v0.5.71: ux, ci improvements, docs updates

improvement(docs): add quick reference page and update SDK documentation (#2994 )
* docs(sdk): update README to reflect new interface * improvement(docs): add quick reference page and update SDK documentation * docs(copilot): update copilot documentation with all features
2026-01-25 14:58:14 -05:00 · 2026-01-25 03:08:08 -08:00 · 2026-01-25 02:21:02 -08:00 · 2026-01-25 00:50:09 -08:00 · 2026-01-24 22:33:04 -08:00 · 2026-01-24 22:13:57 -08:00
629 changed files with 31624 additions and 14418 deletions
--- a/.claude/rules/emcn-components.md
+++ b/.claude/rules/emcn-components.md
@@ -0,0 +1,35 @@
+---
+paths:
+  - "apps/sim/components/emcn/**"
+---
+
+# EMCN Components
+
+Import from `@/components/emcn`, never from subpaths (except CSS files).
+
+## CVA vs Direct Styles
+
+**Use CVA when:** 2+ variants (primary/secondary, sm/md/lg)
+
+```tsx
+const buttonVariants = cva('base-classes', {
+  variants: { variant: { default: '...', primary: '...' } }
+})
+export { Button, buttonVariants }
+```
+
+**Use direct className when:** Single consistent style, no variations
+
+```tsx
+function Label({ className, ...props }) {
+  return <Primitive className={cn('style-classes', className)} {...props} />
+}
+```
+
+## Rules
+
+- Use Radix UI primitives for accessibility
+- Export component and variants (if using CVA)
+- TSDoc with usage examples
+- Consistent tokens: `font-medium`, `text-[12px]`, `rounded-[4px]`
+- `transition-colors` for hover states
--- a/.claude/rules/global.md
+++ b/.claude/rules/global.md
@@ -0,0 +1,13 @@
+# Global Standards
+
+## Logging
+Import `createLogger` from `sim/logger`. Use `logger.info`, `logger.warn`, `logger.error` instead of `console.log`.
+
+## Comments
+Use TSDoc for documentation. No `====` separators. No non-TSDoc comments.
+
+## Styling
+Never update global styles. Keep all styling local to components.
+
+## Package Manager
+Use `bun` and `bunx`, not `npm` and `npx`.
--- a/.claude/rules/sim-architecture.md
+++ b/.claude/rules/sim-architecture.md
@@ -0,0 +1,56 @@
+---
+paths:
+  - "apps/sim/**"
+---
+
+# Sim App Architecture
+
+## Core Principles
+1. **Single Responsibility**: Each component, hook, store has one clear purpose
+2. **Composition Over Complexity**: Break down complex logic into smaller pieces
+3. **Type Safety First**: TypeScript interfaces for all props, state, return types
+4. **Predictable State**: Zustand for global state, useState for UI-only concerns
+
+## Root-Level Structure
+
+```
+apps/sim/
+├── app/                 # Next.js app router (pages, API routes)
+├── blocks/              # Block definitions and registry
+├── components/          # Shared UI (emcn/, ui/)
+├── executor/            # Workflow execution engine
+├── hooks/               # Shared hooks (queries/, selectors/)
+├── lib/                 # App-wide utilities
+├── providers/           # LLM provider integrations
+├── stores/              # Zustand stores
+├── tools/               # Tool definitions
+└── triggers/            # Trigger definitions
+```
+
+## Feature Organization
+
+Features live under `app/workspace/[workspaceId]/`:
+
+```
+feature/
+├── components/          # Feature components
+├── hooks/               # Feature-scoped hooks
+├── utils/               # Feature-scoped utilities (2+ consumers)
+├── feature.tsx          # Main component
+└── page.tsx             # Next.js page entry
+```
+
+## Naming Conventions
+- **Components**: PascalCase (`WorkflowList`)
+- **Hooks**: `use` prefix (`useWorkflowOperations`)
+- **Files**: kebab-case (`workflow-list.tsx`)
+- **Stores**: `stores/feature/store.ts`
+- **Constants**: SCREAMING_SNAKE_CASE
+- **Interfaces**: PascalCase with suffix (`WorkflowListProps`)
+
+## Utils Rules
+
+- **Never create `utils.ts` for single consumer** - inline it
+- **Create `utils.ts` when** 2+ files need the same helper
+- **Check existing sources** before duplicating (`lib/` has many utilities)
+- **Location**: `lib/` (app-wide) → `feature/utils/` (feature-scoped) → inline (single-use)
--- a/.claude/rules/sim-components.md
+++ b/.claude/rules/sim-components.md
@@ -0,0 +1,48 @@
+---
+paths:
+  - "apps/sim/**/*.tsx"
+---
+
+# Component Patterns
+
+## Structure Order
+
+```typescript
+'use client' // Only if using hooks
+
+// Imports (external → internal)
+// Constants at module level
+const CONFIG = { SPACING: 8 } as const
+
+// Props interface
+interface ComponentProps {
+  requiredProp: string
+  optionalProp?: boolean
+}
+
+export function Component({ requiredProp, optionalProp = false }: ComponentProps) {
+  // a. Refs
+  // b. External hooks (useParams, useRouter)
+  // c. Store hooks
+  // d. Custom hooks
+  // e. Local state
+  // f. useMemo
+  // g. useCallback
+  // h. useEffect
+  // i. Return JSX
+}
+```
+
+## Rules
+
+1. `'use client'` only when using React hooks
+2. Always define props interface
+3. Extract constants with `as const`
+4. Semantic HTML (`aside`, `nav`, `article`)
+5. Optional chain callbacks: `onAction?.(id)`
+
+## Component Extraction
+
+**Extract when:** 50+ lines, used in 2+ files, or has own state/logic
+
+**Keep inline when:** < 10 lines, single use, purely presentational
--- a/.claude/rules/sim-hooks.md
+++ b/.claude/rules/sim-hooks.md
@@ -0,0 +1,55 @@
+---
+paths:
+  - "apps/sim/**/use-*.ts"
+  - "apps/sim/**/hooks/**/*.ts"
+---
+
+# Hook Patterns
+
+## Structure
+
+```typescript
+interface UseFeatureProps {
+  id: string
+  onSuccess?: (result: Result) => void
+}
+
+export function useFeature({ id, onSuccess }: UseFeatureProps) {
+  // 1. Refs for stable dependencies
+  const idRef = useRef(id)
+  const onSuccessRef = useRef(onSuccess)
+
+  // 2. State
+  const [data, setData] = useState<Data | null>(null)
+  const [isLoading, setIsLoading] = useState(false)
+
+  // 3. Sync refs
+  useEffect(() => {
+    idRef.current = id
+    onSuccessRef.current = onSuccess
+  }, [id, onSuccess])
+
+  // 4. Operations (useCallback with empty deps when using refs)
+  const fetchData = useCallback(async () => {
+    setIsLoading(true)
+    try {
+      const result = await fetch(`/api/${idRef.current}`).then(r => r.json())
+      setData(result)
+      onSuccessRef.current?.(result)
+    } finally {
+      setIsLoading(false)
+    }
+  }, [])
+
+  return { data, isLoading, fetchData }
+}
+```
+
+## Rules
+
+1. Single responsibility per hook
+2. Props interface required
+3. Refs for stable callback dependencies
+4. Wrap returned functions in useCallback
+5. Always try/catch async operations
+6. Track loading/error states
--- a/.claude/rules/sim-imports.md
+++ b/.claude/rules/sim-imports.md
@@ -0,0 +1,62 @@
+---
+paths:
+  - "apps/sim/**/*.ts"
+  - "apps/sim/**/*.tsx"
+---
+
+# Import Patterns
+
+## Absolute Imports
+
+**Always use absolute imports.** Never use relative imports.
+
+```typescript
+// ✓ Good
+import { useWorkflowStore } from '@/stores/workflows/store'
+import { Button } from '@/components/ui/button'
+
+// ✗ Bad
+import { useWorkflowStore } from '../../../stores/workflows/store'
+```
+
+## Barrel Exports
+
+Use barrel exports (`index.ts`) when a folder has 3+ exports. Import from barrel, not individual files.
+
+```typescript
+// ✓ Good
+import { Dashboard, Sidebar } from '@/app/workspace/[workspaceId]/logs/components'
+
+// ✗ Bad
+import { Dashboard } from '@/app/workspace/[workspaceId]/logs/components/dashboard/dashboard'
+```
+
+## No Re-exports
+
+Do not re-export from non-barrel files. Import directly from the source.
+
+```typescript
+// ✓ Good - import from where it's declared
+import { CORE_TRIGGER_TYPES } from '@/stores/logs/filters/types'
+
+// ✗ Bad - re-exporting in utils.ts then importing from there
+import { CORE_TRIGGER_TYPES } from '@/app/workspace/.../utils'
+```
+
+## Import Order
+
+1. React/core libraries
+2. External libraries
+3. UI components (`@/components/emcn`, `@/components/ui`)
+4. Utilities (`@/lib/...`)
+5. Stores (`@/stores/...`)
+6. Feature imports
+7. CSS imports
+
+## Type Imports
+
+Use `type` keyword for type-only imports:
+
+```typescript
+import type { WorkflowLog } from '@/stores/logs/types'
+```
--- a/.claude/rules/sim-integrations.md
+++ b/.claude/rules/sim-integrations.md
@@ -0,0 +1,209 @@
+---
+paths:
+  - "apps/sim/tools/**"
+  - "apps/sim/blocks/**"
+  - "apps/sim/triggers/**"
+---
+
+# Adding Integrations
+
+## Overview
+
+Adding a new integration typically requires:
+1. **Tools** - API operations (`tools/{service}/`)
+2. **Block** - UI component (`blocks/blocks/{service}.ts`)
+3. **Icon** - SVG icon (`components/icons.tsx`)
+4. **Trigger** (optional) - Webhooks/polling (`triggers/{service}/`)
+
+Always look up the service's API docs first.
+
+## 1. Tools (`tools/{service}/`)
+
+```
+tools/{service}/
+├── index.ts           # Export all tools
+├── types.ts           # Params/response types
+├── {action}.ts        # Individual tool (e.g., send_message.ts)
+└── ...
+```
+
+**Tool file structure:**
+
+```typescript
+// tools/{service}/{action}.ts
+import type { {Service}Params, {Service}Response } from '@/tools/{service}/types'
+import type { ToolConfig } from '@/tools/types'
+
+export const {service}{Action}Tool: ToolConfig<{Service}Params, {Service}Response> = {
+  id: '{service}_{action}',
+  name: '{Service} {Action}',
+  description: 'What this tool does',
+  version: '1.0.0',
+  oauth: { required: true, provider: '{service}' }, // if OAuth
+  params: { /* param definitions */ },
+  request: {
+    url: '/api/tools/{service}/{action}',
+    method: 'POST',
+    headers: () => ({ 'Content-Type': 'application/json' }),
+    body: (params) => ({ ...params }),
+  },
+  transformResponse: async (response) => {
+    const data = await response.json()
+    if (!data.success) throw new Error(data.error)
+    return { success: true, output: data.output }
+  },
+  outputs: { /* output definitions */ },
+}
+```
+
+**Register in `tools/registry.ts`:**
+
+```typescript
+import { {service}{Action}Tool } from '@/tools/{service}'
+// Add to registry object
+{service}_{action}: {service}{Action}Tool,
+```
+
+## 2. Block (`blocks/blocks/{service}.ts`)
+
+```typescript
+import { {Service}Icon } from '@/components/icons'
+import type { BlockConfig } from '@/blocks/types'
+import type { {Service}Response } from '@/tools/{service}/types'
+
+export const {Service}Block: BlockConfig<{Service}Response> = {
+  type: '{service}',
+  name: '{Service}',
+  description: 'Short description',
+  longDescription: 'Detailed description',
+  category: 'tools',
+  bgColor: '#hexcolor',
+  icon: {Service}Icon,
+  subBlocks: [ /* see SubBlock Properties below */ ],
+  tools: {
+    access: ['{service}_{action}', ...],
+    config: {
+      tool: (params) => `{service}_${params.operation}`,
+      params: (params) => ({ ...params }),
+    },
+  },
+  inputs: { /* input definitions */ },
+  outputs: { /* output definitions */ },
+}
+```
+
+### SubBlock Properties
+
+```typescript
+{
+  id: 'fieldName',           // Unique identifier
+  title: 'Field Label',      // UI label
+  type: 'short-input',       // See SubBlock Types below
+  placeholder: 'Hint text',
+  required: true,            // See Required below
+  condition: { ... },        // See Condition below
+  dependsOn: ['otherField'], // See DependsOn below
+  mode: 'basic',             // 'basic' | 'advanced' | 'both' | 'trigger'
+}
+```
+
+**SubBlock Types:** `short-input`, `long-input`, `dropdown`, `code`, `switch`, `slider`, `oauth-input`, `channel-selector`, `user-selector`, `file-upload`, etc.
+
+### `condition` - Show/hide based on another field
+
+```typescript
+// Show when operation === 'send'
+condition: { field: 'operation', value: 'send' }
+
+// Show when operation is 'send' OR 'read'
+condition: { field: 'operation', value: ['send', 'read'] }
+
+// Show when operation !== 'send'
+condition: { field: 'operation', value: 'send', not: true }
+
+// Complex: NOT in list AND another condition
+condition: {
+  field: 'operation',
+  value: ['list_channels', 'list_users'],
+  not: true,
+  and: { field: 'destinationType', value: 'dm', not: true }
+}
+```
+
+### `required` - Field validation
+
+```typescript
+// Always required
+required: true
+
+// Conditionally required (same syntax as condition)
+required: { field: 'operation', value: 'send' }
+```
+
+### `dependsOn` - Clear field when dependencies change
+
+```typescript
+// Clear when credential changes
+dependsOn: ['credential']
+
+// Clear when authMethod changes AND (credential OR botToken) changes
+dependsOn: { all: ['authMethod'], any: ['credential', 'botToken'] }
+```
+
+### `mode` - When to show field
+
+- `'basic'` - Only in basic mode (default UI)
+- `'advanced'` - Only in advanced mode (manual input)
+- `'both'` - Show in both modes (default)
+- `'trigger'` - Only when block is used as trigger
+
+**Register in `blocks/registry.ts`:**
+
+```typescript
+import { {Service}Block } from '@/blocks/blocks/{service}'
+// Add to registry object (alphabetically)
+{service}: {Service}Block,
+```
+
+## 3. Icon (`components/icons.tsx`)
+
+```typescript
+export function {Service}Icon(props: SVGProps<SVGSVGElement>) {
+  return (
+    <svg {...props} viewBox="0 0 24 24" fill="none" xmlns="http://www.w3.org/2000/svg">
+      {/* SVG path from service's brand assets */}
+    </svg>
+  )
+}
+```
+
+## 4. Trigger (`triggers/{service}/`) - Optional
+
+```
+triggers/{service}/
+├── index.ts           # Export all triggers
+├── webhook.ts         # Webhook handler
+├── utils.ts           # Shared utilities
+└── {event}.ts         # Specific event handlers
+```
+
+**Register in `triggers/registry.ts`:**
+
+```typescript
+import { {service}WebhookTrigger } from '@/triggers/{service}'
+// Add to TRIGGER_REGISTRY
+{service}_webhook: {service}WebhookTrigger,
+```
+
+## Checklist
+
+- [ ] Look up API docs for the service
+- [ ] Create `tools/{service}/types.ts` with proper types
+- [ ] Create tool files for each operation
+- [ ] Create `tools/{service}/index.ts` barrel export
+- [ ] Register tools in `tools/registry.ts`
+- [ ] Add icon to `components/icons.tsx`
+- [ ] Create block in `blocks/blocks/{service}.ts`
+- [ ] Register block in `blocks/registry.ts`
+- [ ] (Optional) Create triggers in `triggers/{service}/`
+- [ ] (Optional) Register triggers in `triggers/registry.ts`
--- a/.claude/rules/sim-queries.md
+++ b/.claude/rules/sim-queries.md
@@ -0,0 +1,66 @@
+---
+paths:
+  - "apps/sim/hooks/queries/**/*.ts"
+---
+
+# React Query Patterns
+
+All React Query hooks live in `hooks/queries/`.
+
+## Query Key Factory
+
+Every query file defines a keys factory:
+
+```typescript
+export const entityKeys = {
+  all: ['entity'] as const,
+  list: (workspaceId?: string) => [...entityKeys.all, 'list', workspaceId ?? ''] as const,
+  detail: (id?: string) => [...entityKeys.all, 'detail', id ?? ''] as const,
+}
+```
+
+## File Structure
+
+```typescript
+// 1. Query keys factory
+// 2. Types (if needed)
+// 3. Private fetch functions
+// 4. Exported hooks
+```
+
+## Query Hook
+
+```typescript
+export function useEntityList(workspaceId?: string, options?: { enabled?: boolean }) {
+  return useQuery({
+    queryKey: entityKeys.list(workspaceId),
+    queryFn: () => fetchEntities(workspaceId as string),
+    enabled: Boolean(workspaceId) && (options?.enabled ?? true),
+    staleTime: 60 * 1000,
+    placeholderData: keepPreviousData,
+  })
+}
+```
+
+## Mutation Hook
+
+```typescript
+export function useCreateEntity() {
+  const queryClient = useQueryClient()
+  return useMutation({
+    mutationFn: async (variables) => { /* fetch POST */ },
+    onSuccess: () => queryClient.invalidateQueries({ queryKey: entityKeys.all }),
+  })
+}
+```
+
+## Optimistic Updates
+
+For optimistic mutations syncing with Zustand, use `createOptimisticMutationHandlers` from `@/hooks/queries/utils/optimistic-mutation`.
+
+## Naming
+
+- **Keys**: `entityKeys`
+- **Query hooks**: `useEntity`, `useEntityList`
+- **Mutation hooks**: `useCreateEntity`, `useUpdateEntity`
+- **Fetch functions**: `fetchEntity` (private)
--- a/.claude/rules/sim-stores.md
+++ b/.claude/rules/sim-stores.md
@@ -0,0 +1,71 @@
+---
+paths:
+  - "apps/sim/**/store.ts"
+  - "apps/sim/**/stores/**/*.ts"
+---
+
+# Zustand Store Patterns
+
+Stores live in `stores/`. Complex stores split into `store.ts` + `types.ts`.
+
+## Basic Store
+
+```typescript
+import { create } from 'zustand'
+import { devtools } from 'zustand/middleware'
+import type { FeatureState } from '@/stores/feature/types'
+
+const initialState = { items: [] as Item[], activeId: null as string | null }
+
+export const useFeatureStore = create<FeatureState>()(
+  devtools(
+    (set, get) => ({
+      ...initialState,
+      setItems: (items) => set({ items }),
+      addItem: (item) => set((state) => ({ items: [...state.items, item] })),
+      reset: () => set(initialState),
+    }),
+    { name: 'feature-store' }
+  )
+)
+```
+
+## Persisted Store
+
+```typescript
+import { create } from 'zustand'
+import { persist } from 'zustand/middleware'
+
+export const useFeatureStore = create<FeatureState>()(
+  persist(
+    (set) => ({
+      width: 300,
+      setWidth: (width) => set({ width }),
+      _hasHydrated: false,
+      setHasHydrated: (v) => set({ _hasHydrated: v }),
+    }),
+    {
+      name: 'feature-state',
+      partialize: (state) => ({ width: state.width }),
+      onRehydrateStorage: () => (state) => state?.setHasHydrated(true),
+    }
+  )
+)
+```
+
+## Rules
+
+1. Use `devtools` middleware (named stores)
+2. Use `persist` only when data should survive reload
+3. `partialize` to persist only necessary state
+4. `_hasHydrated` pattern for persisted stores needing hydration tracking
+5. Immutable updates only
+6. `set((state) => ...)` when depending on previous state
+7. Provide `reset()` action
+
+## Outside React
+
+```typescript
+const items = useFeatureStore.getState().items
+useFeatureStore.setState({ items: newItems })
+```
--- a/.claude/rules/sim-styling.md
+++ b/.claude/rules/sim-styling.md
@@ -0,0 +1,41 @@
+---
+paths:
+  - "apps/sim/**/*.tsx"
+  - "apps/sim/**/*.css"
+---
+
+# Styling Rules
+
+## Tailwind
+
+1. **No inline styles** - Use Tailwind classes
+2. **No duplicate dark classes** - Skip `dark:` when value matches light mode
+3. **Exact values** - `text-[14px]`, `h-[26px]`
+4. **Transitions** - `transition-colors` for interactive states
+
+## Conditional Classes
+
+```typescript
+import { cn } from '@/lib/utils'
+
+<div className={cn(
+  'base-classes',
+  isActive && 'active-classes',
+  disabled ? 'opacity-60' : 'hover:bg-accent'
+)} />
+```
+
+## CSS Variables
+
+For dynamic values (widths, heights) synced with stores:
+
+```typescript
+// In store
+setWidth: (width) => {
+  set({ width })
+  document.documentElement.style.setProperty('--sidebar-width', `${width}px`)
+}
+
+// In component
+<aside style={{ width: 'var(--sidebar-width)' }} />
+```
--- a/.claude/rules/sim-testing.md
+++ b/.claude/rules/sim-testing.md
@@ -0,0 +1,58 @@
+---
+paths:
+  - "apps/sim/**/*.test.ts"
+  - "apps/sim/**/*.test.tsx"
+---
+
+# Testing Patterns
+
+Use Vitest. Test files: `feature.ts` → `feature.test.ts`
+
+## Structure
+
+```typescript
+/**
+ * @vitest-environment node
+ */
+import { databaseMock, loggerMock } from '@sim/testing'
+import { describe, expect, it, vi } from 'vitest'
+
+vi.mock('@sim/db', () => databaseMock)
+vi.mock('@sim/logger', () => loggerMock)
+
+import { myFunction } from '@/lib/feature'
+
+describe('myFunction', () => {
+  beforeEach(() => vi.clearAllMocks())
+  it.concurrent('isolated tests run in parallel', () => { ... })
+})
+```
+
+## @sim/testing Package
+
+Always prefer over local mocks.
+
+| Category | Utilities |
+|----------|-----------|
+| **Mocks** | `loggerMock`, `databaseMock`, `setupGlobalFetchMock()` |
+| **Factories** | `createSession()`, `createWorkflowRecord()`, `createBlock()`, `createExecutorContext()` |
+| **Builders** | `WorkflowBuilder`, `ExecutionContextBuilder` |
+| **Assertions** | `expectWorkflowAccessGranted()`, `expectBlockExecuted()` |
+
+## Rules
+
+1. `@vitest-environment node` directive at file top
+2. `vi.mock()` calls before importing mocked modules
+3. `@sim/testing` utilities over local mocks
+4. `it.concurrent` for isolated tests (no shared mutable state)
+5. `beforeEach(() => vi.clearAllMocks())` to reset state
+
+## Hoisted Mocks
+
+For mutable mock references:
+
+```typescript
+const mockFn = vi.hoisted(() => vi.fn())
+vi.mock('@/lib/module', () => ({ myFunction: mockFn }))
+mockFn.mockResolvedValue({ data: 'test' })
+```
--- a/.claude/rules/sim-typescript.md
+++ b/.claude/rules/sim-typescript.md
@@ -0,0 +1,21 @@
+---
+paths:
+  - "apps/sim/**/*.ts"
+  - "apps/sim/**/*.tsx"
+---
+
+# TypeScript Rules
+
+1. **No `any`** - Use proper types or `unknown` with type guards
+2. **Props interface** - Always define for components
+3. **Const assertions** - `as const` for constant objects/arrays
+4. **Ref types** - Explicit: `useRef<HTMLDivElement>(null)`
+5. **Type imports** - `import type { X }` for type-only imports
+
+```typescript
+// ✗ Bad
+const handleClick = (e: any) => {}
+
+// ✓ Good
+const handleClick = (e: React.MouseEvent<HTMLButtonElement>) => {}
+```
--- a/.cursor/rules/global.mdc
+++ b/.cursor/rules/global.mdc
@@ -8,7 +8,7 @@ alwaysApply: true
 You are a professional software engineer. All code must follow best practices: accurate, readable, clean, and efficient.

 ## Logging
-Import `createLogger` from `sim/logger`. Use `logger.info`, `logger.warn`, `logger.error` instead of `console.log`.
+Import `createLogger` from `@sim/logger`. Use `logger.info`, `logger.warn`, `logger.error` instead of `console.log`.

 ## Comments
 Use TSDoc for documentation. No `====` separators. No non-TSDoc comments.
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -27,10 +27,11 @@ jobs:
    steps:
      - name: Extract version from commit message
        id: extract
+        env:
+          COMMIT_MSG: ${{ github.event.head_commit.message }}
        run: |
-          COMMIT_MSG="${{ github.event.head_commit.message }}"
          # Only tag versions on main branch
-          if [ "${{ github.ref }}" = "refs/heads/main" ] && [[ "$COMMIT_MSG" =~ ^(v[0-9]+\.[0-9]+\.[0-9]+): ]]; then
+          if [ "$GITHUB_REF" = "refs/heads/main" ] && [[ "$COMMIT_MSG" =~ ^(v[0-9]+\.[0-9]+\.[0-9]+): ]]; then
            VERSION="${BASH_REMATCH[1]}"
            echo "version=${VERSION}" >> $GITHUB_OUTPUT
            echo "is_release=true" >> $GITHUB_OUTPUT
--- a/README.md
+++ b/README.md
@@ -14,7 +14,7 @@
 </p>

 <p align="center">
-  <a href="https://deepwiki.com/simstudioai/sim" target="_blank" rel="noopener noreferrer"><img src="https://deepwiki.com/badge.svg" alt="Ask DeepWiki"></a>  <a href="https://cursor.com/link/prompt?text=Help%20me%20set%20up%20Sim%20Studio%20locally.%20Follow%20these%20steps%3A%0A%0A1.%20First%2C%20verify%20Docker%20is%20installed%20and%20running%3A%0A%20%20%20docker%20--version%0A%20%20%20docker%20info%0A%0A2.%20Clone%20the%20repository%3A%0A%20%20%20git%20clone%20https%3A%2F%2Fgithub.com%2Fsimstudioai%2Fsim.git%0A%20%20%20cd%20sim%0A%0A3.%20Start%20the%20services%20with%20Docker%20Compose%3A%0A%20%20%20docker%20compose%20-f%20docker-compose.prod.yml%20up%20-d%0A%0A4.%20Wait%20for%20all%20containers%20to%20be%20healthy%20(this%20may%20take%201-2%20minutes)%3A%0A%20%20%20docker%20compose%20-f%20docker-compose.prod.yml%20ps%0A%0A5.%20Verify%20the%20app%20is%20accessible%20at%20http%3A%2F%2Flocalhost%3A3000%0A%0AIf%20there%20are%20any%20errors%2C%20help%20me%20troubleshoot%20them.%20Common%20issues%3A%0A-%20Port%203000%2C%203002%2C%20or%205432%20already%20in%20use%0A-%20Docker%20not%20running%0A-%20Insufficient%20memory%20(needs%2012GB%2B%20RAM)%0A%0AFor%20local%20AI%20models%20with%20Ollama%2C%20use%20this%20instead%20of%20step%203%3A%0A%20%20%20docker%20compose%20-f%20docker-compose.ollama.yml%20--profile%20setup%20up%20-d"><img src="https://img.shields.io/badge/Set%20Up%20with-Cursor-000000?logo=cursor&logoColor=white" alt="Set Up with Cursor"></a>
+  <a href="https://deepwiki.com/simstudioai/sim" target="_blank" rel="noopener noreferrer"><img src="https://deepwiki.com/badge.svg" alt="Ask DeepWiki"></a>  <a href="https://cursor.com/link/prompt?text=Help%20me%20set%20up%20Sim%20locally.%20Follow%20these%20steps%3A%0A%0A1.%20First%2C%20verify%20Docker%20is%20installed%20and%20running%3A%0A%20%20%20docker%20--version%0A%20%20%20docker%20info%0A%0A2.%20Clone%20the%20repository%3A%0A%20%20%20git%20clone%20https%3A%2F%2Fgithub.com%2Fsimstudioai%2Fsim.git%0A%20%20%20cd%20sim%0A%0A3.%20Start%20the%20services%20with%20Docker%20Compose%3A%0A%20%20%20docker%20compose%20-f%20docker-compose.prod.yml%20up%20-d%0A%0A4.%20Wait%20for%20all%20containers%20to%20be%20healthy%20(this%20may%20take%201-2%20minutes)%3A%0A%20%20%20docker%20compose%20-f%20docker-compose.prod.yml%20ps%0A%0A5.%20Verify%20the%20app%20is%20accessible%20at%20http%3A%2F%2Flocalhost%3A3000%0A%0AIf%20there%20are%20any%20errors%2C%20help%20me%20troubleshoot%20them.%20Common%20issues%3A%0A-%20Port%203000%2C%203002%2C%20or%205432%20already%20in%20use%0A-%20Docker%20not%20running%0A-%20Insufficient%20memory%20(needs%2012GB%2B%20RAM)%0A%0AFor%20local%20AI%20models%20with%20Ollama%2C%20use%20this%20instead%20of%20step%203%3A%0A%20%20%20docker%20compose%20-f%20docker-compose.ollama.yml%20--profile%20setup%20up%20-d"><img src="https://img.shields.io/badge/Set%20Up%20with-Cursor-000000?logo=cursor&logoColor=white" alt="Set Up with Cursor"></a>
 </p>

 ### Build Workflows with Ease
--- a/apps/docs/app/global.css
+++ b/apps/docs/app/global.css
@@ -119,6 +119,19 @@ aside#nd-sidebar {
  }
 }

+/* Hide TOC popover on tablet/medium screens (768px - 1279px) */
+/* Keeps it visible on mobile (<768px) for easy navigation */
+/* Desktop (>=1280px) already hides it via fumadocs xl:hidden */
+@media (min-width: 768px) and (max-width: 1279px) {
+  #nd-docs-layout {
+    --fd-toc-popover-height: 0px !important;
+  }
+
+  [data-toc-popover] {
+    display: none !important;
+  }
+}
+
 /* Desktop only: Apply custom navbar offset, sidebar width and margin offsets */
 /* On mobile, let fumadocs handle the layout natively */
@media (min-width: 1024px) {
--- a/apps/docs/components/icons.tsx
+++ b/apps/docs/components/icons.tsx
@@ -4093,6 +4093,23 @@ export function SQSIcon(props: SVGProps<SVGSVGElement>) {
  )
 }

+export function TextractIcon(props: SVGProps<SVGSVGElement>) {
+  return (
+    <svg
+      {...props}
+      viewBox='10 14 60 52'
+      version='1.1'
+      xmlns='http://www.w3.org/2000/svg'
+      xmlnsXlink='http://www.w3.org/1999/xlink'
+    >
+      <path
+        d='M22.0624102,50 C24.3763895,53.603 28.4103535,56 33.0003125,56 C40.1672485,56 45.9991964,50.168 45.9991964,43 C45.9991964,35.832 40.1672485,30 33.0003125,30 C27.6033607,30 22.9664021,33.307 21.0024196,38 L23.2143999,38 C25.0393836,34.444 28.7363506,32 33.0003125,32 C39.0652583,32 43.9992143,36.935 43.9992143,43 C43.9992143,49.065 39.0652583,54 33.0003125,54 C29.5913429,54 26.5413702,52.441 24.5213882,50 L22.0624102,50 Z M37.0002768,45 L37.0002768,43 L41.9992321,43 C41.9992321,38.038 37.9622682,34 33.0003125,34 C28.0373568,34 23.9993929,38.038 23.9993929,43 L28.9993482,43 L28.9993482,45 L24.2313908,45 C25.1443826,49.002 28.7253507,52 33.0003125,52 C35.1362934,52 37.0992759,51.249 38.6442621,50 L34.0003036,50 L34.0003036,48 L40.4782457,48 C41.0812403,47.102 41.5202364,46.087 41.7682342,45 L37.0002768,45 Z M21.0024196,48 L23.2143999,48 C22.4434068,46.498 22.0004107,44.801 22.0004107,43 C22.0004107,41.959 22.1554093,40.955 22.4264069,40 L20.3634253,40 C20.1344274,40.965 19.9994286,41.966 19.9994286,43 C19.9994286,44.771 20.3584254,46.46 21.0024196,48 L21.0024196,48 Z M19.7434309,50 L17.0004554,50 L17.0004554,48 L18.8744386,48 C18.5344417,47.04 18.2894438,46.038 18.1494451,45 L15.4144695,45 L16.707458,46.293 L15.2924706,47.707 L12.2924974,44.707 C11.9025009,44.316 11.9025009,43.684 12.2924974,43.293 L15.2924706,40.293 L16.707458,41.707 L15.4144695,43 L18.0004464,43 C18.0004464,41.973 18.1044455,40.97 18.3024437,40 L17.0004554,40 L17.0004554,38 L18.8744386,38 C20.9404202,32.184 26.4833707,28 33.0003125,28 C37.427273,28 41.4002375,29.939 44.148213,33 L59.0000804,33 L59.0000804,35 L45.6661994,35 C47.1351863,37.318 47.9991786,40.058 47.9991786,43 L59.0000804,43 L59.0000804,45 L47.8501799,45 C46.8681887,52.327 40.5912447,58 33.0003125,58 C27.2563638,58 22.2624084,54.752 19.7434309,50 L19.7434309,50 Z M37.0002768,39 C37.0002768,38.448 36.5522808,38 36.0002857,38 L29.9993482,38 C29.4473442,38 28.9993482,38.448 28.9993482,39 L28.9993482,41 L31.0003304,41 L31.0003304,40 L32.0003214,40 L32.0003214,43 L31.0003304,43 L31.0003304,45 L35.0002946,45 L35.0002946,43 L34.0003036,43 L34.0003036,40 L35.0002946,40 L35.0002946,41 L37.0002768,41 L37.0002768,39 Z M49.0001696,40 L59.0000804,40 L59.0000804,38 L49.0001696,38 L49.0001696,40 Z M49.0001696,50 L59.0000804,50 L59.0000804,48 L49.0001696,48 L49.0001696,50 Z M57.0000982,27 L60.5850662,27 L57.0000982,23.414 L57.0000982,27 Z M63.7070383,27.293 C63.8940367,27.48 64.0000357,27.735 64.0000357,28 L64.0000357,63 C64.0000357,63.552 63.5520397,64 63.0000446,64 L32.0003304,64 C31.4473264,64 31.0003304,63.552 31.0003304,63 L31.0003304,59 L33.0003125,59 L33.0003125,62 L62.0000536,62 L62.0000536,29 L56.0001071,29 C55.4471121,29 55.0001161,28.552 55.0001161,28 L55.0001161,22 L33.0003125,22 L33.0003125,27 L31.0003304,27 L31.0003304,21 C31.0003304,20.448 31.4473264,20 32.0003304,20 L56.0001071,20 C56.2651048,20 56.5191025,20.105 56.7071008,20.293 L63.7070383,27.293 Z M68,24.166 L68,61 C68,61.552 67.552004,62 67.0000089,62 L65.0000268,62 L65.0000268,60 L66.0000179,60 L66.0000179,24.612 L58.6170838,18 L36.0002857,18 L36.0002857,19 L34.0003036,19 L34.0003036,17 C34.0003036,16.448 34.4472996,16 35.0003036,16 L59.0000804,16 C59.2460782,16 59.483076,16.091 59.6660744,16.255 L67.666003,23.42 C67.8780011,23.61 68,23.881 68,24.166 L68,24.166 Z'
+        fill='currentColor'
+      />
+    </svg>
+  )
+}
+
 export function McpIcon(props: SVGProps<SVGSVGElement>) {
  return (
    <svg
--- a/apps/docs/components/ui/icon-mapping.ts
+++ b/apps/docs/components/ui/icon-mapping.ts
@@ -110,6 +110,7 @@ import {
  SupabaseIcon,
  TavilyIcon,
  TelegramIcon,
+  TextractIcon,
  TinybirdIcon,
  TranslateIcon,
  TrelloIcon,
@@ -143,7 +144,7 @@ export const blockTypeToIconMap: Record<string, IconComponent> = {
  calendly: CalendlyIcon,
  circleback: CirclebackIcon,
  clay: ClayIcon,
-  confluence: ConfluenceIcon,
+  confluence_v2: ConfluenceIcon,
  cursor_v2: CursorIcon,
  datadog: DatadogIcon,
  discord: DiscordIcon,
@@ -153,7 +154,7 @@ export const blockTypeToIconMap: Record<string, IconComponent> = {
  elasticsearch: ElasticsearchIcon,
  elevenlabs: ElevenLabsIcon,
  exa: ExaAIIcon,
-  file: DocumentIcon,
+  file_v2: DocumentIcon,
  firecrawl: FirecrawlIcon,
  fireflies: FirefliesIcon,
  github_v2: GithubIcon,
@@ -195,7 +196,7 @@ export const blockTypeToIconMap: Record<string, IconComponent> = {
  microsoft_excel_v2: MicrosoftExcelIcon,
  microsoft_planner: MicrosoftPlannerIcon,
  microsoft_teams: MicrosoftTeamsIcon,
-  mistral_parse: MistralIcon,
+  mistral_parse_v2: MistralIcon,
  mongodb: MongoDBIcon,
  mysql: MySQLIcon,
  neo4j: Neo4jIcon,
@@ -237,6 +238,7 @@ export const blockTypeToIconMap: Record<string, IconComponent> = {
  supabase: SupabaseIcon,
  tavily: TavilyIcon,
  telegram: TelegramIcon,
+  textract: TextractIcon,
  tinybird: TinybirdIcon,
  translate: TranslateIcon,
  trello: TrelloIcon,
@@ -244,7 +246,7 @@ export const blockTypeToIconMap: Record<string, IconComponent> = {
  twilio_sms: TwilioIcon,
  twilio_voice: TwilioIcon,
  typeform: TypeformIcon,
-  video_generator: VideoIcon,
+  video_generator_v2: VideoIcon,
  vision: EyeIcon,
  wealthbox: WealthboxIcon,
  webflow: WebflowIcon,
--- a/apps/docs/content/docs/en/blocks/loop.mdx
+++ b/apps/docs/content/docs/en/blocks/loop.mdx
@@ -124,11 +124,44 @@ Choose between four types of loops:
 3. Drag other blocks inside the loop container
 4. Connect the blocks as needed

