Temp

.github/workflows/ci.yml

@@ -27,9 +27,8 @@ jobs:
     steps:
       - name: Extract version from commit message
         id: extract
-        env:
-          COMMIT_MSG: ${{ github.event.head_commit.message }}
         run: |
+          COMMIT_MSG="${{ github.event.head_commit.message }}"
           # Only tag versions on main branch
           if [ "${{ github.ref }}" = "refs/heads/main" ] && [[ "$COMMIT_MSG" =~ ^(v[0-9]+\.[0-9]+\.[0-9]+): ]]; then
             VERSION="${BASH_REMATCH[1]}"

README.md

@@ -14,7 +14,7 @@
 </p>
 
 <p align="center">
-  <a href="https://deepwiki.com/simstudioai/sim" target="_blank" rel="noopener noreferrer"><img src="https://deepwiki.com/badge.svg" alt="Ask DeepWiki"></a>  <a href="https://cursor.com/link/prompt?text=Help%20me%20set%20up%20Sim%20locally.%20Follow%20these%20steps%3A%0A%0A1.%20First%2C%20verify%20Docker%20is%20installed%20and%20running%3A%0A%20%20%20docker%20--version%0A%20%20%20docker%20info%0A%0A2.%20Clone%20the%20repository%3A%0A%20%20%20git%20clone%20https%3A%2F%2Fgithub.com%2Fsimstudioai%2Fsim.git%0A%20%20%20cd%20sim%0A%0A3.%20Start%20the%20services%20with%20Docker%20Compose%3A%0A%20%20%20docker%20compose%20-f%20docker-compose.prod.yml%20up%20-d%0A%0A4.%20Wait%20for%20all%20containers%20to%20be%20healthy%20(this%20may%20take%201-2%20minutes)%3A%0A%20%20%20docker%20compose%20-f%20docker-compose.prod.yml%20ps%0A%0A5.%20Verify%20the%20app%20is%20accessible%20at%20http%3A%2F%2Flocalhost%3A3000%0A%0AIf%20there%20are%20any%20errors%2C%20help%20me%20troubleshoot%20them.%20Common%20issues%3A%0A-%20Port%203000%2C%203002%2C%20or%205432%20already%20in%20use%0A-%20Docker%20not%20running%0A-%20Insufficient%20memory%20(needs%2012GB%2B%20RAM)%0A%0AFor%20local%20AI%20models%20with%20Ollama%2C%20use%20this%20instead%20of%20step%203%3A%0A%20%20%20docker%20compose%20-f%20docker-compose.ollama.yml%20--profile%20setup%20up%20-d"><img src="https://img.shields.io/badge/Set%20Up%20with-Cursor-000000?logo=cursor&logoColor=white" alt="Set Up with Cursor"></a>
+  <a href="https://deepwiki.com/simstudioai/sim" target="_blank" rel="noopener noreferrer"><img src="https://deepwiki.com/badge.svg" alt="Ask DeepWiki"></a>  <a href="https://cursor.com/link/prompt?text=Help%20me%20set%20up%20Sim%20Studio%20locally.%20Follow%20these%20steps%3A%0A%0A1.%20First%2C%20verify%20Docker%20is%20installed%20and%20running%3A%0A%20%20%20docker%20--version%0A%20%20%20docker%20info%0A%0A2.%20Clone%20the%20repository%3A%0A%20%20%20git%20clone%20https%3A%2F%2Fgithub.com%2Fsimstudioai%2Fsim.git%0A%20%20%20cd%20sim%0A%0A3.%20Start%20the%20services%20with%20Docker%20Compose%3A%0A%20%20%20docker%20compose%20-f%20docker-compose.prod.yml%20up%20-d%0A%0A4.%20Wait%20for%20all%20containers%20to%20be%20healthy%20(this%20may%20take%201-2%20minutes)%3A%0A%20%20%20docker%20compose%20-f%20docker-compose.prod.yml%20ps%0A%0A5.%20Verify%20the%20app%20is%20accessible%20at%20http%3A%2F%2Flocalhost%3A3000%0A%0AIf%20there%20are%20any%20errors%2C%20help%20me%20troubleshoot%20them.%20Common%20issues%3A%0A-%20Port%203000%2C%203002%2C%20or%205432%20already%20in%20use%0A-%20Docker%20not%20running%0A-%20Insufficient%20memory%20(needs%2012GB%2B%20RAM)%0A%0AFor%20local%20AI%20models%20with%20Ollama%2C%20use%20this%20instead%20of%20step%203%3A%0A%20%20%20docker%20compose%20-f%20docker-compose.ollama.yml%20--profile%20setup%20up%20-d"><img src="https://img.shields.io/badge/Set%20Up%20with-Cursor-000000?logo=cursor&logoColor=white" alt="Set Up with Cursor"></a>
 </p>
 
 ### Build Workflows with Ease

apps/docs/components/icons.tsx

@@ -4093,23 +4093,6 @@ export function SQSIcon(props: SVGProps<SVGSVGElement>) {
   )
 }
 
-export function TextractIcon(props: SVGProps<SVGSVGElement>) {
-  return (
-    <svg
-      {...props}
-      viewBox='10 14 60 52'
-      version='1.1'
-      xmlns='http://www.w3.org/2000/svg'
-      xmlnsXlink='http://www.w3.org/1999/xlink'
-    >
-      <path
-        d='M22.0624102,50 C24.3763895,53.603 28.4103535,56 33.0003125,56 C40.1672485,56 45.9991964,50.168 45.9991964,43 C45.9991964,35.832 40.1672485,30 33.0003125,30 C27.6033607,30 22.9664021,33.307 21.0024196,38 L23.2143999,38 C25.0393836,34.444 28.7363506,32 33.0003125,32 C39.0652583,32 43.9992143,36.935 43.9992143,43 C43.9992143,49.065 39.0652583,54 33.0003125,54 C29.5913429,54 26.5413702,52.441 24.5213882,50 L22.0624102,50 Z M37.0002768,45 L37.0002768,43 L41.9992321,43 C41.9992321,38.038 37.9622682,34 33.0003125,34 C28.0373568,34 23.9993929,38.038 23.9993929,43 L28.9993482,43 L28.9993482,45 L24.2313908,45 C25.1443826,49.002 28.7253507,52 33.0003125,52 C35.1362934,52 37.0992759,51.249 38.6442621,50 L34.0003036,50 L34.0003036,48 L40.4782457,48 C41.0812403,47.102 41.5202364,46.087 41.7682342,45 L37.0002768,45 Z M21.0024196,48 L23.2143999,48 C22.4434068,46.498 22.0004107,44.801 22.0004107,43 C22.0004107,41.959 22.1554093,40.955 22.4264069,40 L20.3634253,40 C20.1344274,40.965 19.9994286,41.966 19.9994286,43 C19.9994286,44.771 20.3584254,46.46 21.0024196,48 L21.0024196,48 Z M19.7434309,50 L17.0004554,50 L17.0004554,48 L18.8744386,48 C18.5344417,47.04 18.2894438,46.038 18.1494451,45 L15.4144695,45 L16.707458,46.293 L15.2924706,47.707 L12.2924974,44.707 C11.9025009,44.316 11.9025009,43.684 12.2924974,43.293 L15.2924706,40.293 L16.707458,41.707 L15.4144695,43 L18.0004464,43 C18.0004464,41.973 18.1044455,40.97 18.3024437,40 L17.0004554,40 L17.0004554,38 L18.8744386,38 C20.9404202,32.184 26.4833707,28 33.0003125,28 C37.427273,28 41.4002375,29.939 44.148213,33 L59.0000804,33 L59.0000804,35 L45.6661994,35 C47.1351863,37.318 47.9991786,40.058 47.9991786,43 L59.0000804,43 L59.0000804,45 L47.8501799,45 C46.8681887,52.327 40.5912447,58 33.0003125,58 C27.2563638,58 22.2624084,54.752 19.7434309,50 L19.7434309,50 Z M37.0002768,39 C37.0002768,38.448 36.5522808,38 36.0002857,38 L29.9993482,38 C29.4473442,38 28.9993482,38.448 28.9993482,39 L28.9993482,41 L31.0003304,41 L31.0003304,40 L32.0003214,40 L32.0003214,43 L31.0003304,43 L31.0003304,45 L35.0002946,45 L35.0002946,43 L34.0003036,43 L34.0003036,40 L35.0002946,40 L35.0002946,41 L37.0002768,41 L37.0002768,39 Z M49.0001696,40 L59.0000804,40 L59.0000804,38 L49.0001696,38 L49.0001696,40 Z M49.0001696,50 L59.0000804,50 L59.0000804,48 L49.0001696,48 L49.0001696,50 Z M57.0000982,27 L60.5850662,27 L57.0000982,23.414 L57.0000982,27 Z M63.7070383,27.293 C63.8940367,27.48 64.0000357,27.735 64.0000357,28 L64.0000357,63 C64.0000357,63.552 63.5520397,64 63.0000446,64 L32.0003304,64 C31.4473264,64 31.0003304,63.552 31.0003304,63 L31.0003304,59 L33.0003125,59 L33.0003125,62 L62.0000536,62 L62.0000536,29 L56.0001071,29 C55.4471121,29 55.0001161,28.552 55.0001161,28 L55.0001161,22 L33.0003125,22 L33.0003125,27 L31.0003304,27 L31.0003304,21 C31.0003304,20.448 31.4473264,20 32.0003304,20 L56.0001071,20 C56.2651048,20 56.5191025,20.105 56.7071008,20.293 L63.7070383,27.293 Z M68,24.166 L68,61 C68,61.552 67.552004,62 67.0000089,62 L65.0000268,62 L65.0000268,60 L66.0000179,60 L66.0000179,24.612 L58.6170838,18 L36.0002857,18 L36.0002857,19 L34.0003036,19 L34.0003036,17 C34.0003036,16.448 34.4472996,16 35.0003036,16 L59.0000804,16 C59.2460782,16 59.483076,16.091 59.6660744,16.255 L67.666003,23.42 C67.8780011,23.61 68,23.881 68,24.166 L68,24.166 Z'
-        fill='currentColor'
-      />
-    </svg>
-  )
-}
-
 export function McpIcon(props: SVGProps<SVGSVGElement>) {
   return (
     <svg

apps/docs/components/ui/icon-mapping.ts

@@ -110,7 +110,6 @@ import {
   SupabaseIcon,
   TavilyIcon,
   TelegramIcon,
-  TextractIcon,
   TinybirdIcon,
   TranslateIcon,
   TrelloIcon,
@@ -144,7 +143,7 @@ export const blockTypeToIconMap: Record<string, IconComponent> = {
   calendly: CalendlyIcon,
   circleback: CirclebackIcon,
   clay: ClayIcon,
-  confluence_v2: ConfluenceIcon,
+  confluence: ConfluenceIcon,
   cursor_v2: CursorIcon,
   datadog: DatadogIcon,
   discord: DiscordIcon,
@@ -154,7 +153,7 @@ export const blockTypeToIconMap: Record<string, IconComponent> = {
   elasticsearch: ElasticsearchIcon,
   elevenlabs: ElevenLabsIcon,
   exa: ExaAIIcon,
-  file_v2: DocumentIcon,
+  file: DocumentIcon,
   firecrawl: FirecrawlIcon,
   fireflies: FirefliesIcon,
   github_v2: GithubIcon,
@@ -196,7 +195,7 @@ export const blockTypeToIconMap: Record<string, IconComponent> = {
   microsoft_excel_v2: MicrosoftExcelIcon,
   microsoft_planner: MicrosoftPlannerIcon,
   microsoft_teams: MicrosoftTeamsIcon,
-  mistral_parse_v2: MistralIcon,
+  mistral_parse: MistralIcon,
   mongodb: MongoDBIcon,
   mysql: MySQLIcon,
   neo4j: Neo4jIcon,
@@ -238,7 +237,6 @@ export const blockTypeToIconMap: Record<string, IconComponent> = {
   supabase: SupabaseIcon,
   tavily: TavilyIcon,
   telegram: TelegramIcon,
-  textract: TextractIcon,
   tinybird: TinybirdIcon,
   translate: TranslateIcon,
   trello: TrelloIcon,
@@ -246,7 +244,7 @@ export const blockTypeToIconMap: Record<string, IconComponent> = {
   twilio_sms: TwilioIcon,
   twilio_voice: TwilioIcon,
   typeform: TypeformIcon,
-  video_generator_v2: VideoIcon,
+  video_generator: VideoIcon,
   vision: EyeIcon,
   wealthbox: WealthboxIcon,
   webflow: WebflowIcon,

apps/docs/content/docs/en/blocks/loop.mdx

@@ -124,44 +124,11 @@ Choose between four types of loops:
 3. Drag other blocks inside the loop container
 4. Connect the blocks as needed
 
-### Referencing Loop Data
+### Accessing Results
 
-There's an important distinction between referencing loop data from **inside** vs **outside** the loop:
+After a loop completes, you can access aggregated results:
 
-<Tabs items={['Inside the Loop', 'Outside the Loop']}>
+- **`<loop.results>`**: Array of results from all loop iterations
-  <Tab>
-    **Inside the loop**, use `<loop.>` references to access the current iteration context:
-    
-    - **`<loop.index>`**: Current iteration number (0-based)
-    - **`<loop.currentItem>`**: Current item being processed (forEach only)
-    - **`<loop.items>`**: Full collection being iterated (forEach only)
-    
-    ```
-    // Inside a Function block within the loop
-    const idx = <loop.index>;           // 0, 1, 2, ...
-    const item = <loop.currentItem>;    // Current item
-    ```
-    
-    <Callout type="info">
-      These references are only available for blocks **inside** the loop container. They give you access to the current iteration's context.
-    </Callout>
-  </Tab>
-  <Tab>
-    **Outside the loop** (after it completes), reference the loop block by its name to access aggregated results:
-    
-    - **`<LoopBlockName.results>`**: Array of results from all iterations
-    
-    ```
-    // If your loop block is named "Process Items"
-    const allResults = <processitems.results>;
-    // Returns: [result1, result2, result3, ...]
-    ```
-    
-    <Callout type="info">
-      After the loop completes, use the loop's block name (not `loop.`) to access the collected results. The block name is normalized (lowercase, no spaces).
-    </Callout>
-  </Tab>
-</Tabs>
 
 ## Example Use Cases
 
@@ -217,29 +184,28 @@ Variables (i=0) → Loop (While i<10) → Agent (Process) → Variables (i++)
     </ul>
   </Tab>
   <Tab>
-    Available **inside** the loop only:
     <ul className="list-disc space-y-2 pl-6">
       <li>
-        <strong>{"<loop.index>"}</strong>: Current iteration number (0-based)
+        <strong>loop.currentItem</strong>: Current item being processed
       </li>
       <li>
-        <strong>{"<loop.currentItem>"}</strong>: Current item being processed (forEach only)
+        <strong>loop.index</strong>: Current iteration number (0-based)
       </li>
       <li>
-        <strong>{"<loop.items>"}</strong>: Full collection (forEach only)
+        <strong>loop.items</strong>: Full collection (forEach loops)
       </li>
     </ul>
   </Tab>
   <Tab>
     <ul className="list-disc space-y-2 pl-6">
       <li>
-        <strong>{"<blockname.results>"}</strong>: Array of all iteration results (accessed via block name)
+        <strong>loop.results</strong>: Array of all iteration results
       </li>
       <li>
         <strong>Structure</strong>: Results maintain iteration order
       </li>
       <li>
-        <strong>Access</strong>: Available in blocks after the loop completes
+        <strong>Access</strong>: Available in blocks after the loop
       </li>
     </ul>
   </Tab>

apps/docs/content/docs/en/blocks/parallel.mdx

@@ -76,44 +76,11 @@ Choose between two types of parallel execution:
 3. Drag a single block inside the parallel container
 4. Connect the block as needed
 
-### Referencing Parallel Data
+### Accessing Results
 
-There's an important distinction between referencing parallel data from **inside** vs **outside** the parallel block:
+After a parallel block completes, you can access aggregated results:
 
-<Tabs items={['Inside the Parallel', 'Outside the Parallel']}>
+- **`<parallel.results>`**: Array of results from all parallel instances
-  <Tab>
-    **Inside the parallel**, use `<parallel.>` references to access the current instance context:
-    
-    - **`<parallel.index>`**: Current instance number (0-based)
-    - **`<parallel.currentItem>`**: Item for this instance (collection-based only)
-    - **`<parallel.items>`**: Full collection being distributed (collection-based only)
-    
-    ```
-    // Inside a Function block within the parallel
-    const idx = <parallel.index>;           // 0, 1, 2, ...
-    const item = <parallel.currentItem>;    // This instance's item
-    ```
-    
-    <Callout type="info">
-      These references are only available for blocks **inside** the parallel container. They give you access to the current instance's context.
-    </Callout>
-  </Tab>
-  <Tab>
-    **Outside the parallel** (after it completes), reference the parallel block by its name to access aggregated results:
-    
-    - **`<ParallelBlockName.results>`**: Array of results from all instances
-    
-    ```
-    // If your parallel block is named "Process Tasks"
-    const allResults = <processtasks.results>;
-    // Returns: [result1, result2, result3, ...]
-    ```
-    
-    <Callout type="info">
-      After the parallel completes, use the parallel's block name (not `parallel.`) to access the collected results. The block name is normalized (lowercase, no spaces).
-    </Callout>
-  </Tab>
-</Tabs>
 
 ## Example Use Cases
 
@@ -131,11 +98,11 @@ Parallel (["gpt-4o", "claude-3.7-sonnet", "gemini-2.5-pro"]) → Agent → Evalu
 
 ### Result Aggregation
 
-Results from all parallel instances are automatically collected and accessible via the block name:
+Results from all parallel instances are automatically collected:
 
 ```javascript
-// In a Function block after a parallel named "Process Tasks"
+// In a Function block after the parallel
-const allResults = <processtasks.results>;
+const allResults = input.parallel.results;
 // Returns: [result1, result2, result3, ...]
 ```
 
@@ -191,26 +158,25 @@ Understanding when to use each:
     </ul>
   </Tab>
   <Tab>
-    Available **inside** the parallel only:
     <ul className="list-disc space-y-2 pl-6">
       <li>
-        <strong>{"<parallel.index>"}</strong>: Instance number (0-based)
+        <strong>parallel.currentItem</strong>: Item for this instance
       </li>
       <li>
-        <strong>{"<parallel.currentItem>"}</strong>: Item for this instance (collection-based only)
+        <strong>parallel.index</strong>: Instance number (0-based)
       </li>
       <li>
-        <strong>{"<parallel.items>"}</strong>: Full collection (collection-based only)
+        <strong>parallel.items</strong>: Full collection (collection-based)
       </li>
     </ul>
   </Tab>
   <Tab>
     <ul className="list-disc space-y-2 pl-6">
       <li>
-        <strong>{"<blockname.results>"}</strong>: Array of all instance results (accessed via block name)
+        <strong>parallel.results</strong>: Array of all instance results
       </li>
       <li>
-        <strong>Access</strong>: Available in blocks after the parallel completes
+        <strong>Access</strong>: Available in blocks after the parallel
       </li>
     </ul>
   </Tab>

apps/docs/content/docs/en/tools/confluence.mdx

@@ -6,7 +6,7 @@ description: Interact with Confluence
 import { BlockInfoCard } from "@/components/ui/block-info-card"
 
 <BlockInfoCard 
-  type="confluence_v2"
+  type="confluence"
   color="#E0E0E0"
 />
 

apps/docs/content/docs/en/tools/file.mdx

@@ -6,7 +6,7 @@ description: Read and parse multiple files
 import { BlockInfoCard } from "@/components/ui/block-info-card"
 
 <BlockInfoCard 
-  type="file_v2"
+  type="file"
   color="#40916C"
 />
 
@@ -48,7 +48,7 @@ Parse one or more uploaded files or files from URLs (text, PDF, CSV, images, etc
 
 | Parameter | Type | Description |
 | --------- | ---- | ----------- |
-| `files` | array | Array of parsed files with content, metadata, and file properties |
+| `files` | array | Array of parsed files |
-| `combinedContent` | string | All file contents merged into a single text string |
+| `combinedContent` | string | Combined content of all parsed files |
 
 

apps/docs/content/docs/en/tools/meta.json

@@ -106,7 +106,6 @@
     "supabase",
     "tavily",
     "telegram",
-    "textract",
     "tinybird",
     "translate",
     "trello",

apps/docs/content/docs/en/tools/mistral_parse.mdx

@@ -6,7 +6,7 @@ description: Extract text from PDF documents
 import { BlockInfoCard } from "@/components/ui/block-info-card"
 
 <BlockInfoCard 
-  type="mistral_parse_v2"
+  type="mistral_parse"
   color="#000000"
 />
 
@@ -54,37 +54,18 @@ Parse PDF documents using Mistral OCR API
 
 | Parameter | Type | Description |
 | --------- | ---- | ----------- |
-| `pages` | array | Array of page objects from Mistral OCR |
+| `success` | boolean | Whether the PDF was parsed successfully |
-|   ↳ `index` | number | Page index \(zero-based\) |
+| `content` | string | Extracted content in the requested format \(markdown, text, or JSON\) |
-|   ↳ `markdown` | string | Extracted markdown content |
+| `metadata` | object | Processing metadata including jobId, fileType, pageCount, and usage info |
-|   ↳ `images` | array | Images extracted from this page with bounding boxes |
+| ↳ `jobId` | string | Unique job identifier |
-|   ↳ `id` | string | Image identifier \(e.g., img-0.jpeg\) |
+| ↳ `fileType` | string | File type \(e.g., pdf\) |
-|   ↳ `top_left_x` | number | Top-left X coordinate in pixels |
+| ↳ `fileName` | string | Original file name |
-|   ↳ `top_left_y` | number | Top-left Y coordinate in pixels |
+| ↳ `source` | string | Source type \(url\) |
-|   ↳ `bottom_right_x` | number | Bottom-right X coordinate in pixels |
+| ↳ `pageCount` | number | Number of pages processed |
-|   ↳ `bottom_right_y` | number | Bottom-right Y coordinate in pixels |
+| ↳ `model` | string | Mistral model used |
-|   ↳ `image_base64` | string | Base64-encoded image data \(when include_image_base64=true\) |
+| ↳ `resultType` | string | Output format \(markdown, text, json\) |
-|   ↳ `id` | string | Image identifier \(e.g., img-0.jpeg\) |
+| ↳ `processedAt` | string | Processing timestamp |
-|   ↳ `top_left_x` | number | Top-left X coordinate in pixels |
+| ↳ `sourceUrl` | string | Source URL if applicable |
-|   ↳ `top_left_y` | number | Top-left Y coordinate in pixels |
+| ↳ `usageInfo` | object | Usage statistics from OCR processing |
-|   ↳ `bottom_right_x` | number | Bottom-right X coordinate in pixels |
-|   ↳ `bottom_right_y` | number | Bottom-right Y coordinate in pixels |
-|   ↳ `image_base64` | string | Base64-encoded image data \(when include_image_base64=true\) |
-|   ↳ `dimensions` | object | Page dimensions |
-|   ↳ `dpi` | number | Dots per inch |
-|   ↳ `height` | number | Page height in pixels |
-|   ↳ `width` | number | Page width in pixels |
-|   ↳ `dpi` | number | Dots per inch |
-|   ↳ `height` | number | Page height in pixels |
-|   ↳ `width` | number | Page width in pixels |
-|   ↳ `tables` | array | Extracted tables as HTML/markdown \(when table_format is set\). Referenced via placeholders like \[tbl-0.html\] |
-|   ↳ `hyperlinks` | array | Array of URL strings detected in the page \(e.g., \[ |
-|   ↳ `header` | string | Page header content \(when extract_header=true\) |
-|   ↳ `footer` | string | Page footer content \(when extract_footer=true\) |
-| `model` | string | Mistral OCR model identifier \(e.g., mistral-ocr-latest\) |
-| `usage_info` | object | Usage and processing statistics |
-| ↳ `pages_processed` | number | Total number of pages processed |
-| ↳ `doc_size_bytes` | number | Document file size in bytes |
-| `document_annotation` | string | Structured annotation data as JSON string \(when applicable\) |
 
 

apps/docs/content/docs/en/tools/s3.mdx

@@ -58,7 +58,6 @@ Upload a file to an AWS S3 bucket
 | Parameter | Type | Description |
 | --------- | ---- | ----------- |
 | `url` | string | URL of the uploaded S3 object |
-| `uri` | string | S3 URI of the uploaded object \(s3://bucket/key\) |
 | `metadata` | object | Upload metadata including ETag and location |
 
 ### `s3_get_object`
@@ -150,7 +149,6 @@ Copy an object within or between AWS S3 buckets
 | Parameter | Type | Description |
 | --------- | ---- | ----------- |
 | `url` | string | URL of the copied S3 object |
-| `uri` | string | S3 URI of the copied object \(s3://bucket/key\) |
 | `metadata` | object | Copy operation metadata |
 
 

apps/docs/content/docs/en/tools/textract.mdx

@@ -1,120 +0,0 @@
----
-title: AWS Textract
-description: Extract text, tables, and forms from documents
----
-
-import { BlockInfoCard } from "@/components/ui/block-info-card"
-
-<BlockInfoCard 
-  type="textract"
-  color="linear-gradient(135deg, #055F4E 0%, #56C0A7 100%)"
-/>
-
-{/* MANUAL-CONTENT-START:intro */}
-[AWS Textract](https://aws.amazon.com/textract/) is a powerful AI service from Amazon Web Services designed to automatically extract printed text, handwriting, tables, forms, key-value pairs, and other structured data from scanned documents and images. Textract leverages advanced optical character recognition (OCR) and document analysis to transform documents into actionable data, enabling automation, analytics, compliance, and more.
-
-With AWS Textract, you can:
-
-- **Extract text from images and documents**: Recognize printed text and handwriting in formats such as PDF, JPEG, PNG, or TIFF
-- **Detect and extract tables**: Automatically find tables and output their structured content
-- **Parse forms and key-value pairs**: Pull structured data from forms, including fields and their corresponding values
-- **Identify signatures and layout features**: Detect signatures, geometric layout, and relationships between document elements
-- **Customize extraction with queries**: Extract specific fields and answers using query-based extraction (e.g., "What is the invoice number?")
-
-In Sim, the AWS Textract integration empowers your agents to intelligently process documents as part of their workflows. This unlocks automation scenarios such as data entry from invoices, onboarding documents, contracts, receipts, and more. Your agents can extract relevant data, analyze structured forms, and generate summaries or reports directly from document uploads or URLs. By connecting Sim with AWS Textract, you can reduce manual effort, improve data accuracy, and streamline your business processes with robust document understanding.
-{/* MANUAL-CONTENT-END */}
-
-
-## Usage Instructions
-
-Integrate AWS Textract into your workflow to extract text, tables, forms, and key-value pairs from documents. Single-page mode supports JPEG, PNG, and single-page PDF. Multi-page mode supports multi-page PDF and TIFF.
-
-
-
-## Tools
-
-### `textract_parser`
-
-Parse documents using AWS Textract OCR and document analysis
-
-#### Input
-
-| Parameter | Type | Required | Description |
-| --------- | ---- | -------- | ----------- |
-| `accessKeyId` | string | Yes | AWS Access Key ID |
-| `secretAccessKey` | string | Yes | AWS Secret Access Key |
-| `region` | string | Yes | AWS region for Textract service \(e.g., us-east-1\) |
-| `processingMode` | string | No | Document type: single-page or multi-page. Defaults to single-page. |
-| `filePath` | string | No | URL to a document to be processed \(JPEG, PNG, or single-page PDF\). |
-| `s3Uri` | string | No | S3 URI for multi-page processing \(s3://bucket/key\). |
-| `fileUpload` | object | No | File upload data from file-upload component |
-| `featureTypes` | array | No | Feature types to detect: TABLES, FORMS, QUERIES, SIGNATURES, LAYOUT. If not specified, only text detection is performed. |
-| `items` | string | No | Feature type |
-| `queries` | array | No | Custom queries to extract specific information. Only used when featureTypes includes QUERIES. |
-| `items` | object | No | Query configuration |
-| `properties` | string | No | The query text |
-| `Text` | string | No | No description |
-| `Alias` | string | No | No description |
-
-#### Output
-
-| Parameter | Type | Description |
-| --------- | ---- | ----------- |
-| `blocks` | array | Array of Block objects containing detected text, tables, forms, and other elements |
-|   ↳ `BlockType` | string | Type of block \(PAGE, LINE, WORD, TABLE, CELL, KEY_VALUE_SET, etc.\) |
-|   ↳ `Id` | string | Unique identifier for the block |
-|   ↳ `Text` | string | Query text |
-|   ↳ `TextType` | string | Type of text \(PRINTED or HANDWRITING\) |
-|   ↳ `Confidence` | number | Confidence score \(0-100\) |
-|   ↳ `Page` | number | Page number |
-|   ↳ `Geometry` | object | Location and bounding box information |
-|   ↳ `BoundingBox` | object | Height as ratio of document height |
-|   ↳ `Height` | number | Height as ratio of document height |
-|   ↳ `Left` | number | Left position as ratio of document width |
-|   ↳ `Top` | number | Top position as ratio of document height |
-|   ↳ `Width` | number | Width as ratio of document width |
-|   ↳ `Height` | number | Height as ratio of document height |
-|   ↳ `Left` | number | Left position as ratio of document width |
-|   ↳ `Top` | number | Top position as ratio of document height |
-|   ↳ `Width` | number | Width as ratio of document width |
-|   ↳ `Polygon` | array | Polygon coordinates |
-|   ↳ `X` | number | X coordinate |
-|   ↳ `Y` | number | Y coordinate |
-|   ↳ `X` | number | X coordinate |
-|   ↳ `Y` | number | Y coordinate |
-|   ↳ `BoundingBox` | object | Height as ratio of document height |
-|   ↳ `Height` | number | Height as ratio of document height |
-|   ↳ `Left` | number | Left position as ratio of document width |
-|   ↳ `Top` | number | Top position as ratio of document height |
-|   ↳ `Width` | number | Width as ratio of document width |
-|   ↳ `Height` | number | Height as ratio of document height |
-|   ↳ `Left` | number | Left position as ratio of document width |
-|   ↳ `Top` | number | Top position as ratio of document height |
-|   ↳ `Width` | number | Width as ratio of document width |
-|   ↳ `Polygon` | array | Polygon coordinates |
-|   ↳ `X` | number | X coordinate |
-|   ↳ `Y` | number | Y coordinate |
-|   ↳ `X` | number | X coordinate |
-|   ↳ `Y` | number | Y coordinate |
-|   ↳ `Relationships` | array | Relationships to other blocks |
-|   ↳ `Type` | string | Relationship type \(CHILD, VALUE, ANSWER, etc.\) |
-|   ↳ `Ids` | array | IDs of related blocks |
-|   ↳ `Type` | string | Relationship type \(CHILD, VALUE, ANSWER, etc.\) |
-|   ↳ `Ids` | array | IDs of related blocks |
-|   ↳ `EntityTypes` | array | Entity types for KEY_VALUE_SET \(KEY or VALUE\) |
-|   ↳ `SelectionStatus` | string | For checkboxes: SELECTED or NOT_SELECTED |
-|   ↳ `RowIndex` | number | Row index for table cells |
-|   ↳ `ColumnIndex` | number | Column index for table cells |
-|   ↳ `RowSpan` | number | Row span for merged cells |
-|   ↳ `ColumnSpan` | number | Column span for merged cells |
-|   ↳ `Query` | object | Query information for QUERY blocks |
-|   ↳ `Text` | string | Query text |
-|   ↳ `Alias` | string | Query alias |
-|   ↳ `Pages` | array | Pages to search |
-|   ↳ `Alias` | string | Query alias |
-|   ↳ `Pages` | array | Pages to search |
-| `documentMetadata` | object | Metadata about the analyzed document |
-| ↳ `pages` | number | Number of pages in the document |
-| `modelVersion` | string | Version of the Textract model used for processing |
-
-

apps/docs/content/docs/en/tools/video_generator.mdx

@@ -6,7 +6,7 @@ description: Generate videos from text using AI
 import { BlockInfoCard } from "@/components/ui/block-info-card"
 
