address bugbot comments

* fix(webhooks): subscription recreation path

* improvement(webhooks): remove dead code

* fix tests

* address bugbot comments

* fix restoration edge case

* fix more edge cases

* address bugbot comments

* fix gmail polling

* add warnings for UI indication for credential sets

README.md

@@ -14,7 +14,7 @@
 </p>
 
 <p align="center">
-  <a href="https://deepwiki.com/simstudioai/sim" target="_blank" rel="noopener noreferrer"><img src="https://deepwiki.com/badge.svg" alt="Ask DeepWiki"></a>  <a href="https://cursor.com/link/prompt?text=Help%20me%20set%20up%20Sim%20Studio%20locally.%20Follow%20these%20steps%3A%0A%0A1.%20First%2C%20verify%20Docker%20is%20installed%20and%20running%3A%0A%20%20%20docker%20--version%0A%20%20%20docker%20info%0A%0A2.%20Clone%20the%20repository%3A%0A%20%20%20git%20clone%20https%3A%2F%2Fgithub.com%2Fsimstudioai%2Fsim.git%0A%20%20%20cd%20sim%0A%0A3.%20Start%20the%20services%20with%20Docker%20Compose%3A%0A%20%20%20docker%20compose%20-f%20docker-compose.prod.yml%20up%20-d%0A%0A4.%20Wait%20for%20all%20containers%20to%20be%20healthy%20(this%20may%20take%201-2%20minutes)%3A%0A%20%20%20docker%20compose%20-f%20docker-compose.prod.yml%20ps%0A%0A5.%20Verify%20the%20app%20is%20accessible%20at%20http%3A%2F%2Flocalhost%3A3000%0A%0AIf%20there%20are%20any%20errors%2C%20help%20me%20troubleshoot%20them.%20Common%20issues%3A%0A-%20Port%203000%2C%203002%2C%20or%205432%20already%20in%20use%0A-%20Docker%20not%20running%0A-%20Insufficient%20memory%20(needs%2012GB%2B%20RAM)%0A%0AFor%20local%20AI%20models%20with%20Ollama%2C%20use%20this%20instead%20of%20step%203%3A%0A%20%20%20docker%20compose%20-f%20docker-compose.ollama.yml%20--profile%20setup%20up%20-d"><img src="https://img.shields.io/badge/Set%20Up%20with-Cursor-000000?logo=cursor&logoColor=white" alt="Set Up with Cursor"></a>
+  <a href="https://deepwiki.com/simstudioai/sim" target="_blank" rel="noopener noreferrer"><img src="https://deepwiki.com/badge.svg" alt="Ask DeepWiki"></a>  <a href="https://cursor.com/link/prompt?text=Help%20me%20set%20up%20Sim%20locally.%20Follow%20these%20steps%3A%0A%0A1.%20First%2C%20verify%20Docker%20is%20installed%20and%20running%3A%0A%20%20%20docker%20--version%0A%20%20%20docker%20info%0A%0A2.%20Clone%20the%20repository%3A%0A%20%20%20git%20clone%20https%3A%2F%2Fgithub.com%2Fsimstudioai%2Fsim.git%0A%20%20%20cd%20sim%0A%0A3.%20Start%20the%20services%20with%20Docker%20Compose%3A%0A%20%20%20docker%20compose%20-f%20docker-compose.prod.yml%20up%20-d%0A%0A4.%20Wait%20for%20all%20containers%20to%20be%20healthy%20(this%20may%20take%201-2%20minutes)%3A%0A%20%20%20docker%20compose%20-f%20docker-compose.prod.yml%20ps%0A%0A5.%20Verify%20the%20app%20is%20accessible%20at%20http%3A%2F%2Flocalhost%3A3000%0A%0AIf%20there%20are%20any%20errors%2C%20help%20me%20troubleshoot%20them.%20Common%20issues%3A%0A-%20Port%203000%2C%203002%2C%20or%205432%20already%20in%20use%0A-%20Docker%20not%20running%0A-%20Insufficient%20memory%20(needs%2012GB%2B%20RAM)%0A%0AFor%20local%20AI%20models%20with%20Ollama%2C%20use%20this%20instead%20of%20step%203%3A%0A%20%20%20docker%20compose%20-f%20docker-compose.ollama.yml%20--profile%20setup%20up%20-d"><img src="https://img.shields.io/badge/Set%20Up%20with-Cursor-000000?logo=cursor&logoColor=white" alt="Set Up with Cursor"></a>
 </p>
 
 ### Build Workflows with Ease

apps/docs/components/icons.tsx

@@ -4093,6 +4093,23 @@ export function SQSIcon(props: SVGProps<SVGSVGElement>) {
   )
 }
 
+export function TextractIcon(props: SVGProps<SVGSVGElement>) {
+  return (
+    <svg
+      {...props}
+      viewBox='10 14 60 52'
+      version='1.1'
+      xmlns='http://www.w3.org/2000/svg'
+      xmlnsXlink='http://www.w3.org/1999/xlink'
+    >
+      <path
+        d='M22.0624102,50 C24.3763895,53.603 28.4103535,56 33.0003125,56 C40.1672485,56 45.9991964,50.168 45.9991964,43 C45.9991964,35.832 40.1672485,30 33.0003125,30 C27.6033607,30 22.9664021,33.307 21.0024196,38 L23.2143999,38 C25.0393836,34.444 28.7363506,32 33.0003125,32 C39.0652583,32 43.9992143,36.935 43.9992143,43 C43.9992143,49.065 39.0652583,54 33.0003125,54 C29.5913429,54 26.5413702,52.441 24.5213882,50 L22.0624102,50 Z M37.0002768,45 L37.0002768,43 L41.9992321,43 C41.9992321,38.038 37.9622682,34 33.0003125,34 C28.0373568,34 23.9993929,38.038 23.9993929,43 L28.9993482,43 L28.9993482,45 L24.2313908,45 C25.1443826,49.002 28.7253507,52 33.0003125,52 C35.1362934,52 37.0992759,51.249 38.6442621,50 L34.0003036,50 L34.0003036,48 L40.4782457,48 C41.0812403,47.102 41.5202364,46.087 41.7682342,45 L37.0002768,45 Z M21.0024196,48 L23.2143999,48 C22.4434068,46.498 22.0004107,44.801 22.0004107,43 C22.0004107,41.959 22.1554093,40.955 22.4264069,40 L20.3634253,40 C20.1344274,40.965 19.9994286,41.966 19.9994286,43 C19.9994286,44.771 20.3584254,46.46 21.0024196,48 L21.0024196,48 Z M19.7434309,50 L17.0004554,50 L17.0004554,48 L18.8744386,48 C18.5344417,47.04 18.2894438,46.038 18.1494451,45 L15.4144695,45 L16.707458,46.293 L15.2924706,47.707 L12.2924974,44.707 C11.9025009,44.316 11.9025009,43.684 12.2924974,43.293 L15.2924706,40.293 L16.707458,41.707 L15.4144695,43 L18.0004464,43 C18.0004464,41.973 18.1044455,40.97 18.3024437,40 L17.0004554,40 L17.0004554,38 L18.8744386,38 C20.9404202,32.184 26.4833707,28 33.0003125,28 C37.427273,28 41.4002375,29.939 44.148213,33 L59.0000804,33 L59.0000804,35 L45.6661994,35 C47.1351863,37.318 47.9991786,40.058 47.9991786,43 L59.0000804,43 L59.0000804,45 L47.8501799,45 C46.8681887,52.327 40.5912447,58 33.0003125,58 C27.2563638,58 22.2624084,54.752 19.7434309,50 L19.7434309,50 Z M37.0002768,39 C37.0002768,38.448 36.5522808,38 36.0002857,38 L29.9993482,38 C29.4473442,38 28.9993482,38.448 28.9993482,39 L28.9993482,41 L31.0003304,41 L31.0003304,40 L32.0003214,40 L32.0003214,43 L31.0003304,43 L31.0003304,45 L35.0002946,45 L35.0002946,43 L34.0003036,43 L34.0003036,40 L35.0002946,40 L35.0002946,41 L37.0002768,41 L37.0002768,39 Z M49.0001696,40 L59.0000804,40 L59.0000804,38 L49.0001696,38 L49.0001696,40 Z M49.0001696,50 L59.0000804,50 L59.0000804,48 L49.0001696,48 L49.0001696,50 Z M57.0000982,27 L60.5850662,27 L57.0000982,23.414 L57.0000982,27 Z M63.7070383,27.293 C63.8940367,27.48 64.0000357,27.735 64.0000357,28 L64.0000357,63 C64.0000357,63.552 63.5520397,64 63.0000446,64 L32.0003304,64 C31.4473264,64 31.0003304,63.552 31.0003304,63 L31.0003304,59 L33.0003125,59 L33.0003125,62 L62.0000536,62 L62.0000536,29 L56.0001071,29 C55.4471121,29 55.0001161,28.552 55.0001161,28 L55.0001161,22 L33.0003125,22 L33.0003125,27 L31.0003304,27 L31.0003304,21 C31.0003304,20.448 31.4473264,20 32.0003304,20 L56.0001071,20 C56.2651048,20 56.5191025,20.105 56.7071008,20.293 L63.7070383,27.293 Z M68,24.166 L68,61 C68,61.552 67.552004,62 67.0000089,62 L65.0000268,62 L65.0000268,60 L66.0000179,60 L66.0000179,24.612 L58.6170838,18 L36.0002857,18 L36.0002857,19 L34.0003036,19 L34.0003036,17 C34.0003036,16.448 34.4472996,16 35.0003036,16 L59.0000804,16 C59.2460782,16 59.483076,16.091 59.6660744,16.255 L67.666003,23.42 C67.8780011,23.61 68,23.881 68,24.166 L68,24.166 Z'
+        fill='currentColor'
+      />
+    </svg>
+  )
+}
+
 export function McpIcon(props: SVGProps<SVGSVGElement>) {
   return (
     <svg

apps/docs/components/ui/icon-mapping.ts

@@ -110,6 +110,7 @@ import {
   SupabaseIcon,
   TavilyIcon,
   TelegramIcon,
+  TextractIcon,
   TinybirdIcon,
   TranslateIcon,
   TrelloIcon,
@@ -143,7 +144,7 @@ export const blockTypeToIconMap: Record<string, IconComponent> = {
   calendly: CalendlyIcon,
   circleback: CirclebackIcon,
   clay: ClayIcon,
-  confluence: ConfluenceIcon,
+  confluence_v2: ConfluenceIcon,
   cursor_v2: CursorIcon,
   datadog: DatadogIcon,
   discord: DiscordIcon,
@@ -153,7 +154,7 @@ export const blockTypeToIconMap: Record<string, IconComponent> = {
   elasticsearch: ElasticsearchIcon,
   elevenlabs: ElevenLabsIcon,
   exa: ExaAIIcon,
-  file: DocumentIcon,
+  file_v2: DocumentIcon,
   firecrawl: FirecrawlIcon,
   fireflies: FirefliesIcon,
   github_v2: GithubIcon,
@@ -195,7 +196,7 @@ export const blockTypeToIconMap: Record<string, IconComponent> = {
   microsoft_excel_v2: MicrosoftExcelIcon,
   microsoft_planner: MicrosoftPlannerIcon,
   microsoft_teams: MicrosoftTeamsIcon,
-  mistral_parse: MistralIcon,
+  mistral_parse_v2: MistralIcon,
   mongodb: MongoDBIcon,
   mysql: MySQLIcon,
   neo4j: Neo4jIcon,
@@ -237,6 +238,7 @@ export const blockTypeToIconMap: Record<string, IconComponent> = {
   supabase: SupabaseIcon,
   tavily: TavilyIcon,
   telegram: TelegramIcon,
+  textract: TextractIcon,
   tinybird: TinybirdIcon,
   translate: TranslateIcon,
   trello: TrelloIcon,
@@ -244,7 +246,7 @@ export const blockTypeToIconMap: Record<string, IconComponent> = {
   twilio_sms: TwilioIcon,
   twilio_voice: TwilioIcon,
   typeform: TypeformIcon,
-  video_generator: VideoIcon,
+  video_generator_v2: VideoIcon,
   vision: EyeIcon,
   wealthbox: WealthboxIcon,
   webflow: WebflowIcon,

apps/docs/content/docs/en/tools/confluence.mdx

@@ -6,7 +6,7 @@ description: Interact with Confluence
 import { BlockInfoCard } from "@/components/ui/block-info-card"
 
 <BlockInfoCard 
-  type="confluence"
+  type="confluence_v2"
   color="#E0E0E0"
 />
 

apps/docs/content/docs/en/tools/file.mdx

@@ -6,7 +6,7 @@ description: Read and parse multiple files
 import { BlockInfoCard } from "@/components/ui/block-info-card"
 
 <BlockInfoCard 
-  type="file"
+  type="file_v2"
   color="#40916C"
 />
 
@@ -48,7 +48,7 @@ Parse one or more uploaded files or files from URLs (text, PDF, CSV, images, etc
 
 | Parameter | Type | Description |
 | --------- | ---- | ----------- |
-| `files` | array | Array of parsed files |
-| `combinedContent` | string | Combined content of all parsed files |
+| `files` | array | Array of parsed files with content, metadata, and file properties |
+| `combinedContent` | string | All file contents merged into a single text string |
 
 

apps/docs/content/docs/en/tools/meta.json

@@ -106,6 +106,7 @@
     "supabase",
     "tavily",
     "telegram",
+    "textract",
     "tinybird",
     "translate",
     "trello",

apps/docs/content/docs/en/tools/mistral_parse.mdx

@@ -6,7 +6,7 @@ description: Extract text from PDF documents
 import { BlockInfoCard } from "@/components/ui/block-info-card"
 
 <BlockInfoCard 
-  type="mistral_parse"
+  type="mistral_parse_v2"
   color="#000000"
 />
 
@@ -54,18 +54,37 @@ Parse PDF documents using Mistral OCR API
 
 | Parameter | Type | Description |
 | --------- | ---- | ----------- |
-| `success` | boolean | Whether the PDF was parsed successfully |
-| `content` | string | Extracted content in the requested format \(markdown, text, or JSON\) |
-| `metadata` | object | Processing metadata including jobId, fileType, pageCount, and usage info |
-| ↳ `jobId` | string | Unique job identifier |
-| ↳ `fileType` | string | File type \(e.g., pdf\) |
-| ↳ `fileName` | string | Original file name |
-| ↳ `source` | string | Source type \(url\) |
-| ↳ `pageCount` | number | Number of pages processed |
-| ↳ `model` | string | Mistral model used |
-| ↳ `resultType` | string | Output format \(markdown, text, json\) |
-| ↳ `processedAt` | string | Processing timestamp |
-| ↳ `sourceUrl` | string | Source URL if applicable |
-| ↳ `usageInfo` | object | Usage statistics from OCR processing |
+| `pages` | array | Array of page objects from Mistral OCR |
+|   ↳ `index` | number | Page index \(zero-based\) |
+|   ↳ `markdown` | string | Extracted markdown content |
+|   ↳ `images` | array | Images extracted from this page with bounding boxes |
+|   ↳ `id` | string | Image identifier \(e.g., img-0.jpeg\) |
+|   ↳ `top_left_x` | number | Top-left X coordinate in pixels |
+|   ↳ `top_left_y` | number | Top-left Y coordinate in pixels |
+|   ↳ `bottom_right_x` | number | Bottom-right X coordinate in pixels |
+|   ↳ `bottom_right_y` | number | Bottom-right Y coordinate in pixels |
+|   ↳ `image_base64` | string | Base64-encoded image data \(when include_image_base64=true\) |
+|   ↳ `id` | string | Image identifier \(e.g., img-0.jpeg\) |
+|   ↳ `top_left_x` | number | Top-left X coordinate in pixels |
+|   ↳ `top_left_y` | number | Top-left Y coordinate in pixels |
+|   ↳ `bottom_right_x` | number | Bottom-right X coordinate in pixels |
+|   ↳ `bottom_right_y` | number | Bottom-right Y coordinate in pixels |
+|   ↳ `image_base64` | string | Base64-encoded image data \(when include_image_base64=true\) |
+|   ↳ `dimensions` | object | Page dimensions |
+|   ↳ `dpi` | number | Dots per inch |
+|   ↳ `height` | number | Page height in pixels |
+|   ↳ `width` | number | Page width in pixels |
+|   ↳ `dpi` | number | Dots per inch |
+|   ↳ `height` | number | Page height in pixels |
+|   ↳ `width` | number | Page width in pixels |
+|   ↳ `tables` | array | Extracted tables as HTML/markdown \(when table_format is set\). Referenced via placeholders like \[tbl-0.html\] |
+|   ↳ `hyperlinks` | array | Array of URL strings detected in the page \(e.g., \[ |
+|   ↳ `header` | string | Page header content \(when extract_header=true\) |
+|   ↳ `footer` | string | Page footer content \(when extract_footer=true\) |
+| `model` | string | Mistral OCR model identifier \(e.g., mistral-ocr-latest\) |
+| `usage_info` | object | Usage and processing statistics |
+| ↳ `pages_processed` | number | Total number of pages processed |
+| ↳ `doc_size_bytes` | number | Document file size in bytes |
+| `document_annotation` | string | Structured annotation data as JSON string \(when applicable\) |
 
 

apps/docs/content/docs/en/tools/s3.mdx

@@ -58,6 +58,7 @@ Upload a file to an AWS S3 bucket
 | Parameter | Type | Description |
 | --------- | ---- | ----------- |
 | `url` | string | URL of the uploaded S3 object |
+| `uri` | string | S3 URI of the uploaded object \(s3://bucket/key\) |
 | `metadata` | object | Upload metadata including ETag and location |
 
 ### `s3_get_object`
@@ -149,6 +150,7 @@ Copy an object within or between AWS S3 buckets
 | Parameter | Type | Description |
 | --------- | ---- | ----------- |
 | `url` | string | URL of the copied S3 object |
+| `uri` | string | S3 URI of the copied object \(s3://bucket/key\) |
 | `metadata` | object | Copy operation metadata |
 
 

apps/docs/content/docs/en/tools/textract.mdx

@@ -0,0 +1,120 @@
+---
+title: AWS Textract
+description: Extract text, tables, and forms from documents
+---
+
+import { BlockInfoCard } from "@/components/ui/block-info-card"
+
+<BlockInfoCard 
+  type="textract"
+  color="linear-gradient(135deg, #055F4E 0%, #56C0A7 100%)"
+/>
+
+{/* MANUAL-CONTENT-START:intro */}
+[AWS Textract](https://aws.amazon.com/textract/) is a powerful AI service from Amazon Web Services designed to automatically extract printed text, handwriting, tables, forms, key-value pairs, and other structured data from scanned documents and images. Textract leverages advanced optical character recognition (OCR) and document analysis to transform documents into actionable data, enabling automation, analytics, compliance, and more.
+
+With AWS Textract, you can:
+
+- **Extract text from images and documents**: Recognize printed text and handwriting in formats such as PDF, JPEG, PNG, or TIFF
+- **Detect and extract tables**: Automatically find tables and output their structured content
+- **Parse forms and key-value pairs**: Pull structured data from forms, including fields and their corresponding values
+- **Identify signatures and layout features**: Detect signatures, geometric layout, and relationships between document elements
+- **Customize extraction with queries**: Extract specific fields and answers using query-based extraction (e.g., "What is the invoice number?")
+
+In Sim, the AWS Textract integration empowers your agents to intelligently process documents as part of their workflows. This unlocks automation scenarios such as data entry from invoices, onboarding documents, contracts, receipts, and more. Your agents can extract relevant data, analyze structured forms, and generate summaries or reports directly from document uploads or URLs. By connecting Sim with AWS Textract, you can reduce manual effort, improve data accuracy, and streamline your business processes with robust document understanding.
+{/* MANUAL-CONTENT-END */}
+
+
+## Usage Instructions
+
+Integrate AWS Textract into your workflow to extract text, tables, forms, and key-value pairs from documents. Single-page mode supports JPEG, PNG, and single-page PDF. Multi-page mode supports multi-page PDF and TIFF.
+
+
+
+## Tools
+
+### `textract_parser`
+
+Parse documents using AWS Textract OCR and document analysis
+
+#### Input
+
+| Parameter | Type | Required | Description |
+| --------- | ---- | -------- | ----------- |
+| `accessKeyId` | string | Yes | AWS Access Key ID |
+| `secretAccessKey` | string | Yes | AWS Secret Access Key |
+| `region` | string | Yes | AWS region for Textract service \(e.g., us-east-1\) |
+| `processingMode` | string | No | Document type: single-page or multi-page. Defaults to single-page. |
+| `filePath` | string | No | URL to a document to be processed \(JPEG, PNG, or single-page PDF\). |
+| `s3Uri` | string | No | S3 URI for multi-page processing \(s3://bucket/key\). |
+| `fileUpload` | object | No | File upload data from file-upload component |
+| `featureTypes` | array | No | Feature types to detect: TABLES, FORMS, QUERIES, SIGNATURES, LAYOUT. If not specified, only text detection is performed. |
+| `items` | string | No | Feature type |
+| `queries` | array | No | Custom queries to extract specific information. Only used when featureTypes includes QUERIES. |
+| `items` | object | No | Query configuration |
+| `properties` | string | No | The query text |
+| `Text` | string | No | No description |
+| `Alias` | string | No | No description |
+
+#### Output
+
+| Parameter | Type | Description |
+| --------- | ---- | ----------- |
+| `blocks` | array | Array of Block objects containing detected text, tables, forms, and other elements |
+|   ↳ `BlockType` | string | Type of block \(PAGE, LINE, WORD, TABLE, CELL, KEY_VALUE_SET, etc.\) |
+|   ↳ `Id` | string | Unique identifier for the block |
+|   ↳ `Text` | string | Query text |
+|   ↳ `TextType` | string | Type of text \(PRINTED or HANDWRITING\) |
+|   ↳ `Confidence` | number | Confidence score \(0-100\) |
+|   ↳ `Page` | number | Page number |
+|   ↳ `Geometry` | object | Location and bounding box information |
+|   ↳ `BoundingBox` | object | Height as ratio of document height |
+|   ↳ `Height` | number | Height as ratio of document height |
+|   ↳ `Left` | number | Left position as ratio of document width |
+|   ↳ `Top` | number | Top position as ratio of document height |
+|   ↳ `Width` | number | Width as ratio of document width |
+|   ↳ `Height` | number | Height as ratio of document height |
+|   ↳ `Left` | number | Left position as ratio of document width |
+|   ↳ `Top` | number | Top position as ratio of document height |
+|   ↳ `Width` | number | Width as ratio of document width |
+|   ↳ `Polygon` | array | Polygon coordinates |
+|   ↳ `X` | number | X coordinate |
+|   ↳ `Y` | number | Y coordinate |
+|   ↳ `X` | number | X coordinate |
+|   ↳ `Y` | number | Y coordinate |
+|   ↳ `BoundingBox` | object | Height as ratio of document height |
+|   ↳ `Height` | number | Height as ratio of document height |
+|   ↳ `Left` | number | Left position as ratio of document width |
+|   ↳ `Top` | number | Top position as ratio of document height |
+|   ↳ `Width` | number | Width as ratio of document width |
+|   ↳ `Height` | number | Height as ratio of document height |
+|   ↳ `Left` | number | Left position as ratio of document width |
+|   ↳ `Top` | number | Top position as ratio of document height |
+|   ↳ `Width` | number | Width as ratio of document width |
+|   ↳ `Polygon` | array | Polygon coordinates |
+|   ↳ `X` | number | X coordinate |
+|   ↳ `Y` | number | Y coordinate |
+|   ↳ `X` | number | X coordinate |
+|   ↳ `Y` | number | Y coordinate |
+|   ↳ `Relationships` | array | Relationships to other blocks |
+|   ↳ `Type` | string | Relationship type \(CHILD, VALUE, ANSWER, etc.\) |
+|   ↳ `Ids` | array | IDs of related blocks |
+|   ↳ `Type` | string | Relationship type \(CHILD, VALUE, ANSWER, etc.\) |
+|   ↳ `Ids` | array | IDs of related blocks |
+|   ↳ `EntityTypes` | array | Entity types for KEY_VALUE_SET \(KEY or VALUE\) |
+|   ↳ `SelectionStatus` | string | For checkboxes: SELECTED or NOT_SELECTED |
+|   ↳ `RowIndex` | number | Row index for table cells |
+|   ↳ `ColumnIndex` | number | Column index for table cells |
+|   ↳ `RowSpan` | number | Row span for merged cells |
+|   ↳ `ColumnSpan` | number | Column span for merged cells |
+|   ↳ `Query` | object | Query information for QUERY blocks |
+|   ↳ `Text` | string | Query text |
+|   ↳ `Alias` | string | Query alias |
+|   ↳ `Pages` | array | Pages to search |
+|   ↳ `Alias` | string | Query alias |
+|   ↳ `Pages` | array | Pages to search |
+| `documentMetadata` | object | Metadata about the analyzed document |
+| ↳ `pages` | number | Number of pages in the document |
+| `modelVersion` | string | Version of the Textract model used for processing |
+
+

apps/docs/content/docs/en/tools/video_generator.mdx

@@ -6,7 +6,7 @@ description: Generate videos from text using AI
 import { BlockInfoCard } from "@/components/ui/block-info-card"
 
