github/sim
1
0
Fork 0
mirror of https://github.com/simstudioai/sim.git synced 2026-02-10 22:55:16 -05:00
Code Issues Packages Projects Releases Wiki Activity

Compare commits

base: github:feat/copilot-enterprise-models
Branches Tags
github:main github:fix/posthog github:staging github:feat/copilot-enterprise-models github:feat/landing github:feat/the-copilot github:cursor/development-environment-setup-aad3 github:cursor/development-environment-setup-becb github:sim-609-tool-input-refactor github:feature/tiktok-integration github:feat/copilot-server-1 github:cursor/run-button-label-and-hover-fdc2 github:fix/tracespans github:sim-614 github:fix/kbtags github:feat/agent-media github:feat/copilot-server github:cleanup github:fix/hitl-outputs github:fix/copilot-credentials-validation github:dependabot/npm_and_yarn/npm_and_yarn-ae354da9f7 github:fix/s-tool github:lakees/db github:improvement/copilot-refactor github:feat/copilot-resume github:fix/start-inp github:feat/impersonation github:fix/refresh github:fix/copilot-thinking github:feat/groups github:fix/dups github:improvement/copilot-superagent-split github:improvement/respone-block github:SIM-514-useWebhookUrl-conditioning github:sim-499 github:fix/tool-output github:feat/figma github:feat/custom-oauth-adv-mdoe github:feat/zapier github:feat/snowflake github:feat/workflow-import-su github:feat/run-from-block github:improvement/debug-mode github:feat/while-subflow github:feat/aws-lambda
github:v0.5.85 github:v0.5.84 github:v0.5.83 github:v0.5.82 github:v0.5.81 github:v0.5.80 github:v0.5.79 github:v0.5.78 github:v0.5.77 github:v0.5.76 github:v0.5.75 github:v0.5.74 github:v0.5.73 github:v0.5.72 github:v0.5.71 github:python-sdk-v0.1.2 github:typescript-sdk-v0.1.2 github:v0.5.70 github:v0.5.69 github:v0.5.68 github:v0.5.67 github:v0.5.66 github:v0.5.65 github:v0.5.64 github:v0.5.63 github:v0.5.62 github:v0.5.61 github:v0.5.60 github:v0.5.59 github:v0.5.58 github:v0.5.57 github:v0.5.56 github:v0.5.55 github:v0.5.54 github:v0.5.53 github:v0.5.52 github:v0.5.51 github:v0.5.50 github:v0.5.49 github:v0.5.48 github:v0.5.47 github:v0.5.46 github:v0.5.45 github:v0.5.44 github:v0.5.43 github:v0.5.42 github:v0.5.41 github:v0.5.40 github:v0.5.39 github:v0.5.38 github:v0.5.37 github:v0.5.36 github:v0.5.35 github:v0.5.34 github:v0.5.33 github:v0.5.32 github:v0.5.31 github:v0.5.30 github:v0.5.29 github:v0.5.28 github:v0.5.27 github:v0.5.26 github:v0.5.25 github:v0.5.24 github:v0.5.23 github:v0.5.22 github:v0.5.21 github:v0.5.20 github:v0.5.19 github:v0.5.18 github:v0.5.17 github:v0.5.16 github:v0.5.15 github:v0.5.14 github:python-sdk-v0.1.1 github:typescript-sdk-v0.1.1 github:v0.5.13 github:v0.5.12 github:v0.5.11 github:v0.5.8 github:v0.5.9 github:v0.5.7 github:v0.5.6 github:v0.5.5 github:v0.5.2 github:v0.5.1 github:v0.5 github:v0.4.25 github:v0.4.24 github:v0.4.23 github:v0.4.22 github:v0.4.21 github:v0.4.20 github:v0.4.19 github:v0.4.17 github:v0.4.16 github:v0.4.15 github:v0.4.14 github:v0.4.13 github:v0.4.12 github:v0.4.11 github:v0.4.10 github:v0.4.9 github:v0.4.8 github:v0.4.7 github:v0.4.6 github:v0.4.5 github:v0.4.4 github:v0.4.3 github:v0.4.2 github:v0.4.1 github:v0.4.0 github:v0.3.41 github:v0.3.42 github:v0.3.43 github:v0.3.44 github:v0.3.45 github:v0.3.46 github:v0.3.47 github:v0.3.50 github:v0.3.51 github:v0.3.52 github:v0.3.53 github:v0.3.54 github:v0.3.55 github:v0.3.56 github:v0.3.57 github:v0.3.58 github:v0.2.1 github:v0.2.2 github:v0.2.3 github:v0.2.4 github:v0.2.5 github:v0.2.6 github:v0.2.7 github:v0.2.8 github:v0.2.9 github:v0.2.11 github:v0.2.12 github:v0.2.13 github:v0.3.1 github:v0.3.2 github:v0.3.3 github:v0.3.4 github:v0.3.5 github:v0.3.6 github:v0.3.7 github:v0.3.8 github:v0.3.9 github:v0.3.10 github:v0.3.13 github:v0.3.14 github:v0.3.15 github:v0.3.16 github:v0.3.17 github:v0.3.19 github:v0.3.21 github:v0.3.22 github:v0.3.23 github:v0.3.24 github:v0.3.26 github:v0.3.27 github:v0.3.28 github:v0.3.30 github:v0.3.31 github:v0.3.32 github:v0.3.33 github:v0.3.34 github:v0.3.35 github:v0.3.36 github:v0.3.37 github:v0.3.38 github:v0.3.39 github:v0.3.40 github:v1.0.0
...
compare: github:staging
Branches Tags
github:fix/posthog github:staging github:feat/copilot-enterprise-models github:feat/landing github:feat/the-copilot github:cursor/development-environment-setup-aad3 github:cursor/development-environment-setup-becb github:main github:sim-609-tool-input-refactor github:feature/tiktok-integration github:feat/copilot-server-1 github:cursor/run-button-label-and-hover-fdc2 github:fix/tracespans github:sim-614 github:fix/kbtags github:feat/agent-media github:feat/copilot-server github:cleanup github:fix/hitl-outputs github:fix/copilot-credentials-validation github:dependabot/npm_and_yarn/npm_and_yarn-ae354da9f7 github:fix/s-tool github:lakees/db github:improvement/copilot-refactor github:feat/copilot-resume github:fix/start-inp github:feat/impersonation github:fix/refresh github:fix/copilot-thinking github:feat/groups github:fix/dups github:improvement/copilot-superagent-split github:improvement/respone-block github:SIM-514-useWebhookUrl-conditioning github:sim-499 github:fix/tool-output github:feat/figma github:feat/custom-oauth-adv-mdoe github:feat/zapier github:feat/snowflake github:feat/workflow-import-su github:feat/run-from-block github:improvement/debug-mode github:feat/while-subflow github:feat/aws-lambda
github:v0.5.85 github:v0.5.84 github:v0.5.83 github:v0.5.82 github:v0.5.81 github:v0.5.80 github:v0.5.79 github:v0.5.78 github:v0.5.77 github:v0.5.76 github:v0.5.75 github:v0.5.74 github:v0.5.73 github:v0.5.72 github:v0.5.71 github:python-sdk-v0.1.2 github:typescript-sdk-v0.1.2 github:v0.5.70 github:v0.5.69 github:v0.5.68 github:v0.5.67 github:v0.5.66 github:v0.5.65 github:v0.5.64 github:v0.5.63 github:v0.5.62 github:v0.5.61 github:v0.5.60 github:v0.5.59 github:v0.5.58 github:v0.5.57 github:v0.5.56 github:v0.5.55 github:v0.5.54 github:v0.5.53 github:v0.5.52 github:v0.5.51 github:v0.5.50 github:v0.5.49 github:v0.5.48 github:v0.5.47 github:v0.5.46 github:v0.5.45 github:v0.5.44 github:v0.5.43 github:v0.5.42 github:v0.5.41 github:v0.5.40 github:v0.5.39 github:v0.5.38 github:v0.5.37 github:v0.5.36 github:v0.5.35 github:v0.5.34 github:v0.5.33 github:v0.5.32 github:v0.5.31 github:v0.5.30 github:v0.5.29 github:v0.5.28 github:v0.5.27 github:v0.5.26 github:v0.5.25 github:v0.5.24 github:v0.5.23 github:v0.5.22 github:v0.5.21 github:v0.5.20 github:v0.5.19 github:v0.5.18 github:v0.5.17 github:v0.5.16 github:v0.5.15 github:v0.5.14 github:python-sdk-v0.1.1 github:typescript-sdk-v0.1.1 github:v0.5.13 github:v0.5.12 github:v0.5.11 github:v0.5.8 github:v0.5.9 github:v0.5.7 github:v0.5.6 github:v0.5.5 github:v0.5.2 github:v0.5.1 github:v0.5 github:v0.4.25 github:v0.4.24 github:v0.4.23 github:v0.4.22 github:v0.4.21 github:v0.4.20 github:v0.4.19 github:v0.4.17 github:v0.4.16 github:v0.4.15 github:v0.4.14 github:v0.4.13 github:v0.4.12 github:v0.4.11 github:v0.4.10 github:v0.4.9 github:v0.4.8 github:v0.4.7 github:v0.4.6 github:v0.4.5 github:v0.4.4 github:v0.4.3 github:v0.4.2 github:v0.4.1 github:v0.4.0 github:v0.3.41 github:v0.3.42 github:v0.3.43 github:v0.3.44 github:v0.3.45 github:v0.3.46 github:v0.3.47 github:v0.3.50 github:v0.3.51 github:v0.3.52 github:v0.3.53 github:v0.3.54 github:v0.3.55 github:v0.3.56 github:v0.3.57 github:v0.3.58 github:v0.2.1 github:v0.2.2 github:v0.2.3 github:v0.2.4 github:v0.2.5 github:v0.2.6 github:v0.2.7 github:v0.2.8 github:v0.2.9 github:v0.2.11 github:v0.2.12 github:v0.2.13 github:v0.3.1 github:v0.3.2 github:v0.3.3 github:v0.3.4 github:v0.3.5 github:v0.3.6 github:v0.3.7 github:v0.3.8 github:v0.3.9 github:v0.3.10 github:v0.3.13 github:v0.3.14 github:v0.3.15 github:v0.3.16 github:v0.3.17 github:v0.3.19 github:v0.3.21 github:v0.3.22 github:v0.3.23 github:v0.3.24 github:v0.3.26 github:v0.3.27 github:v0.3.28 github:v0.3.30 github:v0.3.31 github:v0.3.32 github:v0.3.33 github:v0.3.34 github:v0.3.35 github:v0.3.36 github:v0.3.37 github:v0.3.38 github:v0.3.39 github:v0.3.40 github:v1.0.0

8 Commits
feat/copil ... staging

Author SHA1 Message Date
Waleed
f5dc180d9f fix(memory): upgrade bun from 1.3.3 to 1.3.9 (#3186) 2026-02-10 19:30:31 -08:00
Waleed
78fef22d0e fix(execution): scope execution state per workflow to prevent cross-workflow bleed (#3183) 
* fix(execution): scope execution state per workflow to prevent cross-workflow bleed

* fix(execution): use validated workflowId param instead of non-null assertion in handleRunUntilBlock

* improvement(execution): use individual selectors to avoid unnecessary re-renders from unselectored store hook

* improvement(execution): use useShallow selector in workflow.tsx to avoid re-renders from lastRunPath/lastRunEdges changes
 2026-02-10 18:17:50 -08:00
Waleed
6d16f216c8 improvement(mcp): improved mcp sse events notifs, update jira to handle files, fix UI issues in settings modal, fix org and workspace invitations when bundled (#3182) 
* improvement(mcp): improved mcp sse events notifs, update jira to handle files, fix UI issues in settings modal, fix org and workspace invitations when bundled

* added back useMcpToolsEvents for event-driven discovery

* ack PR comments

* updated placeholder

* updated colors, error throwing in mcp modal

* ack comments

* updated error msg
 2026-02-10 17:08:57 -08:00
Waleed
f8e9614c9c improvement(helm): support copilot-only deployments (#3185) 2026-02-10 17:03:11 -08:00
Siddharth Ganesan
c5dd90e79d feat(copilot): enterprise configuration (#3184) 
* Copilot enterprise models

* Fix azure anthropic

* Fix

* Consolidation

* Cleanup

* Clean up code

* Fix lint

* cleanup

* Fix greptile
 2026-02-10 16:37:30 -08:00
Vikhyath Mondreti
20b230d1aa improvement(schema): centralize derivation of block schemas (#3175) 
* improvement(schema): centralize derivation of block schemas

* address bugbot comments

* remove unused code

* address greptile comments

* merge conflict resolution

* fix

* update tests

* address greptile comments

* make evaluator metrics only

* return base and metrics for evaluator
 2026-02-10 16:31:50 -08:00
Vikhyath Mondreti
be3cdcf981 Merge pull request #3179 from simstudioai/improvement/file-download-timeouts 
improvement(timeouts): files/base64 should use max timeouts + auth centralization
 2026-02-10 15:57:06 -08:00
Emir Karabeg
73540e3936 feat(logs): add skill icon to trace spans (#3181) 
Adds the AgentSkillsIcon to trace spans in logs when displaying the
load_skill tool. Previously, skills appeared with a default gray color.
Now they display with the proper skill icon and a purple (#8B5CF6)
background color, consistent with the skills icon used in the settings
modal and skill input components.

Co-authored-by: Cursor Agent <cursoragent@cursor.com>
Co-authored-by: Emir Karabeg <emir-karabeg@users.noreply.github.com>
 2026-02-10 12:46:21 -08:00
201 changed files with 5225 additions and 3635 deletions
Expand all files Collapse all files

2
.devcontainer/Dockerfile
View File

@@ -1,4 +1,4 @@
FROM oven/bun:1.3.3-alpine
FROM oven/bun:1.3.9-alpine
# Install necessary packages for development
RUN apk add --no-cache \

2
.github/workflows/docs-embeddings.yml vendored
View File

@@ -20,7 +20,7 @@ jobs:
- name: Setup Bun
uses: oven-sh/setup-bun@v2
with:
bun-version: 1.3.3
bun-version: 1.3.9
- name: Setup Node
uses: actions/setup-node@v4

4
.github/workflows/i18n.yml vendored
View File

@@ -26,7 +26,7 @@ jobs:
- name: Setup Bun
uses: oven-sh/setup-bun@v2
with:
bun-version: 1.3.3
bun-version: 1.3.9
- name: Cache Bun dependencies
uses: actions/cache@v4
@@ -125,7 +125,7 @@ jobs:
- name: Setup Bun
uses: oven-sh/setup-bun@v2
with:
bun-version: 1.3.3
bun-version: 1.3.9
- name: Cache Bun dependencies
uses: actions/cache@v4

2
.github/workflows/migrations.yml vendored
View File

@@ -19,7 +19,7 @@ jobs:
- name: Setup Bun
uses: oven-sh/setup-bun@v2
with:
bun-version: 1.3.3
bun-version: 1.3.9
- name: Cache Bun dependencies
uses: actions/cache@v4

2
.github/workflows/publish-cli.yml vendored
View File

@@ -19,7 +19,7 @@ jobs:
- name: Setup Bun
uses: oven-sh/setup-bun@v2
with:
bun-version: 1.3.3
bun-version: 1.3.9
- name: Setup Node.js for npm publishing
uses: actions/setup-node@v4

2
.github/workflows/publish-ts-sdk.yml vendored
View File

@@ -19,7 +19,7 @@ jobs:
- name: Setup Bun
uses: oven-sh/setup-bun@v2
with:
bun-version: 1.3.3
bun-version: 1.3.9
- name: Setup Node.js for npm publishing
uses: actions/setup-node@v4

2
.github/workflows/test-build.yml vendored
View File

@@ -19,7 +19,7 @@ jobs:
- name: Setup Bun
uses: oven-sh/setup-bun@v2
with:
bun-version: 1.3.3
bun-version: 1.3.9
- name: Setup Node
uses: actions/setup-node@v4

37
apps/docs/content/docs/en/tools/jira.mdx
View File

@@ -44,6 +44,7 @@ Retrieve detailed information about a specific Jira issue
| --------- | ---- | -------- | ----------- |
| `domain` | string | Yes | Your Jira domain \(e.g., yourcompany.atlassian.net\) |
| `issueKey` | string | Yes | Jira issue key to retrieve \(e.g., PROJ-123\) |
| `includeAttachments` | boolean | No | Download attachment file contents and include them as files in the output |
| `cloudId` | string | No | Jira Cloud ID for the instance. If not provided, it will be fetched using the domain. |
#### Output
@@ -65,6 +66,7 @@ Retrieve detailed information about a specific Jira issue
| ↳ `key` | string | Status category key \(e.g., new, indeterminate, done\) |
| ↳ `name` | string | Status category name \(e.g., To Do, In Progress, Done\) |
| ↳ `colorName` | string | Status category color \(e.g., blue-gray, yellow, green\) |
| `statusName` | string | Issue status name \(e.g., Open, In Progress, Done\) |
| `issuetype` | object | Issue type |
| ↳ `id` | string | Issue type ID |
| ↳ `name` | string | Issue type name \(e.g., Task, Bug, Story, Epic\) |
@@ -88,6 +90,7 @@ Retrieve detailed information about a specific Jira issue
| ↳ `accountType` | string | Type of account \(e.g., atlassian, app, customer\) |
| ↳ `avatarUrl` | string | URL to the user avatar \(48x48\) |
| ↳ `timeZone` | string | User timezone |
| `assigneeName` | string | Assignee display name or account ID |
| `reporter` | object | Reporter user |
| ↳ `accountId` | string | Atlassian account ID of the user |
| ↳ `displayName` | string | Display name of the user |
@@ -173,6 +176,7 @@ Retrieve detailed information about a specific Jira issue
| ↳ `accountType` | string | Type of account \(e.g., atlassian, app, customer\) |
| ↳ `avatarUrl` | string | URL to the user avatar \(48x48\) |
| ↳ `timeZone` | string | User timezone |
| ↳ `authorName` | string | Comment author display name |
| ↳ `updateAuthor` | object | User who last updated the comment |
| ↳ `accountId` | string | Atlassian account ID of the user |
| ↳ `displayName` | string | Display name of the user |
@@ -196,6 +200,7 @@ Retrieve detailed information about a specific Jira issue
| ↳ `accountType` | string | Type of account \(e.g., atlassian, app, customer\) |
| ↳ `avatarUrl` | string | URL to the user avatar \(48x48\) |
| ↳ `timeZone` | string | User timezone |
| ↳ `authorName` | string | Worklog author display name |
| ↳ `updateAuthor` | object | User who last updated the worklog |
| ↳ `accountId` | string | Atlassian account ID of the user |
| ↳ `displayName` | string | Display name of the user |
@@ -225,9 +230,11 @@ Retrieve detailed information about a specific Jira issue
| ↳ `accountType` | string | Type of account \(e.g., atlassian, app, customer\) |
| ↳ `avatarUrl` | string | URL to the user avatar \(48x48\) |
| ↳ `timeZone` | string | User timezone |
| ↳ `authorName` | string | Attachment author display name |
| ↳ `created` | string | ISO 8601 timestamp when the attachment was created |
| `issueKey` | string | Issue key \(e.g., PROJ-123\) |
| `issue` | json | Complete raw Jira issue object from the API |
| `files` | file[] | Downloaded attachment files \(only when includeAttachments is true\) |
### `jira_update`
@@ -258,6 +265,7 @@ Update a Jira issue
| Parameter | Type | Description |
| --------- | ---- | ----------- |
| `ts` | string | ISO 8601 timestamp of the operation |
| `success` | boolean | Operation success status |
| `issueKey` | string | Updated issue key \(e.g., PROJ-123\) |
| `summary` | string | Issue summary after update |
@@ -296,6 +304,7 @@ Create a new Jira issue
| `issueKey` | string | Created issue key \(e.g., PROJ-123\) |
| `self` | string | REST API URL for the created issue |
| `summary` | string | Issue summary |
| `success` | boolean | Whether the issue was created successfully |
| `url` | string | URL to the created issue in Jira |
| `assigneeId` | string | Account ID of the assigned user \(null if no assignee was set\) |
@@ -358,6 +367,7 @@ Delete a Jira issue
| Parameter | Type | Description |
| --------- | ---- | ----------- |
| `ts` | string | ISO 8601 timestamp of the operation |
| `success` | boolean | Operation success status |
| `issueKey` | string | Deleted issue key |
### `jira_assign_issue`
@@ -378,6 +388,7 @@ Assign a Jira issue to a user
| Parameter | Type | Description |
| --------- | ---- | ----------- |
| `ts` | string | ISO 8601 timestamp of the operation |
| `success` | boolean | Operation success status |
| `issueKey` | string | Issue key that was assigned |
| `assigneeId` | string | Account ID of the assignee \(use "-1" for auto-assign, null to unassign\) |
@@ -401,6 +412,7 @@ Move a Jira issue between workflow statuses (e.g., To Do -> In Progress)
| Parameter | Type | Description |
| --------- | ---- | ----------- |
| `ts` | string | ISO 8601 timestamp of the operation |
| `success` | boolean | Operation success status |
| `issueKey` | string | Issue key that was transitioned |
| `transitionId` | string | Applied transition ID |
| `transitionName` | string | Applied transition name |
@@ -443,6 +455,7 @@ Search for Jira issues using JQL (Jira Query Language)
| ↳ `key` | string | Status category key \(e.g., new, indeterminate, done\) |
| ↳ `name` | string | Status category name \(e.g., To Do, In Progress, Done\) |
| ↳ `colorName` | string | Status category color \(e.g., blue-gray, yellow, green\) |
| ↳ `statusName` | string | Issue status name \(e.g., Open, In Progress, Done\) |
| ↳ `issuetype` | object | Issue type |
| ↳ `id` | string | Issue type ID |
| ↳ `name` | string | Issue type name \(e.g., Task, Bug, Story, Epic\) |
@@ -466,6 +479,7 @@ Search for Jira issues using JQL (Jira Query Language)
| ↳ `accountType` | string | Type of account \(e.g., atlassian, app, customer\) |
| ↳ `avatarUrl` | string | URL to the user avatar \(48x48\) |
| ↳ `timeZone` | string | User timezone |
| ↳ `assigneeName` | string | Assignee display name or account ID |
| ↳ `reporter` | object | Reporter user |
| ↳ `accountId` | string | Atlassian account ID of the user |
| ↳ `displayName` | string | Display name of the user |
@@ -509,6 +523,7 @@ Add a comment to a Jira issue
| Parameter | Type | Description |
| --------- | ---- | ----------- |
| `ts` | string | ISO 8601 timestamp of the operation |
| `success` | boolean | Operation success status |
| `issueKey` | string | Issue key the comment was added to |
| `commentId` | string | Created comment ID |
| `body` | string | Comment text content |
@@ -558,6 +573,7 @@ Get all comments from a Jira issue
| ↳ `accountType` | string | Type of account \(e.g., atlassian, app, customer\) |
| ↳ `avatarUrl` | string | URL to the user avatar \(48x48\) |
| ↳ `timeZone` | string | User timezone |
| ↳ `authorName` | string | Comment author display name |
| ↳ `updateAuthor` | object | User who last updated the comment |
| ↳ `accountId` | string | Atlassian account ID of the user |
| ↳ `displayName` | string | Display name of the user |
@@ -592,6 +608,7 @@ Update an existing comment on a Jira issue
| Parameter | Type | Description |
| --------- | ---- | ----------- |
| `ts` | string | ISO 8601 timestamp of the operation |
| `success` | boolean | Operation success status |
| `issueKey` | string | Issue key |
| `commentId` | string | Updated comment ID |
| `body` | string | Updated comment text |
@@ -624,6 +641,7 @@ Delete a comment from a Jira issue
| Parameter | Type | Description |
| --------- | ---- | ----------- |
| `ts` | string | ISO 8601 timestamp of the operation |
| `success` | boolean | Operation success status |
| `issueKey` | string | Issue key |
| `commentId` | string | Deleted comment ID |
@@ -637,6 +655,7 @@ Get all attachments from a Jira issue
| --------- | ---- | -------- | ----------- |
| `domain` | string | Yes | Your Jira domain \(e.g., yourcompany.atlassian.net\) |
| `issueKey` | string | Yes | Jira issue key to get attachments from \(e.g., PROJ-123\) |
| `includeAttachments` | boolean | No | Download attachment file contents and include them as files in the output |
| `cloudId` | string | No | Jira Cloud ID for the instance. If not provided, it will be fetched using the domain. |
#### Output
@@ -660,7 +679,9 @@ Get all attachments from a Jira issue
| ↳ `accountType` | string | Type of account \(e.g., atlassian, app, customer\) |
| ↳ `avatarUrl` | string | URL to the user avatar \(48x48\) |
| ↳ `timeZone` | string | User timezone |
| ↳ `authorName` | string | Attachment author display name |
| ↳ `created` | string | ISO 8601 timestamp when the attachment was created |
| `files` | file[] | Downloaded attachment files \(only when includeAttachments is true\) |
### `jira_add_attachment`
@@ -688,10 +709,7 @@ Add attachments to a Jira issue
| ↳ `size` | number | File size in bytes |
| ↳ `content` | string | URL to download the attachment |
| `attachmentIds` | array | Array of attachment IDs |
| `files` | array | Uploaded file metadata |
| ↳ `name` | string | File name |
| ↳ `mimeType` | string | MIME type |
| ↳ `size` | number | File size in bytes |
| `files` | file[] | Uploaded attachment files |
### `jira_delete_attachment`
@@ -710,6 +728,7 @@ Delete an attachment from a Jira issue
| Parameter | Type | Description |
| --------- | ---- | ----------- |
| `ts` | string | ISO 8601 timestamp of the operation |
| `success` | boolean | Operation success status |
| `attachmentId` | string | Deleted attachment ID |
### `jira_add_worklog`
@@ -733,6 +752,7 @@ Add a time tracking worklog entry to a Jira issue
| Parameter | Type | Description |
| --------- | ---- | ----------- |
| `ts` | string | ISO 8601 timestamp of the operation |
| `success` | boolean | Operation success status |
| `issueKey` | string | Issue key the worklog was added to |
| `worklogId` | string | Created worklog ID |
| `timeSpent` | string | Time spent in human-readable format \(e.g., 3h 20m\) |
@@ -781,6 +801,7 @@ Get all worklog entries from a Jira issue
| ↳ `accountType` | string | Type of account \(e.g., atlassian, app, customer\) |
| ↳ `avatarUrl` | string | URL to the user avatar \(48x48\) |
| ↳ `timeZone` | string | User timezone |
| ↳ `authorName` | string | Worklog author display name |
| ↳ `updateAuthor` | object | User who last updated the worklog |
| ↳ `accountId` | string | Atlassian account ID of the user |
| ↳ `displayName` | string | Display name of the user |
@@ -818,6 +839,7 @@ Update an existing worklog entry on a Jira issue
| Parameter | Type | Description |
| --------- | ---- | ----------- |
| `ts` | string | ISO 8601 timestamp of the operation |
| `success` | boolean | Operation success status |
| `issueKey` | string | Issue key |
| `worklogId` | string | Updated worklog ID |
| `timeSpent` | string | Human-readable time spent \(e.g., "3h 20m"\) |
@@ -861,6 +883,7 @@ Delete a worklog entry from a Jira issue
| Parameter | Type | Description |
| --------- | ---- | ----------- |
| `ts` | string | ISO 8601 timestamp of the operation |
| `success` | boolean | Operation success status |
| `issueKey` | string | Issue key |
| `worklogId` | string | Deleted worklog ID |
@@ -884,6 +907,7 @@ Create a link relationship between two Jira issues
| Parameter | Type | Description |
| --------- | ---- | ----------- |
| `ts` | string | ISO 8601 timestamp of the operation |
| `success` | boolean | Operation success status |
| `inwardIssue` | string | Inward issue key |
| `outwardIssue` | string | Outward issue key |
| `linkType` | string | Type of issue link |
@@ -906,6 +930,7 @@ Delete a link between two Jira issues
| Parameter | Type | Description |
| --------- | ---- | ----------- |
| `ts` | string | ISO 8601 timestamp of the operation |
| `success` | boolean | Operation success status |
| `linkId` | string | Deleted link ID |
### `jira_add_watcher`
@@ -926,6 +951,7 @@ Add a watcher to a Jira issue to receive notifications about updates
| Parameter | Type | Description |
| --------- | ---- | ----------- |
| `ts` | string | ISO 8601 timestamp of the operation |
| `success` | boolean | Operation success status |
| `issueKey` | string | Issue key |
| `watcherAccountId` | string | Added watcher account ID |
@@ -947,6 +973,7 @@ Remove a watcher from a Jira issue
| Parameter | Type | Description |
| --------- | ---- | ----------- |
| `ts` | string | ISO 8601 timestamp of the operation |
| `success` | boolean | Operation success status |
| `issueKey` | string | Issue key |
| `watcherAccountId` | string | Removed watcher account ID |
@@ -977,6 +1004,8 @@ Get Jira users. If an account ID is provided, returns a single user. Otherwise,
| ↳ `accountType` | string | Type of account \(e.g., atlassian, app, customer\) |
| ↳ `avatarUrl` | string | URL to the user avatar \(48x48\) |
| ↳ `timeZone` | string | User timezone |
| ↳ `avatarUrls` | json | User avatar URLs in multiple sizes \(16x16, 24x24, 32x32, 48x48\) |
| ↳ `self` | string | REST API URL for this user |
| `total` | number | Total number of users returned |
| `startAt` | number | Pagination start index |
| `maxResults` | number | Maximum results per page |

7
apps/sim/app/api/a2a/agents/[agentId]/route.ts
View File

@@ -41,7 +41,12 @@ export async function GET(request: NextRequest, { params }: { params: Promise<Ro
if (!agent.agent.isPublished) {
const auth = await checkSessionOrInternalAuth(request, { requireWorkflowId: false })
if (!auth.success) {
if (!auth.success || !auth.userId) {
return NextResponse.json({ error: 'Agent not published' }, { status: 404 })
}
const workspaceAccess = await checkWorkspaceAccess(agent.agent.workspaceId, auth.userId)
if (!workspaceAccess.exists || !workspaceAccess.hasAccess) {
return NextResponse.json({ error: 'Agent not published' }, { status: 404 })
}
}

17
apps/sim/app/api/a2a/agents/route.ts
View File

@@ -16,7 +16,7 @@ import { sanitizeAgentName } from '@/lib/a2a/utils'
import { checkSessionOrInternalAuth } from '@/lib/auth/hybrid'
import { loadWorkflowFromNormalizedTables } from '@/lib/workflows/persistence/utils'
import { hasValidStartBlockInState } from '@/lib/workflows/triggers/trigger-utils'
import { getWorkspaceById } from '@/lib/workspaces/permissions/utils'
import { checkWorkspaceAccess } from '@/lib/workspaces/permissions/utils'
const logger = createLogger('A2AAgentsAPI')
@@ -39,10 +39,13 @@ export async function GET(request: NextRequest) {
return NextResponse.json({ error: 'workspaceId is required' }, { status: 400 })
}
const ws = await getWorkspaceById(workspaceId)
if (!ws) {
const workspaceAccess = await checkWorkspaceAccess(workspaceId, auth.userId)
if (!workspaceAccess.exists) {
return NextResponse.json({ error: 'Workspace not found' }, { status: 404 })
}
if (!workspaceAccess.hasAccess) {
return NextResponse.json({ error: 'Forbidden' }, { status: 403 })
}
const agents = await db
.select({
@@ -103,6 +106,14 @@ export async function POST(request: NextRequest) {
)
}
const workspaceAccess = await checkWorkspaceAccess(workspaceId, auth.userId)
if (!workspaceAccess.exists) {
return NextResponse.json({ error: 'Workspace not found' }, { status: 404 })
}
if (!workspaceAccess.canWrite) {
return NextResponse.json({ error: 'Forbidden' }, { status: 403 })
}
const [wf] = await db
.select({
id: workflow.id,

121
apps/sim/app/api/a2a/serve/[agentId]/route.ts
View File

@@ -13,12 +13,14 @@ import {
isTerminalState,
parseWorkflowSSEChunk,
} from '@/lib/a2a/utils'
import { checkHybridAuth } from '@/lib/auth/hybrid'
import { type AuthResult, checkHybridAuth } from '@/lib/auth/hybrid'
import { acquireLock, getRedisClient, releaseLock } from '@/lib/core/config/redis'
import { validateUrlWithDNS } from '@/lib/core/security/input-validation.server'
import { SSE_HEADERS } from '@/lib/core/utils/sse'
import { getBaseUrl } from '@/lib/core/utils/urls'
import { markExecutionCancelled } from '@/lib/execution/cancellation'
import { checkWorkspaceAccess } from '@/lib/workspaces/permissions/utils'
import { getWorkspaceBilledAccountUserId } from '@/lib/workspaces/utils'
import {
A2A_ERROR_CODES,
A2A_METHODS,
@@ -191,6 +193,9 @@ export async function POST(request: NextRequest, { params }: { params: Promise<R
const authSchemes = (agent.authentication as { schemes?: string[] })?.schemes || []
const requiresAuth = !authSchemes.includes('none')
let authenticatedUserId: string | null = null
let authenticatedAuthType: AuthResult['authType']
let authenticatedApiKeyType: AuthResult['apiKeyType']
if (requiresAuth) {
const auth = await checkHybridAuth(request, { requireWorkflowId: false })
@@ -200,6 +205,17 @@ export async function POST(request: NextRequest, { params }: { params: Promise<R
{ status: 401 }
)
}
authenticatedUserId = auth.userId
authenticatedAuthType = auth.authType
authenticatedApiKeyType = auth.apiKeyType
const workspaceAccess = await checkWorkspaceAccess(agent.workspaceId, authenticatedUserId)
if (!workspaceAccess.exists || !workspaceAccess.hasAccess) {
return NextResponse.json(
createError(null, A2A_ERROR_CODES.AUTHENTICATION_REQUIRED, 'Access denied'),
{ status: 403 }
)
}
}
const [wf] = await db
@@ -225,34 +241,61 @@ export async function POST(request: NextRequest, { params }: { params: Promise<R
}
const { id, method, params: rpcParams } = body
const apiKey = request.headers.get('X-API-Key')
const requestApiKey = request.headers.get('X-API-Key')
const apiKey = authenticatedAuthType === 'api_key' ? requestApiKey : null
const isPersonalApiKeyCaller =
authenticatedAuthType === 'api_key' && authenticatedApiKeyType === 'personal'
const billedUserId = await getWorkspaceBilledAccountUserId(agent.workspaceId)
if (!billedUserId) {
logger.error('Unable to resolve workspace billed account for A2A execution', {
agentId: agent.id,
workspaceId: agent.workspaceId,
})
return NextResponse.json(
createError(
id,
A2A_ERROR_CODES.INTERNAL_ERROR,
'Unable to resolve billing account for this workspace'
),
{ status: 500 }
)
}
const executionUserId =
isPersonalApiKeyCaller && authenticatedUserId ? authenticatedUserId : billedUserId
logger.info(`A2A request: ${method} for agent ${agentId}`)
switch (method) {
case A2A_METHODS.MESSAGE_SEND:
return handleMessageSend(id, agent, rpcParams as MessageSendParams, apiKey)
return handleMessageSend(id, agent, rpcParams as MessageSendParams, apiKey, executionUserId)
case A2A_METHODS.MESSAGE_STREAM:
return handleMessageStream(request, id, agent, rpcParams as MessageSendParams, apiKey)
return handleMessageStream(
request,
id,
agent,
rpcParams as MessageSendParams,
apiKey,
executionUserId
)
case A2A_METHODS.TASKS_GET:
return handleTaskGet(id, rpcParams as TaskIdParams)
return handleTaskGet(id, agent.id, rpcParams as TaskIdParams)
case A2A_METHODS.TASKS_CANCEL:
return handleTaskCancel(id, rpcParams as TaskIdParams)
return handleTaskCancel(id, agent.id, rpcParams as TaskIdParams)
case A2A_METHODS.TASKS_RESUBSCRIBE:
return handleTaskResubscribe(request, id, rpcParams as TaskIdParams)
return handleTaskResubscribe(request, id, agent.id, rpcParams as TaskIdParams)
case A2A_METHODS.PUSH_NOTIFICATION_SET:
return handlePushNotificationSet(id, rpcParams as PushNotificationSetParams)
return handlePushNotificationSet(id, agent.id, rpcParams as PushNotificationSetParams)
case A2A_METHODS.PUSH_NOTIFICATION_GET:
return handlePushNotificationGet(id, rpcParams as TaskIdParams)
return handlePushNotificationGet(id, agent.id, rpcParams as TaskIdParams)
case A2A_METHODS.PUSH_NOTIFICATION_DELETE:
return handlePushNotificationDelete(id, rpcParams as TaskIdParams)
return handlePushNotificationDelete(id, agent.id, rpcParams as TaskIdParams)
default:
return NextResponse.json(
@@ -268,6 +311,14 @@ export async function POST(request: NextRequest, { params }: { params: Promise<R
}
}
async function getTaskForAgent(taskId: string, agentId: string) {
const [task] = await db.select().from(a2aTask).where(eq(a2aTask.id, taskId)).limit(1)
if (!task || task.agentId !== agentId) {
return null
}
return task
}
/**
* Handle message/send - Send a message (v0.3)
*/
@@ -280,7 +331,8 @@ async function handleMessageSend(
workspaceId: string
},
params: MessageSendParams,
apiKey?: string | null
apiKey?: string | null,
executionUserId?: string
): Promise<NextResponse> {
if (!params?.message) {
return NextResponse.json(
@@ -318,6 +370,13 @@ async function handleMessageSend(
)
}
if (existingTask.agentId !== agent.id) {
return NextResponse.json(
createError(id, A2A_ERROR_CODES.TASK_NOT_FOUND, 'Task not found'),
{ status: 404 }
)
}
if (isTerminalState(existingTask.status as TaskState)) {
return NextResponse.json(
createError(id, A2A_ERROR_CODES.TASK_ALREADY_COMPLETE, 'Task already in terminal state'),
@@ -363,6 +422,7 @@ async function handleMessageSend(
} = await buildExecuteRequest({
workflowId: agent.workflowId,
apiKey,
userId: executionUserId,
})
logger.info(`Executing workflow ${agent.workflowId} for A2A task ${taskId}`)
@@ -475,7 +535,8 @@ async function handleMessageStream(
workspaceId: string
},
params: MessageSendParams,
apiKey?: string | null
apiKey?: string | null,
executionUserId?: string
): Promise<NextResponse> {
if (!params?.message) {
return NextResponse.json(
@@ -522,6 +583,13 @@ async function handleMessageStream(
})
}
if (existingTask.agentId !== agent.id) {
await releaseLock(lockKey, lockValue)
return NextResponse.json(createError(id, A2A_ERROR_CODES.TASK_NOT_FOUND, 'Task not found'), {
status: 404,
})
}
if (isTerminalState(existingTask.status as TaskState)) {
await releaseLock(lockKey, lockValue)
return NextResponse.json(
@@ -595,6 +663,7 @@ async function handleMessageStream(
} = await buildExecuteRequest({
workflowId: agent.workflowId,
apiKey,
userId: executionUserId,
stream: true,
})
@@ -788,7 +857,11 @@ async function handleMessageStream(
/**
* Handle tasks/get - Query task status
*/
async function handleTaskGet(id: string | number, params: TaskIdParams): Promise<NextResponse> {
async function handleTaskGet(
id: string | number,
agentId: string,
params: TaskIdParams
): Promise<NextResponse> {
if (!params?.id) {
return NextResponse.json(
createError(id, A2A_ERROR_CODES.INVALID_PARAMS, 'Task ID is required'),
@@ -801,7 +874,7 @@ async function handleTaskGet(id: string | number, params: TaskIdParams): Promise
? params.historyLength
: undefined
const [task] = await db.select().from(a2aTask).where(eq(a2aTask.id, params.id)).limit(1)
const task = await getTaskForAgent(params.id, agentId)
if (!task) {
return NextResponse.json(createError(id, A2A_ERROR_CODES.TASK_NOT_FOUND, 'Task not found'), {
@@ -825,7 +898,11 @@ async function handleTaskGet(id: string | number, params: TaskIdParams): Promise
/**
* Handle tasks/cancel - Cancel a running task
*/
async function handleTaskCancel(id: string | number, params: TaskIdParams): Promise<NextResponse> {
async function handleTaskCancel(
id: string | number,
agentId: string,
params: TaskIdParams
): Promise<NextResponse> {
if (!params?.id) {
return NextResponse.json(
createError(id, A2A_ERROR_CODES.INVALID_PARAMS, 'Task ID is required'),
@@ -833,7 +910,7 @@ async function handleTaskCancel(id: string | number, params: TaskIdParams): Prom
)
}
const [task] = await db.select().from(a2aTask).where(eq(a2aTask.id, params.id)).limit(1)
const task = await getTaskForAgent(params.id, agentId)
if (!task) {
return NextResponse.json(createError(id, A2A_ERROR_CODES.TASK_NOT_FOUND, 'Task not found'), {
@@ -897,6 +974,7 @@ async function handleTaskCancel(id: string | number, params: TaskIdParams): Prom
async function handleTaskResubscribe(
request: NextRequest,
id: string | number,
agentId: string,
params: TaskIdParams
): Promise<NextResponse> {
if (!params?.id) {
@@ -906,7 +984,7 @@ async function handleTaskResubscribe(
)
}
const [task] = await db.select().from(a2aTask).where(eq(a2aTask.id, params.id)).limit(1)
const task = await getTaskForAgent(params.id, agentId)
if (!task) {
return NextResponse.json(createError(id, A2A_ERROR_CODES.TASK_NOT_FOUND, 'Task not found'), {
@@ -1103,6 +1181,7 @@ async function handleTaskResubscribe(
*/
async function handlePushNotificationSet(
id: string | number,
agentId: string,
params: PushNotificationSetParams
): Promise<NextResponse> {
if (!params?.id) {
@@ -1130,7 +1209,7 @@ async function handlePushNotificationSet(
)
}
const [task] = await db.select().from(a2aTask).where(eq(a2aTask.id, params.id)).limit(1)
const task = await getTaskForAgent(params.id, agentId)
if (!task) {
return NextResponse.json(createError(id, A2A_ERROR_CODES.TASK_NOT_FOUND, 'Task not found'), {
@@ -1181,6 +1260,7 @@ async function handlePushNotificationSet(
*/
async function handlePushNotificationGet(
id: string | number,
agentId: string,
params: TaskIdParams
): Promise<NextResponse> {
if (!params?.id) {
@@ -1190,7 +1270,7 @@ async function handlePushNotificationGet(
)
}
const [task] = await db.select().from(a2aTask).where(eq(a2aTask.id, params.id)).limit(1)
const task = await getTaskForAgent(params.id, agentId)
if (!task) {
return NextResponse.json(createError(id, A2A_ERROR_CODES.TASK_NOT_FOUND, 'Task not found'), {
@@ -1224,6 +1304,7 @@ async function handlePushNotificationGet(
*/
async function handlePushNotificationDelete(
id: string | number,
agentId: string,
params: TaskIdParams
): Promise<NextResponse> {
if (!params?.id) {
@@ -1233,7 +1314,7 @@ async function handlePushNotificationDelete(
)
}
const [task] = await db.select().from(a2aTask).where(eq(a2aTask.id, params.id)).limit(1)
const task = await getTaskForAgent(params.id, agentId)
if (!task) {
return NextResponse.json(createError(id, A2A_ERROR_CODES.TASK_NOT_FOUND, 'Task not found'), {