 <BlockInfoCard 
-  type="video_generator_v2"
+  type="video_generator"
   color="#181C1E"
 />
 

apps/sim/app/(auth)/login/login-form.tsx

@@ -2,9 +2,10 @@
 
 import { useEffect, useState } from 'react'
 import { createLogger } from '@sim/logger'
-import { Eye, EyeOff } from 'lucide-react'
+import { ArrowRight, ChevronRight, Eye, EyeOff } from 'lucide-react'
 import Link from 'next/link'
 import { useRouter, useSearchParams } from 'next/navigation'
+import { Button } from '@/components/ui/button'
 import {
   Dialog,
   DialogContent,
@@ -21,10 +22,8 @@ import { getBaseUrl } from '@/lib/core/utils/urls'
 import { quickValidateEmail } from '@/lib/messaging/email/validation'
 import { inter } from '@/app/_styles/fonts/inter/inter'
 import { soehne } from '@/app/_styles/fonts/soehne/soehne'
-import { BrandedButton } from '@/app/(auth)/components/branded-button'
 import { SocialLoginButtons } from '@/app/(auth)/components/social-login-buttons'
 import { SSOLoginButton } from '@/app/(auth)/components/sso-login-button'
-import { useBrandedButtonClass } from '@/hooks/use-branded-button-class'
 
 const logger = createLogger('LoginForm')
 
@@ -106,7 +105,8 @@ export default function LoginPage({
   const [password, setPassword] = useState('')
   const [passwordErrors, setPasswordErrors] = useState<string[]>([])
   const [showValidationError, setShowValidationError] = useState(false)
-  const buttonClass = useBrandedButtonClass()
+  const [buttonClass, setButtonClass] = useState('branded-button-gradient')
+  const [isButtonHovered, setIsButtonHovered] = useState(false)
 
   const [callbackUrl, setCallbackUrl] = useState('/workspace')
   const [isInviteFlow, setIsInviteFlow] = useState(false)
@@ -114,6 +114,7 @@ export default function LoginPage({
   const [forgotPasswordOpen, setForgotPasswordOpen] = useState(false)
   const [forgotPasswordEmail, setForgotPasswordEmail] = useState('')
   const [isSubmittingReset, setIsSubmittingReset] = useState(false)
+  const [isResetButtonHovered, setIsResetButtonHovered] = useState(false)
   const [resetStatus, setResetStatus] = useState<{
     type: 'success' | 'error' | null
     message: string
@@ -122,7 +123,6 @@ export default function LoginPage({
   const [email, setEmail] = useState('')
   const [emailErrors, setEmailErrors] = useState<string[]>([])
   const [showEmailValidationError, setShowEmailValidationError] = useState(false)
-  const [resetSuccessMessage, setResetSuccessMessage] = useState<string | null>(null)
 
   useEffect(() => {
     setMounted(true)
@@ -139,11 +139,31 @@ export default function LoginPage({
 
       const inviteFlow = searchParams.get('invite_flow') === 'true'
       setIsInviteFlow(inviteFlow)
-
-      const resetSuccess = searchParams.get('resetSuccess') === 'true'
-      if (resetSuccess) {
-        setResetSuccessMessage('Password reset successful. Please sign in with your new password.')
     }
+
+    const checkCustomBrand = () => {
+      const computedStyle = getComputedStyle(document.documentElement)
+      const brandAccent = computedStyle.getPropertyValue('--brand-accent-hex').trim()
+
+      if (brandAccent && brandAccent !== '#6f3dfa') {
+        setButtonClass('branded-button-custom')
+      } else {
+        setButtonClass('branded-button-gradient')
+      }
+    }
+
+    checkCustomBrand()
+
+    window.addEventListener('resize', checkCustomBrand)
+    const observer = new MutationObserver(checkCustomBrand)
+    observer.observe(document.documentElement, {
+      attributes: true,
+      attributeFilter: ['style', 'class'],
+    })
+
+    return () => {
+      window.removeEventListener('resize', checkCustomBrand)
+      observer.disconnect()
     }
   }, [searchParams])
 
@@ -182,13 +202,6 @@ export default function LoginPage({
     e.preventDefault()
     setIsLoading(true)
 
-    const redirectToVerify = (emailToVerify: string) => {
-      if (typeof window !== 'undefined') {
-        sessionStorage.setItem('verificationEmail', emailToVerify)
-      }
-      router.push('/verify')
-    }
-
     const formData = new FormData(e.currentTarget)
     const emailRaw = formData.get('email') as string
     const email = emailRaw.trim().toLowerCase()
@@ -208,7 +221,6 @@ export default function LoginPage({
 
     try {
       const safeCallbackUrl = validateCallbackUrl(callbackUrl) ? callbackUrl : '/workspace'
-      let errorHandled = false
 
       const result = await client.signIn.email(
         {
@@ -219,16 +231,11 @@ export default function LoginPage({
         {
           onError: (ctx) => {
             logger.error('Login error:', ctx.error)
-
-            if (ctx.error.code?.includes('EMAIL_NOT_VERIFIED')) {
-              errorHandled = true
-              redirectToVerify(email)
-              return
-            }
-
-            errorHandled = true
             const errorMessage: string[] = ['Invalid email or password']
 
+            if (ctx.error.code?.includes('EMAIL_NOT_VERIFIED')) {
+              return
+            }
             if (
               ctx.error.code?.includes('BAD_REQUEST') ||
               ctx.error.message?.includes('Email and password sign in is not enabled')
@@ -264,7 +271,6 @@ export default function LoginPage({
               errorMessage.push('Too many requests. Please wait a moment before trying again.')
             }
 
-            setResetSuccessMessage(null)
             setPasswordErrors(errorMessage)
             setShowValidationError(true)
           },
@@ -272,25 +278,15 @@ export default function LoginPage({
       )
 
       if (!result || result.error) {
-        // Show error if not already handled by onError callback
-        if (!errorHandled) {
-          setResetSuccessMessage(null)
-          const errorMessage = result?.error?.message || 'Login failed. Please try again.'
-          setPasswordErrors([errorMessage])
-          setShowValidationError(true)
-        }
         setIsLoading(false)
         return
       }
-
-      // Clear reset success message on successful login
-      setResetSuccessMessage(null)
-
-      // Explicit redirect fallback if better-auth doesn't redirect
-      router.push(safeCallbackUrl)
     } catch (err: any) {
       if (err.message?.includes('not verified') || err.code?.includes('EMAIL_NOT_VERIFIED')) {
-        redirectToVerify(email)
+        if (typeof window !== 'undefined') {
+          sessionStorage.setItem('verificationEmail', email)
+        }
+        router.push('/verify')
         return
       }
 
@@ -404,13 +400,6 @@ export default function LoginPage({
         </div>
       )}
 
-      {/* Password reset success message */}
-      {resetSuccessMessage && (
-        <div className={`${inter.className} mt-1 space-y-1 text-[#4CAF50] text-xs`}>
-          <p>{resetSuccessMessage}</p>
-        </div>
-      )}
-
       {/* Email/Password Form - show unless explicitly disabled */}
       {!isFalsy(getEnv('NEXT_PUBLIC_EMAIL_PASSWORD_SIGNUP_ENABLED')) && (
         <form onSubmit={onSubmit} className={`${inter.className} mt-8 space-y-8`}>
@@ -493,14 +482,24 @@ export default function LoginPage({
             </div>
           </div>
 
-          <BrandedButton
+          <Button
             type='submit'
+            onMouseEnter={() => setIsButtonHovered(true)}
+            onMouseLeave={() => setIsButtonHovered(false)}
+            className='group inline-flex w-full items-center justify-center gap-2 rounded-[10px] border border-[#6F3DFA] bg-gradient-to-b from-[#8357FF] to-[#6F3DFA] py-[6px] pr-[10px] pl-[12px] text-[15px] text-white shadow-[inset_0_2px_4px_0_#9B77FF] transition-all'
             disabled={isLoading}
-            loading={isLoading}
-            loadingText='Signing in'
           >
-            Sign in
+            <span className='flex items-center gap-1'>
-          </BrandedButton>
+              {isLoading ? 'Signing in...' : 'Sign in'}
+              <span className='inline-flex transition-transform duration-200 group-hover:translate-x-0.5'>
+                {isButtonHovered ? (
+                  <ArrowRight className='h-4 w-4' aria-hidden='true' />
+                ) : (
+                  <ChevronRight className='h-4 w-4' aria-hidden='true' />
+                )}
+              </span>
+            </span>
+          </Button>
         </form>
       )}
 
@@ -611,15 +610,25 @@ export default function LoginPage({
                 <p>{resetStatus.message}</p>
               </div>
             )}
-            <BrandedButton
+            <Button
               type='button'
               onClick={handleForgotPassword}
+              onMouseEnter={() => setIsResetButtonHovered(true)}
+              onMouseLeave={() => setIsResetButtonHovered(false)}
+              className='group inline-flex w-full items-center justify-center gap-2 rounded-[10px] border border-[#6F3DFA] bg-gradient-to-b from-[#8357FF] to-[#6F3DFA] py-[6px] pr-[10px] pl-[12px] text-[15px] text-white shadow-[inset_0_2px_4px_0_#9B77FF] transition-all'
               disabled={isSubmittingReset}
-              loading={isSubmittingReset}
-              loadingText='Sending'
             >
-              Send Reset Link
+              <span className='flex items-center gap-1'>
-            </BrandedButton>
+                {isSubmittingReset ? 'Sending...' : 'Send Reset Link'}
+                <span className='inline-flex transition-transform duration-200 group-hover:translate-x-0.5'>
+                  {isResetButtonHovered ? (
+                    <ArrowRight className='h-4 w-4' aria-hidden='true' />
+                  ) : (
+                    <ChevronRight className='h-4 w-4' aria-hidden='true' />
+                  )}
+                </span>
+              </span>
+            </Button>
           </div>
         </DialogContent>
       </Dialog>

apps/sim/app/(auth)/reset-password/reset-password-form.tsx

@@ -1,12 +1,12 @@
 'use client'
 
-import { useState } from 'react'
+import { useEffect, useState } from 'react'
-import { Eye, EyeOff } from 'lucide-react'
+import { ArrowRight, ChevronRight, Eye, EyeOff } from 'lucide-react'
+import { Button } from '@/components/ui/button'
 import { Input } from '@/components/ui/input'
 import { Label } from '@/components/ui/label'
 import { cn } from '@/lib/core/utils/cn'
 import { inter } from '@/app/_styles/fonts/inter/inter'
-import { BrandedButton } from '@/app/(auth)/components/branded-button'
 
 interface RequestResetFormProps {
   email: string
@@ -27,6 +27,36 @@ export function RequestResetForm({
   statusMessage,
   className,
 }: RequestResetFormProps) {
+  const [buttonClass, setButtonClass] = useState('branded-button-gradient')
+  const [isButtonHovered, setIsButtonHovered] = useState(false)
+
+  useEffect(() => {
+    const checkCustomBrand = () => {
+      const computedStyle = getComputedStyle(document.documentElement)
+      const brandAccent = computedStyle.getPropertyValue('--brand-accent-hex').trim()
+
+      if (brandAccent && brandAccent !== '#6f3dfa') {
+        setButtonClass('branded-button-custom')
+      } else {
+        setButtonClass('branded-button-gradient')
+      }
+    }
+
+    checkCustomBrand()
+
+    window.addEventListener('resize', checkCustomBrand)
+    const observer = new MutationObserver(checkCustomBrand)
+    observer.observe(document.documentElement, {
+      attributes: true,
+      attributeFilter: ['style', 'class'],
+    })
+
+    return () => {
+      window.removeEventListener('resize', checkCustomBrand)
+      observer.disconnect()
+    }
+  }, [])
+
   const handleSubmit = async (e: React.FormEvent) => {
     e.preventDefault()
     onSubmit(email)
@@ -64,14 +94,24 @@ export function RequestResetForm({
         )}
       </div>
 
-      <BrandedButton
+      <Button
         type='submit'
         disabled={isSubmitting}
-        loading={isSubmitting}
+        onMouseEnter={() => setIsButtonHovered(true)}
-        loadingText='Sending'
+        onMouseLeave={() => setIsButtonHovered(false)}
+        className='group inline-flex w-full items-center justify-center gap-2 rounded-[10px] border border-[#6F3DFA] bg-gradient-to-b from-[#8357FF] to-[#6F3DFA] py-[6px] pr-[10px] pl-[12px] text-[15px] text-white shadow-[inset_0_2px_4px_0_#9B77FF] transition-all'
       >
-        Send Reset Link
+        <span className='flex items-center gap-1'>
-      </BrandedButton>
+          {isSubmitting ? 'Sending...' : 'Send Reset Link'}
+          <span className='inline-flex transition-transform duration-200 group-hover:translate-x-0.5'>
+            {isButtonHovered ? (
+              <ArrowRight className='h-4 w-4' aria-hidden='true' />
+            ) : (
+              <ChevronRight className='h-4 w-4' aria-hidden='true' />
+            )}
+          </span>
+        </span>
+      </Button>
     </form>
   )
 }
@@ -98,6 +138,35 @@ export function SetNewPasswordForm({
   const [validationMessage, setValidationMessage] = useState('')
   const [showPassword, setShowPassword] = useState(false)
   const [showConfirmPassword, setShowConfirmPassword] = useState(false)
+  const [buttonClass, setButtonClass] = useState('branded-button-gradient')
+  const [isButtonHovered, setIsButtonHovered] = useState(false)
+
+  useEffect(() => {
+    const checkCustomBrand = () => {
+      const computedStyle = getComputedStyle(document.documentElement)
+      const brandAccent = computedStyle.getPropertyValue('--brand-accent-hex').trim()
+
+      if (brandAccent && brandAccent !== '#6f3dfa') {
+        setButtonClass('branded-button-custom')
+      } else {
+        setButtonClass('branded-button-gradient')
+      }
+    }
+
+    checkCustomBrand()
+
+    window.addEventListener('resize', checkCustomBrand)
+    const observer = new MutationObserver(checkCustomBrand)
+    observer.observe(document.documentElement, {
+      attributes: true,
+      attributeFilter: ['style', 'class'],
+    })
+
+    return () => {
+      window.removeEventListener('resize', checkCustomBrand)
+      observer.disconnect()
+    }
+  }, [])
 
   const handleSubmit = async (e: React.FormEvent) => {
     e.preventDefault()
@@ -227,14 +296,24 @@ export function SetNewPasswordForm({
         )}
       </div>
 
-      <BrandedButton
+      <Button
-        type='submit'
         disabled={isSubmitting || !token}
-        loading={isSubmitting}
+        type='submit'
-        loadingText='Resetting'
+        onMouseEnter={() => setIsButtonHovered(true)}
+        onMouseLeave={() => setIsButtonHovered(false)}
+        className='group inline-flex w-full items-center justify-center gap-2 rounded-[10px] border border-[#6F3DFA] bg-gradient-to-b from-[#8357FF] to-[#6F3DFA] py-[6px] pr-[10px] pl-[12px] text-[15px] text-white shadow-[inset_0_2px_4px_0_#9B77FF] transition-all'
       >
-        Reset Password
+        <span className='flex items-center gap-1'>
-      </BrandedButton>
+          {isSubmitting ? 'Resetting...' : 'Reset Password'}
+          <span className='inline-flex transition-transform duration-200 group-hover:translate-x-0.5'>
+            {isButtonHovered ? (
+              <ArrowRight className='h-4 w-4' aria-hidden='true' />
+            ) : (
+              <ChevronRight className='h-4 w-4' aria-hidden='true' />
+            )}
+          </span>
+        </span>
+      </Button>
     </form>
   )
 }

apps/sim/app/(auth)/signup/signup-form.tsx

@@ -2,9 +2,10 @@
 
 import { Suspense, useEffect, useState } from 'react'
 import { createLogger } from '@sim/logger'
-import { Eye, EyeOff } from 'lucide-react'
+import { ArrowRight, ChevronRight, Eye, EyeOff } from 'lucide-react'
 import Link from 'next/link'
 import { useRouter, useSearchParams } from 'next/navigation'
+import { Button } from '@/components/ui/button'
 import { Input } from '@/components/ui/input'
 import { Label } from '@/components/ui/label'
 import { client, useSession } from '@/lib/auth/auth-client'
@@ -13,10 +14,8 @@ import { cn } from '@/lib/core/utils/cn'
 import { quickValidateEmail } from '@/lib/messaging/email/validation'
 import { inter } from '@/app/_styles/fonts/inter/inter'
 import { soehne } from '@/app/_styles/fonts/soehne/soehne'
-import { BrandedButton } from '@/app/(auth)/components/branded-button'
 import { SocialLoginButtons } from '@/app/(auth)/components/social-login-buttons'
 import { SSOLoginButton } from '@/app/(auth)/components/sso-login-button'
-import { useBrandedButtonClass } from '@/hooks/use-branded-button-class'
 
 const logger = createLogger('SignupForm')
 
@@ -96,7 +95,8 @@ function SignupFormContent({
   const [showEmailValidationError, setShowEmailValidationError] = useState(false)
   const [redirectUrl, setRedirectUrl] = useState('')
   const [isInviteFlow, setIsInviteFlow] = useState(false)
-  const buttonClass = useBrandedButtonClass()
+  const [buttonClass, setButtonClass] = useState('branded-button-gradient')
+  const [isButtonHovered, setIsButtonHovered] = useState(false)
 
   const [name, setName] = useState('')
   const [nameErrors, setNameErrors] = useState<string[]>([])
@@ -126,6 +126,31 @@ function SignupFormContent({
     if (inviteFlowParam === 'true') {
       setIsInviteFlow(true)
     }
+
+    const checkCustomBrand = () => {
+      const computedStyle = getComputedStyle(document.documentElement)
+      const brandAccent = computedStyle.getPropertyValue('--brand-accent-hex').trim()
+
+      if (brandAccent && brandAccent !== '#6f3dfa') {
+        setButtonClass('branded-button-custom')
+      } else {
+        setButtonClass('branded-button-gradient')
+      }
+    }
+
+    checkCustomBrand()
+
+    window.addEventListener('resize', checkCustomBrand)
+    const observer = new MutationObserver(checkCustomBrand)
+    observer.observe(document.documentElement, {
+      attributes: true,
+      attributeFilter: ['style', 'class'],
+    })
+
+    return () => {
+      window.removeEventListener('resize', checkCustomBrand)
+      observer.disconnect()
+    }
   }, [searchParams])
 
   const validatePassword = (passwordValue: string): string[] => {
@@ -475,14 +500,24 @@ function SignupFormContent({
             </div>
           </div>
 
-          <BrandedButton
+          <Button
             type='submit'
+            onMouseEnter={() => setIsButtonHovered(true)}
+            onMouseLeave={() => setIsButtonHovered(false)}
+            className='group inline-flex w-full items-center justify-center gap-2 rounded-[10px] border border-[#6F3DFA] bg-gradient-to-b from-[#8357FF] to-[#6F3DFA] py-[6px] pr-[10px] pl-[12px] text-[15px] text-white shadow-[inset_0_2px_4px_0_#9B77FF] transition-all'
             disabled={isLoading}
-            loading={isLoading}
-            loadingText='Creating account'
           >
-            Create account
+            <span className='flex items-center gap-1'>
-          </BrandedButton>
+              {isLoading ? 'Creating account' : 'Create account'}
+              <span className='inline-flex transition-transform duration-200 group-hover:translate-x-0.5'>
+                {isButtonHovered ? (
+                  <ArrowRight className='h-4 w-4' aria-hidden='true' />
+                ) : (
+                  <ChevronRight className='h-4 w-4' aria-hidden='true' />
+                )}
+              </span>
+            </span>
+          </Button>
         </form>
       )}
 

apps/sim/app/(auth)/sso/sso-form.tsx

@@ -13,7 +13,6 @@ import { cn } from '@/lib/core/utils/cn'
 import { quickValidateEmail } from '@/lib/messaging/email/validation'
 import { inter } from '@/app/_styles/fonts/inter/inter'
 import { soehne } from '@/app/_styles/fonts/soehne/soehne'
-import { useBrandedButtonClass } from '@/hooks/use-branded-button-class'
 
 const logger = createLogger('SSOForm')
 
@@ -58,7 +57,7 @@ export default function SSOForm() {
   const [email, setEmail] = useState('')
   const [emailErrors, setEmailErrors] = useState<string[]>([])
   const [showEmailValidationError, setShowEmailValidationError] = useState(false)
-  const buttonClass = useBrandedButtonClass()
+  const [buttonClass, setButtonClass] = useState('branded-button-gradient')
   const [callbackUrl, setCallbackUrl] = useState('/workspace')
 
   useEffect(() => {
@@ -91,6 +90,31 @@ export default function SSOForm() {
         setShowEmailValidationError(true)
       }
     }
+
+    const checkCustomBrand = () => {
+      const computedStyle = getComputedStyle(document.documentElement)
+      const brandAccent = computedStyle.getPropertyValue('--brand-accent-hex').trim()
+
+      if (brandAccent && brandAccent !== '#6f3dfa') {
+        setButtonClass('branded-button-custom')
+      } else {
+        setButtonClass('branded-button-gradient')
+      }
+    }
+
+    checkCustomBrand()
+
+    window.addEventListener('resize', checkCustomBrand)
+    const observer = new MutationObserver(checkCustomBrand)
+    observer.observe(document.documentElement, {
+      attributes: true,
+      attributeFilter: ['style', 'class'],
+    })
+
+    return () => {
+      window.removeEventListener('resize', checkCustomBrand)
+      observer.disconnect()
+    }
   }, [searchParams])
 
   const handleEmailChange = (e: React.ChangeEvent<HTMLInputElement>) => {

apps/sim/app/(auth)/verify/verify-content.tsx

@@ -8,7 +8,6 @@ import { cn } from '@/lib/core/utils/cn'
 import { inter } from '@/app/_styles/fonts/inter/inter'
 import { soehne } from '@/app/_styles/fonts/soehne/soehne'
 import { useVerification } from '@/app/(auth)/verify/use-verification'
-import { useBrandedButtonClass } from '@/hooks/use-branded-button-class'
 
 interface VerifyContentProps {
   hasEmailService: boolean
@@ -59,7 +58,34 @@ function VerificationForm({
     setCountdown(30)
   }
 
-  const buttonClass = useBrandedButtonClass()
+  const [buttonClass, setButtonClass] = useState('branded-button-gradient')
+
+  useEffect(() => {
+    const checkCustomBrand = () => {
+      const computedStyle = getComputedStyle(document.documentElement)
+      const brandAccent = computedStyle.getPropertyValue('--brand-accent-hex').trim()
+
+      if (brandAccent && brandAccent !== '#6f3dfa') {
+        setButtonClass('branded-button-custom')
+      } else {
+        setButtonClass('branded-button-gradient')
+      }
+    }
+
+    checkCustomBrand()
+
+    window.addEventListener('resize', checkCustomBrand)
+    const observer = new MutationObserver(checkCustomBrand)
+    observer.observe(document.documentElement, {
+      attributes: true,
+      attributeFilter: ['style', 'class'],
+    })
+
+    return () => {
+      window.removeEventListener('resize', checkCustomBrand)
+      observer.disconnect()
+    }
+  }, [])
 
   return (
     <>

apps/sim/app/(landing)/careers/page.tsx

@@ -4,6 +4,7 @@ import { useRef, useState } from 'react'
 import { createLogger } from '@sim/logger'
 import { X } from 'lucide-react'
 import { Textarea } from '@/components/emcn'
+import { Button } from '@/components/ui/button'
 import { Input } from '@/components/ui/input'
 import { Label } from '@/components/ui/label'
 import {
@@ -17,7 +18,6 @@ import { isHosted } from '@/lib/core/config/feature-flags'
 import { cn } from '@/lib/core/utils/cn'
 import { quickValidateEmail } from '@/lib/messaging/email/validation'
 import { soehne } from '@/app/_styles/fonts/soehne/soehne'
-import { BrandedButton } from '@/app/(auth)/components/branded-button'
 import Footer from '@/app/(landing)/components/footer/footer'
 import Nav from '@/app/(landing)/components/nav/nav'
 
@@ -493,17 +493,18 @@ export default function CareersPage() {
 
               {/* Submit Button */}
               <div className='flex justify-end pt-2'>
-                <BrandedButton
+                <Button
                   type='submit'
                   disabled={isSubmitting || submitStatus === 'success'}
-                  loading={isSubmitting}
+                  className='min-w-[200px] rounded-[10px] border border-[#6F3DFA] bg-gradient-to-b from-[#8357FF] to-[#6F3DFA] text-white shadow-[inset_0_2px_4px_0_#9B77FF] transition-all duration-300 hover:opacity-90 disabled:opacity-50'
-                  loadingText='Submitting'
+                  size='lg'
-                  showArrow={false}
-                  fullWidth={false}
-                  className='min-w-[200px]'
                 >
-                  {submitStatus === 'success' ? 'Submitted' : 'Submit Application'}
+                  {isSubmitting
-                </BrandedButton>
+                    ? 'Submitting...'
+                    : submitStatus === 'success'
+                      ? 'Submitted'
+                      : 'Submit Application'}
+                </Button>
               </div>
             </form>
           </section>

apps/sim/app/(landing)/components/footer/components/status-indicator.tsx

@@ -59,7 +59,7 @@ export default function StatusIndicator() {
       href={statusUrl}
       target='_blank'
       rel='noopener noreferrer'
-      className={`flex min-w-[165px] items-center gap-[6px] whitespace-nowrap text-[12px] transition-colors ${STATUS_COLORS[status]}`}
+      className={`flex items-center gap-[6px] whitespace-nowrap text-[12px] transition-colors ${STATUS_COLORS[status]}`}
       aria-label={`System status: ${message}`}
     >
       <StatusDotIcon status={status} className='h-[6px] w-[6px]' aria-hidden='true' />

apps/sim/app/(landing)/components/hero/components/index.ts

@@ -10,8 +10,8 @@ export { LandingLoopNode } from './landing-canvas/landing-block/landing-loop-nod
 export { LandingNode } from './landing-canvas/landing-block/landing-node'
 export type { LoopBlockProps } from './landing-canvas/landing-block/loop-block'
 export { LoopBlock } from './landing-canvas/landing-block/loop-block'
-export type { SubBlockRowProps, TagProps } from './landing-canvas/landing-block/tag'
+export type { TagProps } from './landing-canvas/landing-block/tag'
-export { SubBlockRow, Tag } from './landing-canvas/landing-block/tag'
+export { Tag } from './landing-canvas/landing-block/tag'
 export type {
   LandingBlockNode,
   LandingCanvasProps,

apps/sim/app/(landing)/components/hero/components/landing-canvas/landing-block/landing-block.tsx

@@ -1,12 +1,12 @@
 import React from 'react'
+import { BookIcon } from 'lucide-react'
 import {
-  SubBlockRow,
+  Tag,
-  type SubBlockRowProps,
+  type TagProps,
 } from '@/app/(landing)/components/hero/components/landing-canvas/landing-block/tag'
 
 /**
  * Data structure for a landing card component
- * Matches the workflow block structure from the application
  */
 export interface LandingCardData {
   /** Icon element to display in the card header */
@@ -15,8 +15,8 @@ export interface LandingCardData {
   color: string | '#f6f6f6'
   /** Name/title of the card */
   name: string
-  /** Optional subblock rows to display below the header */
+  /** Optional tags to display at the bottom of the card */
-  tags?: SubBlockRowProps[]
+  tags?: TagProps[]
 }
 
 /**
@@ -28,8 +28,7 @@ export interface LandingBlockProps extends LandingCardData {
 }
 
 /**
- * Landing block component that displays a card with icon, name, and optional subblock rows
+ * Landing block component that displays a card with icon, name, and optional tags
- * Styled to match the application's workflow blocks
  * @param props - Component properties including icon, color, name, tags, and className
  * @returns A styled block card component
  */
@@ -40,37 +39,33 @@ export const LandingBlock = React.memo(function LandingBlock({
   tags,
   className,
 }: LandingBlockProps) {
-  const hasContentBelowHeader = tags && tags.length > 0
-
   return (
     <div
-      className={`z-10 flex w-[250px] flex-col rounded-[8px] border border-[#E5E5E5] bg-white ${className ?? ''}`}
+      className={`z-10 flex w-64 flex-col items-start gap-3 rounded-[14px] border border-[#E5E5E5] bg-[#FEFEFE] p-3 ${className ?? ''}`}
+      style={{
+        boxShadow: '0 1px 2px 0 rgba(0, 0, 0, 0.05)',
+      }}
     >
-      {/* Header - matches workflow-block.tsx header styling */}
+      <div className='flex w-full items-center justify-between'>
+        <div className='flex items-center gap-2.5'>
           <div
-        className={`flex items-center justify-between p-[8px] ${hasContentBelowHeader ? 'border-[#E5E5E5] border-b' : ''}`}
+            className='flex h-6 w-6 items-center justify-center rounded-[8px] text-white'
-      >
+            style={{ backgroundColor: color as string }}
-        <div className='flex min-w-0 flex-1 items-center gap-[10px]'>
-          <div
-            className='flex h-[24px] w-[24px] flex-shrink-0 items-center justify-center rounded-[6px]'
-            style={{ background: color as string }}
           >
             {icon}
           </div>
-          <span className='truncate font-medium text-[#171717] text-[16px]' title={name}>
+          <p className='text-base text-card-foreground'>{name}</p>
-            {name}
-          </span>
         </div>
+        <BookIcon className='h-4 w-4 text-muted-foreground' />
       </div>
 
-      {/* Content - SubBlock Rows matching workflow-block.tsx */}
+      {tags && tags.length > 0 ? (
-      {hasContentBelowHeader && (
+        <div className='flex flex-wrap gap-2'>
-        <div className='flex flex-col gap-[8px] p-[8px]'>
           {tags.map((tag) => (
-            <SubBlockRow key={tag.label} icon={tag.icon} label={tag.label} />
+            <Tag key={tag.label} icon={tag.icon} label={tag.label} />
           ))}
         </div>
-      )}
+      ) : null}
     </div>
   )
 })

apps/sim/app/(landing)/components/hero/components/landing-canvas/landing-block/landing-node.tsx

@@ -7,14 +7,9 @@ import {
   type LandingCardData,
 } from '@/app/(landing)/components/hero/components/landing-canvas/landing-block/landing-block'
 
-/**
- * Handle Y offset from block top - matches HANDLE_POSITIONS.DEFAULT_Y_OFFSET
- */
-const HANDLE_Y_OFFSET = 20
-
 /**
  * React Flow node component for the landing canvas
- * Styled to match the application's workflow blocks
+ * Includes CSS animations and connection handles
  * @param props - Component properties containing node data
  * @returns A React Flow compatible node component
  */
@@ -46,15 +41,15 @@ export const LandingNode = React.memo(function LandingNode({ data }: { data: Lan
           type='target'
           position={Position.Left}
           style={{
-            width: '7px',
+            width: '12px',
-            height: '20px',
+            height: '12px',
-            background: '#D1D1D1',
+            background: '#FEFEFE',
-            border: 'none',
+            border: '1px solid #E5E5E5',
-            borderRadius: '2px 0 0 2px',
+            borderRadius: '50%',
-            top: `${HANDLE_Y_OFFSET}px`,
+            top: '50%',
-            left: '-7px',
+            left: '-20px',
             transform: 'translateY(-50%)',
-            zIndex: 10,
+            zIndex: 2,
           }}
           isConnectable={false}
         />
@@ -64,15 +59,15 @@ export const LandingNode = React.memo(function LandingNode({ data }: { data: Lan
           type='source'
           position={Position.Right}
           style={{
-            width: '7px',
+            width: '12px',
-            height: '20px',
+            height: '12px',
-            background: '#D1D1D1',
+            background: '#FEFEFE',
-            border: 'none',
+            border: '1px solid #E5E5E5',
-            borderRadius: '0 2px 2px 0',
+            borderRadius: '50%',
-            top: `${HANDLE_Y_OFFSET}px`,
+            top: '50%',
-            right: '-7px',
+            right: '-20px',
             transform: 'translateY(-50%)',
-            zIndex: 10,
+            zIndex: 2,
           }}
           isConnectable={false}
         />

apps/sim/app/(landing)/components/hero/components/landing-canvas/landing-block/loop-block.tsx

@@ -15,7 +15,6 @@ export interface LoopBlockProps {
 /**
  * Loop block container component that provides a styled container
  * for grouping related elements with a dashed border
- * Styled to match the application's subflow containers
  * @param props - Component properties including children and styling
  * @returns A styled loop container component
  */
@@ -30,33 +29,33 @@ export const LoopBlock = React.memo(function LoopBlock({
       style={{
         width: '1198px',
         height: '528px',
-        borderRadius: '8px',
+        borderRadius: '14px',
-        background: 'rgba(59, 130, 246, 0.08)',
+        background: 'rgba(59, 130, 246, 0.10)',
         position: 'relative',
         ...style,
       }}
     >
-      {/* Custom dashed border with SVG - 8px border radius to match blocks */}
+      {/* Custom dashed border with SVG */}
       <svg
         className='pointer-events-none absolute inset-0 h-full w-full'
-        style={{ borderRadius: '8px' }}
+        style={{ borderRadius: '14px' }}
         preserveAspectRatio='none'
       >
         <path
           className='landing-loop-animated-dash'
-          d='M 1190 527.5 
+          d='M 1183.5 527.5 
-             L 8 527.5 
+             L 14 527.5 
-             A 7.5 7.5 0 0 1 0.5 520 
+             A 13.5 13.5 0 0 1 0.5 514 
-             L 0.5 8 
+             L 0.5 14 
-             A 7.5 7.5 0 0 1 8 0.5 
+             A 13.5 13.5 0 0 1 14 0.5 
-             L 1190 0.5 
+             L 1183.5 0.5 
-             A 7.5 7.5 0 0 1 1197.5 8 
+             A 13.5 13.5 0 0 1 1197 14 
-             L 1197.5 520 
+             L 1197 514 
-             A 7.5 7.5 0 0 1 1190 527.5 Z'
+             A 13.5 13.5 0 0 1 1183.5 527.5 Z'
           fill='none'
           stroke='#3B82F6'
           strokeWidth='1'
-          strokeDasharray='8 8'
+          strokeDasharray='12 12'
           strokeLinecap='round'
         />
       </svg>

apps/sim/app/(landing)/components/hero/components/landing-canvas/landing-block/tag.tsx

