fix(notes): ghost edges (#2970)

* fix(notes): ghost edges

* fix deployed state fallback

* fallback

* remove UI level checks

* annotation missing from autoconnect source check

apps/sim/app/api/function/execute/route.test.ts

@@ -85,10 +85,10 @@ vi.mock('@/lib/execution/isolated-vm', () => ({
 vi.mock('@sim/logger', () => loggerMock)
 
 vi.mock('@/lib/auth/hybrid', () => ({
-  checkHybridAuth: vi.fn().mockResolvedValue({
+  checkInternalAuth: vi.fn().mockResolvedValue({
     success: true,
     userId: 'user-123',
-    authType: 'session',
+    authType: 'internal_jwt',
   }),
 }))
 
@@ -119,8 +119,8 @@ describe('Function Execute API Route', () => {
 
   describe('Security Tests', () => {
     it('should reject unauthorized requests', async () => {
-      const { checkHybridAuth } = await import('@/lib/auth/hybrid')
-      vi.mocked(checkHybridAuth).mockResolvedValueOnce({
+      const { checkInternalAuth } = await import('@/lib/auth/hybrid')
+      vi.mocked(checkInternalAuth).mockResolvedValueOnce({
         success: false,
         error: 'Unauthorized',
       })

apps/sim/app/api/function/execute/route.ts

@@ -1,6 +1,6 @@
 import { createLogger } from '@sim/logger'
 import { type NextRequest, NextResponse } from 'next/server'
-import { checkHybridAuth } from '@/lib/auth/hybrid'
+import { checkInternalAuth } from '@/lib/auth/hybrid'
 import { isE2bEnabled } from '@/lib/core/config/feature-flags'
 import { generateRequestId } from '@/lib/core/utils/request'
 import { executeInE2B } from '@/lib/execution/e2b'
@@ -582,7 +582,7 @@ export async function POST(req: NextRequest) {
   let resolvedCode = '' // Store resolved code for error reporting
 
   try {
-    const auth = await checkHybridAuth(req)
+    const auth = await checkInternalAuth(req)
     if (!auth.success || !auth.userId) {
       logger.warn(`[${requestId}] Unauthorized function execution attempt`)
       return NextResponse.json({ error: auth.error || 'Unauthorized' }, { status: 401 })

apps/sim/app/api/providers/route.ts

@@ -3,7 +3,7 @@ import { account } from '@sim/db/schema'
 import { createLogger } from '@sim/logger'
 import { eq } from 'drizzle-orm'
 import { type NextRequest, NextResponse } from 'next/server'
-import { checkHybridAuth } from '@/lib/auth/hybrid'
+import { checkInternalAuth } from '@/lib/auth/hybrid'
 import { generateRequestId } from '@/lib/core/utils/request'
 import { checkWorkspaceAccess } from '@/lib/workspaces/permissions/utils'
 import { refreshTokenIfNeeded } from '@/app/api/auth/oauth/utils'
@@ -22,7 +22,7 @@ export async function POST(request: NextRequest) {
   const startTime = Date.now()
 
   try {
-    const auth = await checkHybridAuth(request, { requireWorkflowId: false })
+    const auth = await checkInternalAuth(request, { requireWorkflowId: false })
     if (!auth.success || !auth.userId) {
       return NextResponse.json({ error: 'Unauthorized' }, { status: 401 })
     }

apps/sim/app/api/tools/custom/route.test.ts

@@ -181,7 +181,7 @@ describe('Custom Tools API Routes', () => {
     }))
 
     vi.doMock('@/lib/auth/hybrid', () => ({
-      checkHybridAuth: vi.fn().mockResolvedValue({
+      checkSessionOrInternalAuth: vi.fn().mockResolvedValue({
         success: true,
         userId: 'user-123',
         authType: 'session',
@@ -254,7 +254,7 @@ describe('Custom Tools API Routes', () => {
       )
 
       vi.doMock('@/lib/auth/hybrid', () => ({
-        checkHybridAuth: vi.fn().mockResolvedValue({
+        checkSessionOrInternalAuth: vi.fn().mockResolvedValue({
           success: false,
           error: 'Unauthorized',
         }),
@@ -304,7 +304,7 @@ describe('Custom Tools API Routes', () => {
   describe('POST /api/tools/custom', () => {
     it('should reject unauthorized requests', async () => {
       vi.doMock('@/lib/auth/hybrid', () => ({
-        checkHybridAuth: vi.fn().mockResolvedValue({
+        checkSessionOrInternalAuth: vi.fn().mockResolvedValue({
           success: false,
           error: 'Unauthorized',
         }),
@@ -390,7 +390,7 @@ describe('Custom Tools API Routes', () => {
 
     it('should prevent unauthorized deletion of user-scoped tool', async () => {
       vi.doMock('@/lib/auth/hybrid', () => ({
-        checkHybridAuth: vi.fn().mockResolvedValue({
+        checkSessionOrInternalAuth: vi.fn().mockResolvedValue({
           success: true,
           userId: 'user-456',
           authType: 'session',
@@ -413,7 +413,7 @@ describe('Custom Tools API Routes', () => {
 
     it('should reject unauthorized requests', async () => {
       vi.doMock('@/lib/auth/hybrid', () => ({
-        checkHybridAuth: vi.fn().mockResolvedValue({
+        checkSessionOrInternalAuth: vi.fn().mockResolvedValue({
           success: false,
           error: 'Unauthorized',
         }),

apps/sim/app/api/tools/custom/route.ts

@@ -4,7 +4,7 @@ import { createLogger } from '@sim/logger'
 import { and, desc, eq, isNull, or } from 'drizzle-orm'
 import { type NextRequest, NextResponse } from 'next/server'
 import { z } from 'zod'
-import { checkHybridAuth } from '@/lib/auth/hybrid'
+import { checkSessionOrInternalAuth } from '@/lib/auth/hybrid'
 import { generateRequestId } from '@/lib/core/utils/request'
 import { upsertCustomTools } from '@/lib/workflows/custom-tools/operations'
 import { getUserEntityPermissions } from '@/lib/workspaces/permissions/utils'
@@ -42,8 +42,8 @@ export async function GET(request: NextRequest) {
   const workflowId = searchParams.get('workflowId')
 
   try {
-    // Use hybrid auth to support session, API key, and internal JWT
-    const authResult = await checkHybridAuth(request, { requireWorkflowId: false })
+    // Use session/internal auth to support session and internal JWT (no API key access)
+    const authResult = await checkSessionOrInternalAuth(request, { requireWorkflowId: false })
     if (!authResult.success || !authResult.userId) {
       logger.warn(`[${requestId}] Unauthorized custom tools access attempt`)
       return NextResponse.json({ error: 'Unauthorized' }, { status: 401 })
@@ -69,8 +69,8 @@ export async function GET(request: NextRequest) {
     }
 
     // Check workspace permissions
-    // For internal JWT with workflowId: checkHybridAuth already resolved userId from workflow owner
-    // For session/API key: verify user has access to the workspace
+    // For internal JWT with workflowId: checkSessionOrInternalAuth already resolved userId from workflow owner
+    // For session: verify user has access to the workspace
     // For legacy (no workspaceId): skip workspace check, rely on userId match
     if (resolvedWorkspaceId && !(authResult.authType === 'internal_jwt' && workflowId)) {
       const userPermission = await getUserEntityPermissions(
@@ -116,8 +116,8 @@ export async function POST(req: NextRequest) {
   const requestId = generateRequestId()
 
   try {
-    // Use hybrid auth (though this endpoint is only called from UI)
-    const authResult = await checkHybridAuth(req, { requireWorkflowId: false })
+    // Use session/internal auth (no API key access)
+    const authResult = await checkSessionOrInternalAuth(req, { requireWorkflowId: false })
     if (!authResult.success || !authResult.userId) {
       logger.warn(`[${requestId}] Unauthorized custom tools update attempt`)
       return NextResponse.json({ error: 'Unauthorized' }, { status: 401 })
@@ -193,8 +193,8 @@ export async function DELETE(request: NextRequest) {
   }
 
   try {
-    // Use hybrid auth (though this endpoint is only called from UI)
-    const authResult = await checkHybridAuth(request, { requireWorkflowId: false })
+    // Use session/internal auth (no API key access)
+    const authResult = await checkSessionOrInternalAuth(request, { requireWorkflowId: false })
     if (!authResult.success || !authResult.userId) {
       logger.warn(`[${requestId}] Unauthorized custom tool deletion attempt`)
       return NextResponse.json({ error: 'Unauthorized' }, { status: 401 })

apps/sim/app/api/tools/discord/send-message/route.ts

@@ -1,7 +1,7 @@
 import { createLogger } from '@sim/logger'
 import { type NextRequest, NextResponse } from 'next/server'
 import { z } from 'zod'
-import { checkHybridAuth } from '@/lib/auth/hybrid'
+import { checkInternalAuth } from '@/lib/auth/hybrid'
 import { validateNumericId } from '@/lib/core/security/input-validation'
 import { generateRequestId } from '@/lib/core/utils/request'
 import { processFilesToUserFiles } from '@/lib/uploads/utils/file-utils'
@@ -22,7 +22,7 @@ export async function POST(request: NextRequest) {
   const requestId = generateRequestId()
 
   try {
-    const authResult = await checkHybridAuth(request, { requireWorkflowId: false })
+    const authResult = await checkInternalAuth(request, { requireWorkflowId: false })
 
     if (!authResult.success) {
       logger.warn(`[${requestId}] Unauthorized Discord send attempt: ${authResult.error}`)

apps/sim/app/api/tools/gmail/add-label/route.ts

@@ -1,7 +1,7 @@
 import { createLogger } from '@sim/logger'
 import { type NextRequest, NextResponse } from 'next/server'
 import { z } from 'zod'
-import { checkHybridAuth } from '@/lib/auth/hybrid'
+import { checkInternalAuth } from '@/lib/auth/hybrid'
 import { validateAlphanumericId } from '@/lib/core/security/input-validation'
 import { generateRequestId } from '@/lib/core/utils/request'
 
@@ -21,7 +21,7 @@ export async function POST(request: NextRequest) {
   const requestId = generateRequestId()
 
   try {
-    const authResult = await checkHybridAuth(request, { requireWorkflowId: false })
+    const authResult = await checkInternalAuth(request, { requireWorkflowId: false })
 
     if (!authResult.success) {
       logger.warn(`[${requestId}] Unauthorized Gmail add label attempt: ${authResult.error}`)

apps/sim/app/api/tools/gmail/archive/route.ts

@@ -1,7 +1,7 @@
 import { createLogger } from '@sim/logger'
 import { type NextRequest, NextResponse } from 'next/server'
 import { z } from 'zod'
-import { checkHybridAuth } from '@/lib/auth/hybrid'
+import { checkInternalAuth } from '@/lib/auth/hybrid'
 import { generateRequestId } from '@/lib/core/utils/request'
 
 export const dynamic = 'force-dynamic'
@@ -19,7 +19,7 @@ export async function POST(request: NextRequest) {
   const requestId = generateRequestId()
 
   try {
-    const authResult = await checkHybridAuth(request, { requireWorkflowId: false })
+    const authResult = await checkInternalAuth(request, { requireWorkflowId: false })
 
     if (!authResult.success) {
       logger.warn(`[${requestId}] Unauthorized Gmail archive attempt: ${authResult.error}`)

apps/sim/app/api/tools/gmail/delete/route.ts

@@ -1,7 +1,7 @@
 import { createLogger } from '@sim/logger'
 import { type NextRequest, NextResponse } from 'next/server'
 import { z } from 'zod'
-import { checkHybridAuth } from '@/lib/auth/hybrid'
+import { checkInternalAuth } from '@/lib/auth/hybrid'
 import { generateRequestId } from '@/lib/core/utils/request'
 
 export const dynamic = 'force-dynamic'
@@ -19,7 +19,7 @@ export async function POST(request: NextRequest) {
   const requestId = generateRequestId()
 
   try {
-    const authResult = await checkHybridAuth(request, { requireWorkflowId: false })
+    const authResult = await checkInternalAuth(request, { requireWorkflowId: false })
 
     if (!authResult.success) {
       logger.warn(`[${requestId}] Unauthorized Gmail delete attempt: ${authResult.error}`)

apps/sim/app/api/tools/gmail/draft/route.ts

@@ -1,7 +1,7 @@
 import { createLogger } from '@sim/logger'
 import { type NextRequest, NextResponse } from 'next/server'
 import { z } from 'zod'
-import { checkHybridAuth } from '@/lib/auth/hybrid'
+import { checkInternalAuth } from '@/lib/auth/hybrid'
 import { generateRequestId } from '@/lib/core/utils/request'
 import { processFilesToUserFiles } from '@/lib/uploads/utils/file-utils'
 import { downloadFileFromStorage } from '@/lib/uploads/utils/file-utils.server'
@@ -35,7 +35,7 @@ export async function POST(request: NextRequest) {
   const requestId = generateRequestId()
 
   try {
-    const authResult = await checkHybridAuth(request, { requireWorkflowId: false })
+    const authResult = await checkInternalAuth(request, { requireWorkflowId: false })
 
     if (!authResult.success) {
       logger.warn(`[${requestId}] Unauthorized Gmail draft attempt: ${authResult.error}`)

apps/sim/app/api/tools/gmail/mark-read/route.ts

@@ -1,7 +1,7 @@
 import { createLogger } from '@sim/logger'
 import { type NextRequest, NextResponse } from 'next/server'
 import { z } from 'zod'
-import { checkHybridAuth } from '@/lib/auth/hybrid'
+import { checkInternalAuth } from '@/lib/auth/hybrid'
 import { generateRequestId } from '@/lib/core/utils/request'
 
 export const dynamic = 'force-dynamic'
@@ -19,7 +19,7 @@ export async function POST(request: NextRequest) {
   const requestId = generateRequestId()
 
   try {
-    const authResult = await checkHybridAuth(request, { requireWorkflowId: false })
+    const authResult = await checkInternalAuth(request, { requireWorkflowId: false })
 
     if (!authResult.success) {
       logger.warn(`[${requestId}] Unauthorized Gmail mark read attempt: ${authResult.error}`)

apps/sim/app/api/tools/gmail/mark-unread/route.ts

@@ -1,7 +1,7 @@
 import { createLogger } from '@sim/logger'
 import { type NextRequest, NextResponse } from 'next/server'
 import { z } from 'zod'
-import { checkHybridAuth } from '@/lib/auth/hybrid'
+import { checkInternalAuth } from '@/lib/auth/hybrid'
 import { generateRequestId } from '@/lib/core/utils/request'
 
 export const dynamic = 'force-dynamic'
@@ -19,7 +19,7 @@ export async function POST(request: NextRequest) {
   const requestId = generateRequestId()
 
   try {
-    const authResult = await checkHybridAuth(request, { requireWorkflowId: false })
+    const authResult = await checkInternalAuth(request, { requireWorkflowId: false })
 
     if (!authResult.success) {
       logger.warn(`[${requestId}] Unauthorized Gmail mark unread attempt: ${authResult.error}`)

apps/sim/app/api/tools/gmail/move/route.ts

@@ -1,7 +1,7 @@
 import { createLogger } from '@sim/logger'
 import { type NextRequest, NextResponse } from 'next/server'
 import { z } from 'zod'
-import { checkHybridAuth } from '@/lib/auth/hybrid'
+import { checkInternalAuth } from '@/lib/auth/hybrid'
 import { generateRequestId } from '@/lib/core/utils/request'
 
 export const dynamic = 'force-dynamic'
@@ -21,7 +21,7 @@ export async function POST(request: NextRequest) {
   const requestId = generateRequestId()
 
   try {
-    const authResult = await checkHybridAuth(request, { requireWorkflowId: false })
+    const authResult = await checkInternalAuth(request, { requireWorkflowId: false })
 
     if (!authResult.success) {
       logger.warn(`[${requestId}] Unauthorized Gmail move attempt: ${authResult.error}`)

apps/sim/app/api/tools/gmail/remove-label/route.ts

@@ -1,7 +1,7 @@
 import { createLogger } from '@sim/logger'
 import { type NextRequest, NextResponse } from 'next/server'
 import { z } from 'zod'
-import { checkHybridAuth } from '@/lib/auth/hybrid'
+import { checkInternalAuth } from '@/lib/auth/hybrid'
 import { validateAlphanumericId } from '@/lib/core/security/input-validation'
 import { generateRequestId } from '@/lib/core/utils/request'
 
@@ -21,7 +21,7 @@ export async function POST(request: NextRequest) {
   const requestId = generateRequestId()
 
   try {
-    const authResult = await checkHybridAuth(request, { requireWorkflowId: false })
+    const authResult = await checkInternalAuth(request, { requireWorkflowId: false })
 
     if (!authResult.success) {
       logger.warn(`[${requestId}] Unauthorized Gmail remove label attempt: ${authResult.error}`)

apps/sim/app/api/tools/gmail/send/route.ts

@@ -1,7 +1,7 @@
 import { createLogger } from '@sim/logger'
 import { type NextRequest, NextResponse } from 'next/server'
 import { z } from 'zod'
-import { checkHybridAuth } from '@/lib/auth/hybrid'
+import { checkInternalAuth } from '@/lib/auth/hybrid'
 import { generateRequestId } from '@/lib/core/utils/request'
 import { processFilesToUserFiles } from '@/lib/uploads/utils/file-utils'
 import { downloadFileFromStorage } from '@/lib/uploads/utils/file-utils.server'
@@ -35,7 +35,7 @@ export async function POST(request: NextRequest) {
   const requestId = generateRequestId()
 
   try {
-    const authResult = await checkHybridAuth(request, { requireWorkflowId: false })
+    const authResult = await checkInternalAuth(request, { requireWorkflowId: false })
 
     if (!authResult.success) {
       logger.warn(`[${requestId}] Unauthorized Gmail send attempt: ${authResult.error}`)

apps/sim/app/api/tools/gmail/unarchive/route.ts

@@ -1,7 +1,7 @@
 import { createLogger } from '@sim/logger'
 import { type NextRequest, NextResponse } from 'next/server'
 import { z } from 'zod'
-import { checkHybridAuth } from '@/lib/auth/hybrid'
+import { checkInternalAuth } from '@/lib/auth/hybrid'
 import { generateRequestId } from '@/lib/core/utils/request'
 
 export const dynamic = 'force-dynamic'
@@ -19,7 +19,7 @@ export async function POST(request: NextRequest) {
   const requestId = generateRequestId()
 
   try {
-    const authResult = await checkHybridAuth(request, { requireWorkflowId: false })
+    const authResult = await checkInternalAuth(request, { requireWorkflowId: false })
 
     if (!authResult.success) {
       logger.warn(`[${requestId}] Unauthorized Gmail unarchive attempt: ${authResult.error}`)

apps/sim/app/api/tools/google_drive/upload/route.ts

@@ -1,7 +1,7 @@
 import { createLogger } from '@sim/logger'
 import { type NextRequest, NextResponse } from 'next/server'
 import { z } from 'zod'
-import { checkHybridAuth } from '@/lib/auth/hybrid'
+import { checkInternalAuth } from '@/lib/auth/hybrid'
 import { generateRequestId } from '@/lib/core/utils/request'
 import { processSingleFileToUserFile } from '@/lib/uploads/utils/file-utils'
 import { downloadFileFromStorage } from '@/lib/uploads/utils/file-utils.server'
@@ -56,7 +56,7 @@ export async function POST(request: NextRequest) {
   const requestId = generateRequestId()
 
   try {
-    const authResult = await checkHybridAuth(request, { requireWorkflowId: false })
+    const authResult = await checkInternalAuth(request, { requireWorkflowId: false })
 
     if (!authResult.success) {
       logger.warn(`[${requestId}] Unauthorized Google Drive upload attempt: ${authResult.error}`)

apps/sim/app/api/tools/image/route.ts

@@ -1,6 +1,6 @@
 import { createLogger } from '@sim/logger'
 import { type NextRequest, NextResponse } from 'next/server'
-import { checkHybridAuth } from '@/lib/auth/hybrid'
+import { checkInternalAuth } from '@/lib/auth/hybrid'
 import { validateImageUrl } from '@/lib/core/security/input-validation'
 import { generateRequestId } from '@/lib/core/utils/request'
 