3
apps/sim/app/api/a2a/serve/[agentId]/utils.ts
View File

@@ -105,6 +105,7 @@ export function formatTaskResponse(task: Task, historyLength?: number): Task {
export interface ExecuteRequestConfig {
workflowId: string
apiKey?: string | null
userId?: string
stream?: boolean
}
@@ -124,7 +125,7 @@ export async function buildExecuteRequest(
if (config.apiKey) {
headers['X-API-Key'] = config.apiKey
} else {
const internalToken = await generateInternalToken()
const internalToken = await generateInternalToken(config.userId)
headers.Authorization = `Bearer ${internalToken}`
useInternalAuth = true
}

83
apps/sim/app/api/auth/oauth/credentials/route.ts
View File

@@ -1,5 +1,5 @@
import { db } from '@sim/db'
import { account, user, workflow } from '@sim/db/schema'
import { account, user } from '@sim/db/schema'
import { createLogger } from '@sim/logger'
import { and, eq } from 'drizzle-orm'
import { jwtDecode } from 'jwt-decode'
@@ -8,7 +8,7 @@ import { z } from 'zod'
import { checkSessionOrInternalAuth } from '@/lib/auth/hybrid'
import { generateRequestId } from '@/lib/core/utils/request'
import { evaluateScopeCoverage, type OAuthProvider, parseProvider } from '@/lib/oauth'
import { getUserEntityPermissions } from '@/lib/workspaces/permissions/utils'
import { authorizeWorkflowByWorkspacePermission } from '@/lib/workflows/utils'
export const dynamic = 'force-dynamic'
@@ -80,7 +80,7 @@ export async function GET(request: NextRequest) {
const { provider: providerParam, workflowId, credentialId } = parseResult.data
// Authenticate requester (supports session, API key, internal JWT)
// Authenticate requester (supports session and internal JWT)
const authResult = await checkSessionOrInternalAuth(request)
if (!authResult.success || !authResult.userId) {
logger.warn(`[${requestId}] Unauthenticated credentials request rejected`)
@@ -88,47 +88,24 @@ export async function GET(request: NextRequest) {
}
const requesterUserId = authResult.userId
// Resolve effective user id: workflow owner if workflowId provided (with access check); else requester
let effectiveUserId: string
const effectiveUserId = requesterUserId
if (workflowId) {
// Load workflow owner and workspace for access control
const rows = await db
.select({ userId: workflow.userId, workspaceId: workflow.workspaceId })
.from(workflow)
.where(eq(workflow.id, workflowId))
.limit(1)
if (!rows.length) {
logger.warn(`[${requestId}] Workflow not found for credentials request`, { workflowId })
return NextResponse.json({ error: 'Workflow not found' }, { status: 404 })
const workflowAuthorization = await authorizeWorkflowByWorkspacePermission({
workflowId,
userId: requesterUserId,
action: 'read',
})
if (!workflowAuthorization.allowed) {
logger.warn(`[${requestId}] Forbidden credentials request for workflow`, {
requesterUserId,
workflowId,
status: workflowAuthorization.status,
})
return NextResponse.json(
{ error: workflowAuthorization.message || 'Forbidden' },
{ status: workflowAuthorization.status }
)
}
const wf = rows[0]
if (requesterUserId !== wf.userId) {
if (!wf.workspaceId) {
logger.warn(
`[${requestId}] Forbidden - workflow has no workspace and requester is not owner`,
{
requesterUserId,
}
)
return NextResponse.json({ error: 'Forbidden' }, { status: 403 })
}
const perm = await getUserEntityPermissions(requesterUserId, 'workspace', wf.workspaceId)
if (perm === null) {
logger.warn(`[${requestId}] Forbidden credentials request - no workspace access`, {
requesterUserId,
workspaceId: wf.workspaceId,
})
return NextResponse.json({ error: 'Forbidden' }, { status: 403 })
}
}
effectiveUserId = wf.userId
} else {
effectiveUserId = requesterUserId
}
// Parse the provider to get base provider and feature type (if provider is present)
@@ -136,18 +113,16 @@ export async function GET(request: NextRequest) {
let accountsData
if (credentialId) {
// Foreign-aware lookup for a specific credential by id
// If workflowId is provided and requester has access (checked above), allow fetching by id only
if (workflowId) {
accountsData = await db.select().from(account).where(eq(account.id, credentialId))
} else {
// Fallback: constrain to requester's own credentials when not in a workflow context
accountsData = await db
.select()
.from(account)
.where(and(eq(account.userId, effectiveUserId), eq(account.id, credentialId)))
}
if (credentialId && workflowId) {
// When both workflowId and credentialId are provided, fetch by ID only.
// Workspace authorization above already proves access; the credential
// may belong to another workspace member (e.g. for display name resolution).
accountsData = await db.select().from(account).where(eq(account.id, credentialId))
} else if (credentialId) {
accountsData = await db
.select()
.from(account)
.where(and(eq(account.userId, effectiveUserId), eq(account.id, credentialId)))
} else {
// Fetch all credentials for provider and effective user
accountsData = await db

47
apps/sim/app/api/auth/oauth/utils.test.ts
View File

@@ -4,16 +4,9 @@
* @vitest-environment node
*/
import { createSession, loggerMock } from '@sim/testing'
import { loggerMock } from '@sim/testing'
import { afterEach, beforeEach, describe, expect, it, vi } from 'vitest'
const mockSession = createSession({ userId: 'test-user-id' })
const mockGetSession = vi.fn()
vi.mock('@/lib/auth', () => ({
getSession: () => mockGetSession(),
}))
vi.mock('@sim/db', () => ({
db: {
select: vi.fn().mockReturnThis(),
@@ -37,7 +30,6 @@ import { db } from '@sim/db'
import { refreshOAuthToken } from '@/lib/oauth'
import {
getCredential,
getUserId,
refreshAccessTokenIfNeeded,
refreshTokenIfNeeded,
} from '@/app/api/auth/oauth/utils'
@@ -48,7 +40,6 @@ const mockRefreshOAuthToken = refreshOAuthToken as any
describe('OAuth Utils', () => {
beforeEach(() => {
vi.clearAllMocks()
mockGetSession.mockResolvedValue(mockSession)
mockDbTyped.limit.mockReturnValue([])
})
@@ -56,42 +47,6 @@ describe('OAuth Utils', () => {
vi.clearAllMocks()
})
describe('getUserId', () => {
it('should get user ID from session when no workflowId is provided', async () => {
const userId = await getUserId('request-id')
expect(userId).toBe('test-user-id')
})
it('should get user ID from workflow when workflowId is provided', async () => {
mockDbTyped.limit.mockReturnValueOnce([{ userId: 'workflow-owner-id' }])
const userId = await getUserId('request-id', 'workflow-id')
expect(mockDbTyped.select).toHaveBeenCalled()
expect(mockDbTyped.from).toHaveBeenCalled()
expect(mockDbTyped.where).toHaveBeenCalled()
expect(mockDbTyped.limit).toHaveBeenCalledWith(1)
expect(userId).toBe('workflow-owner-id')
})
it('should return undefined if no session is found', async () => {
mockGetSession.mockResolvedValueOnce(null)
const userId = await getUserId('request-id')
expect(userId).toBeUndefined()
})
it('should return undefined if workflow is not found', async () => {
mockDbTyped.limit.mockReturnValueOnce([])
const userId = await getUserId('request-id', 'nonexistent-workflow-id')
expect(userId).toBeUndefined()
})
})
describe('getCredential', () => {
it('should return credential when found', async () => {
const mockCredential = { id: 'credential-id', userId: 'test-user-id' }

38
apps/sim/app/api/auth/oauth/utils.ts
View File

@@ -1,8 +1,7 @@
import { db } from '@sim/db'
import { account, credentialSetMember, workflow } from '@sim/db/schema'
import { account, credentialSetMember } from '@sim/db/schema'
import { createLogger } from '@sim/logger'
import { and, desc, eq, inArray } from 'drizzle-orm'
import { getSession } from '@/lib/auth'
import { refreshOAuthToken } from '@/lib/oauth'
import {
getMicrosoftRefreshTokenExpiry,
@@ -49,41 +48,6 @@ export async function safeAccountInsert(
}
}
/**
* Get the user ID based on either a session or a workflow ID
*/
export async function getUserId(
requestId: string,
workflowId?: string
): Promise<string | undefined> {
// If workflowId is provided, this is a server-side request
if (workflowId) {
// Get the workflow to verify the user ID
const workflows = await db
.select({ userId: workflow.userId })
.from(workflow)
.where(eq(workflow.id, workflowId))
.limit(1)
if (!workflows.length) {
logger.warn(`[${requestId}] Workflow not found`)
return undefined
}
return workflows[0].userId
}
// This is a client-side request, use the session
const session = await getSession()
// Check if the user is authenticated
if (!session?.user?.id) {
logger.warn(`[${requestId}] Unauthenticated request rejected`)
return undefined
}
return session.user.id
}
/**
* Get a credential by ID and verify it belongs to the user
*/

6
apps/sim/app/api/billing/portal/route.ts
View File

@@ -4,6 +4,7 @@ import { createLogger } from '@sim/logger'
import { and, eq, or } from 'drizzle-orm'
import { type NextRequest, NextResponse } from 'next/server'
import { getSession } from '@/lib/auth'
import { isOrganizationOwnerOrAdmin } from '@/lib/billing/core/organization'
import { requireStripeClient } from '@/lib/billing/stripe-client'
import { getBaseUrl } from '@/lib/core/utils/urls'
@@ -32,6 +33,11 @@ export async function POST(request: NextRequest) {
return NextResponse.json({ error: 'organizationId is required' }, { status: 400 })
}
const hasPermission = await isOrganizationOwnerOrAdmin(session.user.id, organizationId)
if (!hasPermission) {
return NextResponse.json({ error: 'Permission denied' }, { status: 403 })
}
const rows = await db
.select({ customer: subscriptionTable.stripeCustomerId })
.from(subscriptionTable)

4
apps/sim/app/api/chat/utils.test.ts
View File

@@ -47,6 +47,10 @@ vi.mock('@/lib/core/config/feature-flags', () => ({
isProd: false,
}))
vi.mock('@/lib/workflows/utils', () => ({
authorizeWorkflowByWorkspacePermission: vi.fn(),
}))
describe('Chat API Utils', () => {
beforeEach(() => {
vi.stubGlobal('process', {

43
apps/sim/app/api/chat/utils.ts
View File

@@ -9,7 +9,7 @@ import {
validateAuthToken,
} from '@/lib/core/security/deployment'
import { decryptSecret } from '@/lib/core/security/encryption'
import { hasAdminPermission } from '@/lib/workspaces/permissions/utils'
import { authorizeWorkflowByWorkspacePermission } from '@/lib/workflows/utils'
const logger = createLogger('ChatAuthUtils')
@@ -24,29 +24,23 @@ export function setChatAuthCookie(
/**
* Check if user has permission to create a chat for a specific workflow
* Either the user owns the workflow directly OR has admin permission for the workflow's workspace
*/
export async function checkWorkflowAccessForChatCreation(
workflowId: string,
userId: string
): Promise<{ hasAccess: boolean; workflow?: any }> {
const workflowData = await db.select().from(workflow).where(eq(workflow.id, workflowId)).limit(1)
const authorization = await authorizeWorkflowByWorkspacePermission({
workflowId,
userId,
action: 'admin',
})
if (workflowData.length === 0) {
if (!authorization.workflow) {
return { hasAccess: false }
}
const workflowRecord = workflowData[0]
if (workflowRecord.userId === userId) {
return { hasAccess: true, workflow: workflowRecord }
}
if (workflowRecord.workspaceId) {
const hasAdmin = await hasAdminPermission(userId, workflowRecord.workspaceId)
if (hasAdmin) {
return { hasAccess: true, workflow: workflowRecord }
}
if (authorization.allowed) {
return { hasAccess: true, workflow: authorization.workflow }
}
return { hasAccess: false }
@@ -54,7 +48,6 @@ export async function checkWorkflowAccessForChatCreation(
/**
* Check if user has access to view/edit/delete a specific chat
* Either the user owns the chat directly OR has admin permission for the workflow's workspace
*/
export async function checkChatAccess(
chatId: string,
@@ -75,19 +68,17 @@ export async function checkChatAccess(
}
const { chat: chatRecord, workflowWorkspaceId } = chatData[0]
if (chatRecord.userId === userId) {
return { hasAccess: true, chat: chatRecord }
if (!workflowWorkspaceId) {
return { hasAccess: false }
}
if (workflowWorkspaceId) {
const hasAdmin = await hasAdminPermission(userId, workflowWorkspaceId)
if (hasAdmin) {
return { hasAccess: true, chat: chatRecord }
}
}
const authorization = await authorizeWorkflowByWorkspacePermission({
workflowId: chatRecord.workflowId,
userId,
action: 'admin',
})
return { hasAccess: false }
return authorization.allowed ? { hasAccess: true, chat: chatRecord } : { hasAccess: false }
}
export async function validateChatAuth(

68
apps/sim/app/api/copilot/chat/route.ts
View File

@@ -8,9 +8,8 @@ import { getSession } from '@/lib/auth'
import { buildConversationHistory } from '@/lib/copilot/chat-context'
import { resolveOrCreateChat } from '@/lib/copilot/chat-lifecycle'
import { buildCopilotRequestPayload } from '@/lib/copilot/chat-payload'
import { generateChatTitle } from '@/lib/copilot/chat-title'
import { getCopilotModel } from '@/lib/copilot/config'
import { COPILOT_MODEL_IDS, COPILOT_REQUEST_MODES } from '@/lib/copilot/models'
import { SIM_AGENT_API_URL } from '@/lib/copilot/constants'
import { COPILOT_REQUEST_MODES } from '@/lib/copilot/models'
import { orchestrateCopilotStream } from '@/lib/copilot/orchestrator'
import {
createStreamEventWriter,
@@ -29,6 +28,49 @@ import { resolveWorkflowIdForUser } from '@/lib/workflows/utils'
const logger = createLogger('CopilotChatAPI')
async function requestChatTitleFromCopilot(params: {
message: string
model: string
provider?: string
}): Promise<string | null> {
const { message, model, provider } = params
if (!message || !model) return null
const headers: Record<string, string> = {
'Content-Type': 'application/json',
}
if (env.COPILOT_API_KEY) {
headers['x-api-key'] = env.COPILOT_API_KEY
}
try {
const response = await fetch(`${SIM_AGENT_API_URL}/api/generate-chat-title`, {
method: 'POST',
headers,
body: JSON.stringify({
message,
model,
...(provider ? { provider } : {}),
}),
})
const payload = await response.json().catch(() => ({}))
if (!response.ok) {
logger.warn('Failed to generate chat title via copilot backend', {
status: response.status,
error: payload,
})
return null
}
const title = typeof payload?.title === 'string' ? payload.title.trim() : ''
return title || null
} catch (error) {
logger.error('Error generating chat title:', error)
return null
}
}
const FileAttachmentSchema = z.object({
id: z.string(),
key: z.string(),
@@ -43,14 +85,14 @@ const ChatMessageSchema = z.object({
chatId: z.string().optional(),
workflowId: z.string().optional(),
workflowName: z.string().optional(),
model: z.enum(COPILOT_MODEL_IDS).optional().default('claude-4.6-opus'),
model: z.string().optional().default('claude-opus-4-6'),
mode: z.enum(COPILOT_REQUEST_MODES).optional().default('agent'),
prefetch: z.boolean().optional(),
createNewChat: z.boolean().optional().default(false),
stream: z.boolean().optional().default(true),
implicitFeedback: z.string().optional(),
fileAttachments: z.array(FileAttachmentSchema).optional(),
provider: z.string().optional().default('openai'),
provider: z.string().optional(),
conversationId: z.string().optional(),
contexts: z
.array(
@@ -173,14 +215,14 @@ export async function POST(req: NextRequest) {
let currentChat: any = null
let conversationHistory: any[] = []
let actualChatId = chatId
const selectedModel = model || 'claude-opus-4-6'
if (chatId || createNewChat) {
const defaultsForChatRow = getCopilotModel('chat')
const chatResult = await resolveOrCreateChat({
chatId,
userId: authenticatedUserId,
workflowId,
model: defaultsForChatRow.model,
model: selectedModel,
})
currentChat = chatResult.chat
actualChatId = chatResult.chatId || chatId
@@ -191,8 +233,6 @@ export async function POST(req: NextRequest) {
conversationHistory = history.history
}
const defaults = getCopilotModel('chat')
const selectedModel = model || defaults.model
const effectiveMode = mode === 'agent' ? 'build' : mode
const effectiveConversationId =
(currentChat?.conversationId as string | undefined) || conversationId
@@ -205,6 +245,7 @@ export async function POST(req: NextRequest) {
userMessageId: userMessageIdToUse,
mode,
model: selectedModel,
provider,
conversationHistory,
contexts: agentContexts,
fileAttachments,
@@ -283,7 +324,7 @@ export async function POST(req: NextRequest) {
}
if (actualChatId && !currentChat?.title && conversationHistory.length === 0) {
generateChatTitle(message)
requestChatTitleFromCopilot({ message, model: selectedModel, provider })
.then(async (title) => {
if (title) {
await db
@@ -372,10 +413,7 @@ export async function POST(req: NextRequest) {
content: nonStreamingResult.content,
toolCalls: nonStreamingResult.toolCalls,
model: selectedModel,
provider:
(requestPayload?.provider as Record<string, unknown>)?.provider ||
env.COPILOT_PROVIDER ||
'openai',
provider: typeof requestPayload?.provider === 'string' ? requestPayload.provider : undefined,
}
logger.info(`[${tracker.requestId}] Non-streaming response from orchestrator:`, {
@@ -413,7 +451,7 @@ export async function POST(req: NextRequest) {
// Start title generation in parallel if this is first message (non-streaming)
if (actualChatId && !currentChat.title && conversationHistory.length === 0) {
logger.info(`[${tracker.requestId}] Starting title generation for non-streaming response`)
generateChatTitle(message)
requestChatTitleFromCopilot({ message, model: selectedModel, provider })
.then(async (title) => {
if (title) {
await db

13
apps/sim/app/api/copilot/checkpoints/revert/route.test.ts
View File

@@ -25,6 +25,13 @@ describe('Copilot Checkpoints Revert API Route', () => {
getEmailDomain: vi.fn(() => 'localhost:3000'),
}))
vi.doMock('@/lib/workflows/utils', () => ({
authorizeWorkflowByWorkspacePermission: vi.fn().mockResolvedValue({
allowed: true,
status: 200,
}),
}))
mockSelect.mockReturnValue({ from: mockFrom })
mockFrom.mockReturnValue({ where: mockWhere })
mockWhere.mockReturnValue({ then: mockThen })
@@ -212,6 +219,12 @@ describe('Copilot Checkpoints Revert API Route', () => {
.mockResolvedValueOnce(mockCheckpoint) // Checkpoint found
.mockResolvedValueOnce(mockWorkflow) // Workflow found but different user
const { authorizeWorkflowByWorkspacePermission } = await import('@/lib/workflows/utils')
vi.mocked(authorizeWorkflowByWorkspacePermission).mockResolvedValueOnce({
allowed: false,
status: 403,
})
const req = createMockRequest('POST', {
checkpointId: 'checkpoint-123',
})

8
apps/sim/app/api/copilot/checkpoints/revert/route.ts
View File

@@ -12,6 +12,7 @@ import {
createUnauthorizedResponse,
} from '@/lib/copilot/request-helpers'
import { getBaseUrl } from '@/lib/core/utils/urls'
import { authorizeWorkflowByWorkspacePermission } from '@/lib/workflows/utils'
import { isUuidV4 } from '@/executor/constants'
const logger = createLogger('CheckpointRevertAPI')
@@ -58,7 +59,12 @@ export async function POST(request: NextRequest) {
return createNotFoundResponse('Workflow not found')
}
if (workflowData.userId !== userId) {
const authorization = await authorizeWorkflowByWorkspacePermission({
workflowId: checkpoint.workflowId,
userId,
action: 'write',
})
if (!authorization.allowed) {
return createUnauthorizedResponse()
}

84
apps/sim/app/api/copilot/models/route.ts Normal file
View File

@@ -0,0 +1,84 @@
import { createLogger } from '@sim/logger'
import { type NextRequest, NextResponse } from 'next/server'
import { SIM_AGENT_API_URL } from '@/lib/copilot/constants'
import { authenticateCopilotRequestSessionOnly } from '@/lib/copilot/request-helpers'
import type { AvailableModel } from '@/lib/copilot/types'
import { env } from '@/lib/core/config/env'
const logger = createLogger('CopilotModelsAPI')
interface RawAvailableModel {
id: string
friendlyName?: string
displayName?: string
provider?: string
}
function isRawAvailableModel(item: unknown): item is RawAvailableModel {
return (
typeof item === 'object' &&
item !== null &&
'id' in item &&
typeof (item as { id: unknown }).id === 'string'
)
}
export async function GET(_req: NextRequest) {
const { userId, isAuthenticated } = await authenticateCopilotRequestSessionOnly()
if (!isAuthenticated || !userId) {
return NextResponse.json({ error: 'Unauthorized' }, { status: 401 })
}
const headers: Record<string, string> = {
'Content-Type': 'application/json',
}
if (env.COPILOT_API_KEY) {
headers['x-api-key'] = env.COPILOT_API_KEY
}
try {
const response = await fetch(`${SIM_AGENT_API_URL}/api/get-available-models`, {
method: 'GET',
headers,
cache: 'no-store',
})
const payload = await response.json().catch(() => ({}))
if (!response.ok) {
logger.warn('Failed to fetch available models from copilot backend', {
status: response.status,
})
return NextResponse.json(
{
success: false,
error: payload?.error || 'Failed to fetch available models',
models: [],
},
{ status: response.status }
)
}
const rawModels = Array.isArray(payload?.models) ? payload.models : []
const models: AvailableModel[] = rawModels
.filter((item: unknown): item is RawAvailableModel => isRawAvailableModel(item))
.map((item: RawAvailableModel) => ({
id: item.id,
friendlyName: item.friendlyName || item.displayName || item.id,
provider: item.provider || 'unknown',
}))
return NextResponse.json({ success: true, models })
} catch (error) {
logger.error('Error fetching available models', {
error: error instanceof Error ? error.message : String(error),
})
return NextResponse.json(
{
success: false,
error: 'Failed to fetch available models',
models: [],
},
{ status: 500 }
)
}
}

139
apps/sim/app/api/copilot/user-models/route.ts
View File

@@ -1,139 +0,0 @@
import { createLogger } from '@sim/logger'
import { eq } from 'drizzle-orm'
import { type NextRequest, NextResponse } from 'next/server'
import { getSession } from '@/lib/auth'
import type { CopilotModelId } from '@/lib/copilot/models'
import { db } from '@/../../packages/db'
import { settings } from '@/../../packages/db/schema'
const logger = createLogger('CopilotUserModelsAPI')
const DEFAULT_ENABLED_MODELS: Record<CopilotModelId, boolean> = {
'gpt-4o': false,
'gpt-4.1': false,
'gpt-5-fast': false,
'gpt-5': true,
'gpt-5-medium': false,
'gpt-5-high': false,
'gpt-5.1-fast': false,
'gpt-5.1': false,
'gpt-5.1-medium': false,
'gpt-5.1-high': false,
'gpt-5-codex': false,
'gpt-5.1-codex': false,
'gpt-5.2': false,
'gpt-5.2-codex': true,
'gpt-5.2-pro': true,
o3: true,
'claude-4-sonnet': false,
'claude-4.5-haiku': true,
'claude-4.5-sonnet': true,
'claude-4.6-opus': true,
'claude-4.5-opus': true,
'claude-4.1-opus': false,
'gemini-3-pro': true,
}
// GET - Fetch user's enabled models
export async function GET(request: NextRequest) {
try {
const session = await getSession()
if (!session?.user?.id) {
return NextResponse.json({ error: 'Unauthorized' }, { status: 401 })
}
const userId = session.user.id
const [userSettings] = await db
.select()
.from(settings)
.where(eq(settings.userId, userId))
.limit(1)
if (userSettings) {
const userModelsMap = (userSettings.copilotEnabledModels as Record<string, boolean>) || {}
const mergedModels = { ...DEFAULT_ENABLED_MODELS }
for (const [modelId, enabled] of Object.entries(userModelsMap)) {
if (modelId in mergedModels) {
mergedModels[modelId as CopilotModelId] = enabled
}
}
const hasNewModels = Object.keys(DEFAULT_ENABLED_MODELS).some(
(key) => !(key in userModelsMap)
)
if (hasNewModels) {
await db
.update(settings)
.set({
copilotEnabledModels: mergedModels,
updatedAt: new Date(),
})
.where(eq(settings.userId, userId))
}
return NextResponse.json({
enabledModels: mergedModels,
})
}
await db.insert(settings).values({
id: userId,
userId,
copilotEnabledModels: DEFAULT_ENABLED_MODELS,
})
logger.info('Created new settings record with default models', { userId })
return NextResponse.json({
enabledModels: DEFAULT_ENABLED_MODELS,
})
} catch (error) {
logger.error('Failed to fetch user models', { error })
return NextResponse.json({ error: 'Internal server error' }, { status: 500 })
}
}
// PUT - Update user's enabled models
export async function PUT(request: NextRequest) {
try {
const session = await getSession()
if (!session?.user?.id) {
return NextResponse.json({ error: 'Unauthorized' }, { status: 401 })
}
const userId = session.user.id
const body = await request.json()
if (!body.enabledModels || typeof body.enabledModels !== 'object') {
return NextResponse.json({ error: 'enabledModels must be an object' }, { status: 400 })
}
const [existing] = await db.select().from(settings).where(eq(settings.userId, userId)).limit(1)
if (existing) {
await db
.update(settings)
.set({
copilotEnabledModels: body.enabledModels,
updatedAt: new Date(),
})
.where(eq(settings.userId, userId))
} else {
await db.insert(settings).values({
id: userId,
userId,
copilotEnabledModels: body.enabledModels,
})
}
return NextResponse.json({ success: true })
} catch (error) {
logger.error('Failed to update user models', { error })
return NextResponse.json({ error: 'Internal server error' }, { status: 500 })
}
}

27
apps/sim/app/api/cron/renew-subscriptions/route.ts
View File

@@ -1,5 +1,5 @@
import { db } from '@sim/db'
import { webhook as webhookTable, workflow as workflowTable } from '@sim/db/schema'
import { account, webhook as webhookTable } from '@sim/db/schema'
import { createLogger } from '@sim/logger'
import { and, eq, or } from 'drizzle-orm'
import { type NextRequest, NextResponse } from 'next/server'
@@ -8,6 +8,16 @@ import { refreshAccessTokenIfNeeded } from '@/app/api/auth/oauth/utils'
const logger = createLogger('TeamsSubscriptionRenewal')
async function getCredentialOwnerUserId(credentialId: string): Promise<string | null> {
const [credentialRecord] = await db
.select({ userId: account.userId })
.from(account)
.where(eq(account.id, credentialId))
.limit(1)
return credentialRecord?.userId ?? null
}
/**
* Cron endpoint to renew Microsoft Teams chat subscriptions before they expire
*
@@ -27,14 +37,12 @@ export async function GET(request: NextRequest) {
let totalFailed = 0
let totalChecked = 0
// Get all active Microsoft Teams webhooks with their workflows
// Get all active Microsoft Teams webhooks
const webhooksWithWorkflows = await db
.select({
webhook: webhookTable,
workflow: workflowTable,
})
.from(webhookTable)
.innerJoin(workflowTable, eq(webhookTable.workflowId, workflowTable.id))
.where(
and(
eq(webhookTable.isActive, true),
@@ -52,7 +60,7 @@ export async function GET(request: NextRequest) {
// Renewal threshold: 48 hours before expiration
const renewalThreshold = new Date(Date.now() + 48 * 60 * 60 * 1000)
for (const { webhook, workflow } of webhooksWithWorkflows) {
for (const { webhook } of webhooksWithWorkflows) {
const config = (webhook.providerConfig as Record<string, any>) || {}
// Check if this is a Teams chat subscription that needs renewal
@@ -80,10 +88,17 @@ export async function GET(request: NextRequest) {
continue
}
const credentialOwnerUserId = await getCredentialOwnerUserId(credentialId)
if (!credentialOwnerUserId) {
logger.error(`Credential owner not found for credential ${credentialId}`)
totalFailed++
continue
}
// Get fresh access token
const accessToken = await refreshAccessTokenIfNeeded(
credentialId,
workflow.userId,
credentialOwnerUserId,
`renewal-${webhook.id}`
)

4
apps/sim/app/api/files/upload/route.test.ts
View File

@@ -42,6 +42,10 @@ function setupFileApiMocks(
verifyCopilotFileAccess: vi.fn().mockResolvedValue(true),
}))
vi.doMock('@/lib/workspaces/permissions/utils', () => ({
getUserEntityPermissions: vi.fn().mockResolvedValue('admin'),
}))
vi.doMock('@/lib/uploads/contexts/workspace', () => ({
uploadWorkspaceFile: vi.fn().mockResolvedValue({
id: 'test-file-id',

7
apps/sim/app/api/files/upload/route.ts
View File

@@ -206,6 +206,13 @@ export async function POST(request: NextRequest) {
if (!workspaceId) {
throw new InvalidRequestError('Workspace context requires workspaceId parameter')
}
const permission = await getUserEntityPermissions(session.user.id, 'workspace', workspaceId)
if (permission !== 'admin' && permission !== 'write') {
return NextResponse.json(
{ error: 'Write or Admin access required for workspace uploads' },
{ status: 403 }
)
}
try {
const { uploadWorkspaceFile } = await import('@/lib/uploads/contexts/workspace')

4
apps/sim/app/api/form/utils.test.ts
View File

@@ -22,8 +22,8 @@ vi.mock('@/lib/core/config/feature-flags', () => ({
isProd: false,
}))
vi.mock('@/lib/workspaces/permissions/utils', () => ({
hasAdminPermission: vi.fn(),
vi.mock('@/lib/workflows/utils', () => ({
authorizeWorkflowByWorkspacePermission: vi.fn(),
}))
describe('Form API Utils', () => {

48
apps/sim/app/api/form/utils.ts
View File

@@ -9,7 +9,7 @@ import {
validateAuthToken,
} from '@/lib/core/security/deployment'
import { decryptSecret } from '@/lib/core/security/encryption'
import { hasAdminPermission } from '@/lib/workspaces/permissions/utils'
import { authorizeWorkflowByWorkspacePermission } from '@/lib/workflows/utils'
const logger = createLogger('FormAuthUtils')
@@ -24,29 +24,23 @@ export function setFormAuthCookie(
/**
* Check if user has permission to create a form for a specific workflow
* Either the user owns the workflow directly OR has admin permission for the workflow's workspace
*/
export async function checkWorkflowAccessForFormCreation(
workflowId: string,
userId: string
): Promise<{ hasAccess: boolean; workflow?: any }> {
const workflowData = await db.select().from(workflow).where(eq(workflow.id, workflowId)).limit(1)
const authorization = await authorizeWorkflowByWorkspacePermission({
workflowId,
userId,
action: 'admin',
})
if (workflowData.length === 0) {
if (!authorization.workflow) {
return { hasAccess: false }
}
const workflowRecord = workflowData[0]
if (workflowRecord.userId === userId) {
return { hasAccess: true, workflow: workflowRecord }
}
if (workflowRecord.workspaceId) {
const hasAdmin = await hasAdminPermission(userId, workflowRecord.workspaceId)
if (hasAdmin) {
return { hasAccess: true, workflow: workflowRecord }
}
if (authorization.allowed) {
return { hasAccess: true, workflow: authorization.workflow }
}
return { hasAccess: false }
@@ -54,17 +48,13 @@ export async function checkWorkflowAccessForFormCreation(
/**
* Check if user has access to view/edit/delete a specific form
* Either the user owns the form directly OR has admin permission for the workflow's workspace
*/
export async function checkFormAccess(
formId: string,
userId: string
): Promise<{ hasAccess: boolean; form?: any }> {
const formData = await db
.select({
form: form,
workflowWorkspaceId: workflow.workspaceId,
})
.select({ form: form, workflowWorkspaceId: workflow.workspaceId })
.from(form)
.innerJoin(workflow, eq(form.workflowId, workflow.id))
.where(eq(form.id, formId))
@@ -75,19 +65,17 @@ export async function checkFormAccess(
}
const { form: formRecord, workflowWorkspaceId } = formData[0]
if (formRecord.userId === userId) {
return { hasAccess: true, form: formRecord }
if (!workflowWorkspaceId) {
return { hasAccess: false }
}
if (workflowWorkspaceId) {
const hasAdmin = await hasAdminPermission(userId, workflowWorkspaceId)
if (hasAdmin) {
return { hasAccess: true, form: formRecord }
}
}
const authorization = await authorizeWorkflowByWorkspacePermission({
workflowId: formRecord.workflowId,
userId,
action: 'admin',
})
return { hasAccess: false }
return authorization.allowed ? { hasAccess: true, form: formRecord } : { hasAccess: false }
}
export async function validateFormAuth(

13
apps/sim/app/api/guardrails/validate/route.ts
View File

@@ -1,5 +1,6 @@
import { createLogger } from '@sim/logger'
import { type NextRequest, NextResponse } from 'next/server'
import { checkSessionOrInternalAuth } from '@/lib/auth/hybrid'
import { generateRequestId } from '@/lib/core/utils/request'
import { validateHallucination } from '@/lib/guardrails/validate_hallucination'
import { validateJson } from '@/lib/guardrails/validate_json'
@@ -13,6 +14,11 @@ export async function POST(request: NextRequest) {
logger.info(`[${requestId}] Guardrails validation request received`)
try {
const auth = await checkSessionOrInternalAuth(request, { requireWorkflowId: false })
if (!auth.success || !auth.userId) {
return NextResponse.json({ error: 'Unauthorized' }, { status: 401 })
}
const body = await request.json()
const {
validationType,
@@ -109,6 +115,10 @@ export async function POST(request: NextRequest) {
validationType,
inputType: typeof input,
})
const authHeaders = {
cookie: request.headers.get('cookie') || undefined,
authorization: request.headers.get('authorization') || undefined,
}
const validationResult = await executeValidation(
validationType,
@@ -134,6 +144,7 @@ export async function POST(request: NextRequest) {
piiEntityTypes,
piiMode,
piiLanguage,
authHeaders,
requestId
)
@@ -213,6 +224,7 @@ async function executeValidation(
piiEntityTypes: string[] | undefined,
piiMode: string | undefined,
piiLanguage: string | undefined,
authHeaders: { cookie?: string; authorization?: string } | undefined,
requestId: string
): Promise<{
passed: boolean
@@ -253,6 +265,7 @@ async function executeValidation(
providerCredentials,
workflowId,
workspaceId,
authHeaders,
requestId,
})
}

2
apps/sim/app/api/jobs/[jobId]/route.ts
View File

@@ -76,7 +76,7 @@ export async function GET(
}
if (job.status === JOB_STATUS.PROCESSING || job.status === JOB_STATUS.PENDING) {
response.estimatedDuration = 180000
response.estimatedDuration = 300000
}
return NextResponse.json(response)

46
apps/sim/app/api/knowledge/[id]/documents/[documentId]/chunks/route.ts
View File

