fix(notes): ghost edges (#2970 )

* fix(notes): ghost edges * fix deployed state fallback * fallback * remove UI level checks * annotation missing from autoconnect source check
fix(hitl): fix condition blocks after hitl (#2967 )
2026-01-24 14:27:56 -05:00 · 2026-01-24 11:20:28 -08:00 · 2026-01-24 10:19:19 -08:00 · 2026-01-24 10:18:13 -08:00 · 2026-01-24 10:15:52 -08:00 · 2026-01-24 02:39:13 -08:00
105 changed files with 1186 additions and 891 deletions
--- a/apps/sim/app/api/function/execute/route.test.ts
+++ b/apps/sim/app/api/function/execute/route.test.ts
@@ -85,10 +85,10 @@ vi.mock('@/lib/execution/isolated-vm', () => ({
 vi.mock('@sim/logger', () => loggerMock)

 vi.mock('@/lib/auth/hybrid', () => ({
-  checkHybridAuth: vi.fn().mockResolvedValue({
+  checkInternalAuth: vi.fn().mockResolvedValue({
    success: true,
    userId: 'user-123',
-    authType: 'session',
+    authType: 'internal_jwt',
  }),
 }))

@@ -119,8 +119,8 @@ describe('Function Execute API Route', () => {

  describe('Security Tests', () => {
    it('should reject unauthorized requests', async () => {
-      const { checkHybridAuth } = await import('@/lib/auth/hybrid')
-      vi.mocked(checkHybridAuth).mockResolvedValueOnce({
+      const { checkInternalAuth } = await import('@/lib/auth/hybrid')
+      vi.mocked(checkInternalAuth).mockResolvedValueOnce({
        success: false,
        error: 'Unauthorized',
      })
--- a/apps/sim/app/api/function/execute/route.ts
+++ b/apps/sim/app/api/function/execute/route.ts
@@ -1,6 +1,6 @@
 import { createLogger } from '@sim/logger'
 import { type NextRequest, NextResponse } from 'next/server'
-import { checkHybridAuth } from '@/lib/auth/hybrid'
+import { checkInternalAuth } from '@/lib/auth/hybrid'
 import { isE2bEnabled } from '@/lib/core/config/feature-flags'
 import { generateRequestId } from '@/lib/core/utils/request'
 import { executeInE2B } from '@/lib/execution/e2b'
@@ -582,7 +582,7 @@ export async function POST(req: NextRequest) {
  let resolvedCode = '' // Store resolved code for error reporting

  try {
-    const auth = await checkHybridAuth(req)
+    const auth = await checkInternalAuth(req)
    if (!auth.success || !auth.userId) {
      logger.warn(`[${requestId}] Unauthorized function execution attempt`)
      return NextResponse.json({ error: auth.error || 'Unauthorized' }, { status: 401 })
--- a/apps/sim/app/api/providers/route.ts
+++ b/apps/sim/app/api/providers/route.ts
@@ -3,7 +3,7 @@ import { account } from '@sim/db/schema'
 import { createLogger } from '@sim/logger'
 import { eq } from 'drizzle-orm'
 import { type NextRequest, NextResponse } from 'next/server'
-import { checkHybridAuth } from '@/lib/auth/hybrid'
+import { checkInternalAuth } from '@/lib/auth/hybrid'
 import { generateRequestId } from '@/lib/core/utils/request'
 import { checkWorkspaceAccess } from '@/lib/workspaces/permissions/utils'
 import { refreshTokenIfNeeded } from '@/app/api/auth/oauth/utils'
@@ -22,7 +22,7 @@ export async function POST(request: NextRequest) {
  const startTime = Date.now()

  try {
-    const auth = await checkHybridAuth(request, { requireWorkflowId: false })
+    const auth = await checkInternalAuth(request, { requireWorkflowId: false })
    if (!auth.success || !auth.userId) {
      return NextResponse.json({ error: 'Unauthorized' }, { status: 401 })
    }
--- a/apps/sim/app/api/tools/custom/route.test.ts
+++ b/apps/sim/app/api/tools/custom/route.test.ts
@@ -181,7 +181,7 @@ describe('Custom Tools API Routes', () => {
    }))

    vi.doMock('@/lib/auth/hybrid', () => ({
-      checkHybridAuth: vi.fn().mockResolvedValue({
+      checkSessionOrInternalAuth: vi.fn().mockResolvedValue({
        success: true,
        userId: 'user-123',
        authType: 'session',
@@ -254,7 +254,7 @@ describe('Custom Tools API Routes', () => {
      )

      vi.doMock('@/lib/auth/hybrid', () => ({
-        checkHybridAuth: vi.fn().mockResolvedValue({
+        checkSessionOrInternalAuth: vi.fn().mockResolvedValue({
          success: false,
          error: 'Unauthorized',
        }),
@@ -304,7 +304,7 @@ describe('Custom Tools API Routes', () => {
  describe('POST /api/tools/custom', () => {
    it('should reject unauthorized requests', async () => {
      vi.doMock('@/lib/auth/hybrid', () => ({
-        checkHybridAuth: vi.fn().mockResolvedValue({
+        checkSessionOrInternalAuth: vi.fn().mockResolvedValue({
          success: false,
          error: 'Unauthorized',
        }),
@@ -390,7 +390,7 @@ describe('Custom Tools API Routes', () => {

    it('should prevent unauthorized deletion of user-scoped tool', async () => {
      vi.doMock('@/lib/auth/hybrid', () => ({
-        checkHybridAuth: vi.fn().mockResolvedValue({
+        checkSessionOrInternalAuth: vi.fn().mockResolvedValue({
          success: true,
          userId: 'user-456',
          authType: 'session',
@@ -413,7 +413,7 @@ describe('Custom Tools API Routes', () => {

    it('should reject unauthorized requests', async () => {
      vi.doMock('@/lib/auth/hybrid', () => ({
-        checkHybridAuth: vi.fn().mockResolvedValue({
+        checkSessionOrInternalAuth: vi.fn().mockResolvedValue({
          success: false,
          error: 'Unauthorized',
        }),
--- a/apps/sim/app/api/tools/custom/route.ts
+++ b/apps/sim/app/api/tools/custom/route.ts
@@ -4,7 +4,7 @@ import { createLogger } from '@sim/logger'
 import { and, desc, eq, isNull, or } from 'drizzle-orm'
 import { type NextRequest, NextResponse } from 'next/server'
 import { z } from 'zod'
-import { checkHybridAuth } from '@/lib/auth/hybrid'
+import { checkSessionOrInternalAuth } from '@/lib/auth/hybrid'
 import { generateRequestId } from '@/lib/core/utils/request'
 import { upsertCustomTools } from '@/lib/workflows/custom-tools/operations'
 import { getUserEntityPermissions } from '@/lib/workspaces/permissions/utils'
@@ -42,8 +42,8 @@ export async function GET(request: NextRequest) {
  const workflowId = searchParams.get('workflowId')

  try {
-    // Use hybrid auth to support session, API key, and internal JWT
-    const authResult = await checkHybridAuth(request, { requireWorkflowId: false })
+    // Use session/internal auth to support session and internal JWT (no API key access)
+    const authResult = await checkSessionOrInternalAuth(request, { requireWorkflowId: false })
    if (!authResult.success || !authResult.userId) {
      logger.warn(`[${requestId}] Unauthorized custom tools access attempt`)
      return NextResponse.json({ error: 'Unauthorized' }, { status: 401 })
@@ -69,8 +69,8 @@ export async function GET(request: NextRequest) {
    }

    // Check workspace permissions
-    // For internal JWT with workflowId: checkHybridAuth already resolved userId from workflow owner
-    // For session/API key: verify user has access to the workspace
+    // For internal JWT with workflowId: checkSessionOrInternalAuth already resolved userId from workflow owner
+    // For session: verify user has access to the workspace
    // For legacy (no workspaceId): skip workspace check, rely on userId match
    if (resolvedWorkspaceId && !(authResult.authType === 'internal_jwt' && workflowId)) {
      const userPermission = await getUserEntityPermissions(
@@ -116,8 +116,8 @@ export async function POST(req: NextRequest) {
  const requestId = generateRequestId()

  try {
-    // Use hybrid auth (though this endpoint is only called from UI)
-    const authResult = await checkHybridAuth(req, { requireWorkflowId: false })
+    // Use session/internal auth (no API key access)
+    const authResult = await checkSessionOrInternalAuth(req, { requireWorkflowId: false })
    if (!authResult.success || !authResult.userId) {
      logger.warn(`[${requestId}] Unauthorized custom tools update attempt`)
      return NextResponse.json({ error: 'Unauthorized' }, { status: 401 })
@@ -193,8 +193,8 @@ export async function DELETE(request: NextRequest) {
  }

  try {
-    // Use hybrid auth (though this endpoint is only called from UI)
-    const authResult = await checkHybridAuth(request, { requireWorkflowId: false })
+    // Use session/internal auth (no API key access)
+    const authResult = await checkSessionOrInternalAuth(request, { requireWorkflowId: false })
    if (!authResult.success || !authResult.userId) {
      logger.warn(`[${requestId}] Unauthorized custom tool deletion attempt`)
      return NextResponse.json({ error: 'Unauthorized' }, { status: 401 })
--- a/apps/sim/app/api/tools/discord/send-message/route.ts
+++ b/apps/sim/app/api/tools/discord/send-message/route.ts
@@ -1,7 +1,7 @@
 import { createLogger } from '@sim/logger'
 import { type NextRequest, NextResponse } from 'next/server'
 import { z } from 'zod'
-import { checkHybridAuth } from '@/lib/auth/hybrid'
+import { checkInternalAuth } from '@/lib/auth/hybrid'
 import { validateNumericId } from '@/lib/core/security/input-validation'
 import { generateRequestId } from '@/lib/core/utils/request'
 import { processFilesToUserFiles } from '@/lib/uploads/utils/file-utils'
@@ -22,7 +22,7 @@ export async function POST(request: NextRequest) {
  const requestId = generateRequestId()

  try {
-    const authResult = await checkHybridAuth(request, { requireWorkflowId: false })
+    const authResult = await checkInternalAuth(request, { requireWorkflowId: false })

    if (!authResult.success) {
      logger.warn(`[${requestId}] Unauthorized Discord send attempt: ${authResult.error}`)
--- a/apps/sim/app/api/tools/gmail/add-label/route.ts
+++ b/apps/sim/app/api/tools/gmail/add-label/route.ts
@@ -1,7 +1,7 @@
 import { createLogger } from '@sim/logger'
 import { type NextRequest, NextResponse } from 'next/server'
 import { z } from 'zod'
-import { checkHybridAuth } from '@/lib/auth/hybrid'
+import { checkInternalAuth } from '@/lib/auth/hybrid'
 import { validateAlphanumericId } from '@/lib/core/security/input-validation'
 import { generateRequestId } from '@/lib/core/utils/request'

@@ -21,7 +21,7 @@ export async function POST(request: NextRequest) {
  const requestId = generateRequestId()

  try {
-    const authResult = await checkHybridAuth(request, { requireWorkflowId: false })
+    const authResult = await checkInternalAuth(request, { requireWorkflowId: false })

    if (!authResult.success) {
      logger.warn(`[${requestId}] Unauthorized Gmail add label attempt: ${authResult.error}`)
--- a/apps/sim/app/api/tools/gmail/archive/route.ts
+++ b/apps/sim/app/api/tools/gmail/archive/route.ts
@@ -1,7 +1,7 @@
 import { createLogger } from '@sim/logger'
 import { type NextRequest, NextResponse } from 'next/server'
 import { z } from 'zod'
-import { checkHybridAuth } from '@/lib/auth/hybrid'
+import { checkInternalAuth } from '@/lib/auth/hybrid'
 import { generateRequestId } from '@/lib/core/utils/request'

 export const dynamic = 'force-dynamic'
@@ -19,7 +19,7 @@ export async function POST(request: NextRequest) {
  const requestId = generateRequestId()

  try {
-    const authResult = await checkHybridAuth(request, { requireWorkflowId: false })
+    const authResult = await checkInternalAuth(request, { requireWorkflowId: false })

    if (!authResult.success) {
      logger.warn(`[${requestId}] Unauthorized Gmail archive attempt: ${authResult.error}`)
--- a/apps/sim/app/api/tools/gmail/delete/route.ts
+++ b/apps/sim/app/api/tools/gmail/delete/route.ts
@@ -1,7 +1,7 @@
 import { createLogger } from '@sim/logger'
 import { type NextRequest, NextResponse } from 'next/server'
 import { z } from 'zod'
-import { checkHybridAuth } from '@/lib/auth/hybrid'
+import { checkInternalAuth } from '@/lib/auth/hybrid'
 import { generateRequestId } from '@/lib/core/utils/request'

 export const dynamic = 'force-dynamic'
@@ -19,7 +19,7 @@ export async function POST(request: NextRequest) {
  const requestId = generateRequestId()

  try {
-    const authResult = await checkHybridAuth(request, { requireWorkflowId: false })
+    const authResult = await checkInternalAuth(request, { requireWorkflowId: false })

    if (!authResult.success) {
      logger.warn(`[${requestId}] Unauthorized Gmail delete attempt: ${authResult.error}`)
--- a/apps/sim/app/api/tools/gmail/draft/route.ts
+++ b/apps/sim/app/api/tools/gmail/draft/route.ts
@@ -1,7 +1,7 @@
 import { createLogger } from '@sim/logger'
 import { type NextRequest, NextResponse } from 'next/server'
 import { z } from 'zod'
-import { checkHybridAuth } from '@/lib/auth/hybrid'
+import { checkInternalAuth } from '@/lib/auth/hybrid'
 import { generateRequestId } from '@/lib/core/utils/request'
 import { processFilesToUserFiles } from '@/lib/uploads/utils/file-utils'
 import { downloadFileFromStorage } from '@/lib/uploads/utils/file-utils.server'
@@ -35,7 +35,7 @@ export async function POST(request: NextRequest) {
  const requestId = generateRequestId()

  try {
-    const authResult = await checkHybridAuth(request, { requireWorkflowId: false })
+    const authResult = await checkInternalAuth(request, { requireWorkflowId: false })

    if (!authResult.success) {
      logger.warn(`[${requestId}] Unauthorized Gmail draft attempt: ${authResult.error}`)
--- a/apps/sim/app/api/tools/gmail/mark-read/route.ts
+++ b/apps/sim/app/api/tools/gmail/mark-read/route.ts
@@ -1,7 +1,7 @@
 import { createLogger } from '@sim/logger'
 import { type NextRequest, NextResponse } from 'next/server'
 import { z } from 'zod'
-import { checkHybridAuth } from '@/lib/auth/hybrid'
+import { checkInternalAuth } from '@/lib/auth/hybrid'
 import { generateRequestId } from '@/lib/core/utils/request'

 export const dynamic = 'force-dynamic'
@@ -19,7 +19,7 @@ export async function POST(request: NextRequest) {
  const requestId = generateRequestId()

  try {
-    const authResult = await checkHybridAuth(request, { requireWorkflowId: false })
+    const authResult = await checkInternalAuth(request, { requireWorkflowId: false })

    if (!authResult.success) {
      logger.warn(`[${requestId}] Unauthorized Gmail mark read attempt: ${authResult.error}`)
--- a/apps/sim/app/api/tools/gmail/mark-unread/route.ts
+++ b/apps/sim/app/api/tools/gmail/mark-unread/route.ts
@@ -1,7 +1,7 @@
 import { createLogger } from '@sim/logger'
 import { type NextRequest, NextResponse } from 'next/server'
 import { z } from 'zod'
-import { checkHybridAuth } from '@/lib/auth/hybrid'
+import { checkInternalAuth } from '@/lib/auth/hybrid'
 import { generateRequestId } from '@/lib/core/utils/request'

 export const dynamic = 'force-dynamic'
@@ -19,7 +19,7 @@ export async function POST(request: NextRequest) {
  const requestId = generateRequestId()

  try {
-    const authResult = await checkHybridAuth(request, { requireWorkflowId: false })
+    const authResult = await checkInternalAuth(request, { requireWorkflowId: false })

    if (!authResult.success) {
      logger.warn(`[${requestId}] Unauthorized Gmail mark unread attempt: ${authResult.error}`)
--- a/apps/sim/app/api/tools/gmail/move/route.ts
+++ b/apps/sim/app/api/tools/gmail/move/route.ts
@@ -1,7 +1,7 @@
 import { createLogger } from '@sim/logger'
 import { type NextRequest, NextResponse } from 'next/server'
 import { z } from 'zod'
-import { checkHybridAuth } from '@/lib/auth/hybrid'
+import { checkInternalAuth } from '@/lib/auth/hybrid'
 import { generateRequestId } from '@/lib/core/utils/request'

 export const dynamic = 'force-dynamic'
@@ -21,7 +21,7 @@ export async function POST(request: NextRequest) {
  const requestId = generateRequestId()

  try {
-    const authResult = await checkHybridAuth(request, { requireWorkflowId: false })
+    const authResult = await checkInternalAuth(request, { requireWorkflowId: false })

    if (!authResult.success) {
      logger.warn(`[${requestId}] Unauthorized Gmail move attempt: ${authResult.error}`)
--- a/apps/sim/app/api/tools/gmail/remove-label/route.ts
+++ b/apps/sim/app/api/tools/gmail/remove-label/route.ts
@@ -1,7 +1,7 @@
 import { createLogger } from '@sim/logger'
 import { type NextRequest, NextResponse } from 'next/server'
 import { z } from 'zod'
-import { checkHybridAuth } from '@/lib/auth/hybrid'
+import { checkInternalAuth } from '@/lib/auth/hybrid'
 import { validateAlphanumericId } from '@/lib/core/security/input-validation'
 import { generateRequestId } from '@/lib/core/utils/request'

@@ -21,7 +21,7 @@ export async function POST(request: NextRequest) {
  const requestId = generateRequestId()

  try {
-    const authResult = await checkHybridAuth(request, { requireWorkflowId: false })
+    const authResult = await checkInternalAuth(request, { requireWorkflowId: false })

    if (!authResult.success) {
      logger.warn(`[${requestId}] Unauthorized Gmail remove label attempt: ${authResult.error}`)
--- a/apps/sim/app/api/tools/gmail/send/route.ts
+++ b/apps/sim/app/api/tools/gmail/send/route.ts
@@ -1,7 +1,7 @@
 import { createLogger } from '@sim/logger'
 import { type NextRequest, NextResponse } from 'next/server'
 import { z } from 'zod'
-import { checkHybridAuth } from '@/lib/auth/hybrid'
+import { checkInternalAuth } from '@/lib/auth/hybrid'
 import { generateRequestId } from '@/lib/core/utils/request'
 import { processFilesToUserFiles } from '@/lib/uploads/utils/file-utils'
 import { downloadFileFromStorage } from '@/lib/uploads/utils/file-utils.server'
@@ -35,7 +35,7 @@ export async function POST(request: NextRequest) {
  const requestId = generateRequestId()

  try {
-    const authResult = await checkHybridAuth(request, { requireWorkflowId: false })
+    const authResult = await checkInternalAuth(request, { requireWorkflowId: false })

    if (!authResult.success) {
      logger.warn(`[${requestId}] Unauthorized Gmail send attempt: ${authResult.error}`)
--- a/apps/sim/app/api/tools/gmail/unarchive/route.ts
+++ b/apps/sim/app/api/tools/gmail/unarchive/route.ts
@@ -1,7 +1,7 @@
 import { createLogger } from '@sim/logger'
 import { type NextRequest, NextResponse } from 'next/server'
 import { z } from 'zod'
-import { checkHybridAuth } from '@/lib/auth/hybrid'
+import { checkInternalAuth } from '@/lib/auth/hybrid'
 import { generateRequestId } from '@/lib/core/utils/request'

 export const dynamic = 'force-dynamic'
@@ -19,7 +19,7 @@ export async function POST(request: NextRequest) {
  const requestId = generateRequestId()

  try {
-    const authResult = await checkHybridAuth(request, { requireWorkflowId: false })
+    const authResult = await checkInternalAuth(request, { requireWorkflowId: false })

    if (!authResult.success) {
      logger.warn(`[${requestId}] Unauthorized Gmail unarchive attempt: ${authResult.error}`)
--- a/apps/sim/app/api/tools/google_drive/upload/route.ts
+++ b/apps/sim/app/api/tools/google_drive/upload/route.ts
@@ -1,7 +1,7 @@
 import { createLogger } from '@sim/logger'
 import { type NextRequest, NextResponse } from 'next/server'
 import { z } from 'zod'
-import { checkHybridAuth } from '@/lib/auth/hybrid'
+import { checkInternalAuth } from '@/lib/auth/hybrid'
 import { generateRequestId } from '@/lib/core/utils/request'
 import { processSingleFileToUserFile } from '@/lib/uploads/utils/file-utils'
 import { downloadFileFromStorage } from '@/lib/uploads/utils/file-utils.server'
@@ -56,7 +56,7 @@ export async function POST(request: NextRequest) {
  const requestId = generateRequestId()

  try {
-    const authResult = await checkHybridAuth(request, { requireWorkflowId: false })
+    const authResult = await checkInternalAuth(request, { requireWorkflowId: false })

    if (!authResult.success) {
      logger.warn(`[${requestId}] Unauthorized Google Drive upload attempt: ${authResult.error}`)
--- a/apps/sim/app/api/tools/image/route.ts
+++ b/apps/sim/app/api/tools/image/route.ts
@@ -1,6 +1,6 @@
 import { createLogger } from '@sim/logger'
 import { type NextRequest, NextResponse } from 'next/server'
-import { checkHybridAuth } from '@/lib/auth/hybrid'
+import { checkInternalAuth } from '@/lib/auth/hybrid'
 import { validateImageUrl } from '@/lib/core/security/input-validation'
 import { generateRequestId } from '@/lib/core/utils/request'

