v0.5.86: server side copilot, copilot mcp, error notifications, jira outputs destructuring, slack trigger improvements

* fix(subflows): tag dropdown + resolution logic (#2949)

* fix(subflows): tag dropdown + resolution logic

* fixes;

* revert parallel change

* chore(deps): bump posthog-js to 1.334.1 (#2948)

* fix(idempotency): add conflict target to atomicallyClaimDb query + remove redundant db namespace tracking (#2950)

* fix(idempotency): add conflict target to atomicallyClaimDb query

* delete needs to account for namespace

* simplify namespace filtering logic

* fix cleanup

* consistent target

* improvement(kb): add document filtering, select all, and React Query migration (#2951)

* improvement(kb): add document filtering, select all, and React Query migration

* test(kb): update tests for enabledFilter and removed userId params

* fix(kb): remove non-null assertion, add explicit guard

* improvement(logs): trace span, details (#2952)

* improvement(action-bar): ordering

* improvement(logs): details, trace span

* feat(blog): v0.5 release post (#2953)

* feat(blog): v0.5 post

* improvement(blog): simplify title and remove code block header

- Simplified blog title from Introducing Sim Studio v0.5 to Introducing Sim v0.5
- Removed language label header and copy button from code blocks for cleaner appearance

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>

* ack PR comments

* small styling improvements

* created system to create post-specific components

* updated componnet

* cache invalidation

---------

Co-authored-by: Claude Opus 4.5 <noreply@anthropic.com>

* feat(admin): add credits endpoint to issue credits to users (#2954)

* feat(admin): add credits endpoint to issue credits to users

* fix(admin): use existing credit functions and handle enterprise seats

* fix(admin): reject NaN and Infinity in amount validation

* styling

* fix(admin): validate userId and email are strings

* improvement(copilot): fast mode, subagent tool responses and allow preferences (#2955)

* Improvements

* Fix actions mapping

* Remove console logs

* fix(billing): handle missing userStats and prevent crashes (#2956)

* fix(billing): handle missing userStats and prevent crashes

* fix(billing): correct import path for getFilledPillColor

* fix(billing): add Number.isFinite check to lastPeriodCost

* fix(logs): refresh logic to refresh logs details (#2958)

* fix(security): add authentication and input validation to API routes (#2959)

* fix(security): add authentication and input validation to API routes

* moved utils

* remove extraneous commetns

* removed unused dep

* improvement(helm): add internal ingress support and same-host path consolidation (#2960)

* improvement(helm): add internal ingress support and same-host path consolidation

* improvement(helm): clean up ingress template comments

Simplify verbose inline Helm comments and section dividers to match the
minimal style used in services.yaml.

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>

* fix(helm): add missing copilot path consolidation for realtime host

When copilot.host equals realtime.host but differs from app.host,
copilot paths were not being routed. Added logic to consolidate
copilot paths into the realtime rule for this scenario.

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>

* improvement(helm): follow ingress best practices

- Remove orphan comments that appeared when services were disabled
- Add documentation about path ordering requirements
- Paths rendered in order: realtime, copilot, app (specific before catch-all)
- Clean template output matching industry Helm chart standards

---------

Co-authored-by: Claude Opus 4.5 <noreply@anthropic.com>

* feat(blog): enterprise post (#2961)

* feat(blog): enterprise post

* added more images, styling

* more content

* updated v0-5 post

* remove unused transition

---------

Co-authored-by: Vikhyath Mondreti <vikhyath@simstudio.ai>

* fix(envvars): resolution standardized (#2957)

* fix(envvars): resolution standardized

* remove comments

* address bugbot

* fix highlighting for env vars

* remove comments

* address greptile

* address bugbot

* fix(copilot): mask credentials fix (#2963)

* Fix copilot masking

* Clean up

* Lint

* improvement(webhooks): remove dead code (#2965)

* fix(webhooks): subscription recreation path

* improvement(webhooks): remove dead code

* fix tests

* address bugbot comments

* fix restoration edge case

* fix more edge cases

* address bugbot comments

* fix gmail polling

* add warnings for UI indication for credential sets

* fix(preview): subblock values (#2969)

* fix(child-workflow): nested spans handoff (#2966)

* fix(child-workflow): nested spans handoff

* remove overly defensive programming

* update type check

* type more code

* remove more dead code

* address bugbot comments

* fix(security): restrict API key access on internal-only routes (#2964)

* fix(security): restrict API key access on internal-only routes

* test(security): update function execute tests for checkInternalAuth

* updated agent handler

* move session check higher in checkSessionOrInternalAuth

* extracted duplicate code into helper for resolving user from jwt

* fix(copilot): update copilot chat title (#2968)

* fix(hitl): fix condition blocks after hitl (#2967)

* fix(notes): ghost edges (#2970)

* fix(notes): ghost edges

* fix deployed state fallback

* fallback

* remove UI level checks

* annotation missing from autoconnect source check

* improvement(docs): loop and parallel var reference syntax (#2975)

* fix(blog): slash actions description (#2976)

* improvement(docs): loop and parallel var reference syntax

* fix(blog): slash actions description

* fix(auth): copilot routes (#2977)

* Fix copilot auth

* Fix

* Fix

* Fix

* fix(copilot): fix edit summary for loops/parallels (#2978)

* fix(integrations): hide from tool bar (#2544)

* fix(landing): ui (#2979)

* fix(edge-validation): race condition on collaborative add (#2980)

* fix(variables): boolean type support and input improvements (#2981)

* fix(variables): boolean type support and input improvements

* fix formatting

---------

Co-authored-by: Vikhyath Mondreti <vikhyathvikku@gmail.com>
Co-authored-by: Emir Karabeg <78010029+emir-karabeg@users.noreply.github.com>
Co-authored-by: Claude Opus 4.5 <noreply@anthropic.com>
Co-authored-by: Siddharth Ganesan <33737564+Sg312@users.noreply.github.com>
Co-authored-by: Vikhyath Mondreti <vikhyath@simstudio.ai>

apps/sim/app/api/auth/accounts/route.ts

@@ -1,7 +1,7 @@
 import { db } from '@sim/db'
 import { account } from '@sim/db/schema'
 import { createLogger } from '@sim/logger'
-import { and, desc, eq } from 'drizzle-orm'
+import { and, eq } from 'drizzle-orm'
 import { type NextRequest, NextResponse } from 'next/server'
 import { getSession } from '@/lib/auth'
 
@@ -31,13 +31,15 @@ export async function GET(request: NextRequest) {
       })
       .from(account)
       .where(and(...whereConditions))
-      .orderBy(desc(account.updatedAt))
+
+    // Use the user's email as the display name (consistent with credential selector)
+    const userEmail = session.user.email
 
     const accountsWithDisplayName = accounts.map((acc) => ({
       id: acc.id,
       accountId: acc.accountId,
       providerId: acc.providerId,
-      displayName: acc.accountId || acc.providerId,
+      displayName: userEmail || acc.providerId,
     }))
 
     return NextResponse.json({ accounts: accountsWithDisplayName })

apps/sim/app/api/auth/oauth/credentials/route.ts

@@ -1,5 +1,5 @@
 import { db } from '@sim/db'
-import { account, credential, credentialMember, user } from '@sim/db/schema'
+import { account, user } from '@sim/db/schema'
 import { createLogger } from '@sim/logger'
 import { and, eq } from 'drizzle-orm'
 import { jwtDecode } from 'jwt-decode'
@@ -7,10 +7,8 @@ import { type NextRequest, NextResponse } from 'next/server'
 import { z } from 'zod'
 import { checkSessionOrInternalAuth } from '@/lib/auth/hybrid'
 import { generateRequestId } from '@/lib/core/utils/request'
-import { syncWorkspaceOAuthCredentialsForUser } from '@/lib/credentials/oauth'
 import { evaluateScopeCoverage, type OAuthProvider, parseProvider } from '@/lib/oauth'
 import { authorizeWorkflowByWorkspacePermission } from '@/lib/workflows/utils'
-import { checkWorkspaceAccess } from '@/lib/workspaces/permissions/utils'
 
 export const dynamic = 'force-dynamic'
 
@@ -20,7 +18,6 @@ const credentialsQuerySchema = z
   .object({
     provider: z.string().nullish(),
     workflowId: z.string().uuid('Workflow ID must be a valid UUID').nullish(),
-    workspaceId: z.string().uuid('Workspace ID must be a valid UUID').nullish(),
     credentialId: z
       .string()
       .min(1, 'Credential ID must not be empty')
@@ -38,79 +35,6 @@ interface GoogleIdToken {
   name?: string
 }
 
-function toCredentialResponse(
-  id: string,
-  displayName: string,
-  providerId: string,
-  updatedAt: Date,
-  scope: string | null
-) {
-  const storedScope = scope?.trim()
-  const grantedScopes = storedScope ? storedScope.split(/[\s,]+/).filter(Boolean) : []
-  const scopeEvaluation = evaluateScopeCoverage(providerId, grantedScopes)
-  const [_, featureType = 'default'] = providerId.split('-')
-
-  return {
-    id,
-    name: displayName,
-    provider: providerId,
-    lastUsed: updatedAt.toISOString(),
-    isDefault: featureType === 'default',
-    scopes: scopeEvaluation.grantedScopes,
-    canonicalScopes: scopeEvaluation.canonicalScopes,
-    missingScopes: scopeEvaluation.missingScopes,
-    extraScopes: scopeEvaluation.extraScopes,
-    requiresReauthorization: scopeEvaluation.requiresReauthorization,
-  }
-}
-
-async function getFallbackDisplayName(
-  requestId: string,
-  providerParam: string | null | undefined,
-  accountRow: {
-    idToken: string | null
-    accountId: string
-    userId: string
-  }
-) {
-  const providerForParse = (providerParam || 'google') as OAuthProvider
-  const { baseProvider } = parseProvider(providerForParse)
-
-  if (accountRow.idToken) {
-    try {
-      const decoded = jwtDecode<GoogleIdToken>(accountRow.idToken)
-      if (decoded.email) return decoded.email
-      if (decoded.name) return decoded.name
-    } catch (_error) {
-      logger.warn(`[${requestId}] Error decoding ID token`, {
-        accountId: accountRow.accountId,
-      })
-    }
-  }
-
-  if (baseProvider === 'github') {
-    return `${accountRow.accountId} (GitHub)`
-  }
-
-  try {
-    const userRecord = await db
-      .select({ email: user.email })
-      .from(user)
-      .where(eq(user.id, accountRow.userId))
-      .limit(1)
-
-    if (userRecord.length > 0) {
-      return userRecord[0].email
-    }
-  } catch (_error) {
-    logger.warn(`[${requestId}] Error fetching user email`, {
-      userId: accountRow.userId,
-    })
-  }
-
-  return `${accountRow.accountId} (${baseProvider})`
-}
-
 /**
  * Get credentials for a specific provider
  */
@@ -122,7 +46,6 @@ export async function GET(request: NextRequest) {
     const rawQuery = {
       provider: searchParams.get('provider'),
       workflowId: searchParams.get('workflowId'),
-      workspaceId: searchParams.get('workspaceId'),
       credentialId: searchParams.get('credentialId'),
     }
 
@@ -155,7 +78,7 @@ export async function GET(request: NextRequest) {
       )
     }
 
-    const { provider: providerParam, workflowId, workspaceId, credentialId } = parseResult.data
+    const { provider: providerParam, workflowId, credentialId } = parseResult.data
 
     // Authenticate requester (supports session and internal JWT)
     const authResult = await checkSessionOrInternalAuth(request)
@@ -165,7 +88,7 @@ export async function GET(request: NextRequest) {
     }
     const requesterUserId = authResult.userId
 
-    let effectiveWorkspaceId = workspaceId ?? undefined
+    const effectiveUserId = requesterUserId
     if (workflowId) {
       const workflowAuthorization = await authorizeWorkflowByWorkspacePermission({
         workflowId,
@@ -183,145 +106,101 @@ export async function GET(request: NextRequest) {
           { status: workflowAuthorization.status }
         )
       }
-      effectiveWorkspaceId = workflowAuthorization.workflow?.workspaceId || undefined
     }
 
-    if (effectiveWorkspaceId) {
-      const workspaceAccess = await checkWorkspaceAccess(effectiveWorkspaceId, requesterUserId)
-      if (!workspaceAccess.hasAccess) {
-        return NextResponse.json({ error: 'Forbidden' }, { status: 403 })
-      }
-    }
+    // Parse the provider to get base provider and feature type (if provider is present)
+    const { baseProvider } = parseProvider((providerParam || 'google') as OAuthProvider)
 
     let accountsData
 
-    if (credentialId) {
-      const [platformCredential] = await db
-        .select({
-          id: credential.id,
-          workspaceId: credential.workspaceId,
-          type: credential.type,
-          displayName: credential.displayName,
-          providerId: credential.providerId,
-          accountId: credential.accountId,
-          accountProviderId: account.providerId,
-          accountScope: account.scope,
-          accountUpdatedAt: account.updatedAt,
-        })
-        .from(credential)
-        .leftJoin(account, eq(credential.accountId, account.id))
-        .where(eq(credential.id, credentialId))
-        .limit(1)
-
-      if (platformCredential) {
-        if (platformCredential.type !== 'oauth' || !platformCredential.accountId) {
-          return NextResponse.json({ credentials: [] }, { status: 200 })
-        }
-
-        if (workflowId) {
-          if (!effectiveWorkspaceId || platformCredential.workspaceId !== effectiveWorkspaceId) {
-            return NextResponse.json({ error: 'Forbidden' }, { status: 403 })
-          }
-        } else {
-          const [membership] = await db
-            .select({ id: credentialMember.id })
-            .from(credentialMember)
-            .where(
-              and(
-                eq(credentialMember.credentialId, platformCredential.id),
-                eq(credentialMember.userId, requesterUserId),
-                eq(credentialMember.status, 'active')
-              )
-            )
-            .limit(1)
-
-          if (!membership) {
-            return NextResponse.json({ error: 'Forbidden' }, { status: 403 })
-          }
-        }
-
-        if (!platformCredential.accountProviderId || !platformCredential.accountUpdatedAt) {
-          return NextResponse.json({ credentials: [] }, { status: 200 })
-        }
-
-        return NextResponse.json(
-          {
-            credentials: [
-              toCredentialResponse(
-                platformCredential.id,
-                platformCredential.displayName,
-                platformCredential.accountProviderId,
-                platformCredential.accountUpdatedAt,
-                platformCredential.accountScope
-              ),
-            ],
-          },
-          { status: 200 }
-        )
-      }
-    }
-
-    if (effectiveWorkspaceId && providerParam) {
-      await syncWorkspaceOAuthCredentialsForUser({
-        workspaceId: effectiveWorkspaceId,
-        userId: requesterUserId,
-      })
-
-      const credentialsData = await db
-        .select({
-          id: credential.id,
-          displayName: credential.displayName,
-          providerId: account.providerId,
-          scope: account.scope,
-          updatedAt: account.updatedAt,
-        })
-        .from(credential)
-        .innerJoin(account, eq(credential.accountId, account.id))
-        .innerJoin(
-          credentialMember,
-          and(
-            eq(credentialMember.credentialId, credential.id),
-            eq(credentialMember.userId, requesterUserId),
-            eq(credentialMember.status, 'active')
-          )
-        )
-        .where(
-          and(
-            eq(credential.workspaceId, effectiveWorkspaceId),
-            eq(credential.type, 'oauth'),
-            eq(account.providerId, providerParam)
-          )
-        )
-
-      return NextResponse.json(
-        {
-          credentials: credentialsData.map((row) =>
-            toCredentialResponse(row.id, row.displayName, row.providerId, row.updatedAt, row.scope)
-          ),
-        },
-        { status: 200 }
-      )
-    }
-
     if (credentialId && workflowId) {
+      // When both workflowId and credentialId are provided, fetch by ID only.
+      // Workspace authorization above already proves access; the credential
+      // may belong to another workspace member (e.g. for display name resolution).
       accountsData = await db.select().from(account).where(eq(account.id, credentialId))
     } else if (credentialId) {
       accountsData = await db
         .select()
         .from(account)
-        .where(and(eq(account.userId, requesterUserId), eq(account.id, credentialId)))
+        .where(and(eq(account.userId, effectiveUserId), eq(account.id, credentialId)))
     } else {
+      // Fetch all credentials for provider and effective user
       accountsData = await db
         .select()
         .from(account)
-        .where(and(eq(account.userId, requesterUserId), eq(account.providerId, providerParam!)))
+        .where(and(eq(account.userId, effectiveUserId), eq(account.providerId, providerParam!)))
     }
 
     // Transform accounts into credentials
     const credentials = await Promise.all(
       accountsData.map(async (acc) => {
-        const displayName = await getFallbackDisplayName(requestId, providerParam, acc)
-        return toCredentialResponse(acc.id, displayName, acc.providerId, acc.updatedAt, acc.scope)
+        // Extract the feature type from providerId (e.g., 'google-default' -> 'default')
+        const [_, featureType = 'default'] = acc.providerId.split('-')
+
+        // Try multiple methods to get a user-friendly display name
+        let displayName = ''
+
+        // Method 1: Try to extract email from ID token (works for Google, etc.)
+        if (acc.idToken) {
+          try {
+            const decoded = jwtDecode<GoogleIdToken>(acc.idToken)
+            if (decoded.email) {
+              displayName = decoded.email
+            } else if (decoded.name) {
+              displayName = decoded.name
+            }
+          } catch (_error) {
+            logger.warn(`[${requestId}] Error decoding ID token`, {
+              accountId: acc.id,
+            })
+          }
+        }
+
+        // Method 2: For GitHub, the accountId might be the username
+        if (!displayName && baseProvider === 'github') {
+          displayName = `${acc.accountId} (GitHub)`
+        }
+
+        // Method 3: Try to get the user's email from our database
+        if (!displayName) {
+          try {
+            const userRecord = await db
+              .select({ email: user.email })
+              .from(user)
+              .where(eq(user.id, acc.userId))
+              .limit(1)
+
+            if (userRecord.length > 0) {
+              displayName = userRecord[0].email
+            }
+          } catch (_error) {
+            logger.warn(`[${requestId}] Error fetching user email`, {
+              userId: acc.userId,
+            })
+          }
+        }
+
+        // Fallback: Use accountId with provider type as context
+        if (!displayName) {
+          displayName = `${acc.accountId} (${baseProvider})`
+        }
+
+        const storedScope = acc.scope?.trim()
+        const grantedScopes = storedScope ? storedScope.split(/[\s,]+/).filter(Boolean) : []
+        const scopeEvaluation = evaluateScopeCoverage(acc.providerId, grantedScopes)
+
+        return {
+          id: acc.id,
+          name: displayName,
+          provider: acc.providerId,
+          lastUsed: acc.updatedAt.toISOString(),
+          isDefault: featureType === 'default',
+          scopes: scopeEvaluation.grantedScopes,
+          canonicalScopes: scopeEvaluation.canonicalScopes,
+          missingScopes: scopeEvaluation.missingScopes,
+          extraScopes: scopeEvaluation.extraScopes,
+          requiresReauthorization: scopeEvaluation.requiresReauthorization,
+        }
       })
     )
 

apps/sim/app/api/auth/oauth/disconnect/route.ts

@@ -15,7 +15,6 @@ const logger = createLogger('OAuthDisconnectAPI')
 const disconnectSchema = z.object({
   provider: z.string({ required_error: 'Provider is required' }).min(1, 'Provider is required'),
   providerId: z.string().optional(),
-  accountId: z.string().optional(),
 })
 
 /**
@@ -51,20 +50,15 @@ export async function POST(request: NextRequest) {
       )
     }
 
-    const { provider, providerId, accountId } = parseResult.data
+    const { provider, providerId } = parseResult.data
 
     logger.info(`[${requestId}] Processing OAuth disconnect request`, {
       provider,
       hasProviderId: !!providerId,
     })
 
-    // If a specific account row ID is provided, delete that exact account
-    if (accountId) {
-      await db
-        .delete(account)
-        .where(and(eq(account.userId, session.user.id), eq(account.id, accountId)))
-    } else if (providerId) {
-      // If a specific providerId is provided, delete accounts for that provider ID
+    // If a specific providerId is provided, delete only that account
+    if (providerId) {
       await db
         .delete(account)
         .where(and(eq(account.userId, session.user.id), eq(account.providerId, providerId)))

apps/sim/app/api/auth/oauth/microsoft/file/route.ts

@@ -38,18 +38,13 @@ export async function GET(request: NextRequest) {
       return NextResponse.json({ error: authz.error || 'Unauthorized' }, { status })
     }
 
-    const resolvedCredentialId = authz.resolvedCredentialId || credentialId
-    const credential = await getCredential(
-      requestId,
-      resolvedCredentialId,
-      authz.credentialOwnerUserId
-    )
+    const credential = await getCredential(requestId, credentialId, authz.credentialOwnerUserId)
     if (!credential) {
       return NextResponse.json({ error: 'Credential not found' }, { status: 404 })
     }
 
     const accessToken = await refreshAccessTokenIfNeeded(
-      resolvedCredentialId,
+      credentialId,
       authz.credentialOwnerUserId,
       requestId
     )

apps/sim/app/api/auth/oauth/microsoft/files/route.ts

@@ -37,19 +37,14 @@ export async function GET(request: NextRequest) {
       return NextResponse.json({ error: authz.error || 'Unauthorized' }, { status })
     }
 
-    const resolvedCredentialId = authz.resolvedCredentialId || credentialId
-    const credential = await getCredential(
-      requestId,
-      resolvedCredentialId,
-      authz.credentialOwnerUserId
-    )
+    const credential = await getCredential(requestId, credentialId, authz.credentialOwnerUserId)
     if (!credential) {
       return NextResponse.json({ error: 'Credential not found' }, { status: 404 })
     }
 
     // Refresh access token if needed using the utility function
     const accessToken = await refreshAccessTokenIfNeeded(
-      resolvedCredentialId,
+      credentialId,
       authz.credentialOwnerUserId,
       requestId
     )

apps/sim/app/api/auth/oauth/token/route.ts

@@ -119,23 +119,14 @@ export async function POST(request: NextRequest) {
       return NextResponse.json({ error: authz.error || 'Unauthorized' }, { status: 403 })
     }
 
-    const resolvedCredentialId = authz.resolvedCredentialId || credentialId
-    const credential = await getCredential(
-      requestId,
-      resolvedCredentialId,
-      authz.credentialOwnerUserId
-    )
+    const credential = await getCredential(requestId, credentialId, authz.credentialOwnerUserId)
 
     if (!credential) {
       return NextResponse.json({ error: 'Credential not found' }, { status: 404 })
     }
 
     try {
-      const { accessToken } = await refreshTokenIfNeeded(
-        requestId,
-        credential,
-        resolvedCredentialId
-      )
+      const { accessToken } = await refreshTokenIfNeeded(requestId, credential, credentialId)
 
       let instanceUrl: string | undefined
       if (credential.providerId === 'salesforce' && credential.scope) {
@@ -195,20 +186,13 @@ export async function GET(request: NextRequest) {
 
     const { credentialId } = parseResult.data
 
-    const authz = await authorizeCredentialUse(request, {
-      credentialId,
-      requireWorkflowIdForInternal: false,
-    })
-    if (!authz.ok || authz.authType !== 'session' || !authz.credentialOwnerUserId) {
-      return NextResponse.json({ error: authz.error || 'Unauthorized' }, { status: 403 })
+    // For GET requests, we only support session-based authentication
+    const auth = await checkSessionOrInternalAuth(request, { requireWorkflowId: false })
+    if (!auth.success || auth.authType !== 'session' || !auth.userId) {
+      return NextResponse.json({ error: 'User not authenticated' }, { status: 401 })
     }
 
-    const resolvedCredentialId = authz.resolvedCredentialId || credentialId
-    const credential = await getCredential(
-      requestId,
-      resolvedCredentialId,
-      authz.credentialOwnerUserId
-    )
+    const credential = await getCredential(requestId, credentialId, auth.userId)
 
     if (!credential) {
       return NextResponse.json({ error: 'Credential not found' }, { status: 404 })
@@ -220,11 +204,7 @@ export async function GET(request: NextRequest) {
     }
 
     try {
-      const { accessToken } = await refreshTokenIfNeeded(
-        requestId,
-        credential,
-        resolvedCredentialId
-      )
+      const { accessToken } = await refreshTokenIfNeeded(requestId, credential, credentialId)
 
       // For Salesforce, extract instanceUrl from the scope field
       let instanceUrl: string | undefined

apps/sim/app/api/auth/oauth/utils.test.ts

@@ -50,7 +50,7 @@ describe('OAuth Utils', () => {
   describe('getCredential', () => {
     it('should return credential when found', async () => {
       const mockCredential = { id: 'credential-id', userId: 'test-user-id' }
-      mockDbTyped.limit.mockReturnValueOnce([]).mockReturnValueOnce([mockCredential])
+      mockDbTyped.limit.mockReturnValueOnce([mockCredential])
 
       const credential = await getCredential('request-id', 'credential-id', 'test-user-id')
 
@@ -59,8 +59,7 @@ describe('OAuth Utils', () => {
       expect(mockDbTyped.where).toHaveBeenCalled()
       expect(mockDbTyped.limit).toHaveBeenCalledWith(1)
 
-      expect(credential).toMatchObject(mockCredential)
-      expect(credential).toMatchObject({ resolvedCredentialId: 'credential-id' })
+      expect(credential).toEqual(mockCredential)
     })
 
     it('should return undefined when credential is not found', async () => {
@@ -153,7 +152,7 @@ describe('OAuth Utils', () => {
         providerId: 'google',
         userId: 'test-user-id',
       }
-      mockDbTyped.limit.mockReturnValueOnce([]).mockReturnValueOnce([mockCredential])
+      mockDbTyped.limit.mockReturnValueOnce([mockCredential])
 
       const token = await refreshAccessTokenIfNeeded('credential-id', 'test-user-id', 'request-id')
 
@@ -170,7 +169,7 @@ describe('OAuth Utils', () => {
         providerId: 'google',
         userId: 'test-user-id',
       }
-      mockDbTyped.limit.mockReturnValueOnce([]).mockReturnValueOnce([mockCredential])
+      mockDbTyped.limit.mockReturnValueOnce([mockCredential])
 
       mockRefreshOAuthToken.mockResolvedValueOnce({
         accessToken: 'new-token',
@@ -203,7 +202,7 @@ describe('OAuth Utils', () => {
         providerId: 'google',
         userId: 'test-user-id',
       }
-      mockDbTyped.limit.mockReturnValueOnce([]).mockReturnValueOnce([mockCredential])
+      mockDbTyped.limit.mockReturnValueOnce([mockCredential])
 
       mockRefreshOAuthToken.mockResolvedValueOnce(null)
 

apps/sim/app/api/auth/oauth/utils.ts

@@ -1,5 +1,5 @@
 import { db } from '@sim/db'
-import { account, credential, credentialSetMember } from '@sim/db/schema'
+import { account, credentialSetMember } from '@sim/db/schema'
 import { createLogger } from '@sim/logger'
 import { and, desc, eq, inArray } from 'drizzle-orm'
 import { refreshOAuthToken } from '@/lib/oauth'
@@ -25,28 +25,6 @@ interface AccountInsertData {
   accessTokenExpiresAt?: Date
 }
 
-async function resolveOAuthAccountId(
-  credentialId: string
-): Promise<{ accountId: string; usedCredentialTable: boolean } | null> {
-  const [credentialRow] = await db
-    .select({
-      type: credential.type,
-      accountId: credential.accountId,
-    })
-    .from(credential)
-    .where(eq(credential.id, credentialId))
-    .limit(1)
-
-  if (credentialRow) {
-    if (credentialRow.type !== 'oauth' || !credentialRow.accountId) {
-      return null
-    }
-    return { accountId: credentialRow.accountId, usedCredentialTable: true }
-  }
-
-  return { accountId: credentialId, usedCredentialTable: false }
-}
-
 /**
  * Safely inserts an account record, handling duplicate constraint violations gracefully.
  * If a duplicate is detected (unique constraint violation), logs a warning and returns success.
@@ -74,16 +52,10 @@ export async function safeAccountInsert(
  * Get a credential by ID and verify it belongs to the user
  */
 export async function getCredential(requestId: string, credentialId: string, userId: string) {
-  const resolved = await resolveOAuthAccountId(credentialId)
-  if (!resolved) {
-    logger.warn(`[${requestId}] Credential is not an OAuth credential`)
-    return undefined
-  }
-
   const credentials = await db
     .select()
     .from(account)
-    .where(and(eq(account.id, resolved.accountId), eq(account.userId, userId)))
+    .where(and(eq(account.id, credentialId), eq(account.userId, userId)))
     .limit(1)
 
   if (!credentials.length) {
@@ -91,10 +63,7 @@ export async function getCredential(requestId: string, credentialId: string, use
     return undefined
   }
 