@@ -15,7 +15,7 @@ export async function GET(request: NextRequest) {
   const imageUrl = url.searchParams.get('url')
   const requestId = generateRequestId()
 
-  const authResult = await checkHybridAuth(request, { requireWorkflowId: false })
+  const authResult = await checkInternalAuth(request, { requireWorkflowId: false })
   if (!authResult.success) {
     logger.error(`[${requestId}] Authentication failed for image proxy:`, authResult.error)
     return new NextResponse('Unauthorized', { status: 401 })

apps/sim/app/api/tools/mail/send/route.ts

@@ -2,7 +2,7 @@ import { createLogger } from '@sim/logger'
 import { type NextRequest, NextResponse } from 'next/server'
 import { Resend } from 'resend'
 import { z } from 'zod'
-import { checkHybridAuth } from '@/lib/auth/hybrid'
+import { checkInternalAuth } from '@/lib/auth/hybrid'
 import { generateRequestId } from '@/lib/core/utils/request'
 
 export const dynamic = 'force-dynamic'
@@ -22,7 +22,7 @@ export async function POST(request: NextRequest) {
   const requestId = generateRequestId()
 
   try {
-    const authResult = await checkHybridAuth(request, { requireWorkflowId: false })
+    const authResult = await checkInternalAuth(request, { requireWorkflowId: false })
 
     if (!authResult.success) {
       logger.warn(`[${requestId}] Unauthorized mail send attempt: ${authResult.error}`)

apps/sim/app/api/tools/microsoft_teams/delete_chat_message/route.ts

@@ -1,7 +1,7 @@
 import { createLogger } from '@sim/logger'
 import { type NextRequest, NextResponse } from 'next/server'
 import { z } from 'zod'
-import { checkHybridAuth } from '@/lib/auth/hybrid'
+import { checkInternalAuth } from '@/lib/auth/hybrid'
 import { generateRequestId } from '@/lib/core/utils/request'
 
 export const dynamic = 'force-dynamic'
@@ -18,7 +18,7 @@ export async function POST(request: NextRequest) {
   const requestId = generateRequestId()
 
   try {
-    const authResult = await checkHybridAuth(request, { requireWorkflowId: false })
+    const authResult = await checkInternalAuth(request, { requireWorkflowId: false })
 
     if (!authResult.success) {
       logger.warn(`[${requestId}] Unauthorized Teams chat delete attempt: ${authResult.error}`)

apps/sim/app/api/tools/microsoft_teams/write_channel/route.ts

@@ -1,7 +1,7 @@
 import { createLogger } from '@sim/logger'
 import { type NextRequest, NextResponse } from 'next/server'
 import { z } from 'zod'
-import { checkHybridAuth } from '@/lib/auth/hybrid'
+import { checkInternalAuth } from '@/lib/auth/hybrid'
 import { generateRequestId } from '@/lib/core/utils/request'
 import { processFilesToUserFiles } from '@/lib/uploads/utils/file-utils'
 import { downloadFileFromStorage } from '@/lib/uploads/utils/file-utils.server'
@@ -23,7 +23,7 @@ export async function POST(request: NextRequest) {
   const requestId = generateRequestId()
 
   try {
-    const authResult = await checkHybridAuth(request, { requireWorkflowId: false })
+    const authResult = await checkInternalAuth(request, { requireWorkflowId: false })
 
     if (!authResult.success) {
       logger.warn(`[${requestId}] Unauthorized Teams channel write attempt: ${authResult.error}`)

apps/sim/app/api/tools/microsoft_teams/write_chat/route.ts

@@ -1,7 +1,7 @@
 import { createLogger } from '@sim/logger'
 import { type NextRequest, NextResponse } from 'next/server'
 import { z } from 'zod'
-import { checkHybridAuth } from '@/lib/auth/hybrid'
+import { checkInternalAuth } from '@/lib/auth/hybrid'
 import { generateRequestId } from '@/lib/core/utils/request'
 import { processFilesToUserFiles } from '@/lib/uploads/utils/file-utils'
 import { downloadFileFromStorage } from '@/lib/uploads/utils/file-utils.server'
@@ -22,7 +22,7 @@ export async function POST(request: NextRequest) {
   const requestId = generateRequestId()
 
   try {
-    const authResult = await checkHybridAuth(request, { requireWorkflowId: false })
+    const authResult = await checkInternalAuth(request, { requireWorkflowId: false })
 
     if (!authResult.success) {
       logger.warn(`[${requestId}] Unauthorized Teams chat write attempt: ${authResult.error}`)

apps/sim/app/api/tools/mistral/parse/route.ts

@@ -1,7 +1,7 @@
 import { createLogger } from '@sim/logger'
 import { type NextRequest, NextResponse } from 'next/server'
 import { z } from 'zod'
-import { checkHybridAuth } from '@/lib/auth/hybrid'
+import { checkInternalAuth } from '@/lib/auth/hybrid'
 import { generateRequestId } from '@/lib/core/utils/request'
 import { getBaseUrl } from '@/lib/core/utils/urls'
 import { StorageService } from '@/lib/uploads'
@@ -30,7 +30,7 @@ export async function POST(request: NextRequest) {
   const requestId = generateRequestId()
 
   try {
-    const authResult = await checkHybridAuth(request, { requireWorkflowId: false })
+    const authResult = await checkInternalAuth(request, { requireWorkflowId: false })
 
     if (!authResult.success || !authResult.userId) {
       logger.warn(`[${requestId}] Unauthorized Mistral parse attempt`, {

apps/sim/app/api/tools/mysql/delete/route.ts

@@ -2,7 +2,7 @@ import { randomUUID } from 'crypto'
 import { createLogger } from '@sim/logger'
 import { type NextRequest, NextResponse } from 'next/server'
 import { z } from 'zod'
-import { checkHybridAuth } from '@/lib/auth/hybrid'
+import { checkInternalAuth } from '@/lib/auth/hybrid'
 import { buildDeleteQuery, createMySQLConnection, executeQuery } from '@/app/api/tools/mysql/utils'
 
 const logger = createLogger('MySQLDeleteAPI')
@@ -22,7 +22,7 @@ export async function POST(request: NextRequest) {
   const requestId = randomUUID().slice(0, 8)
 
   try {
-    const auth = await checkHybridAuth(request)
+    const auth = await checkInternalAuth(request)
     if (!auth.success || !auth.userId) {
       logger.warn(`[${requestId}] Unauthorized MySQL delete attempt`)
       return NextResponse.json({ error: auth.error || 'Unauthorized' }, { status: 401 })

apps/sim/app/api/tools/mysql/execute/route.ts

@@ -2,7 +2,7 @@ import { randomUUID } from 'crypto'
 import { createLogger } from '@sim/logger'
 import { type NextRequest, NextResponse } from 'next/server'
 import { z } from 'zod'
-import { checkHybridAuth } from '@/lib/auth/hybrid'
+import { checkInternalAuth } from '@/lib/auth/hybrid'
 import { createMySQLConnection, executeQuery, validateQuery } from '@/app/api/tools/mysql/utils'
 
 const logger = createLogger('MySQLExecuteAPI')
@@ -21,7 +21,7 @@ export async function POST(request: NextRequest) {
   const requestId = randomUUID().slice(0, 8)
 
   try {
-    const auth = await checkHybridAuth(request)
+    const auth = await checkInternalAuth(request)
     if (!auth.success || !auth.userId) {
       logger.warn(`[${requestId}] Unauthorized MySQL execute attempt`)
       return NextResponse.json({ error: auth.error || 'Unauthorized' }, { status: 401 })

apps/sim/app/api/tools/mysql/insert/route.ts

@@ -2,7 +2,7 @@ import { randomUUID } from 'crypto'
 import { createLogger } from '@sim/logger'
 import { type NextRequest, NextResponse } from 'next/server'
 import { z } from 'zod'
-import { checkHybridAuth } from '@/lib/auth/hybrid'
+import { checkInternalAuth } from '@/lib/auth/hybrid'
 import { buildInsertQuery, createMySQLConnection, executeQuery } from '@/app/api/tools/mysql/utils'
 
 const logger = createLogger('MySQLInsertAPI')
@@ -43,7 +43,7 @@ export async function POST(request: NextRequest) {
   const requestId = randomUUID().slice(0, 8)
 
   try {
-    const auth = await checkHybridAuth(request)
+    const auth = await checkInternalAuth(request)
     if (!auth.success || !auth.userId) {
       logger.warn(`[${requestId}] Unauthorized MySQL insert attempt`)
       return NextResponse.json({ error: auth.error || 'Unauthorized' }, { status: 401 })

apps/sim/app/api/tools/mysql/introspect/route.ts

@@ -2,7 +2,7 @@ import { randomUUID } from 'crypto'
 import { createLogger } from '@sim/logger'
 import { type NextRequest, NextResponse } from 'next/server'
 import { z } from 'zod'
-import { checkHybridAuth } from '@/lib/auth/hybrid'
+import { checkInternalAuth } from '@/lib/auth/hybrid'
 import { createMySQLConnection, executeIntrospect } from '@/app/api/tools/mysql/utils'
 
 const logger = createLogger('MySQLIntrospectAPI')
@@ -20,7 +20,7 @@ export async function POST(request: NextRequest) {
   const requestId = randomUUID().slice(0, 8)
 
   try {
-    const auth = await checkHybridAuth(request)
+    const auth = await checkInternalAuth(request)
     if (!auth.success || !auth.userId) {
       logger.warn(`[${requestId}] Unauthorized MySQL introspect attempt`)
       return NextResponse.json({ error: auth.error || 'Unauthorized' }, { status: 401 })

apps/sim/app/api/tools/mysql/query/route.ts

@@ -2,7 +2,7 @@ import { randomUUID } from 'crypto'
 import { createLogger } from '@sim/logger'
 import { type NextRequest, NextResponse } from 'next/server'
 import { z } from 'zod'
-import { checkHybridAuth } from '@/lib/auth/hybrid'
+import { checkInternalAuth } from '@/lib/auth/hybrid'
 import { createMySQLConnection, executeQuery, validateQuery } from '@/app/api/tools/mysql/utils'
 
 const logger = createLogger('MySQLQueryAPI')
@@ -21,7 +21,7 @@ export async function POST(request: NextRequest) {
   const requestId = randomUUID().slice(0, 8)
 
   try {
-    const auth = await checkHybridAuth(request)
+    const auth = await checkInternalAuth(request)
     if (!auth.success || !auth.userId) {
       logger.warn(`[${requestId}] Unauthorized MySQL query attempt`)
       return NextResponse.json({ error: auth.error || 'Unauthorized' }, { status: 401 })

apps/sim/app/api/tools/mysql/update/route.ts

@@ -2,7 +2,7 @@ import { randomUUID } from 'crypto'
 import { createLogger } from '@sim/logger'
 import { type NextRequest, NextResponse } from 'next/server'
 import { z } from 'zod'
-import { checkHybridAuth } from '@/lib/auth/hybrid'
+import { checkInternalAuth } from '@/lib/auth/hybrid'
 import { buildUpdateQuery, createMySQLConnection, executeQuery } from '@/app/api/tools/mysql/utils'
 
 const logger = createLogger('MySQLUpdateAPI')
@@ -41,7 +41,7 @@ export async function POST(request: NextRequest) {
   const requestId = randomUUID().slice(0, 8)
 
   try {
-    const auth = await checkHybridAuth(request)
+    const auth = await checkInternalAuth(request)
     if (!auth.success || !auth.userId) {
       logger.warn(`[${requestId}] Unauthorized MySQL update attempt`)
       return NextResponse.json({ error: auth.error || 'Unauthorized' }, { status: 401 })

apps/sim/app/api/tools/onedrive/upload/route.ts

@@ -2,7 +2,7 @@ import { createLogger } from '@sim/logger'
 import { type NextRequest, NextResponse } from 'next/server'
 import * as XLSX from 'xlsx'
 import { z } from 'zod'
-import { checkHybridAuth } from '@/lib/auth/hybrid'
+import { checkInternalAuth } from '@/lib/auth/hybrid'
 import { validateMicrosoftGraphId } from '@/lib/core/security/input-validation'
 import { generateRequestId } from '@/lib/core/utils/request'
 import {
@@ -39,7 +39,7 @@ export async function POST(request: NextRequest) {
   const requestId = generateRequestId()
 
   try {
-    const authResult = await checkHybridAuth(request, { requireWorkflowId: false })
+    const authResult = await checkInternalAuth(request, { requireWorkflowId: false })
 
     if (!authResult.success) {
       logger.warn(`[${requestId}] Unauthorized OneDrive upload attempt: ${authResult.error}`)

apps/sim/app/api/tools/outlook/copy/route.ts

@@ -1,7 +1,7 @@
 import { createLogger } from '@sim/logger'
 import { type NextRequest, NextResponse } from 'next/server'
 import { z } from 'zod'
-import { checkHybridAuth } from '@/lib/auth/hybrid'
+import { checkInternalAuth } from '@/lib/auth/hybrid'
 import { generateRequestId } from '@/lib/core/utils/request'
 
 export const dynamic = 'force-dynamic'
@@ -18,7 +18,7 @@ export async function POST(request: NextRequest) {
   const requestId = generateRequestId()
 
   try {
-    const authResult = await checkHybridAuth(request, { requireWorkflowId: false })
+    const authResult = await checkInternalAuth(request, { requireWorkflowId: false })
 
     if (!authResult.success) {
       logger.warn(`[${requestId}] Unauthorized Outlook copy attempt: ${authResult.error}`)

apps/sim/app/api/tools/outlook/delete/route.ts

@@ -1,7 +1,7 @@
 import { createLogger } from '@sim/logger'
 import { type NextRequest, NextResponse } from 'next/server'
 import { z } from 'zod'
-import { checkHybridAuth } from '@/lib/auth/hybrid'
+import { checkInternalAuth } from '@/lib/auth/hybrid'
 import { generateRequestId } from '@/lib/core/utils/request'
 
 export const dynamic = 'force-dynamic'
@@ -17,7 +17,7 @@ export async function POST(request: NextRequest) {
   const requestId = generateRequestId()
 
   try {
-    const authResult = await checkHybridAuth(request, { requireWorkflowId: false })
+    const authResult = await checkInternalAuth(request, { requireWorkflowId: false })
 
     if (!authResult.success) {
       logger.warn(`[${requestId}] Unauthorized Outlook delete attempt: ${authResult.error}`)

apps/sim/app/api/tools/outlook/draft/route.ts

@@ -1,7 +1,7 @@
 import { createLogger } from '@sim/logger'
 import { type NextRequest, NextResponse } from 'next/server'
 import { z } from 'zod'
-import { checkHybridAuth } from '@/lib/auth/hybrid'
+import { checkInternalAuth } from '@/lib/auth/hybrid'
 import { generateRequestId } from '@/lib/core/utils/request'
 import { processFilesToUserFiles } from '@/lib/uploads/utils/file-utils'
 import { downloadFileFromStorage } from '@/lib/uploads/utils/file-utils.server'
@@ -25,7 +25,7 @@ export async function POST(request: NextRequest) {
   const requestId = generateRequestId()
 
   try {
-    const authResult = await checkHybridAuth(request, { requireWorkflowId: false })
+    const authResult = await checkInternalAuth(request, { requireWorkflowId: false })
 
     if (!authResult.success) {
       logger.warn(`[${requestId}] Unauthorized Outlook draft attempt: ${authResult.error}`)

apps/sim/app/api/tools/outlook/mark-read/route.ts

@@ -1,7 +1,7 @@
 import { createLogger } from '@sim/logger'
 import { type NextRequest, NextResponse } from 'next/server'
 import { z } from 'zod'
-import { checkHybridAuth } from '@/lib/auth/hybrid'
+import { checkInternalAuth } from '@/lib/auth/hybrid'
 import { generateRequestId } from '@/lib/core/utils/request'
 
 export const dynamic = 'force-dynamic'
@@ -17,7 +17,7 @@ export async function POST(request: NextRequest) {
   const requestId = generateRequestId()
 
   try {
-    const authResult = await checkHybridAuth(request, { requireWorkflowId: false })
+    const authResult = await checkInternalAuth(request, { requireWorkflowId: false })
 
     if (!authResult.success) {
       logger.warn(`[${requestId}] Unauthorized Outlook mark read attempt: ${authResult.error}`)

apps/sim/app/api/tools/outlook/mark-unread/route.ts

@@ -1,7 +1,7 @@
 import { createLogger } from '@sim/logger'
 import { type NextRequest, NextResponse } from 'next/server'
 import { z } from 'zod'
-import { checkHybridAuth } from '@/lib/auth/hybrid'
+import { checkInternalAuth } from '@/lib/auth/hybrid'
 import { generateRequestId } from '@/lib/core/utils/request'
 
 export const dynamic = 'force-dynamic'
@@ -17,7 +17,7 @@ export async function POST(request: NextRequest) {
   const requestId = generateRequestId()
 
   try {
-    const authResult = await checkHybridAuth(request, { requireWorkflowId: false })
+    const authResult = await checkInternalAuth(request, { requireWorkflowId: false })
 
     if (!authResult.success) {
       logger.warn(`[${requestId}] Unauthorized Outlook mark unread attempt: ${authResult.error}`)

apps/sim/app/api/tools/outlook/move/route.ts

@@ -1,7 +1,7 @@
 import { createLogger } from '@sim/logger'
 import { type NextRequest, NextResponse } from 'next/server'
 import { z } from 'zod'
-import { checkHybridAuth } from '@/lib/auth/hybrid'
+import { checkInternalAuth } from '@/lib/auth/hybrid'
 import { generateRequestId } from '@/lib/core/utils/request'
 
 export const dynamic = 'force-dynamic'
@@ -18,7 +18,7 @@ export async function POST(request: NextRequest) {
   const requestId = generateRequestId()
 
   try {
-    const authResult = await checkHybridAuth(request, { requireWorkflowId: false })
+    const authResult = await checkInternalAuth(request, { requireWorkflowId: false })
 
     if (!authResult.success) {
       logger.warn(`[${requestId}] Unauthorized Outlook move attempt: ${authResult.error}`)

apps/sim/app/api/tools/outlook/send/route.ts

@@ -1,7 +1,7 @@
 import { createLogger } from '@sim/logger'
 import { type NextRequest, NextResponse } from 'next/server'
 import { z } from 'zod'
-import { checkHybridAuth } from '@/lib/auth/hybrid'
+import { checkInternalAuth } from '@/lib/auth/hybrid'
 import { generateRequestId } from '@/lib/core/utils/request'
 import { processFilesToUserFiles } from '@/lib/uploads/utils/file-utils'
 import { downloadFileFromStorage } from '@/lib/uploads/utils/file-utils.server'
@@ -27,7 +27,7 @@ export async function POST(request: NextRequest) {
   const requestId = generateRequestId()
 
   try {
-    const authResult = await checkHybridAuth(request, { requireWorkflowId: false })
+    const authResult = await checkInternalAuth(request, { requireWorkflowId: false })
 
     if (!authResult.success) {
       logger.warn(`[${requestId}] Unauthorized Outlook send attempt: ${authResult.error}`)