-### Accessing Results
+### Referencing Loop Data

-After a loop completes, you can access aggregated results:
+There's an important distinction between referencing loop data from **inside** vs **outside** the loop:

- **`<loop.results>`**: Array of results from all loop iterations
+<Tabs items={['Inside the Loop', 'Outside the Loop']}>
+  <Tab>
+    **Inside the loop**, use `<loop.>` references to access the current iteration context:
+    
+    - **`<loop.index>`**: Current iteration number (0-based)
+    - **`<loop.currentItem>`**: Current item being processed (forEach only)
+    - **`<loop.items>`**: Full collection being iterated (forEach only)
+    
+    ```
+    // Inside a Function block within the loop
+    const idx = <loop.index>;           // 0, 1, 2, ...
+    const item = <loop.currentItem>;    // Current item
+    ```
+    
+    <Callout type="info">
+      These references are only available for blocks **inside** the loop container. They give you access to the current iteration's context.
+    </Callout>
+  </Tab>
+  <Tab>
+    **Outside the loop** (after it completes), reference the loop block by its name to access aggregated results:
+    
+    - **`<LoopBlockName.results>`**: Array of results from all iterations
+    
+    ```
+    // If your loop block is named "Process Items"
+    const allResults = <processitems.results>;
+    // Returns: [result1, result2, result3, ...]
+    ```
+    
+    <Callout type="info">
+      After the loop completes, use the loop's block name (not `loop.`) to access the collected results. The block name is normalized (lowercase, no spaces).
+    </Callout>
+  </Tab>
+</Tabs>

 ## Example Use Cases

@@ -184,28 +217,29 @@ Variables (i=0) → Loop (While i<10) → Agent (Process) → Variables (i++)
    </ul>
  </Tab>
  <Tab>
+    Available **inside** the loop only:
    <ul className="list-disc space-y-2 pl-6">
      <li>
-        <strong>loop.currentItem</strong>: Current item being processed
+        <strong>{"<loop.index>"}</strong>: Current iteration number (0-based)
      </li>
      <li>
-        <strong>loop.index</strong>: Current iteration number (0-based)
+        <strong>{"<loop.currentItem>"}</strong>: Current item being processed (forEach only)
      </li>
      <li>
-        <strong>loop.items</strong>: Full collection (forEach loops)
+        <strong>{"<loop.items>"}</strong>: Full collection (forEach only)
      </li>
    </ul>
  </Tab>
  <Tab>
    <ul className="list-disc space-y-2 pl-6">
      <li>
-        <strong>loop.results</strong>: Array of all iteration results
+        <strong>{"<blockname.results>"}</strong>: Array of all iteration results (accessed via block name)
      </li>
      <li>
        <strong>Structure</strong>: Results maintain iteration order
      </li>
      <li>
-        <strong>Access</strong>: Available in blocks after the loop
+        <strong>Access</strong>: Available in blocks after the loop completes
      </li>
    </ul>
  </Tab>
--- a/apps/docs/content/docs/en/blocks/parallel.mdx
+++ b/apps/docs/content/docs/en/blocks/parallel.mdx
@@ -76,11 +76,44 @@ Choose between two types of parallel execution:
 3. Drag a single block inside the parallel container
 4. Connect the block as needed

-### Accessing Results
+### Referencing Parallel Data

-After a parallel block completes, you can access aggregated results:
+There's an important distinction between referencing parallel data from **inside** vs **outside** the parallel block:

- **`<parallel.results>`**: Array of results from all parallel instances
+<Tabs items={['Inside the Parallel', 'Outside the Parallel']}>
+  <Tab>
+    **Inside the parallel**, use `<parallel.>` references to access the current instance context:
+    
+    - **`<parallel.index>`**: Current instance number (0-based)
+    - **`<parallel.currentItem>`**: Item for this instance (collection-based only)
+    - **`<parallel.items>`**: Full collection being distributed (collection-based only)
+    
+    ```
+    // Inside a Function block within the parallel
+    const idx = <parallel.index>;           // 0, 1, 2, ...
+    const item = <parallel.currentItem>;    // This instance's item
+    ```
+    
+    <Callout type="info">
+      These references are only available for blocks **inside** the parallel container. They give you access to the current instance's context.
+    </Callout>
+  </Tab>
+  <Tab>
+    **Outside the parallel** (after it completes), reference the parallel block by its name to access aggregated results:
+    
+    - **`<ParallelBlockName.results>`**: Array of results from all instances
+    
+    ```
+    // If your parallel block is named "Process Tasks"
+    const allResults = <processtasks.results>;
+    // Returns: [result1, result2, result3, ...]
+    ```
+    
+    <Callout type="info">
+      After the parallel completes, use the parallel's block name (not `parallel.`) to access the collected results. The block name is normalized (lowercase, no spaces).
+    </Callout>
+  </Tab>
+</Tabs>

 ## Example Use Cases

@@ -98,11 +131,11 @@ Parallel (["gpt-4o", "claude-3.7-sonnet", "gemini-2.5-pro"]) → Agent → Evalu

 ### Result Aggregation

-Results from all parallel instances are automatically collected:
+Results from all parallel instances are automatically collected and accessible via the block name:

 ```javascript
-// In a Function block after the parallel
-const allResults = input.parallel.results;
+// In a Function block after a parallel named "Process Tasks"
+const allResults = <processtasks.results>;
 // Returns: [result1, result2, result3, ...]
 ```

@@ -158,25 +191,26 @@ Understanding when to use each:
    </ul>
  </Tab>
  <Tab>
+    Available **inside** the parallel only:
    <ul className="list-disc space-y-2 pl-6">
      <li>
-        <strong>parallel.currentItem</strong>: Item for this instance
+        <strong>{"<parallel.index>"}</strong>: Instance number (0-based)
      </li>
      <li>
-        <strong>parallel.index</strong>: Instance number (0-based)
+        <strong>{"<parallel.currentItem>"}</strong>: Item for this instance (collection-based only)
      </li>
      <li>
-        <strong>parallel.items</strong>: Full collection (collection-based)
+        <strong>{"<parallel.items>"}</strong>: Full collection (collection-based only)
      </li>
    </ul>
  </Tab>
  <Tab>
    <ul className="list-disc space-y-2 pl-6">
      <li>
-        <strong>parallel.results</strong>: Array of all instance results
+        <strong>{"<blockname.results>"}</strong>: Array of all instance results (accessed via block name)
      </li>
      <li>
-        <strong>Access</strong>: Available in blocks after the parallel
+        <strong>Access</strong>: Available in blocks after the parallel completes
      </li>
    </ul>
  </Tab>
--- a/apps/docs/content/docs/en/copilot/index.mdx
+++ b/apps/docs/content/docs/en/copilot/index.mdx
@@ -5,45 +5,25 @@ title: Copilot
 import { Callout } from 'fumadocs-ui/components/callout'
 import { Card, Cards } from 'fumadocs-ui/components/card'
 import { Image } from '@/components/ui/image'
-import { MessageCircle, Package, Zap, Infinity as InfinityIcon, Brain, BrainCircuit } from 'lucide-react'
+import { MessageCircle, Hammer, Zap, Globe, Paperclip, History, RotateCcw, Brain } from 'lucide-react'

-Copilot is your in-editor assistant that helps you build and edit workflows with Sim Copilot, as well as understand and improve them. It can:
+Copilot is your in-editor assistant that helps you build and edit workflows. It can:

 - **Explain**: Answer questions about Sim and your current workflow
 - **Guide**: Suggest edits and best practices
- **Edit**: Make changes to blocks, connections, and settings when you approve
+- **Build**: Add blocks, wire connections, and configure settings
+- **Debug**: Analyze execution issues and optimize performance

 <Callout type="info">
-  Copilot is a Sim-managed service. For self-hosted deployments, generate a Copilot API key in the hosted app (sim.ai → Settings → Copilot)
+  Copilot is a Sim-managed service. For self-hosted deployments:
  1. Go to [sim.ai](https://sim.ai) → Settings → Copilot and generate a Copilot API key
-  2. Set `COPILOT_API_KEY` in your self-hosted environment to that value
+  2. Set `COPILOT_API_KEY` in your self-hosted environment
 </Callout>

-## Context Menu (@)
-
-Use the `@` symbol to reference various resources and give Copilot more context about your workspace:
-
-<Image
-  src="/static/copilot/copilot-menu.png"
-  alt="Copilot context menu showing available reference options"
-  width={600}
-  height={400}
-/>
-
-The `@` menu provides access to:
- **Chats**: Reference previous copilot conversations
- **All workflows**: Reference any workflow in your workspace
- **Workflow Blocks**: Reference specific blocks from workflows
- **Blocks**: Reference block types and templates
- **Knowledge**: Reference your uploaded documents and knowledgebase
- **Docs**: Reference Sim documentation
- **Templates**: Reference workflow templates
- **Logs**: Reference execution logs and results
-
-This contextual information helps Copilot provide more accurate and relevant assistance for your specific use case.
-
 ## Modes

+Switch between modes using the mode selector at the bottom of the input area.
+
 <Cards>
  <Card
    title={
@@ -60,113 +40,153 @@ This contextual information helps Copilot provide more accurate and relevant ass
  <Card
    title={
      <span className="inline-flex items-center gap-2">
-        <Package className="h-4 w-4 text-muted-foreground" />
-        Agent
+        <Hammer className="h-4 w-4 text-muted-foreground" />
+        Build
      </span>
    }
  >
    <div className="m-0 text-sm">
-      Build-and-edit mode. Copilot proposes specific edits (add blocks, wire variables, tweak settings) and applies them when you approve.
+      Workflow building mode. Copilot can add blocks, wire connections, edit configurations, and debug issues.
    </div>
  </Card>
 </Cards>

-<div className="flex justify-center">
-  <Image
-    src="/static/copilot/copilot-mode.png"
-    alt="Copilot mode selection interface"
-    width={600}
-    height={400}
-    className="my-6"
-  />
-</div>
+## Models

-## Depth Levels
+Select your preferred AI model using the model selector at the bottom right of the input area.

-<Cards>
-  <Card
-    title={
-      <span className="inline-flex items-center gap-2">
-        <Zap className="h-4 w-4 text-muted-foreground" />
-        Fast
-      </span>
-    }
-  >
-    <div className="m-0 text-sm">Quickest and cheapest. Best for small edits, simple workflows, and minor tweaks.</div>
-  </Card>
-  <Card
-    title={
-      <span className="inline-flex items-center gap-2">
-        <InfinityIcon className="h-4 w-4 text-muted-foreground" />
-        Auto
-      </span>
-    }
-  >
-    <div className="m-0 text-sm">Balanced speed and reasoning. Recommended default for most tasks.</div>
-  </Card>
-  <Card
-    title={
-      <span className="inline-flex items-center gap-2">
-        <Brain className="h-4 w-4 text-muted-foreground" />
-        Advanced
-      </span>
-    }
-  >
-    <div className="m-0 text-sm">More reasoning for larger workflows and complex edits while staying performant.</div>
-  </Card>
-  <Card
-    title={
-      <span className="inline-flex items-center gap-2">
-        <BrainCircuit className="h-4 w-4 text-muted-foreground" />
-        Behemoth
-      </span>
-    }
-  >
-    <div className="m-0 text-sm">Maximum reasoning for deep planning, debugging, and complex architectural changes.</div>
-  </Card>
-</Cards>
+**Available Models:**
+- Claude 4.5 Opus, Sonnet (default), Haiku
+- GPT 5.2 Codex, Pro
+- Gemini 3 Pro

-### Mode Selection Interface
+Choose based on your needs: faster models for simple tasks, more capable models for complex workflows.

-You can easily switch between different reasoning modes using the mode selector in the Copilot interface:
+## Context Menu (@)

-<Image
-  src="/static/copilot/copilot-models.png"
-  alt="Copilot mode selection showing Advanced mode with MAX toggle"
-  width={600}
-  height={300}
-/>
+Use the `@` symbol to reference resources and give Copilot more context:

-The interface allows you to:
- **Select reasoning level**: Choose from Fast, Auto, Advanced, or Behemoth
- **Enable MAX mode**: Toggle for maximum reasoning capabilities when you need the most thorough analysis
- **See mode descriptions**: Understand what each mode is optimized for
+| Reference | Description |
+|-----------|-------------|
+| **Chats** | Previous copilot conversations |
+| **Workflows** | Any workflow in your workspace |
+| **Workflow Blocks** | Blocks in the current workflow |
+| **Blocks** | Block types and templates |
+| **Knowledge** | Uploaded documents and knowledge bases |
+| **Docs** | Sim documentation |
+| **Templates** | Workflow templates |
+| **Logs** | Execution logs and results |

-Choose your mode based on the complexity of your task - use Fast for simple questions and Behemoth for complex architectural changes.
+Type `@` in the input field to open the context menu, then search or browse to find what you need.

-## Billing and Cost Calculation
+## Slash Commands (/)

-### How Costs Are Calculated
+Use slash commands for quick actions:

-Copilot usage is billed per token from the underlying LLM:
+| Command | Description |
+|---------|-------------|
+| `/fast` | Fast mode execution |
+| `/research` | Research and exploration mode |
+| `/actions` | Execute agent actions |

- **Input tokens**: billed at the provider's base rate (**at-cost**)
- **Output tokens**: billed at **1.5×** the provider's base output rate
+**Web Commands:**

-```javascript
-copilotCost = (inputTokens × inputPrice + outputTokens × (outputPrice × 1.5)) / 1,000,000
-```
+| Command | Description |
+|---------|-------------|
+| `/search` | Search the web |
+| `/read` | Read a specific URL |
+| `/scrape` | Scrape web page content |
+| `/crawl` | Crawl multiple pages |

-| Component | Rate Applied         |
-|----------|----------------------|
-| Input    | inputPrice           |
-| Output   | outputPrice × 1.5    |
+Type `/` in the input field to see available commands.

-<Callout type="warning">
-  Pricing shown reflects rates as of September 4, 2025. Check provider documentation for current pricing.
-</Callout>
+## Chat Management
+
+### Starting a New Chat
+
+Click the **+** button in the Copilot header to start a fresh conversation.
+
+### Chat History
+
+Click **History** to view previous conversations grouped by date. You can:
+- Click a chat to resume it
+- Delete chats you no longer need
+
+### Editing Messages
+
+Hover over any of your messages and click **Edit** to modify and resend it. This is useful for refining your prompts.
+
+### Message Queue
+
+If you send a message while Copilot is still responding, it gets queued. You can:
+- View queued messages in the expandable queue panel
+- Send a queued message immediately (aborts current response)
+- Remove messages from the queue
+
+## File Attachments
+
+Click the attachment icon to upload files with your message. Supported file types include:
+- Images (preview thumbnails shown)
+- PDFs
+- Text files, JSON, XML
+- Other document formats
+
+Files are displayed as clickable thumbnails that open in a new tab.
+
+## Checkpoints & Changes
+
+When Copilot makes changes to your workflow, it saves checkpoints so you can revert if needed.
+
+### Viewing Checkpoints
+
+Hover over a Copilot message and click the checkpoints icon to see saved workflow states for that message.
+
+### Reverting Changes
+
+Click **Revert** on any checkpoint to restore your workflow to that state. A confirmation dialog will warn that this action cannot be undone.
+
+### Accepting Changes
+
+When Copilot proposes changes, you can:
+- **Accept**: Apply the proposed changes (`Mod+Shift+Enter`)
+- **Reject**: Dismiss the changes and keep your current workflow
+
+## Thinking Blocks
+
+For complex requests, Copilot may show its reasoning process in expandable thinking blocks:
+
+- Blocks auto-expand while Copilot is thinking
+- Click to manually expand/collapse
+- Shows duration of the thinking process
+- Helps you understand how Copilot arrived at its solution
+
+## Options Selection
+
+When Copilot presents multiple options, you can select using:
+
+| Control | Action |
+|---------|--------|
+| **1-9** | Select option by number |
+| **Arrow Up/Down** | Navigate between options |
+| **Enter** | Select highlighted option |
+
+Selected options are highlighted; unselected options appear struck through.
+
+## Keyboard Shortcuts
+
+| Shortcut | Action |
+|----------|--------|
+| `@` | Open context menu |
+| `/` | Open slash commands |
+| `Arrow Up/Down` | Navigate menu items |
+| `Enter` | Select menu item |
+| `Esc` | Close menus |
+| `Mod+Shift+Enter` | Accept Copilot changes |
+
+## Usage Limits
+
+Copilot usage is billed per token from the underlying LLM. If you reach your usage limit, Copilot will prompt you to increase your limit. You can add usage in increments ($50, $100) from your current base.

 <Callout type="info">
-  Model prices are per million tokens. The calculation divides by 1,000,000 to get the actual cost. See <a href="/execution/costs">the Cost Calculation page</a> for background and examples.
+  See the [Cost Calculation page](/execution/costs) for billing details.
 </Callout>
-
--- a/apps/docs/content/docs/en/keyboard-shortcuts/index.mdx
+++ b/apps/docs/content/docs/en/keyboard-shortcuts/index.mdx
@@ -34,6 +34,8 @@ Speed up your workflow building with these keyboard shortcuts and mouse controls
 | `Mod` + `V` | Paste blocks |
 | `Delete` or `Backspace` | Delete selected blocks or edges |
 | `Shift` + `L` | Auto-layout canvas |
+| `Mod` + `Shift` + `F` | Fit to view |
+| `Mod` + `Shift` + `Enter` | Accept Copilot changes |

 ## Panel Navigation

--- a/apps/docs/content/docs/en/meta.json
+++ b/apps/docs/content/docs/en/meta.json
@@ -3,6 +3,7 @@
  "pages": [
    "./introduction/index",
    "./getting-started/index",
+    "./quick-reference/index",
    "triggers",
    "blocks",
    "tools",
--- a/apps/docs/content/docs/en/quick-reference/index.mdx
+++ b/apps/docs/content/docs/en/quick-reference/index.mdx
@@ -0,0 +1,136 @@
+---
+title: Quick Reference
+description: Essential actions for navigating and using the Sim workflow editor
+---
+
+import { Callout } from 'fumadocs-ui/components/callout'
+
+A quick lookup for everyday actions in the Sim workflow editor. For keyboard shortcuts, see [Keyboard Shortcuts](/keyboard-shortcuts).
+
+<Callout type="info">
+  **Mod** refers to `Cmd` on macOS and `Ctrl` on Windows/Linux.
+</Callout>
+
+## Workspaces
+
+| Action | How |
+|--------|-----|
+| Create a workspace | Click workspace dropdown in sidebar → **New Workspace** |
+| Rename a workspace | Workspace settings → Edit name |
+| Switch workspaces | Click workspace dropdown in sidebar → Select workspace |
+| Invite team members | Workspace settings → **Team** → **Invite** |
+
+## Workflows
+
+| Action | How |
+|--------|-----|
+| Create a workflow | Click **New Workflow** button or `Mod+Shift+A` |
+| Rename a workflow | Double-click workflow name in sidebar, or right-click → **Rename** |
+| Duplicate a workflow | Right-click workflow → **Duplicate** |
+| Reorder workflows | Drag workflow up/down in the sidebar list |
+| Import a workflow | Sidebar menu → **Import** → Select file |
+| Create a folder | Right-click in sidebar → **New Folder** |
+| Rename a folder | Right-click folder → **Rename** |
+| Delete a folder | Right-click folder → **Delete** |
+| Collapse/expand folder | Click folder arrow, or double-click folder |
+| Move workflow to folder | Drag workflow onto folder in sidebar |
+| Delete a workflow | Right-click workflow → **Delete** |
+| Export a workflow | Right-click workflow → **Export** |
+| Assign workflow color | Right-click workflow → **Change Color** |
+| Multi-select workflows | `Mod+Click` or `Shift+Click` workflows in sidebar |
+| Open in new tab | Right-click workflow → **Open in New Tab** |
+
+## Blocks
+
+| Action | How |
+|--------|-----|
+| Add a block | Drag from Toolbar panel, or right-click canvas → **Add Block** |
+| Select a block | Click on the block |
+| Multi-select blocks | `Mod+Click` additional blocks, or right-drag to draw selection box |
+| Move blocks | Drag selected block(s) to new position |
+| Copy blocks | `Mod+C` with blocks selected |
+| Paste blocks | `Mod+V` to paste copied blocks |
+| Duplicate blocks | Right-click → **Duplicate** |
+| Delete blocks | `Delete` or `Backspace` key, or right-click → **Delete** |
+| Rename a block | Click block name in header, or edit in the Editor panel |
+| Enable/Disable a block | Right-click → **Enable/Disable** |
+| Toggle handle orientation | Right-click → **Toggle Handles** |
+| Toggle trigger mode | Right-click trigger block → **Toggle Trigger Mode** |
+| Configure a block | Select block → use Editor panel on right |
+
+## Connections
+
+| Action | How |
+|--------|-----|
+| Create a connection | Drag from output handle to input handle |
+| Delete a connection | Click edge to select → `Delete` key |
+| Use output in another block | Drag connection tag into input field |
+
+## Canvas Navigation
+
+| Action | How |
+|--------|-----|
+| Pan/move canvas | Left-drag on empty space, or scroll/trackpad |
+| Zoom in/out | Scroll wheel or pinch gesture |
+| Auto-layout | `Shift+L` |
+| Draw selection box | Right-drag on empty canvas area |
+
+## Panels & Views
+
+| Action | How |
+|--------|-----|
+| Open Copilot tab | Press `C` or click Copilot tab |
+| Open Toolbar tab | Press `T` or click Toolbar tab |
+| Open Editor tab | Press `E` or click Editor tab |
+| Search toolbar | `Mod+F` |
+| Toggle advanced mode | Click toggle button on input fields |
+| Resize panels | Drag panel edge |
+| Collapse/expand sidebar | Click collapse button on sidebar |
+
+## Running & Testing
+
+| Action | How |
+|--------|-----|
+| Run workflow | Click Play button or `Mod+Enter` |
+| Stop workflow | Click Stop button or `Mod+Enter` while running |
+| Test with chat | Use Chat panel on the right side |
+| Select output to view | Click dropdown in Chat panel → Select block output |
+| Clear chat history | Click clear button in Chat panel |
+| View execution logs | Open terminal panel at bottom, or `Mod+L` |
+| Filter logs by block | Click block filter in terminal |
+| Filter logs by status | Click status filter in terminal |
+| Search logs | Use search field in terminal |
+| Copy log entry | Right-click log entry → **Copy** |
+| Clear terminal | `Mod+D` |
+
+## Deployment
+
+| Action | How |
+|--------|-----|
+| Deploy a workflow | Click **Deploy** button in Deploy tab |
+| Update deployment | Click **Update** when changes are detected |
+| View deployment status | Check status indicator (Live/Update/Deploy) in Deploy tab |
+| Revert deployment | Access previous versions in Deploy tab |
+| Copy webhook URL | Deploy tab → Copy webhook URL |
+| Copy API endpoint | Deploy tab → Copy API endpoint URL |
+| Set up a schedule | Add Schedule trigger block → Configure interval |
+
+## Variables
+
+| Action | How |
+|--------|-----|
+| Add workflow variable | Variables tab → **Add Variable** |
+| Edit workflow variable | Variables tab → Click variable to edit |
+| Delete workflow variable | Variables tab → Click delete icon on variable |
+| Add environment variable | Settings → **Environment Variables** → **Add** |
+| Reference a variable | Use `{{variableName}}` syntax in block inputs |
+
+## Credentials
+
+| Action | How |
+|--------|-----|
+| Add API key | Block credential field → **Add Credential** → Enter API key |
+| Connect OAuth account | Block credential field → **Connect** → Authorize with provider |
+| Manage credentials | Settings → **Credentials** |
+| Remove credential | Settings → **Credentials** → Delete credential |
+
--- a/apps/docs/content/docs/en/tools/confluence.mdx
+++ b/apps/docs/content/docs/en/tools/confluence.mdx
@@ -6,7 +6,7 @@ description: Interact with Confluence
 import { BlockInfoCard } from "@/components/ui/block-info-card"

 <BlockInfoCard 
-  type="confluence"
+  type="confluence_v2"
  color="#E0E0E0"
 />

--- a/apps/docs/content/docs/en/tools/file.mdx
+++ b/apps/docs/content/docs/en/tools/file.mdx
@@ -6,7 +6,7 @@ description: Read and parse multiple files
 import { BlockInfoCard } from "@/components/ui/block-info-card"

 <BlockInfoCard 
-  type="file"
+  type="file_v2"
  color="#40916C"
 />

@@ -48,7 +48,7 @@ Parse one or more uploaded files or files from URLs (text, PDF, CSV, images, etc

 | Parameter | Type | Description |
 | --------- | ---- | ----------- |
-| `files` | array | Array of parsed files |
-| `combinedContent` | string | Combined content of all parsed files |
+| `files` | array | Array of parsed files with content, metadata, and file properties |
+| `combinedContent` | string | All file contents merged into a single text string |


--- a/apps/docs/content/docs/en/tools/meta.json
+++ b/apps/docs/content/docs/en/tools/meta.json
@@ -106,6 +106,7 @@
    "supabase",
    "tavily",
    "telegram",
+    "textract",
    "tinybird",
    "translate",
    "trello",
--- a/apps/docs/content/docs/en/tools/mistral_parse.mdx
+++ b/apps/docs/content/docs/en/tools/mistral_parse.mdx
@@ -6,7 +6,7 @@ description: Extract text from PDF documents
 import { BlockInfoCard } from "@/components/ui/block-info-card"

 <BlockInfoCard 
-  type="mistral_parse"
+  type="mistral_parse_v2"
  color="#000000"
 />

@@ -54,18 +54,37 @@ Parse PDF documents using Mistral OCR API

 | Parameter | Type | Description |
 | --------- | ---- | ----------- |
-| `success` | boolean | Whether the PDF was parsed successfully |
-| `content` | string | Extracted content in the requested format \(markdown, text, or JSON\) |
-| `metadata` | object | Processing metadata including jobId, fileType, pageCount, and usage info |
-| ↳ `jobId` | string | Unique job identifier |
-| ↳ `fileType` | string | File type \(e.g., pdf\) |
-| ↳ `fileName` | string | Original file name |
-| ↳ `source` | string | Source type \(url\) |
-| ↳ `pageCount` | number | Number of pages processed |
-| ↳ `model` | string | Mistral model used |
-| ↳ `resultType` | string | Output format \(markdown, text, json\) |
-| ↳ `processedAt` | string | Processing timestamp |
-| ↳ `sourceUrl` | string | Source URL if applicable |
-| ↳ `usageInfo` | object | Usage statistics from OCR processing |
+| `pages` | array | Array of page objects from Mistral OCR |
+|   ↳ `index` | number | Page index \(zero-based\) |
+|   ↳ `markdown` | string | Extracted markdown content |
+|   ↳ `images` | array | Images extracted from this page with bounding boxes |
+|   ↳ `id` | string | Image identifier \(e.g., img-0.jpeg\) |
+|   ↳ `top_left_x` | number | Top-left X coordinate in pixels |
+|   ↳ `top_left_y` | number | Top-left Y coordinate in pixels |
+|   ↳ `bottom_right_x` | number | Bottom-right X coordinate in pixels |
+|   ↳ `bottom_right_y` | number | Bottom-right Y coordinate in pixels |
+|   ↳ `image_base64` | string | Base64-encoded image data \(when include_image_base64=true\) |
+|   ↳ `id` | string | Image identifier \(e.g., img-0.jpeg\) |
+|   ↳ `top_left_x` | number | Top-left X coordinate in pixels |
+|   ↳ `top_left_y` | number | Top-left Y coordinate in pixels |
+|   ↳ `bottom_right_x` | number | Bottom-right X coordinate in pixels |
+|   ↳ `bottom_right_y` | number | Bottom-right Y coordinate in pixels |
+|   ↳ `image_base64` | string | Base64-encoded image data \(when include_image_base64=true\) |
+|   ↳ `dimensions` | object | Page dimensions |
+|   ↳ `dpi` | number | Dots per inch |
+|   ↳ `height` | number | Page height in pixels |
+|   ↳ `width` | number | Page width in pixels |
+|   ↳ `dpi` | number | Dots per inch |
+|   ↳ `height` | number | Page height in pixels |
+|   ↳ `width` | number | Page width in pixels |
+|   ↳ `tables` | array | Extracted tables as HTML/markdown \(when table_format is set\). Referenced via placeholders like \[tbl-0.html\] |
+|   ↳ `hyperlinks` | array | Array of URL strings detected in the page \(e.g., \[ |
+|   ↳ `header` | string | Page header content \(when extract_header=true\) |
+|   ↳ `footer` | string | Page footer content \(when extract_footer=true\) |
+| `model` | string | Mistral OCR model identifier \(e.g., mistral-ocr-latest\) |
+| `usage_info` | object | Usage and processing statistics |
+| ↳ `pages_processed` | number | Total number of pages processed |
+| ↳ `doc_size_bytes` | number | Document file size in bytes |
+| `document_annotation` | string | Structured annotation data as JSON string \(when applicable\) |


--- a/apps/docs/content/docs/en/tools/s3.mdx
+++ b/apps/docs/content/docs/en/tools/s3.mdx
@@ -58,6 +58,7 @@ Upload a file to an AWS S3 bucket
 | Parameter | Type | Description |
 | --------- | ---- | ----------- |
 | `url` | string | URL of the uploaded S3 object |
+| `uri` | string | S3 URI of the uploaded object \(s3://bucket/key\) |
 | `metadata` | object | Upload metadata including ETag and location |

 ### `s3_get_object`
@@ -149,6 +150,7 @@ Copy an object within or between AWS S3 buckets
 | Parameter | Type | Description |
 | --------- | ---- | ----------- |
 | `url` | string | URL of the copied S3 object |
+| `uri` | string | S3 URI of the copied object \(s3://bucket/key\) |
 | `metadata` | object | Copy operation metadata |


--- a/apps/docs/content/docs/en/tools/textract.mdx
+++ b/apps/docs/content/docs/en/tools/textract.mdx
@@ -0,0 +1,120 @@
+---
+title: AWS Textract
+description: Extract text, tables, and forms from documents
+---
+
+import { BlockInfoCard } from "@/components/ui/block-info-card"
+
+<BlockInfoCard 
+  type="textract"
+  color="linear-gradient(135deg, #055F4E 0%, #56C0A7 100%)"
+/>
+
+{/* MANUAL-CONTENT-START:intro */}
+[AWS Textract](https://aws.amazon.com/textract/) is a powerful AI service from Amazon Web Services designed to automatically extract printed text, handwriting, tables, forms, key-value pairs, and other structured data from scanned documents and images. Textract leverages advanced optical character recognition (OCR) and document analysis to transform documents into actionable data, enabling automation, analytics, compliance, and more.
+
+With AWS Textract, you can:
+
+- **Extract text from images and documents**: Recognize printed text and handwriting in formats such as PDF, JPEG, PNG, or TIFF
+- **Detect and extract tables**: Automatically find tables and output their structured content
+- **Parse forms and key-value pairs**: Pull structured data from forms, including fields and their corresponding values
+- **Identify signatures and layout features**: Detect signatures, geometric layout, and relationships between document elements
+- **Customize extraction with queries**: Extract specific fields and answers using query-based extraction (e.g., "What is the invoice number?")
+
+In Sim, the AWS Textract integration empowers your agents to intelligently process documents as part of their workflows. This unlocks automation scenarios such as data entry from invoices, onboarding documents, contracts, receipts, and more. Your agents can extract relevant data, analyze structured forms, and generate summaries or reports directly from document uploads or URLs. By connecting Sim with AWS Textract, you can reduce manual effort, improve data accuracy, and streamline your business processes with robust document understanding.
+{/* MANUAL-CONTENT-END */}
+
+
+## Usage Instructions
+
+Integrate AWS Textract into your workflow to extract text, tables, forms, and key-value pairs from documents. Single-page mode supports JPEG, PNG, and single-page PDF. Multi-page mode supports multi-page PDF and TIFF.
+
+
+
+## Tools
+
+### `textract_parser`
+
+Parse documents using AWS Textract OCR and document analysis
+
+#### Input
+
+| Parameter | Type | Required | Description |
+| --------- | ---- | -------- | ----------- |
+| `accessKeyId` | string | Yes | AWS Access Key ID |
+| `secretAccessKey` | string | Yes | AWS Secret Access Key |
+| `region` | string | Yes | AWS region for Textract service \(e.g., us-east-1\) |
+| `processingMode` | string | No | Document type: single-page or multi-page. Defaults to single-page. |
+| `filePath` | string | No | URL to a document to be processed \(JPEG, PNG, or single-page PDF\). |
+| `s3Uri` | string | No | S3 URI for multi-page processing \(s3://bucket/key\). |
+| `fileUpload` | object | No | File upload data from file-upload component |
+| `featureTypes` | array | No | Feature types to detect: TABLES, FORMS, QUERIES, SIGNATURES, LAYOUT. If not specified, only text detection is performed. |
+| `items` | string | No | Feature type |
+| `queries` | array | No | Custom queries to extract specific information. Only used when featureTypes includes QUERIES. |
+| `items` | object | No | Query configuration |
+| `properties` | string | No | The query text |
+| `Text` | string | No | No description |
+| `Alias` | string | No | No description |
+
+#### Output
+
+| Parameter | Type | Description |
+| --------- | ---- | ----------- |
+| `blocks` | array | Array of Block objects containing detected text, tables, forms, and other elements |
+|   ↳ `BlockType` | string | Type of block \(PAGE, LINE, WORD, TABLE, CELL, KEY_VALUE_SET, etc.\) |
+|   ↳ `Id` | string | Unique identifier for the block |
+|   ↳ `Text` | string | Query text |
+|   ↳ `TextType` | string | Type of text \(PRINTED or HANDWRITING\) |
+|   ↳ `Confidence` | number | Confidence score \(0-100\) |
+|   ↳ `Page` | number | Page number |
+|   ↳ `Geometry` | object | Location and bounding box information |
+|   ↳ `BoundingBox` | object | Height as ratio of document height |
+|   ↳ `Height` | number | Height as ratio of document height |
+|   ↳ `Left` | number | Left position as ratio of document width |
+|   ↳ `Top` | number | Top position as ratio of document height |
+|   ↳ `Width` | number | Width as ratio of document width |
+|   ↳ `Height` | number | Height as ratio of document height |
+|   ↳ `Left` | number | Left position as ratio of document width |
+|   ↳ `Top` | number | Top position as ratio of document height |
+|   ↳ `Width` | number | Width as ratio of document width |
+|   ↳ `Polygon` | array | Polygon coordinates |
+|   ↳ `X` | number | X coordinate |
+|   ↳ `Y` | number | Y coordinate |
+|   ↳ `X` | number | X coordinate |
+|   ↳ `Y` | number | Y coordinate |
+|   ↳ `BoundingBox` | object | Height as ratio of document height |
+|   ↳ `Height` | number | Height as ratio of document height |
+|   ↳ `Left` | number | Left position as ratio of document width |
+|   ↳ `Top` | number | Top position as ratio of document height |
+|   ↳ `Width` | number | Width as ratio of document width |
+|   ↳ `Height` | number | Height as ratio of document height |
+|   ↳ `Left` | number | Left position as ratio of document width |
+|   ↳ `Top` | number | Top position as ratio of document height |
+|   ↳ `Width` | number | Width as ratio of document width |
+|   ↳ `Polygon` | array | Polygon coordinates |
+|   ↳ `X` | number | X coordinate |
+|   ↳ `Y` | number | Y coordinate |
+|   ↳ `X` | number | X coordinate |
+|   ↳ `Y` | number | Y coordinate |
+|   ↳ `Relationships` | array | Relationships to other blocks |
+|   ↳ `Type` | string | Relationship type \(CHILD, VALUE, ANSWER, etc.\) |
+|   ↳ `Ids` | array | IDs of related blocks |
+|   ↳ `Type` | string | Relationship type \(CHILD, VALUE, ANSWER, etc.\) |
+|   ↳ `Ids` | array | IDs of related blocks |
+|   ↳ `EntityTypes` | array | Entity types for KEY_VALUE_SET \(KEY or VALUE\) |
+|   ↳ `SelectionStatus` | string | For checkboxes: SELECTED or NOT_SELECTED |
+|   ↳ `RowIndex` | number | Row index for table cells |
+|   ↳ `ColumnIndex` | number | Column index for table cells |
+|   ↳ `RowSpan` | number | Row span for merged cells |
+|   ↳ `ColumnSpan` | number | Column span for merged cells |
+|   ↳ `Query` | object | Query information for QUERY blocks |
+|   ↳ `Text` | string | Query text |
+|   ↳ `Alias` | string | Query alias |
+|   ↳ `Pages` | array | Pages to search |
+|   ↳ `Alias` | string | Query alias |
+|   ↳ `Pages` | array | Pages to search |
+| `documentMetadata` | object | Metadata about the analyzed document |
+| ↳ `pages` | number | Number of pages in the document |
+| `modelVersion` | string | Version of the Textract model used for processing |
+
+
--- a/apps/docs/content/docs/en/tools/video_generator.mdx
+++ b/apps/docs/content/docs/en/tools/video_generator.mdx
@@ -6,7 +6,7 @@ description: Generate videos from text using AI
 import { BlockInfoCard } from "@/components/ui/block-info-card"