-  return {
-    ...credentials[0],
-    resolvedCredentialId: resolved.accountId,
-  }
+  return credentials[0]
 }
 
 export async function getOAuthToken(userId: string, providerId: string): Promise<string | null> {
@@ -269,9 +238,7 @@ export async function refreshAccessTokenIfNeeded(
       }
 
       // Update the token in the database
-      const resolvedCredentialId =
-        (credential as { resolvedCredentialId?: string }).resolvedCredentialId ?? credentialId
-      await db.update(account).set(updateData).where(eq(account.id, resolvedCredentialId))
+      await db.update(account).set(updateData).where(eq(account.id, credentialId))
 
       logger.info(`[${requestId}] Successfully refreshed access token for credential`)
       return refreshedToken.accessToken
@@ -307,8 +274,6 @@ export async function refreshTokenIfNeeded(
   credential: any,
   credentialId: string
 ): Promise<{ accessToken: string; refreshed: boolean }> {
-  const resolvedCredentialId = credential.resolvedCredentialId ?? credentialId
-
   // Decide if we should refresh: token missing OR expired
   const accessTokenExpiresAt = credential.accessTokenExpiresAt
   const refreshTokenExpiresAt = credential.refreshTokenExpiresAt
@@ -369,7 +334,7 @@ export async function refreshTokenIfNeeded(
       updateData.refreshTokenExpiresAt = getMicrosoftRefreshTokenExpiry()
     }
 
-    await db.update(account).set(updateData).where(eq(account.id, resolvedCredentialId))
+    await db.update(account).set(updateData).where(eq(account.id, credentialId))
 
     logger.info(`[${requestId}] Successfully refreshed access token`)
     return { accessToken: refreshedToken, refreshed: true }
@@ -378,7 +343,7 @@ export async function refreshTokenIfNeeded(
       `[${requestId}] Refresh attempt failed, checking if another concurrent request succeeded`
     )
 
-    const freshCredential = await getCredential(requestId, resolvedCredentialId, credential.userId)
+    const freshCredential = await getCredential(requestId, credentialId, credential.userId)
     if (freshCredential?.accessToken) {
       const freshExpiresAt = freshCredential.accessTokenExpiresAt
       const stillValid = !freshExpiresAt || freshExpiresAt > new Date()

apps/sim/app/api/auth/oauth2/shopify/store/route.ts

@@ -48,21 +48,16 @@ export async function GET(request: NextRequest) {
 
     const shopData = await shopResponse.json()
     const shopInfo = shopData.shop
-    const stableAccountId = shopInfo.id?.toString() || shopDomain
 
     const existing = await db.query.account.findFirst({
-      where: and(
-        eq(account.userId, session.user.id),
-        eq(account.providerId, 'shopify'),
-        eq(account.accountId, stableAccountId)
-      ),
+      where: and(eq(account.userId, session.user.id), eq(account.providerId, 'shopify')),
     })
 
     const now = new Date()
 
     const accountData = {
       accessToken: accessToken,
-      accountId: stableAccountId,
+      accountId: shopInfo.id?.toString() || shopDomain,
       scope: scope || '',
       updatedAt: now,
       idToken: shopDomain,

apps/sim/app/api/auth/trello/store/route.ts

@@ -52,11 +52,7 @@ export async function POST(request: NextRequest) {
     const trelloUser = await userResponse.json()
 
     const existing = await db.query.account.findFirst({
-      where: and(
-        eq(account.userId, session.user.id),
-        eq(account.providerId, 'trello'),
-        eq(account.accountId, trelloUser.id)
-      ),
+      where: and(eq(account.userId, session.user.id), eq(account.providerId, 'trello')),
     })
 
     const now = new Date()

apps/sim/app/api/credentials/[id]/members/route.ts

@@ -1,194 +0,0 @@
-import { db } from '@sim/db'
-import { credential, credentialMember, user } from '@sim/db/schema'
-import { createLogger } from '@sim/logger'
-import { and, eq } from 'drizzle-orm'
-import { type NextRequest, NextResponse } from 'next/server'
-import { z } from 'zod'
-import { getSession } from '@/lib/auth'
-
-const logger = createLogger('CredentialMembersAPI')
-
-interface RouteContext {
-  params: Promise<{ id: string }>
-}
-
-async function requireAdminMembership(credentialId: string, userId: string) {
-  const [membership] = await db
-    .select({ role: credentialMember.role, status: credentialMember.status })
-    .from(credentialMember)
-    .where(
-      and(eq(credentialMember.credentialId, credentialId), eq(credentialMember.userId, userId))
-    )
-    .limit(1)
-
-  if (!membership || membership.status !== 'active' || membership.role !== 'admin') {
-    return null
-  }
-  return membership
-}
-
-export async function GET(_request: NextRequest, context: RouteContext) {
-  try {
-    const session = await getSession()
-    if (!session?.user?.id) {
-      return NextResponse.json({ error: 'Unauthorized' }, { status: 401 })
-    }
-
-    const { id: credentialId } = await context.params
-
-    const [cred] = await db
-      .select({ id: credential.id })
-      .from(credential)
-      .where(eq(credential.id, credentialId))
-      .limit(1)
-
-    if (!cred) {
-      return NextResponse.json({ members: [] }, { status: 200 })
-    }
-
-    const members = await db
-      .select({
-        id: credentialMember.id,
-        userId: credentialMember.userId,
-        role: credentialMember.role,
-        status: credentialMember.status,
-        joinedAt: credentialMember.joinedAt,
-        userName: user.name,
-        userEmail: user.email,
-      })
-      .from(credentialMember)
-      .innerJoin(user, eq(credentialMember.userId, user.id))
-      .where(eq(credentialMember.credentialId, credentialId))
-
-    return NextResponse.json({ members })
-  } catch (error) {
-    logger.error('Failed to fetch credential members', { error })
-    return NextResponse.json({ error: 'Internal server error' }, { status: 500 })
-  }
-}
-
-const addMemberSchema = z.object({
-  userId: z.string().min(1),
-  role: z.enum(['admin', 'member']).default('member'),
-})
-
-export async function POST(request: NextRequest, context: RouteContext) {
-  try {
-    const session = await getSession()
-    if (!session?.user?.id) {
-      return NextResponse.json({ error: 'Unauthorized' }, { status: 401 })
-    }
-
-    const { id: credentialId } = await context.params
-
-    const admin = await requireAdminMembership(credentialId, session.user.id)
-    if (!admin) {
-      return NextResponse.json({ error: 'Admin access required' }, { status: 403 })
-    }
-
-    const body = await request.json()
-    const parsed = addMemberSchema.safeParse(body)
-    if (!parsed.success) {
-      return NextResponse.json({ error: 'Invalid request body' }, { status: 400 })
-    }
-
-    const { userId, role } = parsed.data
-    const now = new Date()
-
-    const [existing] = await db
-      .select({ id: credentialMember.id, status: credentialMember.status })
-      .from(credentialMember)
-      .where(
-        and(eq(credentialMember.credentialId, credentialId), eq(credentialMember.userId, userId))
-      )
-      .limit(1)
-
-    if (existing) {
-      await db
-        .update(credentialMember)
-        .set({ role, status: 'active', updatedAt: now })
-        .where(eq(credentialMember.id, existing.id))
-      return NextResponse.json({ success: true })
-    }
-
-    await db.insert(credentialMember).values({
-      id: crypto.randomUUID(),
-      credentialId,
-      userId,
-      role,
-      status: 'active',
-      joinedAt: now,
-      invitedBy: session.user.id,
-      createdAt: now,
-      updatedAt: now,
-    })
-
-    return NextResponse.json({ success: true }, { status: 201 })
-  } catch (error) {
-    logger.error('Failed to add credential member', { error })
-    return NextResponse.json({ error: 'Internal server error' }, { status: 500 })
-  }
-}
-
-export async function DELETE(request: NextRequest, context: RouteContext) {
-  try {
-    const session = await getSession()
-    if (!session?.user?.id) {
-      return NextResponse.json({ error: 'Unauthorized' }, { status: 401 })
-    }
-
-    const { id: credentialId } = await context.params
-    const targetUserId = new URL(request.url).searchParams.get('userId')
-    if (!targetUserId) {
-      return NextResponse.json({ error: 'userId query parameter required' }, { status: 400 })
-    }
-
-    const admin = await requireAdminMembership(credentialId, session.user.id)
-    if (!admin) {
-      return NextResponse.json({ error: 'Admin access required' }, { status: 403 })
-    }
-
-    const [target] = await db
-      .select({
-        id: credentialMember.id,
-        role: credentialMember.role,
-        status: credentialMember.status,
-      })
-      .from(credentialMember)
-      .where(
-        and(
-          eq(credentialMember.credentialId, credentialId),
-          eq(credentialMember.userId, targetUserId)
-        )
-      )
-      .limit(1)
-
-    if (!target) {
-      return NextResponse.json({ error: 'Member not found' }, { status: 404 })
-    }
-
-    if (target.role === 'admin') {
-      const activeAdmins = await db
-        .select({ id: credentialMember.id })
-        .from(credentialMember)
-        .where(
-          and(
-            eq(credentialMember.credentialId, credentialId),
-            eq(credentialMember.role, 'admin'),
-            eq(credentialMember.status, 'active')
-          )
-        )
-
-      if (activeAdmins.length <= 1) {
-        return NextResponse.json({ error: 'Cannot remove the last admin' }, { status: 400 })
-      }
-    }
-
-    await db.delete(credentialMember).where(eq(credentialMember.id, target.id))
-
-    return NextResponse.json({ success: true })
-  } catch (error) {
-    logger.error('Failed to remove credential member', { error })
-    return NextResponse.json({ error: 'Internal server error' }, { status: 500 })
-  }
-}

apps/sim/app/api/credentials/[id]/route.ts

@@ -1,234 +0,0 @@
-import { db } from '@sim/db'
-import { credential, credentialMember, environment, workspaceEnvironment } from '@sim/db/schema'
-import { createLogger } from '@sim/logger'
-import { and, eq } from 'drizzle-orm'
-import { type NextRequest, NextResponse } from 'next/server'
-import { z } from 'zod'
-import { getSession } from '@/lib/auth'
-import { getCredentialActorContext } from '@/lib/credentials/access'
-import {
-  syncPersonalEnvCredentialsForUser,
-  syncWorkspaceEnvCredentials,
-} from '@/lib/credentials/environment'
-
-const logger = createLogger('CredentialByIdAPI')
-
-const updateCredentialSchema = z
-  .object({
-    displayName: z.string().trim().min(1).max(255).optional(),
-    accountId: z.string().trim().min(1).optional(),
-  })
-  .strict()
-  .refine((data) => Boolean(data.displayName || data.accountId), {
-    message: 'At least one field must be provided',
-    path: ['displayName'],
-  })
-
-async function getCredentialResponse(credentialId: string, userId: string) {
-  const [row] = await db
-    .select({
-      id: credential.id,
-      workspaceId: credential.workspaceId,
-      type: credential.type,
-      displayName: credential.displayName,
-      providerId: credential.providerId,
-      accountId: credential.accountId,
-      envKey: credential.envKey,
-      envOwnerUserId: credential.envOwnerUserId,
-      createdBy: credential.createdBy,
-      createdAt: credential.createdAt,
-      updatedAt: credential.updatedAt,
-      role: credentialMember.role,
-      status: credentialMember.status,
-    })
-    .from(credential)
-    .innerJoin(
-      credentialMember,
-      and(eq(credentialMember.credentialId, credential.id), eq(credentialMember.userId, userId))
-    )
-    .where(eq(credential.id, credentialId))
-    .limit(1)
-
-  return row ?? null
-}
-
-export async function GET(request: NextRequest, { params }: { params: Promise<{ id: string }> }) {
-  const session = await getSession()
-  if (!session?.user?.id) {
-    return NextResponse.json({ error: 'Unauthorized' }, { status: 401 })
-  }
-
-  const { id } = await params
-
-  try {
-    const access = await getCredentialActorContext(id, session.user.id)
-    if (!access.credential) {
-      return NextResponse.json({ error: 'Credential not found' }, { status: 404 })
-    }
-    if (!access.hasWorkspaceAccess || !access.member) {
-      return NextResponse.json({ error: 'Forbidden' }, { status: 403 })
-    }
-
-    const row = await getCredentialResponse(id, session.user.id)
-    return NextResponse.json({ credential: row }, { status: 200 })
-  } catch (error) {
-    logger.error('Failed to fetch credential', error)
-    return NextResponse.json({ error: 'Internal server error' }, { status: 500 })
-  }
-}
-
-export async function PUT(request: NextRequest, { params }: { params: Promise<{ id: string }> }) {
-  const session = await getSession()
-  if (!session?.user?.id) {
-    return NextResponse.json({ error: 'Unauthorized' }, { status: 401 })
-  }
-
-  const { id } = await params
-
-  try {
-    const parseResult = updateCredentialSchema.safeParse(await request.json())
-    if (!parseResult.success) {
-      return NextResponse.json({ error: parseResult.error.errors[0]?.message }, { status: 400 })
-    }
-
-    const access = await getCredentialActorContext(id, session.user.id)
-    if (!access.credential) {
-      return NextResponse.json({ error: 'Credential not found' }, { status: 404 })
-    }
-    if (!access.hasWorkspaceAccess || !access.isAdmin) {
-      return NextResponse.json({ error: 'Credential admin permission required' }, { status: 403 })
-    }
-
-    if (access.credential.type === 'oauth') {
-      return NextResponse.json(
-        {
-          error:
-            'OAuth credential editing is disabled. Connect an account and create or use its linked credential.',
-        },
-        { status: 400 }
-      )
-    }
-
-    return NextResponse.json(
-      {
-        error:
-          'Environment credentials cannot be updated via this endpoint. Use the environment value editor in credentials settings.',
-      },
-      { status: 400 }
-    )
-  } catch (error) {
-    logger.error('Failed to update credential', error)
-    return NextResponse.json({ error: 'Internal server error' }, { status: 500 })
-  }
-}
-
-export async function DELETE(
-  request: NextRequest,
-  { params }: { params: Promise<{ id: string }> }
-) {
-  const session = await getSession()
-  if (!session?.user?.id) {
-    return NextResponse.json({ error: 'Unauthorized' }, { status: 401 })
-  }
-
-  const { id } = await params
-
-  try {
-    const access = await getCredentialActorContext(id, session.user.id)
-    if (!access.credential) {
-      return NextResponse.json({ error: 'Credential not found' }, { status: 404 })
-    }
-    if (!access.hasWorkspaceAccess || !access.isAdmin) {
-      return NextResponse.json({ error: 'Credential admin permission required' }, { status: 403 })
-    }
-
-    if (access.credential.type === 'env_personal' && access.credential.envKey) {
-      const ownerUserId = access.credential.envOwnerUserId
-      if (!ownerUserId) {
-        return NextResponse.json({ error: 'Invalid personal secret owner' }, { status: 400 })
-      }
-
-      const [personalRow] = await db
-        .select({ variables: environment.variables })
-        .from(environment)
-        .where(eq(environment.userId, ownerUserId))
-        .limit(1)
-
-      const current = ((personalRow?.variables as Record<string, string> | null) ?? {}) as Record<
-        string,
-        string
-      >
-      if (access.credential.envKey in current) {
-        delete current[access.credential.envKey]
-      }
-
-      await db
-        .insert(environment)
-        .values({
-          id: ownerUserId,
-          userId: ownerUserId,
-          variables: current,
-          updatedAt: new Date(),
-        })
-        .onConflictDoUpdate({
-          target: [environment.userId],
-          set: { variables: current, updatedAt: new Date() },
-        })
-
-      await syncPersonalEnvCredentialsForUser({
-        userId: ownerUserId,
-        envKeys: Object.keys(current),
-      })
-
-      return NextResponse.json({ success: true }, { status: 200 })
-    }
-
-    if (access.credential.type === 'env_workspace' && access.credential.envKey) {
-      const [workspaceRow] = await db
-        .select({
-          id: workspaceEnvironment.id,
-          createdAt: workspaceEnvironment.createdAt,
-          variables: workspaceEnvironment.variables,
-        })
-        .from(workspaceEnvironment)
-        .where(eq(workspaceEnvironment.workspaceId, access.credential.workspaceId))
-        .limit(1)
-
-      const current = ((workspaceRow?.variables as Record<string, string> | null) ?? {}) as Record<
-        string,
-        string
-      >
-      if (access.credential.envKey in current) {
-        delete current[access.credential.envKey]
-      }
-
-      await db
-        .insert(workspaceEnvironment)
-        .values({
-          id: workspaceRow?.id || crypto.randomUUID(),
-          workspaceId: access.credential.workspaceId,
-          variables: current,
-          createdAt: workspaceRow?.createdAt || new Date(),
-          updatedAt: new Date(),
-        })
-        .onConflictDoUpdate({
-          target: [workspaceEnvironment.workspaceId],
-          set: { variables: current, updatedAt: new Date() },
-        })
-
-      await syncWorkspaceEnvCredentials({
-        workspaceId: access.credential.workspaceId,
-        envKeys: Object.keys(current),
-        actingUserId: session.user.id,
-      })
-
-      return NextResponse.json({ success: true }, { status: 200 })
-    }
-
-    await db.delete(credential).where(eq(credential.id, id))
-    return NextResponse.json({ success: true }, { status: 200 })
-  } catch (error) {
-    logger.error('Failed to delete credential', error)
-    return NextResponse.json({ error: 'Internal server error' }, { status: 500 })
-  }
-}

apps/sim/app/api/credentials/bootstrap/route.ts

@@ -1,81 +0,0 @@
-import { db } from '@sim/db'
-import { environment, workspaceEnvironment } from '@sim/db/schema'
-import { createLogger } from '@sim/logger'
-import { eq } from 'drizzle-orm'
-import { type NextRequest, NextResponse } from 'next/server'
-import { z } from 'zod'
-import { getSession } from '@/lib/auth'
-import {
-  syncPersonalEnvCredentialsForUser,
-  syncWorkspaceEnvCredentials,
-} from '@/lib/credentials/environment'
-import { syncWorkspaceOAuthCredentialsForUser } from '@/lib/credentials/oauth'
-import { checkWorkspaceAccess } from '@/lib/workspaces/permissions/utils'
-
-const logger = createLogger('CredentialsBootstrapAPI')
-
-const bootstrapSchema = z.object({
-  workspaceId: z.string().uuid('Workspace ID must be a valid UUID'),
-})
-
-/**
- * Ensures the current user's connected accounts and env vars are reflected as workspace credentials.
- */
-export async function POST(request: NextRequest) {
-  const session = await getSession()
-  if (!session?.user?.id) {
-    return NextResponse.json({ error: 'Unauthorized' }, { status: 401 })
-  }
-
-  try {
-    const parseResult = bootstrapSchema.safeParse(await request.json())
-    if (!parseResult.success) {
-      return NextResponse.json({ error: parseResult.error.errors[0]?.message }, { status: 400 })
-    }
-
-    const { workspaceId } = parseResult.data
-    const workspaceAccess = await checkWorkspaceAccess(workspaceId, session.user.id)
-    if (!workspaceAccess.hasAccess) {
-      return NextResponse.json({ error: 'Forbidden' }, { status: 403 })
-    }
-
-    const [personalRow, workspaceRow] = await Promise.all([
-      db
-        .select({ variables: environment.variables })
-        .from(environment)
-        .where(eq(environment.userId, session.user.id))
-        .limit(1),
-      db
-        .select({ variables: workspaceEnvironment.variables })
-        .from(workspaceEnvironment)
-        .where(eq(workspaceEnvironment.workspaceId, workspaceId))
-        .limit(1),
-    ])
-
-    const personalKeys = Object.keys((personalRow[0]?.variables as Record<string, string>) || {})
-    const workspaceKeys = Object.keys((workspaceRow[0]?.variables as Record<string, string>) || {})
-
-    const [oauthSyncResult] = await Promise.all([
-      syncWorkspaceOAuthCredentialsForUser({ workspaceId, userId: session.user.id }),
-      syncPersonalEnvCredentialsForUser({ userId: session.user.id, envKeys: personalKeys }),
-      syncWorkspaceEnvCredentials({
-        workspaceId,
-        envKeys: workspaceKeys,
-        actingUserId: session.user.id,
-      }),
-    ])
-
-    return NextResponse.json({
-      success: true,
-      synced: {
-        oauthCreated: oauthSyncResult.createdCredentials,
-        oauthMembershipsUpdated: oauthSyncResult.updatedMemberships,
-        personalEnvKeys: personalKeys.length,
-        workspaceEnvKeys: workspaceKeys.length,
-      },
-    })
-  } catch (error) {
-    logger.error('Failed to bootstrap workspace credentials', error)
-    return NextResponse.json({ error: 'Internal server error' }, { status: 500 })
-  }
-}

apps/sim/app/api/credentials/draft/route.ts

@@ -1,73 +0,0 @@
-import { db } from '@sim/db'
-import { pendingCredentialDraft } from '@sim/db/schema'
-import { createLogger } from '@sim/logger'
-import { and, eq, lt } from 'drizzle-orm'
-import { NextResponse } from 'next/server'
-import { z } from 'zod'
-import { getSession } from '@/lib/auth'
-
-const logger = createLogger('CredentialDraftAPI')
-
-const DRAFT_TTL_MS = 15 * 60 * 1000
-
-const createDraftSchema = z.object({
-  workspaceId: z.string().min(1),
-  providerId: z.string().min(1),
-  displayName: z.string().min(1),
-})
-
-export async function POST(request: Request) {
-  try {
-    const session = await getSession()
-    if (!session?.user?.id) {
-      return NextResponse.json({ error: 'Unauthorized' }, { status: 401 })
-    }
-
-    const body = await request.json()
-    const parsed = createDraftSchema.safeParse(body)
-    if (!parsed.success) {
-      return NextResponse.json({ error: 'Invalid request body' }, { status: 400 })
-    }
-
-    const { workspaceId, providerId, displayName } = parsed.data
-    const userId = session.user.id
-    const now = new Date()
-
-    await db
-      .delete(pendingCredentialDraft)
-      .where(
-        and(eq(pendingCredentialDraft.userId, userId), lt(pendingCredentialDraft.expiresAt, now))
-      )
-
-    await db
-      .insert(pendingCredentialDraft)
-      .values({
-        id: crypto.randomUUID(),
-        userId,
-        workspaceId,
-        providerId,
-        displayName,
-        expiresAt: new Date(now.getTime() + DRAFT_TTL_MS),
-        createdAt: now,
-      })
-      .onConflictDoUpdate({
-        target: [
-          pendingCredentialDraft.userId,
-          pendingCredentialDraft.providerId,
-          pendingCredentialDraft.workspaceId,
-        ],
-        set: {
-          displayName,
-          expiresAt: new Date(now.getTime() + DRAFT_TTL_MS),
-          createdAt: now,
-        },
-      })
-
-    logger.info('Credential draft saved', { userId, workspaceId, providerId, displayName })
-
-    return NextResponse.json({ success: true }, { status: 200 })
-  } catch (error) {
-    logger.error('Failed to save credential draft', { error })
-    return NextResponse.json({ error: 'Internal server error' }, { status: 500 })
-  }
-}

apps/sim/app/api/credentials/memberships/route.ts

@@ -1,112 +0,0 @@
-import { db } from '@sim/db'
-import { credential, credentialMember } from '@sim/db/schema'
-import { createLogger } from '@sim/logger'
-import { and, eq } from 'drizzle-orm'
-import { type NextRequest, NextResponse } from 'next/server'
-import { z } from 'zod'
-import { getSession } from '@/lib/auth'
-
-const logger = createLogger('CredentialMembershipsAPI')
-
-const leaveCredentialSchema = z.object({
-  credentialId: z.string().min(1),
-})
-
-export async function GET() {
-  const session = await getSession()
-  if (!session?.user?.id) {
-    return NextResponse.json({ error: 'Unauthorized' }, { status: 401 })
-  }
-
-  try {
-    const memberships = await db
-      .select({
-        membershipId: credentialMember.id,
-        credentialId: credential.id,
-        workspaceId: credential.workspaceId,
-        type: credential.type,
-        displayName: credential.displayName,
-        providerId: credential.providerId,
-        role: credentialMember.role,
-        status: credentialMember.status,
-        joinedAt: credentialMember.joinedAt,
-      })
-      .from(credentialMember)
-      .innerJoin(credential, eq(credentialMember.credentialId, credential.id))
-      .where(eq(credentialMember.userId, session.user.id))
-
-    return NextResponse.json({ memberships }, { status: 200 })
-  } catch (error) {
-    logger.error('Failed to list credential memberships', error)
-    return NextResponse.json({ error: 'Internal server error' }, { status: 500 })
-  }
-}
-
-export async function DELETE(request: NextRequest) {
-  const session = await getSession()
-  if (!session?.user?.id) {
-    return NextResponse.json({ error: 'Unauthorized' }, { status: 401 })
-  }
-
-  try {
-    const parseResult = leaveCredentialSchema.safeParse({
-      credentialId: new URL(request.url).searchParams.get('credentialId'),
-    })
-    if (!parseResult.success) {
-      return NextResponse.json({ error: parseResult.error.errors[0]?.message }, { status: 400 })
-    }
-
-    const { credentialId } = parseResult.data
-    const [membership] = await db
-      .select()
-      .from(credentialMember)
-      .where(
-        and(
-          eq(credentialMember.credentialId, credentialId),
-          eq(credentialMember.userId, session.user.id)
-        )
-      )
-      .limit(1)
-
-    if (!membership) {
-      return NextResponse.json({ error: 'Membership not found' }, { status: 404 })
-    }
-
-    if (membership.status !== 'active') {
-      return NextResponse.json({ success: true }, { status: 200 })
-    }
-
-    if (membership.role === 'admin') {
-      const activeAdmins = await db
-        .select({ id: credentialMember.id })
-        .from(credentialMember)
-        .where(
-          and(
-            eq(credentialMember.credentialId, credentialId),
-            eq(credentialMember.role, 'admin'),
-            eq(credentialMember.status, 'active')
-          )
-        )
-
-      if (activeAdmins.length <= 1) {
-        return NextResponse.json(
-          { error: 'Cannot leave credential as the last active admin' },
-          { status: 400 }
-        )
-      }
-    }
-
-    await db
-      .update(credentialMember)
-      .set({
-        status: 'revoked',
-        updatedAt: new Date(),
-      })
-      .where(eq(credentialMember.id, membership.id))
-
-    return NextResponse.json({ success: true }, { status: 200 })
-  } catch (error) {
-    logger.error('Failed to leave credential', error)
-    return NextResponse.json({ error: 'Internal server error' }, { status: 500 })
-  }
-}