 <BlockInfoCard 
-  type="video_generator"
+  type="video_generator_v2"
   color="#181C1E"
 />
 

apps/sim/app/(auth)/login/login-form.tsx

@@ -2,10 +2,9 @@
 
 import { useEffect, useState } from 'react'
 import { createLogger } from '@sim/logger'
-import { ArrowRight, ChevronRight, Eye, EyeOff } from 'lucide-react'
+import { Eye, EyeOff } from 'lucide-react'
 import Link from 'next/link'
 import { useRouter, useSearchParams } from 'next/navigation'
-import { Button } from '@/components/ui/button'
 import {
   Dialog,
   DialogContent,
@@ -22,8 +21,10 @@ import { getBaseUrl } from '@/lib/core/utils/urls'
 import { quickValidateEmail } from '@/lib/messaging/email/validation'
 import { inter } from '@/app/_styles/fonts/inter/inter'
 import { soehne } from '@/app/_styles/fonts/soehne/soehne'
+import { BrandedButton } from '@/app/(auth)/components/branded-button'
 import { SocialLoginButtons } from '@/app/(auth)/components/social-login-buttons'
 import { SSOLoginButton } from '@/app/(auth)/components/sso-login-button'
+import { useBrandedButtonClass } from '@/hooks/use-branded-button-class'
 
 const logger = createLogger('LoginForm')
 
@@ -105,8 +106,7 @@ export default function LoginPage({
   const [password, setPassword] = useState('')
   const [passwordErrors, setPasswordErrors] = useState<string[]>([])
   const [showValidationError, setShowValidationError] = useState(false)
-  const [buttonClass, setButtonClass] = useState('branded-button-gradient')
-  const [isButtonHovered, setIsButtonHovered] = useState(false)
+  const buttonClass = useBrandedButtonClass()
 
   const [callbackUrl, setCallbackUrl] = useState('/workspace')
   const [isInviteFlow, setIsInviteFlow] = useState(false)
@@ -114,7 +114,6 @@ export default function LoginPage({
   const [forgotPasswordOpen, setForgotPasswordOpen] = useState(false)
   const [forgotPasswordEmail, setForgotPasswordEmail] = useState('')
   const [isSubmittingReset, setIsSubmittingReset] = useState(false)
-  const [isResetButtonHovered, setIsResetButtonHovered] = useState(false)
   const [resetStatus, setResetStatus] = useState<{
     type: 'success' | 'error' | null
     message: string
@@ -123,6 +122,7 @@ export default function LoginPage({
   const [email, setEmail] = useState('')
   const [emailErrors, setEmailErrors] = useState<string[]>([])
   const [showEmailValidationError, setShowEmailValidationError] = useState(false)
+  const [resetSuccessMessage, setResetSuccessMessage] = useState<string | null>(null)
 
   useEffect(() => {
     setMounted(true)
@@ -139,32 +139,12 @@ export default function LoginPage({
 
       const inviteFlow = searchParams.get('invite_flow') === 'true'
       setIsInviteFlow(inviteFlow)
-    }
 
-    const checkCustomBrand = () => {
-      const computedStyle = getComputedStyle(document.documentElement)
-      const brandAccent = computedStyle.getPropertyValue('--brand-accent-hex').trim()
-
-      if (brandAccent && brandAccent !== '#6f3dfa') {
-        setButtonClass('branded-button-custom')
-      } else {
-        setButtonClass('branded-button-gradient')
+      const resetSuccess = searchParams.get('resetSuccess') === 'true'
+      if (resetSuccess) {
+        setResetSuccessMessage('Password reset successful. Please sign in with your new password.')
       }
     }
-
-    checkCustomBrand()
-
-    window.addEventListener('resize', checkCustomBrand)
-    const observer = new MutationObserver(checkCustomBrand)
-    observer.observe(document.documentElement, {
-      attributes: true,
-      attributeFilter: ['style', 'class'],
-    })
-
-    return () => {
-      window.removeEventListener('resize', checkCustomBrand)
-      observer.disconnect()
-    }
   }, [searchParams])
 
   useEffect(() => {
@@ -202,6 +182,13 @@ export default function LoginPage({
     e.preventDefault()
     setIsLoading(true)
 
+    const redirectToVerify = (emailToVerify: string) => {
+      if (typeof window !== 'undefined') {
+        sessionStorage.setItem('verificationEmail', emailToVerify)
+      }
+      router.push('/verify')
+    }
+
     const formData = new FormData(e.currentTarget)
     const emailRaw = formData.get('email') as string
     const email = emailRaw.trim().toLowerCase()
@@ -221,6 +208,7 @@ export default function LoginPage({
 
     try {
       const safeCallbackUrl = validateCallbackUrl(callbackUrl) ? callbackUrl : '/workspace'
+      let errorHandled = false
 
       const result = await client.signIn.email(
         {
@@ -231,11 +219,16 @@ export default function LoginPage({
         {
           onError: (ctx) => {
             logger.error('Login error:', ctx.error)
-            const errorMessage: string[] = ['Invalid email or password']
 
             if (ctx.error.code?.includes('EMAIL_NOT_VERIFIED')) {
+              errorHandled = true
+              redirectToVerify(email)
               return
             }
+
+            errorHandled = true
+            const errorMessage: string[] = ['Invalid email or password']
+
             if (
               ctx.error.code?.includes('BAD_REQUEST') ||
               ctx.error.message?.includes('Email and password sign in is not enabled')
@@ -271,6 +264,7 @@ export default function LoginPage({
               errorMessage.push('Too many requests. Please wait a moment before trying again.')
             }
 
+            setResetSuccessMessage(null)
             setPasswordErrors(errorMessage)
             setShowValidationError(true)
           },
@@ -278,15 +272,25 @@ export default function LoginPage({
       )
 
       if (!result || result.error) {
+        // Show error if not already handled by onError callback
+        if (!errorHandled) {
+          setResetSuccessMessage(null)
+          const errorMessage = result?.error?.message || 'Login failed. Please try again.'
+          setPasswordErrors([errorMessage])
+          setShowValidationError(true)
+        }
         setIsLoading(false)
         return
       }
+
+      // Clear reset success message on successful login
+      setResetSuccessMessage(null)
+
+      // Explicit redirect fallback if better-auth doesn't redirect
+      router.push(safeCallbackUrl)
     } catch (err: any) {
       if (err.message?.includes('not verified') || err.code?.includes('EMAIL_NOT_VERIFIED')) {
-        if (typeof window !== 'undefined') {
-          sessionStorage.setItem('verificationEmail', email)
-        }
-        router.push('/verify')
+        redirectToVerify(email)
         return
       }
 
@@ -400,6 +404,13 @@ export default function LoginPage({
         </div>
       )}
 
+      {/* Password reset success message */}
+      {resetSuccessMessage && (
+        <div className={`${inter.className} mt-1 space-y-1 text-[#4CAF50] text-xs`}>
+          <p>{resetSuccessMessage}</p>
+        </div>
+      )}
+
       {/* Email/Password Form - show unless explicitly disabled */}
       {!isFalsy(getEnv('NEXT_PUBLIC_EMAIL_PASSWORD_SIGNUP_ENABLED')) && (
         <form onSubmit={onSubmit} className={`${inter.className} mt-8 space-y-8`}>
@@ -482,24 +493,14 @@ export default function LoginPage({
             </div>
           </div>
 
-          <Button
+          <BrandedButton
             type='submit'
-            onMouseEnter={() => setIsButtonHovered(true)}
-            onMouseLeave={() => setIsButtonHovered(false)}
-            className='group inline-flex w-full items-center justify-center gap-2 rounded-[10px] border border-[#6F3DFA] bg-gradient-to-b from-[#8357FF] to-[#6F3DFA] py-[6px] pr-[10px] pl-[12px] text-[15px] text-white shadow-[inset_0_2px_4px_0_#9B77FF] transition-all'
             disabled={isLoading}
+            loading={isLoading}
+            loadingText='Signing in'
           >
-            <span className='flex items-center gap-1'>
-              {isLoading ? 'Signing in...' : 'Sign in'}
-              <span className='inline-flex transition-transform duration-200 group-hover:translate-x-0.5'>
-                {isButtonHovered ? (
-                  <ArrowRight className='h-4 w-4' aria-hidden='true' />
-                ) : (
-                  <ChevronRight className='h-4 w-4' aria-hidden='true' />
-                )}
-              </span>
-            </span>
-          </Button>
+            Sign in
+          </BrandedButton>
         </form>
       )}
 
@@ -610,25 +611,15 @@ export default function LoginPage({
                 <p>{resetStatus.message}</p>
               </div>
             )}
-            <Button
+            <BrandedButton
               type='button'
               onClick={handleForgotPassword}
-              onMouseEnter={() => setIsResetButtonHovered(true)}
-              onMouseLeave={() => setIsResetButtonHovered(false)}
-              className='group inline-flex w-full items-center justify-center gap-2 rounded-[10px] border border-[#6F3DFA] bg-gradient-to-b from-[#8357FF] to-[#6F3DFA] py-[6px] pr-[10px] pl-[12px] text-[15px] text-white shadow-[inset_0_2px_4px_0_#9B77FF] transition-all'
               disabled={isSubmittingReset}
+              loading={isSubmittingReset}
+              loadingText='Sending'
             >
-              <span className='flex items-center gap-1'>
-                {isSubmittingReset ? 'Sending...' : 'Send Reset Link'}
-                <span className='inline-flex transition-transform duration-200 group-hover:translate-x-0.5'>
-                  {isResetButtonHovered ? (
-                    <ArrowRight className='h-4 w-4' aria-hidden='true' />
-                  ) : (
-                    <ChevronRight className='h-4 w-4' aria-hidden='true' />
-                  )}
-                </span>
-              </span>
-            </Button>
+              Send Reset Link
+            </BrandedButton>
           </div>
         </DialogContent>
       </Dialog>

apps/sim/app/(auth)/reset-password/reset-password-form.tsx

@@ -1,12 +1,12 @@
 'use client'
 
-import { useEffect, useState } from 'react'
-import { ArrowRight, ChevronRight, Eye, EyeOff } from 'lucide-react'
-import { Button } from '@/components/ui/button'
+import { useState } from 'react'
+import { Eye, EyeOff } from 'lucide-react'
 import { Input } from '@/components/ui/input'
 import { Label } from '@/components/ui/label'
 import { cn } from '@/lib/core/utils/cn'
 import { inter } from '@/app/_styles/fonts/inter/inter'
+import { BrandedButton } from '@/app/(auth)/components/branded-button'
 
 interface RequestResetFormProps {
   email: string
@@ -27,36 +27,6 @@ export function RequestResetForm({
   statusMessage,
   className,
 }: RequestResetFormProps) {
-  const [buttonClass, setButtonClass] = useState('branded-button-gradient')
-  const [isButtonHovered, setIsButtonHovered] = useState(false)
-
-  useEffect(() => {
-    const checkCustomBrand = () => {
-      const computedStyle = getComputedStyle(document.documentElement)
-      const brandAccent = computedStyle.getPropertyValue('--brand-accent-hex').trim()
-
-      if (brandAccent && brandAccent !== '#6f3dfa') {
-        setButtonClass('branded-button-custom')
-      } else {
-        setButtonClass('branded-button-gradient')
-      }
-    }
-
-    checkCustomBrand()
-
-    window.addEventListener('resize', checkCustomBrand)
-    const observer = new MutationObserver(checkCustomBrand)
-    observer.observe(document.documentElement, {
-      attributes: true,
-      attributeFilter: ['style', 'class'],
-    })
-
-    return () => {
-      window.removeEventListener('resize', checkCustomBrand)
-      observer.disconnect()
-    }
-  }, [])
-
   const handleSubmit = async (e: React.FormEvent) => {
     e.preventDefault()
     onSubmit(email)
@@ -94,24 +64,14 @@ export function RequestResetForm({
         )}
       </div>
 
-      <Button
+      <BrandedButton
         type='submit'
         disabled={isSubmitting}
-        onMouseEnter={() => setIsButtonHovered(true)}
-        onMouseLeave={() => setIsButtonHovered(false)}
-        className='group inline-flex w-full items-center justify-center gap-2 rounded-[10px] border border-[#6F3DFA] bg-gradient-to-b from-[#8357FF] to-[#6F3DFA] py-[6px] pr-[10px] pl-[12px] text-[15px] text-white shadow-[inset_0_2px_4px_0_#9B77FF] transition-all'
+        loading={isSubmitting}
+        loadingText='Sending'
       >
-        <span className='flex items-center gap-1'>
-          {isSubmitting ? 'Sending...' : 'Send Reset Link'}
-          <span className='inline-flex transition-transform duration-200 group-hover:translate-x-0.5'>
-            {isButtonHovered ? (
-              <ArrowRight className='h-4 w-4' aria-hidden='true' />
-            ) : (
-              <ChevronRight className='h-4 w-4' aria-hidden='true' />
-            )}
-          </span>
-        </span>
-      </Button>
+        Send Reset Link
+      </BrandedButton>
     </form>
   )
 }
@@ -138,35 +98,6 @@ export function SetNewPasswordForm({
   const [validationMessage, setValidationMessage] = useState('')
   const [showPassword, setShowPassword] = useState(false)
   const [showConfirmPassword, setShowConfirmPassword] = useState(false)
-  const [buttonClass, setButtonClass] = useState('branded-button-gradient')
-  const [isButtonHovered, setIsButtonHovered] = useState(false)
-
-  useEffect(() => {
-    const checkCustomBrand = () => {
-      const computedStyle = getComputedStyle(document.documentElement)
-      const brandAccent = computedStyle.getPropertyValue('--brand-accent-hex').trim()
-
-      if (brandAccent && brandAccent !== '#6f3dfa') {
-        setButtonClass('branded-button-custom')
-      } else {
-        setButtonClass('branded-button-gradient')
-      }
-    }
-
-    checkCustomBrand()
-
-    window.addEventListener('resize', checkCustomBrand)
-    const observer = new MutationObserver(checkCustomBrand)
-    observer.observe(document.documentElement, {
-      attributes: true,
-      attributeFilter: ['style', 'class'],
-    })
-
-    return () => {
-      window.removeEventListener('resize', checkCustomBrand)
-      observer.disconnect()
-    }
-  }, [])
 
   const handleSubmit = async (e: React.FormEvent) => {
     e.preventDefault()
@@ -296,24 +227,14 @@ export function SetNewPasswordForm({
         )}
       </div>
 
-      <Button
-        disabled={isSubmitting || !token}
+      <BrandedButton
         type='submit'
-        onMouseEnter={() => setIsButtonHovered(true)}
-        onMouseLeave={() => setIsButtonHovered(false)}
-        className='group inline-flex w-full items-center justify-center gap-2 rounded-[10px] border border-[#6F3DFA] bg-gradient-to-b from-[#8357FF] to-[#6F3DFA] py-[6px] pr-[10px] pl-[12px] text-[15px] text-white shadow-[inset_0_2px_4px_0_#9B77FF] transition-all'
+        disabled={isSubmitting || !token}
+        loading={isSubmitting}
+        loadingText='Resetting'
       >
-        <span className='flex items-center gap-1'>
-          {isSubmitting ? 'Resetting...' : 'Reset Password'}
-          <span className='inline-flex transition-transform duration-200 group-hover:translate-x-0.5'>
-            {isButtonHovered ? (
-              <ArrowRight className='h-4 w-4' aria-hidden='true' />
-            ) : (
-              <ChevronRight className='h-4 w-4' aria-hidden='true' />
-            )}
-          </span>
-        </span>
-      </Button>
+        Reset Password
+      </BrandedButton>
     </form>
   )
 }

apps/sim/app/(auth)/signup/signup-form.tsx

@@ -2,10 +2,9 @@
 
 import { Suspense, useEffect, useState } from 'react'
 import { createLogger } from '@sim/logger'
-import { ArrowRight, ChevronRight, Eye, EyeOff } from 'lucide-react'
+import { Eye, EyeOff } from 'lucide-react'
 import Link from 'next/link'
 import { useRouter, useSearchParams } from 'next/navigation'
-import { Button } from '@/components/ui/button'
 import { Input } from '@/components/ui/input'
 import { Label } from '@/components/ui/label'
 import { client, useSession } from '@/lib/auth/auth-client'
@@ -14,8 +13,10 @@ import { cn } from '@/lib/core/utils/cn'
 import { quickValidateEmail } from '@/lib/messaging/email/validation'
 import { inter } from '@/app/_styles/fonts/inter/inter'
 import { soehne } from '@/app/_styles/fonts/soehne/soehne'
+import { BrandedButton } from '@/app/(auth)/components/branded-button'
 import { SocialLoginButtons } from '@/app/(auth)/components/social-login-buttons'
 import { SSOLoginButton } from '@/app/(auth)/components/sso-login-button'
+import { useBrandedButtonClass } from '@/hooks/use-branded-button-class'
 
 const logger = createLogger('SignupForm')
 
@@ -95,8 +96,7 @@ function SignupFormContent({
   const [showEmailValidationError, setShowEmailValidationError] = useState(false)
   const [redirectUrl, setRedirectUrl] = useState('')
   const [isInviteFlow, setIsInviteFlow] = useState(false)
-  const [buttonClass, setButtonClass] = useState('branded-button-gradient')
-  const [isButtonHovered, setIsButtonHovered] = useState(false)
+  const buttonClass = useBrandedButtonClass()
 
   const [name, setName] = useState('')
   const [nameErrors, setNameErrors] = useState<string[]>([])
@@ -126,31 +126,6 @@ function SignupFormContent({
     if (inviteFlowParam === 'true') {
       setIsInviteFlow(true)
     }
-
-    const checkCustomBrand = () => {
-      const computedStyle = getComputedStyle(document.documentElement)
-      const brandAccent = computedStyle.getPropertyValue('--brand-accent-hex').trim()
-
-      if (brandAccent && brandAccent !== '#6f3dfa') {
-        setButtonClass('branded-button-custom')
-      } else {
-        setButtonClass('branded-button-gradient')
-      }
-    }
-
-    checkCustomBrand()
-
-    window.addEventListener('resize', checkCustomBrand)
-    const observer = new MutationObserver(checkCustomBrand)
-    observer.observe(document.documentElement, {
-      attributes: true,
-      attributeFilter: ['style', 'class'],
-    })
-
-    return () => {
-      window.removeEventListener('resize', checkCustomBrand)
-      observer.disconnect()
-    }
   }, [searchParams])
 
   const validatePassword = (passwordValue: string): string[] => {
@@ -500,24 +475,14 @@ function SignupFormContent({
             </div>
           </div>
 
-          <Button
+          <BrandedButton
             type='submit'
-            onMouseEnter={() => setIsButtonHovered(true)}
-            onMouseLeave={() => setIsButtonHovered(false)}
-            className='group inline-flex w-full items-center justify-center gap-2 rounded-[10px] border border-[#6F3DFA] bg-gradient-to-b from-[#8357FF] to-[#6F3DFA] py-[6px] pr-[10px] pl-[12px] text-[15px] text-white shadow-[inset_0_2px_4px_0_#9B77FF] transition-all'
             disabled={isLoading}
+            loading={isLoading}
+            loadingText='Creating account'
           >
-            <span className='flex items-center gap-1'>
-              {isLoading ? 'Creating account' : 'Create account'}
-              <span className='inline-flex transition-transform duration-200 group-hover:translate-x-0.5'>
-                {isButtonHovered ? (
-                  <ArrowRight className='h-4 w-4' aria-hidden='true' />
-                ) : (
-                  <ChevronRight className='h-4 w-4' aria-hidden='true' />
-                )}
-              </span>
-            </span>
-          </Button>
+            Create account
+          </BrandedButton>
         </form>
       )}
 

apps/sim/app/(auth)/sso/sso-form.tsx

@@ -13,6 +13,7 @@ import { cn } from '@/lib/core/utils/cn'
 import { quickValidateEmail } from '@/lib/messaging/email/validation'
 import { inter } from '@/app/_styles/fonts/inter/inter'
 import { soehne } from '@/app/_styles/fonts/soehne/soehne'
+import { useBrandedButtonClass } from '@/hooks/use-branded-button-class'
 
 const logger = createLogger('SSOForm')
 
@@ -57,7 +58,7 @@ export default function SSOForm() {
   const [email, setEmail] = useState('')
   const [emailErrors, setEmailErrors] = useState<string[]>([])
   const [showEmailValidationError, setShowEmailValidationError] = useState(false)
-  const [buttonClass, setButtonClass] = useState('branded-button-gradient')
+  const buttonClass = useBrandedButtonClass()
   const [callbackUrl, setCallbackUrl] = useState('/workspace')
 
   useEffect(() => {
@@ -90,31 +91,6 @@ export default function SSOForm() {
         setShowEmailValidationError(true)
       }
     }
-
-    const checkCustomBrand = () => {
-      const computedStyle = getComputedStyle(document.documentElement)
-      const brandAccent = computedStyle.getPropertyValue('--brand-accent-hex').trim()
-
-      if (brandAccent && brandAccent !== '#6f3dfa') {
-        setButtonClass('branded-button-custom')
-      } else {
-        setButtonClass('branded-button-gradient')
-      }
-    }
-
-    checkCustomBrand()
-
-    window.addEventListener('resize', checkCustomBrand)
-    const observer = new MutationObserver(checkCustomBrand)
-    observer.observe(document.documentElement, {
-      attributes: true,
-      attributeFilter: ['style', 'class'],
-    })
-
-    return () => {
-      window.removeEventListener('resize', checkCustomBrand)
-      observer.disconnect()
-    }
   }, [searchParams])
 
   const handleEmailChange = (e: React.ChangeEvent<HTMLInputElement>) => {

apps/sim/app/(auth)/verify/verify-content.tsx

@@ -8,6 +8,7 @@ import { cn } from '@/lib/core/utils/cn'
 import { inter } from '@/app/_styles/fonts/inter/inter'
 import { soehne } from '@/app/_styles/fonts/soehne/soehne'
 import { useVerification } from '@/app/(auth)/verify/use-verification'
+import { useBrandedButtonClass } from '@/hooks/use-branded-button-class'
 
 interface VerifyContentProps {
   hasEmailService: boolean
@@ -58,34 +59,7 @@ function VerificationForm({
     setCountdown(30)
   }
 
-  const [buttonClass, setButtonClass] = useState('branded-button-gradient')
-
-  useEffect(() => {
-    const checkCustomBrand = () => {
-      const computedStyle = getComputedStyle(document.documentElement)
-      const brandAccent = computedStyle.getPropertyValue('--brand-accent-hex').trim()
-
-      if (brandAccent && brandAccent !== '#6f3dfa') {
-        setButtonClass('branded-button-custom')
-      } else {
-        setButtonClass('branded-button-gradient')
-      }
-    }
-
-    checkCustomBrand()
-
-    window.addEventListener('resize', checkCustomBrand)
-    const observer = new MutationObserver(checkCustomBrand)
-    observer.observe(document.documentElement, {
-      attributes: true,
-      attributeFilter: ['style', 'class'],
-    })
-
-    return () => {
-      window.removeEventListener('resize', checkCustomBrand)
-      observer.disconnect()
-    }
-  }, [])
+  const buttonClass = useBrandedButtonClass()
 
   return (
     <>

apps/sim/app/(landing)/careers/page.tsx

@@ -4,7 +4,6 @@ import { useRef, useState } from 'react'
 import { createLogger } from '@sim/logger'
 import { X } from 'lucide-react'
 import { Textarea } from '@/components/emcn'
-import { Button } from '@/components/ui/button'
 import { Input } from '@/components/ui/input'
 import { Label } from '@/components/ui/label'
 import {
@@ -18,6 +17,7 @@ import { isHosted } from '@/lib/core/config/feature-flags'
 import { cn } from '@/lib/core/utils/cn'
 import { quickValidateEmail } from '@/lib/messaging/email/validation'
 import { soehne } from '@/app/_styles/fonts/soehne/soehne'
+import { BrandedButton } from '@/app/(auth)/components/branded-button'
 import Footer from '@/app/(landing)/components/footer/footer'
 import Nav from '@/app/(landing)/components/nav/nav'
 
