remove leftover type

* improvement(billing): improve against direct subscription creation bypasses

* more usage of block/unblock helpers

* address bugbot comments

* fail closed

* only run dup check for orgs

apps/docs/content/docs/de/execution/api.mdx

@@ -14,7 +14,7 @@ Alle API-Anfragen erfordern einen API-Schlüssel, der im Header `x-api-key` übe
 
 ```bash
 curl -H "x-api-key: YOUR_API_KEY" \
-  https://api.sim.ai/api/v1/logs?workspaceId=YOUR_WORKSPACE_ID
+  https://sim.ai/api/v1/logs?workspaceId=YOUR_WORKSPACE_ID
 ```
 
 Sie können API-Schlüssel in Ihren Benutzereinstellungen im Sim-Dashboard generieren.
@@ -528,7 +528,7 @@ async function pollLogs() {
   }
   
   const response = await fetch(
-    `https://api.sim.ai/api/v1/logs?${params}`,
+    `https://sim.ai/api/v1/logs?${params}`,
     {
       headers: {
         'x-api-key': 'YOUR_API_KEY'

apps/docs/content/docs/de/execution/costs.mdx

@@ -142,7 +142,7 @@ GET /api/users/me/usage-limits
 **Beispielanfrage:**
 
 ```bash
-curl -X GET -H "X-API-Key: YOUR_API_KEY" -H "Content-Type: application/json" https://api.sim.ai/api/users/me/usage-limits
+curl -X GET -H "X-API-Key: YOUR_API_KEY" -H "Content-Type: application/json" https://sim.ai/api/users/me/usage-limits
 ```
 
 **Beispielantwort:**

apps/docs/content/docs/de/sdks/python.mdx

@@ -647,7 +647,7 @@ def stream_workflow():
 
     def generate():
         response = requests.post(
-            'https://api.sim.ai/api/workflows/WORKFLOW_ID/execute',
+            'https://sim.ai/api/workflows/WORKFLOW_ID/execute',
             headers={
                 'Content-Type': 'application/json',
                 'X-API-Key': os.getenv('SIM_API_KEY')

apps/docs/content/docs/de/sdks/typescript.mdx

@@ -965,7 +965,7 @@ function StreamingWorkflow() {
 
     // IMPORTANT: Make this API call from your backend server, not the browser
     // Never expose your API key in client-side code
-    const response = await fetch('https://api.sim.ai/api/workflows/WORKFLOW_ID/execute', {
+    const response = await fetch('https://sim.ai/api/workflows/WORKFLOW_ID/execute', {
       method: 'POST',
       headers: {
         'Content-Type': 'application/json',

apps/docs/content/docs/en/execution/api.mdx

@@ -14,7 +14,7 @@ All API requests require an API key passed in the `x-api-key` header:
 
 ```bash
 curl -H "x-api-key: YOUR_API_KEY" \
-  https://api.sim.ai/api/v1/logs?workspaceId=YOUR_WORKSPACE_ID
+  https://sim.ai/api/v1/logs?workspaceId=YOUR_WORKSPACE_ID
 ```
 
 You can generate API keys from your user settings in the Sim dashboard.
@@ -513,7 +513,7 @@ async function pollLogs() {
   }
   
   const response = await fetch(
-    `https://api.sim.ai/api/v1/logs?${params}`,
+    `https://sim.ai/api/v1/logs?${params}`,
     {
       headers: {
         'x-api-key': 'YOUR_API_KEY'

apps/docs/content/docs/en/execution/costs.mdx

@@ -160,7 +160,7 @@ GET /api/users/me/usage-limits
 
 **Example Request:**
 ```bash
-curl -X GET -H "X-API-Key: YOUR_API_KEY" -H "Content-Type: application/json" https://api.sim.ai/api/users/me/usage-limits
+curl -X GET -H "X-API-Key: YOUR_API_KEY" -H "Content-Type: application/json" https://sim.ai/api/users/me/usage-limits
 ```
 
 **Example Response:**

apps/docs/content/docs/en/execution/files.mdx

@@ -0,0 +1,134 @@
+---
+title: Passing Files
+---
+
+import { Callout } from 'fumadocs-ui/components/callout'
+import { Tab, Tabs } from 'fumadocs-ui/components/tabs'
+
+Sim makes it easy to work with files throughout your workflows. Blocks can receive files, process them, and pass them to other blocks seamlessly.
+
+## File Objects
+
+When blocks output files (like Gmail attachments, generated images, or parsed documents), they return a standardized file object:
+
+```json
+{
+  "name": "report.pdf",
+  "url": "https://...",
+  "base64": "JVBERi0xLjQK...",
+  "type": "application/pdf",
+  "size": 245678
+}
+```
+
+You can access any of these properties when referencing files from previous blocks.
+
+## Passing Files Between Blocks
+
+Reference files from previous blocks using the tag dropdown. Click in any file input field and type `<` to see available outputs.
+
+**Common patterns:**
+
+```
+// Single file from a block
+<gmail.attachments[0]>
+
+// Pass the whole file object
+<file_parser.files[0]>
+
+// Access specific properties
+<gmail.attachments[0].name>
+<gmail.attachments[0].base64>
+```
+
+Most blocks accept the full file object and extract what they need automatically. You don't need to manually extract `base64` or `url` in most cases.
+
+## Triggering Workflows with Files
+
+When calling a workflow via API that expects file input, include files in your request:
+
+<Tabs items={['Base64', 'URL']}>
+  <Tab value="Base64">
+    ```bash
+    curl -X POST "https://sim.ai/api/workflows/YOUR_WORKFLOW_ID/execute" \
+      -H "Content-Type: application/json" \
+      -H "x-api-key: YOUR_API_KEY" \
+      -d '{
+        "document": {
+          "name": "report.pdf",
+          "base64": "JVBERi0xLjQK...",
+          "type": "application/pdf"
+        }
+      }'
+    ```
+  </Tab>
+  <Tab value="URL">
+    ```bash
+    curl -X POST "https://sim.ai/api/workflows/YOUR_WORKFLOW_ID/execute" \
+      -H "Content-Type: application/json" \
+      -H "x-api-key: YOUR_API_KEY" \
+      -d '{
+        "document": {
+          "name": "report.pdf",
+          "url": "https://example.com/report.pdf",
+          "type": "application/pdf"
+        }
+      }'
+    ```
+  </Tab>
+</Tabs>
+
+The workflow's Start block should have an input field configured to receive the file parameter.
+
+## Receiving Files in API Responses
+
+When a workflow outputs files, they're included in the response:
+
+```json
+{
+  "success": true,
+  "output": {
+    "generatedFile": {
+      "name": "output.png",
+      "url": "https://...",
+      "base64": "iVBORw0KGgo...",
+      "type": "image/png",
+      "size": 34567
+    }
+  }
+}
+```
+
+Use `url` for direct downloads or `base64` for inline processing.
+
+## Blocks That Work with Files
+
+**File inputs:**
+- **File** - Parse documents, images, and text files
+- **Vision** - Analyze images with AI models
+- **Mistral Parser** - Extract text from PDFs
+
+**File outputs:**
+- **Gmail** - Email attachments
+- **Slack** - Downloaded files
+- **TTS** - Generated audio files
+- **Video Generator** - Generated videos
+- **Image Generator** - Generated images
+
+**File storage:**
+- **Supabase** - Upload/download from storage
+- **S3** - AWS S3 operations
+- **Google Drive** - Drive file operations
+- **Dropbox** - Dropbox file operations
+
+<Callout type="info">
+  Files are automatically available to downstream blocks. The execution engine handles all file transfer and format conversion.
+</Callout>
+
+## Best Practices
+
+1. **Use file objects directly** - Pass the full file object rather than extracting individual properties. Blocks handle the conversion automatically.
+
+2. **Check file types** - Ensure the file type matches what the receiving block expects. The Vision block needs images, the File block handles documents.
+
+3. **Consider file size** - Large files increase execution time. For very large files, consider using storage blocks (S3, Supabase) for intermediate storage.

apps/docs/content/docs/en/execution/form.mdx

@@ -82,7 +82,7 @@ Submit forms programmatically:
 <Tabs items={['cURL', 'TypeScript']}>
   <Tab value="cURL">
 ```bash
-curl -X POST https://api.sim.ai/api/form/your-identifier \
+curl -X POST https://sim.ai/api/form/your-identifier \
   -H "Content-Type: application/json" \
   -d '{
     "formData": {
@@ -94,7 +94,7 @@ curl -X POST https://api.sim.ai/api/form/your-identifier \
   </Tab>
   <Tab value="TypeScript">
 ```typescript
-const response = await fetch('https://api.sim.ai/api/form/your-identifier', {
+const response = await fetch('https://sim.ai/api/form/your-identifier', {
   method: 'POST',
   headers: { 'Content-Type': 'application/json' },
   body: JSON.stringify({
@@ -115,14 +115,14 @@ const result = await response.json();
 
 For password-protected forms:
 ```bash
-curl -X POST https://api.sim.ai/api/form/your-identifier \
+curl -X POST https://sim.ai/api/form/your-identifier \
   -H "Content-Type: application/json" \
   -d '{ "password": "secret", "formData": { "name": "John" } }'
 ```
 
 For email-protected forms:
 ```bash
-curl -X POST https://api.sim.ai/api/form/your-identifier \
+curl -X POST https://sim.ai/api/form/your-identifier \
   -H "Content-Type: application/json" \
   -d '{ "email": "allowed@example.com", "formData": { "name": "John" } }'
 ```

apps/docs/content/docs/en/execution/meta.json

@@ -1,3 +1,3 @@
 {
-  "pages": ["index", "basics", "api", "logging", "costs"]
+  "pages": ["index", "basics", "files", "api", "logging", "costs"]
 }

apps/docs/content/docs/en/sdks/python.mdx

@@ -655,7 +655,7 @@ def stream_workflow():
 
     def generate():
         response = requests.post(
-            'https://api.sim.ai/api/workflows/WORKFLOW_ID/execute',
+            'https://sim.ai/api/workflows/WORKFLOW_ID/execute',
             headers={
                 'Content-Type': 'application/json',
                 'X-API-Key': os.getenv('SIM_API_KEY')

apps/docs/content/docs/en/sdks/typescript.mdx

@@ -948,7 +948,7 @@ function StreamingWorkflow() {
 
     // IMPORTANT: Make this API call from your backend server, not the browser
     // Never expose your API key in client-side code
-    const response = await fetch('https://api.sim.ai/api/workflows/WORKFLOW_ID/execute', {
+    const response = await fetch('https://sim.ai/api/workflows/WORKFLOW_ID/execute', {
       method: 'POST',
       headers: {
         'Content-Type': 'application/json',

apps/docs/content/docs/es/execution/api.mdx

@@ -14,7 +14,7 @@ Todas las solicitudes a la API requieren una clave de API pasada en el encabezad
 
 ```bash
 curl -H "x-api-key: YOUR_API_KEY" \
-  https://api.sim.ai/api/v1/logs?workspaceId=YOUR_WORKSPACE_ID
+  https://sim.ai/api/v1/logs?workspaceId=YOUR_WORKSPACE_ID
 ```
 
 Puedes generar claves de API desde la configuración de usuario en el panel de control de Sim.
@@ -528,7 +528,7 @@ async function pollLogs() {
   }
   
   const response = await fetch(
-    `https://api.sim.ai/api/v1/logs?${params}`,
+    `https://sim.ai/api/v1/logs?${params}`,
     {
       headers: {
         'x-api-key': 'YOUR_API_KEY'

apps/docs/content/docs/es/execution/costs.mdx

@@ -142,7 +142,7 @@ GET /api/users/me/usage-limits
 **Solicitud de ejemplo:**
 
 ```bash
-curl -X GET -H "X-API-Key: YOUR_API_KEY" -H "Content-Type: application/json" https://api.sim.ai/api/users/me/usage-limits
+curl -X GET -H "X-API-Key: YOUR_API_KEY" -H "Content-Type: application/json" https://sim.ai/api/users/me/usage-limits
 ```
 
 **Respuesta de ejemplo:**

apps/docs/content/docs/es/sdks/python.mdx

@@ -656,7 +656,7 @@ def stream_workflow():
 
     def generate():
         response = requests.post(
-            'https://api.sim.ai/api/workflows/WORKFLOW_ID/execute',
+            'https://sim.ai/api/workflows/WORKFLOW_ID/execute',
             headers={
                 'Content-Type': 'application/json',
                 'X-API-Key': os.getenv('SIM_API_KEY')

apps/docs/content/docs/es/sdks/typescript.mdx

@@ -965,7 +965,7 @@ function StreamingWorkflow() {
 
     // IMPORTANT: Make this API call from your backend server, not the browser
     // Never expose your API key in client-side code
-    const response = await fetch('https://api.sim.ai/api/workflows/WORKFLOW_ID/execute', {
+    const response = await fetch('https://sim.ai/api/workflows/WORKFLOW_ID/execute', {
       method: 'POST',
       headers: {
         'Content-Type': 'application/json',

apps/docs/content/docs/fr/execution/api.mdx

@@ -14,7 +14,7 @@ Toutes les requêtes API nécessitent une clé API transmise dans l'en-tête `x-
 
 ```bash
 curl -H "x-api-key: YOUR_API_KEY" \
-  https://api.sim.ai/api/v1/logs?workspaceId=YOUR_WORKSPACE_ID
+  https://sim.ai/api/v1/logs?workspaceId=YOUR_WORKSPACE_ID
 ```
 
 Vous pouvez générer des clés API depuis vos paramètres utilisateur dans le tableau de bord Sim.
@@ -528,7 +528,7 @@ async function pollLogs() {
   }
   
   const response = await fetch(
-    `https://api.sim.ai/api/v1/logs?${params}`,
+    `https://sim.ai/api/v1/logs?${params}`,
     {
       headers: {
         'x-api-key': 'YOUR_API_KEY'

apps/docs/content/docs/fr/execution/costs.mdx

@@ -142,7 +142,7 @@ GET /api/users/me/usage-limits
 **Exemple de requête :**
 
 ```bash
-curl -X GET -H "X-API-Key: YOUR_API_KEY" -H "Content-Type: application/json" https://api.sim.ai/api/users/me/usage-limits
+curl -X GET -H "X-API-Key: YOUR_API_KEY" -H "Content-Type: application/json" https://sim.ai/api/users/me/usage-limits
 ```
 
 **Exemple de réponse :**

apps/docs/content/docs/fr/sdks/python.mdx

@@ -656,7 +656,7 @@ def stream_workflow():
 
     def generate():
         response = requests.post(
-            'https://api.sim.ai/api/workflows/WORKFLOW_ID/execute',
+            'https://sim.ai/api/workflows/WORKFLOW_ID/execute',
             headers={
                 'Content-Type': 'application/json',
                 'X-API-Key': os.getenv('SIM_API_KEY')

apps/docs/content/docs/fr/sdks/typescript.mdx

@@ -965,7 +965,7 @@ function StreamingWorkflow() {
 
     // IMPORTANT: Make this API call from your backend server, not the browser
     // Never expose your API key in client-side code
-    const response = await fetch('https://api.sim.ai/api/workflows/WORKFLOW_ID/execute', {
+    const response = await fetch('https://sim.ai/api/workflows/WORKFLOW_ID/execute', {
       method: 'POST',
       headers: {
         'Content-Type': 'application/json',

apps/docs/content/docs/ja/execution/api.mdx

@@ -14,7 +14,7 @@ Simは、ワークフローの実行ログを照会したり、ワークフロ
 
 ```bash
 curl -H "x-api-key: YOUR_API_KEY" \
-  https://api.sim.ai/api/v1/logs?workspaceId=YOUR_WORKSPACE_ID
+  https://sim.ai/api/v1/logs?workspaceId=YOUR_WORKSPACE_ID
 ```
 
 SimダッシュボードのユーザーセッティングからAPIキーを生成できます。
@@ -528,7 +528,7 @@ async function pollLogs() {
   }
   
   const response = await fetch(
-    `https://api.sim.ai/api/v1/logs?${params}`,
+    `https://sim.ai/api/v1/logs?${params}`,
     {
       headers: {
         'x-api-key': 'YOUR_API_KEY'

apps/docs/content/docs/ja/execution/costs.mdx

@@ -142,7 +142,7 @@ GET /api/users/me/usage-limits
 **リクエスト例:**
 
 ```bash
-curl -X GET -H "X-API-Key: YOUR_API_KEY" -H "Content-Type: application/json" https://api.sim.ai/api/users/me/usage-limits
+curl -X GET -H "X-API-Key: YOUR_API_KEY" -H "Content-Type: application/json" https://sim.ai/api/users/me/usage-limits
 ```
 
 **レスポンス例:**

apps/docs/content/docs/ja/sdks/python.mdx

@@ -656,7 +656,7 @@ def stream_workflow():
 
     def generate():
         response = requests.post(
-            'https://api.sim.ai/api/workflows/WORKFLOW_ID/execute',
+            'https://sim.ai/api/workflows/WORKFLOW_ID/execute',
             headers={
                 'Content-Type': 'application/json',
                 'X-API-Key': os.getenv('SIM_API_KEY')   

apps/docs/content/docs/ja/sdks/typescript.mdx

@@ -965,7 +965,7 @@ function StreamingWorkflow() {
 
     // IMPORTANT: Make this API call from your backend server, not the browser
     // Never expose your API key in client-side code
-    const response = await fetch('https://api.sim.ai/api/workflows/WORKFLOW_ID/execute', {
+    const response = await fetch('https://sim.ai/api/workflows/WORKFLOW_ID/execute', {
       method: 'POST',
       headers: {
         'Content-Type': 'application/json',

apps/docs/content/docs/zh/execution/api.mdx

@@ -14,7 +14,7 @@ Sim 提供了一个全面的外部 API，用于查询工作流执行日志，并
 
 ```bash
 curl -H "x-api-key: YOUR_API_KEY" \
-  https://api.sim.ai/api/v1/logs?workspaceId=YOUR_WORKSPACE_ID
+  https://sim.ai/api/v1/logs?workspaceId=YOUR_WORKSPACE_ID
 ```
 
 您可以在 Sim 仪表板的用户设置中生成 API 密钥。
@@ -528,7 +528,7 @@ async function pollLogs() {
   }
   
   const response = await fetch(
-    `https://api.sim.ai/api/v1/logs?${params}`,
+    `https://sim.ai/api/v1/logs?${params}`,
     {
       headers: {
         'x-api-key': 'YOUR_API_KEY'

apps/docs/content/docs/zh/execution/costs.mdx

@@ -142,7 +142,7 @@ GET /api/users/me/usage-limits
 **请求示例：**
 
 ```bash
-curl -X GET -H "X-API-Key: YOUR_API_KEY" -H "Content-Type: application/json" https://api.sim.ai/api/users/me/usage-limits
+curl -X GET -H "X-API-Key: YOUR_API_KEY" -H "Content-Type: application/json" https://sim.ai/api/users/me/usage-limits
 ```
 
 **响应示例：**

apps/docs/content/docs/zh/sdks/python.mdx

@@ -656,7 +656,7 @@ def stream_workflow():
 
     def generate():
         response = requests.post(
-            'https://api.sim.ai/api/workflows/WORKFLOW_ID/execute',
+            'https://sim.ai/api/workflows/WORKFLOW_ID/execute',
             headers={
                 'Content-Type': 'application/json',
                 'X-API-Key': os.getenv('SIM_API_KEY')   

apps/docs/content/docs/zh/sdks/typescript.mdx

@@ -965,7 +965,7 @@ function StreamingWorkflow() {
 
     // IMPORTANT: Make this API call from your backend server, not the browser
     // Never expose your API key in client-side code
-    const response = await fetch('https://api.sim.ai/api/workflows/WORKFLOW_ID/execute', {
+    const response = await fetch('https://sim.ai/api/workflows/WORKFLOW_ID/execute', {
       method: 'POST',
       headers: {
         'Content-Type': 'application/json',

apps/sim/app/api/a2a/serve/[agentId]/route.ts

@@ -16,7 +16,7 @@ import {
 import { checkHybridAuth } from '@/lib/auth/hybrid'
 import { getBrandConfig } from '@/lib/branding/branding'
 import { acquireLock, getRedisClient, releaseLock } from '@/lib/core/config/redis'
-import { validateExternalUrl } from '@/lib/core/security/input-validation'
+import { validateUrlWithDNS } from '@/lib/core/security/input-validation.server'
 import { SSE_HEADERS } from '@/lib/core/utils/sse'
 import { getBaseUrl } from '@/lib/core/utils/urls'
 import { markExecutionCancelled } from '@/lib/execution/cancellation'
@@ -1119,7 +1119,7 @@ async function handlePushNotificationSet(
     )
   }
 
-  const urlValidation = validateExternalUrl(
+  const urlValidation = await validateUrlWithDNS(
     params.pushNotificationConfig.url,
     'Push notification URL'
   )

apps/sim/app/api/cron/cleanup-stale-executions/route.ts

@@ -8,6 +8,7 @@ import { verifyCronAuth } from '@/lib/auth/internal'
 const logger = createLogger('CleanupStaleExecutions')
 
 const STALE_THRESHOLD_MINUTES = 30
+const MAX_INT32 = 2_147_483_647
 
 export async function GET(request: NextRequest) {
   try {
@@ -45,13 +46,14 @@ export async function GET(request: NextRequest) {
       try {
         const staleDurationMs = Date.now() - new Date(execution.startedAt).getTime()
         const staleDurationMinutes = Math.round(staleDurationMs / 60000)
+        const totalDurationMs = Math.min(staleDurationMs, MAX_INT32)
 
         await db
           .update(workflowExecutionLogs)
           .set({
             status: 'failed',
             endedAt: new Date(),
-            totalDurationMs: staleDurationMs,
+            totalDurationMs,
             executionData: sql`jsonb_set(
               COALESCE(execution_data, '{}'::jsonb),
               ARRAY['error'],

apps/sim/app/api/files/parse/route.ts

@@ -6,7 +6,11 @@ import { createLogger } from '@sim/logger'
 import binaryExtensionsList from 'binary-extensions'
 import { type NextRequest, NextResponse } from 'next/server'
 import { checkHybridAuth } from '@/lib/auth/hybrid'
-import { secureFetchWithPinnedIP, validateUrlWithDNS } from '@/lib/core/security/input-validation'
+import {
+  secureFetchWithPinnedIP,
+  validateUrlWithDNS,
+} from '@/lib/core/security/input-validation.server'
+import { sanitizeUrlForLog } from '@/lib/core/utils/logging'
 import { isSupportedFileType, parseFile } from '@/lib/file-parsers'
 import { isUsingCloudStorage, type StorageContext, StorageService } from '@/lib/uploads'
 import { uploadExecutionFile } from '@/lib/uploads/contexts/execution'
@@ -19,6 +23,7 @@ import {
   getMimeTypeFromExtension,
   getViewerUrl,
   inferContextFromKey,
+  isInternalFileUrl,
 } from '@/lib/uploads/utils/file-utils'
 import { getUserEntityPermissions } from '@/lib/workspaces/permissions/utils'
 import { verifyFileAccess } from '@/app/api/files/authorization'
@@ -215,7 +220,7 @@ async function parseFileSingle(
     }
   }
 
-  if (filePath.includes('/api/files/serve/')) {
+  if (isInternalFileUrl(filePath)) {
     return handleCloudFile(filePath, fileType, undefined, userId, executionContext)
   }
 
@@ -246,7 +251,7 @@ function validateFilePath(filePath: string): { isValid: boolean; error?: string
     return { isValid: false, error: 'Invalid path: tilde character not allowed' }
   }
 
-  if (filePath.startsWith('/') && !filePath.startsWith('/api/files/serve/')) {
+  if (filePath.startsWith('/') && !isInternalFileUrl(filePath)) {
     return { isValid: false, error: 'Path outside allowed directory' }
   }
 
@@ -420,7 +425,7 @@ async function handleExternalUrl(
 
     return parseResult
   } catch (error) {
-    logger.error(`Error handling external URL ${url}:`, error)
+    logger.error(`Error handling external URL ${sanitizeUrlForLog(url)}:`, error)
     return {
       success: false,
       error: `Error fetching URL: ${(error as Error).message}`,

apps/sim/app/api/mcp/serve/[serverId]/route.ts

@@ -284,7 +284,7 @@ async function handleToolsCall(
       content: [
         { type: 'text', text: JSON.stringify(executeResult.output || executeResult, null, 2) },
       ],
-      isError: !executeResult.success,
+      isError: executeResult.success === false,
     }
 
     return NextResponse.json(createResponse(id, result))

apps/sim/app/api/organizations/[id]/invitations/[invitationId]/route.ts

@@ -20,6 +20,7 @@ import { z } from 'zod'
 import { getEmailSubject, renderInvitationEmail } from '@/components/emails'
 import { getSession } from '@/lib/auth'
 import { hasAccessControlAccess } from '@/lib/billing'
+import { syncUsageLimitsFromSubscription } from '@/lib/billing/core/usage'
 import { requireStripeClient } from '@/lib/billing/stripe-client'
 import { getBaseUrl } from '@/lib/core/utils/urls'
 import { sendEmail } from '@/lib/messaging/email/mailer'
@@ -501,6 +502,18 @@ export async function PUT(
       }
     }
 
+    if (status === 'accepted') {
+      try {
+        await syncUsageLimitsFromSubscription(session.user.id)
+      } catch (syncError) {
+        logger.error('Failed to sync usage limits after joining org', {
+          userId: session.user.id,
+          organizationId,
+          error: syncError,
+        })
+      }
+    }
+
     logger.info(`Organization invitation ${status}`, {
       organizationId,
       invitationId,

apps/sim/app/api/tools/a2a/send-message/route.ts

@@ -4,6 +4,7 @@ import { type NextRequest, NextResponse } from 'next/server'
 import { z } from 'zod'
 import { createA2AClient, extractTextContent, isTerminalState } from '@/lib/a2a/utils'
 import { checkHybridAuth } from '@/lib/auth/hybrid'
+import { validateUrlWithDNS } from '@/lib/core/security/input-validation.server'
 import { generateRequestId } from '@/lib/core/utils/request'
 
 export const dynamic = 'force-dynamic'
@@ -95,6 +96,14 @@ export async function POST(request: NextRequest) {
     if (validatedData.files && validatedData.files.length > 0) {
       for (const file of validatedData.files) {
         if (file.type === 'url') {
+          const urlValidation = await validateUrlWithDNS(file.data, 'fileUrl')
+          if (!urlValidation.isValid) {
+            return NextResponse.json(
+              { success: false, error: urlValidation.error },
+              { status: 400 }
+            )
+          }
+
           const filePart: FilePart = {
             kind: 'file',
             file: {

apps/sim/app/api/tools/a2a/set-push-notification/route.ts

@@ -3,7 +3,7 @@ import { type NextRequest, NextResponse } from 'next/server'
 import { z } from 'zod'
 import { createA2AClient } from '@/lib/a2a/utils'
 import { checkHybridAuth } from '@/lib/auth/hybrid'
-import { validateExternalUrl } from '@/lib/core/security/input-validation'
+import { validateUrlWithDNS } from '@/lib/core/security/input-validation.server'
 import { generateRequestId } from '@/lib/core/utils/request'
 
 export const dynamic = 'force-dynamic'
@@ -40,7 +40,7 @@ export async function POST(request: NextRequest) {
     const body = await request.json()
     const validatedData = A2ASetPushNotificationSchema.parse(body)
 
-    const urlValidation = validateExternalUrl(validatedData.webhookUrl, 'Webhook URL')
+    const urlValidation = await validateUrlWithDNS(validatedData.webhookUrl, 'Webhook URL')
     if (!urlValidation.isValid) {
       logger.warn(`[${requestId}] Invalid webhook URL`, { error: urlValidation.error })
       return NextResponse.json(

apps/sim/app/api/tools/confluence/upload-attachment/route.ts

@@ -92,6 +92,9 @@ export async function POST(request: NextRequest) {
       formData.append('comment', comment)
     }
 
+    // Add minorEdit field as required by Confluence API
+    formData.append('minorEdit', 'false')
+
     const response = await fetch(url, {
       method: 'POST',
       headers: {

apps/sim/app/api/tools/discord/send-message/route.ts

@@ -4,6 +4,7 @@ import { z } from 'zod'
 import { checkInternalAuth } from '@/lib/auth/hybrid'
 import { validateNumericId } from '@/lib/core/security/input-validation'
 import { generateRequestId } from '@/lib/core/utils/request'
+import { RawFileInputArraySchema } from '@/lib/uploads/utils/file-schemas'
 import { processFilesToUserFiles } from '@/lib/uploads/utils/file-utils'
 import { downloadFileFromStorage } from '@/lib/uploads/utils/file-utils.server'
 