apps/sim/app/api/tools/postgresql/delete/route.ts

@@ -2,7 +2,7 @@ import { randomUUID } from 'crypto'
 import { createLogger } from '@sim/logger'
 import { type NextRequest, NextResponse } from 'next/server'
 import { z } from 'zod'
-import { checkHybridAuth } from '@/lib/auth/hybrid'
+import { checkInternalAuth } from '@/lib/auth/hybrid'
 import { createPostgresConnection, executeDelete } from '@/app/api/tools/postgresql/utils'
 
 const logger = createLogger('PostgreSQLDeleteAPI')
@@ -22,7 +22,7 @@ export async function POST(request: NextRequest) {
   const requestId = randomUUID().slice(0, 8)
 
   try {
-    const auth = await checkHybridAuth(request)
+    const auth = await checkInternalAuth(request)
     if (!auth.success || !auth.userId) {
       logger.warn(`[${requestId}] Unauthorized PostgreSQL delete attempt`)
       return NextResponse.json({ error: auth.error || 'Unauthorized' }, { status: 401 })

apps/sim/app/api/tools/postgresql/execute/route.ts

@@ -2,7 +2,7 @@ import { randomUUID } from 'crypto'
 import { createLogger } from '@sim/logger'
 import { type NextRequest, NextResponse } from 'next/server'
 import { z } from 'zod'
-import { checkHybridAuth } from '@/lib/auth/hybrid'
+import { checkInternalAuth } from '@/lib/auth/hybrid'
 import {
   createPostgresConnection,
   executeQuery,
@@ -25,7 +25,7 @@ export async function POST(request: NextRequest) {
   const requestId = randomUUID().slice(0, 8)
 
   try {
-    const auth = await checkHybridAuth(request)
+    const auth = await checkInternalAuth(request)
     if (!auth.success || !auth.userId) {
       logger.warn(`[${requestId}] Unauthorized PostgreSQL execute attempt`)
       return NextResponse.json({ error: auth.error || 'Unauthorized' }, { status: 401 })

apps/sim/app/api/tools/postgresql/insert/route.ts

@@ -2,7 +2,7 @@ import { randomUUID } from 'crypto'
 import { createLogger } from '@sim/logger'
 import { type NextRequest, NextResponse } from 'next/server'
 import { z } from 'zod'
-import { checkHybridAuth } from '@/lib/auth/hybrid'
+import { checkInternalAuth } from '@/lib/auth/hybrid'
 import { createPostgresConnection, executeInsert } from '@/app/api/tools/postgresql/utils'
 
 const logger = createLogger('PostgreSQLInsertAPI')
@@ -43,7 +43,7 @@ export async function POST(request: NextRequest) {
   const requestId = randomUUID().slice(0, 8)
 
   try {
-    const auth = await checkHybridAuth(request)
+    const auth = await checkInternalAuth(request)
     if (!auth.success || !auth.userId) {
       logger.warn(`[${requestId}] Unauthorized PostgreSQL insert attempt`)
       return NextResponse.json({ error: auth.error || 'Unauthorized' }, { status: 401 })

apps/sim/app/api/tools/postgresql/introspect/route.ts

@@ -2,7 +2,7 @@ import { randomUUID } from 'crypto'
 import { createLogger } from '@sim/logger'
 import { type NextRequest, NextResponse } from 'next/server'
 import { z } from 'zod'
-import { checkHybridAuth } from '@/lib/auth/hybrid'
+import { checkInternalAuth } from '@/lib/auth/hybrid'
 import { createPostgresConnection, executeIntrospect } from '@/app/api/tools/postgresql/utils'
 
 const logger = createLogger('PostgreSQLIntrospectAPI')
@@ -21,7 +21,7 @@ export async function POST(request: NextRequest) {
   const requestId = randomUUID().slice(0, 8)
 
   try {
-    const auth = await checkHybridAuth(request)
+    const auth = await checkInternalAuth(request)
     if (!auth.success || !auth.userId) {
       logger.warn(`[${requestId}] Unauthorized PostgreSQL introspect attempt`)
       return NextResponse.json({ error: auth.error || 'Unauthorized' }, { status: 401 })

apps/sim/app/api/tools/postgresql/query/route.ts

@@ -2,7 +2,7 @@ import { randomUUID } from 'crypto'
 import { createLogger } from '@sim/logger'
 import { type NextRequest, NextResponse } from 'next/server'
 import { z } from 'zod'
-import { checkHybridAuth } from '@/lib/auth/hybrid'
+import { checkInternalAuth } from '@/lib/auth/hybrid'
 import { createPostgresConnection, executeQuery } from '@/app/api/tools/postgresql/utils'
 
 const logger = createLogger('PostgreSQLQueryAPI')
@@ -21,7 +21,7 @@ export async function POST(request: NextRequest) {
   const requestId = randomUUID().slice(0, 8)
 
   try {
-    const auth = await checkHybridAuth(request)
+    const auth = await checkInternalAuth(request)
     if (!auth.success || !auth.userId) {
       logger.warn(`[${requestId}] Unauthorized PostgreSQL query attempt`)
       return NextResponse.json({ error: auth.error || 'Unauthorized' }, { status: 401 })

apps/sim/app/api/tools/postgresql/update/route.ts

@@ -2,7 +2,7 @@ import { randomUUID } from 'crypto'
 import { createLogger } from '@sim/logger'
 import { type NextRequest, NextResponse } from 'next/server'
 import { z } from 'zod'
-import { checkHybridAuth } from '@/lib/auth/hybrid'
+import { checkInternalAuth } from '@/lib/auth/hybrid'
 import { createPostgresConnection, executeUpdate } from '@/app/api/tools/postgresql/utils'
 
 const logger = createLogger('PostgreSQLUpdateAPI')
@@ -41,7 +41,7 @@ export async function POST(request: NextRequest) {
   const requestId = randomUUID().slice(0, 8)
 
   try {
-    const auth = await checkHybridAuth(request)
+    const auth = await checkInternalAuth(request)
     if (!auth.success || !auth.userId) {
       logger.warn(`[${requestId}] Unauthorized PostgreSQL update attempt`)
       return NextResponse.json({ error: auth.error || 'Unauthorized' }, { status: 401 })

apps/sim/app/api/tools/pulse/parse/route.ts

@@ -1,7 +1,7 @@
 import { createLogger } from '@sim/logger'
 import { type NextRequest, NextResponse } from 'next/server'
 import { z } from 'zod'
-import { checkHybridAuth } from '@/lib/auth/hybrid'
+import { checkInternalAuth } from '@/lib/auth/hybrid'
 import { generateRequestId } from '@/lib/core/utils/request'
 import { getBaseUrl } from '@/lib/core/utils/urls'
 import { StorageService } from '@/lib/uploads'
@@ -31,7 +31,7 @@ export async function POST(request: NextRequest) {
   const requestId = generateRequestId()
 
   try {
-    const authResult = await checkHybridAuth(request, { requireWorkflowId: false })
+    const authResult = await checkInternalAuth(request, { requireWorkflowId: false })
 
     if (!authResult.success || !authResult.userId) {
       logger.warn(`[${requestId}] Unauthorized Pulse parse attempt`, {

apps/sim/app/api/tools/reducto/parse/route.ts

@@ -1,7 +1,7 @@
 import { createLogger } from '@sim/logger'
 import { type NextRequest, NextResponse } from 'next/server'
 import { z } from 'zod'
-import { checkHybridAuth } from '@/lib/auth/hybrid'
+import { checkInternalAuth } from '@/lib/auth/hybrid'
 import { generateRequestId } from '@/lib/core/utils/request'
 import { getBaseUrl } from '@/lib/core/utils/urls'
 import { StorageService } from '@/lib/uploads'
@@ -27,7 +27,7 @@ export async function POST(request: NextRequest) {
   const requestId = generateRequestId()
 
   try {
-    const authResult = await checkHybridAuth(request, { requireWorkflowId: false })
+    const authResult = await checkInternalAuth(request, { requireWorkflowId: false })
 
     if (!authResult.success || !authResult.userId) {
       logger.warn(`[${requestId}] Unauthorized Reducto parse attempt`, {

apps/sim/app/api/tools/s3/copy-object/route.ts

@@ -2,7 +2,7 @@ import { CopyObjectCommand, type ObjectCannedACL, S3Client } from '@aws-sdk/clie
 import { createLogger } from '@sim/logger'
 import { type NextRequest, NextResponse } from 'next/server'
 import { z } from 'zod'
-import { checkHybridAuth } from '@/lib/auth/hybrid'
+import { checkInternalAuth } from '@/lib/auth/hybrid'
 import { generateRequestId } from '@/lib/core/utils/request'
 
 export const dynamic = 'force-dynamic'
@@ -24,7 +24,7 @@ export async function POST(request: NextRequest) {
   const requestId = generateRequestId()
 
   try {
-    const authResult = await checkHybridAuth(request, { requireWorkflowId: false })
+    const authResult = await checkInternalAuth(request, { requireWorkflowId: false })
 
     if (!authResult.success) {
       logger.warn(`[${requestId}] Unauthorized S3 copy object attempt: ${authResult.error}`)

apps/sim/app/api/tools/s3/delete-object/route.ts

@@ -2,7 +2,7 @@ import { DeleteObjectCommand, S3Client } from '@aws-sdk/client-s3'
 import { createLogger } from '@sim/logger'
 import { type NextRequest, NextResponse } from 'next/server'
 import { z } from 'zod'
-import { checkHybridAuth } from '@/lib/auth/hybrid'
+import { checkInternalAuth } from '@/lib/auth/hybrid'
 import { generateRequestId } from '@/lib/core/utils/request'
 
 export const dynamic = 'force-dynamic'
@@ -21,7 +21,7 @@ export async function POST(request: NextRequest) {
   const requestId = generateRequestId()
 
   try {
-    const authResult = await checkHybridAuth(request, { requireWorkflowId: false })
+    const authResult = await checkInternalAuth(request, { requireWorkflowId: false })
 
     if (!authResult.success) {
       logger.warn(`[${requestId}] Unauthorized S3 delete object attempt: ${authResult.error}`)

apps/sim/app/api/tools/s3/list-objects/route.ts

@@ -2,7 +2,7 @@ import { ListObjectsV2Command, S3Client } from '@aws-sdk/client-s3'
 import { createLogger } from '@sim/logger'
 import { type NextRequest, NextResponse } from 'next/server'
 import { z } from 'zod'
-import { checkHybridAuth } from '@/lib/auth/hybrid'
+import { checkInternalAuth } from '@/lib/auth/hybrid'
 import { generateRequestId } from '@/lib/core/utils/request'
 
 export const dynamic = 'force-dynamic'
@@ -23,7 +23,7 @@ export async function POST(request: NextRequest) {
   const requestId = generateRequestId()
 
   try {
-    const authResult = await checkHybridAuth(request, { requireWorkflowId: false })
+    const authResult = await checkInternalAuth(request, { requireWorkflowId: false })
 
     if (!authResult.success) {
       logger.warn(`[${requestId}] Unauthorized S3 list objects attempt: ${authResult.error}`)

apps/sim/app/api/tools/s3/put-object/route.ts

@@ -2,7 +2,7 @@ import { type ObjectCannedACL, PutObjectCommand, S3Client } from '@aws-sdk/clien
 import { createLogger } from '@sim/logger'
 import { type NextRequest, NextResponse } from 'next/server'
 import { z } from 'zod'
-import { checkHybridAuth } from '@/lib/auth/hybrid'
+import { checkInternalAuth } from '@/lib/auth/hybrid'
 import { generateRequestId } from '@/lib/core/utils/request'
 import { processSingleFileToUserFile } from '@/lib/uploads/utils/file-utils'
 import { downloadFileFromStorage } from '@/lib/uploads/utils/file-utils.server'
@@ -27,7 +27,7 @@ export async function POST(request: NextRequest) {
   const requestId = generateRequestId()
 
   try {
-    const authResult = await checkHybridAuth(request, { requireWorkflowId: false })
+    const authResult = await checkInternalAuth(request, { requireWorkflowId: false })
 
     if (!authResult.success) {
       logger.warn(`[${requestId}] Unauthorized S3 put object attempt: ${authResult.error}`)

apps/sim/app/api/tools/search/route.ts

@@ -1,7 +1,7 @@
 import { createLogger } from '@sim/logger'
 import { type NextRequest, NextResponse } from 'next/server'
 import { z } from 'zod'
-import { checkHybridAuth } from '@/lib/auth/hybrid'
+import { checkInternalAuth } from '@/lib/auth/hybrid'
 import { SEARCH_TOOL_COST } from '@/lib/billing/constants'
 import { env } from '@/lib/core/config/env'
 import { executeTool } from '@/tools'
@@ -22,7 +22,7 @@ export async function POST(request: NextRequest) {
     const { searchParams: urlParams } = new URL(request.url)
     const workflowId = urlParams.get('workflowId') || undefined
 
-    const authResult = await checkHybridAuth(request, { requireWorkflowId: false })
+    const authResult = await checkInternalAuth(request, { requireWorkflowId: false })
 
     if (!authResult.success || !authResult.userId) {
       const errorMessage = workflowId ? 'Workflow not found' : authResult.error || 'Unauthorized'

apps/sim/app/api/tools/sftp/delete/route.ts

@@ -2,7 +2,7 @@ import { createLogger } from '@sim/logger'
 import { type NextRequest, NextResponse } from 'next/server'
 import type { SFTPWrapper } from 'ssh2'
 import { z } from 'zod'
-import { checkHybridAuth } from '@/lib/auth/hybrid'
+import { checkInternalAuth } from '@/lib/auth/hybrid'
 import { generateRequestId } from '@/lib/core/utils/request'
 import {
   createSftpConnection,
@@ -72,7 +72,7 @@ export async function POST(request: NextRequest) {
   const requestId = generateRequestId()
 
   try {
-    const authResult = await checkHybridAuth(request, { requireWorkflowId: false })
+    const authResult = await checkInternalAuth(request, { requireWorkflowId: false })
 
     if (!authResult.success) {
       logger.warn(`[${requestId}] Unauthorized SFTP delete attempt: ${authResult.error}`)

apps/sim/app/api/tools/sftp/download/route.ts

@@ -2,7 +2,7 @@ import path from 'path'
 import { createLogger } from '@sim/logger'
 import { type NextRequest, NextResponse } from 'next/server'
 import { z } from 'zod'
-import { checkHybridAuth } from '@/lib/auth/hybrid'
+import { checkInternalAuth } from '@/lib/auth/hybrid'
 import { generateRequestId } from '@/lib/core/utils/request'
 import { createSftpConnection, getSftp, isPathSafe, sanitizePath } from '@/app/api/tools/sftp/utils'
 
@@ -25,7 +25,7 @@ export async function POST(request: NextRequest) {
   const requestId = generateRequestId()
 
   try {
-    const authResult = await checkHybridAuth(request, { requireWorkflowId: false })
+    const authResult = await checkInternalAuth(request, { requireWorkflowId: false })
 
     if (!authResult.success) {
       logger.warn(`[${requestId}] Unauthorized SFTP download attempt: ${authResult.error}`)

apps/sim/app/api/tools/sftp/list/route.ts

@@ -1,7 +1,7 @@
 import { createLogger } from '@sim/logger'
 import { type NextRequest, NextResponse } from 'next/server'
 import { z } from 'zod'
-import { checkHybridAuth } from '@/lib/auth/hybrid'
+import { checkInternalAuth } from '@/lib/auth/hybrid'
 import { generateRequestId } from '@/lib/core/utils/request'
 import {
   createSftpConnection,
@@ -31,7 +31,7 @@ export async function POST(request: NextRequest) {
   const requestId = generateRequestId()
 
   try {
-    const authResult = await checkHybridAuth(request, { requireWorkflowId: false })
+    const authResult = await checkInternalAuth(request, { requireWorkflowId: false })
 
     if (!authResult.success) {
       logger.warn(`[${requestId}] Unauthorized SFTP list attempt: ${authResult.error}`)

apps/sim/app/api/tools/sftp/mkdir/route.ts

@@ -2,7 +2,7 @@ import { createLogger } from '@sim/logger'
 import { type NextRequest, NextResponse } from 'next/server'
 import type { SFTPWrapper } from 'ssh2'
 import { z } from 'zod'
-import { checkHybridAuth } from '@/lib/auth/hybrid'
+import { checkInternalAuth } from '@/lib/auth/hybrid'
 import { generateRequestId } from '@/lib/core/utils/request'
 import {
   createSftpConnection,
@@ -60,7 +60,7 @@ export async function POST(request: NextRequest) {
   const requestId = generateRequestId()
 
   try {
-    const authResult = await checkHybridAuth(request, { requireWorkflowId: false })
+    const authResult = await checkInternalAuth(request, { requireWorkflowId: false })
 
     if (!authResult.success) {
       logger.warn(`[${requestId}] Unauthorized SFTP mkdir attempt: ${authResult.error}`)

apps/sim/app/api/tools/sftp/upload/route.ts

@@ -1,7 +1,7 @@
 import { createLogger } from '@sim/logger'
 import { type NextRequest, NextResponse } from 'next/server'
 import { z } from 'zod'
-import { checkHybridAuth } from '@/lib/auth/hybrid'
+import { checkInternalAuth } from '@/lib/auth/hybrid'
 import { generateRequestId } from '@/lib/core/utils/request'
 import { processFilesToUserFiles } from '@/lib/uploads/utils/file-utils'
 import { downloadFileFromStorage } from '@/lib/uploads/utils/file-utils.server'
@@ -44,7 +44,7 @@ export async function POST(request: NextRequest) {
   const requestId = generateRequestId()
 
   try {
-    const authResult = await checkHybridAuth(request, { requireWorkflowId: false })
+    const authResult = await checkInternalAuth(request, { requireWorkflowId: false })
 
     if (!authResult.success) {
       logger.warn(`[${requestId}] Unauthorized SFTP upload attempt: ${authResult.error}`)

apps/sim/app/api/tools/sharepoint/upload/route.ts

@@ -1,7 +1,7 @@
 import { createLogger } from '@sim/logger'
 import { type NextRequest, NextResponse } from 'next/server'
 import { z } from 'zod'
-import { checkHybridAuth } from '@/lib/auth/hybrid'
+import { checkInternalAuth } from '@/lib/auth/hybrid'
 import { generateRequestId } from '@/lib/core/utils/request'
 import { processFilesToUserFiles } from '@/lib/uploads/utils/file-utils'
 import { downloadFileFromStorage } from '@/lib/uploads/utils/file-utils.server'
@@ -23,7 +23,7 @@ export async function POST(request: NextRequest) {
   const requestId = generateRequestId()
 
   try {
-    const authResult = await checkHybridAuth(request, { requireWorkflowId: false })
+    const authResult = await checkInternalAuth(request, { requireWorkflowId: false })
 
     if (!authResult.success) {
       logger.warn(`[${requestId}] Unauthorized SharePoint upload attempt: ${authResult.error}`)

apps/sim/app/api/tools/slack/add-reaction/route.ts

@@ -1,6 +1,6 @@
 import { type NextRequest, NextResponse } from 'next/server'
 import { z } from 'zod'
-import { checkHybridAuth } from '@/lib/auth/hybrid'
+import { checkInternalAuth } from '@/lib/auth/hybrid'
 
 export const dynamic = 'force-dynamic'
 
@@ -13,7 +13,7 @@ const SlackAddReactionSchema = z.object({
 
 export async function POST(request: NextRequest) {
   try {
-    const authResult = await checkHybridAuth(request, { requireWorkflowId: false })
+    const authResult = await checkInternalAuth(request, { requireWorkflowId: false })
 
     if (!authResult.success) {
       return NextResponse.json(

apps/sim/app/api/tools/slack/delete-message/route.ts

@@ -1,6 +1,6 @@
 import { type NextRequest, NextResponse } from 'next/server'
 import { z } from 'zod'
-import { checkHybridAuth } from '@/lib/auth/hybrid'
+import { checkInternalAuth } from '@/lib/auth/hybrid'
 
 export const dynamic = 'force-dynamic'
 