apps/sim/app/api/credentials/route.ts

@@ -1,468 +0,0 @@
-import { db } from '@sim/db'
-import { account, credential, credentialMember, workspace } from '@sim/db/schema'
-import { createLogger } from '@sim/logger'
-import { and, eq } from 'drizzle-orm'
-import { type NextRequest, NextResponse } from 'next/server'
-import { z } from 'zod'
-import { getSession } from '@/lib/auth'
-import { generateRequestId } from '@/lib/core/utils/request'
-import { getWorkspaceMemberUserIds } from '@/lib/credentials/environment'
-import { syncWorkspaceOAuthCredentialsForUser } from '@/lib/credentials/oauth'
-import { getServiceConfigByProviderId } from '@/lib/oauth'
-import { checkWorkspaceAccess } from '@/lib/workspaces/permissions/utils'
-import { isValidEnvVarName } from '@/executor/constants'
-
-const logger = createLogger('CredentialsAPI')
-
-const credentialTypeSchema = z.enum(['oauth', 'env_workspace', 'env_personal'])
-
-function normalizeEnvKeyInput(raw: string): string {
-  const trimmed = raw.trim()
-  const wrappedMatch = /^\{\{\s*([A-Za-z0-9_]+)\s*\}\}$/.exec(trimmed)
-  return wrappedMatch ? wrappedMatch[1] : trimmed
-}
-
-const listCredentialsSchema = z.object({
-  workspaceId: z.string().uuid('Workspace ID must be a valid UUID'),
-  type: credentialTypeSchema.optional(),
-  providerId: z.string().optional(),
-})
-
-const createCredentialSchema = z
-  .object({
-    workspaceId: z.string().uuid('Workspace ID must be a valid UUID'),
-    type: credentialTypeSchema,
-    displayName: z.string().trim().min(1).max(255).optional(),
-    providerId: z.string().trim().min(1).optional(),
-    accountId: z.string().trim().min(1).optional(),
-    envKey: z.string().trim().min(1).optional(),
-    envOwnerUserId: z.string().trim().min(1).optional(),
-  })
-  .superRefine((data, ctx) => {
-    if (data.type === 'oauth') {
-      if (!data.accountId) {
-        ctx.addIssue({
-          code: z.ZodIssueCode.custom,
-          message: 'accountId is required for oauth credentials',
-          path: ['accountId'],
-        })
-      }
-      if (!data.providerId) {
-        ctx.addIssue({
-          code: z.ZodIssueCode.custom,
-          message: 'providerId is required for oauth credentials',
-          path: ['providerId'],
-        })
-      }
-      if (!data.displayName) {
-        ctx.addIssue({
-          code: z.ZodIssueCode.custom,
-          message: 'displayName is required for oauth credentials',
-          path: ['displayName'],
-        })
-      }
-      return
-    }
-
-    const normalizedEnvKey = data.envKey ? normalizeEnvKeyInput(data.envKey) : ''
-    if (!normalizedEnvKey) {
-      ctx.addIssue({
-        code: z.ZodIssueCode.custom,
-        message: 'envKey is required for env credentials',
-        path: ['envKey'],
-      })
-      return
-    }
-
-    if (!isValidEnvVarName(normalizedEnvKey)) {
-      ctx.addIssue({
-        code: z.ZodIssueCode.custom,
-        message: 'envKey must contain only letters, numbers, and underscores',
-        path: ['envKey'],
-      })
-    }
-  })
-
-interface ExistingCredentialSourceParams {
-  workspaceId: string
-  type: 'oauth' | 'env_workspace' | 'env_personal'
-  accountId?: string | null
-  envKey?: string | null
-  envOwnerUserId?: string | null
-}
-
-async function findExistingCredentialBySource(params: ExistingCredentialSourceParams) {
-  const { workspaceId, type, accountId, envKey, envOwnerUserId } = params
-
-  if (type === 'oauth' && accountId) {
-    const [row] = await db
-      .select()
-      .from(credential)
-      .where(
-        and(
-          eq(credential.workspaceId, workspaceId),
-          eq(credential.type, 'oauth'),
-          eq(credential.accountId, accountId)
-        )
-      )
-      .limit(1)
-    return row ?? null
-  }
-
-  if (type === 'env_workspace' && envKey) {
-    const [row] = await db
-      .select()
-      .from(credential)
-      .where(
-        and(
-          eq(credential.workspaceId, workspaceId),
-          eq(credential.type, 'env_workspace'),
-          eq(credential.envKey, envKey)
-        )
-      )
-      .limit(1)
-    return row ?? null
-  }
-
-  if (type === 'env_personal' && envKey && envOwnerUserId) {
-    const [row] = await db
-      .select()
-      .from(credential)
-      .where(
-        and(
-          eq(credential.workspaceId, workspaceId),
-          eq(credential.type, 'env_personal'),
-          eq(credential.envKey, envKey),
-          eq(credential.envOwnerUserId, envOwnerUserId)
-        )
-      )
-      .limit(1)
-    return row ?? null
-  }
-
-  return null
-}
-
-export async function GET(request: NextRequest) {
-  const requestId = generateRequestId()
-  const session = await getSession()
-
-  if (!session?.user?.id) {
-    return NextResponse.json({ error: 'Unauthorized' }, { status: 401 })
-  }
-
-  try {
-    const { searchParams } = new URL(request.url)
-    const rawWorkspaceId = searchParams.get('workspaceId')
-    const rawType = searchParams.get('type')
-    const rawProviderId = searchParams.get('providerId')
-    const parseResult = listCredentialsSchema.safeParse({
-      workspaceId: rawWorkspaceId?.trim(),
-      type: rawType?.trim() || undefined,
-      providerId: rawProviderId?.trim() || undefined,
-    })
-
-    if (!parseResult.success) {
-      logger.warn(`[${requestId}] Invalid credential list request`, {
-        workspaceId: rawWorkspaceId,
-        type: rawType,
-        providerId: rawProviderId,
-        errors: parseResult.error.errors,
-      })
-      return NextResponse.json({ error: parseResult.error.errors[0]?.message }, { status: 400 })
-    }
-
-    const { workspaceId, type, providerId } = parseResult.data
-    const workspaceAccess = await checkWorkspaceAccess(workspaceId, session.user.id)
-
-    if (!workspaceAccess.hasAccess) {
-      return NextResponse.json({ error: 'Forbidden' }, { status: 403 })
-    }
-
-    if (!type || type === 'oauth') {
-      await syncWorkspaceOAuthCredentialsForUser({ workspaceId, userId: session.user.id })
-    }
-
-    const whereClauses = [
-      eq(credential.workspaceId, workspaceId),
-      eq(credentialMember.userId, session.user.id),
-      eq(credentialMember.status, 'active'),
-    ]
-
-    if (type) {
-      whereClauses.push(eq(credential.type, type))
-    }
-    if (providerId) {
-      whereClauses.push(eq(credential.providerId, providerId))
-    }
-
-    const credentials = await db
-      .select({
-        id: credential.id,
-        workspaceId: credential.workspaceId,
-        type: credential.type,
-        displayName: credential.displayName,
-        providerId: credential.providerId,
-        accountId: credential.accountId,
-        envKey: credential.envKey,
-        envOwnerUserId: credential.envOwnerUserId,
-        createdBy: credential.createdBy,
-        createdAt: credential.createdAt,
-        updatedAt: credential.updatedAt,
-        role: credentialMember.role,
-      })
-      .from(credential)
-      .innerJoin(
-        credentialMember,
-        and(
-          eq(credentialMember.credentialId, credential.id),
-          eq(credentialMember.userId, session.user.id),
-          eq(credentialMember.status, 'active')
-        )
-      )
-      .where(and(...whereClauses))
-
-    return NextResponse.json({ credentials })
-  } catch (error) {
-    logger.error(`[${requestId}] Failed to list credentials`, error)
-    return NextResponse.json({ error: 'Internal server error' }, { status: 500 })
-  }
-}
-
-export async function POST(request: NextRequest) {
-  const requestId = generateRequestId()
-  const session = await getSession()
-
-  if (!session?.user?.id) {
-    return NextResponse.json({ error: 'Unauthorized' }, { status: 401 })
-  }
-
-  try {
-    const body = await request.json()
-    const parseResult = createCredentialSchema.safeParse(body)
-
-    if (!parseResult.success) {
-      return NextResponse.json({ error: parseResult.error.errors[0]?.message }, { status: 400 })
-    }
-
-    const { workspaceId, type, displayName, providerId, accountId, envKey, envOwnerUserId } =
-      parseResult.data
-
-    const workspaceAccess = await checkWorkspaceAccess(workspaceId, session.user.id)
-    if (!workspaceAccess.canWrite) {
-      return NextResponse.json({ error: 'Write permission required' }, { status: 403 })
-    }
-
-    let resolvedDisplayName = displayName?.trim() ?? ''
-    let resolvedProviderId: string | null = providerId ?? null
-    let resolvedAccountId: string | null = accountId ?? null
-    const resolvedEnvKey: string | null = envKey ? normalizeEnvKeyInput(envKey) : null
-    let resolvedEnvOwnerUserId: string | null = null
-
-    if (type === 'oauth') {
-      const [accountRow] = await db
-        .select({
-          id: account.id,
-          userId: account.userId,
-          providerId: account.providerId,
-          accountId: account.accountId,
-        })
-        .from(account)
-        .where(eq(account.id, accountId!))
-        .limit(1)
-
-      if (!accountRow) {
-        return NextResponse.json({ error: 'OAuth account not found' }, { status: 404 })
-      }
-
-      if (accountRow.userId !== session.user.id) {
-        return NextResponse.json(
-          { error: 'Only account owners can create oauth credentials for an account' },
-          { status: 403 }
-        )
-      }
-
-      if (providerId !== accountRow.providerId) {
-        return NextResponse.json(
-          { error: 'providerId does not match the selected OAuth account' },
-          { status: 400 }
-        )
-      }
-      if (!resolvedDisplayName) {
-        resolvedDisplayName =
-          getServiceConfigByProviderId(accountRow.providerId)?.name || accountRow.providerId
-      }
-    } else if (type === 'env_personal') {
-      resolvedEnvOwnerUserId = envOwnerUserId ?? session.user.id
-      if (resolvedEnvOwnerUserId !== session.user.id) {
-        return NextResponse.json(
-          { error: 'Only the current user can create personal env credentials for themselves' },
-          { status: 403 }
-        )
-      }
-      resolvedProviderId = null
-      resolvedAccountId = null
-      resolvedDisplayName = resolvedEnvKey || ''
-    } else {
-      resolvedProviderId = null
-      resolvedAccountId = null
-      resolvedEnvOwnerUserId = null
-      resolvedDisplayName = resolvedEnvKey || ''
-    }
-
-    if (!resolvedDisplayName) {
-      return NextResponse.json({ error: 'Display name is required' }, { status: 400 })
-    }
-
-    const existingCredential = await findExistingCredentialBySource({
-      workspaceId,
-      type,
-      accountId: resolvedAccountId,
-      envKey: resolvedEnvKey,
-      envOwnerUserId: resolvedEnvOwnerUserId,
-    })
-
-    if (existingCredential) {
-      const [membership] = await db
-        .select({
-          id: credentialMember.id,
-          status: credentialMember.status,
-          role: credentialMember.role,
-        })
-        .from(credentialMember)
-        .where(
-          and(
-            eq(credentialMember.credentialId, existingCredential.id),
-            eq(credentialMember.userId, session.user.id)
-          )
-        )
-        .limit(1)
-
-      if (!membership || membership.status !== 'active') {
-        return NextResponse.json(
-          { error: 'A credential with this source already exists in this workspace' },
-          { status: 409 }
-        )
-      }
-
-      if (
-        type === 'oauth' &&
-        membership.role === 'admin' &&
-        resolvedDisplayName &&
-        resolvedDisplayName !== existingCredential.displayName
-      ) {
-        await db
-          .update(credential)
-          .set({
-            displayName: resolvedDisplayName,
-            updatedAt: new Date(),
-          })
-          .where(eq(credential.id, existingCredential.id))
-
-        const [updatedCredential] = await db
-          .select()
-          .from(credential)
-          .where(eq(credential.id, existingCredential.id))
-          .limit(1)
-
-        return NextResponse.json(
-          { credential: updatedCredential ?? existingCredential },
-          { status: 200 }
-        )
-      }
-
-      return NextResponse.json({ credential: existingCredential }, { status: 200 })
-    }
-
-    const now = new Date()
-    const credentialId = crypto.randomUUID()
-    const [workspaceRow] = await db
-      .select({ ownerId: workspace.ownerId })
-      .from(workspace)
-      .where(eq(workspace.id, workspaceId))
-      .limit(1)
-
-    await db.transaction(async (tx) => {
-      await tx.insert(credential).values({
-        id: credentialId,
-        workspaceId,
-        type,
-        displayName: resolvedDisplayName,
-        providerId: resolvedProviderId,
-        accountId: resolvedAccountId,
-        envKey: resolvedEnvKey,
-        envOwnerUserId: resolvedEnvOwnerUserId,
-        createdBy: session.user.id,
-        createdAt: now,
-        updatedAt: now,
-      })
-
-      if (type === 'env_workspace' && workspaceRow?.ownerId) {
-        const workspaceUserIds = await getWorkspaceMemberUserIds(workspaceId)
-        if (workspaceUserIds.length > 0) {
-          for (const memberUserId of workspaceUserIds) {
-            await tx.insert(credentialMember).values({
-              id: crypto.randomUUID(),
-              credentialId,
-              userId: memberUserId,
-              role: memberUserId === workspaceRow.ownerId ? 'admin' : 'member',
-              status: 'active',
-              joinedAt: now,
-              invitedBy: session.user.id,
-              createdAt: now,
-              updatedAt: now,
-            })
-          }
-        }
-      } else {
-        await tx.insert(credentialMember).values({
-          id: crypto.randomUUID(),
-          credentialId,
-          userId: session.user.id,
-          role: 'admin',
-          status: 'active',
-          joinedAt: now,
-          invitedBy: session.user.id,
-          createdAt: now,
-          updatedAt: now,
-        })
-      }
-    })
-
-    const [created] = await db
-      .select()
-      .from(credential)
-      .where(eq(credential.id, credentialId))
-      .limit(1)
-
-    return NextResponse.json({ credential: created }, { status: 201 })
-  } catch (error: any) {
-    if (error?.code === '23505') {
-      return NextResponse.json(
-        { error: 'A credential with this source already exists' },
-        { status: 409 }
-      )
-    }
-    if (error?.code === '23503') {
-      return NextResponse.json(
-        { error: 'Invalid credential reference or membership target' },
-        { status: 400 }
-      )
-    }
-    if (error?.code === '23514') {
-      return NextResponse.json(
-        { error: 'Credential source data failed validation checks' },
-        { status: 400 }
-      )
-    }
-    logger.error(`[${requestId}] Credential create failure details`, {
-      code: error?.code,
-      detail: error?.detail,
-      constraint: error?.constraint,
-      table: error?.table,
-      message: error?.message,
-    })
-    logger.error(`[${requestId}] Failed to create credential`, error)
-    return NextResponse.json({ error: 'Internal server error' }, { status: 500 })
-  }
-}

apps/sim/app/api/environment/route.ts

@@ -7,7 +7,6 @@ import { z } from 'zod'
 import { getSession } from '@/lib/auth'
 import { decryptSecret, encryptSecret } from '@/lib/core/security/encryption'
 import { generateRequestId } from '@/lib/core/utils/request'
-import { syncPersonalEnvCredentialsForUser } from '@/lib/credentials/environment'
 import type { EnvironmentVariable } from '@/stores/settings/environment'
 
 const logger = createLogger('EnvironmentAPI')
@@ -54,11 +53,6 @@ export async function POST(req: NextRequest) {
           },
         })
 
-      await syncPersonalEnvCredentialsForUser({
-        userId: session.user.id,
-        envKeys: Object.keys(variables),
-      })
-
       return NextResponse.json({ success: true })
     } catch (validationError) {
       if (validationError instanceof z.ZodError) {

apps/sim/app/api/workflows/[id]/route.ts

@@ -38,7 +38,6 @@ export async function GET(request: NextRequest, { params }: { params: Promise<{
       return NextResponse.json({ error: 'Unauthorized' }, { status: 401 })
     }
 
-    const isInternalCall = auth.authType === 'internal_jwt'
     const userId = auth.userId || null
 
     let workflowData = await getWorkflowById(workflowId)
@@ -48,32 +47,29 @@ export async function GET(request: NextRequest, { params }: { params: Promise<{
       return NextResponse.json({ error: 'Workflow not found' }, { status: 404 })
     }
 
-    if (isInternalCall && !userId) {
-      // Internal system calls (e.g. workflow-in-workflow executor) may not carry a userId.
-      // These are already authenticated via internal JWT; allow read access.
-      logger.info(`[${requestId}] Internal API call for workflow ${workflowId}`)
-    } else if (!userId) {
+    // Check if user has access to this workflow
+    if (!userId) {
       logger.warn(`[${requestId}] Unauthorized access attempt for workflow ${workflowId}`)
       return NextResponse.json({ error: 'Unauthorized' }, { status: 401 })
-    } else {
-      const authorization = await authorizeWorkflowByWorkspacePermission({
-        workflowId,
-        userId,
-        action: 'read',
-      })
-      if (!authorization.workflow) {
-        logger.warn(`[${requestId}] Workflow ${workflowId} not found`)
-        return NextResponse.json({ error: 'Workflow not found' }, { status: 404 })
-      }
+    }
 
-      workflowData = authorization.workflow
-      if (!authorization.allowed) {
-        logger.warn(`[${requestId}] User ${userId} denied access to workflow ${workflowId}`)
-        return NextResponse.json(
-          { error: authorization.message || 'Access denied' },
-          { status: authorization.status }
-        )
-      }
+    const authorization = await authorizeWorkflowByWorkspacePermission({
+      workflowId,
+      userId,
+      action: 'read',
+    })
+    if (!authorization.workflow) {
+      logger.warn(`[${requestId}] Workflow ${workflowId} not found`)
+      return NextResponse.json({ error: 'Workflow not found' }, { status: 404 })
+    }
+
+    workflowData = authorization.workflow
+    if (!authorization.allowed) {
+      logger.warn(`[${requestId}] User ${userId} denied access to workflow ${workflowId}`)
+      return NextResponse.json(
+        { error: authorization.message || 'Access denied' },
+        { status: authorization.status }
+      )
     }
 
     logger.debug(`[${requestId}] Attempting to load workflow ${workflowId} from normalized tables`)

apps/sim/app/api/workspaces/[id]/environment/route.ts

@@ -1,14 +1,12 @@
 import { db } from '@sim/db'
-import { workspaceEnvironment } from '@sim/db/schema'
+import { environment, workspaceEnvironment } from '@sim/db/schema'
 import { createLogger } from '@sim/logger'
 import { eq } from 'drizzle-orm'
 import { type NextRequest, NextResponse } from 'next/server'
 import { z } from 'zod'
 import { getSession } from '@/lib/auth'
-import { encryptSecret } from '@/lib/core/security/encryption'
+import { decryptSecret, encryptSecret } from '@/lib/core/security/encryption'
 import { generateRequestId } from '@/lib/core/utils/request'
-import { syncWorkspaceEnvCredentials } from '@/lib/credentials/environment'
-import { getPersonalAndWorkspaceEnv } from '@/lib/environment/utils'
 import { getUserEntityPermissions, getWorkspaceById } from '@/lib/workspaces/permissions/utils'
 
 const logger = createLogger('WorkspaceEnvironmentAPI')
@@ -46,10 +44,44 @@ export async function GET(request: NextRequest, { params }: { params: Promise<{
       return NextResponse.json({ error: 'Unauthorized' }, { status: 401 })
     }
 
-    const { workspaceDecrypted, personalDecrypted, conflicts } = await getPersonalAndWorkspaceEnv(
-      userId,
-      workspaceId
-    )
+    // Workspace env (encrypted)
+    const wsEnvRow = await db
+      .select()
+      .from(workspaceEnvironment)
+      .where(eq(workspaceEnvironment.workspaceId, workspaceId))
+      .limit(1)
+
+    const wsEncrypted: Record<string, string> = (wsEnvRow[0]?.variables as any) || {}
+
+    // Personal env (encrypted)
+    const personalRow = await db
+      .select()
+      .from(environment)
+      .where(eq(environment.userId, userId))
+      .limit(1)
+
+    const personalEncrypted: Record<string, string> = (personalRow[0]?.variables as any) || {}
+
+    // Decrypt both for UI
+    const decryptAll = async (src: Record<string, string>) => {
+      const out: Record<string, string> = {}
+      for (const [k, v] of Object.entries(src)) {
+        try {
+          const { decrypted } = await decryptSecret(v)
+          out[k] = decrypted
+        } catch {
+          out[k] = ''
+        }
+      }
+      return out
+    }
+
+    const [workspaceDecrypted, personalDecrypted] = await Promise.all([
+      decryptAll(wsEncrypted),
+      decryptAll(personalEncrypted),
+    ])
+
+    const conflicts = Object.keys(personalDecrypted).filter((k) => k in workspaceDecrypted)
 
     return NextResponse.json(
       {
@@ -124,12 +156,6 @@ export async function PUT(request: NextRequest, { params }: { params: Promise<{
         set: { variables: merged, updatedAt: new Date() },
       })
 
-    await syncWorkspaceEnvCredentials({
-      workspaceId,
-      envKeys: Object.keys(merged),
-      actingUserId: userId,
-    })
-
     return NextResponse.json({ success: true })
   } catch (error: any) {
     logger.error(`[${requestId}] Workspace env PUT error`, error)
@@ -196,12 +222,6 @@ export async function DELETE(
         set: { variables: current, updatedAt: new Date() },
       })
 
-    await syncWorkspaceEnvCredentials({
-      workspaceId,
-      envKeys: Object.keys(current),
-      actingUserId: userId,
-    })
-
     return NextResponse.json({ success: true })
   } catch (error: any) {
     logger.error(`[${requestId}] Workspace env DELETE error`, error)

apps/sim/app/workspace/[workspaceId]/w/[workflowId]/components/panel/components/editor/components/sub-block/components/credential-selector/components/oauth-required-modal.tsx

@@ -30,7 +30,6 @@ export interface OAuthRequiredModalProps {
   requiredScopes?: string[]
   serviceId: string
   newScopes?: string[]
-  onConnect?: () => Promise<void> | void
 }
 
 const SCOPE_DESCRIPTIONS: Record<string, string> = {
@@ -315,7 +314,6 @@ export function OAuthRequiredModal({
   requiredScopes = [],
   serviceId,
   newScopes = [],
-  onConnect,
 }: OAuthRequiredModalProps) {
   const [error, setError] = useState<string | null>(null)
   const { baseProvider } = parseProvider(provider)
@@ -361,12 +359,6 @@ export function OAuthRequiredModal({
     setError(null)
 
     try {
-      if (onConnect) {
-        await onConnect()
-        onClose()
-        return
-      }
-
       const providerId = getProviderIdFromServiceId(serviceId)
 
       logger.info('Linking OAuth2:', {

apps/sim/app/workspace/[workspaceId]/w/[workflowId]/components/panel/components/editor/components/sub-block/components/credential-selector/credential-selector.tsx

@@ -3,12 +3,10 @@
 import { createElement, useCallback, useEffect, useMemo, useState } from 'react'
 import { createLogger } from '@sim/logger'
 import { ExternalLink, Users } from 'lucide-react'
-import { useParams } from 'next/navigation'
 import { Button, Combobox } from '@/components/emcn/components'
 import { getSubscriptionStatus } from '@/lib/billing/client'
 import { getEnv, isTruthy } from '@/lib/core/config/env'
 import { getPollingProviderFromOAuth } from '@/lib/credential-sets/providers'
-import { writePendingCredentialCreateRequest } from '@/lib/credentials/client-state'
 import {
   getCanonicalScopesForProvider,
   getProviderIdFromServiceId,
@@ -20,9 +18,9 @@ import { OAuthRequiredModal } from '@/app/workspace/[workspaceId]/w/[workflowId]
 import { useDependsOnGate } from '@/app/workspace/[workspaceId]/w/[workflowId]/components/panel/components/editor/components/sub-block/hooks/use-depends-on-gate'
 import { useSubBlockValue } from '@/app/workspace/[workspaceId]/w/[workflowId]/components/panel/components/editor/components/sub-block/hooks/use-sub-block-value'
 import type { SubBlockConfig } from '@/blocks/types'
-import { CREDENTIAL_SET } from '@/executor/constants'
+import { CREDENTIAL, CREDENTIAL_SET } from '@/executor/constants'
 import { useCredentialSets } from '@/hooks/queries/credential-sets'
-import { useOAuthCredentials } from '@/hooks/queries/oauth-credentials'
+import { useOAuthCredentialDetail, useOAuthCredentials } from '@/hooks/queries/oauth-credentials'
 import { useOrganizations } from '@/hooks/queries/organization'
 import { useSubscriptionData } from '@/hooks/queries/subscription'
 import { getMissingRequiredScopes } from '@/hooks/use-oauth-scope-status'
@@ -48,8 +46,6 @@ export function CredentialSelector({
   previewValue,
   previewContextValues,
 }: CredentialSelectorProps) {
-  const params = useParams()
-  const workspaceId = (params?.workspaceId as string) || ''
   const [showOAuthModal, setShowOAuthModal] = useState(false)
   const [editingValue, setEditingValue] = useState('')
   const [isEditing, setIsEditing] = useState(false)
@@ -100,32 +96,53 @@ export function CredentialSelector({
     data: credentials = [],
     isFetching: credentialsLoading,
     refetch: refetchCredentials,
-  } = useOAuthCredentials(effectiveProviderId, {
-    enabled: Boolean(effectiveProviderId),
-    workspaceId,
-    workflowId: activeWorkflowId || undefined,
-  })
+  } = useOAuthCredentials(effectiveProviderId, Boolean(effectiveProviderId))
 
   const selectedCredential = useMemo(
     () => credentials.find((cred) => cred.id === selectedId),
     [credentials, selectedId]
   )
 
+  const shouldFetchForeignMeta =
+    Boolean(selectedId) &&
+    !selectedCredential &&
+    Boolean(activeWorkflowId) &&
+    Boolean(effectiveProviderId)
+
+  const { data: foreignCredentials = [], isFetching: foreignMetaLoading } =
+    useOAuthCredentialDetail(
+      shouldFetchForeignMeta ? selectedId : undefined,
+      activeWorkflowId || undefined,
+      shouldFetchForeignMeta
+    )
+
+  const hasForeignMeta = foreignCredentials.length > 0
+  const isForeign = Boolean(selectedId && !selectedCredential && hasForeignMeta)
+
   const selectedCredentialSet = useMemo(
     () => credentialSets.find((cs) => cs.id === selectedCredentialSetId),
     [credentialSets, selectedCredentialSetId]
   )
 
+  const isForeignCredentialSet = Boolean(isCredentialSetSelected && !selectedCredentialSet)
+
   const resolvedLabel = useMemo(() => {
     if (selectedCredentialSet) return selectedCredentialSet.name
+    if (isForeignCredentialSet) return CREDENTIAL.FOREIGN_LABEL
     if (selectedCredential) return selectedCredential.name
+    if (isForeign) return CREDENTIAL.FOREIGN_LABEL
     return ''
-  }, [selectedCredentialSet, selectedCredential])
+  }, [selectedCredentialSet, isForeignCredentialSet, selectedCredential, isForeign])
 
   const displayValue = isEditing ? editingValue : resolvedLabel
 
   const invalidSelection =
-    !isPreview && Boolean(selectedId) && !selectedCredential && !credentialsLoading
+    !isPreview &&
+    Boolean(selectedId) &&
+    !selectedCredential &&
+    !hasForeignMeta &&
+    !credentialsLoading &&
+    !foreignMetaLoading
 
   useEffect(() => {
     if (!invalidSelection) return
@@ -136,7 +153,7 @@ export function CredentialSelector({
     setStoreValue('')
   }, [invalidSelection, selectedId, effectiveProviderId, setStoreValue])
 
-  useCredentialRefreshTriggers(refetchCredentials, effectiveProviderId, workspaceId)
+  useCredentialRefreshTriggers(refetchCredentials)
 
   const handleOpenChange = useCallback(
     (isOpen: boolean) => {
@@ -178,18 +195,8 @@ export function CredentialSelector({
   )
 
   const handleAddCredential = useCallback(() => {
-    writePendingCredentialCreateRequest({
-      workspaceId,
-      type: 'oauth',
-      providerId: effectiveProviderId,
-      displayName: '',
-      serviceId,
-      requiredScopes: getCanonicalScopesForProvider(effectiveProviderId),
-      requestedAt: Date.now(),
-    })
-
-    window.dispatchEvent(new CustomEvent('open-settings', { detail: { tab: 'credentials' } }))
-  }, [workspaceId, effectiveProviderId, serviceId])
+    setShowOAuthModal(true)
+  }, [])
 
   const getProviderIcon = useCallback((providerName: OAuthProvider) => {
     const { baseProvider } = parseProvider(providerName)
@@ -244,18 +251,23 @@ export function CredentialSelector({
         label: cred.name,
         value: cred.id,
       }))
-      credentialItems.push({
-        label:
-          credentials.length > 0
-            ? `Connect another ${getProviderName(provider)} account`
-            : `Connect ${getProviderName(provider)} account`,
-        value: '__connect_account__',
-      })
 
-      groups.push({
-        section: 'Personal Credential',
-        items: credentialItems,
-      })
+      if (credentialItems.length > 0) {
+        groups.push({
+          section: 'Personal Credential',
+          items: credentialItems,
+        })
+      } else {
+        groups.push({
+          section: 'Personal Credential',
+          items: [
+            {
+              label: `Connect ${getProviderName(provider)} account`,
+              value: '__connect_account__',
+            },
+          ],
+        })
+      }
 
       return { comboboxOptions: [], comboboxGroups: groups }
     }
@@ -265,13 +277,12 @@ export function CredentialSelector({
       value: cred.id,
     }))
 
-    options.push({
-      label:
-        credentials.length > 0
-          ? `Connect another ${getProviderName(provider)} account`
-          : `Connect ${getProviderName(provider)} account`,
-      value: '__connect_account__',
-    })
+    if (credentials.length === 0) {
+      options.push({
+        label: `Connect ${getProviderName(provider)} account`,
+        value: '__connect_account__',
+      })
+    }
 
     return { comboboxOptions: options, comboboxGroups: undefined }
   }, [
@@ -357,7 +368,7 @@ export function CredentialSelector({
         }
         disabled={effectiveDisabled}
         editable={true}
-        filterOptions={true}
+        filterOptions={!isForeign && !isForeignCredentialSet}
         isLoading={credentialsLoading}
         overlayContent={overlayContent}
         className={selectedId || isCredentialSetSelected ? 'pl-[28px]' : ''}
@@ -369,13 +380,15 @@ export function CredentialSelector({
             <span className='mr-[6px] inline-block h-[6px] w-[6px] rounded-[2px] bg-amber-500' />
             Additional permissions required
           </div>
-          <Button
-            variant='active'
-            onClick={() => setShowOAuthModal(true)}
-            className='w-full px-[8px] py-[4px] font-medium text-[12px]'
-          >
-            Update access
-          </Button>
+          {!isForeign && (
+            <Button
+              variant='active'
+              onClick={() => setShowOAuthModal(true)}
+              className='w-full px-[8px] py-[4px] font-medium text-[12px]'
+            >
+              Update access
+            </Button>
+          )}
         </div>
       )}
 
