update skills

fix
2026-02-03 19:24:57 -05:00 · 2026-02-03 16:04:16 -08:00 · 2026-02-03 15:58:51 -08:00 · 2026-02-03 15:53:24 -08:00 · 2026-02-03 15:50:50 -08:00 · 2026-02-03 15:44:39 -08:00
321 changed files with 8199 additions and 15143 deletions
--- a/.claude/commands/add-block.md
+++ b/.claude/commands/add-block.md
@@ -183,6 +183,109 @@ export const {ServiceName}Block: BlockConfig = {
 }
 ```
 ## File Input Handling
 When your block accepts file uploads, use the basic/advanced mode pattern with `normalizeFileInput`.
 ### Basic/Advanced File Pattern
 ```typescript
 // Basic mode: Visual file upload
 {
  id: 'uploadFile',
  title: 'File',
  type: 'file-upload',
  canonicalParamId: 'file',  // Both map to 'file' param
  placeholder: 'Upload file',
  mode: 'basic',
  multiple: false,
  required: true,
  condition: { field: 'operation', value: 'upload' },
 },
 // Advanced mode: Reference from other blocks
 {
  id: 'fileRef',
  title: 'File',
  type: 'short-input',
  canonicalParamId: 'file',  // Both map to 'file' param
  placeholder: 'Reference file (e.g., {{file_block.output}})',
  mode: 'advanced',
  required: true,
  condition: { field: 'operation', value: 'upload' },
 },
 ```
 **Critical constraints:**
 - `canonicalParamId` must NOT match any subblock's `id` in the same block
 - Values are stored under subblock `id`, not `canonicalParamId`
 ### Normalizing File Input in tools.config
 Use `normalizeFileInput` to handle all input variants:
 ```typescript
 import { normalizeFileInput } from '@/blocks/utils'
 tools: {
  access: ['service_upload'],
  config: {
    tool: (params) => {
      // Check all field IDs: uploadFile (basic), fileRef (advanced), fileContent (legacy)
      const normalizedFile = normalizeFileInput(
        params.uploadFile || params.fileRef || params.fileContent,
        { single: true }
      )
      if (normalizedFile) {
        params.file = normalizedFile
      }
      return `service_${params.operation}`
    },
  },
 }
 ```
 **Why this pattern?**
 - Values come through as `params.uploadFile` or `params.fileRef` (the subblock IDs)
 - `canonicalParamId` only controls UI/schema mapping, not runtime values
 - `normalizeFileInput` handles JSON strings from advanced mode template resolution
 ### File Input Types in `inputs`
 Use `type: 'json'` for file inputs:
 ```typescript
 inputs: {
  uploadFile: { type: 'json', description: 'Uploaded file (UserFile)' },
  fileRef: { type: 'json', description: 'File reference from previous block' },
  // Legacy field for backwards compatibility
  fileContent: { type: 'string', description: 'Legacy: base64 encoded content' },
 }
 ```
 ### Multiple Files
 For multiple file uploads:
 ```typescript
 {
  id: 'attachments',
  title: 'Attachments',
  type: 'file-upload',
  multiple: true,  // Allow multiple files
  maxSize: 25,     // Max size in MB per file
  acceptedTypes: 'image/*,application/pdf,.doc,.docx',
 }
 // In tools.config:
 const normalizedFiles = normalizeFileInput(
  params.attachments || params.attachmentRefs,
  // No { single: true } - returns array
 )
 if (normalizedFiles) {
  params.files = normalizedFiles
 }
 ```
 ## Condition Syntax
 Controls when a field is shown based on other field values.
--- a/.claude/commands/add-integration.md
+++ b/.claude/commands/add-integration.md
@@ -457,7 +457,230 @@ You can usually find this in the service's brand/press kit page, or copy it from
 Paste the SVG code here and I'll convert it to a React component.
 ```
-## Common Gotchas
+## File Handling
 When your integration handles file uploads or downloads, follow these patterns to work with `UserFile` objects consistently.
 ### What is a UserFile?
 A `UserFile` is the standard file representation in Sim:
 ```typescript
 interface UserFile {
  id: string       // Unique identifier
  name: string     // Original filename
  url: string      // Presigned URL for download
  size: number     // File size in bytes
  type: string     // MIME type (e.g., 'application/pdf')
  base64?: string  // Optional base64 content (if small file)
  key?: string     // Internal storage key
  context?: object // Storage context metadata
 }
 ```
 ### File Input Pattern (Uploads)
 For tools that accept file uploads, **always route through an internal API endpoint** rather than calling external APIs directly. This ensures proper file content retrieval.
 #### 1. Block SubBlocks for File Input
 Use the basic/advanced mode pattern:
 ```typescript
 // Basic mode: File upload UI
 {
  id: 'uploadFile',
  title: 'File',
  type: 'file-upload',
  canonicalParamId: 'file',  // Maps to 'file' param
  placeholder: 'Upload file',
  mode: 'basic',
  multiple: false,
  required: true,
  condition: { field: 'operation', value: 'upload' },
 },
 // Advanced mode: Reference from previous block
 {
  id: 'fileRef',
  title: 'File',
  type: 'short-input',
  canonicalParamId: 'file',  // Same canonical param
  placeholder: 'Reference file (e.g., {{file_block.output}})',
  mode: 'advanced',
  required: true,
  condition: { field: 'operation', value: 'upload' },
 },
 ```
 **Critical:** `canonicalParamId` must NOT match any subblock `id`.
 #### 2. Normalize File Input in Block Config
 In `tools.config.tool`, use `normalizeFileInput` to handle all input variants:
 ```typescript
 import { normalizeFileInput } from '@/blocks/utils'
 tools: {
  config: {
    tool: (params) => {
      // Normalize file from basic (uploadFile), advanced (fileRef), or legacy (fileContent)
      const normalizedFile = normalizeFileInput(
        params.uploadFile || params.fileRef || params.fileContent,
        { single: true }
      )
      if (normalizedFile) {
        params.file = normalizedFile
      }
      return `{service}_${params.operation}`
    },
  },
 }
 ```
 #### 3. Create Internal API Route
 Create `apps/sim/app/api/tools/{service}/{action}/route.ts`:
 ```typescript
 import { createLogger } from '@sim/logger'
 import { NextResponse, type NextRequest } from 'next/server'
 import { z } from 'zod'
 import { checkInternalAuth } from '@/lib/auth/hybrid'
 import { generateRequestId } from '@/lib/core/utils/request'
 import { FileInputSchema, type RawFileInput } from '@/lib/uploads/utils/file-schemas'
 import { processFilesToUserFiles } from '@/lib/uploads/utils/file-utils'
 import { downloadFileFromStorage } from '@/lib/uploads/utils/file-utils.server'
 const logger = createLogger('{Service}UploadAPI')
 const RequestSchema = z.object({
  accessToken: z.string(),
  file: FileInputSchema.optional().nullable(),
  // Legacy field for backwards compatibility
  fileContent: z.string().optional().nullable(),
  // ... other params
 })
 export async function POST(request: NextRequest) {
  const requestId = generateRequestId()
  const authResult = await checkInternalAuth(request, { requireWorkflowId: false })
  if (!authResult.success) {
    return NextResponse.json({ success: false, error: 'Unauthorized' }, { status: 401 })
  }
  const body = await request.json()
  const data = RequestSchema.parse(body)
  let fileBuffer: Buffer
  let fileName: string
  // Prefer UserFile input, fall back to legacy base64
  if (data.file) {
    const userFiles = processFilesToUserFiles([data.file as RawFileInput], requestId, logger)
    if (userFiles.length === 0) {
      return NextResponse.json({ success: false, error: 'Invalid file' }, { status: 400 })
    }
    const userFile = userFiles[0]
    fileBuffer = await downloadFileFromStorage(userFile, requestId, logger)
    fileName = userFile.name
  } else if (data.fileContent) {
    // Legacy: base64 string (backwards compatibility)
    fileBuffer = Buffer.from(data.fileContent, 'base64')
    fileName = 'file'
  } else {
    return NextResponse.json({ success: false, error: 'File required' }, { status: 400 })
  }
  // Now call external API with fileBuffer
  const response = await fetch('https://api.{service}.com/upload', {
    method: 'POST',
    headers: { Authorization: `Bearer ${data.accessToken}` },
    body: new Uint8Array(fileBuffer),  // Convert Buffer for fetch
  })
  // ... handle response
 }
 ```
 #### 4. Update Tool to Use Internal Route
 ```typescript
 export const {service}UploadTool: ToolConfig<Params, Response> = {
  id: '{service}_upload',
  // ...
  params: {
    file: { type: 'file', required: false, visibility: 'user-or-llm' },
    fileContent: { type: 'string', required: false, visibility: 'hidden' }, // Legacy
  },
  request: {
    url: '/api/tools/{service}/upload',  // Internal route
    method: 'POST',
    body: (params) => ({
      accessToken: params.accessToken,
      file: params.file,
      fileContent: params.fileContent,
    }),
  },
 }
 ```
 ### File Output Pattern (Downloads)
 For tools that return files, use `FileToolProcessor` to store files and return `UserFile` objects.
 #### In Tool transformResponse
 ```typescript
 import { FileToolProcessor } from '@/executor/utils/file-tool-processor'
 transformResponse: async (response, context) => {
  const data = await response.json()
  // Process file outputs to UserFile objects
  const fileProcessor = new FileToolProcessor(context)
  const file = await fileProcessor.processFileData({
    data: data.content,      // base64 or buffer
    mimeType: data.mimeType,
    filename: data.filename,
  })
  return {
    success: true,
    output: { file },
  }
 }
 ```
 #### In API Route (for complex file handling)
 ```typescript
 // Return file data that FileToolProcessor can handle
 return NextResponse.json({
  success: true,
  output: {
    file: {
      data: base64Content,
      mimeType: 'application/pdf',
      filename: 'document.pdf',
    },
  },
 })
 ```
 ### Key Helpers Reference
 | Helper | Location | Purpose |
 |--------|----------|---------|
 | `normalizeFileInput` | `@/blocks/utils` | Normalize file params in block config |
 | `processFilesToUserFiles` | `@/lib/uploads/utils/file-utils` | Convert raw inputs to UserFile[] |
 | `downloadFileFromStorage` | `@/lib/uploads/utils/file-utils.server` | Get file Buffer from UserFile |
 | `FileToolProcessor` | `@/executor/utils/file-tool-processor` | Process tool output files |
 | `isUserFile` | `@/lib/core/utils/user-file` | Type guard for UserFile objects |
 | `FileInputSchema` | `@/lib/uploads/utils/file-schemas` | Zod schema for file validation |
 ### Common Gotchas
 1. **OAuth serviceId must match** - The `serviceId` in oauth-input must match the OAuth provider configuration
 2. **Tool IDs are snake_case** - `stripe_create_payment`, not `stripeCreatePayment`
@@ -465,3 +688,5 @@ Paste the SVG code here and I'll convert it to a React component.
 4. **Alphabetical ordering** - Keep imports and registry entries alphabetically sorted
 5. **Required can be conditional** - Use `required: { field: 'op', value: 'create' }` instead of always true
 6. **DependsOn clears options** - When a dependency changes, selector options are refetched
 7. **Never pass Buffer directly to fetch** - Convert to `new Uint8Array(buffer)` for TypeScript compatibility
 8. **Always handle legacy file params** - Keep hidden `fileContent` params for backwards compatibility
--- a/.claude/rules/sim-integrations.md
+++ b/.claude/rules/sim-integrations.md
@@ -195,6 +195,52 @@ import { {service}WebhookTrigger } from '@/triggers/{service}'
 {service}_webhook: {service}WebhookTrigger,
 ```
 ## File Handling
 When integrations handle file uploads/downloads, use `UserFile` objects consistently.
 ### File Input (Uploads)
 1. **Block subBlocks:** Use basic/advanced mode pattern with `canonicalParamId`
 2. **Normalize in block config:** Use `normalizeFileInput` from `@/blocks/utils`
 3. **Internal API route:** Create route that uses `downloadFileFromStorage` to get file content
 4. **Tool routes to internal API:** Don't call external APIs directly with files
 ```typescript
 // In block tools.config:
 import { normalizeFileInput } from '@/blocks/utils'
 const normalizedFile = normalizeFileInput(
  params.uploadFile || params.fileRef || params.fileContent,
  { single: true }
 )
 if (normalizedFile) params.file = normalizedFile
 ```
 ### File Output (Downloads)
 Use `FileToolProcessor` in tool `transformResponse` to store files:
 ```typescript
 import { FileToolProcessor } from '@/executor/utils/file-tool-processor'
 const processor = new FileToolProcessor(context)
 const file = await processor.processFileData({
  data: base64Content,
  mimeType: 'application/pdf',
  filename: 'doc.pdf',
 })
 ```
 ### Key Helpers
 | Helper | Location | Purpose |
 |--------|----------|---------|
 | `normalizeFileInput` | `@/blocks/utils` | Normalize file params in block config |
 | `processFilesToUserFiles` | `@/lib/uploads/utils/file-utils` | Convert raw inputs to UserFile[] |
 | `downloadFileFromStorage` | `@/lib/uploads/utils/file-utils.server` | Get Buffer from UserFile |
 | `FileToolProcessor` | `@/executor/utils/file-tool-processor` | Process tool output files |
 ## Checklist
 - [ ] Look up API docs for the service
@@ -207,3 +253,5 @@ import { {service}WebhookTrigger } from '@/triggers/{service}'
 - [ ] Register block in `blocks/registry.ts`
 - [ ] (Optional) Create triggers in `triggers/{service}/`
 - [ ] (Optional) Register triggers in `triggers/registry.ts`
 - [ ] (If file uploads) Create internal API route with `downloadFileFromStorage`
 - [ ] (If file uploads) Use `normalizeFileInput` in block config
--- a/.cursor/rules/sim-integrations.mdc
+++ b/.cursor/rules/sim-integrations.mdc
@@ -193,6 +193,52 @@ import { {service}WebhookTrigger } from '@/triggers/{service}'
 {service}_webhook: {service}WebhookTrigger,
 ```
 ## File Handling
 When integrations handle file uploads/downloads, use `UserFile` objects consistently.
 ### File Input (Uploads)
 1. **Block subBlocks:** Use basic/advanced mode pattern with `canonicalParamId`
 2. **Normalize in block config:** Use `normalizeFileInput` from `@/blocks/utils`
 3. **Internal API route:** Create route that uses `downloadFileFromStorage` to get file content
 4. **Tool routes to internal API:** Don't call external APIs directly with files
 ```typescript
 // In block tools.config:
 import { normalizeFileInput } from '@/blocks/utils'
 const normalizedFile = normalizeFileInput(
  params.uploadFile || params.fileRef || params.fileContent,
  { single: true }
 )
 if (normalizedFile) params.file = normalizedFile
 ```
 ### File Output (Downloads)
 Use `FileToolProcessor` in tool `transformResponse` to store files:
 ```typescript
 import { FileToolProcessor } from '@/executor/utils/file-tool-processor'
 const processor = new FileToolProcessor(context)
 const file = await processor.processFileData({
  data: base64Content,
  mimeType: 'application/pdf',
  filename: 'doc.pdf',
 })
 ```
 ### Key Helpers
 | Helper | Location | Purpose |
 |--------|----------|---------|
 | `normalizeFileInput` | `@/blocks/utils` | Normalize file params in block config |
 | `processFilesToUserFiles` | `@/lib/uploads/utils/file-utils` | Convert raw inputs to UserFile[] |
 | `downloadFileFromStorage` | `@/lib/uploads/utils/file-utils.server` | Get Buffer from UserFile |
 | `FileToolProcessor` | `@/executor/utils/file-tool-processor` | Process tool output files |
 ## Checklist
 - [ ] Look up API docs for the service
@@ -205,3 +251,5 @@ import { {service}WebhookTrigger } from '@/triggers/{service}'
 - [ ] Register block in `blocks/registry.ts`
 - [ ] (Optional) Create triggers in `triggers/{service}/`
 - [ ] (Optional) Register triggers in `triggers/registry.ts`
 - [ ] (If file uploads) Create internal API route with `downloadFileFromStorage`
 - [ ] (If file uploads) Use `normalizeFileInput` in block config
--- a/CLAUDE.md
+++ b/CLAUDE.md
@@ -265,6 +265,23 @@ Register in `blocks/registry.ts` (alphabetically).
 **dependsOn:** `['field']` or `{ all: ['a'], any: ['b', 'c'] }`
 **File Input Pattern (basic/advanced mode):**
 ```typescript
 // Basic: file-upload UI
 { id: 'uploadFile', type: 'file-upload', canonicalParamId: 'file', mode: 'basic' },
 // Advanced: reference from other blocks
 { id: 'fileRef', type: 'short-input', canonicalParamId: 'file', mode: 'advanced' },
 ```
 In `tools.config.tool`, normalize with:
 ```typescript
 import { normalizeFileInput } from '@/blocks/utils'
 const file = normalizeFileInput(params.uploadFile || params.fileRef, { single: true })
 if (file) params.file = file
 ```
 For file uploads, create an internal API route (`/api/tools/{service}/upload`) that uses `downloadFileFromStorage` to get file content from `UserFile` objects.
 ### 3. Icon (`components/icons.tsx`)
 ```typescript
@@ -293,3 +310,5 @@ Register in `triggers/registry.ts`.
 - [ ] Create block in `blocks/blocks/{service}.ts`
 - [ ] Register block in `blocks/registry.ts`
 - [ ] (Optional) Create and register triggers
 - [ ] (If file uploads) Create internal API route with `downloadFileFromStorage`
 - [ ] (If file uploads) Use `normalizeFileInput` in block config
--- a/apps/docs/content/docs/en/execution/files.mdx
+++ b/apps/docs/content/docs/en/execution/files.mdx
@@ -0,0 +1,168 @@
 ---
 title: Passing Files
 ---
 import { Callout } from 'fumadocs-ui/components/callout'
 import { Tab, Tabs } from 'fumadocs-ui/components/tabs'
 Sim makes it easy to work with files throughout your workflows. Blocks can receive files, process them, and pass them to other blocks seamlessly.
 ## File Objects
 When blocks output files (like Gmail attachments, generated images, or parsed documents), they return a standardized file object:
 ```json
 {
  "name": "report.pdf",
  "url": "https://...",
  "base64": "JVBERi0xLjQK...",
  "type": "application/pdf",
  "size": 245678
 }
 ```
 You can access any of these properties when referencing files from previous blocks.
 ## The File Block
 The **File block** is the universal entry point for files in your workflows. It accepts files from any source and outputs standardized file objects that work with all integrations.
 **Inputs:**
 - **Uploaded files** - Drag and drop or select files directly
 - **External URLs** - Any publicly accessible file URL
 - **Files from other blocks** - Pass files from Gmail attachments, Slack downloads, etc.
 **Outputs:**
 - A list of `UserFile` objects with consistent structure (`name`, `url`, `base64`, `type`, `size`)
 - `combinedContent` - Extracted text content from all files (for documents)
 **Example usage:**
 ```
 // Get all files from the File block
 <file.files>
 // Get the first file
 <file.files[0]>
 // Get combined text content from parsed documents
 <file.combinedContent>
 ```
 The File block automatically:
 - Detects file types from URLs and extensions
 - Extracts text from PDFs, CSVs, and documents
 - Generates base64 encoding for binary files
 - Creates presigned URLs for secure access
 Use the File block when you need to normalize files from different sources before passing them to other blocks like Vision, STT, or email integrations.
 ## Passing Files Between Blocks
 Reference files from previous blocks using the tag dropdown. Click in any file input field and type `<` to see available outputs.
 **Common patterns:**
 ```
 // Single file from a block
 <gmail.attachments[0]>
 // Pass the whole file object
 <file_parser.files[0]>
 // Access specific properties
 <gmail.attachments[0].name>
 <gmail.attachments[0].base64>
 ```
 Most blocks accept the full file object and extract what they need automatically. You don't need to manually extract `base64` or `url` in most cases.
 ## Triggering Workflows with Files
 When calling a workflow via API that expects file input, include files in your request:
 <Tabs items={['Base64', 'URL']}>
  <Tab value="Base64">
    ```bash
    curl -X POST "https://sim.ai/api/workflows/YOUR_WORKFLOW_ID/execute" \
      -H "Content-Type: application/json" \
      -H "x-api-key: YOUR_API_KEY" \
      -d '{
        "document": {
          "name": "report.pdf",
          "base64": "JVBERi0xLjQK...",
          "type": "application/pdf"
        }
      }'
    ```
  </Tab>
  <Tab value="URL">
    ```bash
    curl -X POST "https://sim.ai/api/workflows/YOUR_WORKFLOW_ID/execute" \
      -H "Content-Type: application/json" \
      -H "x-api-key: YOUR_API_KEY" \
      -d '{
        "document": {
          "name": "report.pdf",
          "url": "https://example.com/report.pdf",
          "type": "application/pdf"
        }
      }'
    ```
  </Tab>
 </Tabs>
 The workflow's Start block should have an input field configured to receive the file parameter.
 ## Receiving Files in API Responses
 When a workflow outputs files, they're included in the response:
 ```json
 {
  "success": true,
  "output": {
    "generatedFile": {
      "name": "output.png",
      "url": "https://...",
      "base64": "iVBORw0KGgo...",
      "type": "image/png",
      "size": 34567
    }
  }
 }
 ```
 Use `url` for direct downloads or `base64` for inline processing.
 ## Blocks That Work with Files
 **File inputs:**
 - **File** - Parse documents, images, and text files
 - **Vision** - Analyze images with AI models
 - **Mistral Parser** - Extract text from PDFs
 **File outputs:**
 - **Gmail** - Email attachments
 - **Slack** - Downloaded files
 - **TTS** - Generated audio files
 - **Video Generator** - Generated videos
 - **Image Generator** - Generated images
 **File storage:**
 - **Supabase** - Upload/download from storage
 - **S3** - AWS S3 operations
 - **Google Drive** - Drive file operations
 - **Dropbox** - Dropbox file operations
 <Callout type="info">
  Files are automatically available to downstream blocks. The execution engine handles all file transfer and format conversion.
 </Callout>
 ## Best Practices
 1. **Use file objects directly** - Pass the full file object rather than extracting individual properties. Blocks handle the conversion automatically.
 2. **Check file types** - Ensure the file type matches what the receiving block expects. The Vision block needs images, the File block handles documents.
 3. **Consider file size** - Large files increase execution time. For very large files, consider using storage blocks (S3, Supabase) for intermediate storage.
--- a/apps/docs/content/docs/en/execution/meta.json
+++ b/apps/docs/content/docs/en/execution/meta.json
@@ -1,3 +1,3 @@
 {
-  "pages": ["index", "basics", "api", "logging", "costs"]
+  "pages": ["index", "basics", "files", "api", "logging", "costs"]
 }
--- a/apps/docs/content/docs/en/quick-reference/index.mdx
+++ b/apps/docs/content/docs/en/quick-reference/index.mdx
@@ -180,11 +180,6 @@ A quick lookup for everyday actions in the Sim workflow editor. For keyboard sho
      <td>Right-click → **Enable/Disable**</td>
      <td><ActionImage src="/static/quick-reference/disable-block.png" alt="Disable block" /></td>
    </tr>
    <tr>
      <td>Lock/Unlock a block</td>
      <td>Hover block → Click lock icon (Admin only)</td>
      <td><ActionImage src="/static/quick-reference/lock-block.png" alt="Lock block" /></td>
    </tr>
    <tr>
      <td>Toggle handle orientation</td>
      <td>Right-click → **Toggle Handles**</td>
--- a/apps/docs/content/docs/en/tools/pulse.mdx
+++ b/apps/docs/content/docs/en/tools/pulse.mdx
@@ -11,7 +11,7 @@ import { BlockInfoCard } from "@/components/ui/block-info-card"
 />
 {/* MANUAL-CONTENT-START:intro */}
-The [Pulse](https://www.runpulse.com) tool enables seamless extraction of text and structured content from a wide variety of documents—including PDFs, images, and Office files—using state-of-the-art OCR (Optical Character Recognition) powered by Pulse. Designed for automated agentic workflows, Pulse Parser makes it easy to unlock valuable information trapped in unstructured documents and integrate the extracted content directly into your workflow.
+The [Pulse](https://www.pulseapi.com/) tool enables seamless extraction of text and structured content from a wide variety of documents—including PDFs, images, and Office files—using state-of-the-art OCR (Optical Character Recognition) powered by Pulse. Designed for automated agentic workflows, Pulse Parser makes it easy to unlock valuable information trapped in unstructured documents and integrate the extracted content directly into your workflow.
 With Pulse, you can:
--- a/apps/docs/public/static/quick-reference/lock-block.png
+++ b/apps/docs/public/static/quick-reference/lock-block.png
--- a/apps/sim/app/(auth)/sso/page.tsx
+++ b/apps/sim/app/(auth)/sso/page.tsx
@@ -1,6 +1,6 @@
 import { redirect } from 'next/navigation'
 import { getEnv, isTruthy } from '@/lib/core/config/env'
-import SSOForm from '@/ee/sso/components/sso-form'
+import SSOForm from '@/app/(auth)/sso/sso-form'
 export const dynamic = 'force-dynamic'
--- a/apps/sim/ee/sso/components/sso-form.tsx
+++ b/apps/sim/ee/sso/components/sso-form.tsx
--- a/apps/sim/app/api/a2a/serve/[agentId]/route.ts
+++ b/apps/sim/app/api/a2a/serve/[agentId]/route.ts
@@ -16,7 +16,7 @@ import {
 import { checkHybridAuth } from '@/lib/auth/hybrid'
 import { getBrandConfig } from '@/lib/branding/branding'
 import { acquireLock, getRedisClient, releaseLock } from '@/lib/core/config/redis'
-import { validateExternalUrl } from '@/lib/core/security/input-validation'
+import { validateUrlWithDNS } from '@/lib/core/security/input-validation.server'
 import { SSE_HEADERS } from '@/lib/core/utils/sse'
 import { getBaseUrl } from '@/lib/core/utils/urls'
 import { markExecutionCancelled } from '@/lib/execution/cancellation'
@@ -1119,7 +1119,7 @@ async function handlePushNotificationSet(
    )
  }
-  const urlValidation = validateExternalUrl(
+  const urlValidation = await validateUrlWithDNS(
    params.pushNotificationConfig.url,
    'Push notification URL'
  )
--- a/apps/sim/app/api/files/parse/route.ts
+++ b/apps/sim/app/api/files/parse/route.ts
@@ -6,7 +6,11 @@ import { createLogger } from '@sim/logger'
 import binaryExtensionsList from 'binary-extensions'
 import { type NextRequest, NextResponse } from 'next/server'
 import { checkHybridAuth } from '@/lib/auth/hybrid'
-import { secureFetchWithPinnedIP, validateUrlWithDNS } from '@/lib/core/security/input-validation'
+import {
  secureFetchWithPinnedIP,
  validateUrlWithDNS,
 } from '@/lib/core/security/input-validation.server'
 import { sanitizeUrlForLog } from '@/lib/core/utils/logging'
 import { isSupportedFileType, parseFile } from '@/lib/file-parsers'
 import { isUsingCloudStorage, type StorageContext, StorageService } from '@/lib/uploads'
 import { uploadExecutionFile } from '@/lib/uploads/contexts/execution'
@@ -19,6 +23,7 @@ import {
  getMimeTypeFromExtension,
  getViewerUrl,
  inferContextFromKey,
  isInternalFileUrl,
 } from '@/lib/uploads/utils/file-utils'
 import { getUserEntityPermissions } from '@/lib/workspaces/permissions/utils'
 import { verifyFileAccess } from '@/app/api/files/authorization'
@@ -215,7 +220,7 @@ async function parseFileSingle(
    }
  }
-  if (filePath.includes('/api/files/serve/')) {
+  if (isInternalFileUrl(filePath)) {
    return handleCloudFile(filePath, fileType, undefined, userId, executionContext)
  }
@@ -246,7 +251,7 @@ function validateFilePath(filePath: string): { isValid: boolean; error?: string
    return { isValid: false, error: 'Invalid path: tilde character not allowed' }
  }
-  if (filePath.startsWith('/') && !filePath.startsWith('/api/files/serve/')) {
+  if (filePath.startsWith('/') && !isInternalFileUrl(filePath)) {
    return { isValid: false, error: 'Path outside allowed directory' }
  }
@@ -420,7 +425,7 @@ async function handleExternalUrl(
    return parseResult
  } catch (error) {
-    logger.error(`Error handling external URL ${url}:`, error)
+    logger.error(`Error handling external URL ${sanitizeUrlForLog(url)}:`, error)
    return {
      success: false,
      error: `Error fetching URL: ${(error as Error).message}`,
--- a/apps/sim/app/api/organizations/[id]/invitations/route.ts
+++ b/apps/sim/app/api/organizations/[id]/invitations/route.ts
@@ -29,7 +29,7 @@ import { hasWorkspaceAdminAccess } from '@/lib/workspaces/permissions/utils'
 import {
  InvitationsNotAllowedError,
  validateInvitationsAllowed,
-} from '@/ee/access-control/utils/permission-check'
+} from '@/executor/utils/permission-check'
 const logger = createLogger('OrganizationInvitations')
--- a/apps/sim/app/api/tools/a2a/send-message/route.ts
+++ b/apps/sim/app/api/tools/a2a/send-message/route.ts
@@ -4,6 +4,7 @@ import { type NextRequest, NextResponse } from 'next/server'
 import { z } from 'zod'
 import { createA2AClient, extractTextContent, isTerminalState } from '@/lib/a2a/utils'
 import { checkHybridAuth } from '@/lib/auth/hybrid'
 import { validateUrlWithDNS } from '@/lib/core/security/input-validation.server'
 import { generateRequestId } from '@/lib/core/utils/request'
 export const dynamic = 'force-dynamic'
@@ -95,6 +96,14 @@ export async function POST(request: NextRequest) {
    if (validatedData.files && validatedData.files.length > 0) {
      for (const file of validatedData.files) {
        if (file.type === 'url') {
          const urlValidation = await validateUrlWithDNS(file.data, 'fileUrl')
          if (!urlValidation.isValid) {
            return NextResponse.json(
              { success: false, error: urlValidation.error },
              { status: 400 }
            )
          }
          const filePart: FilePart = {
            kind: 'file',
            file: {
--- a/apps/sim/app/api/tools/a2a/set-push-notification/route.ts
+++ b/apps/sim/app/api/tools/a2a/set-push-notification/route.ts
@@ -3,7 +3,7 @@ import { type NextRequest, NextResponse } from 'next/server'
 import { z } from 'zod'
 import { createA2AClient } from '@/lib/a2a/utils'
 import { checkHybridAuth } from '@/lib/auth/hybrid'
-import { validateExternalUrl } from '@/lib/core/security/input-validation'
+import { validateUrlWithDNS } from '@/lib/core/security/input-validation.server'
 import { generateRequestId } from '@/lib/core/utils/request'
 export const dynamic = 'force-dynamic'
@@ -40,7 +40,7 @@ export async function POST(request: NextRequest) {
    const body = await request.json()
    const validatedData = A2ASetPushNotificationSchema.parse(body)
-    const urlValidation = validateExternalUrl(validatedData.webhookUrl, 'Webhook URL')
+    const urlValidation = await validateUrlWithDNS(validatedData.webhookUrl, 'Webhook URL')
    if (!urlValidation.isValid) {
      logger.warn(`[${requestId}] Invalid webhook URL`, { error: urlValidation.error })
      return NextResponse.json(
--- a/apps/sim/app/api/tools/confluence/upload-attachment/route.ts
+++ b/apps/sim/app/api/tools/confluence/upload-attachment/route.ts
@@ -92,6 +92,9 @@ export async function POST(request: NextRequest) {
      formData.append('comment', comment)
    }
    // Add minorEdit field as required by Confluence API
    formData.append('minorEdit', 'false')
    const response = await fetch(url, {
      method: 'POST',
      headers: {
--- a/apps/sim/app/api/tools/discord/send-message/route.ts
+++ b/apps/sim/app/api/tools/discord/send-message/route.ts
@@ -4,6 +4,7 @@ import { z } from 'zod'
 import { checkInternalAuth } from '@/lib/auth/hybrid'
 import { validateNumericId } from '@/lib/core/security/input-validation'
 import { generateRequestId } from '@/lib/core/utils/request'
 import { RawFileInputArraySchema } from '@/lib/uploads/utils/file-schemas'
 import { processFilesToUserFiles } from '@/lib/uploads/utils/file-utils'
 import { downloadFileFromStorage } from '@/lib/uploads/utils/file-utils.server'
@@ -15,7 +16,7 @@ const DiscordSendMessageSchema = z.object({
  botToken: z.string().min(1, 'Bot token is required'),
  channelId: z.string().min(1, 'Channel ID is required'),
  content: z.string().optional().nullable(),
-  files: z.array(z.any()).optional().nullable(),
+  files: RawFileInputArraySchema.optional().nullable(),
 })
 export async function POST(request: NextRequest) {
@@ -101,6 +102,12 @@ export async function POST(request: NextRequest) {
    logger.info(`[${requestId}] Processing ${validatedData.files.length} file(s)`)
    const userFiles = processFilesToUserFiles(validatedData.files, requestId, logger)
    const filesOutput: Array<{
      name: string
      mimeType: string
      data: string
      size: number
    }> = []
    if (userFiles.length === 0) {
      logger.warn(`[${requestId}] No valid files to upload, falling back to text-only`)
@@ -137,6 +144,12 @@ export async function POST(request: NextRequest) {
      logger.info(`[${requestId}] Downloading file ${i}: ${userFile.name}`)
      const buffer = await downloadFileFromStorage(userFile, requestId, logger)
      filesOutput.push({
        name: userFile.name,
        mimeType: userFile.type || 'application/octet-stream',
        data: buffer.toString('base64'),
        size: buffer.length,
      })
      const blob = new Blob([new Uint8Array(buffer)], { type: userFile.type })
      formData.append(`files[${i}]`, blob, userFile.name)
@@ -173,6 +186,7 @@ export async function POST(request: NextRequest) {
        message: data.content,
        data: data,
        fileCount: userFiles.length,
        files: filesOutput,
      },
    })
  } catch (error) {
--- a/apps/sim/app/api/tools/dropbox/upload/route.ts
+++ b/apps/sim/app/api/tools/dropbox/upload/route.ts
@@ -0,0 +1,141 @@
 import { createLogger } from '@sim/logger'
 import { type NextRequest, NextResponse } from 'next/server'
 import { z } from 'zod'
 import { checkInternalAuth } from '@/lib/auth/hybrid'
 import { generateRequestId } from '@/lib/core/utils/request'
 import { FileInputSchema } from '@/lib/uploads/utils/file-schemas'
 import { processFilesToUserFiles, type RawFileInput } from '@/lib/uploads/utils/file-utils'
 import { downloadFileFromStorage } from '@/lib/uploads/utils/file-utils.server'
 export const dynamic = 'force-dynamic'
 const logger = createLogger('DropboxUploadAPI')
 /**
 * Escapes non-ASCII characters in JSON string for HTTP header safety.
 * Dropbox API requires characters 0x7F and all non-ASCII to be escaped as \uXXXX.