 <BlockInfoCard 
-  type="video_generator"
+  type="video_generator_v2"
  color="#181C1E"
 />

--- a/apps/sim/app/(auth)/login/login-form.tsx
+++ b/apps/sim/app/(auth)/login/login-form.tsx
@@ -2,10 +2,9 @@

 import { useEffect, useState } from 'react'
 import { createLogger } from '@sim/logger'
-import { ArrowRight, ChevronRight, Eye, EyeOff } from 'lucide-react'
+import { Eye, EyeOff } from 'lucide-react'
 import Link from 'next/link'
 import { useRouter, useSearchParams } from 'next/navigation'
-import { Button } from '@/components/ui/button'
 import {
  Dialog,
  DialogContent,
@@ -22,8 +21,10 @@ import { getBaseUrl } from '@/lib/core/utils/urls'
 import { quickValidateEmail } from '@/lib/messaging/email/validation'
 import { inter } from '@/app/_styles/fonts/inter/inter'
 import { soehne } from '@/app/_styles/fonts/soehne/soehne'
+import { BrandedButton } from '@/app/(auth)/components/branded-button'
 import { SocialLoginButtons } from '@/app/(auth)/components/social-login-buttons'
 import { SSOLoginButton } from '@/app/(auth)/components/sso-login-button'
+import { useBrandedButtonClass } from '@/hooks/use-branded-button-class'

 const logger = createLogger('LoginForm')

@@ -105,8 +106,7 @@ export default function LoginPage({
  const [password, setPassword] = useState('')
  const [passwordErrors, setPasswordErrors] = useState<string[]>([])
  const [showValidationError, setShowValidationError] = useState(false)
-  const [buttonClass, setButtonClass] = useState('branded-button-gradient')
-  const [isButtonHovered, setIsButtonHovered] = useState(false)
+  const buttonClass = useBrandedButtonClass()

  const [callbackUrl, setCallbackUrl] = useState('/workspace')
  const [isInviteFlow, setIsInviteFlow] = useState(false)
@@ -114,7 +114,6 @@ export default function LoginPage({
  const [forgotPasswordOpen, setForgotPasswordOpen] = useState(false)
  const [forgotPasswordEmail, setForgotPasswordEmail] = useState('')
  const [isSubmittingReset, setIsSubmittingReset] = useState(false)
-  const [isResetButtonHovered, setIsResetButtonHovered] = useState(false)
  const [resetStatus, setResetStatus] = useState<{
    type: 'success' | 'error' | null
    message: string
@@ -123,6 +122,7 @@ export default function LoginPage({
  const [email, setEmail] = useState('')
  const [emailErrors, setEmailErrors] = useState<string[]>([])
  const [showEmailValidationError, setShowEmailValidationError] = useState(false)
+  const [resetSuccessMessage, setResetSuccessMessage] = useState<string | null>(null)

  useEffect(() => {
    setMounted(true)
@@ -139,32 +139,12 @@ export default function LoginPage({

      const inviteFlow = searchParams.get('invite_flow') === 'true'
      setIsInviteFlow(inviteFlow)
-    }

-    const checkCustomBrand = () => {
-      const computedStyle = getComputedStyle(document.documentElement)
-      const brandAccent = computedStyle.getPropertyValue('--brand-accent-hex').trim()
-
-      if (brandAccent && brandAccent !== '#6f3dfa') {
-        setButtonClass('branded-button-custom')
-      } else {
-        setButtonClass('branded-button-gradient')
+      const resetSuccess = searchParams.get('resetSuccess') === 'true'
+      if (resetSuccess) {
+        setResetSuccessMessage('Password reset successful. Please sign in with your new password.')
      }
    }
-
-    checkCustomBrand()
-
-    window.addEventListener('resize', checkCustomBrand)
-    const observer = new MutationObserver(checkCustomBrand)
-    observer.observe(document.documentElement, {
-      attributes: true,
-      attributeFilter: ['style', 'class'],
-    })
-
-    return () => {
-      window.removeEventListener('resize', checkCustomBrand)
-      observer.disconnect()
-    }
  }, [searchParams])

  useEffect(() => {
@@ -202,6 +182,13 @@ export default function LoginPage({
    e.preventDefault()
    setIsLoading(true)

+    const redirectToVerify = (emailToVerify: string) => {
+      if (typeof window !== 'undefined') {
+        sessionStorage.setItem('verificationEmail', emailToVerify)
+      }
+      router.push('/verify')
+    }
+
    const formData = new FormData(e.currentTarget)
    const emailRaw = formData.get('email') as string
    const email = emailRaw.trim().toLowerCase()
@@ -221,6 +208,7 @@ export default function LoginPage({

    try {
      const safeCallbackUrl = validateCallbackUrl(callbackUrl) ? callbackUrl : '/workspace'
+      let errorHandled = false

      const result = await client.signIn.email(
        {
@@ -231,11 +219,16 @@ export default function LoginPage({
        {
          onError: (ctx) => {
            logger.error('Login error:', ctx.error)
-            const errorMessage: string[] = ['Invalid email or password']

            if (ctx.error.code?.includes('EMAIL_NOT_VERIFIED')) {
+              errorHandled = true
+              redirectToVerify(email)
              return
            }
+
+            errorHandled = true
+            const errorMessage: string[] = ['Invalid email or password']
+
            if (
              ctx.error.code?.includes('BAD_REQUEST') ||
              ctx.error.message?.includes('Email and password sign in is not enabled')
@@ -271,6 +264,7 @@ export default function LoginPage({
              errorMessage.push('Too many requests. Please wait a moment before trying again.')
            }

+            setResetSuccessMessage(null)
            setPasswordErrors(errorMessage)
            setShowValidationError(true)
          },
@@ -278,15 +272,25 @@ export default function LoginPage({
      )

      if (!result || result.error) {
+        // Show error if not already handled by onError callback
+        if (!errorHandled) {
+          setResetSuccessMessage(null)
+          const errorMessage = result?.error?.message || 'Login failed. Please try again.'
+          setPasswordErrors([errorMessage])
+          setShowValidationError(true)
+        }
        setIsLoading(false)
        return
      }
+
+      // Clear reset success message on successful login
+      setResetSuccessMessage(null)
+
+      // Explicit redirect fallback if better-auth doesn't redirect
+      router.push(safeCallbackUrl)
    } catch (err: any) {
      if (err.message?.includes('not verified') || err.code?.includes('EMAIL_NOT_VERIFIED')) {
-        if (typeof window !== 'undefined') {
-          sessionStorage.setItem('verificationEmail', email)
-        }
-        router.push('/verify')
+        redirectToVerify(email)
        return
      }

@@ -400,6 +404,13 @@ export default function LoginPage({
        </div>
      )}

+      {/* Password reset success message */}
+      {resetSuccessMessage && (
+        <div className={`${inter.className} mt-1 space-y-1 text-[#4CAF50] text-xs`}>
+          <p>{resetSuccessMessage}</p>
+        </div>
+      )}
+
      {/* Email/Password Form - show unless explicitly disabled */}
      {!isFalsy(getEnv('NEXT_PUBLIC_EMAIL_PASSWORD_SIGNUP_ENABLED')) && (
        <form onSubmit={onSubmit} className={`${inter.className} mt-8 space-y-8`}>
@@ -482,24 +493,14 @@ export default function LoginPage({
            </div>
          </div>

-          <Button
+          <BrandedButton
            type='submit'
-            onMouseEnter={() => setIsButtonHovered(true)}
-            onMouseLeave={() => setIsButtonHovered(false)}
-            className='group inline-flex w-full items-center justify-center gap-2 rounded-[10px] border border-[#6F3DFA] bg-gradient-to-b from-[#8357FF] to-[#6F3DFA] py-[6px] pr-[10px] pl-[12px] text-[15px] text-white shadow-[inset_0_2px_4px_0_#9B77FF] transition-all'
            disabled={isLoading}
+            loading={isLoading}
+            loadingText='Signing in'
          >
-            <span className='flex items-center gap-1'>
-              {isLoading ? 'Signing in...' : 'Sign in'}
-              <span className='inline-flex transition-transform duration-200 group-hover:translate-x-0.5'>
-                {isButtonHovered ? (
-                  <ArrowRight className='h-4 w-4' aria-hidden='true' />
-                ) : (
-                  <ChevronRight className='h-4 w-4' aria-hidden='true' />
-                )}
-              </span>
-            </span>
-          </Button>
+            Sign in
+          </BrandedButton>
        </form>
      )}

@@ -610,25 +611,15 @@ export default function LoginPage({
                <p>{resetStatus.message}</p>
              </div>
            )}
-            <Button
+            <BrandedButton
              type='button'
              onClick={handleForgotPassword}
-              onMouseEnter={() => setIsResetButtonHovered(true)}
-              onMouseLeave={() => setIsResetButtonHovered(false)}
-              className='group inline-flex w-full items-center justify-center gap-2 rounded-[10px] border border-[#6F3DFA] bg-gradient-to-b from-[#8357FF] to-[#6F3DFA] py-[6px] pr-[10px] pl-[12px] text-[15px] text-white shadow-[inset_0_2px_4px_0_#9B77FF] transition-all'
              disabled={isSubmittingReset}
+              loading={isSubmittingReset}
+              loadingText='Sending'
            >
-              <span className='flex items-center gap-1'>
-                {isSubmittingReset ? 'Sending...' : 'Send Reset Link'}
-                <span className='inline-flex transition-transform duration-200 group-hover:translate-x-0.5'>
-                  {isResetButtonHovered ? (
-                    <ArrowRight className='h-4 w-4' aria-hidden='true' />
-                  ) : (
-                    <ChevronRight className='h-4 w-4' aria-hidden='true' />
-                  )}
-                </span>
-              </span>
-            </Button>
+              Send Reset Link
+            </BrandedButton>
          </div>
        </DialogContent>
      </Dialog>
--- a/apps/sim/app/(auth)/reset-password/reset-password-form.tsx
+++ b/apps/sim/app/(auth)/reset-password/reset-password-form.tsx
@@ -1,12 +1,12 @@
 'use client'

-import { useEffect, useState } from 'react'
-import { ArrowRight, ChevronRight, Eye, EyeOff } from 'lucide-react'
-import { Button } from '@/components/ui/button'
+import { useState } from 'react'
+import { Eye, EyeOff } from 'lucide-react'
 import { Input } from '@/components/ui/input'
 import { Label } from '@/components/ui/label'
 import { cn } from '@/lib/core/utils/cn'
 import { inter } from '@/app/_styles/fonts/inter/inter'
+import { BrandedButton } from '@/app/(auth)/components/branded-button'

 interface RequestResetFormProps {
  email: string
@@ -27,36 +27,6 @@ export function RequestResetForm({
  statusMessage,
  className,
 }: RequestResetFormProps) {
-  const [buttonClass, setButtonClass] = useState('branded-button-gradient')
-  const [isButtonHovered, setIsButtonHovered] = useState(false)
-
-  useEffect(() => {
-    const checkCustomBrand = () => {
-      const computedStyle = getComputedStyle(document.documentElement)
-      const brandAccent = computedStyle.getPropertyValue('--brand-accent-hex').trim()
-
-      if (brandAccent && brandAccent !== '#6f3dfa') {
-        setButtonClass('branded-button-custom')
-      } else {
-        setButtonClass('branded-button-gradient')
-      }
-    }
-
-    checkCustomBrand()
-
-    window.addEventListener('resize', checkCustomBrand)
-    const observer = new MutationObserver(checkCustomBrand)
-    observer.observe(document.documentElement, {
-      attributes: true,
-      attributeFilter: ['style', 'class'],
-    })
-
-    return () => {
-      window.removeEventListener('resize', checkCustomBrand)
-      observer.disconnect()
-    }
-  }, [])
-
  const handleSubmit = async (e: React.FormEvent) => {
    e.preventDefault()
    onSubmit(email)
@@ -94,24 +64,14 @@ export function RequestResetForm({
        )}
      </div>

-      <Button
+      <BrandedButton
        type='submit'
        disabled={isSubmitting}
-        onMouseEnter={() => setIsButtonHovered(true)}
-        onMouseLeave={() => setIsButtonHovered(false)}
-        className='group inline-flex w-full items-center justify-center gap-2 rounded-[10px] border border-[#6F3DFA] bg-gradient-to-b from-[#8357FF] to-[#6F3DFA] py-[6px] pr-[10px] pl-[12px] text-[15px] text-white shadow-[inset_0_2px_4px_0_#9B77FF] transition-all'
+        loading={isSubmitting}
+        loadingText='Sending'
      >
-        <span className='flex items-center gap-1'>
-          {isSubmitting ? 'Sending...' : 'Send Reset Link'}
-          <span className='inline-flex transition-transform duration-200 group-hover:translate-x-0.5'>
-            {isButtonHovered ? (
-              <ArrowRight className='h-4 w-4' aria-hidden='true' />
-            ) : (
-              <ChevronRight className='h-4 w-4' aria-hidden='true' />
-            )}
-          </span>
-        </span>
-      </Button>
+        Send Reset Link
+      </BrandedButton>
    </form>
  )
 }
@@ -138,35 +98,6 @@ export function SetNewPasswordForm({
  const [validationMessage, setValidationMessage] = useState('')
  const [showPassword, setShowPassword] = useState(false)
  const [showConfirmPassword, setShowConfirmPassword] = useState(false)
-  const [buttonClass, setButtonClass] = useState('branded-button-gradient')
-  const [isButtonHovered, setIsButtonHovered] = useState(false)
-
-  useEffect(() => {
-    const checkCustomBrand = () => {
-      const computedStyle = getComputedStyle(document.documentElement)
-      const brandAccent = computedStyle.getPropertyValue('--brand-accent-hex').trim()
-
-      if (brandAccent && brandAccent !== '#6f3dfa') {
-        setButtonClass('branded-button-custom')
-      } else {
-        setButtonClass('branded-button-gradient')
-      }
-    }
-
-    checkCustomBrand()
-
-    window.addEventListener('resize', checkCustomBrand)
-    const observer = new MutationObserver(checkCustomBrand)
-    observer.observe(document.documentElement, {
-      attributes: true,
-      attributeFilter: ['style', 'class'],
-    })
-
-    return () => {
-      window.removeEventListener('resize', checkCustomBrand)
-      observer.disconnect()
-    }
-  }, [])

  const handleSubmit = async (e: React.FormEvent) => {
    e.preventDefault()
@@ -296,24 +227,14 @@ export function SetNewPasswordForm({
        )}
      </div>

-      <Button
-        disabled={isSubmitting || !token}
+      <BrandedButton
        type='submit'
-        onMouseEnter={() => setIsButtonHovered(true)}
-        onMouseLeave={() => setIsButtonHovered(false)}
-        className='group inline-flex w-full items-center justify-center gap-2 rounded-[10px] border border-[#6F3DFA] bg-gradient-to-b from-[#8357FF] to-[#6F3DFA] py-[6px] pr-[10px] pl-[12px] text-[15px] text-white shadow-[inset_0_2px_4px_0_#9B77FF] transition-all'
+        disabled={isSubmitting || !token}
+        loading={isSubmitting}
+        loadingText='Resetting'
      >
-        <span className='flex items-center gap-1'>
-          {isSubmitting ? 'Resetting...' : 'Reset Password'}
-          <span className='inline-flex transition-transform duration-200 group-hover:translate-x-0.5'>
-            {isButtonHovered ? (
-              <ArrowRight className='h-4 w-4' aria-hidden='true' />
-            ) : (
-              <ChevronRight className='h-4 w-4' aria-hidden='true' />
-            )}
-          </span>
-        </span>
-      </Button>
+        Reset Password
+      </BrandedButton>
    </form>
  )
 }
--- a/apps/sim/app/(auth)/signup/signup-form.tsx
+++ b/apps/sim/app/(auth)/signup/signup-form.tsx
@@ -2,10 +2,9 @@

 import { Suspense, useEffect, useState } from 'react'
 import { createLogger } from '@sim/logger'
-import { ArrowRight, ChevronRight, Eye, EyeOff } from 'lucide-react'
+import { Eye, EyeOff } from 'lucide-react'
 import Link from 'next/link'
 import { useRouter, useSearchParams } from 'next/navigation'
-import { Button } from '@/components/ui/button'
 import { Input } from '@/components/ui/input'
 import { Label } from '@/components/ui/label'
 import { client, useSession } from '@/lib/auth/auth-client'
@@ -14,8 +13,10 @@ import { cn } from '@/lib/core/utils/cn'
 import { quickValidateEmail } from '@/lib/messaging/email/validation'
 import { inter } from '@/app/_styles/fonts/inter/inter'
 import { soehne } from '@/app/_styles/fonts/soehne/soehne'
+import { BrandedButton } from '@/app/(auth)/components/branded-button'
 import { SocialLoginButtons } from '@/app/(auth)/components/social-login-buttons'
 import { SSOLoginButton } from '@/app/(auth)/components/sso-login-button'
+import { useBrandedButtonClass } from '@/hooks/use-branded-button-class'

 const logger = createLogger('SignupForm')

@@ -95,8 +96,7 @@ function SignupFormContent({
  const [showEmailValidationError, setShowEmailValidationError] = useState(false)
  const [redirectUrl, setRedirectUrl] = useState('')
  const [isInviteFlow, setIsInviteFlow] = useState(false)
-  const [buttonClass, setButtonClass] = useState('branded-button-gradient')
-  const [isButtonHovered, setIsButtonHovered] = useState(false)
+  const buttonClass = useBrandedButtonClass()

  const [name, setName] = useState('')
  const [nameErrors, setNameErrors] = useState<string[]>([])
@@ -126,31 +126,6 @@ function SignupFormContent({
    if (inviteFlowParam === 'true') {
      setIsInviteFlow(true)
    }
-
-    const checkCustomBrand = () => {
-      const computedStyle = getComputedStyle(document.documentElement)
-      const brandAccent = computedStyle.getPropertyValue('--brand-accent-hex').trim()
-
-      if (brandAccent && brandAccent !== '#6f3dfa') {
-        setButtonClass('branded-button-custom')
-      } else {
-        setButtonClass('branded-button-gradient')
-      }
-    }
-
-    checkCustomBrand()
-
-    window.addEventListener('resize', checkCustomBrand)
-    const observer = new MutationObserver(checkCustomBrand)
-    observer.observe(document.documentElement, {
-      attributes: true,
-      attributeFilter: ['style', 'class'],
-    })
-
-    return () => {
-      window.removeEventListener('resize', checkCustomBrand)
-      observer.disconnect()
-    }
  }, [searchParams])

  const validatePassword = (passwordValue: string): string[] => {
@@ -500,24 +475,14 @@ function SignupFormContent({
            </div>
          </div>

-          <Button
+          <BrandedButton
            type='submit'
-            onMouseEnter={() => setIsButtonHovered(true)}
-            onMouseLeave={() => setIsButtonHovered(false)}
-            className='group inline-flex w-full items-center justify-center gap-2 rounded-[10px] border border-[#6F3DFA] bg-gradient-to-b from-[#8357FF] to-[#6F3DFA] py-[6px] pr-[10px] pl-[12px] text-[15px] text-white shadow-[inset_0_2px_4px_0_#9B77FF] transition-all'
            disabled={isLoading}
+            loading={isLoading}
+            loadingText='Creating account'
          >
-            <span className='flex items-center gap-1'>
-              {isLoading ? 'Creating account' : 'Create account'}
-              <span className='inline-flex transition-transform duration-200 group-hover:translate-x-0.5'>
-                {isButtonHovered ? (
-                  <ArrowRight className='h-4 w-4' aria-hidden='true' />
-                ) : (
-                  <ChevronRight className='h-4 w-4' aria-hidden='true' />
-                )}
-              </span>
-            </span>
-          </Button>
+            Create account
+          </BrandedButton>
        </form>
      )}

--- a/apps/sim/app/(auth)/sso/sso-form.tsx
+++ b/apps/sim/app/(auth)/sso/sso-form.tsx
@@ -13,6 +13,7 @@ import { cn } from '@/lib/core/utils/cn'
 import { quickValidateEmail } from '@/lib/messaging/email/validation'
 import { inter } from '@/app/_styles/fonts/inter/inter'
 import { soehne } from '@/app/_styles/fonts/soehne/soehne'
+import { useBrandedButtonClass } from '@/hooks/use-branded-button-class'

 const logger = createLogger('SSOForm')

@@ -57,7 +58,7 @@ export default function SSOForm() {
  const [email, setEmail] = useState('')
  const [emailErrors, setEmailErrors] = useState<string[]>([])
  const [showEmailValidationError, setShowEmailValidationError] = useState(false)
-  const [buttonClass, setButtonClass] = useState('branded-button-gradient')
+  const buttonClass = useBrandedButtonClass()
  const [callbackUrl, setCallbackUrl] = useState('/workspace')

  useEffect(() => {
@@ -90,31 +91,6 @@ export default function SSOForm() {
        setShowEmailValidationError(true)
      }
    }
-
-    const checkCustomBrand = () => {
-      const computedStyle = getComputedStyle(document.documentElement)
-      const brandAccent = computedStyle.getPropertyValue('--brand-accent-hex').trim()
-
-      if (brandAccent && brandAccent !== '#6f3dfa') {
-        setButtonClass('branded-button-custom')
-      } else {
-        setButtonClass('branded-button-gradient')
-      }
-    }
-
-    checkCustomBrand()
-
-    window.addEventListener('resize', checkCustomBrand)
-    const observer = new MutationObserver(checkCustomBrand)
-    observer.observe(document.documentElement, {
-      attributes: true,
-      attributeFilter: ['style', 'class'],
-    })
-
-    return () => {
-      window.removeEventListener('resize', checkCustomBrand)
-      observer.disconnect()
-    }
  }, [searchParams])

  const handleEmailChange = (e: React.ChangeEvent<HTMLInputElement>) => {
--- a/apps/sim/app/(auth)/verify/verify-content.tsx
+++ b/apps/sim/app/(auth)/verify/verify-content.tsx
@@ -8,6 +8,7 @@ import { cn } from '@/lib/core/utils/cn'
 import { inter } from '@/app/_styles/fonts/inter/inter'
 import { soehne } from '@/app/_styles/fonts/soehne/soehne'
 import { useVerification } from '@/app/(auth)/verify/use-verification'
+import { useBrandedButtonClass } from '@/hooks/use-branded-button-class'

 interface VerifyContentProps {
  hasEmailService: boolean
@@ -58,34 +59,7 @@ function VerificationForm({
    setCountdown(30)
  }

-  const [buttonClass, setButtonClass] = useState('branded-button-gradient')
-
-  useEffect(() => {
-    const checkCustomBrand = () => {
-      const computedStyle = getComputedStyle(document.documentElement)
-      const brandAccent = computedStyle.getPropertyValue('--brand-accent-hex').trim()
-
-      if (brandAccent && brandAccent !== '#6f3dfa') {
-        setButtonClass('branded-button-custom')
-      } else {
-        setButtonClass('branded-button-gradient')
-      }
-    }
-
-    checkCustomBrand()
-
-    window.addEventListener('resize', checkCustomBrand)
-    const observer = new MutationObserver(checkCustomBrand)
-    observer.observe(document.documentElement, {
-      attributes: true,
-      attributeFilter: ['style', 'class'],
-    })
-
-    return () => {
-      window.removeEventListener('resize', checkCustomBrand)
-      observer.disconnect()
-    }
-  }, [])
+  const buttonClass = useBrandedButtonClass()

  return (
    <>
--- a/apps/sim/app/(landing)/careers/page.tsx
+++ b/apps/sim/app/(landing)/careers/page.tsx
@@ -4,7 +4,6 @@ import { useRef, useState } from 'react'
 import { createLogger } from '@sim/logger'
 import { X } from 'lucide-react'
 import { Textarea } from '@/components/emcn'
-import { Button } from '@/components/ui/button'
 import { Input } from '@/components/ui/input'
 import { Label } from '@/components/ui/label'
 import {
@@ -18,6 +17,7 @@ import { isHosted } from '@/lib/core/config/feature-flags'
 import { cn } from '@/lib/core/utils/cn'
 import { quickValidateEmail } from '@/lib/messaging/email/validation'
 import { soehne } from '@/app/_styles/fonts/soehne/soehne'
+import { BrandedButton } from '@/app/(auth)/components/branded-button'
 import Footer from '@/app/(landing)/components/footer/footer'
 import Nav from '@/app/(landing)/components/nav/nav'

@@ -493,18 +493,17 @@ export default function CareersPage() {

              {/* Submit Button */}
              <div className='flex justify-end pt-2'>
-                <Button
+                <BrandedButton
                  type='submit'
                  disabled={isSubmitting || submitStatus === 'success'}
-                  className='min-w-[200px] rounded-[10px] border border-[#6F3DFA] bg-gradient-to-b from-[#8357FF] to-[#6F3DFA] text-white shadow-[inset_0_2px_4px_0_#9B77FF] transition-all duration-300 hover:opacity-90 disabled:opacity-50'
-                  size='lg'
+                  loading={isSubmitting}
+                  loadingText='Submitting'
+                  showArrow={false}
+                  fullWidth={false}
+                  className='min-w-[200px]'
                >
-                  {isSubmitting
-                    ? 'Submitting...'
-                    : submitStatus === 'success'
-                      ? 'Submitted'
-                      : 'Submit Application'}
-                </Button>
+                  {submitStatus === 'success' ? 'Submitted' : 'Submit Application'}
+                </BrandedButton>
              </div>
            </form>
          </section>
--- a/apps/sim/app/(landing)/components/footer/components/status-indicator.tsx
+++ b/apps/sim/app/(landing)/components/footer/components/status-indicator.tsx
@@ -59,7 +59,7 @@ export default function StatusIndicator() {
      href={statusUrl}
      target='_blank'
      rel='noopener noreferrer'
-      className={`flex items-center gap-[6px] whitespace-nowrap text-[12px] transition-colors ${STATUS_COLORS[status]}`}
+      className={`flex min-w-[165px] items-center gap-[6px] whitespace-nowrap text-[12px] transition-colors ${STATUS_COLORS[status]}`}
      aria-label={`System status: ${message}`}
    >
      <StatusDotIcon status={status} className='h-[6px] w-[6px]' aria-hidden='true' />
--- a/apps/sim/app/(landing)/components/hero/components/index.ts
+++ b/apps/sim/app/(landing)/components/hero/components/index.ts
@@ -10,8 +10,8 @@ export { LandingLoopNode } from './landing-canvas/landing-block/landing-loop-nod
 export { LandingNode } from './landing-canvas/landing-block/landing-node'
 export type { LoopBlockProps } from './landing-canvas/landing-block/loop-block'
 export { LoopBlock } from './landing-canvas/landing-block/loop-block'
-export type { TagProps } from './landing-canvas/landing-block/tag'
-export { Tag } from './landing-canvas/landing-block/tag'
+export type { SubBlockRowProps, TagProps } from './landing-canvas/landing-block/tag'
+export { SubBlockRow, Tag } from './landing-canvas/landing-block/tag'
 export type {
  LandingBlockNode,
  LandingCanvasProps,
--- a/apps/sim/app/(landing)/components/hero/components/landing-canvas/landing-block/landing-block.tsx
+++ b/apps/sim/app/(landing)/components/hero/components/landing-canvas/landing-block/landing-block.tsx
@@ -1,12 +1,12 @@
 import React from 'react'
-import { BookIcon } from 'lucide-react'
 import {
-  Tag,
-  type TagProps,
+  SubBlockRow,
+  type SubBlockRowProps,
 } from '@/app/(landing)/components/hero/components/landing-canvas/landing-block/tag'

 /**
 * Data structure for a landing card component
+ * Matches the workflow block structure from the application
 */
 export interface LandingCardData {
  /** Icon element to display in the card header */
@@ -15,8 +15,8 @@ export interface LandingCardData {
  color: string | '#f6f6f6'
  /** Name/title of the card */
  name: string
-  /** Optional tags to display at the bottom of the card */
-  tags?: TagProps[]
+  /** Optional subblock rows to display below the header */
+  tags?: SubBlockRowProps[]
 }

 /**
@@ -28,7 +28,8 @@ export interface LandingBlockProps extends LandingCardData {
 }

 /**
- * Landing block component that displays a card with icon, name, and optional tags
+ * Landing block component that displays a card with icon, name, and optional subblock rows
+ * Styled to match the application's workflow blocks
 * @param props - Component properties including icon, color, name, tags, and className
 * @returns A styled block card component
 */
@@ -39,33 +40,37 @@ export const LandingBlock = React.memo(function LandingBlock({
  tags,
  className,
 }: LandingBlockProps) {
+  const hasContentBelowHeader = tags && tags.length > 0
+
  return (
    <div
-      className={`z-10 flex w-64 flex-col items-start gap-3 rounded-[14px] border border-[#E5E5E5] bg-[#FEFEFE] p-3 ${className ?? ''}`}
-      style={{
-        boxShadow: '0 1px 2px 0 rgba(0, 0, 0, 0.05)',
-      }}
+      className={`z-10 flex w-[250px] flex-col rounded-[8px] border border-[#E5E5E5] bg-white ${className ?? ''}`}
    >
-      <div className='flex w-full items-center justify-between'>
-        <div className='flex items-center gap-2.5'>
+      {/* Header - matches workflow-block.tsx header styling */}
+      <div
+        className={`flex items-center justify-between p-[8px] ${hasContentBelowHeader ? 'border-[#E5E5E5] border-b' : ''}`}
+      >
+        <div className='flex min-w-0 flex-1 items-center gap-[10px]'>
          <div
-            className='flex h-6 w-6 items-center justify-center rounded-[8px] text-white'
-            style={{ backgroundColor: color as string }}
+            className='flex h-[24px] w-[24px] flex-shrink-0 items-center justify-center rounded-[6px]'
+            style={{ background: color as string }}
          >
            {icon}
          </div>
-          <p className='text-base text-card-foreground'>{name}</p>
+          <span className='truncate font-medium text-[#171717] text-[16px]' title={name}>
+            {name}
+          </span>
        </div>
-        <BookIcon className='h-4 w-4 text-muted-foreground' />
      </div>

-      {tags && tags.length > 0 ? (
-        <div className='flex flex-wrap gap-2'>
+      {/* Content - SubBlock Rows matching workflow-block.tsx */}
+      {hasContentBelowHeader && (
+        <div className='flex flex-col gap-[8px] p-[8px]'>
          {tags.map((tag) => (
-            <Tag key={tag.label} icon={tag.icon} label={tag.label} />
+            <SubBlockRow key={tag.label} icon={tag.icon} label={tag.label} />
          ))}
        </div>
-      ) : null}
+      )}
    </div>
  )
 })
--- a/apps/sim/app/(landing)/components/hero/components/landing-canvas/landing-block/landing-node.tsx
+++ b/apps/sim/app/(landing)/components/hero/components/landing-canvas/landing-block/landing-node.tsx
@@ -7,9 +7,14 @@ import {
  type LandingCardData,
 } from '@/app/(landing)/components/hero/components/landing-canvas/landing-block/landing-block'

+/**
+ * Handle Y offset from block top - matches HANDLE_POSITIONS.DEFAULT_Y_OFFSET
+ */
+const HANDLE_Y_OFFSET = 20
+
 /**
 * React Flow node component for the landing canvas
- * Includes CSS animations and connection handles
+ * Styled to match the application's workflow blocks
 * @param props - Component properties containing node data
 * @returns A React Flow compatible node component
 */
@@ -41,15 +46,15 @@ export const LandingNode = React.memo(function LandingNode({ data }: { data: Lan
          type='target'
          position={Position.Left}
          style={{
-            width: '12px',
-            height: '12px',
-            background: '#FEFEFE',
-            border: '1px solid #E5E5E5',
-            borderRadius: '50%',
-            top: '50%',
-            left: '-20px',
+            width: '7px',
+            height: '20px',
+            background: '#D1D1D1',
+            border: 'none',
+            borderRadius: '2px 0 0 2px',
+            top: `${HANDLE_Y_OFFSET}px`,
+            left: '-7px',
            transform: 'translateY(-50%)',
-            zIndex: 2,
+            zIndex: 10,
          }}
          isConnectable={false}
        />
@@ -59,15 +64,15 @@ export const LandingNode = React.memo(function LandingNode({ data }: { data: Lan
          type='source'
          position={Position.Right}
          style={{
-            width: '12px',
-            height: '12px',
-            background: '#FEFEFE',
-            border: '1px solid #E5E5E5',
-            borderRadius: '50%',
-            top: '50%',
-            right: '-20px',
+            width: '7px',
+            height: '20px',
+            background: '#D1D1D1',
+            border: 'none',
+            borderRadius: '0 2px 2px 0',
+            top: `${HANDLE_Y_OFFSET}px`,
+            right: '-7px',
            transform: 'translateY(-50%)',
-            zIndex: 2,
+            zIndex: 10,
          }}
          isConnectable={false}
        />
--- a/apps/sim/app/(landing)/components/hero/components/landing-canvas/landing-block/loop-block.tsx
+++ b/apps/sim/app/(landing)/components/hero/components/landing-canvas/landing-block/loop-block.tsx
@@ -15,6 +15,7 @@ export interface LoopBlockProps {
 /**
 * Loop block container component that provides a styled container
 * for grouping related elements with a dashed border
+ * Styled to match the application's subflow containers
 * @param props - Component properties including children and styling
 * @returns A styled loop container component
 */
@@ -29,33 +30,33 @@ export const LoopBlock = React.memo(function LoopBlock({
      style={{
        width: '1198px',
        height: '528px',
-        borderRadius: '14px',
-        background: 'rgba(59, 130, 246, 0.10)',
+        borderRadius: '8px',
+        background: 'rgba(59, 130, 246, 0.08)',
        position: 'relative',
        ...style,
      }}
    >
-      {/* Custom dashed border with SVG */}
+      {/* Custom dashed border with SVG - 8px border radius to match blocks */}
      <svg
        className='pointer-events-none absolute inset-0 h-full w-full'
-        style={{ borderRadius: '14px' }}
+        style={{ borderRadius: '8px' }}
        preserveAspectRatio='none'
      >
        <path
          className='landing-loop-animated-dash'
-          d='M 1183.5 527.5 
-             L 14 527.5 
-             A 13.5 13.5 0 0 1 0.5 514 
-             L 0.5 14 
-             A 13.5 13.5 0 0 1 14 0.5 
-             L 1183.5 0.5 
-             A 13.5 13.5 0 0 1 1197 14 
-             L 1197 514 
-             A 13.5 13.5 0 0 1 1183.5 527.5 Z'
+          d='M 1190 527.5 
+             L 8 527.5 
+             A 7.5 7.5 0 0 1 0.5 520 
+             L 0.5 8 
+             A 7.5 7.5 0 0 1 8 0.5 
+             L 1190 0.5 
+             A 7.5 7.5 0 0 1 1197.5 8 
+             L 1197.5 520 
+             A 7.5 7.5 0 0 1 1190 527.5 Z'
          fill='none'
          stroke='#3B82F6'
          strokeWidth='1'
-          strokeDasharray='12 12'
+          strokeDasharray='8 8'
          strokeLinecap='round'
        />
      </svg>
--- a/apps/sim/app/(landing)/components/hero/components/landing-canvas/landing-block/tag.tsx
+++ b/apps/sim/app/(landing)/components/hero/components/landing-canvas/landing-block/tag.tsx
@@ -1,25 +1,52 @@
 import React from 'react'

