Fix

Checkpoint
2026-02-12 15:34:58 -05:00 · 2026-02-12 12:18:05 -08:00 · 2026-02-12 12:05:53 -08:00 · 2026-02-12 11:51:34 -08:00 · 2026-02-12 11:14:33 -08:00 · 2026-02-12 10:22:52 -08:00
107 changed files with 5585 additions and 17015 deletions
--- a/apps/docs/content/docs/de/keyboard-shortcuts/index.mdx
+++ b/apps/docs/content/docs/de/keyboard-shortcuts/index.mdx
@@ -41,9 +41,6 @@ Diese Tastenkombinationen wechseln zwischen den Panel-Tabs auf der rechten Seite
 | Tastenkombination | Aktion |
 |----------|--------|
 | `C` | Copilot-Tab fokussieren |
 | `T` | Toolbar-Tab fokussieren |
 | `E` | Editor-Tab fokussieren |
 | `Mod` + `F` | Toolbar-Suche fokussieren |
 ## Globale Navigation
--- a/apps/docs/content/docs/en/keyboard-shortcuts/index.mdx
+++ b/apps/docs/content/docs/en/keyboard-shortcuts/index.mdx
@@ -43,9 +43,6 @@ These shortcuts switch between panel tabs on the right side of the canvas.
 | Shortcut | Action |
 |----------|--------|
 | `C` | Focus Copilot tab |
 | `T` | Focus Toolbar tab |
 | `E` | Focus Editor tab |
 | `Mod` + `F` | Focus Toolbar search |
 ## Global Navigation
--- a/apps/docs/content/docs/en/tools/confluence.mdx
+++ b/apps/docs/content/docs/en/tools/confluence.mdx
@@ -399,6 +399,28 @@ Create a new custom property (metadata) on a Confluence page.
 |   ↳ `authorId` | string | Account ID of the version author |
 |   ↳ `createdAt` | string | ISO 8601 timestamp of version creation |
 ### `confluence_delete_page_property`
 Delete a content property from a Confluence page by its property ID.
 #### Input
 | Parameter | Type | Required | Description |
 | --------- | ---- | -------- | ----------- |
 | `domain` | string | Yes | Your Confluence domain \(e.g., yourcompany.atlassian.net\) |
 | `pageId` | string | Yes | The ID of the page containing the property |
 | `propertyId` | string | Yes | The ID of the property to delete |
 | `cloudId` | string | No | Confluence Cloud ID for the instance. If not provided, it will be fetched using the domain. |
 #### Output
 | Parameter | Type | Description |
 | --------- | ---- | ----------- |
 | `ts` | string | ISO 8601 timestamp of the operation |
 | `pageId` | string | ID of the page |
 | `propertyId` | string | ID of the deleted property |
 | `deleted` | boolean | Deletion status |
 ### `confluence_search`
 Search for content across Confluence pages, blog posts, and other content.
@@ -872,6 +894,90 @@ Add a label to a Confluence page for organization and categorization.
 | `labelName` | string | Name of the added label |
 | `labelId` | string | ID of the added label |
 ### `confluence_delete_label`
 Remove a label from a Confluence page.
 #### Input
 | Parameter | Type | Required | Description |
 | --------- | ---- | -------- | ----------- |
 | `domain` | string | Yes | Your Confluence domain \(e.g., yourcompany.atlassian.net\) |
 | `pageId` | string | Yes | Confluence page ID to remove the label from |
 | `labelName` | string | Yes | Name of the label to remove |
 | `cloudId` | string | No | Confluence Cloud ID for the instance. If not provided, it will be fetched using the domain. |
 #### Output
 | Parameter | Type | Description |
 | --------- | ---- | ----------- |
 | `ts` | string | ISO 8601 timestamp of the operation |
 | `pageId` | string | Page ID the label was removed from |
 | `labelName` | string | Name of the removed label |
 | `deleted` | boolean | Deletion status |
 ### `confluence_get_pages_by_label`
 Retrieve all pages that have a specific label applied.
 #### Input
 | Parameter | Type | Required | Description |
 | --------- | ---- | -------- | ----------- |
 | `domain` | string | Yes | Your Confluence domain \(e.g., yourcompany.atlassian.net\) |
 | `labelId` | string | Yes | The ID of the label to get pages for |
 | `limit` | number | No | Maximum number of pages to return \(default: 50, max: 250\) |
 | `cursor` | string | No | Pagination cursor from previous response |
 | `cloudId` | string | No | Confluence Cloud ID for the instance. If not provided, it will be fetched using the domain. |
 #### Output
 | Parameter | Type | Description |
 | --------- | ---- | ----------- |
 | `ts` | string | ISO 8601 timestamp of the operation |
 | `labelId` | string | ID of the label |
 | `pages` | array | Array of pages with this label |
 |   ↳ `id` | string | Unique page identifier |
 |   ↳ `title` | string | Page title |
 |   ↳ `status` | string | Page status \(e.g., current, archived, trashed, draft\) |
 |   ↳ `spaceId` | string | ID of the space containing the page |
 |   ↳ `parentId` | string | ID of the parent page \(null if top-level\) |
 |   ↳ `authorId` | string | Account ID of the page author |
 |   ↳ `createdAt` | string | ISO 8601 timestamp when the page was created |
 |   ↳ `version` | object | Page version information |
 |     ↳ `number` | number | Version number |
 |     ↳ `message` | string | Version message |
 |     ↳ `minorEdit` | boolean | Whether this is a minor edit |
 |     ↳ `authorId` | string | Account ID of the version author |
 |     ↳ `createdAt` | string | ISO 8601 timestamp of version creation |
 | `nextCursor` | string | Cursor for fetching the next page of results |
 ### `confluence_list_space_labels`
 List all labels associated with a Confluence space.
 #### Input
 | Parameter | Type | Required | Description |
 | --------- | ---- | -------- | ----------- |
 | `domain` | string | Yes | Your Confluence domain \(e.g., yourcompany.atlassian.net\) |
 | `spaceId` | string | Yes | The ID of the Confluence space to list labels from |
 | `limit` | number | No | Maximum number of labels to return \(default: 25, max: 250\) |
 | `cursor` | string | No | Pagination cursor from previous response |
 | `cloudId` | string | No | Confluence Cloud ID for the instance. If not provided, it will be fetched using the domain. |
 #### Output
 | Parameter | Type | Description |
 | --------- | ---- | ----------- |
 | `ts` | string | ISO 8601 timestamp of the operation |
 | `spaceId` | string | ID of the space |
 | `labels` | array | Array of labels on the space |
 |   ↳ `id` | string | Unique label identifier |
 |   ↳ `name` | string | Label name |
 |   ↳ `prefix` | string | Label prefix/type \(e.g., global, my, team\) |
 | `nextCursor` | string | Cursor for fetching the next page of results |
 ### `confluence_get_space`
 Get details about a specific Confluence space.
--- a/apps/docs/content/docs/es/keyboard-shortcuts/index.mdx
+++ b/apps/docs/content/docs/es/keyboard-shortcuts/index.mdx
@@ -42,9 +42,6 @@ Estos atajos cambian entre las pestañas del panel en el lado derecho del lienzo
 | Atajo | Acción |
 |----------|--------|
 | `C` | Enfocar pestaña Copilot |
 | `T` | Enfocar pestaña Barra de herramientas |
 | `E` | Enfocar pestaña Editor |
 | `Mod` + `F` | Enfocar búsqueda de Barra de herramientas |
 ## Navegación global
--- a/apps/docs/content/docs/fr/keyboard-shortcuts/index.mdx
+++ b/apps/docs/content/docs/fr/keyboard-shortcuts/index.mdx
@@ -42,9 +42,6 @@ Ces raccourcis permettent de basculer entre les onglets du panneau sur le côté
 | Raccourci | Action |
 |----------|--------|
 | `C` | Activer l'onglet Copilot |
 | `T` | Activer l'onglet Barre d'outils |
 | `E` | Activer l'onglet Éditeur |
 | `Mod` + `F` | Activer la recherche dans la barre d'outils |
 ## Navigation globale
--- a/apps/docs/content/docs/ja/keyboard-shortcuts/index.mdx
+++ b/apps/docs/content/docs/ja/keyboard-shortcuts/index.mdx
@@ -41,9 +41,6 @@ import { Callout } from 'fumadocs-ui/components/callout'
 | ショートカット | 操作 |
 |----------|--------|
 | `C` | Copilotタブにフォーカス |
 | `T` | Toolbarタブにフォーカス |
 | `E` | Editorタブにフォーカス |
 | `Mod` + `F` | Toolbar検索にフォーカス |
 ## グローバルナビゲーション
--- a/apps/docs/content/docs/zh/keyboard-shortcuts/index.mdx
+++ b/apps/docs/content/docs/zh/keyboard-shortcuts/index.mdx
@@ -41,9 +41,6 @@ import { Callout } from 'fumadocs-ui/components/callout'
 | 快捷键 | 操作 |
 |----------|--------|
 | `C` | 聚焦 Copilot 标签页 |
 | `T` | 聚焦 Toolbar 标签页 |
 | `E` | 聚焦 Editor 标签页 |
 | `Mod` + `F` | 聚焦 Toolbar 搜索 |
 ## 全局导航
--- a/apps/sim/app/api/auth/accounts/route.ts
+++ b/apps/sim/app/api/auth/accounts/route.ts
@@ -1,7 +1,7 @@
 import { db } from '@sim/db'
 import { account } from '@sim/db/schema'
 import { createLogger } from '@sim/logger'
-import { and, desc, eq } from 'drizzle-orm'
+import { and, eq } from 'drizzle-orm'
 import { type NextRequest, NextResponse } from 'next/server'
 import { getSession } from '@/lib/auth'
@@ -31,13 +31,15 @@ export async function GET(request: NextRequest) {
      })
      .from(account)
      .where(and(...whereConditions))
-      .orderBy(desc(account.updatedAt))
+
    // Use the user's email as the display name (consistent with credential selector)
    const userEmail = session.user.email
    const accountsWithDisplayName = accounts.map((acc) => ({
      id: acc.id,
      accountId: acc.accountId,
      providerId: acc.providerId,
-      displayName: acc.accountId || acc.providerId,
+      displayName: userEmail || acc.providerId,
    }))
    return NextResponse.json({ accounts: accountsWithDisplayName })
--- a/apps/sim/app/api/auth/oauth/credentials/route.ts
+++ b/apps/sim/app/api/auth/oauth/credentials/route.ts
@@ -1,5 +1,5 @@
 import { db } from '@sim/db'
-import { account, credential, credentialMember, user } from '@sim/db/schema'
+import { account, user } from '@sim/db/schema'
 import { createLogger } from '@sim/logger'
 import { and, eq } from 'drizzle-orm'
 import { jwtDecode } from 'jwt-decode'
@@ -7,10 +7,8 @@ import { type NextRequest, NextResponse } from 'next/server'
 import { z } from 'zod'
 import { checkSessionOrInternalAuth } from '@/lib/auth/hybrid'
 import { generateRequestId } from '@/lib/core/utils/request'
 import { syncWorkspaceOAuthCredentialsForUser } from '@/lib/credentials/oauth'
 import { evaluateScopeCoverage, type OAuthProvider, parseProvider } from '@/lib/oauth'
 import { authorizeWorkflowByWorkspacePermission } from '@/lib/workflows/utils'
 import { checkWorkspaceAccess } from '@/lib/workspaces/permissions/utils'
 export const dynamic = 'force-dynamic'
@@ -20,7 +18,6 @@ const credentialsQuerySchema = z
  .object({
    provider: z.string().nullish(),
    workflowId: z.string().uuid('Workflow ID must be a valid UUID').nullish(),
    workspaceId: z.string().uuid('Workspace ID must be a valid UUID').nullish(),
    credentialId: z
      .string()
      .min(1, 'Credential ID must not be empty')
@@ -38,79 +35,6 @@ interface GoogleIdToken {
  name?: string
 }
 function toCredentialResponse(
  id: string,
  displayName: string,
  providerId: string,
  updatedAt: Date,
  scope: string | null
 ) {
  const storedScope = scope?.trim()
  const grantedScopes = storedScope ? storedScope.split(/[\s,]+/).filter(Boolean) : []
  const scopeEvaluation = evaluateScopeCoverage(providerId, grantedScopes)
  const [_, featureType = 'default'] = providerId.split('-')
  return {
    id,
    name: displayName,
    provider: providerId,
    lastUsed: updatedAt.toISOString(),
    isDefault: featureType === 'default',
    scopes: scopeEvaluation.grantedScopes,
    canonicalScopes: scopeEvaluation.canonicalScopes,
    missingScopes: scopeEvaluation.missingScopes,
    extraScopes: scopeEvaluation.extraScopes,
    requiresReauthorization: scopeEvaluation.requiresReauthorization,
  }
 }
 async function getFallbackDisplayName(
  requestId: string,
  providerParam: string | null | undefined,
  accountRow: {
    idToken: string | null
    accountId: string
    userId: string
  }
 ) {
  const providerForParse = (providerParam || 'google') as OAuthProvider
  const { baseProvider } = parseProvider(providerForParse)
  if (accountRow.idToken) {
    try {
      const decoded = jwtDecode<GoogleIdToken>(accountRow.idToken)
      if (decoded.email) return decoded.email
      if (decoded.name) return decoded.name
    } catch (_error) {
      logger.warn(`[${requestId}] Error decoding ID token`, {
        accountId: accountRow.accountId,
      })
    }
  }
  if (baseProvider === 'github') {
    return `${accountRow.accountId} (GitHub)`
  }
  try {
    const userRecord = await db
      .select({ email: user.email })
      .from(user)
      .where(eq(user.id, accountRow.userId))
      .limit(1)
    if (userRecord.length > 0) {
      return userRecord[0].email
    }
  } catch (_error) {
    logger.warn(`[${requestId}] Error fetching user email`, {
      userId: accountRow.userId,
    })
  }
  return `${accountRow.accountId} (${baseProvider})`
 }
 /**
 * Get credentials for a specific provider
 */
@@ -122,7 +46,6 @@ export async function GET(request: NextRequest) {
    const rawQuery = {
      provider: searchParams.get('provider'),
      workflowId: searchParams.get('workflowId'),
      workspaceId: searchParams.get('workspaceId'),
      credentialId: searchParams.get('credentialId'),
    }
@@ -155,7 +78,7 @@ export async function GET(request: NextRequest) {
      )
    }
-    const { provider: providerParam, workflowId, workspaceId, credentialId } = parseResult.data
+    const { provider: providerParam, workflowId, credentialId } = parseResult.data
    // Authenticate requester (supports session and internal JWT)
    const authResult = await checkSessionOrInternalAuth(request)
@@ -165,7 +88,7 @@ export async function GET(request: NextRequest) {
    }
    const requesterUserId = authResult.userId
-    let effectiveWorkspaceId = workspaceId ?? undefined
+    const effectiveUserId = requesterUserId
    if (workflowId) {
      const workflowAuthorization = await authorizeWorkflowByWorkspacePermission({
        workflowId,
@@ -183,145 +106,101 @@ export async function GET(request: NextRequest) {
          { status: workflowAuthorization.status }
        )
      }
      effectiveWorkspaceId = workflowAuthorization.workflow?.workspaceId || undefined
    }
-    if (effectiveWorkspaceId) {
+    // Parse the provider to get base provider and feature type (if provider is present)
-      const workspaceAccess = await checkWorkspaceAccess(effectiveWorkspaceId, requesterUserId)
+    const { baseProvider } = parseProvider((providerParam || 'google') as OAuthProvider)
      if (!workspaceAccess.hasAccess) {
        return NextResponse.json({ error: 'Forbidden' }, { status: 403 })
      }
    }
    let accountsData
    if (credentialId) {
      const [platformCredential] = await db
        .select({
          id: credential.id,
          workspaceId: credential.workspaceId,
          type: credential.type,
          displayName: credential.displayName,
          providerId: credential.providerId,
          accountId: credential.accountId,
          accountProviderId: account.providerId,
          accountScope: account.scope,
          accountUpdatedAt: account.updatedAt,
        })
        .from(credential)
        .leftJoin(account, eq(credential.accountId, account.id))
        .where(eq(credential.id, credentialId))
        .limit(1)
      if (platformCredential) {
        if (platformCredential.type !== 'oauth' || !platformCredential.accountId) {
          return NextResponse.json({ credentials: [] }, { status: 200 })
        }
        if (workflowId) {
          if (!effectiveWorkspaceId || platformCredential.workspaceId !== effectiveWorkspaceId) {
            return NextResponse.json({ error: 'Forbidden' }, { status: 403 })
          }
        } else {
          const [membership] = await db
            .select({ id: credentialMember.id })
            .from(credentialMember)
            .where(
              and(
                eq(credentialMember.credentialId, platformCredential.id),
                eq(credentialMember.userId, requesterUserId),
                eq(credentialMember.status, 'active')
              )
            )
            .limit(1)
          if (!membership) {
            return NextResponse.json({ error: 'Forbidden' }, { status: 403 })
          }
        }
        if (!platformCredential.accountProviderId || !platformCredential.accountUpdatedAt) {
          return NextResponse.json({ credentials: [] }, { status: 200 })
        }
        return NextResponse.json(
          {
            credentials: [
              toCredentialResponse(
                platformCredential.id,
                platformCredential.displayName,
                platformCredential.accountProviderId,
                platformCredential.accountUpdatedAt,
                platformCredential.accountScope
              ),
            ],
          },
          { status: 200 }
        )
      }
    }
    if (effectiveWorkspaceId && providerParam) {
      await syncWorkspaceOAuthCredentialsForUser({
        workspaceId: effectiveWorkspaceId,
        userId: requesterUserId,
      })
      const credentialsData = await db
        .select({
          id: credential.id,
          displayName: credential.displayName,
          providerId: account.providerId,
          scope: account.scope,
          updatedAt: account.updatedAt,
        })
        .from(credential)
        .innerJoin(account, eq(credential.accountId, account.id))
        .innerJoin(
          credentialMember,
          and(
            eq(credentialMember.credentialId, credential.id),
            eq(credentialMember.userId, requesterUserId),
            eq(credentialMember.status, 'active')
          )
        )
        .where(
          and(
            eq(credential.workspaceId, effectiveWorkspaceId),
            eq(credential.type, 'oauth'),
            eq(account.providerId, providerParam)
          )
        )
      return NextResponse.json(
        {
          credentials: credentialsData.map((row) =>
            toCredentialResponse(row.id, row.displayName, row.providerId, row.updatedAt, row.scope)
          ),
        },
        { status: 200 }
      )
    }
    if (credentialId && workflowId) {
      // When both workflowId and credentialId are provided, fetch by ID only.
      // Workspace authorization above already proves access; the credential
      // may belong to another workspace member (e.g. for display name resolution).
      accountsData = await db.select().from(account).where(eq(account.id, credentialId))
    } else if (credentialId) {
      accountsData = await db
        .select()
        .from(account)
-        .where(and(eq(account.userId, requesterUserId), eq(account.id, credentialId)))
+        .where(and(eq(account.userId, effectiveUserId), eq(account.id, credentialId)))
    } else {
      // Fetch all credentials for provider and effective user
      accountsData = await db
        .select()
        .from(account)
-        .where(and(eq(account.userId, requesterUserId), eq(account.providerId, providerParam!)))
+        .where(and(eq(account.userId, effectiveUserId), eq(account.providerId, providerParam!)))
    }
    // Transform accounts into credentials
    const credentials = await Promise.all(
      accountsData.map(async (acc) => {
-        const displayName = await getFallbackDisplayName(requestId, providerParam, acc)
+        // Extract the feature type from providerId (e.g., 'google-default' -> 'default')
-        return toCredentialResponse(acc.id, displayName, acc.providerId, acc.updatedAt, acc.scope)
+        const [_, featureType = 'default'] = acc.providerId.split('-')
        // Try multiple methods to get a user-friendly display name
        let displayName = ''
        // Method 1: Try to extract email from ID token (works for Google, etc.)
        if (acc.idToken) {
          try {
            const decoded = jwtDecode<GoogleIdToken>(acc.idToken)
            if (decoded.email) {
              displayName = decoded.email
            } else if (decoded.name) {
              displayName = decoded.name
            }
          } catch (_error) {
            logger.warn(`[${requestId}] Error decoding ID token`, {
              accountId: acc.id,
            })
          }
        }
        // Method 2: For GitHub, the accountId might be the username
        if (!displayName && baseProvider === 'github') {
          displayName = `${acc.accountId} (GitHub)`
        }
        // Method 3: Try to get the user's email from our database
        if (!displayName) {
          try {
            const userRecord = await db
              .select({ email: user.email })
              .from(user)
              .where(eq(user.id, acc.userId))
              .limit(1)
            if (userRecord.length > 0) {
              displayName = userRecord[0].email
            }
          } catch (_error) {
            logger.warn(`[${requestId}] Error fetching user email`, {
              userId: acc.userId,
            })
          }
        }
        // Fallback: Use accountId with provider type as context
        if (!displayName) {
          displayName = `${acc.accountId} (${baseProvider})`
        }
        const storedScope = acc.scope?.trim()
        const grantedScopes = storedScope ? storedScope.split(/[\s,]+/).filter(Boolean) : []
        const scopeEvaluation = evaluateScopeCoverage(acc.providerId, grantedScopes)
        return {
          id: acc.id,
          name: displayName,
          provider: acc.providerId,
          lastUsed: acc.updatedAt.toISOString(),
          isDefault: featureType === 'default',
          scopes: scopeEvaluation.grantedScopes,
          canonicalScopes: scopeEvaluation.canonicalScopes,
          missingScopes: scopeEvaluation.missingScopes,
          extraScopes: scopeEvaluation.extraScopes,
          requiresReauthorization: scopeEvaluation.requiresReauthorization,
        }
      })
    )
--- a/apps/sim/app/api/auth/oauth/disconnect/route.ts
+++ b/apps/sim/app/api/auth/oauth/disconnect/route.ts
@@ -15,7 +15,6 @@ const logger = createLogger('OAuthDisconnectAPI')
 const disconnectSchema = z.object({
  provider: z.string({ required_error: 'Provider is required' }).min(1, 'Provider is required'),
  providerId: z.string().optional(),
  accountId: z.string().optional(),
 })
 /**
@@ -51,20 +50,15 @@ export async function POST(request: NextRequest) {
      )
    }
-    const { provider, providerId, accountId } = parseResult.data
+    const { provider, providerId } = parseResult.data
    logger.info(`[${requestId}] Processing OAuth disconnect request`, {
      provider,
      hasProviderId: !!providerId,
    })
-    // If a specific account row ID is provided, delete that exact account
+    // If a specific providerId is provided, delete only that account
-    if (accountId) {
+    if (providerId) {
      await db
        .delete(account)
        .where(and(eq(account.userId, session.user.id), eq(account.id, accountId)))
    } else if (providerId) {
      // If a specific providerId is provided, delete accounts for that provider ID
      await db
        .delete(account)
        .where(and(eq(account.userId, session.user.id), eq(account.providerId, providerId)))
--- a/apps/sim/app/api/auth/oauth/microsoft/file/route.ts
+++ b/apps/sim/app/api/auth/oauth/microsoft/file/route.ts
@@ -38,18 +38,13 @@ export async function GET(request: NextRequest) {
      return NextResponse.json({ error: authz.error || 'Unauthorized' }, { status })
    }
-    const resolvedCredentialId = authz.resolvedCredentialId || credentialId
+    const credential = await getCredential(requestId, credentialId, authz.credentialOwnerUserId)
    const credential = await getCredential(
      requestId,
      resolvedCredentialId,
      authz.credentialOwnerUserId
    )
    if (!credential) {
      return NextResponse.json({ error: 'Credential not found' }, { status: 404 })
    }
    const accessToken = await refreshAccessTokenIfNeeded(
-      resolvedCredentialId,
+      credentialId,
      authz.credentialOwnerUserId,
      requestId
    )
--- a/apps/sim/app/api/auth/oauth/microsoft/files/route.ts
+++ b/apps/sim/app/api/auth/oauth/microsoft/files/route.ts
@@ -37,19 +37,14 @@ export async function GET(request: NextRequest) {
      return NextResponse.json({ error: authz.error || 'Unauthorized' }, { status })
    }
-    const resolvedCredentialId = authz.resolvedCredentialId || credentialId
+    const credential = await getCredential(requestId, credentialId, authz.credentialOwnerUserId)
    const credential = await getCredential(
      requestId,
      resolvedCredentialId,
      authz.credentialOwnerUserId
    )
    if (!credential) {
      return NextResponse.json({ error: 'Credential not found' }, { status: 404 })
    }
    // Refresh access token if needed using the utility function
    const accessToken = await refreshAccessTokenIfNeeded(
-      resolvedCredentialId,
+      credentialId,
      authz.credentialOwnerUserId,
      requestId
    )
--- a/apps/sim/app/api/auth/oauth/token/route.ts
+++ b/apps/sim/app/api/auth/oauth/token/route.ts
@@ -119,23 +119,14 @@ export async function POST(request: NextRequest) {
      return NextResponse.json({ error: authz.error || 'Unauthorized' }, { status: 403 })
    }
-    const resolvedCredentialId = authz.resolvedCredentialId || credentialId
+    const credential = await getCredential(requestId, credentialId, authz.credentialOwnerUserId)
    const credential = await getCredential(
      requestId,
      resolvedCredentialId,
      authz.credentialOwnerUserId
    )
    if (!credential) {
      return NextResponse.json({ error: 'Credential not found' }, { status: 404 })
    }
    try {
-      const { accessToken } = await refreshTokenIfNeeded(
+      const { accessToken } = await refreshTokenIfNeeded(requestId, credential, credentialId)
        requestId,
        credential,
        resolvedCredentialId
      )
      let instanceUrl: string | undefined
      if (credential.providerId === 'salesforce' && credential.scope) {
@@ -195,20 +186,13 @@ export async function GET(request: NextRequest) {
    const { credentialId } = parseResult.data
-    const authz = await authorizeCredentialUse(request, {
+    // For GET requests, we only support session-based authentication
-      credentialId,
+    const auth = await checkSessionOrInternalAuth(request, { requireWorkflowId: false })
-      requireWorkflowIdForInternal: false,
+    if (!auth.success || auth.authType !== 'session' || !auth.userId) {
-    })
+      return NextResponse.json({ error: 'User not authenticated' }, { status: 401 })
    if (!authz.ok || authz.authType !== 'session' || !authz.credentialOwnerUserId) {
      return NextResponse.json({ error: authz.error || 'Unauthorized' }, { status: 403 })
    }
-    const resolvedCredentialId = authz.resolvedCredentialId || credentialId
+    const credential = await getCredential(requestId, credentialId, auth.userId)
    const credential = await getCredential(
      requestId,
      resolvedCredentialId,
      authz.credentialOwnerUserId
    )
    if (!credential) {
      return NextResponse.json({ error: 'Credential not found' }, { status: 404 })
@@ -220,11 +204,7 @@ export async function GET(request: NextRequest) {
    }
    try {
-      const { accessToken } = await refreshTokenIfNeeded(
+      const { accessToken } = await refreshTokenIfNeeded(requestId, credential, credentialId)
        requestId,
        credential,
        resolvedCredentialId
      )
      // For Salesforce, extract instanceUrl from the scope field
      let instanceUrl: string | undefined
--- a/apps/sim/app/api/auth/oauth/utils.test.ts
+++ b/apps/sim/app/api/auth/oauth/utils.test.ts
@@ -50,7 +50,7 @@ describe('OAuth Utils', () => {
  describe('getCredential', () => {
    it('should return credential when found', async () => {
      const mockCredential = { id: 'credential-id', userId: 'test-user-id' }
-      mockDbTyped.limit.mockReturnValueOnce([]).mockReturnValueOnce([mockCredential])
+      mockDbTyped.limit.mockReturnValueOnce([mockCredential])
      const credential = await getCredential('request-id', 'credential-id', 'test-user-id')
@@ -59,8 +59,7 @@ describe('OAuth Utils', () => {
      expect(mockDbTyped.where).toHaveBeenCalled()
      expect(mockDbTyped.limit).toHaveBeenCalledWith(1)
-      expect(credential).toMatchObject(mockCredential)
+      expect(credential).toEqual(mockCredential)
      expect(credential).toMatchObject({ resolvedCredentialId: 'credential-id' })
    })
    it('should return undefined when credential is not found', async () => {
@@ -153,7 +152,7 @@ describe('OAuth Utils', () => {
        providerId: 'google',
        userId: 'test-user-id',
      }
-      mockDbTyped.limit.mockReturnValueOnce([]).mockReturnValueOnce([mockCredential])
+      mockDbTyped.limit.mockReturnValueOnce([mockCredential])
      const token = await refreshAccessTokenIfNeeded('credential-id', 'test-user-id', 'request-id')
@@ -170,7 +169,7 @@ describe('OAuth Utils', () => {
        providerId: 'google',
        userId: 'test-user-id',
      }
-      mockDbTyped.limit.mockReturnValueOnce([]).mockReturnValueOnce([mockCredential])
+      mockDbTyped.limit.mockReturnValueOnce([mockCredential])
      mockRefreshOAuthToken.mockResolvedValueOnce({
        accessToken: 'new-token',
@@ -203,7 +202,7 @@ describe('OAuth Utils', () => {
        providerId: 'google',
        userId: 'test-user-id',
      }
-      mockDbTyped.limit.mockReturnValueOnce([]).mockReturnValueOnce([mockCredential])
+      mockDbTyped.limit.mockReturnValueOnce([mockCredential])
      mockRefreshOAuthToken.mockResolvedValueOnce(null)
--- a/apps/sim/app/api/auth/oauth/utils.ts
+++ b/apps/sim/app/api/auth/oauth/utils.ts
@@ -1,5 +1,5 @@
 import { db } from '@sim/db'
-import { account, credential, credentialSetMember } from '@sim/db/schema'
+import { account, credentialSetMember } from '@sim/db/schema'
 import { createLogger } from '@sim/logger'
 import { and, desc, eq, inArray } from 'drizzle-orm'
 import { refreshOAuthToken } from '@/lib/oauth'
@@ -25,28 +25,6 @@ interface AccountInsertData {
  accessTokenExpiresAt?: Date
 }
 async function resolveOAuthAccountId(
  credentialId: string
 ): Promise<{ accountId: string; usedCredentialTable: boolean } | null> {
  const [credentialRow] = await db
    .select({
      type: credential.type,
      accountId: credential.accountId,
    })
    .from(credential)
    .where(eq(credential.id, credentialId))
    .limit(1)
  if (credentialRow) {
    if (credentialRow.type !== 'oauth' || !credentialRow.accountId) {
      return null
    }
    return { accountId: credentialRow.accountId, usedCredentialTable: true }
  }
  return { accountId: credentialId, usedCredentialTable: false }
 }
 /**
 * Safely inserts an account record, handling duplicate constraint violations gracefully.
 * If a duplicate is detected (unique constraint violation), logs a warning and returns success.
@@ -74,16 +52,10 @@ export async function safeAccountInsert(
 * Get a credential by ID and verify it belongs to the user
 */
 export async function getCredential(requestId: string, credentialId: string, userId: string) {
  const resolved = await resolveOAuthAccountId(credentialId)
  if (!resolved) {
    logger.warn(`[${requestId}] Credential is not an OAuth credential`)
    return undefined
  }
  const credentials = await db
    .select()
    .from(account)
-    .where(and(eq(account.id, resolved.accountId), eq(account.userId, userId)))
+    .where(and(eq(account.id, credentialId), eq(account.userId, userId)))
    .limit(1)
  if (!credentials.length) {
@@ -91,10 +63,7 @@ export async function getCredential(requestId: string, credentialId: string, use
    return undefined
  }
-  return {
+  return credentials[0]
    ...credentials[0],
    resolvedCredentialId: resolved.accountId,
  }
 }
 export async function getOAuthToken(userId: string, providerId: string): Promise<string | null> {
@@ -269,9 +238,7 @@ export async function refreshAccessTokenIfNeeded(
      }
      // Update the token in the database
-      const resolvedCredentialId =
+      await db.update(account).set(updateData).where(eq(account.id, credentialId))
        (credential as { resolvedCredentialId?: string }).resolvedCredentialId ?? credentialId
      await db.update(account).set(updateData).where(eq(account.id, resolvedCredentialId))
      logger.info(`[${requestId}] Successfully refreshed access token for credential`)
      return refreshedToken.accessToken
@@ -307,8 +274,6 @@ export async function refreshTokenIfNeeded(
  credential: any,
  credentialId: string
 ): Promise<{ accessToken: string; refreshed: boolean }> {
  const resolvedCredentialId = credential.resolvedCredentialId ?? credentialId
  // Decide if we should refresh: token missing OR expired
  const accessTokenExpiresAt = credential.accessTokenExpiresAt
  const refreshTokenExpiresAt = credential.refreshTokenExpiresAt
@@ -369,7 +334,7 @@ export async function refreshTokenIfNeeded(
      updateData.refreshTokenExpiresAt = getMicrosoftRefreshTokenExpiry()
    }
-    await db.update(account).set(updateData).where(eq(account.id, resolvedCredentialId))
+    await db.update(account).set(updateData).where(eq(account.id, credentialId))
    logger.info(`[${requestId}] Successfully refreshed access token`)
    return { accessToken: refreshedToken, refreshed: true }
@@ -378,7 +343,7 @@ export async function refreshTokenIfNeeded(
      `[${requestId}] Refresh attempt failed, checking if another concurrent request succeeded`
    )
-    const freshCredential = await getCredential(requestId, resolvedCredentialId, credential.userId)
+    const freshCredential = await getCredential(requestId, credentialId, credential.userId)
    if (freshCredential?.accessToken) {
      const freshExpiresAt = freshCredential.accessTokenExpiresAt
      const stillValid = !freshExpiresAt || freshExpiresAt > new Date()
--- a/apps/sim/app/api/auth/oauth2/shopify/store/route.ts
+++ b/apps/sim/app/api/auth/oauth2/shopify/store/route.ts
@@ -48,21 +48,16 @@ export async function GET(request: NextRequest) {
    const shopData = await shopResponse.json()
    const shopInfo = shopData.shop
    const stableAccountId = shopInfo.id?.toString() || shopDomain
    const existing = await db.query.account.findFirst({
-      where: and(
+      where: and(eq(account.userId, session.user.id), eq(account.providerId, 'shopify')),
        eq(account.userId, session.user.id),
        eq(account.providerId, 'shopify'),
        eq(account.accountId, stableAccountId)
      ),
    })
    const now = new Date()
    const accountData = {
      accessToken: accessToken,
-      accountId: stableAccountId,
+      accountId: shopInfo.id?.toString() || shopDomain,
      scope: scope || '',
      updatedAt: now,
      idToken: shopDomain,
--- a/apps/sim/app/api/auth/trello/store/route.ts
+++ b/apps/sim/app/api/auth/trello/store/route.ts
@@ -52,11 +52,7 @@ export async function POST(request: NextRequest) {
    const trelloUser = await userResponse.json()
    const existing = await db.query.account.findFirst({
-      where: and(
+      where: and(eq(account.userId, session.user.id), eq(account.providerId, 'trello')),
        eq(account.userId, session.user.id),
        eq(account.providerId, 'trello'),
        eq(account.accountId, trelloUser.id)
      ),
    })
    const now = new Date()
--- a/apps/sim/app/api/copilot/auto-allowed-tools/route.ts
+++ b/apps/sim/app/api/copilot/auto-allowed-tools/route.ts
@@ -1,145 +1,81 @@
 import { db } from '@sim/db'
 import { settings } from '@sim/db/schema'
 import { createLogger } from '@sim/logger'
 import { eq } from 'drizzle-orm'
 import { type NextRequest, NextResponse } from 'next/server'
-import { getSession } from '@/lib/auth'
+import { SIM_AGENT_API_URL } from '@/lib/copilot/constants'
 import { authenticateCopilotRequestSessionOnly } from '@/lib/copilot/request-helpers'
 import { env } from '@/lib/core/config/env'
 const logger = createLogger('CopilotAutoAllowedToolsAPI')
-/**
+function copilotHeaders(): HeadersInit {
- * GET - Fetch user's auto-allowed integration tools
+  const headers: Record<string, string> = {
- */
+    'Content-Type': 'application/json',
 export async function GET() {
  try {
    const session = await getSession()
    if (!session?.user?.id) {
      return NextResponse.json({ error: 'Unauthorized' }, { status: 401 })
    }
    const userId = session.user.id
    const [userSettings] = await db
      .select()
      .from(settings)
      .where(eq(settings.userId, userId))
      .limit(1)
    if (userSettings) {
      const autoAllowedTools = (userSettings.copilotAutoAllowedTools as string[]) || []
      return NextResponse.json({ autoAllowedTools })
    }
    await db.insert(settings).values({
      id: userId,
      userId,
      copilotAutoAllowedTools: [],
    })
    return NextResponse.json({ autoAllowedTools: [] })
  } catch (error) {
    logger.error('Failed to fetch auto-allowed tools', { error })
    return NextResponse.json({ error: 'Internal server error' }, { status: 500 })
  }
  if (env.COPILOT_API_KEY) {
    headers['x-api-key'] = env.COPILOT_API_KEY
  }
  return headers
 }
 /**
 * POST - Add a tool to the auto-allowed list
 */
 export async function POST(request: NextRequest) {
  try {
    const session = await getSession()
    if (!session?.user?.id) {
      return NextResponse.json({ error: 'Unauthorized' }, { status: 401 })
    }
    const userId = session.user.id
    const body = await request.json()
    if (!body.toolId || typeof body.toolId !== 'string') {
      return NextResponse.json({ error: 'toolId must be a string' }, { status: 400 })
    }
    const toolId = body.toolId
    const [existing] = await db.select().from(settings).where(eq(settings.userId, userId)).limit(1)
    if (existing) {
      const currentTools = (existing.copilotAutoAllowedTools as string[]) || []
      if (!currentTools.includes(toolId)) {
        const updatedTools = [...currentTools, toolId]
        await db
          .update(settings)
          .set({
            copilotAutoAllowedTools: updatedTools,
            updatedAt: new Date(),
          })
          .where(eq(settings.userId, userId))
        logger.info('Added tool to auto-allowed list', { userId, toolId })
        return NextResponse.json({ success: true, autoAllowedTools: updatedTools })
      }
      return NextResponse.json({ success: true, autoAllowedTools: currentTools })
    }
    await db.insert(settings).values({
      id: userId,
      userId,
      copilotAutoAllowedTools: [toolId],
    })
    logger.info('Created settings and added tool to auto-allowed list', { userId, toolId })
    return NextResponse.json({ success: true, autoAllowedTools: [toolId] })
  } catch (error) {
    logger.error('Failed to add auto-allowed tool', { error })
    return NextResponse.json({ error: 'Internal server error' }, { status: 500 })
  }
 }
 /**
 * DELETE - Remove a tool from the auto-allowed list
 */
 export async function DELETE(request: NextRequest) {
  const { userId, isAuthenticated } = await authenticateCopilotRequestSessionOnly()
  if (!isAuthenticated || !userId) {
    return NextResponse.json({ error: 'Unauthorized' }, { status: 401 })
  }
  const toolIdFromQuery = new URL(request.url).searchParams.get('toolId') || undefined
  const toolIdFromBody = await request
    .json()
    .then((body) => (typeof body?.toolId === 'string' ? body.toolId : undefined))
    .catch(() => undefined)
  const toolId = toolIdFromBody || toolIdFromQuery
  if (!toolId) {
    return NextResponse.json({ error: 'toolId is required' }, { status: 400 })
  }
  try {
-    const session = await getSession()
+    const res = await fetch(`${SIM_AGENT_API_URL}/api/tool-preferences/auto-allowed`, {
      method: 'DELETE',
      headers: copilotHeaders(),
      body: JSON.stringify({
        userId,
        toolId,
      }),
    })
-    if (!session?.user?.id) {
+    const payload = await res.json().catch(() => ({}))
-      return NextResponse.json({ error: 'Unauthorized' }, { status: 401 })
+    if (!res.ok) {
      logger.warn('Failed to remove auto-allowed tool via copilot backend', {
        status: res.status,
        userId,
        toolId,
      })
      return NextResponse.json(
        {
          success: false,
          error: payload?.error || 'Failed to remove auto-allowed tool',
          autoAllowedTools: [],
        },
        { status: res.status }
      )
    }
-    const userId = session.user.id
+    return NextResponse.json({
-    const { searchParams } = new URL(request.url)
+      success: true,
-    const toolId = searchParams.get('toolId')
+      autoAllowedTools: Array.isArray(payload?.autoAllowedTools) ? payload.autoAllowedTools : [],
-
+    })
    if (!toolId) {
      return NextResponse.json({ error: 'toolId query parameter is required' }, { status: 400 })
    }
    const [existing] = await db.select().from(settings).where(eq(settings.userId, userId)).limit(1)
    if (existing) {
      const currentTools = (existing.copilotAutoAllowedTools as string[]) || []
      const updatedTools = currentTools.filter((t) => t !== toolId)
      await db
        .update(settings)
        .set({
          copilotAutoAllowedTools: updatedTools,
          updatedAt: new Date(),
        })
        .where(eq(settings.userId, userId))
      logger.info('Removed tool from auto-allowed list', { userId, toolId })
      return NextResponse.json({ success: true, autoAllowedTools: updatedTools })
    }
    return NextResponse.json({ success: true, autoAllowedTools: [] })
  } catch (error) {
-    logger.error('Failed to remove auto-allowed tool', { error })
+    logger.error('Error removing auto-allowed tool', {
-    return NextResponse.json({ error: 'Internal server error' }, { status: 500 })
+      userId,
      toolId,
      error: error instanceof Error ? error.message : String(error),
    })
    return NextResponse.json(
      {
        success: false,
        error: 'Failed to remove auto-allowed tool',
        autoAllowedTools: [],
      },
      { status: 500 }
    )
  }
 }
--- a/apps/sim/app/api/copilot/chat/route.ts
+++ b/apps/sim/app/api/copilot/chat/route.ts
@@ -28,13 +28,24 @@ import { resolveWorkflowIdForUser } from '@/lib/workflows/utils'
 const logger = createLogger('CopilotChatAPI')
 function truncateForLog(value: string, maxLength = 120): string {
  if (!value || maxLength <= 0) return ''
  return value.length <= maxLength ? value : `${value.slice(0, maxLength)}...`
 }
 async function requestChatTitleFromCopilot(params: {
  message: string
  model: string
  provider?: string
 }): Promise<string | null> {
  const { message, model, provider } = params
-  if (!message || !model) return null
+  if (!message || !model) {
    logger.warn('Skipping chat title request because message/model is missing', {
      hasMessage: !!message,
      hasModel: !!model,
    })
    return null
  }
  const headers: Record<string, string> = {
    'Content-Type': 'application/json',
@@ -44,6 +55,13 @@ async function requestChatTitleFromCopilot(params: {
  }
  try {
    logger.info('Requesting chat title from copilot backend', {
      model,
      provider: provider || null,
      messageLength: message.length,
      messagePreview: truncateForLog(message),
    })
    const response = await fetch(`${SIM_AGENT_API_URL}/api/generate-chat-title`, {
      method: 'POST',
      headers,
@@ -63,10 +81,32 @@ async function requestChatTitleFromCopilot(params: {
      return null
    }
-    const title = typeof payload?.title === 'string' ? payload.title.trim() : ''
+    const rawTitle = typeof payload?.title === 'string' ? payload.title : ''
    const title = rawTitle.trim()
    logger.info('Received chat title response from copilot backend', {
      status: response.status,
      hasRawTitle: !!rawTitle,
      rawTitle,
      normalizedTitle: title,
      messagePreview: truncateForLog(message),
    })
    if (!title) {
      logger.warn('Copilot backend returned empty chat title', {
        payload,
        model,
        provider: provider || null,
      })
    }
    return title || null
  } catch (error) {
-    logger.error('Error generating chat title:', error)
+    logger.error('Error generating chat title:', {
      error,
      model,
      provider: provider || null,
      messagePreview: truncateForLog(message),
    })
    return null
  }
 }
@@ -113,6 +153,7 @@ const ChatMessageSchema = z.object({
        workflowId: z.string().optional(),
        knowledgeId: z.string().optional(),
        blockId: z.string().optional(),
        blockIds: z.array(z.string()).optional(),
        templateId: z.string().optional(),
        executionId: z.string().optional(),
        // For workflow_block, provide both workflowId and blockId
@@ -159,6 +200,20 @@ export async function POST(req: NextRequest) {
      commands,
    } = ChatMessageSchema.parse(body)
    const normalizedContexts = Array.isArray(contexts)
      ? contexts.map((ctx) => {
          if (ctx.kind !== 'blocks') return ctx
          if (Array.isArray(ctx.blockIds) && ctx.blockIds.length > 0) return ctx
          if (ctx.blockId) {
            return {
              ...ctx,
              blockIds: [ctx.blockId],
            }
          }
          return ctx
        })
      : contexts
    // Resolve workflowId - if not provided, use first workflow or find by name
    const resolved = await resolveWorkflowIdForUser(
      authenticatedUserId,
@@ -176,10 +231,10 @@ export async function POST(req: NextRequest) {
    const userMessageIdToUse = userMessageId || crypto.randomUUID()
    try {
      logger.info(`[${tracker.requestId}] Received chat POST`, {
-        hasContexts: Array.isArray(contexts),
+        hasContexts: Array.isArray(normalizedContexts),
-        contextsCount: Array.isArray(contexts) ? contexts.length : 0,
+        contextsCount: Array.isArray(normalizedContexts) ? normalizedContexts.length : 0,
-        contextsPreview: Array.isArray(contexts)
+        contextsPreview: Array.isArray(normalizedContexts)
-          ? contexts.map((c: any) => ({
+          ? normalizedContexts.map((c: any) => ({
              kind: c?.kind,
              chatId: c?.chatId,
              workflowId: c?.workflowId,
@@ -191,17 +246,25 @@ export async function POST(req: NextRequest) {
    } catch {}
    // Preprocess contexts server-side
    let agentContexts: Array<{ type: string; content: string }> = []
-    if (Array.isArray(contexts) && contexts.length > 0) {
+    if (Array.isArray(normalizedContexts) && normalizedContexts.length > 0) {
      try {
        const { processContextsServer } = await import('@/lib/copilot/process-contents')
-        const processed = await processContextsServer(contexts as any, authenticatedUserId, message)
+        const processed = await processContextsServer(
          normalizedContexts as any,
          authenticatedUserId,
          message
        )
        agentContexts = processed
        logger.info(`[${tracker.requestId}] Contexts processed for request`, {
          processedCount: agentContexts.length,
          kinds: agentContexts.map((c) => c.type),
          lengthPreview: agentContexts.map((c) => c.content?.length ?? 0),
        })
-        if (Array.isArray(contexts) && contexts.length > 0 && agentContexts.length === 0) {
+        if (
          Array.isArray(normalizedContexts) &&
          normalizedContexts.length > 0 &&
          agentContexts.length === 0
        ) {
          logger.warn(
            `[${tracker.requestId}] Contexts provided but none processed. Check executionId for logs contexts.`
          )
@@ -215,6 +278,7 @@ export async function POST(req: NextRequest) {
    let currentChat: any = null
    let conversationHistory: any[] = []
    let actualChatId = chatId
    let chatWasCreatedForRequest = false
    const selectedModel = model || 'claude-opus-4-6'
    if (chatId || createNewChat) {
@@ -226,6 +290,7 @@ export async function POST(req: NextRequest) {
      })
      currentChat = chatResult.chat
      actualChatId = chatResult.chatId || chatId
      chatWasCreatedForRequest = chatResult.isNew
      const history = buildConversationHistory(
        chatResult.conversationHistory,
        (chatResult.chat?.conversationId as string | undefined) || conversationId
@@ -233,6 +298,18 @@ export async function POST(req: NextRequest) {
      conversationHistory = history.history
    }
    const shouldGenerateTitleForRequest =
      !!actualChatId &&
      chatWasCreatedForRequest &&
      !currentChat?.title &&
      conversationHistory.length === 0
    const titleGenerationParams = {
      message,
      model: selectedModel,
      provider,
    }
    const effectiveMode = mode === 'agent' ? 'build' : mode
    const effectiveConversationId =
      (currentChat?.conversationId as string | undefined) || conversationId
@@ -246,11 +323,13 @@ export async function POST(req: NextRequest) {
        mode,
        model: selectedModel,
        provider,
        conversationId: effectiveConversationId,
        conversationHistory,
        contexts: agentContexts,
        fileAttachments,
        commands,
        chatId: actualChatId,
        prefetch,
        implicitFeedback,
      },
      {
@@ -323,10 +402,22 @@ export async function POST(req: NextRequest) {
            await pushEvent({ type: 'chat_id', chatId: actualChatId })
          }
-          if (actualChatId && !currentChat?.title && conversationHistory.length === 0) {
+          if (shouldGenerateTitleForRequest) {
-            requestChatTitleFromCopilot({ message, model: selectedModel, provider })
+            logger.info(`[${tracker.requestId}] Starting title generation for streaming response`, {
              chatId: actualChatId,
              model: titleGenerationParams.model,
              provider: provider || null,
              messageLength: message.length,
              messagePreview: truncateForLog(message),
              chatWasCreatedForRequest,
            })
            requestChatTitleFromCopilot(titleGenerationParams)
              .then(async (title) => {
                if (title) {
                  logger.info(`[${tracker.requestId}] Generated title for streaming response`, {
                    chatId: actualChatId,
                    title,
                  })
                  await db
                    .update(copilotChats)
                    .set({
@@ -334,12 +425,30 @@ export async function POST(req: NextRequest) {
                      updatedAt: new Date(),
                    })
                    .where(eq(copilotChats.id, actualChatId!))