 */
 function httpHeaderSafeJson(value: object): string {
  return JSON.stringify(value).replace(/[\u007f-\uffff]/g, (c) => {
    return '\\u' + ('0000' + c.charCodeAt(0).toString(16)).slice(-4)
  })
 }
 const DropboxUploadSchema = z.object({
  accessToken: z.string().min(1, 'Access token is required'),
  path: z.string().min(1, 'Destination path is required'),
  file: FileInputSchema.optional().nullable(),
  // Legacy field for backwards compatibility
  fileContent: z.string().optional().nullable(),
  fileName: z.string().optional().nullable(),
  mode: z.enum(['add', 'overwrite']).optional().nullable(),
  autorename: z.boolean().optional().nullable(),
  mute: z.boolean().optional().nullable(),
 })
 export async function POST(request: NextRequest) {
  const requestId = generateRequestId()
  try {
    const authResult = await checkInternalAuth(request, { requireWorkflowId: false })
    if (!authResult.success) {
      logger.warn(`[${requestId}] Unauthorized Dropbox upload attempt: ${authResult.error}`)
      return NextResponse.json(
        { success: false, error: authResult.error || 'Authentication required' },
        { status: 401 }
      )
    }
    logger.info(`[${requestId}] Authenticated Dropbox upload request via ${authResult.authType}`)
    const body = await request.json()
    const validatedData = DropboxUploadSchema.parse(body)
    let fileBuffer: Buffer
    let fileName: string
    // Prefer UserFile input, fall back to legacy base64 string
    if (validatedData.file) {
      // Process UserFile input
      const userFiles = processFilesToUserFiles(
        [validatedData.file as RawFileInput],
        requestId,
        logger
      )
      if (userFiles.length === 0) {
        return NextResponse.json({ success: false, error: 'Invalid file input' }, { status: 400 })
      }
      const userFile = userFiles[0]
      logger.info(`[${requestId}] Downloading file: ${userFile.name} (${userFile.size} bytes)`)
      fileBuffer = await downloadFileFromStorage(userFile, requestId, logger)
      fileName = userFile.name
    } else if (validatedData.fileContent) {
      // Legacy: base64 string input (backwards compatibility)
      logger.info(`[${requestId}] Using legacy base64 content input`)
      fileBuffer = Buffer.from(validatedData.fileContent, 'base64')
      fileName = validatedData.fileName || 'file'
    } else {
      return NextResponse.json({ success: false, error: 'File is required' }, { status: 400 })
    }
    // Determine final path
    let finalPath = validatedData.path
    if (finalPath.endsWith('/')) {
      finalPath = `${finalPath}${fileName}`
    }
    logger.info(`[${requestId}] Uploading to Dropbox: ${finalPath} (${fileBuffer.length} bytes)`)
    const dropboxApiArg = {
      path: finalPath,
      mode: validatedData.mode || 'add',
      autorename: validatedData.autorename ?? true,
      mute: validatedData.mute ?? false,
    }
    const response = await fetch('https://content.dropboxapi.com/2/files/upload', {
      method: 'POST',
      headers: {
        Authorization: `Bearer ${validatedData.accessToken}`,
        'Content-Type': 'application/octet-stream',
        'Dropbox-API-Arg': httpHeaderSafeJson(dropboxApiArg),
      },
      body: new Uint8Array(fileBuffer),
    })
    const data = await response.json()
    if (!response.ok) {
      const errorMessage = data.error_summary || data.error?.message || 'Failed to upload file'
      logger.error(`[${requestId}] Dropbox API error:`, { status: response.status, data })
      return NextResponse.json({ success: false, error: errorMessage }, { status: response.status })
    }
    logger.info(`[${requestId}] File uploaded successfully to ${data.path_display}`)
    return NextResponse.json({
      success: true,
      output: {
        file: data,
      },
    })
  } catch (error) {
    if (error instanceof z.ZodError) {
      logger.warn(`[${requestId}] Validation error:`, error.errors)
      return NextResponse.json(
        { success: false, error: error.errors[0]?.message || 'Validation failed' },
        { status: 400 }
      )
    }
    logger.error(`[${requestId}] Unexpected error:`, error)
    return NextResponse.json(
      { success: false, error: error instanceof Error ? error.message : 'Unknown error' },
      { status: 500 }
    )
  }
 }
--- a/apps/sim/app/api/tools/github/latest-commit/route.ts
+++ b/apps/sim/app/api/tools/github/latest-commit/route.ts
@@ -0,0 +1,195 @@
 import { createLogger } from '@sim/logger'
 import { type NextRequest, NextResponse } from 'next/server'
 import { z } from 'zod'
 import { checkInternalAuth } from '@/lib/auth/hybrid'
 import {
  secureFetchWithPinnedIP,
  validateUrlWithDNS,
 } from '@/lib/core/security/input-validation.server'
 import { generateRequestId } from '@/lib/core/utils/request'
 export const dynamic = 'force-dynamic'
 const logger = createLogger('GitHubLatestCommitAPI')
 interface GitHubErrorResponse {
  message?: string
 }
 interface GitHubCommitResponse {
  sha: string
  html_url: string
  commit: {
    message: string
    author: { name: string; email: string; date: string }
    committer: { name: string; email: string; date: string }
  }
  author?: { login: string; avatar_url: string; html_url: string }
  committer?: { login: string; avatar_url: string; html_url: string }
  stats?: { additions: number; deletions: number; total: number }
  files?: Array<{
    filename: string
    status: string
    additions: number
    deletions: number
    changes: number
    patch?: string
    raw_url?: string
    blob_url?: string
  }>
 }
 const GitHubLatestCommitSchema = z.object({
  owner: z.string().min(1, 'Owner is required'),
  repo: z.string().min(1, 'Repo is required'),
  branch: z.string().optional().nullable(),
  apiKey: z.string().min(1, 'API key is required'),
 })
 export async function POST(request: NextRequest) {
  const requestId = generateRequestId()
  try {
    const authResult = await checkInternalAuth(request, { requireWorkflowId: false })
    if (!authResult.success) {
      logger.warn(`[${requestId}] Unauthorized GitHub latest commit attempt: ${authResult.error}`)
      return NextResponse.json(
        {
          success: false,
          error: authResult.error || 'Authentication required',
        },
        { status: 401 }
      )
    }
    const body = await request.json()
    const validatedData = GitHubLatestCommitSchema.parse(body)
    const { owner, repo, branch, apiKey } = validatedData
    const baseUrl = `https://api.github.com/repos/${owner}/${repo}`
    const commitUrl = branch ? `${baseUrl}/commits/${branch}` : `${baseUrl}/commits/HEAD`
    logger.info(`[${requestId}] Fetching latest commit from GitHub`, { owner, repo, branch })
    const urlValidation = await validateUrlWithDNS(commitUrl, 'commitUrl')
    if (!urlValidation.isValid) {
      return NextResponse.json({ success: false, error: urlValidation.error }, { status: 400 })
    }
    const response = await secureFetchWithPinnedIP(commitUrl, urlValidation.resolvedIP!, {
      method: 'GET',
      headers: {
        Accept: 'application/vnd.github.v3+json',
        Authorization: `Bearer ${apiKey}`,
        'X-GitHub-Api-Version': '2022-11-28',
      },
    })
    if (!response.ok) {
      const errorData = (await response.json().catch(() => ({}))) as GitHubErrorResponse
      logger.error(`[${requestId}] GitHub API error`, {
        status: response.status,
        error: errorData,
      })
      return NextResponse.json(
        { success: false, error: errorData.message || `GitHub API error: ${response.status}` },
        { status: 400 }
      )
    }
    const data = (await response.json()) as GitHubCommitResponse
    const content = `Latest commit: "${data.commit.message}" by ${data.commit.author.name} on ${data.commit.author.date}. SHA: ${data.sha}`
    const files = data.files || []
    const fileDetailsWithContent = []
    for (const file of files) {
      const fileDetail: Record<string, any> = {
        filename: file.filename,
        additions: file.additions,
        deletions: file.deletions,
        changes: file.changes,
        status: file.status,
        raw_url: file.raw_url,
        blob_url: file.blob_url,
        patch: file.patch,
        content: undefined,
      }
      if (file.status !== 'removed' && file.raw_url) {
        try {
          const rawUrlValidation = await validateUrlWithDNS(file.raw_url, 'rawUrl')
          if (rawUrlValidation.isValid) {
            const contentResponse = await secureFetchWithPinnedIP(
              file.raw_url,
              rawUrlValidation.resolvedIP!,
              {
                headers: {
                  Authorization: `Bearer ${apiKey}`,
                  'X-GitHub-Api-Version': '2022-11-28',
                },
              }
            )
            if (contentResponse.ok) {
              fileDetail.content = await contentResponse.text()
            }
          }
        } catch (error) {
          logger.warn(`[${requestId}] Failed to fetch content for ${file.filename}:`, error)
        }
      }
      fileDetailsWithContent.push(fileDetail)
    }
    logger.info(`[${requestId}] Latest commit fetched successfully`, {
      sha: data.sha,
      fileCount: files.length,
    })
    return NextResponse.json({
      success: true,
      output: {
        content,
        metadata: {
          sha: data.sha,
          html_url: data.html_url,
          commit_message: data.commit.message,
          author: {
            name: data.commit.author.name,
            login: data.author?.login || 'Unknown',
            avatar_url: data.author?.avatar_url || '',
            html_url: data.author?.html_url || '',
          },
          committer: {
            name: data.commit.committer.name,
            login: data.committer?.login || 'Unknown',
            avatar_url: data.committer?.avatar_url || '',
            html_url: data.committer?.html_url || '',
          },
          stats: data.stats
            ? {
                additions: data.stats.additions,
                deletions: data.stats.deletions,
                total: data.stats.total,
              }
            : undefined,
          files: fileDetailsWithContent.length > 0 ? fileDetailsWithContent : undefined,
        },
      },
    })
  } catch (error) {
    logger.error(`[${requestId}] Error fetching GitHub latest commit:`, error)
    return NextResponse.json(
      {
        success: false,
        error: error instanceof Error ? error.message : 'Unknown error occurred',
      },
      { status: 500 }
    )
  }
 }
--- a/apps/sim/app/api/tools/gmail/draft/route.ts
+++ b/apps/sim/app/api/tools/gmail/draft/route.ts
@@ -3,6 +3,7 @@ import { type NextRequest, NextResponse } from 'next/server'
 import { z } from 'zod'
 import { checkInternalAuth } from '@/lib/auth/hybrid'
 import { generateRequestId } from '@/lib/core/utils/request'
 import { RawFileInputArraySchema } from '@/lib/uploads/utils/file-schemas'
 import { processFilesToUserFiles } from '@/lib/uploads/utils/file-utils'
 import { downloadFileFromStorage } from '@/lib/uploads/utils/file-utils.server'
 import {
@@ -28,7 +29,7 @@ const GmailDraftSchema = z.object({
  replyToMessageId: z.string().optional().nullable(),
  cc: z.string().optional().nullable(),
  bcc: z.string().optional().nullable(),
-  attachments: z.array(z.any()).optional().nullable(),
+  attachments: RawFileInputArraySchema.optional().nullable(),
 })
 export async function POST(request: NextRequest) {
--- a/apps/sim/app/api/tools/gmail/send/route.ts
+++ b/apps/sim/app/api/tools/gmail/send/route.ts
@@ -3,6 +3,7 @@ import { type NextRequest, NextResponse } from 'next/server'
 import { z } from 'zod'
 import { checkInternalAuth } from '@/lib/auth/hybrid'
 import { generateRequestId } from '@/lib/core/utils/request'
 import { RawFileInputArraySchema } from '@/lib/uploads/utils/file-schemas'
 import { processFilesToUserFiles } from '@/lib/uploads/utils/file-utils'
 import { downloadFileFromStorage } from '@/lib/uploads/utils/file-utils.server'
 import {
@@ -28,7 +29,7 @@ const GmailSendSchema = z.object({
  replyToMessageId: z.string().optional().nullable(),
  cc: z.string().optional().nullable(),
  bcc: z.string().optional().nullable(),
-  attachments: z.array(z.any()).optional().nullable(),
+  attachments: RawFileInputArraySchema.optional().nullable(),
 })
 export async function POST(request: NextRequest) {
--- a/apps/sim/app/api/tools/google_drive/download/route.ts
+++ b/apps/sim/app/api/tools/google_drive/download/route.ts
@@ -0,0 +1,252 @@
 import { createLogger } from '@sim/logger'
 import { type NextRequest, NextResponse } from 'next/server'
 import { z } from 'zod'
 import { checkInternalAuth } from '@/lib/auth/hybrid'
 import {
  secureFetchWithPinnedIP,
  validateUrlWithDNS,
 } from '@/lib/core/security/input-validation.server'
 import { generateRequestId } from '@/lib/core/utils/request'
 import type { GoogleDriveFile, GoogleDriveRevision } from '@/tools/google_drive/types'
 import {
  ALL_FILE_FIELDS,
  ALL_REVISION_FIELDS,
  DEFAULT_EXPORT_FORMATS,
  GOOGLE_WORKSPACE_MIME_TYPES,
 } from '@/tools/google_drive/utils'
 export const dynamic = 'force-dynamic'
 const logger = createLogger('GoogleDriveDownloadAPI')
 /** Google API error response structure */
 interface GoogleApiErrorResponse {
  error?: {
    message?: string
    code?: number
    status?: string
  }
 }
 /** Google Drive revisions list response */
 interface GoogleDriveRevisionsResponse {
  revisions?: GoogleDriveRevision[]
  nextPageToken?: string
 }
 const GoogleDriveDownloadSchema = z.object({
  accessToken: z.string().min(1, 'Access token is required'),
  fileId: z.string().min(1, 'File ID is required'),
  mimeType: z.string().optional().nullable(),
  fileName: z.string().optional().nullable(),
  includeRevisions: z.boolean().optional().default(true),
 })
 export async function POST(request: NextRequest) {
  const requestId = generateRequestId()
  try {
    const authResult = await checkInternalAuth(request, { requireWorkflowId: false })
    if (!authResult.success) {
      logger.warn(`[${requestId}] Unauthorized Google Drive download attempt: ${authResult.error}`)
      return NextResponse.json(
        {
          success: false,
          error: authResult.error || 'Authentication required',
        },
        { status: 401 }
      )
    }
    const body = await request.json()
    const validatedData = GoogleDriveDownloadSchema.parse(body)
    const {
      accessToken,
      fileId,
      mimeType: exportMimeType,
      fileName,
      includeRevisions,
    } = validatedData
    const authHeader = `Bearer ${accessToken}`
    logger.info(`[${requestId}] Getting file metadata from Google Drive`, { fileId })
    const metadataUrl = `https://www.googleapis.com/drive/v3/files/${fileId}?fields=${ALL_FILE_FIELDS}&supportsAllDrives=true`
    const metadataUrlValidation = await validateUrlWithDNS(metadataUrl, 'metadataUrl')
    if (!metadataUrlValidation.isValid) {
      return NextResponse.json(
        { success: false, error: metadataUrlValidation.error },
        { status: 400 }
      )
    }
    const metadataResponse = await secureFetchWithPinnedIP(
      metadataUrl,
      metadataUrlValidation.resolvedIP!,
      {
        headers: { Authorization: authHeader },
      }
    )
    if (!metadataResponse.ok) {
      const errorDetails = (await metadataResponse
        .json()
        .catch(() => ({}))) as GoogleApiErrorResponse
      logger.error(`[${requestId}] Failed to get file metadata`, {
        status: metadataResponse.status,
        error: errorDetails,
      })
      return NextResponse.json(
        { success: false, error: errorDetails.error?.message || 'Failed to get file metadata' },
        { status: 400 }
      )
    }
    const metadata = (await metadataResponse.json()) as GoogleDriveFile
    const fileMimeType = metadata.mimeType
    let fileBuffer: Buffer
    let finalMimeType = fileMimeType
    if (GOOGLE_WORKSPACE_MIME_TYPES.includes(fileMimeType)) {
      const exportFormat = exportMimeType || DEFAULT_EXPORT_FORMATS[fileMimeType] || 'text/plain'
      finalMimeType = exportFormat
      logger.info(`[${requestId}] Exporting Google Workspace file`, {
        fileId,
        mimeType: fileMimeType,
        exportFormat,
      })
      const exportUrl = `https://www.googleapis.com/drive/v3/files/${fileId}/export?mimeType=${encodeURIComponent(exportFormat)}&supportsAllDrives=true`
      const exportUrlValidation = await validateUrlWithDNS(exportUrl, 'exportUrl')
      if (!exportUrlValidation.isValid) {
        return NextResponse.json(
          { success: false, error: exportUrlValidation.error },
          { status: 400 }
        )
      }
      const exportResponse = await secureFetchWithPinnedIP(
        exportUrl,
        exportUrlValidation.resolvedIP!,
        { headers: { Authorization: authHeader } }
      )
      if (!exportResponse.ok) {
        const exportError = (await exportResponse
          .json()
          .catch(() => ({}))) as GoogleApiErrorResponse
        logger.error(`[${requestId}] Failed to export file`, {
          status: exportResponse.status,
          error: exportError,
        })
        return NextResponse.json(
          {
            success: false,
            error: exportError.error?.message || 'Failed to export Google Workspace file',
          },
          { status: 400 }
        )
      }
      const arrayBuffer = await exportResponse.arrayBuffer()
      fileBuffer = Buffer.from(arrayBuffer)
    } else {
      logger.info(`[${requestId}] Downloading regular file`, { fileId, mimeType: fileMimeType })
      const downloadUrl = `https://www.googleapis.com/drive/v3/files/${fileId}?alt=media&supportsAllDrives=true`
      const downloadUrlValidation = await validateUrlWithDNS(downloadUrl, 'downloadUrl')
      if (!downloadUrlValidation.isValid) {
        return NextResponse.json(
          { success: false, error: downloadUrlValidation.error },
          { status: 400 }
        )
      }
      const downloadResponse = await secureFetchWithPinnedIP(
        downloadUrl,
        downloadUrlValidation.resolvedIP!,
        { headers: { Authorization: authHeader } }
      )
      if (!downloadResponse.ok) {
        const downloadError = (await downloadResponse
          .json()
          .catch(() => ({}))) as GoogleApiErrorResponse
        logger.error(`[${requestId}] Failed to download file`, {
          status: downloadResponse.status,
          error: downloadError,
        })
        return NextResponse.json(
          { success: false, error: downloadError.error?.message || 'Failed to download file' },
          { status: 400 }
        )
      }
      const arrayBuffer = await downloadResponse.arrayBuffer()
      fileBuffer = Buffer.from(arrayBuffer)
    }
    const canReadRevisions = metadata.capabilities?.canReadRevisions === true
    if (includeRevisions && canReadRevisions) {
      try {
        const revisionsUrl = `https://www.googleapis.com/drive/v3/files/${fileId}/revisions?fields=revisions(${ALL_REVISION_FIELDS})&pageSize=100`
        const revisionsUrlValidation = await validateUrlWithDNS(revisionsUrl, 'revisionsUrl')
        if (revisionsUrlValidation.isValid) {
          const revisionsResponse = await secureFetchWithPinnedIP(
            revisionsUrl,
            revisionsUrlValidation.resolvedIP!,
            { headers: { Authorization: authHeader } }
          )
          if (revisionsResponse.ok) {
            const revisionsData = (await revisionsResponse.json()) as GoogleDriveRevisionsResponse
            metadata.revisions = revisionsData.revisions
            logger.info(`[${requestId}] Fetched file revisions`, {
              fileId,
              revisionCount: metadata.revisions?.length || 0,
            })
          }
        }
      } catch (error) {
        logger.warn(`[${requestId}] Error fetching revisions, continuing without them`, { error })
      }
    }
    const resolvedName = fileName || metadata.name || 'download'
    logger.info(`[${requestId}] File downloaded successfully`, {
      fileId,
      name: resolvedName,
      size: fileBuffer.length,
      mimeType: finalMimeType,
    })
    const base64Data = fileBuffer.toString('base64')
    return NextResponse.json({
      success: true,
      output: {
        file: {
          name: resolvedName,
          mimeType: finalMimeType,
          data: base64Data,
          size: fileBuffer.length,
        },
        metadata,
      },
    })
  } catch (error) {
    logger.error(`[${requestId}] Error downloading Google Drive file:`, error)
    return NextResponse.json(
      {
        success: false,
        error: error instanceof Error ? error.message : 'Unknown error occurred',
      },
      { status: 500 }
    )
  }
 }
--- a/apps/sim/app/api/tools/google_drive/upload/route.ts
+++ b/apps/sim/app/api/tools/google_drive/upload/route.ts
@@ -3,6 +3,7 @@ import { type NextRequest, NextResponse } from 'next/server'
 import { z } from 'zod'
 import { checkInternalAuth } from '@/lib/auth/hybrid'
 import { generateRequestId } from '@/lib/core/utils/request'
 import { RawFileInputSchema } from '@/lib/uploads/utils/file-schemas'
 import { processSingleFileToUserFile } from '@/lib/uploads/utils/file-utils'
 import { downloadFileFromStorage } from '@/lib/uploads/utils/file-utils.server'
 import {
@@ -20,7 +21,7 @@ const GOOGLE_DRIVE_API_BASE = 'https://www.googleapis.com/upload/drive/v3/files'
 const GoogleDriveUploadSchema = z.object({
  accessToken: z.string().min(1, 'Access token is required'),
  fileName: z.string().min(1, 'File name is required'),
-  file: z.any().optional().nullable(),
+  file: RawFileInputSchema.optional().nullable(),
  mimeType: z.string().optional().nullable(),
  folderId: z.string().optional().nullable(),
 })
--- a/apps/sim/app/api/tools/google_vault/download-export-file/route.ts
+++ b/apps/sim/app/api/tools/google_vault/download-export-file/route.ts
@@ -0,0 +1,131 @@
 import { createLogger } from '@sim/logger'
 import { type NextRequest, NextResponse } from 'next/server'
 import { z } from 'zod'
 import { checkInternalAuth } from '@/lib/auth/hybrid'
 import {
  secureFetchWithPinnedIP,
  validateUrlWithDNS,
 } from '@/lib/core/security/input-validation.server'
 import { generateRequestId } from '@/lib/core/utils/request'
 import { enhanceGoogleVaultError } from '@/tools/google_vault/utils'
 export const dynamic = 'force-dynamic'
 const logger = createLogger('GoogleVaultDownloadExportFileAPI')
 const GoogleVaultDownloadExportFileSchema = z.object({
  accessToken: z.string().min(1, 'Access token is required'),
  bucketName: z.string().min(1, 'Bucket name is required'),
  objectName: z.string().min(1, 'Object name is required'),
  fileName: z.string().optional().nullable(),
 })
 export async function POST(request: NextRequest) {
  const requestId = generateRequestId()
  try {
    const authResult = await checkInternalAuth(request, { requireWorkflowId: false })
    if (!authResult.success) {
      logger.warn(`[${requestId}] Unauthorized Google Vault download attempt: ${authResult.error}`)
      return NextResponse.json(
        {
          success: false,
          error: authResult.error || 'Authentication required',
        },
        { status: 401 }
      )
    }
    const body = await request.json()
    const validatedData = GoogleVaultDownloadExportFileSchema.parse(body)
    const { accessToken, bucketName, objectName, fileName } = validatedData
    const bucket = encodeURIComponent(bucketName)
    const object = encodeURIComponent(objectName)
    const downloadUrl = `https://storage.googleapis.com/storage/v1/b/${bucket}/o/${object}?alt=media`
    logger.info(`[${requestId}] Downloading file from Google Vault`, { bucketName, objectName })
    const urlValidation = await validateUrlWithDNS(downloadUrl, 'downloadUrl')
    if (!urlValidation.isValid) {
      return NextResponse.json(
        { success: false, error: enhanceGoogleVaultError(urlValidation.error || 'Invalid URL') },
        { status: 400 }
      )
    }
    const downloadResponse = await secureFetchWithPinnedIP(downloadUrl, urlValidation.resolvedIP!, {
      method: 'GET',
      headers: {
        Authorization: `Bearer ${accessToken}`,
      },
    })
    if (!downloadResponse.ok) {
      const errorText = await downloadResponse.text().catch(() => '')
      const errorMessage = `Failed to download file: ${errorText || downloadResponse.statusText}`
      logger.error(`[${requestId}] Failed to download Vault export file`, {
        status: downloadResponse.status,
        error: errorText,
      })
      return NextResponse.json(
        { success: false, error: enhanceGoogleVaultError(errorMessage) },
        { status: 400 }
      )
    }
    const contentType = downloadResponse.headers.get('content-type') || 'application/octet-stream'
    const disposition = downloadResponse.headers.get('content-disposition') || ''
    const match = disposition.match(/filename\*=UTF-8''([^;]+)|filename="([^"]+)"/)
    let resolvedName = fileName
    if (!resolvedName) {
      if (match?.[1]) {
        try {
          resolvedName = decodeURIComponent(match[1])
        } catch {
          resolvedName = match[1]
        }
      } else if (match?.[2]) {
        resolvedName = match[2]
      } else if (objectName) {
        const parts = objectName.split('/')
        resolvedName = parts[parts.length - 1] || 'vault-export.bin'
      } else {
        resolvedName = 'vault-export.bin'
      }
    }
    const arrayBuffer = await downloadResponse.arrayBuffer()
    const buffer = Buffer.from(arrayBuffer)
    logger.info(`[${requestId}] Vault export file downloaded successfully`, {
      name: resolvedName,
      size: buffer.length,
      mimeType: contentType,
    })
    return NextResponse.json({
      success: true,
      output: {
        file: {
          name: resolvedName,
          mimeType: contentType,
          data: buffer.toString('base64'),
          size: buffer.length,
        },
      },
    })
  } catch (error) {
    logger.error(`[${requestId}] Error downloading Google Vault export file:`, error)
    return NextResponse.json(
      {
        success: false,
        error: error instanceof Error ? error.message : 'Unknown error occurred',
      },
      { status: 500 }
    )
  }
 }
--- a/apps/sim/app/api/tools/image/route.ts
+++ b/apps/sim/app/api/tools/image/route.ts
@@ -1,7 +1,10 @@
 import { createLogger } from '@sim/logger'
 import { type NextRequest, NextResponse } from 'next/server'
 import { checkInternalAuth } from '@/lib/auth/hybrid'
-import { validateImageUrl } from '@/lib/core/security/input-validation'
+import {
  secureFetchWithPinnedIP,
  validateUrlWithDNS,
 } from '@/lib/core/security/input-validation.server'
 import { generateRequestId } from '@/lib/core/utils/request'
 const logger = createLogger('ImageProxyAPI')
@@ -26,7 +29,7 @@ export async function GET(request: NextRequest) {
    return new NextResponse('Missing URL parameter', { status: 400 })
  }
-  const urlValidation = validateImageUrl(imageUrl)
+  const urlValidation = await validateUrlWithDNS(imageUrl, 'imageUrl')
  if (!urlValidation.isValid) {
    logger.warn(`[${requestId}] Blocked image proxy request`, {
      url: imageUrl.substring(0, 100),
@@ -38,7 +41,8 @@ export async function GET(request: NextRequest) {
  logger.info(`[${requestId}] Proxying image request for: ${imageUrl}`)
  try {
-    const imageResponse = await fetch(imageUrl, {
+    const imageResponse = await secureFetchWithPinnedIP(imageUrl, urlValidation.resolvedIP!, {
      method: 'GET',
      headers: {
        'User-Agent':
          'Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36',
@@ -64,14 +68,14 @@ export async function GET(request: NextRequest) {
    const contentType = imageResponse.headers.get('content-type') || 'image/jpeg'
-    const imageBlob = await imageResponse.blob()
+    const imageArrayBuffer = await imageResponse.arrayBuffer()
-    if (imageBlob.size === 0) {
+    if (imageArrayBuffer.byteLength === 0) {
-      logger.error(`[${requestId}] Empty image blob received`)
+      logger.error(`[${requestId}] Empty image received`)
      return new NextResponse('Empty image received', { status: 404 })
    }
-    return new NextResponse(imageBlob, {
+    return new NextResponse(imageArrayBuffer, {
      headers: {
        'Content-Type': contentType,
        'Access-Control-Allow-Origin': '*',
--- a/apps/sim/app/api/tools/jira/add-attachment/route.ts
+++ b/apps/sim/app/api/tools/jira/add-attachment/route.ts
@@ -0,0 +1,121 @@
 import { createLogger } from '@sim/logger'
 import { type NextRequest, NextResponse } from 'next/server'
 import { z } from 'zod'
 import { checkInternalAuth } from '@/lib/auth/hybrid'
 import { RawFileInputArraySchema } from '@/lib/uploads/utils/file-schemas'
 import { processFilesToUserFiles } from '@/lib/uploads/utils/file-utils'
 import { downloadFileFromStorage } from '@/lib/uploads/utils/file-utils.server'
 import { getJiraCloudId } from '@/tools/jira/utils'
 const logger = createLogger('JiraAddAttachmentAPI')
 export const dynamic = 'force-dynamic'
 const JiraAddAttachmentSchema = z.object({
  accessToken: z.string().min(1, 'Access token is required'),
  domain: z.string().min(1, 'Domain is required'),
  issueKey: z.string().min(1, 'Issue key is required'),
  files: RawFileInputArraySchema,
  cloudId: z.string().optional().nullable(),
 })
 export async function POST(request: NextRequest) {
  const requestId = `jira-attach-${Date.now()}`
  try {
    const authResult = await checkInternalAuth(request, { requireWorkflowId: false })
    if (!authResult.success) {
      return NextResponse.json(
        { success: false, error: authResult.error || 'Unauthorized' },
        { status: 401 }
      )
    }
    const body = await request.json()
    const validatedData = JiraAddAttachmentSchema.parse(body)
    const userFiles = processFilesToUserFiles(validatedData.files, requestId, logger)
    if (userFiles.length === 0) {
      return NextResponse.json(
        { success: false, error: 'No valid files provided for upload' },
        { status: 400 }
      )
    }
    const cloudId =
      validatedData.cloudId ||
      (await getJiraCloudId(validatedData.domain, validatedData.accessToken))
    const formData = new FormData()
    const filesOutput: Array<{ name: string; mimeType: string; data: string; size: number }> = []
    for (const file of userFiles) {
      const buffer = await downloadFileFromStorage(file, requestId, logger)
      filesOutput.push({
        name: file.name,
        mimeType: file.type || 'application/octet-stream',
        data: buffer.toString('base64'),
        size: buffer.length,
      })
      const blob = new Blob([new Uint8Array(buffer)], {
        type: file.type || 'application/octet-stream',
      })
      formData.append('file', blob, file.name)
    }
    const url = `https://api.atlassian.com/ex/jira/${cloudId}/rest/api/3/issue/${validatedData.issueKey}/attachments`
    const response = await fetch(url, {
      method: 'POST',
      headers: {
        Authorization: `Bearer ${validatedData.accessToken}`,
        'X-Atlassian-Token': 'no-check',
      },
      body: formData,
    })
    if (!response.ok) {
      const errorText = await response.text()
      logger.error(`[${requestId}] Jira attachment upload failed`, {
        status: response.status,
        statusText: response.statusText,
        error: errorText,
      })
      return NextResponse.json(
        {
          success: false,
          error: `Failed to upload attachments: ${response.statusText}`,
        },
        { status: response.status }
      )
    }
    const attachments = await response.json()
    const attachmentIds = Array.isArray(attachments)
      ? attachments.map((attachment) => attachment.id).filter(Boolean)
      : []
    return NextResponse.json({
      success: true,
      output: {
        ts: new Date().toISOString(),
        issueKey: validatedData.issueKey,
        attachmentIds,
        files: filesOutput,
      },
    })
  } catch (error) {
    if (error instanceof z.ZodError) {
      return NextResponse.json(
        { success: false, error: 'Invalid request data', details: error.errors },
        { status: 400 }
      )
    }
    logger.error(`[${requestId}] Jira attachment upload error`, error)
    return NextResponse.json(
      { success: false, error: error instanceof Error ? error.message : 'Internal server error' },
      { status: 500 }
    )
  }
 }
--- a/apps/sim/app/api/tools/microsoft_teams/write_channel/route.ts
+++ b/apps/sim/app/api/tools/microsoft_teams/write_channel/route.ts
@@ -2,9 +2,11 @@ import { createLogger } from '@sim/logger'
 import { type NextRequest, NextResponse } from 'next/server'
 import { z } from 'zod'
 import { checkInternalAuth } from '@/lib/auth/hybrid'
 import { secureFetchWithValidation } from '@/lib/core/security/input-validation.server'
 import { generateRequestId } from '@/lib/core/utils/request'
-import { processFilesToUserFiles } from '@/lib/uploads/utils/file-utils'
+import { RawFileInputArraySchema } from '@/lib/uploads/utils/file-schemas'
-import { downloadFileFromStorage } from '@/lib/uploads/utils/file-utils.server'
+import { uploadFilesForTeamsMessage } from '@/tools/microsoft_teams/server-utils'
 import type { GraphApiErrorResponse, GraphChatMessage } from '@/tools/microsoft_teams/types'
 import { resolveMentionsForChannel, type TeamsMention } from '@/tools/microsoft_teams/utils'
 export const dynamic = 'force-dynamic'
@@ -16,7 +18,7 @@ const TeamsWriteChannelSchema = z.object({
  teamId: z.string().min(1, 'Team ID is required'),
  channelId: z.string().min(1, 'Channel ID is required'),
  content: z.string().min(1, 'Message content is required'),
-  files: z.array(z.any()).optional().nullable(),
+  files: RawFileInputArraySchema.optional().nullable(),
 })
 export async function POST(request: NextRequest) {
@@ -53,93 +55,12 @@ export async function POST(request: NextRequest) {
      fileCount: validatedData.files?.length || 0,
    })
-    const attachments: any[] = []
+    const { attachments, filesOutput } = await uploadFilesForTeamsMessage({
-    if (validatedData.files && validatedData.files.length > 0) {
+      rawFiles: validatedData.files || [],
-      const rawFiles = validatedData.files
+      accessToken: validatedData.accessToken,
-      logger.info(`[${requestId}] Processing ${rawFiles.length} file(s) for upload to OneDrive`)
+      requestId,
-
+      logger,
-      const userFiles = processFilesToUserFiles(rawFiles, requestId, logger)
+    })
      for (const file of userFiles) {
        try {
          logger.info(`[${requestId}] Uploading file to Teams: ${file.name} (${file.size} bytes)`)
          const buffer = await downloadFileFromStorage(file, requestId, logger)
          const uploadUrl =
            'https://graph.microsoft.com/v1.0/me/drive/root:/TeamsAttachments/' +
            encodeURIComponent(file.name) +
            ':/content'
          logger.info(`[${requestId}] Uploading to Teams: ${uploadUrl}`)
          const uploadResponse = await fetch(uploadUrl, {
            method: 'PUT',
            headers: {
              Authorization: `Bearer ${validatedData.accessToken}`,
              'Content-Type': file.type || 'application/octet-stream',
            },
            body: new Uint8Array(buffer),
          })
          if (!uploadResponse.ok) {
            const errorData = await uploadResponse.json().catch(() => ({}))
            logger.error(`[${requestId}] Teams upload failed:`, errorData)
            throw new Error(
              `Failed to upload file to Teams: ${errorData.error?.message || 'Unknown error'}`
            )
          }
          const uploadedFile = await uploadResponse.json()
          logger.info(`[${requestId}] File uploaded to Teams successfully`, {
            id: uploadedFile.id,
            webUrl: uploadedFile.webUrl,
          })
          const fileDetailsUrl = `https://graph.microsoft.com/v1.0/me/drive/items/${uploadedFile.id}?$select=id,name,webDavUrl,eTag,size`
          const fileDetailsResponse = await fetch(fileDetailsUrl, {
            headers: {
              Authorization: `Bearer ${validatedData.accessToken}`,
            },
          })
          if (!fileDetailsResponse.ok) {
            const errorData = await fileDetailsResponse.json().catch(() => ({}))
            logger.error(`[${requestId}] Failed to get file details:`, errorData)
            throw new Error(
              `Failed to get file details: ${errorData.error?.message || 'Unknown error'}`
            )
          }
          const fileDetails = await fileDetailsResponse.json()
          logger.info(`[${requestId}] Got file details`, {
            webDavUrl: fileDetails.webDavUrl,
            eTag: fileDetails.eTag,
          })
          const attachmentId = fileDetails.eTag?.match(/\{([a-f0-9-]+)\}/i)?.[1] || fileDetails.id
          attachments.push({
            id: attachmentId,
            contentType: 'reference',
            contentUrl: fileDetails.webDavUrl,
            name: file.name,
          })
          logger.info(`[${requestId}] Created attachment reference for ${file.name}`)
        } catch (error) {
          logger.error(`[${requestId}] Failed to process file ${file.name}:`, error)
          throw new Error(
            `Failed to process file "${file.name}": ${error instanceof Error ? error.message : 'Unknown error'}`
          )
        }
      }
      logger.info(
        `[${requestId}] All ${attachments.length} file(s) uploaded and attachment references created`
      )
    }
    let messageContent = validatedData.content