@@ -15,7 +15,7 @@ export async function GET(request: NextRequest) {
  const imageUrl = url.searchParams.get('url')
  const requestId = generateRequestId()

-  const authResult = await checkHybridAuth(request, { requireWorkflowId: false })
+  const authResult = await checkInternalAuth(request, { requireWorkflowId: false })
  if (!authResult.success) {
    logger.error(`[${requestId}] Authentication failed for image proxy:`, authResult.error)
    return new NextResponse('Unauthorized', { status: 401 })
--- a/apps/sim/app/api/tools/mail/send/route.ts
+++ b/apps/sim/app/api/tools/mail/send/route.ts
@@ -2,7 +2,7 @@ import { createLogger } from '@sim/logger'
 import { type NextRequest, NextResponse } from 'next/server'
 import { Resend } from 'resend'
 import { z } from 'zod'
-import { checkHybridAuth } from '@/lib/auth/hybrid'
+import { checkInternalAuth } from '@/lib/auth/hybrid'
 import { generateRequestId } from '@/lib/core/utils/request'

 export const dynamic = 'force-dynamic'
@@ -22,7 +22,7 @@ export async function POST(request: NextRequest) {
  const requestId = generateRequestId()

  try {
-    const authResult = await checkHybridAuth(request, { requireWorkflowId: false })
+    const authResult = await checkInternalAuth(request, { requireWorkflowId: false })

    if (!authResult.success) {
      logger.warn(`[${requestId}] Unauthorized mail send attempt: ${authResult.error}`)
--- a/apps/sim/app/api/tools/microsoft_teams/delete_chat_message/route.ts
+++ b/apps/sim/app/api/tools/microsoft_teams/delete_chat_message/route.ts
@@ -1,7 +1,7 @@
 import { createLogger } from '@sim/logger'
 import { type NextRequest, NextResponse } from 'next/server'
 import { z } from 'zod'
-import { checkHybridAuth } from '@/lib/auth/hybrid'
+import { checkInternalAuth } from '@/lib/auth/hybrid'
 import { generateRequestId } from '@/lib/core/utils/request'

 export const dynamic = 'force-dynamic'
@@ -18,7 +18,7 @@ export async function POST(request: NextRequest) {
  const requestId = generateRequestId()

  try {
-    const authResult = await checkHybridAuth(request, { requireWorkflowId: false })
+    const authResult = await checkInternalAuth(request, { requireWorkflowId: false })

    if (!authResult.success) {
      logger.warn(`[${requestId}] Unauthorized Teams chat delete attempt: ${authResult.error}`)
--- a/apps/sim/app/api/tools/microsoft_teams/write_channel/route.ts
+++ b/apps/sim/app/api/tools/microsoft_teams/write_channel/route.ts
@@ -1,7 +1,7 @@
 import { createLogger } from '@sim/logger'
 import { type NextRequest, NextResponse } from 'next/server'
 import { z } from 'zod'
-import { checkHybridAuth } from '@/lib/auth/hybrid'
+import { checkInternalAuth } from '@/lib/auth/hybrid'
 import { generateRequestId } from '@/lib/core/utils/request'
 import { processFilesToUserFiles } from '@/lib/uploads/utils/file-utils'
 import { downloadFileFromStorage } from '@/lib/uploads/utils/file-utils.server'
@@ -23,7 +23,7 @@ export async function POST(request: NextRequest) {
  const requestId = generateRequestId()

  try {
-    const authResult = await checkHybridAuth(request, { requireWorkflowId: false })
+    const authResult = await checkInternalAuth(request, { requireWorkflowId: false })

    if (!authResult.success) {
      logger.warn(`[${requestId}] Unauthorized Teams channel write attempt: ${authResult.error}`)
--- a/apps/sim/app/api/tools/microsoft_teams/write_chat/route.ts
+++ b/apps/sim/app/api/tools/microsoft_teams/write_chat/route.ts
@@ -1,7 +1,7 @@
 import { createLogger } from '@sim/logger'
 import { type NextRequest, NextResponse } from 'next/server'
 import { z } from 'zod'
-import { checkHybridAuth } from '@/lib/auth/hybrid'
+import { checkInternalAuth } from '@/lib/auth/hybrid'
 import { generateRequestId } from '@/lib/core/utils/request'
 import { processFilesToUserFiles } from '@/lib/uploads/utils/file-utils'
 import { downloadFileFromStorage } from '@/lib/uploads/utils/file-utils.server'
@@ -22,7 +22,7 @@ export async function POST(request: NextRequest) {
  const requestId = generateRequestId()

  try {
-    const authResult = await checkHybridAuth(request, { requireWorkflowId: false })
+    const authResult = await checkInternalAuth(request, { requireWorkflowId: false })

    if (!authResult.success) {
      logger.warn(`[${requestId}] Unauthorized Teams chat write attempt: ${authResult.error}`)
--- a/apps/sim/app/api/tools/mistral/parse/route.ts
+++ b/apps/sim/app/api/tools/mistral/parse/route.ts
@@ -1,7 +1,7 @@
 import { createLogger } from '@sim/logger'
 import { type NextRequest, NextResponse } from 'next/server'
 import { z } from 'zod'
-import { checkHybridAuth } from '@/lib/auth/hybrid'
+import { checkInternalAuth } from '@/lib/auth/hybrid'
 import { generateRequestId } from '@/lib/core/utils/request'
 import { getBaseUrl } from '@/lib/core/utils/urls'
 import { StorageService } from '@/lib/uploads'
@@ -30,7 +30,7 @@ export async function POST(request: NextRequest) {
  const requestId = generateRequestId()

  try {
-    const authResult = await checkHybridAuth(request, { requireWorkflowId: false })
+    const authResult = await checkInternalAuth(request, { requireWorkflowId: false })

    if (!authResult.success || !authResult.userId) {
      logger.warn(`[${requestId}] Unauthorized Mistral parse attempt`, {
--- a/apps/sim/app/api/tools/mysql/delete/route.ts
+++ b/apps/sim/app/api/tools/mysql/delete/route.ts
@@ -2,7 +2,7 @@ import { randomUUID } from 'crypto'
 import { createLogger } from '@sim/logger'
 import { type NextRequest, NextResponse } from 'next/server'
 import { z } from 'zod'
-import { checkHybridAuth } from '@/lib/auth/hybrid'
+import { checkInternalAuth } from '@/lib/auth/hybrid'
 import { buildDeleteQuery, createMySQLConnection, executeQuery } from '@/app/api/tools/mysql/utils'

 const logger = createLogger('MySQLDeleteAPI')
@@ -22,7 +22,7 @@ export async function POST(request: NextRequest) {
  const requestId = randomUUID().slice(0, 8)

  try {
-    const auth = await checkHybridAuth(request)
+    const auth = await checkInternalAuth(request)
    if (!auth.success || !auth.userId) {
      logger.warn(`[${requestId}] Unauthorized MySQL delete attempt`)
      return NextResponse.json({ error: auth.error || 'Unauthorized' }, { status: 401 })
--- a/apps/sim/app/api/tools/mysql/execute/route.ts
+++ b/apps/sim/app/api/tools/mysql/execute/route.ts
@@ -2,7 +2,7 @@ import { randomUUID } from 'crypto'
 import { createLogger } from '@sim/logger'
 import { type NextRequest, NextResponse } from 'next/server'
 import { z } from 'zod'
-import { checkHybridAuth } from '@/lib/auth/hybrid'
+import { checkInternalAuth } from '@/lib/auth/hybrid'
 import { createMySQLConnection, executeQuery, validateQuery } from '@/app/api/tools/mysql/utils'

 const logger = createLogger('MySQLExecuteAPI')
@@ -21,7 +21,7 @@ export async function POST(request: NextRequest) {
  const requestId = randomUUID().slice(0, 8)

  try {
-    const auth = await checkHybridAuth(request)
+    const auth = await checkInternalAuth(request)
    if (!auth.success || !auth.userId) {
      logger.warn(`[${requestId}] Unauthorized MySQL execute attempt`)
      return NextResponse.json({ error: auth.error || 'Unauthorized' }, { status: 401 })
--- a/apps/sim/app/api/tools/mysql/insert/route.ts
+++ b/apps/sim/app/api/tools/mysql/insert/route.ts
@@ -2,7 +2,7 @@ import { randomUUID } from 'crypto'
 import { createLogger } from '@sim/logger'
 import { type NextRequest, NextResponse } from 'next/server'
 import { z } from 'zod'
-import { checkHybridAuth } from '@/lib/auth/hybrid'
+import { checkInternalAuth } from '@/lib/auth/hybrid'
 import { buildInsertQuery, createMySQLConnection, executeQuery } from '@/app/api/tools/mysql/utils'

 const logger = createLogger('MySQLInsertAPI')
@@ -43,7 +43,7 @@ export async function POST(request: NextRequest) {
  const requestId = randomUUID().slice(0, 8)

  try {
-    const auth = await checkHybridAuth(request)
+    const auth = await checkInternalAuth(request)
    if (!auth.success || !auth.userId) {
      logger.warn(`[${requestId}] Unauthorized MySQL insert attempt`)
      return NextResponse.json({ error: auth.error || 'Unauthorized' }, { status: 401 })
--- a/apps/sim/app/api/tools/mysql/introspect/route.ts
+++ b/apps/sim/app/api/tools/mysql/introspect/route.ts
@@ -2,7 +2,7 @@ import { randomUUID } from 'crypto'
 import { createLogger } from '@sim/logger'
 import { type NextRequest, NextResponse } from 'next/server'
 import { z } from 'zod'
-import { checkHybridAuth } from '@/lib/auth/hybrid'
+import { checkInternalAuth } from '@/lib/auth/hybrid'
 import { createMySQLConnection, executeIntrospect } from '@/app/api/tools/mysql/utils'

 const logger = createLogger('MySQLIntrospectAPI')
@@ -20,7 +20,7 @@ export async function POST(request: NextRequest) {
  const requestId = randomUUID().slice(0, 8)

  try {
-    const auth = await checkHybridAuth(request)
+    const auth = await checkInternalAuth(request)
    if (!auth.success || !auth.userId) {
      logger.warn(`[${requestId}] Unauthorized MySQL introspect attempt`)
      return NextResponse.json({ error: auth.error || 'Unauthorized' }, { status: 401 })
--- a/apps/sim/app/api/tools/mysql/query/route.ts
+++ b/apps/sim/app/api/tools/mysql/query/route.ts
@@ -2,7 +2,7 @@ import { randomUUID } from 'crypto'
 import { createLogger } from '@sim/logger'
 import { type NextRequest, NextResponse } from 'next/server'
 import { z } from 'zod'
-import { checkHybridAuth } from '@/lib/auth/hybrid'
+import { checkInternalAuth } from '@/lib/auth/hybrid'
 import { createMySQLConnection, executeQuery, validateQuery } from '@/app/api/tools/mysql/utils'

 const logger = createLogger('MySQLQueryAPI')
@@ -21,7 +21,7 @@ export async function POST(request: NextRequest) {
  const requestId = randomUUID().slice(0, 8)

  try {
-    const auth = await checkHybridAuth(request)
+    const auth = await checkInternalAuth(request)
    if (!auth.success || !auth.userId) {
      logger.warn(`[${requestId}] Unauthorized MySQL query attempt`)
      return NextResponse.json({ error: auth.error || 'Unauthorized' }, { status: 401 })
--- a/apps/sim/app/api/tools/mysql/update/route.ts
+++ b/apps/sim/app/api/tools/mysql/update/route.ts
@@ -2,7 +2,7 @@ import { randomUUID } from 'crypto'
 import { createLogger } from '@sim/logger'
 import { type NextRequest, NextResponse } from 'next/server'
 import { z } from 'zod'
-import { checkHybridAuth } from '@/lib/auth/hybrid'
+import { checkInternalAuth } from '@/lib/auth/hybrid'
 import { buildUpdateQuery, createMySQLConnection, executeQuery } from '@/app/api/tools/mysql/utils'

 const logger = createLogger('MySQLUpdateAPI')
@@ -41,7 +41,7 @@ export async function POST(request: NextRequest) {
  const requestId = randomUUID().slice(0, 8)

  try {
-    const auth = await checkHybridAuth(request)
+    const auth = await checkInternalAuth(request)
    if (!auth.success || !auth.userId) {
      logger.warn(`[${requestId}] Unauthorized MySQL update attempt`)
      return NextResponse.json({ error: auth.error || 'Unauthorized' }, { status: 401 })
--- a/apps/sim/app/api/tools/onedrive/upload/route.ts
+++ b/apps/sim/app/api/tools/onedrive/upload/route.ts
@@ -2,7 +2,7 @@ import { createLogger } from '@sim/logger'
 import { type NextRequest, NextResponse } from 'next/server'
 import * as XLSX from 'xlsx'
 import { z } from 'zod'
-import { checkHybridAuth } from '@/lib/auth/hybrid'
+import { checkInternalAuth } from '@/lib/auth/hybrid'
 import { validateMicrosoftGraphId } from '@/lib/core/security/input-validation'
 import { generateRequestId } from '@/lib/core/utils/request'
 import {
@@ -39,7 +39,7 @@ export async function POST(request: NextRequest) {
  const requestId = generateRequestId()

  try {
-    const authResult = await checkHybridAuth(request, { requireWorkflowId: false })
+    const authResult = await checkInternalAuth(request, { requireWorkflowId: false })

    if (!authResult.success) {
      logger.warn(`[${requestId}] Unauthorized OneDrive upload attempt: ${authResult.error}`)
--- a/apps/sim/app/api/tools/outlook/copy/route.ts
+++ b/apps/sim/app/api/tools/outlook/copy/route.ts
@@ -1,7 +1,7 @@
 import { createLogger } from '@sim/logger'
 import { type NextRequest, NextResponse } from 'next/server'
 import { z } from 'zod'
-import { checkHybridAuth } from '@/lib/auth/hybrid'
+import { checkInternalAuth } from '@/lib/auth/hybrid'
 import { generateRequestId } from '@/lib/core/utils/request'

 export const dynamic = 'force-dynamic'
@@ -18,7 +18,7 @@ export async function POST(request: NextRequest) {
  const requestId = generateRequestId()

  try {
-    const authResult = await checkHybridAuth(request, { requireWorkflowId: false })
+    const authResult = await checkInternalAuth(request, { requireWorkflowId: false })

    if (!authResult.success) {
      logger.warn(`[${requestId}] Unauthorized Outlook copy attempt: ${authResult.error}`)
--- a/apps/sim/app/api/tools/outlook/delete/route.ts
+++ b/apps/sim/app/api/tools/outlook/delete/route.ts
@@ -1,7 +1,7 @@
 import { createLogger } from '@sim/logger'
 import { type NextRequest, NextResponse } from 'next/server'
 import { z } from 'zod'
-import { checkHybridAuth } from '@/lib/auth/hybrid'
+import { checkInternalAuth } from '@/lib/auth/hybrid'
 import { generateRequestId } from '@/lib/core/utils/request'

 export const dynamic = 'force-dynamic'
@@ -17,7 +17,7 @@ export async function POST(request: NextRequest) {
  const requestId = generateRequestId()

  try {
-    const authResult = await checkHybridAuth(request, { requireWorkflowId: false })
+    const authResult = await checkInternalAuth(request, { requireWorkflowId: false })

    if (!authResult.success) {
      logger.warn(`[${requestId}] Unauthorized Outlook delete attempt: ${authResult.error}`)
--- a/apps/sim/app/api/tools/outlook/draft/route.ts
+++ b/apps/sim/app/api/tools/outlook/draft/route.ts
@@ -1,7 +1,7 @@
 import { createLogger } from '@sim/logger'
 import { type NextRequest, NextResponse } from 'next/server'
 import { z } from 'zod'
-import { checkHybridAuth } from '@/lib/auth/hybrid'
+import { checkInternalAuth } from '@/lib/auth/hybrid'
 import { generateRequestId } from '@/lib/core/utils/request'
 import { processFilesToUserFiles } from '@/lib/uploads/utils/file-utils'
 import { downloadFileFromStorage } from '@/lib/uploads/utils/file-utils.server'
@@ -25,7 +25,7 @@ export async function POST(request: NextRequest) {
  const requestId = generateRequestId()

  try {
-    const authResult = await checkHybridAuth(request, { requireWorkflowId: false })
+    const authResult = await checkInternalAuth(request, { requireWorkflowId: false })

    if (!authResult.success) {
      logger.warn(`[${requestId}] Unauthorized Outlook draft attempt: ${authResult.error}`)
--- a/apps/sim/app/api/tools/outlook/mark-read/route.ts
+++ b/apps/sim/app/api/tools/outlook/mark-read/route.ts
@@ -1,7 +1,7 @@
 import { createLogger } from '@sim/logger'
 import { type NextRequest, NextResponse } from 'next/server'
 import { z } from 'zod'
-import { checkHybridAuth } from '@/lib/auth/hybrid'
+import { checkInternalAuth } from '@/lib/auth/hybrid'
 import { generateRequestId } from '@/lib/core/utils/request'

 export const dynamic = 'force-dynamic'
@@ -17,7 +17,7 @@ export async function POST(request: NextRequest) {
  const requestId = generateRequestId()

  try {
-    const authResult = await checkHybridAuth(request, { requireWorkflowId: false })
+    const authResult = await checkInternalAuth(request, { requireWorkflowId: false })

    if (!authResult.success) {
      logger.warn(`[${requestId}] Unauthorized Outlook mark read attempt: ${authResult.error}`)
--- a/apps/sim/app/api/tools/outlook/mark-unread/route.ts
+++ b/apps/sim/app/api/tools/outlook/mark-unread/route.ts
@@ -1,7 +1,7 @@
 import { createLogger } from '@sim/logger'
 import { type NextRequest, NextResponse } from 'next/server'
 import { z } from 'zod'
-import { checkHybridAuth } from '@/lib/auth/hybrid'
+import { checkInternalAuth } from '@/lib/auth/hybrid'
 import { generateRequestId } from '@/lib/core/utils/request'

 export const dynamic = 'force-dynamic'
@@ -17,7 +17,7 @@ export async function POST(request: NextRequest) {
  const requestId = generateRequestId()

  try {
-    const authResult = await checkHybridAuth(request, { requireWorkflowId: false })
+    const authResult = await checkInternalAuth(request, { requireWorkflowId: false })

    if (!authResult.success) {
      logger.warn(`[${requestId}] Unauthorized Outlook mark unread attempt: ${authResult.error}`)
--- a/apps/sim/app/api/tools/outlook/move/route.ts
+++ b/apps/sim/app/api/tools/outlook/move/route.ts
@@ -1,7 +1,7 @@
 import { createLogger } from '@sim/logger'
 import { type NextRequest, NextResponse } from 'next/server'
 import { z } from 'zod'
-import { checkHybridAuth } from '@/lib/auth/hybrid'
+import { checkInternalAuth } from '@/lib/auth/hybrid'
 import { generateRequestId } from '@/lib/core/utils/request'

 export const dynamic = 'force-dynamic'
@@ -18,7 +18,7 @@ export async function POST(request: NextRequest) {
  const requestId = generateRequestId()

  try {
-    const authResult = await checkHybridAuth(request, { requireWorkflowId: false })
+    const authResult = await checkInternalAuth(request, { requireWorkflowId: false })

    if (!authResult.success) {
      logger.warn(`[${requestId}] Unauthorized Outlook move attempt: ${authResult.error}`)
--- a/apps/sim/app/api/tools/outlook/send/route.ts
+++ b/apps/sim/app/api/tools/outlook/send/route.ts
@@ -1,7 +1,7 @@
 import { createLogger } from '@sim/logger'
 import { type NextRequest, NextResponse } from 'next/server'
 import { z } from 'zod'
-import { checkHybridAuth } from '@/lib/auth/hybrid'
+import { checkInternalAuth } from '@/lib/auth/hybrid'
 import { generateRequestId } from '@/lib/core/utils/request'
 import { processFilesToUserFiles } from '@/lib/uploads/utils/file-utils'
 import { downloadFileFromStorage } from '@/lib/uploads/utils/file-utils.server'
@@ -27,7 +27,7 @@ export async function POST(request: NextRequest) {
  const requestId = generateRequestId()

  try {
-    const authResult = await checkHybridAuth(request, { requireWorkflowId: false })
+    const authResult = await checkInternalAuth(request, { requireWorkflowId: false })

    if (!authResult.success) {
      logger.warn(`[${requestId}] Unauthorized Outlook send attempt: ${authResult.error}`)
--- a/apps/sim/app/api/tools/postgresql/delete/route.ts
+++ b/apps/sim/app/api/tools/postgresql/delete/route.ts
@@ -2,7 +2,7 @@ import { randomUUID } from 'crypto'
 import { createLogger } from '@sim/logger'
 import { type NextRequest, NextResponse } from 'next/server'
 import { z } from 'zod'
-import { checkHybridAuth } from '@/lib/auth/hybrid'
+import { checkInternalAuth } from '@/lib/auth/hybrid'
 import { createPostgresConnection, executeDelete } from '@/app/api/tools/postgresql/utils'

 const logger = createLogger('PostgreSQLDeleteAPI')
@@ -22,7 +22,7 @@ export async function POST(request: NextRequest) {
  const requestId = randomUUID().slice(0, 8)