@@ -1,52 +1,25 @@
 import React from 'react'
 
 /**
- * Properties for a subblock row component
+ * Properties for a tag component
- * Matches the SubBlockRow pattern from workflow-block.tsx
  */
-export interface SubBlockRowProps {
+export interface TagProps {
-  /** Icon element to display (optional, for visual context) */
+  /** Icon element to display in the tag */
-  icon?: React.ReactNode
+  icon: React.ReactNode
-  /** Text label for the row title */
+  /** Text label for the tag */
   label: string
-  /** Optional value to display on the right side */
-  value?: string
 }
 
 /**
- * Kept for backwards compatibility
+ * Tag component for displaying labeled icons in a compact format
+ * @param props - Tag properties including icon and label
+ * @returns A styled tag component
  */
-export type TagProps = SubBlockRowProps
+export const Tag = React.memo(function Tag({ icon, label }: TagProps) {
-
-/**
- * SubBlockRow component matching the workflow block's subblock row style
- * @param props - Row properties including label and optional value
- * @returns A styled row component
- */
-export const SubBlockRow = React.memo(function SubBlockRow({ label, value }: SubBlockRowProps) {
-  // Split label by colon to separate title and value if present
-  const [title, displayValue] = label.includes(':')
-    ? label.split(':').map((s) => s.trim())
-    : [label, value]
-
   return (
-    <div className='flex items-center gap-[8px]'>
+    <div className='flex w-fit items-center gap-1 rounded-[8px] border border-gray-300 bg-white px-2 py-0.5'>
-      <span className='min-w-0 truncate text-[#888888] text-[14px] capitalize' title={title}>
+      <div className='h-3 w-3 text-muted-foreground'>{icon}</div>
-        {title}
+      <p className='text-muted-foreground text-xs leading-normal'>{label}</p>
-      </span>
-      {displayValue && (
-        <span
-          className='flex-1 truncate text-right text-[#171717] text-[14px]'
-          title={displayValue}
-        >
-          {displayValue}
-        </span>
-      )}
     </div>
   )
 })
-
-/**
- * Tag component - alias for SubBlockRow for backwards compatibility
- */
-export const Tag = SubBlockRow

apps/sim/app/(landing)/components/hero/components/landing-canvas/landing-canvas.tsx

@@ -9,10 +9,9 @@ import { LandingFlow } from '@/app/(landing)/components/hero/components/landing-
 
 /**
  * Visual constants for landing node dimensions
- * Matches BLOCK_DIMENSIONS from the application
  */
-export const CARD_WIDTH = 250
+export const CARD_WIDTH = 256
-export const CARD_HEIGHT = 100
+export const CARD_HEIGHT = 92
 
 /**
  * Landing block node with positioning information

apps/sim/app/(landing)/components/hero/components/landing-canvas/landing-edge/landing-edge.tsx

@@ -4,29 +4,33 @@ import React from 'react'
 import { type EdgeProps, getSmoothStepPath, Position } from 'reactflow'
 
 /**
- * Custom edge component with animated dashed line
+ * Custom edge component with animated dotted line that floats between handles
- * Styled to match the application's workflow edges with rectangular handles
  * @param props - React Flow edge properties
- * @returns An animated dashed edge component
+ * @returns An animated dotted edge component
  */
 export const LandingEdge = React.memo(function LandingEdge(props: EdgeProps) {
-  const { id, sourceX, sourceY, targetX, targetY, sourcePosition, targetPosition, style } = props
+  const { id, sourceX, sourceY, targetX, targetY, sourcePosition, targetPosition, style, data } =
+    props
 
-  // Adjust the connection points to connect flush with rectangular handles
+  // Adjust the connection points to create floating effect
-  // Handle width is 7px, positioned at -7px from edge
+  // Account for handle size (12px) and additional spacing
+  const handleRadius = 6 // Half of handle width (12px)
+  const floatingGap = 1 // Additional gap for floating effect
+
+  // Calculate adjusted positions based on edge direction
   let adjustedSourceX = sourceX
   let adjustedTargetX = targetX
 
   if (sourcePosition === Position.Right) {
-    adjustedSourceX = sourceX + 1
+    adjustedSourceX = sourceX + handleRadius + floatingGap
   } else if (sourcePosition === Position.Left) {
-    adjustedSourceX = sourceX - 1
+    adjustedSourceX = sourceX - handleRadius - floatingGap
   }
 
   if (targetPosition === Position.Left) {
-    adjustedTargetX = targetX - 1
+    adjustedTargetX = targetX - handleRadius - floatingGap
   } else if (targetPosition === Position.Right) {
-    adjustedTargetX = targetX + 1
+    adjustedTargetX = targetX + handleRadius + floatingGap
   }
 
   const [path] = getSmoothStepPath({
@@ -36,8 +40,8 @@ export const LandingEdge = React.memo(function LandingEdge(props: EdgeProps) {
     targetY,
     sourcePosition,
     targetPosition,
-    borderRadius: 8,
+    borderRadius: 20,
-    offset: 16,
+    offset: 10,
   })
 
   return (

apps/sim/app/(landing)/components/hero/hero.tsx

@@ -1,7 +1,16 @@
 'use client'
 
 import React from 'react'
-import { ArrowUp, CodeIcon } from 'lucide-react'
+import {
+  ArrowUp,
+  BinaryIcon,
+  BookIcon,
+  CalendarIcon,
+  CodeIcon,
+  Globe2Icon,
+  MessageSquareIcon,
+  VariableIcon,
+} from 'lucide-react'
 import { useRouter } from 'next/navigation'
 import { type Edge, type Node, Position } from 'reactflow'
 import {
@@ -14,6 +23,7 @@ import {
   JiraIcon,
   LinearIcon,
   NotionIcon,
+  OpenAIIcon,
   OutlookIcon,
   PackageSearchIcon,
   PineconeIcon,
@@ -55,56 +65,67 @@ const SERVICE_TEMPLATES = {
 
 /**
  * Landing blocks for the canvas preview
- * Styled to match the application's workflow blocks with subblock rows
  */
 const LANDING_BLOCKS: LandingManualBlock[] = [
   {
     id: 'schedule',
     name: 'Schedule',
     color: '#7B68EE',
-    icon: <ScheduleIcon className='h-[16px] w-[16px] text-white' />,
+    icon: <ScheduleIcon className='h-4 w-4' />,
     positions: {
       mobile: { x: 8, y: 60 },
       tablet: { x: 40, y: 120 },
       desktop: { x: 60, y: 180 },
     },
-    tags: [{ label: 'Time: 09:00AM Daily' }, { label: 'Timezone: PST' }],
+    tags: [
+      { icon: <CalendarIcon className='h-3 w-3' />, label: '09:00AM Daily' },
+      { icon: <Globe2Icon className='h-3 w-3' />, label: 'PST' },
+    ],
   },
   {
     id: 'knowledge',
     name: 'Knowledge',
     color: '#00B0B0',
-    icon: <PackageSearchIcon className='h-[16px] w-[16px] text-white' />,
+    icon: <PackageSearchIcon className='h-4 w-4' />,
     positions: {
       mobile: { x: 120, y: 140 },
       tablet: { x: 220, y: 200 },
       desktop: { x: 420, y: 241 },
     },
-    tags: [{ label: 'Source: Product Vector DB' }, { label: 'Limit: 10' }],
+    tags: [
+      { icon: <BookIcon className='h-3 w-3' />, label: 'Product Vector DB' },
+      { icon: <BinaryIcon className='h-3 w-3' />, label: 'Limit: 10' },
+    ],
   },
   {
     id: 'agent',
     name: 'Agent',
     color: '#802FFF',
-    icon: <AgentIcon className='h-[16px] w-[16px] text-white' />,
+    icon: <AgentIcon className='h-4 w-4' />,
     positions: {
       mobile: { x: 340, y: 60 },
       tablet: { x: 540, y: 120 },
       desktop: { x: 880, y: 142 },
     },
-    tags: [{ label: 'Model: gpt-5' }, { label: 'Prompt: You are a support ag...' }],
+    tags: [
+      { icon: <OpenAIIcon className='h-3 w-3' />, label: 'gpt-5' },
+      { icon: <MessageSquareIcon className='h-3 w-3' />, label: 'You are a support ag...' },
+    ],
   },
   {
     id: 'function',
     name: 'Function',
     color: '#FF402F',
-    icon: <CodeIcon className='h-[16px] w-[16px] text-white' />,
+    icon: <CodeIcon className='h-4 w-4' />,
     positions: {
       mobile: { x: 480, y: 220 },
       tablet: { x: 740, y: 280 },
       desktop: { x: 880, y: 340 },
     },
-    tags: [{ label: 'Language: Python' }, { label: 'Code: time = "2025-09-01...' }],
+    tags: [
+      { icon: <CodeIcon className='h-3 w-3' />, label: 'Python' },
+      { icon: <VariableIcon className='h-3 w-3' />, label: 'time = "2025-09-01...' },
+    ],
   },
 ]
 

apps/sim/app/(landing)/components/landing-pricing/landing-pricing.tsx

@@ -229,7 +229,7 @@ function PricingCard({
  */
 export default function LandingPricing() {
   return (
-    <section id='pricing' className='px-4 pt-[23px] sm:px-0 sm:pt-[4px]' aria-label='Pricing plans'>
+    <section id='pricing' className='px-4 pt-[19px] sm:px-0 sm:pt-0' aria-label='Pricing plans'>
       <h2 className='sr-only'>Pricing Plans</h2>
       <div className='relative mx-auto w-full max-w-[1289px]'>
         <div className='grid grid-cols-1 gap-4 sm:grid-cols-2 sm:gap-0 lg:grid-cols-4'>

apps/sim/app/(landing)/components/nav/nav.tsx

@@ -11,7 +11,6 @@ import { useBrandConfig } from '@/lib/branding/branding'
 import { isHosted } from '@/lib/core/config/feature-flags'
 import { soehne } from '@/app/_styles/fonts/soehne/soehne'
 import { getFormattedGitHubStars } from '@/app/(landing)/actions/github'
-import { useBrandedButtonClass } from '@/hooks/use-branded-button-class'
 
 const logger = createLogger('nav')
 
@@ -21,12 +20,11 @@ interface NavProps {
 }
 
 export default function Nav({ hideAuthButtons = false, variant = 'landing' }: NavProps = {}) {
-  const [githubStars, setGithubStars] = useState('26.1k')
+  const [githubStars, setGithubStars] = useState('25.1k')
   const [isHovered, setIsHovered] = useState(false)
   const [isLoginHovered, setIsLoginHovered] = useState(false)
   const router = useRouter()
   const brand = useBrandConfig()
-  const buttonClass = useBrandedButtonClass()
 
   useEffect(() => {
     if (variant !== 'landing') return
@@ -185,7 +183,7 @@ export default function Nav({ hideAuthButtons = false, variant = 'landing' }: Na
             href='/signup'
             onMouseEnter={() => setIsHovered(true)}
             onMouseLeave={() => setIsHovered(false)}
-            className={`${buttonClass} group inline-flex items-center justify-center gap-2 rounded-[10px] py-[6px] pr-[10px] pl-[12px] text-[15px] text-white transition-all`}
+            className='group inline-flex items-center justify-center gap-2 rounded-[10px] border border-[#6F3DFA] bg-gradient-to-b from-[#8357FF] to-[#6F3DFA] py-[6px] pr-[10px] pl-[12px] text-[14px] text-white shadow-[inset_0_2px_4px_0_#9B77FF] transition-all sm:text-[16px]'
             aria-label='Get started with Sim - Sign up for free'
             prefetch={true}
           >

apps/sim/app/(landing)/studio/[slug]/back-link.tsx

@@ -1,27 +0,0 @@
-'use client'
-
-import { useState } from 'react'
-import { ArrowLeft, ChevronLeft } from 'lucide-react'
-import Link from 'next/link'
-
-export function BackLink() {
-  const [isHovered, setIsHovered] = useState(false)
-
-  return (
-    <Link
-      href='/studio'
-      className='group flex items-center gap-1 text-gray-600 text-sm hover:text-gray-900'
-      onMouseEnter={() => setIsHovered(true)}
-      onMouseLeave={() => setIsHovered(false)}
-    >
-      <span className='group-hover:-translate-x-0.5 inline-flex transition-transform duration-200'>
-        {isHovered ? (
-          <ArrowLeft className='h-4 w-4' aria-hidden='true' />
-        ) : (
-          <ChevronLeft className='h-4 w-4' aria-hidden='true' />
-        )}
-      </span>
-      Back to Sim Studio
-    </Link>
-  )
-}

apps/sim/app/(landing)/studio/[slug]/page.tsx

@@ -5,10 +5,7 @@ import { Avatar, AvatarFallback, AvatarImage } from '@/components/emcn'
 import { FAQ } from '@/lib/blog/faq'
 import { getAllPostMeta, getPostBySlug, getRelatedPosts } from '@/lib/blog/registry'
 import { buildArticleJsonLd, buildBreadcrumbJsonLd, buildPostMetadata } from '@/lib/blog/seo'
-import { getBaseUrl } from '@/lib/core/utils/urls'
 import { soehne } from '@/app/_styles/fonts/soehne/soehne'
-import { BackLink } from '@/app/(landing)/studio/[slug]/back-link'
-import { ShareButton } from '@/app/(landing)/studio/[slug]/share-button'
 
 export async function generateStaticParams() {
   const posts = await getAllPostMeta()
@@ -51,7 +48,9 @@ export default async function Page({ params }: { params: Promise<{ slug: string
       />
       <header className='mx-auto max-w-[1450px] px-6 pt-8 sm:px-8 sm:pt-12 md:px-12 md:pt-16'>
         <div className='mb-6'>
-          <BackLink />
+          <Link href='/studio' className='text-gray-600 text-sm hover:text-gray-900'>
+            ← Back to Sim Studio
+          </Link>
         </div>
         <div className='flex flex-col gap-8 md:flex-row md:gap-12'>
           <div className='w-full flex-shrink-0 md:w-[450px]'>
@@ -76,8 +75,7 @@ export default async function Page({ params }: { params: Promise<{ slug: string
             >
               {post.title}
             </h1>
-            <div className='mt-4 flex items-center justify-between'>
+            <div className='mt-4 flex items-center gap-3'>
-              <div className='flex items-center gap-3'>
               {(post.authors || [post.author]).map((a, idx) => (
                 <div key={idx} className='flex items-center gap-2'>
                   {a?.avatarUrl ? (
@@ -100,8 +98,6 @@ export default async function Page({ params }: { params: Promise<{ slug: string
                 </div>
               ))}
             </div>
-              <ShareButton url={`${getBaseUrl()}/studio/${slug}`} title={post.title} />
-            </div>
           </div>
         </div>
         <hr className='mt-8 border-gray-200 border-t sm:mt-12' />

apps/sim/app/(landing)/studio/[slug]/share-button.tsx

@@ -1,65 +0,0 @@
-'use client'
-
-import { useState } from 'react'
-import { Share2 } from 'lucide-react'
-import { Popover, PopoverContent, PopoverItem, PopoverTrigger } from '@/components/emcn'
-
-interface ShareButtonProps {
-  url: string
-  title: string
-}
-
-export function ShareButton({ url, title }: ShareButtonProps) {
-  const [open, setOpen] = useState(false)
-  const [copied, setCopied] = useState(false)
-
-  const handleCopyLink = async () => {
-    try {
-      await navigator.clipboard.writeText(url)
-      setCopied(true)
-      setTimeout(() => {
-        setCopied(false)
-        setOpen(false)
-      }, 1000)
-    } catch {
-      setOpen(false)
-    }
-  }
-
-  const handleShareTwitter = () => {
-    const tweetUrl = `https://twitter.com/intent/tweet?url=${encodeURIComponent(url)}&text=${encodeURIComponent(title)}`
-    window.open(tweetUrl, '_blank', 'noopener,noreferrer')
-    setOpen(false)
-  }
-
-  const handleShareLinkedIn = () => {
-    const linkedInUrl = `https://www.linkedin.com/sharing/share-offsite/?url=${encodeURIComponent(url)}`
-    window.open(linkedInUrl, '_blank', 'noopener,noreferrer')
-    setOpen(false)
-  }
-
-  return (
-    <Popover
-      open={open}
-      onOpenChange={setOpen}
-      variant='secondary'
-      size='sm'
-      colorScheme='inverted'
-    >
-      <PopoverTrigger asChild>
-        <button
-          className='flex items-center gap-1.5 text-gray-600 text-sm hover:text-gray-900'
-          aria-label='Share this post'
-        >
-          <Share2 className='h-4 w-4' />
-          <span>Share</span>
-        </button>
-      </PopoverTrigger>
-      <PopoverContent align='end' minWidth={140}>
-        <PopoverItem onClick={handleCopyLink}>{copied ? 'Copied!' : 'Copy link'}</PopoverItem>
-        <PopoverItem onClick={handleShareTwitter}>Share on X</PopoverItem>
-        <PopoverItem onClick={handleShareLinkedIn}>Share on LinkedIn</PopoverItem>
-      </PopoverContent>
-    </Popover>
-  )
-}

apps/sim/app/(landing)/studio/page.tsx

@@ -22,7 +22,7 @@ export default async function StudioIndex({
       ? filtered.sort((a, b) => {
           if (a.featured && !b.featured) return -1
           if (!a.featured && b.featured) return 1
-          return new Date(b.date).getTime() - new Date(a.date).getTime()
+          return 0
         })
       : filtered
 

apps/sim/app/api/a2a/agents/[agentId]/route.ts

@@ -8,7 +8,6 @@ import type { AgentCapabilities, AgentSkill } from '@/lib/a2a/types'
 import { checkHybridAuth } from '@/lib/auth/hybrid'
 import { getRedisClient } from '@/lib/core/config/redis'
 import { loadWorkflowFromNormalizedTables } from '@/lib/workflows/persistence/utils'
-import { checkWorkspaceAccess } from '@/lib/workspaces/permissions/utils'
 
 const logger = createLogger('A2AAgentCardAPI')
 
@@ -96,11 +95,6 @@ export async function PUT(request: NextRequest, { params }: { params: Promise<Ro
       return NextResponse.json({ error: 'Agent not found' }, { status: 404 })
     }
 
-    const workspaceAccess = await checkWorkspaceAccess(existingAgent.workspaceId, auth.userId)
-    if (!workspaceAccess.canWrite) {
-      return NextResponse.json({ error: 'Forbidden' }, { status: 403 })
-    }
-
     const body = await request.json()
 
     if (
@@ -166,11 +160,6 @@ export async function DELETE(request: NextRequest, { params }: { params: Promise
       return NextResponse.json({ error: 'Agent not found' }, { status: 404 })
     }
 
-    const workspaceAccess = await checkWorkspaceAccess(existingAgent.workspaceId, auth.userId)
-    if (!workspaceAccess.canWrite) {
-      return NextResponse.json({ error: 'Forbidden' }, { status: 403 })
-    }
-
     await db.delete(a2aAgent).where(eq(a2aAgent.id, agentId))
 
     logger.info(`Deleted A2A agent: ${agentId}`)
@@ -205,11 +194,6 @@ export async function POST(request: NextRequest, { params }: { params: Promise<R
       return NextResponse.json({ error: 'Agent not found' }, { status: 404 })
     }
 
-    const workspaceAccess = await checkWorkspaceAccess(existingAgent.workspaceId, auth.userId)
-    if (!workspaceAccess.canWrite) {
-      return NextResponse.json({ error: 'Forbidden' }, { status: 403 })
-    }
-
     const body = await request.json()
     const action = body.action as 'publish' | 'unpublish' | 'refresh'
 

apps/sim/app/api/a2a/serve/[agentId]/route.ts

@@ -16,7 +16,6 @@ import {
 import { checkHybridAuth } from '@/lib/auth/hybrid'
 import { getBrandConfig } from '@/lib/branding/branding'
 import { acquireLock, getRedisClient, releaseLock } from '@/lib/core/config/redis'
-import { validateExternalUrl } from '@/lib/core/security/input-validation'
 import { SSE_HEADERS } from '@/lib/core/utils/sse'
 import { getBaseUrl } from '@/lib/core/utils/urls'
 import { markExecutionCancelled } from '@/lib/execution/cancellation'
@@ -1119,13 +1118,17 @@ async function handlePushNotificationSet(
     )
   }
 
-  const urlValidation = validateExternalUrl(
+  try {
-    params.pushNotificationConfig.url,
+    const url = new URL(params.pushNotificationConfig.url)
-    'Push notification URL'
+    if (url.protocol !== 'https:') {
-  )
-  if (!urlValidation.isValid) {
       return NextResponse.json(
-      createError(id, A2A_ERROR_CODES.INVALID_PARAMS, urlValidation.error || 'Invalid URL'),
+        createError(id, A2A_ERROR_CODES.INVALID_PARAMS, 'Push notification URL must use HTTPS'),
+        { status: 400 }
+      )
+    }
+  } catch {
+    return NextResponse.json(
+      createError(id, A2A_ERROR_CODES.INVALID_PARAMS, 'Invalid push notification URL'),
       { status: 400 }
     )
   }

apps/sim/app/api/auth/oauth/utils.ts

@@ -4,11 +4,6 @@ import { createLogger } from '@sim/logger'
 import { and, desc, eq, inArray } from 'drizzle-orm'
 import { getSession } from '@/lib/auth'
 import { refreshOAuthToken } from '@/lib/oauth'
-import {
-  getMicrosoftRefreshTokenExpiry,
-  isMicrosoftProvider,
-  PROACTIVE_REFRESH_THRESHOLD_DAYS,
-} from '@/lib/oauth/microsoft'
 
 const logger = createLogger('OAuthUtilsAPI')
 
@@ -210,32 +205,15 @@ export async function refreshAccessTokenIfNeeded(
   }
 
   // Decide if we should refresh: token missing OR expired
-  const accessTokenExpiresAt = credential.accessTokenExpiresAt
+  const expiresAt = credential.accessTokenExpiresAt
-  const refreshTokenExpiresAt = credential.refreshTokenExpiresAt
   const now = new Date()
-
+  const shouldRefresh =
-  // Check if access token needs refresh (missing or expired)
+    !!credential.refreshToken && (!credential.accessToken || (expiresAt && expiresAt <= now))
-  const accessTokenNeedsRefresh =
-    !!credential.refreshToken &&
-    (!credential.accessToken || (accessTokenExpiresAt && accessTokenExpiresAt <= now))
-
-  // Check if we should proactively refresh to prevent refresh token expiry
-  // This applies to Microsoft providers whose refresh tokens expire after 90 days of inactivity
-  const proactiveRefreshThreshold = new Date(
-    now.getTime() + PROACTIVE_REFRESH_THRESHOLD_DAYS * 24 * 60 * 60 * 1000
-  )
-  const refreshTokenNeedsProactiveRefresh =
-    !!credential.refreshToken &&
-    isMicrosoftProvider(credential.providerId) &&
-    refreshTokenExpiresAt &&
-    refreshTokenExpiresAt <= proactiveRefreshThreshold
-
-  const shouldRefresh = accessTokenNeedsRefresh || refreshTokenNeedsProactiveRefresh
 
   const accessToken = credential.accessToken
 
   if (shouldRefresh) {
-    logger.info(`[${requestId}] Refreshing token for credential`)
+    logger.info(`[${requestId}] Token expired, attempting to refresh for credential`)
     try {
       const refreshedToken = await refreshOAuthToken(
         credential.providerId,
@@ -249,15 +227,11 @@ export async function refreshAccessTokenIfNeeded(
           userId: credential.userId,
           hasRefreshToken: !!credential.refreshToken,
         })
-        if (!accessTokenNeedsRefresh && accessToken) {
-          logger.info(`[${requestId}] Proactive refresh failed but access token still valid`)
-          return accessToken
-        }
         return null
       }
 
       // Prepare update data
-      const updateData: Record<string, unknown> = {
+      const updateData: any = {
         accessToken: refreshedToken.accessToken,
         accessTokenExpiresAt: new Date(Date.now() + refreshedToken.expiresIn * 1000),
         updatedAt: new Date(),
@@ -269,10 +243,6 @@ export async function refreshAccessTokenIfNeeded(
         updateData.refreshToken = refreshedToken.refreshToken
       }
 
-      if (isMicrosoftProvider(credential.providerId)) {
-        updateData.refreshTokenExpiresAt = getMicrosoftRefreshTokenExpiry()
-      }
-
       // Update the token in the database
       await db.update(account).set(updateData).where(eq(account.id, credentialId))
 
@@ -286,10 +256,6 @@ export async function refreshAccessTokenIfNeeded(
         credentialId,
         userId: credential.userId,
       })
-      if (!accessTokenNeedsRefresh && accessToken) {
-        logger.info(`[${requestId}] Proactive refresh failed but access token still valid`)
-        return accessToken
-      }
       return null
     }
   } else if (!accessToken) {
@@ -311,27 +277,10 @@ export async function refreshTokenIfNeeded(
   credentialId: string
 ): Promise<{ accessToken: string; refreshed: boolean }> {
   // Decide if we should refresh: token missing OR expired
-  const accessTokenExpiresAt = credential.accessTokenExpiresAt
+  const expiresAt = credential.accessTokenExpiresAt
-  const refreshTokenExpiresAt = credential.refreshTokenExpiresAt
   const now = new Date()
-
+  const shouldRefresh =
-  // Check if access token needs refresh (missing or expired)
+    !!credential.refreshToken && (!credential.accessToken || (expiresAt && expiresAt <= now))
-  const accessTokenNeedsRefresh =
-    !!credential.refreshToken &&
-    (!credential.accessToken || (accessTokenExpiresAt && accessTokenExpiresAt <= now))
-
-  // Check if we should proactively refresh to prevent refresh token expiry
-  // This applies to Microsoft providers whose refresh tokens expire after 90 days of inactivity
-  const proactiveRefreshThreshold = new Date(
-    now.getTime() + PROACTIVE_REFRESH_THRESHOLD_DAYS * 24 * 60 * 60 * 1000
-  )
-  const refreshTokenNeedsProactiveRefresh =
-    !!credential.refreshToken &&
-    isMicrosoftProvider(credential.providerId) &&
-    refreshTokenExpiresAt &&
-    refreshTokenExpiresAt <= proactiveRefreshThreshold
-
-  const shouldRefresh = accessTokenNeedsRefresh || refreshTokenNeedsProactiveRefresh
 
   // If token appears valid and present, return it directly
   if (!shouldRefresh) {
@@ -344,17 +293,13 @@ export async function refreshTokenIfNeeded(
 
     if (!refreshResult) {
       logger.error(`[${requestId}] Failed to refresh token for credential`)
-      if (!accessTokenNeedsRefresh && credential.accessToken) {
-        logger.info(`[${requestId}] Proactive refresh failed but access token still valid`)
-        return { accessToken: credential.accessToken, refreshed: false }
-      }
       throw new Error('Failed to refresh token')
     }
 
     const { accessToken: refreshedToken, expiresIn, refreshToken: newRefreshToken } = refreshResult
 
     // Prepare update data
-    const updateData: Record<string, unknown> = {
+    const updateData: any = {
       accessToken: refreshedToken,
       accessTokenExpiresAt: new Date(Date.now() + expiresIn * 1000), // Use provider's expiry
       updatedAt: new Date(),
@@ -366,10 +311,6 @@ export async function refreshTokenIfNeeded(
       updateData.refreshToken = newRefreshToken
     }
 
-    if (isMicrosoftProvider(credential.providerId)) {
-      updateData.refreshTokenExpiresAt = getMicrosoftRefreshTokenExpiry()
-    }
-
     await db.update(account).set(updateData).where(eq(account.id, credentialId))
 
     logger.info(`[${requestId}] Successfully refreshed access token`)
@@ -390,11 +331,6 @@ export async function refreshTokenIfNeeded(
       }
     }
 
-    if (!accessTokenNeedsRefresh && credential.accessToken) {
-      logger.info(`[${requestId}] Proactive refresh failed but access token still valid`)
-      return { accessToken: credential.accessToken, refreshed: false }
-    }
-
     logger.error(`[${requestId}] Refresh failed and no valid token found in DB`, error)
     throw error
   }

apps/sim/app/api/auth/reset-password/route.ts

@@ -15,8 +15,7 @@ const resetPasswordSchema = z.object({
     .max(100, 'Password must not exceed 100 characters')
     .regex(/[A-Z]/, 'Password must contain at least one uppercase letter')
     .regex(/[a-z]/, 'Password must contain at least one lowercase letter')
-    .regex(/[0-9]/, 'Password must contain at least one number')
+    .regex(/[0-9]/, 'Password must contain at least one number'),
-    .regex(/[^A-Za-z0-9]/, 'Password must contain at least one special character'),
 })
 
 export async function POST(request: NextRequest) {

apps/sim/app/api/copilot/chat/route.ts

@@ -2,6 +2,7 @@ import { db } from '@sim/db'
 import { copilotChats } from '@sim/db/schema'
 import { createLogger } from '@sim/logger'
 import { and, desc, eq } from 'drizzle-orm'
+import { after } from 'next/server'
 import { type NextRequest, NextResponse } from 'next/server'
 import { z } from 'zod'
 import { getSession } from '@/lib/auth'
@@ -16,6 +17,21 @@ import {
   createRequestTracker,
   createUnauthorizedResponse,
 } from '@/lib/copilot/request-helpers'
+import {
+  type RenderEvent,
+  serializeRenderEvent,
+} from '@/lib/copilot/render-events'
+import {
+  appendChunk,
+  appendContent,
+  checkAbortSignal,
+  completeStream,
+  createStream,
+  errorStream,
+  refreshStreamTTL,
+  updateToolCall,
+} from '@/lib/copilot/stream-persistence'
+import { transformStream } from '@/lib/copilot/stream-transformer'
 import { getCredentialsServerTool } from '@/lib/copilot/tools/server/user/get-credentials'
 import type { CopilotProviderConfig } from '@/lib/copilot/types'
 import { env } from '@/lib/core/config/env'
@@ -26,6 +42,10 @@ import { getLatestVersionTools, stripVersionSuffix } from '@/tools/utils'
 
 const logger = createLogger('CopilotChatAPI')
 
+export const dynamic = 'force-dynamic'
+export const fetchCache = 'force-no-store'
+export const runtime = 'nodejs'
+
 const SIM_AGENT_API_URL = env.SIM_AGENT_API_URL || SIM_AGENT_API_URL_DEFAULT
 
 const FileAttachmentSchema = z.object({
@@ -492,11 +512,28 @@ export async function POST(req: NextRequest) {
       )
     }
 
-    // If streaming is requested, forward the stream and update chat later
+    // If streaming is requested, return a DIRECT SSE stream for low latency
+    // Also persist to Redis in background for stream resumption
     if (stream && simAgentResponse.body) {
-      // Create user message to save
+      // Create stream ID for persistence and resumption
+      const streamId = crypto.randomUUID()
+
+      // Initialize stream state in Redis (fire-and-forget)
+      createStream({
+        streamId,
+        chatId: actualChatId!,
+        userId: authenticatedUserId,
+        workflowId,
+        userMessageId: userMessageIdToUse,
+        isClientSession: true,
+      }).catch(() => {})
+
+      // Save user message to database immediately so it's available on refresh
+      // This is critical for stream resumption - user message must be persisted before stream starts
+      if (currentChat) {
+        const existingMessages = Array.isArray(currentChat.messages) ? currentChat.messages : []
         const userMessage = {
-        id: userMessageIdToUse, // Consistent ID used for request and persistence
+          id: userMessageIdToUse,
           role: 'user',
           content: message,
           timestamp: new Date().toISOString(),
@@ -508,369 +545,217 @@ export async function POST(req: NextRequest) {
             }),
         }
 
