fix(envvars): resolution standardized (#2957)

* fix(envvars): resolution standardized

* remove comments

* address bugbot

* fix highlighting for env vars

* remove comments

* address greptile

* address bugbot

apps/sim/app/(landing)/components/footer/components/status-indicator.tsx

@@ -59,7 +59,7 @@ export default function StatusIndicator() {
       href={statusUrl}
       target='_blank'
       rel='noopener noreferrer'
-      className={`flex items-center gap-[6px] whitespace-nowrap text-[12px] transition-colors ${STATUS_COLORS[status]}`}
+      className={`flex min-w-[165px] items-center gap-[6px] whitespace-nowrap text-[12px] transition-colors ${STATUS_COLORS[status]}`}
       aria-label={`System status: ${message}`}
     >
       <StatusDotIcon status={status} className='h-[6px] w-[6px]' aria-hidden='true' />

apps/sim/app/(landing)/studio/page.tsx

@@ -22,7 +22,7 @@ export default async function StudioIndex({
       ? filtered.sort((a, b) => {
           if (a.featured && !b.featured) return -1
           if (!a.featured && b.featured) return 1
-          return 0
+          return new Date(b.date).getTime() - new Date(a.date).getTime()
         })
       : filtered
 

apps/sim/app/api/a2a/agents/[agentId]/route.ts

@@ -8,6 +8,7 @@ import type { AgentCapabilities, AgentSkill } from '@/lib/a2a/types'
 import { checkHybridAuth } from '@/lib/auth/hybrid'
 import { getRedisClient } from '@/lib/core/config/redis'
 import { loadWorkflowFromNormalizedTables } from '@/lib/workflows/persistence/utils'
+import { checkWorkspaceAccess } from '@/lib/workspaces/permissions/utils'
 
 const logger = createLogger('A2AAgentCardAPI')
 
@@ -95,6 +96,11 @@ export async function PUT(request: NextRequest, { params }: { params: Promise<Ro
       return NextResponse.json({ error: 'Agent not found' }, { status: 404 })
     }
 
+    const workspaceAccess = await checkWorkspaceAccess(existingAgent.workspaceId, auth.userId)
+    if (!workspaceAccess.canWrite) {
+      return NextResponse.json({ error: 'Forbidden' }, { status: 403 })
+    }
+
     const body = await request.json()
 
     if (
@@ -160,6 +166,11 @@ export async function DELETE(request: NextRequest, { params }: { params: Promise
       return NextResponse.json({ error: 'Agent not found' }, { status: 404 })
     }
 
+    const workspaceAccess = await checkWorkspaceAccess(existingAgent.workspaceId, auth.userId)
+    if (!workspaceAccess.canWrite) {
+      return NextResponse.json({ error: 'Forbidden' }, { status: 403 })
+    }
+
     await db.delete(a2aAgent).where(eq(a2aAgent.id, agentId))
 
     logger.info(`Deleted A2A agent: ${agentId}`)
@@ -194,6 +205,11 @@ export async function POST(request: NextRequest, { params }: { params: Promise<R
       return NextResponse.json({ error: 'Agent not found' }, { status: 404 })
     }
 
+    const workspaceAccess = await checkWorkspaceAccess(existingAgent.workspaceId, auth.userId)
+    if (!workspaceAccess.canWrite) {
+      return NextResponse.json({ error: 'Forbidden' }, { status: 403 })
+    }
+
     const body = await request.json()
     const action = body.action as 'publish' | 'unpublish' | 'refresh'
 

apps/sim/app/api/a2a/serve/[agentId]/route.ts

@@ -16,6 +16,7 @@ import {
 import { checkHybridAuth } from '@/lib/auth/hybrid'
 import { getBrandConfig } from '@/lib/branding/branding'
 import { acquireLock, getRedisClient, releaseLock } from '@/lib/core/config/redis'
+import { validateExternalUrl } from '@/lib/core/security/input-validation'
 import { SSE_HEADERS } from '@/lib/core/utils/sse'
 import { getBaseUrl } from '@/lib/core/utils/urls'
 import { markExecutionCancelled } from '@/lib/execution/cancellation'
@@ -1118,17 +1119,13 @@ async function handlePushNotificationSet(
     )
   }
 
-  try {
-    const url = new URL(params.pushNotificationConfig.url)
-    if (url.protocol !== 'https:') {
-      return NextResponse.json(
-        createError(id, A2A_ERROR_CODES.INVALID_PARAMS, 'Push notification URL must use HTTPS'),
-        { status: 400 }
-      )
-    }
-  } catch {
+  const urlValidation = validateExternalUrl(
+    params.pushNotificationConfig.url,
+    'Push notification URL'
+  )
+  if (!urlValidation.isValid) {
     return NextResponse.json(
-      createError(id, A2A_ERROR_CODES.INVALID_PARAMS, 'Invalid push notification URL'),
+      createError(id, A2A_ERROR_CODES.INVALID_PARAMS, urlValidation.error || 'Invalid URL'),
       { status: 400 }
     )
   }

apps/sim/app/api/copilot/execute-tool/route.ts

@@ -104,17 +104,11 @@ export async function POST(req: NextRequest) {
     })
 
     // Build execution params starting with LLM-provided arguments
-    // Resolve all {{ENV_VAR}} references in the arguments
+    // Resolve all {{ENV_VAR}} references in the arguments (deep for nested objects)
     const executionParams: Record<string, any> = resolveEnvVarReferences(
       toolArgs,
       decryptedEnvVars,
-      {
-        resolveExactMatch: true,
-        allowEmbedded: true,
-        trimKeys: true,
-        onMissing: 'keep',
-        deep: true,
-      }
+      { deep: true }
     ) as Record<string, any>
 
     logger.info(`[${tracker.requestId}] Resolved env var references in arguments`, {

apps/sim/app/api/function/execute/route.test.ts

@@ -84,6 +84,14 @@ vi.mock('@/lib/execution/isolated-vm', () => ({
 
 vi.mock('@sim/logger', () => loggerMock)
 
+vi.mock('@/lib/auth/hybrid', () => ({
+  checkHybridAuth: vi.fn().mockResolvedValue({
+    success: true,
+    userId: 'user-123',
+    authType: 'session',
+  }),
+}))
+
 vi.mock('@/lib/execution/e2b', () => ({
   executeInE2B: vi.fn(),
 }))
@@ -110,6 +118,24 @@ describe('Function Execute API Route', () => {
   })
 
   describe('Security Tests', () => {
+    it('should reject unauthorized requests', async () => {
+      const { checkHybridAuth } = await import('@/lib/auth/hybrid')
+      vi.mocked(checkHybridAuth).mockResolvedValueOnce({
+        success: false,
+        error: 'Unauthorized',
+      })
+
+      const req = createMockRequest('POST', {
+        code: 'return "test"',
+      })
+
+      const response = await POST(req)
+      const data = await response.json()
+
+      expect(response.status).toBe(401)
+      expect(data).toHaveProperty('error', 'Unauthorized')
+    })
+
     it.concurrent('should use isolated-vm for secure sandboxed execution', async () => {
       const req = createMockRequest('POST', {
         code: 'return "test"',

apps/sim/app/api/function/execute/route.ts

@@ -1,5 +1,6 @@
 import { createLogger } from '@sim/logger'
 import { type NextRequest, NextResponse } from 'next/server'
+import { checkHybridAuth } from '@/lib/auth/hybrid'
 import { isE2bEnabled } from '@/lib/core/config/feature-flags'
 import { generateRequestId } from '@/lib/core/utils/request'
 import { executeInE2B } from '@/lib/execution/e2b'
@@ -581,6 +582,12 @@ export async function POST(req: NextRequest) {
   let resolvedCode = '' // Store resolved code for error reporting
 
   try {
+    const auth = await checkHybridAuth(req)
+    if (!auth.success || !auth.userId) {
+      logger.warn(`[${requestId}] Unauthorized function execution attempt`)
+      return NextResponse.json({ error: auth.error || 'Unauthorized' }, { status: 401 })
+    }
+
     const body = await req.json()
 
     const { DEFAULT_EXECUTION_TIMEOUT_MS } = await import('@/lib/execution/constants')

apps/sim/app/api/mcp/servers/test-connection/route.ts

@@ -1,11 +1,10 @@
 import { createLogger } from '@sim/logger'
 import type { NextRequest } from 'next/server'
-import { getEffectiveDecryptedEnv } from '@/lib/environment/utils'
 import { McpClient } from '@/lib/mcp/client'
 import { getParsedBody, withMcpAuth } from '@/lib/mcp/middleware'
-import type { McpServerConfig, McpTransport } from '@/lib/mcp/types'
+import { resolveMcpConfigEnvVars } from '@/lib/mcp/resolve-config'
+import type { McpTransport } from '@/lib/mcp/types'
 import { createMcpErrorResponse, createMcpSuccessResponse } from '@/lib/mcp/utils'
-import { resolveEnvVarReferences } from '@/executor/utils/reference-validation'
 
 const logger = createLogger('McpServerTestAPI')
 
@@ -19,30 +18,6 @@ function isUrlBasedTransport(transport: McpTransport): boolean {
   return transport === 'streamable-http'
 }
 
-/**
- * Resolve environment variables in strings
- */
-function resolveEnvVars(value: string, envVars: Record<string, string>): string {
-  const missingVars: string[] = []
-  const resolvedValue = resolveEnvVarReferences(value, envVars, {
-    allowEmbedded: true,
-    resolveExactMatch: true,
-    trimKeys: true,
-    onMissing: 'keep',
-    deep: false,
-    missingKeys: missingVars,
-  }) as string
-
-  if (missingVars.length > 0) {
-    const uniqueMissing = Array.from(new Set(missingVars))
-    uniqueMissing.forEach((envKey) => {
-      logger.warn(`Environment variable "${envKey}" not found in MCP server test`)
-    })
-  }
-
-  return resolvedValue
-}
-
 interface TestConnectionRequest {
   name: string
   transport: McpTransport
@@ -96,39 +71,30 @@ export const POST = withMcpAuth('write')(
         )
       }
 
-      let resolvedUrl = body.url
-      let resolvedHeaders = body.headers || {}
-
-      try {
-        const envVars = await getEffectiveDecryptedEnv(userId, workspaceId)
-
-        if (resolvedUrl) {
-          resolvedUrl = resolveEnvVars(resolvedUrl, envVars)
-        }
-
-        const resolvedHeadersObj: Record<string, string> = {}
-        for (const [key, value] of Object.entries(resolvedHeaders)) {
-          resolvedHeadersObj[key] = resolveEnvVars(value, envVars)
-        }
-        resolvedHeaders = resolvedHeadersObj
-      } catch (envError) {
-        logger.warn(
-          `[${requestId}] Failed to resolve environment variables, using raw values:`,
-          envError
-        )
-      }
-
-      const testConfig: McpServerConfig = {
+      // Build initial config for resolution
+      const initialConfig = {
         id: `test-${requestId}`,
         name: body.name,
         transport: body.transport,
-        url: resolvedUrl,
-        headers: resolvedHeaders,
+        url: body.url,
+        headers: body.headers || {},
         timeout: body.timeout || 10000,
         retries: 1, // Only one retry for tests
         enabled: true,
       }
 
+      // Resolve env vars using shared utility (non-strict mode for testing)
+      const { config: testConfig, missingVars } = await resolveMcpConfigEnvVars(
+        initialConfig,
+        userId,
+        workspaceId,
+        { strict: false }
+      )
+
+      if (missingVars.length > 0) {
+        logger.warn(`[${requestId}] Some environment variables not found:`, { missingVars })
+      }
+
       const testSecurityPolicy = {
         requireConsent: false,
         auditLevel: 'none' as const,

apps/sim/app/api/providers/route.ts

@@ -3,7 +3,9 @@ import { account } from '@sim/db/schema'
 import { createLogger } from '@sim/logger'
 import { eq } from 'drizzle-orm'
 import { type NextRequest, NextResponse } from 'next/server'
+import { checkHybridAuth } from '@/lib/auth/hybrid'
 import { generateRequestId } from '@/lib/core/utils/request'
+import { checkWorkspaceAccess } from '@/lib/workspaces/permissions/utils'
 import { refreshTokenIfNeeded } from '@/app/api/auth/oauth/utils'
 import type { StreamingExecution } from '@/executor/types'
 import { executeProviderRequest } from '@/providers'
@@ -20,6 +22,11 @@ export async function POST(request: NextRequest) {
   const startTime = Date.now()
 
   try {
+    const auth = await checkHybridAuth(request, { requireWorkflowId: false })
+    if (!auth.success || !auth.userId) {
+      return NextResponse.json({ error: 'Unauthorized' }, { status: 401 })
+    }
+
     logger.info(`[${requestId}] Provider API request started`, {
       timestamp: new Date().toISOString(),
       userAgent: request.headers.get('User-Agent'),
@@ -85,6 +92,13 @@ export async function POST(request: NextRequest) {
       verbosity,
     })
 
+    if (workspaceId) {
+      const workspaceAccess = await checkWorkspaceAccess(workspaceId, auth.userId)
+      if (!workspaceAccess.hasAccess) {
+        return NextResponse.json({ error: 'Forbidden' }, { status: 403 })
+      }
+    }
+
     let finalApiKey: string | undefined = apiKey
     try {
       if (provider === 'vertex' && vertexCredential) {

apps/sim/app/api/tools/a2a/set-push-notification/route.ts

@@ -3,6 +3,7 @@ import { type NextRequest, NextResponse } from 'next/server'
 import { z } from 'zod'
 import { createA2AClient } from '@/lib/a2a/utils'
 import { checkHybridAuth } from '@/lib/auth/hybrid'
+import { validateExternalUrl } from '@/lib/core/security/input-validation'
 import { generateRequestId } from '@/lib/core/utils/request'
 
 export const dynamic = 'force-dynamic'
@@ -39,6 +40,18 @@ export async function POST(request: NextRequest) {
     const body = await request.json()
     const validatedData = A2ASetPushNotificationSchema.parse(body)
 
+    const urlValidation = validateExternalUrl(validatedData.webhookUrl, 'Webhook URL')
+    if (!urlValidation.isValid) {
+      logger.warn(`[${requestId}] Invalid webhook URL`, { error: urlValidation.error })
+      return NextResponse.json(
+        {
+          success: false,
+          error: urlValidation.error,
+        },
+        { status: 400 }
+      )
+    }
+
     logger.info(`[${requestId}] A2A set push notification request`, {
       agentUrl: validatedData.agentUrl,
       taskId: validatedData.taskId,

apps/sim/app/api/tools/mysql/delete/route.ts

@@ -2,6 +2,7 @@ import { randomUUID } from 'crypto'
 import { createLogger } from '@sim/logger'
 import { type NextRequest, NextResponse } from 'next/server'
 import { z } from 'zod'
+import { checkHybridAuth } from '@/lib/auth/hybrid'
 import { buildDeleteQuery, createMySQLConnection, executeQuery } from '@/app/api/tools/mysql/utils'
 
 const logger = createLogger('MySQLDeleteAPI')
@@ -21,6 +22,12 @@ export async function POST(request: NextRequest) {
   const requestId = randomUUID().slice(0, 8)
 
   try {
+    const auth = await checkHybridAuth(request)
+    if (!auth.success || !auth.userId) {
+      logger.warn(`[${requestId}] Unauthorized MySQL delete attempt`)
+      return NextResponse.json({ error: auth.error || 'Unauthorized' }, { status: 401 })
+    }
+
     const body = await request.json()
     const params = DeleteSchema.parse(body)
 

apps/sim/app/api/tools/mysql/execute/route.ts

@@ -2,6 +2,7 @@ import { randomUUID } from 'crypto'
 import { createLogger } from '@sim/logger'
 import { type NextRequest, NextResponse } from 'next/server'
 import { z } from 'zod'
+import { checkHybridAuth } from '@/lib/auth/hybrid'
 import { createMySQLConnection, executeQuery, validateQuery } from '@/app/api/tools/mysql/utils'
 
 const logger = createLogger('MySQLExecuteAPI')
@@ -20,6 +21,12 @@ export async function POST(request: NextRequest) {
   const requestId = randomUUID().slice(0, 8)
 
   try {
+    const auth = await checkHybridAuth(request)
+    if (!auth.success || !auth.userId) {
+      logger.warn(`[${requestId}] Unauthorized MySQL execute attempt`)
+      return NextResponse.json({ error: auth.error || 'Unauthorized' }, { status: 401 })
+    }
+
     const body = await request.json()
     const params = ExecuteSchema.parse(body)
 

apps/sim/app/api/tools/mysql/insert/route.ts

@@ -2,6 +2,7 @@ import { randomUUID } from 'crypto'
 import { createLogger } from '@sim/logger'
 import { type NextRequest, NextResponse } from 'next/server'
 import { z } from 'zod'
+import { checkHybridAuth } from '@/lib/auth/hybrid'
 import { buildInsertQuery, createMySQLConnection, executeQuery } from '@/app/api/tools/mysql/utils'
 
 const logger = createLogger('MySQLInsertAPI')
@@ -42,6 +43,12 @@ export async function POST(request: NextRequest) {
   const requestId = randomUUID().slice(0, 8)
 
   try {
+    const auth = await checkHybridAuth(request)
+    if (!auth.success || !auth.userId) {
+      logger.warn(`[${requestId}] Unauthorized MySQL insert attempt`)
+      return NextResponse.json({ error: auth.error || 'Unauthorized' }, { status: 401 })
+    }
+
     const body = await request.json()
     const params = InsertSchema.parse(body)
 

apps/sim/app/api/tools/mysql/introspect/route.ts

@@ -2,6 +2,7 @@ import { randomUUID } from 'crypto'
 import { createLogger } from '@sim/logger'
 import { type NextRequest, NextResponse } from 'next/server'
 import { z } from 'zod'
+import { checkHybridAuth } from '@/lib/auth/hybrid'
 import { createMySQLConnection, executeIntrospect } from '@/app/api/tools/mysql/utils'
 
 const logger = createLogger('MySQLIntrospectAPI')
@@ -19,6 +20,12 @@ export async function POST(request: NextRequest) {
   const requestId = randomUUID().slice(0, 8)
 
   try {
+    const auth = await checkHybridAuth(request)
+    if (!auth.success || !auth.userId) {
+      logger.warn(`[${requestId}] Unauthorized MySQL introspect attempt`)
+      return NextResponse.json({ error: auth.error || 'Unauthorized' }, { status: 401 })
+    }
+
     const body = await request.json()
     const params = IntrospectSchema.parse(body)
 

apps/sim/app/api/tools/mysql/query/route.ts

@@ -2,6 +2,7 @@ import { randomUUID } from 'crypto'
 import { createLogger } from '@sim/logger'
 import { type NextRequest, NextResponse } from 'next/server'
 import { z } from 'zod'
+import { checkHybridAuth } from '@/lib/auth/hybrid'
 import { createMySQLConnection, executeQuery, validateQuery } from '@/app/api/tools/mysql/utils'
 
 const logger = createLogger('MySQLQueryAPI')
@@ -20,6 +21,12 @@ export async function POST(request: NextRequest) {
   const requestId = randomUUID().slice(0, 8)
 