-                  await pushEvent({ type: 'title_updated', title })
+                  await pushEvent({ type: 'title_updated', title, chatId: actualChatId })
                  logger.info(`[${tracker.requestId}] Emitted title_updated SSE event`, {
                    chatId: actualChatId,
                    title,
                  })
                } else {
                  logger.warn(`[${tracker.requestId}] No title returned for streaming response`, {
                    chatId: actualChatId,
                    model: selectedModel,
                  })
                }
              })
              .catch((error) => {
                logger.error(`[${tracker.requestId}] Title generation failed:`, error)
              })
          } else if (actualChatId && !chatWasCreatedForRequest) {
            logger.info(
              `[${tracker.requestId}] Skipping title generation because chat already exists`,
              {
                chatId: actualChatId,
                model: titleGenerationParams.model,
                provider: provider || null,
              }
            )
          }
          try {
@@ -432,10 +541,15 @@ export async function POST(req: NextRequest) {
        content: message,
        timestamp: new Date().toISOString(),
        ...(fileAttachments && fileAttachments.length > 0 && { fileAttachments }),
-        ...(Array.isArray(contexts) && contexts.length > 0 && { contexts }),
+        ...(Array.isArray(normalizedContexts) &&
-        ...(Array.isArray(contexts) &&
+          normalizedContexts.length > 0 && {
-          contexts.length > 0 && {
+            contexts: normalizedContexts,
-            contentBlocks: [{ type: 'contexts', contexts: contexts as any, timestamp: Date.now() }],
+          }),
        ...(Array.isArray(normalizedContexts) &&
          normalizedContexts.length > 0 && {
            contentBlocks: [
              { type: 'contexts', contexts: normalizedContexts as any, timestamp: Date.now() },
            ],
          }),
      }
@@ -449,9 +563,9 @@ export async function POST(req: NextRequest) {
      const updatedMessages = [...conversationHistory, userMessage, assistantMessage]
      // Start title generation in parallel if this is first message (non-streaming)
-      if (actualChatId && !currentChat.title && conversationHistory.length === 0) {
+      if (shouldGenerateTitleForRequest) {
        logger.info(`[${tracker.requestId}] Starting title generation for non-streaming response`)
-        requestChatTitleFromCopilot({ message, model: selectedModel, provider })
+        requestChatTitleFromCopilot(titleGenerationParams)
          .then(async (title) => {
            if (title) {
              await db
@@ -462,11 +576,22 @@ export async function POST(req: NextRequest) {
                })
                .where(eq(copilotChats.id, actualChatId!))
              logger.info(`[${tracker.requestId}] Generated and saved title: ${title}`)
            } else {
              logger.warn(`[${tracker.requestId}] No title returned for non-streaming response`, {
                chatId: actualChatId,
                model: selectedModel,
              })
            }
          })
          .catch((error) => {
            logger.error(`[${tracker.requestId}] Title generation failed:`, error)
          })
      } else if (actualChatId && !chatWasCreatedForRequest) {
        logger.info(`[${tracker.requestId}] Skipping title generation because chat already exists`, {
          chatId: actualChatId,
          model: titleGenerationParams.model,
          provider: provider || null,
        })
      }
      // Update chat in database immediately (without blocking for title)
--- a/apps/sim/app/api/copilot/confirm/route.ts
+++ b/apps/sim/app/api/copilot/confirm/route.ts
@@ -1,7 +1,11 @@
 import { createLogger } from '@sim/logger'
 import { type NextRequest, NextResponse } from 'next/server'
 import { z } from 'zod'
-import { REDIS_TOOL_CALL_PREFIX, REDIS_TOOL_CALL_TTL_SECONDS } from '@/lib/copilot/constants'
+import {
  REDIS_TOOL_CALL_PREFIX,
  REDIS_TOOL_CALL_TTL_SECONDS,
  SIM_AGENT_API_URL,
 } from '@/lib/copilot/constants'
 import {
  authenticateCopilotRequestSessionOnly,
  createBadRequestResponse,
@@ -10,6 +14,7 @@ import {
  createUnauthorizedResponse,
  type NotificationStatus,
 } from '@/lib/copilot/request-helpers'
 import { env } from '@/lib/core/config/env'
 import { getRedisClient } from '@/lib/core/config/redis'
 const logger = createLogger('CopilotConfirmAPI')
@@ -21,6 +26,8 @@ const ConfirmationSchema = z.object({
    errorMap: () => ({ message: 'Invalid notification status' }),
  }),
  message: z.string().optional(), // Optional message for background moves or additional context
  toolName: z.string().optional(),
  remember: z.boolean().optional(),
 })
 /**
@@ -57,6 +64,44 @@ async function updateToolCallStatus(
  }
 }
 async function saveAutoAllowedToolPreference(userId: string, toolName: string): Promise<boolean> {
  const headers: Record<string, string> = {
    'Content-Type': 'application/json',
  }
  if (env.COPILOT_API_KEY) {
    headers['x-api-key'] = env.COPILOT_API_KEY
  }
  try {
    const response = await fetch(`${SIM_AGENT_API_URL}/api/tool-preferences/auto-allowed`, {
      method: 'POST',
      headers,
      body: JSON.stringify({
        userId,
        toolId: toolName,
      }),
    })
    if (!response.ok) {
      logger.warn('Failed to persist auto-allowed tool preference', {
        userId,
        toolName,
        status: response.status,
      })
      return false
    }
    return true
  } catch (error) {
    logger.error('Error persisting auto-allowed tool preference', {
      userId,
      toolName,
      error: error instanceof Error ? error.message : String(error),
    })
    return false
  }
 }
 /**
 * POST /api/copilot/confirm
 * Update tool call status (Accept/Reject)
@@ -74,7 +119,7 @@ export async function POST(req: NextRequest) {
    }
    const body = await req.json()
-    const { toolCallId, status, message } = ConfirmationSchema.parse(body)
+    const { toolCallId, status, message, toolName, remember } = ConfirmationSchema.parse(body)
    // Update the tool call status in Redis
    const updated = await updateToolCallStatus(toolCallId, status, message)
@@ -90,14 +135,22 @@ export async function POST(req: NextRequest) {
      return createBadRequestResponse('Failed to update tool call status or tool call not found')
    }
-    const duration = tracker.getDuration()
+    let rememberSaved = false
    if (status === 'accepted' && remember === true && toolName && authenticatedUserId) {
      rememberSaved = await saveAutoAllowedToolPreference(authenticatedUserId, toolName)
    }
-    return NextResponse.json({
+    const response: Record<string, unknown> = {
      success: true,
      message: message || `Tool call ${toolCallId} has been ${status.toLowerCase()}`,
      toolCallId,
      status,
-    })
+    }
    if (remember === true) {
      response.rememberSaved = rememberSaved
    }
    return NextResponse.json(response)
  } catch (error) {
    const duration = tracker.getDuration()
--- a/apps/sim/app/api/credentials/[id]/members/route.ts
+++ b/apps/sim/app/api/credentials/[id]/members/route.ts
@@ -1,194 +0,0 @@
 import { db } from '@sim/db'
 import { credential, credentialMember, user } from '@sim/db/schema'
 import { createLogger } from '@sim/logger'
 import { and, eq } from 'drizzle-orm'
 import { type NextRequest, NextResponse } from 'next/server'
 import { z } from 'zod'
 import { getSession } from '@/lib/auth'
 const logger = createLogger('CredentialMembersAPI')
 interface RouteContext {
  params: Promise<{ id: string }>
 }
 async function requireAdminMembership(credentialId: string, userId: string) {
  const [membership] = await db
    .select({ role: credentialMember.role, status: credentialMember.status })
    .from(credentialMember)
    .where(
      and(eq(credentialMember.credentialId, credentialId), eq(credentialMember.userId, userId))
    )
    .limit(1)
  if (!membership || membership.status !== 'active' || membership.role !== 'admin') {
    return null
  }
  return membership
 }
 export async function GET(_request: NextRequest, context: RouteContext) {
  try {
    const session = await getSession()
    if (!session?.user?.id) {
      return NextResponse.json({ error: 'Unauthorized' }, { status: 401 })
    }
    const { id: credentialId } = await context.params
    const [cred] = await db
      .select({ id: credential.id })
      .from(credential)
      .where(eq(credential.id, credentialId))
      .limit(1)
    if (!cred) {
      return NextResponse.json({ members: [] }, { status: 200 })
    }
    const members = await db
      .select({
        id: credentialMember.id,
        userId: credentialMember.userId,
        role: credentialMember.role,
        status: credentialMember.status,
        joinedAt: credentialMember.joinedAt,
        userName: user.name,
        userEmail: user.email,
      })
      .from(credentialMember)
      .innerJoin(user, eq(credentialMember.userId, user.id))
      .where(eq(credentialMember.credentialId, credentialId))
    return NextResponse.json({ members })
  } catch (error) {
    logger.error('Failed to fetch credential members', { error })
    return NextResponse.json({ error: 'Internal server error' }, { status: 500 })
  }
 }
 const addMemberSchema = z.object({
  userId: z.string().min(1),
  role: z.enum(['admin', 'member']).default('member'),
 })
 export async function POST(request: NextRequest, context: RouteContext) {
  try {
    const session = await getSession()
    if (!session?.user?.id) {
      return NextResponse.json({ error: 'Unauthorized' }, { status: 401 })
    }
    const { id: credentialId } = await context.params
    const admin = await requireAdminMembership(credentialId, session.user.id)
    if (!admin) {
      return NextResponse.json({ error: 'Admin access required' }, { status: 403 })
    }
    const body = await request.json()
    const parsed = addMemberSchema.safeParse(body)
    if (!parsed.success) {
      return NextResponse.json({ error: 'Invalid request body' }, { status: 400 })
    }
    const { userId, role } = parsed.data
    const now = new Date()
    const [existing] = await db
      .select({ id: credentialMember.id, status: credentialMember.status })
      .from(credentialMember)
      .where(
        and(eq(credentialMember.credentialId, credentialId), eq(credentialMember.userId, userId))
      )
      .limit(1)
    if (existing) {
      await db
        .update(credentialMember)
        .set({ role, status: 'active', updatedAt: now })
        .where(eq(credentialMember.id, existing.id))
      return NextResponse.json({ success: true })
    }
    await db.insert(credentialMember).values({
      id: crypto.randomUUID(),
      credentialId,
      userId,
      role,
      status: 'active',
      joinedAt: now,
      invitedBy: session.user.id,
      createdAt: now,
      updatedAt: now,
    })
    return NextResponse.json({ success: true }, { status: 201 })
  } catch (error) {
    logger.error('Failed to add credential member', { error })
    return NextResponse.json({ error: 'Internal server error' }, { status: 500 })
  }
 }
 export async function DELETE(request: NextRequest, context: RouteContext) {
  try {
    const session = await getSession()
    if (!session?.user?.id) {
      return NextResponse.json({ error: 'Unauthorized' }, { status: 401 })
    }
    const { id: credentialId } = await context.params
    const targetUserId = new URL(request.url).searchParams.get('userId')
    if (!targetUserId) {
      return NextResponse.json({ error: 'userId query parameter required' }, { status: 400 })
    }
    const admin = await requireAdminMembership(credentialId, session.user.id)
    if (!admin) {
      return NextResponse.json({ error: 'Admin access required' }, { status: 403 })
    }
    const [target] = await db
      .select({
        id: credentialMember.id,
        role: credentialMember.role,
        status: credentialMember.status,
      })
      .from(credentialMember)
      .where(
        and(
          eq(credentialMember.credentialId, credentialId),
          eq(credentialMember.userId, targetUserId)
        )
      )
      .limit(1)
    if (!target) {
      return NextResponse.json({ error: 'Member not found' }, { status: 404 })
    }
    if (target.role === 'admin') {
      const activeAdmins = await db
        .select({ id: credentialMember.id })
        .from(credentialMember)
        .where(
          and(
            eq(credentialMember.credentialId, credentialId),
            eq(credentialMember.role, 'admin'),
            eq(credentialMember.status, 'active')
          )
        )
      if (activeAdmins.length <= 1) {
        return NextResponse.json({ error: 'Cannot remove the last admin' }, { status: 400 })
      }
    }
    await db.delete(credentialMember).where(eq(credentialMember.id, target.id))
    return NextResponse.json({ success: true })
  } catch (error) {
    logger.error('Failed to remove credential member', { error })
    return NextResponse.json({ error: 'Internal server error' }, { status: 500 })
  }
 }
--- a/apps/sim/app/api/credentials/[id]/route.ts
+++ b/apps/sim/app/api/credentials/[id]/route.ts
@@ -1,234 +0,0 @@
 import { db } from '@sim/db'
 import { credential, credentialMember, environment, workspaceEnvironment } from '@sim/db/schema'
 import { createLogger } from '@sim/logger'
 import { and, eq } from 'drizzle-orm'
 import { type NextRequest, NextResponse } from 'next/server'
 import { z } from 'zod'
 import { getSession } from '@/lib/auth'
 import { getCredentialActorContext } from '@/lib/credentials/access'
 import {
  syncPersonalEnvCredentialsForUser,
  syncWorkspaceEnvCredentials,
 } from '@/lib/credentials/environment'
 const logger = createLogger('CredentialByIdAPI')
 const updateCredentialSchema = z
  .object({
    displayName: z.string().trim().min(1).max(255).optional(),
    accountId: z.string().trim().min(1).optional(),
  })
  .strict()
  .refine((data) => Boolean(data.displayName || data.accountId), {
    message: 'At least one field must be provided',
    path: ['displayName'],
  })
 async function getCredentialResponse(credentialId: string, userId: string) {
  const [row] = await db
    .select({
      id: credential.id,
      workspaceId: credential.workspaceId,
      type: credential.type,
      displayName: credential.displayName,
      providerId: credential.providerId,
      accountId: credential.accountId,
      envKey: credential.envKey,
      envOwnerUserId: credential.envOwnerUserId,
      createdBy: credential.createdBy,
      createdAt: credential.createdAt,
      updatedAt: credential.updatedAt,
      role: credentialMember.role,
      status: credentialMember.status,
    })
    .from(credential)
    .innerJoin(
      credentialMember,
      and(eq(credentialMember.credentialId, credential.id), eq(credentialMember.userId, userId))
    )
    .where(eq(credential.id, credentialId))
    .limit(1)
  return row ?? null
 }
 export async function GET(request: NextRequest, { params }: { params: Promise<{ id: string }> }) {
  const session = await getSession()
  if (!session?.user?.id) {
    return NextResponse.json({ error: 'Unauthorized' }, { status: 401 })
  }
  const { id } = await params
  try {
    const access = await getCredentialActorContext(id, session.user.id)
    if (!access.credential) {
      return NextResponse.json({ error: 'Credential not found' }, { status: 404 })
    }
    if (!access.hasWorkspaceAccess || !access.member) {
      return NextResponse.json({ error: 'Forbidden' }, { status: 403 })
    }
    const row = await getCredentialResponse(id, session.user.id)
    return NextResponse.json({ credential: row }, { status: 200 })
  } catch (error) {
    logger.error('Failed to fetch credential', error)
    return NextResponse.json({ error: 'Internal server error' }, { status: 500 })
  }
 }
 export async function PUT(request: NextRequest, { params }: { params: Promise<{ id: string }> }) {
  const session = await getSession()
  if (!session?.user?.id) {
    return NextResponse.json({ error: 'Unauthorized' }, { status: 401 })
  }
  const { id } = await params
  try {
    const parseResult = updateCredentialSchema.safeParse(await request.json())
    if (!parseResult.success) {
      return NextResponse.json({ error: parseResult.error.errors[0]?.message }, { status: 400 })
    }
    const access = await getCredentialActorContext(id, session.user.id)
    if (!access.credential) {
      return NextResponse.json({ error: 'Credential not found' }, { status: 404 })
    }
    if (!access.hasWorkspaceAccess || !access.isAdmin) {
      return NextResponse.json({ error: 'Credential admin permission required' }, { status: 403 })
    }
    if (access.credential.type === 'oauth') {
      return NextResponse.json(
        {
          error:
            'OAuth credential editing is disabled. Connect an account and create or use its linked credential.',
        },
        { status: 400 }
      )
    }
    return NextResponse.json(
      {
        error:
          'Environment credentials cannot be updated via this endpoint. Use the environment value editor in credentials settings.',
      },
      { status: 400 }
    )
  } catch (error) {
    logger.error('Failed to update credential', error)
    return NextResponse.json({ error: 'Internal server error' }, { status: 500 })
  }
 }
 export async function DELETE(
  request: NextRequest,
  { params }: { params: Promise<{ id: string }> }
 ) {
  const session = await getSession()
  if (!session?.user?.id) {
    return NextResponse.json({ error: 'Unauthorized' }, { status: 401 })
  }
  const { id } = await params
  try {
    const access = await getCredentialActorContext(id, session.user.id)
    if (!access.credential) {
      return NextResponse.json({ error: 'Credential not found' }, { status: 404 })
    }
    if (!access.hasWorkspaceAccess || !access.isAdmin) {
      return NextResponse.json({ error: 'Credential admin permission required' }, { status: 403 })
    }
    if (access.credential.type === 'env_personal' && access.credential.envKey) {
      const ownerUserId = access.credential.envOwnerUserId
      if (!ownerUserId) {
        return NextResponse.json({ error: 'Invalid personal secret owner' }, { status: 400 })
      }
      const [personalRow] = await db
        .select({ variables: environment.variables })
        .from(environment)
        .where(eq(environment.userId, ownerUserId))
        .limit(1)
      const current = ((personalRow?.variables as Record<string, string> | null) ?? {}) as Record<
        string,
        string
      >
      if (access.credential.envKey in current) {
        delete current[access.credential.envKey]
      }
      await db
        .insert(environment)
        .values({
          id: ownerUserId,
          userId: ownerUserId,
          variables: current,
          updatedAt: new Date(),
        })
        .onConflictDoUpdate({
          target: [environment.userId],
          set: { variables: current, updatedAt: new Date() },
        })
      await syncPersonalEnvCredentialsForUser({
        userId: ownerUserId,
        envKeys: Object.keys(current),
      })
      return NextResponse.json({ success: true }, { status: 200 })
    }
    if (access.credential.type === 'env_workspace' && access.credential.envKey) {
      const [workspaceRow] = await db
        .select({
          id: workspaceEnvironment.id,
          createdAt: workspaceEnvironment.createdAt,
          variables: workspaceEnvironment.variables,
        })
        .from(workspaceEnvironment)
        .where(eq(workspaceEnvironment.workspaceId, access.credential.workspaceId))
        .limit(1)
      const current = ((workspaceRow?.variables as Record<string, string> | null) ?? {}) as Record<
        string,
        string
      >
      if (access.credential.envKey in current) {
        delete current[access.credential.envKey]
      }
      await db
        .insert(workspaceEnvironment)
        .values({
          id: workspaceRow?.id || crypto.randomUUID(),
          workspaceId: access.credential.workspaceId,
          variables: current,
          createdAt: workspaceRow?.createdAt || new Date(),
          updatedAt: new Date(),
        })
        .onConflictDoUpdate({
          target: [workspaceEnvironment.workspaceId],
          set: { variables: current, updatedAt: new Date() },
        })
      await syncWorkspaceEnvCredentials({
        workspaceId: access.credential.workspaceId,
        envKeys: Object.keys(current),
        actingUserId: session.user.id,
      })
      return NextResponse.json({ success: true }, { status: 200 })
    }
    await db.delete(credential).where(eq(credential.id, id))
    return NextResponse.json({ success: true }, { status: 200 })
  } catch (error) {
    logger.error('Failed to delete credential', error)
    return NextResponse.json({ error: 'Internal server error' }, { status: 500 })
  }
 }
--- a/apps/sim/app/api/credentials/bootstrap/route.ts
+++ b/apps/sim/app/api/credentials/bootstrap/route.ts
@@ -1,81 +0,0 @@
 import { db } from '@sim/db'
 import { environment, workspaceEnvironment } from '@sim/db/schema'
 import { createLogger } from '@sim/logger'
 import { eq } from 'drizzle-orm'
 import { type NextRequest, NextResponse } from 'next/server'
 import { z } from 'zod'
 import { getSession } from '@/lib/auth'
 import {
  syncPersonalEnvCredentialsForUser,
  syncWorkspaceEnvCredentials,
 } from '@/lib/credentials/environment'
 import { syncWorkspaceOAuthCredentialsForUser } from '@/lib/credentials/oauth'
 import { checkWorkspaceAccess } from '@/lib/workspaces/permissions/utils'
 const logger = createLogger('CredentialsBootstrapAPI')
 const bootstrapSchema = z.object({
  workspaceId: z.string().uuid('Workspace ID must be a valid UUID'),
 })
 /**
 * Ensures the current user's connected accounts and env vars are reflected as workspace credentials.
 */
 export async function POST(request: NextRequest) {
  const session = await getSession()
  if (!session?.user?.id) {
    return NextResponse.json({ error: 'Unauthorized' }, { status: 401 })
  }
  try {
    const parseResult = bootstrapSchema.safeParse(await request.json())
    if (!parseResult.success) {
      return NextResponse.json({ error: parseResult.error.errors[0]?.message }, { status: 400 })
    }
    const { workspaceId } = parseResult.data
    const workspaceAccess = await checkWorkspaceAccess(workspaceId, session.user.id)
    if (!workspaceAccess.hasAccess) {
      return NextResponse.json({ error: 'Forbidden' }, { status: 403 })
    }
    const [personalRow, workspaceRow] = await Promise.all([
      db
        .select({ variables: environment.variables })
        .from(environment)
        .where(eq(environment.userId, session.user.id))
        .limit(1),
      db
        .select({ variables: workspaceEnvironment.variables })
        .from(workspaceEnvironment)
        .where(eq(workspaceEnvironment.workspaceId, workspaceId))
        .limit(1),
    ])
    const personalKeys = Object.keys((personalRow[0]?.variables as Record<string, string>) || {})
    const workspaceKeys = Object.keys((workspaceRow[0]?.variables as Record<string, string>) || {})
    const [oauthSyncResult] = await Promise.all([
      syncWorkspaceOAuthCredentialsForUser({ workspaceId, userId: session.user.id }),
      syncPersonalEnvCredentialsForUser({ userId: session.user.id, envKeys: personalKeys }),
      syncWorkspaceEnvCredentials({
        workspaceId,
        envKeys: workspaceKeys,
        actingUserId: session.user.id,
      }),
    ])
    return NextResponse.json({
      success: true,
      synced: {
        oauthCreated: oauthSyncResult.createdCredentials,
        oauthMembershipsUpdated: oauthSyncResult.updatedMemberships,
        personalEnvKeys: personalKeys.length,
        workspaceEnvKeys: workspaceKeys.length,
      },
    })
  } catch (error) {
    logger.error('Failed to bootstrap workspace credentials', error)
    return NextResponse.json({ error: 'Internal server error' }, { status: 500 })
  }
 }
--- a/apps/sim/app/api/credentials/draft/route.ts
+++ b/apps/sim/app/api/credentials/draft/route.ts
@@ -1,73 +0,0 @@
 import { db } from '@sim/db'
 import { pendingCredentialDraft } from '@sim/db/schema'
 import { createLogger } from '@sim/logger'
 import { and, eq, lt } from 'drizzle-orm'
 import { NextResponse } from 'next/server'
 import { z } from 'zod'
 import { getSession } from '@/lib/auth'
 const logger = createLogger('CredentialDraftAPI')
 const DRAFT_TTL_MS = 15 * 60 * 1000
 const createDraftSchema = z.object({
  workspaceId: z.string().min(1),
  providerId: z.string().min(1),
  displayName: z.string().min(1),
 })
 export async function POST(request: Request) {
  try {
    const session = await getSession()
    if (!session?.user?.id) {
      return NextResponse.json({ error: 'Unauthorized' }, { status: 401 })
    }
    const body = await request.json()
    const parsed = createDraftSchema.safeParse(body)
    if (!parsed.success) {
      return NextResponse.json({ error: 'Invalid request body' }, { status: 400 })
    }
    const { workspaceId, providerId, displayName } = parsed.data
    const userId = session.user.id
    const now = new Date()
    await db
      .delete(pendingCredentialDraft)
      .where(
        and(eq(pendingCredentialDraft.userId, userId), lt(pendingCredentialDraft.expiresAt, now))
      )
    await db
      .insert(pendingCredentialDraft)
      .values({
        id: crypto.randomUUID(),
        userId,
        workspaceId,
        providerId,
        displayName,
        expiresAt: new Date(now.getTime() + DRAFT_TTL_MS),
        createdAt: now,
      })
      .onConflictDoUpdate({
        target: [
          pendingCredentialDraft.userId,
          pendingCredentialDraft.providerId,
          pendingCredentialDraft.workspaceId,
        ],
        set: {
          displayName,
          expiresAt: new Date(now.getTime() + DRAFT_TTL_MS),
          createdAt: now,
        },
      })
    logger.info('Credential draft saved', { userId, workspaceId, providerId, displayName })
    return NextResponse.json({ success: true }, { status: 200 })
  } catch (error) {
    logger.error('Failed to save credential draft', { error })
    return NextResponse.json({ error: 'Internal server error' }, { status: 500 })
  }
 }
--- a/apps/sim/app/api/credentials/memberships/route.ts
+++ b/apps/sim/app/api/credentials/memberships/route.ts
@@ -1,112 +0,0 @@
 import { db } from '@sim/db'
 import { credential, credentialMember } from '@sim/db/schema'
 import { createLogger } from '@sim/logger'
 import { and, eq } from 'drizzle-orm'
 import { type NextRequest, NextResponse } from 'next/server'
 import { z } from 'zod'
 import { getSession } from '@/lib/auth'
 const logger = createLogger('CredentialMembershipsAPI')
 const leaveCredentialSchema = z.object({
  credentialId: z.string().min(1),
 })
 export async function GET() {
  const session = await getSession()
  if (!session?.user?.id) {
    return NextResponse.json({ error: 'Unauthorized' }, { status: 401 })
  }
  try {
    const memberships = await db
      .select({
        membershipId: credentialMember.id,
        credentialId: credential.id,
        workspaceId: credential.workspaceId,
        type: credential.type,
        displayName: credential.displayName,
        providerId: credential.providerId,
        role: credentialMember.role,
        status: credentialMember.status,
        joinedAt: credentialMember.joinedAt,
      })
      .from(credentialMember)
      .innerJoin(credential, eq(credentialMember.credentialId, credential.id))
      .where(eq(credentialMember.userId, session.user.id))
    return NextResponse.json({ memberships }, { status: 200 })
  } catch (error) {
    logger.error('Failed to list credential memberships', error)
    return NextResponse.json({ error: 'Internal server error' }, { status: 500 })
  }
 }
 export async function DELETE(request: NextRequest) {
  const session = await getSession()
  if (!session?.user?.id) {
    return NextResponse.json({ error: 'Unauthorized' }, { status: 401 })
  }
  try {
    const parseResult = leaveCredentialSchema.safeParse({
      credentialId: new URL(request.url).searchParams.get('credentialId'),
    })
    if (!parseResult.success) {
      return NextResponse.json({ error: parseResult.error.errors[0]?.message }, { status: 400 })
    }
    const { credentialId } = parseResult.data
    const [membership] = await db
      .select()
      .from(credentialMember)
      .where(
        and(
          eq(credentialMember.credentialId, credentialId),
          eq(credentialMember.userId, session.user.id)
        )
      )
      .limit(1)
    if (!membership) {
      return NextResponse.json({ error: 'Membership not found' }, { status: 404 })
    }
    if (membership.status !== 'active') {
      return NextResponse.json({ success: true }, { status: 200 })
    }
    if (membership.role === 'admin') {
      const activeAdmins = await db
        .select({ id: credentialMember.id })
        .from(credentialMember)
        .where(
          and(
            eq(credentialMember.credentialId, credentialId),
            eq(credentialMember.role, 'admin'),
            eq(credentialMember.status, 'active')
          )
        )
      if (activeAdmins.length <= 1) {
        return NextResponse.json(
          { error: 'Cannot leave credential as the last active admin' },
          { status: 400 }
        )
      }
    }
    await db
      .update(credentialMember)
      .set({
        status: 'revoked',
        updatedAt: new Date(),
      })
      .where(eq(credentialMember.id, membership.id))
    return NextResponse.json({ success: true }, { status: 200 })
  } catch (error) {
    logger.error('Failed to leave credential', error)
    return NextResponse.json({ error: 'Internal server error' }, { status: 500 })
  }
 }
--- a/apps/sim/app/api/credentials/route.ts
+++ b/apps/sim/app/api/credentials/route.ts
@@ -1,468 +0,0 @@
 import { db } from '@sim/db'
 import { account, credential, credentialMember, workspace } from '@sim/db/schema'
 import { createLogger } from '@sim/logger'
 import { and, eq } from 'drizzle-orm'
 import { type NextRequest, NextResponse } from 'next/server'
 import { z } from 'zod'
 import { getSession } from '@/lib/auth'
 import { generateRequestId } from '@/lib/core/utils/request'
 import { getWorkspaceMemberUserIds } from '@/lib/credentials/environment'
 import { syncWorkspaceOAuthCredentialsForUser } from '@/lib/credentials/oauth'
 import { getServiceConfigByProviderId } from '@/lib/oauth'
 import { checkWorkspaceAccess } from '@/lib/workspaces/permissions/utils'
 import { isValidEnvVarName } from '@/executor/constants'
 const logger = createLogger('CredentialsAPI')
 const credentialTypeSchema = z.enum(['oauth', 'env_workspace', 'env_personal'])
 function normalizeEnvKeyInput(raw: string): string {
  const trimmed = raw.trim()
  const wrappedMatch = /^\{\{\s*([A-Za-z0-9_]+)\s*\}\}$/.exec(trimmed)
  return wrappedMatch ? wrappedMatch[1] : trimmed
 }
 const listCredentialsSchema = z.object({
  workspaceId: z.string().uuid('Workspace ID must be a valid UUID'),
  type: credentialTypeSchema.optional(),
  providerId: z.string().optional(),
 })
 const createCredentialSchema = z
  .object({
    workspaceId: z.string().uuid('Workspace ID must be a valid UUID'),
    type: credentialTypeSchema,
    displayName: z.string().trim().min(1).max(255).optional(),
    providerId: z.string().trim().min(1).optional(),
    accountId: z.string().trim().min(1).optional(),
    envKey: z.string().trim().min(1).optional(),
    envOwnerUserId: z.string().trim().min(1).optional(),
  })
  .superRefine((data, ctx) => {
    if (data.type === 'oauth') {
      if (!data.accountId) {
        ctx.addIssue({
          code: z.ZodIssueCode.custom,
          message: 'accountId is required for oauth credentials',
          path: ['accountId'],
        })
      }
      if (!data.providerId) {
        ctx.addIssue({
          code: z.ZodIssueCode.custom,
          message: 'providerId is required for oauth credentials',
          path: ['providerId'],
        })
      }
      if (!data.displayName) {
        ctx.addIssue({
          code: z.ZodIssueCode.custom,
          message: 'displayName is required for oauth credentials',
          path: ['displayName'],
        })
      }
      return
    }
    const normalizedEnvKey = data.envKey ? normalizeEnvKeyInput(data.envKey) : ''
    if (!normalizedEnvKey) {
      ctx.addIssue({
        code: z.ZodIssueCode.custom,
        message: 'envKey is required for env credentials',
        path: ['envKey'],
      })
      return
    }
    if (!isValidEnvVarName(normalizedEnvKey)) {
      ctx.addIssue({
        code: z.ZodIssueCode.custom,
        message: 'envKey must contain only letters, numbers, and underscores',
        path: ['envKey'],
      })
    }
  })
 interface ExistingCredentialSourceParams {
  workspaceId: string
  type: 'oauth' | 'env_workspace' | 'env_personal'
  accountId?: string | null
  envKey?: string | null
  envOwnerUserId?: string | null
 }
 async function findExistingCredentialBySource(params: ExistingCredentialSourceParams) {
  const { workspaceId, type, accountId, envKey, envOwnerUserId } = params
  if (type === 'oauth' && accountId) {
    const [row] = await db
      .select()
      .from(credential)
      .where(
        and(
          eq(credential.workspaceId, workspaceId),
          eq(credential.type, 'oauth'),
          eq(credential.accountId, accountId)
        )
      )
      .limit(1)
    return row ?? null
  }
  if (type === 'env_workspace' && envKey) {
    const [row] = await db
      .select()
      .from(credential)
      .where(
        and(
          eq(credential.workspaceId, workspaceId),
          eq(credential.type, 'env_workspace'),
          eq(credential.envKey, envKey)
        )
      )
      .limit(1)
    return row ?? null
  }
  if (type === 'env_personal' && envKey && envOwnerUserId) {
    const [row] = await db
      .select()
      .from(credential)
      .where(
        and(
          eq(credential.workspaceId, workspaceId),
          eq(credential.type, 'env_personal'),
          eq(credential.envKey, envKey),
          eq(credential.envOwnerUserId, envOwnerUserId)
        )
      )
      .limit(1)
    return row ?? null
  }
  return null
 }
 export async function GET(request: NextRequest) {
  const requestId = generateRequestId()
  const session = await getSession()
  if (!session?.user?.id) {
    return NextResponse.json({ error: 'Unauthorized' }, { status: 401 })
  }
  try {
    const { searchParams } = new URL(request.url)
    const rawWorkspaceId = searchParams.get('workspaceId')
    const rawType = searchParams.get('type')
    const rawProviderId = searchParams.get('providerId')
    const parseResult = listCredentialsSchema.safeParse({
      workspaceId: rawWorkspaceId?.trim(),
      type: rawType?.trim() || undefined,
      providerId: rawProviderId?.trim() || undefined,
    })
    if (!parseResult.success) {
      logger.warn(`[${requestId}] Invalid credential list request`, {
        workspaceId: rawWorkspaceId,
        type: rawType,
        providerId: rawProviderId,
        errors: parseResult.error.errors,
      })
      return NextResponse.json({ error: parseResult.error.errors[0]?.message }, { status: 400 })
    }
    const { workspaceId, type, providerId } = parseResult.data
    const workspaceAccess = await checkWorkspaceAccess(workspaceId, session.user.id)
    if (!workspaceAccess.hasAccess) {
      return NextResponse.json({ error: 'Forbidden' }, { status: 403 })
    }
    if (!type || type === 'oauth') {
      await syncWorkspaceOAuthCredentialsForUser({ workspaceId, userId: session.user.id })
    }
    const whereClauses = [
      eq(credential.workspaceId, workspaceId),
      eq(credentialMember.userId, session.user.id),
      eq(credentialMember.status, 'active'),
    ]
    if (type) {
      whereClauses.push(eq(credential.type, type))
    }
    if (providerId) {
      whereClauses.push(eq(credential.providerId, providerId))
    }
    const credentials = await db
      .select({
        id: credential.id,
        workspaceId: credential.workspaceId,
        type: credential.type,
        displayName: credential.displayName,
        providerId: credential.providerId,
        accountId: credential.accountId,
        envKey: credential.envKey,
        envOwnerUserId: credential.envOwnerUserId,
        createdBy: credential.createdBy,
        createdAt: credential.createdAt,
        updatedAt: credential.updatedAt,
        role: credentialMember.role,
      })
      .from(credential)
      .innerJoin(
        credentialMember,
        and(
          eq(credentialMember.credentialId, credential.id),
          eq(credentialMember.userId, session.user.id),
          eq(credentialMember.status, 'active')
        )
      )
      .where(and(...whereClauses))
    return NextResponse.json({ credentials })
  } catch (error) {
    logger.error(`[${requestId}] Failed to list credentials`, error)
    return NextResponse.json({ error: 'Internal server error' }, { status: 500 })
  }
 }
 export async function POST(request: NextRequest) {
  const requestId = generateRequestId()
  const session = await getSession()
  if (!session?.user?.id) {
    return NextResponse.json({ error: 'Unauthorized' }, { status: 401 })
  }
  try {
    const body = await request.json()
    const parseResult = createCredentialSchema.safeParse(body)
    if (!parseResult.success) {
      return NextResponse.json({ error: parseResult.error.errors[0]?.message }, { status: 400 })
    }
    const { workspaceId, type, displayName, providerId, accountId, envKey, envOwnerUserId } =
      parseResult.data
    const workspaceAccess = await checkWorkspaceAccess(workspaceId, session.user.id)
    if (!workspaceAccess.canWrite) {
      return NextResponse.json({ error: 'Write permission required' }, { status: 403 })
    }
    let resolvedDisplayName = displayName?.trim() ?? ''
    let resolvedProviderId: string | null = providerId ?? null
    let resolvedAccountId: string | null = accountId ?? null
    const resolvedEnvKey: string | null = envKey ? normalizeEnvKeyInput(envKey) : null
    let resolvedEnvOwnerUserId: string | null = null
    if (type === 'oauth') {
      const [accountRow] = await db
        .select({
          id: account.id,
          userId: account.userId,
          providerId: account.providerId,
          accountId: account.accountId,
        })
        .from(account)
        .where(eq(account.id, accountId!))
        .limit(1)
      if (!accountRow) {
        return NextResponse.json({ error: 'OAuth account not found' }, { status: 404 })
      }
      if (accountRow.userId !== session.user.id) {
        return NextResponse.json(
          { error: 'Only account owners can create oauth credentials for an account' },
          { status: 403 }
        )
      }
      if (providerId !== accountRow.providerId) {
        return NextResponse.json(
          { error: 'providerId does not match the selected OAuth account' },
          { status: 400 }
        )
      }
      if (!resolvedDisplayName) {
        resolvedDisplayName =
          getServiceConfigByProviderId(accountRow.providerId)?.name || accountRow.providerId
      }
    } else if (type === 'env_personal') {
      resolvedEnvOwnerUserId = envOwnerUserId ?? session.user.id
      if (resolvedEnvOwnerUserId !== session.user.id) {
        return NextResponse.json(
          { error: 'Only the current user can create personal env credentials for themselves' },
          { status: 403 }
        )
      }
      resolvedProviderId = null
      resolvedAccountId = null
      resolvedDisplayName = resolvedEnvKey || ''
    } else {
      resolvedProviderId = null
      resolvedAccountId = null
      resolvedEnvOwnerUserId = null
      resolvedDisplayName = resolvedEnvKey || ''
    }
    if (!resolvedDisplayName) {
      return NextResponse.json({ error: 'Display name is required' }, { status: 400 })
    }
    const existingCredential = await findExistingCredentialBySource({
      workspaceId,
      type,
      accountId: resolvedAccountId,
      envKey: resolvedEnvKey,
      envOwnerUserId: resolvedEnvOwnerUserId,
    })
    if (existingCredential) {
      const [membership] = await db
        .select({
          id: credentialMember.id,
          status: credentialMember.status,
          role: credentialMember.role,
        })
        .from(credentialMember)
        .where(
          and(
            eq(credentialMember.credentialId, existingCredential.id),
            eq(credentialMember.userId, session.user.id)
          )
        )
        .limit(1)
      if (!membership || membership.status !== 'active') {
        return NextResponse.json(
          { error: 'A credential with this source already exists in this workspace' },
          { status: 409 }
        )
      }
      if (
        type === 'oauth' &&
        membership.role === 'admin' &&
        resolvedDisplayName &&
        resolvedDisplayName !== existingCredential.displayName
      ) {
        await db
          .update(credential)
          .set({
            displayName: resolvedDisplayName,
            updatedAt: new Date(),
          })
          .where(eq(credential.id, existingCredential.id))
        const [updatedCredential] = await db
          .select()
          .from(credential)
          .where(eq(credential.id, existingCredential.id))
          .limit(1)
        return NextResponse.json(
          { credential: updatedCredential ?? existingCredential },
          { status: 200 }
        )
      }
      return NextResponse.json({ credential: existingCredential }, { status: 200 })
    }
    const now = new Date()
    const credentialId = crypto.randomUUID()
    const [workspaceRow] = await db
      .select({ ownerId: workspace.ownerId })
      .from(workspace)
      .where(eq(workspace.id, workspaceId))
      .limit(1)
    await db.transaction(async (tx) => {
      await tx.insert(credential).values({
        id: credentialId,
        workspaceId,
        type,
        displayName: resolvedDisplayName,
        providerId: resolvedProviderId,
        accountId: resolvedAccountId,
        envKey: resolvedEnvKey,
        envOwnerUserId: resolvedEnvOwnerUserId,
        createdBy: session.user.id,
        createdAt: now,
        updatedAt: now,
      })
      if (type === 'env_workspace' && workspaceRow?.ownerId) {
        const workspaceUserIds = await getWorkspaceMemberUserIds(workspaceId)
        if (workspaceUserIds.length > 0) {
          for (const memberUserId of workspaceUserIds) {
            await tx.insert(credentialMember).values({
              id: crypto.randomUUID(),
              credentialId,
              userId: memberUserId,
              role: memberUserId === workspaceRow.ownerId ? 'admin' : 'member',
              status: 'active',
              joinedAt: now,
              invitedBy: session.user.id,
              createdAt: now,
              updatedAt: now,
            })
          }
        }
      } else {
        await tx.insert(credentialMember).values({
          id: crypto.randomUUID(),
          credentialId,
          userId: session.user.id,
          role: 'admin',
          status: 'active',
          joinedAt: now,
          invitedBy: session.user.id,
          createdAt: now,
          updatedAt: now,
        })
      }
    })
    const [created] = await db
      .select()
      .from(credential)
      .where(eq(credential.id, credentialId))
      .limit(1)
    return NextResponse.json({ credential: created }, { status: 201 })
  } catch (error: any) {
    if (error?.code === '23505') {
      return NextResponse.json(
        { error: 'A credential with this source already exists' },
        { status: 409 }
      )
    }
    if (error?.code === '23503') {
      return NextResponse.json(
        { error: 'Invalid credential reference or membership target' },
        { status: 400 }
      )
    }
    if (error?.code === '23514') {
      return NextResponse.json(
        { error: 'Credential source data failed validation checks' },
        { status: 400 }
      )
    }
    logger.error(`[${requestId}] Credential create failure details`, {
      code: error?.code,
      detail: error?.detail,
      constraint: error?.constraint,
      table: error?.table,
      message: error?.message,
    })
    logger.error(`[${requestId}] Failed to create credential`, error)
    return NextResponse.json({ error: 'Internal server error' }, { status: 500 })
  }
 }
--- a/apps/sim/app/api/environment/route.ts
+++ b/apps/sim/app/api/environment/route.ts
@@ -7,7 +7,6 @@ import { z } from 'zod'
 import { getSession } from '@/lib/auth'
 import { decryptSecret, encryptSecret } from '@/lib/core/security/encryption'
 import { generateRequestId } from '@/lib/core/utils/request'
 import { syncPersonalEnvCredentialsForUser } from '@/lib/credentials/environment'
 import type { EnvironmentVariable } from '@/stores/settings/environment'
 const logger = createLogger('EnvironmentAPI')
@@ -54,11 +53,6 @@ export async function POST(req: NextRequest) {
          },
        })
      await syncPersonalEnvCredentialsForUser({
        userId: session.user.id,
        envKeys: Object.keys(variables),
      })
      return NextResponse.json({ success: true })
    } catch (validationError) {
      if (validationError instanceof z.ZodError) {
--- a/apps/sim/app/api/tools/confluence/labels/route.ts
+++ b/apps/sim/app/api/tools/confluence/labels/route.ts
@@ -191,3 +191,84 @@ export async function GET(request: NextRequest) {
    )
  }
 }
 // Delete a label from a page
 export async function DELETE(request: NextRequest) {
  try {
    const auth = await checkSessionOrInternalAuth(request)
    if (!auth.success || !auth.userId) {
      return NextResponse.json({ error: auth.error || 'Unauthorized' }, { status: 401 })
    }
    const {
      domain,
      accessToken,
      cloudId: providedCloudId,
      pageId,
      labelName,
    } = await request.json()
    if (!domain) {
      return NextResponse.json({ error: 'Domain is required' }, { status: 400 })
    }
    if (!accessToken) {
      return NextResponse.json({ error: 'Access token is required' }, { status: 400 })
    }
    if (!pageId) {
      return NextResponse.json({ error: 'Page ID is required' }, { status: 400 })
    }
    if (!labelName) {
      return NextResponse.json({ error: 'Label name is required' }, { status: 400 })
    }
    const pageIdValidation = validateAlphanumericId(pageId, 'pageId', 255)
    if (!pageIdValidation.isValid) {
      return NextResponse.json({ error: pageIdValidation.error }, { status: 400 })
    }
    const cloudId = providedCloudId || (await getConfluenceCloudId(domain, accessToken))
    const cloudIdValidation = validateJiraCloudId(cloudId, 'cloudId')
    if (!cloudIdValidation.isValid) {
      return NextResponse.json({ error: cloudIdValidation.error }, { status: 400 })
    }
    const encodedLabel = encodeURIComponent(labelName.trim())
    const url = `https://api.atlassian.com/ex/confluence/${cloudId}/wiki/rest/api/content/${pageId}/label?name=${encodedLabel}`
    const response = await fetch(url, {
      method: 'DELETE',
      headers: {
        Accept: 'application/json',
        Authorization: `Bearer ${accessToken}`,
      },
    })
    if (!response.ok) {
      const errorData = await response.json().catch(() => null)
      logger.error('Confluence API error response:', {
        status: response.status,
        statusText: response.statusText,
        error: JSON.stringify(errorData, null, 2),
      })
      const errorMessage =
        errorData?.message || `Failed to delete Confluence label (${response.status})`
      return NextResponse.json({ error: errorMessage }, { status: response.status })
    }
    return NextResponse.json({
      pageId,
      labelName,
      deleted: true,
    })
  } catch (error) {
    logger.error('Error deleting Confluence label:', error)
    return NextResponse.json(
      { error: (error as Error).message || 'Internal server error' },
      { status: 500 }
    )
  }
 }
--- a/apps/sim/app/api/tools/confluence/pages-by-label/route.ts
+++ b/apps/sim/app/api/tools/confluence/pages-by-label/route.ts
@@ -0,0 +1,103 @@
 import { createLogger } from '@sim/logger'
 import { type NextRequest, NextResponse } from 'next/server'
 import { checkSessionOrInternalAuth } from '@/lib/auth/hybrid'
 import { validateAlphanumericId, validateJiraCloudId } from '@/lib/core/security/input-validation'
 import { getConfluenceCloudId } from '@/tools/confluence/utils'
 const logger = createLogger('ConfluencePagesByLabelAPI')
 export const dynamic = 'force-dynamic'
 export async function GET(request: NextRequest) {
  try {
    const auth = await checkSessionOrInternalAuth(request)
    if (!auth.success || !auth.userId) {
      return NextResponse.json({ error: auth.error || 'Unauthorized' }, { status: 401 })
    }
    const { searchParams } = new URL(request.url)
    const domain = searchParams.get('domain')
    const accessToken = searchParams.get('accessToken')
    const labelId = searchParams.get('labelId')
    const providedCloudId = searchParams.get('cloudId')
    const limit = searchParams.get('limit') || '50'
    const cursor = searchParams.get('cursor')
    if (!domain) {
      return NextResponse.json({ error: 'Domain is required' }, { status: 400 })
    }
    if (!accessToken) {
      return NextResponse.json({ error: 'Access token is required' }, { status: 400 })
    }
    if (!labelId) {
      return NextResponse.json({ error: 'Label ID is required' }, { status: 400 })
    }
    const labelIdValidation = validateAlphanumericId(labelId, 'labelId', 255)
    if (!labelIdValidation.isValid) {
      return NextResponse.json({ error: labelIdValidation.error }, { status: 400 })
    }
    const cloudId = providedCloudId || (await getConfluenceCloudId(domain, accessToken))
    const cloudIdValidation = validateJiraCloudId(cloudId, 'cloudId')
    if (!cloudIdValidation.isValid) {
      return NextResponse.json({ error: cloudIdValidation.error }, { status: 400 })
    }
    const queryParams = new URLSearchParams()
    queryParams.append('limit', String(Math.min(Number(limit), 250)))
    if (cursor) {
      queryParams.append('cursor', cursor)
    }
    const url = `https://api.atlassian.com/ex/confluence/${cloudId}/wiki/api/v2/labels/${labelId}/pages?${queryParams.toString()}`
    const response = await fetch(url, {
      method: 'GET',
      headers: {
        Accept: 'application/json',
        Authorization: `Bearer ${accessToken}`,
      },
    })
    if (!response.ok) {
      const errorData = await response.json().catch(() => null)
      logger.error('Confluence API error response:', {
        status: response.status,
        statusText: response.statusText,
        error: JSON.stringify(errorData, null, 2),
      })
      const errorMessage = errorData?.message || `Failed to get pages by label (${response.status})`
      return NextResponse.json({ error: errorMessage }, { status: response.status })
    }
    const data = await response.json()
    const pages = (data.results || []).map((page: any) => ({
      id: page.id,
      title: page.title,
      status: page.status ?? null,
      spaceId: page.spaceId ?? null,
      parentId: page.parentId ?? null,
      authorId: page.authorId ?? null,
      createdAt: page.createdAt ?? null,
      version: page.version ?? null,
    }))
    return NextResponse.json({
      pages,
      labelId,
      nextCursor: data._links?.next
        ? new URL(data._links.next, 'https://placeholder').searchParams.get('cursor')
        : null,
    })
  } catch (error) {
    logger.error('Error getting pages by label:', error)
    return NextResponse.json(
      { error: (error as Error).message || 'Internal server error' },
      { status: 500 }
    )
  }
 }
--- a/apps/sim/app/api/tools/confluence/space-labels/route.ts
+++ b/apps/sim/app/api/tools/confluence/space-labels/route.ts
@@ -0,0 +1,98 @@
 import { createLogger } from '@sim/logger'
 import { type NextRequest, NextResponse } from 'next/server'
 import { checkSessionOrInternalAuth } from '@/lib/auth/hybrid'
 import { validateAlphanumericId, validateJiraCloudId } from '@/lib/core/security/input-validation'
 import { getConfluenceCloudId } from '@/tools/confluence/utils'
 const logger = createLogger('ConfluenceSpaceLabelsAPI')
 export const dynamic = 'force-dynamic'
 export async function GET(request: NextRequest) {
  try {
    const auth = await checkSessionOrInternalAuth(request)
    if (!auth.success || !auth.userId) {
      return NextResponse.json({ error: auth.error || 'Unauthorized' }, { status: 401 })
    }
    const { searchParams } = new URL(request.url)
    const domain = searchParams.get('domain')
    const accessToken = searchParams.get('accessToken')
    const spaceId = searchParams.get('spaceId')
    const providedCloudId = searchParams.get('cloudId')
    const limit = searchParams.get('limit') || '25'
    const cursor = searchParams.get('cursor')
    if (!domain) {
      return NextResponse.json({ error: 'Domain is required' }, { status: 400 })
    }
    if (!accessToken) {
      return NextResponse.json({ error: 'Access token is required' }, { status: 400 })
    }
    if (!spaceId) {
      return NextResponse.json({ error: 'Space ID is required' }, { status: 400 })
    }
    const spaceIdValidation = validateAlphanumericId(spaceId, 'spaceId', 255)
    if (!spaceIdValidation.isValid) {
      return NextResponse.json({ error: spaceIdValidation.error }, { status: 400 })
    }
    const cloudId = providedCloudId || (await getConfluenceCloudId(domain, accessToken))
    const cloudIdValidation = validateJiraCloudId(cloudId, 'cloudId')
    if (!cloudIdValidation.isValid) {
      return NextResponse.json({ error: cloudIdValidation.error }, { status: 400 })
    }
    const queryParams = new URLSearchParams()
    queryParams.append('limit', String(Math.min(Number(limit), 250)))
    if (cursor) {
      queryParams.append('cursor', cursor)
    }
    const url = `https://api.atlassian.com/ex/confluence/${cloudId}/wiki/api/v2/spaces/${spaceId}/labels?${queryParams.toString()}`
    const response = await fetch(url, {
      method: 'GET',
      headers: {
        Accept: 'application/json',
        Authorization: `Bearer ${accessToken}`,
      },
    })
    if (!response.ok) {
      const errorData = await response.json().catch(() => null)
      logger.error('Confluence API error response:', {
        status: response.status,
        statusText: response.statusText,
        error: JSON.stringify(errorData, null, 2),
      })
      const errorMessage = errorData?.message || `Failed to list space labels (${response.status})`
      return NextResponse.json({ error: errorMessage }, { status: response.status })
    }
    const data = await response.json()
    const labels = (data.results || []).map((label: any) => ({
      id: label.id,
      name: label.name,
      prefix: label.prefix || 'global',
    }))
    return NextResponse.json({
      labels,
      spaceId,
      nextCursor: data._links?.next
        ? new URL(data._links.next, 'https://placeholder').searchParams.get('cursor')
        : null,
    })
  } catch (error) {
    logger.error('Error listing space labels:', error)
    return NextResponse.json(
      { error: (error as Error).message || 'Internal server error' },
      { status: 500 }
    )
  }
 }
--- a/apps/sim/app/api/workspaces/[id]/environment/route.ts
+++ b/apps/sim/app/api/workspaces/[id]/environment/route.ts
@@ -1,14 +1,12 @@
 import { db } from '@sim/db'
-import { workspaceEnvironment } from '@sim/db/schema'
+import { environment, workspaceEnvironment } from '@sim/db/schema'
 import { createLogger } from '@sim/logger'
 import { eq } from 'drizzle-orm'
 import { type NextRequest, NextResponse } from 'next/server'
 import { z } from 'zod'
 import { getSession } from '@/lib/auth'
-import { encryptSecret } from '@/lib/core/security/encryption'
+import { decryptSecret, encryptSecret } from '@/lib/core/security/encryption'
 import { generateRequestId } from '@/lib/core/utils/request'
 import { syncWorkspaceEnvCredentials } from '@/lib/credentials/environment'
 import { getPersonalAndWorkspaceEnv } from '@/lib/environment/utils'
 import { getUserEntityPermissions, getWorkspaceById } from '@/lib/workspaces/permissions/utils'
 const logger = createLogger('WorkspaceEnvironmentAPI')
@@ -46,10 +44,44 @@ export async function GET(request: NextRequest, { params }: { params: Promise<{
      return NextResponse.json({ error: 'Unauthorized' }, { status: 401 })
    }
-    const { workspaceDecrypted, personalDecrypted, conflicts } = await getPersonalAndWorkspaceEnv(
+    // Workspace env (encrypted)
-      userId,
+    const wsEnvRow = await db
-      workspaceId
+      .select()
-    )
+      .from(workspaceEnvironment)
      .where(eq(workspaceEnvironment.workspaceId, workspaceId))
      .limit(1)
    const wsEncrypted: Record<string, string> = (wsEnvRow[0]?.variables as any) || {}
    // Personal env (encrypted)
    const personalRow = await db
      .select()
      .from(environment)
      .where(eq(environment.userId, userId))
      .limit(1)
    const personalEncrypted: Record<string, string> = (personalRow[0]?.variables as any) || {}
    // Decrypt both for UI
    const decryptAll = async (src: Record<string, string>) => {
      const out: Record<string, string> = {}
      for (const [k, v] of Object.entries(src)) {
        try {
          const { decrypted } = await decryptSecret(v)
          out[k] = decrypted
        } catch {
          out[k] = ''
        }
      }
      return out
    }
    const [workspaceDecrypted, personalDecrypted] = await Promise.all([
      decryptAll(wsEncrypted),
      decryptAll(personalEncrypted),
    ])
    const conflicts = Object.keys(personalDecrypted).filter((k) => k in workspaceDecrypted)
    return NextResponse.json(
      {
@@ -124,12 +156,6 @@ export async function PUT(request: NextRequest, { params }: { params: Promise<{
        set: { variables: merged, updatedAt: new Date() },
      })
    await syncWorkspaceEnvCredentials({
      workspaceId,
      envKeys: Object.keys(merged),
      actingUserId: userId,
    })
    return NextResponse.json({ success: true })
  } catch (error: any) {
    logger.error(`[${requestId}] Workspace env PUT error`, error)
@@ -196,12 +222,6 @@ export async function DELETE(
        set: { variables: current, updatedAt: new Date() },
      })
    await syncWorkspaceEnvCredentials({
      workspaceId,
      envKeys: Object.keys(current),
      actingUserId: userId,
    })
    return NextResponse.json({ success: true })
  } catch (error: any) {
    logger.error(`[${requestId}] Workspace env DELETE error`, error)
--- a/apps/sim/app/workspace/[workspaceId]/utils/commands-utils.ts
+++ b/apps/sim/app/workspace/[workspaceId]/utils/commands-utils.ts
@@ -13,9 +13,6 @@ export type CommandId =
  | 'goto-logs'
  | 'open-search'
  | 'run-workflow'
  | 'focus-copilot-tab'
  | 'focus-toolbar-tab'
  | 'focus-editor-tab'
  | 'clear-terminal-console'
  | 'focus-toolbar-search'
  | 'clear-notifications'
@@ -75,21 +72,6 @@ export const COMMAND_DEFINITIONS: Record<CommandId, CommandDefinition> = {
    shortcut: 'Mod+Enter',
    allowInEditable: false,
  },
  'focus-copilot-tab': {
    id: 'focus-copilot-tab',
    shortcut: 'C',
    allowInEditable: false,
  },
  'focus-toolbar-tab': {
    id: 'focus-toolbar-tab',
    shortcut: 'T',
    allowInEditable: false,
  },
  'focus-editor-tab': {
    id: 'focus-editor-tab',
    shortcut: 'E',
    allowInEditable: false,
  },
  'clear-terminal-console': {
    id: 'clear-terminal-console',
    shortcut: 'Mod+D',
--- a/apps/sim/app/workspace/[workspaceId]/w/[workflowId]/components/diff-controls/diff-controls.tsx
+++ b/apps/sim/app/workspace/[workspaceId]/w/[workflowId]/components/diff-controls/diff-controls.tsx
@@ -14,6 +14,14 @@ const logger = createLogger('DiffControls')
 const NOTIFICATION_WIDTH = 240
 const NOTIFICATION_GAP = 16
 function isWorkflowEditToolCall(name?: string, params?: Record<string, unknown>): boolean {
  if (name !== 'workflow_change') return false
  const mode = typeof params?.mode === 'string' ? params.mode.toLowerCase() : ''
  if (mode === 'apply') return true
  return typeof params?.proposalId === 'string' && params.proposalId.length > 0
 }
 export const DiffControls = memo(function DiffControls() {
  const isTerminalResizing = useTerminalStore((state) => state.isResizing)
  const isPanelResizing = usePanelStore((state) => state.isResizing)
@@ -64,7 +72,7 @@ export const DiffControls = memo(function DiffControls() {
          const b = blocks[bi]
          if (b?.type === 'tool_call') {
            const tn = b.toolCall?.name
-            if (tn === 'edit_workflow') {
+            if (isWorkflowEditToolCall(tn, b.toolCall?.params)) {
              id = b.toolCall?.id
              break outer
            }
@@ -72,7 +80,9 @@ export const DiffControls = memo(function DiffControls() {
        }
      }
      if (!id) {
-        const candidates = Object.values(toolCallsById).filter((t) => t.name === 'edit_workflow')
+        const candidates = Object.values(toolCallsById).filter((t) =>
          isWorkflowEditToolCall(t.name, t.params)
        )
        id = candidates.length ? candidates[candidates.length - 1].id : undefined
      }
      if (id) updatePreviewToolCallState('accepted', id)
@@ -102,7 +112,7 @@ export const DiffControls = memo(function DiffControls() {
          const b = blocks[bi]
          if (b?.type === 'tool_call') {
            const tn = b.toolCall?.name
-            if (tn === 'edit_workflow') {
+            if (isWorkflowEditToolCall(tn, b.toolCall?.params)) {
              id = b.toolCall?.id
              break outer
            }
@@ -110,7 +120,9 @@ export const DiffControls = memo(function DiffControls() {
        }
      }
      if (!id) {
-        const candidates = Object.values(toolCallsById).filter((t) => t.name === 'edit_workflow')
+        const candidates = Object.values(toolCallsById).filter((t) =>
          isWorkflowEditToolCall(t.name, t.params)
        )
        id = candidates.length ? candidates[candidates.length - 1].id : undefined
      }
      if (id) updatePreviewToolCallState('rejected', id)
--- a/apps/sim/app/workspace/[workspaceId]/w/[workflowId]/components/panel/components/copilot/components/tool-call/tool-call.tsx
+++ b/apps/sim/app/workspace/[workspaceId]/w/[workflowId]/components/panel/components/copilot/components/tool-call/tool-call.tsx
@@ -47,6 +47,27 @@ interface ParsedTags {
  cleanContent: string
 }
 function getToolCallParams(toolCall?: CopilotToolCall): Record<string, unknown> {
  const candidate = ((toolCall as any)?.parameters ||
    (toolCall as any)?.input ||
    (toolCall as any)?.params ||
    {}) as Record<string, unknown>
  return candidate && typeof candidate === 'object' ? candidate : {}
 }
 function isWorkflowChangeApplyMode(toolCall?: CopilotToolCall): boolean {
  if (!toolCall || toolCall.name !== 'workflow_change') return false
  const params = getToolCallParams(toolCall)
  const mode = typeof params.mode === 'string' ? params.mode.toLowerCase() : ''
  if (mode === 'apply') return true
  return typeof params.proposalId === 'string' && params.proposalId.length > 0
 }
 function isWorkflowEditSummaryTool(toolCall?: CopilotToolCall): boolean {
  if (!toolCall) return false
  return isWorkflowChangeApplyMode(toolCall)
 }
 /**
 * Extracts plan steps from plan_respond tool calls in subagent blocks.