-      // Create a pass-through stream that captures the response
+        // Fire-and-forget - don't block the stream
-      const transformedStream = new ReadableStream({
+        db.update(copilotChats)
-        async start(controller) {
+          .set({
-          const encoder = new TextEncoder()
+            messages: [...existingMessages, userMessage],
-          let assistantContent = ''
+            updatedAt: new Date(),
-          const toolCalls: any[] = []
+          })
-          let buffer = ''
+          .where(eq(copilotChats.id, actualChatId!))
-          const isFirstDone = true
+          .catch(() => {})
-          let responseIdFromStart: string | undefined
-          let responseIdFromDone: string | undefined
-          // Track tool call progress to identify a safe done event
-          const announcedToolCallIds = new Set<string>()
-          const startedToolExecutionIds = new Set<string>()
-          const completedToolExecutionIds = new Set<string>()
-          let lastDoneResponseId: string | undefined
-          let lastSafeDoneResponseId: string | undefined
 
-          // Send chatId as first event
+        logger.info(`[${tracker.requestId}] Saving user message (async)`, {
-          if (actualChatId) {
-            const chatIdEvent = `data: ${JSON.stringify({
-              type: 'chat_id',
           chatId: actualChatId,
-            })}\n\n`
+          messageId: userMessageIdToUse,
-            controller.enqueue(encoder.encode(chatIdEvent))
+        })
-            logger.debug(`[${tracker.requestId}] Sent initial chatId event to client`)
       }
 
-          // Start title generation in parallel if needed
+      // Capture needed values
-          if (actualChatId && !currentChat?.title && conversationHistory.length === 0) {
+      const capturedChatId = actualChatId!
+      const capturedCurrentChat = currentChat
+      const assistantMessageId = crypto.randomUUID()
+
+      // Start title generation if needed (runs in parallel)
+      if (capturedChatId && !capturedCurrentChat?.title && conversationHistory.length === 0) {
         generateChatTitle(message)
           .then(async (title) => {
             if (title) {
               await db
                 .update(copilotChats)
-                    .set({
+                .set({ title, updatedAt: new Date() })
-                      title,
+                .where(eq(copilotChats.id, capturedChatId))
-                      updatedAt: new Date(),
-                    })
-                    .where(eq(copilotChats.id, actualChatId!))
-
-                  const titleEvent = `data: ${JSON.stringify({
-                    type: 'title_updated',
-                    title: title,
-                  })}\n\n`
-                  controller.enqueue(encoder.encode(titleEvent))
               logger.info(`[${tracker.requestId}] Generated and saved title: ${title}`)
             }
           })
           .catch((error) => {
             logger.error(`[${tracker.requestId}] Title generation failed:`, error)
           })
-          } else {
-            logger.debug(`[${tracker.requestId}] Skipping title generation`)
       }
 
-          // Forward the sim agent stream and capture assistant response
+      // Track accumulated content for final persistence
-          const reader = simAgentResponse.body!.getReader()
+      let accumulatedContent = ''
-          const decoder = new TextDecoder()
+      const accumulatedToolCalls: Array<{
+        id: string
+        name: string
+        args: Record<string, unknown>
+        state: string
+        result?: unknown
+      }> = []
 
-          try {
-            while (true) {
-              const { done, value } = await reader.read()
-              if (done) {
-                break
-              }
-
-              // Decode and parse SSE events for logging and capturing content
-              const decodedChunk = decoder.decode(value, { stream: true })
-              buffer += decodedChunk
-
-              const lines = buffer.split('\n')
-              buffer = lines.pop() || '' // Keep incomplete line in buffer
-
-              for (const line of lines) {
-                if (line.trim() === '') continue // Skip empty lines
-
-                if (line.startsWith('data: ') && line.length > 6) {
-                  try {
-                    const jsonStr = line.slice(6)
-
-                    // Check if the JSON string is unusually large (potential streaming issue)
-                    if (jsonStr.length > 50000) {
-                      // 50KB limit
-                      logger.warn(`[${tracker.requestId}] Large SSE event detected`, {
-                        size: jsonStr.length,
-                        preview: `${jsonStr.substring(0, 100)}...`,
-                      })
-                    }
-
-                    const event = JSON.parse(jsonStr)
-
-                    // Log different event types comprehensively
-                    switch (event.type) {
-                      case 'content':
-                        if (event.data) {
-                          assistantContent += event.data
-                        }
-                        break
-
-                      case 'reasoning':
-                        logger.debug(
-                          `[${tracker.requestId}] Reasoning chunk received (${(event.data || event.content || '').length} chars)`
-                        )
-                        break
-
-                      case 'tool_call':
-                        if (!event.data?.partial) {
-                          toolCalls.push(event.data)
-                          if (event.data?.id) {
-                            announcedToolCallIds.add(event.data.id)
-                          }
-                        }
-                        break
-
-                      case 'tool_generating':
-                        if (event.toolCallId) {
-                          startedToolExecutionIds.add(event.toolCallId)
-                        }
-                        break
-
-                      case 'tool_result':
-                        if (event.toolCallId) {
-                          completedToolExecutionIds.add(event.toolCallId)
-                        }
-                        break
-
-                      case 'tool_error':
-                        logger.error(`[${tracker.requestId}] Tool error:`, {
-                          toolCallId: event.toolCallId,
-                          toolName: event.toolName,
-                          error: event.error,
-                          success: event.success,
-                        })
-                        if (event.toolCallId) {
-                          completedToolExecutionIds.add(event.toolCallId)
-                        }
-                        break
-
-                      case 'start':
-                        if (event.data?.responseId) {
-                          responseIdFromStart = event.data.responseId
-                        }
-                        break
-
-                      case 'done':
-                        if (event.data?.responseId) {
-                          responseIdFromDone = event.data.responseId
-                          lastDoneResponseId = responseIdFromDone
-
-                          // Mark this done as safe only if no tool call is currently in progress or pending
-                          const announced = announcedToolCallIds.size
-                          const completed = completedToolExecutionIds.size
-                          const started = startedToolExecutionIds.size
-                          const hasToolInProgress = announced > completed || started > completed
-                          if (!hasToolInProgress) {
-                            lastSafeDoneResponseId = responseIdFromDone
-                          }
-                        }
-                        break
-
-                      case 'error':
-                        break
-
-                      default:
-                    }
-
-                    // Emit to client: rewrite 'error' events into user-friendly assistant message
-                    if (event?.type === 'error') {
-                      try {
-                        const displayMessage: string =
-                          (event?.data && (event.data.displayMessage as string)) ||
-                          'Sorry, I encountered an error. Please try again.'
-                        const formatted = `_${displayMessage}_`
-                        // Accumulate so it persists to DB as assistant content
-                        assistantContent += formatted
-                        // Send as content chunk
-                        try {
-                          controller.enqueue(
-                            encoder.encode(
-                              `data: ${JSON.stringify({ type: 'content', data: formatted })}\n\n`
-                            )
-                          )
-                        } catch (enqueueErr) {
-                          reader.cancel()
-                          break
-                        }
-                        // Then close this response cleanly for the client
-                        try {
-                          controller.enqueue(
-                            encoder.encode(`data: ${JSON.stringify({ type: 'done' })}\n\n`)
-                          )
-                        } catch (enqueueErr) {
-                          reader.cancel()
-                          break
-                        }
-                      } catch {}
-                      // Do not forward the original error event
-                    } else {
-                      // Forward original event to client
-                      try {
-                        controller.enqueue(encoder.encode(`data: ${jsonStr}\n\n`))
-                      } catch (enqueueErr) {
-                        reader.cancel()
-                        break
-                      }
-                    }
-                  } catch (e) {
-                    // Enhanced error handling for large payloads and parsing issues
-                    const lineLength = line.length
-                    const isLargePayload = lineLength > 10000
-
-                    if (isLargePayload) {
-                      logger.error(
-                        `[${tracker.requestId}] Failed to parse large SSE event (${lineLength} chars)`,
-                        {
-                          error: e,
-                          preview: `${line.substring(0, 200)}...`,
-                          size: lineLength,
-                        }
-                      )
-                    } else {
-                      logger.warn(
-                        `[${tracker.requestId}] Failed to parse SSE event: "${line.substring(0, 200)}..."`,
-                        e
-                      )
-                    }
-                  }
-                } else if (line.trim() && line !== 'data: [DONE]') {
-                  logger.debug(`[${tracker.requestId}] Non-SSE line from sim agent: "${line}"`)
-                }
-              }
-            }
-
-            // Process any remaining buffer
-            if (buffer.trim()) {
-              logger.debug(`[${tracker.requestId}] Processing remaining buffer: "${buffer}"`)
-              if (buffer.startsWith('data: ')) {
-                try {
-                  const jsonStr = buffer.slice(6)
-                  const event = JSON.parse(jsonStr)
-                  if (event.type === 'content' && event.data) {
-                    assistantContent += event.data
-                  }
-                  // Forward remaining event, applying same error rewrite behavior
-                  if (event?.type === 'error') {
-                    const displayMessage: string =
-                      (event?.data && (event.data.displayMessage as string)) ||
-                      'Sorry, I encountered an error. Please try again.'
-                    const formatted = `_${displayMessage}_`
-                    assistantContent += formatted
-                    try {
-                      controller.enqueue(
-                        encoder.encode(
-                          `data: ${JSON.stringify({ type: 'content', data: formatted })}\n\n`
-                        )
-                      )
-                      controller.enqueue(
-                        encoder.encode(`data: ${JSON.stringify({ type: 'done' })}\n\n`)
-                      )
-                    } catch (enqueueErr) {
-                      reader.cancel()
-                    }
-                  } else {
-                    try {
-                      controller.enqueue(encoder.encode(`data: ${jsonStr}\n\n`))
-                    } catch (enqueueErr) {
-                      reader.cancel()
-                    }
-                  }
-                } catch (e) {
-                  logger.warn(`[${tracker.requestId}] Failed to parse final buffer: "${buffer}"`)
-                }
-              }
-            }
-
-            // Log final streaming summary
-            logger.info(`[${tracker.requestId}] Streaming complete summary:`, {
-              totalContentLength: assistantContent.length,
-              toolCallsCount: toolCalls.length,
-              hasContent: assistantContent.length > 0,
-              toolNames: toolCalls.map((tc) => tc?.name).filter(Boolean),
-            })
-
-            // NOTE: Messages are saved by the client via update-messages endpoint with full contentBlocks.
-            // Server only updates conversationId here to avoid overwriting client's richer save.
-            if (currentChat) {
-              // Persist only a safe conversationId to avoid continuing from a state that expects tool outputs
-              const previousConversationId = currentChat?.conversationId as string | undefined
-              const responseId = lastSafeDoneResponseId || previousConversationId || undefined
-
-              if (responseId) {
-                await db
-                  .update(copilotChats)
-                  .set({
-                    updatedAt: new Date(),
-                    conversationId: responseId,
-                  })
-                  .where(eq(copilotChats.id, actualChatId!))
-
-                logger.info(
-                  `[${tracker.requestId}] Updated conversationId for chat ${actualChatId}`,
-                  {
-                    updatedConversationId: responseId,
-                  }
-                )
-              }
-            }
-          } catch (error) {
-            logger.error(`[${tracker.requestId}] Error processing stream:`, error)
-
-            // Send an error event to the client before closing so it knows what happened
-            try {
-              const errorMessage =
-                error instanceof Error && error.message === 'terminated'
-                  ? 'Connection to AI service was interrupted. Please try again.'
-                  : 'An unexpected error occurred while processing the response.'
       const encoder = new TextEncoder()
 
-              // Send error as content so it shows in the chat
+      // Track if client is still connected
-              controller.enqueue(
+      let clientConnected = true
-                encoder.encode(
+
-                  `data: ${JSON.stringify({ type: 'content', data: `\n\n_${errorMessage}_` })}\n\n`
+      // Create the stream processing promise - this runs independently of client connection
-                )
+      // and is scheduled via after() to ensure it completes even if client disconnects
-              )
+      const streamProcessingPromise = transformStream(simAgentResponse.body!, {
-              // Send done event to properly close the stream on client
+        streamId,
-              controller.enqueue(encoder.encode(`data: ${JSON.stringify({ type: 'done' })}\n\n`))
+        chatId: capturedChatId,
-            } catch (enqueueError) {
+        userId: authenticatedUserId,
-              // Stream might already be closed, that's ok
+        workflowId,
-              logger.warn(
+        userMessageId: userMessageIdToUse,
-                `[${tracker.requestId}] Could not send error event to client:`,
+        assistantMessageId,
-                enqueueError
+
-              )
+        // Emit render events - try to send to client, always persist to Redis
+        onRenderEvent: async (event: RenderEvent) => {
+          const serialized = serializeRenderEvent(event)
+
+          // 1. Persist to Redis FIRST (critical for resumption)
+          appendChunk(streamId, serialized).catch(() => {})
+
+          // 2. Try to send to client if still connected (best effort)
+          if (clientConnected) {
+            try {
+              streamController?.enqueue(encoder.encode(serialized))
+            } catch {
+              // Client disconnected - mark as disconnected and continue processing
+              clientConnected = false
+              logger.info(`[${tracker.requestId}] Client disconnected, continuing server-side`, {
+                streamId,
+              })
             }
-          } finally {
+          }
+
+          // Update stream metadata for specific events
+          switch (event.type) {
+            case 'text_delta':
+              accumulatedContent += (event as any).content || ''
+              appendContent(streamId, (event as any).content || '').catch(() => {})
+              break
+            case 'tool_pending':
+              updateToolCall(streamId, (event as any).toolCallId, {
+                id: (event as any).toolCallId,
+                name: (event as any).toolName,
+                args: (event as any).args || {},
+                state: 'pending',
+              }).catch(() => {})
+              break
+            case 'tool_executing':
+              updateToolCall(streamId, (event as any).toolCallId, {
+                state: 'executing',
+              }).catch(() => {})
+              break
+            case 'tool_success':
+              updateToolCall(streamId, (event as any).toolCallId, {
+                state: 'success',
+                result: (event as any).result,
+              }).catch(() => {})
+              accumulatedToolCalls.push({
+                id: (event as any).toolCallId,
+                name: (event as any).display?.label || '',
+                args: {},
+                state: 'success',
+                result: (event as any).result,
+              })
+              break
+            case 'tool_error':
+              updateToolCall(streamId, (event as any).toolCallId, {
+                state: 'error',
+                error: (event as any).error,
+              }).catch(() => {})
+              accumulatedToolCalls.push({
+                id: (event as any).toolCallId,
+                name: (event as any).display?.label || '',
+                args: {},
+                state: 'error',
+              })
+              break
+          }
+        },
+
+        onPersist: async (data) => {
+          if (data.type === 'message_complete') {
+            completeStream(streamId, undefined).catch(() => {})
+          }
+        },
+
+        // Never abort based on client - let stream complete
+        isAborted: () => false,
+      })
+        .then(() => {
+          if (capturedCurrentChat) {
+            db.update(copilotChats)
+              .set({ updatedAt: new Date() })
+              .where(eq(copilotChats.id, capturedChatId))
+              .catch(() => {})
+          }
+
+          logger.info(`[${tracker.requestId}] Stream processing complete`, {
+            streamId,
+            contentLength: accumulatedContent.length,
+            toolCallsCount: accumulatedToolCalls.length,
+            clientWasConnected: clientConnected,
+          })
+        })
+        .catch((error) => {
+          logger.error(`[${tracker.requestId}] Stream error`, { streamId, error })
+          errorStream(streamId, error instanceof Error ? error.message : 'Unknown error').catch(
+            () => {}
+          )
+        })
+
+      // Use after() to ensure stream processing completes even if client disconnects
+      // This is critical for serverless environments where the handler might be killed
+      after(streamProcessingPromise)
+
+      // Controller reference for the client stream
+      let streamController: ReadableStreamDefaultController<Uint8Array> | null = null
+
+      // Create ReadableStream for client - this is just a view into the processing
+      const readable = new ReadableStream({
+        start(controller) {
+          streamController = controller
+
+          // Prime the SSE stream to avoid buffering proxies
+          try {
+            controller.enqueue(encoder.encode(': ping\n\n'))
+          } catch {}
+
+          // When stream processing completes, close the client stream
+          streamProcessingPromise.finally(() => {
             try {
               controller.close()
             } catch {
-              // Controller might already be closed
+              // Already closed
-            }
             }
+          })
+        },
+        cancel() {
+          // Client cancelled the stream (e.g., navigated away)
+          clientConnected = false
+          logger.info(`[${tracker.requestId}] Client stream cancelled, server continues`, {
+            streamId,
+          })
         },
       })
 
-      const response = new Response(transformedStream, {
+      // Return direct SSE stream with streamId in header for resumption
+      logger.info(`[${tracker.requestId}] Returning direct SSE stream`, {
+        streamId,
+        chatId: capturedChatId,
+      })
+
+      return new Response(readable, {
         headers: {
-          'Content-Type': 'text/event-stream',
+          'Content-Type': 'text/event-stream; charset=utf-8',
-          'Cache-Control': 'no-cache',
+          'Cache-Control': 'no-cache, no-transform',
           Connection: 'keep-alive',
           'X-Accel-Buffering': 'no',
+          'X-Stream-Id': streamId,
+          'X-Chat-Id': capturedChatId,
         },
       })
-
-      logger.info(`[${tracker.requestId}] Returning streaming response to client`, {
-        duration: tracker.getDuration(),
-        chatId: actualChatId,
-        headers: {
-          'Content-Type': 'text/event-stream',
-          'Cache-Control': 'no-cache',
-          Connection: 'keep-alive',
-        },
-      })
-
-      return response
     }
 
     // For non-streaming responses
@@ -899,7 +784,7 @@ export async function POST(req: NextRequest) {
     // Save messages if we have a chat
     if (currentChat && responseData.content) {
       const userMessage = {
-        id: userMessageIdToUse, // Consistent ID used for request and persistence
+        id: userMessageIdToUse,
         role: 'user',
         content: message,
         timestamp: new Date().toISOString(),

apps/sim/app/api/copilot/execute-tool/route.ts

@@ -104,11 +104,17 @@ export async function POST(req: NextRequest) {
     })
 
     // Build execution params starting with LLM-provided arguments
-    // Resolve all {{ENV_VAR}} references in the arguments (deep for nested objects)
+    // Resolve all {{ENV_VAR}} references in the arguments
     const executionParams: Record<string, any> = resolveEnvVarReferences(
       toolArgs,
       decryptedEnvVars,
-      { deep: true }
+      {
+        resolveExactMatch: true,
+        allowEmbedded: true,
+        trimKeys: true,
+        onMissing: 'keep',
+        deep: true,
+      }
     ) as Record<string, any>
 
     logger.info(`[${tracker.requestId}] Resolved env var references in arguments`, {
@@ -218,7 +224,7 @@ export async function POST(req: NextRequest) {
       hasApiKey: !!executionParams.apiKey,
     })
 
-    const result = await executeTool(resolvedToolName, executionParams)
+    const result = await executeTool(resolvedToolName, executionParams, true)
 
     logger.info(`[${tracker.requestId}] Tool execution complete`, {
       toolName,

apps/sim/app/api/copilot/headless/route.ts

@@ -0,0 +1,364 @@
+import { db } from '@sim/db'
+import { copilotChats, workflow as workflowTable } from '@sim/db/schema'
+import { createLogger } from '@sim/logger'
+import { eq } from 'drizzle-orm'
+import { type NextRequest, NextResponse } from 'next/server'
+import { z } from 'zod'
+import { authenticateApiKeyFromHeader, updateApiKeyLastUsed } from '@/lib/api-key/service'
+import { getSession } from '@/lib/auth'
+import { getCopilotModel } from '@/lib/copilot/config'
+import { SIM_AGENT_API_URL_DEFAULT, SIM_AGENT_VERSION } from '@/lib/copilot/constants'
+import { COPILOT_MODEL_IDS } from '@/lib/copilot/models'
+import {
+  createRequestTracker,
+  createUnauthorizedResponse,
+} from '@/lib/copilot/request-helpers'
+import {
+  createStream,
+  completeStream,
+  errorStream,
+  updateStreamStatus,
+} from '@/lib/copilot/stream-persistence'
+import { executeToolServerSide, isServerExecutableTool } from '@/lib/copilot/tools/server/executor'
+import { getCredentialsServerTool } from '@/lib/copilot/tools/server/user/get-credentials'
+import { loadWorkflowFromNormalizedTables } from '@/lib/workflows/persistence/utils'
+import { sanitizeForCopilot } from '@/lib/workflows/sanitization/json-sanitizer'
+import { env } from '@/lib/core/config/env'
+import { tools } from '@/tools/registry'
+import { getLatestVersionTools, stripVersionSuffix } from '@/tools/utils'
+
+const logger = createLogger('HeadlessCopilotAPI')
+
+const SIM_AGENT_API_URL = env.SIM_AGENT_API_URL || SIM_AGENT_API_URL_DEFAULT
+
+const HeadlessRequestSchema = z.object({
+  message: z.string().min(1, 'Message is required'),
+  workflowId: z.string().min(1, 'Workflow ID is required'),
+  chatId: z.string().optional(),
+  model: z.enum(COPILOT_MODEL_IDS).optional(),
+  mode: z.enum(['agent', 'build', 'chat']).optional().default('agent'),
+  timeout: z.number().optional().default(300000), // 5 minute default
+  persistChanges: z.boolean().optional().default(true),
+  createNewChat: z.boolean().optional().default(false),
+})
+
+export const dynamic = 'force-dynamic'
+export const fetchCache = 'force-no-store'
+export const runtime = 'nodejs'
+
+/**
+ * POST /api/copilot/headless
+ *
+ * Execute copilot completely server-side without any client connection.
+ * All tool calls are executed server-side and results are persisted directly.
+ *
+ * Returns the final result after all processing is complete.
+ */
+export async function POST(req: NextRequest) {
+  const tracker = createRequestTracker()
+  const startTime = Date.now()
+
+  try {
+    // Authenticate via session or API key
+    let userId: string | null = null
+
+    const session = await getSession()
+    if (session?.user?.id) {
+      userId = session.user.id
+    } else {
+      // Try API key authentication from header
+      const apiKey = req.headers.get('x-api-key')
+      if (apiKey) {
+        const authResult = await authenticateApiKeyFromHeader(apiKey)
+        if (authResult.success && authResult.userId) {
+          userId = authResult.userId
+          // Update last used timestamp in background
+          if (authResult.keyId) {
+            updateApiKeyLastUsed(authResult.keyId).catch(() => {})
+          }
+        }
+      }
+    }
+
+    if (!userId) {
+      return createUnauthorizedResponse()
+    }
+
+    const body = await req.json()
+    const { message, workflowId, chatId, model, mode, timeout, persistChanges, createNewChat } =
+      HeadlessRequestSchema.parse(body)
+
+    logger.info(`[${tracker.requestId}] Headless copilot request`, {
+      userId,
+      workflowId,
+      messageLength: message.length,
+      mode,
+    })
+
+    // Verify user has access to workflow
+    const [wf] = await db
+      .select({ userId: workflowTable.userId, workspaceId: workflowTable.workspaceId })
+      .from(workflowTable)
+      .where(eq(workflowTable.id, workflowId))
+      .limit(1)
+
+    if (!wf) {
+      return NextResponse.json({ error: 'Workflow not found' }, { status: 404 })
+    }
+
+    // TODO: Add proper workspace access check
+    if (wf.userId !== userId) {
+      return NextResponse.json({ error: 'Access denied' }, { status: 403 })
+    }
+
+    // Load current workflow state from database
+    const workflowData = await loadWorkflowFromNormalizedTables(workflowId)
+    if (!workflowData) {
+      return NextResponse.json({ error: 'Workflow data not found' }, { status: 404 })
+    }
+
+    const sanitizedWorkflow = sanitizeForCopilot({
+      blocks: workflowData.blocks,
+      edges: workflowData.edges,
+      loops: workflowData.loops,
+      parallels: workflowData.parallels,
+    })
+
+    // Create a stream for tracking (even in headless mode)
+    const streamId = crypto.randomUUID()
+    const userMessageId = crypto.randomUUID()
+    const assistantMessageId = crypto.randomUUID()
+
+    await createStream({
+      streamId,
+      chatId: chatId || '',
+      userId,
+      workflowId,
+      userMessageId,
+      isClientSession: false, // Key: this is headless
+    })
+
+    await updateStreamStatus(streamId, 'streaming')
+
+    // Handle chat persistence
+    let actualChatId = chatId
+    if (createNewChat && !chatId) {
+      const { provider, model: defaultModel } = getCopilotModel('chat')
+      const [newChat] = await db
+        .insert(copilotChats)
+        .values({
+          userId,
+          workflowId,
+          title: null,
+          model: model || defaultModel,
+          messages: [],
+        })
+        .returning()
+
+      if (newChat) {
+        actualChatId = newChat.id
+      }
+    }
+
+    // Get credentials for tools
+    let credentials: {
+      oauth: Record<string, { accessToken: string; accountId: string; name: string }>
+      apiKeys: string[]
+    } | null = null
+
+    try {
+      const rawCredentials = await getCredentialsServerTool.execute({ workflowId }, { userId })
+      const oauthMap: Record<string, { accessToken: string; accountId: string; name: string }> = {}
+
+      for (const cred of rawCredentials?.oauth?.connected?.credentials || []) {
+        if (cred.accessToken) {
+          oauthMap[cred.provider] = {
+            accessToken: cred.accessToken,
+            accountId: cred.id,
+            name: cred.name,
+          }
+        }
+      }
+
+      credentials = {
+        oauth: oauthMap,
+        apiKeys: rawCredentials?.environment?.variableNames || [],
+      }
+    } catch (error) {
+      logger.warn(`[${tracker.requestId}] Failed to fetch credentials`, { error })
+    }
+
+    // Build tool definitions
+    const { createUserToolSchema } = await import('@/tools/params')
+    const latestTools = getLatestVersionTools(tools)
+    const integrationTools = Object.entries(latestTools).map(([toolId, toolConfig]) => {
+      const userSchema = createUserToolSchema(toolConfig)
+      const strippedName = stripVersionSuffix(toolId)
+      return {
+        name: strippedName,
+        description: toolConfig.description || toolConfig.name || strippedName,
+        input_schema: userSchema,
+        defer_loading: true,
+      }
+    })
+
+    // Build request payload
+    const defaults = getCopilotModel('chat')
+    const selectedModel = model || defaults.model
+    const effectiveMode = mode === 'agent' ? 'build' : mode
+
+    const requestPayload = {
+      message,
+      workflowId,
+      userId,
+      stream: false, // Non-streaming for headless
+      model: selectedModel,
+      mode: effectiveMode,
+      version: SIM_AGENT_VERSION,
+      messageId: userMessageId,
+      ...(actualChatId && { chatId: actualChatId }),
+      ...(integrationTools.length > 0 && { tools: integrationTools }),
+      ...(credentials && { credentials }),
+    }
+
+    // Call sim agent (non-streaming)
+    const controller = new AbortController()
+    const timeoutId = setTimeout(() => controller.abort(), timeout)
+
+    try {
+      const response = await fetch(`${SIM_AGENT_API_URL}/api/chat-completion`, {
+        method: 'POST',
+        headers: {
+          'Content-Type': 'application/json',
+          ...(env.COPILOT_API_KEY ? { 'x-api-key': env.COPILOT_API_KEY } : {}),
+        },
+        body: JSON.stringify(requestPayload),
+        signal: controller.signal,
+      })
+
+      clearTimeout(timeoutId)
+
+      if (!response.ok) {
+        const errorText = await response.text()
+        logger.error(`[${tracker.requestId}] Sim agent error`, {
+          status: response.status,
+          error: errorText,
+        })
+        await errorStream(streamId, `Agent error: ${response.statusText}`)
+        return NextResponse.json(
+          { error: `Agent error: ${response.statusText}` },
+          { status: response.status }
+        )
+      }
+
+      const result = await response.json()
+
+      // Execute tool calls server-side
+      const toolResults: Record<string, { success: boolean; result?: unknown; error?: string }> = {}
+
+      if (result.toolCalls && Array.isArray(result.toolCalls)) {
+        for (const toolCall of result.toolCalls) {
+          const toolName = toolCall.name
+          const toolArgs = toolCall.arguments || toolCall.input || {}
+
+          logger.info(`[${tracker.requestId}] Executing tool server-side`, {
+            toolName,
+            toolCallId: toolCall.id,
+          })
+
+          if (!isServerExecutableTool(toolName)) {
+            logger.warn(`[${tracker.requestId}] Tool not executable server-side`, { toolName })
+            toolResults[toolCall.id] = {
+              success: false,
+              error: `Tool ${toolName} requires client-side execution`,
+            }
+            continue
+          }
+
+          const toolResult = await executeToolServerSide(
+            { name: toolName, args: toolArgs },
+            { workflowId, userId, persistChanges }
+          )
+
+          toolResults[toolCall.id] = toolResult
+        }
+      }
+
+      // Mark stream complete
+      await completeStream(streamId, { content: result.content, toolResults })
+
+      // Save to chat history
+      if (actualChatId && persistChanges) {
+        const [chat] = await db
+          .select()
+          .from(copilotChats)
+          .where(eq(copilotChats.id, actualChatId))
+          .limit(1)
+
+        const existingMessages = chat ? (Array.isArray(chat.messages) ? chat.messages : []) : []
+
+        const newMessages = [
+          ...existingMessages,
+          {
+            id: userMessageId,
+            role: 'user',
+            content: message,
+            timestamp: new Date().toISOString(),
+          },
+          {
+            id: assistantMessageId,
+            role: 'assistant',
+            content: result.content,
+            timestamp: new Date().toISOString(),
+            toolCalls: Object.entries(toolResults).map(([id, r]) => ({
+              id,
+              success: r.success,
+            })),
+          },
+        ]
+
+        await db
+          .update(copilotChats)
+          .set({ messages: newMessages, updatedAt: new Date() })
+          .where(eq(copilotChats.id, actualChatId))
+      }
+
+      const duration = Date.now() - startTime
+      logger.info(`[${tracker.requestId}] Headless copilot complete`, {
+        duration,
+        contentLength: result.content?.length || 0,
+        toolCallsExecuted: Object.keys(toolResults).length,
+      })
+
+      return NextResponse.json({
+        success: true,
+        streamId,
+        chatId: actualChatId,
+        content: result.content,
+        toolResults,
+        duration,
+      })
+    } catch (error) {
+      clearTimeout(timeoutId)
+
+      if (error instanceof Error && error.name === 'AbortError') {
+        await errorStream(streamId, 'Request timed out')
+        return NextResponse.json({ error: 'Request timed out' }, { status: 504 })
+      }
+
+      throw error
+    }
+  } catch (error) {
+    logger.error(`[${tracker.requestId}] Headless copilot error`, { error })
+
+    if (error instanceof z.ZodError) {
+      return NextResponse.json({ error: 'Invalid request', details: error.errors }, { status: 400 })
+    }
+
+    return NextResponse.json(
+      { error: error instanceof Error ? error.message : 'Internal error' },
+      { status: 500 }
+    )
+  }
+}
+