   try {
+    const auth = await checkHybridAuth(request)
+    if (!auth.success || !auth.userId) {
+      logger.warn(`[${requestId}] Unauthorized MySQL query attempt`)
+      return NextResponse.json({ error: auth.error || 'Unauthorized' }, { status: 401 })
+    }
+
     const body = await request.json()
     const params = QuerySchema.parse(body)
 

apps/sim/app/api/tools/mysql/update/route.ts

@@ -2,6 +2,7 @@ import { randomUUID } from 'crypto'
 import { createLogger } from '@sim/logger'
 import { type NextRequest, NextResponse } from 'next/server'
 import { z } from 'zod'
+import { checkHybridAuth } from '@/lib/auth/hybrid'
 import { buildUpdateQuery, createMySQLConnection, executeQuery } from '@/app/api/tools/mysql/utils'
 
 const logger = createLogger('MySQLUpdateAPI')
@@ -40,6 +41,12 @@ export async function POST(request: NextRequest) {
   const requestId = randomUUID().slice(0, 8)
 
   try {
+    const auth = await checkHybridAuth(request)
+    if (!auth.success || !auth.userId) {
+      logger.warn(`[${requestId}] Unauthorized MySQL update attempt`)
+      return NextResponse.json({ error: auth.error || 'Unauthorized' }, { status: 401 })
+    }
+
     const body = await request.json()
     const params = UpdateSchema.parse(body)
 

apps/sim/app/api/tools/postgresql/delete/route.ts

@@ -2,6 +2,7 @@ import { randomUUID } from 'crypto'
 import { createLogger } from '@sim/logger'
 import { type NextRequest, NextResponse } from 'next/server'
 import { z } from 'zod'
+import { checkHybridAuth } from '@/lib/auth/hybrid'
 import { createPostgresConnection, executeDelete } from '@/app/api/tools/postgresql/utils'
 
 const logger = createLogger('PostgreSQLDeleteAPI')
@@ -21,6 +22,12 @@ export async function POST(request: NextRequest) {
   const requestId = randomUUID().slice(0, 8)
 
   try {
+    const auth = await checkHybridAuth(request)
+    if (!auth.success || !auth.userId) {
+      logger.warn(`[${requestId}] Unauthorized PostgreSQL delete attempt`)
+      return NextResponse.json({ error: auth.error || 'Unauthorized' }, { status: 401 })
+    }
+
     const body = await request.json()
     const params = DeleteSchema.parse(body)
 

apps/sim/app/api/tools/postgresql/execute/route.ts

@@ -2,6 +2,7 @@ import { randomUUID } from 'crypto'
 import { createLogger } from '@sim/logger'
 import { type NextRequest, NextResponse } from 'next/server'
 import { z } from 'zod'
+import { checkHybridAuth } from '@/lib/auth/hybrid'
 import {
   createPostgresConnection,
   executeQuery,
@@ -24,6 +25,12 @@ export async function POST(request: NextRequest) {
   const requestId = randomUUID().slice(0, 8)
 
   try {
+    const auth = await checkHybridAuth(request)
+    if (!auth.success || !auth.userId) {
+      logger.warn(`[${requestId}] Unauthorized PostgreSQL execute attempt`)
+      return NextResponse.json({ error: auth.error || 'Unauthorized' }, { status: 401 })
+    }
+
     const body = await request.json()
     const params = ExecuteSchema.parse(body)
 

apps/sim/app/api/tools/postgresql/insert/route.ts

@@ -2,6 +2,7 @@ import { randomUUID } from 'crypto'
 import { createLogger } from '@sim/logger'
 import { type NextRequest, NextResponse } from 'next/server'
 import { z } from 'zod'
+import { checkHybridAuth } from '@/lib/auth/hybrid'
 import { createPostgresConnection, executeInsert } from '@/app/api/tools/postgresql/utils'
 
 const logger = createLogger('PostgreSQLInsertAPI')
@@ -42,6 +43,12 @@ export async function POST(request: NextRequest) {
   const requestId = randomUUID().slice(0, 8)
 
   try {
+    const auth = await checkHybridAuth(request)
+    if (!auth.success || !auth.userId) {
+      logger.warn(`[${requestId}] Unauthorized PostgreSQL insert attempt`)
+      return NextResponse.json({ error: auth.error || 'Unauthorized' }, { status: 401 })
+    }
+
     const body = await request.json()
 
     const params = InsertSchema.parse(body)

apps/sim/app/api/tools/postgresql/introspect/route.ts

@@ -2,6 +2,7 @@ import { randomUUID } from 'crypto'
 import { createLogger } from '@sim/logger'
 import { type NextRequest, NextResponse } from 'next/server'
 import { z } from 'zod'
+import { checkHybridAuth } from '@/lib/auth/hybrid'
 import { createPostgresConnection, executeIntrospect } from '@/app/api/tools/postgresql/utils'
 
 const logger = createLogger('PostgreSQLIntrospectAPI')
@@ -20,6 +21,12 @@ export async function POST(request: NextRequest) {
   const requestId = randomUUID().slice(0, 8)
 
   try {
+    const auth = await checkHybridAuth(request)
+    if (!auth.success || !auth.userId) {
+      logger.warn(`[${requestId}] Unauthorized PostgreSQL introspect attempt`)
+      return NextResponse.json({ error: auth.error || 'Unauthorized' }, { status: 401 })
+    }
+
     const body = await request.json()
     const params = IntrospectSchema.parse(body)
 

apps/sim/app/api/tools/postgresql/query/route.ts

@@ -2,6 +2,7 @@ import { randomUUID } from 'crypto'
 import { createLogger } from '@sim/logger'
 import { type NextRequest, NextResponse } from 'next/server'
 import { z } from 'zod'
+import { checkHybridAuth } from '@/lib/auth/hybrid'
 import { createPostgresConnection, executeQuery } from '@/app/api/tools/postgresql/utils'
 
 const logger = createLogger('PostgreSQLQueryAPI')
@@ -20,6 +21,12 @@ export async function POST(request: NextRequest) {
   const requestId = randomUUID().slice(0, 8)
 
   try {
+    const auth = await checkHybridAuth(request)
+    if (!auth.success || !auth.userId) {
+      logger.warn(`[${requestId}] Unauthorized PostgreSQL query attempt`)
+      return NextResponse.json({ error: auth.error || 'Unauthorized' }, { status: 401 })
+    }
+
     const body = await request.json()
     const params = QuerySchema.parse(body)
 

apps/sim/app/api/tools/postgresql/update/route.ts

@@ -2,6 +2,7 @@ import { randomUUID } from 'crypto'
 import { createLogger } from '@sim/logger'
 import { type NextRequest, NextResponse } from 'next/server'
 import { z } from 'zod'
+import { checkHybridAuth } from '@/lib/auth/hybrid'
 import { createPostgresConnection, executeUpdate } from '@/app/api/tools/postgresql/utils'
 
 const logger = createLogger('PostgreSQLUpdateAPI')
@@ -40,6 +41,12 @@ export async function POST(request: NextRequest) {
   const requestId = randomUUID().slice(0, 8)
 
   try {
+    const auth = await checkHybridAuth(request)
+    if (!auth.success || !auth.userId) {
+      logger.warn(`[${requestId}] Unauthorized PostgreSQL update attempt`)
+      return NextResponse.json({ error: auth.error || 'Unauthorized' }, { status: 401 })
+    }
+
     const body = await request.json()
     const params = UpdateSchema.parse(body)
 

apps/sim/app/api/tools/ssh/check-command-exists/route.ts

@@ -2,6 +2,7 @@ import { randomUUID } from 'crypto'
 import { createLogger } from '@sim/logger'
 import { type NextRequest, NextResponse } from 'next/server'
 import { z } from 'zod'
+import { checkHybridAuth } from '@/lib/auth/hybrid'
 import { createSSHConnection, escapeShellArg, executeSSHCommand } from '@/app/api/tools/ssh/utils'
 
 const logger = createLogger('SSHCheckCommandExistsAPI')
@@ -20,6 +21,12 @@ export async function POST(request: NextRequest) {
   const requestId = randomUUID().slice(0, 8)
 
   try {
+    const auth = await checkHybridAuth(request)
+    if (!auth.success || !auth.userId) {
+      logger.warn(`[${requestId}] Unauthorized SSH check command exists attempt`)
+      return NextResponse.json({ error: auth.error || 'Unauthorized' }, { status: 401 })
+    }
+
     const body = await request.json()
     const params = CheckCommandExistsSchema.parse(body)
 

apps/sim/app/api/tools/ssh/check-file-exists/route.ts

@@ -3,6 +3,7 @@ import { createLogger } from '@sim/logger'
 import { type NextRequest, NextResponse } from 'next/server'
 import type { Client, SFTPWrapper, Stats } from 'ssh2'
 import { z } from 'zod'
+import { checkHybridAuth } from '@/lib/auth/hybrid'
 import {
   createSSHConnection,
   getFileType,
@@ -39,10 +40,15 @@ export async function POST(request: NextRequest) {
   const requestId = randomUUID().slice(0, 8)
 
   try {
+    const auth = await checkHybridAuth(request)
+    if (!auth.success || !auth.userId) {
+      logger.warn(`[${requestId}] Unauthorized SSH check file exists attempt`)
+      return NextResponse.json({ error: auth.error || 'Unauthorized' }, { status: 401 })
+    }
+
     const body = await request.json()
     const params = CheckFileExistsSchema.parse(body)
 
-    // Validate authentication
     if (!params.password && !params.privateKey) {
       return NextResponse.json(
         { error: 'Either password or privateKey must be provided' },

apps/sim/app/api/tools/ssh/create-directory/route.ts

@@ -2,6 +2,7 @@ import { randomUUID } from 'crypto'
 import { createLogger } from '@sim/logger'
 import { type NextRequest, NextResponse } from 'next/server'
 import { z } from 'zod'
+import { checkHybridAuth } from '@/lib/auth/hybrid'
 import {
   createSSHConnection,
   escapeShellArg,
@@ -27,10 +28,15 @@ export async function POST(request: NextRequest) {
   const requestId = randomUUID().slice(0, 8)
 
   try {
+    const auth = await checkHybridAuth(request)
+    if (!auth.success || !auth.userId) {
+      logger.warn(`[${requestId}] Unauthorized SSH create directory attempt`)
+      return NextResponse.json({ error: auth.error || 'Unauthorized' }, { status: 401 })
+    }
+
     const body = await request.json()
     const params = CreateDirectorySchema.parse(body)
 
-    // Validate authentication
     if (!params.password && !params.privateKey) {
       return NextResponse.json(
         { error: 'Either password or privateKey must be provided' },
@@ -53,7 +59,6 @@ export async function POST(request: NextRequest) {
       const dirPath = sanitizePath(params.path)
       const escapedPath = escapeShellArg(dirPath)
 
-      // Check if directory already exists
       const checkResult = await executeSSHCommand(
         client,
         `test -d '${escapedPath}' && echo "exists"`
@@ -70,7 +75,6 @@ export async function POST(request: NextRequest) {
         })
       }
 
-      // Create directory
       const mkdirFlag = params.recursive ? '-p' : ''
       const command = `mkdir ${mkdirFlag} -m ${params.permissions} '${escapedPath}'`
       const result = await executeSSHCommand(client, command)

apps/sim/app/api/tools/ssh/delete-file/route.ts

@@ -2,6 +2,7 @@ import { randomUUID } from 'crypto'
 import { createLogger } from '@sim/logger'
 import { type NextRequest, NextResponse } from 'next/server'
 import { z } from 'zod'
+import { checkHybridAuth } from '@/lib/auth/hybrid'
 import {
   createSSHConnection,
   escapeShellArg,
@@ -27,10 +28,15 @@ export async function POST(request: NextRequest) {
   const requestId = randomUUID().slice(0, 8)
 
   try {
+    const auth = await checkHybridAuth(request)
+    if (!auth.success || !auth.userId) {
+      logger.warn(`[${requestId}] Unauthorized SSH delete file attempt`)
+      return NextResponse.json({ error: auth.error || 'Unauthorized' }, { status: 401 })
+    }
+
     const body = await request.json()
     const params = DeleteFileSchema.parse(body)
 
-    // Validate authentication
     if (!params.password && !params.privateKey) {
       return NextResponse.json(
         { error: 'Either password or privateKey must be provided' },
@@ -53,7 +59,6 @@ export async function POST(request: NextRequest) {
       const filePath = sanitizePath(params.path)
       const escapedPath = escapeShellArg(filePath)
 
-      // Check if path exists
       const checkResult = await executeSSHCommand(
         client,
         `test -e '${escapedPath}' && echo "exists"`
@@ -62,7 +67,6 @@ export async function POST(request: NextRequest) {
         return NextResponse.json({ error: `Path does not exist: ${filePath}` }, { status: 404 })
       }
 
-      // Build delete command
       let command: string
       if (params.recursive) {
         command = params.force ? `rm -rf '${escapedPath}'` : `rm -r '${escapedPath}'`

apps/sim/app/api/tools/ssh/download-file/route.ts

@@ -4,6 +4,7 @@ import { createLogger } from '@sim/logger'
 import { type NextRequest, NextResponse } from 'next/server'
 import type { Client, SFTPWrapper } from 'ssh2'
 import { z } from 'zod'
+import { checkHybridAuth } from '@/lib/auth/hybrid'
 import { createSSHConnection, sanitizePath } from '@/app/api/tools/ssh/utils'
 
 const logger = createLogger('SSHDownloadFileAPI')
@@ -34,10 +35,15 @@ export async function POST(request: NextRequest) {
   const requestId = randomUUID().slice(0, 8)
 
   try {
+    const auth = await checkHybridAuth(request)
+    if (!auth.success || !auth.userId) {
+      logger.warn(`[${requestId}] Unauthorized SSH download file attempt`)
+      return NextResponse.json({ error: auth.error || 'Unauthorized' }, { status: 401 })
+    }
+
     const body = await request.json()
     const params = DownloadFileSchema.parse(body)
 
-    // Validate authentication
     if (!params.password && !params.privateKey) {
       return NextResponse.json(
         { error: 'Either password or privateKey must be provided' },

apps/sim/app/api/tools/ssh/execute-command/route.ts

@@ -2,6 +2,7 @@ import { randomUUID } from 'crypto'
 import { createLogger } from '@sim/logger'
 import { type NextRequest, NextResponse } from 'next/server'
 import { z } from 'zod'
+import { checkHybridAuth } from '@/lib/auth/hybrid'
 import { createSSHConnection, executeSSHCommand, sanitizeCommand } from '@/app/api/tools/ssh/utils'
 
 const logger = createLogger('SSHExecuteCommandAPI')
@@ -21,10 +22,15 @@ export async function POST(request: NextRequest) {
   const requestId = randomUUID().slice(0, 8)
 
   try {
+    const auth = await checkHybridAuth(request)
+    if (!auth.success || !auth.userId) {
+      logger.warn(`[${requestId}] Unauthorized SSH execute command attempt`)
+      return NextResponse.json({ error: auth.error || 'Unauthorized' }, { status: 401 })
+    }
+
     const body = await request.json()
     const params = ExecuteCommandSchema.parse(body)
 
-    // Validate authentication
     if (!params.password && !params.privateKey) {
       return NextResponse.json(
         { error: 'Either password or privateKey must be provided' },
@@ -44,7 +50,6 @@ export async function POST(request: NextRequest) {
     })
 
     try {
-      // Build command with optional working directory
       let command = sanitizeCommand(params.command)
       if (params.workingDirectory) {
         command = `cd "${params.workingDirectory}" && ${command}`

apps/sim/app/api/tools/ssh/execute-script/route.ts

@@ -2,6 +2,7 @@ import { randomUUID } from 'crypto'
 import { createLogger } from '@sim/logger'
 import { type NextRequest, NextResponse } from 'next/server'
 import { z } from 'zod'
+import { checkHybridAuth } from '@/lib/auth/hybrid'
 import { createSSHConnection, escapeShellArg, executeSSHCommand } from '@/app/api/tools/ssh/utils'
 
 const logger = createLogger('SSHExecuteScriptAPI')
@@ -22,10 +23,15 @@ export async function POST(request: NextRequest) {
   const requestId = randomUUID().slice(0, 8)
 
   try {
+    const auth = await checkHybridAuth(request)
+    if (!auth.success || !auth.userId) {
+      logger.warn(`[${requestId}] Unauthorized SSH execute script attempt`)
+      return NextResponse.json({ error: auth.error || 'Unauthorized' }, { status: 401 })
+    }
+
     const body = await request.json()
     const params = ExecuteScriptSchema.parse(body)
 
-    // Validate authentication
     if (!params.password && !params.privateKey) {
       return NextResponse.json(
         { error: 'Either password or privateKey must be provided' },
@@ -45,13 +51,10 @@ export async function POST(request: NextRequest) {
     })
 
     try {
-      // Create a temporary script file, execute it, and clean up
       const scriptPath = `/tmp/sim_script_${requestId}.sh`
       const escapedScriptPath = escapeShellArg(scriptPath)
       const escapedInterpreter = escapeShellArg(params.interpreter)
 
-      // Build the command to create, execute, and clean up the script
-      // Note: heredoc with quoted delimiter ('SIMEOF') prevents variable expansion
       let command = `cat > '${escapedScriptPath}' << 'SIMEOF'
 ${params.script}
 SIMEOF

apps/sim/app/api/tools/ssh/get-system-info/route.ts

@@ -2,6 +2,7 @@ import { randomUUID } from 'crypto'
 import { createLogger } from '@sim/logger'
 import { type NextRequest, NextResponse } from 'next/server'
 import { z } from 'zod'
+import { checkHybridAuth } from '@/lib/auth/hybrid'
 import { createSSHConnection, executeSSHCommand } from '@/app/api/tools/ssh/utils'
 
 const logger = createLogger('SSHGetSystemInfoAPI')
@@ -19,10 +20,15 @@ export async function POST(request: NextRequest) {
   const requestId = randomUUID().slice(0, 8)
 
   try {
+    const auth = await checkHybridAuth(request)
+    if (!auth.success || !auth.userId) {
+      logger.warn(`[${requestId}] Unauthorized SSH get system info attempt`)
+      return NextResponse.json({ error: auth.error || 'Unauthorized' }, { status: 401 })
+    }
+
     const body = await request.json()
     const params = GetSystemInfoSchema.parse(body)
 
-    // Validate authentication
     if (!params.password && !params.privateKey) {
       return NextResponse.json(
         { error: 'Either password or privateKey must be provided' },

apps/sim/app/api/tools/ssh/list-directory/route.ts

@@ -3,6 +3,7 @@ import { createLogger } from '@sim/logger'
 import { type NextRequest, NextResponse } from 'next/server'
 import type { Client, FileEntry, SFTPWrapper } from 'ssh2'
 import { z } from 'zod'
+import { checkHybridAuth } from '@/lib/auth/hybrid'
 import {
   createSSHConnection,
   getFileType,
@@ -60,10 +61,15 @@ export async function POST(request: NextRequest) {
   const requestId = randomUUID().slice(0, 8)
 
   try {
+    const auth = await checkHybridAuth(request)
+    if (!auth.success || !auth.userId) {
+      logger.warn(`[${requestId}] Unauthorized SSH list directory attempt`)
+      return NextResponse.json({ error: auth.error || 'Unauthorized' }, { status: 401 })
+    }
+
     const body = await request.json()
     const params = ListDirectorySchema.parse(body)
 