    let contentType: 'text' | 'html' = 'text'
@@ -197,17 +118,21 @@ export async function POST(request: NextRequest) {
    const teamsUrl = `https://graph.microsoft.com/v1.0/teams/${encodeURIComponent(validatedData.teamId)}/channels/${encodeURIComponent(validatedData.channelId)}/messages`
-    const teamsResponse = await fetch(teamsUrl, {
+    const teamsResponse = await secureFetchWithValidation(
-      method: 'POST',
+      teamsUrl,
-      headers: {
+      {
-        'Content-Type': 'application/json',
+        method: 'POST',
-        Authorization: `Bearer ${validatedData.accessToken}`,
+        headers: {
          'Content-Type': 'application/json',
          Authorization: `Bearer ${validatedData.accessToken}`,
        },
        body: JSON.stringify(messageBody),
      },
-      body: JSON.stringify(messageBody),
+      'teamsUrl'
-    })
+    )
    if (!teamsResponse.ok) {
-      const errorData = await teamsResponse.json().catch(() => ({}))
+      const errorData = (await teamsResponse.json().catch(() => ({}))) as GraphApiErrorResponse
      logger.error(`[${requestId}] Microsoft Teams API error:`, errorData)
      return NextResponse.json(
        {
@@ -218,7 +143,7 @@ export async function POST(request: NextRequest) {
      )
    }
-    const responseData = await teamsResponse.json()
+    const responseData = (await teamsResponse.json()) as GraphChatMessage
    logger.info(`[${requestId}] Teams channel message sent successfully`, {
      messageId: responseData.id,
      attachmentCount: attachments.length,
@@ -237,6 +162,7 @@ export async function POST(request: NextRequest) {
          url: responseData.webUrl || '',
          attachmentCount: attachments.length,
        },
        files: filesOutput,
      },
    })
  } catch (error) {
--- a/apps/sim/app/api/tools/microsoft_teams/write_chat/route.ts
+++ b/apps/sim/app/api/tools/microsoft_teams/write_chat/route.ts
@@ -2,9 +2,11 @@ import { createLogger } from '@sim/logger'
 import { type NextRequest, NextResponse } from 'next/server'
 import { z } from 'zod'
 import { checkInternalAuth } from '@/lib/auth/hybrid'
 import { secureFetchWithValidation } from '@/lib/core/security/input-validation.server'
 import { generateRequestId } from '@/lib/core/utils/request'
-import { processFilesToUserFiles } from '@/lib/uploads/utils/file-utils'
+import { RawFileInputArraySchema } from '@/lib/uploads/utils/file-schemas'
-import { downloadFileFromStorage } from '@/lib/uploads/utils/file-utils.server'
+import { uploadFilesForTeamsMessage } from '@/tools/microsoft_teams/server-utils'
 import type { GraphApiErrorResponse, GraphChatMessage } from '@/tools/microsoft_teams/types'
 import { resolveMentionsForChat, type TeamsMention } from '@/tools/microsoft_teams/utils'
 export const dynamic = 'force-dynamic'
@@ -15,7 +17,7 @@ const TeamsWriteChatSchema = z.object({
  accessToken: z.string().min(1, 'Access token is required'),
  chatId: z.string().min(1, 'Chat ID is required'),
  content: z.string().min(1, 'Message content is required'),
-  files: z.array(z.any()).optional().nullable(),
+  files: RawFileInputArraySchema.optional().nullable(),
 })
 export async function POST(request: NextRequest) {
@@ -51,93 +53,12 @@ export async function POST(request: NextRequest) {
      fileCount: validatedData.files?.length || 0,
    })
-    const attachments: any[] = []
+    const { attachments, filesOutput } = await uploadFilesForTeamsMessage({
-    if (validatedData.files && validatedData.files.length > 0) {
+      rawFiles: validatedData.files || [],
-      const rawFiles = validatedData.files
+      accessToken: validatedData.accessToken,
-      logger.info(`[${requestId}] Processing ${rawFiles.length} file(s) for upload to Teams`)
+      requestId,
-
+      logger,
-      const userFiles = processFilesToUserFiles(rawFiles, requestId, logger)
+    })
      for (const file of userFiles) {
        try {
          logger.info(`[${requestId}] Uploading file to Teams: ${file.name} (${file.size} bytes)`)
          const buffer = await downloadFileFromStorage(file, requestId, logger)
          const uploadUrl =
            'https://graph.microsoft.com/v1.0/me/drive/root:/TeamsAttachments/' +
            encodeURIComponent(file.name) +
            ':/content'
          logger.info(`[${requestId}] Uploading to Teams: ${uploadUrl}`)
          const uploadResponse = await fetch(uploadUrl, {
            method: 'PUT',
            headers: {
              Authorization: `Bearer ${validatedData.accessToken}`,
              'Content-Type': file.type || 'application/octet-stream',
            },
            body: new Uint8Array(buffer),
          })
          if (!uploadResponse.ok) {
            const errorData = await uploadResponse.json().catch(() => ({}))
            logger.error(`[${requestId}] Teams upload failed:`, errorData)
            throw new Error(
              `Failed to upload file to Teams: ${errorData.error?.message || 'Unknown error'}`
            )
          }
          const uploadedFile = await uploadResponse.json()
          logger.info(`[${requestId}] File uploaded to Teams successfully`, {
            id: uploadedFile.id,
            webUrl: uploadedFile.webUrl,
          })
          const fileDetailsUrl = `https://graph.microsoft.com/v1.0/me/drive/items/${uploadedFile.id}?$select=id,name,webDavUrl,eTag,size`
          const fileDetailsResponse = await fetch(fileDetailsUrl, {
            headers: {
              Authorization: `Bearer ${validatedData.accessToken}`,
            },
          })
          if (!fileDetailsResponse.ok) {
            const errorData = await fileDetailsResponse.json().catch(() => ({}))
            logger.error(`[${requestId}] Failed to get file details:`, errorData)
            throw new Error(
              `Failed to get file details: ${errorData.error?.message || 'Unknown error'}`
            )
          }
          const fileDetails = await fileDetailsResponse.json()
          logger.info(`[${requestId}] Got file details`, {
            webDavUrl: fileDetails.webDavUrl,
            eTag: fileDetails.eTag,
          })
          const attachmentId = fileDetails.eTag?.match(/\{([a-f0-9-]+)\}/i)?.[1] || fileDetails.id
          attachments.push({
            id: attachmentId,
            contentType: 'reference',
            contentUrl: fileDetails.webDavUrl,
            name: file.name,
          })
          logger.info(`[${requestId}] Created attachment reference for ${file.name}`)
        } catch (error) {
          logger.error(`[${requestId}] Failed to process file ${file.name}:`, error)
          throw new Error(
            `Failed to process file "${file.name}": ${error instanceof Error ? error.message : 'Unknown error'}`
          )
        }
      }
      logger.info(
        `[${requestId}] All ${attachments.length} file(s) uploaded and attachment references created`
      )
    }
    let messageContent = validatedData.content
    let contentType: 'text' | 'html' = 'text'
@@ -194,17 +115,21 @@ export async function POST(request: NextRequest) {
    const teamsUrl = `https://graph.microsoft.com/v1.0/chats/${encodeURIComponent(validatedData.chatId)}/messages`
-    const teamsResponse = await fetch(teamsUrl, {
+    const teamsResponse = await secureFetchWithValidation(
-      method: 'POST',
+      teamsUrl,
-      headers: {
+      {
-        'Content-Type': 'application/json',
+        method: 'POST',
-        Authorization: `Bearer ${validatedData.accessToken}`,
+        headers: {
          'Content-Type': 'application/json',
          Authorization: `Bearer ${validatedData.accessToken}`,
        },
        body: JSON.stringify(messageBody),
      },
-      body: JSON.stringify(messageBody),
+      'teamsUrl'
-    })
+    )
    if (!teamsResponse.ok) {
-      const errorData = await teamsResponse.json().catch(() => ({}))
+      const errorData = (await teamsResponse.json().catch(() => ({}))) as GraphApiErrorResponse
      logger.error(`[${requestId}] Microsoft Teams API error:`, errorData)
      return NextResponse.json(
        {
@@ -215,7 +140,7 @@ export async function POST(request: NextRequest) {
      )
    }
-    const responseData = await teamsResponse.json()
+    const responseData = (await teamsResponse.json()) as GraphChatMessage
    logger.info(`[${requestId}] Teams message sent successfully`, {
      messageId: responseData.id,
      attachmentCount: attachments.length,
@@ -233,6 +158,7 @@ export async function POST(request: NextRequest) {
          url: responseData.webUrl || '',
          attachmentCount: attachments.length,
        },
        files: filesOutput,
      },
    })
  } catch (error) {
--- a/apps/sim/app/api/tools/mistral/parse/route.ts
+++ b/apps/sim/app/api/tools/mistral/parse/route.ts
@@ -2,15 +2,17 @@ import { createLogger } from '@sim/logger'
 import { type NextRequest, NextResponse } from 'next/server'
 import { z } from 'zod'
 import { checkInternalAuth } from '@/lib/auth/hybrid'
 import { generateRequestId } from '@/lib/core/utils/request'
 import { getBaseUrl } from '@/lib/core/utils/urls'
 import { StorageService } from '@/lib/uploads'
 import {
-  extractStorageKey,
+  secureFetchWithPinnedIP,
-  inferContextFromKey,
+  validateUrlWithDNS,
-  isInternalFileUrl,
+} from '@/lib/core/security/input-validation.server'
-} from '@/lib/uploads/utils/file-utils'
+import { generateRequestId } from '@/lib/core/utils/request'
-import { verifyFileAccess } from '@/app/api/files/authorization'
+import { FileInputSchema } from '@/lib/uploads/utils/file-schemas'
 import { isInternalFileUrl, processSingleFileToUserFile } from '@/lib/uploads/utils/file-utils'
 import {
  downloadFileFromStorage,
  resolveInternalFileUrl,
 } from '@/lib/uploads/utils/file-utils.server'
 export const dynamic = 'force-dynamic'
@@ -18,7 +20,9 @@ const logger = createLogger('MistralParseAPI')
 const MistralParseSchema = z.object({
  apiKey: z.string().min(1, 'API key is required'),
-  filePath: z.string().min(1, 'File path is required'),
+  filePath: z.string().min(1, 'File path is required').optional(),
  fileData: FileInputSchema.optional(),
  file: FileInputSchema.optional(),
  resultType: z.string().optional(),
  pages: z.array(z.number()).optional(),
  includeImageBase64: z.boolean().optional(),
@@ -49,66 +53,140 @@ export async function POST(request: NextRequest) {
    const body = await request.json()
    const validatedData = MistralParseSchema.parse(body)
    const fileData = validatedData.file || validatedData.fileData
    const filePath = typeof fileData === 'string' ? fileData : validatedData.filePath
    if (!fileData && (!filePath || filePath.trim() === '')) {
      return NextResponse.json(
        {
          success: false,
          error: 'File input is required',
        },
        { status: 400 }
      )
    }
    logger.info(`[${requestId}] Mistral parse request`, {
-      filePath: validatedData.filePath,
+      hasFileData: Boolean(fileData),
-      isWorkspaceFile: isInternalFileUrl(validatedData.filePath),
+      filePath,
      isWorkspaceFile: filePath ? isInternalFileUrl(filePath) : false,
      userId,
    })
-    let fileUrl = validatedData.filePath
+    const mistralBody: any = {
      model: 'mistral-ocr-latest',
    }
-    if (isInternalFileUrl(validatedData.filePath)) {
+    if (fileData && typeof fileData === 'object') {
      const rawFile = fileData
      let userFile
      try {
-        const storageKey = extractStorageKey(validatedData.filePath)
+        userFile = processSingleFileToUserFile(rawFile, requestId, logger)
        const context = inferContextFromKey(storageKey)
        const hasAccess = await verifyFileAccess(
          storageKey,
          userId,
          undefined, // customConfig
          context, // context
          false // isLocal
        )
        if (!hasAccess) {
          logger.warn(`[${requestId}] Unauthorized presigned URL generation attempt`, {
            userId,
            key: storageKey,
            context,
          })
          return NextResponse.json(
            {
              success: false,
              error: 'File not found',
            },
            { status: 404 }
          )
        }
        fileUrl = await StorageService.generatePresignedDownloadUrl(storageKey, context, 5 * 60)
        logger.info(`[${requestId}] Generated presigned URL for ${context} file`)
      } catch (error) {
        logger.error(`[${requestId}] Failed to generate presigned URL:`, error)
        return NextResponse.json(
          {
            success: false,
-            error: 'Failed to generate file access URL',
+            error: error instanceof Error ? error.message : 'Failed to process file',
          },
-          { status: 500 }
+          { status: 400 }
        )
      }
    } else if (validatedData.filePath?.startsWith('/')) {
      const baseUrl = getBaseUrl()
      fileUrl = `${baseUrl}${validatedData.filePath}`
    }
-    const mistralBody: any = {
+      let mimeType = userFile.type
-      model: 'mistral-ocr-latest',
+      if (!mimeType || mimeType === 'application/octet-stream') {
-      document: {
+        const filename = userFile.name?.toLowerCase() || ''
-        type: 'document_url',
+        if (filename.endsWith('.pdf')) {
-        document_url: fileUrl,
+          mimeType = 'application/pdf'
-      },
+        } else if (filename.endsWith('.png')) {
          mimeType = 'image/png'
        } else if (filename.endsWith('.jpg') || filename.endsWith('.jpeg')) {
          mimeType = 'image/jpeg'
        } else if (filename.endsWith('.gif')) {
          mimeType = 'image/gif'
        } else if (filename.endsWith('.webp')) {
          mimeType = 'image/webp'
        } else {
          mimeType = 'application/pdf'
        }
      }
      let base64 = userFile.base64
      if (!base64) {
        const buffer = await downloadFileFromStorage(userFile, requestId, logger)
        base64 = buffer.toString('base64')
      }
      const base64Payload = base64.startsWith('data:')
        ? base64
        : `data:${mimeType};base64,${base64}`
      // Mistral API uses different document types for images vs documents
      const isImage = mimeType.startsWith('image/')
      if (isImage) {
        mistralBody.document = {
          type: 'image_url',
          image_url: base64Payload,
        }
      } else {
        mistralBody.document = {
          type: 'document_url',
          document_url: base64Payload,
        }
      }
    } else if (filePath) {
      let fileUrl = filePath
      const isInternalFilePath = isInternalFileUrl(filePath)
      if (isInternalFilePath) {
        const resolution = await resolveInternalFileUrl(filePath, userId, requestId, logger)
        if (resolution.error) {
          return NextResponse.json(
            {
              success: false,
              error: resolution.error.message,
            },
            { status: resolution.error.status }
          )
        }
        fileUrl = resolution.fileUrl || fileUrl
      } else if (filePath.startsWith('/')) {
        logger.warn(`[${requestId}] Invalid internal path`, {
          userId,
          path: filePath.substring(0, 50),
        })
        return NextResponse.json(
          {
            success: false,
            error: 'Invalid file path. Only uploaded files are supported for internal paths.',
          },
          { status: 400 }
        )
      } else {
        const urlValidation = await validateUrlWithDNS(fileUrl, 'filePath')
        if (!urlValidation.isValid) {
          return NextResponse.json(
            {
              success: false,
              error: urlValidation.error,
            },
            { status: 400 }
          )
        }
      }
      const imageExtensions = ['.png', '.jpg', '.jpeg', '.gif', '.webp', '.avif']
      const pathname = new URL(fileUrl).pathname.toLowerCase()
      const isImageUrl = imageExtensions.some((ext) => pathname.endsWith(ext))
      if (isImageUrl) {
        mistralBody.document = {
          type: 'image_url',
          image_url: fileUrl,
        }
      } else {
        mistralBody.document = {
          type: 'document_url',
          document_url: fileUrl,
        }
      }
    }
    if (validatedData.pages) {
@@ -124,15 +202,34 @@ export async function POST(request: NextRequest) {
      mistralBody.image_min_size = validatedData.imageMinSize
    }
-    const mistralResponse = await fetch('https://api.mistral.ai/v1/ocr', {
+    const mistralEndpoint = 'https://api.mistral.ai/v1/ocr'
-      method: 'POST',
+    const mistralValidation = await validateUrlWithDNS(mistralEndpoint, 'Mistral API URL')
-      headers: {
+    if (!mistralValidation.isValid) {
-        'Content-Type': 'application/json',
+      logger.error(`[${requestId}] Mistral API URL validation failed`, {
-        Accept: 'application/json',
+        error: mistralValidation.error,
-        Authorization: `Bearer ${validatedData.apiKey}`,
+      })
-      },
+      return NextResponse.json(
-      body: JSON.stringify(mistralBody),
+        {
-    })
+          success: false,
          error: 'Failed to reach Mistral API',
        },
        { status: 502 }
      )
    }
    const mistralResponse = await secureFetchWithPinnedIP(
      mistralEndpoint,
      mistralValidation.resolvedIP!,
      {
        method: 'POST',
        headers: {
          'Content-Type': 'application/json',
          Accept: 'application/json',
          Authorization: `Bearer ${validatedData.apiKey}`,
        },
        body: JSON.stringify(mistralBody),
      }
    )
    if (!mistralResponse.ok) {
      const errorText = await mistralResponse.text()
--- a/apps/sim/app/api/tools/onedrive/download/route.ts
+++ b/apps/sim/app/api/tools/onedrive/download/route.ts
@@ -0,0 +1,177 @@
 import { createLogger } from '@sim/logger'
 import { type NextRequest, NextResponse } from 'next/server'
 import { z } from 'zod'
 import { checkInternalAuth } from '@/lib/auth/hybrid'
 import {
  secureFetchWithPinnedIP,
  validateUrlWithDNS,
 } from '@/lib/core/security/input-validation.server'
 import { generateRequestId } from '@/lib/core/utils/request'
 export const dynamic = 'force-dynamic'
 /** Microsoft Graph API error response structure */
 interface GraphApiError {
  error?: {
    code?: string
    message?: string
  }
 }
 /** Microsoft Graph API drive item metadata response */
 interface DriveItemMetadata {
  id?: string
  name?: string
  folder?: Record<string, unknown>
  file?: {
    mimeType?: string
  }
 }
 const logger = createLogger('OneDriveDownloadAPI')
 const OneDriveDownloadSchema = z.object({
  accessToken: z.string().min(1, 'Access token is required'),
  fileId: z.string().min(1, 'File ID is required'),
  fileName: z.string().optional().nullable(),
 })
 export async function POST(request: NextRequest) {
  const requestId = generateRequestId()
  try {
    const authResult = await checkInternalAuth(request, { requireWorkflowId: false })
    if (!authResult.success) {
      logger.warn(`[${requestId}] Unauthorized OneDrive download attempt: ${authResult.error}`)
      return NextResponse.json(
        {
          success: false,
          error: authResult.error || 'Authentication required',
        },
        { status: 401 }
      )
    }
    const body = await request.json()
    const validatedData = OneDriveDownloadSchema.parse(body)
    const { accessToken, fileId, fileName } = validatedData
    const authHeader = `Bearer ${accessToken}`
    logger.info(`[${requestId}] Getting file metadata from OneDrive`, { fileId })
    const metadataUrl = `https://graph.microsoft.com/v1.0/me/drive/items/${fileId}`
    const metadataUrlValidation = await validateUrlWithDNS(metadataUrl, 'metadataUrl')
    if (!metadataUrlValidation.isValid) {
      return NextResponse.json(
        { success: false, error: metadataUrlValidation.error },
        { status: 400 }
      )
    }
    const metadataResponse = await secureFetchWithPinnedIP(
      metadataUrl,
      metadataUrlValidation.resolvedIP!,
      {
        headers: { Authorization: authHeader },
      }
    )
    if (!metadataResponse.ok) {
      const errorDetails = (await metadataResponse.json().catch(() => ({}))) as GraphApiError
      logger.error(`[${requestId}] Failed to get file metadata`, {
        status: metadataResponse.status,
        error: errorDetails,
      })
      return NextResponse.json(
        { success: false, error: errorDetails.error?.message || 'Failed to get file metadata' },
        { status: 400 }
      )
    }
    const metadata = (await metadataResponse.json()) as DriveItemMetadata
    if (metadata.folder && !metadata.file) {
      logger.error(`[${requestId}] Attempted to download a folder`, {
        itemId: metadata.id,
        itemName: metadata.name,
      })
      return NextResponse.json(
        {
          success: false,
          error: `Cannot download folder "${metadata.name}". Please select a file instead.`,
        },
        { status: 400 }
      )
    }
    const mimeType = metadata.file?.mimeType || 'application/octet-stream'
    logger.info(`[${requestId}] Downloading file from OneDrive`, { fileId, mimeType })
    const downloadUrl = `https://graph.microsoft.com/v1.0/me/drive/items/${fileId}/content`
    const downloadUrlValidation = await validateUrlWithDNS(downloadUrl, 'downloadUrl')
    if (!downloadUrlValidation.isValid) {
      return NextResponse.json(
        { success: false, error: downloadUrlValidation.error },
        { status: 400 }
      )
    }
    const downloadResponse = await secureFetchWithPinnedIP(
      downloadUrl,
      downloadUrlValidation.resolvedIP!,
      {
        headers: { Authorization: authHeader },
      }
    )
    if (!downloadResponse.ok) {
      const downloadError = (await downloadResponse.json().catch(() => ({}))) as GraphApiError
      logger.error(`[${requestId}] Failed to download file`, {
        status: downloadResponse.status,
        error: downloadError,
      })
      return NextResponse.json(
        { success: false, error: downloadError.error?.message || 'Failed to download file' },
        { status: 400 }
      )
    }
    const arrayBuffer = await downloadResponse.arrayBuffer()
    const fileBuffer = Buffer.from(arrayBuffer)
    const resolvedName = fileName || metadata.name || 'download'
    logger.info(`[${requestId}] File downloaded successfully`, {
      fileId,
      name: resolvedName,
      size: fileBuffer.length,
      mimeType,
    })
    const base64Data = fileBuffer.toString('base64')
    return NextResponse.json({
      success: true,
      output: {
        file: {
          name: resolvedName,
          mimeType,
          data: base64Data,
          size: fileBuffer.length,
        },
      },
    })
  } catch (error) {
    logger.error(`[${requestId}] Error downloading OneDrive file:`, error)
    return NextResponse.json(
      {
        success: false,
        error: error instanceof Error ? error.message : 'Unknown error occurred',
      },
      { status: 500 }
    )
  }
 }
--- a/apps/sim/app/api/tools/onedrive/upload/route.ts
+++ b/apps/sim/app/api/tools/onedrive/upload/route.ts
@@ -4,7 +4,9 @@ import * as XLSX from 'xlsx'
 import { z } from 'zod'
 import { checkInternalAuth } from '@/lib/auth/hybrid'
 import { validateMicrosoftGraphId } from '@/lib/core/security/input-validation'
 import { secureFetchWithValidation } from '@/lib/core/security/input-validation.server'
 import { generateRequestId } from '@/lib/core/utils/request'
 import { RawFileInputSchema } from '@/lib/uploads/utils/file-schemas'
 import {
  getExtensionFromMimeType,
  processSingleFileToUserFile,
@@ -29,12 +31,33 @@ const ExcelValuesSchema = z.union([
 const OneDriveUploadSchema = z.object({
  accessToken: z.string().min(1, 'Access token is required'),
  fileName: z.string().min(1, 'File name is required'),
-  file: z.any().optional(),
+  file: RawFileInputSchema.optional(),
  folderId: z.string().optional().nullable(),
  mimeType: z.string().nullish(),
  values: ExcelValuesSchema.optional().nullable(),
  conflictBehavior: z.enum(['fail', 'replace', 'rename']).optional().nullable(),
 })
 /** Microsoft Graph DriveItem response */
 interface OneDriveFileData {
  id: string
  name: string
  size: number
  webUrl: string
  createdDateTime: string
  lastModifiedDateTime: string
  file?: { mimeType: string }
  parentReference?: { id: string; path: string }
  '@microsoft.graph.downloadUrl'?: string
 }
 /** Microsoft Graph Excel range response */
 interface ExcelRangeData {
  address?: string
  addressLocal?: string
  values?: unknown[][]
 }
 export async function POST(request: NextRequest) {
  const requestId = generateRequestId()
@@ -88,25 +111,9 @@ export async function POST(request: NextRequest) {
        )
      }
      let fileToProcess
      if (Array.isArray(rawFile)) {
        if (rawFile.length === 0) {
          return NextResponse.json(
            {
              success: false,
              error: 'No file provided',
            },
            { status: 400 }
          )
        }
        fileToProcess = rawFile[0]
      } else {
        fileToProcess = rawFile
      }
      let userFile
      try {
-        userFile = processSingleFileToUserFile(fileToProcess, requestId, logger)
+        userFile = processSingleFileToUserFile(rawFile, requestId, logger)
      } catch (error) {
        return NextResponse.json(
          {
@@ -179,14 +186,23 @@ export async function POST(request: NextRequest) {
      uploadUrl = `${MICROSOFT_GRAPH_BASE}/me/drive/root:/${encodeURIComponent(fileName)}:/content`
    }
-    const uploadResponse = await fetch(uploadUrl, {
+    // Add conflict behavior if specified (defaults to replace by Microsoft Graph API)
-      method: 'PUT',
+    if (validatedData.conflictBehavior) {
-      headers: {
+      uploadUrl += `?@microsoft.graph.conflictBehavior=${validatedData.conflictBehavior}`
-        Authorization: `Bearer ${validatedData.accessToken}`,
+    }
-        'Content-Type': mimeType,
+
    const uploadResponse = await secureFetchWithValidation(
      uploadUrl,
      {
        method: 'PUT',
        headers: {
          Authorization: `Bearer ${validatedData.accessToken}`,
          'Content-Type': mimeType,
        },
        body: fileBuffer,
      },
-      body: new Uint8Array(fileBuffer),
+      'uploadUrl'
-    })
+    )
    if (!uploadResponse.ok) {
      const errorText = await uploadResponse.text()
@@ -200,7 +216,7 @@ export async function POST(request: NextRequest) {
      )
    }
-    const fileData = await uploadResponse.json()
+    const fileData = (await uploadResponse.json()) as OneDriveFileData
    let excelWriteResult: any | undefined
    const shouldWriteExcelContent =
@@ -209,8 +225,11 @@ export async function POST(request: NextRequest) {
    if (shouldWriteExcelContent) {
      try {
        let workbookSessionId: string | undefined
-        const sessionResp = await fetch(
+        const sessionUrl = `${MICROSOFT_GRAPH_BASE}/me/drive/items/${encodeURIComponent(
-          `${MICROSOFT_GRAPH_BASE}/me/drive/items/${encodeURIComponent(fileData.id)}/workbook/createSession`,
+          fileData.id
        )}/workbook/createSession`
        const sessionResp = await secureFetchWithValidation(
          sessionUrl,
          {
            method: 'POST',
            headers: {
@@ -218,11 +237,12 @@ export async function POST(request: NextRequest) {
              'Content-Type': 'application/json',
            },
            body: JSON.stringify({ persistChanges: true }),
-          }
+          },
          'sessionUrl'
        )
        if (sessionResp.ok) {
-          const sessionData = await sessionResp.json()
+          const sessionData = (await sessionResp.json()) as { id?: string }
          workbookSessionId = sessionData?.id
        }
@@ -231,14 +251,19 @@ export async function POST(request: NextRequest) {
          const listUrl = `${MICROSOFT_GRAPH_BASE}/me/drive/items/${encodeURIComponent(
            fileData.id
          )}/workbook/worksheets?$select=name&$orderby=position&$top=1`
-          const listResp = await fetch(listUrl, {
+          const listResp = await secureFetchWithValidation(
-            headers: {
+            listUrl,
-              Authorization: `Bearer ${validatedData.accessToken}`,
+            {
-              ...(workbookSessionId ? { 'workbook-session-id': workbookSessionId } : {}),
+              method: 'GET',
              headers: {
                Authorization: `Bearer ${validatedData.accessToken}`,
                ...(workbookSessionId ? { 'workbook-session-id': workbookSessionId } : {}),
              },
            },
-          })
+            'listUrl'
          )
          if (listResp.ok) {
-            const listData = await listResp.json()
+            const listData = (await listResp.json()) as { value?: Array<{ name?: string }> }
            const firstSheetName = listData?.value?.[0]?.name
            if (firstSheetName) {
              sheetName = firstSheetName
@@ -297,15 +322,19 @@ export async function POST(request: NextRequest) {
          )}')/range(address='${encodeURIComponent(computedRangeAddress)}')`
        )
-        const excelWriteResponse = await fetch(url.toString(), {
+        const excelWriteResponse = await secureFetchWithValidation(
-          method: 'PATCH',
+          url.toString(),
-          headers: {
+          {
-            Authorization: `Bearer ${validatedData.accessToken}`,
+            method: 'PATCH',
-            'Content-Type': 'application/json',
+            headers: {
-            ...(workbookSessionId ? { 'workbook-session-id': workbookSessionId } : {}),
+              Authorization: `Bearer ${validatedData.accessToken}`,
              'Content-Type': 'application/json',
              ...(workbookSessionId ? { 'workbook-session-id': workbookSessionId } : {}),
            },
            body: JSON.stringify({ values: processedValues }),
          },
-          body: JSON.stringify({ values: processedValues }),
+          'excelWriteUrl'
-        })
+        )
        if (!excelWriteResponse || !excelWriteResponse.ok) {
          const errorText = excelWriteResponse ? await excelWriteResponse.text() : 'no response'
@@ -320,7 +349,7 @@ export async function POST(request: NextRequest) {
            details: errorText,
          }
        } else {
-          const writeData = await excelWriteResponse.json()
+          const writeData = (await excelWriteResponse.json()) as ExcelRangeData
          const addr = writeData.address || writeData.addressLocal
          const v = writeData.values || []
          excelWriteResult = {
@@ -328,21 +357,25 @@ export async function POST(request: NextRequest) {
            updatedRange: addr,
            updatedRows: Array.isArray(v) ? v.length : undefined,
            updatedColumns: Array.isArray(v) && v[0] ? v[0].length : undefined,
-            updatedCells: Array.isArray(v) && v[0] ? v.length * (v[0] as any[]).length : undefined,
+            updatedCells: Array.isArray(v) && v[0] ? v.length * v[0].length : undefined,
          }
        }
        if (workbookSessionId) {
          try {
-            const closeResp = await fetch(
+            const closeUrl = `${MICROSOFT_GRAPH_BASE}/me/drive/items/${encodeURIComponent(
-              `${MICROSOFT_GRAPH_BASE}/me/drive/items/${encodeURIComponent(fileData.id)}/workbook/closeSession`,
+              fileData.id
            )}/workbook/closeSession`
            const closeResp = await secureFetchWithValidation(
              closeUrl,
              {
                method: 'POST',
                headers: {
                  Authorization: `Bearer ${validatedData.accessToken}`,
                  'workbook-session-id': workbookSessionId,
                },
-              }
+              },
              'closeSessionUrl'
            )
            if (!closeResp.ok) {
              const closeText = await closeResp.text()
--- a/apps/sim/app/api/tools/outlook/draft/route.ts
+++ b/apps/sim/app/api/tools/outlook/draft/route.ts
@@ -3,6 +3,7 @@ import { type NextRequest, NextResponse } from 'next/server'
 import { z } from 'zod'
 import { checkInternalAuth } from '@/lib/auth/hybrid'
 import { generateRequestId } from '@/lib/core/utils/request'
 import { RawFileInputArraySchema } from '@/lib/uploads/utils/file-schemas'
 import { processFilesToUserFiles } from '@/lib/uploads/utils/file-utils'
 import { downloadFileFromStorage } from '@/lib/uploads/utils/file-utils.server'
@@ -18,7 +19,7 @@ const OutlookDraftSchema = z.object({
  contentType: z.enum(['text', 'html']).optional().nullable(),
  cc: z.string().optional().nullable(),
  bcc: z.string().optional().nullable(),
-  attachments: z.array(z.any()).optional().nullable(),
+  attachments: RawFileInputArraySchema.optional().nullable(),
 })
 export async function POST(request: NextRequest) {
--- a/apps/sim/app/api/tools/outlook/send/route.ts
+++ b/apps/sim/app/api/tools/outlook/send/route.ts
@@ -3,6 +3,7 @@ import { type NextRequest, NextResponse } from 'next/server'
 import { z } from 'zod'
 import { checkInternalAuth } from '@/lib/auth/hybrid'
 import { generateRequestId } from '@/lib/core/utils/request'
 import { RawFileInputArraySchema } from '@/lib/uploads/utils/file-schemas'
 import { processFilesToUserFiles } from '@/lib/uploads/utils/file-utils'
 import { downloadFileFromStorage } from '@/lib/uploads/utils/file-utils.server'
@@ -20,7 +21,7 @@ const OutlookSendSchema = z.object({
  bcc: z.string().optional().nullable(),
  replyToMessageId: z.string().optional().nullable(),
  conversationId: z.string().optional().nullable(),
-  attachments: z.array(z.any()).optional().nullable(),
+  attachments: RawFileInputArraySchema.optional().nullable(),
 })
 export async function POST(request: NextRequest) {
@@ -95,14 +96,14 @@ export async function POST(request: NextRequest) {
      if (attachments.length > 0) {
        const totalSize = attachments.reduce((sum, file) => sum + file.size, 0)
-        const maxSize = 4 * 1024 * 1024 // 4MB
+        const maxSize = 3 * 1024 * 1024 // 3MB - Microsoft Graph API limit for inline attachments
        if (totalSize > maxSize) {
          const sizeMB = (totalSize / (1024 * 1024)).toFixed(2)
          return NextResponse.json(
            {
              success: false,
-              error: `Total attachment size (${sizeMB}MB) exceeds Outlook's limit of 4MB per request`,
+              error: `Total attachment size (${sizeMB}MB) exceeds Microsoft Graph API limit of 3MB per request`,
            },
            { status: 400 }
          )
--- a/apps/sim/app/api/tools/pipedrive/get-files/route.ts
+++ b/apps/sim/app/api/tools/pipedrive/get-files/route.ts
@@ -0,0 +1,165 @@
 import { createLogger } from '@sim/logger'
 import { type NextRequest, NextResponse } from 'next/server'
 import { z } from 'zod'
 import { checkInternalAuth } from '@/lib/auth/hybrid'
 import {
  secureFetchWithPinnedIP,
  validateUrlWithDNS,
 } from '@/lib/core/security/input-validation.server'
 import { generateRequestId } from '@/lib/core/utils/request'
 import { getFileExtension, getMimeTypeFromExtension } from '@/lib/uploads/utils/file-utils'
 export const dynamic = 'force-dynamic'
 const logger = createLogger('PipedriveGetFilesAPI')
 interface PipedriveFile {
  id?: number
  name?: string
  url?: string
 }
 interface PipedriveApiResponse {
  success: boolean
  data?: PipedriveFile[]
  error?: string
 }
 const PipedriveGetFilesSchema = z.object({
  accessToken: z.string().min(1, 'Access token is required'),
  deal_id: z.string().optional().nullable(),
  person_id: z.string().optional().nullable(),
  org_id: z.string().optional().nullable(),
  limit: z.string().optional().nullable(),
  downloadFiles: z.boolean().optional().default(false),
 })
 export async function POST(request: NextRequest) {
  const requestId = generateRequestId()
  try {
    const authResult = await checkInternalAuth(request, { requireWorkflowId: false })
    if (!authResult.success) {
      logger.warn(`[${requestId}] Unauthorized Pipedrive get files attempt: ${authResult.error}`)
      return NextResponse.json(
        {
          success: false,
          error: authResult.error || 'Authentication required',
        },
        { status: 401 }
      )
    }
    const body = await request.json()
    const validatedData = PipedriveGetFilesSchema.parse(body)
    const { accessToken, deal_id, person_id, org_id, limit, downloadFiles } = validatedData
    const baseUrl = 'https://api.pipedrive.com/v1/files'
    const queryParams = new URLSearchParams()
    if (deal_id) queryParams.append('deal_id', deal_id)
    if (person_id) queryParams.append('person_id', person_id)
    if (org_id) queryParams.append('org_id', org_id)
    if (limit) queryParams.append('limit', limit)
    const queryString = queryParams.toString()
    const apiUrl = queryString ? `${baseUrl}?${queryString}` : baseUrl
    logger.info(`[${requestId}] Fetching files from Pipedrive`, { deal_id, person_id, org_id })
    const urlValidation = await validateUrlWithDNS(apiUrl, 'apiUrl')
    if (!urlValidation.isValid) {
      return NextResponse.json({ success: false, error: urlValidation.error }, { status: 400 })
    }
    const response = await secureFetchWithPinnedIP(apiUrl, urlValidation.resolvedIP!, {
      method: 'GET',
      headers: {
        Authorization: `Bearer ${accessToken}`,
        Accept: 'application/json',
      },
    })
    const data = (await response.json()) as PipedriveApiResponse
    if (!data.success) {
      logger.error(`[${requestId}] Pipedrive API request failed`, { data })
      return NextResponse.json(
        { success: false, error: data.error || 'Failed to fetch files from Pipedrive' },
