owner.burstRemaining = 0 + queuedOwnerCursor = (queuedOwnerCursor + 1) % queuedOwnerRing.length + visited++ + continue + } + + if (owner.burstRemaining <= 0) { + owner.burstRemaining = owner.weight + } + + owner.burstRemaining-- + if (owner.burstRemaining <= 0) { + queuedOwnerCursor = (queuedOwnerCursor + 1) % queuedOwnerRing.length + } + + return owner + } + + return null +} + +function scheduleDrainRetry() { + if (queueDrainRetryTimeout || queueSize === 0) return + queueDrainRetryTimeout = setTimeout(() => { + queueDrainRetryTimeout = null + if (queueSize === 0) return + drainQueue() + }, QUEUE_RETRY_DELAY_MS) +} + +function handleWorkerMessage(workerId: number, message: unknown) { if (typeof message !== 'object' || message === null) return const msg = message as Record + const workerInfo = workers.get(workerId) if (msg.type === 'result') { - const pending = pendingExecutions.get(msg.executionId as number) + const execId = msg.executionId as number + const pending = workerInfo?.pendingExecutions.get(execId) if (pending) { clearTimeout(pending.timeout) - pendingExecutions.delete(msg.executionId as number) + workerInfo!.pendingExecutions.delete(execId) + workerInfo!.activeExecutions-- + totalActiveExecutions-- + const owner = ownerStates.get(pending.ownerKey) + if (owner) { + owner.activeExecutions = Math.max(0, owner.activeExecutions - 1) + maybeCleanupOwner(owner.ownerKey) + } pending.resolve(msg.result as IsolatedVMExecutionResult) + resetWorkerIdleTimeout(workerId) + drainQueue() } return } 
@@ -139,12 +535,31 @@ function handleWorkerMessage(message: unknown) { url: string optionsJson?: string } - let options: RequestInit | undefined + if (typeof url !== 'string' || url.length === 0) { + workerInfo?.process.send({ + type: 'fetchResponse', + fetchId, + response: JSON.stringify({ error: 'Invalid fetch URL' }), + }) + return + } + if (optionsJson && optionsJson.length > MAX_FETCH_OPTIONS_JSON_CHARS) { + workerInfo?.process.send({ + type: 'fetchResponse', + fetchId, + response: JSON.stringify({ + error: `Fetch options exceed maximum payload size (${MAX_FETCH_OPTIONS_JSON_CHARS} chars)`, + }), + }) + return + } + + let options: IsolatedFetchOptions | undefined if (optionsJson) { try { options = JSON.parse(optionsJson) } catch { - worker?.send({ + workerInfo?.process.send({ type: 'fetchResponse', fetchId, response: JSON.stringify({ error: 'Invalid fetch options JSON' }), @@ -155,14 +570,14 @@ function handleWorkerMessage(message: unknown) { secureFetch(requestId, url, options) .then((response) => { try { - worker?.send({ type: 'fetchResponse', fetchId, response }) + workerInfo?.process.send({ type: 'fetchResponse', fetchId, response }) } catch (err) { - logger.error('Failed to send fetch response to worker', { err, fetchId }) + logger.error('Failed to send fetch response to worker', { err, fetchId, workerId }) } }) .catch((err) => { try { - worker?.send({ + workerInfo?.process.send({ type: 'fetchResponse', fetchId, response: JSON.stringify({ 
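Review bot: The new guards on the worker's fetch request bound `optionsJson` but put no upper limit on `url`, and `optionsJson.length` is read without first checking that the value is a string. The message arrives from the sandbox worker over IPC, so the parent is the right place to enforce both, unless `secureFetch` or the worker already does (neither is visible in this hunk). The Helm values in this patch add `IVM_MAX_FETCH_URL_LENGTH`, so a matching constant presumably exists; with `MAX_FETCH_URL_LENGTH` standing for whatever backs that setting, the first guard could read `if (typeof url !== 'string' || url.length === 0 || url.length > MAX_FETCH_URL_LENGTH) {`. The result of `JSON.parse(optionsJson)` is also assigned to `IsolatedFetchOptions` with no shape check, so a comment saying where its fields are validated would help. `handleWorkerMessage` starts and ends outside this hunk.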
@@ -170,21 +585,90 @@ function handleWorkerMessage(message: unknown) { }), }) } catch (sendErr) { - logger.error('Failed to send fetch error to worker', { sendErr, fetchId }) + logger.error('Failed to send fetch error to worker', { sendErr, fetchId, workerId }) } }) } } -/** - * Start the Node.js worker process - */ -async function ensureWorker(): Promise { - if (workerReady && worker) return - if (workerReadyPromise) return workerReadyPromise +function cleanupWorker(workerId: number) { + const workerInfo = workers.get(workerId) + if (!workerInfo) return - workerReadyPromise = new Promise((resolve, reject) => { + if (workerInfo.idleTimeout) { + clearTimeout(workerInfo.idleTimeout) + } + + workerInfo.process.kill() + + for (const [id, pending] of workerInfo.pendingExecutions) { + clearTimeout(pending.timeout) + totalActiveExecutions-- + const owner = ownerStates.get(pending.ownerKey) + if (owner) { + owner.activeExecutions = Math.max(0, owner.activeExecutions - 1) + maybeCleanupOwner(owner.ownerKey) + } + pending.resolve({ + result: null, + stdout: '', + error: { message: 'Code execution failed unexpectedly. 
Please try again.', name: 'Error' }, + }) + workerInfo.pendingExecutions.delete(id) + } + workerInfo.activeExecutions = 0 + + workers.delete(workerId) + logger.info('Worker removed from pool', { workerId, poolSize: workers.size }) +} + +function resetWorkerIdleTimeout(workerId: number) { + const workerInfo = workers.get(workerId) + if (!workerInfo) return + + if (workerInfo.idleTimeout) { + clearTimeout(workerInfo.idleTimeout) + workerInfo.idleTimeout = null + } + + if (workerInfo.activeExecutions === 0) { + workerInfo.idleTimeout = setTimeout(() => { + const w = workers.get(workerId) + if (w && w.activeExecutions === 0) { + logger.info('Cleaning up idle worker', { workerId }) + cleanupWorker(workerId) + } + }, WORKER_IDLE_TIMEOUT_MS) + } +} + +function spawnWorker(): Promise { + const workerId = nextWorkerId++ + spawnInProgress++ + let spawnSettled = false + + const settleSpawnInProgress = () => { + if (spawnSettled) { + return false + } + spawnSettled = true + spawnInProgress-- + return true + } + + const workerInfo: WorkerInfo = { + process: null as unknown as ChildProcess, + ready: false, + readyPromise: null, + activeExecutions: 0, + pendingExecutions: new Map(), + idleTimeout: null, + id: workerId, + } + + workerInfo.readyPromise = new Promise((resolve, reject) => { if (!checkNodeAvailable()) { + settleSpawnInProgress() reject( new Error( 'Node.js is required for code execution but was not found. ' + 
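Review bot: `cleanupWorker` has no doc comment although it does much more than drop a map entry: it kills the child process, resolves every pending execution on that worker with a generic error, and decrements `totalActiveExecutions` and the per-owner counters. `selectWorker` and `acquireWorker` later in this patch are documented, so I would add one here, for example `/** Kills the worker, fails its pending executions, releases their global and per-owner slots, and removes it from the pool. Safe to call twice. */`. The "safe to call twice" part matters because the `exit` handler calls `cleanupWorker` again after an idle cleanup has already killed the process, and relies on the early `if (!workerInfo) return`. `spawnWorker` starts in this hunk and continues past its end.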
@@ -198,141 +682,361 @@ async function ensureWorker(): Promise { const workerPath = path.join(currentDir, 'isolated-vm-worker.cjs') if (!fs.existsSync(workerPath)) { + settleSpawnInProgress() reject(new Error(`Worker file not found at ${workerPath}`)) return } - import('node:child_process').then(({ spawn }) => { - worker = spawn('node', [workerPath], { - stdio: ['ignore', 'pipe', 'pipe', 'ipc'], - serialization: 'json', + import('node:child_process') + .then(({ spawn }) => { + const proc = spawn('node', [workerPath], { + stdio: ['ignore', 'pipe', 'pipe', 'ipc'], + serialization: 'json', + }) + workerInfo.process = proc + + proc.on('message', (message: unknown) => handleWorkerMessage(workerId, message)) + + let stderrData = '' + proc.stderr?.on('data', (data: Buffer) => { + stderrData += data.toString() + }) + + const startTimeout = setTimeout(() => { + proc.kill() + workers.delete(workerId) + if (!settleSpawnInProgress()) return + reject(new Error('Worker failed to start within timeout')) + }, 10000) + + const readyHandler = (message: unknown) => { + if ( + typeof message === 'object' && + message !== null && + (message as { type?: string }).type === 'ready' + ) { + if (!settleSpawnInProgress()) { + proc.off('message', readyHandler) + return + } + workerInfo.ready = true + clearTimeout(startTimeout) + proc.off('message', readyHandler) + workers.set(workerId, workerInfo) + resetWorkerIdleTimeout(workerId) + logger.info('Worker spawned and ready', { workerId, poolSize: workers.size }) + resolve() + } + } + proc.on('message', readyHandler) + + proc.on('exit', () => { + const wasStartupFailure = !workerInfo.ready + + if (wasStartupFailure) { + clearTimeout(startTimeout) + if (!settleSpawnInProgress()) return + + let errorMessage = 'Worker process exited unexpectedly' + if (stderrData.includes('isolated_vm') || stderrData.includes('MODULE_NOT_FOUND')) { + errorMessage = + 'Code execution requires the isolated-vm native module which failed to load. 
' + + 'This usually means the module needs to be rebuilt for your Node.js version. ' + + 'Please run: cd node_modules/isolated-vm && npm rebuild' + logger.error('isolated-vm module failed to load', { stderr: stderrData, workerId }) + } else if (stderrData) { + errorMessage = `Worker process failed: ${stderrData.slice(0, 500)}` + logger.error('Worker process failed', { stderr: stderrData, workerId }) + } + + reject(new Error(errorMessage)) + return + } + + cleanupWorker(workerId) + drainQueue() + }) }) - - worker.on('message', handleWorkerMessage) - - let stderrData = '' - worker.stderr?.on('data', (data: Buffer) => { - stderrData += data.toString() + .catch((error) => { + if (!settleSpawnInProgress()) return + reject(error instanceof Error ? error : new Error('Failed to load child_process module')) }) - - const startTimeout = setTimeout(() => { - worker?.kill() - worker = null - workerReady = false - workerReadyPromise = null - reject(new Error('Worker failed to start within timeout')) - }, 10000) - - const readyHandler = (message: unknown) => { - if ( - typeof message === 'object' && - message !== null && - (message as { type?: string }).type === 'ready' - ) { - workerReady = true - clearTimeout(startTimeout) - worker?.off('message', readyHandler) - resolve() - } - } - worker.on('message', readyHandler) - - worker.on('exit', (code) => { - if (workerIdleTimeout) { - clearTimeout(workerIdleTimeout) - workerIdleTimeout = null - } - - const wasStartupFailure = !workerReady && workerReadyPromise - - worker = null - workerReady = false - workerReadyPromise = null - - let errorMessage = 'Worker process exited unexpectedly' - if (stderrData.includes('isolated_vm') || stderrData.includes('MODULE_NOT_FOUND')) { - errorMessage = - 'Code execution requires the isolated-vm native module which failed to load. ' + - 'This usually means the module needs to be rebuilt for your Node.js version. 
' + - 'Please run: cd node_modules/isolated-vm && npm rebuild' - logger.error('isolated-vm module failed to load', { stderr: stderrData }) - } else if (stderrData) { - errorMessage = `Worker process failed: ${stderrData.slice(0, 500)}` - logger.error('Worker process failed', { stderr: stderrData }) - } - - if (wasStartupFailure) { - clearTimeout(startTimeout) - reject(new Error(errorMessage)) - return - } - - for (const [id, pending] of pendingExecutions) { - clearTimeout(pending.timeout) - pending.resolve({ - result: null, - stdout: '', - error: { message: errorMessage, name: 'WorkerError' }, - }) - pendingExecutions.delete(id) - } - }) - }) }) - return workerReadyPromise + return workerInfo.readyPromise.then(() => workerInfo) +} + +/** + * Returns the ready worker with the fewest active executions that still + * has capacity, or null if none available. + */ +function selectWorker(): WorkerInfo | null { + let best: WorkerInfo | null = null + for (const w of workers.values()) { + if (!w.ready) continue + if (w.activeExecutions >= MAX_PER_WORKER) continue + if (!best || w.activeExecutions < best.activeExecutions) { + best = w + } + } + return best +} + +/** + * Tries to get an existing worker with capacity, or spawns a new one if the + * pool is not full. Returns null when the pool is at capacity and all workers + * are saturated (caller should enqueue). 
+ */ +async function acquireWorker(): Promise { + const existing = selectWorker() + if (existing) return existing + + const currentPoolSize = workers.size + spawnInProgress + if (currentPoolSize < POOL_SIZE) { + try { + return await spawnWorker() + } catch (error) { + logger.error('Failed to spawn worker', { error }) + return null + } + } + + return null +} + +function dispatchToWorker( + workerInfo: WorkerInfo, + ownerState: OwnerState, + req: IsolatedVMExecutionRequest, + resolve: (result: IsolatedVMExecutionResult) => void +) { + const execId = ++executionIdCounter + + if (workerInfo.idleTimeout) { + clearTimeout(workerInfo.idleTimeout) + workerInfo.idleTimeout = null + } + + const timeout = setTimeout(() => { + workerInfo.pendingExecutions.delete(execId) + workerInfo.activeExecutions-- + totalActiveExecutions-- + ownerState.activeExecutions = Math.max(0, ownerState.activeExecutions - 1) + maybeCleanupOwner(ownerState.ownerKey) + resolve({ + result: null, + stdout: '', + error: { message: `Execution timed out after ${req.timeoutMs}ms`, name: 'TimeoutError' }, + }) + resetWorkerIdleTimeout(workerInfo.id) + drainQueue() + }, req.timeoutMs + 1000) + + workerInfo.pendingExecutions.set(execId, { resolve, timeout, ownerKey: ownerState.ownerKey }) + workerInfo.activeExecutions++ + totalActiveExecutions++ + ownerState.activeExecutions++ + + try { + workerInfo.process.send({ type: 'execute', executionId: execId, request: req }) + } catch { + clearTimeout(timeout) + workerInfo.pendingExecutions.delete(execId) + workerInfo.activeExecutions-- + totalActiveExecutions-- + ownerState.activeExecutions = Math.max(0, ownerState.activeExecutions - 1) + maybeCleanupOwner(ownerState.ownerKey) + resolve({ + result: null, + stdout: '', + error: { message: 'Code execution failed to start. 
Please try again.', name: 'Error' }, + }) + resetWorkerIdleTimeout(workerInfo.id) + // Defer to break synchronous recursion: drainQueue → dispatchToWorker → catch → drainQueue + queueMicrotask(() => drainQueue()) + } +} + +function enqueueExecution( + ownerState: OwnerState, + req: IsolatedVMExecutionRequest, + resolve: (result: IsolatedVMExecutionResult) => void +) { + if (queueLength() >= MAX_QUEUE_SIZE) { + resolve({ + result: null, + stdout: '', + error: { + message: 'Code execution is at capacity. Please try again in a moment.', + name: 'Error', + }, + }) + return + } + if (ownerState.queueLength >= MAX_QUEUED_PER_OWNER) { + resolve({ + result: null, + stdout: '', + error: { + message: + 'Too many concurrent code executions. Please wait for some to complete before running more.', + name: 'Error', + }, + }) + return + } + + const queueId = ++queueIdCounter + const queueTimeout = setTimeout(() => { + const queued = removeQueuedExecutionById(queueId) + if (!queued) return + resolve({ + result: null, + stdout: '', + error: { + message: 'Code execution timed out waiting for an available worker. Please try again.', + name: 'Error', + }, + }) + }, QUEUE_TIMEOUT_MS) + + pushQueuedExecution(ownerState, { + id: queueId, + ownerKey: ownerState.ownerKey, + req, + resolve, + queueTimeout, + }) + logger.info('Execution queued', { + queueLength: queueLength(), + ownerKey: ownerState.ownerKey, + ownerQueueLength: ownerState.queueLength, + totalActive: totalActiveExecutions, + poolSize: workers.size, + }) + drainQueue() +} + +/** + * Called after every completion or worker spawn — dispatches queued + * executions to available workers. 
+ */ +function drainQueue() { + while (queueLength() > 0 && totalActiveExecutions < MAX_CONCURRENT) { + const worker = selectWorker() + if (!worker) { + const currentPoolSize = workers.size + spawnInProgress + if (currentPoolSize < POOL_SIZE) { + spawnWorker() + .then(() => drainQueue()) + .catch((err) => { + logger.error('Failed to spawn worker during drain', { err }) + scheduleDrainRetry() + }) + } + break + } + + const owner = selectOwnerForDispatch() + if (!owner) { + scheduleDrainRetry() + break + } + + const queued = shiftQueuedExecutionForOwner(owner) + if (!queued) { + owner.burstRemaining = 0 + maybeCleanupOwner(owner.ownerKey) + continue + } + clearTimeout(queued.queueTimeout) + dispatchToWorker(worker, owner, queued.req, queued.resolve) + } } /** * Execute JavaScript code in an isolated V8 isolate via Node.js subprocess. - * The worker's V8 isolate enforces timeoutMs internally. The parent timeout - * (timeoutMs + 1000) is a safety buffer for IPC communication. */ export async function executeInIsolatedVM( req: IsolatedVMExecutionRequest ): Promise { - if (workerIdleTimeout) { - clearTimeout(workerIdleTimeout) - workerIdleTimeout = null - } + const ownerKey = normalizeOwnerKey(req.ownerKey) + const ownerWeight = normalizeOwnerWeight(req.ownerWeight) + const ownerState = getOrCreateOwnerState(ownerKey, ownerWeight) - await ensureWorker() - - if (!worker) { + const distributedLeaseId = `${req.requestId}:${Date.now()}:${Math.random().toString(36).slice(2, 10)}` + const leaseAcquireResult = await tryAcquireDistributedLease( + ownerKey, + distributedLeaseId, + req.timeoutMs + ) + if (leaseAcquireResult === 'limit_exceeded') { + maybeCleanupOwner(ownerKey) return { result: null, stdout: '', - error: { message: 'Failed to start isolated-vm worker', name: 'WorkerError' }, + error: { + message: + 'Too many concurrent code executions. 
Please wait for some to complete before running more.', + name: 'Error', + }, + } + } + if (leaseAcquireResult === 'unavailable') { + maybeCleanupOwner(ownerKey) + return { + result: null, + stdout: '', + error: { + message: 'Code execution is temporarily unavailable. Please try again in a moment.', + name: 'Error', + }, } } - const executionId = ++executionIdCounter + let settled = false + const releaseLease = () => { + if (settled) return + settled = true + releaseDistributedLease(ownerKey, distributedLeaseId).catch((error) => { + logger.error('Failed to release distributed lease', { ownerKey, error }) + }) + } - return new Promise((resolve) => { - const timeout = setTimeout(() => { - pendingExecutions.delete(executionId) - resolve({ - result: null, - stdout: '', - error: { message: `Execution timed out after ${req.timeoutMs}ms`, name: 'TimeoutError' }, - }) - }, req.timeoutMs + 1000) + return new Promise((resolve) => { + const resolveWithRelease = (result: IsolatedVMExecutionResult) => { + releaseLease() + resolve(result) + } - pendingExecutions.set(executionId, { resolve, timeout }) - - try { - worker!.send({ type: 'execute', executionId, request: req }) - } catch { - clearTimeout(timeout) - pendingExecutions.delete(executionId) - resolve({ - result: null, - stdout: '', - error: { message: 'Failed to send execution request to worker', name: 'WorkerError' }, - }) + if ( + totalActiveExecutions >= MAX_CONCURRENT || + ownerState.activeExecutions >= MAX_ACTIVE_PER_OWNER + ) { + enqueueExecution(ownerState, req, resolveWithRelease) return } - resetIdleTimeout() + acquireWorker() + .then((workerInfo) => { + if (!workerInfo) { + enqueueExecution(ownerState, req, resolveWithRelease) + return + } + + dispatchToWorker(workerInfo, ownerState, req, resolveWithRelease) + if (queueLength() > 0) { + drainQueue() + } + }) + .catch((error) => { + logger.error('Failed to acquire worker for execution', { error, ownerKey }) + enqueueExecution(ownerState, req, resolveWithRelease) + 
}) + }).finally(() => { + releaseLease() + if (ownerState.queueLength === 0 && ownerState.activeExecutions === 0) { + maybeCleanupOwner(ownerState.ownerKey) + } }) } diff --git a/apps/sim/lib/execution/preprocessing.ts b/apps/sim/lib/execution/preprocessing.ts index 9a0236fd1..3eb14813e 100644 --- a/apps/sim/lib/execution/preprocessing.ts +++ b/apps/sim/lib/execution/preprocessing.ts @@ -124,6 +124,7 @@ export interface PreprocessExecutionOptions { workspaceId?: string // If known, used for billing resolution loggingSession?: LoggingSession // If provided, will be used for error logging isResumeContext?: boolean // If true, allows fallback billing on resolution failure (for paused workflow resumes) + useAuthenticatedUserAsActor?: boolean // If true, use the authenticated userId as actorUserId (for client-side executions and personal API keys) /** @deprecated No longer used - background/async executions always use deployed state */ useDraftState?: boolean } @@ -170,6 +171,7 @@ export async function preprocessExecution( workspaceId: providedWorkspaceId, loggingSession: providedLoggingSession, isResumeContext = false, + useAuthenticatedUserAsActor = false, } = options logger.info(`[${requestId}] Starting execution preprocessing`, { @@ -257,7 +259,14 @@ export async function preprocessExecution( let actorUserId: string | null = null try { - if (workspaceId) { + // For client-side executions and personal API keys, the authenticated + // user is the billing and permission actor — not the workspace owner. + if (useAuthenticatedUserAsActor && userId) { + actorUserId = userId + logger.info(`[${requestId}] Using authenticated user as actor: ${actorUserId}`) + } + + if (!actorUserId && workspaceId) { actorUserId = await getWorkspaceBilledAccountUserId(workspaceId) if (actorUserId) { logger.info(`[${requestId}] Using workspace billed account: ${actorUserId}`) diff --git a/apps/sim/tools/index.ts b/apps/sim/tools/index.ts index 1670b5520..09c3ac616 100644 
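Review bot: When a worker that was already ready exits, the new `exit` handler goes straight to `cleanupWorker(workerId)` and `drainQueue()` without logging the exit code, signal or captured stderr, because the stderr logging now sits only inside the `wasStartupFailure` branch. The only trace is the `Worker removed from pool` info line, which an idle cleanup also emits, and callers receive the generic 'Code execution failed unexpectedly' error, so a crash of the sandbox process is hard to notice or investigate afterwards. I would take the arguments, `proc.on('exit', (code, signal) => {`, and log before the cleanup with `logger.warn('Worker exited', { workerId, code, signal, stderr: stderrData.slice(-500) })`. Separately, `stderrData += data.toString()` grows without a cap for the lifetime of the worker; keeping only a bounded tail would limit parent memory use.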
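Review bot: With `useAuthenticatedUserAsActor` set, whatever `userId` the caller passes becomes the billing and permission actor and the workspace billed-account lookup is skipped, so the option is only safe when `userId` comes from a verified session or API key. Neither this hunk nor the comment on the option states that requirement. I would extend the comment on the field in `PreprocessExecutionOptions` to `// If true, use userId as actorUserId; userId MUST come from a verified session or API key, never from request input`. `preprocessExecution` starts and ends outside this hunk.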
--- a/apps/sim/tools/index.ts +++ b/apps/sim/tools/index.ts @@ -247,7 +247,8 @@ export async function executeTool( // If it's a custom tool, use the async version with workflowId if (isCustomTool(normalizedToolId)) { const workflowId = params._context?.workflowId - tool = await getToolAsync(normalizedToolId, workflowId) + const userId = params._context?.userId + tool = await getToolAsync(normalizedToolId, workflowId, userId) if (!tool) { logger.error(`[${requestId}] Custom tool not found: ${normalizedToolId}`) } @@ -286,26 +287,25 @@ export async function executeTool( try { const baseUrl = getBaseUrl() + const workflowId = contextParams._context?.workflowId + const userId = contextParams._context?.userId + const tokenPayload: OAuthTokenPayload = { credentialId: contextParams.credential as string, } - - // Add workflowId if it exists in params, context, or executionContext - const workflowId = - contextParams.workflowId || - contextParams._context?.workflowId || - executionContext?.workflowId if (workflowId) { tokenPayload.workflowId = workflowId } logger.info(`[${requestId}] Fetching access token from ${baseUrl}/api/auth/oauth/token`) - // Build token URL and also include workflowId in query so server auth can read it const tokenUrlObj = new URL('/api/auth/oauth/token', baseUrl) if (workflowId) { tokenUrlObj.searchParams.set('workflowId', workflowId) } + if (userId) { + tokenUrlObj.searchParams.set('userId', userId) + } // Always send Content-Type; add internal auth on server-side runs const tokenHeaders: Record = { 'Content-Type': 'application/json' } @@ -609,6 +609,10 @@ async function executeToolRequest( if (workflowId) { fullUrlObj.searchParams.set('workflowId', workflowId) } + const userId = params._context?.userId + if (userId) { + fullUrlObj.searchParams.set('userId', userId) + } } const fullUrl = fullUrlObj.toString() diff --git a/apps/sim/tools/utils.ts b/apps/sim/tools/utils.ts index e5364e415..0a7b635fa 100644 --- a/apps/sim/tools/utils.ts 
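Review bot: `userId` is read from `params._context` / `contextParams._context`, the same object that carries the tool's arguments, and is then forwarded as a `userId` query parameter to `/api/auth/oauth/token`, to the request URL built in `executeToolRequest` (hunk at -609) and, through `getToolAsync`, to `/api/tools/custom` (the `tools/utils.ts` hunks). These hunks do not show where `_context` is populated, so please confirm it is always set by the executor and overwritten, not merged, when arguments originate from a model or an end user. On the receiving side, the routes should honour the `userId` query parameter only on requests that carry the internal token and ignore it otherwise. A short comment at the first use, such as `// _context is set by the executor; never taken from tool arguments`, would record that assumption. `executeTool` starts and ends outside these hunks.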
+++ b/apps/sim/tools/utils.ts @@ -311,7 +311,8 @@ export function getTool(toolId: string): ToolConfig | undefined { // Get a tool by its ID asynchronously (supports server-side) export async function getToolAsync( toolId: string, - workflowId?: string + workflowId?: string, + userId?: string ): Promise { // Check for built-in tools const builtInTool = tools[toolId] @@ -319,7 +320,7 @@ export async function getToolAsync( // Check if it's a custom tool if (isCustomTool(toolId)) { - return fetchCustomToolFromAPI(toolId, workflowId) + return fetchCustomToolFromAPI(toolId, workflowId, userId) } return undefined @@ -366,7 +367,8 @@ function createToolConfig(customTool: any, customToolId: string): ToolConfig { // Create a tool config from a custom tool definition by fetching from API async function fetchCustomToolFromAPI( customToolId: string, - workflowId?: string + workflowId?: string, + userId?: string ): Promise { const identifier = customToolId.replace('custom_', '') @@ -374,10 +376,12 @@ async function fetchCustomToolFromAPI( const baseUrl = getBaseUrl() const url = new URL('/api/tools/custom', baseUrl) - // Add workflowId as a query parameter if available if (workflowId) { url.searchParams.append('workflowId', workflowId) } + if (userId) { + url.searchParams.append('userId', userId) + } // For server-side calls (during workflow execution), use internal JWT token const headers: Record = {} diff --git a/helm/sim/values.yaml b/helm/sim/values.yaml index 86e6c9079..d5eecb51e 100644 --- a/helm/sim/values.yaml +++ b/helm/sim/values.yaml 
@@ -139,7 +139,25 @@ app: EXECUTION_TIMEOUT_ASYNC_PRO: "5400" # Pro tier async timeout (90 minutes) EXECUTION_TIMEOUT_ASYNC_TEAM: "5400" # Team tier async timeout (90 minutes) EXECUTION_TIMEOUT_ASYNC_ENTERPRISE: "5400" # Enterprise tier async timeout (90 minutes) - + + # Isolated-VM Worker Pool Configuration + IVM_POOL_SIZE: "4" # Max worker processes in pool + IVM_MAX_CONCURRENT: "10000" # Max concurrent executions globally + IVM_MAX_PER_WORKER: "2500" # Max concurrent executions per worker + IVM_WORKER_IDLE_TIMEOUT_MS: "60000" # Worker idle cleanup timeout (ms) + IVM_QUEUE_TIMEOUT_MS: "300000" # Max queue wait before rejection (ms) + IVM_MAX_QUEUE_SIZE: "10000" # Max queued executions globally + IVM_MAX_ACTIVE_PER_OWNER: "200" # Max concurrent executions per user + IVM_MAX_QUEUED_PER_OWNER: "2000" # Max queued executions per user + IVM_MAX_OWNER_WEIGHT: "5" # Max scheduling weight per user + IVM_DISTRIBUTED_MAX_INFLIGHT_PER_OWNER: "2200" # Max in-flight per user across instances (Redis) + IVM_DISTRIBUTED_LEASE_MIN_TTL_MS: "120000" # Min distributed lease TTL (ms) + IVM_MAX_FETCH_RESPONSE_BYTES: "8388608" # Max fetch response size (8MB) + IVM_MAX_FETCH_RESPONSE_CHARS: "4000000" # Max fetch response chars + IVM_MAX_FETCH_URL_LENGTH: "8192" # Max fetch URL length + IVM_MAX_FETCH_OPTIONS_JSON_CHARS: "262144" # Max fetch options payload (256KB) + IVM_MAX_STDOUT_CHARS: "200000" # Max stdout capture per execution + # UI Branding & Whitelabeling Configuration NEXT_PUBLIC_BRAND_NAME: "Sim" # Custom brand name NEXT_PUBLIC_BRAND_LOGO_URL: "" # Custom logo URL (leave empty for default) From 193b95cfec8e2c20dd134d2812b76c2106bd998f Mon Sep 17 00:00:00 2001 
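Review bot: The comments on the `IVM_DISTRIBUTED_*` settings do not say what happens when Redis cannot be reached, and the code in this patch fails closed: the lease acquisition returns 'unavailable' when the Redis call throws, and `executeInIsolatedVM` then rejects the execution as temporarily unavailable. Operators should know that a Redis outage stops code execution instead of falling back to the per-instance limits, so I would add a line above the two settings, e.g. `# Redis errors while acquiring a lease reject the execution (fail closed)`. If `IVM_DISTRIBUTED_MAX_INFLIGHT_PER_OWNER` is meant to cover active plus queued executions (200 + 2000 with these defaults), saying so in its comment would keep the three values in step when one is tuned.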
From: Vikhyath Mondreti Date: Fri, 6 Feb 2026 22:07:55 -0800 Subject: [PATCH 4/8] fix(auth): swap out hybrid auth in relevant callsites (#3160) * fix(logs): execution files should always use our internal route * correct degree of access control * fix tests * fix tag defs flag * fix type check * fix mcp tools * make webhooks consistent * fix ollama and vllm visibility * remove dup test --- .../sim/app/api/a2a/agents/[agentId]/route.ts | 10 +-- apps/sim/app/api/a2a/agents/route.ts | 6 +- .../app/api/auth/oauth/credentials/route.ts | 4 +- .../app/api/auth/oauth/token/route.test.ts | 48 ++++-------- apps/sim/app/api/auth/oauth/token/route.ts | 6 +- apps/sim/app/api/files/delete/route.test.ts | 2 +- apps/sim/app/api/files/delete/route.ts | 4 +- apps/sim/app/api/files/download/route.ts | 4 +- apps/sim/app/api/files/parse/route.test.ts | 2 +- apps/sim/app/api/files/parse/route.ts | 4 +- .../api/files/serve/[...path]/route.test.ts | 10 +-- .../app/api/files/serve/[...path]/route.ts | 4 +- .../knowledge/[id]/tag-definitions/route.ts | 22 +----- .../api/logs/execution/[executionId]/route.ts | 4 +- apps/sim/app/api/memory/[id]/route.ts | 4 +- apps/sim/app/api/memory/route.ts | 8 +- .../app/api/tools/a2a/cancel-task/route.ts | 4 +- .../a2a/delete-push-notification/route.ts | 4 +- .../app/api/tools/a2a/get-agent-card/route.ts | 4 +- .../tools/a2a/get-push-notification/route.ts | 4 +- apps/sim/app/api/tools/a2a/get-task/route.ts | 4 +- .../app/api/tools/a2a/resubscribe/route.ts | 4 +- .../app/api/tools/a2a/send-message/route.ts | 4 +- .../tools/a2a/set-push-notification/route.ts | 4 +- apps/sim/app/api/users/me/usage-logs/route.ts | 4 +- .../file-download/file-download.tsx | 18 +---- apps/sim/blocks/blocks/agent.ts | 30 +------- apps/sim/blocks/types.ts | 4 +- apps/sim/blocks/utils.ts | 76 +++++++++++++------ .../executor/handlers/agent/agent-handler.ts | 13 +++- .../handlers/evaluator/evaluator-handler.ts | 2 +- .../handlers/router/router-handler.ts | 2 + 
apps/sim/lib/auth/credential-access.ts | 20 ++--- apps/sim/lib/mcp/middleware.ts | 4 +- apps/sim/lib/webhooks/processor.ts | 18 ++++- .../workflows/subblocks/visibility.test.ts | 9 +++ .../sim/lib/workflows/subblocks/visibility.ts | 7 +- apps/sim/tools/index.ts | 8 +- 38 files changed, 196 insertions(+), 193 deletions(-) diff --git a/apps/sim/app/api/a2a/agents/[agentId]/route.ts b/apps/sim/app/api/a2a/agents/[agentId]/route.ts index 65f22e5b6..1c8eea273 100644 --- a/apps/sim/app/api/a2a/agents/[agentId]/route.ts +++ b/apps/sim/app/api/a2a/agents/[agentId]/route.ts @@ -5,7 +5,7 @@ import { eq } from 'drizzle-orm' import { type NextRequest, NextResponse } from 'next/server' import { generateAgentCard, generateSkillsFromWorkflow } from '@/lib/a2a/agent-card' import type { AgentCapabilities, AgentSkill } from '@/lib/a2a/types' -import { checkHybridAuth } from '@/lib/auth/hybrid' +import { checkSessionOrInternalAuth } from '@/lib/auth/hybrid' import { getRedisClient } from '@/lib/core/config/redis' import { loadWorkflowFromNormalizedTables } from '@/lib/workflows/persistence/utils' import { checkWorkspaceAccess } from '@/lib/workspaces/permissions/utils' @@ -40,7 +40,7 @@ export async function GET(request: NextRequest, { params }: { params: Promise { const mockRefreshTokenIfNeeded = vi.fn() const mockGetOAuthToken = vi.fn() const mockAuthorizeCredentialUse = vi.fn() - const mockCheckHybridAuth = vi.fn() + const mockCheckSessionOrInternalAuth = vi.fn() const mockLogger = createMockLogger() @@ -42,7 +42,7 @@ describe('OAuth Token API Routes', () => { })) vi.doMock('@/lib/auth/hybrid', () => ({ - checkHybridAuth: mockCheckHybridAuth, + checkSessionOrInternalAuth: mockCheckSessionOrInternalAuth, })) }) 
@@ -235,7 +235,7 @@ describe('OAuth Token API Routes', () => { describe('credentialAccountUserId + providerId path', () => { it('should reject unauthenticated requests', async () => { - mockCheckHybridAuth.mockResolvedValueOnce({ + mockCheckSessionOrInternalAuth.mockResolvedValueOnce({ success: false, error: 'Authentication required', }) @@ -255,30 +255,8 @@ describe('OAuth Token API Routes', () => { expect(mockGetOAuthToken).not.toHaveBeenCalled() }) - it('should reject API key authentication', async () => { - mockCheckHybridAuth.mockResolvedValueOnce({ - success: true, - authType: 'api_key', - userId: 'test-user-id', - }) - - const req = createMockRequest('POST', { - credentialAccountUserId: 'test-user-id', - providerId: 'google', - }) - - const { POST } = await import('@/app/api/auth/oauth/token/route') - - const response = await POST(req) - const data = await response.json() - - expect(response.status).toBe(401) - expect(data).toHaveProperty('error', 'User not authenticated') - expect(mockGetOAuthToken).not.toHaveBeenCalled() - }) - it('should reject internal JWT authentication', async () => { - mockCheckHybridAuth.mockResolvedValueOnce({ + mockCheckSessionOrInternalAuth.mockResolvedValueOnce({ success: true, authType: 'internal_jwt', userId: 'test-user-id', @@ -300,7 +278,7 @@ describe('OAuth Token API Routes', () => { }) it('should reject requests for other users credentials', async () => { - mockCheckHybridAuth.mockResolvedValueOnce({ + mockCheckSessionOrInternalAuth.mockResolvedValueOnce({ success: true, authType: 'session', userId: 'attacker-user-id', @@ -322,7 +300,7 @@ describe('OAuth Token API Routes', () => { }) it('should allow session-authenticated users to access their own credentials', async () => { - mockCheckHybridAuth.mockResolvedValueOnce({ + mockCheckSessionOrInternalAuth.mockResolvedValueOnce({ success: true, authType: 'session', userId: 'test-user-id', 
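Review bot: The hunk at -255 deletes the `should reject API key authentication` test without a replacement, so the suite no longer pins that an API key cannot obtain an OAuth token through the `credentialAccountUserId` path. Presumably `checkSessionOrInternalAuth` never reports `authType: 'api_key'`, but that helper is mocked in this file, so what the removed test exercised was the route's own `auth.authType !== 'session'` guard. I would keep the test with the renamed mock, `mockCheckSessionOrInternalAuth.mockResolvedValueOnce({ success: true, authType: 'api_key', userId: 'test-user-id' })`, and still expect a 401 with `mockGetOAuthToken` not called.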
@@ -345,7 +323,7 @@ describe('OAuth Token API Routes', () => { }) it('should return 404 when credential not found for user', async () => { - mockCheckHybridAuth.mockResolvedValueOnce({ + mockCheckSessionOrInternalAuth.mockResolvedValueOnce({ success: true, authType: 'session', userId: 'test-user-id', @@ -373,7 +351,7 @@ describe('OAuth Token API Routes', () => { */ describe('GET handler', () => { it('should return access token successfully', async () => { - mockCheckHybridAuth.mockResolvedValueOnce({ + mockCheckSessionOrInternalAuth.mockResolvedValueOnce({ success: true, authType: 'session', userId: 'test-user-id', @@ -402,7 +380,7 @@ describe('OAuth Token API Routes', () => { expect(response.status).toBe(200) expect(data).toHaveProperty('accessToken', 'fresh-token') - expect(mockCheckHybridAuth).toHaveBeenCalled() + expect(mockCheckSessionOrInternalAuth).toHaveBeenCalled() expect(mockGetCredential).toHaveBeenCalledWith(mockRequestId, 'credential-id', 'test-user-id') expect(mockRefreshTokenIfNeeded).toHaveBeenCalled() }) @@ -421,7 +399,7 @@ describe('OAuth Token API Routes', () => { }) it('should handle authentication failure', async () => { - mockCheckHybridAuth.mockResolvedValueOnce({ + mockCheckSessionOrInternalAuth.mockResolvedValueOnce({ success: false, error: 'Authentication required', }) @@ -440,7 +418,7 @@ describe('OAuth Token API Routes', () => { }) it('should handle credential not found', async () => { - mockCheckHybridAuth.mockResolvedValueOnce({ + mockCheckSessionOrInternalAuth.mockResolvedValueOnce({ success: true, authType: 'session', userId: 'test-user-id', @@ -461,7 +439,7 @@ describe('OAuth Token API Routes', () => { }) it('should handle missing access token', async () => { - mockCheckHybridAuth.mockResolvedValueOnce({ + mockCheckSessionOrInternalAuth.mockResolvedValueOnce({ success: true, authType: 'session', userId: 'test-user-id', 
@@ -487,7 +465,7 @@ describe('OAuth Token API Routes', () => { }) it('should handle token refresh failure', async () => { - mockCheckHybridAuth.mockResolvedValueOnce({ + mockCheckSessionOrInternalAuth.mockResolvedValueOnce({ success: true, authType: 'session', userId: 'test-user-id', diff --git a/apps/sim/app/api/auth/oauth/token/route.ts b/apps/sim/app/api/auth/oauth/token/route.ts index 7c7d1f463..f6728fe69 100644 --- a/apps/sim/app/api/auth/oauth/token/route.ts +++ b/apps/sim/app/api/auth/oauth/token/route.ts @@ -2,7 +2,7 @@ import { createLogger } from '@sim/logger' import { type NextRequest, NextResponse } from 'next/server' import { z } from 'zod' import { authorizeCredentialUse } from '@/lib/auth/credential-access' -import { checkHybridAuth } from '@/lib/auth/hybrid' +import { checkSessionOrInternalAuth } from '@/lib/auth/hybrid' import { generateRequestId } from '@/lib/core/utils/request' import { getCredential, getOAuthToken, refreshTokenIfNeeded } from '@/app/api/auth/oauth/utils' @@ -71,7 +71,7 @@ export async function POST(request: NextRequest) { providerId, }) - const auth = await checkHybridAuth(request, { requireWorkflowId: false }) + const auth = await checkSessionOrInternalAuth(request, { requireWorkflowId: false }) if (!auth.success || auth.authType !== 'session' || !auth.userId) { logger.warn(`[${requestId}] Unauthorized request for credentialAccountUserId path`, { success: auth.success, @@ -187,7 +187,7 @@ export async function GET(request: NextRequest) { const { credentialId } = parseResult.data // For GET requests, we only support session-based authentication - const auth = await checkHybridAuth(request, { requireWorkflowId: false }) + const auth = await checkSessionOrInternalAuth(request, { requireWorkflowId: false }) if (!auth.success || auth.authType !== 'session' || !auth.userId) { return NextResponse.json({ error: 'User not authenticated' }, { status: 401 }) } 
diff --git a/apps/sim/app/api/files/delete/route.test.ts b/apps/sim/app/api/files/delete/route.test.ts index 669ea86ad..0cc9824f7 100644 --- a/apps/sim/app/api/files/delete/route.test.ts +++ b/apps/sim/app/api/files/delete/route.test.ts @@ -29,7 +29,7 @@ function setupFileApiMocks( } vi.doMock('@/lib/auth/hybrid', () => ({ - checkHybridAuth: vi.fn().mockResolvedValue({ + checkSessionOrInternalAuth: vi.fn().mockResolvedValue({ success: authenticated, userId: authenticated ? 'test-user-id' : undefined, error: authenticated ? undefined : 'Unauthorized', diff --git a/apps/sim/app/api/files/delete/route.ts b/apps/sim/app/api/files/delete/route.ts index 1a5f49138..273500461 100644 --- a/apps/sim/app/api/files/delete/route.ts +++ b/apps/sim/app/api/files/delete/route.ts @@ -1,7 +1,7 @@ import { createLogger } from '@sim/logger' import type { NextRequest } from 'next/server' import { NextResponse } from 'next/server' -import { checkHybridAuth } from '@/lib/auth/hybrid' +import { checkSessionOrInternalAuth } from '@/lib/auth/hybrid' import type { StorageContext } from '@/lib/uploads/config' import { deleteFile, hasCloudStorage } from '@/lib/uploads/core/storage-service' import { extractStorageKey, inferContextFromKey } from '@/lib/uploads/utils/file-utils' @@ -24,7 +24,7 @@ const logger = createLogger('FilesDeleteAPI') */ export async function POST(request: NextRequest) { try { - const authResult = await checkHybridAuth(request, { requireWorkflowId: false }) + const authResult = await checkSessionOrInternalAuth(request, { requireWorkflowId: false }) if (!authResult.success || !authResult.userId) { logger.warn('Unauthorized file delete request', { diff --git a/apps/sim/app/api/files/download/route.ts b/apps/sim/app/api/files/download/route.ts index bd718ed8f..45f9ebb24 100644 --- a/apps/sim/app/api/files/download/route.ts +++ b/apps/sim/app/api/files/download/route.ts 
@@ -1,6 +1,6 @@ import { createLogger } from '@sim/logger' import { type NextRequest, NextResponse } from 'next/server' -import { checkHybridAuth } from '@/lib/auth/hybrid' +import { checkSessionOrInternalAuth } from '@/lib/auth/hybrid' import type { StorageContext } from '@/lib/uploads/config' import { hasCloudStorage } from '@/lib/uploads/core/storage-service' import { verifyFileAccess } from '@/app/api/files/authorization' @@ -12,7 +12,7 @@ export const dynamic = 'force-dynamic' export async function POST(request: NextRequest) { try { - const authResult = await checkHybridAuth(request, { requireWorkflowId: false }) + const authResult = await checkSessionOrInternalAuth(request, { requireWorkflowId: false }) if (!authResult.success || !authResult.userId) { logger.warn('Unauthorized download URL request', { diff --git a/apps/sim/app/api/files/parse/route.test.ts b/apps/sim/app/api/files/parse/route.test.ts index 801795570..bfdc3bbe7 100644 --- a/apps/sim/app/api/files/parse/route.test.ts +++ b/apps/sim/app/api/files/parse/route.test.ts @@ -35,7 +35,7 @@ function setupFileApiMocks( } vi.doMock('@/lib/auth/hybrid', () => ({ - checkHybridAuth: vi.fn().mockResolvedValue({ + checkInternalAuth: vi.fn().mockResolvedValue({ success: authenticated, userId: authenticated ? 'test-user-id' : undefined, error: authenticated ? undefined : 'Unauthorized', diff --git a/apps/sim/app/api/files/parse/route.ts b/apps/sim/app/api/files/parse/route.ts index 25112133f..4b1882f86 100644 --- a/apps/sim/app/api/files/parse/route.ts +++ b/apps/sim/app/api/files/parse/route.ts @@ -5,7 +5,7 @@ import path from 'path' import { createLogger } from '@sim/logger' import binaryExtensionsList from 'binary-extensions' import { type NextRequest, NextResponse } from 'next/server' -import { checkHybridAuth } from '@/lib/auth/hybrid' +import { checkInternalAuth } from '@/lib/auth/hybrid' import { secureFetchWithPinnedIP, validateUrlWithDNS, 
@@ -66,7 +66,7 @@ export async function POST(request: NextRequest) { const startTime = Date.now() try { - const authResult = await checkHybridAuth(request, { requireWorkflowId: true }) + const authResult = await checkInternalAuth(request, { requireWorkflowId: true }) if (!authResult.success) { logger.warn('Unauthorized file parse request', { diff --git a/apps/sim/app/api/files/serve/[...path]/route.test.ts b/apps/sim/app/api/files/serve/[...path]/route.test.ts index fe833f3aa..d09adf048 100644 --- a/apps/sim/app/api/files/serve/[...path]/route.test.ts +++ b/apps/sim/app/api/files/serve/[...path]/route.test.ts @@ -55,7 +55,7 @@ describe('File Serve API Route', () => { }) vi.doMock('@/lib/auth/hybrid', () => ({ - checkHybridAuth: vi.fn().mockResolvedValue({ + checkSessionOrInternalAuth: vi.fn().mockResolvedValue({ success: true, userId: 'test-user-id', }), @@ -165,7 +165,7 @@ describe('File Serve API Route', () => { })) vi.doMock('@/lib/auth/hybrid', () => ({ - checkHybridAuth: vi.fn().mockResolvedValue({ + checkSessionOrInternalAuth: vi.fn().mockResolvedValue({ success: true, userId: 'test-user-id', }), @@ -226,7 +226,7 @@ describe('File Serve API Route', () => { })) vi.doMock('@/lib/auth/hybrid', () => ({ - checkHybridAuth: vi.fn().mockResolvedValue({ + checkSessionOrInternalAuth: vi.fn().mockResolvedValue({ success: true, userId: 'test-user-id', }), @@ -291,7 +291,7 @@ describe('File Serve API Route', () => { })) vi.doMock('@/lib/auth/hybrid', () => ({ - checkHybridAuth: vi.fn().mockResolvedValue({ + checkSessionOrInternalAuth: vi.fn().mockResolvedValue({ success: true, userId: 'test-user-id', }), @@ -350,7 +350,7 @@ describe('File Serve API Route', () => { for (const test of contentTypeTests) { it(`should serve ${test.ext} file with correct content type`, async () => { vi.doMock('@/lib/auth/hybrid', () => ({ - checkHybridAuth: vi.fn().mockResolvedValue({ + checkSessionOrInternalAuth: vi.fn().mockResolvedValue({ success: true, userId: 'test-user-id', }), 
diff --git a/apps/sim/app/api/files/serve/[...path]/route.ts b/apps/sim/app/api/files/serve/[...path]/route.ts index e339615f8..9c562fb26 100644 --- a/apps/sim/app/api/files/serve/[...path]/route.ts +++ b/apps/sim/app/api/files/serve/[...path]/route.ts @@ -2,7 +2,7 @@ import { readFile } from 'fs/promises' import { createLogger } from '@sim/logger' import type { NextRequest } from 'next/server' import { NextResponse } from 'next/server' -import { checkHybridAuth } from '@/lib/auth/hybrid' +import { checkSessionOrInternalAuth } from '@/lib/auth/hybrid' import { CopilotFiles, isUsingCloudStorage } from '@/lib/uploads' import type { StorageContext } from '@/lib/uploads/config' import { downloadFile } from '@/lib/uploads/core/storage-service' @@ -49,7 +49,7 @@ export async function GET( return await handleLocalFilePublic(fullPath) } - const authResult = await checkHybridAuth(request, { requireWorkflowId: false }) + const authResult = await checkSessionOrInternalAuth(request, { requireWorkflowId: false }) if (!authResult.success || !authResult.userId) { logger.warn('Unauthorized file access attempt', { diff --git a/apps/sim/app/api/knowledge/[id]/tag-definitions/route.ts b/apps/sim/app/api/knowledge/[id]/tag-definitions/route.ts index ba52994c8..cbc5ac90e 100644 --- a/apps/sim/app/api/knowledge/[id]/tag-definitions/route.ts +++ b/apps/sim/app/api/knowledge/[id]/tag-definitions/route.ts @@ -2,7 +2,7 @@ import { randomUUID } from 'crypto' import { createLogger } from '@sim/logger' import { type NextRequest, NextResponse } from 'next/server' import { z } from 'zod' -import { checkHybridAuth } from '@/lib/auth/hybrid' +import { checkSessionOrInternalAuth } from '@/lib/auth/hybrid' import { SUPPORTED_FIELD_TYPES } from '@/lib/knowledge/constants' import { createTagDefinition, getTagDefinitions } from '@/lib/knowledge/tags/service' import { checkKnowledgeBaseAccess } from '@/app/api/knowledge/utils' 
@@ -19,19 +19,11 @@ export async function GET(req: NextRequest, { params }: { params: Promise<{ id: try { logger.info(`[${requestId}] Getting tag definitions for knowledge base ${knowledgeBaseId}`) - const auth = await checkHybridAuth(req, { requireWorkflowId: false }) + const auth = await checkSessionOrInternalAuth(req, { requireWorkflowId: false }) if (!auth.success) { return NextResponse.json({ error: auth.error || 'Unauthorized' }, { status: 401 }) } - // Only allow session and internal JWT auth (not API key) - if (auth.authType === 'api_key') { - return NextResponse.json( - { error: 'API key auth not supported for this endpoint' }, - { status: 401 } - ) - } - // For session auth, verify KB access. Internal JWT is trusted. if (auth.authType === 'session' && auth.userId) { const accessCheck = await checkKnowledgeBaseAccess(knowledgeBaseId, auth.userId) @@ -64,19 +56,11 @@ export async function POST(req: NextRequest, { params }: { params: Promise<{ id: try { logger.info(`[${requestId}] Creating tag definition for knowledge base ${knowledgeBaseId}`) - const auth = await checkHybridAuth(req, { requireWorkflowId: false }) + const auth = await checkSessionOrInternalAuth(req, { requireWorkflowId: false }) if (!auth.success) { return NextResponse.json({ error: auth.error || 'Unauthorized' }, { status: 401 }) } - // Only allow session and internal JWT auth (not API key) - if (auth.authType === 'api_key') { - return NextResponse.json( - { error: 'API key auth not supported for this endpoint' }, - { status: 401 } - ) - } - // For session auth, verify KB access. Internal JWT is trusted. if (auth.authType === 'session' && auth.userId) { const accessCheck = await checkKnowledgeBaseAccess(knowledgeBaseId, auth.userId) diff --git a/apps/sim/app/api/logs/execution/[executionId]/route.ts b/apps/sim/app/api/logs/execution/[executionId]/route.ts index 8d7004ef5..27a75298d 100644 --- a/apps/sim/app/api/logs/execution/[executionId]/route.ts 
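Review bot: With the explicit `api_key` rejection removed from both the GET and POST hunks, the access check that follows is still gated on `auth.authType === 'session' && auth.userId`. Any successful auth result that is not a session therefore skips `checkKnowledgeBaseAccess`. That is safe only while `checkSessionOrInternalAuth` returns nothing but session or internal-JWT results, which these hunks do not show. Inverting the branch makes the route fail closed: open it with `if (auth.authType !== 'internal_jwt') {`, return 401 when `auth.userId` is missing, and run the access check otherwise. Both handler bodies continue outside the hunks.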
+++ b/apps/sim/app/api/logs/execution/[executionId]/route.ts @@ -8,7 +8,7 @@ import { import { createLogger } from '@sim/logger' import { and, eq, inArray } from 'drizzle-orm' import { type NextRequest, NextResponse } from 'next/server' -import { checkHybridAuth } from '@/lib/auth/hybrid' +import { checkSessionOrInternalAuth } from '@/lib/auth/hybrid' import { generateRequestId } from '@/lib/core/utils/request' import type { TraceSpan, WorkflowExecutionLog } from '@/lib/logs/types' @@ -23,7 +23,7 @@ export async function GET( try { const { executionId } = await params - const authResult = await checkHybridAuth(request, { requireWorkflowId: false }) + const authResult = await checkSessionOrInternalAuth(request, { requireWorkflowId: false }) if (!authResult.success || !authResult.userId) { logger.warn(`[${requestId}] Unauthorized execution data access attempt for: ${executionId}`) return NextResponse.json( diff --git a/apps/sim/app/api/memory/[id]/route.ts b/apps/sim/app/api/memory/[id]/route.ts index 2f5b5ae1c..4a4c96b11 100644 --- a/apps/sim/app/api/memory/[id]/route.ts +++ b/apps/sim/app/api/memory/[id]/route.ts @@ -4,7 +4,7 @@ import { createLogger } from '@sim/logger' import { and, eq } from 'drizzle-orm' import { type NextRequest, NextResponse } from 'next/server' import { z } from 'zod' -import { checkHybridAuth } from '@/lib/auth/hybrid' +import { checkInternalAuth } from '@/lib/auth/hybrid' import { generateRequestId } from '@/lib/core/utils/request' import { checkWorkspaceAccess } from '@/lib/workspaces/permissions/utils' 
@@ -36,7 +36,7 @@ async function validateMemoryAccess( requestId: string, action: 'read' | 'write' ): Promise<{ userId: string } | { error: NextResponse }> { - const authResult = await checkHybridAuth(request, { requireWorkflowId: false }) + const authResult = await checkInternalAuth(request, { requireWorkflowId: false }) if (!authResult.success || !authResult.userId) { logger.warn(`[${requestId}] Unauthorized memory ${action} attempt`) return { diff --git a/apps/sim/app/api/memory/route.ts b/apps/sim/app/api/memory/route.ts index 072756c7a..c5a4638d7 100644 --- a/apps/sim/app/api/memory/route.ts +++ b/apps/sim/app/api/memory/route.ts @@ -3,7 +3,7 @@ import { memory } from '@sim/db/schema' import { createLogger } from '@sim/logger' import { and, eq, isNull, like } from 'drizzle-orm' import { type NextRequest, NextResponse } from 'next/server' -import { checkHybridAuth } from '@/lib/auth/hybrid' +import { checkInternalAuth } from '@/lib/auth/hybrid' import { generateRequestId } from '@/lib/core/utils/request' import { checkWorkspaceAccess } from '@/lib/workspaces/permissions/utils' @@ -16,7 +16,7 @@ export async function GET(request: NextRequest) { const requestId = generateRequestId() try { - const authResult = await checkHybridAuth(request) + const authResult = await checkInternalAuth(request) if (!authResult.success || !authResult.userId) { logger.warn(`[${requestId}] Unauthorized memory access attempt`) return NextResponse.json( @@ -89,7 +89,7 @@ export async function POST(request: NextRequest) { const requestId = generateRequestId() try { - const authResult = await checkHybridAuth(request) + const authResult = await checkInternalAuth(request) if (!authResult.success || !authResult.userId) { logger.warn(`[${requestId}] Unauthorized memory creation attempt`) return NextResponse.json( 
@@ -228,7 +228,7 @@ export async function DELETE(request: NextRequest) { const requestId = generateRequestId() try { - const authResult = await checkHybridAuth(request) + const authResult = await checkInternalAuth(request) if (!authResult.success || !authResult.userId) { logger.warn(`[${requestId}] Unauthorized memory deletion attempt`) return NextResponse.json( diff --git a/apps/sim/app/api/tools/a2a/cancel-task/route.ts b/apps/sim/app/api/tools/a2a/cancel-task/route.ts index 9298273ce..d36b63e6b 100644 --- a/apps/sim/app/api/tools/a2a/cancel-task/route.ts +++ b/apps/sim/app/api/tools/a2a/cancel-task/route.ts @@ -3,7 +3,7 @@ import { createLogger } from '@sim/logger' import { type NextRequest, NextResponse } from 'next/server' import { z } from 'zod' import { createA2AClient } from '@/lib/a2a/utils' -import { checkHybridAuth } from '@/lib/auth/hybrid' +import { checkSessionOrInternalAuth } from '@/lib/auth/hybrid' import { generateRequestId } from '@/lib/core/utils/request' const logger = createLogger('A2ACancelTaskAPI') @@ -20,7 +20,7 @@ export async function POST(request: NextRequest) { const requestId = generateRequestId() try { - const authResult = await checkHybridAuth(request, { requireWorkflowId: false }) + const authResult = await checkSessionOrInternalAuth(request, { requireWorkflowId: false }) if (!authResult.success) { logger.warn(`[${requestId}] Unauthorized A2A cancel task attempt`) diff --git a/apps/sim/app/api/tools/a2a/delete-push-notification/route.ts b/apps/sim/app/api/tools/a2a/delete-push-notification/route.ts index f222ef883..e2ed939c5 100644 --- a/apps/sim/app/api/tools/a2a/delete-push-notification/route.ts +++ b/apps/sim/app/api/tools/a2a/delete-push-notification/route.ts 
@@ -2,7 +2,7 @@ import { createLogger } from '@sim/logger' import { type NextRequest, NextResponse } from 'next/server' import { z } from 'zod' import { createA2AClient } from '@/lib/a2a/utils' -import { checkHybridAuth } from '@/lib/auth/hybrid' +import { checkSessionOrInternalAuth } from '@/lib/auth/hybrid' import { generateRequestId } from '@/lib/core/utils/request' export const dynamic = 'force-dynamic' @@ -20,7 +20,7 @@ export async function POST(request: NextRequest) { const requestId = generateRequestId() try { - const authResult = await checkHybridAuth(request, { requireWorkflowId: false }) + const authResult = await checkSessionOrInternalAuth(request, { requireWorkflowId: false }) if (!authResult.success) { logger.warn( diff --git a/apps/sim/app/api/tools/a2a/get-agent-card/route.ts b/apps/sim/app/api/tools/a2a/get-agent-card/route.ts index c26ed764b..8562b651b 100644 --- a/apps/sim/app/api/tools/a2a/get-agent-card/route.ts +++ b/apps/sim/app/api/tools/a2a/get-agent-card/route.ts @@ -2,7 +2,7 @@ import { createLogger } from '@sim/logger' import { type NextRequest, NextResponse } from 'next/server' import { z } from 'zod' import { createA2AClient } from '@/lib/a2a/utils' -import { checkHybridAuth } from '@/lib/auth/hybrid' +import { checkSessionOrInternalAuth } from '@/lib/auth/hybrid' import { generateRequestId } from '@/lib/core/utils/request' export const dynamic = 'force-dynamic' @@ -18,7 +18,7 @@ export async function POST(request: NextRequest) { const requestId = generateRequestId() try { - const authResult = await checkHybridAuth(request, { requireWorkflowId: false }) + const authResult = await checkSessionOrInternalAuth(request, { requireWorkflowId: false }) if (!authResult.success) { logger.warn(`[${requestId}] Unauthorized A2A get agent card attempt: ${authResult.error}`) diff --git a/apps/sim/app/api/tools/a2a/get-push-notification/route.ts b/apps/sim/app/api/tools/a2a/get-push-notification/route.ts index 5feedf4de..337e79a9d 100644 
--- a/apps/sim/app/api/tools/a2a/get-push-notification/route.ts +++ b/apps/sim/app/api/tools/a2a/get-push-notification/route.ts @@ -2,7 +2,7 @@ import { createLogger } from '@sim/logger' import { type NextRequest, NextResponse } from 'next/server' import { z } from 'zod' import { createA2AClient } from '@/lib/a2a/utils' -import { checkHybridAuth } from '@/lib/auth/hybrid' +import { checkSessionOrInternalAuth } from '@/lib/auth/hybrid' import { generateRequestId } from '@/lib/core/utils/request' export const dynamic = 'force-dynamic' @@ -19,7 +19,7 @@ export async function POST(request: NextRequest) { const requestId = generateRequestId() try { - const authResult = await checkHybridAuth(request, { requireWorkflowId: false }) + const authResult = await checkSessionOrInternalAuth(request, { requireWorkflowId: false }) if (!authResult.success) { logger.warn( diff --git a/apps/sim/app/api/tools/a2a/get-task/route.ts b/apps/sim/app/api/tools/a2a/get-task/route.ts index 35aa5e278..eda09dfd0 100644 --- a/apps/sim/app/api/tools/a2a/get-task/route.ts +++ b/apps/sim/app/api/tools/a2a/get-task/route.ts @@ -3,7 +3,7 @@ import { createLogger } from '@sim/logger' import { type NextRequest, NextResponse } from 'next/server' import { z } from 'zod' import { createA2AClient } from '@/lib/a2a/utils' -import { checkHybridAuth } from '@/lib/auth/hybrid' +import { checkSessionOrInternalAuth } from '@/lib/auth/hybrid' import { generateRequestId } from '@/lib/core/utils/request' export const dynamic = 'force-dynamic' @@ -21,7 +21,7 @@ export async function POST(request: NextRequest) { const requestId = generateRequestId() try { - const authResult = await checkHybridAuth(request, { requireWorkflowId: false }) + const authResult = await checkSessionOrInternalAuth(request, { requireWorkflowId: false }) if (!authResult.success) { logger.warn(`[${requestId}] Unauthorized A2A get task attempt: ${authResult.error}`) 
diff --git a/apps/sim/app/api/tools/a2a/resubscribe/route.ts b/apps/sim/app/api/tools/a2a/resubscribe/route.ts index 75c0d24ae..38ac95a3c 100644 --- a/apps/sim/app/api/tools/a2a/resubscribe/route.ts +++ b/apps/sim/app/api/tools/a2a/resubscribe/route.ts @@ -10,7 +10,7 @@ import { createLogger } from '@sim/logger' import { type NextRequest, NextResponse } from 'next/server' import { z } from 'zod' import { createA2AClient, extractTextContent, isTerminalState } from '@/lib/a2a/utils' -import { checkHybridAuth } from '@/lib/auth/hybrid' +import { checkSessionOrInternalAuth } from '@/lib/auth/hybrid' import { generateRequestId } from '@/lib/core/utils/request' const logger = createLogger('A2AResubscribeAPI') @@ -27,7 +27,7 @@ export async function POST(request: NextRequest) { const requestId = generateRequestId() try { - const authResult = await checkHybridAuth(request, { requireWorkflowId: false }) + const authResult = await checkSessionOrInternalAuth(request, { requireWorkflowId: false }) if (!authResult.success) { logger.warn(`[${requestId}] Unauthorized A2A resubscribe attempt`) diff --git a/apps/sim/app/api/tools/a2a/send-message/route.ts b/apps/sim/app/api/tools/a2a/send-message/route.ts index 4c98dc67a..1cf7f966e 100644 --- a/apps/sim/app/api/tools/a2a/send-message/route.ts +++ b/apps/sim/app/api/tools/a2a/send-message/route.ts @@ -3,7 +3,7 @@ import { createLogger } from '@sim/logger' import { type NextRequest, NextResponse } from 'next/server' import { z } from 'zod' import { createA2AClient, extractTextContent, isTerminalState } from '@/lib/a2a/utils' -import { checkHybridAuth } from '@/lib/auth/hybrid' +import { checkSessionOrInternalAuth } from '@/lib/auth/hybrid' import { validateUrlWithDNS } from '@/lib/core/security/input-validation.server' import { generateRequestId } from '@/lib/core/utils/request' 
@@ -32,7 +32,7 @@ export async function POST(request: NextRequest) { const requestId = generateRequestId() try { - const authResult = await checkHybridAuth(request, { requireWorkflowId: false }) + const authResult = await checkSessionOrInternalAuth(request, { requireWorkflowId: false }) if (!authResult.success) { logger.warn(`[${requestId}] Unauthorized A2A send message attempt: ${authResult.error}`) diff --git a/apps/sim/app/api/tools/a2a/set-push-notification/route.ts b/apps/sim/app/api/tools/a2a/set-push-notification/route.ts index 132bb6be2..e12fbd6d9 100644 --- a/apps/sim/app/api/tools/a2a/set-push-notification/route.ts +++ b/apps/sim/app/api/tools/a2a/set-push-notification/route.ts @@ -2,7 +2,7 @@ import { createLogger } from '@sim/logger' import { type NextRequest, NextResponse } from 'next/server' import { z } from 'zod' import { createA2AClient } from '@/lib/a2a/utils' -import { checkHybridAuth } from '@/lib/auth/hybrid' +import { checkSessionOrInternalAuth } from '@/lib/auth/hybrid' import { validateUrlWithDNS } from '@/lib/core/security/input-validation.server' import { generateRequestId } from '@/lib/core/utils/request' @@ -22,7 +22,7 @@ export async function POST(request: NextRequest) { const requestId = generateRequestId() try { - const authResult = await checkHybridAuth(request, { requireWorkflowId: false }) + const authResult = await checkSessionOrInternalAuth(request, { requireWorkflowId: false }) if (!authResult.success) { logger.warn(`[${requestId}] Unauthorized A2A set push notification attempt`, { diff --git a/apps/sim/app/api/users/me/usage-logs/route.ts b/apps/sim/app/api/users/me/usage-logs/route.ts index 3c4f1229f..038cf2ece 100644 --- a/apps/sim/app/api/users/me/usage-logs/route.ts +++ b/apps/sim/app/api/users/me/usage-logs/route.ts 
@@ -1,7 +1,7 @@ import { createLogger } from '@sim/logger' import { type NextRequest, NextResponse } from 'next/server' import { z } from 'zod' -import { checkHybridAuth } from '@/lib/auth/hybrid' +import { checkSessionOrInternalAuth } from '@/lib/auth/hybrid' import { getUserUsageLogs, type UsageLogSource } from '@/lib/billing/core/usage-log' const logger = createLogger('UsageLogsAPI') @@ -20,7 +20,7 @@ const QuerySchema = z.object({ */ export async function GET(req: NextRequest) { try { - const auth = await checkHybridAuth(req, { requireWorkflowId: false }) + const auth = await checkSessionOrInternalAuth(req, { requireWorkflowId: false }) if (!auth.success || !auth.userId) { return NextResponse.json({ error: 'Unauthorized' }, { status: 401 }) diff --git a/apps/sim/app/workspace/[workspaceId]/logs/components/log-details/components/file-download/file-download.tsx b/apps/sim/app/workspace/[workspaceId]/logs/components/log-details/components/file-download/file-download.tsx index 3dd05f8d8..5985a00c0 100644 --- a/apps/sim/app/workspace/[workspaceId]/logs/components/log-details/components/file-download/file-download.tsx +++ b/apps/sim/app/workspace/[workspaceId]/logs/components/log-details/components/file-download/file-download.tsx @@ -74,8 +74,7 @@ function FileCard({ file, isExecutionFile = false, workspaceId }: FileCardProps) } if (isExecutionFile) { - const serveUrl = - file.url || `/api/files/serve/${encodeURIComponent(file.key)}?context=execution` + const serveUrl = `/api/files/serve/${encodeURIComponent(file.key)}?context=execution` window.open(serveUrl, '_blank') logger.info(`Opened execution file serve URL: ${serveUrl}`) } else { 
@@ -88,16 +87,12 @@ function FileCard({ file, isExecutionFile = false, workspaceId }: FileCardProps) logger.warn( `Could not construct viewer URL for file: ${file.name}, falling back to serve URL` ) - const serveUrl = - file.url || `/api/files/serve/${encodeURIComponent(file.key)}?context=workspace` + const serveUrl = `/api/files/serve/${encodeURIComponent(file.key)}?context=workspace` window.open(serveUrl, '_blank') } } } catch (error) { logger.error(`Failed to download file ${file.name}:`, error) - if (file.url) { - window.open(file.url, '_blank') - } } finally { setIsDownloading(false) } @@ -198,8 +193,7 @@ export function FileDownload({ } if (isExecutionFile) { - const serveUrl = - file.url || `/api/files/serve/${encodeURIComponent(file.key)}?context=execution` + const serveUrl = `/api/files/serve/${encodeURIComponent(file.key)}?context=execution` window.open(serveUrl, '_blank') logger.info(`Opened execution file serve URL: ${serveUrl}`) } else { @@ -212,16 +206,12 @@ export function FileDownload({ logger.warn( `Could not construct viewer URL for file: ${file.name}, falling back to serve URL` ) - const serveUrl = - file.url || `/api/files/serve/${encodeURIComponent(file.key)}?context=workspace` + const serveUrl = `/api/files/serve/${encodeURIComponent(file.key)}?context=workspace` window.open(serveUrl, '_blank') } } } catch (error) { logger.error(`Failed to download file ${file.name}:`, error) - if (file.url) { - window.open(file.url, '_blank') - } } finally { setIsDownloading(false) } diff --git a/apps/sim/blocks/blocks/agent.ts b/apps/sim/blocks/blocks/agent.ts index bf8ec0d66..7e7b12f96 100644 --- a/apps/sim/blocks/blocks/agent.ts +++ b/apps/sim/blocks/blocks/agent.ts 
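Review bot: With the `file.url` fallback gone from the `catch` blocks of `FileCard` and `FileDownload`, a failed download is only written to `logger.error` and `isDownloading` is reset, so the user gets no indication that anything went wrong. Dropping the fallback is sound, since the page no longer opens a URL taken from the file record, but the failure should be surfaced, for example by setting an error state in the `catch` and rendering it. The same `/api/files/serve/${encodeURIComponent(file.key)}?context=...` string is now built four times across the two components; a small shared helper would keep them from drifting. Both functions start and end outside the hunks.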
@@ -1,11 +1,10 @@ import { createLogger } from '@sim/logger' import { AgentIcon } from '@/components/icons' -import { isHosted } from '@/lib/core/config/feature-flags' import type { BlockConfig } from '@/blocks/types' import { AuthMode } from '@/blocks/types' +import { getApiKeyCondition } from '@/blocks/utils' import { getBaseModelProviders, - getHostedModels, getMaxTemperature, getProviderIcon, getReasoningEffortValuesForModel, @@ -17,15 +16,6 @@ import { providers, supportsTemperature, } from '@/providers/utils' - -const getCurrentOllamaModels = () => { - return useProvidersStore.getState().providers.ollama.models -} - -const getCurrentVLLMModels = () => { - return useProvidersStore.getState().providers.vllm.models -} - import { useProvidersStore } from '@/stores/providers' import type { ToolResponse } from '@/tools/types' @@ -421,23 +411,7 @@ Return ONLY the JSON array.`, password: true, connectionDroppable: false, required: true, - // Hide API key for hosted models, Ollama models, vLLM models, Vertex models (uses OAuth), and Bedrock (uses AWS credentials) - condition: isHosted - ? { - field: 'model', - value: [...getHostedModels(), ...providers.vertex.models, ...providers.bedrock.models], - not: true, // Show for all models EXCEPT those listed - } - : () => ({ - field: 'model', - value: [ - ...getCurrentOllamaModels(), - ...getCurrentVLLMModels(), - ...providers.vertex.models, - ...providers.bedrock.models, - ], - not: true, // Show for all models EXCEPT Ollama, vLLM, Vertex, and Bedrock models - }), + condition: getApiKeyCondition(), }, { id: 'memoryType', diff --git a/apps/sim/blocks/types.ts b/apps/sim/blocks/types.ts index a9904dd2e..08a716925 100644 --- a/apps/sim/blocks/types.ts +++ b/apps/sim/blocks/types.ts @@ -208,7 +208,7 @@ export interface SubBlockConfig { not?: boolean } } - | (() => { + | ((values?: Record) => { field: string value: string | number | boolean | Array not?: boolean 
@@ -261,7 +261,7 @@ export interface SubBlockConfig { not?: boolean } } - | (() => { + | ((values?: Record) => { field: string value: string | number | boolean | Array not?: boolean diff --git a/apps/sim/blocks/utils.ts b/apps/sim/blocks/utils.ts index eed4a5c37..8c003e0ad 100644 --- a/apps/sim/blocks/utils.ts +++ b/apps/sim/blocks/utils.ts @@ -1,6 +1,6 @@ import { isHosted } from '@/lib/core/config/feature-flags' import type { BlockOutput, OutputFieldDefinition, SubBlockConfig } from '@/blocks/types' -import { getHostedModels, providers } from '@/providers/utils' +import { getHostedModels, getProviderFromModel, providers } from '@/providers/utils' import { useProvidersStore } from '@/stores/providers/store' /** 
@@ -48,11 +48,54 @@ const getCurrentOllamaModels = () => { return useProvidersStore.getState().providers.ollama.models } -/** - * Helper to get current vLLM models from store - */ -const getCurrentVLLMModels = () => { - return useProvidersStore.getState().providers.vllm.models +function buildModelVisibilityCondition(model: string, shouldShow: boolean) { + if (!model) { + return { field: 'model', value: '__no_model_selected__' } + } + + return shouldShow ? { field: 'model', value: model } : { field: 'model', value: model, not: true } +} + +function shouldRequireApiKeyForModel(model: string): boolean { + const normalizedModel = model.trim().toLowerCase() + if (!normalizedModel) return false + + const hostedModels = getHostedModels() + const isHostedModel = hostedModels.some( + (hostedModel) => hostedModel.toLowerCase() === normalizedModel + ) + if (isHosted && isHostedModel) return false + + if (normalizedModel.startsWith('vertex/') || normalizedModel.startsWith('bedrock/')) { + return false + } + + if (normalizedModel.startsWith('vllm/')) { + return false + } + + const currentOllamaModels = getCurrentOllamaModels() + if (currentOllamaModels.some((ollamaModel) => ollamaModel.toLowerCase() === normalizedModel)) { + return false + } + + if (!isHosted) { + try { + const providerId = getProviderFromModel(model) + if ( + providerId === 'ollama' || + providerId === 'vllm' || + providerId === 'vertex' || + providerId === 'bedrock' + ) { + return false + } + } catch { + // If model resolution fails, fall through and require an API key. + } + } + + return true } /** 
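Review bot: In `shouldRequireApiKeyForModel` the `vllm/` prefix check and the Ollama store lookup sit before the `if (!isHosted)` block, so they also apply when `isHosted` is true. The hosted branch that the next hunk removes from `getApiKeyCondition` excluded only hosted, Vertex and Bedrock models. If hiding the key field for those models on hosted deployments is not intended, guard them, e.g. `if (!isHosted && normalizedModel.startsWith('vllm/')) return false`. `getProviderFromModel(model)` also receives the untrimmed, case-preserved string while every other comparison uses `normalizedModel`. Both new helpers would benefit from a one-line doc comment such as `/** Returns false for models whose provider does not take a user-supplied API key. */`.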
@@ -60,22 +103,11 @@ const getCurrentVLLMModels = () => { * Handles hosted vs self-hosted environments and excludes providers that don't need API key. */ export function getApiKeyCondition() { - return isHosted - ? { - field: 'model', - value: [...getHostedModels(), ...providers.vertex.models, ...providers.bedrock.models], - not: true, - } - : () => ({ - field: 'model', - value: [ - ...getCurrentOllamaModels(), - ...getCurrentVLLMModels(), - ...providers.vertex.models, - ...providers.bedrock.models, - ], - not: true, - }) + return (values?: Record) => { + const model = typeof values?.model === 'string' ? values.model : '' + const shouldShow = shouldRequireApiKeyForModel(model) + return buildModelVisibilityCondition(model, shouldShow) + } } /** diff --git a/apps/sim/executor/handlers/agent/agent-handler.ts b/apps/sim/executor/handlers/agent/agent-handler.ts index a1f0cee0d..524407506 100644 --- a/apps/sim/executor/handlers/agent/agent-handler.ts +++ b/apps/sim/executor/handlers/agent/agent-handler.ts @@ -378,6 +378,9 @@ export class AgentBlockHandler implements BlockHandler { if (ctx.workflowId) { params.workflowId = ctx.workflowId } + if (ctx.userId) { + params.userId = ctx.userId + } const url = buildAPIUrl('/api/tools/custom', params) const response = await fetch(url.toString(), { @@ -488,7 +491,9 @@ export class AgentBlockHandler implements BlockHandler { usageControl: tool.usageControl || 'auto', executeFunction: async (callParams: Record) => { const headers = await buildAuthHeaders() - const execUrl = buildAPIUrl('/api/mcp/tools/execute') + const execParams: Record = {} + if (ctx.userId) execParams.userId = ctx.userId + const execUrl = buildAPIUrl('/api/mcp/tools/execute', execParams) const execResponse = await fetch(execUrl.toString(), { method: 'POST', 
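Review bot: The `@@ -378,6 +378,9 @@` hunk in agent-handler.ts starts sending the acting identity as a plain `userId` query parameter, and nothing visible here shows how `/api/tools/custom` decides whether to trust it. The receiving routes should honour that parameter only when the request authenticated as `internal_jwt` and otherwise use the id from the authenticated session; this presumably happens in the route handlers, which are outside this diff, so it is worth confirming. The same parameter is added in the other agent-handler hunks (`/api/mcp/tools/execute`, the discovery call, the provider request), in evaluator-handler.ts, router-handler.ts and tools/index.ts, so one shared server-side check would cover them all. Query strings also tend to end up in access logs; carrying the id as a claim in the signed internal token would avoid both issues. The enclosing methods start and end outside these hunks.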
@@ -597,6 +602,7 @@ export class AgentBlockHandler implements BlockHandler { serverId, workspaceId: ctx.workspaceId, workflowId: ctx.workflowId, + ...(ctx.userId ? { userId: ctx.userId } : {}), }) const maxAttempts = 2 @@ -671,7 +677,9 @@ export class AgentBlockHandler implements BlockHandler { usageControl: tool.usageControl || 'auto', executeFunction: async (callParams: Record) => { const headers = await buildAuthHeaders() - const execUrl = buildAPIUrl('/api/mcp/tools/execute') + const discoverExecParams: Record = {} + if (ctx.userId) discoverExecParams.userId = ctx.userId + const execUrl = buildAPIUrl('/api/mcp/tools/execute', discoverExecParams) const execResponse = await fetch(execUrl.toString(), { method: 'POST', @@ -1056,6 +1064,7 @@ export class AgentBlockHandler implements BlockHandler { responseFormat: providerRequest.responseFormat, workflowId: providerRequest.workflowId, workspaceId: ctx.workspaceId, + userId: ctx.userId, stream: providerRequest.stream, messages: 'messages' in providerRequest ? providerRequest.messages : undefined, environmentVariables: ctx.environmentVariables || {}, diff --git a/apps/sim/executor/handlers/evaluator/evaluator-handler.ts b/apps/sim/executor/handlers/evaluator/evaluator-handler.ts index 8c432f1da..65ea2f9ea 100644 --- a/apps/sim/executor/handlers/evaluator/evaluator-handler.ts +++ b/apps/sim/executor/handlers/evaluator/evaluator-handler.ts @@ -104,7 +104,7 @@ export class EvaluatorBlockHandler implements BlockHandler { } try { - const url = buildAPIUrl('/api/providers') + const url = buildAPIUrl('/api/providers', ctx.userId ? { userId: ctx.userId } : {}) const providerRequest: Record = { provider: providerId, diff --git a/apps/sim/executor/handlers/router/router-handler.ts b/apps/sim/executor/handlers/router/router-handler.ts index 541cdccca..a42956c66 100644 --- a/apps/sim/executor/handlers/router/router-handler.ts +++ b/apps/sim/executor/handlers/router/router-handler.ts 
@@ -80,6 +80,7 @@ export class RouterBlockHandler implements BlockHandler { try { const url = new URL('/api/providers', getBaseUrl()) + if (ctx.userId) url.searchParams.set('userId', ctx.userId) const messages = [{ role: 'user', content: routerConfig.prompt }] const systemPrompt = generateRouterPrompt(routerConfig.prompt, targetBlocks) @@ -209,6 +210,7 @@ export class RouterBlockHandler implements BlockHandler { try { const url = new URL('/api/providers', getBaseUrl()) + if (ctx.userId) url.searchParams.set('userId', ctx.userId) const messages = [{ role: 'user', content: routerConfig.context }] const systemPrompt = generateRouterV2Prompt(routerConfig.context, routes) diff --git a/apps/sim/lib/auth/credential-access.ts b/apps/sim/lib/auth/credential-access.ts index be7b7e1bd..61b0f655a 100644 --- a/apps/sim/lib/auth/credential-access.ts +++ b/apps/sim/lib/auth/credential-access.ts @@ -2,13 +2,13 @@ import { db } from '@sim/db' import { account, workflow as workflowTable } from '@sim/db/schema' import { eq } from 'drizzle-orm' import type { NextRequest } from 'next/server' -import { checkHybridAuth } from '@/lib/auth/hybrid' +import { checkSessionOrInternalAuth } from '@/lib/auth/hybrid' import { getUserEntityPermissions } from '@/lib/workspaces/permissions/utils' export interface CredentialAccessResult { ok: boolean error?: string - authType?: 'session' | 'api_key' | 'internal_jwt' + authType?: 'session' | 'internal_jwt' requesterUserId?: string credentialOwnerUserId?: string workspaceId?: string 
@@ -16,10 +16,10 @@ export interface CredentialAccessResult { /** * Centralizes auth + collaboration rules for credential use. - * - Uses checkHybridAuth to authenticate the caller + * - Uses checkSessionOrInternalAuth to authenticate the caller * - Fetches credential owner * - Authorization rules: - * - session/api_key: allow if requester owns the credential; otherwise require workflowId and + * - session: allow if requester owns the credential; otherwise require workflowId and * verify BOTH requester and owner have access to the workflow's workspace * - internal_jwt: require workflowId (by default) and verify credential owner has access to the * workflow's workspace (requester identity is the system/workflow) @@ -30,7 +30,9 @@ export async function authorizeCredentialUse( ): Promise { const { credentialId, workflowId, requireWorkflowIdForInternal = true } = params - const auth = await checkHybridAuth(request, { requireWorkflowId: requireWorkflowIdForInternal }) + const auth = await checkSessionOrInternalAuth(request, { + requireWorkflowId: requireWorkflowIdForInternal, + }) if (!auth.success || !auth.userId) { return { ok: false, error: auth.error || 'Authentication required' } } @@ -52,7 +54,7 @@ export async function authorizeCredentialUse( if (auth.authType !== 'internal_jwt' && auth.userId === credentialOwnerUserId) { return { ok: true, - authType: auth.authType, + authType: auth.authType as CredentialAccessResult['authType'], requesterUserId: auth.userId, credentialOwnerUserId, } 
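Review bot: `authType: auth.authType as CredentialAccessResult['authType']` in the `@@ -52,7 +54,7 @@` hunk silences the compiler instead of proving that `'api_key'` can no longer reach this point; the same cast is repeated in the `@@ -85,14 +87,14 @@` and `@@ -105,7 +107,7 @@` hunks. If the return type of `checkSessionOrInternalAuth` still includes `'api_key'` (not visible here), the narrowed union in `CredentialAccessResult` is a promise the code never checks. A runtime guard right after the existing `!auth.success || !auth.userId` check would let all three casts go: `if (auth.authType !== 'session' && auth.authType !== 'internal_jwt') return { ok: false, error: 'Authentication required' }`. `authorizeCredentialUse` starts and ends outside this hunk.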
@@ -85,14 +87,14 @@ export async function authorizeCredentialUse( } return { ok: true, - authType: auth.authType, + authType: auth.authType as CredentialAccessResult['authType'], requesterUserId: auth.userId, credentialOwnerUserId, workspaceId: wf.workspaceId, } } - // Session/API key: verify BOTH requester and owner belong to the workflow's workspace + // Session: verify BOTH requester and owner belong to the workflow's workspace const requesterPerm = await getUserEntityPermissions(auth.userId, 'workspace', wf.workspaceId) const ownerPerm = await getUserEntityPermissions( credentialOwnerUserId, @@ -105,7 +107,7 @@ export async function authorizeCredentialUse( return { ok: true, - authType: auth.authType, + authType: auth.authType as CredentialAccessResult['authType'], requesterUserId: auth.userId, credentialOwnerUserId, workspaceId: wf.workspaceId, diff --git a/apps/sim/lib/mcp/middleware.ts b/apps/sim/lib/mcp/middleware.ts index f994990c6..f95e4eac7 100644 --- a/apps/sim/lib/mcp/middleware.ts +++ b/apps/sim/lib/mcp/middleware.ts @@ -1,6 +1,6 @@ import { createLogger } from '@sim/logger' import type { NextRequest, NextResponse } from 'next/server' -import { checkHybridAuth } from '@/lib/auth/hybrid' +import { checkSessionOrInternalAuth } from '@/lib/auth/hybrid' import { generateRequestId } from '@/lib/core/utils/request' import { createMcpErrorResponse } from '@/lib/mcp/utils' import { getUserEntityPermissions } from '@/lib/workspaces/permissions/utils' @@ -43,7 +43,7 @@ async function validateMcpAuth( const requestId = generateRequestId() try { - const auth = await checkHybridAuth(request, { requireWorkflowId: false }) + const auth = await checkSessionOrInternalAuth(request, { requireWorkflowId: false }) if (!auth.success || !auth.userId) { logger.warn(`[${requestId}] Authentication failed: ${auth.error}`) return { diff --git a/apps/sim/lib/webhooks/processor.ts b/apps/sim/lib/webhooks/processor.ts index 6f738855f..15013ab2f 100644 
--- a/apps/sim/lib/webhooks/processor.ts +++ b/apps/sim/lib/webhooks/processor.ts @@ -24,6 +24,7 @@ import { validateTypeformSignature, verifyProviderWebhook, } from '@/lib/webhooks/utils.server' +import { getWorkspaceBilledAccountUserId } from '@/lib/workspaces/utils' import { executeWebhookJob } from '@/background/webhook-execution' import { resolveEnvVarReferences } from '@/executor/utils/reference-validation' import { isGitHubEventMatch } from '@/triggers/github/utils' @@ -1003,10 +1004,23 @@ export async function queueWebhookExecution( } } + if (!foundWorkflow.workspaceId) { + logger.error(`[${options.requestId}] Workflow ${foundWorkflow.id} has no workspaceId`) + return NextResponse.json({ error: 'Workflow has no associated workspace' }, { status: 500 }) + } + + const actorUserId = await getWorkspaceBilledAccountUserId(foundWorkflow.workspaceId) + if (!actorUserId) { + logger.error( + `[${options.requestId}] No billing account for workspace ${foundWorkflow.workspaceId}` + ) + return NextResponse.json({ error: 'Unable to resolve billing account' }, { status: 500 }) + } + const payload = { webhookId: foundWebhook.id, workflowId: foundWorkflow.id, - userId: foundWorkflow.userId, + userId: actorUserId, provider: foundWebhook.provider, body, headers, @@ -1017,7 +1031,7 @@ export async function queueWebhookExecution( const jobQueue = await getJobQueue() const jobId = await jobQueue.enqueue('webhook-execution', payload, { - metadata: { workflowId: foundWorkflow.id, userId: foundWorkflow.userId }, + metadata: { workflowId: foundWorkflow.id, userId: actorUserId }, }) logger.info( `[${options.requestId}] Queued webhook execution task ${jobId} for ${foundWebhook.provider} webhook` diff --git a/apps/sim/lib/workflows/subblocks/visibility.test.ts b/apps/sim/lib/workflows/subblocks/visibility.test.ts index 07b1f1818..b55bfad5f 100644 --- a/apps/sim/lib/workflows/subblocks/visibility.test.ts +++ b/apps/sim/lib/workflows/subblocks/visibility.test.ts 
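Review bot: After the `@@ -1003,10 +1004,23 @@` hunk an inbound webhook runs as the workspace's billed account user instead of `foundWorkflow.userId`, and the workflow owner is no longer recorded anywhere in the payload or the job metadata. Any downstream check keyed on `userId` (credential ownership, for example) will now evaluate a different principal, so it is worth confirming that this does not give the workflow access to resources only the billing user holds. For auditability, keep the owner alongside the actor in the `@@ -1017,7 +1031,7 @@` hunk, for instance `metadata: { workflowId: foundWorkflow.id, userId: actorUserId, workflowOwnerId: foundWorkflow.userId }` (`workflowOwnerId` is a suggested key name). `queueWebhookExecution` starts outside the hunk.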
@@ -156,6 +156,15 @@ describe('evaluateSubBlockCondition', () => { expect(evaluateSubBlockCondition(condition, values)).toBe(true) }) + it.concurrent('passes current values into function conditions', () => { + const condition = (values?: Record) => ({ + field: 'model', + value: typeof values?.model === 'string' ? values.model : '__no_model_selected__', + }) + const values = { model: 'ollama/gemma3:4b' } + expect(evaluateSubBlockCondition(condition, values)).toBe(true) + }) + it.concurrent('handles boolean values', () => { const condition = { field: 'enabled', value: true } const values = { enabled: true } diff --git a/apps/sim/lib/workflows/subblocks/visibility.ts b/apps/sim/lib/workflows/subblocks/visibility.ts index 74eda40fd..1ce0076b4 100644 --- a/apps/sim/lib/workflows/subblocks/visibility.ts +++ b/apps/sim/lib/workflows/subblocks/visibility.ts @@ -100,11 +100,14 @@ export function resolveCanonicalMode( * Evaluate a subblock condition against a map of raw values. */ export function evaluateSubBlockCondition( - condition: SubBlockCondition | (() => SubBlockCondition) | undefined, + condition: + | SubBlockCondition + | ((values?: Record) => SubBlockCondition) + | undefined, values: Record ): boolean { if (!condition) return true - const actual = typeof condition === 'function' ? condition() : condition + const actual = typeof condition === 'function' ? condition(values) : condition const fieldValue = values[actual.field] const valueMatch = Array.isArray(actual.value) ? fieldValue != null && diff --git a/apps/sim/tools/index.ts b/apps/sim/tools/index.ts index 09c3ac616..040a40a27 100644 --- a/apps/sim/tools/index.ts +++ b/apps/sim/tools/index.ts @@ -961,6 +961,7 @@ async function executeMcpTool( const workspaceId = params._context?.workspaceId || executionContext?.workspaceId const workflowId = params._context?.workflowId || executionContext?.workflowId + const userId = params._context?.userId || executionContext?.userId if (!workspaceId) { return { 
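Review bot: In the tools/index.ts hunk (`@@ -961,6 +961,7 @@`), `params._context?.userId || executionContext?.userId` lets a value inside the tool-call parameters take precedence over the executor's own context when choosing the acting user. If `params` can ever contain keys that originate from model-generated tool arguments or user input (not determinable from this hunk), the identity forwarded to `/api/mcp/tools/execute` would be caller-influenced. Prefer the executor-owned value first, `const userId = executionContext?.userId || params._context?.userId`, or document where `_context` is overwritten before `executeMcpTool` is reached. The `workspaceId` and `workflowId` lines above it follow the same order and deserve the same look. `executeMcpTool` continues outside the hunk.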
@@ -1002,7 +1003,12 @@ async function executeMcpTool( hasToolSchema: !!toolSchema, }) - const response = await fetch(`${baseUrl}/api/mcp/tools/execute`, { + const mcpUrl = new URL('/api/mcp/tools/execute', baseUrl) + if (userId) { + mcpUrl.searchParams.set('userId', userId) + } + + const response = await fetch(mcpUrl.toString(), { method: 'POST', headers, body, From 925f06add77e6e1b526a353c93ac7158825c24fc Mon Sep 17 00:00:00 2001 From: Vikhyath Mondreti Date: Fri, 6 Feb 2026 22:12:40 -0800 Subject: [PATCH 5/8] improvement(preview): render nested values like input format correctly in workflow execution preview (#3154) * improvement(preview): nested workflow snapshots/preview when not executed * improvements to resolve nested subblock values * few more things * add try catch * fix fallback case * deps --- .../credential-selector.tsx | 8 ++- .../document-selector/document-selector.tsx | 5 +- .../document-tag-entry/document-tag-entry.tsx | 5 +- .../file-selector/file-selector-input.tsx | 49 ++++++++++++------- .../components/folder-selector-input.tsx | 14 +++++- .../input-mapping/input-mapping.tsx | 9 +++- .../knowledge-tag-filters.tsx | 5 +- .../mcp-dynamic-args/mcp-dynamic-args.tsx | 13 ++++- .../mcp-server-modal/mcp-tool-selector.tsx | 8 ++- .../project-selector-input.tsx | 16 ++++-- .../sheet-selector/sheet-selector-input.tsx | 8 ++- .../slack-selector/slack-selector-input.tsx | 13 +++-- .../components/tool-input/tool-input.tsx | 1 + .../editor/components/sub-block/sub-block.tsx | 10 ++++ .../editor/components/sub-block/utils.ts | 18 +++++++ .../preview-editor/preview-editor.tsx | 16 ++++-- .../lib/logs/execution/snapshot/service.ts | 16 +++++- 17 files changed, 171 insertions(+), 43 deletions(-) create mode 100644 apps/sim/app/workspace/[workspaceId]/w/[workflowId]/components/panel/components/editor/components/sub-block/utils.ts 
diff --git a/apps/sim/app/workspace/[workspaceId]/w/[workflowId]/components/panel/components/editor/components/sub-block/components/credential-selector/credential-selector.tsx b/apps/sim/app/workspace/[workspaceId]/w/[workflowId]/components/panel/components/editor/components/sub-block/components/credential-selector/credential-selector.tsx index 79087c7c4..378a9baed 100644 --- a/apps/sim/app/workspace/[workspaceId]/w/[workflowId]/components/panel/components/editor/components/sub-block/components/credential-selector/credential-selector.tsx +++ b/apps/sim/app/workspace/[workspaceId]/w/[workflowId]/components/panel/components/editor/components/sub-block/components/credential-selector/credential-selector.tsx @@ -35,6 +35,7 @@ interface CredentialSelectorProps { disabled?: boolean isPreview?: boolean previewValue?: any | null + previewContextValues?: Record } export function CredentialSelector({ @@ -43,6 +44,7 @@ export function CredentialSelector({ disabled = false, isPreview = false, previewValue, + previewContextValues, }: CredentialSelectorProps) { const [showOAuthModal, setShowOAuthModal] = useState(false) const [editingValue, setEditingValue] = useState('') @@ -67,7 +69,11 @@ export function CredentialSelector({ canUseCredentialSets ) - const { depsSatisfied, dependsOn } = useDependsOnGate(blockId, subBlock, { disabled, isPreview }) + const { depsSatisfied, dependsOn } = useDependsOnGate(blockId, subBlock, { + disabled, + isPreview, + previewContextValues, + }) const hasDependencies = dependsOn.length > 0 const effectiveDisabled = disabled || (hasDependencies && !depsSatisfied) diff --git a/apps/sim/app/workspace/[workspaceId]/w/[workflowId]/components/panel/components/editor/components/sub-block/components/document-selector/document-selector.tsx b/apps/sim/app/workspace/[workspaceId]/w/[workflowId]/components/panel/components/editor/components/sub-block/components/document-selector/document-selector.tsx index 012c78338..f1e47ab71 100644 
--- a/apps/sim/app/workspace/[workspaceId]/w/[workflowId]/components/panel/components/editor/components/sub-block/components/document-selector/document-selector.tsx +++ b/apps/sim/app/workspace/[workspaceId]/w/[workflowId]/components/panel/components/editor/components/sub-block/components/document-selector/document-selector.tsx @@ -5,6 +5,7 @@ import { Tooltip } from '@/components/emcn' import { SelectorCombobox } from '@/app/workspace/[workspaceId]/w/[workflowId]/components/panel/components/editor/components/sub-block/components/selector-combobox/selector-combobox' import { useDependsOnGate } from '@/app/workspace/[workspaceId]/w/[workflowId]/components/panel/components/editor/components/sub-block/hooks/use-depends-on-gate' import { useSubBlockValue } from '@/app/workspace/[workspaceId]/w/[workflowId]/components/panel/components/editor/components/sub-block/hooks/use-sub-block-value' +import { resolvePreviewContextValue } from '@/app/workspace/[workspaceId]/w/[workflowId]/components/panel/components/editor/components/sub-block/utils' import type { SubBlockConfig } from '@/blocks/types' import type { SelectorContext } from '@/hooks/selectors/types' @@ -33,7 +34,9 @@ export function DocumentSelector({ previewContextValues, }) const [knowledgeBaseIdFromStore] = useSubBlockValue(blockId, 'knowledgeBaseId') - const knowledgeBaseIdValue = previewContextValues?.knowledgeBaseId ?? knowledgeBaseIdFromStore + const knowledgeBaseIdValue = previewContextValues + ? resolvePreviewContextValue(previewContextValues.knowledgeBaseId) + : knowledgeBaseIdFromStore const normalizedKnowledgeBaseId = typeof knowledgeBaseIdValue === 'string' && knowledgeBaseIdValue.trim().length > 0 ? knowledgeBaseIdValue 
diff --git a/apps/sim/app/workspace/[workspaceId]/w/[workflowId]/components/panel/components/editor/components/sub-block/components/document-tag-entry/document-tag-entry.tsx b/apps/sim/app/workspace/[workspaceId]/w/[workflowId]/components/panel/components/editor/components/sub-block/components/document-tag-entry/document-tag-entry.tsx index ffb5122db..b21c6f9d4 100644 --- a/apps/sim/app/workspace/[workspaceId]/w/[workflowId]/components/panel/components/editor/components/sub-block/components/document-tag-entry/document-tag-entry.tsx +++ b/apps/sim/app/workspace/[workspaceId]/w/[workflowId]/components/panel/components/editor/components/sub-block/components/document-tag-entry/document-tag-entry.tsx @@ -17,6 +17,7 @@ import { formatDisplayText } from '@/app/workspace/[workspaceId]/w/[workflowId]/ import { TagDropdown } from '@/app/workspace/[workspaceId]/w/[workflowId]/components/panel/components/editor/components/sub-block/components/tag-dropdown/tag-dropdown' import { useSubBlockInput } from '@/app/workspace/[workspaceId]/w/[workflowId]/components/panel/components/editor/components/sub-block/hooks/use-sub-block-input' import { useSubBlockValue } from '@/app/workspace/[workspaceId]/w/[workflowId]/components/panel/components/editor/components/sub-block/hooks/use-sub-block-value' +import { resolvePreviewContextValue } from '@/app/workspace/[workspaceId]/w/[workflowId]/components/panel/components/editor/components/sub-block/utils' import { useAccessibleReferencePrefixes } from '@/app/workspace/[workspaceId]/w/[workflowId]/hooks/use-accessible-reference-prefixes' import type { SubBlockConfig } from '@/blocks/types' import { useKnowledgeBaseTagDefinitions } from '@/hooks/kb/use-knowledge-base-tag-definitions' 
@@ -77,7 +78,9 @@ export function DocumentTagEntry({ }) const [knowledgeBaseIdFromStore] = useSubBlockValue(blockId, 'knowledgeBaseId') - const knowledgeBaseIdValue = previewContextValues?.knowledgeBaseId ?? knowledgeBaseIdFromStore + const knowledgeBaseIdValue = previewContextValues + ? resolvePreviewContextValue(previewContextValues.knowledgeBaseId) + : knowledgeBaseIdFromStore const knowledgeBaseId = typeof knowledgeBaseIdValue === 'string' && knowledgeBaseIdValue.trim().length > 0 ? knowledgeBaseIdValue diff --git a/apps/sim/app/workspace/[workspaceId]/w/[workflowId]/components/panel/components/editor/components/sub-block/components/file-selector/file-selector-input.tsx b/apps/sim/app/workspace/[workspaceId]/w/[workflowId]/components/panel/components/editor/components/sub-block/components/file-selector/file-selector-input.tsx index 6805e2ec4..730f01b24 100644 --- a/apps/sim/app/workspace/[workspaceId]/w/[workflowId]/components/panel/components/editor/components/sub-block/components/file-selector/file-selector-input.tsx +++ b/apps/sim/app/workspace/[workspaceId]/w/[workflowId]/components/panel/components/editor/components/sub-block/components/file-selector/file-selector-input.tsx 
@@ -9,6 +9,7 @@ import { SelectorCombobox } from '@/app/workspace/[workspaceId]/w/[workflowId]/c import { useDependsOnGate } from '@/app/workspace/[workspaceId]/w/[workflowId]/components/panel/components/editor/components/sub-block/hooks/use-depends-on-gate' import { useForeignCredential } from '@/app/workspace/[workspaceId]/w/[workflowId]/components/panel/components/editor/components/sub-block/hooks/use-foreign-credential' import { useSubBlockValue } from '@/app/workspace/[workspaceId]/w/[workflowId]/components/panel/components/editor/components/sub-block/hooks/use-sub-block-value' +import { resolvePreviewContextValue } from '@/app/workspace/[workspaceId]/w/[workflowId]/components/panel/components/editor/components/sub-block/utils' import { getBlock } from '@/blocks/registry' import type { SubBlockConfig } from '@/blocks/types' import { isDependency } from '@/blocks/utils' 
@@ -62,42 +63,56 @@ export function FileSelectorInput({ const [domainValueFromStore] = useSubBlockValue(blockId, 'domain') - const connectedCredential = previewContextValues?.credential ?? blockValues.credential - const domainValue = previewContextValues?.domain ?? domainValueFromStore + const connectedCredential = previewContextValues + ? resolvePreviewContextValue(previewContextValues.credential) + : blockValues.credential + const domainValue = previewContextValues + ? resolvePreviewContextValue(previewContextValues.domain) + : domainValueFromStore const teamIdValue = useMemo( () => - previewContextValues?.teamId ?? - resolveDependencyValue('teamId', blockValues, canonicalIndex, canonicalModeOverrides), - [previewContextValues?.teamId, blockValues, canonicalIndex, canonicalModeOverrides] + previewContextValues + ? resolvePreviewContextValue(previewContextValues.teamId) + : resolveDependencyValue('teamId', blockValues, canonicalIndex, canonicalModeOverrides), + [previewContextValues, blockValues, canonicalIndex, canonicalModeOverrides] ) const siteIdValue = useMemo( () => - previewContextValues?.siteId ?? - resolveDependencyValue('siteId', blockValues, canonicalIndex, canonicalModeOverrides), - [previewContextValues?.siteId, blockValues, canonicalIndex, canonicalModeOverrides] + previewContextValues + ? resolvePreviewContextValue(previewContextValues.siteId) + : resolveDependencyValue('siteId', blockValues, canonicalIndex, canonicalModeOverrides), + [previewContextValues, blockValues, canonicalIndex, canonicalModeOverrides] ) const collectionIdValue = useMemo( () => - previewContextValues?.collectionId ?? - resolveDependencyValue('collectionId', blockValues, canonicalIndex, canonicalModeOverrides), - [previewContextValues?.collectionId, blockValues, canonicalIndex, canonicalModeOverrides] + previewContextValues + ? 
resolvePreviewContextValue(previewContextValues.collectionId) + : resolveDependencyValue( + 'collectionId', + blockValues, + canonicalIndex, + canonicalModeOverrides + ), + [previewContextValues, blockValues, canonicalIndex, canonicalModeOverrides] ) const projectIdValue = useMemo( () => - previewContextValues?.projectId ?? - resolveDependencyValue('projectId', blockValues, canonicalIndex, canonicalModeOverrides), - [previewContextValues?.projectId, blockValues, canonicalIndex, canonicalModeOverrides] + previewContextValues + ? resolvePreviewContextValue(previewContextValues.projectId) + : resolveDependencyValue('projectId', blockValues, canonicalIndex, canonicalModeOverrides), + [previewContextValues, blockValues, canonicalIndex, canonicalModeOverrides] ) const planIdValue = useMemo( () => - previewContextValues?.planId ?? - resolveDependencyValue('planId', blockValues, canonicalIndex, canonicalModeOverrides), - [previewContextValues?.planId, blockValues, canonicalIndex, canonicalModeOverrides] + previewContextValues + ? resolvePreviewContextValue(previewContextValues.planId) + : resolveDependencyValue('planId', blockValues, canonicalIndex, canonicalModeOverrides), + [previewContextValues, blockValues, canonicalIndex, canonicalModeOverrides] ) const normalizedCredentialId = diff --git a/apps/sim/app/workspace/[workspaceId]/w/[workflowId]/components/panel/components/editor/components/sub-block/components/folder-selector/components/folder-selector-input.tsx b/apps/sim/app/workspace/[workspaceId]/w/[workflowId]/components/panel/components/editor/components/sub-block/components/folder-selector/components/folder-selector-input.tsx index fa9a48bb4..4be4a8da3 100644 --- a/apps/sim/app/workspace/[workspaceId]/w/[workflowId]/components/panel/components/editor/components/sub-block/components/folder-selector/components/folder-selector-input.tsx 
+++ b/apps/sim/app/workspace/[workspaceId]/w/[workflowId]/components/panel/components/editor/components/sub-block/components/folder-selector/components/folder-selector-input.tsx @@ -6,6 +6,7 @@ import { SelectorCombobox } from '@/app/workspace/[workspaceId]/w/[workflowId]/c import { useDependsOnGate } from '@/app/workspace/[workspaceId]/w/[workflowId]/components/panel/components/editor/components/sub-block/hooks/use-depends-on-gate' import { useForeignCredential } from '@/app/workspace/[workspaceId]/w/[workflowId]/components/panel/components/editor/components/sub-block/hooks/use-foreign-credential' import { useSubBlockValue } from '@/app/workspace/[workspaceId]/w/[workflowId]/components/panel/components/editor/components/sub-block/hooks/use-sub-block-value' +import { resolvePreviewContextValue } from '@/app/workspace/[workspaceId]/w/[workflowId]/components/panel/components/editor/components/sub-block/utils' import type { SubBlockConfig } from '@/blocks/types' import { resolveSelectorForSubBlock } from '@/hooks/selectors/resolution' import { useCollaborativeWorkflow } from '@/hooks/use-collaborative-workflow' @@ -17,6 +18,7 @@ interface FolderSelectorInputProps { disabled?: boolean isPreview?: boolean previewValue?: any | null + previewContextValues?: Record } export function FolderSelectorInput({ 
@@ -25,9 +27,13 @@ export function FolderSelectorInput({ disabled = false, isPreview = false, previewValue, + previewContextValues, }: FolderSelectorInputProps) { const [storeValue] = useSubBlockValue(blockId, subBlock.id) - const [connectedCredential] = useSubBlockValue(blockId, 'credential') + const [credentialFromStore] = useSubBlockValue(blockId, 'credential') + const connectedCredential = previewContextValues + ? resolvePreviewContextValue(previewContextValues.credential) + : credentialFromStore const { collaborativeSetSubblockValue } = useCollaborativeWorkflow() const { activeWorkflowId } = useWorkflowRegistry() const [selectedFolderId, setSelectedFolderId] = useState('') @@ -47,7 +53,11 @@ export function FolderSelectorInput({ ) // Central dependsOn gating - const { finalDisabled } = useDependsOnGate(blockId, subBlock, { disabled, isPreview }) + const { finalDisabled } = useDependsOnGate(blockId, subBlock, { + disabled, + isPreview, + previewContextValues, + }) // Get the current value from the store or prop value if in preview mode useEffect(() => { diff --git a/apps/sim/app/workspace/[workspaceId]/w/[workflowId]/components/panel/components/editor/components/sub-block/components/input-mapping/input-mapping.tsx b/apps/sim/app/workspace/[workspaceId]/w/[workflowId]/components/panel/components/editor/components/sub-block/components/input-mapping/input-mapping.tsx index 55c37277b..69189c762 100644 --- a/apps/sim/app/workspace/[workspaceId]/w/[workflowId]/components/panel/components/editor/components/sub-block/components/input-mapping/input-mapping.tsx +++ b/apps/sim/app/workspace/[workspaceId]/w/[workflowId]/components/panel/components/editor/components/sub-block/components/input-mapping/input-mapping.tsx 
@@ -7,6 +7,7 @@ import { formatDisplayText } from '@/app/workspace/[workspaceId]/w/[workflowId]/ import { TagDropdown } from '@/app/workspace/[workspaceId]/w/[workflowId]/components/panel/components/editor/components/sub-block/components/tag-dropdown/tag-dropdown' import { useSubBlockInput } from '@/app/workspace/[workspaceId]/w/[workflowId]/components/panel/components/editor/components/sub-block/hooks/use-sub-block-input' import { useSubBlockValue } from '@/app/workspace/[workspaceId]/w/[workflowId]/components/panel/components/editor/components/sub-block/hooks/use-sub-block-value' +import { resolvePreviewContextValue } from '@/app/workspace/[workspaceId]/w/[workflowId]/components/panel/components/editor/components/sub-block/utils' import { useAccessibleReferencePrefixes } from '@/app/workspace/[workspaceId]/w/[workflowId]/hooks/use-accessible-reference-prefixes' import { useWorkflowState } from '@/hooks/queries/workflows' @@ -37,6 +38,8 @@ interface InputMappingProps { isPreview?: boolean previewValue?: Record disabled?: boolean + /** Sub-block values from the preview context for resolving sibling sub-block values */ + previewContextValues?: Record } /** @@ -50,9 +53,13 @@ export function InputMapping({ isPreview = false, previewValue, disabled = false, + previewContextValues, }: InputMappingProps) { const [mapping, setMapping] = useSubBlockValue(blockId, subBlockId) - const [selectedWorkflowId] = useSubBlockValue(blockId, 'workflowId') + const [storeWorkflowId] = useSubBlockValue(blockId, 'workflowId') + const selectedWorkflowId = previewContextValues + ? resolvePreviewContextValue(previewContextValues.workflowId) + : storeWorkflowId const inputController = useSubBlockInput({ blockId, 
diff --git a/apps/sim/app/workspace/[workspaceId]/w/[workflowId]/components/panel/components/editor/components/sub-block/components/knowledge-tag-filters/knowledge-tag-filters.tsx b/apps/sim/app/workspace/[workspaceId]/w/[workflowId]/components/panel/components/editor/components/sub-block/components/knowledge-tag-filters/knowledge-tag-filters.tsx index 2198555fc..d297252ab 100644 --- a/apps/sim/app/workspace/[workspaceId]/w/[workflowId]/components/panel/components/editor/components/sub-block/components/knowledge-tag-filters/knowledge-tag-filters.tsx +++ b/apps/sim/app/workspace/[workspaceId]/w/[workflowId]/components/panel/components/editor/components/sub-block/components/knowledge-tag-filters/knowledge-tag-filters.tsx @@ -17,6 +17,7 @@ import { type FilterFieldType, getOperatorsForFieldType } from '@/lib/knowledge/ import { formatDisplayText } from '@/app/workspace/[workspaceId]/w/[workflowId]/components/panel/components/editor/components/sub-block/components/formatted-text' import { TagDropdown } from '@/app/workspace/[workspaceId]/w/[workflowId]/components/panel/components/editor/components/sub-block/components/tag-dropdown/tag-dropdown' import { useSubBlockInput } from '@/app/workspace/[workspaceId]/w/[workflowId]/components/panel/components/editor/components/sub-block/hooks/use-sub-block-input' +import { resolvePreviewContextValue } from '@/app/workspace/[workspaceId]/w/[workflowId]/components/panel/components/editor/components/sub-block/utils' import { useAccessibleReferencePrefixes } from '@/app/workspace/[workspaceId]/w/[workflowId]/hooks/use-accessible-reference-prefixes' import type { SubBlockConfig } from '@/blocks/types' import { useKnowledgeBaseTagDefinitions } from '@/hooks/kb/use-knowledge-base-tag-definitions' 
@@ -69,7 +70,9 @@ export function KnowledgeTagFilters({ const overlayRefs = useRef>({}) const [knowledgeBaseIdFromStore] = useSubBlockValue(blockId, 'knowledgeBaseId') - const knowledgeBaseIdValue = previewContextValues?.knowledgeBaseId ?? knowledgeBaseIdFromStore + const knowledgeBaseIdValue = previewContextValues + ? resolvePreviewContextValue(previewContextValues.knowledgeBaseId) + : knowledgeBaseIdFromStore const knowledgeBaseId = typeof knowledgeBaseIdValue === 'string' && knowledgeBaseIdValue.trim().length > 0 ? knowledgeBaseIdValue diff --git a/apps/sim/app/workspace/[workspaceId]/w/[workflowId]/components/panel/components/editor/components/sub-block/components/mcp-dynamic-args/mcp-dynamic-args.tsx b/apps/sim/app/workspace/[workspaceId]/w/[workflowId]/components/panel/components/editor/components/sub-block/components/mcp-dynamic-args/mcp-dynamic-args.tsx index 41527a516..5271ecb33 100644 --- a/apps/sim/app/workspace/[workspaceId]/w/[workflowId]/components/panel/components/editor/components/sub-block/components/mcp-dynamic-args/mcp-dynamic-args.tsx +++ b/apps/sim/app/workspace/[workspaceId]/w/[workflowId]/components/panel/components/editor/components/sub-block/components/mcp-dynamic-args/mcp-dynamic-args.tsx 
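Review bot: The new ternary for `knowledgeBaseIdValue` changes the fallback rule without saying so. The old `previewContextValues?.knowledgeBaseId ?? knowledgeBaseIdFromStore` used the store value whenever the preview entry was missing, while the new form yields `null` in that case as soon as `previewContextValues` is passed at all. The same change appears in the project-selector, sheet-selector and slack-selector hunks, where the values are credential ids, a domain and `botToken`. Keeping live store values out of a preview looks like the intent, but that is inferred; a comment would stop a later refactor from restoring the `??`, e.g. `// Preview: resolve only from previewContextValues; never fall back to the live store.` The result is also typed `unknown` now, so callers without a `typeof` guard like the one a few lines below should narrow before use.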
@@ -6,6 +6,7 @@ import { cn } from '@/lib/core/utils/cn' import { LongInput } from '@/app/workspace/[workspaceId]/w/[workflowId]/components/panel/components/editor/components/sub-block/components/long-input/long-input' import { ShortInput } from '@/app/workspace/[workspaceId]/w/[workflowId]/components/panel/components/editor/components/sub-block/components/short-input/short-input' import { useSubBlockValue } from '@/app/workspace/[workspaceId]/w/[workflowId]/components/panel/components/editor/components/sub-block/hooks/use-sub-block-value' +import { resolvePreviewContextValue } from '@/app/workspace/[workspaceId]/w/[workflowId]/components/panel/components/editor/components/sub-block/utils' import type { SubBlockConfig } from '@/blocks/types' import { useMcpTools } from '@/hooks/mcp/use-mcp-tools' import { formatParameterLabel } from '@/tools/params' @@ -18,6 +19,7 @@ interface McpDynamicArgsProps { disabled?: boolean isPreview?: boolean previewValue?: any + previewContextValues?: Record } /** @@ -47,12 +49,19 @@ export function McpDynamicArgs({ disabled = false, isPreview = false, previewValue, + previewContextValues, }: McpDynamicArgsProps) { const params = useParams() const workspaceId = params.workspaceId as string const { mcpTools, isLoading } = useMcpTools(workspaceId) - const [selectedTool] = useSubBlockValue(blockId, 'tool') - const [cachedSchema] = useSubBlockValue(blockId, '_toolSchema') + const [toolFromStore] = useSubBlockValue(blockId, 'tool') + const selectedTool = previewContextValues + ? resolvePreviewContextValue(previewContextValues.tool) + : toolFromStore + const [schemaFromStore] = useSubBlockValue(blockId, '_toolSchema') + const cachedSchema = previewContextValues + ? resolvePreviewContextValue(previewContextValues._toolSchema) + : schemaFromStore const [toolArgs, setToolArgs] = useSubBlockValue(blockId, subBlockId) const selectedToolConfig = mcpTools.find((tool) => tool.id === selectedTool) 
diff --git a/apps/sim/app/workspace/[workspaceId]/w/[workflowId]/components/panel/components/editor/components/sub-block/components/mcp-server-modal/mcp-tool-selector.tsx b/apps/sim/app/workspace/[workspaceId]/w/[workflowId]/components/panel/components/editor/components/sub-block/components/mcp-server-modal/mcp-tool-selector.tsx index fa5fcd496..ca4ff45b1 100644 --- a/apps/sim/app/workspace/[workspaceId]/w/[workflowId]/components/panel/components/editor/components/sub-block/components/mcp-server-modal/mcp-tool-selector.tsx +++ b/apps/sim/app/workspace/[workspaceId]/w/[workflowId]/components/panel/components/editor/components/sub-block/components/mcp-server-modal/mcp-tool-selector.tsx @@ -4,6 +4,7 @@ import { useEffect, useMemo, useState } from 'react' import { useParams } from 'next/navigation' import { Combobox } from '@/components/emcn/components' import { useSubBlockValue } from '@/app/workspace/[workspaceId]/w/[workflowId]/components/panel/components/editor/components/sub-block/hooks/use-sub-block-value' +import { resolvePreviewContextValue } from '@/app/workspace/[workspaceId]/w/[workflowId]/components/panel/components/editor/components/sub-block/utils' import type { SubBlockConfig } from '@/blocks/types' import { useMcpTools } from '@/hooks/mcp/use-mcp-tools' @@ -13,6 +14,7 @@ interface McpToolSelectorProps { disabled?: boolean isPreview?: boolean previewValue?: string | null + previewContextValues?: Record } export function McpToolSelector({ @@ -21,6 +23,7 @@ export function McpToolSelector({ disabled = false, isPreview = false, previewValue, + previewContextValues, }: McpToolSelectorProps) { const params = useParams() const workspaceId = params.workspaceId as string 
@@ -31,7 +34,10 @@ export function McpToolSelector({ const [storeValue, setStoreValue] = useSubBlockValue(blockId, subBlock.id) const [, setSchemaCache] = useSubBlockValue(blockId, '_toolSchema') - const [serverValue] = useSubBlockValue(blockId, 'server') + const [serverFromStore] = useSubBlockValue(blockId, 'server') + const serverValue = previewContextValues + ? resolvePreviewContextValue(previewContextValues.server) + : serverFromStore const label = subBlock.placeholder || 'Select tool' diff --git a/apps/sim/app/workspace/[workspaceId]/w/[workflowId]/components/panel/components/editor/components/sub-block/components/project-selector/project-selector-input.tsx b/apps/sim/app/workspace/[workspaceId]/w/[workflowId]/components/panel/components/editor/components/sub-block/components/project-selector/project-selector-input.tsx index 9d5e35320..e5b7c5d93 100644 --- a/apps/sim/app/workspace/[workspaceId]/w/[workflowId]/components/panel/components/editor/components/sub-block/components/project-selector/project-selector-input.tsx +++ b/apps/sim/app/workspace/[workspaceId]/w/[workflowId]/components/panel/components/editor/components/sub-block/components/project-selector/project-selector-input.tsx 
@@ -9,6 +9,7 @@ import { SelectorCombobox } from '@/app/workspace/[workspaceId]/w/[workflowId]/c import { useDependsOnGate } from '@/app/workspace/[workspaceId]/w/[workflowId]/components/panel/components/editor/components/sub-block/hooks/use-depends-on-gate' import { useForeignCredential } from '@/app/workspace/[workspaceId]/w/[workflowId]/components/panel/components/editor/components/sub-block/hooks/use-foreign-credential' import { useSubBlockValue } from '@/app/workspace/[workspaceId]/w/[workflowId]/components/panel/components/editor/components/sub-block/hooks/use-sub-block-value' +import { resolvePreviewContextValue } from '@/app/workspace/[workspaceId]/w/[workflowId]/components/panel/components/editor/components/sub-block/utils' import { getBlock } from '@/blocks/registry' import type { SubBlockConfig } from '@/blocks/types' import { resolveSelectorForSubBlock } from '@/hooks/selectors/resolution' @@ -55,14 +56,19 @@ export function ProjectSelectorInput({ return (workflowValues as Record>)[blockId] || {} }) - const connectedCredential = previewContextValues?.credential ?? blockValues.credential - const jiraDomain = previewContextValues?.domain ?? jiraDomainFromStore + const connectedCredential = previewContextValues + ? resolvePreviewContextValue(previewContextValues.credential) + : blockValues.credential + const jiraDomain = previewContextValues + ? resolvePreviewContextValue(previewContextValues.domain) + : jiraDomainFromStore const linearTeamId = useMemo( () => - previewContextValues?.teamId ?? - resolveDependencyValue('teamId', blockValues, canonicalIndex, canonicalModeOverrides), - [previewContextValues?.teamId, blockValues, canonicalIndex, canonicalModeOverrides] + previewContextValues + ? resolvePreviewContextValue(previewContextValues.teamId) + : resolveDependencyValue('teamId', blockValues, canonicalIndex, canonicalModeOverrides), + [previewContextValues, blockValues, canonicalIndex, canonicalModeOverrides] ) const serviceId = subBlock.serviceId || '' 
diff --git a/apps/sim/app/workspace/[workspaceId]/w/[workflowId]/components/panel/components/editor/components/sub-block/components/sheet-selector/sheet-selector-input.tsx b/apps/sim/app/workspace/[workspaceId]/w/[workflowId]/components/panel/components/editor/components/sub-block/components/sheet-selector/sheet-selector-input.tsx index cd2a5adf5..bfb9dbe4f 100644 --- a/apps/sim/app/workspace/[workspaceId]/w/[workflowId]/components/panel/components/editor/components/sub-block/components/sheet-selector/sheet-selector-input.tsx +++ b/apps/sim/app/workspace/[workspaceId]/w/[workflowId]/components/panel/components/editor/components/sub-block/components/sheet-selector/sheet-selector-input.tsx @@ -8,6 +8,7 @@ import { buildCanonicalIndex, resolveDependencyValue } from '@/lib/workflows/sub import { SelectorCombobox } from '@/app/workspace/[workspaceId]/w/[workflowId]/components/panel/components/editor/components/sub-block/components/selector-combobox/selector-combobox' import { useDependsOnGate } from '@/app/workspace/[workspaceId]/w/[workflowId]/components/panel/components/editor/components/sub-block/hooks/use-depends-on-gate' import { useForeignCredential } from '@/app/workspace/[workspaceId]/w/[workflowId]/components/panel/components/editor/components/sub-block/hooks/use-foreign-credential' +import { resolvePreviewContextValue } from '@/app/workspace/[workspaceId]/w/[workflowId]/components/panel/components/editor/components/sub-block/utils' import { getBlock } from '@/blocks/registry' import type { SubBlockConfig } from '@/blocks/types' import { resolveSelectorForSubBlock, type SelectorResolution } from '@/hooks/selectors/resolution' 
@@ -66,9 +67,12 @@ export function SheetSelectorInput({ [blockValues, canonicalIndex, canonicalModeOverrides] ) - const connectedCredential = previewContextValues?.credential ?? connectedCredentialFromStore + const connectedCredential = previewContextValues + ? resolvePreviewContextValue(previewContextValues.credential) + : connectedCredentialFromStore const spreadsheetId = previewContextValues - ? (previewContextValues.spreadsheetId ?? previewContextValues.manualSpreadsheetId) + ? (resolvePreviewContextValue(previewContextValues.spreadsheetId) ?? + resolvePreviewContextValue(previewContextValues.manualSpreadsheetId)) : spreadsheetIdFromStore const normalizedCredentialId = diff --git a/apps/sim/app/workspace/[workspaceId]/w/[workflowId]/components/panel/components/editor/components/sub-block/components/slack-selector/slack-selector-input.tsx b/apps/sim/app/workspace/[workspaceId]/w/[workflowId]/components/panel/components/editor/components/sub-block/components/slack-selector/slack-selector-input.tsx index 9a7e4ebfa..b99c26bff 100644 --- a/apps/sim/app/workspace/[workspaceId]/w/[workflowId]/components/panel/components/editor/components/sub-block/components/slack-selector/slack-selector-input.tsx +++ b/apps/sim/app/workspace/[workspaceId]/w/[workflowId]/components/panel/components/editor/components/sub-block/components/slack-selector/slack-selector-input.tsx 
@@ -8,6 +8,7 @@ import { SelectorCombobox } from '@/app/workspace/[workspaceId]/w/[workflowId]/c import { useDependsOnGate } from '@/app/workspace/[workspaceId]/w/[workflowId]/components/panel/components/editor/components/sub-block/hooks/use-depends-on-gate' import { useForeignCredential } from '@/app/workspace/[workspaceId]/w/[workflowId]/components/panel/components/editor/components/sub-block/hooks/use-foreign-credential' import { useSubBlockValue } from '@/app/workspace/[workspaceId]/w/[workflowId]/components/panel/components/editor/components/sub-block/hooks/use-sub-block-value' +import { resolvePreviewContextValue } from '@/app/workspace/[workspaceId]/w/[workflowId]/components/panel/components/editor/components/sub-block/utils' import type { SubBlockConfig } from '@/blocks/types' import type { SelectorContext, SelectorKey } from '@/hooks/selectors/types' @@ -58,9 +59,15 @@ export function SlackSelectorInput({ const [botToken] = useSubBlockValue(blockId, 'botToken') const [connectedCredential] = useSubBlockValue(blockId, 'credential') - const effectiveAuthMethod = previewContextValues?.authMethod ?? authMethod - const effectiveBotToken = previewContextValues?.botToken ?? botToken - const effectiveCredential = previewContextValues?.credential ?? connectedCredential + const effectiveAuthMethod = previewContextValues + ? resolvePreviewContextValue(previewContextValues.authMethod) + : authMethod + const effectiveBotToken = previewContextValues + ? resolvePreviewContextValue(previewContextValues.botToken) + : botToken + const effectiveCredential = previewContextValues + ? resolvePreviewContextValue(previewContextValues.credential) + : connectedCredential const [_selectedValue, setSelectedValue] = useState(null) const serviceId = subBlock.serviceId || '' 
diff --git a/apps/sim/app/workspace/[workspaceId]/w/[workflowId]/components/panel/components/editor/components/sub-block/components/tool-input/tool-input.tsx b/apps/sim/app/workspace/[workspaceId]/w/[workflowId]/components/panel/components/editor/components/sub-block/components/tool-input/tool-input.tsx index cd2f342a3..8f03f4b2e 100644 --- a/apps/sim/app/workspace/[workspaceId]/w/[workflowId]/components/panel/components/editor/components/sub-block/components/tool-input/tool-input.tsx +++ b/apps/sim/app/workspace/[workspaceId]/w/[workflowId]/components/panel/components/editor/components/sub-block/components/tool-input/tool-input.tsx @@ -332,6 +332,7 @@ function FolderSelectorSyncWrapper({ dependsOn: uiComponent.dependsOn, }} disabled={disabled} + previewContextValues={previewContextValues} /> ) diff --git a/apps/sim/app/workspace/[workspaceId]/w/[workflowId]/components/panel/components/editor/components/sub-block/sub-block.tsx b/apps/sim/app/workspace/[workspaceId]/w/[workflowId]/components/panel/components/editor/components/sub-block/sub-block.tsx index 800ed5f93..c8422f0e7 100644 --- a/apps/sim/app/workspace/[workspaceId]/w/[workflowId]/components/panel/components/editor/components/sub-block/sub-block.tsx +++ b/apps/sim/app/workspace/[workspaceId]/w/[workflowId]/components/panel/components/editor/components/sub-block/sub-block.tsx @@ -797,6 +797,7 @@ function SubBlockComponent({ disabled={isDisabled} isPreview={isPreview} previewValue={previewValue} + previewContextValues={isPreview ? subBlockValues : undefined} /> ) @@ -832,6 +833,7 @@ function SubBlockComponent({ disabled={isDisabled} isPreview={isPreview} previewValue={previewValue} + previewContextValues={isPreview ? subBlockValues : undefined} /> ) @@ -843,6 +845,7 @@ function SubBlockComponent({ disabled={isDisabled} isPreview={isPreview} previewValue={previewValue} + previewContextValues={isPreview ? subBlockValues : undefined} /> ) 
@@ -865,6 +868,7 @@ function SubBlockComponent({ disabled={isDisabled} isPreview={isPreview} previewValue={previewValue as any} + previewContextValues={isPreview ? subBlockValues : undefined} /> ) @@ -876,6 +880,7 @@ function SubBlockComponent({ disabled={isDisabled} isPreview={isPreview} previewValue={previewValue as any} + previewContextValues={isPreview ? subBlockValues : undefined} /> ) @@ -887,6 +892,7 @@ function SubBlockComponent({ disabled={isDisabled} isPreview={isPreview} previewValue={previewValue as any} + previewContextValues={isPreview ? subBlockValues : undefined} /> ) @@ -911,6 +917,7 @@ function SubBlockComponent({ isPreview={isPreview} previewValue={previewValue as any} disabled={isDisabled} + previewContextValues={isPreview ? subBlockValues : undefined} /> ) @@ -946,6 +953,7 @@ function SubBlockComponent({ disabled={isDisabled} isPreview={isPreview} previewValue={previewValue} + previewContextValues={isPreview ? subBlockValues : undefined} /> ) @@ -979,6 +987,7 @@ function SubBlockComponent({ disabled={isDisabled} isPreview={isPreview} previewValue={previewValue as any} + previewContextValues={isPreview ? subBlockValues : undefined} /> ) @@ -990,6 +999,7 @@ function SubBlockComponent({ disabled={isDisabled} isPreview={isPreview} previewValue={previewValue} + previewContextValues={isPreview ? subBlockValues : undefined} /> ) diff --git a/apps/sim/app/workspace/[workspaceId]/w/[workflowId]/components/panel/components/editor/components/sub-block/utils.ts b/apps/sim/app/workspace/[workspaceId]/w/[workflowId]/components/panel/components/editor/components/sub-block/utils.ts new file mode 100644 index 000000000..181299221 --- /dev/null +++ b/apps/sim/app/workspace/[workspaceId]/w/[workflowId]/components/panel/components/editor/components/sub-block/utils.ts 
@@ -0,0 +1,18 @@ +/** + * Extracts the raw value from a preview context entry. + * + * @remarks + * In the sub-block preview context, values are wrapped as `{ value: T }` objects + * (the full sub-block state). In the tool-input preview context, values are already + * raw. This function normalizes both cases to return the underlying value. + * + * @param raw - The preview context entry, which may be a raw value or a `{ value: T }` wrapper + * @returns The unwrapped value, or `null` if the input is nullish + */ +export function resolvePreviewContextValue(raw: unknown): unknown { + if (raw === null || raw === undefined) return null + if (typeof raw === 'object' && !Array.isArray(raw) && 'value' in raw) { + return (raw as Record).value ?? null + } + return raw +} diff --git a/apps/sim/app/workspace/[workspaceId]/w/components/preview/components/preview-editor/preview-editor.tsx b/apps/sim/app/workspace/[workspaceId]/w/components/preview/components/preview-editor/preview-editor.tsx index 90831de45..bfc86ec20 100644 --- a/apps/sim/app/workspace/[workspaceId]/w/components/preview/components/preview-editor/preview-editor.tsx +++ b/apps/sim/app/workspace/[workspaceId]/w/components/preview/components/preview-editor/preview-editor.tsx @@ -784,8 +784,12 @@ function PreviewEditorContent({ ? childWorkflowSnapshotState : childWorkflowState const resolvedIsLoadingChildWorkflow = isExecutionMode ? false : isLoadingChildWorkflow + const isBlockNotExecuted = isExecutionMode && !executionData const isMissingChildWorkflow = - Boolean(childWorkflowId) && !resolvedIsLoadingChildWorkflow && !resolvedChildWorkflowState + Boolean(childWorkflowId) && + !isBlockNotExecuted && + !resolvedIsLoadingChildWorkflow && + !resolvedChildWorkflowState /** Drills down into the child workflow or opens it in a new tab */ const handleExpandChildWorkflow = useCallback(() => { @@ -1192,7 +1196,7 @@ function PreviewEditorContent({
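Review bot: The `'value' in raw` test in `resolvePreviewContextValue` treats every non-array object that has a `value` key as a `{ value: T }` wrapper. The TSDoc says tool-input entries are already raw, so a raw object that legitimately contains a `value` property would be unwrapped by mistake and the caller would silently receive the inner field. Because the return type is `unknown`, each call site also has to narrow the result itself before using it as a credential id, domain or token. Either let the caller state which context it is in, or document the limit in the TSDoc, e.g. `Raw object values that themselves carry a "value" key cannot be told apart from wrappers and are unwrapped.`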
{/* Not Executed Banner - shown when in execution mode but block wasn't executed */} - {isExecutionMode && !executionData && ( + {isBlockNotExecuted && (
@@ -1419,9 +1423,11 @@ function PreviewEditorContent({ ) : (
- {isMissingChildWorkflow - ? DELETED_WORKFLOW_LABEL - : 'Unable to load preview'} + {isBlockNotExecuted + ? 'Not Executed' + : isMissingChildWorkflow + ? DELETED_WORKFLOW_LABEL + : 'Unable to load preview'}
)} diff --git a/apps/sim/lib/logs/execution/snapshot/service.ts b/apps/sim/lib/logs/execution/snapshot/service.ts index cad4c259c..856c3a185 100644 --- a/apps/sim/lib/logs/execution/snapshot/service.ts +++ b/apps/sim/lib/logs/execution/snapshot/service.ts @@ -33,11 +33,25 @@ export class SnapshotService implements ISnapshotService { const existingSnapshot = await this.getSnapshotByHash(workflowId, stateHash) if (existingSnapshot) { + let refreshedState: WorkflowState = existingSnapshot.stateData + try { + await db + .update(workflowExecutionSnapshots) + .set({ stateData: state }) + .where(eq(workflowExecutionSnapshots.id, existingSnapshot.id)) + refreshedState = state + } catch (error) { + logger.warn( + `Failed to refresh snapshot stateData for ${existingSnapshot.id}, continuing with existing data`, + error + ) + } + logger.info( `Reusing existing snapshot for workflow ${workflowId} (hash: ${stateHash.slice(0, 12)}...)` ) return { - snapshot: existingSnapshot, + snapshot: { ...existingSnapshot, stateData: refreshedState }, isNew: false, } } From 99ae5435e349e53a4fff8302db1ded4f7b39e1e2 Mon Sep 17 00:00:00 2001 
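Review bot: In the `existingSnapshot` branch of service.ts, the added `db.update(workflowExecutionSnapshots).set({ stateData: state })` overwrites a row that was found by `stateHash`, so a snapshot that earlier executions may already reference is no longer a fixed record of what ran. If the hash covers only part of the state (not visible in this hunk), the log view for older runs would show the refreshed data instead of the state they executed with. Every reuse also becomes a write, and concurrent executions with the same hash can overwrite each other. If the refresh is intended, say so above the update, e.g. `// stateHash ignores <FIELDS_EXCLUDED_FROM_HASH>; refresh stateData so a reused snapshot carries their current values`, and consider skipping the write when nothing differs. The enclosing method starts outside the hunk.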
From: Waleed Date: Fri, 6 Feb 2026 22:35:57 -0800 Subject: [PATCH 6/8] feat(models): updated model configs, updated anthropic provider to propagate errors back to user if any (#3159) * feat(models): updated model configs, updated anthropic provider to propagate errors back to user if any * moved max tokens to advanced * updated model configs and testesd * removed default in max config for output tokens * moved more stuff to advanced mode in the agent block * stronger typing * move api key under model, update mistral and groq * update openrouter, fixed serializer to allow ollama/vllm models without api key * removed ollama handling --- .../workflow-selector/workflow-selector.tsx | 2 +- apps/sim/blocks/blocks/agent.ts | 65 +-- .../executor/handlers/agent/agent-handler.ts | 14 +- apps/sim/executor/handlers/agent/types.ts | 1 + apps/sim/providers/anthropic/core.ts | 371 +++++++++++------- apps/sim/providers/azure-openai/index.ts | 49 ++- apps/sim/providers/azure-openai/utils.ts | 5 +- apps/sim/providers/bedrock/index.ts | 10 + apps/sim/providers/gemini/core.ts | 9 +- apps/sim/providers/mistral/index.ts | 2 - apps/sim/providers/models.ts | 236 ++++------- apps/sim/providers/openai/core.ts | 58 +-- apps/sim/providers/openai/utils.ts | 117 ++++-- apps/sim/providers/openrouter/index.ts | 10 +- apps/sim/providers/utils.test.ts | 322 +++++++++++---- apps/sim/providers/utils.ts | 14 +- apps/sim/serializer/index.ts | 1 + 17 files changed, 766 insertions(+), 520 deletions(-) diff --git a/apps/sim/app/workspace/[workspaceId]/logs/components/logs-toolbar/components/notifications/components/workflow-selector/workflow-selector.tsx b/apps/sim/app/workspace/[workspaceId]/logs/components/logs-toolbar/components/notifications/components/workflow-selector/workflow-selector.tsx index fe8b66356..35f40657e 100644 --- a/apps/sim/app/workspace/[workspaceId]/logs/components/logs-toolbar/components/notifications/components/workflow-selector/workflow-selector.tsx 
+++ b/apps/sim/app/workspace/[workspaceId]/logs/components/logs-toolbar/components/notifications/components/workflow-selector/workflow-selector.tsx @@ -89,7 +89,7 @@ export function WorkflowSelector({ onMouseDown={(e) => handleRemove(e, w.id)} > {w.name} - +
))} {selectedWorkflows.length > 2 && ( diff --git a/apps/sim/blocks/blocks/agent.ts b/apps/sim/blocks/blocks/agent.ts index 7e7b12f96..1dd36a2b2 100644 --- a/apps/sim/blocks/blocks/agent.ts +++ b/apps/sim/blocks/blocks/agent.ts @@ -154,6 +154,7 @@ Return ONLY the JSON array.`, type: 'dropdown', placeholder: 'Select reasoning effort...', options: [ + { label: 'auto', id: 'auto' }, { label: 'low', id: 'low' }, { label: 'medium', id: 'medium' }, { label: 'high', id: 'high' }, @@ -163,9 +164,12 @@ Return ONLY the JSON array.`, const { useSubBlockStore } = await import('@/stores/workflows/subblock/store') const { useWorkflowRegistry } = await import('@/stores/workflows/registry/store') + const autoOption = { label: 'auto', id: 'auto' } + const activeWorkflowId = useWorkflowRegistry.getState().activeWorkflowId if (!activeWorkflowId) { return [ + autoOption, { label: 'low', id: 'low' }, { label: 'medium', id: 'medium' }, { label: 'high', id: 'high' }, @@ -178,6 +182,7 @@ Return ONLY the JSON array.`, if (!modelValue) { return [ + autoOption, { label: 'low', id: 'low' }, { label: 'medium', id: 'medium' }, { label: 'high', id: 'high' }, @@ -187,15 +192,16 @@ Return ONLY the JSON array.`, const validOptions = getReasoningEffortValuesForModel(modelValue) if (!validOptions) { return [ + autoOption, { label: 'low', id: 'low' }, { label: 'medium', id: 'medium' }, { label: 'high', id: 'high' }, ] } - return validOptions.map((opt) => ({ label: opt, id: opt })) + return [autoOption, ...validOptions.map((opt) => ({ label: opt, id: opt }))] }, - value: () => 'medium', + mode: 'advanced', condition: { field: 'model', value: MODELS_WITH_REASONING_EFFORT, @@ -207,6 +213,7 @@ Return ONLY the JSON array.`, type: 'dropdown', placeholder: 'Select verbosity...', options: [ + { label: 'auto', id: 'auto' }, { label: 'low', id: 'low' }, { label: 'medium', id: 'medium' }, { label: 'high', id: 'high' }, 
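Review bot: In agent.ts the list `autoOption, low, medium, high` is spelled out in the static `options` and again in three early returns of the reasoning-effort `fetchOptions`. The verbosity block in the following hunks repeats the same pattern, so the copies can drift apart. One local such as `const fallback = [autoOption, { label: 'low', id: 'low' }, { label: 'medium', id: 'medium' }, { label: 'high', id: 'high' }]` with `return fallback` at each guard would keep them in step. Separately, `value: () => 'medium'` is removed and the ids `auto` and `none` are added, and the agent-handler hunk forwards `inputs.reasoningEffort`, `inputs.verbosity` and `inputs.thinkingLevel` unchanged. Each provider therefore has to map these sentinels and `undefined` to omitting the parameter, which is not visible here and worth confirming. The `fetchOptions` bodies start and end outside these hunks.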
@@ -216,9 +223,12 @@ Return ONLY the JSON array.`, const { useSubBlockStore } = await import('@/stores/workflows/subblock/store') const { useWorkflowRegistry } = await import('@/stores/workflows/registry/store') + const autoOption = { label: 'auto', id: 'auto' } + const activeWorkflowId = useWorkflowRegistry.getState().activeWorkflowId if (!activeWorkflowId) { return [ + autoOption, { label: 'low', id: 'low' }, { label: 'medium', id: 'medium' }, { label: 'high', id: 'high' }, @@ -231,6 +241,7 @@ Return ONLY the JSON array.`, if (!modelValue) { return [ + autoOption, { label: 'low', id: 'low' }, { label: 'medium', id: 'medium' }, { label: 'high', id: 'high' }, @@ -240,15 +251,16 @@ Return ONLY the JSON array.`, const validOptions = getVerbosityValuesForModel(modelValue) if (!validOptions) { return [ + autoOption, { label: 'low', id: 'low' }, { label: 'medium', id: 'medium' }, { label: 'high', id: 'high' }, ] } - return validOptions.map((opt) => ({ label: opt, id: opt })) + return [autoOption, ...validOptions.map((opt) => ({ label: opt, id: opt }))] }, - value: () => 'medium', + mode: 'advanced', condition: { field: 'model', value: MODELS_WITH_VERBOSITY, @@ -260,6 +272,7 @@ Return ONLY the JSON array.`, type: 'dropdown', placeholder: 'Select thinking level...', options: [ + { label: 'none', id: 'none' }, { label: 'minimal', id: 'minimal' }, { label: 'low', id: 'low' }, { label: 'medium', id: 'medium' }, 
@@ -271,12 +284,11 @@ Return ONLY the JSON array.`, const { useSubBlockStore } = await import('@/stores/workflows/subblock/store') const { useWorkflowRegistry } = await import('@/stores/workflows/registry/store') + const noneOption = { label: 'none', id: 'none' } + const activeWorkflowId = useWorkflowRegistry.getState().activeWorkflowId if (!activeWorkflowId) { - return [ - { label: 'low', id: 'low' }, - { label: 'high', id: 'high' }, - ] + return [noneOption, { label: 'low', id: 'low' }, { label: 'high', id: 'high' }] } const workflowValues = useSubBlockStore.getState().workflowValues[activeWorkflowId] @@ -284,23 +296,17 @@ Return ONLY the JSON array.`, const modelValue = blockValues?.model as string if (!modelValue) { - return [ - { label: 'low', id: 'low' }, - { label: 'high', id: 'high' }, - ] + return [noneOption, { label: 'low', id: 'low' }, { label: 'high', id: 'high' }] } const validOptions = getThinkingLevelsForModel(modelValue) if (!validOptions) { - return [ - { label: 'low', id: 'low' }, - { label: 'high', id: 'high' }, - ] + return [noneOption, { label: 'low', id: 'low' }, { label: 'high', id: 'high' }] } - return validOptions.map((opt) => ({ label: opt, id: opt })) + return [noneOption, ...validOptions.map((opt) => ({ label: opt, id: opt }))] }, - value: () => 'high', + mode: 'advanced', condition: { field: 'model', value: MODELS_WITH_THINKING, @@ -391,6 +397,16 @@ Return ONLY the JSON array.`, value: providers.bedrock.models, }, }, + { + id: 'apiKey', + title: 'API Key', + type: 'short-input', + placeholder: 'Enter your API key', + password: true, + connectionDroppable: false, + required: true, + condition: getApiKeyCondition(), + }, { id: 'tools', title: 'Tools', 
@@ -403,16 +419,6 @@ Return ONLY the JSON array.`, type: 'skill-input', defaultValue: [], }, - { - id: 'apiKey', - title: 'API Key', - type: 'short-input', - placeholder: 'Enter your API key', - password: true, - connectionDroppable: false, - required: true, - condition: getApiKeyCondition(), - }, { id: 'memoryType', title: 'Memory', @@ -467,6 +473,7 @@ Return ONLY the JSON array.`, min: 0, max: 1, defaultValue: 0.3, + mode: 'advanced', condition: () => ({ field: 'model', value: (() => { @@ -484,6 +491,7 @@ Return ONLY the JSON array.`, min: 0, max: 2, defaultValue: 0.3, + mode: 'advanced', condition: () => ({ field: 'model', value: (() => { @@ -499,6 +507,7 @@ Return ONLY the JSON array.`, title: 'Max Output Tokens', type: 'short-input', placeholder: 'Enter max tokens (e.g., 4096)...', + mode: 'advanced', }, { id: 'responseFormat', diff --git a/apps/sim/executor/handlers/agent/agent-handler.ts b/apps/sim/executor/handlers/agent/agent-handler.ts index 524407506..0de77719b 100644 --- a/apps/sim/executor/handlers/agent/agent-handler.ts +++ b/apps/sim/executor/handlers/agent/agent-handler.ts 
@@ -915,24 +915,17 @@ export class AgentBlockHandler implements BlockHandler { } } - // Find first system message const firstSystemIndex = messages.findIndex((msg) => msg.role === 'system') if (firstSystemIndex === -1) { - // No system message exists - add at position 0 messages.unshift({ role: 'system', content }) } else if (firstSystemIndex === 0) { - // System message already at position 0 - replace it - // Explicit systemPrompt parameter takes precedence over memory/messages messages[0] = { role: 'system', content } } else { - // System message exists but not at position 0 - move it to position 0 - // and update with new content messages.splice(firstSystemIndex, 1) messages.unshift({ role: 'system', content }) } - // Remove any additional system messages (keep only the first one) for (let i = messages.length - 1; i >= 1; i--) { if (messages[i].role === 'system') { messages.splice(i, 1) @@ -998,13 +991,14 @@ export class AgentBlockHandler implements BlockHandler { workflowId: ctx.workflowId, workspaceId: ctx.workspaceId, stream: streaming, - messages, + messages: messages?.map(({ executionId, ...msg }) => msg), environmentVariables: ctx.environmentVariables || {}, workflowVariables: ctx.workflowVariables || {}, blockData, blockNameMapping, reasoningEffort: inputs.reasoningEffort, verbosity: inputs.verbosity, + thinkingLevel: inputs.thinkingLevel, } } @@ -1074,6 +1068,7 @@ export class AgentBlockHandler implements BlockHandler { isDeployedContext: ctx.isDeployedContext, reasoningEffort: providerRequest.reasoningEffort, verbosity: providerRequest.verbosity, + thinkingLevel: providerRequest.thinkingLevel, }) return this.processProviderResponse(response, block, responseFormat) 
@@ -1091,8 +1086,6 @@ export class AgentBlockHandler implements BlockHandler { logger.info(`[${requestId}] Resolving Vertex AI credential: ${credentialId}`) - // Get the credential - we need to find the owner - // Since we're in a workflow context, we can query the credential directly const credential = await db.query.account.findFirst({ where: eq(account.id, credentialId), }) @@ -1101,7 +1094,6 @@ export class AgentBlockHandler implements BlockHandler { throw new Error(`Vertex AI credential not found: ${credentialId}`) } - // Refresh the token if needed const { accessToken } = await refreshTokenIfNeeded(requestId, credential, credentialId) if (!accessToken) { diff --git a/apps/sim/executor/handlers/agent/types.ts b/apps/sim/executor/handlers/agent/types.ts index 36002b7b0..c0731d9ee 100644 --- a/apps/sim/executor/handlers/agent/types.ts +++ b/apps/sim/executor/handlers/agent/types.ts @@ -34,6 +34,7 @@ export interface AgentInputs { bedrockRegion?: string reasoningEffort?: string verbosity?: string + thinkingLevel?: string } export interface ToolInput { diff --git a/apps/sim/providers/anthropic/core.ts b/apps/sim/providers/anthropic/core.ts index 3cd16eb4d..dcb2b9c14 100644 --- a/apps/sim/providers/anthropic/core.ts +++ b/apps/sim/providers/anthropic/core.ts @@ -1,5 +1,6 @@ import type Anthropic from '@anthropic-ai/sdk' import { transformJSONSchema } from '@anthropic-ai/sdk/lib/transform-json-schema' +import type { RawMessageStreamEvent } from '@anthropic-ai/sdk/resources/messages/messages' import type { Logger } from '@sim/logger' import type { StreamingExecution } from '@/executor/types' import { MAX_TOOL_ITERATIONS } from '@/providers' 
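Review bot: In the `@@ -1091` hunk the credential is loaded with `where: eq(account.id, credentialId)` alone, and the comment deleted here was the only place that said why no owner filter is applied. Nothing in the visible lines ties `credentialId` to the user or workspace running the workflow, so unless a caller enforces that (not visible here), a block configured with another account's id would have that account's token refreshed and used. Either add the ownership condition to the query or keep a comment naming where it is enforced, e.g. `// credentialId is authorised for this workspace in <caller>; lookup by id is intentional`. The method body continues outside the hunk.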
@@ -34,11 +35,21 @@ export interface AnthropicProviderConfig { logger: Logger } +/** + * Custom payload type extending the SDK's base message creation params. + * Adds fields not yet in the SDK: adaptive thinking, output_format, output_config. + */ +interface AnthropicPayload extends Omit { + thinking?: Anthropic.Messages.ThinkingConfigParam | { type: 'adaptive' } + output_format?: { type: 'json_schema'; schema: Record } + output_config?: { effort: string } +} + /** * Generates prompt-based schema instructions for older models that don't support native structured outputs. * This is a fallback approach that adds schema requirements to the system prompt. */ -function generateSchemaInstructions(schema: any, schemaName?: string): string { +function generateSchemaInstructions(schema: Record, schemaName?: string): string { const name = schemaName || 'response' return `IMPORTANT: You must respond with a valid JSON object that conforms to the following schema. Do not include any text before or after the JSON object. Only output the JSON. 
@@ -113,6 +124,30 @@ function buildThinkingConfig( } } +/** + * The Anthropic SDK requires streaming for non-streaming requests when max_tokens exceeds + * this threshold, to avoid HTTP timeouts. When thinking is enabled and pushes max_tokens + * above this limit, we use streaming internally and collect the final message. + */ +const ANTHROPIC_SDK_NON_STREAMING_MAX_TOKENS = 21333 + +/** + * Creates an Anthropic message, automatically using streaming internally when max_tokens + * exceeds the SDK's non-streaming threshold. Returns the same Message object either way. + */ +async function createMessage( + anthropic: Anthropic, + payload: AnthropicPayload +): Promise { + if (payload.max_tokens > ANTHROPIC_SDK_NON_STREAMING_MAX_TOKENS && !payload.stream) { + const stream = anthropic.messages.stream(payload as Anthropic.Messages.MessageStreamParams) + return stream.finalMessage() + } + return anthropic.messages.create( + payload as Anthropic.Messages.MessageCreateParamsNonStreaming + ) as Promise +} + /** * Executes a request using the Anthropic API with full tool loop support. * This is the shared core implementation used by both the standard Anthropic provider @@ -135,7 +170,7 @@ export async function executeAnthropicProviderRequest( const anthropic = config.createClient(request.apiKey, useNativeStructuredOutputs) - const messages: any[] = [] + const messages: Anthropic.Messages.MessageParam[] = [] let systemPrompt = request.systemPrompt || '' if (request.context) { @@ -153,8 +188,8 @@ export async function executeAnthropicProviderRequest( content: [ { type: 'tool_result', - tool_use_id: msg.name, - content: msg.content, + tool_use_id: msg.name || '', + content: msg.content || undefined, }, ], }) 
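Review bot: In the `@@ -153` hunk, `tool_use_id: msg.name || ''` turns a missing id into an empty string, which cannot match any `tool_use` block and will only surface as a rejected request from the API. Failing locally gives a clearer error and keeps a malformed history from being sent: `if (!msg.name) throw new Error('tool message is missing its tool_use id')`. A short comment stating that `name` carries the tool-use id for these messages would help too, since the field name suggests otherwise. The surrounding loop starts outside the hunk.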
@@ -188,12 +223,12 @@ export async function executeAnthropicProviderRequest( systemPrompt = '' } - let anthropicTools = request.tools?.length + let anthropicTools: Anthropic.Messages.Tool[] | undefined = request.tools?.length ? request.tools.map((tool) => ({ name: tool.id, description: tool.description, input_schema: { - type: 'object', + type: 'object' as const, properties: tool.parameters.properties, required: tool.parameters.required, }, @@ -238,13 +273,12 @@ export async function executeAnthropicProviderRequest( } } - const payload: any = { + const payload: AnthropicPayload = { model: request.model, messages, system: systemPrompt, max_tokens: - Number.parseInt(String(request.maxTokens)) || - getMaxOutputTokensForModel(request.model, request.stream ?? false), + Number.parseInt(String(request.maxTokens)) || getMaxOutputTokensForModel(request.model), temperature: Number.parseFloat(String(request.temperature ?? 0.7)), } 
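Review bot: In the `@@ -238` hunk, `Number.parseInt(String(request.maxTokens)) || getMaxOutputTokensForModel(request.model)` lets any non-zero parse result through, including negative values and values above the model limit, and later hunks of this patch delete the `Math.min(..., nonStreamingLimit)` cap that used to bound the tool-loop calls. Parsing with a radix and clamping keeps the request valid and bounds spend per call: `const requested = Number.parseInt(String(request.maxTokens), 10)` and then `max_tokens: requested > 0 ? Math.min(requested, modelMax) : modelMax`, with `modelMax` taken from `getMaxOutputTokensForModel(request.model)`. The function body extends beyond this hunk.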
@@ -268,13 +302,35 @@ export async function executeAnthropicProviderRequest( } // Add extended thinking configuration if supported and requested - if (request.thinkingLevel) { + // The 'none' sentinel means "disable thinking" — skip configuration entirely. + if (request.thinkingLevel && request.thinkingLevel !== 'none') { const thinkingConfig = buildThinkingConfig(request.model, request.thinkingLevel) if (thinkingConfig) { payload.thinking = thinkingConfig.thinking if (thinkingConfig.outputConfig) { payload.output_config = thinkingConfig.outputConfig } + + // Per Anthropic docs: budget_tokens must be less than max_tokens. + // Ensure max_tokens leaves room for both thinking and text output. + if ( + thinkingConfig.thinking.type === 'enabled' && + 'budget_tokens' in thinkingConfig.thinking + ) { + const budgetTokens = thinkingConfig.thinking.budget_tokens + const minMaxTokens = budgetTokens + 4096 + if (payload.max_tokens < minMaxTokens) { + const modelMax = getMaxOutputTokensForModel(request.model) + payload.max_tokens = Math.min(minMaxTokens, modelMax) + logger.info( + `Adjusted max_tokens to ${payload.max_tokens} to satisfy budget_tokens (${budgetTokens}) constraint` + ) + } + } + + // Per Anthropic docs: thinking is not compatible with temperature or top_k modifications. + payload.temperature = undefined + const isAdaptive = thinkingConfig.thinking.type === 'adaptive' logger.info( `Using ${isAdaptive ? 'adaptive' : 'extended'} thinking for model: ${modelId} with ${isAdaptive ? `effort: ${request.thinkingLevel}` : `budget: ${(thinkingConfig.thinking as { budget_tokens: number }).budget_tokens}`}` 
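Review bot: The `max_tokens` adjustment in this hunk does not guarantee the constraint it logs, because `Math.min(minMaxTokens, modelMax)` can still be less than or equal to `budgetTokens` when the model maximum is smaller than the budget plus 4096. A check after the clamp, `if (budgetTokens >= payload.max_tokens)`, should either lower the budget or skip thinking and emit `logger.warn` rather than the "Adjusted max_tokens ... to satisfy" info line. The magic `4096` would read better as a named constant with a comment saying it is the reserved room for text output. The enclosing function starts and ends outside the hunk.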
@@ -288,7 +344,16 @@ export async function executeAnthropicProviderRequest( if (anthropicTools?.length) { payload.tools = anthropicTools - if (toolChoice !== 'auto') { + // Per Anthropic docs: forced tool_choice (type: "tool" or "any") is incompatible with + // thinking. Only auto and none are supported when thinking is enabled. + if (payload.thinking) { + // Per Anthropic docs: only 'auto' (default) and 'none' work with thinking. + if (toolChoice === 'none') { + payload.tool_choice = { type: 'none' } + } + } else if (toolChoice === 'none') { + payload.tool_choice = { type: 'none' } + } else if (toolChoice !== 'auto') { payload.tool_choice = toolChoice } } 
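Review bot: When thinking is enabled this hunk drops a forced `toolChoice` without any log line, so a workflow that relies on a forced tool changes behaviour silently; add `logger.warn('tool_choice ignored because thinking is enabled')` in that branch. The `'none'` case is also written twice and the same "Per Anthropic docs" comment is repeated. `if (toolChoice === 'none') payload.tool_choice = { type: 'none' }` followed by `else if (!payload.thinking && toolChoice !== 'auto') payload.tool_choice = toolChoice` expresses the same rules once.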
@@ -301,42 +366,46 @@ export async function executeAnthropicProviderRequest( const providerStartTime = Date.now() const providerStartTimeISO = new Date(providerStartTime).toISOString() - const streamResponse: any = await anthropic.messages.create({ + const streamResponse = await anthropic.messages.create({ ...payload, stream: true, - }) + } as Anthropic.Messages.MessageCreateParamsStreaming) const streamingResult = { - stream: createReadableStreamFromAnthropicStream(streamResponse, (content, usage) => { - streamingResult.execution.output.content = content - streamingResult.execution.output.tokens = { - input: usage.input_tokens, - output: usage.output_tokens, - total: usage.input_tokens + usage.output_tokens, - } + stream: createReadableStreamFromAnthropicStream( + streamResponse as AsyncIterable, + (content, usage) => { + streamingResult.execution.output.content = content + streamingResult.execution.output.tokens = { + input: usage.input_tokens, + output: usage.output_tokens, + total: usage.input_tokens + usage.output_tokens, + } - const costResult = calculateCost(request.model, usage.input_tokens, usage.output_tokens) - streamingResult.execution.output.cost = { - input: costResult.input, - output: costResult.output, - total: costResult.total, - } + const costResult = calculateCost(request.model, usage.input_tokens, usage.output_tokens) + streamingResult.execution.output.cost = { + input: costResult.input, + output: costResult.output, + total: costResult.total, + } - const streamEndTime = Date.now() - const streamEndTimeISO = new Date(streamEndTime).toISOString() + const streamEndTime = Date.now() + const streamEndTimeISO = new Date(streamEndTime).toISOString() - if (streamingResult.execution.output.providerTiming) { - streamingResult.execution.output.providerTiming.endTime = streamEndTimeISO - streamingResult.execution.output.providerTiming.duration = - streamEndTime - providerStartTime - - if (streamingResult.execution.output.providerTiming.timeSegments?.[0]) { 
- streamingResult.execution.output.providerTiming.timeSegments[0].endTime = streamEndTime - streamingResult.execution.output.providerTiming.timeSegments[0].duration = + if (streamingResult.execution.output.providerTiming) { + streamingResult.execution.output.providerTiming.endTime = streamEndTimeISO + streamingResult.execution.output.providerTiming.duration = streamEndTime - providerStartTime + + if (streamingResult.execution.output.providerTiming.timeSegments?.[0]) { + streamingResult.execution.output.providerTiming.timeSegments[0].endTime = + streamEndTime + streamingResult.execution.output.providerTiming.timeSegments[0].duration = + streamEndTime - providerStartTime + } } } - }), + ), execution: { success: true, output: { @@ -385,21 +454,13 @@ export async function executeAnthropicProviderRequest( const providerStartTime = Date.now() const providerStartTimeISO = new Date(providerStartTime).toISOString() - // Cap intermediate calls at non-streaming limit to avoid SDK timeout errors, - // but allow users to set lower values if desired - const nonStreamingLimit = getMaxOutputTokensForModel(request.model, false) - const nonStreamingMaxTokens = request.maxTokens - ? Math.min(Number.parseInt(String(request.maxTokens)), nonStreamingLimit) - : nonStreamingLimit - const intermediatePayload = { ...payload, max_tokens: nonStreamingMaxTokens } - try { const initialCallTime = Date.now() - const originalToolChoice = intermediatePayload.tool_choice + const originalToolChoice = payload.tool_choice const forcedTools = preparedTools?.forcedTools || [] let usedForcedTools: string[] = [] - let currentResponse = await anthropic.messages.create(intermediatePayload) + let currentResponse = await createMessage(anthropic, payload) const firstResponseTime = Date.now() - initialCallTime let content = '' 
@@ -468,10 +529,10 @@ export async function executeAnthropicProviderRequest( const toolExecutionPromises = toolUses.map(async (toolUse) => { const toolCallStartTime = Date.now() const toolName = toolUse.name - const toolArgs = toolUse.input as Record + const toolArgs = toolUse.input as Record try { - const tool = request.tools?.find((t: any) => t.id === toolName) + const tool = request.tools?.find((t) => t.id === toolName) if (!tool) return null const { toolParams, executionParams } = prepareToolExecution(tool, toolArgs, request) @@ -512,17 +573,8 @@ export async function executeAnthropicProviderRequest( const executionResults = await Promise.allSettled(toolExecutionPromises) // Collect all tool_use and tool_result blocks for batching - const toolUseBlocks: Array<{ - type: 'tool_use' - id: string - name: string - input: Record - }> = [] - const toolResultBlocks: Array<{ - type: 'tool_result' - tool_use_id: string - content: string - }> = [] + const toolUseBlocks: Anthropic.Messages.ToolUseBlockParam[] = [] + const toolResultBlocks: Anthropic.Messages.ToolResultBlockParam[] = [] for (const settledResult of executionResults) { if (settledResult.status === 'rejected' || !settledResult.value) continue 
@@ -583,11 +635,25 @@ export async function executeAnthropicProviderRequest( }) } - // Add ONE assistant message with ALL tool_use blocks + // Per Anthropic docs: thinking blocks must be preserved in assistant messages + // during tool use to maintain reasoning continuity. + const thinkingBlocks = currentResponse.content.filter( + ( + item + ): item is + | Anthropic.Messages.ThinkingBlock + | Anthropic.Messages.RedactedThinkingBlock => + item.type === 'thinking' || item.type === 'redacted_thinking' + ) + + // Add ONE assistant message with thinking + tool_use blocks if (toolUseBlocks.length > 0) { currentMessages.push({ role: 'assistant', - content: toolUseBlocks as unknown as Anthropic.Messages.ContentBlock[], + content: [ + ...thinkingBlocks, + ...toolUseBlocks, + ] as Anthropic.Messages.ContentBlockParam[], }) } @@ -595,19 +661,23 @@ export async function executeAnthropicProviderRequest( if (toolResultBlocks.length > 0) { currentMessages.push({ role: 'user', - content: toolResultBlocks as unknown as Anthropic.Messages.ContentBlockParam[], + content: toolResultBlocks as Anthropic.Messages.ContentBlockParam[], }) } const thisToolsTime = Date.now() - toolsStartTime toolsTime += thisToolsTime - const nextPayload = { - ...intermediatePayload, + const nextPayload: AnthropicPayload = { + ...payload, messages: currentMessages, } + // Per Anthropic docs: forced tool_choice is incompatible with thinking. + // Only auto and none are supported when thinking is enabled. + const thinkingEnabled = !!payload.thinking if ( + !thinkingEnabled && typeof originalToolChoice === 'object' && hasUsedForcedTool && forcedTools.length > 0 
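Review bot: The `thinkingBlocks` filter and the rebuilt assistant message in the `@@ -583` hunk are repeated verbatim in the `@@ -1051` hunk of the second tool loop, so a small helper such as `function collectThinkingBlocks(content: Anthropic.Messages.ContentBlock[])` would keep the two loops from drifting apart. The assistant turn is also rebuilt from thinking blocks plus only those `tool_use` blocks whose execution produced a value, since the loop above skips rejected and null results, so it can differ from what the model returned. If the API requires the turn to be replayed unchanged when thinking blocks are present, that case needs handling or at least a comment; this is inferred from the visible lines, as the loop body lies outside the hunk.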
@@ -624,7 +694,11 @@ export async function executeAnthropicProviderRequest( nextPayload.tool_choice = undefined logger.info('All forced tools have been used, removing tool_choice parameter') } - } else if (hasUsedForcedTool && typeof originalToolChoice === 'object') { + } else if ( + !thinkingEnabled && + hasUsedForcedTool && + typeof originalToolChoice === 'object' + ) { nextPayload.tool_choice = undefined logger.info( 'Removing tool_choice parameter for subsequent requests after forced tool was used' @@ -633,7 +707,7 @@ export async function executeAnthropicProviderRequest( const nextModelStartTime = Date.now() - currentResponse = await anthropic.messages.create(nextPayload) + currentResponse = await createMessage(anthropic, nextPayload) const nextCheckResult = checkForForcedToolUsage( currentResponse, 
@@ -682,33 +756,38 @@ export async function executeAnthropicProviderRequest( tool_choice: undefined, } - const streamResponse: any = await anthropic.messages.create(streamingPayload) + const streamResponse = await anthropic.messages.create( + streamingPayload as Anthropic.Messages.MessageCreateParamsStreaming + ) const streamingResult = { - stream: createReadableStreamFromAnthropicStream(streamResponse, (streamContent, usage) => { - streamingResult.execution.output.content = streamContent - streamingResult.execution.output.tokens = { - input: tokens.input + usage.input_tokens, - output: tokens.output + usage.output_tokens, - total: tokens.total + usage.input_tokens + usage.output_tokens, - } + stream: createReadableStreamFromAnthropicStream( + streamResponse as AsyncIterable, + (streamContent, usage) => { + streamingResult.execution.output.content = streamContent + streamingResult.execution.output.tokens = { + input: tokens.input + usage.input_tokens, + output: tokens.output + usage.output_tokens, + total: tokens.total + usage.input_tokens + usage.output_tokens, + } - const streamCost = calculateCost(request.model, usage.input_tokens, usage.output_tokens) - streamingResult.execution.output.cost = { - input: accumulatedCost.input + streamCost.input, - output: accumulatedCost.output + streamCost.output, - total: accumulatedCost.total + streamCost.total, - } + const streamCost = calculateCost(request.model, usage.input_tokens, usage.output_tokens) + streamingResult.execution.output.cost = { + input: accumulatedCost.input + streamCost.input, + output: accumulatedCost.output + streamCost.output, + total: accumulatedCost.total + streamCost.total, + } - const streamEndTime = Date.now() - const streamEndTimeISO = new Date(streamEndTime).toISOString() + const streamEndTime = Date.now() + const streamEndTimeISO = new Date(streamEndTime).toISOString() - if (streamingResult.execution.output.providerTiming) { - streamingResult.execution.output.providerTiming.endTime = 
streamEndTimeISO - streamingResult.execution.output.providerTiming.duration = - streamEndTime - providerStartTime + if (streamingResult.execution.output.providerTiming) { + streamingResult.execution.output.providerTiming.endTime = streamEndTimeISO + streamingResult.execution.output.providerTiming.duration = + streamEndTime - providerStartTime + } } - }), + ), execution: { success: true, output: { @@ -778,21 +857,13 @@ export async function executeAnthropicProviderRequest( const providerStartTime = Date.now() const providerStartTimeISO = new Date(providerStartTime).toISOString() - // Cap intermediate calls at non-streaming limit to avoid SDK timeout errors, - // but allow users to set lower values if desired - const nonStreamingLimit = getMaxOutputTokensForModel(request.model, false) - const toolLoopMaxTokens = request.maxTokens - ? Math.min(Number.parseInt(String(request.maxTokens)), nonStreamingLimit) - : nonStreamingLimit - const toolLoopPayload = { ...payload, max_tokens: toolLoopMaxTokens } - try { const initialCallTime = Date.now() - const originalToolChoice = toolLoopPayload.tool_choice + const originalToolChoice = payload.tool_choice const forcedTools = preparedTools?.forcedTools || [] let usedForcedTools: string[] = [] - let currentResponse = await anthropic.messages.create(toolLoopPayload) + let currentResponse = await createMessage(anthropic, payload) const firstResponseTime = Date.now() - initialCallTime let content = '' @@ -872,7 +943,7 @@ export async function executeAnthropicProviderRequest( const toolExecutionPromises = toolUses.map(async (toolUse) => { const toolCallStartTime = Date.now() const toolName = toolUse.name - const toolArgs = toolUse.input as Record + const toolArgs = toolUse.input as Record // Preserve the original tool_use ID from Claude's response const toolUseId = toolUse.id 
@@ -918,17 +989,8 @@ export async function executeAnthropicProviderRequest( const executionResults = await Promise.allSettled(toolExecutionPromises) // Collect all tool_use and tool_result blocks for batching - const toolUseBlocks: Array<{ - type: 'tool_use' - id: string - name: string - input: Record - }> = [] - const toolResultBlocks: Array<{ - type: 'tool_result' - tool_use_id: string - content: string - }> = [] + const toolUseBlocks: Anthropic.Messages.ToolUseBlockParam[] = [] + const toolResultBlocks: Anthropic.Messages.ToolResultBlockParam[] = [] for (const settledResult of executionResults) { if (settledResult.status === 'rejected' || !settledResult.value) continue @@ -989,11 +1051,23 @@ export async function executeAnthropicProviderRequest( }) } - // Add ONE assistant message with ALL tool_use blocks + // Per Anthropic docs: thinking blocks must be preserved in assistant messages + // during tool use to maintain reasoning continuity. + const thinkingBlocks = currentResponse.content.filter( + ( + item + ): item is Anthropic.Messages.ThinkingBlock | Anthropic.Messages.RedactedThinkingBlock => + item.type === 'thinking' || item.type === 'redacted_thinking' + ) + + // Add ONE assistant message with thinking + tool_use blocks if (toolUseBlocks.length > 0) { currentMessages.push({ role: 'assistant', - content: toolUseBlocks as unknown as Anthropic.Messages.ContentBlock[], + content: [ + ...thinkingBlocks, + ...toolUseBlocks, + ] as Anthropic.Messages.ContentBlockParam[], }) } 
@@ -1001,19 +1075,27 @@ export async function executeAnthropicProviderRequest( if (toolResultBlocks.length > 0) { currentMessages.push({ role: 'user', - content: toolResultBlocks as unknown as Anthropic.Messages.ContentBlockParam[], + content: toolResultBlocks as Anthropic.Messages.ContentBlockParam[], }) } const thisToolsTime = Date.now() - toolsStartTime toolsTime += thisToolsTime - const nextPayload = { - ...toolLoopPayload, + const nextPayload: AnthropicPayload = { + ...payload, messages: currentMessages, } - if (typeof originalToolChoice === 'object' && hasUsedForcedTool && forcedTools.length > 0) { + // Per Anthropic docs: forced tool_choice is incompatible with thinking. + // Only auto and none are supported when thinking is enabled. + const thinkingEnabled = !!payload.thinking + if ( + !thinkingEnabled && + typeof originalToolChoice === 'object' && + hasUsedForcedTool && + forcedTools.length > 0 + ) { const remainingTools = forcedTools.filter((tool) => !usedForcedTools.includes(tool)) if (remainingTools.length > 0) { @@ -1026,7 +1108,11 @@ export async function executeAnthropicProviderRequest( nextPayload.tool_choice = undefined logger.info('All forced tools have been used, removing tool_choice parameter') } - } else if (hasUsedForcedTool && typeof originalToolChoice === 'object') { + } else if ( + !thinkingEnabled && + hasUsedForcedTool && + typeof originalToolChoice === 'object' + ) { nextPayload.tool_choice = undefined logger.info( 'Removing tool_choice parameter for subsequent requests after forced tool was used' @@ -1035,7 +1121,7 @@ export async function executeAnthropicProviderRequest( const nextModelStartTime = Date.now() - currentResponse = await anthropic.messages.create(nextPayload) + currentResponse = await createMessage(anthropic, nextPayload) const nextCheckResult = checkForForcedToolUsage( currentResponse, 
@@ -1098,33 +1184,38 @@ export async function executeAnthropicProviderRequest( tool_choice: undefined, } - const streamResponse: any = await anthropic.messages.create(streamingPayload) + const streamResponse = await anthropic.messages.create( + streamingPayload as Anthropic.Messages.MessageCreateParamsStreaming + ) const streamingResult = { - stream: createReadableStreamFromAnthropicStream(streamResponse, (streamContent, usage) => { - streamingResult.execution.output.content = streamContent - streamingResult.execution.output.tokens = { - input: tokens.input + usage.input_tokens, - output: tokens.output + usage.output_tokens, - total: tokens.total + usage.input_tokens + usage.output_tokens, - } + stream: createReadableStreamFromAnthropicStream( + streamResponse as AsyncIterable, + (streamContent, usage) => { + streamingResult.execution.output.content = streamContent + streamingResult.execution.output.tokens = { + input: tokens.input + usage.input_tokens, + output: tokens.output + usage.output_tokens, + total: tokens.total + usage.input_tokens + usage.output_tokens, + } - const streamCost = calculateCost(request.model, usage.input_tokens, usage.output_tokens) - streamingResult.execution.output.cost = { - input: cost.input + streamCost.input, - output: cost.output + streamCost.output, - total: cost.total + streamCost.total, - } + const streamCost = calculateCost(request.model, usage.input_tokens, usage.output_tokens) + streamingResult.execution.output.cost = { + input: cost.input + streamCost.input, + output: cost.output + streamCost.output, + total: cost.total + streamCost.total, + } - const streamEndTime = Date.now() - const streamEndTimeISO = new Date(streamEndTime).toISOString() + const streamEndTime = Date.now() + const streamEndTimeISO = new Date(streamEndTime).toISOString() - if (streamingResult.execution.output.providerTiming) { - streamingResult.execution.output.providerTiming.endTime = streamEndTimeISO - 
streamingResult.execution.output.providerTiming.duration = - streamEndTime - providerStartTime + if (streamingResult.execution.output.providerTiming) { + streamingResult.execution.output.providerTiming.endTime = streamEndTimeISO + streamingResult.execution.output.providerTiming.duration = + streamEndTime - providerStartTime + } } - }), + ), execution: { success: true, output: { @@ -1179,7 +1270,7 @@ export async function executeAnthropicProviderRequest( toolCalls.length > 0 ? toolCalls.map((tc) => ({ name: tc.name, - arguments: tc.arguments as Record, + arguments: tc.arguments as Record, startTime: tc.startTime, endTime: tc.endTime, duration: tc.duration, diff --git a/apps/sim/providers/azure-openai/index.ts b/apps/sim/providers/azure-openai/index.ts index ca63904df..d8b6c268c 100644 --- a/apps/sim/providers/azure-openai/index.ts +++ b/apps/sim/providers/azure-openai/index.ts @@ -1,6 +1,14 @@ import { createLogger } from '@sim/logger' import { AzureOpenAI } from 'openai' -import type { ChatCompletionCreateParamsStreaming } from 'openai/resources/chat/completions' +import type { + ChatCompletion, + ChatCompletionCreateParamsBase, + ChatCompletionCreateParamsStreaming, + ChatCompletionMessageParam, + ChatCompletionTool, + ChatCompletionToolChoiceOption, +} from 'openai/resources/chat/completions' +import type { ReasoningEffort } from 'openai/resources/shared' import { env } from '@/lib/core/config/env' import type { StreamingExecution } from '@/executor/types' import { MAX_TOOL_ITERATIONS } from '@/providers' @@ -16,6 +24,7 @@ import { import { getProviderDefaultModel, getProviderModels } from '@/providers/models' import { executeResponsesProviderRequest } from '@/providers/openai/core' import type { + FunctionCallResponse, ProviderConfig, ProviderRequest, ProviderResponse, 
@@ -59,7 +68,7 @@ async function executeChatCompletionsRequest( endpoint: azureEndpoint, }) - const allMessages: any[] = [] + const allMessages: ChatCompletionMessageParam[] = [] if (request.systemPrompt) { allMessages.push({ @@ -76,12 +85,12 @@ async function executeChatCompletionsRequest( } if (request.messages) { - allMessages.push(...request.messages) + allMessages.push(...(request.messages as ChatCompletionMessageParam[])) } - const tools = request.tools?.length + const tools: ChatCompletionTool[] | undefined = request.tools?.length ? request.tools.map((tool) => ({ - type: 'function', + type: 'function' as const, function: { name: tool.id, description: tool.description, @@ -90,7 +99,7 @@ async function executeChatCompletionsRequest( })) : undefined - const payload: any = { + const payload: ChatCompletionCreateParamsBase & { verbosity?: string } = { model: deploymentName, messages: allMessages, } @@ -98,8 +107,10 @@ async function executeChatCompletionsRequest( if (request.temperature !== undefined) payload.temperature = request.temperature if (request.maxTokens != null) payload.max_completion_tokens = request.maxTokens - if (request.reasoningEffort !== undefined) payload.reasoning_effort = request.reasoningEffort - if (request.verbosity !== undefined) payload.verbosity = request.verbosity + if (request.reasoningEffort !== undefined && request.reasoningEffort !== 'auto') + payload.reasoning_effort = request.reasoningEffort as ReasoningEffort + if (request.verbosity !== undefined && request.verbosity !== 'auto') + payload.verbosity = request.verbosity if (request.responseFormat) { payload.response_format = { 
@@ -121,8 +132,8 @@ async function executeChatCompletionsRequest( const { tools: filteredTools, toolChoice } = preparedTools if (filteredTools?.length && toolChoice) { - payload.tools = filteredTools - payload.tool_choice = toolChoice + payload.tools = filteredTools as ChatCompletionTool[] + payload.tool_choice = toolChoice as ChatCompletionToolChoiceOption logger.info('Azure OpenAI request configuration:', { toolCount: filteredTools.length, @@ -231,7 +242,7 @@ async function executeChatCompletionsRequest( const forcedTools = preparedTools?.forcedTools || [] let usedForcedTools: string[] = [] - let currentResponse = await azureOpenAI.chat.completions.create(payload) + let currentResponse = (await azureOpenAI.chat.completions.create(payload)) as ChatCompletion const firstResponseTime = Date.now() - initialCallTime let content = currentResponse.choices[0]?.message?.content || '' @@ -240,8 +251,8 @@ async function executeChatCompletionsRequest( output: currentResponse.usage?.completion_tokens || 0, total: currentResponse.usage?.total_tokens || 0, } - const toolCalls = [] - const toolResults = [] + const toolCalls: (FunctionCallResponse & { success: boolean })[] = [] + const toolResults: Record[] = [] const currentMessages = [...allMessages] let iterationCount = 0 let modelTime = firstResponseTime @@ -260,7 +271,7 @@ async function executeChatCompletionsRequest( const firstCheckResult = checkForForcedToolUsage( currentResponse, - originalToolChoice, + originalToolChoice ?? 'auto', logger, forcedTools, usedForcedTools @@ -356,10 +367,10 @@ async function executeChatCompletionsRequest( duration: duration, }) - let resultContent: any + let resultContent: Record if (result.success) { - toolResults.push(result.output) - resultContent = result.output + toolResults.push(result.output as Record) + resultContent = result.output as Record } else { resultContent = { error: true, 
@@ -409,11 +420,11 @@ async function executeChatCompletionsRequest( } const nextModelStartTime = Date.now() - currentResponse = await azureOpenAI.chat.completions.create(nextPayload) + currentResponse = (await azureOpenAI.chat.completions.create(nextPayload)) as ChatCompletion const nextCheckResult = checkForForcedToolUsage( currentResponse, - nextPayload.tool_choice, + nextPayload.tool_choice ?? 'auto', logger, forcedTools, usedForcedTools diff --git a/apps/sim/providers/azure-openai/utils.ts b/apps/sim/providers/azure-openai/utils.ts index 36e65e678..fec1e862e 100644 --- a/apps/sim/providers/azure-openai/utils.ts +++ b/apps/sim/providers/azure-openai/utils.ts @@ -1,4 +1,5 @@ import type { Logger } from '@sim/logger' +import type OpenAI from 'openai' import type { ChatCompletionChunk } from 'openai/resources/chat/completions' import type { CompletionUsage } from 'openai/resources/completions' import type { Stream } from 'openai/streaming' @@ -20,8 +21,8 @@ export function createReadableStreamFromAzureOpenAIStream( * Uses the shared OpenAI-compatible forced tool usage helper. */ export function checkForForcedToolUsage( - response: any, - toolChoice: string | { type: string; function?: { name: string }; name?: string; any?: any }, + response: OpenAI.Chat.Completions.ChatCompletion, + toolChoice: string | { type: string; function?: { name: string }; name?: string }, _logger: Logger, forcedTools: string[], usedForcedTools: string[] diff --git a/apps/sim/providers/bedrock/index.ts b/apps/sim/providers/bedrock/index.ts index 57935394a..e602627b7 100644 --- a/apps/sim/providers/bedrock/index.ts +++ b/apps/sim/providers/bedrock/index.ts 
@@ -197,6 +197,9 @@ export const bedrockProvider: ProviderConfig = { } else if (tc.type === 'function' && tc.function?.name) { toolChoice = { tool: { name: tc.function.name } } logger.info(`Using Bedrock tool_choice format: force tool "${tc.function.name}"`) + } else if (tc.type === 'any') { + toolChoice = { any: {} } + logger.info('Using Bedrock tool_choice format: any tool') } else { toolChoice = { auto: {} } } @@ -413,6 +416,7 @@ export const bedrockProvider: ProviderConfig = { input: initialCost.input, output: initialCost.output, total: initialCost.total, + pricing: initialCost.pricing, } const toolCalls: any[] = [] @@ -860,6 +864,12 @@ export const bedrockProvider: ProviderConfig = { content, model: request.model, tokens, + cost: { + input: cost.input, + output: cost.output, + total: cost.total, + pricing: cost.pricing, + }, toolCalls: toolCalls.length > 0 ? toolCalls.map((tc) => ({ diff --git a/apps/sim/providers/gemini/core.ts b/apps/sim/providers/gemini/core.ts index 5050672ea..4e7164b82 100644 --- a/apps/sim/providers/gemini/core.ts +++ b/apps/sim/providers/gemini/core.ts @@ -24,7 +24,6 @@ import { extractTextContent, mapToThinkingLevel, } from '@/providers/google/utils' -import { getThinkingCapability } from '@/providers/models' import type { FunctionCallResponse, ProviderRequest, ProviderResponse } from '@/providers/types' import { calculateCost, 
@@ -432,13 +431,11 @@ export async function executeGeminiRequest( logger.warn('Gemini does not support responseFormat with tools. Structured output ignored.') } - // Configure thinking for models that support it - const thinkingCapability = getThinkingCapability(model) - if (thinkingCapability) { - const level = request.thinkingLevel ?? thinkingCapability.default ?? 'high' + // Configure thinking only when the user explicitly selects a thinking level + if (request.thinkingLevel && request.thinkingLevel !== 'none') { const thinkingConfig: ThinkingConfig = { includeThoughts: false, - thinkingLevel: mapToThinkingLevel(level), + thinkingLevel: mapToThinkingLevel(request.thinkingLevel), } geminiConfig.thinkingConfig = thinkingConfig } diff --git a/apps/sim/providers/mistral/index.ts b/apps/sim/providers/mistral/index.ts index fb3e701ed..0195c04fb 100644 --- a/apps/sim/providers/mistral/index.ts +++ b/apps/sim/providers/mistral/index.ts @@ -141,7 +141,6 @@ export const mistralProvider: ProviderConfig = { const streamingParams: ChatCompletionCreateParamsStreaming = { ...payload, stream: true, - stream_options: { include_usage: true }, } const streamResponse = await mistral.chat.completions.create(streamingParams) @@ -453,7 +452,6 @@ export const mistralProvider: ProviderConfig = { messages: currentMessages, tool_choice: 'auto', stream: true, - stream_options: { include_usage: true }, } const streamResponse = await mistral.chat.completions.create(streamingParams) diff --git a/apps/sim/providers/models.ts b/apps/sim/providers/models.ts index 3662e1ca5..cbced7ffe 100644 --- a/apps/sim/providers/models.ts +++ b/apps/sim/providers/models.ts 
@@ -34,17 +34,8 @@ export interface ModelCapabilities { toolUsageControl?: boolean computerUse?: boolean nativeStructuredOutputs?: boolean - /** - * Max output tokens configuration for Anthropic SDK's streaming timeout workaround. - * The Anthropic SDK throws an error for non-streaming requests that may take >10 minutes. - * This only applies to direct Anthropic API calls, not Bedrock (which uses AWS SDK). - */ - maxOutputTokens?: { - /** Maximum tokens for streaming requests */ - max: number - /** Safe default for non-streaming requests (to avoid Anthropic SDK timeout errors) */ - default: number - } + /** Maximum supported output tokens for this model */ + maxOutputTokens?: number reasoningEffort?: { values: string[] } @@ -109,7 +100,7 @@ export const PROVIDER_DEFINITIONS: Record = { name: 'OpenAI', description: "OpenAI's models", defaultModel: 'gpt-4o', - modelPatterns: [/^gpt/, /^o1/, /^text-embedding/], + modelPatterns: [/^gpt/, /^o\d/, /^text-embedding/], icon: OpenAIIcon, capabilities: { toolUsageControl: true, @@ -138,7 +129,7 @@ export const PROVIDER_DEFINITIONS: Record = { }, capabilities: { reasoningEffort: { - values: ['none', 'minimal', 'low', 'medium', 'high', 'xhigh'], + values: ['none', 'low', 'medium', 'high', 'xhigh'], }, verbosity: { values: ['low', 'medium', 'high'], 
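Review bot: The new OpenAI entry `/^o\d/` in `modelPatterns` matches every model id that begins with `o` and a digit, not only the o-series ids this file lists (`o1`, `o3`, `o4-mini`). These patterns presumably select the provider, and with it the API key and endpoint a request is sent to, so an unrelated or user-supplied id with that prefix would be routed to OpenAI. Anchoring the tail keeps the intent while narrowing the match: `modelPatterns: [/^gpt/, /^o\d+(-|$)/, /^text-embedding/],`.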
@@ -164,60 +155,6 @@ export const PROVIDER_DEFINITIONS: Record = { }, contextWindow: 400000, }, - // { - // id: 'gpt-5.1-mini', - // pricing: { - // input: 0.25, - // cachedInput: 0.025, - // output: 2.0, - // updatedAt: '2025-11-14', - // }, - // capabilities: { - // reasoningEffort: { - // values: ['none', 'low', 'medium', 'high'], - // }, - // verbosity: { - // values: ['low', 'medium', 'high'], - // }, - // }, - // contextWindow: 400000, - // }, - // { - // id: 'gpt-5.1-nano', - // pricing: { - // input: 0.05, - // cachedInput: 0.005, - // output: 0.4, - // updatedAt: '2025-11-14', - // }, - // capabilities: { - // reasoningEffort: { - // values: ['none', 'low', 'medium', 'high'], - // }, - // verbosity: { - // values: ['low', 'medium', 'high'], - // }, - // }, - // contextWindow: 400000, - // }, - // { - // id: 'gpt-5.1-codex', - // pricing: { - // input: 1.25, - // cachedInput: 0.125, - // output: 10.0, - // updatedAt: '2025-11-14', - // }, - // capabilities: { - // reasoningEffort: { - // values: ['none', 'medium', 'high'], - // }, - // verbosity: { - // values: ['low', 'medium', 'high'], - // }, - // }, - // contextWindow: 400000, - // }, { id: 'gpt-5', pricing: { @@ -280,8 +217,10 @@ export const PROVIDER_DEFINITIONS: Record = { output: 10.0, updatedAt: '2025-08-07', }, - capabilities: {}, - contextWindow: 400000, + capabilities: { + temperature: { min: 0, max: 2 }, + }, + contextWindow: 128000, }, { id: 'o1', @@ -311,7 +250,7 @@ export const PROVIDER_DEFINITIONS: Record = { values: ['low', 'medium', 'high'], }, }, - contextWindow: 128000, + contextWindow: 200000, }, { id: 'o4-mini', @@ -326,7 +265,7 @@ export const PROVIDER_DEFINITIONS: Record = { values: ['low', 'medium', 'high'], }, }, - contextWindow: 128000, + contextWindow: 200000, }, { id: 'gpt-4.1', 
@@ -391,7 +330,7 @@ export const PROVIDER_DEFINITIONS: Record = { capabilities: { temperature: { min: 0, max: 1 }, nativeStructuredOutputs: true, - maxOutputTokens: { max: 128000, default: 8192 }, + maxOutputTokens: 128000, thinking: { levels: ['low', 'medium', 'high', 'max'], default: 'high', @@ -410,10 +349,10 @@ export const PROVIDER_DEFINITIONS: Record = { capabilities: { temperature: { min: 0, max: 1 }, nativeStructuredOutputs: true, - maxOutputTokens: { max: 64000, default: 8192 }, + maxOutputTokens: 64000, thinking: { levels: ['low', 'medium', 'high'], - default: 'medium', + default: 'high', }, }, contextWindow: 200000, @@ -429,10 +368,10 @@ export const PROVIDER_DEFINITIONS: Record = { capabilities: { temperature: { min: 0, max: 1 }, nativeStructuredOutputs: true, - maxOutputTokens: { max: 64000, default: 8192 }, + maxOutputTokens: 64000, thinking: { levels: ['low', 'medium', 'high'], - default: 'medium', + default: 'high', }, }, contextWindow: 200000, @@ -447,10 +386,10 @@ export const PROVIDER_DEFINITIONS: Record = { }, capabilities: { temperature: { min: 0, max: 1 }, - maxOutputTokens: { max: 64000, default: 8192 }, + maxOutputTokens: 64000, thinking: { levels: ['low', 'medium', 'high'], - default: 'medium', + default: 'high', }, }, contextWindow: 200000, @@ -466,10 +405,10 @@ export const PROVIDER_DEFINITIONS: Record = { capabilities: { temperature: { min: 0, max: 1 }, nativeStructuredOutputs: true, - maxOutputTokens: { max: 64000, default: 8192 }, + maxOutputTokens: 64000, thinking: { levels: ['low', 'medium', 'high'], - default: 'medium', + default: 'high', }, }, contextWindow: 200000, @@ -484,10 +423,10 @@ export const PROVIDER_DEFINITIONS: Record = { }, capabilities: { temperature: { min: 0, max: 1 }, - maxOutputTokens: { max: 64000, default: 8192 }, + maxOutputTokens: 64000, thinking: { levels: ['low', 'medium', 'high'], - default: 'medium', + default: 'high', }, }, contextWindow: 200000, 
@@ -503,10 +442,10 @@ export const PROVIDER_DEFINITIONS: Record = { capabilities: { temperature: { min: 0, max: 1 }, nativeStructuredOutputs: true, - maxOutputTokens: { max: 64000, default: 8192 }, + maxOutputTokens: 64000, thinking: { levels: ['low', 'medium', 'high'], - default: 'medium', + default: 'high', }, }, contextWindow: 200000, @@ -515,13 +454,13 @@ export const PROVIDER_DEFINITIONS: Record = { id: 'claude-3-haiku-20240307', pricing: { input: 0.25, - cachedInput: 0.025, + cachedInput: 0.03, output: 1.25, updatedAt: '2026-02-05', }, capabilities: { temperature: { min: 0, max: 1 }, - maxOutputTokens: { max: 4096, default: 4096 }, + maxOutputTokens: 4096, }, contextWindow: 200000, }, @@ -536,10 +475,10 @@ export const PROVIDER_DEFINITIONS: Record = { capabilities: { temperature: { min: 0, max: 1 }, computerUse: true, - maxOutputTokens: { max: 8192, default: 8192 }, + maxOutputTokens: 64000, thinking: { levels: ['low', 'medium', 'high'], - default: 'medium', + default: 'high', }, }, contextWindow: 200000, @@ -580,7 +519,7 @@ export const PROVIDER_DEFINITIONS: Record = { }, capabilities: { reasoningEffort: { - values: ['none', 'minimal', 'low', 'medium', 'high', 'xhigh'], + values: ['none', 'low', 'medium', 'high', 'xhigh'], }, verbosity: { values: ['low', 'medium', 'high'], 
@@ -606,42 +545,6 @@ export const PROVIDER_DEFINITIONS: Record = { }, contextWindow: 400000, }, - { - id: 'azure/gpt-5.1-mini', - pricing: { - input: 0.25, - cachedInput: 0.025, - output: 2.0, - updatedAt: '2025-11-14', - }, - capabilities: { - reasoningEffort: { - values: ['none', 'low', 'medium', 'high'], - }, - verbosity: { - values: ['low', 'medium', 'high'], - }, - }, - contextWindow: 400000, - }, - { - id: 'azure/gpt-5.1-nano', - pricing: { - input: 0.05, - cachedInput: 0.005, - output: 0.4, - updatedAt: '2025-11-14', - }, - capabilities: { - reasoningEffort: { - values: ['none', 'low', 'medium', 'high'], - }, - verbosity: { - values: ['low', 'medium', 'high'], - }, - }, - contextWindow: 400000, - }, { id: 'azure/gpt-5.1-codex', pricing: { @@ -652,7 +555,7 @@ export const PROVIDER_DEFINITIONS: Record = { }, capabilities: { reasoningEffort: { - values: ['none', 'medium', 'high'], + values: ['none', 'low', 'medium', 'high'], }, verbosity: { values: ['low', 'medium', 'high'], @@ -722,23 +625,25 @@ export const PROVIDER_DEFINITIONS: Record = { output: 10.0, updatedAt: '2025-08-07', }, - capabilities: {}, - contextWindow: 400000, + capabilities: { + temperature: { min: 0, max: 2 }, + }, + contextWindow: 128000, }, { id: 'azure/o3', pricing: { - input: 10, - cachedInput: 2.5, - output: 40, - updatedAt: '2025-06-15', + input: 2, + cachedInput: 0.5, + output: 8, + updatedAt: '2026-02-06', }, capabilities: { reasoningEffort: { values: ['low', 'medium', 'high'], }, }, - contextWindow: 128000, + contextWindow: 200000, }, { id: 'azure/o4-mini', @@ -753,7 +658,7 @@ export const PROVIDER_DEFINITIONS: Record = { values: ['low', 'medium', 'high'], }, }, - contextWindow: 128000, + contextWindow: 200000, }, { id: 'azure/gpt-4.1', 
@@ -763,7 +668,35 @@ export const PROVIDER_DEFINITIONS: Record = { output: 8.0, updatedAt: '2025-06-15', }, - capabilities: {}, + capabilities: { + temperature: { min: 0, max: 2 }, + }, + contextWindow: 1000000, + }, + { + id: 'azure/gpt-4.1-mini', + pricing: { + input: 0.4, + cachedInput: 0.1, + output: 1.6, + updatedAt: '2025-06-15', + }, + capabilities: { + temperature: { min: 0, max: 2 }, + }, + contextWindow: 1000000, + }, + { + id: 'azure/gpt-4.1-nano', + pricing: { + input: 0.1, + cachedInput: 0.025, + output: 0.4, + updatedAt: '2025-06-15', + }, + capabilities: { + temperature: { min: 0, max: 2 }, + }, contextWindow: 1000000, }, { @@ -775,7 +708,7 @@ export const PROVIDER_DEFINITIONS: Record = { updatedAt: '2025-06-15', }, capabilities: {}, - contextWindow: 1000000, + contextWindow: 200000, }, ], }, @@ -801,7 +734,7 @@ export const PROVIDER_DEFINITIONS: Record = { capabilities: { temperature: { min: 0, max: 1 }, nativeStructuredOutputs: true, - maxOutputTokens: { max: 128000, default: 8192 }, + maxOutputTokens: 128000, thinking: { levels: ['low', 'medium', 'high', 'max'], default: 'high', @@ -820,10 +753,10 @@ export const PROVIDER_DEFINITIONS: Record = { capabilities: { temperature: { min: 0, max: 1 }, nativeStructuredOutputs: true, - maxOutputTokens: { max: 64000, default: 8192 }, + maxOutputTokens: 64000, thinking: { levels: ['low', 'medium', 'high'], - default: 'medium', + default: 'high', }, }, contextWindow: 200000, @@ -839,10 +772,10 @@ export const PROVIDER_DEFINITIONS: Record = { capabilities: { temperature: { min: 0, max: 1 }, nativeStructuredOutputs: true, - maxOutputTokens: { max: 64000, default: 8192 }, + maxOutputTokens: 64000, thinking: { levels: ['low', 'medium', 'high'], - default: 'medium', + default: 'high', }, }, contextWindow: 200000, 
@@ -858,10 +791,10 @@ export const PROVIDER_DEFINITIONS: Record = { capabilities: { temperature: { min: 0, max: 1 }, nativeStructuredOutputs: true, - maxOutputTokens: { max: 64000, default: 8192 }, + maxOutputTokens: 64000, thinking: { levels: ['low', 'medium', 'high'], - default: 'medium', + default: 'high', }, }, contextWindow: 200000, @@ -877,10 +810,10 @@ export const PROVIDER_DEFINITIONS: Record = { capabilities: { temperature: { min: 0, max: 1 }, nativeStructuredOutputs: true, - maxOutputTokens: { max: 64000, default: 8192 }, + maxOutputTokens: 64000, thinking: { levels: ['low', 'medium', 'high'], - default: 'medium', + default: 'high', }, }, contextWindow: 200000, @@ -2548,14 +2481,11 @@ export function getThinkingLevelsForModel(modelId: string): string[] | null { } /** - * Get the max output tokens for a specific model - * Returns the model's max capacity for streaming requests, - * or the model's safe default for non-streaming requests to avoid timeout issues. + * Get the max output tokens for a specific model. * * @param modelId - The model ID - * @param streaming - Whether the request is streaming (default: false) */ -export function getMaxOutputTokensForModel(modelId: string, streaming = false): number { +export function getMaxOutputTokensForModel(modelId: string): number { const normalizedModelId = modelId.toLowerCase() const STANDARD_MAX_OUTPUT_TOKENS = 4096 @@ -2563,11 +2493,7 @@ export function getMaxOutputTokensForModel(modelId: string, streaming = false): for (const model of provider.models) { const baseModelId = model.id.toLowerCase() if (normalizedModelId === baseModelId || normalizedModelId.startsWith(`${baseModelId}-`)) { - const outputTokens = model.capabilities.maxOutputTokens - if (outputTokens) { - return streaming ? outputTokens.max : outputTokens.default - } - return STANDARD_MAX_OUTPUT_TOKENS + return model.capabilities.maxOutputTokens || STANDARD_MAX_OUTPUT_TOKENS } } } 
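Review bot: `getMaxOutputTokensForModel` now returns the model's full ceiling to every caller, so a non-streaming request for a model declared with `maxOutputTokens: 128000` gets 128000 where it used to get the 8192 default. The comment this commit removes from `ModelCapabilities` said that default existed because the Anthropic SDK throws on non-streaming requests that may take longer than 10 minutes. Nothing in these hunks replaces that guard, so the Anthropic non-streaming path should be checked, along with the larger per-request output budget this implies. If the clamp now lives in the provider, the docstring should say so, for example `* Returns the model ceiling; non-streaming Anthropic callers must clamp this value.` The function's loops close outside the hunk.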
diff --git a/apps/sim/providers/openai/core.ts b/apps/sim/providers/openai/core.ts index 8ed4c9386..6e6d42cb4 100644 --- a/apps/sim/providers/openai/core.ts +++ b/apps/sim/providers/openai/core.ts @@ -1,4 +1,5 @@ import type { Logger } from '@sim/logger' +import type OpenAI from 'openai' import type { StreamingExecution } from '@/executor/types' import { MAX_TOOL_ITERATIONS } from '@/providers' import type { Message, ProviderRequest, ProviderResponse, TimeSegment } from '@/providers/types' @@ -30,7 +31,7 @@ type ToolChoice = PreparedTools['toolChoice'] * - Sets additionalProperties: false on all object types. * - Ensures required includes ALL property keys. */ -function enforceStrictSchema(schema: any): any { +function enforceStrictSchema(schema: Record): Record { if (!schema || typeof schema !== 'object') return schema const result = { ...schema } @@ -41,23 +42,26 @@ function enforceStrictSchema(schema: any): any { // Recursively process properties and ensure required includes all keys if (result.properties && typeof result.properties === 'object') { - const propKeys = Object.keys(result.properties) + const propKeys = Object.keys(result.properties as Record) result.required = propKeys // Strict mode requires ALL properties result.properties = Object.fromEntries( - Object.entries(result.properties).map(([key, value]) => [key, enforceStrictSchema(value)]) + Object.entries(result.properties as Record).map(([key, value]) => [ + key, + enforceStrictSchema(value as Record), + ]) ) } } // Handle array items if (result.type === 'array' && result.items) { - result.items = enforceStrictSchema(result.items) + result.items = enforceStrictSchema(result.items as Record) } // Handle anyOf, oneOf, allOf for (const keyword of ['anyOf', 'oneOf', 'allOf']) { if (Array.isArray(result[keyword])) { - result[keyword] = result[keyword].map(enforceStrictSchema) + result[keyword] = (result[keyword] as Record[]).map(enforceStrictSchema) } } 
@@ -65,7 +69,10 @@ function enforceStrictSchema(schema: any): any { for (const defKey of ['$defs', 'definitions']) { if (result[defKey] && typeof result[defKey] === 'object') { result[defKey] = Object.fromEntries( - Object.entries(result[defKey]).map(([key, value]) => [key, enforceStrictSchema(value)]) + Object.entries(result[defKey] as Record).map(([key, value]) => [ + key, + enforceStrictSchema(value as Record), + ]) ) } } @@ -123,29 +130,29 @@ export async function executeResponsesProviderRequest( const initialInput = buildResponsesInputFromMessages(allMessages) - const basePayload: Record = { + const basePayload: Record = { model: config.modelName, } if (request.temperature !== undefined) basePayload.temperature = request.temperature if (request.maxTokens != null) basePayload.max_output_tokens = request.maxTokens - if (request.reasoningEffort !== undefined) { + if (request.reasoningEffort !== undefined && request.reasoningEffort !== 'auto') { basePayload.reasoning = { effort: request.reasoningEffort, summary: 'auto', } } - if (request.verbosity !== undefined) { + if (request.verbosity !== undefined && request.verbosity !== 'auto') { basePayload.text = { - ...(basePayload.text ?? {}), + ...((basePayload.text as Record) ?? {}), verbosity: request.verbosity, } } // Store response format config - for Azure with tools, we defer applying it until after tool calls complete - let deferredTextFormat: { type: string; name: string; schema: any; strict: boolean } | undefined + let deferredTextFormat: OpenAI.Responses.ResponseFormatTextJSONSchemaConfig | undefined const hasTools = !!request.tools?.length const isAzure = config.providerId === 'azure-openai' @@ -171,7 +178,7 @@ export async function executeResponsesProviderRequest( ) } else { basePayload.text = { - ...(basePayload.text ?? {}), + ...((basePayload.text as Record) ?? {}), format: textFormat, } logger.info(`Added JSON schema response format to ${config.providerLabel} request`) 
@@ -231,7 +238,10 @@ export async function executeResponsesProviderRequest( } } - const createRequestBody = (input: ResponsesInputItem[], overrides: Record = {}) => ({ + const createRequestBody = ( + input: ResponsesInputItem[], + overrides: Record = {} + ) => ({ ...basePayload, input, ...overrides, @@ -247,7 +257,9 @@ export async function executeResponsesProviderRequest( } } - const postResponses = async (body: Record) => { + const postResponses = async ( + body: Record + ): Promise => { const response = await fetch(config.endpoint, { method: 'POST', headers: config.headers, @@ -496,10 +508,10 @@ export async function executeResponsesProviderRequest( duration: duration, }) - let resultContent: any + let resultContent: Record if (result.success) { toolResults.push(result.output) - resultContent = result.output + resultContent = result.output as Record } else { resultContent = { error: true, @@ -615,11 +627,11 @@ export async function executeResponsesProviderRequest( } // Make final call with the response format - build payload without tools - const finalPayload: Record = { + const finalPayload: Record = { model: config.modelName, input: formattedInput, text: { - ...(basePayload.text ?? {}), + ...((basePayload.text as Record) ?? {}), format: deferredTextFormat, }, } 
@@ -627,15 +639,15 @@ export async function executeResponsesProviderRequest( // Copy over non-tool related settings if (request.temperature !== undefined) finalPayload.temperature = request.temperature if (request.maxTokens != null) finalPayload.max_output_tokens = request.maxTokens - if (request.reasoningEffort !== undefined) { + if (request.reasoningEffort !== undefined && request.reasoningEffort !== 'auto') { finalPayload.reasoning = { effort: request.reasoningEffort, summary: 'auto', } } - if (request.verbosity !== undefined) { + if (request.verbosity !== undefined && request.verbosity !== 'auto') { finalPayload.text = { - ...finalPayload.text, + ...((finalPayload.text as Record) ?? {}), verbosity: request.verbosity, } } @@ -679,10 +691,10 @@ export async function executeResponsesProviderRequest( const accumulatedCost = calculateCost(request.model, tokens.input, tokens.output) // For Azure with deferred format in streaming mode, include the format in the streaming call - const streamOverrides: Record = { stream: true, tool_choice: 'auto' } + const streamOverrides: Record = { stream: true, tool_choice: 'auto' } if (deferredTextFormat) { streamOverrides.text = { - ...(basePayload.text ?? {}), + ...((basePayload.text as Record) ?? {}), format: deferredTextFormat, } } diff --git a/apps/sim/providers/openai/utils.ts b/apps/sim/providers/openai/utils.ts index 664c0d8fc..f1575473a 100644 --- a/apps/sim/providers/openai/utils.ts +++ b/apps/sim/providers/openai/utils.ts @@ -1,4 +1,5 @@ import { createLogger } from '@sim/logger' +import type OpenAI from 'openai' import type { Message } from '@/providers/types' const logger = createLogger('ResponsesUtils') @@ -38,7 +39,7 @@ export interface ResponsesToolDefinition { type: 'function' name: string description?: string - parameters?: Record + parameters?: Record } /** 
@@ -85,7 +86,15 @@ export function buildResponsesInputFromMessages(messages: Message[]): ResponsesI /** * Converts tool definitions to the Responses API format. */ -export function convertToolsToResponses(tools: any[]): ResponsesToolDefinition[] { +export function convertToolsToResponses( + tools: Array<{ + type?: string + name?: string + description?: string + parameters?: Record + function?: { name: string; description?: string; parameters?: Record } + }> +): ResponsesToolDefinition[] { return tools .map((tool) => { const name = tool.function?.name ?? tool.name @@ -131,7 +140,7 @@ export function toResponsesToolChoice( return 'auto' } -function extractTextFromMessageItem(item: any): string { +function extractTextFromMessageItem(item: Record): string { if (!item) { return '' } @@ -170,7 +179,7 @@ function extractTextFromMessageItem(item: any): string { /** * Extracts plain text from Responses API output items. */ -export function extractResponseText(output: unknown): string { +export function extractResponseText(output: OpenAI.Responses.ResponseOutputItem[]): string { if (!Array.isArray(output)) { return '' } @@ -181,7 +190,7 @@ export function extractResponseText(output: unknown): string { continue } - const text = extractTextFromMessageItem(item) + const text = extractTextFromMessageItem(item as unknown as Record) if (text) { textParts.push(text) } @@ -193,7 +202,9 @@ export function extractResponseText(output: unknown): string { /** * Converts Responses API output items into input items for subsequent calls. */ -export function convertResponseOutputToInputItems(output: unknown): ResponsesInputItem[] { +export function convertResponseOutputToInputItems( + output: OpenAI.Responses.ResponseOutputItem[] +): ResponsesInputItem[] { if (!Array.isArray(output)) { return [] } 
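Review bot: Changing `extractResponseText(output: unknown)` to accept `OpenAI.Responses.ResponseOutputItem[]` puts what appears to be a parsed network payload behind an SDK type, and the body then undoes that type with a double assertion through `unknown` on each `item`. The retained `Array.isArray(output)` guard shows the value is still not trusted at runtime, so the signature now promises more than the code verifies. The same pattern is repeated in `convertResponseOutputToInputItems` and `extractResponseToolCalls` in the following hunks. Keeping the parameter as `unknown` and narrowing through one small guard, for example `function isRecord(v: unknown): v is Record<string, unknown>`, would remove the casts without loosening the boundary.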
@@ -205,7 +216,7 @@ export function convertResponseOutputToInputItems(output: unknown): ResponsesInp } if (item.type === 'message') { - const text = extractTextFromMessageItem(item) + const text = extractTextFromMessageItem(item as unknown as Record) if (text) { items.push({ role: 'assistant', @@ -213,18 +224,20 @@ export function convertResponseOutputToInputItems(output: unknown): ResponsesInp }) } - const toolCalls = Array.isArray(item.tool_calls) ? item.tool_calls : [] + // Handle Chat Completions-style tool_calls nested under message items + const msgRecord = item as unknown as Record + const toolCalls = Array.isArray(msgRecord.tool_calls) ? msgRecord.tool_calls : [] for (const toolCall of toolCalls) { - const callId = toolCall?.id - const name = toolCall?.function?.name ?? toolCall?.name + const tc = toolCall as Record + const fn = tc.function as Record | undefined + const callId = tc.id as string | undefined + const name = (fn?.name ?? tc.name) as string | undefined if (!callId || !name) { continue } const argumentsValue = - typeof toolCall?.function?.arguments === 'string' - ? toolCall.function.arguments - : JSON.stringify(toolCall?.function?.arguments ?? {}) + typeof fn?.arguments === 'string' ? fn.arguments : JSON.stringify(fn?.arguments ?? {}) items.push({ type: 'function_call', 
@@ -238,14 +251,18 @@ export function convertResponseOutputToInputItems(output: unknown): ResponsesInp } if (item.type === 'function_call') { - const callId = item.call_id ?? item.id - const name = item.name ?? item.function?.name + const fc = item as OpenAI.Responses.ResponseFunctionToolCall + const fcRecord = item as unknown as Record + const callId = fc.call_id ?? (fcRecord.id as string | undefined) + const name = + fc.name ?? + ((fcRecord.function as Record | undefined)?.name as string | undefined) if (!callId || !name) { continue } const argumentsValue = - typeof item.arguments === 'string' ? item.arguments : JSON.stringify(item.arguments ?? {}) + typeof fc.arguments === 'string' ? fc.arguments : JSON.stringify(fc.arguments ?? {}) items.push({ type: 'function_call', @@ -262,7 +279,9 @@ export function convertResponseOutputToInputItems(output: unknown): ResponsesInp /** * Extracts tool calls from Responses API output items. */ -export function extractResponseToolCalls(output: unknown): ResponsesToolCall[] { +export function extractResponseToolCalls( + output: OpenAI.Responses.ResponseOutputItem[] +): ResponsesToolCall[] { if (!Array.isArray(output)) { return [] } @@ -275,14 +294,18 @@ export function extractResponseToolCalls(output: unknown): ResponsesToolCall[] { } if (item.type === 'function_call') { - const callId = item.call_id ?? item.id - const name = item.name ?? item.function?.name + const fc = item as OpenAI.Responses.ResponseFunctionToolCall + const fcRecord = item as unknown as Record + const callId = fc.call_id ?? (fcRecord.id as string | undefined) + const name = + fc.name ?? + ((fcRecord.function as Record | undefined)?.name as string | undefined) if (!callId || !name) { continue } const argumentsValue = - typeof item.arguments === 'string' ? item.arguments : JSON.stringify(item.arguments ?? {}) + typeof fc.arguments === 'string' ? fc.arguments : JSON.stringify(fc.arguments ?? {}) toolCalls.push({ id: callId, 
@@ -292,18 +315,20 @@ export function extractResponseToolCalls(output: unknown): ResponsesToolCall[] { continue } - if (item.type === 'message' && Array.isArray(item.tool_calls)) { - for (const toolCall of item.tool_calls) { - const callId = toolCall?.id - const name = toolCall?.function?.name ?? toolCall?.name + // Handle Chat Completions-style tool_calls nested under message items + const msgRecord = item as unknown as Record + if (item.type === 'message' && Array.isArray(msgRecord.tool_calls)) { + for (const toolCall of msgRecord.tool_calls) { + const tc = toolCall as Record + const fn = tc.function as Record | undefined + const callId = tc.id as string | undefined + const name = (fn?.name ?? tc.name) as string | undefined if (!callId || !name) { continue } const argumentsValue = - typeof toolCall?.function?.arguments === 'string' - ? toolCall.function.arguments - : JSON.stringify(toolCall?.function?.arguments ?? {}) + typeof fn?.arguments === 'string' ? fn.arguments : JSON.stringify(fn?.arguments ?? {}) toolCalls.push({ id: callId, 
@@ -323,15 +348,17 @@ export function extractResponseToolCalls(output: unknown): ResponsesToolCall[] { * Note: output_tokens is expected to include reasoning tokens; fall back to reasoning_tokens * when output_tokens is missing or zero. */ -export function parseResponsesUsage(usage: any): ResponsesUsageTokens | undefined { - if (!usage || typeof usage !== 'object') { +export function parseResponsesUsage( + usage: OpenAI.Responses.ResponseUsage | undefined +): ResponsesUsageTokens | undefined { + if (!usage) { return undefined } - const inputTokens = Number(usage.input_tokens ?? 0) - const outputTokens = Number(usage.output_tokens ?? 0) - const cachedTokens = Number(usage.input_tokens_details?.cached_tokens ?? 0) - const reasoningTokens = Number(usage.output_tokens_details?.reasoning_tokens ?? 0) + const inputTokens = usage.input_tokens ?? 0 + const outputTokens = usage.output_tokens ?? 0 + const cachedTokens = usage.input_tokens_details?.cached_tokens ?? 0 + const reasoningTokens = usage.output_tokens_details?.reasoning_tokens ?? 0 const completionTokens = Math.max(outputTokens, reasoningTokens) const totalTokens = inputTokens + completionTokens @@ -398,7 +425,7 @@ export function createReadableStreamFromResponses( continue } - let event: any + let event: Record try { event = JSON.parse(data) } catch (error) { @@ -416,7 +443,8 @@ export function createReadableStreamFromResponses( eventType === 'error' || eventType === 'response.failed' ) { - const message = event?.error?.message || 'Responses API stream error' + const errorObj = event.error as Record | undefined + const message = (errorObj?.message as string) || 'Responses API stream error' controller.error(new Error(message)) return } 
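Review bot: `parseResponsesUsage` no longer coerces the counters with `Number(...)` or rejects non-object input, yet in `createReadableStreamFromResponses` its argument is only a cast of `JSON.parse(data)` output. A provider or proxy that sends a count as a string would make `inputTokens + completionTokens` concatenate instead of add, and that total presumably feeds cost accounting. Restoring the coercion keeps the new signature and the old safety: `const inputTokens = Number(usage.input_tokens ?? 0)`, likewise for the other three counters, ideally with a `Number.isFinite` check before the values are used.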
@@ -426,12 +454,13 @@ export function createReadableStreamFromResponses( eventType === 'response.output_json.delta' ) { let deltaText = '' - if (typeof event.delta === 'string') { - deltaText = event.delta - } else if (event.delta && typeof event.delta.text === 'string') { - deltaText = event.delta.text - } else if (event.delta && event.delta.json !== undefined) { - deltaText = JSON.stringify(event.delta.json) + const delta = event.delta as string | Record | undefined + if (typeof delta === 'string') { + deltaText = delta + } else if (delta && typeof delta.text === 'string') { + deltaText = delta.text + } else if (delta && delta.json !== undefined) { + deltaText = JSON.stringify(delta.json) } else if (event.json !== undefined) { deltaText = JSON.stringify(event.json) } else if (typeof event.text === 'string') { @@ -445,7 +474,11 @@ export function createReadableStreamFromResponses( } if (eventType === 'response.completed') { - finalUsage = parseResponsesUsage(event?.response?.usage ?? event?.usage) + const responseObj = event.response as Record | undefined + const usageData = (responseObj?.usage ?? event.usage) as + | OpenAI.Responses.ResponseUsage + | undefined + finalUsage = parseResponsesUsage(usageData) } } } diff --git a/apps/sim/providers/openrouter/index.ts b/apps/sim/providers/openrouter/index.ts index 57246c437..0444fc35e 100644 --- a/apps/sim/providers/openrouter/index.ts +++ b/apps/sim/providers/openrouter/index.ts 
@@ -431,19 +431,13 @@ export const openRouterProvider: ProviderConfig = { const accumulatedCost = calculateCost(requestedModel, tokens.input, tokens.output) const streamingParams: ChatCompletionCreateParamsStreaming & { provider?: any } = { - model: payload.model, + ...payload, messages: [...currentMessages], + tool_choice: 'auto', stream: true, stream_options: { include_usage: true }, } - if (payload.temperature !== undefined) { - streamingParams.temperature = payload.temperature - } - if (payload.max_tokens !== undefined) { - streamingParams.max_tokens = payload.max_tokens - } - if (request.responseFormat) { ;(streamingParams as any).messages = await applyResponseFormat( streamingParams as any, diff --git a/apps/sim/providers/utils.test.ts b/apps/sim/providers/utils.test.ts index 68575b875..e8fa79917 100644 --- a/apps/sim/providers/utils.test.ts +++ b/apps/sim/providers/utils.test.ts @@ -12,16 +12,22 @@ import { getApiKey, getBaseModelProviders, getHostedModels, + getMaxOutputTokensForModel, getMaxTemperature, + getModelPricing, getProvider, getProviderConfigFromModel, getProviderFromModel, getProviderModels, + getReasoningEffortValuesForModel, + getThinkingLevelsForModel, + getVerbosityValuesForModel, isProviderBlacklisted, MODELS_TEMP_RANGE_0_1, MODELS_TEMP_RANGE_0_2, MODELS_WITH_REASONING_EFFORT, MODELS_WITH_TEMPERATURE_SUPPORT, + MODELS_WITH_THINKING, MODELS_WITH_VERBOSITY, PROVIDERS_WITH_TOOL_USAGE_CONTROL, prepareToolExecution, @@ -169,6 +175,8 @@ describe('Model Capabilities', () => { 'gpt-4.1', 'gpt-4.1-mini', 'gpt-4.1-nano', + 'gpt-5-chat-latest', + 'azure/gpt-5-chat-latest', 'gemini-2.5-flash', 'claude-sonnet-4-0', 'claude-opus-4-0', 
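Review bot: Spreading `...payload` into the final `streamingParams` forwards every field of the original request, including any `tools` it holds, where the removed code copied only `model`, `temperature` and `max_tokens`. Combined with `tool_choice: 'auto'`, the model may answer this last streamed call with another tool call, and whether the stream reader executes or drops it is not visible in this hunk. If the final call is meant to produce text only, `tool_choice: 'none'` would state that. Otherwise a comment such as `// tool calls in the final stream are handled by <reader>` would document the intent.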
@@ -186,34 +194,27 @@ describe('Model Capabilities', () => { it.concurrent('should return false for models that do not support temperature', () => { const unsupportedModels = [ 'unsupported-model', - 'cerebras/llama-3.3-70b', // Cerebras models don't have temperature defined - 'groq/meta-llama/llama-4-scout-17b-16e-instruct', // Groq models don't have temperature defined - // Reasoning models that don't support temperature + 'cerebras/llama-3.3-70b', + 'groq/meta-llama/llama-4-scout-17b-16e-instruct', 'o1', 'o3', 'o4-mini', 'azure/o3', 'azure/o4-mini', 'deepseek-r1', - // Chat models that don't support temperature 'deepseek-chat', - 'azure/gpt-4.1', 'azure/model-router', - // GPT-5.1 models don't support temperature (removed in our implementation) 'gpt-5.1', 'azure/gpt-5.1', 'azure/gpt-5.1-mini', 'azure/gpt-5.1-nano', 'azure/gpt-5.1-codex', - // GPT-5 models don't support temperature (removed in our implementation) 'gpt-5', 'gpt-5-mini', 'gpt-5-nano', - 'gpt-5-chat-latest', 'azure/gpt-5', 'azure/gpt-5-mini', 'azure/gpt-5-nano', - 'azure/gpt-5-chat-latest', ] for (const model of unsupportedModels) { @@ -240,6 +241,8 @@ describe('Model Capabilities', () => { const modelsRange02 = [ 'gpt-4o', 'azure/gpt-4o', + 'gpt-5-chat-latest', + 'azure/gpt-5-chat-latest', 'gemini-2.5-pro', 'gemini-2.5-flash', 'deepseek-v3', 
@@ -268,28 +271,23 @@ describe('Model Capabilities', () => { expect(getMaxTemperature('unsupported-model')).toBeUndefined() expect(getMaxTemperature('cerebras/llama-3.3-70b')).toBeUndefined() expect(getMaxTemperature('groq/meta-llama/llama-4-scout-17b-16e-instruct')).toBeUndefined() - // Reasoning models that don't support temperature expect(getMaxTemperature('o1')).toBeUndefined() expect(getMaxTemperature('o3')).toBeUndefined() expect(getMaxTemperature('o4-mini')).toBeUndefined() expect(getMaxTemperature('azure/o3')).toBeUndefined() expect(getMaxTemperature('azure/o4-mini')).toBeUndefined() expect(getMaxTemperature('deepseek-r1')).toBeUndefined() - // GPT-5.1 models don't support temperature expect(getMaxTemperature('gpt-5.1')).toBeUndefined() expect(getMaxTemperature('azure/gpt-5.1')).toBeUndefined() expect(getMaxTemperature('azure/gpt-5.1-mini')).toBeUndefined() expect(getMaxTemperature('azure/gpt-5.1-nano')).toBeUndefined() expect(getMaxTemperature('azure/gpt-5.1-codex')).toBeUndefined() - // GPT-5 models don't support temperature expect(getMaxTemperature('gpt-5')).toBeUndefined() expect(getMaxTemperature('gpt-5-mini')).toBeUndefined() expect(getMaxTemperature('gpt-5-nano')).toBeUndefined() - expect(getMaxTemperature('gpt-5-chat-latest')).toBeUndefined() expect(getMaxTemperature('azure/gpt-5')).toBeUndefined() expect(getMaxTemperature('azure/gpt-5-mini')).toBeUndefined() expect(getMaxTemperature('azure/gpt-5-nano')).toBeUndefined() - expect(getMaxTemperature('azure/gpt-5-chat-latest')).toBeUndefined() }) it.concurrent('should be case insensitive', () => { 
@@ -340,13 +338,13 @@ describe('Model Capabilities', () => { expect(MODELS_TEMP_RANGE_0_2).toContain('gpt-4o') expect(MODELS_TEMP_RANGE_0_2).toContain('gemini-2.5-flash') expect(MODELS_TEMP_RANGE_0_2).toContain('deepseek-v3') - expect(MODELS_TEMP_RANGE_0_2).not.toContain('claude-sonnet-4-0') // Should be in 0-1 range + expect(MODELS_TEMP_RANGE_0_2).not.toContain('claude-sonnet-4-0') }) it.concurrent('should have correct models in MODELS_TEMP_RANGE_0_1', () => { expect(MODELS_TEMP_RANGE_0_1).toContain('claude-sonnet-4-0') expect(MODELS_TEMP_RANGE_0_1).toContain('grok-3-latest') - expect(MODELS_TEMP_RANGE_0_1).not.toContain('gpt-4o') // Should be in 0-2 range + expect(MODELS_TEMP_RANGE_0_1).not.toContain('gpt-4o') }) it.concurrent('should have correct providers in PROVIDERS_WITH_TOOL_USAGE_CONTROL', () => { 
@@ -363,20 +361,19 @@ describe('Model Capabilities', () => { expect(MODELS_WITH_TEMPERATURE_SUPPORT.length).toBe( MODELS_TEMP_RANGE_0_2.length + MODELS_TEMP_RANGE_0_1.length ) - expect(MODELS_WITH_TEMPERATURE_SUPPORT).toContain('gpt-4o') // From 0-2 range - expect(MODELS_WITH_TEMPERATURE_SUPPORT).toContain('claude-sonnet-4-0') // From 0-1 range + expect(MODELS_WITH_TEMPERATURE_SUPPORT).toContain('gpt-4o') + expect(MODELS_WITH_TEMPERATURE_SUPPORT).toContain('claude-sonnet-4-0') } ) it.concurrent('should have correct models in MODELS_WITH_REASONING_EFFORT', () => { - // Should contain GPT-5.1 models that support reasoning effort expect(MODELS_WITH_REASONING_EFFORT).toContain('gpt-5.1') expect(MODELS_WITH_REASONING_EFFORT).toContain('azure/gpt-5.1') - expect(MODELS_WITH_REASONING_EFFORT).toContain('azure/gpt-5.1-mini') - expect(MODELS_WITH_REASONING_EFFORT).toContain('azure/gpt-5.1-nano') expect(MODELS_WITH_REASONING_EFFORT).toContain('azure/gpt-5.1-codex') - // Should contain GPT-5 models that support reasoning effort + expect(MODELS_WITH_REASONING_EFFORT).not.toContain('azure/gpt-5.1-mini') + expect(MODELS_WITH_REASONING_EFFORT).not.toContain('azure/gpt-5.1-nano') + expect(MODELS_WITH_REASONING_EFFORT).toContain('gpt-5') expect(MODELS_WITH_REASONING_EFFORT).toContain('gpt-5-mini') expect(MODELS_WITH_REASONING_EFFORT).toContain('gpt-5-nano') 
@@ -384,35 +381,30 @@ describe('Model Capabilities', () => { expect(MODELS_WITH_REASONING_EFFORT).toContain('azure/gpt-5-mini') expect(MODELS_WITH_REASONING_EFFORT).toContain('azure/gpt-5-nano') - // Should contain gpt-5.2 models expect(MODELS_WITH_REASONING_EFFORT).toContain('gpt-5.2') expect(MODELS_WITH_REASONING_EFFORT).toContain('azure/gpt-5.2') - // Should contain o-series reasoning models (reasoning_effort added Dec 17, 2024) expect(MODELS_WITH_REASONING_EFFORT).toContain('o1') expect(MODELS_WITH_REASONING_EFFORT).toContain('o3') expect(MODELS_WITH_REASONING_EFFORT).toContain('o4-mini') expect(MODELS_WITH_REASONING_EFFORT).toContain('azure/o3') expect(MODELS_WITH_REASONING_EFFORT).toContain('azure/o4-mini') - // Should NOT contain non-reasoning GPT-5 models expect(MODELS_WITH_REASONING_EFFORT).not.toContain('gpt-5-chat-latest') expect(MODELS_WITH_REASONING_EFFORT).not.toContain('azure/gpt-5-chat-latest') - // Should NOT contain other models expect(MODELS_WITH_REASONING_EFFORT).not.toContain('gpt-4o') expect(MODELS_WITH_REASONING_EFFORT).not.toContain('claude-sonnet-4-0') }) it.concurrent('should have correct models in MODELS_WITH_VERBOSITY', () => { - // Should contain GPT-5.1 models that support verbosity expect(MODELS_WITH_VERBOSITY).toContain('gpt-5.1') expect(MODELS_WITH_VERBOSITY).toContain('azure/gpt-5.1') - expect(MODELS_WITH_VERBOSITY).toContain('azure/gpt-5.1-mini') - expect(MODELS_WITH_VERBOSITY).toContain('azure/gpt-5.1-nano') expect(MODELS_WITH_VERBOSITY).toContain('azure/gpt-5.1-codex') - // Should contain GPT-5 models that support verbosity + expect(MODELS_WITH_VERBOSITY).not.toContain('azure/gpt-5.1-mini') + expect(MODELS_WITH_VERBOSITY).not.toContain('azure/gpt-5.1-nano') + expect(MODELS_WITH_VERBOSITY).toContain('gpt-5') expect(MODELS_WITH_VERBOSITY).toContain('gpt-5-mini') expect(MODELS_WITH_VERBOSITY).toContain('gpt-5-nano') 
@@ -420,26 +412,39 @@ describe('Model Capabilities', () => { expect(MODELS_WITH_VERBOSITY).toContain('azure/gpt-5-mini') expect(MODELS_WITH_VERBOSITY).toContain('azure/gpt-5-nano') - // Should contain gpt-5.2 models expect(MODELS_WITH_VERBOSITY).toContain('gpt-5.2') expect(MODELS_WITH_VERBOSITY).toContain('azure/gpt-5.2') - // Should NOT contain non-reasoning GPT-5 models expect(MODELS_WITH_VERBOSITY).not.toContain('gpt-5-chat-latest') expect(MODELS_WITH_VERBOSITY).not.toContain('azure/gpt-5-chat-latest') - // Should NOT contain o-series models (they support reasoning_effort but not verbosity) expect(MODELS_WITH_VERBOSITY).not.toContain('o1') expect(MODELS_WITH_VERBOSITY).not.toContain('o3') expect(MODELS_WITH_VERBOSITY).not.toContain('o4-mini') - // Should NOT contain other models expect(MODELS_WITH_VERBOSITY).not.toContain('gpt-4o') expect(MODELS_WITH_VERBOSITY).not.toContain('claude-sonnet-4-0') }) + it.concurrent('should have correct models in MODELS_WITH_THINKING', () => { + expect(MODELS_WITH_THINKING).toContain('claude-opus-4-6') + expect(MODELS_WITH_THINKING).toContain('claude-opus-4-5') + expect(MODELS_WITH_THINKING).toContain('claude-opus-4-1') + expect(MODELS_WITH_THINKING).toContain('claude-opus-4-0') + expect(MODELS_WITH_THINKING).toContain('claude-sonnet-4-5') + expect(MODELS_WITH_THINKING).toContain('claude-sonnet-4-0') + + expect(MODELS_WITH_THINKING).toContain('gemini-3-pro-preview') + expect(MODELS_WITH_THINKING).toContain('gemini-3-flash-preview') + + expect(MODELS_WITH_THINKING).toContain('claude-haiku-4-5') + + expect(MODELS_WITH_THINKING).not.toContain('gpt-4o') + expect(MODELS_WITH_THINKING).not.toContain('gpt-5') + expect(MODELS_WITH_THINKING).not.toContain('o3') + }) + it.concurrent('should have GPT-5 models in both reasoning effort and verbosity arrays', () => { - // GPT-5 series models support both reasoning effort and verbosity const gpt5ModelsWithReasoningEffort = MODELS_WITH_REASONING_EFFORT.filter( (m) => m.includes('gpt-5') && 
!m.includes('chat-latest') ) 
@@ -448,11 +453,201 @@ describe('Model Capabilities', () => { ) expect(gpt5ModelsWithReasoningEffort.sort()).toEqual(gpt5ModelsWithVerbosity.sort()) - // o-series models have reasoning effort but NOT verbosity expect(MODELS_WITH_REASONING_EFFORT).toContain('o1') expect(MODELS_WITH_VERBOSITY).not.toContain('o1') }) }) + describe('Reasoning Effort Values Per Model', () => { + it.concurrent('should return correct values for GPT-5.2', () => { + const values = getReasoningEffortValuesForModel('gpt-5.2') + expect(values).toBeDefined() + expect(values).toContain('none') + expect(values).toContain('low') + expect(values).toContain('medium') + expect(values).toContain('high') + expect(values).toContain('xhigh') + expect(values).not.toContain('minimal') + }) + + it.concurrent('should return correct values for GPT-5', () => { + const values = getReasoningEffortValuesForModel('gpt-5') + expect(values).toBeDefined() + expect(values).toContain('minimal') + expect(values).toContain('low') + expect(values).toContain('medium') + expect(values).toContain('high') + }) + + it.concurrent('should return correct values for o-series models', () => { + for (const model of ['o1', 'o3', 'o4-mini']) { + const values = getReasoningEffortValuesForModel(model) + expect(values).toBeDefined() + expect(values).toContain('low') + expect(values).toContain('medium') + expect(values).toContain('high') + expect(values).not.toContain('none') + expect(values).not.toContain('minimal') + } + }) + + it.concurrent('should return null for non-reasoning models', () => { + expect(getReasoningEffortValuesForModel('gpt-4o')).toBeNull() + expect(getReasoningEffortValuesForModel('claude-sonnet-4-5')).toBeNull() + expect(getReasoningEffortValuesForModel('gemini-2.5-flash')).toBeNull() + }) + + it.concurrent('should return correct values for Azure GPT-5.2', () => { + const values = getReasoningEffortValuesForModel('azure/gpt-5.2') + expect(values).toBeDefined() + expect(values).not.toContain('minimal') + 
expect(values).toContain('xhigh') + }) + }) + + describe('Verbosity Values Per Model', () => { + it.concurrent('should return correct values for GPT-5 family', () => { + for (const model of ['gpt-5.2', 'gpt-5.1', 'gpt-5', 'gpt-5-mini', 'gpt-5-nano']) { + const values = getVerbosityValuesForModel(model) + expect(values).toBeDefined() + expect(values).toContain('low') + expect(values).toContain('medium') + expect(values).toContain('high') + } + }) + + it.concurrent('should return null for o-series models', () => { + expect(getVerbosityValuesForModel('o1')).toBeNull() + expect(getVerbosityValuesForModel('o3')).toBeNull() + expect(getVerbosityValuesForModel('o4-mini')).toBeNull() + }) + + it.concurrent('should return null for non-reasoning models', () => { + expect(getVerbosityValuesForModel('gpt-4o')).toBeNull() + expect(getVerbosityValuesForModel('claude-sonnet-4-5')).toBeNull() + }) + }) + + describe('Thinking Levels Per Model', () => { + it.concurrent('should return correct levels for Claude Opus 4.6 (adaptive)', () => { + const levels = getThinkingLevelsForModel('claude-opus-4-6') + expect(levels).toBeDefined() + expect(levels).toContain('low') + expect(levels).toContain('medium') + expect(levels).toContain('high') + expect(levels).toContain('max') + }) + + it.concurrent('should return correct levels for other Claude models (budget_tokens)', () => { + for (const model of ['claude-opus-4-5', 'claude-sonnet-4-5', 'claude-sonnet-4-0']) { + const levels = getThinkingLevelsForModel(model) + expect(levels).toBeDefined() + expect(levels).toContain('low') + expect(levels).toContain('medium') + expect(levels).toContain('high') + expect(levels).not.toContain('max') + } + }) + + it.concurrent('should return correct levels for Gemini 3 models', () => { + const proLevels = getThinkingLevelsForModel('gemini-3-pro-preview') + expect(proLevels).toBeDefined() + expect(proLevels).toContain('low') + expect(proLevels).toContain('high') + + const flashLevels = 
getThinkingLevelsForModel('gemini-3-flash-preview') + expect(flashLevels).toBeDefined() + expect(flashLevels).toContain('minimal') + expect(flashLevels).toContain('low') + expect(flashLevels).toContain('medium') + expect(flashLevels).toContain('high') + }) + + it.concurrent('should return correct levels for Claude Haiku 4.5', () => { + const levels = getThinkingLevelsForModel('claude-haiku-4-5') + expect(levels).toBeDefined() + expect(levels).toContain('low') + expect(levels).toContain('medium') + expect(levels).toContain('high') + }) + + it.concurrent('should return null for non-thinking models', () => { + expect(getThinkingLevelsForModel('gpt-4o')).toBeNull() + expect(getThinkingLevelsForModel('gpt-5')).toBeNull() + expect(getThinkingLevelsForModel('o3')).toBeNull() + }) + }) +}) + +describe('Max Output Tokens', () => { + describe('getMaxOutputTokensForModel', () => { + it.concurrent('should return correct max for Claude Opus 4.6', () => { + expect(getMaxOutputTokensForModel('claude-opus-4-6')).toBe(128000) + }) + + it.concurrent('should return correct max for Claude Sonnet 4.5', () => { + expect(getMaxOutputTokensForModel('claude-sonnet-4-5')).toBe(64000) + }) + + it.concurrent('should return correct max for Claude Opus 4.1', () => { + expect(getMaxOutputTokensForModel('claude-opus-4-1')).toBe(64000) + }) + + it.concurrent('should return standard default for models without maxOutputTokens', () => { + expect(getMaxOutputTokensForModel('gpt-4o')).toBe(4096) + }) + + it.concurrent('should return standard default for unknown models', () => { + expect(getMaxOutputTokensForModel('unknown-model')).toBe(4096) + }) + }) +}) + +describe('Model Pricing Validation', () => { + it.concurrent('should have correct pricing for key Anthropic models', () => { + const opus46 = getModelPricing('claude-opus-4-6') + expect(opus46).toBeDefined() + expect(opus46.input).toBe(5.0) + expect(opus46.output).toBe(25.0) + + const sonnet45 = getModelPricing('claude-sonnet-4-5') + 
expect(sonnet45).toBeDefined() + expect(sonnet45.input).toBe(3.0) + expect(sonnet45.output).toBe(15.0) + }) + + it.concurrent('should have correct pricing for key OpenAI models', () => { + const gpt4o = getModelPricing('gpt-4o') + expect(gpt4o).toBeDefined() + expect(gpt4o.input).toBe(2.5) + expect(gpt4o.output).toBe(10.0) + + const o3 = getModelPricing('o3') + expect(o3).toBeDefined() + expect(o3.input).toBe(2.0) + expect(o3.output).toBe(8.0) + }) + + it.concurrent('should have correct pricing for Azure OpenAI o3', () => { + const azureO3 = getModelPricing('azure/o3') + expect(azureO3).toBeDefined() + expect(azureO3.input).toBe(2.0) + expect(azureO3.output).toBe(8.0) + }) + + it.concurrent('should return null for unknown models', () => { + expect(getModelPricing('unknown-model')).toBeNull() + }) +}) + +describe('Context Window Validation', () => { + it.concurrent('should have correct context windows for key models', () => { + const allModels = getAllModels() + + expect(allModels).toContain('gpt-5-chat-latest') + + expect(allModels).toContain('o3') + expect(allModels).toContain('o4-mini') + }) }) describe('Cost Calculation', () => { @@ -464,7 +659,7 @@ describe('Cost Calculation', () => { expect(result.output).toBeGreaterThan(0) expect(result.total).toBeCloseTo(result.input + result.output, 6) expect(result.pricing).toBeDefined() - expect(result.pricing.input).toBe(2.5) // GPT-4o pricing + expect(result.pricing.input).toBe(2.5) }) it.concurrent('should handle cached input pricing when enabled', () => { @@ -472,7 +667,7 @@ describe('Cost Calculation', () => { const cachedCost = calculateCost('gpt-4o', 1000, 500, true) expect(cachedCost.input).toBeLessThan(regularCost.input) - expect(cachedCost.output).toBe(regularCost.output) // Output cost should be same + expect(cachedCost.output).toBe(regularCost.output) }) it.concurrent('should return default pricing for unknown models', () => { 
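Review bot: `expect(x).toBeDefined()` is not a real guard in these new blocks, because the helpers report "no data" as `null` (see the `toBeNull()` cases for `getReasoningEffortValuesForModel`, `getVerbosityValuesForModel`, `getThinkingLevelsForModel` and `getModelPricing`) and `toBeDefined()` passes for `null`. Use `expect(values).not.toBeNull()` so a missing model entry fails on the guard instead of on the line after it. The `Context Window Validation` test only checks that model ids appear in `getAllModels()` and asserts no context-window value; either assert one or rename the case, e.g. `'should list key models'`.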
@@ -481,7 +676,7 @@ describe('Cost Calculation', () => { expect(result.input).toBe(0) expect(result.output).toBe(0) expect(result.total).toBe(0) - expect(result.pricing.input).toBe(1.0) // Default pricing + expect(result.pricing.input).toBe(1.0) }) it.concurrent('should handle zero tokens', () => { @@ -528,19 +723,15 @@ describe('getHostedModels', () => { it.concurrent('should return OpenAI, Anthropic, and Google models as hosted', () => { const hostedModels = getHostedModels() - // OpenAI models expect(hostedModels).toContain('gpt-4o') expect(hostedModels).toContain('o1') - // Anthropic models expect(hostedModels).toContain('claude-sonnet-4-0') expect(hostedModels).toContain('claude-opus-4-0') - // Google models expect(hostedModels).toContain('gemini-2.5-pro') expect(hostedModels).toContain('gemini-2.5-flash') - // Should not contain models from other providers expect(hostedModels).not.toContain('deepseek-v3') expect(hostedModels).not.toContain('grok-4-latest') }) 
@@ -558,31 +749,24 @@ describe('getHostedModels', () => { describe('shouldBillModelUsage', () => { it.concurrent('should return true for exact matches of hosted models', () => { - // OpenAI models expect(shouldBillModelUsage('gpt-4o')).toBe(true) expect(shouldBillModelUsage('o1')).toBe(true) - // Anthropic models expect(shouldBillModelUsage('claude-sonnet-4-0')).toBe(true) expect(shouldBillModelUsage('claude-opus-4-0')).toBe(true) - // Google models expect(shouldBillModelUsage('gemini-2.5-pro')).toBe(true) expect(shouldBillModelUsage('gemini-2.5-flash')).toBe(true) }) it.concurrent('should return false for non-hosted models', () => { - // Other providers expect(shouldBillModelUsage('deepseek-v3')).toBe(false) expect(shouldBillModelUsage('grok-4-latest')).toBe(false) - // Unknown models expect(shouldBillModelUsage('unknown-model')).toBe(false) }) it.concurrent('should return false for versioned model names not in hosted list', () => { - // Versioned model names that are NOT in the hosted list - // These should NOT be billed (user provides own API key) expect(shouldBillModelUsage('claude-sonnet-4-20250514')).toBe(false) expect(shouldBillModelUsage('gpt-4o-2024-08-06')).toBe(false) expect(shouldBillModelUsage('claude-3-5-sonnet-20241022')).toBe(false) @@ -595,8 +779,7 @@ describe('shouldBillModelUsage', () => { }) it.concurrent('should not match partial model names', () => { - // Should not match partial/prefix models - expect(shouldBillModelUsage('gpt-4')).toBe(false) // gpt-4o is hosted, not gpt-4 + expect(shouldBillModelUsage('gpt-4')).toBe(false) expect(shouldBillModelUsage('claude-sonnet')).toBe(false) expect(shouldBillModelUsage('gemini')).toBe(false) }) 
@@ -612,8 +795,8 @@ describe('Provider Management', () => { }) it.concurrent('should use model patterns for pattern matching', () => { - expect(getProviderFromModel('gpt-5-custom')).toBe('openai') // Matches /^gpt/ pattern - expect(getProviderFromModel('claude-custom-model')).toBe('anthropic') // Matches /^claude/ pattern + expect(getProviderFromModel('gpt-5-custom')).toBe('openai') + expect(getProviderFromModel('claude-custom-model')).toBe('anthropic') }) it.concurrent('should default to ollama for unknown models', () => { @@ -667,7 +850,6 @@ describe('Provider Management', () => { expect(Array.isArray(allModels)).toBe(true) expect(allModels.length).toBeGreaterThan(0) - // Should contain models from different providers expect(allModels).toContain('gpt-4o') expect(allModels).toContain('claude-sonnet-4-0') expect(allModels).toContain('gemini-2.5-pro') @@ -712,7 +894,6 @@ describe('Provider Management', () => { const baseProviders = getBaseModelProviders() expect(typeof baseProviders).toBe('object') - // Should exclude ollama models }) }) @@ -720,10 +901,8 @@ describe('Provider Management', () => { it.concurrent('should update ollama models', () => { const mockModels = ['llama2', 'codellama', 'mistral'] - // This should not throw expect(() => updateOllamaProviderModels(mockModels)).not.toThrow() - // Verify the models were updated const ollamaModels = getProviderModels('ollama') expect(ollamaModels).toEqual(mockModels) }) @@ -754,7 +933,7 @@ describe('JSON and Structured Output', () => { }) it.concurrent('should clean up common JSON issues', () => { - const content = '{\n "key": "value",\n "number": 42,\n}' // Trailing comma + const content = '{\n "key": "value",\n "number": 42,\n}' const result = extractAndParseJSON(content) expect(result).toEqual({ key: 'value', number: 42 }) }) 
@@ -945,13 +1124,13 @@ describe('prepareToolExecution', () => { const { toolParams } = prepareToolExecution(tool, llmArgs, request) expect(toolParams.apiKey).toBe('user-key') - expect(toolParams.channel).toBe('#general') // User value wins + expect(toolParams.channel).toBe('#general') expect(toolParams.message).toBe('Hello world') }) it.concurrent('should filter out empty string user params', () => { const tool = { - params: { apiKey: 'user-key', channel: '' }, // Empty channel + params: { apiKey: 'user-key', channel: '' }, } const llmArgs = { message: 'Hello', channel: '#llm-channel' } const request = {} @@ -959,7 +1138,7 @@ describe('prepareToolExecution', () => { const { toolParams } = prepareToolExecution(tool, llmArgs, request) expect(toolParams.apiKey).toBe('user-key') - expect(toolParams.channel).toBe('#llm-channel') // LLM value used since user is empty + expect(toolParams.channel).toBe('#llm-channel') expect(toolParams.message).toBe('Hello') }) }) @@ -969,7 +1148,7 @@ describe('prepareToolExecution', () => { const tool = { params: { workflowId: 'child-workflow-123', - inputMapping: '{}', // Empty JSON string from UI + inputMapping: '{}', }, } const llmArgs = { @@ -979,7 +1158,6 @@ describe('prepareToolExecution', () => { const { toolParams } = prepareToolExecution(tool, llmArgs, request) - // LLM values should be used since user object is empty expect(toolParams.inputMapping).toEqual({ query: 'search term', limit: 10 }) expect(toolParams.workflowId).toBe('child-workflow-123') }) @@ -988,7 +1166,7 @@ describe('prepareToolExecution', () => { const tool = { params: { workflowId: 'child-workflow', - inputMapping: '{"query": "", "customField": "user-value"}', // Partial values + inputMapping: '{"query": "", "customField": "user-value"}', }, } const llmArgs = { 
@@ -998,7 +1176,6 @@ describe('prepareToolExecution', () => { const { toolParams } = prepareToolExecution(tool, llmArgs, request) - // LLM fills empty query, user's customField preserved, LLM's limit included expect(toolParams.inputMapping).toEqual({ query: 'llm-search', limit: 10, @@ -1020,7 +1197,6 @@ describe('prepareToolExecution', () => { const { toolParams } = prepareToolExecution(tool, llmArgs, request) - // User values win, but LLM's extra field is included expect(toolParams.inputMapping).toEqual({ query: 'user-search', limit: 5, @@ -1032,7 +1208,7 @@ describe('prepareToolExecution', () => { const tool = { params: { workflowId: 'child-workflow', - inputMapping: { query: '', customField: 'user-value' }, // Object, not string + inputMapping: { query: '', customField: 'user-value' }, }, } const llmArgs = { @@ -1051,7 +1227,7 @@ describe('prepareToolExecution', () => { it.concurrent('should use LLM inputMapping when user does not provide it', () => { const tool = { - params: { workflowId: 'child-workflow' }, // No inputMapping + params: { workflowId: 'child-workflow' }, } const llmArgs = { inputMapping: { query: 'llm-search', limit: 10 }, @@ -1070,7 +1246,7 @@ describe('prepareToolExecution', () => { inputMapping: '{"query": "user-search"}', }, } - const llmArgs = {} // No inputMapping from LLM + const llmArgs = {} const request = {} const { toolParams } = prepareToolExecution(tool, llmArgs, request) @@ -1092,7 +1268,6 @@ describe('prepareToolExecution', () => { const { toolParams } = prepareToolExecution(tool, llmArgs, request) - // Should use LLM values since user JSON is invalid expect(toolParams.inputMapping).toEqual({ query: 'llm-search' }) }) 
@@ -1105,9 +1280,8 @@ describe('prepareToolExecution', () => { const { toolParams } = prepareToolExecution(tool, llmArgs, request) - // Normal behavior: user values override LLM values expect(toolParams.apiKey).toBe('user-key') - expect(toolParams.channel).toBe('#general') // User value wins + expect(toolParams.channel).toBe('#general') expect(toolParams.message).toBe('Hello') }) @@ -1125,8 +1299,6 @@ describe('prepareToolExecution', () => { const { toolParams } = prepareToolExecution(tool, llmArgs, request) - // 0 and false should be preserved (they're valid values) - // empty string should be filled by LLM expect(toolParams.inputMapping).toEqual({ limit: 0, enabled: false, diff --git a/apps/sim/providers/utils.ts b/apps/sim/providers/utils.ts index 50bcec5c6..5b6481cbe 100644 --- a/apps/sim/providers/utils.ts +++ b/apps/sim/providers/utils.ts @@ -1,4 +1,5 @@ import { createLogger, type Logger } from '@sim/logger' +import type OpenAI from 'openai' import type { ChatCompletionChunk } from 'openai/resources/chat/completions' import type { CompletionUsage } from 'openai/resources/completions' import { env } from '@/lib/core/config/env' @@ -995,15 +996,12 @@ export function getThinkingLevelsForModel(model: string): string[] | null { } /** - * Get max output tokens for a specific model - * Returns the model's maxOutputTokens capability for streaming requests, - * or a conservative default (8192) for non-streaming requests to avoid timeout issues. + * Get max output tokens for a specific model. * * @param model - The model ID - * @param streaming - Whether the request is streaming (default: false) */ -export function getMaxOutputTokensForModel(model: string, streaming = false): number { - return getMaxOutputTokensForModelFromDefinitions(model, streaming) +export function getMaxOutputTokensForModel(model: string): number { + return getMaxOutputTokensForModelFromDefinitions(model) } /** 
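Review bot: The shortened docstring on `getMaxOutputTokensForModel` no longer says what is returned when a model defines no limit, although the tests added in this commit expect a fallback (`4096` for `gpt-4o` and for an unknown model). Add a returns line, e.g. `@returns The model's maxOutputTokens, or the standard default when the model defines none`. Dropping the `streaming` parameter also changes the exported signature, so any caller that passed a second argument needs updating; those call sites are not visible in this hunk.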
@@ -1126,8 +1124,8 @@ export function createOpenAICompatibleStream( * @returns Object with hasUsedForcedTool flag and updated usedForcedTools array */ export function checkForForcedToolUsageOpenAI( - response: any, - toolChoice: string | { type: string; function?: { name: string }; name?: string; any?: any }, + response: OpenAI.Chat.Completions.ChatCompletion, + toolChoice: string | { type: string; function?: { name: string }; name?: string }, providerName: string, forcedTools: string[], usedForcedTools: string[], diff --git a/apps/sim/serializer/index.ts b/apps/sim/serializer/index.ts index 622667d9f..66f4568a4 100644 --- a/apps/sim/serializer/index.ts +++ b/apps/sim/serializer/index.ts @@ -70,6 +70,7 @@ function shouldSerializeSubBlock( : group.basicId === subBlockConfig.id return matchesMode && evaluateSubBlockCondition(subBlockConfig.condition, values) } + console.log('[FUCK] subBlockConfig.condition', subBlockConfig.condition, values) return evaluateSubBlockCondition(subBlockConfig.condition, values) } From 7b36f9257ef06c0327c5e102156b0cea1db9cd1c Mon Sep 17 00:00:00 2001 From: Waleed Date: Sat, 7 Feb 2026 12:05:10 -0800 Subject: [PATCH 7/8] improvement(models): reorder models dropdown (#3164) --- apps/sim/providers/utils.ts | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/apps/sim/providers/utils.ts b/apps/sim/providers/utils.ts index 5b6481cbe..5d49dc53d 100644 --- a/apps/sim/providers/utils.ts +++ b/apps/sim/providers/utils.ts @@ -114,6 +114,8 @@ function buildProviderMetadata(providerId: ProviderId): ProviderMetadata { } export const providers: Record = { + ollama: buildProviderMetadata('ollama'), + vllm: buildProviderMetadata('vllm'), openai: { ...buildProviderMetadata('openai'), computerUseModels: ['computer-use-preview'], 
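Review bot: The `console.log` added in `shouldSerializeSubBlock` is leftover debug output that prints `subBlockConfig.condition` and the whole `values` map whenever this branch is reached. Sub-block values are user-supplied workflow inputs and may include credentials (an assumption, since the type of `values` is not visible here), so they should not go to the console. Drop the line, or log through the project logger at debug level without the `values` argument. A later patch in this series removes it; squashing that removal into this commit would keep the intermediate revision clean.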
@@ -124,19 +126,17 @@ export const providers: Record = { getProviderModelsFromDefinitions('anthropic').includes(model) ), }, - 'azure-anthropic': buildProviderMetadata('azure-anthropic'), google: buildProviderMetadata('google'), vertex: buildProviderMetadata('vertex'), + 'azure-openai': buildProviderMetadata('azure-openai'), + 'azure-anthropic': buildProviderMetadata('azure-anthropic'), deepseek: buildProviderMetadata('deepseek'), xai: buildProviderMetadata('xai'), cerebras: buildProviderMetadata('cerebras'), groq: buildProviderMetadata('groq'), - vllm: buildProviderMetadata('vllm'), mistral: buildProviderMetadata('mistral'), - 'azure-openai': buildProviderMetadata('azure-openai'), - openrouter: buildProviderMetadata('openrouter'), - ollama: buildProviderMetadata('ollama'), bedrock: buildProviderMetadata('bedrock'), + openrouter: buildProviderMetadata('openrouter'), } export function updateOllamaProviderModels(models: string[]): void { From 0cb671449658e0e9a62e49ae3d4512ebd12f27fa Mon Sep 17 00:00:00 2001 From: Vikhyath Mondreti Date: Sat, 7 Feb 2026 12:18:07 -0800 Subject: [PATCH 8/8] fix(rooms): cleanup edge case for 1hr ttl (#3163) * fix(rooms): cleanup edge case for 1hr ttl * revert feature flags * address comments * remove console log --- apps/sim/serializer/index.ts | 1 - apps/sim/socket/handlers/connection.ts | 3 +- apps/sim/socket/handlers/workflow.ts | 70 +++++++++++++++++++------ apps/sim/socket/rooms/memory-manager.ts | 2 +- apps/sim/socket/rooms/redis-manager.ts | 52 ++++++++++++++---- apps/sim/socket/rooms/types.ts | 5 +- 6 files changed, 104 insertions(+), 29 deletions(-) diff --git a/apps/sim/serializer/index.ts b/apps/sim/serializer/index.ts index 66f4568a4..622667d9f 100644 --- a/apps/sim/serializer/index.ts +++ b/apps/sim/serializer/index.ts 
@@ -70,7 +70,6 @@ function shouldSerializeSubBlock( : group.basicId === subBlockConfig.id return matchesMode && evaluateSubBlockCondition(subBlockConfig.condition, values) } - console.log('[FUCK] subBlockConfig.condition', subBlockConfig.condition, values) return evaluateSubBlockCondition(subBlockConfig.condition, values) } diff --git a/apps/sim/socket/handlers/connection.ts b/apps/sim/socket/handlers/connection.ts index 5444c9a83..ee7a9a774 100644 --- a/apps/sim/socket/handlers/connection.ts +++ b/apps/sim/socket/handlers/connection.ts @@ -21,7 +21,8 @@ export function setupConnectionHandlers(socket: AuthenticatedSocket, roomManager cleanupPendingSubblocksForSocket(socket.id) cleanupPendingVariablesForSocket(socket.id) - const workflowId = await roomManager.removeUserFromRoom(socket.id) + const workflowIdHint = [...socket.rooms].find((roomId) => roomId !== socket.id) + const workflowId = await roomManager.removeUserFromRoom(socket.id, workflowIdHint) if (workflowId) { await roomManager.broadcastPresenceUpdate(workflowId) diff --git a/apps/sim/socket/handlers/workflow.ts b/apps/sim/socket/handlers/workflow.ts index c59316d1e..8353f0a38 100644 --- a/apps/sim/socket/handlers/workflow.ts +++ b/apps/sim/socket/handlers/workflow.ts 
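Review bot: `workflowIdHint` is read from `socket.rooms`, which Socket.IO has already emptied by the time the `disconnect` event fires; the set is still populated only during `disconnecting`. The event this handler is registered on is outside the hunk. If it is `disconnect`, the hint is always `undefined` and the new fallback for expired Redis keys never applies on this path. Either run the cleanup on `disconnecting`, or record the workflow id on the socket at join time (for example in `socket.data`) and read it here. `find((roomId) => roomId !== socket.id)` also assumes the socket is in at most one workflow room.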
@@ -51,26 +51,66 @@ export function setupWorkflowHandlers(socket: AuthenticatedSocket, roomManager: const currentWorkflowId = await roomManager.getWorkflowIdForSocket(socket.id) if (currentWorkflowId) { socket.leave(currentWorkflowId) - await roomManager.removeUserFromRoom(socket.id) + await roomManager.removeUserFromRoom(socket.id, currentWorkflowId) await roomManager.broadcastPresenceUpdate(currentWorkflowId) } - const STALE_THRESHOLD_MS = 60_000 + // Keep this above Redis socket key TTL (1h) so a normal idle user is not evicted too aggressively. + const STALE_THRESHOLD_MS = 75 * 60 * 1000 const now = Date.now() const existingUsers = await roomManager.getWorkflowUsers(workflowId) - for (const existingUser of existingUsers) { - if (existingUser.userId === userId && existingUser.socketId !== socket.id) { - const isSameTab = tabSessionId && existingUser.tabSessionId === tabSessionId - const isStale = - now - (existingUser.lastActivity || existingUser.joinedAt || 0) > STALE_THRESHOLD_MS + let liveSocketIds = new Set() + let canCheckLiveness = false - if (isSameTab || isStale) { - logger.info( - `Cleaning up socket ${existingUser.socketId} for user ${userId} (${isSameTab ? 
'same tab' : 'stale'})` - ) - await roomManager.removeUserFromRoom(existingUser.socketId) - roomManager.io.in(existingUser.socketId).socketsLeave(workflowId) + try { + const liveSockets = await roomManager.io.in(workflowId).fetchSockets() + liveSocketIds = new Set(liveSockets.map((liveSocket) => liveSocket.id)) + canCheckLiveness = true + } catch (error) { + logger.warn( + `Skipping stale cleanup for ${workflowId} due to live socket lookup failure`, + error + ) + } + + for (const existingUser of existingUsers) { + try { + if (existingUser.socketId === socket.id) { + continue } + + const isSameTab = Boolean( + existingUser.userId === userId && + tabSessionId && + existingUser.tabSessionId === tabSessionId + ) + + if (isSameTab) { + logger.info( + `Cleaning up socket ${existingUser.socketId} for user ${existingUser.userId} (same tab)` + ) + await roomManager.removeUserFromRoom(existingUser.socketId, workflowId) + await roomManager.io.in(existingUser.socketId).socketsLeave(workflowId) + continue + } + + if (!canCheckLiveness || liveSocketIds.has(existingUser.socketId)) { + continue + } + + const isStaleByActivity = + now - (existingUser.lastActivity || existingUser.joinedAt || 0) > STALE_THRESHOLD_MS + if (!isStaleByActivity) { + continue + } + + logger.info( + `Cleaning up socket ${existingUser.socketId} for user ${existingUser.userId} (stale activity)` + ) + await roomManager.removeUserFromRoom(existingUser.socketId, workflowId) + await roomManager.io.in(existingUser.socketId).socketsLeave(workflowId) + } catch (error) { + logger.warn(`Best-effort cleanup failed for socket ${existingUser.socketId}`, error) } } 
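Review bot: `STALE_THRESHOLD_MS = 75 * 60 * 1000` is tied to the Redis socket key TTL only by the comment above it, while the TTL itself lives in `redis-manager.ts` as `SOCKET_KEY_TTL = 3600`. If that TTL is later raised past 75 minutes, the ordering the comment relies on breaks silently; derive the threshold from an exported constant, e.g. `const STALE_THRESHOLD_MS = (SOCKET_KEY_TTL + 15 * 60) * 1000`. An entry whose socket is absent from `fetchSockets()` also stays in the presence list until it has been idle for 75 minutes, so collaborators can see a departed user for that long. A one-line comment stating that this is intended would help. The handler continues outside the hunk.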
@@ -136,7 +176,7 @@ export function setupWorkflowHandlers(socket: AuthenticatedSocket, roomManager: logger.error('Error joining workflow:', error) // Undo socket.join and room manager entry if any operation failed socket.leave(workflowId) - await roomManager.removeUserFromRoom(socket.id) + await roomManager.removeUserFromRoom(socket.id, workflowId) const isReady = roomManager.isReady() socket.emit('join-workflow-error', { error: isReady ? 'Failed to join workflow' : 'Realtime unavailable', @@ -156,7 +196,7 @@ export function setupWorkflowHandlers(socket: AuthenticatedSocket, roomManager: if (workflowId && session) { socket.leave(workflowId) - await roomManager.removeUserFromRoom(socket.id) + await roomManager.removeUserFromRoom(socket.id, workflowId) await roomManager.broadcastPresenceUpdate(workflowId) logger.info(`User ${session.userId} (${session.userName}) left workflow ${workflowId}`) diff --git a/apps/sim/socket/rooms/memory-manager.ts b/apps/sim/socket/rooms/memory-manager.ts index 908ee13f7..fa631ff68 100644 --- a/apps/sim/socket/rooms/memory-manager.ts +++ b/apps/sim/socket/rooms/memory-manager.ts @@ -66,7 +66,7 @@ export class MemoryRoomManager implements IRoomManager { logger.debug(`Added user ${presence.userId} to workflow ${workflowId} (socket: ${socketId})`) } - async removeUserFromRoom(socketId: string): Promise { + async removeUserFromRoom(socketId: string, _workflowIdHint?: string): Promise { const workflowId = this.socketToWorkflow.get(socketId) if (!workflowId) { diff --git a/apps/sim/socket/rooms/redis-manager.ts b/apps/sim/socket/rooms/redis-manager.ts index 9288a4762..fb0d0d104 100644 --- a/apps/sim/socket/rooms/redis-manager.ts +++ b/apps/sim/socket/rooms/redis-manager.ts 
@@ -10,9 +10,11 @@ const KEYS = { workflowMeta: (wfId: string) => `workflow:${wfId}:meta`, socketWorkflow: (socketId: string) => `socket:${socketId}:workflow`, socketSession: (socketId: string) => `socket:${socketId}:session`, + socketPresenceWorkflow: (socketId: string) => `socket:${socketId}:presence-workflow`, } as const const SOCKET_KEY_TTL = 3600 +const SOCKET_PRESENCE_WORKFLOW_KEY_TTL = 24 * 60 * 60 /** * Lua script for atomic user removal from room. @@ -22,11 +24,21 @@ const SOCKET_KEY_TTL = 3600 const REMOVE_USER_SCRIPT = ` local socketWorkflowKey = KEYS[1] local socketSessionKey = KEYS[2] +local socketPresenceWorkflowKey = KEYS[3] local workflowUsersPrefix = ARGV[1] local workflowMetaPrefix = ARGV[2] local socketId = ARGV[3] +local workflowIdHint = ARGV[4] local workflowId = redis.call('GET', socketWorkflowKey) +if not workflowId then + workflowId = redis.call('GET', socketPresenceWorkflowKey) +end + +if not workflowId and workflowIdHint ~= '' then + workflowId = workflowIdHint +end + if not workflowId then return nil end @@ -35,7 +47,7 @@ local workflowUsersKey = workflowUsersPrefix .. workflowId .. ':users' local workflowMetaKey = workflowMetaPrefix .. workflowId .. ':meta' redis.call('HDEL', workflowUsersKey, socketId) -redis.call('DEL', socketWorkflowKey, socketSessionKey) +redis.call('DEL', socketWorkflowKey, socketSessionKey, socketPresenceWorkflowKey) local remaining = redis.call('HLEN', workflowUsersKey) if remaining == 0 then @@ -54,11 +66,13 @@ const UPDATE_ACTIVITY_SCRIPT = ` local workflowUsersKey = KEYS[1] local socketWorkflowKey = KEYS[2] local socketSessionKey = KEYS[3] +local socketPresenceWorkflowKey = KEYS[4] local socketId = ARGV[1] local cursorJson = ARGV[2] local selectionJson = ARGV[3] local lastActivity = ARGV[4] local ttl = tonumber(ARGV[5]) +local presenceWorkflowTtl = tonumber(ARGV[6]) local existingJson = redis.call('HGET', workflowUsersKey, socketId) if not existingJson then 
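Review bot: In `REMOVE_USER_SCRIPT`, `workflowIdHint` is consulted only after both `GET socketWorkflowKey` and `GET socketPresenceWorkflowKey` come back empty, so when a caller is clearing a stale entry out of one room and the socket's mapping keys point at a different workflow, the `HDEL` and the `DEL` (in the following hunk) act on that other workflow and the stale entry stays. The join handler's cleanup loop passes the room it is iterating as the hint, so in that case it would drop a socket's presence and session keys for a room it may still be using; whether a socket can really hold an entry in one room and mappings for another depends on code outside this diff. When a hint is given and disagrees with the resolved id, the script could remove only the hinted entry and leave the socket keys alone, e.g. `redis.call('HDEL', workflowUsersPrefix .. workflowIdHint .. ':users', socketId)` followed by an early return. The hint is also concatenated into Redis key names, so callers should pass only workflow ids that were already validated, not raw client input.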
@@ -78,6 +92,7 @@ existing.lastActivity = tonumber(lastActivity) redis.call('HSET', workflowUsersKey, socketId, cjson.encode(existing)) redis.call('EXPIRE', socketWorkflowKey, ttl) redis.call('EXPIRE', socketSessionKey, ttl) +redis.call('EXPIRE', socketPresenceWorkflowKey, presenceWorkflowTtl) return 1 ` @@ -164,6 +179,8 @@ export class RedisRoomManager implements IRoomManager { pipeline.hSet(KEYS.workflowMeta(workflowId), 'lastModified', Date.now().toString()) pipeline.set(KEYS.socketWorkflow(socketId), workflowId) pipeline.expire(KEYS.socketWorkflow(socketId), SOCKET_KEY_TTL) + pipeline.set(KEYS.socketPresenceWorkflow(socketId), workflowId) + pipeline.expire(KEYS.socketPresenceWorkflow(socketId), SOCKET_PRESENCE_WORKFLOW_KEY_TTL) pipeline.hSet(KEYS.socketSession(socketId), { userId: presence.userId, userName: presence.userName, @@ -187,7 +204,11 @@ export class RedisRoomManager implements IRoomManager { } } - async removeUserFromRoom(socketId: string, retried = false): Promise { + async removeUserFromRoom( + socketId: string, + workflowIdHint?: string, + retried = false + ): Promise { if (!this.removeUserScriptSha) { logger.error('removeUserFromRoom called before initialize()') return null 
@@ -195,19 +216,25 @@ export class RedisRoomManager implements IRoomManager { try { const workflowId = await this.redis.evalSha(this.removeUserScriptSha, { - keys: [KEYS.socketWorkflow(socketId), KEYS.socketSession(socketId)], - arguments: ['workflow:', 'workflow:', socketId], + keys: [ + KEYS.socketWorkflow(socketId), + KEYS.socketSession(socketId), + KEYS.socketPresenceWorkflow(socketId), + ], + arguments: ['workflow:', 'workflow:', socketId, workflowIdHint ?? ''], }) - if (workflowId) { + if (typeof workflowId === 'string' && workflowId.length > 0) { logger.debug(`Removed socket ${socketId} from workflow ${workflowId}`) + return workflowId } - return workflowId as string | null + + return null } catch (error) { if ((error as Error).message?.includes('NOSCRIPT') && !retried) { logger.warn('Lua script not found, reloading...') this.removeUserScriptSha = await this.redis.scriptLoad(REMOVE_USER_SCRIPT) - return this.removeUserFromRoom(socketId, true) + return this.removeUserFromRoom(socketId, workflowIdHint, true) } logger.error(`Failed to remove user from room: ${socketId}`, error) return null @@ -215,7 +242,12 @@ export class RedisRoomManager implements IRoomManager { } async getWorkflowIdForSocket(socketId: string): Promise { - return this.redis.get(KEYS.socketWorkflow(socketId)) + const workflowId = await this.redis.get(KEYS.socketWorkflow(socketId)) + if (workflowId) { + return workflowId + } + + return this.redis.get(KEYS.socketPresenceWorkflow(socketId)) } async getUserSession(socketId: string): Promise { @@ -278,6 +310,7 @@ export class RedisRoomManager implements IRoomManager { KEYS.workflowUsers(workflowId), KEYS.socketWorkflow(socketId), KEYS.socketSession(socketId), + KEYS.socketPresenceWorkflow(socketId), ], arguments: [ socketId, 
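Review bot: `getWorkflowIdForSocket` now falls back to the `presence-workflow` key, which lives for `SOCKET_PRESENCE_WORKFLOW_KEY_TTL` (24h) rather than `SOCKET_KEY_TTL` (1h), so it can return a workflow id long after the primary mapping has expired. That suits cleanup, but any caller that treats a non-null result as proof of current room membership (for routing or permission decisions; none are visible here) would be acting on a stale record. The method should carry a doc comment saying so, e.g. `/** May be answered from the 24h presence key; a cleanup hint, not proof of current membership. */`, and membership-sensitive callers should confirm the socket is still in the workflow's users hash.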
@@ -285,6 +318,7 @@ export class RedisRoomManager implements IRoomManager { updates.selection !== undefined ? JSON.stringify(updates.selection) : '', (updates.lastActivity ?? Date.now()).toString(), SOCKET_KEY_TTL.toString(), + SOCKET_PRESENCE_WORKFLOW_KEY_TTL.toString(), ], }) } catch (error) { @@ -348,7 +382,7 @@ export class RedisRoomManager implements IRoomManager { // Remove all users from Redis state for (const user of users) { - await this.removeUserFromRoom(user.socketId) + await this.removeUserFromRoom(user.socketId, workflowId) } // Clean up room data diff --git a/apps/sim/socket/rooms/types.ts b/apps/sim/socket/rooms/types.ts index b294646f6..5c755a739 100644 --- a/apps/sim/socket/rooms/types.ts +++ b/apps/sim/socket/rooms/types.ts @@ -65,9 +65,10 @@ export interface IRoomManager { /** * Remove a user from their current room - * Returns the workflowId they were in, or null if not in any room + * Optional workflowIdHint is used when socket mapping keys are missing/expired. + * Returns the workflowId they were in, or null if not in any room. */ - removeUserFromRoom(socketId: string): Promise + removeUserFromRoom(socketId: string, workflowIdHint?: string): Promise /** * Get the workflow ID for a socket