 /**
- * Properties for a tag component
+ * Properties for a subblock row component
+ * Matches the SubBlockRow pattern from workflow-block.tsx
 */
-export interface TagProps {
-  /** Icon element to display in the tag */
-  icon: React.ReactNode
-  /** Text label for the tag */
+export interface SubBlockRowProps {
+  /** Icon element to display (optional, for visual context) */
+  icon?: React.ReactNode
+  /** Text label for the row title */
  label: string
+  /** Optional value to display on the right side */
+  value?: string
 }

 /**
- * Tag component for displaying labeled icons in a compact format
- * @param props - Tag properties including icon and label
- * @returns A styled tag component
+ * Kept for backwards compatibility
 */
-export const Tag = React.memo(function Tag({ icon, label }: TagProps) {
+export type TagProps = SubBlockRowProps
+
+/**
+ * SubBlockRow component matching the workflow block's subblock row style
+ * @param props - Row properties including label and optional value
+ * @returns A styled row component
+ */
+export const SubBlockRow = React.memo(function SubBlockRow({ label, value }: SubBlockRowProps) {
+  // Split label by colon to separate title and value if present
+  const [title, displayValue] = label.includes(':')
+    ? label.split(':').map((s) => s.trim())
+    : [label, value]
+
  return (
-    <div className='flex w-fit items-center gap-1 rounded-[8px] border border-gray-300 bg-white px-2 py-0.5'>
-      <div className='h-3 w-3 text-muted-foreground'>{icon}</div>
-      <p className='text-muted-foreground text-xs leading-normal'>{label}</p>
+    <div className='flex items-center gap-[8px]'>
+      <span className='min-w-0 truncate text-[#888888] text-[14px] capitalize' title={title}>
+        {title}
+      </span>
+      {displayValue && (
+        <span
+          className='flex-1 truncate text-right text-[#171717] text-[14px]'
+          title={displayValue}
+        >
+          {displayValue}
+        </span>
+      )}
    </div>
  )
 })
+
+/**
+ * Tag component - alias for SubBlockRow for backwards compatibility
+ */
+export const Tag = SubBlockRow
--- a/apps/sim/app/(landing)/components/hero/components/landing-canvas/landing-canvas.tsx
+++ b/apps/sim/app/(landing)/components/hero/components/landing-canvas/landing-canvas.tsx
@@ -9,9 +9,10 @@ import { LandingFlow } from '@/app/(landing)/components/hero/components/landing-

 /**
 * Visual constants for landing node dimensions
+ * Matches BLOCK_DIMENSIONS from the application
 */
-export const CARD_WIDTH = 256
-export const CARD_HEIGHT = 92
+export const CARD_WIDTH = 250
+export const CARD_HEIGHT = 100

 /**
 * Landing block node with positioning information
--- a/apps/sim/app/(landing)/components/hero/components/landing-canvas/landing-edge/landing-edge.tsx
+++ b/apps/sim/app/(landing)/components/hero/components/landing-canvas/landing-edge/landing-edge.tsx
@@ -4,33 +4,29 @@ import React from 'react'
 import { type EdgeProps, getSmoothStepPath, Position } from 'reactflow'

 /**
- * Custom edge component with animated dotted line that floats between handles
+ * Custom edge component with animated dashed line
+ * Styled to match the application's workflow edges with rectangular handles
 * @param props - React Flow edge properties
- * @returns An animated dotted edge component
+ * @returns An animated dashed edge component
 */
 export const LandingEdge = React.memo(function LandingEdge(props: EdgeProps) {
-  const { id, sourceX, sourceY, targetX, targetY, sourcePosition, targetPosition, style, data } =
-    props
+  const { id, sourceX, sourceY, targetX, targetY, sourcePosition, targetPosition, style } = props

-  // Adjust the connection points to create floating effect
-  // Account for handle size (12px) and additional spacing
-  const handleRadius = 6 // Half of handle width (12px)
-  const floatingGap = 1 // Additional gap for floating effect
-
-  // Calculate adjusted positions based on edge direction
+  // Adjust the connection points to connect flush with rectangular handles
+  // Handle width is 7px, positioned at -7px from edge
  let adjustedSourceX = sourceX
  let adjustedTargetX = targetX

  if (sourcePosition === Position.Right) {
-    adjustedSourceX = sourceX + handleRadius + floatingGap
+    adjustedSourceX = sourceX + 1
  } else if (sourcePosition === Position.Left) {
-    adjustedSourceX = sourceX - handleRadius - floatingGap
+    adjustedSourceX = sourceX - 1
  }

  if (targetPosition === Position.Left) {
-    adjustedTargetX = targetX - handleRadius - floatingGap
+    adjustedTargetX = targetX - 1
  } else if (targetPosition === Position.Right) {
-    adjustedTargetX = targetX + handleRadius + floatingGap
+    adjustedTargetX = targetX + 1
  }

  const [path] = getSmoothStepPath({
@@ -40,8 +36,8 @@ export const LandingEdge = React.memo(function LandingEdge(props: EdgeProps) {
    targetY,
    sourcePosition,
    targetPosition,
-    borderRadius: 20,
-    offset: 10,
+    borderRadius: 8,
+    offset: 16,
  })

  return (
--- a/apps/sim/app/(landing)/components/hero/hero.tsx
+++ b/apps/sim/app/(landing)/components/hero/hero.tsx
@@ -1,16 +1,7 @@
 'use client'

 import React from 'react'
-import {
-  ArrowUp,
-  BinaryIcon,
-  BookIcon,
-  CalendarIcon,
-  CodeIcon,
-  Globe2Icon,
-  MessageSquareIcon,
-  VariableIcon,
-} from 'lucide-react'
+import { ArrowUp, CodeIcon } from 'lucide-react'
 import { useRouter } from 'next/navigation'
 import { type Edge, type Node, Position } from 'reactflow'
 import {
@@ -23,7 +14,6 @@ import {
  JiraIcon,
  LinearIcon,
  NotionIcon,
-  OpenAIIcon,
  OutlookIcon,
  PackageSearchIcon,
  PineconeIcon,
@@ -65,67 +55,56 @@ const SERVICE_TEMPLATES = {

 /**
 * Landing blocks for the canvas preview
+ * Styled to match the application's workflow blocks with subblock rows
 */
 const LANDING_BLOCKS: LandingManualBlock[] = [
  {
    id: 'schedule',
    name: 'Schedule',
    color: '#7B68EE',
-    icon: <ScheduleIcon className='h-4 w-4' />,
+    icon: <ScheduleIcon className='h-[16px] w-[16px] text-white' />,
    positions: {
      mobile: { x: 8, y: 60 },
      tablet: { x: 40, y: 120 },
      desktop: { x: 60, y: 180 },
    },
-    tags: [
-      { icon: <CalendarIcon className='h-3 w-3' />, label: '09:00AM Daily' },
-      { icon: <Globe2Icon className='h-3 w-3' />, label: 'PST' },
-    ],
+    tags: [{ label: 'Time: 09:00AM Daily' }, { label: 'Timezone: PST' }],
  },
  {
    id: 'knowledge',
    name: 'Knowledge',
    color: '#00B0B0',
-    icon: <PackageSearchIcon className='h-4 w-4' />,
+    icon: <PackageSearchIcon className='h-[16px] w-[16px] text-white' />,
    positions: {
      mobile: { x: 120, y: 140 },
      tablet: { x: 220, y: 200 },
      desktop: { x: 420, y: 241 },
    },
-    tags: [
-      { icon: <BookIcon className='h-3 w-3' />, label: 'Product Vector DB' },
-      { icon: <BinaryIcon className='h-3 w-3' />, label: 'Limit: 10' },
-    ],
+    tags: [{ label: 'Source: Product Vector DB' }, { label: 'Limit: 10' }],
  },
  {
    id: 'agent',
    name: 'Agent',
    color: '#802FFF',
-    icon: <AgentIcon className='h-4 w-4' />,
+    icon: <AgentIcon className='h-[16px] w-[16px] text-white' />,
    positions: {
      mobile: { x: 340, y: 60 },
      tablet: { x: 540, y: 120 },
      desktop: { x: 880, y: 142 },
    },
-    tags: [
-      { icon: <OpenAIIcon className='h-3 w-3' />, label: 'gpt-5' },
-      { icon: <MessageSquareIcon className='h-3 w-3' />, label: 'You are a support ag...' },
-    ],
+    tags: [{ label: 'Model: gpt-5' }, { label: 'Prompt: You are a support ag...' }],
  },
  {
    id: 'function',
    name: 'Function',
    color: '#FF402F',
-    icon: <CodeIcon className='h-4 w-4' />,
+    icon: <CodeIcon className='h-[16px] w-[16px] text-white' />,
    positions: {
      mobile: { x: 480, y: 220 },
      tablet: { x: 740, y: 280 },
      desktop: { x: 880, y: 340 },
    },
-    tags: [
-      { icon: <CodeIcon className='h-3 w-3' />, label: 'Python' },
-      { icon: <VariableIcon className='h-3 w-3' />, label: 'time = "2025-09-01...' },
-    ],
+    tags: [{ label: 'Language: Python' }, { label: 'Code: time = "2025-09-01...' }],
  },
 ]

--- a/apps/sim/app/(landing)/components/landing-pricing/landing-pricing.tsx
+++ b/apps/sim/app/(landing)/components/landing-pricing/landing-pricing.tsx
@@ -229,7 +229,7 @@ function PricingCard({
 */
 export default function LandingPricing() {
  return (
-    <section id='pricing' className='px-4 pt-[19px] sm:px-0 sm:pt-0' aria-label='Pricing plans'>
+    <section id='pricing' className='px-4 pt-[23px] sm:px-0 sm:pt-[4px]' aria-label='Pricing plans'>
      <h2 className='sr-only'>Pricing Plans</h2>
      <div className='relative mx-auto w-full max-w-[1289px]'>
        <div className='grid grid-cols-1 gap-4 sm:grid-cols-2 sm:gap-0 lg:grid-cols-4'>
--- a/apps/sim/app/(landing)/components/nav/nav.tsx
+++ b/apps/sim/app/(landing)/components/nav/nav.tsx
@@ -11,6 +11,7 @@ import { useBrandConfig } from '@/lib/branding/branding'
 import { isHosted } from '@/lib/core/config/feature-flags'
 import { soehne } from '@/app/_styles/fonts/soehne/soehne'
 import { getFormattedGitHubStars } from '@/app/(landing)/actions/github'
+import { useBrandedButtonClass } from '@/hooks/use-branded-button-class'

 const logger = createLogger('nav')

@@ -20,11 +21,12 @@ interface NavProps {
 }

 export default function Nav({ hideAuthButtons = false, variant = 'landing' }: NavProps = {}) {
-  const [githubStars, setGithubStars] = useState('25.1k')
+  const [githubStars, setGithubStars] = useState('26.1k')
  const [isHovered, setIsHovered] = useState(false)
  const [isLoginHovered, setIsLoginHovered] = useState(false)
  const router = useRouter()
  const brand = useBrandConfig()
+  const buttonClass = useBrandedButtonClass()

  useEffect(() => {
    if (variant !== 'landing') return
@@ -183,7 +185,7 @@ export default function Nav({ hideAuthButtons = false, variant = 'landing' }: Na
            href='/signup'
            onMouseEnter={() => setIsHovered(true)}
            onMouseLeave={() => setIsHovered(false)}
-            className='group inline-flex items-center justify-center gap-2 rounded-[10px] border border-[#6F3DFA] bg-gradient-to-b from-[#8357FF] to-[#6F3DFA] py-[6px] pr-[10px] pl-[12px] text-[14px] text-white shadow-[inset_0_2px_4px_0_#9B77FF] transition-all sm:text-[16px]'
+            className={`${buttonClass} group inline-flex items-center justify-center gap-2 rounded-[10px] py-[6px] pr-[10px] pl-[12px] text-[15px] text-white transition-all`}
            aria-label='Get started with Sim - Sign up for free'
            prefetch={true}
          >
--- a/apps/sim/app/(landing)/studio/[slug]/back-link.tsx
+++ b/apps/sim/app/(landing)/studio/[slug]/back-link.tsx
@@ -0,0 +1,27 @@
+'use client'
+
+import { useState } from 'react'
+import { ArrowLeft, ChevronLeft } from 'lucide-react'
+import Link from 'next/link'
+
+export function BackLink() {
+  const [isHovered, setIsHovered] = useState(false)
+
+  return (
+    <Link
+      href='/studio'
+      className='group flex items-center gap-1 text-gray-600 text-sm hover:text-gray-900'
+      onMouseEnter={() => setIsHovered(true)}
+      onMouseLeave={() => setIsHovered(false)}
+    >
+      <span className='group-hover:-translate-x-0.5 inline-flex transition-transform duration-200'>
+        {isHovered ? (
+          <ArrowLeft className='h-4 w-4' aria-hidden='true' />
+        ) : (
+          <ChevronLeft className='h-4 w-4' aria-hidden='true' />
+        )}
+      </span>
+      Back to Sim Studio
+    </Link>
+  )
+}
--- a/apps/sim/app/(landing)/studio/[slug]/page.tsx
+++ b/apps/sim/app/(landing)/studio/[slug]/page.tsx
@@ -5,7 +5,10 @@ import { Avatar, AvatarFallback, AvatarImage } from '@/components/emcn'
 import { FAQ } from '@/lib/blog/faq'
 import { getAllPostMeta, getPostBySlug, getRelatedPosts } from '@/lib/blog/registry'
 import { buildArticleJsonLd, buildBreadcrumbJsonLd, buildPostMetadata } from '@/lib/blog/seo'
+import { getBaseUrl } from '@/lib/core/utils/urls'
 import { soehne } from '@/app/_styles/fonts/soehne/soehne'
+import { BackLink } from '@/app/(landing)/studio/[slug]/back-link'
+import { ShareButton } from '@/app/(landing)/studio/[slug]/share-button'

 export async function generateStaticParams() {
  const posts = await getAllPostMeta()
@@ -48,9 +51,7 @@ export default async function Page({ params }: { params: Promise<{ slug: string
      />
      <header className='mx-auto max-w-[1450px] px-6 pt-8 sm:px-8 sm:pt-12 md:px-12 md:pt-16'>
        <div className='mb-6'>
-          <Link href='/studio' className='text-gray-600 text-sm hover:text-gray-900'>
-            ← Back to Sim Studio
-          </Link>
+          <BackLink />
        </div>
        <div className='flex flex-col gap-8 md:flex-row md:gap-12'>
          <div className='w-full flex-shrink-0 md:w-[450px]'>
@@ -75,28 +76,31 @@ export default async function Page({ params }: { params: Promise<{ slug: string
            >
              {post.title}
            </h1>
-            <div className='mt-4 flex items-center gap-3'>
-              {(post.authors || [post.author]).map((a, idx) => (
-                <div key={idx} className='flex items-center gap-2'>
-                  {a?.avatarUrl ? (
-                    <Avatar className='size-6'>
-                      <AvatarImage src={a.avatarUrl} alt={a.name} />
-                      <AvatarFallback>{a.name.slice(0, 2)}</AvatarFallback>
-                    </Avatar>
-                  ) : null}
-                  <Link
-                    href={a?.url || '#'}
-                    target='_blank'
-                    rel='noopener noreferrer author'
-                    className='text-[14px] text-gray-600 leading-[1.5] hover:text-gray-900 sm:text-[16px]'
-                    itemProp='author'
-                    itemScope
-                    itemType='https://schema.org/Person'
-                  >
-                    <span itemProp='name'>{a?.name}</span>
-                  </Link>
-                </div>
-              ))}
+            <div className='mt-4 flex items-center justify-between'>
+              <div className='flex items-center gap-3'>
+                {(post.authors || [post.author]).map((a, idx) => (
+                  <div key={idx} className='flex items-center gap-2'>
+                    {a?.avatarUrl ? (
+                      <Avatar className='size-6'>
+                        <AvatarImage src={a.avatarUrl} alt={a.name} />
+                        <AvatarFallback>{a.name.slice(0, 2)}</AvatarFallback>
+                      </Avatar>
+                    ) : null}
+                    <Link
+                      href={a?.url || '#'}
+                      target='_blank'
+                      rel='noopener noreferrer author'
+                      className='text-[14px] text-gray-600 leading-[1.5] hover:text-gray-900 sm:text-[16px]'
+                      itemProp='author'
+                      itemScope
+                      itemType='https://schema.org/Person'
+                    >
+                      <span itemProp='name'>{a?.name}</span>
+                    </Link>
+                  </div>
+                ))}
+              </div>
+              <ShareButton url={`${getBaseUrl()}/studio/${slug}`} title={post.title} />
            </div>
          </div>
        </div>
--- a/apps/sim/app/(landing)/studio/[slug]/share-button.tsx
+++ b/apps/sim/app/(landing)/studio/[slug]/share-button.tsx
@@ -0,0 +1,65 @@
+'use client'
+
+import { useState } from 'react'
+import { Share2 } from 'lucide-react'
+import { Popover, PopoverContent, PopoverItem, PopoverTrigger } from '@/components/emcn'
+
+interface ShareButtonProps {
+  url: string
+  title: string
+}
+
+export function ShareButton({ url, title }: ShareButtonProps) {
+  const [open, setOpen] = useState(false)
+  const [copied, setCopied] = useState(false)
+
+  const handleCopyLink = async () => {
+    try {
+      await navigator.clipboard.writeText(url)
+      setCopied(true)
+      setTimeout(() => {
+        setCopied(false)
+        setOpen(false)
+      }, 1000)
+    } catch {
+      setOpen(false)
+    }
+  }
+
+  const handleShareTwitter = () => {
+    const tweetUrl = `https://twitter.com/intent/tweet?url=${encodeURIComponent(url)}&text=${encodeURIComponent(title)}`
+    window.open(tweetUrl, '_blank', 'noopener,noreferrer')
+    setOpen(false)
+  }
+
+  const handleShareLinkedIn = () => {
+    const linkedInUrl = `https://www.linkedin.com/sharing/share-offsite/?url=${encodeURIComponent(url)}`
+    window.open(linkedInUrl, '_blank', 'noopener,noreferrer')
+    setOpen(false)
+  }
+
+  return (
+    <Popover
+      open={open}
+      onOpenChange={setOpen}
+      variant='secondary'
+      size='sm'
+      colorScheme='inverted'
+    >
+      <PopoverTrigger asChild>
+        <button
+          className='flex items-center gap-1.5 text-gray-600 text-sm hover:text-gray-900'
+          aria-label='Share this post'
+        >
+          <Share2 className='h-4 w-4' />
+          <span>Share</span>
+        </button>
+      </PopoverTrigger>
+      <PopoverContent align='end' minWidth={140}>
+        <PopoverItem onClick={handleCopyLink}>{copied ? 'Copied!' : 'Copy link'}</PopoverItem>
+        <PopoverItem onClick={handleShareTwitter}>Share on X</PopoverItem>
+        <PopoverItem onClick={handleShareLinkedIn}>Share on LinkedIn</PopoverItem>
+      </PopoverContent>
+    </Popover>
+  )
+}
--- a/apps/sim/app/(landing)/studio/page.tsx
+++ b/apps/sim/app/(landing)/studio/page.tsx
@@ -22,7 +22,7 @@ export default async function StudioIndex({
      ? filtered.sort((a, b) => {
          if (a.featured && !b.featured) return -1
          if (!a.featured && b.featured) return 1
-          return 0
+          return new Date(b.date).getTime() - new Date(a.date).getTime()
        })
      : filtered

--- a/apps/sim/app/api/a2a/agents/[agentId]/route.ts
+++ b/apps/sim/app/api/a2a/agents/[agentId]/route.ts
@@ -8,6 +8,7 @@ import type { AgentCapabilities, AgentSkill } from '@/lib/a2a/types'
 import { checkHybridAuth } from '@/lib/auth/hybrid'
 import { getRedisClient } from '@/lib/core/config/redis'
 import { loadWorkflowFromNormalizedTables } from '@/lib/workflows/persistence/utils'
+import { checkWorkspaceAccess } from '@/lib/workspaces/permissions/utils'

 const logger = createLogger('A2AAgentCardAPI')

@@ -95,6 +96,11 @@ export async function PUT(request: NextRequest, { params }: { params: Promise<Ro
      return NextResponse.json({ error: 'Agent not found' }, { status: 404 })
    }

+    const workspaceAccess = await checkWorkspaceAccess(existingAgent.workspaceId, auth.userId)
+    if (!workspaceAccess.canWrite) {
+      return NextResponse.json({ error: 'Forbidden' }, { status: 403 })
+    }
+
    const body = await request.json()

    if (
@@ -160,6 +166,11 @@ export async function DELETE(request: NextRequest, { params }: { params: Promise
      return NextResponse.json({ error: 'Agent not found' }, { status: 404 })
    }

+    const workspaceAccess = await checkWorkspaceAccess(existingAgent.workspaceId, auth.userId)
+    if (!workspaceAccess.canWrite) {
+      return NextResponse.json({ error: 'Forbidden' }, { status: 403 })
+    }
+
    await db.delete(a2aAgent).where(eq(a2aAgent.id, agentId))

    logger.info(`Deleted A2A agent: ${agentId}`)
@@ -194,6 +205,11 @@ export async function POST(request: NextRequest, { params }: { params: Promise<R
      return NextResponse.json({ error: 'Agent not found' }, { status: 404 })
    }

+    const workspaceAccess = await checkWorkspaceAccess(existingAgent.workspaceId, auth.userId)
+    if (!workspaceAccess.canWrite) {
+      return NextResponse.json({ error: 'Forbidden' }, { status: 403 })
+    }
+
    const body = await request.json()
    const action = body.action as 'publish' | 'unpublish' | 'refresh'

--- a/apps/sim/app/api/a2a/serve/[agentId]/route.ts
+++ b/apps/sim/app/api/a2a/serve/[agentId]/route.ts
@@ -16,6 +16,7 @@ import {
 import { checkHybridAuth } from '@/lib/auth/hybrid'
 import { getBrandConfig } from '@/lib/branding/branding'
 import { acquireLock, getRedisClient, releaseLock } from '@/lib/core/config/redis'
+import { validateExternalUrl } from '@/lib/core/security/input-validation'
 import { SSE_HEADERS } from '@/lib/core/utils/sse'
 import { getBaseUrl } from '@/lib/core/utils/urls'
 import { markExecutionCancelled } from '@/lib/execution/cancellation'
@@ -1118,17 +1119,13 @@ async function handlePushNotificationSet(
    )
  }

-  try {
-    const url = new URL(params.pushNotificationConfig.url)
-    if (url.protocol !== 'https:') {
-      return NextResponse.json(
-        createError(id, A2A_ERROR_CODES.INVALID_PARAMS, 'Push notification URL must use HTTPS'),
-        { status: 400 }
-      )
-    }
-  } catch {
+  const urlValidation = validateExternalUrl(
+    params.pushNotificationConfig.url,
+    'Push notification URL'
+  )
+  if (!urlValidation.isValid) {
    return NextResponse.json(
-      createError(id, A2A_ERROR_CODES.INVALID_PARAMS, 'Invalid push notification URL'),
+      createError(id, A2A_ERROR_CODES.INVALID_PARAMS, urlValidation.error || 'Invalid URL'),
      { status: 400 }
    )
  }
--- a/apps/sim/app/api/auth/oauth/utils.ts
+++ b/apps/sim/app/api/auth/oauth/utils.ts
@@ -4,6 +4,11 @@ import { createLogger } from '@sim/logger'
 import { and, desc, eq, inArray } from 'drizzle-orm'
 import { getSession } from '@/lib/auth'
 import { refreshOAuthToken } from '@/lib/oauth'
+import {
+  getMicrosoftRefreshTokenExpiry,
+  isMicrosoftProvider,
+  PROACTIVE_REFRESH_THRESHOLD_DAYS,
+} from '@/lib/oauth/microsoft'

 const logger = createLogger('OAuthUtilsAPI')

@@ -205,15 +210,32 @@ export async function refreshAccessTokenIfNeeded(
  }

  // Decide if we should refresh: token missing OR expired
-  const expiresAt = credential.accessTokenExpiresAt
+  const accessTokenExpiresAt = credential.accessTokenExpiresAt
+  const refreshTokenExpiresAt = credential.refreshTokenExpiresAt
  const now = new Date()
-  const shouldRefresh =
-    !!credential.refreshToken && (!credential.accessToken || (expiresAt && expiresAt <= now))
+
+  // Check if access token needs refresh (missing or expired)
+  const accessTokenNeedsRefresh =
+    !!credential.refreshToken &&
+    (!credential.accessToken || (accessTokenExpiresAt && accessTokenExpiresAt <= now))
+
+  // Check if we should proactively refresh to prevent refresh token expiry
+  // This applies to Microsoft providers whose refresh tokens expire after 90 days of inactivity
+  const proactiveRefreshThreshold = new Date(
+    now.getTime() + PROACTIVE_REFRESH_THRESHOLD_DAYS * 24 * 60 * 60 * 1000
+  )
+  const refreshTokenNeedsProactiveRefresh =
+    !!credential.refreshToken &&
+    isMicrosoftProvider(credential.providerId) &&
+    refreshTokenExpiresAt &&
+    refreshTokenExpiresAt <= proactiveRefreshThreshold
+
+  const shouldRefresh = accessTokenNeedsRefresh || refreshTokenNeedsProactiveRefresh

  const accessToken = credential.accessToken

  if (shouldRefresh) {
-    logger.info(`[${requestId}] Token expired, attempting to refresh for credential`)
+    logger.info(`[${requestId}] Refreshing token for credential`)
    try {
      const refreshedToken = await refreshOAuthToken(
        credential.providerId,
@@ -227,11 +249,15 @@ export async function refreshAccessTokenIfNeeded(
          userId: credential.userId,
          hasRefreshToken: !!credential.refreshToken,
        })
+        if (!accessTokenNeedsRefresh && accessToken) {
+          logger.info(`[${requestId}] Proactive refresh failed but access token still valid`)
+          return accessToken
+        }
        return null
      }

      // Prepare update data
-      const updateData: any = {
+      const updateData: Record<string, unknown> = {
        accessToken: refreshedToken.accessToken,
        accessTokenExpiresAt: new Date(Date.now() + refreshedToken.expiresIn * 1000),
        updatedAt: new Date(),
@@ -243,6 +269,10 @@ export async function refreshAccessTokenIfNeeded(
        updateData.refreshToken = refreshedToken.refreshToken
      }

+      if (isMicrosoftProvider(credential.providerId)) {
+        updateData.refreshTokenExpiresAt = getMicrosoftRefreshTokenExpiry()
+      }
+
      // Update the token in the database
      await db.update(account).set(updateData).where(eq(account.id, credentialId))

@@ -256,6 +286,10 @@ export async function refreshAccessTokenIfNeeded(
        credentialId,
        userId: credential.userId,
      })
+      if (!accessTokenNeedsRefresh && accessToken) {
+        logger.info(`[${requestId}] Proactive refresh failed but access token still valid`)
+        return accessToken
+      }
      return null
    }
  } else if (!accessToken) {
@@ -277,10 +311,27 @@ export async function refreshTokenIfNeeded(
  credentialId: string
 ): Promise<{ accessToken: string; refreshed: boolean }> {
  // Decide if we should refresh: token missing OR expired
-  const expiresAt = credential.accessTokenExpiresAt
+  const accessTokenExpiresAt = credential.accessTokenExpiresAt
+  const refreshTokenExpiresAt = credential.refreshTokenExpiresAt
  const now = new Date()
-  const shouldRefresh =
-    !!credential.refreshToken && (!credential.accessToken || (expiresAt && expiresAt <= now))
+
+  // Check if access token needs refresh (missing or expired)
+  const accessTokenNeedsRefresh =
+    !!credential.refreshToken &&
+    (!credential.accessToken || (accessTokenExpiresAt && accessTokenExpiresAt <= now))
+
+  // Check if we should proactively refresh to prevent refresh token expiry
+  // This applies to Microsoft providers whose refresh tokens expire after 90 days of inactivity
+  const proactiveRefreshThreshold = new Date(
+    now.getTime() + PROACTIVE_REFRESH_THRESHOLD_DAYS * 24 * 60 * 60 * 1000
+  )
+  const refreshTokenNeedsProactiveRefresh =
+    !!credential.refreshToken &&
+    isMicrosoftProvider(credential.providerId) &&
+    refreshTokenExpiresAt &&
+    refreshTokenExpiresAt <= proactiveRefreshThreshold
+
+  const shouldRefresh = accessTokenNeedsRefresh || refreshTokenNeedsProactiveRefresh

  // If token appears valid and present, return it directly
  if (!shouldRefresh) {
@@ -293,13 +344,17 @@ export async function refreshTokenIfNeeded(

    if (!refreshResult) {
      logger.error(`[${requestId}] Failed to refresh token for credential`)
+      if (!accessTokenNeedsRefresh && credential.accessToken) {
+        logger.info(`[${requestId}] Proactive refresh failed but access token still valid`)
+        return { accessToken: credential.accessToken, refreshed: false }
+      }
      throw new Error('Failed to refresh token')
    }

    const { accessToken: refreshedToken, expiresIn, refreshToken: newRefreshToken } = refreshResult

    // Prepare update data
-    const updateData: any = {
+    const updateData: Record<string, unknown> = {
      accessToken: refreshedToken,
      accessTokenExpiresAt: new Date(Date.now() + expiresIn * 1000), // Use provider's expiry
      updatedAt: new Date(),
@@ -311,6 +366,10 @@ export async function refreshTokenIfNeeded(
      updateData.refreshToken = newRefreshToken
    }

+    if (isMicrosoftProvider(credential.providerId)) {
+      updateData.refreshTokenExpiresAt = getMicrosoftRefreshTokenExpiry()
+    }
+
    await db.update(account).set(updateData).where(eq(account.id, credentialId))

    logger.info(`[${requestId}] Successfully refreshed access token`)
@@ -331,6 +390,11 @@ export async function refreshTokenIfNeeded(
      }
    }

+    if (!accessTokenNeedsRefresh && credential.accessToken) {
+      logger.info(`[${requestId}] Proactive refresh failed but access token still valid`)
+      return { accessToken: credential.accessToken, refreshed: false }
+    }
+
    logger.error(`[${requestId}] Refresh failed and no valid token found in DB`, error)
    throw error
  }
--- a/apps/sim/app/api/auth/reset-password/route.ts
+++ b/apps/sim/app/api/auth/reset-password/route.ts
@@ -15,7 +15,8 @@ const resetPasswordSchema = z.object({
    .max(100, 'Password must not exceed 100 characters')
    .regex(/[A-Z]/, 'Password must contain at least one uppercase letter')
    .regex(/[a-z]/, 'Password must contain at least one lowercase letter')
-    .regex(/[0-9]/, 'Password must contain at least one number'),
+    .regex(/[0-9]/, 'Password must contain at least one number')
+    .regex(/[^A-Za-z0-9]/, 'Password must contain at least one special character'),
 })

 export async function POST(request: NextRequest) {
--- a/apps/sim/app/api/auth/sso/providers/route.ts
+++ b/apps/sim/app/api/auth/sso/providers/route.ts
@@ -4,7 +4,7 @@ import { eq } from 'drizzle-orm'
 import { NextResponse } from 'next/server'
 import { getSession } from '@/lib/auth'

-const logger = createLogger('SSO-Providers')
+const logger = createLogger('SSOProvidersRoute')

 export async function GET() {
  try {
--- a/apps/sim/app/api/auth/sso/register/route.ts
+++ b/apps/sim/app/api/auth/sso/register/route.ts
@@ -6,7 +6,7 @@ import { hasSSOAccess } from '@/lib/billing'
 import { env } from '@/lib/core/config/env'
 import { REDACTED_MARKER } from '@/lib/core/security/redaction'

-const logger = createLogger('SSO-Register')
+const logger = createLogger('SSORegisterRoute')

 const mappingSchema = z
  .object({
@@ -43,6 +43,10 @@ const ssoRegistrationSchema = z.discriminatedUnion('providerType', [
      ])
      .default(['openid', 'profile', 'email']),
    pkce: z.boolean().default(true),
+    authorizationEndpoint: z.string().url().optional(),
+    tokenEndpoint: z.string().url().optional(),
+    userInfoEndpoint: z.string().url().optional(),
+    jwksEndpoint: z.string().url().optional(),
  }),
  z.object({
    providerType: z.literal('saml'),
@@ -64,12 +68,10 @@ const ssoRegistrationSchema = z.discriminatedUnion('providerType', [

 export async function POST(request: NextRequest) {
  try {
-    // SSO plugin must be enabled in Better Auth
    if (!env.SSO_ENABLED) {
      return NextResponse.json({ error: 'SSO is not enabled' }, { status: 400 })
    }

-    // Check plan access (enterprise) or env var override
    const session = await getSession()
    if (!session?.user?.id) {
      return NextResponse.json({ error: 'Authentication required' }, { status: 401 })
@@ -116,7 +118,16 @@ export async function POST(request: NextRequest) {
    }

    if (providerType === 'oidc') {
-      const { clientId, clientSecret, scopes, pkce } = body
+      const {
+        clientId,
+        clientSecret,
+        scopes,
+        pkce,
+        authorizationEndpoint,
+        tokenEndpoint,
+        userInfoEndpoint,
+        jwksEndpoint,
+      } = body

      const oidcConfig: any = {
        clientId,
@@ -127,50 +138,104 @@ export async function POST(request: NextRequest) {
        pkce: pkce ?? true,
      }

-      // Add manual endpoints for providers that might need them
-      // Common patterns for OIDC providers that don't support discovery properly
-      if (
-        issuer.includes('okta.com') ||
-        issuer.includes('auth0.com') ||
-        issuer.includes('identityserver')
-      ) {
-        const baseUrl = issuer.includes('/oauth2/default')
-          ? issuer.replace('/oauth2/default', '')
-          : issuer.replace('/oauth', '').replace('/v2.0', '').replace('/oauth2', '')
+      oidcConfig.authorizationEndpoint = authorizationEndpoint
+      oidcConfig.tokenEndpoint = tokenEndpoint
+      oidcConfig.userInfoEndpoint = userInfoEndpoint
+      oidcConfig.jwksEndpoint = jwksEndpoint

-        // Okta-style endpoints
-        if (issuer.includes('okta.com')) {
-          oidcConfig.authorizationEndpoint = `${baseUrl}/oauth2/default/v1/authorize`
-          oidcConfig.tokenEndpoint = `${baseUrl}/oauth2/default/v1/token`
-          oidcConfig.userInfoEndpoint = `${baseUrl}/oauth2/default/v1/userinfo`
-          oidcConfig.jwksEndpoint = `${baseUrl}/oauth2/default/v1/keys`
-        }
-        // Auth0-style endpoints
-        else if (issuer.includes('auth0.com')) {
-          oidcConfig.authorizationEndpoint = `${baseUrl}/authorize`
-          oidcConfig.tokenEndpoint = `${baseUrl}/oauth/token`
-          oidcConfig.userInfoEndpoint = `${baseUrl}/userinfo`
-          oidcConfig.jwksEndpoint = `${baseUrl}/.well-known/jwks.json`
-        }
-        // Generic OIDC endpoints (IdentityServer, etc.)
-        else {
-          oidcConfig.authorizationEndpoint = `${baseUrl}/connect/authorize`
-          oidcConfig.tokenEndpoint = `${baseUrl}/connect/token`
-          oidcConfig.userInfoEndpoint = `${baseUrl}/connect/userinfo`
-          oidcConfig.jwksEndpoint = `${baseUrl}/.well-known/jwks`
-        }
+      const needsDiscovery =
+        !oidcConfig.authorizationEndpoint || !oidcConfig.tokenEndpoint || !oidcConfig.jwksEndpoint