-    // Validate authentication
     if (!params.password && !params.privateKey) {
       return NextResponse.json(
         { error: 'Either password or privateKey must be provided' },

apps/sim/app/api/tools/ssh/move-rename/route.ts

@@ -2,6 +2,7 @@ import { randomUUID } from 'crypto'
 import { createLogger } from '@sim/logger'
 import { type NextRequest, NextResponse } from 'next/server'
 import { z } from 'zod'
+import { checkHybridAuth } from '@/lib/auth/hybrid'
 import {
   createSSHConnection,
   escapeShellArg,
@@ -27,9 +28,16 @@ export async function POST(request: NextRequest) {
   const requestId = randomUUID().slice(0, 8)
 
   try {
+    const auth = await checkHybridAuth(request)
+    if (!auth.success || !auth.userId) {
+      logger.warn(`[${requestId}] Unauthorized SSH move/rename attempt`)
+      return NextResponse.json({ error: auth.error || 'Unauthorized' }, { status: 401 })
+    }
+
     const body = await request.json()
     const params = MoveRenameSchema.parse(body)
 
+    // Validate SSH authentication
     if (!params.password && !params.privateKey) {
       return NextResponse.json(
         { error: 'Either password or privateKey must be provided' },

apps/sim/app/api/tools/ssh/read-file-content/route.ts

@@ -3,6 +3,7 @@ import { createLogger } from '@sim/logger'
 import { type NextRequest, NextResponse } from 'next/server'
 import type { Client, SFTPWrapper } from 'ssh2'
 import { z } from 'zod'
+import { checkHybridAuth } from '@/lib/auth/hybrid'
 import { createSSHConnection, sanitizePath } from '@/app/api/tools/ssh/utils'
 
 const logger = createLogger('SSHReadFileContentAPI')
@@ -35,6 +36,12 @@ export async function POST(request: NextRequest) {
   const requestId = randomUUID().slice(0, 8)
 
   try {
+    const auth = await checkHybridAuth(request)
+    if (!auth.success || !auth.userId) {
+      logger.warn(`[${requestId}] Unauthorized SSH read file content attempt`)
+      return NextResponse.json({ error: auth.error || 'Unauthorized' }, { status: 401 })
+    }
+
     const body = await request.json()
     const params = ReadFileContentSchema.parse(body)
 

apps/sim/app/api/tools/ssh/upload-file/route.ts

@@ -3,6 +3,7 @@ import { createLogger } from '@sim/logger'
 import { type NextRequest, NextResponse } from 'next/server'
 import type { Client, SFTPWrapper } from 'ssh2'
 import { z } from 'zod'
+import { checkHybridAuth } from '@/lib/auth/hybrid'
 import { createSSHConnection, sanitizePath } from '@/app/api/tools/ssh/utils'
 
 const logger = createLogger('SSHUploadFileAPI')
@@ -37,6 +38,12 @@ export async function POST(request: NextRequest) {
   const requestId = randomUUID().slice(0, 8)
 
   try {
+    const auth = await checkHybridAuth(request)
+    if (!auth.success || !auth.userId) {
+      logger.warn(`[${requestId}] Unauthorized SSH upload file attempt`)
+      return NextResponse.json({ error: auth.error || 'Unauthorized' }, { status: 401 })
+    }
+
     const body = await request.json()
     const params = UploadFileSchema.parse(body)
 

apps/sim/app/api/tools/ssh/write-file-content/route.ts

@@ -3,6 +3,7 @@ import { createLogger } from '@sim/logger'
 import { type NextRequest, NextResponse } from 'next/server'
 import type { Client, SFTPWrapper } from 'ssh2'
 import { z } from 'zod'
+import { checkHybridAuth } from '@/lib/auth/hybrid'
 import { createSSHConnection, sanitizePath } from '@/app/api/tools/ssh/utils'
 
 const logger = createLogger('SSHWriteFileContentAPI')
@@ -36,10 +37,15 @@ export async function POST(request: NextRequest) {
   const requestId = randomUUID().slice(0, 8)
 
   try {
+    const auth = await checkHybridAuth(request)
+    if (!auth.success || !auth.userId) {
+      logger.warn(`[${requestId}] Unauthorized SSH write file content attempt`)
+      return NextResponse.json({ error: auth.error || 'Unauthorized' }, { status: 401 })
+    }
+
     const body = await request.json()
     const params = WriteFileContentSchema.parse(body)
 
-    // Validate authentication
     if (!params.password && !params.privateKey) {
       return NextResponse.json(
         { error: 'Either password or privateKey must be provided' },

apps/sim/app/api/webhooks/[id]/route.ts

@@ -7,6 +7,7 @@ import { getSession } from '@/lib/auth'
 import { validateInteger } from '@/lib/core/security/input-validation'
 import { PlatformEvents } from '@/lib/core/telemetry'
 import { generateRequestId } from '@/lib/core/utils/request'
+import { resolveEnvVarsInObject } from '@/lib/webhooks/env-resolver'
 import {
   cleanupExternalWebhook,
   createExternalWebhookSubscription,
@@ -112,9 +113,9 @@ export async function PATCH(request: NextRequest, { params }: { params: Promise<
       }
     }
 
+    const originalProviderConfig = providerConfig
     let resolvedProviderConfig = providerConfig
     if (providerConfig) {
-      const { resolveEnvVarsInObject } = await import('@/lib/webhooks/env-resolver')
       const webhookDataForResolve = await db
         .select({
           workspaceId: workflow.workspaceId,
@@ -230,19 +231,23 @@ export async function PATCH(request: NextRequest, { params }: { params: Promise<
       hasFailedCountUpdate: failedCount !== undefined,
     })
 
-    // Merge providerConfig to preserve credential-related fields
     let finalProviderConfig = webhooks[0].webhook.providerConfig
-    if (providerConfig !== undefined) {
+    if (providerConfig !== undefined && originalProviderConfig) {
       const existingConfig = existingProviderConfig
       finalProviderConfig = {
-        ...nextProviderConfig,
+        ...originalProviderConfig,
         credentialId: existingConfig.credentialId,
         credentialSetId: existingConfig.credentialSetId,
         userId: existingConfig.userId,
         historyId: existingConfig.historyId,
         lastCheckedTimestamp: existingConfig.lastCheckedTimestamp,
         setupCompleted: existingConfig.setupCompleted,
-        externalId: nextProviderConfig.externalId ?? existingConfig.externalId,
+        externalId: existingConfig.externalId,
+      }
+      for (const [key, value] of Object.entries(nextProviderConfig)) {
+        if (!(key in originalProviderConfig)) {
+          ;(finalProviderConfig as Record<string, unknown>)[key] = value
+        }
       }
     }
 

apps/sim/app/api/webhooks/route.ts

@@ -7,6 +7,7 @@ import { type NextRequest, NextResponse } from 'next/server'
 import { getSession } from '@/lib/auth'
 import { PlatformEvents } from '@/lib/core/telemetry'
 import { generateRequestId } from '@/lib/core/utils/request'
+import { resolveEnvVarsInObject } from '@/lib/webhooks/env-resolver'
 import { createExternalWebhookSubscription } from '@/lib/webhooks/provider-subscriptions'
 import { getUserEntityPermissions } from '@/lib/workspaces/permissions/utils'
 
@@ -298,14 +299,10 @@ export async function POST(request: NextRequest) {
       }
     }
 
-    let savedWebhook: any = null // Variable to hold the result of save/update
-
-    // Use the original provider config - Gmail/Outlook configuration functions will inject userId automatically
-    const finalProviderConfig = providerConfig || {}
-
-    const { resolveEnvVarsInObject } = await import('@/lib/webhooks/env-resolver')
+    let savedWebhook: any = null
+    const originalProviderConfig = providerConfig || {}
     let resolvedProviderConfig = await resolveEnvVarsInObject(
-      finalProviderConfig,
+      originalProviderConfig,
       userId,
       workflowRecord.workspaceId || undefined
     )
@@ -469,6 +466,8 @@ export async function POST(request: NextRequest) {
       providerConfig: providerConfigOverride,
     })
 
+    const configToSave = { ...originalProviderConfig }
+
     try {
       const result = await createExternalWebhookSubscription(
         request,
@@ -477,7 +476,13 @@ export async function POST(request: NextRequest) {
         userId,
         requestId
       )
-      resolvedProviderConfig = result.updatedProviderConfig as Record<string, unknown>
+      const updatedConfig = result.updatedProviderConfig as Record<string, unknown>
+      for (const [key, value] of Object.entries(updatedConfig)) {
+        if (!(key in originalProviderConfig)) {
+          configToSave[key] = value
+        }
+      }
+      resolvedProviderConfig = updatedConfig
       externalSubscriptionCreated = result.externalSubscriptionCreated
     } catch (err) {
       logger.error(`[${requestId}] Error creating external webhook subscription`, err)
@@ -490,25 +495,22 @@ export async function POST(request: NextRequest) {
       )
     }
 
-    // Now save to database (only if subscription succeeded or provider doesn't need external subscription)
     try {
       if (targetWebhookId) {
         logger.info(`[${requestId}] Updating existing webhook for path: ${finalPath}`, {
           webhookId: targetWebhookId,
           provider,
-          hasCredentialId: !!(resolvedProviderConfig as any)?.credentialId,
-          credentialId: (resolvedProviderConfig as any)?.credentialId,
+          hasCredentialId: !!(configToSave as any)?.credentialId,
+          credentialId: (configToSave as any)?.credentialId,
         })
         const updatedResult = await db
           .update(webhook)
           .set({
             blockId,
             provider,
-            providerConfig: resolvedProviderConfig,
+            providerConfig: configToSave,
             credentialSetId:
-              ((resolvedProviderConfig as Record<string, unknown>)?.credentialSetId as
-                | string
-                | null) || null,
+              ((configToSave as Record<string, unknown>)?.credentialSetId as string | null) || null,
             isActive: true,
             updatedAt: new Date(),
           })
@@ -531,11 +533,9 @@ export async function POST(request: NextRequest) {
             blockId,
             path: finalPath,
             provider,
-            providerConfig: resolvedProviderConfig,
+            providerConfig: configToSave,
             credentialSetId:
-              ((resolvedProviderConfig as Record<string, unknown>)?.credentialSetId as
-                | string
-                | null) || null,
+              ((configToSave as Record<string, unknown>)?.credentialSetId as string | null) || null,
             isActive: true,
             createdAt: new Date(),
             updatedAt: new Date(),
@@ -549,7 +549,7 @@ export async function POST(request: NextRequest) {
         try {
           const { cleanupExternalWebhook } = await import('@/lib/webhooks/provider-subscriptions')
           await cleanupExternalWebhook(
-            createTempWebhookData(resolvedProviderConfig),
+            createTempWebhookData(configToSave),
             workflowRecord,
             requestId
           )

apps/sim/app/api/workflows/[id]/execute/route.ts

@@ -116,7 +116,6 @@ type AsyncExecutionParams = {
   userId: string
   input: any
   triggerType: CoreTriggerType
-  preflighted?: boolean
 }
 
 /**
@@ -139,7 +138,6 @@ async function handleAsyncExecution(params: AsyncExecutionParams): Promise<NextR
     userId,
     input,
     triggerType,
-    preflighted: params.preflighted,
   }
 
   try {
@@ -276,7 +274,6 @@ export async function POST(req: NextRequest, { params }: { params: Promise<{ id:
       requestId
     )
 
-    const shouldPreflightEnvVars = isAsyncMode && isTriggerDevEnabled
     const preprocessResult = await preprocessExecution({
       workflowId,
       userId,
@@ -285,9 +282,7 @@ export async function POST(req: NextRequest, { params }: { params: Promise<{ id:
       requestId,
       checkDeployment: !shouldUseDraftState,
       loggingSession,
-      preflightEnvVars: shouldPreflightEnvVars,
       useDraftState: shouldUseDraftState,
-      envUserId: isClientSession ? userId : undefined,
     })
 
     if (!preprocessResult.success) {
@@ -319,7 +314,6 @@ export async function POST(req: NextRequest, { params }: { params: Promise<{ id:
         userId: actorUserId,
         input,
         triggerType: loggingTriggerType,
-        preflighted: shouldPreflightEnvVars,
       })
     }
 

apps/sim/app/workspace/[workspaceId]/logs/logs.tsx

@@ -94,7 +94,9 @@ export default function Logs() {
   const [previewLogId, setPreviewLogId] = useState<string | null>(null)
 
   const activeLogId = isPreviewOpen ? previewLogId : selectedLogId
-  const activeLogQuery = useLogDetail(activeLogId ?? undefined)
+  const activeLogQuery = useLogDetail(activeLogId ?? undefined, {
+    refetchInterval: isLive ? 3000 : false,
+  })
 
   const logFilters = useMemo(
     () => ({
@@ -113,7 +115,7 @@ export default function Logs() {
 
   const logsQuery = useLogsList(workspaceId, logFilters, {
     enabled: Boolean(workspaceId) && isInitialized.current,
-    refetchInterval: isLive ? 5000 : false,
+    refetchInterval: isLive ? 3000 : false,
   })
 
   const dashboardFilters = useMemo(
@@ -132,7 +134,7 @@ export default function Logs() {
 
   const dashboardStatsQuery = useDashboardStats(workspaceId, dashboardFilters, {
     enabled: Boolean(workspaceId) && isInitialized.current,
-    refetchInterval: isLive ? 5000 : false,
+    refetchInterval: isLive ? 3000 : false,
   })
 
   const logs = useMemo(() => {
@@ -160,12 +162,6 @@ export default function Logs() {
     }
   }, [debouncedSearchQuery, setStoreSearchQuery])
 
-  useEffect(() => {
-    if (!isLive || !selectedLogId) return
-    const interval = setInterval(() => activeLogQuery.refetch(), 5000)
-    return () => clearInterval(interval)
-  }, [isLive, selectedLogId, activeLogQuery])
-
   const handleLogClick = useCallback(
     (log: WorkflowLog) => {
       if (selectedLogId === log.id && isSidebarOpen) {
@@ -279,8 +275,11 @@ export default function Logs() {
       setIsVisuallyRefreshing(true)
       setTimeout(() => setIsVisuallyRefreshing(false), REFRESH_SPINNER_DURATION_MS)
       logsQuery.refetch()
+      if (selectedLogId) {
+        activeLogQuery.refetch()
+      }
     }
-  }, [isLive, logsQuery])
+  }, [isLive, logsQuery, activeLogQuery, selectedLogId])
 
   const prevIsFetchingRef = useRef(logsQuery.isFetching)
   useEffect(() => {

apps/sim/app/workspace/[workspaceId]/w/[workflowId]/components/panel/components/editor/components/sub-block/components/code/code.tsx

@@ -38,6 +38,7 @@ import type { GenerationType } from '@/blocks/types'
 import { normalizeName } from '@/executor/constants'
 import { createEnvVarPattern, createReferencePattern } from '@/executor/utils/reference-validation'
 import { useTagSelection } from '@/hooks/kb/use-tag-selection'
+import { createShouldHighlightEnvVar, useAvailableEnvVarKeys } from '@/hooks/use-available-env-vars'
 
 const logger = createLogger('Code')
 
@@ -88,21 +89,27 @@ interface CodePlaceholder {
 /**
  * Creates a syntax highlighter function with custom reference and environment variable highlighting.
  * @param effectiveLanguage - The language to use for syntax highlighting
- * @param shouldHighlightReference - Function to determine if a reference should be highlighted
+ * @param shouldHighlightReference - Function to determine if a block reference should be highlighted
+ * @param shouldHighlightEnvVar - Function to determine if an env var should be highlighted
  * @returns A function that highlights code with syntax and custom highlights
  */
 const createHighlightFunction = (
   effectiveLanguage: 'javascript' | 'python' | 'json',
-  shouldHighlightReference: (part: string) => boolean
+  shouldHighlightReference: (part: string) => boolean,
+  shouldHighlightEnvVar: (varName: string) => boolean
 ) => {
   return (codeToHighlight: string): string => {
     const placeholders: CodePlaceholder[] = []
     let processedCode = codeToHighlight
 
     processedCode = processedCode.replace(createEnvVarPattern(), (match) => {
-      const placeholder = `__ENV_VAR_${placeholders.length}__`
-      placeholders.push({ placeholder, original: match, type: 'env' })
-      return placeholder
+      const varName = match.slice(2, -2).trim()
+      if (shouldHighlightEnvVar(varName)) {
+        const placeholder = `__ENV_VAR_${placeholders.length}__`
+        placeholders.push({ placeholder, original: match, type: 'env' })
+        return placeholder
+      }
+      return match
     })
 
     processedCode = processedCode.replace(createReferencePattern(), (match) => {
@@ -212,6 +219,7 @@ export const Code = memo(function Code({
   const accessiblePrefixes = useAccessibleReferencePrefixes(blockId)
   const emitTagSelection = useTagSelection(blockId, subBlockId)
   const [languageValue] = useSubBlockValue<string>(blockId, 'language')
+  const availableEnvVars = useAvailableEnvVarKeys(workspaceId)
 
   const effectiveLanguage = (languageValue as 'javascript' | 'python' | 'json') || language
 
@@ -603,9 +611,15 @@ export const Code = memo(function Code({
     [generateCodeStream, isPromptVisible, isAiStreaming]
   )
 
+  const shouldHighlightEnvVar = useMemo(
+    () => createShouldHighlightEnvVar(availableEnvVars),
+    [availableEnvVars]
+  )
+
   const highlightCode = useMemo(
-    () => createHighlightFunction(effectiveLanguage, shouldHighlightReference),
-    [effectiveLanguage, shouldHighlightReference]
+    () =>
+      createHighlightFunction(effectiveLanguage, shouldHighlightReference, shouldHighlightEnvVar),
+    [effectiveLanguage, shouldHighlightReference, shouldHighlightEnvVar]
   )
 
   const handleValueChange = useCallback(

apps/sim/app/workspace/[workspaceId]/w/[workflowId]/components/panel/components/editor/components/sub-block/components/condition-input/condition-input.tsx

@@ -1,5 +1,5 @@
 import type { ReactElement } from 'react'
-import { useEffect, useRef, useState } from 'react'
+import { useEffect, useMemo, useRef, useState } from 'react'
 import { createLogger } from '@sim/logger'
 import { ChevronDown, ChevronsUpDown, ChevronUp, Plus } from 'lucide-react'
 import { useParams } from 'next/navigation'
@@ -35,6 +35,7 @@ import { useAccessibleReferencePrefixes } from '@/app/workspace/[workspaceId]/w/
 import { normalizeName } from '@/executor/constants'
 import { createEnvVarPattern, createReferencePattern } from '@/executor/utils/reference-validation'
 import { useTagSelection } from '@/hooks/kb/use-tag-selection'
+import { createShouldHighlightEnvVar, useAvailableEnvVarKeys } from '@/hooks/use-available-env-vars'
 import { useWorkflowStore } from '@/stores/workflows/workflow/store'
 
 const logger = createLogger('ConditionInput')
@@ -123,6 +124,11 @@ export function ConditionInput({
 
   const emitTagSelection = useTagSelection(blockId, subBlockId)
   const accessiblePrefixes = useAccessibleReferencePrefixes(blockId)
+  const availableEnvVars = useAvailableEnvVarKeys(workspaceId)
+  const shouldHighlightEnvVar = useMemo(
+    () => createShouldHighlightEnvVar(availableEnvVars),
+    [availableEnvVars]
+  )
 
   const containerRef = useRef<HTMLDivElement>(null)
   const inputRefs = useRef<Map<string, HTMLTextAreaElement>>(new Map())
@@ -1136,14 +1142,18 @@ export function ConditionInput({
                           let processedCode = codeToHighlight
 