 * @param blocks - The subagent content blocks to search
@@ -871,7 +892,10 @@ const SubagentContentRenderer = memo(function SubagentContentRenderer({
          )
        }
        if (segment.type === 'tool' && segment.block.toolCall) {
-          if (toolCall.name === 'edit' && segment.block.toolCall.name === 'edit_workflow') {
+          if (
            (toolCall.name === 'edit' || toolCall.name === 'build') &&
            isWorkflowEditSummaryTool(segment.block.toolCall)
          ) {
            return (
              <div key={`tool-${segment.block.toolCall.id || index}`}>
                <WorkflowEditSummary toolCall={segment.block.toolCall} />
@@ -968,12 +992,11 @@ const WorkflowEditSummary = memo(function WorkflowEditSummary({
    }
  }, [blocks])
-  if (toolCall.name !== 'edit_workflow') {
+  if (!isWorkflowEditSummaryTool(toolCall)) {
    return null
  }
-  const params =
+  const params = getToolCallParams(toolCall)
    (toolCall as any).parameters || (toolCall as any).input || (toolCall as any).params || {}
  let operations = Array.isArray(params.operations) ? params.operations : []
  if (operations.length === 0 && Array.isArray((toolCall as any).operations)) {
@@ -1219,11 +1242,6 @@ const WorkflowEditSummary = memo(function WorkflowEditSummary({
  )
 })
 /** Checks if a tool is server-side executed (not a client tool) */
 function isIntegrationTool(toolName: string): boolean {
  return !TOOL_DISPLAY_REGISTRY[toolName]
 }
 function shouldShowRunSkipButtons(toolCall: CopilotToolCall): boolean {
  if (!toolCall.name || toolCall.name === 'unknown_tool') {
    return false
@@ -1233,59 +1251,96 @@ function shouldShowRunSkipButtons(toolCall: CopilotToolCall): boolean {
    return false
  }
-  // Never show buttons for tools the user has marked as always-allowed
+  if (toolCall.ui?.showInterrupt !== true) {
  if (useCopilotStore.getState().isToolAutoAllowed(toolCall.name)) {
    return false
  }
-  const hasInterrupt = !!TOOL_DISPLAY_REGISTRY[toolCall.name]?.uiConfig?.interrupt
+  return true
  if (hasInterrupt) {
    return true
  }
  // Integration tools (user-installed) always require approval
  if (isIntegrationTool(toolCall.name)) {
    return true
  }
  return false
 }
 const toolCallLogger = createLogger('CopilotToolCall')
 async function sendToolDecision(
  toolCallId: string,
-  status: 'accepted' | 'rejected' | 'background'
+  status: 'accepted' | 'rejected' | 'background',
  options?: {
    toolName?: string
    remember?: boolean
  }
 ) {
  try {
    await fetch('/api/copilot/confirm', {
      method: 'POST',
      headers: { 'Content-Type': 'application/json' },
-      body: JSON.stringify({ toolCallId, status }),
+      body: JSON.stringify({
        toolCallId,
        status,
        ...(options?.toolName ? { toolName: options.toolName } : {}),
        ...(options?.remember ? { remember: true } : {}),
      }),
    })
  } catch (error) {
    toolCallLogger.warn('Failed to send tool decision', {
      toolCallId,
      status,
      remember: options?.remember === true,
      toolName: options?.toolName,
      error: error instanceof Error ? error.message : String(error),
    })
  }
 }
 async function removeAutoAllowedToolPreference(toolName: string): Promise<boolean> {
  try {
    const response = await fetch(`/api/copilot/auto-allowed-tools?toolId=${encodeURIComponent(toolName)}`, {
      method: 'DELETE',
    })
    return response.ok
  } catch (error) {
    toolCallLogger.warn('Failed to remove auto-allowed tool preference', {
      toolName,
      error: error instanceof Error ? error.message : String(error),
    })
    return false
  }
 }
 type ToolUiAction = NonNullable<NonNullable<CopilotToolCall['ui']>['actions']>[number]
 function actionDecision(action: ToolUiAction): 'accepted' | 'rejected' | 'background' {
  const id = action.id.toLowerCase()
  if (id.includes('background')) return 'background'
  if (action.kind === 'reject') return 'rejected'
  return 'accepted'
 }
 function isClientRunCapability(toolCall: CopilotToolCall): boolean {
  if (toolCall.execution?.target === 'sim_client_capability') {
    return toolCall.execution.capabilityId === 'workflow.run' || !toolCall.execution.capabilityId
  }
  return CLIENT_EXECUTABLE_RUN_TOOLS.has(toolCall.name)
 }
 async function handleRun(
  toolCall: CopilotToolCall,
  setToolCallState: any,
  onStateChange?: any,
-  editedParams?: any
+  editedParams?: any,
  options?: {
    remember?: boolean
  }
 ) {
  setToolCallState(toolCall, 'executing', editedParams ? { params: editedParams } : undefined)
  onStateChange?.('executing')
-  await sendToolDecision(toolCall.id, 'accepted')
+  await sendToolDecision(toolCall.id, 'accepted', {
    toolName: toolCall.name,
    remember: options?.remember === true,
  })
  // Client-executable run tools: execute on the client for real-time feedback
  // (block pulsing, console logs, stop button). The server defers execution
  // for these tools; the client reports back via mark-complete.
-  if (CLIENT_EXECUTABLE_RUN_TOOLS.has(toolCall.name)) {
+  if (isClientRunCapability(toolCall)) {
    const params = editedParams || toolCall.params || {}
    executeRunToolOnClient(toolCall.id, toolCall.name, params)
  }
@@ -1298,6 +1353,9 @@ async function handleSkip(toolCall: CopilotToolCall, setToolCallState: any, onSt
 }
 function getDisplayName(toolCall: CopilotToolCall): string {
  if (toolCall.ui?.phaseLabel) return toolCall.ui.phaseLabel
  if (toolCall.ui?.title) return `${getStateVerb(toolCall.state)} ${toolCall.ui.title}`
  const fromStore = (toolCall as any).display?.text
  if (fromStore) return fromStore
  const registryEntry = TOOL_DISPLAY_REGISTRY[toolCall.name]
@@ -1342,53 +1400,37 @@ function RunSkipButtons({
  toolCall,
  onStateChange,
  editedParams,
  actions,
 }: {
  toolCall: CopilotToolCall
  onStateChange?: (state: any) => void
  editedParams?: any
  actions: ToolUiAction[]
 }) {
  const [isProcessing, setIsProcessing] = useState(false)
  const [buttonsHidden, setButtonsHidden] = useState(false)
  const actionInProgressRef = useRef(false)
-  const { setToolCallState, addAutoAllowedTool } = useCopilotStore()
+  const { setToolCallState } = useCopilotStore()
-  const onRun = async () => {
+  const onAction = async (action: ToolUiAction) => {
    // Prevent race condition - check ref synchronously
    if (actionInProgressRef.current) return
    actionInProgressRef.current = true
    setIsProcessing(true)
    setButtonsHidden(true)
    try {
-      await handleRun(toolCall, setToolCallState, onStateChange, editedParams)
+      const decision = actionDecision(action)
-    } finally {
+      if (decision === 'accepted') {
-      setIsProcessing(false)
+        await handleRun(toolCall, setToolCallState, onStateChange, editedParams, {
-      actionInProgressRef.current = false
+          remember: action.remember === true,
-    }
+        })
-  }
+      } else if (decision === 'rejected') {
-
+        await handleSkip(toolCall, setToolCallState, onStateChange)
-  const onAlwaysAllow = async () => {
+      } else {
-    // Prevent race condition - check ref synchronously
+        setToolCallState(toolCall, ClientToolCallState.background)
-    if (actionInProgressRef.current) return
+        onStateChange?.('background')
-    actionInProgressRef.current = true
+        await sendToolDecision(toolCall.id, 'background')
-    setIsProcessing(true)
+      }
    setButtonsHidden(true)
    try {
      await addAutoAllowedTool(toolCall.name)
      await handleRun(toolCall, setToolCallState, onStateChange, editedParams)
    } finally {
      setIsProcessing(false)
      actionInProgressRef.current = false
    }
  }
  const onSkip = async () => {
    // Prevent race condition - check ref synchronously
    if (actionInProgressRef.current) return
    actionInProgressRef.current = true
    setIsProcessing(true)
    setButtonsHidden(true)
    try {
      await handleSkip(toolCall, setToolCallState, onStateChange)
    } finally {
      setIsProcessing(false)
      actionInProgressRef.current = false
@@ -1397,23 +1439,22 @@ function RunSkipButtons({
  if (buttonsHidden) return null
  // Show "Always Allow" for all tools that require confirmation
  const showAlwaysAllow = true
  // Standardized buttons for all interrupt tools: Allow, Always Allow, Skip
  return (
    <div className='mt-[10px] flex gap-[6px]'>
-      <Button onClick={onRun} disabled={isProcessing} variant='tertiary'>
+      {actions.map((action, index) => {
-        {isProcessing ? 'Allowing...' : 'Allow'}
+        const variant =
-      </Button>
+          action.kind === 'reject' ? 'default' : action.remember ? 'default' : 'tertiary'
-      {showAlwaysAllow && (
+        return (
-        <Button onClick={onAlwaysAllow} disabled={isProcessing} variant='default'>
+          <Button
-          {isProcessing ? 'Allowing...' : 'Always Allow'}
+            key={action.id}
-        </Button>
+            onClick={() => onAction(action)}
-      )}
+            disabled={isProcessing}
-      <Button onClick={onSkip} disabled={isProcessing} variant='default'>
+            variant={variant}
-        Skip
+          >
-      </Button>
+            {isProcessing && index === 0 ? 'Working...' : action.label}
          </Button>
        )
      })}
    </div>
  )
 }
@@ -1430,10 +1471,16 @@ export function ToolCall({
  const liveToolCall = useCopilotStore((s) =>
    effectiveId ? s.toolCallsById[effectiveId] : undefined
  )
-  const toolCall = liveToolCall || toolCallProp
+  const rawToolCall = liveToolCall || toolCallProp
-
+  const hasRealToolCall = !!rawToolCall
-  // Guard: nothing to render without a toolCall
+  const toolCall: CopilotToolCall =
-  if (!toolCall) return null
+    rawToolCall ||
    ({
      id: effectiveId || '',
      name: '',
      state: ClientToolCallState.generating,
      params: {},
    } as CopilotToolCall)
  const isExpandablePending =
    toolCall?.state === 'pending' &&
@@ -1441,17 +1488,15 @@ export function ToolCall({
  const [expanded, setExpanded] = useState(isExpandablePending)
  const [showRemoveAutoAllow, setShowRemoveAutoAllow] = useState(false)
  const [autoAllowRemovedForCall, setAutoAllowRemovedForCall] = useState(false)
  // State for editable parameters
  const params = (toolCall as any).parameters || (toolCall as any).input || toolCall.params || {}
  const [editedParams, setEditedParams] = useState(params)
  const paramsRef = useRef(params)
-  // Check if this integration tool is auto-allowed
+  const { setToolCallState } = useCopilotStore()
-  const { removeAutoAllowedTool, setToolCallState } = useCopilotStore()
+  const isAutoAllowed = toolCall.ui?.autoAllowed === true && !autoAllowRemovedForCall
  const isAutoAllowed = useCopilotStore(
    (s) => isIntegrationTool(toolCall.name) && s.isToolAutoAllowed(toolCall.name)
  )
  // Update edited params when toolCall params change (deep comparison to avoid resetting user edits on ref change)
  useEffect(() => {
@@ -1461,6 +1506,14 @@ export function ToolCall({
    }
  }, [params])
  useEffect(() => {
    setAutoAllowRemovedForCall(false)
    setShowRemoveAutoAllow(false)
  }, [toolCall.id])
  // Guard: nothing to render without a toolCall
  if (!hasRealToolCall) return null
  // Skip rendering some internal tools
  if (
    toolCall.name === 'checkoff_todo' ||
@@ -1472,7 +1525,9 @@ export function ToolCall({
    return null
  // Special rendering for subagent tools - show as thinking text with tool calls at top level
-  const isSubagentTool = TOOL_DISPLAY_REGISTRY[toolCall.name]?.uiConfig?.subagent === true
+  const isSubagentTool =
    toolCall.execution?.target === 'go_subagent' ||
    TOOL_DISPLAY_REGISTRY[toolCall.name]?.uiConfig?.subagent === true
  // For ALL subagent tools, don't show anything until we have blocks with content
  if (isSubagentTool) {
@@ -1499,28 +1554,6 @@ export function ToolCall({
    )
  }
  // Get current mode from store to determine if we should render integration tools
  const mode = useCopilotStore.getState().mode
  // Check if this is a completed/historical tool call (not pending/executing)
  // Use string comparison to handle both enum values and string values from DB
  const stateStr = String(toolCall.state)
  const isCompletedToolCall =
    stateStr === 'success' ||
    stateStr === 'error' ||
    stateStr === 'rejected' ||
    stateStr === 'aborted'
  // Allow rendering if:
  // 1. Tool is in TOOL_DISPLAY_REGISTRY (client tools), OR
  // 2. We're in build mode (integration tools are executed server-side), OR
  // 3. Tool call is already completed (historical - should always render)
  const isClientTool = !!TOOL_DISPLAY_REGISTRY[toolCall.name]
  const isIntegrationToolInBuildMode = mode === 'build' && !isClientTool
  if (!isClientTool && !isIntegrationToolInBuildMode && !isCompletedToolCall) {
    return null
  }
  const toolUIConfig = TOOL_DISPLAY_REGISTRY[toolCall.name]?.uiConfig
  // Check if tool has params table config (meaning it's expandable)
  const hasParamsTable = !!toolUIConfig?.paramsTable
@@ -1530,6 +1563,14 @@ export function ToolCall({
    toolCall.name === 'make_api_request' ||
    toolCall.name === 'set_global_workflow_variables'
  const interruptActions =
    (toolCall.ui?.actions && toolCall.ui.actions.length > 0
      ? toolCall.ui.actions
      : [
          { id: 'allow_once', label: 'Allow', kind: 'accept' as const },
          { id: 'allow_always', label: 'Always Allow', kind: 'accept' as const, remember: true },
          { id: 'reject', label: 'Skip', kind: 'reject' as const },
        ]) as ToolUiAction[]
  const showButtons = isCurrentMessage && shouldShowRunSkipButtons(toolCall)
  // Check UI config for secondary action - only show for current message tool calls
@@ -1987,9 +2028,12 @@ export function ToolCall({
          <div className='mt-[10px]'>
            <Button
              onClick={async () => {
-                await removeAutoAllowedTool(toolCall.name)
+                const removed = await removeAutoAllowedToolPreference(toolCall.name)
-                setShowRemoveAutoAllow(false)
+                if (removed) {
-                forceUpdate({})
+                  setAutoAllowRemovedForCall(true)
                  setShowRemoveAutoAllow(false)
                  forceUpdate({})
                }
              }}
              variant='default'
              className='text-xs'
@@ -2003,6 +2047,7 @@ export function ToolCall({
            toolCall={toolCall}
            onStateChange={handleStateChange}
            editedParams={editedParams}
            actions={interruptActions}
          />
        )}
        {/* Render subagent content as thinking text */}
@@ -2048,9 +2093,12 @@ export function ToolCall({
          <div className='mt-[10px]'>
            <Button
              onClick={async () => {
-                await removeAutoAllowedTool(toolCall.name)
+                const removed = await removeAutoAllowedToolPreference(toolCall.name)
-                setShowRemoveAutoAllow(false)
+                if (removed) {
-                forceUpdate({})
+                  setAutoAllowRemovedForCall(true)
                  setShowRemoveAutoAllow(false)
                  forceUpdate({})
                }
              }}
              variant='default'
              className='text-xs'
@@ -2064,6 +2112,7 @@ export function ToolCall({
            toolCall={toolCall}
            onStateChange={handleStateChange}
            editedParams={editedParams}
            actions={interruptActions}
          />
        )}
        {/* Render subagent content as thinking text */}
@@ -2087,7 +2136,7 @@ export function ToolCall({
    }
  }
-  const isEditWorkflow = toolCall.name === 'edit_workflow'
+  const isEditWorkflow = isWorkflowEditSummaryTool(toolCall)
  const shouldShowDetails = isRunWorkflow || (isExpandableTool && expanded)
  const hasOperations = Array.isArray(params.operations) && params.operations.length > 0
  const hideTextForEditWorkflow = isEditWorkflow && hasOperations
@@ -2109,9 +2158,12 @@ export function ToolCall({
        <div className='mt-[10px]'>
          <Button
            onClick={async () => {
-              await removeAutoAllowedTool(toolCall.name)
+              const removed = await removeAutoAllowedToolPreference(toolCall.name)
-              setShowRemoveAutoAllow(false)
+              if (removed) {
-              forceUpdate({})
+                setAutoAllowRemovedForCall(true)
                setShowRemoveAutoAllow(false)
                forceUpdate({})
              }
            }}
            variant='default'
            className='text-xs'
@@ -2125,6 +2177,7 @@ export function ToolCall({
          toolCall={toolCall}
          onStateChange={handleStateChange}
          editedParams={editedParams}
          actions={interruptActions}
        />
      ) : showMoveToBackground ? (
        <div className='mt-[10px]'>
@@ -2155,7 +2208,7 @@ export function ToolCall({
          </Button>
        </div>
      ) : null}
-      {/* Workflow edit summary - shows block changes after edit_workflow completes */}
+      {/* Workflow edit summary - shows block changes after workflow_change(apply) */}
      <WorkflowEditSummary toolCall={toolCall} />
      {/* Render subagent content as thinking text */}
--- a/apps/sim/app/workspace/[workspaceId]/w/[workflowId]/components/panel/components/copilot/copilot.tsx
+++ b/apps/sim/app/workspace/[workspaceId]/w/[workflowId]/components/panel/components/copilot/copilot.tsx
@@ -113,7 +113,6 @@ export const Copilot = forwardRef<CopilotRef, CopilotProps>(({ panelWidth }, ref
    clearPlanArtifact,
    savePlanArtifact,
    loadAvailableModels,
    loadAutoAllowedTools,
    resumeActiveStream,
  } = useCopilotStore()
@@ -125,8 +124,6 @@ export const Copilot = forwardRef<CopilotRef, CopilotProps>(({ panelWidth }, ref
    setCopilotWorkflowId,
    loadChats,
    loadAvailableModels,
    loadAutoAllowedTools,
    currentChat,
    isSendingMessage,
    resumeActiveStream,
  })
@@ -154,6 +151,8 @@ export const Copilot = forwardRef<CopilotRef, CopilotProps>(({ panelWidth }, ref
    planTodos,
  })
  const renderedChatTitle = currentChat?.title || 'New Chat'
  /** Gets markdown content for design document section (available in all modes once created) */
  const designDocumentContent = useMemo(() => {
    if (streamingPlanContent) {
@@ -166,6 +165,14 @@ export const Copilot = forwardRef<CopilotRef, CopilotProps>(({ panelWidth }, ref
    return ''
  }, [streamingPlanContent])
  useEffect(() => {
    logger.info('[TitleRender] Copilot header title changed', {
      currentChatId: currentChat?.id || null,
      currentChatTitle: currentChat?.title || null,
      renderedTitle: renderedChatTitle,
    })
  }, [currentChat?.id, currentChat?.title, renderedChatTitle])
  /** Focuses the copilot input */
  const focusInput = useCallback(() => {
    userInputRef.current?.focus()
@@ -348,7 +355,7 @@ export const Copilot = forwardRef<CopilotRef, CopilotProps>(({ panelWidth }, ref
        {/* Header */}
        <div className='mx-[-1px] flex flex-shrink-0 items-center justify-between gap-[8px] rounded-[4px] border border-[var(--border)] bg-[var(--surface-4)] px-[12px] py-[6px]'>
          <h2 className='min-w-0 flex-1 truncate font-medium text-[14px] text-[var(--text-primary)]'>
-            {currentChat?.title || 'New Chat'}
+            {renderedChatTitle}
          </h2>
          <div className='flex items-center gap-[8px]'>
            <Button variant='ghost' className='p-0' onClick={handleStartNewChat}>
--- a/apps/sim/app/workspace/[workspaceId]/w/[workflowId]/components/panel/components/copilot/hooks/use-copilot-initialization.ts
+++ b/apps/sim/app/workspace/[workspaceId]/w/[workflowId]/components/panel/components/copilot/hooks/use-copilot-initialization.ts
@@ -12,8 +12,6 @@ interface UseCopilotInitializationProps {
  setCopilotWorkflowId: (workflowId: string | null) => Promise<void>
  loadChats: (forceRefresh?: boolean) => Promise<void>
  loadAvailableModels: () => Promise<void>
  loadAutoAllowedTools: () => Promise<void>
  currentChat: any
  isSendingMessage: boolean
  resumeActiveStream: () => Promise<boolean>
 }
@@ -32,8 +30,6 @@ export function useCopilotInitialization(props: UseCopilotInitializationProps) {
    setCopilotWorkflowId,
    loadChats,
    loadAvailableModels,
    loadAutoAllowedTools,
    currentChat,
    isSendingMessage,
    resumeActiveStream,
  } = props
@@ -120,17 +116,6 @@ export function useCopilotInitialization(props: UseCopilotInitializationProps) {
    })
  }, [isSendingMessage, resumeActiveStream])
  /** Load auto-allowed tools once on mount - runs immediately, independent of workflow */
  const hasLoadedAutoAllowedToolsRef = useRef(false)
  useEffect(() => {
    if (!hasLoadedAutoAllowedToolsRef.current) {
      hasLoadedAutoAllowedToolsRef.current = true
      loadAutoAllowedTools().catch((err) => {
        logger.warn('[Copilot] Failed to load auto-allowed tools', err)
      })
    }
  }, [loadAutoAllowedTools])
  /** Load available models once on mount */
  const hasLoadedModelsRef = useRef(false)
  useEffect(() => {
--- a/apps/sim/app/workspace/[workspaceId]/w/[workflowId]/components/panel/components/editor/components/sub-block/components/credential-selector/components/oauth-required-modal.tsx
+++ b/apps/sim/app/workspace/[workspaceId]/w/[workflowId]/components/panel/components/editor/components/sub-block/components/credential-selector/components/oauth-required-modal.tsx
@@ -30,7 +30,6 @@ export interface OAuthRequiredModalProps {
  requiredScopes?: string[]
  serviceId: string
  newScopes?: string[]
  onConnect?: () => Promise<void> | void
 }
 const SCOPE_DESCRIPTIONS: Record<string, string> = {
@@ -315,7 +314,6 @@ export function OAuthRequiredModal({
  requiredScopes = [],
  serviceId,
  newScopes = [],
  onConnect,
 }: OAuthRequiredModalProps) {
  const [error, setError] = useState<string | null>(null)
  const { baseProvider } = parseProvider(provider)
@@ -361,12 +359,6 @@ export function OAuthRequiredModal({
    setError(null)
    try {
      if (onConnect) {
        await onConnect()
        onClose()
        return
      }
      const providerId = getProviderIdFromServiceId(serviceId)
      logger.info('Linking OAuth2:', {
--- a/apps/sim/app/workspace/[workspaceId]/w/[workflowId]/components/panel/components/editor/components/sub-block/components/credential-selector/credential-selector.tsx
+++ b/apps/sim/app/workspace/[workspaceId]/w/[workflowId]/components/panel/components/editor/components/sub-block/components/credential-selector/credential-selector.tsx
@@ -3,12 +3,10 @@
 import { createElement, useCallback, useEffect, useMemo, useState } from 'react'
 import { createLogger } from '@sim/logger'
 import { ExternalLink, Users } from 'lucide-react'
 import { useParams } from 'next/navigation'
 import { Button, Combobox } from '@/components/emcn/components'
 import { getSubscriptionStatus } from '@/lib/billing/client'
 import { getEnv, isTruthy } from '@/lib/core/config/env'
 import { getPollingProviderFromOAuth } from '@/lib/credential-sets/providers'
 import { writePendingCredentialCreateRequest } from '@/lib/credentials/client-state'
 import {
  getCanonicalScopesForProvider,
  getProviderIdFromServiceId,
@@ -20,9 +18,9 @@ import { OAuthRequiredModal } from '@/app/workspace/[workspaceId]/w/[workflowId]
 import { useDependsOnGate } from '@/app/workspace/[workspaceId]/w/[workflowId]/components/panel/components/editor/components/sub-block/hooks/use-depends-on-gate'
 import { useSubBlockValue } from '@/app/workspace/[workspaceId]/w/[workflowId]/components/panel/components/editor/components/sub-block/hooks/use-sub-block-value'
 import type { SubBlockConfig } from '@/blocks/types'
-import { CREDENTIAL_SET } from '@/executor/constants'
+import { CREDENTIAL, CREDENTIAL_SET } from '@/executor/constants'
 import { useCredentialSets } from '@/hooks/queries/credential-sets'
-import { useOAuthCredentials } from '@/hooks/queries/oauth-credentials'
+import { useOAuthCredentialDetail, useOAuthCredentials } from '@/hooks/queries/oauth-credentials'
 import { useOrganizations } from '@/hooks/queries/organization'
 import { useSubscriptionData } from '@/hooks/queries/subscription'
 import { getMissingRequiredScopes } from '@/hooks/use-oauth-scope-status'
@@ -48,8 +46,6 @@ export function CredentialSelector({
  previewValue,
  previewContextValues,
 }: CredentialSelectorProps) {
  const params = useParams()
  const workspaceId = (params?.workspaceId as string) || ''
  const [showOAuthModal, setShowOAuthModal] = useState(false)
  const [editingValue, setEditingValue] = useState('')
  const [isEditing, setIsEditing] = useState(false)
@@ -100,32 +96,53 @@ export function CredentialSelector({
    data: credentials = [],
    isFetching: credentialsLoading,
    refetch: refetchCredentials,
-  } = useOAuthCredentials(effectiveProviderId, {
+  } = useOAuthCredentials(effectiveProviderId, Boolean(effectiveProviderId))
    enabled: Boolean(effectiveProviderId),
    workspaceId,
    workflowId: activeWorkflowId || undefined,
  })
  const selectedCredential = useMemo(
    () => credentials.find((cred) => cred.id === selectedId),
    [credentials, selectedId]
  )
  const shouldFetchForeignMeta =
    Boolean(selectedId) &&
    !selectedCredential &&
    Boolean(activeWorkflowId) &&
    Boolean(effectiveProviderId)
  const { data: foreignCredentials = [], isFetching: foreignMetaLoading } =
    useOAuthCredentialDetail(
      shouldFetchForeignMeta ? selectedId : undefined,
      activeWorkflowId || undefined,
      shouldFetchForeignMeta
    )
  const hasForeignMeta = foreignCredentials.length > 0
  const isForeign = Boolean(selectedId && !selectedCredential && hasForeignMeta)
  const selectedCredentialSet = useMemo(
    () => credentialSets.find((cs) => cs.id === selectedCredentialSetId),
    [credentialSets, selectedCredentialSetId]
  )
  const isForeignCredentialSet = Boolean(isCredentialSetSelected && !selectedCredentialSet)
  const resolvedLabel = useMemo(() => {
    if (selectedCredentialSet) return selectedCredentialSet.name
    if (isForeignCredentialSet) return CREDENTIAL.FOREIGN_LABEL
    if (selectedCredential) return selectedCredential.name
    if (isForeign) return CREDENTIAL.FOREIGN_LABEL
    return ''
-  }, [selectedCredentialSet, selectedCredential])
+  }, [selectedCredentialSet, isForeignCredentialSet, selectedCredential, isForeign])
  const displayValue = isEditing ? editingValue : resolvedLabel
  const invalidSelection =
-    !isPreview && Boolean(selectedId) && !selectedCredential && !credentialsLoading
+    !isPreview &&
    Boolean(selectedId) &&
    !selectedCredential &&
    !hasForeignMeta &&
    !credentialsLoading &&
    !foreignMetaLoading
  useEffect(() => {
    if (!invalidSelection) return
@@ -136,7 +153,7 @@ export function CredentialSelector({
    setStoreValue('')
  }, [invalidSelection, selectedId, effectiveProviderId, setStoreValue])
-  useCredentialRefreshTriggers(refetchCredentials, effectiveProviderId, workspaceId)
+  useCredentialRefreshTriggers(refetchCredentials)
  const handleOpenChange = useCallback(
    (isOpen: boolean) => {
@@ -178,18 +195,8 @@ export function CredentialSelector({
  )
  const handleAddCredential = useCallback(() => {
-    writePendingCredentialCreateRequest({
+    setShowOAuthModal(true)
-      workspaceId,
+  }, [])
      type: 'oauth',
      providerId: effectiveProviderId,
      displayName: '',
      serviceId,
      requiredScopes: getCanonicalScopesForProvider(effectiveProviderId),
      requestedAt: Date.now(),
    })
    window.dispatchEvent(new CustomEvent('open-settings', { detail: { tab: 'credentials' } }))
  }, [workspaceId, effectiveProviderId, serviceId])
  const getProviderIcon = useCallback((providerName: OAuthProvider) => {
    const { baseProvider } = parseProvider(providerName)
@@ -244,18 +251,23 @@ export function CredentialSelector({
        label: cred.name,
        value: cred.id,
      }))
      credentialItems.push({
        label:
          credentials.length > 0
            ? `Connect another ${getProviderName(provider)} account`
            : `Connect ${getProviderName(provider)} account`,
        value: '__connect_account__',
      })
-      groups.push({
+      if (credentialItems.length > 0) {
-        section: 'Personal Credential',
+        groups.push({
-        items: credentialItems,
+          section: 'Personal Credential',
-      })
+          items: credentialItems,
        })
      } else {
        groups.push({
          section: 'Personal Credential',
          items: [
            {
              label: `Connect ${getProviderName(provider)} account`,
              value: '__connect_account__',
            },
          ],
        })
      }
      return { comboboxOptions: [], comboboxGroups: groups }
    }
@@ -265,13 +277,12 @@ export function CredentialSelector({
      value: cred.id,
    }))
-    options.push({
+    if (credentials.length === 0) {
-      label:
+      options.push({
-        credentials.length > 0
+        label: `Connect ${getProviderName(provider)} account`,
-          ? `Connect another ${getProviderName(provider)} account`
+        value: '__connect_account__',
-          : `Connect ${getProviderName(provider)} account`,
+      })
-      value: '__connect_account__',
+    }
    })
    return { comboboxOptions: options, comboboxGroups: undefined }
  }, [
@@ -357,7 +368,7 @@ export function CredentialSelector({
        }
        disabled={effectiveDisabled}
        editable={true}
-        filterOptions={true}
+        filterOptions={!isForeign && !isForeignCredentialSet}
        isLoading={credentialsLoading}
        overlayContent={overlayContent}
        className={selectedId || isCredentialSetSelected ? 'pl-[28px]' : ''}
@@ -369,13 +380,15 @@ export function CredentialSelector({
            <span className='mr-[6px] inline-block h-[6px] w-[6px] rounded-[2px] bg-amber-500' />
            Additional permissions required
          </div>
-          <Button
+          {!isForeign && (
-            variant='active'
+            <Button
-            onClick={() => setShowOAuthModal(true)}
+              variant='active'
-            className='w-full px-[8px] py-[4px] font-medium text-[12px]'
+              onClick={() => setShowOAuthModal(true)}
-          >
+              className='w-full px-[8px] py-[4px] font-medium text-[12px]'
-            Update access
+            >
-          </Button>
+              Update access
            </Button>
          )}
        </div>
      )}
@@ -394,11 +407,7 @@ export function CredentialSelector({
  )
 }
-function useCredentialRefreshTriggers(
+function useCredentialRefreshTriggers(refetchCredentials: () => Promise<unknown>) {
  refetchCredentials: () => Promise<unknown>,
  providerId: string,
  workspaceId: string
 ) {
  useEffect(() => {
    const refresh = () => {
      void refetchCredentials()
@@ -416,29 +425,12 @@ function useCredentialRefreshTriggers(
      }
    }
    const handleCredentialsUpdated = (
      event: CustomEvent<{ providerId?: string; workspaceId?: string }>
    ) => {
      if (event.detail?.providerId && event.detail.providerId !== providerId) {
        return
      }
      if (event.detail?.workspaceId && workspaceId && event.detail.workspaceId !== workspaceId) {
        return
      }
      refresh()
    }
    document.addEventListener('visibilitychange', handleVisibilityChange)
    window.addEventListener('pageshow', handlePageShow)
    window.addEventListener('oauth-credentials-updated', handleCredentialsUpdated as EventListener)
    return () => {
      document.removeEventListener('visibilitychange', handleVisibilityChange)
      window.removeEventListener('pageshow', handlePageShow)
      window.removeEventListener(
        'oauth-credentials-updated',
        handleCredentialsUpdated as EventListener
      )
    }
-  }, [providerId, workspaceId, refetchCredentials])
+  }, [refetchCredentials])
 }
--- a/apps/sim/app/workspace/[workspaceId]/w/[workflowId]/components/panel/components/editor/components/sub-block/components/env-var-dropdown.tsx
+++ b/apps/sim/app/workspace/[workspaceId]/w/[workflowId]/components/panel/components/editor/components/sub-block/components/env-var-dropdown.tsx
@@ -9,7 +9,6 @@ import {
  PopoverSection,
 } from '@/components/emcn'
 import { cn } from '@/lib/core/utils/cn'
 import { writePendingCredentialCreateRequest } from '@/lib/credentials/client-state'
 import {
  usePersonalEnvironment,
  useWorkspaceEnvironment,
@@ -169,15 +168,7 @@ export const EnvVarDropdown: React.FC<EnvVarDropdownProps> = ({
  }, [searchTerm])
  const openEnvironmentSettings = () => {
-    if (workspaceId) {
+    window.dispatchEvent(new CustomEvent('open-settings', { detail: { tab: 'environment' } }))
      writePendingCredentialCreateRequest({
        workspaceId,
        type: 'env_personal',
        envKey: searchTerm.trim(),
        requestedAt: Date.now(),
      })
    }
    window.dispatchEvent(new CustomEvent('open-settings', { detail: { tab: 'credentials' } }))
    onClose?.()
  }
@@ -311,7 +302,7 @@ export const EnvVarDropdown: React.FC<EnvVarDropdownProps> = ({
              }}
            >
              <Plus className='h-3 w-3' />
-              <span>Create Secret</span>
+              <span>Create environment variable</span>
            </PopoverItem>
          </PopoverScrollArea>
        ) : (
--- a/apps/sim/app/workspace/[workspaceId]/w/[workflowId]/components/panel/components/editor/components/sub-block/components/file-selector/file-selector-input.tsx
+++ b/apps/sim/app/workspace/[workspaceId]/w/[workflowId]/components/panel/components/editor/components/sub-block/components/file-selector/file-selector-input.tsx
@@ -7,6 +7,7 @@ import { getProviderIdFromServiceId } from '@/lib/oauth'
 import { buildCanonicalIndex, resolveDependencyValue } from '@/lib/workflows/subblocks/visibility'
 import { SelectorCombobox } from '@/app/workspace/[workspaceId]/w/[workflowId]/components/panel/components/editor/components/sub-block/components/selector-combobox/selector-combobox'
 import { useDependsOnGate } from '@/app/workspace/[workspaceId]/w/[workflowId]/components/panel/components/editor/components/sub-block/hooks/use-depends-on-gate'
 import { useForeignCredential } from '@/app/workspace/[workspaceId]/w/[workflowId]/components/panel/components/editor/components/sub-block/hooks/use-foreign-credential'
 import { useSubBlockValue } from '@/app/workspace/[workspaceId]/w/[workflowId]/components/panel/components/editor/components/sub-block/hooks/use-sub-block-value'
 import { resolvePreviewContextValue } from '@/app/workspace/[workspaceId]/w/[workflowId]/components/panel/components/editor/components/sub-block/utils'
 import { getBlock } from '@/blocks/registry'
@@ -124,6 +125,8 @@ export function FileSelectorInput({
  const serviceId = subBlock.serviceId || ''
  const effectiveProviderId = useMemo(() => getProviderIdFromServiceId(serviceId), [serviceId])
  const { isForeignCredential } = useForeignCredential(effectiveProviderId, normalizedCredentialId)
  const selectorResolution = useMemo<SelectorResolution | null>(() => {
    return resolveSelectorForSubBlock(subBlock, {
      workflowId: workflowIdFromUrl,
@@ -165,6 +168,7 @@ export function FileSelectorInput({
  const disabledReason =
    finalDisabled ||
    isForeignCredential ||
    missingCredential ||
    missingDomain ||
    missingProject ||
--- a/apps/sim/app/workspace/[workspaceId]/w/[workflowId]/components/panel/components/editor/components/sub-block/components/folder-selector/components/folder-selector-input.tsx
+++ b/apps/sim/app/workspace/[workspaceId]/w/[workflowId]/components/panel/components/editor/components/sub-block/components/folder-selector/components/folder-selector-input.tsx
@@ -4,6 +4,7 @@ import { useCallback, useEffect, useMemo, useState } from 'react'
 import { getProviderIdFromServiceId } from '@/lib/oauth'
 import { SelectorCombobox } from '@/app/workspace/[workspaceId]/w/[workflowId]/components/panel/components/editor/components/sub-block/components/selector-combobox/selector-combobox'
 import { useDependsOnGate } from '@/app/workspace/[workspaceId]/w/[workflowId]/components/panel/components/editor/components/sub-block/hooks/use-depends-on-gate'
 import { useForeignCredential } from '@/app/workspace/[workspaceId]/w/[workflowId]/components/panel/components/editor/components/sub-block/hooks/use-foreign-credential'
 import { useSubBlockValue } from '@/app/workspace/[workspaceId]/w/[workflowId]/components/panel/components/editor/components/sub-block/hooks/use-sub-block-value'
 import { resolvePreviewContextValue } from '@/app/workspace/[workspaceId]/w/[workflowId]/components/panel/components/editor/components/sub-block/utils'
 import type { SubBlockConfig } from '@/blocks/types'
@@ -46,6 +47,10 @@ export function FolderSelectorInput({
    subBlock.canonicalParamId === 'copyDestinationId' ||
    subBlock.id === 'copyDestinationFolder' ||
    subBlock.id === 'manualCopyDestinationFolder'
  const { isForeignCredential } = useForeignCredential(
    effectiveProviderId,
    (connectedCredential as string) || ''
  )
  // Central dependsOn gating
  const { finalDisabled } = useDependsOnGate(blockId, subBlock, {
@@ -114,7 +119,9 @@ export function FolderSelectorInput({
      selectorContext={
        selectorResolution?.context ?? { credentialId, workflowId: activeWorkflowId || '' }
      }
-      disabled={finalDisabled || missingCredential || !selectorResolution?.key}
+      disabled={
        finalDisabled || isForeignCredential || missingCredential || !selectorResolution?.key
      }
      isPreview={isPreview}
      previewValue={previewValue ?? null}
      placeholder={subBlock.placeholder || 'Select folder'}
--- a/apps/sim/app/workspace/[workspaceId]/w/[workflowId]/components/panel/components/editor/components/sub-block/components/project-selector/project-selector-input.tsx
+++ b/apps/sim/app/workspace/[workspaceId]/w/[workflowId]/components/panel/components/editor/components/sub-block/components/project-selector/project-selector-input.tsx
@@ -7,6 +7,7 @@ import { getProviderIdFromServiceId } from '@/lib/oauth'
 import { buildCanonicalIndex, resolveDependencyValue } from '@/lib/workflows/subblocks/visibility'
 import { SelectorCombobox } from '@/app/workspace/[workspaceId]/w/[workflowId]/components/panel/components/editor/components/sub-block/components/selector-combobox/selector-combobox'
 import { useDependsOnGate } from '@/app/workspace/[workspaceId]/w/[workflowId]/components/panel/components/editor/components/sub-block/hooks/use-depends-on-gate'
 import { useForeignCredential } from '@/app/workspace/[workspaceId]/w/[workflowId]/components/panel/components/editor/components/sub-block/hooks/use-foreign-credential'
 import { useSubBlockValue } from '@/app/workspace/[workspaceId]/w/[workflowId]/components/panel/components/editor/components/sub-block/hooks/use-sub-block-value'
 import { resolvePreviewContextValue } from '@/app/workspace/[workspaceId]/w/[workflowId]/components/panel/components/editor/components/sub-block/utils'
 import { getBlock } from '@/blocks/registry'
@@ -72,6 +73,11 @@ export function ProjectSelectorInput({
  const serviceId = subBlock.serviceId || ''
  const effectiveProviderId = useMemo(() => getProviderIdFromServiceId(serviceId), [serviceId])
  const { isForeignCredential } = useForeignCredential(
    effectiveProviderId,
    (connectedCredential as string) || ''
  )
  const workflowIdFromUrl = (params?.workflowId as string) || activeWorkflowId || ''
  const { finalDisabled } = useDependsOnGate(blockId, subBlock, {
    disabled,
@@ -117,7 +123,7 @@ export function ProjectSelectorInput({
              subBlock={subBlock}
              selectorKey={selectorResolution.key}
              selectorContext={selectorResolution.context}
-              disabled={finalDisabled || missingCredential}
+              disabled={finalDisabled || isForeignCredential || missingCredential}
              isPreview={isPreview}
              previewValue={previewValue ?? null}
              placeholder={subBlock.placeholder || 'Select project'}
--- a/apps/sim/app/workspace/[workspaceId]/w/[workflowId]/components/panel/components/editor/components/sub-block/components/sheet-selector/sheet-selector-input.tsx
+++ b/apps/sim/app/workspace/[workspaceId]/w/[workflowId]/components/panel/components/editor/components/sub-block/components/sheet-selector/sheet-selector-input.tsx
@@ -7,6 +7,7 @@ import { getProviderIdFromServiceId } from '@/lib/oauth'
 import { buildCanonicalIndex, resolveDependencyValue } from '@/lib/workflows/subblocks/visibility'
 import { SelectorCombobox } from '@/app/workspace/[workspaceId]/w/[workflowId]/components/panel/components/editor/components/sub-block/components/selector-combobox/selector-combobox'
 import { useDependsOnGate } from '@/app/workspace/[workspaceId]/w/[workflowId]/components/panel/components/editor/components/sub-block/hooks/use-depends-on-gate'
 import { useForeignCredential } from '@/app/workspace/[workspaceId]/w/[workflowId]/components/panel/components/editor/components/sub-block/hooks/use-foreign-credential'
 import { resolvePreviewContextValue } from '@/app/workspace/[workspaceId]/w/[workflowId]/components/panel/components/editor/components/sub-block/utils'
 import { getBlock } from '@/blocks/registry'
 import type { SubBlockConfig } from '@/blocks/types'
@@ -86,6 +87,8 @@ export function SheetSelectorInput({
  const serviceId = subBlock.serviceId || ''
  const effectiveProviderId = useMemo(() => getProviderIdFromServiceId(serviceId), [serviceId])
  const { isForeignCredential } = useForeignCredential(effectiveProviderId, normalizedCredentialId)
  const selectorResolution = useMemo<SelectorResolution | null>(() => {
    return resolveSelectorForSubBlock(subBlock, {
      workflowId: workflowIdFromUrl,
@@ -98,7 +101,11 @@ export function SheetSelectorInput({
  const missingSpreadsheet = !normalizedSpreadsheetId
  const disabledReason =
-    finalDisabled || missingCredential || missingSpreadsheet || !selectorResolution?.key
+    finalDisabled ||
    isForeignCredential ||
    missingCredential ||
    missingSpreadsheet ||
    !selectorResolution?.key
  if (!selectorResolution?.key) {
    return (
--- a/apps/sim/app/workspace/[workspaceId]/w/[workflowId]/components/panel/components/editor/components/sub-block/components/slack-selector/slack-selector-input.tsx
+++ b/apps/sim/app/workspace/[workspaceId]/w/[workflowId]/components/panel/components/editor/components/sub-block/components/slack-selector/slack-selector-input.tsx
@@ -6,6 +6,7 @@ import { Tooltip } from '@/components/emcn'
 import { getProviderIdFromServiceId } from '@/lib/oauth'
 import { SelectorCombobox } from '@/app/workspace/[workspaceId]/w/[workflowId]/components/panel/components/editor/components/sub-block/components/selector-combobox/selector-combobox'
 import { useDependsOnGate } from '@/app/workspace/[workspaceId]/w/[workflowId]/components/panel/components/editor/components/sub-block/hooks/use-depends-on-gate'
 import { useForeignCredential } from '@/app/workspace/[workspaceId]/w/[workflowId]/components/panel/components/editor/components/sub-block/hooks/use-foreign-credential'
 import { useSubBlockValue } from '@/app/workspace/[workspaceId]/w/[workflowId]/components/panel/components/editor/components/sub-block/hooks/use-sub-block-value'
 import { resolvePreviewContextValue } from '@/app/workspace/[workspaceId]/w/[workflowId]/components/panel/components/editor/components/sub-block/utils'
 import type { SubBlockConfig } from '@/blocks/types'
@@ -84,6 +85,11 @@ export function SlackSelectorInput({
      ? (effectiveBotToken as string) || ''
      : (effectiveCredential as string) || ''
  const { isForeignCredential } = useForeignCredential(
    effectiveProviderId,
    (effectiveAuthMethod as string) === 'bot_token' ? '' : (effectiveCredential as string) || ''
  )
  useEffect(() => {
    const val = isPreview && previewValue !== undefined ? previewValue : storeValue
    if (typeof val === 'string') {
@@ -93,7 +99,7 @@ export function SlackSelectorInput({
  const requiresCredential = dependsOn.includes('credential')
  const missingCredential = !credential || credential.trim().length === 0
-  const shouldForceDisable = requiresCredential && missingCredential
+  const shouldForceDisable = requiresCredential && (missingCredential || isForeignCredential)
  const context: SelectorContext = useMemo(
    () => ({
@@ -130,7 +136,7 @@ export function SlackSelectorInput({
            subBlock={subBlock}
            selectorKey={config.selectorKey}
            selectorContext={context}
-            disabled={finalDisabled || shouldForceDisable}
+            disabled={finalDisabled || shouldForceDisable || isForeignCredential}
            isPreview={isPreview}
            previewValue={previewValue ?? null}
            placeholder={subBlock.placeholder || config.placeholder}
--- a/apps/sim/app/workspace/[workspaceId]/w/[workflowId]/components/panel/components/editor/components/sub-block/components/tool-input/components/tool-credential-selector.tsx