-        logger.info('Using manual OIDC endpoints for provider', {
+      if (needsDiscovery) {
+        const discoveryUrl = `${issuer.replace(/\/$/, '')}/.well-known/openid-configuration`
+        try {
+          logger.info('Fetching OIDC discovery document for missing endpoints', {
+            discoveryUrl,
+            hasAuthEndpoint: !!oidcConfig.authorizationEndpoint,
+            hasTokenEndpoint: !!oidcConfig.tokenEndpoint,
+            hasJwksEndpoint: !!oidcConfig.jwksEndpoint,
+          })
+
+          const discoveryResponse = await fetch(discoveryUrl, {
+            headers: { Accept: 'application/json' },
+          })
+
+          if (!discoveryResponse.ok) {
+            logger.error('Failed to fetch OIDC discovery document', {
+              status: discoveryResponse.status,
+              statusText: discoveryResponse.statusText,
+            })
+            return NextResponse.json(
+              {
+                error: `Failed to fetch OIDC discovery document from ${discoveryUrl}. Status: ${discoveryResponse.status}. Provide all endpoints explicitly or verify the issuer URL.`,
+              },
+              { status: 400 }
+            )
+          }
+
+          const discovery = await discoveryResponse.json()
+
+          oidcConfig.authorizationEndpoint =
+            oidcConfig.authorizationEndpoint || discovery.authorization_endpoint
+          oidcConfig.tokenEndpoint = oidcConfig.tokenEndpoint || discovery.token_endpoint
+          oidcConfig.userInfoEndpoint = oidcConfig.userInfoEndpoint || discovery.userinfo_endpoint
+          oidcConfig.jwksEndpoint = oidcConfig.jwksEndpoint || discovery.jwks_uri
+
+          logger.info('Merged OIDC endpoints (user-provided + discovery)', {
+            providerId,
+            issuer,
+            authorizationEndpoint: oidcConfig.authorizationEndpoint,
+            tokenEndpoint: oidcConfig.tokenEndpoint,
+            userInfoEndpoint: oidcConfig.userInfoEndpoint,
+            jwksEndpoint: oidcConfig.jwksEndpoint,
+          })
+        } catch (error) {
+          logger.error('Error fetching OIDC discovery document', {
+            error: error instanceof Error ? error.message : 'Unknown error',
+            discoveryUrl,
+          })
+          return NextResponse.json(
+            {
+              error: `Failed to fetch OIDC discovery document from ${discoveryUrl}. Please verify the issuer URL is correct or provide all endpoints explicitly.`,
+            },
+            { status: 400 }
+          )
+        }
+      } else {
+        logger.info('Using explicitly provided OIDC endpoints (all present)', {
          providerId,
-          provider: issuer.includes('okta.com')
-            ? 'Okta'
-            : issuer.includes('auth0.com')
-              ? 'Auth0'
-              : 'Generic',
-          authEndpoint: oidcConfig.authorizationEndpoint,
+          issuer,
+          authorizationEndpoint: oidcConfig.authorizationEndpoint,
+          tokenEndpoint: oidcConfig.tokenEndpoint,
+          userInfoEndpoint: oidcConfig.userInfoEndpoint,
+          jwksEndpoint: oidcConfig.jwksEndpoint,
        })
      }

+      if (
+        !oidcConfig.authorizationEndpoint ||
+        !oidcConfig.tokenEndpoint ||
+        !oidcConfig.jwksEndpoint
+      ) {
+        const missing: string[] = []
+        if (!oidcConfig.authorizationEndpoint) missing.push('authorizationEndpoint')
+        if (!oidcConfig.tokenEndpoint) missing.push('tokenEndpoint')
+        if (!oidcConfig.jwksEndpoint) missing.push('jwksEndpoint')
+
+        logger.error('Missing required OIDC endpoints after discovery merge', {
+          missing,
+          authorizationEndpoint: oidcConfig.authorizationEndpoint,
+          tokenEndpoint: oidcConfig.tokenEndpoint,
+          jwksEndpoint: oidcConfig.jwksEndpoint,
+        })
+        return NextResponse.json(
+          {
+            error: `Missing required OIDC endpoints: ${missing.join(', ')}. Please provide these explicitly or verify the issuer supports OIDC discovery.`,
+          },
+          { status: 400 }
+        )
+      }
+
      providerConfig.oidcConfig = oidcConfig
    } else if (providerType === 'saml') {
      const {
--- a/apps/sim/app/api/copilot/chat/[chatId]/active-stream/route.ts
+++ b/apps/sim/app/api/copilot/chat/[chatId]/active-stream/route.ts
@@ -1,86 +0,0 @@
-/**
- * GET /api/copilot/chat/[chatId]/active-stream
- *
- * Check if a chat has an active stream that can be resumed.
- * Used by the client on page load to detect if there's an in-progress stream.
- */
-
-import { createLogger } from '@sim/logger'
-import { type NextRequest, NextResponse } from 'next/server'
-import { getSession } from '@/lib/auth'
-import {
-  getActiveStreamForChat,
-  getChunkCount,
-  getStreamMeta,
-} from '@/lib/copilot/stream-persistence'
-
-const logger = createLogger('CopilotActiveStreamAPI')
-
-export async function GET(
-  req: NextRequest,
-  { params }: { params: Promise<{ chatId: string }> }
-) {
-  const session = await getSession()
-  if (!session?.user?.id) {
-    return NextResponse.json({ error: 'Unauthorized' }, { status: 401 })
-  }
-
-  const { chatId } = await params
-
-  logger.info('Active stream check', { chatId, userId: session.user.id })
-
-  // Look up active stream ID from Redis
-  const streamId = await getActiveStreamForChat(chatId)
-
-  if (!streamId) {
-    logger.debug('No active stream found', { chatId })
-    return NextResponse.json({ hasActiveStream: false })
-  }
-
-  // Get stream metadata
-  const meta = await getStreamMeta(streamId)
-
-  if (!meta) {
-    logger.debug('Stream metadata not found', { streamId, chatId })
-    return NextResponse.json({ hasActiveStream: false })
-  }
-
-  // Verify the stream is still active
-  if (meta.status !== 'streaming') {
-    logger.debug('Stream not active', { streamId, chatId, status: meta.status })
-    return NextResponse.json({ hasActiveStream: false })
-  }
-
-  // Verify ownership
-  if (meta.userId !== session.user.id) {
-    logger.warn('Stream belongs to different user', {
-      streamId,
-      chatId,
-      requesterId: session.user.id,
-      ownerId: meta.userId,
-    })
-    return NextResponse.json({ hasActiveStream: false })
-  }
-
-  // Get current chunk count for client to track progress
-  const chunkCount = await getChunkCount(streamId)
-
-  logger.info('Active stream found', {
-    streamId,
-    chatId,
-    chunkCount,
-    toolCallsCount: meta.toolCalls.length,
-  })
-
-  return NextResponse.json({
-    hasActiveStream: true,
-    streamId,
-    chunkCount,
-    toolCalls: meta.toolCalls.filter(
-      (tc) => tc.state === 'pending' || tc.state === 'executing'
-    ),
-    createdAt: meta.createdAt,
-    updatedAt: meta.updatedAt,
-  })
-}
-
--- a/apps/sim/app/api/copilot/chat/route.ts
+++ b/apps/sim/app/api/copilot/chat/route.ts
@@ -2,7 +2,6 @@ import { db } from '@sim/db'
 import { copilotChats } from '@sim/db/schema'
 import { createLogger } from '@sim/logger'
 import { and, desc, eq } from 'drizzle-orm'
-import { after } from 'next/server'
 import { type NextRequest, NextResponse } from 'next/server'
 import { z } from 'zod'
 import { getSession } from '@/lib/auth'
@@ -17,21 +16,6 @@ import {
  createRequestTracker,
  createUnauthorizedResponse,
 } from '@/lib/copilot/request-helpers'
-import {
-  type RenderEvent,
-  serializeRenderEvent,
-} from '@/lib/copilot/render-events'
-import {
-  appendChunk,
-  appendContent,
-  checkAbortSignal,
-  completeStream,
-  createStream,
-  errorStream,
-  refreshStreamTTL,
-  updateToolCall,
-} from '@/lib/copilot/stream-persistence'
-import { transformStream } from '@/lib/copilot/stream-transformer'
 import { getCredentialsServerTool } from '@/lib/copilot/tools/server/user/get-credentials'
 import type { CopilotProviderConfig } from '@/lib/copilot/types'
 import { env } from '@/lib/core/config/env'
@@ -508,205 +492,385 @@ export async function POST(req: NextRequest) {
      )
    }

-    // If streaming is requested, start background processing and return streamId immediately
+    // If streaming is requested, forward the stream and update chat later
    if (stream && simAgentResponse.body) {
-      // Create stream ID for persistence and resumption
-      const streamId = crypto.randomUUID()
-
-      // Initialize stream state in Redis
-      await createStream({
-        streamId,
-        chatId: actualChatId!,
-        userId: authenticatedUserId,
-        workflowId,
-        userMessageId: userMessageIdToUse,
-        isClientSession: true,
-      })
-
-      // Save user message to database immediately so it's available on refresh
-      // This is critical for stream resumption - user message must be persisted before stream starts
-      if (currentChat) {
-        const existingMessages = Array.isArray(currentChat.messages) ? currentChat.messages : []
-        const userMessage = {
-          id: userMessageIdToUse,
-          role: 'user',
-          content: message,
-          timestamp: new Date().toISOString(),
-          ...(fileAttachments && fileAttachments.length > 0 && { fileAttachments }),
-          ...(Array.isArray(contexts) && contexts.length > 0 && { contexts }),
-          ...(Array.isArray(contexts) &&
-            contexts.length > 0 && {
-              contentBlocks: [{ type: 'contexts', contexts: contexts as any, timestamp: Date.now() }],
-            }),
-        }
-
-        await db
-          .update(copilotChats)
-          .set({
-            messages: [...existingMessages, userMessage],
-            updatedAt: new Date(),
-          })
-          .where(eq(copilotChats.id, actualChatId!))
-
-        logger.info(`[${tracker.requestId}] Saved user message before streaming`, {
-          chatId: actualChatId,
-          messageId: userMessageIdToUse,
-        })
+      // Create user message to save
+      const userMessage = {
+        id: userMessageIdToUse, // Consistent ID used for request and persistence
+        role: 'user',
+        content: message,
+        timestamp: new Date().toISOString(),
+        ...(fileAttachments && fileAttachments.length > 0 && { fileAttachments }),
+        ...(Array.isArray(contexts) && contexts.length > 0 && { contexts }),
+        ...(Array.isArray(contexts) &&
+          contexts.length > 0 && {
+            contentBlocks: [{ type: 'contexts', contexts: contexts as any, timestamp: Date.now() }],
+          }),
      }

-      // Track last TTL refresh time
-      const TTL_REFRESH_INTERVAL = 60000 // Refresh TTL every minute
+      // Create a pass-through stream that captures the response
+      const transformedStream = new ReadableStream({
+        async start(controller) {
+          const encoder = new TextEncoder()
+          let assistantContent = ''
+          const toolCalls: any[] = []
+          let buffer = ''
+          const isFirstDone = true
+          let responseIdFromStart: string | undefined
+          let responseIdFromDone: string | undefined
+          // Track tool call progress to identify a safe done event
+          const announcedToolCallIds = new Set<string>()
+          const startedToolExecutionIds = new Set<string>()
+          const completedToolExecutionIds = new Set<string>()
+          let lastDoneResponseId: string | undefined
+          let lastSafeDoneResponseId: string | undefined

-      // Capture needed values for background task
-      const capturedChatId = actualChatId!
-      const capturedCurrentChat = currentChat
-
-      // Generate assistant message ID upfront
-      const assistantMessageId = crypto.randomUUID()
-
-      // Start background processing task using the stream transformer
-      // This processes the Sim Agent stream, executes tools, and emits render events
-      // Client will connect to /api/copilot/stream/{streamId} for live updates
-      const backgroundTask = (async () => {
-        // Start title generation if needed (runs in parallel)
-        if (capturedChatId && !capturedCurrentChat?.title && conversationHistory.length === 0) {
-          generateChatTitle(message)
-            .then(async (title) => {
-              if (title) {
-                await db
-                  .update(copilotChats)
-                  .set({ title, updatedAt: new Date() })
-                  .where(eq(copilotChats.id, capturedChatId))
-                logger.info(`[${tracker.requestId}] Generated and saved title: ${title}`)
-              }
-            })
-            .catch((error) => {
-              logger.error(`[${tracker.requestId}] Title generation failed:`, error)
-            })
-        }
-
-        // Track accumulated content for final persistence
-        let accumulatedContent = ''
-        const accumulatedToolCalls: Array<{
-          id: string
-          name: string
-          args: Record<string, unknown>
-          state: string
-          result?: unknown
-        }> = []
-
-        try {
-          // Use the stream transformer to process the Sim Agent stream
-          await transformStream(simAgentResponse.body!, {
-            streamId,
-            chatId: capturedChatId,
-            userId: authenticatedUserId,
-            workflowId,
-            userMessageId: userMessageIdToUse,
-            assistantMessageId,
-
-            // Emit render events to Redis for client consumption
-            onRenderEvent: async (event: RenderEvent) => {
-              // Serialize and append to Redis
-              const serialized = serializeRenderEvent(event)
-              await appendChunk(streamId, serialized).catch(() => {})
-
-              // Also update stream metadata for specific events
-              switch (event.type) {
-                case 'text_delta':
-                  accumulatedContent += (event as any).content || ''
-                  appendContent(streamId, (event as any).content || '').catch(() => {})
-                  break
-                case 'tool_pending':
-                  updateToolCall(streamId, (event as any).toolCallId, {
-                    id: (event as any).toolCallId,
-                    name: (event as any).toolName,
-                    args: (event as any).args || {},
-                    state: 'pending',
-                  }).catch(() => {})
-                  break
-                case 'tool_executing':
-                  updateToolCall(streamId, (event as any).toolCallId, {
-                    state: 'executing',
-                  }).catch(() => {})
-                  break
-                case 'tool_success':
-                  updateToolCall(streamId, (event as any).toolCallId, {
-                    state: 'success',
-                    result: (event as any).result,
-                  }).catch(() => {})
-                  accumulatedToolCalls.push({
-                    id: (event as any).toolCallId,
-                    name: (event as any).display?.label || '',
-                    args: {},
-                    state: 'success',
-                    result: (event as any).result,
-                  })
-                  break
-                case 'tool_error':
-                  updateToolCall(streamId, (event as any).toolCallId, {
-                    state: 'error',
-                    error: (event as any).error,
-                  }).catch(() => {})
-                  accumulatedToolCalls.push({
-                    id: (event as any).toolCallId,
-                    name: (event as any).display?.label || '',
-                    args: {},
-                    state: 'error',
-                  })
-                  break
-              }
-            },
-
-            // Persist data at key moments
-            onPersist: async (data) => {
-              if (data.type === 'message_complete') {
-                // Stream complete - save final message to DB
-                await completeStream(streamId, undefined)
-              }
-            },
-
-            // Check for user-initiated abort
-            isAborted: () => {
-              // We'll check Redis for abort signal synchronously cached
-              // For now, return false - proper abort checking can be async in transformer
-              return false
-            },
-          })
-
-          // Update chat with conversationId if available
-          if (capturedCurrentChat) {
-            await db
-              .update(copilotChats)
-              .set({ updatedAt: new Date() })
-              .where(eq(copilotChats.id, capturedChatId))
+          // Send chatId as first event
+          if (actualChatId) {
+            const chatIdEvent = `data: ${JSON.stringify({
+              type: 'chat_id',
+              chatId: actualChatId,
+            })}\n\n`
+            controller.enqueue(encoder.encode(chatIdEvent))
+            logger.debug(`[${tracker.requestId}] Sent initial chatId event to client`)
          }

-          logger.info(`[${tracker.requestId}] Background stream processing complete`, {
-            streamId,
-            contentLength: accumulatedContent.length,
-            toolCallsCount: accumulatedToolCalls.length,
-          })
-        } catch (error) {
-          logger.error(`[${tracker.requestId}] Background stream error`, { streamId, error })
-          await errorStream(streamId, error instanceof Error ? error.message : 'Unknown error')
-        }
-      })()
+          // Start title generation in parallel if needed
+          if (actualChatId && !currentChat?.title && conversationHistory.length === 0) {
+            generateChatTitle(message)
+              .then(async (title) => {
+                if (title) {
+                  await db
+                    .update(copilotChats)
+                    .set({
+                      title,
+                      updatedAt: new Date(),
+                    })
+                    .where(eq(copilotChats.id, actualChatId!))

-      // Use after() to ensure background task completes even after response is sent
-      after(() => backgroundTask)
+                  const titleEvent = `data: ${JSON.stringify({
+                    type: 'title_updated',
+                    title: title,
+                  })}\n\n`
+                  controller.enqueue(encoder.encode(titleEvent))
+                  logger.info(`[${tracker.requestId}] Generated and saved title: ${title}`)
+                }
+              })
+              .catch((error) => {
+                logger.error(`[${tracker.requestId}] Title generation failed:`, error)
+              })
+          } else {
+            logger.debug(`[${tracker.requestId}] Skipping title generation`)
+          }

-      // Return streamId immediately - client will connect to stream endpoint
-      logger.info(`[${tracker.requestId}] Returning streamId for client to connect`, {
-        streamId,
-        chatId: capturedChatId,
+          // Forward the sim agent stream and capture assistant response
+          const reader = simAgentResponse.body!.getReader()
+          const decoder = new TextDecoder()
+
+          try {
+            while (true) {
+              const { done, value } = await reader.read()
+              if (done) {
+                break
+              }
+
+              // Decode and parse SSE events for logging and capturing content
+              const decodedChunk = decoder.decode(value, { stream: true })
+              buffer += decodedChunk
+
+              const lines = buffer.split('\n')
+              buffer = lines.pop() || '' // Keep incomplete line in buffer
+
+              for (const line of lines) {
+                if (line.trim() === '') continue // Skip empty lines
+
+                if (line.startsWith('data: ') && line.length > 6) {
+                  try {
+                    const jsonStr = line.slice(6)
+
+                    // Check if the JSON string is unusually large (potential streaming issue)
+                    if (jsonStr.length > 50000) {
+                      // 50KB limit
+                      logger.warn(`[${tracker.requestId}] Large SSE event detected`, {
+                        size: jsonStr.length,
+                        preview: `${jsonStr.substring(0, 100)}...`,
+                      })
+                    }
+
+                    const event = JSON.parse(jsonStr)
+
+                    // Log different event types comprehensively
+                    switch (event.type) {
+                      case 'content':
+                        if (event.data) {
+                          assistantContent += event.data
+                        }
+                        break
+
+                      case 'reasoning':
+                        logger.debug(
+                          `[${tracker.requestId}] Reasoning chunk received (${(event.data || event.content || '').length} chars)`
+                        )
+                        break
+
+                      case 'tool_call':
+                        if (!event.data?.partial) {
+                          toolCalls.push(event.data)
+                          if (event.data?.id) {
+                            announcedToolCallIds.add(event.data.id)
+                          }
+                        }
+                        break
+
+                      case 'tool_generating':
+                        if (event.toolCallId) {
+                          startedToolExecutionIds.add(event.toolCallId)
+                        }
+                        break
+
+                      case 'tool_result':
+                        if (event.toolCallId) {
+                          completedToolExecutionIds.add(event.toolCallId)
+                        }
+                        break
+
+                      case 'tool_error':
+                        logger.error(`[${tracker.requestId}] Tool error:`, {
+                          toolCallId: event.toolCallId,
+                          toolName: event.toolName,
+                          error: event.error,
+                          success: event.success,
+                        })
+                        if (event.toolCallId) {
+                          completedToolExecutionIds.add(event.toolCallId)
+                        }
+                        break
+
+                      case 'start':
+                        if (event.data?.responseId) {
+                          responseIdFromStart = event.data.responseId
+                        }
+                        break
+
+                      case 'done':
+                        if (event.data?.responseId) {
+                          responseIdFromDone = event.data.responseId
+                          lastDoneResponseId = responseIdFromDone
+
+                          // Mark this done as safe only if no tool call is currently in progress or pending
+                          const announced = announcedToolCallIds.size
+                          const completed = completedToolExecutionIds.size
+                          const started = startedToolExecutionIds.size
+                          const hasToolInProgress = announced > completed || started > completed
+                          if (!hasToolInProgress) {
+                            lastSafeDoneResponseId = responseIdFromDone
+                          }
+                        }
+                        break
+
+                      case 'error':
+                        break
+
+                      default:
+                    }
+
+                    // Emit to client: rewrite 'error' events into user-friendly assistant message
+                    if (event?.type === 'error') {
+                      try {
+                        const displayMessage: string =
+                          (event?.data && (event.data.displayMessage as string)) ||
+                          'Sorry, I encountered an error. Please try again.'
+                        const formatted = `_${displayMessage}_`
+                        // Accumulate so it persists to DB as assistant content
+                        assistantContent += formatted
+                        // Send as content chunk
+                        try {
+                          controller.enqueue(
+                            encoder.encode(
+                              `data: ${JSON.stringify({ type: 'content', data: formatted })}\n\n`
+                            )
+                          )
+                        } catch (enqueueErr) {
+                          reader.cancel()
+                          break
+                        }
+                        // Then close this response cleanly for the client
+                        try {
+                          controller.enqueue(
+                            encoder.encode(`data: ${JSON.stringify({ type: 'done' })}\n\n`)
+                          )
+                        } catch (enqueueErr) {
+                          reader.cancel()
+                          break
+                        }
+                      } catch {}
+                      // Do not forward the original error event
+                    } else {
+                      // Forward original event to client
+                      try {
+                        controller.enqueue(encoder.encode(`data: ${jsonStr}\n\n`))
+                      } catch (enqueueErr) {
+                        reader.cancel()
+                        break
+                      }
+                    }
+                  } catch (e) {
+                    // Enhanced error handling for large payloads and parsing issues
+                    const lineLength = line.length
+                    const isLargePayload = lineLength > 10000
+
+                    if (isLargePayload) {
+                      logger.error(
+                        `[${tracker.requestId}] Failed to parse large SSE event (${lineLength} chars)`,
+                        {
+                          error: e,
+                          preview: `${line.substring(0, 200)}...`,
+                          size: lineLength,
+                        }
+                      )
+                    } else {
+                      logger.warn(
+                        `[${tracker.requestId}] Failed to parse SSE event: "${line.substring(0, 200)}..."`,
+                        e
+                      )
+                    }
+                  }
+                } else if (line.trim() && line !== 'data: [DONE]') {
+                  logger.debug(`[${tracker.requestId}] Non-SSE line from sim agent: "${line}"`)
+                }
+              }
+            }
+
+            // Process any remaining buffer
+            if (buffer.trim()) {
+              logger.debug(`[${tracker.requestId}] Processing remaining buffer: "${buffer}"`)
+              if (buffer.startsWith('data: ')) {
+                try {
+                  const jsonStr = buffer.slice(6)
+                  const event = JSON.parse(jsonStr)
+                  if (event.type === 'content' && event.data) {
+                    assistantContent += event.data
+                  }
+                  // Forward remaining event, applying same error rewrite behavior
+                  if (event?.type === 'error') {
+                    const displayMessage: string =
+                      (event?.data && (event.data.displayMessage as string)) ||
+                      'Sorry, I encountered an error. Please try again.'
+                    const formatted = `_${displayMessage}_`
+                    assistantContent += formatted
+                    try {
+                      controller.enqueue(
+                        encoder.encode(
+                          `data: ${JSON.stringify({ type: 'content', data: formatted })}\n\n`
+                        )
+                      )
+                      controller.enqueue(
+                        encoder.encode(`data: ${JSON.stringify({ type: 'done' })}\n\n`)
+                      )
+                    } catch (enqueueErr) {
+                      reader.cancel()
+                    }
+                  } else {
+                    try {
+                      controller.enqueue(encoder.encode(`data: ${jsonStr}\n\n`))
+                    } catch (enqueueErr) {
+                      reader.cancel()
+                    }
+                  }
+                } catch (e) {
+                  logger.warn(`[${tracker.requestId}] Failed to parse final buffer: "${buffer}"`)
+                }
+              }
+            }
+
+            // Log final streaming summary
+            logger.info(`[${tracker.requestId}] Streaming complete summary:`, {
+              totalContentLength: assistantContent.length,
+              toolCallsCount: toolCalls.length,
+              hasContent: assistantContent.length > 0,
+              toolNames: toolCalls.map((tc) => tc?.name).filter(Boolean),
+            })
+
+            // NOTE: Messages are saved by the client via update-messages endpoint with full contentBlocks.
+            // Server only updates conversationId here to avoid overwriting client's richer save.
+            if (currentChat) {
+              // Persist only a safe conversationId to avoid continuing from a state that expects tool outputs
+              const previousConversationId = currentChat?.conversationId as string | undefined
+              const responseId = lastSafeDoneResponseId || previousConversationId || undefined
+
+              if (responseId) {
+                await db
+                  .update(copilotChats)
+                  .set({
+                    updatedAt: new Date(),
+                    conversationId: responseId,
+                  })
+                  .where(eq(copilotChats.id, actualChatId!))
+
+                logger.info(
+                  `[${tracker.requestId}] Updated conversationId for chat ${actualChatId}`,
+                  {
+                    updatedConversationId: responseId,
+                  }
+                )
+              }
+            }
+          } catch (error) {
+            logger.error(`[${tracker.requestId}] Error processing stream:`, error)
+
+            // Send an error event to the client before closing so it knows what happened
+            try {
+              const errorMessage =
+                error instanceof Error && error.message === 'terminated'
+                  ? 'Connection to AI service was interrupted. Please try again.'
+                  : 'An unexpected error occurred while processing the response.'
+              const encoder = new TextEncoder()
+
+              // Send error as content so it shows in the chat
+              controller.enqueue(
+                encoder.encode(
+                  `data: ${JSON.stringify({ type: 'content', data: `\n\n_${errorMessage}_` })}\n\n`
+                )
+              )
+              // Send done event to properly close the stream on client
+              controller.enqueue(encoder.encode(`data: ${JSON.stringify({ type: 'done' })}\n\n`))
+            } catch (enqueueError) {
+              // Stream might already be closed, that's ok
+              logger.warn(
+                `[${tracker.requestId}] Could not send error event to client:`,
+                enqueueError
+              )
+            }
+          } finally {
+            try {
+              controller.close()
+            } catch {
+              // Controller might already be closed
+            }
+          }
+        },
      })

-      return NextResponse.json({
-        success: true,
-        streamId,
-        chatId: capturedChatId,
+      const response = new Response(transformedStream, {
+        headers: {
+          'Content-Type': 'text/event-stream',
+          'Cache-Control': 'no-cache',
+          Connection: 'keep-alive',
+          'X-Accel-Buffering': 'no',
+        },
      })
+
+      logger.info(`[${tracker.requestId}] Returning streaming response to client`, {
+        duration: tracker.getDuration(),
+        chatId: actualChatId,
+        headers: {
+          'Content-Type': 'text/event-stream',
+          'Cache-Control': 'no-cache',
+          Connection: 'keep-alive',
+        },
+      })
+
+      return response
    }

    // For non-streaming responses
@@ -735,7 +899,7 @@ export async function POST(req: NextRequest) {
    // Save messages if we have a chat
    if (currentChat && responseData.content) {
      const userMessage = {
-        id: userMessageIdToUse,
+        id: userMessageIdToUse, // Consistent ID used for request and persistence
        role: 'user',
        content: message,
        timestamp: new Date().toISOString(),
--- a/apps/sim/app/api/copilot/execute-tool/route.ts
+++ b/apps/sim/app/api/copilot/execute-tool/route.ts
@@ -104,17 +104,11 @@ export async function POST(req: NextRequest) {
    })

    // Build execution params starting with LLM-provided arguments
-    // Resolve all {{ENV_VAR}} references in the arguments
+    // Resolve all {{ENV_VAR}} references in the arguments (deep for nested objects)
    const executionParams: Record<string, any> = resolveEnvVarReferences(
      toolArgs,
      decryptedEnvVars,
-      {
-        resolveExactMatch: true,
-        allowEmbedded: true,
-        trimKeys: true,
-        onMissing: 'keep',
-        deep: true,
-      }
+      { deep: true }
    ) as Record<string, any>

    logger.info(`[${tracker.requestId}] Resolved env var references in arguments`, {
@@ -224,7 +218,7 @@ export async function POST(req: NextRequest) {
      hasApiKey: !!executionParams.apiKey,
    })

-    const result = await executeTool(resolvedToolName, executionParams, true)
+    const result = await executeTool(resolvedToolName, executionParams)

    logger.info(`[${tracker.requestId}] Tool execution complete`, {
      toolName,
--- a/apps/sim/app/api/copilot/stream/[streamId]/abort/route.ts
+++ b/apps/sim/app/api/copilot/stream/[streamId]/abort/route.ts
@@ -1,64 +0,0 @@
-/**
- * POST /api/copilot/stream/[streamId]/abort
- *
- * Signal the server to abort an active stream.
- * The original request handler will check for this signal and cancel the stream.
- */
-
-import { createLogger } from '@sim/logger'
-import { type NextRequest, NextResponse } from 'next/server'
-import { getSession } from '@/lib/auth'
-import { getStreamMeta, setAbortSignal } from '@/lib/copilot/stream-persistence'
-
-const logger = createLogger('CopilotStreamAbortAPI')
-
-export async function POST(
-  req: NextRequest,
-  { params }: { params: Promise<{ streamId: string }> }
-) {
-  const session = await getSession()
-  if (!session?.user?.id) {
-    return NextResponse.json({ error: 'Unauthorized' }, { status: 401 })
-  }
-
-  const { streamId } = await params
-
-  logger.info('Stream abort request', { streamId, userId: session.user.id })
-
-  const meta = await getStreamMeta(streamId)
-
-  if (!meta) {
-    logger.info('Stream not found for abort', { streamId })
-    return NextResponse.json({ error: 'Stream not found' }, { status: 404 })
-  }
-
-  // Verify ownership
-  if (meta.userId !== session.user.id) {
-    logger.warn('Unauthorized abort attempt', {
-      streamId,
-      requesterId: session.user.id,
-      ownerId: meta.userId,
-    })
-    return NextResponse.json({ error: 'Forbidden' }, { status: 403 })
-  }
-
-  // Stream already finished
-  if (meta.status !== 'streaming') {
-    logger.info('Stream already finished, nothing to abort', {
-      streamId,
-      status: meta.status,
-    })
-    return NextResponse.json({
-      success: true,
-      message: 'Stream already finished',
-    })
-  }
-
-  // Set abort signal in Redis
-  await setAbortSignal(streamId)
-
-  logger.info('Abort signal set for stream', { streamId })
-
-  return NextResponse.json({ success: true })
-}
-
--- a/apps/sim/app/api/copilot/stream/[streamId]/pending-diff/route.ts
+++ b/apps/sim/app/api/copilot/stream/[streamId]/pending-diff/route.ts
@@ -1,146 +0,0 @@
-import { createLogger } from '@sim/logger'
-import { NextResponse } from 'next/server'
-import { getSession } from '@/lib/auth'
-import {
-  clearPendingDiff,
-  getPendingDiff,
-  getStreamMeta,
-  setPendingDiff,
-} from '@/lib/copilot/stream-persistence'
-
-const logger = createLogger('CopilotPendingDiffAPI')
-
-/**
- * GET /api/copilot/stream/[streamId]/pending-diff
- * Retrieve pending diff state for a stream (used for resumption after page refresh)
- */
-export async function GET(
-  request: Request,
-  { params }: { params: Promise<{ streamId: string }> }
-) {
-  try {
-    const session = await getSession()
-    if (!session?.user?.id) {
-      return NextResponse.json({ error: 'Unauthorized' }, { status: 401 })
-    }
-
-    const { streamId } = await params
-    if (!streamId) {
-      return NextResponse.json({ error: 'Stream ID required' }, { status: 400 })
-    }
-
-    // Verify user owns this stream
-    const meta = await getStreamMeta(streamId)
-    if (!meta) {
-      return NextResponse.json({ error: 'Stream not found' }, { status: 404 })
-    }
-
-    if (meta.userId !== session.user.id) {
-      return NextResponse.json({ error: 'Unauthorized' }, { status: 403 })
-    }
-
-    // Get pending diff
-    const pendingDiff = await getPendingDiff(streamId)
-
-    if (!pendingDiff) {
-      return NextResponse.json({ pendingDiff: null })
-    }
-
-    logger.info('Retrieved pending diff', {
-      streamId,
-      toolCallId: pendingDiff.toolCallId,
-    })
-
-    return NextResponse.json({ pendingDiff })
-  } catch (error) {
-    logger.error('Failed to get pending diff', { error })
-    return NextResponse.json({ error: 'Internal server error' }, { status: 500 })
-  }
-}
-
-/**
- * POST /api/copilot/stream/[streamId]/pending-diff
- * Store pending diff state for a stream
- */
-export async function POST(
-  request: Request,
-  { params }: { params: Promise<{ streamId: string }> }
-) {
-  try {
-    const session = await getSession()
-    if (!session?.user?.id) {
-      return NextResponse.json({ error: 'Unauthorized' }, { status: 401 })
-    }
-
-    const { streamId } = await params
-    if (!streamId) {
-      return NextResponse.json({ error: 'Stream ID required' }, { status: 400 })
-    }
-
-    // Verify user owns this stream
-    const meta = await getStreamMeta(streamId)
-    if (!meta) {
-      return NextResponse.json({ error: 'Stream not found' }, { status: 404 })
-    }
-
-    if (meta.userId !== session.user.id) {
-      return NextResponse.json({ error: 'Unauthorized' }, { status: 403 })
-    }
-
-    const body = await request.json()
-    const { pendingDiff } = body
-
-    if (!pendingDiff || !pendingDiff.toolCallId) {
-      return NextResponse.json({ error: 'Invalid pending diff data' }, { status: 400 })
-    }
-
-    await setPendingDiff(streamId, pendingDiff)
-
-    logger.info('Stored pending diff', {
-      streamId,
-      toolCallId: pendingDiff.toolCallId,
-    })
-
-    return NextResponse.json({ success: true })
-  } catch (error) {
-    logger.error('Failed to store pending diff', { error })
-    return NextResponse.json({ error: 'Internal server error' }, { status: 500 })
-  }
-}
-
-/**
- * DELETE /api/copilot/stream/[streamId]/pending-diff
- * Clear pending diff state for a stream
- */
-export async function DELETE(
-  request: Request,
-  { params }: { params: Promise<{ streamId: string }> }
-) {
-  try {
-    const session = await getSession()
-    if (!session?.user?.id) {
-      return NextResponse.json({ error: 'Unauthorized' }, { status: 401 })
-    }
-
-    const { streamId } = await params
-    if (!streamId) {
-      return NextResponse.json({ error: 'Stream ID required' }, { status: 400 })
-    }
-
-    // Verify user owns this stream (if it exists - might already be cleaned up)
-    const meta = await getStreamMeta(streamId)
-    if (meta && meta.userId !== session.user.id) {
-      return NextResponse.json({ error: 'Unauthorized' }, { status: 403 })
-    }
-
-    await clearPendingDiff(streamId)
-
-    logger.info('Cleared pending diff', { streamId })
-
-    return NextResponse.json({ success: true })
-  } catch (error) {
-    logger.error('Failed to clear pending diff', { error })
-    return NextResponse.json({ error: 'Internal server error' }, { status: 500 })
-  }
-}
-
--- a/apps/sim/app/api/copilot/stream/[streamId]/route.ts
+++ b/apps/sim/app/api/copilot/stream/[streamId]/route.ts
@@ -1,160 +0,0 @@
-/**
- * GET /api/copilot/stream/[streamId]
- *
- * Resume an active copilot stream.
- * - If stream is still active: returns SSE with replay of missed chunks + live updates via Redis Pub/Sub
- * - If stream is completed: returns JSON indicating to load from database
- * - If stream not found: returns 404
- */
-
-import { createLogger } from '@sim/logger'
-import { type NextRequest, NextResponse } from 'next/server'
-import { getSession } from '@/lib/auth'
-import {
-  getChunks,
-  getStreamMeta,
-  subscribeToStream,
-} from '@/lib/copilot/stream-persistence'
-
-const logger = createLogger('CopilotStreamResumeAPI')
-
-const SSE_HEADERS = {
-  'Content-Type': 'text/event-stream',
-  'Cache-Control': 'no-cache',
-  Connection: 'keep-alive',
-  'X-Accel-Buffering': 'no',
-}
-
-export async function GET(
-  req: NextRequest,
-  { params }: { params: Promise<{ streamId: string }> }
-) {
-  const session = await getSession()
-  if (!session?.user?.id) {
-    return NextResponse.json({ error: 'Unauthorized' }, { status: 401 })
-  }
-
-  const { streamId } = await params
-  const fromChunk = parseInt(req.nextUrl.searchParams.get('from') || '0')
-
-  logger.info('Stream resume request', { streamId, fromChunk, userId: session.user.id })
-
-  const meta = await getStreamMeta(streamId)
-
-  if (!meta) {
-    logger.info('Stream not found or expired', { streamId })
-    return NextResponse.json(
-      {
-        status: 'not_found',
-        message: 'Stream not found or expired. Reload chat from database.',
-      },
-      { status: 404 }
-    )
-  }
-
-  // Verify ownership
-  if (meta.userId !== session.user.id) {
-    logger.warn('Unauthorized stream access attempt', {
-      streamId,
-      requesterId: session.user.id,
-      ownerId: meta.userId,
-    })
-    return NextResponse.json({ error: 'Forbidden' }, { status: 403 })
-  }
-
-  // Stream completed - tell client to load from database
-  if (meta.status === 'completed') {
-    logger.info('Stream already completed', { streamId, chatId: meta.chatId })
-    return NextResponse.json({
-      status: 'completed',
-      chatId: meta.chatId,
-      message: 'Stream completed. Messages saved to database.',
-    })
-  }
-
-  // Stream errored
-  if (meta.status === 'error') {
-    logger.info('Stream encountered error', { streamId, chatId: meta.chatId })
-    return NextResponse.json({
-      status: 'error',
-      chatId: meta.chatId,
-      message: 'Stream encountered an error.',
-    })
-  }
-
-  // Stream still active - return SSE with replay + live updates
-  logger.info('Resuming active stream', { streamId, chatId: meta.chatId })
-
-  const encoder = new TextEncoder()
-  const abortController = new AbortController()
-
-  // Handle client disconnect
-  req.signal.addEventListener('abort', () => {
-    logger.info('Client disconnected from resumed stream', { streamId })
-    abortController.abort()
-  })
-
-  const responseStream = new ReadableStream({
-    async start(controller) {
-      try {
-        // 1. Replay missed chunks (single read from Redis LIST)
-        const missedChunks = await getChunks(streamId, fromChunk)
-        logger.info('Replaying missed chunks', {
-          streamId,
-          fromChunk,
-          missedChunkCount: missedChunks.length,
-        })
-
-        for (const chunk of missedChunks) {
-          // Chunks are already in SSE format, just re-encode
-          controller.enqueue(encoder.encode(chunk))
-        }
-
-        // 2. Subscribe to live chunks via Redis Pub/Sub (blocking, no polling)
-        await subscribeToStream(
-          streamId,
-          (chunk) => {
-            try {
-              controller.enqueue(encoder.encode(chunk))
-            } catch {
-              // Client disconnected
-              abortController.abort()
-            }
-          },
-          () => {
-            // Stream complete - close connection
-            logger.info('Stream completed during resume', { streamId })
-            try {
-              controller.close()
-            } catch {
-              // Already closed
-            }
-          },
-          abortController.signal
-        )
-      } catch (error) {
-        logger.error('Error in stream resume', {
-          streamId,
-          error: error instanceof Error ? error.message : String(error),
-        })
-        try {
-          controller.close()
-        } catch {
-          // Already closed
-        }
-      }
-    },
-    cancel() {
-      abortController.abort()
-    },
-  })
-
-  return new Response(responseStream, {
-    headers: {
-      ...SSE_HEADERS,
-      'X-Stream-Id': streamId,
-      'X-Chat-Id': meta.chatId,
-    },
-  })
-}
-
--- a/apps/sim/app/api/files/parse/route.ts
+++ b/apps/sim/app/api/files/parse/route.ts
@@ -6,9 +6,10 @@ import { createLogger } from '@sim/logger'
 import binaryExtensionsList from 'binary-extensions'
 import { type NextRequest, NextResponse } from 'next/server'
 import { checkHybridAuth } from '@/lib/auth/hybrid'
-import { createPinnedUrl, validateUrlWithDNS } from '@/lib/core/security/input-validation'
+import { secureFetchWithPinnedIP, validateUrlWithDNS } from '@/lib/core/security/input-validation'
 import { isSupportedFileType, parseFile } from '@/lib/file-parsers'
 import { isUsingCloudStorage, type StorageContext, StorageService } from '@/lib/uploads'
+import { uploadExecutionFile } from '@/lib/uploads/contexts/execution'
 import { UPLOAD_DIR_SERVER } from '@/lib/uploads/core/setup.server'
 import { getFileMetadataByKey } from '@/lib/uploads/server/metadata'
 import {
@@ -21,6 +22,7 @@ import {
 } from '@/lib/uploads/utils/file-utils'
 import { getUserEntityPermissions } from '@/lib/workspaces/permissions/utils'
 import { verifyFileAccess } from '@/app/api/files/authorization'
+import type { UserFile } from '@/executor/types'
 import '@/lib/uploads/core/setup.server'