apps/sim/app/api/copilot/stream/[streamId]/route.ts

@@ -0,0 +1,237 @@
+import { createLogger } from '@sim/logger'
+import { type NextRequest, NextResponse } from 'next/server'
+import { getSession } from '@/lib/auth'
+import {
+  getStreamMetadata,
+  getStreamEvents,
+  getStreamEventCount,
+  getToolCallStates,
+  refreshStreamTTL,
+  checkAbortSignal,
+  abortStream,
+} from '@/lib/copilot/stream-persistence'
+
+const logger = createLogger('StreamResumeAPI')
+
+interface RouteParams {
+  streamId: string
+}
+
+/**
+ * GET /api/copilot/stream/{streamId}
+ * Subscribe to or resume a stream
+ *
+ * Query params:
+ * - offset: Start from this event index (for resumption)
+ * - mode: 'sse' (default) or 'poll'
+ */
+export async function GET(req: NextRequest, { params }: { params: Promise<RouteParams> }) {
+  const { streamId } = await params
+  const session = await getSession()
+
+  if (!session?.user?.id) {
+    return NextResponse.json({ error: 'Unauthorized' }, { status: 401 })
+  }
+
+  const metadata = await getStreamMetadata(streamId)
+  if (!metadata) {
+    return NextResponse.json({ error: 'Stream not found' }, { status: 404 })
+  }
+
+  // Verify user owns this stream
+  if (metadata.userId !== session.user.id) {
+    return NextResponse.json({ error: 'Forbidden' }, { status: 403 })
+  }
+
+  const offset = parseInt(req.nextUrl.searchParams.get('offset') || '0', 10)
+  const mode = req.nextUrl.searchParams.get('mode') || 'sse'
+
+  // Refresh TTL since someone is actively consuming
+  await refreshStreamTTL(streamId)
+
+  // Poll mode: return current state as JSON
+  if (mode === 'poll') {
+    const events = await getStreamEvents(streamId, offset)
+    const toolCalls = await getToolCallStates(streamId)
+    const eventCount = await getStreamEventCount(streamId)
+
+    return NextResponse.json({
+      metadata,
+      events,
+      toolCalls,
+      totalEvents: eventCount,
+      nextOffset: offset + events.length,
+    })
+  }
+
+  // SSE mode: stream events
+  const encoder = new TextEncoder()
+
+  const readable = new ReadableStream({
+    async start(controller) {
+      let closed = false
+
+      const safeEnqueue = (data: string) => {
+        if (closed) return
+        try {
+          controller.enqueue(encoder.encode(data))
+        } catch {
+          closed = true
+        }
+      }
+
+      const safeClose = () => {
+        if (closed) return
+        closed = true
+        try {
+          controller.close()
+        } catch {
+          // Already closed
+        }
+      }
+
+      // Send initial connection event
+      safeEnqueue(`: connected\n\n`)
+
+      // Send metadata
+      safeEnqueue(`event: metadata\ndata: ${JSON.stringify(metadata)}\n\n`)
+
+      // Send tool call states
+      const toolCalls = await getToolCallStates(streamId)
+      if (Object.keys(toolCalls).length > 0) {
+        safeEnqueue(`event: tool_states\ndata: ${JSON.stringify(toolCalls)}\n\n`)
+      }
+
+      // Replay missed events
+      const missedEvents = await getStreamEvents(streamId, offset)
+      for (const event of missedEvents) {
+        safeEnqueue(event)
+      }
+
+      // If stream is complete, send done and close
+      if (metadata.status === 'complete' || metadata.status === 'error' || metadata.status === 'aborted') {
+        safeEnqueue(
+          `event: stream_status\ndata: ${JSON.stringify({
+            status: metadata.status,
+            error: metadata.error,
+          })}\n\n`
+        )
+        safeClose()
+        return
+      }
+
+      // Stream is still active - poll for new events
+      let lastOffset = offset + missedEvents.length
+      const pollInterval = 100 // 100ms
+      const maxPollTime = 5 * 60 * 1000 // 5 minutes max
+      const startTime = Date.now()
+
+      const poll = async () => {
+        if (closed) return
+
+        try {
+          // Check for timeout
+          if (Date.now() - startTime > maxPollTime) {
+            logger.info('Stream poll timeout', { streamId })
+            safeEnqueue(
+              `event: stream_status\ndata: ${JSON.stringify({ status: 'timeout' })}\n\n`
+            )
+            safeClose()
+            return
+          }
+
+          // Check if client disconnected
+          if (await checkAbortSignal(streamId)) {
+            safeEnqueue(
+              `event: stream_status\ndata: ${JSON.stringify({ status: 'aborted' })}\n\n`
+            )
+            safeClose()
+            return
+          }
+
+          // Get current metadata to check status
+          const currentMeta = await getStreamMetadata(streamId)
+          if (!currentMeta) {
+            safeClose()
+            return
+          }
+
+          // Get new events
+          const newEvents = await getStreamEvents(streamId, lastOffset)
+          for (const event of newEvents) {
+            safeEnqueue(event)
+          }
+          lastOffset += newEvents.length
+
+          // Refresh TTL
+          await refreshStreamTTL(streamId)
+
+          // If complete, send status and close
+          if (
+            currentMeta.status === 'complete' ||
+            currentMeta.status === 'error' ||
+            currentMeta.status === 'aborted'
+          ) {
+            safeEnqueue(
+              `event: stream_status\ndata: ${JSON.stringify({
+                status: currentMeta.status,
+                error: currentMeta.error,
+              })}\n\n`
+            )
+            safeClose()
+            return
+          }
+
+          // Continue polling
+          setTimeout(poll, pollInterval)
+        } catch (error) {
+          logger.error('Stream poll error', { streamId, error })
+          safeClose()
+        }
+      }
+
+      // Start polling
+      setTimeout(poll, pollInterval)
+    },
+  })
+
+  return new Response(readable, {
+    headers: {
+      'Content-Type': 'text/event-stream; charset=utf-8',
+      'Cache-Control': 'no-cache, no-transform',
+      Connection: 'keep-alive',
+      'X-Accel-Buffering': 'no',
+      'X-Stream-Id': streamId,
+    },
+  })
+}
+
+/**
+ * DELETE /api/copilot/stream/{streamId}
+ * Abort a stream
+ */
+export async function DELETE(req: NextRequest, { params }: { params: Promise<RouteParams> }) {
+  const { streamId } = await params
+  const session = await getSession()
+
+  if (!session?.user?.id) {
+    return NextResponse.json({ error: 'Unauthorized' }, { status: 401 })
+  }
+
+  const metadata = await getStreamMetadata(streamId)
+  if (!metadata) {
+    return NextResponse.json({ error: 'Stream not found' }, { status: 404 })
+  }
+
+  // Verify user owns this stream
+  if (metadata.userId !== session.user.id) {
+    return NextResponse.json({ error: 'Forbidden' }, { status: 403 })
+  }
+
+  await abortStream(streamId)
+
+  logger.info('Stream aborted by user', { streamId, userId: session.user.id })
+
+  return NextResponse.json({ success: true, streamId })
+}
+

apps/sim/app/api/files/parse/route.ts

@@ -6,10 +6,9 @@ import { createLogger } from '@sim/logger'
 import binaryExtensionsList from 'binary-extensions'
 import { type NextRequest, NextResponse } from 'next/server'
 import { checkHybridAuth } from '@/lib/auth/hybrid'
-import { secureFetchWithPinnedIP, validateUrlWithDNS } from '@/lib/core/security/input-validation'
+import { createPinnedUrl, validateUrlWithDNS } from '@/lib/core/security/input-validation'
 import { isSupportedFileType, parseFile } from '@/lib/file-parsers'
 import { isUsingCloudStorage, type StorageContext, StorageService } from '@/lib/uploads'
-import { uploadExecutionFile } from '@/lib/uploads/contexts/execution'
 import { UPLOAD_DIR_SERVER } from '@/lib/uploads/core/setup.server'
 import { getFileMetadataByKey } from '@/lib/uploads/server/metadata'
 import {
@@ -22,7 +21,6 @@ import {
 } from '@/lib/uploads/utils/file-utils'
 import { getUserEntityPermissions } from '@/lib/workspaces/permissions/utils'
 import { verifyFileAccess } from '@/app/api/files/authorization'
-import type { UserFile } from '@/executor/types'
 import '@/lib/uploads/core/setup.server'
 
 export const dynamic = 'force-dynamic'
@@ -32,12 +30,6 @@ const logger = createLogger('FilesParseAPI')
 const MAX_DOWNLOAD_SIZE_BYTES = 100 * 1024 * 1024 // 100 MB
 const DOWNLOAD_TIMEOUT_MS = 30000 // 30 seconds
 
-interface ExecutionContext {
-  workspaceId: string
-  workflowId: string
-  executionId: string
-}
-
 interface ParseResult {
   success: boolean
   content?: string
@@ -45,7 +37,6 @@ interface ParseResult {
   filePath: string
   originalName?: string // Original filename from database (for workspace files)
   viewerUrl?: string | null // Viewer URL for the file if available
-  userFile?: UserFile // UserFile object for the raw file
   metadata?: {
     fileType: string
     size: number
@@ -79,45 +70,27 @@ export async function POST(request: NextRequest) {
 
     const userId = authResult.userId
     const requestData = await request.json()
-    const { filePath, fileType, workspaceId, workflowId, executionId } = requestData
+    const { filePath, fileType, workspaceId } = requestData
 
     if (!filePath || (typeof filePath === 'string' && filePath.trim() === '')) {
       return NextResponse.json({ success: false, error: 'No file path provided' }, { status: 400 })
     }
 
-    // Build execution context if all required fields are present
+    logger.info('File parse request received:', { filePath, fileType, workspaceId, userId })
-    const executionContext: ExecutionContext | undefined =
-      workspaceId && workflowId && executionId
-        ? { workspaceId, workflowId, executionId }
-        : undefined
-
-    logger.info('File parse request received:', {
-      filePath,
-      fileType,
-      workspaceId,
-      userId,
-      hasExecutionContext: !!executionContext,
-    })
 
     if (Array.isArray(filePath)) {
       const results = []
-      for (const singlePath of filePath) {
+      for (const path of filePath) {
-        if (!singlePath || (typeof singlePath === 'string' && singlePath.trim() === '')) {
+        if (!path || (typeof path === 'string' && path.trim() === '')) {
           results.push({
             success: false,
             error: 'Empty file path in array',
-            filePath: singlePath || '',
+            filePath: path || '',
           })
           continue
         }
 
-        const result = await parseFileSingle(
+        const result = await parseFileSingle(path, fileType, workspaceId, userId)
-          singlePath,
-          fileType,
-          workspaceId,
-          userId,
-          executionContext
-        )
         if (result.metadata) {
           result.metadata.processingTime = Date.now() - startTime
         }
@@ -133,7 +106,6 @@ export async function POST(request: NextRequest) {
               fileType: result.metadata?.fileType || 'application/octet-stream',
               size: result.metadata?.size || 0,
               binary: false,
-              file: result.userFile,
             },
             filePath: result.filePath,
             viewerUrl: result.viewerUrl,
@@ -149,7 +121,7 @@ export async function POST(request: NextRequest) {
       })
     }
 
-    const result = await parseFileSingle(filePath, fileType, workspaceId, userId, executionContext)
+    const result = await parseFileSingle(filePath, fileType, workspaceId, userId)
 
     if (result.metadata) {
       result.metadata.processingTime = Date.now() - startTime
@@ -165,7 +137,6 @@ export async function POST(request: NextRequest) {
           fileType: result.metadata?.fileType || 'application/octet-stream',
           size: result.metadata?.size || 0,
           binary: false,
-          file: result.userFile,
         },
         filePath: result.filePath,
         viewerUrl: result.viewerUrl,
@@ -193,8 +164,7 @@ async function parseFileSingle(
   filePath: string,
   fileType: string,
   workspaceId: string,
-  userId: string,
+  userId: string
-  executionContext?: ExecutionContext
 ): Promise<ParseResult> {
   logger.info('Parsing file:', filePath)
 
@@ -216,18 +186,18 @@ async function parseFileSingle(
   }
 
   if (filePath.includes('/api/files/serve/')) {
-    return handleCloudFile(filePath, fileType, undefined, userId, executionContext)
+    return handleCloudFile(filePath, fileType, undefined, userId)
   }
 
   if (filePath.startsWith('http://') || filePath.startsWith('https://')) {
-    return handleExternalUrl(filePath, fileType, workspaceId, userId, executionContext)
+    return handleExternalUrl(filePath, fileType, workspaceId, userId)
   }
 
   if (isUsingCloudStorage()) {
-    return handleCloudFile(filePath, fileType, undefined, userId, executionContext)
+    return handleCloudFile(filePath, fileType, undefined, userId)
   }
 
-  return handleLocalFile(filePath, fileType, userId, executionContext)
+  return handleLocalFile(filePath, fileType, userId)
 }
 
 /**
@@ -260,14 +230,12 @@ function validateFilePath(filePath: string): { isValid: boolean; error?: string
 /**
  * Handle external URL
  * If workspaceId is provided, checks if file already exists and saves to workspace if not
- * If executionContext is provided, also stores the file in execution storage and returns UserFile
  */
 async function handleExternalUrl(
   url: string,
   fileType: string,
   workspaceId: string,
-  userId: string,
+  userId: string
-  executionContext?: ExecutionContext
 ): Promise<ParseResult> {
   try {
     logger.info('Fetching external URL:', url)
@@ -344,13 +312,17 @@ async function handleExternalUrl(
 
         if (existingFile) {
           const storageFilePath = `/api/files/serve/${existingFile.key}`
-          return handleCloudFile(storageFilePath, fileType, 'workspace', userId, executionContext)
+          return handleCloudFile(storageFilePath, fileType, 'workspace', userId)
         }
       }
     }
 
-    const response = await secureFetchWithPinnedIP(url, urlValidation.resolvedIP!, {
+    const pinnedUrl = createPinnedUrl(url, urlValidation.resolvedIP!)
-      timeout: DOWNLOAD_TIMEOUT_MS,
+    const response = await fetch(pinnedUrl, {
+      signal: AbortSignal.timeout(DOWNLOAD_TIMEOUT_MS),
+      headers: {
+        Host: urlValidation.originalHostname!,
+      },
     })
     if (!response.ok) {
       throw new Error(`Failed to fetch URL: ${response.status} ${response.statusText}`)
@@ -369,19 +341,6 @@ async function handleExternalUrl(
 
     logger.info(`Downloaded file from URL: ${url}, size: ${buffer.length} bytes`)
 
-    let userFile: UserFile | undefined
-    const mimeType = response.headers.get('content-type') || getMimeTypeFromExtension(extension)
-
-    if (executionContext) {
-      try {
-        userFile = await uploadExecutionFile(executionContext, buffer, filename, mimeType, userId)
-        logger.info(`Stored file in execution storage: ${filename}`, { key: userFile.key })
-      } catch (uploadError) {
-        logger.warn(`Failed to store file in execution storage:`, uploadError)
-        // Continue without userFile - parsing can still work
-      }
-    }
-
     if (shouldCheckWorkspace) {
       try {
         const permission = await getUserEntityPermissions(userId, 'workspace', workspaceId)
@@ -394,6 +353,8 @@ async function handleExternalUrl(
           })
         } else {
           const { uploadWorkspaceFile } = await import('@/lib/uploads/contexts/workspace')
+          const mimeType =
+            response.headers.get('content-type') || getMimeTypeFromExtension(extension)
           await uploadWorkspaceFile(workspaceId, userId, buffer, filename, mimeType)
           logger.info(`Saved URL file to workspace storage: ${filename}`)
         }
@@ -402,23 +363,17 @@ async function handleExternalUrl(
       }
     }
 
-    let parseResult: ParseResult
     if (extension === 'pdf') {
-      parseResult = await handlePdfBuffer(buffer, filename, fileType, url)
+      return await handlePdfBuffer(buffer, filename, fileType, url)
-    } else if (extension === 'csv') {
+    }
-      parseResult = await handleCsvBuffer(buffer, filename, fileType, url)
+    if (extension === 'csv') {
-    } else if (isSupportedFileType(extension)) {
+      return await handleCsvBuffer(buffer, filename, fileType, url)
-      parseResult = await handleGenericTextBuffer(buffer, filename, extension, fileType, url)
+    }
-    } else {
+    if (isSupportedFileType(extension)) {
-      parseResult = handleGenericBuffer(buffer, filename, extension, fileType)
+      return await handleGenericTextBuffer(buffer, filename, extension, fileType, url)
     }
 
-    // Attach userFile to the result
+    return handleGenericBuffer(buffer, filename, extension, fileType)
-    if (userFile) {
-      parseResult.userFile = userFile
-    }
-
-    return parseResult
   } catch (error) {
     logger.error(`Error handling external URL ${url}:`, error)
     return {
@@ -431,15 +386,12 @@ async function handleExternalUrl(
 
 /**
  * Handle file stored in cloud storage
- * If executionContext is provided and file is not already from execution storage,
- * copies the file to execution storage and returns UserFile
  */
 async function handleCloudFile(
   filePath: string,
   fileType: string,
   explicitContext: string | undefined,
-  userId: string,
+  userId: string
-  executionContext?: ExecutionContext
 ): Promise<ParseResult> {
   try {
     const cloudKey = extractStorageKey(filePath)
@@ -486,7 +438,6 @@ async function handleCloudFile(
 
     const filename = originalFilename || cloudKey.split('/').pop() || cloudKey
     const extension = path.extname(filename).toLowerCase().substring(1)
-    const mimeType = getMimeTypeFromExtension(extension)
 
     const normalizedFilePath = `/api/files/serve/${encodeURIComponent(cloudKey)}?context=${context}`
     let workspaceIdFromKey: string | undefined
@@ -502,39 +453,6 @@ async function handleCloudFile(
 
     const viewerUrl = getViewerUrl(cloudKey, workspaceIdFromKey)
 
-    // Store file in execution storage if executionContext is provided
-    let userFile: UserFile | undefined
-
-    if (executionContext) {
-      // If file is already from execution context, create UserFile reference without re-uploading
-      if (context === 'execution') {
-        userFile = {
-          id: `file_${Date.now()}_${Math.random().toString(36).substring(2, 9)}`,
-          name: filename,
-          url: normalizedFilePath,
-          size: fileBuffer.length,
-          type: mimeType,
-          key: cloudKey,
-          context: 'execution',
-        }
-        logger.info(`Created UserFile reference for existing execution file: ${filename}`)
-      } else {
-        // Copy from workspace/other storage to execution storage
-        try {
-          userFile = await uploadExecutionFile(
-            executionContext,
-            fileBuffer,
-            filename,
-            mimeType,
-            userId
-          )
-          logger.info(`Copied file to execution storage: ${filename}`, { key: userFile.key })
-        } catch (uploadError) {
-          logger.warn(`Failed to copy file to execution storage:`, uploadError)
-        }
-      }
-    }
-
     let parseResult: ParseResult
     if (extension === 'pdf') {
       parseResult = await handlePdfBuffer(fileBuffer, filename, fileType, normalizedFilePath)
@@ -559,11 +477,6 @@ async function handleCloudFile(
 
     parseResult.viewerUrl = viewerUrl
 
-    // Attach userFile to the result
-    if (userFile) {
-      parseResult.userFile = userFile
-    }
-
     return parseResult
   } catch (error) {
     logger.error(`Error handling cloud file ${filePath}:`, error)
@@ -587,8 +500,7 @@ async function handleCloudFile(
 async function handleLocalFile(
   filePath: string,
   fileType: string,
-  userId: string,
+  userId: string
-  executionContext?: ExecutionContext
 ): Promise<ParseResult> {
   try {
     const filename = filePath.split('/').pop() || filePath
@@ -628,32 +540,13 @@ async function handleLocalFile(
     const hash = createHash('md5').update(fileBuffer).digest('hex')
 
     const extension = path.extname(filename).toLowerCase().substring(1)
-    const mimeType = fileType || getMimeTypeFromExtension(extension)
-
-    // Store file in execution storage if executionContext is provided
-    let userFile: UserFile | undefined
-    if (executionContext) {
-      try {
-        userFile = await uploadExecutionFile(
-          executionContext,
-          fileBuffer,
-          filename,
-          mimeType,
-          userId
-        )
-        logger.info(`Stored local file in execution storage: ${filename}`, { key: userFile.key })
-      } catch (uploadError) {
-        logger.warn(`Failed to store local file in execution storage:`, uploadError)
-      }
-    }
 
     return {
       success: true,
       content: result.content,
       filePath,
-      userFile,
       metadata: {
-        fileType: mimeType,
+        fileType: fileType || getMimeTypeFromExtension(extension),
         size: stats.size,
         hash,
         processingTime: 0,

apps/sim/app/api/form/[identifier]/route.ts

@@ -11,7 +11,7 @@ import { preprocessExecution } from '@/lib/execution/preprocessing'
 import { LoggingSession } from '@/lib/logs/execution/logging-session'
 import { normalizeInputFormatValue } from '@/lib/workflows/input-format'
 import { createStreamingResponse } from '@/lib/workflows/streaming/streaming'
-import { isInputDefinitionTrigger } from '@/lib/workflows/triggers/input-definition-triggers'
+import { isValidStartBlockType } from '@/lib/workflows/triggers/start-block-types'
 import { setFormAuthCookie, validateFormAuth } from '@/app/api/form/utils'
 import { createErrorResponse, createSuccessResponse } from '@/app/api/workflows/utils'
 
@@ -36,7 +36,7 @@ async function getWorkflowInputSchema(workflowId: string): Promise<any[]> {
       .from(workflowBlocks)
       .where(eq(workflowBlocks.workflowId, workflowId))
 
-    const startBlock = blocks.find((block) => isInputDefinitionTrigger(block.type))
+    const startBlock = blocks.find((block) => isValidStartBlockType(block.type))
 
     if (!startBlock) {
       return []

apps/sim/app/api/function/execute/route.test.ts

@@ -84,14 +84,6 @@ vi.mock('@/lib/execution/isolated-vm', () => ({
 
 vi.mock('@sim/logger', () => loggerMock)
 
-vi.mock('@/lib/auth/hybrid', () => ({
-  checkInternalAuth: vi.fn().mockResolvedValue({
-    success: true,
-    userId: 'user-123',
-    authType: 'internal_jwt',
-  }),
-}))
-
 vi.mock('@/lib/execution/e2b', () => ({
   executeInE2B: vi.fn(),
 }))
@@ -118,24 +110,6 @@ describe('Function Execute API Route', () => {
   })
 
   describe('Security Tests', () => {
-    it('should reject unauthorized requests', async () => {
-      const { checkInternalAuth } = await import('@/lib/auth/hybrid')
-      vi.mocked(checkInternalAuth).mockResolvedValueOnce({
-        success: false,
-        error: 'Unauthorized',
-      })
-
-      const req = createMockRequest('POST', {
-        code: 'return "test"',
-      })
-
-      const response = await POST(req)
-      const data = await response.json()
-
-      expect(response.status).toBe(401)
-      expect(data).toHaveProperty('error', 'Unauthorized')
-    })
-
     it.concurrent('should use isolated-vm for secure sandboxed execution', async () => {
       const req = createMockRequest('POST', {
         code: 'return "test"',
@@ -302,11 +276,8 @@ describe('Function Execute API Route', () => {
     it.concurrent('should resolve tag variables with <tag_name> syntax', async () => {
       const req = createMockRequest('POST', {
         code: 'return <email>',
-        blockData: {
+        params: {
-          'block-123': { id: '123', subject: 'Test Email' },
+          email: { id: '123', subject: 'Test Email' },
-        },
-        blockNameMapping: {
-          email: 'block-123',
         },
       })
 
@@ -334,13 +305,9 @@ describe('Function Execute API Route', () => {
     it.concurrent('should only match valid variable names in angle brackets', async () => {
       const req = createMockRequest('POST', {
         code: 'return <validVar> + "<invalid@email.com>" + <another_valid>',
-        blockData: {
+        params: {
-          'block-1': 'hello',
+          validVar: 'hello',
-          'block-2': 'world',
+          another_valid: 'world',
-        },
-        blockNameMapping: {
-          validvar: 'block-1',
-          another_valid: 'block-2',
         },
       })
 
@@ -354,22 +321,28 @@ describe('Function Execute API Route', () => {
     it.concurrent(
       'should handle Gmail webhook data with email addresses containing angle brackets',
       async () => {
-        const emailData = {
+        const gmailData = {
+          email: {
             id: '123',
             from: 'Waleed Latif <waleed@sim.ai>',
             to: 'User <user@example.com>',
             subject: 'Test Email',
             bodyText: 'Hello world',
+          },
+          rawEmail: {
+            id: '123',
+            payload: {
+              headers: [
+                { name: 'From', value: 'Waleed Latif <waleed@sim.ai>' },
+                { name: 'To', value: 'User <user@example.com>' },
+              ],
+            },
+          },
         }
 
         const req = createMockRequest('POST', {
           code: 'return <email>',
-          blockData: {
+          params: gmailData,
-            'block-email': emailData,
-          },
-          blockNameMapping: {
-            email: 'block-email',
-          },
         })
 
         const response = await POST(req)
@@ -383,20 +356,17 @@ describe('Function Execute API Route', () => {
     it.concurrent(
       'should properly serialize complex email objects with special characters',
       async () => {
-        const emailData = {
+        const complexEmailData = {
+          email: {
             from: 'Test User <test@example.com>',
             bodyHtml: '<div>HTML content with "quotes" and \'apostrophes\'</div>',
             bodyText: 'Text with\nnewlines\tand\ttabs',
+          },
         }
 
         const req = createMockRequest('POST', {
           code: 'return <email>',
-          blockData: {
+          params: complexEmailData,
-            'block-email': emailData,
-          },
-          blockNameMapping: {
-            email: 'block-email',
-          },
         })
 
         const response = await POST(req)
@@ -549,7 +519,10 @@ describe('Function Execute API Route', () => {
     })
 
     it.concurrent('should handle JSON serialization edge cases', async () => {
-      const complexData = {
+      const req = createMockRequest('POST', {
+        code: 'return <complexData>',
+        params: {
+          complexData: {
             special: 'chars"with\'quotes',
             unicode: '🎉 Unicode content',
             nested: {
@@ -557,15 +530,7 @@ describe('Function Execute API Route', () => {
                 value: 'test',
               },
             },
-      }
-
-      const req = createMockRequest('POST', {
-        code: 'return <complexData>',
-        blockData: {
-          'block-complex': complexData,
           },
-        blockNameMapping: {
-          complexdata: 'block-complex',
         },
       })
 

apps/sim/app/api/function/execute/route.ts

@@ -1,16 +1,15 @@
 import { createLogger } from '@sim/logger'
 import { type NextRequest, NextResponse } from 'next/server'
-import { checkInternalAuth } from '@/lib/auth/hybrid'
 import { isE2bEnabled } from '@/lib/core/config/feature-flags'
 import { generateRequestId } from '@/lib/core/utils/request'
 import { executeInE2B } from '@/lib/execution/e2b'
 import { executeInIsolatedVM } from '@/lib/execution/isolated-vm'
 import { CodeLanguage, DEFAULT_CODE_LANGUAGE, isValidCodeLanguage } from '@/lib/execution/languages'
 import { escapeRegExp, normalizeName, REFERENCE } from '@/executor/constants'
-import { type OutputSchema, resolveBlockReference } from '@/executor/utils/block-reference'
 import {
   createEnvVarPattern,
   createWorkflowVariablePattern,
+  resolveEnvVarReferences,
 } from '@/executor/utils/reference-validation'
 export const dynamic = 'force-dynamic'
 export const runtime = 'nodejs'
@@ -19,8 +18,8 @@ export const MAX_DURATION = 210
 
 const logger = createLogger('FunctionExecuteAPI')
 
-const E2B_JS_WRAPPER_LINES = 3
+const E2B_JS_WRAPPER_LINES = 3 // Lines before user code: ';(async () => {', '  try {', '    const __sim_result = await (async () => {'
-const E2B_PYTHON_WRAPPER_LINES = 1
+const E2B_PYTHON_WRAPPER_LINES = 1 // Lines before user code: 'def __sim_main__():'
 
 type TypeScriptModule = typeof import('typescript')
 
@@ -135,21 +134,33 @@ function extractEnhancedError(
   if (error.stack) {
     enhanced.stack = error.stack
 
+    // Parse stack trace to extract line and column information
+    // Handle both compilation errors and runtime errors
     const stackLines: string[] = error.stack.split('\n')
 
     for (const line of stackLines) {
+      // Pattern 1: Compilation errors - "user-function.js:6"
       let match = line.match(/user-function\.js:(\d+)(?::(\d+))?/)
 
+      // Pattern 2: Runtime errors - "at user-function.js:5:12"
       if (!match) {
         match = line.match(/at\s+user-function\.js:(\d+):(\d+)/)
       }
 
+      // Pattern 3: Generic patterns for any line containing our filename
+      if (!match) {
+        match = line.match(/user-function\.js:(\d+)(?::(\d+))?/)
+      }
+
       if (match) {
         const stackLine = Number.parseInt(match[1], 10)
         const stackColumn = match[2] ? Number.parseInt(match[2], 10) : undefined
 
+        // Adjust line number to account for wrapper code
+        // The user code starts at a specific line in our wrapper
         const adjustedLine = stackLine - userCodeStartLine + 1
 
+        // Check if this is a syntax error in wrapper code caused by incomplete user code
         const isWrapperSyntaxError =
           stackLine > userCodeStartLine &&
           error.name === 'SyntaxError' &&
@@ -157,6 +168,7 @@ function extractEnhancedError(
             error.message.includes('Unexpected end of input'))
 
         if (isWrapperSyntaxError && userCode) {
+          // Map wrapper syntax errors to the last line of user code
           const codeLines = userCode.split('\n')
           const lastUserLine = codeLines.length
           enhanced.line = lastUserLine
@@ -169,6 +181,7 @@ function extractEnhancedError(
           enhanced.line = adjustedLine
           enhanced.column = stackColumn
 
+          // Extract the actual line content from user code
           if (userCode) {
             const codeLines = userCode.split('\n')
             if (adjustedLine <= codeLines.length) {
@@ -179,6 +192,7 @@ function extractEnhancedError(
         }
 
         if (stackLine <= userCodeStartLine) {
+          // Error is in wrapper code itself
           enhanced.line = stackLine
           enhanced.column = stackColumn
           break
@@ -186,6 +200,7 @@ function extractEnhancedError(
       }
     }
 
+    // Clean up stack trace to show user-relevant information
     const cleanedStackLines: string[] = stackLines
       .filter(
         (line: string) =>
@@ -199,6 +214,9 @@ function extractEnhancedError(
     }
   }
 
+  // Keep original message without adding error type prefix
+  // The error type will be added later in createUserFriendlyErrorMessage
+
   return enhanced
 }
 
@@ -213,6 +231,7 @@ function formatE2BError(
   userCode: string,
   prologueLineCount: number
 ): { formattedError: string; cleanedOutput: string } {
+  // Calculate line offset based on language and prologue
   const wrapperLines =
     language === CodeLanguage.Python ? E2B_PYTHON_WRAPPER_LINES : E2B_JS_WRAPPER_LINES
   const totalOffset = prologueLineCount + wrapperLines
@@ -222,20 +241,27 @@ function formatE2BError(
   let cleanErrorMsg = ''
 
   if (language === CodeLanguage.Python) {
+    // Python error format: "Cell In[X], line Y" followed by error details
+    // Extract line number from the Cell reference
     const cellMatch = errorOutput.match(/Cell In\[\d+\], line (\d+)/)
     if (cellMatch) {
       const originalLine = Number.parseInt(cellMatch[1], 10)
       userLine = originalLine - totalOffset
     }
 
+    // Extract clean error message from the error string
+    // Remove file references like "(detected at line X) (file.py, line Y)"
     cleanErrorMsg = errorMessage
       .replace(/\s*\(detected at line \d+\)/g, '')
       .replace(/\s*\([^)]+\.py, line \d+\)/g, '')
       .trim()
   } else if (language === CodeLanguage.JavaScript) {
+    // JavaScript error format from E2B: "SyntaxError: /path/file.ts: Message. (line:col)\n\n   9 | ..."
+    // First, extract the error type and message from the first line
     const firstLineEnd = errorMessage.indexOf('\n')
     const firstLine = firstLineEnd > 0 ? errorMessage.substring(0, firstLineEnd) : errorMessage
 
+    // Parse: "SyntaxError: /home/user/index.ts: Missing semicolon. (11:9)"
     const jsErrorMatch = firstLine.match(/^(\w+Error):\s*[^:]+:\s*([^(]+)\.\s*\((\d+):(\d+)\)/)
     if (jsErrorMatch) {
       cleanErrorType = jsErrorMatch[1]
@@ -243,11 +269,13 @@ function formatE2BError(
       const originalLine = Number.parseInt(jsErrorMatch[3], 10)
       userLine = originalLine - totalOffset
     } else {
+      // Fallback: look for line number in the arrow pointer line (> 11 |)
       const arrowMatch = errorMessage.match(/^>\s*(\d+)\s*\|/m)
       if (arrowMatch) {
         const originalLine = Number.parseInt(arrowMatch[1], 10)
         userLine = originalLine - totalOffset
       }
+      // Try to extract error type and message
       const errorMatch = firstLine.match(/^(\w+Error):\s*(.+)/)
       if (errorMatch) {
         cleanErrorType = errorMatch[1]
@@ -261,11 +289,13 @@ function formatE2BError(
     }
   }
 
+  // Build the final clean error message
   const finalErrorMsg =
     cleanErrorType && cleanErrorMsg
       ? `${cleanErrorType}: ${cleanErrorMsg}`
       : cleanErrorMsg || errorMessage
 
+  // Format with line number if available
   let formattedError = finalErrorMsg
   if (userLine && userLine > 0) {
     const codeLines = userCode.split('\n')
@@ -281,6 +311,7 @@ function formatE2BError(
     }
   }
 
+  // For stdout, just return the clean error message without the full traceback
   const cleanedOutput = finalErrorMsg
 
   return { formattedError, cleanedOutput }
@@ -296,6 +327,7 @@ function createUserFriendlyErrorMessage(
 ): string {
   let errorMessage = enhanced.message
 
+  // Add line information if available
   if (enhanced.line !== undefined) {
     let lineInfo = `Line ${enhanced.line}`
 
@@ -306,14 +338,18 @@ function createUserFriendlyErrorMessage(
 
     errorMessage = `${lineInfo} - ${errorMessage}`
   } else {
+    // If no line number, try to extract it from stack trace for display
     if (enhanced.stack) {
       const stackMatch = enhanced.stack.match(/user-function\.js:(\d+)(?::(\d+))?/)
       if (stackMatch) {
         const line = Number.parseInt(stackMatch[1], 10)
         let lineInfo = `Line ${line}`
 