@@ -1,10 +1,10 @@
import { createLogger } from '@sim/logger'
import { type NextRequest, NextResponse } from 'next/server'
import { z } from 'zod'
import { getSession } from '@/lib/auth'
import { checkSessionOrInternalAuth } from '@/lib/auth/hybrid'
import { generateRequestId } from '@/lib/core/utils/request'
import { batchChunkOperation, createChunk, queryChunks } from '@/lib/knowledge/chunks/service'
import { getUserId } from '@/app/api/auth/oauth/utils'
import { authorizeWorkflowByWorkspacePermission } from '@/lib/workflows/utils'
import { checkDocumentAccess, checkDocumentWriteAccess } from '@/app/api/knowledge/utils'
import { calculateCost } from '@/providers/utils'
@@ -38,13 +38,14 @@ export async function GET(
const { id: knowledgeBaseId, documentId } = await params
try {
const session = await getSession()
if (!session?.user?.id) {
const auth = await checkSessionOrInternalAuth(req, { requireWorkflowId: false })
if (!auth.success || !auth.userId) {
logger.warn(`[${requestId}] Unauthorized chunks access attempt`)
return NextResponse.json({ error: 'Unauthorized' }, { status: 401 })
}
const userId = auth.userId
const accessCheck = await checkDocumentAccess(knowledgeBaseId, documentId, session.user.id)
const accessCheck = await checkDocumentAccess(knowledgeBaseId, documentId, userId)
if (!accessCheck.hasAccess) {
if (accessCheck.notFound) {
@@ -54,7 +55,7 @@ export async function GET(
return NextResponse.json({ error: accessCheck.reason }, { status: 404 })
}
logger.warn(
`[${requestId}] User ${session.user.id} attempted unauthorized chunks access: ${accessCheck.reason}`
`[${requestId}] User ${userId} attempted unauthorized chunks access: ${accessCheck.reason}`
)
return NextResponse.json({ error: 'Unauthorized' }, { status: 401 })
}
@@ -113,13 +114,25 @@ export async function POST(
const body = await req.json()
const { workflowId, ...searchParams } = body
const userId = await getUserId(requestId, workflowId)
const auth = await checkSessionOrInternalAuth(req, { requireWorkflowId: false })
if (!auth.success || !auth.userId) {
logger.warn(`[${requestId}] Authentication failed: ${auth.error || 'Unauthorized'}`)
return NextResponse.json({ error: 'Unauthorized' }, { status: 401 })
}
const userId = auth.userId
if (!userId) {
const errorMessage = workflowId ? 'Workflow not found' : 'Unauthorized'
const statusCode = workflowId ? 404 : 401
logger.warn(`[${requestId}] Authentication failed: ${errorMessage}`)
return NextResponse.json({ error: errorMessage }, { status: statusCode })
if (workflowId) {
const authorization = await authorizeWorkflowByWorkspacePermission({
workflowId,
userId,
action: 'write',
})
if (!authorization.allowed) {
return NextResponse.json(
{ error: authorization.message || 'Access denied' },
{ status: authorization.status }
)
}
}
const accessCheck = await checkDocumentWriteAccess(knowledgeBaseId, documentId, userId)
@@ -248,13 +261,14 @@ export async function PATCH(
const { id: knowledgeBaseId, documentId } = await params
try {
const session = await getSession()
if (!session?.user?.id) {
const auth = await checkSessionOrInternalAuth(req, { requireWorkflowId: false })
if (!auth.success || !auth.userId) {
logger.warn(`[${requestId}] Unauthorized batch chunk operation attempt`)
return NextResponse.json({ error: 'Unauthorized' }, { status: 401 })
}
const userId = auth.userId
const accessCheck = await checkDocumentAccess(knowledgeBaseId, documentId, session.user.id)
const accessCheck = await checkDocumentAccess(knowledgeBaseId, documentId, userId)
if (!accessCheck.hasAccess) {
if (accessCheck.notFound) {
@@ -264,7 +278,7 @@ export async function PATCH(
return NextResponse.json({ error: accessCheck.reason }, { status: 404 })
}
logger.warn(
`[${requestId}] User ${session.user.id} attempted unauthorized batch chunk operation: ${accessCheck.reason}`
`[${requestId}] User ${userId} attempted unauthorized batch chunk operation: ${accessCheck.reason}`
)
return NextResponse.json({ error: 'Unauthorized' }, { status: 401 })
}

29
apps/sim/app/api/knowledge/[id]/documents/[documentId]/route.ts
View File

@@ -1,7 +1,7 @@
import { createLogger } from '@sim/logger'
import { type NextRequest, NextResponse } from 'next/server'
import { z } from 'zod'
import { getSession } from '@/lib/auth'
import { checkSessionOrInternalAuth } from '@/lib/auth/hybrid'
import { generateRequestId } from '@/lib/core/utils/request'
import {
deleteDocument,
@@ -54,13 +54,14 @@ export async function GET(
const { id: knowledgeBaseId, documentId } = await params
try {
const session = await getSession()
if (!session?.user?.id) {
const auth = await checkSessionOrInternalAuth(req, { requireWorkflowId: false })
if (!auth.success || !auth.userId) {
logger.warn(`[${requestId}] Unauthorized document access attempt`)
return NextResponse.json({ error: 'Unauthorized' }, { status: 401 })
}
const userId = auth.userId
const accessCheck = await checkDocumentAccess(knowledgeBaseId, documentId, session.user.id)
const accessCheck = await checkDocumentAccess(knowledgeBaseId, documentId, userId)
if (!accessCheck.hasAccess) {
if (accessCheck.notFound) {
@@ -70,7 +71,7 @@ export async function GET(
return NextResponse.json({ error: accessCheck.reason }, { status: 404 })
}
logger.warn(
`[${requestId}] User ${session.user.id} attempted unauthorized document access: ${accessCheck.reason}`
`[${requestId}] User ${userId} attempted unauthorized document access: ${accessCheck.reason}`
)
return NextResponse.json({ error: 'Unauthorized' }, { status: 401 })
}
@@ -97,13 +98,14 @@ export async function PUT(
const { id: knowledgeBaseId, documentId } = await params
try {
const session = await getSession()
if (!session?.user?.id) {
const auth = await checkSessionOrInternalAuth(req, { requireWorkflowId: false })
if (!auth.success || !auth.userId) {
logger.warn(`[${requestId}] Unauthorized document update attempt`)
return NextResponse.json({ error: 'Unauthorized' }, { status: 401 })
}
const userId = auth.userId
const accessCheck = await checkDocumentWriteAccess(knowledgeBaseId, documentId, session.user.id)
const accessCheck = await checkDocumentWriteAccess(knowledgeBaseId, documentId, userId)
if (!accessCheck.hasAccess) {
if (accessCheck.notFound) {
@@ -113,7 +115,7 @@ export async function PUT(
return NextResponse.json({ error: accessCheck.reason }, { status: 404 })
}
logger.warn(
`[${requestId}] User ${session.user.id} attempted unauthorized document update: ${accessCheck.reason}`
`[${requestId}] User ${userId} attempted unauthorized document update: ${accessCheck.reason}`
)
return NextResponse.json({ error: 'Unauthorized' }, { status: 401 })
}
@@ -227,13 +229,14 @@ export async function DELETE(
const { id: knowledgeBaseId, documentId } = await params
try {
const session = await getSession()
if (!session?.user?.id) {
const auth = await checkSessionOrInternalAuth(req, { requireWorkflowId: false })
if (!auth.success || !auth.userId) {
logger.warn(`[${requestId}] Unauthorized document delete attempt`)
return NextResponse.json({ error: 'Unauthorized' }, { status: 401 })
}
const userId = auth.userId
const accessCheck = await checkDocumentWriteAccess(knowledgeBaseId, documentId, session.user.id)
const accessCheck = await checkDocumentWriteAccess(knowledgeBaseId, documentId, userId)
if (!accessCheck.hasAccess) {
if (accessCheck.notFound) {
@@ -243,7 +246,7 @@ export async function DELETE(
return NextResponse.json({ error: accessCheck.reason }, { status: 404 })
}
logger.warn(
`[${requestId}] User ${session.user.id} attempted unauthorized document deletion: ${accessCheck.reason}`
`[${requestId}] User ${userId} attempted unauthorized document deletion: ${accessCheck.reason}`
)
return NextResponse.json({ error: 'Unauthorized' }, { status: 401 })
}

29
apps/sim/app/api/knowledge/[id]/documents/route.ts
View File

@@ -3,6 +3,7 @@ import { createLogger } from '@sim/logger'
import { type NextRequest, NextResponse } from 'next/server'
import { z } from 'zod'
import { getSession } from '@/lib/auth'
import { checkSessionOrInternalAuth } from '@/lib/auth/hybrid'
import {
bulkDocumentOperation,
bulkDocumentOperationByFilter,
@@ -13,7 +14,7 @@ import {
processDocumentsWithQueue,
} from '@/lib/knowledge/documents/service'
import type { DocumentSortField, SortOrder } from '@/lib/knowledge/documents/types'
import { getUserId } from '@/app/api/auth/oauth/utils'
import { authorizeWorkflowByWorkspacePermission } from '@/lib/workflows/utils'
import { checkKnowledgeBaseAccess, checkKnowledgeBaseWriteAccess } from '@/app/api/knowledge/utils'
const logger = createLogger('DocumentsAPI')
@@ -170,16 +171,28 @@ export async function POST(req: NextRequest, { params }: { params: Promise<{ id:
bodyKeys: Object.keys(body),
})
const userId = await getUserId(requestId, workflowId)
if (!userId) {
const errorMessage = workflowId ? 'Workflow not found' : 'Unauthorized'
const statusCode = workflowId ? 404 : 401
logger.warn(`[${requestId}] Authentication failed: ${errorMessage}`, {
const auth = await checkSessionOrInternalAuth(req, { requireWorkflowId: false })
if (!auth.success || !auth.userId) {
logger.warn(`[${requestId}] Authentication failed: ${auth.error || 'Unauthorized'}`, {
workflowId,
hasWorkflowId: !!workflowId,
})
return NextResponse.json({ error: errorMessage }, { status: statusCode })
return NextResponse.json({ error: 'Unauthorized' }, { status: 401 })
}
const userId = auth.userId
if (workflowId) {
const authorization = await authorizeWorkflowByWorkspacePermission({
workflowId,
userId,
action: 'write',
})
if (!authorization.allowed) {
return NextResponse.json(
{ error: authorization.message || 'Access denied' },
{ status: authorization.status }
)
}
}
const accessCheck = await checkKnowledgeBaseWriteAccess(knowledgeBaseId, userId)

35
apps/sim/app/api/knowledge/[id]/route.ts
View File

@@ -1,7 +1,7 @@
import { createLogger } from '@sim/logger'
import { type NextRequest, NextResponse } from 'next/server'
import { z } from 'zod'
import { getSession } from '@/lib/auth'
import { checkSessionOrInternalAuth } from '@/lib/auth/hybrid'
import { PlatformEvents } from '@/lib/core/telemetry'
import { generateRequestId } from '@/lib/core/utils/request'
import {
@@ -54,13 +54,14 @@ export async function GET(_request: NextRequest, { params }: { params: Promise<{
const { id } = await params
try {
const session = await getSession()
if (!session?.user?.id) {
const auth = await checkSessionOrInternalAuth(_request, { requireWorkflowId: false })
if (!auth.success || !auth.userId) {
logger.warn(`[${requestId}] Unauthorized knowledge base access attempt`)
return NextResponse.json({ error: 'Unauthorized' }, { status: 401 })
}
const userId = auth.userId
const accessCheck = await checkKnowledgeBaseAccess(id, session.user.id)
const accessCheck = await checkKnowledgeBaseAccess(id, userId)
if (!accessCheck.hasAccess) {
if ('notFound' in accessCheck && accessCheck.notFound) {
@@ -68,7 +69,7 @@ export async function GET(_request: NextRequest, { params }: { params: Promise<{
return NextResponse.json({ error: 'Knowledge base not found' }, { status: 404 })
}
logger.warn(
`[${requestId}] User ${session.user.id} attempted to access unauthorized knowledge base ${id}`
`[${requestId}] User ${userId} attempted to access unauthorized knowledge base ${id}`
)
return NextResponse.json({ error: 'Unauthorized' }, { status: 401 })
}
@@ -79,7 +80,7 @@ export async function GET(_request: NextRequest, { params }: { params: Promise<{
return NextResponse.json({ error: 'Knowledge base not found' }, { status: 404 })
}
logger.info(`[${requestId}] Retrieved knowledge base: ${id} for user ${session.user.id}`)
logger.info(`[${requestId}] Retrieved knowledge base: ${id} for user ${userId}`)
return NextResponse.json({
success: true,
@@ -96,13 +97,14 @@ export async function PUT(req: NextRequest, { params }: { params: Promise<{ id:
const { id } = await params
try {
const session = await getSession()
if (!session?.user?.id) {
const auth = await checkSessionOrInternalAuth(req, { requireWorkflowId: false })
if (!auth.success || !auth.userId) {
logger.warn(`[${requestId}] Unauthorized knowledge base update attempt`)
return NextResponse.json({ error: 'Unauthorized' }, { status: 401 })
}
const userId = auth.userId
const accessCheck = await checkKnowledgeBaseWriteAccess(id, session.user.id)
const accessCheck = await checkKnowledgeBaseWriteAccess(id, userId)
if (!accessCheck.hasAccess) {
if ('notFound' in accessCheck && accessCheck.notFound) {
@@ -110,7 +112,7 @@ export async function PUT(req: NextRequest, { params }: { params: Promise<{ id:
return NextResponse.json({ error: 'Knowledge base not found' }, { status: 404 })
}
logger.warn(
`[${requestId}] User ${session.user.id} attempted to update unauthorized knowledge base ${id}`
`[${requestId}] User ${userId} attempted to update unauthorized knowledge base ${id}`
)
return NextResponse.json({ error: 'Unauthorized' }, { status: 401 })
}
@@ -131,7 +133,7 @@ export async function PUT(req: NextRequest, { params }: { params: Promise<{ id:
requestId
)
logger.info(`[${requestId}] Knowledge base updated: ${id} for user ${session.user.id}`)
logger.info(`[${requestId}] Knowledge base updated: ${id} for user ${userId}`)
return NextResponse.json({
success: true,
@@ -163,13 +165,14 @@ export async function DELETE(
const { id } = await params
try {
const session = await getSession()
if (!session?.user?.id) {
const auth = await checkSessionOrInternalAuth(_request, { requireWorkflowId: false })
if (!auth.success || !auth.userId) {
logger.warn(`[${requestId}] Unauthorized knowledge base delete attempt`)
return NextResponse.json({ error: 'Unauthorized' }, { status: 401 })
}
const userId = auth.userId
const accessCheck = await checkKnowledgeBaseWriteAccess(id, session.user.id)
const accessCheck = await checkKnowledgeBaseWriteAccess(id, userId)
if (!accessCheck.hasAccess) {
if ('notFound' in accessCheck && accessCheck.notFound) {
@@ -177,7 +180,7 @@ export async function DELETE(
return NextResponse.json({ error: 'Knowledge base not found' }, { status: 404 })
}
logger.warn(
`[${requestId}] User ${session.user.id} attempted to delete unauthorized knowledge base ${id}`
`[${requestId}] User ${userId} attempted to delete unauthorized knowledge base ${id}`
)
return NextResponse.json({ error: 'Unauthorized' }, { status: 401 })
}
@@ -192,7 +195,7 @@ export async function DELETE(
// Telemetry should not fail the operation
}
logger.info(`[${requestId}] Knowledge base deleted: ${id} for user ${session.user.id}`)
logger.info(`[${requestId}] Knowledge base deleted: ${id} for user ${userId}`)
return NextResponse.json({
success: true,

2
apps/sim/app/api/knowledge/route.test.ts
View File

@@ -17,7 +17,7 @@ mockDrizzleOrm()
mockConsoleLogger()
vi.mock('@/lib/workspaces/permissions/utils', () => ({
getUserEntityPermissions: vi.fn().mockResolvedValue({ role: 'owner' }),
getUserEntityPermissions: vi.fn().mockResolvedValue('admin'),
}))
describe('Knowledge Base API Route', () => {

36
apps/sim/app/api/knowledge/search/route.test.ts
View File

@@ -104,6 +104,8 @@ describe('Knowledge Search API Route', () => {
const mockGetUserId = vi.fn()
const mockFetch = vi.fn()
const mockCheckSessionOrInternalAuth = vi.fn()
const mockAuthorizeWorkflowByWorkspacePermission = vi.fn()
const mockEmbedding = [0.1, 0.2, 0.3, 0.4, 0.5]
const mockSearchResults = [
@@ -132,8 +134,12 @@ describe('Knowledge Search API Route', () => {
db: mockDbChain,
}))
vi.doMock('@/app/api/auth/oauth/utils', () => ({
getUserId: mockGetUserId,
vi.doMock('@/lib/auth/hybrid', () => ({
checkSessionOrInternalAuth: mockCheckSessionOrInternalAuth,
}))
vi.doMock('@/lib/workflows/utils', () => ({
authorizeWorkflowByWorkspacePermission: mockAuthorizeWorkflowByWorkspacePermission,
}))
Object.values(mockDbChain).forEach((fn) => {
@@ -157,6 +163,15 @@ describe('Knowledge Search API Route', () => {
doc2: 'Document 2',
})
mockGetDocumentTagDefinitions.mockClear()
mockCheckSessionOrInternalAuth.mockClear().mockResolvedValue({
success: true,
userId: 'user-123',
authType: 'session',
})
mockAuthorizeWorkflowByWorkspacePermission.mockClear().mockResolvedValue({
allowed: true,
status: 200,
})
vi.stubGlobal('crypto', {
randomUUID: vi.fn().mockReturnValue('mock-uuid-1234-5678'),
@@ -311,11 +326,18 @@ describe('Knowledge Search API Route', () => {
expect(response.status).toBe(200)
expect(data.success).toBe(true)
expect(mockGetUserId).toHaveBeenCalledWith(expect.any(String), 'workflow-123')
expect(mockAuthorizeWorkflowByWorkspacePermission).toHaveBeenCalledWith({
workflowId: 'workflow-123',
userId: 'user-123',
action: 'read',
})
})
it.concurrent('should return unauthorized for unauthenticated request', async () => {
mockGetUserId.mockResolvedValue(null)
mockCheckSessionOrInternalAuth.mockResolvedValueOnce({
success: false,
error: 'Unauthorized',
})
const req = createMockRequest('POST', validSearchData)
const { POST } = await import('@/app/api/knowledge/search/route')
@@ -332,7 +354,11 @@ describe('Knowledge Search API Route', () => {
workflowId: 'nonexistent-workflow',
}
mockGetUserId.mockResolvedValue(null)
mockAuthorizeWorkflowByWorkspacePermission.mockResolvedValueOnce({
allowed: false,
status: 404,
message: 'Workflow not found',
})
const req = createMockRequest('POST', workflowData)
const { POST } = await import('@/app/api/knowledge/search/route')

25
apps/sim/app/api/knowledge/search/route.ts
View File

@@ -1,6 +1,7 @@
import { createLogger } from '@sim/logger'
import { type NextRequest, NextResponse } from 'next/server'
import { z } from 'zod'
import { checkSessionOrInternalAuth } from '@/lib/auth/hybrid'
import { PlatformEvents } from '@/lib/core/telemetry'
import { generateRequestId } from '@/lib/core/utils/request'
import { ALL_TAG_SLOTS } from '@/lib/knowledge/constants'
@@ -8,7 +9,7 @@ import { getDocumentTagDefinitions } from '@/lib/knowledge/tags/service'
import { buildUndefinedTagsError, validateTagValue } from '@/lib/knowledge/tags/utils'
import type { StructuredFilter } from '@/lib/knowledge/types'
import { estimateTokenCount } from '@/lib/tokenization/estimators'
import { getUserId } from '@/app/api/auth/oauth/utils'
import { authorizeWorkflowByWorkspacePermission } from '@/lib/workflows/utils'
import {
generateSearchEmbedding,
getDocumentNamesByIds,
@@ -76,12 +77,24 @@ export async function POST(request: NextRequest) {
const body = await request.json()
const { workflowId, ...searchParams } = body
const userId = await getUserId(requestId, workflowId)
const auth = await checkSessionOrInternalAuth(request, { requireWorkflowId: false })
if (!auth.success || !auth.userId) {
return NextResponse.json({ error: 'Unauthorized' }, { status: 401 })
}
const userId = auth.userId
if (!userId) {
const errorMessage = workflowId ? 'Workflow not found' : 'Unauthorized'
const statusCode = workflowId ? 404 : 401
return NextResponse.json({ error: errorMessage }, { status: statusCode })
if (workflowId) {
const authorization = await authorizeWorkflowByWorkspacePermission({
workflowId,
userId,
action: 'read',
})
if (!authorization.allowed) {
return NextResponse.json(
{ error: authorization.message || 'Access denied' },
{ status: authorization.status }
)
}
}
try {

25
apps/sim/app/api/mcp/copilot/route.ts
View File

@@ -17,7 +17,6 @@ import { createLogger } from '@sim/logger'
import { eq, sql } from 'drizzle-orm'
import { type NextRequest, NextResponse } from 'next/server'
import { getHighestPrioritySubscription } from '@/lib/billing/core/subscription'
import { getCopilotModel } from '@/lib/copilot/config'
import {
ORCHESTRATION_TIMEOUT_MS,
SIM_AGENT_API_URL,
@@ -32,10 +31,14 @@ import {
import { DIRECT_TOOL_DEFS, SUBAGENT_TOOL_DEFS } from '@/lib/copilot/tools/mcp/definitions'
import { env } from '@/lib/core/config/env'
import { RateLimiter } from '@/lib/core/rate-limiter'
import { resolveWorkflowIdForUser } from '@/lib/workflows/utils'
import {
authorizeWorkflowByWorkspacePermission,
resolveWorkflowIdForUser,
} from '@/lib/workflows/utils'
const logger = createLogger('CopilotMcpAPI')
const mcpRateLimiter = new RateLimiter()
const DEFAULT_COPILOT_MODEL = 'claude-opus-4-6'
export const dynamic = 'force-dynamic'
export const runtime = 'nodejs'
@@ -624,10 +627,18 @@ async function handleBuildToolCall(
): Promise<CallToolResult> {
try {
const requestText = (args.request as string) || JSON.stringify(args)
const { model } = getCopilotModel('chat')
const workflowId = args.workflowId as string | undefined
const resolved = workflowId ? { workflowId } : await resolveWorkflowIdForUser(userId)
const resolved = workflowId
? await (async () => {
const authorization = await authorizeWorkflowByWorkspacePermission({
workflowId,
userId,
action: 'read',
})
return authorization.allowed ? { workflowId } : null
})()
: await resolveWorkflowIdForUser(userId)
if (!resolved?.workflowId) {
return {
@@ -654,7 +665,7 @@ async function handleBuildToolCall(
message: requestText,
workflowId: resolved.workflowId,
userId,
model,
model: DEFAULT_COPILOT_MODEL,
mode: 'agent',
commands: ['fast'],
messageId: randomUUID(),
@@ -721,8 +732,6 @@ async function handleSubagentToolCall(
context.plan = args.plan
}
const { model } = getCopilotModel('chat')
const result = await orchestrateSubagentStream(
toolDef.agentId,
{
@@ -730,7 +739,7 @@ async function handleSubagentToolCall(
workflowId: args.workflowId,
workspaceId: args.workspaceId,
context,
model,
model: DEFAULT_COPILOT_MODEL,
headless: true,
source: 'mcp',
},

227
apps/sim/app/api/mcp/serve/[serverId]/route.test.ts Normal file
View File

@@ -0,0 +1,227 @@
/**
* Tests for MCP serve route auth propagation.
*
* @vitest-environment node
*/
import { NextRequest } from 'next/server'
import { afterEach, beforeEach, describe, expect, it, vi } from 'vitest'
const mockCheckHybridAuth = vi.fn()
const mockGetUserEntityPermissions = vi.fn()
const mockGenerateInternalToken = vi.fn()
const mockDbSelect = vi.fn()
const mockDbFrom = vi.fn()
const mockDbWhere = vi.fn()
const mockDbLimit = vi.fn()
const fetchMock = vi.fn()
describe('MCP Serve Route', () => {
beforeEach(() => {
vi.resetModules()
vi.clearAllMocks()
mockDbSelect.mockReturnValue({ from: mockDbFrom })
mockDbFrom.mockReturnValue({ where: mockDbWhere })
mockDbWhere.mockReturnValue({ limit: mockDbLimit })
vi.doMock('@sim/logger', () => ({
createLogger: vi.fn(() => ({
info: vi.fn(),
warn: vi.fn(),
error: vi.fn(),
debug: vi.fn(),
})),
}))
vi.doMock('drizzle-orm', () => ({
and: vi.fn(),
eq: vi.fn(),
}))
vi.doMock('@sim/db', () => ({
db: {
select: mockDbSelect,
},
}))
vi.doMock('@sim/db/schema', () => ({
workflowMcpServer: {
id: 'id',
name: 'name',
workspaceId: 'workspaceId',
isPublic: 'isPublic',
createdBy: 'createdBy',
},
workflowMcpTool: {
serverId: 'serverId',
toolName: 'toolName',
toolDescription: 'toolDescription',
parameterSchema: 'parameterSchema',
workflowId: 'workflowId',
},
workflow: {
id: 'id',
isDeployed: 'isDeployed',
},
}))
vi.doMock('@/lib/auth/hybrid', () => ({
checkHybridAuth: mockCheckHybridAuth,
}))
vi.doMock('@/lib/workspaces/permissions/utils', () => ({
getUserEntityPermissions: mockGetUserEntityPermissions,
}))
vi.doMock('@/lib/auth/internal', () => ({
generateInternalToken: mockGenerateInternalToken,
}))
vi.doMock('@/lib/core/utils/urls', () => ({
getBaseUrl: () => 'http://localhost:3000',
}))
vi.doMock('@/lib/core/execution-limits', () => ({
getMaxExecutionTimeout: () => 10_000,
}))
vi.stubGlobal('fetch', fetchMock)
})
afterEach(() => {
vi.unstubAllGlobals()
vi.clearAllMocks()
})
it('returns 401 for private server when auth fails', async () => {
mockDbLimit.mockResolvedValueOnce([
{
id: 'server-1',
name: 'Private Server',
workspaceId: 'ws-1',
isPublic: false,
createdBy: 'owner-1',
},
])
mockCheckHybridAuth.mockResolvedValueOnce({ success: false, error: 'Unauthorized' })
const { POST } = await import('./route')
const req = new NextRequest('http://localhost:3000/api/mcp/serve/server-1', {
method: 'POST',
body: JSON.stringify({ jsonrpc: '2.0', id: 1, method: 'ping' }),
})
const response = await POST(req, { params: Promise.resolve({ serverId: 'server-1' }) })
expect(response.status).toBe(401)
})
it('returns 401 on GET for private server when auth fails', async () => {
mockDbLimit.mockResolvedValueOnce([
{
id: 'server-1',
name: 'Private Server',
workspaceId: 'ws-1',
isPublic: false,
createdBy: 'owner-1',
},
])
mockCheckHybridAuth.mockResolvedValueOnce({ success: false, error: 'Unauthorized' })
const { GET } = await import('./route')
const req = new NextRequest('http://localhost:3000/api/mcp/serve/server-1')
const response = await GET(req, { params: Promise.resolve({ serverId: 'server-1' }) })
expect(response.status).toBe(401)
})
it('forwards X-API-Key for private server api_key auth', async () => {
mockDbLimit
.mockResolvedValueOnce([
{
id: 'server-1',
name: 'Private Server',
workspaceId: 'ws-1',
isPublic: false,
createdBy: 'owner-1',
},
])
.mockResolvedValueOnce([{ toolName: 'tool_a', workflowId: 'wf-1' }])
.mockResolvedValueOnce([{ isDeployed: true }])
mockCheckHybridAuth.mockResolvedValueOnce({
success: true,
userId: 'user-1',
authType: 'api_key',
apiKeyType: 'personal',
})
mockGetUserEntityPermissions.mockResolvedValueOnce('write')
fetchMock.mockResolvedValueOnce(
new Response(JSON.stringify({ output: { ok: true } }), {
status: 200,
headers: { 'Content-Type': 'application/json' },
})
)
const { POST } = await import('./route')
const req = new NextRequest('http://localhost:3000/api/mcp/serve/server-1', {
method: 'POST',
headers: { 'X-API-Key': 'pk_test_123' },
body: JSON.stringify({
jsonrpc: '2.0',
id: 1,
method: 'tools/call',
params: { name: 'tool_a', arguments: { q: 'test' } },
}),
})
const response = await POST(req, { params: Promise.resolve({ serverId: 'server-1' }) })
expect(response.status).toBe(200)
expect(fetchMock).toHaveBeenCalledTimes(1)
const fetchOptions = fetchMock.mock.calls[0][1] as RequestInit
const headers = fetchOptions.headers as Record<string, string>
expect(headers['X-API-Key']).toBe('pk_test_123')
expect(headers.Authorization).toBeUndefined()
expect(mockGenerateInternalToken).not.toHaveBeenCalled()
})
it('forwards internal token for private server session auth', async () => {
mockDbLimit
.mockResolvedValueOnce([
{
id: 'server-1',
name: 'Private Server',
workspaceId: 'ws-1',
isPublic: false,
createdBy: 'owner-1',
},
])
.mockResolvedValueOnce([{ toolName: 'tool_a', workflowId: 'wf-1' }])
.mockResolvedValueOnce([{ isDeployed: true }])
mockCheckHybridAuth.mockResolvedValueOnce({
success: true,
userId: 'user-1',
authType: 'session',
})
mockGetUserEntityPermissions.mockResolvedValueOnce('read')
mockGenerateInternalToken.mockResolvedValueOnce('internal-token-user-1')
fetchMock.mockResolvedValueOnce(
new Response(JSON.stringify({ output: { ok: true } }), {
status: 200,
headers: { 'Content-Type': 'application/json' },
})
)
const { POST } = await import('./route')
const req = new NextRequest('http://localhost:3000/api/mcp/serve/server-1', {
method: 'POST',
body: JSON.stringify({
jsonrpc: '2.0',
id: 1,
method: 'tools/call',
params: { name: 'tool_a' },
}),
})
const response = await POST(req, { params: Promise.resolve({ serverId: 'server-1' }) })
expect(response.status).toBe(200)
expect(fetchMock).toHaveBeenCalledTimes(1)
const fetchOptions = fetchMock.mock.calls[0][1] as RequestInit
const headers = fetchOptions.headers as Record<string, string>
expect(headers.Authorization).toBe('Bearer internal-token-user-1')
expect(headers['X-API-Key']).toBeUndefined()
expect(mockGenerateInternalToken).toHaveBeenCalledWith('user-1')
})
})

68
apps/sim/app/api/mcp/serve/[serverId]/route.ts
View File

@@ -19,10 +19,11 @@ import { workflow, workflowMcpServer, workflowMcpTool } from '@sim/db/schema'
import { createLogger } from '@sim/logger'
import { and, eq } from 'drizzle-orm'
import { type NextRequest, NextResponse } from 'next/server'
import { checkHybridAuth } from '@/lib/auth/hybrid'
import { type AuthResult, checkHybridAuth } from '@/lib/auth/hybrid'
import { generateInternalToken } from '@/lib/auth/internal'
import { getMaxExecutionTimeout } from '@/lib/core/execution-limits'
import { getBaseUrl } from '@/lib/core/utils/urls'
import { getUserEntityPermissions } from '@/lib/workspaces/permissions/utils'
const logger = createLogger('WorkflowMcpServeAPI')
@@ -32,6 +33,12 @@ interface RouteParams {
serverId: string
}
interface ExecuteAuthContext {
authType?: AuthResult['authType']
userId: string
apiKey?: string | null
}
function createResponse(id: RequestId, result: unknown): JSONRPCResponse {
return {
jsonrpc: '2.0',
@@ -73,6 +80,22 @@ export async function GET(request: NextRequest, { params }: { params: Promise<Ro
return NextResponse.json({ error: 'Server not found' }, { status: 404 })
}
if (!server.isPublic) {
const auth = await checkHybridAuth(request, { requireWorkflowId: false })
if (!auth.success || !auth.userId) {
return NextResponse.json({ error: 'Unauthorized' }, { status: 401 })
}
const workspacePermission = await getUserEntityPermissions(
auth.userId,
'workspace',
server.workspaceId
)
if (workspacePermission === null) {
return NextResponse.json({ error: 'Forbidden' }, { status: 403 })
}
}
return NextResponse.json({
name: server.name,
version: '1.0.0',
@@ -94,11 +117,27 @@ export async function POST(request: NextRequest, { params }: { params: Promise<R
return NextResponse.json({ error: 'Server not found' }, { status: 404 })
}
let executeAuthContext: ExecuteAuthContext | null = null
if (!server.isPublic) {
const auth = await checkHybridAuth(request, { requireWorkflowId: false })
if (!auth.success || !auth.userId) {
return NextResponse.json({ error: 'Unauthorized' }, { status: 401 })
}
const workspacePermission = await getUserEntityPermissions(
auth.userId,
'workspace',
server.workspaceId
)
if (workspacePermission === null) {
return NextResponse.json({ error: 'Forbidden' }, { status: 403 })
}
executeAuthContext = {
authType: auth.authType,
userId: auth.userId,
apiKey: auth.authType === 'api_key' ? request.headers.get('X-API-Key') : null,
}
}
const body = await request.json()
@@ -119,9 +158,6 @@ export async function POST(request: NextRequest, { params }: { params: Promise<R
}
const { id, method, params: rpcParams } = message
const apiKey =
request.headers.get('X-API-Key') ||
request.headers.get('Authorization')?.replace('Bearer ', '')
switch (method) {
case 'initialize': {
@@ -144,7 +180,7 @@ export async function POST(request: NextRequest, { params }: { params: Promise<R
id,
serverId,
rpcParams as { name: string; arguments?: Record<string, unknown> },
apiKey,
executeAuthContext,
server.isPublic ? server.createdBy : undefined
)
@@ -207,7 +243,7 @@ async function handleToolsCall(
id: RequestId,
serverId: string,
params: { name: string; arguments?: Record<string, unknown> } | undefined,
apiKey?: string | null,
executeAuthContext?: ExecuteAuthContext | null,
publicServerOwnerId?: string
): Promise<NextResponse> {
try {
@@ -255,8 +291,13 @@ async function handleToolsCall(
if (publicServerOwnerId) {
const internalToken = await generateInternalToken(publicServerOwnerId)
headers.Authorization = `Bearer ${internalToken}`
} else if (apiKey) {
headers['X-API-Key'] = apiKey
} else if (executeAuthContext) {
if (executeAuthContext.authType === 'api_key' && executeAuthContext.apiKey) {
headers['X-API-Key'] = executeAuthContext.apiKey
} else {
const internalToken = await generateInternalToken(executeAuthContext.userId)
headers.Authorization = `Bearer ${internalToken}`
}
}
logger.info(`Executing workflow ${tool.workflowId} via MCP tool ${params.name}`)
@@ -311,6 +352,17 @@ export async function DELETE(request: NextRequest, { params }: { params: Promise
return NextResponse.json({ error: 'Unauthorized' }, { status: 401 })
}
if (!server.isPublic) {
const workspacePermission = await getUserEntityPermissions(
auth.userId,
'workspace',
server.workspaceId
)
if (workspacePermission === null) {
return NextResponse.json({ error: 'Forbidden' }, { status: 403 })
}
}
logger.info(`MCP session terminated for server ${serverId}`)
return new NextResponse(null, { status: 204 })
} catch (error) {

8
apps/sim/app/api/mcp/workflow-servers/[id]/tools/route.ts
View File

@@ -6,6 +6,7 @@ import type { NextRequest } from 'next/server'
import { getParsedBody, withMcpAuth } from '@/lib/mcp/middleware'
import { mcpPubSub } from '@/lib/mcp/pubsub'
import { createMcpErrorResponse, createMcpSuccessResponse } from '@/lib/mcp/utils'
import { generateParameterSchemaForWorkflow } from '@/lib/mcp/workflow-mcp-sync'
import { sanitizeToolName } from '@/lib/mcp/workflow-tool-schema'
import { hasValidStartBlock } from '@/lib/workflows/triggers/trigger-utils.server'
@@ -170,6 +171,11 @@ export const POST = withMcpAuth<RouteParams>('write')(
workflowRecord.description ||
`Execute ${workflowRecord.name} workflow`
const parameterSchema =
body.parameterSchema && Object.keys(body.parameterSchema).length > 0
? body.parameterSchema
: await generateParameterSchemaForWorkflow(body.workflowId)
const toolId = crypto.randomUUID()
const [tool] = await db
.insert(workflowMcpTool)
@@ -179,7 +185,7 @@ export const POST = withMcpAuth<RouteParams>('write')(
workflowId: body.workflowId,
toolName,
toolDescription,
parameterSchema: body.parameterSchema || {},
parameterSchema,
createdAt: new Date(),
updatedAt: new Date(),
})

5
apps/sim/app/api/mcp/workflow-servers/route.ts
View File

@@ -6,6 +6,7 @@ import type { NextRequest } from 'next/server'
import { getParsedBody, withMcpAuth } from '@/lib/mcp/middleware'
import { mcpPubSub } from '@/lib/mcp/pubsub'
import { createMcpErrorResponse, createMcpSuccessResponse } from '@/lib/mcp/utils'
import { generateParameterSchemaForWorkflow } from '@/lib/mcp/workflow-mcp-sync'
import { sanitizeToolName } from '@/lib/mcp/workflow-tool-schema'
import { hasValidStartBlock } from '@/lib/workflows/triggers/trigger-utils.server'
@@ -156,6 +157,8 @@ export const POST = withMcpAuth('write')(
const toolDescription =
workflowRecord.description || `Execute ${workflowRecord.name} workflow`
const parameterSchema = await generateParameterSchemaForWorkflow(workflowRecord.id)
const toolId = crypto.randomUUID()
await db.insert(workflowMcpTool).values({
id: toolId,
@@ -163,7 +166,7 @@ export const POST = withMcpAuth('write')(
workflowId: workflowRecord.id,
toolName,
toolDescription,
parameterSchema: {},
parameterSchema,
createdAt: new Date(),
updatedAt: new Date(),
})

49
apps/sim/app/api/organizations/[id]/invitations/[invitationId]/route.ts
View File

@@ -446,15 +446,46 @@ export async function PUT(
})
.where(eq(workspaceInvitation.id, wsInvitation.id))
await tx.insert(permissions).values({
id: randomUUID(),
entityType: 'workspace',
entityId: wsInvitation.workspaceId,
userId: session.user.id,
permissionType: wsInvitation.permissions || 'read',
createdAt: new Date(),
updatedAt: new Date(),
})
const existingPermission = await tx
.select({ id: permissions.id, permissionType: permissions.permissionType })
.from(permissions)
.where(
and(
eq(permissions.entityId, wsInvitation.workspaceId),
eq(permissions.entityType, 'workspace'),
eq(permissions.userId, session.user.id)
)
)
.then((rows) => rows[0])
if (existingPermission) {
const PERMISSION_RANK = { read: 0, write: 1, admin: 2 } as const
type PermissionLevel = keyof typeof PERMISSION_RANK
const existingRank =
PERMISSION_RANK[existingPermission.permissionType as PermissionLevel] ?? 0
const newPermission = (wsInvitation.permissions || 'read') as PermissionLevel
const newRank = PERMISSION_RANK[newPermission] ?? 0
if (newRank > existingRank) {
await tx
.update(permissions)
.set({
permissionType: newPermission,
updatedAt: new Date(),
})
.where(eq(permissions.id, existingPermission.id))
}
} else {
await tx.insert(permissions).values({
id: randomUUID(),
entityType: 'workspace',
entityId: wsInvitation.workspaceId,
userId: session.user.id,
permissionType: wsInvitation.permissions || 'read',
createdAt: new Date(),
updatedAt: new Date(),
})
}
}
} else if (status === 'cancelled') {
await tx

24
apps/sim/app/api/resume/[workflowId]/[executionId]/[contextId]/route.ts
View File

@@ -4,6 +4,7 @@ import { type NextRequest, NextResponse } from 'next/server'
import { generateRequestId } from '@/lib/core/utils/request'
import { preprocessExecution } from '@/lib/execution/preprocessing'
import { PauseResumeManager } from '@/lib/workflows/executor/human-in-the-loop-manager'
import { getWorkspaceBilledAccountUserId } from '@/lib/workspaces/utils'
import { validateWorkflowAccess } from '@/app/api/workflows/middleware'
const logger = createLogger('WorkflowResumeAPI')
@@ -37,7 +38,26 @@ export async function POST(
}
const resumeInput = payload?.input ?? payload ?? {}
const userId = workflow.userId ?? ''
const isPersonalApiKeyCaller =
access.auth?.authType === 'api_key' && access.auth?.apiKeyType === 'personal'
let userId: string
if (isPersonalApiKeyCaller && access.auth?.userId) {
userId = access.auth.userId
} else {
const billedAccountUserId = await getWorkspaceBilledAccountUserId(workflow.workspaceId)
if (!billedAccountUserId) {
logger.error('Unable to resolve workspace billed account for resume execution', {
workflowId,
workspaceId: workflow.workspaceId,
})
return NextResponse.json(
{ error: 'Unable to resolve billing account for this workspace' },
{ status: 500 }
)
}
userId = billedAccountUserId
}
const resumeExecutionId = randomUUID()
const requestId = generateRequestId()
@@ -58,8 +78,8 @@ export async function POST(
checkRateLimit: false, // Manual triggers bypass rate limits
checkDeployment: false, // Resuming existing execution, deployment already checked
skipUsageLimits: true, // Resume is continuation of authorized execution - don't recheck limits
useAuthenticatedUserAsActor: isPersonalApiKeyCaller,
workspaceId: workflow.workspaceId || undefined,
isResumeContext: true, // Enable billing fallback for paused workflow resumes
})
if (!preprocessResult.success) {