        { status: 400 }
      )
    }
    const files = data.data || []
    const downloadedFiles: Array<{
      name: string
      mimeType: string
      data: string
      size: number
    }> = []
    if (downloadFiles) {
      for (const file of files) {
        if (!file?.url) continue
        try {
          const fileUrlValidation = await validateUrlWithDNS(file.url, 'fileUrl')
          if (!fileUrlValidation.isValid) continue
          const downloadResponse = await secureFetchWithPinnedIP(
            file.url,
            fileUrlValidation.resolvedIP!,
            {
              method: 'GET',
              headers: { Authorization: `Bearer ${accessToken}` },
            }
          )
          if (!downloadResponse.ok) continue
          const arrayBuffer = await downloadResponse.arrayBuffer()
          const buffer = Buffer.from(arrayBuffer)
          const extension = getFileExtension(file.name || '')
          const mimeType =
            downloadResponse.headers.get('content-type') || getMimeTypeFromExtension(extension)
          const fileName = file.name || `pipedrive-file-${file.id || Date.now()}`
          downloadedFiles.push({
            name: fileName,
            mimeType,
            data: buffer.toString('base64'),
            size: buffer.length,
          })
        } catch (error) {
          logger.warn(`[${requestId}] Failed to download file ${file.id}:`, error)
        }
      }
    }
    logger.info(`[${requestId}] Pipedrive files fetched successfully`, {
      fileCount: files.length,
      downloadedCount: downloadedFiles.length,
    })
    return NextResponse.json({
      success: true,
      output: {
        files,
        downloadedFiles: downloadedFiles.length > 0 ? downloadedFiles : undefined,
        total_items: files.length,
        success: true,
      },
    })
  } catch (error) {
    logger.error(`[${requestId}] Error fetching Pipedrive files:`, error)
    return NextResponse.json(
      {
        success: false,
        error: error instanceof Error ? error.message : 'Unknown error occurred',
      },
      { status: 500 }
    )
  }
 }
--- a/apps/sim/app/api/tools/pulse/parse/route.ts
+++ b/apps/sim/app/api/tools/pulse/parse/route.ts
@@ -2,15 +2,14 @@ import { createLogger } from '@sim/logger'
 import { type NextRequest, NextResponse } from 'next/server'
 import { z } from 'zod'
 import { checkInternalAuth } from '@/lib/auth/hybrid'
 import { generateRequestId } from '@/lib/core/utils/request'
 import { getBaseUrl } from '@/lib/core/utils/urls'
 import { StorageService } from '@/lib/uploads'
 import {
-  extractStorageKey,
+  secureFetchWithPinnedIP,
-  inferContextFromKey,
+  validateUrlWithDNS,
-  isInternalFileUrl,
+} from '@/lib/core/security/input-validation.server'
-} from '@/lib/uploads/utils/file-utils'
+import { generateRequestId } from '@/lib/core/utils/request'
-import { verifyFileAccess } from '@/app/api/files/authorization'
+import { RawFileInputSchema } from '@/lib/uploads/utils/file-schemas'
 import { isInternalFileUrl } from '@/lib/uploads/utils/file-utils'
 import { resolveFileInputToUrl } from '@/lib/uploads/utils/file-utils.server'
 export const dynamic = 'force-dynamic'
@@ -18,7 +17,8 @@ const logger = createLogger('PulseParseAPI')
 const PulseParseSchema = z.object({
  apiKey: z.string().min(1, 'API key is required'),
-  filePath: z.string().min(1, 'File path is required'),
+  filePath: z.string().optional(),
  file: RawFileInputSchema.optional(),
  pages: z.string().optional(),
  extractFigure: z.boolean().optional(),
  figureDescription: z.boolean().optional(),
@@ -51,50 +51,30 @@ export async function POST(request: NextRequest) {
    const validatedData = PulseParseSchema.parse(body)
    logger.info(`[${requestId}] Pulse parse request`, {
      fileName: validatedData.file?.name,
      filePath: validatedData.filePath,
-      isWorkspaceFile: isInternalFileUrl(validatedData.filePath),
+      isWorkspaceFile: validatedData.filePath ? isInternalFileUrl(validatedData.filePath) : false,
      userId,
    })
-    let fileUrl = validatedData.filePath
+    const resolution = await resolveFileInputToUrl({
      file: validatedData.file,
      filePath: validatedData.filePath,
      userId,
      requestId,
      logger,
    })
-    if (isInternalFileUrl(validatedData.filePath)) {
+    if (resolution.error) {
-      try {
+      return NextResponse.json(
-        const storageKey = extractStorageKey(validatedData.filePath)
+        { success: false, error: resolution.error.message },
-        const context = inferContextFromKey(storageKey)
+        { status: resolution.error.status }
      )
    }
-        const hasAccess = await verifyFileAccess(storageKey, userId, undefined, context, false)
+    const fileUrl = resolution.fileUrl
-
+    if (!fileUrl) {
-        if (!hasAccess) {
+      return NextResponse.json({ success: false, error: 'File input is required' }, { status: 400 })
          logger.warn(`[${requestId}] Unauthorized presigned URL generation attempt`, {
            userId,
            key: storageKey,
            context,
          })
          return NextResponse.json(
            {
              success: false,
              error: 'File not found',
            },
            { status: 404 }
          )
        }
        fileUrl = await StorageService.generatePresignedDownloadUrl(storageKey, context, 5 * 60)
        logger.info(`[${requestId}] Generated presigned URL for ${context} file`)
      } catch (error) {
        logger.error(`[${requestId}] Failed to generate presigned URL:`, error)
        return NextResponse.json(
          {
            success: false,
            error: 'Failed to generate file access URL',
          },
          { status: 500 }
        )
      }
    } else if (validatedData.filePath?.startsWith('/')) {
      const baseUrl = getBaseUrl()
      fileUrl = `${baseUrl}${validatedData.filePath}`
    }
    const formData = new FormData()
@@ -119,13 +99,36 @@ export async function POST(request: NextRequest) {
      formData.append('chunk_size', String(validatedData.chunkSize))
    }
-    const pulseResponse = await fetch('https://api.runpulse.com/extract', {
+    const pulseEndpoint = 'https://api.runpulse.com/extract'
-      method: 'POST',
+    const pulseValidation = await validateUrlWithDNS(pulseEndpoint, 'Pulse API URL')
-      headers: {
+    if (!pulseValidation.isValid) {
-        'x-api-key': validatedData.apiKey,
+      logger.error(`[${requestId}] Pulse API URL validation failed`, {
-      },
+        error: pulseValidation.error,
-      body: formData,
+      })
-    })
+      return NextResponse.json(
        {
          success: false,
          error: 'Failed to reach Pulse API',
        },
        { status: 502 }
      )
    }
    const pulsePayload = new Response(formData)
    const contentType = pulsePayload.headers.get('content-type') || 'multipart/form-data'
    const bodyBuffer = Buffer.from(await pulsePayload.arrayBuffer())
    const pulseResponse = await secureFetchWithPinnedIP(
      pulseEndpoint,
      pulseValidation.resolvedIP!,
      {
        method: 'POST',
        headers: {
          'x-api-key': validatedData.apiKey,
          'Content-Type': contentType,
        },
        body: bodyBuffer,
      }
    )
    if (!pulseResponse.ok) {
      const errorText = await pulseResponse.text()
--- a/apps/sim/app/api/tools/reducto/parse/route.ts
+++ b/apps/sim/app/api/tools/reducto/parse/route.ts
@@ -2,15 +2,14 @@ import { createLogger } from '@sim/logger'
 import { type NextRequest, NextResponse } from 'next/server'
 import { z } from 'zod'
 import { checkInternalAuth } from '@/lib/auth/hybrid'
 import { generateRequestId } from '@/lib/core/utils/request'
 import { getBaseUrl } from '@/lib/core/utils/urls'
 import { StorageService } from '@/lib/uploads'
 import {
-  extractStorageKey,
+  secureFetchWithPinnedIP,
-  inferContextFromKey,
+  validateUrlWithDNS,
-  isInternalFileUrl,
+} from '@/lib/core/security/input-validation.server'
-} from '@/lib/uploads/utils/file-utils'
+import { generateRequestId } from '@/lib/core/utils/request'
-import { verifyFileAccess } from '@/app/api/files/authorization'
+import { RawFileInputSchema } from '@/lib/uploads/utils/file-schemas'
 import { isInternalFileUrl } from '@/lib/uploads/utils/file-utils'
 import { resolveFileInputToUrl } from '@/lib/uploads/utils/file-utils.server'
 export const dynamic = 'force-dynamic'
@@ -18,7 +17,8 @@ const logger = createLogger('ReductoParseAPI')
 const ReductoParseSchema = z.object({
  apiKey: z.string().min(1, 'API key is required'),
-  filePath: z.string().min(1, 'File path is required'),
+  filePath: z.string().optional(),
  file: RawFileInputSchema.optional(),
  pages: z.array(z.number()).optional(),
  tableOutputFormat: z.enum(['html', 'md']).optional(),
 })
@@ -47,56 +47,30 @@ export async function POST(request: NextRequest) {
    const validatedData = ReductoParseSchema.parse(body)
    logger.info(`[${requestId}] Reducto parse request`, {
      fileName: validatedData.file?.name,
      filePath: validatedData.filePath,
-      isWorkspaceFile: isInternalFileUrl(validatedData.filePath),
+      isWorkspaceFile: validatedData.filePath ? isInternalFileUrl(validatedData.filePath) : false,
      userId,
    })
-    let fileUrl = validatedData.filePath
+    const resolution = await resolveFileInputToUrl({
      file: validatedData.file,
      filePath: validatedData.filePath,
      userId,
      requestId,
      logger,
    })
-    if (isInternalFileUrl(validatedData.filePath)) {
+    if (resolution.error) {
-      try {
+      return NextResponse.json(
-        const storageKey = extractStorageKey(validatedData.filePath)
+        { success: false, error: resolution.error.message },
-        const context = inferContextFromKey(storageKey)
+        { status: resolution.error.status }
      )
    }
-        const hasAccess = await verifyFileAccess(
+    const fileUrl = resolution.fileUrl
-          storageKey,
+    if (!fileUrl) {
-          userId,
+      return NextResponse.json({ success: false, error: 'File input is required' }, { status: 400 })
          undefined, // customConfig
          context, // context
          false // isLocal
        )
        if (!hasAccess) {
          logger.warn(`[${requestId}] Unauthorized presigned URL generation attempt`, {
            userId,
            key: storageKey,
            context,
          })
          return NextResponse.json(
            {
              success: false,
              error: 'File not found',
            },
            { status: 404 }
          )
        }
        fileUrl = await StorageService.generatePresignedDownloadUrl(storageKey, context, 5 * 60)
        logger.info(`[${requestId}] Generated presigned URL for ${context} file`)
      } catch (error) {
        logger.error(`[${requestId}] Failed to generate presigned URL:`, error)
        return NextResponse.json(
          {
            success: false,
            error: 'Failed to generate file access URL',
          },
          { status: 500 }
        )
      }
    } else if (validatedData.filePath?.startsWith('/')) {
      const baseUrl = getBaseUrl()
      fileUrl = `${baseUrl}${validatedData.filePath}`
    }
    const reductoBody: Record<string, unknown> = {
@@ -104,8 +78,13 @@ export async function POST(request: NextRequest) {
    }
    if (validatedData.pages && validatedData.pages.length > 0) {
      // Reducto API expects page_range as an object with start/end, not an array
      const pages = validatedData.pages
      reductoBody.settings = {
-        page_range: validatedData.pages,
+        page_range: {
          start: Math.min(...pages),
          end: Math.max(...pages),
        },
      }
    }
@@ -115,15 +94,34 @@ export async function POST(request: NextRequest) {
      }
    }
-    const reductoResponse = await fetch('https://platform.reducto.ai/parse', {
+    const reductoEndpoint = 'https://platform.reducto.ai/parse'
-      method: 'POST',
+    const reductoValidation = await validateUrlWithDNS(reductoEndpoint, 'Reducto API URL')
-      headers: {
+    if (!reductoValidation.isValid) {
-        'Content-Type': 'application/json',
+      logger.error(`[${requestId}] Reducto API URL validation failed`, {
-        Accept: 'application/json',
+        error: reductoValidation.error,
-        Authorization: `Bearer ${validatedData.apiKey}`,
+      })
-      },
+      return NextResponse.json(
-      body: JSON.stringify(reductoBody),
+        {
-    })
+          success: false,
          error: 'Failed to reach Reducto API',
        },
        { status: 502 }
      )
    }
    const reductoResponse = await secureFetchWithPinnedIP(
      reductoEndpoint,
      reductoValidation.resolvedIP!,
      {
        method: 'POST',
        headers: {
          'Content-Type': 'application/json',
          Accept: 'application/json',
          Authorization: `Bearer ${validatedData.apiKey}`,
        },
        body: JSON.stringify(reductoBody),
      }
    )
    if (!reductoResponse.ok) {
      const errorText = await reductoResponse.text()
--- a/apps/sim/app/api/tools/s3/put-object/route.ts
+++ b/apps/sim/app/api/tools/s3/put-object/route.ts
@@ -4,6 +4,7 @@ import { type NextRequest, NextResponse } from 'next/server'
 import { z } from 'zod'
 import { checkInternalAuth } from '@/lib/auth/hybrid'
 import { generateRequestId } from '@/lib/core/utils/request'
 import { RawFileInputSchema } from '@/lib/uploads/utils/file-schemas'
 import { processSingleFileToUserFile } from '@/lib/uploads/utils/file-utils'
 import { downloadFileFromStorage } from '@/lib/uploads/utils/file-utils.server'
@@ -17,7 +18,7 @@ const S3PutObjectSchema = z.object({
  region: z.string().min(1, 'Region is required'),
  bucketName: z.string().min(1, 'Bucket name is required'),
  objectKey: z.string().min(1, 'Object key is required'),
-  file: z.any().optional().nullable(),
+  file: RawFileInputSchema.optional().nullable(),
  content: z.string().optional().nullable(),
  contentType: z.string().optional().nullable(),
  acl: z.string().optional().nullable(),
--- a/apps/sim/app/api/tools/sendgrid/send-mail/route.ts
+++ b/apps/sim/app/api/tools/sendgrid/send-mail/route.ts
@@ -0,0 +1,188 @@
 import { createLogger } from '@sim/logger'
 import { type NextRequest, NextResponse } from 'next/server'
 import { z } from 'zod'
 import { checkInternalAuth } from '@/lib/auth/hybrid'
 import { generateRequestId } from '@/lib/core/utils/request'
 import { RawFileInputArraySchema } from '@/lib/uploads/utils/file-schemas'
 import { processFilesToUserFiles } from '@/lib/uploads/utils/file-utils'
 import { downloadFileFromStorage } from '@/lib/uploads/utils/file-utils.server'
 export const dynamic = 'force-dynamic'
 const logger = createLogger('SendGridSendMailAPI')
 const SendGridSendMailSchema = z.object({
  apiKey: z.string().min(1, 'API key is required'),
  from: z.string().min(1, 'From email is required'),
  fromName: z.string().optional().nullable(),
  to: z.string().min(1, 'To email is required'),
  toName: z.string().optional().nullable(),
  subject: z.string().optional().nullable(),
  content: z.string().optional().nullable(),
  contentType: z.string().optional().nullable(),
  cc: z.string().optional().nullable(),
  bcc: z.string().optional().nullable(),
  replyTo: z.string().optional().nullable(),
  replyToName: z.string().optional().nullable(),
  templateId: z.string().optional().nullable(),
  dynamicTemplateData: z.any().optional().nullable(),
  attachments: RawFileInputArraySchema.optional().nullable(),
 })
 export async function POST(request: NextRequest) {
  const requestId = generateRequestId()
  try {
    const authResult = await checkInternalAuth(request, { requireWorkflowId: false })
    if (!authResult.success) {
      logger.warn(`[${requestId}] Unauthorized SendGrid send attempt: ${authResult.error}`)
      return NextResponse.json(
        { success: false, error: authResult.error || 'Authentication required' },
        { status: 401 }
      )
    }
    logger.info(`[${requestId}] Authenticated SendGrid send request via ${authResult.authType}`)
    const body = await request.json()
    const validatedData = SendGridSendMailSchema.parse(body)
    logger.info(`[${requestId}] Sending SendGrid email`, {
      to: validatedData.to,
      subject: validatedData.subject || '(template)',
      hasAttachments: !!(validatedData.attachments && validatedData.attachments.length > 0),
      attachmentCount: validatedData.attachments?.length || 0,
    })
    // Build personalizations
    const personalizations: Record<string, unknown> = {
      to: [
        { email: validatedData.to, ...(validatedData.toName && { name: validatedData.toName }) },
      ],
    }
    if (validatedData.cc) {
      personalizations.cc = [{ email: validatedData.cc }]
    }
    if (validatedData.bcc) {
      personalizations.bcc = [{ email: validatedData.bcc }]
    }
    if (validatedData.templateId && validatedData.dynamicTemplateData) {
      personalizations.dynamic_template_data =
        typeof validatedData.dynamicTemplateData === 'string'
          ? JSON.parse(validatedData.dynamicTemplateData)
          : validatedData.dynamicTemplateData
    }
    // Build mail body
    const mailBody: Record<string, unknown> = {
      personalizations: [personalizations],
      from: {
        email: validatedData.from,
        ...(validatedData.fromName && { name: validatedData.fromName }),
      },
      subject: validatedData.subject,
    }
    if (validatedData.templateId) {
      mailBody.template_id = validatedData.templateId
    } else {
      mailBody.content = [
        {
          type: validatedData.contentType || 'text/plain',
          value: validatedData.content,
        },
      ]
    }
    if (validatedData.replyTo) {
      mailBody.reply_to = {
        email: validatedData.replyTo,
        ...(validatedData.replyToName && { name: validatedData.replyToName }),
      }
    }
    // Process attachments from UserFile objects
    if (validatedData.attachments && validatedData.attachments.length > 0) {
      const rawAttachments = validatedData.attachments
      logger.info(`[${requestId}] Processing ${rawAttachments.length} attachment(s)`)
      const userFiles = processFilesToUserFiles(rawAttachments, requestId, logger)
      if (userFiles.length > 0) {
        const sendGridAttachments = await Promise.all(
          userFiles.map(async (file) => {
            try {
              logger.info(
                `[${requestId}] Downloading attachment: ${file.name} (${file.size} bytes)`
              )
              const buffer = await downloadFileFromStorage(file, requestId, logger)
              return {
                content: buffer.toString('base64'),
                filename: file.name,
                type: file.type || 'application/octet-stream',
                disposition: 'attachment',
              }
            } catch (error) {
              logger.error(`[${requestId}] Failed to download attachment ${file.name}:`, error)
              throw new Error(
                `Failed to download attachment "${file.name}": ${error instanceof Error ? error.message : 'Unknown error'}`
              )
            }
          })
        )
        mailBody.attachments = sendGridAttachments
      }
    }
    // Send to SendGrid
    const response = await fetch('https://api.sendgrid.com/v3/mail/send', {
      method: 'POST',
      headers: {
        Authorization: `Bearer ${validatedData.apiKey}`,
        'Content-Type': 'application/json',
      },
      body: JSON.stringify(mailBody),
    })
    if (!response.ok) {
      const errorData = await response.json().catch(() => ({}))
      const errorMessage =
        errorData.errors?.[0]?.message || errorData.message || 'Failed to send email'
      logger.error(`[${requestId}] SendGrid API error:`, { status: response.status, errorData })
      return NextResponse.json({ success: false, error: errorMessage }, { status: response.status })
    }
    const messageId = response.headers.get('X-Message-Id')
    logger.info(`[${requestId}] Email sent successfully`, { messageId })
    return NextResponse.json({
      success: true,
      output: {
        success: true,
        messageId: messageId || undefined,
        to: validatedData.to,
        subject: validatedData.subject || '',
      },
    })
  } catch (error) {
    if (error instanceof z.ZodError) {
      logger.warn(`[${requestId}] Validation error:`, error.errors)
      return NextResponse.json(
        { success: false, error: error.errors[0]?.message || 'Validation failed' },
        { status: 400 }
      )
    }
    logger.error(`[${requestId}] Unexpected error:`, error)
    return NextResponse.json(
      { success: false, error: error instanceof Error ? error.message : 'Unknown error' },
      { status: 500 }
    )
  }
 }
--- a/apps/sim/app/api/tools/sftp/download/route.ts
+++ b/apps/sim/app/api/tools/sftp/download/route.ts
@@ -4,6 +4,7 @@ import { type NextRequest, NextResponse } from 'next/server'
 import { z } from 'zod'
 import { checkInternalAuth } from '@/lib/auth/hybrid'
 import { generateRequestId } from '@/lib/core/utils/request'
 import { getFileExtension, getMimeTypeFromExtension } from '@/lib/uploads/utils/file-utils'
 import { createSftpConnection, getSftp, isPathSafe, sanitizePath } from '@/app/api/tools/sftp/utils'
 export const dynamic = 'force-dynamic'
@@ -111,6 +112,8 @@ export async function POST(request: NextRequest) {
      const buffer = Buffer.concat(chunks)
      const fileName = path.basename(remotePath)
      const extension = getFileExtension(fileName)
      const mimeType = getMimeTypeFromExtension(extension)
      let content: string
      if (params.encoding === 'base64') {
@@ -124,6 +127,12 @@ export async function POST(request: NextRequest) {
      return NextResponse.json({
        success: true,
        fileName,
        file: {
          name: fileName,
          mimeType,
          data: buffer.toString('base64'),
          size: buffer.length,
        },
        content,
        size: buffer.length,
        encoding: params.encoding,
--- a/apps/sim/app/api/tools/sftp/upload/route.ts
+++ b/apps/sim/app/api/tools/sftp/upload/route.ts
@@ -3,6 +3,7 @@ import { type NextRequest, NextResponse } from 'next/server'
 import { z } from 'zod'
 import { checkInternalAuth } from '@/lib/auth/hybrid'
 import { generateRequestId } from '@/lib/core/utils/request'
 import { RawFileInputArraySchema } from '@/lib/uploads/utils/file-schemas'
 import { processFilesToUserFiles } from '@/lib/uploads/utils/file-utils'
 import { downloadFileFromStorage } from '@/lib/uploads/utils/file-utils.server'
 import {
@@ -26,14 +27,7 @@ const UploadSchema = z.object({
  privateKey: z.string().nullish(),
  passphrase: z.string().nullish(),
  remotePath: z.string().min(1, 'Remote path is required'),
-  files: z
+  files: RawFileInputArraySchema.optional().nullable(),
    .union([z.array(z.any()), z.string(), z.number(), z.null(), z.undefined()])
    .transform((val) => {
      if (Array.isArray(val)) return val
      if (val === null || val === undefined || val === '') return undefined
      return undefined
    })
    .nullish(),
  fileContent: z.string().nullish(),
  fileName: z.string().nullish(),
  overwrite: z.boolean().default(true),
--- a/apps/sim/app/api/tools/sharepoint/upload/route.ts
+++ b/apps/sim/app/api/tools/sharepoint/upload/route.ts
@@ -2,9 +2,12 @@ import { createLogger } from '@sim/logger'
 import { type NextRequest, NextResponse } from 'next/server'
 import { z } from 'zod'
 import { checkInternalAuth } from '@/lib/auth/hybrid'
 import { secureFetchWithValidation } from '@/lib/core/security/input-validation.server'
 import { generateRequestId } from '@/lib/core/utils/request'
 import { RawFileInputArraySchema } from '@/lib/uploads/utils/file-schemas'
 import { processFilesToUserFiles } from '@/lib/uploads/utils/file-utils'
 import { downloadFileFromStorage } from '@/lib/uploads/utils/file-utils.server'
 import type { MicrosoftGraphDriveItem } from '@/tools/onedrive/types'
 export const dynamic = 'force-dynamic'
@@ -16,7 +19,7 @@ const SharepointUploadSchema = z.object({
  driveId: z.string().optional().nullable(),
  folderPath: z.string().optional().nullable(),
  fileName: z.string().optional().nullable(),
-  files: z.array(z.any()).optional().nullable(),
+  files: RawFileInputArraySchema.optional().nullable(),
 })
 export async function POST(request: NextRequest) {
@@ -79,18 +82,23 @@ export async function POST(request: NextRequest) {
    let effectiveDriveId = validatedData.driveId
    if (!effectiveDriveId) {
      logger.info(`[${requestId}] No driveId provided, fetching default drive for site`)
-      const driveResponse = await fetch(
+      const driveUrl = `https://graph.microsoft.com/v1.0/sites/${validatedData.siteId}/drive`
-        `https://graph.microsoft.com/v1.0/sites/${validatedData.siteId}/drive`,
+      const driveResponse = await secureFetchWithValidation(
        driveUrl,
        {
          method: 'GET',
          headers: {
            Authorization: `Bearer ${validatedData.accessToken}`,
            Accept: 'application/json',
          },
-        }
+        },
        'driveUrl'
      )
      if (!driveResponse.ok) {
-        const errorData = await driveResponse.json().catch(() => ({}))
+        const errorData = (await driveResponse.json().catch(() => ({}))) as {
          error?: { message?: string }
        }
        logger.error(`[${requestId}] Failed to get default drive:`, errorData)
        return NextResponse.json(
          {
@@ -101,7 +109,7 @@ export async function POST(request: NextRequest) {
        )
      }
-      const driveData = await driveResponse.json()
+      const driveData = (await driveResponse.json()) as { id: string }
      effectiveDriveId = driveData.id
      logger.info(`[${requestId}] Using default drive: ${effectiveDriveId}`)
    }
@@ -145,34 +153,87 @@ export async function POST(request: NextRequest) {
      logger.info(`[${requestId}] Uploading to: ${uploadUrl}`)
-      const uploadResponse = await fetch(uploadUrl, {
+      const uploadResponse = await secureFetchWithValidation(
-        method: 'PUT',
+        uploadUrl,
-        headers: {
+        {
-          Authorization: `Bearer ${validatedData.accessToken}`,
+          method: 'PUT',
-          'Content-Type': userFile.type || 'application/octet-stream',
+          headers: {
            Authorization: `Bearer ${validatedData.accessToken}`,
            'Content-Type': userFile.type || 'application/octet-stream',
          },
          body: buffer,
        },
-        body: new Uint8Array(buffer),
+        'uploadUrl'
-      })
+      )
      if (!uploadResponse.ok) {
        const errorData = await uploadResponse.json().catch(() => ({}))
        logger.error(`[${requestId}] Failed to upload file ${fileName}:`, errorData)
        if (uploadResponse.status === 409) {
-          logger.warn(`[${requestId}] File ${fileName} already exists, attempting to replace`)
+          // File exists - retry with conflict behavior set to replace
          logger.warn(`[${requestId}] File ${fileName} already exists, retrying with replace`)
          const replaceUrl = `${uploadUrl}?@microsoft.graph.conflictBehavior=replace`
          const replaceResponse = await secureFetchWithValidation(
            replaceUrl,
            {
              method: 'PUT',
              headers: {
                Authorization: `Bearer ${validatedData.accessToken}`,
                'Content-Type': userFile.type || 'application/octet-stream',
              },
              body: buffer,
            },
            'replaceUrl'
          )
          if (!replaceResponse.ok) {
            const replaceErrorData = (await replaceResponse.json().catch(() => ({}))) as {
              error?: { message?: string }
            }
            logger.error(`[${requestId}] Failed to replace file ${fileName}:`, replaceErrorData)
            return NextResponse.json(
              {
                success: false,
                error: replaceErrorData.error?.message || `Failed to replace file: ${fileName}`,
              },
              { status: replaceResponse.status }
            )
          }
          const replaceData = (await replaceResponse.json()) as {
            id: string
            name: string
            webUrl: string
            size: number
            createdDateTime: string
            lastModifiedDateTime: string
          }
          logger.info(`[${requestId}] File replaced successfully: ${fileName}`)
          uploadedFiles.push({
            id: replaceData.id,
            name: replaceData.name,
            webUrl: replaceData.webUrl,
            size: replaceData.size,
            createdDateTime: replaceData.createdDateTime,
            lastModifiedDateTime: replaceData.lastModifiedDateTime,
          })
          continue
        }
        return NextResponse.json(
          {
            success: false,
-            error: errorData.error?.message || `Failed to upload file: ${fileName}`,
+            error:
              (errorData as { error?: { message?: string } }).error?.message ||
              `Failed to upload file: ${fileName}`,
          },
          { status: uploadResponse.status }
        )
      }
-      const uploadData = await uploadResponse.json()
+      const uploadData = (await uploadResponse.json()) as MicrosoftGraphDriveItem
      logger.info(`[${requestId}] File uploaded successfully: ${fileName}`)
      uploadedFiles.push({
--- a/apps/sim/app/api/tools/slack/download/route.ts
+++ b/apps/sim/app/api/tools/slack/download/route.ts
@@ -0,0 +1,170 @@
 import { createLogger } from '@sim/logger'
 import { type NextRequest, NextResponse } from 'next/server'
 import { z } from 'zod'
 import { checkInternalAuth } from '@/lib/auth/hybrid'
 import {
  secureFetchWithPinnedIP,
  validateUrlWithDNS,
 } from '@/lib/core/security/input-validation.server'
 import { generateRequestId } from '@/lib/core/utils/request'
 export const dynamic = 'force-dynamic'
 const logger = createLogger('SlackDownloadAPI')
 const SlackDownloadSchema = z.object({
  accessToken: z.string().min(1, 'Access token is required'),
  fileId: z.string().min(1, 'File ID is required'),
  fileName: z.string().optional().nullable(),
 })
 export async function POST(request: NextRequest) {
  const requestId = generateRequestId()
  try {
    const authResult = await checkInternalAuth(request, { requireWorkflowId: false })
    if (!authResult.success) {
      logger.warn(`[${requestId}] Unauthorized Slack download attempt: ${authResult.error}`)
      return NextResponse.json(
        {
          success: false,
          error: authResult.error || 'Authentication required',
        },
        { status: 401 }
      )
    }
    logger.info(`[${requestId}] Authenticated Slack download request via ${authResult.authType}`, {
      userId: authResult.userId,
    })
    const body = await request.json()
    const validatedData = SlackDownloadSchema.parse(body)
    const { accessToken, fileId, fileName } = validatedData
    logger.info(`[${requestId}] Getting file info from Slack`, { fileId })
    const infoResponse = await fetch(`https://slack.com/api/files.info?file=${fileId}`, {
      method: 'GET',
      headers: {
        Authorization: `Bearer ${accessToken}`,
      },
    })
    if (!infoResponse.ok) {
      const errorDetails = await infoResponse.json().catch(() => ({}))
      logger.error(`[${requestId}] Failed to get file info from Slack`, {
        status: infoResponse.status,
        statusText: infoResponse.statusText,
        error: errorDetails,
      })
      return NextResponse.json(
        {
          success: false,
          error: errorDetails.error || 'Failed to get file info',
        },
        { status: 400 }
      )
    }
    const data = await infoResponse.json()
    if (!data.ok) {
      logger.error(`[${requestId}] Slack API returned error`, { error: data.error })
      return NextResponse.json(
        {
          success: false,
          error: data.error || 'Slack API error',
        },
        { status: 400 }
      )
    }
    const file = data.file
    const resolvedFileName = fileName || file.name || 'download'
    const mimeType = file.mimetype || 'application/octet-stream'
    const urlPrivate = file.url_private
    if (!urlPrivate) {
      return NextResponse.json(
        {
          success: false,
          error: 'File does not have a download URL',
        },
        { status: 400 }
      )
    }
    const urlValidation = await validateUrlWithDNS(urlPrivate, 'urlPrivate')
    if (!urlValidation.isValid) {
      return NextResponse.json(
        {
          success: false,
          error: urlValidation.error,
        },
        { status: 400 }
      )
    }
    logger.info(`[${requestId}] Downloading file from Slack`, {
      fileId,
      fileName: resolvedFileName,
      mimeType,
    })
    const downloadResponse = await secureFetchWithPinnedIP(urlPrivate, urlValidation.resolvedIP!, {
      headers: {
        Authorization: `Bearer ${accessToken}`,
      },
    })
    if (!downloadResponse.ok) {
      logger.error(`[${requestId}] Failed to download file content`, {
        status: downloadResponse.status,
        statusText: downloadResponse.statusText,
      })
      return NextResponse.json(
        {
          success: false,
          error: 'Failed to download file content',
        },
        { status: 400 }
      )
    }
    const arrayBuffer = await downloadResponse.arrayBuffer()
    const fileBuffer = Buffer.from(arrayBuffer)
    logger.info(`[${requestId}] File downloaded successfully`, {
      fileId,
      name: resolvedFileName,
      size: fileBuffer.length,
      mimeType,
    })
    const base64Data = fileBuffer.toString('base64')
    return NextResponse.json({
      success: true,
      output: {
        file: {
          name: resolvedFileName,
          mimeType,
          data: base64Data,
          size: fileBuffer.length,
        },
      },
    })
  } catch (error) {
    logger.error(`[${requestId}] Error downloading Slack file:`, error)
    return NextResponse.json(
      {
        success: false,
        error: error instanceof Error ? error.message : 'Unknown error occurred',
      },
      { status: 500 }
    )
  }
 }
--- a/apps/sim/app/api/tools/slack/send-message/route.ts
+++ b/apps/sim/app/api/tools/slack/send-message/route.ts
@@ -3,6 +3,7 @@ import { type NextRequest, NextResponse } from 'next/server'
 import { z } from 'zod'
 import { checkInternalAuth } from '@/lib/auth/hybrid'
 import { generateRequestId } from '@/lib/core/utils/request'
 import { RawFileInputArraySchema } from '@/lib/uploads/utils/file-schemas'
 import { sendSlackMessage } from '../utils'
 export const dynamic = 'force-dynamic'
@@ -16,7 +17,7 @@ const SlackSendMessageSchema = z
    userId: z.string().optional().nullable(),
    text: z.string().min(1, 'Message text is required'),
    thread_ts: z.string().optional().nullable(),
-    files: z.array(z.any()).optional().nullable(),
+    files: RawFileInputArraySchema.optional().nullable(),
  })
  .refine((data) => data.channel || data.userId, {
    message: 'Either channel or userId is required',
--- a/apps/sim/app/api/tools/slack/utils.ts
+++ b/apps/sim/app/api/tools/slack/utils.ts
@@ -1,6 +1,8 @@
 import type { Logger } from '@sim/logger'
 import { secureFetchWithValidation } from '@/lib/core/security/input-validation.server'
 import { processFilesToUserFiles } from '@/lib/uploads/utils/file-utils'
 import { downloadFileFromStorage } from '@/lib/uploads/utils/file-utils.server'
 import type { ToolFileData } from '@/tools/types'
 /**
 * Sends a message to a Slack channel using chat.postMessage
@@ -70,9 +72,10 @@ export async function uploadFilesToSlack(
  accessToken: string,
  requestId: string,
  logger: Logger
-): Promise<string[]> {
+): Promise<{ fileIds: string[]; files: ToolFileData[] }> {
  const userFiles = processFilesToUserFiles(files, requestId, logger)
  const uploadedFileIds: string[] = []
  const uploadedFiles: ToolFileData[] = []
  for (const userFile of userFiles) {
    logger.info(`[${requestId}] Uploading file: ${userFile.name}`)
@@ -100,10 +103,14 @@ export async function uploadFilesToSlack(
    logger.info(`[${requestId}] Got upload URL for ${userFile.name}, file_id: ${urlData.file_id}`)
-    const uploadResponse = await fetch(urlData.upload_url, {
+    const uploadResponse = await secureFetchWithValidation(
-      method: 'POST',
+      urlData.upload_url,
-      body: new Uint8Array(buffer),
+      {
-    })
+        method: 'POST',
        body: buffer,
      },
      'uploadUrl'
    )
    if (!uploadResponse.ok) {
      logger.error(`[${requestId}] Failed to upload file data: ${uploadResponse.status}`)
@@ -112,9 +119,16 @@ export async function uploadFilesToSlack(
    logger.info(`[${requestId}] File data uploaded successfully`)
    uploadedFileIds.push(urlData.file_id)
    // Only add to uploadedFiles after successful upload to keep arrays in sync
    uploadedFiles.push({
      name: userFile.name,
      mimeType: userFile.type || 'application/octet-stream',
      data: buffer.toString('base64'),
      size: buffer.length,
    })
  }
-  return uploadedFileIds
+  return { fileIds: uploadedFileIds, files: uploadedFiles }
 }
 /**
@@ -124,7 +138,8 @@ export async function completeSlackFileUpload(
  uploadedFileIds: string[],
  channel: string,
  text: string,
-  accessToken: string
+  accessToken: string,
  threadTs?: string | null
 ): Promise<{ ok: boolean; files?: any[]; error?: string }> {
  const response = await fetch('https://slack.com/api/files.completeUploadExternal', {