@@ -12,7 +12,7 @@ const SlackDeleteMessageSchema = z.object({
 
 export async function POST(request: NextRequest) {
   try {
-    const authResult = await checkHybridAuth(request, { requireWorkflowId: false })
+    const authResult = await checkInternalAuth(request, { requireWorkflowId: false })
 
     if (!authResult.success) {
       return NextResponse.json(

apps/sim/app/api/tools/slack/read-messages/route.ts

@@ -1,7 +1,7 @@
 import { createLogger } from '@sim/logger'
 import { type NextRequest, NextResponse } from 'next/server'
 import { z } from 'zod'
-import { checkHybridAuth } from '@/lib/auth/hybrid'
+import { checkInternalAuth } from '@/lib/auth/hybrid'
 import { generateRequestId } from '@/lib/core/utils/request'
 import { openDMChannel } from '../utils'
 
@@ -31,7 +31,7 @@ export async function POST(request: NextRequest) {
   const requestId = generateRequestId()
 
   try {
-    const authResult = await checkHybridAuth(request, { requireWorkflowId: false })
+    const authResult = await checkInternalAuth(request, { requireWorkflowId: false })
 
     if (!authResult.success) {
       logger.warn(`[${requestId}] Unauthorized Slack read messages attempt: ${authResult.error}`)

apps/sim/app/api/tools/slack/send-message/route.ts

@@ -1,7 +1,7 @@
 import { createLogger } from '@sim/logger'
 import { type NextRequest, NextResponse } from 'next/server'
 import { z } from 'zod'
-import { checkHybridAuth } from '@/lib/auth/hybrid'
+import { checkInternalAuth } from '@/lib/auth/hybrid'
 import { generateRequestId } from '@/lib/core/utils/request'
 import { sendSlackMessage } from '../utils'
 
@@ -26,7 +26,7 @@ export async function POST(request: NextRequest) {
   const requestId = generateRequestId()
 
   try {
-    const authResult = await checkHybridAuth(request, { requireWorkflowId: false })
+    const authResult = await checkInternalAuth(request, { requireWorkflowId: false })
 
     if (!authResult.success) {
       logger.warn(`[${requestId}] Unauthorized Slack send attempt: ${authResult.error}`)

apps/sim/app/api/tools/slack/update-message/route.ts

@@ -1,7 +1,7 @@
 import { createLogger } from '@sim/logger'
 import { type NextRequest, NextResponse } from 'next/server'
 import { z } from 'zod'
-import { checkHybridAuth } from '@/lib/auth/hybrid'
+import { checkInternalAuth } from '@/lib/auth/hybrid'
 import { generateRequestId } from '@/lib/core/utils/request'
 
 export const dynamic = 'force-dynamic'
@@ -19,7 +19,7 @@ export async function POST(request: NextRequest) {
   const requestId = generateRequestId()
 
   try {
-    const authResult = await checkHybridAuth(request, { requireWorkflowId: false })
+    const authResult = await checkInternalAuth(request, { requireWorkflowId: false })
 
     if (!authResult.success) {
       logger.warn(`[${requestId}] Unauthorized Slack update message attempt: ${authResult.error}`)

apps/sim/app/api/tools/sms/send/route.ts

@@ -1,7 +1,7 @@
 import { createLogger } from '@sim/logger'
 import { type NextRequest, NextResponse } from 'next/server'
 import { z } from 'zod'
-import { checkHybridAuth } from '@/lib/auth/hybrid'
+import { checkInternalAuth } from '@/lib/auth/hybrid'
 import { env } from '@/lib/core/config/env'
 import { generateRequestId } from '@/lib/core/utils/request'
 import { type SMSOptions, sendSMS } from '@/lib/messaging/sms/service'
@@ -19,7 +19,7 @@ export async function POST(request: NextRequest) {
   const requestId = generateRequestId()
 
   try {
-    const authResult = await checkHybridAuth(request, { requireWorkflowId: false })
+    const authResult = await checkInternalAuth(request, { requireWorkflowId: false })
 
     if (!authResult.success) {
       logger.warn(`[${requestId}] Unauthorized SMS send attempt: ${authResult.error}`)

apps/sim/app/api/tools/smtp/send/route.ts

@@ -2,7 +2,7 @@ import { createLogger } from '@sim/logger'
 import { type NextRequest, NextResponse } from 'next/server'
 import nodemailer from 'nodemailer'
 import { z } from 'zod'
-import { checkHybridAuth } from '@/lib/auth/hybrid'
+import { checkInternalAuth } from '@/lib/auth/hybrid'
 import { generateRequestId } from '@/lib/core/utils/request'
 import { processFilesToUserFiles } from '@/lib/uploads/utils/file-utils'
 import { downloadFileFromStorage } from '@/lib/uploads/utils/file-utils.server'
@@ -35,7 +35,7 @@ export async function POST(request: NextRequest) {
   const requestId = generateRequestId()
 
   try {
-    const authResult = await checkHybridAuth(request, { requireWorkflowId: false })
+    const authResult = await checkInternalAuth(request, { requireWorkflowId: false })
 
     if (!authResult.success) {
       logger.warn(`[${requestId}] Unauthorized SMTP send attempt: ${authResult.error}`)

apps/sim/app/api/tools/ssh/check-command-exists/route.ts

@@ -2,7 +2,7 @@ import { randomUUID } from 'crypto'
 import { createLogger } from '@sim/logger'
 import { type NextRequest, NextResponse } from 'next/server'
 import { z } from 'zod'
-import { checkHybridAuth } from '@/lib/auth/hybrid'
+import { checkInternalAuth } from '@/lib/auth/hybrid'
 import { createSSHConnection, escapeShellArg, executeSSHCommand } from '@/app/api/tools/ssh/utils'
 
 const logger = createLogger('SSHCheckCommandExistsAPI')
@@ -21,7 +21,7 @@ export async function POST(request: NextRequest) {
   const requestId = randomUUID().slice(0, 8)
 
   try {
-    const auth = await checkHybridAuth(request)
+    const auth = await checkInternalAuth(request)
     if (!auth.success || !auth.userId) {
       logger.warn(`[${requestId}] Unauthorized SSH check command exists attempt`)
       return NextResponse.json({ error: auth.error || 'Unauthorized' }, { status: 401 })

apps/sim/app/api/tools/ssh/check-file-exists/route.ts

@@ -3,7 +3,7 @@ import { createLogger } from '@sim/logger'
 import { type NextRequest, NextResponse } from 'next/server'
 import type { Client, SFTPWrapper, Stats } from 'ssh2'
 import { z } from 'zod'
-import { checkHybridAuth } from '@/lib/auth/hybrid'
+import { checkInternalAuth } from '@/lib/auth/hybrid'
 import {
   createSSHConnection,
   getFileType,
@@ -40,7 +40,7 @@ export async function POST(request: NextRequest) {
   const requestId = randomUUID().slice(0, 8)
 
   try {
-    const auth = await checkHybridAuth(request)
+    const auth = await checkInternalAuth(request)
     if (!auth.success || !auth.userId) {
       logger.warn(`[${requestId}] Unauthorized SSH check file exists attempt`)
       return NextResponse.json({ error: auth.error || 'Unauthorized' }, { status: 401 })

apps/sim/app/api/tools/ssh/create-directory/route.ts

@@ -2,7 +2,7 @@ import { randomUUID } from 'crypto'
 import { createLogger } from '@sim/logger'
 import { type NextRequest, NextResponse } from 'next/server'
 import { z } from 'zod'
-import { checkHybridAuth } from '@/lib/auth/hybrid'
+import { checkInternalAuth } from '@/lib/auth/hybrid'
 import {
   createSSHConnection,
   escapeShellArg,
@@ -28,7 +28,7 @@ export async function POST(request: NextRequest) {
   const requestId = randomUUID().slice(0, 8)
 
   try {
-    const auth = await checkHybridAuth(request)
+    const auth = await checkInternalAuth(request)
     if (!auth.success || !auth.userId) {
       logger.warn(`[${requestId}] Unauthorized SSH create directory attempt`)
       return NextResponse.json({ error: auth.error || 'Unauthorized' }, { status: 401 })

apps/sim/app/api/tools/ssh/delete-file/route.ts

@@ -2,7 +2,7 @@ import { randomUUID } from 'crypto'
 import { createLogger } from '@sim/logger'
 import { type NextRequest, NextResponse } from 'next/server'
 import { z } from 'zod'
-import { checkHybridAuth } from '@/lib/auth/hybrid'
+import { checkInternalAuth } from '@/lib/auth/hybrid'
 import {
   createSSHConnection,
   escapeShellArg,
@@ -28,7 +28,7 @@ export async function POST(request: NextRequest) {
   const requestId = randomUUID().slice(0, 8)
 
   try {
-    const auth = await checkHybridAuth(request)
+    const auth = await checkInternalAuth(request)
     if (!auth.success || !auth.userId) {
       logger.warn(`[${requestId}] Unauthorized SSH delete file attempt`)
       return NextResponse.json({ error: auth.error || 'Unauthorized' }, { status: 401 })

apps/sim/app/api/tools/ssh/download-file/route.ts

@@ -4,7 +4,7 @@ import { createLogger } from '@sim/logger'
 import { type NextRequest, NextResponse } from 'next/server'
 import type { Client, SFTPWrapper } from 'ssh2'
 import { z } from 'zod'
-import { checkHybridAuth } from '@/lib/auth/hybrid'
+import { checkInternalAuth } from '@/lib/auth/hybrid'
 import { createSSHConnection, sanitizePath } from '@/app/api/tools/ssh/utils'
 
 const logger = createLogger('SSHDownloadFileAPI')
@@ -35,7 +35,7 @@ export async function POST(request: NextRequest) {
   const requestId = randomUUID().slice(0, 8)
 
   try {
-    const auth = await checkHybridAuth(request)
+    const auth = await checkInternalAuth(request)
     if (!auth.success || !auth.userId) {
       logger.warn(`[${requestId}] Unauthorized SSH download file attempt`)
       return NextResponse.json({ error: auth.error || 'Unauthorized' }, { status: 401 })

apps/sim/app/api/tools/ssh/execute-command/route.ts

@@ -2,7 +2,7 @@ import { randomUUID } from 'crypto'
 import { createLogger } from '@sim/logger'
 import { type NextRequest, NextResponse } from 'next/server'
 import { z } from 'zod'
-import { checkHybridAuth } from '@/lib/auth/hybrid'
+import { checkInternalAuth } from '@/lib/auth/hybrid'
 import { createSSHConnection, executeSSHCommand, sanitizeCommand } from '@/app/api/tools/ssh/utils'
 
 const logger = createLogger('SSHExecuteCommandAPI')
@@ -22,7 +22,7 @@ export async function POST(request: NextRequest) {
   const requestId = randomUUID().slice(0, 8)
 
   try {
-    const auth = await checkHybridAuth(request)
+    const auth = await checkInternalAuth(request)
     if (!auth.success || !auth.userId) {
       logger.warn(`[${requestId}] Unauthorized SSH execute command attempt`)
       return NextResponse.json({ error: auth.error || 'Unauthorized' }, { status: 401 })

apps/sim/app/api/tools/ssh/execute-script/route.ts

@@ -2,7 +2,7 @@ import { randomUUID } from 'crypto'
 import { createLogger } from '@sim/logger'
 import { type NextRequest, NextResponse } from 'next/server'
 import { z } from 'zod'
-import { checkHybridAuth } from '@/lib/auth/hybrid'
+import { checkInternalAuth } from '@/lib/auth/hybrid'
 import { createSSHConnection, escapeShellArg, executeSSHCommand } from '@/app/api/tools/ssh/utils'
 
 const logger = createLogger('SSHExecuteScriptAPI')
@@ -23,7 +23,7 @@ export async function POST(request: NextRequest) {
   const requestId = randomUUID().slice(0, 8)
 
   try {
-    const auth = await checkHybridAuth(request)
+    const auth = await checkInternalAuth(request)
     if (!auth.success || !auth.userId) {
       logger.warn(`[${requestId}] Unauthorized SSH execute script attempt`)
       return NextResponse.json({ error: auth.error || 'Unauthorized' }, { status: 401 })

apps/sim/app/api/tools/ssh/get-system-info/route.ts

@@ -2,7 +2,7 @@ import { randomUUID } from 'crypto'
 import { createLogger } from '@sim/logger'
 import { type NextRequest, NextResponse } from 'next/server'
 import { z } from 'zod'
-import { checkHybridAuth } from '@/lib/auth/hybrid'
+import { checkInternalAuth } from '@/lib/auth/hybrid'
 import { createSSHConnection, executeSSHCommand } from '@/app/api/tools/ssh/utils'
 
 const logger = createLogger('SSHGetSystemInfoAPI')
@@ -20,7 +20,7 @@ export async function POST(request: NextRequest) {
   const requestId = randomUUID().slice(0, 8)
 
   try {
-    const auth = await checkHybridAuth(request)
+    const auth = await checkInternalAuth(request)
     if (!auth.success || !auth.userId) {
       logger.warn(`[${requestId}] Unauthorized SSH get system info attempt`)
       return NextResponse.json({ error: auth.error || 'Unauthorized' }, { status: 401 })

apps/sim/app/api/tools/ssh/list-directory/route.ts

@@ -3,7 +3,7 @@ import { createLogger } from '@sim/logger'
 import { type NextRequest, NextResponse } from 'next/server'
 import type { Client, FileEntry, SFTPWrapper } from 'ssh2'
 import { z } from 'zod'
-import { checkHybridAuth } from '@/lib/auth/hybrid'
+import { checkInternalAuth } from '@/lib/auth/hybrid'
 import {
   createSSHConnection,
   getFileType,
@@ -61,7 +61,7 @@ export async function POST(request: NextRequest) {
   const requestId = randomUUID().slice(0, 8)
 
   try {
-    const auth = await checkHybridAuth(request)
+    const auth = await checkInternalAuth(request)
     if (!auth.success || !auth.userId) {
       logger.warn(`[${requestId}] Unauthorized SSH list directory attempt`)
       return NextResponse.json({ error: auth.error || 'Unauthorized' }, { status: 401 })

apps/sim/app/api/tools/ssh/move-rename/route.ts

@@ -2,7 +2,7 @@ import { randomUUID } from 'crypto'
 import { createLogger } from '@sim/logger'
 import { type NextRequest, NextResponse } from 'next/server'
 import { z } from 'zod'
-import { checkHybridAuth } from '@/lib/auth/hybrid'
+import { checkInternalAuth } from '@/lib/auth/hybrid'
 import {
   createSSHConnection,
   escapeShellArg,
@@ -28,7 +28,7 @@ export async function POST(request: NextRequest) {
   const requestId = randomUUID().slice(0, 8)
 
   try {
-    const auth = await checkHybridAuth(request)
+    const auth = await checkInternalAuth(request)
     if (!auth.success || !auth.userId) {
       logger.warn(`[${requestId}] Unauthorized SSH move/rename attempt`)
       return NextResponse.json({ error: auth.error || 'Unauthorized' }, { status: 401 })

apps/sim/app/api/tools/ssh/read-file-content/route.ts

@@ -3,7 +3,7 @@ import { createLogger } from '@sim/logger'
 import { type NextRequest, NextResponse } from 'next/server'
 import type { Client, SFTPWrapper } from 'ssh2'
 import { z } from 'zod'
-import { checkHybridAuth } from '@/lib/auth/hybrid'
+import { checkInternalAuth } from '@/lib/auth/hybrid'
 import { createSSHConnection, sanitizePath } from '@/app/api/tools/ssh/utils'
 
 const logger = createLogger('SSHReadFileContentAPI')
@@ -36,7 +36,7 @@ export async function POST(request: NextRequest) {
   const requestId = randomUUID().slice(0, 8)
 
   try {
-    const auth = await checkHybridAuth(request)
+    const auth = await checkInternalAuth(request)
     if (!auth.success || !auth.userId) {
       logger.warn(`[${requestId}] Unauthorized SSH read file content attempt`)
       return NextResponse.json({ error: auth.error || 'Unauthorized' }, { status: 401 })

apps/sim/app/api/tools/ssh/upload-file/route.ts

@@ -3,7 +3,7 @@ import { createLogger } from '@sim/logger'
 import { type NextRequest, NextResponse } from 'next/server'
 import type { Client, SFTPWrapper } from 'ssh2'
 import { z } from 'zod'
-import { checkHybridAuth } from '@/lib/auth/hybrid'
+import { checkInternalAuth } from '@/lib/auth/hybrid'
 import { createSSHConnection, sanitizePath } from '@/app/api/tools/ssh/utils'
 
 const logger = createLogger('SSHUploadFileAPI')
@@ -38,7 +38,7 @@ export async function POST(request: NextRequest) {
   const requestId = randomUUID().slice(0, 8)
 
   try {
-    const auth = await checkHybridAuth(request)
+    const auth = await checkInternalAuth(request)
     if (!auth.success || !auth.userId) {
       logger.warn(`[${requestId}] Unauthorized SSH upload file attempt`)
       return NextResponse.json({ error: auth.error || 'Unauthorized' }, { status: 401 })

apps/sim/app/api/tools/ssh/write-file-content/route.ts

@@ -3,7 +3,7 @@ import { createLogger } from '@sim/logger'
 import { type NextRequest, NextResponse } from 'next/server'
 import type { Client, SFTPWrapper } from 'ssh2'
 import { z } from 'zod'
-import { checkHybridAuth } from '@/lib/auth/hybrid'
+import { checkInternalAuth } from '@/lib/auth/hybrid'
 import { createSSHConnection, sanitizePath } from '@/app/api/tools/ssh/utils'
 
 const logger = createLogger('SSHWriteFileContentAPI')
@@ -37,7 +37,7 @@ export async function POST(request: NextRequest) {
   const requestId = randomUUID().slice(0, 8)
 
   try {
-    const auth = await checkHybridAuth(request)
+    const auth = await checkInternalAuth(request)
     if (!auth.success || !auth.userId) {
       logger.warn(`[${requestId}] Unauthorized SSH write file content attempt`)
       return NextResponse.json({ error: auth.error || 'Unauthorized' }, { status: 401 })

apps/sim/app/api/tools/stt/route.ts

@@ -1,7 +1,7 @@
 import { createLogger } from '@sim/logger'
 import { type NextRequest, NextResponse } from 'next/server'
 import { extractAudioFromVideo, isVideoFile } from '@/lib/audio/extractor'
-import { checkHybridAuth } from '@/lib/auth/hybrid'
+import { checkInternalAuth } from '@/lib/auth/hybrid'
 import { downloadFileFromStorage } from '@/lib/uploads/utils/file-utils.server'
 import type { UserFile } from '@/executor/types'
 import type { TranscriptSegment } from '@/tools/stt/types'
@@ -40,7 +40,7 @@ export async function POST(request: NextRequest) {
   logger.info(`[${requestId}] STT transcription request started`)
 
   try {
-    const authResult = await checkHybridAuth(request, { requireWorkflowId: false })
+    const authResult = await checkInternalAuth(request, { requireWorkflowId: false })
     if (!authResult.success) {
       return NextResponse.json({ error: 'Unauthorized' }, { status: 401 })
     }