 export const dynamic = 'force-dynamic'
@@ -30,6 +32,12 @@ const logger = createLogger('FilesParseAPI')
 const MAX_DOWNLOAD_SIZE_BYTES = 100 * 1024 * 1024 // 100 MB
 const DOWNLOAD_TIMEOUT_MS = 30000 // 30 seconds

+interface ExecutionContext {
+  workspaceId: string
+  workflowId: string
+  executionId: string
+}
+
 interface ParseResult {
  success: boolean
  content?: string
@@ -37,6 +45,7 @@ interface ParseResult {
  filePath: string
  originalName?: string // Original filename from database (for workspace files)
  viewerUrl?: string | null // Viewer URL for the file if available
+  userFile?: UserFile // UserFile object for the raw file
  metadata?: {
    fileType: string
    size: number
@@ -70,27 +79,45 @@ export async function POST(request: NextRequest) {

    const userId = authResult.userId
    const requestData = await request.json()
-    const { filePath, fileType, workspaceId } = requestData
+    const { filePath, fileType, workspaceId, workflowId, executionId } = requestData

    if (!filePath || (typeof filePath === 'string' && filePath.trim() === '')) {
      return NextResponse.json({ success: false, error: 'No file path provided' }, { status: 400 })
    }

-    logger.info('File parse request received:', { filePath, fileType, workspaceId, userId })
+    // Build execution context if all required fields are present
+    const executionContext: ExecutionContext | undefined =
+      workspaceId && workflowId && executionId
+        ? { workspaceId, workflowId, executionId }
+        : undefined
+
+    logger.info('File parse request received:', {
+      filePath,
+      fileType,
+      workspaceId,
+      userId,
+      hasExecutionContext: !!executionContext,
+    })

    if (Array.isArray(filePath)) {
      const results = []
-      for (const path of filePath) {
-        if (!path || (typeof path === 'string' && path.trim() === '')) {
+      for (const singlePath of filePath) {
+        if (!singlePath || (typeof singlePath === 'string' && singlePath.trim() === '')) {
          results.push({
            success: false,
            error: 'Empty file path in array',
-            filePath: path || '',
+            filePath: singlePath || '',
          })
          continue
        }

-        const result = await parseFileSingle(path, fileType, workspaceId, userId)
+        const result = await parseFileSingle(
+          singlePath,
+          fileType,
+          workspaceId,
+          userId,
+          executionContext
+        )
        if (result.metadata) {
          result.metadata.processingTime = Date.now() - startTime
        }
@@ -106,6 +133,7 @@ export async function POST(request: NextRequest) {
              fileType: result.metadata?.fileType || 'application/octet-stream',
              size: result.metadata?.size || 0,
              binary: false,
+              file: result.userFile,
            },
            filePath: result.filePath,
            viewerUrl: result.viewerUrl,
@@ -121,7 +149,7 @@ export async function POST(request: NextRequest) {
      })
    }

-    const result = await parseFileSingle(filePath, fileType, workspaceId, userId)
+    const result = await parseFileSingle(filePath, fileType, workspaceId, userId, executionContext)

    if (result.metadata) {
      result.metadata.processingTime = Date.now() - startTime
@@ -137,6 +165,7 @@ export async function POST(request: NextRequest) {
          fileType: result.metadata?.fileType || 'application/octet-stream',
          size: result.metadata?.size || 0,
          binary: false,
+          file: result.userFile,
        },
        filePath: result.filePath,
        viewerUrl: result.viewerUrl,
@@ -164,7 +193,8 @@ async function parseFileSingle(
  filePath: string,
  fileType: string,
  workspaceId: string,
-  userId: string
+  userId: string,
+  executionContext?: ExecutionContext
 ): Promise<ParseResult> {
  logger.info('Parsing file:', filePath)

@@ -186,18 +216,18 @@ async function parseFileSingle(
  }

  if (filePath.includes('/api/files/serve/')) {
-    return handleCloudFile(filePath, fileType, undefined, userId)
+    return handleCloudFile(filePath, fileType, undefined, userId, executionContext)
  }

  if (filePath.startsWith('http://') || filePath.startsWith('https://')) {
-    return handleExternalUrl(filePath, fileType, workspaceId, userId)
+    return handleExternalUrl(filePath, fileType, workspaceId, userId, executionContext)
  }

  if (isUsingCloudStorage()) {
-    return handleCloudFile(filePath, fileType, undefined, userId)
+    return handleCloudFile(filePath, fileType, undefined, userId, executionContext)
  }

-  return handleLocalFile(filePath, fileType, userId)
+  return handleLocalFile(filePath, fileType, userId, executionContext)
 }

 /**
@@ -230,12 +260,14 @@ function validateFilePath(filePath: string): { isValid: boolean; error?: string
 /**
 * Handle external URL
 * If workspaceId is provided, checks if file already exists and saves to workspace if not
+ * If executionContext is provided, also stores the file in execution storage and returns UserFile
 */
 async function handleExternalUrl(
  url: string,
  fileType: string,
  workspaceId: string,
-  userId: string
+  userId: string,
+  executionContext?: ExecutionContext
 ): Promise<ParseResult> {
  try {
    logger.info('Fetching external URL:', url)
@@ -312,17 +344,13 @@ async function handleExternalUrl(

        if (existingFile) {
          const storageFilePath = `/api/files/serve/${existingFile.key}`
-          return handleCloudFile(storageFilePath, fileType, 'workspace', userId)
+          return handleCloudFile(storageFilePath, fileType, 'workspace', userId, executionContext)
        }
      }
    }

-    const pinnedUrl = createPinnedUrl(url, urlValidation.resolvedIP!)
-    const response = await fetch(pinnedUrl, {
-      signal: AbortSignal.timeout(DOWNLOAD_TIMEOUT_MS),
-      headers: {
-        Host: urlValidation.originalHostname!,
-      },
+    const response = await secureFetchWithPinnedIP(url, urlValidation.resolvedIP!, {
+      timeout: DOWNLOAD_TIMEOUT_MS,
    })
    if (!response.ok) {
      throw new Error(`Failed to fetch URL: ${response.status} ${response.statusText}`)
@@ -341,6 +369,19 @@ async function handleExternalUrl(

    logger.info(`Downloaded file from URL: ${url}, size: ${buffer.length} bytes`)

+    let userFile: UserFile | undefined
+    const mimeType = response.headers.get('content-type') || getMimeTypeFromExtension(extension)
+
+    if (executionContext) {
+      try {
+        userFile = await uploadExecutionFile(executionContext, buffer, filename, mimeType, userId)
+        logger.info(`Stored file in execution storage: ${filename}`, { key: userFile.key })
+      } catch (uploadError) {
+        logger.warn(`Failed to store file in execution storage:`, uploadError)
+        // Continue without userFile - parsing can still work
+      }
+    }
+
    if (shouldCheckWorkspace) {
      try {
        const permission = await getUserEntityPermissions(userId, 'workspace', workspaceId)
@@ -353,8 +394,6 @@ async function handleExternalUrl(
          })
        } else {
          const { uploadWorkspaceFile } = await import('@/lib/uploads/contexts/workspace')
-          const mimeType =
-            response.headers.get('content-type') || getMimeTypeFromExtension(extension)
          await uploadWorkspaceFile(workspaceId, userId, buffer, filename, mimeType)
          logger.info(`Saved URL file to workspace storage: ${filename}`)
        }
@@ -363,17 +402,23 @@ async function handleExternalUrl(
      }
    }

+    let parseResult: ParseResult
    if (extension === 'pdf') {
-      return await handlePdfBuffer(buffer, filename, fileType, url)
-    }
-    if (extension === 'csv') {
-      return await handleCsvBuffer(buffer, filename, fileType, url)
-    }
-    if (isSupportedFileType(extension)) {
-      return await handleGenericTextBuffer(buffer, filename, extension, fileType, url)
+      parseResult = await handlePdfBuffer(buffer, filename, fileType, url)
+    } else if (extension === 'csv') {
+      parseResult = await handleCsvBuffer(buffer, filename, fileType, url)
+    } else if (isSupportedFileType(extension)) {
+      parseResult = await handleGenericTextBuffer(buffer, filename, extension, fileType, url)
+    } else {
+      parseResult = handleGenericBuffer(buffer, filename, extension, fileType)
    }

-    return handleGenericBuffer(buffer, filename, extension, fileType)
+    // Attach userFile to the result
+    if (userFile) {
+      parseResult.userFile = userFile
+    }
+
+    return parseResult
  } catch (error) {
    logger.error(`Error handling external URL ${url}:`, error)
    return {
@@ -386,12 +431,15 @@ async function handleExternalUrl(

 /**
 * Handle file stored in cloud storage
+ * If executionContext is provided and file is not already from execution storage,
+ * copies the file to execution storage and returns UserFile
 */
 async function handleCloudFile(
  filePath: string,
  fileType: string,
  explicitContext: string | undefined,
-  userId: string
+  userId: string,
+  executionContext?: ExecutionContext
 ): Promise<ParseResult> {
  try {
    const cloudKey = extractStorageKey(filePath)
@@ -438,6 +486,7 @@ async function handleCloudFile(

    const filename = originalFilename || cloudKey.split('/').pop() || cloudKey
    const extension = path.extname(filename).toLowerCase().substring(1)
+    const mimeType = getMimeTypeFromExtension(extension)

    const normalizedFilePath = `/api/files/serve/${encodeURIComponent(cloudKey)}?context=${context}`
    let workspaceIdFromKey: string | undefined
@@ -453,6 +502,39 @@ async function handleCloudFile(

    const viewerUrl = getViewerUrl(cloudKey, workspaceIdFromKey)

+    // Store file in execution storage if executionContext is provided
+    let userFile: UserFile | undefined
+
+    if (executionContext) {
+      // If file is already from execution context, create UserFile reference without re-uploading
+      if (context === 'execution') {
+        userFile = {
+          id: `file_${Date.now()}_${Math.random().toString(36).substring(2, 9)}`,
+          name: filename,
+          url: normalizedFilePath,
+          size: fileBuffer.length,
+          type: mimeType,
+          key: cloudKey,
+          context: 'execution',
+        }
+        logger.info(`Created UserFile reference for existing execution file: ${filename}`)
+      } else {
+        // Copy from workspace/other storage to execution storage
+        try {
+          userFile = await uploadExecutionFile(
+            executionContext,
+            fileBuffer,
+            filename,
+            mimeType,
+            userId
+          )
+          logger.info(`Copied file to execution storage: ${filename}`, { key: userFile.key })
+        } catch (uploadError) {
+          logger.warn(`Failed to copy file to execution storage:`, uploadError)
+        }
+      }
+    }
+
    let parseResult: ParseResult
    if (extension === 'pdf') {
      parseResult = await handlePdfBuffer(fileBuffer, filename, fileType, normalizedFilePath)
@@ -477,6 +559,11 @@ async function handleCloudFile(

    parseResult.viewerUrl = viewerUrl

+    // Attach userFile to the result
+    if (userFile) {
+      parseResult.userFile = userFile
+    }
+
    return parseResult
  } catch (error) {
    logger.error(`Error handling cloud file ${filePath}:`, error)
@@ -500,7 +587,8 @@ async function handleCloudFile(
 async function handleLocalFile(
  filePath: string,
  fileType: string,
-  userId: string
+  userId: string,
+  executionContext?: ExecutionContext
 ): Promise<ParseResult> {
  try {
    const filename = filePath.split('/').pop() || filePath
@@ -540,13 +628,32 @@ async function handleLocalFile(
    const hash = createHash('md5').update(fileBuffer).digest('hex')

    const extension = path.extname(filename).toLowerCase().substring(1)
+    const mimeType = fileType || getMimeTypeFromExtension(extension)
+
+    // Store file in execution storage if executionContext is provided
+    let userFile: UserFile | undefined
+    if (executionContext) {
+      try {
+        userFile = await uploadExecutionFile(
+          executionContext,
+          fileBuffer,
+          filename,
+          mimeType,
+          userId
+        )
+        logger.info(`Stored local file in execution storage: ${filename}`, { key: userFile.key })
+      } catch (uploadError) {
+        logger.warn(`Failed to store local file in execution storage:`, uploadError)
+      }
+    }

    return {
      success: true,
      content: result.content,
      filePath,
+      userFile,
      metadata: {
-        fileType: fileType || getMimeTypeFromExtension(extension),
+        fileType: mimeType,
        size: stats.size,
        hash,
        processingTime: 0,
--- a/apps/sim/app/api/form/[identifier]/route.ts
+++ b/apps/sim/app/api/form/[identifier]/route.ts
@@ -11,7 +11,7 @@ import { preprocessExecution } from '@/lib/execution/preprocessing'
 import { LoggingSession } from '@/lib/logs/execution/logging-session'
 import { normalizeInputFormatValue } from '@/lib/workflows/input-format'
 import { createStreamingResponse } from '@/lib/workflows/streaming/streaming'
-import { isValidStartBlockType } from '@/lib/workflows/triggers/start-block-types'
+import { isInputDefinitionTrigger } from '@/lib/workflows/triggers/input-definition-triggers'
 import { setFormAuthCookie, validateFormAuth } from '@/app/api/form/utils'
 import { createErrorResponse, createSuccessResponse } from '@/app/api/workflows/utils'

@@ -36,7 +36,7 @@ async function getWorkflowInputSchema(workflowId: string): Promise<any[]> {
      .from(workflowBlocks)
      .where(eq(workflowBlocks.workflowId, workflowId))

-    const startBlock = blocks.find((block) => isValidStartBlockType(block.type))
+    const startBlock = blocks.find((block) => isInputDefinitionTrigger(block.type))

    if (!startBlock) {
      return []
--- a/apps/sim/app/api/function/execute/route.test.ts
+++ b/apps/sim/app/api/function/execute/route.test.ts
@@ -84,6 +84,14 @@ vi.mock('@/lib/execution/isolated-vm', () => ({

 vi.mock('@sim/logger', () => loggerMock)

+vi.mock('@/lib/auth/hybrid', () => ({
+  checkInternalAuth: vi.fn().mockResolvedValue({
+    success: true,
+    userId: 'user-123',
+    authType: 'internal_jwt',
+  }),
+}))
+
 vi.mock('@/lib/execution/e2b', () => ({
  executeInE2B: vi.fn(),
 }))
@@ -110,6 +118,24 @@ describe('Function Execute API Route', () => {
  })

  describe('Security Tests', () => {
+    it('should reject unauthorized requests', async () => {
+      const { checkInternalAuth } = await import('@/lib/auth/hybrid')
+      vi.mocked(checkInternalAuth).mockResolvedValueOnce({
+        success: false,
+        error: 'Unauthorized',
+      })
+
+      const req = createMockRequest('POST', {
+        code: 'return "test"',
+      })
+
+      const response = await POST(req)
+      const data = await response.json()
+
+      expect(response.status).toBe(401)
+      expect(data).toHaveProperty('error', 'Unauthorized')
+    })
+
    it.concurrent('should use isolated-vm for secure sandboxed execution', async () => {
      const req = createMockRequest('POST', {
        code: 'return "test"',
@@ -276,8 +302,11 @@ describe('Function Execute API Route', () => {
    it.concurrent('should resolve tag variables with <tag_name> syntax', async () => {
      const req = createMockRequest('POST', {
        code: 'return <email>',
-        params: {
-          email: { id: '123', subject: 'Test Email' },
+        blockData: {
+          'block-123': { id: '123', subject: 'Test Email' },
+        },
+        blockNameMapping: {
+          email: 'block-123',
        },
      })

@@ -305,9 +334,13 @@ describe('Function Execute API Route', () => {
    it.concurrent('should only match valid variable names in angle brackets', async () => {
      const req = createMockRequest('POST', {
        code: 'return <validVar> + "<invalid@email.com>" + <another_valid>',
-        params: {
-          validVar: 'hello',
-          another_valid: 'world',
+        blockData: {
+          'block-1': 'hello',
+          'block-2': 'world',
+        },
+        blockNameMapping: {
+          validvar: 'block-1',
+          another_valid: 'block-2',
        },
      })

@@ -321,28 +354,22 @@ describe('Function Execute API Route', () => {
    it.concurrent(
      'should handle Gmail webhook data with email addresses containing angle brackets',
      async () => {
-        const gmailData = {
-          email: {
-            id: '123',
-            from: 'Waleed Latif <waleed@sim.ai>',
-            to: 'User <user@example.com>',
-            subject: 'Test Email',
-            bodyText: 'Hello world',
-          },
-          rawEmail: {
-            id: '123',
-            payload: {
-              headers: [
-                { name: 'From', value: 'Waleed Latif <waleed@sim.ai>' },
-                { name: 'To', value: 'User <user@example.com>' },
-              ],
-            },
-          },
+        const emailData = {
+          id: '123',
+          from: 'Waleed Latif <waleed@sim.ai>',
+          to: 'User <user@example.com>',
+          subject: 'Test Email',
+          bodyText: 'Hello world',
        }

        const req = createMockRequest('POST', {
          code: 'return <email>',
-          params: gmailData,
+          blockData: {
+            'block-email': emailData,
+          },
+          blockNameMapping: {
+            email: 'block-email',
+          },
        })

        const response = await POST(req)
@@ -356,17 +383,20 @@ describe('Function Execute API Route', () => {
    it.concurrent(
      'should properly serialize complex email objects with special characters',
      async () => {
-        const complexEmailData = {
-          email: {
-            from: 'Test User <test@example.com>',
-            bodyHtml: '<div>HTML content with "quotes" and \'apostrophes\'</div>',
-            bodyText: 'Text with\nnewlines\tand\ttabs',
-          },
+        const emailData = {
+          from: 'Test User <test@example.com>',
+          bodyHtml: '<div>HTML content with "quotes" and \'apostrophes\'</div>',
+          bodyText: 'Text with\nnewlines\tand\ttabs',
        }

        const req = createMockRequest('POST', {
          code: 'return <email>',
-          params: complexEmailData,
+          blockData: {
+            'block-email': emailData,
+          },
+          blockNameMapping: {
+            email: 'block-email',
+          },
        })

        const response = await POST(req)
@@ -519,18 +549,23 @@ describe('Function Execute API Route', () => {
    })

    it.concurrent('should handle JSON serialization edge cases', async () => {
+      const complexData = {
+        special: 'chars"with\'quotes',
+        unicode: '🎉 Unicode content',
+        nested: {
+          deep: {
+            value: 'test',
+          },
+        },
+      }
+
      const req = createMockRequest('POST', {
        code: 'return <complexData>',
-        params: {
-          complexData: {
-            special: 'chars"with\'quotes',
-            unicode: '🎉 Unicode content',
-            nested: {
-              deep: {
-                value: 'test',
-              },
-            },
-          },
+        blockData: {
+          'block-complex': complexData,
+        },
+        blockNameMapping: {
+          complexdata: 'block-complex',
        },
      })

--- a/apps/sim/app/api/function/execute/route.ts
+++ b/apps/sim/app/api/function/execute/route.ts
@@ -1,15 +1,16 @@
 import { createLogger } from '@sim/logger'
 import { type NextRequest, NextResponse } from 'next/server'
+import { checkInternalAuth } from '@/lib/auth/hybrid'
 import { isE2bEnabled } from '@/lib/core/config/feature-flags'
 import { generateRequestId } from '@/lib/core/utils/request'
 import { executeInE2B } from '@/lib/execution/e2b'
 import { executeInIsolatedVM } from '@/lib/execution/isolated-vm'
 import { CodeLanguage, DEFAULT_CODE_LANGUAGE, isValidCodeLanguage } from '@/lib/execution/languages'
 import { escapeRegExp, normalizeName, REFERENCE } from '@/executor/constants'
+import { type OutputSchema, resolveBlockReference } from '@/executor/utils/block-reference'
 import {
  createEnvVarPattern,
  createWorkflowVariablePattern,
-  resolveEnvVarReferences,
 } from '@/executor/utils/reference-validation'
 export const dynamic = 'force-dynamic'
 export const runtime = 'nodejs'
@@ -18,8 +19,8 @@ export const MAX_DURATION = 210

 const logger = createLogger('FunctionExecuteAPI')

-const E2B_JS_WRAPPER_LINES = 3 // Lines before user code: ';(async () => {', '  try {', '    const __sim_result = await (async () => {'
-const E2B_PYTHON_WRAPPER_LINES = 1 // Lines before user code: 'def __sim_main__():'
+const E2B_JS_WRAPPER_LINES = 3
+const E2B_PYTHON_WRAPPER_LINES = 1

 type TypeScriptModule = typeof import('typescript')

@@ -134,33 +135,21 @@ function extractEnhancedError(
  if (error.stack) {
    enhanced.stack = error.stack

-    // Parse stack trace to extract line and column information
-    // Handle both compilation errors and runtime errors
    const stackLines: string[] = error.stack.split('\n')

    for (const line of stackLines) {
-      // Pattern 1: Compilation errors - "user-function.js:6"
      let match = line.match(/user-function\.js:(\d+)(?::(\d+))?/)

-      // Pattern 2: Runtime errors - "at user-function.js:5:12"
      if (!match) {
        match = line.match(/at\s+user-function\.js:(\d+):(\d+)/)
      }

-      // Pattern 3: Generic patterns for any line containing our filename
-      if (!match) {
-        match = line.match(/user-function\.js:(\d+)(?::(\d+))?/)
-      }
-
      if (match) {
        const stackLine = Number.parseInt(match[1], 10)
        const stackColumn = match[2] ? Number.parseInt(match[2], 10) : undefined

-        // Adjust line number to account for wrapper code
-        // The user code starts at a specific line in our wrapper
        const adjustedLine = stackLine - userCodeStartLine + 1

-        // Check if this is a syntax error in wrapper code caused by incomplete user code
        const isWrapperSyntaxError =
          stackLine > userCodeStartLine &&
          error.name === 'SyntaxError' &&
@@ -168,7 +157,6 @@ function extractEnhancedError(
            error.message.includes('Unexpected end of input'))

        if (isWrapperSyntaxError && userCode) {
-          // Map wrapper syntax errors to the last line of user code
          const codeLines = userCode.split('\n')
          const lastUserLine = codeLines.length
          enhanced.line = lastUserLine
@@ -181,7 +169,6 @@ function extractEnhancedError(
          enhanced.line = adjustedLine
          enhanced.column = stackColumn

-          // Extract the actual line content from user code
          if (userCode) {
            const codeLines = userCode.split('\n')
            if (adjustedLine <= codeLines.length) {
@@ -192,7 +179,6 @@ function extractEnhancedError(
        }

        if (stackLine <= userCodeStartLine) {
-          // Error is in wrapper code itself
          enhanced.line = stackLine
          enhanced.column = stackColumn
          break
@@ -200,7 +186,6 @@ function extractEnhancedError(
      }
    }

-    // Clean up stack trace to show user-relevant information
    const cleanedStackLines: string[] = stackLines
      .filter(
        (line: string) =>
@@ -214,9 +199,6 @@ function extractEnhancedError(
    }
  }

-  // Keep original message without adding error type prefix
-  // The error type will be added later in createUserFriendlyErrorMessage
-
  return enhanced
 }

@@ -231,7 +213,6 @@ function formatE2BError(
  userCode: string,
  prologueLineCount: number
 ): { formattedError: string; cleanedOutput: string } {
-  // Calculate line offset based on language and prologue
  const wrapperLines =
    language === CodeLanguage.Python ? E2B_PYTHON_WRAPPER_LINES : E2B_JS_WRAPPER_LINES
  const totalOffset = prologueLineCount + wrapperLines
@@ -241,27 +222,20 @@ function formatE2BError(
  let cleanErrorMsg = ''

  if (language === CodeLanguage.Python) {
-    // Python error format: "Cell In[X], line Y" followed by error details
-    // Extract line number from the Cell reference
    const cellMatch = errorOutput.match(/Cell In\[\d+\], line (\d+)/)
    if (cellMatch) {
      const originalLine = Number.parseInt(cellMatch[1], 10)
      userLine = originalLine - totalOffset
    }

-    // Extract clean error message from the error string
-    // Remove file references like "(detected at line X) (file.py, line Y)"
    cleanErrorMsg = errorMessage
      .replace(/\s*\(detected at line \d+\)/g, '')
      .replace(/\s*\([^)]+\.py, line \d+\)/g, '')
      .trim()
  } else if (language === CodeLanguage.JavaScript) {
-    // JavaScript error format from E2B: "SyntaxError: /path/file.ts: Message. (line:col)\n\n   9 | ..."
-    // First, extract the error type and message from the first line
    const firstLineEnd = errorMessage.indexOf('\n')
    const firstLine = firstLineEnd > 0 ? errorMessage.substring(0, firstLineEnd) : errorMessage

-    // Parse: "SyntaxError: /home/user/index.ts: Missing semicolon. (11:9)"
    const jsErrorMatch = firstLine.match(/^(\w+Error):\s*[^:]+:\s*([^(]+)\.\s*\((\d+):(\d+)\)/)
    if (jsErrorMatch) {
      cleanErrorType = jsErrorMatch[1]
@@ -269,13 +243,11 @@ function formatE2BError(
      const originalLine = Number.parseInt(jsErrorMatch[3], 10)
      userLine = originalLine - totalOffset
    } else {
-      // Fallback: look for line number in the arrow pointer line (> 11 |)
      const arrowMatch = errorMessage.match(/^>\s*(\d+)\s*\|/m)
      if (arrowMatch) {
        const originalLine = Number.parseInt(arrowMatch[1], 10)
        userLine = originalLine - totalOffset
      }
-      // Try to extract error type and message
      const errorMatch = firstLine.match(/^(\w+Error):\s*(.+)/)
      if (errorMatch) {
        cleanErrorType = errorMatch[1]
@@ -289,13 +261,11 @@ function formatE2BError(
    }
  }

-  // Build the final clean error message
  const finalErrorMsg =
    cleanErrorType && cleanErrorMsg
      ? `${cleanErrorType}: ${cleanErrorMsg}`
      : cleanErrorMsg || errorMessage

-  // Format with line number if available
  let formattedError = finalErrorMsg
  if (userLine && userLine > 0) {
    const codeLines = userCode.split('\n')
@@ -311,7 +281,6 @@ function formatE2BError(
    }
  }

-  // For stdout, just return the clean error message without the full traceback
  const cleanedOutput = finalErrorMsg

  return { formattedError, cleanedOutput }
@@ -327,7 +296,6 @@ function createUserFriendlyErrorMessage(
 ): string {
  let errorMessage = enhanced.message

-  // Add line information if available
  if (enhanced.line !== undefined) {
    let lineInfo = `Line ${enhanced.line}`

@@ -338,18 +306,14 @@ function createUserFriendlyErrorMessage(

    errorMessage = `${lineInfo} - ${errorMessage}`
  } else {
-    // If no line number, try to extract it from stack trace for display
    if (enhanced.stack) {
      const stackMatch = enhanced.stack.match(/user-function\.js:(\d+)(?::(\d+))?/)
      if (stackMatch) {
        const line = Number.parseInt(stackMatch[1], 10)
        let lineInfo = `Line ${line}`

-        // Try to get line content if we have userCode
        if (userCode) {
          const codeLines = userCode.split('\n')
-          // Note: stackMatch gives us VM line number, need to adjust
-          // This is a fallback case, so we might not have perfect line mapping
          if (line <= codeLines.length) {
            const lineContent = codeLines[line - 1]?.trim()
            if (lineContent) {
@@ -363,7 +327,6 @@ function createUserFriendlyErrorMessage(
    }
  }

-  // Add error type prefix with consistent naming
  if (enhanced.name !== 'Error') {
    const errorTypePrefix =
      enhanced.name === 'SyntaxError'
@@ -374,7 +337,6 @@ function createUserFriendlyErrorMessage(
            ? 'Reference Error'
            : enhanced.name

-    // Only add prefix if not already present
    if (!errorMessage.toLowerCase().includes(errorTypePrefix.toLowerCase())) {
      errorMessage = `${errorTypePrefix}: ${errorMessage}`
    }
@@ -383,9 +345,6 @@ function createUserFriendlyErrorMessage(
  return errorMessage
 }

-/**
- * Resolves workflow variables with <variable.name> syntax
- */
 function resolveWorkflowVariables(
  code: string,
  workflowVariables: Record<string, any>,
@@ -405,39 +364,35 @@ function resolveWorkflowVariables(
  while ((match = regex.exec(code)) !== null) {
    const variableName = match[1].trim()

-    // Find the variable by name (workflowVariables is indexed by ID, values are variable objects)
    const foundVariable = Object.entries(workflowVariables).find(
      ([_, variable]) => normalizeName(variable.name || '') === variableName
    )

-    let variableValue: unknown = ''
-    if (foundVariable) {
-      const variable = foundVariable[1]
-      variableValue = variable.value
+    if (!foundVariable) {
+      const availableVars = Object.values(workflowVariables)
+        .map((v) => v.name)
+        .filter(Boolean)
+      throw new Error(
+        `Variable "${variableName}" doesn't exist.` +
+          (availableVars.length > 0 ? ` Available: ${availableVars.join(', ')}` : '')
+      )
+    }

-      if (variable.value !== undefined && variable.value !== null) {
+    const variable = foundVariable[1]
+    let variableValue: unknown = variable.value
+
+    if (variable.value !== undefined && variable.value !== null) {
+      const type = variable.type === 'string' ? 'plain' : variable.type
+
+      if (type === 'number') {
+        variableValue = Number(variableValue)
+      } else if (type === 'boolean') {
+        variableValue = variableValue === 'true' || variableValue === true
+      } else if (type === 'json' && typeof variableValue === 'string') {
        try {
-          // Handle 'string' type the same as 'plain' for backward compatibility
-          const type = variable.type === 'string' ? 'plain' : variable.type
-
-          // For plain text, use exactly what's entered without modifications
-          if (type === 'plain' && typeof variableValue === 'string') {
-            // Use as-is for plain text
-          } else if (type === 'number') {
-            variableValue = Number(variableValue)
-          } else if (type === 'boolean') {
-            variableValue = variableValue === 'true' || variableValue === true
-          } else if (type === 'json') {
-            try {
-              variableValue =
-                typeof variableValue === 'string' ? JSON.parse(variableValue) : variableValue
-            } catch {
-              // Keep original value if JSON parsing fails
-            }
-          }
+          variableValue = JSON.parse(variableValue)
        } catch {
-          // Fallback to original value on error
-          variableValue = variable.value
+          // Keep as-is
        }
      }
    }
@@ -450,11 +405,9 @@ function resolveWorkflowVariables(
    })
  }

-  // Process replacements in reverse order to maintain correct indices
  for (let i = replacements.length - 1; i >= 0; i--) {
    const { match: matchStr, index, variableName, variableValue } = replacements[i]

-    // Use variable reference approach
    const safeVarName = `__variable_${variableName.replace(/[^a-zA-Z0-9_]/g, '_')}`
    contextVariables[safeVarName] = variableValue
    resolvedCode =
@@ -464,9 +417,6 @@ function resolveWorkflowVariables(
  return resolvedCode
 }