@@ -493,18 +493,17 @@ export default function CareersPage() {
 
               {/* Submit Button */}
               <div className='flex justify-end pt-2'>
-                <Button
+                <BrandedButton
                   type='submit'
                   disabled={isSubmitting || submitStatus === 'success'}
-                  className='min-w-[200px] rounded-[10px] border border-[#6F3DFA] bg-gradient-to-b from-[#8357FF] to-[#6F3DFA] text-white shadow-[inset_0_2px_4px_0_#9B77FF] transition-all duration-300 hover:opacity-90 disabled:opacity-50'
-                  size='lg'
+                  loading={isSubmitting}
+                  loadingText='Submitting'
+                  showArrow={false}
+                  fullWidth={false}
+                  className='min-w-[200px]'
                 >
-                  {isSubmitting
-                    ? 'Submitting...'
-                    : submitStatus === 'success'
-                      ? 'Submitted'
-                      : 'Submit Application'}
-                </Button>
+                  {submitStatus === 'success' ? 'Submitted' : 'Submit Application'}
+                </BrandedButton>
               </div>
             </form>
           </section>

apps/sim/app/(landing)/components/footer/components/status-indicator.tsx

@@ -59,7 +59,7 @@ export default function StatusIndicator() {
       href={statusUrl}
       target='_blank'
       rel='noopener noreferrer'
-      className={`flex items-center gap-[6px] whitespace-nowrap text-[12px] transition-colors ${STATUS_COLORS[status]}`}
+      className={`flex min-w-[165px] items-center gap-[6px] whitespace-nowrap text-[12px] transition-colors ${STATUS_COLORS[status]}`}
       aria-label={`System status: ${message}`}
     >
       <StatusDotIcon status={status} className='h-[6px] w-[6px]' aria-hidden='true' />

apps/sim/app/(landing)/components/nav/nav.tsx

@@ -11,6 +11,7 @@ import { useBrandConfig } from '@/lib/branding/branding'
 import { isHosted } from '@/lib/core/config/feature-flags'
 import { soehne } from '@/app/_styles/fonts/soehne/soehne'
 import { getFormattedGitHubStars } from '@/app/(landing)/actions/github'
+import { useBrandedButtonClass } from '@/hooks/use-branded-button-class'
 
 const logger = createLogger('nav')
 
@@ -20,11 +21,12 @@ interface NavProps {
 }
 
 export default function Nav({ hideAuthButtons = false, variant = 'landing' }: NavProps = {}) {
-  const [githubStars, setGithubStars] = useState('25.1k')
+  const [githubStars, setGithubStars] = useState('25.8k')
   const [isHovered, setIsHovered] = useState(false)
   const [isLoginHovered, setIsLoginHovered] = useState(false)
   const router = useRouter()
   const brand = useBrandConfig()
+  const buttonClass = useBrandedButtonClass()
 
   useEffect(() => {
     if (variant !== 'landing') return
@@ -183,7 +185,7 @@ export default function Nav({ hideAuthButtons = false, variant = 'landing' }: Na
             href='/signup'
             onMouseEnter={() => setIsHovered(true)}
             onMouseLeave={() => setIsHovered(false)}
-            className='group inline-flex items-center justify-center gap-2 rounded-[10px] border border-[#6F3DFA] bg-gradient-to-b from-[#8357FF] to-[#6F3DFA] py-[6px] pr-[10px] pl-[12px] text-[14px] text-white shadow-[inset_0_2px_4px_0_#9B77FF] transition-all sm:text-[16px]'
+            className={`${buttonClass} group inline-flex items-center justify-center gap-2 rounded-[10px] py-[6px] pr-[10px] pl-[12px] text-[15px] text-white transition-all`}
             aria-label='Get started with Sim - Sign up for free'
             prefetch={true}
           >

apps/sim/app/(landing)/studio/[slug]/back-link.tsx

@@ -0,0 +1,27 @@
+'use client'
+
+import { useState } from 'react'
+import { ArrowLeft, ChevronLeft } from 'lucide-react'
+import Link from 'next/link'
+
+export function BackLink() {
+  const [isHovered, setIsHovered] = useState(false)
+
+  return (
+    <Link
+      href='/studio'
+      className='group flex items-center gap-1 text-gray-600 text-sm hover:text-gray-900'
+      onMouseEnter={() => setIsHovered(true)}
+      onMouseLeave={() => setIsHovered(false)}
+    >
+      <span className='group-hover:-translate-x-0.5 inline-flex transition-transform duration-200'>
+        {isHovered ? (
+          <ArrowLeft className='h-4 w-4' aria-hidden='true' />
+        ) : (
+          <ChevronLeft className='h-4 w-4' aria-hidden='true' />
+        )}
+      </span>
+      Back to Sim Studio
+    </Link>
+  )
+}

apps/sim/app/(landing)/studio/[slug]/page.tsx

@@ -5,7 +5,10 @@ import { Avatar, AvatarFallback, AvatarImage } from '@/components/emcn'
 import { FAQ } from '@/lib/blog/faq'
 import { getAllPostMeta, getPostBySlug, getRelatedPosts } from '@/lib/blog/registry'
 import { buildArticleJsonLd, buildBreadcrumbJsonLd, buildPostMetadata } from '@/lib/blog/seo'
+import { getBaseUrl } from '@/lib/core/utils/urls'
 import { soehne } from '@/app/_styles/fonts/soehne/soehne'
+import { BackLink } from '@/app/(landing)/studio/[slug]/back-link'
+import { ShareButton } from '@/app/(landing)/studio/[slug]/share-button'
 
 export async function generateStaticParams() {
   const posts = await getAllPostMeta()
@@ -48,9 +51,7 @@ export default async function Page({ params }: { params: Promise<{ slug: string
       />
       <header className='mx-auto max-w-[1450px] px-6 pt-8 sm:px-8 sm:pt-12 md:px-12 md:pt-16'>
         <div className='mb-6'>
-          <Link href='/studio' className='text-gray-600 text-sm hover:text-gray-900'>
-            ← Back to Sim Studio
-          </Link>
+          <BackLink />
         </div>
         <div className='flex flex-col gap-8 md:flex-row md:gap-12'>
           <div className='w-full flex-shrink-0 md:w-[450px]'>
@@ -75,28 +76,31 @@ export default async function Page({ params }: { params: Promise<{ slug: string
             >
               {post.title}
             </h1>
-            <div className='mt-4 flex items-center gap-3'>
-              {(post.authors || [post.author]).map((a, idx) => (
-                <div key={idx} className='flex items-center gap-2'>
-                  {a?.avatarUrl ? (
-                    <Avatar className='size-6'>
-                      <AvatarImage src={a.avatarUrl} alt={a.name} />
-                      <AvatarFallback>{a.name.slice(0, 2)}</AvatarFallback>
-                    </Avatar>
-                  ) : null}
-                  <Link
-                    href={a?.url || '#'}
-                    target='_blank'
-                    rel='noopener noreferrer author'
-                    className='text-[14px] text-gray-600 leading-[1.5] hover:text-gray-900 sm:text-[16px]'
-                    itemProp='author'
-                    itemScope
-                    itemType='https://schema.org/Person'
-                  >
-                    <span itemProp='name'>{a?.name}</span>
-                  </Link>
-                </div>
-              ))}
+            <div className='mt-4 flex items-center justify-between'>
+              <div className='flex items-center gap-3'>
+                {(post.authors || [post.author]).map((a, idx) => (
+                  <div key={idx} className='flex items-center gap-2'>
+                    {a?.avatarUrl ? (
+                      <Avatar className='size-6'>
+                        <AvatarImage src={a.avatarUrl} alt={a.name} />
+                        <AvatarFallback>{a.name.slice(0, 2)}</AvatarFallback>
+                      </Avatar>
+                    ) : null}
+                    <Link
+                      href={a?.url || '#'}
+                      target='_blank'
+                      rel='noopener noreferrer author'
+                      className='text-[14px] text-gray-600 leading-[1.5] hover:text-gray-900 sm:text-[16px]'
+                      itemProp='author'
+                      itemScope
+                      itemType='https://schema.org/Person'
+                    >
+                      <span itemProp='name'>{a?.name}</span>
+                    </Link>
+                  </div>
+                ))}
+              </div>
+              <ShareButton url={`${getBaseUrl()}/studio/${slug}`} title={post.title} />
             </div>
           </div>
         </div>

apps/sim/app/(landing)/studio/[slug]/share-button.tsx

@@ -0,0 +1,65 @@
+'use client'
+
+import { useState } from 'react'
+import { Share2 } from 'lucide-react'
+import { Popover, PopoverContent, PopoverItem, PopoverTrigger } from '@/components/emcn'
+
+interface ShareButtonProps {
+  url: string
+  title: string
+}
+
+export function ShareButton({ url, title }: ShareButtonProps) {
+  const [open, setOpen] = useState(false)
+  const [copied, setCopied] = useState(false)
+
+  const handleCopyLink = async () => {
+    try {
+      await navigator.clipboard.writeText(url)
+      setCopied(true)
+      setTimeout(() => {
+        setCopied(false)
+        setOpen(false)
+      }, 1000)
+    } catch {
+      setOpen(false)
+    }
+  }
+
+  const handleShareTwitter = () => {
+    const tweetUrl = `https://twitter.com/intent/tweet?url=${encodeURIComponent(url)}&text=${encodeURIComponent(title)}`
+    window.open(tweetUrl, '_blank', 'noopener,noreferrer')
+    setOpen(false)
+  }
+
+  const handleShareLinkedIn = () => {
+    const linkedInUrl = `https://www.linkedin.com/sharing/share-offsite/?url=${encodeURIComponent(url)}`
+    window.open(linkedInUrl, '_blank', 'noopener,noreferrer')
+    setOpen(false)
+  }
+
+  return (
+    <Popover
+      open={open}
+      onOpenChange={setOpen}
+      variant='secondary'
+      size='sm'
+      colorScheme='inverted'
+    >
+      <PopoverTrigger asChild>
+        <button
+          className='flex items-center gap-1.5 text-gray-600 text-sm hover:text-gray-900'
+          aria-label='Share this post'
+        >
+          <Share2 className='h-4 w-4' />
+          <span>Share</span>
+        </button>
+      </PopoverTrigger>
+      <PopoverContent align='end' minWidth={140}>
+        <PopoverItem onClick={handleCopyLink}>{copied ? 'Copied!' : 'Copy link'}</PopoverItem>
+        <PopoverItem onClick={handleShareTwitter}>Share on X</PopoverItem>
+        <PopoverItem onClick={handleShareLinkedIn}>Share on LinkedIn</PopoverItem>
+      </PopoverContent>
+    </Popover>
+  )
+}

apps/sim/app/(landing)/studio/page.tsx

@@ -22,7 +22,7 @@ export default async function StudioIndex({
       ? filtered.sort((a, b) => {
           if (a.featured && !b.featured) return -1
           if (!a.featured && b.featured) return 1
-          return 0
+          return new Date(b.date).getTime() - new Date(a.date).getTime()
         })
       : filtered
 

apps/sim/app/api/a2a/agents/[agentId]/route.ts

@@ -8,6 +8,7 @@ import type { AgentCapabilities, AgentSkill } from '@/lib/a2a/types'
 import { checkHybridAuth } from '@/lib/auth/hybrid'
 import { getRedisClient } from '@/lib/core/config/redis'
 import { loadWorkflowFromNormalizedTables } from '@/lib/workflows/persistence/utils'
+import { checkWorkspaceAccess } from '@/lib/workspaces/permissions/utils'
 
 const logger = createLogger('A2AAgentCardAPI')
 
@@ -95,6 +96,11 @@ export async function PUT(request: NextRequest, { params }: { params: Promise<Ro
       return NextResponse.json({ error: 'Agent not found' }, { status: 404 })
     }
 
+    const workspaceAccess = await checkWorkspaceAccess(existingAgent.workspaceId, auth.userId)
+    if (!workspaceAccess.canWrite) {
+      return NextResponse.json({ error: 'Forbidden' }, { status: 403 })
+    }
+
     const body = await request.json()
 
     if (
@@ -160,6 +166,11 @@ export async function DELETE(request: NextRequest, { params }: { params: Promise
       return NextResponse.json({ error: 'Agent not found' }, { status: 404 })
     }
 
+    const workspaceAccess = await checkWorkspaceAccess(existingAgent.workspaceId, auth.userId)
+    if (!workspaceAccess.canWrite) {
+      return NextResponse.json({ error: 'Forbidden' }, { status: 403 })
+    }
+
     await db.delete(a2aAgent).where(eq(a2aAgent.id, agentId))
 
     logger.info(`Deleted A2A agent: ${agentId}`)
@@ -194,6 +205,11 @@ export async function POST(request: NextRequest, { params }: { params: Promise<R
       return NextResponse.json({ error: 'Agent not found' }, { status: 404 })
     }
 
+    const workspaceAccess = await checkWorkspaceAccess(existingAgent.workspaceId, auth.userId)
+    if (!workspaceAccess.canWrite) {
+      return NextResponse.json({ error: 'Forbidden' }, { status: 403 })
+    }
+
     const body = await request.json()
     const action = body.action as 'publish' | 'unpublish' | 'refresh'
 

apps/sim/app/api/a2a/serve/[agentId]/route.ts

@@ -16,6 +16,7 @@ import {
 import { checkHybridAuth } from '@/lib/auth/hybrid'
 import { getBrandConfig } from '@/lib/branding/branding'
 import { acquireLock, getRedisClient, releaseLock } from '@/lib/core/config/redis'
+import { validateExternalUrl } from '@/lib/core/security/input-validation'
 import { SSE_HEADERS } from '@/lib/core/utils/sse'
 import { getBaseUrl } from '@/lib/core/utils/urls'
 import { markExecutionCancelled } from '@/lib/execution/cancellation'
@@ -1118,17 +1119,13 @@ async function handlePushNotificationSet(
     )
   }
 
-  try {
-    const url = new URL(params.pushNotificationConfig.url)
-    if (url.protocol !== 'https:') {
-      return NextResponse.json(
-        createError(id, A2A_ERROR_CODES.INVALID_PARAMS, 'Push notification URL must use HTTPS'),
-        { status: 400 }
-      )
-    }
-  } catch {
+  const urlValidation = validateExternalUrl(
+    params.pushNotificationConfig.url,
+    'Push notification URL'
+  )
+  if (!urlValidation.isValid) {
     return NextResponse.json(
-      createError(id, A2A_ERROR_CODES.INVALID_PARAMS, 'Invalid push notification URL'),
+      createError(id, A2A_ERROR_CODES.INVALID_PARAMS, urlValidation.error || 'Invalid URL'),
       { status: 400 }
     )
   }

apps/sim/app/api/auth/oauth/utils.ts

@@ -4,6 +4,11 @@ import { createLogger } from '@sim/logger'
 import { and, desc, eq, inArray } from 'drizzle-orm'
 import { getSession } from '@/lib/auth'
 import { refreshOAuthToken } from '@/lib/oauth'
+import {
+  getMicrosoftRefreshTokenExpiry,
+  isMicrosoftProvider,
+  PROACTIVE_REFRESH_THRESHOLD_DAYS,
+} from '@/lib/oauth/microsoft'
 
 const logger = createLogger('OAuthUtilsAPI')
 
@@ -205,15 +210,32 @@ export async function refreshAccessTokenIfNeeded(
   }
 
   // Decide if we should refresh: token missing OR expired
-  const expiresAt = credential.accessTokenExpiresAt
+  const accessTokenExpiresAt = credential.accessTokenExpiresAt
+  const refreshTokenExpiresAt = credential.refreshTokenExpiresAt
   const now = new Date()
-  const shouldRefresh =
-    !!credential.refreshToken && (!credential.accessToken || (expiresAt && expiresAt <= now))
+
+  // Check if access token needs refresh (missing or expired)
+  const accessTokenNeedsRefresh =
+    !!credential.refreshToken &&
+    (!credential.accessToken || (accessTokenExpiresAt && accessTokenExpiresAt <= now))
+
+  // Check if we should proactively refresh to prevent refresh token expiry
+  // This applies to Microsoft providers whose refresh tokens expire after 90 days of inactivity
+  const proactiveRefreshThreshold = new Date(
+    now.getTime() + PROACTIVE_REFRESH_THRESHOLD_DAYS * 24 * 60 * 60 * 1000
+  )
+  const refreshTokenNeedsProactiveRefresh =
+    !!credential.refreshToken &&
+    isMicrosoftProvider(credential.providerId) &&
+    refreshTokenExpiresAt &&
+    refreshTokenExpiresAt <= proactiveRefreshThreshold
+
+  const shouldRefresh = accessTokenNeedsRefresh || refreshTokenNeedsProactiveRefresh
 
   const accessToken = credential.accessToken
 
   if (shouldRefresh) {
-    logger.info(`[${requestId}] Token expired, attempting to refresh for credential`)
+    logger.info(`[${requestId}] Refreshing token for credential`)
     try {
       const refreshedToken = await refreshOAuthToken(
         credential.providerId,
@@ -227,11 +249,15 @@ export async function refreshAccessTokenIfNeeded(
           userId: credential.userId,
           hasRefreshToken: !!credential.refreshToken,
         })
+        if (!accessTokenNeedsRefresh && accessToken) {
+          logger.info(`[${requestId}] Proactive refresh failed but access token still valid`)
+          return accessToken
+        }
         return null
       }
 
       // Prepare update data
-      const updateData: any = {
+      const updateData: Record<string, unknown> = {
         accessToken: refreshedToken.accessToken,
         accessTokenExpiresAt: new Date(Date.now() + refreshedToken.expiresIn * 1000),
         updatedAt: new Date(),
@@ -243,6 +269,10 @@ export async function refreshAccessTokenIfNeeded(
         updateData.refreshToken = refreshedToken.refreshToken
       }
 
+      if (isMicrosoftProvider(credential.providerId)) {
+        updateData.refreshTokenExpiresAt = getMicrosoftRefreshTokenExpiry()
+      }
+
       // Update the token in the database
       await db.update(account).set(updateData).where(eq(account.id, credentialId))
 
@@ -256,6 +286,10 @@ export async function refreshAccessTokenIfNeeded(
         credentialId,
         userId: credential.userId,
       })
+      if (!accessTokenNeedsRefresh && accessToken) {
+        logger.info(`[${requestId}] Proactive refresh failed but access token still valid`)
+        return accessToken
+      }
       return null
     }
   } else if (!accessToken) {
@@ -277,10 +311,27 @@ export async function refreshTokenIfNeeded(
   credentialId: string
 ): Promise<{ accessToken: string; refreshed: boolean }> {
   // Decide if we should refresh: token missing OR expired
-  const expiresAt = credential.accessTokenExpiresAt
+  const accessTokenExpiresAt = credential.accessTokenExpiresAt
+  const refreshTokenExpiresAt = credential.refreshTokenExpiresAt
   const now = new Date()
-  const shouldRefresh =
-    !!credential.refreshToken && (!credential.accessToken || (expiresAt && expiresAt <= now))
+
+  // Check if access token needs refresh (missing or expired)
+  const accessTokenNeedsRefresh =
+    !!credential.refreshToken &&
+    (!credential.accessToken || (accessTokenExpiresAt && accessTokenExpiresAt <= now))
+
+  // Check if we should proactively refresh to prevent refresh token expiry
+  // This applies to Microsoft providers whose refresh tokens expire after 90 days of inactivity
+  const proactiveRefreshThreshold = new Date(
+    now.getTime() + PROACTIVE_REFRESH_THRESHOLD_DAYS * 24 * 60 * 60 * 1000
+  )
+  const refreshTokenNeedsProactiveRefresh =
+    !!credential.refreshToken &&
+    isMicrosoftProvider(credential.providerId) &&
+    refreshTokenExpiresAt &&
+    refreshTokenExpiresAt <= proactiveRefreshThreshold
+
+  const shouldRefresh = accessTokenNeedsRefresh || refreshTokenNeedsProactiveRefresh
 
   // If token appears valid and present, return it directly
   if (!shouldRefresh) {
@@ -293,13 +344,17 @@ export async function refreshTokenIfNeeded(
 
     if (!refreshResult) {
       logger.error(`[${requestId}] Failed to refresh token for credential`)
+      if (!accessTokenNeedsRefresh && credential.accessToken) {
+        logger.info(`[${requestId}] Proactive refresh failed but access token still valid`)
+        return { accessToken: credential.accessToken, refreshed: false }
+      }
       throw new Error('Failed to refresh token')
     }
 
     const { accessToken: refreshedToken, expiresIn, refreshToken: newRefreshToken } = refreshResult
 
     // Prepare update data
-    const updateData: any = {
+    const updateData: Record<string, unknown> = {
       accessToken: refreshedToken,
       accessTokenExpiresAt: new Date(Date.now() + expiresIn * 1000), // Use provider's expiry
       updatedAt: new Date(),
@@ -311,6 +366,10 @@ export async function refreshTokenIfNeeded(
       updateData.refreshToken = newRefreshToken
     }
 
+    if (isMicrosoftProvider(credential.providerId)) {
+      updateData.refreshTokenExpiresAt = getMicrosoftRefreshTokenExpiry()
+    }
+
     await db.update(account).set(updateData).where(eq(account.id, credentialId))
 
     logger.info(`[${requestId}] Successfully refreshed access token`)
@@ -331,6 +390,11 @@ export async function refreshTokenIfNeeded(
       }
     }
 
+    if (!accessTokenNeedsRefresh && credential.accessToken) {
+      logger.info(`[${requestId}] Proactive refresh failed but access token still valid`)
+      return { accessToken: credential.accessToken, refreshed: false }
+    }
+
     logger.error(`[${requestId}] Refresh failed and no valid token found in DB`, error)
     throw error
   }

apps/sim/app/api/auth/reset-password/route.ts

@@ -15,7 +15,8 @@ const resetPasswordSchema = z.object({
     .max(100, 'Password must not exceed 100 characters')
     .regex(/[A-Z]/, 'Password must contain at least one uppercase letter')
     .regex(/[a-z]/, 'Password must contain at least one lowercase letter')
-    .regex(/[0-9]/, 'Password must contain at least one number'),
+    .regex(/[0-9]/, 'Password must contain at least one number')
+    .regex(/[^A-Za-z0-9]/, 'Password must contain at least one special character'),
 })
 
 export async function POST(request: NextRequest) {

apps/sim/app/api/copilot/chat/route.ts

@@ -2,7 +2,6 @@ import { db } from '@sim/db'
 import { copilotChats } from '@sim/db/schema'
 import { createLogger } from '@sim/logger'
 import { and, desc, eq } from 'drizzle-orm'
-import { after } from 'next/server'
 import { type NextRequest, NextResponse } from 'next/server'
 import { z } from 'zod'
 import { getSession } from '@/lib/auth'
@@ -17,35 +16,16 @@ import {
   createRequestTracker,
   createUnauthorizedResponse,
 } from '@/lib/copilot/request-helpers'
-import {
-  type RenderEvent,
-  serializeRenderEvent,
-} from '@/lib/copilot/render-events'
-import {
-  appendChunk,
-  appendContent,
-  checkAbortSignal,
-  completeStream,
-  createStream,
-  errorStream,
-  refreshStreamTTL,
-  updateToolCall,
-} from '@/lib/copilot/stream-persistence'
-import { transformStream } from '@/lib/copilot/stream-transformer'
 import { getCredentialsServerTool } from '@/lib/copilot/tools/server/user/get-credentials'
 import type { CopilotProviderConfig } from '@/lib/copilot/types'
 import { env } from '@/lib/core/config/env'
-import { CopilotFiles } from '@/lib/uploads'  
+import { CopilotFiles } from '@/lib/uploads'
 import { createFileContent } from '@/lib/uploads/utils/file-utils'
 import { tools } from '@/tools/registry'
 import { getLatestVersionTools, stripVersionSuffix } from '@/tools/utils'
 
 const logger = createLogger('CopilotChatAPI')
 
-export const dynamic = 'force-dynamic'
-export const fetchCache = 'force-no-store'
-export const runtime = 'nodejs'
-
 const SIM_AGENT_API_URL = env.SIM_AGENT_API_URL || SIM_AGENT_API_URL_DEFAULT
 
 const FileAttachmentSchema = z.object({
@@ -512,250 +492,385 @@ export async function POST(req: NextRequest) {
       )
     }
 