47
apps/sim/app/api/schedules/[id]/route.test.ts
View File

@@ -7,21 +7,20 @@ import { loggerMock } from '@sim/testing'
import { NextRequest } from 'next/server'
import { afterEach, beforeEach, describe, expect, it, vi } from 'vitest'
const { mockGetSession, mockGetUserEntityPermissions, mockDbSelect, mockDbUpdate } = vi.hoisted(
() => ({
const { mockGetSession, mockAuthorizeWorkflowByWorkspacePermission, mockDbSelect, mockDbUpdate } =
vi.hoisted(() => ({
mockGetSession: vi.fn(),
mockGetUserEntityPermissions: vi.fn(),
mockAuthorizeWorkflowByWorkspacePermission: vi.fn(),
mockDbSelect: vi.fn(),
mockDbUpdate: vi.fn(),
})
)
}))
vi.mock('@/lib/auth', () => ({
getSession: mockGetSession,
}))
vi.mock('@/lib/workspaces/permissions/utils', () => ({
getUserEntityPermissions: mockGetUserEntityPermissions,
vi.mock('@/lib/workflows/utils', () => ({
authorizeWorkflowByWorkspacePermission: mockAuthorizeWorkflowByWorkspacePermission,
}))
vi.mock('@sim/db', () => ({
@@ -81,7 +80,12 @@ describe('Schedule PUT API (Reactivate)', () => {
beforeEach(() => {
vi.clearAllMocks()
mockGetSession.mockResolvedValue({ user: { id: 'user-1' } })
mockGetUserEntityPermissions.mockResolvedValue('write')
mockAuthorizeWorkflowByWorkspacePermission.mockResolvedValue({
allowed: true,
status: 200,
workflow: { id: 'wf-1', workspaceId: 'ws-1' },
workspacePermission: 'write',
})
})
afterEach(() => {
@@ -140,6 +144,13 @@ describe('Schedule PUT API (Reactivate)', () => {
})
it('returns 404 when workflow does not exist for schedule', async () => {
mockAuthorizeWorkflowByWorkspacePermission.mockResolvedValue({
allowed: false,
status: 404,
workflow: null,
workspacePermission: null,
message: 'Workflow not found',
})
mockDbChain([[{ id: 'sched-1', workflowId: 'wf-1', status: 'disabled' }], []])
const res = await PUT(createRequest({ action: 'reactivate' }), createParams('sched-1'))
@@ -152,6 +163,14 @@ describe('Schedule PUT API (Reactivate)', () => {
describe('Authorization', () => {
it('returns 403 when user is not workflow owner', async () => {
mockAuthorizeWorkflowByWorkspacePermission.mockResolvedValue({
allowed: false,
status: 403,
workflow: { id: 'wf-1', workspaceId: null },
workspacePermission: null,
message:
'This workflow is not attached to a workspace. Personal workflows are deprecated and cannot be accessed.',
})
mockDbChain([
[{ id: 'sched-1', workflowId: 'wf-1', status: 'disabled' }],
[{ userId: 'other-user', workspaceId: null }],
@@ -161,11 +180,17 @@ describe('Schedule PUT API (Reactivate)', () => {
expect(res.status).toBe(403)
const data = await res.json()
expect(data.error).toBe('Not authorized to modify this schedule')
expect(data.error).toContain('Personal workflows are deprecated')
})
it('returns 403 for workspace member with only read permission', async () => {
mockGetUserEntityPermissions.mockResolvedValue('read')
mockAuthorizeWorkflowByWorkspacePermission.mockResolvedValue({
allowed: false,
status: 403,
workflow: { id: 'wf-1', workspaceId: 'ws-1' },
workspacePermission: 'read',
message: 'Unauthorized: Access denied to write this workflow',
})
mockDbChain([
[{ id: 'sched-1', workflowId: 'wf-1', status: 'disabled' }],
[{ userId: 'other-user', workspaceId: 'ws-1' }],
@@ -198,7 +223,6 @@ describe('Schedule PUT API (Reactivate)', () => {
})
it('allows workspace member with write permission to reactivate', async () => {
mockGetUserEntityPermissions.mockResolvedValue('write')
mockDbChain([
[
{
@@ -218,7 +242,6 @@ describe('Schedule PUT API (Reactivate)', () => {
})
it('allows workspace admin to reactivate', async () => {
mockGetUserEntityPermissions.mockResolvedValue('admin')
mockDbChain([
[
{

34
apps/sim/app/api/schedules/[id]/route.ts
View File

@@ -1,5 +1,5 @@
import { db } from '@sim/db'
import { workflow, workflowSchedule } from '@sim/db/schema'
import { workflowSchedule } from '@sim/db/schema'
import { createLogger } from '@sim/logger'
import { eq } from 'drizzle-orm'
import { type NextRequest, NextResponse } from 'next/server'
@@ -7,7 +7,7 @@ import { z } from 'zod'
import { getSession } from '@/lib/auth'
import { generateRequestId } from '@/lib/core/utils/request'
import { validateCronExpression } from '@/lib/workflows/schedules/utils'
import { getUserEntityPermissions } from '@/lib/workspaces/permissions/utils'
import { authorizeWorkflowByWorkspacePermission } from '@/lib/workflows/utils'
const logger = createLogger('ScheduleAPI')
@@ -57,31 +57,23 @@ export async function PUT(request: NextRequest, { params }: { params: Promise<{
return NextResponse.json({ error: 'Schedule not found' }, { status: 404 })
}
const [workflowRecord] = await db
.select({ userId: workflow.userId, workspaceId: workflow.workspaceId })
.from(workflow)
.where(eq(workflow.id, schedule.workflowId))
.limit(1)
const authorization = await authorizeWorkflowByWorkspacePermission({
workflowId: schedule.workflowId,
userId: session.user.id,
action: 'write',
})
if (!workflowRecord) {
if (!authorization.workflow) {
logger.warn(`[${requestId}] Workflow not found for schedule: ${scheduleId}`)
return NextResponse.json({ error: 'Workflow not found' }, { status: 404 })
}
let isAuthorized = workflowRecord.userId === session.user.id
if (!isAuthorized && workflowRecord.workspaceId) {
const userPermission = await getUserEntityPermissions(
session.user.id,
'workspace',
workflowRecord.workspaceId
)
isAuthorized = userPermission === 'write' || userPermission === 'admin'
}
if (!isAuthorized) {
if (!authorization.allowed) {
logger.warn(`[${requestId}] User not authorized to modify this schedule: ${scheduleId}`)
return NextResponse.json({ error: 'Not authorized to modify this schedule' }, { status: 403 })
return NextResponse.json(
{ error: authorization.message || 'Not authorized to modify this schedule' },
{ status: authorization.status }
)
}
if (schedule.status === 'active') {

50
apps/sim/app/api/schedules/route.test.ts
View File

@@ -7,18 +7,20 @@ import { loggerMock } from '@sim/testing'
import { NextRequest } from 'next/server'
import { afterEach, beforeEach, describe, expect, it, vi } from 'vitest'
const { mockGetSession, mockGetUserEntityPermissions, mockDbSelect } = vi.hoisted(() => ({
mockGetSession: vi.fn(),
mockGetUserEntityPermissions: vi.fn(),
mockDbSelect: vi.fn(),
}))
const { mockGetSession, mockAuthorizeWorkflowByWorkspacePermission, mockDbSelect } = vi.hoisted(
() => ({
mockGetSession: vi.fn(),
mockAuthorizeWorkflowByWorkspacePermission: vi.fn(),
mockDbSelect: vi.fn(),
})
)
vi.mock('@/lib/auth', () => ({
getSession: mockGetSession,
}))
vi.mock('@/lib/workspaces/permissions/utils', () => ({
getUserEntityPermissions: mockGetUserEntityPermissions,
vi.mock('@/lib/workflows/utils', () => ({
authorizeWorkflowByWorkspacePermission: mockAuthorizeWorkflowByWorkspacePermission,
}))
vi.mock('@sim/db', () => ({
@@ -80,7 +82,12 @@ describe('Schedule GET API', () => {
beforeEach(() => {
vi.clearAllMocks()
mockGetSession.mockResolvedValue({ user: { id: 'user-1' } })
mockGetUserEntityPermissions.mockResolvedValue('read')
mockAuthorizeWorkflowByWorkspacePermission.mockResolvedValue({
allowed: true,
status: 200,
workflow: { id: 'wf-1', workspaceId: 'ws-1' },
workspacePermission: 'read',
})
})
afterEach(() => {
@@ -89,7 +96,6 @@ describe('Schedule GET API', () => {
it('returns schedule data for authorized user', async () => {
mockDbChain([
[{ userId: 'user-1', workspaceId: null }],
[
{
schedule: {
@@ -111,7 +117,7 @@ describe('Schedule GET API', () => {
})
it('returns null when no schedule exists', async () => {
mockDbChain([[{ userId: 'user-1', workspaceId: null }], []])
mockDbChain([[]])
const res = await GET(createRequest('http://test/api/schedules?workflowId=wf-1'))
const data = await res.json()
@@ -135,6 +141,13 @@ describe('Schedule GET API', () => {
})
it('returns 404 for non-existent workflow', async () => {
mockAuthorizeWorkflowByWorkspacePermission.mockResolvedValue({
allowed: false,
status: 404,
message: 'Workflow not found',
workflow: null,
workspacePermission: null,
})
mockDbChain([[]])
const res = await GET(createRequest('http://test/api/schedules?workflowId=wf-1'))
@@ -143,6 +156,13 @@ describe('Schedule GET API', () => {
})
it('denies access for unauthorized user', async () => {
mockAuthorizeWorkflowByWorkspacePermission.mockResolvedValue({
allowed: false,
status: 403,
message: 'Unauthorized: Access denied to read this workflow',
workflow: { id: 'wf-1', workspaceId: 'ws-1' },
workspacePermission: null,
})
mockDbChain([[{ userId: 'other-user', workspaceId: null }]])
const res = await GET(createRequest('http://test/api/schedules?workflowId=wf-1'))
@@ -151,10 +171,7 @@ describe('Schedule GET API', () => {
})
it('allows workspace members to view', async () => {
mockDbChain([
[{ userId: 'other-user', workspaceId: 'ws-1' }],
[{ schedule: { id: 'sched-1', status: 'active', failedCount: 0 } }],
])
mockDbChain([[{ schedule: { id: 'sched-1', status: 'active', failedCount: 0 } }]])
const res = await GET(createRequest('http://test/api/schedules?workflowId=wf-1'))
@@ -162,10 +179,7 @@ describe('Schedule GET API', () => {
})
it('indicates disabled schedule with failures', async () => {
mockDbChain([
[{ userId: 'user-1', workspaceId: null }],
[{ schedule: { id: 'sched-1', status: 'disabled', failedCount: 100 } }],
])
mockDbChain([[{ schedule: { id: 'sched-1', status: 'disabled', failedCount: 100 } }]])
const res = await GET(createRequest('http://test/api/schedules?workflowId=wf-1'))
const data = await res.json()

32
apps/sim/app/api/schedules/route.ts
View File

@@ -1,11 +1,11 @@
import { db } from '@sim/db'
import { workflow, workflowDeploymentVersion, workflowSchedule } from '@sim/db/schema'
import { workflowDeploymentVersion, workflowSchedule } from '@sim/db/schema'
import { createLogger } from '@sim/logger'
import { and, eq, isNull, or } from 'drizzle-orm'
import { type NextRequest, NextResponse } from 'next/server'
import { getSession } from '@/lib/auth'
import { generateRequestId } from '@/lib/core/utils/request'
import { getUserEntityPermissions } from '@/lib/workspaces/permissions/utils'
import { authorizeWorkflowByWorkspacePermission } from '@/lib/workflows/utils'
const logger = createLogger('ScheduledAPI')
@@ -29,29 +29,21 @@ export async function GET(req: NextRequest) {
return NextResponse.json({ error: 'Missing workflowId parameter' }, { status: 400 })
}
const [workflowRecord] = await db
.select({ userId: workflow.userId, workspaceId: workflow.workspaceId })
.from(workflow)
.where(eq(workflow.id, workflowId))
.limit(1)
const authorization = await authorizeWorkflowByWorkspacePermission({
workflowId,
userId: session.user.id,
action: 'read',
})
if (!workflowRecord) {
if (!authorization.workflow) {
return NextResponse.json({ error: 'Workflow not found' }, { status: 404 })
}
let isAuthorized = workflowRecord.userId === session.user.id
if (!isAuthorized && workflowRecord.workspaceId) {
const userPermission = await getUserEntityPermissions(
session.user.id,
'workspace',
workflowRecord.workspaceId
if (!authorization.allowed) {
return NextResponse.json(
{ error: authorization.message || 'Not authorized to view this workflow' },
{ status: authorization.status }
)
isAuthorized = userPermission !== null
}
if (!isAuthorized) {
return NextResponse.json({ error: 'Not authorized to view this workflow' }, { status: 403 })
}
logger.info(`[${requestId}] Getting schedule for workflow ${workflowId}`)

28
apps/sim/app/api/tools/custom/route.test.ts
View File

@@ -214,6 +214,14 @@ describe('Custom Tools API Routes', () => {
vi.doMock('@/lib/workflows/custom-tools/operations', () => ({
upsertCustomTools: vi.fn().mockResolvedValue(sampleTools),
}))
vi.doMock('@/lib/workflows/utils', () => ({
authorizeWorkflowByWorkspacePermission: vi.fn().mockResolvedValue({
allowed: true,
status: 200,
workflow: { workspaceId: 'workspace-123' },
}),
}))
})
afterEach(() => {
@@ -272,20 +280,6 @@ describe('Custom Tools API Routes', () => {
it('should handle workflowId parameter', async () => {
const req = new NextRequest('http://localhost:3000/api/tools/custom?workflowId=workflow-123')
mockLimit.mockResolvedValueOnce([{ workspaceId: 'workspace-123' }])
mockWhere.mockImplementationOnce((condition) => {
const queryBuilder = {
limit: mockLimit,
then: (resolve: (value: typeof sampleTools) => void) => {
resolve(sampleTools)
return queryBuilder
},
catch: (reject: (error: Error) => void) => queryBuilder,
}
return queryBuilder
})
const { GET } = await import('@/app/api/tools/custom/route')
const response = await GET(req)
@@ -375,7 +369,8 @@ describe('Custom Tools API Routes', () => {
})
it('should handle tool not found', async () => {
mockLimit.mockResolvedValueOnce([])
const mockLimitNotFound = vi.fn().mockResolvedValue([])
mockWhere.mockReturnValueOnce({ limit: mockLimitNotFound })
const req = new NextRequest('http://localhost:3000/api/tools/custom?id=non-existent')
@@ -398,7 +393,8 @@ describe('Custom Tools API Routes', () => {
}))
const userScopedTool = { ...sampleTools[0], workspaceId: null, userId: 'user-123' }
mockLimit.mockResolvedValueOnce([userScopedTool])
const mockLimitUserScoped = vi.fn().mockResolvedValue([userScopedTool])
mockWhere.mockReturnValueOnce({ limit: mockLimitUserScoped })
const req = new NextRequest('http://localhost:3000/api/tools/custom?id=tool-1')

38
apps/sim/app/api/tools/custom/route.ts
View File

@@ -1,5 +1,5 @@
import { db } from '@sim/db'
import { customTools, workflow } from '@sim/db/schema'
import { customTools } from '@sim/db/schema'
import { createLogger } from '@sim/logger'
import { and, desc, eq, isNull, or } from 'drizzle-orm'
import { type NextRequest, NextResponse } from 'next/server'
@@ -7,6 +7,7 @@ import { z } from 'zod'
import { checkSessionOrInternalAuth } from '@/lib/auth/hybrid'
import { generateRequestId } from '@/lib/core/utils/request'
import { upsertCustomTools } from '@/lib/workflows/custom-tools/operations'
import { authorizeWorkflowByWorkspacePermission } from '@/lib/workflows/utils'
import { getUserEntityPermissions } from '@/lib/workspaces/permissions/utils'
const logger = createLogger('CustomToolsAPI')
@@ -52,27 +53,32 @@ export async function GET(request: NextRequest) {
const userId = authResult.userId
let resolvedWorkspaceId: string | null = workspaceId
let resolvedFromWorkflowAuthorization = false
if (!resolvedWorkspaceId && workflowId) {
const [workflowData] = await db
.select({ workspaceId: workflow.workspaceId })
.from(workflow)
.where(eq(workflow.id, workflowId))
.limit(1)
if (!workflowData) {
logger.warn(`[${requestId}] Workflow not found: ${workflowId}`)
return NextResponse.json({ error: 'Workflow not found' }, { status: 404 })
const workflowAuthorization = await authorizeWorkflowByWorkspacePermission({
workflowId,
userId,
action: 'read',
})
if (!workflowAuthorization.allowed) {
logger.warn(`[${requestId}] Workflow authorization failed for custom tools`, {
workflowId,
userId,
status: workflowAuthorization.status,
})
return NextResponse.json(
{ error: workflowAuthorization.message || 'Access denied' },
{ status: workflowAuthorization.status }
)
}
resolvedWorkspaceId = workflowData.workspaceId
resolvedWorkspaceId = workflowAuthorization.workflow?.workspaceId ?? null
resolvedFromWorkflowAuthorization = true
}
// Check workspace permissions
// For internal JWT with workflowId: checkSessionOrInternalAuth already resolved userId from workflow owner
// For session: verify user has access to the workspace
// For legacy (no workspaceId): skip workspace check, rely on userId match
if (resolvedWorkspaceId && !(authResult.authType === 'internal_jwt' && workflowId)) {
// Check workspace permissions for all auth types
if (resolvedWorkspaceId && !resolvedFromWorkflowAuthorization) {
const userPermission = await getUserEntityPermissions(
userId,
'workspace',

9
apps/sim/app/api/tools/jira/add-attachment/route.ts
View File

@@ -47,16 +47,9 @@ export async function POST(request: NextRequest) {
(await getJiraCloudId(validatedData.domain, validatedData.accessToken))
const formData = new FormData()
const filesOutput: Array<{ name: string; mimeType: string; data: string; size: number }> = []
for (const file of userFiles) {
const buffer = await downloadFileFromStorage(file, requestId, logger)
filesOutput.push({
name: file.name,
mimeType: file.type || 'application/octet-stream',
data: buffer.toString('base64'),
size: buffer.length,
})
const blob = new Blob([new Uint8Array(buffer)], {
type: file.type || 'application/octet-stream',
})
@@ -109,7 +102,7 @@ export async function POST(request: NextRequest) {
issueKey: validatedData.issueKey,
attachments,
attachmentIds,
files: filesOutput,
files: userFiles,
},
})
} catch (error) {

7
apps/sim/app/api/usage/route.ts
View File

@@ -7,6 +7,7 @@ import {
getOrganizationBillingData,
isOrganizationOwnerOrAdmin,
} from '@/lib/billing/core/organization'
import { isUserMemberOfOrganization } from '@/lib/billing/organizations/membership'
const logger = createLogger('UnifiedUsageAPI')
@@ -61,6 +62,12 @@ export async function GET(request: NextRequest) {
{ status: 400 }
)
}
const membership = await isUserMemberOfOrganization(session.user.id, organizationId)
if (!membership.isMember) {
return NextResponse.json({ error: 'Permission denied' }, { status: 403 })
}
const org = await getOrganizationBillingData(organizationId)
return NextResponse.json({
success: true,

5
apps/sim/app/api/v1/copilot/chat/route.ts
View File

@@ -1,7 +1,6 @@
import { createLogger } from '@sim/logger'
import { type NextRequest, NextResponse } from 'next/server'
import { z } from 'zod'
import { getCopilotModel } from '@/lib/copilot/config'
import { SIM_AGENT_VERSION } from '@/lib/copilot/constants'
import { COPILOT_REQUEST_MODES } from '@/lib/copilot/models'
import { orchestrateCopilotStream } from '@/lib/copilot/orchestrator'
@@ -9,6 +8,7 @@ import { resolveWorkflowIdForUser } from '@/lib/workflows/utils'
import { authenticateV1Request } from '@/app/api/v1/auth'
const logger = createLogger('CopilotHeadlessAPI')
const DEFAULT_COPILOT_MODEL = 'claude-opus-4-6'
const RequestSchema = z.object({
message: z.string().min(1, 'message is required'),
@@ -42,8 +42,7 @@ export async function POST(req: NextRequest) {
try {
const body = await req.json()
const parsed = RequestSchema.parse(body)
const defaults = getCopilotModel('chat')
const selectedModel = parsed.model || defaults.model
const selectedModel = parsed.model || DEFAULT_COPILOT_MODEL
// Resolve workflow ID
const resolved = await resolveWorkflowIdForUser(

17
apps/sim/app/api/wand/route.ts
View File

@@ -160,7 +160,7 @@ export async function POST(req: NextRequest) {
let workspaceId: string | null = null
if (workflowId) {
const [workflowRecord] = await db
.select({ workspaceId: workflow.workspaceId, userId: workflow.userId })
.select({ workspaceId: workflow.workspaceId })
.from(workflow)
.where(eq(workflow.id, workflowId))
.limit(1)
@@ -183,9 +183,18 @@ export async function POST(req: NextRequest) {
)
return NextResponse.json({ success: false, error: 'Unauthorized' }, { status: 403 })
}
} else if (workflowRecord.userId !== session.user.id) {
logger.warn(`[${requestId}] User ${session.user.id} does not own workflow ${workflowId}`)
return NextResponse.json({ success: false, error: 'Unauthorized' }, { status: 403 })
} else {
logger.warn(
`[${requestId}] Workflow ${workflowId} has no workspaceId; wand request blocked`
)
return NextResponse.json(
{
success: false,
error:
'This workflow is not attached to a workspace. Personal workflows are deprecated and cannot be accessed.',
},
{ status: 403 }
)
}
}

101
apps/sim/app/api/webhooks/[id]/route.ts
View File

@@ -3,12 +3,12 @@ import { webhook, workflow } from '@sim/db/schema'
import { createLogger } from '@sim/logger'
import { and, eq } from 'drizzle-orm'
import { type NextRequest, NextResponse } from 'next/server'
import { getSession } from '@/lib/auth'
import { checkSessionOrInternalAuth } from '@/lib/auth/hybrid'
import { validateInteger } from '@/lib/core/security/input-validation'
import { PlatformEvents } from '@/lib/core/telemetry'
import { generateRequestId } from '@/lib/core/utils/request'
import { cleanupExternalWebhook } from '@/lib/webhooks/provider-subscriptions'
import { getUserEntityPermissions } from '@/lib/workspaces/permissions/utils'
import { authorizeWorkflowByWorkspacePermission } from '@/lib/workflows/utils'
const logger = createLogger('WebhookAPI')
@@ -22,11 +22,12 @@ export async function GET(request: NextRequest, { params }: { params: Promise<{
const { id } = await params
logger.debug(`[${requestId}] Fetching webhook with ID: ${id}`)
const session = await getSession()
if (!session?.user?.id) {
const auth = await checkSessionOrInternalAuth(request, { requireWorkflowId: false })
if (!auth.success || !auth.userId) {
logger.warn(`[${requestId}] Unauthorized webhook access attempt`)
return NextResponse.json({ error: 'Unauthorized' }, { status: 401 })
}
const userId = auth.userId
const webhooks = await db
.select({
@@ -50,28 +51,15 @@ export async function GET(request: NextRequest, { params }: { params: Promise<{
const webhookData = webhooks[0]
// Check if user has permission to access this webhook
let hasAccess = false
// Case 1: User owns the workflow
if (webhookData.workflow.userId === session.user.id) {
hasAccess = true
}
// Case 2: Workflow belongs to a workspace and user has any permission
if (!hasAccess && webhookData.workflow.workspaceId) {
const userPermission = await getUserEntityPermissions(
session.user.id,
'workspace',
webhookData.workflow.workspaceId
)
if (userPermission !== null) {
hasAccess = true
}
}
const authorization = await authorizeWorkflowByWorkspacePermission({
workflowId: webhookData.workflow.id,
userId,
action: 'read',
})
const hasAccess = authorization.allowed
if (!hasAccess) {
logger.warn(`[${requestId}] User ${session.user.id} denied access to webhook: ${id}`)
logger.warn(`[${requestId}] User ${userId} denied access to webhook: ${id}`)
return NextResponse.json({ error: 'Access denied' }, { status: 403 })
}
@@ -90,11 +78,12 @@ export async function PATCH(request: NextRequest, { params }: { params: Promise<
const { id } = await params
logger.debug(`[${requestId}] Updating webhook with ID: ${id}`)
const session = await getSession()
if (!session?.user?.id) {
const auth = await checkSessionOrInternalAuth(request, { requireWorkflowId: false })
if (!auth.success || !auth.userId) {
logger.warn(`[${requestId}] Unauthorized webhook update attempt`)
return NextResponse.json({ error: 'Unauthorized' }, { status: 401 })
}
const userId = auth.userId
const body = await request.json()
const { isActive, failedCount } = body
@@ -127,27 +116,15 @@ export async function PATCH(request: NextRequest, { params }: { params: Promise<
}
const webhookData = webhooks[0]
let canModify = false
if (webhookData.workflow.userId === session.user.id) {
canModify = true
}
if (!canModify && webhookData.workflow.workspaceId) {
const userPermission = await getUserEntityPermissions(
session.user.id,
'workspace',
webhookData.workflow.workspaceId
)
if (userPermission === 'write' || userPermission === 'admin') {
canModify = true
}
}
const authorization = await authorizeWorkflowByWorkspacePermission({
workflowId: webhookData.workflow.id,
userId,
action: 'write',
})
const canModify = authorization.allowed
if (!canModify) {
logger.warn(
`[${requestId}] User ${session.user.id} denied permission to modify webhook: ${id}`
)
logger.warn(`[${requestId}] User ${userId} denied permission to modify webhook: ${id}`)
return NextResponse.json({ error: 'Access denied' }, { status: 403 })
}
@@ -185,11 +162,12 @@ export async function DELETE(
const { id } = await params
logger.debug(`[${requestId}] Deleting webhook with ID: ${id}`)
const session = await getSession()
if (!session?.user?.id) {
const auth = await checkSessionOrInternalAuth(request, { requireWorkflowId: false })
if (!auth.success || !auth.userId) {
logger.warn(`[${requestId}] Unauthorized webhook deletion attempt`)
return NextResponse.json({ error: 'Unauthorized' }, { status: 401 })
}
const userId = auth.userId
// Find the webhook and check permissions
const webhooks = await db
@@ -213,30 +191,15 @@ export async function DELETE(
const webhookData = webhooks[0]
// Check if user has permission to delete this webhook
let canDelete = false
// Case 1: User owns the workflow
if (webhookData.workflow.userId === session.user.id) {
canDelete = true
}
// Case 2: Workflow belongs to a workspace and user has write or admin permission
if (!canDelete && webhookData.workflow.workspaceId) {
const userPermission = await getUserEntityPermissions(
session.user.id,
'workspace',
webhookData.workflow.workspaceId
)
if (userPermission === 'write' || userPermission === 'admin') {
canDelete = true
}
}
const authorization = await authorizeWorkflowByWorkspacePermission({
workflowId: webhookData.workflow.id,
userId,
action: 'write',
})
const canDelete = authorization.allowed
if (!canDelete) {
logger.warn(
`[${requestId}] User ${session.user.id} denied permission to delete webhook: ${id}`
)
logger.warn(`[${requestId}] User ${userId} denied permission to delete webhook: ${id}`)
return NextResponse.json({ error: 'Access denied' }, { status: 403 })
}

63
apps/sim/app/api/webhooks/route.ts
View File

@@ -1,7 +1,7 @@
import { db } from '@sim/db'
import { webhook, workflow, workflowDeploymentVersion } from '@sim/db/schema'
import { permissions, webhook, workflow, workflowDeploymentVersion } from '@sim/db/schema'
import { createLogger } from '@sim/logger'
import { and, desc, eq, isNull, or } from 'drizzle-orm'
import { and, desc, eq, inArray, isNull, or } from 'drizzle-orm'
import { nanoid } from 'nanoid'
import { type NextRequest, NextResponse } from 'next/server'
import { getSession } from '@/lib/auth'
@@ -20,7 +20,7 @@ import {
configureRssPolling,
syncWebhooksForCredentialSet,
} from '@/lib/webhooks/utils.server'
import { getUserEntityPermissions } from '@/lib/workspaces/permissions/utils'
import { authorizeWorkflowByWorkspacePermission } from '@/lib/workflows/utils'
import { extractCredentialSetId, isCredentialSetValue } from '@/executor/constants'
const logger = createLogger('WebhooksAPI')
@@ -57,15 +57,12 @@ export async function GET(request: NextRequest) {
}
const wfRecord = wf[0]
let canRead = wfRecord.userId === session.user.id
if (!canRead && wfRecord.workspaceId) {
const permission = await getUserEntityPermissions(
session.user.id,
'workspace',
wfRecord.workspaceId
)
canRead = permission === 'read' || permission === 'write' || permission === 'admin'
}
const authorization = await authorizeWorkflowByWorkspacePermission({
workflowId: wfRecord.id,
userId: session.user.id,
action: 'read',
})
const canRead = authorization.allowed
if (!canRead) {
logger.warn(
@@ -114,8 +111,17 @@ export async function GET(request: NextRequest) {
return NextResponse.json({ webhooks: [] }, { status: 200 })
}
// Default: list webhooks owned by the session user
logger.debug(`[${requestId}] Fetching user-owned webhooks for ${session.user.id}`)
logger.debug(`[${requestId}] Fetching workspace-accessible webhooks for ${session.user.id}`)
const workspacePermissionRows = await db
.select({ workspaceId: permissions.entityId })
.from(permissions)
.where(and(eq(permissions.userId, session.user.id), eq(permissions.entityType, 'workspace')))
const workspaceIds = workspacePermissionRows.map((row) => row.workspaceId)
if (workspaceIds.length === 0) {
return NextResponse.json({ webhooks: [] }, { status: 200 })
}
const webhooks = await db
.select({
webhook: webhook,
@@ -126,9 +132,9 @@ export async function GET(request: NextRequest) {
})
.from(webhook)
.innerJoin(workflow, eq(webhook.workflowId, workflow.id))
.where(eq(workflow.userId, session.user.id))
.where(inArray(workflow.workspaceId, workspaceIds))
logger.info(`[${requestId}] Retrieved ${webhooks.length} user-owned webhooks`)
logger.info(`[${requestId}] Retrieved ${webhooks.length} workspace-accessible webhooks`)
return NextResponse.json({ webhooks }, { status: 200 })
} catch (error) {
logger.error(`[${requestId}] Error fetching webhooks`, error)
@@ -237,25 +243,12 @@ export async function POST(request: NextRequest) {
const workflowRecord = workflowData[0]
// Check if user has permission to modify this workflow
let canModify = false
// Case 1: User owns the workflow
if (workflowRecord.userId === userId) {
canModify = true
}
// Case 2: Workflow belongs to a workspace and user has write or admin permission
if (!canModify && workflowRecord.workspaceId) {
const userPermission = await getUserEntityPermissions(
userId,
'workspace',
workflowRecord.workspaceId
)
if (userPermission === 'write' || userPermission === 'admin') {
canModify = true
}
}
const authorization = await authorizeWorkflowByWorkspacePermission({
workflowId,
userId,
action: 'write',
})
const canModify = authorization.allowed
if (!canModify) {
logger.warn(

30
apps/sim/app/api/workflows/[id]/autolayout/route.ts
View File

@@ -1,7 +1,7 @@
import { createLogger } from '@sim/logger'
import { type NextRequest, NextResponse } from 'next/server'
import { z } from 'zod'
import { getSession } from '@/lib/auth'
import { checkSessionOrInternalAuth } from '@/lib/auth/hybrid'
import { generateRequestId } from '@/lib/core/utils/request'
import { applyAutoLayout } from '@/lib/workflows/autolayout'
import {
@@ -13,7 +13,7 @@ import {
loadWorkflowFromNormalizedTables,
type NormalizedWorkflowData,
} from '@/lib/workflows/persistence/utils'
import { getWorkflowAccessContext } from '@/lib/workflows/utils'
import { authorizeWorkflowByWorkspacePermission } from '@/lib/workflows/utils'
export const dynamic = 'force-dynamic'
@@ -52,13 +52,13 @@ export async function POST(request: NextRequest, { params }: { params: Promise<{
const { id: workflowId } = await params
try {
const session = await getSession()
if (!session?.user?.id) {
const auth = await checkSessionOrInternalAuth(request, { requireWorkflowId: false })
if (!auth.success || !auth.userId) {
logger.warn(`[${requestId}] Unauthorized autolayout attempt for workflow ${workflowId}`)
return NextResponse.json({ error: 'Unauthorized' }, { status: 401 })
}
const userId = session.user.id
const userId = auth.userId
const body = await request.json()
const layoutOptions = AutoLayoutRequestSchema.parse(body)
@@ -67,26 +67,28 @@ export async function POST(request: NextRequest, { params }: { params: Promise<{
userId,
})
const accessContext = await getWorkflowAccessContext(workflowId, userId)
const workflowData = accessContext?.workflow
const authorization = await authorizeWorkflowByWorkspacePermission({
workflowId,
userId,
action: 'write',
})
const workflowData = authorization.workflow
if (!workflowData) {
logger.warn(`[${requestId}] Workflow ${workflowId} not found for autolayout`)
return NextResponse.json({ error: 'Workflow not found' }, { status: 404 })
}
const canUpdate =
accessContext?.isOwner ||
(workflowData.workspaceId
? accessContext?.workspacePermission === 'write' ||
accessContext?.workspacePermission === 'admin'
: false)
const canUpdate = authorization.allowed
if (!canUpdate) {
logger.warn(
`[${requestId}] User ${userId} denied permission to autolayout workflow ${workflowId}`
)
return NextResponse.json({ error: 'Access denied' }, { status: 403 })
return NextResponse.json(
{ error: authorization.message || 'Access denied' },
{ status: authorization.status || 403 }
)
}
let currentWorkflowData: NormalizedWorkflowData | null

131
apps/sim/app/api/workflows/[id]/chat/status/route.test.ts Normal file
View File

@@ -0,0 +1,131 @@
/**
* Tests for workflow chat status route auth and access.
*
* @vitest-environment node
*/
import { loggerMock } from '@sim/testing'
import { NextRequest } from 'next/server'
import { afterEach, beforeEach, describe, expect, it, vi } from 'vitest'
const mockCheckSessionOrInternalAuth = vi.fn()
const mockAuthorizeWorkflowByWorkspacePermission = vi.fn()
const mockDbSelect = vi.fn()
const mockDbFrom = vi.fn()
const mockDbWhere = vi.fn()
const mockDbLimit = vi.fn()
describe('Workflow Chat Status Route', () => {
beforeEach(() => {
vi.resetModules()
vi.clearAllMocks()
mockDbSelect.mockReturnValue({ from: mockDbFrom })
mockDbFrom.mockReturnValue({ where: mockDbWhere })
mockDbWhere.mockReturnValue({ limit: mockDbLimit })
mockDbLimit.mockResolvedValue([])
vi.doMock('@sim/logger', () => loggerMock)
vi.doMock('drizzle-orm', () => ({
eq: vi.fn(),
}))
vi.doMock('@sim/db', () => ({
db: {
select: mockDbSelect,
},
}))
vi.doMock('@sim/db/schema', () => ({
chat: {
id: 'id',
identifier: 'identifier',
title: 'title',
description: 'description',
customizations: 'customizations',
authType: 'authType',
allowedEmails: 'allowedEmails',
outputConfigs: 'outputConfigs',
password: 'password',
isActive: 'isActive',
workflowId: 'workflowId',
},
}))
vi.doMock('@/lib/auth/hybrid', () => ({
checkSessionOrInternalAuth: mockCheckSessionOrInternalAuth,
}))
vi.doMock('@/lib/workflows/utils', () => ({
authorizeWorkflowByWorkspacePermission: mockAuthorizeWorkflowByWorkspacePermission,
}))
})
afterEach(() => {
vi.clearAllMocks()
})
it('returns 401 when unauthenticated', async () => {
mockCheckSessionOrInternalAuth.mockResolvedValueOnce({ success: false })
const { GET } = await import('./route')
const req = new NextRequest('http://localhost:3000/api/workflows/wf-1/chat/status')
const response = await GET(req, { params: Promise.resolve({ id: 'wf-1' }) })
expect(response.status).toBe(401)
})
it('returns 403 when user lacks workspace access', async () => {
mockCheckSessionOrInternalAuth.mockResolvedValueOnce({
success: true,
userId: 'user-1',
authType: 'session',
})
mockAuthorizeWorkflowByWorkspacePermission.mockResolvedValueOnce({
allowed: false,
status: 403,
message: 'Access denied',
workflow: { id: 'wf-1', workspaceId: 'ws-1' },
workspacePermission: null,
})
const { GET } = await import('./route')
const req = new NextRequest('http://localhost:3000/api/workflows/wf-1/chat/status')
const response = await GET(req, { params: Promise.resolve({ id: 'wf-1' }) })
expect(response.status).toBe(403)
})
it('returns deployment details when authorized', async () => {
mockCheckSessionOrInternalAuth.mockResolvedValueOnce({
success: true,
userId: 'user-1',
authType: 'session',
})
mockAuthorizeWorkflowByWorkspacePermission.mockResolvedValueOnce({
allowed: true,
status: 200,
workflow: { id: 'wf-1', workspaceId: 'ws-1' },
workspacePermission: 'read',
})
mockDbLimit.mockResolvedValueOnce([
{
id: 'chat-1',
identifier: 'assistant',
title: 'Support Bot',
description: 'desc',
customizations: { theme: 'dark' },
authType: 'public',
allowedEmails: [],
outputConfigs: {},
password: 'secret',
isActive: true,
},
])
const { GET } = await import('./route')
const req = new NextRequest('http://localhost:3000/api/workflows/wf-1/chat/status')
const response = await GET(req, { params: Promise.resolve({ id: 'wf-1' }) })
expect(response.status).toBe(200)
const data = await response.json()
expect(data.isDeployed).toBe(true)
expect(data.deployment.id).toBe('chat-1')
expect(data.deployment.hasPassword).toBe(true)
})
})

22
apps/sim/app/api/workflows/[id]/chat/status/route.ts
View File

@@ -2,7 +2,10 @@ import { db } from '@sim/db'
import { chat } from '@sim/db/schema'
import { createLogger } from '@sim/logger'
import { eq } from 'drizzle-orm'
import type { NextRequest } from 'next/server'
import { checkSessionOrInternalAuth } from '@/lib/auth/hybrid'
import { generateRequestId } from '@/lib/core/utils/request'
import { authorizeWorkflowByWorkspacePermission } from '@/lib/workflows/utils'
import { createErrorResponse, createSuccessResponse } from '@/app/api/workflows/utils'
const logger = createLogger('ChatStatusAPI')
@@ -10,11 +13,28 @@ const logger = createLogger('ChatStatusAPI')
/**
* GET endpoint to check if a workflow has an active chat deployment
*/
export async function GET(_request: Request, { params }: { params: Promise<{ id: string }> }) {
export async function GET(request: NextRequest, { params }: { params: Promise<{ id: string }> }) {
const { id } = await params
const requestId = generateRequestId()
try {
const auth = await checkSessionOrInternalAuth(request, { requireWorkflowId: false })
if (!auth.success || !auth.userId) {
return createErrorResponse('Unauthorized', 401)
}
const authorization = await authorizeWorkflowByWorkspacePermission({
workflowId: id,
userId: auth.userId,
action: 'read',
})
if (!authorization.allowed) {
return createErrorResponse(
authorization.message || 'Access denied',
authorization.status || 403
)
}
logger.debug(`[${requestId}] Checking chat deployment status for workflow: ${id}`)
// Find any active chat deployments for this workflow

15
apps/sim/app/api/workflows/[id]/duplicate/route.ts
View File

@@ -1,7 +1,7 @@
import { createLogger } from '@sim/logger'
import { type NextRequest, NextResponse } from 'next/server'
import { z } from 'zod'
import { getSession } from '@/lib/auth'
import { checkSessionOrInternalAuth } from '@/lib/auth/hybrid'
import { PlatformEvents } from '@/lib/core/telemetry'
import { generateRequestId } from '@/lib/core/utils/request'
import { duplicateWorkflow } from '@/lib/workflows/persistence/duplicate'
@@ -22,23 +22,22 @@ export async function POST(req: NextRequest, { params }: { params: Promise<{ id:
const requestId = generateRequestId()
const startTime = Date.now()
const session = await getSession()
if (!session?.user?.id) {
const auth = await checkSessionOrInternalAuth(req, { requireWorkflowId: false })
if (!auth.success || !auth.userId) {
logger.warn(`[${requestId}] Unauthorized workflow duplication attempt for ${sourceWorkflowId}`)
return NextResponse.json({ error: 'Unauthorized' }, { status: 401 })
}
const userId = auth.userId
try {
const body = await req.json()
const { name, description, color, workspaceId, folderId } = DuplicateRequestSchema.parse(body)
logger.info(
`[${requestId}] Duplicating workflow ${sourceWorkflowId} for user ${session.user.id}`
)
logger.info(`[${requestId}] Duplicating workflow ${sourceWorkflowId} for user ${userId}`)
const result = await duplicateWorkflow({
sourceWorkflowId,
userId: session.user.id,
userId,
name,
description,
color,
@@ -72,7 +71,7 @@ export async function POST(req: NextRequest, { params }: { params: Promise<{ id:
if (error.message === 'Source workflow not found or access denied') {
logger.warn(
`[${requestId}] User ${session.user.id} denied access to source workflow ${sourceWorkflowId}`
`[${requestId}] User ${userId} denied access to source workflow ${sourceWorkflowId}`
)
return NextResponse.json({ error: 'Access denied' }, { status: 403 })
}