@@ -394,11 +407,7 @@ export function CredentialSelector({
   )
 }
 
-function useCredentialRefreshTriggers(
-  refetchCredentials: () => Promise<unknown>,
-  providerId: string,
-  workspaceId: string
-) {
+function useCredentialRefreshTriggers(refetchCredentials: () => Promise<unknown>) {
   useEffect(() => {
     const refresh = () => {
       void refetchCredentials()
@@ -416,29 +425,12 @@ function useCredentialRefreshTriggers(
       }
     }
 
-    const handleCredentialsUpdated = (
-      event: CustomEvent<{ providerId?: string; workspaceId?: string }>
-    ) => {
-      if (event.detail?.providerId && event.detail.providerId !== providerId) {
-        return
-      }
-      if (event.detail?.workspaceId && workspaceId && event.detail.workspaceId !== workspaceId) {
-        return
-      }
-      refresh()
-    }
-
     document.addEventListener('visibilitychange', handleVisibilityChange)
     window.addEventListener('pageshow', handlePageShow)
-    window.addEventListener('oauth-credentials-updated', handleCredentialsUpdated as EventListener)
 
     return () => {
       document.removeEventListener('visibilitychange', handleVisibilityChange)
       window.removeEventListener('pageshow', handlePageShow)
-      window.removeEventListener(
-        'oauth-credentials-updated',
-        handleCredentialsUpdated as EventListener
-      )
     }
-  }, [providerId, workspaceId, refetchCredentials])
+  }, [refetchCredentials])
 }

apps/sim/app/workspace/[workspaceId]/w/[workflowId]/components/panel/components/editor/components/sub-block/components/env-var-dropdown.tsx

@@ -9,7 +9,6 @@ import {
   PopoverSection,
 } from '@/components/emcn'
 import { cn } from '@/lib/core/utils/cn'
-import { writePendingCredentialCreateRequest } from '@/lib/credentials/client-state'
 import {
   usePersonalEnvironment,
   useWorkspaceEnvironment,
@@ -169,15 +168,7 @@ export const EnvVarDropdown: React.FC<EnvVarDropdownProps> = ({
   }, [searchTerm])
 
   const openEnvironmentSettings = () => {
-    if (workspaceId) {
-      writePendingCredentialCreateRequest({
-        workspaceId,
-        type: 'env_personal',
-        envKey: searchTerm.trim(),
-        requestedAt: Date.now(),
-      })
-    }
-    window.dispatchEvent(new CustomEvent('open-settings', { detail: { tab: 'credentials' } }))
+    window.dispatchEvent(new CustomEvent('open-settings', { detail: { tab: 'environment' } }))
     onClose?.()
   }
 
@@ -311,7 +302,7 @@ export const EnvVarDropdown: React.FC<EnvVarDropdownProps> = ({
               }}
             >
               <Plus className='h-3 w-3' />
-              <span>Create Secret</span>
+              <span>Create environment variable</span>
             </PopoverItem>
           </PopoverScrollArea>
         ) : (

apps/sim/app/workspace/[workspaceId]/w/[workflowId]/components/panel/components/editor/components/sub-block/components/file-selector/file-selector-input.tsx

@@ -7,6 +7,7 @@ import { getProviderIdFromServiceId } from '@/lib/oauth'
 import { buildCanonicalIndex, resolveDependencyValue } from '@/lib/workflows/subblocks/visibility'
 import { SelectorCombobox } from '@/app/workspace/[workspaceId]/w/[workflowId]/components/panel/components/editor/components/sub-block/components/selector-combobox/selector-combobox'
 import { useDependsOnGate } from '@/app/workspace/[workspaceId]/w/[workflowId]/components/panel/components/editor/components/sub-block/hooks/use-depends-on-gate'
+import { useForeignCredential } from '@/app/workspace/[workspaceId]/w/[workflowId]/components/panel/components/editor/components/sub-block/hooks/use-foreign-credential'
 import { useSubBlockValue } from '@/app/workspace/[workspaceId]/w/[workflowId]/components/panel/components/editor/components/sub-block/hooks/use-sub-block-value'
 import { resolvePreviewContextValue } from '@/app/workspace/[workspaceId]/w/[workflowId]/components/panel/components/editor/components/sub-block/utils'
 import { getBlock } from '@/blocks/registry'
@@ -124,6 +125,8 @@ export function FileSelectorInput({
   const serviceId = subBlock.serviceId || ''
   const effectiveProviderId = useMemo(() => getProviderIdFromServiceId(serviceId), [serviceId])
 
+  const { isForeignCredential } = useForeignCredential(effectiveProviderId, normalizedCredentialId)
+
   const selectorResolution = useMemo<SelectorResolution | null>(() => {
     return resolveSelectorForSubBlock(subBlock, {
       workflowId: workflowIdFromUrl,
@@ -165,6 +168,7 @@ export function FileSelectorInput({
 
   const disabledReason =
     finalDisabled ||
+    isForeignCredential ||
     missingCredential ||
     missingDomain ||
     missingProject ||

apps/sim/app/workspace/[workspaceId]/w/[workflowId]/components/panel/components/editor/components/sub-block/components/folder-selector/components/folder-selector-input.tsx

@@ -4,6 +4,7 @@ import { useCallback, useEffect, useMemo, useState } from 'react'
 import { getProviderIdFromServiceId } from '@/lib/oauth'
 import { SelectorCombobox } from '@/app/workspace/[workspaceId]/w/[workflowId]/components/panel/components/editor/components/sub-block/components/selector-combobox/selector-combobox'
 import { useDependsOnGate } from '@/app/workspace/[workspaceId]/w/[workflowId]/components/panel/components/editor/components/sub-block/hooks/use-depends-on-gate'
+import { useForeignCredential } from '@/app/workspace/[workspaceId]/w/[workflowId]/components/panel/components/editor/components/sub-block/hooks/use-foreign-credential'
 import { useSubBlockValue } from '@/app/workspace/[workspaceId]/w/[workflowId]/components/panel/components/editor/components/sub-block/hooks/use-sub-block-value'
 import { resolvePreviewContextValue } from '@/app/workspace/[workspaceId]/w/[workflowId]/components/panel/components/editor/components/sub-block/utils'
 import type { SubBlockConfig } from '@/blocks/types'
@@ -46,6 +47,10 @@ export function FolderSelectorInput({
     subBlock.canonicalParamId === 'copyDestinationId' ||
     subBlock.id === 'copyDestinationFolder' ||
     subBlock.id === 'manualCopyDestinationFolder'
+  const { isForeignCredential } = useForeignCredential(
+    effectiveProviderId,
+    (connectedCredential as string) || ''
+  )
 
   // Central dependsOn gating
   const { finalDisabled } = useDependsOnGate(blockId, subBlock, {
@@ -114,7 +119,9 @@ export function FolderSelectorInput({
       selectorContext={
         selectorResolution?.context ?? { credentialId, workflowId: activeWorkflowId || '' }
       }
-      disabled={finalDisabled || missingCredential || !selectorResolution?.key}
+      disabled={
+        finalDisabled || isForeignCredential || missingCredential || !selectorResolution?.key
+      }
       isPreview={isPreview}
       previewValue={previewValue ?? null}
       placeholder={subBlock.placeholder || 'Select folder'}

apps/sim/app/workspace/[workspaceId]/w/[workflowId]/components/panel/components/editor/components/sub-block/components/project-selector/project-selector-input.tsx

@@ -7,6 +7,7 @@ import { getProviderIdFromServiceId } from '@/lib/oauth'
 import { buildCanonicalIndex, resolveDependencyValue } from '@/lib/workflows/subblocks/visibility'
 import { SelectorCombobox } from '@/app/workspace/[workspaceId]/w/[workflowId]/components/panel/components/editor/components/sub-block/components/selector-combobox/selector-combobox'
 import { useDependsOnGate } from '@/app/workspace/[workspaceId]/w/[workflowId]/components/panel/components/editor/components/sub-block/hooks/use-depends-on-gate'
+import { useForeignCredential } from '@/app/workspace/[workspaceId]/w/[workflowId]/components/panel/components/editor/components/sub-block/hooks/use-foreign-credential'
 import { useSubBlockValue } from '@/app/workspace/[workspaceId]/w/[workflowId]/components/panel/components/editor/components/sub-block/hooks/use-sub-block-value'
 import { resolvePreviewContextValue } from '@/app/workspace/[workspaceId]/w/[workflowId]/components/panel/components/editor/components/sub-block/utils'
 import { getBlock } from '@/blocks/registry'
@@ -72,6 +73,11 @@ export function ProjectSelectorInput({
 
   const serviceId = subBlock.serviceId || ''
   const effectiveProviderId = useMemo(() => getProviderIdFromServiceId(serviceId), [serviceId])
+
+  const { isForeignCredential } = useForeignCredential(
+    effectiveProviderId,
+    (connectedCredential as string) || ''
+  )
   const workflowIdFromUrl = (params?.workflowId as string) || activeWorkflowId || ''
   const { finalDisabled } = useDependsOnGate(blockId, subBlock, {
     disabled,
@@ -117,7 +123,7 @@ export function ProjectSelectorInput({
               subBlock={subBlock}
               selectorKey={selectorResolution.key}
               selectorContext={selectorResolution.context}
-              disabled={finalDisabled || missingCredential}
+              disabled={finalDisabled || isForeignCredential || missingCredential}
               isPreview={isPreview}
               previewValue={previewValue ?? null}
               placeholder={subBlock.placeholder || 'Select project'}

apps/sim/app/workspace/[workspaceId]/w/[workflowId]/components/panel/components/editor/components/sub-block/components/sheet-selector/sheet-selector-input.tsx

@@ -7,6 +7,7 @@ import { getProviderIdFromServiceId } from '@/lib/oauth'
 import { buildCanonicalIndex, resolveDependencyValue } from '@/lib/workflows/subblocks/visibility'
 import { SelectorCombobox } from '@/app/workspace/[workspaceId]/w/[workflowId]/components/panel/components/editor/components/sub-block/components/selector-combobox/selector-combobox'
 import { useDependsOnGate } from '@/app/workspace/[workspaceId]/w/[workflowId]/components/panel/components/editor/components/sub-block/hooks/use-depends-on-gate'
+import { useForeignCredential } from '@/app/workspace/[workspaceId]/w/[workflowId]/components/panel/components/editor/components/sub-block/hooks/use-foreign-credential'
 import { resolvePreviewContextValue } from '@/app/workspace/[workspaceId]/w/[workflowId]/components/panel/components/editor/components/sub-block/utils'
 import { getBlock } from '@/blocks/registry'
 import type { SubBlockConfig } from '@/blocks/types'
@@ -86,6 +87,8 @@ export function SheetSelectorInput({
   const serviceId = subBlock.serviceId || ''
   const effectiveProviderId = useMemo(() => getProviderIdFromServiceId(serviceId), [serviceId])
 
+  const { isForeignCredential } = useForeignCredential(effectiveProviderId, normalizedCredentialId)
+
   const selectorResolution = useMemo<SelectorResolution | null>(() => {
     return resolveSelectorForSubBlock(subBlock, {
       workflowId: workflowIdFromUrl,
@@ -98,7 +101,11 @@ export function SheetSelectorInput({
   const missingSpreadsheet = !normalizedSpreadsheetId
 
   const disabledReason =
-    finalDisabled || missingCredential || missingSpreadsheet || !selectorResolution?.key
+    finalDisabled ||
+    isForeignCredential ||
+    missingCredential ||
+    missingSpreadsheet ||
+    !selectorResolution?.key
 
   if (!selectorResolution?.key) {
     return (

apps/sim/app/workspace/[workspaceId]/w/[workflowId]/components/panel/components/editor/components/sub-block/components/slack-selector/slack-selector-input.tsx

@@ -6,6 +6,7 @@ import { Tooltip } from '@/components/emcn'
 import { getProviderIdFromServiceId } from '@/lib/oauth'
 import { SelectorCombobox } from '@/app/workspace/[workspaceId]/w/[workflowId]/components/panel/components/editor/components/sub-block/components/selector-combobox/selector-combobox'
 import { useDependsOnGate } from '@/app/workspace/[workspaceId]/w/[workflowId]/components/panel/components/editor/components/sub-block/hooks/use-depends-on-gate'
+import { useForeignCredential } from '@/app/workspace/[workspaceId]/w/[workflowId]/components/panel/components/editor/components/sub-block/hooks/use-foreign-credential'
 import { useSubBlockValue } from '@/app/workspace/[workspaceId]/w/[workflowId]/components/panel/components/editor/components/sub-block/hooks/use-sub-block-value'
 import { resolvePreviewContextValue } from '@/app/workspace/[workspaceId]/w/[workflowId]/components/panel/components/editor/components/sub-block/utils'
 import type { SubBlockConfig } from '@/blocks/types'
@@ -84,6 +85,11 @@ export function SlackSelectorInput({
       ? (effectiveBotToken as string) || ''
       : (effectiveCredential as string) || ''
 
+  const { isForeignCredential } = useForeignCredential(
+    effectiveProviderId,
+    (effectiveAuthMethod as string) === 'bot_token' ? '' : (effectiveCredential as string) || ''
+  )
+
   useEffect(() => {
     const val = isPreview && previewValue !== undefined ? previewValue : storeValue
     if (typeof val === 'string') {
@@ -93,7 +99,7 @@ export function SlackSelectorInput({
 
   const requiresCredential = dependsOn.includes('credential')
   const missingCredential = !credential || credential.trim().length === 0
-  const shouldForceDisable = requiresCredential && missingCredential
+  const shouldForceDisable = requiresCredential && (missingCredential || isForeignCredential)
 
   const context: SelectorContext = useMemo(
     () => ({
@@ -130,7 +136,7 @@ export function SlackSelectorInput({
             subBlock={subBlock}
             selectorKey={config.selectorKey}
             selectorContext={context}
-            disabled={finalDisabled || shouldForceDisable}
+            disabled={finalDisabled || shouldForceDisable || isForeignCredential}
             isPreview={isPreview}
             previewValue={previewValue ?? null}
             placeholder={subBlock.placeholder || config.placeholder}

apps/sim/app/workspace/[workspaceId]/w/[workflowId]/components/panel/components/editor/components/sub-block/components/tool-input/components/tool-credential-selector.tsx

@@ -1,8 +1,6 @@
 import { createElement, useCallback, useEffect, useMemo, useState } from 'react'
 import { ExternalLink } from 'lucide-react'
-import { useParams } from 'next/navigation'
 import { Button, Combobox } from '@/components/emcn/components'
-import { writePendingCredentialCreateRequest } from '@/lib/credentials/client-state'
 import {
   getCanonicalScopesForProvider,
   getProviderIdFromServiceId,
@@ -12,7 +10,8 @@ import {
   parseProvider,
 } from '@/lib/oauth'
 import { OAuthRequiredModal } from '@/app/workspace/[workspaceId]/w/[workflowId]/components/panel/components/editor/components/sub-block/components/credential-selector/components/oauth-required-modal'
-import { useOAuthCredentials } from '@/hooks/queries/oauth-credentials'
+import { CREDENTIAL } from '@/executor/constants'
+import { useOAuthCredentialDetail, useOAuthCredentials } from '@/hooks/queries/oauth-credentials'
 import { getMissingRequiredScopes } from '@/hooks/use-oauth-scope-status'
 import { useWorkflowRegistry } from '@/stores/workflows/registry/store'
 
@@ -55,12 +54,10 @@ export function ToolCredentialSelector({
   onChange,
   provider,
   requiredScopes = [],
-  label = 'Select credential',
+  label = 'Select account',
   serviceId,
   disabled = false,
 }: ToolCredentialSelectorProps) {
-  const params = useParams()
-  const workspaceId = (params?.workspaceId as string) || ''
   const [showOAuthModal, setShowOAuthModal] = useState(false)
   const [editingInputValue, setEditingInputValue] = useState('')
   const [isEditing, setIsEditing] = useState(false)
@@ -74,32 +71,50 @@ export function ToolCredentialSelector({
     data: credentials = [],
     isFetching: credentialsLoading,
     refetch: refetchCredentials,
-  } = useOAuthCredentials(effectiveProviderId, {
-    enabled: Boolean(effectiveProviderId),
-    workspaceId,
-    workflowId: activeWorkflowId || undefined,
-  })
+  } = useOAuthCredentials(effectiveProviderId, Boolean(effectiveProviderId))
 
   const selectedCredential = useMemo(
     () => credentials.find((cred) => cred.id === selectedId),
     [credentials, selectedId]
   )
 
+  const shouldFetchForeignMeta =
+    Boolean(selectedId) &&
+    !selectedCredential &&
+    Boolean(activeWorkflowId) &&
+    Boolean(effectiveProviderId)
+
+  const { data: foreignCredentials = [], isFetching: foreignMetaLoading } =
+    useOAuthCredentialDetail(
+      shouldFetchForeignMeta ? selectedId : undefined,
+      activeWorkflowId || undefined,
+      shouldFetchForeignMeta
+    )
+
+  const hasForeignMeta = foreignCredentials.length > 0
+  const isForeign = Boolean(selectedId && !selectedCredential && hasForeignMeta)
+
   const resolvedLabel = useMemo(() => {
     if (selectedCredential) return selectedCredential.name
+    if (isForeign) return CREDENTIAL.FOREIGN_LABEL
     return ''
-  }, [selectedCredential])
+  }, [selectedCredential, isForeign])
 
   const inputValue = isEditing ? editingInputValue : resolvedLabel
 
-  const invalidSelection = Boolean(selectedId) && !selectedCredential && !credentialsLoading
+  const invalidSelection =
+    Boolean(selectedId) &&
+    !selectedCredential &&
+    !hasForeignMeta &&
+    !credentialsLoading &&
+    !foreignMetaLoading
 
   useEffect(() => {
     if (!invalidSelection) return
     onChange('')
   }, [invalidSelection, onChange])
 
-  useCredentialRefreshTriggers(refetchCredentials, effectiveProviderId, workspaceId)
+  useCredentialRefreshTriggers(refetchCredentials)
 
   const handleOpenChange = useCallback(
     (isOpen: boolean) => {
@@ -127,18 +142,8 @@ export function ToolCredentialSelector({
   )
 
   const handleAddCredential = useCallback(() => {
-    writePendingCredentialCreateRequest({
-      workspaceId,
-      type: 'oauth',
-      providerId: effectiveProviderId,
-      displayName: '',
-      serviceId,
-      requiredScopes: getCanonicalScopesForProvider(effectiveProviderId),
-      requestedAt: Date.now(),
-    })
-
-    window.dispatchEvent(new CustomEvent('open-settings', { detail: { tab: 'credentials' } }))
-  }, [workspaceId, effectiveProviderId, serviceId])
+    setShowOAuthModal(true)
+  }, [])
 
   const comboboxOptions = useMemo(() => {
     const options = credentials.map((cred) => ({
@@ -146,13 +151,12 @@ export function ToolCredentialSelector({
       value: cred.id,
     }))
 
-    options.push({
-      label:
-        credentials.length > 0
-          ? `Connect another ${getProviderName(provider)} account`
-          : `Connect ${getProviderName(provider)} account`,
-      value: '__connect_account__',
-    })
+    if (credentials.length === 0) {
+      options.push({
+        label: `Connect ${getProviderName(provider)} account`,
+        value: '__connect_account__',
+      })
+    }
 
     return options
   }, [credentials, provider])
@@ -202,7 +206,7 @@ export function ToolCredentialSelector({
         placeholder={label}
         disabled={disabled}
         editable={true}
-        filterOptions={true}
+        filterOptions={!isForeign}
         isLoading={credentialsLoading}
         overlayContent={overlayContent}
         className={selectedId ? 'pl-[28px]' : ''}
@@ -214,13 +218,15 @@ export function ToolCredentialSelector({
             <span className='mr-[6px] inline-block h-[6px] w-[6px] rounded-[2px] bg-amber-500' />
             Additional permissions required
           </div>
-          <Button
-            variant='active'
-            onClick={() => setShowOAuthModal(true)}
-            className='w-full px-[8px] py-[4px] font-medium text-[12px]'
-          >
-            Update access
-          </Button>
+          {!isForeign && (
+            <Button
+              variant='active'
+              onClick={() => setShowOAuthModal(true)}
+              className='w-full px-[8px] py-[4px] font-medium text-[12px]'
+            >
+              Update access
+            </Button>
+          )}
         </div>
       )}
 
@@ -239,11 +245,7 @@ export function ToolCredentialSelector({
   )
 }
 
-function useCredentialRefreshTriggers(
-  refetchCredentials: () => Promise<unknown>,
-  providerId: string,
-  workspaceId: string
-) {
+function useCredentialRefreshTriggers(refetchCredentials: () => Promise<unknown>) {
   useEffect(() => {
     const refresh = () => {
       void refetchCredentials()
@@ -261,29 +263,12 @@ function useCredentialRefreshTriggers(
       }
     }
 
-    const handleCredentialsUpdated = (
-      event: CustomEvent<{ providerId?: string; workspaceId?: string }>
-    ) => {
-      if (event.detail?.providerId && event.detail.providerId !== providerId) {
-        return
-      }
-      if (event.detail?.workspaceId && workspaceId && event.detail.workspaceId !== workspaceId) {
-        return
-      }
-      refresh()
-    }
-
     document.addEventListener('visibilitychange', handleVisibilityChange)
     window.addEventListener('pageshow', handlePageShow)
-    window.addEventListener('oauth-credentials-updated', handleCredentialsUpdated as EventListener)
 
     return () => {
       document.removeEventListener('visibilitychange', handleVisibilityChange)
       window.removeEventListener('pageshow', handlePageShow)
-      window.removeEventListener(
-        'oauth-credentials-updated',
-        handleCredentialsUpdated as EventListener
-      )
     }
-  }, [providerId, workspaceId, refetchCredentials])
+  }, [refetchCredentials])
 }

apps/sim/app/workspace/[workspaceId]/w/[workflowId]/components/panel/components/editor/components/sub-block/hooks/use-foreign-credential.ts

@@ -0,0 +1,50 @@
+import { useEffect, useMemo, useState } from 'react'
+
+export function useForeignCredential(
+  provider: string | undefined,
+  credentialId: string | undefined
+) {
+  const [isForeign, setIsForeign] = useState<boolean>(false)
+  const [loading, setLoading] = useState<boolean>(false)
+  const [error, setError] = useState<string | null>(null)
+
+  const normalizedProvider = useMemo(() => (provider || '').toString(), [provider])
+  const normalizedCredentialId = useMemo(() => credentialId || '', [credentialId])
+
+  useEffect(() => {
+    let cancelled = false
+    async function check() {
+      setLoading(true)
+      setError(null)
+      try {
+        if (!normalizedProvider || !normalizedCredentialId) {
+          if (!cancelled) setIsForeign(false)
+          return
+        }
+        const res = await fetch(
+          `/api/auth/oauth/credentials?provider=${encodeURIComponent(normalizedProvider)}`
+        )
+        if (!res.ok) {
+          if (!cancelled) setIsForeign(true)
+          return
+        }
+        const data = await res.json()
+        const isOwn = (data.credentials || []).some((c: any) => c.id === normalizedCredentialId)
+        if (!cancelled) setIsForeign(!isOwn)
+      } catch (e) {
+        if (!cancelled) {
+          setIsForeign(true)
+          setError((e as Error).message)
+        }
+      } finally {
+        if (!cancelled) setLoading(false)
+      }
+    }
+    void check()
+    return () => {
+      cancelled = true
+    }
+  }, [normalizedProvider, normalizedCredentialId])
+
+  return { isForeignCredential: isForeign, loading, error }
+}

apps/sim/app/workspace/[workspaceId]/w/components/preview/components/preview-editor/preview-editor.tsx

@@ -473,7 +473,7 @@ function ConnectionsSection({
           </div>
         )}
 
-        {/* Secrets */}
+        {/* Environment Variables */}
         {envVars.length > 0 && (
           <div className='mb-[2px] last:mb-0'>
             <div
@@ -489,7 +489,7 @@ function ConnectionsSection({
                   'text-[var(--text-secondary)] group-hover:text-[var(--text-primary)]'
                 )}
               >
-                Secrets
+                Environment Variables
               </span>
               <ChevronDownIcon
                 className={cn(

apps/sim/app/workspace/[workspaceId]/w/components/sidebar/components/settings-modal/components/credentials/credentials.tsx

@@ -1,17 +0,0 @@
-'use client'
-
-import { CredentialsManager } from '@/app/workspace/[workspaceId]/w/components/sidebar/components/settings-modal/components/credentials/credentials-manager'
-
-interface CredentialsProps {
-  onOpenChange?: (open: boolean) => void
-  registerCloseHandler?: (handler: (open: boolean) => void) => void
-  registerBeforeLeaveHandler?: (handler: (onProceed: () => void) => void) => void
-}
-
-export function Credentials(_props: CredentialsProps) {
-  return (
-    <div className='h-full min-h-0'>
-      <CredentialsManager />
-    </div>
-  )
-}

apps/sim/app/workspace/[workspaceId]/w/components/sidebar/components/settings-modal/components/environment/environment.tsx

@@ -134,7 +134,7 @@ function WorkspaceVariableRow({
               <Trash />
             </Button>
           </Tooltip.Trigger>
-          <Tooltip.Content>Delete secret</Tooltip.Content>
+          <Tooltip.Content>Delete environment variable</Tooltip.Content>
         </Tooltip.Root>
       </div>
     </div>
@@ -637,7 +637,7 @@ export function EnvironmentVariables({ registerBeforeLeaveHandler }: Environment
                     <Trash />
                   </Button>
                 </Tooltip.Trigger>
-                <Tooltip.Content>Delete secret</Tooltip.Content>
+                <Tooltip.Content>Delete environment variable</Tooltip.Content>
               </Tooltip.Root>
             </div>
           </div>
@@ -811,7 +811,7 @@ export function EnvironmentVariables({ registerBeforeLeaveHandler }: Environment
                   filteredWorkspaceEntries.length === 0 &&
                   (envVars.length > 0 || Object.keys(workspaceVars).length > 0) && (
                     <div className='py-[16px] text-center text-[13px] text-[var(--text-muted)]'>
-                      No secrets found matching "{searchTerm}"
+                      No environment variables found matching "{searchTerm}"
                     </div>
                   )}
               </>

apps/sim/app/workspace/[workspaceId]/w/components/sidebar/components/settings-modal/components/index.ts

@@ -2,7 +2,6 @@ export { ApiKeys } from './api-keys/api-keys'
 export { BYOK } from './byok/byok'
 export { Copilot } from './copilot/copilot'
 export { CredentialSets } from './credential-sets/credential-sets'
-export { Credentials } from './credentials/credentials'
 export { CustomTools } from './custom-tools/custom-tools'
 export { Debug } from './debug/debug'
 export { EnvironmentVariables } from './environment/environment'

apps/sim/app/workspace/[workspaceId]/w/components/sidebar/components/settings-modal/settings-modal.tsx

@@ -20,6 +20,7 @@ import {
 import {
   Card,
   Connections,
+  FolderCode,
   HexSimple,
   Key,
   SModal,
@@ -44,11 +45,12 @@ import {
   BYOK,
   Copilot,
   CredentialSets,
-  Credentials,
   CustomTools,
   Debug,
+  EnvironmentVariables,
   FileUploads,
   General,
+  Integrations,
   MCP,
   Skills,
   Subscription,
@@ -78,7 +80,6 @@ interface SettingsModalProps {
 
 type SettingsSection =
   | 'general'
-  | 'credentials'
   | 'environment'
   | 'template-profile'
   | 'integrations'
@@ -155,10 +156,11 @@ const allNavigationItems: NavigationItem[] = [
     requiresHosted: true,
     requiresTeam: true,
   },
-  { id: 'credentials', label: 'Credentials', icon: Connections, section: 'tools' },
+  { id: 'integrations', label: 'Integrations', icon: Connections, section: 'tools' },
   { id: 'custom-tools', label: 'Custom Tools', icon: Wrench, section: 'tools' },
   { id: 'skills', label: 'Skills', icon: AgentSkillsIcon, section: 'tools' },
   { id: 'mcp', label: 'MCP Tools', icon: McpIcon, section: 'tools' },
+  { id: 'environment', label: 'Environment', icon: FolderCode, section: 'system' },
   { id: 'apikeys', label: 'API Keys', icon: Key, section: 'system' },
   { id: 'workflow-mcp-servers', label: 'MCP Servers', icon: Server, section: 'system' },
   {
@@ -254,6 +256,9 @@ export function SettingsModal({ open, onOpenChange }: SettingsModalProps) {
       if (item.id === 'apikeys' && permissionConfig.hideApiKeysTab) {
         return false
       }
+      if (item.id === 'environment' && permissionConfig.hideEnvironmentTab) {
+        return false
+      }
       if (item.id === 'files' && permissionConfig.hideFilesTab) {
         return false
       }
@@ -319,9 +324,6 @@ export function SettingsModal({ open, onOpenChange }: SettingsModalProps) {
     if (!isBillingEnabled && (activeSection === 'subscription' || activeSection === 'team')) {
       return 'general'
     }
-    if (activeSection === 'environment' || activeSection === 'integrations') {
-      return 'credentials'
-    }
     return activeSection
   }, [activeSection])
 