  try {
-    const auth = await checkHybridAuth(request)
+    const auth = await checkInternalAuth(request)
    if (!auth.success || !auth.userId) {
      logger.warn(`[${requestId}] Unauthorized PostgreSQL delete attempt`)
      return NextResponse.json({ error: auth.error || 'Unauthorized' }, { status: 401 })
--- a/apps/sim/app/api/tools/postgresql/execute/route.ts
+++ b/apps/sim/app/api/tools/postgresql/execute/route.ts
@@ -2,7 +2,7 @@ import { randomUUID } from 'crypto'
 import { createLogger } from '@sim/logger'
 import { type NextRequest, NextResponse } from 'next/server'
 import { z } from 'zod'
-import { checkHybridAuth } from '@/lib/auth/hybrid'
+import { checkInternalAuth } from '@/lib/auth/hybrid'
 import {
  createPostgresConnection,
  executeQuery,
@@ -25,7 +25,7 @@ export async function POST(request: NextRequest) {
  const requestId = randomUUID().slice(0, 8)

  try {
-    const auth = await checkHybridAuth(request)
+    const auth = await checkInternalAuth(request)
    if (!auth.success || !auth.userId) {
      logger.warn(`[${requestId}] Unauthorized PostgreSQL execute attempt`)
      return NextResponse.json({ error: auth.error || 'Unauthorized' }, { status: 401 })
--- a/apps/sim/app/api/tools/postgresql/insert/route.ts
+++ b/apps/sim/app/api/tools/postgresql/insert/route.ts
@@ -2,7 +2,7 @@ import { randomUUID } from 'crypto'
 import { createLogger } from '@sim/logger'
 import { type NextRequest, NextResponse } from 'next/server'
 import { z } from 'zod'
-import { checkHybridAuth } from '@/lib/auth/hybrid'
+import { checkInternalAuth } from '@/lib/auth/hybrid'
 import { createPostgresConnection, executeInsert } from '@/app/api/tools/postgresql/utils'

 const logger = createLogger('PostgreSQLInsertAPI')
@@ -43,7 +43,7 @@ export async function POST(request: NextRequest) {
  const requestId = randomUUID().slice(0, 8)

  try {
-    const auth = await checkHybridAuth(request)
+    const auth = await checkInternalAuth(request)
    if (!auth.success || !auth.userId) {
      logger.warn(`[${requestId}] Unauthorized PostgreSQL insert attempt`)
      return NextResponse.json({ error: auth.error || 'Unauthorized' }, { status: 401 })
--- a/apps/sim/app/api/tools/postgresql/introspect/route.ts
+++ b/apps/sim/app/api/tools/postgresql/introspect/route.ts
@@ -2,7 +2,7 @@ import { randomUUID } from 'crypto'
 import { createLogger } from '@sim/logger'
 import { type NextRequest, NextResponse } from 'next/server'
 import { z } from 'zod'
-import { checkHybridAuth } from '@/lib/auth/hybrid'
+import { checkInternalAuth } from '@/lib/auth/hybrid'
 import { createPostgresConnection, executeIntrospect } from '@/app/api/tools/postgresql/utils'

 const logger = createLogger('PostgreSQLIntrospectAPI')
@@ -21,7 +21,7 @@ export async function POST(request: NextRequest) {
  const requestId = randomUUID().slice(0, 8)

  try {
-    const auth = await checkHybridAuth(request)
+    const auth = await checkInternalAuth(request)
    if (!auth.success || !auth.userId) {
      logger.warn(`[${requestId}] Unauthorized PostgreSQL introspect attempt`)
      return NextResponse.json({ error: auth.error || 'Unauthorized' }, { status: 401 })
--- a/apps/sim/app/api/tools/postgresql/query/route.ts
+++ b/apps/sim/app/api/tools/postgresql/query/route.ts
@@ -2,7 +2,7 @@ import { randomUUID } from 'crypto'
 import { createLogger } from '@sim/logger'
 import { type NextRequest, NextResponse } from 'next/server'
 import { z } from 'zod'
-import { checkHybridAuth } from '@/lib/auth/hybrid'
+import { checkInternalAuth } from '@/lib/auth/hybrid'
 import { createPostgresConnection, executeQuery } from '@/app/api/tools/postgresql/utils'

 const logger = createLogger('PostgreSQLQueryAPI')
@@ -21,7 +21,7 @@ export async function POST(request: NextRequest) {
  const requestId = randomUUID().slice(0, 8)

  try {
-    const auth = await checkHybridAuth(request)
+    const auth = await checkInternalAuth(request)
    if (!auth.success || !auth.userId) {
      logger.warn(`[${requestId}] Unauthorized PostgreSQL query attempt`)
      return NextResponse.json({ error: auth.error || 'Unauthorized' }, { status: 401 })
--- a/apps/sim/app/api/tools/postgresql/update/route.ts
+++ b/apps/sim/app/api/tools/postgresql/update/route.ts
@@ -2,7 +2,7 @@ import { randomUUID } from 'crypto'
 import { createLogger } from '@sim/logger'
 import { type NextRequest, NextResponse } from 'next/server'
 import { z } from 'zod'
-import { checkHybridAuth } from '@/lib/auth/hybrid'
+import { checkInternalAuth } from '@/lib/auth/hybrid'
 import { createPostgresConnection, executeUpdate } from '@/app/api/tools/postgresql/utils'

 const logger = createLogger('PostgreSQLUpdateAPI')
@@ -41,7 +41,7 @@ export async function POST(request: NextRequest) {
  const requestId = randomUUID().slice(0, 8)

  try {
-    const auth = await checkHybridAuth(request)
+    const auth = await checkInternalAuth(request)
    if (!auth.success || !auth.userId) {
      logger.warn(`[${requestId}] Unauthorized PostgreSQL update attempt`)
      return NextResponse.json({ error: auth.error || 'Unauthorized' }, { status: 401 })
--- a/apps/sim/app/api/tools/pulse/parse/route.ts
+++ b/apps/sim/app/api/tools/pulse/parse/route.ts
@@ -1,7 +1,7 @@
 import { createLogger } from '@sim/logger'
 import { type NextRequest, NextResponse } from 'next/server'
 import { z } from 'zod'
-import { checkHybridAuth } from '@/lib/auth/hybrid'
+import { checkInternalAuth } from '@/lib/auth/hybrid'
 import { generateRequestId } from '@/lib/core/utils/request'
 import { getBaseUrl } from '@/lib/core/utils/urls'
 import { StorageService } from '@/lib/uploads'
@@ -31,7 +31,7 @@ export async function POST(request: NextRequest) {
  const requestId = generateRequestId()

  try {
-    const authResult = await checkHybridAuth(request, { requireWorkflowId: false })
+    const authResult = await checkInternalAuth(request, { requireWorkflowId: false })

    if (!authResult.success || !authResult.userId) {
      logger.warn(`[${requestId}] Unauthorized Pulse parse attempt`, {
--- a/apps/sim/app/api/tools/reducto/parse/route.ts
+++ b/apps/sim/app/api/tools/reducto/parse/route.ts
@@ -1,7 +1,7 @@
 import { createLogger } from '@sim/logger'
 import { type NextRequest, NextResponse } from 'next/server'
 import { z } from 'zod'
-import { checkHybridAuth } from '@/lib/auth/hybrid'
+import { checkInternalAuth } from '@/lib/auth/hybrid'
 import { generateRequestId } from '@/lib/core/utils/request'
 import { getBaseUrl } from '@/lib/core/utils/urls'
 import { StorageService } from '@/lib/uploads'
@@ -27,7 +27,7 @@ export async function POST(request: NextRequest) {
  const requestId = generateRequestId()

  try {
-    const authResult = await checkHybridAuth(request, { requireWorkflowId: false })
+    const authResult = await checkInternalAuth(request, { requireWorkflowId: false })

    if (!authResult.success || !authResult.userId) {
      logger.warn(`[${requestId}] Unauthorized Reducto parse attempt`, {
--- a/apps/sim/app/api/tools/s3/copy-object/route.ts
+++ b/apps/sim/app/api/tools/s3/copy-object/route.ts
@@ -2,7 +2,7 @@ import { CopyObjectCommand, type ObjectCannedACL, S3Client } from '@aws-sdk/clie
 import { createLogger } from '@sim/logger'
 import { type NextRequest, NextResponse } from 'next/server'
 import { z } from 'zod'
-import { checkHybridAuth } from '@/lib/auth/hybrid'
+import { checkInternalAuth } from '@/lib/auth/hybrid'
 import { generateRequestId } from '@/lib/core/utils/request'

 export const dynamic = 'force-dynamic'
@@ -24,7 +24,7 @@ export async function POST(request: NextRequest) {
  const requestId = generateRequestId()

  try {
-    const authResult = await checkHybridAuth(request, { requireWorkflowId: false })
+    const authResult = await checkInternalAuth(request, { requireWorkflowId: false })

    if (!authResult.success) {
      logger.warn(`[${requestId}] Unauthorized S3 copy object attempt: ${authResult.error}`)
--- a/apps/sim/app/api/tools/s3/delete-object/route.ts
+++ b/apps/sim/app/api/tools/s3/delete-object/route.ts
@@ -2,7 +2,7 @@ import { DeleteObjectCommand, S3Client } from '@aws-sdk/client-s3'
 import { createLogger } from '@sim/logger'
 import { type NextRequest, NextResponse } from 'next/server'
 import { z } from 'zod'
-import { checkHybridAuth } from '@/lib/auth/hybrid'
+import { checkInternalAuth } from '@/lib/auth/hybrid'
 import { generateRequestId } from '@/lib/core/utils/request'

 export const dynamic = 'force-dynamic'
@@ -21,7 +21,7 @@ export async function POST(request: NextRequest) {
  const requestId = generateRequestId()

  try {
-    const authResult = await checkHybridAuth(request, { requireWorkflowId: false })
+    const authResult = await checkInternalAuth(request, { requireWorkflowId: false })

    if (!authResult.success) {
      logger.warn(`[${requestId}] Unauthorized S3 delete object attempt: ${authResult.error}`)
--- a/apps/sim/app/api/tools/s3/list-objects/route.ts
+++ b/apps/sim/app/api/tools/s3/list-objects/route.ts
@@ -2,7 +2,7 @@ import { ListObjectsV2Command, S3Client } from '@aws-sdk/client-s3'
 import { createLogger } from '@sim/logger'
 import { type NextRequest, NextResponse } from 'next/server'
 import { z } from 'zod'
-import { checkHybridAuth } from '@/lib/auth/hybrid'
+import { checkInternalAuth } from '@/lib/auth/hybrid'
 import { generateRequestId } from '@/lib/core/utils/request'

 export const dynamic = 'force-dynamic'
@@ -23,7 +23,7 @@ export async function POST(request: NextRequest) {
  const requestId = generateRequestId()

  try {
-    const authResult = await checkHybridAuth(request, { requireWorkflowId: false })
+    const authResult = await checkInternalAuth(request, { requireWorkflowId: false })

    if (!authResult.success) {
      logger.warn(`[${requestId}] Unauthorized S3 list objects attempt: ${authResult.error}`)
--- a/apps/sim/app/api/tools/s3/put-object/route.ts
+++ b/apps/sim/app/api/tools/s3/put-object/route.ts
@@ -2,7 +2,7 @@ import { type ObjectCannedACL, PutObjectCommand, S3Client } from '@aws-sdk/clien
 import { createLogger } from '@sim/logger'
 import { type NextRequest, NextResponse } from 'next/server'
 import { z } from 'zod'
-import { checkHybridAuth } from '@/lib/auth/hybrid'
+import { checkInternalAuth } from '@/lib/auth/hybrid'
 import { generateRequestId } from '@/lib/core/utils/request'
 import { processSingleFileToUserFile } from '@/lib/uploads/utils/file-utils'
 import { downloadFileFromStorage } from '@/lib/uploads/utils/file-utils.server'
@@ -27,7 +27,7 @@ export async function POST(request: NextRequest) {
  const requestId = generateRequestId()

  try {
-    const authResult = await checkHybridAuth(request, { requireWorkflowId: false })
+    const authResult = await checkInternalAuth(request, { requireWorkflowId: false })

    if (!authResult.success) {
      logger.warn(`[${requestId}] Unauthorized S3 put object attempt: ${authResult.error}`)
--- a/apps/sim/app/api/tools/search/route.ts
+++ b/apps/sim/app/api/tools/search/route.ts
@@ -1,7 +1,7 @@
 import { createLogger } from '@sim/logger'
 import { type NextRequest, NextResponse } from 'next/server'
 import { z } from 'zod'
-import { checkHybridAuth } from '@/lib/auth/hybrid'
+import { checkInternalAuth } from '@/lib/auth/hybrid'
 import { SEARCH_TOOL_COST } from '@/lib/billing/constants'
 import { env } from '@/lib/core/config/env'
 import { executeTool } from '@/tools'
@@ -22,7 +22,7 @@ export async function POST(request: NextRequest) {
    const { searchParams: urlParams } = new URL(request.url)
    const workflowId = urlParams.get('workflowId') || undefined

-    const authResult = await checkHybridAuth(request, { requireWorkflowId: false })
+    const authResult = await checkInternalAuth(request, { requireWorkflowId: false })

    if (!authResult.success || !authResult.userId) {
      const errorMessage = workflowId ? 'Workflow not found' : authResult.error || 'Unauthorized'
--- a/apps/sim/app/api/tools/sftp/delete/route.ts
+++ b/apps/sim/app/api/tools/sftp/delete/route.ts
@@ -2,7 +2,7 @@ import { createLogger } from '@sim/logger'
 import { type NextRequest, NextResponse } from 'next/server'
 import type { SFTPWrapper } from 'ssh2'
 import { z } from 'zod'
-import { checkHybridAuth } from '@/lib/auth/hybrid'
+import { checkInternalAuth } from '@/lib/auth/hybrid'
 import { generateRequestId } from '@/lib/core/utils/request'
 import {
  createSftpConnection,
@@ -72,7 +72,7 @@ export async function POST(request: NextRequest) {
  const requestId = generateRequestId()

  try {
-    const authResult = await checkHybridAuth(request, { requireWorkflowId: false })
+    const authResult = await checkInternalAuth(request, { requireWorkflowId: false })

    if (!authResult.success) {
      logger.warn(`[${requestId}] Unauthorized SFTP delete attempt: ${authResult.error}`)
--- a/apps/sim/app/api/tools/sftp/download/route.ts
+++ b/apps/sim/app/api/tools/sftp/download/route.ts
@@ -2,7 +2,7 @@ import path from 'path'
 import { createLogger } from '@sim/logger'
 import { type NextRequest, NextResponse } from 'next/server'
 import { z } from 'zod'
-import { checkHybridAuth } from '@/lib/auth/hybrid'
+import { checkInternalAuth } from '@/lib/auth/hybrid'
 import { generateRequestId } from '@/lib/core/utils/request'
 import { createSftpConnection, getSftp, isPathSafe, sanitizePath } from '@/app/api/tools/sftp/utils'

@@ -25,7 +25,7 @@ export async function POST(request: NextRequest) {
  const requestId = generateRequestId()

  try {
-    const authResult = await checkHybridAuth(request, { requireWorkflowId: false })
+    const authResult = await checkInternalAuth(request, { requireWorkflowId: false })

    if (!authResult.success) {
      logger.warn(`[${requestId}] Unauthorized SFTP download attempt: ${authResult.error}`)
--- a/apps/sim/app/api/tools/sftp/list/route.ts
+++ b/apps/sim/app/api/tools/sftp/list/route.ts
@@ -1,7 +1,7 @@
 import { createLogger } from '@sim/logger'
 import { type NextRequest, NextResponse } from 'next/server'
 import { z } from 'zod'
-import { checkHybridAuth } from '@/lib/auth/hybrid'
+import { checkInternalAuth } from '@/lib/auth/hybrid'
 import { generateRequestId } from '@/lib/core/utils/request'
 import {
  createSftpConnection,
@@ -31,7 +31,7 @@ export async function POST(request: NextRequest) {
  const requestId = generateRequestId()

  try {
-    const authResult = await checkHybridAuth(request, { requireWorkflowId: false })
+    const authResult = await checkInternalAuth(request, { requireWorkflowId: false })

    if (!authResult.success) {
      logger.warn(`[${requestId}] Unauthorized SFTP list attempt: ${authResult.error}`)
--- a/apps/sim/app/api/tools/sftp/mkdir/route.ts
+++ b/apps/sim/app/api/tools/sftp/mkdir/route.ts
@@ -2,7 +2,7 @@ import { createLogger } from '@sim/logger'
 import { type NextRequest, NextResponse } from 'next/server'
 import type { SFTPWrapper } from 'ssh2'
 import { z } from 'zod'
-import { checkHybridAuth } from '@/lib/auth/hybrid'
+import { checkInternalAuth } from '@/lib/auth/hybrid'
 import { generateRequestId } from '@/lib/core/utils/request'
 import {
  createSftpConnection,
@@ -60,7 +60,7 @@ export async function POST(request: NextRequest) {
  const requestId = generateRequestId()

  try {
-    const authResult = await checkHybridAuth(request, { requireWorkflowId: false })
+    const authResult = await checkInternalAuth(request, { requireWorkflowId: false })

    if (!authResult.success) {
      logger.warn(`[${requestId}] Unauthorized SFTP mkdir attempt: ${authResult.error}`)
--- a/apps/sim/app/api/tools/sftp/upload/route.ts
+++ b/apps/sim/app/api/tools/sftp/upload/route.ts
@@ -1,7 +1,7 @@
 import { createLogger } from '@sim/logger'
 import { type NextRequest, NextResponse } from 'next/server'
 import { z } from 'zod'
-import { checkHybridAuth } from '@/lib/auth/hybrid'
+import { checkInternalAuth } from '@/lib/auth/hybrid'
 import { generateRequestId } from '@/lib/core/utils/request'
 import { processFilesToUserFiles } from '@/lib/uploads/utils/file-utils'
 import { downloadFileFromStorage } from '@/lib/uploads/utils/file-utils.server'
@@ -44,7 +44,7 @@ export async function POST(request: NextRequest) {
  const requestId = generateRequestId()

  try {
-    const authResult = await checkHybridAuth(request, { requireWorkflowId: false })
+    const authResult = await checkInternalAuth(request, { requireWorkflowId: false })

    if (!authResult.success) {
      logger.warn(`[${requestId}] Unauthorized SFTP upload attempt: ${authResult.error}`)
--- a/apps/sim/app/api/tools/sharepoint/upload/route.ts
+++ b/apps/sim/app/api/tools/sharepoint/upload/route.ts
@@ -1,7 +1,7 @@
 import { createLogger } from '@sim/logger'
 import { type NextRequest, NextResponse } from 'next/server'
 import { z } from 'zod'
-import { checkHybridAuth } from '@/lib/auth/hybrid'
+import { checkInternalAuth } from '@/lib/auth/hybrid'
 import { generateRequestId } from '@/lib/core/utils/request'
 import { processFilesToUserFiles } from '@/lib/uploads/utils/file-utils'
 import { downloadFileFromStorage } from '@/lib/uploads/utils/file-utils.server'
@@ -23,7 +23,7 @@ export async function POST(request: NextRequest) {
  const requestId = generateRequestId()

  try {
-    const authResult = await checkHybridAuth(request, { requireWorkflowId: false })
+    const authResult = await checkInternalAuth(request, { requireWorkflowId: false })

    if (!authResult.success) {
      logger.warn(`[${requestId}] Unauthorized SharePoint upload attempt: ${authResult.error}`)
--- a/apps/sim/app/api/tools/slack/add-reaction/route.ts
+++ b/apps/sim/app/api/tools/slack/add-reaction/route.ts
@@ -1,6 +1,6 @@
 import { type NextRequest, NextResponse } from 'next/server'
 import { z } from 'zod'
-import { checkHybridAuth } from '@/lib/auth/hybrid'
+import { checkInternalAuth } from '@/lib/auth/hybrid'

 export const dynamic = 'force-dynamic'

@@ -13,7 +13,7 @@ const SlackAddReactionSchema = z.object({

 export async function POST(request: NextRequest) {
  try {
-    const authResult = await checkHybridAuth(request, { requireWorkflowId: false })
+    const authResult = await checkInternalAuth(request, { requireWorkflowId: false })

    if (!authResult.success) {
      return NextResponse.json(
--- a/apps/sim/app/api/tools/slack/delete-message/route.ts
+++ b/apps/sim/app/api/tools/slack/delete-message/route.ts
@@ -1,6 +1,6 @@
 import { type NextRequest, NextResponse } from 'next/server'
 import { z } from 'zod'
-import { checkHybridAuth } from '@/lib/auth/hybrid'
+import { checkInternalAuth } from '@/lib/auth/hybrid'

 export const dynamic = 'force-dynamic'

@@ -12,7 +12,7 @@ const SlackDeleteMessageSchema = z.object({

 export async function POST(request: NextRequest) {
  try {
-    const authResult = await checkHybridAuth(request, { requireWorkflowId: false })
+    const authResult = await checkInternalAuth(request, { requireWorkflowId: false })

    if (!authResult.success) {
      return NextResponse.json(
--- a/apps/sim/app/api/tools/slack/read-messages/route.ts
+++ b/apps/sim/app/api/tools/slack/read-messages/route.ts
@@ -1,7 +1,7 @@
 import { createLogger } from '@sim/logger'
 import { type NextRequest, NextResponse } from 'next/server'
 import { z } from 'zod'
-import { checkHybridAuth } from '@/lib/auth/hybrid'
+import { checkInternalAuth } from '@/lib/auth/hybrid'
 import { generateRequestId } from '@/lib/core/utils/request'
 import { openDMChannel } from '../utils'

