add filter

address bugbot
remove more unused code
2026-02-15 00:44:56 -05:00 · 2026-02-14 14:26:22 -08:00 · 2026-02-14 14:10:56 -08:00 · 2026-02-14 12:54:28 -08:00 · 2026-02-14 12:47:03 -08:00 · 2026-02-14 12:32:55 -08:00
280 changed files with 36926 additions and 13373 deletions
--- a/apps/docs/components/icons.tsx
+++ b/apps/docs/components/icons.tsx
@@ -1157,6 +1157,21 @@ export function AirweaveIcon(props: SVGProps<SVGSVGElement>) {
  )
 }
 export function GoogleBooksIcon(props: SVGProps<SVGSVGElement>) {
  return (
    <svg {...props} xmlns='http://www.w3.org/2000/svg' viewBox='0 0 478.633 540.068'>
      <path
        fill='#1C51A4'
        d='M449.059,218.231L245.519,99.538l-0.061,193.23c0.031,1.504-0.368,2.977-1.166,4.204c-0.798,1.258-1.565,1.995-2.915,2.547c-1.35,0.552-2.792,0.706-4.204,0.399c-1.412-0.307-2.7-1.043-3.713-2.117l-69.166-70.609l-69.381,70.179c-1.013,0.982-2.301,1.657-3.652,1.903c-1.381,0.246-2.792,0.092-4.081-0.491c-1.289-0.583-1.626-0.522-2.394-1.749c-0.767-1.197-1.197-2.608-1.197-4.081L85.031,6.007l-2.915-1.289C43.973-11.638,0,16.409,0,59.891v420.306c0,46.029,49.312,74.782,88.775,51.767l360.285-210.138C488.491,298.782,488.491,241.246,449.059,218.231z'
      />
      <path
        fill='#80D7FB'
        d='M88.805,8.124c-2.179-1.289-4.419-2.363-6.659-3.345l0.123,288.663c0,1.442,0.43,2.854,1.197,4.081c0.767,1.197,1.872,2.148,3.161,2.731c1.289,0.583,2.7,0.736,4.081,0.491c1.381-0.246,2.639-0.921,3.652-1.903l69.749-69.688l69.811,69.749c1.013,1.074,2.301,1.81,3.713,2.117c1.412,0.307,2.884,0.153,4.204-0.399c1.319-0.552,2.455-1.565,3.253-2.792c0.798-1.258,1.197-2.731,1.166-4.204V99.998L88.805,8.124z'
      />
    </svg>
  )
 }
 export function GoogleDocsIcon(props: SVGProps<SVGSVGElement>) {
  return (
    <svg
--- a/apps/docs/components/ui/icon-mapping.ts
+++ b/apps/docs/components/ui/icon-mapping.ts
@@ -38,6 +38,7 @@ import {
  GithubIcon,
  GitLabIcon,
  GmailIcon,
  GoogleBooksIcon,
  GoogleCalendarIcon,
  GoogleDocsIcon,
  GoogleDriveIcon,
@@ -172,6 +173,7 @@ export const blockTypeToIconMap: Record<string, IconComponent> = {
  github_v2: GithubIcon,
  gitlab: GitLabIcon,
  gmail_v2: GmailIcon,
  google_books: GoogleBooksIcon,
  google_calendar_v2: GoogleCalendarIcon,
  google_docs: GoogleDocsIcon,
  google_drive: GoogleDriveIcon,
--- a/apps/docs/content/docs/en/tools/google_books.mdx
+++ b/apps/docs/content/docs/en/tools/google_books.mdx
@@ -0,0 +1,96 @@
 ---
 title: Google Books
 description: Search and retrieve book information
 ---
 import { BlockInfoCard } from "@/components/ui/block-info-card"
 <BlockInfoCard 
  type="google_books"
  color="#FFFFFF"
 />
 ## Usage Instructions
 Search for books using the Google Books API. Find volumes by title, author, ISBN, or keywords, and retrieve detailed information about specific books including descriptions, ratings, and publication details.
 ## Tools
 ### `google_books_volume_search`
 Search for books using the Google Books API
 #### Input
 | Parameter | Type | Required | Description |
 | --------- | ---- | -------- | ----------- |
 | `apiKey` | string | Yes | Google Books API key |
 | `query` | string | Yes | Search query. Supports special keywords: intitle:, inauthor:, inpublisher:, subject:, isbn: |
 | `filter` | string | No | Filter results by availability \(partial, full, free-ebooks, paid-ebooks, ebooks\) |
 | `printType` | string | No | Restrict to print type \(all, books, magazines\) |
 | `orderBy` | string | No | Sort order \(relevance, newest\) |
 | `startIndex` | number | No | Index of the first result to return \(for pagination\) |
 | `maxResults` | number | No | Maximum number of results to return \(1-40\) |
 | `langRestrict` | string | No | Restrict results to a specific language \(ISO 639-1 code\) |
 #### Output
 | Parameter | Type | Description |
 | --------- | ---- | ----------- |
 | `totalItems` | number | Total number of matching results |
 | `volumes` | array | List of matching volumes |
 |   ↳ `id` | string | Volume ID |
 |   ↳ `title` | string | Book title |
 |   ↳ `subtitle` | string | Book subtitle |
 |   ↳ `authors` | array | List of authors |
 |   ↳ `publisher` | string | Publisher name |
 |   ↳ `publishedDate` | string | Publication date |
 |   ↳ `description` | string | Book description |
 |   ↳ `pageCount` | number | Number of pages |
 |   ↳ `categories` | array | Book categories |
 |   ↳ `averageRating` | number | Average rating \(1-5\) |
 |   ↳ `ratingsCount` | number | Number of ratings |
 |   ↳ `language` | string | Language code |
 |   ↳ `previewLink` | string | Link to preview on Google Books |
 |   ↳ `infoLink` | string | Link to info page |
 |   ↳ `thumbnailUrl` | string | Book cover thumbnail URL |
 |   ↳ `isbn10` | string | ISBN-10 identifier |
 |   ↳ `isbn13` | string | ISBN-13 identifier |
 ### `google_books_volume_details`
 Get detailed information about a specific book volume
 #### Input
 | Parameter | Type | Required | Description |
 | --------- | ---- | -------- | ----------- |
 | `apiKey` | string | Yes | Google Books API key |
 | `volumeId` | string | Yes | The ID of the volume to retrieve |
 | `projection` | string | No | Projection level \(full, lite\) |
 #### Output
 | Parameter | Type | Description |
 | --------- | ---- | ----------- |
 | `id` | string | Volume ID |
 | `title` | string | Book title |
 | `subtitle` | string | Book subtitle |
 | `authors` | array | List of authors |
 | `publisher` | string | Publisher name |
 | `publishedDate` | string | Publication date |
 | `description` | string | Book description |
 | `pageCount` | number | Number of pages |
 | `categories` | array | Book categories |
 | `averageRating` | number | Average rating \(1-5\) |
 | `ratingsCount` | number | Number of ratings |
 | `language` | string | Language code |
 | `previewLink` | string | Link to preview on Google Books |
 | `infoLink` | string | Link to info page |
 | `thumbnailUrl` | string | Book cover thumbnail URL |
 | `isbn10` | string | ISBN-10 identifier |
 | `isbn13` | string | ISBN-13 identifier |
--- a/apps/docs/content/docs/en/tools/meta.json
+++ b/apps/docs/content/docs/en/tools/meta.json
@@ -33,6 +33,7 @@
    "github",
    "gitlab",
    "gmail",
    "google_books",
    "google_calendar",
    "google_docs",
    "google_drive",
--- a/apps/sim/.env.example
+++ b/apps/sim/.env.example
@@ -13,6 +13,7 @@ BETTER_AUTH_URL=http://localhost:3000
 # NextJS (Required)
 NEXT_PUBLIC_APP_URL=http://localhost:3000
 # INTERNAL_API_BASE_URL=http://sim-app.default.svc.cluster.local:3000  # Optional: internal URL for server-side /api self-calls; defaults to NEXT_PUBLIC_APP_URL
 # Security (Required)
 ENCRYPTION_KEY=your_encryption_key  # Use `openssl rand -hex 32` to generate, used to encrypt environment variables
--- a/apps/sim/app/api/a2a/serve/[agentId]/utils.ts
+++ b/apps/sim/app/api/a2a/serve/[agentId]/utils.ts
@@ -1,7 +1,7 @@
 import type { Artifact, Message, PushNotificationConfig, Task, TaskState } from '@a2a-js/sdk'
 import { v4 as uuidv4 } from 'uuid'
 import { generateInternalToken } from '@/lib/auth/internal'
-import { getBaseUrl } from '@/lib/core/utils/urls'
+import { getInternalApiBaseUrl } from '@/lib/core/utils/urls'
 /** A2A v0.3 JSON-RPC method names */
 export const A2A_METHODS = {
@@ -118,7 +118,7 @@ export interface ExecuteRequestResult {
 export async function buildExecuteRequest(
  config: ExecuteRequestConfig
 ): Promise<ExecuteRequestResult> {
-  const url = `${getBaseUrl()}/api/workflows/${config.workflowId}/execute`
+  const url = `${getInternalApiBaseUrl()}/api/workflows/${config.workflowId}/execute`
  const headers: Record<string, string> = { 'Content-Type': 'application/json' }
  let useInternalAuth = false
--- a/apps/sim/app/api/attribution/route.ts
+++ b/apps/sim/app/api/attribution/route.ts
@@ -0,0 +1,187 @@
 /**
 * POST /api/attribution
 *
 * Automatic UTM-based referral attribution.
 *
 * Reads the `sim_utm` cookie (set by proxy on auth pages), matches a campaign
 * by UTM specificity, and atomically inserts an attribution record + applies
 * bonus credits.
 *
 * Idempotent — the unique constraint on `userId` prevents double-attribution.
 */
 import { db } from '@sim/db'
 import { referralAttribution, referralCampaigns, userStats } from '@sim/db/schema'
 import { createLogger } from '@sim/logger'
 import { eq } from 'drizzle-orm'
 import { nanoid } from 'nanoid'
 import { cookies } from 'next/headers'
 import { NextResponse } from 'next/server'
 import { z } from 'zod'
 import { getSession } from '@/lib/auth'
 import { applyBonusCredits } from '@/lib/billing/credits/bonus'
 const logger = createLogger('AttributionAPI')
 const COOKIE_NAME = 'sim_utm'
 const UtmCookieSchema = z.object({
  utm_source: z.string().optional(),
  utm_medium: z.string().optional(),
  utm_campaign: z.string().optional(),
  utm_content: z.string().optional(),
  referrer_url: z.string().optional(),
  landing_page: z.string().optional(),
  created_at: z.string().optional(),
 })
 /**
 * Finds the most specific active campaign matching the given UTM params.
 * Null fields on a campaign act as wildcards. Ties broken by newest campaign.
 */
 async function findMatchingCampaign(utmData: z.infer<typeof UtmCookieSchema>) {
  const campaigns = await db
    .select()
    .from(referralCampaigns)
    .where(eq(referralCampaigns.isActive, true))
  let bestMatch: (typeof campaigns)[number] | null = null
  let bestScore = -1
  for (const campaign of campaigns) {
    let score = 0
    let mismatch = false
    const fields = [
      { campaignVal: campaign.utmSource, utmVal: utmData.utm_source },
      { campaignVal: campaign.utmMedium, utmVal: utmData.utm_medium },
      { campaignVal: campaign.utmCampaign, utmVal: utmData.utm_campaign },
      { campaignVal: campaign.utmContent, utmVal: utmData.utm_content },
    ] as const
    for (const { campaignVal, utmVal } of fields) {
      if (campaignVal === null) continue
      if (campaignVal === utmVal) {
        score++
      } else {
        mismatch = true
        break
      }
    }
    if (!mismatch && score > 0) {
      if (
        score > bestScore ||
        (score === bestScore &&
          bestMatch &&
          campaign.createdAt.getTime() > bestMatch.createdAt.getTime())
      ) {
        bestScore = score
        bestMatch = campaign
      }
    }
  }
  return bestMatch
 }
 export async function POST() {
  try {
    const session = await getSession()
    if (!session?.user?.id) {
      return NextResponse.json({ error: 'Unauthorized' }, { status: 401 })
    }
    const cookieStore = await cookies()
    const utmCookie = cookieStore.get(COOKIE_NAME)
    if (!utmCookie?.value) {
      return NextResponse.json({ attributed: false, reason: 'no_utm_cookie' })
    }
    let utmData: z.infer<typeof UtmCookieSchema>
    try {
      let decoded: string
      try {
        decoded = decodeURIComponent(utmCookie.value)
      } catch {
        decoded = utmCookie.value
      }
      utmData = UtmCookieSchema.parse(JSON.parse(decoded))
    } catch {
      logger.warn('Failed to parse UTM cookie', { userId: session.user.id })
      cookieStore.delete(COOKIE_NAME)
      return NextResponse.json({ attributed: false, reason: 'invalid_cookie' })
    }
    const matchedCampaign = await findMatchingCampaign(utmData)
    if (!matchedCampaign) {
      cookieStore.delete(COOKIE_NAME)
      return NextResponse.json({ attributed: false, reason: 'no_matching_campaign' })
    }
    const bonusAmount = Number(matchedCampaign.bonusCreditAmount)
    let attributed = false
    await db.transaction(async (tx) => {
      const [existingStats] = await tx
        .select({ id: userStats.id })
        .from(userStats)
        .where(eq(userStats.userId, session.user.id))
        .limit(1)
      if (!existingStats) {
        await tx.insert(userStats).values({
          id: nanoid(),
          userId: session.user.id,
        })
      }
      const result = await tx
        .insert(referralAttribution)
        .values({
          id: nanoid(),
          userId: session.user.id,
          campaignId: matchedCampaign.id,
          utmSource: utmData.utm_source || null,
          utmMedium: utmData.utm_medium || null,
          utmCampaign: utmData.utm_campaign || null,
          utmContent: utmData.utm_content || null,
          referrerUrl: utmData.referrer_url || null,
          landingPage: utmData.landing_page || null,
          bonusCreditAmount: bonusAmount.toString(),
        })
        .onConflictDoNothing({ target: referralAttribution.userId })
        .returning({ id: referralAttribution.id })
      if (result.length > 0) {
        await applyBonusCredits(session.user.id, bonusAmount, tx)
        attributed = true
      }
    })
    if (attributed) {
      logger.info('Referral attribution created and bonus credits applied', {
        userId: session.user.id,
        campaignId: matchedCampaign.id,
        campaignName: matchedCampaign.name,
        utmSource: utmData.utm_source,
        utmCampaign: utmData.utm_campaign,
        utmContent: utmData.utm_content,
        bonusAmount,
      })
    } else {
      logger.info('User already attributed, skipping', { userId: session.user.id })
    }
    cookieStore.delete(COOKIE_NAME)
    return NextResponse.json({
      attributed,
      bonusAmount: attributed ? bonusAmount : undefined,
      reason: attributed ? undefined : 'already_attributed',
    })
  } catch (error) {
    logger.error('Attribution error', { error })
    return NextResponse.json({ error: 'Internal server error' }, { status: 500 })
  }
 }
--- a/apps/sim/app/api/auth/accounts/route.ts
+++ b/apps/sim/app/api/auth/accounts/route.ts
@@ -1,7 +1,7 @@
 import { db } from '@sim/db'
 import { account } from '@sim/db/schema'
 import { createLogger } from '@sim/logger'
-import { and, eq } from 'drizzle-orm'
+import { and, desc, eq } from 'drizzle-orm'
 import { type NextRequest, NextResponse } from 'next/server'
 import { getSession } from '@/lib/auth'
@@ -31,15 +31,13 @@ export async function GET(request: NextRequest) {
      })
      .from(account)
      .where(and(...whereConditions))
-
+      .orderBy(desc(account.updatedAt))
    // Use the user's email as the display name (consistent with credential selector)
    const userEmail = session.user.email
    const accountsWithDisplayName = accounts.map((acc) => ({
      id: acc.id,
      accountId: acc.accountId,
      providerId: acc.providerId,
-      displayName: userEmail || acc.providerId,
+      displayName: acc.accountId || acc.providerId,
    }))
    return NextResponse.json({ accounts: accountsWithDisplayName })
--- a/apps/sim/app/api/auth/oauth/credentials/route.ts
+++ b/apps/sim/app/api/auth/oauth/credentials/route.ts
@@ -1,5 +1,5 @@
 import { db } from '@sim/db'
-import { account, user } from '@sim/db/schema'
+import { account, credential, credentialMember, user } from '@sim/db/schema'
 import { createLogger } from '@sim/logger'
 import { and, eq } from 'drizzle-orm'
 import { jwtDecode } from 'jwt-decode'
@@ -7,8 +7,10 @@ import { type NextRequest, NextResponse } from 'next/server'
 import { z } from 'zod'
 import { checkSessionOrInternalAuth } from '@/lib/auth/hybrid'
 import { generateRequestId } from '@/lib/core/utils/request'
 import { syncWorkspaceOAuthCredentialsForUser } from '@/lib/credentials/oauth'
 import { evaluateScopeCoverage, type OAuthProvider, parseProvider } from '@/lib/oauth'
 import { authorizeWorkflowByWorkspacePermission } from '@/lib/workflows/utils'
 import { checkWorkspaceAccess } from '@/lib/workspaces/permissions/utils'
 export const dynamic = 'force-dynamic'
@@ -18,6 +20,7 @@ const credentialsQuerySchema = z
  .object({
    provider: z.string().nullish(),
    workflowId: z.string().uuid('Workflow ID must be a valid UUID').nullish(),
    workspaceId: z.string().uuid('Workspace ID must be a valid UUID').nullish(),
    credentialId: z
      .string()
      .min(1, 'Credential ID must not be empty')
@@ -35,6 +38,79 @@ interface GoogleIdToken {
  name?: string
 }
 function toCredentialResponse(
  id: string,
  displayName: string,
  providerId: string,
  updatedAt: Date,
  scope: string | null
 ) {
  const storedScope = scope?.trim()
  const grantedScopes = storedScope ? storedScope.split(/[\s,]+/).filter(Boolean) : []
  const scopeEvaluation = evaluateScopeCoverage(providerId, grantedScopes)
  const [_, featureType = 'default'] = providerId.split('-')
  return {
    id,
    name: displayName,
    provider: providerId,
    lastUsed: updatedAt.toISOString(),
    isDefault: featureType === 'default',
    scopes: scopeEvaluation.grantedScopes,
    canonicalScopes: scopeEvaluation.canonicalScopes,
    missingScopes: scopeEvaluation.missingScopes,
    extraScopes: scopeEvaluation.extraScopes,
    requiresReauthorization: scopeEvaluation.requiresReauthorization,
  }
 }
 async function getFallbackDisplayName(
  requestId: string,
  providerParam: string | null | undefined,
  accountRow: {
    idToken: string | null
    accountId: string
    userId: string
  }
 ) {
  const providerForParse = (providerParam || 'google') as OAuthProvider
  const { baseProvider } = parseProvider(providerForParse)
  if (accountRow.idToken) {
    try {
      const decoded = jwtDecode<GoogleIdToken>(accountRow.idToken)
      if (decoded.email) return decoded.email
      if (decoded.name) return decoded.name
    } catch (_error) {
      logger.warn(`[${requestId}] Error decoding ID token`, {
        accountId: accountRow.accountId,
      })
    }
  }
  if (baseProvider === 'github') {
    return `${accountRow.accountId} (GitHub)`
  }
  try {
    const userRecord = await db
      .select({ email: user.email })
      .from(user)
      .where(eq(user.id, accountRow.userId))
      .limit(1)
    if (userRecord.length > 0) {
      return userRecord[0].email
    }
  } catch (_error) {
    logger.warn(`[${requestId}] Error fetching user email`, {
      userId: accountRow.userId,
    })
  }
  return `${accountRow.accountId} (${baseProvider})`
 }
 /**
 * Get credentials for a specific provider
 */
@@ -46,6 +122,7 @@ export async function GET(request: NextRequest) {
    const rawQuery = {
      provider: searchParams.get('provider'),
      workflowId: searchParams.get('workflowId'),
      workspaceId: searchParams.get('workspaceId'),
      credentialId: searchParams.get('credentialId'),
    }
@@ -78,7 +155,7 @@ export async function GET(request: NextRequest) {
      )
    }
-    const { provider: providerParam, workflowId, credentialId } = parseResult.data
+    const { provider: providerParam, workflowId, workspaceId, credentialId } = parseResult.data
    // Authenticate requester (supports session and internal JWT)
    const authResult = await checkSessionOrInternalAuth(request)
@@ -88,7 +165,7 @@ export async function GET(request: NextRequest) {
    }
    const requesterUserId = authResult.userId
-    const effectiveUserId = requesterUserId
+    let effectiveWorkspaceId = workspaceId ?? undefined
    if (workflowId) {
      const workflowAuthorization = await authorizeWorkflowByWorkspacePermission({
        workflowId,
@@ -106,101 +183,145 @@ export async function GET(request: NextRequest) {
          { status: workflowAuthorization.status }
        )
      }
      effectiveWorkspaceId = workflowAuthorization.workflow?.workspaceId || undefined
    }
-    // Parse the provider to get base provider and feature type (if provider is present)
+    if (effectiveWorkspaceId) {
-    const { baseProvider } = parseProvider((providerParam || 'google') as OAuthProvider)
+      const workspaceAccess = await checkWorkspaceAccess(effectiveWorkspaceId, requesterUserId)
      if (!workspaceAccess.hasAccess) {
        return NextResponse.json({ error: 'Forbidden' }, { status: 403 })
      }
    }
    let accountsData
    if (credentialId) {
      const [platformCredential] = await db
        .select({
          id: credential.id,
          workspaceId: credential.workspaceId,
          type: credential.type,
          displayName: credential.displayName,
          providerId: credential.providerId,
          accountId: credential.accountId,
          accountProviderId: account.providerId,
          accountScope: account.scope,
          accountUpdatedAt: account.updatedAt,
        })
        .from(credential)
        .leftJoin(account, eq(credential.accountId, account.id))
        .where(eq(credential.id, credentialId))
        .limit(1)
      if (platformCredential) {
        if (platformCredential.type !== 'oauth' || !platformCredential.accountId) {
          return NextResponse.json({ credentials: [] }, { status: 200 })
        }
        if (workflowId) {
          if (!effectiveWorkspaceId || platformCredential.workspaceId !== effectiveWorkspaceId) {
            return NextResponse.json({ error: 'Forbidden' }, { status: 403 })
          }
        } else {
          const [membership] = await db
            .select({ id: credentialMember.id })
            .from(credentialMember)
            .where(
              and(
                eq(credentialMember.credentialId, platformCredential.id),
                eq(credentialMember.userId, requesterUserId),
                eq(credentialMember.status, 'active')
              )
            )
            .limit(1)
          if (!membership) {
            return NextResponse.json({ error: 'Forbidden' }, { status: 403 })
          }
        }
        if (!platformCredential.accountProviderId || !platformCredential.accountUpdatedAt) {
          return NextResponse.json({ credentials: [] }, { status: 200 })
        }
        return NextResponse.json(
          {
            credentials: [
              toCredentialResponse(
                platformCredential.id,
                platformCredential.displayName,
                platformCredential.accountProviderId,
                platformCredential.accountUpdatedAt,
                platformCredential.accountScope
              ),
            ],
          },
          { status: 200 }
        )
      }
    }
    if (effectiveWorkspaceId && providerParam) {
      await syncWorkspaceOAuthCredentialsForUser({
        workspaceId: effectiveWorkspaceId,
        userId: requesterUserId,
      })
      const credentialsData = await db
        .select({
          id: credential.id,
          displayName: credential.displayName,
          providerId: account.providerId,
          scope: account.scope,
          updatedAt: account.updatedAt,
        })
        .from(credential)
        .innerJoin(account, eq(credential.accountId, account.id))
        .innerJoin(
          credentialMember,
          and(
            eq(credentialMember.credentialId, credential.id),
            eq(credentialMember.userId, requesterUserId),
            eq(credentialMember.status, 'active')
          )
        )
        .where(
          and(
            eq(credential.workspaceId, effectiveWorkspaceId),
            eq(credential.type, 'oauth'),
            eq(account.providerId, providerParam)
          )
        )
      return NextResponse.json(
        {
          credentials: credentialsData.map((row) =>
            toCredentialResponse(row.id, row.displayName, row.providerId, row.updatedAt, row.scope)
          ),
        },
        { status: 200 }
      )
    }
    if (credentialId && workflowId) {
      // When both workflowId and credentialId are provided, fetch by ID only.
      // Workspace authorization above already proves access; the credential
      // may belong to another workspace member (e.g. for display name resolution).
      accountsData = await db.select().from(account).where(eq(account.id, credentialId))
    } else if (credentialId) {
      accountsData = await db
        .select()
        .from(account)
-        .where(and(eq(account.userId, effectiveUserId), eq(account.id, credentialId)))
+        .where(and(eq(account.userId, requesterUserId), eq(account.id, credentialId)))
    } else {
      // Fetch all credentials for provider and effective user
      accountsData = await db
        .select()
        .from(account)
-        .where(and(eq(account.userId, effectiveUserId), eq(account.providerId, providerParam!)))
+        .where(and(eq(account.userId, requesterUserId), eq(account.providerId, providerParam!)))
    }
    // Transform accounts into credentials
    const credentials = await Promise.all(
      accountsData.map(async (acc) => {
-        // Extract the feature type from providerId (e.g., 'google-default' -> 'default')
+        const displayName = await getFallbackDisplayName(requestId, providerParam, acc)
-        const [_, featureType = 'default'] = acc.providerId.split('-')
+        return toCredentialResponse(acc.id, displayName, acc.providerId, acc.updatedAt, acc.scope)
        // Try multiple methods to get a user-friendly display name
        let displayName = ''
        // Method 1: Try to extract email from ID token (works for Google, etc.)
        if (acc.idToken) {
          try {
            const decoded = jwtDecode<GoogleIdToken>(acc.idToken)
            if (decoded.email) {
              displayName = decoded.email
            } else if (decoded.name) {
              displayName = decoded.name
            }
          } catch (_error) {
            logger.warn(`[${requestId}] Error decoding ID token`, {
              accountId: acc.id,
            })
          }
        }
        // Method 2: For GitHub, the accountId might be the username
        if (!displayName && baseProvider === 'github') {
          displayName = `${acc.accountId} (GitHub)`
        }
        // Method 3: Try to get the user's email from our database
        if (!displayName) {
          try {
            const userRecord = await db
              .select({ email: user.email })
              .from(user)
              .where(eq(user.id, acc.userId))
              .limit(1)
            if (userRecord.length > 0) {
              displayName = userRecord[0].email
            }
          } catch (_error) {
            logger.warn(`[${requestId}] Error fetching user email`, {
              userId: acc.userId,
            })
          }
        }
        // Fallback: Use accountId with provider type as context
        if (!displayName) {
          displayName = `${acc.accountId} (${baseProvider})`
        }
        const storedScope = acc.scope?.trim()
        const grantedScopes = storedScope ? storedScope.split(/[\s,]+/).filter(Boolean) : []
        const scopeEvaluation = evaluateScopeCoverage(acc.providerId, grantedScopes)
        return {
          id: acc.id,
          name: displayName,
          provider: acc.providerId,
          lastUsed: acc.updatedAt.toISOString(),
          isDefault: featureType === 'default',
          scopes: scopeEvaluation.grantedScopes,
          canonicalScopes: scopeEvaluation.canonicalScopes,
          missingScopes: scopeEvaluation.missingScopes,
          extraScopes: scopeEvaluation.extraScopes,
          requiresReauthorization: scopeEvaluation.requiresReauthorization,
        }
      })
    )
--- a/apps/sim/app/api/auth/oauth/disconnect/route.ts
+++ b/apps/sim/app/api/auth/oauth/disconnect/route.ts
@@ -15,6 +15,7 @@ const logger = createLogger('OAuthDisconnectAPI')
 const disconnectSchema = z.object({
  provider: z.string({ required_error: 'Provider is required' }).min(1, 'Provider is required'),
  providerId: z.string().optional(),
  accountId: z.string().optional(),
 })
 /**
@@ -50,15 +51,20 @@ export async function POST(request: NextRequest) {
      )
    }
-    const { provider, providerId } = parseResult.data
+    const { provider, providerId, accountId } = parseResult.data
    logger.info(`[${requestId}] Processing OAuth disconnect request`, {
      provider,
      hasProviderId: !!providerId,
    })
-    // If a specific providerId is provided, delete only that account
+    // If a specific account row ID is provided, delete that exact account
-    if (providerId) {
+    if (accountId) {
      await db
        .delete(account)
        .where(and(eq(account.userId, session.user.id), eq(account.id, accountId)))
    } else if (providerId) {
      // If a specific providerId is provided, delete accounts for that provider ID
      await db
        .delete(account)
        .where(and(eq(account.userId, session.user.id), eq(account.providerId, providerId)))
--- a/apps/sim/app/api/auth/oauth/microsoft/file/route.ts
+++ b/apps/sim/app/api/auth/oauth/microsoft/file/route.ts
@@ -38,13 +38,18 @@ export async function GET(request: NextRequest) {
      return NextResponse.json({ error: authz.error || 'Unauthorized' }, { status })
    }
-    const credential = await getCredential(requestId, credentialId, authz.credentialOwnerUserId)
+    const resolvedCredentialId = authz.resolvedCredentialId || credentialId
    const credential = await getCredential(
      requestId,
      resolvedCredentialId,
      authz.credentialOwnerUserId
    )
    if (!credential) {
      return NextResponse.json({ error: 'Credential not found' }, { status: 404 })
    }
    const accessToken = await refreshAccessTokenIfNeeded(
-      credentialId,
+      resolvedCredentialId,
      authz.credentialOwnerUserId,
      requestId
    )
--- a/apps/sim/app/api/auth/oauth/microsoft/files/route.ts
+++ b/apps/sim/app/api/auth/oauth/microsoft/files/route.ts
@@ -37,14 +37,19 @@ export async function GET(request: NextRequest) {
      return NextResponse.json({ error: authz.error || 'Unauthorized' }, { status })
    }
-    const credential = await getCredential(requestId, credentialId, authz.credentialOwnerUserId)
+    const resolvedCredentialId = authz.resolvedCredentialId || credentialId
    const credential = await getCredential(
      requestId,
      resolvedCredentialId,
      authz.credentialOwnerUserId
    )
    if (!credential) {
      return NextResponse.json({ error: 'Credential not found' }, { status: 404 })
    }
    // Refresh access token if needed using the utility function
    const accessToken = await refreshAccessTokenIfNeeded(
-      credentialId,
+      resolvedCredentialId,
      authz.credentialOwnerUserId,
      requestId
    )
--- a/apps/sim/app/api/auth/oauth/token/route.test.ts
+++ b/apps/sim/app/api/auth/oauth/token/route.test.ts
@@ -351,10 +351,11 @@ describe('OAuth Token API Routes', () => {
   */
  describe('GET handler', () => {
    it('should return access token successfully', async () => {
-      mockCheckSessionOrInternalAuth.mockResolvedValueOnce({
+      mockAuthorizeCredentialUse.mockResolvedValueOnce({
-        success: true,
+        ok: true,
        authType: 'session',
-        userId: 'test-user-id',
+        requesterUserId: 'test-user-id',
        credentialOwnerUserId: 'test-user-id',
      })
      mockGetCredential.mockResolvedValueOnce({
        id: 'credential-id',
@@ -380,8 +381,8 @@ describe('OAuth Token API Routes', () => {
      expect(response.status).toBe(200)
      expect(data).toHaveProperty('accessToken', 'fresh-token')
-      expect(mockCheckSessionOrInternalAuth).toHaveBeenCalled()
+      expect(mockAuthorizeCredentialUse).toHaveBeenCalled()
-      expect(mockGetCredential).toHaveBeenCalledWith(mockRequestId, 'credential-id', 'test-user-id')
+      expect(mockGetCredential).toHaveBeenCalled()
      expect(mockRefreshTokenIfNeeded).toHaveBeenCalled()
    })
@@ -399,8 +400,8 @@ describe('OAuth Token API Routes', () => {
    })
    it('should handle authentication failure', async () => {
-      mockCheckSessionOrInternalAuth.mockResolvedValueOnce({
+      mockAuthorizeCredentialUse.mockResolvedValueOnce({
-        success: false,
+        ok: false,
        error: 'Authentication required',
      })
@@ -413,15 +414,16 @@ describe('OAuth Token API Routes', () => {
      const response = await GET(req as any)
      const data = await response.json()
-      expect(response.status).toBe(401)
+      expect(response.status).toBe(403)
      expect(data).toHaveProperty('error')
    })
    it('should handle credential not found', async () => {
-      mockCheckSessionOrInternalAuth.mockResolvedValueOnce({
+      mockAuthorizeCredentialUse.mockResolvedValueOnce({
-        success: true,
+        ok: true,
        authType: 'session',
-        userId: 'test-user-id',
+        requesterUserId: 'test-user-id',
        credentialOwnerUserId: 'test-user-id',
      })
      mockGetCredential.mockResolvedValueOnce(undefined)
@@ -439,10 +441,11 @@ describe('OAuth Token API Routes', () => {
    })
    it('should handle missing access token', async () => {
-      mockCheckSessionOrInternalAuth.mockResolvedValueOnce({
+      mockAuthorizeCredentialUse.mockResolvedValueOnce({
-        success: true,
+        ok: true,
        authType: 'session',
-        userId: 'test-user-id',
+        requesterUserId: 'test-user-id',
        credentialOwnerUserId: 'test-user-id',
      })
      mockGetCredential.mockResolvedValueOnce({
        id: 'credential-id',
@@ -465,10 +468,11 @@ describe('OAuth Token API Routes', () => {
    })
    it('should handle token refresh failure', async () => {
-      mockCheckSessionOrInternalAuth.mockResolvedValueOnce({
+      mockAuthorizeCredentialUse.mockResolvedValueOnce({
-        success: true,
+        ok: true,
        authType: 'session',
-        userId: 'test-user-id',
+        requesterUserId: 'test-user-id',
        credentialOwnerUserId: 'test-user-id',
      })
      mockGetCredential.mockResolvedValueOnce({
        id: 'credential-id',
--- a/apps/sim/app/api/auth/oauth/token/route.ts
+++ b/apps/sim/app/api/auth/oauth/token/route.ts
@@ -110,23 +110,35 @@ export async function POST(request: NextRequest) {
      return NextResponse.json({ error: 'Credential ID is required' }, { status: 400 })
    }
    const callerUserId = new URL(request.url).searchParams.get('userId') || undefined
    const authz = await authorizeCredentialUse(request, {
      credentialId,
      workflowId: workflowId ?? undefined,
      requireWorkflowIdForInternal: false,
      callerUserId,
    })
    if (!authz.ok || !authz.credentialOwnerUserId) {
      return NextResponse.json({ error: authz.error || 'Unauthorized' }, { status: 403 })
    }
-    const credential = await getCredential(requestId, credentialId, authz.credentialOwnerUserId)
+    const resolvedCredentialId = authz.resolvedCredentialId || credentialId
    const credential = await getCredential(
      requestId,
      resolvedCredentialId,
      authz.credentialOwnerUserId
    )
    if (!credential) {
      return NextResponse.json({ error: 'Credential not found' }, { status: 404 })
    }
    try {
-      const { accessToken } = await refreshTokenIfNeeded(requestId, credential, credentialId)
+      const { accessToken } = await refreshTokenIfNeeded(
        requestId,
        credential,
        resolvedCredentialId
      )
      let instanceUrl: string | undefined
      if (credential.providerId === 'salesforce' && credential.scope) {
@@ -186,13 +198,20 @@ export async function GET(request: NextRequest) {
    const { credentialId } = parseResult.data
-    // For GET requests, we only support session-based authentication
+    const authz = await authorizeCredentialUse(request, {
-    const auth = await checkSessionOrInternalAuth(request, { requireWorkflowId: false })
+      credentialId,
-    if (!auth.success || auth.authType !== 'session' || !auth.userId) {
+      requireWorkflowIdForInternal: false,
-      return NextResponse.json({ error: 'User not authenticated' }, { status: 401 })
+    })
    if (!authz.ok || authz.authType !== 'session' || !authz.credentialOwnerUserId) {
      return NextResponse.json({ error: authz.error || 'Unauthorized' }, { status: 403 })
    }
-    const credential = await getCredential(requestId, credentialId, auth.userId)
+    const resolvedCredentialId = authz.resolvedCredentialId || credentialId
    const credential = await getCredential(
      requestId,
      resolvedCredentialId,
      authz.credentialOwnerUserId
    )
    if (!credential) {
      return NextResponse.json({ error: 'Credential not found' }, { status: 404 })
@@ -204,7 +223,11 @@ export async function GET(request: NextRequest) {
    }
    try {
-      const { accessToken } = await refreshTokenIfNeeded(requestId, credential, credentialId)
+      const { accessToken } = await refreshTokenIfNeeded(
        requestId,
        credential,
        resolvedCredentialId
      )
      // For Salesforce, extract instanceUrl from the scope field
      let instanceUrl: string | undefined
--- a/apps/sim/app/api/auth/oauth/utils.test.ts
+++ b/apps/sim/app/api/auth/oauth/utils.test.ts
@@ -4,20 +4,10 @@
 * @vitest-environment node
 */
-import { loggerMock } from '@sim/testing'
+import { databaseMock, loggerMock } from '@sim/testing'
 import { afterEach, beforeEach, describe, expect, it, vi } from 'vitest'
-vi.mock('@sim/db', () => ({
+vi.mock('@sim/db', () => databaseMock)
  db: {
    select: vi.fn().mockReturnThis(),
    from: vi.fn().mockReturnThis(),
    where: vi.fn().mockReturnThis(),
    limit: vi.fn().mockReturnValue([]),
    update: vi.fn().mockReturnThis(),
    set: vi.fn().mockReturnThis(),
    orderBy: vi.fn().mockReturnThis(),
  },
 }))
 vi.mock('@/lib/oauth/oauth', () => ({
  refreshOAuthToken: vi.fn(),
@@ -34,13 +24,36 @@ import {
  refreshTokenIfNeeded,
 } from '@/app/api/auth/oauth/utils'
-const mockDbTyped = db as any
+const mockDb = db as any
 const mockRefreshOAuthToken = refreshOAuthToken as any
 /**
 * Creates a chainable mock for db.select() calls.
 * Returns a nested chain: select() -> from() -> where() -> limit() / orderBy()
 */
 function mockSelectChain(limitResult: unknown[]) {
  const mockLimit = vi.fn().mockReturnValue(limitResult)
  const mockOrderBy = vi.fn().mockReturnValue(limitResult)
  const mockWhere = vi.fn().mockReturnValue({ limit: mockLimit, orderBy: mockOrderBy })
  const mockFrom = vi.fn().mockReturnValue({ where: mockWhere })
  mockDb.select.mockReturnValueOnce({ from: mockFrom })
  return { mockFrom, mockWhere, mockLimit }
 }
 /**
 * Creates a chainable mock for db.update() calls.
 * Returns a nested chain: update() -> set() -> where()
 */
 function mockUpdateChain() {
  const mockWhere = vi.fn().mockResolvedValue({})
  const mockSet = vi.fn().mockReturnValue({ where: mockWhere })
  mockDb.update.mockReturnValueOnce({ set: mockSet })
  return { mockSet, mockWhere }
 }
 describe('OAuth Utils', () => {
  beforeEach(() => {
    vi.clearAllMocks()
    mockDbTyped.limit.mockReturnValue([])
  })
  afterEach(() => {
@@ -49,21 +62,23 @@ describe('OAuth Utils', () => {
  describe('getCredential', () => {
    it('should return credential when found', async () => {
-      const mockCredential = { id: 'credential-id', userId: 'test-user-id' }
+      const mockCredentialRow = { type: 'oauth', accountId: 'resolved-account-id' }
-      mockDbTyped.limit.mockReturnValueOnce([mockCredential])
+      const mockAccountRow = { id: 'resolved-account-id', userId: 'test-user-id' }
      mockSelectChain([mockCredentialRow])
      mockSelectChain([mockAccountRow])
      const credential = await getCredential('request-id', 'credential-id', 'test-user-id')
-      expect(mockDbTyped.select).toHaveBeenCalled()
+      expect(mockDb.select).toHaveBeenCalledTimes(2)
      expect(mockDbTyped.from).toHaveBeenCalled()
      expect(mockDbTyped.where).toHaveBeenCalled()
      expect(mockDbTyped.limit).toHaveBeenCalledWith(1)
-      expect(credential).toEqual(mockCredential)
+      expect(credential).toMatchObject(mockAccountRow)
      expect(credential).toMatchObject({ resolvedCredentialId: 'resolved-account-id' })
    })
    it('should return undefined when credential is not found', async () => {
-      mockDbTyped.limit.mockReturnValueOnce([])
+      mockSelectChain([])
      mockSelectChain([])
      const credential = await getCredential('request-id', 'nonexistent-id', 'test-user-id')
@@ -102,11 +117,12 @@ describe('OAuth Utils', () => {
        refreshToken: 'new-refresh-token',
      })
      mockUpdateChain()
      const result = await refreshTokenIfNeeded('request-id', mockCredential, 'credential-id')
      expect(mockRefreshOAuthToken).toHaveBeenCalledWith('google', 'refresh-token')
-      expect(mockDbTyped.update).toHaveBeenCalled()
+      expect(mockDb.update).toHaveBeenCalled()
      expect(mockDbTyped.set).toHaveBeenCalled()
      expect(result).toEqual({ accessToken: 'new-token', refreshed: true })
    })
@@ -144,15 +160,17 @@ describe('OAuth Utils', () => {
  describe('refreshAccessTokenIfNeeded', () => {
    it('should return valid access token without refresh if not expired', async () => {
-      const mockCredential = {
+      const mockCredentialRow = { type: 'oauth', accountId: 'account-id' }
-        id: 'credential-id',
+      const mockAccountRow = {
        id: 'account-id',
        accessToken: 'valid-token',
        refreshToken: 'refresh-token',
        accessTokenExpiresAt: new Date(Date.now() + 3600 * 1000),
        providerId: 'google',
        userId: 'test-user-id',
      }
-      mockDbTyped.limit.mockReturnValueOnce([mockCredential])
+      mockSelectChain([mockCredentialRow])
      mockSelectChain([mockAccountRow])
      const token = await refreshAccessTokenIfNeeded('credential-id', 'test-user-id', 'request-id')
@@ -161,15 +179,18 @@ describe('OAuth Utils', () => {
    })
    it('should refresh token when expired', async () => {
-      const mockCredential = {
+      const mockCredentialRow = { type: 'oauth', accountId: 'account-id' }
-        id: 'credential-id',
+      const mockAccountRow = {
        id: 'account-id',
        accessToken: 'expired-token',
        refreshToken: 'refresh-token',
        accessTokenExpiresAt: new Date(Date.now() - 3600 * 1000),
        providerId: 'google',
        userId: 'test-user-id',
      }
-      mockDbTyped.limit.mockReturnValueOnce([mockCredential])
+      mockSelectChain([mockCredentialRow])
      mockSelectChain([mockAccountRow])
      mockUpdateChain()
      mockRefreshOAuthToken.mockResolvedValueOnce({
        accessToken: 'new-token',
@@ -180,13 +201,13 @@ describe('OAuth Utils', () => {
      const token = await refreshAccessTokenIfNeeded('credential-id', 'test-user-id', 'request-id')
      expect(mockRefreshOAuthToken).toHaveBeenCalledWith('google', 'refresh-token')
-      expect(mockDbTyped.update).toHaveBeenCalled()
+      expect(mockDb.update).toHaveBeenCalled()
      expect(mockDbTyped.set).toHaveBeenCalled()
      expect(token).toBe('new-token')
    })
    it('should return null if credential not found', async () => {
-      mockDbTyped.limit.mockReturnValueOnce([])
+      mockSelectChain([])
      mockSelectChain([])
      const token = await refreshAccessTokenIfNeeded('nonexistent-id', 'test-user-id', 'request-id')
@@ -194,15 +215,17 @@ describe('OAuth Utils', () => {
    })
    it('should return null if refresh fails', async () => {
-      const mockCredential = {
+      const mockCredentialRow = { type: 'oauth', accountId: 'account-id' }
-        id: 'credential-id',
+      const mockAccountRow = {
        id: 'account-id',
        accessToken: 'expired-token',
        refreshToken: 'refresh-token',
        accessTokenExpiresAt: new Date(Date.now() - 3600 * 1000),
        providerId: 'google',
        userId: 'test-user-id',
      }
-      mockDbTyped.limit.mockReturnValueOnce([mockCredential])
+      mockSelectChain([mockCredentialRow])
      mockSelectChain([mockAccountRow])
      mockRefreshOAuthToken.mockResolvedValueOnce(null)
--- a/apps/sim/app/api/auth/oauth/utils.ts
+++ b/apps/sim/app/api/auth/oauth/utils.ts
@@ -1,5 +1,5 @@
 import { db } from '@sim/db'
-import { account, credentialSetMember } from '@sim/db/schema'
+import { account, credential, credentialSetMember } from '@sim/db/schema'
 import { createLogger } from '@sim/logger'
 import { and, desc, eq, inArray } from 'drizzle-orm'
 import { refreshOAuthToken } from '@/lib/oauth'
@@ -25,6 +25,28 @@ interface AccountInsertData {
  accessTokenExpiresAt?: Date
 }
 async function resolveOAuthAccountId(
  credentialId: string
 ): Promise<{ accountId: string; usedCredentialTable: boolean } | null> {
  const [credentialRow] = await db
    .select({
      type: credential.type,
      accountId: credential.accountId,
    })
    .from(credential)
    .where(eq(credential.id, credentialId))
    .limit(1)
  if (credentialRow) {
    if (credentialRow.type !== 'oauth' || !credentialRow.accountId) {
      return null
    }
    return { accountId: credentialRow.accountId, usedCredentialTable: true }
  }
  return { accountId: credentialId, usedCredentialTable: false }
 }
 /**
 * Safely inserts an account record, handling duplicate constraint violations gracefully.
 * If a duplicate is detected (unique constraint violation), logs a warning and returns success.