@@ -340,7 +342,7 @@ export function SettingsModal({ open, onOpenChange }: SettingsModalProps) {
     (sectionId: SettingsSection) => {
       if (sectionId === effectiveActiveSection) return
 
-      if (effectiveActiveSection === 'credentials' && environmentBeforeLeaveHandler.current) {
+      if (effectiveActiveSection === 'environment' && environmentBeforeLeaveHandler.current) {
         environmentBeforeLeaveHandler.current(() => setActiveSection(sectionId))
         return
       }
@@ -368,11 +370,7 @@ export function SettingsModal({ open, onOpenChange }: SettingsModalProps) {
 
   useEffect(() => {
     const handleOpenSettings = (event: CustomEvent<{ tab: SettingsSection }>) => {
-      if (event.detail.tab === 'environment' || event.detail.tab === 'integrations') {
-        setActiveSection('credentials')
-      } else {
-        setActiveSection(event.detail.tab)
-      }
+      setActiveSection(event.detail.tab)
       onOpenChange(true)
     }
 
@@ -481,19 +479,13 @@ export function SettingsModal({ open, onOpenChange }: SettingsModalProps) {
   const handleDialogOpenChange = (newOpen: boolean) => {
     if (
       !newOpen &&
-      effectiveActiveSection === 'credentials' &&
+      effectiveActiveSection === 'environment' &&
       environmentBeforeLeaveHandler.current
     ) {
-      environmentBeforeLeaveHandler.current(() => {
-        if (integrationsCloseHandler.current) {
-          integrationsCloseHandler.current(newOpen)
-        } else {
-          onOpenChange(false)
-        }
-      })
+      environmentBeforeLeaveHandler.current(() => onOpenChange(false))
     } else if (
       !newOpen &&
-      effectiveActiveSection === 'credentials' &&
+      effectiveActiveSection === 'integrations' &&
       integrationsCloseHandler.current
     ) {
       integrationsCloseHandler.current(newOpen)
@@ -510,7 +502,7 @@ export function SettingsModal({ open, onOpenChange }: SettingsModalProps) {
         </VisuallyHidden.Root>
         <VisuallyHidden.Root>
           <DialogPrimitive.Description>
-            Configure your workspace settings, credentials, and preferences
+            Configure your workspace settings, environment variables, integrations, and preferences
           </DialogPrimitive.Description>
         </VisuallyHidden.Root>
 
@@ -547,14 +539,18 @@ export function SettingsModal({ open, onOpenChange }: SettingsModalProps) {
           </SModalMainHeader>
           <SModalMainBody>
             {effectiveActiveSection === 'general' && <General onOpenChange={onOpenChange} />}
-            {effectiveActiveSection === 'credentials' && (
-              <Credentials
-                onOpenChange={onOpenChange}
-                registerCloseHandler={registerIntegrationsCloseHandler}
+            {effectiveActiveSection === 'environment' && (
+              <EnvironmentVariables
                 registerBeforeLeaveHandler={registerEnvironmentBeforeLeaveHandler}
               />
             )}
             {effectiveActiveSection === 'template-profile' && <TemplateProfile />}
+            {effectiveActiveSection === 'integrations' && (
+              <Integrations
+                onOpenChange={onOpenChange}
+                registerCloseHandler={registerIntegrationsCloseHandler}
+              />
+            )}
             {effectiveActiveSection === 'credential-sets' && <CredentialSets />}
             {effectiveActiveSection === 'access-control' && <AccessControl />}
             {effectiveActiveSection === 'apikeys' && <ApiKeys onOpenChange={onOpenChange} />}

apps/sim/blocks/blocks/agent.ts

@@ -10,11 +10,9 @@ import {
   getReasoningEffortValuesForModel,
   getThinkingLevelsForModel,
   getVerbosityValuesForModel,
-  MODELS_WITH_DEEP_RESEARCH,
   MODELS_WITH_REASONING_EFFORT,
   MODELS_WITH_THINKING,
   MODELS_WITH_VERBOSITY,
-  MODELS_WITHOUT_MEMORY,
   providers,
   supportsTemperature,
 } from '@/providers/utils'
@@ -414,22 +412,12 @@ Return ONLY the JSON array.`,
       title: 'Tools',
       type: 'tool-input',
       defaultValue: [],
-      condition: {
-        field: 'model',
-        value: MODELS_WITH_DEEP_RESEARCH,
-        not: true,
-      },
     },
     {
       id: 'skills',
       title: 'Skills',
       type: 'skill-input',
       defaultValue: [],
-      condition: {
-        field: 'model',
-        value: MODELS_WITH_DEEP_RESEARCH,
-        not: true,
-      },
     },
     {
       id: 'memoryType',
@@ -443,11 +431,6 @@ Return ONLY the JSON array.`,
         { label: 'Sliding window (tokens)', id: 'sliding_window_tokens' },
       ],
       defaultValue: 'none',
-      condition: {
-        field: 'model',
-        value: MODELS_WITHOUT_MEMORY,
-        not: true,
-      },
     },
     {
       id: 'conversationId',
@@ -461,7 +444,6 @@ Return ONLY the JSON array.`,
       condition: {
         field: 'memoryType',
         value: ['conversation', 'sliding_window', 'sliding_window_tokens'],
-        and: { field: 'model', value: MODELS_WITHOUT_MEMORY, not: true },
       },
     },
     {
@@ -472,7 +454,6 @@ Return ONLY the JSON array.`,
       condition: {
         field: 'memoryType',
         value: ['sliding_window'],
-        and: { field: 'model', value: MODELS_WITHOUT_MEMORY, not: true },
       },
     },
     {
@@ -483,7 +464,6 @@ Return ONLY the JSON array.`,
       condition: {
         field: 'memoryType',
         value: ['sliding_window_tokens'],
-        and: { field: 'model', value: MODELS_WITHOUT_MEMORY, not: true },
       },
     },
     {
@@ -497,13 +477,9 @@ Return ONLY the JSON array.`,
       condition: () => ({
         field: 'model',
         value: (() => {
-          const deepResearch = new Set(MODELS_WITH_DEEP_RESEARCH.map((m) => m.toLowerCase()))
           const allModels = Object.keys(getBaseModelProviders())
           return allModels.filter(
-            (model) =>
-              supportsTemperature(model) &&
-              getMaxTemperature(model) === 1 &&
-              !deepResearch.has(model.toLowerCase())
+            (model) => supportsTemperature(model) && getMaxTemperature(model) === 1
           )
         })(),
       }),
@@ -519,13 +495,9 @@ Return ONLY the JSON array.`,
       condition: () => ({
         field: 'model',
         value: (() => {
-          const deepResearch = new Set(MODELS_WITH_DEEP_RESEARCH.map((m) => m.toLowerCase()))
           const allModels = Object.keys(getBaseModelProviders())
           return allModels.filter(
-            (model) =>
-              supportsTemperature(model) &&
-              getMaxTemperature(model) === 2 &&
-              !deepResearch.has(model.toLowerCase())
+            (model) => supportsTemperature(model) && getMaxTemperature(model) === 2
           )
         })(),
       }),
@@ -536,11 +508,6 @@ Return ONLY the JSON array.`,
       type: 'short-input',
       placeholder: 'Enter max tokens (e.g., 4096)...',
       mode: 'advanced',
-      condition: {
-        field: 'model',
-        value: MODELS_WITH_DEEP_RESEARCH,
-        not: true,
-      },
     },
     {
       id: 'responseFormat',
@@ -548,11 +515,6 @@ Return ONLY the JSON array.`,
       type: 'code',
       placeholder: 'Enter JSON schema...',
       language: 'json',
-      condition: {
-        field: 'model',
-        value: MODELS_WITH_DEEP_RESEARCH,
-        not: true,
-      },
       wandConfig: {
         enabled: true,
         maintainHistory: true,
@@ -645,16 +607,6 @@ Example 3 (Array Input):
         generationType: 'json-schema',
       },
     },
-    {
-      id: 'previousInteractionId',
-      title: 'Previous Interaction ID',
-      type: 'short-input',
-      placeholder: 'e.g., {{agent_1.interactionId}}',
-      condition: {
-        field: 'model',
-        value: MODELS_WITH_DEEP_RESEARCH,
-      },
-    },
   ],
   tools: {
     access: [
@@ -818,13 +770,5 @@ Example 3 (Array Input):
       description: 'Provider timing information',
     },
     cost: { type: 'json', description: 'Cost of the API call' },
-    interactionId: {
-      type: 'string',
-      description: 'Interaction ID for multi-turn deep research follow-ups',
-      condition: {
-        field: 'model',
-        value: MODELS_WITH_DEEP_RESEARCH,
-      },
-    },
   },
 }

apps/sim/content/blog/enterprise/index.mdx

@@ -2,8 +2,8 @@
 slug: enterprise
 title: 'Build with Sim for Enterprise'
 description: 'Access control, BYOK, self-hosted deployments, on-prem Copilot, SSO & SAML, whitelabeling, Admin API, and flexible data retention—enterprise features for teams with strict security and compliance requirements.'
-date: 2026-02-11
-updated: 2026-02-11
+date: 2026-01-23
+updated: 2026-01-23
 authors:
   - vik
 readingTime: 10
@@ -13,8 +13,8 @@ ogAlt: 'Sim Enterprise features overview'
 about: ['Enterprise Software', 'Security', 'Compliance', 'Self-Hosting']
 timeRequired: PT10M
 canonical: https://sim.ai/studio/enterprise
-featured: true
-draft: false
+featured: false
+draft: true
 ---
 
 We've been working with security teams at larger organizations to bring Sim into environments with strict compliance and data handling requirements. This post covers the enterprise capabilities we've built: granular access control, bring-your-own-keys, self-hosted deployments, on-prem Copilot, SSO & SAML, whitelabeling, compliance, and programmatic management via the Admin API.

apps/sim/executor/constants.ts

@@ -205,6 +205,10 @@ export const CREDENTIAL_SET = {
   PREFIX: 'credentialSet:',
 } as const
 
+export const CREDENTIAL = {
+  FOREIGN_LABEL: 'Saved by collaborator',
+} as const
+
 export function isCredentialSetValue(value: string | null | undefined): boolean {
   return typeof value === 'string' && value.startsWith(CREDENTIAL_SET.PREFIX)
 }

apps/sim/executor/handlers/agent/agent-handler.ts

@@ -999,7 +999,6 @@ export class AgentBlockHandler implements BlockHandler {
       reasoningEffort: inputs.reasoningEffort,
       verbosity: inputs.verbosity,
       thinkingLevel: inputs.thinkingLevel,
-      previousInteractionId: inputs.previousInteractionId,
     }
   }
 
@@ -1070,7 +1069,6 @@ export class AgentBlockHandler implements BlockHandler {
         reasoningEffort: providerRequest.reasoningEffort,
         verbosity: providerRequest.verbosity,
         thinkingLevel: providerRequest.thinkingLevel,
-        previousInteractionId: providerRequest.previousInteractionId,
       })
 
       return this.processProviderResponse(response, block, responseFormat)
@@ -1271,7 +1269,6 @@ export class AgentBlockHandler implements BlockHandler {
       content: result.content,
       model: result.model,
       ...this.createResponseMetadata(result),
-      ...(result.interactionId && { interactionId: result.interactionId }),
     }
   }
 

apps/sim/executor/handlers/agent/types.ts

@@ -20,8 +20,6 @@ export interface AgentInputs {
   conversationId?: string // Required for all non-none memory types
   slidingWindowSize?: string // For message-based sliding window
   slidingWindowTokens?: string // For token-based sliding window
-  // Deep research multi-turn
-  previousInteractionId?: string // Interactions API previous interaction reference
   // LLM parameters
   temperature?: string
   maxTokens?: string

apps/sim/hooks/queries/credentials.ts

@@ -1,268 +0,0 @@
-'use client'
-
-import { useMutation, useQuery, useQueryClient } from '@tanstack/react-query'
-import { environmentKeys } from '@/hooks/queries/environment'
-import { fetchJson } from '@/hooks/selectors/helpers'
-
-export type WorkspaceCredentialType = 'oauth' | 'env_workspace' | 'env_personal'
-export type WorkspaceCredentialRole = 'admin' | 'member'
-export type WorkspaceCredentialMemberStatus = 'active' | 'pending' | 'revoked'
-
-export interface WorkspaceCredential {
-  id: string
-  workspaceId: string
-  type: WorkspaceCredentialType
-  displayName: string
-  providerId: string | null
-  accountId: string | null
-  envKey: string | null
-  envOwnerUserId: string | null
-  createdBy: string
-  createdAt: string
-  updatedAt: string
-  role?: WorkspaceCredentialRole
-  status?: WorkspaceCredentialMemberStatus
-}
-
-export interface WorkspaceCredentialMember {
-  id: string
-  userId: string
-  role: WorkspaceCredentialRole
-  status: WorkspaceCredentialMemberStatus
-  joinedAt: string | null
-  invitedBy: string | null
-  createdAt: string
-  updatedAt: string
-  userName: string | null
-  userEmail: string | null
-  userImage: string | null
-}
-
-interface CredentialListResponse {
-  credentials?: WorkspaceCredential[]
-}
-
-interface CredentialResponse {
-  credential?: WorkspaceCredential | null
-}
-
-interface MembersResponse {
-  members?: WorkspaceCredentialMember[]
-}
-
-export const workspaceCredentialKeys = {
-  all: ['workspaceCredentials'] as const,
-  list: (workspaceId?: string, type?: string, providerId?: string) =>
-    ['workspaceCredentials', workspaceId ?? 'none', type ?? 'all', providerId ?? 'all'] as const,
-  detail: (credentialId?: string) =>
-    ['workspaceCredentials', 'detail', credentialId ?? 'none'] as const,
-  members: (credentialId?: string) =>
-    ['workspaceCredentials', 'detail', credentialId ?? 'none', 'members'] as const,
-}
-
-export function useWorkspaceCredentials(params: {
-  workspaceId?: string
-  type?: WorkspaceCredentialType
-  providerId?: string
-  enabled?: boolean
-}) {
-  const { workspaceId, type, providerId, enabled = true } = params
-
-  return useQuery<WorkspaceCredential[]>({
-    queryKey: workspaceCredentialKeys.list(workspaceId, type, providerId),
-    queryFn: async () => {
-      if (!workspaceId) return []
-      const data = await fetchJson<CredentialListResponse>('/api/credentials', {
-        searchParams: {
-          workspaceId,
-          type,
-          providerId,
-        },
-      })
-      return data.credentials ?? []
-    },
-    enabled: Boolean(workspaceId) && enabled,
-    staleTime: 60 * 1000,
-  })
-}
-
-export function useWorkspaceCredential(credentialId?: string, enabled = true) {
-  return useQuery<WorkspaceCredential | null>({
-    queryKey: workspaceCredentialKeys.detail(credentialId),
-    queryFn: async () => {
-      if (!credentialId) return null
-      const data = await fetchJson<CredentialResponse>(`/api/credentials/${credentialId}`)
-      return data.credential ?? null
-    },
-    enabled: Boolean(credentialId) && enabled,
-    staleTime: 60 * 1000,
-  })
-}
-
-export function useCreateWorkspaceCredential() {
-  const queryClient = useQueryClient()
-
-  return useMutation({
-    mutationFn: async (payload: {
-      workspaceId: string
-      type: WorkspaceCredentialType
-      displayName?: string
-      providerId?: string
-      accountId?: string
-      envKey?: string
-      envOwnerUserId?: string
-    }) => {
-      const response = await fetch('/api/credentials', {
-        method: 'POST',
-        headers: { 'Content-Type': 'application/json' },
-        body: JSON.stringify(payload),
-      })
-
-      if (!response.ok) {
-        const data = await response.json()
-        throw new Error(data.error || 'Failed to create credential')
-      }
-
-      return response.json()
-    },
-    onSuccess: (_data, variables) => {
-      queryClient.invalidateQueries({
-        queryKey: workspaceCredentialKeys.list(variables.workspaceId),
-      })
-      queryClient.invalidateQueries({
-        queryKey: workspaceCredentialKeys.all,
-      })
-    },
-  })
-}
-
-export function useUpdateWorkspaceCredential() {
-  const queryClient = useQueryClient()
-
-  return useMutation({
-    mutationFn: async (payload: {
-      credentialId: string
-      displayName?: string
-      accountId?: string
-    }) => {
-      const response = await fetch(`/api/credentials/${payload.credentialId}`, {
-        method: 'PUT',
-        headers: { 'Content-Type': 'application/json' },
-        body: JSON.stringify({
-          displayName: payload.displayName,
-          accountId: payload.accountId,
-        }),
-      })
-      if (!response.ok) {
-        const data = await response.json()
-        throw new Error(data.error || 'Failed to update credential')
-      }
-      return response.json()
-    },
-    onSuccess: (_data, variables) => {
-      queryClient.invalidateQueries({
-        queryKey: workspaceCredentialKeys.detail(variables.credentialId),
-      })
-      queryClient.invalidateQueries({
-        queryKey: workspaceCredentialKeys.all,
-      })
-    },
-  })
-}
-
-export function useDeleteWorkspaceCredential() {
-  const queryClient = useQueryClient()
-
-  return useMutation({
-    mutationFn: async (credentialId: string) => {
-      const response = await fetch(`/api/credentials/${credentialId}`, {
-        method: 'DELETE',
-      })
-      if (!response.ok) {
-        const data = await response.json()
-        throw new Error(data.error || 'Failed to delete credential')
-      }
-      return response.json()
-    },
-    onSuccess: (_data, credentialId) => {
-      queryClient.invalidateQueries({ queryKey: workspaceCredentialKeys.detail(credentialId) })
-      queryClient.invalidateQueries({ queryKey: workspaceCredentialKeys.all })
-      queryClient.invalidateQueries({ queryKey: environmentKeys.all })
-    },
-  })
-}
-
-export function useWorkspaceCredentialMembers(credentialId?: string) {
-  return useQuery<WorkspaceCredentialMember[]>({
-    queryKey: workspaceCredentialKeys.members(credentialId),
-    queryFn: async () => {
-      if (!credentialId) return []
-      const data = await fetchJson<MembersResponse>(`/api/credentials/${credentialId}/members`)
-      return data.members ?? []
-    },
-    enabled: Boolean(credentialId),
-    staleTime: 30 * 1000,
-  })
-}
-
-export function useUpsertWorkspaceCredentialMember() {
-  const queryClient = useQueryClient()
-
-  return useMutation({
-    mutationFn: async (payload: {
-      credentialId: string
-      userId: string
-      role: WorkspaceCredentialRole
-    }) => {
-      const response = await fetch(`/api/credentials/${payload.credentialId}/members`, {
-        method: 'POST',
-        headers: { 'Content-Type': 'application/json' },
-        body: JSON.stringify({
-          userId: payload.userId,
-          role: payload.role,
-        }),
-      })
-      if (!response.ok) {
-        const data = await response.json()
-        throw new Error(data.error || 'Failed to update credential member')
-      }
-      return response.json()
-    },
-    onSuccess: (_data, variables) => {
-      queryClient.invalidateQueries({
-        queryKey: workspaceCredentialKeys.members(variables.credentialId),
-      })
-      queryClient.invalidateQueries({
-        queryKey: workspaceCredentialKeys.detail(variables.credentialId),
-      })
-      queryClient.invalidateQueries({ queryKey: workspaceCredentialKeys.all })
-    },
-  })
-}
-
-export function useRemoveWorkspaceCredentialMember() {
-  const queryClient = useQueryClient()
-
-  return useMutation({
-    mutationFn: async (payload: { credentialId: string; userId: string }) => {
-      const response = await fetch(
-        `/api/credentials/${payload.credentialId}/members?userId=${encodeURIComponent(payload.userId)}`,
-        { method: 'DELETE' }
-      )
-      if (!response.ok) {
-        const data = await response.json()
-        throw new Error(data.error || 'Failed to remove credential member')
-      }
-      return response.json()
-    },
-    onSuccess: (_data, variables) => {
-      queryClient.invalidateQueries({
-        queryKey: workspaceCredentialKeys.members(variables.credentialId),
-      })
-      queryClient.invalidateQueries({
-        queryKey: workspaceCredentialKeys.detail(variables.credentialId),
-      })
-      queryClient.invalidateQueries({ queryKey: workspaceCredentialKeys.all })
-    },
-  })
-}

apps/sim/hooks/queries/oauth-connections.ts

@@ -169,9 +169,9 @@ export function useConnectOAuthService() {
 
 interface DisconnectServiceParams {
   provider: string
-  providerId?: string
+  providerId: string
   serviceId: string
-  accountId?: string
+  accountId: string
 }
 
 /**
@@ -182,7 +182,7 @@ export function useDisconnectOAuthService() {
   const queryClient = useQueryClient()
 
   return useMutation({
-    mutationFn: async ({ provider, providerId, accountId }: DisconnectServiceParams) => {
+    mutationFn: async ({ provider, providerId }: DisconnectServiceParams) => {
       const response = await fetch('/api/auth/oauth/disconnect', {
         method: 'POST',
         headers: {
@@ -191,7 +191,6 @@ export function useDisconnectOAuthService() {
         body: JSON.stringify({
           provider,
           providerId,
-          accountId,
         }),
       })
 
@@ -213,8 +212,7 @@ export function useDisconnectOAuthService() {
           oauthConnectionsKeys.connections(),
           previousServices.map((svc) => {
             if (svc.id === serviceId) {
-              const updatedAccounts =
-                accountId && svc.accounts ? svc.accounts.filter((acc) => acc.id !== accountId) : []
+              const updatedAccounts = svc.accounts?.filter((acc) => acc.id !== accountId) || []
               return {
                 ...svc,
                 accounts: updatedAccounts,

apps/sim/hooks/queries/oauth-credentials.ts

@@ -1,6 +1,6 @@
 import { useQuery } from '@tanstack/react-query'
 import type { Credential } from '@/lib/oauth'
-import { CREDENTIAL_SET } from '@/executor/constants'
+import { CREDENTIAL, CREDENTIAL_SET } from '@/executor/constants'
 import { useCredentialSetDetail } from '@/hooks/queries/credential-sets'
 import { fetchJson } from '@/hooks/selectors/helpers'
 
@@ -13,34 +13,15 @@ interface CredentialDetailResponse {
 }
 
 export const oauthCredentialKeys = {
-  list: (providerId?: string, workspaceId?: string, workflowId?: string) =>
-    [
-      'oauthCredentials',
-      providerId ?? 'none',
-      workspaceId ?? 'none',
-      workflowId ?? 'none',
-    ] as const,
+  list: (providerId?: string) => ['oauthCredentials', providerId ?? 'none'] as const,
   detail: (credentialId?: string, workflowId?: string) =>
     ['oauthCredentialDetail', credentialId ?? 'none', workflowId ?? 'none'] as const,
 }
 
-interface FetchOAuthCredentialsParams {
-  providerId: string
-  workspaceId?: string
-  workflowId?: string
-}
-
-export async function fetchOAuthCredentials(
-  params: FetchOAuthCredentialsParams
-): Promise<Credential[]> {
-  const { providerId, workspaceId, workflowId } = params
+export async function fetchOAuthCredentials(providerId: string): Promise<Credential[]> {
   if (!providerId) return []
   const data = await fetchJson<CredentialListResponse>('/api/auth/oauth/credentials', {
-    searchParams: {
-      provider: providerId,
-      workspaceId,
-      workflowId,
-    },
+    searchParams: { provider: providerId },
   })
   return data.credentials ?? []
 }
@@ -59,44 +40,10 @@ export async function fetchOAuthCredentialDetail(
   return data.credentials ?? []
 }
 
-interface UseOAuthCredentialsOptions {
-  enabled?: boolean
-  workspaceId?: string
-  workflowId?: string
-}
-
-function resolveOptions(
-  enabledOrOptions?: boolean | UseOAuthCredentialsOptions
-): Required<UseOAuthCredentialsOptions> {
-  if (typeof enabledOrOptions === 'boolean') {
-    return {
-      enabled: enabledOrOptions,
-      workspaceId: '',
-      workflowId: '',
-    }
-  }
-
-  return {
-    enabled: enabledOrOptions?.enabled ?? true,
-    workspaceId: enabledOrOptions?.workspaceId ?? '',
-    workflowId: enabledOrOptions?.workflowId ?? '',
-  }
-}
-
-export function useOAuthCredentials(
-  providerId?: string,
-  enabledOrOptions?: boolean | UseOAuthCredentialsOptions
-) {
-  const { enabled, workspaceId, workflowId } = resolveOptions(enabledOrOptions)
-
+export function useOAuthCredentials(providerId?: string, enabled = true) {
   return useQuery<Credential[]>({
-    queryKey: oauthCredentialKeys.list(providerId, workspaceId, workflowId),
-    queryFn: () =>
-      fetchOAuthCredentials({
-        providerId: providerId ?? '',
-        workspaceId: workspaceId || undefined,
-        workflowId: workflowId || undefined,
-      }),
+    queryKey: oauthCredentialKeys.list(providerId),
+    queryFn: () => fetchOAuthCredentials(providerId ?? ''),
     enabled: Boolean(providerId) && enabled,
     staleTime: 60 * 1000,
   })
@@ -115,12 +62,7 @@ export function useOAuthCredentialDetail(
   })
 }
 
-export function useCredentialName(
-  credentialId?: string,
-  providerId?: string,
-  workflowId?: string,
-  workspaceId?: string
-) {
+export function useCredentialName(credentialId?: string, providerId?: string, workflowId?: string) {
   // Check if this is a credential set value
   const isCredentialSet = credentialId?.startsWith(CREDENTIAL_SET.PREFIX) ?? false
   const credentialSetId = isCredentialSet
@@ -135,11 +77,7 @@ export function useCredentialName(
 
   const { data: credentials = [], isFetching: credentialsLoading } = useOAuthCredentials(
     providerId,
-    {
-      enabled: Boolean(providerId) && !isCredentialSet,
-      workspaceId,
-      workflowId,
-    }
+    Boolean(providerId) && !isCredentialSet
   )
 
   const selectedCredential = credentials.find((cred) => cred.id === credentialId)
@@ -154,18 +92,18 @@ export function useCredentialName(
     shouldFetchDetail
   )
 
-  const detailCredential = foreignCredentials[0]
   const hasForeignMeta = foreignCredentials.length > 0
+  const isForeignCredentialSet = isCredentialSet && !credentialSetData && !credentialSetLoading
 
   const displayName =
-    credentialSetData?.name ?? selectedCredential?.name ?? detailCredential?.name ?? null
+    credentialSetData?.name ??
+    selectedCredential?.name ??
+    (hasForeignMeta ? CREDENTIAL.FOREIGN_LABEL : null) ??
+    (isForeignCredentialSet ? CREDENTIAL.FOREIGN_LABEL : null)
 
   return {
     displayName,
-    isLoading:
-      credentialsLoading ||
-      foreignLoading ||
-      (isCredentialSet && credentialSetLoading && !credentialSetData),
+    isLoading: credentialsLoading || foreignLoading || (isCredentialSet && credentialSetLoading),
     hasForeignMeta,
   }
 }

apps/sim/lib/auth/auth.ts

@@ -14,7 +14,7 @@ import {
   oneTimeToken,
   organization,
 } from 'better-auth/plugins'
-import { and, eq, inArray, sql } from 'drizzle-orm'
+import { and, eq } from 'drizzle-orm'
 import { headers } from 'next/headers'
 import Stripe from 'stripe'
 import {
@@ -150,6 +150,16 @@ export const auth = betterAuth({
     account: {
       create: {
         before: async (account) => {
+          // Only one credential per (userId, providerId) is allowed
+          // If user reconnects (even with a different external account), delete the old one
+          // and let Better Auth create the new one (returning false breaks account linking flow)
+          const existing = await db.query.account.findFirst({
+            where: and(
+              eq(schema.account.userId, account.userId),
+              eq(schema.account.providerId, account.providerId)
+            ),
+          })
+
           const modifiedAccount = { ...account }
 
           if (account.providerId === 'salesforce' && account.accessToken) {
@@ -179,148 +189,32 @@ export const auth = betterAuth({
             }
           }
 