17
apps/sim/app/api/workflows/[id]/execute/route.ts
View File

@@ -29,7 +29,11 @@ import {
loadWorkflowFromNormalizedTables,
} from '@/lib/workflows/persistence/utils'
import { createStreamingResponse } from '@/lib/workflows/streaming/streaming'
import { createHttpResponseFromBlock, workflowHasResponseBlock } from '@/lib/workflows/utils'
import {
authorizeWorkflowByWorkspacePermission,
createHttpResponseFromBlock,
workflowHasResponseBlock,
} from '@/lib/workflows/utils'
import { executeWorkflowJob, type WorkflowExecutionPayload } from '@/background/workflow-execution'
import { normalizeName } from '@/executor/constants'
import { ExecutionSnapshot } from '@/executor/execution/snapshot'
@@ -340,6 +344,17 @@ export async function POST(req: NextRequest, { params }: { params: Promise<{ id:
: validatedInput
const shouldUseDraftState = useDraftState ?? auth.authType === 'session'
const workflowAuthorization = await authorizeWorkflowByWorkspacePermission({
workflowId,
userId,
action: shouldUseDraftState ? 'write' : 'read',
})
if (!workflowAuthorization.allowed) {
return NextResponse.json(
{ error: workflowAuthorization.message || 'Access denied' },
{ status: workflowAuthorization.status }
)
}
const streamHeader = req.headers.get('X-Stream-Response') === 'true'
const enableSSE = streamHeader || streamParam === true

13
apps/sim/app/api/workflows/[id]/executions/[executionId]/cancel/route.ts
View File

@@ -2,6 +2,7 @@ import { createLogger } from '@sim/logger'
import { type NextRequest, NextResponse } from 'next/server'
import { checkHybridAuth } from '@/lib/auth/hybrid'
import { markExecutionCancelled } from '@/lib/execution/cancellation'
import { authorizeWorkflowByWorkspacePermission } from '@/lib/workflows/utils'
const logger = createLogger('CancelExecutionAPI')
@@ -20,6 +21,18 @@ export async function POST(
return NextResponse.json({ error: auth.error || 'Unauthorized' }, { status: 401 })
}
const workflowAuthorization = await authorizeWorkflowByWorkspacePermission({
workflowId,
userId: auth.userId,
action: 'write',
})
if (!workflowAuthorization.allowed) {
return NextResponse.json(
{ error: workflowAuthorization.message || 'Access denied' },
{ status: workflowAuthorization.status }
)
}
logger.info('Cancel execution requested', { workflowId, executionId, userId: auth.userId })
const marked = await markExecutionCancelled(executionId)

119
apps/sim/app/api/workflows/[id]/form/status/route.test.ts Normal file
View File

@@ -0,0 +1,119 @@
/**
* Tests for workflow form status route auth and access.
*
* @vitest-environment node
*/
import { loggerMock } from '@sim/testing'
import { NextRequest } from 'next/server'
import { afterEach, beforeEach, describe, expect, it, vi } from 'vitest'
const mockCheckSessionOrInternalAuth = vi.fn()
const mockAuthorizeWorkflowByWorkspacePermission = vi.fn()
const mockDbSelect = vi.fn()
const mockDbFrom = vi.fn()
const mockDbWhere = vi.fn()
const mockDbLimit = vi.fn()
describe('Workflow Form Status Route', () => {
beforeEach(() => {
vi.resetModules()
vi.clearAllMocks()
mockDbSelect.mockReturnValue({ from: mockDbFrom })
mockDbFrom.mockReturnValue({ where: mockDbWhere })
mockDbWhere.mockReturnValue({ limit: mockDbLimit })
mockDbLimit.mockResolvedValue([])
vi.doMock('@sim/logger', () => loggerMock)
vi.doMock('drizzle-orm', () => ({
and: vi.fn(),
eq: vi.fn(),
}))
vi.doMock('@sim/db', () => ({
db: {
select: mockDbSelect,
},
}))
vi.doMock('@sim/db/schema', () => ({
form: {
id: 'id',
identifier: 'identifier',
title: 'title',
workflowId: 'workflowId',
isActive: 'isActive',
},
}))
vi.doMock('@/lib/auth/hybrid', () => ({
checkSessionOrInternalAuth: mockCheckSessionOrInternalAuth,
}))
vi.doMock('@/lib/workflows/utils', () => ({
authorizeWorkflowByWorkspacePermission: mockAuthorizeWorkflowByWorkspacePermission,
}))
})
afterEach(() => {
vi.clearAllMocks()
})
it('returns 401 when unauthenticated', async () => {
mockCheckSessionOrInternalAuth.mockResolvedValueOnce({ success: false })
const { GET } = await import('./route')
const req = new NextRequest('http://localhost:3000/api/workflows/wf-1/form/status')
const response = await GET(req, { params: Promise.resolve({ id: 'wf-1' }) })
expect(response.status).toBe(401)
})
it('returns 403 when user lacks workspace access', async () => {
mockCheckSessionOrInternalAuth.mockResolvedValueOnce({
success: true,
userId: 'user-1',
authType: 'session',
})
mockAuthorizeWorkflowByWorkspacePermission.mockResolvedValueOnce({
allowed: false,
status: 403,
message: 'Access denied',
workflow: { id: 'wf-1', workspaceId: 'ws-1' },
workspacePermission: null,
})
const { GET } = await import('./route')
const req = new NextRequest('http://localhost:3000/api/workflows/wf-1/form/status')
const response = await GET(req, { params: Promise.resolve({ id: 'wf-1' }) })
expect(response.status).toBe(403)
})
it('returns deployed form when authorized', async () => {
mockCheckSessionOrInternalAuth.mockResolvedValueOnce({
success: true,
userId: 'user-1',
authType: 'session',
})
mockAuthorizeWorkflowByWorkspacePermission.mockResolvedValueOnce({
allowed: true,
status: 200,
workflow: { id: 'wf-1', workspaceId: 'ws-1' },
workspacePermission: 'read',
})
mockDbLimit.mockResolvedValueOnce([
{
id: 'form-1',
identifier: 'feedback-form',
title: 'Feedback',
isActive: true,
},
])
const { GET } = await import('./route')
const req = new NextRequest('http://localhost:3000/api/workflows/wf-1/form/status')
const response = await GET(req, { params: Promise.resolve({ id: 'wf-1' }) })
expect(response.status).toBe(200)
const data = await response.json()
expect(data.isDeployed).toBe(true)
expect(data.form.id).toBe('form-1')
})
})

19
apps/sim/app/api/workflows/[id]/form/status/route.ts
View File

@@ -3,20 +3,31 @@ import { form } from '@sim/db/schema'
import { createLogger } from '@sim/logger'
import { and, eq } from 'drizzle-orm'
import type { NextRequest } from 'next/server'
import { getSession } from '@/lib/auth'
import { checkSessionOrInternalAuth } from '@/lib/auth/hybrid'
import { authorizeWorkflowByWorkspacePermission } from '@/lib/workflows/utils'
import { createErrorResponse, createSuccessResponse } from '@/app/api/workflows/utils'
const logger = createLogger('FormStatusAPI')
export async function GET(request: NextRequest, { params }: { params: Promise<{ id: string }> }) {
try {
const session = await getSession()
if (!session) {
const auth = await checkSessionOrInternalAuth(request, { requireWorkflowId: false })
if (!auth.success || !auth.userId) {
return createErrorResponse('Unauthorized', 401)
}
const { id: workflowId } = await params
const authorization = await authorizeWorkflowByWorkspacePermission({
workflowId,
userId: auth.userId,
action: 'read',
})
if (!authorization.allowed) {
return createErrorResponse(
authorization.message || 'Access denied',
authorization.status || 403
)
}
const formResult = await db
.select({

9
apps/sim/app/api/workflows/[id]/log/route.ts
View File

@@ -4,6 +4,7 @@ import { z } from 'zod'
import { generateRequestId } from '@/lib/core/utils/request'
import { LoggingSession } from '@/lib/logs/execution/logging-session'
import { buildTraceSpans } from '@/lib/logs/execution/trace-spans/trace-spans'
import { getWorkspaceBilledAccountUserId } from '@/lib/workspaces/utils'
import { validateWorkflowAccess } from '@/app/api/workflows/middleware'
import { createErrorResponse, createSuccessResponse } from '@/app/api/workflows/utils'
import type { ExecutionResult } from '@/executor/types'
@@ -69,15 +70,19 @@ export async function POST(request: NextRequest, { params }: { params: Promise<{
const triggerType = isChatExecution ? 'chat' : 'manual'
const loggingSession = new LoggingSession(id, executionId, triggerType, requestId)
const userId = accessValidation.workflow.userId
const workspaceId = accessValidation.workflow.workspaceId
if (!workspaceId) {
logger.error(`[${requestId}] Workflow ${id} has no workspaceId`)
return createErrorResponse('Workflow has no associated workspace', 500)
}
const billedAccountUserId = await getWorkspaceBilledAccountUserId(workspaceId)
if (!billedAccountUserId) {
logger.error(`[${requestId}] Unable to resolve billed account for workspace ${workspaceId}`)
return createErrorResponse('Unable to resolve billing account for this workspace', 500)
}
await loggingSession.safeStart({
userId,
userId: billedAccountUserId,
workspaceId,
variables: {},
})

141
apps/sim/app/api/workflows/[id]/route.test.ts
View File

@@ -12,7 +12,7 @@ import { afterEach, beforeEach, describe, expect, it, vi } from 'vitest'
const mockGetSession = vi.fn()
const mockLoadWorkflowFromNormalizedTables = vi.fn()
const mockGetWorkflowById = vi.fn()
const mockGetWorkflowAccessContext = vi.fn()
const mockAuthorizeWorkflowByWorkspacePermission = vi.fn()
const mockDbDelete = vi.fn()
const mockDbUpdate = vi.fn()
const mockDbSelect = vi.fn()
@@ -35,8 +35,11 @@ vi.mock('@/lib/workflows/utils', async () => {
return {
...actual,
getWorkflowById: (workflowId: string) => mockGetWorkflowById(workflowId),
getWorkflowAccessContext: (workflowId: string, userId?: string) =>
mockGetWorkflowAccessContext(workflowId, userId),
authorizeWorkflowByWorkspacePermission: (params: {
workflowId: string
userId: string
action?: 'read' | 'write' | 'admin'
}) => mockAuthorizeWorkflowByWorkspacePermission(params),
}
})
@@ -86,13 +89,6 @@ describe('Workflow By ID API Route', () => {
})
mockGetWorkflowById.mockResolvedValue(null)
mockGetWorkflowAccessContext.mockResolvedValue({
workflow: null,
workspaceOwnerId: null,
workspacePermission: null,
isOwner: false,
isWorkspaceOwner: false,
})
const req = new NextRequest('http://localhost:3000/api/workflows/nonexistent')
const params = Promise.resolve({ id: 'nonexistent' })
@@ -104,12 +100,12 @@ describe('Workflow By ID API Route', () => {
expect(data.error).toBe('Workflow not found')
})
it.concurrent('should allow access when user owns the workflow', async () => {
it.concurrent('should allow access when user has admin workspace permission', async () => {
const mockWorkflow = {
id: 'workflow-123',
userId: 'user-123',
name: 'Test Workflow',
workspaceId: null,
workspaceId: 'workspace-456',
}
const mockNormalizedData = {
@@ -125,12 +121,11 @@ describe('Workflow By ID API Route', () => {
})
mockGetWorkflowById.mockResolvedValue(mockWorkflow)
mockGetWorkflowAccessContext.mockResolvedValue({
mockAuthorizeWorkflowByWorkspacePermission.mockResolvedValue({
allowed: true,
status: 200,
workflow: mockWorkflow,
workspaceOwnerId: null,
workspacePermission: null,
isOwner: true,
isWorkspaceOwner: false,
workspacePermission: 'admin',
})
mockLoadWorkflowFromNormalizedTables.mockResolvedValue(mockNormalizedData)
@@ -166,12 +161,11 @@ describe('Workflow By ID API Route', () => {
})
mockGetWorkflowById.mockResolvedValue(mockWorkflow)
mockGetWorkflowAccessContext.mockResolvedValue({
mockAuthorizeWorkflowByWorkspacePermission.mockResolvedValue({
allowed: true,
status: 200,
workflow: mockWorkflow,
workspaceOwnerId: 'workspace-456',
workspacePermission: 'read',
isOwner: false,
isWorkspaceOwner: false,
})
mockLoadWorkflowFromNormalizedTables.mockResolvedValue(mockNormalizedData)
@@ -199,12 +193,12 @@ describe('Workflow By ID API Route', () => {
})
mockGetWorkflowById.mockResolvedValue(mockWorkflow)
mockGetWorkflowAccessContext.mockResolvedValue({
mockAuthorizeWorkflowByWorkspacePermission.mockResolvedValue({
allowed: false,
status: 403,
message: 'Unauthorized: Access denied to read this workflow',
workflow: mockWorkflow,
workspaceOwnerId: 'workspace-456',
workspacePermission: null,
isOwner: false,
isWorkspaceOwner: false,
})
const req = new NextRequest('http://localhost:3000/api/workflows/workflow-123')
@@ -214,7 +208,7 @@ describe('Workflow By ID API Route', () => {
expect(response.status).toBe(403)
const data = await response.json()
expect(data.error).toBe('Access denied')
expect(data.error).toBe('Unauthorized: Access denied to read this workflow')
})
it.concurrent('should use normalized tables when available', async () => {
@@ -222,7 +216,7 @@ describe('Workflow By ID API Route', () => {
id: 'workflow-123',
userId: 'user-123',
name: 'Test Workflow',
workspaceId: null,
workspaceId: 'workspace-456',
}
const mockNormalizedData = {
@@ -238,12 +232,11 @@ describe('Workflow By ID API Route', () => {
})
mockGetWorkflowById.mockResolvedValue(mockWorkflow)
mockGetWorkflowAccessContext.mockResolvedValue({
mockAuthorizeWorkflowByWorkspacePermission.mockResolvedValue({
allowed: true,
status: 200,
workflow: mockWorkflow,
workspaceOwnerId: null,
workspacePermission: null,
isOwner: true,
isWorkspaceOwner: false,
workspacePermission: 'admin',
})
mockLoadWorkflowFromNormalizedTables.mockResolvedValue(mockNormalizedData)
@@ -261,12 +254,12 @@ describe('Workflow By ID API Route', () => {
})
describe('DELETE /api/workflows/[id]', () => {
it('should allow owner to delete workflow', async () => {
it('should allow admin to delete workflow', async () => {
const mockWorkflow = {
id: 'workflow-123',
userId: 'user-123',
name: 'Test Workflow',
workspaceId: null,
workspaceId: 'workspace-456',
}
mockGetSession.mockResolvedValue({
@@ -274,12 +267,17 @@ describe('Workflow By ID API Route', () => {
})
mockGetWorkflowById.mockResolvedValue(mockWorkflow)
mockGetWorkflowAccessContext.mockResolvedValue({
mockAuthorizeWorkflowByWorkspacePermission.mockResolvedValue({
allowed: true,
status: 200,
workflow: mockWorkflow,
workspaceOwnerId: null,
workspacePermission: null,
isOwner: true,
isWorkspaceOwner: false,
workspacePermission: 'admin',
})
mockDbSelect.mockReturnValue({
from: vi.fn().mockReturnValue({
where: vi.fn().mockResolvedValue([{ id: 'workflow-123' }, { id: 'workflow-456' }]),
}),
})
mockDbDelete.mockReturnValue({
@@ -315,12 +313,11 @@ describe('Workflow By ID API Route', () => {
})
mockGetWorkflowById.mockResolvedValue(mockWorkflow)
mockGetWorkflowAccessContext.mockResolvedValue({
mockAuthorizeWorkflowByWorkspacePermission.mockResolvedValue({
allowed: true,
status: 200,
workflow: mockWorkflow,
workspaceOwnerId: 'workspace-456',
workspacePermission: 'admin',
isOwner: false,
isWorkspaceOwner: false,
})
// Mock db.select() to return multiple workflows so deletion is allowed
@@ -363,12 +360,11 @@ describe('Workflow By ID API Route', () => {
})
mockGetWorkflowById.mockResolvedValue(mockWorkflow)
mockGetWorkflowAccessContext.mockResolvedValue({
mockAuthorizeWorkflowByWorkspacePermission.mockResolvedValue({
allowed: true,
status: 200,
workflow: mockWorkflow,
workspaceOwnerId: 'workspace-456',
workspacePermission: 'admin',
isOwner: true,
isWorkspaceOwner: false,
})
// Mock db.select() to return only 1 workflow (the one being deleted)
@@ -403,12 +399,12 @@ describe('Workflow By ID API Route', () => {
})
mockGetWorkflowById.mockResolvedValue(mockWorkflow)
mockGetWorkflowAccessContext.mockResolvedValue({
mockAuthorizeWorkflowByWorkspacePermission.mockResolvedValue({
allowed: false,
status: 403,
message: 'Unauthorized: Access denied to admin this workflow',
workflow: mockWorkflow,
workspaceOwnerId: 'workspace-456',
workspacePermission: null,
isOwner: false,
isWorkspaceOwner: false,
})
const req = new NextRequest('http://localhost:3000/api/workflows/workflow-123', {
@@ -420,17 +416,17 @@ describe('Workflow By ID API Route', () => {
expect(response.status).toBe(403)
const data = await response.json()
expect(data.error).toBe('Access denied')
expect(data.error).toBe('Unauthorized: Access denied to admin this workflow')
})
})
describe('PUT /api/workflows/[id]', () => {
it('should allow owner to update workflow', async () => {
it('should allow user with write permission to update workflow', async () => {
const mockWorkflow = {
id: 'workflow-123',
userId: 'user-123',
name: 'Test Workflow',
workspaceId: null,
workspaceId: 'workspace-456',
}
const updateData = { name: 'Updated Workflow' }
@@ -441,12 +437,11 @@ describe('Workflow By ID API Route', () => {
})
mockGetWorkflowById.mockResolvedValue(mockWorkflow)
mockGetWorkflowAccessContext.mockResolvedValue({
mockAuthorizeWorkflowByWorkspacePermission.mockResolvedValue({
allowed: true,
status: 200,
workflow: mockWorkflow,
workspaceOwnerId: null,
workspacePermission: null,
isOwner: true,
isWorkspaceOwner: false,
workspacePermission: 'write',
})
mockDbUpdate.mockReturnValue({
@@ -486,12 +481,11 @@ describe('Workflow By ID API Route', () => {
})
mockGetWorkflowById.mockResolvedValue(mockWorkflow)
mockGetWorkflowAccessContext.mockResolvedValue({
mockAuthorizeWorkflowByWorkspacePermission.mockResolvedValue({
allowed: true,
status: 200,
workflow: mockWorkflow,
workspaceOwnerId: 'workspace-456',
workspacePermission: 'write',
isOwner: false,
isWorkspaceOwner: false,
})
mockDbUpdate.mockReturnValue({
@@ -530,12 +524,12 @@ describe('Workflow By ID API Route', () => {
})
mockGetWorkflowById.mockResolvedValue(mockWorkflow)
mockGetWorkflowAccessContext.mockResolvedValue({
mockAuthorizeWorkflowByWorkspacePermission.mockResolvedValue({
allowed: false,
status: 403,
message: 'Unauthorized: Access denied to write this workflow',
workflow: mockWorkflow,
workspaceOwnerId: 'workspace-456',
workspacePermission: 'read',
isOwner: false,
isWorkspaceOwner: false,
})
const req = new NextRequest('http://localhost:3000/api/workflows/workflow-123', {
@@ -548,7 +542,7 @@ describe('Workflow By ID API Route', () => {
expect(response.status).toBe(403)
const data = await response.json()
expect(data.error).toBe('Access denied')
expect(data.error).toBe('Unauthorized: Access denied to write this workflow')
})
it.concurrent('should validate request data', async () => {
@@ -556,7 +550,7 @@ describe('Workflow By ID API Route', () => {
id: 'workflow-123',
userId: 'user-123',
name: 'Test Workflow',
workspaceId: null,
workspaceId: 'workspace-456',
}
mockGetSession.mockResolvedValue({
@@ -564,12 +558,11 @@ describe('Workflow By ID API Route', () => {
})
mockGetWorkflowById.mockResolvedValue(mockWorkflow)
mockGetWorkflowAccessContext.mockResolvedValue({
mockAuthorizeWorkflowByWorkspacePermission.mockResolvedValue({
allowed: true,
status: 200,
workflow: mockWorkflow,
workspaceOwnerId: null,
workspacePermission: null,
isOwner: true,
isWorkspaceOwner: false,
workspacePermission: 'write',
})
const invalidData = { name: '' }

171
apps/sim/app/api/workflows/[id]/route.ts
View File

@@ -4,14 +4,12 @@ import { createLogger } from '@sim/logger'
import { eq } from 'drizzle-orm'
import { type NextRequest, NextResponse } from 'next/server'
import { z } from 'zod'
import { authenticateApiKeyFromHeader, updateApiKeyLastUsed } from '@/lib/api-key/service'
import { getSession } from '@/lib/auth'
import { verifyInternalToken } from '@/lib/auth/internal'
import { checkHybridAuth, checkSessionOrInternalAuth } from '@/lib/auth/hybrid'
import { env } from '@/lib/core/config/env'
import { PlatformEvents } from '@/lib/core/telemetry'
import { generateRequestId } from '@/lib/core/utils/request'
import { loadWorkflowFromNormalizedTables } from '@/lib/workflows/persistence/utils'
import { getWorkflowAccessContext, getWorkflowById } from '@/lib/workflows/utils'
import { authorizeWorkflowByWorkspacePermission, getWorkflowById } from '@/lib/workflows/utils'
const logger = createLogger('WorkflowByIdAPI')
@@ -34,50 +32,14 @@ export async function GET(request: NextRequest, { params }: { params: Promise<{
const { id: workflowId } = await params
try {
const authHeader = request.headers.get('authorization')
let isInternalCall = false
if (authHeader?.startsWith('Bearer ')) {
const token = authHeader.split(' ')[1]
const verification = await verifyInternalToken(token)
isInternalCall = verification.valid
const auth = await checkHybridAuth(request, { requireWorkflowId: false })
if (!auth.success) {
logger.warn(`[${requestId}] Unauthorized access attempt for workflow ${workflowId}`)
return NextResponse.json({ error: 'Unauthorized' }, { status: 401 })
}
let userId: string | null = null
const userId = auth.userId || null
if (isInternalCall) {
logger.info(`[${requestId}] Internal API call for workflow ${workflowId}`)
} else {
const session = await getSession()
let authenticatedUserId: string | null = session?.user?.id || null
if (!authenticatedUserId) {
const apiKeyHeader = request.headers.get('x-api-key')
if (apiKeyHeader) {
const authResult = await authenticateApiKeyFromHeader(apiKeyHeader)
if (authResult.success && authResult.userId) {
authenticatedUserId = authResult.userId
if (authResult.keyId) {
await updateApiKeyLastUsed(authResult.keyId).catch((error) => {
logger.warn(`[${requestId}] Failed to update API key last used timestamp:`, {
keyId: authResult.keyId,
error,
})
})
}
}
}
}
if (!authenticatedUserId) {
logger.warn(`[${requestId}] Unauthorized access attempt for workflow ${workflowId}`)
return NextResponse.json({ error: 'Unauthorized' }, { status: 401 })
}
userId = authenticatedUserId
}
let accessContext = null
let workflowData = await getWorkflowById(workflowId)
if (!workflowData) {
@@ -86,36 +48,28 @@ export async function GET(request: NextRequest, { params }: { params: Promise<{
}
// Check if user has access to this workflow
let hasAccess = false
if (!userId) {
logger.warn(`[${requestId}] Unauthorized access attempt for workflow ${workflowId}`)
return NextResponse.json({ error: 'Unauthorized' }, { status: 401 })
}
if (isInternalCall) {
// Internal calls have full access
hasAccess = true
} else {
// Case 1: User owns the workflow
if (workflowData) {
accessContext = await getWorkflowAccessContext(workflowId, userId ?? undefined)
const authorization = await authorizeWorkflowByWorkspacePermission({
workflowId,
userId,
action: 'read',
})
if (!authorization.workflow) {
logger.warn(`[${requestId}] Workflow ${workflowId} not found`)
return NextResponse.json({ error: 'Workflow not found' }, { status: 404 })
}
if (!accessContext) {
logger.warn(`[${requestId}] Workflow ${workflowId} not found`)
return NextResponse.json({ error: 'Workflow not found' }, { status: 404 })
}
workflowData = accessContext.workflow
if (accessContext.isOwner) {
hasAccess = true
}
if (!hasAccess && workflowData.workspaceId && accessContext.workspacePermission) {
hasAccess = true
}
}
if (!hasAccess) {
logger.warn(`[${requestId}] User ${userId} denied access to workflow ${workflowId}`)
return NextResponse.json({ error: 'Access denied' }, { status: 403 })
}
workflowData = authorization.workflow
if (!authorization.allowed) {
logger.warn(`[${requestId}] User ${userId} denied access to workflow ${workflowId}`)
return NextResponse.json(
{ error: authorization.message || 'Access denied' },
{ status: authorization.status }
)
}
logger.debug(`[${requestId}] Attempting to load workflow ${workflowId} from normalized tables`)
@@ -196,43 +150,36 @@ export async function DELETE(
const { id: workflowId } = await params
try {
const session = await getSession()
if (!session?.user?.id) {
const auth = await checkSessionOrInternalAuth(request, { requireWorkflowId: false })
if (!auth.success || !auth.userId) {
logger.warn(`[${requestId}] Unauthorized deletion attempt for workflow ${workflowId}`)
return NextResponse.json({ error: 'Unauthorized' }, { status: 401 })
}
const userId = session.user.id
const userId = auth.userId
const accessContext = await getWorkflowAccessContext(workflowId, userId)
const workflowData = accessContext?.workflow || (await getWorkflowById(workflowId))
const authorization = await authorizeWorkflowByWorkspacePermission({
workflowId,
userId,
action: 'admin',
})
const workflowData = authorization.workflow || (await getWorkflowById(workflowId))
if (!workflowData) {
logger.warn(`[${requestId}] Workflow ${workflowId} not found for deletion`)
return NextResponse.json({ error: 'Workflow not found' }, { status: 404 })
}
// Check if user has permission to delete this workflow
let canDelete = false
// Case 1: User owns the workflow
if (workflowData.userId === userId) {
canDelete = true
}
// Case 2: Workflow belongs to a workspace and user has admin permission
if (!canDelete && workflowData.workspaceId) {
const context = accessContext || (await getWorkflowAccessContext(workflowId, userId))
if (context?.workspacePermission === 'admin') {
canDelete = true
}
}
const canDelete = authorization.allowed
if (!canDelete) {
logger.warn(
`[${requestId}] User ${userId} denied permission to delete workflow ${workflowId}`
)
return NextResponse.json({ error: 'Access denied' }, { status: 403 })
return NextResponse.json(
{ error: authorization.message || 'Access denied' },
{ status: authorization.status || 403 }
)
}
// Check if this is the last workflow in the workspace
@@ -403,48 +350,40 @@ export async function PUT(request: NextRequest, { params }: { params: Promise<{
const { id: workflowId } = await params
try {
// Get the session
const session = await getSession()
if (!session?.user?.id) {
const auth = await checkSessionOrInternalAuth(request, { requireWorkflowId: false })
if (!auth.success || !auth.userId) {
logger.warn(`[${requestId}] Unauthorized update attempt for workflow ${workflowId}`)
return NextResponse.json({ error: 'Unauthorized' }, { status: 401 })
}
const userId = session.user.id
const userId = auth.userId
const body = await request.json()
const updates = UpdateWorkflowSchema.parse(body)
// Fetch the workflow to check ownership/access
const accessContext = await getWorkflowAccessContext(workflowId, userId)
const workflowData = accessContext?.workflow || (await getWorkflowById(workflowId))
const authorization = await authorizeWorkflowByWorkspacePermission({
workflowId,
userId,
action: 'write',
})
const workflowData = authorization.workflow || (await getWorkflowById(workflowId))
if (!workflowData) {
logger.warn(`[${requestId}] Workflow ${workflowId} not found for update`)
return NextResponse.json({ error: 'Workflow not found' }, { status: 404 })
}
// Check if user has permission to update this workflow
let canUpdate = false
// Case 1: User owns the workflow
if (workflowData.userId === userId) {
canUpdate = true
}
// Case 2: Workflow belongs to a workspace and user has write or admin permission
if (!canUpdate && workflowData.workspaceId) {
const context = accessContext || (await getWorkflowAccessContext(workflowId, userId))
if (context?.workspacePermission === 'write' || context?.workspacePermission === 'admin') {
canUpdate = true
}
}
const canUpdate = authorization.allowed
if (!canUpdate) {
logger.warn(
`[${requestId}] User ${userId} denied permission to update workflow ${workflowId}`
)
return NextResponse.json({ error: 'Access denied' }, { status: 403 })
return NextResponse.json(
{ error: authorization.message || 'Access denied' },
{ status: authorization.status || 403 }
)
}
const updateData: Record<string, unknown> = { updatedAt: new Date() }

34
apps/sim/app/api/workflows/[id]/state/route.ts
View File

@@ -4,13 +4,13 @@ import { createLogger } from '@sim/logger'
import { eq } from 'drizzle-orm'
import { type NextRequest, NextResponse } from 'next/server'
import { z } from 'zod'
import { getSession } from '@/lib/auth'
import { checkSessionOrInternalAuth } from '@/lib/auth/hybrid'
import { env } from '@/lib/core/config/env'
import { generateRequestId } from '@/lib/core/utils/request'
import { extractAndPersistCustomTools } from '@/lib/workflows/persistence/custom-tools-persistence'
import { saveWorkflowToNormalizedTables } from '@/lib/workflows/persistence/utils'
import { sanitizeAgentToolsInBlocks } from '@/lib/workflows/sanitization/validation'
import { getWorkflowAccessContext } from '@/lib/workflows/utils'
import { authorizeWorkflowByWorkspacePermission } from '@/lib/workflows/utils'
import type { BlockState } from '@/stores/workflows/workflow/types'
import { generateLoopBlocks, generateParallelBlocks } from '@/stores/workflows/workflow/utils'
@@ -118,40 +118,38 @@ export async function PUT(request: NextRequest, { params }: { params: Promise<{
const { id: workflowId } = await params
try {
// Get the session
const session = await getSession()
if (!session?.user?.id) {
const auth = await checkSessionOrInternalAuth(request, { requireWorkflowId: false })
if (!auth.success || !auth.userId) {
logger.warn(`[${requestId}] Unauthorized state update attempt for workflow ${workflowId}`)
return NextResponse.json({ error: 'Unauthorized' }, { status: 401 })
}
const userId = session.user.id
const userId = auth.userId
const body = await request.json()
const state = WorkflowStateSchema.parse(body)
// Fetch the workflow to check ownership/access
const accessContext = await getWorkflowAccessContext(workflowId, userId)
const workflowData = accessContext?.workflow
const authorization = await authorizeWorkflowByWorkspacePermission({
workflowId,
userId,
action: 'write',
})
const workflowData = authorization.workflow
if (!workflowData) {
logger.warn(`[${requestId}] Workflow ${workflowId} not found for state update`)
return NextResponse.json({ error: 'Workflow not found' }, { status: 404 })
}
// Check if user has permission to update this workflow
const canUpdate =
accessContext?.isOwner ||
(workflowData.workspaceId
? accessContext?.workspacePermission === 'write' ||
accessContext?.workspacePermission === 'admin'
: false)
const canUpdate = authorization.allowed
if (!canUpdate) {
logger.warn(
`[${requestId}] User ${userId} denied permission to update workflow state ${workflowId}`
)
return NextResponse.json({ error: 'Access denied' }, { status: 403 })
return NextResponse.json(
{ error: authorization.message || 'Access denied' },
{ status: authorization.status || 403 }
)
}
// Sanitize custom tools in agent blocks before saving

117
apps/sim/app/api/workflows/[id]/variables/route.test.ts
View File

@@ -16,19 +16,19 @@ import { afterEach, beforeEach, describe, expect, it, vi } from 'vitest'
describe('Workflow Variables API Route', () => {
let authMocks: ReturnType<typeof mockAuth>
const mockGetWorkflowAccessContext = vi.fn()
const mockAuthorizeWorkflowByWorkspacePermission = vi.fn()
beforeEach(() => {
vi.resetModules()
setupCommonApiMocks()
mockCryptoUuid('mock-request-id-12345678')
authMocks = mockAuth(defaultMockUser)
mockGetWorkflowAccessContext.mockReset()
mockAuthorizeWorkflowByWorkspacePermission.mockReset()
vi.doMock('@sim/db', () => databaseMock)
vi.doMock('@/lib/workflows/utils', () => ({
getWorkflowAccessContext: mockGetWorkflowAccessContext,
authorizeWorkflowByWorkspacePermission: mockAuthorizeWorkflowByWorkspacePermission,
}))
})
@@ -43,7 +43,7 @@ describe('Workflow Variables API Route', () => {
const req = new NextRequest('http://localhost:3000/api/workflows/workflow-123/variables')
const params = Promise.resolve({ id: 'workflow-123' })
const { GET } = await import('@/app/api/workflows/[id]/variables/route')
const { GET } = await import('./route')
const response = await GET(req, { params })
expect(response.status).toBe(401)
@@ -53,12 +53,18 @@ describe('Workflow Variables API Route', () => {
it('should return 404 when workflow does not exist', async () => {
authMocks.setAuthenticated({ id: 'user-123', email: 'test@example.com' })
mockGetWorkflowAccessContext.mockResolvedValueOnce(null)
mockAuthorizeWorkflowByWorkspacePermission.mockResolvedValueOnce({
allowed: false,
status: 404,
message: 'Workflow not found',
workflow: null,
workspacePermission: null,
})
const req = new NextRequest('http://localhost:3000/api/workflows/nonexistent/variables')
const params = Promise.resolve({ id: 'nonexistent' })
const { GET } = await import('@/app/api/workflows/[id]/variables/route')
const { GET } = await import('./route')
const response = await GET(req, { params })
expect(response.status).toBe(404)
@@ -66,29 +72,28 @@ describe('Workflow Variables API Route', () => {
expect(data.error).toBe('Workflow not found')
})
it('should allow access when user owns the workflow', async () => {
it('should allow access when user has workspace permission', async () => {
const mockWorkflow = {
id: 'workflow-123',
userId: 'user-123',
workspaceId: null,
workspaceId: 'workspace-456',
variables: {
'var-1': { id: 'var-1', name: 'test', type: 'string', value: 'hello' },
},
}
authMocks.setAuthenticated({ id: 'user-123', email: 'test@example.com' })
mockGetWorkflowAccessContext.mockResolvedValueOnce({
mockAuthorizeWorkflowByWorkspacePermission.mockResolvedValueOnce({
allowed: true,
status: 200,
workflow: mockWorkflow,
workspaceOwnerId: null,
workspacePermission: null,
isOwner: true,
isWorkspaceOwner: false,
workspacePermission: 'admin',
})
const req = new NextRequest('http://localhost:3000/api/workflows/workflow-123/variables')
const params = Promise.resolve({ id: 'workflow-123' })
const { GET } = await import('@/app/api/workflows/[id]/variables/route')
const { GET } = await import('./route')
const response = await GET(req, { params })
expect(response.status).toBe(200)
@@ -107,18 +112,17 @@ describe('Workflow Variables API Route', () => {
}
authMocks.setAuthenticated({ id: 'user-123', email: 'test@example.com' })
mockGetWorkflowAccessContext.mockResolvedValueOnce({
mockAuthorizeWorkflowByWorkspacePermission.mockResolvedValueOnce({
allowed: true,
status: 200,
workflow: mockWorkflow,
workspaceOwnerId: 'workspace-owner',
workspacePermission: 'read',
isOwner: false,
isWorkspaceOwner: false,
})
const req = new NextRequest('http://localhost:3000/api/workflows/workflow-123/variables')
const params = Promise.resolve({ id: 'workflow-123' })
const { GET } = await import('@/app/api/workflows/[id]/variables/route')
const { GET } = await import('./route')
const response = await GET(req, { params })
expect(response.status).toBe(200)
@@ -135,48 +139,47 @@ describe('Workflow Variables API Route', () => {
}
authMocks.setAuthenticated({ id: 'user-123', email: 'test@example.com' })
mockGetWorkflowAccessContext.mockResolvedValueOnce({
mockAuthorizeWorkflowByWorkspacePermission.mockResolvedValueOnce({
allowed: false,
status: 403,
message: 'Unauthorized: Access denied to read this workflow',
workflow: mockWorkflow,
workspaceOwnerId: 'workspace-owner',
workspacePermission: null,
isOwner: false,
isWorkspaceOwner: false,
})
const req = new NextRequest('http://localhost:3000/api/workflows/workflow-123/variables')
const params = Promise.resolve({ id: 'workflow-123' })
const { GET } = await import('@/app/api/workflows/[id]/variables/route')
const { GET } = await import('./route')
const response = await GET(req, { params })
expect(response.status).toBe(401)
expect(response.status).toBe(403)
const data = await response.json()
expect(data.error).toBe('Unauthorized')
expect(data.error).toBe('Unauthorized: Access denied to read this workflow')
})
it.concurrent('should include proper cache headers', async () => {
const mockWorkflow = {
id: 'workflow-123',
userId: 'user-123',
workspaceId: null,
workspaceId: 'workspace-456',
variables: {
'var-1': { id: 'var-1', name: 'test', type: 'string', value: 'hello' },
},
}
authMocks.setAuthenticated({ id: 'user-123', email: 'test@example.com' })
mockGetWorkflowAccessContext.mockResolvedValueOnce({
mockAuthorizeWorkflowByWorkspacePermission.mockResolvedValueOnce({
allowed: true,
status: 200,
workflow: mockWorkflow,
workspaceOwnerId: null,
workspacePermission: null,
isOwner: true,
isWorkspaceOwner: false,
workspacePermission: 'admin',
})
const req = new NextRequest('http://localhost:3000/api/workflows/workflow-123/variables')
const params = Promise.resolve({ id: 'workflow-123' })
const { GET } = await import('@/app/api/workflows/[id]/variables/route')
const { GET } = await import('./route')
const response = await GET(req, { params })
expect(response.status).toBe(200)
@@ -186,21 +189,20 @@ describe('Workflow Variables API Route', () => {
})
describe('POST /api/workflows/[id]/variables', () => {
it('should allow owner to update variables', async () => {
it('should allow user with write permission to update variables', async () => {
const mockWorkflow = {
id: 'workflow-123',
userId: 'user-123',
workspaceId: null,
workspaceId: 'workspace-456',
variables: {},
}
authMocks.setAuthenticated({ id: 'user-123', email: 'test@example.com' })
mockGetWorkflowAccessContext.mockResolvedValueOnce({
mockAuthorizeWorkflowByWorkspacePermission.mockResolvedValueOnce({
allowed: true,
status: 200,
workflow: mockWorkflow,
workspaceOwnerId: null,
workspacePermission: null,
isOwner: true,
isWorkspaceOwner: false,
workspacePermission: 'write',
})
const variables = {
@@ -219,7 +221,7 @@ describe('Workflow Variables API Route', () => {
})
const params = Promise.resolve({ id: 'workflow-123' })
const { POST } = await import('@/app/api/workflows/[id]/variables/route')
const { POST } = await import('./route')
const response = await POST(req, { params })
expect(response.status).toBe(200)
@@ -236,12 +238,12 @@ describe('Workflow Variables API Route', () => {
}
authMocks.setAuthenticated({ id: 'user-123', email: 'test@example.com' })
mockGetWorkflowAccessContext.mockResolvedValueOnce({
mockAuthorizeWorkflowByWorkspacePermission.mockResolvedValueOnce({
allowed: false,
status: 403,
message: 'Unauthorized: Access denied to write this workflow',
workflow: mockWorkflow,
workspaceOwnerId: 'workspace-owner',
workspacePermission: null,
isOwner: false,
isWorkspaceOwner: false,
})
const variables = {
@@ -260,29 +262,28 @@ describe('Workflow Variables API Route', () => {
})
const params = Promise.resolve({ id: 'workflow-123' })
const { POST } = await import('@/app/api/workflows/[id]/variables/route')
const { POST } = await import('./route')
const response = await POST(req, { params })
expect(response.status).toBe(401)
expect(response.status).toBe(403)
const data = await response.json()
expect(data.error).toBe('Unauthorized')
expect(data.error).toBe('Unauthorized: Access denied to write this workflow')
})
it.concurrent('should validate request data schema', async () => {
const mockWorkflow = {
id: 'workflow-123',
userId: 'user-123',
workspaceId: null,
workspaceId: 'workspace-456',
variables: {},
}
authMocks.setAuthenticated({ id: 'user-123', email: 'test@example.com' })
mockGetWorkflowAccessContext.mockResolvedValueOnce({
mockAuthorizeWorkflowByWorkspacePermission.mockResolvedValueOnce({
allowed: true,
status: 200,
workflow: mockWorkflow,
workspaceOwnerId: null,
workspacePermission: null,
isOwner: true,
isWorkspaceOwner: false,
workspacePermission: 'write',
})
const invalidData = { variables: [{ name: 'test' }] }
@@ -293,7 +294,7 @@ describe('Workflow Variables API Route', () => {
})
const params = Promise.resolve({ id: 'workflow-123' })
const { POST } = await import('@/app/api/workflows/[id]/variables/route')
const { POST } = await import('./route')
const response = await POST(req, { params })
expect(response.status).toBe(400)
@@ -305,12 +306,14 @@ describe('Workflow Variables API Route', () => {
describe('Error handling', () => {
it.concurrent('should handle database errors gracefully', async () => {
authMocks.setAuthenticated({ id: 'user-123', email: 'test@example.com' })
mockGetWorkflowAccessContext.mockRejectedValueOnce(new Error('Database connection failed'))
mockAuthorizeWorkflowByWorkspacePermission.mockRejectedValueOnce(
new Error('Database connection failed')
)
const req = new NextRequest('http://localhost:3000/api/workflows/workflow-123/variables')
const params = Promise.resolve({ id: 'workflow-123' })
const { GET } = await import('@/app/api/workflows/[id]/variables/route')
const { GET } = await import('./route')
const response = await GET(req, { params })
expect(response.status).toBe(500)