@@ -52,10 +74,16 @@ export async function safeAccountInsert(
 * Get a credential by ID and verify it belongs to the user
 */
 export async function getCredential(requestId: string, credentialId: string, userId: string) {
  const resolved = await resolveOAuthAccountId(credentialId)
  if (!resolved) {
    logger.warn(`[${requestId}] Credential is not an OAuth credential`)
    return undefined
  }
  const credentials = await db
    .select()
    .from(account)
-    .where(and(eq(account.id, credentialId), eq(account.userId, userId)))
+    .where(and(eq(account.id, resolved.accountId), eq(account.userId, userId)))
    .limit(1)
  if (!credentials.length) {
@@ -63,7 +91,10 @@ export async function getCredential(requestId: string, credentialId: string, use
    return undefined
  }
-  return credentials[0]
+  return {
    ...credentials[0],
    resolvedCredentialId: resolved.accountId,
  }
 }
 export async function getOAuthToken(userId: string, providerId: string): Promise<string | null> {
@@ -238,7 +269,9 @@ export async function refreshAccessTokenIfNeeded(
      }
      // Update the token in the database
-      await db.update(account).set(updateData).where(eq(account.id, credentialId))
+      const resolvedCredentialId =
        (credential as { resolvedCredentialId?: string }).resolvedCredentialId ?? credentialId
      await db.update(account).set(updateData).where(eq(account.id, resolvedCredentialId))
      logger.info(`[${requestId}] Successfully refreshed access token for credential`)
      return refreshedToken.accessToken
@@ -274,6 +307,8 @@ export async function refreshTokenIfNeeded(
  credential: any,
  credentialId: string
 ): Promise<{ accessToken: string; refreshed: boolean }> {
  const resolvedCredentialId = credential.resolvedCredentialId ?? credentialId
  // Decide if we should refresh: token missing OR expired
  const accessTokenExpiresAt = credential.accessTokenExpiresAt
  const refreshTokenExpiresAt = credential.refreshTokenExpiresAt
@@ -334,7 +369,7 @@ export async function refreshTokenIfNeeded(
      updateData.refreshTokenExpiresAt = getMicrosoftRefreshTokenExpiry()
    }
-    await db.update(account).set(updateData).where(eq(account.id, credentialId))
+    await db.update(account).set(updateData).where(eq(account.id, resolvedCredentialId))
    logger.info(`[${requestId}] Successfully refreshed access token`)
    return { accessToken: refreshedToken, refreshed: true }
@@ -343,7 +378,7 @@ export async function refreshTokenIfNeeded(
      `[${requestId}] Refresh attempt failed, checking if another concurrent request succeeded`
    )
-    const freshCredential = await getCredential(requestId, credentialId, credential.userId)
+    const freshCredential = await getCredential(requestId, resolvedCredentialId, credential.userId)
    if (freshCredential?.accessToken) {
      const freshExpiresAt = freshCredential.accessTokenExpiresAt
      const stillValid = !freshExpiresAt || freshExpiresAt > new Date()
--- a/apps/sim/app/api/auth/oauth2/shopify/store/route.ts
+++ b/apps/sim/app/api/auth/oauth2/shopify/store/route.ts
@@ -48,16 +48,21 @@ export async function GET(request: NextRequest) {
    const shopData = await shopResponse.json()
    const shopInfo = shopData.shop
    const stableAccountId = shopInfo.id?.toString() || shopDomain
    const existing = await db.query.account.findFirst({
-      where: and(eq(account.userId, session.user.id), eq(account.providerId, 'shopify')),
+      where: and(
        eq(account.userId, session.user.id),
        eq(account.providerId, 'shopify'),
        eq(account.accountId, stableAccountId)
      ),
    })
    const now = new Date()
    const accountData = {
      accessToken: accessToken,
-      accountId: shopInfo.id?.toString() || shopDomain,
+      accountId: stableAccountId,
      scope: scope || '',
      updatedAt: now,
      idToken: shopDomain,
--- a/apps/sim/app/api/auth/trello/store/route.ts
+++ b/apps/sim/app/api/auth/trello/store/route.ts
@@ -52,7 +52,11 @@ export async function POST(request: NextRequest) {
    const trelloUser = await userResponse.json()
    const existing = await db.query.account.findFirst({
-      where: and(eq(account.userId, session.user.id), eq(account.providerId, 'trello')),
+      where: and(
        eq(account.userId, session.user.id),
        eq(account.providerId, 'trello'),
        eq(account.accountId, trelloUser.id)
      ),
    })
    const now = new Date()
--- a/apps/sim/app/api/copilot/auto-allowed-tools/route.ts
+++ b/apps/sim/app/api/copilot/auto-allowed-tools/route.ts
@@ -1,81 +1,145 @@
 import { db } from '@sim/db'
 import { settings } from '@sim/db/schema'
 import { createLogger } from '@sim/logger'
 import { eq } from 'drizzle-orm'
 import { type NextRequest, NextResponse } from 'next/server'
-import { SIM_AGENT_API_URL } from '@/lib/copilot/constants'
+import { getSession } from '@/lib/auth'
 import { authenticateCopilotRequestSessionOnly } from '@/lib/copilot/request-helpers'
 import { env } from '@/lib/core/config/env'
 const logger = createLogger('CopilotAutoAllowedToolsAPI')
-function copilotHeaders(): HeadersInit {
+/**
-  const headers: Record<string, string> = {
+ * GET - Fetch user's auto-allowed integration tools
-    'Content-Type': 'application/json',
+ */
-  }
+export async function GET() {
-  if (env.COPILOT_API_KEY) {
+  try {
-    headers['x-api-key'] = env.COPILOT_API_KEY
+    const session = await getSession()
  }
  return headers
 }
-export async function DELETE(request: NextRequest) {
+    if (!session?.user?.id) {
  const { userId, isAuthenticated } = await authenticateCopilotRequestSessionOnly()
  if (!isAuthenticated || !userId) {
      return NextResponse.json({ error: 'Unauthorized' }, { status: 401 })
    }
-  const toolIdFromQuery = new URL(request.url).searchParams.get('toolId') || undefined
+    const userId = session.user.id
-  const toolIdFromBody = await request
+
-    .json()
+    const [userSettings] = await db
-    .then((body) => (typeof body?.toolId === 'string' ? body.toolId : undefined))
+      .select()
-    .catch(() => undefined)
+      .from(settings)
-  const toolId = toolIdFromBody || toolIdFromQuery
+      .where(eq(settings.userId, userId))
-  if (!toolId) {
+      .limit(1)
-    return NextResponse.json({ error: 'toolId is required' }, { status: 400 })
+
    if (userSettings) {
      const autoAllowedTools = (userSettings.copilotAutoAllowedTools as string[]) || []
      return NextResponse.json({ autoAllowedTools })
    }
-  try {
+    await db.insert(settings).values({
-    const res = await fetch(`${SIM_AGENT_API_URL}/api/tool-preferences/auto-allowed`, {
+      id: userId,
      method: 'DELETE',
      headers: copilotHeaders(),
      body: JSON.stringify({
      userId,
-        toolId,
+      copilotAutoAllowedTools: [],
      }),
    })
-    const payload = await res.json().catch(() => ({}))
+    return NextResponse.json({ autoAllowedTools: [] })
    if (!res.ok) {
      logger.warn('Failed to remove auto-allowed tool via copilot backend', {
        status: res.status,
        userId,
        toolId,
      })
      return NextResponse.json(
        {
          success: false,
          error: payload?.error || 'Failed to remove auto-allowed tool',
          autoAllowedTools: [],
        },
        { status: res.status }
      )
    }
    return NextResponse.json({
      success: true,
      autoAllowedTools: Array.isArray(payload?.autoAllowedTools) ? payload.autoAllowedTools : [],
    })
  } catch (error) {
-    logger.error('Error removing auto-allowed tool', {
+    logger.error('Failed to fetch auto-allowed tools', { error })
-      userId,
+    return NextResponse.json({ error: 'Internal server error' }, { status: 500 })
-      toolId,
+  }
-      error: error instanceof Error ? error.message : String(error),
+}
-    })
+
-    return NextResponse.json(
+/**
-      {
+ * POST - Add a tool to the auto-allowed list
-        success: false,
+ */
-        error: 'Failed to remove auto-allowed tool',
+export async function POST(request: NextRequest) {
-        autoAllowedTools: [],
+  try {
-      },
+    const session = await getSession()
-      { status: 500 }
+
-    )
+    if (!session?.user?.id) {
      return NextResponse.json({ error: 'Unauthorized' }, { status: 401 })
    }
    const userId = session.user.id
    const body = await request.json()
    if (!body.toolId || typeof body.toolId !== 'string') {
      return NextResponse.json({ error: 'toolId must be a string' }, { status: 400 })
    }
    const toolId = body.toolId
    const [existing] = await db.select().from(settings).where(eq(settings.userId, userId)).limit(1)
    if (existing) {
      const currentTools = (existing.copilotAutoAllowedTools as string[]) || []
      if (!currentTools.includes(toolId)) {
        const updatedTools = [...currentTools, toolId]
        await db
          .update(settings)
          .set({
            copilotAutoAllowedTools: updatedTools,
            updatedAt: new Date(),
          })
          .where(eq(settings.userId, userId))
        logger.info('Added tool to auto-allowed list', { userId, toolId })
        return NextResponse.json({ success: true, autoAllowedTools: updatedTools })
      }
      return NextResponse.json({ success: true, autoAllowedTools: currentTools })
    }
    await db.insert(settings).values({
      id: userId,
      userId,
      copilotAutoAllowedTools: [toolId],
    })
    logger.info('Created settings and added tool to auto-allowed list', { userId, toolId })
    return NextResponse.json({ success: true, autoAllowedTools: [toolId] })
  } catch (error) {
    logger.error('Failed to add auto-allowed tool', { error })
    return NextResponse.json({ error: 'Internal server error' }, { status: 500 })
  }
 }
 /**
 * DELETE - Remove a tool from the auto-allowed list
 */
 export async function DELETE(request: NextRequest) {
  try {
    const session = await getSession()
    if (!session?.user?.id) {
      return NextResponse.json({ error: 'Unauthorized' }, { status: 401 })
    }
    const userId = session.user.id
    const { searchParams } = new URL(request.url)
    const toolId = searchParams.get('toolId')
    if (!toolId) {
      return NextResponse.json({ error: 'toolId query parameter is required' }, { status: 400 })
    }
    const [existing] = await db.select().from(settings).where(eq(settings.userId, userId)).limit(1)
    if (existing) {
      const currentTools = (existing.copilotAutoAllowedTools as string[]) || []
      const updatedTools = currentTools.filter((t) => t !== toolId)
      await db
        .update(settings)
        .set({
          copilotAutoAllowedTools: updatedTools,
          updatedAt: new Date(),
        })
        .where(eq(settings.userId, userId))
      logger.info('Removed tool from auto-allowed list', { userId, toolId })
      return NextResponse.json({ success: true, autoAllowedTools: updatedTools })
    }
    return NextResponse.json({ success: true, autoAllowedTools: [] })
  } catch (error) {
    logger.error('Failed to remove auto-allowed tool', { error })
    return NextResponse.json({ error: 'Internal server error' }, { status: 500 })
  }
 }
--- a/apps/sim/app/api/copilot/chat/route.ts
+++ b/apps/sim/app/api/copilot/chat/route.ts
@@ -28,24 +28,13 @@ import { resolveWorkflowIdForUser } from '@/lib/workflows/utils'
 const logger = createLogger('CopilotChatAPI')
 function truncateForLog(value: string, maxLength = 120): string {
  if (!value || maxLength <= 0) return ''
  return value.length <= maxLength ? value : `${value.slice(0, maxLength)}...`
 }
 async function requestChatTitleFromCopilot(params: {
  message: string
  model: string
  provider?: string
 }): Promise<string | null> {
  const { message, model, provider } = params
-  if (!message || !model) {
+  if (!message || !model) return null
    logger.warn('Skipping chat title request because message/model is missing', {
      hasMessage: !!message,
      hasModel: !!model,
    })
    return null
  }
  const headers: Record<string, string> = {
    'Content-Type': 'application/json',
@@ -55,13 +44,6 @@ async function requestChatTitleFromCopilot(params: {
  }
  try {
    logger.info('Requesting chat title from copilot backend', {
      model,
      provider: provider || null,
      messageLength: message.length,
      messagePreview: truncateForLog(message),
    })
    const response = await fetch(`${SIM_AGENT_API_URL}/api/generate-chat-title`, {
      method: 'POST',
      headers,
@@ -81,32 +63,10 @@ async function requestChatTitleFromCopilot(params: {
      return null
    }
-    const rawTitle = typeof payload?.title === 'string' ? payload.title : ''
+    const title = typeof payload?.title === 'string' ? payload.title.trim() : ''
    const title = rawTitle.trim()
    logger.info('Received chat title response from copilot backend', {
      status: response.status,
      hasRawTitle: !!rawTitle,
      rawTitle,
      normalizedTitle: title,
      messagePreview: truncateForLog(message),
    })
    if (!title) {
      logger.warn('Copilot backend returned empty chat title', {
        payload,
        model,
        provider: provider || null,
      })
    }
    return title || null
  } catch (error) {
-    logger.error('Error generating chat title:', {
+    logger.error('Error generating chat title:', error)
      error,
      model,
      provider: provider || null,
      messagePreview: truncateForLog(message),
    })
    return null
  }
 }
@@ -125,7 +85,7 @@ const ChatMessageSchema = z.object({
  chatId: z.string().optional(),
  workflowId: z.string().optional(),
  workflowName: z.string().optional(),
-  model: z.string().optional().default('claude-opus-4-6'),
+  model: z.string().optional().default('claude-opus-4-5'),
  mode: z.enum(COPILOT_REQUEST_MODES).optional().default('agent'),
  prefetch: z.boolean().optional(),
  createNewChat: z.boolean().optional().default(false),
@@ -278,8 +238,7 @@ export async function POST(req: NextRequest) {
    let currentChat: any = null
    let conversationHistory: any[] = []
    let actualChatId = chatId
-    let chatWasCreatedForRequest = false
+    const selectedModel = model || 'claude-opus-4-5'
    const selectedModel = model || 'claude-opus-4-6'
    if (chatId || createNewChat) {
      const chatResult = await resolveOrCreateChat({
@@ -290,7 +249,6 @@ export async function POST(req: NextRequest) {
      })
      currentChat = chatResult.chat
      actualChatId = chatResult.chatId || chatId
      chatWasCreatedForRequest = chatResult.isNew
      const history = buildConversationHistory(
        chatResult.conversationHistory,
        (chatResult.chat?.conversationId as string | undefined) || conversationId
@@ -298,18 +256,6 @@ export async function POST(req: NextRequest) {
      conversationHistory = history.history
    }
    const shouldGenerateTitleForRequest =
      !!actualChatId &&
      chatWasCreatedForRequest &&
      !currentChat?.title &&
      conversationHistory.length === 0
    const titleGenerationParams = {
      message,
      model: selectedModel,
      provider,
    }
    const effectiveMode = mode === 'agent' ? 'build' : mode
    const effectiveConversationId =
      (currentChat?.conversationId as string | undefined) || conversationId
@@ -402,22 +348,10 @@ export async function POST(req: NextRequest) {
            await pushEvent({ type: 'chat_id', chatId: actualChatId })
          }
-          if (shouldGenerateTitleForRequest) {
+          if (actualChatId && !currentChat?.title && conversationHistory.length === 0) {
-            logger.info(`[${tracker.requestId}] Starting title generation for streaming response`, {
+            requestChatTitleFromCopilot({ message, model: selectedModel, provider })
              chatId: actualChatId,
              model: titleGenerationParams.model,
              provider: provider || null,
              messageLength: message.length,
              messagePreview: truncateForLog(message),
              chatWasCreatedForRequest,
            })
            requestChatTitleFromCopilot(titleGenerationParams)
              .then(async (title) => {
                if (title) {
                  logger.info(`[${tracker.requestId}] Generated title for streaming response`, {
                    chatId: actualChatId,
                    title,
                  })
                  await db
                    .update(copilotChats)
                    .set({
@@ -425,30 +359,12 @@ export async function POST(req: NextRequest) {
                      updatedAt: new Date(),
                    })
                    .where(eq(copilotChats.id, actualChatId!))
-                  await pushEvent({ type: 'title_updated', title, chatId: actualChatId })
+                  await pushEvent({ type: 'title_updated', title })
                  logger.info(`[${tracker.requestId}] Emitted title_updated SSE event`, {
                    chatId: actualChatId,
                    title,
                  })
                } else {
                  logger.warn(`[${tracker.requestId}] No title returned for streaming response`, {
                    chatId: actualChatId,
                    model: selectedModel,
                  })
                }
              })
              .catch((error) => {
                logger.error(`[${tracker.requestId}] Title generation failed:`, error)
              })
          } else if (actualChatId && !chatWasCreatedForRequest) {
            logger.info(
              `[${tracker.requestId}] Skipping title generation because chat already exists`,
              {
                chatId: actualChatId,
                model: titleGenerationParams.model,
                provider: provider || null,
              }
            )
          }
          try {
@@ -563,9 +479,9 @@ export async function POST(req: NextRequest) {
      const updatedMessages = [...conversationHistory, userMessage, assistantMessage]
      // Start title generation in parallel if this is first message (non-streaming)
-      if (shouldGenerateTitleForRequest) {
+      if (actualChatId && !currentChat.title && conversationHistory.length === 0) {
        logger.info(`[${tracker.requestId}] Starting title generation for non-streaming response`)
-        requestChatTitleFromCopilot(titleGenerationParams)
+        requestChatTitleFromCopilot({ message, model: selectedModel, provider })
          .then(async (title) => {
            if (title) {
              await db
@@ -576,22 +492,11 @@ export async function POST(req: NextRequest) {
                })
                .where(eq(copilotChats.id, actualChatId!))
              logger.info(`[${tracker.requestId}] Generated and saved title: ${title}`)
            } else {
              logger.warn(`[${tracker.requestId}] No title returned for non-streaming response`, {
                chatId: actualChatId,
                model: selectedModel,
              })
            }
          })
          .catch((error) => {
            logger.error(`[${tracker.requestId}] Title generation failed:`, error)
          })
      } else if (actualChatId && !chatWasCreatedForRequest) {
        logger.info(`[${tracker.requestId}] Skipping title generation because chat already exists`, {
          chatId: actualChatId,
          model: titleGenerationParams.model,
          provider: provider || null,
        })
      }
      // Update chat in database immediately (without blocking for title)
--- a/apps/sim/app/api/copilot/checkpoints/revert/route.test.ts
+++ b/apps/sim/app/api/copilot/checkpoints/revert/route.test.ts
@@ -18,9 +18,9 @@ describe('Copilot Checkpoints Revert API Route', () => {
    setupCommonApiMocks()
    mockCryptoUuid()
    // Mock getBaseUrl to return localhost for tests
    vi.doMock('@/lib/core/utils/urls', () => ({
      getBaseUrl: vi.fn(() => 'http://localhost:3000'),
      getInternalApiBaseUrl: vi.fn(() => 'http://localhost:3000'),
      getBaseDomain: vi.fn(() => 'localhost:3000'),
      getEmailDomain: vi.fn(() => 'localhost:3000'),
    }))
--- a/apps/sim/app/api/copilot/checkpoints/revert/route.ts
+++ b/apps/sim/app/api/copilot/checkpoints/revert/route.ts
@@ -11,7 +11,7 @@ import {
  createRequestTracker,
  createUnauthorizedResponse,
 } from '@/lib/copilot/request-helpers'
-import { getBaseUrl } from '@/lib/core/utils/urls'
+import { getInternalApiBaseUrl } from '@/lib/core/utils/urls'
 import { authorizeWorkflowByWorkspacePermission } from '@/lib/workflows/utils'
 import { isUuidV4 } from '@/executor/constants'
@@ -99,7 +99,7 @@ export async function POST(request: NextRequest) {
    }
    const stateResponse = await fetch(
-      `${getBaseUrl()}/api/workflows/${checkpoint.workflowId}/state`,
+      `${getInternalApiBaseUrl()}/api/workflows/${checkpoint.workflowId}/state`,
      {
        method: 'PUT',
        headers: {
--- a/apps/sim/app/api/copilot/confirm/route.ts
+++ b/apps/sim/app/api/copilot/confirm/route.ts
@@ -1,11 +1,7 @@
 import { createLogger } from '@sim/logger'
 import { type NextRequest, NextResponse } from 'next/server'
 import { z } from 'zod'
-import {
+import { REDIS_TOOL_CALL_PREFIX, REDIS_TOOL_CALL_TTL_SECONDS } from '@/lib/copilot/constants'
  REDIS_TOOL_CALL_PREFIX,
  REDIS_TOOL_CALL_TTL_SECONDS,
  SIM_AGENT_API_URL,
 } from '@/lib/copilot/constants'
 import {
  authenticateCopilotRequestSessionOnly,
  createBadRequestResponse,
@@ -14,7 +10,6 @@ import {
  createUnauthorizedResponse,
  type NotificationStatus,
 } from '@/lib/copilot/request-helpers'
 import { env } from '@/lib/core/config/env'
 import { getRedisClient } from '@/lib/core/config/redis'
 const logger = createLogger('CopilotConfirmAPI')
@@ -26,8 +21,6 @@ const ConfirmationSchema = z.object({
    errorMap: () => ({ message: 'Invalid notification status' }),
  }),
  message: z.string().optional(), // Optional message for background moves or additional context
  toolName: z.string().optional(),
  remember: z.boolean().optional(),
 })
 /**
@@ -64,44 +57,6 @@ async function updateToolCallStatus(
  }
 }
 async function saveAutoAllowedToolPreference(userId: string, toolName: string): Promise<boolean> {
  const headers: Record<string, string> = {
    'Content-Type': 'application/json',
  }
  if (env.COPILOT_API_KEY) {
    headers['x-api-key'] = env.COPILOT_API_KEY
  }
  try {
    const response = await fetch(`${SIM_AGENT_API_URL}/api/tool-preferences/auto-allowed`, {
      method: 'POST',
      headers,
      body: JSON.stringify({
        userId,
        toolId: toolName,
      }),
    })
    if (!response.ok) {
      logger.warn('Failed to persist auto-allowed tool preference', {
        userId,
        toolName,
        status: response.status,
      })
      return false
    }
    return true
  } catch (error) {
    logger.error('Error persisting auto-allowed tool preference', {
      userId,
      toolName,
      error: error instanceof Error ? error.message : String(error),
    })
    return false
  }
 }
 /**
 * POST /api/copilot/confirm
 * Update tool call status (Accept/Reject)
@@ -119,7 +74,7 @@ export async function POST(req: NextRequest) {
    }
    const body = await req.json()
-    const { toolCallId, status, message, toolName, remember } = ConfirmationSchema.parse(body)
+    const { toolCallId, status, message } = ConfirmationSchema.parse(body)
    // Update the tool call status in Redis
    const updated = await updateToolCallStatus(toolCallId, status, message)
@@ -135,22 +90,14 @@ export async function POST(req: NextRequest) {
      return createBadRequestResponse('Failed to update tool call status or tool call not found')
    }
-    let rememberSaved = false
+    const duration = tracker.getDuration()
    if (status === 'accepted' && remember === true && toolName && authenticatedUserId) {
      rememberSaved = await saveAutoAllowedToolPreference(authenticatedUserId, toolName)
    }
-    const response: Record<string, unknown> = {
+    return NextResponse.json({
      success: true,
      message: message || `Tool call ${toolCallId} has been ${status.toLowerCase()}`,
      toolCallId,
      status,
-    }
+    })
    if (remember === true) {
      response.rememberSaved = rememberSaved
    }
    return NextResponse.json(response)
  } catch (error) {
    const duration = tracker.getDuration()
--- a/apps/sim/app/api/credentials/[id]/members/route.ts
+++ b/apps/sim/app/api/credentials/[id]/members/route.ts
@@ -0,0 +1,226 @@
 import { db } from '@sim/db'
 import { credential, credentialMember, user } from '@sim/db/schema'
 import { createLogger } from '@sim/logger'
 import { and, eq } from 'drizzle-orm'
 import { type NextRequest, NextResponse } from 'next/server'
 import { z } from 'zod'
 import { getSession } from '@/lib/auth'
 import { getUserEntityPermissions } from '@/lib/workspaces/permissions/utils'
 const logger = createLogger('CredentialMembersAPI')
 interface RouteContext {
  params: Promise<{ id: string }>
 }
 async function requireWorkspaceAdminMembership(credentialId: string, userId: string) {
  const [cred] = await db
    .select({ id: credential.id, workspaceId: credential.workspaceId })
    .from(credential)
    .where(eq(credential.id, credentialId))
    .limit(1)
  if (!cred) return null
  const perm = await getUserEntityPermissions(userId, 'workspace', cred.workspaceId)
  if (perm === null) return null
  const [membership] = await db
    .select({ role: credentialMember.role, status: credentialMember.status })
    .from(credentialMember)
    .where(
      and(eq(credentialMember.credentialId, credentialId), eq(credentialMember.userId, userId))
    )
    .limit(1)
  if (!membership || membership.status !== 'active' || membership.role !== 'admin') {
    return null
  }
  return membership
 }
 export async function GET(_request: NextRequest, context: RouteContext) {
  try {
    const session = await getSession()
    if (!session?.user?.id) {
      return NextResponse.json({ error: 'Unauthorized' }, { status: 401 })
    }
    const { id: credentialId } = await context.params
    const [cred] = await db
      .select({ id: credential.id, workspaceId: credential.workspaceId })
      .from(credential)
      .where(eq(credential.id, credentialId))
      .limit(1)
    if (!cred) {
      return NextResponse.json({ members: [] }, { status: 200 })
    }
    const callerPerm = await getUserEntityPermissions(
      session.user.id,
      'workspace',
      cred.workspaceId
    )
    if (callerPerm === null) {
      return NextResponse.json({ error: 'Forbidden' }, { status: 403 })
    }
    const members = await db
      .select({
        id: credentialMember.id,
        userId: credentialMember.userId,
        role: credentialMember.role,
        status: credentialMember.status,
        joinedAt: credentialMember.joinedAt,
        userName: user.name,
        userEmail: user.email,
      })
      .from(credentialMember)
      .innerJoin(user, eq(credentialMember.userId, user.id))
      .where(eq(credentialMember.credentialId, credentialId))
    return NextResponse.json({ members })
  } catch (error) {
    logger.error('Failed to fetch credential members', { error })
    return NextResponse.json({ error: 'Internal server error' }, { status: 500 })
  }
 }
 const addMemberSchema = z.object({
  userId: z.string().min(1),
  role: z.enum(['admin', 'member']).default('member'),
 })
 export async function POST(request: NextRequest, context: RouteContext) {
  try {
    const session = await getSession()
    if (!session?.user?.id) {
      return NextResponse.json({ error: 'Unauthorized' }, { status: 401 })
    }
    const { id: credentialId } = await context.params
    const admin = await requireWorkspaceAdminMembership(credentialId, session.user.id)
    if (!admin) {
      return NextResponse.json({ error: 'Admin access required' }, { status: 403 })
    }
    const body = await request.json()
    const parsed = addMemberSchema.safeParse(body)
    if (!parsed.success) {
      return NextResponse.json({ error: 'Invalid request body' }, { status: 400 })
    }
    const { userId, role } = parsed.data
    const now = new Date()
    const [existing] = await db
      .select({ id: credentialMember.id, status: credentialMember.status })
      .from(credentialMember)
      .where(
        and(eq(credentialMember.credentialId, credentialId), eq(credentialMember.userId, userId))
      )
      .limit(1)
    if (existing) {
      await db
        .update(credentialMember)
        .set({ role, status: 'active', updatedAt: now })
        .where(eq(credentialMember.id, existing.id))
      return NextResponse.json({ success: true })
    }
    await db.insert(credentialMember).values({
      id: crypto.randomUUID(),
      credentialId,
      userId,
      role,
      status: 'active',
      joinedAt: now,
      invitedBy: session.user.id,
      createdAt: now,
      updatedAt: now,
    })
    return NextResponse.json({ success: true }, { status: 201 })
  } catch (error) {
    logger.error('Failed to add credential member', { error })
    return NextResponse.json({ error: 'Internal server error' }, { status: 500 })
  }
 }
 export async function DELETE(request: NextRequest, context: RouteContext) {
  try {
    const session = await getSession()
    if (!session?.user?.id) {
      return NextResponse.json({ error: 'Unauthorized' }, { status: 401 })
    }
    const { id: credentialId } = await context.params
    const targetUserId = new URL(request.url).searchParams.get('userId')
    if (!targetUserId) {
      return NextResponse.json({ error: 'userId query parameter required' }, { status: 400 })
    }
    const admin = await requireWorkspaceAdminMembership(credentialId, session.user.id)
    if (!admin) {
      return NextResponse.json({ error: 'Admin access required' }, { status: 403 })
    }
    const [target] = await db
      .select({
        id: credentialMember.id,
        role: credentialMember.role,
      })
      .from(credentialMember)
      .where(
        and(
          eq(credentialMember.credentialId, credentialId),
          eq(credentialMember.userId, targetUserId),
          eq(credentialMember.status, 'active')
        )
      )
      .limit(1)
    if (!target) {
      return NextResponse.json({ error: 'Member not found' }, { status: 404 })
    }
    const revoked = await db.transaction(async (tx) => {
      if (target.role === 'admin') {
        const activeAdmins = await tx
          .select({ id: credentialMember.id })
          .from(credentialMember)
          .where(
            and(
              eq(credentialMember.credentialId, credentialId),
              eq(credentialMember.role, 'admin'),
              eq(credentialMember.status, 'active')
            )
          )
        if (activeAdmins.length <= 1) {
          return false
        }
      }
      await tx
        .update(credentialMember)
        .set({ status: 'revoked', updatedAt: new Date() })
        .where(eq(credentialMember.id, target.id))
      return true
    })
    if (!revoked) {
      return NextResponse.json({ error: 'Cannot remove the last admin' }, { status: 400 })
    }
    return NextResponse.json({ success: true })
  } catch (error) {
    logger.error('Failed to remove credential member', { error })
    return NextResponse.json({ error: 'Internal server error' }, { status: 500 })
  }
 }
--- a/apps/sim/app/api/credentials/[id]/route.ts
+++ b/apps/sim/app/api/credentials/[id]/route.ts
@@ -0,0 +1,251 @@
 import { db } from '@sim/db'
 import { credential, credentialMember, environment, workspaceEnvironment } from '@sim/db/schema'
 import { createLogger } from '@sim/logger'
 import { and, eq } from 'drizzle-orm'
 import { type NextRequest, NextResponse } from 'next/server'
 import { z } from 'zod'
 import { getSession } from '@/lib/auth'
 import { getCredentialActorContext } from '@/lib/credentials/access'
 import {
  syncPersonalEnvCredentialsForUser,
  syncWorkspaceEnvCredentials,
 } from '@/lib/credentials/environment'
 const logger = createLogger('CredentialByIdAPI')
 const updateCredentialSchema = z
  .object({
    displayName: z.string().trim().min(1).max(255).optional(),
    description: z.string().trim().max(500).nullish(),
  })
  .strict()
  .refine((data) => data.displayName !== undefined || data.description !== undefined, {
    message: 'At least one field must be provided',
    path: ['displayName'],
  })
 async function getCredentialResponse(credentialId: string, userId: string) {
  const [row] = await db
    .select({
      id: credential.id,
      workspaceId: credential.workspaceId,
      type: credential.type,
      displayName: credential.displayName,
      description: credential.description,
      providerId: credential.providerId,
      accountId: credential.accountId,
      envKey: credential.envKey,
      envOwnerUserId: credential.envOwnerUserId,
      createdBy: credential.createdBy,
      createdAt: credential.createdAt,
      updatedAt: credential.updatedAt,
      role: credentialMember.role,
      status: credentialMember.status,
    })
    .from(credential)
    .innerJoin(
      credentialMember,
      and(eq(credentialMember.credentialId, credential.id), eq(credentialMember.userId, userId))
    )
    .where(eq(credential.id, credentialId))
    .limit(1)
  return row ?? null
 }
 export async function GET(request: NextRequest, { params }: { params: Promise<{ id: string }> }) {
  const session = await getSession()
  if (!session?.user?.id) {
    return NextResponse.json({ error: 'Unauthorized' }, { status: 401 })
  }
  const { id } = await params
  try {
    const access = await getCredentialActorContext(id, session.user.id)
    if (!access.credential) {
      return NextResponse.json({ error: 'Credential not found' }, { status: 404 })
    }
    if (!access.hasWorkspaceAccess || !access.member) {
      return NextResponse.json({ error: 'Forbidden' }, { status: 403 })
    }
    const row = await getCredentialResponse(id, session.user.id)
    return NextResponse.json({ credential: row }, { status: 200 })
  } catch (error) {
    logger.error('Failed to fetch credential', error)
    return NextResponse.json({ error: 'Internal server error' }, { status: 500 })
  }
 }
 export async function PUT(request: NextRequest, { params }: { params: Promise<{ id: string }> }) {
  const session = await getSession()
  if (!session?.user?.id) {
    return NextResponse.json({ error: 'Unauthorized' }, { status: 401 })
  }
  const { id } = await params
  try {
    const parseResult = updateCredentialSchema.safeParse(await request.json())
    if (!parseResult.success) {
      return NextResponse.json({ error: parseResult.error.errors[0]?.message }, { status: 400 })
    }
    const access = await getCredentialActorContext(id, session.user.id)
    if (!access.credential) {
      return NextResponse.json({ error: 'Credential not found' }, { status: 404 })
    }
    if (!access.hasWorkspaceAccess || !access.isAdmin) {
      return NextResponse.json({ error: 'Credential admin permission required' }, { status: 403 })
    }
    const updates: Record<string, unknown> = {}
    if (parseResult.data.description !== undefined) {
      updates.description = parseResult.data.description ?? null
    }
    if (parseResult.data.displayName !== undefined && access.credential.type === 'oauth') {
      updates.displayName = parseResult.data.displayName
    }
    if (Object.keys(updates).length === 0) {
      if (access.credential.type === 'oauth') {
        return NextResponse.json(
          {
            error: 'No updatable fields provided.',
          },
          { status: 400 }
        )
      }
      return NextResponse.json(
        {
          error:
            'Environment credentials cannot be updated via this endpoint. Use the environment value editor in credentials settings.',
        },
        { status: 400 }
      )
    }
    updates.updatedAt = new Date()
    await db.update(credential).set(updates).where(eq(credential.id, id))
    const row = await getCredentialResponse(id, session.user.id)
    return NextResponse.json({ credential: row }, { status: 200 })
  } catch (error) {
    logger.error('Failed to update credential', error)
    return NextResponse.json({ error: 'Internal server error' }, { status: 500 })
  }
 }
 export async function DELETE(
  request: NextRequest,
  { params }: { params: Promise<{ id: string }> }
 ) {
  const session = await getSession()
  if (!session?.user?.id) {
    return NextResponse.json({ error: 'Unauthorized' }, { status: 401 })
  }
  const { id } = await params
  try {
    const access = await getCredentialActorContext(id, session.user.id)
    if (!access.credential) {
      return NextResponse.json({ error: 'Credential not found' }, { status: 404 })
    }
    if (!access.hasWorkspaceAccess || !access.isAdmin) {
      return NextResponse.json({ error: 'Credential admin permission required' }, { status: 403 })
    }
    if (access.credential.type === 'env_personal' && access.credential.envKey) {
      const ownerUserId = access.credential.envOwnerUserId
      if (!ownerUserId) {
        return NextResponse.json({ error: 'Invalid personal secret owner' }, { status: 400 })
      }
      const [personalRow] = await db
        .select({ variables: environment.variables })
        .from(environment)
        .where(eq(environment.userId, ownerUserId))
        .limit(1)
      const current = ((personalRow?.variables as Record<string, string> | null) ?? {}) as Record<
        string,
        string
      >
      if (access.credential.envKey in current) {
        delete current[access.credential.envKey]
      }
      await db
        .insert(environment)
        .values({
          id: ownerUserId,
          userId: ownerUserId,
          variables: current,
          updatedAt: new Date(),
        })
        .onConflictDoUpdate({
          target: [environment.userId],
          set: { variables: current, updatedAt: new Date() },
        })
      await syncPersonalEnvCredentialsForUser({
        userId: ownerUserId,
        envKeys: Object.keys(current),
      })
      return NextResponse.json({ success: true }, { status: 200 })
    }
    if (access.credential.type === 'env_workspace' && access.credential.envKey) {
      const [workspaceRow] = await db
        .select({
          id: workspaceEnvironment.id,
          createdAt: workspaceEnvironment.createdAt,
          variables: workspaceEnvironment.variables,
        })
        .from(workspaceEnvironment)
        .where(eq(workspaceEnvironment.workspaceId, access.credential.workspaceId))
        .limit(1)
      const current = ((workspaceRow?.variables as Record<string, string> | null) ?? {}) as Record<
        string,
        string
      >
      if (access.credential.envKey in current) {
        delete current[access.credential.envKey]
      }
      await db
        .insert(workspaceEnvironment)
        .values({
          id: workspaceRow?.id || crypto.randomUUID(),
          workspaceId: access.credential.workspaceId,
          variables: current,
          createdAt: workspaceRow?.createdAt || new Date(),
          updatedAt: new Date(),
        })
        .onConflictDoUpdate({
          target: [workspaceEnvironment.workspaceId],
          set: { variables: current, updatedAt: new Date() },
        })
      await syncWorkspaceEnvCredentials({
        workspaceId: access.credential.workspaceId,
        envKeys: Object.keys(current),
        actingUserId: session.user.id,
      })
      return NextResponse.json({ success: true }, { status: 200 })
    }
    await db.delete(credential).where(eq(credential.id, id))
    return NextResponse.json({ success: true }, { status: 200 })
  } catch (error) {
    logger.error('Failed to delete credential', error)
    return NextResponse.json({ error: 'Internal server error' }, { status: 500 })
  }
 }
--- a/apps/sim/app/api/credentials/draft/route.ts
+++ b/apps/sim/app/api/credentials/draft/route.ts
@@ -0,0 +1,116 @@
 import { db } from '@sim/db'
 import { credential, credentialMember, pendingCredentialDraft } from '@sim/db/schema'
 import { createLogger } from '@sim/logger'
 import { and, eq, lt } from 'drizzle-orm'
 import { NextResponse } from 'next/server'
 import { z } from 'zod'
 import { getSession } from '@/lib/auth'
 import { checkWorkspaceAccess } from '@/lib/workspaces/permissions/utils'
 const logger = createLogger('CredentialDraftAPI')
 const DRAFT_TTL_MS = 15 * 60 * 1000
 const createDraftSchema = z.object({
  workspaceId: z.string().min(1),
  providerId: z.string().min(1),
  displayName: z.string().min(1),
  description: z.string().trim().max(500).optional(),
  credentialId: z.string().min(1).optional(),
 })
 export async function POST(request: Request) {
  try {
    const session = await getSession()
    if (!session?.user?.id) {
      return NextResponse.json({ error: 'Unauthorized' }, { status: 401 })
    }
    const body = await request.json()
    const parsed = createDraftSchema.safeParse(body)
    if (!parsed.success) {
      return NextResponse.json({ error: 'Invalid request body' }, { status: 400 })
    }
    const { workspaceId, providerId, displayName, description, credentialId } = parsed.data
    const userId = session.user.id
    const workspaceAccess = await checkWorkspaceAccess(workspaceId, userId)
    if (!workspaceAccess.canWrite) {
      return NextResponse.json({ error: 'Write permission required' }, { status: 403 })
    }
    if (credentialId) {
      const [membership] = await db
        .select({ role: credentialMember.role, status: credentialMember.status })
        .from(credentialMember)
        .innerJoin(credential, eq(credential.id, credentialMember.credentialId))
        .where(
          and(
            eq(credentialMember.credentialId, credentialId),
            eq(credentialMember.userId, userId),
            eq(credentialMember.status, 'active'),
            eq(credentialMember.role, 'admin'),
            eq(credential.workspaceId, workspaceId)
          )
        )
        .limit(1)
      if (!membership) {
        return NextResponse.json(
          { error: 'Admin access required on the target credential' },
          { status: 403 }
        )
      }
    }
    const now = new Date()
    await db
      .delete(pendingCredentialDraft)
      .where(
        and(eq(pendingCredentialDraft.userId, userId), lt(pendingCredentialDraft.expiresAt, now))
      )
    await db
      .insert(pendingCredentialDraft)
      .values({
        id: crypto.randomUUID(),
        userId,
        workspaceId,
        providerId,
        displayName,
        description: description || null,
        credentialId: credentialId || null,
        expiresAt: new Date(now.getTime() + DRAFT_TTL_MS),
        createdAt: now,
      })
      .onConflictDoUpdate({
        target: [
          pendingCredentialDraft.userId,
          pendingCredentialDraft.providerId,
          pendingCredentialDraft.workspaceId,
        ],
        set: {
          displayName,
          description: description || null,
          credentialId: credentialId || null,
          expiresAt: new Date(now.getTime() + DRAFT_TTL_MS),
          createdAt: now,
        },
      })
    logger.info('Credential draft saved', {
      userId,
      workspaceId,
      providerId,
      displayName,
      credentialId: credentialId || null,
    })
    return NextResponse.json({ success: true }, { status: 200 })
  } catch (error) {
    logger.error('Failed to save credential draft', { error })
    return NextResponse.json({ error: 'Internal server error' }, { status: 500 })
  }
 }
--- a/apps/sim/app/api/credentials/memberships/route.ts
+++ b/apps/sim/app/api/credentials/memberships/route.ts
@@ -0,0 +1,112 @@
 import { db } from '@sim/db'
 import { credential, credentialMember } from '@sim/db/schema'
 import { createLogger } from '@sim/logger'
 import { and, eq } from 'drizzle-orm'
 import { type NextRequest, NextResponse } from 'next/server'
 import { z } from 'zod'
 import { getSession } from '@/lib/auth'
 const logger = createLogger('CredentialMembershipsAPI')
 const leaveCredentialSchema = z.object({
  credentialId: z.string().min(1),
 })
 export async function GET() {
  const session = await getSession()
  if (!session?.user?.id) {
    return NextResponse.json({ error: 'Unauthorized' }, { status: 401 })
  }
  try {
    const memberships = await db
      .select({
        membershipId: credentialMember.id,
        credentialId: credential.id,
        workspaceId: credential.workspaceId,
        type: credential.type,
        displayName: credential.displayName,
        providerId: credential.providerId,
        role: credentialMember.role,
        status: credentialMember.status,
        joinedAt: credentialMember.joinedAt,
      })
      .from(credentialMember)
      .innerJoin(credential, eq(credentialMember.credentialId, credential.id))
      .where(eq(credentialMember.userId, session.user.id))
    return NextResponse.json({ memberships }, { status: 200 })
  } catch (error) {
    logger.error('Failed to list credential memberships', error)
    return NextResponse.json({ error: 'Internal server error' }, { status: 500 })
  }
 }
 export async function DELETE(request: NextRequest) {
  const session = await getSession()
  if (!session?.user?.id) {
    return NextResponse.json({ error: 'Unauthorized' }, { status: 401 })
  }
  try {
    const parseResult = leaveCredentialSchema.safeParse({
      credentialId: new URL(request.url).searchParams.get('credentialId'),
    })
    if (!parseResult.success) {
      return NextResponse.json({ error: parseResult.error.errors[0]?.message }, { status: 400 })
    }
    const { credentialId } = parseResult.data
    const [membership] = await db
      .select()
      .from(credentialMember)
      .where(
        and(
          eq(credentialMember.credentialId, credentialId),
          eq(credentialMember.userId, session.user.id)
        )
      )
      .limit(1)
    if (!membership) {
      return NextResponse.json({ error: 'Membership not found' }, { status: 404 })
    }
    if (membership.status !== 'active') {
      return NextResponse.json({ success: true }, { status: 200 })
    }
    if (membership.role === 'admin') {
      const activeAdmins = await db
        .select({ id: credentialMember.id })
        .from(credentialMember)
        .where(
          and(
            eq(credentialMember.credentialId, credentialId),
            eq(credentialMember.role, 'admin'),
            eq(credentialMember.status, 'active')
          )
        )
      if (activeAdmins.length <= 1) {
        return NextResponse.json(
          { error: 'Cannot leave credential as the last active admin' },
          { status: 400 }
        )
      }
    }
    await db
      .update(credentialMember)
      .set({
        status: 'revoked',
        updatedAt: new Date(),
      })
      .where(eq(credentialMember.id, membership.id))
    return NextResponse.json({ success: true }, { status: 200 })
  } catch (error) {
    logger.error('Failed to leave credential', error)
    return NextResponse.json({ error: 'Internal server error' }, { status: 500 })
  }
 }
--- a/apps/sim/app/api/credentials/route.ts
+++ b/apps/sim/app/api/credentials/route.ts
@@ -0,0 +1,521 @@
 import { db } from '@sim/db'
 import { account, credential, credentialMember, workspace } from '@sim/db/schema'
 import { createLogger } from '@sim/logger'
 import { and, eq } from 'drizzle-orm'
 import { type NextRequest, NextResponse } from 'next/server'
 import { z } from 'zod'
 import { getSession } from '@/lib/auth'
 import { generateRequestId } from '@/lib/core/utils/request'
 import { getWorkspaceMemberUserIds } from '@/lib/credentials/environment'
 import { syncWorkspaceOAuthCredentialsForUser } from '@/lib/credentials/oauth'
 import { getServiceConfigByProviderId } from '@/lib/oauth'
 import { checkWorkspaceAccess } from '@/lib/workspaces/permissions/utils'
 import { isValidEnvVarName } from '@/executor/constants'
 const logger = createLogger('CredentialsAPI')
 const credentialTypeSchema = z.enum(['oauth', 'env_workspace', 'env_personal'])
 function normalizeEnvKeyInput(raw: string): string {
  const trimmed = raw.trim()
  const wrappedMatch = /^\{\{\s*([A-Za-z0-9_]+)\s*\}\}$/.exec(trimmed)
  return wrappedMatch ? wrappedMatch[1] : trimmed
 }
 const listCredentialsSchema = z.object({
  workspaceId: z.string().uuid('Workspace ID must be a valid UUID'),
  type: credentialTypeSchema.optional(),
  providerId: z.string().optional(),
  credentialId: z.string().optional(),
 })
 const createCredentialSchema = z
  .object({
    workspaceId: z.string().uuid('Workspace ID must be a valid UUID'),
    type: credentialTypeSchema,
    displayName: z.string().trim().min(1).max(255).optional(),
    description: z.string().trim().max(500).optional(),
    providerId: z.string().trim().min(1).optional(),
    accountId: z.string().trim().min(1).optional(),
    envKey: z.string().trim().min(1).optional(),
    envOwnerUserId: z.string().trim().min(1).optional(),
  })
  .superRefine((data, ctx) => {
    if (data.type === 'oauth') {
      if (!data.accountId) {
        ctx.addIssue({
          code: z.ZodIssueCode.custom,
          message: 'accountId is required for oauth credentials',
          path: ['accountId'],
        })
      }
      if (!data.providerId) {
        ctx.addIssue({
          code: z.ZodIssueCode.custom,
          message: 'providerId is required for oauth credentials',
          path: ['providerId'],
        })
      }
      if (!data.displayName) {
        ctx.addIssue({
          code: z.ZodIssueCode.custom,
          message: 'displayName is required for oauth credentials',
          path: ['displayName'],
        })
      }
      return
    }
    const normalizedEnvKey = data.envKey ? normalizeEnvKeyInput(data.envKey) : ''
    if (!normalizedEnvKey) {
      ctx.addIssue({
        code: z.ZodIssueCode.custom,
        message: 'envKey is required for env credentials',
        path: ['envKey'],
      })
      return
    }
    if (!isValidEnvVarName(normalizedEnvKey)) {
      ctx.addIssue({
        code: z.ZodIssueCode.custom,
        message: 'envKey must contain only letters, numbers, and underscores',
        path: ['envKey'],
      })
    }
  })
 interface ExistingCredentialSourceParams {
  workspaceId: string
  type: 'oauth' | 'env_workspace' | 'env_personal'
  accountId?: string | null
  envKey?: string | null
  envOwnerUserId?: string | null
 }
 async function findExistingCredentialBySource(params: ExistingCredentialSourceParams) {
  const { workspaceId, type, accountId, envKey, envOwnerUserId } = params
  if (type === 'oauth' && accountId) {
    const [row] = await db
      .select()
      .from(credential)
      .where(
        and(
          eq(credential.workspaceId, workspaceId),
          eq(credential.type, 'oauth'),
          eq(credential.accountId, accountId)
        )
      )
      .limit(1)
    return row ?? null
  }
  if (type === 'env_workspace' && envKey) {
    const [row] = await db
      .select()
      .from(credential)
      .where(
        and(
          eq(credential.workspaceId, workspaceId),
          eq(credential.type, 'env_workspace'),
          eq(credential.envKey, envKey)
        )
      )
      .limit(1)
    return row ?? null
  }
  if (type === 'env_personal' && envKey && envOwnerUserId) {
    const [row] = await db
      .select()
      .from(credential)
      .where(
        and(
          eq(credential.workspaceId, workspaceId),
          eq(credential.type, 'env_personal'),
          eq(credential.envKey, envKey),
          eq(credential.envOwnerUserId, envOwnerUserId)
        )
      )
      .limit(1)
    return row ?? null
  }
  return null
 }
 export async function GET(request: NextRequest) {
  const requestId = generateRequestId()
  const session = await getSession()
  if (!session?.user?.id) {
    return NextResponse.json({ error: 'Unauthorized' }, { status: 401 })
  }
  try {
    const { searchParams } = new URL(request.url)
    const rawWorkspaceId = searchParams.get('workspaceId')
    const rawType = searchParams.get('type')
    const rawProviderId = searchParams.get('providerId')
    const rawCredentialId = searchParams.get('credentialId')
    const parseResult = listCredentialsSchema.safeParse({
      workspaceId: rawWorkspaceId?.trim(),
      type: rawType?.trim() || undefined,
      providerId: rawProviderId?.trim() || undefined,
      credentialId: rawCredentialId?.trim() || undefined,
    })
    if (!parseResult.success) {
      logger.warn(`[${requestId}] Invalid credential list request`, {
        workspaceId: rawWorkspaceId,
        type: rawType,
        providerId: rawProviderId,
        errors: parseResult.error.errors,
      })
      return NextResponse.json({ error: parseResult.error.errors[0]?.message }, { status: 400 })
    }
    const { workspaceId, type, providerId, credentialId: lookupCredentialId } = parseResult.data
    const workspaceAccess = await checkWorkspaceAccess(workspaceId, session.user.id)
    if (!workspaceAccess.hasAccess) {
      return NextResponse.json({ error: 'Forbidden' }, { status: 403 })
    }
    if (lookupCredentialId) {
      let [row] = await db
        .select({
          id: credential.id,
          displayName: credential.displayName,
          type: credential.type,
          providerId: credential.providerId,
        })
        .from(credential)
        .where(and(eq(credential.id, lookupCredentialId), eq(credential.workspaceId, workspaceId)))
        .limit(1)
      if (!row) {
        ;[row] = await db
          .select({
            id: credential.id,
            displayName: credential.displayName,
            type: credential.type,
            providerId: credential.providerId,
          })
          .from(credential)
          .where(
            and(
              eq(credential.accountId, lookupCredentialId),
              eq(credential.workspaceId, workspaceId)
            )
          )
          .limit(1)
      }
      return NextResponse.json({ credential: row ?? null })
    }
    if (!type || type === 'oauth') {
      await syncWorkspaceOAuthCredentialsForUser({ workspaceId, userId: session.user.id })
    }
    const whereClauses = [
      eq(credential.workspaceId, workspaceId),
      eq(credentialMember.userId, session.user.id),
      eq(credentialMember.status, 'active'),
    ]
    if (type) {
      whereClauses.push(eq(credential.type, type))
    }
    if (providerId) {
      whereClauses.push(eq(credential.providerId, providerId))
    }
    const credentials = await db
      .select({
        id: credential.id,
        workspaceId: credential.workspaceId,
        type: credential.type,
        displayName: credential.displayName,
        description: credential.description,
        providerId: credential.providerId,
        accountId: credential.accountId,
        envKey: credential.envKey,
        envOwnerUserId: credential.envOwnerUserId,
        createdBy: credential.createdBy,
        createdAt: credential.createdAt,
        updatedAt: credential.updatedAt,
        role: credentialMember.role,
      })
      .from(credential)
      .innerJoin(
        credentialMember,
        and(
          eq(credentialMember.credentialId, credential.id),
          eq(credentialMember.userId, session.user.id),
          eq(credentialMember.status, 'active')
        )
      )
      .where(and(...whereClauses))
    return NextResponse.json({ credentials })
  } catch (error) {
    logger.error(`[${requestId}] Failed to list credentials`, error)
    return NextResponse.json({ error: 'Internal server error' }, { status: 500 })
  }
 }
 export async function POST(request: NextRequest) {
  const requestId = generateRequestId()
  const session = await getSession()
  if (!session?.user?.id) {
    return NextResponse.json({ error: 'Unauthorized' }, { status: 401 })
  }
  try {
    const body = await request.json()
    const parseResult = createCredentialSchema.safeParse(body)
    if (!parseResult.success) {
      return NextResponse.json({ error: parseResult.error.errors[0]?.message }, { status: 400 })
    }
    const {
      workspaceId,
      type,
      displayName,
      description,
      providerId,
      accountId,
      envKey,
      envOwnerUserId,
    } = parseResult.data
    const workspaceAccess = await checkWorkspaceAccess(workspaceId, session.user.id)
    if (!workspaceAccess.canWrite) {
      return NextResponse.json({ error: 'Write permission required' }, { status: 403 })
    }
    let resolvedDisplayName = displayName?.trim() ?? ''
    const resolvedDescription = description?.trim() || null
    let resolvedProviderId: string | null = providerId ?? null
    let resolvedAccountId: string | null = accountId ?? null
    const resolvedEnvKey: string | null = envKey ? normalizeEnvKeyInput(envKey) : null
    let resolvedEnvOwnerUserId: string | null = null
    if (type === 'oauth') {
      const [accountRow] = await db
        .select({
          id: account.id,
          userId: account.userId,
          providerId: account.providerId,
          accountId: account.accountId,
        })
        .from(account)
        .where(eq(account.id, accountId!))