+          // Handle Microsoft refresh token expiry
           if (isMicrosoftProvider(account.providerId)) {
             modifiedAccount.refreshTokenExpiresAt = getMicrosoftRefreshTokenExpiry()
           }
 
+          if (existing) {
+            // Delete the existing account so Better Auth can create the new one
+            // This allows account linking/re-authorization to succeed
+            await db.delete(schema.account).where(eq(schema.account.id, existing.id))
+
+            // Preserve the existing account ID so references (like workspace notifications) continue to work
+            modifiedAccount.id = existing.id
+
+            logger.info('[account.create.before] Deleted existing account for re-authorization', {
+              userId: account.userId,
+              providerId: account.providerId,
+              existingAccountId: existing.id,
+              preservingId: true,
+            })
+
+            // Sync webhooks for credential sets after reconnecting (in after hook)
+          }
+
           return { data: modifiedAccount }
         },
         after: async (account) => {
-          /**
-           * Migrate credentials from stale account rows to the newly created one.
-           *
-           * Each getUserInfo appends a random UUID to the stable external ID so
-           * that Better Auth never blocks cross-user connections. This means
-           * re-connecting the same external identity creates a new row. We detect
-           * the stale siblings here by comparing the stable prefix (everything
-           * before the trailing UUID), migrate any credential FKs to the new row,
-           * then delete the stale rows.
-           */
-          try {
-            const UUID_SUFFIX_RE = /-[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$/
-            const stablePrefix = account.accountId.replace(UUID_SUFFIX_RE, '')
-
-            if (stablePrefix && stablePrefix !== account.accountId) {
-              const siblings = await db
-                .select({ id: schema.account.id, accountId: schema.account.accountId })
-                .from(schema.account)
-                .where(
-                  and(
-                    eq(schema.account.userId, account.userId),
-                    eq(schema.account.providerId, account.providerId),
-                    sql`${schema.account.id} != ${account.id}`
-                  )
-                )
-
-              const staleRows = siblings.filter(
-                (row) => row.accountId.replace(UUID_SUFFIX_RE, '') === stablePrefix
-              )
-
-              if (staleRows.length > 0) {
-                const staleIds = staleRows.map((row) => row.id)
-
-                await db
-                  .update(schema.credential)
-                  .set({ accountId: account.id })
-                  .where(inArray(schema.credential.accountId, staleIds))
-
-                await db.delete(schema.account).where(inArray(schema.account.id, staleIds))
-
-                logger.info('[account.create.after] Migrated credentials from stale accounts', {
-                  userId: account.userId,
-                  providerId: account.providerId,
-                  newAccountId: account.id,
-                  migratedFrom: staleIds,
-                })
-              }
-            }
-          } catch (error) {
-            logger.error('[account.create.after] Failed to clean up stale accounts', {
-              userId: account.userId,
-              providerId: account.providerId,
-              error,
-            })
-          }
-
-          /**
-           * If a pending credential draft exists for this (userId, providerId),
-           * create the credential now with the user's chosen display name.
-           * This is deterministic — the account row is guaranteed to exist.
-           */
-          try {
-            const [draft] = await db
-              .select()
-              .from(schema.pendingCredentialDraft)
-              .where(
-                and(
-                  eq(schema.pendingCredentialDraft.userId, account.userId),
-                  eq(schema.pendingCredentialDraft.providerId, account.providerId),
-                  sql`${schema.pendingCredentialDraft.expiresAt} > NOW()`
-                )
-              )
-              .limit(1)
-
-            if (draft) {
-              const credentialId = crypto.randomUUID()
-              const now = new Date()
-
-              try {
-                await db.insert(schema.credential).values({
-                  id: credentialId,
-                  workspaceId: draft.workspaceId,
-                  type: 'oauth',
-                  displayName: draft.displayName,
-                  providerId: account.providerId,
-                  accountId: account.id,
-                  createdBy: account.userId,
-                  createdAt: now,
-                  updatedAt: now,
-                })
-
-                await db.insert(schema.credentialMember).values({
-                  id: crypto.randomUUID(),
-                  credentialId,
-                  userId: account.userId,
-                  role: 'admin',
-                  status: 'active',
-                  joinedAt: now,
-                  invitedBy: account.userId,
-                  createdAt: now,
-                  updatedAt: now,
-                })
-
-                logger.info('[account.create.after] Created credential from draft', {
-                  credentialId,
-                  displayName: draft.displayName,
-                  providerId: account.providerId,
-                  accountId: account.id,
-                })
-              } catch (insertError: unknown) {
-                const code =
-                  insertError && typeof insertError === 'object' && 'code' in insertError
-                    ? (insertError as { code: string }).code
-                    : undefined
-                if (code !== '23505') {
-                  throw insertError
-                }
-                logger.info('[account.create.after] Credential already exists, skipping draft', {
-                  providerId: account.providerId,
-                  accountId: account.id,
-                })
-              }
-
-              await db
-                .delete(schema.pendingCredentialDraft)
-                .where(eq(schema.pendingCredentialDraft.id, draft.id))
-            }
-          } catch (error) {
-            logger.error('[account.create.after] Failed to create credential from draft', {
-              userId: account.userId,
-              providerId: account.providerId,
-              error,
-            })
-          }
-
           try {
             const { ensureUserStatsExists } = await import('@/lib/billing/core/usage')
             await ensureUserStatsExists(account.userId)
@@ -1593,7 +1487,7 @@ export const auth = betterAuth({
               })
 
               return {
-                id: `${(data.user_id || data.hub_id).toString()}-${crypto.randomUUID()}`,
+                id: `${data.user_id || data.hub_id.toString()}-${crypto.randomUUID()}`,
                 name: data.user || 'HubSpot User',
                 email: data.user || `hubspot-${data.hub_id}@hubspot.com`,
                 emailVerified: true,
@@ -1647,7 +1541,7 @@ export const auth = betterAuth({
               const data = await response.json()
 
               return {
-                id: `${(data.user_id || data.sub).toString()}-${crypto.randomUUID()}`,
+                id: `${data.user_id || data.sub}-${crypto.randomUUID()}`,
                 name: data.name || 'Salesforce User',
                 email: data.email || `salesforce-${data.user_id}@salesforce.com`,
                 emailVerified: data.email_verified || true,
@@ -1706,7 +1600,7 @@ export const auth = betterAuth({
               const now = new Date()
 
               return {
-                id: `${profile.data.id.toString()}-${crypto.randomUUID()}`,
+                id: `${profile.data.id}-${crypto.randomUUID()}`,
                 name: profile.data.name || 'X User',
                 email: `${profile.data.username}@x.com`,
                 image: profile.data.profile_image_url,
@@ -1786,7 +1680,7 @@ export const auth = betterAuth({
               const now = new Date()
 
               return {
-                id: `${profile.account_id.toString()}-${crypto.randomUUID()}`,
+                id: `${profile.account_id}-${crypto.randomUUID()}`,
                 name: profile.name || profile.display_name || 'Confluence User',
                 email: profile.email || `${profile.account_id}@atlassian.com`,
                 image: profile.picture || undefined,
@@ -1897,7 +1791,7 @@ export const auth = betterAuth({
               const now = new Date()
 
               return {
-                id: `${profile.account_id.toString()}-${crypto.randomUUID()}`,
+                id: `${profile.account_id}-${crypto.randomUUID()}`,
                 name: profile.name || profile.display_name || 'Jira User',
                 email: profile.email || `${profile.account_id}@atlassian.com`,
                 image: profile.picture || undefined,
@@ -1947,7 +1841,7 @@ export const auth = betterAuth({
               const now = new Date()
 
               return {
-                id: `${data.id.toString()}-${crypto.randomUUID()}`,
+                id: `${data.id}-${crypto.randomUUID()}`,
                 name: data.email ? data.email.split('@')[0] : 'Airtable User',
                 email: data.email || `${data.id}@airtable.user`,
                 emailVerified: !!data.email,
@@ -1996,7 +1890,7 @@ export const auth = betterAuth({
               const now = new Date()
 
               return {
-                id: `${(profile.bot?.owner?.user?.id || profile.id).toString()}-${crypto.randomUUID()}`,
+                id: `${profile.bot?.owner?.user?.id || profile.id}-${crypto.randomUUID()}`,
                 name: profile.name || profile.bot?.owner?.user?.name || 'Notion User',
                 email: profile.person?.email || `${profile.id}@notion.user`,
                 emailVerified: !!profile.person?.email,
@@ -2063,7 +1957,7 @@ export const auth = betterAuth({
               const now = new Date()
 
               return {
-                id: `${data.id.toString()}-${crypto.randomUUID()}`,
+                id: `${data.id}-${crypto.randomUUID()}`,
                 name: data.name || 'Reddit User',
                 email: `${data.name}@reddit.user`,
                 image: data.icon_img || undefined,
@@ -2135,7 +2029,7 @@ export const auth = betterAuth({
               const viewer = data.viewer
 
               return {
-                id: `${viewer.id.toString()}-${crypto.randomUUID()}`,
+                id: `${viewer.id}-${crypto.randomUUID()}`,
                 email: viewer.email,
                 name: viewer.name,
                 emailVerified: true,
@@ -2198,7 +2092,7 @@ export const auth = betterAuth({
               const data = await response.json()
 
               return {
-                id: `${data.account_id.toString()}-${crypto.randomUUID()}`,
+                id: `${data.account_id}-${crypto.randomUUID()}`,
                 email: data.email,
                 name: data.name?.display_name || data.email,
                 emailVerified: data.email_verified || false,
@@ -2249,7 +2143,7 @@ export const auth = betterAuth({
               const now = new Date()
 
               return {
-                id: `${profile.gid.toString()}-${crypto.randomUUID()}`,
+                id: `${profile.gid}-${crypto.randomUUID()}`,
                 name: profile.name || 'Asana User',
                 email: profile.email || `${profile.gid}@asana.user`,
                 image: profile.photo?.image_128x128 || undefined,
@@ -2484,7 +2378,7 @@ export const auth = betterAuth({
               const profile = await response.json()
 
               return {
-                id: `${profile.id.toString()}-${crypto.randomUUID()}`,
+                id: `${profile.id}-${crypto.randomUUID()}`,
                 name:
                   `${profile.first_name || ''} ${profile.last_name || ''}`.trim() || 'Zoom User',
                 email: profile.email || `${profile.id}@zoom.user`,
@@ -2551,7 +2445,7 @@ export const auth = betterAuth({
               const profile = await response.json()
 
               return {
-                id: `${profile.id.toString()}-${crypto.randomUUID()}`,
+                id: `${profile.id}-${crypto.randomUUID()}`,
                 name: profile.display_name || 'Spotify User',
                 email: profile.email || `${profile.id}@spotify.user`,
                 emailVerified: true,

apps/sim/lib/auth/credential-access.ts

@@ -1,6 +1,6 @@
 import { db } from '@sim/db'
-import { account, credential, credentialMember, workflow as workflowTable } from '@sim/db/schema'
-import { and, eq } from 'drizzle-orm'
+import { account, workflow as workflowTable } from '@sim/db/schema'
+import { eq } from 'drizzle-orm'
 import type { NextRequest } from 'next/server'
 import { checkSessionOrInternalAuth } from '@/lib/auth/hybrid'
 import { getUserEntityPermissions } from '@/lib/workspaces/permissions/utils'
@@ -12,14 +12,17 @@ export interface CredentialAccessResult {
   requesterUserId?: string
   credentialOwnerUserId?: string
   workspaceId?: string
-  resolvedCredentialId?: string
 }
 
 /**
- * Centralizes auth + credential membership checks for OAuth usage.
- * - Workspace-scoped credential IDs enforce active credential_member access.
- * - Legacy account IDs are resolved to workspace-scoped credentials when workflowId is provided.
- * - Direct legacy account-ID access without workflowId is restricted to account owners only.
+ * Centralizes auth + collaboration rules for credential use.
+ * - Uses checkSessionOrInternalAuth to authenticate the caller
+ * - Fetches credential owner
+ * - Authorization rules:
+ *   - session: allow if requester owns the credential; otherwise require workflowId and
+ *     verify BOTH requester and owner have access to the workflow's workspace
+ *   - internal_jwt: require workflowId (by default) and verify credential owner has access to the
+ *     workflow's workspace (requester identity is the system/workflow)
  */
 export async function authorizeCredentialUse(
   request: NextRequest,
@@ -34,173 +37,71 @@ export async function authorizeCredentialUse(
     return { ok: false, error: auth.error || 'Authentication required' }
   }
 
-  const [workflowContext] = workflowId
-    ? await db
-        .select({ workspaceId: workflowTable.workspaceId })
-        .from(workflowTable)
-        .where(eq(workflowTable.id, workflowId))
-        .limit(1)
-    : [null]
-
-  if (workflowId && (!workflowContext || !workflowContext.workspaceId)) {
-    return { ok: false, error: 'Workflow not found' }
-  }
-
-  const [platformCredential] = await db
-    .select({
-      id: credential.id,
-      workspaceId: credential.workspaceId,
-      type: credential.type,
-      accountId: credential.accountId,
-    })
-    .from(credential)
-    .where(eq(credential.id, credentialId))
-    .limit(1)
-
-  if (platformCredential) {
-    if (platformCredential.type !== 'oauth' || !platformCredential.accountId) {
-      return { ok: false, error: 'Unsupported credential type for OAuth access' }
-    }
-
-    if (workflowContext && workflowContext.workspaceId !== platformCredential.workspaceId) {
-      return { ok: false, error: 'Credential is not accessible from this workflow workspace' }
-    }
-
-    const [accountRow] = await db
-      .select({ userId: account.userId })
-      .from(account)
-      .where(eq(account.id, platformCredential.accountId))
-      .limit(1)
-
-    if (!accountRow) {
-      return { ok: false, error: 'Credential account not found' }
-    }
-
-    const requesterPerm =
-      auth.authType === 'internal_jwt'
-        ? null
-        : await getUserEntityPermissions(auth.userId, 'workspace', platformCredential.workspaceId)
-
-    if (auth.authType !== 'internal_jwt') {
-      const [membership] = await db
-        .select({ id: credentialMember.id })
-        .from(credentialMember)
-        .where(
-          and(
-            eq(credentialMember.credentialId, platformCredential.id),
-            eq(credentialMember.userId, auth.userId),
-            eq(credentialMember.status, 'active')
-          )
-        )
-        .limit(1)
-
-      if (!membership || requesterPerm === null) {
-        return { ok: false, error: 'Unauthorized' }
-      }
-    }
-
-    const ownerPerm = await getUserEntityPermissions(
-      accountRow.userId,
-      'workspace',
-      platformCredential.workspaceId
-    )
-    if (ownerPerm === null) {
-      return { ok: false, error: 'Unauthorized' }
-    }
-
-    return {
-      ok: true,
-      authType: auth.authType as CredentialAccessResult['authType'],
-      requesterUserId: auth.userId,
-      credentialOwnerUserId: accountRow.userId,
-      workspaceId: platformCredential.workspaceId,
-      resolvedCredentialId: platformCredential.accountId,
-    }
-  }
-
-  if (workflowContext?.workspaceId) {
-    const [workspaceCredential] = await db
-      .select({
-        id: credential.id,
-        workspaceId: credential.workspaceId,
-        accountId: credential.accountId,
-      })
-      .from(credential)
-      .where(
-        and(
-          eq(credential.type, 'oauth'),
-          eq(credential.workspaceId, workflowContext.workspaceId),
-          eq(credential.accountId, credentialId)
-        )
-      )
-      .limit(1)
-
-    if (!workspaceCredential?.accountId) {
-      return { ok: false, error: 'Credential not found' }
-    }
-
-    const [accountRow] = await db
-      .select({ userId: account.userId })
-      .from(account)
-      .where(eq(account.id, workspaceCredential.accountId))
-      .limit(1)
-
-    if (!accountRow) {
-      return { ok: false, error: 'Credential account not found' }
-    }
-
-    if (auth.authType !== 'internal_jwt') {
-      const [membership] = await db
-        .select({ id: credentialMember.id })
-        .from(credentialMember)
-        .where(
-          and(
-            eq(credentialMember.credentialId, workspaceCredential.id),
-            eq(credentialMember.userId, auth.userId),
-            eq(credentialMember.status, 'active')
-          )
-        )
-        .limit(1)
-
-      if (!membership) {
-        return { ok: false, error: 'Unauthorized' }
-      }
-    }
-
-    const ownerPerm = await getUserEntityPermissions(
-      accountRow.userId,
-      'workspace',
-      workflowContext.workspaceId
-    )
-    if (ownerPerm === null) {
-      return { ok: false, error: 'Unauthorized' }
-    }
-
-    return {
-      ok: true,
-      authType: auth.authType as CredentialAccessResult['authType'],
-      requesterUserId: auth.userId,
-      credentialOwnerUserId: accountRow.userId,
-      workspaceId: workflowContext.workspaceId,
-      resolvedCredentialId: workspaceCredential.accountId,
-    }
-  }
-
-  const [legacyAccount] = await db
+  // Lookup credential owner
+  const [credRow] = await db
     .select({ userId: account.userId })
     .from(account)
     .where(eq(account.id, credentialId))
     .limit(1)
 
-  if (!legacyAccount) {
+  if (!credRow) {
     return { ok: false, error: 'Credential not found' }
   }
 
-  if (auth.authType === 'internal_jwt') {
+  const credentialOwnerUserId = credRow.userId
+
+  // If requester owns the credential, allow immediately
+  if (auth.authType !== 'internal_jwt' && auth.userId === credentialOwnerUserId) {
+    return {
+      ok: true,
+      authType: auth.authType as CredentialAccessResult['authType'],
+      requesterUserId: auth.userId,
+      credentialOwnerUserId,
+    }
+  }
+
+  // For collaboration paths, workflowId is required to scope to a workspace
+  if (!workflowId) {
     return { ok: false, error: 'workflowId is required' }
   }
 
-  if (auth.userId !== legacyAccount.userId) {
+  const [wf] = await db
+    .select({ workspaceId: workflowTable.workspaceId })
+    .from(workflowTable)
+    .where(eq(workflowTable.id, workflowId))
+    .limit(1)
+
+  if (!wf || !wf.workspaceId) {
+    return { ok: false, error: 'Workflow not found' }
+  }
+
+  if (auth.authType === 'internal_jwt') {
+    // Internal calls: verify credential owner belongs to the workflow's workspace
+    const ownerPerm = await getUserEntityPermissions(
+      credentialOwnerUserId,
+      'workspace',
+      wf.workspaceId
+    )
+    if (ownerPerm === null) {
+      return { ok: false, error: 'Unauthorized' }
+    }
+    return {
+      ok: true,
+      authType: auth.authType as CredentialAccessResult['authType'],
+      requesterUserId: auth.userId,
+      credentialOwnerUserId,
+      workspaceId: wf.workspaceId,
+    }
+  }
+
+  // Session: verify BOTH requester and owner belong to the workflow's workspace
+  const requesterPerm = await getUserEntityPermissions(auth.userId, 'workspace', wf.workspaceId)
+  const ownerPerm = await getUserEntityPermissions(
+    credentialOwnerUserId,
+    'workspace',
+    wf.workspaceId
+  )
+  if (requesterPerm === null || ownerPerm === null) {
     return { ok: false, error: 'Unauthorized' }
   }
 
@@ -208,7 +109,7 @@ export async function authorizeCredentialUse(
     ok: true,
     authType: auth.authType as CredentialAccessResult['authType'],
     requesterUserId: auth.userId,
-    credentialOwnerUserId: legacyAccount.userId,
-    resolvedCredentialId: credentialId,
+    credentialOwnerUserId,
+    workspaceId: wf.workspaceId,
   }
 }

apps/sim/lib/credentials/access.ts

@@ -1,62 +0,0 @@
-import { db } from '@sim/db'
-import { credential, credentialMember } from '@sim/db/schema'
-import { and, eq } from 'drizzle-orm'
-import { checkWorkspaceAccess } from '@/lib/workspaces/permissions/utils'
-
-type ActiveCredentialMember = typeof credentialMember.$inferSelect
-type CredentialRecord = typeof credential.$inferSelect
-
-export interface CredentialActorContext {
-  credential: CredentialRecord | null
-  member: ActiveCredentialMember | null
-  hasWorkspaceAccess: boolean
-  canWriteWorkspace: boolean
-  isAdmin: boolean
-}
-
-/**
- * Resolves user access context for a credential.
- */
-export async function getCredentialActorContext(
-  credentialId: string,
-  userId: string
-): Promise<CredentialActorContext> {
-  const [credentialRow] = await db
-    .select()
-    .from(credential)
-    .where(eq(credential.id, credentialId))
-    .limit(1)
-
-  if (!credentialRow) {
-    return {
-      credential: null,
-      member: null,
-      hasWorkspaceAccess: false,
-      canWriteWorkspace: false,
-      isAdmin: false,
-    }
-  }
-
-  const workspaceAccess = await checkWorkspaceAccess(credentialRow.workspaceId, userId)
-  const [memberRow] = await db
-    .select()
-    .from(credentialMember)
-    .where(
-      and(
-        eq(credentialMember.credentialId, credentialId),
-        eq(credentialMember.userId, userId),
-        eq(credentialMember.status, 'active')
-      )
-    )
-    .limit(1)
-
-  const isAdmin = memberRow?.role === 'admin'
-
-  return {
-    credential: credentialRow,
-    member: memberRow ?? null,
-    hasWorkspaceAccess: workspaceAccess.hasAccess,
-    canWriteWorkspace: workspaceAccess.canWrite,
-    isAdmin,
-  }
-}

apps/sim/lib/credentials/client-state.ts

@@ -1,77 +0,0 @@
-'use client'
-
-export const PENDING_OAUTH_CREDENTIAL_DRAFT_KEY = 'sim.pending-oauth-credential-draft'
-export const PENDING_CREDENTIAL_CREATE_REQUEST_KEY = 'sim.pending-credential-create-request'
-
-export interface PendingOAuthCredentialDraft {
-  workspaceId: string
-  providerId: string
-  displayName: string
-  existingCredentialIds: string[]
-  existingAccountIds: string[]
-  requestedAt: number
-}
-
-interface PendingOAuthCredentialCreateRequest {
-  workspaceId: string
-  type: 'oauth'
-  providerId: string
-  displayName: string
-  serviceId: string
-  requiredScopes: string[]
-  requestedAt: number
-}
-
-interface PendingSecretCredentialCreateRequest {
-  workspaceId: string
-  type: 'env_personal' | 'env_workspace'
-  envKey?: string
-  requestedAt: number
-}
-
-export type PendingCredentialCreateRequest =
-  | PendingOAuthCredentialCreateRequest
-  | PendingSecretCredentialCreateRequest
-
-function parseJson<T>(raw: string | null): T | null {
-  if (!raw) return null
-  try {
-    return JSON.parse(raw) as T
-  } catch {
-    return null
-  }
-}
-
-export function readPendingOAuthCredentialDraft(): PendingOAuthCredentialDraft | null {
-  if (typeof window === 'undefined') return null
-  return parseJson<PendingOAuthCredentialDraft>(
-    window.sessionStorage.getItem(PENDING_OAUTH_CREDENTIAL_DRAFT_KEY)
-  )
-}
-
-export function writePendingOAuthCredentialDraft(payload: PendingOAuthCredentialDraft) {
-  if (typeof window === 'undefined') return
-  window.sessionStorage.setItem(PENDING_OAUTH_CREDENTIAL_DRAFT_KEY, JSON.stringify(payload))
-}
-
-export function clearPendingOAuthCredentialDraft() {
-  if (typeof window === 'undefined') return
-  window.sessionStorage.removeItem(PENDING_OAUTH_CREDENTIAL_DRAFT_KEY)
-}
-
-export function readPendingCredentialCreateRequest(): PendingCredentialCreateRequest | null {
-  if (typeof window === 'undefined') return null
-  return parseJson<PendingCredentialCreateRequest>(
-    window.sessionStorage.getItem(PENDING_CREDENTIAL_CREATE_REQUEST_KEY)
-  )
-}
-
-export function writePendingCredentialCreateRequest(payload: PendingCredentialCreateRequest) {
-  if (typeof window === 'undefined') return
-  window.sessionStorage.setItem(PENDING_CREDENTIAL_CREATE_REQUEST_KEY, JSON.stringify(payload))
-}
-
-export function clearPendingCredentialCreateRequest() {
-  if (typeof window === 'undefined') return
-  window.sessionStorage.removeItem(PENDING_CREDENTIAL_CREATE_REQUEST_KEY)
-}