                           processedCode = processedCode.replace(createEnvVarPattern(), (match) => {
-                            const placeholder = `__ENV_VAR_${placeholders.length}__`
-                            placeholders.push({
-                              placeholder,
-                              original: match,
-                              type: 'env',
-                              shouldHighlight: true,
-                            })
-                            return placeholder
+                            const varName = match.slice(2, -2).trim()
+                            if (shouldHighlightEnvVar(varName)) {
+                              const placeholder = `__ENV_VAR_${placeholders.length}__`
+                              placeholders.push({
+                                placeholder,
+                                original: match,
+                                type: 'env',
+                                shouldHighlight: true,
+                              })
+                              return placeholder
+                            }
+                            return match
                           })
 
                           processedCode = processedCode.replace(

apps/sim/app/workspace/[workspaceId]/w/[workflowId]/components/panel/components/editor/components/sub-block/components/formatted-text.tsx

@@ -7,6 +7,7 @@ import { createCombinedPattern } from '@/executor/utils/reference-validation'
 
 export interface HighlightContext {
   accessiblePrefixes?: Set<string>
+  availableEnvVars?: Set<string>
   highlightAll?: boolean
 }
 
@@ -43,9 +44,17 @@ export function formatDisplayText(text: string, context?: HighlightContext): Rea
     return false
   }
 
+  const shouldHighlightEnvVar = (varName: string): boolean => {
+    if (context?.highlightAll) {
+      return true
+    }
+    if (context?.availableEnvVars === undefined) {
+      return true
+    }
+    return context.availableEnvVars.has(varName)
+  }
+
   const nodes: ReactNode[] = []
-  // Match variable references without allowing nested brackets to prevent matching across references
-  // e.g., "<3. text <real.ref>" should match "<3" and "<real.ref>", not the whole string
   const regex = createCombinedPattern()
   let lastIndex = 0
   let key = 0
@@ -65,11 +74,16 @@ export function formatDisplayText(text: string, context?: HighlightContext): Rea
     }
 
     if (matchText.startsWith(REFERENCE.ENV_VAR_START)) {
-      nodes.push(
-        <span key={key++} className='text-[var(--brand-secondary)]'>
-          {matchText}
-        </span>
-      )
+      const varName = matchText.slice(2, -2).trim()
+      if (shouldHighlightEnvVar(varName)) {
+        nodes.push(
+          <span key={key++} className='text-[var(--brand-secondary)]'>
+            {matchText}
+          </span>
+        )
+      } else {
+        nodes.push(<span key={key++}>{matchText}</span>)
+      }
     } else {
       const split = splitReferenceSegment(matchText)
 

apps/sim/app/workspace/[workspaceId]/w/[workflowId]/components/panel/components/editor/components/sub-block/components/text/text.tsx

@@ -19,6 +19,9 @@ interface TextProps {
  * - Automatically detects and renders HTML content safely
  * - Applies prose styling for HTML content (links, code, lists, etc.)
  * - Falls back to plain text rendering for non-HTML content
+ *
+ * Note: This component renders trusted, internally-defined content only
+ * (e.g., trigger setup instructions). It is NOT used for user-generated content.
  */
 export function Text({ blockId, subBlockId, content, className }: TextProps) {
   const containsHtml = /<[^>]+>/.test(content)

apps/sim/app/workspace/[workspaceId]/w/[workflowId]/components/panel/components/editor/hooks/use-subflow-editor.ts

@@ -1,4 +1,5 @@
-import { useCallback, useRef, useState } from 'react'
+import { useCallback, useMemo, useRef, useState } from 'react'
+import { useParams } from 'next/navigation'
 import { highlight, languages } from '@/components/emcn'
 import {
   isLikelyReferenceSegment,
@@ -9,6 +10,7 @@ import { checkTagTrigger } from '@/app/workspace/[workspaceId]/w/[workflowId]/co
 import { useAccessibleReferencePrefixes } from '@/app/workspace/[workspaceId]/w/[workflowId]/hooks/use-accessible-reference-prefixes'
 import { normalizeName, REFERENCE } from '@/executor/constants'
 import { createEnvVarPattern, createReferencePattern } from '@/executor/utils/reference-validation'
+import { createShouldHighlightEnvVar, useAvailableEnvVarKeys } from '@/hooks/use-available-env-vars'
 import { useCollaborativeWorkflow } from '@/hooks/use-collaborative-workflow'
 import { useWorkflowStore } from '@/stores/workflows/workflow/store'
 import type { BlockState } from '@/stores/workflows/workflow/types'
@@ -53,6 +55,9 @@ const SUBFLOW_CONFIG = {
  * @returns Subflow editor state and handlers
  */
 export function useSubflowEditor(currentBlock: BlockState | null, currentBlockId: string | null) {
+  const params = useParams()
+  const workspaceId = params.workspaceId as string
+
   const textareaRef = useRef<HTMLTextAreaElement | null>(null)
   const editorContainerRef = useRef<HTMLDivElement>(null)
 
@@ -81,6 +86,13 @@ export function useSubflowEditor(currentBlock: BlockState | null, currentBlockId
   // Get accessible prefixes for tag dropdown
   const accessiblePrefixes = useAccessibleReferencePrefixes(currentBlockId || '')
 
+  // Get available env vars for highlighting validation
+  const availableEnvVars = useAvailableEnvVarKeys(workspaceId)
+  const shouldHighlightEnvVar = useMemo(
+    () => createShouldHighlightEnvVar(availableEnvVars),
+    [availableEnvVars]
+  )
+
   // Collaborative actions
   const {
     collaborativeUpdateLoopType,
@@ -140,9 +152,13 @@ export function useSubflowEditor(currentBlock: BlockState | null, currentBlockId
       let processedCode = code
 
       processedCode = processedCode.replace(createEnvVarPattern(), (match) => {
-        const placeholder = `__ENV_VAR_${placeholders.length}__`
-        placeholders.push({ placeholder, original: match, type: 'env' })
-        return placeholder
+        const varName = match.slice(2, -2).trim()
+        if (shouldHighlightEnvVar(varName)) {
+          const placeholder = `__ENV_VAR_${placeholders.length}__`
+          placeholders.push({ placeholder, original: match, type: 'env' })
+          return placeholder
+        }
+        return match
       })
 
       // Use [^<>]+ to prevent matching across nested brackets (e.g., "<3 <real.ref>" should match separately)
@@ -174,7 +190,7 @@ export function useSubflowEditor(currentBlock: BlockState | null, currentBlockId
 
       return highlightedCode
     },
-    [shouldHighlightReference]
+    [shouldHighlightReference, shouldHighlightEnvVar]
   )
 
   /**

apps/sim/app/workspace/[workspaceId]/w/[workflowId]/components/workflow-block/workflow-block.tsx

@@ -7,7 +7,7 @@ import { useStoreWithEqualityFn } from 'zustand/traditional'
 import { Badge, Tooltip } from '@/components/emcn'
 import { cn } from '@/lib/core/utils/cn'
 import { getBaseUrl } from '@/lib/core/utils/urls'
-import { createMcpToolId } from '@/lib/mcp/utils'
+import { createMcpToolId } from '@/lib/mcp/shared'
 import { getProviderIdFromServiceId } from '@/lib/oauth'
 import { BLOCK_DIMENSIONS, HANDLE_POSITIONS } from '@/lib/workflows/blocks/block-dimensions'
 import {

apps/sim/app/workspace/[workspaceId]/w/components/sidebar/components/search-modal/search-modal.tsx

@@ -448,7 +448,7 @@ export const SearchModal = memo(function SearchModal({
   }, [workspaces, workflows, pages, blocks, triggers, tools, toolOperations, docs])
 
   const sectionOrder = useMemo<SearchItem['type'][]>(
-    () => ['block', 'tool', 'tool-operation', 'trigger', 'workflow', 'workspace', 'page', 'doc'],
+    () => ['block', 'tool', 'trigger', 'doc', 'tool-operation', 'workflow', 'workspace', 'page'],
     []
   )
 

apps/sim/app/workspace/[workspaceId]/w/components/sidebar/components/search-modal/search-utils.ts

@@ -102,6 +102,47 @@ function calculateAliasScore(
   return { score: 0, matchType: null }
 }
 
+/**
+ * Calculate multi-word match score
+ * Each word in the query must appear somewhere in the field
+ * Returns a score based on how well the words match
+ */
+function calculateMultiWordScore(
+  queryWords: string[],
+  field: string
+): { score: number; matchType: 'word-boundary' | 'substring' | null } {
+  const normalizedField = field.toLowerCase().trim()
+  const fieldWords = normalizedField.split(/[\s\-_/:]+/)
+
+  let allWordsMatch = true
+  let totalScore = 0
+  let hasWordBoundary = false
+
+  for (const queryWord of queryWords) {
+    const wordBoundaryMatch = fieldWords.some((fw) => fw.startsWith(queryWord))
+    const substringMatch = normalizedField.includes(queryWord)
+
+    if (wordBoundaryMatch) {
+      totalScore += SCORE_WORD_BOUNDARY
+      hasWordBoundary = true
+    } else if (substringMatch) {
+      totalScore += SCORE_SUBSTRING_MATCH
+    } else {
+      allWordsMatch = false
+      break
+    }
+  }
+
+  if (!allWordsMatch) {
+    return { score: 0, matchType: null }
+  }
+
+  return {
+    score: totalScore / queryWords.length,
+    matchType: hasWordBoundary ? 'word-boundary' : 'substring',
+  }
+}
+
 /**
  * Search items using tiered matching algorithm
  * Returns items sorted by relevance (highest score first)
@@ -117,6 +158,8 @@ export function searchItems<T extends SearchableItem>(
   }
 
   const results: SearchResult<T>[] = []
+  const queryWords = normalizedQuery.toLowerCase().split(/\s+/).filter(Boolean)
+  const isMultiWord = queryWords.length > 1
 
   for (const item of items) {
     const nameMatch = calculateFieldScore(normalizedQuery, item.name)
@@ -127,16 +170,35 @@ export function searchItems<T extends SearchableItem>(
 
     const aliasMatch = calculateAliasScore(normalizedQuery, item.aliases)
 
-    const nameScore = nameMatch.score
-    const descScore = descMatch.score * DESCRIPTION_WEIGHT
+    let nameScore = nameMatch.score
+    let descScore = descMatch.score * DESCRIPTION_WEIGHT
     const aliasScore = aliasMatch.score
 
+    let bestMatchType = nameMatch.matchType
+
+    // For multi-word queries, also try matching each word independently and take the better score
+    if (isMultiWord) {
+      const multiWordNameMatch = calculateMultiWordScore(queryWords, item.name)
+      if (multiWordNameMatch.score > nameScore) {
+        nameScore = multiWordNameMatch.score
+        bestMatchType = multiWordNameMatch.matchType
+      }
+
+      if (item.description) {
+        const multiWordDescMatch = calculateMultiWordScore(queryWords, item.description)
+        const multiWordDescScore = multiWordDescMatch.score * DESCRIPTION_WEIGHT
+        if (multiWordDescScore > descScore) {
+          descScore = multiWordDescScore
+        }
+      }
+    }
+
     const bestScore = Math.max(nameScore, descScore, aliasScore)
 
     if (bestScore > 0) {
       let matchType: SearchResult<T>['matchType'] = 'substring'
       if (nameScore >= descScore && nameScore >= aliasScore) {
-        matchType = nameMatch.matchType || 'substring'
+        matchType = bestMatchType || 'substring'
       } else if (aliasScore >= descScore) {
         matchType = 'alias'
       } else {

apps/sim/app/workspace/[workspaceId]/w/components/sidebar/components/settings-modal/components/mcp/mcp.tsx

@@ -39,6 +39,7 @@ import {
   useRefreshMcpServer,
   useStoredMcpTools,
 } from '@/hooks/queries/mcp'
+import { useAvailableEnvVarKeys } from '@/hooks/use-available-env-vars'
 import { useWorkflowRegistry } from '@/stores/workflows/registry/store'
 import { useSubBlockStore } from '@/stores/workflows/subblock/store'
 import { FormField, McpServerSkeleton } from './components'
@@ -157,6 +158,7 @@ interface FormattedInputProps {
   scrollLeft: number
   showEnvVars: boolean
   envVarProps: EnvVarDropdownConfig
+  availableEnvVars?: Set<string>
   className?: string
   onChange: (e: React.ChangeEvent<HTMLInputElement>) => void
   onScroll: (scrollLeft: number) => void
@@ -169,6 +171,7 @@ function FormattedInput({
   scrollLeft,
   showEnvVars,
   envVarProps,
+  availableEnvVars,
   className,
   onChange,
   onScroll,
@@ -190,7 +193,7 @@ function FormattedInput({
       />
       <div className='pointer-events-none absolute inset-0 flex items-center overflow-hidden px-[8px] py-[6px] font-medium font-sans text-sm'>
         <div className='whitespace-nowrap' style={{ transform: `translateX(-${scrollLeft}px)` }}>
-          {formatDisplayText(value)}
+          {formatDisplayText(value, { availableEnvVars })}
         </div>
       </div>
       {showEnvVars && (
@@ -221,6 +224,7 @@ interface HeaderRowProps {
   envSearchTerm: string
   cursorPosition: number
   workspaceId: string
+  availableEnvVars?: Set<string>
   onInputChange: (field: InputFieldType, value: string, index?: number) => void
   onHeaderScroll: (key: string, scrollLeft: number) => void
   onEnvVarSelect: (value: string) => void
@@ -238,6 +242,7 @@ function HeaderRow({
   envSearchTerm,
   cursorPosition,
   workspaceId,
+  availableEnvVars,
   onInputChange,
   onHeaderScroll,
   onEnvVarSelect,
@@ -265,6 +270,7 @@ function HeaderRow({
         scrollLeft={headerScrollLeft[`key-${index}`] || 0}
         showEnvVars={isKeyActive}
         envVarProps={envVarProps}
+        availableEnvVars={availableEnvVars}
         className='flex-1'
         onChange={(e) => onInputChange('header-key', e.target.value, index)}
         onScroll={(scrollLeft) => onHeaderScroll(`key-${index}`, scrollLeft)}
@@ -276,6 +282,7 @@ function HeaderRow({
         scrollLeft={headerScrollLeft[`value-${index}`] || 0}
         showEnvVars={isValueActive}
         envVarProps={envVarProps}
+        availableEnvVars={availableEnvVars}
         className='flex-1'
         onChange={(e) => onInputChange('header-value', e.target.value, index)}
         onScroll={(scrollLeft) => onHeaderScroll(`value-${index}`, scrollLeft)}
@@ -371,6 +378,7 @@ export function MCP({ initialServerId }: MCPProps) {
   const deleteServerMutation = useDeleteMcpServer()
   const refreshServerMutation = useRefreshMcpServer()
   const { testResult, isTestingConnection, testConnection, clearTestResult } = useMcpServerTest()
+  const availableEnvVars = useAvailableEnvVarKeys(workspaceId)
 
   const urlInputRef = useRef<HTMLInputElement>(null)
 
@@ -1061,6 +1069,7 @@ export function MCP({ initialServerId }: MCPProps) {
                     onSelect: handleEnvVarSelect,
                     onClose: resetEnvVarState,
                   }}
+                  availableEnvVars={availableEnvVars}
                   onChange={(e) => handleInputChange('url', e.target.value)}
                   onScroll={(scrollLeft) => handleUrlScroll(scrollLeft)}
                 />
@@ -1094,6 +1103,7 @@ export function MCP({ initialServerId }: MCPProps) {
                       envSearchTerm={envSearchTerm}
                       cursorPosition={cursorPosition}
                       workspaceId={workspaceId}
+                      availableEnvVars={availableEnvVars}
                       onInputChange={handleInputChange}
                       onHeaderScroll={handleHeaderScroll}
                       onEnvVarSelect={handleEnvVarSelect}

apps/sim/app/workspace/[workspaceId]/w/components/sidebar/components/settings-modal/components/subscription/subscription.tsx

@@ -6,8 +6,8 @@ import { useParams } from 'next/navigation'
 import { Combobox, Label, Switch, Tooltip } from '@/components/emcn'
 import { Skeleton } from '@/components/ui'
 import { useSession } from '@/lib/auth/auth-client'
+import { USAGE_THRESHOLDS } from '@/lib/billing/client/consts'
 import { useSubscriptionUpgrade } from '@/lib/billing/client/upgrade'
-import { USAGE_THRESHOLDS } from '@/lib/billing/client/usage-visualization'
 import { getEffectiveSeats } from '@/lib/billing/subscriptions/utils'
 import { cn } from '@/lib/core/utils/cn'
 import { getBaseUrl } from '@/lib/core/utils/urls'

apps/sim/app/workspace/[workspaceId]/w/components/sidebar/components/settings-modal/components/usage-header/usage-header.tsx

@@ -2,11 +2,7 @@
 
 import type { ReactNode } from 'react'
 import { Badge } from '@/components/emcn'
-import {
-  getFilledPillColor,
-  USAGE_PILL_COLORS,
-  USAGE_THRESHOLDS,
-} from '@/lib/billing/client/usage-visualization'
+import { getFilledPillColor, USAGE_PILL_COLORS, USAGE_THRESHOLDS } from '@/lib/billing/client'
 
 const PILL_COUNT = 5
 

apps/sim/app/workspace/[workspaceId]/w/components/sidebar/components/usage-indicator/usage-indicator.tsx

@@ -5,13 +5,14 @@ import { createLogger } from '@sim/logger'
 import { useQueryClient } from '@tanstack/react-query'
 import { Badge } from '@/components/emcn'
 import { Skeleton } from '@/components/ui'
+import { USAGE_PILL_COLORS, USAGE_THRESHOLDS } from '@/lib/billing/client/consts'
 import { useSubscriptionUpgrade } from '@/lib/billing/client/upgrade'
 import {
+  getBillingStatus,
   getFilledPillColor,
-  USAGE_PILL_COLORS,
-  USAGE_THRESHOLDS,
-} from '@/lib/billing/client/usage-visualization'
-import { getBillingStatus, getSubscriptionStatus, getUsage } from '@/lib/billing/client/utils'
+  getSubscriptionStatus,
+  getUsage,
+} from '@/lib/billing/client/utils'
 import { useContextMenu } from '@/app/workspace/[workspaceId]/w/components/sidebar/hooks'
 import { useSocket } from '@/app/workspace/providers/socket-provider'
 import { subscriptionKeys, useSubscriptionData } from '@/hooks/queries/subscription'

apps/sim/background/schedule-execution.ts

@@ -4,8 +4,6 @@ import { task } from '@trigger.dev/sdk'
 import { Cron } from 'croner'
 import { eq } from 'drizzle-orm'
 import { v4 as uuidv4 } from 'uuid'
-import type { ZodRecord, ZodString } from 'zod'
-import { getPersonalAndWorkspaceEnv } from '@/lib/environment/utils'
 import { preprocessExecution } from '@/lib/execution/preprocessing'
 import { LoggingSession } from '@/lib/logs/execution/logging-session'
 import { buildTraceSpans } from '@/lib/logs/execution/trace-spans/trace-spans'
@@ -122,7 +120,6 @@ async function runWorkflowExecution({
   loggingSession,
   requestId,
   executionId,
-  EnvVarsSchema,
 }: {
   payload: ScheduleExecutionPayload
   workflowRecord: WorkflowRecord
@@ -130,7 +127,6 @@ async function runWorkflowExecution({
   loggingSession: LoggingSession
   requestId: string
   executionId: string
-  EnvVarsSchema: ZodRecord<ZodString, ZodString>
 }): Promise<RunWorkflowResult> {
   try {
     logger.debug(`[${requestId}] Loading deployed workflow ${payload.workflowId}`)
@@ -156,31 +152,12 @@ async function runWorkflowExecution({
       throw new Error(`Workflow ${payload.workflowId} has no associated workspace`)
     }
 