@@ -15,7 +16,7 @@ const DiscordSendMessageSchema = z.object({
   botToken: z.string().min(1, 'Bot token is required'),
   channelId: z.string().min(1, 'Channel ID is required'),
   content: z.string().optional().nullable(),
-  files: z.array(z.any()).optional().nullable(),
+  files: RawFileInputArraySchema.optional().nullable(),
 })
 
 export async function POST(request: NextRequest) {
@@ -101,6 +102,12 @@ export async function POST(request: NextRequest) {
     logger.info(`[${requestId}] Processing ${validatedData.files.length} file(s)`)
 
     const userFiles = processFilesToUserFiles(validatedData.files, requestId, logger)
+    const filesOutput: Array<{
+      name: string
+      mimeType: string
+      data: string
+      size: number
+    }> = []
 
     if (userFiles.length === 0) {
       logger.warn(`[${requestId}] No valid files to upload, falling back to text-only`)
@@ -137,6 +144,12 @@ export async function POST(request: NextRequest) {
       logger.info(`[${requestId}] Downloading file ${i}: ${userFile.name}`)
 
       const buffer = await downloadFileFromStorage(userFile, requestId, logger)
+      filesOutput.push({
+        name: userFile.name,
+        mimeType: userFile.type || 'application/octet-stream',
+        data: buffer.toString('base64'),
+        size: buffer.length,
+      })
 
       const blob = new Blob([new Uint8Array(buffer)], { type: userFile.type })
       formData.append(`files[${i}]`, blob, userFile.name)
@@ -173,6 +186,7 @@ export async function POST(request: NextRequest) {
         message: data.content,
         data: data,
         fileCount: userFiles.length,
+        files: filesOutput,
       },
     })
   } catch (error) {

apps/sim/app/api/tools/github/latest-commit/route.ts

@@ -0,0 +1,195 @@
+import { createLogger } from '@sim/logger'
+import { type NextRequest, NextResponse } from 'next/server'
+import { z } from 'zod'
+import { checkInternalAuth } from '@/lib/auth/hybrid'
+import {
+  secureFetchWithPinnedIP,
+  validateUrlWithDNS,
+} from '@/lib/core/security/input-validation.server'
+import { generateRequestId } from '@/lib/core/utils/request'
+
+export const dynamic = 'force-dynamic'
+
+const logger = createLogger('GitHubLatestCommitAPI')
+
+interface GitHubErrorResponse {
+  message?: string
+}
+
+interface GitHubCommitResponse {
+  sha: string
+  html_url: string
+  commit: {
+    message: string
+    author: { name: string; email: string; date: string }
+    committer: { name: string; email: string; date: string }
+  }
+  author?: { login: string; avatar_url: string; html_url: string }
+  committer?: { login: string; avatar_url: string; html_url: string }
+  stats?: { additions: number; deletions: number; total: number }
+  files?: Array<{
+    filename: string
+    status: string
+    additions: number
+    deletions: number
+    changes: number
+    patch?: string
+    raw_url?: string
+    blob_url?: string
+  }>
+}
+
+const GitHubLatestCommitSchema = z.object({
+  owner: z.string().min(1, 'Owner is required'),
+  repo: z.string().min(1, 'Repo is required'),
+  branch: z.string().optional().nullable(),
+  apiKey: z.string().min(1, 'API key is required'),
+})
+
+export async function POST(request: NextRequest) {
+  const requestId = generateRequestId()
+
+  try {
+    const authResult = await checkInternalAuth(request, { requireWorkflowId: false })
+
+    if (!authResult.success) {
+      logger.warn(`[${requestId}] Unauthorized GitHub latest commit attempt: ${authResult.error}`)
+      return NextResponse.json(
+        {
+          success: false,
+          error: authResult.error || 'Authentication required',
+        },
+        { status: 401 }
+      )
+    }
+
+    const body = await request.json()
+    const validatedData = GitHubLatestCommitSchema.parse(body)
+
+    const { owner, repo, branch, apiKey } = validatedData
+
+    const baseUrl = `https://api.github.com/repos/${owner}/${repo}`
+    const commitUrl = branch ? `${baseUrl}/commits/${branch}` : `${baseUrl}/commits/HEAD`
+
+    logger.info(`[${requestId}] Fetching latest commit from GitHub`, { owner, repo, branch })
+
+    const urlValidation = await validateUrlWithDNS(commitUrl, 'commitUrl')
+    if (!urlValidation.isValid) {
+      return NextResponse.json({ success: false, error: urlValidation.error }, { status: 400 })
+    }
+
+    const response = await secureFetchWithPinnedIP(commitUrl, urlValidation.resolvedIP!, {
+      method: 'GET',
+      headers: {
+        Accept: 'application/vnd.github.v3+json',
+        Authorization: `Bearer ${apiKey}`,
+        'X-GitHub-Api-Version': '2022-11-28',
+      },
+    })
+
+    if (!response.ok) {
+      const errorData = (await response.json().catch(() => ({}))) as GitHubErrorResponse
+      logger.error(`[${requestId}] GitHub API error`, {
+        status: response.status,
+        error: errorData,
+      })
+      return NextResponse.json(
+        { success: false, error: errorData.message || `GitHub API error: ${response.status}` },
+        { status: 400 }
+      )
+    }
+
+    const data = (await response.json()) as GitHubCommitResponse
+
+    const content = `Latest commit: "${data.commit.message}" by ${data.commit.author.name} on ${data.commit.author.date}. SHA: ${data.sha}`
+
+    const files = data.files || []
+    const fileDetailsWithContent = []
+
+    for (const file of files) {
+      const fileDetail: Record<string, any> = {
+        filename: file.filename,
+        additions: file.additions,
+        deletions: file.deletions,
+        changes: file.changes,
+        status: file.status,
+        raw_url: file.raw_url,
+        blob_url: file.blob_url,
+        patch: file.patch,
+        content: undefined,
+      }
+
+      if (file.status !== 'removed' && file.raw_url) {
+        try {
+          const rawUrlValidation = await validateUrlWithDNS(file.raw_url, 'rawUrl')
+          if (rawUrlValidation.isValid) {
+            const contentResponse = await secureFetchWithPinnedIP(
+              file.raw_url,
+              rawUrlValidation.resolvedIP!,
+              {
+                headers: {
+                  Authorization: `Bearer ${apiKey}`,
+                  'X-GitHub-Api-Version': '2022-11-28',
+                },
+              }
+            )
+
+            if (contentResponse.ok) {
+              fileDetail.content = await contentResponse.text()
+            }
+          }
+        } catch (error) {
+          logger.warn(`[${requestId}] Failed to fetch content for ${file.filename}:`, error)
+        }
+      }
+
+      fileDetailsWithContent.push(fileDetail)
+    }
+
+    logger.info(`[${requestId}] Latest commit fetched successfully`, {
+      sha: data.sha,
+      fileCount: files.length,
+    })
+
+    return NextResponse.json({
+      success: true,
+      output: {
+        content,
+        metadata: {
+          sha: data.sha,
+          html_url: data.html_url,
+          commit_message: data.commit.message,
+          author: {
+            name: data.commit.author.name,
+            login: data.author?.login || 'Unknown',
+            avatar_url: data.author?.avatar_url || '',
+            html_url: data.author?.html_url || '',
+          },
+          committer: {
+            name: data.commit.committer.name,
+            login: data.committer?.login || 'Unknown',
+            avatar_url: data.committer?.avatar_url || '',
+            html_url: data.committer?.html_url || '',
+          },
+          stats: data.stats
+            ? {
+                additions: data.stats.additions,
+                deletions: data.stats.deletions,
+                total: data.stats.total,
+              }
+            : undefined,
+          files: fileDetailsWithContent.length > 0 ? fileDetailsWithContent : undefined,
+        },
+      },
+    })
+  } catch (error) {
+    logger.error(`[${requestId}] Error fetching GitHub latest commit:`, error)
+    return NextResponse.json(
+      {
+        success: false,
+        error: error instanceof Error ? error.message : 'Unknown error occurred',
+      },
+      { status: 500 }
+    )
+  }
+}

apps/sim/app/api/tools/gmail/draft/route.ts

@@ -3,6 +3,7 @@ import { type NextRequest, NextResponse } from 'next/server'
 import { z } from 'zod'
 import { checkInternalAuth } from '@/lib/auth/hybrid'
 import { generateRequestId } from '@/lib/core/utils/request'
+import { RawFileInputArraySchema } from '@/lib/uploads/utils/file-schemas'
 import { processFilesToUserFiles } from '@/lib/uploads/utils/file-utils'
 import { downloadFileFromStorage } from '@/lib/uploads/utils/file-utils.server'
 import {
@@ -28,7 +29,7 @@ const GmailDraftSchema = z.object({
   replyToMessageId: z.string().optional().nullable(),
   cc: z.string().optional().nullable(),
   bcc: z.string().optional().nullable(),
-  attachments: z.array(z.any()).optional().nullable(),
+  attachments: RawFileInputArraySchema.optional().nullable(),
 })
 
 export async function POST(request: NextRequest) {

apps/sim/app/api/tools/gmail/send/route.ts

@@ -3,6 +3,7 @@ import { type NextRequest, NextResponse } from 'next/server'
 import { z } from 'zod'
 import { checkInternalAuth } from '@/lib/auth/hybrid'
 import { generateRequestId } from '@/lib/core/utils/request'
+import { RawFileInputArraySchema } from '@/lib/uploads/utils/file-schemas'
 import { processFilesToUserFiles } from '@/lib/uploads/utils/file-utils'
 import { downloadFileFromStorage } from '@/lib/uploads/utils/file-utils.server'
 import {
@@ -28,7 +29,7 @@ const GmailSendSchema = z.object({
   replyToMessageId: z.string().optional().nullable(),
   cc: z.string().optional().nullable(),
   bcc: z.string().optional().nullable(),
-  attachments: z.array(z.any()).optional().nullable(),
+  attachments: RawFileInputArraySchema.optional().nullable(),
 })
 
 export async function POST(request: NextRequest) {

apps/sim/app/api/tools/google_drive/download/route.ts

@@ -0,0 +1,252 @@
+import { createLogger } from '@sim/logger'
+import { type NextRequest, NextResponse } from 'next/server'
+import { z } from 'zod'
+import { checkInternalAuth } from '@/lib/auth/hybrid'
+import {
+  secureFetchWithPinnedIP,
+  validateUrlWithDNS,
+} from '@/lib/core/security/input-validation.server'
+import { generateRequestId } from '@/lib/core/utils/request'
+import type { GoogleDriveFile, GoogleDriveRevision } from '@/tools/google_drive/types'
+import {
+  ALL_FILE_FIELDS,
+  ALL_REVISION_FIELDS,
+  DEFAULT_EXPORT_FORMATS,
+  GOOGLE_WORKSPACE_MIME_TYPES,
+} from '@/tools/google_drive/utils'
+
+export const dynamic = 'force-dynamic'
+
+const logger = createLogger('GoogleDriveDownloadAPI')
+
+/** Google API error response structure */
+interface GoogleApiErrorResponse {
+  error?: {
+    message?: string
+    code?: number
+    status?: string
+  }
+}
+
+/** Google Drive revisions list response */
+interface GoogleDriveRevisionsResponse {
+  revisions?: GoogleDriveRevision[]
+  nextPageToken?: string
+}
+
+const GoogleDriveDownloadSchema = z.object({
+  accessToken: z.string().min(1, 'Access token is required'),
+  fileId: z.string().min(1, 'File ID is required'),
+  mimeType: z.string().optional().nullable(),
+  fileName: z.string().optional().nullable(),
+  includeRevisions: z.boolean().optional().default(true),
+})
+
+export async function POST(request: NextRequest) {
+  const requestId = generateRequestId()
+
+  try {
+    const authResult = await checkInternalAuth(request, { requireWorkflowId: false })
+
+    if (!authResult.success) {
+      logger.warn(`[${requestId}] Unauthorized Google Drive download attempt: ${authResult.error}`)
+      return NextResponse.json(
+        {
+          success: false,
+          error: authResult.error || 'Authentication required',
+        },
+        { status: 401 }
+      )
+    }
+
+    const body = await request.json()
+    const validatedData = GoogleDriveDownloadSchema.parse(body)
+
+    const {
+      accessToken,
+      fileId,
+      mimeType: exportMimeType,
+      fileName,
+      includeRevisions,
+    } = validatedData
+    const authHeader = `Bearer ${accessToken}`
+
+    logger.info(`[${requestId}] Getting file metadata from Google Drive`, { fileId })
+
+    const metadataUrl = `https://www.googleapis.com/drive/v3/files/${fileId}?fields=${ALL_FILE_FIELDS}&supportsAllDrives=true`
+    const metadataUrlValidation = await validateUrlWithDNS(metadataUrl, 'metadataUrl')
+    if (!metadataUrlValidation.isValid) {
+      return NextResponse.json(
+        { success: false, error: metadataUrlValidation.error },
+        { status: 400 }
+      )
+    }
+
+    const metadataResponse = await secureFetchWithPinnedIP(
+      metadataUrl,
+      metadataUrlValidation.resolvedIP!,
+      {
+        headers: { Authorization: authHeader },
+      }
+    )
+
+    if (!metadataResponse.ok) {
+      const errorDetails = (await metadataResponse
+        .json()
+        .catch(() => ({}))) as GoogleApiErrorResponse
+      logger.error(`[${requestId}] Failed to get file metadata`, {
+        status: metadataResponse.status,
+        error: errorDetails,
+      })
+      return NextResponse.json(
+        { success: false, error: errorDetails.error?.message || 'Failed to get file metadata' },
+        { status: 400 }
+      )
+    }
+
+    const metadata = (await metadataResponse.json()) as GoogleDriveFile
+    const fileMimeType = metadata.mimeType
+
+    let fileBuffer: Buffer
+    let finalMimeType = fileMimeType
+
+    if (GOOGLE_WORKSPACE_MIME_TYPES.includes(fileMimeType)) {
+      const exportFormat = exportMimeType || DEFAULT_EXPORT_FORMATS[fileMimeType] || 'text/plain'
+      finalMimeType = exportFormat
+
+      logger.info(`[${requestId}] Exporting Google Workspace file`, {
+        fileId,
+        mimeType: fileMimeType,
+        exportFormat,
+      })
+
+      const exportUrl = `https://www.googleapis.com/drive/v3/files/${fileId}/export?mimeType=${encodeURIComponent(exportFormat)}&supportsAllDrives=true`
+      const exportUrlValidation = await validateUrlWithDNS(exportUrl, 'exportUrl')
+      if (!exportUrlValidation.isValid) {
+        return NextResponse.json(
+          { success: false, error: exportUrlValidation.error },
+          { status: 400 }
+        )
+      }
+
+      const exportResponse = await secureFetchWithPinnedIP(
+        exportUrl,
+        exportUrlValidation.resolvedIP!,
+        { headers: { Authorization: authHeader } }
+      )
+
+      if (!exportResponse.ok) {
+        const exportError = (await exportResponse
+          .json()
+          .catch(() => ({}))) as GoogleApiErrorResponse
+        logger.error(`[${requestId}] Failed to export file`, {
+          status: exportResponse.status,
+          error: exportError,
+        })
+        return NextResponse.json(
+          {
+            success: false,
+            error: exportError.error?.message || 'Failed to export Google Workspace file',
+          },
+          { status: 400 }
+        )
+      }
+
+      const arrayBuffer = await exportResponse.arrayBuffer()
+      fileBuffer = Buffer.from(arrayBuffer)
+    } else {
+      logger.info(`[${requestId}] Downloading regular file`, { fileId, mimeType: fileMimeType })
+
+      const downloadUrl = `https://www.googleapis.com/drive/v3/files/${fileId}?alt=media&supportsAllDrives=true`
+      const downloadUrlValidation = await validateUrlWithDNS(downloadUrl, 'downloadUrl')
+      if (!downloadUrlValidation.isValid) {
+        return NextResponse.json(
+          { success: false, error: downloadUrlValidation.error },
+          { status: 400 }
+        )
+      }
+
+      const downloadResponse = await secureFetchWithPinnedIP(
+        downloadUrl,
+        downloadUrlValidation.resolvedIP!,
+        { headers: { Authorization: authHeader } }
+      )
+
+      if (!downloadResponse.ok) {
+        const downloadError = (await downloadResponse
+          .json()
+          .catch(() => ({}))) as GoogleApiErrorResponse
+        logger.error(`[${requestId}] Failed to download file`, {
+          status: downloadResponse.status,
+          error: downloadError,
+        })
+        return NextResponse.json(
+          { success: false, error: downloadError.error?.message || 'Failed to download file' },
+          { status: 400 }
+        )
+      }
+
+      const arrayBuffer = await downloadResponse.arrayBuffer()
+      fileBuffer = Buffer.from(arrayBuffer)
+    }
+
+    const canReadRevisions = metadata.capabilities?.canReadRevisions === true
+    if (includeRevisions && canReadRevisions) {
+      try {
+        const revisionsUrl = `https://www.googleapis.com/drive/v3/files/${fileId}/revisions?fields=revisions(${ALL_REVISION_FIELDS})&pageSize=100`
+        const revisionsUrlValidation = await validateUrlWithDNS(revisionsUrl, 'revisionsUrl')
+        if (revisionsUrlValidation.isValid) {
+          const revisionsResponse = await secureFetchWithPinnedIP(
+            revisionsUrl,
+            revisionsUrlValidation.resolvedIP!,
+            { headers: { Authorization: authHeader } }
+          )
+
+          if (revisionsResponse.ok) {
+            const revisionsData = (await revisionsResponse.json()) as GoogleDriveRevisionsResponse
+            metadata.revisions = revisionsData.revisions
+            logger.info(`[${requestId}] Fetched file revisions`, {
+              fileId,
+              revisionCount: metadata.revisions?.length || 0,
+            })
+          }
+        }
+      } catch (error) {
+        logger.warn(`[${requestId}] Error fetching revisions, continuing without them`, { error })
+      }
+    }
+
+    const resolvedName = fileName || metadata.name || 'download'
+
+    logger.info(`[${requestId}] File downloaded successfully`, {
+      fileId,
+      name: resolvedName,
+      size: fileBuffer.length,
+      mimeType: finalMimeType,
+    })
+
+    const base64Data = fileBuffer.toString('base64')
+
+    return NextResponse.json({
+      success: true,
+      output: {
+        file: {
+          name: resolvedName,
+          mimeType: finalMimeType,
+          data: base64Data,
+          size: fileBuffer.length,
+        },
+        metadata,
+      },
+    })
+  } catch (error) {
+    logger.error(`[${requestId}] Error downloading Google Drive file:`, error)
+    return NextResponse.json(
+      {
+        success: false,
+        error: error instanceof Error ? error.message : 'Unknown error occurred',
+      },
+      { status: 500 }
+    )
+  }
+}

apps/sim/app/api/tools/google_drive/upload/route.ts

@@ -3,6 +3,7 @@ import { type NextRequest, NextResponse } from 'next/server'
 import { z } from 'zod'
 import { checkInternalAuth } from '@/lib/auth/hybrid'
 import { generateRequestId } from '@/lib/core/utils/request'
+import { RawFileInputSchema } from '@/lib/uploads/utils/file-schemas'
 import { processSingleFileToUserFile } from '@/lib/uploads/utils/file-utils'
 import { downloadFileFromStorage } from '@/lib/uploads/utils/file-utils.server'
 import {
@@ -20,7 +21,7 @@ const GOOGLE_DRIVE_API_BASE = 'https://www.googleapis.com/upload/drive/v3/files'
 const GoogleDriveUploadSchema = z.object({
   accessToken: z.string().min(1, 'Access token is required'),
   fileName: z.string().min(1, 'File name is required'),
-  file: z.any().optional().nullable(),
+  file: RawFileInputSchema.optional().nullable(),
   mimeType: z.string().optional().nullable(),
   folderId: z.string().optional().nullable(),
 })

apps/sim/app/api/tools/google_vault/download-export-file/route.ts

@@ -0,0 +1,131 @@
+import { createLogger } from '@sim/logger'
+import { type NextRequest, NextResponse } from 'next/server'
+import { z } from 'zod'
+import { checkInternalAuth } from '@/lib/auth/hybrid'
+import {
+  secureFetchWithPinnedIP,
+  validateUrlWithDNS,
+} from '@/lib/core/security/input-validation.server'
+import { generateRequestId } from '@/lib/core/utils/request'
+import { enhanceGoogleVaultError } from '@/tools/google_vault/utils'
+
+export const dynamic = 'force-dynamic'
+
+const logger = createLogger('GoogleVaultDownloadExportFileAPI')
+
+const GoogleVaultDownloadExportFileSchema = z.object({
+  accessToken: z.string().min(1, 'Access token is required'),
+  bucketName: z.string().min(1, 'Bucket name is required'),
+  objectName: z.string().min(1, 'Object name is required'),
+  fileName: z.string().optional().nullable(),
+})
+
+export async function POST(request: NextRequest) {
+  const requestId = generateRequestId()
+
+  try {
+    const authResult = await checkInternalAuth(request, { requireWorkflowId: false })
+
+    if (!authResult.success) {
+      logger.warn(`[${requestId}] Unauthorized Google Vault download attempt: ${authResult.error}`)
+      return NextResponse.json(
+        {
+          success: false,
+          error: authResult.error || 'Authentication required',
+        },
+        { status: 401 }
+      )
+    }
+
+    const body = await request.json()
+    const validatedData = GoogleVaultDownloadExportFileSchema.parse(body)
+
+    const { accessToken, bucketName, objectName, fileName } = validatedData
+
+    const bucket = encodeURIComponent(bucketName)
+    const object = encodeURIComponent(objectName)
+    const downloadUrl = `https://storage.googleapis.com/storage/v1/b/${bucket}/o/${object}?alt=media`
+
+    logger.info(`[${requestId}] Downloading file from Google Vault`, { bucketName, objectName })
+
+    const urlValidation = await validateUrlWithDNS(downloadUrl, 'downloadUrl')
+    if (!urlValidation.isValid) {
+      return NextResponse.json(
+        { success: false, error: enhanceGoogleVaultError(urlValidation.error || 'Invalid URL') },
+        { status: 400 }
+      )
+    }
+
+    const downloadResponse = await secureFetchWithPinnedIP(downloadUrl, urlValidation.resolvedIP!, {
+      method: 'GET',
+      headers: {
+        Authorization: `Bearer ${accessToken}`,
+      },
+    })
+
+    if (!downloadResponse.ok) {
+      const errorText = await downloadResponse.text().catch(() => '')
+      const errorMessage = `Failed to download file: ${errorText || downloadResponse.statusText}`
+      logger.error(`[${requestId}] Failed to download Vault export file`, {
+        status: downloadResponse.status,
+        error: errorText,
+      })
+      return NextResponse.json(
+        { success: false, error: enhanceGoogleVaultError(errorMessage) },
+        { status: 400 }
+      )
+    }
+
+    const contentType = downloadResponse.headers.get('content-type') || 'application/octet-stream'
+    const disposition = downloadResponse.headers.get('content-disposition') || ''
+    const match = disposition.match(/filename\*=UTF-8''([^;]+)|filename="([^"]+)"/)
+
+    let resolvedName = fileName
+    if (!resolvedName) {
+      if (match?.[1]) {
+        try {
+          resolvedName = decodeURIComponent(match[1])
+        } catch {
+          resolvedName = match[1]
+        }
+      } else if (match?.[2]) {
+        resolvedName = match[2]
+      } else if (objectName) {
+        const parts = objectName.split('/')
+        resolvedName = parts[parts.length - 1] || 'vault-export.bin'
+      } else {
+        resolvedName = 'vault-export.bin'
+      }
+    }
+
+    const arrayBuffer = await downloadResponse.arrayBuffer()
+    const buffer = Buffer.from(arrayBuffer)
+
+    logger.info(`[${requestId}] Vault export file downloaded successfully`, {
+      name: resolvedName,
+      size: buffer.length,
+      mimeType: contentType,
+    })
+
+    return NextResponse.json({
+      success: true,
+      output: {
+        file: {
+          name: resolvedName,
+          mimeType: contentType,
+          data: buffer.toString('base64'),
+          size: buffer.length,
+        },
+      },
+    })
+  } catch (error) {
+    logger.error(`[${requestId}] Error downloading Google Vault export file:`, error)
+    return NextResponse.json(
+      {
+        success: false,
+        error: error instanceof Error ? error.message : 'Unknown error occurred',
+      },
+      { status: 500 }
+    )
+  }
+}

apps/sim/app/api/tools/image/route.ts

@@ -1,7 +1,10 @@
 import { createLogger } from '@sim/logger'
 import { type NextRequest, NextResponse } from 'next/server'
 import { checkInternalAuth } from '@/lib/auth/hybrid'
-import { validateImageUrl } from '@/lib/core/security/input-validation'
+import {
+  secureFetchWithPinnedIP,
+  validateUrlWithDNS,
+} from '@/lib/core/security/input-validation.server'
 import { generateRequestId } from '@/lib/core/utils/request'
 
 const logger = createLogger('ImageProxyAPI')
@@ -26,7 +29,7 @@ export async function GET(request: NextRequest) {
     return new NextResponse('Missing URL parameter', { status: 400 })
   }
 
-  const urlValidation = validateImageUrl(imageUrl)
+  const urlValidation = await validateUrlWithDNS(imageUrl, 'imageUrl')
   if (!urlValidation.isValid) {
     logger.warn(`[${requestId}] Blocked image proxy request`, {
       url: imageUrl.substring(0, 100),
@@ -38,7 +41,8 @@ export async function GET(request: NextRequest) {
   logger.info(`[${requestId}] Proxying image request for: ${imageUrl}`)
 
   try {
-    const imageResponse = await fetch(imageUrl, {
+    const imageResponse = await secureFetchWithPinnedIP(imageUrl, urlValidation.resolvedIP!, {
+      method: 'GET',
       headers: {
         'User-Agent':
           'Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36',
@@ -64,14 +68,14 @@ export async function GET(request: NextRequest) {
 
     const contentType = imageResponse.headers.get('content-type') || 'image/jpeg'
 
-    const imageBlob = await imageResponse.blob()
+    const imageArrayBuffer = await imageResponse.arrayBuffer()
 
-    if (imageBlob.size === 0) {
+    if (imageArrayBuffer.byteLength === 0) {
-      logger.error(`[${requestId}] Empty image blob received`)
+      logger.error(`[${requestId}] Empty image received`)
       return new NextResponse('Empty image received', { status: 404 })
     }
 
-    return new NextResponse(imageBlob, {
+    return new NextResponse(imageArrayBuffer, {
       headers: {
         'Content-Type': contentType,
         'Access-Control-Allow-Origin': '*',

apps/sim/app/api/tools/jira/add-attachment/route.ts

@@ -0,0 +1,121 @@
+import { createLogger } from '@sim/logger'
+import { type NextRequest, NextResponse } from 'next/server'
+import { z } from 'zod'
+import { checkInternalAuth } from '@/lib/auth/hybrid'
+import { RawFileInputArraySchema } from '@/lib/uploads/utils/file-schemas'
+import { processFilesToUserFiles } from '@/lib/uploads/utils/file-utils'
+import { downloadFileFromStorage } from '@/lib/uploads/utils/file-utils.server'
+import { getJiraCloudId } from '@/tools/jira/utils'
+
+const logger = createLogger('JiraAddAttachmentAPI')
+
+export const dynamic = 'force-dynamic'
+
+const JiraAddAttachmentSchema = z.object({
+  accessToken: z.string().min(1, 'Access token is required'),
+  domain: z.string().min(1, 'Domain is required'),
+  issueKey: z.string().min(1, 'Issue key is required'),
+  files: RawFileInputArraySchema,
+  cloudId: z.string().optional().nullable(),
+})
+
+export async function POST(request: NextRequest) {
+  const requestId = `jira-attach-${Date.now()}`
+
+  try {
+    const authResult = await checkInternalAuth(request, { requireWorkflowId: false })
+    if (!authResult.success) {
+      return NextResponse.json(
+        { success: false, error: authResult.error || 'Unauthorized' },
+        { status: 401 }
+      )
+    }
+
+    const body = await request.json()
+    const validatedData = JiraAddAttachmentSchema.parse(body)
+
+    const userFiles = processFilesToUserFiles(validatedData.files, requestId, logger)
+    if (userFiles.length === 0) {
+      return NextResponse.json(
+        { success: false, error: 'No valid files provided for upload' },
+        { status: 400 }
+      )
+    }
+
+    const cloudId =
+      validatedData.cloudId ||
+      (await getJiraCloudId(validatedData.domain, validatedData.accessToken))
+
+    const formData = new FormData()
+    const filesOutput: Array<{ name: string; mimeType: string; data: string; size: number }> = []
+
+    for (const file of userFiles) {
+      const buffer = await downloadFileFromStorage(file, requestId, logger)
+      filesOutput.push({
+        name: file.name,
+        mimeType: file.type || 'application/octet-stream',
+        data: buffer.toString('base64'),
+        size: buffer.length,
+      })
+      const blob = new Blob([new Uint8Array(buffer)], {
+        type: file.type || 'application/octet-stream',
+      })
+      formData.append('file', blob, file.name)
+    }
+
+    const url = `https://api.atlassian.com/ex/jira/${cloudId}/rest/api/3/issue/${validatedData.issueKey}/attachments`
+
+    const response = await fetch(url, {
+      method: 'POST',
+      headers: {
+        Authorization: `Bearer ${validatedData.accessToken}`,
+        'X-Atlassian-Token': 'no-check',
+      },
+      body: formData,
+    })
+
+    if (!response.ok) {
+      const errorText = await response.text()
+      logger.error(`[${requestId}] Jira attachment upload failed`, {
+        status: response.status,
+        statusText: response.statusText,
+        error: errorText,
+      })
+      return NextResponse.json(
+        {
+          success: false,
+          error: `Failed to upload attachments: ${response.statusText}`,
+        },
+        { status: response.status }
+      )
+    }
+
+    const attachments = await response.json()
+    const attachmentIds = Array.isArray(attachments)
+      ? attachments.map((attachment) => attachment.id).filter(Boolean)
+      : []
+
+    return NextResponse.json({
+      success: true,
+      output: {
+        ts: new Date().toISOString(),
+        issueKey: validatedData.issueKey,
+        attachmentIds,
+        files: filesOutput,
+      },
+    })
+  } catch (error) {
+    if (error instanceof z.ZodError) {
+      return NextResponse.json(
+        { success: false, error: 'Invalid request data', details: error.errors },
+        { status: 400 }
+      )
+    }
+
+    logger.error(`[${requestId}] Jira attachment upload error`, error)
+    return NextResponse.json(
+      { success: false, error: error instanceof Error ? error.message : 'Internal server error' },
+      { status: 500 }
+    )
+  }
+}

apps/sim/app/api/tools/microsoft_teams/write_channel/route.ts

@@ -2,9 +2,11 @@ import { createLogger } from '@sim/logger'
 import { type NextRequest, NextResponse } from 'next/server'
 import { z } from 'zod'
 import { checkInternalAuth } from '@/lib/auth/hybrid'
+import { secureFetchWithValidation } from '@/lib/core/security/input-validation.server'
 import { generateRequestId } from '@/lib/core/utils/request'
-import { processFilesToUserFiles } from '@/lib/uploads/utils/file-utils'
+import { RawFileInputArraySchema } from '@/lib/uploads/utils/file-schemas'
-import { downloadFileFromStorage } from '@/lib/uploads/utils/file-utils.server'
+import { uploadFilesForTeamsMessage } from '@/tools/microsoft_teams/server-utils'
+import type { GraphApiErrorResponse, GraphChatMessage } from '@/tools/microsoft_teams/types'
 import { resolveMentionsForChannel, type TeamsMention } from '@/tools/microsoft_teams/utils'
 
 export const dynamic = 'force-dynamic'
@@ -16,7 +18,7 @@ const TeamsWriteChannelSchema = z.object({
   teamId: z.string().min(1, 'Team ID is required'),
   channelId: z.string().min(1, 'Channel ID is required'),
   content: z.string().min(1, 'Message content is required'),
-  files: z.array(z.any()).optional().nullable(),
+  files: RawFileInputArraySchema.optional().nullable(),
 })
 
 export async function POST(request: NextRequest) {
@@ -53,93 +55,12 @@ export async function POST(request: NextRequest) {
       fileCount: validatedData.files?.length || 0,
     })
 