    method: 'POST',
@@ -136,6 +151,7 @@ export async function completeSlackFileUpload(
      files: uploadedFileIds.map((id) => ({ id })),
      channel_id: channel,
      initial_comment: text,
      ...(threadTs && { thread_ts: threadTs }),
    }),
  })
@@ -217,7 +233,13 @@ export async function sendSlackMessage(
  logger: Logger
 ): Promise<{
  success: boolean
-  output?: { message: any; ts: string; channel: string; fileCount?: number }
+  output?: {
    message: any
    ts: string
    channel: string
    fileCount?: number
    files?: ToolFileData[]
  }
  error?: string
 }> {
  const { accessToken, text, threadTs, files } = params
@@ -249,10 +271,15 @@ export async function sendSlackMessage(
  // Process files
  logger.info(`[${requestId}] Processing ${files.length} file(s)`)
-  const uploadedFileIds = await uploadFilesToSlack(files, accessToken, requestId, logger)
+  const { fileIds, files: uploadedFiles } = await uploadFilesToSlack(
    files,
    accessToken,
    requestId,
    logger
  )
  // No valid files uploaded - send text-only
-  if (uploadedFileIds.length === 0) {
+  if (fileIds.length === 0) {
    logger.warn(`[${requestId}] No valid files to upload, sending text-only message`)
    const data = await postSlackMessage(accessToken, channel, text, threadTs)
@@ -264,8 +291,8 @@ export async function sendSlackMessage(
    return { success: true, output: formatMessageSuccessResponse(data, text) }
  }
-  // Complete file upload
+  // Complete file upload with thread support
-  const completeData = await completeSlackFileUpload(uploadedFileIds, channel, text, accessToken)
+  const completeData = await completeSlackFileUpload(fileIds, channel, text, accessToken, threadTs)
  if (!completeData.ok) {
    logger.error(`[${requestId}] Failed to complete upload:`, completeData.error)
@@ -282,7 +309,8 @@ export async function sendSlackMessage(
      message: fileMessage,
      ts: fileMessage.ts,
      channel,
-      fileCount: uploadedFileIds.length,
+      fileCount: fileIds.length,
      files: uploadedFiles,
    },
  }
 }
--- a/apps/sim/app/api/tools/smtp/send/route.ts
+++ b/apps/sim/app/api/tools/smtp/send/route.ts
@@ -4,6 +4,7 @@ import nodemailer from 'nodemailer'
 import { z } from 'zod'
 import { checkInternalAuth } from '@/lib/auth/hybrid'
 import { generateRequestId } from '@/lib/core/utils/request'
 import { RawFileInputArraySchema } from '@/lib/uploads/utils/file-schemas'
 import { processFilesToUserFiles } from '@/lib/uploads/utils/file-utils'
 import { downloadFileFromStorage } from '@/lib/uploads/utils/file-utils.server'
@@ -28,7 +29,7 @@ const SmtpSendSchema = z.object({
  cc: z.string().optional().nullable(),
  bcc: z.string().optional().nullable(),
  replyTo: z.string().optional().nullable(),
-  attachments: z.array(z.any()).optional().nullable(),
+  attachments: RawFileInputArraySchema.optional().nullable(),
 })
 export async function POST(request: NextRequest) {
--- a/apps/sim/app/api/tools/ssh/download-file/route.ts
+++ b/apps/sim/app/api/tools/ssh/download-file/route.ts
@@ -5,6 +5,7 @@ import { type NextRequest, NextResponse } from 'next/server'
 import type { Client, SFTPWrapper } from 'ssh2'
 import { z } from 'zod'
 import { checkInternalAuth } from '@/lib/auth/hybrid'
 import { getFileExtension, getMimeTypeFromExtension } from '@/lib/uploads/utils/file-utils'
 import { createSSHConnection, sanitizePath } from '@/app/api/tools/ssh/utils'
 const logger = createLogger('SSHDownloadFileAPI')
@@ -79,6 +80,16 @@ export async function POST(request: NextRequest) {
        })
      })
      // Check file size limit (50MB to prevent memory exhaustion)
      const maxSize = 50 * 1024 * 1024
      if (stats.size > maxSize) {
        const sizeMB = (stats.size / (1024 * 1024)).toFixed(2)
        return NextResponse.json(
          { error: `File size (${sizeMB}MB) exceeds download limit of 50MB` },
          { status: 400 }
        )
      }
      // Read file content
      const content = await new Promise<Buffer>((resolve, reject) => {
        const chunks: Buffer[] = []
@@ -96,6 +107,8 @@ export async function POST(request: NextRequest) {
      })
      const fileName = path.basename(remotePath)
      const extension = getFileExtension(fileName)
      const mimeType = getMimeTypeFromExtension(extension)
      // Encode content as base64 for binary safety
      const base64Content = content.toString('base64')
@@ -104,6 +117,12 @@ export async function POST(request: NextRequest) {
      return NextResponse.json({
        downloaded: true,
        file: {
          name: fileName,
          mimeType,
          data: base64Content,
          size: stats.size,
        },
        content: base64Content,
        fileName: fileName,
        remotePath: remotePath,
--- a/apps/sim/app/api/tools/stagehand/agent/route.ts
+++ b/apps/sim/app/api/tools/stagehand/agent/route.ts
@@ -3,6 +3,7 @@ import { type NextRequest, NextResponse } from 'next/server'
 import { z } from 'zod'
 import { checkInternalAuth } from '@/lib/auth/hybrid'
 import { env } from '@/lib/core/config/env'
 import { validateUrlWithDNS } from '@/lib/core/security/input-validation.server'
 import { isSensitiveKey, REDACTED_MARKER } from '@/lib/core/security/redaction'
 import { ensureZodObject, normalizeUrl } from '@/app/api/tools/stagehand/utils'
@@ -123,6 +124,10 @@ export async function POST(request: NextRequest) {
    const variablesObject = processVariables(params.variables)
    const startUrl = normalizeUrl(rawStartUrl)
    const urlValidation = await validateUrlWithDNS(startUrl, 'startUrl')
    if (!urlValidation.isValid) {
      return NextResponse.json({ error: urlValidation.error }, { status: 400 })
    }
    logger.info('Starting Stagehand agent process', {
      rawStartUrl,
--- a/apps/sim/app/api/tools/stagehand/extract/route.ts
+++ b/apps/sim/app/api/tools/stagehand/extract/route.ts
@@ -3,6 +3,7 @@ import { type NextRequest, NextResponse } from 'next/server'
 import { z } from 'zod'
 import { checkInternalAuth } from '@/lib/auth/hybrid'
 import { env } from '@/lib/core/config/env'
 import { validateUrlWithDNS } from '@/lib/core/security/input-validation.server'
 import { ensureZodObject, normalizeUrl } from '@/app/api/tools/stagehand/utils'
 const logger = createLogger('StagehandExtractAPI')
@@ -51,6 +52,10 @@ export async function POST(request: NextRequest) {
    const params = validationResult.data
    const { url: rawUrl, instruction, selector, provider, apiKey, schema } = params
    const url = normalizeUrl(rawUrl)
    const urlValidation = await validateUrlWithDNS(url, 'url')
    if (!urlValidation.isValid) {
      return NextResponse.json({ error: urlValidation.error }, { status: 400 })
    }
    logger.info('Starting Stagehand extraction process', {
      rawUrl,
--- a/apps/sim/app/api/tools/stt/route.ts
+++ b/apps/sim/app/api/tools/stt/route.ts
@@ -2,7 +2,15 @@ import { createLogger } from '@sim/logger'
 import { type NextRequest, NextResponse } from 'next/server'
 import { extractAudioFromVideo, isVideoFile } from '@/lib/audio/extractor'
 import { checkInternalAuth } from '@/lib/auth/hybrid'
-import { downloadFileFromStorage } from '@/lib/uploads/utils/file-utils.server'
+import {
  secureFetchWithPinnedIP,
  validateUrlWithDNS,
 } from '@/lib/core/security/input-validation.server'
 import { getMimeTypeFromExtension, isInternalFileUrl } from '@/lib/uploads/utils/file-utils'
 import {
  downloadFileFromStorage,
  resolveInternalFileUrl,
 } from '@/lib/uploads/utils/file-utils.server'
 import type { UserFile } from '@/executor/types'
 import type { TranscriptSegment } from '@/tools/stt/types'
@@ -45,6 +53,7 @@ export async function POST(request: NextRequest) {
      return NextResponse.json({ error: 'Unauthorized' }, { status: 401 })
    }
    const userId = authResult.userId
    const body: SttRequestBody = await request.json()
    const {
      provider,
@@ -72,13 +81,25 @@ export async function POST(request: NextRequest) {
    let audioMimeType: string
    if (body.audioFile) {
      if (Array.isArray(body.audioFile) && body.audioFile.length !== 1) {
        return NextResponse.json({ error: 'audioFile must be a single file' }, { status: 400 })
      }
      const file = Array.isArray(body.audioFile) ? body.audioFile[0] : body.audioFile
      logger.info(`[${requestId}] Processing uploaded file: ${file.name}`)
      audioBuffer = await downloadFileFromStorage(file, requestId, logger)
      audioFileName = file.name
-      audioMimeType = file.type
+      // file.type may be missing if the file came from a block that doesn't preserve it
      // Infer from filename extension as fallback
      const ext = file.name.split('.').pop()?.toLowerCase() || ''
      audioMimeType = file.type || getMimeTypeFromExtension(ext)
    } else if (body.audioFileReference) {
      if (Array.isArray(body.audioFileReference) && body.audioFileReference.length !== 1) {
        return NextResponse.json(
          { error: 'audioFileReference must be a single file' },
          { status: 400 }
        )
      }
      const file = Array.isArray(body.audioFileReference)
        ? body.audioFileReference[0]
        : body.audioFileReference
@@ -86,18 +107,54 @@ export async function POST(request: NextRequest) {
      audioBuffer = await downloadFileFromStorage(file, requestId, logger)
      audioFileName = file.name
-      audioMimeType = file.type
+
      const ext = file.name.split('.').pop()?.toLowerCase() || ''
      audioMimeType = file.type || getMimeTypeFromExtension(ext)
    } else if (body.audioUrl) {
      logger.info(`[${requestId}] Downloading from URL: ${body.audioUrl}`)
-      const response = await fetch(body.audioUrl)
+      let audioUrl = body.audioUrl.trim()
      if (audioUrl.startsWith('/') && !isInternalFileUrl(audioUrl)) {
        return NextResponse.json(
          {
            error: 'Invalid file path. Only uploaded files are supported for internal paths.',
          },
          { status: 400 }
        )
      }
      if (isInternalFileUrl(audioUrl)) {
        if (!userId) {
          return NextResponse.json(
            { error: 'Authentication required for internal file access' },
            { status: 401 }
          )
        }
        const resolution = await resolveInternalFileUrl(audioUrl, userId, requestId, logger)
        if (resolution.error) {
          return NextResponse.json(
            { error: resolution.error.message },
            { status: resolution.error.status }
          )
        }
        audioUrl = resolution.fileUrl || audioUrl
      }
      const urlValidation = await validateUrlWithDNS(audioUrl, 'audioUrl')
      if (!urlValidation.isValid) {
        return NextResponse.json({ error: urlValidation.error }, { status: 400 })
      }
      const response = await secureFetchWithPinnedIP(audioUrl, urlValidation.resolvedIP!, {
        method: 'GET',
      })
      if (!response.ok) {
        throw new Error(`Failed to download audio from URL: ${response.statusText}`)
      }
      const arrayBuffer = await response.arrayBuffer()
      audioBuffer = Buffer.from(arrayBuffer)
-      audioFileName = body.audioUrl.split('/').pop() || 'audio_file'
+      audioFileName = audioUrl.split('/').pop() || 'audio_file'
      audioMimeType = response.headers.get('content-type') || 'audio/mpeg'
    } else {
      return NextResponse.json(
@@ -149,7 +206,9 @@ export async function POST(request: NextRequest) {
          translateToEnglish,
          model,
          body.prompt,
-          body.temperature
+          body.temperature,
          audioMimeType,
          audioFileName
        )
        transcript = result.transcript
        segments = result.segments
@@ -162,7 +221,8 @@ export async function POST(request: NextRequest) {
          language,
          timestamps,
          diarization,
-          model
+          model,
          audioMimeType
        )
        transcript = result.transcript
        segments = result.segments
@@ -252,7 +312,9 @@ async function transcribeWithWhisper(
  translate?: boolean,
  model?: string,
  prompt?: string,
-  temperature?: number
+  temperature?: number,
  mimeType?: string,
  fileName?: string
 ): Promise<{
  transcript: string
  segments?: TranscriptSegment[]
@@ -261,8 +323,11 @@ async function transcribeWithWhisper(
 }> {
  const formData = new FormData()
-  const blob = new Blob([new Uint8Array(audioBuffer)], { type: 'audio/mpeg' })
+  // Use actual MIME type and filename if provided
-  formData.append('file', blob, 'audio.mp3')
+  const actualMimeType = mimeType || 'audio/mpeg'
  const actualFileName = fileName || 'audio.mp3'
  const blob = new Blob([new Uint8Array(audioBuffer)], { type: actualMimeType })
  formData.append('file', blob, actualFileName)
  formData.append('model', model || 'whisper-1')
  if (language && language !== 'auto') {
@@ -279,10 +344,11 @@ async function transcribeWithWhisper(
  formData.append('response_format', 'verbose_json')
  // OpenAI API uses array notation for timestamp_granularities
  if (timestamps === 'word') {
-    formData.append('timestamp_granularities', 'word')
+    formData.append('timestamp_granularities[]', 'word')
  } else if (timestamps === 'sentence') {
-    formData.append('timestamp_granularities', 'segment')
+    formData.append('timestamp_granularities[]', 'segment')
  }
  const endpoint = translate ? 'translations' : 'transcriptions'
@@ -325,7 +391,8 @@ async function transcribeWithDeepgram(
  language?: string,
  timestamps?: 'none' | 'sentence' | 'word',
  diarization?: boolean,
-  model?: string
+  model?: string,
  mimeType?: string
 ): Promise<{
  transcript: string
  segments?: TranscriptSegment[]
@@ -357,7 +424,7 @@ async function transcribeWithDeepgram(
    method: 'POST',
    headers: {
      Authorization: `Token ${apiKey}`,
-      'Content-Type': 'audio/mpeg',
+      'Content-Type': mimeType || 'audio/mpeg',
    },
    body: new Uint8Array(audioBuffer),
  })
@@ -513,7 +580,8 @@ async function transcribeWithAssemblyAI(
    audio_url: upload_url,
  }
-  if (model === 'best' || model === 'nano') {
+  // AssemblyAI supports 'best', 'slam-1', or 'universal' for speech_model
  if (model === 'best' || model === 'slam-1' || model === 'universal') {
    transcriptRequest.speech_model = model
  }
--- a/apps/sim/app/api/tools/supabase/storage-upload/route.ts
+++ b/apps/sim/app/api/tools/supabase/storage-upload/route.ts
@@ -3,6 +3,7 @@ import { type NextRequest, NextResponse } from 'next/server'
 import { z } from 'zod'
 import { checkInternalAuth } from '@/lib/auth/hybrid'
 import { generateRequestId } from '@/lib/core/utils/request'
 import { FileInputSchema } from '@/lib/uploads/utils/file-schemas'
 import { processSingleFileToUserFile } from '@/lib/uploads/utils/file-utils'
 import { downloadFileFromStorage } from '@/lib/uploads/utils/file-utils.server'
@@ -16,7 +17,7 @@ const SupabaseStorageUploadSchema = z.object({
  bucket: z.string().min(1, 'Bucket name is required'),
  fileName: z.string().min(1, 'File name is required'),
  path: z.string().optional().nullable(),
-  fileData: z.any(),
+  fileData: FileInputSchema,
  contentType: z.string().optional().nullable(),
  upsert: z.boolean().optional().default(false),
 })
--- a/apps/sim/app/api/tools/telegram/send-document/route.ts
+++ b/apps/sim/app/api/tools/telegram/send-document/route.ts
@@ -3,6 +3,7 @@ import { type NextRequest, NextResponse } from 'next/server'
 import { z } from 'zod'
 import { checkInternalAuth } from '@/lib/auth/hybrid'
 import { generateRequestId } from '@/lib/core/utils/request'
 import { RawFileInputArraySchema } from '@/lib/uploads/utils/file-schemas'
 import { processFilesToUserFiles } from '@/lib/uploads/utils/file-utils'
 import { downloadFileFromStorage } from '@/lib/uploads/utils/file-utils.server'
 import { convertMarkdownToHTML } from '@/tools/telegram/utils'
@@ -14,7 +15,7 @@ const logger = createLogger('TelegramSendDocumentAPI')
 const TelegramSendDocumentSchema = z.object({
  botToken: z.string().min(1, 'Bot token is required'),
  chatId: z.string().min(1, 'Chat ID is required'),
-  files: z.array(z.any()).optional().nullable(),
+  files: RawFileInputArraySchema.optional().nullable(),
  caption: z.string().optional().nullable(),
 })
@@ -93,6 +94,14 @@ export async function POST(request: NextRequest) {
    logger.info(`[${requestId}] Uploading document: ${userFile.name}`)
    const buffer = await downloadFileFromStorage(userFile, requestId, logger)
    const filesOutput = [
      {
        name: userFile.name,
        mimeType: userFile.type || 'application/octet-stream',
        data: buffer.toString('base64'),
        size: buffer.length,
      },
    ]
    logger.info(`[${requestId}] Downloaded file: ${buffer.length} bytes`)
@@ -135,6 +144,7 @@ export async function POST(request: NextRequest) {
      output: {
        message: 'Document sent successfully',
        data: data.result,
        files: filesOutput,
      },
    })
  } catch (error) {
--- a/apps/sim/app/api/tools/textract/parse/route.ts
+++ b/apps/sim/app/api/tools/textract/parse/route.ts
@@ -3,19 +3,18 @@ import { createLogger } from '@sim/logger'
 import { type NextRequest, NextResponse } from 'next/server'
 import { z } from 'zod'
 import { checkInternalAuth } from '@/lib/auth/hybrid'
 import { validateAwsRegion, validateS3BucketName } from '@/lib/core/security/input-validation'
 import {
-  validateAwsRegion,
+  secureFetchWithPinnedIP,
-  validateExternalUrl,
+  validateUrlWithDNS,
-  validateS3BucketName,
+} from '@/lib/core/security/input-validation.server'
 } from '@/lib/core/security/input-validation'
 import { generateRequestId } from '@/lib/core/utils/request'
-import { StorageService } from '@/lib/uploads'
+import { RawFileInputSchema } from '@/lib/uploads/utils/file-schemas'
 import { isInternalFileUrl, processSingleFileToUserFile } from '@/lib/uploads/utils/file-utils'
 import {
-  extractStorageKey,
+  downloadFileFromStorage,
-  inferContextFromKey,
+  resolveInternalFileUrl,
-  isInternalFileUrl,
+} from '@/lib/uploads/utils/file-utils.server'
 } from '@/lib/uploads/utils/file-utils'
 import { verifyFileAccess } from '@/app/api/files/authorization'
 export const dynamic = 'force-dynamic'
 export const maxDuration = 300 // 5 minutes for large multi-page PDF processing
@@ -35,6 +34,7 @@ const TextractParseSchema = z
    region: z.string().min(1, 'AWS region is required'),
    processingMode: z.enum(['sync', 'async']).optional().default('sync'),
    filePath: z.string().optional(),
    file: RawFileInputSchema.optional(),
    s3Uri: z.string().optional(),
    featureTypes: z
      .array(z.enum(['TABLES', 'FORMS', 'QUERIES', 'SIGNATURES', 'LAYOUT']))
@@ -50,6 +50,20 @@ const TextractParseSchema = z
        path: ['region'],
      })
    }
    if (data.processingMode === 'async' && !data.s3Uri) {
      ctx.addIssue({
        code: z.ZodIssueCode.custom,
        message: 'S3 URI is required for multi-page processing (s3://bucket/key)',
        path: ['s3Uri'],
      })
    }
    if (data.processingMode !== 'async' && !data.file && !data.filePath) {
      ctx.addIssue({
        code: z.ZodIssueCode.custom,
        message: 'File input is required for single-page processing',
        path: ['filePath'],
      })
    }
  })
 function getSignatureKey(
@@ -111,7 +125,14 @@ function signAwsRequest(
 }
 async function fetchDocumentBytes(url: string): Promise<{ bytes: string; contentType: string }> {
-  const response = await fetch(url)
+  const urlValidation = await validateUrlWithDNS(url, 'Document URL')
  if (!urlValidation.isValid) {
    throw new Error(urlValidation.error || 'Invalid document URL')
  }
  const response = await secureFetchWithPinnedIP(url, urlValidation.resolvedIP!, {
    method: 'GET',
  })
  if (!response.ok) {
    throw new Error(`Failed to fetch document: ${response.statusText}`)
  }
@@ -318,8 +339,8 @@ export async function POST(request: NextRequest) {
    logger.info(`[${requestId}] Textract parse request`, {
      processingMode,
-      filePath: validatedData.filePath?.substring(0, 50),
+      hasFile: Boolean(validatedData.file),
-      s3Uri: validatedData.s3Uri?.substring(0, 50),
+      hasS3Uri: Boolean(validatedData.s3Uri),
      featureTypes,
      userId,
    })
@@ -414,90 +435,89 @@ export async function POST(request: NextRequest) {
      })
    }
-    if (!validatedData.filePath) {
+    let bytes = ''
-      return NextResponse.json(
+    let contentType = 'application/octet-stream'
-        {
+    let isPdf = false
          success: false,
          error: 'File path is required for single-page processing',
        },
        { status: 400 }
      )
    }
-    let fileUrl = validatedData.filePath
+    if (validatedData.file) {
-
+      let userFile
    const isInternalFilePath = validatedData.filePath && isInternalFileUrl(validatedData.filePath)
    if (isInternalFilePath) {
      try {
-        const storageKey = extractStorageKey(validatedData.filePath)
+        userFile = processSingleFileToUserFile(validatedData.file, requestId, logger)
        const context = inferContextFromKey(storageKey)
        const hasAccess = await verifyFileAccess(storageKey, userId, undefined, context, false)
        if (!hasAccess) {
          logger.warn(`[${requestId}] Unauthorized presigned URL generation attempt`, {
            userId,
            key: storageKey,
            context,
          })
          return NextResponse.json(
            {
              success: false,
              error: 'File not found',
            },
            { status: 404 }
          )
        }
        fileUrl = await StorageService.generatePresignedDownloadUrl(storageKey, context, 5 * 60)
        logger.info(`[${requestId}] Generated presigned URL for ${context} file`)
      } catch (error) {
        logger.error(`[${requestId}] Failed to generate presigned URL:`, error)
        return NextResponse.json(
          {
            success: false,
-            error: 'Failed to generate file access URL',
+            error: error instanceof Error ? error.message : 'Failed to process file',
          },
          { status: 500 }
        )
      }
    } else if (validatedData.filePath?.startsWith('/')) {
      // Reject arbitrary absolute paths that don't contain /api/files/serve/
      logger.warn(`[${requestId}] Invalid internal path`, {
        userId,
        path: validatedData.filePath.substring(0, 50),
      })
      return NextResponse.json(
        {
          success: false,
          error: 'Invalid file path. Only uploaded files are supported for internal paths.',
        },
        { status: 400 }
      )
    } else {
      const urlValidation = validateExternalUrl(fileUrl, 'Document URL')
      if (!urlValidation.isValid) {
        logger.warn(`[${requestId}] SSRF attempt blocked`, {
          userId,
          url: fileUrl.substring(0, 100),
          error: urlValidation.error,
        })
        return NextResponse.json(
          {
            success: false,
            error: urlValidation.error,
          },
          { status: 400 }
        )
      }
      const buffer = await downloadFileFromStorage(userFile, requestId, logger)
      bytes = buffer.toString('base64')
      contentType = userFile.type || 'application/octet-stream'
      isPdf = contentType.includes('pdf') || userFile.name?.toLowerCase().endsWith('.pdf')
    } else if (validatedData.filePath) {
      let fileUrl = validatedData.filePath
      const isInternalFilePath = isInternalFileUrl(fileUrl)
      if (isInternalFilePath) {
        const resolution = await resolveInternalFileUrl(fileUrl, userId, requestId, logger)
        if (resolution.error) {
          return NextResponse.json(
            {
              success: false,
              error: resolution.error.message,
            },
            { status: resolution.error.status }
          )
        }
        fileUrl = resolution.fileUrl || fileUrl
      } else if (fileUrl.startsWith('/')) {
        logger.warn(`[${requestId}] Invalid internal path`, {
          userId,
          path: fileUrl.substring(0, 50),
        })
        return NextResponse.json(
          {
            success: false,
            error: 'Invalid file path. Only uploaded files are supported for internal paths.',
          },
          { status: 400 }
        )
      } else {
        const urlValidation = await validateUrlWithDNS(fileUrl, 'Document URL')
        if (!urlValidation.isValid) {
          logger.warn(`[${requestId}] SSRF attempt blocked`, {
            userId,
            url: fileUrl.substring(0, 100),
            error: urlValidation.error,
          })
          return NextResponse.json(
            {
              success: false,
              error: urlValidation.error,
            },
            { status: 400 }
          )
        }
      }
      const fetched = await fetchDocumentBytes(fileUrl)
      bytes = fetched.bytes
      contentType = fetched.contentType
      isPdf = contentType.includes('pdf') || fileUrl.toLowerCase().endsWith('.pdf')
    } else {
      return NextResponse.json(
        {
          success: false,
          error: 'File input is required for single-page processing',
        },
        { status: 400 }
      )
    }
    const { bytes, contentType } = await fetchDocumentBytes(fileUrl)
    // Track if this is a PDF for better error messaging
    const isPdf = contentType.includes('pdf') || fileUrl.toLowerCase().endsWith('.pdf')
    const uri = '/'
    let textractBody: Record<string, unknown>
--- a/apps/sim/app/api/tools/twilio/get-recording/route.ts
+++ b/apps/sim/app/api/tools/twilio/get-recording/route.ts
@@ -0,0 +1,250 @@
 import { createLogger } from '@sim/logger'
 import { type NextRequest, NextResponse } from 'next/server'
 import { z } from 'zod'
 import { checkInternalAuth } from '@/lib/auth/hybrid'
 import {
  secureFetchWithPinnedIP,
  validateUrlWithDNS,
 } from '@/lib/core/security/input-validation.server'
 import { generateRequestId } from '@/lib/core/utils/request'
 import { getExtensionFromMimeType } from '@/lib/uploads/utils/file-utils'
 export const dynamic = 'force-dynamic'
 const logger = createLogger('TwilioGetRecordingAPI')
 interface TwilioRecordingResponse {
  sid?: string
  call_sid?: string
  duration?: string
  status?: string
  channels?: number
  source?: string
  price?: string
  price_unit?: string
  uri?: string
  error_code?: number
  message?: string
  error_message?: string
 }
 interface TwilioErrorResponse {
  message?: string
 }
 interface TwilioTranscription {
  transcription_text?: string
  status?: string
  price?: string
  price_unit?: string
 }
 interface TwilioTranscriptionsResponse {
  transcriptions?: TwilioTranscription[]
 }
 const TwilioGetRecordingSchema = z.object({
  accountSid: z.string().min(1, 'Account SID is required'),
  authToken: z.string().min(1, 'Auth token is required'),
  recordingSid: z.string().min(1, 'Recording SID is required'),
 })
 export async function POST(request: NextRequest) {
  const requestId = generateRequestId()
  try {
    const authResult = await checkInternalAuth(request, { requireWorkflowId: false })
    if (!authResult.success) {
      logger.warn(`[${requestId}] Unauthorized Twilio get recording attempt: ${authResult.error}`)
      return NextResponse.json(
        {
          success: false,
          error: authResult.error || 'Authentication required',
        },
        { status: 401 }
      )
    }
    const body = await request.json()
    const validatedData = TwilioGetRecordingSchema.parse(body)
    const { accountSid, authToken, recordingSid } = validatedData
    if (!accountSid.startsWith('AC')) {
      return NextResponse.json(
        {
          success: false,
          error: `Invalid Account SID format. Account SID must start with "AC" (you provided: ${accountSid.substring(0, 2)}...)`,
        },
        { status: 400 }
      )
    }
    const twilioAuth = Buffer.from(`${accountSid}:${authToken}`).toString('base64')
    logger.info(`[${requestId}] Getting recording info from Twilio`, { recordingSid })
    const infoUrl = `https://api.twilio.com/2010-04-01/Accounts/${accountSid}/Recordings/${recordingSid}.json`
    const infoUrlValidation = await validateUrlWithDNS(infoUrl, 'infoUrl')
    if (!infoUrlValidation.isValid) {
      return NextResponse.json({ success: false, error: infoUrlValidation.error }, { status: 400 })
    }
    const infoResponse = await secureFetchWithPinnedIP(infoUrl, infoUrlValidation.resolvedIP!, {
      method: 'GET',
      headers: { Authorization: `Basic ${twilioAuth}` },
    })
    if (!infoResponse.ok) {
      const errorData = (await infoResponse.json().catch(() => ({}))) as TwilioErrorResponse
      logger.error(`[${requestId}] Twilio API error`, {
        status: infoResponse.status,
        error: errorData,
      })
      return NextResponse.json(
        { success: false, error: errorData.message || `Twilio API error: ${infoResponse.status}` },
        { status: 400 }
      )
    }
    const data = (await infoResponse.json()) as TwilioRecordingResponse
    if (data.error_code) {
      return NextResponse.json({
        success: false,
        output: {
          success: false,
          error: data.message || data.error_message || 'Failed to retrieve recording',
        },
        error: data.message || data.error_message || 'Failed to retrieve recording',
      })
    }
    const baseUrl = 'https://api.twilio.com'
    const mediaUrl = data.uri ? `${baseUrl}${data.uri.replace('.json', '')}` : undefined
    let transcriptionText: string | undefined
    let transcriptionStatus: string | undefined
    let transcriptionPrice: string | undefined
    let transcriptionPriceUnit: string | undefined
    let file:
      | {
          name: string
          mimeType: string
          data: string
          size: number
        }
      | undefined
    try {
      const transcriptionUrl = `https://api.twilio.com/2010-04-01/Accounts/${accountSid}/Transcriptions.json?RecordingSid=${data.sid}`
      logger.info(`[${requestId}] Checking for transcriptions`)
      const transcriptionUrlValidation = await validateUrlWithDNS(
        transcriptionUrl,
        'transcriptionUrl'
      )
      if (transcriptionUrlValidation.isValid) {
        const transcriptionResponse = await secureFetchWithPinnedIP(
          transcriptionUrl,
          transcriptionUrlValidation.resolvedIP!,
          {
            method: 'GET',
            headers: { Authorization: `Basic ${twilioAuth}` },
          }
        )
        if (transcriptionResponse.ok) {
          const transcriptionData =
            (await transcriptionResponse.json()) as TwilioTranscriptionsResponse
          if (transcriptionData.transcriptions && transcriptionData.transcriptions.length > 0) {
            const transcription = transcriptionData.transcriptions[0]
            transcriptionText = transcription.transcription_text
            transcriptionStatus = transcription.status
            transcriptionPrice = transcription.price
            transcriptionPriceUnit = transcription.price_unit
            logger.info(`[${requestId}] Transcription found`, {
              status: transcriptionStatus,
              textLength: transcriptionText?.length,
            })
          }
        }
      }
    } catch (error) {
      logger.warn(`[${requestId}] Failed to fetch transcription:`, error)
    }
    if (mediaUrl) {
      try {
        const mediaUrlValidation = await validateUrlWithDNS(mediaUrl, 'mediaUrl')
        if (mediaUrlValidation.isValid) {
          const mediaResponse = await secureFetchWithPinnedIP(
            mediaUrl,
            mediaUrlValidation.resolvedIP!,
            {
              method: 'GET',
              headers: { Authorization: `Basic ${twilioAuth}` },
            }
          )
          if (mediaResponse.ok) {
            const contentType =
              mediaResponse.headers.get('content-type') || 'application/octet-stream'
            const extension = getExtensionFromMimeType(contentType) || 'dat'
            const arrayBuffer = await mediaResponse.arrayBuffer()
            const buffer = Buffer.from(arrayBuffer)
            const fileName = `${data.sid || recordingSid}.${extension}`
            file = {
              name: fileName,
              mimeType: contentType,
              data: buffer.toString('base64'),
              size: buffer.length,
            }
          }
        }
      } catch (error) {
        logger.warn(`[${requestId}] Failed to download recording media:`, error)
      }
    }
    logger.info(`[${requestId}] Twilio recording fetched successfully`, {
      recordingSid: data.sid,
      hasFile: !!file,
      hasTranscription: !!transcriptionText,
    })
    return NextResponse.json({
      success: true,
      output: {
        success: true,
        recordingSid: data.sid,
        callSid: data.call_sid,
        duration: data.duration ? Number.parseInt(data.duration, 10) : undefined,
        status: data.status,
        channels: data.channels,
        source: data.source,
        mediaUrl,
        file,
        price: data.price,
        priceUnit: data.price_unit,
        uri: data.uri,
        transcriptionText,
        transcriptionStatus,
        transcriptionPrice,
        transcriptionPriceUnit,
      },
    })
  } catch (error) {
    logger.error(`[${requestId}] Error fetching Twilio recording:`, error)
    return NextResponse.json(
      {
        success: false,
        error: error instanceof Error ? error.message : 'Unknown error occurred',
      },
      { status: 500 }
    )
  }
 }
--- a/apps/sim/app/api/tools/vision/analyze/route.ts
+++ b/apps/sim/app/api/tools/vision/analyze/route.ts
@@ -1,10 +1,20 @@
 import { GoogleGenAI } from '@google/genai'
 import { createLogger } from '@sim/logger'
 import { type NextRequest, NextResponse } from 'next/server'
 import { z } from 'zod'
 import { checkInternalAuth } from '@/lib/auth/hybrid'
 import {
  secureFetchWithPinnedIP,
  validateUrlWithDNS,
 } from '@/lib/core/security/input-validation.server'
 import { generateRequestId } from '@/lib/core/utils/request'
-import { processSingleFileToUserFile } from '@/lib/uploads/utils/file-utils'
+import { RawFileInputSchema } from '@/lib/uploads/utils/file-schemas'
-import { downloadFileFromStorage } from '@/lib/uploads/utils/file-utils.server'
+import { isInternalFileUrl, processSingleFileToUserFile } from '@/lib/uploads/utils/file-utils'
 import {
  downloadFileFromStorage,
  resolveInternalFileUrl,
 } from '@/lib/uploads/utils/file-utils.server'
 import { convertUsageMetadata, extractTextContent } from '@/providers/google/utils'
 export const dynamic = 'force-dynamic'
@@ -13,8 +23,8 @@ const logger = createLogger('VisionAnalyzeAPI')
 const VisionAnalyzeSchema = z.object({
  apiKey: z.string().min(1, 'API key is required'),
  imageUrl: z.string().optional().nullable(),
-  imageFile: z.any().optional().nullable(),
+  imageFile: RawFileInputSchema.optional().nullable(),
-  model: z.string().optional().default('gpt-4o'),
+  model: z.string().optional().default('gpt-5.2'),
  prompt: z.string().optional().nullable(),
 })
@@ -39,6 +49,7 @@ export async function POST(request: NextRequest) {
      userId: authResult.userId,
    })
    const userId = authResult.userId
    const body = await request.json()
    const validatedData = VisionAnalyzeSchema.parse(body)
@@ -77,18 +88,72 @@ export async function POST(request: NextRequest) {
        )
      }
-      const buffer = await downloadFileFromStorage(userFile, requestId, logger)
+      let base64 = userFile.base64
-
+      let bufferLength = 0
-      const base64 = buffer.toString('base64')
+      if (!base64) {
        const buffer = await downloadFileFromStorage(userFile, requestId, logger)
        base64 = buffer.toString('base64')
        bufferLength = buffer.length
      }
      const mimeType = userFile.type || 'image/jpeg'
      imageSource = `data:${mimeType};base64,${base64}`
-      logger.info(`[${requestId}] Converted image to base64 (${buffer.length} bytes)`)
+      if (bufferLength > 0) {
        logger.info(`[${requestId}] Converted image to base64 (${bufferLength} bytes)`)
      }
    }
    let imageUrlValidation: Awaited<ReturnType<typeof validateUrlWithDNS>> | null = null
    if (imageSource && !imageSource.startsWith('data:')) {
      if (imageSource.startsWith('/') && !isInternalFileUrl(imageSource)) {
        return NextResponse.json(
          {
            success: false,
            error: 'Invalid file path. Only uploaded files are supported for internal paths.',
          },
          { status: 400 }
        )
      }
      if (isInternalFileUrl(imageSource)) {
        if (!userId) {
          return NextResponse.json(
            {
              success: false,
              error: 'Authentication required for internal file access',
            },
            { status: 401 }
          )
        }
        const resolution = await resolveInternalFileUrl(imageSource, userId, requestId, logger)
        if (resolution.error) {
          return NextResponse.json(
            {
              success: false,
              error: resolution.error.message,
            },
            { status: resolution.error.status }
          )
        }
        imageSource = resolution.fileUrl || imageSource
      }
      imageUrlValidation = await validateUrlWithDNS(imageSource, 'imageUrl')
      if (!imageUrlValidation.isValid) {
        return NextResponse.json(
          {
            success: false,
            error: imageUrlValidation.error,
          },
          { status: 400 }
        )
      }
    }
    const defaultPrompt = 'Please analyze this image and describe what you see in detail.'