apps/sim/lib/credentials/environment.ts

@@ -1,356 +0,0 @@
-import { db } from '@sim/db'
-import { credential, credentialMember, permissions, workspace } from '@sim/db/schema'
-import { and, eq, inArray, notInArray } from 'drizzle-orm'
-
-interface AccessibleEnvCredential {
-  type: 'env_workspace' | 'env_personal'
-  envKey: string
-  envOwnerUserId: string | null
-  updatedAt: Date
-}
-
-function getPostgresErrorCode(error: unknown): string | undefined {
-  if (!error || typeof error !== 'object') return undefined
-  const err = error as { code?: string; cause?: { code?: string } }
-  return err.code || err.cause?.code
-}
-
-export async function getWorkspaceMemberUserIds(workspaceId: string): Promise<string[]> {
-  const [workspaceRows, permissionRows] = await Promise.all([
-    db
-      .select({ ownerId: workspace.ownerId })
-      .from(workspace)
-      .where(eq(workspace.id, workspaceId))
-      .limit(1),
-    db
-      .select({ userId: permissions.userId })
-      .from(permissions)
-      .where(and(eq(permissions.entityType, 'workspace'), eq(permissions.entityId, workspaceId))),
-  ])
-  const workspaceRow = workspaceRows[0]
-
-  const memberIds = new Set<string>(permissionRows.map((row) => row.userId))
-  if (workspaceRow?.ownerId) {
-    memberIds.add(workspaceRow.ownerId)
-  }
-  return Array.from(memberIds)
-}
-
-export async function getUserWorkspaceIds(userId: string): Promise<string[]> {
-  const [permissionRows, ownedWorkspaceRows] = await Promise.all([
-    db
-      .select({ workspaceId: workspace.id })
-      .from(permissions)
-      .innerJoin(
-        workspace,
-        and(eq(permissions.entityType, 'workspace'), eq(permissions.entityId, workspace.id))
-      )
-      .where(eq(permissions.userId, userId)),
-    db.select({ workspaceId: workspace.id }).from(workspace).where(eq(workspace.ownerId, userId)),
-  ])
-
-  const workspaceIds = new Set<string>(permissionRows.map((row) => row.workspaceId))
-  for (const row of ownedWorkspaceRows) {
-    workspaceIds.add(row.workspaceId)
-  }
-
-  return Array.from(workspaceIds)
-}
-
-async function upsertCredentialAdminMember(credentialId: string, adminUserId: string) {
-  const now = new Date()
-  const [existingMembership] = await db
-    .select({ id: credentialMember.id, joinedAt: credentialMember.joinedAt })
-    .from(credentialMember)
-    .where(
-      and(eq(credentialMember.credentialId, credentialId), eq(credentialMember.userId, adminUserId))
-    )
-    .limit(1)
-
-  if (existingMembership) {
-    await db
-      .update(credentialMember)
-      .set({
-        role: 'admin',
-        status: 'active',
-        joinedAt: existingMembership.joinedAt ?? now,
-        invitedBy: adminUserId,
-        updatedAt: now,
-      })
-      .where(eq(credentialMember.id, existingMembership.id))
-    return
-  }
-
-  await db.insert(credentialMember).values({
-    id: crypto.randomUUID(),
-    credentialId,
-    userId: adminUserId,
-    role: 'admin',
-    status: 'active',
-    joinedAt: now,
-    invitedBy: adminUserId,
-    createdAt: now,
-    updatedAt: now,
-  })
-}
-
-async function ensureWorkspaceCredentialMemberships(
-  credentialId: string,
-  workspaceId: string,
-  ownerUserId: string
-) {
-  const workspaceMemberUserIds = await getWorkspaceMemberUserIds(workspaceId)
-  if (!workspaceMemberUserIds.length) return
-
-  const existingMemberships = await db
-    .select({
-      id: credentialMember.id,
-      userId: credentialMember.userId,
-      joinedAt: credentialMember.joinedAt,
-    })
-    .from(credentialMember)
-    .where(
-      and(
-        eq(credentialMember.credentialId, credentialId),
-        inArray(credentialMember.userId, workspaceMemberUserIds)
-      )
-    )
-
-  const byUserId = new Map(existingMemberships.map((row) => [row.userId, row]))
-  const now = new Date()
-
-  for (const memberUserId of workspaceMemberUserIds) {
-    const targetRole = memberUserId === ownerUserId ? 'admin' : 'member'
-    const existing = byUserId.get(memberUserId)
-    if (existing) {
-      await db
-        .update(credentialMember)
-        .set({
-          role: targetRole,
-          status: 'active',
-          joinedAt: existing.joinedAt ?? now,
-          invitedBy: ownerUserId,
-          updatedAt: now,
-        })
-        .where(eq(credentialMember.id, existing.id))
-      continue
-    }
-
-    await db.insert(credentialMember).values({
-      id: crypto.randomUUID(),
-      credentialId,
-      userId: memberUserId,
-      role: targetRole,
-      status: 'active',
-      joinedAt: now,
-      invitedBy: ownerUserId,
-      createdAt: now,
-      updatedAt: now,
-    })
-  }
-}
-
-export async function syncWorkspaceEnvCredentials(params: {
-  workspaceId: string
-  envKeys: string[]
-  actingUserId: string
-}) {
-  const { workspaceId, envKeys, actingUserId } = params
-  const [workspaceRow] = await db
-    .select({ ownerId: workspace.ownerId })
-    .from(workspace)
-    .where(eq(workspace.id, workspaceId))
-    .limit(1)
-
-  if (!workspaceRow) return
-
-  const normalizedKeys = Array.from(new Set(envKeys.filter(Boolean)))
-  const existingCredentials = await db
-    .select({
-      id: credential.id,
-      envKey: credential.envKey,
-    })
-    .from(credential)
-    .where(and(eq(credential.workspaceId, workspaceId), eq(credential.type, 'env_workspace')))
-
-  const existingByKey = new Map(
-    existingCredentials
-      .filter((row): row is { id: string; envKey: string } => Boolean(row.envKey))
-      .map((row) => [row.envKey, row.id])
-  )
-
-  const credentialIdsToEnsureMembership = new Set<string>()
-  const now = new Date()
-
-  for (const envKey of normalizedKeys) {
-    const existingId = existingByKey.get(envKey)
-    if (existingId) {
-      credentialIdsToEnsureMembership.add(existingId)
-      continue
-    }
-
-    const createdId = crypto.randomUUID()
-    try {
-      await db.insert(credential).values({
-        id: createdId,
-        workspaceId,
-        type: 'env_workspace',
-        displayName: envKey,
-        envKey,
-        createdBy: actingUserId,
-        createdAt: now,
-        updatedAt: now,
-      })
-      credentialIdsToEnsureMembership.add(createdId)
-    } catch (error: unknown) {
-      const code = getPostgresErrorCode(error)
-      if (code !== '23505') throw error
-    }
-  }
-
-  for (const credentialId of credentialIdsToEnsureMembership) {
-    await ensureWorkspaceCredentialMemberships(credentialId, workspaceId, workspaceRow.ownerId)
-  }
-
-  if (normalizedKeys.length > 0) {
-    await db
-      .delete(credential)
-      .where(
-        and(
-          eq(credential.workspaceId, workspaceId),
-          eq(credential.type, 'env_workspace'),
-          notInArray(credential.envKey, normalizedKeys)
-        )
-      )
-    return
-  }
-
-  await db
-    .delete(credential)
-    .where(and(eq(credential.workspaceId, workspaceId), eq(credential.type, 'env_workspace')))
-}
-
-export async function syncPersonalEnvCredentialsForUser(params: {
-  userId: string
-  envKeys: string[]
-}) {
-  const { userId, envKeys } = params
-  const workspaceIds = await getUserWorkspaceIds(userId)
-  if (!workspaceIds.length) return
-
-  const normalizedKeys = Array.from(new Set(envKeys.filter(Boolean)))
-  const now = new Date()
-
-  for (const workspaceId of workspaceIds) {
-    const existingCredentials = await db
-      .select({
-        id: credential.id,
-        envKey: credential.envKey,
-      })
-      .from(credential)
-      .where(
-        and(
-          eq(credential.workspaceId, workspaceId),
-          eq(credential.type, 'env_personal'),
-          eq(credential.envOwnerUserId, userId)
-        )
-      )
-
-    const existingByKey = new Map(
-      existingCredentials
-        .filter((row): row is { id: string; envKey: string } => Boolean(row.envKey))
-        .map((row) => [row.envKey, row.id])
-    )
-
-    for (const envKey of normalizedKeys) {
-      const existingId = existingByKey.get(envKey)
-      if (existingId) {
-        await upsertCredentialAdminMember(existingId, userId)
-        continue
-      }
-
-      const createdId = crypto.randomUUID()
-      try {
-        await db.insert(credential).values({
-          id: createdId,
-          workspaceId,
-          type: 'env_personal',
-          displayName: envKey,
-          envKey,
-          envOwnerUserId: userId,
-          createdBy: userId,
-          createdAt: now,
-          updatedAt: now,
-        })
-        await upsertCredentialAdminMember(createdId, userId)
-      } catch (error: unknown) {
-        const code = getPostgresErrorCode(error)
-        if (code !== '23505') throw error
-      }
-    }
-
-    if (normalizedKeys.length > 0) {
-      await db
-        .delete(credential)
-        .where(
-          and(
-            eq(credential.workspaceId, workspaceId),
-            eq(credential.type, 'env_personal'),
-            eq(credential.envOwnerUserId, userId),
-            notInArray(credential.envKey, normalizedKeys)
-          )
-        )
-      continue
-    }
-
-    await db
-      .delete(credential)
-      .where(
-        and(
-          eq(credential.workspaceId, workspaceId),
-          eq(credential.type, 'env_personal'),
-          eq(credential.envOwnerUserId, userId)
-        )
-      )
-  }
-}
-
-export async function getAccessibleEnvCredentials(
-  workspaceId: string,
-  userId: string
-): Promise<AccessibleEnvCredential[]> {
-  const rows = await db
-    .select({
-      type: credential.type,
-      envKey: credential.envKey,
-      envOwnerUserId: credential.envOwnerUserId,
-      updatedAt: credential.updatedAt,
-    })
-    .from(credential)
-    .innerJoin(
-      credentialMember,
-      and(
-        eq(credentialMember.credentialId, credential.id),
-        eq(credentialMember.userId, userId),
-        eq(credentialMember.status, 'active')
-      )
-    )
-    .where(
-      and(
-        eq(credential.workspaceId, workspaceId),
-        inArray(credential.type, ['env_workspace', 'env_personal'])
-      )
-    )
-
-  return rows
-    .filter(
-      (row): row is AccessibleEnvCredential =>
-        (row.type === 'env_workspace' || row.type === 'env_personal') && Boolean(row.envKey)
-    )
-    .map((row) => ({
-      type: row.type,
-      envKey: row.envKey!,
-      envOwnerUserId: row.envOwnerUserId,
-      updatedAt: row.updatedAt,
-    }))
-}

apps/sim/lib/credentials/oauth.ts

@@ -1,195 +0,0 @@
-import { db } from '@sim/db'
-import { account, credential, credentialMember } from '@sim/db/schema'
-import { and, eq, inArray } from 'drizzle-orm'
-import { getServiceConfigByProviderId } from '@/lib/oauth'
-
-interface SyncWorkspaceOAuthCredentialsForUserParams {
-  workspaceId: string
-  userId: string
-}
-
-interface SyncWorkspaceOAuthCredentialsForUserResult {
-  createdCredentials: number
-  updatedMemberships: number
-}
-
-function getPostgresErrorCode(error: unknown): string | undefined {
-  if (!error || typeof error !== 'object') return undefined
-  const err = error as { code?: string; cause?: { code?: string } }
-  return err.code || err.cause?.code
-}
-
-/**
- * Ensures connected OAuth accounts for a user exist as workspace-scoped credentials.
- */
-export async function syncWorkspaceOAuthCredentialsForUser(
-  params: SyncWorkspaceOAuthCredentialsForUserParams
-): Promise<SyncWorkspaceOAuthCredentialsForUserResult> {
-  const { workspaceId, userId } = params
-
-  const userAccounts = await db
-    .select({
-      id: account.id,
-      providerId: account.providerId,
-      accountId: account.accountId,
-    })
-    .from(account)
-    .where(eq(account.userId, userId))
-
-  if (userAccounts.length === 0) {
-    return { createdCredentials: 0, updatedMemberships: 0 }
-  }
-
-  const accountIds = userAccounts.map((row) => row.id)
-  const existingCredentials = await db
-    .select({
-      id: credential.id,
-      displayName: credential.displayName,
-      providerId: credential.providerId,
-      accountId: credential.accountId,
-    })
-    .from(credential)
-    .where(
-      and(
-        eq(credential.workspaceId, workspaceId),
-        eq(credential.type, 'oauth'),
-        inArray(credential.accountId, accountIds)
-      )
-    )
-
-  const now = new Date()
-  const userAccountById = new Map(userAccounts.map((row) => [row.id, row]))
-  for (const existingCredential of existingCredentials) {
-    if (!existingCredential.accountId) continue
-    const linkedAccount = userAccountById.get(existingCredential.accountId)
-    if (!linkedAccount) continue
-
-    const normalizedLabel =
-      getServiceConfigByProviderId(linkedAccount.providerId)?.name || linkedAccount.providerId
-    const shouldNormalizeDisplayName =
-      existingCredential.displayName === linkedAccount.accountId ||
-      existingCredential.displayName === linkedAccount.providerId
-
-    if (!shouldNormalizeDisplayName || existingCredential.displayName === normalizedLabel) {
-      continue
-    }
-
-    await db
-      .update(credential)
-      .set({
-        displayName: normalizedLabel,
-        updatedAt: now,
-      })
-      .where(eq(credential.id, existingCredential.id))
-  }
-
-  const existingByAccountId = new Map(
-    existingCredentials
-      .filter((row) => Boolean(row.accountId))
-      .map((row) => [row.accountId!, row.id])
-  )
-
-  let createdCredentials = 0
-
-  for (const acc of userAccounts) {
-    if (existingByAccountId.has(acc.id)) {
-      continue
-    }
-
-    try {
-      await db.insert(credential).values({
-        id: crypto.randomUUID(),
-        workspaceId,
-        type: 'oauth',
-        displayName: getServiceConfigByProviderId(acc.providerId)?.name || acc.providerId,
-        providerId: acc.providerId,
-        accountId: acc.id,
-        createdBy: userId,
-        createdAt: now,
-        updatedAt: now,
-      })
-      createdCredentials += 1
-    } catch (error) {
-      if (getPostgresErrorCode(error) !== '23505') {
-        throw error
-      }
-    }
-  }
-
-  const credentialRows = await db
-    .select({ id: credential.id, accountId: credential.accountId })
-    .from(credential)
-    .where(
-      and(
-        eq(credential.workspaceId, workspaceId),
-        eq(credential.type, 'oauth'),
-        inArray(credential.accountId, accountIds)
-      )
-    )
-
-  const credentialIdByAccountId = new Map(
-    credentialRows.filter((row) => Boolean(row.accountId)).map((row) => [row.accountId!, row.id])
-  )
-  const allCredentialIds = Array.from(credentialIdByAccountId.values())
-  if (allCredentialIds.length === 0) {
-    return { createdCredentials, updatedMemberships: 0 }
-  }
-
-  const existingMemberships = await db
-    .select({
-      id: credentialMember.id,
-      credentialId: credentialMember.credentialId,
-      joinedAt: credentialMember.joinedAt,
-    })
-    .from(credentialMember)
-    .where(
-      and(
-        inArray(credentialMember.credentialId, allCredentialIds),
-        eq(credentialMember.userId, userId)
-      )
-    )
-
-  const membershipByCredentialId = new Map(
-    existingMemberships.map((row) => [row.credentialId, row])
-  )
-  let updatedMemberships = 0
-
-  for (const credentialId of allCredentialIds) {
-    const existingMembership = membershipByCredentialId.get(credentialId)
-    if (existingMembership) {
-      await db
-        .update(credentialMember)
-        .set({
-          role: 'admin',
-          status: 'active',
-          joinedAt: existingMembership.joinedAt ?? now,
-          invitedBy: userId,
-          updatedAt: now,
-        })
-        .where(eq(credentialMember.id, existingMembership.id))
-      updatedMemberships += 1
-      continue
-    }
-
-    try {
-      await db.insert(credentialMember).values({
-        id: crypto.randomUUID(),
-        credentialId,
-        userId,
-        role: 'admin',
-        status: 'active',
-        joinedAt: now,
-        invitedBy: userId,
-        createdAt: now,
-        updatedAt: now,
-      })
-      updatedMemberships += 1
-    } catch (error) {
-      if (getPostgresErrorCode(error) !== '23505') {
-        throw error
-      }
-    }
-  }
-
-  return { createdCredentials, updatedMemberships }
-}

apps/sim/lib/environment/utils.ts

@@ -1,9 +1,8 @@
 import { db } from '@sim/db'
 import { environment, workspaceEnvironment } from '@sim/db/schema'
 import { createLogger } from '@sim/logger'
-import { eq, inArray } from 'drizzle-orm'
+import { eq } from 'drizzle-orm'
 import { decryptSecret } from '@/lib/core/security/encryption'
-import { getAccessibleEnvCredentials } from '@/lib/credentials/environment'
 
 const logger = createLogger('EnvironmentUtils')
 
@@ -54,7 +53,7 @@ export async function getPersonalAndWorkspaceEnv(
   conflicts: string[]
   decryptionFailures: string[]
 }> {
-  const [personalRows, workspaceRows, accessibleEnvCredentials] = await Promise.all([
+  const [personalRows, workspaceRows] = await Promise.all([
     db.select().from(environment).where(eq(environment.userId, userId)).limit(1),
     workspaceId
       ? db
@@ -63,69 +62,10 @@ export async function getPersonalAndWorkspaceEnv(
           .where(eq(workspaceEnvironment.workspaceId, workspaceId))
           .limit(1)
       : Promise.resolve([] as any[]),
-    workspaceId ? getAccessibleEnvCredentials(workspaceId, userId) : Promise.resolve([]),
   ])
 
-  const ownPersonalEncrypted: Record<string, string> = (personalRows[0]?.variables as any) || {}
-  const allWorkspaceEncrypted: Record<string, string> = (workspaceRows[0]?.variables as any) || {}
-
-  const hasCredentialFiltering = Boolean(workspaceId) && accessibleEnvCredentials.length > 0
-  const workspaceCredentialKeys = new Set(
-    accessibleEnvCredentials.filter((row) => row.type === 'env_workspace').map((row) => row.envKey)
-  )
-
-  const personalCredentialRows = accessibleEnvCredentials
-    .filter((row) => row.type === 'env_personal' && row.envOwnerUserId)
-    .sort((a, b) => {
-      const aIsRequester = a.envOwnerUserId === userId
-      const bIsRequester = b.envOwnerUserId === userId
-      if (aIsRequester && !bIsRequester) return -1
-      if (!aIsRequester && bIsRequester) return 1
-      return b.updatedAt.getTime() - a.updatedAt.getTime()
-    })
-
-  const selectedPersonalOwners = new Map<string, string>()
-  for (const row of personalCredentialRows) {
-    if (!selectedPersonalOwners.has(row.envKey) && row.envOwnerUserId) {
-      selectedPersonalOwners.set(row.envKey, row.envOwnerUserId)
-    }
-  }
-
-  const ownerUserIds = Array.from(new Set(selectedPersonalOwners.values()))
-  const ownerEnvironmentRows =
-    ownerUserIds.length > 0
-      ? await db
-          .select({
-            userId: environment.userId,
-            variables: environment.variables,
-          })
-          .from(environment)
-          .where(inArray(environment.userId, ownerUserIds))
-      : []
-
-  const ownerVariablesByUserId = new Map<string, Record<string, string>>(
-    ownerEnvironmentRows.map((row) => [row.userId, (row.variables as Record<string, string>) || {}])
-  )
-
-  let personalEncrypted: Record<string, string> = ownPersonalEncrypted
-  let workspaceEncrypted: Record<string, string> = allWorkspaceEncrypted
-
-  if (hasCredentialFiltering) {
-    personalEncrypted = {}
-    for (const [envKey, ownerUserId] of selectedPersonalOwners.entries()) {
-      const ownerVariables = ownerVariablesByUserId.get(ownerUserId)
-      const encryptedValue = ownerVariables?.[envKey]
-      if (encryptedValue) {
-        personalEncrypted[envKey] = encryptedValue
-      }
-    }
-
-    workspaceEncrypted = Object.fromEntries(
-      Object.entries(allWorkspaceEncrypted).filter(([envKey]) =>
-        workspaceCredentialKeys.has(envKey)
-      )
-    )
-  }
+  const personalEncrypted: Record<string, string> = (personalRows[0]?.variables as any) || {}
+  const workspaceEncrypted: Record<string, string> = (workspaceRows[0]?.variables as any) || {}
 
   const decryptionFailures: string[] = []
 

apps/sim/providers/gemini/core.ts

@@ -5,7 +5,6 @@ import {
   type GenerateContentConfig,
   type GenerateContentResponse,
   type GoogleGenAI,
-  type Interactions,
   type Part,
   type Schema,
   type ThinkingConfig,
@@ -28,7 +27,6 @@ import {
 import type { FunctionCallResponse, ProviderRequest, ProviderResponse } from '@/providers/types'
 import {
   calculateCost,
-  isDeepResearchModel,
   prepareToolExecution,
   prepareToolsWithUsageControl,
 } from '@/providers/utils'
@@ -383,468 +381,6 @@ export interface GeminiExecutionConfig {
   providerType: GeminiProviderType
 }
 
-const DEEP_RESEARCH_POLL_INTERVAL_MS = 10_000
-const DEEP_RESEARCH_MAX_DURATION_MS = 60 * 60 * 1000
-
-/**
- * Sleeps for the specified number of milliseconds
- */
-function sleep(ms: number): Promise<void> {
-  return new Promise((resolve) => setTimeout(resolve, ms))
-}
-
-/**
- * Collapses a ProviderRequest into a single input string and optional system instruction
- * for the Interactions API, which takes a flat input rather than a messages array.
- *
- * Deep research is single-turn only — it takes one research query and returns a report.
- * Memory/conversation history is hidden in the UI for deep research models, so only
- * the last user message is used as input. System messages are passed via system_instruction.
- */
-function collapseMessagesToInput(request: ProviderRequest): {
-  input: string
-  systemInstruction: string | undefined
-} {
-  const systemParts: string[] = []
-  const userParts: string[] = []
-
-  if (request.systemPrompt) {
-    systemParts.push(request.systemPrompt)
-  }
-
-  if (request.messages) {
-    for (const msg of request.messages) {
-      if (msg.role === 'system' && msg.content) {
-        systemParts.push(msg.content)
-      } else if (msg.role === 'user' && msg.content) {
-        userParts.push(msg.content)
-      }
-    }
-  }
-
-  return {
-    input:
-      userParts.length > 0
-        ? userParts[userParts.length - 1]
-        : 'Please conduct research on the provided topic.',
-    systemInstruction: systemParts.length > 0 ? systemParts.join('\n\n') : undefined,
-  }
-}
-
-/**
- * Extracts text content from a completed interaction's outputs array.
- * The outputs array can contain text, thought, google_search_result, and other types.
- * We concatenate all text outputs to get the full research report.
- */
-function extractTextFromInteractionOutputs(outputs: Interactions.Interaction['outputs']): string {
-  if (!outputs || outputs.length === 0) return ''
-
-  const textParts: string[] = []
-  for (const output of outputs) {
-    if (output.type === 'text') {
-      const text = (output as Interactions.TextContent).text
-      if (text) textParts.push(text)
-    }
-  }
-
-  return textParts.join('\n\n')
-}
-
-/**
- * Extracts token usage from an Interaction's Usage object.
- * The Interactions API provides total_input_tokens, total_output_tokens, total_tokens,
- * and total_reasoning_tokens (for thinking models).
- *
- * Also handles the raw API field name total_thought_tokens which the SDK may
- * map to total_reasoning_tokens.
- */
-function extractInteractionUsage(usage: Interactions.Usage | undefined): {
-  inputTokens: number
-  outputTokens: number
-  reasoningTokens: number
-  totalTokens: number
-} {
-  if (!usage) {
-    return { inputTokens: 0, outputTokens: 0, reasoningTokens: 0, totalTokens: 0 }
-  }
-
-  const usageLogger = createLogger('DeepResearchUsage')
-  usageLogger.info('Raw interaction usage', { usage: JSON.stringify(usage) })
-
-  const inputTokens = usage.total_input_tokens ?? 0
-  const outputTokens = usage.total_output_tokens ?? 0
-  const reasoningTokens =
-    usage.total_reasoning_tokens ??
-    ((usage as Record<string, unknown>).total_thought_tokens as number) ??
-    0
-  const totalTokens = usage.total_tokens ?? inputTokens + outputTokens
-
-  return { inputTokens, outputTokens, reasoningTokens, totalTokens }
-}
-
-/**
- * Builds a standard ProviderResponse from a completed deep research interaction.
- */
-function buildDeepResearchResponse(
-  content: string,
-  model: string,
-  usage: {
-    inputTokens: number
-    outputTokens: number
-    reasoningTokens: number
-    totalTokens: number
-  },
-  providerStartTime: number,
-  providerStartTimeISO: string,
-  interactionId?: string
-): ProviderResponse {
-  const providerEndTime = Date.now()
-  const duration = providerEndTime - providerStartTime
-
-  return {
-    content,
-    model,
-    tokens: {
-      input: usage.inputTokens,
-      output: usage.outputTokens,
-      total: usage.totalTokens,
-    },
-    timing: {
-      startTime: providerStartTimeISO,
-      endTime: new Date(providerEndTime).toISOString(),
-      duration,
-      modelTime: duration,
-      toolsTime: 0,
-      firstResponseTime: duration,
-      iterations: 1,
-      timeSegments: [
-        {
-          type: 'model',
-          name: 'Deep research',
-          startTime: providerStartTime,
-          endTime: providerEndTime,
-          duration,
-        },
-      ],
-    },
-    cost: calculateCost(model, usage.inputTokens, usage.outputTokens),
-    interactionId,
-  }
-}
-
-/**
- * Creates a ReadableStream from a deep research streaming interaction.
- *
- * Deep research streaming returns InteractionSSEEvent chunks including:
- * - interaction.start: initial interaction with ID
- * - content.delta: incremental text and thought_summary updates
- * - content.start / content.stop: output boundaries
- * - interaction.complete: final event (outputs is undefined in streaming; must reconstruct)
- * - error: error events
- *
- * We stream text deltas to the client and track usage from the interaction.complete event.
- */
-function createDeepResearchStream(
-  stream: AsyncIterable<Interactions.InteractionSSEEvent>,
-  onComplete?: (
-    content: string,
-    usage: {
-      inputTokens: number
-      outputTokens: number
-      reasoningTokens: number
-      totalTokens: number
-    },
-    interactionId?: string
-  ) => void
-): ReadableStream<Uint8Array> {
-  const streamLogger = createLogger('DeepResearchStream')
-  let fullContent = ''
-  let completionUsage = { inputTokens: 0, outputTokens: 0, reasoningTokens: 0, totalTokens: 0 }
-  let completedInteractionId: string | undefined
-
-  return new ReadableStream({
-    async start(controller) {
-      try {
-        for await (const event of stream) {
-          if (event.event_type === 'content.delta') {
-            const delta = (event as Interactions.ContentDelta).delta
-            if (delta?.type === 'text' && 'text' in delta && delta.text) {
-              fullContent += delta.text
-              controller.enqueue(new TextEncoder().encode(delta.text))
-            }
-          } else if (event.event_type === 'interaction.complete') {
-            const interaction = (event as Interactions.InteractionEvent).interaction
-            if (interaction?.usage) {
-              completionUsage = extractInteractionUsage(interaction.usage)
-            }
-            completedInteractionId = interaction?.id
-          } else if (event.event_type === 'interaction.start') {
-            const interaction = (event as Interactions.InteractionEvent).interaction
-            if (interaction?.id) {
-              completedInteractionId = interaction.id
-            }
-          } else if (event.event_type === 'error') {
-            const errorEvent = event as { error?: { code?: string; message?: string } }
-            const message = errorEvent.error?.message ?? 'Unknown deep research stream error'
-            streamLogger.error('Deep research stream error', {
-              code: errorEvent.error?.code,
-              message,
-            })
-            controller.error(new Error(message))
-            return
-          }
-        }
-
-        onComplete?.(fullContent, completionUsage, completedInteractionId)
-        controller.close()
-      } catch (error) {
-        streamLogger.error('Error reading deep research stream', {
-          error: error instanceof Error ? error.message : String(error),
-        })
-        controller.error(error)
-      }
-    },
-  })
-}
-
-/**
- * Executes a deep research request using the Interactions API.
- *
- * Deep research uses the Interactions API ({@link https://ai.google.dev/api/interactions-api}),
- * a completely different surface from generateContent. It creates a background interaction
- * that performs comprehensive research (up to 60 minutes).
- *
- * Supports both streaming and non-streaming modes:
- * - Streaming: returns a StreamingExecution with a ReadableStream of text deltas
- * - Non-streaming: polls until completion and returns a ProviderResponse
- *
- * Deep research does NOT support custom function calling tools, MCP servers,
- * or structured output (response_format). These are gracefully ignored.
- */
-export async function executeDeepResearchRequest(
-  config: GeminiExecutionConfig
-): Promise<ProviderResponse | StreamingExecution> {
-  const { ai, model, request, providerType } = config
-  const logger = createLogger(providerType === 'google' ? 'GoogleProvider' : 'VertexProvider')
-
-  logger.info('Preparing deep research request', {
-    model,
-    hasSystemPrompt: !!request.systemPrompt,
-    hasMessages: !!request.messages?.length,
-    streaming: !!request.stream,
-    hasPreviousInteractionId: !!request.previousInteractionId,
-  })
-
-  if (request.tools?.length) {
-    logger.warn('Deep research does not support custom tools — ignoring tools parameter')
-  }
-  if (request.responseFormat) {
-    logger.warn(
-      'Deep research does not support structured output — ignoring responseFormat parameter'
-    )
-  }
-
-  const providerStartTime = Date.now()
-  const providerStartTimeISO = new Date(providerStartTime).toISOString()
-
-  try {
-    const { input, systemInstruction } = collapseMessagesToInput(request)
-
-    // Deep research requires background=true and store=true (store defaults to true,
-    // but we set it explicitly per API requirements)
-    const baseParams = {
-      agent: model as Interactions.CreateAgentInteractionParamsNonStreaming['agent'],
-      input,
-      background: true,
-      store: true,
-      ...(systemInstruction && { system_instruction: systemInstruction }),
-      ...(request.previousInteractionId && {
-        previous_interaction_id: request.previousInteractionId,
-      }),
-      agent_config: {
-        type: 'deep-research' as const,
-        thinking_summaries: 'auto' as const,
-      },
-    }
-
-    logger.info('Creating deep research interaction', {
-      inputLength: input.length,
-      hasSystemInstruction: !!systemInstruction,
-      streaming: !!request.stream,
-    })
-
-    // Streaming mode: create a streaming interaction and return a StreamingExecution
-    if (request.stream) {
-      const streamParams: Interactions.CreateAgentInteractionParamsStreaming = {
-        ...baseParams,
-        stream: true,
-      }
-
-      const streamResponse = await ai.interactions.create(streamParams)
-      const firstResponseTime = Date.now() - providerStartTime
-
-      const streamingResult: StreamingExecution = {
-        stream: undefined as unknown as ReadableStream<Uint8Array>,
-        execution: {
-          success: true,
-          output: {
-            content: '',
-            model,
-            tokens: { input: 0, output: 0, total: 0 },
-            providerTiming: {
-              startTime: providerStartTimeISO,
-              endTime: new Date().toISOString(),
-              duration: Date.now() - providerStartTime,
-              modelTime: firstResponseTime,
-              toolsTime: 0,
-              firstResponseTime,
-              iterations: 1,
-              timeSegments: [
-                {
-                  type: 'model',
-                  name: 'Deep research (streaming)',
-                  startTime: providerStartTime,
-                  endTime: providerStartTime + firstResponseTime,
-                  duration: firstResponseTime,
-                },
-              ],
-            },
-            cost: {
-              input: 0,
-              output: 0,
-              total: 0,
-              pricing: { input: 0, output: 0, updatedAt: new Date().toISOString() },
-            },
-          },
-          logs: [],
-          metadata: {
-            startTime: providerStartTimeISO,
-            endTime: new Date().toISOString(),
-            duration: Date.now() - providerStartTime,
-          },
-          isStreaming: true,
-        },
-      }
-
-      streamingResult.stream = createDeepResearchStream(
-        streamResponse,
-        (content, usage, streamInteractionId) => {
-          streamingResult.execution.output.content = content
-          streamingResult.execution.output.tokens = {
-            input: usage.inputTokens,
-            output: usage.outputTokens,
-            total: usage.totalTokens,
-          }
-          streamingResult.execution.output.interactionId = streamInteractionId
-
-          const cost = calculateCost(model, usage.inputTokens, usage.outputTokens)
-          streamingResult.execution.output.cost = cost
-
-          const streamEndTime = Date.now()
-          if (streamingResult.execution.output.providerTiming) {
-            streamingResult.execution.output.providerTiming.endTime = new Date(
-              streamEndTime
-            ).toISOString()
-            streamingResult.execution.output.providerTiming.duration =
-              streamEndTime - providerStartTime
-            const segments = streamingResult.execution.output.providerTiming.timeSegments
-            if (segments?.[0]) {
-              segments[0].endTime = streamEndTime
-              segments[0].duration = streamEndTime - providerStartTime
-            }
-          }
-        }
-      )
-
-      return streamingResult
-    }
-
-    // Non-streaming mode: create and poll
-    const createParams: Interactions.CreateAgentInteractionParamsNonStreaming = {
-      ...baseParams,
-      stream: false,
-    }
-
-    const interaction = await ai.interactions.create(createParams)
-    const interactionId = interaction.id
-
-    logger.info('Deep research interaction created', { interactionId, status: interaction.status })
-
-    // Poll until a terminal status
-    const pollStartTime = Date.now()
-    let result: Interactions.Interaction = interaction
-
-    while (Date.now() - pollStartTime < DEEP_RESEARCH_MAX_DURATION_MS) {
-      if (result.status === 'completed') {
-        break
-      }
-
-      if (result.status === 'failed') {
-        throw new Error(`Deep research interaction failed: ${interactionId}`)
-      }
-
-      if (result.status === 'cancelled') {
-        throw new Error(`Deep research interaction was cancelled: ${interactionId}`)
-      }
-
-      logger.info('Deep research in progress, polling...', {
-        interactionId,
-        status: result.status,
-        elapsedMs: Date.now() - pollStartTime,
-      })
-
-      await sleep(DEEP_RESEARCH_POLL_INTERVAL_MS)
-      result = await ai.interactions.get(interactionId)
-    }
-
-    if (result.status !== 'completed') {
-      throw new Error(
-        `Deep research timed out after ${DEEP_RESEARCH_MAX_DURATION_MS / 1000}s (status: ${result.status})`
-      )
-    }
-
-    const content = extractTextFromInteractionOutputs(result.outputs)
-    const usage = extractInteractionUsage(result.usage)
-
-    logger.info('Deep research completed', {
-      interactionId,
-      contentLength: content.length,
-      inputTokens: usage.inputTokens,
-      outputTokens: usage.outputTokens,
-      reasoningTokens: usage.reasoningTokens,
-      totalTokens: usage.totalTokens,
-      durationMs: Date.now() - providerStartTime,
-    })
-
-    return buildDeepResearchResponse(
-      content,
-      model,
-      usage,
-      providerStartTime,
-      providerStartTimeISO,
-      interactionId
-    )
-  } catch (error) {
-    const providerEndTime = Date.now()
-    const duration = providerEndTime - providerStartTime
-
-    logger.error('Error in deep research request:', {
-      error: error instanceof Error ? error.message : String(error),
-      stack: error instanceof Error ? error.stack : undefined,
-    })
-
-    const enhancedError = error instanceof Error ? error : new Error(String(error))
-    Object.assign(enhancedError, {
-      timing: {
-        startTime: providerStartTimeISO,
-        endTime: new Date(providerEndTime).toISOString(),
-        duration,
-      },
-    })
-    throw enhancedError
-  }
-}
-
 /**
  * Executes a request using the Gemini API
  *
@@ -855,12 +391,6 @@ export async function executeGeminiRequest(
   config: GeminiExecutionConfig
 ): Promise<ProviderResponse | StreamingExecution> {
   const { ai, model, request, providerType } = config
-
-  // Route deep research models to the interactions API
-  if (isDeepResearchModel(model)) {
-    return executeDeepResearchRequest(config)
-  }
-
   const logger = createLogger(providerType === 'google' ? 'GoogleProvider' : 'VertexProvider')
 