+++ b/apps/sim/app/workspace/[workspaceId]/w/[workflowId]/components/panel/components/editor/components/sub-block/components/tool-input/components/tool-credential-selector.tsx
@@ -1,8 +1,6 @@
 import { createElement, useCallback, useEffect, useMemo, useState } from 'react'
 import { ExternalLink } from 'lucide-react'
 import { useParams } from 'next/navigation'
 import { Button, Combobox } from '@/components/emcn/components'
 import { writePendingCredentialCreateRequest } from '@/lib/credentials/client-state'
 import {
  getCanonicalScopesForProvider,
  getProviderIdFromServiceId,
@@ -12,7 +10,8 @@ import {
  parseProvider,
 } from '@/lib/oauth'
 import { OAuthRequiredModal } from '@/app/workspace/[workspaceId]/w/[workflowId]/components/panel/components/editor/components/sub-block/components/credential-selector/components/oauth-required-modal'
-import { useOAuthCredentials } from '@/hooks/queries/oauth-credentials'
+import { CREDENTIAL } from '@/executor/constants'
 import { useOAuthCredentialDetail, useOAuthCredentials } from '@/hooks/queries/oauth-credentials'
 import { getMissingRequiredScopes } from '@/hooks/use-oauth-scope-status'
 import { useWorkflowRegistry } from '@/stores/workflows/registry/store'
@@ -55,12 +54,10 @@ export function ToolCredentialSelector({
  onChange,
  provider,
  requiredScopes = [],
-  label = 'Select credential',
+  label = 'Select account',
  serviceId,
  disabled = false,
 }: ToolCredentialSelectorProps) {
  const params = useParams()
  const workspaceId = (params?.workspaceId as string) || ''
  const [showOAuthModal, setShowOAuthModal] = useState(false)
  const [editingInputValue, setEditingInputValue] = useState('')
  const [isEditing, setIsEditing] = useState(false)
@@ -74,32 +71,50 @@ export function ToolCredentialSelector({
    data: credentials = [],
    isFetching: credentialsLoading,
    refetch: refetchCredentials,
-  } = useOAuthCredentials(effectiveProviderId, {
+  } = useOAuthCredentials(effectiveProviderId, Boolean(effectiveProviderId))
    enabled: Boolean(effectiveProviderId),
    workspaceId,
    workflowId: activeWorkflowId || undefined,
  })
  const selectedCredential = useMemo(
    () => credentials.find((cred) => cred.id === selectedId),
    [credentials, selectedId]
  )
  const shouldFetchForeignMeta =
    Boolean(selectedId) &&
    !selectedCredential &&
    Boolean(activeWorkflowId) &&
    Boolean(effectiveProviderId)
  const { data: foreignCredentials = [], isFetching: foreignMetaLoading } =
    useOAuthCredentialDetail(
      shouldFetchForeignMeta ? selectedId : undefined,
      activeWorkflowId || undefined,
      shouldFetchForeignMeta
    )
  const hasForeignMeta = foreignCredentials.length > 0
  const isForeign = Boolean(selectedId && !selectedCredential && hasForeignMeta)
  const resolvedLabel = useMemo(() => {
    if (selectedCredential) return selectedCredential.name
    if (isForeign) return CREDENTIAL.FOREIGN_LABEL
    return ''
-  }, [selectedCredential])
+  }, [selectedCredential, isForeign])
  const inputValue = isEditing ? editingInputValue : resolvedLabel
-  const invalidSelection = Boolean(selectedId) && !selectedCredential && !credentialsLoading
+  const invalidSelection =
    Boolean(selectedId) &&
    !selectedCredential &&
    !hasForeignMeta &&
    !credentialsLoading &&
    !foreignMetaLoading
  useEffect(() => {
    if (!invalidSelection) return
    onChange('')
  }, [invalidSelection, onChange])
-  useCredentialRefreshTriggers(refetchCredentials, effectiveProviderId, workspaceId)
+  useCredentialRefreshTriggers(refetchCredentials)
  const handleOpenChange = useCallback(
    (isOpen: boolean) => {
@@ -127,18 +142,8 @@ export function ToolCredentialSelector({
  )
  const handleAddCredential = useCallback(() => {
-    writePendingCredentialCreateRequest({
+    setShowOAuthModal(true)
-      workspaceId,
+  }, [])
      type: 'oauth',
      providerId: effectiveProviderId,
      displayName: '',
      serviceId,
      requiredScopes: getCanonicalScopesForProvider(effectiveProviderId),
      requestedAt: Date.now(),
    })
    window.dispatchEvent(new CustomEvent('open-settings', { detail: { tab: 'credentials' } }))
  }, [workspaceId, effectiveProviderId, serviceId])
  const comboboxOptions = useMemo(() => {
    const options = credentials.map((cred) => ({
@@ -146,13 +151,12 @@ export function ToolCredentialSelector({
      value: cred.id,
    }))
-    options.push({
+    if (credentials.length === 0) {
-      label:
+      options.push({
-        credentials.length > 0
+        label: `Connect ${getProviderName(provider)} account`,
-          ? `Connect another ${getProviderName(provider)} account`
+        value: '__connect_account__',
-          : `Connect ${getProviderName(provider)} account`,
+      })
-      value: '__connect_account__',
+    }
    })
    return options
  }, [credentials, provider])
@@ -202,7 +206,7 @@ export function ToolCredentialSelector({
        placeholder={label}
        disabled={disabled}
        editable={true}
-        filterOptions={true}
+        filterOptions={!isForeign}
        isLoading={credentialsLoading}
        overlayContent={overlayContent}
        className={selectedId ? 'pl-[28px]' : ''}
@@ -214,13 +218,15 @@ export function ToolCredentialSelector({
            <span className='mr-[6px] inline-block h-[6px] w-[6px] rounded-[2px] bg-amber-500' />
            Additional permissions required
          </div>
-          <Button
+          {!isForeign && (
-            variant='active'
+            <Button
-            onClick={() => setShowOAuthModal(true)}
+              variant='active'
-            className='w-full px-[8px] py-[4px] font-medium text-[12px]'
+              onClick={() => setShowOAuthModal(true)}
-          >
+              className='w-full px-[8px] py-[4px] font-medium text-[12px]'
-            Update access
+            >
-          </Button>
+              Update access
            </Button>
          )}
        </div>
      )}
@@ -239,11 +245,7 @@ export function ToolCredentialSelector({
  )
 }
-function useCredentialRefreshTriggers(
+function useCredentialRefreshTriggers(refetchCredentials: () => Promise<unknown>) {
  refetchCredentials: () => Promise<unknown>,
  providerId: string,
  workspaceId: string
 ) {
  useEffect(() => {
    const refresh = () => {
      void refetchCredentials()
@@ -261,29 +263,12 @@ function useCredentialRefreshTriggers(
      }
    }
    const handleCredentialsUpdated = (
      event: CustomEvent<{ providerId?: string; workspaceId?: string }>
    ) => {
      if (event.detail?.providerId && event.detail.providerId !== providerId) {
        return
      }
      if (event.detail?.workspaceId && workspaceId && event.detail.workspaceId !== workspaceId) {
        return
      }
      refresh()
    }
    document.addEventListener('visibilitychange', handleVisibilityChange)
    window.addEventListener('pageshow', handlePageShow)
    window.addEventListener('oauth-credentials-updated', handleCredentialsUpdated as EventListener)
    return () => {
      document.removeEventListener('visibilitychange', handleVisibilityChange)
      window.removeEventListener('pageshow', handlePageShow)
      window.removeEventListener(
        'oauth-credentials-updated',
        handleCredentialsUpdated as EventListener
      )
    }
-  }, [providerId, workspaceId, refetchCredentials])
+  }, [refetchCredentials])
 }
--- a/apps/sim/app/workspace/[workspaceId]/w/[workflowId]/components/panel/components/editor/components/sub-block/hooks/use-foreign-credential.ts
+++ b/apps/sim/app/workspace/[workspaceId]/w/[workflowId]/components/panel/components/editor/components/sub-block/hooks/use-foreign-credential.ts
@@ -0,0 +1,50 @@
 import { useEffect, useMemo, useState } from 'react'
 export function useForeignCredential(
  provider: string | undefined,
  credentialId: string | undefined
 ) {
  const [isForeign, setIsForeign] = useState<boolean>(false)
  const [loading, setLoading] = useState<boolean>(false)
  const [error, setError] = useState<string | null>(null)
  const normalizedProvider = useMemo(() => (provider || '').toString(), [provider])
  const normalizedCredentialId = useMemo(() => credentialId || '', [credentialId])
  useEffect(() => {
    let cancelled = false
    async function check() {
      setLoading(true)
      setError(null)
      try {
        if (!normalizedProvider || !normalizedCredentialId) {
          if (!cancelled) setIsForeign(false)
          return
        }
        const res = await fetch(
          `/api/auth/oauth/credentials?provider=${encodeURIComponent(normalizedProvider)}`
        )
        if (!res.ok) {
          if (!cancelled) setIsForeign(true)
          return
        }
        const data = await res.json()
        const isOwn = (data.credentials || []).some((c: any) => c.id === normalizedCredentialId)
        if (!cancelled) setIsForeign(!isOwn)
      } catch (e) {
        if (!cancelled) {
          setIsForeign(true)
          setError((e as Error).message)
        }
      } finally {
        if (!cancelled) setLoading(false)
      }
    }
    void check()
    return () => {
      cancelled = true
    }
  }, [normalizedProvider, normalizedCredentialId])
  return { isForeignCredential: isForeign, loading, error }
 }
--- a/apps/sim/app/workspace/[workspaceId]/w/[workflowId]/components/panel/panel.tsx
+++ b/apps/sim/app/workspace/[workspaceId]/w/[workflowId]/components/panel/panel.tsx
@@ -340,13 +340,7 @@ export const Panel = memo(function Panel() {
   * Register global keyboard shortcuts using the central commands registry.
   *
   * - Mod+Enter: Run / cancel workflow (matches the Run button behavior)
   * - C: Focus Copilot tab
   * - T: Focus Toolbar tab
   * - E: Focus Editor tab
   * - Mod+F: Focus Toolbar tab and search input
   *
   * The tab-switching commands are disabled inside editable elements so typing
   * in inputs or textareas is not interrupted.
   */
  useRegisterGlobalCommands(() =>
    createCommands([
@@ -363,33 +357,6 @@ export const Panel = memo(function Panel() {
          allowInEditable: false,
        },
      },
      {
        id: 'focus-copilot-tab',
        handler: () => {
          setActiveTab('copilot')
        },
        overrides: {
          allowInEditable: false,
        },
      },
      {
        id: 'focus-toolbar-tab',
        handler: () => {
          setActiveTab('toolbar')
        },
        overrides: {
          allowInEditable: false,
        },
      },
      {
        id: 'focus-editor-tab',
        handler: () => {
          setActiveTab('editor')
        },
        overrides: {
          allowInEditable: false,
        },
      },
      {
        id: 'focus-toolbar-search',
        handler: () => {
--- a/apps/sim/app/workspace/[workspaceId]/w/components/preview/components/preview-editor/preview-editor.tsx
+++ b/apps/sim/app/workspace/[workspaceId]/w/components/preview/components/preview-editor/preview-editor.tsx
@@ -473,7 +473,7 @@ function ConnectionsSection({
          </div>
        )}
-        {/* Secrets */}
+        {/* Environment Variables */}
        {envVars.length > 0 && (
          <div className='mb-[2px] last:mb-0'>
            <div
@@ -489,7 +489,7 @@ function ConnectionsSection({
                  'text-[var(--text-secondary)] group-hover:text-[var(--text-primary)]'
                )}
              >
-                Secrets
+                Environment Variables
              </span>
              <ChevronDownIcon
                className={cn(
--- a/apps/sim/app/workspace/[workspaceId]/w/components/sidebar/components/settings-modal/components/credentials/credentials-manager.tsx
+++ b/apps/sim/app/workspace/[workspaceId]/w/components/sidebar/components/settings-modal/components/credentials/credentials-manager.tsx
--- a/apps/sim/app/workspace/[workspaceId]/w/components/sidebar/components/settings-modal/components/credentials/credentials.tsx
+++ b/apps/sim/app/workspace/[workspaceId]/w/components/sidebar/components/settings-modal/components/credentials/credentials.tsx
@@ -1,17 +0,0 @@
 'use client'
 import { CredentialsManager } from '@/app/workspace/[workspaceId]/w/components/sidebar/components/settings-modal/components/credentials/credentials-manager'
 interface CredentialsProps {
  onOpenChange?: (open: boolean) => void
  registerCloseHandler?: (handler: (open: boolean) => void) => void
  registerBeforeLeaveHandler?: (handler: (onProceed: () => void) => void) => void
 }
 export function Credentials(_props: CredentialsProps) {
  return (
    <div className='h-full min-h-0'>
      <CredentialsManager />
    </div>
  )
 }
--- a/apps/sim/app/workspace/[workspaceId]/w/components/sidebar/components/settings-modal/components/environment/environment.tsx
+++ b/apps/sim/app/workspace/[workspaceId]/w/components/sidebar/components/settings-modal/components/environment/environment.tsx
@@ -134,7 +134,7 @@ function WorkspaceVariableRow({
              <Trash />
            </Button>
          </Tooltip.Trigger>
-          <Tooltip.Content>Delete secret</Tooltip.Content>
+          <Tooltip.Content>Delete environment variable</Tooltip.Content>
        </Tooltip.Root>
      </div>
    </div>
@@ -637,7 +637,7 @@ export function EnvironmentVariables({ registerBeforeLeaveHandler }: Environment
                    <Trash />
                  </Button>
                </Tooltip.Trigger>
-                <Tooltip.Content>Delete secret</Tooltip.Content>
+                <Tooltip.Content>Delete environment variable</Tooltip.Content>
              </Tooltip.Root>
            </div>
          </div>
@@ -811,7 +811,7 @@ export function EnvironmentVariables({ registerBeforeLeaveHandler }: Environment
                  filteredWorkspaceEntries.length === 0 &&
                  (envVars.length > 0 || Object.keys(workspaceVars).length > 0) && (
                    <div className='py-[16px] text-center text-[13px] text-[var(--text-muted)]'>
-                      No secrets found matching "{searchTerm}"
+                      No environment variables found matching "{searchTerm}"
                    </div>
                  )}
              </>
--- a/apps/sim/app/workspace/[workspaceId]/w/components/sidebar/components/settings-modal/components/index.ts
+++ b/apps/sim/app/workspace/[workspaceId]/w/components/sidebar/components/settings-modal/components/index.ts
@@ -2,7 +2,6 @@ export { ApiKeys } from './api-keys/api-keys'
 export { BYOK } from './byok/byok'
 export { Copilot } from './copilot/copilot'
 export { CredentialSets } from './credential-sets/credential-sets'
 export { Credentials } from './credentials/credentials'
 export { CustomTools } from './custom-tools/custom-tools'
 export { Debug } from './debug/debug'
 export { EnvironmentVariables } from './environment/environment'
--- a/apps/sim/app/workspace/[workspaceId]/w/components/sidebar/components/settings-modal/settings-modal.tsx
+++ b/apps/sim/app/workspace/[workspaceId]/w/components/sidebar/components/settings-modal/settings-modal.tsx
@@ -20,6 +20,7 @@ import {
 import {
  Card,
  Connections,
  FolderCode,
  HexSimple,
  Key,
  SModal,
@@ -44,11 +45,12 @@ import {
  BYOK,
  Copilot,
  CredentialSets,
  Credentials,
  CustomTools,
  Debug,
  EnvironmentVariables,
  FileUploads,
  General,
  Integrations,
  MCP,
  Skills,
  Subscription,
@@ -78,7 +80,6 @@ interface SettingsModalProps {
 type SettingsSection =
  | 'general'
  | 'credentials'
  | 'environment'
  | 'template-profile'
  | 'integrations'
@@ -155,10 +156,11 @@ const allNavigationItems: NavigationItem[] = [
    requiresHosted: true,
    requiresTeam: true,
  },
-  { id: 'credentials', label: 'Credentials', icon: Connections, section: 'tools' },
+  { id: 'integrations', label: 'Integrations', icon: Connections, section: 'tools' },
  { id: 'custom-tools', label: 'Custom Tools', icon: Wrench, section: 'tools' },
  { id: 'skills', label: 'Skills', icon: AgentSkillsIcon, section: 'tools' },
  { id: 'mcp', label: 'MCP Tools', icon: McpIcon, section: 'tools' },
  { id: 'environment', label: 'Environment', icon: FolderCode, section: 'system' },
  { id: 'apikeys', label: 'API Keys', icon: Key, section: 'system' },
  { id: 'workflow-mcp-servers', label: 'MCP Servers', icon: Server, section: 'system' },
  {
@@ -254,6 +256,9 @@ export function SettingsModal({ open, onOpenChange }: SettingsModalProps) {
      if (item.id === 'apikeys' && permissionConfig.hideApiKeysTab) {
        return false
      }
      if (item.id === 'environment' && permissionConfig.hideEnvironmentTab) {
        return false
      }
      if (item.id === 'files' && permissionConfig.hideFilesTab) {
        return false
      }
@@ -319,9 +324,6 @@ export function SettingsModal({ open, onOpenChange }: SettingsModalProps) {
    if (!isBillingEnabled && (activeSection === 'subscription' || activeSection === 'team')) {
      return 'general'
    }
    if (activeSection === 'environment' || activeSection === 'integrations') {
      return 'credentials'
    }
    return activeSection
  }, [activeSection])
@@ -340,7 +342,7 @@ export function SettingsModal({ open, onOpenChange }: SettingsModalProps) {
    (sectionId: SettingsSection) => {
      if (sectionId === effectiveActiveSection) return
-      if (effectiveActiveSection === 'credentials' && environmentBeforeLeaveHandler.current) {
+      if (effectiveActiveSection === 'environment' && environmentBeforeLeaveHandler.current) {
        environmentBeforeLeaveHandler.current(() => setActiveSection(sectionId))
        return
      }
@@ -368,11 +370,7 @@ export function SettingsModal({ open, onOpenChange }: SettingsModalProps) {
  useEffect(() => {
    const handleOpenSettings = (event: CustomEvent<{ tab: SettingsSection }>) => {
-      if (event.detail.tab === 'environment' || event.detail.tab === 'integrations') {
+      setActiveSection(event.detail.tab)
        setActiveSection('credentials')
      } else {
        setActiveSection(event.detail.tab)
      }
      onOpenChange(true)
    }
@@ -481,19 +479,13 @@ export function SettingsModal({ open, onOpenChange }: SettingsModalProps) {
  const handleDialogOpenChange = (newOpen: boolean) => {
    if (
      !newOpen &&
-      effectiveActiveSection === 'credentials' &&
+      effectiveActiveSection === 'environment' &&
      environmentBeforeLeaveHandler.current
    ) {
-      environmentBeforeLeaveHandler.current(() => {
+      environmentBeforeLeaveHandler.current(() => onOpenChange(false))
        if (integrationsCloseHandler.current) {
          integrationsCloseHandler.current(newOpen)
        } else {
          onOpenChange(false)
        }
      })
    } else if (
      !newOpen &&
-      effectiveActiveSection === 'credentials' &&
+      effectiveActiveSection === 'integrations' &&
      integrationsCloseHandler.current
    ) {
      integrationsCloseHandler.current(newOpen)
@@ -510,7 +502,7 @@ export function SettingsModal({ open, onOpenChange }: SettingsModalProps) {
        </VisuallyHidden.Root>
        <VisuallyHidden.Root>
          <DialogPrimitive.Description>
-            Configure your workspace settings, credentials, and preferences
+            Configure your workspace settings, environment variables, integrations, and preferences
          </DialogPrimitive.Description>
        </VisuallyHidden.Root>
@@ -547,14 +539,18 @@ export function SettingsModal({ open, onOpenChange }: SettingsModalProps) {
          </SModalMainHeader>
          <SModalMainBody>
            {effectiveActiveSection === 'general' && <General onOpenChange={onOpenChange} />}
-            {effectiveActiveSection === 'credentials' && (
+            {effectiveActiveSection === 'environment' && (
-              <Credentials
+              <EnvironmentVariables
                onOpenChange={onOpenChange}
                registerCloseHandler={registerIntegrationsCloseHandler}
                registerBeforeLeaveHandler={registerEnvironmentBeforeLeaveHandler}
              />
            )}
            {effectiveActiveSection === 'template-profile' && <TemplateProfile />}
            {effectiveActiveSection === 'integrations' && (
              <Integrations
                onOpenChange={onOpenChange}
                registerCloseHandler={registerIntegrationsCloseHandler}
              />
            )}
            {effectiveActiveSection === 'credential-sets' && <CredentialSets />}
            {effectiveActiveSection === 'access-control' && <AccessControl />}
            {effectiveActiveSection === 'apikeys' && <ApiKeys onOpenChange={onOpenChange} />}
--- a/apps/sim/background/schedule-execution.ts
+++ b/apps/sim/background/schedule-execution.ts
@@ -589,6 +589,7 @@ export async function executeScheduleJob(payload: ScheduleExecutionPayload) {
 export const scheduleExecution = task({
  id: 'schedule-execution',
  machine: 'medium-1x',
  retry: {
    maxAttempts: 1,
  },
--- a/apps/sim/background/webhook-execution.ts
+++ b/apps/sim/background/webhook-execution.ts
@@ -669,6 +669,7 @@ async function executeWebhookJobInternal(
 export const webhookExecution = task({
  id: 'webhook-execution',
  machine: 'medium-1x',
  retry: {
    maxAttempts: 1,
  },
--- a/apps/sim/background/workflow-execution.ts
+++ b/apps/sim/background/workflow-execution.ts
@@ -197,5 +197,6 @@ export async function executeWorkflowJob(payload: WorkflowExecutionPayload) {
 export const workflowExecutionTask = task({
  id: 'workflow-execution',
  machine: 'medium-1x',
  run: executeWorkflowJob,
 })
--- a/apps/sim/blocks/blocks/confluence.ts
+++ b/apps/sim/blocks/blocks/confluence.ts
@@ -394,6 +394,7 @@ export const ConfluenceV2Block: BlockConfig<ConfluenceResponse> = {
        // Page Property Operations
        { label: 'List Page Properties', id: 'list_page_properties' },
        { label: 'Create Page Property', id: 'create_page_property' },
        { label: 'Delete Page Property', id: 'delete_page_property' },
        // Search Operations
        { label: 'Search Content', id: 'search' },
        { label: 'Search in Space', id: 'search_in_space' },
@@ -414,6 +415,9 @@ export const ConfluenceV2Block: BlockConfig<ConfluenceResponse> = {
        // Label Operations
        { label: 'List Labels', id: 'list_labels' },
        { label: 'Add Label', id: 'add_label' },
        { label: 'Delete Label', id: 'delete_label' },
        { label: 'Get Pages by Label', id: 'get_pages_by_label' },
        { label: 'List Space Labels', id: 'list_space_labels' },
        // Space Operations
        { label: 'Get Space', id: 'get_space' },
        { label: 'List Spaces', id: 'list_spaces' },
@@ -485,6 +489,8 @@ export const ConfluenceV2Block: BlockConfig<ConfluenceResponse> = {
          'search_in_space',
          'get_space',
          'list_spaces',
          'get_pages_by_label',
          'list_space_labels',
        ],
        not: true,
      },
@@ -500,6 +506,8 @@ export const ConfluenceV2Block: BlockConfig<ConfluenceResponse> = {
          'list_labels',
          'upload_attachment',
          'add_label',
          'delete_label',
          'delete_page_property',
          'get_page_children',
          'get_page_ancestors',
          'list_page_versions',
@@ -527,6 +535,8 @@ export const ConfluenceV2Block: BlockConfig<ConfluenceResponse> = {
          'search_in_space',
          'get_space',
          'list_spaces',
          'get_pages_by_label',
          'list_space_labels',
        ],
        not: true,
      },
@@ -542,6 +552,8 @@ export const ConfluenceV2Block: BlockConfig<ConfluenceResponse> = {
          'list_labels',
          'upload_attachment',
          'add_label',
          'delete_label',
          'delete_page_property',
          'get_page_children',
          'get_page_ancestors',
          'list_page_versions',
@@ -566,6 +578,7 @@ export const ConfluenceV2Block: BlockConfig<ConfluenceResponse> = {
          'search_in_space',
          'create_blogpost',
          'list_blogposts_in_space',
          'list_space_labels',
        ],
      },
    },
@@ -601,6 +614,14 @@ export const ConfluenceV2Block: BlockConfig<ConfluenceResponse> = {
      required: true,
      condition: { field: 'operation', value: 'create_page_property' },
    },
    {
      id: 'propertyId',
      title: 'Property ID',
      type: 'short-input',
      placeholder: 'Enter property ID to delete',
      required: true,
      condition: { field: 'operation', value: 'delete_page_property' },
    },
    {
      id: 'title',
      title: 'Title',
@@ -694,7 +715,7 @@ export const ConfluenceV2Block: BlockConfig<ConfluenceResponse> = {
      type: 'short-input',
      placeholder: 'Enter label name',
      required: true,
-      condition: { field: 'operation', value: 'add_label' },
+      condition: { field: 'operation', value: ['add_label', 'delete_label'] },
    },
    {
      id: 'labelPrefix',
@@ -709,6 +730,14 @@ export const ConfluenceV2Block: BlockConfig<ConfluenceResponse> = {
      value: () => 'global',
      condition: { field: 'operation', value: 'add_label' },
    },
    {
      id: 'labelId',
      title: 'Label ID',
      type: 'short-input',
      placeholder: 'Enter label ID',
      required: true,
      condition: { field: 'operation', value: 'get_pages_by_label' },
    },
    {
      id: 'blogPostStatus',
      title: 'Status',
@@ -759,6 +788,8 @@ export const ConfluenceV2Block: BlockConfig<ConfluenceResponse> = {
          'list_page_versions',
          'list_page_properties',
          'list_labels',
          'get_pages_by_label',
          'list_space_labels',
        ],
      },
    },
@@ -780,6 +811,8 @@ export const ConfluenceV2Block: BlockConfig<ConfluenceResponse> = {
          'list_page_versions',
          'list_page_properties',
          'list_labels',
          'get_pages_by_label',
          'list_space_labels',
        ],
      },
    },
@@ -800,6 +833,7 @@ export const ConfluenceV2Block: BlockConfig<ConfluenceResponse> = {
      // Property Tools
      'confluence_list_page_properties',
      'confluence_create_page_property',
      'confluence_delete_page_property',
      // Search Tools
      'confluence_search',
      'confluence_search_in_space',
@@ -820,6 +854,9 @@ export const ConfluenceV2Block: BlockConfig<ConfluenceResponse> = {
      // Label Tools
      'confluence_list_labels',
      'confluence_add_label',
      'confluence_delete_label',
      'confluence_get_pages_by_label',
      'confluence_list_space_labels',
      // Space Tools
      'confluence_get_space',
      'confluence_list_spaces',
@@ -852,6 +889,8 @@ export const ConfluenceV2Block: BlockConfig<ConfluenceResponse> = {
            return 'confluence_list_page_properties'
          case 'create_page_property':
            return 'confluence_create_page_property'
          case 'delete_page_property':
            return 'confluence_delete_page_property'
          // Search Operations
          case 'search':
            return 'confluence_search'
@@ -887,6 +926,12 @@ export const ConfluenceV2Block: BlockConfig<ConfluenceResponse> = {
            return 'confluence_list_labels'
          case 'add_label':
            return 'confluence_add_label'
          case 'delete_label':
            return 'confluence_delete_label'
          case 'get_pages_by_label':
            return 'confluence_get_pages_by_label'
          case 'list_space_labels':
            return 'confluence_list_space_labels'
          // Space Operations
          case 'get_space':
            return 'confluence_get_space'
@@ -908,7 +953,9 @@ export const ConfluenceV2Block: BlockConfig<ConfluenceResponse> = {
          versionNumber,
          propertyKey,
          propertyValue,
          propertyId,
          labelPrefix,
          labelId,
          blogPostStatus,
          purge,
          bodyFormat,
@@ -959,7 +1006,9 @@ export const ConfluenceV2Block: BlockConfig<ConfluenceResponse> = {
          }
        }
-        // Operations that support cursor pagination
+        // Operations that support generic cursor pagination.
        // get_pages_by_label and list_space_labels have dedicated handlers
        // below that pass cursor along with their required params (labelId, spaceId).
        const supportsCursor = [
          'list_attachments',
          'list_spaces',
@@ -996,6 +1045,35 @@ export const ConfluenceV2Block: BlockConfig<ConfluenceResponse> = {
          }
        }
        if (operation === 'delete_page_property') {
          return {
            credential,
            pageId: effectivePageId,
            operation,
            propertyId,
            ...rest,
          }
        }
        if (operation === 'get_pages_by_label') {
          return {
            credential,
            operation,
            labelId,
            cursor: cursor || undefined,
            ...rest,
          }
        }
        if (operation === 'list_space_labels') {
          return {
            credential,
            operation,
            cursor: cursor || undefined,
            ...rest,
          }
        }
        if (operation === 'upload_attachment') {
          const normalizedFile = normalizeFileInput(attachmentFile, { single: true })
          if (!normalizedFile) {
@@ -1044,7 +1122,9 @@ export const ConfluenceV2Block: BlockConfig<ConfluenceResponse> = {
    attachmentFileName: { type: 'string', description: 'Custom file name for attachment' },
    attachmentComment: { type: 'string', description: 'Comment for the attachment' },
    labelName: { type: 'string', description: 'Label name' },
    labelId: { type: 'string', description: 'Label identifier' },
    labelPrefix: { type: 'string', description: 'Label prefix (global, my, team, system)' },
    propertyId: { type: 'string', description: 'Property identifier' },
    blogPostStatus: { type: 'string', description: 'Blog post status (current or draft)' },
    purge: { type: 'boolean', description: 'Permanently delete instead of moving to trash' },
    bodyFormat: { type: 'string', description: 'Body format for comments' },
@@ -1080,6 +1160,7 @@ export const ConfluenceV2Block: BlockConfig<ConfluenceResponse> = {
    // Label Results
    labels: { type: 'array', description: 'List of labels' },
    labelName: { type: 'string', description: 'Label name' },
    labelId: { type: 'string', description: 'Label identifier' },
    // Space Results
    spaces: { type: 'array', description: 'List of spaces' },
    spaceId: { type: 'string', description: 'Space identifier' },
--- a/apps/sim/executor/constants.ts
+++ b/apps/sim/executor/constants.ts
@@ -205,6 +205,10 @@ export const CREDENTIAL_SET = {
  PREFIX: 'credentialSet:',
 } as const
 export const CREDENTIAL = {
  FOREIGN_LABEL: 'Saved by collaborator',
 } as const
 export function isCredentialSetValue(value: string | null | undefined): boolean {
  return typeof value === 'string' && value.startsWith(CREDENTIAL_SET.PREFIX)
 }
--- a/apps/sim/hooks/queries/credentials.ts
+++ b/apps/sim/hooks/queries/credentials.ts
@@ -1,268 +0,0 @@
 'use client'
 import { useMutation, useQuery, useQueryClient } from '@tanstack/react-query'
 import { environmentKeys } from '@/hooks/queries/environment'
 import { fetchJson } from '@/hooks/selectors/helpers'
 export type WorkspaceCredentialType = 'oauth' | 'env_workspace' | 'env_personal'
 export type WorkspaceCredentialRole = 'admin' | 'member'
 export type WorkspaceCredentialMemberStatus = 'active' | 'pending' | 'revoked'
 export interface WorkspaceCredential {
  id: string
  workspaceId: string
  type: WorkspaceCredentialType
  displayName: string
  providerId: string | null
  accountId: string | null
  envKey: string | null
  envOwnerUserId: string | null
  createdBy: string
  createdAt: string
  updatedAt: string
  role?: WorkspaceCredentialRole
  status?: WorkspaceCredentialMemberStatus
 }
 export interface WorkspaceCredentialMember {
  id: string
  userId: string
  role: WorkspaceCredentialRole
  status: WorkspaceCredentialMemberStatus
  joinedAt: string | null
  invitedBy: string | null
  createdAt: string
  updatedAt: string
  userName: string | null
  userEmail: string | null
  userImage: string | null
 }
 interface CredentialListResponse {
  credentials?: WorkspaceCredential[]
 }
 interface CredentialResponse {
  credential?: WorkspaceCredential | null
 }
 interface MembersResponse {
  members?: WorkspaceCredentialMember[]
 }
 export const workspaceCredentialKeys = {
  all: ['workspaceCredentials'] as const,
  list: (workspaceId?: string, type?: string, providerId?: string) =>
    ['workspaceCredentials', workspaceId ?? 'none', type ?? 'all', providerId ?? 'all'] as const,
  detail: (credentialId?: string) =>
    ['workspaceCredentials', 'detail', credentialId ?? 'none'] as const,
  members: (credentialId?: string) =>
    ['workspaceCredentials', 'detail', credentialId ?? 'none', 'members'] as const,
 }
 export function useWorkspaceCredentials(params: {
  workspaceId?: string
  type?: WorkspaceCredentialType
  providerId?: string
  enabled?: boolean
 }) {
  const { workspaceId, type, providerId, enabled = true } = params
  return useQuery<WorkspaceCredential[]>({
    queryKey: workspaceCredentialKeys.list(workspaceId, type, providerId),
    queryFn: async () => {
      if (!workspaceId) return []
      const data = await fetchJson<CredentialListResponse>('/api/credentials', {
        searchParams: {
          workspaceId,
          type,
          providerId,
        },
      })
      return data.credentials ?? []
    },
    enabled: Boolean(workspaceId) && enabled,
    staleTime: 60 * 1000,
  })
 }
 export function useWorkspaceCredential(credentialId?: string, enabled = true) {
  return useQuery<WorkspaceCredential | null>({
    queryKey: workspaceCredentialKeys.detail(credentialId),
    queryFn: async () => {
      if (!credentialId) return null
      const data = await fetchJson<CredentialResponse>(`/api/credentials/${credentialId}`)
      return data.credential ?? null
    },
    enabled: Boolean(credentialId) && enabled,
    staleTime: 60 * 1000,
  })
 }
 export function useCreateWorkspaceCredential() {
  const queryClient = useQueryClient()
  return useMutation({
    mutationFn: async (payload: {
      workspaceId: string
      type: WorkspaceCredentialType
      displayName?: string
      providerId?: string
      accountId?: string
      envKey?: string
      envOwnerUserId?: string
    }) => {
      const response = await fetch('/api/credentials', {
        method: 'POST',
        headers: { 'Content-Type': 'application/json' },
        body: JSON.stringify(payload),
      })
      if (!response.ok) {
        const data = await response.json()
        throw new Error(data.error || 'Failed to create credential')
      }
      return response.json()
    },
    onSuccess: (_data, variables) => {
      queryClient.invalidateQueries({
        queryKey: workspaceCredentialKeys.list(variables.workspaceId),
      })
      queryClient.invalidateQueries({
        queryKey: workspaceCredentialKeys.all,
      })
    },
  })
 }
 export function useUpdateWorkspaceCredential() {
  const queryClient = useQueryClient()
  return useMutation({
    mutationFn: async (payload: {
      credentialId: string
      displayName?: string
      accountId?: string
    }) => {
      const response = await fetch(`/api/credentials/${payload.credentialId}`, {
        method: 'PUT',
        headers: { 'Content-Type': 'application/json' },
        body: JSON.stringify({
          displayName: payload.displayName,
          accountId: payload.accountId,
        }),
      })
      if (!response.ok) {
        const data = await response.json()
        throw new Error(data.error || 'Failed to update credential')
      }
      return response.json()
    },
    onSuccess: (_data, variables) => {
      queryClient.invalidateQueries({
        queryKey: workspaceCredentialKeys.detail(variables.credentialId),
      })
      queryClient.invalidateQueries({
        queryKey: workspaceCredentialKeys.all,
      })
    },
  })
 }
 export function useDeleteWorkspaceCredential() {
  const queryClient = useQueryClient()
  return useMutation({
    mutationFn: async (credentialId: string) => {
      const response = await fetch(`/api/credentials/${credentialId}`, {
        method: 'DELETE',
      })
      if (!response.ok) {
        const data = await response.json()
        throw new Error(data.error || 'Failed to delete credential')
      }
      return response.json()
    },
    onSuccess: (_data, credentialId) => {
      queryClient.invalidateQueries({ queryKey: workspaceCredentialKeys.detail(credentialId) })
      queryClient.invalidateQueries({ queryKey: workspaceCredentialKeys.all })
      queryClient.invalidateQueries({ queryKey: environmentKeys.all })
    },
  })
 }
 export function useWorkspaceCredentialMembers(credentialId?: string) {
  return useQuery<WorkspaceCredentialMember[]>({
    queryKey: workspaceCredentialKeys.members(credentialId),
    queryFn: async () => {
      if (!credentialId) return []
      const data = await fetchJson<MembersResponse>(`/api/credentials/${credentialId}/members`)
      return data.members ?? []
    },
    enabled: Boolean(credentialId),
    staleTime: 30 * 1000,
  })
 }
 export function useUpsertWorkspaceCredentialMember() {
  const queryClient = useQueryClient()
  return useMutation({
    mutationFn: async (payload: {
      credentialId: string
      userId: string
      role: WorkspaceCredentialRole
    }) => {
      const response = await fetch(`/api/credentials/${payload.credentialId}/members`, {
        method: 'POST',
        headers: { 'Content-Type': 'application/json' },
        body: JSON.stringify({
          userId: payload.userId,
          role: payload.role,
        }),
      })
      if (!response.ok) {
        const data = await response.json()
        throw new Error(data.error || 'Failed to update credential member')
      }
      return response.json()
    },
    onSuccess: (_data, variables) => {
      queryClient.invalidateQueries({
        queryKey: workspaceCredentialKeys.members(variables.credentialId),
      })
      queryClient.invalidateQueries({
        queryKey: workspaceCredentialKeys.detail(variables.credentialId),
      })
      queryClient.invalidateQueries({ queryKey: workspaceCredentialKeys.all })
    },
  })
 }
 export function useRemoveWorkspaceCredentialMember() {
  const queryClient = useQueryClient()
  return useMutation({
    mutationFn: async (payload: { credentialId: string; userId: string }) => {
      const response = await fetch(
        `/api/credentials/${payload.credentialId}/members?userId=${encodeURIComponent(payload.userId)}`,
        { method: 'DELETE' }
      )
      if (!response.ok) {
        const data = await response.json()
        throw new Error(data.error || 'Failed to remove credential member')
      }
      return response.json()
    },
    onSuccess: (_data, variables) => {
      queryClient.invalidateQueries({
        queryKey: workspaceCredentialKeys.members(variables.credentialId),
      })
      queryClient.invalidateQueries({
        queryKey: workspaceCredentialKeys.detail(variables.credentialId),
      })
      queryClient.invalidateQueries({ queryKey: workspaceCredentialKeys.all })
    },
  })
 }
--- a/apps/sim/hooks/queries/oauth-connections.ts
+++ b/apps/sim/hooks/queries/oauth-connections.ts
@@ -169,9 +169,9 @@ export function useConnectOAuthService() {
 interface DisconnectServiceParams {
  provider: string
-  providerId?: string
+  providerId: string
  serviceId: string
-  accountId?: string
+  accountId: string
 }
 /**
@@ -182,7 +182,7 @@ export function useDisconnectOAuthService() {
  const queryClient = useQueryClient()
  return useMutation({
-    mutationFn: async ({ provider, providerId, accountId }: DisconnectServiceParams) => {
+    mutationFn: async ({ provider, providerId }: DisconnectServiceParams) => {
      const response = await fetch('/api/auth/oauth/disconnect', {
        method: 'POST',
        headers: {
@@ -191,7 +191,6 @@ export function useDisconnectOAuthService() {
        body: JSON.stringify({
          provider,
          providerId,
          accountId,
        }),
      })
@@ -213,8 +212,7 @@ export function useDisconnectOAuthService() {
          oauthConnectionsKeys.connections(),
          previousServices.map((svc) => {
            if (svc.id === serviceId) {
-              const updatedAccounts =
+              const updatedAccounts = svc.accounts?.filter((acc) => acc.id !== accountId) || []
                accountId && svc.accounts ? svc.accounts.filter((acc) => acc.id !== accountId) : []
              return {
                ...svc,
                accounts: updatedAccounts,
--- a/apps/sim/hooks/queries/oauth-credentials.ts
+++ b/apps/sim/hooks/queries/oauth-credentials.ts
@@ -1,6 +1,6 @@
 import { useQuery } from '@tanstack/react-query'
 import type { Credential } from '@/lib/oauth'
-import { CREDENTIAL_SET } from '@/executor/constants'
+import { CREDENTIAL, CREDENTIAL_SET } from '@/executor/constants'
 import { useCredentialSetDetail } from '@/hooks/queries/credential-sets'
 import { fetchJson } from '@/hooks/selectors/helpers'
@@ -13,34 +13,15 @@ interface CredentialDetailResponse {
 }
 export const oauthCredentialKeys = {
-  list: (providerId?: string, workspaceId?: string, workflowId?: string) =>
+  list: (providerId?: string) => ['oauthCredentials', providerId ?? 'none'] as const,
    [
      'oauthCredentials',
      providerId ?? 'none',
      workspaceId ?? 'none',
      workflowId ?? 'none',
    ] as const,
  detail: (credentialId?: string, workflowId?: string) =>
    ['oauthCredentialDetail', credentialId ?? 'none', workflowId ?? 'none'] as const,
 }
-interface FetchOAuthCredentialsParams {
+export async function fetchOAuthCredentials(providerId: string): Promise<Credential[]> {
  providerId: string
  workspaceId?: string
  workflowId?: string
 }
 export async function fetchOAuthCredentials(
  params: FetchOAuthCredentialsParams
 ): Promise<Credential[]> {
  const { providerId, workspaceId, workflowId } = params
  if (!providerId) return []
  const data = await fetchJson<CredentialListResponse>('/api/auth/oauth/credentials', {
-    searchParams: {
+    searchParams: { provider: providerId },
      provider: providerId,
      workspaceId,
      workflowId,
    },
  })
  return data.credentials ?? []
 }
@@ -59,44 +40,10 @@ export async function fetchOAuthCredentialDetail(
  return data.credentials ?? []
 }
-interface UseOAuthCredentialsOptions {
+export function useOAuthCredentials(providerId?: string, enabled = true) {
  enabled?: boolean
  workspaceId?: string
  workflowId?: string
 }
 function resolveOptions(
  enabledOrOptions?: boolean | UseOAuthCredentialsOptions
 ): Required<UseOAuthCredentialsOptions> {
  if (typeof enabledOrOptions === 'boolean') {
    return {
      enabled: enabledOrOptions,
      workspaceId: '',
      workflowId: '',
    }
  }
  return {
    enabled: enabledOrOptions?.enabled ?? true,
    workspaceId: enabledOrOptions?.workspaceId ?? '',
    workflowId: enabledOrOptions?.workflowId ?? '',
  }
 }
 export function useOAuthCredentials(
  providerId?: string,
  enabledOrOptions?: boolean | UseOAuthCredentialsOptions
 ) {
  const { enabled, workspaceId, workflowId } = resolveOptions(enabledOrOptions)
  return useQuery<Credential[]>({
-    queryKey: oauthCredentialKeys.list(providerId, workspaceId, workflowId),
+    queryKey: oauthCredentialKeys.list(providerId),
-    queryFn: () =>
+    queryFn: () => fetchOAuthCredentials(providerId ?? ''),
      fetchOAuthCredentials({
        providerId: providerId ?? '',
        workspaceId: workspaceId || undefined,
        workflowId: workflowId || undefined,
      }),
    enabled: Boolean(providerId) && enabled,
    staleTime: 60 * 1000,
  })
@@ -115,12 +62,7 @@ export function useOAuthCredentialDetail(
  })
 }
-export function useCredentialName(
+export function useCredentialName(credentialId?: string, providerId?: string, workflowId?: string) {
  credentialId?: string,
  providerId?: string,
  workflowId?: string,
  workspaceId?: string
 ) {
  // Check if this is a credential set value
  const isCredentialSet = credentialId?.startsWith(CREDENTIAL_SET.PREFIX) ?? false
  const credentialSetId = isCredentialSet
@@ -135,11 +77,7 @@ export function useCredentialName(
  const { data: credentials = [], isFetching: credentialsLoading } = useOAuthCredentials(
    providerId,
-    {
+    Boolean(providerId) && !isCredentialSet
      enabled: Boolean(providerId) && !isCredentialSet,
      workspaceId,
      workflowId,
    }
  )
  const selectedCredential = credentials.find((cred) => cred.id === credentialId)
@@ -154,18 +92,18 @@ export function useCredentialName(
    shouldFetchDetail
  )
  const detailCredential = foreignCredentials[0]
  const hasForeignMeta = foreignCredentials.length > 0
  const isForeignCredentialSet = isCredentialSet && !credentialSetData && !credentialSetLoading
  const displayName =
-    credentialSetData?.name ?? selectedCredential?.name ?? detailCredential?.name ?? null
+    credentialSetData?.name ??
    selectedCredential?.name ??