    const prompt = validatedData.prompt || defaultPrompt
-    const isClaude = validatedData.model.startsWith('claude-3')
+    const isClaude = validatedData.model.startsWith('claude-')
    const isGemini = validatedData.model.startsWith('gemini-')
    const apiUrl = isClaude
      ? 'https://api.anthropic.com/v1/messages'
      : 'https://api.openai.com/v1/chat/completions'
@@ -106,6 +171,72 @@ export async function POST(request: NextRequest) {
    let requestBody: any
    if (isGemini) {
      let base64Payload = imageSource
      if (!base64Payload.startsWith('data:')) {
        const urlValidation =
          imageUrlValidation || (await validateUrlWithDNS(base64Payload, 'imageUrl'))
        if (!urlValidation.isValid) {
          return NextResponse.json({ success: false, error: urlValidation.error }, { status: 400 })
        }
        const response = await secureFetchWithPinnedIP(base64Payload, urlValidation.resolvedIP!, {
          method: 'GET',
        })
        if (!response.ok) {
          return NextResponse.json(
            { success: false, error: 'Failed to fetch image for Gemini' },
            { status: 400 }
          )
        }
        const contentType =
          response.headers.get('content-type') || validatedData.imageFile?.type || 'image/jpeg'
        const arrayBuffer = await response.arrayBuffer()
        const base64 = Buffer.from(arrayBuffer).toString('base64')
        base64Payload = `data:${contentType};base64,${base64}`
      }
      const base64Marker = ';base64,'
      const markerIndex = base64Payload.indexOf(base64Marker)
      if (!base64Payload.startsWith('data:') || markerIndex === -1) {
        return NextResponse.json(
          { success: false, error: 'Invalid base64 image format' },
          { status: 400 }
        )
      }
      const rawMimeType = base64Payload.slice('data:'.length, markerIndex)
      const mediaType = rawMimeType.split(';')[0] || 'image/jpeg'
      const base64Data = base64Payload.slice(markerIndex + base64Marker.length)
      if (!base64Data) {
        return NextResponse.json(
          { success: false, error: 'Invalid base64 image format' },
          { status: 400 }
        )
      }
      const ai = new GoogleGenAI({ apiKey: validatedData.apiKey })
      const geminiResponse = await ai.models.generateContent({
        model: validatedData.model,
        contents: [
          {
            role: 'user',
            parts: [{ text: prompt }, { inlineData: { mimeType: mediaType, data: base64Data } }],
          },
        ],
      })
      const content = extractTextContent(geminiResponse.candidates?.[0])
      const usage = convertUsageMetadata(geminiResponse.usageMetadata)
      return NextResponse.json({
        success: true,
        output: {
          content,
          model: validatedData.model,
          tokens: usage.totalTokenCount || undefined,
        },
      })
    }
    if (isClaude) {
      if (imageSource.startsWith('data:')) {
        const base64Match = imageSource.match(/^data:([^;]+);base64,(.+)$/)
@@ -172,7 +303,7 @@ export async function POST(request: NextRequest) {
            ],
          },
        ],
-        max_tokens: 1000,
+        max_completion_tokens: 1000,
      }
    }
--- a/apps/sim/app/api/tools/wordpress/upload/route.ts
+++ b/apps/sim/app/api/tools/wordpress/upload/route.ts
@@ -3,6 +3,7 @@ import { type NextRequest, NextResponse } from 'next/server'
 import { z } from 'zod'
 import { checkInternalAuth } from '@/lib/auth/hybrid'
 import { generateRequestId } from '@/lib/core/utils/request'
 import { RawFileInputSchema } from '@/lib/uploads/utils/file-schemas'
 import {
  getFileExtension,
  getMimeTypeFromExtension,
@@ -19,7 +20,7 @@ const WORDPRESS_COM_API_BASE = 'https://public-api.wordpress.com/wp/v2/sites'
 const WordPressUploadSchema = z.object({
  accessToken: z.string().min(1, 'Access token is required'),
  siteId: z.string().min(1, 'Site ID is required'),
-  file: z.any().optional().nullable(),
+  file: RawFileInputSchema.optional().nullable(),
  filename: z.string().optional().nullable(),
  title: z.string().optional().nullable(),
  caption: z.string().optional().nullable(),
--- a/apps/sim/app/api/tools/zoom/get-recordings/route.ts
+++ b/apps/sim/app/api/tools/zoom/get-recordings/route.ts
@@ -0,0 +1,216 @@
 import { createLogger } from '@sim/logger'
 import { type NextRequest, NextResponse } from 'next/server'
 import { z } from 'zod'
 import { checkInternalAuth } from '@/lib/auth/hybrid'
 import {
  secureFetchWithPinnedIP,
  validateUrlWithDNS,
 } from '@/lib/core/security/input-validation.server'
 import { generateRequestId } from '@/lib/core/utils/request'
 import { getExtensionFromMimeType } from '@/lib/uploads/utils/file-utils'
 export const dynamic = 'force-dynamic'
 const logger = createLogger('ZoomGetRecordingsAPI')
 interface ZoomRecordingFile {
  id?: string
  meeting_id?: string
  recording_start?: string
  recording_end?: string
  file_type?: string
  file_extension?: string
  file_size?: number
  play_url?: string
  download_url?: string
  status?: string
  recording_type?: string
 }
 interface ZoomRecordingsResponse {
  uuid?: string
  id?: string | number
  account_id?: string
  host_id?: string
  topic?: string
  type?: number
  start_time?: string
  duration?: number
  total_size?: number
  recording_count?: number
  share_url?: string
  recording_files?: ZoomRecordingFile[]
 }
 interface ZoomErrorResponse {
  message?: string
  code?: number
 }
 const ZoomGetRecordingsSchema = z.object({
  accessToken: z.string().min(1, 'Access token is required'),
  meetingId: z.string().min(1, 'Meeting ID is required'),
  includeFolderItems: z.boolean().optional(),
  ttl: z.number().optional(),
  downloadFiles: z.boolean().optional().default(false),
 })
 export async function POST(request: NextRequest) {
  const requestId = generateRequestId()
  try {
    const authResult = await checkInternalAuth(request, { requireWorkflowId: false })
    if (!authResult.success) {
      logger.warn(`[${requestId}] Unauthorized Zoom get recordings attempt: ${authResult.error}`)
      return NextResponse.json(
        {
          success: false,
          error: authResult.error || 'Authentication required',
        },
        { status: 401 }
      )
    }
    const body = await request.json()
    const validatedData = ZoomGetRecordingsSchema.parse(body)
    const { accessToken, meetingId, includeFolderItems, ttl, downloadFiles } = validatedData
    const baseUrl = `https://api.zoom.us/v2/meetings/${encodeURIComponent(meetingId)}/recordings`
    const queryParams = new URLSearchParams()
    if (includeFolderItems != null) {
      queryParams.append('include_folder_items', String(includeFolderItems))
    }
    if (ttl) {
      queryParams.append('ttl', String(ttl))
    }
    const queryString = queryParams.toString()
    const apiUrl = queryString ? `${baseUrl}?${queryString}` : baseUrl
    logger.info(`[${requestId}] Fetching recordings from Zoom`, { meetingId })
    const urlValidation = await validateUrlWithDNS(apiUrl, 'apiUrl')
    if (!urlValidation.isValid) {
      return NextResponse.json({ success: false, error: urlValidation.error }, { status: 400 })
    }
    const response = await secureFetchWithPinnedIP(apiUrl, urlValidation.resolvedIP!, {
      method: 'GET',
      headers: {
        'Content-Type': 'application/json',
        Authorization: `Bearer ${accessToken}`,
      },
    })
    if (!response.ok) {
      const errorData = (await response.json().catch(() => ({}))) as ZoomErrorResponse
      logger.error(`[${requestId}] Zoom API error`, {
        status: response.status,
        error: errorData,
      })
      return NextResponse.json(
        { success: false, error: errorData.message || `Zoom API error: ${response.status}` },
        { status: 400 }
      )
    }
    const data = (await response.json()) as ZoomRecordingsResponse
    const files: Array<{
      name: string
      mimeType: string
      data: string
      size: number
    }> = []
    if (downloadFiles && Array.isArray(data.recording_files)) {
      for (const file of data.recording_files) {
        if (!file?.download_url) continue
        try {
          const fileUrlValidation = await validateUrlWithDNS(file.download_url, 'downloadUrl')
          if (!fileUrlValidation.isValid) continue
          const downloadResponse = await secureFetchWithPinnedIP(
            file.download_url,
            fileUrlValidation.resolvedIP!,
            {
              method: 'GET',
              headers: { Authorization: `Bearer ${accessToken}` },
            }
          )
          if (!downloadResponse.ok) continue
          const contentType =
            downloadResponse.headers.get('content-type') || 'application/octet-stream'
          const arrayBuffer = await downloadResponse.arrayBuffer()
          const buffer = Buffer.from(arrayBuffer)
          const extension =
            file.file_extension?.toString().toLowerCase() ||
            getExtensionFromMimeType(contentType) ||
            'dat'
          const fileName = `zoom-recording-${file.id || file.recording_start || Date.now()}.${extension}`
          files.push({
            name: fileName,
            mimeType: contentType,
            data: buffer.toString('base64'),
            size: buffer.length,
          })
        } catch (error) {
          logger.warn(`[${requestId}] Failed to download recording file:`, error)
        }
      }
    }
    logger.info(`[${requestId}] Zoom recordings fetched successfully`, {
      recordingCount: data.recording_files?.length || 0,
      downloadedCount: files.length,
    })
    return NextResponse.json({
      success: true,
      output: {
        recording: {
          uuid: data.uuid,
          id: data.id,
          account_id: data.account_id,
          host_id: data.host_id,
          topic: data.topic,
          type: data.type,
          start_time: data.start_time,
          duration: data.duration,
          total_size: data.total_size,
          recording_count: data.recording_count,
          share_url: data.share_url,
          recording_files: (data.recording_files || []).map((file: ZoomRecordingFile) => ({
            id: file.id,
            meeting_id: file.meeting_id,
            recording_start: file.recording_start,
            recording_end: file.recording_end,
            file_type: file.file_type,
            file_extension: file.file_extension,
            file_size: file.file_size,
            play_url: file.play_url,
            download_url: file.download_url,
            status: file.status,
            recording_type: file.recording_type,
          })),
        },
        files: files.length > 0 ? files : undefined,
      },
    })
  } catch (error) {
    logger.error(`[${requestId}] Error fetching Zoom recordings:`, error)
    return NextResponse.json(
      {
        success: false,
        error: error instanceof Error ? error.message : 'Unknown error occurred',
      },
      { status: 500 }
    )
  }
 }
--- a/apps/sim/app/api/workspaces/invitations/route.test.ts
+++ b/apps/sim/app/api/workspaces/invitations/route.test.ts
@@ -102,7 +102,7 @@ describe('Workspace Invitations API Route', () => {
      inArray: vi.fn().mockImplementation((field, values) => ({ type: 'inArray', field, values })),
    }))
-    vi.doMock('@/ee/access-control/utils/permission-check', () => ({
+    vi.doMock('@/executor/utils/permission-check', () => ({
      validateInvitationsAllowed: vi.fn().mockResolvedValue(undefined),
      InvitationsNotAllowedError: class InvitationsNotAllowedError extends Error {
        constructor() {
--- a/apps/sim/app/api/workspaces/invitations/route.ts
+++ b/apps/sim/app/api/workspaces/invitations/route.ts
@@ -21,7 +21,7 @@ import { getFromEmailAddress } from '@/lib/messaging/email/utils'
 import {
  InvitationsNotAllowedError,
  validateInvitationsAllowed,
-} from '@/ee/access-control/utils/permission-check'
+} from '@/executor/utils/permission-check'
 export const dynamic = 'force-dynamic'
@@ -38,6 +38,7 @@ export async function GET(req: NextRequest) {
  }
  try {
    // Get all workspaces where the user has permissions
    const userWorkspaces = await db
      .select({ id: workspace.id })
      .from(workspace)
@@ -54,8 +55,10 @@ export async function GET(req: NextRequest) {
      return NextResponse.json({ invitations: [] })
    }
    // Get all workspaceIds where the user is a member
    const workspaceIds = userWorkspaces.map((w) => w.id)
    // Find all invitations for those workspaces
    const invitations = await db
      .select()
      .from(workspaceInvitation)
--- a/apps/sim/app/chat/[identifier]/chat.tsx
+++ b/apps/sim/app/chat/[identifier]/chat.tsx
@@ -14,11 +14,11 @@ import {
  ChatMessageContainer,
  EmailAuth,
  PasswordAuth,
  SSOAuth,
  VoiceInterface,
 } from '@/app/chat/components'
 import { CHAT_ERROR_MESSAGES, CHAT_REQUEST_TIMEOUT_MS } from '@/app/chat/constants'
 import { useAudioStreaming, useChatStreaming } from '@/app/chat/hooks'
 import SSOAuth from '@/ee/sso/components/sso-auth'
 const logger = createLogger('ChatClient')
--- a/apps/sim/app/chat/components/auth/sso/sso-auth.tsx
+++ b/apps/sim/app/chat/components/auth/sso/sso-auth.tsx
--- a/apps/sim/app/chat/components/index.ts
+++ b/apps/sim/app/chat/components/index.ts
@@ -1,5 +1,6 @@
 export { default as EmailAuth } from './auth/email/email-auth'
 export { default as PasswordAuth } from './auth/password/password-auth'
 export { default as SSOAuth } from './auth/sso/sso-auth'
 export { ChatErrorState } from './error-state/error-state'
 export { ChatHeader } from './header/header'
 export { ChatInput } from './input/input'
--- a/apps/sim/app/workspace/[workspaceId]/knowledge/page.tsx
+++ b/apps/sim/app/workspace/[workspaceId]/knowledge/page.tsx
@@ -1,7 +1,7 @@
 import { redirect } from 'next/navigation'
 import { getSession } from '@/lib/auth'
 import { verifyWorkspaceMembership } from '@/app/api/workflows/utils'
-import { getUserPermissionConfig } from '@/ee/access-control/utils/permission-check'
+import { getUserPermissionConfig } from '@/executor/utils/permission-check'
 import { Knowledge } from './knowledge'
 interface KnowledgePageProps {
@@ -23,6 +23,7 @@ export default async function KnowledgePage({ params }: KnowledgePageProps) {
    redirect('/')
  }
  // Check permission group restrictions
  const permissionConfig = await getUserPermissionConfig(session.user.id)
  if (permissionConfig?.hideKnowledgeBaseTab) {
    redirect(`/workspace/${workspaceId}`)
--- a/apps/sim/app/workspace/[workspaceId]/logs/components/logs-list/logs-list.tsx
+++ b/apps/sim/app/workspace/[workspaceId]/logs/components/logs-list/logs-list.tsx
@@ -6,11 +6,11 @@ import Link from 'next/link'
 import { List, type RowComponentProps, useListRef } from 'react-window'
 import { Badge, buttonVariants } from '@/components/emcn'
 import { cn } from '@/lib/core/utils/cn'
 import { formatDuration } from '@/lib/core/utils/formatting'
 import {
  DELETED_WORKFLOW_COLOR,
  DELETED_WORKFLOW_LABEL,
  formatDate,
  formatDuration,
  getDisplayStatus,
  LOG_COLUMNS,
  StatusBadge,
@@ -113,7 +113,7 @@ const LogRow = memo(
          <div className={`${LOG_COLUMNS.duration.width} ${LOG_COLUMNS.duration.minWidth}`}>
            <Badge variant='default' className='rounded-[6px] px-[9px] py-[2px] text-[12px]'>
-              {formatDuration(log.duration, { precision: 2 }) || '—'}
+              {formatDuration(log.duration) || '—'}
            </Badge>
          </div>
        </div>
--- a/apps/sim/app/workspace/[workspaceId]/logs/utils.ts
+++ b/apps/sim/app/workspace/[workspaceId]/logs/utils.ts
@@ -1,7 +1,6 @@
 import React from 'react'
 import { format } from 'date-fns'
 import { Badge } from '@/components/emcn'
 import { formatDuration } from '@/lib/core/utils/formatting'
 import { getIntegrationMetadata } from '@/lib/logs/get-trigger-options'
 import { getBlock } from '@/blocks/registry'
 import { CORE_TRIGGER_TYPES } from '@/stores/logs/filters/types'
@@ -363,14 +362,47 @@ export function mapToExecutionLogAlt(log: RawLogResponse): ExecutionLog {
  }
 }
 /**
 * Format duration for display in logs UI
 * If duration is under 1 second, displays as milliseconds (e.g., "500ms")
 * If duration is 1 second or more, displays as seconds (e.g., "1.23s")
 * @param duration - Duration string (e.g., "500ms") or null
 * @returns Formatted duration string or null
 */
 export function formatDuration(duration: string | null): string | null {
  if (!duration) return null
  // Extract numeric value from duration string (e.g., "500ms" -> 500)
  const ms = Number.parseInt(duration.replace(/[^0-9]/g, ''), 10)
  if (!Number.isFinite(ms)) return duration
  if (ms < 1000) {
    return `${ms}ms`
  }
  // Convert to seconds with up to 2 decimal places
  const seconds = ms / 1000
  return `${seconds.toFixed(2).replace(/\.?0+$/, '')}s`
 }
 /**
 * Format latency value for display in dashboard UI
 * If latency is under 1 second, displays as milliseconds (e.g., "500ms")
 * If latency is 1 second or more, displays as seconds (e.g., "1.23s")
 * @param ms - Latency in milliseconds (number)
 * @returns Formatted latency string
 */
 export function formatLatency(ms: number): string {
  if (!Number.isFinite(ms) || ms <= 0) return '—'
-  return formatDuration(ms, { precision: 2 }) ?? '—'
+
  if (ms < 1000) {
    return `${Math.round(ms)}ms`
  }
  // Convert to seconds with up to 2 decimal places
  const seconds = ms / 1000
  return `${seconds.toFixed(2).replace(/\.?0+$/, '')}s`
 }
 export const formatDate = (dateString: string) => {
--- a/apps/sim/app/workspace/[workspaceId]/templates/page.tsx
+++ b/apps/sim/app/workspace/[workspaceId]/templates/page.tsx
@@ -6,7 +6,7 @@ import { getSession } from '@/lib/auth'
 import { verifyWorkspaceMembership } from '@/app/api/workflows/utils'
 import type { Template as WorkspaceTemplate } from '@/app/workspace/[workspaceId]/templates/templates'
 import Templates from '@/app/workspace/[workspaceId]/templates/templates'
-import { getUserPermissionConfig } from '@/ee/access-control/utils/permission-check'
+import { getUserPermissionConfig } from '@/executor/utils/permission-check'
 interface TemplatesPageProps {
  params: Promise<{
--- a/apps/sim/app/workspace/[workspaceId]/w/[workflowId]/components/action-bar/action-bar.tsx
+++ b/apps/sim/app/workspace/[workspaceId]/w/[workflowId]/components/action-bar/action-bar.tsx
@@ -1,5 +1,5 @@
 import { memo, useCallback } from 'react'
-import { ArrowLeftRight, ArrowUpDown, Circle, CircleOff, Lock, LogOut, Unlock } from 'lucide-react'
+import { ArrowLeftRight, ArrowUpDown, Circle, CircleOff, LogOut } from 'lucide-react'
 import { Button, Copy, PlayOutline, Tooltip, Trash2 } from '@/components/emcn'
 import { cn } from '@/lib/core/utils/cn'
 import { isInputDefinitionTrigger } from '@/lib/workflows/triggers/input-definition-triggers'
@@ -49,7 +49,6 @@ export const ActionBar = memo(
      collaborativeBatchRemoveBlocks,
      collaborativeBatchToggleBlockEnabled,
      collaborativeBatchToggleBlockHandles,
      collaborativeBatchToggleLocked,
    } = useCollaborativeWorkflow()
    const { setPendingSelection } = useWorkflowRegistry()
    const { handleRunFromBlock } = useWorkflowExecution()
@@ -85,28 +84,16 @@ export const ActionBar = memo(
      )
    }, [blockId, addNotification, collaborativeBatchAddBlocks, setPendingSelection])
-    const {
+    const { isEnabled, horizontalHandles, parentId, parentType } = useWorkflowStore(
      isEnabled,
      horizontalHandles,
      parentId,
      parentType,
      isLocked,
      isParentLocked,
      isParentDisabled,
    } = useWorkflowStore(
      useCallback(
        (state) => {
          const block = state.blocks[blockId]
          const parentId = block?.data?.parentId
          const parentBlock = parentId ? state.blocks[parentId] : undefined
          return {
            isEnabled: block?.enabled ?? true,
            horizontalHandles: block?.horizontalHandles ?? false,
            parentId,
-            parentType: parentBlock?.type,
+            parentType: parentId ? state.blocks[parentId]?.type : undefined,
            isLocked: block?.locked ?? false,
            isParentLocked: parentBlock?.locked ?? false,
            isParentDisabled: parentBlock ? !parentBlock.enabled : false,
          }
        },
        [blockId]
@@ -174,27 +161,25 @@ export const ActionBar = memo(
        {!isNoteBlock && !isInsideSubflow && (
          <Tooltip.Root>
            <Tooltip.Trigger asChild>
-              <span className='inline-flex'>
+              <Button
-                <Button
+                variant='ghost'
-                  variant='ghost'
+                onClick={(e) => {
-                  onClick={(e) => {
+                  e.stopPropagation()
-                    e.stopPropagation()
+                  if (canRunFromBlock && !disabled) {
-                    if (canRunFromBlock && !disabled) {
+                    handleRunFromBlockClick()
-                      handleRunFromBlockClick()
+                  }
-                    }
+                }}
-                  }}
+                className={ACTION_BUTTON_STYLES}
-                  className={ACTION_BUTTON_STYLES}
+                disabled={disabled || !canRunFromBlock}
-                  disabled={disabled || !canRunFromBlock}
+              >
-                >
+                <PlayOutline className={ICON_SIZE} />
-                  <PlayOutline className={ICON_SIZE} />
+              </Button>
                </Button>
              </span>
            </Tooltip.Trigger>
            <Tooltip.Content side='top'>
              {(() => {
                if (disabled) return getTooltipMessage('Run from block')
                if (isExecuting) return 'Execution in progress'
-                if (!dependenciesSatisfied) return 'Run previous blocks first'
+                if (!dependenciesSatisfied) return 'Run upstream blocks first'
                return 'Run from block'
              })()}
            </Tooltip.Content>
@@ -208,54 +193,18 @@ export const ActionBar = memo(
                variant='ghost'
                onClick={(e) => {
                  e.stopPropagation()
-                  // Can't enable if parent is disabled (must enable parent first)
+                  if (!disabled) {
                  const cantEnable = !isEnabled && isParentDisabled
                  if (!disabled && !isLocked && !isParentLocked && !cantEnable) {
                    collaborativeBatchToggleBlockEnabled([blockId])
                  }
                }}
                className={ACTION_BUTTON_STYLES}
-                disabled={
+                disabled={disabled}
                  disabled || isLocked || isParentLocked || (!isEnabled && isParentDisabled)
                }
              >
                {isEnabled ? <Circle className={ICON_SIZE} /> : <CircleOff className={ICON_SIZE} />}
              </Button>
            </Tooltip.Trigger>
            <Tooltip.Content side='top'>
-              {isLocked || isParentLocked
+              {getTooltipMessage(isEnabled ? 'Disable Block' : 'Enable Block')}
                ? 'Block is locked'
                : !isEnabled && isParentDisabled
                  ? 'Parent container is disabled'
                  : getTooltipMessage(isEnabled ? 'Disable Block' : 'Enable Block')}
            </Tooltip.Content>
          </Tooltip.Root>
        )}
        {userPermissions.canAdmin && (
          <Tooltip.Root>
            <Tooltip.Trigger asChild>
              <Button
                variant='ghost'
                onClick={(e) => {
                  e.stopPropagation()
                  // Can't unlock a block if its parent container is locked
                  if (!disabled && !(isLocked && isParentLocked)) {
                    collaborativeBatchToggleLocked([blockId])
                  }
                }}
                className={ACTION_BUTTON_STYLES}
                disabled={disabled || (isLocked && isParentLocked)}
              >
                {isLocked ? <Unlock className={ICON_SIZE} /> : <Lock className={ICON_SIZE} />}
              </Button>
            </Tooltip.Trigger>
            <Tooltip.Content side='top'>
              {isLocked && isParentLocked
                ? 'Parent container is locked'
                : isLocked
                  ? 'Unlock Block'
                  : 'Lock Block'}
            </Tooltip.Content>
          </Tooltip.Root>
        )}
@@ -288,12 +237,12 @@ export const ActionBar = memo(
                variant='ghost'
                onClick={(e) => {
                  e.stopPropagation()
-                  if (!disabled && !isLocked && !isParentLocked) {
+                  if (!disabled) {
                    collaborativeBatchToggleBlockHandles([blockId])
                  }
                }}
                className={ACTION_BUTTON_STYLES}
-                disabled={disabled || isLocked || isParentLocked}
+                disabled={disabled}
              >
                {horizontalHandles ? (
                  <ArrowLeftRight className={ICON_SIZE} />
@@ -303,9 +252,7 @@ export const ActionBar = memo(
              </Button>
            </Tooltip.Trigger>
            <Tooltip.Content side='top'>
-              {isLocked || isParentLocked
+              {getTooltipMessage(horizontalHandles ? 'Vertical Ports' : 'Horizontal Ports')}
                ? 'Block is locked'
                : getTooltipMessage(horizontalHandles ? 'Vertical Ports' : 'Horizontal Ports')}
            </Tooltip.Content>
          </Tooltip.Root>
        )}
@@ -317,23 +264,19 @@ export const ActionBar = memo(
                variant='ghost'
                onClick={(e) => {
                  e.stopPropagation()
-                  if (!disabled && userPermissions.canEdit && !isLocked && !isParentLocked) {
+                  if (!disabled && userPermissions.canEdit) {
                    window.dispatchEvent(
                      new CustomEvent('remove-from-subflow', { detail: { blockIds: [blockId] } })
                    )
                  }
                }}
                className={ACTION_BUTTON_STYLES}
-                disabled={disabled || !userPermissions.canEdit || isLocked || isParentLocked}
+                disabled={disabled || !userPermissions.canEdit}
              >
                <LogOut className={ICON_SIZE} />
              </Button>
            </Tooltip.Trigger>
-            <Tooltip.Content side='top'>
+            <Tooltip.Content side='top'>{getTooltipMessage('Remove from Subflow')}</Tooltip.Content>
              {isLocked || isParentLocked
                ? 'Block is locked'
                : getTooltipMessage('Remove from Subflow')}
            </Tooltip.Content>
          </Tooltip.Root>
        )}
@@ -343,19 +286,17 @@ export const ActionBar = memo(
              variant='ghost'
              onClick={(e) => {
                e.stopPropagation()
-                if (!disabled && !isLocked && !isParentLocked) {
+                if (!disabled) {
                  collaborativeBatchRemoveBlocks([blockId])
                }
              }}
              className={ACTION_BUTTON_STYLES}
-              disabled={disabled || isLocked || isParentLocked}
+              disabled={disabled}
            >
              <Trash2 className={ICON_SIZE} />
            </Button>
          </Tooltip.Trigger>
-          <Tooltip.Content side='top'>
+          <Tooltip.Content side='top'>{getTooltipMessage('Delete Block')}</Tooltip.Content>
            {isLocked || isParentLocked ? 'Block is locked' : getTooltipMessage('Delete Block')}
          </Tooltip.Content>
        </Tooltip.Root>
      </div>
    )
--- a/apps/sim/app/workspace/[workspaceId]/w/[workflowId]/components/block-menu/block-menu.tsx
+++ b/apps/sim/app/workspace/[workspaceId]/w/[workflowId]/components/block-menu/block-menu.tsx
@@ -20,9 +20,6 @@ export interface BlockInfo {
  horizontalHandles: boolean
  parentId?: string
  parentType?: string
  locked?: boolean
  isParentLocked?: boolean
  isParentDisabled?: boolean
 }
 /**
@@ -49,17 +46,10 @@ export interface BlockMenuProps {
  showRemoveFromSubflow?: boolean
  /** Whether run from block is available (has snapshot, was executed, not inside subflow) */
  canRunFromBlock?: boolean
  /** Whether to disable edit actions (user can't edit OR blocks are locked) */
  disableEdit?: boolean
  /** Whether the user has edit permission (ignoring locked state) */
  userCanEdit?: boolean
  isExecuting?: boolean
  /** Whether the selected block is a trigger (has no incoming edges) */
  isPositionalTrigger?: boolean
  /** Callback to toggle locked state of selected blocks */
  onToggleLocked?: () => void
  /** Whether the user has admin permissions */
  canAdmin?: boolean
 }
 /**
@@ -88,22 +78,13 @@ export function BlockMenu({
  showRemoveFromSubflow = false,
  canRunFromBlock = false,
  disableEdit = false,
  userCanEdit = true,
  isExecuting = false,
  isPositionalTrigger = false,
  onToggleLocked,
  canAdmin = false,
 }: BlockMenuProps) {
  const isSingleBlock = selectedBlocks.length === 1
  const allEnabled = selectedBlocks.every((b) => b.enabled)
  const allDisabled = selectedBlocks.every((b) => !b.enabled)
  const allLocked = selectedBlocks.every((b) => b.locked)
  const allUnlocked = selectedBlocks.every((b) => !b.locked)
  // Can't unlock blocks that have locked parents
  const hasBlockWithLockedParent = selectedBlocks.some((b) => b.locked && b.isParentLocked)
  // Can't enable blocks that have disabled parents
  const hasBlockWithDisabledParent = selectedBlocks.some((b) => !b.enabled && b.isParentDisabled)
  const hasSingletonBlock = selectedBlocks.some(
    (b) =>
@@ -127,12 +108,6 @@ export function BlockMenu({
    return 'Toggle Enabled'
  }
  const getToggleLockedLabel = () => {
    if (allLocked) return 'Unlock'
    if (allUnlocked) return 'Lock'
    return 'Toggle Lock'
  }
  return (
    <Popover
      open={isOpen}
@@ -164,7 +139,7 @@ export function BlockMenu({
        </PopoverItem>
        <PopoverItem
          className='group'
-          disabled={!userCanEdit || !hasClipboard}
+          disabled={disableEdit || !hasClipboard}
          onClick={() => {
            onPaste()
            onClose()
@@ -175,7 +150,7 @@ export function BlockMenu({
        </PopoverItem>
        {!hasSingletonBlock && (
          <PopoverItem
-            disabled={!userCanEdit}
+            disabled={disableEdit}
            onClick={() => {
              onDuplicate()
              onClose()
@@ -189,15 +164,13 @@ export function BlockMenu({
        {!allNoteBlocks && <PopoverDivider />}
        {!allNoteBlocks && (
          <PopoverItem
-            disabled={disableEdit || hasBlockWithDisabledParent}
+            disabled={disableEdit}
            onClick={() => {
-              if (!disableEdit && !hasBlockWithDisabledParent) {
+              onToggleEnabled()
-                onToggleEnabled()
+              onClose()
                onClose()
              }
            }}
          >
-            {hasBlockWithDisabledParent ? 'Parent is disabled' : getToggleEnabledLabel()}
+            {getToggleEnabledLabel()}
          </PopoverItem>
        )}
        {!allNoteBlocks && !isSubflow && (
@@ -222,19 +195,6 @@ export function BlockMenu({
            Remove from Subflow
          </PopoverItem>
        )}
        {canAdmin && onToggleLocked && (
          <PopoverItem
            disabled={hasBlockWithLockedParent}
            onClick={() => {
              if (!hasBlockWithLockedParent) {
                onToggleLocked()
                onClose()
              }
            }}
          >
            {hasBlockWithLockedParent ? 'Parent is locked' : getToggleLockedLabel()}
          </PopoverItem>
        )}
        {/* Single block actions */}
        {isSingleBlock && <PopoverDivider />}
--- a/apps/sim/app/workspace/[workspaceId]/w/[workflowId]/components/canvas-menu/canvas-menu.tsx
+++ b/apps/sim/app/workspace/[workspaceId]/w/[workflowId]/components/canvas-menu/canvas-menu.tsx
@@ -34,8 +34,6 @@ export interface CanvasMenuProps {
  canUndo?: boolean
  canRedo?: boolean
  isInvitationsDisabled?: boolean
  /** Whether the workflow has locked blocks (disables auto-layout) */
  hasLockedBlocks?: boolean
 }
 /**
@@ -62,7 +60,6 @@ export function CanvasMenu({
  disableEdit = false,
  canUndo = false,
  canRedo = false,
  hasLockedBlocks = false,
 }: CanvasMenuProps) {
  return (
    <Popover
@@ -132,12 +129,11 @@ export function CanvasMenu({
        </PopoverItem>
        <PopoverItem
          className='group'
-          disabled={disableEdit || hasLockedBlocks}
+          disabled={disableEdit}
          onClick={() => {
            onAutoLayout()
            onClose()
          }}
          title={hasLockedBlocks ? 'Unlock blocks to use auto-layout' : undefined}
        >
          <span>Auto-layout</span>
          <span className='ml-auto opacity-70 group-hover:opacity-100'>⇧L</span>
--- a/apps/sim/app/workspace/[workspaceId]/w/[workflowId]/components/chat/chat.tsx
+++ b/apps/sim/app/workspace/[workspaceId]/w/[workflowId]/components/chat/chat.tsx
@@ -807,7 +807,7 @@ export function Chat() {
      const newReservedFields: StartInputFormatField[] = missingStartReservedFields.map(
        (fieldName) => {
-          const defaultType = fieldName === 'files' ? 'files' : 'string'
+          const defaultType = fieldName === 'files' ? 'file[]' : 'string'
          return {
            id: crypto.randomUUID(),
--- a/apps/sim/app/workspace/[workspaceId]/w/[workflowId]/components/panel/components/copilot/components/copilot-message/components/thinking-block/thinking-block.tsx
+++ b/apps/sim/app/workspace/[workspaceId]/w/[workflowId]/components/panel/components/copilot/components/copilot-message/components/thinking-block/thinking-block.tsx
@@ -3,7 +3,6 @@
 import { memo, useEffect, useMemo, useRef, useState } from 'react'
 import clsx from 'clsx'
 import { ChevronUp } from 'lucide-react'
 import { formatDuration } from '@/lib/core/utils/formatting'
 import { CopilotMarkdownRenderer } from '../markdown-renderer'
 /** Removes thinking tags (raw or escaped) and special tags from streamed content */
@@ -242,11 +241,15 @@ export function ThinkingBlock({
    return () => window.clearInterval(intervalId)
  }, [isStreaming, isExpanded, userHasScrolledAway])
  /** Formats duration in milliseconds to seconds (minimum 1s) */
  const formatDuration = (ms: number) => {
    const seconds = Math.max(1, Math.round(ms / 1000))
    return `${seconds}s`
  }
  const hasContent = cleanContent.length > 0
  const isThinkingDone = !isStreaming || hasFollowingContent || hasSpecialTags
-  // Round to nearest second (minimum 1s) to match original behavior
+  const durationText = `${label} for ${formatDuration(duration)}`
  const roundedMs = Math.max(1000, Math.round(duration / 1000) * 1000)
  const durationText = `${label} for ${formatDuration(roundedMs)}`
  const getStreamingLabel = (lbl: string) => {
    if (lbl === 'Thought') return 'Thinking'
--- a/apps/sim/app/workspace/[workspaceId]/w/[workflowId]/components/panel/components/copilot/components/tool-call/tool-call.tsx
+++ b/apps/sim/app/workspace/[workspaceId]/w/[workflowId]/components/panel/components/copilot/components/tool-call/tool-call.tsx
@@ -15,7 +15,6 @@ import {
  hasInterrupt as hasInterruptFromConfig,
  isSpecialTool as isSpecialToolFromConfig,
 } from '@/lib/copilot/tools/client/ui-config'
 import { formatDuration } from '@/lib/core/utils/formatting'
 import { CopilotMarkdownRenderer } from '@/app/workspace/[workspaceId]/w/[workflowId]/components/panel/components/copilot/components/copilot-message/components/markdown-renderer'
 import { SmoothStreamingText } from '@/app/workspace/[workspaceId]/w/[workflowId]/components/panel/components/copilot/components/copilot-message/components/smooth-streaming'
 import { ThinkingBlock } from '@/app/workspace/[workspaceId]/w/[workflowId]/components/panel/components/copilot/components/copilot-message/components/thinking-block'
@@ -849,10 +848,13 @@ const SubagentContentRenderer = memo(function SubagentContentRenderer({
    (allParsed.options && Object.keys(allParsed.options).length > 0)
  )
  const formatDuration = (ms: number) => {
    const seconds = Math.max(1, Math.round(ms / 1000))
    return `${seconds}s`
  }
  const outerLabel = getSubagentCompletionLabel(toolCall.name)
-  // Round to nearest second (minimum 1s) to match original behavior
+  const durationText = `${outerLabel} for ${formatDuration(duration)}`
  const roundedMs = Math.max(1000, Math.round(duration / 1000) * 1000)
  const durationText = `${outerLabel} for ${formatDuration(roundedMs)}`
  const renderCollapsibleContent = () => (
    <>
--- a/apps/sim/app/workspace/[workspaceId]/w/[workflowId]/components/panel/components/deploy/components/deploy-modal/components/a2a/a2a.tsx
+++ b/apps/sim/app/workspace/[workspaceId]/w/[workflowId]/components/panel/components/deploy/components/deploy-modal/components/a2a/a2a.tsx
@@ -179,7 +179,7 @@ export function A2aDeploy({
      newFields.push({
        id: crypto.randomUUID(),
        name: 'files',
-        type: 'files',
+        type: 'file[]',
        value: '',
        collapsed: false,
      })
--- a/apps/sim/app/workspace/[workspaceId]/w/[workflowId]/components/panel/components/editor/components/sub-block/components/credential-selector/credential-selector.tsx
+++ b/apps/sim/app/workspace/[workspaceId]/w/[workflowId]/components/panel/components/editor/components/sub-block/components/credential-selector/credential-selector.tsx
@@ -45,7 +45,7 @@ export function CredentialSelector({
  previewValue,
 }: CredentialSelectorProps) {
  const [showOAuthModal, setShowOAuthModal] = useState(false)
-  const [editingValue, setEditingValue] = useState('')
+  const [inputValue, setInputValue] = useState('')
  const [isEditing, setIsEditing] = useState(false)
  const { activeWorkflowId } = useWorkflowRegistry()
  const [storeValue, setStoreValue] = useSubBlockValue<string | null>(blockId, subBlock.id)
@@ -128,7 +128,11 @@ export function CredentialSelector({
    return ''
  }, [selectedCredentialSet, isForeignCredentialSet, selectedCredential, isForeign])
-  const displayValue = isEditing ? editingValue : resolvedLabel
+  useEffect(() => {
    if (!isEditing) {
      setInputValue(resolvedLabel)
    }
  }, [resolvedLabel, isEditing])
  const invalidSelection =
    !isPreview &&
@@ -291,7 +295,7 @@ export function CredentialSelector({
  const selectedCredentialProvider = selectedCredential?.provider ?? provider
  const overlayContent = useMemo(() => {
-    if (!displayValue) return null
+    if (!inputValue) return null
    if (isCredentialSetSelected && selectedCredentialSet) {
      return (
@@ -299,7 +303,7 @@ export function CredentialSelector({
          <div className='mr-2 flex-shrink-0 opacity-90'>
            <Users className='h-3 w-3' />
          </div>
-          <span className='truncate'>{displayValue}</span>
+          <span className='truncate'>{inputValue}</span>
        </div>
      )
    }
@@ -309,12 +313,12 @@ export function CredentialSelector({
        <div className='mr-2 flex-shrink-0 opacity-90'>
          {getProviderIcon(selectedCredentialProvider)}
        </div>
-        <span className='truncate'>{displayValue}</span>
+        <span className='truncate'>{inputValue}</span>
      </div>
    )
  }, [
    getProviderIcon,
-    displayValue,
+    inputValue,
    selectedCredentialProvider,
    isCredentialSetSelected,
    selectedCredentialSet,
@@ -331,6 +335,7 @@ export function CredentialSelector({
        const credentialSetId = value.slice(CREDENTIAL_SET.PREFIX.length)
        const matchedSet = credentialSets.find((cs) => cs.id === credentialSetId)
        if (matchedSet) {
          setInputValue(matchedSet.name)
          handleCredentialSetSelect(credentialSetId)
          return
        }
@@ -338,12 +343,13 @@ export function CredentialSelector({
      const matchedCred = credentials.find((c) => c.id === value)
      if (matchedCred) {
        setInputValue(matchedCred.name)
        handleSelect(value)
        return
      }
      setIsEditing(true)
-      setEditingValue(value)
+      setInputValue(value)
    },
    [credentials, credentialSets, handleAddCredential, handleSelect, handleCredentialSetSelect]
  )
@@ -353,7 +359,7 @@ export function CredentialSelector({
      <Combobox
        options={comboboxOptions}
        groups={comboboxGroups}
-        value={displayValue}
+        value={inputValue}
        selectedValue={rawSelectedId}
        onChange={handleComboboxChange}
        onOpenChange={handleOpenChange}
--- a/apps/sim/app/workspace/[workspaceId]/w/[workflowId]/components/panel/components/editor/components/sub-block/components/starter/input-format.tsx
+++ b/apps/sim/app/workspace/[workspaceId]/w/[workflowId]/components/panel/components/editor/components/sub-block/components/starter/input-format.tsx
@@ -26,7 +26,7 @@ import { useAccessibleReferencePrefixes } from '@/app/workspace/[workspaceId]/w/
 interface Field {
  id: string
  name: string
-  type?: 'string' | 'number' | 'boolean' | 'object' | 'array' | 'files'
+  type?: 'string' | 'number' | 'boolean' | 'object' | 'array' | 'file[]'
  value?: string
  description?: string
  collapsed?: boolean
@@ -57,7 +57,7 @@ const TYPE_OPTIONS: ComboboxOption[] = [
  { label: 'Boolean', value: 'boolean' },
  { label: 'Object', value: 'object' },
  { label: 'Array', value: 'array' },
-  { label: 'Files', value: 'files' },
+  { label: 'Files', value: 'file[]' },
 ]
 /**
@@ -448,7 +448,7 @@ export function FieldFormat({
      )
    }
-    if (field.type === 'files') {
+    if (field.type === 'file[]') {
      const lineCount = fieldValue.split('\n').length
      const gutterWidth = calculateGutterWidth(lineCount)
--- a/apps/sim/app/workspace/[workspaceId]/w/[workflowId]/components/panel/components/editor/components/sub-block/components/tag-dropdown/tag-dropdown.tsx
+++ b/apps/sim/app/workspace/[workspaceId]/w/[workflowId]/components/panel/components/editor/components/sub-block/components/tag-dropdown/tag-dropdown.tsx
@@ -225,7 +225,7 @@ const getOutputTypeForPath = (
      const chatModeTypes: Record<string, string> = {
        input: 'string',
        conversationId: 'string',
-        files: 'files',
+        files: 'file[]',
      }
      return chatModeTypes[outputPath] || 'any'
    }
@@ -1563,16 +1563,11 @@ export const TagDropdown: React.FC<TagDropdownProps> = ({
    blockTagGroups.sort((a, b) => a.distance - b.distance)
    finalBlockTagGroups.push(...blockTagGroups)
-    const contextualTags: string[] = []
+    const groupTags = finalBlockTagGroups.flatMap((group) => group.tags)
-    if (loopBlockGroup) {
+    const tags = [...groupTags, ...variableTags]
      contextualTags.push(...loopBlockGroup.tags)
    }
    if (parallelBlockGroup) {
      contextualTags.push(...parallelBlockGroup.tags)
    }
    return {
-      tags: [...allBlockTags, ...variableTags, ...contextualTags],
+      tags,
      variableInfoMap,
      blockTagGroups: finalBlockTagGroups,
    }
@@ -1746,7 +1741,7 @@ export const TagDropdown: React.FC<TagDropdownProps> = ({
          mergedSubBlocks
        )
-        if (fieldType === 'files' || fieldType === 'file[]' || fieldType === 'array') {
+        if (fieldType === 'file' || fieldType === 'file[]' || fieldType === 'array') {
          const blockName = parts[0]
          const remainingPath = parts.slice(2).join('.')