-    const attachments: any[] = []
+    const { attachments, filesOutput } = await uploadFilesForTeamsMessage({
-    if (validatedData.files && validatedData.files.length > 0) {
+      rawFiles: validatedData.files || [],
-      const rawFiles = validatedData.files
+      accessToken: validatedData.accessToken,
-      logger.info(`[${requestId}] Processing ${rawFiles.length} file(s) for upload to OneDrive`)
+      requestId,
-
+      logger,
-      const userFiles = processFilesToUserFiles(rawFiles, requestId, logger)
+    })
-
-      for (const file of userFiles) {
-        try {
-          logger.info(`[${requestId}] Uploading file to Teams: ${file.name} (${file.size} bytes)`)
-
-          const buffer = await downloadFileFromStorage(file, requestId, logger)
-
-          const uploadUrl =
-            'https://graph.microsoft.com/v1.0/me/drive/root:/TeamsAttachments/' +
-            encodeURIComponent(file.name) +
-            ':/content'
-
-          logger.info(`[${requestId}] Uploading to Teams: ${uploadUrl}`)
-
-          const uploadResponse = await fetch(uploadUrl, {
-            method: 'PUT',
-            headers: {
-              Authorization: `Bearer ${validatedData.accessToken}`,
-              'Content-Type': file.type || 'application/octet-stream',
-            },
-            body: new Uint8Array(buffer),
-          })
-
-          if (!uploadResponse.ok) {
-            const errorData = await uploadResponse.json().catch(() => ({}))
-            logger.error(`[${requestId}] Teams upload failed:`, errorData)
-            throw new Error(
-              `Failed to upload file to Teams: ${errorData.error?.message || 'Unknown error'}`
-            )
-          }
-
-          const uploadedFile = await uploadResponse.json()
-          logger.info(`[${requestId}] File uploaded to Teams successfully`, {
-            id: uploadedFile.id,
-            webUrl: uploadedFile.webUrl,
-          })
-
-          const fileDetailsUrl = `https://graph.microsoft.com/v1.0/me/drive/items/${uploadedFile.id}?$select=id,name,webDavUrl,eTag,size`
-
-          const fileDetailsResponse = await fetch(fileDetailsUrl, {
-            headers: {
-              Authorization: `Bearer ${validatedData.accessToken}`,
-            },
-          })
-
-          if (!fileDetailsResponse.ok) {
-            const errorData = await fileDetailsResponse.json().catch(() => ({}))
-            logger.error(`[${requestId}] Failed to get file details:`, errorData)
-            throw new Error(
-              `Failed to get file details: ${errorData.error?.message || 'Unknown error'}`
-            )
-          }
-
-          const fileDetails = await fileDetailsResponse.json()
-          logger.info(`[${requestId}] Got file details`, {
-            webDavUrl: fileDetails.webDavUrl,
-            eTag: fileDetails.eTag,
-          })
-
-          const attachmentId = fileDetails.eTag?.match(/\{([a-f0-9-]+)\}/i)?.[1] || fileDetails.id
-
-          attachments.push({
-            id: attachmentId,
-            contentType: 'reference',
-            contentUrl: fileDetails.webDavUrl,
-            name: file.name,
-          })
-
-          logger.info(`[${requestId}] Created attachment reference for ${file.name}`)
-        } catch (error) {
-          logger.error(`[${requestId}] Failed to process file ${file.name}:`, error)
-          throw new Error(
-            `Failed to process file "${file.name}": ${error instanceof Error ? error.message : 'Unknown error'}`
-          )
-        }
-      }
-
-      logger.info(
-        `[${requestId}] All ${attachments.length} file(s) uploaded and attachment references created`
-      )
-    }
 
     let messageContent = validatedData.content
     let contentType: 'text' | 'html' = 'text'
@@ -197,17 +118,21 @@ export async function POST(request: NextRequest) {
 
     const teamsUrl = `https://graph.microsoft.com/v1.0/teams/${encodeURIComponent(validatedData.teamId)}/channels/${encodeURIComponent(validatedData.channelId)}/messages`
 
-    const teamsResponse = await fetch(teamsUrl, {
+    const teamsResponse = await secureFetchWithValidation(
-      method: 'POST',
+      teamsUrl,
-      headers: {
+      {
-        'Content-Type': 'application/json',
+        method: 'POST',
-        Authorization: `Bearer ${validatedData.accessToken}`,
+        headers: {
+          'Content-Type': 'application/json',
+          Authorization: `Bearer ${validatedData.accessToken}`,
+        },
+        body: JSON.stringify(messageBody),
       },
-      body: JSON.stringify(messageBody),
+      'teamsUrl'
-    })
+    )
 
     if (!teamsResponse.ok) {
-      const errorData = await teamsResponse.json().catch(() => ({}))
+      const errorData = (await teamsResponse.json().catch(() => ({}))) as GraphApiErrorResponse
       logger.error(`[${requestId}] Microsoft Teams API error:`, errorData)
       return NextResponse.json(
         {
@@ -218,7 +143,7 @@ export async function POST(request: NextRequest) {
       )
     }
 
-    const responseData = await teamsResponse.json()
+    const responseData = (await teamsResponse.json()) as GraphChatMessage
     logger.info(`[${requestId}] Teams channel message sent successfully`, {
       messageId: responseData.id,
       attachmentCount: attachments.length,
@@ -237,6 +162,7 @@ export async function POST(request: NextRequest) {
           url: responseData.webUrl || '',
           attachmentCount: attachments.length,
         },
+        files: filesOutput,
       },
     })
   } catch (error) {

apps/sim/app/api/tools/microsoft_teams/write_chat/route.ts

@@ -2,9 +2,11 @@ import { createLogger } from '@sim/logger'
 import { type NextRequest, NextResponse } from 'next/server'
 import { z } from 'zod'
 import { checkInternalAuth } from '@/lib/auth/hybrid'
+import { secureFetchWithValidation } from '@/lib/core/security/input-validation.server'
 import { generateRequestId } from '@/lib/core/utils/request'
-import { processFilesToUserFiles } from '@/lib/uploads/utils/file-utils'
+import { RawFileInputArraySchema } from '@/lib/uploads/utils/file-schemas'
-import { downloadFileFromStorage } from '@/lib/uploads/utils/file-utils.server'
+import { uploadFilesForTeamsMessage } from '@/tools/microsoft_teams/server-utils'
+import type { GraphApiErrorResponse, GraphChatMessage } from '@/tools/microsoft_teams/types'
 import { resolveMentionsForChat, type TeamsMention } from '@/tools/microsoft_teams/utils'
 
 export const dynamic = 'force-dynamic'
@@ -15,7 +17,7 @@ const TeamsWriteChatSchema = z.object({
   accessToken: z.string().min(1, 'Access token is required'),
   chatId: z.string().min(1, 'Chat ID is required'),
   content: z.string().min(1, 'Message content is required'),
-  files: z.array(z.any()).optional().nullable(),
+  files: RawFileInputArraySchema.optional().nullable(),
 })
 
 export async function POST(request: NextRequest) {
@@ -51,93 +53,12 @@ export async function POST(request: NextRequest) {
       fileCount: validatedData.files?.length || 0,
     })
 
-    const attachments: any[] = []
+    const { attachments, filesOutput } = await uploadFilesForTeamsMessage({
-    if (validatedData.files && validatedData.files.length > 0) {
+      rawFiles: validatedData.files || [],
-      const rawFiles = validatedData.files
+      accessToken: validatedData.accessToken,
-      logger.info(`[${requestId}] Processing ${rawFiles.length} file(s) for upload to Teams`)
+      requestId,
-
+      logger,
-      const userFiles = processFilesToUserFiles(rawFiles, requestId, logger)
+    })
-
-      for (const file of userFiles) {
-        try {
-          logger.info(`[${requestId}] Uploading file to Teams: ${file.name} (${file.size} bytes)`)
-
-          const buffer = await downloadFileFromStorage(file, requestId, logger)
-
-          const uploadUrl =
-            'https://graph.microsoft.com/v1.0/me/drive/root:/TeamsAttachments/' +
-            encodeURIComponent(file.name) +
-            ':/content'
-
-          logger.info(`[${requestId}] Uploading to Teams: ${uploadUrl}`)
-
-          const uploadResponse = await fetch(uploadUrl, {
-            method: 'PUT',
-            headers: {
-              Authorization: `Bearer ${validatedData.accessToken}`,
-              'Content-Type': file.type || 'application/octet-stream',
-            },
-            body: new Uint8Array(buffer),
-          })
-
-          if (!uploadResponse.ok) {
-            const errorData = await uploadResponse.json().catch(() => ({}))
-            logger.error(`[${requestId}] Teams upload failed:`, errorData)
-            throw new Error(
-              `Failed to upload file to Teams: ${errorData.error?.message || 'Unknown error'}`
-            )
-          }
-
-          const uploadedFile = await uploadResponse.json()
-          logger.info(`[${requestId}] File uploaded to Teams successfully`, {
-            id: uploadedFile.id,
-            webUrl: uploadedFile.webUrl,
-          })
-
-          const fileDetailsUrl = `https://graph.microsoft.com/v1.0/me/drive/items/${uploadedFile.id}?$select=id,name,webDavUrl,eTag,size`
-
-          const fileDetailsResponse = await fetch(fileDetailsUrl, {
-            headers: {
-              Authorization: `Bearer ${validatedData.accessToken}`,
-            },
-          })
-
-          if (!fileDetailsResponse.ok) {
-            const errorData = await fileDetailsResponse.json().catch(() => ({}))
-            logger.error(`[${requestId}] Failed to get file details:`, errorData)
-            throw new Error(
-              `Failed to get file details: ${errorData.error?.message || 'Unknown error'}`
-            )
-          }
-
-          const fileDetails = await fileDetailsResponse.json()
-          logger.info(`[${requestId}] Got file details`, {
-            webDavUrl: fileDetails.webDavUrl,
-            eTag: fileDetails.eTag,
-          })
-
-          const attachmentId = fileDetails.eTag?.match(/\{([a-f0-9-]+)\}/i)?.[1] || fileDetails.id
-
-          attachments.push({
-            id: attachmentId,
-            contentType: 'reference',
-            contentUrl: fileDetails.webDavUrl,
-            name: file.name,
-          })
-
-          logger.info(`[${requestId}] Created attachment reference for ${file.name}`)
-        } catch (error) {
-          logger.error(`[${requestId}] Failed to process file ${file.name}:`, error)
-          throw new Error(
-            `Failed to process file "${file.name}": ${error instanceof Error ? error.message : 'Unknown error'}`
-          )
-        }
-      }
-
-      logger.info(
-        `[${requestId}] All ${attachments.length} file(s) uploaded and attachment references created`
-      )
-    }
 
     let messageContent = validatedData.content
     let contentType: 'text' | 'html' = 'text'
@@ -194,17 +115,21 @@ export async function POST(request: NextRequest) {
 
     const teamsUrl = `https://graph.microsoft.com/v1.0/chats/${encodeURIComponent(validatedData.chatId)}/messages`
 
-    const teamsResponse = await fetch(teamsUrl, {
+    const teamsResponse = await secureFetchWithValidation(
-      method: 'POST',
+      teamsUrl,
-      headers: {
+      {
-        'Content-Type': 'application/json',
+        method: 'POST',
-        Authorization: `Bearer ${validatedData.accessToken}`,
+        headers: {
+          'Content-Type': 'application/json',
+          Authorization: `Bearer ${validatedData.accessToken}`,
+        },
+        body: JSON.stringify(messageBody),
       },
-      body: JSON.stringify(messageBody),
+      'teamsUrl'
-    })
+    )
 
     if (!teamsResponse.ok) {
-      const errorData = await teamsResponse.json().catch(() => ({}))
+      const errorData = (await teamsResponse.json().catch(() => ({}))) as GraphApiErrorResponse
       logger.error(`[${requestId}] Microsoft Teams API error:`, errorData)
       return NextResponse.json(
         {
@@ -215,7 +140,7 @@ export async function POST(request: NextRequest) {
       )
     }
 
-    const responseData = await teamsResponse.json()
+    const responseData = (await teamsResponse.json()) as GraphChatMessage
     logger.info(`[${requestId}] Teams message sent successfully`, {
       messageId: responseData.id,
       attachmentCount: attachments.length,
@@ -233,6 +158,7 @@ export async function POST(request: NextRequest) {
           url: responseData.webUrl || '',
           attachmentCount: attachments.length,
         },
+        files: filesOutput,
       },
     })
   } catch (error) {

apps/sim/app/api/tools/mistral/parse/route.ts

@@ -2,15 +2,17 @@ import { createLogger } from '@sim/logger'
 import { type NextRequest, NextResponse } from 'next/server'
 import { z } from 'zod'
 import { checkInternalAuth } from '@/lib/auth/hybrid'
-import { generateRequestId } from '@/lib/core/utils/request'
-import { getBaseUrl } from '@/lib/core/utils/urls'
-import { StorageService } from '@/lib/uploads'
 import {
-  extractStorageKey,
+  secureFetchWithPinnedIP,
-  inferContextFromKey,
+  validateUrlWithDNS,
-  isInternalFileUrl,
+} from '@/lib/core/security/input-validation.server'
-} from '@/lib/uploads/utils/file-utils'
+import { generateRequestId } from '@/lib/core/utils/request'
-import { verifyFileAccess } from '@/app/api/files/authorization'
+import { FileInputSchema } from '@/lib/uploads/utils/file-schemas'
+import { isInternalFileUrl, processSingleFileToUserFile } from '@/lib/uploads/utils/file-utils'
+import {
+  downloadFileFromStorage,
+  resolveInternalFileUrl,
+} from '@/lib/uploads/utils/file-utils.server'
 
 export const dynamic = 'force-dynamic'
 
@@ -18,7 +20,9 @@ const logger = createLogger('MistralParseAPI')
 
 const MistralParseSchema = z.object({
   apiKey: z.string().min(1, 'API key is required'),
-  filePath: z.string().min(1, 'File path is required'),
+  filePath: z.string().min(1, 'File path is required').optional(),
+  fileData: FileInputSchema.optional(),
+  file: FileInputSchema.optional(),
   resultType: z.string().optional(),
   pages: z.array(z.number()).optional(),
   includeImageBase64: z.boolean().optional(),
@@ -49,66 +53,130 @@ export async function POST(request: NextRequest) {
     const body = await request.json()
     const validatedData = MistralParseSchema.parse(body)
 
+    const fileData = validatedData.file || validatedData.fileData
+    const filePath = typeof fileData === 'string' ? fileData : validatedData.filePath
+
+    if (!fileData && (!filePath || filePath.trim() === '')) {
+      return NextResponse.json(
+        {
+          success: false,
+          error: 'File input is required',
+        },
+        { status: 400 }
+      )
+    }
+
     logger.info(`[${requestId}] Mistral parse request`, {
-      filePath: validatedData.filePath,
+      hasFileData: Boolean(fileData),
-      isWorkspaceFile: isInternalFileUrl(validatedData.filePath),
+      filePath,
+      isWorkspaceFile: filePath ? isInternalFileUrl(filePath) : false,
       userId,
     })
 
-    let fileUrl = validatedData.filePath
+    const mistralBody: any = {
+      model: 'mistral-ocr-latest',
+    }
 
-    if (isInternalFileUrl(validatedData.filePath)) {
+    if (fileData && typeof fileData === 'object') {
+      const rawFile = fileData
+      let userFile
       try {
-        const storageKey = extractStorageKey(validatedData.filePath)
+        userFile = processSingleFileToUserFile(rawFile, requestId, logger)
-
-        const context = inferContextFromKey(storageKey)
-
-        const hasAccess = await verifyFileAccess(
-          storageKey,
-          userId,
-          undefined, // customConfig
-          context, // context
-          false // isLocal
-        )
-
-        if (!hasAccess) {
-          logger.warn(`[${requestId}] Unauthorized presigned URL generation attempt`, {
-            userId,
-            key: storageKey,
-            context,
-          })
-          return NextResponse.json(
-            {
-              success: false,
-              error: 'File not found',
-            },
-            { status: 404 }
-          )
-        }
-
-        fileUrl = await StorageService.generatePresignedDownloadUrl(storageKey, context, 5 * 60)
-        logger.info(`[${requestId}] Generated presigned URL for ${context} file`)
       } catch (error) {
-        logger.error(`[${requestId}] Failed to generate presigned URL:`, error)
         return NextResponse.json(
           {
             success: false,
-            error: 'Failed to generate file access URL',
+            error: error instanceof Error ? error.message : 'Failed to process file',
           },
-          { status: 500 }
+          { status: 400 }
         )
       }
-    } else if (validatedData.filePath?.startsWith('/')) {
-      const baseUrl = getBaseUrl()
-      fileUrl = `${baseUrl}${validatedData.filePath}`
-    }
 
-    const mistralBody: any = {
+      const mimeType = userFile.type || 'application/pdf'
-      model: 'mistral-ocr-latest',
+      let base64 = userFile.base64
-      document: {
+      if (!base64) {
-        type: 'document_url',
+        const buffer = await downloadFileFromStorage(userFile, requestId, logger)
-        document_url: fileUrl,
+        base64 = buffer.toString('base64')
-      },
+      }
+      const base64Payload = base64.startsWith('data:')
+        ? base64
+        : `data:${mimeType};base64,${base64}`
+
+      // Mistral API uses different document types for images vs documents
+      const isImage = mimeType.startsWith('image/')
+      if (isImage) {
+        mistralBody.document = {
+          type: 'image_url',
+          image_url: base64Payload,
+        }
+      } else {
+        mistralBody.document = {
+          type: 'document_url',
+          document_url: base64Payload,
+        }
+      }
+    } else if (filePath) {
+      let fileUrl = filePath
+
+      const isInternalFilePath = isInternalFileUrl(filePath)
+      if (isInternalFilePath) {
+        const resolution = await resolveInternalFileUrl(filePath, userId, requestId, logger)
+        if (resolution.error) {
+          return NextResponse.json(
+            {
+              success: false,
+              error: resolution.error.message,
+            },
+            { status: resolution.error.status }
+          )
+        }
+        fileUrl = resolution.fileUrl || fileUrl
+      } else if (filePath.startsWith('/')) {
+        logger.warn(`[${requestId}] Invalid internal path`, {
+          userId,
+          path: filePath.substring(0, 50),
+        })
+        return NextResponse.json(
+          {
+            success: false,
+            error: 'Invalid file path. Only uploaded files are supported for internal paths.',
+          },
+          { status: 400 }
+        )
+      } else {
+        const urlValidation = await validateUrlWithDNS(fileUrl, 'filePath')
+        if (!urlValidation.isValid) {
+          return NextResponse.json(
+            {
+              success: false,
+              error: urlValidation.error,
+            },
+            { status: 400 }
+          )
+        }
+      }
+
+      // Detect image URLs by extension for proper Mistral API type
+      const lowerUrl = fileUrl.toLowerCase()
+      const isImageUrl =
+        lowerUrl.endsWith('.png') ||
+        lowerUrl.endsWith('.jpg') ||
+        lowerUrl.endsWith('.jpeg') ||
+        lowerUrl.endsWith('.gif') ||
+        lowerUrl.endsWith('.webp') ||
+        lowerUrl.endsWith('.avif')
+
+      if (isImageUrl) {
+        mistralBody.document = {
+          type: 'image_url',
+          image_url: fileUrl,
+        }
+      } else {
+        mistralBody.document = {
+          type: 'document_url',
+          document_url: fileUrl,
+        }
+      }
     }
 
     if (validatedData.pages) {
@@ -124,15 +192,34 @@ export async function POST(request: NextRequest) {
       mistralBody.image_min_size = validatedData.imageMinSize
     }
 
-    const mistralResponse = await fetch('https://api.mistral.ai/v1/ocr', {
+    const mistralEndpoint = 'https://api.mistral.ai/v1/ocr'
-      method: 'POST',
+    const mistralValidation = await validateUrlWithDNS(mistralEndpoint, 'Mistral API URL')
-      headers: {
+    if (!mistralValidation.isValid) {
-        'Content-Type': 'application/json',
+      logger.error(`[${requestId}] Mistral API URL validation failed`, {
-        Accept: 'application/json',
+        error: mistralValidation.error,
-        Authorization: `Bearer ${validatedData.apiKey}`,
+      })
-      },
+      return NextResponse.json(
-      body: JSON.stringify(mistralBody),
+        {
-    })
+          success: false,
+          error: 'Failed to reach Mistral API',
+        },
+        { status: 502 }
+      )
+    }
+
+    const mistralResponse = await secureFetchWithPinnedIP(
+      mistralEndpoint,
+      mistralValidation.resolvedIP!,
+      {
+        method: 'POST',
+        headers: {
+          'Content-Type': 'application/json',
+          Accept: 'application/json',
+          Authorization: `Bearer ${validatedData.apiKey}`,
+        },
+        body: JSON.stringify(mistralBody),
+      }
+    )
 
     if (!mistralResponse.ok) {
       const errorText = await mistralResponse.text()

apps/sim/app/api/tools/onedrive/download/route.ts

@@ -0,0 +1,177 @@
+import { createLogger } from '@sim/logger'
+import { type NextRequest, NextResponse } from 'next/server'
+import { z } from 'zod'
+import { checkInternalAuth } from '@/lib/auth/hybrid'
+import {
+  secureFetchWithPinnedIP,
+  validateUrlWithDNS,
+} from '@/lib/core/security/input-validation.server'
+import { generateRequestId } from '@/lib/core/utils/request'
+
+export const dynamic = 'force-dynamic'
+
+/** Microsoft Graph API error response structure */
+interface GraphApiError {
+  error?: {
+    code?: string
+    message?: string
+  }
+}
+
+/** Microsoft Graph API drive item metadata response */
+interface DriveItemMetadata {
+  id?: string
+  name?: string
+  folder?: Record<string, unknown>
+  file?: {
+    mimeType?: string
+  }
+}
+
+const logger = createLogger('OneDriveDownloadAPI')
+
+const OneDriveDownloadSchema = z.object({
+  accessToken: z.string().min(1, 'Access token is required'),
+  fileId: z.string().min(1, 'File ID is required'),
+  fileName: z.string().optional().nullable(),
+})
+
+export async function POST(request: NextRequest) {
+  const requestId = generateRequestId()
+
+  try {
+    const authResult = await checkInternalAuth(request, { requireWorkflowId: false })
+
+    if (!authResult.success) {
+      logger.warn(`[${requestId}] Unauthorized OneDrive download attempt: ${authResult.error}`)
+      return NextResponse.json(
+        {
+          success: false,
+          error: authResult.error || 'Authentication required',
+        },
+        { status: 401 }
+      )
+    }
+
+    const body = await request.json()
+    const validatedData = OneDriveDownloadSchema.parse(body)
+
+    const { accessToken, fileId, fileName } = validatedData
+    const authHeader = `Bearer ${accessToken}`
+
+    logger.info(`[${requestId}] Getting file metadata from OneDrive`, { fileId })
+
+    const metadataUrl = `https://graph.microsoft.com/v1.0/me/drive/items/${fileId}`
+    const metadataUrlValidation = await validateUrlWithDNS(metadataUrl, 'metadataUrl')
+    if (!metadataUrlValidation.isValid) {
+      return NextResponse.json(
+        { success: false, error: metadataUrlValidation.error },
+        { status: 400 }
+      )
+    }
+
+    const metadataResponse = await secureFetchWithPinnedIP(
+      metadataUrl,
+      metadataUrlValidation.resolvedIP!,
+      {
+        headers: { Authorization: authHeader },
+      }
+    )
+
+    if (!metadataResponse.ok) {
+      const errorDetails = (await metadataResponse.json().catch(() => ({}))) as GraphApiError
+      logger.error(`[${requestId}] Failed to get file metadata`, {
+        status: metadataResponse.status,
+        error: errorDetails,
+      })
+      return NextResponse.json(
+        { success: false, error: errorDetails.error?.message || 'Failed to get file metadata' },
+        { status: 400 }
+      )
+    }
+
+    const metadata = (await metadataResponse.json()) as DriveItemMetadata
+
+    if (metadata.folder && !metadata.file) {
+      logger.error(`[${requestId}] Attempted to download a folder`, {
+        itemId: metadata.id,
+        itemName: metadata.name,
+      })
+      return NextResponse.json(
+        {
+          success: false,
+          error: `Cannot download folder "${metadata.name}". Please select a file instead.`,
+        },
+        { status: 400 }
+      )
+    }
+
+    const mimeType = metadata.file?.mimeType || 'application/octet-stream'
+
+    logger.info(`[${requestId}] Downloading file from OneDrive`, { fileId, mimeType })
+
+    const downloadUrl = `https://graph.microsoft.com/v1.0/me/drive/items/${fileId}/content`
+    const downloadUrlValidation = await validateUrlWithDNS(downloadUrl, 'downloadUrl')
+    if (!downloadUrlValidation.isValid) {
+      return NextResponse.json(
+        { success: false, error: downloadUrlValidation.error },
+        { status: 400 }
+      )
+    }
+
+    const downloadResponse = await secureFetchWithPinnedIP(
+      downloadUrl,
+      downloadUrlValidation.resolvedIP!,
+      {
+        headers: { Authorization: authHeader },
+      }
+    )
+
+    if (!downloadResponse.ok) {
+      const downloadError = (await downloadResponse.json().catch(() => ({}))) as GraphApiError
+      logger.error(`[${requestId}] Failed to download file`, {
+        status: downloadResponse.status,
+        error: downloadError,
+      })
+      return NextResponse.json(
+        { success: false, error: downloadError.error?.message || 'Failed to download file' },
+        { status: 400 }
+      )
+    }
+
+    const arrayBuffer = await downloadResponse.arrayBuffer()
+    const fileBuffer = Buffer.from(arrayBuffer)
+
+    const resolvedName = fileName || metadata.name || 'download'
+
+    logger.info(`[${requestId}] File downloaded successfully`, {
+      fileId,
+      name: resolvedName,
+      size: fileBuffer.length,
+      mimeType,
+    })
+
+    const base64Data = fileBuffer.toString('base64')
+
+    return NextResponse.json({
+      success: true,
+      output: {
+        file: {
+          name: resolvedName,
+          mimeType,
+          data: base64Data,
+          size: fileBuffer.length,
+        },
+      },
+    })
+  } catch (error) {
+    logger.error(`[${requestId}] Error downloading OneDrive file:`, error)
+    return NextResponse.json(
+      {
+        success: false,
+        error: error instanceof Error ? error.message : 'Unknown error occurred',
+      },
+      { status: 500 }
+    )
+  }
+}

apps/sim/app/api/tools/onedrive/upload/route.ts

@@ -4,7 +4,9 @@ import * as XLSX from 'xlsx'
 import { z } from 'zod'
 import { checkInternalAuth } from '@/lib/auth/hybrid'
 import { validateMicrosoftGraphId } from '@/lib/core/security/input-validation'
+import { secureFetchWithValidation } from '@/lib/core/security/input-validation.server'
 import { generateRequestId } from '@/lib/core/utils/request'
+import { RawFileInputSchema } from '@/lib/uploads/utils/file-schemas'
 import {
   getExtensionFromMimeType,
   processSingleFileToUserFile,
@@ -29,12 +31,33 @@ const ExcelValuesSchema = z.union([
 const OneDriveUploadSchema = z.object({
   accessToken: z.string().min(1, 'Access token is required'),
   fileName: z.string().min(1, 'File name is required'),
-  file: z.any().optional(),
+  file: RawFileInputSchema.optional(),
   folderId: z.string().optional().nullable(),
   mimeType: z.string().nullish(),
   values: ExcelValuesSchema.optional().nullable(),
+  conflictBehavior: z.enum(['fail', 'replace', 'rename']).optional().nullable(),
 })
 