        .limit(1)
      if (!accountRow) {
        return NextResponse.json({ error: 'OAuth account not found' }, { status: 404 })
      }
      if (accountRow.userId !== session.user.id) {
        return NextResponse.json(
          { error: 'Only account owners can create oauth credentials for an account' },
          { status: 403 }
        )
      }
      if (providerId !== accountRow.providerId) {
        return NextResponse.json(
          { error: 'providerId does not match the selected OAuth account' },
          { status: 400 }
        )
      }
      if (!resolvedDisplayName) {
        resolvedDisplayName =
          getServiceConfigByProviderId(accountRow.providerId)?.name || accountRow.providerId
      }
    } else if (type === 'env_personal') {
      resolvedEnvOwnerUserId = envOwnerUserId ?? session.user.id
      if (resolvedEnvOwnerUserId !== session.user.id) {
        return NextResponse.json(
          { error: 'Only the current user can create personal env credentials for themselves' },
          { status: 403 }
        )
      }
      resolvedProviderId = null
      resolvedAccountId = null
      resolvedDisplayName = resolvedEnvKey || ''
    } else {
      resolvedProviderId = null
      resolvedAccountId = null
      resolvedEnvOwnerUserId = null
      resolvedDisplayName = resolvedEnvKey || ''
    }
    if (!resolvedDisplayName) {
      return NextResponse.json({ error: 'Display name is required' }, { status: 400 })
    }
    const existingCredential = await findExistingCredentialBySource({
      workspaceId,
      type,
      accountId: resolvedAccountId,
      envKey: resolvedEnvKey,
      envOwnerUserId: resolvedEnvOwnerUserId,
    })
    if (existingCredential) {
      const [membership] = await db
        .select({
          id: credentialMember.id,
          status: credentialMember.status,
          role: credentialMember.role,
        })
        .from(credentialMember)
        .where(
          and(
            eq(credentialMember.credentialId, existingCredential.id),
            eq(credentialMember.userId, session.user.id)
          )
        )
        .limit(1)
      if (!membership || membership.status !== 'active') {
        return NextResponse.json(
          { error: 'A credential with this source already exists in this workspace' },
          { status: 409 }
        )
      }
      const canUpdateExistingCredential = membership.role === 'admin'
      const shouldUpdateDisplayName =
        type === 'oauth' &&
        resolvedDisplayName &&
        resolvedDisplayName !== existingCredential.displayName
      const shouldUpdateDescription =
        typeof description !== 'undefined' &&
        (existingCredential.description ?? null) !== resolvedDescription
      if (canUpdateExistingCredential && (shouldUpdateDisplayName || shouldUpdateDescription)) {
        await db
          .update(credential)
          .set({
            ...(shouldUpdateDisplayName ? { displayName: resolvedDisplayName } : {}),
            ...(shouldUpdateDescription ? { description: resolvedDescription } : {}),
            updatedAt: new Date(),
          })
          .where(eq(credential.id, existingCredential.id))
        const [updatedCredential] = await db
          .select()
          .from(credential)
          .where(eq(credential.id, existingCredential.id))
          .limit(1)
        return NextResponse.json(
          { credential: updatedCredential ?? existingCredential },
          { status: 200 }
        )
      }
      return NextResponse.json({ credential: existingCredential }, { status: 200 })
    }
    const now = new Date()
    const credentialId = crypto.randomUUID()
    const [workspaceRow] = await db
      .select({ ownerId: workspace.ownerId })
      .from(workspace)
      .where(eq(workspace.id, workspaceId))
      .limit(1)
    await db.transaction(async (tx) => {
      await tx.insert(credential).values({
        id: credentialId,
        workspaceId,
        type,
        displayName: resolvedDisplayName,
        description: resolvedDescription,
        providerId: resolvedProviderId,
        accountId: resolvedAccountId,
        envKey: resolvedEnvKey,
        envOwnerUserId: resolvedEnvOwnerUserId,
        createdBy: session.user.id,
        createdAt: now,
        updatedAt: now,
      })
      if (type === 'env_workspace' && workspaceRow?.ownerId) {
        const workspaceUserIds = await getWorkspaceMemberUserIds(workspaceId)
        if (workspaceUserIds.length > 0) {
          for (const memberUserId of workspaceUserIds) {
            await tx.insert(credentialMember).values({
              id: crypto.randomUUID(),
              credentialId,
              userId: memberUserId,
              role: memberUserId === workspaceRow.ownerId ? 'admin' : 'member',
              status: 'active',
              joinedAt: now,
              invitedBy: session.user.id,
              createdAt: now,
              updatedAt: now,
            })
          }
        }
      } else {
        await tx.insert(credentialMember).values({
          id: crypto.randomUUID(),
          credentialId,
          userId: session.user.id,
          role: 'admin',
          status: 'active',
          joinedAt: now,
          invitedBy: session.user.id,
          createdAt: now,
          updatedAt: now,
        })
      }
    })
    const [created] = await db
      .select()
      .from(credential)
      .where(eq(credential.id, credentialId))
      .limit(1)
    return NextResponse.json({ credential: created }, { status: 201 })
  } catch (error: any) {
    if (error?.code === '23505') {
      return NextResponse.json(
        { error: 'A credential with this source already exists' },
        { status: 409 }
      )
    }
    if (error?.code === '23503') {
      return NextResponse.json(
        { error: 'Invalid credential reference or membership target' },
        { status: 400 }
      )
    }
    if (error?.code === '23514') {
      return NextResponse.json(
        { error: 'Credential source data failed validation checks' },
        { status: 400 }
      )
    }
    logger.error(`[${requestId}] Credential create failure details`, {
      code: error?.code,
      detail: error?.detail,
      constraint: error?.constraint,
      table: error?.table,
      message: error?.message,
    })
    logger.error(`[${requestId}] Failed to create credential`, error)
    return NextResponse.json({ error: 'Internal server error' }, { status: 500 })
  }
 }
--- a/apps/sim/app/api/environment/route.ts
+++ b/apps/sim/app/api/environment/route.ts
@@ -7,6 +7,7 @@ import { z } from 'zod'
 import { getSession } from '@/lib/auth'
 import { decryptSecret, encryptSecret } from '@/lib/core/security/encryption'
 import { generateRequestId } from '@/lib/core/utils/request'
 import { syncPersonalEnvCredentialsForUser } from '@/lib/credentials/environment'
 import type { EnvironmentVariable } from '@/stores/settings/environment'
 const logger = createLogger('EnvironmentAPI')
@@ -53,6 +54,11 @@ export async function POST(req: NextRequest) {
          },
        })
      await syncPersonalEnvCredentialsForUser({
        userId: session.user.id,
        envKeys: Object.keys(variables),
      })
      return NextResponse.json({ success: true })
    } catch (validationError) {
      if (validationError instanceof z.ZodError) {
--- a/apps/sim/app/api/knowledge/search/utils.test.ts
+++ b/apps/sim/app/api/knowledge/search/utils.test.ts
@@ -4,16 +4,12 @@
 *
 * @vitest-environment node
 */
-import { createEnvMock, createMockLogger } from '@sim/testing'
+import { createEnvMock, databaseMock, loggerMock } from '@sim/testing'
 import { beforeEach, describe, expect, it, vi } from 'vitest'
 const loggerMock = vi.hoisted(() => ({
  createLogger: () => createMockLogger(),
 }))
 vi.mock('drizzle-orm')
 vi.mock('@sim/logger', () => loggerMock)
-vi.mock('@sim/db')
+vi.mock('@sim/db', () => databaseMock)
 vi.mock('@/lib/knowledge/documents/utils', () => ({
  retryWithExponentialBackoff: (fn: any) => fn(),
 }))
--- a/apps/sim/app/api/mcp/copilot/route.test.ts
+++ b/apps/sim/app/api/mcp/copilot/route.test.ts
@@ -1,89 +0,0 @@
 /**
 * @vitest-environment node
 */
 import { afterEach, beforeEach, describe, expect, it, vi } from 'vitest'
 describe('mcp copilot route manifest contract', () => {
  const previousInternalSecret = process.env.INTERNAL_API_SECRET
  const previousAgentUrl = process.env.SIM_AGENT_API_URL
  const previousFetch = global.fetch
  beforeEach(() => {
    vi.resetModules()
    process.env.INTERNAL_API_SECRET = 'x'.repeat(32)
    process.env.SIM_AGENT_API_URL = 'https://copilot.sim.ai'
  })
  afterEach(() => {
    vi.restoreAllMocks()
    global.fetch = previousFetch
    if (previousInternalSecret === undefined) {
      delete process.env.INTERNAL_API_SECRET
    } else {
      process.env.INTERNAL_API_SECRET = previousInternalSecret
    }
    if (previousAgentUrl === undefined) {
      delete process.env.SIM_AGENT_API_URL
    } else {
      process.env.SIM_AGENT_API_URL = previousAgentUrl
    }
  })
  it('loads and caches tool manifest from copilot backend', async () => {
    const payload = {
      directTools: [
        {
          name: 'list_workspaces',
          description: 'List workspaces',
          inputSchema: { type: 'object', properties: {} },
          toolId: 'list_user_workspaces',
        },
      ],
      subagentTools: [
        {
          name: 'sim_build',
          description: 'Build workflows',
          inputSchema: { type: 'object', properties: {} },
          agentId: 'build',
        },
      ],
      generatedAt: '2026-02-12T00:00:00Z',
    }
    const fetchSpy = vi.spyOn(global, 'fetch').mockResolvedValue(
      new Response(JSON.stringify(payload), {
        status: 200,
        headers: { 'Content-Type': 'application/json' },
      })
    )
    const mod = await import('./route')
    mod.clearMcpToolManifestCacheForTests()
    const first = await mod.getMcpToolManifest()
    const second = await mod.getMcpToolManifest()
    expect(first).toEqual(payload)
    expect(second).toEqual(payload)
    expect(fetchSpy).toHaveBeenCalledTimes(1)
    expect(fetchSpy.mock.calls[0]?.[0]).toBe('https://copilot.sim.ai/api/mcp/tools/manifest')
  })
  it('rejects invalid manifest payloads from copilot backend', async () => {
    const fetchSpy = vi.spyOn(global, 'fetch').mockResolvedValue(
      new Response(JSON.stringify({ tools: [] }), {
        status: 200,
        headers: { 'Content-Type': 'application/json' },
      })
    )
    const mod = await import('./route')
    mod.clearMcpToolManifestCacheForTests()
    await expect(mod.fetchMcpToolManifestFromCopilot()).rejects.toThrow(
      'invalid manifest payload from copilot'
    )
    expect(fetchSpy).toHaveBeenCalledTimes(1)
  })
 })
--- a/apps/sim/app/api/mcp/copilot/route.ts
+++ b/apps/sim/app/api/mcp/copilot/route.ts
@@ -28,6 +28,7 @@ import {
  executeToolServerSide,
  prepareExecutionContext,
 } from '@/lib/copilot/orchestrator/tool-executor'
 import { DIRECT_TOOL_DEFS, SUBAGENT_TOOL_DEFS } from '@/lib/copilot/tools/mcp/definitions'
 import { env } from '@/lib/core/config/env'
 import { RateLimiter } from '@/lib/core/rate-limiter'
 import {
@@ -37,33 +38,7 @@ import {
 const logger = createLogger('CopilotMcpAPI')
 const mcpRateLimiter = new RateLimiter()
-const DEFAULT_COPILOT_MODEL = 'claude-opus-4-6'
+const DEFAULT_COPILOT_MODEL = 'claude-opus-4-5'
 const MCP_TOOL_MANIFEST_CACHE_TTL_MS = 60_000
 type McpDirectToolDef = {
  name: string
  description: string
  inputSchema: { type: 'object'; properties?: Record<string, unknown>; required?: string[] }
  toolId: string
 }
 type McpSubagentToolDef = {
  name: string
  description: string
  inputSchema: { type: 'object'; properties?: Record<string, unknown>; required?: string[] }
  agentId: string
 }
 type McpToolManifest = {
  directTools: McpDirectToolDef[]
  subagentTools: McpSubagentToolDef[]
  generatedAt?: string
 }
 let cachedMcpToolManifest: {
  value: McpToolManifest
  expiresAt: number
 } | null = null
 export const dynamic = 'force-dynamic'
 export const runtime = 'nodejs'
@@ -137,58 +112,6 @@ async function authenticateCopilotApiKey(apiKey: string): Promise<CopilotKeyAuth
  }
 }
 export function isMcpToolManifest(value: unknown): value is McpToolManifest {
  if (!value || typeof value !== 'object') return false
  const payload = value as Record<string, unknown>
  return Array.isArray(payload.directTools) && Array.isArray(payload.subagentTools)
 }
 export async function fetchMcpToolManifestFromCopilot(): Promise<McpToolManifest> {
  const internalSecret = env.INTERNAL_API_SECRET
  if (!internalSecret) {
    throw new Error('INTERNAL_API_SECRET not configured')
  }
  const res = await fetch(`${SIM_AGENT_API_URL}/api/mcp/tools/manifest`, {
    method: 'GET',
    headers: {
      'Content-Type': 'application/json',
      'x-api-key': internalSecret,
    },
    signal: AbortSignal.timeout(10_000),
  })
  if (!res.ok) {
    const bodyText = await res.text().catch(() => '')
    throw new Error(`manifest fetch failed (${res.status}): ${bodyText || res.statusText}`)
  }
  const payload: unknown = await res.json()
  if (!isMcpToolManifest(payload)) {
    throw new Error('invalid manifest payload from copilot')
  }
  return payload
 }
 export async function getMcpToolManifest(): Promise<McpToolManifest> {
  const now = Date.now()
  if (cachedMcpToolManifest && cachedMcpToolManifest.expiresAt > now) {
    return cachedMcpToolManifest.value
  }
  const manifest = await fetchMcpToolManifestFromCopilot()
  cachedMcpToolManifest = {
    value: manifest,
    expiresAt: now + MCP_TOOL_MANIFEST_CACHE_TTL_MS,
  }
  return manifest
 }
 export function clearMcpToolManifestCacheForTests(): void {
  cachedMcpToolManifest = null
 }
 /**
 * MCP Server instructions that guide LLMs on how to use the Sim copilot tools.
 * This is included in the initialize response to help external LLMs understand
@@ -457,15 +380,13 @@ function buildMcpServer(abortSignal?: AbortSignal): Server {
  )
  server.setRequestHandler(ListToolsRequestSchema, async () => {
-    const manifest = await getMcpToolManifest()
+    const directTools = DIRECT_TOOL_DEFS.map((tool) => ({
    const directTools = manifest.directTools.map((tool) => ({
      name: tool.name,
      description: tool.description,
      inputSchema: tool.inputSchema,
    }))
-    const subagentTools = manifest.subagentTools.map((tool) => ({
+    const subagentTools = SUBAGENT_TOOL_DEFS.map((tool) => ({
      name: tool.name,
      description: tool.description,
      inputSchema: tool.inputSchema,
@@ -534,15 +455,12 @@ function buildMcpServer(abortSignal?: AbortSignal): Server {
      throw new McpError(ErrorCode.InvalidParams, 'Tool name required')
    }
    const manifest = await getMcpToolManifest()
    const result = await handleToolsCall(
      {
        name: params.name,
        arguments: params.arguments,
      },
      authResult.userId,
      manifest,
      abortSignal
    )
@@ -638,17 +556,16 @@ function trackMcpCopilotCall(userId: string): void {
 async function handleToolsCall(
  params: { name: string; arguments?: Record<string, unknown> },
  userId: string,
  manifest: McpToolManifest,
  abortSignal?: AbortSignal
 ): Promise<CallToolResult> {
  const args = params.arguments || {}
-  const directTool = manifest.directTools.find((tool) => tool.name === params.name)
+  const directTool = DIRECT_TOOL_DEFS.find((tool) => tool.name === params.name)
  if (directTool) {
    return handleDirectToolCall(directTool, args, userId)
  }
-  const subagentTool = manifest.subagentTools.find((tool) => tool.name === params.name)
+  const subagentTool = SUBAGENT_TOOL_DEFS.find((tool) => tool.name === params.name)
  if (subagentTool) {
    return handleSubagentToolCall(subagentTool, args, userId, abortSignal)
  }
@@ -657,7 +574,7 @@ async function handleToolsCall(
 }
 async function handleDirectToolCall(
-  toolDef: McpDirectToolDef,
+  toolDef: (typeof DIRECT_TOOL_DEFS)[number],
  args: Record<string, unknown>,
  userId: string
 ): Promise<CallToolResult> {
@@ -794,7 +711,7 @@ async function handleBuildToolCall(
 }
 async function handleSubagentToolCall(
-  toolDef: McpSubagentToolDef,
+  toolDef: (typeof SUBAGENT_TOOL_DEFS)[number],
  args: Record<string, unknown>,
  userId: string,
  abortSignal?: AbortSignal
--- a/apps/sim/app/api/mcp/serve/[serverId]/route.test.ts
+++ b/apps/sim/app/api/mcp/serve/[serverId]/route.test.ts
@@ -72,6 +72,7 @@ describe('MCP Serve Route', () => {
    }))
    vi.doMock('@/lib/core/utils/urls', () => ({
      getBaseUrl: () => 'http://localhost:3000',
      getInternalApiBaseUrl: () => 'http://localhost:3000',
    }))
    vi.doMock('@/lib/core/execution-limits', () => ({
      getMaxExecutionTimeout: () => 10_000,
--- a/apps/sim/app/api/mcp/serve/[serverId]/route.ts
+++ b/apps/sim/app/api/mcp/serve/[serverId]/route.ts
@@ -22,7 +22,7 @@ import { type NextRequest, NextResponse } from 'next/server'
 import { type AuthResult, checkHybridAuth } from '@/lib/auth/hybrid'
 import { generateInternalToken } from '@/lib/auth/internal'
 import { getMaxExecutionTimeout } from '@/lib/core/execution-limits'
-import { getBaseUrl } from '@/lib/core/utils/urls'
+import { getInternalApiBaseUrl } from '@/lib/core/utils/urls'
 import { getUserEntityPermissions } from '@/lib/workspaces/permissions/utils'
 const logger = createLogger('WorkflowMcpServeAPI')
@@ -285,7 +285,7 @@ async function handleToolsCall(
      )
    }
-    const executeUrl = `${getBaseUrl()}/api/workflows/${tool.workflowId}/execute`
+    const executeUrl = `${getInternalApiBaseUrl()}/api/workflows/${tool.workflowId}/execute`
    const headers: Record<string, string> = { 'Content-Type': 'application/json' }
    if (publicServerOwnerId) {
--- a/apps/sim/app/api/organizations/[id]/invitations/[invitationId]/route.ts
+++ b/apps/sim/app/api/organizations/[id]/invitations/[invitationId]/route.ts
@@ -11,6 +11,7 @@ import {
  user,
  userStats,
  type WorkspaceInvitationStatus,
  workspaceEnvironment,
  workspaceInvitation,
 } from '@sim/db/schema'
 import { createLogger } from '@sim/logger'
@@ -23,6 +24,7 @@ import { hasAccessControlAccess } from '@/lib/billing'
 import { syncUsageLimitsFromSubscription } from '@/lib/billing/core/usage'
 import { requireStripeClient } from '@/lib/billing/stripe-client'
 import { getBaseUrl } from '@/lib/core/utils/urls'
 import { syncWorkspaceEnvCredentials } from '@/lib/credentials/environment'
 import { sendEmail } from '@/lib/messaging/email/mailer'
 const logger = createLogger('OrganizationInvitation')
@@ -495,6 +497,34 @@ export async function PUT(
      }
    })
    if (status === 'accepted') {
      const acceptedWsInvitations = await db
        .select({ workspaceId: workspaceInvitation.workspaceId })
        .from(workspaceInvitation)
        .where(
          and(
            eq(workspaceInvitation.orgInvitationId, invitationId),
            eq(workspaceInvitation.status, 'accepted' as WorkspaceInvitationStatus)
          )
        )
      for (const wsInv of acceptedWsInvitations) {
        const [wsEnvRow] = await db
          .select({ variables: workspaceEnvironment.variables })
          .from(workspaceEnvironment)
          .where(eq(workspaceEnvironment.workspaceId, wsInv.workspaceId))
          .limit(1)
        const wsEnvKeys = Object.keys((wsEnvRow?.variables as Record<string, string>) || {})
        if (wsEnvKeys.length > 0) {
          await syncWorkspaceEnvCredentials({
            workspaceId: wsInv.workspaceId,
            envKeys: wsEnvKeys,
            actingUserId: session.user.id,
          })
        }
      }
    }
    // Handle Pro subscription cancellation after transaction commits
    if (personalProToCancel) {
      try {
--- a/apps/sim/app/api/referral-code/redeem/route.ts
+++ b/apps/sim/app/api/referral-code/redeem/route.ts
@@ -0,0 +1,170 @@
 /**
 * POST /api/referral-code/redeem
 *
 * Redeem a referral/promo code to receive bonus credits.
 *
 * Body:
 *   - code: string — The referral code to redeem
 *
 * Response: { redeemed: boolean, bonusAmount?: number, error?: string }
 *
 * Constraints:
 *   - Enterprise users cannot redeem codes
 *   - One redemption per user, ever (unique constraint on userId)
 *   - One redemption per organization for team users (partial unique on organizationId)
 */
 import { db } from '@sim/db'
 import { referralAttribution, referralCampaigns, userStats } from '@sim/db/schema'
 import { createLogger } from '@sim/logger'
 import { and, eq } from 'drizzle-orm'
 import { nanoid } from 'nanoid'
 import { NextResponse } from 'next/server'
 import { z } from 'zod'
 import { getSession } from '@/lib/auth'
 import { getHighestPrioritySubscription } from '@/lib/billing/core/subscription'
 import { applyBonusCredits } from '@/lib/billing/credits/bonus'
 const logger = createLogger('ReferralCodeRedemption')
 const RedeemCodeSchema = z.object({
  code: z.string().min(1, 'Code is required'),
 })
 export async function POST(request: Request) {
  try {
    const session = await getSession()
    if (!session?.user?.id) {
      return NextResponse.json({ error: 'Unauthorized' }, { status: 401 })
    }
    const body = await request.json()
    const { code } = RedeemCodeSchema.parse(body)
    const subscription = await getHighestPrioritySubscription(session.user.id)
    if (subscription?.plan === 'enterprise') {
      return NextResponse.json({
        redeemed: false,
        error: 'Enterprise accounts cannot redeem referral codes',
      })
    }
    const isTeam = subscription?.plan === 'team'
    const orgId = isTeam ? subscription.referenceId : null
    const normalizedCode = code.trim().toUpperCase()
    const [campaign] = await db
      .select()
      .from(referralCampaigns)
      .where(and(eq(referralCampaigns.code, normalizedCode), eq(referralCampaigns.isActive, true)))
      .limit(1)
    if (!campaign) {
      logger.info('Invalid code redemption attempt', {
        userId: session.user.id,
        code: normalizedCode,
      })
      return NextResponse.json({ error: 'Invalid or expired code' }, { status: 404 })
    }
    const [existingUserAttribution] = await db
      .select({ id: referralAttribution.id })
      .from(referralAttribution)
      .where(eq(referralAttribution.userId, session.user.id))
      .limit(1)
    if (existingUserAttribution) {
      return NextResponse.json({
        redeemed: false,
        error: 'You have already redeemed a code',
      })
    }
    if (orgId) {
      const [existingOrgAttribution] = await db
        .select({ id: referralAttribution.id })
        .from(referralAttribution)
        .where(eq(referralAttribution.organizationId, orgId))
        .limit(1)
      if (existingOrgAttribution) {
        return NextResponse.json({
          redeemed: false,
          error: 'A code has already been redeemed for your organization',
        })
      }
    }
    const bonusAmount = Number(campaign.bonusCreditAmount)
    let redeemed = false
    await db.transaction(async (tx) => {
      const [existingStats] = await tx
        .select({ id: userStats.id })
        .from(userStats)
        .where(eq(userStats.userId, session.user.id))
        .limit(1)
      if (!existingStats) {
        await tx.insert(userStats).values({
          id: nanoid(),
          userId: session.user.id,
        })
      }
      const result = await tx
        .insert(referralAttribution)
        .values({
          id: nanoid(),
          userId: session.user.id,
          organizationId: orgId,
          campaignId: campaign.id,
          utmSource: null,
          utmMedium: null,
          utmCampaign: null,
          utmContent: null,
          referrerUrl: null,
          landingPage: null,
          bonusCreditAmount: bonusAmount.toString(),
        })
        .onConflictDoNothing()
        .returning({ id: referralAttribution.id })
      if (result.length > 0) {
        await applyBonusCredits(session.user.id, bonusAmount, tx)
        redeemed = true
      }
    })
    if (redeemed) {
      logger.info('Referral code redeemed', {
        userId: session.user.id,
        organizationId: orgId,
        code: normalizedCode,
        campaignId: campaign.id,
        campaignName: campaign.name,
        bonusAmount,
      })
    }
    if (!redeemed) {
      return NextResponse.json({
        redeemed: false,
        error: 'You have already redeemed a code',
      })
    }
    return NextResponse.json({
      redeemed: true,
      bonusAmount,
    })
  } catch (error) {
    if (error instanceof z.ZodError) {
      return NextResponse.json({ error: error.errors[0].message }, { status: 400 })
    }
    logger.error('Referral code redemption error', { error })
    return NextResponse.json({ error: 'Internal server error' }, { status: 500 })
  }
 }
--- a/apps/sim/app/api/schedules/[id]/route.test.ts
+++ b/apps/sim/app/api/schedules/[id]/route.test.ts
@@ -3,17 +3,14 @@
 *
 * @vitest-environment node
 */
-import { loggerMock } from '@sim/testing'
+import { databaseMock, loggerMock } from '@sim/testing'
 import { NextRequest } from 'next/server'
 import { afterEach, beforeEach, describe, expect, it, vi } from 'vitest'
-const { mockGetSession, mockAuthorizeWorkflowByWorkspacePermission, mockDbSelect, mockDbUpdate } =
+const { mockGetSession, mockAuthorizeWorkflowByWorkspacePermission } = vi.hoisted(() => ({
  vi.hoisted(() => ({
  mockGetSession: vi.fn(),
  mockAuthorizeWorkflowByWorkspacePermission: vi.fn(),
-    mockDbSelect: vi.fn(),
+}))
    mockDbUpdate: vi.fn(),
  }))
 vi.mock('@/lib/auth', () => ({
  getSession: mockGetSession,
@@ -23,12 +20,7 @@ vi.mock('@/lib/workflows/utils', () => ({
  authorizeWorkflowByWorkspacePermission: mockAuthorizeWorkflowByWorkspacePermission,
 }))
-vi.mock('@sim/db', () => ({
+vi.mock('@sim/db', () => databaseMock)
  db: {
    select: mockDbSelect,
    update: mockDbUpdate,
  },
 }))
 vi.mock('@sim/db/schema', () => ({
  workflow: { id: 'id', userId: 'userId', workspaceId: 'workspaceId' },
@@ -59,6 +51,9 @@ function createParams(id: string): { params: Promise<{ id: string }> } {
  return { params: Promise.resolve({ id }) }
 }
 const mockDbSelect = databaseMock.db.select as ReturnType<typeof vi.fn>
 const mockDbUpdate = databaseMock.db.update as ReturnType<typeof vi.fn>
 function mockDbChain(selectResults: unknown[][]) {
  let selectCallIndex = 0
  mockDbSelect.mockImplementation(() => ({
--- a/apps/sim/app/api/schedules/route.test.ts
+++ b/apps/sim/app/api/schedules/route.test.ts
@@ -3,17 +3,14 @@
 *
 * @vitest-environment node
 */
-import { loggerMock } from '@sim/testing'
+import { databaseMock, loggerMock } from '@sim/testing'
 import { NextRequest } from 'next/server'
 import { afterEach, beforeEach, describe, expect, it, vi } from 'vitest'
-const { mockGetSession, mockAuthorizeWorkflowByWorkspacePermission, mockDbSelect } = vi.hoisted(
+const { mockGetSession, mockAuthorizeWorkflowByWorkspacePermission } = vi.hoisted(() => ({
  () => ({
  mockGetSession: vi.fn(),
  mockAuthorizeWorkflowByWorkspacePermission: vi.fn(),
-    mockDbSelect: vi.fn(),
+}))
  })
 )
 vi.mock('@/lib/auth', () => ({
  getSession: mockGetSession,
@@ -23,11 +20,7 @@ vi.mock('@/lib/workflows/utils', () => ({
  authorizeWorkflowByWorkspacePermission: mockAuthorizeWorkflowByWorkspacePermission,
 }))
-vi.mock('@sim/db', () => ({
+vi.mock('@sim/db', () => databaseMock)
  db: {
    select: mockDbSelect,
  },
 }))
 vi.mock('@sim/db/schema', () => ({
  workflow: { id: 'id', userId: 'userId', workspaceId: 'workspaceId' },
@@ -62,6 +55,8 @@ function createRequest(url: string): NextRequest {
  return new NextRequest(new URL(url), { method: 'GET' })
 }
 const mockDbSelect = databaseMock.db.select as ReturnType<typeof vi.fn>
 function mockDbChain(results: any[]) {
  let callIndex = 0
  mockDbSelect.mockImplementation(() => ({
--- a/apps/sim/app/api/templates/[id]/use/route.ts
+++ b/apps/sim/app/api/templates/[id]/use/route.ts
@@ -6,7 +6,7 @@ import { type NextRequest, NextResponse } from 'next/server'
 import { v4 as uuidv4 } from 'uuid'
 import { getSession } from '@/lib/auth'
 import { generateRequestId } from '@/lib/core/utils/request'
-import { getBaseUrl } from '@/lib/core/utils/urls'
+import { getInternalApiBaseUrl } from '@/lib/core/utils/urls'
 import {
  type RegenerateStateInput,
  regenerateWorkflowStateIds,
@@ -115,7 +115,9 @@ export async function POST(request: NextRequest, { params }: { params: Promise<{
    // Step 3: Save the workflow state using the existing state endpoint (like imports do)
    // Ensure variables in state are remapped for the new workflow as well
    const workflowStateWithVariables = { ...workflowState, variables: remappedVariables }
-    const stateResponse = await fetch(`${getBaseUrl()}/api/workflows/${newWorkflowId}/state`, {
+    const stateResponse = await fetch(
      `${getInternalApiBaseUrl()}/api/workflows/${newWorkflowId}/state`,
      {
        method: 'PUT',
        headers: {
          'Content-Type': 'application/json',
@@ -123,7 +125,8 @@ export async function POST(request: NextRequest, { params }: { params: Promise<{
          cookie: request.headers.get('cookie') || '',
        },
        body: JSON.stringify(workflowStateWithVariables),
-    })
+      }
    )
    if (!stateResponse.ok) {
      logger.error(`[${requestId}] Failed to save workflow state for template use`)
--- a/apps/sim/app/api/v1/admin/index.ts
+++ b/apps/sim/app/api/v1/admin/index.ts
@@ -66,6 +66,12 @@
 *   Credits:
 *   POST   /api/v1/admin/credits                            - Issue credits to user (by userId or email)
 *
 *   Referral Campaigns:
 *   GET    /api/v1/admin/referral-campaigns                 - List campaigns (?active=true/false)
 *   POST   /api/v1/admin/referral-campaigns                 - Create campaign
 *   GET    /api/v1/admin/referral-campaigns/:id             - Get campaign details
 *   PATCH  /api/v1/admin/referral-campaigns/:id             - Update campaign fields
 *
 *   Access Control (Permission Groups):
 *   GET    /api/v1/admin/access-control                     - List permission groups (?organizationId=X)
 *   DELETE /api/v1/admin/access-control                     - Delete permission groups for org (?organizationId=X)
@@ -97,6 +103,7 @@ export type {
  AdminOrganization,
  AdminOrganizationBillingSummary,
  AdminOrganizationDetail,
  AdminReferralCampaign,
  AdminSeatAnalytics,
  AdminSingleResponse,
  AdminSubscription,
@@ -111,6 +118,7 @@ export type {
  AdminWorkspaceMember,
  DbMember,
  DbOrganization,
  DbReferralCampaign,
  DbSubscription,
  DbUser,
  DbUserStats,
@@ -139,6 +147,7 @@ export {
  parseWorkflowVariables,
  toAdminFolder,
  toAdminOrganization,
  toAdminReferralCampaign,
  toAdminSubscription,
  toAdminUser,
  toAdminWorkflow,
--- a/apps/sim/app/api/v1/admin/referral-campaigns/[id]/route.ts
+++ b/apps/sim/app/api/v1/admin/referral-campaigns/[id]/route.ts
@@ -0,0 +1,142 @@
 /**
 * GET   /api/v1/admin/referral-campaigns/:id
 *
 * Get a single referral campaign by ID.
 *
 * PATCH /api/v1/admin/referral-campaigns/:id
 *
 * Update campaign fields. All fields are optional.
 *
 * Body:
 *   - name: string (non-empty) - Campaign name
 *   - bonusCreditAmount: number (> 0) - Bonus credits in dollars
 *   - isActive: boolean - Enable/disable the campaign
 *   - code: string | null (min 6 chars, auto-uppercased, null to remove) - Redeemable code
 *   - utmSource: string | null - UTM source match (null = wildcard)
 *   - utmMedium: string | null - UTM medium match (null = wildcard)
 *   - utmCampaign: string | null - UTM campaign match (null = wildcard)
 *   - utmContent: string | null - UTM content match (null = wildcard)
 */
 import { db } from '@sim/db'
 import { referralCampaigns } from '@sim/db/schema'
 import { createLogger } from '@sim/logger'
 import { eq } from 'drizzle-orm'
 import { getBaseUrl } from '@/lib/core/utils/urls'
 import { withAdminAuthParams } from '@/app/api/v1/admin/middleware'
 import {
  badRequestResponse,
  internalErrorResponse,
  notFoundResponse,
  singleResponse,
 } from '@/app/api/v1/admin/responses'
 import { toAdminReferralCampaign } from '@/app/api/v1/admin/types'
 const logger = createLogger('AdminReferralCampaignDetailAPI')
 interface RouteParams {
  id: string
 }
 export const GET = withAdminAuthParams<RouteParams>(async (_, context) => {
  try {
    const { id: campaignId } = await context.params
    const [campaign] = await db
      .select()
      .from(referralCampaigns)
      .where(eq(referralCampaigns.id, campaignId))
      .limit(1)
    if (!campaign) {
      return notFoundResponse('Campaign')
    }
    logger.info(`Admin API: Retrieved referral campaign ${campaignId}`)
    return singleResponse(toAdminReferralCampaign(campaign, getBaseUrl()))
  } catch (error) {
    logger.error('Admin API: Failed to get referral campaign', { error })
    return internalErrorResponse('Failed to get referral campaign')
  }
 })
 export const PATCH = withAdminAuthParams<RouteParams>(async (request, context) => {
  try {
    const { id: campaignId } = await context.params
    const body = await request.json()
    const [existing] = await db
      .select()
      .from(referralCampaigns)
      .where(eq(referralCampaigns.id, campaignId))
      .limit(1)
    if (!existing) {
      return notFoundResponse('Campaign')
    }
    const updateData: Record<string, unknown> = { updatedAt: new Date() }
    if (body.name !== undefined) {
      if (typeof body.name !== 'string' || body.name.trim().length === 0) {
        return badRequestResponse('name must be a non-empty string')
      }
      updateData.name = body.name.trim()
    }
    if (body.bonusCreditAmount !== undefined) {
      if (
        typeof body.bonusCreditAmount !== 'number' ||
        !Number.isFinite(body.bonusCreditAmount) ||
        body.bonusCreditAmount <= 0
      ) {
        return badRequestResponse('bonusCreditAmount must be a positive number')
      }
      updateData.bonusCreditAmount = body.bonusCreditAmount.toString()
    }
    if (body.isActive !== undefined) {
      if (typeof body.isActive !== 'boolean') {
        return badRequestResponse('isActive must be a boolean')
      }
      updateData.isActive = body.isActive
    }
    if (body.code !== undefined) {
      if (body.code !== null) {
        if (typeof body.code !== 'string') {
          return badRequestResponse('code must be a string or null')
        }
        if (body.code.trim().length < 6) {
          return badRequestResponse('code must be at least 6 characters')
        }
      }
      updateData.code = body.code ? body.code.trim().toUpperCase() : null
    }
    for (const field of ['utmSource', 'utmMedium', 'utmCampaign', 'utmContent'] as const) {
      if (body[field] !== undefined) {
        if (body[field] !== null && typeof body[field] !== 'string') {
          return badRequestResponse(`${field} must be a string or null`)
        }
        updateData[field] = body[field] || null
      }
    }
    const [updated] = await db
      .update(referralCampaigns)
      .set(updateData)
      .where(eq(referralCampaigns.id, campaignId))
      .returning()
    logger.info(`Admin API: Updated referral campaign ${campaignId}`, {
      fields: Object.keys(updateData).filter((k) => k !== 'updatedAt'),
    })
    return singleResponse(toAdminReferralCampaign(updated, getBaseUrl()))
  } catch (error) {
    logger.error('Admin API: Failed to update referral campaign', { error })
    return internalErrorResponse('Failed to update referral campaign')
  }
 })
--- a/apps/sim/app/api/v1/admin/referral-campaigns/route.ts
+++ b/apps/sim/app/api/v1/admin/referral-campaigns/route.ts
@@ -0,0 +1,140 @@
 /**
 * GET  /api/v1/admin/referral-campaigns
 *
 * List referral campaigns with optional filtering and pagination.
 *
 * Query Parameters:
 *   - active: string (optional) - Filter by active status ('true' or 'false')
 *   - limit: number (default: 50, max: 250)
 *   - offset: number (default: 0)
 *
 * POST /api/v1/admin/referral-campaigns
 *
 * Create a new referral campaign.