apps/sim/app/api/tools/telegram/send-document/route.ts

@@ -1,7 +1,7 @@
 import { createLogger } from '@sim/logger'
 import { type NextRequest, NextResponse } from 'next/server'
 import { z } from 'zod'
-import { checkHybridAuth } from '@/lib/auth/hybrid'
+import { checkInternalAuth } from '@/lib/auth/hybrid'
 import { generateRequestId } from '@/lib/core/utils/request'
 import { processFilesToUserFiles } from '@/lib/uploads/utils/file-utils'
 import { downloadFileFromStorage } from '@/lib/uploads/utils/file-utils.server'
@@ -22,7 +22,7 @@ export async function POST(request: NextRequest) {
   const requestId = generateRequestId()
 
   try {
-    const authResult = await checkHybridAuth(request, {
+    const authResult = await checkInternalAuth(request, {
       requireWorkflowId: false,
     })
 

apps/sim/app/api/tools/textract/parse/route.ts

@@ -2,7 +2,7 @@ import crypto from 'crypto'
 import { createLogger } from '@sim/logger'
 import { type NextRequest, NextResponse } from 'next/server'
 import { z } from 'zod'
-import { checkHybridAuth } from '@/lib/auth/hybrid'
+import { checkInternalAuth } from '@/lib/auth/hybrid'
 import {
   validateAwsRegion,
   validateExternalUrl,
@@ -292,7 +292,7 @@ export async function POST(request: NextRequest) {
   const requestId = generateRequestId()
 
   try {
-    const authResult = await checkHybridAuth(request, { requireWorkflowId: false })
+    const authResult = await checkInternalAuth(request, { requireWorkflowId: false })
 
     if (!authResult.success || !authResult.userId) {
       logger.warn(`[${requestId}] Unauthorized Textract parse attempt`, {

apps/sim/app/api/tools/tts/route.ts

@@ -1,7 +1,7 @@
 import { createLogger } from '@sim/logger'
 import type { NextRequest } from 'next/server'
 import { NextResponse } from 'next/server'
-import { checkHybridAuth } from '@/lib/auth/hybrid'
+import { checkInternalAuth } from '@/lib/auth/hybrid'
 import { validateAlphanumericId } from '@/lib/core/security/input-validation'
 import { getBaseUrl } from '@/lib/core/utils/urls'
 import { StorageService } from '@/lib/uploads'
@@ -10,7 +10,7 @@ const logger = createLogger('ProxyTTSAPI')
 
 export async function POST(request: NextRequest) {
   try {
-    const authResult = await checkHybridAuth(request, { requireWorkflowId: false })
+    const authResult = await checkInternalAuth(request, { requireWorkflowId: false })
     if (!authResult.success) {
       logger.error('Authentication failed for TTS proxy:', authResult.error)
       return NextResponse.json({ error: 'Unauthorized' }, { status: 401 })

apps/sim/app/api/tools/tts/unified/route.ts

@@ -1,7 +1,7 @@
 import { createLogger } from '@sim/logger'
 import type { NextRequest } from 'next/server'
 import { NextResponse } from 'next/server'
-import { checkHybridAuth } from '@/lib/auth/hybrid'
+import { checkInternalAuth } from '@/lib/auth/hybrid'
 import { validateAlphanumericId } from '@/lib/core/security/input-validation'
 import { getBaseUrl } from '@/lib/core/utils/urls'
 import { StorageService } from '@/lib/uploads'
@@ -87,7 +87,7 @@ export async function POST(request: NextRequest) {
   logger.info(`[${requestId}] TTS unified request started`)
 
   try {
-    const authResult = await checkHybridAuth(request, { requireWorkflowId: false })
+    const authResult = await checkInternalAuth(request, { requireWorkflowId: false })
     if (!authResult.success) {
       logger.error('Authentication failed for TTS unified proxy:', authResult.error)
       return NextResponse.json({ error: 'Unauthorized' }, { status: 401 })

apps/sim/app/api/tools/video/route.ts

@@ -1,6 +1,6 @@
 import { createLogger } from '@sim/logger'
 import { type NextRequest, NextResponse } from 'next/server'
-import { checkHybridAuth } from '@/lib/auth/hybrid'
+import { checkInternalAuth } from '@/lib/auth/hybrid'
 import { downloadFileFromStorage } from '@/lib/uploads/utils/file-utils.server'
 import type { UserFile } from '@/executor/types'
 import type { VideoRequestBody } from '@/tools/video/types'
@@ -15,7 +15,7 @@ export async function POST(request: NextRequest) {
   logger.info(`[${requestId}] Video generation request started`)
 
   try {
-    const authResult = await checkHybridAuth(request, { requireWorkflowId: false })
+    const authResult = await checkInternalAuth(request, { requireWorkflowId: false })
     if (!authResult.success) {
       return NextResponse.json({ error: 'Unauthorized' }, { status: 401 })
     }

apps/sim/app/api/tools/vision/analyze/route.ts

@@ -1,7 +1,7 @@
 import { createLogger } from '@sim/logger'
 import { type NextRequest, NextResponse } from 'next/server'
 import { z } from 'zod'
-import { checkHybridAuth } from '@/lib/auth/hybrid'
+import { checkInternalAuth } from '@/lib/auth/hybrid'
 import { generateRequestId } from '@/lib/core/utils/request'
 import { processSingleFileToUserFile } from '@/lib/uploads/utils/file-utils'
 import { downloadFileFromStorage } from '@/lib/uploads/utils/file-utils.server'
@@ -22,7 +22,7 @@ export async function POST(request: NextRequest) {
   const requestId = generateRequestId()
 
   try {
-    const authResult = await checkHybridAuth(request, { requireWorkflowId: false })
+    const authResult = await checkInternalAuth(request, { requireWorkflowId: false })
 
     if (!authResult.success) {
       logger.warn(`[${requestId}] Unauthorized Vision analyze attempt: ${authResult.error}`)

apps/sim/app/api/tools/wordpress/upload/route.ts

@@ -1,7 +1,7 @@
 import { createLogger } from '@sim/logger'
 import { type NextRequest, NextResponse } from 'next/server'
 import { z } from 'zod'
-import { checkHybridAuth } from '@/lib/auth/hybrid'
+import { checkInternalAuth } from '@/lib/auth/hybrid'
 import { generateRequestId } from '@/lib/core/utils/request'
 import {
   getFileExtension,
@@ -31,7 +31,7 @@ export async function POST(request: NextRequest) {
   const requestId = generateRequestId()
 
   try {
-    const authResult = await checkHybridAuth(request, { requireWorkflowId: false })
+    const authResult = await checkInternalAuth(request, { requireWorkflowId: false })
 
     if (!authResult.success) {
       logger.warn(`[${requestId}] Unauthorized WordPress upload attempt: ${authResult.error}`)

apps/sim/app/api/v1/admin/types.ts

@@ -640,6 +640,7 @@ export interface AdminDeployResult {
   isDeployed: boolean
   version: number
   deployedAt: string
+  warnings?: string[]
 }
 
 export interface AdminUndeployResult {

apps/sim/app/api/v1/admin/workflows/[id]/deploy/route.ts

@@ -1,14 +1,23 @@
-import { db, workflow } from '@sim/db'
+import { db, workflow, workflowDeploymentVersion } from '@sim/db'
 import { createLogger } from '@sim/logger'
-import { eq } from 'drizzle-orm'
+import { and, eq } from 'drizzle-orm'
 import { generateRequestId } from '@/lib/core/utils/request'
-import { cleanupWebhooksForWorkflow } from '@/lib/webhooks/deploy'
+import { removeMcpToolsForWorkflow, syncMcpToolsForWorkflow } from '@/lib/mcp/workflow-mcp-sync'
+import {
+  cleanupWebhooksForWorkflow,
+  restorePreviousVersionWebhooks,
+  saveTriggerWebhooksForDeploy,
+} from '@/lib/webhooks/deploy'
 import {
   deployWorkflow,
   loadWorkflowFromNormalizedTables,
   undeployWorkflow,
 } from '@/lib/workflows/persistence/utils'
-import { createSchedulesForDeploy, validateWorkflowSchedules } from '@/lib/workflows/schedules'
+import {
+  cleanupDeploymentVersion,
+  createSchedulesForDeploy,
+  validateWorkflowSchedules,
+} from '@/lib/workflows/schedules'
 import { withAdminAuthParams } from '@/app/api/v1/admin/middleware'
 import {
   badRequestResponse,
@@ -28,10 +37,11 @@ interface RouteParams {
 
 export const POST = withAdminAuthParams<RouteParams>(async (request, context) => {
   const { id: workflowId } = await context.params
+  const requestId = generateRequestId()
 
   try {
     const [workflowRecord] = await db
-      .select({ id: workflow.id, name: workflow.name })
+      .select()
       .from(workflow)
       .where(eq(workflow.id, workflowId))
       .limit(1)
@@ -50,6 +60,18 @@ export const POST = withAdminAuthParams<RouteParams>(async (request, context) =>
       return badRequestResponse(`Invalid schedule configuration: ${scheduleValidation.error}`)
     }
 
+    const [currentActiveVersion] = await db
+      .select({ id: workflowDeploymentVersion.id })
+      .from(workflowDeploymentVersion)
+      .where(
+        and(
+          eq(workflowDeploymentVersion.workflowId, workflowId),
+          eq(workflowDeploymentVersion.isActive, true)
+        )
+      )
+      .limit(1)
+    const previousVersionId = currentActiveVersion?.id
+
     const deployResult = await deployWorkflow({
       workflowId,
       deployedBy: ADMIN_ACTOR_ID,
@@ -65,6 +87,32 @@ export const POST = withAdminAuthParams<RouteParams>(async (request, context) =>
       return internalErrorResponse('Failed to resolve deployment version')
     }
 
+    const workflowData = workflowRecord as Record<string, unknown>
+
+    const triggerSaveResult = await saveTriggerWebhooksForDeploy({
+      request,
+      workflowId,
+      workflow: workflowData,
+      userId: workflowRecord.userId,
+      blocks: normalizedData.blocks,
+      requestId,
+      deploymentVersionId: deployResult.deploymentVersionId,
+      previousVersionId,
+    })
+
+    if (!triggerSaveResult.success) {
+      await cleanupDeploymentVersion({
+        workflowId,
+        workflow: workflowData,
+        requestId,
+        deploymentVersionId: deployResult.deploymentVersionId,
+      })
+      await undeployWorkflow({ workflowId })
+      return internalErrorResponse(
+        triggerSaveResult.error?.message || 'Failed to sync trigger configuration'
+      )
+    }
+
     const scheduleResult = await createSchedulesForDeploy(
       workflowId,
       normalizedData.blocks,
@@ -72,15 +120,58 @@ export const POST = withAdminAuthParams<RouteParams>(async (request, context) =>
       deployResult.deploymentVersionId
     )
     if (!scheduleResult.success) {
-      logger.warn(`Schedule creation failed for workflow ${workflowId}: ${scheduleResult.error}`)
+      logger.error(
+        `[${requestId}] Admin API: Schedule creation failed for workflow ${workflowId}: ${scheduleResult.error}`
+      )
+      await cleanupDeploymentVersion({
+        workflowId,
+        workflow: workflowData,
+        requestId,
+        deploymentVersionId: deployResult.deploymentVersionId,
+      })
+      if (previousVersionId) {
+        await restorePreviousVersionWebhooks({
+          request,
+          workflow: workflowData,
+          userId: workflowRecord.userId,
+          previousVersionId,
+          requestId,
+        })
+      }
+      await undeployWorkflow({ workflowId })
+      return internalErrorResponse(scheduleResult.error || 'Failed to create schedule')
     }
 
-    logger.info(`Admin API: Deployed workflow ${workflowId} as v${deployResult.version}`)
+    if (previousVersionId && previousVersionId !== deployResult.deploymentVersionId) {
+      try {
+        logger.info(`[${requestId}] Admin API: Cleaning up previous version ${previousVersionId}`)
+        await cleanupDeploymentVersion({
+          workflowId,
+          workflow: workflowData,
+          requestId,
+          deploymentVersionId: previousVersionId,
+          skipExternalCleanup: true,
+        })
+      } catch (cleanupError) {
+        logger.error(
+          `[${requestId}] Admin API: Failed to clean up previous version ${previousVersionId}`,
+          cleanupError
+        )
+      }
+    }
+
+    logger.info(
+      `[${requestId}] Admin API: Deployed workflow ${workflowId} as v${deployResult.version}`
+    )
+
+    // Sync MCP tools with the latest parameter schema
+    await syncMcpToolsForWorkflow({ workflowId, requestId, context: 'deploy' })
 
     const response: AdminDeployResult = {
       isDeployed: true,
       version: deployResult.version!,
       deployedAt: deployResult.deployedAt!.toISOString(),
+      warnings: triggerSaveResult.warnings,
     }
 
     return singleResponse(response)
@@ -105,7 +196,6 @@ export const DELETE = withAdminAuthParams<RouteParams>(async (request, context)
       return notFoundResponse('Workflow')
     }
 
-    // Clean up external webhook subscriptions before undeploying
     await cleanupWebhooksForWorkflow(
       workflowId,
       workflowRecord as Record<string, unknown>,
@@ -117,6 +207,8 @@ export const DELETE = withAdminAuthParams<RouteParams>(async (request, context)
       return internalErrorResponse(result.error || 'Failed to undeploy workflow')
     }
 
+    await removeMcpToolsForWorkflow(workflowId, requestId)
+
     logger.info(`Admin API: Undeployed workflow ${workflowId}`)
 
     const response: AdminUndeployResult = {

apps/sim/app/api/v1/admin/workflows/[id]/versions/[versionId]/activate/route.ts

@@ -1,7 +1,15 @@
-import { db, workflow } from '@sim/db'
+import { db, workflow, workflowDeploymentVersion } from '@sim/db'
 import { createLogger } from '@sim/logger'
-import { eq } from 'drizzle-orm'
+import { and, eq } from 'drizzle-orm'
+import { generateRequestId } from '@/lib/core/utils/request'
+import { syncMcpToolsForWorkflow } from '@/lib/mcp/workflow-mcp-sync'
+import { restorePreviousVersionWebhooks, saveTriggerWebhooksForDeploy } from '@/lib/webhooks/deploy'
 import { activateWorkflowVersion } from '@/lib/workflows/persistence/utils'
+import {
+  cleanupDeploymentVersion,
+  createSchedulesForDeploy,
+  validateWorkflowSchedules,
+} from '@/lib/workflows/schedules'
 import { withAdminAuthParams } from '@/app/api/v1/admin/middleware'
 import {
   badRequestResponse,
@@ -9,6 +17,7 @@ import {
   notFoundResponse,
   singleResponse,
 } from '@/app/api/v1/admin/responses'
+import type { BlockState } from '@/stores/workflows/workflow/types'
 
 const logger = createLogger('AdminWorkflowActivateVersionAPI')
 
@@ -18,11 +27,12 @@ interface RouteParams {
 }
 
 export const POST = withAdminAuthParams<RouteParams>(async (request, context) => {
+  const requestId = generateRequestId()
   const { id: workflowId, versionId } = await context.params
 
   try {
     const [workflowRecord] = await db
-      .select({ id: workflow.id })
+      .select()
       .from(workflow)
       .where(eq(workflow.id, workflowId))
       .limit(1)
@@ -36,23 +46,161 @@ export const POST = withAdminAuthParams<RouteParams>(async (request, context) =>
       return badRequestResponse('Invalid version number')
     }
 
+    const [versionRow] = await db
+      .select({
+        id: workflowDeploymentVersion.id,
+        state: workflowDeploymentVersion.state,
+      })
+      .from(workflowDeploymentVersion)
+      .where(
+        and(
+          eq(workflowDeploymentVersion.workflowId, workflowId),
+          eq(workflowDeploymentVersion.version, versionNum)
+        )
+      )
+      .limit(1)
+
+    if (!versionRow?.state) {
+      return notFoundResponse('Deployment version')
+    }
+
+    const [currentActiveVersion] = await db
+      .select({ id: workflowDeploymentVersion.id })
+      .from(workflowDeploymentVersion)
+      .where(
+        and(
+          eq(workflowDeploymentVersion.workflowId, workflowId),
+          eq(workflowDeploymentVersion.isActive, true)
+        )
+      )
+      .limit(1)
+
+    const previousVersionId = currentActiveVersion?.id
+
+    const deployedState = versionRow.state as { blocks?: Record<string, BlockState> }
+    const blocks = deployedState.blocks
+    if (!blocks || typeof blocks !== 'object') {
+      return internalErrorResponse('Invalid deployed state structure')
+    }
+
+    const workflowData = workflowRecord as Record<string, unknown>
+
+    const scheduleValidation = validateWorkflowSchedules(blocks)
+    if (!scheduleValidation.isValid) {
+      return badRequestResponse(`Invalid schedule configuration: ${scheduleValidation.error}`)
+    }
+
+    const triggerSaveResult = await saveTriggerWebhooksForDeploy({
+      request,
+      workflowId,
+      workflow: workflowData,
+      userId: workflowRecord.userId,
+      blocks,
+      requestId,
+      deploymentVersionId: versionRow.id,
+      previousVersionId,
+      forceRecreateSubscriptions: true,
+    })
+
+    if (!triggerSaveResult.success) {
+      logger.error(
+        `[${requestId}] Admin API: Failed to sync triggers for workflow ${workflowId}`,
+        triggerSaveResult.error
+      )
+      return internalErrorResponse(
+        triggerSaveResult.error?.message || 'Failed to sync trigger configuration'
+      )
+    }
+
+    const scheduleResult = await createSchedulesForDeploy(workflowId, blocks, db, versionRow.id)
+
+    if (!scheduleResult.success) {
+      await cleanupDeploymentVersion({
+        workflowId,
+        workflow: workflowData,
+        requestId,
+        deploymentVersionId: versionRow.id,
+      })
+      if (previousVersionId) {
+        await restorePreviousVersionWebhooks({
+          request,
+          workflow: workflowData,
+          userId: workflowRecord.userId,
+          previousVersionId,
+          requestId,
+        })
+      }
+      return internalErrorResponse(scheduleResult.error || 'Failed to sync schedules')
+    }
+
     const result = await activateWorkflowVersion({ workflowId, version: versionNum })
     if (!result.success) {
+      await cleanupDeploymentVersion({
+        workflowId,
+        workflow: workflowData,
+        requestId,
+        deploymentVersionId: versionRow.id,
+      })
+      if (previousVersionId) {
+        await restorePreviousVersionWebhooks({
+          request,
+          workflow: workflowData,
+          userId: workflowRecord.userId,
+          previousVersionId,
+          requestId,
+        })
+      }
       if (result.error === 'Deployment version not found') {
         return notFoundResponse('Deployment version')
       }
       return internalErrorResponse(result.error || 'Failed to activate version')
     }
 