-/**
- * Resolves environment variables with {{var_name}} syntax
- */
 function resolveEnvironmentVariables(
  code: string,
  params: Record<string, any>,
@@ -482,32 +432,28 @@ function resolveEnvironmentVariables(

  const resolverVars: Record<string, string> = {}
  Object.entries(params).forEach(([key, value]) => {
-    if (value) {
+    if (value !== undefined && value !== null) {
      resolverVars[key] = String(value)
    }
  })
  Object.entries(envVars).forEach(([key, value]) => {
-    if (value) {
+    if (value !== undefined && value !== null) {
      resolverVars[key] = value
    }
  })

  while ((match = regex.exec(code)) !== null) {
    const varName = match[1].trim()
-    const resolved = resolveEnvVarReferences(match[0], resolverVars, {
-      allowEmbedded: true,
-      resolveExactMatch: true,
-      trimKeys: true,
-      onMissing: 'empty',
-      deep: false,
-    })
-    const varValue =
-      typeof resolved === 'string' ? resolved : resolved == null ? '' : String(resolved)
+
+    if (!(varName in resolverVars)) {
+      continue
+    }
+
    replacements.push({
      match: match[0],
      index: match.index,
      varName,
-      varValue: String(varValue),
+      varValue: resolverVars[varName],
    })
  }

@@ -523,64 +469,59 @@ function resolveEnvironmentVariables(
  return resolvedCode
 }

-/**
- * Resolves tags with <tag_name> syntax (including nested paths like <block.response.data>)
- */
 function resolveTagVariables(
  code: string,
-  params: Record<string, any>,
-  blockData: Record<string, any>,
+  blockData: Record<string, unknown>,
  blockNameMapping: Record<string, string>,
-  contextVariables: Record<string, any>
+  blockOutputSchemas: Record<string, OutputSchema>,
+  contextVariables: Record<string, unknown>,
+  language = 'javascript'
 ): string {
  let resolvedCode = code
+  const undefinedLiteral = language === 'python' ? 'None' : 'undefined'

  const tagPattern = new RegExp(
-    `${REFERENCE.START}([a-zA-Z_][a-zA-Z0-9_${REFERENCE.PATH_DELIMITER}]*[a-zA-Z0-9_])${REFERENCE.END}`,
+    `${REFERENCE.START}([a-zA-Z_](?:[a-zA-Z0-9_${REFERENCE.PATH_DELIMITER}]*[a-zA-Z0-9_])?)${REFERENCE.END}`,
    'g'
  )
  const tagMatches = resolvedCode.match(tagPattern) || []

  for (const match of tagMatches) {
    const tagName = match.slice(REFERENCE.START.length, -REFERENCE.END.length).trim()
+    const pathParts = tagName.split(REFERENCE.PATH_DELIMITER)
+    const blockName = pathParts[0]
+    const fieldPath = pathParts.slice(1)

-    // Handle nested paths like "getrecord.response.data" or "function1.response.result"
-    // First try params, then blockData directly, then try with block name mapping
-    let tagValue = getNestedValue(params, tagName) || getNestedValue(blockData, tagName) || ''
+    const result = resolveBlockReference(blockName, fieldPath, {
+      blockNameMapping,
+      blockData,
+      blockOutputSchemas,
+    })

-    // If not found and the path starts with a block name, try mapping the block name to ID
-    if (!tagValue && tagName.includes(REFERENCE.PATH_DELIMITER)) {
-      const pathParts = tagName.split(REFERENCE.PATH_DELIMITER)
-      const normalizedBlockName = pathParts[0] // This should already be normalized like "function1"
+    if (!result) {
+      continue
+    }

-      // Direct lookup using normalized block name
-      const blockId = blockNameMapping[normalizedBlockName] ?? null
+    let tagValue = result.value

-      if (blockId) {
-        const remainingPath = pathParts.slice(1).join('.')
-        const fullPath = `${blockId}.${remainingPath}`
-        tagValue = getNestedValue(blockData, fullPath) || ''
+    if (tagValue === undefined) {
+      resolvedCode = resolvedCode.replace(new RegExp(escapeRegExp(match), 'g'), undefinedLiteral)
+      continue
+    }
+
+    if (typeof tagValue === 'string') {
+      const trimmed = tagValue.trimStart()
+      if (trimmed.startsWith('{') || trimmed.startsWith('[')) {
+        try {
+          tagValue = JSON.parse(tagValue)
+        } catch {
+          // Keep as string if not valid JSON
+        }
      }
    }

-    // If the value is a stringified JSON, parse it back to object
-    if (
-      typeof tagValue === 'string' &&
-      tagValue.length > 100 &&
-      (tagValue.startsWith('{') || tagValue.startsWith('['))
-    ) {
-      try {
-        tagValue = JSON.parse(tagValue)
-      } catch (e) {
-        // Keep as string if parsing fails
-      }
-    }
-
-    // Instead of injecting large JSON directly, create a variable reference
-    const safeVarName = `__tag_${tagName.replace(/[^a-zA-Z0-9_]/g, '_')}`
+    const safeVarName = `__tag_${tagName.replace(/_/g, '_1').replace(/\./g, '_0')}`
    contextVariables[safeVarName] = tagValue
-
-    // Replace the template with a variable reference
    resolvedCode = resolvedCode.replace(new RegExp(escapeRegExp(match), 'g'), safeVarName)
  }

@@ -596,44 +537,31 @@ function resolveTagVariables(
 */
 function resolveCodeVariables(
  code: string,
-  params: Record<string, any>,
+  params: Record<string, unknown>,
  envVars: Record<string, string> = {},
-  blockData: Record<string, any> = {},
+  blockData: Record<string, unknown> = {},
  blockNameMapping: Record<string, string> = {},
-  workflowVariables: Record<string, any> = {}
-): { resolvedCode: string; contextVariables: Record<string, any> } {
+  blockOutputSchemas: Record<string, OutputSchema> = {},
+  workflowVariables: Record<string, unknown> = {},
+  language = 'javascript'
+): { resolvedCode: string; contextVariables: Record<string, unknown> } {
  let resolvedCode = code
-  const contextVariables: Record<string, any> = {}
+  const contextVariables: Record<string, unknown> = {}

-  // Resolve workflow variables with <variable.name> syntax first
  resolvedCode = resolveWorkflowVariables(resolvedCode, workflowVariables, contextVariables)
-
-  // Resolve environment variables with {{var_name}} syntax
  resolvedCode = resolveEnvironmentVariables(resolvedCode, params, envVars, contextVariables)
-
-  // Resolve tags with <tag_name> syntax (including nested paths like <block.response.data>)
  resolvedCode = resolveTagVariables(
    resolvedCode,
-    params,
    blockData,
    blockNameMapping,
-    contextVariables
+    blockOutputSchemas,
+    contextVariables,
+    language
  )

  return { resolvedCode, contextVariables }
 }

-/**
- * Get nested value from object using dot notation path
- */
-function getNestedValue(obj: any, path: string): any {
-  if (!obj || !path) return undefined
-
-  return path.split('.').reduce((current, key) => {
-    return current && typeof current === 'object' ? current[key] : undefined
-  }, obj)
-}
-
 /**
 * Remove one trailing newline from stdout
 * This handles the common case where print() or console.log() adds a trailing \n
@@ -654,6 +582,12 @@ export async function POST(req: NextRequest) {
  let resolvedCode = '' // Store resolved code for error reporting

  try {
+    const auth = await checkInternalAuth(req)
+    if (!auth.success || !auth.userId) {
+      logger.warn(`[${requestId}] Unauthorized function execution attempt`)
+      return NextResponse.json({ error: auth.error || 'Unauthorized' }, { status: 401 })
+    }
+
    const body = await req.json()

    const { DEFAULT_EXECUTION_TIMEOUT_MS } = await import('@/lib/execution/constants')
@@ -666,12 +600,12 @@ export async function POST(req: NextRequest) {
      envVars = {},
      blockData = {},
      blockNameMapping = {},
+      blockOutputSchemas = {},
      workflowVariables = {},
      workflowId,
      isCustomTool = false,
    } = body

-    // Extract internal parameters that shouldn't be passed to the execution context
    const executionParams = { ...params }
    executionParams._context = undefined

@@ -683,21 +617,21 @@ export async function POST(req: NextRequest) {
      isCustomTool,
    })

-    // Resolve variables in the code with workflow environment variables
+    const lang = isValidCodeLanguage(language) ? language : DEFAULT_CODE_LANGUAGE
+
    const codeResolution = resolveCodeVariables(
      code,
      executionParams,
      envVars,
      blockData,
      blockNameMapping,
-      workflowVariables
+      blockOutputSchemas,
+      workflowVariables,
+      lang
    )
    resolvedCode = codeResolution.resolvedCode
    const contextVariables = codeResolution.contextVariables

-    const lang = isValidCodeLanguage(language) ? language : DEFAULT_CODE_LANGUAGE
-
-    // Extract imports once for JavaScript code (reuse later to avoid double extraction)
    let jsImports = ''
    let jsRemainingCode = resolvedCode
    let hasImports = false
@@ -707,31 +641,22 @@ export async function POST(req: NextRequest) {
      jsImports = extractionResult.imports
      jsRemainingCode = extractionResult.remainingCode

-      // Check for ES6 imports or CommonJS require statements
-      // ES6 imports are extracted by the TypeScript parser
-      // Also check for require() calls which indicate external dependencies
      const hasRequireStatements = /require\s*\(\s*['"`]/.test(resolvedCode)
      hasImports = jsImports.trim().length > 0 || hasRequireStatements
    }

-    // Python always requires E2B
    if (lang === CodeLanguage.Python && !isE2bEnabled) {
      throw new Error(
        'Python execution requires E2B to be enabled. Please contact your administrator to enable E2B, or use JavaScript instead.'
      )
    }

-    // JavaScript with imports requires E2B
    if (lang === CodeLanguage.JavaScript && hasImports && !isE2bEnabled) {
      throw new Error(
        'JavaScript code with import statements requires E2B to be enabled. Please remove the import statements, or contact your administrator to enable E2B.'
      )
    }

-    // Use E2B if:
-    // - E2B is enabled AND
-    // - Not a custom tool AND
-    // - (Python OR JavaScript with imports)
    const useE2B =
      isE2bEnabled &&
      !isCustomTool &&
@@ -744,13 +669,10 @@ export async function POST(req: NextRequest) {
        language: lang,
      })
      let prologue = ''
-      const epilogue = ''

      if (lang === CodeLanguage.JavaScript) {
-        // Track prologue lines for error adjustment
        let prologueLineCount = 0

-        // Reuse the imports we already extracted earlier
        const imports = jsImports
        const remainingCode = jsRemainingCode

@@ -765,7 +687,11 @@ export async function POST(req: NextRequest) {
        prologue += `const environmentVariables = JSON.parse(${JSON.stringify(JSON.stringify(envVars))});\n`
        prologueLineCount++
        for (const [k, v] of Object.entries(contextVariables)) {
-          prologue += `const ${k} = JSON.parse(${JSON.stringify(JSON.stringify(v))});\n`
+          if (v === undefined) {
+            prologue += `const ${k} = undefined;\n`
+          } else {
+            prologue += `const ${k} = JSON.parse(${JSON.stringify(JSON.stringify(v))});\n`
+          }
          prologueLineCount++
        }

@@ -782,7 +708,7 @@ export async function POST(req: NextRequest) {
          '  }',
          '})();',
        ].join('\n')
-        const codeForE2B = importSection + prologue + wrapped + epilogue
+        const codeForE2B = importSection + prologue + wrapped

        const execStart = Date.now()
        const {
@@ -804,7 +730,6 @@ export async function POST(req: NextRequest) {
          error: e2bError,
        })

-        // If there was an execution error, format it properly
        if (e2bError) {
          const { formattedError, cleanedOutput } = formatE2BError(
            e2bError,
@@ -828,7 +753,7 @@ export async function POST(req: NextRequest) {
          output: { result: e2bResult ?? null, stdout: cleanStdout(stdout), executionTime },
        })
      }
-      // Track prologue lines for error adjustment
+
      let prologueLineCount = 0
      prologue += 'import json\n'
      prologueLineCount++
@@ -837,7 +762,11 @@ export async function POST(req: NextRequest) {
      prologue += `environmentVariables = json.loads(${JSON.stringify(JSON.stringify(envVars))})\n`
      prologueLineCount++
      for (const [k, v] of Object.entries(contextVariables)) {
-        prologue += `${k} = json.loads(${JSON.stringify(JSON.stringify(v))})\n`
+        if (v === undefined) {
+          prologue += `${k} = None\n`
+        } else {
+          prologue += `${k} = json.loads(${JSON.stringify(JSON.stringify(v))})\n`
+        }
        prologueLineCount++
      }
      const wrapped = [
@@ -846,7 +775,7 @@ export async function POST(req: NextRequest) {
        '__sim_result__ = __sim_main__()',
        "print('__SIM_RESULT__=' + json.dumps(__sim_result__))",
      ].join('\n')
-      const codeForE2B = prologue + wrapped + epilogue
+      const codeForE2B = prologue + wrapped

      const execStart = Date.now()
      const {
@@ -868,7 +797,6 @@ export async function POST(req: NextRequest) {
        error: e2bError,
      })

-      // If there was an execution error, format it properly
      if (e2bError) {
        const { formattedError, cleanedOutput } = formatE2BError(
          e2bError,
@@ -897,7 +825,6 @@ export async function POST(req: NextRequest) {

    const wrapperLines = ['(async () => {', '  try {']
    if (isCustomTool) {
-      wrapperLines.push('    // For custom tools, make parameters directly accessible')
      Object.keys(executionParams).forEach((key) => {
        wrapperLines.push(`    const ${key} = params.${key};`)
      })
@@ -931,12 +858,10 @@ export async function POST(req: NextRequest) {
      })

      const ivmError = isolatedResult.error
-      // Adjust line number for prepended param destructuring in custom tools
      let adjustedLine = ivmError.line
      let adjustedLineContent = ivmError.lineContent
      if (prependedLineCount > 0 && ivmError.line !== undefined) {
        adjustedLine = Math.max(1, ivmError.line - prependedLineCount)
-        // Get line content from original user code, not the prepended code
        const codeLines = resolvedCode.split('\n')
        if (adjustedLine <= codeLines.length) {
          adjustedLineContent = codeLines[adjustedLine - 1]?.trim()
--- a/apps/sim/app/api/knowledge/[id]/documents/route.test.ts
+++ b/apps/sim/app/api/knowledge/[id]/documents/route.test.ts
@@ -157,7 +157,7 @@ describe('Knowledge Base Documents API Route', () => {
      expect(vi.mocked(getDocuments)).toHaveBeenCalledWith(
        'kb-123',
        {
-          includeDisabled: false,
+          enabledFilter: undefined,
          search: undefined,
          limit: 50,
          offset: 0,
@@ -166,7 +166,7 @@ describe('Knowledge Base Documents API Route', () => {
      )
    })

-    it('should filter disabled documents by default', async () => {
+    it('should return documents with default filter', async () => {
      const { checkKnowledgeBaseAccess } = await import('@/app/api/knowledge/utils')
      const { getDocuments } = await import('@/lib/knowledge/documents/service')

@@ -194,7 +194,7 @@ describe('Knowledge Base Documents API Route', () => {
      expect(vi.mocked(getDocuments)).toHaveBeenCalledWith(
        'kb-123',
        {
-          includeDisabled: false,
+          enabledFilter: undefined,
          search: undefined,
          limit: 50,
          offset: 0,
@@ -203,7 +203,7 @@ describe('Knowledge Base Documents API Route', () => {
      )
    })

-    it('should include disabled documents when requested', async () => {
+    it('should filter documents by enabled status when requested', async () => {
      const { checkKnowledgeBaseAccess } = await import('@/app/api/knowledge/utils')
      const { getDocuments } = await import('@/lib/knowledge/documents/service')

@@ -223,7 +223,7 @@ describe('Knowledge Base Documents API Route', () => {
        },
      })

-      const url = 'http://localhost:3000/api/knowledge/kb-123/documents?includeDisabled=true'
+      const url = 'http://localhost:3000/api/knowledge/kb-123/documents?enabledFilter=disabled'
      const req = new Request(url, { method: 'GET' }) as any

      const { GET } = await import('@/app/api/knowledge/[id]/documents/route')
@@ -233,7 +233,7 @@ describe('Knowledge Base Documents API Route', () => {
      expect(vi.mocked(getDocuments)).toHaveBeenCalledWith(
        'kb-123',
        {
-          includeDisabled: true,
+          enabledFilter: 'disabled',
          search: undefined,
          limit: 50,
          offset: 0,
@@ -361,8 +361,7 @@ describe('Knowledge Base Documents API Route', () => {
      expect(vi.mocked(createSingleDocument)).toHaveBeenCalledWith(
        validDocumentData,
        'kb-123',
-        expect.any(String),
-        'user-123'
+        expect.any(String)
      )
    })

@@ -470,8 +469,7 @@ describe('Knowledge Base Documents API Route', () => {
      expect(vi.mocked(createDocumentRecords)).toHaveBeenCalledWith(
        validBulkData.documents,
        'kb-123',
-        expect.any(String),
-        'user-123'
+        expect.any(String)
      )
      expect(vi.mocked(processDocumentsWithQueue)).toHaveBeenCalled()
    })
--- a/apps/sim/app/api/knowledge/[id]/documents/route.ts
+++ b/apps/sim/app/api/knowledge/[id]/documents/route.ts
@@ -5,6 +5,7 @@ import { z } from 'zod'
 import { getSession } from '@/lib/auth'
 import {
  bulkDocumentOperation,
+  bulkDocumentOperationByFilter,
  createDocumentRecords,
  createSingleDocument,
  getDocuments,
@@ -57,13 +58,20 @@ const BulkCreateDocumentsSchema = z.object({
  bulk: z.literal(true),
 })

-const BulkUpdateDocumentsSchema = z.object({
-  operation: z.enum(['enable', 'disable', 'delete']),
-  documentIds: z
-    .array(z.string())
-    .min(1, 'At least one document ID is required')
-    .max(100, 'Cannot operate on more than 100 documents at once'),
-})
+const BulkUpdateDocumentsSchema = z
+  .object({
+    operation: z.enum(['enable', 'disable', 'delete']),
+    documentIds: z
+      .array(z.string())
+      .min(1, 'At least one document ID is required')
+      .max(100, 'Cannot operate on more than 100 documents at once')
+      .optional(),
+    selectAll: z.boolean().optional(),
+    enabledFilter: z.enum(['all', 'enabled', 'disabled']).optional(),
+  })
+  .refine((data) => data.selectAll || (data.documentIds && data.documentIds.length > 0), {
+    message: 'Either selectAll must be true or documentIds must be provided',
+  })

 export async function GET(req: NextRequest, { params }: { params: Promise<{ id: string }> }) {
  const requestId = randomUUID().slice(0, 8)
@@ -90,14 +98,17 @@ export async function GET(req: NextRequest, { params }: { params: Promise<{ id:
    }

    const url = new URL(req.url)
-    const includeDisabled = url.searchParams.get('includeDisabled') === 'true'
+    const enabledFilter = url.searchParams.get('enabledFilter') as
+      | 'all'
+      | 'enabled'
+      | 'disabled'
+      | null
    const search = url.searchParams.get('search') || undefined
    const limit = Number.parseInt(url.searchParams.get('limit') || '50')
    const offset = Number.parseInt(url.searchParams.get('offset') || '0')
    const sortByParam = url.searchParams.get('sortBy')
    const sortOrderParam = url.searchParams.get('sortOrder')

-    // Validate sort parameters
    const validSortFields: DocumentSortField[] = [
      'filename',
      'fileSize',
@@ -105,6 +116,7 @@ export async function GET(req: NextRequest, { params }: { params: Promise<{ id:
      'chunkCount',
      'uploadedAt',
      'processingStatus',
+      'enabled',
    ]
    const validSortOrders: SortOrder[] = ['asc', 'desc']

@@ -120,7 +132,7 @@ export async function GET(req: NextRequest, { params }: { params: Promise<{ id:
    const result = await getDocuments(
      knowledgeBaseId,
      {
-        includeDisabled,
+        enabledFilter: enabledFilter || undefined,
        search,
        limit,
        offset,
@@ -190,8 +202,7 @@ export async function POST(req: NextRequest, { params }: { params: Promise<{ id:
        const createdDocuments = await createDocumentRecords(
          validatedData.documents,
          knowledgeBaseId,
-          requestId,
-          userId
+          requestId
        )

        logger.info(
@@ -250,16 +261,10 @@ export async function POST(req: NextRequest, { params }: { params: Promise<{ id:
        throw validationError
      }
    } else {
-      // Handle single document creation
      try {
        const validatedData = CreateDocumentSchema.parse(body)

-        const newDocument = await createSingleDocument(
-          validatedData,
-          knowledgeBaseId,
-          requestId,
-          userId
-        )
+        const newDocument = await createSingleDocument(validatedData, knowledgeBaseId, requestId)

        try {
          const { PlatformEvents } = await import('@/lib/core/telemetry')
@@ -294,7 +299,6 @@ export async function POST(req: NextRequest, { params }: { params: Promise<{ id:
  } catch (error) {
    logger.error(`[${requestId}] Error creating document`, error)

-    // Check if it's a storage limit error
    const errorMessage = error instanceof Error ? error.message : 'Failed to create document'
    const isStorageLimitError =
      errorMessage.includes('Storage limit exceeded') || errorMessage.includes('storage limit')
@@ -331,16 +335,22 @@ export async function PATCH(req: NextRequest, { params }: { params: Promise<{ id

    try {
      const validatedData = BulkUpdateDocumentsSchema.parse(body)
-      const { operation, documentIds } = validatedData
+      const { operation, documentIds, selectAll, enabledFilter } = validatedData

      try {
-        const result = await bulkDocumentOperation(
-          knowledgeBaseId,
-          operation,
-          documentIds,
-          requestId,
-          session.user.id
-        )
+        let result
+        if (selectAll) {
+          result = await bulkDocumentOperationByFilter(
+            knowledgeBaseId,
+            operation,
+            enabledFilter,
+            requestId
+          )
+        } else if (documentIds && documentIds.length > 0) {
+          result = await bulkDocumentOperation(knowledgeBaseId, operation, documentIds, requestId)
+        } else {
+          return NextResponse.json({ error: 'No documents specified' }, { status: 400 })
+        }

        return NextResponse.json({
          success: true,
--- a/apps/sim/app/api/mcp/servers/test-connection/route.ts
+++ b/apps/sim/app/api/mcp/servers/test-connection/route.ts
@@ -1,11 +1,10 @@
 import { createLogger } from '@sim/logger'
 import type { NextRequest } from 'next/server'
-import { getEffectiveDecryptedEnv } from '@/lib/environment/utils'
 import { McpClient } from '@/lib/mcp/client'
 import { getParsedBody, withMcpAuth } from '@/lib/mcp/middleware'
-import type { McpServerConfig, McpTransport } from '@/lib/mcp/types'
+import { resolveMcpConfigEnvVars } from '@/lib/mcp/resolve-config'
+import type { McpTransport } from '@/lib/mcp/types'
 import { createMcpErrorResponse, createMcpSuccessResponse } from '@/lib/mcp/utils'
-import { resolveEnvVarReferences } from '@/executor/utils/reference-validation'

 const logger = createLogger('McpServerTestAPI')

@@ -19,30 +18,6 @@ function isUrlBasedTransport(transport: McpTransport): boolean {
  return transport === 'streamable-http'
 }

-/**
- * Resolve environment variables in strings
- */
-function resolveEnvVars(value: string, envVars: Record<string, string>): string {
-  const missingVars: string[] = []
-  const resolvedValue = resolveEnvVarReferences(value, envVars, {
-    allowEmbedded: true,
-    resolveExactMatch: true,
-    trimKeys: true,
-    onMissing: 'keep',
-    deep: false,
-    missingKeys: missingVars,
-  }) as string
-
-  if (missingVars.length > 0) {
-    const uniqueMissing = Array.from(new Set(missingVars))
-    uniqueMissing.forEach((envKey) => {
-      logger.warn(`Environment variable "${envKey}" not found in MCP server test`)
-    })
-  }
-
-  return resolvedValue
-}
-
 interface TestConnectionRequest {
  name: string
  transport: McpTransport
@@ -96,39 +71,30 @@ export const POST = withMcpAuth('write')(
        )
      }

-      let resolvedUrl = body.url
-      let resolvedHeaders = body.headers || {}
-
-      try {
-        const envVars = await getEffectiveDecryptedEnv(userId, workspaceId)
-
-        if (resolvedUrl) {
-          resolvedUrl = resolveEnvVars(resolvedUrl, envVars)
-        }
-
-        const resolvedHeadersObj: Record<string, string> = {}
-        for (const [key, value] of Object.entries(resolvedHeaders)) {
-          resolvedHeadersObj[key] = resolveEnvVars(value, envVars)
-        }
-        resolvedHeaders = resolvedHeadersObj
-      } catch (envError) {
-        logger.warn(
-          `[${requestId}] Failed to resolve environment variables, using raw values:`,
-          envError
-        )
-      }
-
-      const testConfig: McpServerConfig = {
+      // Build initial config for resolution
+      const initialConfig = {
        id: `test-${requestId}`,
        name: body.name,
        transport: body.transport,
-        url: resolvedUrl,
-        headers: resolvedHeaders,
+        url: body.url,
+        headers: body.headers || {},
        timeout: body.timeout || 10000,
        retries: 1, // Only one retry for tests
        enabled: true,
      }

+      // Resolve env vars using shared utility (non-strict mode for testing)
+      const { config: testConfig, missingVars } = await resolveMcpConfigEnvVars(
+        initialConfig,
+        userId,
+        workspaceId,
+        { strict: false }
+      )
+
+      if (missingVars.length > 0) {
+        logger.warn(`[${requestId}] Some environment variables not found:`, { missingVars })
+      }
+
      const testSecurityPolicy = {
        requireConsent: false,
        auditLevel: 'none' as const,
--- a/apps/sim/app/api/providers/route.ts
+++ b/apps/sim/app/api/providers/route.ts
@@ -3,7 +3,9 @@ import { account } from '@sim/db/schema'
 import { createLogger } from '@sim/logger'
 import { eq } from 'drizzle-orm'
 import { type NextRequest, NextResponse } from 'next/server'
+import { checkInternalAuth } from '@/lib/auth/hybrid'
 import { generateRequestId } from '@/lib/core/utils/request'
+import { checkWorkspaceAccess } from '@/lib/workspaces/permissions/utils'
 import { refreshTokenIfNeeded } from '@/app/api/auth/oauth/utils'
 import type { StreamingExecution } from '@/executor/types'
 import { executeProviderRequest } from '@/providers'
@@ -20,6 +22,11 @@ export async function POST(request: NextRequest) {
  const startTime = Date.now()

  try {
+    const auth = await checkInternalAuth(request, { requireWorkflowId: false })
+    if (!auth.success || !auth.userId) {
+      return NextResponse.json({ error: 'Unauthorized' }, { status: 401 })
+    }
+
    logger.info(`[${requestId}] Provider API request started`, {
      timestamp: new Date().toISOString(),
      userAgent: request.headers.get('User-Agent'),
@@ -85,6 +92,13 @@ export async function POST(request: NextRequest) {
      verbosity,
    })

+    if (workspaceId) {
+      const workspaceAccess = await checkWorkspaceAccess(workspaceId, auth.userId)
+      if (!workspaceAccess.hasAccess) {
+        return NextResponse.json({ error: 'Forbidden' }, { status: 403 })
+      }
+    }
+
    let finalApiKey: string | undefined = apiKey
    try {
      if (provider === 'vertex' && vertexCredential) {
--- a/apps/sim/app/api/proxy/route.ts
+++ b/apps/sim/app/api/proxy/route.ts
@@ -1,395 +0,0 @@
-import { createLogger } from '@sim/logger'
-import type { NextRequest } from 'next/server'
-import { NextResponse } from 'next/server'
-import { z } from 'zod'
-import { checkHybridAuth } from '@/lib/auth/hybrid'
-import { generateInternalToken } from '@/lib/auth/internal'
-import { isDev } from '@/lib/core/config/feature-flags'
-import { createPinnedUrl, validateUrlWithDNS } from '@/lib/core/security/input-validation'
-import { generateRequestId } from '@/lib/core/utils/request'
-import { getBaseUrl } from '@/lib/core/utils/urls'
-import { executeTool } from '@/tools'
-import { getTool, validateRequiredParametersAfterMerge } from '@/tools/utils'
-
-const logger = createLogger('ProxyAPI')
-
-const proxyPostSchema = z.object({
-  toolId: z.string().min(1, 'toolId is required'),
-  params: z.record(z.any()).optional().default({}),
-  executionContext: z
-    .object({
-      workflowId: z.string().optional(),
-      workspaceId: z.string().optional(),
-      executionId: z.string().optional(),
-      userId: z.string().optional(),
-    })
-    .optional(),
-})
-
-/**
- * Creates a minimal set of default headers for proxy requests
- * @returns Record of HTTP headers
- */
-const getProxyHeaders = (): Record<string, string> => {
-  return {
-    'User-Agent':
-      'Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/135.0.0.0 Safari/537.36',
-    Accept: '*/*',
-    'Accept-Encoding': 'gzip, deflate, br',
-    'Cache-Control': 'no-cache',
-    Connection: 'keep-alive',
-  }
-}
-
-/**
- * Formats a response with CORS headers
- * @param responseData Response data object
- * @param status HTTP status code
- * @returns NextResponse with CORS headers
- */
-const formatResponse = (responseData: any, status = 200) => {
-  return NextResponse.json(responseData, {
-    status,
-    headers: {
-      'Access-Control-Allow-Origin': '*',
-      'Access-Control-Allow-Methods': 'GET, POST, PUT, DELETE, OPTIONS',
-      'Access-Control-Allow-Headers': 'Content-Type, Authorization',
-    },
-  })
-}
-
-/**
- * Creates an error response with consistent formatting
- * @param error Error object or message
- * @param status HTTP status code
- * @param additionalData Additional data to include in the response
- * @returns Formatted error response
- */
-const createErrorResponse = (error: any, status = 500, additionalData = {}) => {
-  const errorMessage = error instanceof Error ? error.message : String(error)
-  const errorStack = error instanceof Error ? error.stack : undefined
-
-  logger.error('Creating error response', {
-    errorMessage,
-    status,
-    stack: isDev ? errorStack : undefined,
-  })
-
-  return formatResponse(
-    {
-      success: false,
-      error: errorMessage,
-      stack: isDev ? errorStack : undefined,
-      ...additionalData,
-    },
-    status
-  )
-}
-
-/**
- * GET handler for direct external URL proxying
- * This allows for GET requests to external APIs
- */
-export async function GET(request: Request) {
-  const url = new URL(request.url)
-  const targetUrl = url.searchParams.get('url')
-  const requestId = generateRequestId()
-
-  // Vault download proxy: /api/proxy?vaultDownload=1&bucket=...&object=...&credentialId=...
-  const vaultDownload = url.searchParams.get('vaultDownload')
-  if (vaultDownload === '1') {
-    try {
-      const bucket = url.searchParams.get('bucket')
-      const objectParam = url.searchParams.get('object')
-      const credentialId = url.searchParams.get('credentialId')
-
-      if (!bucket || !objectParam || !credentialId) {
-        return createErrorResponse('Missing bucket, object, or credentialId', 400)
-      }
-
-      // Fetch access token using existing token API
-      const baseUrl = new URL(getBaseUrl())
-      const tokenUrl = new URL('/api/auth/oauth/token', baseUrl)
-
-      // Build headers: forward session cookies if present; include internal auth for server-side
-      const tokenHeaders: Record<string, string> = { 'Content-Type': 'application/json' }
-      const incomingCookie = request.headers.get('cookie')
-      if (incomingCookie) tokenHeaders.Cookie = incomingCookie
-      try {
-        const internalToken = await generateInternalToken()
-        tokenHeaders.Authorization = `Bearer ${internalToken}`
-      } catch (_e) {
-        // best-effort internal auth
-      }
-
-      // Optional workflow context for collaboration auth
-      const workflowId = url.searchParams.get('workflowId') || undefined
-
-      const tokenRes = await fetch(tokenUrl.toString(), {
-        method: 'POST',
-        headers: tokenHeaders,
-        body: JSON.stringify({ credentialId, workflowId }),
-      })
-
-      if (!tokenRes.ok) {
-        const err = await tokenRes.text()
-        return createErrorResponse(`Failed to fetch access token: ${err}`, 401)
-      }
-
-      const tokenJson = await tokenRes.json()
-      const accessToken = tokenJson.accessToken
-      if (!accessToken) {
-        return createErrorResponse('No access token available', 401)
-      }
-
-      // Avoid double-encoding: incoming object may already be percent-encoded
-      const objectDecoded = decodeURIComponent(objectParam)
-      const gcsUrl = `https://storage.googleapis.com/storage/v1/b/${encodeURIComponent(
-        bucket
-      )}/o/${encodeURIComponent(objectDecoded)}?alt=media`
-
-      const fileRes = await fetch(gcsUrl, {
-        headers: { Authorization: `Bearer ${accessToken}` },
-      })
-
-      if (!fileRes.ok) {
-        const errText = await fileRes.text()
-        return createErrorResponse(errText || 'Failed to download file', fileRes.status)
-      }
-
-      const headers = new Headers()
-      fileRes.headers.forEach((v, k) => headers.set(k, v))
-      return new NextResponse(fileRes.body, { status: 200, headers })
-    } catch (error: any) {
-      logger.error(`[${requestId}] Vault download proxy failed`, {
-        error: error instanceof Error ? error.message : String(error),
-      })
-      return createErrorResponse('Vault download failed', 500)
-    }
-  }
-
-  if (!targetUrl) {
-    logger.error(`[${requestId}] Missing 'url' parameter`)
-    return createErrorResponse("Missing 'url' parameter", 400)
-  }
-
-  const urlValidation = await validateUrlWithDNS(targetUrl)
-  if (!urlValidation.isValid) {
-    logger.warn(`[${requestId}] Blocked proxy request`, {
-      url: targetUrl.substring(0, 100),
-      error: urlValidation.error,
-    })
-    return createErrorResponse(urlValidation.error || 'Invalid URL', 403)
-  }
-
-  const method = url.searchParams.get('method') || 'GET'
-
-  const bodyParam = url.searchParams.get('body')
-  let body: string | undefined
-
-  if (bodyParam && ['POST', 'PUT', 'PATCH'].includes(method.toUpperCase())) {
-    try {
-      body = decodeURIComponent(bodyParam)
-    } catch (error) {
-      logger.warn(`[${requestId}] Failed to decode body parameter`, error)
-    }
-  }
-
-  const customHeaders: Record<string, string> = {}
-
-  for (const [key, value] of url.searchParams.entries()) {
-    if (key.startsWith('header.')) {
-      const headerName = key.substring(7)
-      customHeaders[headerName] = value
-    }
-  }
-
-  if (body && !customHeaders['Content-Type']) {
-    customHeaders['Content-Type'] = 'application/json'
-  }
-
-  logger.info(`[${requestId}] Proxying ${method} request to: ${targetUrl}`)
-
-  try {
-    const pinnedUrl = createPinnedUrl(targetUrl, urlValidation.resolvedIP!)
-    const response = await fetch(pinnedUrl, {
-      method: method,
-      headers: {
-        ...getProxyHeaders(),
-        ...customHeaders,
-        Host: urlValidation.originalHostname!,
-      },
-      body: body || undefined,
-    })
-
-    const contentType = response.headers.get('content-type') || ''
-    let data
-
-    if (contentType.includes('application/json')) {
-      data = await response.json()
-    } else {
-      data = await response.text()
-    }
-
-    const errorMessage = !response.ok
-      ? data && typeof data === 'object' && data.error
-        ? `${data.error.message || JSON.stringify(data.error)}`
-        : response.statusText || `HTTP error ${response.status}`
-      : undefined
-
-    if (!response.ok) {
-      logger.error(`[${requestId}] External API error: ${response.status} ${response.statusText}`)
-    }
-
-    return formatResponse({
-      success: response.ok,
-      status: response.status,
-      statusText: response.statusText,
-      headers: Object.fromEntries(response.headers.entries()),
-      data,
-      error: errorMessage,
-    })
-  } catch (error: any) {
-    logger.error(`[${requestId}] Proxy GET request failed`, {
-      url: targetUrl,
-      error: error instanceof Error ? error.message : String(error),
-      stack: error instanceof Error ? error.stack : undefined,
-    })
-
-    return createErrorResponse(error)
-  }
-}
-
-export async function POST(request: NextRequest) {
-  const requestId = generateRequestId()
-  const startTime = new Date()
-  const startTimeISO = startTime.toISOString()
-
-  try {
-    const authResult = await checkHybridAuth(request, { requireWorkflowId: false })
-    if (!authResult.success) {
-      logger.error(`[${requestId}] Authentication failed for proxy:`, authResult.error)
-      return createErrorResponse('Unauthorized', 401)
-    }
-
-    let requestBody
-    try {
-      requestBody = await request.json()
-    } catch (parseError) {
-      logger.error(`[${requestId}] Failed to parse request body`, {
-        error: parseError instanceof Error ? parseError.message : String(parseError),
-      })
-      throw new Error('Invalid JSON in request body')
-    }
-
-    const validationResult = proxyPostSchema.safeParse(requestBody)
-    if (!validationResult.success) {
-      logger.error(`[${requestId}] Request validation failed`, {
-        errors: validationResult.error.errors,
-      })
-      const errorMessages = validationResult.error.errors
-        .map((err) => `${err.path.join('.')}: ${err.message}`)
-        .join(', ')
-      throw new Error(`Validation failed: ${errorMessages}`)
-    }
-
-    const { toolId, params } = validationResult.data
-
-    logger.info(`[${requestId}] Processing tool: ${toolId}`)
-
-    const tool = getTool(toolId)
-
-    if (!tool) {
-      logger.error(`[${requestId}] Tool not found: ${toolId}`)
-      throw new Error(`Tool not found: ${toolId}`)
-    }
-
-    try {
-      validateRequiredParametersAfterMerge(toolId, tool, params)
-    } catch (validationError) {
-      logger.warn(`[${requestId}] Tool validation failed for ${toolId}`, {
-        error: validationError instanceof Error ? validationError.message : String(validationError),
-      })
-
-      const endTime = new Date()
-      const endTimeISO = endTime.toISOString()
-      const duration = endTime.getTime() - startTime.getTime()
-
-      return createErrorResponse(validationError, 400, {
-        startTime: startTimeISO,
-        endTime: endTimeISO,
-        duration,
-      })
-    }
-
-    const hasFileOutputs =
-      tool.outputs &&
-      Object.values(tool.outputs).some(
-        (output) => output.type === 'file' || output.type === 'file[]'
-      )
-
-    const result = await executeTool(
-      toolId,
-      params,
-      true, // skipProxy (we're already in the proxy)
-      !hasFileOutputs, // skipPostProcess (don't skip if tool has file outputs)
-      undefined // execution context is not available in proxy context
-    )
-
-    if (!result.success) {
-      logger.warn(`[${requestId}] Tool execution failed for ${toolId}`, {
-        error: result.error || 'Unknown error',
-      })
-
-      throw new Error(result.error || 'Tool execution failed')
-    }
-
-    const endTime = new Date()
-    const endTimeISO = endTime.toISOString()
-    const duration = endTime.getTime() - startTime.getTime()
-
-    const responseWithTimingData = {
-      ...result,
-      startTime: startTimeISO,
-      endTime: endTimeISO,
-      duration,
-      timing: {
-        startTime: startTimeISO,
-        endTime: endTimeISO,
-        duration,
-      },
-    }
-
-    logger.info(`[${requestId}] Tool executed successfully: ${toolId} (${duration}ms)`)
-
-    return formatResponse(responseWithTimingData)
-  } catch (error: any) {
-    logger.error(`[${requestId}] Proxy request failed`, {
-      error: error instanceof Error ? error.message : String(error),
-      stack: error instanceof Error ? error.stack : undefined,
-      name: error instanceof Error ? error.name : undefined,
-    })
-
-    const endTime = new Date()
-    const endTimeISO = endTime.toISOString()
-    const duration = endTime.getTime() - startTime.getTime()
-
-    return createErrorResponse(error, 500, {
-      startTime: startTimeISO,
-      endTime: endTimeISO,
-      duration,
-    })
-  }
-}
-
-export async function OPTIONS() {
-  return new NextResponse(null, {
-    status: 204,
-    headers: {
-      'Access-Control-Allow-Origin': '*',
-      'Access-Control-Allow-Methods': 'GET, POST, PUT, DELETE, OPTIONS',
-      'Access-Control-Allow-Headers': 'Content-Type, Authorization',
-      'Access-Control-Max-Age': '86400',
-    },
-  })
-}
--- a/apps/sim/app/api/tools/a2a/set-push-notification/route.ts
+++ b/apps/sim/app/api/tools/a2a/set-push-notification/route.ts
@@ -3,6 +3,7 @@ import { type NextRequest, NextResponse } from 'next/server'
 import { z } from 'zod'
 import { createA2AClient } from '@/lib/a2a/utils'
 import { checkHybridAuth } from '@/lib/auth/hybrid'
+import { validateExternalUrl } from '@/lib/core/security/input-validation'
 import { generateRequestId } from '@/lib/core/utils/request'

 export const dynamic = 'force-dynamic'
@@ -39,6 +40,18 @@ export async function POST(request: NextRequest) {
    const body = await request.json()
    const validatedData = A2ASetPushNotificationSchema.parse(body)