 *
 * Body:
 *   - name: string (required) - Campaign name
 *   - bonusCreditAmount: number (required, > 0) - Bonus credits in dollars
 *   - code: string | null (optional, min 6 chars, auto-uppercased) - Redeemable code
 *   - utmSource: string | null (optional) - UTM source match (null = wildcard)
 *   - utmMedium: string | null (optional) - UTM medium match (null = wildcard)
 *   - utmCampaign: string | null (optional) - UTM campaign match (null = wildcard)
 *   - utmContent: string | null (optional) - UTM content match (null = wildcard)
 */
 import { db } from '@sim/db'
 import { referralCampaigns } from '@sim/db/schema'
 import { createLogger } from '@sim/logger'
 import { count, eq, type SQL } from 'drizzle-orm'
 import { nanoid } from 'nanoid'
 import { getBaseUrl } from '@/lib/core/utils/urls'
 import { withAdminAuth } from '@/app/api/v1/admin/middleware'
 import {
  badRequestResponse,
  internalErrorResponse,
  listResponse,
  singleResponse,
 } from '@/app/api/v1/admin/responses'
 import {
  type AdminReferralCampaign,
  createPaginationMeta,
  parsePaginationParams,
  toAdminReferralCampaign,
 } from '@/app/api/v1/admin/types'
 const logger = createLogger('AdminReferralCampaignsAPI')
 export const GET = withAdminAuth(async (request) => {
  const url = new URL(request.url)
  const { limit, offset } = parsePaginationParams(url)
  const activeFilter = url.searchParams.get('active')
  try {
    const conditions: SQL<unknown>[] = []
    if (activeFilter === 'true') {
      conditions.push(eq(referralCampaigns.isActive, true))
    } else if (activeFilter === 'false') {
      conditions.push(eq(referralCampaigns.isActive, false))
    }
    const whereClause = conditions.length > 0 ? conditions[0] : undefined
    const baseUrl = getBaseUrl()
    const [countResult, campaigns] = await Promise.all([
      db.select({ total: count() }).from(referralCampaigns).where(whereClause),
      db
        .select()
        .from(referralCampaigns)
        .where(whereClause)
        .orderBy(referralCampaigns.createdAt)
        .limit(limit)
        .offset(offset),
    ])
    const total = countResult[0].total
    const data: AdminReferralCampaign[] = campaigns.map((c) => toAdminReferralCampaign(c, baseUrl))
    const pagination = createPaginationMeta(total, limit, offset)
    logger.info(`Admin API: Listed ${data.length} referral campaigns (total: ${total})`)
    return listResponse(data, pagination)
  } catch (error) {
    logger.error('Admin API: Failed to list referral campaigns', { error })
    return internalErrorResponse('Failed to list referral campaigns')
  }
 })
 export const POST = withAdminAuth(async (request) => {
  try {
    const body = await request.json()
    const { name, code, utmSource, utmMedium, utmCampaign, utmContent, bonusCreditAmount } = body
    if (!name || typeof name !== 'string') {
      return badRequestResponse('name is required and must be a string')
    }
    if (
      typeof bonusCreditAmount !== 'number' ||
      !Number.isFinite(bonusCreditAmount) ||
      bonusCreditAmount <= 0
    ) {
      return badRequestResponse('bonusCreditAmount must be a positive number')
    }
    if (code !== undefined && code !== null) {
      if (typeof code !== 'string') {
        return badRequestResponse('code must be a string or null')
      }
      if (code.trim().length < 6) {
        return badRequestResponse('code must be at least 6 characters')
      }
    }
    const id = nanoid()
    const [campaign] = await db
      .insert(referralCampaigns)
      .values({
        id,
        name,
        code: code ? code.trim().toUpperCase() : null,
        utmSource: utmSource || null,
        utmMedium: utmMedium || null,
        utmCampaign: utmCampaign || null,
        utmContent: utmContent || null,
        bonusCreditAmount: bonusCreditAmount.toString(),
      })
      .returning()
    logger.info(`Admin API: Created referral campaign ${id}`, {
      name,
      code: campaign.code,
      bonusCreditAmount,
    })
    return singleResponse(toAdminReferralCampaign(campaign, getBaseUrl()))
  } catch (error) {
    logger.error('Admin API: Failed to create referral campaign', { error })
    return internalErrorResponse('Failed to create referral campaign')
  }
 })
--- a/apps/sim/app/api/v1/admin/types.ts
+++ b/apps/sim/app/api/v1/admin/types.ts
@@ -8,6 +8,7 @@
 import type {
  member,
  organization,
  referralCampaigns,
  subscription,
  user,
  userStats,
@@ -31,6 +32,7 @@ export type DbOrganization = InferSelectModel<typeof organization>
 export type DbSubscription = InferSelectModel<typeof subscription>
 export type DbMember = InferSelectModel<typeof member>
 export type DbUserStats = InferSelectModel<typeof userStats>
 export type DbReferralCampaign = InferSelectModel<typeof referralCampaigns>
 // =============================================================================
 // Pagination
@@ -646,3 +648,49 @@ export interface AdminDeployResult {
 export interface AdminUndeployResult {
  isDeployed: boolean
 }
 // =============================================================================
 // Referral Campaign Types
 // =============================================================================
 export interface AdminReferralCampaign {
  id: string
  name: string
  code: string | null
  utmSource: string | null
  utmMedium: string | null
  utmCampaign: string | null
  utmContent: string | null
  bonusCreditAmount: string
  isActive: boolean
  signupUrl: string | null
  createdAt: string
  updatedAt: string
 }
 export function toAdminReferralCampaign(
  dbCampaign: DbReferralCampaign,
  baseUrl: string
 ): AdminReferralCampaign {
  const utmParams = new URLSearchParams()
  if (dbCampaign.utmSource) utmParams.set('utm_source', dbCampaign.utmSource)
  if (dbCampaign.utmMedium) utmParams.set('utm_medium', dbCampaign.utmMedium)
  if (dbCampaign.utmCampaign) utmParams.set('utm_campaign', dbCampaign.utmCampaign)
  if (dbCampaign.utmContent) utmParams.set('utm_content', dbCampaign.utmContent)
  const query = utmParams.toString()
  return {
    id: dbCampaign.id,
    name: dbCampaign.name,
    code: dbCampaign.code,
    utmSource: dbCampaign.utmSource,
    utmMedium: dbCampaign.utmMedium,
    utmCampaign: dbCampaign.utmCampaign,
    utmContent: dbCampaign.utmContent,
    bonusCreditAmount: dbCampaign.bonusCreditAmount,
    isActive: dbCampaign.isActive,
    signupUrl: query ? `${baseUrl}/signup?${query}` : null,
    createdAt: dbCampaign.createdAt.toISOString(),
    updatedAt: dbCampaign.updatedAt.toISOString(),
  }
 }
--- a/apps/sim/app/api/v1/admin/workspaces/[id]/members/[memberId]/route.ts
+++ b/apps/sim/app/api/v1/admin/workspaces/[id]/members/[memberId]/route.ts
@@ -25,6 +25,7 @@ import { db } from '@sim/db'
 import { permissions, user, workspace } from '@sim/db/schema'
 import { createLogger } from '@sim/logger'
 import { and, eq } from 'drizzle-orm'
 import { revokeWorkspaceCredentialMemberships } from '@/lib/credentials/access'
 import { withAdminAuthParams } from '@/app/api/v1/admin/middleware'
 import {
  badRequestResponse,
@@ -215,6 +216,8 @@ export const DELETE = withAdminAuthParams<RouteParams>(async (_, context) => {
    await db.delete(permissions).where(eq(permissions.id, memberId))
    await revokeWorkspaceCredentialMemberships(workspaceId, existingMember.userId)
    logger.info(`Admin API: Removed member ${memberId} from workspace ${workspaceId}`, {
      userId: existingMember.userId,
    })
--- a/apps/sim/app/api/v1/admin/workspaces/[id]/members/route.ts
+++ b/apps/sim/app/api/v1/admin/workspaces/[id]/members/route.ts
@@ -32,9 +32,10 @@
 import crypto from 'crypto'
 import { db } from '@sim/db'
-import { permissions, user, workspace } from '@sim/db/schema'
+import { permissions, user, workspace, workspaceEnvironment } from '@sim/db/schema'
 import { createLogger } from '@sim/logger'
 import { and, count, eq } from 'drizzle-orm'
 import { syncWorkspaceEnvCredentials } from '@/lib/credentials/environment'
 import { withAdminAuthParams } from '@/app/api/v1/admin/middleware'
 import {
  badRequestResponse,
@@ -232,6 +233,20 @@ export const POST = withAdminAuthParams<RouteParams>(async (request, context) =>
      permissionId,
    })
    const [wsEnvRow] = await db
      .select({ variables: workspaceEnvironment.variables })
      .from(workspaceEnvironment)
      .where(eq(workspaceEnvironment.workspaceId, workspaceId))
      .limit(1)
    const wsEnvKeys = Object.keys((wsEnvRow?.variables as Record<string, string>) || {})
    if (wsEnvKeys.length > 0) {
      await syncWorkspaceEnvCredentials({
        workspaceId,
        envKeys: wsEnvKeys,
        actingUserId: body.userId,
      })
    }
    return singleResponse({
      id: permissionId,
      workspaceId,
--- a/apps/sim/app/api/v1/copilot/chat/route.ts
+++ b/apps/sim/app/api/v1/copilot/chat/route.ts
@@ -8,7 +8,7 @@ import { resolveWorkflowIdForUser } from '@/lib/workflows/utils'
 import { authenticateV1Request } from '@/app/api/v1/auth'
 const logger = createLogger('CopilotHeadlessAPI')
-const DEFAULT_COPILOT_MODEL = 'claude-opus-4-6'
+const DEFAULT_COPILOT_MODEL = 'claude-opus-4-5'
 const RequestSchema = z.object({
  message: z.string().min(1, 'message is required'),
--- a/apps/sim/app/api/workflows/[id]/deployments/[version]/route.ts
+++ b/apps/sim/app/api/workflows/[id]/deployments/[version]/route.ts
@@ -29,7 +29,7 @@ const patchBodySchema = z
    description: z
      .string()
      .trim()
-      .max(500, 'Description must be 500 characters or less')
+      .max(2000, 'Description must be 2000 characters or less')
      .nullable()
      .optional(),
    isActive: z.literal(true).optional(), // Set to true to activate this version
--- a/apps/sim/app/api/workflows/[id]/execute/route.ts
+++ b/apps/sim/app/api/workflows/[id]/execute/route.ts
@@ -12,7 +12,7 @@ import {
 import { generateRequestId } from '@/lib/core/utils/request'
 import { SSE_HEADERS } from '@/lib/core/utils/sse'
 import { getBaseUrl } from '@/lib/core/utils/urls'
-import { markExecutionCancelled } from '@/lib/execution/cancellation'
+import { createExecutionEventWriter, setExecutionMeta } from '@/lib/execution/event-buffer'
 import { processInputFileFields } from '@/lib/execution/files'
 import { preprocessExecution } from '@/lib/execution/preprocessing'
 import { LoggingSession } from '@/lib/logs/execution/logging-session'
@@ -536,6 +536,7 @@ export async function POST(req: NextRequest, { params }: { params: Promise<{ id:
          useDraftState: shouldUseDraftState,
          startTime: new Date().toISOString(),
          isClientSession,
          enforceCredentialAccess: useAuthenticatedUserAsActor,
          workflowStateOverride: effectiveWorkflowStateOverride,
        }
@@ -700,17 +701,29 @@ export async function POST(req: NextRequest, { params }: { params: Promise<{ id:
    const timeoutController = createTimeoutAbortController(preprocessResult.executionTimeout?.sync)
    let isStreamClosed = false
    const eventWriter = createExecutionEventWriter(executionId)
    setExecutionMeta(executionId, {
      status: 'active',
      userId: actorUserId,
      workflowId,
    }).catch(() => {})
    const stream = new ReadableStream<Uint8Array>({
      async start(controller) {
-        const sendEvent = (event: ExecutionEvent) => {
+        let finalMetaStatus: 'complete' | 'error' | 'cancelled' | null = null
          if (isStreamClosed) return
        const sendEvent = (event: ExecutionEvent) => {
          if (!isStreamClosed) {
            try {
              controller.enqueue(encodeSSEEvent(event))
            } catch {
              isStreamClosed = true
            }
          }
          if (event.type !== 'stream:chunk' && event.type !== 'stream:done') {
            eventWriter.write(event).catch(() => {})
          }
        }
        try {
          const startTime = new Date()
@@ -829,14 +842,12 @@ export async function POST(req: NextRequest, { params }: { params: Promise<{ id:
            const reader = streamingExec.stream.getReader()
            const decoder = new TextDecoder()
            let chunkCount = 0
            try {
              while (true) {
                const { done, value } = await reader.read()
                if (done) break
                chunkCount++
                const chunk = decoder.decode(value, { stream: true })
                sendEvent({
                  type: 'stream:chunk',
@@ -875,6 +886,7 @@ export async function POST(req: NextRequest, { params }: { params: Promise<{ id:
            useDraftState: shouldUseDraftState,
            startTime: new Date().toISOString(),
            isClientSession,
            enforceCredentialAccess: useAuthenticatedUserAsActor,
            workflowStateOverride: effectiveWorkflowStateOverride,
          }
@@ -951,6 +963,7 @@ export async function POST(req: NextRequest, { params }: { params: Promise<{ id:
                  duration: result.metadata?.duration || 0,
                },
              })
              finalMetaStatus = 'error'
            } else {
              logger.info(`[${requestId}] Workflow execution was cancelled`)
@@ -963,6 +976,7 @@ export async function POST(req: NextRequest, { params }: { params: Promise<{ id:
                  duration: result.metadata?.duration || 0,
                },
              })
              finalMetaStatus = 'cancelled'
            }
            return
          }
@@ -986,6 +1000,7 @@ export async function POST(req: NextRequest, { params }: { params: Promise<{ id:
              endTime: result.metadata?.endTime || new Date().toISOString(),
            },
          })
          finalMetaStatus = 'complete'
        } catch (error: unknown) {
          const isTimeout = isTimeoutError(error) || timeoutController.isTimedOut()
          const errorMessage = isTimeout
@@ -1017,7 +1032,18 @@ export async function POST(req: NextRequest, { params }: { params: Promise<{ id:
              duration: executionResult?.metadata?.duration || 0,
            },
          })
          finalMetaStatus = 'error'
        } finally {
          try {
            await eventWriter.close()
          } catch (closeError) {
            logger.warn(`[${requestId}] Failed to close event writer`, {
              error: closeError instanceof Error ? closeError.message : String(closeError),
            })
          }
          if (finalMetaStatus) {
            setExecutionMeta(executionId, { status: finalMetaStatus }).catch(() => {})
          }
          timeoutController.cleanup()
          if (executionId) {
            await cleanupExecutionBase64Cache(executionId)
@@ -1032,10 +1058,7 @@ export async function POST(req: NextRequest, { params }: { params: Promise<{ id:
      },
      cancel() {
        isStreamClosed = true
-        timeoutController.cleanup()
+        logger.info(`[${requestId}] Client disconnected from SSE stream`)
        logger.info(`[${requestId}] Client aborted SSE stream, signalling cancellation`)
        timeoutController.abort()
        markExecutionCancelled(executionId).catch(() => {})
      },
    })
--- a/apps/sim/app/api/workflows/[id]/executions/[executionId]/stream/route.ts
+++ b/apps/sim/app/api/workflows/[id]/executions/[executionId]/stream/route.ts
@@ -0,0 +1,170 @@
 import { createLogger } from '@sim/logger'
 import { type NextRequest, NextResponse } from 'next/server'
 import { checkHybridAuth } from '@/lib/auth/hybrid'
 import { SSE_HEADERS } from '@/lib/core/utils/sse'
 import {
  type ExecutionStreamStatus,
  getExecutionMeta,
  readExecutionEvents,
 } from '@/lib/execution/event-buffer'
 import { formatSSEEvent } from '@/lib/workflows/executor/execution-events'
 import { authorizeWorkflowByWorkspacePermission } from '@/lib/workflows/utils'
 const logger = createLogger('ExecutionStreamReconnectAPI')
 const POLL_INTERVAL_MS = 500
 const MAX_POLL_DURATION_MS = 10 * 60 * 1000 // 10 minutes
 function isTerminalStatus(status: ExecutionStreamStatus): boolean {
  return status === 'complete' || status === 'error' || status === 'cancelled'
 }
 export const runtime = 'nodejs'
 export const dynamic = 'force-dynamic'
 export async function GET(
  req: NextRequest,
  { params }: { params: Promise<{ id: string; executionId: string }> }
 ) {
  const { id: workflowId, executionId } = await params
  try {
    const auth = await checkHybridAuth(req, { requireWorkflowId: false })
    if (!auth.success || !auth.userId) {
      return NextResponse.json({ error: auth.error || 'Unauthorized' }, { status: 401 })
    }
    const workflowAuthorization = await authorizeWorkflowByWorkspacePermission({
      workflowId,
      userId: auth.userId,
      action: 'read',
    })
    if (!workflowAuthorization.allowed) {
      return NextResponse.json(
        { error: workflowAuthorization.message || 'Access denied' },
        { status: workflowAuthorization.status }
      )
    }
    const meta = await getExecutionMeta(executionId)
    if (!meta) {
      return NextResponse.json({ error: 'Execution buffer not found or expired' }, { status: 404 })
    }
    if (meta.workflowId && meta.workflowId !== workflowId) {
      return NextResponse.json(
        { error: 'Execution does not belong to this workflow' },
        { status: 403 }
      )
    }
    const fromParam = req.nextUrl.searchParams.get('from')
    const parsed = fromParam ? Number.parseInt(fromParam, 10) : 0
    const fromEventId = Number.isFinite(parsed) && parsed >= 0 ? parsed : 0
    logger.info('Reconnection stream requested', {
      workflowId,
      executionId,
      fromEventId,
      metaStatus: meta.status,
    })
    const encoder = new TextEncoder()
    let closed = false
    const stream = new ReadableStream<Uint8Array>({
      async start(controller) {
        let lastEventId = fromEventId
        const pollDeadline = Date.now() + MAX_POLL_DURATION_MS
        const enqueue = (text: string) => {
          if (closed) return
          try {
            controller.enqueue(encoder.encode(text))
          } catch {
            closed = true
          }
        }
        try {
          const events = await readExecutionEvents(executionId, lastEventId)
          for (const entry of events) {
            if (closed) return
            enqueue(formatSSEEvent(entry.event))
            lastEventId = entry.eventId
          }
          const currentMeta = await getExecutionMeta(executionId)
          if (!currentMeta || isTerminalStatus(currentMeta.status)) {
            enqueue('data: [DONE]\n\n')
            if (!closed) controller.close()
            return
          }
          while (!closed && Date.now() < pollDeadline) {
            await new Promise((resolve) => setTimeout(resolve, POLL_INTERVAL_MS))
            if (closed) return
            const newEvents = await readExecutionEvents(executionId, lastEventId)
            for (const entry of newEvents) {
              if (closed) return
              enqueue(formatSSEEvent(entry.event))
              lastEventId = entry.eventId
            }
            const polledMeta = await getExecutionMeta(executionId)
            if (!polledMeta || isTerminalStatus(polledMeta.status)) {
              const finalEvents = await readExecutionEvents(executionId, lastEventId)
              for (const entry of finalEvents) {
                if (closed) return
                enqueue(formatSSEEvent(entry.event))
                lastEventId = entry.eventId
              }
              enqueue('data: [DONE]\n\n')
              if (!closed) controller.close()
              return
            }
          }
          if (!closed) {
            logger.warn('Reconnection stream poll deadline reached', { executionId })
            enqueue('data: [DONE]\n\n')
            controller.close()
          }
        } catch (error) {
          logger.error('Error in reconnection stream', {
            executionId,
            error: error instanceof Error ? error.message : String(error),
          })
          if (!closed) {
            try {
              controller.close()
            } catch {}
          }
        }
      },
      cancel() {
        closed = true
        logger.info('Client disconnected from reconnection stream', { executionId })
      },
    })
    return new NextResponse(stream, {
      headers: {
        ...SSE_HEADERS,
        'X-Execution-Id': executionId,
      },
    })
  } catch (error: any) {
    logger.error('Failed to start reconnection stream', {
      workflowId,
      executionId,
      error: error.message,
    })
    return NextResponse.json(
      { error: error.message || 'Failed to start reconnection stream' },
      { status: 500 }
    )
  }
 }
--- a/apps/sim/app/api/workflows/[id]/route.test.ts
+++ b/apps/sim/app/api/workflows/[id]/route.test.ts
@@ -5,7 +5,7 @@
 * @vitest-environment node
 */
-import { loggerMock } from '@sim/testing'
+import { loggerMock, setupGlobalFetchMock } from '@sim/testing'
 import { NextRequest } from 'next/server'
 import { afterEach, beforeEach, describe, expect, it, vi } from 'vitest'
@@ -284,9 +284,7 @@ describe('Workflow By ID API Route', () => {
        where: vi.fn().mockResolvedValue([{ id: 'workflow-123' }]),
      })
-      global.fetch = vi.fn().mockResolvedValue({
+      setupGlobalFetchMock({ ok: true })
        ok: true,
      })
      const req = new NextRequest('http://localhost:3000/api/workflows/workflow-123', {
        method: 'DELETE',
@@ -331,9 +329,7 @@ describe('Workflow By ID API Route', () => {
        where: vi.fn().mockResolvedValue([{ id: 'workflow-123' }]),
      })
-      global.fetch = vi.fn().mockResolvedValue({
+      setupGlobalFetchMock({ ok: true })
        ok: true,
      })
      const req = new NextRequest('http://localhost:3000/api/workflows/workflow-123', {
        method: 'DELETE',
--- a/apps/sim/app/api/workspaces/[id]/environment/route.ts
+++ b/apps/sim/app/api/workspaces/[id]/environment/route.ts
@@ -1,12 +1,14 @@
 import { db } from '@sim/db'
-import { environment, workspaceEnvironment } from '@sim/db/schema'
+import { workspaceEnvironment } from '@sim/db/schema'
 import { createLogger } from '@sim/logger'
 import { eq } from 'drizzle-orm'
 import { type NextRequest, NextResponse } from 'next/server'
 import { z } from 'zod'
 import { getSession } from '@/lib/auth'
-import { decryptSecret, encryptSecret } from '@/lib/core/security/encryption'
+import { encryptSecret } from '@/lib/core/security/encryption'
 import { generateRequestId } from '@/lib/core/utils/request'
 import { syncWorkspaceEnvCredentials } from '@/lib/credentials/environment'
 import { getPersonalAndWorkspaceEnv } from '@/lib/environment/utils'
 import { getUserEntityPermissions, getWorkspaceById } from '@/lib/workspaces/permissions/utils'
 const logger = createLogger('WorkspaceEnvironmentAPI')
@@ -44,44 +46,10 @@ export async function GET(request: NextRequest, { params }: { params: Promise<{
      return NextResponse.json({ error: 'Unauthorized' }, { status: 401 })
    }
-    // Workspace env (encrypted)
+    const { workspaceDecrypted, personalDecrypted, conflicts } = await getPersonalAndWorkspaceEnv(
-    const wsEnvRow = await db
+      userId,
-      .select()
+      workspaceId
-      .from(workspaceEnvironment)
+    )
      .where(eq(workspaceEnvironment.workspaceId, workspaceId))
      .limit(1)
    const wsEncrypted: Record<string, string> = (wsEnvRow[0]?.variables as any) || {}
    // Personal env (encrypted)
    const personalRow = await db
      .select()
      .from(environment)
      .where(eq(environment.userId, userId))
      .limit(1)
    const personalEncrypted: Record<string, string> = (personalRow[0]?.variables as any) || {}
    // Decrypt both for UI
    const decryptAll = async (src: Record<string, string>) => {
      const out: Record<string, string> = {}
      for (const [k, v] of Object.entries(src)) {
        try {
          const { decrypted } = await decryptSecret(v)
          out[k] = decrypted
        } catch {
          out[k] = ''
        }
      }
      return out
    }
    const [workspaceDecrypted, personalDecrypted] = await Promise.all([
      decryptAll(wsEncrypted),
      decryptAll(personalEncrypted),
    ])
    const conflicts = Object.keys(personalDecrypted).filter((k) => k in workspaceDecrypted)
    return NextResponse.json(
      {
@@ -156,6 +124,12 @@ export async function PUT(request: NextRequest, { params }: { params: Promise<{
        set: { variables: merged, updatedAt: new Date() },
      })
    await syncWorkspaceEnvCredentials({
      workspaceId,
      envKeys: Object.keys(merged),
      actingUserId: userId,
    })
    return NextResponse.json({ success: true })
  } catch (error: any) {
    logger.error(`[${requestId}] Workspace env PUT error`, error)
@@ -222,6 +196,12 @@ export async function DELETE(
        set: { variables: current, updatedAt: new Date() },
      })
    await syncWorkspaceEnvCredentials({
      workspaceId,
      envKeys: Object.keys(current),
      actingUserId: userId,
    })
    return NextResponse.json({ success: true })
  } catch (error: any) {
    logger.error(`[${requestId}] Workspace env DELETE error`, error)
--- a/apps/sim/app/api/workspaces/[id]/permissions/route.ts
+++ b/apps/sim/app/api/workspaces/[id]/permissions/route.ts
@@ -1,11 +1,12 @@
 import crypto from 'crypto'
 import { db } from '@sim/db'
-import { permissions, workspace } from '@sim/db/schema'
+import { permissions, workspace, workspaceEnvironment } from '@sim/db/schema'
 import { createLogger } from '@sim/logger'
 import { and, eq } from 'drizzle-orm'
 import { type NextRequest, NextResponse } from 'next/server'
 import { z } from 'zod'
 import { getSession } from '@/lib/auth'
 import { syncWorkspaceEnvCredentials } from '@/lib/credentials/environment'
 import {
  getUsersWithPermissions,
  hasWorkspaceAdminAccess,
@@ -154,6 +155,20 @@ export async function PATCH(request: NextRequest, { params }: { params: Promise<
      }
    })
    const [wsEnvRow] = await db
      .select({ variables: workspaceEnvironment.variables })
      .from(workspaceEnvironment)
      .where(eq(workspaceEnvironment.workspaceId, workspaceId))
      .limit(1)
    const wsEnvKeys = Object.keys((wsEnvRow?.variables as Record<string, string>) || {})
    if (wsEnvKeys.length > 0) {
      await syncWorkspaceEnvCredentials({
        workspaceId,
        envKeys: wsEnvKeys,
        actingUserId: session.user.id,
      })
    }
    const updatedUsers = await getUsersWithPermissions(workspaceId)
    return NextResponse.json({
--- a/apps/sim/app/api/workspaces/invitations/[invitationId]/route.test.ts
+++ b/apps/sim/app/api/workspaces/invitations/[invitationId]/route.test.ts
@@ -8,15 +8,27 @@ const mockHasWorkspaceAdminAccess = vi.fn()
 let dbSelectResults: any[] = []
 let dbSelectCallIndex = 0
-const mockDbSelect = vi.fn().mockImplementation(() => ({
+const mockDbSelect = vi.fn().mockImplementation(() => {
-  from: vi.fn().mockReturnThis(),
+  const makeThen = () =>
-  where: vi.fn().mockReturnThis(),
+    vi.fn().mockImplementation((callback: (rows: any[]) => any) => {
  then: vi.fn().mockImplementation((callback: (rows: any[]) => any) => {
      const result = dbSelectResults[dbSelectCallIndex] || []
      dbSelectCallIndex++
      return Promise.resolve(callback ? callback(result) : result)
-  }),
+    })
-}))
+  const makeLimit = () =>
    vi.fn().mockImplementation(() => {
      const result = dbSelectResults[dbSelectCallIndex] || []
      dbSelectCallIndex++
      return Promise.resolve(result)
    })
  const chain: any = {}
  chain.from = vi.fn().mockReturnValue(chain)
  chain.where = vi.fn().mockReturnValue(chain)
  chain.limit = makeLimit()
  chain.then = makeThen()
  return chain
 })
 const mockDbInsert = vi.fn().mockImplementation(() => ({
  values: vi.fn().mockResolvedValue(undefined),
@@ -53,6 +65,10 @@ vi.mock('@/lib/workspaces/permissions/utils', () => ({
    mockHasWorkspaceAdminAccess(userId, workspaceId),
 }))
 vi.mock('@/lib/credentials/environment', () => ({
  syncWorkspaceEnvCredentials: vi.fn().mockResolvedValue(undefined),
 }))
 vi.mock('@sim/logger', () => loggerMock)
 vi.mock('@/lib/core/utils/urls', () => ({
@@ -95,6 +111,10 @@ vi.mock('@sim/db/schema', () => ({
    userId: 'userId',
    permissionType: 'permissionType',
  },
  workspaceEnvironment: {
    workspaceId: 'workspaceId',
    variables: 'variables',
  },
 }))
 vi.mock('drizzle-orm', () => ({
@@ -207,6 +227,7 @@ describe('Workspace Invitation [invitationId] API Route', () => {
        [mockWorkspace],
        [{ ...mockUser, email: 'invited@example.com' }],
        [],
        [],
      ]
      const request = new NextRequest(
@@ -460,6 +481,7 @@ describe('Workspace Invitation [invitationId] API Route', () => {
        [mockWorkspace],
        [{ ...mockUser, email: 'invited@example.com' }],
        [],
        [],
      ]
      const request2 = new NextRequest(
--- a/apps/sim/app/api/workspaces/invitations/[invitationId]/route.ts
+++ b/apps/sim/app/api/workspaces/invitations/[invitationId]/route.ts
@@ -6,6 +6,7 @@ import {
  user,
  type WorkspaceInvitationStatus,
  workspace,
  workspaceEnvironment,
  workspaceInvitation,
 } from '@sim/db/schema'
 import { createLogger } from '@sim/logger'
@@ -14,6 +15,7 @@ import { type NextRequest, NextResponse } from 'next/server'
 import { WorkspaceInvitationEmail } from '@/components/emails'
 import { getSession } from '@/lib/auth'
 import { getBaseUrl } from '@/lib/core/utils/urls'
 import { syncWorkspaceEnvCredentials } from '@/lib/credentials/environment'
 import { sendEmail } from '@/lib/messaging/email/mailer'
 import { getFromEmailAddress } from '@/lib/messaging/email/utils'
 import { hasWorkspaceAdminAccess } from '@/lib/workspaces/permissions/utils'
@@ -162,6 +164,20 @@ export async function GET(
          .where(eq(workspaceInvitation.id, invitation.id))
      })
      const [wsEnvRow] = await db
        .select({ variables: workspaceEnvironment.variables })
        .from(workspaceEnvironment)
        .where(eq(workspaceEnvironment.workspaceId, invitation.workspaceId))
        .limit(1)
      const wsEnvKeys = Object.keys((wsEnvRow?.variables as Record<string, string>) || {})
      if (wsEnvKeys.length > 0) {
        await syncWorkspaceEnvCredentials({
          workspaceId: invitation.workspaceId,
          envKeys: wsEnvKeys,
          actingUserId: session.user.id,
        })
      }
      return NextResponse.redirect(new URL(`/workspace/${invitation.workspaceId}/w`, getBaseUrl()))
    }
--- a/apps/sim/app/api/workspaces/members/[id]/route.ts
+++ b/apps/sim/app/api/workspaces/members/[id]/route.ts
@@ -5,6 +5,7 @@ import { and, eq } from 'drizzle-orm'
 import { type NextRequest, NextResponse } from 'next/server'
 import { z } from 'zod'
 import { getSession } from '@/lib/auth'
 import { revokeWorkspaceCredentialMemberships } from '@/lib/credentials/access'
 import { hasWorkspaceAdminAccess } from '@/lib/workspaces/permissions/utils'
 const logger = createLogger('WorkspaceMemberAPI')
@@ -101,6 +102,8 @@ export async function DELETE(req: NextRequest, { params }: { params: Promise<{ i
        )
      )
    await revokeWorkspaceCredentialMemberships(workspaceId, userId)
    return NextResponse.json({ success: true })
  } catch (error) {
    logger.error('Error removing workspace member:', error)
--- a/apps/sim/app/workspace/[workspaceId]/w/[workflowId]/components/diff-controls/diff-controls.tsx
+++ b/apps/sim/app/workspace/[workspaceId]/w/[workflowId]/components/diff-controls/diff-controls.tsx
@@ -14,14 +14,6 @@ const logger = createLogger('DiffControls')
 const NOTIFICATION_WIDTH = 240
 const NOTIFICATION_GAP = 16
 function isWorkflowEditToolCall(name?: string, params?: Record<string, unknown>): boolean {
  if (name !== 'workflow_change') return false
  const mode = typeof params?.mode === 'string' ? params.mode.toLowerCase() : ''
  if (mode === 'apply') return true
  return typeof params?.proposalId === 'string' && params.proposalId.length > 0
 }
 export const DiffControls = memo(function DiffControls() {
  const isTerminalResizing = useTerminalStore((state) => state.isResizing)
  const isPanelResizing = usePanelStore((state) => state.isResizing)
@@ -72,7 +64,7 @@ export const DiffControls = memo(function DiffControls() {
          const b = blocks[bi]
          if (b?.type === 'tool_call') {
            const tn = b.toolCall?.name
-            if (isWorkflowEditToolCall(tn, b.toolCall?.params)) {
+            if (tn === 'edit_workflow') {
              id = b.toolCall?.id
              break outer
            }
@@ -80,9 +72,7 @@ export const DiffControls = memo(function DiffControls() {
        }
      }
      if (!id) {
-        const candidates = Object.values(toolCallsById).filter((t) =>
+        const candidates = Object.values(toolCallsById).filter((t) => t.name === 'edit_workflow')
          isWorkflowEditToolCall(t.name, t.params)
        )
        id = candidates.length ? candidates[candidates.length - 1].id : undefined
      }
      if (id) updatePreviewToolCallState('accepted', id)
@@ -112,7 +102,7 @@ export const DiffControls = memo(function DiffControls() {
          const b = blocks[bi]
          if (b?.type === 'tool_call') {
            const tn = b.toolCall?.name
-            if (isWorkflowEditToolCall(tn, b.toolCall?.params)) {
+            if (tn === 'edit_workflow') {
              id = b.toolCall?.id
              break outer
            }
@@ -120,9 +110,7 @@ export const DiffControls = memo(function DiffControls() {
        }
      }
      if (!id) {
-        const candidates = Object.values(toolCallsById).filter((t) =>
+        const candidates = Object.values(toolCallsById).filter((t) => t.name === 'edit_workflow')
          isWorkflowEditToolCall(t.name, t.params)
        )
        id = candidates.length ? candidates[candidates.length - 1].id : undefined
      }
      if (id) updatePreviewToolCallState('rejected', id)
--- a/apps/sim/app/workspace/[workspaceId]/w/[workflowId]/components/panel/components/copilot/components/tool-call/tool-call.tsx
+++ b/apps/sim/app/workspace/[workspaceId]/w/[workflowId]/components/panel/components/copilot/components/tool-call/tool-call.tsx
@@ -47,27 +47,6 @@ interface ParsedTags {
  cleanContent: string
 }
 function getToolCallParams(toolCall?: CopilotToolCall): Record<string, unknown> {
  const candidate = ((toolCall as any)?.parameters ||
    (toolCall as any)?.input ||
    (toolCall as any)?.params ||
    {}) as Record<string, unknown>
  return candidate && typeof candidate === 'object' ? candidate : {}
 }
 function isWorkflowChangeApplyMode(toolCall?: CopilotToolCall): boolean {
  if (!toolCall || toolCall.name !== 'workflow_change') return false
  const params = getToolCallParams(toolCall)
  const mode = typeof params.mode === 'string' ? params.mode.toLowerCase() : ''
  if (mode === 'apply') return true
  return typeof params.proposalId === 'string' && params.proposalId.length > 0
 }
 function isWorkflowEditSummaryTool(toolCall?: CopilotToolCall): boolean {
  if (!toolCall) return false
  return isWorkflowChangeApplyMode(toolCall)
 }
 /**
 * Extracts plan steps from plan_respond tool calls in subagent blocks.
 * @param blocks - The subagent content blocks to search
@@ -892,10 +871,7 @@ const SubagentContentRenderer = memo(function SubagentContentRenderer({
          )
        }
        if (segment.type === 'tool' && segment.block.toolCall) {
-          if (
+          if (toolCall.name === 'edit' && segment.block.toolCall.name === 'edit_workflow') {
            (toolCall.name === 'edit' || toolCall.name === 'build') &&
            isWorkflowEditSummaryTool(segment.block.toolCall)
          ) {
            return (
              <div key={`tool-${segment.block.toolCall.id || index}`}>
                <WorkflowEditSummary toolCall={segment.block.toolCall} />
@@ -992,11 +968,12 @@ const WorkflowEditSummary = memo(function WorkflowEditSummary({
    }
  }, [blocks])
-  if (!isWorkflowEditSummaryTool(toolCall)) {
+  if (toolCall.name !== 'edit_workflow') {
    return null
  }
-  const params = getToolCallParams(toolCall)
+  const params =
    (toolCall as any).parameters || (toolCall as any).input || (toolCall as any).params || {}
  let operations = Array.isArray(params.operations) ? params.operations : []
  if (operations.length === 0 && Array.isArray((toolCall as any).operations)) {
@@ -1242,6 +1219,11 @@ const WorkflowEditSummary = memo(function WorkflowEditSummary({
  )
 })
 /** Checks if a tool is server-side executed (not a client tool) */
 function isIntegrationTool(toolName: string): boolean {
  return !TOOL_DISPLAY_REGISTRY[toolName]
 }
 function shouldShowRunSkipButtons(toolCall: CopilotToolCall): boolean {
  if (!toolCall.name || toolCall.name === 'unknown_tool') {
    return false
@@ -1251,96 +1233,59 @@ function shouldShowRunSkipButtons(toolCall: CopilotToolCall): boolean {
    return false
  }
-  if (toolCall.ui?.showInterrupt !== true) {
+  // Never show buttons for tools the user has marked as always-allowed
  if (useCopilotStore.getState().isToolAutoAllowed(toolCall.name)) {
    return false
  }
  const hasInterrupt = !!TOOL_DISPLAY_REGISTRY[toolCall.name]?.uiConfig?.interrupt
  if (hasInterrupt) {
    return true
  }
  // Integration tools (user-installed) always require approval
  if (isIntegrationTool(toolCall.name)) {
    return true
  }
  return false
 }
 const toolCallLogger = createLogger('CopilotToolCall')
 async function sendToolDecision(
  toolCallId: string,
-  status: 'accepted' | 'rejected' | 'background',
+  status: 'accepted' | 'rejected' | 'background'
  options?: {
    toolName?: string
    remember?: boolean
  }
 ) {
  try {
    await fetch('/api/copilot/confirm', {
      method: 'POST',
      headers: { 'Content-Type': 'application/json' },
-      body: JSON.stringify({
+      body: JSON.stringify({ toolCallId, status }),
        toolCallId,
        status,
        ...(options?.toolName ? { toolName: options.toolName } : {}),
        ...(options?.remember ? { remember: true } : {}),
      }),
    })
  } catch (error) {
    toolCallLogger.warn('Failed to send tool decision', {
      toolCallId,
      status,
      remember: options?.remember === true,
      toolName: options?.toolName,
      error: error instanceof Error ? error.message : String(error),
    })
  }
 }
 async function removeAutoAllowedToolPreference(toolName: string): Promise<boolean> {
  try {
    const response = await fetch(`/api/copilot/auto-allowed-tools?toolId=${encodeURIComponent(toolName)}`, {
      method: 'DELETE',
    })
    return response.ok
  } catch (error) {
    toolCallLogger.warn('Failed to remove auto-allowed tool preference', {
      toolName,
      error: error instanceof Error ? error.message : String(error),
    })
    return false
  }
 }
 type ToolUiAction = NonNullable<NonNullable<CopilotToolCall['ui']>['actions']>[number]
 function actionDecision(action: ToolUiAction): 'accepted' | 'rejected' | 'background' {
  const id = action.id.toLowerCase()
  if (id.includes('background')) return 'background'
  if (action.kind === 'reject') return 'rejected'
  return 'accepted'
 }
 function isClientRunCapability(toolCall: CopilotToolCall): boolean {
  if (toolCall.execution?.target === 'sim_client_capability') {
    return toolCall.execution.capabilityId === 'workflow.run' || !toolCall.execution.capabilityId
  }
  return CLIENT_EXECUTABLE_RUN_TOOLS.has(toolCall.name)
 }
 async function handleRun(
  toolCall: CopilotToolCall,
  setToolCallState: any,
  onStateChange?: any,
-  editedParams?: any,
+  editedParams?: any
  options?: {
    remember?: boolean
  }
 ) {
  setToolCallState(toolCall, 'executing', editedParams ? { params: editedParams } : undefined)
  onStateChange?.('executing')
-  await sendToolDecision(toolCall.id, 'accepted', {
+  await sendToolDecision(toolCall.id, 'accepted')
    toolName: toolCall.name,
    remember: options?.remember === true,
  })
  // Client-executable run tools: execute on the client for real-time feedback
  // (block pulsing, console logs, stop button). The server defers execution
  // for these tools; the client reports back via mark-complete.