-    logger.info(`Admin API: Activated version ${versionNum} for workflow ${workflowId}`)
+    if (previousVersionId && previousVersionId !== versionRow.id) {
+      try {
+        logger.info(
+          `[${requestId}] Admin API: Cleaning up previous version ${previousVersionId} webhooks/schedules`
+        )
+        await cleanupDeploymentVersion({
+          workflowId,
+          workflow: workflowData,
+          requestId,
+          deploymentVersionId: previousVersionId,
+          skipExternalCleanup: true,
+        })
+        logger.info(`[${requestId}] Admin API: Previous version cleanup completed`)
+      } catch (cleanupError) {
+        logger.error(
+          `[${requestId}] Admin API: Failed to clean up previous version ${previousVersionId}`,
+          cleanupError
+        )
+      }
+    }
+
+    await syncMcpToolsForWorkflow({
+      workflowId,
+      requestId,
+      state: versionRow.state,
+      context: 'activate',
+    })
+
+    logger.info(
+      `[${requestId}] Admin API: Activated version ${versionNum} for workflow ${workflowId}`
+    )
 
     return singleResponse({
       success: true,
       version: versionNum,
       deployedAt: result.deployedAt!.toISOString(),
+      warnings: triggerSaveResult.warnings,
     })
   } catch (error) {
-    logger.error(`Admin API: Failed to activate version for workflow ${workflowId}`, { error })
+    logger.error(
+      `[${requestId}] Admin API: Failed to activate version for workflow ${workflowId}`,
+      {
+        error,
+      }
+    )
     return internalErrorResponse('Failed to activate deployment version')
   }
 })

apps/sim/app/api/webhooks/[id]/route.ts

@@ -7,12 +7,7 @@ import { getSession } from '@/lib/auth'
 import { validateInteger } from '@/lib/core/security/input-validation'
 import { PlatformEvents } from '@/lib/core/telemetry'
 import { generateRequestId } from '@/lib/core/utils/request'
-import { resolveEnvVarsInObject } from '@/lib/webhooks/env-resolver'
-import {
-  cleanupExternalWebhook,
-  createExternalWebhookSubscription,
-  shouldRecreateExternalWebhookSubscription,
-} from '@/lib/webhooks/provider-subscriptions'
+import { cleanupExternalWebhook } from '@/lib/webhooks/provider-subscriptions'
 import { getUserEntityPermissions } from '@/lib/workspaces/permissions/utils'
 
 const logger = createLogger('WebhookAPI')
@@ -88,7 +83,6 @@ export async function GET(request: NextRequest, { params }: { params: Promise<{
   }
 }
 
-// Update a webhook
 export async function PATCH(request: NextRequest, { params }: { params: Promise<{ id: string }> }) {
   const requestId = generateRequestId()
 
@@ -103,7 +97,7 @@ export async function PATCH(request: NextRequest, { params }: { params: Promise<
     }
 
     const body = await request.json()
-    const { path, provider, providerConfig, isActive, failedCount } = body
+    const { isActive, failedCount } = body
 
     if (failedCount !== undefined) {
       const validation = validateInteger(failedCount, 'failedCount', { min: 0 })
@@ -113,28 +107,6 @@ export async function PATCH(request: NextRequest, { params }: { params: Promise<
       }
     }
 
-    const originalProviderConfig = providerConfig
-    let resolvedProviderConfig = providerConfig
-    if (providerConfig) {
-      const webhookDataForResolve = await db
-        .select({
-          workspaceId: workflow.workspaceId,
-        })
-        .from(webhook)
-        .innerJoin(workflow, eq(webhook.workflowId, workflow.id))
-        .where(eq(webhook.id, id))
-        .limit(1)
-
-      if (webhookDataForResolve.length > 0) {
-        resolvedProviderConfig = await resolveEnvVarsInObject(
-          providerConfig,
-          session.user.id,
-          webhookDataForResolve[0].workspaceId || undefined
-        )
-      }
-    }
-
-    // Find the webhook and check permissions
     const webhooks = await db
       .select({
         webhook: webhook,
@@ -155,16 +127,12 @@ export async function PATCH(request: NextRequest, { params }: { params: Promise<
     }
 
     const webhookData = webhooks[0]
-
-    // Check if user has permission to modify this webhook
     let canModify = false
 
-    // Case 1: User owns the workflow
     if (webhookData.workflow.userId === session.user.id) {
       canModify = true
     }
 
-    // Case 2: Workflow belongs to a workspace and user has write or admin permission
     if (!canModify && webhookData.workflow.workspaceId) {
       const userPermission = await getUserEntityPermissions(
         session.user.id,
@@ -183,80 +151,14 @@ export async function PATCH(request: NextRequest, { params }: { params: Promise<
       return NextResponse.json({ error: 'Access denied' }, { status: 403 })
     }
 
-    const existingProviderConfig =
-      (webhookData.webhook.providerConfig as Record<string, unknown>) || {}
-    let nextProviderConfig =
-      providerConfig !== undefined &&
-      resolvedProviderConfig &&
-      typeof resolvedProviderConfig === 'object'
-        ? (resolvedProviderConfig as Record<string, unknown>)
-        : existingProviderConfig
-    const nextProvider = (provider ?? webhookData.webhook.provider) as string
-
-    if (
-      providerConfig !== undefined &&
-      shouldRecreateExternalWebhookSubscription({
-        previousProvider: webhookData.webhook.provider as string,
-        nextProvider,
-        previousConfig: existingProviderConfig,
-        nextConfig: nextProviderConfig,
-      })
-    ) {
-      await cleanupExternalWebhook(
-        { ...webhookData.webhook, providerConfig: existingProviderConfig },
-        webhookData.workflow,
-        requestId
-      )
-
-      const result = await createExternalWebhookSubscription(
-        request,
-        {
-          ...webhookData.webhook,
-          provider: nextProvider,
-          providerConfig: nextProviderConfig,
-        },
-        webhookData.workflow,
-        session.user.id,
-        requestId
-      )
-
-      nextProviderConfig = result.updatedProviderConfig as Record<string, unknown>
-    }
-
     logger.debug(`[${requestId}] Updating webhook properties`, {
-      hasPathUpdate: path !== undefined,
-      hasProviderUpdate: provider !== undefined,
-      hasConfigUpdate: providerConfig !== undefined,
       hasActiveUpdate: isActive !== undefined,
       hasFailedCountUpdate: failedCount !== undefined,
     })
 
-    let finalProviderConfig = webhooks[0].webhook.providerConfig
-    if (providerConfig !== undefined && originalProviderConfig) {
-      const existingConfig = existingProviderConfig
-      finalProviderConfig = {
-        ...originalProviderConfig,
-        credentialId: existingConfig.credentialId,
-        credentialSetId: existingConfig.credentialSetId,
-        userId: existingConfig.userId,
-        historyId: existingConfig.historyId,
-        lastCheckedTimestamp: existingConfig.lastCheckedTimestamp,
-        setupCompleted: existingConfig.setupCompleted,
-        externalId: existingConfig.externalId,
-      }
-      for (const [key, value] of Object.entries(nextProviderConfig)) {
-        if (!(key in originalProviderConfig)) {
-          ;(finalProviderConfig as Record<string, unknown>)[key] = value
-        }
-      }
-    }
-
     const updatedWebhook = await db
       .update(webhook)
       .set({
-        path: path !== undefined ? path : webhooks[0].webhook.path,
-        provider: provider !== undefined ? provider : webhooks[0].webhook.provider,
-        providerConfig: finalProviderConfig,
         isActive: isActive !== undefined ? isActive : webhooks[0].webhook.isActive,
         failedCount: failedCount !== undefined ? failedCount : webhooks[0].webhook.failedCount,
         updatedAt: new Date(),
@@ -339,11 +241,8 @@ export async function DELETE(
     }
 
     const foundWebhook = webhookData.webhook
-    const { cleanupExternalWebhook } = await import('@/lib/webhooks/provider-subscriptions')
-
-    const providerConfig = foundWebhook.providerConfig as Record<string, unknown> | null
-    const credentialSetId = providerConfig?.credentialSetId as string | undefined
-    const blockId = providerConfig?.blockId as string | undefined
+    const credentialSetId = foundWebhook.credentialSetId as string | undefined
+    const blockId = foundWebhook.blockId as string | undefined
 
     if (credentialSetId && blockId) {
       const allCredentialSetWebhooks = await db
@@ -351,10 +250,9 @@ export async function DELETE(
         .from(webhook)
         .where(and(eq(webhook.workflowId, webhookData.workflow.id), eq(webhook.blockId, blockId)))
 
-      const webhooksToDelete = allCredentialSetWebhooks.filter((w) => {
-        const config = w.providerConfig as Record<string, unknown> | null
-        return config?.credentialSetId === credentialSetId
-      })
+      const webhooksToDelete = allCredentialSetWebhooks.filter(
+        (w) => w.credentialSetId === credentialSetId
+      )
 
       for (const w of webhooksToDelete) {
         await cleanupExternalWebhook(w, webhookData.workflow, requestId)

apps/sim/app/api/webhooks/route.ts

@@ -7,9 +7,21 @@ import { type NextRequest, NextResponse } from 'next/server'
 import { getSession } from '@/lib/auth'
 import { PlatformEvents } from '@/lib/core/telemetry'
 import { generateRequestId } from '@/lib/core/utils/request'
+import { getProviderIdFromServiceId } from '@/lib/oauth'
 import { resolveEnvVarsInObject } from '@/lib/webhooks/env-resolver'
-import { createExternalWebhookSubscription } from '@/lib/webhooks/provider-subscriptions'
+import {
+  cleanupExternalWebhook,
+  createExternalWebhookSubscription,
+} from '@/lib/webhooks/provider-subscriptions'
+import { mergeNonUserFields } from '@/lib/webhooks/utils'
+import {
+  configureGmailPolling,
+  configureOutlookPolling,
+  configureRssPolling,
+  syncWebhooksForCredentialSet,
+} from '@/lib/webhooks/utils.server'
 import { getUserEntityPermissions } from '@/lib/workspaces/permissions/utils'
+import { extractCredentialSetId, isCredentialSetValue } from '@/executor/constants'
 
 const logger = createLogger('WebhooksAPI')
 
@@ -316,8 +328,6 @@ export async function POST(request: NextRequest) {
     const directCredentialSetId = resolvedProviderConfig?.credentialSetId as string | undefined
 
     if (directCredentialSetId || rawCredentialId) {
-      const { isCredentialSetValue, extractCredentialSetId } = await import('@/executor/constants')
-
       const credentialSetId =
         directCredentialSetId ||
         (rawCredentialId && isCredentialSetValue(rawCredentialId)
@@ -329,11 +339,6 @@ export async function POST(request: NextRequest) {
           `[${requestId}] Credential set detected for ${provider} trigger. Syncing webhooks for set ${credentialSetId}`
         )
 
-        const { getProviderIdFromServiceId } = await import('@/lib/oauth')
-        const { syncWebhooksForCredentialSet, configureGmailPolling, configureOutlookPolling } =
-          await import('@/lib/webhooks/utils.server')
-
-        // Map provider to OAuth provider ID
         const oauthProviderId = getProviderIdFromServiceId(provider)
 
         const {
@@ -466,7 +471,8 @@ export async function POST(request: NextRequest) {
       providerConfig: providerConfigOverride,
     })
 
-    const configToSave = { ...originalProviderConfig }
+    const userProvided = originalProviderConfig as Record<string, unknown>
+    const configToSave: Record<string, unknown> = { ...userProvided }
 
     try {
       const result = await createExternalWebhookSubscription(
@@ -477,11 +483,7 @@ export async function POST(request: NextRequest) {
         requestId
       )
       const updatedConfig = result.updatedProviderConfig as Record<string, unknown>
-      for (const [key, value] of Object.entries(updatedConfig)) {
-        if (!(key in originalProviderConfig)) {
-          configToSave[key] = value
-        }
-      }
+      mergeNonUserFields(configToSave, updatedConfig, userProvided)
       resolvedProviderConfig = updatedConfig
       externalSubscriptionCreated = result.externalSubscriptionCreated
     } catch (err) {
@@ -547,7 +549,6 @@ export async function POST(request: NextRequest) {
       if (externalSubscriptionCreated) {
         logger.error(`[${requestId}] DB save failed, cleaning up external subscription`, dbError)
         try {
-          const { cleanupExternalWebhook } = await import('@/lib/webhooks/provider-subscriptions')
           await cleanupExternalWebhook(
             createTempWebhookData(configToSave),
             workflowRecord,
@@ -567,7 +568,6 @@ export async function POST(request: NextRequest) {
     if (savedWebhook && provider === 'gmail') {
       logger.info(`[${requestId}] Gmail provider detected. Setting up Gmail webhook configuration.`)
       try {
-        const { configureGmailPolling } = await import('@/lib/webhooks/utils.server')
         const success = await configureGmailPolling(savedWebhook, requestId)
 
         if (!success) {
@@ -606,7 +606,6 @@ export async function POST(request: NextRequest) {
         `[${requestId}] Outlook provider detected. Setting up Outlook webhook configuration.`
       )
       try {
-        const { configureOutlookPolling } = await import('@/lib/webhooks/utils.server')
         const success = await configureOutlookPolling(savedWebhook, requestId)
 
         if (!success) {
@@ -643,7 +642,6 @@ export async function POST(request: NextRequest) {
     if (savedWebhook && provider === 'rss') {
       logger.info(`[${requestId}] RSS provider detected. Setting up RSS webhook configuration.`)
       try {
-        const { configureRssPolling } = await import('@/lib/webhooks/utils.server')
         const success = await configureRssPolling(savedWebhook, requestId)
 
         if (!success) {

apps/sim/app/api/workflows/[id]/deploy/route.ts

@@ -4,7 +4,11 @@ import { and, desc, eq } from 'drizzle-orm'
 import type { NextRequest } from 'next/server'
 import { generateRequestId } from '@/lib/core/utils/request'
 import { removeMcpToolsForWorkflow, syncMcpToolsForWorkflow } from '@/lib/mcp/workflow-mcp-sync'
-import { cleanupWebhooksForWorkflow, saveTriggerWebhooksForDeploy } from '@/lib/webhooks/deploy'
+import {
+  cleanupWebhooksForWorkflow,
+  restorePreviousVersionWebhooks,
+  saveTriggerWebhooksForDeploy,
+} from '@/lib/webhooks/deploy'
 import {
   deployWorkflow,
   loadWorkflowFromNormalizedTables,
@@ -135,6 +139,18 @@ export async function POST(request: NextRequest, { params }: { params: Promise<{
       return createErrorResponse(`Invalid schedule configuration: ${scheduleValidation.error}`, 400)
     }
 
+    const [currentActiveVersion] = await db
+      .select({ id: workflowDeploymentVersion.id })
+      .from(workflowDeploymentVersion)
+      .where(
+        and(
+          eq(workflowDeploymentVersion.workflowId, id),
+          eq(workflowDeploymentVersion.isActive, true)
+        )
+      )
+      .limit(1)
+    const previousVersionId = currentActiveVersion?.id
+
     const deployResult = await deployWorkflow({
       workflowId: id,
       deployedBy: actorUserId,
@@ -161,6 +177,7 @@ export async function POST(request: NextRequest, { params }: { params: Promise<{
       blocks: normalizedData.blocks,
       requestId,
       deploymentVersionId,
+      previousVersionId,
     })
 
     if (!triggerSaveResult.success) {
@@ -194,6 +211,15 @@ export async function POST(request: NextRequest, { params }: { params: Promise<{
         requestId,
         deploymentVersionId,
       })
+      if (previousVersionId) {
+        await restorePreviousVersionWebhooks({
+          request,
+          workflow: workflowData as Record<string, unknown>,
+          userId: actorUserId,
+          previousVersionId,
+          requestId,
+        })
+      }
       await undeployWorkflow({ workflowId: id })
       return createErrorResponse(scheduleResult.error || 'Failed to create schedule', 500)
     }
@@ -208,6 +234,25 @@ export async function POST(request: NextRequest, { params }: { params: Promise<{
       )
     }
 
+    if (previousVersionId && previousVersionId !== deploymentVersionId) {
+      try {
+        logger.info(`[${requestId}] Cleaning up previous version ${previousVersionId} DB records`)
+        await cleanupDeploymentVersion({
+          workflowId: id,
+          workflow: workflowData as Record<string, unknown>,
+          requestId,
+          deploymentVersionId: previousVersionId,
+          skipExternalCleanup: true,
+        })
+      } catch (cleanupError) {
+        logger.error(
+          `[${requestId}] Failed to clean up previous version ${previousVersionId}`,
+          cleanupError
+        )
+        // Non-fatal - continue with success response
+      }
+    }
+
     logger.info(`[${requestId}] Workflow deployed successfully: ${id}`)
 
     // Sync MCP tools with the latest parameter schema
@@ -228,6 +273,7 @@ export async function POST(request: NextRequest, { params }: { params: Promise<{
             nextRunAt: scheduleInfo.nextRunAt,
           }
         : undefined,
+      warnings: triggerSaveResult.warnings,
     })
   } catch (error: any) {
     logger.error(`[${requestId}] Error deploying workflow: ${id}`, {

apps/sim/app/api/workflows/[id]/deployments/[version]/activate/route.ts

@@ -4,7 +4,7 @@ import { and, eq } from 'drizzle-orm'
 import type { NextRequest } from 'next/server'
 import { generateRequestId } from '@/lib/core/utils/request'
 import { syncMcpToolsForWorkflow } from '@/lib/mcp/workflow-mcp-sync'
-import { saveTriggerWebhooksForDeploy } from '@/lib/webhooks/deploy'
+import { restorePreviousVersionWebhooks, saveTriggerWebhooksForDeploy } from '@/lib/webhooks/deploy'
 import { activateWorkflowVersion } from '@/lib/workflows/persistence/utils'
 import {
   cleanupDeploymentVersion,
@@ -85,6 +85,11 @@ export async function POST(
       return createErrorResponse('Invalid deployed state structure', 500)
     }
 
+    const scheduleValidation = validateWorkflowSchedules(blocks)
+    if (!scheduleValidation.isValid) {
+      return createErrorResponse(`Invalid schedule configuration: ${scheduleValidation.error}`, 400)
+    }
+
     const triggerSaveResult = await saveTriggerWebhooksForDeploy({
       request,
       workflowId: id,
@@ -93,6 +98,8 @@ export async function POST(
       blocks,
       requestId,
       deploymentVersionId: versionRow.id,
+      previousVersionId,
+      forceRecreateSubscriptions: true,
     })
 
     if (!triggerSaveResult.success) {
@@ -102,11 +109,6 @@ export async function POST(
       )
     }
 
-    const scheduleValidation = validateWorkflowSchedules(blocks)
-    if (!scheduleValidation.isValid) {
-      return createErrorResponse(`Invalid schedule configuration: ${scheduleValidation.error}`, 400)
-    }
-
     const scheduleResult = await createSchedulesForDeploy(id, blocks, db, versionRow.id)
 
     if (!scheduleResult.success) {
@@ -116,6 +118,15 @@ export async function POST(
         requestId,
         deploymentVersionId: versionRow.id,
       })
+      if (previousVersionId) {
+        await restorePreviousVersionWebhooks({
+          request,
+          workflow: workflowData as Record<string, unknown>,
+          userId: actorUserId,
+          previousVersionId,
+          requestId,
+        })
+      }
       return createErrorResponse(scheduleResult.error || 'Failed to sync schedules', 500)
     }
 
@@ -127,6 +138,15 @@ export async function POST(
         requestId,
         deploymentVersionId: versionRow.id,
       })
+      if (previousVersionId) {
+        await restorePreviousVersionWebhooks({
+          request,
+          workflow: workflowData as Record<string, unknown>,
+          userId: actorUserId,
+          previousVersionId,
+          requestId,
+        })
+      }
       return createErrorResponse(result.error || 'Failed to activate deployment', 400)
     }
 
@@ -140,6 +160,7 @@ export async function POST(
           workflow: workflowData as Record<string, unknown>,
           requestId,
           deploymentVersionId: previousVersionId,
+          skipExternalCleanup: true,
         })
         logger.info(`[${requestId}] Previous version cleanup completed`)
       } catch (cleanupError) {
@@ -157,7 +178,11 @@ export async function POST(
       context: 'activate',
     })
 