+        // Try to get line content if we have userCode
         if (userCode) {
           const codeLines = userCode.split('\n')
+          // Note: stackMatch gives us VM line number, need to adjust
+          // This is a fallback case, so we might not have perfect line mapping
           if (line <= codeLines.length) {
             const lineContent = codeLines[line - 1]?.trim()
             if (lineContent) {
@@ -327,6 +363,7 @@ function createUserFriendlyErrorMessage(
     }
   }
 
+  // Add error type prefix with consistent naming
   if (enhanced.name !== 'Error') {
     const errorTypePrefix =
       enhanced.name === 'SyntaxError'
@@ -337,6 +374,7 @@ function createUserFriendlyErrorMessage(
             ? 'Reference Error'
             : enhanced.name
 
+    // Only add prefix if not already present
     if (!errorMessage.toLowerCase().includes(errorTypePrefix.toLowerCase())) {
       errorMessage = `${errorTypePrefix}: ${errorMessage}`
     }
@@ -345,6 +383,9 @@ function createUserFriendlyErrorMessage(
   return errorMessage
 }
 
+/**
+ * Resolves workflow variables with <variable.name> syntax
+ */
 function resolveWorkflowVariables(
   code: string,
   workflowVariables: Record<string, any>,
@@ -364,35 +405,39 @@ function resolveWorkflowVariables(
   while ((match = regex.exec(code)) !== null) {
     const variableName = match[1].trim()
 
+    // Find the variable by name (workflowVariables is indexed by ID, values are variable objects)
     const foundVariable = Object.entries(workflowVariables).find(
       ([_, variable]) => normalizeName(variable.name || '') === variableName
     )
 
-    if (!foundVariable) {
+    let variableValue: unknown = ''
-      const availableVars = Object.values(workflowVariables)
+    if (foundVariable) {
-        .map((v) => v.name)
-        .filter(Boolean)
-      throw new Error(
-        `Variable "${variableName}" doesn't exist.` +
-          (availableVars.length > 0 ? ` Available: ${availableVars.join(', ')}` : '')
-      )
-    }
-
       const variable = foundVariable[1]
-    let variableValue: unknown = variable.value
+      variableValue = variable.value
 
       if (variable.value !== undefined && variable.value !== null) {
+        try {
+          // Handle 'string' type the same as 'plain' for backward compatibility
           const type = variable.type === 'string' ? 'plain' : variable.type
 
-      if (type === 'number') {
+          // For plain text, use exactly what's entered without modifications
+          if (type === 'plain' && typeof variableValue === 'string') {
+            // Use as-is for plain text
+          } else if (type === 'number') {
             variableValue = Number(variableValue)
           } else if (type === 'boolean') {
             variableValue = variableValue === 'true' || variableValue === true
-      } else if (type === 'json' && typeof variableValue === 'string') {
+          } else if (type === 'json') {
             try {
-          variableValue = JSON.parse(variableValue)
+              variableValue =
+                typeof variableValue === 'string' ? JSON.parse(variableValue) : variableValue
             } catch {
-          // Keep as-is
+              // Keep original value if JSON parsing fails
+            }
+          }
+        } catch {
+          // Fallback to original value on error
+          variableValue = variable.value
         }
       }
     }
@@ -405,9 +450,11 @@ function resolveWorkflowVariables(
     })
   }
 
+  // Process replacements in reverse order to maintain correct indices
   for (let i = replacements.length - 1; i >= 0; i--) {
     const { match: matchStr, index, variableName, variableValue } = replacements[i]
 
+    // Use variable reference approach
     const safeVarName = `__variable_${variableName.replace(/[^a-zA-Z0-9_]/g, '_')}`
     contextVariables[safeVarName] = variableValue
     resolvedCode =
@@ -417,6 +464,9 @@ function resolveWorkflowVariables(
   return resolvedCode
 }
 
+/**
+ * Resolves environment variables with {{var_name}} syntax
+ */
 function resolveEnvironmentVariables(
   code: string,
   params: Record<string, any>,
@@ -432,28 +482,32 @@ function resolveEnvironmentVariables(
 
   const resolverVars: Record<string, string> = {}
   Object.entries(params).forEach(([key, value]) => {
-    if (value !== undefined && value !== null) {
+    if (value) {
       resolverVars[key] = String(value)
     }
   })
   Object.entries(envVars).forEach(([key, value]) => {
-    if (value !== undefined && value !== null) {
+    if (value) {
       resolverVars[key] = value
     }
   })
 
   while ((match = regex.exec(code)) !== null) {
     const varName = match[1].trim()
-
+    const resolved = resolveEnvVarReferences(match[0], resolverVars, {
-    if (!(varName in resolverVars)) {
+      allowEmbedded: true,
-      continue
+      resolveExactMatch: true,
-    }
+      trimKeys: true,
-
+      onMissing: 'empty',
+      deep: false,
+    })
+    const varValue =
+      typeof resolved === 'string' ? resolved : resolved == null ? '' : String(resolved)
     replacements.push({
       match: match[0],
       index: match.index,
       varName,
-      varValue: resolverVars[varName],
+      varValue: String(varValue),
     })
   }
 
@@ -469,59 +523,64 @@ function resolveEnvironmentVariables(
   return resolvedCode
 }
 
+/**
+ * Resolves tags with <tag_name> syntax (including nested paths like <block.response.data>)
+ */
 function resolveTagVariables(
   code: string,
-  blockData: Record<string, unknown>,
+  params: Record<string, any>,
+  blockData: Record<string, any>,
   blockNameMapping: Record<string, string>,
-  blockOutputSchemas: Record<string, OutputSchema>,
+  contextVariables: Record<string, any>
-  contextVariables: Record<string, unknown>,
-  language = 'javascript'
 ): string {
   let resolvedCode = code
-  const undefinedLiteral = language === 'python' ? 'None' : 'undefined'
 
   const tagPattern = new RegExp(
-    `${REFERENCE.START}([a-zA-Z_](?:[a-zA-Z0-9_${REFERENCE.PATH_DELIMITER}]*[a-zA-Z0-9_])?)${REFERENCE.END}`,
+    `${REFERENCE.START}([a-zA-Z_][a-zA-Z0-9_${REFERENCE.PATH_DELIMITER}]*[a-zA-Z0-9_])${REFERENCE.END}`,
     'g'
   )
   const tagMatches = resolvedCode.match(tagPattern) || []
 
   for (const match of tagMatches) {
     const tagName = match.slice(REFERENCE.START.length, -REFERENCE.END.length).trim()
+
+    // Handle nested paths like "getrecord.response.data" or "function1.response.result"
+    // First try params, then blockData directly, then try with block name mapping
+    let tagValue = getNestedValue(params, tagName) || getNestedValue(blockData, tagName) || ''
+
+    // If not found and the path starts with a block name, try mapping the block name to ID
+    if (!tagValue && tagName.includes(REFERENCE.PATH_DELIMITER)) {
       const pathParts = tagName.split(REFERENCE.PATH_DELIMITER)
-    const blockName = pathParts[0]
+      const normalizedBlockName = pathParts[0] // This should already be normalized like "function1"
-    const fieldPath = pathParts.slice(1)
 
-    const result = resolveBlockReference(blockName, fieldPath, {
+      // Direct lookup using normalized block name
-      blockNameMapping,
+      const blockId = blockNameMapping[normalizedBlockName] ?? null
-      blockData,
-      blockOutputSchemas,
-    })
 
-    if (!result) {
+      if (blockId) {
-      continue
+        const remainingPath = pathParts.slice(1).join('.')
+        const fullPath = `${blockId}.${remainingPath}`
+        tagValue = getNestedValue(blockData, fullPath) || ''
+      }
     }
 
-    let tagValue = result.value
+    // If the value is a stringified JSON, parse it back to object
-
+    if (
-    if (tagValue === undefined) {
+      typeof tagValue === 'string' &&
-      resolvedCode = resolvedCode.replace(new RegExp(escapeRegExp(match), 'g'), undefinedLiteral)
+      tagValue.length > 100 &&
-      continue
+      (tagValue.startsWith('{') || tagValue.startsWith('['))
-    }
+    ) {
-
-    if (typeof tagValue === 'string') {
-      const trimmed = tagValue.trimStart()
-      if (trimmed.startsWith('{') || trimmed.startsWith('[')) {
       try {
         tagValue = JSON.parse(tagValue)
-        } catch {
+      } catch (e) {
-          // Keep as string if not valid JSON
+        // Keep as string if parsing fails
-        }
       }
     }
 
-    const safeVarName = `__tag_${tagName.replace(/_/g, '_1').replace(/\./g, '_0')}`
+    // Instead of injecting large JSON directly, create a variable reference
+    const safeVarName = `__tag_${tagName.replace(/[^a-zA-Z0-9_]/g, '_')}`
     contextVariables[safeVarName] = tagValue
+
+    // Replace the template with a variable reference
     resolvedCode = resolvedCode.replace(new RegExp(escapeRegExp(match), 'g'), safeVarName)
   }
 
@@ -537,31 +596,44 @@ function resolveTagVariables(
  */
 function resolveCodeVariables(
   code: string,
-  params: Record<string, unknown>,
+  params: Record<string, any>,
   envVars: Record<string, string> = {},
-  blockData: Record<string, unknown> = {},
+  blockData: Record<string, any> = {},
   blockNameMapping: Record<string, string> = {},
-  blockOutputSchemas: Record<string, OutputSchema> = {},
+  workflowVariables: Record<string, any> = {}
-  workflowVariables: Record<string, unknown> = {},
+): { resolvedCode: string; contextVariables: Record<string, any> } {
-  language = 'javascript'
-): { resolvedCode: string; contextVariables: Record<string, unknown> } {
   let resolvedCode = code
-  const contextVariables: Record<string, unknown> = {}
+  const contextVariables: Record<string, any> = {}
 
+  // Resolve workflow variables with <variable.name> syntax first
   resolvedCode = resolveWorkflowVariables(resolvedCode, workflowVariables, contextVariables)
+
+  // Resolve environment variables with {{var_name}} syntax
   resolvedCode = resolveEnvironmentVariables(resolvedCode, params, envVars, contextVariables)
+
+  // Resolve tags with <tag_name> syntax (including nested paths like <block.response.data>)
   resolvedCode = resolveTagVariables(
     resolvedCode,
+    params,
     blockData,
     blockNameMapping,
-    blockOutputSchemas,
+    contextVariables
-    contextVariables,
-    language
   )
 
   return { resolvedCode, contextVariables }
 }
 
+/**
+ * Get nested value from object using dot notation path
+ */
+function getNestedValue(obj: any, path: string): any {
+  if (!obj || !path) return undefined
+
+  return path.split('.').reduce((current, key) => {
+    return current && typeof current === 'object' ? current[key] : undefined
+  }, obj)
+}
+
 /**
  * Remove one trailing newline from stdout
  * This handles the common case where print() or console.log() adds a trailing \n
@@ -582,12 +654,6 @@ export async function POST(req: NextRequest) {
   let resolvedCode = '' // Store resolved code for error reporting
 
   try {
-    const auth = await checkInternalAuth(req)
-    if (!auth.success || !auth.userId) {
-      logger.warn(`[${requestId}] Unauthorized function execution attempt`)
-      return NextResponse.json({ error: auth.error || 'Unauthorized' }, { status: 401 })
-    }
-
     const body = await req.json()
 
     const { DEFAULT_EXECUTION_TIMEOUT_MS } = await import('@/lib/execution/constants')
@@ -600,12 +666,12 @@ export async function POST(req: NextRequest) {
       envVars = {},
       blockData = {},
       blockNameMapping = {},
-      blockOutputSchemas = {},
       workflowVariables = {},
       workflowId,
       isCustomTool = false,
     } = body
 
+    // Extract internal parameters that shouldn't be passed to the execution context
     const executionParams = { ...params }
     executionParams._context = undefined
 
@@ -617,21 +683,21 @@ export async function POST(req: NextRequest) {
       isCustomTool,
     })
 
-    const lang = isValidCodeLanguage(language) ? language : DEFAULT_CODE_LANGUAGE
+    // Resolve variables in the code with workflow environment variables
-
     const codeResolution = resolveCodeVariables(
       code,
       executionParams,
       envVars,
       blockData,
       blockNameMapping,
-      blockOutputSchemas,
+      workflowVariables
-      workflowVariables,
-      lang
     )
     resolvedCode = codeResolution.resolvedCode
     const contextVariables = codeResolution.contextVariables
 
+    const lang = isValidCodeLanguage(language) ? language : DEFAULT_CODE_LANGUAGE
+
+    // Extract imports once for JavaScript code (reuse later to avoid double extraction)
     let jsImports = ''
     let jsRemainingCode = resolvedCode
     let hasImports = false
@@ -641,22 +707,31 @@ export async function POST(req: NextRequest) {
       jsImports = extractionResult.imports
       jsRemainingCode = extractionResult.remainingCode
 
+      // Check for ES6 imports or CommonJS require statements
+      // ES6 imports are extracted by the TypeScript parser
+      // Also check for require() calls which indicate external dependencies
       const hasRequireStatements = /require\s*\(\s*['"`]/.test(resolvedCode)
       hasImports = jsImports.trim().length > 0 || hasRequireStatements
     }
 
+    // Python always requires E2B
     if (lang === CodeLanguage.Python && !isE2bEnabled) {
       throw new Error(
         'Python execution requires E2B to be enabled. Please contact your administrator to enable E2B, or use JavaScript instead.'
       )
     }
 
+    // JavaScript with imports requires E2B
     if (lang === CodeLanguage.JavaScript && hasImports && !isE2bEnabled) {
       throw new Error(
         'JavaScript code with import statements requires E2B to be enabled. Please remove the import statements, or contact your administrator to enable E2B.'
       )
     }
 
+    // Use E2B if:
+    // - E2B is enabled AND
+    // - Not a custom tool AND
+    // - (Python OR JavaScript with imports)
     const useE2B =
       isE2bEnabled &&
       !isCustomTool &&
@@ -669,10 +744,13 @@ export async function POST(req: NextRequest) {
         language: lang,
       })
       let prologue = ''
+      const epilogue = ''
 
       if (lang === CodeLanguage.JavaScript) {
+        // Track prologue lines for error adjustment
         let prologueLineCount = 0
 
+        // Reuse the imports we already extracted earlier
         const imports = jsImports
         const remainingCode = jsRemainingCode
 
@@ -687,11 +765,7 @@ export async function POST(req: NextRequest) {
         prologue += `const environmentVariables = JSON.parse(${JSON.stringify(JSON.stringify(envVars))});\n`
         prologueLineCount++
         for (const [k, v] of Object.entries(contextVariables)) {
-          if (v === undefined) {
-            prologue += `const ${k} = undefined;\n`
-          } else {
           prologue += `const ${k} = JSON.parse(${JSON.stringify(JSON.stringify(v))});\n`
-          }
           prologueLineCount++
         }
 
@@ -708,7 +782,7 @@ export async function POST(req: NextRequest) {
           '  }',
           '})();',
         ].join('\n')
-        const codeForE2B = importSection + prologue + wrapped
+        const codeForE2B = importSection + prologue + wrapped + epilogue
 
         const execStart = Date.now()
         const {
@@ -730,6 +804,7 @@ export async function POST(req: NextRequest) {
           error: e2bError,
         })
 
+        // If there was an execution error, format it properly
         if (e2bError) {
           const { formattedError, cleanedOutput } = formatE2BError(
             e2bError,
@@ -753,7 +828,7 @@ export async function POST(req: NextRequest) {
           output: { result: e2bResult ?? null, stdout: cleanStdout(stdout), executionTime },
         })
       }
-
+      // Track prologue lines for error adjustment
       let prologueLineCount = 0
       prologue += 'import json\n'
       prologueLineCount++
@@ -762,11 +837,7 @@ export async function POST(req: NextRequest) {
       prologue += `environmentVariables = json.loads(${JSON.stringify(JSON.stringify(envVars))})\n`
       prologueLineCount++
       for (const [k, v] of Object.entries(contextVariables)) {
-        if (v === undefined) {
-          prologue += `${k} = None\n`
-        } else {
         prologue += `${k} = json.loads(${JSON.stringify(JSON.stringify(v))})\n`
-        }
         prologueLineCount++
       }
       const wrapped = [
@@ -775,7 +846,7 @@ export async function POST(req: NextRequest) {
         '__sim_result__ = __sim_main__()',
         "print('__SIM_RESULT__=' + json.dumps(__sim_result__))",
       ].join('\n')
-      const codeForE2B = prologue + wrapped
+      const codeForE2B = prologue + wrapped + epilogue
 
       const execStart = Date.now()
       const {
@@ -797,6 +868,7 @@ export async function POST(req: NextRequest) {
         error: e2bError,
       })
 
+      // If there was an execution error, format it properly
       if (e2bError) {
         const { formattedError, cleanedOutput } = formatE2BError(
           e2bError,
@@ -825,6 +897,7 @@ export async function POST(req: NextRequest) {
 
     const wrapperLines = ['(async () => {', '  try {']
     if (isCustomTool) {
+      wrapperLines.push('    // For custom tools, make parameters directly accessible')
       Object.keys(executionParams).forEach((key) => {
         wrapperLines.push(`    const ${key} = params.${key};`)
       })
@@ -858,10 +931,12 @@ export async function POST(req: NextRequest) {
       })
 
       const ivmError = isolatedResult.error
+      // Adjust line number for prepended param destructuring in custom tools
       let adjustedLine = ivmError.line
       let adjustedLineContent = ivmError.lineContent
       if (prependedLineCount > 0 && ivmError.line !== undefined) {
         adjustedLine = Math.max(1, ivmError.line - prependedLineCount)
+        // Get line content from original user code, not the prepended code
         const codeLines = resolvedCode.split('\n')
         if (adjustedLine <= codeLines.length) {
           adjustedLineContent = codeLines[adjustedLine - 1]?.trim()

apps/sim/app/api/knowledge/[id]/documents/route.test.ts

@@ -157,7 +157,7 @@ describe('Knowledge Base Documents API Route', () => {
       expect(vi.mocked(getDocuments)).toHaveBeenCalledWith(
         'kb-123',
         {
-          enabledFilter: undefined,
+          includeDisabled: false,
           search: undefined,
           limit: 50,
           offset: 0,
@@ -166,7 +166,7 @@ describe('Knowledge Base Documents API Route', () => {
       )
     })
 
-    it('should return documents with default filter', async () => {
+    it('should filter disabled documents by default', async () => {
       const { checkKnowledgeBaseAccess } = await import('@/app/api/knowledge/utils')
       const { getDocuments } = await import('@/lib/knowledge/documents/service')
 
@@ -194,7 +194,7 @@ describe('Knowledge Base Documents API Route', () => {
       expect(vi.mocked(getDocuments)).toHaveBeenCalledWith(
         'kb-123',
         {
-          enabledFilter: undefined,
+          includeDisabled: false,
           search: undefined,
           limit: 50,
           offset: 0,
@@ -203,7 +203,7 @@ describe('Knowledge Base Documents API Route', () => {
       )
     })
 
-    it('should filter documents by enabled status when requested', async () => {
+    it('should include disabled documents when requested', async () => {
       const { checkKnowledgeBaseAccess } = await import('@/app/api/knowledge/utils')
       const { getDocuments } = await import('@/lib/knowledge/documents/service')
 
@@ -223,7 +223,7 @@ describe('Knowledge Base Documents API Route', () => {
         },
       })
 
-      const url = 'http://localhost:3000/api/knowledge/kb-123/documents?enabledFilter=disabled'
+      const url = 'http://localhost:3000/api/knowledge/kb-123/documents?includeDisabled=true'
       const req = new Request(url, { method: 'GET' }) as any
 
       const { GET } = await import('@/app/api/knowledge/[id]/documents/route')
@@ -233,7 +233,7 @@ describe('Knowledge Base Documents API Route', () => {
       expect(vi.mocked(getDocuments)).toHaveBeenCalledWith(
         'kb-123',
         {
-          enabledFilter: 'disabled',
+          includeDisabled: true,
           search: undefined,
           limit: 50,
           offset: 0,
@@ -361,7 +361,8 @@ describe('Knowledge Base Documents API Route', () => {
       expect(vi.mocked(createSingleDocument)).toHaveBeenCalledWith(
         validDocumentData,
         'kb-123',
-        expect.any(String)
+        expect.any(String),
+        'user-123'
       )
     })
 
@@ -469,7 +470,8 @@ describe('Knowledge Base Documents API Route', () => {
       expect(vi.mocked(createDocumentRecords)).toHaveBeenCalledWith(
         validBulkData.documents,
         'kb-123',
-        expect.any(String)
+        expect.any(String),
+        'user-123'
       )
       expect(vi.mocked(processDocumentsWithQueue)).toHaveBeenCalled()
     })

apps/sim/app/api/knowledge/[id]/documents/route.ts

@@ -5,7 +5,6 @@ import { z } from 'zod'
 import { getSession } from '@/lib/auth'
 import {
   bulkDocumentOperation,
-  bulkDocumentOperationByFilter,
   createDocumentRecords,
   createSingleDocument,
   getDocuments,
@@ -58,20 +57,13 @@ const BulkCreateDocumentsSchema = z.object({
   bulk: z.literal(true),
 })
 
-const BulkUpdateDocumentsSchema = z
+const BulkUpdateDocumentsSchema = z.object({
-  .object({
   operation: z.enum(['enable', 'disable', 'delete']),
   documentIds: z
     .array(z.string())
     .min(1, 'At least one document ID is required')
-      .max(100, 'Cannot operate on more than 100 documents at once')
+    .max(100, 'Cannot operate on more than 100 documents at once'),
-      .optional(),
+})
-    selectAll: z.boolean().optional(),
-    enabledFilter: z.enum(['all', 'enabled', 'disabled']).optional(),
-  })
-  .refine((data) => data.selectAll || (data.documentIds && data.documentIds.length > 0), {
-    message: 'Either selectAll must be true or documentIds must be provided',
-  })
 
 export async function GET(req: NextRequest, { params }: { params: Promise<{ id: string }> }) {
   const requestId = randomUUID().slice(0, 8)
@@ -98,17 +90,14 @@ export async function GET(req: NextRequest, { params }: { params: Promise<{ id:
     }
 
     const url = new URL(req.url)
-    const enabledFilter = url.searchParams.get('enabledFilter') as
+    const includeDisabled = url.searchParams.get('includeDisabled') === 'true'
-      | 'all'
-      | 'enabled'
-      | 'disabled'
-      | null
     const search = url.searchParams.get('search') || undefined
     const limit = Number.parseInt(url.searchParams.get('limit') || '50')
     const offset = Number.parseInt(url.searchParams.get('offset') || '0')
     const sortByParam = url.searchParams.get('sortBy')
     const sortOrderParam = url.searchParams.get('sortOrder')
 
+    // Validate sort parameters
     const validSortFields: DocumentSortField[] = [
       'filename',
       'fileSize',
@@ -116,7 +105,6 @@ export async function GET(req: NextRequest, { params }: { params: Promise<{ id:
       'chunkCount',
       'uploadedAt',
       'processingStatus',
-      'enabled',
     ]
     const validSortOrders: SortOrder[] = ['asc', 'desc']
 
@@ -132,7 +120,7 @@ export async function GET(req: NextRequest, { params }: { params: Promise<{ id:
     const result = await getDocuments(
       knowledgeBaseId,
       {
-        enabledFilter: enabledFilter || undefined,
+        includeDisabled,
         search,
         limit,
         offset,
@@ -202,7 +190,8 @@ export async function POST(req: NextRequest, { params }: { params: Promise<{ id:
         const createdDocuments = await createDocumentRecords(
           validatedData.documents,
           knowledgeBaseId,
-          requestId
+          requestId,
+          userId
         )
 
         logger.info(
@@ -261,10 +250,16 @@ export async function POST(req: NextRequest, { params }: { params: Promise<{ id:
         throw validationError
       }
     } else {
+      // Handle single document creation
       try {
         const validatedData = CreateDocumentSchema.parse(body)
 
-        const newDocument = await createSingleDocument(validatedData, knowledgeBaseId, requestId)
+        const newDocument = await createSingleDocument(
+          validatedData,
+          knowledgeBaseId,
+          requestId,
+          userId
+        )
 
         try {
           const { PlatformEvents } = await import('@/lib/core/telemetry')
@@ -299,6 +294,7 @@ export async function POST(req: NextRequest, { params }: { params: Promise<{ id:
   } catch (error) {
     logger.error(`[${requestId}] Error creating document`, error)
 
+    // Check if it's a storage limit error
     const errorMessage = error instanceof Error ? error.message : 'Failed to create document'
     const isStorageLimitError =
       errorMessage.includes('Storage limit exceeded') || errorMessage.includes('storage limit')
@@ -335,22 +331,16 @@ export async function PATCH(req: NextRequest, { params }: { params: Promise<{ id
 
     try {
       const validatedData = BulkUpdateDocumentsSchema.parse(body)
-      const { operation, documentIds, selectAll, enabledFilter } = validatedData
+      const { operation, documentIds } = validatedData
 
       try {
-        let result
+        const result = await bulkDocumentOperation(
-        if (selectAll) {
-          result = await bulkDocumentOperationByFilter(
           knowledgeBaseId,
           operation,
-            enabledFilter,
+          documentIds,
-            requestId
+          requestId,
+          session.user.id
         )
-        } else if (documentIds && documentIds.length > 0) {
-          result = await bulkDocumentOperation(knowledgeBaseId, operation, documentIds, requestId)
-        } else {
-          return NextResponse.json({ error: 'No documents specified' }, { status: 400 })
-        }
 
         return NextResponse.json({
           success: true,

apps/sim/app/api/mcp/servers/test-connection/route.ts

@@ -1,10 +1,11 @@
 import { createLogger } from '@sim/logger'
 import type { NextRequest } from 'next/server'
+import { getEffectiveDecryptedEnv } from '@/lib/environment/utils'
 import { McpClient } from '@/lib/mcp/client'
 import { getParsedBody, withMcpAuth } from '@/lib/mcp/middleware'
-import { resolveMcpConfigEnvVars } from '@/lib/mcp/resolve-config'
+import type { McpServerConfig, McpTransport } from '@/lib/mcp/types'
-import type { McpTransport } from '@/lib/mcp/types'
 import { createMcpErrorResponse, createMcpSuccessResponse } from '@/lib/mcp/utils'
+import { resolveEnvVarReferences } from '@/executor/utils/reference-validation'
 
 const logger = createLogger('McpServerTestAPI')
 
@@ -18,6 +19,30 @@ function isUrlBasedTransport(transport: McpTransport): boolean {
   return transport === 'streamable-http'
 }
 
+/**
+ * Resolve environment variables in strings
+ */
+function resolveEnvVars(value: string, envVars: Record<string, string>): string {
+  const missingVars: string[] = []
+  const resolvedValue = resolveEnvVarReferences(value, envVars, {
+    allowEmbedded: true,
+    resolveExactMatch: true,
+    trimKeys: true,
+    onMissing: 'keep',
+    deep: false,
+    missingKeys: missingVars,
+  }) as string
+
+  if (missingVars.length > 0) {
+    const uniqueMissing = Array.from(new Set(missingVars))
+    uniqueMissing.forEach((envKey) => {
+      logger.warn(`Environment variable "${envKey}" not found in MCP server test`)
+    })
+  }
+
+  return resolvedValue
+}
+
 interface TestConnectionRequest {
   name: string
   transport: McpTransport
@@ -71,30 +96,39 @@ export const POST = withMcpAuth('write')(
         )
       }
 
-      // Build initial config for resolution
+      let resolvedUrl = body.url
-      const initialConfig = {
+      let resolvedHeaders = body.headers || {}
+
+      try {
+        const envVars = await getEffectiveDecryptedEnv(userId, workspaceId)
+
+        if (resolvedUrl) {
+          resolvedUrl = resolveEnvVars(resolvedUrl, envVars)
+        }
+
+        const resolvedHeadersObj: Record<string, string> = {}
+        for (const [key, value] of Object.entries(resolvedHeaders)) {
+          resolvedHeadersObj[key] = resolveEnvVars(value, envVars)
+        }
+        resolvedHeaders = resolvedHeadersObj
+      } catch (envError) {
+        logger.warn(
+          `[${requestId}] Failed to resolve environment variables, using raw values:`,
+          envError
+        )
+      }
+
+      const testConfig: McpServerConfig = {
         id: `test-${requestId}`,
         name: body.name,
         transport: body.transport,
-        url: body.url,
+        url: resolvedUrl,
-        headers: body.headers || {},
+        headers: resolvedHeaders,
         timeout: body.timeout || 10000,
         retries: 1, // Only one retry for tests
         enabled: true,
       }
 
-      // Resolve env vars using shared utility (non-strict mode for testing)
-      const { config: testConfig, missingVars } = await resolveMcpConfigEnvVars(
-        initialConfig,
-        userId,
-        workspaceId,
-        { strict: false }
-      )
-
-      if (missingVars.length > 0) {
-        logger.warn(`[${requestId}] Some environment variables not found:`, { missingVars })
-      }
-
       const testSecurityPolicy = {
         requireConsent: false,
         auditLevel: 'none' as const,

apps/sim/app/api/providers/route.ts

@@ -3,9 +3,7 @@ import { account } from '@sim/db/schema'
 import { createLogger } from '@sim/logger'
 import { eq } from 'drizzle-orm'
 import { type NextRequest, NextResponse } from 'next/server'
-import { checkInternalAuth } from '@/lib/auth/hybrid'
 import { generateRequestId } from '@/lib/core/utils/request'
-import { checkWorkspaceAccess } from '@/lib/workspaces/permissions/utils'
 import { refreshTokenIfNeeded } from '@/app/api/auth/oauth/utils'
 import type { StreamingExecution } from '@/executor/types'
 import { executeProviderRequest } from '@/providers'
@@ -22,11 +20,6 @@ export async function POST(request: NextRequest) {
   const startTime = Date.now()
 
   try {
-    const auth = await checkInternalAuth(request, { requireWorkflowId: false })
-    if (!auth.success || !auth.userId) {
-      return NextResponse.json({ error: 'Unauthorized' }, { status: 401 })
-    }
-
     logger.info(`[${requestId}] Provider API request started`, {
       timestamp: new Date().toISOString(),
       userAgent: request.headers.get('User-Agent'),
@@ -92,13 +85,6 @@ export async function POST(request: NextRequest) {
       verbosity,
     })
 
-    if (workspaceId) {
-      const workspaceAccess = await checkWorkspaceAccess(workspaceId, auth.userId)
-      if (!workspaceAccess.hasAccess) {
-        return NextResponse.json({ error: 'Forbidden' }, { status: 403 })
-      }
-    }
-
     let finalApiKey: string | undefined = apiKey
     try {
       if (provider === 'vertex' && vertexCredential) {

apps/sim/app/api/proxy/image/route.ts

@@ -1,6 +1,6 @@
 import { createLogger } from '@sim/logger'
 import { type NextRequest, NextResponse } from 'next/server'
-import { checkInternalAuth } from '@/lib/auth/hybrid'
+import { checkHybridAuth } from '@/lib/auth/hybrid'
 import { validateImageUrl } from '@/lib/core/security/input-validation'
 import { generateRequestId } from '@/lib/core/utils/request'
 
@@ -15,7 +15,7 @@ export async function GET(request: NextRequest) {
   const imageUrl = url.searchParams.get('url')
   const requestId = generateRequestId()
 