@@ -31,7 +31,7 @@ export async function POST(request: NextRequest) {
  const requestId = generateRequestId()

  try {
-    const authResult = await checkHybridAuth(request, { requireWorkflowId: false })
+    const authResult = await checkInternalAuth(request, { requireWorkflowId: false })

    if (!authResult.success) {
      logger.warn(`[${requestId}] Unauthorized Slack read messages attempt: ${authResult.error}`)
--- a/apps/sim/app/api/tools/slack/send-message/route.ts
+++ b/apps/sim/app/api/tools/slack/send-message/route.ts
@@ -1,7 +1,7 @@
 import { createLogger } from '@sim/logger'
 import { type NextRequest, NextResponse } from 'next/server'
 import { z } from 'zod'
-import { checkHybridAuth } from '@/lib/auth/hybrid'
+import { checkInternalAuth } from '@/lib/auth/hybrid'
 import { generateRequestId } from '@/lib/core/utils/request'
 import { sendSlackMessage } from '../utils'

@@ -26,7 +26,7 @@ export async function POST(request: NextRequest) {
  const requestId = generateRequestId()

  try {
-    const authResult = await checkHybridAuth(request, { requireWorkflowId: false })
+    const authResult = await checkInternalAuth(request, { requireWorkflowId: false })

    if (!authResult.success) {
      logger.warn(`[${requestId}] Unauthorized Slack send attempt: ${authResult.error}`)
--- a/apps/sim/app/api/tools/slack/update-message/route.ts
+++ b/apps/sim/app/api/tools/slack/update-message/route.ts
@@ -1,7 +1,7 @@
 import { createLogger } from '@sim/logger'
 import { type NextRequest, NextResponse } from 'next/server'
 import { z } from 'zod'
-import { checkHybridAuth } from '@/lib/auth/hybrid'
+import { checkInternalAuth } from '@/lib/auth/hybrid'
 import { generateRequestId } from '@/lib/core/utils/request'

 export const dynamic = 'force-dynamic'
@@ -19,7 +19,7 @@ export async function POST(request: NextRequest) {
  const requestId = generateRequestId()

  try {
-    const authResult = await checkHybridAuth(request, { requireWorkflowId: false })
+    const authResult = await checkInternalAuth(request, { requireWorkflowId: false })

    if (!authResult.success) {
      logger.warn(`[${requestId}] Unauthorized Slack update message attempt: ${authResult.error}`)
--- a/apps/sim/app/api/tools/sms/send/route.ts
+++ b/apps/sim/app/api/tools/sms/send/route.ts
@@ -1,7 +1,7 @@
 import { createLogger } from '@sim/logger'
 import { type NextRequest, NextResponse } from 'next/server'
 import { z } from 'zod'
-import { checkHybridAuth } from '@/lib/auth/hybrid'
+import { checkInternalAuth } from '@/lib/auth/hybrid'
 import { env } from '@/lib/core/config/env'
 import { generateRequestId } from '@/lib/core/utils/request'
 import { type SMSOptions, sendSMS } from '@/lib/messaging/sms/service'
@@ -19,7 +19,7 @@ export async function POST(request: NextRequest) {
  const requestId = generateRequestId()

  try {
-    const authResult = await checkHybridAuth(request, { requireWorkflowId: false })
+    const authResult = await checkInternalAuth(request, { requireWorkflowId: false })

    if (!authResult.success) {
      logger.warn(`[${requestId}] Unauthorized SMS send attempt: ${authResult.error}`)
--- a/apps/sim/app/api/tools/smtp/send/route.ts
+++ b/apps/sim/app/api/tools/smtp/send/route.ts
@@ -2,7 +2,7 @@ import { createLogger } from '@sim/logger'
 import { type NextRequest, NextResponse } from 'next/server'
 import nodemailer from 'nodemailer'
 import { z } from 'zod'
-import { checkHybridAuth } from '@/lib/auth/hybrid'
+import { checkInternalAuth } from '@/lib/auth/hybrid'
 import { generateRequestId } from '@/lib/core/utils/request'
 import { processFilesToUserFiles } from '@/lib/uploads/utils/file-utils'
 import { downloadFileFromStorage } from '@/lib/uploads/utils/file-utils.server'
@@ -35,7 +35,7 @@ export async function POST(request: NextRequest) {
  const requestId = generateRequestId()

  try {
-    const authResult = await checkHybridAuth(request, { requireWorkflowId: false })
+    const authResult = await checkInternalAuth(request, { requireWorkflowId: false })

    if (!authResult.success) {
      logger.warn(`[${requestId}] Unauthorized SMTP send attempt: ${authResult.error}`)
--- a/apps/sim/app/api/tools/ssh/check-command-exists/route.ts
+++ b/apps/sim/app/api/tools/ssh/check-command-exists/route.ts
@@ -2,7 +2,7 @@ import { randomUUID } from 'crypto'
 import { createLogger } from '@sim/logger'
 import { type NextRequest, NextResponse } from 'next/server'
 import { z } from 'zod'
-import { checkHybridAuth } from '@/lib/auth/hybrid'
+import { checkInternalAuth } from '@/lib/auth/hybrid'
 import { createSSHConnection, escapeShellArg, executeSSHCommand } from '@/app/api/tools/ssh/utils'

 const logger = createLogger('SSHCheckCommandExistsAPI')
@@ -21,7 +21,7 @@ export async function POST(request: NextRequest) {
  const requestId = randomUUID().slice(0, 8)

  try {
-    const auth = await checkHybridAuth(request)
+    const auth = await checkInternalAuth(request)
    if (!auth.success || !auth.userId) {
      logger.warn(`[${requestId}] Unauthorized SSH check command exists attempt`)
      return NextResponse.json({ error: auth.error || 'Unauthorized' }, { status: 401 })
--- a/apps/sim/app/api/tools/ssh/check-file-exists/route.ts
+++ b/apps/sim/app/api/tools/ssh/check-file-exists/route.ts
@@ -3,7 +3,7 @@ import { createLogger } from '@sim/logger'
 import { type NextRequest, NextResponse } from 'next/server'
 import type { Client, SFTPWrapper, Stats } from 'ssh2'
 import { z } from 'zod'
-import { checkHybridAuth } from '@/lib/auth/hybrid'
+import { checkInternalAuth } from '@/lib/auth/hybrid'
 import {
  createSSHConnection,
  getFileType,
@@ -40,7 +40,7 @@ export async function POST(request: NextRequest) {
  const requestId = randomUUID().slice(0, 8)

  try {
-    const auth = await checkHybridAuth(request)
+    const auth = await checkInternalAuth(request)
    if (!auth.success || !auth.userId) {
      logger.warn(`[${requestId}] Unauthorized SSH check file exists attempt`)
      return NextResponse.json({ error: auth.error || 'Unauthorized' }, { status: 401 })
--- a/apps/sim/app/api/tools/ssh/create-directory/route.ts
+++ b/apps/sim/app/api/tools/ssh/create-directory/route.ts
@@ -2,7 +2,7 @@ import { randomUUID } from 'crypto'
 import { createLogger } from '@sim/logger'
 import { type NextRequest, NextResponse } from 'next/server'
 import { z } from 'zod'
-import { checkHybridAuth } from '@/lib/auth/hybrid'
+import { checkInternalAuth } from '@/lib/auth/hybrid'
 import {
  createSSHConnection,
  escapeShellArg,
@@ -28,7 +28,7 @@ export async function POST(request: NextRequest) {
  const requestId = randomUUID().slice(0, 8)

  try {
-    const auth = await checkHybridAuth(request)
+    const auth = await checkInternalAuth(request)
    if (!auth.success || !auth.userId) {
      logger.warn(`[${requestId}] Unauthorized SSH create directory attempt`)
      return NextResponse.json({ error: auth.error || 'Unauthorized' }, { status: 401 })
--- a/apps/sim/app/api/tools/ssh/delete-file/route.ts
+++ b/apps/sim/app/api/tools/ssh/delete-file/route.ts
@@ -2,7 +2,7 @@ import { randomUUID } from 'crypto'
 import { createLogger } from '@sim/logger'
 import { type NextRequest, NextResponse } from 'next/server'
 import { z } from 'zod'
-import { checkHybridAuth } from '@/lib/auth/hybrid'
+import { checkInternalAuth } from '@/lib/auth/hybrid'
 import {
  createSSHConnection,
  escapeShellArg,
@@ -28,7 +28,7 @@ export async function POST(request: NextRequest) {
  const requestId = randomUUID().slice(0, 8)

  try {
-    const auth = await checkHybridAuth(request)
+    const auth = await checkInternalAuth(request)
    if (!auth.success || !auth.userId) {
      logger.warn(`[${requestId}] Unauthorized SSH delete file attempt`)
      return NextResponse.json({ error: auth.error || 'Unauthorized' }, { status: 401 })
--- a/apps/sim/app/api/tools/ssh/download-file/route.ts
+++ b/apps/sim/app/api/tools/ssh/download-file/route.ts
@@ -4,7 +4,7 @@ import { createLogger } from '@sim/logger'
 import { type NextRequest, NextResponse } from 'next/server'
 import type { Client, SFTPWrapper } from 'ssh2'
 import { z } from 'zod'
-import { checkHybridAuth } from '@/lib/auth/hybrid'
+import { checkInternalAuth } from '@/lib/auth/hybrid'
 import { createSSHConnection, sanitizePath } from '@/app/api/tools/ssh/utils'

 const logger = createLogger('SSHDownloadFileAPI')
@@ -35,7 +35,7 @@ export async function POST(request: NextRequest) {
  const requestId = randomUUID().slice(0, 8)

  try {
-    const auth = await checkHybridAuth(request)
+    const auth = await checkInternalAuth(request)
    if (!auth.success || !auth.userId) {
      logger.warn(`[${requestId}] Unauthorized SSH download file attempt`)
      return NextResponse.json({ error: auth.error || 'Unauthorized' }, { status: 401 })
--- a/apps/sim/app/api/tools/ssh/execute-command/route.ts
+++ b/apps/sim/app/api/tools/ssh/execute-command/route.ts
@@ -2,7 +2,7 @@ import { randomUUID } from 'crypto'
 import { createLogger } from '@sim/logger'
 import { type NextRequest, NextResponse } from 'next/server'
 import { z } from 'zod'
-import { checkHybridAuth } from '@/lib/auth/hybrid'
+import { checkInternalAuth } from '@/lib/auth/hybrid'
 import { createSSHConnection, executeSSHCommand, sanitizeCommand } from '@/app/api/tools/ssh/utils'

 const logger = createLogger('SSHExecuteCommandAPI')
@@ -22,7 +22,7 @@ export async function POST(request: NextRequest) {
  const requestId = randomUUID().slice(0, 8)

  try {
-    const auth = await checkHybridAuth(request)
+    const auth = await checkInternalAuth(request)
    if (!auth.success || !auth.userId) {
      logger.warn(`[${requestId}] Unauthorized SSH execute command attempt`)
      return NextResponse.json({ error: auth.error || 'Unauthorized' }, { status: 401 })
--- a/apps/sim/app/api/tools/ssh/execute-script/route.ts
+++ b/apps/sim/app/api/tools/ssh/execute-script/route.ts
@@ -2,7 +2,7 @@ import { randomUUID } from 'crypto'
 import { createLogger } from '@sim/logger'
 import { type NextRequest, NextResponse } from 'next/server'
 import { z } from 'zod'
-import { checkHybridAuth } from '@/lib/auth/hybrid'
+import { checkInternalAuth } from '@/lib/auth/hybrid'
 import { createSSHConnection, escapeShellArg, executeSSHCommand } from '@/app/api/tools/ssh/utils'

 const logger = createLogger('SSHExecuteScriptAPI')
@@ -23,7 +23,7 @@ export async function POST(request: NextRequest) {
  const requestId = randomUUID().slice(0, 8)

  try {
-    const auth = await checkHybridAuth(request)
+    const auth = await checkInternalAuth(request)
    if (!auth.success || !auth.userId) {
      logger.warn(`[${requestId}] Unauthorized SSH execute script attempt`)
      return NextResponse.json({ error: auth.error || 'Unauthorized' }, { status: 401 })
--- a/apps/sim/app/api/tools/ssh/get-system-info/route.ts
+++ b/apps/sim/app/api/tools/ssh/get-system-info/route.ts
@@ -2,7 +2,7 @@ import { randomUUID } from 'crypto'
 import { createLogger } from '@sim/logger'
 import { type NextRequest, NextResponse } from 'next/server'
 import { z } from 'zod'
-import { checkHybridAuth } from '@/lib/auth/hybrid'
+import { checkInternalAuth } from '@/lib/auth/hybrid'
 import { createSSHConnection, executeSSHCommand } from '@/app/api/tools/ssh/utils'

 const logger = createLogger('SSHGetSystemInfoAPI')
@@ -20,7 +20,7 @@ export async function POST(request: NextRequest) {
  const requestId = randomUUID().slice(0, 8)

  try {
-    const auth = await checkHybridAuth(request)
+    const auth = await checkInternalAuth(request)
    if (!auth.success || !auth.userId) {
      logger.warn(`[${requestId}] Unauthorized SSH get system info attempt`)
      return NextResponse.json({ error: auth.error || 'Unauthorized' }, { status: 401 })
--- a/apps/sim/app/api/tools/ssh/list-directory/route.ts
+++ b/apps/sim/app/api/tools/ssh/list-directory/route.ts
@@ -3,7 +3,7 @@ import { createLogger } from '@sim/logger'
 import { type NextRequest, NextResponse } from 'next/server'
 import type { Client, FileEntry, SFTPWrapper } from 'ssh2'
 import { z } from 'zod'
-import { checkHybridAuth } from '@/lib/auth/hybrid'
+import { checkInternalAuth } from '@/lib/auth/hybrid'
 import {
  createSSHConnection,
  getFileType,
@@ -61,7 +61,7 @@ export async function POST(request: NextRequest) {
  const requestId = randomUUID().slice(0, 8)

  try {
-    const auth = await checkHybridAuth(request)
+    const auth = await checkInternalAuth(request)
    if (!auth.success || !auth.userId) {
      logger.warn(`[${requestId}] Unauthorized SSH list directory attempt`)
      return NextResponse.json({ error: auth.error || 'Unauthorized' }, { status: 401 })
--- a/apps/sim/app/api/tools/ssh/move-rename/route.ts
+++ b/apps/sim/app/api/tools/ssh/move-rename/route.ts
@@ -2,7 +2,7 @@ import { randomUUID } from 'crypto'
 import { createLogger } from '@sim/logger'
 import { type NextRequest, NextResponse } from 'next/server'
 import { z } from 'zod'
-import { checkHybridAuth } from '@/lib/auth/hybrid'
+import { checkInternalAuth } from '@/lib/auth/hybrid'
 import {
  createSSHConnection,
  escapeShellArg,
@@ -28,7 +28,7 @@ export async function POST(request: NextRequest) {
  const requestId = randomUUID().slice(0, 8)

  try {
-    const auth = await checkHybridAuth(request)
+    const auth = await checkInternalAuth(request)
    if (!auth.success || !auth.userId) {
      logger.warn(`[${requestId}] Unauthorized SSH move/rename attempt`)
      return NextResponse.json({ error: auth.error || 'Unauthorized' }, { status: 401 })
--- a/apps/sim/app/api/tools/ssh/read-file-content/route.ts
+++ b/apps/sim/app/api/tools/ssh/read-file-content/route.ts
@@ -3,7 +3,7 @@ import { createLogger } from '@sim/logger'
 import { type NextRequest, NextResponse } from 'next/server'
 import type { Client, SFTPWrapper } from 'ssh2'
 import { z } from 'zod'
-import { checkHybridAuth } from '@/lib/auth/hybrid'
+import { checkInternalAuth } from '@/lib/auth/hybrid'
 import { createSSHConnection, sanitizePath } from '@/app/api/tools/ssh/utils'

 const logger = createLogger('SSHReadFileContentAPI')
@@ -36,7 +36,7 @@ export async function POST(request: NextRequest) {
  const requestId = randomUUID().slice(0, 8)

  try {
-    const auth = await checkHybridAuth(request)
+    const auth = await checkInternalAuth(request)
    if (!auth.success || !auth.userId) {
      logger.warn(`[${requestId}] Unauthorized SSH read file content attempt`)
      return NextResponse.json({ error: auth.error || 'Unauthorized' }, { status: 401 })
--- a/apps/sim/app/api/tools/ssh/upload-file/route.ts
+++ b/apps/sim/app/api/tools/ssh/upload-file/route.ts
@@ -3,7 +3,7 @@ import { createLogger } from '@sim/logger'
 import { type NextRequest, NextResponse } from 'next/server'
 import type { Client, SFTPWrapper } from 'ssh2'
 import { z } from 'zod'
-import { checkHybridAuth } from '@/lib/auth/hybrid'
+import { checkInternalAuth } from '@/lib/auth/hybrid'
 import { createSSHConnection, sanitizePath } from '@/app/api/tools/ssh/utils'

 const logger = createLogger('SSHUploadFileAPI')
@@ -38,7 +38,7 @@ export async function POST(request: NextRequest) {
  const requestId = randomUUID().slice(0, 8)

  try {
-    const auth = await checkHybridAuth(request)
+    const auth = await checkInternalAuth(request)
    if (!auth.success || !auth.userId) {
      logger.warn(`[${requestId}] Unauthorized SSH upload file attempt`)
      return NextResponse.json({ error: auth.error || 'Unauthorized' }, { status: 401 })
--- a/apps/sim/app/api/tools/ssh/write-file-content/route.ts
+++ b/apps/sim/app/api/tools/ssh/write-file-content/route.ts
@@ -3,7 +3,7 @@ import { createLogger } from '@sim/logger'
 import { type NextRequest, NextResponse } from 'next/server'
 import type { Client, SFTPWrapper } from 'ssh2'
 import { z } from 'zod'
-import { checkHybridAuth } from '@/lib/auth/hybrid'
+import { checkInternalAuth } from '@/lib/auth/hybrid'
 import { createSSHConnection, sanitizePath } from '@/app/api/tools/ssh/utils'

 const logger = createLogger('SSHWriteFileContentAPI')
@@ -37,7 +37,7 @@ export async function POST(request: NextRequest) {
  const requestId = randomUUID().slice(0, 8)

  try {
-    const auth = await checkHybridAuth(request)
+    const auth = await checkInternalAuth(request)
    if (!auth.success || !auth.userId) {
      logger.warn(`[${requestId}] Unauthorized SSH write file content attempt`)
      return NextResponse.json({ error: auth.error || 'Unauthorized' }, { status: 401 })
--- a/apps/sim/app/api/tools/stt/route.ts
+++ b/apps/sim/app/api/tools/stt/route.ts
@@ -1,7 +1,7 @@
 import { createLogger } from '@sim/logger'
 import { type NextRequest, NextResponse } from 'next/server'
 import { extractAudioFromVideo, isVideoFile } from '@/lib/audio/extractor'
-import { checkHybridAuth } from '@/lib/auth/hybrid'
+import { checkInternalAuth } from '@/lib/auth/hybrid'
 import { downloadFileFromStorage } from '@/lib/uploads/utils/file-utils.server'
 import type { UserFile } from '@/executor/types'
 import type { TranscriptSegment } from '@/tools/stt/types'
@@ -40,7 +40,7 @@ export async function POST(request: NextRequest) {
  logger.info(`[${requestId}] STT transcription request started`)

  try {
-    const authResult = await checkHybridAuth(request, { requireWorkflowId: false })
+    const authResult = await checkInternalAuth(request, { requireWorkflowId: false })
    if (!authResult.success) {
      return NextResponse.json({ error: 'Unauthorized' }, { status: 401 })
    }
--- a/apps/sim/app/api/tools/telegram/send-document/route.ts
+++ b/apps/sim/app/api/tools/telegram/send-document/route.ts
@@ -1,7 +1,7 @@
 import { createLogger } from '@sim/logger'
 import { type NextRequest, NextResponse } from 'next/server'
 import { z } from 'zod'
-import { checkHybridAuth } from '@/lib/auth/hybrid'
+import { checkInternalAuth } from '@/lib/auth/hybrid'
 import { generateRequestId } from '@/lib/core/utils/request'
 import { processFilesToUserFiles } from '@/lib/uploads/utils/file-utils'
 import { downloadFileFromStorage } from '@/lib/uploads/utils/file-utils.server'
@@ -22,7 +22,7 @@ export async function POST(request: NextRequest) {
  const requestId = generateRequestId()

  try {
-    const authResult = await checkHybridAuth(request, {
+    const authResult = await checkInternalAuth(request, {
      requireWorkflowId: false,
    })