+    const urlValidation = validateExternalUrl(validatedData.webhookUrl, 'Webhook URL')
+    if (!urlValidation.isValid) {
+      logger.warn(`[${requestId}] Invalid webhook URL`, { error: urlValidation.error })
+      return NextResponse.json(
+        {
+          success: false,
+          error: urlValidation.error,
+        },
+        { status: 400 }
+      )
+    }
+
    logger.info(`[${requestId}] A2A set push notification request`, {
      agentUrl: validatedData.agentUrl,
      taskId: validatedData.taskId,
--- a/apps/sim/app/api/tools/custom/route.test.ts
+++ b/apps/sim/app/api/tools/custom/route.test.ts
@@ -181,7 +181,7 @@ describe('Custom Tools API Routes', () => {
    }))

    vi.doMock('@/lib/auth/hybrid', () => ({
-      checkHybridAuth: vi.fn().mockResolvedValue({
+      checkSessionOrInternalAuth: vi.fn().mockResolvedValue({
        success: true,
        userId: 'user-123',
        authType: 'session',
@@ -254,7 +254,7 @@ describe('Custom Tools API Routes', () => {
      )

      vi.doMock('@/lib/auth/hybrid', () => ({
-        checkHybridAuth: vi.fn().mockResolvedValue({
+        checkSessionOrInternalAuth: vi.fn().mockResolvedValue({
          success: false,
          error: 'Unauthorized',
        }),
@@ -304,7 +304,7 @@ describe('Custom Tools API Routes', () => {
  describe('POST /api/tools/custom', () => {
    it('should reject unauthorized requests', async () => {
      vi.doMock('@/lib/auth/hybrid', () => ({
-        checkHybridAuth: vi.fn().mockResolvedValue({
+        checkSessionOrInternalAuth: vi.fn().mockResolvedValue({
          success: false,
          error: 'Unauthorized',
        }),
@@ -390,7 +390,7 @@ describe('Custom Tools API Routes', () => {

    it('should prevent unauthorized deletion of user-scoped tool', async () => {
      vi.doMock('@/lib/auth/hybrid', () => ({
-        checkHybridAuth: vi.fn().mockResolvedValue({
+        checkSessionOrInternalAuth: vi.fn().mockResolvedValue({
          success: true,
          userId: 'user-456',
          authType: 'session',
@@ -413,7 +413,7 @@ describe('Custom Tools API Routes', () => {

    it('should reject unauthorized requests', async () => {
      vi.doMock('@/lib/auth/hybrid', () => ({
-        checkHybridAuth: vi.fn().mockResolvedValue({
+        checkSessionOrInternalAuth: vi.fn().mockResolvedValue({
          success: false,
          error: 'Unauthorized',
        }),
--- a/apps/sim/app/api/tools/custom/route.ts
+++ b/apps/sim/app/api/tools/custom/route.ts
@@ -4,7 +4,7 @@ import { createLogger } from '@sim/logger'
 import { and, desc, eq, isNull, or } from 'drizzle-orm'
 import { type NextRequest, NextResponse } from 'next/server'
 import { z } from 'zod'
-import { checkHybridAuth } from '@/lib/auth/hybrid'
+import { checkSessionOrInternalAuth } from '@/lib/auth/hybrid'
 import { generateRequestId } from '@/lib/core/utils/request'
 import { upsertCustomTools } from '@/lib/workflows/custom-tools/operations'
 import { getUserEntityPermissions } from '@/lib/workspaces/permissions/utils'
@@ -42,8 +42,8 @@ export async function GET(request: NextRequest) {
  const workflowId = searchParams.get('workflowId')

  try {
-    // Use hybrid auth to support session, API key, and internal JWT
-    const authResult = await checkHybridAuth(request, { requireWorkflowId: false })
+    // Use session/internal auth to support session and internal JWT (no API key access)
+    const authResult = await checkSessionOrInternalAuth(request, { requireWorkflowId: false })
    if (!authResult.success || !authResult.userId) {
      logger.warn(`[${requestId}] Unauthorized custom tools access attempt`)
      return NextResponse.json({ error: 'Unauthorized' }, { status: 401 })
@@ -69,8 +69,8 @@ export async function GET(request: NextRequest) {
    }

    // Check workspace permissions
-    // For internal JWT with workflowId: checkHybridAuth already resolved userId from workflow owner
-    // For session/API key: verify user has access to the workspace
+    // For internal JWT with workflowId: checkSessionOrInternalAuth already resolved userId from workflow owner
+    // For session: verify user has access to the workspace
    // For legacy (no workspaceId): skip workspace check, rely on userId match
    if (resolvedWorkspaceId && !(authResult.authType === 'internal_jwt' && workflowId)) {
      const userPermission = await getUserEntityPermissions(
@@ -116,8 +116,8 @@ export async function POST(req: NextRequest) {
  const requestId = generateRequestId()

  try {
-    // Use hybrid auth (though this endpoint is only called from UI)
-    const authResult = await checkHybridAuth(req, { requireWorkflowId: false })
+    // Use session/internal auth (no API key access)
+    const authResult = await checkSessionOrInternalAuth(req, { requireWorkflowId: false })
    if (!authResult.success || !authResult.userId) {
      logger.warn(`[${requestId}] Unauthorized custom tools update attempt`)
      return NextResponse.json({ error: 'Unauthorized' }, { status: 401 })
@@ -193,8 +193,8 @@ export async function DELETE(request: NextRequest) {
  }

  try {
-    // Use hybrid auth (though this endpoint is only called from UI)
-    const authResult = await checkHybridAuth(request, { requireWorkflowId: false })
+    // Use session/internal auth (no API key access)
+    const authResult = await checkSessionOrInternalAuth(request, { requireWorkflowId: false })
    if (!authResult.success || !authResult.userId) {
      logger.warn(`[${requestId}] Unauthorized custom tool deletion attempt`)
      return NextResponse.json({ error: 'Unauthorized' }, { status: 401 })
--- a/apps/sim/app/api/tools/discord/send-message/route.ts
+++ b/apps/sim/app/api/tools/discord/send-message/route.ts
@@ -1,7 +1,7 @@
 import { createLogger } from '@sim/logger'
 import { type NextRequest, NextResponse } from 'next/server'
 import { z } from 'zod'
-import { checkHybridAuth } from '@/lib/auth/hybrid'
+import { checkInternalAuth } from '@/lib/auth/hybrid'
 import { validateNumericId } from '@/lib/core/security/input-validation'
 import { generateRequestId } from '@/lib/core/utils/request'
 import { processFilesToUserFiles } from '@/lib/uploads/utils/file-utils'
@@ -22,7 +22,7 @@ export async function POST(request: NextRequest) {
  const requestId = generateRequestId()

  try {
-    const authResult = await checkHybridAuth(request, { requireWorkflowId: false })
+    const authResult = await checkInternalAuth(request, { requireWorkflowId: false })

    if (!authResult.success) {
      logger.warn(`[${requestId}] Unauthorized Discord send attempt: ${authResult.error}`)
--- a/apps/sim/app/api/tools/gmail/add-label/route.ts
+++ b/apps/sim/app/api/tools/gmail/add-label/route.ts
@@ -1,7 +1,7 @@
 import { createLogger } from '@sim/logger'
 import { type NextRequest, NextResponse } from 'next/server'
 import { z } from 'zod'
-import { checkHybridAuth } from '@/lib/auth/hybrid'
+import { checkInternalAuth } from '@/lib/auth/hybrid'
 import { validateAlphanumericId } from '@/lib/core/security/input-validation'
 import { generateRequestId } from '@/lib/core/utils/request'

@@ -21,7 +21,7 @@ export async function POST(request: NextRequest) {
  const requestId = generateRequestId()

  try {
-    const authResult = await checkHybridAuth(request, { requireWorkflowId: false })
+    const authResult = await checkInternalAuth(request, { requireWorkflowId: false })

    if (!authResult.success) {
      logger.warn(`[${requestId}] Unauthorized Gmail add label attempt: ${authResult.error}`)
--- a/apps/sim/app/api/tools/gmail/archive/route.ts
+++ b/apps/sim/app/api/tools/gmail/archive/route.ts
@@ -1,7 +1,7 @@
 import { createLogger } from '@sim/logger'
 import { type NextRequest, NextResponse } from 'next/server'
 import { z } from 'zod'
-import { checkHybridAuth } from '@/lib/auth/hybrid'
+import { checkInternalAuth } from '@/lib/auth/hybrid'
 import { generateRequestId } from '@/lib/core/utils/request'

 export const dynamic = 'force-dynamic'
@@ -19,7 +19,7 @@ export async function POST(request: NextRequest) {
  const requestId = generateRequestId()

  try {
-    const authResult = await checkHybridAuth(request, { requireWorkflowId: false })
+    const authResult = await checkInternalAuth(request, { requireWorkflowId: false })

    if (!authResult.success) {
      logger.warn(`[${requestId}] Unauthorized Gmail archive attempt: ${authResult.error}`)
--- a/apps/sim/app/api/tools/gmail/delete/route.ts
+++ b/apps/sim/app/api/tools/gmail/delete/route.ts
@@ -1,7 +1,7 @@
 import { createLogger } from '@sim/logger'
 import { type NextRequest, NextResponse } from 'next/server'
 import { z } from 'zod'
-import { checkHybridAuth } from '@/lib/auth/hybrid'
+import { checkInternalAuth } from '@/lib/auth/hybrid'
 import { generateRequestId } from '@/lib/core/utils/request'

 export const dynamic = 'force-dynamic'
@@ -19,7 +19,7 @@ export async function POST(request: NextRequest) {
  const requestId = generateRequestId()

  try {
-    const authResult = await checkHybridAuth(request, { requireWorkflowId: false })
+    const authResult = await checkInternalAuth(request, { requireWorkflowId: false })

    if (!authResult.success) {
      logger.warn(`[${requestId}] Unauthorized Gmail delete attempt: ${authResult.error}`)
--- a/apps/sim/app/api/tools/gmail/draft/route.ts
+++ b/apps/sim/app/api/tools/gmail/draft/route.ts
@@ -1,7 +1,7 @@
 import { createLogger } from '@sim/logger'
 import { type NextRequest, NextResponse } from 'next/server'
 import { z } from 'zod'
-import { checkHybridAuth } from '@/lib/auth/hybrid'
+import { checkInternalAuth } from '@/lib/auth/hybrid'
 import { generateRequestId } from '@/lib/core/utils/request'
 import { processFilesToUserFiles } from '@/lib/uploads/utils/file-utils'
 import { downloadFileFromStorage } from '@/lib/uploads/utils/file-utils.server'
@@ -35,7 +35,7 @@ export async function POST(request: NextRequest) {
  const requestId = generateRequestId()

  try {
-    const authResult = await checkHybridAuth(request, { requireWorkflowId: false })
+    const authResult = await checkInternalAuth(request, { requireWorkflowId: false })

    if (!authResult.success) {
      logger.warn(`[${requestId}] Unauthorized Gmail draft attempt: ${authResult.error}`)
--- a/apps/sim/app/api/tools/gmail/mark-read/route.ts
+++ b/apps/sim/app/api/tools/gmail/mark-read/route.ts
@@ -1,7 +1,7 @@
 import { createLogger } from '@sim/logger'
 import { type NextRequest, NextResponse } from 'next/server'
 import { z } from 'zod'
-import { checkHybridAuth } from '@/lib/auth/hybrid'
+import { checkInternalAuth } from '@/lib/auth/hybrid'
 import { generateRequestId } from '@/lib/core/utils/request'

 export const dynamic = 'force-dynamic'
@@ -19,7 +19,7 @@ export async function POST(request: NextRequest) {
  const requestId = generateRequestId()

  try {
-    const authResult = await checkHybridAuth(request, { requireWorkflowId: false })
+    const authResult = await checkInternalAuth(request, { requireWorkflowId: false })

    if (!authResult.success) {
      logger.warn(`[${requestId}] Unauthorized Gmail mark read attempt: ${authResult.error}`)
--- a/apps/sim/app/api/tools/gmail/mark-unread/route.ts
+++ b/apps/sim/app/api/tools/gmail/mark-unread/route.ts
@@ -1,7 +1,7 @@
 import { createLogger } from '@sim/logger'
 import { type NextRequest, NextResponse } from 'next/server'
 import { z } from 'zod'
-import { checkHybridAuth } from '@/lib/auth/hybrid'
+import { checkInternalAuth } from '@/lib/auth/hybrid'
 import { generateRequestId } from '@/lib/core/utils/request'

 export const dynamic = 'force-dynamic'
@@ -19,7 +19,7 @@ export async function POST(request: NextRequest) {
  const requestId = generateRequestId()

  try {
-    const authResult = await checkHybridAuth(request, { requireWorkflowId: false })
+    const authResult = await checkInternalAuth(request, { requireWorkflowId: false })

    if (!authResult.success) {
      logger.warn(`[${requestId}] Unauthorized Gmail mark unread attempt: ${authResult.error}`)
--- a/apps/sim/app/api/tools/gmail/move/route.ts
+++ b/apps/sim/app/api/tools/gmail/move/route.ts
@@ -1,7 +1,7 @@
 import { createLogger } from '@sim/logger'
 import { type NextRequest, NextResponse } from 'next/server'
 import { z } from 'zod'
-import { checkHybridAuth } from '@/lib/auth/hybrid'
+import { checkInternalAuth } from '@/lib/auth/hybrid'
 import { generateRequestId } from '@/lib/core/utils/request'

 export const dynamic = 'force-dynamic'
@@ -21,7 +21,7 @@ export async function POST(request: NextRequest) {
  const requestId = generateRequestId()

  try {
-    const authResult = await checkHybridAuth(request, { requireWorkflowId: false })
+    const authResult = await checkInternalAuth(request, { requireWorkflowId: false })

    if (!authResult.success) {
      logger.warn(`[${requestId}] Unauthorized Gmail move attempt: ${authResult.error}`)
--- a/apps/sim/app/api/tools/gmail/remove-label/route.ts
+++ b/apps/sim/app/api/tools/gmail/remove-label/route.ts
@@ -1,7 +1,7 @@
 import { createLogger } from '@sim/logger'
 import { type NextRequest, NextResponse } from 'next/server'
 import { z } from 'zod'
-import { checkHybridAuth } from '@/lib/auth/hybrid'
+import { checkInternalAuth } from '@/lib/auth/hybrid'
 import { validateAlphanumericId } from '@/lib/core/security/input-validation'
 import { generateRequestId } from '@/lib/core/utils/request'

@@ -21,7 +21,7 @@ export async function POST(request: NextRequest) {
  const requestId = generateRequestId()

  try {
-    const authResult = await checkHybridAuth(request, { requireWorkflowId: false })
+    const authResult = await checkInternalAuth(request, { requireWorkflowId: false })

    if (!authResult.success) {
      logger.warn(`[${requestId}] Unauthorized Gmail remove label attempt: ${authResult.error}`)
--- a/apps/sim/app/api/tools/gmail/send/route.ts
+++ b/apps/sim/app/api/tools/gmail/send/route.ts
@@ -1,7 +1,7 @@
 import { createLogger } from '@sim/logger'
 import { type NextRequest, NextResponse } from 'next/server'
 import { z } from 'zod'
-import { checkHybridAuth } from '@/lib/auth/hybrid'
+import { checkInternalAuth } from '@/lib/auth/hybrid'
 import { generateRequestId } from '@/lib/core/utils/request'
 import { processFilesToUserFiles } from '@/lib/uploads/utils/file-utils'
 import { downloadFileFromStorage } from '@/lib/uploads/utils/file-utils.server'
@@ -35,7 +35,7 @@ export async function POST(request: NextRequest) {
  const requestId = generateRequestId()

  try {
-    const authResult = await checkHybridAuth(request, { requireWorkflowId: false })
+    const authResult = await checkInternalAuth(request, { requireWorkflowId: false })

    if (!authResult.success) {
      logger.warn(`[${requestId}] Unauthorized Gmail send attempt: ${authResult.error}`)
--- a/apps/sim/app/api/tools/gmail/unarchive/route.ts
+++ b/apps/sim/app/api/tools/gmail/unarchive/route.ts
@@ -1,7 +1,7 @@
 import { createLogger } from '@sim/logger'
 import { type NextRequest, NextResponse } from 'next/server'
 import { z } from 'zod'
-import { checkHybridAuth } from '@/lib/auth/hybrid'
+import { checkInternalAuth } from '@/lib/auth/hybrid'
 import { generateRequestId } from '@/lib/core/utils/request'

 export const dynamic = 'force-dynamic'
@@ -19,7 +19,7 @@ export async function POST(request: NextRequest) {
  const requestId = generateRequestId()

  try {
-    const authResult = await checkHybridAuth(request, { requireWorkflowId: false })
+    const authResult = await checkInternalAuth(request, { requireWorkflowId: false })

    if (!authResult.success) {
      logger.warn(`[${requestId}] Unauthorized Gmail unarchive attempt: ${authResult.error}`)
--- a/apps/sim/app/api/tools/google_drive/upload/route.ts
+++ b/apps/sim/app/api/tools/google_drive/upload/route.ts
@@ -1,7 +1,7 @@
 import { createLogger } from '@sim/logger'
 import { type NextRequest, NextResponse } from 'next/server'
 import { z } from 'zod'
-import { checkHybridAuth } from '@/lib/auth/hybrid'
+import { checkInternalAuth } from '@/lib/auth/hybrid'
 import { generateRequestId } from '@/lib/core/utils/request'
 import { processSingleFileToUserFile } from '@/lib/uploads/utils/file-utils'
 import { downloadFileFromStorage } from '@/lib/uploads/utils/file-utils.server'
@@ -56,7 +56,7 @@ export async function POST(request: NextRequest) {
  const requestId = generateRequestId()

  try {
-    const authResult = await checkHybridAuth(request, { requireWorkflowId: false })
+    const authResult = await checkInternalAuth(request, { requireWorkflowId: false })

    if (!authResult.success) {
      logger.warn(`[${requestId}] Unauthorized Google Drive upload attempt: ${authResult.error}`)
--- a/apps/sim/app/api/tools/image/route.ts
+++ b/apps/sim/app/api/tools/image/route.ts
@@ -1,6 +1,6 @@
 import { createLogger } from '@sim/logger'
 import { type NextRequest, NextResponse } from 'next/server'
-import { checkHybridAuth } from '@/lib/auth/hybrid'
+import { checkInternalAuth } from '@/lib/auth/hybrid'
 import { validateImageUrl } from '@/lib/core/security/input-validation'
 import { generateRequestId } from '@/lib/core/utils/request'

@@ -15,7 +15,7 @@ export async function GET(request: NextRequest) {
  const imageUrl = url.searchParams.get('url')
  const requestId = generateRequestId()

-  const authResult = await checkHybridAuth(request, { requireWorkflowId: false })
+  const authResult = await checkInternalAuth(request, { requireWorkflowId: false })
  if (!authResult.success) {
    logger.error(`[${requestId}] Authentication failed for image proxy:`, authResult.error)
    return new NextResponse('Unauthorized', { status: 401 })
--- a/apps/sim/app/api/tools/mail/send/route.ts
+++ b/apps/sim/app/api/tools/mail/send/route.ts
@@ -2,7 +2,7 @@ import { createLogger } from '@sim/logger'
 import { type NextRequest, NextResponse } from 'next/server'
 import { Resend } from 'resend'
 import { z } from 'zod'
-import { checkHybridAuth } from '@/lib/auth/hybrid'
+import { checkInternalAuth } from '@/lib/auth/hybrid'
 import { generateRequestId } from '@/lib/core/utils/request'

 export const dynamic = 'force-dynamic'
@@ -22,7 +22,7 @@ export async function POST(request: NextRequest) {
  const requestId = generateRequestId()

  try {
-    const authResult = await checkHybridAuth(request, { requireWorkflowId: false })
+    const authResult = await checkInternalAuth(request, { requireWorkflowId: false })

    if (!authResult.success) {
      logger.warn(`[${requestId}] Unauthorized mail send attempt: ${authResult.error}`)
--- a/apps/sim/app/api/tools/microsoft_teams/delete_chat_message/route.ts
+++ b/apps/sim/app/api/tools/microsoft_teams/delete_chat_message/route.ts
@@ -1,7 +1,7 @@
 import { createLogger } from '@sim/logger'
 import { type NextRequest, NextResponse } from 'next/server'
 import { z } from 'zod'
-import { checkHybridAuth } from '@/lib/auth/hybrid'
+import { checkInternalAuth } from '@/lib/auth/hybrid'
 import { generateRequestId } from '@/lib/core/utils/request'

 export const dynamic = 'force-dynamic'
@@ -18,7 +18,7 @@ export async function POST(request: NextRequest) {
  const requestId = generateRequestId()

  try {
-    const authResult = await checkHybridAuth(request, { requireWorkflowId: false })
+    const authResult = await checkInternalAuth(request, { requireWorkflowId: false })

    if (!authResult.success) {
      logger.warn(`[${requestId}] Unauthorized Teams chat delete attempt: ${authResult.error}`)
--- a/apps/sim/app/api/tools/microsoft_teams/write_channel/route.ts
+++ b/apps/sim/app/api/tools/microsoft_teams/write_channel/route.ts
@@ -1,7 +1,7 @@
 import { createLogger } from '@sim/logger'
 import { type NextRequest, NextResponse } from 'next/server'
 import { z } from 'zod'
-import { checkHybridAuth } from '@/lib/auth/hybrid'
+import { checkInternalAuth } from '@/lib/auth/hybrid'
 import { generateRequestId } from '@/lib/core/utils/request'
 import { processFilesToUserFiles } from '@/lib/uploads/utils/file-utils'
 import { downloadFileFromStorage } from '@/lib/uploads/utils/file-utils.server'
@@ -23,7 +23,7 @@ export async function POST(request: NextRequest) {
  const requestId = generateRequestId()

  try {
-    const authResult = await checkHybridAuth(request, { requireWorkflowId: false })
+    const authResult = await checkInternalAuth(request, { requireWorkflowId: false })

    if (!authResult.success) {
      logger.warn(`[${requestId}] Unauthorized Teams channel write attempt: ${authResult.error}`)
--- a/apps/sim/app/api/tools/microsoft_teams/write_chat/route.ts
+++ b/apps/sim/app/api/tools/microsoft_teams/write_chat/route.ts
@@ -1,7 +1,7 @@
 import { createLogger } from '@sim/logger'
 import { type NextRequest, NextResponse } from 'next/server'
 import { z } from 'zod'
-import { checkHybridAuth } from '@/lib/auth/hybrid'
+import { checkInternalAuth } from '@/lib/auth/hybrid'
 import { generateRequestId } from '@/lib/core/utils/request'
 import { processFilesToUserFiles } from '@/lib/uploads/utils/file-utils'
 import { downloadFileFromStorage } from '@/lib/uploads/utils/file-utils.server'
@@ -22,7 +22,7 @@ export async function POST(request: NextRequest) {
  const requestId = generateRequestId()

  try {
-    const authResult = await checkHybridAuth(request, { requireWorkflowId: false })
+    const authResult = await checkInternalAuth(request, { requireWorkflowId: false })

    if (!authResult.success) {
      logger.warn(`[${requestId}] Unauthorized Teams chat write attempt: ${authResult.error}`)
--- a/apps/sim/app/api/tools/mistral/parse/route.ts
+++ b/apps/sim/app/api/tools/mistral/parse/route.ts
@@ -1,11 +1,15 @@
 import { createLogger } from '@sim/logger'
 import { type NextRequest, NextResponse } from 'next/server'
 import { z } from 'zod'
-import { checkHybridAuth } from '@/lib/auth/hybrid'
+import { checkInternalAuth } from '@/lib/auth/hybrid'
 import { generateRequestId } from '@/lib/core/utils/request'
 import { getBaseUrl } from '@/lib/core/utils/urls'
 import { StorageService } from '@/lib/uploads'
-import { extractStorageKey, inferContextFromKey } from '@/lib/uploads/utils/file-utils'
+import {
+  extractStorageKey,
+  inferContextFromKey,
+  isInternalFileUrl,
+} from '@/lib/uploads/utils/file-utils'
 import { verifyFileAccess } from '@/app/api/files/authorization'

 export const dynamic = 'force-dynamic'
@@ -26,7 +30,7 @@ export async function POST(request: NextRequest) {
  const requestId = generateRequestId()

  try {
-    const authResult = await checkHybridAuth(request, { requireWorkflowId: false })
+    const authResult = await checkInternalAuth(request, { requireWorkflowId: false })

    if (!authResult.success || !authResult.userId) {
      logger.warn(`[${requestId}] Unauthorized Mistral parse attempt`, {
@@ -47,13 +51,13 @@ export async function POST(request: NextRequest) {

    logger.info(`[${requestId}] Mistral parse request`, {
      filePath: validatedData.filePath,
-      isWorkspaceFile: validatedData.filePath.includes('/api/files/serve/'),
+      isWorkspaceFile: isInternalFileUrl(validatedData.filePath),
      userId,
    })

    let fileUrl = validatedData.filePath

-    if (validatedData.filePath?.includes('/api/files/serve/')) {
+    if (isInternalFileUrl(validatedData.filePath)) {
      try {
        const storageKey = extractStorageKey(validatedData.filePath)

--- a/apps/sim/app/api/tools/mysql/delete/route.ts
+++ b/apps/sim/app/api/tools/mysql/delete/route.ts
@@ -2,6 +2,7 @@ import { randomUUID } from 'crypto'
 import { createLogger } from '@sim/logger'
 import { type NextRequest, NextResponse } from 'next/server'
 import { z } from 'zod'
+import { checkInternalAuth } from '@/lib/auth/hybrid'
 import { buildDeleteQuery, createMySQLConnection, executeQuery } from '@/app/api/tools/mysql/utils'

 const logger = createLogger('MySQLDeleteAPI')
@@ -21,6 +22,12 @@ export async function POST(request: NextRequest) {
  const requestId = randomUUID().slice(0, 8)

  try {
+    const auth = await checkInternalAuth(request)
+    if (!auth.success || !auth.userId) {
+      logger.warn(`[${requestId}] Unauthorized MySQL delete attempt`)
+      return NextResponse.json({ error: auth.error || 'Unauthorized' }, { status: 401 })
+    }
+
    const body = await request.json()
    const params = DeleteSchema.parse(body)

--- a/apps/sim/app/api/tools/mysql/execute/route.ts
+++ b/apps/sim/app/api/tools/mysql/execute/route.ts
@@ -2,6 +2,7 @@ import { randomUUID } from 'crypto'
 import { createLogger } from '@sim/logger'
 import { type NextRequest, NextResponse } from 'next/server'
 import { z } from 'zod'
+import { checkInternalAuth } from '@/lib/auth/hybrid'
 import { createMySQLConnection, executeQuery, validateQuery } from '@/app/api/tools/mysql/utils'

 const logger = createLogger('MySQLExecuteAPI')
@@ -20,6 +21,12 @@ export async function POST(request: NextRequest) {
  const requestId = randomUUID().slice(0, 8)

  try {
+    const auth = await checkInternalAuth(request)
+    if (!auth.success || !auth.userId) {
+      logger.warn(`[${requestId}] Unauthorized MySQL execute attempt`)
+      return NextResponse.json({ error: auth.error || 'Unauthorized' }, { status: 401 })
+    }
+
    const body = await request.json()
    const params = ExecuteSchema.parse(body)

--- a/apps/sim/app/api/tools/mysql/insert/route.ts
+++ b/apps/sim/app/api/tools/mysql/insert/route.ts
@@ -2,6 +2,7 @@ import { randomUUID } from 'crypto'
 import { createLogger } from '@sim/logger'
 import { type NextRequest, NextResponse } from 'next/server'
 import { z } from 'zod'
+import { checkInternalAuth } from '@/lib/auth/hybrid'
 import { buildInsertQuery, createMySQLConnection, executeQuery } from '@/app/api/tools/mysql/utils'

 const logger = createLogger('MySQLInsertAPI')
@@ -42,6 +43,12 @@ export async function POST(request: NextRequest) {
  const requestId = randomUUID().slice(0, 8)

  try {
+    const auth = await checkInternalAuth(request)
+    if (!auth.success || !auth.userId) {
+      logger.warn(`[${requestId}] Unauthorized MySQL insert attempt`)
+      return NextResponse.json({ error: auth.error || 'Unauthorized' }, { status: 401 })
+    }
+
    const body = await request.json()
    const params = InsertSchema.parse(body)

--- a/apps/sim/app/api/tools/mysql/introspect/route.ts
+++ b/apps/sim/app/api/tools/mysql/introspect/route.ts
@@ -2,6 +2,7 @@ import { randomUUID } from 'crypto'
 import { createLogger } from '@sim/logger'
 import { type NextRequest, NextResponse } from 'next/server'
 import { z } from 'zod'
+import { checkInternalAuth } from '@/lib/auth/hybrid'
 import { createMySQLConnection, executeIntrospect } from '@/app/api/tools/mysql/utils'

 const logger = createLogger('MySQLIntrospectAPI')
@@ -19,6 +20,12 @@ export async function POST(request: NextRequest) {
  const requestId = randomUUID().slice(0, 8)

  try {
+    const auth = await checkInternalAuth(request)
+    if (!auth.success || !auth.userId) {
+      logger.warn(`[${requestId}] Unauthorized MySQL introspect attempt`)
+      return NextResponse.json({ error: auth.error || 'Unauthorized' }, { status: 401 })
+    }
+
    const body = await request.json()
    const params = IntrospectSchema.parse(body)

--- a/apps/sim/app/api/tools/mysql/query/route.ts
+++ b/apps/sim/app/api/tools/mysql/query/route.ts
@@ -2,6 +2,7 @@ import { randomUUID } from 'crypto'
 import { createLogger } from '@sim/logger'
 import { type NextRequest, NextResponse } from 'next/server'
 import { z } from 'zod'
+import { checkInternalAuth } from '@/lib/auth/hybrid'
 import { createMySQLConnection, executeQuery, validateQuery } from '@/app/api/tools/mysql/utils'

 const logger = createLogger('MySQLQueryAPI')
@@ -20,6 +21,12 @@ export async function POST(request: NextRequest) {
  const requestId = randomUUID().slice(0, 8)

  try {
+    const auth = await checkInternalAuth(request)
+    if (!auth.success || !auth.userId) {
+      logger.warn(`[${requestId}] Unauthorized MySQL query attempt`)
+      return NextResponse.json({ error: auth.error || 'Unauthorized' }, { status: 401 })
+    }
+
    const body = await request.json()
    const params = QuerySchema.parse(body)

--- a/apps/sim/app/api/tools/mysql/update/route.ts
+++ b/apps/sim/app/api/tools/mysql/update/route.ts
@@ -2,6 +2,7 @@ import { randomUUID } from 'crypto'
 import { createLogger } from '@sim/logger'
 import { type NextRequest, NextResponse } from 'next/server'
 import { z } from 'zod'
+import { checkInternalAuth } from '@/lib/auth/hybrid'
 import { buildUpdateQuery, createMySQLConnection, executeQuery } from '@/app/api/tools/mysql/utils'

 const logger = createLogger('MySQLUpdateAPI')
@@ -40,6 +41,12 @@ export async function POST(request: NextRequest) {
  const requestId = randomUUID().slice(0, 8)

  try {
+    const auth = await checkInternalAuth(request)
+    if (!auth.success || !auth.userId) {
+      logger.warn(`[${requestId}] Unauthorized MySQL update attempt`)
+      return NextResponse.json({ error: auth.error || 'Unauthorized' }, { status: 401 })
+    }
+
    const body = await request.json()
    const params = UpdateSchema.parse(body)

--- a/Show More
+++ b/Show More