    (hasForeignMeta ? CREDENTIAL.FOREIGN_LABEL : null) ??
    (isForeignCredentialSet ? CREDENTIAL.FOREIGN_LABEL : null)
  return {
    displayName,
-    isLoading:
+    isLoading: credentialsLoading || foreignLoading || (isCredentialSet && credentialSetLoading),
      credentialsLoading ||
      foreignLoading ||
      (isCredentialSet && credentialSetLoading && !credentialSetData),
    hasForeignMeta,
  }
 }
--- a/apps/sim/lib/auth/auth.ts
+++ b/apps/sim/lib/auth/auth.ts
@@ -14,7 +14,7 @@ import {
  oneTimeToken,
  organization,
 } from 'better-auth/plugins'
-import { and, eq, inArray, sql } from 'drizzle-orm'
+import { and, eq } from 'drizzle-orm'
 import { headers } from 'next/headers'
 import Stripe from 'stripe'
 import {
@@ -150,6 +150,16 @@ export const auth = betterAuth({
    account: {
      create: {
        before: async (account) => {
          // Only one credential per (userId, providerId) is allowed
          // If user reconnects (even with a different external account), delete the old one
          // and let Better Auth create the new one (returning false breaks account linking flow)
          const existing = await db.query.account.findFirst({
            where: and(
              eq(schema.account.userId, account.userId),
              eq(schema.account.providerId, account.providerId)
            ),
          })
          const modifiedAccount = { ...account }
          if (account.providerId === 'salesforce' && account.accessToken) {
@@ -179,148 +189,32 @@ export const auth = betterAuth({
            }
          }
          // Handle Microsoft refresh token expiry
          if (isMicrosoftProvider(account.providerId)) {
            modifiedAccount.refreshTokenExpiresAt = getMicrosoftRefreshTokenExpiry()
          }
          if (existing) {
            // Delete the existing account so Better Auth can create the new one
            // This allows account linking/re-authorization to succeed
            await db.delete(schema.account).where(eq(schema.account.id, existing.id))
            // Preserve the existing account ID so references (like workspace notifications) continue to work
            modifiedAccount.id = existing.id
            logger.info('[account.create.before] Deleted existing account for re-authorization', {
              userId: account.userId,
              providerId: account.providerId,
              existingAccountId: existing.id,
              preservingId: true,
            })
            // Sync webhooks for credential sets after reconnecting (in after hook)
          }
          return { data: modifiedAccount }
        },
        after: async (account) => {
          /**
           * Migrate credentials from stale account rows to the newly created one.
           *
           * Each getUserInfo appends a random UUID to the stable external ID so
           * that Better Auth never blocks cross-user connections. This means
           * re-connecting the same external identity creates a new row. We detect
           * the stale siblings here by comparing the stable prefix (everything
           * before the trailing UUID), migrate any credential FKs to the new row,
           * then delete the stale rows.
           */
          try {
            const UUID_SUFFIX_RE = /-[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$/
            const stablePrefix = account.accountId.replace(UUID_SUFFIX_RE, '')
            if (stablePrefix && stablePrefix !== account.accountId) {
              const siblings = await db
                .select({ id: schema.account.id, accountId: schema.account.accountId })
                .from(schema.account)
                .where(
                  and(
                    eq(schema.account.userId, account.userId),
                    eq(schema.account.providerId, account.providerId),
                    sql`${schema.account.id} != ${account.id}`
                  )
                )
              const staleRows = siblings.filter(
                (row) => row.accountId.replace(UUID_SUFFIX_RE, '') === stablePrefix
              )
              if (staleRows.length > 0) {
                const staleIds = staleRows.map((row) => row.id)
                await db
                  .update(schema.credential)
                  .set({ accountId: account.id })
                  .where(inArray(schema.credential.accountId, staleIds))
                await db.delete(schema.account).where(inArray(schema.account.id, staleIds))
                logger.info('[account.create.after] Migrated credentials from stale accounts', {
                  userId: account.userId,
                  providerId: account.providerId,
                  newAccountId: account.id,
                  migratedFrom: staleIds,
                })
              }
            }
          } catch (error) {
            logger.error('[account.create.after] Failed to clean up stale accounts', {
              userId: account.userId,
              providerId: account.providerId,
              error,
            })
          }
          /**
           * If a pending credential draft exists for this (userId, providerId),
           * create the credential now with the user's chosen display name.
           * This is deterministic — the account row is guaranteed to exist.
           */
          try {
            const [draft] = await db
              .select()
              .from(schema.pendingCredentialDraft)
              .where(
                and(
                  eq(schema.pendingCredentialDraft.userId, account.userId),
                  eq(schema.pendingCredentialDraft.providerId, account.providerId),
                  sql`${schema.pendingCredentialDraft.expiresAt} > NOW()`
                )
              )
              .limit(1)
            if (draft) {
              const credentialId = crypto.randomUUID()
              const now = new Date()
              try {
                await db.insert(schema.credential).values({
                  id: credentialId,
                  workspaceId: draft.workspaceId,
                  type: 'oauth',
                  displayName: draft.displayName,
                  providerId: account.providerId,
                  accountId: account.id,
                  createdBy: account.userId,
                  createdAt: now,
                  updatedAt: now,
                })
                await db.insert(schema.credentialMember).values({
                  id: crypto.randomUUID(),
                  credentialId,
                  userId: account.userId,
                  role: 'admin',
                  status: 'active',
                  joinedAt: now,
                  invitedBy: account.userId,
                  createdAt: now,
                  updatedAt: now,
                })
                logger.info('[account.create.after] Created credential from draft', {
                  credentialId,
                  displayName: draft.displayName,
                  providerId: account.providerId,
                  accountId: account.id,
                })
              } catch (insertError: unknown) {
                const code =
                  insertError && typeof insertError === 'object' && 'code' in insertError
                    ? (insertError as { code: string }).code
                    : undefined
                if (code !== '23505') {
                  throw insertError
                }
                logger.info('[account.create.after] Credential already exists, skipping draft', {
                  providerId: account.providerId,
                  accountId: account.id,
                })
              }
              await db
                .delete(schema.pendingCredentialDraft)
                .where(eq(schema.pendingCredentialDraft.id, draft.id))
            }
          } catch (error) {
            logger.error('[account.create.after] Failed to create credential from draft', {
              userId: account.userId,
              providerId: account.providerId,
              error,
            })
          }
          try {
            const { ensureUserStatsExists } = await import('@/lib/billing/core/usage')
            await ensureUserStatsExists(account.userId)
@@ -1593,7 +1487,7 @@ export const auth = betterAuth({
              })
              return {
-                id: `${(data.user_id || data.hub_id).toString()}-${crypto.randomUUID()}`,
+                id: `${data.user_id || data.hub_id.toString()}-${crypto.randomUUID()}`,
                name: data.user || 'HubSpot User',
                email: data.user || `hubspot-${data.hub_id}@hubspot.com`,
                emailVerified: true,
@@ -1647,7 +1541,7 @@ export const auth = betterAuth({
              const data = await response.json()
              return {
-                id: `${(data.user_id || data.sub).toString()}-${crypto.randomUUID()}`,
+                id: `${data.user_id || data.sub}-${crypto.randomUUID()}`,
                name: data.name || 'Salesforce User',
                email: data.email || `salesforce-${data.user_id}@salesforce.com`,
                emailVerified: data.email_verified || true,
@@ -1706,7 +1600,7 @@ export const auth = betterAuth({
              const now = new Date()
              return {
-                id: `${profile.data.id.toString()}-${crypto.randomUUID()}`,
+                id: `${profile.data.id}-${crypto.randomUUID()}`,
                name: profile.data.name || 'X User',
                email: `${profile.data.username}@x.com`,
                image: profile.data.profile_image_url,
@@ -1786,7 +1680,7 @@ export const auth = betterAuth({
              const now = new Date()
              return {
-                id: `${profile.account_id.toString()}-${crypto.randomUUID()}`,
+                id: `${profile.account_id}-${crypto.randomUUID()}`,
                name: profile.name || profile.display_name || 'Confluence User',
                email: profile.email || `${profile.account_id}@atlassian.com`,
                image: profile.picture || undefined,
@@ -1897,7 +1791,7 @@ export const auth = betterAuth({
              const now = new Date()
              return {
-                id: `${profile.account_id.toString()}-${crypto.randomUUID()}`,
+                id: `${profile.account_id}-${crypto.randomUUID()}`,
                name: profile.name || profile.display_name || 'Jira User',
                email: profile.email || `${profile.account_id}@atlassian.com`,
                image: profile.picture || undefined,
@@ -1947,7 +1841,7 @@ export const auth = betterAuth({
              const now = new Date()
              return {
-                id: `${data.id.toString()}-${crypto.randomUUID()}`,
+                id: `${data.id}-${crypto.randomUUID()}`,
                name: data.email ? data.email.split('@')[0] : 'Airtable User',
                email: data.email || `${data.id}@airtable.user`,
                emailVerified: !!data.email,
@@ -1996,7 +1890,7 @@ export const auth = betterAuth({
              const now = new Date()
              return {
-                id: `${(profile.bot?.owner?.user?.id || profile.id).toString()}-${crypto.randomUUID()}`,
+                id: `${profile.bot?.owner?.user?.id || profile.id}-${crypto.randomUUID()}`,
                name: profile.name || profile.bot?.owner?.user?.name || 'Notion User',
                email: profile.person?.email || `${profile.id}@notion.user`,
                emailVerified: !!profile.person?.email,
@@ -2063,7 +1957,7 @@ export const auth = betterAuth({
              const now = new Date()
              return {
-                id: `${data.id.toString()}-${crypto.randomUUID()}`,
+                id: `${data.id}-${crypto.randomUUID()}`,
                name: data.name || 'Reddit User',
                email: `${data.name}@reddit.user`,
                image: data.icon_img || undefined,
@@ -2135,7 +2029,7 @@ export const auth = betterAuth({
              const viewer = data.viewer
              return {
-                id: `${viewer.id.toString()}-${crypto.randomUUID()}`,
+                id: `${viewer.id}-${crypto.randomUUID()}`,
                email: viewer.email,
                name: viewer.name,
                emailVerified: true,
@@ -2198,7 +2092,7 @@ export const auth = betterAuth({
              const data = await response.json()
              return {
-                id: `${data.account_id.toString()}-${crypto.randomUUID()}`,
+                id: `${data.account_id}-${crypto.randomUUID()}`,
                email: data.email,
                name: data.name?.display_name || data.email,
                emailVerified: data.email_verified || false,
@@ -2249,7 +2143,7 @@ export const auth = betterAuth({
              const now = new Date()
              return {
-                id: `${profile.gid.toString()}-${crypto.randomUUID()}`,
+                id: `${profile.gid}-${crypto.randomUUID()}`,
                name: profile.name || 'Asana User',
                email: profile.email || `${profile.gid}@asana.user`,
                image: profile.photo?.image_128x128 || undefined,
@@ -2484,7 +2378,7 @@ export const auth = betterAuth({
              const profile = await response.json()
              return {
-                id: `${profile.id.toString()}-${crypto.randomUUID()}`,
+                id: `${profile.id}-${crypto.randomUUID()}`,
                name:
                  `${profile.first_name || ''} ${profile.last_name || ''}`.trim() || 'Zoom User',
                email: profile.email || `${profile.id}@zoom.user`,
@@ -2551,7 +2445,7 @@ export const auth = betterAuth({
              const profile = await response.json()
              return {
-                id: `${profile.id.toString()}-${crypto.randomUUID()}`,
+                id: `${profile.id}-${crypto.randomUUID()}`,
                name: profile.display_name || 'Spotify User',
                email: profile.email || `${profile.id}@spotify.user`,
                emailVerified: true,
--- a/apps/sim/lib/auth/credential-access.ts
+++ b/apps/sim/lib/auth/credential-access.ts
@@ -1,6 +1,6 @@
 import { db } from '@sim/db'
-import { account, credential, credentialMember, workflow as workflowTable } from '@sim/db/schema'
+import { account, workflow as workflowTable } from '@sim/db/schema'
-import { and, eq } from 'drizzle-orm'
+import { eq } from 'drizzle-orm'
 import type { NextRequest } from 'next/server'
 import { checkSessionOrInternalAuth } from '@/lib/auth/hybrid'
 import { getUserEntityPermissions } from '@/lib/workspaces/permissions/utils'
@@ -12,14 +12,17 @@ export interface CredentialAccessResult {
  requesterUserId?: string
  credentialOwnerUserId?: string
  workspaceId?: string
  resolvedCredentialId?: string
 }
 /**
- * Centralizes auth + credential membership checks for OAuth usage.
+ * Centralizes auth + collaboration rules for credential use.
- * - Workspace-scoped credential IDs enforce active credential_member access.
+ * - Uses checkSessionOrInternalAuth to authenticate the caller
- * - Legacy account IDs are resolved to workspace-scoped credentials when workflowId is provided.
+ * - Fetches credential owner
- * - Direct legacy account-ID access without workflowId is restricted to account owners only.
+ * - Authorization rules:
 *   - session: allow if requester owns the credential; otherwise require workflowId and
 *     verify BOTH requester and owner have access to the workflow's workspace
 *   - internal_jwt: require workflowId (by default) and verify credential owner has access to the
 *     workflow's workspace (requester identity is the system/workflow)
 */
 export async function authorizeCredentialUse(
  request: NextRequest,
@@ -34,173 +37,71 @@ export async function authorizeCredentialUse(
    return { ok: false, error: auth.error || 'Authentication required' }
  }
-  const [workflowContext] = workflowId
+  // Lookup credential owner
-    ? await db
+  const [credRow] = await db
        .select({ workspaceId: workflowTable.workspaceId })
        .from(workflowTable)
        .where(eq(workflowTable.id, workflowId))
        .limit(1)
    : [null]
  if (workflowId && (!workflowContext || !workflowContext.workspaceId)) {
    return { ok: false, error: 'Workflow not found' }
  }
  const [platformCredential] = await db
    .select({
      id: credential.id,
      workspaceId: credential.workspaceId,
      type: credential.type,
      accountId: credential.accountId,
    })
    .from(credential)
    .where(eq(credential.id, credentialId))
    .limit(1)
  if (platformCredential) {
    if (platformCredential.type !== 'oauth' || !platformCredential.accountId) {
      return { ok: false, error: 'Unsupported credential type for OAuth access' }
    }
    if (workflowContext && workflowContext.workspaceId !== platformCredential.workspaceId) {
      return { ok: false, error: 'Credential is not accessible from this workflow workspace' }
    }
    const [accountRow] = await db
      .select({ userId: account.userId })
      .from(account)
      .where(eq(account.id, platformCredential.accountId))
      .limit(1)
    if (!accountRow) {
      return { ok: false, error: 'Credential account not found' }
    }
    const requesterPerm =
      auth.authType === 'internal_jwt'
        ? null
        : await getUserEntityPermissions(auth.userId, 'workspace', platformCredential.workspaceId)
    if (auth.authType !== 'internal_jwt') {
      const [membership] = await db
        .select({ id: credentialMember.id })
        .from(credentialMember)
        .where(
          and(
            eq(credentialMember.credentialId, platformCredential.id),
            eq(credentialMember.userId, auth.userId),
            eq(credentialMember.status, 'active')
          )
        )
        .limit(1)
      if (!membership || requesterPerm === null) {
        return { ok: false, error: 'Unauthorized' }
      }
    }
    const ownerPerm = await getUserEntityPermissions(
      accountRow.userId,
      'workspace',
      platformCredential.workspaceId
    )
    if (ownerPerm === null) {
      return { ok: false, error: 'Unauthorized' }
    }
    return {
      ok: true,
      authType: auth.authType as CredentialAccessResult['authType'],
      requesterUserId: auth.userId,
      credentialOwnerUserId: accountRow.userId,
      workspaceId: platformCredential.workspaceId,
      resolvedCredentialId: platformCredential.accountId,
    }
  }
  if (workflowContext?.workspaceId) {
    const [workspaceCredential] = await db
      .select({
        id: credential.id,
        workspaceId: credential.workspaceId,
        accountId: credential.accountId,
      })
      .from(credential)
      .where(
        and(
          eq(credential.type, 'oauth'),
          eq(credential.workspaceId, workflowContext.workspaceId),
          eq(credential.accountId, credentialId)
        )
      )
      .limit(1)
    if (!workspaceCredential?.accountId) {
      return { ok: false, error: 'Credential not found' }
    }
    const [accountRow] = await db
      .select({ userId: account.userId })
      .from(account)
      .where(eq(account.id, workspaceCredential.accountId))
      .limit(1)
    if (!accountRow) {
      return { ok: false, error: 'Credential account not found' }
    }
    if (auth.authType !== 'internal_jwt') {
      const [membership] = await db
        .select({ id: credentialMember.id })
        .from(credentialMember)
        .where(
          and(
            eq(credentialMember.credentialId, workspaceCredential.id),
            eq(credentialMember.userId, auth.userId),
            eq(credentialMember.status, 'active')
          )
        )
        .limit(1)
      if (!membership) {
        return { ok: false, error: 'Unauthorized' }
      }
    }
    const ownerPerm = await getUserEntityPermissions(
      accountRow.userId,
      'workspace',
      workflowContext.workspaceId
    )
    if (ownerPerm === null) {
      return { ok: false, error: 'Unauthorized' }
    }
    return {
      ok: true,
      authType: auth.authType as CredentialAccessResult['authType'],
      requesterUserId: auth.userId,
      credentialOwnerUserId: accountRow.userId,
      workspaceId: workflowContext.workspaceId,
      resolvedCredentialId: workspaceCredential.accountId,
    }
  }
  const [legacyAccount] = await db
    .select({ userId: account.userId })
    .from(account)
    .where(eq(account.id, credentialId))
    .limit(1)
-  if (!legacyAccount) {
+  if (!credRow) {
    return { ok: false, error: 'Credential not found' }
  }
-  if (auth.authType === 'internal_jwt') {
+  const credentialOwnerUserId = credRow.userId
  // If requester owns the credential, allow immediately
  if (auth.authType !== 'internal_jwt' && auth.userId === credentialOwnerUserId) {
    return {
      ok: true,
      authType: auth.authType as CredentialAccessResult['authType'],
      requesterUserId: auth.userId,
      credentialOwnerUserId,
    }
  }
  // For collaboration paths, workflowId is required to scope to a workspace
  if (!workflowId) {
    return { ok: false, error: 'workflowId is required' }
  }
-  if (auth.userId !== legacyAccount.userId) {
+  const [wf] = await db
    .select({ workspaceId: workflowTable.workspaceId })
    .from(workflowTable)
    .where(eq(workflowTable.id, workflowId))
    .limit(1)
  if (!wf || !wf.workspaceId) {
    return { ok: false, error: 'Workflow not found' }
  }
  if (auth.authType === 'internal_jwt') {
    // Internal calls: verify credential owner belongs to the workflow's workspace
    const ownerPerm = await getUserEntityPermissions(
      credentialOwnerUserId,
      'workspace',
      wf.workspaceId
    )
    if (ownerPerm === null) {
      return { ok: false, error: 'Unauthorized' }
    }
    return {
      ok: true,
      authType: auth.authType as CredentialAccessResult['authType'],
      requesterUserId: auth.userId,
      credentialOwnerUserId,
      workspaceId: wf.workspaceId,
    }
  }
  // Session: verify BOTH requester and owner belong to the workflow's workspace
  const requesterPerm = await getUserEntityPermissions(auth.userId, 'workspace', wf.workspaceId)
  const ownerPerm = await getUserEntityPermissions(
    credentialOwnerUserId,
    'workspace',
    wf.workspaceId
  )
  if (requesterPerm === null || ownerPerm === null) {
    return { ok: false, error: 'Unauthorized' }
  }
@@ -208,7 +109,7 @@ export async function authorizeCredentialUse(
    ok: true,
    authType: auth.authType as CredentialAccessResult['authType'],
    requesterUserId: auth.userId,
-    credentialOwnerUserId: legacyAccount.userId,
+    credentialOwnerUserId,
-    resolvedCredentialId: credentialId,
+    workspaceId: wf.workspaceId,
  }
 }
--- a/apps/sim/lib/copilot/chat-payload.ts
+++ b/apps/sim/lib/copilot/chat-payload.ts
@@ -20,6 +20,8 @@ export interface BuildPayloadParams {
  fileAttachments?: Array<{ id: string; key: string; size: number; [key: string]: unknown }>
  commands?: string[]
  chatId?: string
  conversationId?: string
  prefetch?: boolean
  implicitFeedback?: string
 }
@@ -64,6 +66,10 @@ export async function buildCopilotRequestPayload(
    fileAttachments,
    commands,
    chatId,
    conversationId,
    prefetch,
    conversationHistory,
    implicitFeedback,
  } = params
  const selectedModel = options.selectedModel
@@ -154,6 +160,12 @@ export async function buildCopilotRequestPayload(
    version: SIM_AGENT_VERSION,
    ...(contexts && contexts.length > 0 ? { context: contexts } : {}),
    ...(chatId ? { chatId } : {}),
    ...(conversationId ? { conversationId } : {}),
    ...(Array.isArray(conversationHistory) && conversationHistory.length > 0
      ? { conversationHistory }
      : {}),
    ...(typeof prefetch === 'boolean' ? { prefetch } : {}),
    ...(implicitFeedback ? { implicitFeedback } : {}),
    ...(processedFileContents.length > 0 ? { fileAttachments: processedFileContents } : {}),
    ...(integrationTools.length > 0 ? { integrationTools } : {}),
    ...(credentials ? { credentials } : {}),
--- a/apps/sim/lib/copilot/client-sse/handlers.ts
+++ b/apps/sim/lib/copilot/client-sse/handlers.ts
@@ -1,22 +1,21 @@
 import { createLogger } from '@sim/logger'
-import { COPILOT_CONFIRM_API_PATH, STREAM_STORAGE_KEY } from '@/lib/copilot/constants'
+import { STREAM_STORAGE_KEY } from '@/lib/copilot/constants'
 import { asRecord } from '@/lib/copilot/orchestrator/sse-utils'
 import type { SSEEvent } from '@/lib/copilot/orchestrator/types'
-import {
+import { isBackgroundState, isRejectedState, isReviewState } from '@/lib/copilot/store-utils'
  isBackgroundState,
  isRejectedState,
  isReviewState,
  resolveToolDisplay,
 } from '@/lib/copilot/store-utils'
 import { ClientToolCallState } from '@/lib/copilot/tools/client/tool-display-registry'
 import type { CopilotStore, CopilotStreamInfo, CopilotToolCall } from '@/stores/panel/copilot/types'
 import { useVariablesStore } from '@/stores/panel/variables/store'
 import { useEnvironmentStore } from '@/stores/settings/environment/store'
 import { useWorkflowDiffStore } from '@/stores/workflow-diff/store'
 import { useWorkflowRegistry } from '@/stores/workflows/registry/store'
 import type { WorkflowState } from '@/stores/workflows/workflow/types'
 import { appendTextBlock, beginThinkingBlock, finalizeThinkingBlock } from './content-blocks'
 import { CLIENT_EXECUTABLE_RUN_TOOLS, executeRunToolOnClient } from './run-tool-execution'
 import {
  extractOperationListFromResultPayload,
  extractToolExecutionMetadata,
  extractToolUiMetadata,
  isWorkflowChangeApplyCall,
  mapServerStateToClientState,
  resolveDisplayFromServerUi,
 } from './tool-call-helpers'
 import { applyToolEffects } from './tool-effects'
 import type { ClientContentBlock, ClientStreamingContext } from './types'
 const logger = createLogger('CopilotClientSseHandlers')
@@ -26,21 +25,11 @@ const MAX_BATCH_INTERVAL = 50
 const MIN_BATCH_INTERVAL = 16
 const MAX_QUEUE_SIZE = 5
-/**
+function isClientRunCapability(toolCall: CopilotToolCall): boolean {
- * Send an auto-accept confirmation to the server for auto-allowed tools.
+  if (toolCall.execution?.target === 'sim_client_capability') {
- * The server-side orchestrator polls Redis for this decision.
+    return toolCall.execution.capabilityId === 'workflow.run' || !toolCall.execution.capabilityId
- */
+  }
-export function sendAutoAcceptConfirmation(toolCallId: string): void {
+  return CLIENT_EXECUTABLE_RUN_TOOLS.has(toolCall.name)
  fetch(COPILOT_CONFIRM_API_PATH, {
    method: 'POST',
    headers: { 'Content-Type': 'application/json' },
    body: JSON.stringify({ toolCallId, status: 'accepted' }),
  }).catch((error) => {
    logger.warn('Failed to send auto-accept confirmation', {
      toolCallId,
      error: error instanceof Error ? error.message : String(error),
    })
  })
 }
 function writeActiveStreamToStorage(info: CopilotStreamInfo | null): void {
@@ -230,28 +219,86 @@ export const sseHandlers: Record<string, SSEHandler> = {
    }
  },
  title_updated: (_data, _context, get, set) => {
-    const title = _data.title
+    const title = typeof _data.title === 'string' ? _data.title.trim() : ''
-    if (!title) return
+    const eventChatId = typeof _data.chatId === 'string' ? _data.chatId : undefined
    const { currentChat, chats } = get()
-    if (currentChat) {
+
-      set({
+    logger.info('[Title] Received title_updated SSE event', {
-        currentChat: { ...currentChat, title },
+      eventTitle: title,
-        chats: chats.map((c) => (c.id === currentChat.id ? { ...c, title } : c)),
+      eventChatId: eventChatId || null,
      currentChatId: currentChat?.id || null,
      currentChatTitle: currentChat?.title || null,
      chatCount: chats.length,
    })
    if (!title) {
      logger.warn('[Title] Ignoring title_updated event with empty title', {
        payload: _data,
      })
      return
    }
    if (!currentChat) {
      logger.warn('[Title] Received title_updated event without an active currentChat', {
        eventChatId: eventChatId || null,
        title,
      })
      return
    }
    const targetChatId = eventChatId || currentChat.id
    if (eventChatId && eventChatId !== currentChat.id) {
      logger.warn('[Title] title_updated event chatId does not match currentChat', {
        eventChatId,
        currentChatId: currentChat.id,
      })
    }
    set({
      currentChat:
        currentChat.id === targetChatId
          ? {
              ...currentChat,
              title,
            }
          : currentChat,
      chats: chats.map((c) => (c.id === targetChatId ? { ...c, title } : c)),
    })
    const updatedState = get()
    logger.info('[Title] Applied title_updated event to copilot store', {
      targetChatId,
      renderedCurrentChatId: updatedState.currentChat?.id || null,
      renderedCurrentChatTitle: updatedState.currentChat?.title || null,
      chatListTitle: updatedState.chats.find((c) => c.id === targetChatId)?.title || null,
    })
  },
  tool_result: (data, context, get, set) => {
    try {
      const eventData = asRecord(data?.data)
      const toolCallId: string | undefined =
-        data?.toolCallId || (eventData.id as string | undefined)
+        data?.toolCallId ||
        (eventData.id as string | undefined) ||
        (eventData.callId as string | undefined)
      const success: boolean | undefined = data?.success
      const failedDependency: boolean = data?.failedDependency === true
      const resultObj = asRecord(data?.result)
      const skipped: boolean = resultObj.skipped === true
      if (!toolCallId) return
      const uiMetadata = extractToolUiMetadata(eventData)
      const executionMetadata = extractToolExecutionMetadata(eventData)
      const serverState = (eventData.state as string | undefined) || undefined
      const targetState = serverState
        ? mapServerStateToClientState(serverState)
        : success
          ? ClientToolCallState.success
          : failedDependency || skipped
            ? ClientToolCallState.rejected
            : ClientToolCallState.error
      const resultPayload = asRecord(data?.result || eventData.result || eventData.data || data?.data)
      const { toolCallsById } = get()
      const current = toolCallsById[toolCallId]
      let paramsForCurrentToolCall: Record<string, unknown> | undefined = current?.params
      if (current) {
        if (
          isRejectedState(current.state) ||
@@ -260,16 +307,33 @@ export const sseHandlers: Record<string, SSEHandler> = {
        ) {
          return
        }
-        const targetState = success
+        if (
-          ? ClientToolCallState.success
+          targetState === ClientToolCallState.success &&
-          : failedDependency || skipped
+          isWorkflowChangeApplyCall(current.name, paramsForCurrentToolCall)
-            ? ClientToolCallState.rejected
+        ) {
-            : ClientToolCallState.error
+          const operations = extractOperationListFromResultPayload(resultPayload || {})
          if (operations && operations.length > 0) {
            paramsForCurrentToolCall = {
              ...(current.params || {}),
              operations,
            }
          }
        }
        const updatedMap = { ...toolCallsById }
        updatedMap[toolCallId] = {
          ...current,
          ui: uiMetadata || current.ui,
          execution: executionMetadata || current.execution,
          params: paramsForCurrentToolCall,
          state: targetState,
-          display: resolveToolDisplay(current.name, targetState, current.id, current.params),
+          display: resolveDisplayFromServerUi(
            current.name,
            targetState,
            current.id,
            paramsForCurrentToolCall,
            uiMetadata || current.ui
          ),
        }
        set({ toolCallsById: updatedMap })
@@ -312,138 +376,11 @@ export const sseHandlers: Record<string, SSEHandler> = {
          }
        }
-        if (current.name === 'edit_workflow') {
+        applyToolEffects({
-          try {
+          effectsRaw: eventData.effects,
-            const resultPayload = asRecord(
+          toolCall: updatedMap[toolCallId],
-              data?.result || eventData.result || eventData.data || data?.data
+          resultPayload,
-            )
+        })
            const workflowState = asRecord(resultPayload?.workflowState)
            const hasWorkflowState = !!resultPayload?.workflowState
            logger.info('[SSE] edit_workflow result received', {
              hasWorkflowState,
              blockCount: hasWorkflowState ? Object.keys(workflowState.blocks ?? {}).length : 0,
              edgeCount: Array.isArray(workflowState.edges) ? workflowState.edges.length : 0,
            })
            if (hasWorkflowState) {
              const diffStore = useWorkflowDiffStore.getState()
              diffStore
                .setProposedChanges(resultPayload.workflowState as WorkflowState)
                .catch((err) => {
                  logger.error('[SSE] Failed to apply edit_workflow diff', {
                    error: err instanceof Error ? err.message : String(err),
                  })
                })
            }
          } catch (err) {
            logger.error('[SSE] edit_workflow result handling failed', {
              error: err instanceof Error ? err.message : String(err),
            })
          }
        }
        // Deploy tools: update deployment status in workflow registry
        if (
          targetState === ClientToolCallState.success &&
          (current.name === 'deploy_api' ||
            current.name === 'deploy_chat' ||
            current.name === 'deploy_mcp' ||
            current.name === 'redeploy')
        ) {
          try {
            const resultPayload = asRecord(
              data?.result || eventData.result || eventData.data || data?.data
            )
            const input = asRecord(current.params)
            const workflowId =
              (resultPayload?.workflowId as string) ||
              (input?.workflowId as string) ||
              useWorkflowRegistry.getState().activeWorkflowId
            const isDeployed = resultPayload?.isDeployed !== false
            if (workflowId) {
              useWorkflowRegistry
                .getState()
                .setDeploymentStatus(workflowId, isDeployed, isDeployed ? new Date() : undefined)
              logger.info('[SSE] Updated deployment status from tool result', {
                toolName: current.name,
                workflowId,
                isDeployed,
              })
            }
          } catch (err) {
            logger.warn('[SSE] Failed to hydrate deployment status', {
              error: err instanceof Error ? err.message : String(err),
            })
          }
        }
        // Environment variables: reload store after successful set
        if (
          targetState === ClientToolCallState.success &&
          current.name === 'set_environment_variables'
        ) {
          try {
            useEnvironmentStore.getState().loadEnvironmentVariables()
            logger.info('[SSE] Triggered environment variables reload')
          } catch (err) {
            logger.warn('[SSE] Failed to reload environment variables', {
              error: err instanceof Error ? err.message : String(err),
            })
          }
        }
        // Workflow variables: reload store after successful set
        if (
          targetState === ClientToolCallState.success &&
          current.name === 'set_global_workflow_variables'
        ) {
          try {
            const input = asRecord(current.params)
            const workflowId =
              (input?.workflowId as string) || useWorkflowRegistry.getState().activeWorkflowId
            if (workflowId) {
              useVariablesStore.getState().loadForWorkflow(workflowId)
              logger.info('[SSE] Triggered workflow variables reload', { workflowId })
            }
          } catch (err) {
            logger.warn('[SSE] Failed to reload workflow variables', {
              error: err instanceof Error ? err.message : String(err),
            })
          }
        }
        // Generate API key: update deployment status with the new key
        if (targetState === ClientToolCallState.success && current.name === 'generate_api_key') {
          try {
            const resultPayload = asRecord(
              data?.result || eventData.result || eventData.data || data?.data
            )
            const input = asRecord(current.params)
            const workflowId =
              (input?.workflowId as string) || useWorkflowRegistry.getState().activeWorkflowId
            const apiKey = (resultPayload?.apiKey || resultPayload?.key) as string | undefined
            if (workflowId) {
              const existingStatus = useWorkflowRegistry
                .getState()
                .getWorkflowDeploymentStatus(workflowId)
              useWorkflowRegistry
                .getState()
                .setDeploymentStatus(
                  workflowId,
                  existingStatus?.isDeployed ?? false,
                  existingStatus?.deployedAt,
                  apiKey
                )
              logger.info('[SSE] Updated deployment status with API key', {
                workflowId,
                hasKey: !!apiKey,
              })
            }
          } catch (err) {
            logger.warn('[SSE] Failed to hydrate API key status', {
              error: err instanceof Error ? err.message : String(err),
            })
          }
        }
      }
      for (let i = 0; i < context.contentBlocks.length; i++) {
@@ -460,16 +397,24 @@ export const sseHandlers: Record<string, SSEHandler> = {
            : failedDependency || skipped
              ? ClientToolCallState.rejected
              : ClientToolCallState.error
          const paramsForBlock =
            b.toolCall?.id === toolCallId
              ? paramsForCurrentToolCall || b.toolCall?.params
              : b.toolCall?.params
          context.contentBlocks[i] = {
            ...b,
            toolCall: {
              ...b.toolCall,
              params: paramsForBlock,
              ui: uiMetadata || b.toolCall?.ui,
              execution: executionMetadata || b.toolCall?.execution,
              state: targetState,
-              display: resolveToolDisplay(
+              display: resolveDisplayFromServerUi(
                b.toolCall?.name,
                targetState,
                toolCallId,
-                b.toolCall?.params
+                paramsForBlock,
                uiMetadata || b.toolCall?.ui
              ),
            },
          }
@@ -487,7 +432,9 @@ export const sseHandlers: Record<string, SSEHandler> = {
    try {
      const errorData = asRecord(data?.data)
      const toolCallId: string | undefined =
-        data?.toolCallId || (errorData.id as string | undefined)
+        data?.toolCallId ||
        (errorData.id as string | undefined) ||
        (errorData.callId as string | undefined)
      const failedDependency: boolean = data?.failedDependency === true
      if (!toolCallId) return
      const { toolCallsById } = get()
@@ -500,14 +447,26 @@ export const sseHandlers: Record<string, SSEHandler> = {
        ) {
          return
        }
-        const targetState = failedDependency
+        const targetState = errorData.state
-          ? ClientToolCallState.rejected
+          ? mapServerStateToClientState(errorData.state)
-          : ClientToolCallState.error
+          : failedDependency
            ? ClientToolCallState.rejected
            : ClientToolCallState.error
        const uiMetadata = extractToolUiMetadata(errorData)
        const executionMetadata = extractToolExecutionMetadata(errorData)
        const updatedMap = { ...toolCallsById }
        updatedMap[toolCallId] = {
          ...current,
          ui: uiMetadata || current.ui,
          execution: executionMetadata || current.execution,
          state: targetState,
-          display: resolveToolDisplay(current.name, targetState, current.id, current.params),
+          display: resolveDisplayFromServerUi(
            current.name,
            targetState,
            current.id,
            current.params,
            uiMetadata || current.ui
          ),
        }
        set({ toolCallsById: updatedMap })
      }
@@ -520,19 +479,26 @@ export const sseHandlers: Record<string, SSEHandler> = {
            isBackgroundState(b.toolCall?.state)
          )
            break
-          const targetState = failedDependency
+          const targetState = errorData.state
-            ? ClientToolCallState.rejected
+            ? mapServerStateToClientState(errorData.state)
-            : ClientToolCallState.error
+            : failedDependency
              ? ClientToolCallState.rejected
              : ClientToolCallState.error
          const uiMetadata = extractToolUiMetadata(errorData)
          const executionMetadata = extractToolExecutionMetadata(errorData)
          context.contentBlocks[i] = {
            ...b,
            toolCall: {
              ...b.toolCall,
              ui: uiMetadata || b.toolCall?.ui,
              execution: executionMetadata || b.toolCall?.execution,
              state: targetState,
-              display: resolveToolDisplay(
+              display: resolveDisplayFromServerUi(
                b.toolCall?.name,
                targetState,
                toolCallId,
-                b.toolCall?.params
+                b.toolCall?.params,
                uiMetadata || b.toolCall?.ui
              ),
            },
          }
@@ -547,20 +513,28 @@ export const sseHandlers: Record<string, SSEHandler> = {
    }
  },
  tool_generating: (data, context, get, set) => {
-    const { toolCallId, toolName } = data
+    const eventData = asRecord(data?.data)
    const toolCallId =
      data?.toolCallId ||
      (eventData.id as string | undefined) ||
      (eventData.callId as string | undefined)
    const toolName =
      data?.toolName ||
      (eventData.name as string | undefined) ||
      (eventData.toolName as string | undefined)
    if (!toolCallId || !toolName) return
    const { toolCallsById } = get()
    if (!toolCallsById[toolCallId]) {
-      const isAutoAllowed = get().isToolAutoAllowed(toolName)
+      const initialState = ClientToolCallState.generating
-      const initialState = isAutoAllowed
+      const uiMetadata = extractToolUiMetadata(eventData)
        ? ClientToolCallState.executing
        : ClientToolCallState.pending
      const tc: CopilotToolCall = {
        id: toolCallId,
        name: toolName,
        state: initialState,
-        display: resolveToolDisplay(toolName, initialState, toolCallId),
+        ui: uiMetadata,
        execution: extractToolExecutionMetadata(eventData),
        display: resolveDisplayFromServerUi(toolName, initialState, toolCallId, undefined, uiMetadata),
      }
      const updated = { ...toolCallsById, [toolCallId]: tc }
      set({ toolCallsById: updated })
@@ -572,17 +546,27 @@ export const sseHandlers: Record<string, SSEHandler> = {
  },
  tool_call: (data, context, get, set) => {
    const toolData = asRecord(data?.data)
-    const id: string | undefined = (toolData.id as string | undefined) || data?.toolCallId
+    const id: string | undefined =
-    const name: string | undefined = (toolData.name as string | undefined) || data?.toolName
+      (toolData.id as string | undefined) ||
      (toolData.callId as string | undefined) ||
      data?.toolCallId
    const name: string | undefined =
      (toolData.name as string | undefined) ||
      (toolData.toolName as string | undefined) ||
      data?.toolName
    if (!id) return
    const args = toolData.arguments as Record<string, unknown> | undefined
    const isPartial = toolData.partial === true
    const uiMetadata = extractToolUiMetadata(toolData)
    const executionMetadata = extractToolExecutionMetadata(toolData)
    const serverState = toolData.state
    const { toolCallsById } = get()
    const existing = toolCallsById[id]
    const toolName = name || existing?.name || 'unknown_tool'
-    const isAutoAllowed = get().isToolAutoAllowed(toolName)
+    let initialState = serverState
-    let initialState = isAutoAllowed ? ClientToolCallState.executing : ClientToolCallState.pending
+      ? mapServerStateToClientState(serverState)
      : ClientToolCallState.pending
    // Avoid flickering back to pending on partial/duplicate events once a tool is executing.
    if (
@@ -597,15 +581,25 @@ export const sseHandlers: Record<string, SSEHandler> = {
          ...existing,
          name: toolName,
          state: initialState,
          ui: uiMetadata || existing.ui,
          execution: executionMetadata || existing.execution,
          ...(args ? { params: args } : {}),
-          display: resolveToolDisplay(toolName, initialState, id, args || existing.params),
+          display: resolveDisplayFromServerUi(
            toolName,
            initialState,
            id,
            args || existing.params,
            uiMetadata || existing.ui
          ),
        }
      : {
          id,
          name: toolName,
          state: initialState,
          ui: uiMetadata,
          execution: executionMetadata,
          ...(args ? { params: args } : {}),
-          display: resolveToolDisplay(toolName, initialState, id, args),
+          display: resolveDisplayFromServerUi(toolName, initialState, id, args, uiMetadata),
        }
    const updated = { ...toolCallsById, [id]: next }
    set({ toolCallsById: updated })
@@ -618,20 +612,12 @@ export const sseHandlers: Record<string, SSEHandler> = {
      return
    }
-    // Auto-allowed tools: send confirmation to the server so it can proceed
+    const shouldInterrupt = next.ui?.showInterrupt === true
    // without waiting for the user to click "Allow".
    if (isAutoAllowed) {
      sendAutoAcceptConfirmation(id)
    }
-    // Client-executable run tools: execute on the client for real-time feedback
+    // Client-run capability: execution is delegated to the browser.
-    // (block pulsing, console logs, stop button). The server defers execution
+    // We run immediately only when no interrupt is required.
-    // for these tools in interactive mode; the client reports back via mark-complete.
+    if (isClientRunCapability(next) && !shouldInterrupt) {
-    if (
+      executeRunToolOnClient(id, toolName, args || next.params || {})
      CLIENT_EXECUTABLE_RUN_TOOLS.has(toolName) &&
      initialState === ClientToolCallState.executing
    ) {
      executeRunToolOnClient(id, toolName, args || existing?.params || {})
    }
    // OAuth: dispatch event to open the OAuth connect modal
--- a/apps/sim/lib/copilot/client-sse/run-tool-execution.ts
+++ b/apps/sim/lib/copilot/client-sse/run-tool-execution.ts
@@ -15,10 +15,7 @@ const logger = createLogger('CopilotRunToolExecution')
 * (block pulsing, logs, stop button, etc.).
 */
 export const CLIENT_EXECUTABLE_RUN_TOOLS = new Set([
-  'run_workflow',
+  'workflow_run',
  'run_workflow_until_block',
  'run_from_block',
  'run_block',
 ])
 /**
@@ -74,21 +71,44 @@ async function doExecuteRunTool(
    | Record<string, unknown>
    | undefined
  const runMode =
    toolName === 'workflow_run' ? ((params.mode as string | undefined) || 'full').toLowerCase() : undefined
  if (
    toolName === 'workflow_run' &&
    runMode !== 'full' &&
    runMode !== 'until_block' &&
    runMode !== 'from_block' &&
    runMode !== 'block'
  ) {
    const error = `Unsupported workflow_run mode: ${String(params.mode)}`
    logger.warn('[RunTool] Execution prevented: unsupported workflow_run mode', {
      toolCallId,
      mode: params.mode,
    })
    setToolState(toolCallId, ClientToolCallState.error)
    await reportCompletion(toolCallId, false, error)
    return
  }
  const stopAfterBlockId = (() => {
-    if (toolName === 'run_workflow_until_block')
+    if (toolName === 'workflow_run' && runMode === 'until_block') {
      return params.stopAfterBlockId as string | undefined
-    if (toolName === 'run_block') return params.blockId as string | undefined
+    }
    if (toolName === 'workflow_run' && runMode === 'block') {
      return params.blockId as string | undefined
    }
    return undefined
  })()
  const runFromBlock = (() => {
-    if (toolName === 'run_from_block' && params.startBlockId) {
+    if (toolName === 'workflow_run' && runMode === 'from_block' && params.startBlockId) {
      return {
        startBlockId: params.startBlockId as string,
        executionId: (params.executionId as string | undefined) || 'latest',
      }
    }
-    if (toolName === 'run_block' && params.blockId) {
+    if (toolName === 'workflow_run' && runMode === 'block' && params.blockId) {
      return {
        startBlockId: params.blockId as string,
        executionId: (params.executionId as string | undefined) || 'latest',
--- a/apps/sim/lib/copilot/client-sse/subagent-handlers.ts
+++ b/apps/sim/lib/copilot/client-sse/subagent-handlers.ts
@@ -6,16 +6,23 @@ import {
  shouldSkipToolResultEvent,
 } from '@/lib/copilot/orchestrator/sse-utils'
 import type { SSEEvent } from '@/lib/copilot/orchestrator/types'
 import { resolveToolDisplay } from '@/lib/copilot/store-utils'
 import { ClientToolCallState } from '@/lib/copilot/tools/client/tool-display-registry'
 import type { CopilotStore, CopilotToolCall } from '@/stores/panel/copilot/types'
 import {
  type SSEHandler,
  sendAutoAcceptConfirmation,
  sseHandlers,
  updateStreamingMessage,
 } from './handlers'
 import { CLIENT_EXECUTABLE_RUN_TOOLS, executeRunToolOnClient } from './run-tool-execution'
 import {
  extractOperationListFromResultPayload,
  extractToolExecutionMetadata,
  extractToolUiMetadata,
  isWorkflowChangeApplyCall,
  mapServerStateToClientState,
  resolveDisplayFromServerUi,
 } from './tool-call-helpers'
 import { applyToolEffects } from './tool-effects'
 import type { ClientStreamingContext } from './types'
 const logger = createLogger('CopilotClientSubagentHandlers')
@@ -24,6 +31,13 @@ type StoreSet = (
  partial: Partial<CopilotStore> | ((state: CopilotStore) => Partial<CopilotStore>)
 ) => void
 function isClientRunCapability(toolCall: CopilotToolCall): boolean {
  if (toolCall.execution?.target === 'sim_client_capability') {
    return toolCall.execution.capabilityId === 'workflow.run' || !toolCall.execution.capabilityId
  }
  return CLIENT_EXECUTABLE_RUN_TOOLS.has(toolCall.name)
 }
 export function appendSubAgentContent(
  context: ClientStreamingContext,
  parentToolCallId: string,
@@ -164,6 +178,8 @@ export const subAgentSSEHandlers: Record<string, SSEHandler> = {
    const name: string | undefined = (toolData.name as string | undefined) || data?.toolName
    if (!id || !name) return
    const isPartial = toolData.partial === true
    const uiMetadata = extractToolUiMetadata(toolData)
    const executionMetadata = extractToolExecutionMetadata(toolData)
    let args: Record<string, unknown> | undefined = (toolData.arguments || toolData.input) as
      | Record<string, unknown>
@@ -199,9 +215,10 @@ export const subAgentSSEHandlers: Record<string, SSEHandler> = {
    const existingToolCall =
      existingIndex >= 0 ? context.subAgentToolCalls[parentToolCallId][existingIndex] : undefined
-    // Auto-allowed tools skip pending state to avoid flashing interrupt buttons
+    const serverState = toolData.state
-    const isAutoAllowed = get().isToolAutoAllowed(name)
+    let initialState = serverState
-    let initialState = isAutoAllowed ? ClientToolCallState.executing : ClientToolCallState.pending
+      ? mapServerStateToClientState(serverState)
      : ClientToolCallState.pending
    // Avoid flickering back to pending on partial/duplicate events once a tool is executing.
    if (
@@ -215,8 +232,10 @@ export const subAgentSSEHandlers: Record<string, SSEHandler> = {
      id,
      name,
      state: initialState,
      ui: uiMetadata,
      execution: executionMetadata,
      ...(args ? { params: args } : {}),
-      display: resolveToolDisplay(name, initialState, id, args),
+      display: resolveDisplayFromServerUi(name, initialState, id, args, uiMetadata),
    }
    if (existingIndex >= 0) {
@@ -241,16 +260,11 @@ export const subAgentSSEHandlers: Record<string, SSEHandler> = {
      return
    }
-    // Auto-allowed tools: send confirmation to the server so it can proceed
+    const shouldInterrupt = subAgentToolCall.ui?.showInterrupt === true
    // without waiting for the user to click "Allow".
    if (isAutoAllowed) {
      sendAutoAcceptConfirmation(id)
    }
-    // Client-executable run tools: if auto-allowed, execute immediately for
+    // Client-run capability: execution is delegated to the browser.