59
apps/sim/app/api/workflows/[id]/variables/route.ts
View File

@@ -4,9 +4,9 @@ import { createLogger } from '@sim/logger'
import { eq } from 'drizzle-orm'
import { type NextRequest, NextResponse } from 'next/server'
import { z } from 'zod'
import { getSession } from '@/lib/auth'
import { checkSessionOrInternalAuth } from '@/lib/auth/hybrid'
import { generateRequestId } from '@/lib/core/utils/request'
import { getWorkflowAccessContext } from '@/lib/workflows/utils'
import { authorizeWorkflowByWorkspacePermission } from '@/lib/workflows/utils'
import type { Variable } from '@/stores/panel/variables/types'
const logger = createLogger('WorkflowVariablesAPI')
@@ -34,31 +34,34 @@ export async function POST(req: NextRequest, { params }: { params: Promise<{ id:
const workflowId = (await params).id
try {
const session = await getSession()
if (!session?.user?.id) {
const auth = await checkSessionOrInternalAuth(req, { requireWorkflowId: false })
if (!auth.success || !auth.userId) {
logger.warn(`[${requestId}] Unauthorized workflow variables update attempt`)
return NextResponse.json({ error: 'Unauthorized' }, { status: 401 })
}
const userId = auth.userId
// Get the workflow record
const accessContext = await getWorkflowAccessContext(workflowId, session.user.id)
const workflowData = accessContext?.workflow
const authorization = await authorizeWorkflowByWorkspacePermission({
workflowId,
userId,
action: 'write',
})
const workflowData = authorization.workflow
if (!workflowData) {
logger.warn(`[${requestId}] Workflow not found: ${workflowId}`)
return NextResponse.json({ error: 'Workflow not found' }, { status: 404 })
}
const workspaceId = workflowData.workspaceId
// Check authorization - either the user owns the workflow or has workspace permissions
const isAuthorized =
accessContext?.isOwner || (workspaceId ? accessContext?.workspacePermission !== null : false)
const isAuthorized = authorization.allowed
if (!isAuthorized) {
logger.warn(
`[${requestId}] User ${session.user.id} attempted to update variables for workflow ${workflowId} without permission`
`[${requestId}] User ${userId} attempted to update variables for workflow ${workflowId} without permission`
)
return NextResponse.json(
{ error: authorization.message || 'Access denied' },
{ status: authorization.status || 403 }
)
return NextResponse.json({ error: 'Unauthorized' }, { status: 401 })
}
const body = await req.json()
@@ -100,32 +103,34 @@ export async function GET(req: NextRequest, { params }: { params: Promise<{ id:
const workflowId = (await params).id
try {
// Get the session directly in the API route
const session = await getSession()
if (!session?.user?.id) {
const auth = await checkSessionOrInternalAuth(req, { requireWorkflowId: false })
if (!auth.success || !auth.userId) {
logger.warn(`[${requestId}] Unauthorized workflow variables access attempt`)
return NextResponse.json({ error: 'Unauthorized' }, { status: 401 })
}
const userId = auth.userId
// Get the workflow record
const accessContext = await getWorkflowAccessContext(workflowId, session.user.id)
const workflowData = accessContext?.workflow
const authorization = await authorizeWorkflowByWorkspacePermission({
workflowId,
userId,
action: 'read',
})
const workflowData = authorization.workflow
if (!workflowData) {
logger.warn(`[${requestId}] Workflow not found: ${workflowId}`)
return NextResponse.json({ error: 'Workflow not found' }, { status: 404 })
}
const workspaceId = workflowData.workspaceId
// Check authorization - either the user owns the workflow or has workspace permissions
const isAuthorized =
accessContext?.isOwner || (workspaceId ? accessContext?.workspacePermission !== null : false)
const isAuthorized = authorization.allowed
if (!isAuthorized) {
logger.warn(
`[${requestId}] User ${session.user.id} attempted to access variables for workflow ${workflowId} without permission`
`[${requestId}] User ${userId} attempted to access variables for workflow ${workflowId} without permission`
)
return NextResponse.json(
{ error: authorization.message || 'Access denied' },
{ status: authorization.status || 403 }
)
return NextResponse.json({ error: 'Unauthorized' }, { status: 401 })
}
// Return variables if they exist

65
apps/sim/app/api/workflows/middleware.ts
View File

@@ -5,14 +5,16 @@ import {
authenticateApiKeyFromHeader,
updateApiKeyLastUsed,
} from '@/lib/api-key/service'
import { type AuthResult, checkHybridAuth } from '@/lib/auth/hybrid'
import { env } from '@/lib/core/config/env'
import { getWorkflowById } from '@/lib/workflows/utils'
import { authorizeWorkflowByWorkspacePermission, getWorkflowById } from '@/lib/workflows/utils'
const logger = createLogger('WorkflowMiddleware')
export interface ValidationResult {
error?: { message: string; status: number }
workflow?: any
auth?: AuthResult
}
export async function validateWorkflowAccess(
@@ -31,6 +33,44 @@ export async function validateWorkflowAccess(
}
}
if (!workflow.workspaceId) {
return {
error: {
message:
'This workflow is not attached to a workspace. Personal workflows are deprecated and cannot be accessed.',
status: 403,
},
}
}
if (!requireDeployment) {
const auth = await checkHybridAuth(request, { requireWorkflowId: false })
if (!auth.success || !auth.userId) {
return {
error: {
message: auth.error || 'Unauthorized',
status: 401,
},
}
}
const authorization = await authorizeWorkflowByWorkspacePermission({
workflowId,
userId: auth.userId,
action: 'read',
})
if (!authorization.allowed) {
return {
error: {
message: authorization.message || 'Access denied',
status: authorization.status,
},
}
}
return { workflow, auth }
}
if (requireDeployment) {
if (!workflow.isDeployed) {
return {
@@ -65,24 +105,13 @@ export async function validateWorkflowAccess(
let validResult: ApiKeyAuthResult | null = null
if (workflow.workspaceId) {
const workspaceResult = await authenticateApiKeyFromHeader(apiKeyHeader, {
workspaceId: workflow.workspaceId as string,
keyTypes: ['workspace', 'personal'],
})
const workspaceResult = await authenticateApiKeyFromHeader(apiKeyHeader, {
workspaceId: workflow.workspaceId as string,
keyTypes: ['workspace', 'personal'],
})
if (workspaceResult.success) {
validResult = workspaceResult
}
} else {
const personalResult = await authenticateApiKeyFromHeader(apiKeyHeader, {
userId: workflow.userId as string,
keyTypes: ['personal'],
})
if (personalResult.success) {
validResult = personalResult
}
if (workspaceResult.success) {
validResult = workspaceResult
}
if (!validResult) {

12
apps/sim/app/api/workflows/reorder/route.ts
View File

@@ -4,7 +4,7 @@ import { createLogger } from '@sim/logger'
import { eq, inArray } from 'drizzle-orm'
import { type NextRequest, NextResponse } from 'next/server'
import { z } from 'zod'
import { getSession } from '@/lib/auth'
import { checkSessionOrInternalAuth } from '@/lib/auth/hybrid'
import { generateRequestId } from '@/lib/core/utils/request'
import { getUserEntityPermissions } from '@/lib/workspaces/permissions/utils'
@@ -23,21 +23,21 @@ const ReorderSchema = z.object({
export async function PUT(req: NextRequest) {
const requestId = generateRequestId()
const session = await getSession()
if (!session?.user?.id) {
const auth = await checkSessionOrInternalAuth(req, { requireWorkflowId: false })
if (!auth.success || !auth.userId) {
logger.warn(`[${requestId}] Unauthorized reorder attempt`)
return NextResponse.json({ error: 'Unauthorized' }, { status: 401 })
}
const userId = auth.userId
try {
const body = await req.json()
const { workspaceId, updates } = ReorderSchema.parse(body)
const permission = await getUserEntityPermissions(session.user.id, 'workspace', workspaceId)
const permission = await getUserEntityPermissions(userId, 'workspace', workspaceId)
if (!permission || permission === 'read') {
logger.warn(
`[${requestId}] User ${session.user.id} lacks write permission for workspace ${workspaceId}`
`[${requestId}] User ${userId} lacks write permission for workspace ${workspaceId}`
)
return NextResponse.json({ error: 'Write access required' }, { status: 403 })
}

76
apps/sim/app/api/workflows/route.ts
View File

@@ -1,10 +1,10 @@
import { db } from '@sim/db'
import { workflow } from '@sim/db/schema'
import { permissions, workflow } from '@sim/db/schema'
import { createLogger } from '@sim/logger'
import { and, asc, eq, isNull, min } from 'drizzle-orm'
import { and, asc, eq, inArray, isNull, min } from 'drizzle-orm'
import { type NextRequest, NextResponse } from 'next/server'
import { z } from 'zod'
import { getSession } from '@/lib/auth'
import { checkSessionOrInternalAuth } from '@/lib/auth/hybrid'
import { generateRequestId } from '@/lib/core/utils/request'
import { getUserEntityPermissions, workspaceExists } from '@/lib/workspaces/permissions/utils'
import { verifyWorkspaceMembership } from '@/app/api/workflows/utils'
@@ -21,20 +21,19 @@ const CreateWorkflowSchema = z.object({
})
// GET /api/workflows - Get workflows for user (optionally filtered by workspaceId)
export async function GET(request: Request) {
export async function GET(request: NextRequest) {
const requestId = generateRequestId()
const startTime = Date.now()
const url = new URL(request.url)
const workspaceId = url.searchParams.get('workspaceId')
try {
const session = await getSession()
if (!session?.user?.id) {
const auth = await checkSessionOrInternalAuth(request, { requireWorkflowId: false })
if (!auth.success || !auth.userId) {
logger.warn(`[${requestId}] Unauthorized workflow access attempt`)
return NextResponse.json({ error: 'Unauthorized' }, { status: 401 })
}
const userId = session.user.id
const userId = auth.userId
if (workspaceId) {
const wsExists = await workspaceExists(workspaceId)
@@ -73,10 +72,18 @@ export async function GET(request: Request) {
.where(eq(workflow.workspaceId, workspaceId))
.orderBy(...orderByClause)
} else {
const workspacePermissionRows = await db
.select({ workspaceId: permissions.entityId })
.from(permissions)
.where(and(eq(permissions.userId, userId), eq(permissions.entityType, 'workspace')))
const workspaceIds = workspacePermissionRows.map((row) => row.workspaceId)
if (workspaceIds.length === 0) {
return NextResponse.json({ data: [] }, { status: 200 })
}
workflows = await db
.select()
.from(workflow)
.where(eq(workflow.userId, userId))
.where(inArray(workflow.workspaceId, workspaceIds))
.orderBy(...orderByClause)
}
@@ -91,12 +98,12 @@ export async function GET(request: Request) {
// POST /api/workflows - Create a new workflow
export async function POST(req: NextRequest) {
const requestId = generateRequestId()
const session = await getSession()
if (!session?.user?.id) {
const auth = await checkSessionOrInternalAuth(req, { requireWorkflowId: false })
if (!auth.success || !auth.userId) {
logger.warn(`[${requestId}] Unauthorized workflow creation attempt`)
return NextResponse.json({ error: 'Unauthorized' }, { status: 401 })
}
const userId = auth.userId
try {
const body = await req.json()
@@ -109,28 +116,33 @@ export async function POST(req: NextRequest) {
sortOrder: providedSortOrder,
} = CreateWorkflowSchema.parse(body)
if (workspaceId) {
const workspacePermission = await getUserEntityPermissions(
session.user.id,
'workspace',
workspaceId
if (!workspaceId) {
logger.warn(`[${requestId}] Workflow creation blocked: missing workspaceId`)
return NextResponse.json(
{
error:
'workspaceId is required. Personal workflows are deprecated and cannot be created.',
},
{ status: 400 }
)
}
if (!workspacePermission || workspacePermission === 'read') {
logger.warn(
`[${requestId}] User ${session.user.id} attempted to create workflow in workspace ${workspaceId} without write permissions`
)
return NextResponse.json(
{ error: 'Write or Admin access required to create workflows in this workspace' },
{ status: 403 }
)
}
const workspacePermission = await getUserEntityPermissions(userId, 'workspace', workspaceId)
if (!workspacePermission || workspacePermission === 'read') {
logger.warn(
`[${requestId}] User ${userId} attempted to create workflow in workspace ${workspaceId} without write permissions`
)
return NextResponse.json(
{ error: 'Write or Admin access required to create workflows in this workspace' },
{ status: 403 }
)
}
const workflowId = crypto.randomUUID()
const now = new Date()
logger.info(`[${requestId}] Creating workflow ${workflowId} for user ${session.user.id}`)
logger.info(`[${requestId}] Creating workflow ${workflowId} for user ${userId}`)
import('@/lib/core/telemetry')
.then(({ PlatformEvents }) => {
@@ -153,18 +165,14 @@ export async function POST(req: NextRequest) {
const [minResult] = await db
.select({ minOrder: min(workflow.sortOrder) })
.from(workflow)
.where(
workspaceId
? and(eq(workflow.workspaceId, workspaceId), folderCondition)
: and(eq(workflow.userId, session.user.id), folderCondition)
)
.where(and(eq(workflow.workspaceId, workspaceId), folderCondition))
sortOrder = (minResult?.minOrder ?? 1) - 1
}
await db.insert(workflow).values({
id: workflowId,
userId: session.user.id,
workspaceId: workspaceId || null,
userId,
workspaceId,
folderId: folderId || null,
sortOrder,
name,

6
apps/sim/app/workspace/[workspaceId]/logs/components/log-details/components/trace-spans/trace-spans.tsx
View File

@@ -16,7 +16,7 @@ import {
PopoverItem,
Tooltip,
} from '@/components/emcn'
import { WorkflowIcon } from '@/components/icons'
import { AgentSkillsIcon, WorkflowIcon } from '@/components/icons'
import { cn } from '@/lib/core/utils/cn'
import { formatDuration } from '@/lib/core/utils/formatting'
import { LoopTool } from '@/app/workspace/[workspaceId]/w/[workflowId]/components/subflows/loop/loop-config'
@@ -118,6 +118,10 @@ function getBlockIconAndColor(
// Check for tool by name first (most specific)
if (lowerType === 'tool' && toolName) {
// Handle load_skill tool with the AgentSkillsIcon
if (toolName === 'load_skill') {
return { icon: AgentSkillsIcon, bgColor: '#8B5CF6' }
}
const toolBlock = getBlockByToolName(toolName)
if (toolBlock) {
return { icon: toolBlock.icon, bgColor: toolBlock.bgColor }

5
apps/sim/app/workspace/[workspaceId]/w/[workflowId]/components/action-bar/action-bar.tsx
View File

@@ -7,7 +7,7 @@ import { useUserPermissionsContext } from '@/app/workspace/[workspaceId]/provide
import { useWorkflowExecution } from '@/app/workspace/[workspaceId]/w/[workflowId]/hooks'
import { validateTriggerPaste } from '@/app/workspace/[workspaceId]/w/[workflowId]/utils'
import { useCollaborativeWorkflow } from '@/hooks/use-collaborative-workflow'
import { useExecutionStore } from '@/stores/execution'
import { useCurrentWorkflowExecution, useExecutionStore } from '@/stores/execution'
import { useNotificationStore } from '@/stores/notifications'
import { useWorkflowRegistry } from '@/stores/workflows/registry/store'
import { useWorkflowStore } from '@/stores/workflows/workflow/store'
@@ -114,7 +114,8 @@ export const ActionBar = memo(
)
const { activeWorkflowId } = useWorkflowRegistry()
const { isExecuting, getLastExecutionSnapshot } = useExecutionStore()
const { isExecuting } = useCurrentWorkflowExecution()
const getLastExecutionSnapshot = useExecutionStore((s) => s.getLastExecutionSnapshot)
const userPermissions = useUserPermissionsContext()
const edges = useWorkflowStore((state) => state.edges)

4
apps/sim/app/workspace/[workspaceId]/w/[workflowId]/components/chat/chat.tsx
View File

@@ -51,7 +51,7 @@ import { useWorkflowExecution } from '@/app/workspace/[workspaceId]/w/[workflowI
import type { BlockLog, ExecutionResult } from '@/executor/types'
import { useChatStore } from '@/stores/chat/store'
import { getChatPosition } from '@/stores/chat/utils'
import { useExecutionStore } from '@/stores/execution'
import { useCurrentWorkflowExecution } from '@/stores/execution'
import { useOperationQueue } from '@/stores/operation-queue/store'
import { useTerminalConsoleStore } from '@/stores/terminal'
import { useWorkflowRegistry } from '@/stores/workflows/registry/store'
@@ -256,7 +256,7 @@ export function Chat() {
const hasConsoleHydrated = useTerminalConsoleStore((state) => state._hasHydrated)
const entriesFromStore = useTerminalConsoleStore((state) => state.entries)
const entries = hasConsoleHydrated ? entriesFromStore : []
const { isExecuting } = useExecutionStore()
const { isExecuting } = useCurrentWorkflowExecution()
const { handleRunWorkflow, handleCancelExecution } = useWorkflowExecution()
const { data: session } = useSession()
const { addToQueue } = useOperationQueue()

54
apps/sim/app/workspace/[workspaceId]/w/[workflowId]/components/chat/components/output-select/output-select.tsx
View File

@@ -4,11 +4,8 @@ import type React from 'react'
import { useMemo } from 'react'
import { RepeatIcon, SplitIcon } from 'lucide-react'
import { Combobox, type ComboboxOptionGroup } from '@/components/emcn'
import {
extractFieldsFromSchema,
parseResponseFormatSafely,
} from '@/lib/core/utils/response-format'
import { getToolOutputs } from '@/lib/workflows/blocks/block-outputs'
import { getEffectiveBlockOutputs } from '@/lib/workflows/blocks/block-outputs'
import { hasTriggerCapability } from '@/lib/workflows/triggers/trigger-utils'
import { getBlock } from '@/blocks'
import { useWorkflowDiffStore } from '@/stores/workflow-diff/store'
import { useSubBlockStore } from '@/stores/workflows/subblock/store'
@@ -124,42 +121,27 @@ export function OutputSelect({
: `block-${block.id}`
const blockConfig = getBlock(block.type)
const responseFormatValue =
shouldUseBaseline && baselineWorkflow
? baselineWorkflow.blocks?.[block.id]?.subBlocks?.responseFormat?.value
: subBlockValues?.[block.id]?.responseFormat
const responseFormat = parseResponseFormatSafely(responseFormatValue, block.id)
const isTriggerCapable = blockConfig ? hasTriggerCapability(blockConfig) : false
const effectiveTriggerMode = Boolean(block.triggerMode && isTriggerCapable)
let outputsToProcess: Record<string, unknown> = {}
if (responseFormat) {
const schemaFields = extractFieldsFromSchema(responseFormat)
if (schemaFields.length > 0) {
schemaFields.forEach((field) => {
outputsToProcess[field.name] = { type: field.type }
})
} else {
outputsToProcess = blockConfig?.outputs || {}
const rawSubBlockValues =
shouldUseBaseline && baselineWorkflow
? baselineWorkflow.blocks?.[block.id]?.subBlocks
: subBlockValues?.[block.id]
const subBlocks: Record<string, { value: unknown }> = {}
if (rawSubBlockValues && typeof rawSubBlockValues === 'object') {
for (const [key, val] of Object.entries(rawSubBlockValues)) {
// Handle both { value: ... } and raw value formats
subBlocks[key] = val && typeof val === 'object' && 'value' in val ? val : { value: val }
}
} else {
// Build subBlocks object for tool selector
const rawSubBlockValues =
shouldUseBaseline && baselineWorkflow
? baselineWorkflow.blocks?.[block.id]?.subBlocks
: subBlockValues?.[block.id]
const subBlocks: Record<string, { value: unknown }> = {}
if (rawSubBlockValues && typeof rawSubBlockValues === 'object') {
for (const [key, val] of Object.entries(rawSubBlockValues)) {
// Handle both { value: ... } and raw value formats
subBlocks[key] = val && typeof val === 'object' && 'value' in val ? val : { value: val }
}
}
const toolOutputs = blockConfig ? getToolOutputs(blockConfig, subBlocks) : {}
outputsToProcess =
Object.keys(toolOutputs).length > 0 ? toolOutputs : blockConfig?.outputs || {}
}
outputsToProcess = getEffectiveBlockOutputs(block.type, subBlocks, {
triggerMode: effectiveTriggerMode,
preferToolOutputs: !effectiveTriggerMode,
}) as Record<string, unknown>
if (Object.keys(outputsToProcess).length === 0) return
const addOutput = (path: string, outputObj: unknown, prefix = '') => {

100
apps/sim/app/workspace/[workspaceId]/w/[workflowId]/components/panel/components/copilot/components/user-input/components/model-selector/model-selector.tsx
View File

@@ -1,6 +1,6 @@
'use client'
import { useEffect, useRef, useState } from 'react'
import { useEffect, useMemo, useRef, useState } from 'react'
import {
Badge,
Popover,
@@ -9,8 +9,8 @@ import {
PopoverItem,
PopoverScrollArea,
} from '@/components/emcn'
import { getProviderIcon } from '@/providers/utils'
import { MODEL_OPTIONS } from '../../constants'
import { AnthropicIcon, AzureIcon, BedrockIcon, GeminiIcon, OpenAIIcon } from '@/components/icons'
import { useCopilotStore } from '@/stores/panel'
interface ModelSelectorProps {
/** Currently selected model */
@@ -22,14 +22,22 @@ interface ModelSelectorProps {
}
/**
* Gets the appropriate icon component for a model
* Map a provider string (from the available-models API) to its icon component.
* Falls back to null when the provider is unrecognised.
*/
function getModelIconComponent(modelValue: string) {
const IconComponent = getProviderIcon(modelValue)
if (!IconComponent) {
return null
}
return <IconComponent className='h-3.5 w-3.5' />
const PROVIDER_ICON_MAP: Record<string, React.ComponentType<{ className?: string }>> = {
anthropic: AnthropicIcon,
openai: OpenAIIcon,
gemini: GeminiIcon,
google: GeminiIcon,
bedrock: BedrockIcon,
azure: AzureIcon,
'azure-openai': AzureIcon,
'azure-anthropic': AzureIcon,
}
function getIconForProvider(provider: string): React.ComponentType<{ className?: string }> | null {
return PROVIDER_ICON_MAP[provider] ?? null
}
/**
@@ -43,17 +51,45 @@ export function ModelSelector({ selectedModel, isNearTop, onModelSelect }: Model
const [open, setOpen] = useState(false)
const triggerRef = useRef<HTMLDivElement>(null)
const popoverRef = useRef<HTMLDivElement>(null)
const availableModels = useCopilotStore((state) => state.availableModels)
const modelOptions = useMemo(() => {
return availableModels.map((model) => ({
value: model.id,
label: model.friendlyName || model.id,
provider: model.provider,
}))
}, [availableModels])
/**
* Extract the provider from a composite model key (e.g. "bedrock/claude-opus-4-6" → "bedrock").
* This mirrors the agent block pattern where model IDs are provider-prefixed.
*/
const getProviderForModel = (compositeKey: string): string | undefined => {
const slashIdx = compositeKey.indexOf('/')
if (slashIdx !== -1) return compositeKey.slice(0, slashIdx)
// Legacy migration path: allow old raw IDs (without provider prefix)
// by resolving against current available model options.
const exact = modelOptions.find((m) => m.value === compositeKey)
if (exact?.provider) return exact.provider
const byRawSuffix = modelOptions.find((m) => m.value.endsWith(`/${compositeKey}`))
return byRawSuffix?.provider
}
const getCollapsedModeLabel = () => {
const model = MODEL_OPTIONS.find((m) => m.value === selectedModel)
return model ? model.label : 'claude-4.5-sonnet'
const model =
modelOptions.find((m) => m.value === selectedModel) ??
modelOptions.find((m) => m.value.endsWith(`/${selectedModel}`))
return model?.label || selectedModel || 'No models available'
}
const getModelIcon = () => {
const IconComponent = getProviderIcon(selectedModel)
if (!IconComponent) {
return null
}
const provider = getProviderForModel(selectedModel)
if (!provider) return null
const IconComponent = getIconForProvider(provider)
if (!IconComponent) return null
return (
<span className='flex-shrink-0'>
<IconComponent className='h-3 w-3' />
@@ -61,6 +97,14 @@ export function ModelSelector({ selectedModel, isNearTop, onModelSelect }: Model
)
}
const getModelIconComponent = (modelValue: string) => {
const provider = getProviderForModel(modelValue)
if (!provider) return null
const IconComponent = getIconForProvider(provider)
if (!IconComponent) return null
return <IconComponent className='h-3.5 w-3.5' />
}
const handleSelect = (modelValue: string) => {
onModelSelect(modelValue)
setOpen(false)
@@ -124,16 +168,20 @@ export function ModelSelector({ selectedModel, isNearTop, onModelSelect }: Model
onCloseAutoFocus={(e) => e.preventDefault()}
>
<PopoverScrollArea className='space-y-[2px]'>
{MODEL_OPTIONS.map((option) => (
<PopoverItem
key={option.value}
active={selectedModel === option.value}
onClick={() => handleSelect(option.value)}
>
{getModelIconComponent(option.value)}
<span>{option.label}</span>
</PopoverItem>
))}
{modelOptions.length > 0 ? (
modelOptions.map((option) => (
<PopoverItem
key={option.value}
active={selectedModel === option.value}
onClick={() => handleSelect(option.value)}
>
{getModelIconComponent(option.value)}
<span>{option.label}</span>
</PopoverItem>
))
) : (
<div className='px-2 py-2 text-[var(--text-muted)] text-xs'>No models available</div>
)}
</PopoverScrollArea>
</PopoverContent>
</Popover>

13
apps/sim/app/workspace/[workspaceId]/w/[workflowId]/components/panel/components/copilot/components/user-input/constants.ts
View File

@@ -242,19 +242,6 @@ export function getCommandDisplayLabel(commandId: string): string {
return command?.label || commandId.charAt(0).toUpperCase() + commandId.slice(1)
}
/**
* Model configuration options
*/
export const MODEL_OPTIONS = [
{ value: 'claude-4.6-opus', label: 'Claude 4.6 Opus' },
{ value: 'claude-4.5-opus', label: 'Claude 4.5 Opus' },
{ value: 'claude-4.5-sonnet', label: 'Claude 4.5 Sonnet' },
{ value: 'claude-4.5-haiku', label: 'Claude 4.5 Haiku' },
{ value: 'gpt-5.2-codex', label: 'GPT 5.2 Codex' },
{ value: 'gpt-5.2-pro', label: 'GPT 5.2 Pro' },
{ value: 'gemini-3-pro', label: 'Gemini 3 Pro' },
] as const
/**
* Threshold for considering input "near top" of viewport (in pixels)
*/

2
apps/sim/app/workspace/[workspaceId]/w/[workflowId]/components/panel/components/copilot/copilot.tsx
View File

@@ -112,6 +112,7 @@ export const Copilot = forwardRef<CopilotRef, CopilotProps>(({ panelWidth }, ref
closePlanTodos,
clearPlanArtifact,
savePlanArtifact,
loadAvailableModels,
loadAutoAllowedTools,
resumeActiveStream,
} = useCopilotStore()
@@ -123,6 +124,7 @@ export const Copilot = forwardRef<CopilotRef, CopilotProps>(({ panelWidth }, ref
chatsLoadedForWorkflow,
setCopilotWorkflowId,
loadChats,
loadAvailableModels,
loadAutoAllowedTools,
currentChat,
isSendingMessage,

13
apps/sim/app/workspace/[workspaceId]/w/[workflowId]/components/panel/components/copilot/hooks/use-copilot-initialization.ts
View File

@@ -11,6 +11,7 @@ interface UseCopilotInitializationProps {
chatsLoadedForWorkflow: string | null
setCopilotWorkflowId: (workflowId: string | null) => Promise<void>
loadChats: (forceRefresh?: boolean) => Promise<void>
loadAvailableModels: () => Promise<void>
loadAutoAllowedTools: () => Promise<void>
currentChat: any
isSendingMessage: boolean
@@ -30,6 +31,7 @@ export function useCopilotInitialization(props: UseCopilotInitializationProps) {
chatsLoadedForWorkflow,
setCopilotWorkflowId,
loadChats,
loadAvailableModels,
loadAutoAllowedTools,
currentChat,
isSendingMessage,
@@ -129,6 +131,17 @@ export function useCopilotInitialization(props: UseCopilotInitializationProps) {
}
}, [loadAutoAllowedTools])
/** Load available models once on mount */
const hasLoadedModelsRef = useRef(false)
useEffect(() => {
if (!hasLoadedModelsRef.current) {
hasLoadedModelsRef.current = true
loadAvailableModels().catch((err) => {
logger.warn('[Copilot] Failed to load available models', err)
})
}
}, [loadAvailableModels])
return {
isInitialized,
}

243
apps/sim/app/workspace/[workspaceId]/w/[workflowId]/components/panel/components/deploy/components/deploy-modal/components/mcp/mcp.tsx
View File

@@ -45,6 +45,12 @@ interface McpDeployProps {
onCanSaveChange?: (canSave: boolean) => void
}
function haveSameServerSelection(a: string[], b: string[]): boolean {
if (a.length !== b.length) return false
const bSet = new Set(b)
return a.every((id) => bSet.has(id))
}
/**
* Generate JSON Schema from input format with optional descriptions
*/
@@ -143,6 +149,7 @@ export function McpDeploy({
})
const [parameterDescriptions, setParameterDescriptions] = useState<Record<string, string>>({})
const [pendingServerChanges, setPendingServerChanges] = useState<Set<string>>(new Set())
const [saveErrors, setSaveErrors] = useState<string[]>([])
const parameterSchema = useMemo(
() => generateParameterSchema(inputFormat, parameterDescriptions),
@@ -179,6 +186,7 @@ export function McpDeploy({
}
return ids
}, [servers, serverToolsMap])
const [draftSelectedServerIds, setDraftSelectedServerIds] = useState<string[] | null>(null)
const hasLoadedInitialData = useRef(false)
@@ -238,9 +246,10 @@ export function McpDeploy({
}
}, [toolName, toolDescription, parameterDescriptions, savedValues])
const hasDeployedTools = selectedServerIds.length > 0
const hasChanges = useMemo(() => {
if (!savedValues || !hasDeployedTools) return false
const selectedServerIdsForForm = draftSelectedServerIds ?? selectedServerIds
const hasToolConfigurationChanges = useMemo(() => {
if (!savedValues) return false
if (toolName !== savedValues.toolName) return true
if (toolDescription !== savedValues.toolDescription) return true
if (
@@ -249,11 +258,18 @@ export function McpDeploy({
return true
}
return false
}, [toolName, toolDescription, parameterDescriptions, hasDeployedTools, savedValues])
}, [toolName, toolDescription, parameterDescriptions, savedValues])
const hasServerSelectionChanges = useMemo(
() => !haveSameServerSelection(selectedServerIdsForForm, selectedServerIds),
[selectedServerIdsForForm, selectedServerIds]
)
const hasChanges =
hasServerSelectionChanges ||
(hasToolConfigurationChanges && selectedServerIdsForForm.length > 0)
useEffect(() => {
onCanSaveChange?.(hasChanges && hasDeployedTools && !!toolName.trim())
}, [hasChanges, hasDeployedTools, toolName, onCanSaveChange])
onCanSaveChange?.(hasChanges && !!toolName.trim())
}, [hasChanges, toolName, onCanSaveChange])
/**
* Save tool configuration to all deployed servers
@@ -261,74 +277,25 @@ export function McpDeploy({
const handleSave = useCallback(async () => {
if (!toolName.trim()) return
const toolsToUpdate: Array<{ serverId: string; toolId: string }> = []
for (const server of servers) {
const toolInfo = serverToolsMap[server.id]
if (toolInfo?.tool) {
toolsToUpdate.push({ serverId: server.id, toolId: toolInfo.tool.id })
}
}
const currentIds = new Set(selectedServerIds)
const nextIds = new Set(selectedServerIdsForForm)
const toAdd = new Set(selectedServerIdsForForm.filter((id) => !currentIds.has(id)))
const toRemove = selectedServerIds.filter((id) => !nextIds.has(id))
const shouldUpdateExisting = hasToolConfigurationChanges
if (toolsToUpdate.length === 0) return
if (toAdd.size === 0 && toRemove.length === 0 && !shouldUpdateExisting) return
onSubmittingChange?.(true)
setSaveErrors([])
try {
for (const { serverId, toolId } of toolsToUpdate) {
await updateToolMutation.mutateAsync({
workspaceId,
serverId,
toolId,
toolName: toolName.trim(),
toolDescription: toolDescription.trim() || undefined,
parameterSchema,
})
}
// Update saved values after successful save (triggers re-render → hasChanges becomes false)
setSavedValues({
toolName,
toolDescription,
parameterDescriptions: { ...parameterDescriptions },
})
onCanSaveChange?.(false)
onSubmittingChange?.(false)
} catch (error) {
logger.error('Failed to save tool configuration:', error)
onSubmittingChange?.(false)
}
}, [
toolName,
toolDescription,
parameterDescriptions,
parameterSchema,
servers,
serverToolsMap,
workspaceId,
updateToolMutation,
onSubmittingChange,
onCanSaveChange,
])
const serverOptions: ComboboxOption[] = useMemo(() => {
return servers.map((server) => ({
label: server.name,
value: server.id,
}))
}, [servers])
const handleServerSelectionChange = useCallback(
async (newSelectedIds: string[]) => {
if (!toolName.trim()) return
const currentIds = new Set(selectedServerIds)
const newIds = new Set(newSelectedIds)
const toAdd = newSelectedIds.filter((id) => !currentIds.has(id))
const toRemove = selectedServerIds.filter((id) => !newIds.has(id))
const errors: string[] = []
const addedEntries: Record<string, { tool: WorkflowMcpTool; isLoading: boolean }> = {}
const removedIds: string[] = []
for (const serverId of toAdd) {
setPendingServerChanges((prev) => new Set(prev).add(serverId))
try {
await addToolMutation.mutateAsync({
const addedTool = await addToolMutation.mutateAsync({
workspaceId,
serverId,
workflowId,
@@ -336,10 +303,13 @@ export function McpDeploy({
toolDescription: toolDescription.trim() || undefined,
parameterSchema,
})
addedEntries[serverId] = { tool: addedTool, isLoading: false }
onAddedToServer?.()
logger.info(`Added workflow ${workflowId} as tool to server ${serverId}`)
} catch (error) {
logger.error('Failed to add tool:', error)
const serverName = servers.find((s) => s.id === serverId)?.name || serverId
errors.push(`Failed to add to ${serverName}`)
logger.error(`Failed to add tool to server ${serverId}:`, error)
} finally {
setPendingServerChanges((prev) => {
const next = new Set(prev)
@@ -351,54 +321,115 @@ export function McpDeploy({
for (const serverId of toRemove) {
const toolInfo = serverToolsMap[serverId]
if (toolInfo?.tool) {
setPendingServerChanges((prev) => new Set(prev).add(serverId))
if (!toolInfo?.tool) continue
setPendingServerChanges((prev) => new Set(prev).add(serverId))
try {
await deleteToolMutation.mutateAsync({
workspaceId,
serverId,
toolId: toolInfo.tool.id,
})
removedIds.push(serverId)
} catch (error) {
const serverName = servers.find((s) => s.id === serverId)?.name || serverId
errors.push(`Failed to remove from ${serverName}`)
logger.error(`Failed to remove tool from server ${serverId}:`, error)
} finally {
setPendingServerChanges((prev) => {
const next = new Set(prev)
next.delete(serverId)
return next
})
}
}
if (shouldUpdateExisting) {
for (const serverId of selectedServerIdsForForm) {
if (toAdd.has(serverId)) continue
const toolInfo = serverToolsMap[serverId]
if (!toolInfo?.tool) continue
try {
await deleteToolMutation.mutateAsync({
await updateToolMutation.mutateAsync({
workspaceId,
serverId,
toolId: toolInfo.tool.id,
})
setServerToolsMap((prev) => {
const next = { ...prev }
delete next[serverId]
return next
toolName: toolName.trim(),
toolDescription: toolDescription.trim() || undefined,
parameterSchema,
})
} catch (error) {
logger.error('Failed to remove tool:', error)
} finally {
setPendingServerChanges((prev) => {
const next = new Set(prev)
next.delete(serverId)
return next
})
const serverName = servers.find((s) => s.id === serverId)?.name || serverId
errors.push(`Failed to update on ${serverName}`)
logger.error(`Failed to update tool on server ${serverId}:`, error)
}
}
}
},
[
selectedServerIds,
serverToolsMap,
toolName,
toolDescription,
workspaceId,
workflowId,
parameterSchema,
addToolMutation,
deleteToolMutation,
onAddedToServer,
]
)
setServerToolsMap((prev) => {
const next = { ...prev, ...addedEntries }
for (const id of removedIds) {
delete next[id]
}
return next
})
if (errors.length > 0) {
setSaveErrors(errors)
} else {
setDraftSelectedServerIds(null)
setSavedValues({
toolName,
toolDescription,
parameterDescriptions: { ...parameterDescriptions },
})
onCanSaveChange?.(false)
}
onSubmittingChange?.(false)
} catch (error) {
logger.error('Failed to save tool configuration:', error)
onSubmittingChange?.(false)
}
}, [
toolName,
toolDescription,
parameterDescriptions,
parameterSchema,
selectedServerIds,
selectedServerIdsForForm,
hasToolConfigurationChanges,
serverToolsMap,
workspaceId,
workflowId,
servers,
addToolMutation,
deleteToolMutation,
updateToolMutation,
onAddedToServer,
onSubmittingChange,
onCanSaveChange,
])
const serverOptions: ComboboxOption[] = useMemo(() => {
return servers.map((server) => ({
label: server.name,
value: server.id,
}))
}, [servers])
const handleServerSelectionChange = useCallback((newSelectedIds: string[]) => {
setDraftSelectedServerIds(newSelectedIds)
}, [])
const selectedServersLabel = useMemo(() => {
const count = selectedServerIds.length
const count = selectedServerIdsForForm.length
if (count === 0) return 'Select servers...'
if (count === 1) {
const server = servers.find((s) => s.id === selectedServerIds[0])
const server = servers.find((s) => s.id === selectedServerIdsForForm[0])
return server?.name || '1 server'
}
return `${count} servers selected`
}, [selectedServerIds, servers])
}, [selectedServerIdsForForm, servers])
const isPending = pendingServerChanges.size > 0
@@ -544,7 +575,7 @@ export function McpDeploy({
<Combobox
options={serverOptions}
multiSelect
multiSelectValues={selectedServerIds}
multiSelectValues={selectedServerIdsForForm}
onMultiSelectChange={handleServerSelectionChange}
placeholder='Select servers...'
searchable
@@ -561,10 +592,14 @@ export function McpDeploy({
)}
</div>
{addToolMutation.isError && (
<p className='mt-[6.5px] text-[12px] text-[var(--text-error)]'>
{addToolMutation.error?.message || 'Failed to add tool'}
</p>
{saveErrors.length > 0 && (
<div className='mt-[6.5px] flex flex-col gap-[2px]'>
{saveErrors.map((error) => (
<p key={error} className='text-[12px] text-[var(--text-error)]'>
{error}
</p>
))}
</div>
)}
</form>
)