+/** Microsoft Graph DriveItem response */
+interface OneDriveFileData {
+  id: string
+  name: string
+  size: number
+  webUrl: string
+  createdDateTime: string
+  lastModifiedDateTime: string
+  file?: { mimeType: string }
+  parentReference?: { id: string; path: string }
+  '@microsoft.graph.downloadUrl'?: string
+}
+
+/** Microsoft Graph Excel range response */
+interface ExcelRangeData {
+  address?: string
+  addressLocal?: string
+  values?: unknown[][]
+}
+
 export async function POST(request: NextRequest) {
   const requestId = generateRequestId()
 
@@ -88,25 +111,9 @@ export async function POST(request: NextRequest) {
         )
       }
 
-      let fileToProcess
-      if (Array.isArray(rawFile)) {
-        if (rawFile.length === 0) {
-          return NextResponse.json(
-            {
-              success: false,
-              error: 'No file provided',
-            },
-            { status: 400 }
-          )
-        }
-        fileToProcess = rawFile[0]
-      } else {
-        fileToProcess = rawFile
-      }
-
       let userFile
       try {
-        userFile = processSingleFileToUserFile(fileToProcess, requestId, logger)
+        userFile = processSingleFileToUserFile(rawFile, requestId, logger)
       } catch (error) {
         return NextResponse.json(
           {
@@ -179,14 +186,23 @@ export async function POST(request: NextRequest) {
       uploadUrl = `${MICROSOFT_GRAPH_BASE}/me/drive/root:/${encodeURIComponent(fileName)}:/content`
     }
 
-    const uploadResponse = await fetch(uploadUrl, {
+    // Add conflict behavior if specified (defaults to replace by Microsoft Graph API)
-      method: 'PUT',
+    if (validatedData.conflictBehavior) {
-      headers: {
+      uploadUrl += `?@microsoft.graph.conflictBehavior=${validatedData.conflictBehavior}`
-        Authorization: `Bearer ${validatedData.accessToken}`,
+    }
-        'Content-Type': mimeType,
+
+    const uploadResponse = await secureFetchWithValidation(
+      uploadUrl,
+      {
+        method: 'PUT',
+        headers: {
+          Authorization: `Bearer ${validatedData.accessToken}`,
+          'Content-Type': mimeType,
+        },
+        body: fileBuffer,
       },
-      body: new Uint8Array(fileBuffer),
+      'uploadUrl'
-    })
+    )
 
     if (!uploadResponse.ok) {
       const errorText = await uploadResponse.text()
@@ -200,7 +216,7 @@ export async function POST(request: NextRequest) {
       )
     }
 
-    const fileData = await uploadResponse.json()
+    const fileData = (await uploadResponse.json()) as OneDriveFileData
 
     let excelWriteResult: any | undefined
     const shouldWriteExcelContent =
@@ -209,8 +225,11 @@ export async function POST(request: NextRequest) {
     if (shouldWriteExcelContent) {
       try {
         let workbookSessionId: string | undefined
-        const sessionResp = await fetch(
+        const sessionUrl = `${MICROSOFT_GRAPH_BASE}/me/drive/items/${encodeURIComponent(
-          `${MICROSOFT_GRAPH_BASE}/me/drive/items/${encodeURIComponent(fileData.id)}/workbook/createSession`,
+          fileData.id
+        )}/workbook/createSession`
+        const sessionResp = await secureFetchWithValidation(
+          sessionUrl,
           {
             method: 'POST',
             headers: {
@@ -218,11 +237,12 @@ export async function POST(request: NextRequest) {
               'Content-Type': 'application/json',
             },
             body: JSON.stringify({ persistChanges: true }),
-          }
+          },
+          'sessionUrl'
         )
 
         if (sessionResp.ok) {
-          const sessionData = await sessionResp.json()
+          const sessionData = (await sessionResp.json()) as { id?: string }
           workbookSessionId = sessionData?.id
         }
 
@@ -231,14 +251,19 @@ export async function POST(request: NextRequest) {
           const listUrl = `${MICROSOFT_GRAPH_BASE}/me/drive/items/${encodeURIComponent(
             fileData.id
           )}/workbook/worksheets?$select=name&$orderby=position&$top=1`
-          const listResp = await fetch(listUrl, {
+          const listResp = await secureFetchWithValidation(
-            headers: {
+            listUrl,
-              Authorization: `Bearer ${validatedData.accessToken}`,
+            {
-              ...(workbookSessionId ? { 'workbook-session-id': workbookSessionId } : {}),
+              method: 'GET',
+              headers: {
+                Authorization: `Bearer ${validatedData.accessToken}`,
+                ...(workbookSessionId ? { 'workbook-session-id': workbookSessionId } : {}),
+              },
             },
-          })
+            'listUrl'
+          )
           if (listResp.ok) {
-            const listData = await listResp.json()
+            const listData = (await listResp.json()) as { value?: Array<{ name?: string }> }
             const firstSheetName = listData?.value?.[0]?.name
             if (firstSheetName) {
               sheetName = firstSheetName
@@ -297,15 +322,19 @@ export async function POST(request: NextRequest) {
           )}')/range(address='${encodeURIComponent(computedRangeAddress)}')`
         )
 
-        const excelWriteResponse = await fetch(url.toString(), {
+        const excelWriteResponse = await secureFetchWithValidation(
-          method: 'PATCH',
+          url.toString(),
-          headers: {
+          {
-            Authorization: `Bearer ${validatedData.accessToken}`,
+            method: 'PATCH',
-            'Content-Type': 'application/json',
+            headers: {
-            ...(workbookSessionId ? { 'workbook-session-id': workbookSessionId } : {}),
+              Authorization: `Bearer ${validatedData.accessToken}`,
+              'Content-Type': 'application/json',
+              ...(workbookSessionId ? { 'workbook-session-id': workbookSessionId } : {}),
+            },
+            body: JSON.stringify({ values: processedValues }),
           },
-          body: JSON.stringify({ values: processedValues }),
+          'excelWriteUrl'
-        })
+        )
 
         if (!excelWriteResponse || !excelWriteResponse.ok) {
           const errorText = excelWriteResponse ? await excelWriteResponse.text() : 'no response'
@@ -320,7 +349,7 @@ export async function POST(request: NextRequest) {
             details: errorText,
           }
         } else {
-          const writeData = await excelWriteResponse.json()
+          const writeData = (await excelWriteResponse.json()) as ExcelRangeData
           const addr = writeData.address || writeData.addressLocal
           const v = writeData.values || []
           excelWriteResult = {
@@ -328,21 +357,25 @@ export async function POST(request: NextRequest) {
             updatedRange: addr,
             updatedRows: Array.isArray(v) ? v.length : undefined,
             updatedColumns: Array.isArray(v) && v[0] ? v[0].length : undefined,
-            updatedCells: Array.isArray(v) && v[0] ? v.length * (v[0] as any[]).length : undefined,
+            updatedCells: Array.isArray(v) && v[0] ? v.length * v[0].length : undefined,
           }
         }
 
         if (workbookSessionId) {
           try {
-            const closeResp = await fetch(
+            const closeUrl = `${MICROSOFT_GRAPH_BASE}/me/drive/items/${encodeURIComponent(
-              `${MICROSOFT_GRAPH_BASE}/me/drive/items/${encodeURIComponent(fileData.id)}/workbook/closeSession`,
+              fileData.id
+            )}/workbook/closeSession`
+            const closeResp = await secureFetchWithValidation(
+              closeUrl,
               {
                 method: 'POST',
                 headers: {
                   Authorization: `Bearer ${validatedData.accessToken}`,
                   'workbook-session-id': workbookSessionId,
                 },
-              }
+              },
+              'closeSessionUrl'
             )
             if (!closeResp.ok) {
               const closeText = await closeResp.text()

apps/sim/app/api/tools/outlook/draft/route.ts

@@ -3,6 +3,7 @@ import { type NextRequest, NextResponse } from 'next/server'
 import { z } from 'zod'
 import { checkInternalAuth } from '@/lib/auth/hybrid'
 import { generateRequestId } from '@/lib/core/utils/request'
+import { RawFileInputArraySchema } from '@/lib/uploads/utils/file-schemas'
 import { processFilesToUserFiles } from '@/lib/uploads/utils/file-utils'
 import { downloadFileFromStorage } from '@/lib/uploads/utils/file-utils.server'
 
@@ -18,7 +19,7 @@ const OutlookDraftSchema = z.object({
   contentType: z.enum(['text', 'html']).optional().nullable(),
   cc: z.string().optional().nullable(),
   bcc: z.string().optional().nullable(),
-  attachments: z.array(z.any()).optional().nullable(),
+  attachments: RawFileInputArraySchema.optional().nullable(),
 })
 
 export async function POST(request: NextRequest) {

apps/sim/app/api/tools/outlook/send/route.ts

@@ -3,6 +3,7 @@ import { type NextRequest, NextResponse } from 'next/server'
 import { z } from 'zod'
 import { checkInternalAuth } from '@/lib/auth/hybrid'
 import { generateRequestId } from '@/lib/core/utils/request'
+import { RawFileInputArraySchema } from '@/lib/uploads/utils/file-schemas'
 import { processFilesToUserFiles } from '@/lib/uploads/utils/file-utils'
 import { downloadFileFromStorage } from '@/lib/uploads/utils/file-utils.server'
 
@@ -20,7 +21,7 @@ const OutlookSendSchema = z.object({
   bcc: z.string().optional().nullable(),
   replyToMessageId: z.string().optional().nullable(),
   conversationId: z.string().optional().nullable(),
-  attachments: z.array(z.any()).optional().nullable(),
+  attachments: RawFileInputArraySchema.optional().nullable(),
 })
 
 export async function POST(request: NextRequest) {
@@ -95,14 +96,14 @@ export async function POST(request: NextRequest) {
 
       if (attachments.length > 0) {
         const totalSize = attachments.reduce((sum, file) => sum + file.size, 0)
-        const maxSize = 4 * 1024 * 1024 // 4MB
+        const maxSize = 3 * 1024 * 1024 // 3MB - Microsoft Graph API limit for inline attachments
 
         if (totalSize > maxSize) {
           const sizeMB = (totalSize / (1024 * 1024)).toFixed(2)
           return NextResponse.json(
             {
               success: false,
-              error: `Total attachment size (${sizeMB}MB) exceeds Outlook's limit of 4MB per request`,
+              error: `Total attachment size (${sizeMB}MB) exceeds Microsoft Graph API limit of 3MB per request`,
             },
             { status: 400 }
           )

apps/sim/app/api/tools/pipedrive/get-files/route.ts

@@ -0,0 +1,165 @@
+import { createLogger } from '@sim/logger'
+import { type NextRequest, NextResponse } from 'next/server'
+import { z } from 'zod'
+import { checkInternalAuth } from '@/lib/auth/hybrid'
+import {
+  secureFetchWithPinnedIP,
+  validateUrlWithDNS,
+} from '@/lib/core/security/input-validation.server'
+import { generateRequestId } from '@/lib/core/utils/request'
+import { getFileExtension, getMimeTypeFromExtension } from '@/lib/uploads/utils/file-utils'
+
+export const dynamic = 'force-dynamic'
+
+const logger = createLogger('PipedriveGetFilesAPI')
+
+interface PipedriveFile {
+  id?: number
+  name?: string
+  url?: string
+}
+
+interface PipedriveApiResponse {
+  success: boolean
+  data?: PipedriveFile[]
+  error?: string
+}
+
+const PipedriveGetFilesSchema = z.object({
+  accessToken: z.string().min(1, 'Access token is required'),
+  deal_id: z.string().optional().nullable(),
+  person_id: z.string().optional().nullable(),
+  org_id: z.string().optional().nullable(),
+  limit: z.string().optional().nullable(),
+  downloadFiles: z.boolean().optional().default(false),
+})
+
+export async function POST(request: NextRequest) {
+  const requestId = generateRequestId()
+
+  try {
+    const authResult = await checkInternalAuth(request, { requireWorkflowId: false })
+
+    if (!authResult.success) {
+      logger.warn(`[${requestId}] Unauthorized Pipedrive get files attempt: ${authResult.error}`)
+      return NextResponse.json(
+        {
+          success: false,
+          error: authResult.error || 'Authentication required',
+        },
+        { status: 401 }
+      )
+    }
+
+    const body = await request.json()
+    const validatedData = PipedriveGetFilesSchema.parse(body)
+
+    const { accessToken, deal_id, person_id, org_id, limit, downloadFiles } = validatedData
+
+    const baseUrl = 'https://api.pipedrive.com/v1/files'
+    const queryParams = new URLSearchParams()
+
+    if (deal_id) queryParams.append('deal_id', deal_id)
+    if (person_id) queryParams.append('person_id', person_id)
+    if (org_id) queryParams.append('org_id', org_id)
+    if (limit) queryParams.append('limit', limit)
+
+    const queryString = queryParams.toString()
+    const apiUrl = queryString ? `${baseUrl}?${queryString}` : baseUrl
+
+    logger.info(`[${requestId}] Fetching files from Pipedrive`, { deal_id, person_id, org_id })
+
+    const urlValidation = await validateUrlWithDNS(apiUrl, 'apiUrl')
+    if (!urlValidation.isValid) {
+      return NextResponse.json({ success: false, error: urlValidation.error }, { status: 400 })
+    }
+
+    const response = await secureFetchWithPinnedIP(apiUrl, urlValidation.resolvedIP!, {
+      method: 'GET',
+      headers: {
+        Authorization: `Bearer ${accessToken}`,
+        Accept: 'application/json',
+      },
+    })
+
+    const data = (await response.json()) as PipedriveApiResponse
+
+    if (!data.success) {
+      logger.error(`[${requestId}] Pipedrive API request failed`, { data })
+      return NextResponse.json(
+        { success: false, error: data.error || 'Failed to fetch files from Pipedrive' },
+        { status: 400 }
+      )
+    }
+
+    const files = data.data || []
+    const downloadedFiles: Array<{
+      name: string
+      mimeType: string
+      data: string
+      size: number
+    }> = []
+
+    if (downloadFiles) {
+      for (const file of files) {
+        if (!file?.url) continue
+
+        try {
+          const fileUrlValidation = await validateUrlWithDNS(file.url, 'fileUrl')
+          if (!fileUrlValidation.isValid) continue
+
+          const downloadResponse = await secureFetchWithPinnedIP(
+            file.url,
+            fileUrlValidation.resolvedIP!,
+            {
+              method: 'GET',
+              headers: { Authorization: `Bearer ${accessToken}` },
+            }
+          )
+
+          if (!downloadResponse.ok) continue
+
+          const arrayBuffer = await downloadResponse.arrayBuffer()
+          const buffer = Buffer.from(arrayBuffer)
+          const extension = getFileExtension(file.name || '')
+          const mimeType =
+            downloadResponse.headers.get('content-type') || getMimeTypeFromExtension(extension)
+          const fileName = file.name || `pipedrive-file-${file.id || Date.now()}`
+
+          downloadedFiles.push({
+            name: fileName,
+            mimeType,
+            data: buffer.toString('base64'),
+            size: buffer.length,
+          })
+        } catch (error) {
+          logger.warn(`[${requestId}] Failed to download file ${file.id}:`, error)
+        }
+      }
+    }
+
+    logger.info(`[${requestId}] Pipedrive files fetched successfully`, {
+      fileCount: files.length,
+      downloadedCount: downloadedFiles.length,
+    })
+
+    return NextResponse.json({
+      success: true,
+      output: {
+        files,
+        downloadedFiles: downloadedFiles.length > 0 ? downloadedFiles : undefined,
+        total_items: files.length,
+        success: true,
+      },
+    })
+  } catch (error) {
+    logger.error(`[${requestId}] Error fetching Pipedrive files:`, error)
+    return NextResponse.json(
+      {
+        success: false,
+        error: error instanceof Error ? error.message : 'Unknown error occurred',
+      },
+      { status: 500 }
+    )
+  }
+}

apps/sim/app/api/tools/pulse/parse/route.ts

@@ -2,15 +2,14 @@ import { createLogger } from '@sim/logger'
 import { type NextRequest, NextResponse } from 'next/server'
 import { z } from 'zod'
 import { checkInternalAuth } from '@/lib/auth/hybrid'
-import { generateRequestId } from '@/lib/core/utils/request'
-import { getBaseUrl } from '@/lib/core/utils/urls'
-import { StorageService } from '@/lib/uploads'
 import {
-  extractStorageKey,
+  secureFetchWithPinnedIP,
-  inferContextFromKey,
+  validateUrlWithDNS,
-  isInternalFileUrl,
+} from '@/lib/core/security/input-validation.server'
-} from '@/lib/uploads/utils/file-utils'
+import { generateRequestId } from '@/lib/core/utils/request'
-import { verifyFileAccess } from '@/app/api/files/authorization'
+import { RawFileInputSchema } from '@/lib/uploads/utils/file-schemas'
+import { isInternalFileUrl } from '@/lib/uploads/utils/file-utils'
+import { resolveFileInputToUrl } from '@/lib/uploads/utils/file-utils.server'
 
 export const dynamic = 'force-dynamic'
 
@@ -18,7 +17,8 @@ const logger = createLogger('PulseParseAPI')
 
 const PulseParseSchema = z.object({
   apiKey: z.string().min(1, 'API key is required'),
-  filePath: z.string().min(1, 'File path is required'),
+  filePath: z.string().optional(),
+  file: RawFileInputSchema.optional(),
   pages: z.string().optional(),
   extractFigure: z.boolean().optional(),
   figureDescription: z.boolean().optional(),
@@ -51,50 +51,30 @@ export async function POST(request: NextRequest) {
     const validatedData = PulseParseSchema.parse(body)
 
     logger.info(`[${requestId}] Pulse parse request`, {
+      fileName: validatedData.file?.name,
       filePath: validatedData.filePath,
-      isWorkspaceFile: isInternalFileUrl(validatedData.filePath),
+      isWorkspaceFile: validatedData.filePath ? isInternalFileUrl(validatedData.filePath) : false,
       userId,
     })
 
-    let fileUrl = validatedData.filePath
+    const resolution = await resolveFileInputToUrl({
+      file: validatedData.file,
+      filePath: validatedData.filePath,
+      userId,
+      requestId,
+      logger,
+    })
 
-    if (isInternalFileUrl(validatedData.filePath)) {
+    if (resolution.error) {
-      try {
+      return NextResponse.json(
-        const storageKey = extractStorageKey(validatedData.filePath)
+        { success: false, error: resolution.error.message },
-        const context = inferContextFromKey(storageKey)
+        { status: resolution.error.status }
+      )
+    }
 
-        const hasAccess = await verifyFileAccess(storageKey, userId, undefined, context, false)
+    const fileUrl = resolution.fileUrl
-
+    if (!fileUrl) {
-        if (!hasAccess) {
+      return NextResponse.json({ success: false, error: 'File input is required' }, { status: 400 })
-          logger.warn(`[${requestId}] Unauthorized presigned URL generation attempt`, {
-            userId,
-            key: storageKey,
-            context,
-          })
-          return NextResponse.json(
-            {
-              success: false,
-              error: 'File not found',
-            },
-            { status: 404 }
-          )
-        }
-
-        fileUrl = await StorageService.generatePresignedDownloadUrl(storageKey, context, 5 * 60)
-        logger.info(`[${requestId}] Generated presigned URL for ${context} file`)
-      } catch (error) {
-        logger.error(`[${requestId}] Failed to generate presigned URL:`, error)
-        return NextResponse.json(
-          {
-            success: false,
-            error: 'Failed to generate file access URL',
-          },
-          { status: 500 }
-        )
-      }
-    } else if (validatedData.filePath?.startsWith('/')) {
-      const baseUrl = getBaseUrl()
-      fileUrl = `${baseUrl}${validatedData.filePath}`
     }
 
     const formData = new FormData()
@@ -119,13 +99,36 @@ export async function POST(request: NextRequest) {
       formData.append('chunk_size', String(validatedData.chunkSize))
     }
 
-    const pulseResponse = await fetch('https://api.runpulse.com/extract', {
+    const pulseEndpoint = 'https://api.runpulse.com/extract'
-      method: 'POST',
+    const pulseValidation = await validateUrlWithDNS(pulseEndpoint, 'Pulse API URL')
-      headers: {
+    if (!pulseValidation.isValid) {
-        'x-api-key': validatedData.apiKey,
+      logger.error(`[${requestId}] Pulse API URL validation failed`, {
-      },
+        error: pulseValidation.error,
-      body: formData,
+      })
-    })
+      return NextResponse.json(
+        {
+          success: false,
+          error: 'Failed to reach Pulse API',
+        },
+        { status: 502 }
+      )
+    }
+
+    const pulsePayload = new Response(formData)
+    const contentType = pulsePayload.headers.get('content-type') || 'multipart/form-data'
+    const bodyBuffer = Buffer.from(await pulsePayload.arrayBuffer())
+    const pulseResponse = await secureFetchWithPinnedIP(
+      pulseEndpoint,
+      pulseValidation.resolvedIP!,
+      {
+        method: 'POST',
+        headers: {
+          'x-api-key': validatedData.apiKey,
+          'Content-Type': contentType,
+        },
+        body: bodyBuffer,
+      }
+    )
 
     if (!pulseResponse.ok) {
       const errorText = await pulseResponse.text()

apps/sim/app/api/tools/reducto/parse/route.ts

@@ -2,15 +2,14 @@ import { createLogger } from '@sim/logger'
 import { type NextRequest, NextResponse } from 'next/server'
 import { z } from 'zod'
 import { checkInternalAuth } from '@/lib/auth/hybrid'
-import { generateRequestId } from '@/lib/core/utils/request'
-import { getBaseUrl } from '@/lib/core/utils/urls'
-import { StorageService } from '@/lib/uploads'
 import {
-  extractStorageKey,
+  secureFetchWithPinnedIP,
-  inferContextFromKey,
+  validateUrlWithDNS,
-  isInternalFileUrl,
+} from '@/lib/core/security/input-validation.server'
-} from '@/lib/uploads/utils/file-utils'
+import { generateRequestId } from '@/lib/core/utils/request'
-import { verifyFileAccess } from '@/app/api/files/authorization'
+import { RawFileInputSchema } from '@/lib/uploads/utils/file-schemas'
+import { isInternalFileUrl } from '@/lib/uploads/utils/file-utils'
+import { resolveFileInputToUrl } from '@/lib/uploads/utils/file-utils.server'
 
 export const dynamic = 'force-dynamic'
 
@@ -18,7 +17,8 @@ const logger = createLogger('ReductoParseAPI')
 
 const ReductoParseSchema = z.object({
   apiKey: z.string().min(1, 'API key is required'),
-  filePath: z.string().min(1, 'File path is required'),
+  filePath: z.string().optional(),
+  file: RawFileInputSchema.optional(),
   pages: z.array(z.number()).optional(),
   tableOutputFormat: z.enum(['html', 'md']).optional(),
 })
@@ -47,56 +47,30 @@ export async function POST(request: NextRequest) {
     const validatedData = ReductoParseSchema.parse(body)
 
     logger.info(`[${requestId}] Reducto parse request`, {
+      fileName: validatedData.file?.name,
       filePath: validatedData.filePath,
-      isWorkspaceFile: isInternalFileUrl(validatedData.filePath),
+      isWorkspaceFile: validatedData.filePath ? isInternalFileUrl(validatedData.filePath) : false,
       userId,
     })
 
-    let fileUrl = validatedData.filePath
+    const resolution = await resolveFileInputToUrl({
+      file: validatedData.file,
+      filePath: validatedData.filePath,
+      userId,
+      requestId,
+      logger,
+    })
 
-    if (isInternalFileUrl(validatedData.filePath)) {
+    if (resolution.error) {
-      try {
+      return NextResponse.json(
-        const storageKey = extractStorageKey(validatedData.filePath)
+        { success: false, error: resolution.error.message },
-        const context = inferContextFromKey(storageKey)
+        { status: resolution.error.status }
+      )
+    }
 
-        const hasAccess = await verifyFileAccess(
+    const fileUrl = resolution.fileUrl
-          storageKey,
+    if (!fileUrl) {
-          userId,
+      return NextResponse.json({ success: false, error: 'File input is required' }, { status: 400 })
-          undefined, // customConfig
-          context, // context
-          false // isLocal
-        )
-
-        if (!hasAccess) {
-          logger.warn(`[${requestId}] Unauthorized presigned URL generation attempt`, {
-            userId,
-            key: storageKey,
-            context,
-          })
-          return NextResponse.json(
-            {
-              success: false,
-              error: 'File not found',
-            },
-            { status: 404 }
-          )
-        }
-
-        fileUrl = await StorageService.generatePresignedDownloadUrl(storageKey, context, 5 * 60)
-        logger.info(`[${requestId}] Generated presigned URL for ${context} file`)
-      } catch (error) {
-        logger.error(`[${requestId}] Failed to generate presigned URL:`, error)
-        return NextResponse.json(
-          {
-            success: false,
-            error: 'Failed to generate file access URL',
-          },
-          { status: 500 }
-        )
-      }
-    } else if (validatedData.filePath?.startsWith('/')) {
-      const baseUrl = getBaseUrl()
-      fileUrl = `${baseUrl}${validatedData.filePath}`
     }
 
     const reductoBody: Record<string, unknown> = {
@@ -104,8 +78,13 @@ export async function POST(request: NextRequest) {
     }
 
     if (validatedData.pages && validatedData.pages.length > 0) {
+      // Reducto API expects page_range as an object with start/end, not an array
+      const pages = validatedData.pages
       reductoBody.settings = {
-        page_range: validatedData.pages,
+        page_range: {
+          start: Math.min(...pages),
+          end: Math.max(...pages),
+        },
       }
     }
 
@@ -115,15 +94,34 @@ export async function POST(request: NextRequest) {
       }
     }
 
-    const reductoResponse = await fetch('https://platform.reducto.ai/parse', {
+    const reductoEndpoint = 'https://platform.reducto.ai/parse'
-      method: 'POST',
+    const reductoValidation = await validateUrlWithDNS(reductoEndpoint, 'Reducto API URL')
-      headers: {
+    if (!reductoValidation.isValid) {
-        'Content-Type': 'application/json',
+      logger.error(`[${requestId}] Reducto API URL validation failed`, {
-        Accept: 'application/json',
+        error: reductoValidation.error,
-        Authorization: `Bearer ${validatedData.apiKey}`,
+      })
-      },
+      return NextResponse.json(
-      body: JSON.stringify(reductoBody),
+        {
-    })
+          success: false,
+          error: 'Failed to reach Reducto API',
+        },
+        { status: 502 }
+      )
+    }
+
+    const reductoResponse = await secureFetchWithPinnedIP(
+      reductoEndpoint,
+      reductoValidation.resolvedIP!,
+      {
+        method: 'POST',
+        headers: {
+          'Content-Type': 'application/json',
+          Accept: 'application/json',
+          Authorization: `Bearer ${validatedData.apiKey}`,
+        },
+        body: JSON.stringify(reductoBody),
+      }
+    )
 
     if (!reductoResponse.ok) {
       const errorText = await reductoResponse.text()

apps/sim/app/api/tools/s3/put-object/route.ts

@@ -4,6 +4,7 @@ import { type NextRequest, NextResponse } from 'next/server'
 import { z } from 'zod'
 import { checkInternalAuth } from '@/lib/auth/hybrid'
 import { generateRequestId } from '@/lib/core/utils/request'
+import { RawFileInputSchema } from '@/lib/uploads/utils/file-schemas'
 import { processSingleFileToUserFile } from '@/lib/uploads/utils/file-utils'
 import { downloadFileFromStorage } from '@/lib/uploads/utils/file-utils.server'
 