-    // real-time feedback. For non-auto-allowed, the user must click "Allow"
+    // Execute immediately only for non-interrupting calls.
-    // first — handleRun in tool-call.tsx triggers executeRunToolOnClient.
+    if (isClientRunCapability(subAgentToolCall) && !shouldInterrupt) {
    if (CLIENT_EXECUTABLE_RUN_TOOLS.has(name) && isAutoAllowed) {
      executeRunToolOnClient(id, name, args || {})
    }
  },
@@ -275,17 +289,51 @@ export const subAgentSSEHandlers: Record<string, SSEHandler> = {
    if (!context.subAgentToolCalls[parentToolCallId]) return
    if (!context.subAgentBlocks[parentToolCallId]) return
-    const targetState = success ? ClientToolCallState.success : ClientToolCallState.error
+    const serverState = resultData.state
    const targetState = serverState
      ? mapServerStateToClientState(serverState)
      : success
        ? ClientToolCallState.success
        : ClientToolCallState.error
    const uiMetadata = extractToolUiMetadata(resultData)
    const executionMetadata = extractToolExecutionMetadata(resultData)
    const existingIndex = context.subAgentToolCalls[parentToolCallId].findIndex(
      (tc: CopilotToolCall) => tc.id === toolCallId
    )
    if (existingIndex >= 0) {
      const existing = context.subAgentToolCalls[parentToolCallId][existingIndex]
      let nextParams = existing.params
      const resultPayload = asRecord(
        data?.result || resultData.result || resultData.data || data?.data
      )
      if (
        targetState === ClientToolCallState.success &&
        isWorkflowChangeApplyCall(existing.name, existing.params as Record<string, unknown>) &&
        resultPayload
      ) {
        const operations = extractOperationListFromResultPayload(resultPayload)
        if (operations && operations.length > 0) {
          nextParams = {
            ...(existing.params || {}),
            operations,
          }
        }
      }
      const updatedSubAgentToolCall = {
        ...existing,
        params: nextParams,
        ui: uiMetadata || existing.ui,
        execution: executionMetadata || existing.execution,
        state: targetState,
-        display: resolveToolDisplay(existing.name, targetState, toolCallId, existing.params),
+        display: resolveDisplayFromServerUi(
          existing.name,
          targetState,
          toolCallId,
          nextParams,
          uiMetadata || existing.ui
        ),
      }
      context.subAgentToolCalls[parentToolCallId][existingIndex] = updatedSubAgentToolCall
@@ -309,6 +357,12 @@ export const subAgentSSEHandlers: Record<string, SSEHandler> = {
          state: targetState,
        })
      }
      applyToolEffects({
        effectsRaw: resultData.effects,
        toolCall: updatedSubAgentToolCall,
        resultPayload,
      })
    }
    updateToolCallWithSubAgentData(context, get, set, parentToolCallId)
--- a/apps/sim/lib/copilot/client-sse/tool-call-helpers.ts
+++ b/apps/sim/lib/copilot/client-sse/tool-call-helpers.ts
@@ -0,0 +1,134 @@
 import { asRecord } from '@/lib/copilot/orchestrator/sse-utils'
 import { humanizedFallback, resolveToolDisplay } from '@/lib/copilot/store-utils'
 import { ClientToolCallState } from '@/lib/copilot/tools/client/tool-display-registry'
 import type { CopilotToolCall } from '@/stores/panel/copilot/types'
 export function mapServerStateToClientState(state: unknown): ClientToolCallState {
  switch (String(state || '')) {
    case 'generating':
      return ClientToolCallState.generating
    case 'pending':
    case 'awaiting_approval':
      return ClientToolCallState.pending
    case 'executing':
      return ClientToolCallState.executing
    case 'success':
      return ClientToolCallState.success
    case 'rejected':
    case 'skipped':
      return ClientToolCallState.rejected
    case 'aborted':
      return ClientToolCallState.aborted
    case 'error':
    case 'failed':
      return ClientToolCallState.error
    default:
      return ClientToolCallState.pending
  }
 }
 export function extractToolUiMetadata(
  data: Record<string, unknown>
 ): CopilotToolCall['ui'] | undefined {
  const ui = asRecord(data.ui)
  if (!ui || Object.keys(ui).length === 0) return undefined
  const autoAllowedFromUi = ui.autoAllowed === true
  const autoAllowedFromData = data.autoAllowed === true
  return {
    title: typeof ui.title === 'string' ? ui.title : undefined,
    phaseLabel: typeof ui.phaseLabel === 'string' ? ui.phaseLabel : undefined,
    icon: typeof ui.icon === 'string' ? ui.icon : undefined,
    showInterrupt: ui.showInterrupt === true,
    showRemember: ui.showRemember === true,
    autoAllowed: autoAllowedFromUi || autoAllowedFromData,
    actions: Array.isArray(ui.actions)
      ? ui.actions
          .map((action) => {
            const a = asRecord(action)
            const id = typeof a.id === 'string' ? a.id : undefined
            const label = typeof a.label === 'string' ? a.label : undefined
            const kind: 'accept' | 'reject' = a.kind === 'reject' ? 'reject' : 'accept'
            if (!id || !label) return null
            return {
              id,
              label,
              kind,
              remember: a.remember === true,
            }
          })
          .filter((a): a is NonNullable<typeof a> => !!a)
      : undefined,
  }
 }
 export function extractToolExecutionMetadata(
  data: Record<string, unknown>
 ): CopilotToolCall['execution'] | undefined {
  const execution = asRecord(data.execution)
  if (!execution || Object.keys(execution).length === 0) return undefined
  return {
    target: typeof execution.target === 'string' ? execution.target : undefined,
    capabilityId: typeof execution.capabilityId === 'string' ? execution.capabilityId : undefined,
  }
 }
 function displayVerb(state: ClientToolCallState): string {
  switch (state) {
    case ClientToolCallState.success:
      return 'Completed'
    case ClientToolCallState.error:
      return 'Failed'
    case ClientToolCallState.rejected:
      return 'Skipped'
    case ClientToolCallState.aborted:
      return 'Aborted'
    case ClientToolCallState.generating:
      return 'Preparing'
    case ClientToolCallState.pending:
      return 'Waiting'
    default:
      return 'Running'
  }
 }
 export function resolveDisplayFromServerUi(
  toolName: string,
  state: ClientToolCallState,
  toolCallId: string,
  params: Record<string, unknown> | undefined,
  ui?: CopilotToolCall['ui']
 ) {
  const fallback =
    resolveToolDisplay(toolName, state, toolCallId, params) ||
    humanizedFallback(toolName, state)
  if (!fallback) return undefined
  if (ui?.phaseLabel) {
    return { text: ui.phaseLabel, icon: fallback.icon }
  }
  if (ui?.title) {
    return { text: `${displayVerb(state)} ${ui.title}`, icon: fallback.icon }
  }
  return fallback
 }
 export function isWorkflowChangeApplyCall(
  toolName?: string,
  params?: Record<string, unknown>
 ): boolean {
  if (toolName !== 'workflow_change') return false
  const mode = typeof params?.mode === 'string' ? params.mode.toLowerCase() : ''
  if (mode === 'apply') return true
  return typeof params?.proposalId === 'string' && params.proposalId.length > 0
 }
 export function extractOperationListFromResultPayload(
  resultPayload: Record<string, unknown>
 ): Array<Record<string, unknown>> | undefined {
  const operations = resultPayload.operations
  if (Array.isArray(operations)) return operations as Array<Record<string, unknown>>
  const compiled = resultPayload.compiledOperations
  if (Array.isArray(compiled)) return compiled as Array<Record<string, unknown>>
  return undefined
 }
--- a/apps/sim/lib/copilot/client-sse/tool-effects.ts
+++ b/apps/sim/lib/copilot/client-sse/tool-effects.ts
@@ -0,0 +1,175 @@
 import { createLogger } from '@sim/logger'
 import { asRecord } from '@/lib/copilot/orchestrator/sse-utils'
 import type { CopilotToolCall } from '@/stores/panel/copilot/types'
 import { useVariablesStore } from '@/stores/panel/variables/store'
 import { useEnvironmentStore } from '@/stores/settings/environment/store'
 import { useWorkflowDiffStore } from '@/stores/workflow-diff/store'
 import { useWorkflowRegistry } from '@/stores/workflows/registry/store'
 import type { WorkflowState } from '@/stores/workflows/workflow/types'
 const logger = createLogger('CopilotToolEffects')
 type ParsedToolEffect = {
  kind: string
  payload: Record<string, unknown>
 }
 function parseToolEffects(raw: unknown): ParsedToolEffect[] {
  if (!Array.isArray(raw)) return []
  const effects: ParsedToolEffect[] = []
  for (const item of raw) {
    const effect = asRecord(item)
    const kind = typeof effect.kind === 'string' ? effect.kind : ''
    if (!kind) continue
    effects.push({
      kind,
      payload: asRecord(effect.payload) || {},
    })
  }
  return effects
 }
 function resolveWorkflowId(
  payload: Record<string, unknown>,
  toolCall?: CopilotToolCall
 ): string | undefined {
  const payloadWorkflowId = typeof payload.workflowId === 'string' ? payload.workflowId : undefined
  if (payloadWorkflowId) return payloadWorkflowId
  const params = asRecord(toolCall?.params)
  const paramWorkflowId = typeof params?.workflowId === 'string' ? params.workflowId : undefined
  if (paramWorkflowId) return paramWorkflowId
  return useWorkflowRegistry.getState().activeWorkflowId || undefined
 }
 function resolveWorkflowState(
  payload: Record<string, unknown>,
  resultPayload?: Record<string, unknown>
 ): WorkflowState | null {
  const payloadState = asRecord(payload.workflowState)
  if (payloadState) return payloadState as unknown as WorkflowState
  if (resultPayload) {
    const directState = asRecord(resultPayload.workflowState)
    if (directState) return directState as unknown as WorkflowState
    const editResult = asRecord(resultPayload.editResult)
    const nestedState = asRecord(editResult?.workflowState)
    if (nestedState) return nestedState as unknown as WorkflowState
  }
  return null
 }
 function applyDeploymentSyncEffect(payload: Record<string, unknown>, toolCall?: CopilotToolCall): void {
  const workflowId = resolveWorkflowId(payload, toolCall)
  if (!workflowId) return
  const registry = useWorkflowRegistry.getState()
  const existingStatus = registry.getWorkflowDeploymentStatus(workflowId)
  const isDeployed =
    typeof payload.isDeployed === 'boolean'
      ? payload.isDeployed
      : (existingStatus?.isDeployed ?? true)
  const deployedAt = (() => {
    if (typeof payload.deployedAt === 'string' && payload.deployedAt) {
      const parsed = new Date(payload.deployedAt)
      if (!Number.isNaN(parsed.getTime())) return parsed
    }
    return existingStatus?.deployedAt
  })()
  const apiKey =
    typeof payload.apiKey === 'string' && payload.apiKey.length > 0
      ? payload.apiKey
      : existingStatus?.apiKey
  registry.setDeploymentStatus(workflowId, isDeployed, deployedAt, apiKey)
 }
 function applyApiKeySyncEffect(payload: Record<string, unknown>, toolCall?: CopilotToolCall): void {
  const workflowId = resolveWorkflowId(payload, toolCall)
  if (!workflowId) return
  const apiKey = typeof payload.apiKey === 'string' ? payload.apiKey : undefined
  const registry = useWorkflowRegistry.getState()
  const existingStatus = registry.getWorkflowDeploymentStatus(workflowId)
  registry.setDeploymentStatus(
    workflowId,
    existingStatus?.isDeployed ?? false,
    existingStatus?.deployedAt,
    apiKey || existingStatus?.apiKey
  )
 }
 function applyWorkflowVariablesReload(
  payload: Record<string, unknown>,
  toolCall?: CopilotToolCall
 ): void {
  const workflowId = resolveWorkflowId(payload, toolCall)
  if (!workflowId) return
  useVariablesStore.getState().loadForWorkflow(workflowId)
 }
 export function applyToolEffects(params: {
  effectsRaw: unknown
  toolCall?: CopilotToolCall
  resultPayload?: Record<string, unknown>
 }): void {
  const effects = parseToolEffects(params.effectsRaw)
  if (effects.length === 0) {
    if (params.toolCall?.name === 'workflow_change' && params.resultPayload) {
      const workflowState = resolveWorkflowState({}, params.resultPayload)
      if (!workflowState) return
      useWorkflowDiffStore
        .getState()
        .setProposedChanges(workflowState)
        .catch((error) => {
          logger.error('Failed to apply fallback workflow diff from result payload', {
            error: error instanceof Error ? error.message : String(error),
          })
        })
    }
    return
  }
  for (const effect of effects) {
    switch (effect.kind) {
      case 'workflow.diff.proposed': {
        const workflowState = resolveWorkflowState(effect.payload, params.resultPayload)
        if (!workflowState) break
        useWorkflowDiffStore
          .getState()
          .setProposedChanges(workflowState)
          .catch((error) => {
            logger.error('Failed to apply workflow diff effect', {
              error: error instanceof Error ? error.message : String(error),
            })
          })
        break
      }
      case 'workflow.deployment.sync':
        applyDeploymentSyncEffect(effect.payload, params.toolCall)
        break
      case 'workflow.api_key.sync':
        applyApiKeySyncEffect(effect.payload, params.toolCall)
        break
      case 'environment.variables.reload':
        useEnvironmentStore.getState().loadEnvironmentVariables()
        break
      case 'workflow.variables.reload':
        applyWorkflowVariablesReload(effect.payload, params.toolCall)
        break
      default:
        logger.debug('Ignoring unknown tool effect', { kind: effect.kind })
        break
    }
  }
 }
--- a/apps/sim/lib/copilot/constants.ts
+++ b/apps/sim/lib/copilot/constants.ts
@@ -101,9 +101,6 @@ export const COPILOT_CHECKPOINTS_API_PATH = '/api/copilot/checkpoints'
 /** POST — revert to a checkpoint. */
 export const COPILOT_CHECKPOINTS_REVERT_API_PATH = '/api/copilot/checkpoints/revert'
 /** GET/POST/DELETE — manage auto-allowed tools. */
 export const COPILOT_AUTO_ALLOWED_TOOLS_API_PATH = '/api/copilot/auto-allowed-tools'
 /** GET — fetch dynamically available copilot models. */
 export const COPILOT_MODELS_API_PATH = '/api/copilot/models'
--- a/apps/sim/lib/copilot/orchestrator/config.ts
+++ b/apps/sim/lib/copilot/orchestrator/config.ts
@@ -1,67 +0,0 @@
 export const INTERRUPT_TOOL_NAMES = [
  'set_global_workflow_variables',
  'run_workflow',
  'run_workflow_until_block',
  'run_from_block',
  'run_block',
  'manage_mcp_tool',
  'manage_custom_tool',
  'deploy_mcp',
  'deploy_chat',
  'deploy_api',
  'create_workspace_mcp_server',
  'set_environment_variables',
  'make_api_request',
  'oauth_request_access',
  'navigate_ui',
  'knowledge_base',
  'generate_api_key',
 ] as const
 export const INTERRUPT_TOOL_SET = new Set<string>(INTERRUPT_TOOL_NAMES)
 export const SUBAGENT_TOOL_NAMES = [
  'debug',
  'edit',
  'build',
  'plan',
  'test',
  'deploy',
  'auth',
  'research',
  'knowledge',
  'custom_tool',
  'tour',
  'info',
  'workflow',
  'evaluate',
  'superagent',
  'discovery',
 ] as const
 export const SUBAGENT_TOOL_SET = new Set<string>(SUBAGENT_TOOL_NAMES)
 /**
 * Respond tools are internal to the copilot's subagent system.
 * They're used by subagents to signal completion and should NOT be executed by the sim side.
 * The copilot backend handles these internally.
 */
 export const RESPOND_TOOL_NAMES = [
  'plan_respond',
  'edit_respond',
  'build_respond',
  'debug_respond',
  'info_respond',
  'research_respond',
  'deploy_respond',
  'superagent_respond',
  'discovery_respond',
  'tour_respond',
  'auth_respond',
  'workflow_respond',
  'knowledge_respond',
  'custom_tool_respond',
  'test_respond',
 ] as const
 export const RESPOND_TOOL_SET = new Set<string>(RESPOND_TOOL_NAMES)
--- a/apps/sim/lib/copilot/orchestrator/sse-handlers/handlers.ts
+++ b/apps/sim/lib/copilot/orchestrator/sse-handlers/handlers.ts
@@ -1,17 +1,12 @@
 import { createLogger } from '@sim/logger'
 import { STREAM_TIMEOUT_MS } from '@/lib/copilot/constants'
 import { RESPOND_TOOL_SET, SUBAGENT_TOOL_SET } from '@/lib/copilot/orchestrator/config'
 import {
  asRecord,
  getEventData,
  markToolResultSeen,
  wasToolResultSeen,
 } from '@/lib/copilot/orchestrator/sse-utils'
-import {
+import { markToolComplete } from '@/lib/copilot/orchestrator/tool-executor'
  isIntegrationTool,
  isToolAvailableOnSimSide,
  markToolComplete,
 } from '@/lib/copilot/orchestrator/tool-executor'
 import type {
  ContentBlock,
  ExecutionContext,
@@ -22,7 +17,6 @@ import type {
 } from '@/lib/copilot/orchestrator/types'
 import {
  executeToolAndReport,
  isInterruptToolName,
  waitForToolCompletion,
  waitForToolDecision,
 } from './tool-execution'
@@ -35,12 +29,208 @@ const logger = createLogger('CopilotSseHandlers')
 * execution to the browser client instead of running executeWorkflow directly.
 */
 const CLIENT_EXECUTABLE_RUN_TOOLS = new Set([
-  'run_workflow',
+  'workflow_run',
  'run_workflow_until_block',
  'run_from_block',
  'run_block',
 ])
 function mapServerStateToToolStatus(state: unknown): ToolCallState['status'] {
  switch (String(state || '')) {
    case 'generating':
    case 'pending':
    case 'awaiting_approval':
      return 'pending'
    case 'executing':
      return 'executing'
    case 'success':
      return 'success'
    case 'rejected':
    case 'skipped':
      return 'rejected'
    case 'aborted':
      return 'skipped'
    case 'error':
    case 'failed':
      return 'error'
    default:
      return 'pending'
  }
 }
 function getExecutionTarget(
  toolData: Record<string, unknown>,
  toolName: string
 ): { target: string; capabilityId?: string } {
  const execution = asRecord(toolData.execution)
  if (typeof execution.target === 'string' && execution.target.length > 0) {
    return {
      target: execution.target,
      capabilityId:
        typeof execution.capabilityId === 'string' ? execution.capabilityId : undefined,
    }
  }
  // Fallback only when metadata is missing.
  if (CLIENT_EXECUTABLE_RUN_TOOLS.has(toolName)) {
    return { target: 'sim_client_capability', capabilityId: 'workflow.run' }
  }
  return { target: 'sim_server' }
 }
 function needsApproval(toolData: Record<string, unknown>): boolean {
  const ui = asRecord(toolData.ui)
  return ui.showInterrupt === true
 }
 async function waitForClientCapabilityAndReport(
  toolCall: ToolCallState,
  options: OrchestratorOptions,
  logScope: string
 ): Promise<void> {
  toolCall.status = 'executing'
  const completion = await waitForToolCompletion(
    toolCall.id,
    options.timeout || STREAM_TIMEOUT_MS,
    options.abortSignal
  )
  if (completion?.status === 'background') {
    toolCall.status = 'skipped'
    toolCall.endTime = Date.now()
    markToolComplete(
      toolCall.id,
      toolCall.name,
      202,
      completion.message || 'Tool execution moved to background',
      { background: true }
    ).catch((err) => {
      logger.error(`markToolComplete fire-and-forget failed (${logScope} background)`, {
        toolCallId: toolCall.id,
        error: err instanceof Error ? err.message : String(err),
      })
    })
    markToolResultSeen(toolCall.id)
    return
  }
  if (completion?.status === 'rejected') {
    toolCall.status = 'rejected'
    toolCall.endTime = Date.now()
    markToolComplete(toolCall.id, toolCall.name, 400, completion.message || 'Tool execution rejected')
      .catch((err) => {
        logger.error(`markToolComplete fire-and-forget failed (${logScope} rejected)`, {
          toolCallId: toolCall.id,
          error: err instanceof Error ? err.message : String(err),
        })
      })
    markToolResultSeen(toolCall.id)
    return
  }
  const success = completion?.status === 'success'
  toolCall.status = success ? 'success' : 'error'
  toolCall.endTime = Date.now()
  const msg = completion?.message || (success ? 'Tool completed' : 'Tool failed or timed out')
  markToolComplete(toolCall.id, toolCall.name, success ? 200 : 500, msg).catch((err) => {
    logger.error(`markToolComplete fire-and-forget failed (${logScope})`, {
      toolCallId: toolCall.id,
      toolName: toolCall.name,
      error: err instanceof Error ? err.message : String(err),
    })
  })
  markToolResultSeen(toolCall.id)
 }
 function markToolCallAndNotify(
  toolCall: ToolCallState,
  statusCode: number,
  message: string,
  data: Record<string, unknown> | undefined,
  logScope: string
 ): void {
  markToolComplete(toolCall.id, toolCall.name, statusCode, message, data).catch((err) => {
    logger.error(`markToolComplete fire-and-forget failed (${logScope})`, {
      toolCallId: toolCall.id,
      error: err instanceof Error ? err.message : String(err),
    })
  })
  markToolResultSeen(toolCall.id)
 }
 async function executeToolCallWithPolicy(
  toolCall: ToolCallState,
  toolName: string,
  toolData: Record<string, unknown>,
  context: StreamingContext,
  execContext: ExecutionContext,
  options: OrchestratorOptions,
  logScope: string
 ): Promise<void> {
  const execution = getExecutionTarget(toolData, toolName)
  const isInteractive = options.interactive === true
  const requiresApproval = isInteractive && needsApproval(toolData)
  if (toolData.state) {
    toolCall.status = mapServerStateToToolStatus(toolData.state)
  }
  if (requiresApproval) {
    const decision = await waitForToolDecision(
      toolCall.id,
      options.timeout || STREAM_TIMEOUT_MS,
      options.abortSignal
    )
    if (decision?.status === 'accepted' || decision?.status === 'success') {
      // Continue below into normal execution path.
    } else if (decision?.status === 'rejected' || decision?.status === 'error') {
      toolCall.status = 'rejected'
      toolCall.endTime = Date.now()
      markToolCallAndNotify(
        toolCall,
        400,
        decision.message || 'Tool execution rejected',
        { skipped: true, reason: 'user_rejected' },
        `${logScope} rejected`
      )
      return
    } else if (decision?.status === 'background') {
      toolCall.status = 'skipped'
      toolCall.endTime = Date.now()
      markToolCallAndNotify(
        toolCall,
        202,
        decision.message || 'Tool execution moved to background',
        { background: true },
        `${logScope} background`
      )
      return
    } else {
      // Decision was null (timeout/abort).
      toolCall.status = 'rejected'
      toolCall.endTime = Date.now()
      markToolCallAndNotify(
        toolCall,
        408,
        'Tool approval timed out',
        { skipped: true, reason: 'timeout' },
        `${logScope} timeout`
      )
      return
    }
  }
  if (execution.target === 'sim_client_capability' && isInteractive) {
    await waitForClientCapabilityAndReport(toolCall, options, logScope)
    return
  }
  if (
    (execution.target === 'sim_server' || execution.target === 'sim_client_capability') &&
    options.autoExecuteTools !== false
  ) {
    await executeToolAndReport(toolCall.id, context, execContext, options)
  }
 }
 // Normalization + dedupe helpers live in sse-utils to keep server/client in sync.
 function inferToolSuccess(data: Record<string, unknown> | undefined): {
@@ -85,7 +275,11 @@ export const sseHandlers: Record<string, SSEHandler> = {
    const { success, hasResultData, hasError } = inferToolSuccess(data)
-    current.status = success ? 'success' : 'error'
+    current.status = data?.state
      ? mapServerStateToToolStatus(data.state)
      : success
        ? 'success'
        : 'error'
    current.endTime = Date.now()
    if (hasResultData) {
      current.result = {
@@ -104,7 +298,7 @@ export const sseHandlers: Record<string, SSEHandler> = {
    if (!toolCallId) return
    const current = context.toolCalls.get(toolCallId)
    if (!current) return
-    current.status = 'error'
+    current.status = data?.state ? mapServerStateToToolStatus(data.state) : 'error'
    current.error = (data?.error as string | undefined) || 'Tool execution failed'
    current.endTime = Date.now()
  },
@@ -121,7 +315,7 @@ export const sseHandlers: Record<string, SSEHandler> = {
      context.toolCalls.set(toolCallId, {
        id: toolCallId,
        name: toolName,
-        status: 'pending',
+        status: data?.state ? mapServerStateToToolStatus(data.state) : 'pending',
        startTime: Date.now(),
      })
    }
@@ -156,7 +350,7 @@ export const sseHandlers: Record<string, SSEHandler> = {
      context.toolCalls.set(toolCallId, {
        id: toolCallId,
        name: toolName,
-        status: 'pending',
+        status: toolData.state ? mapServerStateToToolStatus(toolData.state) : 'pending',
        params: args,
        startTime: Date.now(),
      })
@@ -170,147 +364,15 @@ export const sseHandlers: Record<string, SSEHandler> = {
    const toolCall = context.toolCalls.get(toolCallId)
    if (!toolCall) return
-    // Subagent tools are executed by the copilot backend, not sim side.
+    await executeToolCallWithPolicy(
-    if (SUBAGENT_TOOL_SET.has(toolName)) {
+      toolCall,
-      return
+      toolName,
-    }
+      toolData,
-
+      context,
-    // Respond tools are internal to copilot's subagent system - skip execution.
+      execContext,
-    // The copilot backend handles these internally to signal subagent completion.
+      options,
-    if (RESPOND_TOOL_SET.has(toolName)) {
+      'run tool'
-      toolCall.status = 'success'
+    )
      toolCall.endTime = Date.now()
      toolCall.result = {
        success: true,
        output: 'Internal respond tool - handled by copilot backend',
      }
      return
    }
    const isInterruptTool = isInterruptToolName(toolName)
    const isInteractive = options.interactive === true
    // Integration tools (user-installed) also require approval in interactive mode
    const needsApproval = isInterruptTool || isIntegrationTool(toolName)
    if (needsApproval && isInteractive) {
      const decision = await waitForToolDecision(
        toolCallId,
        options.timeout || STREAM_TIMEOUT_MS,
        options.abortSignal
      )
      if (decision?.status === 'accepted' || decision?.status === 'success') {
        // Client-executable run tools: defer execution to the browser client.
        // The client calls executeWorkflowWithFullLogging for real-time feedback
        // (block pulsing, logs, stop button) and reports completion via
        // /api/copilot/confirm with status success/error. We poll Redis for
        // that completion signal, then fire-and-forget markToolComplete to Go.
        if (CLIENT_EXECUTABLE_RUN_TOOLS.has(toolName)) {
          toolCall.status = 'executing'
          const completion = await waitForToolCompletion(
            toolCallId,
            options.timeout || STREAM_TIMEOUT_MS,
            options.abortSignal
          )
          if (completion?.status === 'background') {
            toolCall.status = 'skipped'
            toolCall.endTime = Date.now()
            markToolComplete(
              toolCall.id,
              toolCall.name,
              202,
              completion.message || 'Tool execution moved to background',
              { background: true }
            ).catch((err) => {
              logger.error('markToolComplete fire-and-forget failed (run tool background)', {
                toolCallId: toolCall.id,
                error: err instanceof Error ? err.message : String(err),
              })
            })
            markToolResultSeen(toolCallId)
            return
          }
          const success = completion?.status === 'success'
          toolCall.status = success ? 'success' : 'error'
          toolCall.endTime = Date.now()
          const msg =
            completion?.message || (success ? 'Tool completed' : 'Tool failed or timed out')
          // Fire-and-forget: tell Go backend the tool is done
          // (must NOT await — see deadlock note in executeToolAndReport)
          markToolComplete(toolCall.id, toolCall.name, success ? 200 : 500, msg).catch((err) => {
            logger.error('markToolComplete fire-and-forget failed (run tool)', {
              toolCallId: toolCall.id,
              toolName: toolCall.name,
              error: err instanceof Error ? err.message : String(err),
            })
          })
          markToolResultSeen(toolCallId)
          return
        }
        await executeToolAndReport(toolCallId, context, execContext, options)
        return
      }
      if (decision?.status === 'rejected' || decision?.status === 'error') {
        toolCall.status = 'rejected'
        toolCall.endTime = Date.now()
        // Fire-and-forget: must NOT await — see deadlock note in executeToolAndReport
        markToolComplete(
          toolCall.id,
          toolCall.name,
          400,
          decision.message || 'Tool execution rejected',
          { skipped: true, reason: 'user_rejected' }
        ).catch((err) => {
          logger.error('markToolComplete fire-and-forget failed (rejected)', {
            toolCallId: toolCall.id,
            error: err instanceof Error ? err.message : String(err),
          })
        })
        markToolResultSeen(toolCall.id)
        return
      }
      if (decision?.status === 'background') {
        toolCall.status = 'skipped'
        toolCall.endTime = Date.now()
        // Fire-and-forget: must NOT await — see deadlock note in executeToolAndReport
        markToolComplete(
          toolCall.id,
          toolCall.name,
          202,
          decision.message || 'Tool execution moved to background',
          { background: true }
        ).catch((err) => {
          logger.error('markToolComplete fire-and-forget failed (background)', {
            toolCallId: toolCall.id,
            error: err instanceof Error ? err.message : String(err),
          })
        })
        markToolResultSeen(toolCall.id)
        return
      }
      // Decision was null — timed out or aborted.
      // Do NOT fall through to auto-execute. Mark the tool as timed out
      // and notify Go so it can unblock waitForExternalTool.
      toolCall.status = 'rejected'
      toolCall.endTime = Date.now()
      markToolComplete(toolCall.id, toolCall.name, 408, 'Tool approval timed out', {
        skipped: true,
        reason: 'timeout',
      }).catch((err) => {
        logger.error('markToolComplete fire-and-forget failed (timeout)', {
          toolCallId: toolCall.id,
          error: err instanceof Error ? err.message : String(err),
        })
      })
      markToolResultSeen(toolCall.id)
      return
    }
    if (options.autoExecuteTools !== false) {
      await executeToolAndReport(toolCallId, context, execContext, options)
    }
  },
  reasoning: (event, context) => {
    const d = asRecord(event.data)
@@ -410,7 +472,7 @@ export const subAgentHandlers: Record<string, SSEHandler> = {
    const toolCall: ToolCallState = {
      id: toolCallId,
      name: toolName,
-      status: 'pending',
+      status: toolData.state ? mapServerStateToToolStatus(toolData.state) : 'pending',
      params: args,
      startTime: Date.now(),
    }
@@ -428,157 +490,15 @@ export const subAgentHandlers: Record<string, SSEHandler> = {
    if (isPartial) return
-    // Respond tools are internal to copilot's subagent system - skip execution.
+    await executeToolCallWithPolicy(
-    if (RESPOND_TOOL_SET.has(toolName)) {
+      toolCall,
-      toolCall.status = 'success'
+      toolName,
-      toolCall.endTime = Date.now()
+      toolData,
-      toolCall.result = {
+      context,
-        success: true,
+      execContext,
-        output: 'Internal respond tool - handled by copilot backend',
+      options,
-      }
+      'subagent run tool'
-      return
+    )
    }
    // Tools that only exist on the Go backend (e.g. search_patterns,
    // search_errors, remember_debug) should NOT be re-executed on the Sim side.
    // The Go backend already executed them and will send its own tool_result
    // SSE event with the real outcome.  Trying to execute them here would fail
    // with "Tool not found" and incorrectly mark the tool as failed.
    if (!isToolAvailableOnSimSide(toolName)) {
      return
    }
    // Interrupt tools and integration tools (user-installed) require approval
    // in interactive mode, same as top-level handler.
    const needsSubagentApproval = isInterruptToolName(toolName) || isIntegrationTool(toolName)
    if (options.interactive === true && needsSubagentApproval) {
      const decision = await waitForToolDecision(
        toolCallId,
        options.timeout || STREAM_TIMEOUT_MS,
        options.abortSignal
      )
      if (decision?.status === 'accepted' || decision?.status === 'success') {
        await executeToolAndReport(toolCallId, context, execContext, options)
        return
      }
      if (decision?.status === 'rejected' || decision?.status === 'error') {
        toolCall.status = 'rejected'
        toolCall.endTime = Date.now()
        // Fire-and-forget: must NOT await — see deadlock note in executeToolAndReport
        markToolComplete(
          toolCall.id,
          toolCall.name,
          400,
          decision.message || 'Tool execution rejected',
          { skipped: true, reason: 'user_rejected' }
        ).catch((err) => {
          logger.error('markToolComplete fire-and-forget failed (subagent rejected)', {
            toolCallId: toolCall.id,
            error: err instanceof Error ? err.message : String(err),
          })
        })
        markToolResultSeen(toolCall.id)
        return
      }
      if (decision?.status === 'background') {
        toolCall.status = 'skipped'
        toolCall.endTime = Date.now()
        // Fire-and-forget: must NOT await — see deadlock note in executeToolAndReport
        markToolComplete(
          toolCall.id,
          toolCall.name,
          202,
          decision.message || 'Tool execution moved to background',
          { background: true }
        ).catch((err) => {
          logger.error('markToolComplete fire-and-forget failed (subagent background)', {
            toolCallId: toolCall.id,
            error: err instanceof Error ? err.message : String(err),
          })
        })
        markToolResultSeen(toolCall.id)
        return
      }
      // Decision was null — timed out or aborted.
      // Do NOT fall through to auto-execute.
      toolCall.status = 'rejected'
      toolCall.endTime = Date.now()
      markToolComplete(toolCall.id, toolCall.name, 408, 'Tool approval timed out', {
        skipped: true,
        reason: 'timeout',
      }).catch((err) => {
        logger.error('markToolComplete fire-and-forget failed (subagent timeout)', {
          toolCallId: toolCall.id,
          error: err instanceof Error ? err.message : String(err),
        })
      })
      markToolResultSeen(toolCall.id)
      return
    }
    // Client-executable run tools in interactive mode: defer to client.
    // Same pattern as main handler: wait for client completion, then tell Go.
    if (options.interactive === true && CLIENT_EXECUTABLE_RUN_TOOLS.has(toolName)) {
      toolCall.status = 'executing'
      const completion = await waitForToolCompletion(
        toolCallId,
        options.timeout || STREAM_TIMEOUT_MS,
        options.abortSignal
      )
      if (completion?.status === 'rejected') {
        toolCall.status = 'rejected'
        toolCall.endTime = Date.now()
        markToolComplete(
          toolCall.id,
          toolCall.name,
          400,
          completion.message || 'Tool execution rejected'
        ).catch((err) => {
          logger.error('markToolComplete fire-and-forget failed (subagent run tool rejected)', {
            toolCallId: toolCall.id,
            error: err instanceof Error ? err.message : String(err),
          })
        })
        markToolResultSeen(toolCallId)
        return
      }
      if (completion?.status === 'background') {
        toolCall.status = 'skipped'
        toolCall.endTime = Date.now()
        markToolComplete(
          toolCall.id,
          toolCall.name,
          202,
          completion.message || 'Tool execution moved to background',
          { background: true }
        ).catch((err) => {
          logger.error('markToolComplete fire-and-forget failed (subagent run tool background)', {
            toolCallId: toolCall.id,
            error: err instanceof Error ? err.message : String(err),
          })
        })
        markToolResultSeen(toolCallId)
        return
      }
      const success = completion?.status === 'success'
      toolCall.status = success ? 'success' : 'error'
      toolCall.endTime = Date.now()
      const msg = completion?.message || (success ? 'Tool completed' : 'Tool failed or timed out')
      markToolComplete(toolCall.id, toolCall.name, success ? 200 : 500, msg).catch((err) => {
        logger.error('markToolComplete fire-and-forget failed (subagent run tool)', {
          toolCallId: toolCall.id,
          toolName: toolCall.name,
          error: err instanceof Error ? err.message : String(err),
        })
      })
      markToolResultSeen(toolCallId)
      return
    }
    if (options.autoExecuteTools !== false) {
      await executeToolAndReport(toolCallId, context, execContext, options)
    }
  },
  tool_result: (event, context) => {
    const parentToolCallId = context.subAgentParentToolCallId
@@ -596,7 +516,7 @@ export const subAgentHandlers: Record<string, SSEHandler> = {
    const { success, hasResultData, hasError } = inferToolSuccess(data)
-    const status = success ? 'success' : 'error'
+    const status = data?.state ? mapServerStateToToolStatus(data.state) : success ? 'success' : 'error'
    const endTime = Date.now()
    const result = hasResultData ? { success, output: data?.result || data?.data } : undefined
--- a/apps/sim/lib/copilot/orchestrator/sse-handlers/tool-execution.ts
+++ b/apps/sim/lib/copilot/orchestrator/sse-handlers/tool-execution.ts
@@ -4,7 +4,6 @@ import {
  TOOL_DECISION_MAX_POLL_MS,
  TOOL_DECISION_POLL_BACKOFF,
 } from '@/lib/copilot/constants'
 import { INTERRUPT_TOOL_SET } from '@/lib/copilot/orchestrator/config'
 import { getToolConfirmation } from '@/lib/copilot/orchestrator/persistence'
 import {
  asRecord,
@@ -21,10 +20,6 @@ import type {
 const logger = createLogger('CopilotSseToolExecution')
 export function isInterruptToolName(toolName: string): boolean {
  return INTERRUPT_TOOL_SET.has(toolName)
 }
 export async function executeToolAndReport(
  toolCallId: string,
  context: StreamingContext,
@@ -34,9 +29,11 @@ export async function executeToolAndReport(
  const toolCall = context.toolCalls.get(toolCallId)
  if (!toolCall) return
-  if (toolCall.status === 'executing') return
+  const lockable = toolCall as typeof toolCall & { __simExecuting?: boolean }
  if (lockable.__simExecuting) return
  if (wasToolResultSeen(toolCall.id)) return
  lockable.__simExecuting = true
  toolCall.status = 'executing'
  try {
    const result = await executeToolServerSide(toolCall, execContext)
@@ -122,6 +119,8 @@ export async function executeToolAndReport(
      },
    }
    await options?.onEvent?.(errorEvent)
  } finally {
    delete lockable.__simExecuting
  }
 }
--- a/apps/sim/lib/copilot/orchestrator/sse-utils.test.ts
+++ b/apps/sim/lib/copilot/orchestrator/sse-utils.test.ts
@@ -14,7 +14,7 @@ describe('sse-utils', () => {
      type: 'tool_result',
      data: JSON.stringify({
        id: 'tool_1',
-        name: 'edit_workflow',
+        name: 'workflow_change',
        success: true,
        result: { ok: true },
      }),
@@ -23,7 +23,7 @@ describe('sse-utils', () => {
    const normalized = normalizeSseEvent(event as any)
    expect(normalized.toolCallId).toBe('tool_1')
-    expect(normalized.toolName).toBe('edit_workflow')
+    expect(normalized.toolName).toBe('workflow_change')
    expect(normalized.success).toBe(true)
    expect(normalized.result).toEqual({ ok: true })
  })
--- a/apps/sim/lib/copilot/orchestrator/tool-executor/deployment-tools/deploy.ts
+++ b/apps/sim/lib/copilot/orchestrator/tool-executor/deployment-tools/deploy.ts
@@ -220,7 +220,8 @@ export async function executeDeployMcp(
    if (!workflowRecord.isDeployed) {
      return {
        success: false,
-        error: 'Workflow must be deployed before adding as an MCP tool. Use deploy_api first.',
+        error:
          'Workflow must be deployed before adding as an MCP tool. Use workflow_deploy(mode: "api") first.',
      }
    }
--- a/apps/sim/lib/copilot/orchestrator/tool-executor/index.ts
+++ b/apps/sim/lib/copilot/orchestrator/tool-executor/index.ts
@@ -1,7 +1,7 @@
 import { db } from '@sim/db'
-import { workflow } from '@sim/db/schema'
+import { customTools, workflow } from '@sim/db/schema'
 import { createLogger } from '@sim/logger'
-import { eq } from 'drizzle-orm'
+import { and, desc, eq, isNull, or } from 'drizzle-orm'
 import { SIM_AGENT_API_URL } from '@/lib/copilot/constants'
 import type {
  ExecutionContext,
@@ -12,6 +12,7 @@ import { routeExecution } from '@/lib/copilot/tools/server/router'
 import { env } from '@/lib/core/config/env'
 import { getBaseUrl } from '@/lib/core/utils/urls'
 import { getEffectiveDecryptedEnv } from '@/lib/environment/utils'
 import { upsertCustomTools } from '@/lib/workflows/custom-tools/operations'
 import { getTool, resolveToolId } from '@/tools/utils'
 import {
  executeCheckDeploymentStatus,
@@ -49,6 +50,8 @@ import type {
  RunWorkflowParams,
  RunWorkflowUntilBlockParams,
  SetGlobalWorkflowVariablesParams,
  WorkflowDeployParams,
  WorkflowRunParams,
 } from './param-types'
 import { PLATFORM_ACTIONS_CONTENT } from './platform-actions'
 import {
@@ -76,13 +79,332 @@ import {
 const logger = createLogger('CopilotToolExecutor')
 type ManageCustomToolOperation = 'add' | 'edit' | 'delete' | 'list'
 interface ManageCustomToolSchema {
  type: 'function'
  function: {
    name: string
    description?: string
    parameters: Record<string, unknown>
  }
 }
 interface ManageCustomToolParams {
  operation?: string
  toolId?: string
  schema?: ManageCustomToolSchema
  code?: string
  title?: string
  workspaceId?: string
 }
 async function executeManageCustomTool(
  rawParams: Record<string, unknown>,
  context: ExecutionContext
 ): Promise<ToolCallResult> {
  const params = rawParams as ManageCustomToolParams
  const operation = String(params.operation || '').toLowerCase() as ManageCustomToolOperation
  const workspaceId = params.workspaceId || context.workspaceId
  if (!operation) {
    return { success: false, error: "Missing required 'operation' argument" }
  }
  try {
    if (operation === 'list') {
      const toolsForUser = workspaceId
        ? await db
            .select()
            .from(customTools)
            .where(
              or(
                eq(customTools.workspaceId, workspaceId),
                and(isNull(customTools.workspaceId), eq(customTools.userId, context.userId))
              )
            )
            .orderBy(desc(customTools.createdAt))
        : await db
            .select()
            .from(customTools)
            .where(and(isNull(customTools.workspaceId), eq(customTools.userId, context.userId)))
            .orderBy(desc(customTools.createdAt))
      return {
        success: true,
        output: {
          success: true,
          operation,
          tools: toolsForUser,
          count: toolsForUser.length,
        },
      }
    }
    if (operation === 'add') {
      if (!workspaceId) {
        return {
          success: false,
          error: "workspaceId is required for operation 'add'",
        }
      }
      if (!params.schema || !params.code) {
        return {
          success: false,
          error: "Both 'schema' and 'code' are required for operation 'add'",
        }
      }
      const title = params.title || params.schema.function?.name
      if (!title) {
        return { success: false, error: "Missing tool title or schema.function.name for 'add'" }
      }
      const resultTools = await upsertCustomTools({
        tools: [
          {
            title,
            schema: params.schema,
            code: params.code,
          },
        ],
        workspaceId,
        userId: context.userId,
      })
      const created = resultTools.find((tool) => tool.title === title)
      return {
        success: true,
        output: {
          success: true,
          operation,
          toolId: created?.id,
          title,
          message: `Created custom tool "${title}"`,
        },
      }
    }
    if (operation === 'edit') {
      if (!workspaceId) {
        return {
          success: false,
          error: "workspaceId is required for operation 'edit'",
        }
      }
      if (!params.toolId) {
        return { success: false, error: "'toolId' is required for operation 'edit'" }
      }
      if (!params.schema && !params.code) {
        return {
          success: false,
          error: "At least one of 'schema' or 'code' is required for operation 'edit'",
        }
      }
      const workspaceTool = await db
        .select()
        .from(customTools)
        .where(and(eq(customTools.id, params.toolId), eq(customTools.workspaceId, workspaceId)))
        .limit(1)
      const legacyTool =
        workspaceTool.length === 0
          ? await db
              .select()
              .from(customTools)
              .where(
                and(
                  eq(customTools.id, params.toolId),
                  isNull(customTools.workspaceId),
                  eq(customTools.userId, context.userId)
                )
              )
              .limit(1)
          : []
      const existing = workspaceTool[0] || legacyTool[0]
      if (!existing) {
        return { success: false, error: `Custom tool not found: ${params.toolId}` }
      }
      const mergedSchema = params.schema || (existing.schema as ManageCustomToolSchema)
      const mergedCode = params.code || existing.code
      const title = params.title || mergedSchema.function?.name || existing.title
      await upsertCustomTools({
        tools: [
          {
            id: params.toolId,
            title,
            schema: mergedSchema,
            code: mergedCode,
          },
        ],
        workspaceId,
        userId: context.userId,
      })
      return {
        success: true,
        output: {
          success: true,
          operation,
          toolId: params.toolId,
          title,
          message: `Updated custom tool "${title}"`,
        },
      }
    }
    if (operation === 'delete') {
      if (!params.toolId) {
        return { success: false, error: "'toolId' is required for operation 'delete'" }
      }
      const workspaceDelete =
        workspaceId != null
          ? await db
              .delete(customTools)
              .where(
                and(eq(customTools.id, params.toolId), eq(customTools.workspaceId, workspaceId))
              )
              .returning({ id: customTools.id })
          : []
      const legacyDelete =
        workspaceDelete.length === 0
          ? await db
              .delete(customTools)
              .where(
                and(
                  eq(customTools.id, params.toolId),
                  isNull(customTools.workspaceId),
                  eq(customTools.userId, context.userId)
                )
              )
              .returning({ id: customTools.id })
          : []
      const deleted = workspaceDelete[0] || legacyDelete[0]
      if (!deleted) {
        return { success: false, error: `Custom tool not found: ${params.toolId}` }
      }
      return {
        success: true,
        output: {
          success: true,
          operation,
          toolId: params.toolId,
          message: 'Deleted custom tool',
        },
      }
    }
    return {
      success: false,
      error: `Unsupported operation for manage_custom_tool: ${operation}`,
    }
  } catch (error) {
    logger.error('manage_custom_tool execution failed', {
      operation,
      workspaceId,
      userId: context.userId,
      error: error instanceof Error ? error.message : String(error),
    })
    return {
      success: false,
      error: error instanceof Error ? error.message : 'Failed to manage custom tool',
    }
  }
 }
 async function executeWorkflowRunUnified(
  rawParams: Record<string, unknown>,
  context: ExecutionContext
 ): Promise<ToolCallResult> {
  const params = rawParams as WorkflowRunParams
  const mode = params.mode || 'full'
  switch (mode) {
    case 'full':
      return executeRunWorkflow(params as RunWorkflowParams, context)
    case 'until_block':
      if (!params.stopAfterBlockId) {
        return { success: false, error: 'stopAfterBlockId is required for mode=until_block' }
      }
      return executeRunWorkflowUntilBlock(params as RunWorkflowUntilBlockParams, context)
    case 'from_block':
      if (!params.startBlockId) {
        return { success: false, error: 'startBlockId is required for mode=from_block' }
      }
      return executeRunFromBlock(params as RunFromBlockParams, context)
    case 'block':
      if (!params.blockId) {
        return { success: false, error: 'blockId is required for mode=block' }
      }
      return executeRunBlock(params as RunBlockParams, context)
    default:
      return {
        success: false,
        error: `Unsupported workflow_run mode: ${String(mode)}`,
      }
  }
 }
 async function executeWorkflowDeployUnified(
  rawParams: Record<string, unknown>,
  context: ExecutionContext
 ): Promise<ToolCallResult> {
  const params = rawParams as unknown as WorkflowDeployParams
  const mode = params.mode
  if (!mode) {
    return { success: false, error: 'mode is required for workflow_deploy' }
  }
  const scopedContext =
    params.workflowId && params.workflowId !== context.workflowId
      ? { ...context, workflowId: params.workflowId }
      : context
  switch (mode) {
    case 'status':
      return executeCheckDeploymentStatus(params as CheckDeploymentStatusParams, scopedContext)
    case 'redeploy':
      return executeRedeploy(scopedContext)
    case 'api':
      return executeDeployApi(params as DeployApiParams, scopedContext)
    case 'chat':
      return executeDeployChat(params as DeployChatParams, scopedContext)
    case 'mcp':
      return executeDeployMcp(params as DeployMcpParams, scopedContext)
    case 'list_mcp_servers':
      return executeListWorkspaceMcpServers(params as ListWorkspaceMcpServersParams, scopedContext)
    case 'create_mcp_server':
      return executeCreateWorkspaceMcpServer(
        params as CreateWorkspaceMcpServerParams,
        scopedContext
      )
    default:
      return {
        success: false,
        error: `Unsupported workflow_deploy mode: ${String(mode)}`,
      }
  }
 }
 const SERVER_TOOLS = new Set<string>([
  'get_blocks_and_tools',
  'get_blocks_metadata',
  'get_block_options',
  'get_block_config',
  'get_trigger_blocks',
-  'edit_workflow',
+  'workflow_context_get',
  'workflow_context_expand',
  'workflow_change',
  'workflow_verify',
  'get_workflow_console',
  'search_documentation',
  'search_online',
@@ -110,11 +432,7 @@ const SIM_WORKFLOW_TOOL_HANDLERS: Record<
  get_block_outputs: (p, c) => executeGetBlockOutputs(p as GetBlockOutputsParams, c),
  get_block_upstream_references: (p, c) =>
    executeGetBlockUpstreamReferences(p as unknown as GetBlockUpstreamReferencesParams, c),
-  run_workflow: (p, c) => executeRunWorkflow(p as RunWorkflowParams, c),
+  workflow_run: (p, c) => executeWorkflowRunUnified(p, c),
  run_workflow_until_block: (p, c) =>
    executeRunWorkflowUntilBlock(p as unknown as RunWorkflowUntilBlockParams, c),
  run_from_block: (p, c) => executeRunFromBlock(p as unknown as RunFromBlockParams, c),
  run_block: (p, c) => executeRunBlock(p as unknown as RunBlockParams, c),
  get_deployed_workflow_state: (p, c) =>
    executeGetDeployedWorkflowState(p as GetDeployedWorkflowStateParams, c),
  generate_api_key: (p, c) => executeGenerateApiKey(p as unknown as GenerateApiKeyParams, c),
@@ -125,10 +443,7 @@ const SIM_WORKFLOW_TOOL_HANDLERS: Record<
    }),
  set_global_workflow_variables: (p, c) =>
    executeSetGlobalWorkflowVariables(p as SetGlobalWorkflowVariablesParams, c),
-  deploy_api: (p, c) => executeDeployApi(p as DeployApiParams, c),
+  workflow_deploy: (p, c) => executeWorkflowDeployUnified(p, c),
  deploy_chat: (p, c) => executeDeployChat(p as DeployChatParams, c),
  deploy_mcp: (p, c) => executeDeployMcp(p as DeployMcpParams, c),
  redeploy: (_p, c) => executeRedeploy(c),
  check_deployment_status: (p, c) =>
    executeCheckDeploymentStatus(p as CheckDeploymentStatusParams, c),
  list_workspace_mcp_servers: (p, c) =>
@@ -161,6 +476,19 @@ const SIM_WORKFLOW_TOOL_HANDLERS: Record<
      }
    }
  },
  oauth_request_access: async (p, _c) => {
    const providerName = (p.providerName || p.provider_name || 'the provider') as string
    return {
      success: true,
      output: {
        success: true,
        status: 'requested',
        providerName,
        message: `Requested ${providerName} OAuth connection. The user should complete the OAuth modal in the UI, then retry credential-dependent actions.`,
      },
    }
  },
  manage_custom_tool: (p, c) => executeManageCustomTool(p, c),
 }
 /**
--- a/apps/sim/lib/copilot/orchestrator/tool-executor/param-types.ts
+++ b/apps/sim/lib/copilot/orchestrator/tool-executor/param-types.ts
@@ -93,6 +93,18 @@ export interface RunBlockParams {
  useDeployedState?: boolean
 }
 export interface WorkflowRunParams {
  mode?: 'full' | 'until_block' | 'from_block' | 'block'
  workflowId?: string
  workflow_input?: unknown
  input?: unknown
  useDeployedState?: boolean
  stopAfterBlockId?: string
  startBlockId?: string
  blockId?: string
  executionId?: string
 }
 export interface GetDeployedWorkflowStateParams {
  workflowId?: string
 }
@@ -169,6 +181,39 @@ export interface CreateWorkspaceMcpServerParams {
  workflowIds?: string[]
 }
 export interface WorkflowDeployParams {
  mode:
    | 'status'
    | 'redeploy'
    | 'api'
    | 'chat'
    | 'mcp'
    | 'list_mcp_servers'
    | 'create_mcp_server'
  workflowId?: string
  action?: 'deploy' | 'undeploy'
  identifier?: string
  title?: string
  description?: string
  customizations?: {
    primaryColor?: string
    secondaryColor?: string
    welcomeMessage?: string
    iconUrl?: string
  }
  authType?: 'none' | 'password' | 'public' | 'email' | 'sso'
  password?: string
  allowedEmails?: string[]
  outputConfigs?: unknown[]
  serverId?: string
  toolName?: string
  toolDescription?: string
  parameterSchema?: Record<string, unknown>
  name?: string
  isPublic?: boolean
  workflowIds?: string[]
 }
 // === Workflow Organization Params ===
 export interface RenameWorkflowParams {
--- a/apps/sim/lib/copilot/tools/client/tool-display-registry.ts
+++ b/apps/sim/lib/copilot/tools/client/tool-display-registry.ts
@@ -592,16 +592,40 @@ const META_edit: ToolMetadata = {
  },
 }
-const META_edit_workflow: ToolMetadata = {
+const META_workflow_change: ToolMetadata = {
  displayNames: {
-    [ClientToolCallState.generating]: { text: 'Editing your workflow', icon: Loader2 },
+    [ClientToolCallState.generating]: { text: 'Planning workflow changes', icon: Loader2 },
-    [ClientToolCallState.executing]: { text: 'Editing your workflow', icon: Loader2 },
+    [ClientToolCallState.executing]: { text: 'Applying workflow changes', icon: Loader2 },
-    [ClientToolCallState.success]: { text: 'Edited your workflow', icon: Grid2x2Check },
+    [ClientToolCallState.success]: { text: 'Updated your workflow', icon: Grid2x2Check },
-    [ClientToolCallState.error]: { text: 'Failed to edit your workflow', icon: XCircle },
+    [ClientToolCallState.error]: { text: 'Failed to update your workflow', icon: XCircle },
    [ClientToolCallState.review]: { text: 'Review your workflow changes', icon: Grid2x2 },
    [ClientToolCallState.rejected]: { text: 'Rejected workflow changes', icon: Grid2x2X },
-    [ClientToolCallState.aborted]: { text: 'Aborted editing your workflow', icon: MinusCircle },
+    [ClientToolCallState.aborted]: { text: 'Aborted workflow changes', icon: MinusCircle },
-    [ClientToolCallState.pending]: { text: 'Editing your workflow', icon: Loader2 },
+    [ClientToolCallState.pending]: { text: 'Planning workflow changes', icon: Loader2 },
  },
  getDynamicText: (params, state) => {
    const mode = typeof params?.mode === 'string' ? params.mode.toLowerCase() : ''
    if (mode === 'dry_run') {
      switch (state) {
        case ClientToolCallState.success:
          return 'Planned workflow changes'
        case ClientToolCallState.executing:
        case ClientToolCallState.generating:
        case ClientToolCallState.pending:
          return 'Planning workflow changes'
      }
    }
    if (mode === 'apply' || typeof params?.proposalId === 'string') {
      switch (state) {
        case ClientToolCallState.success:
          return 'Applied workflow changes'
        case ClientToolCallState.executing:
        case ClientToolCallState.generating:
        case ClientToolCallState.pending:
          return 'Applying workflow changes'
      }
    }
    return undefined
  },
  uiConfig: {
    isSpecial: true,
@@ -609,6 +633,42 @@ const META_edit_workflow: ToolMetadata = {
  },
 }
 const META_workflow_context_get: ToolMetadata = {
  displayNames: {
    [ClientToolCallState.generating]: { text: 'Gathering workflow context', icon: Loader2 },
    [ClientToolCallState.pending]: { text: 'Gathering workflow context', icon: Loader2 },
    [ClientToolCallState.executing]: { text: 'Gathering workflow context', icon: Loader2 },
    [ClientToolCallState.success]: { text: 'Gathered workflow context', icon: FileText },
    [ClientToolCallState.error]: { text: 'Failed to gather workflow context', icon: XCircle },
    [ClientToolCallState.rejected]: { text: 'Skipped workflow context', icon: MinusCircle },
    [ClientToolCallState.aborted]: { text: 'Aborted workflow context', icon: MinusCircle },
  },
 }
 const META_workflow_context_expand: ToolMetadata = {
  displayNames: {
    [ClientToolCallState.generating]: { text: 'Expanding workflow schemas', icon: Loader2 },
    [ClientToolCallState.pending]: { text: 'Expanding workflow schemas', icon: Loader2 },
    [ClientToolCallState.executing]: { text: 'Expanding workflow schemas', icon: Loader2 },
    [ClientToolCallState.success]: { text: 'Expanded workflow schemas', icon: FileText },
    [ClientToolCallState.error]: { text: 'Failed to expand workflow schemas', icon: XCircle },
    [ClientToolCallState.rejected]: { text: 'Skipped schema expansion', icon: MinusCircle },
    [ClientToolCallState.aborted]: { text: 'Aborted schema expansion', icon: MinusCircle },
  },
 }
 const META_workflow_verify: ToolMetadata = {
  displayNames: {
    [ClientToolCallState.generating]: { text: 'Verifying workflow', icon: Loader2 },
    [ClientToolCallState.pending]: { text: 'Verifying workflow', icon: Loader2 },
    [ClientToolCallState.executing]: { text: 'Verifying workflow', icon: Loader2 },
    [ClientToolCallState.success]: { text: 'Verified workflow', icon: CheckCircle2 },
    [ClientToolCallState.error]: { text: 'Workflow verification failed', icon: XCircle },
    [ClientToolCallState.rejected]: { text: 'Skipped workflow verification', icon: MinusCircle },
    [ClientToolCallState.aborted]: { text: 'Aborted workflow verification', icon: MinusCircle },
  },
 }
 const META_evaluate: ToolMetadata = {
  displayNames: {
    [ClientToolCallState.generating]: { text: 'Evaluating', icon: Loader2 },
@@ -2541,7 +2601,12 @@ const TOOL_METADATA_BY_ID: Record<string, ToolMetadata> = {
  deploy_chat: META_deploy_chat,
  deploy_mcp: META_deploy_mcp,
  edit: META_edit,
-  edit_workflow: META_edit_workflow,
+  workflow_context_get: META_workflow_context_get,
  workflow_context_expand: META_workflow_context_expand,
  workflow_change: META_workflow_change,
  workflow_verify: META_workflow_verify,
  workflow_run: META_run_workflow,
  workflow_deploy: META_deploy_api,
  evaluate: META_evaluate,
  get_block_config: META_get_block_config,
  get_block_options: META_get_block_options,
--- a/apps/sim/lib/copilot/tools/mcp/definitions.ts
+++ b/apps/sim/lib/copilot/tools/mcp/definitions.ts
@@ -191,10 +191,10 @@ export const DIRECT_TOOL_DEFS: DirectToolDef[] = [
    },
  },
  {
-    name: 'run_workflow',
+    name: 'workflow_run',
-    toolId: 'run_workflow',
+    toolId: 'workflow_run',
    description:
-      'Run a workflow and return its output. Works on both draft and deployed states. By default runs the draft (live) state.',
+      'Run a workflow using one unified interface. Supports full runs and partial execution modes.',
    inputSchema: {
      type: 'object',
      properties: {
@@ -202,112 +202,38 @@ export const DIRECT_TOOL_DEFS: DirectToolDef[] = [
          type: 'string',
          description: 'REQUIRED. The workflow ID to run.',
        },
        mode: {
          type: 'string',
          description: 'Execution mode: full, until_block, from_block, or block. Default: full.',
          enum: ['full', 'until_block', 'from_block', 'block'],
        },
        workflow_input: {
          type: 'object',
          description:
-            'JSON object with input values. Keys should match the workflow start block input field names.',
+            'JSON object with input values. Keys should match workflow start block input names.',
        },
        useDeployedState: {
          type: 'boolean',
          description: 'When true, runs the deployed version instead of the draft. Default: false.',
        },
      },
      required: ['workflowId'],
    },
  },
  {
    name: 'run_workflow_until_block',
    toolId: 'run_workflow_until_block',
    description:
      'Run a workflow and stop after a specific block completes. Useful for testing partial execution or debugging specific blocks.',
    inputSchema: {
      type: 'object',
      properties: {
        workflowId: {
          type: 'string',
          description: 'REQUIRED. The workflow ID to run.',
        },
        stopAfterBlockId: {
          type: 'string',
-          description:
+          description: 'Required when mode is until_block.',
            'REQUIRED. The block ID to stop after. Execution halts once this block completes.',
        },
        workflow_input: {
          type: 'object',
          description: 'JSON object with input values for the workflow.',
        },
        useDeployedState: {
          type: 'boolean',
          description: 'When true, runs the deployed version instead of the draft. Default: false.',
        },
      },
      required: ['workflowId', 'stopAfterBlockId'],
    },
  },
  {
    name: 'run_from_block',
    toolId: 'run_from_block',
    description:
      'Run a workflow starting from a specific block, using cached outputs from a prior execution for upstream blocks. The workflow must have been run at least once first.',
    inputSchema: {
      type: 'object',
      properties: {
        workflowId: {
          type: 'string',
          description: 'REQUIRED. The workflow ID to run.',
        },
        startBlockId: {
          type: 'string',
-          description: 'REQUIRED. The block ID to start execution from.',
+          description: 'Required when mode is from_block.',
        },
        executionId: {
          type: 'string',
          description:
            'Optional. Specific execution ID to load the snapshot from. Uses latest if omitted.',
        },
        workflow_input: {
          type: 'object',
          description: 'Optional input values for the workflow.',
        },
        useDeployedState: {
          type: 'boolean',
          description: 'When true, runs the deployed version instead of the draft. Default: false.',
        },
      },
      required: ['workflowId', 'startBlockId'],
    },
  },
  {
    name: 'run_block',
    toolId: 'run_block',
    description:
      'Run a single block in isolation using cached outputs from a prior execution. Only the specified block executes — nothing upstream or downstream. The workflow must have been run at least once first.',
    inputSchema: {
      type: 'object',
      properties: {
        workflowId: {
          type: 'string',
          description: 'REQUIRED. The workflow ID.',
        },
        blockId: {
          type: 'string',
-          description: 'REQUIRED. The block ID to run in isolation.',
+          description: 'Required when mode is block.',
        },
        executionId: {
          type: 'string',
-          description:
+          description: 'Optional execution snapshot ID for from_block or block modes.',
            'Optional. Specific execution ID to load the snapshot from. Uses latest if omitted.',
        },
        workflow_input: {
          type: 'object',
          description: 'Optional input values for the workflow.',
        },
        useDeployedState: {
          type: 'boolean',
-          description: 'When true, runs the deployed version instead of the draft. Default: false.',
+          description: 'When true, runs deployed state instead of draft. Default: false.',
        },
      },
-      required: ['workflowId', 'blockId'],
+      required: ['workflowId'],
    },
  },
  {
@@ -531,10 +457,10 @@ ALSO CAN:
    description: `Run a workflow and verify its outputs. Works on both deployed and undeployed (draft) workflows. Use after building to verify correctness.