-    // If streaming is requested, return a DIRECT SSE stream for low latency
-    // Also persist to Redis in background for stream resumption
+    // If streaming is requested, forward the stream and update chat later
     if (stream && simAgentResponse.body) {
-      // Create stream ID for persistence and resumption
-      const streamId = crypto.randomUUID()
-
-      // Initialize stream state in Redis (fire-and-forget)
-      createStream({
-        streamId,
-        chatId: actualChatId!,
-        userId: authenticatedUserId,
-        workflowId,
-        userMessageId: userMessageIdToUse,
-        isClientSession: true,
-      }).catch(() => {})
-
-      // Save user message to database immediately so it's available on refresh
-      // This is critical for stream resumption - user message must be persisted before stream starts
-      if (currentChat) {
-        const existingMessages = Array.isArray(currentChat.messages) ? currentChat.messages : []
-        const userMessage = {
-          id: userMessageIdToUse,
-          role: 'user',
-          content: message,
-          timestamp: new Date().toISOString(),
-          ...(fileAttachments && fileAttachments.length > 0 && { fileAttachments }),
-          ...(Array.isArray(contexts) && contexts.length > 0 && { contexts }),
-          ...(Array.isArray(contexts) &&
-            contexts.length > 0 && {
-              contentBlocks: [{ type: 'contexts', contexts: contexts as any, timestamp: Date.now() }],
-            }),
-        }
-
-        // Fire-and-forget - don't block the stream
-        db.update(copilotChats)
-          .set({
-            messages: [...existingMessages, userMessage],
-            updatedAt: new Date(),
-          })
-          .where(eq(copilotChats.id, actualChatId!))
-          .catch(() => {})
-
-        logger.info(`[${tracker.requestId}] Saving user message (async)`, {
-          chatId: actualChatId,
-          messageId: userMessageIdToUse,
-        })
+      // Create user message to save
+      const userMessage = {
+        id: userMessageIdToUse, // Consistent ID used for request and persistence
+        role: 'user',
+        content: message,
+        timestamp: new Date().toISOString(),
+        ...(fileAttachments && fileAttachments.length > 0 && { fileAttachments }),
+        ...(Array.isArray(contexts) && contexts.length > 0 && { contexts }),
+        ...(Array.isArray(contexts) &&
+          contexts.length > 0 && {
+            contentBlocks: [{ type: 'contexts', contexts: contexts as any, timestamp: Date.now() }],
+          }),
       }
 
-      // Capture needed values
-      const capturedChatId = actualChatId!
-      const capturedCurrentChat = currentChat
-      const assistantMessageId = crypto.randomUUID()
+      // Create a pass-through stream that captures the response
+      const transformedStream = new ReadableStream({
+        async start(controller) {
+          const encoder = new TextEncoder()
+          let assistantContent = ''
+          const toolCalls: any[] = []
+          let buffer = ''
+          const isFirstDone = true
+          let responseIdFromStart: string | undefined
+          let responseIdFromDone: string | undefined
+          // Track tool call progress to identify a safe done event
+          const announcedToolCallIds = new Set<string>()
+          const startedToolExecutionIds = new Set<string>()
+          const completedToolExecutionIds = new Set<string>()
+          let lastDoneResponseId: string | undefined
+          let lastSafeDoneResponseId: string | undefined
 
-      // Start title generation if needed (runs in parallel)
-      if (capturedChatId && !capturedCurrentChat?.title && conversationHistory.length === 0) {
-        generateChatTitle(message)
-          .then(async (title) => {
-            if (title) {
-              await db
-                .update(copilotChats)
-                .set({ title, updatedAt: new Date() })
-                .where(eq(copilotChats.id, capturedChatId))
-              logger.info(`[${tracker.requestId}] Generated and saved title: ${title}`)
-            }
-          })
-          .catch((error) => {
-            logger.error(`[${tracker.requestId}] Title generation failed:`, error)
-          })
-      }
+          // Send chatId as first event
+          if (actualChatId) {
+            const chatIdEvent = `data: ${JSON.stringify({
+              type: 'chat_id',
+              chatId: actualChatId,
+            })}\n\n`
+            controller.enqueue(encoder.encode(chatIdEvent))
+            logger.debug(`[${tracker.requestId}] Sent initial chatId event to client`)
+          }
 
-      // Track accumulated content for final persistence
-      let accumulatedContent = ''
-      const accumulatedToolCalls: Array<{
-        id: string
-        name: string
-        args: Record<string, unknown>
-        state: string
-        result?: unknown
-      }> = []
+          // Start title generation in parallel if needed
+          if (actualChatId && !currentChat?.title && conversationHistory.length === 0) {
+            generateChatTitle(message)
+              .then(async (title) => {
+                if (title) {
+                  await db
+                    .update(copilotChats)
+                    .set({
+                      title,
+                      updatedAt: new Date(),
+                    })
+                    .where(eq(copilotChats.id, actualChatId!))
 
-      const encoder = new TextEncoder()
-
-      // Track if client is still connected
-      let clientConnected = true
-
-      // Create the stream processing promise - this runs independently of client connection
-      // and is scheduled via after() to ensure it completes even if client disconnects
-      const streamProcessingPromise = transformStream(simAgentResponse.body!, {
-        streamId,
-        chatId: capturedChatId,
-        userId: authenticatedUserId,
-        workflowId,
-        userMessageId: userMessageIdToUse,
-        assistantMessageId,
-
-        // Emit render events - try to send to client, always persist to Redis
-        onRenderEvent: async (event: RenderEvent) => {
-          const serialized = serializeRenderEvent(event)
-
-          // 1. Persist to Redis FIRST (critical for resumption)
-          appendChunk(streamId, serialized).catch(() => {})
-
-          // 2. Try to send to client if still connected (best effort)
-          if (clientConnected) {
-            try {
-              streamController?.enqueue(encoder.encode(serialized))
-            } catch {
-              // Client disconnected - mark as disconnected and continue processing
-              clientConnected = false
-              logger.info(`[${tracker.requestId}] Client disconnected, continuing server-side`, {
-                streamId,
+                  const titleEvent = `data: ${JSON.stringify({
+                    type: 'title_updated',
+                    title: title,
+                  })}\n\n`
+                  controller.enqueue(encoder.encode(titleEvent))
+                  logger.info(`[${tracker.requestId}] Generated and saved title: ${title}`)
+                }
               })
-            }
-          }
-
-          // Update stream metadata for specific events
-          switch (event.type) {
-            case 'text_delta':
-              accumulatedContent += (event as any).content || ''
-              appendContent(streamId, (event as any).content || '').catch(() => {})
-              break
-            case 'tool_pending':
-              updateToolCall(streamId, (event as any).toolCallId, {
-                id: (event as any).toolCallId,
-                name: (event as any).toolName,
-                args: (event as any).args || {},
-                state: 'pending',
-              }).catch(() => {})
-              break
-            case 'tool_executing':
-              updateToolCall(streamId, (event as any).toolCallId, {
-                state: 'executing',
-              }).catch(() => {})
-              break
-            case 'tool_success':
-              updateToolCall(streamId, (event as any).toolCallId, {
-                state: 'success',
-                result: (event as any).result,
-              }).catch(() => {})
-              accumulatedToolCalls.push({
-                id: (event as any).toolCallId,
-                name: (event as any).display?.label || '',
-                args: {},
-                state: 'success',
-                result: (event as any).result,
+              .catch((error) => {
+                logger.error(`[${tracker.requestId}] Title generation failed:`, error)
               })
-              break
-            case 'tool_error':
-              updateToolCall(streamId, (event as any).toolCallId, {
-                state: 'error',
-                error: (event as any).error,
-              }).catch(() => {})
-              accumulatedToolCalls.push({
-                id: (event as any).toolCallId,
-                name: (event as any).display?.label || '',
-                args: {},
-                state: 'error',
-              })
-              break
-          }
-        },
-
-        onPersist: async (data) => {
-          if (data.type === 'message_complete') {
-            completeStream(streamId, undefined).catch(() => {})
-          }
-        },
-
-        // Never abort based on client - let stream complete
-        isAborted: () => false,
-      })
-        .then(() => {
-          if (capturedCurrentChat) {
-            db.update(copilotChats)
-              .set({ updatedAt: new Date() })
-              .where(eq(copilotChats.id, capturedChatId))
-              .catch(() => {})
+          } else {
+            logger.debug(`[${tracker.requestId}] Skipping title generation`)
           }
 
-          logger.info(`[${tracker.requestId}] Stream processing complete`, {
-            streamId,
-            contentLength: accumulatedContent.length,
-            toolCallsCount: accumulatedToolCalls.length,
-            clientWasConnected: clientConnected,
-          })
-        })
-        .catch((error) => {
-          logger.error(`[${tracker.requestId}] Stream error`, { streamId, error })
-          errorStream(streamId, error instanceof Error ? error.message : 'Unknown error').catch(
-            () => {}
-          )
-        })
+          // Forward the sim agent stream and capture assistant response
+          const reader = simAgentResponse.body!.getReader()
+          const decoder = new TextDecoder()
 
-      // Use after() to ensure stream processing completes even if client disconnects
-      // This is critical for serverless environments where the handler might be killed
-      after(streamProcessingPromise)
-
-      // Controller reference for the client stream
-      let streamController: ReadableStreamDefaultController<Uint8Array> | null = null
-
-      // Create ReadableStream for client - this is just a view into the processing
-      const readable = new ReadableStream({
-        start(controller) {
-          streamController = controller
-
-          // Prime the SSE stream to avoid buffering proxies
           try {
-            controller.enqueue(encoder.encode(': ping\n\n'))
-          } catch {}
+            while (true) {
+              const { done, value } = await reader.read()
+              if (done) {
+                break
+              }
 
-          // When stream processing completes, close the client stream
-          streamProcessingPromise.finally(() => {
+              // Decode and parse SSE events for logging and capturing content
+              const decodedChunk = decoder.decode(value, { stream: true })
+              buffer += decodedChunk
+
+              const lines = buffer.split('\n')
+              buffer = lines.pop() || '' // Keep incomplete line in buffer
+
+              for (const line of lines) {
+                if (line.trim() === '') continue // Skip empty lines
+
+                if (line.startsWith('data: ') && line.length > 6) {
+                  try {
+                    const jsonStr = line.slice(6)
+
+                    // Check if the JSON string is unusually large (potential streaming issue)
+                    if (jsonStr.length > 50000) {
+                      // 50KB limit
+                      logger.warn(`[${tracker.requestId}] Large SSE event detected`, {
+                        size: jsonStr.length,
+                        preview: `${jsonStr.substring(0, 100)}...`,
+                      })
+                    }
+
+                    const event = JSON.parse(jsonStr)
+
+                    // Log different event types comprehensively
+                    switch (event.type) {
+                      case 'content':
+                        if (event.data) {
+                          assistantContent += event.data
+                        }
+                        break
+
+                      case 'reasoning':
+                        logger.debug(
+                          `[${tracker.requestId}] Reasoning chunk received (${(event.data || event.content || '').length} chars)`
+                        )
+                        break
+
+                      case 'tool_call':
+                        if (!event.data?.partial) {
+                          toolCalls.push(event.data)
+                          if (event.data?.id) {
+                            announcedToolCallIds.add(event.data.id)
+                          }
+                        }
+                        break
+
+                      case 'tool_generating':
+                        if (event.toolCallId) {
+                          startedToolExecutionIds.add(event.toolCallId)
+                        }
+                        break
+
+                      case 'tool_result':
+                        if (event.toolCallId) {
+                          completedToolExecutionIds.add(event.toolCallId)
+                        }
+                        break
+
+                      case 'tool_error':
+                        logger.error(`[${tracker.requestId}] Tool error:`, {
+                          toolCallId: event.toolCallId,
+                          toolName: event.toolName,
+                          error: event.error,
+                          success: event.success,
+                        })
+                        if (event.toolCallId) {
+                          completedToolExecutionIds.add(event.toolCallId)
+                        }
+                        break
+
+                      case 'start':
+                        if (event.data?.responseId) {
+                          responseIdFromStart = event.data.responseId
+                        }
+                        break
+
+                      case 'done':
+                        if (event.data?.responseId) {
+                          responseIdFromDone = event.data.responseId
+                          lastDoneResponseId = responseIdFromDone
+
+                          // Mark this done as safe only if no tool call is currently in progress or pending
+                          const announced = announcedToolCallIds.size
+                          const completed = completedToolExecutionIds.size
+                          const started = startedToolExecutionIds.size
+                          const hasToolInProgress = announced > completed || started > completed
+                          if (!hasToolInProgress) {
+                            lastSafeDoneResponseId = responseIdFromDone
+                          }
+                        }
+                        break
+
+                      case 'error':
+                        break
+
+                      default:
+                    }
+
+                    // Emit to client: rewrite 'error' events into user-friendly assistant message
+                    if (event?.type === 'error') {
+                      try {
+                        const displayMessage: string =
+                          (event?.data && (event.data.displayMessage as string)) ||
+                          'Sorry, I encountered an error. Please try again.'
+                        const formatted = `_${displayMessage}_`
+                        // Accumulate so it persists to DB as assistant content
+                        assistantContent += formatted
+                        // Send as content chunk
+                        try {
+                          controller.enqueue(
+                            encoder.encode(
+                              `data: ${JSON.stringify({ type: 'content', data: formatted })}\n\n`
+                            )
+                          )
+                        } catch (enqueueErr) {
+                          reader.cancel()
+                          break
+                        }
+                        // Then close this response cleanly for the client
+                        try {
+                          controller.enqueue(
+                            encoder.encode(`data: ${JSON.stringify({ type: 'done' })}\n\n`)
+                          )
+                        } catch (enqueueErr) {
+                          reader.cancel()
+                          break
+                        }
+                      } catch {}
+                      // Do not forward the original error event
+                    } else {
+                      // Forward original event to client
+                      try {
+                        controller.enqueue(encoder.encode(`data: ${jsonStr}\n\n`))
+                      } catch (enqueueErr) {
+                        reader.cancel()
+                        break
+                      }
+                    }
+                  } catch (e) {
+                    // Enhanced error handling for large payloads and parsing issues
+                    const lineLength = line.length
+                    const isLargePayload = lineLength > 10000
+
+                    if (isLargePayload) {
+                      logger.error(
+                        `[${tracker.requestId}] Failed to parse large SSE event (${lineLength} chars)`,
+                        {
+                          error: e,
+                          preview: `${line.substring(0, 200)}...`,
+                          size: lineLength,
+                        }
+                      )
+                    } else {
+                      logger.warn(
+                        `[${tracker.requestId}] Failed to parse SSE event: "${line.substring(0, 200)}..."`,
+                        e
+                      )
+                    }
+                  }
+                } else if (line.trim() && line !== 'data: [DONE]') {
+                  logger.debug(`[${tracker.requestId}] Non-SSE line from sim agent: "${line}"`)
+                }
+              }
+            }
+
+            // Process any remaining buffer
+            if (buffer.trim()) {
+              logger.debug(`[${tracker.requestId}] Processing remaining buffer: "${buffer}"`)
+              if (buffer.startsWith('data: ')) {
+                try {
+                  const jsonStr = buffer.slice(6)
+                  const event = JSON.parse(jsonStr)
+                  if (event.type === 'content' && event.data) {
+                    assistantContent += event.data
+                  }
+                  // Forward remaining event, applying same error rewrite behavior
+                  if (event?.type === 'error') {
+                    const displayMessage: string =
+                      (event?.data && (event.data.displayMessage as string)) ||
+                      'Sorry, I encountered an error. Please try again.'
+                    const formatted = `_${displayMessage}_`
+                    assistantContent += formatted
+                    try {
+                      controller.enqueue(
+                        encoder.encode(
+                          `data: ${JSON.stringify({ type: 'content', data: formatted })}\n\n`
+                        )
+                      )
+                      controller.enqueue(
+                        encoder.encode(`data: ${JSON.stringify({ type: 'done' })}\n\n`)
+                      )
+                    } catch (enqueueErr) {
+                      reader.cancel()
+                    }
+                  } else {
+                    try {
+                      controller.enqueue(encoder.encode(`data: ${jsonStr}\n\n`))
+                    } catch (enqueueErr) {
+                      reader.cancel()
+                    }
+                  }
+                } catch (e) {
+                  logger.warn(`[${tracker.requestId}] Failed to parse final buffer: "${buffer}"`)
+                }
+              }
+            }
+
+            // Log final streaming summary
+            logger.info(`[${tracker.requestId}] Streaming complete summary:`, {
+              totalContentLength: assistantContent.length,
+              toolCallsCount: toolCalls.length,
+              hasContent: assistantContent.length > 0,
+              toolNames: toolCalls.map((tc) => tc?.name).filter(Boolean),
+            })
+
+            // NOTE: Messages are saved by the client via update-messages endpoint with full contentBlocks.
+            // Server only updates conversationId here to avoid overwriting client's richer save.
+            if (currentChat) {
+              // Persist only a safe conversationId to avoid continuing from a state that expects tool outputs
+              const previousConversationId = currentChat?.conversationId as string | undefined
+              const responseId = lastSafeDoneResponseId || previousConversationId || undefined
+
+              if (responseId) {
+                await db
+                  .update(copilotChats)
+                  .set({
+                    updatedAt: new Date(),
+                    conversationId: responseId,
+                  })
+                  .where(eq(copilotChats.id, actualChatId!))
+
+                logger.info(
+                  `[${tracker.requestId}] Updated conversationId for chat ${actualChatId}`,
+                  {
+                    updatedConversationId: responseId,
+                  }
+                )
+              }
+            }
+          } catch (error) {
+            logger.error(`[${tracker.requestId}] Error processing stream:`, error)
+
+            // Send an error event to the client before closing so it knows what happened
+            try {
+              const errorMessage =
+                error instanceof Error && error.message === 'terminated'
+                  ? 'Connection to AI service was interrupted. Please try again.'
+                  : 'An unexpected error occurred while processing the response.'
+              const encoder = new TextEncoder()
+
+              // Send error as content so it shows in the chat
+              controller.enqueue(
+                encoder.encode(
+                  `data: ${JSON.stringify({ type: 'content', data: `\n\n_${errorMessage}_` })}\n\n`
+                )
+              )
+              // Send done event to properly close the stream on client
+              controller.enqueue(encoder.encode(`data: ${JSON.stringify({ type: 'done' })}\n\n`))
+            } catch (enqueueError) {
+              // Stream might already be closed, that's ok
+              logger.warn(
+                `[${tracker.requestId}] Could not send error event to client:`,
+                enqueueError
+              )
+            }
+          } finally {
             try {
               controller.close()
             } catch {
-              // Already closed
+              // Controller might already be closed
             }
-          })
-        },
-        cancel() {
-          // Client cancelled the stream (e.g., navigated away)
-          clientConnected = false
-          logger.info(`[${tracker.requestId}] Client stream cancelled, server continues`, {
-            streamId,
-          })
+          }
         },
       })
 
-      // Return direct SSE stream with streamId in header for resumption
-      logger.info(`[${tracker.requestId}] Returning direct SSE stream`, {
-        streamId,
-        chatId: capturedChatId,
-      })
-
-      return new Response(readable, {
+      const response = new Response(transformedStream, {
         headers: {
-          'Content-Type': 'text/event-stream; charset=utf-8',
-          'Cache-Control': 'no-cache, no-transform',
+          'Content-Type': 'text/event-stream',
+          'Cache-Control': 'no-cache',
           Connection: 'keep-alive',
           'X-Accel-Buffering': 'no',
-          'X-Stream-Id': streamId,
-          'X-Chat-Id': capturedChatId,
         },
       })
+
+      logger.info(`[${tracker.requestId}] Returning streaming response to client`, {
+        duration: tracker.getDuration(),
+        chatId: actualChatId,
+        headers: {
+          'Content-Type': 'text/event-stream',
+          'Cache-Control': 'no-cache',
+          Connection: 'keep-alive',
+        },
+      })
+
+      return response
     }
 
     // For non-streaming responses
@@ -784,7 +899,7 @@ export async function POST(req: NextRequest) {
     // Save messages if we have a chat
     if (currentChat && responseData.content) {
       const userMessage = {
-        id: userMessageIdToUse,
+        id: userMessageIdToUse, // Consistent ID used for request and persistence
         role: 'user',
         content: message,
         timestamp: new Date().toISOString(),

apps/sim/app/api/copilot/execute-tool/route.ts

@@ -104,17 +104,11 @@ export async function POST(req: NextRequest) {
     })
 
     // Build execution params starting with LLM-provided arguments
-    // Resolve all {{ENV_VAR}} references in the arguments
+    // Resolve all {{ENV_VAR}} references in the arguments (deep for nested objects)
     const executionParams: Record<string, any> = resolveEnvVarReferences(
       toolArgs,
       decryptedEnvVars,
-      {
-        resolveExactMatch: true,
-        allowEmbedded: true,
-        trimKeys: true,
-        onMissing: 'keep',
-        deep: true,
-      }
+      { deep: true }
     ) as Record<string, any>
 
     logger.info(`[${tracker.requestId}] Resolved env var references in arguments`, {
@@ -224,7 +218,7 @@ export async function POST(req: NextRequest) {
       hasApiKey: !!executionParams.apiKey,
     })
 
-    const result = await executeTool(resolvedToolName, executionParams, true)
+    const result = await executeTool(resolvedToolName, executionParams)
 