-  if (isClientRunCapability(toolCall)) {
+  if (CLIENT_EXECUTABLE_RUN_TOOLS.has(toolCall.name)) {
    const params = editedParams || toolCall.params || {}
    executeRunToolOnClient(toolCall.id, toolCall.name, params)
  }
@@ -1353,9 +1298,6 @@ async function handleSkip(toolCall: CopilotToolCall, setToolCallState: any, onSt
 }
 function getDisplayName(toolCall: CopilotToolCall): string {
  if (toolCall.ui?.phaseLabel) return toolCall.ui.phaseLabel
  if (toolCall.ui?.title) return `${getStateVerb(toolCall.state)} ${toolCall.ui.title}`
  const fromStore = (toolCall as any).display?.text
  if (fromStore) return fromStore
  const registryEntry = TOOL_DISPLAY_REGISTRY[toolCall.name]
@@ -1400,37 +1342,53 @@ function RunSkipButtons({
  toolCall,
  onStateChange,
  editedParams,
  actions,
 }: {
  toolCall: CopilotToolCall
  onStateChange?: (state: any) => void
  editedParams?: any
  actions: ToolUiAction[]
 }) {
  const [isProcessing, setIsProcessing] = useState(false)
  const [buttonsHidden, setButtonsHidden] = useState(false)
  const actionInProgressRef = useRef(false)
-  const { setToolCallState } = useCopilotStore()
+  const { setToolCallState, addAutoAllowedTool } = useCopilotStore()
-  const onAction = async (action: ToolUiAction) => {
+  const onRun = async () => {
    // Prevent race condition - check ref synchronously
    if (actionInProgressRef.current) return
    actionInProgressRef.current = true
    setIsProcessing(true)
    setButtonsHidden(true)
    try {
-      const decision = actionDecision(action)
+      await handleRun(toolCall, setToolCallState, onStateChange, editedParams)
-      if (decision === 'accepted') {
+    } finally {
-        await handleRun(toolCall, setToolCallState, onStateChange, editedParams, {
+      setIsProcessing(false)
-          remember: action.remember === true,
+      actionInProgressRef.current = false
        })
      } else if (decision === 'rejected') {
        await handleSkip(toolCall, setToolCallState, onStateChange)
      } else {
        setToolCallState(toolCall, ClientToolCallState.background)
        onStateChange?.('background')
        await sendToolDecision(toolCall.id, 'background')
    }
  }
  const onAlwaysAllow = async () => {
    // Prevent race condition - check ref synchronously
    if (actionInProgressRef.current) return
    actionInProgressRef.current = true
    setIsProcessing(true)
    setButtonsHidden(true)
    try {
      await addAutoAllowedTool(toolCall.name)
      await handleRun(toolCall, setToolCallState, onStateChange, editedParams)
    } finally {
      setIsProcessing(false)
      actionInProgressRef.current = false
    }
  }
  const onSkip = async () => {
    // Prevent race condition - check ref synchronously
    if (actionInProgressRef.current) return
    actionInProgressRef.current = true
    setIsProcessing(true)
    setButtonsHidden(true)
    try {
      await handleSkip(toolCall, setToolCallState, onStateChange)
    } finally {
      setIsProcessing(false)
      actionInProgressRef.current = false
@@ -1439,22 +1397,23 @@ function RunSkipButtons({
  if (buttonsHidden) return null
  // Show "Always Allow" for all tools that require confirmation
  const showAlwaysAllow = true
  // Standardized buttons for all interrupt tools: Allow, Always Allow, Skip
  return (
    <div className='mt-[10px] flex gap-[6px]'>
-      {actions.map((action, index) => {
+      <Button onClick={onRun} disabled={isProcessing} variant='tertiary'>
-        const variant =
+        {isProcessing ? 'Allowing...' : 'Allow'}
-          action.kind === 'reject' ? 'default' : action.remember ? 'default' : 'tertiary'
+      </Button>
-        return (
+      {showAlwaysAllow && (
-          <Button
+        <Button onClick={onAlwaysAllow} disabled={isProcessing} variant='default'>
-            key={action.id}
+          {isProcessing ? 'Allowing...' : 'Always Allow'}
-            onClick={() => onAction(action)}
+        </Button>
-            disabled={isProcessing}
+      )}
-            variant={variant}
+      <Button onClick={onSkip} disabled={isProcessing} variant='default'>
-          >
+        Skip
            {isProcessing && index === 0 ? 'Working...' : action.label}
      </Button>
        )
      })}
    </div>
  )
 }
@@ -1471,16 +1430,10 @@ export function ToolCall({
  const liveToolCall = useCopilotStore((s) =>
    effectiveId ? s.toolCallsById[effectiveId] : undefined
  )
-  const rawToolCall = liveToolCall || toolCallProp
+  const toolCall = liveToolCall || toolCallProp
-  const hasRealToolCall = !!rawToolCall
+
-  const toolCall: CopilotToolCall =
+  // Guard: nothing to render without a toolCall
-    rawToolCall ||
+  if (!toolCall) return null
    ({
      id: effectiveId || '',
      name: '',
      state: ClientToolCallState.generating,
      params: {},
    } as CopilotToolCall)
  const isExpandablePending =
    toolCall?.state === 'pending' &&
@@ -1488,15 +1441,17 @@ export function ToolCall({
  const [expanded, setExpanded] = useState(isExpandablePending)
  const [showRemoveAutoAllow, setShowRemoveAutoAllow] = useState(false)
  const [autoAllowRemovedForCall, setAutoAllowRemovedForCall] = useState(false)
  // State for editable parameters
  const params = (toolCall as any).parameters || (toolCall as any).input || toolCall.params || {}
  const [editedParams, setEditedParams] = useState(params)
  const paramsRef = useRef(params)
-  const { setToolCallState } = useCopilotStore()
+  // Check if this integration tool is auto-allowed
-  const isAutoAllowed = toolCall.ui?.autoAllowed === true && !autoAllowRemovedForCall
+  const { removeAutoAllowedTool, setToolCallState } = useCopilotStore()
  const isAutoAllowed = useCopilotStore(
    (s) => isIntegrationTool(toolCall.name) && s.isToolAutoAllowed(toolCall.name)
  )
  // Update edited params when toolCall params change (deep comparison to avoid resetting user edits on ref change)
  useEffect(() => {
@@ -1506,14 +1461,6 @@ export function ToolCall({
    }
  }, [params])
  useEffect(() => {
    setAutoAllowRemovedForCall(false)
    setShowRemoveAutoAllow(false)
  }, [toolCall.id])
  // Guard: nothing to render without a toolCall
  if (!hasRealToolCall) return null
  // Skip rendering some internal tools
  if (
    toolCall.name === 'checkoff_todo' ||
@@ -1525,9 +1472,7 @@ export function ToolCall({
    return null
  // Special rendering for subagent tools - show as thinking text with tool calls at top level
-  const isSubagentTool =
+  const isSubagentTool = TOOL_DISPLAY_REGISTRY[toolCall.name]?.uiConfig?.subagent === true
    toolCall.execution?.target === 'go_subagent' ||
    TOOL_DISPLAY_REGISTRY[toolCall.name]?.uiConfig?.subagent === true
  // For ALL subagent tools, don't show anything until we have blocks with content
  if (isSubagentTool) {
@@ -1554,6 +1499,28 @@ export function ToolCall({
    )
  }
  // Get current mode from store to determine if we should render integration tools
  const mode = useCopilotStore.getState().mode
  // Check if this is a completed/historical tool call (not pending/executing)
  // Use string comparison to handle both enum values and string values from DB
  const stateStr = String(toolCall.state)
  const isCompletedToolCall =
    stateStr === 'success' ||
    stateStr === 'error' ||
    stateStr === 'rejected' ||
    stateStr === 'aborted'
  // Allow rendering if:
  // 1. Tool is in TOOL_DISPLAY_REGISTRY (client tools), OR
  // 2. We're in build mode (integration tools are executed server-side), OR
  // 3. Tool call is already completed (historical - should always render)
  const isClientTool = !!TOOL_DISPLAY_REGISTRY[toolCall.name]
  const isIntegrationToolInBuildMode = mode === 'build' && !isClientTool
  if (!isClientTool && !isIntegrationToolInBuildMode && !isCompletedToolCall) {
    return null
  }
  const toolUIConfig = TOOL_DISPLAY_REGISTRY[toolCall.name]?.uiConfig
  // Check if tool has params table config (meaning it's expandable)
  const hasParamsTable = !!toolUIConfig?.paramsTable
@@ -1563,14 +1530,6 @@ export function ToolCall({
    toolCall.name === 'make_api_request' ||
    toolCall.name === 'set_global_workflow_variables'
  const interruptActions =
    (toolCall.ui?.actions && toolCall.ui.actions.length > 0
      ? toolCall.ui.actions
      : [
          { id: 'allow_once', label: 'Allow', kind: 'accept' as const },
          { id: 'allow_always', label: 'Always Allow', kind: 'accept' as const, remember: true },
          { id: 'reject', label: 'Skip', kind: 'reject' as const },
        ]) as ToolUiAction[]
  const showButtons = isCurrentMessage && shouldShowRunSkipButtons(toolCall)
  // Check UI config for secondary action - only show for current message tool calls
@@ -2028,12 +1987,9 @@ export function ToolCall({
          <div className='mt-[10px]'>
            <Button
              onClick={async () => {
-                const removed = await removeAutoAllowedToolPreference(toolCall.name)
+                await removeAutoAllowedTool(toolCall.name)
                if (removed) {
                  setAutoAllowRemovedForCall(true)
                setShowRemoveAutoAllow(false)
                forceUpdate({})
                }
              }}
              variant='default'
              className='text-xs'
@@ -2047,7 +2003,6 @@ export function ToolCall({
            toolCall={toolCall}
            onStateChange={handleStateChange}
            editedParams={editedParams}
            actions={interruptActions}
          />
        )}
        {/* Render subagent content as thinking text */}
@@ -2093,12 +2048,9 @@ export function ToolCall({
          <div className='mt-[10px]'>
            <Button
              onClick={async () => {
-                const removed = await removeAutoAllowedToolPreference(toolCall.name)
+                await removeAutoAllowedTool(toolCall.name)
                if (removed) {
                  setAutoAllowRemovedForCall(true)
                setShowRemoveAutoAllow(false)
                forceUpdate({})
                }
              }}
              variant='default'
              className='text-xs'
@@ -2112,7 +2064,6 @@ export function ToolCall({
            toolCall={toolCall}
            onStateChange={handleStateChange}
            editedParams={editedParams}
            actions={interruptActions}
          />
        )}
        {/* Render subagent content as thinking text */}
@@ -2136,7 +2087,7 @@ export function ToolCall({
    }
  }
-  const isEditWorkflow = isWorkflowEditSummaryTool(toolCall)
+  const isEditWorkflow = toolCall.name === 'edit_workflow'
  const shouldShowDetails = isRunWorkflow || (isExpandableTool && expanded)
  const hasOperations = Array.isArray(params.operations) && params.operations.length > 0
  const hideTextForEditWorkflow = isEditWorkflow && hasOperations
@@ -2158,12 +2109,9 @@ export function ToolCall({
        <div className='mt-[10px]'>
          <Button
            onClick={async () => {
-              const removed = await removeAutoAllowedToolPreference(toolCall.name)
+              await removeAutoAllowedTool(toolCall.name)
              if (removed) {
                setAutoAllowRemovedForCall(true)
              setShowRemoveAutoAllow(false)
              forceUpdate({})
              }
            }}
            variant='default'
            className='text-xs'
@@ -2177,7 +2125,6 @@ export function ToolCall({
          toolCall={toolCall}
          onStateChange={handleStateChange}
          editedParams={editedParams}
          actions={interruptActions}
        />
      ) : showMoveToBackground ? (
        <div className='mt-[10px]'>
@@ -2208,7 +2155,7 @@ export function ToolCall({
          </Button>
        </div>
      ) : null}
-      {/* Workflow edit summary - shows block changes after workflow_change(apply) */}
+      {/* Workflow edit summary - shows block changes after edit_workflow completes */}
      <WorkflowEditSummary toolCall={toolCall} />
      {/* Render subagent content as thinking text */}
--- a/apps/sim/app/workspace/[workspaceId]/w/[workflowId]/components/panel/components/copilot/copilot.tsx
+++ b/apps/sim/app/workspace/[workspaceId]/w/[workflowId]/components/panel/components/copilot/copilot.tsx
@@ -113,6 +113,7 @@ export const Copilot = forwardRef<CopilotRef, CopilotProps>(({ panelWidth }, ref
    clearPlanArtifact,
    savePlanArtifact,
    loadAvailableModels,
    loadAutoAllowedTools,
    resumeActiveStream,
  } = useCopilotStore()
@@ -124,6 +125,8 @@ export const Copilot = forwardRef<CopilotRef, CopilotProps>(({ panelWidth }, ref
    setCopilotWorkflowId,
    loadChats,
    loadAvailableModels,
    loadAutoAllowedTools,
    currentChat,
    isSendingMessage,
    resumeActiveStream,
  })
@@ -151,8 +154,6 @@ export const Copilot = forwardRef<CopilotRef, CopilotProps>(({ panelWidth }, ref
    planTodos,
  })
  const renderedChatTitle = currentChat?.title || 'New Chat'
  /** Gets markdown content for design document section (available in all modes once created) */
  const designDocumentContent = useMemo(() => {
    if (streamingPlanContent) {
@@ -165,14 +166,6 @@ export const Copilot = forwardRef<CopilotRef, CopilotProps>(({ panelWidth }, ref
    return ''
  }, [streamingPlanContent])
  useEffect(() => {
    logger.info('[TitleRender] Copilot header title changed', {
      currentChatId: currentChat?.id || null,
      currentChatTitle: currentChat?.title || null,
      renderedTitle: renderedChatTitle,
    })
  }, [currentChat?.id, currentChat?.title, renderedChatTitle])
  /** Focuses the copilot input */
  const focusInput = useCallback(() => {
    userInputRef.current?.focus()
@@ -355,7 +348,7 @@ export const Copilot = forwardRef<CopilotRef, CopilotProps>(({ panelWidth }, ref
        {/* Header */}
        <div className='mx-[-1px] flex flex-shrink-0 items-center justify-between gap-[8px] rounded-[4px] border border-[var(--border)] bg-[var(--surface-4)] px-[12px] py-[6px]'>
          <h2 className='min-w-0 flex-1 truncate font-medium text-[14px] text-[var(--text-primary)]'>
-            {renderedChatTitle}
+            {currentChat?.title || 'New Chat'}
          </h2>
          <div className='flex items-center gap-[8px]'>
            <Button variant='ghost' className='p-0' onClick={handleStartNewChat}>
--- a/apps/sim/app/workspace/[workspaceId]/w/[workflowId]/components/panel/components/copilot/hooks/use-copilot-initialization.ts
+++ b/apps/sim/app/workspace/[workspaceId]/w/[workflowId]/components/panel/components/copilot/hooks/use-copilot-initialization.ts
@@ -12,6 +12,8 @@ interface UseCopilotInitializationProps {
  setCopilotWorkflowId: (workflowId: string | null) => Promise<void>
  loadChats: (forceRefresh?: boolean) => Promise<void>
  loadAvailableModels: () => Promise<void>
  loadAutoAllowedTools: () => Promise<void>
  currentChat: any
  isSendingMessage: boolean
  resumeActiveStream: () => Promise<boolean>
 }
@@ -30,6 +32,8 @@ export function useCopilotInitialization(props: UseCopilotInitializationProps) {
    setCopilotWorkflowId,
    loadChats,
    loadAvailableModels,
    loadAutoAllowedTools,
    currentChat,
    isSendingMessage,
    resumeActiveStream,
  } = props
@@ -116,6 +120,17 @@ export function useCopilotInitialization(props: UseCopilotInitializationProps) {
    })
  }, [isSendingMessage, resumeActiveStream])
  /** Load auto-allowed tools once on mount - runs immediately, independent of workflow */
  const hasLoadedAutoAllowedToolsRef = useRef(false)
  useEffect(() => {
    if (!hasLoadedAutoAllowedToolsRef.current) {
      hasLoadedAutoAllowedToolsRef.current = true
      loadAutoAllowedTools().catch((err) => {
        logger.warn('[Copilot] Failed to load auto-allowed tools', err)
      })
    }
  }, [loadAutoAllowedTools])
  /** Load available models once on mount */
  const hasLoadedModelsRef = useRef(false)
  useEffect(() => {
--- a/apps/sim/app/workspace/[workspaceId]/w/[workflowId]/components/panel/components/deploy/components/deploy-modal/components/general/components/version-description-modal.tsx
+++ b/apps/sim/app/workspace/[workspaceId]/w/[workflowId]/components/panel/components/deploy/components/deploy-modal/components/general/components/version-description-modal.tsx
@@ -113,7 +113,7 @@ export function VersionDescriptionModal({
              className='min-h-[120px] resize-none'
              value={description}
              onChange={(e) => setDescription(e.target.value)}
-              maxLength={500}
+              maxLength={2000}
              disabled={isGenerating}
            />
            <div className='flex items-center justify-between'>
@@ -123,7 +123,7 @@ export function VersionDescriptionModal({
                </p>
              )}
              {!updateMutation.error && !generateMutation.error && <div />}
-              <p className='text-[11px] text-[var(--text-tertiary)]'>{description.length}/500</p>
+              <p className='text-[11px] text-[var(--text-tertiary)]'>{description.length}/2000</p>
            </div>
          </ModalBody>
          <ModalFooter>
--- a/apps/sim/app/workspace/[workspaceId]/w/[workflowId]/components/panel/components/deploy/hooks/use-change-detection.ts
+++ b/apps/sim/app/workspace/[workspaceId]/w/[workflowId]/components/panel/components/deploy/hooks/use-change-detection.ts
@@ -57,6 +57,21 @@ export function useChangeDetection({
        }
      }
      if (block.triggerMode) {
        const triggerConfigValue = blockSubValues?.triggerConfig
        if (
          triggerConfigValue &&
          typeof triggerConfigValue === 'object' &&
          !subBlocks.triggerConfig
        ) {
          subBlocks.triggerConfig = {
            id: 'triggerConfig',
            type: 'short-input',
            value: triggerConfigValue,
          }
        }
      }
      blocksWithSubBlocks[blockId] = {
        ...block,
        subBlocks,
--- a/apps/sim/app/workspace/[workspaceId]/w/[workflowId]/components/panel/components/deploy/hooks/use-deployment.ts
+++ b/apps/sim/app/workspace/[workspaceId]/w/[workflowId]/components/panel/components/deploy/hooks/use-deployment.ts
@@ -1,7 +1,10 @@
 import { useCallback, useState } from 'react'
 import { createLogger } from '@sim/logger'
 import { runPreDeployChecks } from '@/app/workspace/[workspaceId]/w/[workflowId]/components/panel/components/deploy/hooks/use-predeploy-checks'
 import { useNotificationStore } from '@/stores/notifications'
 import { useWorkflowRegistry } from '@/stores/workflows/registry/store'
 import { mergeSubblockState } from '@/stores/workflows/utils'
 import { useWorkflowStore } from '@/stores/workflows/workflow/store'
 const logger = createLogger('useDeployment')
@@ -35,6 +38,24 @@ export function useDeployment({
      return { success: true, shouldOpenModal: true }
    }
    const { blocks, edges, loops, parallels } = useWorkflowStore.getState()
    const liveBlocks = mergeSubblockState(blocks, workflowId)
    const checkResult = runPreDeployChecks({
      blocks: liveBlocks,
      edges,
      loops,
      parallels,
      workflowId,
    })
    if (!checkResult.passed) {
      addNotification({
        level: 'error',
        message: checkResult.error || 'Pre-deploy validation failed',
        workflowId,
      })
      return { success: false, shouldOpenModal: false }
    }
    setIsDeploying(true)
    try {
      const response = await fetch(`/api/workflows/${workflowId}/deploy`, {
--- a/apps/sim/app/workspace/[workspaceId]/w/[workflowId]/components/panel/components/editor/components/sub-block/components/credential-selector/components/oauth-required-modal.tsx
+++ b/apps/sim/app/workspace/[workspaceId]/w/[workflowId]/components/panel/components/editor/components/sub-block/components/credential-selector/components/oauth-required-modal.tsx
@@ -30,6 +30,7 @@ export interface OAuthRequiredModalProps {
  requiredScopes?: string[]
  serviceId: string
  newScopes?: string[]
  onConnect?: () => Promise<void> | void
 }
 const SCOPE_DESCRIPTIONS: Record<string, string> = {
@@ -314,6 +315,7 @@ export function OAuthRequiredModal({
  requiredScopes = [],
  serviceId,
  newScopes = [],
  onConnect,
 }: OAuthRequiredModalProps) {
  const [error, setError] = useState<string | null>(null)
  const { baseProvider } = parseProvider(provider)
@@ -359,6 +361,12 @@ export function OAuthRequiredModal({
    setError(null)
    try {
      if (onConnect) {
        await onConnect()
        onClose()
        return
      }
      const providerId = getProviderIdFromServiceId(serviceId)
      logger.info('Linking OAuth2:', {
--- a/apps/sim/app/workspace/[workspaceId]/w/[workflowId]/components/panel/components/editor/components/sub-block/components/credential-selector/credential-selector.tsx
+++ b/apps/sim/app/workspace/[workspaceId]/w/[workflowId]/components/panel/components/editor/components/sub-block/components/credential-selector/credential-selector.tsx
@@ -1,12 +1,13 @@
 'use client'
 import { createElement, useCallback, useEffect, useMemo, useState } from 'react'
 import { createLogger } from '@sim/logger'
 import { ExternalLink, Users } from 'lucide-react'
 import { useParams } from 'next/navigation'
 import { Button, Combobox } from '@/components/emcn/components'
 import { getSubscriptionStatus } from '@/lib/billing/client'
 import { getEnv, isTruthy } from '@/lib/core/config/env'
 import { getPollingProviderFromOAuth } from '@/lib/credential-sets/providers'
 import { writePendingCredentialCreateRequest } from '@/lib/credentials/client-state'
 import {
  getCanonicalScopesForProvider,
  getProviderIdFromServiceId,
@@ -18,15 +19,14 @@ import { OAuthRequiredModal } from '@/app/workspace/[workspaceId]/w/[workflowId]
 import { useDependsOnGate } from '@/app/workspace/[workspaceId]/w/[workflowId]/components/panel/components/editor/components/sub-block/hooks/use-depends-on-gate'
 import { useSubBlockValue } from '@/app/workspace/[workspaceId]/w/[workflowId]/components/panel/components/editor/components/sub-block/hooks/use-sub-block-value'
 import type { SubBlockConfig } from '@/blocks/types'
-import { CREDENTIAL, CREDENTIAL_SET } from '@/executor/constants'
+import { CREDENTIAL_SET } from '@/executor/constants'
 import { useCredentialSets } from '@/hooks/queries/credential-sets'
-import { useOAuthCredentialDetail, useOAuthCredentials } from '@/hooks/queries/oauth-credentials'
+import { useOAuthCredentials } from '@/hooks/queries/oauth-credentials'
 import { useOrganizations } from '@/hooks/queries/organization'
 import { useSubscriptionData } from '@/hooks/queries/subscription'
 import { getMissingRequiredScopes } from '@/hooks/use-oauth-scope-status'
 import { useWorkflowRegistry } from '@/stores/workflows/registry/store'
 const logger = createLogger('CredentialSelector')
 const isBillingEnabled = isTruthy(getEnv('NEXT_PUBLIC_BILLING_ENABLED'))
 interface CredentialSelectorProps {
@@ -46,6 +46,8 @@ export function CredentialSelector({
  previewValue,
  previewContextValues,
 }: CredentialSelectorProps) {
  const params = useParams()
  const workspaceId = (params?.workspaceId as string) || ''
  const [showOAuthModal, setShowOAuthModal] = useState(false)
  const [editingValue, setEditingValue] = useState('')
  const [isEditing, setIsEditing] = useState(false)
@@ -96,64 +98,64 @@ export function CredentialSelector({
    data: credentials = [],
    isFetching: credentialsLoading,
    refetch: refetchCredentials,
-  } = useOAuthCredentials(effectiveProviderId, Boolean(effectiveProviderId))
+  } = useOAuthCredentials(effectiveProviderId, {
    enabled: Boolean(effectiveProviderId),
    workspaceId,
    workflowId: activeWorkflowId || undefined,
  })
  const selectedCredential = useMemo(
    () => credentials.find((cred) => cred.id === selectedId),
    [credentials, selectedId]
  )
  const shouldFetchForeignMeta =
    Boolean(selectedId) &&
    !selectedCredential &&
    Boolean(activeWorkflowId) &&
    Boolean(effectiveProviderId)
  const { data: foreignCredentials = [], isFetching: foreignMetaLoading } =
    useOAuthCredentialDetail(
      shouldFetchForeignMeta ? selectedId : undefined,
      activeWorkflowId || undefined,
      shouldFetchForeignMeta
    )
  const hasForeignMeta = foreignCredentials.length > 0
  const isForeign = Boolean(selectedId && !selectedCredential && hasForeignMeta)
  const selectedCredentialSet = useMemo(
    () => credentialSets.find((cs) => cs.id === selectedCredentialSetId),
    [credentialSets, selectedCredentialSetId]
  )
-  const isForeignCredentialSet = Boolean(isCredentialSetSelected && !selectedCredentialSet)
+  const [inaccessibleCredentialName, setInaccessibleCredentialName] = useState<string | null>(null)
  useEffect(() => {
    if (!selectedId || selectedCredential || credentialsLoading || !workspaceId) {
      setInaccessibleCredentialName(null)
      return
    }
    let cancelled = false
    ;(async () => {
      try {
        const response = await fetch(
          `/api/credentials?workspaceId=${encodeURIComponent(workspaceId)}&credentialId=${encodeURIComponent(selectedId)}`
        )
        if (!response.ok || cancelled) return
        const data = await response.json()
        if (!cancelled && data.credential?.displayName) {
          if (data.credential.id !== selectedId) {
            setStoreValue(data.credential.id)
          }
          setInaccessibleCredentialName(data.credential.displayName)
        }
      } catch {
        // Ignore fetch errors
      }
    })()
    return () => {
      cancelled = true
    }
  }, [selectedId, selectedCredential, credentialsLoading, workspaceId])
  const resolvedLabel = useMemo(() => {
    if (selectedCredentialSet) return selectedCredentialSet.name
    if (isForeignCredentialSet) return CREDENTIAL.FOREIGN_LABEL
    if (selectedCredential) return selectedCredential.name
-    if (isForeign) return CREDENTIAL.FOREIGN_LABEL
+    if (inaccessibleCredentialName) return inaccessibleCredentialName
    return ''
-  }, [selectedCredentialSet, isForeignCredentialSet, selectedCredential, isForeign])
+  }, [selectedCredentialSet, selectedCredential, inaccessibleCredentialName])
  const displayValue = isEditing ? editingValue : resolvedLabel
-  const invalidSelection =
+  useCredentialRefreshTriggers(refetchCredentials, effectiveProviderId, workspaceId)
    !isPreview &&
    Boolean(selectedId) &&
    !selectedCredential &&
    !hasForeignMeta &&
    !credentialsLoading &&
    !foreignMetaLoading
  useEffect(() => {
    if (!invalidSelection) return
    logger.info('Clearing invalid credential selection - credential was disconnected', {
      selectedId,
      provider: effectiveProviderId,
    })
    setStoreValue('')
  }, [invalidSelection, selectedId, effectiveProviderId, setStoreValue])
  useCredentialRefreshTriggers(refetchCredentials)
  const handleOpenChange = useCallback(
    (isOpen: boolean) => {
@@ -195,8 +197,18 @@ export function CredentialSelector({
  )
  const handleAddCredential = useCallback(() => {
-    setShowOAuthModal(true)
+    writePendingCredentialCreateRequest({
-  }, [])
+      workspaceId,
      type: 'oauth',
      providerId: effectiveProviderId,
      displayName: '',
      serviceId,
      requiredScopes: getCanonicalScopesForProvider(effectiveProviderId),
      requestedAt: Date.now(),
    })
    window.dispatchEvent(new CustomEvent('open-settings', { detail: { tab: 'credentials' } }))
  }, [workspaceId, effectiveProviderId, serviceId])
  const getProviderIcon = useCallback((providerName: OAuthProvider) => {
    const { baseProvider } = parseProvider(providerName)
@@ -251,23 +263,18 @@ export function CredentialSelector({
        label: cred.name,
        value: cred.id,
      }))
      credentialItems.push({
        label:
          credentials.length > 0
            ? `Connect another ${getProviderName(provider)} account`
            : `Connect ${getProviderName(provider)} account`,
        value: '__connect_account__',
      })
      if (credentialItems.length > 0) {
      groups.push({
        section: 'Personal Credential',
        items: credentialItems,
      })
      } else {
        groups.push({
          section: 'Personal Credential',
          items: [
            {
              label: `Connect ${getProviderName(provider)} account`,
              value: '__connect_account__',
            },
          ],
        })
      }
      return { comboboxOptions: [], comboboxGroups: groups }
    }
@@ -277,12 +284,13 @@ export function CredentialSelector({
      value: cred.id,
    }))
    if (credentials.length === 0) {
    options.push({
-        label: `Connect ${getProviderName(provider)} account`,
+      label:
        credentials.length > 0
          ? `Connect another ${getProviderName(provider)} account`
          : `Connect ${getProviderName(provider)} account`,
      value: '__connect_account__',
    })
    }
    return { comboboxOptions: options, comboboxGroups: undefined }
  }, [
@@ -368,7 +376,7 @@ export function CredentialSelector({
        }
        disabled={effectiveDisabled}
        editable={true}
-        filterOptions={!isForeign && !isForeignCredentialSet}
+        filterOptions={true}
        isLoading={credentialsLoading}
        overlayContent={overlayContent}
        className={selectedId || isCredentialSetSelected ? 'pl-[28px]' : ''}
@@ -380,7 +388,6 @@ export function CredentialSelector({
            <span className='mr-[6px] inline-block h-[6px] w-[6px] rounded-[2px] bg-amber-500' />
            Additional permissions required
          </div>
          {!isForeign && (
          <Button
            variant='active'
            onClick={() => setShowOAuthModal(true)}
@@ -388,7 +395,6 @@ export function CredentialSelector({
          >
            Update access
          </Button>
          )}
        </div>
      )}
@@ -407,7 +413,11 @@ export function CredentialSelector({
  )
 }
-function useCredentialRefreshTriggers(refetchCredentials: () => Promise<unknown>) {
+function useCredentialRefreshTriggers(
  refetchCredentials: () => Promise<unknown>,
  providerId: string,
  workspaceId: string
 ) {
  useEffect(() => {
    const refresh = () => {
      void refetchCredentials()
@@ -425,12 +435,29 @@ function useCredentialRefreshTriggers(refetchCredentials: () => Promise<unknown>
      }
    }
    const handleCredentialsUpdated = (
      event: CustomEvent<{ providerId?: string; workspaceId?: string }>
    ) => {
      if (event.detail?.providerId && event.detail.providerId !== providerId) {
        return
      }
      if (event.detail?.workspaceId && workspaceId && event.detail.workspaceId !== workspaceId) {
        return
      }
      refresh()
    }
    document.addEventListener('visibilitychange', handleVisibilityChange)
    window.addEventListener('pageshow', handlePageShow)
    window.addEventListener('oauth-credentials-updated', handleCredentialsUpdated as EventListener)
    return () => {
      document.removeEventListener('visibilitychange', handleVisibilityChange)
      window.removeEventListener('pageshow', handlePageShow)
      window.removeEventListener(
        'oauth-credentials-updated',
        handleCredentialsUpdated as EventListener
      )
    }
-  }, [refetchCredentials])
+  }, [providerId, workspaceId, refetchCredentials])
 }
--- a/apps/sim/app/workspace/[workspaceId]/w/[workflowId]/components/panel/components/editor/components/sub-block/components/env-var-dropdown.tsx
+++ b/apps/sim/app/workspace/[workspaceId]/w/[workflowId]/components/panel/components/editor/components/sub-block/components/env-var-dropdown.tsx
@@ -9,6 +9,7 @@ import {
  PopoverSection,
 } from '@/components/emcn'
 import { cn } from '@/lib/core/utils/cn'
 import { writePendingCredentialCreateRequest } from '@/lib/credentials/client-state'
 import {
  usePersonalEnvironment,
  useWorkspaceEnvironment,
@@ -168,7 +169,15 @@ export const EnvVarDropdown: React.FC<EnvVarDropdownProps> = ({
  }, [searchTerm])
  const openEnvironmentSettings = () => {
-    window.dispatchEvent(new CustomEvent('open-settings', { detail: { tab: 'environment' } }))
+    if (workspaceId) {
      writePendingCredentialCreateRequest({
        workspaceId,
        type: 'env_personal',
        envKey: searchTerm.trim(),
        requestedAt: Date.now(),
      })
    }
    window.dispatchEvent(new CustomEvent('open-settings', { detail: { tab: 'credentials' } }))
    onClose?.()
  }
@@ -302,7 +311,7 @@ export const EnvVarDropdown: React.FC<EnvVarDropdownProps> = ({
              }}
            >
              <Plus className='h-3 w-3' />
-              <span>Create environment variable</span>
+              <span>Create Secret</span>
            </PopoverItem>
          </PopoverScrollArea>
        ) : (
--- a/apps/sim/app/workspace/[workspaceId]/w/[workflowId]/components/panel/components/editor/components/sub-block/components/file-selector/file-selector-input.tsx
+++ b/apps/sim/app/workspace/[workspaceId]/w/[workflowId]/components/panel/components/editor/components/sub-block/components/file-selector/file-selector-input.tsx
@@ -7,7 +7,6 @@ import { getProviderIdFromServiceId } from '@/lib/oauth'
 import { buildCanonicalIndex, resolveDependencyValue } from '@/lib/workflows/subblocks/visibility'
 import { SelectorCombobox } from '@/app/workspace/[workspaceId]/w/[workflowId]/components/panel/components/editor/components/sub-block/components/selector-combobox/selector-combobox'
 import { useDependsOnGate } from '@/app/workspace/[workspaceId]/w/[workflowId]/components/panel/components/editor/components/sub-block/hooks/use-depends-on-gate'
 import { useForeignCredential } from '@/app/workspace/[workspaceId]/w/[workflowId]/components/panel/components/editor/components/sub-block/hooks/use-foreign-credential'
 import { useSubBlockValue } from '@/app/workspace/[workspaceId]/w/[workflowId]/components/panel/components/editor/components/sub-block/hooks/use-sub-block-value'
 import { resolvePreviewContextValue } from '@/app/workspace/[workspaceId]/w/[workflowId]/components/panel/components/editor/components/sub-block/utils'
 import { getBlock } from '@/blocks/registry'
@@ -125,8 +124,6 @@ export function FileSelectorInput({
  const serviceId = subBlock.serviceId || ''
  const effectiveProviderId = useMemo(() => getProviderIdFromServiceId(serviceId), [serviceId])
  const { isForeignCredential } = useForeignCredential(effectiveProviderId, normalizedCredentialId)
  const selectorResolution = useMemo<SelectorResolution | null>(() => {
    return resolveSelectorForSubBlock(subBlock, {
      workflowId: workflowIdFromUrl,
@@ -168,7 +165,6 @@ export function FileSelectorInput({
  const disabledReason =
    finalDisabled ||
    isForeignCredential ||
    missingCredential ||
    missingDomain ||
    missingProject ||
--- a/apps/sim/app/workspace/[workspaceId]/w/[workflowId]/components/panel/components/editor/components/sub-block/components/folder-selector/components/folder-selector-input.tsx
+++ b/apps/sim/app/workspace/[workspaceId]/w/[workflowId]/components/panel/components/editor/components/sub-block/components/folder-selector/components/folder-selector-input.tsx
@@ -4,7 +4,6 @@ import { useCallback, useEffect, useMemo, useState } from 'react'
 import { getProviderIdFromServiceId } from '@/lib/oauth'
 import { SelectorCombobox } from '@/app/workspace/[workspaceId]/w/[workflowId]/components/panel/components/editor/components/sub-block/components/selector-combobox/selector-combobox'
 import { useDependsOnGate } from '@/app/workspace/[workspaceId]/w/[workflowId]/components/panel/components/editor/components/sub-block/hooks/use-depends-on-gate'
 import { useForeignCredential } from '@/app/workspace/[workspaceId]/w/[workflowId]/components/panel/components/editor/components/sub-block/hooks/use-foreign-credential'
 import { useSubBlockValue } from '@/app/workspace/[workspaceId]/w/[workflowId]/components/panel/components/editor/components/sub-block/hooks/use-sub-block-value'
 import { resolvePreviewContextValue } from '@/app/workspace/[workspaceId]/w/[workflowId]/components/panel/components/editor/components/sub-block/utils'
 import type { SubBlockConfig } from '@/blocks/types'
@@ -47,10 +46,6 @@ export function FolderSelectorInput({
    subBlock.canonicalParamId === 'copyDestinationId' ||
    subBlock.id === 'copyDestinationFolder' ||
    subBlock.id === 'manualCopyDestinationFolder'
  const { isForeignCredential } = useForeignCredential(
    effectiveProviderId,
    (connectedCredential as string) || ''
  )
  // Central dependsOn gating
  const { finalDisabled } = useDependsOnGate(blockId, subBlock, {
@@ -119,9 +114,7 @@ export function FolderSelectorInput({
      selectorContext={
        selectorResolution?.context ?? { credentialId, workflowId: activeWorkflowId || '' }
      }
-      disabled={
+      disabled={finalDisabled || missingCredential || !selectorResolution?.key}
        finalDisabled || isForeignCredential || missingCredential || !selectorResolution?.key
      }
      isPreview={isPreview}
      previewValue={previewValue ?? null}
      placeholder={subBlock.placeholder || 'Select folder'}
--- a/apps/sim/app/workspace/[workspaceId]/w/[workflowId]/components/panel/components/editor/components/sub-block/components/project-selector/project-selector-input.tsx
+++ b/apps/sim/app/workspace/[workspaceId]/w/[workflowId]/components/panel/components/editor/components/sub-block/components/project-selector/project-selector-input.tsx
@@ -7,7 +7,6 @@ import { getProviderIdFromServiceId } from '@/lib/oauth'
 import { buildCanonicalIndex, resolveDependencyValue } from '@/lib/workflows/subblocks/visibility'
 import { SelectorCombobox } from '@/app/workspace/[workspaceId]/w/[workflowId]/components/panel/components/editor/components/sub-block/components/selector-combobox/selector-combobox'
 import { useDependsOnGate } from '@/app/workspace/[workspaceId]/w/[workflowId]/components/panel/components/editor/components/sub-block/hooks/use-depends-on-gate'
 import { useForeignCredential } from '@/app/workspace/[workspaceId]/w/[workflowId]/components/panel/components/editor/components/sub-block/hooks/use-foreign-credential'
 import { useSubBlockValue } from '@/app/workspace/[workspaceId]/w/[workflowId]/components/panel/components/editor/components/sub-block/hooks/use-sub-block-value'
 import { resolvePreviewContextValue } from '@/app/workspace/[workspaceId]/w/[workflowId]/components/panel/components/editor/components/sub-block/utils'
 import { getBlock } from '@/blocks/registry'
@@ -73,11 +72,6 @@ export function ProjectSelectorInput({
  const serviceId = subBlock.serviceId || ''
  const effectiveProviderId = useMemo(() => getProviderIdFromServiceId(serviceId), [serviceId])
  const { isForeignCredential } = useForeignCredential(
    effectiveProviderId,
    (connectedCredential as string) || ''
  )
  const workflowIdFromUrl = (params?.workflowId as string) || activeWorkflowId || ''
  const { finalDisabled } = useDependsOnGate(blockId, subBlock, {
    disabled,
@@ -123,7 +117,7 @@ export function ProjectSelectorInput({
              subBlock={subBlock}
              selectorKey={selectorResolution.key}
              selectorContext={selectorResolution.context}
-              disabled={finalDisabled || isForeignCredential || missingCredential}
+              disabled={finalDisabled || missingCredential}
              isPreview={isPreview}
              previewValue={previewValue ?? null}
              placeholder={subBlock.placeholder || 'Select project'}
--- a/apps/sim/app/workspace/[workspaceId]/w/[workflowId]/components/panel/components/editor/components/sub-block/components/sheet-selector/sheet-selector-input.tsx
+++ b/apps/sim/app/workspace/[workspaceId]/w/[workflowId]/components/panel/components/editor/components/sub-block/components/sheet-selector/sheet-selector-input.tsx
@@ -7,7 +7,6 @@ import { getProviderIdFromServiceId } from '@/lib/oauth'
 import { buildCanonicalIndex, resolveDependencyValue } from '@/lib/workflows/subblocks/visibility'
 import { SelectorCombobox } from '@/app/workspace/[workspaceId]/w/[workflowId]/components/panel/components/editor/components/sub-block/components/selector-combobox/selector-combobox'
 import { useDependsOnGate } from '@/app/workspace/[workspaceId]/w/[workflowId]/components/panel/components/editor/components/sub-block/hooks/use-depends-on-gate'
 import { useForeignCredential } from '@/app/workspace/[workspaceId]/w/[workflowId]/components/panel/components/editor/components/sub-block/hooks/use-foreign-credential'
 import { resolvePreviewContextValue } from '@/app/workspace/[workspaceId]/w/[workflowId]/components/panel/components/editor/components/sub-block/utils'
 import { getBlock } from '@/blocks/registry'
 import type { SubBlockConfig } from '@/blocks/types'
@@ -87,8 +86,6 @@ export function SheetSelectorInput({
  const serviceId = subBlock.serviceId || ''
  const effectiveProviderId = useMemo(() => getProviderIdFromServiceId(serviceId), [serviceId])
  const { isForeignCredential } = useForeignCredential(effectiveProviderId, normalizedCredentialId)
  const selectorResolution = useMemo<SelectorResolution | null>(() => {
    return resolveSelectorForSubBlock(subBlock, {
      workflowId: workflowIdFromUrl,
@@ -101,11 +98,7 @@ export function SheetSelectorInput({
  const missingSpreadsheet = !normalizedSpreadsheetId
  const disabledReason =
-    finalDisabled ||
+    finalDisabled || missingCredential || missingSpreadsheet || !selectorResolution?.key
    isForeignCredential ||
    missingCredential ||
    missingSpreadsheet ||
    !selectorResolution?.key
  if (!selectorResolution?.key) {
    return (
--- a/apps/sim/app/workspace/[workspaceId]/w/[workflowId]/components/panel/components/editor/components/sub-block/components/slack-selector/slack-selector-input.tsx
+++ b/apps/sim/app/workspace/[workspaceId]/w/[workflowId]/components/panel/components/editor/components/sub-block/components/slack-selector/slack-selector-input.tsx
@@ -6,7 +6,6 @@ import { Tooltip } from '@/components/emcn'
 import { getProviderIdFromServiceId } from '@/lib/oauth'
 import { SelectorCombobox } from '@/app/workspace/[workspaceId]/w/[workflowId]/components/panel/components/editor/components/sub-block/components/selector-combobox/selector-combobox'
 import { useDependsOnGate } from '@/app/workspace/[workspaceId]/w/[workflowId]/components/panel/components/editor/components/sub-block/hooks/use-depends-on-gate'
 import { useForeignCredential } from '@/app/workspace/[workspaceId]/w/[workflowId]/components/panel/components/editor/components/sub-block/hooks/use-foreign-credential'
 import { useSubBlockValue } from '@/app/workspace/[workspaceId]/w/[workflowId]/components/panel/components/editor/components/sub-block/hooks/use-sub-block-value'
 import { resolvePreviewContextValue } from '@/app/workspace/[workspaceId]/w/[workflowId]/components/panel/components/editor/components/sub-block/utils'
 import type { SubBlockConfig } from '@/blocks/types'
@@ -85,11 +84,6 @@ export function SlackSelectorInput({
      ? (effectiveBotToken as string) || ''
      : (effectiveCredential as string) || ''
  const { isForeignCredential } = useForeignCredential(
    effectiveProviderId,
    (effectiveAuthMethod as string) === 'bot_token' ? '' : (effectiveCredential as string) || ''
  )
  useEffect(() => {
    const val = isPreview && previewValue !== undefined ? previewValue : storeValue
    if (typeof val === 'string') {
@@ -99,7 +93,7 @@ export function SlackSelectorInput({
  const requiresCredential = dependsOn.includes('credential')
  const missingCredential = !credential || credential.trim().length === 0
-  const shouldForceDisable = requiresCredential && (missingCredential || isForeignCredential)
+  const shouldForceDisable = requiresCredential && missingCredential
  const context: SelectorContext = useMemo(
    () => ({
@@ -136,7 +130,7 @@ export function SlackSelectorInput({
            subBlock={subBlock}
            selectorKey={config.selectorKey}
            selectorContext={context}
-            disabled={finalDisabled || shouldForceDisable || isForeignCredential}
+            disabled={finalDisabled || shouldForceDisable}
            isPreview={isPreview}
            previewValue={previewValue ?? null}
            placeholder={subBlock.placeholder || config.placeholder}
--- a/apps/sim/app/workspace/[workspaceId]/w/[workflowId]/components/panel/components/editor/components/sub-block/components/tool-input/components/tools/credential-selector.tsx
+++ b/apps/sim/app/workspace/[workspaceId]/w/[workflowId]/components/panel/components/editor/components/sub-block/components/tool-input/components/tools/credential-selector.tsx
@@ -1,17 +1,19 @@
 import { createElement, useCallback, useEffect, useMemo, useState } from 'react'
 import { ExternalLink } from 'lucide-react'
 import { useParams } from 'next/navigation'
 import { Button, Combobox } from '@/components/emcn/components'
 import { writePendingCredentialCreateRequest } from '@/lib/credentials/client-state'
 import {
  getCanonicalScopesForProvider,
  getProviderIdFromServiceId,
  getServiceConfigByProviderId,
  OAUTH_PROVIDERS,
  type OAuthProvider,
  type OAuthService,
  parseProvider,
 } from '@/lib/oauth'
 import { OAuthRequiredModal } from '@/app/workspace/[workspaceId]/w/[workflowId]/components/panel/components/editor/components/sub-block/components/credential-selector/components/oauth-required-modal'
-import { CREDENTIAL } from '@/executor/constants'
+import { useOAuthCredentials } from '@/hooks/queries/oauth-credentials'
 import { useOAuthCredentialDetail, useOAuthCredentials } from '@/hooks/queries/oauth-credentials'
 import { getMissingRequiredScopes } from '@/hooks/use-oauth-scope-status'
 import { useWorkflowRegistry } from '@/stores/workflows/registry/store'
@@ -26,6 +28,11 @@ const getProviderIcon = (providerName: OAuthProvider) => {
 }
 const getProviderName = (providerName: OAuthProvider) => {
  const serviceConfig = getServiceConfigByProviderId(providerName)
  if (serviceConfig) {
    return serviceConfig.name
  }
  const { baseProvider } = parseProvider(providerName)
  const baseProviderConfig = OAUTH_PROVIDERS[baseProvider]
@@ -54,16 +61,19 @@ export function ToolCredentialSelector({
  onChange,
  provider,
  requiredScopes = [],
-  label = 'Select account',
+  label,
  serviceId,
  disabled = false,
 }: ToolCredentialSelectorProps) {
  const params = useParams()
  const workspaceId = (params?.workspaceId as string) || ''
  const [showOAuthModal, setShowOAuthModal] = useState(false)
  const [editingInputValue, setEditingInputValue] = useState('')
  const [isEditing, setIsEditing] = useState(false)
  const { activeWorkflowId } = useWorkflowRegistry()
  const selectedId = value || ''
  const effectiveLabel = label || `Select ${getProviderName(provider)} account`
  const effectiveProviderId = useMemo(() => getProviderIdFromServiceId(serviceId), [serviceId])
@@ -71,50 +81,58 @@ export function ToolCredentialSelector({
    data: credentials = [],
    isFetching: credentialsLoading,
    refetch: refetchCredentials,
-  } = useOAuthCredentials(effectiveProviderId, Boolean(effectiveProviderId))
+  } = useOAuthCredentials(effectiveProviderId, {
    enabled: Boolean(effectiveProviderId),
    workspaceId,
    workflowId: activeWorkflowId || undefined,
  })
  const selectedCredential = useMemo(
    () => credentials.find((cred) => cred.id === selectedId),
    [credentials, selectedId]
  )
-  const shouldFetchForeignMeta =
+  const [inaccessibleCredentialName, setInaccessibleCredentialName] = useState<string | null>(null)
    Boolean(selectedId) &&
    !selectedCredential &&
    Boolean(activeWorkflowId) &&
    Boolean(effectiveProviderId)
-  const { data: foreignCredentials = [], isFetching: foreignMetaLoading } =
+  useEffect(() => {
-    useOAuthCredentialDetail(
+    if (!selectedId || selectedCredential || credentialsLoading || !workspaceId) {
-      shouldFetchForeignMeta ? selectedId : undefined,
+      setInaccessibleCredentialName(null)
-      activeWorkflowId || undefined,
+      return
-      shouldFetchForeignMeta
+    }
    let cancelled = false
    ;(async () => {
      try {
        const response = await fetch(
          `/api/credentials?workspaceId=${encodeURIComponent(workspaceId)}&credentialId=${encodeURIComponent(selectedId)}`
        )
        if (!response.ok || cancelled) return
        const data = await response.json()
        if (!cancelled && data.credential?.displayName) {
          if (data.credential.id !== selectedId) {
            onChange(data.credential.id)
          }
          setInaccessibleCredentialName(data.credential.displayName)
        }
      } catch {
        // Ignore fetch errors
      }
    })()
-  const hasForeignMeta = foreignCredentials.length > 0
+    return () => {
-  const isForeign = Boolean(selectedId && !selectedCredential && hasForeignMeta)
+      cancelled = true
    }
  }, [selectedId, selectedCredential, credentialsLoading, workspaceId])
  const resolvedLabel = useMemo(() => {
    if (selectedCredential) return selectedCredential.name
-    if (isForeign) return CREDENTIAL.FOREIGN_LABEL
+    if (inaccessibleCredentialName) return inaccessibleCredentialName
    return ''
-  }, [selectedCredential, isForeign])
+  }, [selectedCredential, inaccessibleCredentialName])
  const inputValue = isEditing ? editingInputValue : resolvedLabel
-  const invalidSelection =
+  useCredentialRefreshTriggers(refetchCredentials, effectiveProviderId, workspaceId)
    Boolean(selectedId) &&
    !selectedCredential &&
    !hasForeignMeta &&
    !credentialsLoading &&
    !foreignMetaLoading
  useEffect(() => {
    if (!invalidSelection) return
    onChange('')
  }, [invalidSelection, onChange])
  useCredentialRefreshTriggers(refetchCredentials)
  const handleOpenChange = useCallback(
    (isOpen: boolean) => {
@@ -142,8 +160,18 @@ export function ToolCredentialSelector({
  )
  const handleAddCredential = useCallback(() => {
-    setShowOAuthModal(true)
+    writePendingCredentialCreateRequest({
-  }, [])
+      workspaceId,
      type: 'oauth',
      providerId: effectiveProviderId,
      displayName: '',
      serviceId,
      requiredScopes: getCanonicalScopesForProvider(effectiveProviderId),
      requestedAt: Date.now(),
    })
    window.dispatchEvent(new CustomEvent('open-settings', { detail: { tab: 'credentials' } }))
  }, [workspaceId, effectiveProviderId, serviceId])
  const comboboxOptions = useMemo(() => {
    const options = credentials.map((cred) => ({
@@ -151,12 +179,13 @@ export function ToolCredentialSelector({
      value: cred.id,
    }))
    if (credentials.length === 0) {
    options.push({
-        label: `Connect ${getProviderName(provider)} account`,
+      label:
        credentials.length > 0
          ? `Connect another ${getProviderName(provider)} account`
          : `Connect ${getProviderName(provider)} account`,
      value: '__connect_account__',
    })
    }
    return options
  }, [credentials, provider])
@@ -203,10 +232,10 @@ export function ToolCredentialSelector({
        selectedValue={selectedId}
        onChange={handleComboboxChange}
        onOpenChange={handleOpenChange}
-        placeholder={label}
+        placeholder={effectiveLabel}
        disabled={disabled}
        editable={true}
-        filterOptions={!isForeign}
+        filterOptions={true}
        isLoading={credentialsLoading}
        overlayContent={overlayContent}
        className={selectedId ? 'pl-[28px]' : ''}
@@ -218,7 +247,6 @@ export function ToolCredentialSelector({
            <span className='mr-[6px] inline-block h-[6px] w-[6px] rounded-[2px] bg-amber-500' />
            Additional permissions required
          </div>
          {!isForeign && (
          <Button
            variant='active'
            onClick={() => setShowOAuthModal(true)}
@@ -226,7 +254,6 @@ export function ToolCredentialSelector({
          >
            Update access
          </Button>
          )}
        </div>
      )}
@@ -245,7 +272,11 @@ export function ToolCredentialSelector({
  )
 }
-function useCredentialRefreshTriggers(refetchCredentials: () => Promise<unknown>) {
+function useCredentialRefreshTriggers(
  refetchCredentials: () => Promise<unknown>,
  providerId: string,
  workspaceId: string
 ) {
  useEffect(() => {
    const refresh = () => {
      void refetchCredentials()
@@ -263,12 +294,29 @@ function useCredentialRefreshTriggers(refetchCredentials: () => Promise<unknown>
      }
    }
    const handleCredentialsUpdated = (
      event: CustomEvent<{ providerId?: string; workspaceId?: string }>
    ) => {
      if (event.detail?.providerId && event.detail.providerId !== providerId) {
        return
      }
      if (event.detail?.workspaceId && workspaceId && event.detail.workspaceId !== workspaceId) {
        return
      }
      refresh()
    }
    document.addEventListener('visibilitychange', handleVisibilityChange)
    window.addEventListener('pageshow', handlePageShow)
    window.addEventListener('oauth-credentials-updated', handleCredentialsUpdated as EventListener)
    return () => {
      document.removeEventListener('visibilitychange', handleVisibilityChange)
      window.removeEventListener('pageshow', handlePageShow)
      window.removeEventListener(
        'oauth-credentials-updated',
        handleCredentialsUpdated as EventListener
      )
    }
-  }, [refetchCredentials])
+  }, [providerId, workspaceId, refetchCredentials])
 }
--- a/apps/sim/app/workspace/[workspaceId]/w/[workflowId]/components/panel/components/editor/components/sub-block/components/tool-input/components/tools/parameter.tsx
+++ b/apps/sim/app/workspace/[workspaceId]/w/[workflowId]/components/panel/components/editor/components/sub-block/components/tool-input/components/tools/parameter.tsx
@@ -0,0 +1,186 @@
 'use client'
 import type React from 'react'
 import { useRef, useState } from 'react'
 import { ArrowLeftRight, ArrowUp } from 'lucide-react'
 import { Button, Input, Label, Tooltip } from '@/components/emcn'
 import { cn } from '@/lib/core/utils/cn'
 import type { WandControlHandlers } from '@/app/workspace/[workspaceId]/w/[workflowId]/components/panel/components/editor/components/sub-block/sub-block'
 /**
 * Props for a generic parameter with label component
 */
 export interface ParameterWithLabelProps {
  paramId: string
  title: string
  isRequired: boolean
  visibility: string
  wandConfig?: {
    enabled: boolean
    prompt?: string
    placeholder?: string
  }
  canonicalToggle?: {
    mode: 'basic' | 'advanced'
    disabled?: boolean
    onToggle?: () => void
  }
  disabled: boolean
  isPreview: boolean
  children: (wandControlRef: React.MutableRefObject<WandControlHandlers | null>) => React.ReactNode
 }
 /**
 * Generic wrapper component for parameters that manages wand state and renders label + input
 */
 export function ParameterWithLabel({
  paramId,
  title,
  isRequired,
  visibility,
  wandConfig,
  canonicalToggle,
  disabled,
  isPreview,
  children,
 }: ParameterWithLabelProps) {
  const [isSearchActive, setIsSearchActive] = useState(false)
  const [searchQuery, setSearchQuery] = useState('')
  const searchInputRef = useRef<HTMLInputElement>(null)
  const wandControlRef = useRef<WandControlHandlers | null>(null)
  const isWandEnabled = wandConfig?.enabled ?? false
  const showWand = isWandEnabled && !isPreview && !disabled
  const handleSearchClick = (): void => {
    setIsSearchActive(true)
    setTimeout(() => {
      searchInputRef.current?.focus()
    }, 0)
  }
  const handleSearchBlur = (): void => {
    if (!searchQuery.trim() && !wandControlRef.current?.isWandStreaming) {
      setIsSearchActive(false)
    }
  }
  const handleSearchChange = (value: string): void => {
    setSearchQuery(value)
  }
  const handleSearchSubmit = (): void => {
    if (searchQuery.trim() && wandControlRef.current) {
      wandControlRef.current.onWandTrigger(searchQuery)
      setSearchQuery('')
      setIsSearchActive(false)
    }
  }
  const handleSearchCancel = (): void => {
    setSearchQuery('')
    setIsSearchActive(false)
  }
  const isStreaming = wandControlRef.current?.isWandStreaming ?? false
  return (
    <div key={paramId} className='relative min-w-0 space-y-[6px]'>
      <div className='flex items-center justify-between gap-[6px] pl-[2px]'>
        <Label className='flex items-baseline gap-[6px] whitespace-nowrap font-medium text-[13px] text-[var(--text-primary)]'>
          {title}
          {isRequired && visibility === 'user-only' && <span className='ml-0.5'>*</span>}
        </Label>
        <div className='flex min-w-0 flex-1 items-center justify-end gap-[6px]'>
          {showWand &&
            (!isSearchActive ? (
              <Button
                variant='active'
                className='-my-1 h-5 px-2 py-0 text-[11px]'
                onClick={handleSearchClick}
              >
                Generate
              </Button>
            ) : (
              <div className='-my-1 flex min-w-[120px] max-w-[280px] flex-1 items-center gap-[4px]'>
                <Input
                  ref={searchInputRef}
                  value={isStreaming ? 'Generating...' : searchQuery}
                  onChange={(e: React.ChangeEvent<HTMLInputElement>) =>
                    handleSearchChange(e.target.value)
                  }
                  onBlur={(e: React.FocusEvent<HTMLInputElement>) => {
                    const relatedTarget = e.relatedTarget as HTMLElement | null
                    if (relatedTarget?.closest('button')) return
                    handleSearchBlur()
                  }}
                  onKeyDown={(e: React.KeyboardEvent<HTMLInputElement>) => {
                    if (e.key === 'Enter' && searchQuery.trim() && !isStreaming) {
                      handleSearchSubmit()
                    } else if (e.key === 'Escape') {
                      handleSearchCancel()
                    }
                  }}
                  disabled={isStreaming}
                  className={cn(
                    'h-5 min-w-[80px] flex-1 text-[11px]',
                    isStreaming && 'text-muted-foreground'
                  )}
                  placeholder='Generate with AI...'