          processedTag = `${blockName}.${arrayFieldName}[0].${remainingPath}`
--- a/apps/sim/app/workspace/[workspaceId]/w/[workflowId]/components/panel/components/editor/editor.tsx
+++ b/apps/sim/app/workspace/[workspaceId]/w/[workflowId]/components/panel/components/editor/editor.tsx
@@ -9,9 +9,7 @@ import {
  ChevronUp,
  ExternalLink,
  Loader2,
  Lock,
  Pencil,
  Unlock,
 } from 'lucide-react'
 import { useParams } from 'next/navigation'
 import { useShallow } from 'zustand/react/shallow'
@@ -48,7 +46,6 @@ import { useCollaborativeWorkflow } from '@/hooks/use-collaborative-workflow'
 import { usePanelEditorStore } from '@/stores/panel'
 import { useWorkflowRegistry } from '@/stores/workflows/registry/store'
 import { useSubBlockStore } from '@/stores/workflows/subblock/store'
 import { useWorkflowStore } from '@/stores/workflows/workflow/store'
 /** Stable empty object to avoid creating new references */
 const EMPTY_SUBBLOCK_VALUES = {} as Record<string, any>
@@ -113,14 +110,6 @@ export function Editor() {
  const userPermissions = useUserPermissionsContext()
  // Check if block is locked (or inside a locked container) and compute edit permission
  // Locked blocks cannot be edited by anyone (admins can only lock/unlock)
  const blocks = useWorkflowStore((state) => state.blocks)
  const parentId = currentBlock?.data?.parentId as string | undefined
  const isParentLocked = parentId ? (blocks[parentId]?.locked ?? false) : false
  const isLocked = (currentBlock?.locked ?? false) || isParentLocked
  const canEditBlock = userPermissions.canEdit && !isLocked
  const activeWorkflowId = useWorkflowRegistry((state) => state.activeWorkflowId)
  const { advancedMode, triggerMode } = useEditorBlockProperties(
@@ -158,7 +147,9 @@ export function Editor() {
    () => hasAdvancedValues(subBlocksForCanonical, blockSubBlockValues, canonicalIndex),
    [subBlocksForCanonical, blockSubBlockValues, canonicalIndex]
  )
-  const displayAdvancedOptions = canEditBlock ? advancedMode : advancedMode || advancedValuesPresent
+  const displayAdvancedOptions = userPermissions.canEdit
    ? advancedMode
    : advancedMode || advancedValuesPresent
  const hasAdvancedOnlyFields = useMemo(() => {
    for (const subBlock of subBlocksForCanonical) {
@@ -219,13 +210,12 @@ export function Editor() {
    collaborativeSetBlockCanonicalMode,
    collaborativeUpdateBlockName,
    collaborativeToggleBlockAdvancedMode,
    collaborativeBatchToggleLocked,
  } = useCollaborativeWorkflow()
  const handleToggleAdvancedMode = useCallback(() => {
-    if (!currentBlockId || !canEditBlock) return
+    if (!currentBlockId || !userPermissions.canEdit) return
    collaborativeToggleBlockAdvancedMode(currentBlockId)
-  }, [currentBlockId, canEditBlock, collaborativeToggleBlockAdvancedMode])
+  }, [currentBlockId, userPermissions.canEdit, collaborativeToggleBlockAdvancedMode])
  const [isRenaming, setIsRenaming] = useState(false)
  const [editedName, setEditedName] = useState('')
@@ -243,10 +233,10 @@ export function Editor() {
   * Handles starting the rename process.
   */
  const handleStartRename = useCallback(() => {
-    if (!canEditBlock || !currentBlock) return
+    if (!userPermissions.canEdit || !currentBlock) return
    setEditedName(currentBlock.name || '')
    setIsRenaming(true)
-  }, [canEditBlock, currentBlock])
+  }, [userPermissions.canEdit, currentBlock])
  /**
   * Handles saving the renamed block.
@@ -351,36 +341,6 @@ export function Editor() {
          )}
        </div>
        <div className='flex shrink-0 items-center gap-[8px]'>
          {/* Locked indicator - clickable to unlock if user has admin permissions, block is locked, and parent is not locked */}
          {isLocked && currentBlock && (
            <Tooltip.Root>
              <Tooltip.Trigger asChild>
                {userPermissions.canAdmin && currentBlock.locked && !isParentLocked ? (
                  <Button
                    variant='ghost'
                    className='p-0'
                    onClick={() => collaborativeBatchToggleLocked([currentBlockId!])}
                    aria-label='Unlock block'
                  >
                    <Unlock className='h-[14px] w-[14px] text-[var(--text-secondary)]' />
                  </Button>
                ) : (
                  <div className='flex items-center justify-center'>
                    <Lock className='h-[14px] w-[14px] text-[var(--text-secondary)]' />
                  </div>
                )}
              </Tooltip.Trigger>
              <Tooltip.Content side='top'>
                <p>
                  {isParentLocked
                    ? 'Parent container is locked'
                    : userPermissions.canAdmin && currentBlock.locked
                      ? 'Unlock block'
                      : 'Block is locked'}
                </p>
              </Tooltip.Content>
            </Tooltip.Root>
          )}
          {/* Rename button */}
          {currentBlock && (
            <Tooltip.Root>
@@ -389,7 +349,7 @@ export function Editor() {
                  variant='ghost'
                  className='p-0'
                  onClick={isRenaming ? handleSaveRename : handleStartRename}
-                  disabled={!canEditBlock}
+                  disabled={!userPermissions.canEdit}
                  aria-label={isRenaming ? 'Save name' : 'Rename block'}
                >
                  {isRenaming ? (
@@ -455,7 +415,7 @@ export function Editor() {
          incomingConnections={incomingConnections}
          handleConnectionsResizeMouseDown={handleConnectionsResizeMouseDown}
          toggleConnectionsCollapsed={toggleConnectionsCollapsed}
-          userCanEdit={canEditBlock}
+          userCanEdit={userPermissions.canEdit}
          isConnectionsAtMinHeight={isConnectionsAtMinHeight}
        />
      ) : (
@@ -557,14 +517,14 @@ export function Editor() {
                          config={subBlock}
                          isPreview={false}
                          subBlockValues={subBlockState}
-                          disabled={!canEditBlock}
+                          disabled={!userPermissions.canEdit}
                          fieldDiffStatus={undefined}
                          allowExpandInPreview={false}
                          canonicalToggle={
                            isCanonicalSwap && canonicalMode && canonicalId
                              ? {
                                  mode: canonicalMode,
-                                  disabled: !canEditBlock,
+                                  disabled: !userPermissions.canEdit,
                                  onToggle: () => {
                                    if (!currentBlockId) return
                                    const nextMode =
@@ -588,7 +548,7 @@ export function Editor() {
                    )
                  })}
-                  {hasAdvancedOnlyFields && canEditBlock && (
+                  {hasAdvancedOnlyFields && userPermissions.canEdit && (
                    <div className='flex items-center gap-[10px] px-[2px] pt-[14px] pb-[12px]'>
                      <div className='h-[1.25px] flex-1' style={DASHED_DIVIDER_STYLE} />
                      <button
@@ -621,7 +581,7 @@ export function Editor() {
                          config={subBlock}
                          isPreview={false}
                          subBlockValues={subBlockState}
-                          disabled={!canEditBlock}
+                          disabled={!userPermissions.canEdit}
                          fieldDiffStatus={undefined}
                          allowExpandInPreview={false}
                        />
--- a/apps/sim/app/workspace/[workspaceId]/w/[workflowId]/components/panel/panel.tsx
+++ b/apps/sim/app/workspace/[workspaceId]/w/[workflowId]/components/panel/panel.tsx
@@ -45,13 +45,11 @@ import { useWorkflowExecution } from '@/app/workspace/[workspaceId]/w/[workflowI
 import { useDeleteWorkflow, useImportWorkflow } from '@/app/workspace/[workspaceId]/w/hooks'
 import { usePermissionConfig } from '@/hooks/use-permission-config'
 import { useChatStore } from '@/stores/chat/store'
 import { useNotificationStore } from '@/stores/notifications/store'
 import type { PanelTab } from '@/stores/panel'
 import { usePanelStore, useVariablesStore as usePanelVariablesStore } from '@/stores/panel'
 import { useVariablesStore } from '@/stores/variables/store'
 import { getWorkflowWithValues } from '@/stores/workflows'
 import { useWorkflowRegistry } from '@/stores/workflows/registry/store'
 import { useWorkflowStore } from '@/stores/workflows/workflow/store'
 const logger = createLogger('Panel')
 /**
@@ -121,11 +119,6 @@ export const Panel = memo(function Panel() {
    hydration.phase === 'state-loading'
  const { handleAutoLayout: autoLayoutWithFitView } = useAutoLayout(activeWorkflowId || null)
  // Check for locked blocks (disables auto-layout)
  const hasLockedBlocks = useWorkflowStore((state) =>
    Object.values(state.blocks).some((block) => block.locked)
  )
  // Delete workflow hook
  const { isDeleting, handleDeleteWorkflow } = useDeleteWorkflow({
    workspaceId,
@@ -237,24 +230,11 @@ export const Panel = memo(function Panel() {
    setIsAutoLayouting(true)
    try {
-      const result = await autoLayoutWithFitView()
+      await autoLayoutWithFitView()
      if (!result.success && result.error) {
        useNotificationStore.getState().addNotification({
          level: 'info',
          message: result.error,
          workflowId: activeWorkflowId || undefined,
        })
      }
    } finally {
      setIsAutoLayouting(false)
    }
-  }, [
+  }, [isExecuting, userPermissions.canEdit, isAutoLayouting, autoLayoutWithFitView])
    isExecuting,
    userPermissions.canEdit,
    isAutoLayouting,
    autoLayoutWithFitView,
    activeWorkflowId,
  ])
  /**
   * Handles exporting workflow as JSON
@@ -424,10 +404,7 @@ export const Panel = memo(function Panel() {
                <PopoverContent align='start' side='bottom' sideOffset={8}>
                  <PopoverItem
                    onClick={handleAutoLayout}
-                    disabled={
+                    disabled={isExecuting || !userPermissions.canEdit || isAutoLayouting}
                      isExecuting || !userPermissions.canEdit || isAutoLayouting || hasLockedBlocks
                    }
                    title={hasLockedBlocks ? 'Unlock blocks to use auto-layout' : undefined}
                  >
                    <Layout className='h-3 w-3' animate={isAutoLayouting} variant='clockwise' />
                    <span>Auto layout</span>
--- a/apps/sim/app/workspace/[workspaceId]/w/[workflowId]/components/subflows/subflow-node.tsx
+++ b/apps/sim/app/workspace/[workspaceId]/w/[workflowId]/components/subflows/subflow-node.tsx
@@ -80,7 +80,6 @@ export const SubflowNodeComponent = memo(({ data, id, selected }: NodeProps<Subf
      : undefined
  const isEnabled = currentBlock?.enabled ?? true
  const isLocked = currentBlock?.locked ?? false
  const isPreview = data?.isPreview || false
  // Focus state
@@ -201,10 +200,7 @@ export const SubflowNodeComponent = memo(({ data, id, selected }: NodeProps<Subf
                {blockName}
              </span>
            </div>
-            <div className='flex items-center gap-1'>
+            {!isEnabled && <Badge variant='gray-secondary'>disabled</Badge>}
              {!isEnabled && <Badge variant='gray-secondary'>disabled</Badge>}
              {isLocked && <Badge variant='gray-secondary'>locked</Badge>}
            </div>
          </div>
          {!isPreview && (
--- a/apps/sim/app/workspace/[workspaceId]/w/[workflowId]/components/terminal/terminal.tsx
+++ b/apps/sim/app/workspace/[workspaceId]/w/[workflowId]/components/terminal/terminal.tsx
@@ -24,7 +24,6 @@ import {
  Tooltip,
 } from '@/components/emcn'
 import { getEnv, isTruthy } from '@/lib/core/config/env'
 import { formatDuration } from '@/lib/core/utils/formatting'
 import { useRegisterGlobalCommands } from '@/app/workspace/[workspaceId]/providers/global-commands-provider'
 import { createCommands } from '@/app/workspace/[workspaceId]/utils/commands-utils'
 import {
@@ -44,6 +43,7 @@ import {
  type EntryNode,
  type ExecutionGroup,
  flattenBlockEntriesOnly,
  formatDuration,
  getBlockColor,
  getBlockIcon,
  groupEntriesByExecution,
@@ -128,7 +128,7 @@ const BlockRow = memo(function BlockRow({
        <StatusDisplay
          isRunning={isRunning}
          isCanceled={isCanceled}
-          formattedDuration={formatDuration(entry.durationMs, { precision: 2 }) ?? '-'}
+          formattedDuration={formatDuration(entry.durationMs)}
        />
      </span>
    </div>
@@ -201,7 +201,7 @@ const IterationNodeRow = memo(function IterationNodeRow({
          <StatusDisplay
            isRunning={hasRunningChild}
            isCanceled={hasCanceledChild}
-            formattedDuration={formatDuration(entry.durationMs, { precision: 2 }) ?? '-'}
+            formattedDuration={formatDuration(entry.durationMs)}
          />
        </span>
      </div>
@@ -314,7 +314,7 @@ const SubflowNodeRow = memo(function SubflowNodeRow({
          <StatusDisplay
            isRunning={hasRunningDescendant}
            isCanceled={hasCanceledDescendant}
-            formattedDuration={formatDuration(entry.durationMs, { precision: 2 }) ?? '-'}
+            formattedDuration={formatDuration(entry.durationMs)}
          />
        </span>
      </div>
--- a/apps/sim/app/workspace/[workspaceId]/w/[workflowId]/components/terminal/utils.ts
+++ b/apps/sim/app/workspace/[workspaceId]/w/[workflowId]/components/terminal/utils.ts
@@ -53,6 +53,17 @@ export function getBlockColor(blockType: string): string {
  return '#6b7280'
 }
 /**
 * Formats duration from milliseconds to readable format
 */
 export function formatDuration(ms?: number): string {
  if (ms === undefined || ms === null) return '-'
  if (ms < 1000) {
    return `${Math.round(ms)}ms`
  }
  return `${(ms / 1000).toFixed(2)}s`
 }
 /**
 * Determines if a keyboard event originated from a text-editable element
 */
--- a/apps/sim/app/workspace/[workspaceId]/w/[workflowId]/components/training-modal/training-modal.tsx
+++ b/apps/sim/app/workspace/[workspaceId]/w/[workflowId]/components/training-modal/training-modal.tsx
@@ -30,7 +30,6 @@ import {
  Textarea,
 } from '@/components/emcn'
 import { cn } from '@/lib/core/utils/cn'
 import { formatDuration } from '@/lib/core/utils/formatting'
 import { sanitizeForCopilot } from '@/lib/workflows/sanitization/json-sanitizer'
 import { formatEditSequence } from '@/lib/workflows/training/compute-edit-sequence'
 import { useCurrentWorkflow } from '@/app/workspace/[workspaceId]/w/[workflowId]/hooks/use-current-workflow'
@@ -576,9 +575,7 @@ export function TrainingModal() {
                                    <span className='text-[var(--text-muted)]'>Duration:</span>{' '}
                                    <span className='text-[var(--text-secondary)]'>
                                      {dataset.metadata?.duration
-                                        ? formatDuration(dataset.metadata.duration, {
+                                        ? `${(dataset.metadata.duration / 1000).toFixed(1)}s`
                                            precision: 1,
                                          })
                                        : 'N/A'}
                                    </span>
                                  </div>
--- a/apps/sim/app/workspace/[workspaceId]/w/[workflowId]/components/workflow-block/hooks/use-block-state.ts
+++ b/apps/sim/app/workspace/[workspaceId]/w/[workflowId]/components/workflow-block/hooks/use-block-state.ts
@@ -18,8 +18,6 @@ export interface UseBlockStateReturn {
  diffStatus: DiffStatus
  /** Whether this is a deleted block in diff mode */
  isDeletedBlock: boolean
  /** Whether the block is locked */
  isLocked: boolean
 }
 /**
@@ -42,11 +40,6 @@ export function useBlockState(
    ? (data.blockState?.enabled ?? true)
    : (currentBlock?.enabled ?? true)
  // Determine if block is locked
  const isLocked = data.isPreview
    ? (data.blockState?.locked ?? false)
    : (currentBlock?.locked ?? false)
  // Get diff status
  const diffStatus: DiffStatus =
    currentWorkflow.isDiffMode && currentBlock && hasDiffStatus(currentBlock)
@@ -75,6 +68,5 @@ export function useBlockState(
    isActive,
    diffStatus,
    isDeletedBlock: isDeletedBlock ?? false,
    isLocked,
  }
 }
--- a/apps/sim/app/workspace/[workspaceId]/w/[workflowId]/components/workflow-block/workflow-block.tsx
+++ b/apps/sim/app/workspace/[workspaceId]/w/[workflowId]/components/workflow-block/workflow-block.tsx
@@ -672,7 +672,6 @@ export const WorkflowBlock = memo(function WorkflowBlock({
    currentWorkflow,
    activeWorkflowId,
    isEnabled,
    isLocked,
    handleClick,
    hasRing,
    ringStyles,
@@ -1101,7 +1100,7 @@ export const WorkflowBlock = memo(function WorkflowBlock({
              {name}
            </span>
          </div>
-          <div className='relative z-10 flex flex-shrink-0 items-center gap-1'>
+          <div className='relative z-10 flex flex-shrink-0 items-center gap-2'>
            {isWorkflowSelector &&
              childWorkflowId &&
              typeof childIsDeployed === 'boolean' &&
@@ -1134,7 +1133,6 @@ export const WorkflowBlock = memo(function WorkflowBlock({
                </Tooltip.Root>
              )}
            {!isEnabled && <Badge variant='gray-secondary'>disabled</Badge>}
            {isLocked && <Badge variant='gray-secondary'>locked</Badge>}
            {type === 'schedule' && shouldShowScheduleBadge && scheduleInfo?.isDisabled && (
              <Tooltip.Root>
--- a/apps/sim/app/workspace/[workspaceId]/w/[workflowId]/hooks/use-block-output-fields.ts
+++ b/apps/sim/app/workspace/[workspaceId]/w/[workflowId]/hooks/use-block-output-fields.ts
@@ -188,7 +188,7 @@ export function useBlockOutputFields({
          baseOutputs = {
            input: { type: 'string', description: 'User message' },
            conversationId: { type: 'string', description: 'Conversation ID' },
-            files: { type: 'files', description: 'Uploaded files' },
+            files: { type: 'file[]', description: 'Uploaded files' },
          }
        } else {
          const inputFormatValue = mergedSubBlocks?.inputFormat?.value
--- a/apps/sim/app/workspace/[workspaceId]/w/[workflowId]/hooks/use-block-visual.ts
+++ b/apps/sim/app/workspace/[workspaceId]/w/[workflowId]/hooks/use-block-visual.ts
@@ -47,7 +47,6 @@ export function useBlockVisual({
    isActive: isExecuting,
    diffStatus,
    isDeletedBlock,
    isLocked,
  } = useBlockState(blockId, currentWorkflow, data)
  const currentBlockId = usePanelEditorStore((state) => state.currentBlockId)
@@ -104,7 +103,6 @@ export function useBlockVisual({
    currentWorkflow,
    activeWorkflowId,
    isEnabled,
    isLocked,
    handleClick,
    hasRing,
    ringStyles,
--- a/apps/sim/app/workspace/[workspaceId]/w/[workflowId]/hooks/use-canvas-context-menu.ts
+++ b/apps/sim/app/workspace/[workspaceId]/w/[workflowId]/hooks/use-canvas-context-menu.ts
@@ -31,8 +31,7 @@ export function useCanvasContextMenu({ blocks, getNodes, setNodes }: UseCanvasCo
      nodes.map((n) => {
        const block = blocks[n.id]
        const parentId = block?.data?.parentId
-        const parentBlock = parentId ? blocks[parentId] : undefined
+        const parentType = parentId ? blocks[parentId]?.type : undefined
        const parentType = parentBlock?.type
        return {
          id: n.id,
          type: block?.type || '',
@@ -40,9 +39,6 @@ export function useCanvasContextMenu({ blocks, getNodes, setNodes }: UseCanvasCo
          horizontalHandles: block?.horizontalHandles ?? false,
          parentId,
          parentType,
          locked: block?.locked ?? false,
          isParentLocked: parentBlock?.locked ?? false,
          isParentDisabled: parentBlock ? !parentBlock.enabled : false,
        }
      }),
    [blocks]
--- a/apps/sim/app/workspace/[workspaceId]/w/[workflowId]/utils/auto-layout-utils.ts
+++ b/apps/sim/app/workspace/[workspaceId]/w/[workflowId]/utils/auto-layout-utils.ts
@@ -52,16 +52,6 @@ export async function applyAutoLayoutAndUpdateStore(
      return { success: false, error: 'No blocks to layout' }
    }
    // Check for locked blocks - auto-layout is disabled when blocks are locked
    const hasLockedBlocks = Object.values(blocks).some((block) => block.locked)
    if (hasLockedBlocks) {
      logger.info('Auto layout skipped: workflow contains locked blocks', { workflowId })
      return {
        success: false,
        error: 'Auto-layout is disabled when blocks are locked. Unlock blocks to use auto-layout.',
      }
    }
    // Merge with default options
    const layoutOptions = {
      spacing: {
--- a/apps/sim/app/workspace/[workspaceId]/w/[workflowId]/utils/block-protection-utils.ts
+++ b/apps/sim/app/workspace/[workspaceId]/w/[workflowId]/utils/block-protection-utils.ts
@@ -1,72 +0,0 @@
 import type { BlockState } from '@/stores/workflows/workflow/types'
 /**
 * Result of filtering protected blocks from a deletion operation
 */
 export interface FilterProtectedBlocksResult {
  /** Block IDs that can be deleted (not protected) */
  deletableIds: string[]
  /** Block IDs that are protected and cannot be deleted */
  protectedIds: string[]
  /** Whether all blocks are protected (deletion should be cancelled entirely) */
  allProtected: boolean
 }
 /**
 * Checks if a block is protected from editing/deletion.
 * A block is protected if it is locked or if its parent container is locked.
 *
 * @param blockId - The ID of the block to check
 * @param blocks - Record of all blocks in the workflow
 * @returns True if the block is protected
 */
 export function isBlockProtected(blockId: string, blocks: Record<string, BlockState>): boolean {
  const block = blocks[blockId]
  if (!block) return false
  // Block is locked directly
  if (block.locked) return true
  // Block is inside a locked container
  const parentId = block.data?.parentId
  if (parentId && blocks[parentId]?.locked) return true
  return false
 }
 /**
 * Checks if an edge is protected from modification.
 * An edge is protected if either its source or target block is protected.
 *
 * @param edge - The edge to check (must have source and target)
 * @param blocks - Record of all blocks in the workflow
 * @returns True if the edge is protected
 */
 export function isEdgeProtected(
  edge: { source: string; target: string },
  blocks: Record<string, BlockState>
 ): boolean {
  return isBlockProtected(edge.source, blocks) || isBlockProtected(edge.target, blocks)
 }
 /**
 * Filters out protected blocks from a list of block IDs for deletion.
 * Protected blocks are those that are locked or inside a locked container.