     logger.info(`[${tracker.requestId}] Tool execution complete`, {
       toolName,

apps/sim/app/api/copilot/headless/route.ts

@@ -1,364 +0,0 @@
-import { db } from '@sim/db'
-import { copilotChats, workflow as workflowTable } from '@sim/db/schema'
-import { createLogger } from '@sim/logger'
-import { eq } from 'drizzle-orm'
-import { type NextRequest, NextResponse } from 'next/server'
-import { z } from 'zod'
-import { authenticateApiKeyFromHeader, updateApiKeyLastUsed } from '@/lib/api-key/service'
-import { getSession } from '@/lib/auth'
-import { getCopilotModel } from '@/lib/copilot/config'
-import { SIM_AGENT_API_URL_DEFAULT, SIM_AGENT_VERSION } from '@/lib/copilot/constants'
-import { COPILOT_MODEL_IDS } from '@/lib/copilot/models'
-import {
-  createRequestTracker,
-  createUnauthorizedResponse,
-} from '@/lib/copilot/request-helpers'
-import {
-  createStream,
-  completeStream,
-  errorStream,
-  updateStreamStatus,
-} from '@/lib/copilot/stream-persistence'
-import { executeToolServerSide, isServerExecutableTool } from '@/lib/copilot/tools/server/executor'
-import { getCredentialsServerTool } from '@/lib/copilot/tools/server/user/get-credentials'
-import { loadWorkflowFromNormalizedTables } from '@/lib/workflows/persistence/utils'
-import { sanitizeForCopilot } from '@/lib/workflows/sanitization/json-sanitizer'
-import { env } from '@/lib/core/config/env'
-import { tools } from '@/tools/registry'
-import { getLatestVersionTools, stripVersionSuffix } from '@/tools/utils'
-
-const logger = createLogger('HeadlessCopilotAPI')
-
-const SIM_AGENT_API_URL = env.SIM_AGENT_API_URL || SIM_AGENT_API_URL_DEFAULT
-
-const HeadlessRequestSchema = z.object({
-  message: z.string().min(1, 'Message is required'),
-  workflowId: z.string().min(1, 'Workflow ID is required'),
-  chatId: z.string().optional(),
-  model: z.enum(COPILOT_MODEL_IDS).optional(),
-  mode: z.enum(['agent', 'build', 'chat']).optional().default('agent'),
-  timeout: z.number().optional().default(300000), // 5 minute default
-  persistChanges: z.boolean().optional().default(true),
-  createNewChat: z.boolean().optional().default(false),
-})
-
-export const dynamic = 'force-dynamic'
-export const fetchCache = 'force-no-store'
-export const runtime = 'nodejs'
-
-/**
- * POST /api/copilot/headless
- *
- * Execute copilot completely server-side without any client connection.
- * All tool calls are executed server-side and results are persisted directly.
- *
- * Returns the final result after all processing is complete.
- */
-export async function POST(req: NextRequest) {
-  const tracker = createRequestTracker()
-  const startTime = Date.now()
-
-  try {
-    // Authenticate via session or API key
-    let userId: string | null = null
-
-    const session = await getSession()
-    if (session?.user?.id) {
-      userId = session.user.id
-    } else {
-      // Try API key authentication from header
-      const apiKey = req.headers.get('x-api-key')
-      if (apiKey) {
-        const authResult = await authenticateApiKeyFromHeader(apiKey)
-        if (authResult.success && authResult.userId) {
-          userId = authResult.userId
-          // Update last used timestamp in background
-          if (authResult.keyId) {
-            updateApiKeyLastUsed(authResult.keyId).catch(() => {})
-          }
-        }
-      }
-    }
-
-    if (!userId) {
-      return createUnauthorizedResponse()
-    }
-
-    const body = await req.json()
-    const { message, workflowId, chatId, model, mode, timeout, persistChanges, createNewChat } =
-      HeadlessRequestSchema.parse(body)
-
-    logger.info(`[${tracker.requestId}] Headless copilot request`, {
-      userId,
-      workflowId,
-      messageLength: message.length,
-      mode,
-    })
-
-    // Verify user has access to workflow
-    const [wf] = await db
-      .select({ userId: workflowTable.userId, workspaceId: workflowTable.workspaceId })
-      .from(workflowTable)
-      .where(eq(workflowTable.id, workflowId))
-      .limit(1)
-
-    if (!wf) {
-      return NextResponse.json({ error: 'Workflow not found' }, { status: 404 })
-    }
-
-    // TODO: Add proper workspace access check
-    if (wf.userId !== userId) {
-      return NextResponse.json({ error: 'Access denied' }, { status: 403 })
-    }
-
-    // Load current workflow state from database
-    const workflowData = await loadWorkflowFromNormalizedTables(workflowId)
-    if (!workflowData) {
-      return NextResponse.json({ error: 'Workflow data not found' }, { status: 404 })
-    }
-
-    const sanitizedWorkflow = sanitizeForCopilot({
-      blocks: workflowData.blocks,
-      edges: workflowData.edges,
-      loops: workflowData.loops,
-      parallels: workflowData.parallels,
-    })
-
-    // Create a stream for tracking (even in headless mode)
-    const streamId = crypto.randomUUID()
-    const userMessageId = crypto.randomUUID()
-    const assistantMessageId = crypto.randomUUID()
-
-    await createStream({
-      streamId,
-      chatId: chatId || '',
-      userId,
-      workflowId,
-      userMessageId,
-      isClientSession: false, // Key: this is headless
-    })
-
-    await updateStreamStatus(streamId, 'streaming')
-
-    // Handle chat persistence
-    let actualChatId = chatId
-    if (createNewChat && !chatId) {
-      const { provider, model: defaultModel } = getCopilotModel('chat')
-      const [newChat] = await db
-        .insert(copilotChats)
-        .values({
-          userId,
-          workflowId,
-          title: null,
-          model: model || defaultModel,
-          messages: [],
-        })
-        .returning()
-
-      if (newChat) {
-        actualChatId = newChat.id
-      }
-    }
-
-    // Get credentials for tools
-    let credentials: {
-      oauth: Record<string, { accessToken: string; accountId: string; name: string }>
-      apiKeys: string[]
-    } | null = null
-
-    try {
-      const rawCredentials = await getCredentialsServerTool.execute({ workflowId }, { userId })
-      const oauthMap: Record<string, { accessToken: string; accountId: string; name: string }> = {}
-
-      for (const cred of rawCredentials?.oauth?.connected?.credentials || []) {
-        if (cred.accessToken) {
-          oauthMap[cred.provider] = {
-            accessToken: cred.accessToken,
-            accountId: cred.id,
-            name: cred.name,
-          }
-        }
-      }
-
-      credentials = {
-        oauth: oauthMap,
-        apiKeys: rawCredentials?.environment?.variableNames || [],
-      }
-    } catch (error) {
-      logger.warn(`[${tracker.requestId}] Failed to fetch credentials`, { error })
-    }
-
-    // Build tool definitions
-    const { createUserToolSchema } = await import('@/tools/params')
-    const latestTools = getLatestVersionTools(tools)
-    const integrationTools = Object.entries(latestTools).map(([toolId, toolConfig]) => {
-      const userSchema = createUserToolSchema(toolConfig)
-      const strippedName = stripVersionSuffix(toolId)
-      return {
-        name: strippedName,
-        description: toolConfig.description || toolConfig.name || strippedName,
-        input_schema: userSchema,
-        defer_loading: true,
-      }
-    })
-
-    // Build request payload
-    const defaults = getCopilotModel('chat')
-    const selectedModel = model || defaults.model
-    const effectiveMode = mode === 'agent' ? 'build' : mode
-
-    const requestPayload = {
-      message,
-      workflowId,
-      userId,
-      stream: false, // Non-streaming for headless
-      model: selectedModel,
-      mode: effectiveMode,
-      version: SIM_AGENT_VERSION,
-      messageId: userMessageId,
-      ...(actualChatId && { chatId: actualChatId }),
-      ...(integrationTools.length > 0 && { tools: integrationTools }),
-      ...(credentials && { credentials }),
-    }
-
-    // Call sim agent (non-streaming)
-    const controller = new AbortController()
-    const timeoutId = setTimeout(() => controller.abort(), timeout)
-
-    try {
-      const response = await fetch(`${SIM_AGENT_API_URL}/api/chat-completion`, {
-        method: 'POST',
-        headers: {
-          'Content-Type': 'application/json',
-          ...(env.COPILOT_API_KEY ? { 'x-api-key': env.COPILOT_API_KEY } : {}),
-        },
-        body: JSON.stringify(requestPayload),
-        signal: controller.signal,
-      })
-
-      clearTimeout(timeoutId)
-
-      if (!response.ok) {
-        const errorText = await response.text()
-        logger.error(`[${tracker.requestId}] Sim agent error`, {
-          status: response.status,
-          error: errorText,
-        })
-        await errorStream(streamId, `Agent error: ${response.statusText}`)
-        return NextResponse.json(
-          { error: `Agent error: ${response.statusText}` },
-          { status: response.status }
-        )
-      }
-
-      const result = await response.json()
-
-      // Execute tool calls server-side
-      const toolResults: Record<string, { success: boolean; result?: unknown; error?: string }> = {}
-
-      if (result.toolCalls && Array.isArray(result.toolCalls)) {
-        for (const toolCall of result.toolCalls) {
-          const toolName = toolCall.name
-          const toolArgs = toolCall.arguments || toolCall.input || {}
-
-          logger.info(`[${tracker.requestId}] Executing tool server-side`, {
-            toolName,
-            toolCallId: toolCall.id,
-          })
-
-          if (!isServerExecutableTool(toolName)) {
-            logger.warn(`[${tracker.requestId}] Tool not executable server-side`, { toolName })
-            toolResults[toolCall.id] = {
-              success: false,
-              error: `Tool ${toolName} requires client-side execution`,
-            }
-            continue
-          }
-
-          const toolResult = await executeToolServerSide(
-            { name: toolName, args: toolArgs },
-            { workflowId, userId, persistChanges }
-          )
-
-          toolResults[toolCall.id] = toolResult
-        }
-      }
-
-      // Mark stream complete
-      await completeStream(streamId, { content: result.content, toolResults })
-
-      // Save to chat history
-      if (actualChatId && persistChanges) {
-        const [chat] = await db
-          .select()
-          .from(copilotChats)
-          .where(eq(copilotChats.id, actualChatId))
-          .limit(1)
-
-        const existingMessages = chat ? (Array.isArray(chat.messages) ? chat.messages : []) : []
-
-        const newMessages = [
-          ...existingMessages,
-          {
-            id: userMessageId,
-            role: 'user',
-            content: message,
-            timestamp: new Date().toISOString(),
-          },
-          {
-            id: assistantMessageId,
-            role: 'assistant',
-            content: result.content,
-            timestamp: new Date().toISOString(),
-            toolCalls: Object.entries(toolResults).map(([id, r]) => ({
-              id,
-              success: r.success,
-            })),
-          },
-        ]
-
-        await db
-          .update(copilotChats)
-          .set({ messages: newMessages, updatedAt: new Date() })
-          .where(eq(copilotChats.id, actualChatId))
-      }
-
-      const duration = Date.now() - startTime
-      logger.info(`[${tracker.requestId}] Headless copilot complete`, {
-        duration,
-        contentLength: result.content?.length || 0,
-        toolCallsExecuted: Object.keys(toolResults).length,
-      })
-
-      return NextResponse.json({
-        success: true,
-        streamId,
-        chatId: actualChatId,
-        content: result.content,
-        toolResults,
-        duration,
-      })
-    } catch (error) {
-      clearTimeout(timeoutId)
-
-      if (error instanceof Error && error.name === 'AbortError') {
-        await errorStream(streamId, 'Request timed out')
-        return NextResponse.json({ error: 'Request timed out' }, { status: 504 })
-      }
-
-      throw error
-    }
-  } catch (error) {
-    logger.error(`[${tracker.requestId}] Headless copilot error`, { error })
-
-    if (error instanceof z.ZodError) {
-      return NextResponse.json({ error: 'Invalid request', details: error.errors }, { status: 400 })
-    }
-
-    return NextResponse.json(
-      { error: error instanceof Error ? error.message : 'Internal error' },
-      { status: 500 }
-    )
-  }
-}
-

apps/sim/app/api/copilot/stream/[streamId]/route.ts

@@ -1,237 +0,0 @@
-import { createLogger } from '@sim/logger'
-import { type NextRequest, NextResponse } from 'next/server'
-import { getSession } from '@/lib/auth'
-import {
-  getStreamMetadata,
-  getStreamEvents,
-  getStreamEventCount,
-  getToolCallStates,
-  refreshStreamTTL,
-  checkAbortSignal,
-  abortStream,
-} from '@/lib/copilot/stream-persistence'
-
-const logger = createLogger('StreamResumeAPI')
-
-interface RouteParams {
-  streamId: string
-}
-
-/**
- * GET /api/copilot/stream/{streamId}
- * Subscribe to or resume a stream
- *
- * Query params:
- * - offset: Start from this event index (for resumption)
- * - mode: 'sse' (default) or 'poll'
- */
-export async function GET(req: NextRequest, { params }: { params: Promise<RouteParams> }) {
-  const { streamId } = await params
-  const session = await getSession()
-
-  if (!session?.user?.id) {
-    return NextResponse.json({ error: 'Unauthorized' }, { status: 401 })
-  }
-
-  const metadata = await getStreamMetadata(streamId)
-  if (!metadata) {
-    return NextResponse.json({ error: 'Stream not found' }, { status: 404 })
-  }
-
-  // Verify user owns this stream
-  if (metadata.userId !== session.user.id) {
-    return NextResponse.json({ error: 'Forbidden' }, { status: 403 })
-  }
-
-  const offset = parseInt(req.nextUrl.searchParams.get('offset') || '0', 10)
-  const mode = req.nextUrl.searchParams.get('mode') || 'sse'
-
-  // Refresh TTL since someone is actively consuming
-  await refreshStreamTTL(streamId)
-
-  // Poll mode: return current state as JSON
-  if (mode === 'poll') {
-    const events = await getStreamEvents(streamId, offset)
-    const toolCalls = await getToolCallStates(streamId)
-    const eventCount = await getStreamEventCount(streamId)
-
-    return NextResponse.json({
-      metadata,
-      events,
-      toolCalls,
-      totalEvents: eventCount,
-      nextOffset: offset + events.length,
-    })
-  }
-
-  // SSE mode: stream events
-  const encoder = new TextEncoder()
-
-  const readable = new ReadableStream({
-    async start(controller) {
-      let closed = false
-
-      const safeEnqueue = (data: string) => {
-        if (closed) return
-        try {
-          controller.enqueue(encoder.encode(data))
-        } catch {
-          closed = true
-        }
-      }
-
-      const safeClose = () => {
-        if (closed) return
-        closed = true
-        try {
-          controller.close()
-        } catch {
-          // Already closed
-        }
-      }
-
-      // Send initial connection event
-      safeEnqueue(`: connected\n\n`)
-
-      // Send metadata
-      safeEnqueue(`event: metadata\ndata: ${JSON.stringify(metadata)}\n\n`)
-
-      // Send tool call states
-      const toolCalls = await getToolCallStates(streamId)
-      if (Object.keys(toolCalls).length > 0) {
-        safeEnqueue(`event: tool_states\ndata: ${JSON.stringify(toolCalls)}\n\n`)
-      }
-
-      // Replay missed events
-      const missedEvents = await getStreamEvents(streamId, offset)
-      for (const event of missedEvents) {
-        safeEnqueue(event)
-      }
-
-      // If stream is complete, send done and close
-      if (metadata.status === 'complete' || metadata.status === 'error' || metadata.status === 'aborted') {
-        safeEnqueue(
-          `event: stream_status\ndata: ${JSON.stringify({
-            status: metadata.status,
-            error: metadata.error,
-          })}\n\n`
-        )
-        safeClose()
-        return
-      }
-
-      // Stream is still active - poll for new events
-      let lastOffset = offset + missedEvents.length
-      const pollInterval = 100 // 100ms
-      const maxPollTime = 5 * 60 * 1000 // 5 minutes max
-      const startTime = Date.now()
-
-      const poll = async () => {
-        if (closed) return
-
-        try {
-          // Check for timeout
-          if (Date.now() - startTime > maxPollTime) {
-            logger.info('Stream poll timeout', { streamId })
-            safeEnqueue(
-              `event: stream_status\ndata: ${JSON.stringify({ status: 'timeout' })}\n\n`
-            )
-            safeClose()
-            return
-          }
-
-          // Check if client disconnected
-          if (await checkAbortSignal(streamId)) {
-            safeEnqueue(
-              `event: stream_status\ndata: ${JSON.stringify({ status: 'aborted' })}\n\n`
-            )
-            safeClose()
-            return
-          }
-
-          // Get current metadata to check status
-          const currentMeta = await getStreamMetadata(streamId)
-          if (!currentMeta) {
-            safeClose()
-            return
-          }
-
-          // Get new events
-          const newEvents = await getStreamEvents(streamId, lastOffset)
-          for (const event of newEvents) {
-            safeEnqueue(event)
-          }
-          lastOffset += newEvents.length
-
-          // Refresh TTL
-          await refreshStreamTTL(streamId)
-
-          // If complete, send status and close
-          if (
-            currentMeta.status === 'complete' ||
-            currentMeta.status === 'error' ||
-            currentMeta.status === 'aborted'
-          ) {
-            safeEnqueue(
-              `event: stream_status\ndata: ${JSON.stringify({
-                status: currentMeta.status,
-                error: currentMeta.error,
-              })}\n\n`
-            )
-            safeClose()
-            return
-          }
-
-          // Continue polling
-          setTimeout(poll, pollInterval)
-        } catch (error) {
-          logger.error('Stream poll error', { streamId, error })
-          safeClose()
-        }
-      }
-
-      // Start polling
-      setTimeout(poll, pollInterval)
-    },
-  })
-
-  return new Response(readable, {
-    headers: {
-      'Content-Type': 'text/event-stream; charset=utf-8',
-      'Cache-Control': 'no-cache, no-transform',
-      Connection: 'keep-alive',
-      'X-Accel-Buffering': 'no',
-      'X-Stream-Id': streamId,
-    },
-  })
-}
-
-/**
- * DELETE /api/copilot/stream/{streamId}
- * Abort a stream
- */
-export async function DELETE(req: NextRequest, { params }: { params: Promise<RouteParams> }) {
-  const { streamId } = await params
-  const session = await getSession()
-
-  if (!session?.user?.id) {
-    return NextResponse.json({ error: 'Unauthorized' }, { status: 401 })
-  }
-
-  const metadata = await getStreamMetadata(streamId)
-  if (!metadata) {
-    return NextResponse.json({ error: 'Stream not found' }, { status: 404 })
-  }
-
-  // Verify user owns this stream
-  if (metadata.userId !== session.user.id) {
-    return NextResponse.json({ error: 'Forbidden' }, { status: 403 })
-  }
-
-  await abortStream(streamId)
-
-  logger.info('Stream aborted by user', { streamId, userId: session.user.id })
-
-  return NextResponse.json({ success: true, streamId })
-}
-

apps/sim/app/api/files/parse/route.ts

@@ -6,9 +6,10 @@ import { createLogger } from '@sim/logger'
 import binaryExtensionsList from 'binary-extensions'
 import { type NextRequest, NextResponse } from 'next/server'
 import { checkHybridAuth } from '@/lib/auth/hybrid'
-import { createPinnedUrl, validateUrlWithDNS } from '@/lib/core/security/input-validation'
+import { secureFetchWithPinnedIP, validateUrlWithDNS } from '@/lib/core/security/input-validation'
 import { isSupportedFileType, parseFile } from '@/lib/file-parsers'
 import { isUsingCloudStorage, type StorageContext, StorageService } from '@/lib/uploads'
+import { uploadExecutionFile } from '@/lib/uploads/contexts/execution'
 import { UPLOAD_DIR_SERVER } from '@/lib/uploads/core/setup.server'
 import { getFileMetadataByKey } from '@/lib/uploads/server/metadata'
 import {
@@ -21,6 +22,7 @@ import {
 } from '@/lib/uploads/utils/file-utils'
 import { getUserEntityPermissions } from '@/lib/workspaces/permissions/utils'
 import { verifyFileAccess } from '@/app/api/files/authorization'
+import type { UserFile } from '@/executor/types'
 import '@/lib/uploads/core/setup.server'
 
 export const dynamic = 'force-dynamic'
@@ -30,6 +32,12 @@ const logger = createLogger('FilesParseAPI')
 const MAX_DOWNLOAD_SIZE_BYTES = 100 * 1024 * 1024 // 100 MB
 const DOWNLOAD_TIMEOUT_MS = 30000 // 30 seconds
 
+interface ExecutionContext {
+  workspaceId: string
+  workflowId: string
+  executionId: string
+}
+
 interface ParseResult {
   success: boolean
   content?: string
@@ -37,6 +45,7 @@ interface ParseResult {
   filePath: string
   originalName?: string // Original filename from database (for workspace files)
   viewerUrl?: string | null // Viewer URL for the file if available
+  userFile?: UserFile // UserFile object for the raw file
   metadata?: {
     fileType: string
     size: number
@@ -70,27 +79,45 @@ export async function POST(request: NextRequest) {
 
     const userId = authResult.userId
     const requestData = await request.json()
-    const { filePath, fileType, workspaceId } = requestData
+    const { filePath, fileType, workspaceId, workflowId, executionId } = requestData
 
     if (!filePath || (typeof filePath === 'string' && filePath.trim() === '')) {
       return NextResponse.json({ success: false, error: 'No file path provided' }, { status: 400 })
     }
 
-    logger.info('File parse request received:', { filePath, fileType, workspaceId, userId })
+    // Build execution context if all required fields are present
+    const executionContext: ExecutionContext | undefined =
+      workspaceId && workflowId && executionId
+        ? { workspaceId, workflowId, executionId }
+        : undefined
+
+    logger.info('File parse request received:', {
+      filePath,
+      fileType,
+      workspaceId,
+      userId,
+      hasExecutionContext: !!executionContext,
+    })
 
     if (Array.isArray(filePath)) {
       const results = []
-      for (const path of filePath) {
-        if (!path || (typeof path === 'string' && path.trim() === '')) {
+      for (const singlePath of filePath) {
+        if (!singlePath || (typeof singlePath === 'string' && singlePath.trim() === '')) {
           results.push({
             success: false,
             error: 'Empty file path in array',
-            filePath: path || '',
+            filePath: singlePath || '',
           })
           continue
         }
 
-        const result = await parseFileSingle(path, fileType, workspaceId, userId)
+        const result = await parseFileSingle(
+          singlePath,
+          fileType,
+          workspaceId,
+          userId,
+          executionContext
+        )
         if (result.metadata) {
           result.metadata.processingTime = Date.now() - startTime
         }
@@ -106,6 +133,7 @@ export async function POST(request: NextRequest) {
               fileType: result.metadata?.fileType || 'application/octet-stream',
               size: result.metadata?.size || 0,
               binary: false,
+              file: result.userFile,
             },
             filePath: result.filePath,
             viewerUrl: result.viewerUrl,
@@ -121,7 +149,7 @@ export async function POST(request: NextRequest) {
       })
     }
 
-    const result = await parseFileSingle(filePath, fileType, workspaceId, userId)
+    const result = await parseFileSingle(filePath, fileType, workspaceId, userId, executionContext)
 
     if (result.metadata) {
       result.metadata.processingTime = Date.now() - startTime
@@ -137,6 +165,7 @@ export async function POST(request: NextRequest) {
           fileType: result.metadata?.fileType || 'application/octet-stream',
           size: result.metadata?.size || 0,
           binary: false,
+          file: result.userFile,
         },
         filePath: result.filePath,
         viewerUrl: result.viewerUrl,
@@ -164,7 +193,8 @@ async function parseFileSingle(
   filePath: string,
   fileType: string,
   workspaceId: string,
-  userId: string
+  userId: string,
+  executionContext?: ExecutionContext
 ): Promise<ParseResult> {
   logger.info('Parsing file:', filePath)
 
@@ -186,18 +216,18 @@ async function parseFileSingle(
   }
 
   if (filePath.includes('/api/files/serve/')) {
-    return handleCloudFile(filePath, fileType, undefined, userId)
+    return handleCloudFile(filePath, fileType, undefined, userId, executionContext)
   }
 
   if (filePath.startsWith('http://') || filePath.startsWith('https://')) {
-    return handleExternalUrl(filePath, fileType, workspaceId, userId)
+    return handleExternalUrl(filePath, fileType, workspaceId, userId, executionContext)
   }
 
   if (isUsingCloudStorage()) {
-    return handleCloudFile(filePath, fileType, undefined, userId)
+    return handleCloudFile(filePath, fileType, undefined, userId, executionContext)
   }
 
-  return handleLocalFile(filePath, fileType, userId)
+  return handleLocalFile(filePath, fileType, userId, executionContext)
 }
 
 /**
@@ -230,12 +260,14 @@ function validateFilePath(filePath: string): { isValid: boolean; error?: string
 /**
  * Handle external URL
  * If workspaceId is provided, checks if file already exists and saves to workspace if not
+ * If executionContext is provided, also stores the file in execution storage and returns UserFile
  */
 async function handleExternalUrl(
   url: string,
   fileType: string,
   workspaceId: string,
-  userId: string
+  userId: string,
+  executionContext?: ExecutionContext
 ): Promise<ParseResult> {
   try {
     logger.info('Fetching external URL:', url)
@@ -312,17 +344,13 @@ async function handleExternalUrl(
 
         if (existingFile) {
           const storageFilePath = `/api/files/serve/${existingFile.key}`
-          return handleCloudFile(storageFilePath, fileType, 'workspace', userId)
+          return handleCloudFile(storageFilePath, fileType, 'workspace', userId, executionContext)
         }
       }
     }
 
-    const pinnedUrl = createPinnedUrl(url, urlValidation.resolvedIP!)
-    const response = await fetch(pinnedUrl, {
-      signal: AbortSignal.timeout(DOWNLOAD_TIMEOUT_MS),
-      headers: {
-        Host: urlValidation.originalHostname!,
-      },
+    const response = await secureFetchWithPinnedIP(url, urlValidation.resolvedIP!, {
+      timeout: DOWNLOAD_TIMEOUT_MS,
     })
     if (!response.ok) {
       throw new Error(`Failed to fetch URL: ${response.status} ${response.statusText}`)
@@ -341,6 +369,19 @@ async function handleExternalUrl(
 
     logger.info(`Downloaded file from URL: ${url}, size: ${buffer.length} bytes`)
 
+    let userFile: UserFile | undefined
+    const mimeType = response.headers.get('content-type') || getMimeTypeFromExtension(extension)
+
+    if (executionContext) {
+      try {
+        userFile = await uploadExecutionFile(executionContext, buffer, filename, mimeType, userId)
+        logger.info(`Stored file in execution storage: ${filename}`, { key: userFile.key })
+      } catch (uploadError) {
+        logger.warn(`Failed to store file in execution storage:`, uploadError)
+        // Continue without userFile - parsing can still work
+      }
+    }
+
     if (shouldCheckWorkspace) {
       try {
         const permission = await getUserEntityPermissions(userId, 'workspace', workspaceId)
@@ -353,8 +394,6 @@ async function handleExternalUrl(
           })
         } else {
           const { uploadWorkspaceFile } = await import('@/lib/uploads/contexts/workspace')
-          const mimeType =
-            response.headers.get('content-type') || getMimeTypeFromExtension(extension)
           await uploadWorkspaceFile(workspaceId, userId, buffer, filename, mimeType)
           logger.info(`Saved URL file to workspace storage: ${filename}`)
         }
@@ -363,17 +402,23 @@ async function handleExternalUrl(
       }
     }
 
+    let parseResult: ParseResult
     if (extension === 'pdf') {
-      return await handlePdfBuffer(buffer, filename, fileType, url)
-    }
-    if (extension === 'csv') {
-      return await handleCsvBuffer(buffer, filename, fileType, url)
-    }
-    if (isSupportedFileType(extension)) {
-      return await handleGenericTextBuffer(buffer, filename, extension, fileType, url)
+      parseResult = await handlePdfBuffer(buffer, filename, fileType, url)
+    } else if (extension === 'csv') {
+      parseResult = await handleCsvBuffer(buffer, filename, fileType, url)
+    } else if (isSupportedFileType(extension)) {
+      parseResult = await handleGenericTextBuffer(buffer, filename, extension, fileType, url)
+    } else {
+      parseResult = handleGenericBuffer(buffer, filename, extension, fileType)
     }
 
-    return handleGenericBuffer(buffer, filename, extension, fileType)
+    // Attach userFile to the result
+    if (userFile) {
+      parseResult.userFile = userFile
+    }
+
+    return parseResult
   } catch (error) {
     logger.error(`Error handling external URL ${url}:`, error)
     return {
@@ -386,12 +431,15 @@ async function handleExternalUrl(
 