                />
                <Button
                  variant='tertiary'
                  disabled={!searchQuery.trim() || isStreaming}
                  onMouseDown={(e: React.MouseEvent) => {
                    e.preventDefault()
                    e.stopPropagation()
                  }}
                  onClick={(e: React.MouseEvent) => {
                    e.stopPropagation()
                    handleSearchSubmit()
                  }}
                  className='h-[20px] w-[20px] flex-shrink-0 p-0'
                >
                  <ArrowUp className='h-[12px] w-[12px]' />
                </Button>
              </div>
            ))}
          {canonicalToggle && !isPreview && (
            <Tooltip.Root>
              <Tooltip.Trigger asChild>
                <button
                  type='button'
                  className='flex h-[12px] w-[12px] flex-shrink-0 items-center justify-center bg-transparent p-0 disabled:cursor-not-allowed disabled:opacity-50'
                  onClick={canonicalToggle.onToggle}
                  disabled={canonicalToggle.disabled || disabled}
                  aria-label={
                    canonicalToggle.mode === 'advanced'
                      ? 'Switch to selector'
                      : 'Switch to manual ID'
                  }
                >
                  <ArrowLeftRight
                    className={cn(
                      '!h-[12px] !w-[12px]',
                      canonicalToggle.mode === 'advanced'
                        ? 'text-[var(--text-primary)]'
                        : 'text-[var(--text-secondary)]'
                    )}
                  />
                </button>
              </Tooltip.Trigger>
              <Tooltip.Content side='top'>
                <p>
                  {canonicalToggle.mode === 'advanced'
                    ? 'Switch to selector'
                    : 'Switch to manual ID'}
                </p>
              </Tooltip.Content>
            </Tooltip.Root>
          )}
        </div>
      </div>
      <div className='relative w-full min-w-0'>{children(wandControlRef)}</div>
    </div>
  )
 }
--- a/apps/sim/app/workspace/[workspaceId]/w/[workflowId]/components/panel/components/editor/components/sub-block/components/tool-input/components/tools/sub-block-renderer.tsx
+++ b/apps/sim/app/workspace/[workspaceId]/w/[workflowId]/components/panel/components/editor/components/sub-block/components/tool-input/components/tools/sub-block-renderer.tsx
@@ -0,0 +1,114 @@
 'use client'
 import { useEffect, useRef } from 'react'
 import { useSubBlockValue } from '@/app/workspace/[workspaceId]/w/[workflowId]/components/panel/components/editor/components/sub-block/hooks/use-sub-block-value'
 import { SubBlock } from '@/app/workspace/[workspaceId]/w/[workflowId]/components/panel/components/editor/components/sub-block/sub-block'
 import type { SubBlockConfig as BlockSubBlockConfig } from '@/blocks/types'
 interface ToolSubBlockRendererProps {
  blockId: string
  subBlockId: string
  toolIndex: number
  subBlock: BlockSubBlockConfig
  effectiveParamId: string
  toolParams: Record<string, string> | undefined
  onParamChange: (toolIndex: number, paramId: string, value: string) => void
  disabled: boolean
  canonicalToggle?: {
    mode: 'basic' | 'advanced'
    disabled?: boolean
    onToggle?: () => void
  }
 }
 /**
 * SubBlock types whose store values are objects/arrays/non-strings.
 * tool.params stores strings (via JSON.stringify), so when syncing
 * back to the store we parse them to restore the native shape.
 */
 const OBJECT_SUBBLOCK_TYPES = new Set(['file-upload', 'table', 'grouped-checkbox-list'])
 /**
 * Bridges the subblock store with StoredTool.params via a synthetic store key,
 * then delegates all rendering to SubBlock for full parity.
 */
 export function ToolSubBlockRenderer({
  blockId,
  subBlockId,
  toolIndex,
  subBlock,
  effectiveParamId,
  toolParams,
  onParamChange,
  disabled,
  canonicalToggle,
 }: ToolSubBlockRendererProps) {
  const syntheticId = `${subBlockId}-tool-${toolIndex}-${effectiveParamId}`
  const [storeValue, setStoreValue] = useSubBlockValue(blockId, syntheticId)
  const toolParamValue = toolParams?.[effectiveParamId] ?? ''
  const isObjectType = OBJECT_SUBBLOCK_TYPES.has(subBlock.type)
  const lastPushedToStoreRef = useRef<string | null>(null)
  const lastPushedToParamsRef = useRef<string | null>(null)
  useEffect(() => {
    if (!toolParamValue && lastPushedToStoreRef.current === null) {
      lastPushedToStoreRef.current = toolParamValue
      lastPushedToParamsRef.current = toolParamValue
      return
    }
    if (toolParamValue !== lastPushedToStoreRef.current) {
      lastPushedToStoreRef.current = toolParamValue
      lastPushedToParamsRef.current = toolParamValue
      if (isObjectType && typeof toolParamValue === 'string' && toolParamValue) {
        try {
          const parsed = JSON.parse(toolParamValue)
          if (typeof parsed === 'object' && parsed !== null) {
            setStoreValue(parsed)
            return
          }
        } catch {
          // Not valid JSON — fall through to set as string
        }
      }
      setStoreValue(toolParamValue)
    }
  }, [toolParamValue, setStoreValue, isObjectType])
  useEffect(() => {
    if (storeValue == null && lastPushedToParamsRef.current === null) return
    const stringValue =
      storeValue == null
        ? ''
        : typeof storeValue === 'string'
          ? storeValue
          : JSON.stringify(storeValue)
    if (stringValue !== lastPushedToParamsRef.current) {
      lastPushedToParamsRef.current = stringValue
      lastPushedToStoreRef.current = stringValue
      onParamChange(toolIndex, effectiveParamId, stringValue)
    }
  }, [storeValue, toolIndex, effectiveParamId, onParamChange])
  const visibility = subBlock.paramVisibility ?? 'user-or-llm'
  const isOptionalForUser = visibility !== 'user-only'
  const config = {
    ...subBlock,
    id: syntheticId,
    ...(isOptionalForUser && { required: false }),
  }
  return (
    <SubBlock
      blockId={blockId}
      config={config}
      isPreview={false}
      disabled={disabled}
      canonicalToggle={canonicalToggle}
      dependencyContext={toolParams}
    />
  )
 }
--- a/apps/sim/app/workspace/[workspaceId]/w/[workflowId]/components/panel/components/editor/components/sub-block/components/tool-input/tool-input.test.ts
+++ b/apps/sim/app/workspace/[workspaceId]/w/[workflowId]/components/panel/components/editor/components/sub-block/components/tool-input/tool-input.test.ts
@@ -2,37 +2,12 @@
 * @vitest-environment node
 */
 import { describe, expect, it } from 'vitest'
-
+import type { StoredTool } from '@/app/workspace/[workspaceId]/w/[workflowId]/components/panel/components/editor/components/sub-block/components/tool-input/types'
-interface StoredTool {
+import {
-  type: string
+  isCustomToolAlreadySelected,
-  title?: string
+  isMcpToolAlreadySelected,
-  toolId?: string
+  isWorkflowAlreadySelected,
-  params?: Record<string, string>
+} from '@/app/workspace/[workspaceId]/w/[workflowId]/components/panel/components/editor/components/sub-block/components/tool-input/utils'
  customToolId?: string
  schema?: any
  code?: string
  operation?: string
  usageControl?: 'auto' | 'force' | 'none'
 }
 const isMcpToolAlreadySelected = (selectedTools: StoredTool[], mcpToolId: string): boolean => {
  return selectedTools.some((tool) => tool.type === 'mcp' && tool.toolId === mcpToolId)
 }
 const isCustomToolAlreadySelected = (
  selectedTools: StoredTool[],
  customToolId: string
 ): boolean => {
  return selectedTools.some(
    (tool) => tool.type === 'custom-tool' && tool.customToolId === customToolId
  )
 }
 const isWorkflowAlreadySelected = (selectedTools: StoredTool[], workflowId: string): boolean => {
  return selectedTools.some(
    (tool) => tool.type === 'workflow_input' && tool.params?.workflowId === workflowId
  )
 }
 describe('isMcpToolAlreadySelected', () => {
  describe('basic functionality', () => {
--- a/apps/sim/app/workspace/[workspaceId]/w/[workflowId]/components/panel/components/editor/components/sub-block/components/tool-input/tool-input.tsx
+++ b/apps/sim/app/workspace/[workspaceId]/w/[workflowId]/components/panel/components/editor/components/sub-block/components/tool-input/tool-input.tsx
--- a/apps/sim/app/workspace/[workspaceId]/w/[workflowId]/components/panel/components/editor/components/sub-block/components/tool-input/types.ts
+++ b/apps/sim/app/workspace/[workspaceId]/w/[workflowId]/components/panel/components/editor/components/sub-block/components/tool-input/types.ts
@@ -0,0 +1,31 @@
 /**
 * Represents a tool selected and configured in the workflow
 *
 * @remarks
 * For custom tools (new format), we only store: type, customToolId, usageControl, isExpanded.
 * Everything else (title, schema, code) is loaded dynamically from the database.
 * Legacy custom tools with inline schema/code are still supported for backwards compatibility.
 */
 export interface StoredTool {
  /** Block type identifier */
  type: string
  /** Display title for the tool (optional for new custom tool format) */
  title?: string
  /** Direct tool ID for execution (optional for new custom tool format) */
  toolId?: string
  /** Parameter values configured by the user (optional for new custom tool format) */
  params?: Record<string, string>
  /** Whether the tool details are expanded in UI */
  isExpanded?: boolean
  /** Database ID for custom tools (new format - reference only) */
  customToolId?: string
  /** Tool schema for custom tools (legacy format - inline JSON schema) */
  // eslint-disable-next-line @typescript-eslint/no-explicit-any
  schema?: Record<string, any>
  /** Implementation code for custom tools (legacy format - inline) */
  code?: string
  /** Selected operation for multi-operation tools */
  operation?: string
  /** Tool usage control mode for LLM */
  usageControl?: 'auto' | 'force' | 'none'
 }
--- a/apps/sim/app/workspace/[workspaceId]/w/[workflowId]/components/panel/components/editor/components/sub-block/components/tool-input/utils.ts
+++ b/apps/sim/app/workspace/[workspaceId]/w/[workflowId]/components/panel/components/editor/components/sub-block/components/tool-input/utils.ts
@@ -0,0 +1,32 @@
 import type { StoredTool } from '@/app/workspace/[workspaceId]/w/[workflowId]/components/panel/components/editor/components/sub-block/components/tool-input/types'
 /**
 * Checks if an MCP tool is already selected.
 */
 export function isMcpToolAlreadySelected(selectedTools: StoredTool[], mcpToolId: string): boolean {
  return selectedTools.some((tool) => tool.type === 'mcp' && tool.toolId === mcpToolId)
 }
 /**
 * Checks if a custom tool is already selected.
 */
 export function isCustomToolAlreadySelected(
  selectedTools: StoredTool[],
  customToolId: string
 ): boolean {
  return selectedTools.some(
    (tool) => tool.type === 'custom-tool' && tool.customToolId === customToolId
  )
 }
 /**
 * Checks if a workflow is already selected.
 */
 export function isWorkflowAlreadySelected(
  selectedTools: StoredTool[],
  workflowId: string
 ): boolean {
  return selectedTools.some(
    (tool) => tool.type === 'workflow_input' && tool.params?.workflowId === workflowId
  )
 }
--- a/apps/sim/app/workspace/[workspaceId]/w/[workflowId]/components/panel/components/editor/components/sub-block/hooks/use-foreign-credential.ts
+++ b/apps/sim/app/workspace/[workspaceId]/w/[workflowId]/components/panel/components/editor/components/sub-block/hooks/use-foreign-credential.ts
@@ -1,50 +0,0 @@
 import { useEffect, useMemo, useState } from 'react'
 export function useForeignCredential(
  provider: string | undefined,
  credentialId: string | undefined
 ) {
  const [isForeign, setIsForeign] = useState<boolean>(false)
  const [loading, setLoading] = useState<boolean>(false)
  const [error, setError] = useState<string | null>(null)
  const normalizedProvider = useMemo(() => (provider || '').toString(), [provider])
  const normalizedCredentialId = useMemo(() => credentialId || '', [credentialId])
  useEffect(() => {
    let cancelled = false
    async function check() {
      setLoading(true)
      setError(null)
      try {
        if (!normalizedProvider || !normalizedCredentialId) {
          if (!cancelled) setIsForeign(false)
          return
        }
        const res = await fetch(
          `/api/auth/oauth/credentials?provider=${encodeURIComponent(normalizedProvider)}`
        )
        if (!res.ok) {
          if (!cancelled) setIsForeign(true)
          return
        }
        const data = await res.json()
        const isOwn = (data.credentials || []).some((c: any) => c.id === normalizedCredentialId)
        if (!cancelled) setIsForeign(!isOwn)
      } catch (e) {
        if (!cancelled) {
          setIsForeign(true)
          setError((e as Error).message)
        }
      } finally {
        if (!cancelled) setLoading(false)
      }
    }
    void check()
    return () => {
      cancelled = true
    }
  }, [normalizedProvider, normalizedCredentialId])
  return { isForeignCredential: isForeign, loading, error }
 }
--- a/apps/sim/app/workspace/[workspaceId]/w/[workflowId]/components/panel/components/editor/components/sub-block/sub-block.tsx
+++ b/apps/sim/app/workspace/[workspaceId]/w/[workflowId]/components/panel/components/editor/components/sub-block/sub-block.tsx
@@ -3,7 +3,6 @@ import { isEqual } from 'lodash'
 import { AlertTriangle, ArrowLeftRight, ArrowUp, Check, Clipboard } from 'lucide-react'
 import { Button, Input, Label, Tooltip } from '@/components/emcn/components'
 import { cn } from '@/lib/core/utils/cn'
 import type { FieldDiffStatus } from '@/lib/workflows/diff/types'
 import {
  CheckboxList,
  Code,
@@ -69,13 +68,15 @@ interface SubBlockProps {
  isPreview?: boolean
  subBlockValues?: Record<string, any>
  disabled?: boolean
  fieldDiffStatus?: FieldDiffStatus
  allowExpandInPreview?: boolean
  canonicalToggle?: {
    mode: 'basic' | 'advanced'
    disabled?: boolean
    onToggle?: () => void
  }
  labelSuffix?: React.ReactNode
  /** Provides sibling values for dependency resolution in non-preview contexts (e.g. tool-input) */
  dependencyContext?: Record<string, unknown>
 }
 /**
@@ -162,16 +163,14 @@ const getPreviewValue = (
 /**
 * Renders the label with optional validation and description tooltips.
 *
 * @remarks
 * Handles JSON validation indicators for code blocks and required field markers.
 * Includes inline AI generate button when wand is enabled.
 *
 * @param config - The sub-block configuration defining the label content
 * @param isValidJson - Whether the JSON content is valid (for code blocks)
 * @param subBlockValues - Current values of all subblocks for evaluating conditional requirements
- * @param wandState - Optional state and handlers for the AI wand feature
+ * @param wandState - State and handlers for the inline AI generate feature
- * @param canonicalToggle - Optional canonical toggle metadata and handlers
+ * @param canonicalToggle - Metadata and handlers for the basic/advanced mode toggle
- * @param canonicalToggleIsDisabled - Whether the canonical toggle is disabled
+ * @param canonicalToggleIsDisabled - Whether the canonical toggle is disabled (includes dependsOn gating)
 * @param copyState - State and handler for the copy-to-clipboard button
 * @param labelSuffix - Additional content rendered after the label text
 * @returns The label JSX element, or `null` for switch types or when no title is defined
 */
 const renderLabel = (
@@ -202,7 +201,8 @@ const renderLabel = (
    showCopyButton: boolean
    copied: boolean
    onCopy: () => void
-  }
+  },
  labelSuffix?: React.ReactNode
 ): JSX.Element | null => {
  if (config.type === 'switch') return null
  if (!config.title) return null
@@ -215,9 +215,10 @@ const renderLabel = (
  return (
    <div className='flex items-center justify-between gap-[6px] pl-[2px]'>
-      <Label className='flex items-center gap-[6px] whitespace-nowrap'>
+      <Label className='flex items-baseline gap-[6px] whitespace-nowrap'>
        {config.title}
        {required && <span className='ml-0.5'>*</span>}
        {labelSuffix}
        {config.type === 'code' &&
          config.language === 'json' &&
          !isValidJson &&
@@ -383,28 +384,25 @@ const arePropsEqual = (prevProps: SubBlockProps, nextProps: SubBlockProps): bool
    prevProps.isPreview === nextProps.isPreview &&
    valueEqual &&
    prevProps.disabled === nextProps.disabled &&
    prevProps.fieldDiffStatus === nextProps.fieldDiffStatus &&
    prevProps.allowExpandInPreview === nextProps.allowExpandInPreview &&
-    canonicalToggleEqual
+    canonicalToggleEqual &&
    prevProps.labelSuffix === nextProps.labelSuffix &&
    prevProps.dependencyContext === nextProps.dependencyContext
  )
 }
 /**
 * Renders a single workflow sub-block input based on config.type.
 *
 * @remarks
 * Supports multiple input types including short-input, long-input, dropdown,
 * combobox, slider, table, code, switch, tool-input, and many more.
 * Handles preview mode, disabled states, and AI wand generation.
 *
 * @param blockId - The parent block identifier
 * @param config - Configuration defining the input type and properties
 * @param isPreview - Whether to render in preview mode
 * @param subBlockValues - Current values of all subblocks
 * @param disabled - Whether the input is disabled
 * @param fieldDiffStatus - Optional diff status for visual indicators
 * @param allowExpandInPreview - Whether to allow expanding in preview mode
- * @returns The rendered sub-block input component
+ * @param canonicalToggle - Metadata and handlers for the basic/advanced mode toggle
 * @param labelSuffix - Additional content rendered after the label text
 * @param dependencyContext - Sibling values for dependency resolution in non-preview contexts (e.g. tool-input)
 */
 function SubBlockComponent({
  blockId,
@@ -412,9 +410,10 @@ function SubBlockComponent({
  isPreview = false,
  subBlockValues,
  disabled = false,
  fieldDiffStatus,
  allowExpandInPreview,
  canonicalToggle,
  labelSuffix,
  dependencyContext,
 }: SubBlockProps): JSX.Element {
  const [isValidJson, setIsValidJson] = useState(true)
  const [isSearchActive, setIsSearchActive] = useState(false)
@@ -423,7 +422,6 @@ function SubBlockComponent({
  const searchInputRef = useRef<HTMLInputElement>(null)
  const wandControlRef = useRef<WandControlHandlers | null>(null)
  // Use webhook management hook when config has useWebhookUrl enabled
  const webhookManagement = useWebhookManagement({
    blockId,
    triggerId: undefined,
@@ -510,10 +508,12 @@ function SubBlockComponent({
    | null
    | undefined
  const contextValues = dependencyContext ?? (isPreview ? subBlockValues : undefined)
  const { finalDisabled: gatedDisabled } = useDependsOnGate(blockId, config, {
    disabled,
    isPreview,
-    previewContextValues: isPreview ? subBlockValues : undefined,
+    previewContextValues: contextValues,
  })
  const isDisabled = gatedDisabled
@@ -797,7 +797,7 @@ function SubBlockComponent({
            disabled={isDisabled}
            isPreview={isPreview}
            previewValue={previewValue}
-            previewContextValues={isPreview ? subBlockValues : undefined}
+            previewContextValues={contextValues}
          />
        )
@@ -809,7 +809,7 @@ function SubBlockComponent({
            disabled={isDisabled}
            isPreview={isPreview}
            previewValue={previewValue}
-            previewContextValues={isPreview ? subBlockValues : undefined}
+            previewContextValues={contextValues}
          />
        )
@@ -821,7 +821,7 @@ function SubBlockComponent({
            disabled={isDisabled}
            isPreview={isPreview}
            previewValue={previewValue}
-            previewContextValues={isPreview ? subBlockValues : undefined}
+            previewContextValues={contextValues}
          />
        )
@@ -833,7 +833,7 @@ function SubBlockComponent({
            disabled={isDisabled}
            isPreview={isPreview}
            previewValue={previewValue}
-            previewContextValues={isPreview ? subBlockValues : undefined}
+            previewContextValues={contextValues}
          />
        )
@@ -845,7 +845,7 @@ function SubBlockComponent({
            disabled={isDisabled}
            isPreview={isPreview}
            previewValue={previewValue}
-            previewContextValues={isPreview ? subBlockValues : undefined}
+            previewContextValues={contextValues}
          />
        )
@@ -868,7 +868,7 @@ function SubBlockComponent({
            disabled={isDisabled}
            isPreview={isPreview}
            previewValue={previewValue as any}
-            previewContextValues={isPreview ? subBlockValues : undefined}
+            previewContextValues={contextValues}
          />
        )
@@ -880,7 +880,7 @@ function SubBlockComponent({
            disabled={isDisabled}
            isPreview={isPreview}
            previewValue={previewValue as any}
-            previewContextValues={isPreview ? subBlockValues : undefined}
+            previewContextValues={contextValues}
          />
        )
@@ -892,7 +892,7 @@ function SubBlockComponent({
            disabled={isDisabled}
            isPreview={isPreview}
            previewValue={previewValue as any}
-            previewContextValues={isPreview ? subBlockValues : undefined}
+            previewContextValues={contextValues}
          />
        )
@@ -917,7 +917,7 @@ function SubBlockComponent({
            isPreview={isPreview}
            previewValue={previewValue as any}
            disabled={isDisabled}
-            previewContextValues={isPreview ? subBlockValues : undefined}
+            previewContextValues={contextValues}
          />
        )
@@ -953,7 +953,7 @@ function SubBlockComponent({
            disabled={isDisabled}
            isPreview={isPreview}
            previewValue={previewValue}
-            previewContextValues={isPreview ? subBlockValues : undefined}
+            previewContextValues={contextValues}
          />
        )
@@ -987,7 +987,7 @@ function SubBlockComponent({
            disabled={isDisabled}
            isPreview={isPreview}
            previewValue={previewValue as any}
-            previewContextValues={isPreview ? subBlockValues : undefined}
+            previewContextValues={contextValues}
          />
        )
@@ -999,7 +999,7 @@ function SubBlockComponent({
            disabled={isDisabled}
            isPreview={isPreview}
            previewValue={previewValue}
-            previewContextValues={isPreview ? subBlockValues : undefined}
+            previewContextValues={contextValues}
          />
        )
@@ -1059,7 +1059,8 @@ function SubBlockComponent({
          showCopyButton: Boolean(config.showCopyButton && config.useWebhookUrl),
          copied,
          onCopy: handleCopy,
-        }
+        },
        labelSuffix
      )}
      {renderInput()}
    </div>
--- a/apps/sim/app/workspace/[workspaceId]/w/[workflowId]/components/panel/components/editor/editor.tsx
+++ b/apps/sim/app/workspace/[workspaceId]/w/[workflowId]/components/panel/components/editor/editor.tsx
@@ -571,7 +571,6 @@ export function Editor() {
                          isPreview={false}
                          subBlockValues={subBlockState}
                          disabled={!canEditBlock}
                          fieldDiffStatus={undefined}
                          allowExpandInPreview={false}
                          canonicalToggle={
                            isCanonicalSwap && canonicalMode && canonicalId
@@ -635,7 +634,6 @@ export function Editor() {
                          isPreview={false}
                          subBlockValues={subBlockState}
                          disabled={!canEditBlock}
                          fieldDiffStatus={undefined}
                          allowExpandInPreview={false}
                        />
                        {index < advancedOnlySubBlocks.length - 1 && (
--- a/apps/sim/app/workspace/[workspaceId]/w/[workflowId]/components/workflow-block/workflow-block.tsx
+++ b/apps/sim/app/workspace/[workspaceId]/w/[workflowId]/components/workflow-block/workflow-block.tsx
@@ -106,31 +106,6 @@ const isPlainObject = (value: unknown): value is Record<string, unknown> => {
  return typeof value === 'object' && value !== null && !Array.isArray(value)
 }
 /**
 * Parse subblock values that may arrive as JSON strings or already-materialized arrays.
 */
 const parseStructuredArrayValue = (value: unknown): Array<Record<string, unknown>> | null => {
  if (Array.isArray(value)) {
    return value.filter(
      (item): item is Record<string, unknown> => typeof item === 'object' && item !== null
    )
  }
  if (typeof value !== 'string') {
    return null
  }
  try {
    const parsed = JSON.parse(value)
    if (!Array.isArray(parsed)) {
      return null
    }
    return parsed.filter(
      (item): item is Record<string, unknown> => typeof item === 'object' && item !== null
    )
  } catch {
    return null
  }
 }
 /**
 * Type guard for variable assignments array
 */
@@ -986,21 +961,25 @@ export const WorkflowBlock = memo(function WorkflowBlock({
    if (type !== 'condition') return [] as { id: string; title: string; value: string }[]
    const conditionsValue = subBlockState.conditions?.value
-    const parsed = parseStructuredArrayValue(conditionsValue)
+    const raw = typeof conditionsValue === 'string' ? conditionsValue : undefined
-    if (parsed && parsed.length > 0) {
+
-      return parsed.map((item, index) => {
+    try {
-        const conditionId = typeof item.id === 'string' ? item.id : `${id}-cond-${index}`
+      if (raw) {
        const parsed = JSON.parse(raw) as unknown
        if (Array.isArray(parsed)) {
          return parsed.map((item: unknown, index: number) => {
            const conditionItem = item as { id?: string; value?: unknown }
            const title = index === 0 ? 'if' : index === parsed.length - 1 ? 'else' : 'else if'
            return {
-          id: conditionId,
+              id: conditionItem?.id ?? `${id}-cond-${index}`,
              title,
-          value: typeof item.value === 'string' ? item.value : '',
+              value: typeof conditionItem?.value === 'string' ? conditionItem.value : '',
            }
          })
        }
-
+      }
-    if (typeof conditionsValue === 'string' && conditionsValue.trim()) {
+    } catch (error) {
-      logger.warn('Failed to parse condition subblock value', { blockId: id })
+      logger.warn('Failed to parse condition subblock value', { error, blockId: id })
    }
    return [
@@ -1018,16 +997,24 @@ export const WorkflowBlock = memo(function WorkflowBlock({
    if (type !== 'router_v2') return [] as { id: string; value: string }[]
    const routesValue = subBlockState.routes?.value
-    const parsed = parseStructuredArrayValue(routesValue)
+    const raw = typeof routesValue === 'string' ? routesValue : undefined
    if (parsed && parsed.length > 0) {
      return parsed.map((item, index) => ({
        id: typeof item.id === 'string' ? item.id : `${id}-route${index + 1}`,
        value: typeof item.value === 'string' ? item.value : '',
      }))
    }
-    if (typeof routesValue === 'string' && routesValue.trim()) {
+    try {
-      logger.warn('Failed to parse router routes value', { blockId: id })
+      if (raw) {
        const parsed = JSON.parse(raw) as unknown
        if (Array.isArray(parsed)) {
          return parsed.map((item: unknown, index: number) => {
            const routeItem = item as { id?: string; value?: string }
            return {
              // Use stable ID format that matches ConditionInput's generateStableId
              id: routeItem?.id ?? `${id}-route${index + 1}`,
              value: routeItem?.value ?? '',
            }
          })
        }
      }
    } catch (error) {
      logger.warn('Failed to parse router routes value', { error, blockId: id })
    }
    // Fallback must match ConditionInput's default: generateStableId(blockId, 'route1') = `${blockId}-route1`
--- a/apps/sim/app/workspace/[workspaceId]/w/[workflowId]/hooks/use-workflow-execution.ts
+++ b/apps/sim/app/workspace/[workspaceId]/w/[workflowId]/hooks/use-workflow-execution.ts
@@ -1,4 +1,4 @@
-import { useCallback, useRef, useState } from 'react'
+import { useCallback, useEffect, useRef, useState } from 'react'
 import { createLogger } from '@sim/logger'
 import { useQueryClient } from '@tanstack/react-query'
 import { v4 as uuidv4 } from 'uuid'
@@ -46,7 +46,13 @@ import { useWorkflowStore } from '@/stores/workflows/workflow/store'
 const logger = createLogger('useWorkflowExecution')
-// Debug state validation result
+/**
 * Module-level Set tracking which workflows have an active reconnection effect.
 * Prevents multiple hook instances (from different components) from starting
 * concurrent reconnection streams for the same workflow during the same mount cycle.
 */
 const activeReconnections = new Set<string>()
 interface DebugValidationResult {
  isValid: boolean
  error?: string
@@ -54,7 +60,7 @@ interface DebugValidationResult {
 interface BlockEventHandlerConfig {
  workflowId?: string
-  executionId?: string
+  executionIdRef: { current: string }
  workflowEdges: Array<{ id: string; target: string; sourceHandle?: string | null }>
  activeBlocksSet: Set<string>
  accumulatedBlockLogs: BlockLog[]
@@ -108,12 +114,15 @@ export function useWorkflowExecution() {
  const queryClient = useQueryClient()
  const currentWorkflow = useCurrentWorkflow()
  const { activeWorkflowId, workflows } = useWorkflowRegistry()
-  const { toggleConsole, addConsole, updateConsole, cancelRunningEntries } =
+  const { toggleConsole, addConsole, updateConsole, cancelRunningEntries, clearExecutionEntries } =
    useTerminalConsoleStore()
  const hasHydrated = useTerminalConsoleStore((s) => s._hasHydrated)
  const { getAllVariables } = useEnvironmentStore()
  const { getVariablesByWorkflowId, variables } = useVariablesStore()
  const { isExecuting, isDebugging, pendingBlocks, executor, debugContext } =
    useCurrentWorkflowExecution()
  const setCurrentExecutionId = useExecutionStore((s) => s.setCurrentExecutionId)
  const getCurrentExecutionId = useExecutionStore((s) => s.getCurrentExecutionId)
  const setIsExecuting = useExecutionStore((s) => s.setIsExecuting)
  const setIsDebugging = useExecutionStore((s) => s.setIsDebugging)
  const setPendingBlocks = useExecutionStore((s) => s.setPendingBlocks)
@@ -297,7 +306,7 @@ export function useWorkflowExecution() {
    (config: BlockEventHandlerConfig) => {
      const {
        workflowId,
-        executionId,
+        executionIdRef,
        workflowEdges,
        activeBlocksSet,
        accumulatedBlockLogs,
@@ -308,6 +317,14 @@ export function useWorkflowExecution() {
        onBlockCompleteCallback,
      } = config
      /** Returns true if this execution was cancelled or superseded by another run. */
      const isStaleExecution = () =>
        !!(
          workflowId &&
          executionIdRef.current &&
          useExecutionStore.getState().getCurrentExecutionId(workflowId) !== executionIdRef.current
        )
      const updateActiveBlocks = (blockId: string, isActive: boolean) => {
        if (!workflowId) return
        if (isActive) {
@@ -360,7 +377,7 @@ export function useWorkflowExecution() {
          endedAt: data.endedAt,
          workflowId,
          blockId: data.blockId,
-          executionId,
+          executionId: executionIdRef.current,
          blockName: data.blockName || 'Unknown Block',
          blockType: data.blockType || 'unknown',
          iterationCurrent: data.iterationCurrent,
@@ -383,7 +400,7 @@ export function useWorkflowExecution() {
          endedAt: data.endedAt,
          workflowId,
          blockId: data.blockId,
-          executionId,
+          executionId: executionIdRef.current,
          blockName: data.blockName || 'Unknown Block',
          blockType: data.blockType || 'unknown',
          iterationCurrent: data.iterationCurrent,
@@ -410,7 +427,7 @@ export function useWorkflowExecution() {
            iterationType: data.iterationType,
            iterationContainerId: data.iterationContainerId,
          },
-          executionId
+          executionIdRef.current
        )
      }
@@ -432,11 +449,12 @@ export function useWorkflowExecution() {
            iterationType: data.iterationType,
            iterationContainerId: data.iterationContainerId,
          },
-          executionId
+          executionIdRef.current
        )
      }
      const onBlockStarted = (data: BlockStartedData) => {
        if (isStaleExecution()) return
        updateActiveBlocks(data.blockId, true)
        markIncomingEdges(data.blockId)
@@ -453,7 +471,7 @@ export function useWorkflowExecution() {
          endedAt: undefined,
          workflowId,
          blockId: data.blockId,
-          executionId,
+          executionId: executionIdRef.current,
          blockName: data.blockName || 'Unknown Block',
          blockType: data.blockType || 'unknown',
          isRunning: true,
@@ -465,6 +483,7 @@ export function useWorkflowExecution() {
      }
      const onBlockCompleted = (data: BlockCompletedData) => {
        if (isStaleExecution()) return
        updateActiveBlocks(data.blockId, false)
        if (workflowId) setBlockRunStatus(workflowId, data.blockId, 'success')
@@ -495,6 +514,7 @@ export function useWorkflowExecution() {
      }
      const onBlockError = (data: BlockErrorData) => {
        if (isStaleExecution()) return
        updateActiveBlocks(data.blockId, false)
        if (workflowId) setBlockRunStatus(workflowId, data.blockId, 'error')
@@ -902,10 +922,6 @@ export function useWorkflowExecution() {
                // Update block logs with actual stream completion times
                if (result.logs && streamCompletionTimes.size > 0) {
                  const streamCompletionEndTime = new Date(
                    Math.max(...Array.from(streamCompletionTimes.values()))
                  ).toISOString()
                  result.logs.forEach((log: BlockLog) => {
                    if (streamCompletionTimes.has(log.blockId)) {
                      const completionTime = streamCompletionTimes.get(log.blockId)!