-    const personalEnvUserId = workflowRecord.userId
-
-    const { personalEncrypted, workspaceEncrypted } = await getPersonalAndWorkspaceEnv(
-      personalEnvUserId,
-      workspaceId
-    )
-
-    const variables = EnvVarsSchema.parse({
-      ...personalEncrypted,
-      ...workspaceEncrypted,
-    })
-
     const input = {
       _context: {
         workflowId: payload.workflowId,
       },
     }
 
-    await loggingSession.safeStart({
-      userId: actorUserId,
-      workspaceId,
-      variables: variables || {},
-      deploymentVersionId,
-    })
-
     const metadata: ExecutionMetadata = {
       requestId,
       executionId,
@@ -279,7 +256,6 @@ export type ScheduleExecutionPayload = {
   failedCount?: number
   now: string
   scheduledFor?: string
-  preflighted?: boolean
 }
 
 function calculateNextRunTime(
@@ -319,9 +295,6 @@ export async function executeScheduleJob(payload: ScheduleExecutionPayload) {
     executionId,
   })
 
-  const zod = await import('zod')
-  const EnvVarsSchema = zod.z.record(zod.z.string())
-
   try {
     const loggingSession = new LoggingSession(
       payload.workflowId,
@@ -339,7 +312,6 @@ export async function executeScheduleJob(payload: ScheduleExecutionPayload) {
       checkRateLimit: true,
       checkDeployment: true,
       loggingSession,
-      preflightEnvVars: !payload.preflighted,
     })
 
     if (!preprocessResult.success) {
@@ -482,7 +454,6 @@ export async function executeScheduleJob(payload: ScheduleExecutionPayload) {
         loggingSession,
         requestId,
         executionId,
-        EnvVarsSchema,
       })
 
       if (executionResult.status === 'skip') {

apps/sim/background/webhook-execution.ts

@@ -17,6 +17,7 @@ import { getWorkflowById } from '@/lib/workflows/utils'
 import { ExecutionSnapshot } from '@/executor/execution/snapshot'
 import type { ExecutionMetadata } from '@/executor/execution/types'
 import type { ExecutionResult } from '@/executor/types'
+import { safeAssign } from '@/tools/safe-assign'
 import { getTrigger, isTriggerValid } from '@/triggers'
 
 const logger = createLogger('TriggerWebhookExecution')
@@ -397,7 +398,7 @@ async function executeWebhookJobInternal(
               requestId,
               userId: payload.userId,
             })
-            Object.assign(input, processedInput)
+            safeAssign(input, processedInput as Record<string, unknown>)
           }
         } else {
           logger.debug(`[${requestId}] No valid triggerId found for block ${payload.blockId}`)

apps/sim/background/workflow-execution.ts

@@ -20,7 +20,6 @@ export type WorkflowExecutionPayload = {
   input?: any
   triggerType?: CoreTriggerType
   metadata?: Record<string, any>
-  preflighted?: boolean
 }
 
 /**
@@ -52,7 +51,6 @@ export async function executeWorkflowJob(payload: WorkflowExecutionPayload) {
       checkRateLimit: true,
       checkDeployment: true,
       loggingSession: loggingSession,
-      preflightEnvVars: !payload.preflighted,
     })
 
     if (!preprocessResult.success) {

apps/sim/blocks/blocks/mcp.ts

@@ -1,5 +1,5 @@
 import { McpIcon } from '@/components/icons'
-import { createMcpToolId } from '@/lib/mcp/utils'
+import { createMcpToolId } from '@/lib/mcp/shared'
 import type { BlockConfig } from '@/blocks/types'
 import type { ToolResponse } from '@/tools/types'
 

apps/sim/content/blog/enterprise/components.tsx

@@ -0,0 +1,51 @@
+'use client'
+
+import { useState } from 'react'
+import { ArrowRight, ChevronRight } from 'lucide-react'
+
+interface ContactButtonProps {
+  href: string
+  children: React.ReactNode
+}
+
+export function ContactButton({ href, children }: ContactButtonProps) {
+  const [isHovered, setIsHovered] = useState(false)
+
+  return (
+    <a
+      href={href}
+      target='_blank'
+      rel='noopener noreferrer'
+      onMouseEnter={() => setIsHovered(true)}
+      onMouseLeave={() => setIsHovered(false)}
+      style={{
+        display: 'inline-flex',
+        alignItems: 'center',
+        gap: '4px',
+        borderRadius: '10px',
+        background: 'linear-gradient(to bottom, #8357ff, #6f3dfa)',
+        border: '1px solid #6f3dfa',
+        boxShadow: 'inset 0 2px 4px 0 #9b77ff',
+        paddingTop: '6px',
+        paddingBottom: '6px',
+        paddingLeft: '12px',
+        paddingRight: '10px',
+        fontSize: '15px',
+        fontWeight: 500,
+        color: '#ffffff',
+        textDecoration: 'none',
+        opacity: isHovered ? 0.9 : 1,
+        transition: 'opacity 200ms',
+      }}
+    >
+      {children}
+      <span style={{ display: 'inline-flex' }}>
+        {isHovered ? (
+          <ArrowRight style={{ height: '16px', width: '16px' }} aria-hidden='true' />
+        ) : (
+          <ChevronRight style={{ height: '16px', width: '16px' }} aria-hidden='true' />
+        )}
+      </span>
+    </a>
+  )
+}

apps/sim/content/blog/enterprise/index.mdx

@@ -0,0 +1,177 @@
+---
+slug: enterprise
+title: 'Build with Sim for Enterprise'
+description: 'Access control, BYOK, self-hosted deployments, on-prem Copilot, SSO & SAML, whitelabeling, Admin API, and flexible data retention—enterprise features for teams with strict security and compliance requirements.'
+date: 2026-01-23
+updated: 2026-01-23
+authors:
+  - vik
+readingTime: 10
+tags: [Enterprise, Security, Self-Hosted, SSO, SAML, Compliance, BYOK, Access Control, Copilot, Whitelabel, API, Import, Export]
+ogImage: /studio/enterprise/cover.png
+ogAlt: 'Sim Enterprise features overview'
+about: ['Enterprise Software', 'Security', 'Compliance', 'Self-Hosting']
+timeRequired: PT10M
+canonical: https://sim.ai/studio/enterprise
+featured: false
+draft: true
+---
+
+We've been working with security teams at larger organizations to bring Sim into environments with strict compliance and data handling requirements. This post covers the enterprise capabilities we've built: granular access control, bring-your-own-keys, self-hosted deployments, on-prem Copilot, SSO & SAML, whitelabeling, compliance, and programmatic management via the Admin API.
+
+## Access Control
+
+![Access Control Settings](/studio/enterprise/access-control.png)
+
+Permission groups let administrators control what features and integrations are available to different teams within an organization. This isn't just UI filtering—restrictions are enforced at the execution layer.
+
+### Model Provider Restrictions
+
+![Model Provider Restrictions](/studio/enterprise/model-providers.png)
+
+Allowlist specific providers while blocking others. Users in a restricted group see only approved providers in the model selector. A workflow that tries to use an unapproved provider won't execute.
+
+This is useful when you've approved certain providers for production use, negotiated enterprise agreements with specific vendors, or need to comply with data residency requirements that only certain providers meet.
+
+### Integration Controls
+
+![Integration Controls](/studio/enterprise/integration-controls.png)
+
+Restrict which workflow blocks appear in the editor. Disable the HTTP block to prevent arbitrary external API calls. Block access to integrations that haven't completed your security review.
+
+### Platform Feature Toggles
+
+![Platform Feature Toggles](/studio/enterprise/platform-controls.png)
+
+Control access to platform capabilities per permission group:
+
+- **[Knowledge Base](https://docs.sim.ai/blocks/knowledge)** — Disable document uploads if RAG workflows aren't approved
+- **[MCP Tools](https://docs.sim.ai/mcp)** — Block deployment of workflows as external tool endpoints
+- **Custom Tools** — Prevent creation of arbitrary HTTP integrations
+- **Invitations** — Disable self-service team invitations to maintain centralized control
+
+Users not assigned to any permission group have full access, so restrictions are opt-in per team rather than requiring you to grant permissions to everyone.
+
+---
+
+## Bring Your Own Keys
+
+![BYOK Configuration](/studio/enterprise/byok.png)
+
+When you configure your own API keys for model providers—OpenAI, Anthropic, Google, Azure OpenAI, AWS Bedrock, or any supported provider—your prompts and completions route directly between Sim and that provider. The traffic doesn't pass through our infrastructure.
+
+This matters because LLM requests contain the context you've assembled: customer data, internal documents, proprietary business logic. With your own keys, you maintain a direct relationship with your model provider. Their data handling policies and compliance certifications apply to your usage without an intermediary.
+
+BYOK is available to everyone, not just enterprise plans. Connect your credentials in workspace settings, and all model calls use your keys. For self-hosted deployments, this is the default—there are no Sim-managed keys involved.
+
+A healthcare organization can use Azure OpenAI with their BAA-covered subscription. A financial services firm can route through their approved API gateway with additional logging controls. The workflow builder stays the same; only the underlying data flow changes.
+
+---
+
+## Self-Hosted Deployments
+
+![Self-Hosted Architecture](/studio/enterprise/self-hosted.png)
+
+Run Sim entirely on your infrastructure. Deploy with [Docker Compose](https://docs.sim.ai/self-hosting/docker) or [Helm charts](https://docs.sim.ai/self-hosting/kubernetes) for Kubernetes—the application, WebSocket server, and PostgreSQL database all stay within your network.
+
+**Single-node** — Docker Compose setup for smaller teams getting started.
+
+**High availability** — Multi-replica Kubernetes deployments with horizontal pod autoscaling.
+
+**Air-gapped** — No external network access required. Pair with [Ollama](https://docs.sim.ai/self-hosting/ollama) or [vLLM](https://docs.sim.ai/self-hosting/vllm) for local model inference.
+
+Enterprise features like access control, SSO, and organization management are enabled through environment variables—no connection to our billing infrastructure required.
+
+---
+
+## On-Prem Copilot
+
+Copilot—our context-aware AI assistant for building and debugging workflows—can run entirely within your self-hosted deployment using your own LLM keys.
+
+When you configure Copilot with your API credentials, all assistant interactions route directly to your chosen provider. The prompts Copilot generates—which include context from your workflows, execution logs, and workspace configuration—never leave your network. You get the same capabilities as the hosted version: natural language workflow generation, error diagnosis, documentation lookup, and iterative editing through diffs.
+
+This is particularly relevant for organizations where the context Copilot needs to be helpful is also the context that can't leave the building. Your workflow definitions, block configurations, and execution traces stay within your infrastructure even when you're asking Copilot for help debugging a failure or generating a new integration.
+
+---
+
+## SSO & SAML
+
+![SSO Configuration](/studio/enterprise/sso.png)
+
+Integrate with your existing identity provider through SAML 2.0 or OIDC. We support Okta, Azure AD (Entra ID), Google Workspace, OneLogin, Auth0, JumpCloud, Ping Identity, ADFS, and any compliant identity provider.
+
+Once enabled, users authenticate through your IdP instead of Sim credentials. Your MFA policies apply automatically. Session management ties to your IdP—logout there terminates Sim sessions. Account deprovisioning immediately revokes access.
+
+New users are provisioned on first SSO login based on IdP attributes. No invitation emails, no password setup, no manual account creation required.
+
+This centralizes your authentication and audit trail. Your security team's policies apply to Sim access through the same system that tracks everything else.
+
+---
+
+## Whitelabeling
+
+Customize Sim's appearance to match your brand. For self-hosted deployments, whitelabeling is configured through environment variables—no code changes required.
+
+**Brand name & logo** — Replace "Sim" with your company name and logo throughout the interface.
+
+**Theme colors** — Set primary, accent, and background colors to align with your brand palette.
+
+**Support & documentation links** — Point help links to your internal documentation and support channels instead of ours.
+
+**Legal pages** — Redirect terms of service and privacy policy links to your own policies.
+
+This is useful for internal platforms, customer-facing deployments, or any scenario where you want Sim to feel like a native part of your product rather than a third-party tool.
+
+---
+
+## Compliance & Data Retention
+
+![Compliance Certifications](/studio/enterprise/compliance.png)
+
+Sim maintains **SOC 2 Type II** certification with annual audits covering security, availability, and confidentiality controls. We share our SOC 2 report directly with prospective customers under NDA.
+
+**HIPAA** — Business Associate Agreements available for healthcare organizations. Requires self-hosted deployment or dedicated infrastructure.
+
+**Data Retention** — Configure how long workflow execution traces, inputs, and outputs are stored before automatic deletion. We work with enterprise customers to set retention policies that match their compliance requirements.
+
+We provide penetration test reports, architecture documentation, and completed security questionnaires (SIG, CAIQ, and custom formats) for your vendor review process.
+
+---
+
+## Admin API
+
+Manage Sim programmatically through the Admin API. Every operation available in the UI has a corresponding API endpoint, enabling infrastructure-as-code workflows and integration with your existing tooling.
+
+**User & Organization Management** — Provision users, create organizations, assign roles, and manage team membership. Integrate with your HR systems to automatically onboard and offboard employees.
+
+**Workspace Administration** — Create workspaces, configure settings, and manage access. Useful for setting up isolated environments for different teams or clients.
+
+**Workflow Lifecycle** — Deploy, undeploy, and manage workflow versions programmatically. Build CI/CD pipelines that promote workflows from development to staging to production.
+
+The API uses standard REST conventions with JSON payloads. Authentication is via API keys scoped to your organization.
+
+---
+
+## Import & Export
+
+Move workflows between environments, create backups, and maintain version control inside or outside of Sim.
+
+**Workflow Export** — Export individual workflows or entire folders as JSON. The export includes block configurations, connections, environment variable references, and metadata. Use this to back up critical workflows or move them between Sim instances.
+
+**Workspace Export** — Export an entire workspace as a ZIP archive containing all workflows, folder structure, and configuration. Useful for disaster recovery or migrating to a self-hosted deployment.
+
+**Import** — Import workflows into any workspace. Sim handles ID remapping and validates the structure before import. This enables workflow templates, sharing between teams, and restoring from backups.
+
+**Version History** — Each deployment creates a version snapshot. Roll back to previous versions if a deployment causes issues. The Admin API exposes version history for integration with your change management processes.
+
+For teams practicing GitOps, export workflows to your repository and use the Admin API to deploy from CI/CD pipelines.
+
+---
+
+## Get Started
+
+Enterprise features are available now. Check out our [self-hosting](https://docs.sim.ai/self-hosting) and [enterprise](https://docs.sim.ai/enterprise) docs to get started.
+
+*Questions about enterprise deployments?*
+
+<ContactButton href="https://form.typeform.com/to/jqCO12pF">Contact Us</ContactButton>

apps/sim/content/blog/v0-5/index.mdx

@@ -29,10 +29,13 @@ Your workspace is indexed for hybrid retrieval. When you ask a question, Copilot
 
 Copilot supports slash commands that trigger specialized capabilities:
 
-- `/deep-research` — performs multi-step web research on a topic, synthesizing results from multiple sources
-- `/api-docs` — fetches and parses API documentation from a URL, extracting endpoints, parameters, and authentication requirements
-- `/test` — runs your current workflow with sample inputs and reports results inline
-- `/build` — generates a complete workflow from a natural language description, wiring up blocks and configuring integrations
+- `/fast` — uses a faster model for quick responses when you need speed over depth
+- `/research` — performs multi-step web research on a topic, synthesizing results from multiple sources
+- `/actions` — enables agentic mode where Copilot can take actions on your behalf, like modifying blocks or creating workflows
+- `/search` — searches the web for relevant information
+- `/read` — reads and extracts content from a URL
+- `/scrape` — scrapes structured data from web pages
+- `/crawl` — crawls multiple pages from a website to gather comprehensive information
 
 Use `@` commands to pull specific context into your conversation. `@block` references a specific block's configuration and recent outputs. `@workflow` includes the full workflow structure. `@logs` pulls in recent execution traces. This lets you ask targeted questions like "why is `@Slack1` returning an error?" and Copilot has the exact context it needs to diagnose the issue.
 

apps/sim/executor/execution/block-executor.ts

@@ -1,7 +1,4 @@
-import { db } from '@sim/db'
-import { mcpServers } from '@sim/db/schema'
 import { createLogger } from '@sim/logger'
-import { and, eq, inArray, isNull } from 'drizzle-orm'
 import { getBaseUrl } from '@/lib/core/utils/urls'
 import {
   containsUserFileWithMetadata,
@@ -86,10 +83,6 @@ export class BlockExecutor {
 
       resolvedInputs = this.resolver.resolveInputs(ctx, node.id, block.config.params, block)
 
-      if (block.metadata?.id === BlockType.AGENT && resolvedInputs.tools) {
-        resolvedInputs = await this.filterUnavailableMcpToolsForLog(ctx, resolvedInputs)
-      }
-
       if (blockLog) {
         blockLog.input = resolvedInputs
       }
@@ -437,60 +430,6 @@ export class BlockExecutor {
     return undefined
   }
 