@@ -17,7 +18,7 @@ const S3PutObjectSchema = z.object({
   region: z.string().min(1, 'Region is required'),
   bucketName: z.string().min(1, 'Bucket name is required'),
   objectKey: z.string().min(1, 'Object key is required'),
-  file: z.any().optional().nullable(),
+  file: RawFileInputSchema.optional().nullable(),
   content: z.string().optional().nullable(),
   contentType: z.string().optional().nullable(),
   acl: z.string().optional().nullable(),

apps/sim/app/api/tools/sftp/download/route.ts

@@ -4,6 +4,7 @@ import { type NextRequest, NextResponse } from 'next/server'
 import { z } from 'zod'
 import { checkInternalAuth } from '@/lib/auth/hybrid'
 import { generateRequestId } from '@/lib/core/utils/request'
+import { getFileExtension, getMimeTypeFromExtension } from '@/lib/uploads/utils/file-utils'
 import { createSftpConnection, getSftp, isPathSafe, sanitizePath } from '@/app/api/tools/sftp/utils'
 
 export const dynamic = 'force-dynamic'
@@ -111,6 +112,8 @@ export async function POST(request: NextRequest) {
 
       const buffer = Buffer.concat(chunks)
       const fileName = path.basename(remotePath)
+      const extension = getFileExtension(fileName)
+      const mimeType = getMimeTypeFromExtension(extension)
 
       let content: string
       if (params.encoding === 'base64') {
@@ -124,6 +127,12 @@ export async function POST(request: NextRequest) {
       return NextResponse.json({
         success: true,
         fileName,
+        file: {
+          name: fileName,
+          mimeType,
+          data: buffer.toString('base64'),
+          size: buffer.length,
+        },
         content,
         size: buffer.length,
         encoding: params.encoding,

apps/sim/app/api/tools/sftp/upload/route.ts

@@ -3,6 +3,7 @@ import { type NextRequest, NextResponse } from 'next/server'
 import { z } from 'zod'
 import { checkInternalAuth } from '@/lib/auth/hybrid'
 import { generateRequestId } from '@/lib/core/utils/request'
+import { RawFileInputArraySchema } from '@/lib/uploads/utils/file-schemas'
 import { processFilesToUserFiles } from '@/lib/uploads/utils/file-utils'
 import { downloadFileFromStorage } from '@/lib/uploads/utils/file-utils.server'
 import {
@@ -26,14 +27,7 @@ const UploadSchema = z.object({
   privateKey: z.string().nullish(),
   passphrase: z.string().nullish(),
   remotePath: z.string().min(1, 'Remote path is required'),
-  files: z
+  files: RawFileInputArraySchema.optional().nullable(),
-    .union([z.array(z.any()), z.string(), z.number(), z.null(), z.undefined()])
-    .transform((val) => {
-      if (Array.isArray(val)) return val
-      if (val === null || val === undefined || val === '') return undefined
-      return undefined
-    })
-    .nullish(),
   fileContent: z.string().nullish(),
   fileName: z.string().nullish(),
   overwrite: z.boolean().default(true),

apps/sim/app/api/tools/sharepoint/upload/route.ts

@@ -2,9 +2,12 @@ import { createLogger } from '@sim/logger'
 import { type NextRequest, NextResponse } from 'next/server'
 import { z } from 'zod'
 import { checkInternalAuth } from '@/lib/auth/hybrid'
+import { secureFetchWithValidation } from '@/lib/core/security/input-validation.server'
 import { generateRequestId } from '@/lib/core/utils/request'
+import { RawFileInputArraySchema } from '@/lib/uploads/utils/file-schemas'
 import { processFilesToUserFiles } from '@/lib/uploads/utils/file-utils'
 import { downloadFileFromStorage } from '@/lib/uploads/utils/file-utils.server'
+import type { MicrosoftGraphDriveItem } from '@/tools/onedrive/types'
 
 export const dynamic = 'force-dynamic'
 
@@ -16,7 +19,7 @@ const SharepointUploadSchema = z.object({
   driveId: z.string().optional().nullable(),
   folderPath: z.string().optional().nullable(),
   fileName: z.string().optional().nullable(),
-  files: z.array(z.any()).optional().nullable(),
+  files: RawFileInputArraySchema.optional().nullable(),
 })
 
 export async function POST(request: NextRequest) {
@@ -79,18 +82,23 @@ export async function POST(request: NextRequest) {
     let effectiveDriveId = validatedData.driveId
     if (!effectiveDriveId) {
       logger.info(`[${requestId}] No driveId provided, fetching default drive for site`)
-      const driveResponse = await fetch(
+      const driveUrl = `https://graph.microsoft.com/v1.0/sites/${validatedData.siteId}/drive`
-        `https://graph.microsoft.com/v1.0/sites/${validatedData.siteId}/drive`,
+      const driveResponse = await secureFetchWithValidation(
+        driveUrl,
         {
+          method: 'GET',
           headers: {
             Authorization: `Bearer ${validatedData.accessToken}`,
             Accept: 'application/json',
           },
-        }
+        },
+        'driveUrl'
       )
 
       if (!driveResponse.ok) {
-        const errorData = await driveResponse.json().catch(() => ({}))
+        const errorData = (await driveResponse.json().catch(() => ({}))) as {
+          error?: { message?: string }
+        }
         logger.error(`[${requestId}] Failed to get default drive:`, errorData)
         return NextResponse.json(
           {
@@ -101,7 +109,7 @@ export async function POST(request: NextRequest) {
         )
       }
 
-      const driveData = await driveResponse.json()
+      const driveData = (await driveResponse.json()) as { id: string }
       effectiveDriveId = driveData.id
       logger.info(`[${requestId}] Using default drive: ${effectiveDriveId}`)
     }
@@ -145,34 +153,87 @@ export async function POST(request: NextRequest) {
 
       logger.info(`[${requestId}] Uploading to: ${uploadUrl}`)
 
-      const uploadResponse = await fetch(uploadUrl, {
+      const uploadResponse = await secureFetchWithValidation(
-        method: 'PUT',
+        uploadUrl,
-        headers: {
+        {
-          Authorization: `Bearer ${validatedData.accessToken}`,
+          method: 'PUT',
-          'Content-Type': userFile.type || 'application/octet-stream',
+          headers: {
+            Authorization: `Bearer ${validatedData.accessToken}`,
+            'Content-Type': userFile.type || 'application/octet-stream',
+          },
+          body: buffer,
         },
-        body: new Uint8Array(buffer),
+        'uploadUrl'
-      })
+      )
 
       if (!uploadResponse.ok) {
         const errorData = await uploadResponse.json().catch(() => ({}))
         logger.error(`[${requestId}] Failed to upload file ${fileName}:`, errorData)
 
         if (uploadResponse.status === 409) {
-          logger.warn(`[${requestId}] File ${fileName} already exists, attempting to replace`)
+          // File exists - retry with conflict behavior set to replace
+          logger.warn(`[${requestId}] File ${fileName} already exists, retrying with replace`)
+          const replaceUrl = `${uploadUrl}?@microsoft.graph.conflictBehavior=replace`
+          const replaceResponse = await secureFetchWithValidation(
+            replaceUrl,
+            {
+              method: 'PUT',
+              headers: {
+                Authorization: `Bearer ${validatedData.accessToken}`,
+                'Content-Type': userFile.type || 'application/octet-stream',
+              },
+              body: buffer,
+            },
+            'replaceUrl'
+          )
+
+          if (!replaceResponse.ok) {
+            const replaceErrorData = (await replaceResponse.json().catch(() => ({}))) as {
+              error?: { message?: string }
+            }
+            logger.error(`[${requestId}] Failed to replace file ${fileName}:`, replaceErrorData)
+            return NextResponse.json(
+              {
+                success: false,
+                error: replaceErrorData.error?.message || `Failed to replace file: ${fileName}`,
+              },
+              { status: replaceResponse.status }
+            )
+          }
+
+          const replaceData = (await replaceResponse.json()) as {
+            id: string
+            name: string
+            webUrl: string
+            size: number
+            createdDateTime: string
+            lastModifiedDateTime: string
+          }
+          logger.info(`[${requestId}] File replaced successfully: ${fileName}`)
+
+          uploadedFiles.push({
+            id: replaceData.id,
+            name: replaceData.name,
+            webUrl: replaceData.webUrl,
+            size: replaceData.size,
+            createdDateTime: replaceData.createdDateTime,
+            lastModifiedDateTime: replaceData.lastModifiedDateTime,
+          })
           continue
         }
 
         return NextResponse.json(
           {
             success: false,
-            error: errorData.error?.message || `Failed to upload file: ${fileName}`,
+            error:
+              (errorData as { error?: { message?: string } }).error?.message ||
+              `Failed to upload file: ${fileName}`,
           },
           { status: uploadResponse.status }
         )
       }
 
-      const uploadData = await uploadResponse.json()
+      const uploadData = (await uploadResponse.json()) as MicrosoftGraphDriveItem
       logger.info(`[${requestId}] File uploaded successfully: ${fileName}`)
 
       uploadedFiles.push({

apps/sim/app/api/tools/slack/download/route.ts

@@ -0,0 +1,170 @@
+import { createLogger } from '@sim/logger'
+import { type NextRequest, NextResponse } from 'next/server'
+import { z } from 'zod'
+import { checkInternalAuth } from '@/lib/auth/hybrid'
+import {
+  secureFetchWithPinnedIP,
+  validateUrlWithDNS,
+} from '@/lib/core/security/input-validation.server'
+import { generateRequestId } from '@/lib/core/utils/request'
+
+export const dynamic = 'force-dynamic'
+
+const logger = createLogger('SlackDownloadAPI')
+
+const SlackDownloadSchema = z.object({
+  accessToken: z.string().min(1, 'Access token is required'),
+  fileId: z.string().min(1, 'File ID is required'),
+  fileName: z.string().optional().nullable(),
+})
+
+export async function POST(request: NextRequest) {
+  const requestId = generateRequestId()
+
+  try {
+    const authResult = await checkInternalAuth(request, { requireWorkflowId: false })
+
+    if (!authResult.success) {
+      logger.warn(`[${requestId}] Unauthorized Slack download attempt: ${authResult.error}`)
+      return NextResponse.json(
+        {
+          success: false,
+          error: authResult.error || 'Authentication required',
+        },
+        { status: 401 }
+      )
+    }
+
+    logger.info(`[${requestId}] Authenticated Slack download request via ${authResult.authType}`, {
+      userId: authResult.userId,
+    })
+
+    const body = await request.json()
+    const validatedData = SlackDownloadSchema.parse(body)
+
+    const { accessToken, fileId, fileName } = validatedData
+
+    logger.info(`[${requestId}] Getting file info from Slack`, { fileId })
+
+    const infoResponse = await fetch(`https://slack.com/api/files.info?file=${fileId}`, {
+      method: 'GET',
+      headers: {
+        Authorization: `Bearer ${accessToken}`,
+      },
+    })
+
+    if (!infoResponse.ok) {
+      const errorDetails = await infoResponse.json().catch(() => ({}))
+      logger.error(`[${requestId}] Failed to get file info from Slack`, {
+        status: infoResponse.status,
+        statusText: infoResponse.statusText,
+        error: errorDetails,
+      })
+      return NextResponse.json(
+        {
+          success: false,
+          error: errorDetails.error || 'Failed to get file info',
+        },
+        { status: 400 }
+      )
+    }
+
+    const data = await infoResponse.json()
+
+    if (!data.ok) {
+      logger.error(`[${requestId}] Slack API returned error`, { error: data.error })
+      return NextResponse.json(
+        {
+          success: false,
+          error: data.error || 'Slack API error',
+        },
+        { status: 400 }
+      )
+    }
+
+    const file = data.file
+    const resolvedFileName = fileName || file.name || 'download'
+    const mimeType = file.mimetype || 'application/octet-stream'
+    const urlPrivate = file.url_private
+
+    if (!urlPrivate) {
+      return NextResponse.json(
+        {
+          success: false,
+          error: 'File does not have a download URL',
+        },
+        { status: 400 }
+      )
+    }
+
+    const urlValidation = await validateUrlWithDNS(urlPrivate, 'urlPrivate')
+    if (!urlValidation.isValid) {
+      return NextResponse.json(
+        {
+          success: false,
+          error: urlValidation.error,
+        },
+        { status: 400 }
+      )
+    }
+
+    logger.info(`[${requestId}] Downloading file from Slack`, {
+      fileId,
+      fileName: resolvedFileName,
+      mimeType,
+    })
+
+    const downloadResponse = await secureFetchWithPinnedIP(urlPrivate, urlValidation.resolvedIP!, {
+      headers: {
+        Authorization: `Bearer ${accessToken}`,
+      },
+    })
+
+    if (!downloadResponse.ok) {
+      logger.error(`[${requestId}] Failed to download file content`, {
+        status: downloadResponse.status,
+        statusText: downloadResponse.statusText,
+      })
+      return NextResponse.json(
+        {
+          success: false,
+          error: 'Failed to download file content',
+        },
+        { status: 400 }
+      )
+    }
+
+    const arrayBuffer = await downloadResponse.arrayBuffer()
+    const fileBuffer = Buffer.from(arrayBuffer)
+
+    logger.info(`[${requestId}] File downloaded successfully`, {
+      fileId,
+      name: resolvedFileName,
+      size: fileBuffer.length,
+      mimeType,
+    })
+
+    const base64Data = fileBuffer.toString('base64')
+
+    return NextResponse.json({
+      success: true,
+      output: {
+        file: {
+          name: resolvedFileName,
+          mimeType,
+          data: base64Data,
+          size: fileBuffer.length,
+        },
+      },
+    })
+  } catch (error) {
+    logger.error(`[${requestId}] Error downloading Slack file:`, error)
+    return NextResponse.json(
+      {
+        success: false,
+        error: error instanceof Error ? error.message : 'Unknown error occurred',
+      },
+      { status: 500 }
+    )
+  }
+}

apps/sim/app/api/tools/slack/send-message/route.ts

@@ -3,6 +3,7 @@ import { type NextRequest, NextResponse } from 'next/server'
 import { z } from 'zod'
 import { checkInternalAuth } from '@/lib/auth/hybrid'
 import { generateRequestId } from '@/lib/core/utils/request'
+import { RawFileInputArraySchema } from '@/lib/uploads/utils/file-schemas'
 import { sendSlackMessage } from '../utils'
 
 export const dynamic = 'force-dynamic'
@@ -16,7 +17,7 @@ const SlackSendMessageSchema = z
     userId: z.string().optional().nullable(),
     text: z.string().min(1, 'Message text is required'),
     thread_ts: z.string().optional().nullable(),
-    files: z.array(z.any()).optional().nullable(),
+    files: RawFileInputArraySchema.optional().nullable(),
   })
   .refine((data) => data.channel || data.userId, {
     message: 'Either channel or userId is required',

apps/sim/app/api/tools/slack/utils.ts

@@ -1,6 +1,8 @@
 import type { Logger } from '@sim/logger'
+import { secureFetchWithValidation } from '@/lib/core/security/input-validation.server'
 import { processFilesToUserFiles } from '@/lib/uploads/utils/file-utils'
 import { downloadFileFromStorage } from '@/lib/uploads/utils/file-utils.server'
+import type { ToolFileData } from '@/tools/types'
 
 /**
  * Sends a message to a Slack channel using chat.postMessage
@@ -70,14 +72,21 @@ export async function uploadFilesToSlack(
   accessToken: string,
   requestId: string,
   logger: Logger
-): Promise<string[]> {
+): Promise<{ fileIds: string[]; files: ToolFileData[] }> {
   const userFiles = processFilesToUserFiles(files, requestId, logger)
   const uploadedFileIds: string[] = []
+  const uploadedFiles: ToolFileData[] = []
 
   for (const userFile of userFiles) {
     logger.info(`[${requestId}] Uploading file: ${userFile.name}`)
 
     const buffer = await downloadFileFromStorage(userFile, requestId, logger)
+    uploadedFiles.push({
+      name: userFile.name,
+      mimeType: userFile.type || 'application/octet-stream',
+      data: buffer.toString('base64'),
+      size: buffer.length,
+    })
 
     const getUrlResponse = await fetch('https://slack.com/api/files.getUploadURLExternal', {
       method: 'POST',
@@ -100,10 +109,14 @@ export async function uploadFilesToSlack(
 
     logger.info(`[${requestId}] Got upload URL for ${userFile.name}, file_id: ${urlData.file_id}`)
 
-    const uploadResponse = await fetch(urlData.upload_url, {
+    const uploadResponse = await secureFetchWithValidation(
-      method: 'POST',
+      urlData.upload_url,
-      body: new Uint8Array(buffer),
+      {
-    })
+        method: 'POST',
+        body: buffer,
+      },
+      'uploadUrl'
+    )
 
     if (!uploadResponse.ok) {
       logger.error(`[${requestId}] Failed to upload file data: ${uploadResponse.status}`)
@@ -114,7 +127,7 @@ export async function uploadFilesToSlack(
     uploadedFileIds.push(urlData.file_id)
   }
 
-  return uploadedFileIds
+  return { fileIds: uploadedFileIds, files: uploadedFiles }
 }
 
 /**
@@ -124,7 +137,8 @@ export async function completeSlackFileUpload(
   uploadedFileIds: string[],
   channel: string,
   text: string,
-  accessToken: string
+  accessToken: string,
+  threadTs?: string | null
 ): Promise<{ ok: boolean; files?: any[]; error?: string }> {
   const response = await fetch('https://slack.com/api/files.completeUploadExternal', {
     method: 'POST',
@@ -136,6 +150,7 @@ export async function completeSlackFileUpload(
       files: uploadedFileIds.map((id) => ({ id })),
       channel_id: channel,
       initial_comment: text,
+      ...(threadTs && { thread_ts: threadTs }),
     }),
   })
 
@@ -217,7 +232,13 @@ export async function sendSlackMessage(
   logger: Logger
 ): Promise<{
   success: boolean
-  output?: { message: any; ts: string; channel: string; fileCount?: number }
+  output?: {
+    message: any
+    ts: string
+    channel: string
+    fileCount?: number
+    files?: ToolFileData[]
+  }
   error?: string
 }> {
   const { accessToken, text, threadTs, files } = params
@@ -249,10 +270,15 @@ export async function sendSlackMessage(
 
   // Process files
   logger.info(`[${requestId}] Processing ${files.length} file(s)`)
-  const uploadedFileIds = await uploadFilesToSlack(files, accessToken, requestId, logger)
+  const { fileIds, files: uploadedFiles } = await uploadFilesToSlack(
+    files,
+    accessToken,
+    requestId,
+    logger
+  )
 
   // No valid files uploaded - send text-only
-  if (uploadedFileIds.length === 0) {
+  if (fileIds.length === 0) {
     logger.warn(`[${requestId}] No valid files to upload, sending text-only message`)
 
     const data = await postSlackMessage(accessToken, channel, text, threadTs)
@@ -264,8 +290,8 @@ export async function sendSlackMessage(
     return { success: true, output: formatMessageSuccessResponse(data, text) }
   }
 
-  // Complete file upload
+  // Complete file upload with thread support
-  const completeData = await completeSlackFileUpload(uploadedFileIds, channel, text, accessToken)
+  const completeData = await completeSlackFileUpload(fileIds, channel, text, accessToken, threadTs)
 
   if (!completeData.ok) {
     logger.error(`[${requestId}] Failed to complete upload:`, completeData.error)
@@ -282,7 +308,8 @@ export async function sendSlackMessage(
       message: fileMessage,
       ts: fileMessage.ts,
       channel,
-      fileCount: uploadedFileIds.length,
+      fileCount: fileIds.length,
+      files: uploadedFiles,
     },
   }
 }

apps/sim/app/api/tools/smtp/send/route.ts

@@ -4,6 +4,7 @@ import nodemailer from 'nodemailer'
 import { z } from 'zod'
 import { checkInternalAuth } from '@/lib/auth/hybrid'
 import { generateRequestId } from '@/lib/core/utils/request'
+import { RawFileInputArraySchema } from '@/lib/uploads/utils/file-schemas'
 import { processFilesToUserFiles } from '@/lib/uploads/utils/file-utils'
 import { downloadFileFromStorage } from '@/lib/uploads/utils/file-utils.server'
 
@@ -28,7 +29,7 @@ const SmtpSendSchema = z.object({
   cc: z.string().optional().nullable(),
   bcc: z.string().optional().nullable(),
   replyTo: z.string().optional().nullable(),
-  attachments: z.array(z.any()).optional().nullable(),
+  attachments: RawFileInputArraySchema.optional().nullable(),
 })
 
 export async function POST(request: NextRequest) {

apps/sim/app/api/tools/ssh/download-file/route.ts

@@ -5,6 +5,7 @@ import { type NextRequest, NextResponse } from 'next/server'
 import type { Client, SFTPWrapper } from 'ssh2'
 import { z } from 'zod'
 import { checkInternalAuth } from '@/lib/auth/hybrid'
+import { getFileExtension, getMimeTypeFromExtension } from '@/lib/uploads/utils/file-utils'
 import { createSSHConnection, sanitizePath } from '@/app/api/tools/ssh/utils'
 
 const logger = createLogger('SSHDownloadFileAPI')
@@ -79,6 +80,16 @@ export async function POST(request: NextRequest) {
         })
       })
 
+      // Check file size limit (50MB to prevent memory exhaustion)
+      const maxSize = 50 * 1024 * 1024
+      if (stats.size > maxSize) {
+        const sizeMB = (stats.size / (1024 * 1024)).toFixed(2)
+        return NextResponse.json(
+          { error: `File size (${sizeMB}MB) exceeds download limit of 50MB` },
+          { status: 400 }
+        )
+      }
+
       // Read file content
       const content = await new Promise<Buffer>((resolve, reject) => {
         const chunks: Buffer[] = []
@@ -96,6 +107,8 @@ export async function POST(request: NextRequest) {
       })
 
       const fileName = path.basename(remotePath)
+      const extension = getFileExtension(fileName)
+      const mimeType = getMimeTypeFromExtension(extension)
 
       // Encode content as base64 for binary safety
       const base64Content = content.toString('base64')
@@ -104,6 +117,12 @@ export async function POST(request: NextRequest) {
 
       return NextResponse.json({
         downloaded: true,
+        file: {
+          name: fileName,
+          mimeType,
+          data: base64Content,
+          size: stats.size,
+        },
         content: base64Content,
         fileName: fileName,
         remotePath: remotePath,

apps/sim/app/api/tools/stagehand/agent/route.ts

@@ -3,6 +3,7 @@ import { type NextRequest, NextResponse } from 'next/server'
 import { z } from 'zod'
 import { checkInternalAuth } from '@/lib/auth/hybrid'
 import { env } from '@/lib/core/config/env'
+import { validateUrlWithDNS } from '@/lib/core/security/input-validation.server'
 import { isSensitiveKey, REDACTED_MARKER } from '@/lib/core/security/redaction'
 import { ensureZodObject, normalizeUrl } from '@/app/api/tools/stagehand/utils'
 
@@ -123,6 +124,10 @@ export async function POST(request: NextRequest) {
     const variablesObject = processVariables(params.variables)
 
     const startUrl = normalizeUrl(rawStartUrl)
+    const urlValidation = await validateUrlWithDNS(startUrl, 'startUrl')
+    if (!urlValidation.isValid) {
+      return NextResponse.json({ error: urlValidation.error }, { status: 400 })
+    }
 
     logger.info('Starting Stagehand agent process', {
       rawStartUrl,

apps/sim/app/api/tools/stagehand/extract/route.ts

@@ -3,6 +3,7 @@ import { type NextRequest, NextResponse } from 'next/server'
 import { z } from 'zod'
 import { checkInternalAuth } from '@/lib/auth/hybrid'
 import { env } from '@/lib/core/config/env'
+import { validateUrlWithDNS } from '@/lib/core/security/input-validation.server'
 import { ensureZodObject, normalizeUrl } from '@/app/api/tools/stagehand/utils'
 
 const logger = createLogger('StagehandExtractAPI')
@@ -51,6 +52,10 @@ export async function POST(request: NextRequest) {
     const params = validationResult.data
     const { url: rawUrl, instruction, selector, provider, apiKey, schema } = params
     const url = normalizeUrl(rawUrl)
+    const urlValidation = await validateUrlWithDNS(url, 'url')
+    if (!urlValidation.isValid) {
+      return NextResponse.json({ error: urlValidation.error }, { status: 400 })
+    }
 
     logger.info('Starting Stagehand extraction process', {
       rawUrl,

apps/sim/app/api/tools/stt/route.ts

@@ -2,7 +2,15 @@ import { createLogger } from '@sim/logger'
 import { type NextRequest, NextResponse } from 'next/server'
 import { extractAudioFromVideo, isVideoFile } from '@/lib/audio/extractor'
 import { checkInternalAuth } from '@/lib/auth/hybrid'
-import { downloadFileFromStorage } from '@/lib/uploads/utils/file-utils.server'
+import {
+  secureFetchWithPinnedIP,
+  validateUrlWithDNS,
+} from '@/lib/core/security/input-validation.server'
+import { isInternalFileUrl } from '@/lib/uploads/utils/file-utils'
+import {
+  downloadFileFromStorage,
+  resolveInternalFileUrl,
+} from '@/lib/uploads/utils/file-utils.server'
 import type { UserFile } from '@/executor/types'
 import type { TranscriptSegment } from '@/tools/stt/types'
 
@@ -45,6 +53,7 @@ export async function POST(request: NextRequest) {
       return NextResponse.json({ error: 'Unauthorized' }, { status: 401 })
     }
 
+    const userId = authResult.userId
     const body: SttRequestBody = await request.json()
     const {
       provider,
@@ -72,6 +81,9 @@ export async function POST(request: NextRequest) {
     let audioMimeType: string
 
     if (body.audioFile) {
+      if (Array.isArray(body.audioFile) && body.audioFile.length !== 1) {
+        return NextResponse.json({ error: 'audioFile must be a single file' }, { status: 400 })
+      }
       const file = Array.isArray(body.audioFile) ? body.audioFile[0] : body.audioFile
       logger.info(`[${requestId}] Processing uploaded file: ${file.name}`)
 
@@ -79,6 +91,12 @@ export async function POST(request: NextRequest) {
       audioFileName = file.name
       audioMimeType = file.type
     } else if (body.audioFileReference) {
+      if (Array.isArray(body.audioFileReference) && body.audioFileReference.length !== 1) {
+        return NextResponse.json(
+          { error: 'audioFileReference must be a single file' },
+          { status: 400 }
+        )
+      }
       const file = Array.isArray(body.audioFileReference)
         ? body.audioFileReference[0]
         : body.audioFileReference
@@ -90,14 +108,48 @@ export async function POST(request: NextRequest) {
     } else if (body.audioUrl) {
       logger.info(`[${requestId}] Downloading from URL: ${body.audioUrl}`)
 
-      const response = await fetch(body.audioUrl)
+      let audioUrl = body.audioUrl.trim()
+      if (audioUrl.startsWith('/') && !isInternalFileUrl(audioUrl)) {
+        return NextResponse.json(
+          {
+            error: 'Invalid file path. Only uploaded files are supported for internal paths.',
+          },
+          { status: 400 }
+        )
+      }
+
+      if (isInternalFileUrl(audioUrl)) {
+        if (!userId) {
+          return NextResponse.json(
+            { error: 'Authentication required for internal file access' },
+            { status: 401 }
+          )
+        }
+        const resolution = await resolveInternalFileUrl(audioUrl, userId, requestId, logger)
+        if (resolution.error) {
+          return NextResponse.json(
+            { error: resolution.error.message },
+            { status: resolution.error.status }
+          )
+        }
+        audioUrl = resolution.fileUrl || audioUrl
+      }
+
+      const urlValidation = await validateUrlWithDNS(audioUrl, 'audioUrl')
+      if (!urlValidation.isValid) {
+        return NextResponse.json({ error: urlValidation.error }, { status: 400 })
+      }
+
+      const response = await secureFetchWithPinnedIP(audioUrl, urlValidation.resolvedIP!, {
+        method: 'GET',
+      })
       if (!response.ok) {
         throw new Error(`Failed to download audio from URL: ${response.statusText}`)
       }
 
       const arrayBuffer = await response.arrayBuffer()
       audioBuffer = Buffer.from(arrayBuffer)
-      audioFileName = body.audioUrl.split('/').pop() || 'audio_file'
+      audioFileName = audioUrl.split('/').pop() || 'audio_file'
       audioMimeType = response.headers.get('content-type') || 'audio/mpeg'
     } else {
       return NextResponse.json(
@@ -149,7 +201,9 @@ export async function POST(request: NextRequest) {
           translateToEnglish,
           model,
           body.prompt,
-          body.temperature
+          body.temperature,
+          audioMimeType,
+          audioFileName
         )
         transcript = result.transcript
         segments = result.segments
@@ -162,7 +216,8 @@ export async function POST(request: NextRequest) {
           language,
           timestamps,
           diarization,
-          model
+          model,
+          audioMimeType
         )
         transcript = result.transcript
         segments = result.segments
@@ -252,7 +307,9 @@ async function transcribeWithWhisper(
   translate?: boolean,
   model?: string,
   prompt?: string,
-  temperature?: number
+  temperature?: number,
+  mimeType?: string,
+  fileName?: string
 ): Promise<{
   transcript: string
   segments?: TranscriptSegment[]
@@ -261,8 +318,11 @@ async function transcribeWithWhisper(
 }> {
   const formData = new FormData()
 
-  const blob = new Blob([new Uint8Array(audioBuffer)], { type: 'audio/mpeg' })
+  // Use actual MIME type and filename if provided
-  formData.append('file', blob, 'audio.mp3')
+  const actualMimeType = mimeType || 'audio/mpeg'
+  const actualFileName = fileName || 'audio.mp3'
+  const blob = new Blob([new Uint8Array(audioBuffer)], { type: actualMimeType })
+  formData.append('file', blob, actualFileName)
   formData.append('model', model || 'whisper-1')
 
   if (language && language !== 'auto') {
@@ -279,10 +339,11 @@ async function transcribeWithWhisper(
 
   formData.append('response_format', 'verbose_json')
 