 Supports full and partial execution:
- Full run with test inputs
+- Full run with test inputs using workflow_run mode "full"
- Stop after a specific block (run_workflow_until_block)
+- Stop after a specific block using workflow_run mode "until_block"
- Run a single block in isolation (run_block)
+- Run a single block in isolation using workflow_run mode "block"
- Resume from a specific block (run_from_block)`,
+- Resume from a specific block using workflow_run mode "from_block"`,
    inputSchema: {
      type: 'object',
      properties: {
--- a/apps/sim/lib/copilot/tools/server/blocks/get-block-config.ts
+++ b/apps/sim/lib/copilot/tools/server/blocks/get-block-config.ts
@@ -109,7 +109,7 @@ function resolveSubBlockOptions(sb: SubBlockConfig): string[] | undefined {
    return undefined
  }
-  // Return the actual option ID/value that edit_workflow expects, not the display label
+  // Return canonical option IDs/values expected by workflow_change compilation and apply
  return rawOptions
    .map((opt: any) => {
      if (!opt) return undefined
--- a/apps/sim/lib/copilot/tools/server/router.ts
+++ b/apps/sim/lib/copilot/tools/server/router.ts
@@ -11,8 +11,13 @@ import { makeApiRequestServerTool } from '@/lib/copilot/tools/server/other/make-
 import { searchOnlineServerTool } from '@/lib/copilot/tools/server/other/search-online'
 import { getCredentialsServerTool } from '@/lib/copilot/tools/server/user/get-credentials'
 import { setEnvironmentVariablesServerTool } from '@/lib/copilot/tools/server/user/set-environment-variables'
 import { editWorkflowServerTool } from '@/lib/copilot/tools/server/workflow/edit-workflow'
 import { getWorkflowConsoleServerTool } from '@/lib/copilot/tools/server/workflow/get-workflow-console'
 import { workflowChangeServerTool } from '@/lib/copilot/tools/server/workflow/workflow-change'
 import {
  workflowContextExpandServerTool,
  workflowContextGetServerTool,
 } from '@/lib/copilot/tools/server/workflow/workflow-context'
 import { workflowVerifyServerTool } from '@/lib/copilot/tools/server/workflow/workflow-verify'
 import { ExecuteResponseSuccessSchema } from '@/lib/copilot/tools/shared/schemas'
 export { ExecuteResponseSuccessSchema }
@@ -27,7 +32,6 @@ const serverToolRegistry: Record<string, BaseServerTool> = {
  [getBlockOptionsServerTool.name]: getBlockOptionsServerTool,
  [getBlockConfigServerTool.name]: getBlockConfigServerTool,
  [getTriggerBlocksServerTool.name]: getTriggerBlocksServerTool,
  [editWorkflowServerTool.name]: editWorkflowServerTool,
  [getWorkflowConsoleServerTool.name]: getWorkflowConsoleServerTool,
  [searchDocumentationServerTool.name]: searchDocumentationServerTool,
  [searchOnlineServerTool.name]: searchOnlineServerTool,
@@ -35,6 +39,10 @@ const serverToolRegistry: Record<string, BaseServerTool> = {
  [getCredentialsServerTool.name]: getCredentialsServerTool,
  [makeApiRequestServerTool.name]: makeApiRequestServerTool,
  [knowledgeBaseServerTool.name]: knowledgeBaseServerTool,
  [workflowContextGetServerTool.name]: workflowContextGetServerTool,
  [workflowContextExpandServerTool.name]: workflowContextExpandServerTool,
  [workflowChangeServerTool.name]: workflowChangeServerTool,
  [workflowVerifyServerTool.name]: workflowVerifyServerTool,
 }
 /**
--- a/apps/sim/lib/copilot/tools/server/workflow/change-store.ts
+++ b/apps/sim/lib/copilot/tools/server/workflow/change-store.ts
@@ -0,0 +1,185 @@
 import crypto from 'crypto'
 import { createLogger } from '@sim/logger'
 import { getRedisClient } from '@/lib/core/config/redis'
 type StoreEntry<T> = {
  value: T
  expiresAt: number
 }
 const DEFAULT_TTL_MS = 30 * 60 * 1000
 const MAX_ENTRIES = 500
 const DEFAULT_TTL_SECONDS = Math.floor(DEFAULT_TTL_MS / 1000)
 const CONTEXT_PREFIX = 'copilot:workflow_change:context'
 const PROPOSAL_PREFIX = 'copilot:workflow_change:proposal'
 const logger = createLogger('WorkflowChangeStore')
 class TTLStore<T> {
  private readonly data = new Map<string, StoreEntry<T>>()
  constructor(private readonly ttlMs = DEFAULT_TTL_MS) {}
  set(value: T): string {
    this.gc()
    if (this.data.size >= MAX_ENTRIES) {
      const firstKey = this.data.keys().next().value as string | undefined
      if (firstKey) {
        this.data.delete(firstKey)
      }
    }
    const id = crypto.randomUUID()
    this.data.set(id, {
      value,
      expiresAt: Date.now() + this.ttlMs,
    })
    return id
  }
  get(id: string): T | null {
    const entry = this.data.get(id)
    if (!entry) return null
    if (entry.expiresAt <= Date.now()) {
      this.data.delete(id)
      return null
    }
    return entry.value
  }
  private gc(): void {
    const now = Date.now()
    for (const [key, entry] of this.data.entries()) {
      if (entry.expiresAt <= now) {
        this.data.delete(key)
      }
    }
  }
 }
 export type WorkflowContextPack = {
  workflowId: string
  snapshotHash: string
  workflowState: {
    blocks: Record<string, any>
    edges: Array<Record<string, any>>
    loops: Record<string, any>
    parallels: Record<string, any>
  }
  schemasByType: Record<string, any>
  schemaRefsByType: Record<string, string>
  summary: Record<string, any>
 }
 export type WorkflowChangeProposal = {
  workflowId: string
  baseSnapshotHash: string
  compiledOperations: Array<Record<string, any>>
  diffSummary: Record<string, any>
  warnings: string[]
  diagnostics: string[]
  touchedBlocks: string[]
  acceptanceAssertions: string[]
  postApply?: {
    verify?: boolean
    run?: Record<string, any>
    evaluator?: Record<string, any>
  }
  handoff?: {
    objective?: string
    constraints?: string[]
    resolvedIds?: Record<string, string>
    assumptions?: string[]
    unresolvedRisks?: string[]
  }
 }
 const contextPackStore = new TTLStore<WorkflowContextPack>()
 const proposalStore = new TTLStore<WorkflowChangeProposal>()
 function getContextRedisKey(id: string): string {
  return `${CONTEXT_PREFIX}:${id}`
 }
 function getProposalRedisKey(id: string): string {
  return `${PROPOSAL_PREFIX}:${id}`
 }
 async function writeRedisJson(key: string, value: unknown): Promise<void> {
  const redis = getRedisClient()!
  await redis.set(key, JSON.stringify(value), 'EX', DEFAULT_TTL_SECONDS)
 }
 async function readRedisJson<T>(key: string): Promise<T | null> {
  const redis = getRedisClient()!
  const raw = await redis.get(key)
  if (!raw) {
    return null
  }
  try {
    return JSON.parse(raw) as T
  } catch (error) {
    logger.warn('Failed parsing workflow change store JSON payload', { key, error })
    await redis.del(key).catch(() => {})
    return null
  }
 }
 export async function saveContextPack(pack: WorkflowContextPack): Promise<string> {
  if (!getRedisClient()) {
    return contextPackStore.set(pack)
  }
  const id = crypto.randomUUID()
  try {
    await writeRedisJson(getContextRedisKey(id), pack)
    return id
  } catch (error) {
    logger.warn('Redis write failed for workflow context pack, using memory fallback', { error })
    return contextPackStore.set(pack)
  }
 }
 export async function getContextPack(id: string): Promise<WorkflowContextPack | null> {
  if (!getRedisClient()) {
    return contextPackStore.get(id)
  }
  try {
    const redisPayload = await readRedisJson<WorkflowContextPack>(getContextRedisKey(id))
    if (redisPayload) {
      return redisPayload
    }
  } catch (error) {
    logger.warn('Redis read failed for workflow context pack, using memory fallback', { error })
  }
  return contextPackStore.get(id)
 }
 export async function saveProposal(proposal: WorkflowChangeProposal): Promise<string> {
  if (!getRedisClient()) {
    return proposalStore.set(proposal)
  }
  const id = crypto.randomUUID()
  try {
    await writeRedisJson(getProposalRedisKey(id), proposal)
    return id
  } catch (error) {
    logger.warn('Redis write failed for workflow proposal, using memory fallback', { error })
    return proposalStore.set(proposal)
  }
 }
 export async function getProposal(id: string): Promise<WorkflowChangeProposal | null> {
  if (!getRedisClient()) {
    return proposalStore.get(id)
  }
  try {
    const redisPayload = await readRedisJson<WorkflowChangeProposal>(getProposalRedisKey(id))
    if (redisPayload) {
      return redisPayload
    }
  } catch (error) {
    logger.warn('Redis read failed for workflow proposal, using memory fallback', { error })
  }
  return proposalStore.get(id)
 }
--- a/apps/sim/lib/copilot/tools/server/workflow/edit-workflow/index.ts
+++ b/apps/sim/lib/copilot/tools/server/workflow/edit-workflow/index.ts
@@ -68,8 +68,8 @@ async function getCurrentWorkflowStateFromDb(
  return { workflowState, subBlockValues }
 }
-export const editWorkflowServerTool: BaseServerTool<EditWorkflowParams, unknown> = {
+export const applyWorkflowOperationsServerTool: BaseServerTool<EditWorkflowParams, unknown> = {
-  name: 'edit_workflow',
+  name: '__internal_apply_workflow_operations',
  async execute(params: EditWorkflowParams, context?: { userId: string }): Promise<unknown> {
    const logger = createLogger('EditWorkflowServerTool')
    const { operations, workflowId, currentUserWorkflow } = params
@@ -90,7 +90,7 @@ export const editWorkflowServerTool: BaseServerTool<EditWorkflowParams, unknown>
      throw new Error(authorization.message || 'Unauthorized workflow access')
    }
-    logger.info('Executing edit_workflow', {
+    logger.info('Executing internal workflow operation apply', {
      operationCount: operations.length,
      workflowId,
      hasCurrentUserWorkflow: !!currentUserWorkflow,
@@ -210,7 +210,7 @@ export const editWorkflowServerTool: BaseServerTool<EditWorkflowParams, unknown>
      logger.warn('No userId in context - skipping custom tools persistence', { workflowId })
    }
-    logger.info('edit_workflow successfully applied operations', {
+    logger.info('Internal workflow operation apply succeeded', {
      operationCount: operations.length,
      blocksCount: Object.keys(modifiedWorkflowState.blocks).length,
      edgesCount: modifiedWorkflowState.edges.length,
--- a/apps/sim/lib/copilot/tools/server/workflow/workflow-change.ts
+++ b/apps/sim/lib/copilot/tools/server/workflow/workflow-change.ts
--- a/apps/sim/lib/copilot/tools/server/workflow/workflow-context.ts
+++ b/apps/sim/lib/copilot/tools/server/workflow/workflow-context.ts
@@ -0,0 +1,166 @@
 import { createLogger } from '@sim/logger'
 import { z } from 'zod'
 import type { BaseServerTool } from '@/lib/copilot/tools/server/base-tool'
 import { authorizeWorkflowByWorkspacePermission } from '@/lib/workflows/utils'
 import { getContextPack, saveContextPack } from './change-store'
 import {
  buildSchemasByType,
  getAllKnownBlockTypes,
  hashWorkflowState,
  loadWorkflowStateFromDb,
  summarizeWorkflowState,
 } from './workflow-state'
 const logger = createLogger('WorkflowContextServerTool')
 const WorkflowContextGetInputSchema = z.object({
  workflowId: z.string(),
  objective: z.string().optional(),
  includeBlockTypes: z.array(z.string()).optional(),
  includeAllSchemas: z.boolean().optional(),
  schemaMode: z.enum(['minimal', 'workflow', 'all']).optional(),
 })
 type WorkflowContextGetParams = z.infer<typeof WorkflowContextGetInputSchema>
 const WorkflowContextExpandInputSchema = z.object({
  contextPackId: z.string(),
  blockTypes: z.array(z.string()).optional(),
  schemaRefs: z.array(z.string()).optional(),
 })
 type WorkflowContextExpandParams = z.infer<typeof WorkflowContextExpandInputSchema>
 function parseSchemaRefToBlockType(schemaRef: string): string | null {
  if (!schemaRef) return null
  const [blockType] = schemaRef.split('@')
  return blockType || null
 }
 function buildAvailableBlockCatalog(
  schemaRefsByType: Record<string, string>
 ): Array<Record<string, any>> {
  return Object.entries(schemaRefsByType)
    .sort((a, b) => a[0].localeCompare(b[0]))
    .map(([blockType, schemaRef]) => ({
      blockType,
      schemaRef,
    }))
 }
 export const workflowContextGetServerTool: BaseServerTool<WorkflowContextGetParams, any> = {
  name: 'workflow_context_get',
  inputSchema: WorkflowContextGetInputSchema,
  async execute(params: WorkflowContextGetParams, context?: { userId: string }): Promise<any> {
    if (!context?.userId) {
      throw new Error('Unauthorized workflow access')
    }
    const authorization = await authorizeWorkflowByWorkspacePermission({
      workflowId: params.workflowId,
      userId: context.userId,
      action: 'read',
    })
    if (!authorization.allowed) {
      throw new Error(authorization.message || 'Unauthorized workflow access')
    }
    const { workflowState } = await loadWorkflowStateFromDb(params.workflowId)
    const snapshotHash = hashWorkflowState(workflowState as unknown as Record<string, unknown>)
    const blockTypesInWorkflow = Object.values(workflowState.blocks || {}).map((block: any) =>
      String(block?.type || '')
    )
    const requestedTypes = params.includeBlockTypes || []
    const schemaMode =
      params.includeAllSchemas === true ? 'all' : (params.schemaMode || 'minimal')
    const candidateTypes =
      schemaMode === 'all'
        ? getAllKnownBlockTypes()
        : schemaMode === 'workflow'
          ? [...blockTypesInWorkflow, ...requestedTypes]
          : [...requestedTypes]
    const { schemasByType, schemaRefsByType } = buildSchemasByType(candidateTypes)
    const suggestedSchemaTypes = [...new Set(blockTypesInWorkflow.filter(Boolean))]
    const summary = summarizeWorkflowState(workflowState)
    const packId = await saveContextPack({
      workflowId: params.workflowId,
      snapshotHash,
      workflowState,
      schemasByType,
      schemaRefsByType,
      summary: {
        ...summary,
        objective: params.objective || null,
      },
    })
    logger.info('Generated workflow context pack', {
      workflowId: params.workflowId,
      contextPackId: packId,
      schemaCount: Object.keys(schemaRefsByType).length,
    })
    return {
      success: true,
      contextPackId: packId,
      workflowId: params.workflowId,
      snapshotHash,
      schemaMode,
      summary: {
        ...summary,
        objective: params.objective || null,
      },
      schemaRefsByType,
      availableBlockCatalog: buildAvailableBlockCatalog(schemaRefsByType),
      suggestedSchemaTypes,
      inScopeSchemas: schemasByType,
    }
  },
 }
 export const workflowContextExpandServerTool: BaseServerTool<WorkflowContextExpandParams, any> = {
  name: 'workflow_context_expand',
  inputSchema: WorkflowContextExpandInputSchema,
  async execute(params: WorkflowContextExpandParams, context?: { userId: string }): Promise<any> {
    if (!context?.userId) {
      throw new Error('Unauthorized workflow access')
    }
    const contextPack = await getContextPack(params.contextPackId)
    if (!contextPack) {
      throw new Error(`Context pack not found or expired: ${params.contextPackId}`)
    }
    const authorization = await authorizeWorkflowByWorkspacePermission({
      workflowId: contextPack.workflowId,
      userId: context.userId,
      action: 'read',
    })
    if (!authorization.allowed) {
      throw new Error(authorization.message || 'Unauthorized workflow access')
    }
    const requestedBlockTypes = new Set<string>()
    for (const blockType of params.blockTypes || []) {
      if (blockType) requestedBlockTypes.add(blockType)
    }
    for (const schemaRef of params.schemaRefs || []) {
      const blockType = parseSchemaRefToBlockType(schemaRef)
      if (blockType) requestedBlockTypes.add(blockType)
    }
    const typesToExpand = [...requestedBlockTypes]
    const { schemasByType, schemaRefsByType } = buildSchemasByType(typesToExpand)
    return {
      success: true,
      contextPackId: params.contextPackId,
      workflowId: contextPack.workflowId,
      snapshotHash: contextPack.snapshotHash,
      schemasByType,
      schemaRefsByType,
    }
  },
 }
--- a/apps/sim/lib/copilot/tools/server/workflow/workflow-state.ts
+++ b/apps/sim/lib/copilot/tools/server/workflow/workflow-state.ts
@@ -0,0 +1,226 @@
 import crypto from 'crypto'
 import { db } from '@sim/db'
 import { workflow as workflowTable } from '@sim/db/schema'
 import { createLogger } from '@sim/logger'
 import { eq } from 'drizzle-orm'
 import { loadWorkflowFromNormalizedTables } from '@/lib/workflows/persistence/utils'
 import { getAllBlockTypes, getBlock } from '@/blocks/registry'
 import type { SubBlockConfig } from '@/blocks/types'
 const logger = createLogger('WorkflowContextState')
 function stableSortValue(value: any): any {
  if (Array.isArray(value)) {
    return value.map(stableSortValue)
  }
  if (value && typeof value === 'object') {
    const sorted: Record<string, any> = {}
    for (const key of Object.keys(value).sort()) {
      sorted[key] = stableSortValue(value[key])
    }
    return sorted
  }
  return value
 }
 export function hashWorkflowState(state: Record<string, unknown>): string {
  const stable = stableSortValue(state)
  const payload = JSON.stringify(stable)
  return `sha256:${crypto.createHash('sha256').update(payload).digest('hex')}`
 }
 function normalizeOptions(options: unknown): string[] | null {
  if (!Array.isArray(options)) return null
  const normalized = options
    .map((option) => {
      if (option == null) return null
      if (typeof option === 'object') {
        const optionRecord = option as Record<string, unknown>
        const id = optionRecord.id
        if (typeof id === 'string') return id
        const label = optionRecord.label
        if (typeof label === 'string') return label
        return null
      }
      return String(option)
    })
    .filter((value): value is string => Boolean(value))
  return normalized.length > 0 ? normalized : null
 }
 function serializeRequired(required: SubBlockConfig['required']): boolean | Record<string, any> {
  if (typeof required === 'boolean') return required
  if (!required) return false
  if (typeof required === 'object') {
    const out: Record<string, any> = {}
    const record = required as Record<string, unknown>
    for (const key of ['field', 'operator', 'value']) {
      if (record[key] !== undefined) {
        out[key] = record[key]
      }
    }
    return out
  }
  return false
 }
 function serializeSubBlock(subBlock: SubBlockConfig): Record<string, unknown> {
  const staticOptions =
    typeof subBlock.options === 'function' ? null : normalizeOptions(subBlock.options)
  return {
    id: subBlock.id,
    type: subBlock.type,
    title: subBlock.title,
    description: subBlock.description || null,
    mode: subBlock.mode || null,
    placeholder: subBlock.placeholder || null,
    hidden: Boolean(subBlock.hidden),
    multiSelect: Boolean(subBlock.multiSelect),
    required: serializeRequired(subBlock.required),
    hasDynamicOptions: typeof subBlock.options === 'function',
    options: staticOptions,
    defaultValue: subBlock.defaultValue ?? null,
    min: subBlock.min ?? null,
    max: subBlock.max ?? null,
  }
 }
 function serializeBlockSchema(blockType: string): Record<string, unknown> | null {
  const blockConfig = getBlock(blockType)
  if (!blockConfig) return null
  const subBlocks = Array.isArray(blockConfig.subBlocks)
    ? blockConfig.subBlocks.map(serializeSubBlock)
    : []
  const outputs = blockConfig.outputs || {}
  const outputKeys = Object.keys(outputs)
  return {
    blockType,
    blockName: blockConfig.name || blockType,
    category: blockConfig.category,
    triggerAllowed: Boolean(blockConfig.triggerAllowed || blockConfig.triggers?.enabled),
    hasTriggersConfig: Boolean(blockConfig.triggers?.enabled),
    subBlocks,
    outputKeys,
    longDescription: blockConfig.longDescription || null,
  }
 }
 export function buildSchemasByType(blockTypes: string[]): {
  schemasByType: Record<string, any>
  schemaRefsByType: Record<string, string>
 } {
  const schemasByType: Record<string, any> = {}
  const schemaRefsByType: Record<string, string> = {}
  const uniqueTypes = [...new Set(blockTypes.filter(Boolean))]
  for (const blockType of uniqueTypes) {
    const schema = serializeBlockSchema(blockType)
    if (!schema) continue
    const stableSchema = stableSortValue(schema)
    const schemaHash = crypto
      .createHash('sha256')
      .update(JSON.stringify(stableSchema))
      .digest('hex')
    schemasByType[blockType] = stableSchema
    schemaRefsByType[blockType] = `${blockType}@sha256:${schemaHash}`
  }
  return { schemasByType, schemaRefsByType }
 }
 export async function loadWorkflowStateFromDb(workflowId: string): Promise<{
  workflowState: {
    blocks: Record<string, any>
    edges: Array<Record<string, any>>
    loops: Record<string, any>
    parallels: Record<string, any>
  }
  workspaceId?: string
 }> {
  const [workflowRecord] = await db
    .select({ workspaceId: workflowTable.workspaceId })
    .from(workflowTable)
    .where(eq(workflowTable.id, workflowId))
    .limit(1)
  if (!workflowRecord) {
    throw new Error(`Workflow ${workflowId} not found`)
  }
  const normalized = await loadWorkflowFromNormalizedTables(workflowId)
  if (!normalized) {
    throw new Error(`Workflow ${workflowId} has no normalized data`)
  }
  const blocks = { ...normalized.blocks }
  const invalidBlockIds: string[] = []
  for (const [blockId, block] of Object.entries(blocks)) {
    if (!(block as { type?: unknown })?.type) {
      invalidBlockIds.push(blockId)
    }
  }
  for (const blockId of invalidBlockIds) {
    delete blocks[blockId]
  }
  const invalidSet = new Set(invalidBlockIds)
  const edges = (normalized.edges || []).filter(
    (edge: any) => !invalidSet.has(edge.source) && !invalidSet.has(edge.target)
  )
  if (invalidBlockIds.length > 0) {
    logger.warn('Dropped blocks without type while loading workflow state', {
      workflowId,
      dropped: invalidBlockIds,
    })
  }
  return {
    workflowState: {
      blocks,
      edges,
      loops: normalized.loops || {},
      parallels: normalized.parallels || {},
    },
    workspaceId: workflowRecord.workspaceId || undefined,
  }
 }
 export function summarizeWorkflowState(workflowState: {
  blocks: Record<string, any>
  edges: Array<Record<string, any>>
  loops: Record<string, any>
  parallels: Record<string, any>
 }): Record<string, unknown> {
  const blocks = workflowState.blocks || {}
  const edges = workflowState.edges || []
  const blockTypes: Record<string, number> = {}
  const triggerBlocks: Array<{ id: string; name: string; type: string }> = []
  for (const [blockId, block] of Object.entries(blocks)) {
    const blockType = String((block as Record<string, unknown>).type || 'unknown')
    blockTypes[blockType] = (blockTypes[blockType] || 0) + 1
    if ((block as Record<string, unknown>).triggerMode === true) {
      triggerBlocks.push({
        id: blockId,
        name: String((block as Record<string, unknown>).name || blockType),
        type: blockType,
      })
    }
  }
  return {
    blockCount: Object.keys(blocks).length,
    edgeCount: edges.length,
    loopCount: Object.keys(workflowState.loops || {}).length,
    parallelCount: Object.keys(workflowState.parallels || {}).length,
    blockTypes,
    triggerBlocks,
  }
 }
 export function getAllKnownBlockTypes(): string[] {
  return getAllBlockTypes()
 }
--- a/apps/sim/lib/copilot/tools/server/workflow/workflow-verify.ts
+++ b/apps/sim/lib/copilot/tools/server/workflow/workflow-verify.ts
@@ -0,0 +1,194 @@
 import { createLogger } from '@sim/logger'
 import { z } from 'zod'
 import type { BaseServerTool } from '@/lib/copilot/tools/server/base-tool'
 import { validateWorkflowState } from '@/lib/workflows/sanitization/validation'
 import { authorizeWorkflowByWorkspacePermission } from '@/lib/workflows/utils'
 import { hashWorkflowState, loadWorkflowStateFromDb } from './workflow-state'
 const logger = createLogger('WorkflowVerifyServerTool')
 const AcceptanceItemSchema = z.union([
  z.string(),
  z.object({
    kind: z.string().optional(),
    assert: z.string(),
  }),
 ])
 const WorkflowVerifyInputSchema = z
  .object({
    workflowId: z.string(),
    acceptance: z.array(AcceptanceItemSchema).optional(),
    baseSnapshotHash: z.string().optional(),
  })
  .strict()
 type WorkflowVerifyParams = z.infer<typeof WorkflowVerifyInputSchema>
 function normalizeName(value: string): string {
  return value.trim().toLowerCase()
 }
 function resolveBlockToken(
  workflowState: { blocks: Record<string, any> },
  token: string
 ): string | null {
  if (!token) return null
  if (workflowState.blocks[token]) return token
  const normalized = normalizeName(token)
  for (const [blockId, block] of Object.entries(workflowState.blocks || {})) {
    const blockName = normalizeName(String((block as Record<string, unknown>).name || ''))
    if (blockName === normalized) return blockId
  }
  return null
 }
 function hasPath(
  workflowState: { edges: Array<Record<string, any>> },
  blockPath: string[]
 ): boolean {
  if (blockPath.length < 2) return true
  const adjacency = new Map<string, string[]>()
  for (const edge of workflowState.edges || []) {
    const source = String(edge.source || '')
    const target = String(edge.target || '')
    if (!source || !target) continue
    const existing = adjacency.get(source) || []
    existing.push(target)
    adjacency.set(source, existing)
  }
  for (let i = 0; i < blockPath.length - 1; i++) {
    const from = blockPath[i]
    const to = blockPath[i + 1]
    const next = adjacency.get(from) || []
    if (!next.includes(to)) return false
  }
  return true
 }
 function evaluateAssertions(params: {
  workflowState: {
    blocks: Record<string, any>
    edges: Array<Record<string, any>>
  }
  assertions: string[]
 }): { failures: string[]; checks: Array<Record<string, any>> } {
  const failures: string[] = []
  const checks: Array<Record<string, any>> = []
  for (const assertion of params.assertions) {
    if (assertion.startsWith('block_exists:')) {
      const token = assertion.slice('block_exists:'.length).trim()
      const blockId = resolveBlockToken(params.workflowState, token)
      const passed = Boolean(blockId)
      checks.push({ assert: assertion, passed, resolvedBlockId: blockId || null })
      if (!passed) failures.push(`Assertion failed: ${assertion}`)
      continue
    }
    if (assertion.startsWith('trigger_exists:')) {
      const triggerType = normalizeName(assertion.slice('trigger_exists:'.length))
      const triggerBlock = Object.values(params.workflowState.blocks || {}).find((block: any) => {
        if (block?.triggerMode !== true) return false
        return normalizeName(String(block?.type || '')) === triggerType
      })
      const passed = Boolean(triggerBlock)
      checks.push({ assert: assertion, passed })
      if (!passed) failures.push(`Assertion failed: ${assertion}`)
      continue
    }
    if (assertion.startsWith('path_exists:')) {
      const rawPath = assertion.slice('path_exists:'.length).trim()
      const tokens = rawPath
        .split('->')
        .map((token) => token.trim())
        .filter(Boolean)
      const resolvedPath = tokens
        .map((token) => resolveBlockToken(params.workflowState, token))
        .filter((value): value is string => Boolean(value))
      const resolvedAll = resolvedPath.length === tokens.length
      const passed = resolvedAll && hasPath(params.workflowState, resolvedPath)
      checks.push({
        assert: assertion,
        passed,
        resolvedPath,
      })
      if (!passed) failures.push(`Assertion failed: ${assertion}`)
      continue
    }
    // Unknown assertion format - mark as warning failure for explicit visibility.
    checks.push({ assert: assertion, passed: false, reason: 'unknown_assertion_type' })
    failures.push(`Unknown assertion format: ${assertion}`)
  }
  return { failures, checks }
 }
 export const workflowVerifyServerTool: BaseServerTool<WorkflowVerifyParams, any> = {
  name: 'workflow_verify',
  inputSchema: WorkflowVerifyInputSchema,
  async execute(params: WorkflowVerifyParams, context?: { userId: string }): Promise<any> {
    if (!context?.userId) {
      throw new Error('Unauthorized workflow access')
    }
    const authorization = await authorizeWorkflowByWorkspacePermission({
      workflowId: params.workflowId,
      userId: context.userId,
      action: 'read',
    })
    if (!authorization.allowed) {
      throw new Error(authorization.message || 'Unauthorized workflow access')
    }
    const { workflowState } = await loadWorkflowStateFromDb(params.workflowId)
    const snapshotHash = hashWorkflowState(workflowState as unknown as Record<string, unknown>)
    if (params.baseSnapshotHash && params.baseSnapshotHash !== snapshotHash) {
      return {
        success: false,
        verified: false,
        reason: 'snapshot_mismatch',
        expected: params.baseSnapshotHash,
        current: snapshotHash,
      }
    }
    const validation = validateWorkflowState(workflowState as any, { sanitize: false })
    const assertions = (params.acceptance || []).map((item) =>
      typeof item === 'string' ? item : item.assert
    )
    const assertionResults = evaluateAssertions({
      workflowState,
      assertions,
    })
    const verified =
      validation.valid && assertionResults.failures.length === 0 && validation.errors.length === 0
    logger.info('Workflow verification complete', {
      workflowId: params.workflowId,
      verified,
      errorCount: validation.errors.length,
      warningCount: validation.warnings.length,
      assertionFailures: assertionResults.failures.length,
    })
    return {
      success: true,
      verified,
      snapshotHash,
      validation: {
        valid: validation.valid,
        errors: validation.errors,
        warnings: validation.warnings,
      },
      assertions: assertionResults.checks,
      failures: assertionResults.failures,
    }
  },
 }
--- a/apps/sim/lib/credentials/access.ts
+++ b/apps/sim/lib/credentials/access.ts
@@ -1,62 +0,0 @@
 import { db } from '@sim/db'
 import { credential, credentialMember } from '@sim/db/schema'
 import { and, eq } from 'drizzle-orm'
 import { checkWorkspaceAccess } from '@/lib/workspaces/permissions/utils'
 type ActiveCredentialMember = typeof credentialMember.$inferSelect
 type CredentialRecord = typeof credential.$inferSelect
 export interface CredentialActorContext {
  credential: CredentialRecord | null
  member: ActiveCredentialMember | null
  hasWorkspaceAccess: boolean
  canWriteWorkspace: boolean
  isAdmin: boolean
 }
 /**
 * Resolves user access context for a credential.