--- a/apps/sim/app/api/tools/textract/parse/route.ts
+++ b/apps/sim/app/api/tools/textract/parse/route.ts
@@ -2,7 +2,7 @@ import crypto from 'crypto'
 import { createLogger } from '@sim/logger'
 import { type NextRequest, NextResponse } from 'next/server'
 import { z } from 'zod'
-import { checkHybridAuth } from '@/lib/auth/hybrid'
+import { checkInternalAuth } from '@/lib/auth/hybrid'
 import {
  validateAwsRegion,
  validateExternalUrl,
@@ -292,7 +292,7 @@ export async function POST(request: NextRequest) {
  const requestId = generateRequestId()

  try {
-    const authResult = await checkHybridAuth(request, { requireWorkflowId: false })
+    const authResult = await checkInternalAuth(request, { requireWorkflowId: false })

    if (!authResult.success || !authResult.userId) {
      logger.warn(`[${requestId}] Unauthorized Textract parse attempt`, {
--- a/apps/sim/app/api/tools/tts/route.ts
+++ b/apps/sim/app/api/tools/tts/route.ts
@@ -1,7 +1,7 @@
 import { createLogger } from '@sim/logger'
 import type { NextRequest } from 'next/server'
 import { NextResponse } from 'next/server'
-import { checkHybridAuth } from '@/lib/auth/hybrid'
+import { checkInternalAuth } from '@/lib/auth/hybrid'
 import { validateAlphanumericId } from '@/lib/core/security/input-validation'
 import { getBaseUrl } from '@/lib/core/utils/urls'
 import { StorageService } from '@/lib/uploads'
@@ -10,7 +10,7 @@ const logger = createLogger('ProxyTTSAPI')

 export async function POST(request: NextRequest) {
  try {
-    const authResult = await checkHybridAuth(request, { requireWorkflowId: false })
+    const authResult = await checkInternalAuth(request, { requireWorkflowId: false })
    if (!authResult.success) {
      logger.error('Authentication failed for TTS proxy:', authResult.error)
      return NextResponse.json({ error: 'Unauthorized' }, { status: 401 })
--- a/apps/sim/app/api/tools/tts/unified/route.ts
+++ b/apps/sim/app/api/tools/tts/unified/route.ts
@@ -1,7 +1,7 @@
 import { createLogger } from '@sim/logger'
 import type { NextRequest } from 'next/server'
 import { NextResponse } from 'next/server'
-import { checkHybridAuth } from '@/lib/auth/hybrid'
+import { checkInternalAuth } from '@/lib/auth/hybrid'
 import { validateAlphanumericId } from '@/lib/core/security/input-validation'
 import { getBaseUrl } from '@/lib/core/utils/urls'
 import { StorageService } from '@/lib/uploads'
@@ -87,7 +87,7 @@ export async function POST(request: NextRequest) {
  logger.info(`[${requestId}] TTS unified request started`)

  try {
-    const authResult = await checkHybridAuth(request, { requireWorkflowId: false })
+    const authResult = await checkInternalAuth(request, { requireWorkflowId: false })
    if (!authResult.success) {
      logger.error('Authentication failed for TTS unified proxy:', authResult.error)
      return NextResponse.json({ error: 'Unauthorized' }, { status: 401 })
--- a/apps/sim/app/api/tools/video/route.ts
+++ b/apps/sim/app/api/tools/video/route.ts
@@ -1,6 +1,6 @@
 import { createLogger } from '@sim/logger'
 import { type NextRequest, NextResponse } from 'next/server'
-import { checkHybridAuth } from '@/lib/auth/hybrid'
+import { checkInternalAuth } from '@/lib/auth/hybrid'
 import { downloadFileFromStorage } from '@/lib/uploads/utils/file-utils.server'
 import type { UserFile } from '@/executor/types'
 import type { VideoRequestBody } from '@/tools/video/types'
@@ -15,7 +15,7 @@ export async function POST(request: NextRequest) {
  logger.info(`[${requestId}] Video generation request started`)

  try {
-    const authResult = await checkHybridAuth(request, { requireWorkflowId: false })
+    const authResult = await checkInternalAuth(request, { requireWorkflowId: false })
    if (!authResult.success) {
      return NextResponse.json({ error: 'Unauthorized' }, { status: 401 })
    }
--- a/apps/sim/app/api/tools/vision/analyze/route.ts
+++ b/apps/sim/app/api/tools/vision/analyze/route.ts
@@ -1,7 +1,7 @@
 import { createLogger } from '@sim/logger'
 import { type NextRequest, NextResponse } from 'next/server'
 import { z } from 'zod'
-import { checkHybridAuth } from '@/lib/auth/hybrid'
+import { checkInternalAuth } from '@/lib/auth/hybrid'
 import { generateRequestId } from '@/lib/core/utils/request'
 import { processSingleFileToUserFile } from '@/lib/uploads/utils/file-utils'
 import { downloadFileFromStorage } from '@/lib/uploads/utils/file-utils.server'
@@ -22,7 +22,7 @@ export async function POST(request: NextRequest) {
  const requestId = generateRequestId()

  try {
-    const authResult = await checkHybridAuth(request, { requireWorkflowId: false })
+    const authResult = await checkInternalAuth(request, { requireWorkflowId: false })

    if (!authResult.success) {
      logger.warn(`[${requestId}] Unauthorized Vision analyze attempt: ${authResult.error}`)
--- a/apps/sim/app/api/tools/wordpress/upload/route.ts
+++ b/apps/sim/app/api/tools/wordpress/upload/route.ts
@@ -1,7 +1,7 @@
 import { createLogger } from '@sim/logger'
 import { type NextRequest, NextResponse } from 'next/server'
 import { z } from 'zod'
-import { checkHybridAuth } from '@/lib/auth/hybrid'
+import { checkInternalAuth } from '@/lib/auth/hybrid'
 import { generateRequestId } from '@/lib/core/utils/request'
 import {
  getFileExtension,
@@ -31,7 +31,7 @@ export async function POST(request: NextRequest) {
  const requestId = generateRequestId()

  try {
-    const authResult = await checkHybridAuth(request, { requireWorkflowId: false })
+    const authResult = await checkInternalAuth(request, { requireWorkflowId: false })

    if (!authResult.success) {
      logger.warn(`[${requestId}] Unauthorized WordPress upload attempt: ${authResult.error}`)
--- a/apps/sim/app/api/workflows/[id]/execute/route.ts
+++ b/apps/sim/app/api/workflows/[id]/execute/route.ts
@@ -30,6 +30,7 @@ import { normalizeName } from '@/executor/constants'
 import { ExecutionSnapshot } from '@/executor/execution/snapshot'
 import type { ExecutionMetadata, IterationContext } from '@/executor/execution/types'
 import type { NormalizedBlockOutput, StreamingExecution } from '@/executor/types'
+import { hasExecutionResult } from '@/executor/utils/errors'
 import { Serializer } from '@/serializer'
 import { CORE_TRIGGER_TYPES, type CoreTriggerType } from '@/stores/logs/filters/types'

@@ -467,17 +468,17 @@ export async function POST(req: NextRequest, { params }: { params: Promise<{ id:
        }

        return NextResponse.json(filteredResult)
-      } catch (error: any) {
-        const errorMessage = error.message || 'Unknown error'
+      } catch (error: unknown) {
+        const errorMessage = error instanceof Error ? error.message : 'Unknown error'
        logger.error(`[${requestId}] Non-SSE execution failed: ${errorMessage}`)

-        const executionResult = error.executionResult
+        const executionResult = hasExecutionResult(error) ? error.executionResult : undefined

        return NextResponse.json(
          {
            success: false,
            output: executionResult?.output,
-            error: executionResult?.error || error.message || 'Execution failed',
+            error: executionResult?.error || errorMessage || 'Execution failed',
            metadata: executionResult?.metadata
              ? {
                  duration: executionResult.metadata.duration,
@@ -788,11 +789,11 @@ export async function POST(req: NextRequest, { params }: { params: Promise<{ id:

          // Cleanup base64 cache for this execution
          await cleanupExecutionBase64Cache(executionId)
-        } catch (error: any) {
-          const errorMessage = error.message || 'Unknown error'
+        } catch (error: unknown) {
+          const errorMessage = error instanceof Error ? error.message : 'Unknown error'
          logger.error(`[${requestId}] SSE execution failed: ${errorMessage}`)

-          const executionResult = error.executionResult
+          const executionResult = hasExecutionResult(error) ? error.executionResult : undefined

          sendEvent({
            type: 'execution:error',
--- a/apps/sim/app/workspace/[workspaceId]/w/[workflowId]/hooks/use-workflow-execution.ts
+++ b/apps/sim/app/workspace/[workspaceId]/w/[workflowId]/hooks/use-workflow-execution.ts
@@ -16,6 +16,7 @@ import {
 } from '@/lib/workflows/triggers/triggers'
 import { useCurrentWorkflow } from '@/app/workspace/[workspaceId]/w/[workflowId]/hooks/use-current-workflow'
 import type { BlockLog, ExecutionResult, StreamingExecution } from '@/executor/types'
+import { hasExecutionResult } from '@/executor/utils/errors'
 import { coerceValue } from '@/executor/utils/start-block'
 import { subscriptionKeys } from '@/hooks/queries/subscription'
 import { useExecutionStream } from '@/hooks/use-execution-stream'
@@ -76,17 +77,6 @@ function normalizeErrorMessage(error: unknown): string {
  return WORKFLOW_EXECUTION_FAILURE_MESSAGE
 }

-function isExecutionResult(value: unknown): value is ExecutionResult {
-  if (!isRecord(value)) return false
-  return typeof value.success === 'boolean' && isRecord(value.output)
-}
-
-function extractExecutionResult(error: unknown): ExecutionResult | null {
-  if (!isRecord(error)) return null
-  const candidate = error.executionResult
-  return isExecutionResult(candidate) ? candidate : null
-}
-
 export function useWorkflowExecution() {
  const queryClient = useQueryClient()
  const currentWorkflow = useCurrentWorkflow()
@@ -1138,11 +1128,11 @@ export function useWorkflowExecution() {

  const handleExecutionError = (error: unknown, options?: { executionId?: string }) => {
    const normalizedMessage = normalizeErrorMessage(error)
-    const executionResultFromError = extractExecutionResult(error)

    let errorResult: ExecutionResult

-    if (executionResultFromError) {
+    if (hasExecutionResult(error)) {
+      const executionResultFromError = error.executionResult
      const logs = Array.isArray(executionResultFromError.logs) ? executionResultFromError.logs : []

      errorResult = {
--- a/apps/sim/app/workspace/[workspaceId]/w/components/preview/components/block.tsx
+++ b/apps/sim/app/workspace/[workspaceId]/w/components/preview/components/block.tsx
@@ -3,11 +3,26 @@
 import { memo, useMemo } from 'react'
 import { Handle, type NodeProps, Position } from 'reactflow'
 import { HANDLE_POSITIONS } from '@/lib/workflows/blocks/block-dimensions'
+import {
+  buildCanonicalIndex,
+  evaluateSubBlockCondition,
+  isSubBlockFeatureEnabled,
+  isSubBlockVisibleForMode,
+} from '@/lib/workflows/subblocks/visibility'
+import { getDisplayValue } from '@/app/workspace/[workspaceId]/w/[workflowId]/components/workflow-block/workflow-block'
 import { getBlock } from '@/blocks'
+import { SELECTOR_TYPES_HYDRATION_REQUIRED, type SubBlockConfig } from '@/blocks/types'
+import { useVariablesStore } from '@/stores/panel/variables/store'
+import { useWorkflowRegistry } from '@/stores/workflows/registry/store'

 /** Execution status for blocks in preview mode */
 type ExecutionStatus = 'success' | 'error' | 'not-executed'

+/** Subblock value structure matching workflow state */
+interface SubBlockValueEntry {
+  value: unknown
+}
+
 interface WorkflowPreviewBlockData {
  type: string
  name: string
@@ -18,12 +33,220 @@ interface WorkflowPreviewBlockData {
  isPreviewSelected?: boolean
  /** Execution status for highlighting error/success states */
  executionStatus?: ExecutionStatus
+  /** Subblock values from the workflow state */
+  subBlockValues?: Record<string, SubBlockValueEntry | unknown>
+}
+
+/**
+ * Extracts the raw value from a subblock value entry.
+ * Handles both wrapped ({ value: ... }) and unwrapped formats.
+ */
+function extractValue(entry: SubBlockValueEntry | unknown): unknown {
+  if (entry && typeof entry === 'object' && 'value' in entry) {
+    return (entry as SubBlockValueEntry).value
+  }
+  return entry
+}
+
+interface SubBlockRowProps {
+  title: string
+  value?: string
+  subBlock?: SubBlockConfig
+  rawValue?: unknown
+}
+
+/**
+ * Resolves dropdown/combobox value to its display label.
+ * Returns null if not a dropdown/combobox or no matching option found.
+ */
+function resolveDropdownLabel(
+  subBlock: SubBlockConfig | undefined,
+  rawValue: unknown
+): string | null {
+  if (!subBlock || (subBlock.type !== 'dropdown' && subBlock.type !== 'combobox')) return null
+  if (!rawValue || typeof rawValue !== 'string') return null
+
+  const options = typeof subBlock.options === 'function' ? subBlock.options() : subBlock.options
+  if (!options) return null
+
+  const option = options.find((opt) =>
+    typeof opt === 'string' ? opt === rawValue : opt.id === rawValue
+  )
+
+  if (!option) return null
+  return typeof option === 'string' ? option : option.label
+}
+
+/**
+ * Resolves workflow ID to workflow name using the workflow registry.
+ * Uses synchronous store access to avoid hook dependencies.
+ */
+function resolveWorkflowName(
+  subBlock: SubBlockConfig | undefined,
+  rawValue: unknown
+): string | null {
+  if (subBlock?.type !== 'workflow-selector') return null
+  if (!rawValue || typeof rawValue !== 'string') return null
+
+  const workflowMap = useWorkflowRegistry.getState().workflows
+  return workflowMap[rawValue]?.name ?? null
+}
+
+/**
+ * Type guard for variable assignments array
+ */
+function isVariableAssignmentsArray(
+  value: unknown
+): value is Array<{ id?: string; variableId?: string; variableName?: string; value: unknown }> {
+  return (
+    Array.isArray(value) &&
+    value.length > 0 &&
+    value.every(
+      (item) =>
+        typeof item === 'object' &&
+        item !== null &&
+        ('variableName' in item || 'variableId' in item)
+    )
+  )
+}
+
+/**
+ * Resolves variables-input to display names.
+ * Uses synchronous store access to avoid hook dependencies.
+ */
+function resolveVariablesDisplay(
+  subBlock: SubBlockConfig | undefined,
+  rawValue: unknown
+): string | null {
+  if (subBlock?.type !== 'variables-input') return null
+  if (!isVariableAssignmentsArray(rawValue)) return null
+
+  const variables = useVariablesStore.getState().variables
+  const variablesArray = Object.values(variables)
+
+  const names = rawValue
+    .map((a) => {
+      if (a.variableId) {
+        const variable = variablesArray.find((v) => v.id === a.variableId)
+        return variable?.name
+      }
+      if (a.variableName) return a.variableName
+      return null
+    })
+    .filter((name): name is string => !!name)
+
+  if (names.length === 0) return null
+  if (names.length === 1) return names[0]
+  if (names.length === 2) return `${names[0]}, ${names[1]}`
+  return `${names[0]}, ${names[1]} +${names.length - 2}`
+}
+
+/**
+ * Resolves tool-input to display names.
+ * Resolves built-in tools from block registry (no API needed).
+ */
+function resolveToolsDisplay(
+  subBlock: SubBlockConfig | undefined,
+  rawValue: unknown
+): string | null {
+  if (subBlock?.type !== 'tool-input') return null
+  if (!Array.isArray(rawValue) || rawValue.length === 0) return null
+
+  const toolNames = rawValue
+    .map((tool: unknown) => {
+      if (!tool || typeof tool !== 'object') return null
+      const t = tool as Record<string, unknown>
+
+      // Priority 1: Use tool.title if already populated
+      if (t.title && typeof t.title === 'string') return t.title
+
+      // Priority 2: Extract from inline schema (legacy format)
+      const schema = t.schema as Record<string, unknown> | undefined
+      if (schema?.function && typeof schema.function === 'object') {
+        const fn = schema.function as Record<string, unknown>
+        if (fn.name && typeof fn.name === 'string') return fn.name
+      }
+
+      // Priority 3: Extract from OpenAI function format
+      const fn = t.function as Record<string, unknown> | undefined
+      if (fn?.name && typeof fn.name === 'string') return fn.name
+
+      // Priority 4: Resolve built-in tool blocks from registry
+      if (
+        typeof t.type === 'string' &&
+        t.type !== 'custom-tool' &&
+        t.type !== 'mcp' &&
+        t.type !== 'workflow' &&
+        t.type !== 'workflow_input'
+      ) {
+        const blockConfig = getBlock(t.type)
+        if (blockConfig?.name) return blockConfig.name
+      }
+
+      return null
+    })
+    .filter((name): name is string => !!name)
+
+  if (toolNames.length === 0) return null
+  if (toolNames.length === 1) return toolNames[0]
+  if (toolNames.length === 2) return `${toolNames[0]}, ${toolNames[1]}`
+  return `${toolNames[0]}, ${toolNames[1]} +${toolNames.length - 2}`
+}
+
+/**
+ * Renders a single subblock row with title and optional value.
+ * Matches the SubBlockRow component in WorkflowBlock.
+ * - Masks password fields with bullets
+ * - Resolves dropdown/combobox labels
+ * - Resolves workflow names from registry
+ * - Resolves variable names from store
+ * - Resolves tool names from block registry
+ * - Shows '-' for other selector types that need hydration
+ */
+function SubBlockRow({ title, value, subBlock, rawValue }: SubBlockRowProps) {
+  // Mask password fields
+  const isPasswordField = subBlock?.password === true
+  const maskedValue = isPasswordField && value && value !== '-' ? '•••' : null
+
+  // Resolve various display names (synchronous access, matching WorkflowBlock priority)
+  const dropdownLabel = resolveDropdownLabel(subBlock, rawValue)
+  const variablesDisplay = resolveVariablesDisplay(subBlock, rawValue)
+  const toolsDisplay = resolveToolsDisplay(subBlock, rawValue)
+  const workflowName = resolveWorkflowName(subBlock, rawValue)
+
+  // Check if this is a selector type that needs hydration (show '-' for raw IDs)
+  const isSelectorType = subBlock?.type && SELECTOR_TYPES_HYDRATION_REQUIRED.includes(subBlock.type)
+
+  // Compute final display value matching WorkflowBlock logic
+  // Priority order matches WorkflowBlock: masked > hydrated names > selector fallback > raw value
+  const hydratedName = dropdownLabel || variablesDisplay || toolsDisplay || workflowName
+  const displayValue = maskedValue || hydratedName || (isSelectorType && value ? '-' : value)
+
+  return (
+    <div className='flex items-center gap-[8px]'>
+      <span
+        className='min-w-0 truncate text-[14px] text-[var(--text-tertiary)] capitalize'
+        title={title}
+      >
+        {title}
+      </span>
+      {displayValue !== undefined && (
+        <span
+          className='flex-1 truncate text-right text-[14px] text-[var(--text-primary)]'
+          title={displayValue}
+        >
+          {displayValue}
+        </span>
+      )}
+    </div>
+  )
 }

 /**
 * Preview block component for workflow visualization.
- * Renders block header, subblocks skeleton, and handles without
+ * Renders block header, subblock values, and handles without
 * hooks, store subscriptions, or interactive features.
+ * Matches the visual structure of WorkflowBlock exactly.
 */
 function WorkflowPreviewBlockInner({ data }: NodeProps<WorkflowPreviewBlockData>) {
  const {
@@ -34,21 +257,111 @@ function WorkflowPreviewBlockInner({ data }: NodeProps<WorkflowPreviewBlockData>
    enabled = true,
    isPreviewSelected = false,
    executionStatus,
+    subBlockValues,
  } = data

  const blockConfig = getBlock(type)

+  const canonicalIndex = useMemo(
+    () => buildCanonicalIndex(blockConfig?.subBlocks || []),
+    [blockConfig?.subBlocks]
+  )
+
+  const rawValues = useMemo(() => {
+    if (!subBlockValues) return {}
+    return Object.entries(subBlockValues).reduce<Record<string, unknown>>((acc, [key, entry]) => {
+      acc[key] = extractValue(entry)
+      return acc
+    }, {})
+  }, [subBlockValues])
+
  const visibleSubBlocks = useMemo(() => {
    if (!blockConfig?.subBlocks) return []