+  // OpenAI API uses array notation for timestamp_granularities
   if (timestamps === 'word') {
-    formData.append('timestamp_granularities', 'word')
+    formData.append('timestamp_granularities[]', 'word')
   } else if (timestamps === 'sentence') {
-    formData.append('timestamp_granularities', 'segment')
+    formData.append('timestamp_granularities[]', 'segment')
   }
 
   const endpoint = translate ? 'translations' : 'transcriptions'
@@ -325,7 +386,8 @@ async function transcribeWithDeepgram(
   language?: string,
   timestamps?: 'none' | 'sentence' | 'word',
   diarization?: boolean,
-  model?: string
+  model?: string,
+  mimeType?: string
 ): Promise<{
   transcript: string
   segments?: TranscriptSegment[]
@@ -357,7 +419,7 @@ async function transcribeWithDeepgram(
     method: 'POST',
     headers: {
       Authorization: `Token ${apiKey}`,
-      'Content-Type': 'audio/mpeg',
+      'Content-Type': mimeType || 'audio/mpeg',
     },
     body: new Uint8Array(audioBuffer),
   })
@@ -513,7 +575,8 @@ async function transcribeWithAssemblyAI(
     audio_url: upload_url,
   }
 
-  if (model === 'best' || model === 'nano') {
+  // AssemblyAI supports 'best', 'slam-1', or 'universal' for speech_model
+  if (model === 'best' || model === 'slam-1' || model === 'universal') {
     transcriptRequest.speech_model = model
   }
 

apps/sim/app/api/tools/supabase/storage-upload/route.ts

@@ -3,6 +3,7 @@ import { type NextRequest, NextResponse } from 'next/server'
 import { z } from 'zod'
 import { checkInternalAuth } from '@/lib/auth/hybrid'
 import { generateRequestId } from '@/lib/core/utils/request'
+import { FileInputSchema } from '@/lib/uploads/utils/file-schemas'
 import { processSingleFileToUserFile } from '@/lib/uploads/utils/file-utils'
 import { downloadFileFromStorage } from '@/lib/uploads/utils/file-utils.server'
 
@@ -16,7 +17,7 @@ const SupabaseStorageUploadSchema = z.object({
   bucket: z.string().min(1, 'Bucket name is required'),
   fileName: z.string().min(1, 'File name is required'),
   path: z.string().optional().nullable(),
-  fileData: z.any(),
+  fileData: FileInputSchema,
   contentType: z.string().optional().nullable(),
   upsert: z.boolean().optional().default(false),
 })

apps/sim/app/api/tools/telegram/send-document/route.ts

@@ -3,6 +3,7 @@ import { type NextRequest, NextResponse } from 'next/server'
 import { z } from 'zod'
 import { checkInternalAuth } from '@/lib/auth/hybrid'
 import { generateRequestId } from '@/lib/core/utils/request'
+import { RawFileInputArraySchema } from '@/lib/uploads/utils/file-schemas'
 import { processFilesToUserFiles } from '@/lib/uploads/utils/file-utils'
 import { downloadFileFromStorage } from '@/lib/uploads/utils/file-utils.server'
 import { convertMarkdownToHTML } from '@/tools/telegram/utils'
@@ -14,7 +15,7 @@ const logger = createLogger('TelegramSendDocumentAPI')
 const TelegramSendDocumentSchema = z.object({
   botToken: z.string().min(1, 'Bot token is required'),
   chatId: z.string().min(1, 'Chat ID is required'),
-  files: z.array(z.any()).optional().nullable(),
+  files: RawFileInputArraySchema.optional().nullable(),
   caption: z.string().optional().nullable(),
 })
 
@@ -93,6 +94,14 @@ export async function POST(request: NextRequest) {
     logger.info(`[${requestId}] Uploading document: ${userFile.name}`)
 
     const buffer = await downloadFileFromStorage(userFile, requestId, logger)
+    const filesOutput = [
+      {
+        name: userFile.name,
+        mimeType: userFile.type || 'application/octet-stream',
+        data: buffer.toString('base64'),
+        size: buffer.length,
+      },
+    ]
 
     logger.info(`[${requestId}] Downloaded file: ${buffer.length} bytes`)
 
@@ -135,6 +144,7 @@ export async function POST(request: NextRequest) {
       output: {
         message: 'Document sent successfully',
         data: data.result,
+        files: filesOutput,
       },
     })
   } catch (error) {

apps/sim/app/api/tools/textract/parse/route.ts

@@ -3,19 +3,18 @@ import { createLogger } from '@sim/logger'
 import { type NextRequest, NextResponse } from 'next/server'
 import { z } from 'zod'
 import { checkInternalAuth } from '@/lib/auth/hybrid'
+import { validateAwsRegion, validateS3BucketName } from '@/lib/core/security/input-validation'
 import {
-  validateAwsRegion,
+  secureFetchWithPinnedIP,
-  validateExternalUrl,
+  validateUrlWithDNS,
-  validateS3BucketName,
+} from '@/lib/core/security/input-validation.server'
-} from '@/lib/core/security/input-validation'
 import { generateRequestId } from '@/lib/core/utils/request'
-import { StorageService } from '@/lib/uploads'
+import { RawFileInputSchema } from '@/lib/uploads/utils/file-schemas'
+import { isInternalFileUrl, processSingleFileToUserFile } from '@/lib/uploads/utils/file-utils'
 import {
-  extractStorageKey,
+  downloadFileFromStorage,
-  inferContextFromKey,
+  resolveInternalFileUrl,
-  isInternalFileUrl,
+} from '@/lib/uploads/utils/file-utils.server'
-} from '@/lib/uploads/utils/file-utils'
-import { verifyFileAccess } from '@/app/api/files/authorization'
 
 export const dynamic = 'force-dynamic'
 export const maxDuration = 300 // 5 minutes for large multi-page PDF processing
@@ -35,6 +34,7 @@ const TextractParseSchema = z
     region: z.string().min(1, 'AWS region is required'),
     processingMode: z.enum(['sync', 'async']).optional().default('sync'),
     filePath: z.string().optional(),
+    file: RawFileInputSchema.optional(),
     s3Uri: z.string().optional(),
     featureTypes: z
       .array(z.enum(['TABLES', 'FORMS', 'QUERIES', 'SIGNATURES', 'LAYOUT']))
@@ -50,6 +50,20 @@ const TextractParseSchema = z
         path: ['region'],
       })
     }
+    if (data.processingMode === 'async' && !data.s3Uri) {
+      ctx.addIssue({
+        code: z.ZodIssueCode.custom,
+        message: 'S3 URI is required for multi-page processing (s3://bucket/key)',
+        path: ['s3Uri'],
+      })
+    }
+    if (data.processingMode !== 'async' && !data.file && !data.filePath) {
+      ctx.addIssue({
+        code: z.ZodIssueCode.custom,
+        message: 'File input is required for single-page processing',
+        path: ['filePath'],
+      })
+    }
   })
 
 function getSignatureKey(
@@ -111,7 +125,14 @@ function signAwsRequest(
 }
 
 async function fetchDocumentBytes(url: string): Promise<{ bytes: string; contentType: string }> {
-  const response = await fetch(url)
+  const urlValidation = await validateUrlWithDNS(url, 'Document URL')
+  if (!urlValidation.isValid) {
+    throw new Error(urlValidation.error || 'Invalid document URL')
+  }
+
+  const response = await secureFetchWithPinnedIP(url, urlValidation.resolvedIP!, {
+    method: 'GET',
+  })
   if (!response.ok) {
     throw new Error(`Failed to fetch document: ${response.statusText}`)
   }
@@ -318,8 +339,8 @@ export async function POST(request: NextRequest) {
 
     logger.info(`[${requestId}] Textract parse request`, {
       processingMode,
-      filePath: validatedData.filePath?.substring(0, 50),
+      hasFile: Boolean(validatedData.file),
-      s3Uri: validatedData.s3Uri?.substring(0, 50),
+      hasS3Uri: Boolean(validatedData.s3Uri),
       featureTypes,
       userId,
     })
@@ -414,90 +435,89 @@ export async function POST(request: NextRequest) {
       })
     }
 
-    if (!validatedData.filePath) {
+    let bytes = ''
-      return NextResponse.json(
+    let contentType = 'application/octet-stream'
-        {
+    let isPdf = false
-          success: false,
-          error: 'File path is required for single-page processing',
-        },
-        { status: 400 }
-      )
-    }
 
-    let fileUrl = validatedData.filePath
+    if (validatedData.file) {
-
+      let userFile
-    const isInternalFilePath = validatedData.filePath && isInternalFileUrl(validatedData.filePath)
-
-    if (isInternalFilePath) {
       try {
-        const storageKey = extractStorageKey(validatedData.filePath)
+        userFile = processSingleFileToUserFile(validatedData.file, requestId, logger)
-        const context = inferContextFromKey(storageKey)
-
-        const hasAccess = await verifyFileAccess(storageKey, userId, undefined, context, false)
-
-        if (!hasAccess) {
-          logger.warn(`[${requestId}] Unauthorized presigned URL generation attempt`, {
-            userId,
-            key: storageKey,
-            context,
-          })
-          return NextResponse.json(
-            {
-              success: false,
-              error: 'File not found',
-            },
-            { status: 404 }
-          )
-        }
-
-        fileUrl = await StorageService.generatePresignedDownloadUrl(storageKey, context, 5 * 60)
-        logger.info(`[${requestId}] Generated presigned URL for ${context} file`)
       } catch (error) {
-        logger.error(`[${requestId}] Failed to generate presigned URL:`, error)
         return NextResponse.json(
           {
             success: false,
-            error: 'Failed to generate file access URL',
+            error: error instanceof Error ? error.message : 'Failed to process file',
-          },
-          { status: 500 }
-        )
-      }
-    } else if (validatedData.filePath?.startsWith('/')) {
-      // Reject arbitrary absolute paths that don't contain /api/files/serve/
-      logger.warn(`[${requestId}] Invalid internal path`, {
-        userId,
-        path: validatedData.filePath.substring(0, 50),
-      })
-      return NextResponse.json(
-        {
-          success: false,
-          error: 'Invalid file path. Only uploaded files are supported for internal paths.',
-        },
-        { status: 400 }
-      )
-    } else {
-      const urlValidation = validateExternalUrl(fileUrl, 'Document URL')
-      if (!urlValidation.isValid) {
-        logger.warn(`[${requestId}] SSRF attempt blocked`, {
-          userId,
-          url: fileUrl.substring(0, 100),
-          error: urlValidation.error,
-        })
-        return NextResponse.json(
-          {
-            success: false,
-            error: urlValidation.error,
           },
           { status: 400 }
         )
       }
+
+      const buffer = await downloadFileFromStorage(userFile, requestId, logger)
+      bytes = buffer.toString('base64')
+      contentType = userFile.type || 'application/octet-stream'
+      isPdf = contentType.includes('pdf') || userFile.name?.toLowerCase().endsWith('.pdf')
+    } else if (validatedData.filePath) {
+      let fileUrl = validatedData.filePath
+
+      const isInternalFilePath = isInternalFileUrl(fileUrl)
+
+      if (isInternalFilePath) {
+        const resolution = await resolveInternalFileUrl(fileUrl, userId, requestId, logger)
+        if (resolution.error) {
+          return NextResponse.json(
+            {
+              success: false,
+              error: resolution.error.message,
+            },
+            { status: resolution.error.status }
+          )
+        }
+        fileUrl = resolution.fileUrl || fileUrl
+      } else if (fileUrl.startsWith('/')) {
+        logger.warn(`[${requestId}] Invalid internal path`, {
+          userId,
+          path: fileUrl.substring(0, 50),
+        })
+        return NextResponse.json(
+          {
+            success: false,
+            error: 'Invalid file path. Only uploaded files are supported for internal paths.',
+          },
+          { status: 400 }
+        )
+      } else {
+        const urlValidation = await validateUrlWithDNS(fileUrl, 'Document URL')
+        if (!urlValidation.isValid) {
+          logger.warn(`[${requestId}] SSRF attempt blocked`, {
+            userId,
+            url: fileUrl.substring(0, 100),
+            error: urlValidation.error,
+          })
+          return NextResponse.json(
+            {
+              success: false,
+              error: urlValidation.error,
+            },
+            { status: 400 }
+          )
+        }
+      }
+
+      const fetched = await fetchDocumentBytes(fileUrl)
+      bytes = fetched.bytes
+      contentType = fetched.contentType
+      isPdf = contentType.includes('pdf') || fileUrl.toLowerCase().endsWith('.pdf')
+    } else {
+      return NextResponse.json(
+        {
+          success: false,
+          error: 'File input is required for single-page processing',
+        },
+        { status: 400 }
+      )
     }
 
-    const { bytes, contentType } = await fetchDocumentBytes(fileUrl)
-
-    // Track if this is a PDF for better error messaging
-    const isPdf = contentType.includes('pdf') || fileUrl.toLowerCase().endsWith('.pdf')
-
     const uri = '/'
 
     let textractBody: Record<string, unknown>

apps/sim/app/api/tools/twilio/get-recording/route.ts

@@ -0,0 +1,250 @@
+import { createLogger } from '@sim/logger'
+import { type NextRequest, NextResponse } from 'next/server'
+import { z } from 'zod'
+import { checkInternalAuth } from '@/lib/auth/hybrid'
+import {
+  secureFetchWithPinnedIP,
+  validateUrlWithDNS,
+} from '@/lib/core/security/input-validation.server'
+import { generateRequestId } from '@/lib/core/utils/request'
+import { getExtensionFromMimeType } from '@/lib/uploads/utils/file-utils'
+
+export const dynamic = 'force-dynamic'
+
+const logger = createLogger('TwilioGetRecordingAPI')
+
+interface TwilioRecordingResponse {
+  sid?: string
+  call_sid?: string
+  duration?: string
+  status?: string
+  channels?: number
+  source?: string
+  price?: string
+  price_unit?: string
+  uri?: string
+  error_code?: number
+  message?: string
+  error_message?: string
+}
+
+interface TwilioErrorResponse {
+  message?: string
+}
+
+interface TwilioTranscription {
+  transcription_text?: string
+  status?: string
+  price?: string
+  price_unit?: string
+}
+
+interface TwilioTranscriptionsResponse {
+  transcriptions?: TwilioTranscription[]
+}
+
+const TwilioGetRecordingSchema = z.object({
+  accountSid: z.string().min(1, 'Account SID is required'),
+  authToken: z.string().min(1, 'Auth token is required'),
+  recordingSid: z.string().min(1, 'Recording SID is required'),
+})
+
+export async function POST(request: NextRequest) {
+  const requestId = generateRequestId()
+
+  try {
+    const authResult = await checkInternalAuth(request, { requireWorkflowId: false })
+
+    if (!authResult.success) {
+      logger.warn(`[${requestId}] Unauthorized Twilio get recording attempt: ${authResult.error}`)
+      return NextResponse.json(
+        {
+          success: false,
+          error: authResult.error || 'Authentication required',
+        },
+        { status: 401 }
+      )
+    }
+
+    const body = await request.json()
+    const validatedData = TwilioGetRecordingSchema.parse(body)
+
+    const { accountSid, authToken, recordingSid } = validatedData
+
+    if (!accountSid.startsWith('AC')) {
+      return NextResponse.json(
+        {
+          success: false,
+          error: `Invalid Account SID format. Account SID must start with "AC" (you provided: ${accountSid.substring(0, 2)}...)`,
+        },
+        { status: 400 }
+      )
+    }
+
+    const twilioAuth = Buffer.from(`${accountSid}:${authToken}`).toString('base64')
+
+    logger.info(`[${requestId}] Getting recording info from Twilio`, { recordingSid })
+
+    const infoUrl = `https://api.twilio.com/2010-04-01/Accounts/${accountSid}/Recordings/${recordingSid}.json`
+    const infoUrlValidation = await validateUrlWithDNS(infoUrl, 'infoUrl')
+    if (!infoUrlValidation.isValid) {
+      return NextResponse.json({ success: false, error: infoUrlValidation.error }, { status: 400 })
+    }
+
+    const infoResponse = await secureFetchWithPinnedIP(infoUrl, infoUrlValidation.resolvedIP!, {
+      method: 'GET',
+      headers: { Authorization: `Basic ${twilioAuth}` },
+    })
+
+    if (!infoResponse.ok) {
+      const errorData = (await infoResponse.json().catch(() => ({}))) as TwilioErrorResponse
+      logger.error(`[${requestId}] Twilio API error`, {
+        status: infoResponse.status,
+        error: errorData,
+      })
+      return NextResponse.json(
+        { success: false, error: errorData.message || `Twilio API error: ${infoResponse.status}` },
+        { status: 400 }
+      )
+    }
+
+    const data = (await infoResponse.json()) as TwilioRecordingResponse
+
+    if (data.error_code) {
+      return NextResponse.json({
+        success: false,
+        output: {
+          success: false,
+          error: data.message || data.error_message || 'Failed to retrieve recording',
+        },
+        error: data.message || data.error_message || 'Failed to retrieve recording',
+      })
+    }
+
+    const baseUrl = 'https://api.twilio.com'
+    const mediaUrl = data.uri ? `${baseUrl}${data.uri.replace('.json', '')}` : undefined
+
+    let transcriptionText: string | undefined
+    let transcriptionStatus: string | undefined
+    let transcriptionPrice: string | undefined
+    let transcriptionPriceUnit: string | undefined
+    let file:
+      | {
+          name: string
+          mimeType: string
+          data: string
+          size: number
+        }
+      | undefined
+
+    try {
+      const transcriptionUrl = `https://api.twilio.com/2010-04-01/Accounts/${accountSid}/Transcriptions.json?RecordingSid=${data.sid}`
+      logger.info(`[${requestId}] Checking for transcriptions`)
+
+      const transcriptionUrlValidation = await validateUrlWithDNS(
+        transcriptionUrl,
+        'transcriptionUrl'
+      )
+      if (transcriptionUrlValidation.isValid) {
+        const transcriptionResponse = await secureFetchWithPinnedIP(
+          transcriptionUrl,
+          transcriptionUrlValidation.resolvedIP!,
+          {
+            method: 'GET',
+            headers: { Authorization: `Basic ${twilioAuth}` },
+          }
+        )
+
+        if (transcriptionResponse.ok) {
+          const transcriptionData =
+            (await transcriptionResponse.json()) as TwilioTranscriptionsResponse
+
+          if (transcriptionData.transcriptions && transcriptionData.transcriptions.length > 0) {
+            const transcription = transcriptionData.transcriptions[0]
+            transcriptionText = transcription.transcription_text
+            transcriptionStatus = transcription.status
+            transcriptionPrice = transcription.price
+            transcriptionPriceUnit = transcription.price_unit
+            logger.info(`[${requestId}] Transcription found`, {
+              status: transcriptionStatus,
+              textLength: transcriptionText?.length,
+            })
+          }
+        }
+      }
+    } catch (error) {
+      logger.warn(`[${requestId}] Failed to fetch transcription:`, error)
+    }
+
+    if (mediaUrl) {
+      try {
+        const mediaUrlValidation = await validateUrlWithDNS(mediaUrl, 'mediaUrl')
+        if (mediaUrlValidation.isValid) {
+          const mediaResponse = await secureFetchWithPinnedIP(
+            mediaUrl,
+            mediaUrlValidation.resolvedIP!,
+            {
+              method: 'GET',
+              headers: { Authorization: `Basic ${twilioAuth}` },
+            }
+          )
+
+          if (mediaResponse.ok) {
+            const contentType =
+              mediaResponse.headers.get('content-type') || 'application/octet-stream'
+            const extension = getExtensionFromMimeType(contentType) || 'dat'
+            const arrayBuffer = await mediaResponse.arrayBuffer()
+            const buffer = Buffer.from(arrayBuffer)
+            const fileName = `${data.sid || recordingSid}.${extension}`
+
+            file = {
+              name: fileName,
+              mimeType: contentType,
+              data: buffer.toString('base64'),
+              size: buffer.length,
+            }
+          }
+        }
+      } catch (error) {
+        logger.warn(`[${requestId}] Failed to download recording media:`, error)
+      }
+    }
+
+    logger.info(`[${requestId}] Twilio recording fetched successfully`, {
+      recordingSid: data.sid,
+      hasFile: !!file,
+      hasTranscription: !!transcriptionText,
+    })
+
+    return NextResponse.json({
+      success: true,
+      output: {
+        success: true,
+        recordingSid: data.sid,
+        callSid: data.call_sid,
+        duration: data.duration ? Number.parseInt(data.duration, 10) : undefined,
+        status: data.status,
+        channels: data.channels,
+        source: data.source,
+        mediaUrl,
+        file,
+        price: data.price,
+        priceUnit: data.price_unit,
+        uri: data.uri,
+        transcriptionText,
+        transcriptionStatus,
+        transcriptionPrice,
+        transcriptionPriceUnit,
+      },
+    })
+  } catch (error) {
+    logger.error(`[${requestId}] Error fetching Twilio recording:`, error)
+    return NextResponse.json(
+      {
+        success: false,
+        error: error instanceof Error ? error.message : 'Unknown error occurred',
+      },
+      { status: 500 }
+    )
+  }
+}

apps/sim/app/api/tools/vision/analyze/route.ts

@@ -1,10 +1,20 @@
+import { GoogleGenAI } from '@google/genai'
 import { createLogger } from '@sim/logger'
 import { type NextRequest, NextResponse } from 'next/server'
 import { z } from 'zod'
 import { checkInternalAuth } from '@/lib/auth/hybrid'
+import {
+  secureFetchWithPinnedIP,
+  validateUrlWithDNS,
+} from '@/lib/core/security/input-validation.server'
 import { generateRequestId } from '@/lib/core/utils/request'
-import { processSingleFileToUserFile } from '@/lib/uploads/utils/file-utils'
+import { RawFileInputSchema } from '@/lib/uploads/utils/file-schemas'
-import { downloadFileFromStorage } from '@/lib/uploads/utils/file-utils.server'
+import { isInternalFileUrl, processSingleFileToUserFile } from '@/lib/uploads/utils/file-utils'
+import {
+  downloadFileFromStorage,
+  resolveInternalFileUrl,
+} from '@/lib/uploads/utils/file-utils.server'
+import { convertUsageMetadata, extractTextContent } from '@/providers/google/utils'
 
 export const dynamic = 'force-dynamic'
 
@@ -13,8 +23,8 @@ const logger = createLogger('VisionAnalyzeAPI')
 const VisionAnalyzeSchema = z.object({
   apiKey: z.string().min(1, 'API key is required'),
   imageUrl: z.string().optional().nullable(),
-  imageFile: z.any().optional().nullable(),
+  imageFile: RawFileInputSchema.optional().nullable(),
-  model: z.string().optional().default('gpt-4o'),
+  model: z.string().optional().default('gpt-5.2'),
   prompt: z.string().optional().nullable(),
 })
 
@@ -39,6 +49,7 @@ export async function POST(request: NextRequest) {
       userId: authResult.userId,
     })
 
+    const userId = authResult.userId
     const body = await request.json()
     const validatedData = VisionAnalyzeSchema.parse(body)
 
@@ -77,18 +88,72 @@ export async function POST(request: NextRequest) {
         )
       }
 
-      const buffer = await downloadFileFromStorage(userFile, requestId, logger)
+      let base64 = userFile.base64
-
+      let bufferLength = 0
-      const base64 = buffer.toString('base64')
+      if (!base64) {
+        const buffer = await downloadFileFromStorage(userFile, requestId, logger)
+        base64 = buffer.toString('base64')
+        bufferLength = buffer.length
+      }
       const mimeType = userFile.type || 'image/jpeg'
       imageSource = `data:${mimeType};base64,${base64}`
-      logger.info(`[${requestId}] Converted image to base64 (${buffer.length} bytes)`)
+      if (bufferLength > 0) {
+        logger.info(`[${requestId}] Converted image to base64 (${bufferLength} bytes)`)
+      }
+    }
+
+    let imageUrlValidation: Awaited<ReturnType<typeof validateUrlWithDNS>> | null = null
+    if (imageSource && !imageSource.startsWith('data:')) {
+      if (imageSource.startsWith('/') && !isInternalFileUrl(imageSource)) {
+        return NextResponse.json(
+          {
+            success: false,
+            error: 'Invalid file path. Only uploaded files are supported for internal paths.',
+          },
+          { status: 400 }
+        )
+      }
+
+      if (isInternalFileUrl(imageSource)) {
+        if (!userId) {
+          return NextResponse.json(
+            {
+              success: false,
+              error: 'Authentication required for internal file access',
+            },
+            { status: 401 }
+          )
+        }
+        const resolution = await resolveInternalFileUrl(imageSource, userId, requestId, logger)
+        if (resolution.error) {
+          return NextResponse.json(
+            {
+              success: false,
+              error: resolution.error.message,
+            },
+            { status: resolution.error.status }
+          )
+        }
+        imageSource = resolution.fileUrl || imageSource
+      }
+
+      imageUrlValidation = await validateUrlWithDNS(imageSource, 'imageUrl')
+      if (!imageUrlValidation.isValid) {
+        return NextResponse.json(
+          {
+            success: false,
+            error: imageUrlValidation.error,
+          },
+          { status: 400 }
+        )
+      }
     }
 
     const defaultPrompt = 'Please analyze this image and describe what you see in detail.'
     const prompt = validatedData.prompt || defaultPrompt
 