-    return createSuccessResponse({ success: true, deployedAt: result.deployedAt })
+    return createSuccessResponse({
+      success: true,
+      deployedAt: result.deployedAt,
+      warnings: triggerSaveResult.warnings,
+    })
   } catch (error: any) {
     logger.error(`[${requestId}] Error activating deployment for workflow: ${id}`, error)
     return createErrorResponse(error.message || 'Failed to activate deployment', 500)

apps/sim/app/api/workflows/[id]/execute/route.ts

@@ -30,6 +30,7 @@ import { normalizeName } from '@/executor/constants'
 import { ExecutionSnapshot } from '@/executor/execution/snapshot'
 import type { ExecutionMetadata, IterationContext } from '@/executor/execution/types'
 import type { NormalizedBlockOutput, StreamingExecution } from '@/executor/types'
+import { hasExecutionResult } from '@/executor/utils/errors'
 import { Serializer } from '@/serializer'
 import { CORE_TRIGGER_TYPES, type CoreTriggerType } from '@/stores/logs/filters/types'
 
@@ -467,17 +468,17 @@ export async function POST(req: NextRequest, { params }: { params: Promise<{ id:
         }
 
         return NextResponse.json(filteredResult)
-      } catch (error: any) {
-        const errorMessage = error.message || 'Unknown error'
+      } catch (error: unknown) {
+        const errorMessage = error instanceof Error ? error.message : 'Unknown error'
         logger.error(`[${requestId}] Non-SSE execution failed: ${errorMessage}`)
 
-        const executionResult = error.executionResult
+        const executionResult = hasExecutionResult(error) ? error.executionResult : undefined
 
         return NextResponse.json(
           {
             success: false,
             output: executionResult?.output,
-            error: executionResult?.error || error.message || 'Execution failed',
+            error: executionResult?.error || errorMessage || 'Execution failed',
             metadata: executionResult?.metadata
               ? {
                   duration: executionResult.metadata.duration,
@@ -788,11 +789,11 @@ export async function POST(req: NextRequest, { params }: { params: Promise<{ id:
 
           // Cleanup base64 cache for this execution
           await cleanupExecutionBase64Cache(executionId)
-        } catch (error: any) {
-          const errorMessage = error.message || 'Unknown error'
+        } catch (error: unknown) {
+          const errorMessage = error instanceof Error ? error.message : 'Unknown error'
           logger.error(`[${requestId}] SSE execution failed: ${errorMessage}`)
 
-          const executionResult = error.executionResult
+          const executionResult = hasExecutionResult(error) ? error.executionResult : undefined
 
           sendEvent({
             type: 'execution:error',

apps/sim/app/workspace/[workspaceId]/w/[workflowId]/components/panel/components/copilot/components/copilot-message/copilot-message.tsx

@@ -78,9 +78,10 @@ const CopilotMessage: FC<CopilotMessageProps> = memo(
       mode,
       setMode,
       isAborting,
-      maskCredentialValue,
     } = useCopilotStore()
 
+    const maskCredentialValue = useCopilotStore((s) => s.maskCredentialValue)
+
     const messageCheckpoints = isUser ? allMessageCheckpoints[message.id] || [] : []
     const hasCheckpoints = messageCheckpoints.length > 0 && messageCheckpoints.some((cp) => cp?.id)
 
@@ -265,7 +266,7 @@ const CopilotMessage: FC<CopilotMessageProps> = memo(
         }
         return null
       })
-    }, [message.contentBlocks, isActivelyStreaming, parsedTags, isLastMessage, maskCredentialValue])
+    }, [message.contentBlocks, isActivelyStreaming, parsedTags, isLastMessage])
 
     if (isUser) {
       return (

apps/sim/app/workspace/[workspaceId]/w/[workflowId]/components/panel/components/deploy/components/deploy-modal/deploy-modal.tsx

@@ -95,6 +95,7 @@ export function DeployModal({
   const [activeTab, setActiveTab] = useState<TabView>('general')
   const [chatSubmitting, setChatSubmitting] = useState(false)
   const [apiDeployError, setApiDeployError] = useState<string | null>(null)
+  const [apiDeployWarnings, setApiDeployWarnings] = useState<string[]>([])
   const [isChatFormValid, setIsChatFormValid] = useState(false)
   const [selectedStreamingOutputs, setSelectedStreamingOutputs] = useState<string[]>([])
 
@@ -227,6 +228,7 @@ export function DeployModal({
     if (open && workflowId) {
       setActiveTab('general')
       setApiDeployError(null)
+      setApiDeployWarnings([])
     }
   }, [open, workflowId])
 
@@ -282,9 +284,13 @@ export function DeployModal({
     if (!workflowId) return
 
     setApiDeployError(null)
+    setApiDeployWarnings([])
 
     try {
-      await deployMutation.mutateAsync({ workflowId, deployChatEnabled: false })
+      const result = await deployMutation.mutateAsync({ workflowId, deployChatEnabled: false })
+      if (result.warnings && result.warnings.length > 0) {
+        setApiDeployWarnings(result.warnings)
+      }
       await refetchDeployedState()
     } catch (error: unknown) {
       logger.error('Error deploying workflow:', { error })
@@ -297,8 +303,13 @@ export function DeployModal({
     async (version: number) => {
       if (!workflowId) return
 
+      setApiDeployWarnings([])
+
       try {
-        await activateVersionMutation.mutateAsync({ workflowId, version })
+        const result = await activateVersionMutation.mutateAsync({ workflowId, version })
+        if (result.warnings && result.warnings.length > 0) {
+          setApiDeployWarnings(result.warnings)
+        }
         await refetchDeployedState()
       } catch (error) {
         logger.error('Error promoting version:', { error })
@@ -324,9 +335,13 @@ export function DeployModal({
     if (!workflowId) return
 
     setApiDeployError(null)
+    setApiDeployWarnings([])
 
     try {
-      await deployMutation.mutateAsync({ workflowId, deployChatEnabled: false })
+      const result = await deployMutation.mutateAsync({ workflowId, deployChatEnabled: false })
+      if (result.warnings && result.warnings.length > 0) {
+        setApiDeployWarnings(result.warnings)
+      }
       await refetchDeployedState()
     } catch (error: unknown) {
       logger.error('Error redeploying workflow:', { error })
@@ -338,6 +353,7 @@ export function DeployModal({
   const handleCloseModal = useCallback(() => {
     setChatSubmitting(false)
     setApiDeployError(null)
+    setApiDeployWarnings([])
     onOpenChange(false)
   }, [onOpenChange])
 
@@ -479,6 +495,14 @@ export function DeployModal({
                   <div>{apiDeployError}</div>
                 </div>
               )}
+              {apiDeployWarnings.length > 0 && (
+                <div className='mb-3 rounded-[4px] border border-amber-500/30 bg-amber-500/10 p-3 text-amber-700 dark:text-amber-400 text-sm'>
+                  <div className='font-semibold'>Deployment Warning</div>
+                  {apiDeployWarnings.map((warning, index) => (
+                    <div key={index}>{warning}</div>
+                  ))}
+                </div>
+              )}
               <ModalTabsContent value='general'>
                 <GeneralDeploy
                   workflowId={workflowId}

apps/sim/app/workspace/[workspaceId]/w/[workflowId]/hooks/use-workflow-execution.ts

@@ -16,6 +16,7 @@ import {
 } from '@/lib/workflows/triggers/triggers'
 import { useCurrentWorkflow } from '@/app/workspace/[workspaceId]/w/[workflowId]/hooks/use-current-workflow'
 import type { BlockLog, ExecutionResult, StreamingExecution } from '@/executor/types'
+import { hasExecutionResult } from '@/executor/utils/errors'
 import { coerceValue } from '@/executor/utils/start-block'
 import { subscriptionKeys } from '@/hooks/queries/subscription'
 import { useExecutionStream } from '@/hooks/use-execution-stream'
@@ -76,17 +77,6 @@ function normalizeErrorMessage(error: unknown): string {
   return WORKFLOW_EXECUTION_FAILURE_MESSAGE
 }
 
-function isExecutionResult(value: unknown): value is ExecutionResult {
-  if (!isRecord(value)) return false
-  return typeof value.success === 'boolean' && isRecord(value.output)
-}
-
-function extractExecutionResult(error: unknown): ExecutionResult | null {
-  if (!isRecord(error)) return null
-  const candidate = error.executionResult
-  return isExecutionResult(candidate) ? candidate : null
-}
-
 export function useWorkflowExecution() {
   const queryClient = useQueryClient()
   const currentWorkflow = useCurrentWorkflow()
@@ -1138,11 +1128,11 @@ export function useWorkflowExecution() {
 
   const handleExecutionError = (error: unknown, options?: { executionId?: string }) => {
     const normalizedMessage = normalizeErrorMessage(error)
-    const executionResultFromError = extractExecutionResult(error)
 
     let errorResult: ExecutionResult
 
-    if (executionResultFromError) {
+    if (hasExecutionResult(error)) {
+      const executionResultFromError = error.executionResult
       const logs = Array.isArray(executionResultFromError.logs) ? executionResultFromError.logs : []
 
       errorResult = {

apps/sim/app/workspace/[workspaceId]/w/[workflowId]/workflow.tsx

@@ -81,6 +81,7 @@ import { useWorkflowDiffStore } from '@/stores/workflow-diff/store'
 import { useWorkflowRegistry } from '@/stores/workflows/registry/store'
 import { getUniqueBlockName, prepareBlockState } from '@/stores/workflows/utils'
 import { useWorkflowStore } from '@/stores/workflows/workflow/store'
+import type { BlockState } from '@/stores/workflows/workflow/types'
 
 /** Lazy-loaded components for non-critical UI that can load after initial render */
 const LazyChat = lazy(() =>
@@ -535,8 +536,7 @@ const WorkflowContent = React.memo(() => {
     return edgesToFilter.filter((edge) => {
       const sourceBlock = blocks[edge.source]
       const targetBlock = blocks[edge.target]
-      if (!sourceBlock || !targetBlock) return false
-      return !isAnnotationOnlyBlock(sourceBlock.type) && !isAnnotationOnlyBlock(targetBlock.type)
+      return Boolean(sourceBlock && targetBlock)
     })
   }, [edges, isShowingDiff, isDiffReady, diffAnalysis, blocks])
 
@@ -1097,6 +1097,13 @@ const WorkflowContent = React.memo(() => {
     [collaborativeBatchRemoveEdges]
   )
 
+  const isAutoConnectSourceCandidate = useCallback((block: BlockState): boolean => {
+    if (!block.enabled) return false
+    if (block.type === 'response') return false
+    if (isAnnotationOnlyBlock(block.type)) return false
+    return true
+  }, [])
+
   /** Finds the closest block to a position for auto-connect. */
   const findClosestOutput = useCallback(
     (newNodePosition: { x: number; y: number }): BlockData | null => {
@@ -1109,8 +1116,7 @@ const WorkflowContent = React.memo(() => {
         position: { x: number; y: number }
         distanceSquared: number
       } | null>((acc, [id, block]) => {
-        if (!block.enabled) return acc
-        if (block.type === 'response') return acc
+        if (!isAutoConnectSourceCandidate(block)) return acc
         const node = nodeIndex.get(id)
         if (!node) return acc
 
@@ -1140,7 +1146,7 @@ const WorkflowContent = React.memo(() => {
         position: closest.position,
       }
     },
-    [blocks, getNodes, getNodeAnchorPosition, isPointInLoopNode]
+    [blocks, getNodes, getNodeAnchorPosition, isPointInLoopNode, isAutoConnectSourceCandidate]
   )
 
   /** Determines the appropriate source handle based on block type. */
@@ -1208,7 +1214,8 @@ const WorkflowContent = React.memo(() => {
         position: { x: number; y: number }
         distanceSquared: number
       } | null>((acc, block) => {
-        if (block.type === 'response') return acc
+        const blockState = blocks[block.id]
+        if (!blockState || !isAutoConnectSourceCandidate(blockState)) return acc
         const distanceSquared =
           (block.position.x - targetPosition.x) ** 2 + (block.position.y - targetPosition.y) ** 2
         if (!acc || distanceSquared < acc.distanceSquared) {
@@ -1225,7 +1232,7 @@ const WorkflowContent = React.memo(() => {
           }
         : undefined
     },
-    []
+    [blocks, isAutoConnectSourceCandidate]
   )
 
   /**
@@ -1241,8 +1248,6 @@ const WorkflowContent = React.memo(() => {
       position: { x: number; y: number },
       targetBlockId: string,
       options: {
-        blockType: string
-        enableTriggerMode?: boolean
         targetParentId?: string | null
         existingChildBlocks?: { id: string; type: string; position: { x: number; y: number } }[]
         containerId?: string
@@ -1250,17 +1255,6 @@ const WorkflowContent = React.memo(() => {
     ): Edge | undefined => {
       if (!autoConnectRef.current) return undefined
 
-      // Don't auto-connect starter or annotation-only blocks
-      if (options.blockType === 'starter' || isAnnotationOnlyBlock(options.blockType)) {
-        return undefined
-      }
-
-      // Check if target is a trigger block
-      const targetBlockConfig = getBlock(options.blockType)
-      const isTargetTrigger =
-        options.enableTriggerMode || targetBlockConfig?.category === 'triggers'
-      if (isTargetTrigger) return undefined
-
       // Case 1: Adding block inside a container with existing children
       if (options.existingChildBlocks && options.existingChildBlocks.length > 0) {
         const closestBlock = findClosestBlockInSet(options.existingChildBlocks, position)
@@ -1368,7 +1362,6 @@ const WorkflowContent = React.memo(() => {
           const name = getUniqueBlockName(baseName, blocks)
 
           const autoConnectEdge = tryCreateAutoConnectEdge(position, id, {
-            blockType: data.type,
             targetParentId: null,
           })
 
@@ -1439,8 +1432,6 @@ const WorkflowContent = React.memo(() => {
             .map((b) => ({ id: b.id, type: b.type, position: b.position }))
 
           const autoConnectEdge = tryCreateAutoConnectEdge(relativePosition, id, {
-            blockType: data.type,
-            enableTriggerMode: data.enableTriggerMode,
             targetParentId: containerInfo.loopId,
             existingChildBlocks,
             containerId: containerInfo.loopId,
@@ -1469,8 +1460,6 @@ const WorkflowContent = React.memo(() => {
           if (checkTriggerConstraints(data.type)) return
 
           const autoConnectEdge = tryCreateAutoConnectEdge(position, id, {
-            blockType: data.type,
-            enableTriggerMode: data.enableTriggerMode,
             targetParentId: null,
           })
 
@@ -1526,7 +1515,6 @@ const WorkflowContent = React.memo(() => {
         const name = getUniqueBlockName(baseName, blocks)
 
         const autoConnectEdge = tryCreateAutoConnectEdge(basePosition, id, {
-          blockType: type,
           targetParentId: null,
         })
 
@@ -1562,8 +1550,6 @@ const WorkflowContent = React.memo(() => {
       const name = getUniqueBlockName(baseName, blocks)
 
       const autoConnectEdge = tryCreateAutoConnectEdge(basePosition, id, {
-        blockType: type,
-        enableTriggerMode,
         targetParentId: null,
       })
 
@@ -2364,24 +2350,6 @@ const WorkflowContent = React.memo(() => {
 
         if (!sourceNode || !targetNode) return
 
-        // Prevent connections to/from annotation-only blocks (non-executable)
-        if (
-          isAnnotationOnlyBlock(sourceNode.data?.type) ||
-          isAnnotationOnlyBlock(targetNode.data?.type)
-        ) {
-          return
-        }
-
-        // Prevent incoming connections to trigger blocks (webhook, schedule, etc.)
-        if (targetNode.data?.config?.category === 'triggers') {
-          return
-        }
-
-        // Prevent incoming connections to starter blocks (still keep separate for backward compatibility)
-        if (targetNode.data?.type === 'starter') {
-          return
-        }
-
         // Get parent information (handle container start node case)
         const sourceParentId =
           blocks[sourceNode.id]?.data?.parentId ||
@@ -2787,7 +2755,6 @@ const WorkflowContent = React.memo(() => {
           .map((b) => ({ id: b.id, type: b.type, position: b.position }))
 
         const autoConnectEdge = tryCreateAutoConnectEdge(relativePositionBefore, node.id, {
-          blockType: node.data?.type || '',
           targetParentId: potentialParentId,
           existingChildBlocks,
           containerId: potentialParentId,

apps/sim/app/workspace/[workspaceId]/w/components/preview/components/block.tsx

@@ -3,11 +3,26 @@
 import { memo, useMemo } from 'react'
 import { Handle, type NodeProps, Position } from 'reactflow'
 import { HANDLE_POSITIONS } from '@/lib/workflows/blocks/block-dimensions'
+import {
+  buildCanonicalIndex,
+  evaluateSubBlockCondition,
+  isSubBlockFeatureEnabled,
+  isSubBlockVisibleForMode,
+} from '@/lib/workflows/subblocks/visibility'
+import { getDisplayValue } from '@/app/workspace/[workspaceId]/w/[workflowId]/components/workflow-block/workflow-block'
 import { getBlock } from '@/blocks'
+import { SELECTOR_TYPES_HYDRATION_REQUIRED, type SubBlockConfig } from '@/blocks/types'
+import { useVariablesStore } from '@/stores/panel/variables/store'
+import { useWorkflowRegistry } from '@/stores/workflows/registry/store'
 
 /** Execution status for blocks in preview mode */
 type ExecutionStatus = 'success' | 'error' | 'not-executed'
 