@@ -987,7 +1003,6 @@ export function useWorkflowExecution() {
        return { success: true, stream }
      }
      // For manual (non-chat) execution
      const manualExecutionId = uuidv4()
      try {
        const result = await executeWorkflow(
@@ -1002,29 +1017,10 @@ export function useWorkflowExecution() {
          if (result.metadata.pendingBlocks) {
            setPendingBlocks(activeWorkflowId, result.metadata.pendingBlocks)
          }
        } else if (result && 'success' in result) {
          setExecutionResult(result)
          // Reset execution state after successful non-debug execution
          setIsExecuting(activeWorkflowId, false)
          setIsDebugging(activeWorkflowId, false)
          setActiveBlocks(activeWorkflowId, new Set())
          if (isChatExecution) {
            if (!result.metadata) {
              result.metadata = { duration: 0, startTime: new Date().toISOString() }
            }
            ;(result.metadata as any).source = 'chat'
          }
          // Invalidate subscription queries to update usage
          setTimeout(() => {
            queryClient.invalidateQueries({ queryKey: subscriptionKeys.all })
          }, 1000)
        }
        return result
      } catch (error: any) {
        const errorResult = handleExecutionError(error, { executionId: manualExecutionId })
        // Note: Error logs are already persisted server-side via execution-core.ts
        return errorResult
      }
    },
@@ -1275,7 +1271,7 @@ export function useWorkflowExecution() {
    if (activeWorkflowId) {
      logger.info('Using server-side executor')
-      const executionId = uuidv4()
+      const executionIdRef = { current: '' }
      let executionResult: ExecutionResult = {
        success: false,
@@ -1293,7 +1289,7 @@ export function useWorkflowExecution() {
      try {
        const blockHandlers = buildBlockEventHandlers({
          workflowId: activeWorkflowId,
-          executionId,
+          executionIdRef,
          workflowEdges,
          activeBlocksSet,
          accumulatedBlockLogs,
@@ -1326,6 +1322,10 @@ export function useWorkflowExecution() {
            loops: clientWorkflowState.loops,
            parallels: clientWorkflowState.parallels,
          },
          onExecutionId: (id) => {
            executionIdRef.current = id
            setCurrentExecutionId(activeWorkflowId, id)
          },
          callbacks: {
            onExecutionStarted: (data) => {
              logger.info('Server execution started:', data)
@@ -1368,6 +1368,18 @@ export function useWorkflowExecution() {
            },
            onExecutionCompleted: (data) => {
              if (
                activeWorkflowId &&
                executionIdRef.current &&
                useExecutionStore.getState().getCurrentExecutionId(activeWorkflowId) !==
                  executionIdRef.current
              )
                return
              if (activeWorkflowId) {
                setCurrentExecutionId(activeWorkflowId, null)
              }
              executionResult = {
                success: data.success,
                output: data.output,
@@ -1425,9 +1437,33 @@ export function useWorkflowExecution() {
                  })
                }
              }
              const workflowExecState = activeWorkflowId
                ? useExecutionStore.getState().getWorkflowExecution(activeWorkflowId)
                : null
              if (activeWorkflowId && !workflowExecState?.isDebugging) {
                setExecutionResult(executionResult)
                setIsExecuting(activeWorkflowId, false)
                setActiveBlocks(activeWorkflowId, new Set())
                setTimeout(() => {
                  queryClient.invalidateQueries({ queryKey: subscriptionKeys.all })
                }, 1000)
              }
            },
            onExecutionError: (data) => {
              if (
                activeWorkflowId &&
                executionIdRef.current &&
                useExecutionStore.getState().getCurrentExecutionId(activeWorkflowId) !==
                  executionIdRef.current
              )
                return
              if (activeWorkflowId) {
                setCurrentExecutionId(activeWorkflowId, null)
              }
              executionResult = {
                success: false,
                output: {},
@@ -1441,43 +1477,53 @@ export function useWorkflowExecution() {
              const isPreExecutionError = accumulatedBlockLogs.length === 0
              handleExecutionErrorConsole({
                workflowId: activeWorkflowId,
-                executionId,
+                executionId: executionIdRef.current,
                error: data.error,
                durationMs: data.duration,
                blockLogs: accumulatedBlockLogs,
                isPreExecutionError,
              })
              if (activeWorkflowId) {
                setIsExecuting(activeWorkflowId, false)
                setIsDebugging(activeWorkflowId, false)
                setActiveBlocks(activeWorkflowId, new Set())
              }
            },
            onExecutionCancelled: (data) => {
              if (
                activeWorkflowId &&
                executionIdRef.current &&
                useExecutionStore.getState().getCurrentExecutionId(activeWorkflowId) !==
                  executionIdRef.current
              )
                return
              if (activeWorkflowId) {
                setCurrentExecutionId(activeWorkflowId, null)
              }
              handleExecutionCancelledConsole({
                workflowId: activeWorkflowId,
-                executionId,
+                executionId: executionIdRef.current,
                durationMs: data?.duration,
              })
              if (activeWorkflowId) {
                setIsExecuting(activeWorkflowId, false)
                setIsDebugging(activeWorkflowId, false)
                setActiveBlocks(activeWorkflowId, new Set())
              }
            },
          },
        })
        return executionResult
      } catch (error: any) {
        // Don't log abort errors - they're intentional user actions
        if (error.name === 'AbortError' || error.message?.includes('aborted')) {
          logger.info('Execution aborted by user')
-
+          return executionResult
          // Reset execution state
          if (activeWorkflowId) {
            setIsExecuting(activeWorkflowId, false)
            setActiveBlocks(activeWorkflowId, new Set())
          }
          // Return gracefully without error
          return {
            success: false,
            output: {},
            metadata: { duration: 0 },
            logs: [],
          }
        }
        logger.error('Server-side execution failed:', error)
@@ -1485,7 +1531,6 @@ export function useWorkflowExecution() {
      }
    }
    // Fallback: should never reach here
    throw new Error('Server-side execution is required')
  }
@@ -1717,25 +1762,28 @@ export function useWorkflowExecution() {
   * Handles cancelling the current workflow execution
   */
  const handleCancelExecution = useCallback(() => {
    if (!activeWorkflowId) return
    logger.info('Workflow execution cancellation requested')
-    // Cancel the execution stream for this workflow (server-side)
+    const storedExecutionId = getCurrentExecutionId(activeWorkflowId)
    executionStream.cancel(activeWorkflowId ?? undefined)
-    // Mark current chat execution as superseded so its cleanup won't affect new executions
+    if (storedExecutionId) {
      setCurrentExecutionId(activeWorkflowId, null)
      fetch(`/api/workflows/${activeWorkflowId}/executions/${storedExecutionId}/cancel`, {
        method: 'POST',
      }).catch(() => {})
      handleExecutionCancelledConsole({
        workflowId: activeWorkflowId,
        executionId: storedExecutionId,
      })
    }
    executionStream.cancel(activeWorkflowId)
    currentChatExecutionIdRef.current = null
    // Mark all running entries as canceled in the terminal
    if (activeWorkflowId) {
      cancelRunningEntries(activeWorkflowId)
      // Reset execution state - this triggers chat stream cleanup via useEffect in chat.tsx
    setIsExecuting(activeWorkflowId, false)
    setIsDebugging(activeWorkflowId, false)
    setActiveBlocks(activeWorkflowId, new Set())
    }
    // If in debug mode, also reset debug state
    if (isDebugging) {
      resetDebugState()
    }
@@ -1747,7 +1795,9 @@ export function useWorkflowExecution() {
    setIsDebugging,
    setActiveBlocks,
    activeWorkflowId,
-    cancelRunningEntries,
+    getCurrentExecutionId,
    setCurrentExecutionId,
    handleExecutionCancelledConsole,
  ])
  /**
@@ -1847,7 +1897,7 @@ export function useWorkflowExecution() {
      }
      setIsExecuting(workflowId, true)
-      const executionId = uuidv4()
+      const executionIdRef = { current: '' }
      const accumulatedBlockLogs: BlockLog[] = []
      const accumulatedBlockStates = new Map<string, BlockState>()
      const executedBlockIds = new Set<string>()
@@ -1856,7 +1906,7 @@ export function useWorkflowExecution() {
      try {
        const blockHandlers = buildBlockEventHandlers({
          workflowId,
-          executionId,
+          executionIdRef,
          workflowEdges,
          activeBlocksSet,
          accumulatedBlockLogs,
@@ -1871,6 +1921,10 @@ export function useWorkflowExecution() {
          startBlockId: blockId,
          sourceSnapshot: effectiveSnapshot,
          input: workflowInput,
          onExecutionId: (id) => {
            executionIdRef.current = id
            setCurrentExecutionId(workflowId, id)
          },
          callbacks: {
            onBlockStarted: blockHandlers.onBlockStarted,
            onBlockCompleted: blockHandlers.onBlockCompleted,
@@ -1878,7 +1932,6 @@ export function useWorkflowExecution() {
            onExecutionCompleted: (data) => {
              if (data.success) {
                // Add the start block (trigger) to executed blocks
                executedBlockIds.add(blockId)
                const mergedBlockStates: Record<string, BlockState> = {
@@ -1902,6 +1955,10 @@ export function useWorkflowExecution() {
                }
                setLastExecutionSnapshot(workflowId, updatedSnapshot)
              }
              setCurrentExecutionId(workflowId, null)
              setIsExecuting(workflowId, false)
              setActiveBlocks(workflowId, new Set())
            },
            onExecutionError: (data) => {
@@ -1921,19 +1978,27 @@ export function useWorkflowExecution() {
              handleExecutionErrorConsole({
                workflowId,
-                executionId,
+                executionId: executionIdRef.current,
                error: data.error,
                durationMs: data.duration,
                blockLogs: accumulatedBlockLogs,
              })
              setCurrentExecutionId(workflowId, null)
              setIsExecuting(workflowId, false)
              setActiveBlocks(workflowId, new Set())
            },
            onExecutionCancelled: (data) => {
              handleExecutionCancelledConsole({
                workflowId,
-                executionId,
+                executionId: executionIdRef.current,
                durationMs: data?.duration,
              })
              setCurrentExecutionId(workflowId, null)
              setIsExecuting(workflowId, false)
              setActiveBlocks(workflowId, new Set())
            },
          },
        })
@@ -1942,14 +2007,20 @@ export function useWorkflowExecution() {
          logger.error('Run-from-block failed:', error)
        }
      } finally {
        const currentId = getCurrentExecutionId(workflowId)
        if (currentId === null || currentId === executionIdRef.current) {
          setCurrentExecutionId(workflowId, null)
          setIsExecuting(workflowId, false)
          setActiveBlocks(workflowId, new Set())
        }
      }
    },
    [
      getLastExecutionSnapshot,
      setLastExecutionSnapshot,
      clearLastExecutionSnapshot,
      getCurrentExecutionId,
      setCurrentExecutionId,
      setIsExecuting,
      setActiveBlocks,
      setBlockRunStatus,
@@ -1979,29 +2050,213 @@ export function useWorkflowExecution() {
      const executionId = uuidv4()
      try {
-        const result = await executeWorkflow(
+        await executeWorkflow(undefined, undefined, executionId, undefined, 'manual', blockId)
          undefined,
          undefined,
          executionId,
          undefined,
          'manual',
          blockId
        )
        if (result && 'success' in result) {
          setExecutionResult(result)
        }
      } catch (error) {
        const errorResult = handleExecutionError(error, { executionId })
        return errorResult
      } finally {
        setCurrentExecutionId(workflowId, null)
        setIsExecuting(workflowId, false)
        setIsDebugging(workflowId, false)
        setActiveBlocks(workflowId, new Set())
      }
    },
-    [activeWorkflowId, setExecutionResult, setIsExecuting, setIsDebugging, setActiveBlocks]
+    [
      activeWorkflowId,
      setCurrentExecutionId,
      setExecutionResult,
      setIsExecuting,
      setIsDebugging,
      setActiveBlocks,
    ]
  )
  useEffect(() => {
    if (!activeWorkflowId || !hasHydrated) return
    const entries = useTerminalConsoleStore.getState().entries
    const runningEntries = entries.filter(
      (e) => e.isRunning && e.workflowId === activeWorkflowId && e.executionId
    )
    if (runningEntries.length === 0) return
    if (activeReconnections.has(activeWorkflowId)) return
    activeReconnections.add(activeWorkflowId)
    executionStream.cancel(activeWorkflowId)
    const sorted = [...runningEntries].sort((a, b) => {
      const aTime = a.startedAt ? new Date(a.startedAt).getTime() : 0
      const bTime = b.startedAt ? new Date(b.startedAt).getTime() : 0
      return bTime - aTime
    })
    const executionId = sorted[0].executionId!
    const otherExecutionIds = new Set(
      sorted.filter((e) => e.executionId !== executionId).map((e) => e.executionId!)
    )
    if (otherExecutionIds.size > 0) {
      cancelRunningEntries(activeWorkflowId)
    }
    setCurrentExecutionId(activeWorkflowId, executionId)
    setIsExecuting(activeWorkflowId, true)
    const workflowEdges = useWorkflowStore.getState().edges
    const activeBlocksSet = new Set<string>()
    const accumulatedBlockLogs: BlockLog[] = []
    const accumulatedBlockStates = new Map<string, BlockState>()
    const executedBlockIds = new Set<string>()
    const executionIdRef = { current: executionId }
    const handlers = buildBlockEventHandlers({
      workflowId: activeWorkflowId,
      executionIdRef,
      workflowEdges,
      activeBlocksSet,
      accumulatedBlockLogs,
      accumulatedBlockStates,
      executedBlockIds,
      consoleMode: 'update',
      includeStartConsoleEntry: true,
    })
    const originalEntries = entries
      .filter((e) => e.executionId === executionId)
      .map((e) => ({ ...e }))
    let cleared = false
    let reconnectionComplete = false
    let cleanupRan = false
    const clearOnce = () => {
      if (!cleared) {
        cleared = true
        clearExecutionEntries(executionId)
      }
    }
    const reconnectWorkflowId = activeWorkflowId
    executionStream
      .reconnect({
        workflowId: reconnectWorkflowId,
        executionId,
        callbacks: {
          onBlockStarted: (data) => {
            clearOnce()
            handlers.onBlockStarted(data)
          },
          onBlockCompleted: (data) => {
            clearOnce()
            handlers.onBlockCompleted(data)
          },
          onBlockError: (data) => {
            clearOnce()
            handlers.onBlockError(data)
          },
          onExecutionCompleted: () => {
            const currentId = useExecutionStore
              .getState()
              .getCurrentExecutionId(reconnectWorkflowId)
            if (currentId !== executionId) {
              reconnectionComplete = true
              activeReconnections.delete(reconnectWorkflowId)
              return
            }
            clearOnce()
            reconnectionComplete = true
            activeReconnections.delete(reconnectWorkflowId)
            setCurrentExecutionId(reconnectWorkflowId, null)
            setIsExecuting(reconnectWorkflowId, false)
            setActiveBlocks(reconnectWorkflowId, new Set())
          },
          onExecutionError: (data) => {
            const currentId = useExecutionStore
              .getState()
              .getCurrentExecutionId(reconnectWorkflowId)
            if (currentId !== executionId) {
              reconnectionComplete = true
              activeReconnections.delete(reconnectWorkflowId)
              return
            }
            clearOnce()
            reconnectionComplete = true
            activeReconnections.delete(reconnectWorkflowId)
            setCurrentExecutionId(reconnectWorkflowId, null)
            setIsExecuting(reconnectWorkflowId, false)
            setActiveBlocks(reconnectWorkflowId, new Set())
            handleExecutionErrorConsole({
              workflowId: reconnectWorkflowId,
              executionId,
              error: data.error,
              blockLogs: accumulatedBlockLogs,
            })
          },
          onExecutionCancelled: () => {
            const currentId = useExecutionStore
              .getState()
              .getCurrentExecutionId(reconnectWorkflowId)
            if (currentId !== executionId) {
              reconnectionComplete = true
              activeReconnections.delete(reconnectWorkflowId)
              return
            }
            clearOnce()
            reconnectionComplete = true
            activeReconnections.delete(reconnectWorkflowId)
            setCurrentExecutionId(reconnectWorkflowId, null)
            setIsExecuting(reconnectWorkflowId, false)
            setActiveBlocks(reconnectWorkflowId, new Set())
            handleExecutionCancelledConsole({
              workflowId: reconnectWorkflowId,
              executionId,
            })
          },
        },
      })
      .catch((error) => {
        logger.warn('Execution reconnection failed', { executionId, error })
      })
      .finally(() => {
        if (reconnectionComplete || cleanupRan) return
        const currentId = useExecutionStore.getState().getCurrentExecutionId(reconnectWorkflowId)
        if (currentId !== executionId) return
        reconnectionComplete = true
        activeReconnections.delete(reconnectWorkflowId)
        clearExecutionEntries(executionId)
        for (const entry of originalEntries) {
          addConsole({
            workflowId: entry.workflowId,
            blockId: entry.blockId,
            blockName: entry.blockName,
            blockType: entry.blockType,
            executionId: entry.executionId,
            executionOrder: entry.executionOrder,
            isRunning: false,
            warning: 'Execution result unavailable — check the logs page',
          })
        }
        setCurrentExecutionId(reconnectWorkflowId, null)
        setIsExecuting(reconnectWorkflowId, false)
        setActiveBlocks(reconnectWorkflowId, new Set())
      })
    return () => {
      cleanupRan = true
      executionStream.cancel(reconnectWorkflowId)
      activeReconnections.delete(reconnectWorkflowId)
      if (cleared && !reconnectionComplete) {
        clearExecutionEntries(executionId)
        for (const entry of originalEntries) {
          addConsole(entry)
        }
      }
    }
    // eslint-disable-next-line react-hooks/exhaustive-deps
  }, [activeWorkflowId, hasHydrated])
  return {
    isExecuting,
    isDebugging,
--- a/apps/sim/app/workspace/[workspaceId]/w/[workflowId]/workflow.tsx
+++ b/apps/sim/app/workspace/[workspaceId]/w/[workflowId]/workflow.tsx
@@ -255,6 +255,69 @@ const WorkflowContent = React.memo(() => {
  const addNotification = useNotificationStore((state) => state.addNotification)
  useEffect(() => {
    const OAUTH_CONNECT_PENDING_KEY = 'sim.oauth-connect-pending'
    const pending = window.sessionStorage.getItem(OAUTH_CONNECT_PENDING_KEY)
    if (!pending) return
    window.sessionStorage.removeItem(OAUTH_CONNECT_PENDING_KEY)
    ;(async () => {
      try {
        const {
          displayName,
          providerId,
          preCount,
          workspaceId: wsId,
          reconnect,
        } = JSON.parse(pending) as {
          displayName: string
          providerId: string
          preCount: number
          workspaceId: string
          reconnect?: boolean
        }
        if (reconnect) {
          addNotification({
            level: 'info',
            message: `"${displayName}" reconnected successfully.`,
          })
          window.dispatchEvent(
            new CustomEvent('oauth-credentials-updated', {
              detail: { providerId, workspaceId: wsId },
            })
          )
          return
        }
        const response = await fetch(
          `/api/credentials?workspaceId=${encodeURIComponent(wsId)}&type=oauth`
        )
        const data = response.ok ? await response.json() : { credentials: [] }
        const oauthCredentials = (data.credentials ?? []) as Array<{
          displayName: string
          providerId: string | null
        }>
        if (oauthCredentials.length > preCount) {
          addNotification({
            level: 'info',
            message: `"${displayName}" credential connected successfully.`,
          })
        } else {
          const existing = oauthCredentials.find((c) => c.providerId === providerId)
          const existingName = existing?.displayName || displayName
          addNotification({
            level: 'info',
            message: `This account is already connected as "${existingName}".`,
          })
        }
      } catch {
        // Ignore malformed sessionStorage data
      }
    })()
  }, [])
  const {
    workflows,
    activeWorkflowId,
--- a/apps/sim/app/workspace/[workspaceId]/w/components/preview/components/preview-editor/preview-editor.tsx
+++ b/apps/sim/app/workspace/[workspaceId]/w/components/preview/components/preview-editor/preview-editor.tsx
@@ -473,7 +473,7 @@ function ConnectionsSection({
          </div>
        )}
-        {/* Environment Variables */}
+        {/* Secrets */}
        {envVars.length > 0 && (
          <div className='mb-[2px] last:mb-0'>
            <div
@@ -489,7 +489,7 @@ function ConnectionsSection({
                  'text-[var(--text-secondary)] group-hover:text-[var(--text-primary)]'
                )}
              >
-                Environment Variables
+                Secrets
              </span>
              <ChevronDownIcon
                className={cn(
--- a/apps/sim/app/workspace/[workspaceId]/w/components/preview/components/preview-workflow/components/block/block.tsx
+++ b/apps/sim/app/workspace/[workspaceId]/w/components/preview/components/preview-workflow/components/block/block.tsx
@@ -72,31 +72,6 @@ function extractValue(entry: SubBlockValueEntry | unknown): unknown {
  return entry
 }
 /**
 * Parse subblock values that may be JSON strings or already-materialized arrays.
 */
 function parseStructuredArrayValue(value: unknown): Array<Record<string, unknown>> | null {
  if (Array.isArray(value)) {
    return value.filter(
      (item): item is Record<string, unknown> => typeof item === 'object' && item !== null
    )
  }
  if (typeof value !== 'string') {
    return null
  }
  try {
    const parsed = JSON.parse(value)
    if (!Array.isArray(parsed)) {
      return null
    }
    return parsed.filter(
      (item): item is Record<string, unknown> => typeof item === 'object' && item !== null
    )
  } catch {
    return null
  }
 }
 interface SubBlockRowProps {
  title: string
  value?: string
@@ -372,17 +347,26 @@ function WorkflowPreviewBlockInner({ data }: NodeProps<WorkflowPreviewBlockData>
    if (lightweight) return defaultRows
    const conditionsValue = rawValues.conditions
-    const parsed = parseStructuredArrayValue(conditionsValue)
+    const raw = typeof conditionsValue === 'string' ? conditionsValue : undefined
-    if (parsed && parsed.length > 0) {
+
-      return parsed.map((item, index) => {
+    try {
      if (raw) {
        const parsed = JSON.parse(raw) as unknown
        if (Array.isArray(parsed)) {
          return parsed.map((item: unknown, index: number) => {
            const conditionItem = item as { id?: string; value?: unknown }
            const title = index === 0 ? 'if' : index === parsed.length - 1 ? 'else' : 'else if'
            return {
-          id: typeof item.id === 'string' ? item.id : `cond-${index}`,
+              id: conditionItem?.id ?? `cond-${index}`,
              title,
-          value: typeof item.value === 'string' ? item.value : '',
+              value: typeof conditionItem?.value === 'string' ? conditionItem.value : '',
            }
          })
        }
      }
    } catch {
      /* empty */
    }
    return defaultRows
  }, [type, rawValues, lightweight])
@@ -400,12 +384,23 @@ function WorkflowPreviewBlockInner({ data }: NodeProps<WorkflowPreviewBlockData>
    if (lightweight) return defaultRows
    const routesValue = rawValues.routes
-    const parsed = parseStructuredArrayValue(routesValue)
+    const raw = typeof routesValue === 'string' ? routesValue : undefined
-    if (parsed && parsed.length > 0) {
+
-      return parsed.map((item, index) => ({
+    try {
-        id: typeof item.id === 'string' ? item.id : `route${index + 1}`,
+      if (raw) {
-        value: typeof item.value === 'string' ? item.value : '',
+        const parsed = JSON.parse(raw) as unknown
-      }))
+        if (Array.isArray(parsed)) {
          return parsed.map((item: unknown, index: number) => {
            const routeItem = item as { id?: string; value?: string }
            return {
              id: routeItem?.id ?? `route${index + 1}`,
              value: routeItem?.value ?? '',
            }
          })
        }
      }
    } catch {
      /* empty */
    }
    return defaultRows
--- a/apps/sim/app/workspace/[workspaceId]/w/components/sidebar/components/settings-modal/components/api-keys/api-keys.tsx
+++ b/apps/sim/app/workspace/[workspaceId]/w/components/sidebar/components/settings-modal/components/api-keys/api-keys.tsx
@@ -31,10 +31,9 @@ const logger = createLogger('ApiKeys')
 interface ApiKeysProps {
  onOpenChange?: (open: boolean) => void
  registerCloseHandler?: (handler: (open: boolean) => void) => void
 }
-export function ApiKeys({ onOpenChange, registerCloseHandler }: ApiKeysProps) {
+export function ApiKeys({ onOpenChange }: ApiKeysProps) {
  const { data: session } = useSession()
  const userId = session?.user?.id
  const params = useParams()
@@ -118,12 +117,6 @@ export function ApiKeys({ onOpenChange, registerCloseHandler }: ApiKeysProps) {
    onOpenChange?.(open)
  }
  useEffect(() => {
    if (registerCloseHandler) {
      registerCloseHandler(handleModalClose)
    }
  }, [registerCloseHandler])
  useEffect(() => {
    if (shouldScrollToBottom && scrollContainerRef.current) {
      scrollContainerRef.current.scrollTo({
--- a/apps/sim/app/workspace/[workspaceId]/w/components/sidebar/components/settings-modal/components/credentials/credentials-manager.tsx
+++ b/apps/sim/app/workspace/[workspaceId]/w/components/sidebar/components/settings-modal/components/credentials/credentials-manager.tsx
--- a/apps/sim/app/workspace/[workspaceId]/w/components/sidebar/components/settings-modal/components/credentials/credentials.tsx
+++ b/apps/sim/app/workspace/[workspaceId]/w/components/sidebar/components/settings-modal/components/credentials/credentials.tsx
@@ -0,0 +1,15 @@
 'use client'
 import { CredentialsManager } from '@/app/workspace/[workspaceId]/w/components/sidebar/components/settings-modal/components/credentials/credentials-manager'
 interface CredentialsProps {
  onOpenChange?: (open: boolean) => void
 }
 export function Credentials(_props: CredentialsProps) {
  return (
    <div className='h-full min-h-0'>
      <CredentialsManager />
    </div>
  )
 }
--- a/apps/sim/app/workspace/[workspaceId]/w/components/sidebar/components/settings-modal/components/environment/environment.tsx
+++ b/apps/sim/app/workspace/[workspaceId]/w/components/sidebar/components/settings-modal/components/environment/environment.tsx
@@ -1,864 +0,0 @@
 'use client'
 import { useCallback, useEffect, useMemo, useRef, useState } from 'react'
 import { createLogger } from '@sim/logger'
 import { Plus, Search, Share2, Undo2 } from 'lucide-react'
 import { useParams } from 'next/navigation'
 import {
  Button,
  Input as EmcnInput,
  Modal,
  ModalBody,
  ModalContent,
  ModalFooter,
  ModalHeader,
  Tooltip,
 } from '@/components/emcn'
 import { Trash } from '@/components/emcn/icons/trash'
 import { Input, Skeleton } from '@/components/ui'
 import { isValidEnvVarName } from '@/executor/constants'
 import {
  usePersonalEnvironment,
  useRemoveWorkspaceEnvironment,
  useSavePersonalEnvironment,
  useUpsertWorkspaceEnvironment,
  useWorkspaceEnvironment,
  type WorkspaceEnvironmentData,
 } from '@/hooks/queries/environment'
 const logger = createLogger('EnvironmentVariables')
 const GRID_COLS = 'grid grid-cols-[minmax(0,1fr)_8px_minmax(0,1fr)_auto] items-center'
 const generateRowId = (() => {
  let counter = 0
  return () => {
    counter += 1
    return Date.now() + counter
  }
 })()
 const createEmptyEnvVar = (): UIEnvironmentVariable => ({
  key: '',
  value: '',
  id: generateRowId(),
 })
 interface UIEnvironmentVariable {
  key: string
  value: string
  id?: number
 }
 /**
 * Validates an environment variable key.
 * Returns an error message if invalid, undefined if valid.
 */
 function validateEnvVarKey(key: string): string | undefined {
  if (!key) return undefined
  if (key.includes(' ')) return 'Spaces are not allowed'
  if (!isValidEnvVarName(key)) return 'Only letters, numbers, and underscores allowed'
  return undefined
 }
 interface EnvironmentVariablesProps {
  registerBeforeLeaveHandler?: (handler: (onProceed: () => void) => void) => void
 }
 interface WorkspaceVariableRowProps {
  envKey: string
  value: string
  renamingKey: string | null
  pendingKeyValue: string
  isNewlyPromoted: boolean
  onRenameStart: (key: string) => void
  onPendingKeyChange: (value: string) => void
  onRenameEnd: (key: string, value: string) => void
  onDelete: (key: string) => void
  onDemote: (key: string, value: string) => void
 }
 function WorkspaceVariableRow({
  envKey,
  value,
  renamingKey,
  pendingKeyValue,
  isNewlyPromoted,
  onRenameStart,
  onPendingKeyChange,
  onRenameEnd,
  onDelete,
  onDemote,
 }: WorkspaceVariableRowProps) {
  return (
    <div className={GRID_COLS}>
      <EmcnInput
        value={renamingKey === envKey ? pendingKeyValue : envKey}
        onChange={(e) => {
          if (renamingKey !== envKey) onRenameStart(envKey)
          onPendingKeyChange(e.target.value)
        }}
        onBlur={() => onRenameEnd(envKey, value)}
        name={`workspace_env_key_${envKey}_${Math.random()}`}
        autoComplete='off'
        autoCapitalize='off'
        spellCheck='false'
        readOnly
        onFocus={(e) => e.target.removeAttribute('readOnly')}
        className='h-9'
      />
      <div />
      <EmcnInput
        value={value ? '•'.repeat(value.length) : ''}
        readOnly
        autoComplete='off'
        autoCorrect='off'
        autoCapitalize='off'
        spellCheck='false'
        className='h-9'
      />
      <div className='ml-[8px] flex'>
        {isNewlyPromoted && (
          <Tooltip.Root>
            <Tooltip.Trigger asChild>
              <Button variant='ghost' onClick={() => onDemote(envKey, value)} className='h-9 w-9'>
                <Undo2 className='h-3.5 w-3.5' />
              </Button>
            </Tooltip.Trigger>
            <Tooltip.Content>Change to personal scope</Tooltip.Content>
          </Tooltip.Root>
        )}
        <Tooltip.Root>
          <Tooltip.Trigger asChild>
            <Button variant='ghost' onClick={() => onDelete(envKey)} className='h-9 w-9'>
              <Trash />
            </Button>
          </Tooltip.Trigger>
          <Tooltip.Content>Delete environment variable</Tooltip.Content>
        </Tooltip.Root>
      </div>
    </div>
  )
 }
 export function EnvironmentVariables({ registerBeforeLeaveHandler }: EnvironmentVariablesProps) {
  const params = useParams()
  const workspaceId = (params?.workspaceId as string) || ''
  const { data: personalEnvData, isLoading: isPersonalLoading } = usePersonalEnvironment()
  const { data: workspaceEnvData, isLoading: isWorkspaceLoading } = useWorkspaceEnvironment(
    workspaceId,
    {
      select: useCallback(
        (data: WorkspaceEnvironmentData): WorkspaceEnvironmentData => ({
          workspace: data.workspace || {},
          personal: data.personal || {},
          conflicts: data.conflicts || [],
        }),
        []
      ),
    }
  )
  const savePersonalMutation = useSavePersonalEnvironment()
  const upsertWorkspaceMutation = useUpsertWorkspaceEnvironment()
  const removeWorkspaceMutation = useRemoveWorkspaceEnvironment()
  const isLoading = isPersonalLoading || isWorkspaceLoading
  const variables = useMemo(() => personalEnvData || {}, [personalEnvData])
  const [envVars, setEnvVars] = useState<UIEnvironmentVariable[]>([])
  const [searchTerm, setSearchTerm] = useState('')
  const [focusedValueIndex, setFocusedValueIndex] = useState<number | null>(null)
  const [showUnsavedChanges, setShowUnsavedChanges] = useState(false)
  const [shouldScrollToBottom, setShouldScrollToBottom] = useState(false)
  const [workspaceVars, setWorkspaceVars] = useState<Record<string, string>>({})
  const [conflicts, setConflicts] = useState<string[]>([])
  const [renamingKey, setRenamingKey] = useState<string | null>(null)
  const [pendingKeyValue, setPendingKeyValue] = useState<string>('')
  const [changeToken, setChangeToken] = useState(0)
  const initialWorkspaceVarsRef = useRef<Record<string, string>>({})
  const scrollContainerRef = useRef<HTMLDivElement>(null)
  const pendingProceedCallback = useRef<(() => void) | null>(null)
  const initialVarsRef = useRef<UIEnvironmentVariable[]>([])
  const hasChangesRef = useRef(false)
  const hasSavedRef = useRef(false)
  const filteredEnvVars = useMemo(() => {
    const mapped = envVars.map((envVar, index) => ({ envVar, originalIndex: index }))
    if (!searchTerm.trim()) return mapped
    const term = searchTerm.toLowerCase()
    return mapped.filter(({ envVar }) => envVar.key.toLowerCase().includes(term))
  }, [envVars, searchTerm])
  const filteredWorkspaceEntries = useMemo(() => {
    const entries = Object.entries(workspaceVars)
    if (!searchTerm.trim()) return entries
    const term = searchTerm.toLowerCase()
    return entries.filter(([key]) => key.toLowerCase().includes(term))
  }, [workspaceVars, searchTerm])
  const hasChanges = useMemo(() => {
    const initialVars = initialVarsRef.current.filter((v) => v.key || v.value)
    const currentVars = envVars.filter((v) => v.key || v.value)
    const initialMap = new Map(initialVars.map((v) => [v.key, v.value]))
    const currentMap = new Map(currentVars.map((v) => [v.key, v.value]))
    if (initialMap.size !== currentMap.size) return true
    for (const [key, value] of currentMap) {
      if (initialMap.get(key) !== value) return true
    }
    for (const key of initialMap.keys()) {
      if (!currentMap.has(key)) return true
    }
    const before = initialWorkspaceVarsRef.current
    const after = workspaceVars
    const allKeys = new Set([...Object.keys(before), ...Object.keys(after)])
    if (Object.keys(before).length !== Object.keys(after).length) return true
    for (const key of allKeys) {
      if (before[key] !== after[key]) return true
    }
    return false
  }, [envVars, workspaceVars, changeToken])
  const hasConflicts = useMemo(() => {
    return envVars.some((envVar) => !!envVar.key && Object.hasOwn(workspaceVars, envVar.key))
  }, [envVars, workspaceVars])
  const hasInvalidKeys = useMemo(() => {
    return envVars.some((envVar) => !!envVar.key && validateEnvVarKey(envVar.key))
  }, [envVars])
  useEffect(() => {
    hasChangesRef.current = hasChanges
  }, [hasChanges])
  const handleBeforeLeave = useCallback((onProceed: () => void) => {
    if (hasChangesRef.current) {
      setShowUnsavedChanges(true)
      pendingProceedCallback.current = onProceed
    } else {
      onProceed()
    }
  }, [])
  useEffect(() => {
    if (hasSavedRef.current) return
    const existingVars = Object.values(variables)
    const initialVars = existingVars.length
      ? existingVars.map((envVar) => ({
          ...envVar,
          id: generateRowId(),
        }))
      : [createEmptyEnvVar()]
    initialVarsRef.current = JSON.parse(JSON.stringify(initialVars))
    setEnvVars(JSON.parse(JSON.stringify(initialVars)))
    pendingProceedCallback.current = null
  }, [variables])
  useEffect(() => {
    if (workspaceEnvData) {
      if (hasSavedRef.current) {
        setConflicts(workspaceEnvData?.conflicts || [])
        hasSavedRef.current = false
      } else {
        setWorkspaceVars(workspaceEnvData?.workspace || {})
        initialWorkspaceVarsRef.current = workspaceEnvData?.workspace || {}
        setConflicts(workspaceEnvData?.conflicts || [])
      }
    }
  }, [workspaceEnvData])
  useEffect(() => {
    if (registerBeforeLeaveHandler) {
      registerBeforeLeaveHandler(handleBeforeLeave)
    }
  }, [registerBeforeLeaveHandler, handleBeforeLeave])
  useEffect(() => {
    if (shouldScrollToBottom && scrollContainerRef.current) {
      scrollContainerRef.current.scrollTo({
        top: scrollContainerRef.current.scrollHeight,
        behavior: 'smooth',
      })
      setShouldScrollToBottom(false)
    }
  }, [shouldScrollToBottom])
  useEffect(() => {
    const personalKeys = envVars.map((envVar) => envVar.key.trim()).filter((key) => key.length > 0)
    const uniquePersonalKeys = Array.from(new Set(personalKeys))
    const computedConflicts = uniquePersonalKeys.filter((key) => Object.hasOwn(workspaceVars, key))
    setConflicts((prev) => {
      if (prev.length === computedConflicts.length) {
        const sameKeys = prev.every((key) => computedConflicts.includes(key))
        if (sameKeys) return prev
      }
      return computedConflicts
    })
  }, [envVars, workspaceVars])
  const handleWorkspaceKeyRename = useCallback(
    (currentKey: string, currentValue: string) => {
      const newKey = pendingKeyValue.trim()
      if (!renamingKey || renamingKey !== currentKey) return
      setRenamingKey(null)
      if (!newKey || newKey === currentKey) return
      setWorkspaceVars((prev) => {
        const next = { ...prev }
        delete next[currentKey]
        next[newKey] = currentValue
        return next
      })
    },
    [pendingKeyValue, renamingKey]
  )
  const handleDeleteWorkspaceVar = useCallback((key: string) => {
    setWorkspaceVars((prev) => {
      const next = { ...prev }
      delete next[key]
      return next
    })
  }, [])
  const addEnvVar = useCallback(() => {
    setEnvVars((prev) => [...prev, createEmptyEnvVar()])
    setSearchTerm('')
    setShouldScrollToBottom(true)
  }, [])
  const updateEnvVar = useCallback((index: number, field: 'key' | 'value', value: string) => {
    setEnvVars((prev) => {
      const newEnvVars = [...prev]
      newEnvVars[index][field] = value
      return newEnvVars
    })
  }, [])
  const removeEnvVar = useCallback((index: number) => {
    setEnvVars((prev) => {
      const newEnvVars = prev.filter((_, i) => i !== index)
      return newEnvVars.length ? newEnvVars : [createEmptyEnvVar()]
    })
  }, [])
  const handleValueFocus = useCallback((index: number, e: React.FocusEvent<HTMLInputElement>) => {
    setFocusedValueIndex(index)
    e.target.scrollLeft = 0
  }, [])
  const handleValueClick = useCallback((e: React.MouseEvent<HTMLInputElement>) => {
    e.preventDefault()
    e.currentTarget.scrollLeft = 0
  }, [])
  const parseEnvVarLine = useCallback((line: string): UIEnvironmentVariable | null => {
    const trimmed = line.trim()
    if (!trimmed || trimmed.startsWith('#')) return null
    const withoutExport = trimmed.replace(/^export\s+/, '')
    const equalIndex = withoutExport.indexOf('=')
    if (equalIndex === -1 || equalIndex === 0) return null
    const potentialKey = withoutExport.substring(0, equalIndex).trim()
    if (!isValidEnvVarName(potentialKey)) return null
    let value = withoutExport.substring(equalIndex + 1)
    const looksLikeBase64Key = /^[A-Za-z0-9+/]+$/.test(potentialKey) && !potentialKey.includes('_')
    const valueIsJustPadding = /^=+$/.test(value.trim())
    if (looksLikeBase64Key && valueIsJustPadding && potentialKey.length > 20) {
      return null
    }
    const trimmedValue = value.trim()
    if (
      !trimmedValue.startsWith('"') &&
      !trimmedValue.startsWith("'") &&
      !trimmedValue.startsWith('`')
    ) {
      const commentIndex = value.search(/\s#/)
      if (commentIndex !== -1) {
        value = value.substring(0, commentIndex)
      }
    }
    value = value.trim()
    if (
      (value.startsWith('"') && value.endsWith('"')) ||
      (value.startsWith("'") && value.endsWith("'")) ||
      (value.startsWith('`') && value.endsWith('`'))
    ) {
      value = value.slice(1, -1)
    }
    return { key: potentialKey, value, id: generateRowId() }
  }, [])
  const handleSingleValuePaste = useCallback(
    (text: string, index: number, inputType: 'key' | 'value') => {
      setEnvVars((prev) => {
        const newEnvVars = [...prev]
        newEnvVars[index][inputType] = text
        return newEnvVars
      })
    },
    []
  )
  const handleKeyValuePaste = useCallback(
    (lines: string[]) => {
      const parsedVars = lines
        .map(parseEnvVarLine)
        .filter((parsed): parsed is UIEnvironmentVariable => parsed !== null)
        .filter(({ key, value }) => key && value)
      if (parsedVars.length > 0) {
        setEnvVars((prev) => {
          const existingVars = prev.filter((v) => v.key || v.value)
          return [...existingVars, ...parsedVars]
        })
        setShouldScrollToBottom(true)
      }
    },
    [parseEnvVarLine]
  )
  const handlePaste = useCallback(
    (e: React.ClipboardEvent<HTMLInputElement>, index: number) => {
      const text = e.clipboardData.getData('text').trim()
      if (!text) return
      const lines = text.split('\n').filter((line) => line.trim())
      if (lines.length === 0) return
      e.preventDefault()
      const inputType = (e.target as HTMLInputElement).getAttribute('data-input-type') as
        | 'key'
        | 'value'
      if (inputType) {
        const hasValidEnvVarPattern = lines.some((line) => parseEnvVarLine(line) !== null)
        if (!hasValidEnvVarPattern) {
          handleSingleValuePaste(text, index, inputType)
          return
        }
      }
      handleKeyValuePaste(lines)
    },
    [parseEnvVarLine, handleSingleValuePaste, handleKeyValuePaste]
  )
  const handleCancel = useCallback(() => {
    setEnvVars(JSON.parse(JSON.stringify(initialVarsRef.current)))
    setWorkspaceVars({ ...initialWorkspaceVarsRef.current })
    setShowUnsavedChanges(false)
    pendingProceedCallback.current?.()
    pendingProceedCallback.current = null
  }, [])
  const handleSave = useCallback(async () => {
    const onProceed = pendingProceedCallback.current
    const prevInitialVars = [...initialVarsRef.current]
    const prevInitialWorkspaceVars = { ...initialWorkspaceVarsRef.current }
    try {
      setShowUnsavedChanges(false)
      hasSavedRef.current = true
      initialWorkspaceVarsRef.current = { ...workspaceVars }
      initialVarsRef.current = JSON.parse(JSON.stringify(envVars.filter((v) => v.key && v.value)))
      setChangeToken((prev) => prev + 1)
      const validVariables = envVars
        .filter((v) => v.key && v.value)
        .reduce<Record<string, string>>((acc, { key, value }) => ({ ...acc, [key]: value }), {})
      await savePersonalMutation.mutateAsync({ variables: validVariables })
      const before = prevInitialWorkspaceVars
      const after = workspaceVars
      const toUpsert: Record<string, string> = {}
      const toDelete: string[] = []
      for (const [k, v] of Object.entries(after)) {
        if (!(k in before) || before[k] !== v) {
          toUpsert[k] = v
        }
      }
      for (const k of Object.keys(before)) {
        if (!(k in after)) toDelete.push(k)
      }
      if (workspaceId) {
        if (Object.keys(toUpsert).length) {
          await upsertWorkspaceMutation.mutateAsync({ workspaceId, variables: toUpsert })
        }
        if (toDelete.length) {
          await removeWorkspaceMutation.mutateAsync({ workspaceId, keys: toDelete })
        }
      }
      onProceed?.()
      pendingProceedCallback.current = null
    } catch (error) {
      hasSavedRef.current = false
      initialVarsRef.current = prevInitialVars
      initialWorkspaceVarsRef.current = prevInitialWorkspaceVars
      logger.error('Failed to save environment variables:', error)
    }
  }, [
    envVars,
    workspaceVars,
    workspaceId,
    savePersonalMutation,
    upsertWorkspaceMutation,
    removeWorkspaceMutation,
  ])
  const promoteToWorkspace = useCallback(
    (envVar: UIEnvironmentVariable) => {
      if (!envVar.key || !envVar.value || !workspaceId) return
      setWorkspaceVars((prev) => ({ ...prev, [envVar.key]: envVar.value }))
      setEnvVars((prev) => {
        const filtered = prev.filter((entry) => entry !== envVar)
        return filtered.length ? filtered : [createEmptyEnvVar()]
      })
    },
    [workspaceId]
  )
  const demoteToPersonal = useCallback((key: string, value: string) => {
    if (!key) return
    setWorkspaceVars((prev) => {
      const next = { ...prev }
      delete next[key]
      return next
    })
    setEnvVars((prev) => [...prev, { key, value, id: generateRowId() }])
  }, [])
  const conflictClassName = 'border-[var(--text-error)] bg-[#F6D2D2] dark:bg-[#442929]'
  const renderEnvVarRow = useCallback(
    (envVar: UIEnvironmentVariable, originalIndex: number) => {
      const isConflict = !!envVar.key && Object.hasOwn(workspaceVars, envVar.key)
      const keyError = validateEnvVarKey(envVar.key)
      const maskedValueStyle =
        focusedValueIndex !== originalIndex && !isConflict
          ? ({ WebkitTextSecurity: 'disc' } as React.CSSProperties)
          : undefined
      return (
        <>
          <div className={GRID_COLS}>
            <EmcnInput
              data-input-type='key'
              value={envVar.key}
              onChange={(e) => updateEnvVar(originalIndex, 'key', e.target.value)}
              onPaste={(e) => handlePaste(e, originalIndex)}
              placeholder='API_KEY'
              name={`env_variable_name_${envVar.id || originalIndex}_${Math.random()}`}
              autoComplete='off'
              autoCapitalize='off'
              spellCheck='false'
              readOnly
              onFocus={(e) => e.target.removeAttribute('readOnly')}
              className={`h-9 ${isConflict ? conflictClassName : ''} ${keyError ? 'border-[var(--text-error)]' : ''}`}
            />
            <div />
            <EmcnInput
              data-input-type='value'
              value={envVar.value}
              onChange={(e) => updateEnvVar(originalIndex, 'value', e.target.value)}
              type='text'
              onFocus={(e) => {
                if (!isConflict) {
                  e.target.removeAttribute('readOnly')
                  handleValueFocus(originalIndex, e)
                }
              }}
              onClick={handleValueClick}
              onBlur={() => setFocusedValueIndex(null)}
              onPaste={(e) => handlePaste(e, originalIndex)}
              placeholder={isConflict ? 'Workspace override active' : 'Enter value'}
              disabled={isConflict}
              aria-disabled={isConflict}
              name={`env_variable_value_${envVar.id || originalIndex}_${Math.random()}`}
              autoComplete='off'
              autoCapitalize='off'
              spellCheck='false'
              readOnly={isConflict}
              style={maskedValueStyle}
              className={`h-9 ${isConflict ? `cursor-not-allowed ${conflictClassName}` : ''}`}
            />
            <div className='ml-[8px] flex items-center'>
              <Tooltip.Root>
                <Tooltip.Trigger asChild>
                  <Button
                    variant='ghost'
                    disabled={!envVar.key || !envVar.value || isConflict || !workspaceId}
                    onClick={() => promoteToWorkspace(envVar)}
                    className='h-9 w-9'
                  >
                    <Share2 className='h-3.5 w-3.5' />
                  </Button>
                </Tooltip.Trigger>
                <Tooltip.Content>Change to workspace scope</Tooltip.Content>
              </Tooltip.Root>
              <Tooltip.Root>
                <Tooltip.Trigger asChild>
                  <Button
                    variant='ghost'
                    onClick={() => removeEnvVar(originalIndex)}
                    className='h-9 w-9'
                  >
                    <Trash />
                  </Button>
                </Tooltip.Trigger>
                <Tooltip.Content>Delete environment variable</Tooltip.Content>
              </Tooltip.Root>
            </div>
          </div>
          {keyError && (
            <div className='col-span-3 mt-[4px] text-[12px] text-[var(--text-error)] leading-tight'>
              {keyError}
            </div>
          )}
          {isConflict && !keyError && (
            <div className='col-span-3 mt-[4px] text-[12px] text-[var(--text-error)] leading-tight'>
              Workspace variable with the same name overrides this. Rename your personal key to use
              it.