   logger.info(`Preparing ${providerType} Gemini request`, {

apps/sim/providers/models.ts

@@ -46,9 +46,6 @@ export interface ModelCapabilities {
     levels: string[]
     default?: string
   }
-  deepResearch?: boolean
-  /** Whether this model supports conversation memory. Defaults to true if omitted. */
-  memory?: boolean
 }
 
 export interface ModelDefinition {
@@ -828,7 +825,7 @@ export const PROVIDER_DEFINITIONS: Record<string, ProviderDefinition> = {
     name: 'Google',
     description: "Google's Gemini models",
     defaultModel: 'gemini-2.5-pro',
-    modelPatterns: [/^gemini/, /^deep-research/],
+    modelPatterns: [/^gemini/],
     capabilities: {
       toolUsageControl: true,
     },
@@ -931,19 +928,6 @@ export const PROVIDER_DEFINITIONS: Record<string, ProviderDefinition> = {
         },
         contextWindow: 1000000,
       },
-      {
-        id: 'deep-research-pro-preview-12-2025',
-        pricing: {
-          input: 2.0,
-          output: 2.0,
-          updatedAt: '2026-02-10',
-        },
-        capabilities: {
-          deepResearch: true,
-          memory: false,
-        },
-        contextWindow: 1000000,
-      },
     ],
   },
   vertex: {
@@ -1054,19 +1038,6 @@ export const PROVIDER_DEFINITIONS: Record<string, ProviderDefinition> = {
         },
         contextWindow: 1000000,
       },
-      {
-        id: 'vertex/deep-research-pro-preview-12-2025',
-        pricing: {
-          input: 2.0,
-          output: 2.0,
-          updatedAt: '2026-02-10',
-        },
-        capabilities: {
-          deepResearch: true,
-          memory: false,
-        },
-        contextWindow: 1000000,
-      },
     ],
   },
   deepseek: {
@@ -2509,37 +2480,6 @@ export function getThinkingLevelsForModel(modelId: string): string[] | null {
   return capability?.levels ?? null
 }
 
-/**
- * Get all models that support deep research capability
- */
-export function getModelsWithDeepResearch(): string[] {
-  const models: string[] = []
-  for (const provider of Object.values(PROVIDER_DEFINITIONS)) {
-    for (const model of provider.models) {
-      if (model.capabilities.deepResearch) {
-        models.push(model.id)
-      }
-    }
-  }
-  return models
-}
-
-/**
- * Get all models that explicitly disable memory support (memory: false).
- * Models without this capability default to supporting memory.
- */
-export function getModelsWithoutMemory(): string[] {
-  const models: string[] = []
-  for (const provider of Object.values(PROVIDER_DEFINITIONS)) {
-    for (const model of provider.models) {
-      if (model.capabilities.memory === false) {
-        models.push(model.id)
-      }
-    }
-  }
-  return models
-}
-
 /**
  * Get the max output tokens for a specific model.
  *

apps/sim/providers/types.ts

@@ -95,8 +95,6 @@ export interface ProviderResponse {
     total: number
     pricing: ModelPricing
   }
-  /** Interaction ID returned by the Interactions API (used for multi-turn deep research) */
-  interactionId?: string
 }
 
 export type ToolUsageControl = 'auto' | 'force' | 'none'
@@ -171,8 +169,6 @@ export interface ProviderRequest {
   verbosity?: string
   thinkingLevel?: string
   isDeployedContext?: boolean
-  /** Previous interaction ID for multi-turn Interactions API requests (deep research follow-ups) */
-  previousInteractionId?: string
 }
 
 export const providers: Record<string, ProviderConfig> = {}

apps/sim/providers/utils.ts

@@ -12,8 +12,6 @@ import {
   getMaxOutputTokensForModel as getMaxOutputTokensForModelFromDefinitions,
   getMaxTemperature as getMaxTempFromDefinitions,
   getModelPricing as getModelPricingFromDefinitions,
-  getModelsWithDeepResearch,
-  getModelsWithoutMemory,
   getModelsWithReasoningEffort,
   getModelsWithTemperatureSupport,
   getModelsWithTempRange01,
@@ -955,8 +953,6 @@ export const MODELS_WITH_TEMPERATURE_SUPPORT = getModelsWithTemperatureSupport()
 export const MODELS_WITH_REASONING_EFFORT = getModelsWithReasoningEffort()
 export const MODELS_WITH_VERBOSITY = getModelsWithVerbosity()
 export const MODELS_WITH_THINKING = getModelsWithThinking()
-export const MODELS_WITH_DEEP_RESEARCH = getModelsWithDeepResearch()
-export const MODELS_WITHOUT_MEMORY = getModelsWithoutMemory()
 export const PROVIDERS_WITH_TOOL_USAGE_CONTROL = getProvidersWithToolUsageControl()
 
 export function supportsTemperature(model: string): boolean {
@@ -975,10 +971,6 @@ export function supportsThinking(model: string): boolean {
   return MODELS_WITH_THINKING.includes(model.toLowerCase())
 }
 
-export function isDeepResearchModel(model: string): boolean {
-  return MODELS_WITH_DEEP_RESEARCH.includes(model.toLowerCase())
-}
-
 /**
  * Get the maximum temperature value for a model
  * @returns Maximum temperature value (1 or 2) or undefined if temperature not supported

apps/sim/stores/modals/settings/types.ts

@@ -1,6 +1,5 @@
 export type SettingsSection =
   | 'general'
-  | 'credentials'
   | 'environment'
   | 'template-profile'
   | 'integrations'

packages/db/migrations/0154_luxuriant_maria_hill.sql

@@ -1,274 +0,0 @@
-CREATE TYPE "public"."credential_member_role" AS ENUM('admin', 'member');--> statement-breakpoint
-CREATE TYPE "public"."credential_member_status" AS ENUM('active', 'pending', 'revoked');--> statement-breakpoint
-CREATE TYPE "public"."credential_type" AS ENUM('oauth', 'env_workspace', 'env_personal');--> statement-breakpoint
-CREATE TABLE "credential" (
-	"id" text PRIMARY KEY NOT NULL,
-	"workspace_id" text NOT NULL,
-	"type" "credential_type" NOT NULL,
-	"display_name" text NOT NULL,
-	"provider_id" text,
-	"account_id" text,
-	"env_key" text,
-	"env_owner_user_id" text,
-	"created_by" text NOT NULL,
-	"created_at" timestamp DEFAULT now() NOT NULL,
-	"updated_at" timestamp DEFAULT now() NOT NULL,
-	CONSTRAINT "credential_oauth_source_check" CHECK ((type <> 'oauth') OR (account_id IS NOT NULL AND provider_id IS NOT NULL)),
-	CONSTRAINT "credential_workspace_env_source_check" CHECK ((type <> 'env_workspace') OR (env_key IS NOT NULL AND env_owner_user_id IS NULL)),
-	CONSTRAINT "credential_personal_env_source_check" CHECK ((type <> 'env_personal') OR (env_key IS NOT NULL AND env_owner_user_id IS NOT NULL))
-);
---> statement-breakpoint
-CREATE TABLE "credential_member" (
-	"id" text PRIMARY KEY NOT NULL,
-	"credential_id" text NOT NULL,
-	"user_id" text NOT NULL,
-	"role" "credential_member_role" DEFAULT 'member' NOT NULL,
-	"status" "credential_member_status" DEFAULT 'active' NOT NULL,
-	"joined_at" timestamp,
-	"invited_by" text,
-	"created_at" timestamp DEFAULT now() NOT NULL,
-	"updated_at" timestamp DEFAULT now() NOT NULL
-);
---> statement-breakpoint
-ALTER TABLE "credential" ADD CONSTRAINT "credential_workspace_id_workspace_id_fk" FOREIGN KEY ("workspace_id") REFERENCES "public"."workspace"("id") ON DELETE cascade ON UPDATE no action;--> statement-breakpoint
-ALTER TABLE "credential" ADD CONSTRAINT "credential_account_id_account_id_fk" FOREIGN KEY ("account_id") REFERENCES "public"."account"("id") ON DELETE cascade ON UPDATE no action;--> statement-breakpoint
-ALTER TABLE "credential" ADD CONSTRAINT "credential_env_owner_user_id_user_id_fk" FOREIGN KEY ("env_owner_user_id") REFERENCES "public"."user"("id") ON DELETE cascade ON UPDATE no action;--> statement-breakpoint
-ALTER TABLE "credential" ADD CONSTRAINT "credential_created_by_user_id_fk" FOREIGN KEY ("created_by") REFERENCES "public"."user"("id") ON DELETE cascade ON UPDATE no action;--> statement-breakpoint
-ALTER TABLE "credential_member" ADD CONSTRAINT "credential_member_credential_id_credential_id_fk" FOREIGN KEY ("credential_id") REFERENCES "public"."credential"("id") ON DELETE cascade ON UPDATE no action;--> statement-breakpoint
-ALTER TABLE "credential_member" ADD CONSTRAINT "credential_member_user_id_user_id_fk" FOREIGN KEY ("user_id") REFERENCES "public"."user"("id") ON DELETE cascade ON UPDATE no action;--> statement-breakpoint
-ALTER TABLE "credential_member" ADD CONSTRAINT "credential_member_invited_by_user_id_fk" FOREIGN KEY ("invited_by") REFERENCES "public"."user"("id") ON DELETE set null ON UPDATE no action;--> statement-breakpoint
-CREATE INDEX "credential_workspace_id_idx" ON "credential" USING btree ("workspace_id");--> statement-breakpoint
-CREATE INDEX "credential_type_idx" ON "credential" USING btree ("type");--> statement-breakpoint
-CREATE INDEX "credential_provider_id_idx" ON "credential" USING btree ("provider_id");--> statement-breakpoint
-CREATE INDEX "credential_account_id_idx" ON "credential" USING btree ("account_id");--> statement-breakpoint
-CREATE INDEX "credential_env_owner_user_id_idx" ON "credential" USING btree ("env_owner_user_id");--> statement-breakpoint
-CREATE UNIQUE INDEX "credential_workspace_account_unique" ON "credential" USING btree ("workspace_id","account_id") WHERE account_id IS NOT NULL;--> statement-breakpoint
-CREATE UNIQUE INDEX "credential_workspace_env_unique" ON "credential" USING btree ("workspace_id","type","env_key") WHERE type = 'env_workspace';--> statement-breakpoint
-CREATE UNIQUE INDEX "credential_workspace_personal_env_unique" ON "credential" USING btree ("workspace_id","type","env_key","env_owner_user_id") WHERE type = 'env_personal';--> statement-breakpoint
-CREATE INDEX "credential_member_credential_id_idx" ON "credential_member" USING btree ("credential_id");--> statement-breakpoint
-CREATE INDEX "credential_member_user_id_idx" ON "credential_member" USING btree ("user_id");--> statement-breakpoint
-CREATE INDEX "credential_member_role_idx" ON "credential_member" USING btree ("role");--> statement-breakpoint
-CREATE INDEX "credential_member_status_idx" ON "credential_member" USING btree ("status");--> statement-breakpoint
-CREATE UNIQUE INDEX "credential_member_unique" ON "credential_member" USING btree ("credential_id","user_id");
---> statement-breakpoint
-CREATE TABLE IF NOT EXISTS "pending_credential_draft" (
-	"id" text PRIMARY KEY NOT NULL,
-	"user_id" text NOT NULL,
-	"workspace_id" text NOT NULL,
-	"provider_id" text NOT NULL,
-	"display_name" text NOT NULL,
-	"expires_at" timestamp NOT NULL,
-	"created_at" timestamp DEFAULT now() NOT NULL
-);
---> statement-breakpoint
-ALTER TABLE "pending_credential_draft" ADD CONSTRAINT "pending_credential_draft_user_id_user_id_fk" FOREIGN KEY ("user_id") REFERENCES "public"."user"("id") ON DELETE cascade ON UPDATE no action;--> statement-breakpoint
-ALTER TABLE "pending_credential_draft" ADD CONSTRAINT "pending_credential_draft_workspace_id_workspace_id_fk" FOREIGN KEY ("workspace_id") REFERENCES "public"."workspace"("id") ON DELETE cascade ON UPDATE no action;--> statement-breakpoint
-CREATE UNIQUE INDEX "pending_draft_user_provider_ws" ON "pending_credential_draft" USING btree ("user_id","provider_id","workspace_id");
---> statement-breakpoint
-DROP INDEX IF EXISTS "account_user_provider_unique";
---> statement-breakpoint
-WITH workspace_user_access AS (
-	SELECT DISTINCT w.id AS workspace_id, p.user_id
-	FROM "permissions" p
-	INNER JOIN "workspace" w
-		ON w.id = p.entity_id
-	WHERE p.entity_type = 'workspace'
-	UNION
-	SELECT w.id AS workspace_id, w.owner_id AS user_id
-	FROM "workspace" w
-	UNION
-	SELECT DISTINCT wf.workspace_id AS workspace_id, wf.user_id
-	FROM "workflow" wf
-	INNER JOIN "workspace" w
-		ON w.id = wf.workspace_id
-	WHERE wf.workspace_id IS NOT NULL
-)
-INSERT INTO "credential" (
-	"id",
-	"workspace_id",
-	"type",
-	"display_name",
-	"provider_id",
-	"account_id",
-	"created_by",
-	"created_at",
-	"updated_at"
-)
-SELECT
-	'cred_' || md5('oauth:' || wua.workspace_id || ':' || a.id) AS id,
-	wua.workspace_id,
-	'oauth'::"credential_type",
-	COALESCE(NULLIF(a.account_id, ''), a.provider_id) AS display_name,
-	a.provider_id,
-	a.id,
-	a.user_id,
-	now(),
-	now()
-FROM "account" a
-INNER JOIN workspace_user_access wua
-	ON wua.user_id = a.user_id
-ON CONFLICT DO NOTHING;
---> statement-breakpoint
-INSERT INTO "credential" (
-	"id",
-	"workspace_id",
-	"type",
-	"display_name",
-	"env_key",
-	"created_by",
-	"created_at",
-	"updated_at"
-)
-SELECT
-	'cred_' || md5('env_workspace:' || we.workspace_id || ':' || env.key) AS id,
-	we.workspace_id,
-	'env_workspace'::"credential_type",
-	env.key AS display_name,
-	env.key,
-	COALESCE(wf_owner.user_id, w.owner_id),
-	now(),
-	now()
-FROM "workspace_environment" we
-INNER JOIN "workspace" w
-	ON w.id = we.workspace_id
-LEFT JOIN LATERAL (
-	SELECT wf.user_id
-	FROM "workflow" wf
-	WHERE wf.workspace_id = we.workspace_id
-	ORDER BY wf.created_at ASC
-	LIMIT 1
-) wf_owner
-	ON TRUE
-CROSS JOIN LATERAL jsonb_each_text(COALESCE(we.variables::jsonb, '{}'::jsonb)) AS env(key, value)
-ON CONFLICT DO NOTHING;
---> statement-breakpoint
-WITH workflow_workspace_owners AS (
-	SELECT DISTINCT wf.workspace_id, wf.user_id
-	FROM "workflow" wf
-	INNER JOIN "workspace" w
-		ON w.id = wf.workspace_id
-	WHERE wf.workspace_id IS NOT NULL
-)
-INSERT INTO "credential" (
-	"id",
-	"workspace_id",
-	"type",
-	"display_name",
-	"env_key",
-	"env_owner_user_id",
-	"created_by",
-	"created_at",
-	"updated_at"
-)
-SELECT
-	'cred_' || md5('env_personal:' || wwo.workspace_id || ':' || e.user_id || ':' || env.key) AS id,
-	wwo.workspace_id,
-	'env_personal'::"credential_type",
-	env.key AS display_name,
-	env.key,
-	e.user_id,
-	e.user_id,
-	now(),
-	now()
-FROM "environment" e
-INNER JOIN workflow_workspace_owners wwo
-	ON wwo.user_id = e.user_id
-CROSS JOIN LATERAL jsonb_each_text(COALESCE(e.variables::jsonb, '{}'::jsonb)) AS env(key, value)
-ON CONFLICT DO NOTHING;
---> statement-breakpoint
-WITH workspace_user_access AS (
-	SELECT DISTINCT w.id AS workspace_id, p.user_id
-	FROM "permissions" p
-	INNER JOIN "workspace" w
-		ON w.id = p.entity_id
-	WHERE p.entity_type = 'workspace'
-	UNION
-	SELECT w.id AS workspace_id, w.owner_id AS user_id
-	FROM "workspace" w
-	UNION
-	SELECT DISTINCT wf.workspace_id AS workspace_id, wf.user_id
-	FROM "workflow" wf
-	INNER JOIN "workspace" w
-		ON w.id = wf.workspace_id
-	WHERE wf.workspace_id IS NOT NULL
-),
-workflow_workspace_owners AS (
-	SELECT DISTINCT wf.workspace_id, wf.user_id
-	FROM "workflow" wf
-	INNER JOIN "workspace" w
-		ON w.id = wf.workspace_id
-	WHERE wf.workspace_id IS NOT NULL
-)
-INSERT INTO "credential_member" (
-	"id",
-	"credential_id",
-	"user_id",
-	"role",
-	"status",
-	"joined_at",
-	"invited_by",
-	"created_at",
-	"updated_at"
-)
-SELECT
-	'credm_' || md5(c.id || ':' || wua.user_id) AS id,
-	c.id,
-	wua.user_id,
-	CASE
-		WHEN c.type = 'oauth'::"credential_type" AND c.created_by = wua.user_id THEN 'admin'::"credential_member_role"
-		WHEN c.type = 'env_workspace'::"credential_type" AND (
-			EXISTS (
-				SELECT 1
-				FROM workflow_workspace_owners wwo
-				WHERE wwo.workspace_id = c.workspace_id
-					AND wwo.user_id = wua.user_id
-			)
-			OR (
-				NOT EXISTS (
-					SELECT 1
-					FROM workflow_workspace_owners wwo
-					WHERE wwo.workspace_id = c.workspace_id
-				)
-				AND w.owner_id = wua.user_id
-			)
-		) THEN 'admin'::"credential_member_role"
-		ELSE 'member'::"credential_member_role"
-	END AS role,
-	'active'::"credential_member_status",
-	now(),
-	c.created_by,
-	now(),
-	now()
-FROM "credential" c
-INNER JOIN "workspace" w
-	ON w.id = c.workspace_id
-INNER JOIN workspace_user_access wua
-	ON wua.workspace_id = c.workspace_id
-WHERE c.type IN ('oauth'::"credential_type", 'env_workspace'::"credential_type")
-ON CONFLICT DO NOTHING;
---> statement-breakpoint
-INSERT INTO "credential_member" (
-	"id",
-	"credential_id",
-	"user_id",
-	"role",
-	"status",
-	"joined_at",
-	"invited_by",
-	"created_at",
-	"updated_at"
-)
-SELECT
-	'credm_' || md5(c.id || ':' || c.env_owner_user_id) AS id,
-	c.id,
-	c.env_owner_user_id,
-	'admin'::"credential_member_role",
-	'active'::"credential_member_status",
-	now(),
-	c.created_by,
-	now(),
-	now()
-FROM "credential" c
-WHERE c.type = 'env_personal'::"credential_type"
-	AND c.env_owner_user_id IS NOT NULL
-ON CONFLICT DO NOTHING;

packages/db/migrations/meta/_journal.json

@@ -1072,13 +1072,6 @@
       "when": 1770410282842,
       "tag": "0153_complete_arclight",
       "breakpoints": true
-    },
-    {
-      "idx": 154,
-      "version": "7",
-      "when": 1770840006821,
-      "tag": "0154_luxuriant_maria_hill",
-      "breakpoints": true
     }
   ]
 }

packages/db/schema.ts

@@ -89,6 +89,10 @@ export const account = pgTable(
       table.accountId,
       table.providerId
     ),
+    uniqueUserProvider: uniqueIndex('account_user_provider_unique').on(
+      table.userId,
+      table.providerId
+    ),
   })
 )
 
@@ -2007,118 +2011,6 @@ export const usageLog = pgTable(
   })
 )
 
-export const credentialTypeEnum = pgEnum('credential_type', [
-  'oauth',
-  'env_workspace',
-  'env_personal',
-])
-
-export const credential = pgTable(
-  'credential',
-  {
-    id: text('id').primaryKey(),
-    workspaceId: text('workspace_id')
-      .notNull()
-      .references(() => workspace.id, { onDelete: 'cascade' }),
-    type: credentialTypeEnum('type').notNull(),
-    displayName: text('display_name').notNull(),
-    providerId: text('provider_id'),
-    accountId: text('account_id').references(() => account.id, { onDelete: 'cascade' }),
-    envKey: text('env_key'),
-    envOwnerUserId: text('env_owner_user_id').references(() => user.id, { onDelete: 'cascade' }),
-    createdBy: text('created_by')
-      .notNull()
-      .references(() => user.id, { onDelete: 'cascade' }),
-    createdAt: timestamp('created_at').notNull().defaultNow(),
-    updatedAt: timestamp('updated_at').notNull().defaultNow(),
-  },
-  (table) => ({
-    workspaceIdIdx: index('credential_workspace_id_idx').on(table.workspaceId),
-    typeIdx: index('credential_type_idx').on(table.type),
-    providerIdIdx: index('credential_provider_id_idx').on(table.providerId),
-    accountIdIdx: index('credential_account_id_idx').on(table.accountId),
-    envOwnerUserIdIdx: index('credential_env_owner_user_id_idx').on(table.envOwnerUserId),
-    workspaceAccountUnique: uniqueIndex('credential_workspace_account_unique')
-      .on(table.workspaceId, table.accountId)
-      .where(sql`account_id IS NOT NULL`),
-    workspaceEnvUnique: uniqueIndex('credential_workspace_env_unique')
-      .on(table.workspaceId, table.type, table.envKey)
-      .where(sql`type = 'env_workspace'`),
-    workspacePersonalEnvUnique: uniqueIndex('credential_workspace_personal_env_unique')
-      .on(table.workspaceId, table.type, table.envKey, table.envOwnerUserId)
-      .where(sql`type = 'env_personal'`),
-    oauthSourceConstraint: check(
-      'credential_oauth_source_check',
-      sql`(type <> 'oauth') OR (account_id IS NOT NULL AND provider_id IS NOT NULL)`
-    ),
-    workspaceEnvSourceConstraint: check(
-      'credential_workspace_env_source_check',
-      sql`(type <> 'env_workspace') OR (env_key IS NOT NULL AND env_owner_user_id IS NULL)`
-    ),
-    personalEnvSourceConstraint: check(
-      'credential_personal_env_source_check',
-      sql`(type <> 'env_personal') OR (env_key IS NOT NULL AND env_owner_user_id IS NOT NULL)`
-    ),
-  })
-)
-
-export const credentialMemberRoleEnum = pgEnum('credential_member_role', ['admin', 'member'])
-export const credentialMemberStatusEnum = pgEnum('credential_member_status', [
-  'active',
-  'pending',
-  'revoked',
-])
-
-export const credentialMember = pgTable(
-  'credential_member',
-  {
-    id: text('id').primaryKey(),
-    credentialId: text('credential_id')
-      .notNull()
-      .references(() => credential.id, { onDelete: 'cascade' }),
-    userId: text('user_id')
-      .notNull()
-      .references(() => user.id, { onDelete: 'cascade' }),
-    role: credentialMemberRoleEnum('role').notNull().default('member'),
-    status: credentialMemberStatusEnum('status').notNull().default('active'),
-    joinedAt: timestamp('joined_at'),
-    invitedBy: text('invited_by').references(() => user.id, { onDelete: 'set null' }),
-    createdAt: timestamp('created_at').notNull().defaultNow(),
-    updatedAt: timestamp('updated_at').notNull().defaultNow(),
-  },
-  (table) => ({
-    credentialIdIdx: index('credential_member_credential_id_idx').on(table.credentialId),
-    userIdIdx: index('credential_member_user_id_idx').on(table.userId),
-    roleIdx: index('credential_member_role_idx').on(table.role),
-    statusIdx: index('credential_member_status_idx').on(table.status),
-    uniqueMembership: uniqueIndex('credential_member_unique').on(table.credentialId, table.userId),
-  })
-)
-
-export const pendingCredentialDraft = pgTable(
-  'pending_credential_draft',
-  {
-    id: text('id').primaryKey(),
-    userId: text('user_id')
-      .notNull()
-      .references(() => user.id, { onDelete: 'cascade' }),
-    workspaceId: text('workspace_id')
-      .notNull()
-      .references(() => workspace.id, { onDelete: 'cascade' }),
-    providerId: text('provider_id').notNull(),
-    displayName: text('display_name').notNull(),
-    expiresAt: timestamp('expires_at').notNull(),
-    createdAt: timestamp('created_at').notNull().defaultNow(),
-  },
-  (table) => ({
-    uniqueDraft: uniqueIndex('pending_draft_user_provider_ws').on(
-      table.userId,
-      table.providerId,
-      table.workspaceId
-    ),
-  })
-)
-
 export const credentialSet = pgTable(
   'credential_set',
   {