+/** Subblock value structure matching workflow state */
+interface SubBlockValueEntry {
+  value: unknown
+}
+
 interface WorkflowPreviewBlockData {
   type: string
   name: string
@@ -18,12 +33,220 @@ interface WorkflowPreviewBlockData {
   isPreviewSelected?: boolean
   /** Execution status for highlighting error/success states */
   executionStatus?: ExecutionStatus
+  /** Subblock values from the workflow state */
+  subBlockValues?: Record<string, SubBlockValueEntry | unknown>
+}
+
+/**
+ * Extracts the raw value from a subblock value entry.
+ * Handles both wrapped ({ value: ... }) and unwrapped formats.
+ */
+function extractValue(entry: SubBlockValueEntry | unknown): unknown {
+  if (entry && typeof entry === 'object' && 'value' in entry) {
+    return (entry as SubBlockValueEntry).value
+  }
+  return entry
+}
+
+interface SubBlockRowProps {
+  title: string
+  value?: string
+  subBlock?: SubBlockConfig
+  rawValue?: unknown
+}
+
+/**
+ * Resolves dropdown/combobox value to its display label.
+ * Returns null if not a dropdown/combobox or no matching option found.
+ */
+function resolveDropdownLabel(
+  subBlock: SubBlockConfig | undefined,
+  rawValue: unknown
+): string | null {
+  if (!subBlock || (subBlock.type !== 'dropdown' && subBlock.type !== 'combobox')) return null
+  if (!rawValue || typeof rawValue !== 'string') return null
+
+  const options = typeof subBlock.options === 'function' ? subBlock.options() : subBlock.options
+  if (!options) return null
+
+  const option = options.find((opt) =>
+    typeof opt === 'string' ? opt === rawValue : opt.id === rawValue
+  )
+
+  if (!option) return null
+  return typeof option === 'string' ? option : option.label
+}
+
+/**
+ * Resolves workflow ID to workflow name using the workflow registry.
+ * Uses synchronous store access to avoid hook dependencies.
+ */
+function resolveWorkflowName(
+  subBlock: SubBlockConfig | undefined,
+  rawValue: unknown
+): string | null {
+  if (subBlock?.type !== 'workflow-selector') return null
+  if (!rawValue || typeof rawValue !== 'string') return null
+
+  const workflowMap = useWorkflowRegistry.getState().workflows
+  return workflowMap[rawValue]?.name ?? null
+}
+
+/**
+ * Type guard for variable assignments array
+ */
+function isVariableAssignmentsArray(
+  value: unknown
+): value is Array<{ id?: string; variableId?: string; variableName?: string; value: unknown }> {
+  return (
+    Array.isArray(value) &&
+    value.length > 0 &&
+    value.every(
+      (item) =>
+        typeof item === 'object' &&
+        item !== null &&
+        ('variableName' in item || 'variableId' in item)
+    )
+  )
+}
+
+/**
+ * Resolves variables-input to display names.
+ * Uses synchronous store access to avoid hook dependencies.
+ */
+function resolveVariablesDisplay(
+  subBlock: SubBlockConfig | undefined,
+  rawValue: unknown
+): string | null {
+  if (subBlock?.type !== 'variables-input') return null
+  if (!isVariableAssignmentsArray(rawValue)) return null
+
+  const variables = useVariablesStore.getState().variables
+  const variablesArray = Object.values(variables)
+
+  const names = rawValue
+    .map((a) => {
+      if (a.variableId) {
+        const variable = variablesArray.find((v) => v.id === a.variableId)
+        return variable?.name
+      }
+      if (a.variableName) return a.variableName
+      return null
+    })
+    .filter((name): name is string => !!name)
+
+  if (names.length === 0) return null
+  if (names.length === 1) return names[0]
+  if (names.length === 2) return `${names[0]}, ${names[1]}`
+  return `${names[0]}, ${names[1]} +${names.length - 2}`
+}
+
+/**
+ * Resolves tool-input to display names.
+ * Resolves built-in tools from block registry (no API needed).
+ */
+function resolveToolsDisplay(
+  subBlock: SubBlockConfig | undefined,
+  rawValue: unknown
+): string | null {
+  if (subBlock?.type !== 'tool-input') return null
+  if (!Array.isArray(rawValue) || rawValue.length === 0) return null
+
+  const toolNames = rawValue
+    .map((tool: unknown) => {
+      if (!tool || typeof tool !== 'object') return null
+      const t = tool as Record<string, unknown>
+
+      // Priority 1: Use tool.title if already populated
+      if (t.title && typeof t.title === 'string') return t.title
+
+      // Priority 2: Extract from inline schema (legacy format)
+      const schema = t.schema as Record<string, unknown> | undefined
+      if (schema?.function && typeof schema.function === 'object') {
+        const fn = schema.function as Record<string, unknown>
+        if (fn.name && typeof fn.name === 'string') return fn.name
+      }
+
+      // Priority 3: Extract from OpenAI function format
+      const fn = t.function as Record<string, unknown> | undefined
+      if (fn?.name && typeof fn.name === 'string') return fn.name
+
+      // Priority 4: Resolve built-in tool blocks from registry
+      if (
+        typeof t.type === 'string' &&
+        t.type !== 'custom-tool' &&
+        t.type !== 'mcp' &&
+        t.type !== 'workflow' &&
+        t.type !== 'workflow_input'
+      ) {
+        const blockConfig = getBlock(t.type)
+        if (blockConfig?.name) return blockConfig.name
+      }
+
+      return null
+    })
+    .filter((name): name is string => !!name)
+
+  if (toolNames.length === 0) return null
+  if (toolNames.length === 1) return toolNames[0]
+  if (toolNames.length === 2) return `${toolNames[0]}, ${toolNames[1]}`
+  return `${toolNames[0]}, ${toolNames[1]} +${toolNames.length - 2}`
+}
+
+/**
+ * Renders a single subblock row with title and optional value.
+ * Matches the SubBlockRow component in WorkflowBlock.
+ * - Masks password fields with bullets
+ * - Resolves dropdown/combobox labels
+ * - Resolves workflow names from registry
+ * - Resolves variable names from store
+ * - Resolves tool names from block registry
+ * - Shows '-' for other selector types that need hydration
+ */
+function SubBlockRow({ title, value, subBlock, rawValue }: SubBlockRowProps) {
+  // Mask password fields
+  const isPasswordField = subBlock?.password === true
+  const maskedValue = isPasswordField && value && value !== '-' ? '•••' : null
+
+  // Resolve various display names (synchronous access, matching WorkflowBlock priority)
+  const dropdownLabel = resolveDropdownLabel(subBlock, rawValue)
+  const variablesDisplay = resolveVariablesDisplay(subBlock, rawValue)
+  const toolsDisplay = resolveToolsDisplay(subBlock, rawValue)
+  const workflowName = resolveWorkflowName(subBlock, rawValue)
+
+  // Check if this is a selector type that needs hydration (show '-' for raw IDs)
+  const isSelectorType = subBlock?.type && SELECTOR_TYPES_HYDRATION_REQUIRED.includes(subBlock.type)
+
+  // Compute final display value matching WorkflowBlock logic
+  // Priority order matches WorkflowBlock: masked > hydrated names > selector fallback > raw value
+  const hydratedName = dropdownLabel || variablesDisplay || toolsDisplay || workflowName
+  const displayValue = maskedValue || hydratedName || (isSelectorType && value ? '-' : value)
+
+  return (
+    <div className='flex items-center gap-[8px]'>
+      <span
+        className='min-w-0 truncate text-[14px] text-[var(--text-tertiary)] capitalize'
+        title={title}
+      >
+        {title}
+      </span>
+      {displayValue !== undefined && (
+        <span
+          className='flex-1 truncate text-right text-[14px] text-[var(--text-primary)]'
+          title={displayValue}
+        >
+          {displayValue}
+        </span>
+      )}
+    </div>
+  )
 }
 
 /**
  * Preview block component for workflow visualization.
- * Renders block header, subblocks skeleton, and handles without
+ * Renders block header, subblock values, and handles without
  * hooks, store subscriptions, or interactive features.
+ * Matches the visual structure of WorkflowBlock exactly.
  */
 function WorkflowPreviewBlockInner({ data }: NodeProps<WorkflowPreviewBlockData>) {
   const {
@@ -34,21 +257,111 @@ function WorkflowPreviewBlockInner({ data }: NodeProps<WorkflowPreviewBlockData>
     enabled = true,
     isPreviewSelected = false,
     executionStatus,
+    subBlockValues,
   } = data
 
   const blockConfig = getBlock(type)
 
+  const canonicalIndex = useMemo(
+    () => buildCanonicalIndex(blockConfig?.subBlocks || []),
+    [blockConfig?.subBlocks]
+  )
+
+  const rawValues = useMemo(() => {
+    if (!subBlockValues) return {}
+    return Object.entries(subBlockValues).reduce<Record<string, unknown>>((acc, [key, entry]) => {
+      acc[key] = extractValue(entry)
+      return acc
+    }, {})
+  }, [subBlockValues])
+
   const visibleSubBlocks = useMemo(() => {
     if (!blockConfig?.subBlocks) return []
 
+    const isStarterOrTrigger =
+      blockConfig.category === 'triggers' || type === 'starter' || isTrigger
+
     return blockConfig.subBlocks.filter((subBlock) => {
       if (subBlock.hidden) return false
       if (subBlock.hideFromPreview) return false
-      if (subBlock.mode === 'trigger' && blockConfig.category !== 'triggers') return false
-      if (subBlock.mode === 'advanced') return false
-      return true
+      if (!isSubBlockFeatureEnabled(subBlock)) return false
+
+      // Handle trigger mode visibility
+      if (subBlock.mode === 'trigger' && !isStarterOrTrigger) return false
+
+      // Check advanced mode visibility
+      if (!isSubBlockVisibleForMode(subBlock, false, canonicalIndex, rawValues, undefined)) {
+        return false
+      }
+
+      // Check condition visibility
+      if (!subBlock.condition) return true
+      return evaluateSubBlockCondition(subBlock.condition, rawValues)
     })
-  }, [blockConfig?.subBlocks])
+  }, [blockConfig?.subBlocks, blockConfig?.category, type, isTrigger, canonicalIndex, rawValues])
+
+  /**
+   * Compute condition rows for condition blocks
+   */
+  const conditionRows = useMemo(() => {
+    if (type !== 'condition') return []
+
+    const conditionsValue = rawValues.conditions
+    const raw = typeof conditionsValue === 'string' ? conditionsValue : undefined
+
+    try {
+      if (raw) {
+        const parsed = JSON.parse(raw) as unknown
+        if (Array.isArray(parsed)) {
+          return parsed.map((item: unknown, index: number) => {
+            const conditionItem = item as { id?: string; value?: unknown }
+            const title = index === 0 ? 'if' : index === parsed.length - 1 ? 'else' : 'else if'
+            return {
+              id: conditionItem?.id ?? `cond-${index}`,
+              title,
+              value: typeof conditionItem?.value === 'string' ? conditionItem.value : '',
+            }
+          })
+        }
+      }
+    } catch {
+      // Failed to parse, use fallback
+    }
+
+    return [
+      { id: 'if', title: 'if', value: '' },
+      { id: 'else', title: 'else', value: '' },
+    ]
+  }, [type, rawValues])
+
+  /**
+   * Compute router rows for router_v2 blocks
+   */
+  const routerRows = useMemo(() => {
+    if (type !== 'router_v2') return []
+
+    const routesValue = rawValues.routes
+    const raw = typeof routesValue === 'string' ? routesValue : undefined
+
+    try {
+      if (raw) {
+        const parsed = JSON.parse(raw) as unknown
+        if (Array.isArray(parsed)) {
+          return parsed.map((item: unknown, index: number) => {
+            const routeItem = item as { id?: string; value?: string }
+            return {
+              id: routeItem?.id ?? `route${index + 1}`,
+              value: routeItem?.value ?? '',
+            }
+          })
+        }
+      }
+    } catch {
+      // Failed to parse, use fallback
+    }
+
+    return [{ id: 'route1', value: '' }]
+  }, [type, rawValues])
 
   if (!blockConfig) {
     return null
@@ -57,8 +370,14 @@ function WorkflowPreviewBlockInner({ data }: NodeProps<WorkflowPreviewBlockData>
   const IconComponent = blockConfig.icon
   const isStarterOrTrigger = blockConfig.category === 'triggers' || type === 'starter' || isTrigger
 
+  const shouldShowDefaultHandles = !isStarterOrTrigger
   const hasSubBlocks = visibleSubBlocks.length > 0
-  const showErrorRow = !isStarterOrTrigger
+  const hasContentBelowHeader =
+    type === 'condition'
+      ? conditionRows.length > 0 || shouldShowDefaultHandles
+      : type === 'router_v2'
+        ? routerRows.length > 0 || shouldShowDefaultHandles
+        : hasSubBlocks || shouldShowDefaultHandles
 
   const horizontalHandleClass = '!border-none !bg-[var(--surface-7)] !h-5 !w-[7px] !rounded-[2px]'
   const verticalHandleClass = '!border-none !bg-[var(--surface-7)] !h-[7px] !w-5 !rounded-[2px]'
@@ -67,7 +386,7 @@ function WorkflowPreviewBlockInner({ data }: NodeProps<WorkflowPreviewBlockData>
   const hasSuccess = executionStatus === 'success'
 
   return (
-    <div className='relative w-[250px] select-none rounded-[8px] border border-[var(--border)] bg-[var(--surface-2)]'>
+    <div className='relative w-[250px] select-none rounded-[8px] border border-[var(--border-1)] bg-[var(--surface-2)]'>
       {/* Selection ring overlay (takes priority over execution rings) */}
       {isPreviewSelected && (
         <div className='pointer-events-none absolute inset-0 z-40 rounded-[8px] ring-[1.75px] ring-[var(--brand-secondary)]' />
@@ -82,7 +401,7 @@ function WorkflowPreviewBlockInner({ data }: NodeProps<WorkflowPreviewBlockData>
       )}
 
       {/* Target handle - not shown for triggers/starters */}
-      {!isStarterOrTrigger && (
+      {shouldShowDefaultHandles && (
         <Handle
           type='target'
           position={horizontalHandles ? Position.Left : Position.Top}
@@ -96,49 +415,67 @@ function WorkflowPreviewBlockInner({ data }: NodeProps<WorkflowPreviewBlockData>
         />
       )}
 
-      {/* Header */}
+      {/* Header - matches WorkflowBlock structure */}
       <div
-        className={`flex items-center gap-[10px] p-[8px] ${hasSubBlocks || showErrorRow ? 'border-[var(--divider)] border-b' : ''}`}
+        className={`flex items-center justify-between p-[8px] ${hasContentBelowHeader ? 'border-[var(--border-1)] border-b' : ''}`}
       >
-        <div
-          className='flex h-[24px] w-[24px] flex-shrink-0 items-center justify-center rounded-[6px]'
-          style={{ background: enabled ? blockConfig.bgColor : 'gray' }}
-        >
-          <IconComponent className='h-[16px] w-[16px] text-white' />
+        <div className='relative z-10 flex min-w-0 flex-1 items-center gap-[10px]'>
+          <div
+            className='flex h-[24px] w-[24px] flex-shrink-0 items-center justify-center rounded-[6px]'
+            style={{ background: enabled ? blockConfig.bgColor : 'gray' }}
+          >
+            <IconComponent className='h-[16px] w-[16px] text-white' />
+          </div>
+          <span
+            className={`truncate font-medium text-[16px] ${!enabled ? 'text-[var(--text-muted)]' : ''}`}
+            title={name}
+          >
+            {name}
+          </span>
         </div>
-        <span
-          className={`truncate font-medium text-[16px] ${!enabled ? 'text-[#808080]' : ''}`}
-          title={name}
-        >
-          {name}
-        </span>
       </div>
 
-      {/* Subblocks skeleton */}
-      {(hasSubBlocks || showErrorRow) && (
+      {/* Content area with subblocks */}
+      {hasContentBelowHeader && (
         <div className='flex flex-col gap-[8px] p-[8px]'>
-          {visibleSubBlocks.slice(0, 4).map((subBlock) => (
-            <div key={subBlock.id} className='flex items-center gap-[8px]'>
-              <span className='min-w-0 truncate text-[14px] text-[var(--text-tertiary)] capitalize'>
-                {subBlock.title ?? subBlock.id}
-              </span>
-              <span className='flex-1 truncate text-right text-[14px] text-[var(--white)]'>-</span>
-            </div>
-          ))}
-          {visibleSubBlocks.length > 4 && (
-            <div className='flex items-center gap-[8px]'>
-              <span className='text-[14px] text-[var(--text-tertiary)]'>
-                +{visibleSubBlocks.length - 4} more
-              </span>
-            </div>
-          )}
-          {showErrorRow && (
-            <div className='flex items-center gap-[8px]'>
-              <span className='min-w-0 truncate text-[14px] text-[var(--text-tertiary)] capitalize'>
-                error
-              </span>
-            </div>
+          {type === 'condition' ? (
+            // Condition block: render condition rows
+            conditionRows.map((cond) => (
+              <SubBlockRow key={cond.id} title={cond.title} value={getDisplayValue(cond.value)} />
+            ))
+          ) : type === 'router_v2' ? (
+            // Router block: render context + route rows
+            <>
+              <SubBlockRow
+                key='context'
+                title='Context'
+                value={getDisplayValue(rawValues.context)}
+              />
+              {routerRows.map((route, index) => (
+                <SubBlockRow
+                  key={route.id}
+                  title={`Route ${index + 1}`}
+                  value={getDisplayValue(route.value)}
+                />
+              ))}
+            </>
+          ) : (
+            // Standard blocks: render visible subblocks
+            visibleSubBlocks.map((subBlock) => {
+              const rawValue = rawValues[subBlock.id]
+              return (
+                <SubBlockRow
+                  key={subBlock.id}
+                  title={subBlock.title ?? subBlock.id}
+                  value={getDisplayValue(rawValue)}
+                  subBlock={subBlock}
+                  rawValue={rawValue}
+                />
+              )
+            })
           )}
+          {/* Error row for non-trigger blocks */}
+          {shouldShowDefaultHandles && <SubBlockRow title='error' />}
         </div>
       )}
 
@@ -162,16 +499,47 @@ function shouldSkipPreviewBlockRender(
   prevProps: NodeProps<WorkflowPreviewBlockData>,
   nextProps: NodeProps<WorkflowPreviewBlockData>
 ): boolean {
-  return (
-    prevProps.id === nextProps.id &&
-    prevProps.data.type === nextProps.data.type &&
-    prevProps.data.name === nextProps.data.name &&
-    prevProps.data.isTrigger === nextProps.data.isTrigger &&
-    prevProps.data.horizontalHandles === nextProps.data.horizontalHandles &&
-    prevProps.data.enabled === nextProps.data.enabled &&
-    prevProps.data.isPreviewSelected === nextProps.data.isPreviewSelected &&
-    prevProps.data.executionStatus === nextProps.data.executionStatus
-  )
+  // Check primitive props first (fast path)
+  if (
+    prevProps.id !== nextProps.id ||
+    prevProps.data.type !== nextProps.data.type ||
+    prevProps.data.name !== nextProps.data.name ||
+    prevProps.data.isTrigger !== nextProps.data.isTrigger ||
+    prevProps.data.horizontalHandles !== nextProps.data.horizontalHandles ||
+    prevProps.data.enabled !== nextProps.data.enabled ||
+    prevProps.data.isPreviewSelected !== nextProps.data.isPreviewSelected ||
+    prevProps.data.executionStatus !== nextProps.data.executionStatus
+  ) {
+    return false
+  }
+
+  // Compare subBlockValues by reference first
+  const prevValues = prevProps.data.subBlockValues
+  const nextValues = nextProps.data.subBlockValues
+
+  if (prevValues === nextValues) {
+    return true
+  }
+
+  if (!prevValues || !nextValues) {
+    return false
+  }
+
+  // Shallow compare keys and values
+  const prevKeys = Object.keys(prevValues)
+  const nextKeys = Object.keys(nextValues)
+
+  if (prevKeys.length !== nextKeys.length) {
+    return false
+  }
+
+  for (const key of prevKeys) {
+    if (prevValues[key] !== nextValues[key]) {
+      return false
+    }
+  }
+
+  return true
 }
 
 export const WorkflowPreviewBlock = memo(WorkflowPreviewBlockInner, shouldSkipPreviewBlockRender)

apps/sim/app/workspace/[workspaceId]/w/components/preview/preview.tsx

@@ -347,6 +347,7 @@ export function WorkflowPreview({
           enabled: block.enabled ?? true,
           isPreviewSelected: isSelected,
           executionStatus,
+          subBlockValues: block.subBlocks,
         },
       })
     })

apps/sim/app/workspace/providers/socket-provider.tsx

@@ -352,7 +352,7 @@ export function SocketProvider({ children, user }: SocketProviderProps) {
             })
           })
 
-          useWorkflowStore.setState({
+          useWorkflowStore.getState().replaceWorkflowState({
             blocks: workflowState.blocks || {},
             edges: workflowState.edges || [],
             loops: workflowState.loops || {},

apps/sim/background/schedule-execution.ts

@@ -21,7 +21,7 @@ import {
 } from '@/lib/workflows/schedules/utils'
 import { ExecutionSnapshot } from '@/executor/execution/snapshot'
 import type { ExecutionMetadata } from '@/executor/execution/types'
-import type { ExecutionResult } from '@/executor/types'
+import { hasExecutionResult } from '@/executor/utils/errors'
 import { MAX_CONSECUTIVE_FAILURES } from '@/triggers/constants'
 
 const logger = createLogger('TriggerScheduleExecution')
@@ -231,8 +231,7 @@ async function runWorkflowExecution({
   } catch (error: unknown) {
     logger.error(`[${requestId}] Early failure in scheduled workflow ${payload.workflowId}`, error)
 
-    const errorWithResult = error as { executionResult?: ExecutionResult }
-    const executionResult = errorWithResult?.executionResult
+    const executionResult = hasExecutionResult(error) ? error.executionResult : undefined
     const { traceSpans } = executionResult ? buildTraceSpans(executionResult) : { traceSpans: [] }
 
     await loggingSession.safeCompleteWithError({