            </div>
          )}
        </>
      )
    },
    [
      workspaceVars,
      workspaceId,
      focusedValueIndex,
      updateEnvVar,
      handlePaste,
      handleValueFocus,
      handleValueClick,
      promoteToWorkspace,
      removeEnvVar,
    ]
  )
  return (
    <>
      <div className='flex h-full flex-col gap-[16px]'>
        <div className='hidden'>
          <input
            type='text'
            name='fakeusernameremembered'
            autoComplete='username'
            tabIndex={-1}
            readOnly
          />
          <input
            type='password'
            name='fakepasswordremembered'
            autoComplete='current-password'
            tabIndex={-1}
            readOnly
          />
          <input
            type='email'
            name='fakeemailremembered'
            autoComplete='email'
            tabIndex={-1}
            readOnly
          />
        </div>
        <div className='flex items-center gap-[8px]'>
          <div className='flex flex-1 items-center gap-[8px] rounded-[8px] border border-[var(--border)] bg-transparent px-[8px] py-[5px] transition-colors duration-100 dark:bg-[var(--surface-4)] dark:hover:border-[var(--border-1)] dark:hover:bg-[var(--surface-5)]'>
            <Search
              className='h-[14px] w-[14px] flex-shrink-0 text-[var(--text-tertiary)]'
              strokeWidth={2}
            />
            <Input
              placeholder='Search variables...'
              value={searchTerm}
              onChange={(e) => setSearchTerm(e.target.value)}
              name='env_search_field'
              autoComplete='off'
              autoCapitalize='off'
              spellCheck='false'
              readOnly
              onFocus={(e) => e.target.removeAttribute('readOnly')}
              className='h-auto flex-1 border-0 bg-transparent p-0 font-base leading-none placeholder:text-[var(--text-tertiary)] focus-visible:ring-0 focus-visible:ring-offset-0'
            />
          </div>
          <Button onClick={addEnvVar} variant='tertiary' disabled={isLoading}>
            <Plus className='mr-[6px] h-[13px] w-[13px]' />
            Add
          </Button>
          <Tooltip.Root>
            <Tooltip.Trigger asChild>
              <Button
                onClick={handleSave}
                disabled={isLoading || !hasChanges || hasConflicts || hasInvalidKeys}
                variant='tertiary'
                className={`${hasConflicts || hasInvalidKeys ? 'cursor-not-allowed opacity-50' : ''}`}
              >
                Save
              </Button>
            </Tooltip.Trigger>
            {hasConflicts && <Tooltip.Content>Resolve all conflicts before saving</Tooltip.Content>}
            {hasInvalidKeys && !hasConflicts && (
              <Tooltip.Content>Fix invalid variable names before saving</Tooltip.Content>
            )}
          </Tooltip.Root>
        </div>
        <div ref={scrollContainerRef} className='min-h-0 flex-1 overflow-y-auto'>
          <div className='flex flex-col gap-[16px]'>
            {isLoading ? (
              <>
                <div className='flex flex-col gap-[8px]'>
                  <Skeleton className='h-5 w-[70px]' />
                  <div className='text-[13px] text-[var(--text-muted)]'>
                    <Skeleton className='h-5 w-[160px]' />
                  </div>
                </div>
                <div className='flex flex-col gap-[8px]'>
                  <Skeleton className='h-5 w-[55px]' />
                  {Array.from({ length: 2 }, (_, i) => (
                    <div key={`personal-${i}`} className={GRID_COLS}>
                      <Skeleton className='h-9 rounded-[6px]' />
                      <div />
                      <Skeleton className='h-9 rounded-[6px]' />
                      <div className='ml-[8px] flex items-center gap-0'>
                        <Skeleton className='h-9 w-9 rounded-[6px]' />
                        <Skeleton className='h-9 w-9 rounded-[6px]' />
                      </div>
                    </div>
                  ))}
                </div>
              </>
            ) : (
              <>
                {(!searchTerm.trim() || filteredWorkspaceEntries.length > 0) && (
                  <div className='flex flex-col gap-[8px]'>
                    <div className='font-medium text-[13px] text-[var(--text-secondary)]'>
                      Workspace
                    </div>
                    {!searchTerm.trim() && Object.keys(workspaceVars).length === 0 ? (
                      <div className='text-[13px] text-[var(--text-muted)]'>
                        No workspace variables yet
                      </div>
                    ) : (
                      (searchTerm.trim()
                        ? filteredWorkspaceEntries
                        : Object.entries(workspaceVars)
                      ).map(([key, value]) => (
                        <WorkspaceVariableRow
                          key={key}
                          envKey={key}
                          value={value}
                          renamingKey={renamingKey}
                          pendingKeyValue={pendingKeyValue}
                          isNewlyPromoted={!Object.hasOwn(initialWorkspaceVarsRef.current, key)}
                          onRenameStart={setRenamingKey}
                          onPendingKeyChange={setPendingKeyValue}
                          onRenameEnd={handleWorkspaceKeyRename}
                          onDelete={handleDeleteWorkspaceVar}
                          onDemote={demoteToPersonal}
                        />
                      ))
                    )}
                  </div>
                )}
                {(!searchTerm.trim() || filteredEnvVars.length > 0) && (
                  <div className='flex flex-col gap-[8px]'>
                    <div className='font-medium text-[13px] text-[var(--text-secondary)]'>
                      Personal
                    </div>
                    {filteredEnvVars.map(({ envVar, originalIndex }) => (
                      <div key={envVar.id || originalIndex}>
                        {renderEnvVarRow(envVar, originalIndex)}
                      </div>
                    ))}
                  </div>
                )}
                {searchTerm.trim() &&
                  filteredEnvVars.length === 0 &&
                  filteredWorkspaceEntries.length === 0 &&
                  (envVars.length > 0 || Object.keys(workspaceVars).length > 0) && (
                    <div className='py-[16px] text-center text-[13px] text-[var(--text-muted)]'>
                      No environment variables found matching "{searchTerm}"
                    </div>
                  )}
              </>
            )}
          </div>
        </div>
      </div>
      <Modal open={showUnsavedChanges} onOpenChange={setShowUnsavedChanges}>
        <ModalContent size='sm'>
          <ModalHeader>Unsaved Changes</ModalHeader>
          <ModalBody>
            <p className='text-[12px] text-[var(--text-secondary)]'>
              {hasConflicts || hasInvalidKeys
                ? `You have unsaved changes, but ${hasConflicts ? 'conflicts must be resolved' : 'invalid variable names must be fixed'} before saving. You can discard your changes to close the modal.`
                : 'You have unsaved changes. Do you want to save them before closing?'}
            </p>
          </ModalBody>
          <ModalFooter>
            <Button variant='destructive' onClick={handleCancel}>
              Discard Changes
            </Button>
            {hasConflicts || hasInvalidKeys ? (
              <Tooltip.Root>
                <Tooltip.Trigger asChild>
                  <Button
                    disabled={true}
                    variant='tertiary'
                    className='cursor-not-allowed opacity-50'
                  >
                    Save Changes
                  </Button>
                </Tooltip.Trigger>
                <Tooltip.Content>
                  {hasConflicts
                    ? 'Resolve all conflicts before saving'
                    : 'Fix invalid variable names before saving'}
                </Tooltip.Content>
              </Tooltip.Root>
            ) : (
              <Button onClick={handleSave} variant='tertiary'>
                Save Changes
              </Button>
            )}
          </ModalFooter>
        </ModalContent>
      </Modal>
    </>
  )
 }
--- a/apps/sim/app/workspace/[workspaceId]/w/components/sidebar/components/settings-modal/components/index.ts
+++ b/apps/sim/app/workspace/[workspaceId]/w/components/sidebar/components/settings-modal/components/index.ts
@@ -2,12 +2,11 @@ export { ApiKeys } from './api-keys/api-keys'
 export { BYOK } from './byok/byok'
 export { Copilot } from './copilot/copilot'
 export { CredentialSets } from './credential-sets/credential-sets'
 export { Credentials } from './credentials/credentials'
 export { CustomTools } from './custom-tools/custom-tools'
 export { Debug } from './debug/debug'
 export { EnvironmentVariables } from './environment/environment'
 export { Files as FileUploads } from './files/files'
 export { General } from './general/general'
 export { Integrations } from './integrations/integrations'
 export { MCP } from './mcp/mcp'
 export { Skills } from './skills/skills'
 export { Subscription } from './subscription/subscription'
--- a/apps/sim/app/workspace/[workspaceId]/w/components/sidebar/components/settings-modal/components/integrations/integrations.tsx
+++ b/apps/sim/app/workspace/[workspaceId]/w/components/sidebar/components/settings-modal/components/integrations/integrations.tsx
@@ -1,417 +0,0 @@
 'use client'
 import { createElement, useEffect, useRef, useState } from 'react'
 import { createLogger } from '@sim/logger'
 import { Check, ChevronDown, ExternalLink, Search } from 'lucide-react'
 import { useRouter, useSearchParams } from 'next/navigation'
 import {
  Button,
  Label,
  Modal,
  ModalBody,
  ModalContent,
  ModalFooter,
  ModalHeader,
 } from '@/components/emcn'
 import { Input, Skeleton } from '@/components/ui'
 import { cn } from '@/lib/core/utils/cn'
 import { OAUTH_PROVIDERS } from '@/lib/oauth'
 import {
  type ServiceInfo,
  useConnectOAuthService,
  useDisconnectOAuthService,
  useOAuthConnections,
 } from '@/hooks/queries/oauth-connections'
 import { usePermissionConfig } from '@/hooks/use-permission-config'
 const logger = createLogger('Integrations')
 /**
 * Static skeleton structure matching OAUTH_PROVIDERS layout
 * Each entry: [providerName, serviceCount]
 */
 const SKELETON_STRUCTURE: [string, number][] = [
  ['Google', 7],
  ['Microsoft', 6],
  ['GitHub', 1],
  ['X', 1],
  ['Confluence', 1],
  ['Jira', 1],
  ['Airtable', 1],
  ['Notion', 1],
  ['Linear', 1],
  ['Slack', 1],
  ['Reddit', 1],
  ['Wealthbox', 1],
  ['Webflow', 1],
  ['Trello', 1],
  ['Asana', 1],
  ['Pipedrive', 1],
  ['HubSpot', 1],
  ['Salesforce', 1],
 ]
 function IntegrationsSkeleton() {
  return (
    <div className='flex h-full flex-col gap-[16px]'>
      <div className='flex w-full items-center gap-[8px] rounded-[8px] border border-[var(--border)] bg-transparent px-[8px] py-[5px] transition-colors duration-100 dark:bg-[var(--surface-4)] dark:hover:border-[var(--border-1)] dark:hover:bg-[var(--surface-5)]'>
        <Search className='h-[14px] w-[14px] flex-shrink-0 text-[var(--text-tertiary)]' />
        <Input
          placeholder='Search integrations...'
          disabled
          className='h-auto flex-1 border-0 bg-transparent p-0 font-base leading-none placeholder:text-[var(--text-tertiary)] focus-visible:ring-0 focus-visible:ring-offset-0'
        />
      </div>
      <div className='min-h-0 flex-1 overflow-y-auto'>
        <div className='flex flex-col gap-[16px]'>
          {SKELETON_STRUCTURE.map(([providerName, serviceCount]) => (
            <div key={providerName} className='flex flex-col gap-[8px]'>
              <Skeleton className='h-[14px] w-[60px]' />
              {Array.from({ length: serviceCount }).map((_, index) => (
                <div key={index} className='flex items-center justify-between'>
                  <div className='flex items-center gap-[12px]'>
                    <Skeleton className='h-9 w-9 flex-shrink-0 rounded-[6px]' />
                    <div className='flex flex-col justify-center gap-[1px]'>
                      <Skeleton className='h-[14px] w-[100px]' />
                      <Skeleton className='h-[13px] w-[200px]' />
                    </div>
                  </div>
                  <Skeleton className='h-[32px] w-[72px] rounded-[6px]' />
                </div>
              ))}
            </div>
          ))}
        </div>
      </div>
    </div>
  )
 }
 interface IntegrationsProps {
  onOpenChange?: (open: boolean) => void
  registerCloseHandler?: (handler: (open: boolean) => void) => void
 }
 export function Integrations({ onOpenChange, registerCloseHandler }: IntegrationsProps) {
  const router = useRouter()
  const searchParams = useSearchParams()
  const pendingServiceRef = useRef<HTMLDivElement>(null)
  const { data: services = [], isPending } = useOAuthConnections()
  const connectService = useConnectOAuthService()
  const disconnectService = useDisconnectOAuthService()
  const { config: permissionConfig } = usePermissionConfig()
  const [searchTerm, setSearchTerm] = useState('')
  const [pendingService, setPendingService] = useState<string | null>(null)
  const [authSuccess, setAuthSuccess] = useState(false)
  const [showActionRequired, setShowActionRequired] = useState(false)
  const prevConnectedIdsRef = useRef<Set<string>>(new Set())
  const connectionAddedRef = useRef<boolean>(false)
  // Disconnect confirmation dialog state
  const [showDisconnectDialog, setShowDisconnectDialog] = useState(false)
  const [serviceToDisconnect, setServiceToDisconnect] = useState<{
    service: ServiceInfo
    accountId: string
  } | null>(null)
  // Check for OAuth callback - just show success message
  useEffect(() => {
    const code = searchParams.get('code')
    const state = searchParams.get('state')
    const error = searchParams.get('error')
    if (code && state) {
      logger.info('OAuth callback successful')
      setAuthSuccess(true)
      // Clear URL parameters without changing the page
      const url = new URL(window.location.href)
      url.searchParams.delete('code')
      url.searchParams.delete('state')
      router.replace(url.pathname + url.search)
    } else if (error) {
      logger.error('OAuth error:', { error })
    }
  }, [searchParams, router])
  // Track when a new connection is added compared to previous render
  useEffect(() => {
    try {
      const currentConnected = new Set<string>()
      services.forEach((svc) => {
        if (svc.isConnected) currentConnected.add(svc.id)
      })
      // Detect new connections by comparing to previous connected set
      for (const id of currentConnected) {
        if (!prevConnectedIdsRef.current.has(id)) {
          connectionAddedRef.current = true
          break
        }
      }
      prevConnectedIdsRef.current = currentConnected
    } catch {}
  }, [services])
  // On mount, register a close handler so the parent modal can delegate close events here
  useEffect(() => {
    if (!registerCloseHandler) return
    const handle = (open: boolean) => {
      if (open) return
      try {
        if (typeof window !== 'undefined') {
          window.dispatchEvent(
            new CustomEvent('oauth-integration-closed', {
              detail: { success: connectionAddedRef.current === true },
            })
          )
        }
      } catch {}
      onOpenChange?.(open)
    }
    registerCloseHandler(handle)
  }, [registerCloseHandler, onOpenChange])
  // Handle connect button click
  const handleConnect = async (service: ServiceInfo) => {
    try {
      logger.info('Connecting service:', {
        serviceId: service.id,
        providerId: service.providerId,
        scopes: service.scopes,
      })
      // better-auth will automatically redirect back to this URL after OAuth
      await connectService.mutateAsync({
        providerId: service.providerId,
        callbackURL: window.location.href,
      })
    } catch (error) {
      logger.error('OAuth connection error:', { error })
    }
  }
  /**
   * Opens the disconnect confirmation dialog for a service.
   */
  const handleDisconnect = (service: ServiceInfo, accountId: string) => {
    setServiceToDisconnect({ service, accountId })
    setShowDisconnectDialog(true)
  }
  /**
   * Confirms and executes the service disconnection.
   */
  const confirmDisconnect = async () => {
    if (!serviceToDisconnect) return
    setShowDisconnectDialog(false)
    const { service, accountId } = serviceToDisconnect
    setServiceToDisconnect(null)
    try {
      await disconnectService.mutateAsync({
        provider: service.providerId.split('-')[0],
        providerId: service.providerId,
        serviceId: service.id,
        accountId,
      })
    } catch (error) {
      logger.error('Error disconnecting service:', { error })
    }
  }
  // Group services by provider, filtering by permission config
  const groupedServices = services.reduce(
    (acc, service) => {
      // Filter based on allowedIntegrations
      if (
        permissionConfig.allowedIntegrations !== null &&
        !permissionConfig.allowedIntegrations.includes(service.id)
      ) {
        return acc
      }
      // Find the provider for this service
      const providerKey =
        Object.keys(OAUTH_PROVIDERS).find((key) =>
          Object.keys(OAUTH_PROVIDERS[key].services).includes(service.id)
        ) || 'other'
      if (!acc[providerKey]) {
        acc[providerKey] = []
      }
      acc[providerKey].push(service)
      return acc
    },
    {} as Record<string, ServiceInfo[]>
  )
  // Filter services based on search term
  const filteredGroupedServices = Object.entries(groupedServices).reduce(
    (acc, [providerKey, providerServices]) => {
      const filteredServices = providerServices.filter(
        (service) =>
          service.name.toLowerCase().includes(searchTerm.toLowerCase()) ||
          service.description.toLowerCase().includes(searchTerm.toLowerCase())
      )
      if (filteredServices.length > 0) {
        acc[providerKey] = filteredServices
      }
      return acc
    },
    {} as Record<string, ServiceInfo[]>
  )
  const scrollToHighlightedService = () => {
    if (pendingServiceRef.current) {
      pendingServiceRef.current.scrollIntoView({
        behavior: 'smooth',
        block: 'center',
      })
    }
  }
  if (isPending) {
    return <IntegrationsSkeleton />
  }
  return (
    <>
      <div className='flex h-full flex-col gap-[16px]'>
        <div className='flex w-full items-center gap-[8px] rounded-[8px] border border-[var(--border)] bg-transparent px-[8px] py-[5px] transition-colors duration-100 dark:bg-[var(--surface-4)] dark:hover:border-[var(--border-1)] dark:hover:bg-[var(--surface-5)]'>
          <Search className='h-[14px] w-[14px] flex-shrink-0 text-[var(--text-tertiary)]' />
          <Input
            placeholder='Search services...'
            value={searchTerm}
            onChange={(e) => setSearchTerm(e.target.value)}
            className='h-auto flex-1 border-0 bg-transparent p-0 font-base leading-none placeholder:text-[var(--text-tertiary)] focus-visible:ring-0 focus-visible:ring-offset-0'
          />
        </div>
        <div className='min-h-0 flex-1 overflow-y-auto'>
          <div className='flex flex-col gap-[16px]'>
            {authSuccess && (
              <div className='flex items-center gap-[12px] rounded-[8px] border border-green-200 bg-green-50 p-[12px]'>
                <Check className='h-4 w-4 flex-shrink-0 text-green-500' />
                <p className='font-medium text-[13px] text-green-800'>
                  Account connected successfully!
                </p>
              </div>
            )}
            {pendingService && showActionRequired && (
              <div className='flex items-start gap-[12px] rounded-[8px] border border-[var(--border)] bg-[var(--bg)] p-[12px]'>
                <ExternalLink className='mt-0.5 h-4 w-4 flex-shrink-0 text-[var(--text-muted)]' />
                <div className='flex flex-1 flex-col gap-[8px]'>
                  <p className='text-[13px] text-[var(--text-muted)]'>
                    <span className='font-medium text-[var(--text-primary)]'>Action Required:</span>{' '}
                    Please connect your account to enable the requested features.
                  </p>
                  <Button variant='outline' onClick={scrollToHighlightedService}>
                    <span>Go to service</span>
                    <ChevronDown className='h-3 w-3' />
                  </Button>
                </div>
              </div>
            )}
            <div className='flex flex-col gap-[16px]'>
              {Object.entries(filteredGroupedServices).map(([providerKey, providerServices]) => (
                <div key={providerKey} className='flex flex-col gap-[8px]'>
                  <Label className='text-[12px] text-[var(--text-tertiary)]'>
                    {OAUTH_PROVIDERS[providerKey]?.name || 'Other Services'}
                  </Label>
                  {providerServices.map((service) => (
                    <div
                      key={service.id}
                      className={cn(
                        'flex items-center justify-between',
                        pendingService === service.id &&
                          '-m-[8px] rounded-[8px] bg-[var(--bg)] p-[8px]'
                      )}
                      ref={pendingService === service.id ? pendingServiceRef : undefined}
                    >
                      <div className='flex items-center gap-[12px]'>
                        <div className='flex h-9 w-9 flex-shrink-0 items-center justify-center overflow-hidden rounded-[6px] bg-[var(--surface-5)]'>
                          {createElement(service.icon, { className: 'h-4 w-4' })}
                        </div>
                        <div className='flex flex-col justify-center gap-[1px]'>
                          <span className='font-medium text-[14px]'>{service.name}</span>
                          {service.accounts && service.accounts.length > 0 ? (
                            <p className='truncate text-[13px] text-[var(--text-muted)]'>
                              {service.accounts.map((a) => a.name).join(', ')}
                            </p>
                          ) : (
                            <p className='truncate text-[13px] text-[var(--text-muted)]'>
                              {service.description}
                            </p>
                          )}
                        </div>
                      </div>
                      {service.accounts && service.accounts.length > 0 ? (
                        <Button
                          variant='ghost'
                          onClick={() => handleDisconnect(service, service.accounts![0].id)}
                          disabled={disconnectService.isPending}
                        >
                          Disconnect
                        </Button>
                      ) : (
                        <Button
                          variant='tertiary'
                          onClick={() => handleConnect(service)}
                          disabled={connectService.isPending}
                        >
                          Connect
                        </Button>
                      )}
                    </div>
                  ))}
                </div>
              ))}
              {searchTerm.trim() && Object.keys(filteredGroupedServices).length === 0 && (
                <div className='py-[16px] text-center text-[13px] text-[var(--text-muted)]'>
                  No services found matching "{searchTerm}"
                </div>
              )}
            </div>
          </div>
        </div>
      </div>
      <Modal open={showDisconnectDialog} onOpenChange={setShowDisconnectDialog}>
        <ModalContent size='sm'>
          <ModalHeader>Disconnect Service</ModalHeader>
          <ModalBody>
            <p className='text-[12px] text-[var(--text-secondary)]'>
              Are you sure you want to disconnect{' '}
              <span className='font-medium text-[var(--text-primary)]'>
                {serviceToDisconnect?.service.name}
              </span>
              ?{' '}
              <span className='text-[var(--text-error)]'>
                This will revoke access and you will need to reconnect to use this service.
              </span>
            </p>
          </ModalBody>
          <ModalFooter>
            <Button variant='default' onClick={() => setShowDisconnectDialog(false)}>
              Cancel
            </Button>
            <Button variant='destructive' onClick={confirmDisconnect}>
              Disconnect
            </Button>
          </ModalFooter>
        </ModalContent>
      </Modal>
    </>
  )
 }
--- a/apps/sim/app/workspace/[workspaceId]/w/components/sidebar/components/settings-modal/components/subscription/components/index.ts
+++ b/apps/sim/app/workspace/[workspaceId]/w/components/sidebar/components/settings-modal/components/subscription/components/index.ts
@@ -1,3 +1,4 @@
 export { CancelSubscription } from './cancel-subscription'
 export { CreditBalance } from './credit-balance'
 export { PlanCard, type PlanCardProps, type PlanFeature } from './plan-card'
 export { ReferralCode } from './referral-code'
--- a/apps/sim/app/workspace/[workspaceId]/w/components/sidebar/components/settings-modal/components/subscription/components/referral-code/index.ts
+++ b/apps/sim/app/workspace/[workspaceId]/w/components/sidebar/components/settings-modal/components/subscription/components/referral-code/index.ts
@@ -0,0 +1 @@
 export { ReferralCode } from './referral-code'
--- a/apps/sim/app/workspace/[workspaceId]/w/components/sidebar/components/settings-modal/components/subscription/components/referral-code/referral-code.tsx
+++ b/apps/sim/app/workspace/[workspaceId]/w/components/sidebar/components/settings-modal/components/subscription/components/referral-code/referral-code.tsx
@@ -0,0 +1,103 @@
 'use client'
 import { useState } from 'react'
 import { createLogger } from '@sim/logger'
 import { Button, Input, Label } from '@/components/emcn'
 const logger = createLogger('ReferralCode')
 interface ReferralCodeProps {
  onRedeemComplete?: () => void
 }
 /**
 * Inline referral/promo code entry field with redeem button.
 * One-time use per account — shows success or "already redeemed" state.
 */
 export function ReferralCode({ onRedeemComplete }: ReferralCodeProps) {
  const [code, setCode] = useState('')
  const [isRedeeming, setIsRedeeming] = useState(false)
  const [error, setError] = useState<string | null>(null)
  const [success, setSuccess] = useState<{ bonusAmount: number } | null>(null)
  const handleRedeem = async () => {
    const trimmed = code.trim()
    if (!trimmed || isRedeeming) return
    setIsRedeeming(true)
    setError(null)
    try {
      const response = await fetch('/api/referral-code/redeem', {
        method: 'POST',
        headers: { 'Content-Type': 'application/json' },
        body: JSON.stringify({ code: trimmed }),
      })
      const data = await response.json()
      if (!response.ok) {
        throw new Error(data.error || 'Failed to redeem code')
      }
      if (data.redeemed) {
        setSuccess({ bonusAmount: data.bonusAmount })
        setCode('')
        onRedeemComplete?.()
      } else {
        setError(data.error || 'Code could not be redeemed')
      }
    } catch (err) {
      logger.error('Referral code redemption failed', { error: err })
      setError(err instanceof Error ? err.message : 'Failed to redeem code')
    } finally {
      setIsRedeeming(false)
    }
  }
  if (success) {
    return (
      <div className='flex items-center justify-between'>
        <Label>Referral Code</Label>
        <span className='text-[12px] text-[var(--text-secondary)]'>
          +${success.bonusAmount} credits applied
        </span>
      </div>
    )
  }
  return (
    <div className='flex flex-col'>
      <div className='flex items-center justify-between gap-[12px]'>
        <Label className='shrink-0'>Referral Code</Label>
        <div className='flex items-center gap-[8px]'>
          <Input
            type='text'
            value={code}
            onChange={(e) => {
              setCode(e.target.value)
              setError(null)
            }}
            onKeyDown={(e) => {
              if (e.key === 'Enter') handleRedeem()
            }}
            placeholder='Enter code'
            className='h-[32px] w-[140px] text-[12px]'
            disabled={isRedeeming}
          />
          <Button
            variant='active'
            className='h-[32px] shrink-0 rounded-[6px] text-[12px]'
            onClick={handleRedeem}
            disabled={isRedeeming || !code.trim()}
          >
            {isRedeeming ? 'Redeeming...' : 'Redeem'}
          </Button>
        </div>
      </div>
      <div className='mt-[4px] min-h-[18px] text-right'>
        {error && <span className='text-[11px] text-[var(--text-error)]'>{error}</span>}
      </div>
    </div>
  )
 }
--- a/apps/sim/app/workspace/[workspaceId]/w/components/sidebar/components/settings-modal/components/subscription/subscription.tsx
+++ b/apps/sim/app/workspace/[workspaceId]/w/components/sidebar/components/settings-modal/components/subscription/subscription.tsx
@@ -17,6 +17,7 @@ import {
  CancelSubscription,
  CreditBalance,
  PlanCard,
  ReferralCode,
 } from '@/app/workspace/[workspaceId]/w/components/sidebar/components/settings-modal/components/subscription/components'
 import {
  ENTERPRISE_PLAN_FEATURES,
@@ -549,6 +550,10 @@ export function Subscription() {
        />
      )}
      {!subscription.isEnterprise && (
        <ReferralCode onRedeemComplete={() => refetchSubscription()} />
      )}
      {/* Next Billing Date - hidden from team members */}
      {subscription.isPaid &&
        subscriptionData?.data?.periodEnd &&
--- a/apps/sim/app/workspace/[workspaceId]/w/components/sidebar/components/settings-modal/settings-modal.tsx
+++ b/apps/sim/app/workspace/[workspaceId]/w/components/sidebar/components/settings-modal/settings-modal.tsx
@@ -1,6 +1,6 @@
 'use client'
-import { useCallback, useEffect, useMemo, useRef, useState } from 'react'
+import { useCallback, useEffect, useMemo, useState } from 'react'
 import * as DialogPrimitive from '@radix-ui/react-dialog'
 import * as VisuallyHidden from '@radix-ui/react-visually-hidden'
 import { useQueryClient } from '@tanstack/react-query'
@@ -20,7 +20,6 @@ import {
 import {
  Card,
  Connections,
  FolderCode,
  HexSimple,
  Key,
  SModal,
@@ -45,12 +44,11 @@ import {
  BYOK,
  Copilot,
  CredentialSets,
  Credentials,
  CustomTools,
  Debug,
  EnvironmentVariables,
  FileUploads,
  General,
  Integrations,
  MCP,
  Skills,
  Subscription,
@@ -80,9 +78,8 @@ interface SettingsModalProps {
 type SettingsSection =
  | 'general'
-  | 'environment'
+  | 'credentials'
  | 'template-profile'
  | 'integrations'
  | 'credential-sets'
  | 'access-control'
  | 'apikeys'
@@ -156,11 +153,10 @@ const allNavigationItems: NavigationItem[] = [
    requiresHosted: true,
    requiresTeam: true,
  },
-  { id: 'integrations', label: 'Integrations', icon: Connections, section: 'tools' },
+  { id: 'credentials', label: 'Credentials', icon: Connections, section: 'tools' },
  { id: 'custom-tools', label: 'Custom Tools', icon: Wrench, section: 'tools' },
  { id: 'skills', label: 'Skills', icon: AgentSkillsIcon, section: 'tools' },
  { id: 'mcp', label: 'MCP Tools', icon: McpIcon, section: 'tools' },
  { id: 'environment', label: 'Environment', icon: FolderCode, section: 'system' },
  { id: 'apikeys', label: 'API Keys', icon: Key, section: 'system' },
  { id: 'workflow-mcp-servers', label: 'MCP Servers', icon: Server, section: 'system' },
  {
@@ -218,8 +214,6 @@ export function SettingsModal({ open, onOpenChange }: SettingsModalProps) {
  const activeOrganization = organizationsData?.activeOrganization
  const { config: permissionConfig } = usePermissionConfig()
  const environmentBeforeLeaveHandler = useRef<((onProceed: () => void) => void) | null>(null)
  const integrationsCloseHandler = useRef<((open: boolean) => void) | null>(null)
  const userEmail = session?.user?.email
  const userId = session?.user?.id
@@ -256,9 +250,6 @@ export function SettingsModal({ open, onOpenChange }: SettingsModalProps) {
      if (item.id === 'apikeys' && permissionConfig.hideApiKeysTab) {
        return false
      }
      if (item.id === 'environment' && permissionConfig.hideEnvironmentTab) {
        return false
      }
      if (item.id === 'files' && permissionConfig.hideFilesTab) {
        return false
      }
@@ -327,26 +318,9 @@ export function SettingsModal({ open, onOpenChange }: SettingsModalProps) {
    return activeSection
  }, [activeSection])
  const registerEnvironmentBeforeLeaveHandler = useCallback(
    (handler: (onProceed: () => void) => void) => {
      environmentBeforeLeaveHandler.current = handler
    },
    []
  )
  const registerIntegrationsCloseHandler = useCallback((handler: (open: boolean) => void) => {
    integrationsCloseHandler.current = handler
  }, [])
  const handleSectionChange = useCallback(
    (sectionId: SettingsSection) => {
      if (sectionId === effectiveActiveSection) return
      if (effectiveActiveSection === 'environment' && environmentBeforeLeaveHandler.current) {
        environmentBeforeLeaveHandler.current(() => setActiveSection(sectionId))
        return
      }
      setActiveSection(sectionId)
    },
    [effectiveActiveSection]
@@ -475,24 +449,9 @@ export function SettingsModal({ open, onOpenChange }: SettingsModalProps) {
    }
  }
  // Handle dialog close - delegate to environment component if it's active
  const handleDialogOpenChange = (newOpen: boolean) => {
    if (
      !newOpen &&
      effectiveActiveSection === 'environment' &&
      environmentBeforeLeaveHandler.current
    ) {
      environmentBeforeLeaveHandler.current(() => onOpenChange(false))
    } else if (
      !newOpen &&
      effectiveActiveSection === 'integrations' &&
      integrationsCloseHandler.current
    ) {
      integrationsCloseHandler.current(newOpen)
    } else {
    onOpenChange(newOpen)
  }
  }
  return (
    <SModal open={open} onOpenChange={handleDialogOpenChange}>
@@ -502,7 +461,7 @@ export function SettingsModal({ open, onOpenChange }: SettingsModalProps) {
        </VisuallyHidden.Root>
        <VisuallyHidden.Root>
          <DialogPrimitive.Description>
-            Configure your workspace settings, environment variables, integrations, and preferences
+            Configure your workspace settings, credentials, and preferences
          </DialogPrimitive.Description>
        </VisuallyHidden.Root>
@@ -539,18 +498,10 @@ export function SettingsModal({ open, onOpenChange }: SettingsModalProps) {
          </SModalMainHeader>
          <SModalMainBody>
            {effectiveActiveSection === 'general' && <General onOpenChange={onOpenChange} />}
-            {effectiveActiveSection === 'environment' && (
+            {effectiveActiveSection === 'credentials' && (
-              <EnvironmentVariables
+              <Credentials onOpenChange={onOpenChange} />
                registerBeforeLeaveHandler={registerEnvironmentBeforeLeaveHandler}
              />
            )}
            {effectiveActiveSection === 'template-profile' && <TemplateProfile />}
            {effectiveActiveSection === 'integrations' && (
              <Integrations
                onOpenChange={onOpenChange}
                registerCloseHandler={registerIntegrationsCloseHandler}
              />
            )}
            {effectiveActiveSection === 'credential-sets' && <CredentialSets />}
            {effectiveActiveSection === 'access-control' && <AccessControl />}
            {effectiveActiveSection === 'apikeys' && <ApiKeys onOpenChange={onOpenChange} />}
--- a/apps/sim/app/workspace/page.tsx
+++ b/apps/sim/app/workspace/page.tsx
@@ -4,12 +4,14 @@ import { useEffect } from 'react'
 import { createLogger } from '@sim/logger'
 import { useRouter } from 'next/navigation'
 import { useSession } from '@/lib/auth/auth-client'
 import { useReferralAttribution } from '@/hooks/use-referral-attribution'
 const logger = createLogger('WorkspacePage')
 export default function WorkspacePage() {
  const router = useRouter()
  const { data: session, isPending } = useSession()
  useReferralAttribution()
  useEffect(() => {
    const redirectToFirstWorkspace = async () => {
--- a/apps/sim/blocks/blocks/agent.ts
+++ b/apps/sim/blocks/blocks/agent.ts
@@ -142,6 +142,8 @@ Return ONLY the JSON array.`,
      title: 'Google Cloud Account',
      type: 'oauth-input',
      serviceId: 'vertex-ai',
      canonicalParamId: 'oauthCredential',
      mode: 'basic',
      requiredScopes: ['https://www.googleapis.com/auth/cloud-platform'],
      placeholder: 'Select Google Cloud account',
      required: true,
@@ -150,6 +152,19 @@ Return ONLY the JSON array.`,
        value: providers.vertex.models,
      },
    },
    {
      id: 'manualCredential',
      title: 'Google Cloud Account',
      type: 'short-input',
      canonicalParamId: 'oauthCredential',
      mode: 'advanced',
      placeholder: 'Enter credential ID',
      required: true,
      condition: {
        field: 'model',
        value: providers.vertex.models,
      },
    },
    {
      id: 'reasoningEffort',
      title: 'Reasoning Effort',
@@ -748,6 +763,7 @@ Example 3 (Array Input):
    apiKey: { type: 'string', description: 'Provider API key' },
    azureEndpoint: { type: 'string', description: 'Azure endpoint URL' },
    azureApiVersion: { type: 'string', description: 'Azure API version' },
    oauthCredential: { type: 'string', description: 'OAuth credential for Vertex AI' },
    vertexProject: { type: 'string', description: 'Google Cloud project ID for Vertex AI' },
    vertexLocation: { type: 'string', description: 'Google Cloud location for Vertex AI' },
    bedrockAccessKeyId: { type: 'string', description: 'AWS Access Key ID for Bedrock' },
--- a/apps/sim/blocks/blocks/airtable.ts
+++ b/apps/sim/blocks/blocks/airtable.ts
@@ -32,6 +32,8 @@ export const AirtableBlock: BlockConfig<AirtableResponse> = {
      id: 'credential',
      title: 'Airtable Account',
      type: 'oauth-input',
      canonicalParamId: 'oauthCredential',
      mode: 'basic',
      serviceId: 'airtable',
      requiredScopes: [
        'data.records:read',
@@ -42,6 +44,15 @@ export const AirtableBlock: BlockConfig<AirtableResponse> = {
      placeholder: 'Select Airtable account',
      required: true,
    },
    {
      id: 'manualCredential',
      title: 'Airtable Account',
      type: 'short-input',
      canonicalParamId: 'oauthCredential',
      mode: 'advanced',
      placeholder: 'Enter credential ID',
      required: true,
    },
    {
      id: 'baseId',
      title: 'Base ID',
@@ -219,7 +230,7 @@ Return ONLY the valid JSON object - no explanations, no markdown.`,
        }
      },
      params: (params) => {
-        const { credential, records, fields, ...rest } = params
+        const { oauthCredential, records, fields, ...rest } = params
        let parsedRecords: any | undefined
        let parsedFields: any | undefined
@@ -237,7 +248,7 @@ Return ONLY the valid JSON object - no explanations, no markdown.`,
        // Construct parameters based on operation
        const baseParams = {
-          credential,
+          credential: oauthCredential,
          ...rest,
        }
@@ -255,7 +266,7 @@ Return ONLY the valid JSON object - no explanations, no markdown.`,
  },
  inputs: {
    operation: { type: 'string', description: 'Operation to perform' },
-    credential: { type: 'string', description: 'Airtable access token' },
+    oauthCredential: { type: 'string', description: 'Airtable access token' },
    baseId: { type: 'string', description: 'Airtable base identifier' },
    tableId: { type: 'string', description: 'Airtable table identifier' },
    // Conditional inputs
--- a/apps/sim/blocks/blocks/asana.ts
+++ b/apps/sim/blocks/blocks/asana.ts
@@ -32,12 +32,22 @@ export const AsanaBlock: BlockConfig<AsanaResponse> = {
      id: 'credential',
      title: 'Asana Account',
      type: 'oauth-input',
-
+      canonicalParamId: 'oauthCredential',
      mode: 'basic',
      required: true,
      serviceId: 'asana',
      requiredScopes: ['default'],
      placeholder: 'Select Asana account',
    },
    {
      id: 'manualCredential',
      title: 'Asana Account',
      type: 'short-input',
      canonicalParamId: 'oauthCredential',
      mode: 'advanced',
      placeholder: 'Enter credential ID',
      required: true,
    },
    {
      id: 'workspace',
      title: 'Workspace GID',
@@ -215,7 +225,7 @@ Return ONLY the date string in YYYY-MM-DD format - no explanations, no quotes, n
        }
      },
      params: (params) => {
-        const { credential, operation } = params
+        const { oauthCredential, operation } = params
        const projectsArray = params.projects
          ? params.projects
@@ -225,7 +235,7 @@ Return ONLY the date string in YYYY-MM-DD format - no explanations, no quotes, n
          : undefined
        const baseParams = {
-          accessToken: credential?.accessToken,
+          accessToken: oauthCredential?.accessToken,
        }
        switch (operation) {
@@ -284,6 +294,7 @@ Return ONLY the date string in YYYY-MM-DD format - no explanations, no quotes, n
  },
  inputs: {
    operation: { type: 'string', description: 'Operation to perform' },
    oauthCredential: { type: 'string', description: 'Asana OAuth credential' },
    workspace: { type: 'string', description: 'Workspace GID' },
    taskGid: { type: 'string', description: 'Task GID' },
    getTasks_workspace: { type: 'string', description: 'Workspace GID for getting tasks' },
--- a/Show More
+++ b/Show More
Author	SHA1	Message	Date
Vikhyath Mondreti	d8bbd7eeec	add filter	2026-02-14 14:26:22 -08:00
Vikhyath Mondreti	9584b99c8a	address bugbot	2026-02-14 14:10:56 -08:00
Vikhyath Mondreti	140f870cfc	remove more unused code	2026-02-14 12:54:28 -08:00
Vikhyath Mondreti	d235d747ca	more permissions stuff	2026-02-14 12:47:03 -08:00
Vikhyath Mondreti	3769da88b0	remove some dead code	2026-02-14 12:32:55 -08:00
Vikhyath Mondreti	41cdca20d6	address bugbot comments	2026-02-14 12:27:03 -08:00
Vikhyath Mondreti	cd1ccf1f1f	autoselect provider when connecting from block	2026-02-14 12:15:57 -08:00
Vikhyath Mondreti	6053050718	remove unused code	2026-02-14 11:44:28 -08:00
Vikhyath Mondreti	08b908fdce	fix tests	2026-02-14 00:00:03 -08:00
Vikhyath Mondreti	ea42e64540	run lint	2026-02-13 18:05:52 -08:00
Vikhyath Mondreti	d70a5d4271	backfill improvements	2026-02-13 16:26:13 -08:00
Vikhyath Mondreti	93826cbd1a	migration readded	2026-02-13 15:25:13 -08:00
Vikhyath Mondreti	7092c88b9b	Merge remote-tracking branch 'origin/staging' into feat/mult-credentials-rv	2026-02-13 15:05:12 -08:00
Vikhyath Mondreti	084ff9c9d0	remove migration to prep stagin migration	2026-02-13 14:37:03 -08:00
Vikhyath Mondreti	3ad0f62545	canonical credential id entry	2026-02-13 14:20:57 -08:00
Vikhyath Mondreti	ff13b1f43b	remove credential no access marker	2026-02-13 12:17:26 -08:00
Vikhyath Mondreti	fa32b9e687	reconnect option to connect diff account	2026-02-13 12:12:56 -08:00
Waleed	7fbbc7ba7a	fix(tool-input): sync cleared subblock values to tool params (#3214 )	2026-02-13 00:18:25 -08:00
Waleed	a337aa7dfe	feat(internal): added internal api base url for internal calls (#3212 ) * feat(internal): added internal api base url for internal calls * make validation on http more lax	2026-02-12 23:56:35 -08:00
Waleed	022e84c4b1	feat(creators): added referrers, code redemption, campaign tracking, etc (#3198 ) * feat(creators): added referrers, code redemption, campaign tracking, etc * more * added zod * remove default * remove duplicate index * update admin routes * reran migrations * lint * move userstats record creation inside tx * added reason for already attributed case * cleanup referral attributes	2026-02-12 20:07:40 -08:00
Waleed	602e371a7a	refactor(tool-input): subblock-first rendering, component extraction, bug fixes (#3207 ) * refactor(tool-input): eliminate SyncWrappers, add canonical toggle and dependsOn gating Replace 17+ individual SyncWrapper components with a single centralized ToolSubBlockRenderer that bridges the subblock store with StoredTool.params via synthetic store keys. This reduces ~1000 lines of duplicated wrapper code and ensures tool-input renders subblock components identically to the standalone SubBlock path. - Add ToolSubBlockRenderer with bidirectional store sync - Add basic/advanced mode toggle (ArrowLeftRight) using collaborative functions - Add dependsOn gating via useDependsOnGate (fields disable instead of hiding) - Add paramVisibility field to SubBlockConfig for tool-input visibility control - Pass canonicalModeOverrides through getSubBlocksForToolInput - Show (optional) label for non-user-only fields (LLM can inject at runtime) Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com> * fix(tool-input): restore optional indicator, fix folder selector and canonical toggle, extract components - Attach resolved paramVisibility to subblocks from getSubBlocksForToolInput - Add labelSuffix prop to SubBlock for "(optional)" badge on user-or-llm params - Fix folder selector missing for tools with canonicalParamId (e.g. Google Drive) - Fix canonical toggle not clickable by letting SubBlock handle dependsOn internally - Extract ParameterWithLabel, ToolSubBlockRenderer, ToolCredentialSelector to components/tools/ - Extract StoredTool interface to types.ts, selection helpers to utils.ts - Remove dead code (mcpError, refreshTools, oldParamIds, initialParams) - Strengthen typing: replace any with proper types on icon components and evaluateParameterCondition * add sibling values to subblock context since subblock store isn't relevant in tool input, and removed unused param * cleanup * fix(tool-input): render uncovered tool params alongside subblocks The SubBlock-first rendering path was hard-returning after rendering subblocks, so tool params without matching subblocks (like inputMapping for workflow tools) were never rendered. Now renders subblocks first, then any remaining displayParams not covered by subblocks via the legacy ParameterWithLabel fallback. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com> * fix(tool-input): auto-refresh workflow inputs after redeploy After redeploying a child workflow via the stale badge, the workflow state cache was not invalidated, so WorkflowInputMapperInput kept showing stale input fields until page refresh. Now invalidates workflowKeys.state on deploy success. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com> * fix(tool-input): correct workflow selector visibility and tighten (optional) spacing - Set workflowId param to user-only in workflow_executor tool config so "Select Workflow" no longer shows "(optional)" indicator - Tighten (optional) label spacing with -ml-[3px] to counteract parent Label's gap-[6px], making it feel inline with the label text Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com> * fix(tool-input): align (optional) text to baseline instead of center Use items-baseline instead of items-center on Label flex containers so the smaller (optional) text aligns with the label text baseline rather than sitting slightly below it. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com> * fix(tool-input): increase top padding of expanded tool body Bump the expanded tool body container's top padding from 8px to 12px for more breathing room between the header bar and the first parameter. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com> * fix(tool-input): apply extra top padding only to SubBlock-first path Revert container padding to py-[8px] (MCP tools were correct). Wrap SubBlock-first output in a div with pt-[4px] so only registry tools get extra breathing room from the container top. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com> * fix(tool-input): increase gap between SubBlock params for visual clarity SubBlock's internal gap (10px between label and input) matched the between-parameter gap (10px), making them indistinguishable. Increase the between-parameter gap to 14px so consecutive parameters are visually distinct, matching the separation seen in ParameterWithLabel. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com> * fix spacing and optional tag * update styling + move predeploy checks earlier for first time deploys * update change detection to account for synthetic tool ids * fix remaining blocks who had files visibility set to hidden * cleanup * add catch --------- Co-authored-by: Claude Opus 4.6 <noreply@anthropic.com>	2026-02-12 19:01:04 -08:00
Vikhyath Mondreti	dcf40be189	copilot + oauth name comflict	2026-02-12 18:42:52 -08:00
Vikhyath Mondreti	77bb048307	share button	2026-02-12 18:04:02 -08:00
Vikhyath Mondreti	17710b39a5	remove new badge	2026-02-12 17:05:54 -08:00
Vikhyath Mondreti	bdd14839a3	share with workspace for oauth	2026-02-12 17:01:55 -08:00
Vikhyath Mondreti	8ed8a5a1ce	more ux improvmeent	2026-02-12 16:52:54 -08:00
Vikhyath Mondreti	5e19226dd1	promote to workspace secret	2026-02-12 16:50:13 -08:00
Vikhyath Mondreti	622023d998	bulk entry of .env	2026-02-12 16:39:10 -08:00
Theodore Li	9a06cae591	Merge pull request #3210 from simstudioai/feat/google-books feat(google books): Add google books integration	2026-02-12 16:18:42 -08:00
Theodore Li	dce47a101c	Migrate last response to types	2026-02-12 15:45:00 -08:00
Theodore Li	1130f8ddb2	Remove redundant error handling, move volume item to types file	2026-02-12 15:31:12 -08:00
Waleed	ebc2ffa1c5	fix(agent): always fetch latest custom tool from DB when customToolId is present (#3208 ) * fix(agent): always fetch latest custom tool from DB when customToolId is present * test(agent): use generic test data for customToolId resolution tests * fix(agent): mock buildAuthHeaders in tests for CI compatibility * remove inline mocks in favor of sim/testing ones	2026-02-12 15:31:11 -08:00
Vikhyath Mondreti	319768c2bd	remove add member ui for workspace secrets	2026-02-12 15:28:15 -08:00
Theodore Li	fc97ce007d	Correct error handling, specify auth mode as api key	2026-02-12 15:26:13 -08:00
Vikhyath Mondreti	aefa281677	improve collaborative UX	2026-02-12 15:18:54 -08:00
Theodore Li	6c006cdfec	feat(google books): Add google books integration	2026-02-12 15:01:33 -08:00
Siddharth Ganesan	c380e59cb3	fix(copilot): make default model opus 4.5 (#3209 ) * Fix default model * Fix	2026-02-12 13:17:45 -08:00
Waleed	2944579d21	fix(s3): support get-object region override and robust S3 URL parsing (#3206 ) * fix(s3): support get-object region override and robust S3 URL parsing * ack pr comments	2026-02-12 10:59:22 -08:00
Vikhyath Mondreti	508772cf58	make it autoselect personal secret when create secret is clicked	2026-02-11 20:06:27 -08:00
Vikhyath Mondreti	7314675f50	checkpoint	2026-02-11 19:58:24 -08:00
Waleed	81dfeb0bb0	fix(terminal): reconnect to running executions after page refresh (#3200 ) * fix(terminal): reconnect to running executions after page refresh * fix(terminal): use ExecutionEvent type instead of any in reconnection stream * fix(execution): type event buffer with ExecutionEvent instead of Record<string, unknown> Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com> * fix(execution): validate fromEventId query param in reconnection endpoint Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com> * Fix some bugs * fix(variables): fix tag dropdown and cursor alignment in variables block (#3199) * feat(confluence): added list space labels, delete label, delete page prop (#3201) * updated route * ack comments * fix(execution): reset execution state in reconnection cleanup to unblock re-entry Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com> * fix(execution): restore running entries when reconnection is interrupted by navigation Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com> * done * remove cast in ioredis types * ack PR comments --------- Co-authored-by: Claude Opus 4.6 <noreply@anthropic.com> Co-authored-by: Siddharth Ganesan <siddharthganesan@gmail.com>	2026-02-11 19:31:29 -08:00
Waleed	01577a18b4	fix(change-detection): resolve false positive trigger block change detection (#3204 )	2026-02-11 17:24:17 -08:00
Vikhyath Mondreti	253161afba	feat(mult-credentials): progress	2026-02-11 15:18:31 -08:00
		`@@ -0,0 +1 @@`
							`export { ReferralCode } from './referral-code'`