-  const authResult = await checkInternalAuth(request, { requireWorkflowId: false })
+  const authResult = await checkHybridAuth(request, { requireWorkflowId: false })
   if (!authResult.success) {
     logger.error(`[${requestId}] Authentication failed for image proxy:`, authResult.error)
     return new NextResponse('Unauthorized', { status: 401 })

apps/sim/app/api/proxy/route.ts

@@ -0,0 +1,395 @@
+import { createLogger } from '@sim/logger'
+import type { NextRequest } from 'next/server'
+import { NextResponse } from 'next/server'
+import { z } from 'zod'
+import { checkHybridAuth } from '@/lib/auth/hybrid'
+import { generateInternalToken } from '@/lib/auth/internal'
+import { isDev } from '@/lib/core/config/feature-flags'
+import { createPinnedUrl, validateUrlWithDNS } from '@/lib/core/security/input-validation'
+import { generateRequestId } from '@/lib/core/utils/request'
+import { getBaseUrl } from '@/lib/core/utils/urls'
+import { executeTool } from '@/tools'
+import { getTool, validateRequiredParametersAfterMerge } from '@/tools/utils'
+
+const logger = createLogger('ProxyAPI')
+
+const proxyPostSchema = z.object({
+  toolId: z.string().min(1, 'toolId is required'),
+  params: z.record(z.any()).optional().default({}),
+  executionContext: z
+    .object({
+      workflowId: z.string().optional(),
+      workspaceId: z.string().optional(),
+      executionId: z.string().optional(),
+      userId: z.string().optional(),
+    })
+    .optional(),
+})
+
+/**
+ * Creates a minimal set of default headers for proxy requests
+ * @returns Record of HTTP headers
+ */
+const getProxyHeaders = (): Record<string, string> => {
+  return {
+    'User-Agent':
+      'Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/135.0.0.0 Safari/537.36',
+    Accept: '*/*',
+    'Accept-Encoding': 'gzip, deflate, br',
+    'Cache-Control': 'no-cache',
+    Connection: 'keep-alive',
+  }
+}
+
+/**
+ * Formats a response with CORS headers
+ * @param responseData Response data object
+ * @param status HTTP status code
+ * @returns NextResponse with CORS headers
+ */
+const formatResponse = (responseData: any, status = 200) => {
+  return NextResponse.json(responseData, {
+    status,
+    headers: {
+      'Access-Control-Allow-Origin': '*',
+      'Access-Control-Allow-Methods': 'GET, POST, PUT, DELETE, OPTIONS',
+      'Access-Control-Allow-Headers': 'Content-Type, Authorization',
+    },
+  })
+}
+
+/**
+ * Creates an error response with consistent formatting
+ * @param error Error object or message
+ * @param status HTTP status code
+ * @param additionalData Additional data to include in the response
+ * @returns Formatted error response
+ */
+const createErrorResponse = (error: any, status = 500, additionalData = {}) => {
+  const errorMessage = error instanceof Error ? error.message : String(error)
+  const errorStack = error instanceof Error ? error.stack : undefined
+
+  logger.error('Creating error response', {
+    errorMessage,
+    status,
+    stack: isDev ? errorStack : undefined,
+  })
+
+  return formatResponse(
+    {
+      success: false,
+      error: errorMessage,
+      stack: isDev ? errorStack : undefined,
+      ...additionalData,
+    },
+    status
+  )
+}
+
+/**
+ * GET handler for direct external URL proxying
+ * This allows for GET requests to external APIs
+ */
+export async function GET(request: Request) {
+  const url = new URL(request.url)
+  const targetUrl = url.searchParams.get('url')
+  const requestId = generateRequestId()
+
+  // Vault download proxy: /api/proxy?vaultDownload=1&bucket=...&object=...&credentialId=...
+  const vaultDownload = url.searchParams.get('vaultDownload')
+  if (vaultDownload === '1') {
+    try {
+      const bucket = url.searchParams.get('bucket')
+      const objectParam = url.searchParams.get('object')
+      const credentialId = url.searchParams.get('credentialId')
+
+      if (!bucket || !objectParam || !credentialId) {
+        return createErrorResponse('Missing bucket, object, or credentialId', 400)
+      }
+
+      // Fetch access token using existing token API
+      const baseUrl = new URL(getBaseUrl())
+      const tokenUrl = new URL('/api/auth/oauth/token', baseUrl)
+
+      // Build headers: forward session cookies if present; include internal auth for server-side
+      const tokenHeaders: Record<string, string> = { 'Content-Type': 'application/json' }
+      const incomingCookie = request.headers.get('cookie')
+      if (incomingCookie) tokenHeaders.Cookie = incomingCookie
+      try {
+        const internalToken = await generateInternalToken()
+        tokenHeaders.Authorization = `Bearer ${internalToken}`
+      } catch (_e) {
+        // best-effort internal auth
+      }
+
+      // Optional workflow context for collaboration auth
+      const workflowId = url.searchParams.get('workflowId') || undefined
+
+      const tokenRes = await fetch(tokenUrl.toString(), {
+        method: 'POST',
+        headers: tokenHeaders,
+        body: JSON.stringify({ credentialId, workflowId }),
+      })
+
+      if (!tokenRes.ok) {
+        const err = await tokenRes.text()
+        return createErrorResponse(`Failed to fetch access token: ${err}`, 401)
+      }
+
+      const tokenJson = await tokenRes.json()
+      const accessToken = tokenJson.accessToken
+      if (!accessToken) {
+        return createErrorResponse('No access token available', 401)
+      }
+
+      // Avoid double-encoding: incoming object may already be percent-encoded
+      const objectDecoded = decodeURIComponent(objectParam)
+      const gcsUrl = `https://storage.googleapis.com/storage/v1/b/${encodeURIComponent(
+        bucket
+      )}/o/${encodeURIComponent(objectDecoded)}?alt=media`
+
+      const fileRes = await fetch(gcsUrl, {
+        headers: { Authorization: `Bearer ${accessToken}` },
+      })
+
+      if (!fileRes.ok) {
+        const errText = await fileRes.text()
+        return createErrorResponse(errText || 'Failed to download file', fileRes.status)
+      }
+
+      const headers = new Headers()
+      fileRes.headers.forEach((v, k) => headers.set(k, v))
+      return new NextResponse(fileRes.body, { status: 200, headers })
+    } catch (error: any) {
+      logger.error(`[${requestId}] Vault download proxy failed`, {
+        error: error instanceof Error ? error.message : String(error),
+      })
+      return createErrorResponse('Vault download failed', 500)
+    }
+  }
+
+  if (!targetUrl) {
+    logger.error(`[${requestId}] Missing 'url' parameter`)
+    return createErrorResponse("Missing 'url' parameter", 400)
+  }
+
+  const urlValidation = await validateUrlWithDNS(targetUrl)
+  if (!urlValidation.isValid) {
+    logger.warn(`[${requestId}] Blocked proxy request`, {
+      url: targetUrl.substring(0, 100),
+      error: urlValidation.error,
+    })
+    return createErrorResponse(urlValidation.error || 'Invalid URL', 403)
+  }
+
+  const method = url.searchParams.get('method') || 'GET'
+
+  const bodyParam = url.searchParams.get('body')
+  let body: string | undefined
+
+  if (bodyParam && ['POST', 'PUT', 'PATCH'].includes(method.toUpperCase())) {
+    try {
+      body = decodeURIComponent(bodyParam)
+    } catch (error) {
+      logger.warn(`[${requestId}] Failed to decode body parameter`, error)
+    }
+  }
+
+  const customHeaders: Record<string, string> = {}
+
+  for (const [key, value] of url.searchParams.entries()) {
+    if (key.startsWith('header.')) {
+      const headerName = key.substring(7)
+      customHeaders[headerName] = value
+    }
+  }
+
+  if (body && !customHeaders['Content-Type']) {
+    customHeaders['Content-Type'] = 'application/json'
+  }
+
+  logger.info(`[${requestId}] Proxying ${method} request to: ${targetUrl}`)
+
+  try {
+    const pinnedUrl = createPinnedUrl(targetUrl, urlValidation.resolvedIP!)
+    const response = await fetch(pinnedUrl, {
+      method: method,
+      headers: {
+        ...getProxyHeaders(),
+        ...customHeaders,
+        Host: urlValidation.originalHostname!,
+      },
+      body: body || undefined,
+    })
+
+    const contentType = response.headers.get('content-type') || ''
+    let data
+
+    if (contentType.includes('application/json')) {
+      data = await response.json()
+    } else {
+      data = await response.text()
+    }
+
+    const errorMessage = !response.ok
+      ? data && typeof data === 'object' && data.error
+        ? `${data.error.message || JSON.stringify(data.error)}`
+        : response.statusText || `HTTP error ${response.status}`
+      : undefined
+
+    if (!response.ok) {
+      logger.error(`[${requestId}] External API error: ${response.status} ${response.statusText}`)
+    }
+
+    return formatResponse({
+      success: response.ok,
+      status: response.status,
+      statusText: response.statusText,
+      headers: Object.fromEntries(response.headers.entries()),
+      data,
+      error: errorMessage,
+    })
+  } catch (error: any) {
+    logger.error(`[${requestId}] Proxy GET request failed`, {
+      url: targetUrl,
+      error: error instanceof Error ? error.message : String(error),
+      stack: error instanceof Error ? error.stack : undefined,
+    })
+
+    return createErrorResponse(error)
+  }
+}
+
+export async function POST(request: NextRequest) {
+  const requestId = generateRequestId()
+  const startTime = new Date()
+  const startTimeISO = startTime.toISOString()
+
+  try {
+    const authResult = await checkHybridAuth(request, { requireWorkflowId: false })
+    if (!authResult.success) {
+      logger.error(`[${requestId}] Authentication failed for proxy:`, authResult.error)
+      return createErrorResponse('Unauthorized', 401)
+    }
+
+    let requestBody
+    try {
+      requestBody = await request.json()
+    } catch (parseError) {
+      logger.error(`[${requestId}] Failed to parse request body`, {
+        error: parseError instanceof Error ? parseError.message : String(parseError),
+      })
+      throw new Error('Invalid JSON in request body')
+    }
+
+    const validationResult = proxyPostSchema.safeParse(requestBody)
+    if (!validationResult.success) {
+      logger.error(`[${requestId}] Request validation failed`, {
+        errors: validationResult.error.errors,
+      })
+      const errorMessages = validationResult.error.errors
+        .map((err) => `${err.path.join('.')}: ${err.message}`)
+        .join(', ')
+      throw new Error(`Validation failed: ${errorMessages}`)
+    }
+
+    const { toolId, params } = validationResult.data
+
+    logger.info(`[${requestId}] Processing tool: ${toolId}`)
+
+    const tool = getTool(toolId)
+
+    if (!tool) {
+      logger.error(`[${requestId}] Tool not found: ${toolId}`)
+      throw new Error(`Tool not found: ${toolId}`)
+    }
+
+    try {
+      validateRequiredParametersAfterMerge(toolId, tool, params)
+    } catch (validationError) {
+      logger.warn(`[${requestId}] Tool validation failed for ${toolId}`, {
+        error: validationError instanceof Error ? validationError.message : String(validationError),
+      })
+
+      const endTime = new Date()
+      const endTimeISO = endTime.toISOString()
+      const duration = endTime.getTime() - startTime.getTime()
+
+      return createErrorResponse(validationError, 400, {
+        startTime: startTimeISO,
+        endTime: endTimeISO,
+        duration,
+      })
+    }
+
+    const hasFileOutputs =
+      tool.outputs &&
+      Object.values(tool.outputs).some(
+        (output) => output.type === 'file' || output.type === 'file[]'
+      )
+
+    const result = await executeTool(
+      toolId,
+      params,
+      true, // skipProxy (we're already in the proxy)
+      !hasFileOutputs, // skipPostProcess (don't skip if tool has file outputs)
+      undefined // execution context is not available in proxy context
+    )
+
+    if (!result.success) {
+      logger.warn(`[${requestId}] Tool execution failed for ${toolId}`, {
+        error: result.error || 'Unknown error',
+      })
+
+      throw new Error(result.error || 'Tool execution failed')
+    }
+
+    const endTime = new Date()
+    const endTimeISO = endTime.toISOString()
+    const duration = endTime.getTime() - startTime.getTime()
+
+    const responseWithTimingData = {
+      ...result,
+      startTime: startTimeISO,
+      endTime: endTimeISO,
+      duration,
+      timing: {
+        startTime: startTimeISO,
+        endTime: endTimeISO,
+        duration,
+      },
+    }
+
+    logger.info(`[${requestId}] Tool executed successfully: ${toolId} (${duration}ms)`)
+
+    return formatResponse(responseWithTimingData)
+  } catch (error: any) {
+    logger.error(`[${requestId}] Proxy request failed`, {
+      error: error instanceof Error ? error.message : String(error),
+      stack: error instanceof Error ? error.stack : undefined,
+      name: error instanceof Error ? error.name : undefined,
+    })
+
+    const endTime = new Date()
+    const endTimeISO = endTime.toISOString()
+    const duration = endTime.getTime() - startTime.getTime()
+
+    return createErrorResponse(error, 500, {
+      startTime: startTimeISO,
+      endTime: endTimeISO,
+      duration,
+    })
+  }
+}
+
+export async function OPTIONS() {
+  return new NextResponse(null, {
+    status: 204,
+    headers: {
+      'Access-Control-Allow-Origin': '*',
+      'Access-Control-Allow-Methods': 'GET, POST, PUT, DELETE, OPTIONS',
+      'Access-Control-Allow-Headers': 'Content-Type, Authorization',
+      'Access-Control-Max-Age': '86400',
+    },
+  })
+}

apps/sim/app/api/proxy/stt/route.ts

@@ -1,7 +1,7 @@
 import { createLogger } from '@sim/logger'
 import { type NextRequest, NextResponse } from 'next/server'
 import { extractAudioFromVideo, isVideoFile } from '@/lib/audio/extractor'
-import { checkInternalAuth } from '@/lib/auth/hybrid'
+import { checkHybridAuth } from '@/lib/auth/hybrid'
 import { downloadFileFromStorage } from '@/lib/uploads/utils/file-utils.server'
 import type { UserFile } from '@/executor/types'
 import type { TranscriptSegment } from '@/tools/stt/types'
@@ -40,7 +40,7 @@ export async function POST(request: NextRequest) {
   logger.info(`[${requestId}] STT transcription request started`)
 
   try {
-    const authResult = await checkInternalAuth(request, { requireWorkflowId: false })
+    const authResult = await checkHybridAuth(request, { requireWorkflowId: false })
     if (!authResult.success) {
       return NextResponse.json({ error: 'Unauthorized' }, { status: 401 })
     }

apps/sim/app/api/proxy/tts/route.ts

@@ -1,7 +1,7 @@
 import { createLogger } from '@sim/logger'
 import type { NextRequest } from 'next/server'
 import { NextResponse } from 'next/server'
-import { checkInternalAuth } from '@/lib/auth/hybrid'
+import { checkHybridAuth } from '@/lib/auth/hybrid'
 import { validateAlphanumericId } from '@/lib/core/security/input-validation'
 import { getBaseUrl } from '@/lib/core/utils/urls'
 import { StorageService } from '@/lib/uploads'
@@ -10,7 +10,7 @@ const logger = createLogger('ProxyTTSAPI')
 
 export async function POST(request: NextRequest) {
   try {
-    const authResult = await checkInternalAuth(request, { requireWorkflowId: false })
+    const authResult = await checkHybridAuth(request, { requireWorkflowId: false })
     if (!authResult.success) {
       logger.error('Authentication failed for TTS proxy:', authResult.error)
       return NextResponse.json({ error: 'Unauthorized' }, { status: 401 })

apps/sim/app/api/proxy/tts/unified/route.ts

@@ -1,7 +1,7 @@
 import { createLogger } from '@sim/logger'
 import type { NextRequest } from 'next/server'
 import { NextResponse } from 'next/server'
-import { checkInternalAuth } from '@/lib/auth/hybrid'
+import { checkHybridAuth } from '@/lib/auth/hybrid'
 import { validateAlphanumericId } from '@/lib/core/security/input-validation'
 import { getBaseUrl } from '@/lib/core/utils/urls'
 import { StorageService } from '@/lib/uploads'
@@ -87,7 +87,7 @@ export async function POST(request: NextRequest) {
   logger.info(`[${requestId}] TTS unified request started`)
 
   try {
-    const authResult = await checkInternalAuth(request, { requireWorkflowId: false })
+    const authResult = await checkHybridAuth(request, { requireWorkflowId: false })
     if (!authResult.success) {
       logger.error('Authentication failed for TTS unified proxy:', authResult.error)
       return NextResponse.json({ error: 'Unauthorized' }, { status: 401 })

apps/sim/app/api/proxy/video/route.ts

@@ -1,6 +1,6 @@
 import { createLogger } from '@sim/logger'
 import { type NextRequest, NextResponse } from 'next/server'
-import { checkInternalAuth } from '@/lib/auth/hybrid'
+import { checkHybridAuth } from '@/lib/auth/hybrid'
 import { downloadFileFromStorage } from '@/lib/uploads/utils/file-utils.server'
 import type { UserFile } from '@/executor/types'
 import type { VideoRequestBody } from '@/tools/video/types'
@@ -15,7 +15,7 @@ export async function POST(request: NextRequest) {
   logger.info(`[${requestId}] Video generation request started`)
 
   try {
-    const authResult = await checkInternalAuth(request, { requireWorkflowId: false })
+    const authResult = await checkHybridAuth(request, { requireWorkflowId: false })
     if (!authResult.success) {
       return NextResponse.json({ error: 'Unauthorized' }, { status: 401 })
     }

apps/sim/app/api/tools/a2a/set-push-notification/route.ts

@@ -3,7 +3,6 @@ import { type NextRequest, NextResponse } from 'next/server'
 import { z } from 'zod'
 import { createA2AClient } from '@/lib/a2a/utils'
 import { checkHybridAuth } from '@/lib/auth/hybrid'
-import { validateExternalUrl } from '@/lib/core/security/input-validation'
 import { generateRequestId } from '@/lib/core/utils/request'
 
 export const dynamic = 'force-dynamic'
@@ -40,18 +39,6 @@ export async function POST(request: NextRequest) {
     const body = await request.json()
     const validatedData = A2ASetPushNotificationSchema.parse(body)
 
-    const urlValidation = validateExternalUrl(validatedData.webhookUrl, 'Webhook URL')
-    if (!urlValidation.isValid) {
-      logger.warn(`[${requestId}] Invalid webhook URL`, { error: urlValidation.error })
-      return NextResponse.json(
-        {
-          success: false,
-          error: urlValidation.error,
-        },
-        { status: 400 }
-      )
-    }
-
     logger.info(`[${requestId}] A2A set push notification request`, {
       agentUrl: validatedData.agentUrl,
       taskId: validatedData.taskId,

apps/sim/app/api/tools/custom/route.test.ts

@@ -181,7 +181,7 @@ describe('Custom Tools API Routes', () => {
     }))
 
     vi.doMock('@/lib/auth/hybrid', () => ({
-      checkSessionOrInternalAuth: vi.fn().mockResolvedValue({
+      checkHybridAuth: vi.fn().mockResolvedValue({
         success: true,
         userId: 'user-123',
         authType: 'session',
@@ -254,7 +254,7 @@ describe('Custom Tools API Routes', () => {
       )
 
       vi.doMock('@/lib/auth/hybrid', () => ({
-        checkSessionOrInternalAuth: vi.fn().mockResolvedValue({
+        checkHybridAuth: vi.fn().mockResolvedValue({
           success: false,
           error: 'Unauthorized',
         }),
@@ -304,7 +304,7 @@ describe('Custom Tools API Routes', () => {
   describe('POST /api/tools/custom', () => {
     it('should reject unauthorized requests', async () => {
       vi.doMock('@/lib/auth/hybrid', () => ({
-        checkSessionOrInternalAuth: vi.fn().mockResolvedValue({
+        checkHybridAuth: vi.fn().mockResolvedValue({
           success: false,
           error: 'Unauthorized',
         }),
@@ -390,7 +390,7 @@ describe('Custom Tools API Routes', () => {
 
     it('should prevent unauthorized deletion of user-scoped tool', async () => {
       vi.doMock('@/lib/auth/hybrid', () => ({
-        checkSessionOrInternalAuth: vi.fn().mockResolvedValue({
+        checkHybridAuth: vi.fn().mockResolvedValue({
           success: true,
           userId: 'user-456',
           authType: 'session',
@@ -413,7 +413,7 @@ describe('Custom Tools API Routes', () => {
 
     it('should reject unauthorized requests', async () => {
       vi.doMock('@/lib/auth/hybrid', () => ({
-        checkSessionOrInternalAuth: vi.fn().mockResolvedValue({
+        checkHybridAuth: vi.fn().mockResolvedValue({
           success: false,
           error: 'Unauthorized',
         }),

apps/sim/app/api/tools/custom/route.ts

@@ -4,7 +4,7 @@ import { createLogger } from '@sim/logger'
 import { and, desc, eq, isNull, or } from 'drizzle-orm'
 import { type NextRequest, NextResponse } from 'next/server'
 import { z } from 'zod'
-import { checkSessionOrInternalAuth } from '@/lib/auth/hybrid'
+import { checkHybridAuth } from '@/lib/auth/hybrid'
 import { generateRequestId } from '@/lib/core/utils/request'
 import { upsertCustomTools } from '@/lib/workflows/custom-tools/operations'
 import { getUserEntityPermissions } from '@/lib/workspaces/permissions/utils'
@@ -42,8 +42,8 @@ export async function GET(request: NextRequest) {
   const workflowId = searchParams.get('workflowId')
 
   try {
-    // Use session/internal auth to support session and internal JWT (no API key access)
+    // Use hybrid auth to support session, API key, and internal JWT
-    const authResult = await checkSessionOrInternalAuth(request, { requireWorkflowId: false })
+    const authResult = await checkHybridAuth(request, { requireWorkflowId: false })
     if (!authResult.success || !authResult.userId) {
       logger.warn(`[${requestId}] Unauthorized custom tools access attempt`)
       return NextResponse.json({ error: 'Unauthorized' }, { status: 401 })
@@ -69,8 +69,8 @@ export async function GET(request: NextRequest) {
     }
 
     // Check workspace permissions
-    // For internal JWT with workflowId: checkSessionOrInternalAuth already resolved userId from workflow owner
+    // For internal JWT with workflowId: checkHybridAuth already resolved userId from workflow owner
-    // For session: verify user has access to the workspace
+    // For session/API key: verify user has access to the workspace
     // For legacy (no workspaceId): skip workspace check, rely on userId match
     if (resolvedWorkspaceId && !(authResult.authType === 'internal_jwt' && workflowId)) {
       const userPermission = await getUserEntityPermissions(
@@ -116,8 +116,8 @@ export async function POST(req: NextRequest) {
   const requestId = generateRequestId()
 
   try {
-    // Use session/internal auth (no API key access)
+    // Use hybrid auth (though this endpoint is only called from UI)
-    const authResult = await checkSessionOrInternalAuth(req, { requireWorkflowId: false })
+    const authResult = await checkHybridAuth(req, { requireWorkflowId: false })
     if (!authResult.success || !authResult.userId) {
       logger.warn(`[${requestId}] Unauthorized custom tools update attempt`)
       return NextResponse.json({ error: 'Unauthorized' }, { status: 401 })
@@ -193,8 +193,8 @@ export async function DELETE(request: NextRequest) {
   }
 
   try {
-    // Use session/internal auth (no API key access)
+    // Use hybrid auth (though this endpoint is only called from UI)
-    const authResult = await checkSessionOrInternalAuth(request, { requireWorkflowId: false })
+    const authResult = await checkHybridAuth(request, { requireWorkflowId: false })
     if (!authResult.success || !authResult.userId) {
       logger.warn(`[${requestId}] Unauthorized custom tool deletion attempt`)
       return NextResponse.json({ error: 'Unauthorized' }, { status: 401 })

apps/sim/app/api/tools/discord/send-message/route.ts

@@ -1,7 +1,7 @@
 import { createLogger } from '@sim/logger'
 import { type NextRequest, NextResponse } from 'next/server'
 import { z } from 'zod'
-import { checkInternalAuth } from '@/lib/auth/hybrid'
+import { checkHybridAuth } from '@/lib/auth/hybrid'
 import { validateNumericId } from '@/lib/core/security/input-validation'
 import { generateRequestId } from '@/lib/core/utils/request'
 import { processFilesToUserFiles } from '@/lib/uploads/utils/file-utils'
@@ -22,7 +22,7 @@ export async function POST(request: NextRequest) {
   const requestId = generateRequestId()
 
   try {
-    const authResult = await checkInternalAuth(request, { requireWorkflowId: false })
+    const authResult = await checkHybridAuth(request, { requireWorkflowId: false })
 
     if (!authResult.success) {
       logger.warn(`[${requestId}] Unauthorized Discord send attempt: ${authResult.error}`)

apps/sim/app/api/tools/gmail/add-label/route.ts

@@ -1,7 +1,7 @@
 import { createLogger } from '@sim/logger'
 import { type NextRequest, NextResponse } from 'next/server'
 import { z } from 'zod'
-import { checkInternalAuth } from '@/lib/auth/hybrid'
+import { checkHybridAuth } from '@/lib/auth/hybrid'
 import { validateAlphanumericId } from '@/lib/core/security/input-validation'
 import { generateRequestId } from '@/lib/core/utils/request'
 
@@ -21,7 +21,7 @@ export async function POST(request: NextRequest) {
   const requestId = generateRequestId()
 
   try {
-    const authResult = await checkInternalAuth(request, { requireWorkflowId: false })
+    const authResult = await checkHybridAuth(request, { requireWorkflowId: false })
 
     if (!authResult.success) {
       logger.warn(`[${requestId}] Unauthorized Gmail add label attempt: ${authResult.error}`)

apps/sim/app/api/tools/gmail/archive/route.ts

@@ -1,7 +1,7 @@
 import { createLogger } from '@sim/logger'
 import { type NextRequest, NextResponse } from 'next/server'
 import { z } from 'zod'
-import { checkInternalAuth } from '@/lib/auth/hybrid'
+import { checkHybridAuth } from '@/lib/auth/hybrid'
 import { generateRequestId } from '@/lib/core/utils/request'
 
 export const dynamic = 'force-dynamic'
@@ -19,7 +19,7 @@ export async function POST(request: NextRequest) {
   const requestId = generateRequestId()
 
   try {
-    const authResult = await checkInternalAuth(request, { requireWorkflowId: false })
+    const authResult = await checkHybridAuth(request, { requireWorkflowId: false })
 
     if (!authResult.success) {
       logger.warn(`[${requestId}] Unauthorized Gmail archive attempt: ${authResult.error}`)

apps/sim/app/api/tools/gmail/delete/route.ts

@@ -1,7 +1,7 @@
 import { createLogger } from '@sim/logger'
 import { type NextRequest, NextResponse } from 'next/server'
 import { z } from 'zod'
-import { checkInternalAuth } from '@/lib/auth/hybrid'
+import { checkHybridAuth } from '@/lib/auth/hybrid'
 import { generateRequestId } from '@/lib/core/utils/request'
 
 export const dynamic = 'force-dynamic'
@@ -19,7 +19,7 @@ export async function POST(request: NextRequest) {
   const requestId = generateRequestId()
 
   try {
-    const authResult = await checkInternalAuth(request, { requireWorkflowId: false })
+    const authResult = await checkHybridAuth(request, { requireWorkflowId: false })
 
     if (!authResult.success) {
       logger.warn(`[${requestId}] Unauthorized Gmail delete attempt: ${authResult.error}`)

apps/sim/app/api/tools/gmail/draft/route.ts

@@ -1,7 +1,7 @@
 import { createLogger } from '@sim/logger'
 import { type NextRequest, NextResponse } from 'next/server'
 import { z } from 'zod'
-import { checkInternalAuth } from '@/lib/auth/hybrid'
+import { checkHybridAuth } from '@/lib/auth/hybrid'
 import { generateRequestId } from '@/lib/core/utils/request'
 import { processFilesToUserFiles } from '@/lib/uploads/utils/file-utils'
 import { downloadFileFromStorage } from '@/lib/uploads/utils/file-utils.server'
@@ -35,7 +35,7 @@ export async function POST(request: NextRequest) {
   const requestId = generateRequestId()
 
   try {
-    const authResult = await checkInternalAuth(request, { requireWorkflowId: false })
+    const authResult = await checkHybridAuth(request, { requireWorkflowId: false })
 
     if (!authResult.success) {
       logger.warn(`[${requestId}] Unauthorized Gmail draft attempt: ${authResult.error}`)

apps/sim/app/api/tools/gmail/mark-read/route.ts

@@ -1,7 +1,7 @@
 import { createLogger } from '@sim/logger'
 import { type NextRequest, NextResponse } from 'next/server'
 import { z } from 'zod'
-import { checkInternalAuth } from '@/lib/auth/hybrid'
+import { checkHybridAuth } from '@/lib/auth/hybrid'
 import { generateRequestId } from '@/lib/core/utils/request'
 
 export const dynamic = 'force-dynamic'
@@ -19,7 +19,7 @@ export async function POST(request: NextRequest) {
   const requestId = generateRequestId()
 
   try {
-    const authResult = await checkInternalAuth(request, { requireWorkflowId: false })
+    const authResult = await checkHybridAuth(request, { requireWorkflowId: false })
 
     if (!authResult.success) {
       logger.warn(`[${requestId}] Unauthorized Gmail mark read attempt: ${authResult.error}`)

apps/sim/app/api/tools/gmail/mark-unread/route.ts

@@ -1,7 +1,7 @@
 import { createLogger } from '@sim/logger'
 import { type NextRequest, NextResponse } from 'next/server'
 import { z } from 'zod'
-import { checkInternalAuth } from '@/lib/auth/hybrid'
+import { checkHybridAuth } from '@/lib/auth/hybrid'
 import { generateRequestId } from '@/lib/core/utils/request'
 
 export const dynamic = 'force-dynamic'
@@ -19,7 +19,7 @@ export async function POST(request: NextRequest) {
   const requestId = generateRequestId()
 
   try {
-    const authResult = await checkInternalAuth(request, { requireWorkflowId: false })
+    const authResult = await checkHybridAuth(request, { requireWorkflowId: false })
 
     if (!authResult.success) {
       logger.warn(`[${requestId}] Unauthorized Gmail mark unread attempt: ${authResult.error}`)

apps/sim/app/api/tools/gmail/move/route.ts

@@ -1,7 +1,7 @@
 import { createLogger } from '@sim/logger'
 import { type NextRequest, NextResponse } from 'next/server'
 import { z } from 'zod'
-import { checkInternalAuth } from '@/lib/auth/hybrid'
+import { checkHybridAuth } from '@/lib/auth/hybrid'
 import { generateRequestId } from '@/lib/core/utils/request'
 
 export const dynamic = 'force-dynamic'
@@ -21,7 +21,7 @@ export async function POST(request: NextRequest) {
   const requestId = generateRequestId()
 
   try {
-    const authResult = await checkInternalAuth(request, { requireWorkflowId: false })
+    const authResult = await checkHybridAuth(request, { requireWorkflowId: false })
 
     if (!authResult.success) {
       logger.warn(`[${requestId}] Unauthorized Gmail move attempt: ${authResult.error}`)

apps/sim/app/api/tools/gmail/remove-label/route.ts

@@ -1,7 +1,7 @@
 import { createLogger } from '@sim/logger'
 import { type NextRequest, NextResponse } from 'next/server'
 import { z } from 'zod'
-import { checkInternalAuth } from '@/lib/auth/hybrid'
+import { checkHybridAuth } from '@/lib/auth/hybrid'
 import { validateAlphanumericId } from '@/lib/core/security/input-validation'
 import { generateRequestId } from '@/lib/core/utils/request'
 