 /**
  * Handle file stored in cloud storage
+ * If executionContext is provided and file is not already from execution storage,
+ * copies the file to execution storage and returns UserFile
  */
 async function handleCloudFile(
   filePath: string,
   fileType: string,
   explicitContext: string | undefined,
-  userId: string
+  userId: string,
+  executionContext?: ExecutionContext
 ): Promise<ParseResult> {
   try {
     const cloudKey = extractStorageKey(filePath)
@@ -438,6 +486,7 @@ async function handleCloudFile(
 
     const filename = originalFilename || cloudKey.split('/').pop() || cloudKey
     const extension = path.extname(filename).toLowerCase().substring(1)
+    const mimeType = getMimeTypeFromExtension(extension)
 
     const normalizedFilePath = `/api/files/serve/${encodeURIComponent(cloudKey)}?context=${context}`
     let workspaceIdFromKey: string | undefined
@@ -453,6 +502,39 @@ async function handleCloudFile(
 
     const viewerUrl = getViewerUrl(cloudKey, workspaceIdFromKey)
 
+    // Store file in execution storage if executionContext is provided
+    let userFile: UserFile | undefined
+
+    if (executionContext) {
+      // If file is already from execution context, create UserFile reference without re-uploading
+      if (context === 'execution') {
+        userFile = {
+          id: `file_${Date.now()}_${Math.random().toString(36).substring(2, 9)}`,
+          name: filename,
+          url: normalizedFilePath,
+          size: fileBuffer.length,
+          type: mimeType,
+          key: cloudKey,
+          context: 'execution',
+        }
+        logger.info(`Created UserFile reference for existing execution file: ${filename}`)
+      } else {
+        // Copy from workspace/other storage to execution storage
+        try {
+          userFile = await uploadExecutionFile(
+            executionContext,
+            fileBuffer,
+            filename,
+            mimeType,
+            userId
+          )
+          logger.info(`Copied file to execution storage: ${filename}`, { key: userFile.key })
+        } catch (uploadError) {
+          logger.warn(`Failed to copy file to execution storage:`, uploadError)
+        }
+      }
+    }
+
     let parseResult: ParseResult
     if (extension === 'pdf') {
       parseResult = await handlePdfBuffer(fileBuffer, filename, fileType, normalizedFilePath)
@@ -477,6 +559,11 @@ async function handleCloudFile(
 
     parseResult.viewerUrl = viewerUrl
 
+    // Attach userFile to the result
+    if (userFile) {
+      parseResult.userFile = userFile
+    }
+
     return parseResult
   } catch (error) {
     logger.error(`Error handling cloud file ${filePath}:`, error)
@@ -500,7 +587,8 @@ async function handleCloudFile(
 async function handleLocalFile(
   filePath: string,
   fileType: string,
-  userId: string
+  userId: string,
+  executionContext?: ExecutionContext
 ): Promise<ParseResult> {
   try {
     const filename = filePath.split('/').pop() || filePath
@@ -540,13 +628,32 @@ async function handleLocalFile(
     const hash = createHash('md5').update(fileBuffer).digest('hex')
 
     const extension = path.extname(filename).toLowerCase().substring(1)
+    const mimeType = fileType || getMimeTypeFromExtension(extension)
+
+    // Store file in execution storage if executionContext is provided
+    let userFile: UserFile | undefined
+    if (executionContext) {
+      try {
+        userFile = await uploadExecutionFile(
+          executionContext,
+          fileBuffer,
+          filename,
+          mimeType,
+          userId
+        )
+        logger.info(`Stored local file in execution storage: ${filename}`, { key: userFile.key })
+      } catch (uploadError) {
+        logger.warn(`Failed to store local file in execution storage:`, uploadError)
+      }
+    }
 
     return {
       success: true,
       content: result.content,
       filePath,
+      userFile,
       metadata: {
-        fileType: fileType || getMimeTypeFromExtension(extension),
+        fileType: mimeType,
         size: stats.size,
         hash,
         processingTime: 0,

apps/sim/app/api/form/[identifier]/route.ts

@@ -11,7 +11,7 @@ import { preprocessExecution } from '@/lib/execution/preprocessing'
 import { LoggingSession } from '@/lib/logs/execution/logging-session'
 import { normalizeInputFormatValue } from '@/lib/workflows/input-format'
 import { createStreamingResponse } from '@/lib/workflows/streaming/streaming'
-import { isValidStartBlockType } from '@/lib/workflows/triggers/start-block-types'
+import { isInputDefinitionTrigger } from '@/lib/workflows/triggers/input-definition-triggers'
 import { setFormAuthCookie, validateFormAuth } from '@/app/api/form/utils'
 import { createErrorResponse, createSuccessResponse } from '@/app/api/workflows/utils'
 
@@ -36,7 +36,7 @@ async function getWorkflowInputSchema(workflowId: string): Promise<any[]> {
       .from(workflowBlocks)
       .where(eq(workflowBlocks.workflowId, workflowId))
 
-    const startBlock = blocks.find((block) => isValidStartBlockType(block.type))
+    const startBlock = blocks.find((block) => isInputDefinitionTrigger(block.type))
 
     if (!startBlock) {
       return []

apps/sim/app/api/function/execute/route.test.ts

@@ -84,6 +84,14 @@ vi.mock('@/lib/execution/isolated-vm', () => ({
 
 vi.mock('@sim/logger', () => loggerMock)
 
+vi.mock('@/lib/auth/hybrid', () => ({
+  checkHybridAuth: vi.fn().mockResolvedValue({
+    success: true,
+    userId: 'user-123',
+    authType: 'session',
+  }),
+}))
+
 vi.mock('@/lib/execution/e2b', () => ({
   executeInE2B: vi.fn(),
 }))
@@ -110,6 +118,24 @@ describe('Function Execute API Route', () => {
   })
 
   describe('Security Tests', () => {
+    it('should reject unauthorized requests', async () => {
+      const { checkHybridAuth } = await import('@/lib/auth/hybrid')
+      vi.mocked(checkHybridAuth).mockResolvedValueOnce({
+        success: false,
+        error: 'Unauthorized',
+      })
+
+      const req = createMockRequest('POST', {
+        code: 'return "test"',
+      })
+
+      const response = await POST(req)
+      const data = await response.json()
+
+      expect(response.status).toBe(401)
+      expect(data).toHaveProperty('error', 'Unauthorized')
+    })
+
     it.concurrent('should use isolated-vm for secure sandboxed execution', async () => {
       const req = createMockRequest('POST', {
         code: 'return "test"',
@@ -276,8 +302,11 @@ describe('Function Execute API Route', () => {
     it.concurrent('should resolve tag variables with <tag_name> syntax', async () => {
       const req = createMockRequest('POST', {
         code: 'return <email>',
-        params: {
-          email: { id: '123', subject: 'Test Email' },
+        blockData: {
+          'block-123': { id: '123', subject: 'Test Email' },
+        },
+        blockNameMapping: {
+          email: 'block-123',
         },
       })
 
@@ -305,9 +334,13 @@ describe('Function Execute API Route', () => {
     it.concurrent('should only match valid variable names in angle brackets', async () => {
       const req = createMockRequest('POST', {
         code: 'return <validVar> + "<invalid@email.com>" + <another_valid>',
-        params: {
-          validVar: 'hello',
-          another_valid: 'world',
+        blockData: {
+          'block-1': 'hello',
+          'block-2': 'world',
+        },
+        blockNameMapping: {
+          validvar: 'block-1',
+          another_valid: 'block-2',
         },
       })
 
@@ -321,28 +354,22 @@ describe('Function Execute API Route', () => {
     it.concurrent(
       'should handle Gmail webhook data with email addresses containing angle brackets',
       async () => {
-        const gmailData = {
-          email: {
-            id: '123',
-            from: 'Waleed Latif <waleed@sim.ai>',
-            to: 'User <user@example.com>',
-            subject: 'Test Email',
-            bodyText: 'Hello world',
-          },
-          rawEmail: {
-            id: '123',
-            payload: {
-              headers: [
-                { name: 'From', value: 'Waleed Latif <waleed@sim.ai>' },
-                { name: 'To', value: 'User <user@example.com>' },
-              ],
-            },
-          },
+        const emailData = {
+          id: '123',
+          from: 'Waleed Latif <waleed@sim.ai>',
+          to: 'User <user@example.com>',
+          subject: 'Test Email',
+          bodyText: 'Hello world',
         }
 
         const req = createMockRequest('POST', {
           code: 'return <email>',
-          params: gmailData,
+          blockData: {
+            'block-email': emailData,
+          },
+          blockNameMapping: {
+            email: 'block-email',
+          },
         })
 
         const response = await POST(req)
@@ -356,17 +383,20 @@ describe('Function Execute API Route', () => {
     it.concurrent(
       'should properly serialize complex email objects with special characters',
       async () => {
-        const complexEmailData = {
-          email: {
-            from: 'Test User <test@example.com>',
-            bodyHtml: '<div>HTML content with "quotes" and \'apostrophes\'</div>',
-            bodyText: 'Text with\nnewlines\tand\ttabs',
-          },
+        const emailData = {
+          from: 'Test User <test@example.com>',
+          bodyHtml: '<div>HTML content with "quotes" and \'apostrophes\'</div>',
+          bodyText: 'Text with\nnewlines\tand\ttabs',
         }
 
         const req = createMockRequest('POST', {
           code: 'return <email>',
-          params: complexEmailData,
+          blockData: {
+            'block-email': emailData,
+          },
+          blockNameMapping: {
+            email: 'block-email',
+          },
         })
 
         const response = await POST(req)
@@ -519,18 +549,23 @@ describe('Function Execute API Route', () => {
     })
 
     it.concurrent('should handle JSON serialization edge cases', async () => {
+      const complexData = {
+        special: 'chars"with\'quotes',
+        unicode: '🎉 Unicode content',
+        nested: {
+          deep: {
+            value: 'test',
+          },
+        },
+      }
+
       const req = createMockRequest('POST', {
         code: 'return <complexData>',
-        params: {
-          complexData: {
-            special: 'chars"with\'quotes',
-            unicode: '🎉 Unicode content',
-            nested: {
-              deep: {
-                value: 'test',
-              },
-            },
-          },
+        blockData: {
+          'block-complex': complexData,
+        },
+        blockNameMapping: {
+          complexdata: 'block-complex',
         },
       })
 

apps/sim/app/api/function/execute/route.ts

@@ -1,15 +1,16 @@
 import { createLogger } from '@sim/logger'
 import { type NextRequest, NextResponse } from 'next/server'
+import { checkHybridAuth } from '@/lib/auth/hybrid'
 import { isE2bEnabled } from '@/lib/core/config/feature-flags'
 import { generateRequestId } from '@/lib/core/utils/request'
 import { executeInE2B } from '@/lib/execution/e2b'
 import { executeInIsolatedVM } from '@/lib/execution/isolated-vm'
 import { CodeLanguage, DEFAULT_CODE_LANGUAGE, isValidCodeLanguage } from '@/lib/execution/languages'
 import { escapeRegExp, normalizeName, REFERENCE } from '@/executor/constants'
+import { type OutputSchema, resolveBlockReference } from '@/executor/utils/block-reference'
 import {
   createEnvVarPattern,
   createWorkflowVariablePattern,
-  resolveEnvVarReferences,
 } from '@/executor/utils/reference-validation'
 export const dynamic = 'force-dynamic'
 export const runtime = 'nodejs'
@@ -18,8 +19,8 @@ export const MAX_DURATION = 210
 
 const logger = createLogger('FunctionExecuteAPI')
 
-const E2B_JS_WRAPPER_LINES = 3 // Lines before user code: ';(async () => {', '  try {', '    const __sim_result = await (async () => {'
-const E2B_PYTHON_WRAPPER_LINES = 1 // Lines before user code: 'def __sim_main__():'
+const E2B_JS_WRAPPER_LINES = 3
+const E2B_PYTHON_WRAPPER_LINES = 1
 
 type TypeScriptModule = typeof import('typescript')
 
@@ -134,33 +135,21 @@ function extractEnhancedError(
   if (error.stack) {
     enhanced.stack = error.stack
 
-    // Parse stack trace to extract line and column information
-    // Handle both compilation errors and runtime errors
     const stackLines: string[] = error.stack.split('\n')
 
     for (const line of stackLines) {
-      // Pattern 1: Compilation errors - "user-function.js:6"
       let match = line.match(/user-function\.js:(\d+)(?::(\d+))?/)
 
-      // Pattern 2: Runtime errors - "at user-function.js:5:12"
       if (!match) {
         match = line.match(/at\s+user-function\.js:(\d+):(\d+)/)
       }
 
-      // Pattern 3: Generic patterns for any line containing our filename
-      if (!match) {
-        match = line.match(/user-function\.js:(\d+)(?::(\d+))?/)
-      }
-
       if (match) {
         const stackLine = Number.parseInt(match[1], 10)
         const stackColumn = match[2] ? Number.parseInt(match[2], 10) : undefined
 
-        // Adjust line number to account for wrapper code
-        // The user code starts at a specific line in our wrapper
         const adjustedLine = stackLine - userCodeStartLine + 1
 
-        // Check if this is a syntax error in wrapper code caused by incomplete user code
         const isWrapperSyntaxError =
           stackLine > userCodeStartLine &&
           error.name === 'SyntaxError' &&
@@ -168,7 +157,6 @@ function extractEnhancedError(
             error.message.includes('Unexpected end of input'))
 
         if (isWrapperSyntaxError && userCode) {
-          // Map wrapper syntax errors to the last line of user code
           const codeLines = userCode.split('\n')
           const lastUserLine = codeLines.length
           enhanced.line = lastUserLine
@@ -181,7 +169,6 @@ function extractEnhancedError(
           enhanced.line = adjustedLine
           enhanced.column = stackColumn
 
-          // Extract the actual line content from user code
           if (userCode) {
             const codeLines = userCode.split('\n')
             if (adjustedLine <= codeLines.length) {
@@ -192,7 +179,6 @@ function extractEnhancedError(
         }
 
         if (stackLine <= userCodeStartLine) {
-          // Error is in wrapper code itself
           enhanced.line = stackLine
           enhanced.column = stackColumn
           break
@@ -200,7 +186,6 @@ function extractEnhancedError(
       }
     }
 
-    // Clean up stack trace to show user-relevant information
     const cleanedStackLines: string[] = stackLines
       .filter(
         (line: string) =>
@@ -214,9 +199,6 @@ function extractEnhancedError(
     }
   }
 
-  // Keep original message without adding error type prefix
-  // The error type will be added later in createUserFriendlyErrorMessage
-
   return enhanced
 }
 
@@ -231,7 +213,6 @@ function formatE2BError(
   userCode: string,
   prologueLineCount: number
 ): { formattedError: string; cleanedOutput: string } {
-  // Calculate line offset based on language and prologue
   const wrapperLines =
     language === CodeLanguage.Python ? E2B_PYTHON_WRAPPER_LINES : E2B_JS_WRAPPER_LINES
   const totalOffset = prologueLineCount + wrapperLines
@@ -241,27 +222,20 @@ function formatE2BError(
   let cleanErrorMsg = ''
 
   if (language === CodeLanguage.Python) {
-    // Python error format: "Cell In[X], line Y" followed by error details
-    // Extract line number from the Cell reference
     const cellMatch = errorOutput.match(/Cell In\[\d+\], line (\d+)/)
     if (cellMatch) {
       const originalLine = Number.parseInt(cellMatch[1], 10)
       userLine = originalLine - totalOffset
     }
 
-    // Extract clean error message from the error string
-    // Remove file references like "(detected at line X) (file.py, line Y)"
     cleanErrorMsg = errorMessage
       .replace(/\s*\(detected at line \d+\)/g, '')
       .replace(/\s*\([^)]+\.py, line \d+\)/g, '')
       .trim()
   } else if (language === CodeLanguage.JavaScript) {
-    // JavaScript error format from E2B: "SyntaxError: /path/file.ts: Message. (line:col)\n\n   9 | ..."
-    // First, extract the error type and message from the first line
     const firstLineEnd = errorMessage.indexOf('\n')
     const firstLine = firstLineEnd > 0 ? errorMessage.substring(0, firstLineEnd) : errorMessage
 
-    // Parse: "SyntaxError: /home/user/index.ts: Missing semicolon. (11:9)"
     const jsErrorMatch = firstLine.match(/^(\w+Error):\s*[^:]+:\s*([^(]+)\.\s*\((\d+):(\d+)\)/)
     if (jsErrorMatch) {
       cleanErrorType = jsErrorMatch[1]
@@ -269,13 +243,11 @@ function formatE2BError(
       const originalLine = Number.parseInt(jsErrorMatch[3], 10)
       userLine = originalLine - totalOffset
     } else {
-      // Fallback: look for line number in the arrow pointer line (> 11 |)
       const arrowMatch = errorMessage.match(/^>\s*(\d+)\s*\|/m)
       if (arrowMatch) {
         const originalLine = Number.parseInt(arrowMatch[1], 10)
         userLine = originalLine - totalOffset
       }
-      // Try to extract error type and message
       const errorMatch = firstLine.match(/^(\w+Error):\s*(.+)/)
       if (errorMatch) {
         cleanErrorType = errorMatch[1]
@@ -289,13 +261,11 @@ function formatE2BError(
     }
   }
 
-  // Build the final clean error message
   const finalErrorMsg =
     cleanErrorType && cleanErrorMsg
       ? `${cleanErrorType}: ${cleanErrorMsg}`
       : cleanErrorMsg || errorMessage
 
-  // Format with line number if available
   let formattedError = finalErrorMsg
   if (userLine && userLine > 0) {
     const codeLines = userCode.split('\n')
@@ -311,7 +281,6 @@ function formatE2BError(
     }
   }
 
-  // For stdout, just return the clean error message without the full traceback
   const cleanedOutput = finalErrorMsg
 
   return { formattedError, cleanedOutput }
@@ -327,7 +296,6 @@ function createUserFriendlyErrorMessage(
 ): string {
   let errorMessage = enhanced.message
 
-  // Add line information if available
   if (enhanced.line !== undefined) {
     let lineInfo = `Line ${enhanced.line}`
 
@@ -338,18 +306,14 @@ function createUserFriendlyErrorMessage(
 
     errorMessage = `${lineInfo} - ${errorMessage}`
   } else {
-    // If no line number, try to extract it from stack trace for display
     if (enhanced.stack) {
       const stackMatch = enhanced.stack.match(/user-function\.js:(\d+)(?::(\d+))?/)
       if (stackMatch) {
         const line = Number.parseInt(stackMatch[1], 10)
         let lineInfo = `Line ${line}`
 
-        // Try to get line content if we have userCode
         if (userCode) {
           const codeLines = userCode.split('\n')
-          // Note: stackMatch gives us VM line number, need to adjust
-          // This is a fallback case, so we might not have perfect line mapping
           if (line <= codeLines.length) {
             const lineContent = codeLines[line - 1]?.trim()
             if (lineContent) {
@@ -363,7 +327,6 @@ function createUserFriendlyErrorMessage(
     }
   }
 
-  // Add error type prefix with consistent naming
   if (enhanced.name !== 'Error') {
     const errorTypePrefix =
       enhanced.name === 'SyntaxError'
@@ -374,7 +337,6 @@ function createUserFriendlyErrorMessage(
             ? 'Reference Error'
             : enhanced.name
 
-    // Only add prefix if not already present
     if (!errorMessage.toLowerCase().includes(errorTypePrefix.toLowerCase())) {
       errorMessage = `${errorTypePrefix}: ${errorMessage}`
     }
@@ -383,9 +345,6 @@ function createUserFriendlyErrorMessage(
   return errorMessage
 }
 
-/**
- * Resolves workflow variables with <variable.name> syntax
- */
 function resolveWorkflowVariables(
   code: string,
   workflowVariables: Record<string, any>,
@@ -405,39 +364,35 @@ function resolveWorkflowVariables(
   while ((match = regex.exec(code)) !== null) {
     const variableName = match[1].trim()
 
-    // Find the variable by name (workflowVariables is indexed by ID, values are variable objects)
     const foundVariable = Object.entries(workflowVariables).find(
       ([_, variable]) => normalizeName(variable.name || '') === variableName
     )
 
-    let variableValue: unknown = ''
-    if (foundVariable) {
-      const variable = foundVariable[1]
-      variableValue = variable.value
+    if (!foundVariable) {
+      const availableVars = Object.values(workflowVariables)
+        .map((v) => v.name)
+        .filter(Boolean)
+      throw new Error(
+        `Variable "${variableName}" doesn't exist.` +
+          (availableVars.length > 0 ? ` Available: ${availableVars.join(', ')}` : '')
+      )
+    }
 
-      if (variable.value !== undefined && variable.value !== null) {
+    const variable = foundVariable[1]
+    let variableValue: unknown = variable.value
+
+    if (variable.value !== undefined && variable.value !== null) {
+      const type = variable.type === 'string' ? 'plain' : variable.type
+
+      if (type === 'number') {
+        variableValue = Number(variableValue)
+      } else if (type === 'boolean') {
+        variableValue = variableValue === 'true' || variableValue === true
+      } else if (type === 'json' && typeof variableValue === 'string') {
         try {
-          // Handle 'string' type the same as 'plain' for backward compatibility
-          const type = variable.type === 'string' ? 'plain' : variable.type
-
-          // For plain text, use exactly what's entered without modifications
-          if (type === 'plain' && typeof variableValue === 'string') {
-            // Use as-is for plain text
-          } else if (type === 'number') {
-            variableValue = Number(variableValue)
-          } else if (type === 'boolean') {
-            variableValue = variableValue === 'true' || variableValue === true
-          } else if (type === 'json') {
-            try {
-              variableValue =
-                typeof variableValue === 'string' ? JSON.parse(variableValue) : variableValue
-            } catch {
-              // Keep original value if JSON parsing fails
-            }
-          }
+          variableValue = JSON.parse(variableValue)
         } catch {
-          // Fallback to original value on error
-          variableValue = variable.value
+          // Keep as-is
         }
       }
     }
@@ -450,11 +405,9 @@ function resolveWorkflowVariables(
     })
   }
 
-  // Process replacements in reverse order to maintain correct indices
   for (let i = replacements.length - 1; i >= 0; i--) {
     const { match: matchStr, index, variableName, variableValue } = replacements[i]
 
-    // Use variable reference approach
     const safeVarName = `__variable_${variableName.replace(/[^a-zA-Z0-9_]/g, '_')}`
     contextVariables[safeVarName] = variableValue
     resolvedCode =
@@ -464,9 +417,6 @@ function resolveWorkflowVariables(
   return resolvedCode
 }
 
-/**
- * Resolves environment variables with {{var_name}} syntax
- */
 function resolveEnvironmentVariables(
   code: string,
   params: Record<string, any>,
@@ -482,32 +432,28 @@ function resolveEnvironmentVariables(
 
   const resolverVars: Record<string, string> = {}
   Object.entries(params).forEach(([key, value]) => {
-    if (value) {
+    if (value !== undefined && value !== null) {
       resolverVars[key] = String(value)
     }
   })
   Object.entries(envVars).forEach(([key, value]) => {
-    if (value) {
+    if (value !== undefined && value !== null) {
       resolverVars[key] = value
     }
   })
 
   while ((match = regex.exec(code)) !== null) {
     const varName = match[1].trim()
-    const resolved = resolveEnvVarReferences(match[0], resolverVars, {
-      allowEmbedded: true,
-      resolveExactMatch: true,
-      trimKeys: true,
-      onMissing: 'empty',
-      deep: false,
-    })
-    const varValue =
-      typeof resolved === 'string' ? resolved : resolved == null ? '' : String(resolved)
+
+    if (!(varName in resolverVars)) {
+      continue
+    }
+
     replacements.push({
       match: match[0],
       index: match.index,
       varName,
-      varValue: String(varValue),
+      varValue: resolverVars[varName],
     })
   }
 
@@ -523,64 +469,59 @@ function resolveEnvironmentVariables(
   return resolvedCode
 }
 