2
apps/sim/app/workspace/[workspaceId]/w/[workflowId]/components/panel/components/editor/components/connection-blocks/connection-blocks.tsx
View File

@@ -61,8 +61,6 @@ function ConnectionItem({
blockId: connection.id,
blockType: connection.type,
mergedSubBlocks,
responseFormat: connection.responseFormat,
operation: connection.operation,
triggerMode: sourceBlock?.triggerMode,
})
const hasFields = fields.length > 0

284
apps/sim/app/workspace/[workspaceId]/w/[workflowId]/components/panel/components/editor/components/sub-block/components/tag-dropdown/tag-dropdown.tsx
View File

@@ -14,16 +14,11 @@ import {
} from '@/components/emcn'
import { cn } from '@/lib/core/utils/cn'
import {
extractFieldsFromSchema,
parseResponseFormatSafely,
} from '@/lib/core/utils/response-format'
import {
getBlockOutputPaths,
getBlockOutputType,
getEffectiveBlockOutputPaths,
getEffectiveBlockOutputType,
getOutputPathsFromSchema,
getToolOutputPaths,
getToolOutputType,
} from '@/lib/workflows/blocks/block-outputs'
import { hasTriggerCapability } from '@/lib/workflows/triggers/trigger-utils'
import { TRIGGER_TYPES } from '@/lib/workflows/triggers/triggers'
import { KeyboardNavigationHandler } from '@/app/workspace/[workspaceId]/w/[workflowId]/components/panel/components/editor/components/sub-block/components/tag-dropdown/components/keyboard-navigation-handler'
import type {
@@ -214,43 +209,19 @@ const getOutputTypeForPath = (
outputPath: string,
mergedSubBlocksOverride?: Record<string, any>
): string => {
if (block?.triggerMode && blockConfig?.triggers?.enabled) {
return getBlockOutputType(block.type, outputPath, mergedSubBlocksOverride, true)
}
if (block?.type === 'starter') {
const startWorkflowValue =
mergedSubBlocksOverride?.startWorkflow?.value ?? getSubBlockValue(blockId, 'startWorkflow')
if (startWorkflowValue === 'chat') {
const chatModeTypes: Record<string, string> = {
input: 'string',
conversationId: 'string',
files: 'file[]',
}
return chatModeTypes[outputPath] || 'any'
}
const inputFormatValue =
mergedSubBlocksOverride?.inputFormat?.value ?? getSubBlockValue(blockId, 'inputFormat')
if (inputFormatValue && Array.isArray(inputFormatValue)) {
const field = inputFormatValue.find(
(f: { name?: string; type?: string }) => f.name === outputPath
)
if (field?.type) return field.type
}
} else if (blockConfig?.category === 'triggers') {
const blockState = useWorkflowStore.getState().blocks[blockId]
const subBlocks = mergedSubBlocksOverride ?? (blockState?.subBlocks || {})
return getBlockOutputType(block.type, outputPath, subBlocks)
} else if (blockConfig?.tools?.config?.tool) {
const blockState = useWorkflowStore.getState().blocks[blockId]
const subBlocks = mergedSubBlocksOverride ?? (blockState?.subBlocks || {})
return getToolOutputType(blockConfig, subBlocks, outputPath)
if (block?.type === 'variables') {
return 'any'
}
const subBlocks =
mergedSubBlocksOverride ?? useWorkflowStore.getState().blocks[blockId]?.subBlocks
const triggerMode = block?.triggerMode && blockConfig?.triggers?.enabled
return getBlockOutputType(block?.type ?? '', outputPath, subBlocks, triggerMode)
const isTriggerCapable = blockConfig ? hasTriggerCapability(blockConfig) : false
const triggerMode = Boolean(block?.triggerMode && isTriggerCapable)
return getEffectiveBlockOutputType(block?.type ?? '', outputPath, subBlocks, {
triggerMode,
preferToolOutputs: !triggerMode,
})
}
/**
@@ -1088,24 +1059,9 @@ export const TagDropdown: React.FC<TagDropdownProps> = ({
const normalizedBlockName = normalizeName(blockName)
const mergedSubBlocks = getMergedSubBlocks(activeSourceBlockId)
const responseFormatValue = mergedSubBlocks?.responseFormat?.value
const responseFormat = parseResponseFormatSafely(responseFormatValue, activeSourceBlockId)
let blockTags: string[]
if (sourceBlock.type === 'evaluator') {
const metricsValue = getSubBlockValue(activeSourceBlockId, 'metrics')
if (metricsValue && Array.isArray(metricsValue) && metricsValue.length > 0) {
const validMetrics = metricsValue.filter((metric: { name?: string }) => metric?.name)
blockTags = validMetrics.map(
(metric: { name: string }) => `${normalizedBlockName}.${metric.name.toLowerCase()}`
)
} else {
const outputPaths = getBlockOutputPaths(sourceBlock.type, mergedSubBlocks)
blockTags = outputPaths.map((path) => `${normalizedBlockName}.${path}`)
}
} else if (sourceBlock.type === 'variables') {
if (sourceBlock.type === 'variables') {
const variablesValue = getSubBlockValue(activeSourceBlockId, 'variables')
if (variablesValue && Array.isArray(variablesValue) && variablesValue.length > 0) {
@@ -1119,106 +1075,24 @@ export const TagDropdown: React.FC<TagDropdownProps> = ({
} else {
blockTags = [normalizedBlockName]
}
} else if (responseFormat) {
const schemaFields = extractFieldsFromSchema(responseFormat)
if (schemaFields.length > 0) {
blockTags = schemaFields.map((field) => `${normalizedBlockName}.${field.name}`)
} else {
const outputPaths = getBlockOutputPaths(
sourceBlock.type,
mergedSubBlocks,
sourceBlock.triggerMode
)
blockTags = outputPaths.map((path) => `${normalizedBlockName}.${path}`)
}
} else if (!blockConfig.outputs || Object.keys(blockConfig.outputs).length === 0) {
if (sourceBlock.type === 'starter') {
const startWorkflowValue = mergedSubBlocks?.startWorkflow?.value
if (startWorkflowValue === 'chat') {
blockTags = [
`${normalizedBlockName}.input`,
`${normalizedBlockName}.conversationId`,
`${normalizedBlockName}.files`,
]
} else {
const inputFormatValue = mergedSubBlocks?.inputFormat?.value
if (
inputFormatValue &&
Array.isArray(inputFormatValue) &&
inputFormatValue.length > 0
) {
blockTags = inputFormatValue
.filter((field: { name?: string }) => field.name && field.name.trim() !== '')
.map((field: { name: string }) => `${normalizedBlockName}.${field.name}`)
} else {
blockTags = [normalizedBlockName]
}
}
} else if (sourceBlock.type === 'api_trigger' || sourceBlock.type === 'input_trigger') {
const inputFormatValue = mergedSubBlocks?.inputFormat?.value
if (inputFormatValue && Array.isArray(inputFormatValue) && inputFormatValue.length > 0) {
blockTags = inputFormatValue
.filter((field: { name?: string }) => field.name && field.name.trim() !== '')
.map((field: { name: string }) => `${normalizedBlockName}.${field.name}`)
} else {
blockTags = []
}
} else {
blockTags = [normalizedBlockName]
}
} else {
if (blockConfig.category === 'triggers' || sourceBlock.type === 'starter') {
const dynamicOutputs = getBlockOutputPaths(sourceBlock.type, mergedSubBlocks)
if (dynamicOutputs.length > 0) {
blockTags = dynamicOutputs.map((path) => `${normalizedBlockName}.${path}`)
} else if (sourceBlock.type === 'starter') {
blockTags = [normalizedBlockName]
} else if (sourceBlock.type === TRIGGER_TYPES.GENERIC_WEBHOOK) {
blockTags = [normalizedBlockName]
} else {
blockTags = []
}
} else if (sourceBlock?.triggerMode && blockConfig.triggers?.enabled) {
const dynamicOutputs = getBlockOutputPaths(sourceBlock.type, mergedSubBlocks, true)
if (dynamicOutputs.length > 0) {
blockTags = dynamicOutputs.map((path) => `${normalizedBlockName}.${path}`)
} else {
const outputPaths = getBlockOutputPaths(sourceBlock.type, mergedSubBlocks, true)
blockTags = outputPaths.map((path) => `${normalizedBlockName}.${path}`)
}
} else if (sourceBlock.type === 'human_in_the_loop') {
const dynamicOutputs = getBlockOutputPaths(sourceBlock.type, mergedSubBlocks)
const sourceBlockConfig = getBlock(sourceBlock.type)
const isTriggerCapable = sourceBlockConfig ? hasTriggerCapability(sourceBlockConfig) : false
const effectiveTriggerMode = Boolean(sourceBlock.triggerMode && isTriggerCapable)
const outputPaths = getEffectiveBlockOutputPaths(sourceBlock.type, mergedSubBlocks, {
triggerMode: effectiveTriggerMode,
preferToolOutputs: !effectiveTriggerMode,
})
const allTags = outputPaths.map((path) => `${normalizedBlockName}.${path}`)
const isSelfReference = activeSourceBlockId === blockId
if (dynamicOutputs.length > 0) {
const allTags = dynamicOutputs.map((path) => `${normalizedBlockName}.${path}`)
blockTags = isSelfReference
? allTags.filter((tag) => tag.endsWith('.url') || tag.endsWith('.resumeEndpoint'))
: allTags
} else {
const outputPaths = getBlockOutputPaths(sourceBlock.type, mergedSubBlocks)
const allTags = outputPaths.map((path) => `${normalizedBlockName}.${path}`)
blockTags = isSelfReference
? allTags.filter((tag) => tag.endsWith('.url') || tag.endsWith('.resumeEndpoint'))
: allTags
}
if (sourceBlock.type === 'human_in_the_loop' && activeSourceBlockId === blockId) {
blockTags = allTags.filter(
(tag) => tag.endsWith('.url') || tag.endsWith('.resumeEndpoint')
)
} else if (allTags.length === 0) {
blockTags = [normalizedBlockName]
} else {
const toolOutputPaths = getToolOutputPaths(blockConfig, mergedSubBlocks)
if (toolOutputPaths.length > 0) {
blockTags = toolOutputPaths.map((path) => `${normalizedBlockName}.${path}`)
} else {
const outputPaths = getBlockOutputPaths(
sourceBlock.type,
mergedSubBlocks,
sourceBlock.triggerMode
)
blockTags = outputPaths.map((path) => `${normalizedBlockName}.${path}`)
}
blockTags = allTags
}
}
@@ -1432,45 +1306,10 @@ export const TagDropdown: React.FC<TagDropdownProps> = ({
const normalizedBlockName = normalizeName(blockName)
const mergedSubBlocks = getMergedSubBlocks(accessibleBlockId)
const responseFormatValue = mergedSubBlocks?.responseFormat?.value
const responseFormat = parseResponseFormatSafely(responseFormatValue, accessibleBlockId)
let blockTags: string[]
if (blockConfig.category === 'triggers' || accessibleBlock.type === 'starter') {
const dynamicOutputs = getBlockOutputPaths(accessibleBlock.type, mergedSubBlocks)
if (dynamicOutputs.length > 0) {
blockTags = dynamicOutputs.map((path) => `${normalizedBlockName}.${path}`)
} else if (accessibleBlock.type === 'starter') {
const startWorkflowValue = mergedSubBlocks?.startWorkflow?.value
if (startWorkflowValue === 'chat') {
blockTags = [
`${normalizedBlockName}.input`,
`${normalizedBlockName}.conversationId`,
`${normalizedBlockName}.files`,
]
} else {
blockTags = [normalizedBlockName]
}
} else if (accessibleBlock.type === TRIGGER_TYPES.GENERIC_WEBHOOK) {
blockTags = [normalizedBlockName]
} else {
blockTags = []
}
} else if (accessibleBlock.type === 'evaluator') {
const metricsValue = getSubBlockValue(accessibleBlockId, 'metrics')
if (metricsValue && Array.isArray(metricsValue) && metricsValue.length > 0) {
const validMetrics = metricsValue.filter((metric: { name?: string }) => metric?.name)
blockTags = validMetrics.map(
(metric: { name: string }) => `${normalizedBlockName}.${metric.name.toLowerCase()}`
)
} else {
const outputPaths = getBlockOutputPaths(accessibleBlock.type, mergedSubBlocks)
blockTags = outputPaths.map((path) => `${normalizedBlockName}.${path}`)
}
} else if (accessibleBlock.type === 'variables') {
if (accessibleBlock.type === 'variables') {
const variablesValue = getSubBlockValue(accessibleBlockId, 'variables')
if (variablesValue && Array.isArray(variablesValue) && variablesValue.length > 0) {
@@ -1484,57 +1323,26 @@ export const TagDropdown: React.FC<TagDropdownProps> = ({
} else {
blockTags = [normalizedBlockName]
}
} else if (responseFormat) {
const schemaFields = extractFieldsFromSchema(responseFormat)
if (schemaFields.length > 0) {
blockTags = schemaFields.map((field) => `${normalizedBlockName}.${field.name}`)
} else {
const outputPaths = getBlockOutputPaths(
accessibleBlock.type,
mergedSubBlocks,
accessibleBlock.triggerMode
)
blockTags = outputPaths.map((path) => `${normalizedBlockName}.${path}`)
}
} else if (!blockConfig.outputs || Object.keys(blockConfig.outputs).length === 0) {
blockTags = [normalizedBlockName]
} else {
const blockState = blocks[accessibleBlockId]
if (blockState?.triggerMode && blockConfig.triggers?.enabled) {
const dynamicOutputs = getBlockOutputPaths(accessibleBlock.type, mergedSubBlocks, true)
if (dynamicOutputs.length > 0) {
blockTags = dynamicOutputs.map((path) => `${normalizedBlockName}.${path}`)
} else {
const outputPaths = getBlockOutputPaths(accessibleBlock.type, mergedSubBlocks, true)
blockTags = outputPaths.map((path) => `${normalizedBlockName}.${path}`)
}
} else if (accessibleBlock.type === 'human_in_the_loop') {
const dynamicOutputs = getBlockOutputPaths(accessibleBlock.type, mergedSubBlocks)
const accessibleBlockConfig = getBlock(accessibleBlock.type)
const isTriggerCapable = accessibleBlockConfig
? hasTriggerCapability(accessibleBlockConfig)
: false
const effectiveTriggerMode = Boolean(accessibleBlock.triggerMode && isTriggerCapable)
const outputPaths = getEffectiveBlockOutputPaths(accessibleBlock.type, mergedSubBlocks, {
triggerMode: effectiveTriggerMode,
preferToolOutputs: !effectiveTriggerMode,
})
const allTags = outputPaths.map((path) => `${normalizedBlockName}.${path}`)
const isSelfReference = accessibleBlockId === blockId
if (dynamicOutputs.length > 0) {
const allTags = dynamicOutputs.map((path) => `${normalizedBlockName}.${path}`)
blockTags = isSelfReference
? allTags.filter((tag) => tag.endsWith('.url') || tag.endsWith('.resumeEndpoint'))
: allTags
} else {
blockTags = [`${normalizedBlockName}.url`, `${normalizedBlockName}.resumeEndpoint`]
}
if (accessibleBlock.type === 'human_in_the_loop' && accessibleBlockId === blockId) {
blockTags = allTags.filter(
(tag) => tag.endsWith('.url') || tag.endsWith('.resumeEndpoint')
)
} else if (allTags.length === 0) {
blockTags = [normalizedBlockName]
} else {
const toolOutputPaths = getToolOutputPaths(blockConfig, mergedSubBlocks)
if (toolOutputPaths.length > 0) {
blockTags = toolOutputPaths.map((path) => `${normalizedBlockName}.${path}`)
} else {
const outputPaths = getBlockOutputPaths(
accessibleBlock.type,
mergedSubBlocks,
accessibleBlock.triggerMode
)
blockTags = outputPaths.map((path) => `${normalizedBlockName}.${path}`)
}
blockTags = allTags
}
}

11
apps/sim/app/workspace/[workspaceId]/w/[workflowId]/components/panel/components/editor/components/sub-block/components/tool-input/components/tool-credential-selector.tsx
View File

@@ -59,7 +59,7 @@ export function ToolCredentialSelector({
disabled = false,
}: ToolCredentialSelectorProps) {
const [showOAuthModal, setShowOAuthModal] = useState(false)
const [inputValue, setInputValue] = useState('')
const [editingInputValue, setEditingInputValue] = useState('')
const [isEditing, setIsEditing] = useState(false)
const { activeWorkflowId } = useWorkflowRegistry()
@@ -100,11 +100,7 @@ export function ToolCredentialSelector({
return ''
}, [selectedCredential, isForeign])
useEffect(() => {
if (!isEditing) {
setInputValue(resolvedLabel)
}
}, [resolvedLabel, isEditing])
const inputValue = isEditing ? editingInputValue : resolvedLabel
const invalidSelection =
Boolean(selectedId) &&
@@ -189,13 +185,12 @@ export function ToolCredentialSelector({
const matchedCred = credentials.find((c) => c.id === newValue)
if (matchedCred) {
setInputValue(matchedCred.name)
handleSelect(newValue)
return
}
setIsEditing(true)
setInputValue(newValue)
setEditingInputValue(newValue)
},
[credentials, handleAddCredential, handleSelect]
)

2
apps/sim/app/workspace/[workspaceId]/w/[workflowId]/components/panel/components/editor/components/sub-block/components/tool-input/tool-input.tsx
View File

@@ -2642,7 +2642,7 @@ export const ToolInput = memo(function ToolInput({
</div>
{!isCustomTool && isExpandedForDisplay && (
<div className='flex flex-col gap-[10px] overflow-visible rounded-b-[4px] border-[var(--border-1)] border-t px-[8px] py-[8px]'>
<div className='flex flex-col gap-[10px] overflow-visible rounded-b-[4px] border-[var(--border-1)] border-t bg-[var(--surface-2)] px-[8px] py-[8px]'>
{/* Operation dropdown for tools with multiple operations */}
{(() => {
const hasOperations = hasMultipleOperations(tool.type)

56
apps/sim/app/workspace/[workspaceId]/w/[workflowId]/components/panel/components/editor/hooks/use-block-connections.ts
View File

@@ -1,10 +1,8 @@
import { useShallow } from 'zustand/react/shallow'
import {
extractFieldsFromSchema,
parseResponseFormatSafely,
} from '@/lib/core/utils/response-format'
import { getBlockOutputs } from '@/lib/workflows/blocks/block-outputs'
import { getEffectiveBlockOutputs } from '@/lib/workflows/blocks/block-outputs'
import { BlockPathCalculator } from '@/lib/workflows/blocks/block-path-calculator'
import { hasTriggerCapability } from '@/lib/workflows/triggers/trigger-utils'
import { getBlock } from '@/blocks'
import { useWorkflowRegistry } from '@/stores/workflows/registry/store'
import { useSubBlockStore } from '@/stores/workflows/subblock/store'
import { useWorkflowStore } from '@/stores/workflows/workflow/store'
@@ -20,18 +18,7 @@ export interface ConnectedBlock {
type: string
outputType: string | string[]
name: string
responseFormat?: {
// Support both formats
fields?: Field[]
name?: string
schema?: {
type: string
properties: Record<string, any>
required?: string[]
}
}
outputs?: Record<string, any>
operation?: string
}
export function useBlockConnections(blockId: string) {
@@ -102,47 +89,32 @@ export function useBlockConnections(blockId: string) {
// Get merged subblocks for this source block
const mergedSubBlocks = getMergedSubBlocks(sourceId)
const blockConfig = getBlock(sourceBlock.type)
const isTriggerCapable = blockConfig ? hasTriggerCapability(blockConfig) : false
const effectiveTriggerMode = Boolean(sourceBlock.triggerMode && isTriggerCapable)
// Get the response format from the subblock store
const responseFormatValue = useSubBlockStore.getState().getValue(sourceId, 'responseFormat')
const blockOutputs = getEffectiveBlockOutputs(sourceBlock.type, mergedSubBlocks, {
triggerMode: effectiveTriggerMode,
preferToolOutputs: !effectiveTriggerMode,
})
// Safely parse response format with proper error handling
const responseFormat = parseResponseFormatSafely(responseFormatValue, sourceId)
// Get operation value for tool-based blocks
const operationValue = useSubBlockStore.getState().getValue(sourceId, 'operation')
// Use getBlockOutputs to properly handle dynamic outputs from inputFormat
const blockOutputs = getBlockOutputs(
sourceBlock.type,
mergedSubBlocks,
sourceBlock.triggerMode
)
// Extract fields from the response format if available, otherwise use block outputs
let outputFields: Field[]
if (responseFormat) {
outputFields = extractFieldsFromSchema(responseFormat)
} else {
// Convert block outputs to field format
outputFields = Object.entries(blockOutputs).map(([key, value]: [string, any]) => ({
const outputFields: Field[] = Object.entries(blockOutputs).map(
([key, value]: [string, any]) => ({
name: key,
type: value && typeof value === 'object' && 'type' in value ? value.type : 'string',
description:
value && typeof value === 'object' && 'description' in value
? value.description
: undefined,
}))
}
})
)
return {
id: sourceBlock.id,
type: sourceBlock.type,
outputType: outputFields.map((field: Field) => field.name),
name: sourceBlock.name,
responseFormat,
outputs: blockOutputs,
operation: operationValue,
distance: nodeDistances.get(sourceId) || Number.POSITIVE_INFINITY,
}
})

4
apps/sim/app/workspace/[workspaceId]/w/[workflowId]/components/workflow-block/hooks/use-block-state.ts
View File

@@ -1,7 +1,7 @@
import { useCallback } from 'react'
import type { DiffStatus } from '@/lib/workflows/diff/types'
import { hasDiffStatus } from '@/lib/workflows/diff/types'
import { useExecutionStore } from '@/stores/execution'
import { useIsBlockActive } from '@/stores/execution'
import { useWorkflowDiffStore } from '@/stores/workflow-diff'
import type { CurrentWorkflow } from '../../../hooks/use-current-workflow'
import type { WorkflowBlockProps } from '../types'
@@ -67,7 +67,7 @@ export function useBlockState(
const isDeletedBlock = !isShowingDiff && diffAnalysis?.deleted_blocks?.includes(blockId)
// Execution state
const isActiveBlock = useExecutionStore((state) => state.activeBlockIds.has(blockId))
const isActiveBlock = useIsBlockActive(blockId)
const isActive = data.isActive || isActiveBlock
return {

4
apps/sim/app/workspace/[workspaceId]/w/[workflowId]/components/workflow-edge/workflow-edge.tsx
View File

@@ -3,7 +3,7 @@ import { X } from 'lucide-react'
import { BaseEdge, EdgeLabelRenderer, type EdgeProps, getSmoothStepPath } from 'reactflow'
import { useShallow } from 'zustand/react/shallow'
import type { EdgeDiffStatus } from '@/lib/workflows/diff/types'
import { useExecutionStore } from '@/stores/execution'
import { useLastRunEdges } from '@/stores/execution'
import { useWorkflowDiffStore } from '@/stores/workflow-diff'
/** Extended edge props with optional handle identifiers */
@@ -49,7 +49,7 @@ const WorkflowEdgeComponent = ({
isDiffReady: state.isDiffReady,
}))
)
const lastRunEdges = useExecutionStore((state) => state.lastRunEdges)
const lastRunEdges = useLastRunEdges()
const dataSourceHandle = (data as { sourceHandle?: string } | undefined)?.sourceHandle
const isErrorEdge = (sourceHandle ?? dataSourceHandle) === 'error'

161
apps/sim/app/workspace/[workspaceId]/w/[workflowId]/hooks/use-block-output-fields.ts
View File

@@ -1,13 +1,8 @@
'use client'
import { useMemo } from 'react'
import { extractFieldsFromSchema } from '@/lib/core/utils/response-format'
import {
getBlockOutputPaths,
getBlockOutputs,
getToolOutputs,
} from '@/lib/workflows/blocks/block-outputs'
import { TRIGGER_TYPES } from '@/lib/workflows/triggers/triggers'
import { getEffectiveBlockOutputs } from '@/lib/workflows/blocks/block-outputs'
import { hasTriggerCapability } from '@/lib/workflows/triggers/trigger-utils'
import type { SchemaField } from '@/app/workspace/[workspaceId]/w/[workflowId]/components/panel/components/editor/components/connection-blocks/components/field-item/field-item'
import { getBlock } from '@/blocks'
import { useSubBlockStore } from '@/stores/workflows/subblock/store'
@@ -76,11 +71,7 @@ const extractNestedFields = (properties: Record<string, any>): SchemaField[] =>
/**
* Creates a schema field from an output definition
*/
const createFieldFromOutput = (
name: string,
output: any,
responseFormatFields?: SchemaField[]
): SchemaField => {
const createFieldFromOutput = (name: string, output: any): SchemaField => {
const hasExplicitType = isObject(output) && typeof output.type === 'string'
const type = hasExplicitType ? output.type : isObject(output) ? 'object' : 'string'
@@ -90,11 +81,7 @@ const createFieldFromOutput = (
description: isObject(output) && 'description' in output ? output.description : undefined,
}
if (name === 'data' && responseFormatFields && responseFormatFields.length > 0) {
field.children = responseFormatFields
} else {
field.children = extractChildFields(output)
}
field.children = extractChildFields(output)
return field
}
@@ -103,8 +90,6 @@ interface UseBlockOutputFieldsParams {
blockId: string
blockType: string
mergedSubBlocks?: Record<string, any>
responseFormat?: any
operation?: string
triggerMode?: boolean
}
@@ -116,8 +101,6 @@ export function useBlockOutputFields({
blockId,
blockType,
mergedSubBlocks,
responseFormat,
operation,
triggerMode,
}: UseBlockOutputFieldsParams): SchemaField[] {
return useMemo(() => {
@@ -138,21 +121,6 @@ export function useBlockOutputFields({
return []
}
// Handle evaluator blocks - use metrics if available
if (blockType === 'evaluator') {
const metricsValue = mergedSubBlocks?.metrics?.value ?? getSubBlockValue(blockId, 'metrics')
if (metricsValue && Array.isArray(metricsValue) && metricsValue.length > 0) {
const validMetrics = metricsValue.filter((metric: { name?: string }) => metric?.name)
return validMetrics.map((metric: { name: string }) => ({
name: metric.name.toLowerCase(),
type: 'number',
description: `Metric: ${metric.name}`,
}))
}
// Fall through to use blockConfig.outputs
}
// Handle variables blocks - use variable assignments if available
if (blockType === 'variables') {
const variablesValue =
@@ -172,123 +140,16 @@ export function useBlockOutputFields({
return []
}
// Get base outputs using getBlockOutputs (handles triggers, starter, approval, etc.)
let baseOutputs: Record<string, any> = {}
if (blockConfig.category === 'triggers' || blockType === 'starter') {
// Use getBlockOutputPaths to get dynamic outputs, then reconstruct the structure
const outputPaths = getBlockOutputPaths(blockType, mergedSubBlocks, triggerMode)
if (outputPaths.length > 0) {
// Reconstruct outputs structure from paths
// This is a simplified approach - we'll use the paths to build the structure
baseOutputs = getBlockOutputs(blockType, mergedSubBlocks, triggerMode)
} else if (blockType === 'starter') {
const startWorkflowValue = mergedSubBlocks?.startWorkflow?.value
if (startWorkflowValue === 'chat') {
baseOutputs = {
input: { type: 'string', description: 'User message' },
conversationId: { type: 'string', description: 'Conversation ID' },
files: { type: 'file[]', description: 'Uploaded files' },
}
} else {
const inputFormatValue = mergedSubBlocks?.inputFormat?.value
if (inputFormatValue && Array.isArray(inputFormatValue) && inputFormatValue.length > 0) {
baseOutputs = {}
inputFormatValue.forEach((field: { name?: string; type?: string }) => {
if (field.name && field.name.trim() !== '') {
baseOutputs[field.name] = {
type: field.type || 'string',
description: `Field from input format`,
}
}
})
}
}
} else if (blockType === TRIGGER_TYPES.GENERIC_WEBHOOK) {
// Generic webhook returns the whole payload
baseOutputs = {}
} else {
baseOutputs = {}
}
} else if (triggerMode && blockConfig.triggers?.enabled) {
// Trigger mode enabled
const dynamicOutputs = getBlockOutputPaths(blockType, mergedSubBlocks, true)
if (dynamicOutputs.length > 0) {
baseOutputs = getBlockOutputs(blockType, mergedSubBlocks, true)
} else {
baseOutputs = blockConfig.outputs || {}
}
} else if (blockType === 'approval') {
// Approval block uses dynamic outputs from inputFormat
baseOutputs = getBlockOutputs(blockType, mergedSubBlocks)
} else {
// For tool-based blocks, try to get tool outputs first
const toolOutputs = blockConfig ? getToolOutputs(blockConfig, mergedSubBlocks) : {}
if (Object.keys(toolOutputs).length > 0) {
baseOutputs = toolOutputs
} else {
baseOutputs = getBlockOutputs(blockType, mergedSubBlocks, triggerMode)
}
}
// Handle responseFormat
const responseFormatFields = responseFormat ? extractFieldsFromSchema(responseFormat) : []
// If responseFormat exists and has fields, merge with base outputs
if (responseFormatFields.length > 0) {
// If base outputs is empty, use responseFormat fields directly
if (Object.keys(baseOutputs).length === 0) {
return responseFormatFields.map((field) => ({
name: field.name,
type: field.type,
description: field.description,
children: undefined, // ResponseFormat fields are flat
}))
}
// Otherwise, merge: responseFormat takes precedence for 'data' field
const fields: SchemaField[] = []
const responseFormatFieldNames = new Set(responseFormatFields.map((f) => f.name))
// Add base outputs, replacing 'data' with responseFormat fields if present
for (const [name, output] of Object.entries(baseOutputs)) {
if (name === 'data' && responseFormatFields.length > 0) {
fields.push(
createFieldFromOutput(
name,
output,
responseFormatFields.map((f) => ({
name: f.name,
type: f.type,
description: f.description,
}))
)
)
} else if (!responseFormatFieldNames.has(name)) {
fields.push(createFieldFromOutput(name, output))
}
}
// Add responseFormat fields that aren't in base outputs
for (const field of responseFormatFields) {
if (!baseOutputs[field.name]) {
fields.push({
name: field.name,
type: field.type,
description: field.description,
})
}
}
return fields
}
// No responseFormat, just use base outputs
const isTriggerCapable = hasTriggerCapability(blockConfig)
const effectiveTriggerMode = Boolean(triggerMode && isTriggerCapable)
const baseOutputs = getEffectiveBlockOutputs(blockType, mergedSubBlocks, {
triggerMode: effectiveTriggerMode,
preferToolOutputs: !effectiveTriggerMode,
}) as Record<string, any>
if (Object.keys(baseOutputs).length === 0) {
return []
}
return Object.entries(baseOutputs).map(([name, output]) => createFieldFromOutput(name, output))
}, [blockId, blockType, mergedSubBlocks, responseFormat, operation, triggerMode])
}, [blockId, blockType, mergedSubBlocks, triggerMode])
}

4
apps/sim/app/workspace/[workspaceId]/w/[workflowId]/hooks/use-block-visual.ts
View File

@@ -3,7 +3,7 @@ import { useBlockState } from '@/app/workspace/[workspaceId]/w/[workflowId]/comp
import type { WorkflowBlockProps } from '@/app/workspace/[workspaceId]/w/[workflowId]/components/workflow-block/types'
import { useCurrentWorkflow } from '@/app/workspace/[workspaceId]/w/[workflowId]/hooks/use-current-workflow'
import { getBlockRingStyles } from '@/app/workspace/[workspaceId]/w/[workflowId]/utils/block-ring-utils'
import { useExecutionStore } from '@/stores/execution'
import { useLastRunPath } from '@/stores/execution'
import { usePanelEditorStore, usePanelStore } from '@/stores/panel'
import { useWorkflowRegistry } from '@/stores/workflows/registry/store'
@@ -64,7 +64,7 @@ export function useBlockVisual({
)
const isEditorOpen = !isPreview && isThisBlockInEditor && activeTabIsEditor
const lastRunPath = useExecutionStore((state) => state.lastRunPath)
const lastRunPath = useLastRunPath()
const runPathStatus = isPreview ? undefined : lastRunPath.get(blockId)
const setCurrentBlockId = usePanelEditorStore((state) => state.setCurrentBlockId)

134
apps/sim/app/workspace/[workspaceId]/w/[workflowId]/hooks/use-workflow-execution.ts
View File

@@ -34,7 +34,7 @@ import { coerceValue } from '@/executor/utils/start-block'
import { subscriptionKeys } from '@/hooks/queries/subscription'
import { useExecutionStream } from '@/hooks/use-execution-stream'
import { WorkflowValidationError } from '@/serializer'
import { useExecutionStore } from '@/stores/execution'
import { useCurrentWorkflowExecution, useExecutionStore } from '@/stores/execution'
import { useNotificationStore } from '@/stores/notifications'
import { useVariablesStore } from '@/stores/panel'
import { useEnvironmentStore } from '@/stores/settings/environment'
@@ -112,24 +112,19 @@ export function useWorkflowExecution() {
useTerminalConsoleStore()
const { getAllVariables } = useEnvironmentStore()
const { getVariablesByWorkflowId, variables } = useVariablesStore()
const {
isExecuting,
isDebugging,
pendingBlocks,
executor,
debugContext,
setIsExecuting,
setIsDebugging,
setPendingBlocks,
setExecutor,
setDebugContext,
setActiveBlocks,
setBlockRunStatus,
setEdgeRunStatus,
setLastExecutionSnapshot,
getLastExecutionSnapshot,
clearLastExecutionSnapshot,
} = useExecutionStore()
const { isExecuting, isDebugging, pendingBlocks, executor, debugContext } =
useCurrentWorkflowExecution()
const setIsExecuting = useExecutionStore((s) => s.setIsExecuting)
const setIsDebugging = useExecutionStore((s) => s.setIsDebugging)
const setPendingBlocks = useExecutionStore((s) => s.setPendingBlocks)
const setExecutor = useExecutionStore((s) => s.setExecutor)
const setDebugContext = useExecutionStore((s) => s.setDebugContext)
const setActiveBlocks = useExecutionStore((s) => s.setActiveBlocks)
const setBlockRunStatus = useExecutionStore((s) => s.setBlockRunStatus)
const setEdgeRunStatus = useExecutionStore((s) => s.setEdgeRunStatus)
const setLastExecutionSnapshot = useExecutionStore((s) => s.setLastExecutionSnapshot)
const getLastExecutionSnapshot = useExecutionStore((s) => s.getLastExecutionSnapshot)
const clearLastExecutionSnapshot = useExecutionStore((s) => s.clearLastExecutionSnapshot)
const [executionResult, setExecutionResult] = useState<ExecutionResult | null>(null)
const executionStream = useExecutionStream()
const currentChatExecutionIdRef = useRef<string | null>(null)
@@ -158,13 +153,15 @@ export function useWorkflowExecution() {
* Resets all debug-related state
*/
const resetDebugState = useCallback(() => {
setIsExecuting(false)
setIsDebugging(false)
setDebugContext(null)
setExecutor(null)
setPendingBlocks([])
setActiveBlocks(new Set())
if (!activeWorkflowId) return
setIsExecuting(activeWorkflowId, false)
setIsDebugging(activeWorkflowId, false)
setDebugContext(activeWorkflowId, null)
setExecutor(activeWorkflowId, null)
setPendingBlocks(activeWorkflowId, [])
setActiveBlocks(activeWorkflowId, new Set())
}, [
activeWorkflowId,
setIsExecuting,
setIsDebugging,
setDebugContext,
@@ -312,18 +309,20 @@ export function useWorkflowExecution() {
} = config
const updateActiveBlocks = (blockId: string, isActive: boolean) => {
if (!workflowId) return
if (isActive) {
activeBlocksSet.add(blockId)
} else {
activeBlocksSet.delete(blockId)
}
setActiveBlocks(new Set(activeBlocksSet))
setActiveBlocks(workflowId, new Set(activeBlocksSet))
}
const markIncomingEdges = (blockId: string) => {
if (!workflowId) return
const incomingEdges = workflowEdges.filter((edge) => edge.target === blockId)
incomingEdges.forEach((edge) => {
setEdgeRunStatus(edge.id, 'success')
setEdgeRunStatus(workflowId, edge.id, 'success')
})
}
@@ -459,7 +458,7 @@ export function useWorkflowExecution() {
const onBlockCompleted = (data: BlockCompletedData) => {
updateActiveBlocks(data.blockId, false)
setBlockRunStatus(data.blockId, 'success')
if (workflowId) setBlockRunStatus(workflowId, data.blockId, 'success')
executedBlockIds.add(data.blockId)
accumulatedBlockStates.set(data.blockId, {
@@ -489,7 +488,7 @@ export function useWorkflowExecution() {
const onBlockError = (data: BlockErrorData) => {
updateActiveBlocks(data.blockId, false)
setBlockRunStatus(data.blockId, 'error')
if (workflowId) setBlockRunStatus(workflowId, data.blockId, 'error')
executedBlockIds.add(data.blockId)
accumulatedBlockStates.set(data.blockId, {
@@ -547,19 +546,20 @@ export function useWorkflowExecution() {
*/
const handleDebugSessionContinuation = useCallback(
(result: ExecutionResult) => {
if (!activeWorkflowId) return
logger.info('Debug step completed, next blocks pending', {
nextPendingBlocks: result.metadata?.pendingBlocks?.length || 0,
})
// Update debug context and pending blocks
if (result.metadata?.context) {
setDebugContext(result.metadata.context)
setDebugContext(activeWorkflowId, result.metadata.context)
}
if (result.metadata?.pendingBlocks) {
setPendingBlocks(result.metadata.pendingBlocks)
setPendingBlocks(activeWorkflowId, result.metadata.pendingBlocks)
}
},
[setDebugContext, setPendingBlocks]
[activeWorkflowId, setDebugContext, setPendingBlocks]
)
/**
@@ -663,11 +663,11 @@ export function useWorkflowExecution() {
// Reset execution result and set execution state
setExecutionResult(null)
setIsExecuting(true)
setIsExecuting(activeWorkflowId, true)
// Set debug mode only if explicitly requested
if (enableDebug) {
setIsDebugging(true)
setIsDebugging(activeWorkflowId, true)
}
// Determine if this is a chat execution
@@ -965,9 +965,9 @@ export function useWorkflowExecution() {
controller.close()
}
if (currentChatExecutionIdRef.current === executionId) {
setIsExecuting(false)
setIsDebugging(false)
setActiveBlocks(new Set())
setIsExecuting(activeWorkflowId, false)
setIsDebugging(activeWorkflowId, false)
setActiveBlocks(activeWorkflowId, new Set())
}
}
},
@@ -989,16 +989,16 @@ export function useWorkflowExecution() {
'manual'
)
if (result && 'metadata' in result && result.metadata?.isDebugSession) {
setDebugContext(result.metadata.context || null)
setDebugContext(activeWorkflowId, result.metadata.context || null)
if (result.metadata.pendingBlocks) {
setPendingBlocks(result.metadata.pendingBlocks)
setPendingBlocks(activeWorkflowId, result.metadata.pendingBlocks)
}
} else if (result && 'success' in result) {
setExecutionResult(result)
// Reset execution state after successful non-debug execution
setIsExecuting(false)
setIsDebugging(false)
setActiveBlocks(new Set())
setIsExecuting(activeWorkflowId, false)
setIsDebugging(activeWorkflowId, false)
setActiveBlocks(activeWorkflowId, new Set())
if (isChatExecution) {
if (!result.metadata) {
@@ -1179,7 +1179,7 @@ export function useWorkflowExecution() {
logger.error('No trigger blocks found for manual run', {
allBlockTypes: Object.values(filteredStates).map((b) => b.type),
})
setIsExecuting(false)
if (activeWorkflowId) setIsExecuting(activeWorkflowId, false)
throw error
}
@@ -1195,7 +1195,7 @@ export function useWorkflowExecution() {
'Workflow Validation'
)
logger.error('Multiple API triggers found')
setIsExecuting(false)
if (activeWorkflowId) setIsExecuting(activeWorkflowId, false)
throw error
}
@@ -1220,7 +1220,7 @@ export function useWorkflowExecution() {
'Workflow Validation'
)
logger.error('Trigger has no outgoing connections', { triggerName, startBlockId })
setIsExecuting(false)
if (activeWorkflowId) setIsExecuting(activeWorkflowId, false)
throw error
}
}
@@ -1251,7 +1251,7 @@ export function useWorkflowExecution() {
'Workflow Validation'
)
logger.error('No startBlockId found after trigger search')
setIsExecuting(false)
if (activeWorkflowId) setIsExecuting(activeWorkflowId, false)
throw error
}
@@ -1457,8 +1457,10 @@ export function useWorkflowExecution() {
logger.info('Execution aborted by user')
// Reset execution state
setIsExecuting(false)
setActiveBlocks(new Set())
if (activeWorkflowId) {
setIsExecuting(activeWorkflowId, false)
setActiveBlocks(activeWorkflowId, new Set())
}
// Return gracefully without error
return {
@@ -1533,9 +1535,11 @@ export function useWorkflowExecution() {
}
setExecutionResult(errorResult)
setIsExecuting(false)
setIsDebugging(false)
setActiveBlocks(new Set())
if (activeWorkflowId) {
setIsExecuting(activeWorkflowId, false)
setIsDebugging(activeWorkflowId, false)
setActiveBlocks(activeWorkflowId, new Set())
}
let notificationMessage = WORKFLOW_EXECUTION_FAILURE_MESSAGE
if (isRecord(error) && isRecord(error.request) && sanitizeMessage(error.request.url)) {
@@ -1706,8 +1710,8 @@ export function useWorkflowExecution() {
const handleCancelExecution = useCallback(() => {
logger.info('Workflow execution cancellation requested')
// Cancel the execution stream (server-side)
executionStream.cancel()
// Cancel the execution stream for this workflow (server-side)
executionStream.cancel(activeWorkflowId ?? undefined)
// Mark current chat execution as superseded so its cleanup won't affect new executions
currentChatExecutionIdRef.current = null
@@ -1715,12 +1719,12 @@ export function useWorkflowExecution() {
// Mark all running entries as canceled in the terminal
if (activeWorkflowId) {
cancelRunningEntries(activeWorkflowId)
}
// Reset execution state - this triggers chat stream cleanup via useEffect in chat.tsx
setIsExecuting(false)
setIsDebugging(false)
setActiveBlocks(new Set())
// Reset execution state - this triggers chat stream cleanup via useEffect in chat.tsx
setIsExecuting(activeWorkflowId, false)
setIsDebugging(activeWorkflowId, false)
setActiveBlocks(activeWorkflowId, new Set())
}
// If in debug mode, also reset debug state
if (isDebugging) {
@@ -1833,7 +1837,7 @@ export function useWorkflowExecution() {
}
}
setIsExecuting(true)
setIsExecuting(workflowId, true)
const executionId = uuidv4()
const accumulatedBlockLogs: BlockLog[] = []
const accumulatedBlockStates = new Map<string, BlockState>()
@@ -1929,8 +1933,8 @@ export function useWorkflowExecution() {
logger.error('Run-from-block failed:', error)
}
} finally {
setIsExecuting(false)
setActiveBlocks(new Set())
setIsExecuting(workflowId, false)
setActiveBlocks(workflowId, new Set())
}
},
[
@@ -1962,7 +1966,7 @@ export function useWorkflowExecution() {
logger.info('Starting run-until-block execution', { workflowId, stopAfterBlockId: blockId })
setExecutionResult(null)
setIsExecuting(true)
setIsExecuting(workflowId, true)
const executionId = uuidv4()
try {
@@ -1981,9 +1985,9 @@ export function useWorkflowExecution() {
const errorResult = handleExecutionError(error, { executionId })
return errorResult
} finally {
setIsExecuting(false)
setIsDebugging(false)
setActiveBlocks(new Set())
setIsExecuting(workflowId, false)
setIsDebugging(workflowId, false)
setActiveBlocks(workflowId, new Set())
}
},
[activeWorkflowId, setExecutionResult, setIsExecuting, setIsDebugging, setActiveBlocks]