@@ -21,7 +21,7 @@ export async function POST(request: NextRequest) {
   const requestId = generateRequestId()
 
   try {
-    const authResult = await checkInternalAuth(request, { requireWorkflowId: false })
+    const authResult = await checkHybridAuth(request, { requireWorkflowId: false })
 
     if (!authResult.success) {
       logger.warn(`[${requestId}] Unauthorized Gmail remove label attempt: ${authResult.error}`)

apps/sim/app/api/tools/gmail/send/route.ts

@@ -1,7 +1,7 @@
 import { createLogger } from '@sim/logger'
 import { type NextRequest, NextResponse } from 'next/server'
 import { z } from 'zod'
-import { checkInternalAuth } from '@/lib/auth/hybrid'
+import { checkHybridAuth } from '@/lib/auth/hybrid'
 import { generateRequestId } from '@/lib/core/utils/request'
 import { processFilesToUserFiles } from '@/lib/uploads/utils/file-utils'
 import { downloadFileFromStorage } from '@/lib/uploads/utils/file-utils.server'
@@ -35,7 +35,7 @@ export async function POST(request: NextRequest) {
   const requestId = generateRequestId()
 
   try {
-    const authResult = await checkInternalAuth(request, { requireWorkflowId: false })
+    const authResult = await checkHybridAuth(request, { requireWorkflowId: false })
 
     if (!authResult.success) {
       logger.warn(`[${requestId}] Unauthorized Gmail send attempt: ${authResult.error}`)

apps/sim/app/api/tools/gmail/unarchive/route.ts

@@ -1,7 +1,7 @@
 import { createLogger } from '@sim/logger'
 import { type NextRequest, NextResponse } from 'next/server'
 import { z } from 'zod'
-import { checkInternalAuth } from '@/lib/auth/hybrid'
+import { checkHybridAuth } from '@/lib/auth/hybrid'
 import { generateRequestId } from '@/lib/core/utils/request'
 
 export const dynamic = 'force-dynamic'
@@ -19,7 +19,7 @@ export async function POST(request: NextRequest) {
   const requestId = generateRequestId()
 
   try {
-    const authResult = await checkInternalAuth(request, { requireWorkflowId: false })
+    const authResult = await checkHybridAuth(request, { requireWorkflowId: false })
 
     if (!authResult.success) {
       logger.warn(`[${requestId}] Unauthorized Gmail unarchive attempt: ${authResult.error}`)

apps/sim/app/api/tools/google_drive/upload/route.ts

@@ -1,7 +1,7 @@
 import { createLogger } from '@sim/logger'
 import { type NextRequest, NextResponse } from 'next/server'
 import { z } from 'zod'
-import { checkInternalAuth } from '@/lib/auth/hybrid'
+import { checkHybridAuth } from '@/lib/auth/hybrid'
 import { generateRequestId } from '@/lib/core/utils/request'
 import { processSingleFileToUserFile } from '@/lib/uploads/utils/file-utils'
 import { downloadFileFromStorage } from '@/lib/uploads/utils/file-utils.server'
@@ -56,7 +56,7 @@ export async function POST(request: NextRequest) {
   const requestId = generateRequestId()
 
   try {
-    const authResult = await checkInternalAuth(request, { requireWorkflowId: false })
+    const authResult = await checkHybridAuth(request, { requireWorkflowId: false })
 
     if (!authResult.success) {
       logger.warn(`[${requestId}] Unauthorized Google Drive upload attempt: ${authResult.error}`)

apps/sim/app/api/tools/mail/send/route.ts

@@ -2,7 +2,7 @@ import { createLogger } from '@sim/logger'
 import { type NextRequest, NextResponse } from 'next/server'
 import { Resend } from 'resend'
 import { z } from 'zod'
-import { checkInternalAuth } from '@/lib/auth/hybrid'
+import { checkHybridAuth } from '@/lib/auth/hybrid'
 import { generateRequestId } from '@/lib/core/utils/request'
 
 export const dynamic = 'force-dynamic'
@@ -22,7 +22,7 @@ export async function POST(request: NextRequest) {
   const requestId = generateRequestId()
 
   try {
-    const authResult = await checkInternalAuth(request, { requireWorkflowId: false })
+    const authResult = await checkHybridAuth(request, { requireWorkflowId: false })
 
     if (!authResult.success) {
       logger.warn(`[${requestId}] Unauthorized mail send attempt: ${authResult.error}`)

apps/sim/app/api/tools/microsoft_teams/delete_chat_message/route.ts

@@ -1,7 +1,7 @@
 import { createLogger } from '@sim/logger'
 import { type NextRequest, NextResponse } from 'next/server'
 import { z } from 'zod'
-import { checkInternalAuth } from '@/lib/auth/hybrid'
+import { checkHybridAuth } from '@/lib/auth/hybrid'
 import { generateRequestId } from '@/lib/core/utils/request'
 
 export const dynamic = 'force-dynamic'
@@ -18,7 +18,7 @@ export async function POST(request: NextRequest) {
   const requestId = generateRequestId()
 
   try {
-    const authResult = await checkInternalAuth(request, { requireWorkflowId: false })
+    const authResult = await checkHybridAuth(request, { requireWorkflowId: false })
 
     if (!authResult.success) {
       logger.warn(`[${requestId}] Unauthorized Teams chat delete attempt: ${authResult.error}`)

apps/sim/app/api/tools/microsoft_teams/write_channel/route.ts

@@ -1,7 +1,7 @@
 import { createLogger } from '@sim/logger'
 import { type NextRequest, NextResponse } from 'next/server'
 import { z } from 'zod'
-import { checkInternalAuth } from '@/lib/auth/hybrid'
+import { checkHybridAuth } from '@/lib/auth/hybrid'
 import { generateRequestId } from '@/lib/core/utils/request'
 import { processFilesToUserFiles } from '@/lib/uploads/utils/file-utils'
 import { downloadFileFromStorage } from '@/lib/uploads/utils/file-utils.server'
@@ -23,7 +23,7 @@ export async function POST(request: NextRequest) {
   const requestId = generateRequestId()
 
   try {
-    const authResult = await checkInternalAuth(request, { requireWorkflowId: false })
+    const authResult = await checkHybridAuth(request, { requireWorkflowId: false })
 
     if (!authResult.success) {
       logger.warn(`[${requestId}] Unauthorized Teams channel write attempt: ${authResult.error}`)

apps/sim/app/api/tools/microsoft_teams/write_chat/route.ts

@@ -1,7 +1,7 @@
 import { createLogger } from '@sim/logger'
 import { type NextRequest, NextResponse } from 'next/server'
 import { z } from 'zod'
-import { checkInternalAuth } from '@/lib/auth/hybrid'
+import { checkHybridAuth } from '@/lib/auth/hybrid'
 import { generateRequestId } from '@/lib/core/utils/request'
 import { processFilesToUserFiles } from '@/lib/uploads/utils/file-utils'
 import { downloadFileFromStorage } from '@/lib/uploads/utils/file-utils.server'
@@ -22,7 +22,7 @@ export async function POST(request: NextRequest) {
   const requestId = generateRequestId()
 
   try {
-    const authResult = await checkInternalAuth(request, { requireWorkflowId: false })
+    const authResult = await checkHybridAuth(request, { requireWorkflowId: false })
 
     if (!authResult.success) {
       logger.warn(`[${requestId}] Unauthorized Teams chat write attempt: ${authResult.error}`)

apps/sim/app/api/tools/mistral/parse/route.ts

@@ -1,15 +1,11 @@
 import { createLogger } from '@sim/logger'
 import { type NextRequest, NextResponse } from 'next/server'
 import { z } from 'zod'
-import { checkInternalAuth } from '@/lib/auth/hybrid'
+import { checkHybridAuth } from '@/lib/auth/hybrid'
 import { generateRequestId } from '@/lib/core/utils/request'
 import { getBaseUrl } from '@/lib/core/utils/urls'
 import { StorageService } from '@/lib/uploads'
-import {
+import { extractStorageKey, inferContextFromKey } from '@/lib/uploads/utils/file-utils'
-  extractStorageKey,
-  inferContextFromKey,
-  isInternalFileUrl,
-} from '@/lib/uploads/utils/file-utils'
 import { verifyFileAccess } from '@/app/api/files/authorization'
 
 export const dynamic = 'force-dynamic'
@@ -30,7 +26,7 @@ export async function POST(request: NextRequest) {
   const requestId = generateRequestId()
 
   try {
-    const authResult = await checkInternalAuth(request, { requireWorkflowId: false })
+    const authResult = await checkHybridAuth(request, { requireWorkflowId: false })
 
     if (!authResult.success || !authResult.userId) {
       logger.warn(`[${requestId}] Unauthorized Mistral parse attempt`, {
@@ -51,13 +47,13 @@ export async function POST(request: NextRequest) {
 
     logger.info(`[${requestId}] Mistral parse request`, {
       filePath: validatedData.filePath,
-      isWorkspaceFile: isInternalFileUrl(validatedData.filePath),
+      isWorkspaceFile: validatedData.filePath.includes('/api/files/serve/'),
       userId,
     })
 
     let fileUrl = validatedData.filePath
 
-    if (isInternalFileUrl(validatedData.filePath)) {
+    if (validatedData.filePath?.includes('/api/files/serve/')) {
       try {
         const storageKey = extractStorageKey(validatedData.filePath)
 

apps/sim/app/api/tools/mysql/delete/route.ts

@@ -2,7 +2,6 @@ import { randomUUID } from 'crypto'
 import { createLogger } from '@sim/logger'
 import { type NextRequest, NextResponse } from 'next/server'
 import { z } from 'zod'
-import { checkInternalAuth } from '@/lib/auth/hybrid'
 import { buildDeleteQuery, createMySQLConnection, executeQuery } from '@/app/api/tools/mysql/utils'
 
 const logger = createLogger('MySQLDeleteAPI')
@@ -22,12 +21,6 @@ export async function POST(request: NextRequest) {
   const requestId = randomUUID().slice(0, 8)
 
   try {
-    const auth = await checkInternalAuth(request)
-    if (!auth.success || !auth.userId) {
-      logger.warn(`[${requestId}] Unauthorized MySQL delete attempt`)
-      return NextResponse.json({ error: auth.error || 'Unauthorized' }, { status: 401 })
-    }
-
     const body = await request.json()
     const params = DeleteSchema.parse(body)
 

apps/sim/app/api/tools/mysql/execute/route.ts

@@ -2,7 +2,6 @@ import { randomUUID } from 'crypto'
 import { createLogger } from '@sim/logger'
 import { type NextRequest, NextResponse } from 'next/server'
 import { z } from 'zod'
-import { checkInternalAuth } from '@/lib/auth/hybrid'
 import { createMySQLConnection, executeQuery, validateQuery } from '@/app/api/tools/mysql/utils'
 
 const logger = createLogger('MySQLExecuteAPI')
@@ -21,12 +20,6 @@ export async function POST(request: NextRequest) {
   const requestId = randomUUID().slice(0, 8)
 
   try {
-    const auth = await checkInternalAuth(request)
-    if (!auth.success || !auth.userId) {
-      logger.warn(`[${requestId}] Unauthorized MySQL execute attempt`)
-      return NextResponse.json({ error: auth.error || 'Unauthorized' }, { status: 401 })
-    }
-
     const body = await request.json()
     const params = ExecuteSchema.parse(body)
 

apps/sim/app/api/tools/mysql/insert/route.ts

@@ -2,7 +2,6 @@ import { randomUUID } from 'crypto'
 import { createLogger } from '@sim/logger'
 import { type NextRequest, NextResponse } from 'next/server'
 import { z } from 'zod'
-import { checkInternalAuth } from '@/lib/auth/hybrid'
 import { buildInsertQuery, createMySQLConnection, executeQuery } from '@/app/api/tools/mysql/utils'
 
 const logger = createLogger('MySQLInsertAPI')
@@ -43,12 +42,6 @@ export async function POST(request: NextRequest) {
   const requestId = randomUUID().slice(0, 8)
 
   try {
-    const auth = await checkInternalAuth(request)
-    if (!auth.success || !auth.userId) {
-      logger.warn(`[${requestId}] Unauthorized MySQL insert attempt`)
-      return NextResponse.json({ error: auth.error || 'Unauthorized' }, { status: 401 })
-    }
-
     const body = await request.json()
     const params = InsertSchema.parse(body)
 

apps/sim/app/api/tools/mysql/introspect/route.ts

@@ -2,7 +2,6 @@ import { randomUUID } from 'crypto'
 import { createLogger } from '@sim/logger'
 import { type NextRequest, NextResponse } from 'next/server'
 import { z } from 'zod'
-import { checkInternalAuth } from '@/lib/auth/hybrid'
 import { createMySQLConnection, executeIntrospect } from '@/app/api/tools/mysql/utils'
 
 const logger = createLogger('MySQLIntrospectAPI')
@@ -20,12 +19,6 @@ export async function POST(request: NextRequest) {
   const requestId = randomUUID().slice(0, 8)
 
   try {
-    const auth = await checkInternalAuth(request)
-    if (!auth.success || !auth.userId) {
-      logger.warn(`[${requestId}] Unauthorized MySQL introspect attempt`)
-      return NextResponse.json({ error: auth.error || 'Unauthorized' }, { status: 401 })
-    }
-
     const body = await request.json()
     const params = IntrospectSchema.parse(body)
 

apps/sim/app/api/tools/mysql/query/route.ts

@@ -2,7 +2,6 @@ import { randomUUID } from 'crypto'
 import { createLogger } from '@sim/logger'
 import { type NextRequest, NextResponse } from 'next/server'
 import { z } from 'zod'
-import { checkInternalAuth } from '@/lib/auth/hybrid'
 import { createMySQLConnection, executeQuery, validateQuery } from '@/app/api/tools/mysql/utils'
 
 const logger = createLogger('MySQLQueryAPI')
@@ -21,12 +20,6 @@ export async function POST(request: NextRequest) {
   const requestId = randomUUID().slice(0, 8)
 
   try {
-    const auth = await checkInternalAuth(request)
-    if (!auth.success || !auth.userId) {
-      logger.warn(`[${requestId}] Unauthorized MySQL query attempt`)
-      return NextResponse.json({ error: auth.error || 'Unauthorized' }, { status: 401 })
-    }
-
     const body = await request.json()
     const params = QuerySchema.parse(body)
 

apps/sim/app/api/tools/mysql/update/route.ts

@@ -2,7 +2,6 @@ import { randomUUID } from 'crypto'
 import { createLogger } from '@sim/logger'
 import { type NextRequest, NextResponse } from 'next/server'
 import { z } from 'zod'
-import { checkInternalAuth } from '@/lib/auth/hybrid'
 import { buildUpdateQuery, createMySQLConnection, executeQuery } from '@/app/api/tools/mysql/utils'
 
 const logger = createLogger('MySQLUpdateAPI')
@@ -41,12 +40,6 @@ export async function POST(request: NextRequest) {
   const requestId = randomUUID().slice(0, 8)
 
   try {
-    const auth = await checkInternalAuth(request)
-    if (!auth.success || !auth.userId) {
-      logger.warn(`[${requestId}] Unauthorized MySQL update attempt`)
-      return NextResponse.json({ error: auth.error || 'Unauthorized' }, { status: 401 })
-    }
-
     const body = await request.json()
     const params = UpdateSchema.parse(body)
 

apps/sim/app/api/tools/onedrive/upload/route.ts

@@ -2,7 +2,7 @@ import { createLogger } from '@sim/logger'
 import { type NextRequest, NextResponse } from 'next/server'
 import * as XLSX from 'xlsx'
 import { z } from 'zod'
-import { checkInternalAuth } from '@/lib/auth/hybrid'
+import { checkHybridAuth } from '@/lib/auth/hybrid'
 import { validateMicrosoftGraphId } from '@/lib/core/security/input-validation'
 import { generateRequestId } from '@/lib/core/utils/request'
 import {
@@ -39,7 +39,7 @@ export async function POST(request: NextRequest) {
   const requestId = generateRequestId()
 
   try {
-    const authResult = await checkInternalAuth(request, { requireWorkflowId: false })
+    const authResult = await checkHybridAuth(request, { requireWorkflowId: false })
 
     if (!authResult.success) {
       logger.warn(`[${requestId}] Unauthorized OneDrive upload attempt: ${authResult.error}`)

apps/sim/app/api/tools/outlook/copy/route.ts

@@ -1,7 +1,7 @@
 import { createLogger } from '@sim/logger'
 import { type NextRequest, NextResponse } from 'next/server'
 import { z } from 'zod'
-import { checkInternalAuth } from '@/lib/auth/hybrid'
+import { checkHybridAuth } from '@/lib/auth/hybrid'
 import { generateRequestId } from '@/lib/core/utils/request'
 
 export const dynamic = 'force-dynamic'
@@ -18,7 +18,7 @@ export async function POST(request: NextRequest) {
   const requestId = generateRequestId()
 
   try {
-    const authResult = await checkInternalAuth(request, { requireWorkflowId: false })
+    const authResult = await checkHybridAuth(request, { requireWorkflowId: false })
 
     if (!authResult.success) {
       logger.warn(`[${requestId}] Unauthorized Outlook copy attempt: ${authResult.error}`)

apps/sim/app/api/tools/outlook/delete/route.ts

@@ -1,7 +1,7 @@
 import { createLogger } from '@sim/logger'
 import { type NextRequest, NextResponse } from 'next/server'
 import { z } from 'zod'
-import { checkInternalAuth } from '@/lib/auth/hybrid'
+import { checkHybridAuth } from '@/lib/auth/hybrid'
 import { generateRequestId } from '@/lib/core/utils/request'
 
 export const dynamic = 'force-dynamic'
@@ -17,7 +17,7 @@ export async function POST(request: NextRequest) {
   const requestId = generateRequestId()
 
   try {
-    const authResult = await checkInternalAuth(request, { requireWorkflowId: false })
+    const authResult = await checkHybridAuth(request, { requireWorkflowId: false })
 
     if (!authResult.success) {
       logger.warn(`[${requestId}] Unauthorized Outlook delete attempt: ${authResult.error}`)

apps/sim/app/api/tools/outlook/draft/route.ts

@@ -1,7 +1,7 @@
 import { createLogger } from '@sim/logger'
 import { type NextRequest, NextResponse } from 'next/server'
 import { z } from 'zod'
-import { checkInternalAuth } from '@/lib/auth/hybrid'
+import { checkHybridAuth } from '@/lib/auth/hybrid'
 import { generateRequestId } from '@/lib/core/utils/request'
 import { processFilesToUserFiles } from '@/lib/uploads/utils/file-utils'
 import { downloadFileFromStorage } from '@/lib/uploads/utils/file-utils.server'
@@ -25,7 +25,7 @@ export async function POST(request: NextRequest) {
   const requestId = generateRequestId()
 
   try {
-    const authResult = await checkInternalAuth(request, { requireWorkflowId: false })
+    const authResult = await checkHybridAuth(request, { requireWorkflowId: false })
 
     if (!authResult.success) {
       logger.warn(`[${requestId}] Unauthorized Outlook draft attempt: ${authResult.error}`)

apps/sim/app/api/tools/outlook/mark-read/route.ts

@@ -1,7 +1,7 @@
 import { createLogger } from '@sim/logger'
 import { type NextRequest, NextResponse } from 'next/server'
 import { z } from 'zod'
-import { checkInternalAuth } from '@/lib/auth/hybrid'
+import { checkHybridAuth } from '@/lib/auth/hybrid'
 import { generateRequestId } from '@/lib/core/utils/request'
 
 export const dynamic = 'force-dynamic'
@@ -17,7 +17,7 @@ export async function POST(request: NextRequest) {
   const requestId = generateRequestId()
 
   try {
-    const authResult = await checkInternalAuth(request, { requireWorkflowId: false })
+    const authResult = await checkHybridAuth(request, { requireWorkflowId: false })
 
     if (!authResult.success) {
       logger.warn(`[${requestId}] Unauthorized Outlook mark read attempt: ${authResult.error}`)

apps/sim/app/api/tools/outlook/mark-unread/route.ts

@@ -1,7 +1,7 @@
 import { createLogger } from '@sim/logger'
 import { type NextRequest, NextResponse } from 'next/server'
 import { z } from 'zod'
-import { checkInternalAuth } from '@/lib/auth/hybrid'
+import { checkHybridAuth } from '@/lib/auth/hybrid'
 import { generateRequestId } from '@/lib/core/utils/request'
 
 export const dynamic = 'force-dynamic'
@@ -17,7 +17,7 @@ export async function POST(request: NextRequest) {
   const requestId = generateRequestId()
 
   try {
-    const authResult = await checkInternalAuth(request, { requireWorkflowId: false })
+    const authResult = await checkHybridAuth(request, { requireWorkflowId: false })
 
     if (!authResult.success) {
       logger.warn(`[${requestId}] Unauthorized Outlook mark unread attempt: ${authResult.error}`)

apps/sim/app/api/tools/outlook/move/route.ts

@@ -1,7 +1,7 @@
 import { createLogger } from '@sim/logger'
 import { type NextRequest, NextResponse } from 'next/server'
 import { z } from 'zod'
-import { checkInternalAuth } from '@/lib/auth/hybrid'
+import { checkHybridAuth } from '@/lib/auth/hybrid'
 import { generateRequestId } from '@/lib/core/utils/request'
 
 export const dynamic = 'force-dynamic'
@@ -18,7 +18,7 @@ export async function POST(request: NextRequest) {
   const requestId = generateRequestId()
 
   try {
-    const authResult = await checkInternalAuth(request, { requireWorkflowId: false })
+    const authResult = await checkHybridAuth(request, { requireWorkflowId: false })
 
     if (!authResult.success) {
       logger.warn(`[${requestId}] Unauthorized Outlook move attempt: ${authResult.error}`)

apps/sim/app/api/tools/outlook/send/route.ts

@@ -1,7 +1,7 @@
 import { createLogger } from '@sim/logger'
 import { type NextRequest, NextResponse } from 'next/server'
 import { z } from 'zod'
-import { checkInternalAuth } from '@/lib/auth/hybrid'
+import { checkHybridAuth } from '@/lib/auth/hybrid'
 import { generateRequestId } from '@/lib/core/utils/request'
 import { processFilesToUserFiles } from '@/lib/uploads/utils/file-utils'
 import { downloadFileFromStorage } from '@/lib/uploads/utils/file-utils.server'
@@ -27,7 +27,7 @@ export async function POST(request: NextRequest) {
   const requestId = generateRequestId()
 
   try {
-    const authResult = await checkInternalAuth(request, { requireWorkflowId: false })
+    const authResult = await checkHybridAuth(request, { requireWorkflowId: false })
 
     if (!authResult.success) {
       logger.warn(`[${requestId}] Unauthorized Outlook send attempt: ${authResult.error}`)

apps/sim/app/api/tools/postgresql/delete/route.ts

@@ -2,7 +2,6 @@ import { randomUUID } from 'crypto'
 import { createLogger } from '@sim/logger'
 import { type NextRequest, NextResponse } from 'next/server'
 import { z } from 'zod'
-import { checkInternalAuth } from '@/lib/auth/hybrid'
 import { createPostgresConnection, executeDelete } from '@/app/api/tools/postgresql/utils'
 
 const logger = createLogger('PostgreSQLDeleteAPI')
@@ -22,12 +21,6 @@ export async function POST(request: NextRequest) {
   const requestId = randomUUID().slice(0, 8)
 
   try {
-    const auth = await checkInternalAuth(request)
-    if (!auth.success || !auth.userId) {
-      logger.warn(`[${requestId}] Unauthorized PostgreSQL delete attempt`)
-      return NextResponse.json({ error: auth.error || 'Unauthorized' }, { status: 401 })
-    }
-
     const body = await request.json()
     const params = DeleteSchema.parse(body)
 

apps/sim/app/api/tools/postgresql/execute/route.ts

@@ -2,7 +2,6 @@ import { randomUUID } from 'crypto'
 import { createLogger } from '@sim/logger'
 import { type NextRequest, NextResponse } from 'next/server'
 import { z } from 'zod'
-import { checkInternalAuth } from '@/lib/auth/hybrid'
 import {
   createPostgresConnection,
   executeQuery,
@@ -25,12 +24,6 @@ export async function POST(request: NextRequest) {
   const requestId = randomUUID().slice(0, 8)
 
   try {
-    const auth = await checkInternalAuth(request)
-    if (!auth.success || !auth.userId) {
-      logger.warn(`[${requestId}] Unauthorized PostgreSQL execute attempt`)
-      return NextResponse.json({ error: auth.error || 'Unauthorized' }, { status: 401 })
-    }
-
     const body = await request.json()
     const params = ExecuteSchema.parse(body)
 

apps/sim/app/api/tools/postgresql/insert/route.ts

@@ -2,7 +2,6 @@ import { randomUUID } from 'crypto'
 import { createLogger } from '@sim/logger'
 import { type NextRequest, NextResponse } from 'next/server'
 import { z } from 'zod'
-import { checkInternalAuth } from '@/lib/auth/hybrid'
 import { createPostgresConnection, executeInsert } from '@/app/api/tools/postgresql/utils'
 
 const logger = createLogger('PostgreSQLInsertAPI')
@@ -43,12 +42,6 @@ export async function POST(request: NextRequest) {
   const requestId = randomUUID().slice(0, 8)
 
   try {
-    const auth = await checkInternalAuth(request)
-    if (!auth.success || !auth.userId) {
-      logger.warn(`[${requestId}] Unauthorized PostgreSQL insert attempt`)
-      return NextResponse.json({ error: auth.error || 'Unauthorized' }, { status: 401 })
-    }
-
     const body = await request.json()
 
     const params = InsertSchema.parse(body)

apps/sim/app/api/tools/postgresql/introspect/route.ts

@@ -2,7 +2,6 @@ import { randomUUID } from 'crypto'
 import { createLogger } from '@sim/logger'
 import { type NextRequest, NextResponse } from 'next/server'
 import { z } from 'zod'
-import { checkInternalAuth } from '@/lib/auth/hybrid'
 import { createPostgresConnection, executeIntrospect } from '@/app/api/tools/postgresql/utils'
 
 const logger = createLogger('PostgreSQLIntrospectAPI')
@@ -21,12 +20,6 @@ export async function POST(request: NextRequest) {
   const requestId = randomUUID().slice(0, 8)
 
   try {
-    const auth = await checkInternalAuth(request)
-    if (!auth.success || !auth.userId) {
-      logger.warn(`[${requestId}] Unauthorized PostgreSQL introspect attempt`)
-      return NextResponse.json({ error: auth.error || 'Unauthorized' }, { status: 401 })
-    }
-
     const body = await request.json()
     const params = IntrospectSchema.parse(body)
 

apps/sim/app/api/tools/postgresql/query/route.ts

@@ -2,7 +2,6 @@ import { randomUUID } from 'crypto'
 import { createLogger } from '@sim/logger'
 import { type NextRequest, NextResponse } from 'next/server'
 import { z } from 'zod'
-import { checkInternalAuth } from '@/lib/auth/hybrid'
 import { createPostgresConnection, executeQuery } from '@/app/api/tools/postgresql/utils'
 
 const logger = createLogger('PostgreSQLQueryAPI')
@@ -21,12 +20,6 @@ export async function POST(request: NextRequest) {
   const requestId = randomUUID().slice(0, 8)
 
   try {
-    const auth = await checkInternalAuth(request)
-    if (!auth.success || !auth.userId) {
-      logger.warn(`[${requestId}] Unauthorized PostgreSQL query attempt`)
-      return NextResponse.json({ error: auth.error || 'Unauthorized' }, { status: 401 })
-    }
-
     const body = await request.json()
     const params = QuerySchema.parse(body)
 

apps/sim/app/api/tools/postgresql/update/route.ts

@@ -2,7 +2,6 @@ import { randomUUID } from 'crypto'
 import { createLogger } from '@sim/logger'
 import { type NextRequest, NextResponse } from 'next/server'
 import { z } from 'zod'
-import { checkInternalAuth } from '@/lib/auth/hybrid'
 import { createPostgresConnection, executeUpdate } from '@/app/api/tools/postgresql/utils'
 
 const logger = createLogger('PostgreSQLUpdateAPI')
@@ -41,12 +40,6 @@ export async function POST(request: NextRequest) {
   const requestId = randomUUID().slice(0, 8)
 
   try {
-    const auth = await checkInternalAuth(request)
-    if (!auth.success || !auth.userId) {
-      logger.warn(`[${requestId}] Unauthorized PostgreSQL update attempt`)
-      return NextResponse.json({ error: auth.error || 'Unauthorized' }, { status: 401 })
-    }
-
     const body = await request.json()
     const params = UpdateSchema.parse(body)
 

apps/sim/app/api/tools/pulse/parse/route.ts

@@ -1,15 +1,11 @@
 import { createLogger } from '@sim/logger'
 import { type NextRequest, NextResponse } from 'next/server'
 import { z } from 'zod'
-import { checkInternalAuth } from '@/lib/auth/hybrid'
+import { checkHybridAuth } from '@/lib/auth/hybrid'
 import { generateRequestId } from '@/lib/core/utils/request'
 import { getBaseUrl } from '@/lib/core/utils/urls'
 import { StorageService } from '@/lib/uploads'
-import {
+import { extractStorageKey, inferContextFromKey } from '@/lib/uploads/utils/file-utils'
-  extractStorageKey,
-  inferContextFromKey,
-  isInternalFileUrl,
-} from '@/lib/uploads/utils/file-utils'
 import { verifyFileAccess } from '@/app/api/files/authorization'
 
 export const dynamic = 'force-dynamic'
@@ -31,7 +27,7 @@ export async function POST(request: NextRequest) {
   const requestId = generateRequestId()
 
   try {
-    const authResult = await checkInternalAuth(request, { requireWorkflowId: false })
+    const authResult = await checkHybridAuth(request, { requireWorkflowId: false })
 
     if (!authResult.success || !authResult.userId) {
       logger.warn(`[${requestId}] Unauthorized Pulse parse attempt`, {
@@ -52,13 +48,13 @@ export async function POST(request: NextRequest) {
 
     logger.info(`[${requestId}] Pulse parse request`, {
       filePath: validatedData.filePath,
-      isWorkspaceFile: isInternalFileUrl(validatedData.filePath),
+      isWorkspaceFile: validatedData.filePath.includes('/api/files/serve/'),
       userId,
     })
 
     let fileUrl = validatedData.filePath
 
-    if (isInternalFileUrl(validatedData.filePath)) {
+    if (validatedData.filePath?.includes('/api/files/serve/')) {
       try {
         const storageKey = extractStorageKey(validatedData.filePath)
         const context = inferContextFromKey(storageKey)

apps/sim/app/api/tools/reducto/parse/route.ts

@@ -1,15 +1,11 @@
 import { createLogger } from '@sim/logger'
 import { type NextRequest, NextResponse } from 'next/server'
 import { z } from 'zod'
-import { checkInternalAuth } from '@/lib/auth/hybrid'
+import { checkHybridAuth } from '@/lib/auth/hybrid'
 import { generateRequestId } from '@/lib/core/utils/request'
 import { getBaseUrl } from '@/lib/core/utils/urls'
 import { StorageService } from '@/lib/uploads'
-import {
+import { extractStorageKey, inferContextFromKey } from '@/lib/uploads/utils/file-utils'
-  extractStorageKey,
-  inferContextFromKey,
-  isInternalFileUrl,
-} from '@/lib/uploads/utils/file-utils'
 import { verifyFileAccess } from '@/app/api/files/authorization'
 
 export const dynamic = 'force-dynamic'
@@ -27,7 +23,7 @@ export async function POST(request: NextRequest) {
   const requestId = generateRequestId()
 
   try {
-    const authResult = await checkInternalAuth(request, { requireWorkflowId: false })
+    const authResult = await checkHybridAuth(request, { requireWorkflowId: false })
 
     if (!authResult.success || !authResult.userId) {
       logger.warn(`[${requestId}] Unauthorized Reducto parse attempt`, {
@@ -48,13 +44,13 @@ export async function POST(request: NextRequest) {
 
     logger.info(`[${requestId}] Reducto parse request`, {
       filePath: validatedData.filePath,
-      isWorkspaceFile: isInternalFileUrl(validatedData.filePath),
+      isWorkspaceFile: validatedData.filePath.includes('/api/files/serve/'),
       userId,
     })
 
     let fileUrl = validatedData.filePath
 
-    if (isInternalFileUrl(validatedData.filePath)) {
+    if (validatedData.filePath?.includes('/api/files/serve/')) {
       try {
         const storageKey = extractStorageKey(validatedData.filePath)
         const context = inferContextFromKey(storageKey)

apps/sim/app/api/tools/s3/copy-object/route.ts

@@ -2,7 +2,7 @@ import { CopyObjectCommand, type ObjectCannedACL, S3Client } from '@aws-sdk/clie
 import { createLogger } from '@sim/logger'
 import { type NextRequest, NextResponse } from 'next/server'
 import { z } from 'zod'
-import { checkInternalAuth } from '@/lib/auth/hybrid'
+import { checkHybridAuth } from '@/lib/auth/hybrid'
 import { generateRequestId } from '@/lib/core/utils/request'
 
 export const dynamic = 'force-dynamic'
@@ -24,7 +24,7 @@ export async function POST(request: NextRequest) {
   const requestId = generateRequestId()
 
   try {
-    const authResult = await checkInternalAuth(request, { requireWorkflowId: false })
+    const authResult = await checkHybridAuth(request, { requireWorkflowId: false })
 
     if (!authResult.success) {
       logger.warn(`[${requestId}] Unauthorized S3 copy object attempt: ${authResult.error}`)
@@ -79,13 +79,11 @@ export async function POST(request: NextRequest) {
     // Generate public URL for destination (properly encode the destination key)
     const encodedDestKey = validatedData.destinationKey.split('/').map(encodeURIComponent).join('/')
     const url = `https://${validatedData.destinationBucket}.s3.${validatedData.region}.amazonaws.com/${encodedDestKey}`
-    const uri = `s3://${validatedData.destinationBucket}/${validatedData.destinationKey}`
 
     return NextResponse.json({
       success: true,
       output: {
         url,
-        uri,
         copySourceVersionId: result.CopySourceVersionId,
         versionId: result.VersionId,
         etag: result.CopyObjectResult?.ETag,

apps/sim/app/api/tools/s3/delete-object/route.ts

@@ -2,7 +2,7 @@ import { DeleteObjectCommand, S3Client } from '@aws-sdk/client-s3'
 import { createLogger } from '@sim/logger'
 import { type NextRequest, NextResponse } from 'next/server'
 import { z } from 'zod'
-import { checkInternalAuth } from '@/lib/auth/hybrid'
+import { checkHybridAuth } from '@/lib/auth/hybrid'
 import { generateRequestId } from '@/lib/core/utils/request'
 
 export const dynamic = 'force-dynamic'
@@ -21,7 +21,7 @@ export async function POST(request: NextRequest) {
   const requestId = generateRequestId()
 
   try {
-    const authResult = await checkInternalAuth(request, { requireWorkflowId: false })
+    const authResult = await checkHybridAuth(request, { requireWorkflowId: false })
 
     if (!authResult.success) {
       logger.warn(`[${requestId}] Unauthorized S3 delete object attempt: ${authResult.error}`)