-/**
- * Resolves tags with <tag_name> syntax (including nested paths like <block.response.data>)
- */
 function resolveTagVariables(
   code: string,
-  params: Record<string, any>,
-  blockData: Record<string, any>,
+  blockData: Record<string, unknown>,
   blockNameMapping: Record<string, string>,
-  contextVariables: Record<string, any>
+  blockOutputSchemas: Record<string, OutputSchema>,
+  contextVariables: Record<string, unknown>,
+  language = 'javascript'
 ): string {
   let resolvedCode = code
+  const undefinedLiteral = language === 'python' ? 'None' : 'undefined'
 
   const tagPattern = new RegExp(
-    `${REFERENCE.START}([a-zA-Z_][a-zA-Z0-9_${REFERENCE.PATH_DELIMITER}]*[a-zA-Z0-9_])${REFERENCE.END}`,
+    `${REFERENCE.START}([a-zA-Z_](?:[a-zA-Z0-9_${REFERENCE.PATH_DELIMITER}]*[a-zA-Z0-9_])?)${REFERENCE.END}`,
     'g'
   )
   const tagMatches = resolvedCode.match(tagPattern) || []
 
   for (const match of tagMatches) {
     const tagName = match.slice(REFERENCE.START.length, -REFERENCE.END.length).trim()
+    const pathParts = tagName.split(REFERENCE.PATH_DELIMITER)
+    const blockName = pathParts[0]
+    const fieldPath = pathParts.slice(1)
 
-    // Handle nested paths like "getrecord.response.data" or "function1.response.result"
-    // First try params, then blockData directly, then try with block name mapping
-    let tagValue = getNestedValue(params, tagName) || getNestedValue(blockData, tagName) || ''
+    const result = resolveBlockReference(blockName, fieldPath, {
+      blockNameMapping,
+      blockData,
+      blockOutputSchemas,
+    })
 
-    // If not found and the path starts with a block name, try mapping the block name to ID
-    if (!tagValue && tagName.includes(REFERENCE.PATH_DELIMITER)) {
-      const pathParts = tagName.split(REFERENCE.PATH_DELIMITER)
-      const normalizedBlockName = pathParts[0] // This should already be normalized like "function1"
+    if (!result) {
+      continue
+    }
 
-      // Direct lookup using normalized block name
-      const blockId = blockNameMapping[normalizedBlockName] ?? null
+    let tagValue = result.value
 
-      if (blockId) {
-        const remainingPath = pathParts.slice(1).join('.')
-        const fullPath = `${blockId}.${remainingPath}`
-        tagValue = getNestedValue(blockData, fullPath) || ''
+    if (tagValue === undefined) {
+      resolvedCode = resolvedCode.replace(new RegExp(escapeRegExp(match), 'g'), undefinedLiteral)
+      continue
+    }
+
+    if (typeof tagValue === 'string') {
+      const trimmed = tagValue.trimStart()
+      if (trimmed.startsWith('{') || trimmed.startsWith('[')) {
+        try {
+          tagValue = JSON.parse(tagValue)
+        } catch {
+          // Keep as string if not valid JSON
+        }
       }
     }
 
-    // If the value is a stringified JSON, parse it back to object
-    if (
-      typeof tagValue === 'string' &&
-      tagValue.length > 100 &&
-      (tagValue.startsWith('{') || tagValue.startsWith('['))
-    ) {
-      try {
-        tagValue = JSON.parse(tagValue)
-      } catch (e) {
-        // Keep as string if parsing fails
-      }
-    }
-
-    // Instead of injecting large JSON directly, create a variable reference
-    const safeVarName = `__tag_${tagName.replace(/[^a-zA-Z0-9_]/g, '_')}`
+    const safeVarName = `__tag_${tagName.replace(/_/g, '_1').replace(/\./g, '_0')}`
     contextVariables[safeVarName] = tagValue
-
-    // Replace the template with a variable reference
     resolvedCode = resolvedCode.replace(new RegExp(escapeRegExp(match), 'g'), safeVarName)
   }
 
@@ -596,44 +537,31 @@ function resolveTagVariables(
  */
 function resolveCodeVariables(
   code: string,
-  params: Record<string, any>,
+  params: Record<string, unknown>,
   envVars: Record<string, string> = {},
-  blockData: Record<string, any> = {},
+  blockData: Record<string, unknown> = {},
   blockNameMapping: Record<string, string> = {},
-  workflowVariables: Record<string, any> = {}
-): { resolvedCode: string; contextVariables: Record<string, any> } {
+  blockOutputSchemas: Record<string, OutputSchema> = {},
+  workflowVariables: Record<string, unknown> = {},
+  language = 'javascript'
+): { resolvedCode: string; contextVariables: Record<string, unknown> } {
   let resolvedCode = code
-  const contextVariables: Record<string, any> = {}
+  const contextVariables: Record<string, unknown> = {}
 
-  // Resolve workflow variables with <variable.name> syntax first
   resolvedCode = resolveWorkflowVariables(resolvedCode, workflowVariables, contextVariables)
-
-  // Resolve environment variables with {{var_name}} syntax
   resolvedCode = resolveEnvironmentVariables(resolvedCode, params, envVars, contextVariables)
-
-  // Resolve tags with <tag_name> syntax (including nested paths like <block.response.data>)
   resolvedCode = resolveTagVariables(
     resolvedCode,
-    params,
     blockData,
     blockNameMapping,
-    contextVariables
+    blockOutputSchemas,
+    contextVariables,
+    language
   )
 
   return { resolvedCode, contextVariables }
 }
 
-/**
- * Get nested value from object using dot notation path
- */
-function getNestedValue(obj: any, path: string): any {
-  if (!obj || !path) return undefined
-
-  return path.split('.').reduce((current, key) => {
-    return current && typeof current === 'object' ? current[key] : undefined
-  }, obj)
-}
-
 /**
  * Remove one trailing newline from stdout
  * This handles the common case where print() or console.log() adds a trailing \n
@@ -654,6 +582,12 @@ export async function POST(req: NextRequest) {
   let resolvedCode = '' // Store resolved code for error reporting
 
   try {
+    const auth = await checkHybridAuth(req)
+    if (!auth.success || !auth.userId) {
+      logger.warn(`[${requestId}] Unauthorized function execution attempt`)
+      return NextResponse.json({ error: auth.error || 'Unauthorized' }, { status: 401 })
+    }
+
     const body = await req.json()
 
     const { DEFAULT_EXECUTION_TIMEOUT_MS } = await import('@/lib/execution/constants')
@@ -666,12 +600,12 @@ export async function POST(req: NextRequest) {
       envVars = {},
       blockData = {},
       blockNameMapping = {},
+      blockOutputSchemas = {},
       workflowVariables = {},
       workflowId,
       isCustomTool = false,
     } = body
 
-    // Extract internal parameters that shouldn't be passed to the execution context
     const executionParams = { ...params }
     executionParams._context = undefined
 
@@ -683,21 +617,21 @@ export async function POST(req: NextRequest) {
       isCustomTool,
     })
 
-    // Resolve variables in the code with workflow environment variables
+    const lang = isValidCodeLanguage(language) ? language : DEFAULT_CODE_LANGUAGE
+
     const codeResolution = resolveCodeVariables(
       code,
       executionParams,
       envVars,
       blockData,
       blockNameMapping,
-      workflowVariables
+      blockOutputSchemas,
+      workflowVariables,
+      lang
     )
     resolvedCode = codeResolution.resolvedCode
     const contextVariables = codeResolution.contextVariables
 
-    const lang = isValidCodeLanguage(language) ? language : DEFAULT_CODE_LANGUAGE
-
-    // Extract imports once for JavaScript code (reuse later to avoid double extraction)
     let jsImports = ''
     let jsRemainingCode = resolvedCode
     let hasImports = false
@@ -707,31 +641,22 @@ export async function POST(req: NextRequest) {
       jsImports = extractionResult.imports
       jsRemainingCode = extractionResult.remainingCode
 
-      // Check for ES6 imports or CommonJS require statements
-      // ES6 imports are extracted by the TypeScript parser
-      // Also check for require() calls which indicate external dependencies
       const hasRequireStatements = /require\s*\(\s*['"`]/.test(resolvedCode)
       hasImports = jsImports.trim().length > 0 || hasRequireStatements
     }
 
-    // Python always requires E2B
     if (lang === CodeLanguage.Python && !isE2bEnabled) {
       throw new Error(
         'Python execution requires E2B to be enabled. Please contact your administrator to enable E2B, or use JavaScript instead.'
       )
     }
 
-    // JavaScript with imports requires E2B
     if (lang === CodeLanguage.JavaScript && hasImports && !isE2bEnabled) {
       throw new Error(
         'JavaScript code with import statements requires E2B to be enabled. Please remove the import statements, or contact your administrator to enable E2B.'
       )
     }
 
-    // Use E2B if:
-    // - E2B is enabled AND
-    // - Not a custom tool AND
-    // - (Python OR JavaScript with imports)
     const useE2B =
       isE2bEnabled &&
       !isCustomTool &&
@@ -744,13 +669,10 @@ export async function POST(req: NextRequest) {
         language: lang,
       })
       let prologue = ''
-      const epilogue = ''
 
       if (lang === CodeLanguage.JavaScript) {
-        // Track prologue lines for error adjustment
         let prologueLineCount = 0
 
-        // Reuse the imports we already extracted earlier
         const imports = jsImports
         const remainingCode = jsRemainingCode
 
@@ -765,7 +687,11 @@ export async function POST(req: NextRequest) {
         prologue += `const environmentVariables = JSON.parse(${JSON.stringify(JSON.stringify(envVars))});\n`
         prologueLineCount++
         for (const [k, v] of Object.entries(contextVariables)) {
-          prologue += `const ${k} = JSON.parse(${JSON.stringify(JSON.stringify(v))});\n`
+          if (v === undefined) {
+            prologue += `const ${k} = undefined;\n`
+          } else {
+            prologue += `const ${k} = JSON.parse(${JSON.stringify(JSON.stringify(v))});\n`
+          }
           prologueLineCount++
         }
 
@@ -782,7 +708,7 @@ export async function POST(req: NextRequest) {
           '  }',
           '})();',
         ].join('\n')
-        const codeForE2B = importSection + prologue + wrapped + epilogue
+        const codeForE2B = importSection + prologue + wrapped
 
         const execStart = Date.now()
         const {
@@ -804,7 +730,6 @@ export async function POST(req: NextRequest) {
           error: e2bError,
         })
 
-        // If there was an execution error, format it properly
         if (e2bError) {
           const { formattedError, cleanedOutput } = formatE2BError(
             e2bError,
@@ -828,7 +753,7 @@ export async function POST(req: NextRequest) {
           output: { result: e2bResult ?? null, stdout: cleanStdout(stdout), executionTime },
         })
       }
-      // Track prologue lines for error adjustment
+
       let prologueLineCount = 0
       prologue += 'import json\n'
       prologueLineCount++
@@ -837,7 +762,11 @@ export async function POST(req: NextRequest) {
       prologue += `environmentVariables = json.loads(${JSON.stringify(JSON.stringify(envVars))})\n`
       prologueLineCount++
       for (const [k, v] of Object.entries(contextVariables)) {
-        prologue += `${k} = json.loads(${JSON.stringify(JSON.stringify(v))})\n`
+        if (v === undefined) {
+          prologue += `${k} = None\n`
+        } else {
+          prologue += `${k} = json.loads(${JSON.stringify(JSON.stringify(v))})\n`
+        }
         prologueLineCount++
       }
       const wrapped = [
@@ -846,7 +775,7 @@ export async function POST(req: NextRequest) {
         '__sim_result__ = __sim_main__()',
         "print('__SIM_RESULT__=' + json.dumps(__sim_result__))",
       ].join('\n')
-      const codeForE2B = prologue + wrapped + epilogue
+      const codeForE2B = prologue + wrapped
 
       const execStart = Date.now()
       const {
@@ -868,7 +797,6 @@ export async function POST(req: NextRequest) {
         error: e2bError,
       })
 
-      // If there was an execution error, format it properly
       if (e2bError) {
         const { formattedError, cleanedOutput } = formatE2BError(
           e2bError,
@@ -897,7 +825,6 @@ export async function POST(req: NextRequest) {
 
     const wrapperLines = ['(async () => {', '  try {']
     if (isCustomTool) {
-      wrapperLines.push('    // For custom tools, make parameters directly accessible')
       Object.keys(executionParams).forEach((key) => {
         wrapperLines.push(`    const ${key} = params.${key};`)
       })
@@ -931,12 +858,10 @@ export async function POST(req: NextRequest) {
       })
 
       const ivmError = isolatedResult.error
-      // Adjust line number for prepended param destructuring in custom tools
       let adjustedLine = ivmError.line
       let adjustedLineContent = ivmError.lineContent
       if (prependedLineCount > 0 && ivmError.line !== undefined) {
         adjustedLine = Math.max(1, ivmError.line - prependedLineCount)
-        // Get line content from original user code, not the prepended code
         const codeLines = resolvedCode.split('\n')
         if (adjustedLine <= codeLines.length) {
           adjustedLineContent = codeLines[adjustedLine - 1]?.trim()

apps/sim/app/api/knowledge/[id]/documents/route.test.ts

@@ -157,7 +157,7 @@ describe('Knowledge Base Documents API Route', () => {
       expect(vi.mocked(getDocuments)).toHaveBeenCalledWith(
         'kb-123',
         {
-          includeDisabled: false,
+          enabledFilter: undefined,
           search: undefined,
           limit: 50,
           offset: 0,
@@ -166,7 +166,7 @@ describe('Knowledge Base Documents API Route', () => {
       )
     })
 
-    it('should filter disabled documents by default', async () => {
+    it('should return documents with default filter', async () => {
       const { checkKnowledgeBaseAccess } = await import('@/app/api/knowledge/utils')
       const { getDocuments } = await import('@/lib/knowledge/documents/service')
 
@@ -194,7 +194,7 @@ describe('Knowledge Base Documents API Route', () => {
       expect(vi.mocked(getDocuments)).toHaveBeenCalledWith(
         'kb-123',
         {
-          includeDisabled: false,
+          enabledFilter: undefined,
           search: undefined,
           limit: 50,
           offset: 0,
@@ -203,7 +203,7 @@ describe('Knowledge Base Documents API Route', () => {
       )
     })
 
-    it('should include disabled documents when requested', async () => {
+    it('should filter documents by enabled status when requested', async () => {
       const { checkKnowledgeBaseAccess } = await import('@/app/api/knowledge/utils')
       const { getDocuments } = await import('@/lib/knowledge/documents/service')
 
@@ -223,7 +223,7 @@ describe('Knowledge Base Documents API Route', () => {
         },
       })
 
-      const url = 'http://localhost:3000/api/knowledge/kb-123/documents?includeDisabled=true'
+      const url = 'http://localhost:3000/api/knowledge/kb-123/documents?enabledFilter=disabled'
       const req = new Request(url, { method: 'GET' }) as any
 
       const { GET } = await import('@/app/api/knowledge/[id]/documents/route')
@@ -233,7 +233,7 @@ describe('Knowledge Base Documents API Route', () => {
       expect(vi.mocked(getDocuments)).toHaveBeenCalledWith(
         'kb-123',
         {
-          includeDisabled: true,
+          enabledFilter: 'disabled',
           search: undefined,
           limit: 50,
           offset: 0,
@@ -361,8 +361,7 @@ describe('Knowledge Base Documents API Route', () => {
       expect(vi.mocked(createSingleDocument)).toHaveBeenCalledWith(
         validDocumentData,
         'kb-123',
-        expect.any(String),
-        'user-123'
+        expect.any(String)
       )
     })
 
@@ -470,8 +469,7 @@ describe('Knowledge Base Documents API Route', () => {
       expect(vi.mocked(createDocumentRecords)).toHaveBeenCalledWith(
         validBulkData.documents,
         'kb-123',
-        expect.any(String),
-        'user-123'
+        expect.any(String)
       )
       expect(vi.mocked(processDocumentsWithQueue)).toHaveBeenCalled()
     })

apps/sim/app/api/knowledge/[id]/documents/route.ts

@@ -5,6 +5,7 @@ import { z } from 'zod'
 import { getSession } from '@/lib/auth'
 import {
   bulkDocumentOperation,
+  bulkDocumentOperationByFilter,
   createDocumentRecords,
   createSingleDocument,
   getDocuments,
@@ -57,13 +58,20 @@ const BulkCreateDocumentsSchema = z.object({
   bulk: z.literal(true),
 })
 
-const BulkUpdateDocumentsSchema = z.object({
-  operation: z.enum(['enable', 'disable', 'delete']),
-  documentIds: z
-    .array(z.string())
-    .min(1, 'At least one document ID is required')
-    .max(100, 'Cannot operate on more than 100 documents at once'),
-})
+const BulkUpdateDocumentsSchema = z
+  .object({
+    operation: z.enum(['enable', 'disable', 'delete']),
+    documentIds: z
+      .array(z.string())
+      .min(1, 'At least one document ID is required')
+      .max(100, 'Cannot operate on more than 100 documents at once')
+      .optional(),
+    selectAll: z.boolean().optional(),
+    enabledFilter: z.enum(['all', 'enabled', 'disabled']).optional(),
+  })
+  .refine((data) => data.selectAll || (data.documentIds && data.documentIds.length > 0), {
+    message: 'Either selectAll must be true or documentIds must be provided',
+  })
 
 export async function GET(req: NextRequest, { params }: { params: Promise<{ id: string }> }) {
   const requestId = randomUUID().slice(0, 8)
@@ -90,14 +98,17 @@ export async function GET(req: NextRequest, { params }: { params: Promise<{ id:
     }
 
     const url = new URL(req.url)
-    const includeDisabled = url.searchParams.get('includeDisabled') === 'true'
+    const enabledFilter = url.searchParams.get('enabledFilter') as
+      | 'all'
+      | 'enabled'
+      | 'disabled'
+      | null
     const search = url.searchParams.get('search') || undefined
     const limit = Number.parseInt(url.searchParams.get('limit') || '50')
     const offset = Number.parseInt(url.searchParams.get('offset') || '0')
     const sortByParam = url.searchParams.get('sortBy')
     const sortOrderParam = url.searchParams.get('sortOrder')
 
-    // Validate sort parameters
     const validSortFields: DocumentSortField[] = [
       'filename',
       'fileSize',
@@ -105,6 +116,7 @@ export async function GET(req: NextRequest, { params }: { params: Promise<{ id:
       'chunkCount',
       'uploadedAt',
       'processingStatus',
+      'enabled',
     ]
     const validSortOrders: SortOrder[] = ['asc', 'desc']
 
@@ -120,7 +132,7 @@ export async function GET(req: NextRequest, { params }: { params: Promise<{ id:
     const result = await getDocuments(
       knowledgeBaseId,
       {
-        includeDisabled,
+        enabledFilter: enabledFilter || undefined,
         search,
         limit,
         offset,
@@ -190,8 +202,7 @@ export async function POST(req: NextRequest, { params }: { params: Promise<{ id:
         const createdDocuments = await createDocumentRecords(
           validatedData.documents,
           knowledgeBaseId,
-          requestId,
-          userId
+          requestId
         )
 
         logger.info(
@@ -250,16 +261,10 @@ export async function POST(req: NextRequest, { params }: { params: Promise<{ id:
         throw validationError
       }
     } else {
-      // Handle single document creation
       try {
         const validatedData = CreateDocumentSchema.parse(body)
 
-        const newDocument = await createSingleDocument(
-          validatedData,
-          knowledgeBaseId,
-          requestId,
-          userId
-        )
+        const newDocument = await createSingleDocument(validatedData, knowledgeBaseId, requestId)
 
         try {
           const { PlatformEvents } = await import('@/lib/core/telemetry')
@@ -294,7 +299,6 @@ export async function POST(req: NextRequest, { params }: { params: Promise<{ id:
   } catch (error) {
     logger.error(`[${requestId}] Error creating document`, error)
 
-    // Check if it's a storage limit error
     const errorMessage = error instanceof Error ? error.message : 'Failed to create document'
     const isStorageLimitError =
       errorMessage.includes('Storage limit exceeded') || errorMessage.includes('storage limit')
@@ -331,16 +335,22 @@ export async function PATCH(req: NextRequest, { params }: { params: Promise<{ id
 
     try {
       const validatedData = BulkUpdateDocumentsSchema.parse(body)
-      const { operation, documentIds } = validatedData
+      const { operation, documentIds, selectAll, enabledFilter } = validatedData
 
       try {
-        const result = await bulkDocumentOperation(
-          knowledgeBaseId,
-          operation,
-          documentIds,
-          requestId,
-          session.user.id
-        )
+        let result
+        if (selectAll) {
+          result = await bulkDocumentOperationByFilter(
+            knowledgeBaseId,
+            operation,
+            enabledFilter,
+            requestId
+          )
+        } else if (documentIds && documentIds.length > 0) {
+          result = await bulkDocumentOperation(knowledgeBaseId, operation, documentIds, requestId)
+        } else {
+          return NextResponse.json({ error: 'No documents specified' }, { status: 400 })
+        }
 
         return NextResponse.json({
           success: true,

apps/sim/app/api/mcp/servers/test-connection/route.ts

@@ -1,11 +1,10 @@
 import { createLogger } from '@sim/logger'
 import type { NextRequest } from 'next/server'
-import { getEffectiveDecryptedEnv } from '@/lib/environment/utils'
 import { McpClient } from '@/lib/mcp/client'
 import { getParsedBody, withMcpAuth } from '@/lib/mcp/middleware'
-import type { McpServerConfig, McpTransport } from '@/lib/mcp/types'
+import { resolveMcpConfigEnvVars } from '@/lib/mcp/resolve-config'
+import type { McpTransport } from '@/lib/mcp/types'
 import { createMcpErrorResponse, createMcpSuccessResponse } from '@/lib/mcp/utils'
-import { resolveEnvVarReferences } from '@/executor/utils/reference-validation'
 
 const logger = createLogger('McpServerTestAPI')
 
@@ -19,30 +18,6 @@ function isUrlBasedTransport(transport: McpTransport): boolean {
   return transport === 'streamable-http'
 }
 
-/**
- * Resolve environment variables in strings
- */
-function resolveEnvVars(value: string, envVars: Record<string, string>): string {
-  const missingVars: string[] = []
-  const resolvedValue = resolveEnvVarReferences(value, envVars, {
-    allowEmbedded: true,
-    resolveExactMatch: true,
-    trimKeys: true,
-    onMissing: 'keep',
-    deep: false,
-    missingKeys: missingVars,
-  }) as string
-
-  if (missingVars.length > 0) {
-    const uniqueMissing = Array.from(new Set(missingVars))
-    uniqueMissing.forEach((envKey) => {
-      logger.warn(`Environment variable "${envKey}" not found in MCP server test`)
-    })
-  }
-
-  return resolvedValue
-}
-
 interface TestConnectionRequest {
   name: string
   transport: McpTransport
@@ -96,39 +71,30 @@ export const POST = withMcpAuth('write')(
         )
       }
 
-      let resolvedUrl = body.url
-      let resolvedHeaders = body.headers || {}
-
-      try {
-        const envVars = await getEffectiveDecryptedEnv(userId, workspaceId)
-
-        if (resolvedUrl) {
-          resolvedUrl = resolveEnvVars(resolvedUrl, envVars)
-        }
-
-        const resolvedHeadersObj: Record<string, string> = {}
-        for (const [key, value] of Object.entries(resolvedHeaders)) {
-          resolvedHeadersObj[key] = resolveEnvVars(value, envVars)
-        }
-        resolvedHeaders = resolvedHeadersObj
-      } catch (envError) {
-        logger.warn(
-          `[${requestId}] Failed to resolve environment variables, using raw values:`,
-          envError
-        )
-      }
-
-      const testConfig: McpServerConfig = {
+      // Build initial config for resolution
+      const initialConfig = {
         id: `test-${requestId}`,
         name: body.name,
         transport: body.transport,
-        url: resolvedUrl,
-        headers: resolvedHeaders,
+        url: body.url,
+        headers: body.headers || {},
         timeout: body.timeout || 10000,
         retries: 1, // Only one retry for tests
         enabled: true,
       }
 
+      // Resolve env vars using shared utility (non-strict mode for testing)
+      const { config: testConfig, missingVars } = await resolveMcpConfigEnvVars(
+        initialConfig,
+        userId,
+        workspaceId,
+        { strict: false }
+      )
+
+      if (missingVars.length > 0) {
+        logger.warn(`[${requestId}] Some environment variables not found:`, { missingVars })
+      }
+
       const testSecurityPolicy = {
         requireConsent: false,
         auditLevel: 'none' as const,

apps/sim/app/api/providers/route.ts

@@ -3,7 +3,9 @@ import { account } from '@sim/db/schema'
 import { createLogger } from '@sim/logger'
 import { eq } from 'drizzle-orm'
 import { type NextRequest, NextResponse } from 'next/server'
+import { checkHybridAuth } from '@/lib/auth/hybrid'
 import { generateRequestId } from '@/lib/core/utils/request'
+import { checkWorkspaceAccess } from '@/lib/workspaces/permissions/utils'
 import { refreshTokenIfNeeded } from '@/app/api/auth/oauth/utils'
 import type { StreamingExecution } from '@/executor/types'
 import { executeProviderRequest } from '@/providers'
@@ -20,6 +22,11 @@ export async function POST(request: NextRequest) {
   const startTime = Date.now()
 
   try {
+    const auth = await checkHybridAuth(request, { requireWorkflowId: false })
+    if (!auth.success || !auth.userId) {
+      return NextResponse.json({ error: 'Unauthorized' }, { status: 401 })
+    }
+
     logger.info(`[${requestId}] Provider API request started`, {
       timestamp: new Date().toISOString(),
       userAgent: request.headers.get('User-Agent'),
@@ -85,6 +92,13 @@ export async function POST(request: NextRequest) {
       verbosity,
     })
 