-  /**
-   * Filters out unavailable MCP tools from agent inputs for logging.
-   * Only includes tools from servers with 'connected' status.
-   */
-  private async filterUnavailableMcpToolsForLog(
-    ctx: ExecutionContext,
-    inputs: Record<string, any>
-  ): Promise<Record<string, any>> {
-    const tools = inputs.tools
-    if (!Array.isArray(tools) || tools.length === 0) return inputs
-
-    const mcpTools = tools.filter((t: any) => t.type === 'mcp')
-    if (mcpTools.length === 0) return inputs
-
-    const serverIds = [
-      ...new Set(mcpTools.map((t: any) => t.params?.serverId).filter(Boolean)),
-    ] as string[]
-    if (serverIds.length === 0) return inputs
-
-    const availableServerIds = new Set<string>()
-    if (ctx.workspaceId && serverIds.length > 0) {
-      try {
-        const servers = await db
-          .select({ id: mcpServers.id, connectionStatus: mcpServers.connectionStatus })
-          .from(mcpServers)
-          .where(
-            and(
-              eq(mcpServers.workspaceId, ctx.workspaceId),
-              inArray(mcpServers.id, serverIds),
-              isNull(mcpServers.deletedAt)
-            )
-          )
-
-        for (const server of servers) {
-          if (server.connectionStatus === 'connected') {
-            availableServerIds.add(server.id)
-          }
-        }
-      } catch (error) {
-        logger.warn('Failed to check MCP server availability for logging:', error)
-        return inputs
-      }
-    }
-
-    const filteredTools = tools.filter((tool: any) => {
-      if (tool.type !== 'mcp') return true
-      const serverId = tool.params?.serverId
-      if (!serverId) return false
-      return availableServerIds.has(serverId)
-    })
-
-    return { ...inputs, tools: filteredTools }
-  }
-
   private preparePauseResumeSelfReference(
     ctx: ExecutionContext,
     node: DAGNode,

apps/sim/executor/execution/executor.ts

@@ -1,6 +1,5 @@
 import { createLogger } from '@sim/logger'
 import { StartBlockPath } from '@/lib/workflows/triggers/triggers'
-import type { BlockOutput } from '@/blocks/types'
 import { DAGBuilder } from '@/executor/dag/builder'
 import { BlockExecutor } from '@/executor/execution/block-executor'
 import { EdgeManager } from '@/executor/execution/edge-manager'
@@ -24,7 +23,6 @@ const logger = createLogger('DAGExecutor')
 
 export interface DAGExecutorOptions {
   workflow: SerializedWorkflow
-  currentBlockStates?: Record<string, BlockOutput>
   envVarValues?: Record<string, string>
   workflowInput?: WorkflowInput
   workflowVariables?: Record<string, unknown>

apps/sim/executor/utils/reference-validation.ts

@@ -28,6 +28,23 @@ export interface EnvVarResolveOptions {
   missingKeys?: string[]
 }
 
+/**
+ * Standard defaults for env var resolution across all contexts.
+ *
+ * - `resolveExactMatch: true` - Resolves `{{VAR}}` when it's the entire value
+ * - `allowEmbedded: true` - Resolves `{{VAR}}` embedded in strings like `https://{{HOST}}/api`
+ * - `trimKeys: true` - `{{ VAR }}` works the same as `{{VAR}}` (whitespace tolerant)
+ * - `onMissing: 'keep'` - Unknown patterns pass through (e.g., Grafana's `{{instance}}`)
+ * - `deep: false` - Only processes strings by default; set `true` for nested objects
+ */
+export const ENV_VAR_RESOLVE_DEFAULTS: Required<Omit<EnvVarResolveOptions, 'missingKeys'>> = {
+  resolveExactMatch: true,
+  allowEmbedded: true,
+  trimKeys: true,
+  onMissing: 'keep',
+  deep: false,
+} as const
+
 /**
  * Resolve {{ENV_VAR}} references in values using provided env vars.
  */
@@ -37,11 +54,11 @@ export function resolveEnvVarReferences(
   options: EnvVarResolveOptions = {}
 ): unknown {
   const {
-    allowEmbedded = true,
-    resolveExactMatch = true,
-    trimKeys = false,
-    onMissing = 'keep',
-    deep = true,
+    allowEmbedded = ENV_VAR_RESOLVE_DEFAULTS.allowEmbedded,
+    resolveExactMatch = ENV_VAR_RESOLVE_DEFAULTS.resolveExactMatch,
+    trimKeys = ENV_VAR_RESOLVE_DEFAULTS.trimKeys,
+    onMissing = ENV_VAR_RESOLVE_DEFAULTS.onMissing,
+    deep = ENV_VAR_RESOLVE_DEFAULTS.deep,
   } = options
 
   if (typeof value === 'string') {

apps/sim/executor/utils/start-block.ts

@@ -8,6 +8,7 @@ import {
 import type { InputFormatField } from '@/lib/workflows/types'
 import type { NormalizedBlockOutput, UserFile } from '@/executor/types'
 import type { SerializedBlock } from '@/serializer/types'
+import { safeAssign } from '@/tools/safe-assign'
 
 type ExecutionKind = 'chat' | 'manual' | 'api'
 
@@ -346,7 +347,7 @@ function buildLegacyStarterOutput(
   const finalObject = isPlainObject(finalInput) ? finalInput : undefined
 
   if (finalObject) {
-    Object.assign(output, finalObject)
+    safeAssign(output, finalObject)
     output.input = { ...finalObject }
   } else {
     output.input = finalInput

apps/sim/hooks/mcp/use-mcp-server-test.ts

@@ -2,8 +2,8 @@
 
 import { useCallback, useState } from 'react'
 import { createLogger } from '@sim/logger'
+import { sanitizeForHttp, sanitizeHeaders } from '@/lib/mcp/shared'
 import type { McpTransport } from '@/lib/mcp/types'
-import { sanitizeForHttp, sanitizeHeaders } from '@/lib/mcp/utils'
 
 const logger = createLogger('useMcpServerTest')
 

apps/sim/hooks/mcp/use-mcp-tools.ts

@@ -10,7 +10,7 @@ import { useCallback, useMemo } from 'react'
 import { createLogger } from '@sim/logger'
 import { useQueryClient } from '@tanstack/react-query'
 import { McpIcon } from '@/components/icons'
-import { createMcpToolId } from '@/lib/mcp/utils'
+import { createMcpToolId } from '@/lib/mcp/shared'
 import { mcpKeys, useMcpToolsQuery } from '@/hooks/queries/mcp'
 
 const logger = createLogger('useMcpTools')

apps/sim/hooks/queries/logs.ts

@@ -144,11 +144,17 @@ export function useLogsList(
   })
 }
 
-export function useLogDetail(logId: string | undefined) {
+interface UseLogDetailOptions {
+  enabled?: boolean
+  refetchInterval?: number | false
+}
+
+export function useLogDetail(logId: string | undefined, options?: UseLogDetailOptions) {
   return useQuery({
     queryKey: logKeys.detail(logId),
     queryFn: () => fetchLogDetail(logId as string),
-    enabled: Boolean(logId),
+    enabled: Boolean(logId) && (options?.enabled ?? true),
+    refetchInterval: options?.refetchInterval ?? false,
     staleTime: 30 * 1000,
     placeholderData: keepPreviousData,
   })

apps/sim/hooks/queries/mcp.ts

@@ -1,7 +1,7 @@
 import { createLogger } from '@sim/logger'
 import { keepPreviousData, useMutation, useQuery, useQueryClient } from '@tanstack/react-query'
+import { sanitizeForHttp, sanitizeHeaders } from '@/lib/mcp/shared'
 import type { McpServerStatusConfig, McpTool, StoredMcpTool } from '@/lib/mcp/types'
-import { sanitizeForHttp, sanitizeHeaders } from '@/lib/mcp/utils'
 
 const logger = createLogger('McpQueries')
 

apps/sim/hooks/use-available-env-vars.ts

@@ -0,0 +1,43 @@
+import { useMemo } from 'react'
+import { usePersonalEnvironment, useWorkspaceEnvironment } from '@/hooks/queries/environment'
+
+export function useAvailableEnvVarKeys(workspaceId?: string): Set<string> | undefined {
+  const { data: personalEnv, isLoading: personalLoading } = usePersonalEnvironment()
+  const { data: workspaceEnvData, isLoading: workspaceLoading } = useWorkspaceEnvironment(
+    workspaceId || ''
+  )
+
+  return useMemo(() => {
+    if (personalLoading || (workspaceId && workspaceLoading)) {
+      return undefined
+    }
+
+    const keys = new Set<string>()
+
+    if (personalEnv) {
+      Object.keys(personalEnv).forEach((key) => keys.add(key))
+    }
+
+    if (workspaceId && workspaceEnvData) {
+      if (workspaceEnvData.workspace) {
+        Object.keys(workspaceEnvData.workspace).forEach((key) => keys.add(key))
+      }
+      if (workspaceEnvData.personal) {
+        Object.keys(workspaceEnvData.personal).forEach((key) => keys.add(key))
+      }
+    }
+
+    return keys
+  }, [personalEnv, workspaceEnvData, personalLoading, workspaceLoading, workspaceId])
+}
+
+export function createShouldHighlightEnvVar(
+  availableEnvVars: Set<string> | undefined
+): (varName: string) => boolean {
+  return (varName: string): boolean => {
+    if (availableEnvVars === undefined) {
+      return true
+    }
+    return availableEnvVars.has(varName)
+  }
+}

apps/sim/lib/a2a/push-notifications.ts

@@ -4,6 +4,7 @@ import { a2aPushNotificationConfig, a2aTask } from '@sim/db/schema'
 import { createLogger } from '@sim/logger'
 import { eq } from 'drizzle-orm'
 import { isTriggerDevEnabled } from '@/lib/core/config/feature-flags'
+import { secureFetchWithPinnedIP, validateUrlWithDNS } from '@/lib/core/security/input-validation'
 
 const logger = createLogger('A2APushNotifications')
 
@@ -45,7 +46,17 @@ export async function deliverPushNotification(taskId: string, state: TaskState):
   }
 
   try {
-    const response = await fetch(config.url, {
+    const urlValidation = await validateUrlWithDNS(config.url, 'webhook URL')
+    if (!urlValidation.isValid || !urlValidation.resolvedIP) {
+      logger.error('Push notification URL validation failed', {
+        taskId,
+        url: config.url,
+        error: urlValidation.error,
+      })
+      return false
+    }
+
+    const response = await secureFetchWithPinnedIP(config.url, urlValidation.resolvedIP, {
       method: 'POST',
       headers,
       body: JSON.stringify({
@@ -59,7 +70,7 @@ export async function deliverPushNotification(taskId: string, state: TaskState):
           artifacts: (task.artifacts as Artifact[]) || [],
         },
       }),
-      signal: AbortSignal.timeout(30000),
+      timeout: 30000,
     })
 
     if (!response.ok) {

apps/sim/lib/auth/auth.ts

@@ -256,6 +256,17 @@ export const auth = betterAuth({
           return { data: account }
         },
         after: async (account) => {
+          try {
+            const { ensureUserStatsExists } = await import('@/lib/billing/core/usage')
+            await ensureUserStatsExists(account.userId)
+          } catch (error) {
+            logger.error('[databaseHooks.account.create.after] Failed to ensure user stats', {
+              userId: account.userId,
+              accountId: account.id,
+              error,
+            })
+          }
+
           if (account.providerId === 'salesforce') {
             const updates: {
               accessTokenExpiresAt?: Date
@@ -462,7 +473,6 @@ export const auth = betterAuth({
   },
   emailVerification: {
     autoSignInAfterVerification: true,
-    // onEmailVerification is called by the emailOTP plugin when email is verified via OTP
     onEmailVerification: async (user) => {
       if (isHosted && user.email) {
         try {

apps/sim/lib/billing/client/consts.ts

@@ -0,0 +1,28 @@
+/**
+ * Number of pills to display in usage indicators.
+ */
+export const USAGE_PILL_COUNT = 8
+
+/**
+ * Usage percentage thresholds for visual states.
+ */
+export const USAGE_THRESHOLDS = {
+  /** Warning threshold (yellow/orange state) */
+  WARNING: 75,
+  /** Critical threshold (red state) */
+  CRITICAL: 90,
+} as const
+
+/**
+ * Color values for usage pill states using CSS variables
+ */
+export const USAGE_PILL_COLORS = {
+  /** Unfilled pill color (gray) */
+  UNFILLED: 'var(--surface-7)',
+  /** Normal filled pill color (blue) */
+  FILLED: 'var(--brand-secondary)',
+  /** Warning state pill color (yellow/orange) */
+  WARNING: 'var(--warning)',
+  /** Critical/limit reached pill color (red) */
+  AT_LIMIT: 'var(--text-error)',
+} as const

apps/sim/lib/billing/client/index.ts

@@ -1,3 +1,7 @@
+export {
+  USAGE_PILL_COLORS,
+  USAGE_THRESHOLDS,
+} from './consts'
 export type {
   BillingStatus,
   SubscriptionData,
@@ -8,6 +12,7 @@ export {
   canUpgrade,
   getBillingStatus,
   getDaysRemainingInPeriod,
+  getFilledPillColor,
   getRemainingBudget,
   getSubscriptionStatus,
   getUsage,

apps/sim/lib/billing/client/usage-visualization.ts

@@ -1,150 +0,0 @@
-/**
- * Shared utilities for consistent usage visualization across the application.
- *
- * This module provides a single source of truth for how usage metrics are
- * displayed visually through "pills" or progress indicators.
- */
-
-/**
- * Number of pills to display in usage indicators.
- *
- * Using 8 pills provides:
- * - 12.5% granularity per pill
- * - Good balance between precision and visual clarity
- * - Consistent representation across panel and settings
- */
-export const USAGE_PILL_COUNT = 8
-
-/**
- * Usage percentage thresholds for visual states.
- */
-export const USAGE_THRESHOLDS = {
-  /** Warning threshold (yellow/orange state) */
-  WARNING: 75,
-  /** Critical threshold (red state) */
-  CRITICAL: 90,
-} as const
-
-/**
- * Color values for usage pill states using CSS variables
- */
-export const USAGE_PILL_COLORS = {
-  /** Unfilled pill color (gray) */
-  UNFILLED: 'var(--surface-7)',
-  /** Normal filled pill color (blue) */
-  FILLED: 'var(--brand-secondary)',
-  /** Warning state pill color (yellow/orange) */
-  WARNING: 'var(--warning)',
-  /** Critical/limit reached pill color (red) */
-  AT_LIMIT: 'var(--text-error)',
-} as const
-
-/**
- * Calculate the number of filled pills based on usage percentage.
- *
- * Uses Math.ceil() to ensure even minimal usage (0.01%) shows visual feedback.
- * This provides better UX by making it clear that there is some usage, even if small.
- *
- * @param percentUsed - The usage percentage (0-100). Can be a decimal (e.g., 0.315 for 0.315%)
- * @returns Number of pills that should be filled (0 to USAGE_PILL_COUNT)
- *
- * @example
- * calculateFilledPills(0.315)  // Returns 1 (shows feedback for 0.315% usage)
- * calculateFilledPills(50)     // Returns 4 (50% of 8 pills)
- * calculateFilledPills(100)    // Returns 8 (completely filled)
- * calculateFilledPills(150)    // Returns 8 (clamped to maximum)
- */
-export function calculateFilledPills(percentUsed: number): number {
-  // Clamp percentage to valid range [0, 100]
-  const safePercent = Math.min(Math.max(percentUsed, 0), 100)
-
-  // Calculate filled pills using ceil to show feedback for any usage
-  return Math.ceil((safePercent / 100) * USAGE_PILL_COUNT)
-}
-
-/**
- * Determine if usage has reached the limit (all pills filled).
- *
- * @param percentUsed - The usage percentage (0-100)
- * @returns true if all pills should be filled (at or over limit)
- */
-export function isUsageAtLimit(percentUsed: number): boolean {
-  return calculateFilledPills(percentUsed) >= USAGE_PILL_COUNT
-}
-
-/**
- * Get the appropriate color for a pill based on its state.
- *
- * @param isFilled - Whether this pill should be filled
- * @param isAtLimit - Whether usage has reached the limit
- * @returns CSS color value
- */
-export function getPillColor(isFilled: boolean, isAtLimit: boolean): string {
-  if (!isFilled) return USAGE_PILL_COLORS.UNFILLED
-  if (isAtLimit) return USAGE_PILL_COLORS.AT_LIMIT
-  return USAGE_PILL_COLORS.FILLED
-}
-
-/**
- * Get the appropriate filled pill color based on usage thresholds.
- *
- * @param isCritical - Whether usage is at critical level (blocked or >= 90%)
- * @param isWarning - Whether usage is at warning level (>= 75% but < critical)
- * @returns CSS color value for filled pills
- */
-export function getFilledPillColor(isCritical: boolean, isWarning: boolean): string {
-  if (isCritical) return USAGE_PILL_COLORS.AT_LIMIT
-  if (isWarning) return USAGE_PILL_COLORS.WARNING
-  return USAGE_PILL_COLORS.FILLED
-}
-
-/**
- * Determine usage state based on percentage and blocked status.
- *
- * @param percentUsed - The usage percentage (0-100)
- * @param isBlocked - Whether the account is blocked
- * @returns Object containing isCritical and isWarning flags
- */
-export function getUsageState(
-  percentUsed: number,
-  isBlocked = false
-): { isCritical: boolean; isWarning: boolean } {
-  const isCritical = isBlocked || percentUsed >= USAGE_THRESHOLDS.CRITICAL
-  const isWarning = !isCritical && percentUsed >= USAGE_THRESHOLDS.WARNING
-  return { isCritical, isWarning }
-}
-
-/**
- * Generate an array of pill states for rendering.
- *
- * @param percentUsed - The usage percentage (0-100)
- * @param isBlocked - Whether the account is blocked
- * @returns Array of pill states with colors
- *
- * @example
- * const pills = generatePillStates(50)
- * pills.forEach((pill, index) => (
- *   <Pill key={index} color={pill.color} filled={pill.filled} />
- * ))
- */
-export function generatePillStates(
-  percentUsed: number,
-  isBlocked = false
-): Array<{
-  filled: boolean
-  color: string
-  index: number
-}> {
-  const filledCount = calculateFilledPills(percentUsed)
-  const { isCritical, isWarning } = getUsageState(percentUsed, isBlocked)
-  const filledColor = getFilledPillColor(isCritical, isWarning)
-
-  return Array.from({ length: USAGE_PILL_COUNT }, (_, index) => {
-    const filled = index < filledCount
-    return {
-      filled,
-      color: filled ? filledColor : USAGE_PILL_COLORS.UNFILLED,
-      index,
-    }
-  })
-}

apps/sim/lib/billing/client/utils.ts

@@ -4,6 +4,7 @@
  */
 
 import { DEFAULT_FREE_CREDITS } from '@/lib/billing/constants'
+import { USAGE_PILL_COLORS } from './consts'
 import type { BillingStatus, SubscriptionData, UsageData } from './types'
 
 const defaultUsage: UsageData = {
@@ -36,9 +37,35 @@ export function getSubscriptionStatus(subscriptionData: SubscriptionData | null
 
 /**
  * Get usage data from subscription data
+ * Validates and sanitizes all numeric values to prevent crashes from malformed data
  */
 export function getUsage(subscriptionData: SubscriptionData | null | undefined): UsageData {
-  return subscriptionData?.usage ?? defaultUsage
+  const usage = subscriptionData?.usage
+
+  if (!usage) {
+    return defaultUsage
+  }
+
+  return {
+    current:
+      typeof usage.current === 'number' && Number.isFinite(usage.current) ? usage.current : 0,
+    limit:
+      typeof usage.limit === 'number' && Number.isFinite(usage.limit)
+        ? usage.limit
+        : DEFAULT_FREE_CREDITS,
+    percentUsed:
+      typeof usage.percentUsed === 'number' && Number.isFinite(usage.percentUsed)
+        ? usage.percentUsed
+        : 0,
+    isWarning: Boolean(usage.isWarning),
+    isExceeded: Boolean(usage.isExceeded),
+    billingPeriodStart: usage.billingPeriodStart ?? null,
+    billingPeriodEnd: usage.billingPeriodEnd ?? null,
+    lastPeriodCost:
+      typeof usage.lastPeriodCost === 'number' && Number.isFinite(usage.lastPeriodCost)
+        ? usage.lastPeriodCost
+        : 0,
+  }
 }
 