15
apps/sim/app/workspace/[workspaceId]/w/[workflowId]/utils/workflow-execution-utils.ts
View File

@@ -35,6 +35,7 @@ export async function executeWorkflowWithFullLogging(
const executionId = options.executionId || uuidv4()
const { addConsole } = useTerminalConsoleStore.getState()
const { setActiveBlocks, setBlockRunStatus, setEdgeRunStatus } = useExecutionStore.getState()
const wfId = activeWorkflowId
const workflowEdges = useWorkflowStore.getState().edges
const activeBlocksSet = new Set<string>()
@@ -103,22 +104,22 @@ export async function executeWorkflowWithFullLogging(
switch (event.type) {
case 'block:started': {
activeBlocksSet.add(event.data.blockId)
setActiveBlocks(new Set(activeBlocksSet))
setActiveBlocks(wfId, new Set(activeBlocksSet))
const incomingEdges = workflowEdges.filter(
(edge) => edge.target === event.data.blockId
)
incomingEdges.forEach((edge) => {
setEdgeRunStatus(edge.id, 'success')
setEdgeRunStatus(wfId, edge.id, 'success')
})
break
}
case 'block:completed':
activeBlocksSet.delete(event.data.blockId)
setActiveBlocks(new Set(activeBlocksSet))
setActiveBlocks(wfId, new Set(activeBlocksSet))
setBlockRunStatus(event.data.blockId, 'success')
setBlockRunStatus(wfId, event.data.blockId, 'success')
addConsole({
input: event.data.input || {},
@@ -145,9 +146,9 @@ export async function executeWorkflowWithFullLogging(
case 'block:error':
activeBlocksSet.delete(event.data.blockId)
setActiveBlocks(new Set(activeBlocksSet))
setActiveBlocks(wfId, new Set(activeBlocksSet))
setBlockRunStatus(event.data.blockId, 'error')
setBlockRunStatus(wfId, event.data.blockId, 'error')
addConsole({
input: event.data.input || {},
@@ -192,7 +193,7 @@ export async function executeWorkflowWithFullLogging(
}
} finally {
reader.releaseLock()
setActiveBlocks(new Set())
setActiveBlocks(wfId, new Set())
}
return executionResult

24
apps/sim/app/workspace/[workspaceId]/w/[workflowId]/workflow.tsx
View File

@@ -74,7 +74,7 @@ import { useStreamCleanup } from '@/hooks/use-stream-cleanup'
import { useCanvasModeStore } from '@/stores/canvas-mode'
import { useChatStore } from '@/stores/chat/store'
import { useCopilotTrainingStore } from '@/stores/copilot-training/store'
import { useExecutionStore } from '@/stores/execution'
import { defaultWorkflowExecutionState, useExecutionStore } from '@/stores/execution'
import { useSearchModalStore } from '@/stores/modals/search/store'
import { useNotificationStore } from '@/stores/notifications'
import { useCopilotStore, usePanelEditorStore } from '@/stores/panel'
@@ -740,16 +740,18 @@ const WorkflowContent = React.memo(() => {
[collaborativeBatchAddBlocks, setSelectedEdges, setPendingSelection]
)
const { activeBlockIds, pendingBlocks, isDebugging, isExecuting, getLastExecutionSnapshot } =
useExecutionStore(
useShallow((state) => ({
activeBlockIds: state.activeBlockIds,
pendingBlocks: state.pendingBlocks,
isDebugging: state.isDebugging,
isExecuting: state.isExecuting,
getLastExecutionSnapshot: state.getLastExecutionSnapshot,
}))
)
const { activeBlockIds, pendingBlocks, isDebugging, isExecuting } = useExecutionStore(
useShallow((state) => {
const wf = activeWorkflowId ? state.workflowExecutions.get(activeWorkflowId) : undefined
return {
activeBlockIds: wf?.activeBlockIds ?? defaultWorkflowExecutionState.activeBlockIds,
pendingBlocks: wf?.pendingBlocks ?? defaultWorkflowExecutionState.pendingBlocks,
isDebugging: wf?.isDebugging ?? false,
isExecuting: wf?.isExecuting ?? false,
}
})
)
const getLastExecutionSnapshot = useExecutionStore((s) => s.getLastExecutionSnapshot)
const [dragStartParentId, setDragStartParentId] = useState<string | null>(null)

10
apps/sim/app/workspace/[workspaceId]/w/components/sidebar/components/settings-modal/components/custom-tools/custom-tools.tsx
View File

@@ -6,7 +6,6 @@ import { Plus, Search } from 'lucide-react'
import { useParams } from 'next/navigation'
import { Button, Modal, ModalBody, ModalContent, ModalFooter, ModalHeader } from '@/components/emcn'
import { Input, Skeleton } from '@/components/ui'
import { cn } from '@/lib/core/utils/cn'
import { CustomToolModal } from '@/app/workspace/[workspaceId]/w/[workflowId]/components/panel/components/editor/components/sub-block/components/tool-input/components/custom-tool-modal/custom-tool-modal'
import { useCustomTools, useDeleteCustomTool } from '@/hooks/queries/custom-tools'
@@ -103,12 +102,7 @@ export function CustomTools() {
<>
<div className='flex h-full flex-col gap-[16px]'>
<div className='flex items-center gap-[8px]'>
<div
className={cn(
'flex flex-1 items-center gap-[8px] rounded-[8px] border border-[var(--border)] bg-transparent px-[8px] py-[5px] transition-colors duration-100 dark:bg-[var(--surface-4)] dark:hover:border-[var(--border-1)] dark:hover:bg-[var(--surface-5)]',
isLoading && 'opacity-50'
)}
>
<div className='flex flex-1 items-center gap-[8px] rounded-[8px] border border-[var(--border)] bg-transparent px-[8px] py-[5px] transition-colors duration-100 dark:bg-[var(--surface-4)] dark:hover:border-[var(--border-1)] dark:hover:bg-[var(--surface-5)]'>
<Search
className='h-[14px] w-[14px] flex-shrink-0 text-[var(--text-tertiary)]'
strokeWidth={2}
@@ -118,7 +112,7 @@ export function CustomTools() {
value={searchTerm}
onChange={(e) => setSearchTerm(e.target.value)}
disabled={isLoading}
className='h-auto flex-1 border-0 bg-transparent p-0 font-base leading-none placeholder:text-[var(--text-tertiary)] focus-visible:ring-0 focus-visible:ring-offset-0 disabled:cursor-not-allowed disabled:opacity-100'
className='h-auto flex-1 border-0 bg-transparent p-0 font-base leading-none placeholder:text-[var(--text-tertiary)] focus-visible:ring-0 focus-visible:ring-offset-0'
/>
</div>
<Button onClick={() => setShowAddForm(true)} disabled={isLoading} variant='tertiary'>

391
apps/sim/app/workspace/[workspaceId]/w/components/sidebar/components/settings-modal/components/mcp/mcp.tsx
View File

@@ -38,6 +38,7 @@ import {
useMcpToolsQuery,
useRefreshMcpServer,
useStoredMcpTools,
useUpdateMcpServer,
} from '@/hooks/queries/mcp'
import { useAvailableEnvVarKeys } from '@/hooks/use-available-env-vars'
import { useWorkflowRegistry } from '@/stores/workflows/registry/store'
@@ -96,6 +97,8 @@ interface McpServer {
name?: string
transport?: string
url?: string
headers?: Record<string, string>
enabled?: boolean
connectionStatus?: 'connected' | 'disconnected' | 'error'
lastError?: string | null
lastConnected?: string
@@ -378,6 +381,13 @@ export function MCP({ initialServerId }: MCPProps) {
const deleteServerMutation = useDeleteMcpServer()
const refreshServerMutation = useRefreshMcpServer()
const { testResult, isTestingConnection, testConnection, clearTestResult } = useMcpServerTest()
const updateServerMutation = useUpdateMcpServer()
const {
testResult: editTestResult,
isTestingConnection: isEditTestingConnection,
testConnection: editTestConnection,
clearTestResult: clearEditTestResult,
} = useMcpServerTest()
const availableEnvVars = useAvailableEnvVarKeys(workspaceId)
const urlInputRef = useRef<HTMLInputElement>(null)
@@ -407,6 +417,19 @@ export function MCP({ initialServerId }: MCPProps) {
const [urlScrollLeft, setUrlScrollLeft] = useState(0)
const [headerScrollLeft, setHeaderScrollLeft] = useState<Record<string, number>>({})
const [showEditModal, setShowEditModal] = useState(false)
const [editFormData, setEditFormData] = useState<McpServerFormData>(DEFAULT_FORM_DATA)
const [editOriginalData, setEditOriginalData] = useState<McpServerFormData>(DEFAULT_FORM_DATA)
const [isUpdatingServer, setIsUpdatingServer] = useState(false)
const [editSaveError, setEditSaveError] = useState<string | null>(null)
const [editShowEnvVars, setEditShowEnvVars] = useState(false)
const [editEnvSearchTerm, setEditEnvSearchTerm] = useState('')
const [editCursorPosition, setEditCursorPosition] = useState(0)
const [editActiveInputField, setEditActiveInputField] = useState<InputFieldType | null>(null)
const [editActiveHeaderIndex, setEditActiveHeaderIndex] = useState<number | null>(null)
const [editUrlScrollLeft, setEditUrlScrollLeft] = useState(0)
const [editHeaderScrollLeft, setEditHeaderScrollLeft] = useState<Record<string, number>>({})
useEffect(() => {
if (initialServerId && servers.some((s) => s.id === initialServerId)) {
setSelectedServerId(initialServerId)
@@ -757,6 +780,215 @@ export function MCP({ initialServerId }: MCPProps) {
[refreshServerMutation, workspaceId]
)
/**
* Resets edit modal environment variable dropdown state.
*/
const resetEditEnvVarState = useCallback(() => {
setEditShowEnvVars(false)
setEditActiveInputField(null)
setEditActiveHeaderIndex(null)
}, [])
/**
* Opens the edit modal and populates form with current server data.
*/
const handleOpenEditModal = useCallback(
(server: McpServer) => {
const headers: HeaderEntry[] = server.headers
? Object.entries(server.headers).map(([key, value]) => ({ key, value }))
: [{ key: '', value: '' }]
if (headers.length === 0) headers.push({ key: '', value: '' })
const data: McpServerFormData = {
name: server.name || '',
transport: (server.transport as McpTransport) || 'streamable-http',
url: server.url || '',
timeout: 30000,
headers,
}
setEditFormData(data)
setEditOriginalData(JSON.parse(JSON.stringify(data)))
setShowEditModal(true)
setEditSaveError(null)
clearEditTestResult()
resetEditEnvVarState()
setEditUrlScrollLeft(0)
setEditHeaderScrollLeft({})
},
[clearEditTestResult, resetEditEnvVarState]
)
/**
* Closes the edit modal and resets state.
*/
const handleCloseEditModal = useCallback(() => {
setShowEditModal(false)
setEditFormData(DEFAULT_FORM_DATA)
setEditOriginalData(DEFAULT_FORM_DATA)
setEditSaveError(null)
clearEditTestResult()
resetEditEnvVarState()
}, [clearEditTestResult, resetEditEnvVarState])
/**
* Handles environment variable selection in the edit modal.
*/
const handleEditEnvVarSelect = useCallback(
(newValue: string) => {
if (editActiveInputField === 'url') {
setEditFormData((prev) => ({ ...prev, url: newValue }))
} else if (editActiveHeaderIndex !== null) {
const field = editActiveInputField === 'header-key' ? 'key' : 'value'
const processedValue = field === 'key' ? newValue.replace(/[{}]/g, '') : newValue
setEditFormData((prev) => {
const newHeaders = [...(prev.headers || [])]
if (newHeaders[editActiveHeaderIndex]) {
newHeaders[editActiveHeaderIndex] = {
...newHeaders[editActiveHeaderIndex],
[field]: processedValue,
}
}
return { ...prev, headers: newHeaders }
})
}
resetEditEnvVarState()
},
[editActiveInputField, editActiveHeaderIndex, resetEditEnvVarState]
)
/**
* Handles input changes in the edit modal and manages env var dropdown.
*/
const handleEditInputChange = useCallback(
(field: InputFieldType, value: string, headerIndex?: number) => {
const input = document.activeElement as HTMLInputElement
const pos = input?.selectionStart || 0
setEditCursorPosition(pos)
if (editTestResult) {
clearEditTestResult()
}
const envVarTrigger = checkEnvVarTrigger(value, pos)
setEditShowEnvVars(envVarTrigger.show)
setEditEnvSearchTerm(envVarTrigger.show ? envVarTrigger.searchTerm : '')
if (envVarTrigger.show) {
setEditActiveInputField(field)
setEditActiveHeaderIndex(headerIndex ?? null)
} else {
resetEditEnvVarState()
}
if (field === 'url') {
setEditFormData((prev) => ({ ...prev, url: value }))
} else if (headerIndex !== undefined) {
const headerField = field === 'header-key' ? 'key' : 'value'
setEditFormData((prev) => {
const newHeaders = [...(prev.headers || [])]
if (newHeaders[headerIndex]) {
newHeaders[headerIndex] = { ...newHeaders[headerIndex], [headerField]: value }
}
return { ...prev, headers: newHeaders }
})
}
},
[editTestResult, clearEditTestResult, resetEditEnvVarState]
)
const handleEditHeaderScroll = useCallback((key: string, scrollLeft: number) => {
setEditHeaderScrollLeft((prev) => ({ ...prev, [key]: scrollLeft }))
}, [])
const handleEditAddHeader = useCallback(() => {
setEditFormData((prev) => ({
...prev,
headers: [...(prev.headers || []), { key: '', value: '' }],
}))
}, [])
const handleEditRemoveHeader = useCallback((index: number) => {
setEditFormData((prev) => ({
...prev,
headers: (prev.headers || []).filter((_, i) => i !== index),
}))
}, [])
/**
* Tests the connection with the edit modal's form data.
*/
const handleEditTestConnection = useCallback(async () => {
if (!editFormData.name.trim() || !editFormData.url?.trim()) return
await editTestConnection({
name: editFormData.name,
transport: editFormData.transport,
url: editFormData.url,
headers: headersToRecord(editFormData.headers),
timeout: editFormData.timeout,
workspaceId,
})
}, [editFormData, editTestConnection, workspaceId, headersToRecord])
/**
* Saves the edited MCP server after validating and testing the connection.
*/
const handleSaveEdit = useCallback(async () => {
if (!selectedServerId || !editFormData.name.trim()) return
setEditSaveError(null)
try {
const headersRecord = headersToRecord(editFormData.headers)
const serverConfig = {
name: editFormData.name,
transport: editFormData.transport,
url: editFormData.url,
headers: headersRecord,
timeout: editFormData.timeout,
workspaceId,
}
const connectionResult = await editTestConnection(serverConfig)
if (!connectionResult.success) {
setEditSaveError(connectionResult.error || 'Connection test failed')
return
}
setIsUpdatingServer(true)
const currentServer = servers.find((s) => s.id === selectedServerId)
await updateServerMutation.mutateAsync({
workspaceId,
serverId: selectedServerId,
updates: {
name: editFormData.name.trim(),
transport: editFormData.transport,
url: editFormData.url,
headers: headersRecord,
timeout: editFormData.timeout || 30000,
enabled: currentServer?.enabled ?? true,
},
})
setShowEditModal(false)
logger.info(`Updated MCP server: ${editFormData.name}`)
} catch (error) {
const message = error instanceof Error ? error.message : 'Failed to update server'
setEditSaveError(message)
logger.error('Failed to update MCP server:', error)
} finally {
setIsUpdatingServer(false)
}
}, [
selectedServerId,
editFormData,
editTestConnection,
updateServerMutation,
workspaceId,
headersToRecord,
servers,
])
/**
* Gets the selected server and its tools for the detail view.
*/
@@ -777,6 +1009,26 @@ export function MCP({ initialServerId }: MCPProps) {
const isSubmitDisabled = serversLoading || isAddingServer || !isFormValid
const testButtonLabel = getTestButtonLabel(testResult, isTestingConnection)
const isEditFormValid = editFormData.name.trim() && editFormData.url?.trim()
const editTestButtonLabel = getTestButtonLabel(editTestResult, isEditTestingConnection)
const hasEditChanges = useMemo(() => {
if (editFormData.name !== editOriginalData.name) return true
if (editFormData.url !== editOriginalData.url) return true
if (editFormData.transport !== editOriginalData.transport) return true
const currentHeaders = editFormData.headers || []
const originalHeaders = editOriginalData.headers || []
if (currentHeaders.length !== originalHeaders.length) return true
for (let i = 0; i < currentHeaders.length; i++) {
if (
currentHeaders[i].key !== originalHeaders[i].key ||
currentHeaders[i].value !== originalHeaders[i].value
)
return true
}
return false
}, [editFormData, editOriginalData])
/**
* Gets issues for stored tools that reference a specific server tool.
* Returns issues from all workflows that have stored this tool.
@@ -905,7 +1157,6 @@ export function MCP({ initialServerId }: MCPProps) {
<Badge
variant={getIssueBadgeVariant(issues[0].issue)}
size='sm'
className='cursor-help'
>
{getIssueBadgeLabel(issues[0].issue)}
</Badge>
@@ -991,23 +1242,135 @@ export function MCP({ initialServerId }: MCPProps) {
</div>
<div className='mt-auto flex items-center justify-between'>
<Button
onClick={() => handleRefreshServer(server.id)}
variant='default'
disabled={!!refreshingServers[server.id]}
>
{refreshingServers[server.id]?.status === 'refreshing'
? 'Refreshing...'
: refreshingServers[server.id]?.status === 'refreshed'
? refreshingServers[server.id].workflowsUpdated
? `Synced (${refreshingServers[server.id].workflowsUpdated} workflow${refreshingServers[server.id].workflowsUpdated === 1 ? '' : 's'})`
: 'Refreshed'
: 'Refresh Tools'}
</Button>
<div className='flex items-center gap-[8px]'>
<Button
onClick={() => handleRefreshServer(server.id)}
variant='default'
disabled={!!refreshingServers[server.id]}
>
{refreshingServers[server.id]?.status === 'refreshing'
? 'Refreshing...'
: refreshingServers[server.id]?.status === 'refreshed'
? refreshingServers[server.id].workflowsUpdated
? `Synced (${refreshingServers[server.id].workflowsUpdated} workflow${refreshingServers[server.id].workflowsUpdated === 1 ? '' : 's'})`
: 'Refreshed'
: 'Refresh Tools'}
</Button>
<Button onClick={() => handleOpenEditModal(server)} variant='default'>
Edit
</Button>
</div>
<Button onClick={handleBackToList} variant='tertiary'>
Back
</Button>
</div>
<Modal open={showEditModal} onOpenChange={setShowEditModal}>
<ModalContent>
<ModalHeader>Edit MCP Server</ModalHeader>
<ModalBody>
<div className='flex flex-col gap-[8px]'>
<FormField label='Server Name'>
<EmcnInput
placeholder='e.g., My MCP Server'
value={editFormData.name}
onChange={(e) => {
if (editTestResult) clearEditTestResult()
setEditFormData((prev) => ({ ...prev, name: e.target.value }))
}}
className='h-9'
/>
</FormField>
<FormField label='Server URL'>
<FormattedInput
placeholder='https://mcp.server.dev/{{YOUR_API_KEY}}/sse'
value={editFormData.url || ''}
scrollLeft={editUrlScrollLeft}
showEnvVars={editShowEnvVars && editActiveInputField === 'url'}
envVarProps={{
searchTerm: editEnvSearchTerm,
cursorPosition: editCursorPosition,
workspaceId,
onSelect: handleEditEnvVarSelect,
onClose: resetEditEnvVarState,
}}
availableEnvVars={availableEnvVars}
onChange={(e) => handleEditInputChange('url', e.target.value)}
onScroll={setEditUrlScrollLeft}
/>
</FormField>
<div className='flex flex-col gap-[8px]'>
<div className='flex items-center justify-between'>
<span className='font-medium text-[13px] text-[var(--text-secondary)]'>
Headers
</span>
<Button
type='button'
variant='ghost'
onClick={handleEditAddHeader}
className='h-6 w-6 p-0'
>
<Plus className='h-3 w-3' />
</Button>
</div>
<div className='flex max-h-[140px] flex-col gap-[8px] overflow-y-auto'>
{(editFormData.headers || []).map((header, index) => (
<HeaderRow
key={index}
header={header}
index={index}
headerScrollLeft={editHeaderScrollLeft}
showEnvVars={editShowEnvVars}
activeInputField={editActiveInputField}
activeHeaderIndex={editActiveHeaderIndex}
envSearchTerm={editEnvSearchTerm}
cursorPosition={editCursorPosition}
workspaceId={workspaceId}
availableEnvVars={availableEnvVars}
onInputChange={handleEditInputChange}
onHeaderScroll={handleEditHeaderScroll}
onEnvVarSelect={handleEditEnvVarSelect}
onEnvVarClose={resetEditEnvVarState}
onRemove={() => handleEditRemoveHeader(index)}
/>
))}
</div>
</div>
</div>
</ModalBody>
<ModalFooter>
{editSaveError && (
<p className='mb-[8px] w-full text-[12px] text-[var(--text-error)]'>
{editSaveError}
</p>
)}
<div className='flex w-full items-center justify-between'>
<Button
variant='default'
onClick={handleEditTestConnection}
disabled={isEditTestingConnection || !isEditFormValid}
>
{editTestButtonLabel}
</Button>
<div className='flex items-center gap-[8px]'>
<Button variant='ghost' onClick={handleCloseEditModal}>
Cancel
</Button>
<Button
onClick={handleSaveEdit}
disabled={!hasEditChanges || isUpdatingServer || !isEditFormValid}
variant='tertiary'
>
{isUpdatingServer ? 'Saving...' : 'Save'}
</Button>
</div>
</div>
</ModalFooter>
</ModalContent>
</Modal>
</div>
)
}

26
apps/sim/app/workspace/[workspaceId]/w/components/sidebar/components/settings-modal/components/skills/components/skill-modal.tsx
View File

@@ -1,7 +1,7 @@
'use client'
import type { ChangeEvent } from 'react'
import { useEffect, useMemo, useState } from 'react'
import { useMemo, useState } from 'react'
import { useParams } from 'next/navigation'
import {
Button,
@@ -52,21 +52,17 @@ export function SkillModal({
const [content, setContent] = useState('')
const [errors, setErrors] = useState<FieldErrors>({})
const [saving, setSaving] = useState(false)
const [prevOpen, setPrevOpen] = useState(false)
const [prevInitialValues, setPrevInitialValues] = useState(initialValues)
useEffect(() => {
if (open) {
if (initialValues) {
setName(initialValues.name)
setDescription(initialValues.description)
setContent(initialValues.content)
} else {
setName('')
setDescription('')
setContent('')
}
setErrors({})
}
}, [open, initialValues])
if ((open && !prevOpen) || (open && initialValues !== prevInitialValues)) {
setName(initialValues?.name ?? '')
setDescription(initialValues?.description ?? '')
setContent(initialValues?.content ?? '')
setErrors({})
}
if (open !== prevOpen) setPrevOpen(open)
if (initialValues !== prevInitialValues) setPrevInitialValues(initialValues)
const hasChanges = useMemo(() => {
if (!initialValues) return true

22
apps/sim/app/workspace/[workspaceId]/w/components/sidebar/components/settings-modal/components/skills/skills.tsx
View File

@@ -4,17 +4,8 @@ import { useState } from 'react'
import { createLogger } from '@sim/logger'
import { Plus, Search } from 'lucide-react'
import { useParams } from 'next/navigation'
import {
Button,
Input,
Modal,
ModalBody,
ModalContent,
ModalFooter,
ModalHeader,
} from '@/components/emcn'
import { Skeleton } from '@/components/ui'
import { cn } from '@/lib/core/utils/cn'
import { Button, Modal, ModalBody, ModalContent, ModalFooter, ModalHeader } from '@/components/emcn'
import { Input, Skeleton } from '@/components/ui'
import { SkillModal } from '@/app/workspace/[workspaceId]/w/components/sidebar/components/settings-modal/components/skills/components/skill-modal'
import type { SkillDefinition } from '@/hooks/queries/skills'
import { useDeleteSkill, useSkills } from '@/hooks/queries/skills'
@@ -105,12 +96,7 @@ export function Skills() {
<>
<div className='flex h-full flex-col gap-[16px]'>
<div className='flex items-center gap-[8px]'>
<div
className={cn(
'flex flex-1 items-center gap-[8px] rounded-[8px] border border-[var(--border)] bg-transparent px-[8px] py-[5px] transition-colors duration-100 dark:bg-[var(--surface-4)] dark:hover:border-[var(--border-1)] dark:hover:bg-[var(--surface-5)]',
isLoading && 'opacity-50'
)}
>
<div className='flex flex-1 items-center gap-[8px] rounded-[8px] border border-[var(--border)] bg-transparent px-[8px] py-[5px] transition-colors duration-100 dark:bg-[var(--surface-4)] dark:hover:border-[var(--border-1)] dark:hover:bg-[var(--surface-5)]'>
<Search
className='h-[14px] w-[14px] flex-shrink-0 text-[var(--text-tertiary)]'
strokeWidth={2}
@@ -120,7 +106,7 @@ export function Skills() {
value={searchTerm}
onChange={(e) => setSearchTerm(e.target.value)}
disabled={isLoading}
className='h-auto flex-1 border-0 bg-transparent p-0 font-base leading-none placeholder:text-[var(--text-tertiary)] focus-visible:ring-0 focus-visible:ring-offset-0 disabled:cursor-not-allowed disabled:opacity-100'
className='h-auto flex-1 border-0 bg-transparent p-0 font-base leading-none placeholder:text-[var(--text-tertiary)] focus-visible:ring-0 focus-visible:ring-offset-0'
/>
</div>
<Button onClick={() => setShowAddForm(true)} disabled={isLoading} variant='tertiary'>

111
apps/sim/app/workspace/[workspaceId]/w/components/sidebar/components/settings-modal/components/team-management/components/member-invitation-card/member-invitation-card.tsx
View File

@@ -1,17 +1,18 @@
'use client'
import React, { useState } from 'react'
import React from 'react'
import { ChevronDown } from 'lucide-react'
import {
Button,
ButtonGroup,
ButtonGroupItem,
Checkbox,
Input,
Popover,
PopoverContent,
PopoverItem,
PopoverTrigger,
TagInput,
type TagItem,
} from '@/components/emcn'
import { cn } from '@/lib/core/utils/cn'
import { quickValidateEmail } from '@/lib/messaging/email/validation'
@@ -64,8 +65,8 @@ const PermissionSelector = React.memo<PermissionSelectorProps>(
PermissionSelector.displayName = 'PermissionSelector'
interface MemberInvitationCardProps {
inviteEmail: string
setInviteEmail: (email: string) => void
inviteEmails: TagItem[]
setInviteEmails: (emails: TagItem[]) => void
isInviting: boolean
showWorkspaceInvite: boolean
setShowWorkspaceInvite: (show: boolean) => void
@@ -82,8 +83,8 @@ interface MemberInvitationCardProps {
}
export function MemberInvitationCard({
inviteEmail,
setInviteEmail,
inviteEmails,
setInviteEmails,
isInviting,
showWorkspaceInvite,
setShowWorkspaceInvite,
@@ -100,45 +101,26 @@ export function MemberInvitationCard({
}: MemberInvitationCardProps) {
const selectedCount = selectedWorkspaces.length
const hasAvailableSeats = availableSeats > 0
const [emailError, setEmailError] = useState<string>('')
const hasValidEmails = inviteEmails.some((e) => e.isValid)
const validateEmailInput = (email: string) => {
if (!email.trim()) {
setEmailError('')
return
}
const handleAddEmail = (value: string) => {
const normalized = value.trim().toLowerCase()
if (!normalized) return false
const validation = quickValidateEmail(email.trim())
if (!validation.isValid) {
setEmailError(validation.reason || 'Please enter a valid email address')
} else {
setEmailError('')
}
const isDuplicate = inviteEmails.some((e) => e.value === normalized)
if (isDuplicate) return false
const validation = quickValidateEmail(normalized)
setInviteEmails([...inviteEmails, { value: normalized, isValid: validation.isValid }])
return validation.isValid
}
const handleEmailChange = (e: React.ChangeEvent<HTMLInputElement>) => {
const value = e.target.value
setInviteEmail(value)
if (emailError) {
setEmailError('')
}
}
const handleInviteClick = () => {
if (inviteEmail.trim()) {
validateEmailInput(inviteEmail)
const validation = quickValidateEmail(inviteEmail.trim())
if (!validation.isValid) {
return // Don't proceed if validation fails
}
}
onInviteMember()
const handleRemoveEmail = (_value: string, index: number) => {
setInviteEmails(inviteEmails.filter((_, i) => i !== index))
}
return (
<div className='overflow-hidden rounded-[6px] border border-[var(--border-1)] bg-[var(--surface-5)]'>
{/* Header */}
<div className='px-[14px] py-[10px]'>
<h4 className='font-medium text-[14px] text-[var(--text-primary)]'>Invite Team Members</h4>
<p className='text-[12px] text-[var(--text-muted)]'>
@@ -147,46 +129,18 @@ export function MemberInvitationCard({
</div>
<div className='flex flex-col gap-[12px] border-[var(--border-1)] border-t bg-[var(--surface-4)] px-[14px] py-[12px]'>
{/* Main invitation input */}
<div className='flex items-start gap-[8px]'>
<div className='flex-1'>
{/* Hidden decoy fields to prevent browser autofill */}
<input
type='text'
name='fakeusernameremembered'
autoComplete='username'
style={{ position: 'absolute', left: '-9999px', opacity: 0, pointerEvents: 'none' }}
tabIndex={-1}
readOnly
/>
<input
type='email'
name='fakeemailremembered'
autoComplete='email'
style={{ position: 'absolute', left: '-9999px', opacity: 0, pointerEvents: 'none' }}
tabIndex={-1}
readOnly
/>
<Input
placeholder='Enter email address'
value={inviteEmail}
onChange={handleEmailChange}
<TagInput
items={inviteEmails}
onAdd={handleAddEmail}
onRemove={handleRemoveEmail}
placeholder='Enter email addresses'
placeholderWithTags='Add another email'
disabled={isInviting || !hasAvailableSeats}
className={cn(emailError && 'border-red-500 focus-visible:ring-red-500')}
name='member_invite_field'
autoComplete='off'
autoCorrect='off'
autoCapitalize='off'
spellCheck={false}
data-lpignore='true'
data-form-type='other'
aria-autocomplete='none'
triggerKeys={['Enter', ',', ' ']}
maxHeight='max-h-24'
/>
{emailError && (
<p className='mt-1 text-[12px] text-[var(--text-error)] leading-tight'>
{emailError}
</p>
)}
</div>
<Popover
open={showWorkspaceInvite}
@@ -220,8 +174,9 @@ export function MemberInvitationCard({
align='end'
maxHeight={320}
sideOffset={4}
className='w-[240px] border border-[var(--border-muted)] [scrollbar-width:none] [&::-webkit-scrollbar]:hidden'
style={{ minWidth: '240px', maxWidth: '240px' }}
minWidth={240}
maxWidth={240}
border
>
{isLoadingWorkspaces ? (
<div className='px-[6px] py-[16px] text-center'>
@@ -286,14 +241,13 @@ export function MemberInvitationCard({
</Popover>
<Button
variant='tertiary'
onClick={handleInviteClick}
disabled={!inviteEmail || isInviting || !hasAvailableSeats}
onClick={() => onInviteMember()}
disabled={!hasValidEmails || isInviting || !hasAvailableSeats}
>
{isInviting ? 'Inviting...' : hasAvailableSeats ? 'Invite' : 'No Seats'}
</Button>
</div>
{/* Invitation error - inline */}
{invitationError && (
<p className='text-[12px] text-[var(--text-error)] leading-tight'>
{invitationError instanceof Error && invitationError.message
@@ -302,7 +256,6 @@ export function MemberInvitationCard({
</p>
)}
{/* Success message */}
{inviteSuccess && (
<p className='text-[11px] text-[var(--text-success)] leading-tight'>
Invitation sent successfully

20
apps/sim/app/workspace/[workspaceId]/w/components/sidebar/components/settings-modal/components/team-management/team-management.tsx
View File

@@ -2,6 +2,7 @@
import { useCallback, useEffect, useState } from 'react'
import { createLogger } from '@sim/logger'
import type { TagItem } from '@/components/emcn'
import { Skeleton } from '@/components/ui'
import { useSession } from '@/lib/auth/auth-client'
import { DEFAULT_TEAM_TIER_COST_LIMIT } from '@/lib/billing/constants'
@@ -69,7 +70,7 @@ export function TeamManagement() {
const [inviteSuccess, setInviteSuccess] = useState(false)
const [inviteEmail, setInviteEmail] = useState('')
const [inviteEmails, setInviteEmails] = useState<TagItem[]>([])
const [showWorkspaceInvite, setShowWorkspaceInvite] = useState(false)
const [selectedWorkspaces, setSelectedWorkspaces] = useState<
Array<{ workspaceId: string; permission: string }>
@@ -129,7 +130,8 @@ export function TeamManagement() {
}, [orgName, orgSlug, createOrgMutation])
const handleInviteMember = useCallback(async () => {
if (!session?.user || !activeOrganization?.id || !inviteEmail.trim()) return
const validEmails = inviteEmails.filter((e) => e.isValid).map((e) => e.value)
if (!session?.user || !activeOrganization?.id || validEmails.length === 0) return
try {
const workspaceInvitations =
@@ -141,23 +143,21 @@ export function TeamManagement() {
: undefined
await inviteMutation.mutateAsync({
email: inviteEmail.trim(),
emails: validEmails,
orgId: activeOrganization.id,
workspaceInvitations,
})
// Show success state
setInviteSuccess(true)
setTimeout(() => setInviteSuccess(false), 3000)
// Reset form
setInviteEmail('')
setInviteEmails([])
setSelectedWorkspaces([])
setShowWorkspaceInvite(false)
} catch (error) {
logger.error('Failed to invite member', error)
}
}, [session?.user?.id, activeOrganization?.id, inviteEmail, selectedWorkspaces, inviteMutation])
}, [session?.user?.id, activeOrganization?.id, inviteEmails, selectedWorkspaces, inviteMutation])
const handleWorkspaceToggle = useCallback((workspaceId: string, permission: string) => {
setSelectedWorkspaces((prev) => {
@@ -391,15 +391,15 @@ export function TeamManagement() {
{adminOrOwner && !isInvitationsDisabled && (
<div>
<MemberInvitationCard
inviteEmail={inviteEmail}
setInviteEmail={setInviteEmail}
inviteEmails={inviteEmails}
setInviteEmails={setInviteEmails}
isInviting={inviteMutation.isPending}
showWorkspaceInvite={showWorkspaceInvite}
setShowWorkspaceInvite={setShowWorkspaceInvite}
selectedWorkspaces={selectedWorkspaces}
userWorkspaces={adminWorkspaces}
onInviteMember={handleInviteMember}
onLoadUserWorkspaces={async () => {}} // No-op: data is auto-loaded by React Query
onLoadUserWorkspaces={async () => {}}
onWorkspaceToggle={handleWorkspaceToggle}
inviteSuccess={inviteSuccess}
availableSeats={Math.max(0, totalSeats - usedSeats.used)}

Some files were not shown because too many files have changed in this diff Show More