 */
 export async function getCredentialActorContext(
  credentialId: string,
  userId: string
 ): Promise<CredentialActorContext> {
  const [credentialRow] = await db
    .select()
    .from(credential)
    .where(eq(credential.id, credentialId))
    .limit(1)
  if (!credentialRow) {
    return {
      credential: null,
      member: null,
      hasWorkspaceAccess: false,
      canWriteWorkspace: false,
      isAdmin: false,
    }
  }
  const workspaceAccess = await checkWorkspaceAccess(credentialRow.workspaceId, userId)
  const [memberRow] = await db
    .select()
    .from(credentialMember)
    .where(
      and(
        eq(credentialMember.credentialId, credentialId),
        eq(credentialMember.userId, userId),
        eq(credentialMember.status, 'active')
      )
    )
    .limit(1)
  const isAdmin = memberRow?.role === 'admin'
  return {
    credential: credentialRow,
    member: memberRow ?? null,
    hasWorkspaceAccess: workspaceAccess.hasAccess,
    canWriteWorkspace: workspaceAccess.canWrite,
    isAdmin,
  }
 }
--- a/apps/sim/lib/credentials/client-state.ts
+++ b/apps/sim/lib/credentials/client-state.ts
@@ -1,77 +0,0 @@
 'use client'
 export const PENDING_OAUTH_CREDENTIAL_DRAFT_KEY = 'sim.pending-oauth-credential-draft'
 export const PENDING_CREDENTIAL_CREATE_REQUEST_KEY = 'sim.pending-credential-create-request'
 export interface PendingOAuthCredentialDraft {
  workspaceId: string
  providerId: string
  displayName: string
  existingCredentialIds: string[]
  existingAccountIds: string[]
  requestedAt: number
 }
 interface PendingOAuthCredentialCreateRequest {
  workspaceId: string
  type: 'oauth'
  providerId: string
  displayName: string
  serviceId: string
  requiredScopes: string[]
  requestedAt: number
 }
 interface PendingSecretCredentialCreateRequest {
  workspaceId: string
  type: 'env_personal' | 'env_workspace'
  envKey?: string
  requestedAt: number
 }
 export type PendingCredentialCreateRequest =
  | PendingOAuthCredentialCreateRequest
  | PendingSecretCredentialCreateRequest
 function parseJson<T>(raw: string | null): T | null {
  if (!raw) return null
  try {
    return JSON.parse(raw) as T
  } catch {
    return null
  }
 }
 export function readPendingOAuthCredentialDraft(): PendingOAuthCredentialDraft | null {
  if (typeof window === 'undefined') return null
  return parseJson<PendingOAuthCredentialDraft>(
    window.sessionStorage.getItem(PENDING_OAUTH_CREDENTIAL_DRAFT_KEY)
  )
 }
 export function writePendingOAuthCredentialDraft(payload: PendingOAuthCredentialDraft) {
  if (typeof window === 'undefined') return
  window.sessionStorage.setItem(PENDING_OAUTH_CREDENTIAL_DRAFT_KEY, JSON.stringify(payload))
 }
 export function clearPendingOAuthCredentialDraft() {
  if (typeof window === 'undefined') return
  window.sessionStorage.removeItem(PENDING_OAUTH_CREDENTIAL_DRAFT_KEY)
 }
 export function readPendingCredentialCreateRequest(): PendingCredentialCreateRequest | null {
  if (typeof window === 'undefined') return null
  return parseJson<PendingCredentialCreateRequest>(
    window.sessionStorage.getItem(PENDING_CREDENTIAL_CREATE_REQUEST_KEY)
  )
 }
 export function writePendingCredentialCreateRequest(payload: PendingCredentialCreateRequest) {
  if (typeof window === 'undefined') return
  window.sessionStorage.setItem(PENDING_CREDENTIAL_CREATE_REQUEST_KEY, JSON.stringify(payload))
 }
 export function clearPendingCredentialCreateRequest() {
  if (typeof window === 'undefined') return
  window.sessionStorage.removeItem(PENDING_CREDENTIAL_CREATE_REQUEST_KEY)
 }
--- a/apps/sim/lib/credentials/environment.ts
+++ b/apps/sim/lib/credentials/environment.ts
@@ -1,356 +0,0 @@
 import { db } from '@sim/db'
 import { credential, credentialMember, permissions, workspace } from '@sim/db/schema'
 import { and, eq, inArray, notInArray } from 'drizzle-orm'
 interface AccessibleEnvCredential {
  type: 'env_workspace' | 'env_personal'
  envKey: string
  envOwnerUserId: string | null
  updatedAt: Date
 }
 function getPostgresErrorCode(error: unknown): string | undefined {
  if (!error || typeof error !== 'object') return undefined
  const err = error as { code?: string; cause?: { code?: string } }
  return err.code || err.cause?.code
 }
 export async function getWorkspaceMemberUserIds(workspaceId: string): Promise<string[]> {
  const [workspaceRows, permissionRows] = await Promise.all([
    db
      .select({ ownerId: workspace.ownerId })
      .from(workspace)
      .where(eq(workspace.id, workspaceId))
      .limit(1),
    db
      .select({ userId: permissions.userId })
      .from(permissions)
      .where(and(eq(permissions.entityType, 'workspace'), eq(permissions.entityId, workspaceId))),
  ])
  const workspaceRow = workspaceRows[0]
  const memberIds = new Set<string>(permissionRows.map((row) => row.userId))
  if (workspaceRow?.ownerId) {
    memberIds.add(workspaceRow.ownerId)
  }
  return Array.from(memberIds)
 }
 export async function getUserWorkspaceIds(userId: string): Promise<string[]> {
  const [permissionRows, ownedWorkspaceRows] = await Promise.all([
    db
      .select({ workspaceId: workspace.id })
      .from(permissions)
      .innerJoin(
        workspace,
        and(eq(permissions.entityType, 'workspace'), eq(permissions.entityId, workspace.id))
      )
      .where(eq(permissions.userId, userId)),
    db.select({ workspaceId: workspace.id }).from(workspace).where(eq(workspace.ownerId, userId)),
  ])
  const workspaceIds = new Set<string>(permissionRows.map((row) => row.workspaceId))
  for (const row of ownedWorkspaceRows) {
    workspaceIds.add(row.workspaceId)
  }
  return Array.from(workspaceIds)
 }
 async function upsertCredentialAdminMember(credentialId: string, adminUserId: string) {
  const now = new Date()
  const [existingMembership] = await db
    .select({ id: credentialMember.id, joinedAt: credentialMember.joinedAt })
    .from(credentialMember)
    .where(
      and(eq(credentialMember.credentialId, credentialId), eq(credentialMember.userId, adminUserId))
    )
    .limit(1)
  if (existingMembership) {
    await db
      .update(credentialMember)
      .set({
        role: 'admin',
        status: 'active',
        joinedAt: existingMembership.joinedAt ?? now,
        invitedBy: adminUserId,
        updatedAt: now,
      })
      .where(eq(credentialMember.id, existingMembership.id))
    return
  }
  await db.insert(credentialMember).values({
    id: crypto.randomUUID(),
    credentialId,
    userId: adminUserId,
    role: 'admin',
    status: 'active',
    joinedAt: now,
    invitedBy: adminUserId,
    createdAt: now,
    updatedAt: now,
  })
 }
 async function ensureWorkspaceCredentialMemberships(
  credentialId: string,
  workspaceId: string,
  ownerUserId: string
 ) {
  const workspaceMemberUserIds = await getWorkspaceMemberUserIds(workspaceId)
  if (!workspaceMemberUserIds.length) return
  const existingMemberships = await db
    .select({
      id: credentialMember.id,
      userId: credentialMember.userId,
      joinedAt: credentialMember.joinedAt,
    })
    .from(credentialMember)
    .where(
      and(
        eq(credentialMember.credentialId, credentialId),
        inArray(credentialMember.userId, workspaceMemberUserIds)
      )
    )
  const byUserId = new Map(existingMemberships.map((row) => [row.userId, row]))
  const now = new Date()
  for (const memberUserId of workspaceMemberUserIds) {
    const targetRole = memberUserId === ownerUserId ? 'admin' : 'member'
    const existing = byUserId.get(memberUserId)
    if (existing) {
      await db
        .update(credentialMember)
        .set({
          role: targetRole,
          status: 'active',
          joinedAt: existing.joinedAt ?? now,
          invitedBy: ownerUserId,
          updatedAt: now,
        })
        .where(eq(credentialMember.id, existing.id))
      continue
    }
    await db.insert(credentialMember).values({
      id: crypto.randomUUID(),
      credentialId,
      userId: memberUserId,
      role: targetRole,
      status: 'active',
      joinedAt: now,
      invitedBy: ownerUserId,
      createdAt: now,
      updatedAt: now,
    })
  }
 }
 export async function syncWorkspaceEnvCredentials(params: {
  workspaceId: string
  envKeys: string[]
  actingUserId: string
 }) {
  const { workspaceId, envKeys, actingUserId } = params
  const [workspaceRow] = await db
    .select({ ownerId: workspace.ownerId })
    .from(workspace)
    .where(eq(workspace.id, workspaceId))
    .limit(1)
  if (!workspaceRow) return
  const normalizedKeys = Array.from(new Set(envKeys.filter(Boolean)))
  const existingCredentials = await db
    .select({
      id: credential.id,
      envKey: credential.envKey,
    })
    .from(credential)
    .where(and(eq(credential.workspaceId, workspaceId), eq(credential.type, 'env_workspace')))
  const existingByKey = new Map(
    existingCredentials
      .filter((row): row is { id: string; envKey: string } => Boolean(row.envKey))
      .map((row) => [row.envKey, row.id])
  )
  const credentialIdsToEnsureMembership = new Set<string>()
  const now = new Date()
  for (const envKey of normalizedKeys) {
    const existingId = existingByKey.get(envKey)
    if (existingId) {
      credentialIdsToEnsureMembership.add(existingId)
      continue
    }
    const createdId = crypto.randomUUID()
    try {
      await db.insert(credential).values({
        id: createdId,
        workspaceId,
        type: 'env_workspace',
        displayName: envKey,
        envKey,
        createdBy: actingUserId,
        createdAt: now,
        updatedAt: now,
      })
      credentialIdsToEnsureMembership.add(createdId)
    } catch (error: unknown) {
      const code = getPostgresErrorCode(error)
      if (code !== '23505') throw error
    }
  }
  for (const credentialId of credentialIdsToEnsureMembership) {
    await ensureWorkspaceCredentialMemberships(credentialId, workspaceId, workspaceRow.ownerId)
  }
  if (normalizedKeys.length > 0) {
    await db
      .delete(credential)
      .where(
        and(
          eq(credential.workspaceId, workspaceId),
          eq(credential.type, 'env_workspace'),
          notInArray(credential.envKey, normalizedKeys)
        )
      )
    return
  }
  await db
    .delete(credential)
    .where(and(eq(credential.workspaceId, workspaceId), eq(credential.type, 'env_workspace')))
 }
 export async function syncPersonalEnvCredentialsForUser(params: {
  userId: string
  envKeys: string[]
 }) {
  const { userId, envKeys } = params
  const workspaceIds = await getUserWorkspaceIds(userId)
  if (!workspaceIds.length) return
  const normalizedKeys = Array.from(new Set(envKeys.filter(Boolean)))
  const now = new Date()
  for (const workspaceId of workspaceIds) {
    const existingCredentials = await db
      .select({
        id: credential.id,
        envKey: credential.envKey,
      })
      .from(credential)
      .where(
        and(
          eq(credential.workspaceId, workspaceId),
          eq(credential.type, 'env_personal'),
          eq(credential.envOwnerUserId, userId)
        )
      )
    const existingByKey = new Map(
      existingCredentials
        .filter((row): row is { id: string; envKey: string } => Boolean(row.envKey))
        .map((row) => [row.envKey, row.id])
    )
    for (const envKey of normalizedKeys) {
      const existingId = existingByKey.get(envKey)
      if (existingId) {
        await upsertCredentialAdminMember(existingId, userId)
        continue
      }
      const createdId = crypto.randomUUID()
      try {
        await db.insert(credential).values({
          id: createdId,
          workspaceId,
          type: 'env_personal',
          displayName: envKey,
          envKey,
          envOwnerUserId: userId,
          createdBy: userId,
          createdAt: now,
          updatedAt: now,
        })
        await upsertCredentialAdminMember(createdId, userId)
      } catch (error: unknown) {
        const code = getPostgresErrorCode(error)
        if (code !== '23505') throw error
      }
    }
    if (normalizedKeys.length > 0) {
      await db
        .delete(credential)
        .where(
          and(
            eq(credential.workspaceId, workspaceId),
            eq(credential.type, 'env_personal'),
            eq(credential.envOwnerUserId, userId),
            notInArray(credential.envKey, normalizedKeys)
          )
        )
      continue
    }
    await db
      .delete(credential)
      .where(
        and(
          eq(credential.workspaceId, workspaceId),
          eq(credential.type, 'env_personal'),
          eq(credential.envOwnerUserId, userId)
        )
      )
  }
 }
 export async function getAccessibleEnvCredentials(
  workspaceId: string,
  userId: string
 ): Promise<AccessibleEnvCredential[]> {
  const rows = await db
    .select({
      type: credential.type,
      envKey: credential.envKey,
      envOwnerUserId: credential.envOwnerUserId,
      updatedAt: credential.updatedAt,
    })
    .from(credential)
    .innerJoin(
      credentialMember,
      and(
        eq(credentialMember.credentialId, credential.id),
        eq(credentialMember.userId, userId),
        eq(credentialMember.status, 'active')
      )
    )
    .where(
      and(
        eq(credential.workspaceId, workspaceId),
        inArray(credential.type, ['env_workspace', 'env_personal'])
      )
    )
  return rows
    .filter(
      (row): row is AccessibleEnvCredential =>
        (row.type === 'env_workspace' || row.type === 'env_personal') && Boolean(row.envKey)
    )
    .map((row) => ({
      type: row.type,
      envKey: row.envKey!,
      envOwnerUserId: row.envOwnerUserId,
      updatedAt: row.updatedAt,
    }))
 }
--- a/apps/sim/lib/credentials/oauth.ts
+++ b/apps/sim/lib/credentials/oauth.ts
@@ -1,195 +0,0 @@
 import { db } from '@sim/db'
 import { account, credential, credentialMember } from '@sim/db/schema'
 import { and, eq, inArray } from 'drizzle-orm'
 import { getServiceConfigByProviderId } from '@/lib/oauth'
 interface SyncWorkspaceOAuthCredentialsForUserParams {
  workspaceId: string
  userId: string
 }
 interface SyncWorkspaceOAuthCredentialsForUserResult {
  createdCredentials: number
  updatedMemberships: number
 }
 function getPostgresErrorCode(error: unknown): string | undefined {
  if (!error || typeof error !== 'object') return undefined
  const err = error as { code?: string; cause?: { code?: string } }
  return err.code || err.cause?.code
 }
 /**
 * Ensures connected OAuth accounts for a user exist as workspace-scoped credentials.
 */
 export async function syncWorkspaceOAuthCredentialsForUser(
  params: SyncWorkspaceOAuthCredentialsForUserParams
 ): Promise<SyncWorkspaceOAuthCredentialsForUserResult> {
  const { workspaceId, userId } = params
  const userAccounts = await db
    .select({
      id: account.id,
      providerId: account.providerId,
      accountId: account.accountId,
    })
    .from(account)
    .where(eq(account.userId, userId))
  if (userAccounts.length === 0) {
    return { createdCredentials: 0, updatedMemberships: 0 }
  }
  const accountIds = userAccounts.map((row) => row.id)
  const existingCredentials = await db
    .select({
      id: credential.id,
      displayName: credential.displayName,
      providerId: credential.providerId,
      accountId: credential.accountId,
    })
    .from(credential)
    .where(
      and(
        eq(credential.workspaceId, workspaceId),
        eq(credential.type, 'oauth'),
        inArray(credential.accountId, accountIds)
      )
    )
  const now = new Date()
  const userAccountById = new Map(userAccounts.map((row) => [row.id, row]))
  for (const existingCredential of existingCredentials) {
    if (!existingCredential.accountId) continue
    const linkedAccount = userAccountById.get(existingCredential.accountId)
    if (!linkedAccount) continue
    const normalizedLabel =
      getServiceConfigByProviderId(linkedAccount.providerId)?.name || linkedAccount.providerId
    const shouldNormalizeDisplayName =
      existingCredential.displayName === linkedAccount.accountId ||
      existingCredential.displayName === linkedAccount.providerId
    if (!shouldNormalizeDisplayName || existingCredential.displayName === normalizedLabel) {
      continue
    }
    await db
      .update(credential)
      .set({
        displayName: normalizedLabel,
        updatedAt: now,
      })
      .where(eq(credential.id, existingCredential.id))
  }
  const existingByAccountId = new Map(
    existingCredentials
      .filter((row) => Boolean(row.accountId))
      .map((row) => [row.accountId!, row.id])
  )
  let createdCredentials = 0
  for (const acc of userAccounts) {
    if (existingByAccountId.has(acc.id)) {
      continue
    }
    try {
      await db.insert(credential).values({
        id: crypto.randomUUID(),
        workspaceId,
        type: 'oauth',
        displayName: getServiceConfigByProviderId(acc.providerId)?.name || acc.providerId,
        providerId: acc.providerId,
        accountId: acc.id,
        createdBy: userId,
        createdAt: now,
        updatedAt: now,
      })
      createdCredentials += 1
    } catch (error) {
      if (getPostgresErrorCode(error) !== '23505') {
        throw error
      }
    }
  }
  const credentialRows = await db
    .select({ id: credential.id, accountId: credential.accountId })
    .from(credential)
    .where(
      and(
        eq(credential.workspaceId, workspaceId),
        eq(credential.type, 'oauth'),
        inArray(credential.accountId, accountIds)
      )
    )
  const credentialIdByAccountId = new Map(
    credentialRows.filter((row) => Boolean(row.accountId)).map((row) => [row.accountId!, row.id])
  )
  const allCredentialIds = Array.from(credentialIdByAccountId.values())
  if (allCredentialIds.length === 0) {
    return { createdCredentials, updatedMemberships: 0 }
  }
  const existingMemberships = await db
    .select({
      id: credentialMember.id,
      credentialId: credentialMember.credentialId,
      joinedAt: credentialMember.joinedAt,
    })
    .from(credentialMember)
    .where(
      and(
        inArray(credentialMember.credentialId, allCredentialIds),
        eq(credentialMember.userId, userId)
      )
    )
  const membershipByCredentialId = new Map(
    existingMemberships.map((row) => [row.credentialId, row])
  )
  let updatedMemberships = 0
  for (const credentialId of allCredentialIds) {
    const existingMembership = membershipByCredentialId.get(credentialId)
    if (existingMembership) {
      await db
        .update(credentialMember)
        .set({
          role: 'admin',
          status: 'active',
          joinedAt: existingMembership.joinedAt ?? now,
          invitedBy: userId,
          updatedAt: now,
        })
        .where(eq(credentialMember.id, existingMembership.id))
      updatedMemberships += 1
      continue
    }
    try {
      await db.insert(credentialMember).values({
        id: crypto.randomUUID(),
        credentialId,
        userId,
        role: 'admin',
        status: 'active',
        joinedAt: now,
        invitedBy: userId,
        createdAt: now,
        updatedAt: now,
      })
      updatedMemberships += 1
    } catch (error) {
      if (getPostgresErrorCode(error) !== '23505') {
        throw error
      }
    }
  }
  return { createdCredentials, updatedMemberships }
 }
--- a/apps/sim/lib/environment/utils.ts
+++ b/apps/sim/lib/environment/utils.ts
@@ -1,9 +1,8 @@
 import { db } from '@sim/db'
 import { environment, workspaceEnvironment } from '@sim/db/schema'
 import { createLogger } from '@sim/logger'
-import { eq, inArray } from 'drizzle-orm'
+import { eq } from 'drizzle-orm'
 import { decryptSecret } from '@/lib/core/security/encryption'
 import { getAccessibleEnvCredentials } from '@/lib/credentials/environment'
 const logger = createLogger('EnvironmentUtils')
@@ -54,7 +53,7 @@ export async function getPersonalAndWorkspaceEnv(
  conflicts: string[]
  decryptionFailures: string[]
 }> {
-  const [personalRows, workspaceRows, accessibleEnvCredentials] = await Promise.all([
+  const [personalRows, workspaceRows] = await Promise.all([
    db.select().from(environment).where(eq(environment.userId, userId)).limit(1),
    workspaceId
      ? db
@@ -63,69 +62,10 @@ export async function getPersonalAndWorkspaceEnv(
          .where(eq(workspaceEnvironment.workspaceId, workspaceId))
          .limit(1)
      : Promise.resolve([] as any[]),
    workspaceId ? getAccessibleEnvCredentials(workspaceId, userId) : Promise.resolve([]),
  ])
-  const ownPersonalEncrypted: Record<string, string> = (personalRows[0]?.variables as any) || {}
+  const personalEncrypted: Record<string, string> = (personalRows[0]?.variables as any) || {}
-  const allWorkspaceEncrypted: Record<string, string> = (workspaceRows[0]?.variables as any) || {}
+  const workspaceEncrypted: Record<string, string> = (workspaceRows[0]?.variables as any) || {}
  const hasCredentialFiltering = Boolean(workspaceId) && accessibleEnvCredentials.length > 0
  const workspaceCredentialKeys = new Set(
    accessibleEnvCredentials.filter((row) => row.type === 'env_workspace').map((row) => row.envKey)
  )
  const personalCredentialRows = accessibleEnvCredentials
    .filter((row) => row.type === 'env_personal' && row.envOwnerUserId)
    .sort((a, b) => {
      const aIsRequester = a.envOwnerUserId === userId
      const bIsRequester = b.envOwnerUserId === userId
      if (aIsRequester && !bIsRequester) return -1
      if (!aIsRequester && bIsRequester) return 1
      return b.updatedAt.getTime() - a.updatedAt.getTime()
    })
  const selectedPersonalOwners = new Map<string, string>()
  for (const row of personalCredentialRows) {
    if (!selectedPersonalOwners.has(row.envKey) && row.envOwnerUserId) {
      selectedPersonalOwners.set(row.envKey, row.envOwnerUserId)
    }
  }
  const ownerUserIds = Array.from(new Set(selectedPersonalOwners.values()))
  const ownerEnvironmentRows =
    ownerUserIds.length > 0
      ? await db
          .select({
            userId: environment.userId,
            variables: environment.variables,
          })
          .from(environment)
          .where(inArray(environment.userId, ownerUserIds))
      : []
  const ownerVariablesByUserId = new Map<string, Record<string, string>>(
    ownerEnvironmentRows.map((row) => [row.userId, (row.variables as Record<string, string>) || {}])
  )
  let personalEncrypted: Record<string, string> = ownPersonalEncrypted
  let workspaceEncrypted: Record<string, string> = allWorkspaceEncrypted
  if (hasCredentialFiltering) {
    personalEncrypted = {}
    for (const [envKey, ownerUserId] of selectedPersonalOwners.entries()) {
      const ownerVariables = ownerVariablesByUserId.get(ownerUserId)
      const encryptedValue = ownerVariables?.[envKey]
      if (encryptedValue) {
        personalEncrypted[envKey] = encryptedValue
      }
    }
    workspaceEncrypted = Object.fromEntries(
      Object.entries(allWorkspaceEncrypted).filter(([envKey]) =>
        workspaceCredentialKeys.has(envKey)
      )
    )
  }
  const decryptionFailures: string[] = []
--- a/apps/sim/stores/modals/settings/types.ts
+++ b/apps/sim/stores/modals/settings/types.ts
@@ -1,6 +1,5 @@
 export type SettingsSection =
  | 'general'
  | 'credentials'
  | 'environment'
  | 'template-profile'
  | 'integrations'
--- a/apps/sim/stores/panel/copilot/store.ts
+++ b/apps/sim/stores/panel/copilot/store.ts
@@ -18,7 +18,6 @@ import {
 import { flushStreamingUpdates, stopStreamingUpdates } from '@/lib/copilot/client-sse/handlers'
 import type { ClientContentBlock, ClientStreamingContext } from '@/lib/copilot/client-sse/types'
 import {
  COPILOT_AUTO_ALLOWED_TOOLS_API_PATH,
  COPILOT_CHAT_API_PATH,
  COPILOT_CHAT_STREAM_API_PATH,
  COPILOT_CHECKPOINTS_API_PATH,
@@ -84,6 +83,14 @@ function isPageUnloading(): boolean {
  return _isPageUnloading
 }
 function isWorkflowEditToolCall(name?: string, params?: Record<string, unknown>): boolean {
  if (name !== 'workflow_change') return false
  const mode = typeof params?.mode === 'string' ? params.mode.toLowerCase() : ''
  if (mode === 'apply') return true
  return typeof params?.proposalId === 'string' && params.proposalId.length > 0
 }
 function readActiveStreamFromStorage(): CopilotStreamInfo | null {
  if (typeof window === 'undefined') return null
  try {
@@ -140,41 +147,6 @@ function updateActiveStreamEventId(
  writeActiveStreamToStorage(next)
 }
 const AUTO_ALLOWED_TOOLS_STORAGE_KEY = 'copilot_auto_allowed_tools'
 function readAutoAllowedToolsFromStorage(): string[] | null {
  if (typeof window === 'undefined') return null
  try {
    const raw = window.localStorage.getItem(AUTO_ALLOWED_TOOLS_STORAGE_KEY)
    if (!raw) return null
    const parsed = JSON.parse(raw)
    if (!Array.isArray(parsed)) return null
    return parsed.filter((item): item is string => typeof item === 'string')
  } catch (error) {
    logger.warn('[AutoAllowedTools] Failed to read local cache', {
      error: error instanceof Error ? error.message : String(error),
    })
    return null
  }
 }
 function writeAutoAllowedToolsToStorage(tools: string[]): void {
  if (typeof window === 'undefined') return
  try {
    window.localStorage.setItem(AUTO_ALLOWED_TOOLS_STORAGE_KEY, JSON.stringify(tools))
  } catch (error) {
    logger.warn('[AutoAllowedTools] Failed to write local cache', {
      error: error instanceof Error ? error.message : String(error),
    })
  }
 }
 function isToolAutoAllowedByList(toolId: string, autoAllowedTools: string[]): boolean {
  if (!toolId) return false
  const normalizedTarget = toolId.trim()
  return autoAllowedTools.some((allowed) => allowed?.trim() === normalizedTarget)
 }
 /**
 * Clear any lingering diff preview from a previous session.
 * Called lazily when the store is first activated (setWorkflowId).
@@ -310,6 +282,50 @@ function parseModelKey(compositeKey: string): { provider: string; modelId: strin
  return { provider: compositeKey.slice(0, slashIdx), modelId: compositeKey.slice(slashIdx + 1) }
 }
 /**
 * Convert legacy/variant Claude IDs into the canonical ID shape used by the model catalog.
 *
 * Examples:
 * - claude-4.5-opus -> claude-opus-4-5
 * - claude-opus-4.6 -> claude-opus-4-6
 * - anthropic.claude-opus-4-5-20251101-v1:0 -> claude-opus-4-5 (match key only)
 */
 function canonicalizeModelMatchKey(modelId: string): string {
  if (!modelId) return modelId
  const normalized = modelId.trim().toLowerCase()
  const toCanonicalClaude = (tier: string, version: string): string => {
    const normalizedVersion = version.replace(/\./g, '-')
    return `claude-${tier}-${normalizedVersion}`
  }
  const tierFirstExact = normalized.match(/^claude-(opus|sonnet|haiku)-(\d+(?:[.-]\d+)?)$/)
  if (tierFirstExact) {
    const [, tier, version] = tierFirstExact
    return toCanonicalClaude(tier, version)
  }
  const versionFirstExact = normalized.match(/^claude-(\d+(?:[.-]\d+)?)-(opus|sonnet|haiku)$/)
  if (versionFirstExact) {
    const [, version, tier] = versionFirstExact
    return toCanonicalClaude(tier, version)
  }
  const tierFirstEmbedded = normalized.match(/claude-(opus|sonnet|haiku)-(\d+(?:[.-]\d+)?)/)
  if (tierFirstEmbedded) {
    const [, tier, version] = tierFirstEmbedded
    return toCanonicalClaude(tier, version)
  }
  const versionFirstEmbedded = normalized.match(/claude-(\d+(?:[.-]\d+)?)-(opus|sonnet|haiku)/)
  if (versionFirstEmbedded) {
    const [, version, tier] = versionFirstEmbedded
    return toCanonicalClaude(tier, version)
  }
  return normalized
 }
 const MODEL_PROVIDER_PRIORITY = [
  'anthropic',
  'bedrock',
@@ -350,12 +366,23 @@ function normalizeSelectedModelKey(selectedModel: string, models: AvailableModel
  const { provider, modelId } = parseModelKey(selectedModel)
  const targetModelId = modelId || selectedModel
  const targetMatchKey = canonicalizeModelMatchKey(targetModelId)
-  const matches = models.filter((m) => m.id.endsWith(`/${targetModelId}`))
+  const matches = models.filter((m) => {
    const candidateModelId = parseModelKey(m.id).modelId || m.id
    const candidateMatchKey = canonicalizeModelMatchKey(candidateModelId)
    return (
      candidateModelId === targetModelId ||
      m.id.endsWith(`/${targetModelId}`) ||
      candidateMatchKey === targetMatchKey
    )
  })
  if (matches.length === 0) return selectedModel
  if (provider) {
-    const sameProvider = matches.find((m) => m.provider === provider)
+    const sameProvider = matches.find(
      (m) => m.provider === provider || m.id.startsWith(`${provider}/`)
    )
    if (sameProvider) return sameProvider.id
  }
@@ -425,11 +452,6 @@ function prepareSendContext(
    .catch((err) => {
      logger.warn('[Copilot] Failed to load sensitive credential IDs', err)
    })
  get()
    .loadAutoAllowedTools()
    .catch((err) => {
      logger.warn('[Copilot] Failed to load auto-allowed tools', err)
    })
  let newMessages: CopilotMessage[]
  if (revertState) {
@@ -982,8 +1004,6 @@ async function resumeFromLiveStream(
  return false
 }
 const cachedAutoAllowedTools = readAutoAllowedToolsFromStorage()
 // Initial state (subset required for UI/streaming)
 const initialState = {
  mode: 'build' as const,
@@ -1018,8 +1038,6 @@ const initialState = {
  streamingPlanContent: '',
  toolCallsById: {} as Record<string, CopilotToolCall>,
  suppressAutoSelect: false,
  autoAllowedTools: cachedAutoAllowedTools ?? ([] as string[]),
  autoAllowedToolsLoaded: cachedAutoAllowedTools !== null,
  activeStream: null as CopilotStreamInfo | null,
  messageQueue: [] as import('./types').QueuedMessage[],
  suppressAbortContinueOption: false,
@@ -1058,8 +1076,6 @@ export const useCopilotStore = create<CopilotStore>()(
        agentPrefetch: get().agentPrefetch,
        availableModels: get().availableModels,
        isLoadingModels: get().isLoadingModels,
        autoAllowedTools: get().autoAllowedTools,
        autoAllowedToolsLoaded: get().autoAllowedToolsLoaded,
      })
    },
@@ -1093,11 +1109,12 @@ export const useCopilotStore = create<CopilotStore>()(
      const chatConfig = chat.config ?? {}
      const chatMode = chatConfig.mode || get().mode
      const chatModel = chatConfig.model || get().selectedModel
      const normalizedChatModel = normalizeSelectedModelKey(chatModel, get().availableModels)
      logger.debug('[Chat] Restoring chat config', {
        chatId: chat.id,
        mode: chatMode,
-        model: chatModel,
+        model: normalizedChatModel,
        hasPlanArtifact: !!planArtifact,
      })
@@ -1119,7 +1136,7 @@ export const useCopilotStore = create<CopilotStore>()(
        showPlanTodos: false,
        streamingPlanContent: planArtifact,
        mode: chatMode,
-        selectedModel: chatModel as CopilotStore['selectedModel'],
+        selectedModel: normalizedChatModel as CopilotStore['selectedModel'],
        suppressAutoSelect: false,
      })
@@ -1292,6 +1309,10 @@ export const useCopilotStore = create<CopilotStore>()(
                const refreshedConfig = updatedCurrentChat.config ?? {}
                const refreshedMode = refreshedConfig.mode || get().mode
                const refreshedModel = refreshedConfig.model || get().selectedModel
                const normalizedRefreshedModel = normalizeSelectedModelKey(
                  refreshedModel,
                  get().availableModels
                )
                const toolCallsById = buildToolCallsById(normalizedMessages)
                set({
@@ -1300,7 +1321,7 @@ export const useCopilotStore = create<CopilotStore>()(
                  toolCallsById,
                  streamingPlanContent: refreshedPlanArtifact,
                  mode: refreshedMode,
-                  selectedModel: refreshedModel as CopilotStore['selectedModel'],
+                  selectedModel: normalizedRefreshedModel as CopilotStore['selectedModel'],
                })
              }
              try {
@@ -1320,11 +1341,15 @@ export const useCopilotStore = create<CopilotStore>()(
              const chatConfig = mostRecentChat.config ?? {}
              const chatMode = chatConfig.mode || get().mode
              const chatModel = chatConfig.model || get().selectedModel
              const normalizedChatModel = normalizeSelectedModelKey(
                chatModel,
                get().availableModels
              )
              logger.info('[Chat] Auto-selecting most recent chat with config', {
                chatId: mostRecentChat.id,
                mode: chatMode,
-                model: chatModel,
+                model: normalizedChatModel,
                hasPlanArtifact: !!planArtifact,
              })
@@ -1336,7 +1361,7 @@ export const useCopilotStore = create<CopilotStore>()(
                toolCallsById,
                streamingPlanContent: planArtifact,
                mode: chatMode,
-                selectedModel: chatModel as CopilotStore['selectedModel'],
+                selectedModel: normalizedChatModel as CopilotStore['selectedModel'],
              })
              try {
                await get().loadMessageCheckpoints(mostRecentChat.id)
@@ -1365,16 +1390,6 @@ export const useCopilotStore = create<CopilotStore>()(
    // Send a message (streaming only)
    sendMessage: async (message: string, options = {}) => {
      if (!get().autoAllowedToolsLoaded) {
        try {
          await get().loadAutoAllowedTools()
        } catch (error) {
          logger.warn('[Copilot] Failed to preload auto-allowed tools before send', {
            error: error instanceof Error ? error.message : String(error),
          })
        }
      }
      const prepared = prepareSendContext(get, set, message, options as SendMessageOptionsInput)
      if (!prepared) return
@@ -1641,7 +1656,7 @@ export const useCopilotStore = create<CopilotStore>()(
            const b = blocks[bi]
            if (b?.type === 'tool_call') {
              const tn = b.toolCall?.name
-              if (tn === 'edit_workflow') {
+              if (isWorkflowEditToolCall(tn, b.toolCall?.params)) {
                id = b.toolCall?.id
                break outer
              }
@@ -1650,7 +1665,9 @@ export const useCopilotStore = create<CopilotStore>()(
        }
        // Fallback to map if not found in messages
        if (!id) {
-          const candidates = Object.values(toolCallsById).filter((t) => t.name === 'edit_workflow')
+          const candidates = Object.values(toolCallsById).filter((t) =>
            isWorkflowEditToolCall(t.name, t.params)
          )
          id = candidates.length ? candidates[candidates.length - 1].id : undefined
        }
      }
@@ -2268,7 +2285,8 @@ export const useCopilotStore = create<CopilotStore>()(
    },
    setSelectedModel: async (model) => {
-      set({ selectedModel: model })
+      const normalizedModel = normalizeSelectedModelKey(model, get().availableModels)
      set({ selectedModel: normalizedModel as CopilotStore['selectedModel'] })
    },
    setAgentPrefetch: (prefetch) => set({ agentPrefetch: prefetch }),
    loadAvailableModels: async () => {
@@ -2342,74 +2360,6 @@ export const useCopilotStore = create<CopilotStore>()(
      }
    },
    loadAutoAllowedTools: async () => {
      try {
        logger.debug('[AutoAllowedTools] Loading from API...')
        const res = await fetch(COPILOT_AUTO_ALLOWED_TOOLS_API_PATH)
        logger.debug('[AutoAllowedTools] Load response', { status: res.status, ok: res.ok })
        if (res.ok) {
          const data = await res.json()
          const tools = data.autoAllowedTools ?? []
          set({ autoAllowedTools: tools, autoAllowedToolsLoaded: true })
          writeAutoAllowedToolsToStorage(tools)
          logger.debug('[AutoAllowedTools] Loaded successfully', { count: tools.length, tools })
        } else {
          set({ autoAllowedToolsLoaded: true })
          logger.warn('[AutoAllowedTools] Load failed with status', { status: res.status })
        }
      } catch (err) {
        set({ autoAllowedToolsLoaded: true })
        logger.error('[AutoAllowedTools] Failed to load', { error: err })
      }
    },
    addAutoAllowedTool: async (toolId: string) => {
      try {
        logger.debug('[AutoAllowedTools] Adding tool...', { toolId })
        const res = await fetch(COPILOT_AUTO_ALLOWED_TOOLS_API_PATH, {
          method: 'POST',
          headers: { 'Content-Type': 'application/json' },
          body: JSON.stringify({ toolId }),
        })
        logger.debug('[AutoAllowedTools] API response', { toolId, status: res.status, ok: res.ok })
        if (res.ok) {
          const data = await res.json()
          logger.debug('[AutoAllowedTools] API returned', { toolId, tools: data.autoAllowedTools })
          const tools = data.autoAllowedTools ?? []
          set({ autoAllowedTools: tools, autoAllowedToolsLoaded: true })
          writeAutoAllowedToolsToStorage(tools)
          logger.debug('[AutoAllowedTools] Added tool to store', { toolId })
        }
      } catch (err) {
        logger.error('[AutoAllowedTools] Failed to add tool', { toolId, error: err })
      }
    },
    removeAutoAllowedTool: async (toolId: string) => {
      try {
        const res = await fetch(
          `${COPILOT_AUTO_ALLOWED_TOOLS_API_PATH}?toolId=${encodeURIComponent(toolId)}`,
          {
            method: 'DELETE',
          }
        )
        if (res.ok) {
          const data = await res.json()
          const tools = data.autoAllowedTools ?? []
          set({ autoAllowedTools: tools, autoAllowedToolsLoaded: true })
          writeAutoAllowedToolsToStorage(tools)
          logger.debug('[AutoAllowedTools] Removed tool', { toolId })
        }
      } catch (err) {
        logger.error('[AutoAllowedTools] Failed to remove tool', { toolId, error: err })
      }
    },
    isToolAutoAllowed: (toolId: string) => {
      const { autoAllowedTools } = get()
      return isToolAutoAllowedByList(toolId, autoAllowedTools)
    },
    // Credential masking
    loadSensitiveCredentialIds: async () => {
      try {
--- a/apps/sim/stores/panel/copilot/types.ts
+++ b/apps/sim/stores/panel/copilot/types.ts
@@ -26,6 +26,26 @@ export interface CopilotToolCall {
  params?: Record<string, unknown>
  input?: Record<string, unknown>
  display?: ClientToolDisplay
  /** Server-provided UI contract for this tool call phase */
  ui?: {
    title?: string
    phaseLabel?: string
    icon?: string
    showInterrupt?: boolean
    showRemember?: boolean
    autoAllowed?: boolean
    actions?: Array<{
      id: string
      label: string
      kind: 'accept' | 'reject'
      remember?: boolean
    }>
  }
  /** Server-provided execution routing contract */
  execution?: {
    target?: 'go' | 'go_subagent' | 'sim_server' | 'sim_client_capability' | string
    capabilityId?: string
  }
  /** Content streamed from a subagent (e.g., debug agent) */
  subAgentContent?: string
  /** Tool calls made by the subagent */
@@ -167,10 +187,6 @@ export interface CopilotState {
  // Per-message metadata captured at send-time for reliable stats
  // Auto-allowed integration tools (tools that can run without confirmation)
  autoAllowedTools: string[]
  autoAllowedToolsLoaded: boolean
  // Active stream metadata for reconnect/replay
  activeStream: CopilotStreamInfo | null
@@ -247,11 +263,6 @@ export interface CopilotActions {
    abortSignal?: AbortSignal
  ) => Promise<void>
  handleNewChatCreation: (newChatId: string) => Promise<void>
  loadAutoAllowedTools: () => Promise<void>
  addAutoAllowedTool: (toolId: string) => Promise<void>
  removeAutoAllowedTool: (toolId: string) => Promise<void>
  isToolAutoAllowed: (toolId: string) => boolean
  // Credential masking
  loadSensitiveCredentialIds: () => Promise<void>
  maskCredentialValue: (value: string) => string
--- a/apps/sim/stores/workflow-diff/store.ts
+++ b/apps/sim/stores/workflow-diff/store.ts
@@ -15,7 +15,7 @@ import {
  captureBaselineSnapshot,
  cloneWorkflowState,
  createBatchedUpdater,
-  findLatestEditWorkflowToolCallId,
+  findLatestWorkflowEditToolCallId,
  getLatestUserMessageId,
  persistWorkflowStateToServer,
 } from './utils'
@@ -334,7 +334,7 @@ export const useWorkflowDiffStore = create<WorkflowDiffState & WorkflowDiffActio
            })
          }
-          findLatestEditWorkflowToolCallId().then((toolCallId) => {
+          findLatestWorkflowEditToolCallId().then((toolCallId) => {
            if (toolCallId) {
              import('@/stores/panel/copilot/store')
                .then(({ useCopilotStore }) => {
@@ -439,7 +439,7 @@ export const useWorkflowDiffStore = create<WorkflowDiffState & WorkflowDiffActio
            })
          }
-          findLatestEditWorkflowToolCallId().then((toolCallId) => {
+          findLatestWorkflowEditToolCallId().then((toolCallId) => {
            if (toolCallId) {
              import('@/stores/panel/copilot/store')
                .then(({ useCopilotStore }) => {
--- a/apps/sim/stores/workflow-diff/utils.ts
+++ b/apps/sim/stores/workflow-diff/utils.ts
@@ -126,6 +126,20 @@ export async function getLatestUserMessageId(): Promise<string | null> {
 }
 export async function findLatestEditWorkflowToolCallId(): Promise<string | undefined> {
  return findLatestWorkflowEditToolCallId()
 }
 function isWorkflowEditToolCall(name?: string, params?: Record<string, unknown>): boolean {
  if (name !== 'workflow_change') return false
  const mode = typeof params?.mode === 'string' ? params.mode.toLowerCase() : ''
  if (mode === 'apply') return true
  // Be permissive for incomplete events: apply calls always include proposalId.
  return typeof params?.proposalId === 'string' && params.proposalId.length > 0
 }
 export async function findLatestWorkflowEditToolCallId(): Promise<string | undefined> {
  try {
    const { useCopilotStore } = await import('@/stores/panel/copilot/store')
    const { messages, toolCallsById } = useCopilotStore.getState()
@@ -134,17 +148,22 @@ export async function findLatestEditWorkflowToolCallId(): Promise<string | undef
      const message = messages[mi]
      if (message.role !== 'assistant' || !message.contentBlocks) continue
      for (const block of message.contentBlocks) {
-        if (block?.type === 'tool_call' && block.toolCall?.name === 'edit_workflow') {
+        if (
          block?.type === 'tool_call' &&
          isWorkflowEditToolCall(block.toolCall?.name, block.toolCall?.params)
        ) {
          return block.toolCall?.id
        }
      }
    }
-    const fallback = Object.values(toolCallsById).filter((call) => call.name === 'edit_workflow')
+    const fallback = Object.values(toolCallsById).filter((call) =>
      isWorkflowEditToolCall(call.name, call.params)
    )
    return fallback.length ? fallback[fallback.length - 1].id : undefined
  } catch (error) {
-    logger.warn('Failed to resolve edit_workflow tool call id', { error })
+    logger.warn('Failed to resolve workflow edit tool call id', { error })
    return undefined
  }
 }
--- a/apps/sim/tools/confluence/delete_label.ts
+++ b/apps/sim/tools/confluence/delete_label.ts
@@ -0,0 +1,114 @@
 import { TIMESTAMP_OUTPUT } from '@/tools/confluence/types'
 import type { ToolConfig } from '@/tools/types'
 export interface ConfluenceDeleteLabelParams {
  accessToken: string
  domain: string
  pageId: string
  labelName: string
  cloudId?: string
 }
 export interface ConfluenceDeleteLabelResponse {
  success: boolean
  output: {
    ts: string
    pageId: string
    labelName: string
    deleted: boolean
  }
 }
 export const confluenceDeleteLabelTool: ToolConfig<
  ConfluenceDeleteLabelParams,
  ConfluenceDeleteLabelResponse
 > = {
  id: 'confluence_delete_label',
  name: 'Confluence Delete Label',
  description: 'Remove a label from a Confluence page.',
  version: '1.0.0',
  oauth: {
    required: true,
    provider: 'confluence',
  },
  params: {
    accessToken: {
      type: 'string',
      required: true,
      visibility: 'hidden',
      description: 'OAuth access token for Confluence',
    },
    domain: {
      type: 'string',
      required: true,
      visibility: 'user-only',
      description: 'Your Confluence domain (e.g., yourcompany.atlassian.net)',
    },
    pageId: {
      type: 'string',
      required: true,
      visibility: 'user-or-llm',
      description: 'Confluence page ID to remove the label from',
    },
    labelName: {
      type: 'string',
      required: true,
      visibility: 'user-or-llm',
      description: 'Name of the label to remove',
    },
    cloudId: {
      type: 'string',
      required: false,
      visibility: 'user-only',
      description:
        'Confluence Cloud ID for the instance. If not provided, it will be fetched using the domain.',
    },
  },
  request: {
    url: () => '/api/tools/confluence/labels',
    method: 'DELETE',
    headers: (params: ConfluenceDeleteLabelParams) => ({
      Accept: 'application/json',
      Authorization: `Bearer ${params.accessToken}`,
    }),
    body: (params: ConfluenceDeleteLabelParams) => ({
      domain: params.domain,
      accessToken: params.accessToken,
      pageId: params.pageId?.trim(),
      labelName: params.labelName?.trim(),
      cloudId: params.cloudId,
    }),
  },
  transformResponse: async (response: Response) => {
    const data = await response.json()
    return {
      success: true,
      output: {
        ts: new Date().toISOString(),
        pageId: data.pageId ?? '',
        labelName: data.labelName ?? '',
        deleted: true,
      },
    }
  },
  outputs: {
    ts: TIMESTAMP_OUTPUT,
    pageId: {
      type: 'string',
      description: 'Page ID the label was removed from',
    },
    labelName: {
      type: 'string',
      description: 'Name of the removed label',
    },
    deleted: {
      type: 'boolean',
      description: 'Deletion status',
    },
  },
 }
--- a/apps/sim/tools/confluence/delete_page_property.ts
+++ b/apps/sim/tools/confluence/delete_page_property.ts
@@ -0,0 +1,105 @@
 import { TIMESTAMP_OUTPUT } from '@/tools/confluence/types'
 import type { ToolConfig } from '@/tools/types'
 export interface ConfluenceDeletePagePropertyParams {
  accessToken: string
  domain: string
  pageId: string
  propertyId: string
  cloudId?: string
 }
 export interface ConfluenceDeletePagePropertyResponse {
  success: boolean
  output: {
    ts: string
    pageId: string
    propertyId: string
    deleted: boolean
  }
 }
 export const confluenceDeletePagePropertyTool: ToolConfig<
  ConfluenceDeletePagePropertyParams,
  ConfluenceDeletePagePropertyResponse
 > = {
  id: 'confluence_delete_page_property',
  name: 'Confluence Delete Page Property',
  description: 'Delete a content property from a Confluence page by its property ID.',
  version: '1.0.0',
  oauth: {
    required: true,
    provider: 'confluence',
  },
  params: {
    accessToken: {
      type: 'string',
      required: true,
      visibility: 'hidden',
      description: 'OAuth access token for Confluence',
    },
    domain: {
      type: 'string',
      required: true,
      visibility: 'user-only',
      description: 'Your Confluence domain (e.g., yourcompany.atlassian.net)',
    },
    pageId: {
      type: 'string',
      required: true,
      visibility: 'user-or-llm',
      description: 'The ID of the page containing the property',
    },
    propertyId: {
      type: 'string',
      required: true,
      visibility: 'user-or-llm',
      description: 'The ID of the property to delete',
    },
    cloudId: {
      type: 'string',
      required: false,
      visibility: 'user-only',
      description:
        'Confluence Cloud ID for the instance. If not provided, it will be fetched using the domain.',
    },
  },
  request: {
    url: () => '/api/tools/confluence/page-properties',
    method: 'DELETE',
    headers: (params: ConfluenceDeletePagePropertyParams) => ({
      Accept: 'application/json',
      Authorization: `Bearer ${params.accessToken}`,
    }),
    body: (params: ConfluenceDeletePagePropertyParams) => ({
      domain: params.domain,
      accessToken: params.accessToken,
      pageId: params.pageId?.trim(),
      propertyId: params.propertyId?.trim(),
      cloudId: params.cloudId,
    }),
  },
  transformResponse: async (response: Response) => {
    const data = await response.json()
    return {
      success: true,
      output: {
        ts: new Date().toISOString(),
        pageId: data.pageId ?? '',
        propertyId: data.propertyId ?? '',
        deleted: true,
      },
    }
  },
  outputs: {
    ts: TIMESTAMP_OUTPUT,
    pageId: { type: 'string', description: 'ID of the page' },
    propertyId: { type: 'string', description: 'ID of the deleted property' },
    deleted: { type: 'boolean', description: 'Deletion status' },
  },
 }
--- a/apps/sim/tools/confluence/get_pages_by_label.ts
+++ b/apps/sim/tools/confluence/get_pages_by_label.ts
@@ -0,0 +1,143 @@
 import { PAGE_ITEM_PROPERTIES, TIMESTAMP_OUTPUT } from '@/tools/confluence/types'
 import type { ToolConfig } from '@/tools/types'
 export interface ConfluenceGetPagesByLabelParams {
  accessToken: string
  domain: string
  labelId: string
  limit?: number
  cursor?: string
  cloudId?: string
 }
 export interface ConfluenceGetPagesByLabelResponse {
  success: boolean
  output: {
    ts: string
    labelId: string
    pages: Array<{
      id: string
      title: string
      status: string | null
      spaceId: string | null
      parentId: string | null
      authorId: string | null
      createdAt: string | null
      version: {
        number: number
        message?: string
        createdAt?: string
      } | null
    }>
    nextCursor: string | null
  }
 }
 export const confluenceGetPagesByLabelTool: ToolConfig<
  ConfluenceGetPagesByLabelParams,
  ConfluenceGetPagesByLabelResponse
 > = {
  id: 'confluence_get_pages_by_label',
  name: 'Confluence Get Pages by Label',
  description: 'Retrieve all pages that have a specific label applied.',
  version: '1.0.0',
  oauth: {
    required: true,
    provider: 'confluence',
  },
  params: {
    accessToken: {
      type: 'string',
      required: true,
      visibility: 'hidden',
      description: 'OAuth access token for Confluence',
    },
    domain: {
      type: 'string',
      required: true,
      visibility: 'user-only',
      description: 'Your Confluence domain (e.g., yourcompany.atlassian.net)',
    },
    labelId: {
      type: 'string',
      required: true,
      visibility: 'user-or-llm',
      description: 'The ID of the label to get pages for',
    },
    limit: {
      type: 'number',
      required: false,
      visibility: 'user-or-llm',
      description: 'Maximum number of pages to return (default: 50, max: 250)',
    },
    cursor: {
      type: 'string',
      required: false,
      visibility: 'user-or-llm',
      description: 'Pagination cursor from previous response',
    },
    cloudId: {
      type: 'string',
      required: false,
      visibility: 'user-only',
      description:
        'Confluence Cloud ID for the instance. If not provided, it will be fetched using the domain.',
    },
  },
  request: {
    url: (params: ConfluenceGetPagesByLabelParams) => {
      const query = new URLSearchParams({
        domain: params.domain,
        accessToken: params.accessToken,
        labelId: params.labelId,
        limit: String(params.limit || 50),
      })
      if (params.cursor) {
        query.set('cursor', params.cursor)
      }
      if (params.cloudId) {
        query.set('cloudId', params.cloudId)
      }
      return `/api/tools/confluence/pages-by-label?${query.toString()}`
    },
    method: 'GET',
    headers: (params: ConfluenceGetPagesByLabelParams) => ({
      Accept: 'application/json',
      Authorization: `Bearer ${params.accessToken}`,
    }),
  },
  transformResponse: async (response: Response) => {
    const data = await response.json()
    return {
      success: true,
      output: {
        ts: new Date().toISOString(),
        labelId: data.labelId ?? '',
        pages: data.pages ?? [],
        nextCursor: data.nextCursor ?? null,
      },
    }
  },
  outputs: {
    ts: TIMESTAMP_OUTPUT,
    labelId: { type: 'string', description: 'ID of the label' },
    pages: {
      type: 'array',
      description: 'Array of pages with this label',
      items: {
        type: 'object',
        properties: PAGE_ITEM_PROPERTIES,
      },
    },
    nextCursor: {
      type: 'string',
      description: 'Cursor for fetching the next page of results',
      optional: true,
    },
  },
 }
--- a/Show More
+++ b/Show More
Author	SHA1	Message	Date
Siddharth Ganesan	311c4d38f3	Fix	2026-02-12 12:18:05 -08:00
Siddharth Ganesan	e7abcd34df	Fix	2026-02-12 12:05:53 -08:00
Siddharth Ganesan	433552019e	Checkpoint	2026-02-12 11:51:34 -08:00
Siddharth Ganesan	f733b8dd88	Checkpoint	2026-02-12 11:14:33 -08:00
Siddharth Ganesan	76bd405293	Checkpoint	2026-02-12 10:22:52 -08:00
Siddharth Ganesan	c22bd2caaa	SSE interface	2026-02-11 18:22:26 -08:00
Siddharth Ganesan	462aa15341	Implement basic tooling for workflow.apply	2026-02-11 16:30:11 -08:00
Vikhyath Mondreti	52aff4d60b	fix build	2026-02-11 15:33:22 -08:00
Waleed	3a3bddd6f8	fix(confl): use recommended query param pattern for confluence route (#3202 ) * fix(confl): use recommended query param pattern for confluence route * use unused var	2026-02-11 14:59:26 -08:00
Waleed	639d50d6b9	feat(confluence): added list space labels, delete label, delete page prop (#3201 )	2026-02-11 14:40:31 -08:00
Waleed	cec74e09c2	fix(variables): fix tag dropdown and cursor alignment in variables block (#3199 )	2026-02-11 14:40:31 -08:00
Waleed	d5a756c9f2	fix(hotkeys): remove C, T, E tab-switching hotkeys (#3197 )	2026-02-11 13:24:00 -08:00
Waleed	f3e994baf0	improvement(oom): increase trigger machine size (#3196 )	2026-02-11 13:11:28 -08:00