 /**
@@ -100,3 +127,16 @@ export function canUpgrade(subscriptionData: SubscriptionData | null | undefined
   const status = getSubscriptionStatus(subscriptionData)
   return status.plan === 'free' || status.plan === 'pro'
 }
+
+/**
+ * Get the appropriate filled pill color based on usage thresholds.
+ *
+ * @param isCritical - Whether usage is at critical level (blocked or >= 90%)
+ * @param isWarning - Whether usage is at warning level (>= 75% but < critical)
+ * @returns CSS color value for filled pills
+ */
+export function getFilledPillColor(isCritical: boolean, isWarning: boolean): string {
+  if (isCritical) return USAGE_PILL_COLORS.AT_LIMIT
+  if (isWarning) return USAGE_PILL_COLORS.WARNING
+  return USAGE_PILL_COLORS.FILLED
+}

apps/sim/lib/billing/core/usage.ts

@@ -96,11 +96,32 @@ export async function handleNewUser(userId: string): Promise<void> {
   }
 }
 
+/**
+ * Ensures a userStats record exists for a user.
+ * Creates one with default values if missing.
+ * This is a fallback for cases where the user.create.after hook didn't fire
+ * (e.g., OAuth account linking to existing users).
+ *
+ */
+export async function ensureUserStatsExists(userId: string): Promise<void> {
+  await db
+    .insert(userStats)
+    .values({
+      id: crypto.randomUUID(),
+      userId: userId,
+      currentUsageLimit: getFreeTierLimit().toString(),
+      usageLimitUpdatedAt: new Date(),
+    })
+    .onConflictDoNothing({ target: userStats.userId })
+}
+
 /**
  * Get comprehensive usage data for a user
  */
 export async function getUserUsageData(userId: string): Promise<UsageData> {
   try {
+    await ensureUserStatsExists(userId)
+
     const [userStatsData, subscription] = await Promise.all([
       db.select().from(userStats).where(eq(userStats.userId, userId)).limit(1),
       getHighestPrioritySubscription(userId),

apps/sim/lib/billing/organizations/membership.ts

@@ -16,6 +16,7 @@ import {
 } from '@sim/db/schema'
 import { createLogger } from '@sim/logger'
 import { and, eq, sql } from 'drizzle-orm'
+import { syncUsageLimitsFromSubscription } from '@/lib/billing/core/usage'
 import { requireStripeClient } from '@/lib/billing/stripe-client'
 import { validateSeatAvailability } from '@/lib/billing/validation/seat-management'
 
@@ -556,6 +557,8 @@ export async function removeUserFromOrganization(
           const restoreResult = await restoreUserProSubscription(userId)
           billingActions.proRestored = restoreResult.restored
           billingActions.usageRestored = restoreResult.usageRestored
+
+          await syncUsageLimitsFromSubscription(userId)
         }
       } catch (postRemoveError) {
         logger.error('Post-removal personal Pro restore check failed', {

apps/sim/lib/environment/utils.ts

@@ -3,9 +3,6 @@ import { environment, workspaceEnvironment } from '@sim/db/schema'
 import { createLogger } from '@sim/logger'
 import { eq } from 'drizzle-orm'
 import { decryptSecret } from '@/lib/core/security/encryption'
-import { REFERENCE } from '@/executor/constants'
-import { createEnvVarPattern } from '@/executor/utils/reference-validation'
-import type { BlockState } from '@/stores/workflows/workflow/types'
 
 const logger = createLogger('EnvironmentUtils')
 
@@ -54,6 +51,7 @@ export async function getPersonalAndWorkspaceEnv(
   personalDecrypted: Record<string, string>
   workspaceDecrypted: Record<string, string>
   conflicts: string[]
+  decryptionFailures: string[]
 }> {
   const [personalRows, workspaceRows] = await Promise.all([
     db.select().from(environment).where(eq(environment.userId, userId)).limit(1),
@@ -69,14 +67,23 @@ export async function getPersonalAndWorkspaceEnv(
   const personalEncrypted: Record<string, string> = (personalRows[0]?.variables as any) || {}
   const workspaceEncrypted: Record<string, string> = (workspaceRows[0]?.variables as any) || {}
 
-  const decryptAll = async (src: Record<string, string>) => {
+  const decryptionFailures: string[] = []
+
+  const decryptAll = async (src: Record<string, string>, source: 'personal' | 'workspace') => {
     const entries = Object.entries(src)
     const results = await Promise.all(
       entries.map(async ([k, v]) => {
         try {
           const { decrypted } = await decryptSecret(v)
           return [k, decrypted] as const
-        } catch {
+        } catch (error) {
+          logger.error(`Failed to decrypt ${source} environment variable "${k}"`, {
+            userId,
+            workspaceId,
+            source,
+            error: error instanceof Error ? error.message : 'Unknown error',
+          })
+          decryptionFailures.push(k)
           return [k, ''] as const
         }
       })
@@ -85,18 +92,28 @@ export async function getPersonalAndWorkspaceEnv(
   }
 
   const [personalDecrypted, workspaceDecrypted] = await Promise.all([
-    decryptAll(personalEncrypted),
-    decryptAll(workspaceEncrypted),
+    decryptAll(personalEncrypted, 'personal'),
+    decryptAll(workspaceEncrypted, 'workspace'),
   ])
 
   const conflicts = Object.keys(personalEncrypted).filter((k) => k in workspaceEncrypted)
 
+  if (decryptionFailures.length > 0) {
+    logger.warn('Some environment variables failed to decrypt', {
+      userId,
+      workspaceId,
+      failedKeys: decryptionFailures,
+      failedCount: decryptionFailures.length,
+    })
+  }
+
   return {
     personalEncrypted,
     workspaceEncrypted,
     personalDecrypted,
     workspaceDecrypted,
     conflicts,
+    decryptionFailures,
   }
 }
 
@@ -110,86 +127,3 @@ export async function getEffectiveDecryptedEnv(
   )
   return { ...personalDecrypted, ...workspaceDecrypted }
 }
-
-/**
- * Ensure all environment variables can be decrypted.
- */
-export async function ensureEnvVarsDecryptable(
-  variables: Record<string, string>,
-  options: { requestId?: string } = {}
-): Promise<void> {
-  const requestId = options.requestId
-  for (const [key, encryptedValue] of Object.entries(variables)) {
-    try {
-      await decryptSecret(encryptedValue)
-    } catch (error) {
-      const message = error instanceof Error ? error.message : 'Unknown error'
-      if (requestId) {
-        logger.error(`[${requestId}] Failed to decrypt environment variable "${key}"`, error)
-      } else {
-        logger.error(`Failed to decrypt environment variable "${key}"`, error)
-      }
-      throw new Error(`Failed to decrypt environment variable "${key}": ${message}`)
-    }
-  }
-}
-
-/**
- * Ensure all {{ENV_VAR}} references in block subblocks resolve to decryptable values.
- */
-export async function ensureBlockEnvVarsResolvable(
-  blocks: Record<string, BlockState>,
-  variables: Record<string, string>,
-  options: { requestId?: string } = {}
-): Promise<void> {
-  const requestId = options.requestId
-  const envVarPattern = createEnvVarPattern()
-  await Promise.all(
-    Object.values(blocks).map(async (block) => {
-      const subBlocks = block.subBlocks ?? {}
-      await Promise.all(
-        Object.values(subBlocks).map(async (subBlock) => {
-          const value = subBlock.value
-          if (
-            typeof value !== 'string' ||
-            !value.includes(REFERENCE.ENV_VAR_START) ||
-            !value.includes(REFERENCE.ENV_VAR_END)
-          ) {
-            return
-          }
-
-          const matches = value.match(envVarPattern)
-          if (!matches) {
-            return
-          }
-
-          for (const match of matches) {
-            const varName = match.slice(
-              REFERENCE.ENV_VAR_START.length,
-              -REFERENCE.ENV_VAR_END.length
-            )
-            const encryptedValue = variables[varName]
-            if (!encryptedValue) {
-              throw new Error(`Environment variable "${varName}" was not found`)
-            }
-
-            try {
-              await decryptSecret(encryptedValue)
-            } catch (error) {
-              const message = error instanceof Error ? error.message : 'Unknown error'
-              if (requestId) {
-                logger.error(
-                  `[${requestId}] Error decrypting value for variable "${varName}"`,
-                  error
-                )
-              } else {
-                logger.error(`Error decrypting value for variable "${varName}"`, error)
-              }
-              throw new Error(`Failed to decrypt environment variable "${varName}": ${message}`)
-            }
-          }
-        })
-      )
-    })
-  )
-}

apps/sim/lib/execution/preprocessing.ts

@@ -6,7 +6,6 @@ import { checkServerSideUsageLimits } from '@/lib/billing/calculations/usage-mon
 import { getHighestPrioritySubscription } from '@/lib/billing/core/subscription'
 import { RateLimiter } from '@/lib/core/rate-limiter/rate-limiter'
 import { LoggingSession } from '@/lib/logs/execution/logging-session'
-import { preflightWorkflowEnvVars } from '@/lib/workflows/executor/preflight'
 import { getWorkspaceBilledAccountUserId } from '@/lib/workspaces/utils'
 import type { CoreTriggerType } from '@/stores/logs/filters/types'
 
@@ -118,15 +117,13 @@ export interface PreprocessExecutionOptions {
   checkRateLimit?: boolean // Default: false for manual/chat, true for others
   checkDeployment?: boolean // Default: true for non-manual triggers
   skipUsageLimits?: boolean // Default: false (only use for test mode)
-  preflightEnvVars?: boolean // Default: false
 
   // Context information
   workspaceId?: string // If known, used for billing resolution
   loggingSession?: LoggingSession // If provided, will be used for error logging
   isResumeContext?: boolean // If true, allows fallback billing on resolution failure (for paused workflow resumes)
-  /** @deprecated No longer used - preflight always uses deployed state */
+  /** @deprecated No longer used - background/async executions always use deployed state */
   useDraftState?: boolean
-  envUserId?: string // Optional override for env var resolution user
 }
 
 /**
@@ -164,11 +161,9 @@ export async function preprocessExecution(
     checkRateLimit = triggerType !== 'manual' && triggerType !== 'chat',
     checkDeployment = triggerType !== 'manual',
     skipUsageLimits = false,
-    preflightEnvVars = false,
     workspaceId: providedWorkspaceId,
     loggingSession: providedLoggingSession,
     isResumeContext = false,
-    envUserId,
   } = options
 
   logger.info(`[${requestId}] Starting execution preprocessing`, {
@@ -483,44 +478,6 @@ export async function preprocessExecution(
   }
 
   // ========== SUCCESS: All Checks Passed ==========
-  if (preflightEnvVars) {
-    try {
-      const resolvedEnvUserId = envUserId || workflowRecord.userId || userId
-      await preflightWorkflowEnvVars({
-        workflowId,
-        workspaceId,
-        envUserId: resolvedEnvUserId,
-        requestId,
-      })
-    } catch (error) {
-      const message = error instanceof Error ? error.message : 'Env var preflight failed'
-      logger.warn(`[${requestId}] Env var preflight failed`, {
-        workflowId,
-        message,
-      })
-
-      await logPreprocessingError({
-        workflowId,
-        executionId,
-        triggerType,
-        requestId,
-        userId: actorUserId,
-        workspaceId,
-        errorMessage: message,
-        loggingSession: providedLoggingSession,
-      })
-
-      return {
-        success: false,
-        error: {
-          message,
-          statusCode: 400,
-          logCreated: true,
-        },
-      }
-    }
-  }
-
   logger.info(`[${requestId}] All preprocessing checks passed`, {
     workflowId,
     actorUserId,

apps/sim/lib/mcp/resolve-config.ts

@@ -0,0 +1,85 @@
+/**
+ * Server-only MCP config resolution utilities.
+ * This file contains functions that require server-side dependencies (database access).
+ * Do NOT import this file in client components.
+ */
+
+import { createLogger } from '@sim/logger'
+import { getEffectiveDecryptedEnv } from '@/lib/environment/utils'
+import type { McpServerConfig } from '@/lib/mcp/types'
+import { resolveEnvVarReferences } from '@/executor/utils/reference-validation'
+
+const logger = createLogger('McpResolveConfig')
+
+export interface ResolveMcpConfigOptions {
+  /** If true, throws an error when env vars are missing. Default: true */
+  strict?: boolean
+}
+
+/**
+ * Resolve environment variables in MCP server config (url, headers).
+ * Shared utility used by both MCP service and test-connection endpoint.
+ *
+ * @param config - MCP server config with potential {{ENV_VAR}} patterns
+ * @param userId - User ID to fetch environment variables for
+ * @param workspaceId - Workspace ID for workspace-specific env vars
+ * @param options - Resolution options (strict mode throws on missing vars)
+ * @returns Resolved config with env vars replaced
+ */
+export async function resolveMcpConfigEnvVars(
+  config: McpServerConfig,
+  userId: string,
+  workspaceId?: string,
+  options: ResolveMcpConfigOptions = {}
+): Promise<{ config: McpServerConfig; missingVars: string[] }> {
+  const { strict = true } = options
+  const allMissingVars: string[] = []
+
+  let envVars: Record<string, string> = {}
+  try {
+    envVars = await getEffectiveDecryptedEnv(userId, workspaceId)
+  } catch (error) {
+    logger.error('Failed to fetch environment variables for MCP config:', error)
+    return { config, missingVars: [] }
+  }
+
+  const resolveValue = (value: string): string => {
+    const missingVars: string[] = []
+    const resolved = resolveEnvVarReferences(value, envVars, {
+      missingKeys: missingVars,
+    }) as string
+    allMissingVars.push(...missingVars)
+    return resolved
+  }
+
+  const resolvedConfig = { ...config }
+
+  if (resolvedConfig.url) {
+    resolvedConfig.url = resolveValue(resolvedConfig.url)
+  }
+
+  if (resolvedConfig.headers) {
+    const resolvedHeaders: Record<string, string> = {}
+    for (const [key, value] of Object.entries(resolvedConfig.headers)) {
+      resolvedHeaders[key] = resolveValue(value)
+    }
+    resolvedConfig.headers = resolvedHeaders
+  }
+
+  // Handle missing vars based on strict mode
+  if (allMissingVars.length > 0) {
+    const uniqueMissing = Array.from(new Set(allMissingVars))
+
+    if (strict) {
+      throw new Error(
+        `Missing required environment variable${uniqueMissing.length > 1 ? 's' : ''}: ${uniqueMissing.join(', ')}. ` +
+          `Please set ${uniqueMissing.length > 1 ? 'these variables' : 'this variable'} in your workspace or personal environment settings.`
+      )
+    }
+    uniqueMissing.forEach((envKey) => {
+      logger.warn(`Environment variable "${envKey}" not found in MCP config`)
+    })
+  }
+
+  return { config: resolvedConfig, missingVars: allMissingVars }
+}

apps/sim/lib/mcp/service.ts

@@ -8,8 +8,8 @@ import { createLogger } from '@sim/logger'
 import { and, eq, isNull } from 'drizzle-orm'
 import { isTest } from '@/lib/core/config/feature-flags'
 import { generateRequestId } from '@/lib/core/utils/request'
-import { getEffectiveDecryptedEnv } from '@/lib/environment/utils'
 import { McpClient } from '@/lib/mcp/client'
+import { resolveMcpConfigEnvVars } from '@/lib/mcp/resolve-config'
 import {
   createMcpCacheAdapter,
   getMcpCacheType,
@@ -25,7 +25,6 @@ import type {
   McpTransport,
 } from '@/lib/mcp/types'
 import { MCP_CONSTANTS } from '@/lib/mcp/utils'
-import { resolveEnvVarReferences } from '@/executor/utils/reference-validation'
 
 const logger = createLogger('McpService')
 
@@ -47,60 +46,18 @@ class McpService {
   }
 
   /**
-   * Resolve environment variables in strings
-   */
-  private resolveEnvVars(value: string, envVars: Record<string, string>): string {
-    const missingVars: string[] = []
-    const resolvedValue = resolveEnvVarReferences(value, envVars, {
-      allowEmbedded: true,
-      resolveExactMatch: true,
-      trimKeys: true,
-      onMissing: 'keep',
-      deep: false,
-      missingKeys: missingVars,
-    }) as string
-
-    if (missingVars.length > 0) {
-      const uniqueMissing = Array.from(new Set(missingVars))
-      throw new Error(
-        `Missing required environment variable${uniqueMissing.length > 1 ? 's' : ''}: ${uniqueMissing.join(', ')}. ` +
-          `Please set ${uniqueMissing.length > 1 ? 'these variables' : 'this variable'} in your workspace or personal environment settings.`
-      )
-    }
-
-    return resolvedValue
-  }
-
-  /**
-   * Resolve environment variables in server config
+   * Resolve environment variables in server config.
+   * Uses shared utility with strict mode (throws on missing vars).
    */
   private async resolveConfigEnvVars(
     config: McpServerConfig,
     userId: string,
     workspaceId?: string
   ): Promise<McpServerConfig> {
-    try {
-      const envVars = await getEffectiveDecryptedEnv(userId, workspaceId)
-
-      const resolvedConfig = { ...config }
-
-      if (resolvedConfig.url) {
-        resolvedConfig.url = this.resolveEnvVars(resolvedConfig.url, envVars)
-      }
-
-      if (resolvedConfig.headers) {
-        const resolvedHeaders: Record<string, string> = {}
-        for (const [key, value] of Object.entries(resolvedConfig.headers)) {
-          resolvedHeaders[key] = this.resolveEnvVars(value, envVars)
-        }
-        resolvedConfig.headers = resolvedHeaders
-      }
-
-      return resolvedConfig
-    } catch (error) {
-      logger.error('Failed to resolve environment variables for MCP server config:', error)
-      return config
-    }
+    const { config: resolvedConfig } = await resolveMcpConfigEnvVars(config, userId, workspaceId, {
+      strict: true,
+    })
+    return resolvedConfig
   }
 
   /**

apps/sim/lib/mcp/shared.ts

@@ -0,0 +1,48 @@
+/**
+ * Shared MCP utilities - safe for both client and server.
+ * No server-side dependencies (database, fs, etc.) should be imported here.
+ */
+
+import { isMcpTool, MCP } from '@/executor/constants'
+
+/**
+ * Sanitizes a string by removing invisible Unicode characters that cause HTTP header errors.
+ * Handles characters like U+2028 (Line Separator) that can be introduced via copy-paste.
+ */
+export function sanitizeForHttp(value: string): string {
+  return value
+    .replace(/[\u2028\u2029\u200B-\u200D\uFEFF]/g, '')
+    .replace(/[\x00-\x1F\x7F]/g, '')
+    .trim()
+}
+
+/**
+ * Sanitizes all header key-value pairs for HTTP usage.
+ */
+export function sanitizeHeaders(
+  headers: Record<string, string> | undefined
+): Record<string, string> | undefined {
+  if (!headers) return headers
+  return Object.fromEntries(
+    Object.entries(headers)
+      .map(([key, value]) => [sanitizeForHttp(key), sanitizeForHttp(value)])
+      .filter(([key, value]) => key !== '' && value !== '')
+  )
+}
+
+/**
+ * Client-safe MCP constants
+ */
+export const MCP_CLIENT_CONSTANTS = {
+  CLIENT_TIMEOUT: 60000,
+  MAX_RETRIES: 3,
+  RECONNECT_DELAY: 1000,
+} as const
+
+/**
+ * Create standardized MCP tool ID from server ID and tool name
+ */
+export function createMcpToolId(serverId: string, toolName: string): string {
+  const normalizedServerId = isMcpTool(serverId) ? serverId : `${MCP.TOOL_PREFIX}${serverId}`
+  return `${normalizedServerId}-${toolName}`
+}

apps/sim/lib/webhooks/env-resolver.ts

@@ -1,72 +1,22 @@
-import { createLogger } from '@sim/logger'
 import { getEffectiveDecryptedEnv } from '@/lib/environment/utils'
-import { extractEnvVarName, isEnvVarReference } from '@/executor/constants'
-
-const logger = createLogger('EnvResolver')
+import { resolveEnvVarReferences } from '@/executor/utils/reference-validation'
 