-    const isClaude = validatedData.model.startsWith('claude-3')
+    const isClaude = validatedData.model.startsWith('claude-')
+    const isGemini = validatedData.model.startsWith('gemini-')
     const apiUrl = isClaude
       ? 'https://api.anthropic.com/v1/messages'
       : 'https://api.openai.com/v1/chat/completions'
@@ -106,6 +171,72 @@ export async function POST(request: NextRequest) {
 
     let requestBody: any
 
+    if (isGemini) {
+      let base64Payload = imageSource
+      if (!base64Payload.startsWith('data:')) {
+        const urlValidation =
+          imageUrlValidation || (await validateUrlWithDNS(base64Payload, 'imageUrl'))
+        if (!urlValidation.isValid) {
+          return NextResponse.json({ success: false, error: urlValidation.error }, { status: 400 })
+        }
+
+        const response = await secureFetchWithPinnedIP(base64Payload, urlValidation.resolvedIP!, {
+          method: 'GET',
+        })
+        if (!response.ok) {
+          return NextResponse.json(
+            { success: false, error: 'Failed to fetch image for Gemini' },
+            { status: 400 }
+          )
+        }
+        const contentType =
+          response.headers.get('content-type') || validatedData.imageFile?.type || 'image/jpeg'
+        const arrayBuffer = await response.arrayBuffer()
+        const base64 = Buffer.from(arrayBuffer).toString('base64')
+        base64Payload = `data:${contentType};base64,${base64}`
+      }
+      const base64Marker = ';base64,'
+      const markerIndex = base64Payload.indexOf(base64Marker)
+      if (!base64Payload.startsWith('data:') || markerIndex === -1) {
+        return NextResponse.json(
+          { success: false, error: 'Invalid base64 image format' },
+          { status: 400 }
+        )
+      }
+      const rawMimeType = base64Payload.slice('data:'.length, markerIndex)
+      const mediaType = rawMimeType.split(';')[0] || 'image/jpeg'
+      const base64Data = base64Payload.slice(markerIndex + base64Marker.length)
+      if (!base64Data) {
+        return NextResponse.json(
+          { success: false, error: 'Invalid base64 image format' },
+          { status: 400 }
+        )
+      }
+
+      const ai = new GoogleGenAI({ apiKey: validatedData.apiKey })
+      const geminiResponse = await ai.models.generateContent({
+        model: validatedData.model,
+        contents: [
+          {
+            role: 'user',
+            parts: [{ text: prompt }, { inlineData: { mimeType: mediaType, data: base64Data } }],
+          },
+        ],
+      })
+
+      const content = extractTextContent(geminiResponse.candidates?.[0])
+      const usage = convertUsageMetadata(geminiResponse.usageMetadata)
+
+      return NextResponse.json({
+        success: true,
+        output: {
+          content,
+          model: validatedData.model,
+          tokens: usage.totalTokenCount || undefined,
+        },
+      })
+    }
+
     if (isClaude) {
       if (imageSource.startsWith('data:')) {
         const base64Match = imageSource.match(/^data:([^;]+);base64,(.+)$/)
@@ -172,7 +303,7 @@ export async function POST(request: NextRequest) {
             ],
           },
         ],
-        max_tokens: 1000,
+        max_completion_tokens: 1000,
       }
     }
 

apps/sim/app/api/tools/wordpress/upload/route.ts

@@ -3,6 +3,7 @@ import { type NextRequest, NextResponse } from 'next/server'
 import { z } from 'zod'
 import { checkInternalAuth } from '@/lib/auth/hybrid'
 import { generateRequestId } from '@/lib/core/utils/request'
+import { RawFileInputSchema } from '@/lib/uploads/utils/file-schemas'
 import {
   getFileExtension,
   getMimeTypeFromExtension,
@@ -19,7 +20,7 @@ const WORDPRESS_COM_API_BASE = 'https://public-api.wordpress.com/wp/v2/sites'
 const WordPressUploadSchema = z.object({
   accessToken: z.string().min(1, 'Access token is required'),
   siteId: z.string().min(1, 'Site ID is required'),
-  file: z.any().optional().nullable(),
+  file: RawFileInputSchema.optional().nullable(),
   filename: z.string().optional().nullable(),
   title: z.string().optional().nullable(),
   caption: z.string().optional().nullable(),

apps/sim/app/api/tools/zoom/get-recordings/route.ts

@@ -0,0 +1,216 @@
+import { createLogger } from '@sim/logger'
+import { type NextRequest, NextResponse } from 'next/server'
+import { z } from 'zod'
+import { checkInternalAuth } from '@/lib/auth/hybrid'
+import {
+  secureFetchWithPinnedIP,
+  validateUrlWithDNS,
+} from '@/lib/core/security/input-validation.server'
+import { generateRequestId } from '@/lib/core/utils/request'
+import { getExtensionFromMimeType } from '@/lib/uploads/utils/file-utils'
+
+export const dynamic = 'force-dynamic'
+
+const logger = createLogger('ZoomGetRecordingsAPI')
+
+interface ZoomRecordingFile {
+  id?: string
+  meeting_id?: string
+  recording_start?: string
+  recording_end?: string
+  file_type?: string
+  file_extension?: string
+  file_size?: number
+  play_url?: string
+  download_url?: string
+  status?: string
+  recording_type?: string
+}
+
+interface ZoomRecordingsResponse {
+  uuid?: string
+  id?: string | number
+  account_id?: string
+  host_id?: string
+  topic?: string
+  type?: number
+  start_time?: string
+  duration?: number
+  total_size?: number
+  recording_count?: number
+  share_url?: string
+  recording_files?: ZoomRecordingFile[]
+}
+
+interface ZoomErrorResponse {
+  message?: string
+  code?: number
+}
+
+const ZoomGetRecordingsSchema = z.object({
+  accessToken: z.string().min(1, 'Access token is required'),
+  meetingId: z.string().min(1, 'Meeting ID is required'),
+  includeFolderItems: z.boolean().optional(),
+  ttl: z.number().optional(),
+  downloadFiles: z.boolean().optional().default(false),
+})
+
+export async function POST(request: NextRequest) {
+  const requestId = generateRequestId()
+
+  try {
+    const authResult = await checkInternalAuth(request, { requireWorkflowId: false })
+
+    if (!authResult.success) {
+      logger.warn(`[${requestId}] Unauthorized Zoom get recordings attempt: ${authResult.error}`)
+      return NextResponse.json(
+        {
+          success: false,
+          error: authResult.error || 'Authentication required',
+        },
+        { status: 401 }
+      )
+    }
+
+    const body = await request.json()
+    const validatedData = ZoomGetRecordingsSchema.parse(body)
+
+    const { accessToken, meetingId, includeFolderItems, ttl, downloadFiles } = validatedData
+
+    const baseUrl = `https://api.zoom.us/v2/meetings/${encodeURIComponent(meetingId)}/recordings`
+    const queryParams = new URLSearchParams()
+
+    if (includeFolderItems != null) {
+      queryParams.append('include_folder_items', String(includeFolderItems))
+    }
+    if (ttl) {
+      queryParams.append('ttl', String(ttl))
+    }
+
+    const queryString = queryParams.toString()
+    const apiUrl = queryString ? `${baseUrl}?${queryString}` : baseUrl
+
+    logger.info(`[${requestId}] Fetching recordings from Zoom`, { meetingId })
+
+    const urlValidation = await validateUrlWithDNS(apiUrl, 'apiUrl')
+    if (!urlValidation.isValid) {
+      return NextResponse.json({ success: false, error: urlValidation.error }, { status: 400 })
+    }
+
+    const response = await secureFetchWithPinnedIP(apiUrl, urlValidation.resolvedIP!, {
+      method: 'GET',
+      headers: {
+        'Content-Type': 'application/json',
+        Authorization: `Bearer ${accessToken}`,
+      },
+    })
+
+    if (!response.ok) {
+      const errorData = (await response.json().catch(() => ({}))) as ZoomErrorResponse
+      logger.error(`[${requestId}] Zoom API error`, {
+        status: response.status,
+        error: errorData,
+      })
+      return NextResponse.json(
+        { success: false, error: errorData.message || `Zoom API error: ${response.status}` },
+        { status: 400 }
+      )
+    }
+
+    const data = (await response.json()) as ZoomRecordingsResponse
+    const files: Array<{
+      name: string
+      mimeType: string
+      data: string
+      size: number
+    }> = []
+
+    if (downloadFiles && Array.isArray(data.recording_files)) {
+      for (const file of data.recording_files) {
+        if (!file?.download_url) continue
+
+        try {
+          const fileUrlValidation = await validateUrlWithDNS(file.download_url, 'downloadUrl')
+          if (!fileUrlValidation.isValid) continue
+
+          const downloadResponse = await secureFetchWithPinnedIP(
+            file.download_url,
+            fileUrlValidation.resolvedIP!,
+            {
+              method: 'GET',
+              headers: { Authorization: `Bearer ${accessToken}` },
+            }
+          )
+
+          if (!downloadResponse.ok) continue
+
+          const contentType =
+            downloadResponse.headers.get('content-type') || 'application/octet-stream'
+          const arrayBuffer = await downloadResponse.arrayBuffer()
+          const buffer = Buffer.from(arrayBuffer)
+          const extension =
+            file.file_extension?.toString().toLowerCase() ||
+            getExtensionFromMimeType(contentType) ||
+            'dat'
+          const fileName = `zoom-recording-${file.id || file.recording_start || Date.now()}.${extension}`
+
+          files.push({
+            name: fileName,
+            mimeType: contentType,
+            data: buffer.toString('base64'),
+            size: buffer.length,
+          })
+        } catch (error) {
+          logger.warn(`[${requestId}] Failed to download recording file:`, error)
+        }
+      }
+    }
+
+    logger.info(`[${requestId}] Zoom recordings fetched successfully`, {
+      recordingCount: data.recording_files?.length || 0,
+      downloadedCount: files.length,
+    })
+
+    return NextResponse.json({
+      success: true,
+      output: {
+        recording: {
+          uuid: data.uuid,
+          id: data.id,
+          account_id: data.account_id,
+          host_id: data.host_id,
+          topic: data.topic,
+          type: data.type,
+          start_time: data.start_time,
+          duration: data.duration,
+          total_size: data.total_size,
+          recording_count: data.recording_count,
+          share_url: data.share_url,
+          recording_files: (data.recording_files || []).map((file: ZoomRecordingFile) => ({
+            id: file.id,
+            meeting_id: file.meeting_id,
+            recording_start: file.recording_start,
+            recording_end: file.recording_end,
+            file_type: file.file_type,
+            file_extension: file.file_extension,
+            file_size: file.file_size,
+            play_url: file.play_url,
+            download_url: file.download_url,
+            status: file.status,
+            recording_type: file.recording_type,
+          })),
+        },
+        files: files.length > 0 ? files : undefined,
+      },
+    })
+  } catch (error) {
+    logger.error(`[${requestId}] Error fetching Zoom recordings:`, error)
+    return NextResponse.json(
+      {
+        success: false,
+        error: error instanceof Error ? error.message : 'Unknown error occurred',
+      },
+      { status: 500 }
+    )
+  }
+}

apps/sim/app/api/users/me/subscription/[id]/transfer/route.ts

@@ -5,6 +5,7 @@ import { and, eq } from 'drizzle-orm'
 import { type NextRequest, NextResponse } from 'next/server'
 import { z } from 'zod'
 import { getSession } from '@/lib/auth'
+import { hasActiveSubscription } from '@/lib/billing'
 
 const logger = createLogger('SubscriptionTransferAPI')
 
@@ -88,6 +89,14 @@ export async function POST(request: NextRequest, { params }: { params: Promise<{
       )
     }
 
+    // Check if org already has an active subscription (prevent duplicates)
+    if (await hasActiveSubscription(organizationId)) {
+      return NextResponse.json(
+        { error: 'Organization already has an active subscription' },
+        { status: 409 }
+      )
+    }
+
     await db
       .update(subscription)
       .set({ referenceId: organizationId })

apps/sim/app/api/v1/admin/users/[id]/billing/route.ts

@@ -203,6 +203,10 @@ export const PATCH = withAdminAuthParams<RouteParams>(async (request, context) =
       }
 
       updateData.billingBlocked = body.billingBlocked
+      // Clear the reason when unblocking
+      if (body.billingBlocked === false) {
+        updateData.billingBlockedReason = null
+      }
       updated.push('billingBlocked')
     }
 

apps/sim/app/api/workflows/[id]/execute-from-block/route.ts

@@ -1,6 +1,4 @@
-import { db, workflow as workflowTable } from '@sim/db'
 import { createLogger } from '@sim/logger'
-import { eq } from 'drizzle-orm'
 import { type NextRequest, NextResponse } from 'next/server'
 import { v4 as uuidv4 } from 'uuid'
 import { z } from 'zod'
@@ -8,6 +6,7 @@ import { checkHybridAuth } from '@/lib/auth/hybrid'
 import { generateRequestId } from '@/lib/core/utils/request'
 import { SSE_HEADERS } from '@/lib/core/utils/sse'
 import { markExecutionCancelled } from '@/lib/execution/cancellation'
+import { preprocessExecution } from '@/lib/execution/preprocessing'
 import { LoggingSession } from '@/lib/logs/execution/logging-session'
 import { executeWorkflowCore } from '@/lib/workflows/executor/execution-core'
 import { createSSECallbacks } from '@/lib/workflows/executor/execution-events'
@@ -75,12 +74,31 @@ export async function POST(req: NextRequest, { params }: { params: Promise<{ id:
     const { startBlockId, sourceSnapshot, input } = validation.data
     const executionId = uuidv4()
 
-    const [workflowRecord] = await db
+    // Run preprocessing checks (billing, rate limits, usage limits)
-      .select({ workspaceId: workflowTable.workspaceId, userId: workflowTable.userId })
+    const preprocessResult = await preprocessExecution({
-      .from(workflowTable)
+      workflowId,
-      .where(eq(workflowTable.id, workflowId))
+      userId,
-      .limit(1)
+      triggerType: 'manual',
+      executionId,
+      requestId,
+      checkRateLimit: false, // Manual executions don't rate limit
+      checkDeployment: false, // Run-from-block doesn't require deployment
+    })
 
+    if (!preprocessResult.success) {
+      const { error } = preprocessResult
+      logger.warn(`[${requestId}] Preprocessing failed for run-from-block`, {
+        workflowId,
+        error: error?.message,
+        statusCode: error?.statusCode,
+      })
+      return NextResponse.json(
+        { error: error?.message || 'Execution blocked' },
+        { status: error?.statusCode || 500 }
+      )
+    }
+
+    const workflowRecord = preprocessResult.workflowRecord
     if (!workflowRecord?.workspaceId) {
       return NextResponse.json({ error: 'Workflow not found or has no workspace' }, { status: 404 })
     }
@@ -92,6 +110,7 @@ export async function POST(req: NextRequest, { params }: { params: Promise<{ id:
       workflowId,
       startBlockId,
       executedBlocksCount: sourceSnapshot.executedBlocks.length,
+      billingActorUserId: preprocessResult.actorUserId,
     })
 
     const loggingSession = new LoggingSession(workflowId, executionId, 'manual', requestId)

apps/sim/app/workspace/[workspaceId]/w/[workflowId]/components/chat/chat.tsx

@@ -807,7 +807,7 @@ export function Chat() {
 
       const newReservedFields: StartInputFormatField[] = missingStartReservedFields.map(
         (fieldName) => {
-          const defaultType = fieldName === 'files' ? 'files' : 'string'
+          const defaultType = fieldName === 'files' ? 'file[]' : 'string'
 
           return {
             id: crypto.randomUUID(),

apps/sim/app/workspace/[workspaceId]/w/[workflowId]/components/panel/components/deploy/components/deploy-modal/components/a2a/a2a.tsx

@@ -179,7 +179,7 @@ export function A2aDeploy({
       newFields.push({
         id: crypto.randomUUID(),
         name: 'files',
-        type: 'files',
+        type: 'file[]',
         value: '',
         collapsed: false,
       })

apps/sim/app/workspace/[workspaceId]/w/[workflowId]/components/panel/components/deploy/components/deploy-modal/deploy-modal.tsx

@@ -16,7 +16,7 @@ import {
   ModalTabsList,
   ModalTabsTrigger,
 } from '@/components/emcn'
-import { getApiUrl } from '@/lib/core/utils/urls'
+import { getBaseUrl } from '@/lib/core/utils/urls'
 import { getInputFormatExample as getInputFormatExampleUtil } from '@/lib/workflows/operations/deployment-utils'
 import { useUserPermissionsContext } from '@/app/workspace/[workspaceId]/providers/workspace-permissions-provider'
 import { CreateApiKeyModal } from '@/app/workspace/[workspaceId]/w/components/sidebar/components/settings-modal/components/api-keys/components'
@@ -201,7 +201,7 @@ export function DeployModal({
       return null
     }
 
-    const endpoint = `${getApiUrl()}/api/workflows/${workflowId}/execute`
+    const endpoint = `${getBaseUrl()}/api/workflows/${workflowId}/execute`
     const inputFormatExample = getInputFormatExample(selectedStreamingOutputs.length > 0)
     const placeholderKey = getApiHeaderPlaceholder()
 

apps/sim/app/workspace/[workspaceId]/w/[workflowId]/components/panel/components/editor/components/sub-block/components/starter/input-format.tsx

@@ -26,7 +26,7 @@ import { useAccessibleReferencePrefixes } from '@/app/workspace/[workspaceId]/w/
 interface Field {
   id: string
   name: string
-  type?: 'string' | 'number' | 'boolean' | 'object' | 'array' | 'files'
+  type?: 'string' | 'number' | 'boolean' | 'object' | 'array' | 'file[]'
   value?: string
   description?: string
   collapsed?: boolean
@@ -57,7 +57,7 @@ const TYPE_OPTIONS: ComboboxOption[] = [
   { label: 'Boolean', value: 'boolean' },
   { label: 'Object', value: 'object' },
   { label: 'Array', value: 'array' },
-  { label: 'Files', value: 'files' },
+  { label: 'Files', value: 'file[]' },
 ]
 
 /**
@@ -448,7 +448,7 @@ export function FieldFormat({
       )
     }
 
-    if (field.type === 'files') {
+    if (field.type === 'file[]') {
       const lineCount = fieldValue.split('\n').length
       const gutterWidth = calculateGutterWidth(lineCount)
 

apps/sim/app/workspace/[workspaceId]/w/[workflowId]/components/panel/components/editor/components/sub-block/components/tag-dropdown/tag-dropdown.tsx

@@ -225,7 +225,7 @@ const getOutputTypeForPath = (
       const chatModeTypes: Record<string, string> = {
         input: 'string',
         conversationId: 'string',
-        files: 'files',
+        files: 'file[]',
       }
       return chatModeTypes[outputPath] || 'any'
     }
@@ -1563,16 +1563,11 @@ export const TagDropdown: React.FC<TagDropdownProps> = ({
     blockTagGroups.sort((a, b) => a.distance - b.distance)
     finalBlockTagGroups.push(...blockTagGroups)
 
-    const contextualTags: string[] = []
+    const groupTags = finalBlockTagGroups.flatMap((group) => group.tags)
-    if (loopBlockGroup) {
+    const tags = [...groupTags, ...variableTags]
-      contextualTags.push(...loopBlockGroup.tags)
-    }
-    if (parallelBlockGroup) {
-      contextualTags.push(...parallelBlockGroup.tags)
-    }
 
     return {
-      tags: [...allBlockTags, ...variableTags, ...contextualTags],
+      tags,
       variableInfoMap,
       blockTagGroups: finalBlockTagGroups,
     }
@@ -1746,7 +1741,7 @@ export const TagDropdown: React.FC<TagDropdownProps> = ({
           mergedSubBlocks
         )
 
-        if (fieldType === 'files' || fieldType === 'file[]' || fieldType === 'array') {
+        if (fieldType === 'file' || fieldType === 'file[]' || fieldType === 'array') {
           const blockName = parts[0]
           const remainingPath = parts.slice(2).join('.')
           processedTag = `${blockName}.${arrayFieldName}[0].${remainingPath}`

apps/sim/app/workspace/[workspaceId]/w/[workflowId]/components/panel/components/editor/editor.tsx

@@ -50,6 +50,12 @@ import { useSubBlockStore } from '@/stores/workflows/subblock/store'
 /** Stable empty object to avoid creating new references */
 const EMPTY_SUBBLOCK_VALUES = {} as Record<string, any>
 
+/** Shared style for dashed divider lines */
+const DASHED_DIVIDER_STYLE = {
+  backgroundImage:
+    'repeating-linear-gradient(to right, var(--border) 0px, var(--border) 6px, transparent 6px, transparent 12px)',
+} as const
+
 /**
  * Icon component for rendering block icons.
  *
@@ -89,31 +95,23 @@ export function Editor() {
   const blockConfig = currentBlock ? getBlock(currentBlock.type) : null
   const title = currentBlock?.name || 'Editor'
 
-  // Check if selected block is a subflow (loop or parallel)
   const isSubflow =
     currentBlock && (currentBlock.type === 'loop' || currentBlock.type === 'parallel')
 
-  // Get subflow display properties from configs
   const subflowConfig = isSubflow ? (currentBlock.type === 'loop' ? LoopTool : ParallelTool) : null
 
-  // Check if selected block is a workflow block
   const isWorkflowBlock =
     currentBlock && (currentBlock.type === 'workflow' || currentBlock.type === 'workflow_input')
 
-  // Get workspace ID from params
   const params = useParams()
   const workspaceId = params.workspaceId as string
 
-  // Refs for resize functionality
   const subBlocksRef = useRef<HTMLDivElement>(null)
 
-  // Get user permissions
   const userPermissions = useUserPermissionsContext()
 
-  // Get active workflow ID
   const activeWorkflowId = useWorkflowRegistry((state) => state.activeWorkflowId)
 
-  // Get block properties (advanced/trigger modes)
   const { advancedMode, triggerMode } = useEditorBlockProperties(
     currentBlockId,
     currentWorkflow.isSnapshotView
@@ -145,10 +143,9 @@ export function Editor() {
     [subBlocksForCanonical]
   )
   const canonicalModeOverrides = currentBlock?.data?.canonicalModes
-  const advancedValuesPresent = hasAdvancedValues(
+  const advancedValuesPresent = useMemo(
-    subBlocksForCanonical,
+    () => hasAdvancedValues(subBlocksForCanonical, blockSubBlockValues, canonicalIndex),
-    blockSubBlockValues,
+    [subBlocksForCanonical, blockSubBlockValues, canonicalIndex]
-    canonicalIndex
   )
   const displayAdvancedOptions = userPermissions.canEdit
     ? advancedMode
@@ -156,11 +153,9 @@ export function Editor() {
 
   const hasAdvancedOnlyFields = useMemo(() => {
     for (const subBlock of subBlocksForCanonical) {
-      // Must be standalone advanced (mode: 'advanced' without canonicalParamId)
       if (subBlock.mode !== 'advanced') continue
       if (canonicalIndex.canonicalIdBySubBlockId[subBlock.id]) continue
 
-      // Check condition - skip if condition not met for current values
       if (
         subBlock.condition &&
         !evaluateSubBlockCondition(subBlock.condition, blockSubBlockValues)
@@ -173,7 +168,6 @@ export function Editor() {
     return false
   }, [subBlocksForCanonical, canonicalIndex.canonicalIdBySubBlockId, blockSubBlockValues])
 
-  // Get subblock layout using custom hook
   const { subBlocks, stateToUse: subBlockState } = useEditorSubblockLayout(
     blockConfig || ({} as any),
     currentBlockId || '',
@@ -206,31 +200,34 @@ export function Editor() {
     return { regularSubBlocks: regular, advancedOnlySubBlocks: advancedOnly }
   }, [subBlocks, canonicalIndex.canonicalIdBySubBlockId])
 
-  // Get block connections
   const { incomingConnections, hasIncomingConnections } = useBlockConnections(currentBlockId || '')
 
-  // Connections resize hook
   const { handleMouseDown: handleConnectionsResizeMouseDown, isResizing } = useConnectionsResize({
     subBlocksRef,
   })
 
-  // Collaborative actions
   const {
     collaborativeSetBlockCanonicalMode,
     collaborativeUpdateBlockName,
     collaborativeToggleBlockAdvancedMode,
   } = useCollaborativeWorkflow()
 
-  // Advanced mode toggle handler
   const handleToggleAdvancedMode = useCallback(() => {
     if (!currentBlockId || !userPermissions.canEdit) return
     collaborativeToggleBlockAdvancedMode(currentBlockId)
   }, [currentBlockId, userPermissions.canEdit, collaborativeToggleBlockAdvancedMode])
 
-  // Rename state
   const [isRenaming, setIsRenaming] = useState(false)
   const [editedName, setEditedName] = useState('')
-  const nameInputRef = useRef<HTMLInputElement>(null)
+
+  /**
+   * Ref callback that auto-selects the input text when mounted.
+   */
+  const nameInputRefCallback = useCallback((element: HTMLInputElement | null) => {
+    if (element) {
+      element.select()
+    }
+  }, [])
 
   /**
    * Handles starting the rename process.
@@ -251,7 +248,6 @@ export function Editor() {
     if (trimmedName && trimmedName !== currentBlock?.name) {
       const result = collaborativeUpdateBlockName(currentBlockId, trimmedName)
       if (!result.success) {
-        // Keep rename mode open on error so user can correct the name
         return
       }
     }
@@ -266,14 +262,6 @@ export function Editor() {
     setEditedName('')
   }, [])
 
-  // Focus input when entering rename mode
-  useEffect(() => {
-    if (isRenaming && nameInputRef.current) {
-      nameInputRef.current.select()
-    }
-  }, [isRenaming])
-
-  // Trigger rename mode when signaled from context menu
   useEffect(() => {
     if (shouldFocusRename && currentBlock) {
       handleStartRename()
@@ -284,17 +272,13 @@ export function Editor() {
   /**
    * Handles opening documentation link in a new secure tab.
    */
-  const handleOpenDocs = () => {
+  const handleOpenDocs = useCallback(() => {
     const docsLink = isSubflow ? subflowConfig?.docsLink : blockConfig?.docsLink
-    if (docsLink) {
+    window.open(docsLink || 'https://docs.sim.ai/quick-reference', '_blank', 'noopener,noreferrer')
-      window.open(docsLink, '_blank', 'noopener,noreferrer')
+  }, [isSubflow, subflowConfig?.docsLink, blockConfig?.docsLink])
-    }
-  }
 
-  // Get child workflow ID for workflow blocks
   const childWorkflowId = isWorkflowBlock ? blockSubBlockValues?.workflowId : null
 
-  // Fetch child workflow state for preview (only for workflow blocks with a selected workflow)
   const { data: childWorkflowState, isLoading: isLoadingChildWorkflow } =
     useWorkflowState(childWorkflowId)
 
@@ -307,7 +291,6 @@ export function Editor() {
     }
   }, [childWorkflowId, workspaceId])
 
-  // Determine if connections are at minimum height (collapsed state)
   const isConnectionsAtMinHeight = connectionsHeight <= 35
 
   return (
@@ -328,7 +311,7 @@ export function Editor() {
           )}
           {isRenaming ? (
             <input
-              ref={nameInputRef}
+              ref={nameInputRefCallback}
               type='text'
               value={editedName}
               onChange={(e) => setEditedName(e.target.value)}
@@ -399,23 +382,21 @@ export function Editor() {
               </Tooltip.Content>
             </Tooltip.Root>
           )} */}
-          {currentBlock && (isSubflow ? subflowConfig?.docsLink : blockConfig?.docsLink) && (
+          <Tooltip.Root>
-            <Tooltip.Root>
+            <Tooltip.Trigger asChild>
-              <Tooltip.Trigger asChild>
+              <Button
-                <Button
+                variant='ghost'
-                  variant='ghost'
+                className='p-0'
-                  className='p-0'
+                onClick={handleOpenDocs}
-                  onClick={handleOpenDocs}
+                aria-label='Open documentation'
-                  aria-label='Open documentation'
+              >
-                >
+                <BookOpen className='h-[14px] w-[14px]' />
-                  <BookOpen className='h-[14px] w-[14px]' />
+              </Button>
-                </Button>
+            </Tooltip.Trigger>
-              </Tooltip.Trigger>
+            <Tooltip.Content side='top'>
-              <Tooltip.Content side='top'>
+              <p>Open docs</p>
-                <p>Open docs</p>
+            </Tooltip.Content>
-              </Tooltip.Content>
+          </Tooltip.Root>
-            </Tooltip.Root>
-          )}
         </div>
       </div>
 
@@ -495,13 +476,7 @@ export function Editor() {
                     </div>
                   </div>
                   <div className='subblock-divider px-[2px] pt-[16px] pb-[13px]'>
-                    <div
+                    <div className='h-[1.25px]' style={DASHED_DIVIDER_STYLE} />
-                      className='h-[1.25px]'
-                      style={{
-                        backgroundImage:
-                          'repeating-linear-gradient(to right, var(--border) 0px, var(--border) 6px, transparent 6px, transparent 12px)',
-                      }}
-                    />
                   </div>
                 </>
               )}
@@ -566,13 +541,7 @@ export function Editor() {
                         />
                         {showDivider && (
                           <div className='subblock-divider px-[2px] pt-[16px] pb-[13px]'>
-                            <div
+                            <div className='h-[1.25px]' style={DASHED_DIVIDER_STYLE} />
-                              className='h-[1.25px]'
-                              style={{
-                                backgroundImage:
-                                  'repeating-linear-gradient(to right, var(--border) 0px, var(--border) 6px, transparent 6px, transparent 12px)',
-                              }}
-                            />
                           </div>
                         )}
                       </div>
@@ -581,13 +550,7 @@ export function Editor() {
 
                   {hasAdvancedOnlyFields && userPermissions.canEdit && (
                     <div className='flex items-center gap-[10px] px-[2px] pt-[14px] pb-[12px]'>
-                      <div
+                      <div className='h-[1.25px] flex-1' style={DASHED_DIVIDER_STYLE} />
-                        className='h-[1.25px] flex-1'
-                        style={{
-                          backgroundImage:
-                            'repeating-linear-gradient(to right, var(--border) 0px, var(--border) 6px, transparent 6px, transparent 12px)',
-                        }}
-                      />
                       <button
                         type='button'
                         onClick={handleToggleAdvancedMode}
@@ -600,13 +563,7 @@ export function Editor() {
                           className={`h-[14px] w-[14px] transition-transform duration-200 ${displayAdvancedOptions ? 'rotate-180' : ''}`}
                         />
                       </button>
-                      <div
+                      <div className='h-[1.25px] flex-1' style={DASHED_DIVIDER_STYLE} />
-                        className='h-[1.25px] flex-1'
-                        style={{
-                          backgroundImage:
-                            'repeating-linear-gradient(to right, var(--border) 0px, var(--border) 6px, transparent 6px, transparent 12px)',
-                        }}
-                      />
                     </div>
                   )}
 
@@ -630,13 +587,7 @@ export function Editor() {
                         />
                         {index < advancedOnlySubBlocks.length - 1 && (
                           <div className='subblock-divider px-[2px] pt-[16px] pb-[13px]'>
-                            <div
+                            <div className='h-[1.25px]' style={DASHED_DIVIDER_STYLE} />
-                              className='h-[1.25px]'
-                              style={{
-                                backgroundImage:
-                                  'repeating-linear-gradient(to right, var(--border) 0px, var(--border) 6px, transparent 6px, transparent 12px)',
-                              }}
-                            />
                           </div>
                         )}
                       </div>

apps/sim/app/workspace/[workspaceId]/w/[workflowId]/hooks/use-block-output-fields.ts

@@ -188,7 +188,7 @@ export function useBlockOutputFields({
           baseOutputs = {
             input: { type: 'string', description: 'User message' },
             conversationId: { type: 'string', description: 'Conversation ID' },
-            files: { type: 'files', description: 'Uploaded files' },
+            files: { type: 'file[]', description: 'Uploaded files' },
           }
         } else {
           const inputFormatValue = mergedSubBlocks?.inputFormat?.value

apps/sim/app/workspace/[workspaceId]/w/[workflowId]/utils/workflow-execution-utils.ts

@@ -1,5 +1,4 @@
 import { v4 as uuidv4 } from 'uuid'
-import { getApiUrl } from '@/lib/core/utils/urls'
 import type { ExecutionResult, StreamingExecution } from '@/executor/types'
 import { useExecutionStore } from '@/stores/execution'
 import { useTerminalConsoleStore } from '@/stores/terminal'
@@ -42,8 +41,7 @@ export async function executeWorkflowWithFullLogging(
     isClientSession: true,
   }
 
-  const apiUrl = getApiUrl()
+  const response = await fetch(`/api/workflows/${activeWorkflowId}/execute`, {
-  const response = await fetch(`${apiUrl}/api/workflows/${activeWorkflowId}/execute`, {
     method: 'POST',
     headers: {
       'Content-Type': 'application/json',

apps/sim/background/webhook-execution.ts

@@ -417,11 +417,11 @@ async function executeWebhookJobInternal(
         if (triggerBlock?.subBlocks?.inputFormat?.value) {
           const inputFormat = triggerBlock.subBlocks.inputFormat.value as unknown as Array<{
             name: string
-            type: 'string' | 'number' | 'boolean' | 'object' | 'array' | 'files'
+            type: 'string' | 'number' | 'boolean' | 'object' | 'array' | 'file[]'
           }>
           logger.debug(`[${requestId}] Processing generic webhook files from inputFormat`)
 