+    const isStarterOrTrigger =
+      blockConfig.category === 'triggers' || type === 'starter' || isTrigger
+
    return blockConfig.subBlocks.filter((subBlock) => {
      if (subBlock.hidden) return false
      if (subBlock.hideFromPreview) return false
-      if (subBlock.mode === 'trigger' && blockConfig.category !== 'triggers') return false
-      if (subBlock.mode === 'advanced') return false
-      return true
+      if (!isSubBlockFeatureEnabled(subBlock)) return false
+
+      // Handle trigger mode visibility
+      if (subBlock.mode === 'trigger' && !isStarterOrTrigger) return false
+
+      // Check advanced mode visibility
+      if (!isSubBlockVisibleForMode(subBlock, false, canonicalIndex, rawValues, undefined)) {
+        return false
+      }
+
+      // Check condition visibility
+      if (!subBlock.condition) return true
+      return evaluateSubBlockCondition(subBlock.condition, rawValues)
    })
-  }, [blockConfig?.subBlocks])
+  }, [blockConfig?.subBlocks, blockConfig?.category, type, isTrigger, canonicalIndex, rawValues])
+
+  /**
+   * Compute condition rows for condition blocks
+   */
+  const conditionRows = useMemo(() => {
+    if (type !== 'condition') return []
+
+    const conditionsValue = rawValues.conditions
+    const raw = typeof conditionsValue === 'string' ? conditionsValue : undefined
+
+    try {
+      if (raw) {
+        const parsed = JSON.parse(raw) as unknown
+        if (Array.isArray(parsed)) {
+          return parsed.map((item: unknown, index: number) => {
+            const conditionItem = item as { id?: string; value?: unknown }
+            const title = index === 0 ? 'if' : index === parsed.length - 1 ? 'else' : 'else if'
+            return {
+              id: conditionItem?.id ?? `cond-${index}`,
+              title,
+              value: typeof conditionItem?.value === 'string' ? conditionItem.value : '',
+            }
+          })
+        }
+      }
+    } catch {
+      // Failed to parse, use fallback
+    }
+
+    return [
+      { id: 'if', title: 'if', value: '' },
+      { id: 'else', title: 'else', value: '' },
+    ]
+  }, [type, rawValues])
+
+  /**
+   * Compute router rows for router_v2 blocks
+   */
+  const routerRows = useMemo(() => {
+    if (type !== 'router_v2') return []
+
+    const routesValue = rawValues.routes
+    const raw = typeof routesValue === 'string' ? routesValue : undefined
+
+    try {
+      if (raw) {
+        const parsed = JSON.parse(raw) as unknown
+        if (Array.isArray(parsed)) {
+          return parsed.map((item: unknown, index: number) => {
+            const routeItem = item as { id?: string; value?: string }
+            return {
+              id: routeItem?.id ?? `route${index + 1}`,
+              value: routeItem?.value ?? '',
+            }
+          })
+        }
+      }
+    } catch {
+      // Failed to parse, use fallback
+    }
+
+    return [{ id: 'route1', value: '' }]
+  }, [type, rawValues])

  if (!blockConfig) {
    return null
@@ -57,8 +370,14 @@ function WorkflowPreviewBlockInner({ data }: NodeProps<WorkflowPreviewBlockData>
  const IconComponent = blockConfig.icon
  const isStarterOrTrigger = blockConfig.category === 'triggers' || type === 'starter' || isTrigger

+  const shouldShowDefaultHandles = !isStarterOrTrigger
  const hasSubBlocks = visibleSubBlocks.length > 0
-  const showErrorRow = !isStarterOrTrigger
+  const hasContentBelowHeader =
+    type === 'condition'
+      ? conditionRows.length > 0 || shouldShowDefaultHandles
+      : type === 'router_v2'
+        ? routerRows.length > 0 || shouldShowDefaultHandles
+        : hasSubBlocks || shouldShowDefaultHandles

  const horizontalHandleClass = '!border-none !bg-[var(--surface-7)] !h-5 !w-[7px] !rounded-[2px]'
  const verticalHandleClass = '!border-none !bg-[var(--surface-7)] !h-[7px] !w-5 !rounded-[2px]'
@@ -67,7 +386,7 @@ function WorkflowPreviewBlockInner({ data }: NodeProps<WorkflowPreviewBlockData>
  const hasSuccess = executionStatus === 'success'

  return (
-    <div className='relative w-[250px] select-none rounded-[8px] border border-[var(--border)] bg-[var(--surface-2)]'>
+    <div className='relative w-[250px] select-none rounded-[8px] border border-[var(--border-1)] bg-[var(--surface-2)]'>
      {/* Selection ring overlay (takes priority over execution rings) */}
      {isPreviewSelected && (
        <div className='pointer-events-none absolute inset-0 z-40 rounded-[8px] ring-[1.75px] ring-[var(--brand-secondary)]' />
@@ -82,7 +401,7 @@ function WorkflowPreviewBlockInner({ data }: NodeProps<WorkflowPreviewBlockData>
      )}

      {/* Target handle - not shown for triggers/starters */}
-      {!isStarterOrTrigger && (
+      {shouldShowDefaultHandles && (
        <Handle
          type='target'
          position={horizontalHandles ? Position.Left : Position.Top}
@@ -96,49 +415,67 @@ function WorkflowPreviewBlockInner({ data }: NodeProps<WorkflowPreviewBlockData>
        />
      )}

-      {/* Header */}
+      {/* Header - matches WorkflowBlock structure */}
      <div
-        className={`flex items-center gap-[10px] p-[8px] ${hasSubBlocks || showErrorRow ? 'border-[var(--divider)] border-b' : ''}`}
+        className={`flex items-center justify-between p-[8px] ${hasContentBelowHeader ? 'border-[var(--border-1)] border-b' : ''}`}
      >
-        <div
-          className='flex h-[24px] w-[24px] flex-shrink-0 items-center justify-center rounded-[6px]'
-          style={{ background: enabled ? blockConfig.bgColor : 'gray' }}
-        >
-          <IconComponent className='h-[16px] w-[16px] text-white' />
+        <div className='relative z-10 flex min-w-0 flex-1 items-center gap-[10px]'>
+          <div
+            className='flex h-[24px] w-[24px] flex-shrink-0 items-center justify-center rounded-[6px]'
+            style={{ background: enabled ? blockConfig.bgColor : 'gray' }}
+          >
+            <IconComponent className='h-[16px] w-[16px] text-white' />
+          </div>
+          <span
+            className={`truncate font-medium text-[16px] ${!enabled ? 'text-[var(--text-muted)]' : ''}`}
+            title={name}
+          >
+            {name}
+          </span>
        </div>
-        <span
-          className={`truncate font-medium text-[16px] ${!enabled ? 'text-[#808080]' : ''}`}
-          title={name}
-        >
-          {name}
-        </span>
      </div>

-      {/* Subblocks skeleton */}
-      {(hasSubBlocks || showErrorRow) && (
+      {/* Content area with subblocks */}
+      {hasContentBelowHeader && (
        <div className='flex flex-col gap-[8px] p-[8px]'>
-          {visibleSubBlocks.slice(0, 4).map((subBlock) => (
-            <div key={subBlock.id} className='flex items-center gap-[8px]'>
-              <span className='min-w-0 truncate text-[14px] text-[var(--text-tertiary)] capitalize'>
-                {subBlock.title ?? subBlock.id}
-              </span>
-              <span className='flex-1 truncate text-right text-[14px] text-[var(--white)]'>-</span>
-            </div>
-          ))}
-          {visibleSubBlocks.length > 4 && (
-            <div className='flex items-center gap-[8px]'>
-              <span className='text-[14px] text-[var(--text-tertiary)]'>
-                +{visibleSubBlocks.length - 4} more
-              </span>
-            </div>
-          )}
-          {showErrorRow && (
-            <div className='flex items-center gap-[8px]'>
-              <span className='min-w-0 truncate text-[14px] text-[var(--text-tertiary)] capitalize'>
-                error
-              </span>
-            </div>
+          {type === 'condition' ? (
+            // Condition block: render condition rows
+            conditionRows.map((cond) => (
+              <SubBlockRow key={cond.id} title={cond.title} value={getDisplayValue(cond.value)} />
+            ))
+          ) : type === 'router_v2' ? (
+            // Router block: render context + route rows
+            <>
+              <SubBlockRow
+                key='context'
+                title='Context'
+                value={getDisplayValue(rawValues.context)}
+              />
+              {routerRows.map((route, index) => (
+                <SubBlockRow
+                  key={route.id}
+                  title={`Route ${index + 1}`}
+                  value={getDisplayValue(route.value)}
+                />
+              ))}
+            </>
+          ) : (
+            // Standard blocks: render visible subblocks
+            visibleSubBlocks.map((subBlock) => {
+              const rawValue = rawValues[subBlock.id]
+              return (
+                <SubBlockRow
+                  key={subBlock.id}
+                  title={subBlock.title ?? subBlock.id}
+                  value={getDisplayValue(rawValue)}
+                  subBlock={subBlock}
+                  rawValue={rawValue}
+                />
+              )
+            })
          )}
+          {/* Error row for non-trigger blocks */}
+          {shouldShowDefaultHandles && <SubBlockRow title='error' />}
        </div>
      )}

@@ -162,16 +499,47 @@ function shouldSkipPreviewBlockRender(
  prevProps: NodeProps<WorkflowPreviewBlockData>,
  nextProps: NodeProps<WorkflowPreviewBlockData>
 ): boolean {
-  return (
-    prevProps.id === nextProps.id &&
-    prevProps.data.type === nextProps.data.type &&
-    prevProps.data.name === nextProps.data.name &&
-    prevProps.data.isTrigger === nextProps.data.isTrigger &&
-    prevProps.data.horizontalHandles === nextProps.data.horizontalHandles &&
-    prevProps.data.enabled === nextProps.data.enabled &&
-    prevProps.data.isPreviewSelected === nextProps.data.isPreviewSelected &&
-    prevProps.data.executionStatus === nextProps.data.executionStatus
-  )
+  // Check primitive props first (fast path)
+  if (
+    prevProps.id !== nextProps.id ||
+    prevProps.data.type !== nextProps.data.type ||
+    prevProps.data.name !== nextProps.data.name ||
+    prevProps.data.isTrigger !== nextProps.data.isTrigger ||
+    prevProps.data.horizontalHandles !== nextProps.data.horizontalHandles ||
+    prevProps.data.enabled !== nextProps.data.enabled ||
+    prevProps.data.isPreviewSelected !== nextProps.data.isPreviewSelected ||
+    prevProps.data.executionStatus !== nextProps.data.executionStatus
+  ) {
+    return false
+  }
+
+  // Compare subBlockValues by reference first
+  const prevValues = prevProps.data.subBlockValues
+  const nextValues = nextProps.data.subBlockValues
+
+  if (prevValues === nextValues) {
+    return true
+  }
+
+  if (!prevValues || !nextValues) {
+    return false
+  }
+
+  // Shallow compare keys and values
+  const prevKeys = Object.keys(prevValues)
+  const nextKeys = Object.keys(nextValues)
+
+  if (prevKeys.length !== nextKeys.length) {
+    return false
+  }
+
+  for (const key of prevKeys) {
+    if (prevValues[key] !== nextValues[key]) {
+      return false
+    }
+  }
+
+  return true
 }

 export const WorkflowPreviewBlock = memo(WorkflowPreviewBlockInner, shouldSkipPreviewBlockRender)
--- a/apps/sim/app/workspace/[workspaceId]/w/components/preview/preview.tsx
+++ b/apps/sim/app/workspace/[workspaceId]/w/components/preview/preview.tsx
@@ -347,6 +347,7 @@ export function WorkflowPreview({
          enabled: block.enabled ?? true,
          isPreviewSelected: isSelected,
          executionStatus,
+          subBlockValues: block.subBlocks,
        },
      })
    })
--- a/apps/sim/background/schedule-execution.ts
+++ b/apps/sim/background/schedule-execution.ts
@@ -21,7 +21,7 @@ import {
 } from '@/lib/workflows/schedules/utils'
 import { ExecutionSnapshot } from '@/executor/execution/snapshot'
 import type { ExecutionMetadata } from '@/executor/execution/types'
-import type { ExecutionResult } from '@/executor/types'
+import { hasExecutionResult } from '@/executor/utils/errors'
 import { MAX_CONSECUTIVE_FAILURES } from '@/triggers/constants'

 const logger = createLogger('TriggerScheduleExecution')
@@ -231,8 +231,7 @@ async function runWorkflowExecution({
  } catch (error: unknown) {
    logger.error(`[${requestId}] Early failure in scheduled workflow ${payload.workflowId}`, error)

-    const errorWithResult = error as { executionResult?: ExecutionResult }
-    const executionResult = errorWithResult?.executionResult
+    const executionResult = hasExecutionResult(error) ? error.executionResult : undefined
    const { traceSpans } = executionResult ? buildTraceSpans(executionResult) : { traceSpans: [] }

    await loggingSession.safeCompleteWithError({
--- a/apps/sim/background/webhook-execution.ts
+++ b/apps/sim/background/webhook-execution.ts
@@ -16,7 +16,7 @@ import { loadDeployedWorkflowState } from '@/lib/workflows/persistence/utils'
 import { getWorkflowById } from '@/lib/workflows/utils'
 import { ExecutionSnapshot } from '@/executor/execution/snapshot'
 import type { ExecutionMetadata } from '@/executor/execution/types'
-import type { ExecutionResult } from '@/executor/types'
+import { hasExecutionResult } from '@/executor/utils/errors'
 import { safeAssign } from '@/tools/safe-assign'
 import { getTrigger, isTriggerValid } from '@/triggers'

@@ -578,12 +578,13 @@ async function executeWebhookJobInternal(
        deploymentVersionId,
      })

-      const errorWithResult = error as { executionResult?: ExecutionResult }
-      const executionResult = errorWithResult?.executionResult || {
-        success: false,
-        output: {},
-        logs: [],
-      }
+      const executionResult = hasExecutionResult(error)
+        ? error.executionResult
+        : {
+            success: false,
+            output: {},
+            logs: [],
+          }
      const { traceSpans } = buildTraceSpans(executionResult)

      await loggingSession.safeCompleteWithError({
--- a/apps/sim/background/workflow-execution.ts
+++ b/apps/sim/background/workflow-execution.ts
@@ -9,7 +9,7 @@ import { PauseResumeManager } from '@/lib/workflows/executor/human-in-the-loop-m
 import { getWorkflowById } from '@/lib/workflows/utils'
 import { ExecutionSnapshot } from '@/executor/execution/snapshot'
 import type { ExecutionMetadata } from '@/executor/execution/types'
-import type { ExecutionResult } from '@/executor/types'
+import { hasExecutionResult } from '@/executor/utils/errors'
 import type { CoreTriggerType } from '@/stores/logs/filters/types'

 const logger = createLogger('TriggerWorkflowExecution')
@@ -160,8 +160,7 @@ export async function executeWorkflowJob(payload: WorkflowExecutionPayload) {
      executionId,
    })

-    const errorWithResult = error as { executionResult?: ExecutionResult }
-    const executionResult = errorWithResult?.executionResult
+    const executionResult = hasExecutionResult(error) ? error.executionResult : undefined
    const { traceSpans } = executionResult ? buildTraceSpans(executionResult) : { traceSpans: [] }

    await loggingSession.safeCompleteWithError({
--- a/apps/sim/executor/errors/child-workflow-error.ts
+++ b/apps/sim/executor/errors/child-workflow-error.ts
@@ -0,0 +1,31 @@
+import type { TraceSpan } from '@/lib/logs/types'
+import type { ExecutionResult } from '@/executor/types'
+
+interface ChildWorkflowErrorOptions {
+  message: string
+  childWorkflowName: string
+  childTraceSpans?: TraceSpan[]
+  executionResult?: ExecutionResult
+  cause?: Error
+}
+
+/**
+ * Error raised when a child workflow execution fails.
+ */
+export class ChildWorkflowError extends Error {
+  readonly childTraceSpans: TraceSpan[]
+  readonly childWorkflowName: string
+  readonly executionResult?: ExecutionResult
+
+  constructor(options: ChildWorkflowErrorOptions) {
+    super(options.message, { cause: options.cause })
+    this.name = 'ChildWorkflowError'
+    this.childWorkflowName = options.childWorkflowName
+    this.childTraceSpans = options.childTraceSpans ?? []
+    this.executionResult = options.executionResult
+  }
+
+  static isChildWorkflowError(error: unknown): error is ChildWorkflowError {
+    return error instanceof ChildWorkflowError
+  }
+}
--- a/apps/sim/executor/execution/block-executor.ts
+++ b/apps/sim/executor/execution/block-executor.ts
@@ -13,6 +13,7 @@ import {
  isSentinelBlockType,
 } from '@/executor/constants'
 import type { DAGNode } from '@/executor/dag/builder'
+import { ChildWorkflowError } from '@/executor/errors/child-workflow-error'
 import type { BlockStateWriter, ContextExtensions } from '@/executor/execution/types'
 import {
  generatePauseContextId,
@@ -213,24 +214,26 @@ export class BlockExecutor {
        ? resolvedInputs
        : ((block.config?.params as Record<string, any> | undefined) ?? {})

+    const errorOutput: NormalizedBlockOutput = {
+      error: errorMessage,
+    }
+
+    if (ChildWorkflowError.isChildWorkflowError(error)) {
+      errorOutput.childTraceSpans = error.childTraceSpans
+      errorOutput.childWorkflowName = error.childWorkflowName
+    }
+
+    this.state.setBlockOutput(node.id, errorOutput, duration)
+
    if (blockLog) {
      blockLog.endedAt = new Date().toISOString()
      blockLog.durationMs = duration
      blockLog.success = false
      blockLog.error = errorMessage
      blockLog.input = input
+      blockLog.output = this.filterOutputForLog(block, errorOutput)
    }

-    const errorOutput: NormalizedBlockOutput = {
-      error: errorMessage,
-    }
-
-    if (error && typeof error === 'object' && 'childTraceSpans' in error) {
-      errorOutput.childTraceSpans = (error as any).childTraceSpans
-    }
-
-    this.state.setBlockOutput(node.id, errorOutput, duration)
-
    logger.error(
      phase === 'input_resolution' ? 'Failed to resolve block inputs' : 'Block execution failed',
      {
--- a/apps/sim/executor/execution/engine.ts
+++ b/apps/sim/executor/execution/engine.ts
@@ -13,7 +13,7 @@ import type {
  PausePoint,
  ResumeStatus,
 } from '@/executor/types'
-import { normalizeError } from '@/executor/utils/errors'
+import { attachExecutionResult, normalizeError } from '@/executor/utils/errors'

 const logger = createLogger('ExecutionEngine')

@@ -170,8 +170,8 @@ export class ExecutionEngine {
        metadata: this.context.metadata,
      }

-      if (error && typeof error === 'object') {
-        ;(error as any).executionResult = executionResult
+      if (error instanceof Error) {
+        attachExecutionResult(error, executionResult)
      }
      throw error
    }
--- a/apps/sim/executor/handlers/agent/agent-handler.test.ts
+++ b/apps/sim/executor/handlers/agent/agent-handler.test.ts
@@ -144,25 +144,22 @@ describe('AgentBlockHandler', () => {
    }
    mockGetProviderFromModel.mockReturnValue('mock-provider')

-    mockFetch.mockImplementation(() => {
+    mockExecuteProviderRequest.mockResolvedValue({
+      content: 'Mocked response content',
+      model: 'mock-model',
+      tokens: { input: 10, output: 20, total: 30 },
+      toolCalls: [],
+      cost: 0.001,
+      timing: { total: 100 },
+    })
+
+    mockFetch.mockImplementation((url: string) => {
      return Promise.resolve({
        ok: true,
        headers: {
-          get: (name: string) => {
-            if (name === 'Content-Type') return 'application/json'
-            if (name === 'X-Execution-Data') return null
-            return null
-          },
+          get: () => null,
        },
-        json: () =>
-          Promise.resolve({
-            content: 'Mocked response content',
-            model: 'mock-model',
-            tokens: { input: 10, output: 20, total: 30 },
-            toolCalls: [],
-            cost: 0.001,
-            timing: { total: 100 },
-          }),
+        json: () => Promise.resolve({}),
      })
    })

@@ -244,7 +241,7 @@ describe('AgentBlockHandler', () => {
      const result = await handler.execute(mockContext, mockBlock, inputs)

      expect(mockGetProviderFromModel).toHaveBeenCalledWith('gpt-4o')
-      expect(mockFetch).toHaveBeenCalledWith(expect.any(String), expect.any(Object))
+      expect(mockExecuteProviderRequest).toHaveBeenCalled()
      expect(result).toEqual(expectedOutput)
    })

@@ -263,34 +260,21 @@ describe('AgentBlockHandler', () => {
        return result
      })

-      mockFetch.mockImplementationOnce(() => {
-        return Promise.resolve({
-          ok: true,
-          headers: {
-            get: (name: string) => {
-              if (name === 'Content-Type') return 'application/json'
-              if (name === 'X-Execution-Data') return null
-              return null
-            },
+      mockExecuteProviderRequest.mockResolvedValueOnce({
+        content: 'Using tools to respond',
+        model: 'mock-model',
+        tokens: { input: 10, output: 20, total: 30 },
+        toolCalls: [
+          {
+            name: 'auto_tool',
+            arguments: { input: 'test input for auto tool' },
          },
-          json: () =>
-            Promise.resolve({
-              content: 'Using tools to respond',
-              model: 'mock-model',
-              tokens: { input: 10, output: 20, total: 30 },
-              toolCalls: [
-                {
-                  name: 'auto_tool',
-                  arguments: { input: 'test input for auto tool' },
-                },
-                {
-                  name: 'force_tool',
-                  arguments: { input: 'test input for force tool' },
-                },
-              ],
-              timing: { total: 100 },
-            }),
-        })
+          {
+            name: 'force_tool',
+            arguments: { input: 'test input for force tool' },
+          },
+        ],
+        timing: { total: 100 },
      })

      const inputs = {
@@ -403,8 +387,8 @@ describe('AgentBlockHandler', () => {
        expect.any(Object) // execution context
      )

-      const fetchCall = mockFetch.mock.calls[0]
-      const requestBody = JSON.parse(fetchCall[1].body)
+      const providerCall = mockExecuteProviderRequest.mock.calls[0]
+      const requestBody = providerCall[1]

      expect(requestBody.tools.length).toBe(2)
    })
@@ -443,8 +427,8 @@ describe('AgentBlockHandler', () => {

      await handler.execute(mockContext, mockBlock, inputs)

-      const fetchCall = mockFetch.mock.calls[0]
-      const requestBody = JSON.parse(fetchCall[1].body)
+      const providerCall = mockExecuteProviderRequest.mock.calls[0]
+      const requestBody = providerCall[1]

      expect(requestBody.tools.length).toBe(2)

@@ -488,8 +472,8 @@ describe('AgentBlockHandler', () => {

      await handler.execute(mockContext, mockBlock, inputs)