 *
 * @param blockIds - Array of block IDs to filter
 * @param blocks - Record of all blocks in the workflow
 * @returns Result containing deletable IDs, protected IDs, and whether all are protected
 */
 export function filterProtectedBlocks(
  blockIds: string[],
  blocks: Record<string, BlockState>
 ): FilterProtectedBlocksResult {
  const protectedIds = blockIds.filter((id) => isBlockProtected(id, blocks))
  const deletableIds = blockIds.filter((id) => !protectedIds.includes(id))
  return {
    deletableIds,
    protectedIds,
    allProtected: protectedIds.length === blockIds.length && blockIds.length > 0,
  }
 }
--- a/apps/sim/app/workspace/[workspaceId]/w/[workflowId]/utils/index.ts
+++ b/apps/sim/app/workspace/[workspaceId]/w/[workflowId]/utils/index.ts
@@ -1,5 +1,4 @@
 export * from './auto-layout-utils'
 export * from './block-protection-utils'
 export * from './block-ring-utils'
 export * from './node-position-utils'
 export * from './workflow-canvas-helpers'
--- a/apps/sim/app/workspace/[workspaceId]/w/[workflowId]/workflow.tsx
+++ b/apps/sim/app/workspace/[workspaceId]/w/[workflowId]/workflow.tsx
@@ -55,10 +55,7 @@ import {
  clearDragHighlights,
  computeClampedPositionUpdates,
  estimateBlockDimensions,
  filterProtectedBlocks,
  getClampedPositionForNode,
  isBlockProtected,
  isEdgeProtected,
  isInEditableElement,
  resolveParentChildSelectionConflicts,
  validateTriggerPaste,
@@ -546,7 +543,6 @@ const WorkflowContent = React.memo(() => {
    collaborativeBatchRemoveBlocks,
    collaborativeBatchToggleBlockEnabled,
    collaborativeBatchToggleBlockHandles,
    collaborativeBatchToggleLocked,
    undo,
    redo,
  } = useCollaborativeWorkflow()
@@ -1073,27 +1069,8 @@ const WorkflowContent = React.memo(() => {
  const handleContextDelete = useCallback(() => {
    const blockIds = contextMenuBlocks.map((b) => b.id)
-    const { deletableIds, protectedIds, allProtected } = filterProtectedBlocks(blockIds, blocks)
+    collaborativeBatchRemoveBlocks(blockIds)
-
+  }, [contextMenuBlocks, collaborativeBatchRemoveBlocks])
    if (protectedIds.length > 0) {
      if (allProtected) {
        addNotification({
          level: 'info',
          message: 'Cannot delete locked blocks or blocks inside locked containers',
          workflowId: activeWorkflowId || undefined,
        })
        return
      }
      addNotification({
        level: 'info',
        message: `Skipped ${protectedIds.length} protected block(s)`,
        workflowId: activeWorkflowId || undefined,
      })
    }
    if (deletableIds.length > 0) {
      collaborativeBatchRemoveBlocks(deletableIds)
    }
  }, [contextMenuBlocks, collaborativeBatchRemoveBlocks, addNotification, activeWorkflowId, blocks])
  const handleContextToggleEnabled = useCallback(() => {
    const blockIds = contextMenuBlocks.map((block) => block.id)
@@ -1105,11 +1082,6 @@ const WorkflowContent = React.memo(() => {
    collaborativeBatchToggleBlockHandles(blockIds)
  }, [contextMenuBlocks, collaborativeBatchToggleBlockHandles])
  const handleContextToggleLocked = useCallback(() => {
    const blockIds = contextMenuBlocks.map((block) => block.id)
    collaborativeBatchToggleLocked(blockIds)
  }, [contextMenuBlocks, collaborativeBatchToggleLocked])
  const handleContextRemoveFromSubflow = useCallback(() => {
    const blocksToRemove = contextMenuBlocks.filter(
      (block) => block.parentId && (block.parentType === 'loop' || block.parentType === 'parallel')
@@ -1979,6 +1951,7 @@ const WorkflowContent = React.memo(() => {
  const loadingWorkflowRef = useRef<string | null>(null)
  const currentWorkflowExists = Boolean(workflows[workflowIdParam])
  /** Initializes workflow when it exists in registry and needs hydration. */
  useEffect(() => {
    const currentId = workflowIdParam
    const currentWorkspaceHydration = hydration.workspaceId
@@ -2155,7 +2128,6 @@ const WorkflowContent = React.memo(() => {
          parentId: block.data?.parentId,
          extent: block.data?.extent || undefined,
          dragHandle: '.workflow-drag-handle',
          draggable: !isBlockProtected(block.id, blocks),
          data: {
            ...block.data,
            name: block.name,
@@ -2191,7 +2163,6 @@ const WorkflowContent = React.memo(() => {
        position,
        parentId: block.data?.parentId,
        dragHandle,
        draggable: !isBlockProtected(block.id, blocks),
        extent: (() => {
          // Clamp children to subflow body (exclude header)
          const parentId = block.data?.parentId as string | undefined
@@ -2520,18 +2491,12 @@ const WorkflowContent = React.memo(() => {
      const edgeIdsToRemove = changes
        .filter((change: any) => change.type === 'remove')
        .map((change: any) => change.id)
        .filter((edgeId: string) => {
          // Prevent removing edges connected to protected blocks
          const edge = edges.find((e) => e.id === edgeId)
          if (!edge) return true
          return !isEdgeProtected(edge, blocks)
        })
      if (edgeIdsToRemove.length > 0) {
        collaborativeBatchRemoveEdges(edgeIdsToRemove)
      }
    },
-    [collaborativeBatchRemoveEdges, edges, blocks]
+    [collaborativeBatchRemoveEdges]
  )
  /**
@@ -2593,16 +2558,6 @@ const WorkflowContent = React.memo(() => {
        if (!sourceNode || !targetNode) return
        // Prevent connections to/from protected blocks
        if (isEdgeProtected(connection, blocks)) {
          addNotification({
            level: 'info',
            message: 'Cannot connect to locked blocks or blocks inside locked containers',
            workflowId: activeWorkflowId || undefined,
          })
          return
        }
        // Get parent information (handle container start node case)
        const sourceParentId =
          blocks[sourceNode.id]?.data?.parentId ||
@@ -2665,7 +2620,7 @@ const WorkflowContent = React.memo(() => {
        connectionCompletedRef.current = true
      }
    },
-    [addEdge, getNodes, blocks, addNotification, activeWorkflowId]
+    [addEdge, getNodes, blocks]
  )
  /**
@@ -2760,9 +2715,6 @@ const WorkflowContent = React.memo(() => {
          // Only consider container nodes that aren't the dragged node
          if (n.type !== 'subflowNode' || n.id === node.id) return false
          // Don't allow dropping into locked containers
          if (blocks[n.id]?.locked) return false
          // Get the container's absolute position
          const containerAbsolutePos = getNodeAbsolutePosition(n.id)
@@ -2855,11 +2807,6 @@ const WorkflowContent = React.memo(() => {
  /** Captures initial parent ID and position when drag starts. */
  const onNodeDragStart = useCallback(
    (_event: React.MouseEvent, node: any) => {
      // Prevent dragging protected blocks
      if (isBlockProtected(node.id, blocks)) {
        return
      }
      // Store the original parent ID when starting to drag
      const currentParentId = blocks[node.id]?.data?.parentId || null
      setDragStartParentId(currentParentId)
@@ -2888,7 +2835,7 @@ const WorkflowContent = React.memo(() => {
        }
      })
    },
-    [blocks, setDragStartPosition, getNodes, setPotentialParentId]
+    [blocks, setDragStartPosition, getNodes, potentialParentId, setPotentialParentId]
  )
  /** Handles node drag stop to establish parent-child relationships. */
@@ -2950,18 +2897,6 @@ const WorkflowContent = React.memo(() => {
      // Don't process parent changes if the node hasn't actually changed parent or is being moved within same parent
      if (potentialParentId === dragStartParentId) return
      // Prevent moving locked blocks out of locked containers
      // Unlocked blocks (e.g., duplicates) can be moved out freely
      if (dragStartParentId && blocks[dragStartParentId]?.locked && blocks[node.id]?.locked) {
        addNotification({
          level: 'info',
          message: 'Cannot move locked blocks out of locked containers',
          workflowId: activeWorkflowId || undefined,
        })
        setPotentialParentId(dragStartParentId) // Reset to original parent
        return
      }
      // Check if this is a starter block - starter blocks should never be in containers
      const isStarterBlock = node.data?.type === 'starter'
      if (isStarterBlock) {
@@ -3358,16 +3293,6 @@ const WorkflowContent = React.memo(() => {
  /** Stable delete handler to avoid creating new function references per edge. */
  const handleEdgeDelete = useCallback(
    (edgeId: string) => {
      // Prevent removing edges connected to protected blocks
      const edge = edges.find((e) => e.id === edgeId)
      if (edge && isEdgeProtected(edge, blocks)) {
        addNotification({
          level: 'info',
          message: 'Cannot remove connections from locked blocks',
          workflowId: activeWorkflowId || undefined,
        })
        return
      }
      removeEdge(edgeId)
      // Remove this edge from selection (find by edge ID value)
      setSelectedEdges((prev) => {
@@ -3380,7 +3305,7 @@ const WorkflowContent = React.memo(() => {
        return next
      })
    },
-    [removeEdge, edges, blocks, addNotification, activeWorkflowId]
+    [removeEdge]
  )
  /** Transforms edges to include selection state and delete handlers. Memoized to prevent re-renders. */
@@ -3421,15 +3346,9 @@ const WorkflowContent = React.memo(() => {
      // Handle edge deletion first (edges take priority if selected)
      if (selectedEdges.size > 0) {
-        // Get all selected edge IDs and filter out edges connected to protected blocks
+        // Get all selected edge IDs and batch delete them
-        const edgeIds = Array.from(selectedEdges.values()).filter((edgeId) => {
+        const edgeIds = Array.from(selectedEdges.values())
-          const edge = edges.find((e) => e.id === edgeId)
+        collaborativeBatchRemoveEdges(edgeIds)
          if (!edge) return true
          return !isEdgeProtected(edge, blocks)
        })
        if (edgeIds.length > 0) {
          collaborativeBatchRemoveEdges(edgeIds)
        }
        setSelectedEdges(new Map())
        return
      }
@@ -3446,29 +3365,7 @@ const WorkflowContent = React.memo(() => {
      event.preventDefault()
      const selectedIds = selectedNodes.map((node) => node.id)
-      const { deletableIds, protectedIds, allProtected } = filterProtectedBlocks(
+      collaborativeBatchRemoveBlocks(selectedIds)
        selectedIds,
        blocks
      )
      if (protectedIds.length > 0) {
        if (allProtected) {
          addNotification({
            level: 'info',
            message: 'Cannot delete locked blocks or blocks inside locked containers',
            workflowId: activeWorkflowId || undefined,
          })
          return
        }
        addNotification({
          level: 'info',
          message: `Skipped ${protectedIds.length} protected block(s)`,
          workflowId: activeWorkflowId || undefined,
        })
      }
      if (deletableIds.length > 0) {
        collaborativeBatchRemoveBlocks(deletableIds)
      }
    }
    window.addEventListener('keydown', handleKeyDown)
@@ -3479,10 +3376,6 @@ const WorkflowContent = React.memo(() => {
    getNodes,
    collaborativeBatchRemoveBlocks,
    effectivePermissions.canEdit,
    blocks,
    edges,
    addNotification,
    activeWorkflowId,
  ])
  return (
@@ -3603,18 +3496,12 @@ const WorkflowContent = React.memo(() => {
                (b) => b.parentId && (b.parentType === 'loop' || b.parentType === 'parallel')
              )}
              canRunFromBlock={runFromBlockState.canRun}
-              disableEdit={
+              disableEdit={!effectivePermissions.canEdit}
                !effectivePermissions.canEdit ||
                contextMenuBlocks.some((b) => b.locked || b.isParentLocked)
              }
              userCanEdit={effectivePermissions.canEdit}
              isExecuting={isExecuting}
              isPositionalTrigger={
                contextMenuBlocks.length === 1 &&
                edges.filter((e) => e.target === contextMenuBlocks[0]?.id).length === 0
              }
              onToggleLocked={handleContextToggleLocked}
              canAdmin={effectivePermissions.canAdmin}
            />
            <CanvasMenu
@@ -3637,7 +3524,6 @@ const WorkflowContent = React.memo(() => {
              disableEdit={!effectivePermissions.canEdit}
              canUndo={canUndo}
              canRedo={canRedo}
              hasLockedBlocks={Object.values(blocks).some((b) => b.locked)}
            />
          </>
        )}
--- a/apps/sim/app/workspace/[workspaceId]/w/components/sidebar/components/settings-modal/components/access-control/access-control.tsx
+++ b/apps/sim/app/workspace/[workspaceId]/w/components/sidebar/components/settings-modal/components/access-control/access-control.tsx
@@ -29,6 +29,7 @@ import type { PermissionGroupConfig } from '@/lib/permission-groups/types'
 import { getUserColor } from '@/lib/workspaces/colors'
 import { getUserRole } from '@/lib/workspaces/organization'
 import { getAllBlocks } from '@/blocks'
 import { useOrganization, useOrganizations } from '@/hooks/queries/organization'
 import {
  type PermissionGroup,
  useBulkAddPermissionGroupMembers,
@@ -38,8 +39,7 @@ import {
  usePermissionGroups,
  useRemovePermissionGroupMember,
  useUpdatePermissionGroup,
-} from '@/ee/access-control/hooks/permission-groups'
+} from '@/hooks/queries/permission-groups'
 import { useOrganization, useOrganizations } from '@/hooks/queries/organization'
 import { useSubscriptionData } from '@/hooks/queries/subscription'
 import { PROVIDER_DEFINITIONS } from '@/providers/models'
 import { getAllProviderIds } from '@/providers/utils'
@@ -255,6 +255,7 @@ export function AccessControl() {
    queryEnabled
  )
  // Show loading while dependencies load, or while permission groups query is pending
  const isLoading = orgsLoading || subLoading || (queryEnabled && groupsLoading)
  const { data: organization } = useOrganization(activeOrganization?.id || '')
@@ -409,8 +410,10 @@ export function AccessControl() {
  }, [viewingGroup, editingConfig])
  const allBlocks = useMemo(() => {
    // Filter out hidden blocks and start_trigger (which should never be disabled)
    const blocks = getAllBlocks().filter((b) => !b.hideFromToolbar && b.type !== 'start_trigger')
    return blocks.sort((a, b) => {
      // Group by category: triggers first, then blocks, then tools
      const categoryOrder = { triggers: 0, blocks: 1, tools: 2 }
      const catA = categoryOrder[a.category] ?? 3
      const catB = categoryOrder[b.category] ?? 3
@@ -552,9 +555,10 @@ export function AccessControl() {
  }, [viewingGroup, editingConfig, activeOrganization?.id, updatePermissionGroup])
  const handleOpenAddMembersModal = useCallback(() => {
    const existingMemberUserIds = new Set(members.map((m) => m.userId))
    setSelectedMemberIds(new Set())
    setShowAddMembersModal(true)
-  }, [])
+  }, [members])
  const handleAddSelectedMembers = useCallback(async () => {
    if (!viewingGroup || selectedMemberIds.size === 0) return
@@ -887,6 +891,7 @@ export function AccessControl() {
                            prev
                              ? {
                                  ...prev,
                                  // When deselecting all, keep start_trigger allowed (it should never be disabled)
                                  allowedIntegrations: allAllowed ? ['start_trigger'] : null,
                                }
                              : prev
--- a/apps/sim/app/workspace/[workspaceId]/w/components/sidebar/components/settings-modal/components/credential-sets/credential-sets.tsx
+++ b/apps/sim/app/workspace/[workspaceId]/w/components/sidebar/components/settings-modal/components/credential-sets/credential-sets.tsx
@@ -246,6 +246,7 @@ export function CredentialSets() {
      setNewSetDescription('')
      setNewSetProvider('google-email')
      // Open detail view for the newly created group
      if (result?.credentialSet) {
        setViewingSet(result.credentialSet)
      }
@@ -335,6 +336,7 @@ export function CredentialSets() {
          email,
        })
        // Start 60s cooldown
        setResendCooldowns((prev) => ({ ...prev, [invitationId]: 60 }))
        const interval = setInterval(() => {
          setResendCooldowns((prev) => {
@@ -391,6 +393,7 @@ export function CredentialSets() {
    return <GmailIcon className='h-4 w-4' />
  }
  // All hooks must be called before any early returns
  const activeMemberships = useMemo(
    () => memberships.filter((m) => m.status === 'active'),
    [memberships]
@@ -444,6 +447,7 @@ export function CredentialSets() {
        <div className='flex h-full flex-col gap-[16px]'>
          <div className='min-h-0 flex-1 overflow-y-auto'>
            <div className='flex flex-col gap-[16px]'>
              {/* Group Info */}
              <div className='flex items-center gap-[16px]'>
                <div className='flex items-center gap-[8px]'>
                  <span className='font-medium text-[13px] text-[var(--text-primary)]'>
@@ -467,6 +471,7 @@ export function CredentialSets() {
                </div>
              </div>
              {/* Invite Section - Email Tags Input */}
              <div className='flex flex-col gap-[4px]'>
                <div className='flex items-center gap-[8px]'>
                  <TagInput
@@ -490,6 +495,7 @@ export function CredentialSets() {
                {emailError && <p className='text-[12px] text-[var(--text-error)]'>{emailError}</p>}
              </div>
              {/* Members List - styled like team members */}
              <div className='flex flex-col gap-[16px]'>
                <h4 className='font-medium text-[14px] text-[var(--text-primary)]'>Members</h4>
@@ -513,6 +519,7 @@ export function CredentialSets() {
                  </p>
                ) : (
                  <div className='flex flex-col gap-[16px]'>
                    {/* Active Members */}
                    {activeMembers.map((member) => {
                      const name = member.userName || 'Unknown'
                      const avatarInitial = name.charAt(0).toUpperCase()
@@ -565,6 +572,7 @@ export function CredentialSets() {
                      )
                    })}
                    {/* Pending Invitations */}
                    {pendingInvitations.map((invitation) => {
                      const email = invitation.email || 'Unknown'
                      const emailPrefix = email.split('@')[0]
@@ -633,6 +641,7 @@ export function CredentialSets() {
            </div>
          </div>
          {/* Footer Actions */}
          <div className='mt-auto flex items-center justify-end'>
            <Button onClick={handleBackToList} variant='tertiary'>
              Back
@@ -813,6 +822,7 @@ export function CredentialSets() {
        </div>
      </div>
      {/* Create Polling Group Modal */}
      <Modal open={showCreateModal} onOpenChange={handleCloseCreateModal}>
        <ModalContent size='sm'>
          <ModalHeader>Create Polling Group</ModalHeader>
@@ -885,6 +895,7 @@ export function CredentialSets() {
        </ModalContent>
      </Modal>
      {/* Leave Confirmation Modal */}
      <Modal open={!!leavingMembership} onOpenChange={() => setLeavingMembership(null)}>
        <ModalContent size='sm'>
          <ModalHeader>Leave Polling Group</ModalHeader>
@@ -912,6 +923,7 @@ export function CredentialSets() {
        </ModalContent>
      </Modal>
      {/* Delete Confirmation Modal */}
      <Modal open={!!deletingSet} onOpenChange={() => setDeletingSet(null)}>
        <ModalContent size='sm'>
          <ModalHeader>Delete Polling Group</ModalHeader>
--- a/apps/sim/app/workspace/[workspaceId]/w/components/sidebar/components/settings-modal/components/index.ts
+++ b/apps/sim/app/workspace/[workspaceId]/w/components/sidebar/components/settings-modal/components/index.ts
@@ -1,3 +1,4 @@
 export { AccessControl } from './access-control/access-control'
 export { ApiKeys } from './api-keys/api-keys'
 export { BYOK } from './byok/byok'
 export { Copilot } from './copilot/copilot'
@@ -9,6 +10,7 @@ export { Files as FileUploads } from './files/files'
 export { General } from './general/general'
 export { Integrations } from './integrations/integrations'
 export { MCP } from './mcp/mcp'
 export { SSO } from './sso/sso'
 export { Subscription } from './subscription/subscription'
 export { TeamManagement } from './team-management/team-management'
 export { WorkflowMcpServers } from './workflow-mcp-servers/workflow-mcp-servers'
--- a/apps/sim/app/workspace/[workspaceId]/w/components/sidebar/components/settings-modal/components/mcp/mcp.tsx
+++ b/apps/sim/app/workspace/[workspaceId]/w/components/sidebar/components/settings-modal/components/mcp/mcp.tsx
@@ -407,12 +407,14 @@ export function MCP({ initialServerId }: MCPProps) {
  const [urlScrollLeft, setUrlScrollLeft] = useState(0)
  const [headerScrollLeft, setHeaderScrollLeft] = useState<Record<string, number>>({})
  // Auto-select server when initialServerId is provided
  useEffect(() => {
    if (initialServerId && servers.some((s) => s.id === initialServerId)) {
      setSelectedServerId(initialServerId)
    }
  }, [initialServerId, servers])
  // Force refresh tools when entering server detail view to detect stale schemas
  useEffect(() => {
    if (selectedServerId) {
      forceRefreshTools(workspaceId)
@@ -673,7 +675,6 @@ export function MCP({ initialServerId }: MCPProps) {
  /**
   * Opens the detail view for a specific server.
   * Note: Tool refresh is handled by the useEffect that watches selectedServerId
   */
  const handleViewDetails = useCallback((serverId: string) => {
    setSelectedServerId(serverId)
@@ -716,6 +717,7 @@ export function MCP({ initialServerId }: MCPProps) {
          `Refreshed MCP server: ${serverId}, workflows updated: ${result.workflowsUpdated}`
        )
        // If the active workflow was updated, reload its subblock values from DB
        const activeWorkflowId = useWorkflowRegistry.getState().activeWorkflowId
        if (activeWorkflowId && result.updatedWorkflowIds?.includes(activeWorkflowId)) {
          logger.info(`Active workflow ${activeWorkflowId} was updated, reloading subblock values`)
--- a/apps/sim/app/workspace/[workspaceId]/w/components/sidebar/components/settings-modal/components/sso/sso.tsx
+++ b/apps/sim/app/workspace/[workspaceId]/w/components/sidebar/components/settings-modal/components/sso/sso.tsx
@@ -11,13 +11,55 @@ import { isBillingEnabled } from '@/lib/core/config/feature-flags'
 import { cn } from '@/lib/core/utils/cn'
 import { getBaseUrl } from '@/lib/core/utils/urls'
 import { getUserRole } from '@/lib/workspaces/organization/utils'
 import { SSO_TRUSTED_PROVIDERS } from '@/ee/sso/constants'
 import { useConfigureSSO, useSSOProviders } from '@/ee/sso/hooks/sso'
 import { useOrganizations } from '@/hooks/queries/organization'
 import { useConfigureSSO, useSSOProviders } from '@/hooks/queries/sso'
 import { useSubscriptionData } from '@/hooks/queries/subscription'
 const logger = createLogger('SSO')
 const TRUSTED_SSO_PROVIDERS = [
  'okta',
  'okta-saml',
  'okta-prod',
  'okta-dev',
  'okta-staging',
  'okta-test',
  'azure-ad',
  'azure-active-directory',
  'azure-corp',
  'azure-enterprise',
  'adfs',
  'adfs-company',
  'adfs-corp',
  'adfs-enterprise',
  'auth0',
  'auth0-prod',
  'auth0-dev',
  'auth0-staging',
  'onelogin',
  'onelogin-prod',
  'onelogin-corp',
  'jumpcloud',
  'jumpcloud-prod',
  'jumpcloud-corp',
  'ping-identity',
  'ping-federate',
  'pingone',
  'shibboleth',
  'shibboleth-idp',
  'google-workspace',
  'google-sso',
  'saml',
  'saml2',
  'saml-sso',
  'oidc',
  'oidc-sso',
  'openid-connect',
  'custom-sso',
  'enterprise-sso',
  'company-sso',
 ]
 interface SSOProvider {
  id: string
  providerId: string
@@ -523,7 +565,7 @@ export function SSO() {
            <Combobox
              value={formData.providerId}
              onChange={(value: string) => handleInputChange('providerId', value)}
-              options={SSO_TRUSTED_PROVIDERS.map((id) => ({
+              options={TRUSTED_SSO_PROVIDERS.map((id) => ({
                label: id,
                value: id,
              }))}
--- a/apps/sim/app/workspace/[workspaceId]/w/components/sidebar/components/settings-modal/settings-modal.tsx
+++ b/apps/sim/app/workspace/[workspaceId]/w/components/sidebar/components/settings-modal/settings-modal.tsx
@@ -41,6 +41,7 @@ import { getEnv, isTruthy } from '@/lib/core/config/env'
 import { isHosted } from '@/lib/core/config/feature-flags'
 import { getUserRole } from '@/lib/workspaces/organization'
 import {
  AccessControl,
  ApiKeys,
  BYOK,
  Copilot,
@@ -52,18 +53,16 @@ import {
  General,
  Integrations,
  MCP,
  SSO,
  Subscription,
  TeamManagement,
  WorkflowMcpServers,
 } from '@/app/workspace/[workspaceId]/w/components/sidebar/components/settings-modal/components'
 import { TemplateProfile } from '@/app/workspace/[workspaceId]/w/components/sidebar/components/settings-modal/components/template-profile/template-profile'
 import { AccessControl } from '@/ee/access-control/components/access-control'
 import { SSO } from '@/ee/sso/components/sso-settings'
 import { ssoKeys, useSSOProviders } from '@/ee/sso/hooks/sso'
 import { generalSettingsKeys, useGeneralSettings } from '@/hooks/queries/general-settings'
 import { organizationKeys, useOrganizations } from '@/hooks/queries/organization'
 import { ssoKeys, useSSOProviders } from '@/hooks/queries/sso'
 import { subscriptionKeys, useSubscriptionData } from '@/hooks/queries/subscription'
 import { useSuperUserStatus } from '@/hooks/queries/user-profile'
 import { usePermissionConfig } from '@/hooks/use-permission-config'
 import { useSettingsModalStore } from '@/stores/modals/settings/store'
@@ -205,13 +204,13 @@ export function SettingsModal({ open, onOpenChange }: SettingsModalProps) {
  const [activeSection, setActiveSection] = useState<SettingsSection>('general')
  const { initialSection, mcpServerId, clearInitialState } = useSettingsModalStore()
  const [pendingMcpServerId, setPendingMcpServerId] = useState<string | null>(null)
  const [isSuperUser, setIsSuperUser] = useState(false)
  const { data: session } = useSession()
  const queryClient = useQueryClient()
  const { data: organizationsData } = useOrganizations()
  const { data: generalSettings } = useGeneralSettings()
  const { data: subscriptionData } = useSubscriptionData({ enabled: isBillingEnabled })
  const { data: ssoProvidersData, isLoading: isLoadingSSO } = useSSOProviders()
  const { data: superUserData } = useSuperUserStatus(session?.user?.id)
  const activeOrganization = organizationsData?.activeOrganization
  const { config: permissionConfig } = usePermissionConfig()
@@ -230,7 +229,22 @@ export function SettingsModal({ open, onOpenChange }: SettingsModalProps) {
  const hasEnterprisePlan = subscriptionStatus.isEnterprise
  const hasOrganization = !!activeOrganization?.id
-  const isSuperUser = superUserData?.isSuperUser ?? false
+  // Fetch superuser status
  useEffect(() => {
    const fetchSuperUserStatus = async () => {
      if (!userId) return
      try {
        const response = await fetch('/api/user/super-user')
        if (response.ok) {
          const data = await response.json()
          setIsSuperUser(data.isSuperUser)
        }
      } catch {
        setIsSuperUser(false)
      }
    }
    fetchSuperUserStatus()
  }, [userId])
  // Memoize SSO provider ownership check
  const isSSOProviderOwner = useMemo(() => {
@@ -314,13 +328,7 @@ export function SettingsModal({ open, onOpenChange }: SettingsModalProps) {
    generalSettings?.superUserModeEnabled,
  ])
-  const effectiveActiveSection = useMemo(() => {
+  // Memoized callbacks to prevent infinite loops in child components
    if (!isBillingEnabled && (activeSection === 'subscription' || activeSection === 'team')) {
      return 'general'
    }
    return activeSection
  }, [activeSection])
  const registerEnvironmentBeforeLeaveHandler = useCallback(
    (handler: (onProceed: () => void) => void) => {
      environmentBeforeLeaveHandler.current = handler
@@ -334,18 +342,19 @@ export function SettingsModal({ open, onOpenChange }: SettingsModalProps) {
  const handleSectionChange = useCallback(
    (sectionId: SettingsSection) => {
-      if (sectionId === effectiveActiveSection) return
+      if (sectionId === activeSection) return
-      if (effectiveActiveSection === 'environment' && environmentBeforeLeaveHandler.current) {
+      if (activeSection === 'environment' && environmentBeforeLeaveHandler.current) {
        environmentBeforeLeaveHandler.current(() => setActiveSection(sectionId))
        return
      }
      setActiveSection(sectionId)
    },
-    [effectiveActiveSection]
+    [activeSection]
  )
  // Apply initial section from store when modal opens
  useEffect(() => {
    if (open && initialSection) {
      setActiveSection(initialSection)
@@ -356,6 +365,7 @@ export function SettingsModal({ open, onOpenChange }: SettingsModalProps) {
    }
  }, [open, initialSection, mcpServerId, clearInitialState])
  // Clear pending server ID when section changes away from MCP
  useEffect(() => {
    if (activeSection !== 'mcp') {
      setPendingMcpServerId(null)
@@ -381,6 +391,14 @@ export function SettingsModal({ open, onOpenChange }: SettingsModalProps) {
    }
  }, [onOpenChange])
  // Redirect away from billing tabs if billing is disabled
  useEffect(() => {
    if (!isBillingEnabled && (activeSection === 'subscription' || activeSection === 'team')) {
      setActiveSection('general')
    }
  }, [activeSection])
  // Prefetch functions for React Query
  const prefetchGeneral = () => {
    queryClient.prefetchQuery({
      queryKey: generalSettingsKeys.settings(),
@@ -471,17 +489,9 @@ export function SettingsModal({ open, onOpenChange }: SettingsModalProps) {
  // Handle dialog close - delegate to environment component if it's active
  const handleDialogOpenChange = (newOpen: boolean) => {
-    if (
+    if (!newOpen && activeSection === 'environment' && environmentBeforeLeaveHandler.current) {
      !newOpen &&
      effectiveActiveSection === 'environment' &&
      environmentBeforeLeaveHandler.current
    ) {
      environmentBeforeLeaveHandler.current(() => onOpenChange(false))
-    } else if (
+    } else if (!newOpen && activeSection === 'integrations' && integrationsCloseHandler.current) {
      !newOpen &&
      effectiveActiveSection === 'integrations' &&
      integrationsCloseHandler.current
    ) {
      integrationsCloseHandler.current(newOpen)
    } else {
      onOpenChange(newOpen)
@@ -512,7 +522,7 @@ export function SettingsModal({ open, onOpenChange }: SettingsModalProps) {
                {sectionItems.map((item) => (
                  <SModalSidebarItem
                    key={item.id}
-                    active={effectiveActiveSection === item.id}
+                    active={activeSection === item.id}
                    icon={<item.icon />}
                    onMouseEnter={() => handlePrefetch(item.id)}
                    onClick={() => handleSectionChange(item.id)}
@@ -528,36 +538,35 @@ export function SettingsModal({ open, onOpenChange }: SettingsModalProps) {
        <SModalMain>
          <SModalMainHeader>
-            {navigationItems.find((item) => item.id === effectiveActiveSection)?.label ||
+            {navigationItems.find((item) => item.id === activeSection)?.label || activeSection}
              effectiveActiveSection}
          </SModalMainHeader>
          <SModalMainBody>
-            {effectiveActiveSection === 'general' && <General onOpenChange={onOpenChange} />}
+            {activeSection === 'general' && <General onOpenChange={onOpenChange} />}
-            {effectiveActiveSection === 'environment' && (
+            {activeSection === 'environment' && (
              <EnvironmentVariables
                registerBeforeLeaveHandler={registerEnvironmentBeforeLeaveHandler}
              />
            )}
-            {effectiveActiveSection === 'template-profile' && <TemplateProfile />}
+            {activeSection === 'template-profile' && <TemplateProfile />}
-            {effectiveActiveSection === 'integrations' && (
+            {activeSection === 'integrations' && (
              <Integrations
                onOpenChange={onOpenChange}
                registerCloseHandler={registerIntegrationsCloseHandler}
              />
            )}
-            {effectiveActiveSection === 'credential-sets' && <CredentialSets />}
+            {activeSection === 'credential-sets' && <CredentialSets />}
-            {effectiveActiveSection === 'access-control' && <AccessControl />}
+            {activeSection === 'access-control' && <AccessControl />}
-            {effectiveActiveSection === 'apikeys' && <ApiKeys onOpenChange={onOpenChange} />}
+            {activeSection === 'apikeys' && <ApiKeys onOpenChange={onOpenChange} />}
-            {effectiveActiveSection === 'files' && <FileUploads />}
+            {activeSection === 'files' && <FileUploads />}
-            {isBillingEnabled && effectiveActiveSection === 'subscription' && <Subscription />}
+            {isBillingEnabled && activeSection === 'subscription' && <Subscription />}
-            {isBillingEnabled && effectiveActiveSection === 'team' && <TeamManagement />}
+            {isBillingEnabled && activeSection === 'team' && <TeamManagement />}
-            {effectiveActiveSection === 'sso' && <SSO />}
+            {activeSection === 'sso' && <SSO />}
-            {effectiveActiveSection === 'byok' && <BYOK />}
+            {activeSection === 'byok' && <BYOK />}
-            {effectiveActiveSection === 'copilot' && <Copilot />}
+            {activeSection === 'copilot' && <Copilot />}
-            {effectiveActiveSection === 'mcp' && <MCP initialServerId={pendingMcpServerId} />}
+            {activeSection === 'mcp' && <MCP initialServerId={pendingMcpServerId} />}
-            {effectiveActiveSection === 'custom-tools' && <CustomTools />}
+            {activeSection === 'custom-tools' && <CustomTools />}
-            {effectiveActiveSection === 'workflow-mcp-servers' && <WorkflowMcpServers />}
+            {activeSection === 'workflow-mcp-servers' && <WorkflowMcpServers />}
-            {effectiveActiveSection === 'debug' && <Debug />}
+            {activeSection === 'debug' && <Debug />}
          </SModalMainBody>
        </SModalMain>
      </SModalContent>
--- a/apps/sim/app/workspace/[workspaceId]/w/components/sidebar/components/workflow-list/components/folder-item/folder-item.tsx
+++ b/apps/sim/app/workspace/[workspaceId]/w/components/sidebar/components/workflow-list/components/folder-item/folder-item.tsx
@@ -231,8 +231,6 @@ export function FolderItem({
    const isFolderSelected = store.selectedFolders.has(folder.id)
    if (!isFolderSelected) {
      // Replace selection with just this folder (Finder/Explorer pattern)
      store.clearAllSelection()
      store.selectFolder(folder.id)
    }
--- a/apps/sim/app/workspace/[workspaceId]/w/components/sidebar/components/workflow-list/components/workflow-item/workflow-item.tsx
+++ b/apps/sim/app/workspace/[workspaceId]/w/components/sidebar/components/workflow-list/components/workflow-item/workflow-item.tsx
@@ -189,9 +189,6 @@ export function WorkflowItem({
    const isCurrentlySelected = store.selectedWorkflows.has(workflow.id)
    if (!isCurrentlySelected) {
      // Replace selection with just this item (Finder/Explorer pattern)
      // This clears both workflow and folder selections
      store.clearAllSelection()
      store.selectWorkflow(workflow.id)
    }
--- a/Show More
+++ b/Show More
Author	SHA1	Message	Date
Vikhyath Mondreti	1282befcf1	update skills	2026-02-03 16:04:16 -08:00
Vikhyath Mondreti	b7ccbc8cb9	fix	2026-02-03 15:58:51 -08:00
Vikhyath Mondreti	5a78b55b1e	fix	2026-02-03 15:53:24 -08:00
Vikhyath Mondreti	aa1b158b26	fix dropbox	2026-02-03 15:50:50 -08:00
Vikhyath Mondreti	2d96ac55db	fix sendgrid	2026-02-03 15:44:39 -08:00
Vikhyath Mondreti	bd5866ed6b	fix dropbox upload file	2026-02-03 15:35:15 -08:00
Vikhyath Mondreti	cfc360404a	fix slack to include successful execs	2026-02-03 13:19:58 -08:00
Vikhyath Mondreti	b0457bc7c1	improve docs	2026-02-03 13:06:16 -08:00
Vikhyath Mondreti	4669ec9823	Merge branch 'improvement/double-fetch' of github.com:simstudioai/sim into improvement/double-fetch	2026-02-03 12:53:41 -08:00
Vikhyath Mondreti	ed1ca6e861	user files should be passed through	2026-02-03 12:53:28 -08:00
waleed	a529f06adb	added wand to ssh block	2026-02-03 12:30:51 -08:00
Vikhyath Mondreti	4f2b5a5ec6	accept all types	2026-02-03 12:29:55 -08:00
Vikhyath Mondreti	dc3d449d99	remove file only annotation	2026-02-03 12:24:45 -08:00
Vikhyath Mondreti	fa81609a92	cleanup fireflies	2026-02-03 12:17:55 -08:00
Vikhyath Mondreti	f256a9fa8c	make interface simpler	2026-02-03 12:15:26 -08:00
Vikhyath Mondreti	47c9604577	update single file blocks	2026-02-03 12:09:55 -08:00
Vikhyath Mondreti	ff0753a298	fix more v2 blocks	2026-02-03 11:55:51 -08:00
Vikhyath Mondreti	3b747086bf	fix for v2 versions	2026-02-03 11:53:57 -08:00
Vikhyath Mondreti	285490666f	fix v2 blocmks for ocr	2026-02-03 11:50:26 -08:00
Vikhyath Mondreti	c230e1aae2	normalize file input	2026-02-03 11:38:14 -08:00
Vikhyath Mondreti	6e5e8debc5	fix	2026-02-03 11:23:54 -08:00
Vikhyath Mondreti	66b954d15d	fix file block adv mode	2026-02-03 11:00:05 -08:00
Vikhyath Mondreti	4169a25e29	address bugbot comment	2026-02-03 09:49:07 -08:00
Vikhyath Mondreti	0aeaf6faee	remove leftover type	2026-02-03 01:22:49 -08:00
Vikhyath Mondreti	a6ec6a0e6c	fix typing	2026-02-03 01:22:21 -08:00
Vikhyath Mondreti	cbe0f8aed2	fix ocr integrations	2026-02-03 01:18:13 -08:00
Vikhyath Mondreti	6e642fc705	address more bugbot comments	2026-02-03 00:58:58 -08:00
Vikhyath Mondreti	1c857cdcda	fix circular impport	2026-02-03 00:52:12 -08:00
Vikhyath Mondreti	7570e509ff	Merge branch 'staging' into improvement/double-fetch	2026-02-02 20:24:34 -08:00
Vikhyath Mondreti	1ff35405fa	fix type check	2026-02-02 20:14:46 -08:00
Vikhyath Mondreti	3ceabbb816	fix more bugbot comments	2026-02-02 20:12:31 -08:00
Vikhyath Mondreti	a65f3b8e6b	fix tests	2026-02-02 17:26:57 -08:00
Vikhyath Mondreti	5ecbf6cf4a	consolidate more code	2026-02-02 17:21:22 -08:00
Vikhyath Mondreti	42767fc4f4	fix types	2026-02-02 17:13:23 -08:00
Vikhyath Mondreti	5a0becf76f	fix integrations	2026-02-02 17:04:17 -08:00
Vikhyath Mondreti	f4a3c94f87	consolidate more code	2026-02-02 15:11:32 -08:00
Vikhyath Mondreti	9ec0c8f3f5	separate server and client logic	2026-02-02 15:00:53 -08:00
Vikhyath Mondreti	39ca1f61c7	more integrations	2026-02-02 01:08:38 -08:00
Vikhyath Mondreti	1da3407f41	progress on files	2026-02-01 11:14:32 -08:00
Vikhyath Mondreti	bea0a685ae	improvement(collab): do not refetch active workflow id	2026-01-31 18:50:14 -08:00