-          const fileFields = inputFormat.filter((field) => field.type === 'files')
+          const fileFields = inputFormat.filter((field) => field.type === 'file[]')
 
           if (fileFields.length > 0 && typeof input === 'object' && input !== null) {
             const executionContext = {

apps/sim/blocks/blocks.test.ts

@@ -442,7 +442,16 @@ describe('Blocks Module', () => {
     })
 
     it('should have valid output types', () => {
-      const validPrimitiveTypes = ['string', 'number', 'boolean', 'json', 'array', 'files', 'any']
+      const validPrimitiveTypes = [
+        'string',
+        'number',
+        'boolean',
+        'json',
+        'array',
+        'file',
+        'file[]',
+        'any',
+      ]
       const blocks = getAllBlocks()
       for (const block of blocks) {
         for (const [key, outputConfig] of Object.entries(block.outputs)) {

apps/sim/blocks/blocks/api_trigger.ts

@@ -11,7 +11,7 @@ export const ApiTriggerBlock: BlockConfig = {
   bestPractices: `
   - Can run the workflow manually to test implementation when this is the trigger point.
   - The input format determines variables accesssible in the following blocks. E.g. <api1.paramName>. You can set the value in the input format to test the workflow manually.
-  - In production, the curl would come in as e.g. curl -X POST -H "X-API-Key: $SIM_API_KEY" -H "Content-Type: application/json" -d '{"paramName":"example"}' https://api.sim.ai/api/workflows/9e7e4f26-fc5e-4659-b270-7ea474b14f4a/execute -- If user asks to test via API, you might need to clarify the API key.
+  - In production, the curl would come in as e.g. curl -X POST -H "X-API-Key: $SIM_API_KEY" -H "Content-Type: application/json" -d '{"paramName":"example"}' https://www.staging.sim.ai/api/workflows/9e7e4f26-fc5e-4659-b270-7ea474b14f4a/execute -- If user asks to test via API, you might need to clarify the API key.
   `,
   category: 'triggers',
   hideFromToolbar: true,

apps/sim/blocks/blocks/chat_trigger.ts

@@ -26,7 +26,7 @@ export const ChatTriggerBlock: BlockConfig = {
   outputs: {
     input: { type: 'string', description: 'User message' },
     conversationId: { type: 'string', description: 'Conversation ID' },
-    files: { type: 'files', description: 'Uploaded files' },
+    files: { type: 'file[]', description: 'Uploaded files' },
   },
   triggers: {
     enabled: true,

apps/sim/blocks/blocks/discord.ts

@@ -578,13 +578,20 @@ export const DiscordBlock: BlockConfig<DiscordResponse> = {
         if (!params.serverId) throw new Error('Server ID is required')
 
         switch (params.operation) {
-          case 'discord_send_message':
+          case 'discord_send_message': {
+            const fileParam = params.attachmentFiles || params.files
+            const normalizedFiles = fileParam
+              ? Array.isArray(fileParam)
+                ? fileParam
+                : [fileParam]
+              : undefined
             return {
               ...commonParams,
               channelId: params.channelId,
               content: params.content,
-              files: params.attachmentFiles || params.files,
+              files: normalizedFiles,
             }
+          }
           case 'discord_get_messages':
             return {
               ...commonParams,
@@ -789,6 +796,7 @@ export const DiscordBlock: BlockConfig<DiscordResponse> = {
   },
   outputs: {
     message: { type: 'string', description: 'Status message' },
+    files: { type: 'file[]', description: 'Files attached to the message' },
     data: { type: 'json', description: 'Response data' },
   },
 }

apps/sim/blocks/blocks/dropbox.ts

@@ -60,12 +60,25 @@ export const DropboxBlock: BlockConfig<DropboxResponse> = {
       required: true,
     },
     {
-      id: 'fileContent',
+      id: 'uploadFile',
-      title: 'File Content',
+      title: 'File',
-      type: 'long-input',
+      type: 'file-upload',
-      placeholder: 'Base64 encoded file content or file reference',
+      canonicalParamId: 'fileContent',
-      condition: { field: 'operation', value: 'dropbox_upload' },
+      placeholder: 'Upload file to send to Dropbox',
+      mode: 'basic',
+      multiple: false,
       required: true,
+      condition: { field: 'operation', value: 'dropbox_upload' },
+    },
+    {
+      id: 'fileContent',
+      title: 'File',
+      type: 'short-input',
+      canonicalParamId: 'fileContent',
+      placeholder: 'Reference file from previous blocks',
+      mode: 'advanced',
+      required: true,
+      condition: { field: 'operation', value: 'dropbox_upload' },
     },
     {
       id: 'mode',
@@ -337,7 +350,8 @@ Return ONLY the timestamp string - no explanations, no quotes, no extra text.`,
     path: { type: 'string', description: 'Path in Dropbox' },
     autorename: { type: 'boolean', description: 'Auto-rename on conflict' },
     // Upload inputs
-    fileContent: { type: 'string', description: 'Base64 encoded file content' },
+    uploadFile: { type: 'json', description: 'Uploaded file (UserFile)' },
+    fileContent: { type: 'json', description: 'File reference or UserFile object' },
     fileName: { type: 'string', description: 'Optional filename' },
     mode: { type: 'string', description: 'Write mode: add or overwrite' },
     mute: { type: 'boolean', description: 'Mute notifications' },
@@ -360,7 +374,7 @@ Return ONLY the timestamp string - no explanations, no quotes, no extra text.`,
   },
   outputs: {
     // Upload/Download outputs
-    file: { type: 'json', description: 'File metadata' },
+    file: { type: 'file', description: 'Downloaded file stored in execution files' },
     content: { type: 'string', description: 'File content (base64)' },
     temporaryLink: { type: 'string', description: 'Temporary download link' },
     // List folder outputs

apps/sim/blocks/blocks/elevenlabs.ts

@@ -73,5 +73,6 @@ export const ElevenLabsBlock: BlockConfig<ElevenLabsBlockResponse> = {
 
   outputs: {
     audioUrl: { type: 'string', description: 'Generated audio URL' },
+    audioFile: { type: 'file', description: 'Generated audio file' },
   },
 }

apps/sim/blocks/blocks/file.ts

@@ -1,11 +1,48 @@
 import { createLogger } from '@sim/logger'
 import { DocumentIcon } from '@/components/icons'
+import { inferContextFromKey } from '@/lib/uploads/utils/file-utils'
 import type { BlockConfig, SubBlockType } from '@/blocks/types'
 import { createVersionedToolSelector } from '@/blocks/utils'
-import type { FileParserOutput } from '@/tools/file/types'
+import type { FileParserOutput, FileParserV3Output } from '@/tools/file/types'
 
 const logger = createLogger('FileBlock')
 
+const resolveFilePathFromInput = (fileInput: unknown): string | null => {
+  if (!fileInput || typeof fileInput !== 'object') {
+    return null
+  }
+
+  const record = fileInput as Record<string, unknown>
+  if (typeof record.path === 'string' && record.path.trim() !== '') {
+    return record.path
+  }
+  if (typeof record.url === 'string' && record.url.trim() !== '') {
+    return record.url
+  }
+  if (typeof record.key === 'string' && record.key.trim() !== '') {
+    const key = record.key.trim()
+    const context = typeof record.context === 'string' ? record.context : inferContextFromKey(key)
+    return `/api/files/serve/${encodeURIComponent(key)}?context=${context}`
+  }
+
+  return null
+}
+
+const resolveFilePathsFromInput = (fileInput: unknown): string[] => {
+  if (!fileInput) {
+    return []
+  }
+
+  if (Array.isArray(fileInput)) {
+    return fileInput
+      .map((file) => resolveFilePathFromInput(file))
+      .filter((path): path is string => Boolean(path))
+  }
+
+  const resolved = resolveFilePathFromInput(fileInput)
+  return resolved ? [resolved] : []
+}
+
 export const FileBlock: BlockConfig<FileParserOutput> = {
   type: 'file',
   name: 'File (Legacy)',
@@ -79,24 +116,14 @@ export const FileBlock: BlockConfig<FileParserOutput> = {
 
         // Handle file upload input
         if (inputMethod === 'upload') {
-          // Handle case where 'file' is an array (multiple files)
+          const filePaths = resolveFilePathsFromInput(params.file)
-          if (params.file && Array.isArray(params.file) && params.file.length > 0) {
+          if (filePaths.length > 0) {
-            const filePaths = params.file.map((file) => file.path)
-
             return {
               filePath: filePaths.length === 1 ? filePaths[0] : filePaths,
               fileType: params.fileType || 'auto',
             }
           }
 
-          // Handle case where 'file' is a single file object
-          if (params.file?.path) {
-            return {
-              filePath: params.file.path,
-              fileType: params.fileType || 'auto',
-            }
-          }
-
           // If no files, return error
           logger.error('No files provided for upload method')
           throw new Error('Please upload a file')
@@ -116,7 +143,7 @@ export const FileBlock: BlockConfig<FileParserOutput> = {
   },
   outputs: {
     files: {
-      type: 'json',
+      type: 'file[]',
       description: 'Array of parsed file objects with content, metadata, and file properties',
     },
     combinedContent: {
@@ -124,7 +151,7 @@ export const FileBlock: BlockConfig<FileParserOutput> = {
       description: 'All file contents merged into a single text string',
     },
     processedFiles: {
-      type: 'files',
+      type: 'file[]',
       description: 'Array of UserFile objects for downstream use (attachments, uploads, etc.)',
     },
   },
@@ -133,9 +160,9 @@ export const FileBlock: BlockConfig<FileParserOutput> = {
 export const FileV2Block: BlockConfig<FileParserOutput> = {
   ...FileBlock,
   type: 'file_v2',
-  name: 'File',
+  name: 'File (Legacy)',
   description: 'Read and parse multiple files',
-  hideFromToolbar: false,
+  hideFromToolbar: true,
   subBlocks: [
     {
       id: 'file',
@@ -182,16 +209,17 @@ export const FileV2Block: BlockConfig<FileParserOutput> = {
         }
 
         if (Array.isArray(fileInput) && fileInput.length > 0) {
-          const filePaths = fileInput.map((file) => file.path)
+          const filePaths = resolveFilePathsFromInput(fileInput)
           return {
             filePath: filePaths.length === 1 ? filePaths[0] : filePaths,
             fileType: params.fileType || 'auto',
           }
         }
 
-        if (fileInput?.path) {
+        const resolvedSingle = resolveFilePathsFromInput(fileInput)
+        if (resolvedSingle.length > 0) {
           return {
-            filePath: fileInput.path,
+            filePath: resolvedSingle[0],
             fileType: params.fileType || 'auto',
           }
         }
@@ -209,7 +237,7 @@ export const FileV2Block: BlockConfig<FileParserOutput> = {
   },
   outputs: {
     files: {
-      type: 'json',
+      type: 'file[]',
       description: 'Array of parsed file objects with content, metadata, and file properties',
     },
     combinedContent: {
@@ -218,3 +246,108 @@ export const FileV2Block: BlockConfig<FileParserOutput> = {
     },
   },
 }
+
+export const FileV3Block: BlockConfig<FileParserV3Output> = {
+  type: 'file_v3',
+  name: 'File',
+  description: 'Read and parse multiple files',
+  longDescription: 'Upload files or reference files from previous blocks to extract text content.',
+  docsLink: 'https://docs.sim.ai/tools/file',
+  category: 'tools',
+  bgColor: '#40916C',
+  icon: DocumentIcon,
+  subBlocks: [
+    {
+      id: 'file',
+      title: 'Files',
+      type: 'file-upload' as SubBlockType,
+      canonicalParamId: 'fileInput',
+      acceptedTypes:
+        '.pdf,.csv,.doc,.docx,.txt,.md,.xlsx,.xls,.html,.htm,.pptx,.ppt,.json,.xml,.rtf',
+      placeholder: 'Upload files to process',
+      multiple: true,
+      mode: 'basic',
+      maxSize: 100,
+      required: true,
+    },
+    {
+      id: 'fileRef',
+      title: 'Files',
+      type: 'short-input' as SubBlockType,
+      canonicalParamId: 'fileInput',
+      placeholder: 'File reference from previous block',
+      mode: 'advanced',
+      required: true,
+    },
+  ],
+  tools: {
+    access: ['file_parser_v3'],
+    config: {
+      tool: () => 'file_parser_v3',
+      params: (params) => {
+        const fileInput = params.fileInput ?? params.file ?? params.filePath
+        if (!fileInput) {
+          logger.error('No file input provided')
+          throw new Error('File input is required')
+        }
+
+        if (typeof fileInput === 'string') {
+          return {
+            filePath: fileInput.trim(),
+            fileType: params.fileType || 'auto',
+            workspaceId: params._context?.workspaceId,
+            workflowId: params._context?.workflowId,
+            executionId: params._context?.executionId,
+          }
+        }
+
+        if (Array.isArray(fileInput)) {
+          const filePaths = resolveFilePathsFromInput(fileInput)
+          if (filePaths.length === 0) {
+            logger.error('No valid file paths found in file input array')
+            throw new Error('File input is required')
+          }
+          return {
+            filePath: filePaths.length === 1 ? filePaths[0] : filePaths,
+            fileType: params.fileType || 'auto',
+            workspaceId: params._context?.workspaceId,
+            workflowId: params._context?.workflowId,
+            executionId: params._context?.executionId,
+          }
+        }
+
+        if (typeof fileInput === 'object') {
+          const resolvedPaths = resolveFilePathsFromInput(fileInput)
+          if (resolvedPaths.length === 0) {
+            logger.error('File input object missing path, url, or key')
+            throw new Error('File input is required')
+          }
+          return {
+            filePath: resolvedPaths[0],
+            fileType: params.fileType || 'auto',
+            workspaceId: params._context?.workspaceId,
+            workflowId: params._context?.workflowId,
+            executionId: params._context?.executionId,
+          }
+        }
+
+        logger.error('Invalid file input format')
+        throw new Error('File input is required')
+      },
+    },
+  },
+  inputs: {
+    fileInput: { type: 'json', description: 'File input (upload or UserFile reference)' },
+    fileType: { type: 'string', description: 'File type' },
+  },
+  outputs: {
+    files: {
+      type: 'file[]',
+      description: 'Parsed files as UserFile objects',
+    },
+    combinedContent: {
+      type: 'string',
+      description: 'All file contents merged into a single text string',
+    },
+  },
+}

apps/sim/blocks/blocks/fireflies.ts

@@ -1,4 +1,5 @@
 import { FirefliesIcon } from '@/components/icons'
+import { resolveHttpsUrlFromFileInput } from '@/lib/uploads/utils/file-utils'
 import type { BlockConfig } from '@/blocks/types'
 import { AuthMode } from '@/blocks/types'
 import type { FirefliesResponse } from '@/tools/fireflies/types'
@@ -6,8 +7,9 @@ import { getTrigger } from '@/triggers'
 
 export const FirefliesBlock: BlockConfig<FirefliesResponse> = {
   type: 'fireflies',
-  name: 'Fireflies',
+  name: 'Fireflies (Legacy)',
   description: 'Interact with Fireflies.ai meeting transcripts and recordings',
+  hideFromToolbar: true,
   authMode: AuthMode.ApiKey,
   triggerAllowed: true,
   longDescription:
@@ -587,3 +589,74 @@ Return ONLY the summary text - no quotes, no labels.`,
     available: ['fireflies_transcription_complete'],
   },
 }
+
+const firefliesV2SubBlocks = (FirefliesBlock.subBlocks || []).filter(
+  (subBlock) => subBlock.id !== 'audioUrl'
+)
+const firefliesV2Inputs = FirefliesBlock.inputs
+  ? Object.fromEntries(Object.entries(FirefliesBlock.inputs).filter(([key]) => key !== 'audioUrl'))
+  : {}
+
+export const FirefliesV2Block: BlockConfig<FirefliesResponse> = {
+  ...FirefliesBlock,
+  type: 'fireflies_v2',
+  name: 'Fireflies',
+  description: 'Interact with Fireflies.ai meeting transcripts and recordings',
+  hideFromToolbar: false,
+  subBlocks: firefliesV2SubBlocks,
+  tools: {
+    ...FirefliesBlock.tools,
+    config: {
+      ...FirefliesBlock.tools?.config,
+      tool: (params) =>
+        FirefliesBlock.tools?.config?.tool
+          ? FirefliesBlock.tools.config.tool(params)
+          : params.operation || 'fireflies_list_transcripts',
+      params: (params) => {
+        const baseParams = FirefliesBlock.tools?.config?.params
+        if (!baseParams) {
+          return params
+        }
+
+        if (params.operation === 'fireflies_upload_audio') {
+          let audioInput = params.audioFile || params.audioFileReference
+          if (!audioInput) {
+            throw new Error('Audio file is required.')
+          }
+          if (typeof audioInput === 'string') {
+            try {
+              audioInput = JSON.parse(audioInput)
+            } catch {
+              throw new Error('Audio file must be a valid file reference.')
+            }
+          }
+          if (Array.isArray(audioInput)) {
+            throw new Error(
+              'File reference must be a single file, not an array. Use <block.files[0]> to select one file.'
+            )
+          }
+          if (typeof audioInput !== 'object' || audioInput === null) {
+            throw new Error('Audio file must be a file reference.')
+          }
+          const audioUrl = resolveHttpsUrlFromFileInput(audioInput)
+          if (!audioUrl) {
+            throw new Error('Audio file must include a https URL.')
+          }
+
+          return baseParams({
+            ...params,
+            audioUrl,
+            audioFile: undefined,
+            audioFileReference: undefined,
+          })
+        }
+
+        return baseParams(params)
+      },
+    },
+  },
+  inputs: {
+    ...firefliesV2Inputs,
+    audioFileReference: { type: 'json', description: 'Audio/video file reference' },
+  },
+}

apps/sim/blocks/blocks/gmail.ts

@@ -516,7 +516,7 @@ Return ONLY the search query - no explanations, no extra text.`,
     // Tool outputs
     content: { type: 'string', description: 'Response content' },
     metadata: { type: 'json', description: 'Email metadata' },
-    attachments: { type: 'json', description: 'Email attachments array' },
+    attachments: { type: 'file[]', description: 'Email attachments array' },
     // Trigger outputs
     email_id: { type: 'string', description: 'Gmail message ID' },
     thread_id: { type: 'string', description: 'Gmail thread ID' },
@@ -579,7 +579,7 @@ export const GmailV2Block: BlockConfig<GmailToolResponse> = {
     date: { type: 'string', description: 'Date' },
     body: { type: 'string', description: 'Email body text (best-effort)' },
     results: { type: 'json', description: 'Search/read summary results' },
-    attachments: { type: 'json', description: 'Downloaded attachments (if enabled)' },
+    attachments: { type: 'file[]', description: 'Downloaded attachments (if enabled)' },
 
     // Draft-specific outputs
     draftId: {

apps/sim/blocks/blocks/google_drive.ts

@@ -861,7 +861,7 @@ Return ONLY the message text - no subject line, no greetings/signatures, no extr
     permissionId: { type: 'string', description: 'Permission ID to remove' },
   },
   outputs: {
-    file: { type: 'json', description: 'File metadata or downloaded file data' },
+    file: { type: 'file', description: 'Downloaded file stored in execution files' },
     files: { type: 'json', description: 'List of files' },
     metadata: { type: 'json', description: 'Complete file metadata (from download)' },
     content: { type: 'string', description: 'File content as text' },

apps/sim/blocks/blocks/google_sheets.ts

@@ -1,6 +1,7 @@
 import { GoogleSheetsIcon } from '@/components/icons'
 import type { BlockConfig } from '@/blocks/types'
 import { AuthMode } from '@/blocks/types'
+import { createVersionedToolSelector } from '@/blocks/utils'
 import type { GoogleSheetsResponse, GoogleSheetsV2Response } from '@/tools/google_sheets/types'
 
 // Legacy block - hidden from toolbar
@@ -681,34 +682,38 @@ Return ONLY the JSON array - no explanations, no markdown, no extra text.`,
       'google_sheets_copy_sheet_v2',
     ],
     config: {
-      tool: (params) => {
+      tool: createVersionedToolSelector({
-        switch (params.operation) {
+        baseToolSelector: (params) => {
-          case 'read':
+          switch (params.operation) {
-            return 'google_sheets_read_v2'
+            case 'read':
-          case 'write':
+              return 'google_sheets_read'
-            return 'google_sheets_write_v2'
+            case 'write':
-          case 'update':
+              return 'google_sheets_write'
-            return 'google_sheets_update_v2'
+            case 'update':
-          case 'append':
+              return 'google_sheets_update'
-            return 'google_sheets_append_v2'
+            case 'append':
-          case 'clear':
+              return 'google_sheets_append'
-            return 'google_sheets_clear_v2'
+            case 'clear':
-          case 'get_info':
+              return 'google_sheets_clear'
-            return 'google_sheets_get_spreadsheet_v2'
+            case 'get_info':
-          case 'create':
+              return 'google_sheets_get_spreadsheet'
-            return 'google_sheets_create_spreadsheet_v2'
+            case 'create':
-          case 'batch_get':
+              return 'google_sheets_create_spreadsheet'
-            return 'google_sheets_batch_get_v2'
+            case 'batch_get':
-          case 'batch_update':
+              return 'google_sheets_batch_get'
-            return 'google_sheets_batch_update_v2'
+            case 'batch_update':
-          case 'batch_clear':
+              return 'google_sheets_batch_update'
-            return 'google_sheets_batch_clear_v2'
+            case 'batch_clear':
-          case 'copy_sheet':
+              return 'google_sheets_batch_clear'
-            return 'google_sheets_copy_sheet_v2'
+            case 'copy_sheet':
-          default:
+              return 'google_sheets_copy_sheet'
-            throw new Error(`Invalid Google Sheets V2 operation: ${params.operation}`)
+            default:
-        }
+              throw new Error(`Invalid Google Sheets operation: ${params.operation}`)
-      },
+          }
+        },
+        suffix: '_v2',
+        fallbackToolId: 'google_sheets_read_v2',
+      }),
       params: (params) => {
         const {
           credential,

apps/sim/blocks/blocks/google_slides.ts

@@ -1,12 +1,14 @@
 import { GoogleSlidesIcon } from '@/components/icons'
+import { resolveHttpsUrlFromFileInput } from '@/lib/uploads/utils/file-utils'
 import type { BlockConfig } from '@/blocks/types'
 import { AuthMode } from '@/blocks/types'
 import type { GoogleSlidesResponse } from '@/tools/google_slides/types'
 
 export const GoogleSlidesBlock: BlockConfig<GoogleSlidesResponse> = {
   type: 'google_slides',
-  name: 'Google Slides',
+  name: 'Google Slides (Legacy)',
   description: 'Read, write, and create presentations',
+  hideFromToolbar: true,
   authMode: AuthMode.OAuth,
   longDescription:
     'Integrate Google Slides into the workflow. Can read, write, create presentations, replace text, add slides, add images, get thumbnails, get page details, delete objects, duplicate objects, reorder slides, create tables, create shapes, and insert text.',
@@ -315,12 +317,26 @@ Return ONLY the JSON array - no explanations, no markdown, no extra text.`,
       required: true,
     },
     {
-      id: 'imageUrl',
+      id: 'imageFile',
-      title: 'Image URL',
+      title: 'Image',
-      type: 'short-input',
+      type: 'file-upload',
-      placeholder: 'Public URL of the image (PNG, JPEG, or GIF)',
+      canonicalParamId: 'imageSource',
-      condition: { field: 'operation', value: 'add_image' },
+      placeholder: 'Upload image (PNG, JPEG, or GIF)',
+      mode: 'basic',
+      multiple: false,
       required: true,
+      acceptedTypes: '.png,.jpg,.jpeg,.gif',
+      condition: { field: 'operation', value: 'add_image' },
+    },
+    {
+      id: 'imageUrl',
+      title: 'Image',
+      type: 'short-input',
+      canonicalParamId: 'imageSource',
+      placeholder: 'Reference image from previous blocks or enter URL',
+      mode: 'advanced',
+      required: true,
+      condition: { field: 'operation', value: 'add_image' },
     },
     {
       id: 'imageWidth',
@@ -809,7 +825,9 @@ Return ONLY the text content - no explanations, no markdown formatting markers,
     placeholderIdMappings: { type: 'string', description: 'JSON array of placeholder ID mappings' },
     // Add image operation
     pageObjectId: { type: 'string', description: 'Slide object ID for image' },
-    imageUrl: { type: 'string', description: 'Image URL' },
+    imageFile: { type: 'json', description: 'Uploaded image (UserFile)' },
+    imageUrl: { type: 'string', description: 'Image URL or reference' },
+    imageSource: { type: 'json', description: 'Image source (file or URL)' },
     imageWidth: { type: 'number', description: 'Image width in points' },
     imageHeight: { type: 'number', description: 'Image height in points' },
     positionX: { type: 'number', description: 'X position in points' },
@@ -887,3 +905,99 @@ Return ONLY the text content - no explanations, no markdown formatting markers,
     text: { type: 'string', description: 'Text that was inserted' },
   },
 }
+
+const googleSlidesV2SubBlocks = (GoogleSlidesBlock.subBlocks || []).flatMap((subBlock) => {
+  if (subBlock.id === 'imageFile') {
+    return [
+      {
+        ...subBlock,
+        canonicalParamId: 'imageFile',
+      },
+    ]
+  }
+
+  if (subBlock.id !== 'imageUrl') {
+    return [subBlock]
+  }
+
+  return [
+    {
+      id: 'imageFileReference',
+      title: 'Image',
+      type: 'short-input' as const,
+      canonicalParamId: 'imageFile',
+      placeholder: 'Reference image from previous blocks',
+      mode: 'advanced' as const,
+      required: true,
+      condition: { field: 'operation', value: 'add_image' },
+    },
+  ]
+})
+
+const googleSlidesV2Inputs = GoogleSlidesBlock.inputs
+  ? Object.fromEntries(
+      Object.entries(GoogleSlidesBlock.inputs).filter(
+        ([key]) => key !== 'imageUrl' && key !== 'imageSource'
+      )
+    )
+  : {}
+
+export const GoogleSlidesV2Block: BlockConfig<GoogleSlidesResponse> = {
+  ...GoogleSlidesBlock,
+  type: 'google_slides_v2',
+  name: 'Google Slides',
+  description: 'Read, write, and create presentations',
+  hideFromToolbar: false,
+  subBlocks: googleSlidesV2SubBlocks,
+  tools: {
+    access: GoogleSlidesBlock.tools!.access,
+    config: {
+      tool: GoogleSlidesBlock.tools!.config!.tool,
+      params: (params) => {
+        const baseParams = GoogleSlidesBlock.tools?.config?.params
+        if (!baseParams) {
+          return params
+        }
+
+        if (params.operation === 'add_image') {
+          let imageInput = params.imageFile || params.imageFileReference || params.imageSource
+          if (!imageInput) {
+            throw new Error('Image file is required.')
+          }
+          if (typeof imageInput === 'string') {
+            try {
+              imageInput = JSON.parse(imageInput)
+            } catch {
+              throw new Error('Image file must be a valid file reference.')
+            }
+          }
+          if (Array.isArray(imageInput)) {
+            throw new Error(
+              'File reference must be a single file, not an array. Use <block.files[0]> to select one file.'
+            )
+          }
+          if (typeof imageInput !== 'object' || imageInput === null) {
+            throw new Error('Image file must be a file reference.')
+          }
+          const imageUrl = resolveHttpsUrlFromFileInput(imageInput)
+          if (!imageUrl) {
+            throw new Error('Image file must include a https URL.')
+          }
+
+          return baseParams({
+            ...params,
+            imageUrl,
+            imageFileReference: undefined,
+            imageSource: undefined,
+          })
+        }
+
+        return baseParams(params)
+      },
+    },
+  },
+  inputs: {
+    ...googleSlidesV2Inputs,
+    imageFileReference: { type: 'json', description: 'Image file reference' },
+  },
+}

apps/sim/blocks/blocks/google_vault.ts

@@ -526,7 +526,7 @@ Return ONLY the description text - no explanations, no quotes, no extra text.`,
       description:
         'Single hold object (for create_matters_holds or list_matters_holds with holdId)',
     },
-    file: { type: 'json', description: 'Downloaded export file (UserFile) from execution files' },
+    file: { type: 'file', description: 'Downloaded export file (UserFile) from execution files' },
     nextPageToken: {
       type: 'string',
       description: 'Token for fetching next page of results (for list operations)',

apps/sim/blocks/blocks/image_generator.ts

@@ -149,7 +149,7 @@ export const ImageGeneratorBlock: BlockConfig<DalleResponse> = {
   },
   outputs: {
     content: { type: 'string', description: 'Generation response' },
-    image: { type: 'string', description: 'Generated image URL' },
+    image: { type: 'file', description: 'Generated image file (UserFile)' },
     metadata: { type: 'json', description: 'Generation metadata' },
   },
 }

apps/sim/blocks/blocks/imap.ts

@@ -44,7 +44,7 @@ export const ImapBlock: BlockConfig = {
     bodyHtml: { type: 'string', description: 'HTML email body' },
     mailbox: { type: 'string', description: 'Mailbox/folder where email was received' },
     hasAttachments: { type: 'boolean', description: 'Whether email has attachments' },
-    attachments: { type: 'json', description: 'Array of email attachments' },
+    attachments: { type: 'file[]', description: 'Array of email attachments' },
     timestamp: { type: 'string', description: 'Event timestamp' },
   },
   triggers: {