 /**
- * Resolves environment variable references in a string value
- * Uses the same helper functions as the executor's EnvResolver
+ * Recursively resolves all environment variable references in a configuration object.
+ * Supports both exact matches (`{{VAR_NAME}}`) and embedded patterns (`https://{{HOST}}/path`).
  *
- * @param value - The string that may contain env var references
- * @param envVars - Object containing environment variable key-value pairs
- * @returns The resolved string with env vars replaced
- */
-function resolveEnvVarInString(value: string, envVars: Record<string, string>): string {
-  if (!isEnvVarReference(value)) {
-    return value
-  }
-
-  const varName = extractEnvVarName(value)
-  const resolvedValue = envVars[varName]
-
-  if (resolvedValue === undefined) {
-    logger.warn(`Environment variable not found: ${varName}`)
-    return value // Return original if not found
-  }
-
-  logger.debug(`Resolved environment variable: ${varName}`)
-  return resolvedValue
-}
-
-/**
- * Recursively resolves all environment variable references in a configuration object
- * Supports the pattern: {{VAR_NAME}}
+ * Uses `deep: true` because webhook configs have nested structures that need full resolution.
  *
  * @param config - Configuration object that may contain env var references
  * @param userId - User ID to fetch environment variables for
  * @param workspaceId - Optional workspace ID for workspace-specific env vars
  * @returns A new object with all env var references resolved
  */
-export async function resolveEnvVarsInObject(
-  config: Record<string, any>,
+export async function resolveEnvVarsInObject<T extends Record<string, unknown>>(
+  config: T,
   userId: string,
   workspaceId?: string
-): Promise<Record<string, any>> {
+): Promise<T> {
   const envVars = await getEffectiveDecryptedEnv(userId, workspaceId)
-
-  const resolved = { ...config }
-
-  function resolveValue(value: any): any {
-    if (typeof value === 'string') {
-      return resolveEnvVarInString(value, envVars)
-    }
-    if (Array.isArray(value)) {
-      return value.map(resolveValue)
-    }
-    if (value !== null && typeof value === 'object') {
-      const resolvedObj: Record<string, any> = {}
-      for (const [key, val] of Object.entries(value)) {
-        resolvedObj[key] = resolveValue(val)
-      }
-      return resolvedObj
-    }
-    return value
-  }
-
-  for (const [key, value] of Object.entries(resolved)) {
-    resolved[key] = resolveValue(value)
-  }
-
-  return resolved
+  return resolveEnvVarReferences(config, envVars, { deep: true }) as T
 }

apps/sim/lib/webhooks/processor.ts

@@ -413,13 +413,7 @@ export async function findAllWebhooksForPath(
  * @returns String with all {{VARIABLE}} references replaced
  */
 function resolveEnvVars(value: string, envVars: Record<string, string>): string {
-  return resolveEnvVarReferences(value, envVars, {
-    allowEmbedded: true,
-    resolveExactMatch: true,
-    trimKeys: true,
-    onMissing: 'keep',
-    deep: false,
-  }) as string
+  return resolveEnvVarReferences(value, envVars) as string
 }
 
 /**
@@ -804,7 +798,6 @@ export async function checkWebhookPreprocessing(
       checkRateLimit: true,
       checkDeployment: true,
       workspaceId: foundWorkflow.workspaceId,
-      preflightEnvVars: isTriggerDevEnabled,
     })
 
     if (!preprocessResult.success) {

apps/sim/lib/workflows/executor/execution-core.ts

@@ -6,7 +6,6 @@
 import { createLogger } from '@sim/logger'
 import type { Edge } from 'reactflow'
 import { z } from 'zod'
-import { parseResponseFormatSafely } from '@/lib/core/utils/response-format'
 import { getPersonalAndWorkspaceEnv } from '@/lib/environment/utils'
 import { clearExecutionCancellation } from '@/lib/execution/cancellation'
 import type { LoggingSession } from '@/lib/logs/execution/logging-session'
@@ -25,7 +24,6 @@ import type {
   IterationContext,
 } from '@/executor/execution/types'
 import type { ExecutionResult, NormalizedBlockOutput } from '@/executor/types'
-import { resolveEnvVarReferences } from '@/executor/utils/reference-validation'
 import { Serializer } from '@/serializer'
 import { mergeSubblockState } from '@/stores/workflows/server-utils'
 
@@ -202,50 +200,6 @@ export async function executeWorkflowCore(
       deploymentVersionId,
     })
 
-    // Process block states with env var substitution using pre-decrypted values
-    const currentBlockStates = Object.entries(mergedStates).reduce(
-      (acc, [id, block]) => {
-        acc[id] = Object.entries(block.subBlocks).reduce(
-          (subAcc, [key, subBlock]) => {
-            let value = subBlock.value
-
-            if (typeof value === 'string') {
-              value = resolveEnvVarReferences(value, decryptedEnvVars, {
-                resolveExactMatch: false,
-                trimKeys: false,
-                onMissing: 'keep',
-                deep: false,
-              }) as string
-            }
-
-            subAcc[key] = value
-            return subAcc
-          },
-          {} as Record<string, any>
-        )
-        return acc
-      },
-      {} as Record<string, Record<string, any>>
-    )
-
-    // Process response format
-    const processedBlockStates = Object.entries(currentBlockStates).reduce(
-      (acc, [blockId, blockState]) => {
-        const responseFormatValue = blockState.responseFormat
-        if (responseFormatValue === undefined || responseFormatValue === null) {
-          acc[blockId] = blockState
-          return acc
-        }
-
-        const responseFormat = parseResponseFormatSafely(responseFormatValue, blockId, {
-          allowReferences: true,
-        })
-        acc[blockId] = { ...blockState, responseFormat: responseFormat ?? undefined }
-        return acc
-      },
-      {} as Record<string, Record<string, any>>
-    )
-
     // Use edges directly - trigger-to-trigger edges are prevented at creation time
     const filteredEdges = edges
 
@@ -346,7 +300,6 @@ export async function executeWorkflowCore(
 
     const executorInstance = new Executor({
       workflow: serializedWorkflow,
-      currentBlockStates: processedBlockStates,
       envVarValues: decryptedEnvVars,
       workflowInput: processedInput,
       workflowVariables,

apps/sim/lib/workflows/executor/preflight.ts

@@ -1,51 +0,0 @@
-import { createLogger } from '@sim/logger'
-import {
-  ensureBlockEnvVarsResolvable,
-  ensureEnvVarsDecryptable,
-  getPersonalAndWorkspaceEnv,
-} from '@/lib/environment/utils'
-import { loadDeployedWorkflowState } from '@/lib/workflows/persistence/utils'
-import { mergeSubblockState } from '@/stores/workflows/server-utils'
-
-const logger = createLogger('ExecutionPreflight')
-
-export interface EnvVarPreflightOptions {
-  workflowId: string
-  workspaceId: string
-  envUserId: string
-  requestId?: string
-}
-
-/**
- * Preflight env var checks to avoid scheduling executions that will fail.
- * Always uses deployed workflow state since preflight is only done for async
- * executions which always run on deployed state.
- */
-export async function preflightWorkflowEnvVars({
-  workflowId,
-  workspaceId,
-  envUserId,
-  requestId,
-}: EnvVarPreflightOptions): Promise<void> {
-  const workflowData = await loadDeployedWorkflowState(workflowId)
-
-  if (!workflowData) {
-    throw new Error('Workflow state not found')
-  }
-
-  const mergedStates = mergeSubblockState(workflowData.blocks)
-  const { personalEncrypted, workspaceEncrypted } = await getPersonalAndWorkspaceEnv(
-    envUserId,
-    workspaceId
-  )
-  const variables = { ...personalEncrypted, ...workspaceEncrypted }
-
-  await ensureBlockEnvVarsResolvable(mergedStates, variables, { requestId })
-  await ensureEnvVarsDecryptable(variables, { requestId })
-
-  if (requestId) {
-    logger.debug(`[${requestId}] Env var preflight passed`, { workflowId })
-  } else {
-    logger.debug('Env var preflight passed', { workflowId })
-  }
-}

apps/sim/package.json

@@ -113,6 +113,7 @@
     "jose": "6.0.11",
     "js-tiktoken": "1.0.21",
     "js-yaml": "4.1.0",
+    "json5": "2.2.3",
     "jszip": "3.10.1",
     "jwt-decode": "^4.0.0",
     "lodash": "4.17.21",
@@ -137,7 +138,6 @@
     "posthog-node": "5.9.2",
     "prismjs": "^1.30.0",
     "react": "19.2.1",
-    "react-colorful": "5.6.1",
     "react-dom": "19.2.1",
     "react-hook-form": "^7.54.2",
     "react-markdown": "^10.1.0",

apps/sim/serializer/index.test.ts

@@ -132,7 +132,6 @@ describe('Serializer', () => {
       expect(agentBlock?.metadata?.id).toBe('agent')
       expect(agentBlock?.config.tool).toBe('openai')
       expect(agentBlock?.config.params.model).toBe('gpt-4o')
-      expect(agentBlock?.outputs.responseFormat).toBeDefined()
     })
 
     it.concurrent('should serialize agent block with custom tools correctly', () => {

apps/sim/serializer/index.ts

@@ -1,6 +1,5 @@
 import { createLogger } from '@sim/logger'
 import type { Edge } from 'reactflow'
-import { parseResponseFormatSafely } from '@/lib/core/utils/response-format'
 import { BlockPathCalculator } from '@/lib/workflows/blocks/block-path-calculator'
 import {
   buildCanonicalIndex,
@@ -275,15 +274,6 @@ export class Serializer {
       inputs,
       outputs: {
         ...block.outputs,
-        // Include response format fields if available
-        ...(params.responseFormat
-          ? {
-              responseFormat:
-                parseResponseFormatSafely(params.responseFormat, block.id, {
-                  allowReferences: true,
-                }) ?? undefined,
-            }
-          : {}),
       },
       metadata: {
         id: block.type,

apps/sim/serializer/tests/serializer.extended.test.ts

@@ -257,148 +257,6 @@ describe('Serializer Extended Tests', () => {
     })
   })
 
-  describe('parseResponseFormatSafely edge cases', () => {
-    it('should handle null responseFormat', () => {
-      const serializer = new Serializer()
-      const block: BlockState = {
-        id: 'agent-1',
-        type: 'agent',
-        name: 'Agent',
-        position: { x: 0, y: 0 },
-        subBlocks: {
-          model: { id: 'model', type: 'dropdown', value: 'gpt-4o' },
-          prompt: { id: 'prompt', type: 'long-input', value: 'Test' },
-          responseFormat: { id: 'responseFormat', type: 'code', value: null },
-        },
-        outputs: {},
-        enabled: true,
-      }
-
-      const serialized = serializer.serializeWorkflow({ 'agent-1': block }, [], {})
-      const agentBlock = serialized.blocks.find((b) => b.id === 'agent-1')
-
-      expect(agentBlock?.outputs.responseFormat).toBeUndefined()
-    })
-
-    it('should handle empty string responseFormat', () => {
-      const serializer = new Serializer()
-      const block: BlockState = {
-        id: 'agent-1',
-        type: 'agent',
-        name: 'Agent',
-        position: { x: 0, y: 0 },
-        subBlocks: {
-          model: { id: 'model', type: 'dropdown', value: 'gpt-4o' },
-          prompt: { id: 'prompt', type: 'long-input', value: 'Test' },
-          responseFormat: { id: 'responseFormat', type: 'code', value: '   ' },
-        },
-        outputs: {},
-        enabled: true,
-      }
-
-      const serialized = serializer.serializeWorkflow({ 'agent-1': block }, [], {})
-      const agentBlock = serialized.blocks.find((b) => b.id === 'agent-1')
-
-      expect(agentBlock?.outputs.responseFormat).toBeUndefined()
-    })
-
-    it('should handle variable reference in responseFormat', () => {
-      const serializer = new Serializer()
-      const block: BlockState = {
-        id: 'agent-1',
-        type: 'agent',
-        name: 'Agent',
-        position: { x: 0, y: 0 },
-        subBlocks: {
-          model: { id: 'model', type: 'dropdown', value: 'gpt-4o' },
-          prompt: { id: 'prompt', type: 'long-input', value: 'Test' },
-          responseFormat: { id: 'responseFormat', type: 'code', value: '<start.schema>' },
-        },
-        outputs: {},
-        enabled: true,
-      }
-
-      const serialized = serializer.serializeWorkflow({ 'agent-1': block }, [], {})
-      const agentBlock = serialized.blocks.find((b) => b.id === 'agent-1')
-
-      expect(agentBlock?.outputs.responseFormat).toBe('<start.schema>')
-    })
-
-    it('should handle object responseFormat', () => {
-      const serializer = new Serializer()
-      const schemaObject = { type: 'object', properties: { name: { type: 'string' } } }
-      const block: BlockState = {
-        id: 'agent-1',
-        type: 'agent',
-        name: 'Agent',
-        position: { x: 0, y: 0 },
-        subBlocks: {
-          model: { id: 'model', type: 'dropdown', value: 'gpt-4o' },
-          prompt: { id: 'prompt', type: 'long-input', value: 'Test' },
-          responseFormat: { id: 'responseFormat', type: 'code', value: schemaObject as any },
-        },
-        outputs: {},
-        enabled: true,
-      }
-
-      const serialized = serializer.serializeWorkflow({ 'agent-1': block }, [], {})
-      const agentBlock = serialized.blocks.find((b) => b.id === 'agent-1')
-
-      expect(agentBlock?.outputs.responseFormat).toEqual(schemaObject)
-    })
-
-    it('should handle invalid JSON responseFormat gracefully', () => {
-      const serializer = new Serializer()
-      const block: BlockState = {
-        id: 'agent-1',
-        type: 'agent',
-        name: 'Agent',
-        position: { x: 0, y: 0 },
-        subBlocks: {
-          model: { id: 'model', type: 'dropdown', value: 'gpt-4o' },
-          prompt: { id: 'prompt', type: 'long-input', value: 'Test' },
-          responseFormat: { id: 'responseFormat', type: 'code', value: '{invalid json}' },
-        },
-        outputs: {},
-        enabled: true,
-      }
-
-      const serialized = serializer.serializeWorkflow({ 'agent-1': block }, [], {})
-      const agentBlock = serialized.blocks.find((b) => b.id === 'agent-1')
-
-      expect(agentBlock?.outputs.responseFormat).toBeUndefined()
-    })
-
-    it('should parse valid JSON responseFormat', () => {
-      const serializer = new Serializer()
-      const block: BlockState = {
-        id: 'agent-1',
-        type: 'agent',
-        name: 'Agent',
-        position: { x: 0, y: 0 },
-        subBlocks: {
-          model: { id: 'model', type: 'dropdown', value: 'gpt-4o' },
-          prompt: { id: 'prompt', type: 'long-input', value: 'Test' },
-          responseFormat: {
-            id: 'responseFormat',
-            type: 'code',
-            value: '{"type":"object","properties":{"result":{"type":"string"}}}',
-          },
-        },
-        outputs: {},
-        enabled: true,
-      }
-
-      const serialized = serializer.serializeWorkflow({ 'agent-1': block }, [], {})
-      const agentBlock = serialized.blocks.find((b) => b.id === 'agent-1')
-
-      expect(agentBlock?.outputs.responseFormat).toEqual({
-        type: 'object',
-        properties: { result: { type: 'string' } },
-      })
-    })
-  })
-
   describe('subflow block serialization', () => {
     it('should serialize loop blocks correctly', () => {
       const serializer = new Serializer()

apps/sim/stores/panel/variables/store.ts

@@ -1,4 +1,5 @@
 import { createLogger } from '@sim/logger'
+import JSON5 from 'json5'
 import { create } from 'zustand'
 import { devtools } from 'zustand/middleware'
 import { normalizeName } from '@/executor/constants'
@@ -30,7 +31,7 @@ function validateVariable(variable: Variable): string | undefined {
             return 'Not a valid object format'
           }
 
-          const parsed = new Function(`return ${valueToEvaluate}`)()
+          const parsed = JSON5.parse(valueToEvaluate)
 
           if (parsed === null || typeof parsed !== 'object' || Array.isArray(parsed)) {
             return 'Not a valid object'
@@ -43,12 +44,12 @@ function validateVariable(variable: Variable): string | undefined {
         }
       case 'array':
         try {
-          const parsed = JSON.parse(String(variable.value))
+          const parsed = JSON5.parse(String(variable.value))
           if (!Array.isArray(parsed)) {
-            return 'Not a valid JSON array'
+            return 'Not a valid array'
           }
         } catch {
-          return 'Invalid JSON array syntax'
+          return 'Invalid array syntax'
         }
         break
     }

apps/sim/stores/variables/store.ts

@@ -1,4 +1,5 @@
 import { createLogger } from '@sim/logger'
+import JSON5 from 'json5'
 import { v4 as uuidv4 } from 'uuid'
 import { create } from 'zustand'
 import { devtools, persist } from 'zustand/middleware'
@@ -125,8 +126,7 @@ function validateVariable(variable: Variable): string | undefined {
           if (!valueToEvaluate.startsWith('{') || !valueToEvaluate.endsWith('}')) {
             return 'Not a valid object format'
           }
-          // eslint-disable-next-line no-new-func
-          const parsed = new Function(`return ${valueToEvaluate}`)()
+          const parsed = JSON5.parse(valueToEvaluate)
           if (parsed === null || typeof parsed !== 'object' || Array.isArray(parsed)) {
             return 'Not a valid object'
           }
@@ -138,12 +138,12 @@ function validateVariable(variable: Variable): string | undefined {
       }
       case 'array': {
         try {
-          const parsed = JSON.parse(String(variable.value))
+          const parsed = JSON5.parse(String(variable.value))
           if (!Array.isArray(parsed)) {
-            return 'Not a valid JSON array'
+            return 'Not a valid array'
           }
         } catch {
-          return 'Invalid JSON array syntax'
+          return 'Invalid array syntax'
         }
         return undefined
       }

apps/sim/tools/firecrawl/scrape.ts

@@ -1,4 +1,5 @@
 import type { ScrapeParams, ScrapeResponse } from '@/tools/firecrawl/types'
+import { safeAssign } from '@/tools/safe-assign'
 import type { ToolConfig } from '@/tools/types'
 
 export const scrapeTool: ToolConfig<ScrapeParams, ScrapeResponse> = {
@@ -64,7 +65,7 @@ export const scrapeTool: ToolConfig<ScrapeParams, ScrapeResponse> = {
         body.zeroDataRetention = params.zeroDataRetention
 
       if (params.scrapeOptions) {
-        Object.assign(body, params.scrapeOptions)
+        safeAssign(body, params.scrapeOptions as Record<string, unknown>)
       }
 
       return body