-      const fetchCall = mockFetch.mock.calls[0]
-      const requestBody = JSON.parse(fetchCall[1].body)
+      const providerCall = mockExecuteProviderRequest.mock.calls[0]
+      const requestBody = providerCall[1]

      expect(requestBody.tools[0].usageControl).toBe('auto')
      expect(requestBody.tools[1].usageControl).toBe('force')
@@ -553,8 +537,8 @@ describe('AgentBlockHandler', () => {

      await handler.execute(mockContext, mockBlock, inputs)

-      const fetchCall = mockFetch.mock.calls[0]
-      const requestBody = JSON.parse(fetchCall[1].body)
+      const providerCall = mockExecuteProviderRequest.mock.calls[0]
+      const requestBody = providerCall[1]

      expect(requestBody.tools.length).toBe(2)

@@ -583,7 +567,7 @@ describe('AgentBlockHandler', () => {

      await handler.execute(mockContext, mockBlock, inputs)

-      expect(mockFetch).toHaveBeenCalledWith(expect.any(String), expect.any(Object))
+      expect(mockExecuteProviderRequest).toHaveBeenCalled()
    })

    it('should execute with standard block tools', async () => {
@@ -625,7 +609,7 @@ describe('AgentBlockHandler', () => {
        inputs.tools[0],
        expect.objectContaining({ selectedOperation: 'analyze' })
      )
-      expect(mockFetch).toHaveBeenCalledWith(expect.any(String), expect.any(Object))
+      expect(mockExecuteProviderRequest).toHaveBeenCalled()
      expect(result).toEqual(expectedOutput)
    })

@@ -676,30 +660,17 @@ describe('AgentBlockHandler', () => {

      await handler.execute(mockContext, mockBlock, inputs)

-      expect(mockFetch).toHaveBeenCalledWith(expect.any(String), expect.any(Object))
+      expect(mockExecuteProviderRequest).toHaveBeenCalled()
    })

    it('should handle responseFormat with valid JSON', async () => {
-      mockFetch.mockImplementationOnce(() => {
-        return Promise.resolve({
-          ok: true,
-          headers: {
-            get: (name: string) => {
-              if (name === 'Content-Type') return 'application/json'
-              if (name === 'X-Execution-Data') return null
-              return null
-            },
-          },
-          json: () =>
-            Promise.resolve({
-              content: '{"result": "Success", "score": 0.95}',
-              model: 'mock-model',
-              tokens: { input: 10, output: 20, total: 30 },
-              timing: { total: 100 },
-              toolCalls: [],
-              cost: undefined,
-            }),
-        })
+      mockExecuteProviderRequest.mockResolvedValueOnce({
+        content: '{"result": "Success", "score": 0.95}',
+        model: 'mock-model',
+        tokens: { input: 10, output: 20, total: 30 },
+        timing: { total: 100 },
+        toolCalls: [],
+        cost: undefined,
      })

      const inputs = {
@@ -723,24 +694,11 @@ describe('AgentBlockHandler', () => {
    })

    it('should handle responseFormat when it is an empty string', async () => {
-      mockFetch.mockImplementationOnce(() => {
-        return Promise.resolve({
-          ok: true,
-          headers: {
-            get: (name: string) => {
-              if (name === 'Content-Type') return 'application/json'
-              if (name === 'X-Execution-Data') return null
-              return null
-            },
-          },
-          json: () =>
-            Promise.resolve({
-              content: 'Regular text response',
-              model: 'mock-model',
-              tokens: { input: 10, output: 20, total: 30 },
-              timing: { total: 100 },
-            }),
-        })
+      mockExecuteProviderRequest.mockResolvedValueOnce({
+        content: 'Regular text response',
+        model: 'mock-model',
+        tokens: { input: 10, output: 20, total: 30 },
+        timing: { total: 100 },
      })

      const inputs = {
@@ -763,26 +721,13 @@ describe('AgentBlockHandler', () => {
    })

    it('should handle invalid JSON in responseFormat gracefully', async () => {
-      mockFetch.mockImplementationOnce(() => {
-        return Promise.resolve({
-          ok: true,
-          headers: {
-            get: (name: string) => {
-              if (name === 'Content-Type') return 'application/json'
-              if (name === 'X-Execution-Data') return null
-              return null
-            },
-          },
-          json: () =>
-            Promise.resolve({
-              content: 'Regular text response',
-              model: 'mock-model',
-              tokens: { input: 10, output: 20, total: 30 },
-              timing: { total: 100 },
-              toolCalls: [],
-              cost: undefined,
-            }),
-        })
+      mockExecuteProviderRequest.mockResolvedValueOnce({
+        content: 'Regular text response',
+        model: 'mock-model',
+        tokens: { input: 10, output: 20, total: 30 },
+        timing: { total: 100 },
+        toolCalls: [],
+        cost: undefined,
      })

      const inputs = {
@@ -806,26 +751,13 @@ describe('AgentBlockHandler', () => {
    })

    it('should handle variable references in responseFormat gracefully', async () => {
-      mockFetch.mockImplementationOnce(() => {
-        return Promise.resolve({
-          ok: true,
-          headers: {
-            get: (name: string) => {
-              if (name === 'Content-Type') return 'application/json'
-              if (name === 'X-Execution-Data') return null
-              return null
-            },
-          },
-          json: () =>
-            Promise.resolve({
-              content: 'Regular text response',
-              model: 'mock-model',
-              tokens: { input: 10, output: 20, total: 30 },
-              timing: { total: 100 },
-              toolCalls: [],
-              cost: undefined,
-            }),
-        })
+      mockExecuteProviderRequest.mockResolvedValueOnce({
+        content: 'Regular text response',
+        model: 'mock-model',
+        tokens: { input: 10, output: 20, total: 30 },
+        timing: { total: 100 },
+        toolCalls: [],
+        cost: undefined,
      })

      const inputs = {
@@ -856,7 +788,7 @@ describe('AgentBlockHandler', () => {
      }

      mockGetProviderFromModel.mockReturnValue('openai')
-      mockFetch.mockRejectedValue(new Error('Provider API Error'))
+      mockExecuteProviderRequest.mockRejectedValueOnce(new Error('Provider API Error'))

      await expect(handler.execute(mockContext, mockBlock, inputs)).rejects.toThrow(
        'Provider API Error'
@@ -870,30 +802,17 @@ describe('AgentBlockHandler', () => {
        },
      })

-      mockFetch.mockImplementationOnce(() => {
-        return Promise.resolve({
-          ok: true,
-          headers: {
-            get: (name: string) => {
-              if (name === 'Content-Type') return 'application/json'
-              if (name === 'X-Execution-Data') return null
-              return null
-            },
+      mockExecuteProviderRequest.mockResolvedValueOnce({
+        stream: mockStreamBody,
+        execution: {
+          success: true,
+          output: {},
+          logs: [],
+          metadata: {
+            duration: 0,
+            startTime: new Date().toISOString(),
          },
-          json: () =>
-            Promise.resolve({
-              stream: mockStreamBody,
-              execution: {
-                success: true,
-                output: {},
-                logs: [],
-                metadata: {
-                  duration: 0,
-                  startTime: new Date().toISOString(),
-                },
-              },
-            }),
-        })
+        },
      })

      const inputs = {
@@ -947,22 +866,9 @@ describe('AgentBlockHandler', () => {
        },
      }

-      mockFetch.mockImplementationOnce(() => {
-        return Promise.resolve({
-          ok: true,
-          headers: {
-            get: (name: string) => {
-              if (name === 'Content-Type') return 'application/json'
-              if (name === 'X-Execution-Data') return JSON.stringify(mockExecutionData)
-              return null
-            },
-          },
-          json: () =>
-            Promise.resolve({
-              stream: mockStreamBody,
-              execution: mockExecutionData,
-            }),
-        })
+      mockExecuteProviderRequest.mockResolvedValueOnce({
+        stream: mockStreamBody,
+        execution: mockExecutionData,
      })

      const inputs = {
@@ -996,30 +902,21 @@ describe('AgentBlockHandler', () => {
        },
      })

-      mockFetch.mockImplementationOnce(() => {
-        return Promise.resolve({
-          ok: true,
-          headers: {
-            get: (name: string) => (name === 'Content-Type' ? 'application/json' : null),
+      mockExecuteProviderRequest.mockResolvedValueOnce({
+        stream: {}, // Serialized stream placeholder
+        execution: {
+          success: true,
+          output: {
+            content: 'Test streaming content',
+            model: 'gpt-4o',
+            tokens: { input: 10, output: 5, total: 15 },
          },
-          json: () =>
-            Promise.resolve({
-              stream: {}, // Serialized stream placeholder
-              execution: {
-                success: true,
-                output: {
-                  content: 'Test streaming content',
-                  model: 'gpt-4o',
-                  tokens: { input: 10, output: 5, total: 15 },
-                },
-                logs: [],
-                metadata: {
-                  startTime: new Date().toISOString(),
-                  duration: 150,
-                },
-              },
-            }),
-        })
+          logs: [],
+          metadata: {
+            startTime: new Date().toISOString(),
+            duration: 150,
+          },
+        },
      })

      const inputs = {
@@ -1060,8 +957,8 @@ describe('AgentBlockHandler', () => {

      await handler.execute(mockContext, mockBlock, inputs)

-      const fetchCall = mockFetch.mock.calls[0]
-      const requestBody = JSON.parse(fetchCall[1].body)
+      const providerCall = mockExecuteProviderRequest.mock.calls[0]
+      const requestBody = providerCall[1]

      // Verify messages were built correctly
      expect(requestBody.messages).toBeDefined()
@@ -1110,8 +1007,8 @@ describe('AgentBlockHandler', () => {

      await handler.execute(mockContext, mockBlock, inputs)

-      const fetchCall = mockFetch.mock.calls[0]
-      const requestBody = JSON.parse(fetchCall[1].body)
+      const providerCall = mockExecuteProviderRequest.mock.calls[0]
+      const requestBody = providerCall[1]

      // Verify messages were built correctly
      expect(requestBody.messages).toBeDefined()
@@ -1149,8 +1046,8 @@ describe('AgentBlockHandler', () => {

      await handler.execute(mockContext, mockBlock, inputs)

-      const fetchCall = mockFetch.mock.calls[0]
-      const requestBody = JSON.parse(fetchCall[1].body)
+      const providerCall = mockExecuteProviderRequest.mock.calls[0]
+      const requestBody = providerCall[1]

      // Verify messages were built correctly
      expect(requestBody.messages).toBeDefined()
@@ -1181,8 +1078,8 @@ describe('AgentBlockHandler', () => {

      await handler.execute(mockContext, mockBlock, inputs)

-      const fetchCall = mockFetch.mock.calls[0]
-      const requestBody = JSON.parse(fetchCall[1].body)
+      const providerCall = mockExecuteProviderRequest.mock.calls[0]
+      const requestBody = providerCall[1]

      // Verify messages were built correctly
      // Agent system (1) + legacy memories (3) + user from messages (1) = 5
@@ -1225,8 +1122,8 @@ describe('AgentBlockHandler', () => {

      await handler.execute(mockContext, mockBlock, inputs)

-      const fetchCall = mockFetch.mock.calls[0]
-      const requestBody = JSON.parse(fetchCall[1].body)
+      const providerCall = mockExecuteProviderRequest.mock.calls[0]
+      const requestBody = providerCall[1]

      // Verify messages were built correctly
      expect(requestBody.messages).toBeDefined()
@@ -1268,8 +1165,8 @@ describe('AgentBlockHandler', () => {

      await handler.execute(mockContext, mockBlock, inputs)

-      const fetchCall = mockFetch.mock.calls[0]
-      const requestBody = JSON.parse(fetchCall[1].body)
+      const providerCall = mockExecuteProviderRequest.mock.calls[0]
+      const requestBody = providerCall[1]

      // Verify messages were built correctly
      expect(requestBody.messages).toBeDefined()
@@ -1310,8 +1207,8 @@ describe('AgentBlockHandler', () => {

      await handler.execute(mockContext, mockBlock, inputs)

-      const fetchCall = mockFetch.mock.calls[0]
-      const requestBody = JSON.parse(fetchCall[1].body)
+      const providerCall = mockExecuteProviderRequest.mock.calls[0]
+      const requestBody = providerCall[1]

      // Verify user prompt content was extracted correctly
      expect(requestBody.messages).toBeDefined()
@@ -1337,15 +1234,14 @@ describe('AgentBlockHandler', () => {

      await handler.execute(mockContext, mockBlock, inputs)

-      expect(mockFetch).toHaveBeenCalledWith(expect.any(String), expect.any(Object))
+      expect(mockExecuteProviderRequest).toHaveBeenCalled()

-      const fetchCall = mockFetch.mock.calls[0]
-      const requestBody = JSON.parse(fetchCall[1].body)
+      const providerCall = mockExecuteProviderRequest.mock.calls[0]
+      const requestBody = providerCall[1]

-      // Check that Azure parameters are included in the request
      expect(requestBody.azureEndpoint).toBe('https://my-azure-resource.openai.azure.com')
      expect(requestBody.azureApiVersion).toBe('2024-07-01-preview')
-      expect(requestBody.provider).toBe('azure-openai')
+      expect(providerCall[0]).toBe('azure-openai')
      expect(requestBody.model).toBe('azure/gpt-4o')
      expect(requestBody.apiKey).toBe('test-azure-api-key')
    })
@@ -1365,15 +1261,14 @@ describe('AgentBlockHandler', () => {

      await handler.execute(mockContext, mockBlock, inputs)

-      expect(mockFetch).toHaveBeenCalledWith(expect.any(String), expect.any(Object))
+      expect(mockExecuteProviderRequest).toHaveBeenCalled()

-      const fetchCall = mockFetch.mock.calls[0]
-      const requestBody = JSON.parse(fetchCall[1].body)
+      const providerCall = mockExecuteProviderRequest.mock.calls[0]
+      const requestBody = providerCall[1]

-      // Check that GPT-5 parameters are included in the request
      expect(requestBody.reasoningEffort).toBe('minimal')
      expect(requestBody.verbosity).toBe('high')
-      expect(requestBody.provider).toBe('openai')
+      expect(providerCall[0]).toBe('openai')
      expect(requestBody.model).toBe('gpt-5')
      expect(requestBody.apiKey).toBe('test-api-key')
    })
@@ -1385,22 +1280,20 @@ describe('AgentBlockHandler', () => {
        userPrompt: 'Hello!',
        apiKey: 'test-api-key',
        temperature: 0.7,
-        // No reasoningEffort or verbosity provided
      }

      mockGetProviderFromModel.mockReturnValue('openai')

      await handler.execute(mockContext, mockBlock, inputs)

-      expect(mockFetch).toHaveBeenCalledWith(expect.any(String), expect.any(Object))
+      expect(mockExecuteProviderRequest).toHaveBeenCalled()

-      const fetchCall = mockFetch.mock.calls[0]
-      const requestBody = JSON.parse(fetchCall[1].body)
+      const providerCall = mockExecuteProviderRequest.mock.calls[0]
+      const requestBody = providerCall[1]

-      // Check that GPT-5 parameters are undefined when not provided
      expect(requestBody.reasoningEffort).toBeUndefined()
      expect(requestBody.verbosity).toBeUndefined()
-      expect(requestBody.provider).toBe('openai')
+      expect(providerCall[0]).toBe('openai')
      expect(requestBody.model).toBe('gpt-5')
    })

@@ -1422,42 +1315,29 @@ describe('AgentBlockHandler', () => {
        return Promise.resolve({ success: false, error: 'Unknown tool' })
      })

-      mockFetch.mockImplementationOnce(() => {
-        return Promise.resolve({
-          ok: true,
-          headers: {
-            get: (name: string) => {
-              if (name === 'Content-Type') return 'application/json'
-              if (name === 'X-Execution-Data') return null
-              return null
+      mockExecuteProviderRequest.mockResolvedValueOnce({
+        content: 'I will use MCP tools to help you.',
+        model: 'gpt-4o',
+        tokens: { input: 15, output: 25, total: 40 },
+        toolCalls: [
+          {
+            name: 'mcp-server1-list_files',
+            arguments: { path: '/tmp' },
+            result: {
+              success: true,
+              output: { content: [{ type: 'text', text: 'Files listed' }] },
            },
          },
-          json: () =>
-            Promise.resolve({
-              content: 'I will use MCP tools to help you.',
-              model: 'gpt-4o',
-              tokens: { input: 15, output: 25, total: 40 },
-              toolCalls: [
-                {
-                  name: 'mcp-server1-list_files',
-                  arguments: { path: '/tmp' },
-                  result: {
-                    success: true,
-                    output: { content: [{ type: 'text', text: 'Files listed' }] },
-                  },
-                },
-                {
-                  name: 'mcp-server2-search',
-                  arguments: { query: 'test', limit: 5 },
-                  result: {
-                    success: true,
-                    output: { content: [{ type: 'text', text: 'Search results' }] },
-                  },
-                },
-              ],
-              timing: { total: 150 },
-            }),
-        })
+          {
+            name: 'mcp-server2-search',
+            arguments: { query: 'test', limit: 5 },
+            result: {
+              success: true,
+              output: { content: [{ type: 'text', text: 'Search results' }] },
+            },
+          },
+        ],
+        timing: { total: 150 },
      })

      const inputs = {
@@ -1533,34 +1413,21 @@ describe('AgentBlockHandler', () => {
        return Promise.resolve({ success: false, error: 'Unknown tool' })
      })

-      mockFetch.mockImplementationOnce(() => {
-        return Promise.resolve({
-          ok: true,
-          headers: {
-            get: (name: string) => {
-              if (name === 'Content-Type') return 'application/json'
-              if (name === 'X-Execution-Data') return null
-              return null
+      mockExecuteProviderRequest.mockResolvedValueOnce({
+        content: 'Let me try to use this tool.',
+        model: 'gpt-4o',
+        tokens: { input: 10, output: 15, total: 25 },
+        toolCalls: [
+          {
+            name: 'mcp-server1-failing_tool',
+            arguments: { param: 'value' },
+            result: {
+              success: false,
+              error: 'MCP server connection failed',
            },
          },
-          json: () =>
-            Promise.resolve({
-              content: 'Let me try to use this tool.',
-              model: 'gpt-4o',
-              tokens: { input: 10, output: 15, total: 25 },
-              toolCalls: [
-                {
-                  name: 'mcp-server1-failing_tool',
-                  arguments: { param: 'value' },
-                  result: {
-                    success: false,
-                    error: 'MCP server connection failed',
-                  },
-                },
-              ],
-              timing: { total: 100 },
-            }),
-        })
+        ],
+        timing: { total: 100 },
      })

      const inputs = {
@@ -1638,25 +1505,12 @@ describe('AgentBlockHandler', () => {

      mockGetProviderFromModel.mockReturnValue('openai')

-      mockFetch.mockImplementationOnce(() => {
-        return Promise.resolve({
-          ok: true,
-          headers: {
-            get: (name: string) => {
-              if (name === 'Content-Type') return 'application/json'
-              if (name === 'X-Execution-Data') return null
-              return null
-            },
-          },
-          json: () =>
-            Promise.resolve({
-              content: 'Used MCP tools successfully',
-              model: 'gpt-4o',
-              tokens: { input: 20, output: 30, total: 50 },
-              toolCalls: [],
-              timing: { total: 200 },
-            }),
-        })
+      mockExecuteProviderRequest.mockResolvedValueOnce({
+        content: 'Used MCP tools successfully',
+        model: 'gpt-4o',
+        tokens: { input: 20, output: 30, total: 50 },
+        toolCalls: [],
+        timing: { total: 200 },
      })

      mockTransformBlockTool.mockImplementation((tool: any) => ({
@@ -1669,11 +1523,9 @@ describe('AgentBlockHandler', () => {

      const result = await handler.execute(mockContext, mockBlock, inputs)

-      // Verify that the agent executed successfully with MCP tools
      expect(result).toBeDefined()
-      expect(mockFetch).toHaveBeenCalled()
+      expect(mockExecuteProviderRequest).toHaveBeenCalled()

-      // Verify the agent returns the expected response format
      expect((result as any).content).toBe('Used MCP tools successfully')
      expect((result as any).model).toBe('gpt-4o')
    })
@@ -1691,21 +1543,12 @@ describe('AgentBlockHandler', () => {
        return Promise.resolve({ success: false, error: 'Unknown tool' })
      })

-      mockFetch.mockImplementationOnce(() => {
-        return Promise.resolve({
-          ok: true,
-          headers: {
-            get: (name: string) => (name === 'Content-Type' ? 'application/json' : null),
-          },
-          json: () =>
-            Promise.resolve({
-              content: 'Using MCP tool',
-              model: 'gpt-4o',
-              tokens: { input: 10, output: 10, total: 20 },
-              toolCalls: [{ name: 'mcp-test-tool', arguments: {} }],
-              timing: { total: 50 },
-            }),
-        })
+      mockExecuteProviderRequest.mockResolvedValueOnce({
+        content: 'Using MCP tool',
+        model: 'gpt-4o',
+        tokens: { input: 10, output: 10, total: 20 },
+        toolCalls: [{ name: 'mcp-test-tool', arguments: {} }],
+        timing: { total: 50 },
      })

      const inputs = {
@@ -1815,37 +1658,26 @@ describe('AgentBlockHandler', () => {
      const discoveryCalls = fetchCalls.filter((c) => c.url.includes('/api/mcp/tools/discover'))
      expect(discoveryCalls.length).toBe(0)

-      const providerCalls = fetchCalls.filter((c) => c.url.includes('/api/providers'))
-      expect(providerCalls.length).toBe(1)
+      expect(mockExecuteProviderRequest).toHaveBeenCalled()
    })

    it('should pass toolSchema to execution endpoint when using cached schema', async () => {
      let executionCall: any = null

-      mockFetch.mockImplementation((url: string, options: any) => {
-        if (url.includes('/api/providers')) {
-          return Promise.resolve({
-            ok: true,
-            headers: {
-              get: (name: string) => (name === 'Content-Type' ? 'application/json' : null),
-            },
-            json: () =>
-              Promise.resolve({
-                content: 'Tool executed',
-                model: 'gpt-4o',
-                tokens: { input: 10, output: 10, total: 20 },
-                toolCalls: [
-                  {
-                    name: 'search_files',
-                    arguments: { query: 'test' },
-                    result: { success: true, output: {} },
-                  },
-                ],
-                timing: { total: 50 },
-              }),
-          })
-        }
+      mockExecuteProviderRequest.mockResolvedValueOnce({
+        content: 'Tool executed',
+        model: 'gpt-4o',
+        tokens: { input: 10, output: 10, total: 20 },
+        toolCalls: [
+          {
+            name: 'search_files',
+            arguments: JSON.stringify({ query: 'test' }),
+          },
+        ],
+        timing: { total: 50 },
+      })

+      mockFetch.mockImplementation((url: string, options: any) => {
        if (url.includes('/api/mcp/tools/execute')) {
          executionCall = { url, body: JSON.parse(options.body) }
          return Promise.resolve({
@@ -1898,13 +1730,11 @@ describe('AgentBlockHandler', () => {

      await handler.execute(contextWithWorkspace, mockBlock, inputs)

-      const providerCalls = mockFetch.mock.calls.filter((c: any) => c[0].includes('/api/providers'))
-      expect(providerCalls.length).toBe(1)
-
-      const providerRequestBody = JSON.parse(providerCalls[0][1].body)
-      expect(providerRequestBody.tools).toBeDefined()
-      expect(providerRequestBody.tools.length).toBe(1)
-      expect(providerRequestBody.tools[0].name).toBe('search_files')
+      expect(mockExecuteProviderRequest).toHaveBeenCalled()
+      const providerCallArgs = mockExecuteProviderRequest.mock.calls[0]
+      expect(providerCallArgs[1].tools).toBeDefined()
+      expect(providerCallArgs[1].tools.length).toBe(1)
+      expect(providerCallArgs[1].tools[0].name).toBe('search_files')
    })

    it('should handle multiple MCP tools from the same server efficiently', async () => {
@@ -1987,14 +1817,12 @@ describe('AgentBlockHandler', () => {
      const discoveryCalls = fetchCalls.filter((c) => c.url.includes('/api/mcp/tools/discover'))
      expect(discoveryCalls.length).toBe(0)

-      const providerCalls = fetchCalls.filter((c) => c.url.includes('/api/providers'))
-      expect(providerCalls.length).toBe(1)
-
-      const providerRequestBody = JSON.parse(providerCalls[0].options.body)
-      expect(providerRequestBody.tools.length).toBe(3)
+      expect(mockExecuteProviderRequest).toHaveBeenCalled()
+      const providerCallArgs = mockExecuteProviderRequest.mock.calls[0]
+      expect(providerCallArgs[1].tools.length).toBe(3)
    })

-    it('should should fallback to discovery for MCP tools without cached schema', async () => {
+    it('should fallback to discovery for MCP tools without cached schema', async () => {
      const fetchCalls: any[] = []

      mockFetch.mockImplementation((url: string, options: any) => {
--- a/apps/sim/executor/handlers/agent/agent-handler.ts
+++ b/apps/sim/executor/handlers/agent/agent-handler.ts
@@ -6,14 +6,7 @@ import { createMcpToolId } from '@/lib/mcp/utils'
 import { refreshTokenIfNeeded } from '@/app/api/auth/oauth/utils'
 import { getAllBlocks } from '@/blocks'
 import type { BlockOutput } from '@/blocks/types'
-import {
-  AGENT,
-  BlockType,
-  DEFAULTS,
-  HTTP,
-  REFERENCE,
-  stripCustomToolPrefix,
-} from '@/executor/constants'
+import { AGENT, BlockType, DEFAULTS, REFERENCE, stripCustomToolPrefix } from '@/executor/constants'
 import { memoryService } from '@/executor/handlers/agent/memory'
 import type {
  AgentInputs,
@@ -23,7 +16,7 @@ import type {
 } from '@/executor/handlers/agent/types'
 import type { BlockHandler, ExecutionContext, StreamingExecution } from '@/executor/types'
 import { collectBlockData } from '@/executor/utils/block-data'
-import { buildAPIUrl, buildAuthHeaders, extractAPIErrorMessage } from '@/executor/utils/http'
+import { buildAPIUrl, buildAuthHeaders } from '@/executor/utils/http'
 import { stringifyJSON } from '@/executor/utils/json'
 import {
  validateBlockType,
@@ -52,11 +45,9 @@ export class AgentBlockHandler implements BlockHandler {
    block: SerializedBlock,
    inputs: AgentInputs
  ): Promise<BlockOutput | StreamingExecution> {
-    // Filter out unavailable MCP tools early so they don't appear in logs/inputs
    const filteredTools = await this.filterUnavailableMcpTools(ctx, inputs.tools || [])
    const filteredInputs = { ...inputs, tools: filteredTools }

-    // Validate tool permissions before processing
    await this.validateToolPermissions(ctx, filteredInputs.tools || [])

    const responseFormat = this.parseResponseFormat(filteredInputs.responseFormat)
@@ -80,13 +71,7 @@ export class AgentBlockHandler implements BlockHandler {
      streaming: streamingConfig.shouldUseStreaming ?? false,
    })

-    const result = await this.executeProviderRequest(
-      ctx,
-      providerRequest,
-      block,
-      responseFormat,
-      filteredInputs
-    )
+    const result = await this.executeProviderRequest(ctx, providerRequest, block, responseFormat)

    if (this.isStreamingExecution(result)) {
      if (filteredInputs.memoryType && filteredInputs.memoryType !== 'none') {
@@ -996,157 +981,60 @@ export class AgentBlockHandler implements BlockHandler {
    ctx: ExecutionContext,
    providerRequest: any,
    block: SerializedBlock,
-    responseFormat: any,
-    inputs: AgentInputs
+    responseFormat: any
  ): Promise<BlockOutput | StreamingExecution> {
    const providerId = providerRequest.provider
    const model = providerRequest.model
    const providerStartTime = Date.now()

    try {
-      const isBrowser = typeof window !== 'undefined'
+      let finalApiKey: string | undefined = providerRequest.apiKey

-      if (!isBrowser) {
-        return this.executeServerSide(
-          ctx,
-          providerRequest,
-          providerId,
-          model,
-          block,
-          responseFormat,
-          providerStartTime
+      if (providerId === 'vertex' && providerRequest.vertexCredential) {
+        finalApiKey = await this.resolveVertexCredential(
+          providerRequest.vertexCredential,
+          ctx.workflowId
        )
      }
-      return this.executeBrowserSide(
-        ctx,
-        providerRequest,
-        block,
-        responseFormat,
-        providerStartTime,
-        inputs
-      )
+
+      const { blockData, blockNameMapping } = collectBlockData(ctx)
+
+      const response = await executeProviderRequest(providerId, {
+        model,
+        systemPrompt: 'systemPrompt' in providerRequest ? providerRequest.systemPrompt : undefined,
+        context: 'context' in providerRequest ? providerRequest.context : undefined,
+        tools: providerRequest.tools,
+        temperature: providerRequest.temperature,
+        maxTokens: providerRequest.maxTokens,
+        apiKey: finalApiKey,
+        azureEndpoint: providerRequest.azureEndpoint,
+        azureApiVersion: providerRequest.azureApiVersion,
+        vertexProject: providerRequest.vertexProject,
+        vertexLocation: providerRequest.vertexLocation,
+        bedrockAccessKeyId: providerRequest.bedrockAccessKeyId,
+        bedrockSecretKey: providerRequest.bedrockSecretKey,
+        bedrockRegion: providerRequest.bedrockRegion,
+        responseFormat: providerRequest.responseFormat,
+        workflowId: providerRequest.workflowId,
+        workspaceId: ctx.workspaceId,
+        stream: providerRequest.stream,
+        messages: 'messages' in providerRequest ? providerRequest.messages : undefined,
+        environmentVariables: ctx.environmentVariables || {},
+        workflowVariables: ctx.workflowVariables || {},
+        blockData,
+        blockNameMapping,
+        isDeployedContext: ctx.isDeployedContext,
+        reasoningEffort: providerRequest.reasoningEffort,
+        verbosity: providerRequest.verbosity,
+      })
+
+      return this.processProviderResponse(response, block, responseFormat)
    } catch (error) {
      this.handleExecutionError(error, providerStartTime, providerId, model, ctx, block)
      throw error
    }
  }

-  private async executeServerSide(
-    ctx: ExecutionContext,
-    providerRequest: any,
-    providerId: string,
-    model: string,
-    block: SerializedBlock,
-    responseFormat: any,
-    providerStartTime: number
-  ) {
-    let finalApiKey: string | undefined = providerRequest.apiKey
-
-    if (providerId === 'vertex' && providerRequest.vertexCredential) {
-      finalApiKey = await this.resolveVertexCredential(
-        providerRequest.vertexCredential,
-        ctx.workflowId
-      )
-    }
-
-    const { blockData, blockNameMapping } = collectBlockData(ctx)
-
-    const response = await executeProviderRequest(providerId, {
-      model,
-      systemPrompt: 'systemPrompt' in providerRequest ? providerRequest.systemPrompt : undefined,
-      context: 'context' in providerRequest ? providerRequest.context : undefined,
-      tools: providerRequest.tools,
-      temperature: providerRequest.temperature,
-      maxTokens: providerRequest.maxTokens,
-      apiKey: finalApiKey,
-      azureEndpoint: providerRequest.azureEndpoint,
-      azureApiVersion: providerRequest.azureApiVersion,
-      vertexProject: providerRequest.vertexProject,
-      vertexLocation: providerRequest.vertexLocation,
-      bedrockAccessKeyId: providerRequest.bedrockAccessKeyId,
-      bedrockSecretKey: providerRequest.bedrockSecretKey,
-      bedrockRegion: providerRequest.bedrockRegion,
-      responseFormat: providerRequest.responseFormat,
-      workflowId: providerRequest.workflowId,
-      workspaceId: ctx.workspaceId,
-      stream: providerRequest.stream,
-      messages: 'messages' in providerRequest ? providerRequest.messages : undefined,
-      environmentVariables: ctx.environmentVariables || {},
-      workflowVariables: ctx.workflowVariables || {},
-      blockData,
-      blockNameMapping,
-      isDeployedContext: ctx.isDeployedContext,
-    })
-
-    return this.processProviderResponse(response, block, responseFormat)
-  }
-
-  private async executeBrowserSide(
-    ctx: ExecutionContext,
-    providerRequest: any,
-    block: SerializedBlock,
-    responseFormat: any,
-    providerStartTime: number,
-    inputs: AgentInputs
-  ) {
-    const url = buildAPIUrl('/api/providers')
-    const response = await fetch(url.toString(), {
-      method: 'POST',
-      headers: { 'Content-Type': HTTP.CONTENT_TYPE.JSON },
-      body: stringifyJSON(providerRequest),
-      signal: AbortSignal.timeout(AGENT.REQUEST_TIMEOUT),
-    })
-
-    if (!response.ok) {
-      const errorMessage = await extractAPIErrorMessage(response)
-      throw new Error(errorMessage)
-    }
-
-    const contentType = response.headers.get('Content-Type')
-    if (contentType?.includes(HTTP.CONTENT_TYPE.EVENT_STREAM)) {
-      return this.handleStreamingResponse(response, block, ctx, inputs)
-    }
-
-    const result = await response.json()
-    return this.processProviderResponse(result, block, responseFormat)
-  }
-
-  private async handleStreamingResponse(
-    response: Response,
-    block: SerializedBlock,
-    _ctx?: ExecutionContext,
-    _inputs?: AgentInputs
-  ): Promise<StreamingExecution> {
-    const executionDataHeader = response.headers.get('X-Execution-Data')
-
-    if (executionDataHeader) {
-      try {
-        const executionData = JSON.parse(executionDataHeader)
-        return {
-          stream: response.body!,
-          execution: {
-            success: executionData.success,
-            output: executionData.output || {},
-            error: executionData.error,
-            logs: [],
-            metadata: executionData.metadata || {
-              duration: DEFAULTS.EXECUTION_TIME,
-              startTime: new Date().toISOString(),
-            },
-            isStreaming: true,
-            blockId: block.id,
-            blockName: block.metadata?.name,
-            blockType: block.metadata?.id,
-          } as any,
-        }
-      } catch (error) {
-        logger.error('Failed to parse execution data from header:', error)
-      }
-    }
-
-    return this.createMinimalStreamingExecution(response.body!)
-  }
-
  /**
   * Resolves a Vertex AI OAuth credential to an access token
   */
--- a/apps/sim/executor/handlers/condition/condition-handler.ts
+++ b/apps/sim/executor/handlers/condition/condition-handler.ts
@@ -85,7 +85,11 @@ export class ConditionBlockHandler implements BlockHandler {

    const sourceBlockId = ctx.workflow?.connections.find((conn) => conn.target === block.id)?.source
    const evalContext = this.buildEvaluationContext(ctx, sourceBlockId)
-    const sourceOutput = sourceBlockId ? ctx.blockStates.get(sourceBlockId)?.output : null
+    const rawSourceOutput = sourceBlockId ? ctx.blockStates.get(sourceBlockId)?.output : null
+
+    // Filter out _pauseMetadata from source output to prevent the engine from
+    // thinking this block is pausing (it was already resumed by the HITL block)
+    const sourceOutput = this.filterPauseMetadata(rawSourceOutput)

    const outgoingConnections = ctx.workflow?.connections.filter((conn) => conn.source === block.id)

@@ -125,6 +129,14 @@ export class ConditionBlockHandler implements BlockHandler {
    }
  }

+  private filterPauseMetadata(output: any): any {
+    if (!output || typeof output !== 'object') {
+      return output
+    }
+    const { _pauseMetadata, ...rest } = output
+    return rest
+  }
+
  private parseConditions(input: any): Array<{ id: string; title: string; value: string }> {
    try {
      const conditions = Array.isArray(input) ? input : JSON.parse(input || '[]')
--- a/apps/sim/executor/handlers/workflow/workflow-handler.ts
+++ b/apps/sim/executor/handlers/workflow/workflow-handler.ts
@@ -4,12 +4,14 @@ import type { TraceSpan } from '@/lib/logs/types'
 import type { BlockOutput } from '@/blocks/types'
 import { Executor } from '@/executor'
 import { BlockType, DEFAULTS, HTTP } from '@/executor/constants'
+import { ChildWorkflowError } from '@/executor/errors/child-workflow-error'
 import type {
  BlockHandler,
  ExecutionContext,
  ExecutionResult,
  StreamingExecution,
 } from '@/executor/types'
+import { hasExecutionResult } from '@/executor/utils/errors'
 import { buildAPIUrl, buildAuthHeaders } from '@/executor/utils/http'
 import { parseJSON } from '@/executor/utils/json'
 import { lazyCleanupInputMapping } from '@/executor/utils/lazy-cleanup'
@@ -137,39 +139,39 @@ export class WorkflowBlockHandler implements BlockHandler {
      )

      return mappedResult
-    } catch (error: any) {
+    } catch (error: unknown) {
      logger.error(`Error executing child workflow ${workflowId}:`, error)

      const { workflows } = useWorkflowRegistry.getState()
      const workflowMetadata = workflows[workflowId]
      const childWorkflowName = workflowMetadata?.name || workflowId

-      const originalError = error.message || 'Unknown error'
-      const wrappedError = new Error(
-        `Error in child workflow "${childWorkflowName}": ${originalError}`
-      )
+      const originalError = error instanceof Error ? error.message : 'Unknown error'
+      let childTraceSpans: WorkflowTraceSpan[] = []
+      let executionResult: ExecutionResult | undefined

-      if (error.executionResult?.logs) {
-        const executionResult = error.executionResult as ExecutionResult
+      if (hasExecutionResult(error) && error.executionResult.logs) {
+        executionResult = error.executionResult

        logger.info(`Extracting child trace spans from error.executionResult`, {
          hasLogs: (executionResult.logs?.length ?? 0) > 0,
          logCount: executionResult.logs?.length ?? 0,
        })

-        const childTraceSpans = this.captureChildWorkflowLogs(
-          executionResult,
-          childWorkflowName,
-          ctx
-        )
+        childTraceSpans = this.captureChildWorkflowLogs(executionResult, childWorkflowName, ctx)

        logger.info(`Captured ${childTraceSpans.length} child trace spans from failed execution`)
-        ;(wrappedError as any).childTraceSpans = childTraceSpans
-      } else if (error.childTraceSpans && Array.isArray(error.childTraceSpans)) {
-        ;(wrappedError as any).childTraceSpans = error.childTraceSpans
+      } else if (ChildWorkflowError.isChildWorkflowError(error)) {
+        childTraceSpans = error.childTraceSpans
      }

-      throw wrappedError
+      throw new ChildWorkflowError({
+        message: `Error in child workflow "${childWorkflowName}": ${originalError}`,
+        childWorkflowName,
+        childTraceSpans,
+        executionResult,
+        cause: error instanceof Error ? error : undefined,
+      })
    }
  }

@@ -441,11 +443,11 @@ export class WorkflowBlockHandler implements BlockHandler {

    if (!success) {
      logger.warn(`Child workflow ${childWorkflowName} failed`)
-      const error = new Error(
-        `Error in child workflow "${childWorkflowName}": ${childResult.error || 'Child workflow execution failed'}`
-      )
-      ;(error as any).childTraceSpans = childTraceSpans || []
-      throw error
+      throw new ChildWorkflowError({
+        message: `Error in child workflow "${childWorkflowName}": ${childResult.error || 'Child workflow execution failed'}`,
+        childWorkflowName,
+        childTraceSpans: childTraceSpans || [],
+      })
    }

    return {
--- a/apps/sim/executor/utils/errors.ts
+++ b/apps/sim/executor/utils/errors.ts
@@ -1,6 +1,39 @@
-import type { ExecutionContext } from '@/executor/types'
+import type { ExecutionContext, ExecutionResult } from '@/executor/types'
 import type { SerializedBlock } from '@/serializer/types'

+/**
+ * Interface for errors that carry an ExecutionResult.
+ * Used when workflow execution fails and we want to preserve partial results.
+ */
+export interface ErrorWithExecutionResult extends Error {
+  executionResult: ExecutionResult
+}
+
+/**
+ * Type guard to check if an error carries an ExecutionResult.
+ * Validates that executionResult has required fields (success, output).
+ */
+export function hasExecutionResult(error: unknown): error is ErrorWithExecutionResult {
+  if (
+    !(error instanceof Error) ||
+    !('executionResult' in error) ||
+    error.executionResult == null ||
+    typeof error.executionResult !== 'object'
+  ) {
+    return false
+  }
+
+  const result = error.executionResult as Record<string, unknown>
+  return typeof result.success === 'boolean' && result.output != null
+}
+
+/**
+ * Attaches an ExecutionResult to an error for propagation to parent workflows.
+ */
+export function attachExecutionResult(error: Error, executionResult: ExecutionResult): void {
+  Object.assign(error, { executionResult })
+}
+
 export interface BlockExecutionErrorDetails {
  block: SerializedBlock
  error: Error | string
--- a/apps/sim/hooks/use-execution-stream.ts
+++ b/apps/sim/hooks/use-execution-stream.ts
@@ -100,8 +100,13 @@ export function useExecutionStream() {
      })

      if (!response.ok) {
-        const error = await response.json()
-        throw new Error(error.error || 'Failed to start execution')
+        const errorResponse = await response.json()
+        const error = new Error(errorResponse.error || 'Failed to start execution')
+        // Attach the execution result from server response for error handling
+        if (errorResponse && typeof errorResponse === 'object') {
+          Object.assign(error, { executionResult: errorResponse })
+        }
+        throw error
      }

      if (!response.body) {
--- a/Show More
+++ b/Show More
Author	SHA1	Message	Date
Vikhyath Mondreti	8429040921	fix(notes): ghost edges (#2970 ) * fix(notes): ghost edges * fix deployed state fallback * fallback * remove UI level checks * annotation missing from autoconnect source check	2026-01-24 11:20:28 -08:00
Siddharth Ganesan	8574e6c71f	fix(hitl): fix condition blocks after hitl (#2967 )	2026-01-24 10:19:19 -08:00
Siddharth Ganesan	9c3e663cd8	fix(copilot): update copilot chat title (#2968 )	2026-01-24 10:18:13 -08:00
Waleed	48adaa00d8	fix(security): restrict API key access on internal-only routes (#2964 ) * fix(security): restrict API key access on internal-only routes * test(security): update function execute tests for checkInternalAuth * updated agent handler * move session check higher in checkSessionOrInternalAuth * extracted duplicate code into helper for resolving user from jwt	2026-01-24 10:15:52 -08:00
Vikhyath Mondreti	211a7ac3a4	fix(child-workflow): nested spans handoff (#2966 ) * fix(child-workflow): nested spans handoff * remove overly defensive programming * update type check * type more code * remove more dead code * address bugbot comments	2026-01-24 02:39:13 -08:00
Emir Karabeg	0f9b6ad1d2	fix(preview): subblock values (#2969 )	2026-01-24 02:32:08 -08:00