+    if (workspaceId) {
+      const workspaceAccess = await checkWorkspaceAccess(workspaceId, auth.userId)
+      if (!workspaceAccess.hasAccess) {
+        return NextResponse.json({ error: 'Forbidden' }, { status: 403 })
+      }
+    }
+
     let finalApiKey: string | undefined = apiKey
     try {
       if (provider === 'vertex' && vertexCredential) {

apps/sim/app/api/proxy/route.ts

@@ -1,395 +0,0 @@
-import { createLogger } from '@sim/logger'
-import type { NextRequest } from 'next/server'
-import { NextResponse } from 'next/server'
-import { z } from 'zod'
-import { checkHybridAuth } from '@/lib/auth/hybrid'
-import { generateInternalToken } from '@/lib/auth/internal'
-import { isDev } from '@/lib/core/config/feature-flags'
-import { createPinnedUrl, validateUrlWithDNS } from '@/lib/core/security/input-validation'
-import { generateRequestId } from '@/lib/core/utils/request'
-import { getBaseUrl } from '@/lib/core/utils/urls'
-import { executeTool } from '@/tools'
-import { getTool, validateRequiredParametersAfterMerge } from '@/tools/utils'
-
-const logger = createLogger('ProxyAPI')
-
-const proxyPostSchema = z.object({
-  toolId: z.string().min(1, 'toolId is required'),
-  params: z.record(z.any()).optional().default({}),
-  executionContext: z
-    .object({
-      workflowId: z.string().optional(),
-      workspaceId: z.string().optional(),
-      executionId: z.string().optional(),
-      userId: z.string().optional(),
-    })
-    .optional(),
-})
-
-/**
- * Creates a minimal set of default headers for proxy requests
- * @returns Record of HTTP headers
- */
-const getProxyHeaders = (): Record<string, string> => {
-  return {
-    'User-Agent':
-      'Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/135.0.0.0 Safari/537.36',
-    Accept: '*/*',
-    'Accept-Encoding': 'gzip, deflate, br',
-    'Cache-Control': 'no-cache',
-    Connection: 'keep-alive',
-  }
-}
-
-/**
- * Formats a response with CORS headers
- * @param responseData Response data object
- * @param status HTTP status code
- * @returns NextResponse with CORS headers
- */
-const formatResponse = (responseData: any, status = 200) => {
-  return NextResponse.json(responseData, {
-    status,
-    headers: {
-      'Access-Control-Allow-Origin': '*',
-      'Access-Control-Allow-Methods': 'GET, POST, PUT, DELETE, OPTIONS',
-      'Access-Control-Allow-Headers': 'Content-Type, Authorization',
-    },
-  })
-}
-
-/**
- * Creates an error response with consistent formatting
- * @param error Error object or message
- * @param status HTTP status code
- * @param additionalData Additional data to include in the response
- * @returns Formatted error response
- */
-const createErrorResponse = (error: any, status = 500, additionalData = {}) => {
-  const errorMessage = error instanceof Error ? error.message : String(error)
-  const errorStack = error instanceof Error ? error.stack : undefined
-
-  logger.error('Creating error response', {
-    errorMessage,
-    status,
-    stack: isDev ? errorStack : undefined,
-  })
-
-  return formatResponse(
-    {
-      success: false,
-      error: errorMessage,
-      stack: isDev ? errorStack : undefined,
-      ...additionalData,
-    },
-    status
-  )
-}
-
-/**
- * GET handler for direct external URL proxying
- * This allows for GET requests to external APIs
- */
-export async function GET(request: Request) {
-  const url = new URL(request.url)
-  const targetUrl = url.searchParams.get('url')
-  const requestId = generateRequestId()
-
-  // Vault download proxy: /api/proxy?vaultDownload=1&bucket=...&object=...&credentialId=...
-  const vaultDownload = url.searchParams.get('vaultDownload')
-  if (vaultDownload === '1') {
-    try {
-      const bucket = url.searchParams.get('bucket')
-      const objectParam = url.searchParams.get('object')
-      const credentialId = url.searchParams.get('credentialId')
-
-      if (!bucket || !objectParam || !credentialId) {
-        return createErrorResponse('Missing bucket, object, or credentialId', 400)
-      }
-
-      // Fetch access token using existing token API
-      const baseUrl = new URL(getBaseUrl())
-      const tokenUrl = new URL('/api/auth/oauth/token', baseUrl)
-
-      // Build headers: forward session cookies if present; include internal auth for server-side
-      const tokenHeaders: Record<string, string> = { 'Content-Type': 'application/json' }
-      const incomingCookie = request.headers.get('cookie')
-      if (incomingCookie) tokenHeaders.Cookie = incomingCookie
-      try {
-        const internalToken = await generateInternalToken()
-        tokenHeaders.Authorization = `Bearer ${internalToken}`
-      } catch (_e) {
-        // best-effort internal auth
-      }
-
-      // Optional workflow context for collaboration auth
-      const workflowId = url.searchParams.get('workflowId') || undefined
-
-      const tokenRes = await fetch(tokenUrl.toString(), {
-        method: 'POST',
-        headers: tokenHeaders,
-        body: JSON.stringify({ credentialId, workflowId }),
-      })
-
-      if (!tokenRes.ok) {
-        const err = await tokenRes.text()
-        return createErrorResponse(`Failed to fetch access token: ${err}`, 401)
-      }
-
-      const tokenJson = await tokenRes.json()
-      const accessToken = tokenJson.accessToken
-      if (!accessToken) {
-        return createErrorResponse('No access token available', 401)
-      }
-
-      // Avoid double-encoding: incoming object may already be percent-encoded
-      const objectDecoded = decodeURIComponent(objectParam)
-      const gcsUrl = `https://storage.googleapis.com/storage/v1/b/${encodeURIComponent(
-        bucket
-      )}/o/${encodeURIComponent(objectDecoded)}?alt=media`
-
-      const fileRes = await fetch(gcsUrl, {
-        headers: { Authorization: `Bearer ${accessToken}` },
-      })
-
-      if (!fileRes.ok) {
-        const errText = await fileRes.text()
-        return createErrorResponse(errText || 'Failed to download file', fileRes.status)
-      }
-
-      const headers = new Headers()
-      fileRes.headers.forEach((v, k) => headers.set(k, v))
-      return new NextResponse(fileRes.body, { status: 200, headers })
-    } catch (error: any) {
-      logger.error(`[${requestId}] Vault download proxy failed`, {
-        error: error instanceof Error ? error.message : String(error),
-      })
-      return createErrorResponse('Vault download failed', 500)
-    }
-  }
-
-  if (!targetUrl) {
-    logger.error(`[${requestId}] Missing 'url' parameter`)
-    return createErrorResponse("Missing 'url' parameter", 400)
-  }
-
-  const urlValidation = await validateUrlWithDNS(targetUrl)
-  if (!urlValidation.isValid) {
-    logger.warn(`[${requestId}] Blocked proxy request`, {
-      url: targetUrl.substring(0, 100),
-      error: urlValidation.error,
-    })
-    return createErrorResponse(urlValidation.error || 'Invalid URL', 403)
-  }
-
-  const method = url.searchParams.get('method') || 'GET'
-
-  const bodyParam = url.searchParams.get('body')
-  let body: string | undefined
-
-  if (bodyParam && ['POST', 'PUT', 'PATCH'].includes(method.toUpperCase())) {
-    try {
-      body = decodeURIComponent(bodyParam)
-    } catch (error) {
-      logger.warn(`[${requestId}] Failed to decode body parameter`, error)
-    }
-  }
-
-  const customHeaders: Record<string, string> = {}
-
-  for (const [key, value] of url.searchParams.entries()) {
-    if (key.startsWith('header.')) {
-      const headerName = key.substring(7)
-      customHeaders[headerName] = value
-    }
-  }
-
-  if (body && !customHeaders['Content-Type']) {
-    customHeaders['Content-Type'] = 'application/json'
-  }
-
-  logger.info(`[${requestId}] Proxying ${method} request to: ${targetUrl}`)
-
-  try {
-    const pinnedUrl = createPinnedUrl(targetUrl, urlValidation.resolvedIP!)
-    const response = await fetch(pinnedUrl, {
-      method: method,
-      headers: {
-        ...getProxyHeaders(),
-        ...customHeaders,
-        Host: urlValidation.originalHostname!,
-      },
-      body: body || undefined,
-    })
-
-    const contentType = response.headers.get('content-type') || ''
-    let data
-
-    if (contentType.includes('application/json')) {
-      data = await response.json()
-    } else {
-      data = await response.text()
-    }
-
-    const errorMessage = !response.ok
-      ? data && typeof data === 'object' && data.error
-        ? `${data.error.message || JSON.stringify(data.error)}`
-        : response.statusText || `HTTP error ${response.status}`
-      : undefined
-
-    if (!response.ok) {
-      logger.error(`[${requestId}] External API error: ${response.status} ${response.statusText}`)
-    }
-
-    return formatResponse({
-      success: response.ok,
-      status: response.status,
-      statusText: response.statusText,
-      headers: Object.fromEntries(response.headers.entries()),
-      data,
-      error: errorMessage,
-    })
-  } catch (error: any) {
-    logger.error(`[${requestId}] Proxy GET request failed`, {
-      url: targetUrl,
-      error: error instanceof Error ? error.message : String(error),
-      stack: error instanceof Error ? error.stack : undefined,
-    })
-
-    return createErrorResponse(error)
-  }
-}
-
-export async function POST(request: NextRequest) {
-  const requestId = generateRequestId()
-  const startTime = new Date()
-  const startTimeISO = startTime.toISOString()
-
-  try {
-    const authResult = await checkHybridAuth(request, { requireWorkflowId: false })
-    if (!authResult.success) {
-      logger.error(`[${requestId}] Authentication failed for proxy:`, authResult.error)
-      return createErrorResponse('Unauthorized', 401)
-    }
-
-    let requestBody
-    try {
-      requestBody = await request.json()
-    } catch (parseError) {
-      logger.error(`[${requestId}] Failed to parse request body`, {
-        error: parseError instanceof Error ? parseError.message : String(parseError),
-      })
-      throw new Error('Invalid JSON in request body')
-    }
-
-    const validationResult = proxyPostSchema.safeParse(requestBody)
-    if (!validationResult.success) {
-      logger.error(`[${requestId}] Request validation failed`, {
-        errors: validationResult.error.errors,
-      })
-      const errorMessages = validationResult.error.errors
-        .map((err) => `${err.path.join('.')}: ${err.message}`)
-        .join(', ')
-      throw new Error(`Validation failed: ${errorMessages}`)
-    }
-
-    const { toolId, params } = validationResult.data
-
-    logger.info(`[${requestId}] Processing tool: ${toolId}`)
-
-    const tool = getTool(toolId)
-
-    if (!tool) {
-      logger.error(`[${requestId}] Tool not found: ${toolId}`)
-      throw new Error(`Tool not found: ${toolId}`)
-    }
-
-    try {
-      validateRequiredParametersAfterMerge(toolId, tool, params)
-    } catch (validationError) {
-      logger.warn(`[${requestId}] Tool validation failed for ${toolId}`, {
-        error: validationError instanceof Error ? validationError.message : String(validationError),
-      })
-
-      const endTime = new Date()
-      const endTimeISO = endTime.toISOString()
-      const duration = endTime.getTime() - startTime.getTime()
-
-      return createErrorResponse(validationError, 400, {
-        startTime: startTimeISO,
-        endTime: endTimeISO,
-        duration,
-      })
-    }
-
-    const hasFileOutputs =
-      tool.outputs &&
-      Object.values(tool.outputs).some(
-        (output) => output.type === 'file' || output.type === 'file[]'
-      )
-
-    const result = await executeTool(
-      toolId,
-      params,
-      true, // skipProxy (we're already in the proxy)
-      !hasFileOutputs, // skipPostProcess (don't skip if tool has file outputs)
-      undefined // execution context is not available in proxy context
-    )
-
-    if (!result.success) {
-      logger.warn(`[${requestId}] Tool execution failed for ${toolId}`, {
-        error: result.error || 'Unknown error',
-      })
-
-      throw new Error(result.error || 'Tool execution failed')
-    }
-
-    const endTime = new Date()
-    const endTimeISO = endTime.toISOString()
-    const duration = endTime.getTime() - startTime.getTime()
-
-    const responseWithTimingData = {
-      ...result,
-      startTime: startTimeISO,
-      endTime: endTimeISO,
-      duration,
-      timing: {
-        startTime: startTimeISO,
-        endTime: endTimeISO,
-        duration,
-      },
-    }
-
-    logger.info(`[${requestId}] Tool executed successfully: ${toolId} (${duration}ms)`)
-
-    return formatResponse(responseWithTimingData)
-  } catch (error: any) {
-    logger.error(`[${requestId}] Proxy request failed`, {
-      error: error instanceof Error ? error.message : String(error),
-      stack: error instanceof Error ? error.stack : undefined,
-      name: error instanceof Error ? error.name : undefined,
-    })
-
-    const endTime = new Date()
-    const endTimeISO = endTime.toISOString()
-    const duration = endTime.getTime() - startTime.getTime()
-
-    return createErrorResponse(error, 500, {
-      startTime: startTimeISO,
-      endTime: endTimeISO,
-      duration,
-    })
-  }
-}
-
-export async function OPTIONS() {
-  return new NextResponse(null, {
-    status: 204,
-    headers: {
-      'Access-Control-Allow-Origin': '*',
-      'Access-Control-Allow-Methods': 'GET, POST, PUT, DELETE, OPTIONS',
-      'Access-Control-Allow-Headers': 'Content-Type, Authorization',
-      'Access-Control-Max-Age': '86400',
-    },
-  })
-}

apps/sim/app/api/tools/a2a/set-push-notification/route.ts

@@ -3,6 +3,7 @@ import { type NextRequest, NextResponse } from 'next/server'
 import { z } from 'zod'
 import { createA2AClient } from '@/lib/a2a/utils'
 import { checkHybridAuth } from '@/lib/auth/hybrid'
+import { validateExternalUrl } from '@/lib/core/security/input-validation'
 import { generateRequestId } from '@/lib/core/utils/request'
 
 export const dynamic = 'force-dynamic'
@@ -39,6 +40,18 @@ export async function POST(request: NextRequest) {
     const body = await request.json()
     const validatedData = A2ASetPushNotificationSchema.parse(body)
 
+    const urlValidation = validateExternalUrl(validatedData.webhookUrl, 'Webhook URL')
+    if (!urlValidation.isValid) {
+      logger.warn(`[${requestId}] Invalid webhook URL`, { error: urlValidation.error })
+      return NextResponse.json(
+        {
+          success: false,
+          error: urlValidation.error,
+        },
+        { status: 400 }
+      )
+    }
+
     logger.info(`[${requestId}] A2A set push notification request`, {
       agentUrl: validatedData.agentUrl,
       taskId: validatedData.taskId,

apps/sim/app/api/tools/mistral/parse/route.ts

@@ -5,7 +5,11 @@ import { checkHybridAuth } from '@/lib/auth/hybrid'
 import { generateRequestId } from '@/lib/core/utils/request'
 import { getBaseUrl } from '@/lib/core/utils/urls'
 import { StorageService } from '@/lib/uploads'
-import { extractStorageKey, inferContextFromKey } from '@/lib/uploads/utils/file-utils'
+import {
+  extractStorageKey,
+  inferContextFromKey,
+  isInternalFileUrl,
+} from '@/lib/uploads/utils/file-utils'
 import { verifyFileAccess } from '@/app/api/files/authorization'
 
 export const dynamic = 'force-dynamic'
@@ -47,13 +51,13 @@ export async function POST(request: NextRequest) {
 
     logger.info(`[${requestId}] Mistral parse request`, {
       filePath: validatedData.filePath,
-      isWorkspaceFile: validatedData.filePath.includes('/api/files/serve/'),
+      isWorkspaceFile: isInternalFileUrl(validatedData.filePath),
       userId,
     })
 
     let fileUrl = validatedData.filePath
 
-    if (validatedData.filePath?.includes('/api/files/serve/')) {
+    if (isInternalFileUrl(validatedData.filePath)) {
       try {
         const storageKey = extractStorageKey(validatedData.filePath)
 

apps/sim/app/api/tools/mysql/delete/route.ts

@@ -2,6 +2,7 @@ import { randomUUID } from 'crypto'
 import { createLogger } from '@sim/logger'
 import { type NextRequest, NextResponse } from 'next/server'
 import { z } from 'zod'
+import { checkHybridAuth } from '@/lib/auth/hybrid'
 import { buildDeleteQuery, createMySQLConnection, executeQuery } from '@/app/api/tools/mysql/utils'
 
 const logger = createLogger('MySQLDeleteAPI')
@@ -21,6 +22,12 @@ export async function POST(request: NextRequest) {
   const requestId = randomUUID().slice(0, 8)
 
   try {
+    const auth = await checkHybridAuth(request)
+    if (!auth.success || !auth.userId) {
+      logger.warn(`[${requestId}] Unauthorized MySQL delete attempt`)
+      return NextResponse.json({ error: auth.error || 'Unauthorized' }, { status: 401 })
+    }
+
     const body = await request.json()
     const params = DeleteSchema.parse(body)
 

apps/sim/app/api/tools/mysql/execute/route.ts

@@ -2,6 +2,7 @@ import { randomUUID } from 'crypto'
 import { createLogger } from '@sim/logger'
 import { type NextRequest, NextResponse } from 'next/server'
 import { z } from 'zod'
+import { checkHybridAuth } from '@/lib/auth/hybrid'
 import { createMySQLConnection, executeQuery, validateQuery } from '@/app/api/tools/mysql/utils'
 
 const logger = createLogger('MySQLExecuteAPI')
@@ -20,6 +21,12 @@ export async function POST(request: NextRequest) {
   const requestId = randomUUID().slice(0, 8)
 
   try {
+    const auth = await checkHybridAuth(request)
+    if (!auth.success || !auth.userId) {
+      logger.warn(`[${requestId}] Unauthorized MySQL execute attempt`)
+      return NextResponse.json({ error: auth.error || 'Unauthorized' }, { status: 401 })
+    }
+
     const body = await request.json()
     const params = ExecuteSchema.parse(body)
 

apps/sim/app/api/tools/mysql/insert/route.ts

@@ -2,6 +2,7 @@ import { randomUUID } from 'crypto'
 import { createLogger } from '@sim/logger'
 import { type NextRequest, NextResponse } from 'next/server'
 import { z } from 'zod'
+import { checkHybridAuth } from '@/lib/auth/hybrid'
 import { buildInsertQuery, createMySQLConnection, executeQuery } from '@/app/api/tools/mysql/utils'
 
 const logger = createLogger('MySQLInsertAPI')
@@ -42,6 +43,12 @@ export async function POST(request: NextRequest) {
   const requestId = randomUUID().slice(0, 8)
 
   try {
+    const auth = await checkHybridAuth(request)
+    if (!auth.success || !auth.userId) {
+      logger.warn(`[${requestId}] Unauthorized MySQL insert attempt`)
+      return NextResponse.json({ error: auth.error || 'Unauthorized' }, { status: 401 })
+    }
+
     const body = await request.json()
     const params = InsertSchema.parse(body)
 

apps/sim/app/api/tools/mysql/introspect/route.ts

@@ -2,6 +2,7 @@ import { randomUUID } from 'crypto'
 import { createLogger } from '@sim/logger'
 import { type NextRequest, NextResponse } from 'next/server'
 import { z } from 'zod'
+import { checkHybridAuth } from '@/lib/auth/hybrid'
 import { createMySQLConnection, executeIntrospect } from '@/app/api/tools/mysql/utils'
 
 const logger = createLogger('MySQLIntrospectAPI')
@@ -19,6 +20,12 @@ export async function POST(request: NextRequest) {
   const requestId = randomUUID().slice(0, 8)
 
   try {
+    const auth = await checkHybridAuth(request)
+    if (!auth.success || !auth.userId) {
+      logger.warn(`[${requestId}] Unauthorized MySQL introspect attempt`)
+      return NextResponse.json({ error: auth.error || 'Unauthorized' }, { status: 401 })
+    }
+
     const body = await request.json()
     const params = IntrospectSchema.parse(body)
 

apps/sim/app/api/tools/mysql/query/route.ts

@@ -2,6 +2,7 @@ import { randomUUID } from 'crypto'
 import { createLogger } from '@sim/logger'
 import { type NextRequest, NextResponse } from 'next/server'
 import { z } from 'zod'
+import { checkHybridAuth } from '@/lib/auth/hybrid'
 import { createMySQLConnection, executeQuery, validateQuery } from '@/app/api/tools/mysql/utils'
 
 const logger = createLogger('MySQLQueryAPI')
@@ -20,6 +21,12 @@ export async function POST(request: NextRequest) {
   const requestId = randomUUID().slice(0, 8)
 
   try {
+    const auth = await checkHybridAuth(request)
+    if (!auth.success || !auth.userId) {
+      logger.warn(`[${requestId}] Unauthorized MySQL query attempt`)
+      return NextResponse.json({ error: auth.error || 'Unauthorized' }, { status: 401 })
+    }
+
     const body = await request.json()
     const params = QuerySchema.parse(body)
 

apps/sim/app/api/tools/mysql/update/route.ts

@@ -2,6 +2,7 @@ import { randomUUID } from 'crypto'
 import { createLogger } from '@sim/logger'
 import { type NextRequest, NextResponse } from 'next/server'
 import { z } from 'zod'
+import { checkHybridAuth } from '@/lib/auth/hybrid'
 import { buildUpdateQuery, createMySQLConnection, executeQuery } from '@/app/api/tools/mysql/utils'
 
 const logger = createLogger('MySQLUpdateAPI')
@@ -40,6 +41,12 @@ export async function POST(request: NextRequest) {
   const requestId = randomUUID().slice(0, 8)
 
   try {
+    const auth = await checkHybridAuth(request)
+    if (!auth.success || !auth.userId) {
+      logger.warn(`[${requestId}] Unauthorized MySQL update attempt`)
+      return NextResponse.json({ error: auth.error || 'Unauthorized' }, { status: 401 })
+    }
+
     const body = await request.json()
     const params = UpdateSchema.parse(body)
 

apps/sim/app/api/tools/postgresql/delete/route.ts

@@ -2,6 +2,7 @@ import { randomUUID } from 'crypto'
 import { createLogger } from '@sim/logger'
 import { type NextRequest, NextResponse } from 'next/server'
 import { z } from 'zod'
+import { checkHybridAuth } from '@/lib/auth/hybrid'
 import { createPostgresConnection, executeDelete } from '@/app/api/tools/postgresql/utils'
 
 const logger = createLogger('PostgreSQLDeleteAPI')
@@ -21,6 +22,12 @@ export async function POST(request: NextRequest) {
   const requestId = randomUUID().slice(0, 8)
 
   try {
+    const auth = await checkHybridAuth(request)
+    if (!auth.success || !auth.userId) {
+      logger.warn(`[${requestId}] Unauthorized PostgreSQL delete attempt`)
+      return NextResponse.json({ error: auth.error || 'Unauthorized' }, { status: 401 })
+    }
+
     const body = await request.json()
     const params = DeleteSchema.parse(body)
 

apps/sim/app/api/tools/postgresql/execute/route.ts

@@ -2,6 +2,7 @@ import { randomUUID } from 'crypto'
 import { createLogger } from '@sim/logger'
 import { type NextRequest, NextResponse } from 'next/server'
 import { z } from 'zod'
+import { checkHybridAuth } from '@/lib/auth/hybrid'
 import {
   createPostgresConnection,
   executeQuery,
@@ -24,6 +25,12 @@ export async function POST(request: NextRequest) {
   const requestId = randomUUID().slice(0, 8)
 
   try {
+    const auth = await checkHybridAuth(request)
+    if (!auth.success || !auth.userId) {
+      logger.warn(`[${requestId}] Unauthorized PostgreSQL execute attempt`)
+      return NextResponse.json({ error: auth.error || 'Unauthorized' }, { status: 401 })
+    }
+
     const body = await request.json()
     const params = ExecuteSchema.parse(body)
 

apps/sim/app/api/tools/postgresql/insert/route.ts

@@ -2,6 +2,7 @@ import { randomUUID } from 'crypto'
 import { createLogger } from '@sim/logger'
 import { type NextRequest, NextResponse } from 'next/server'
 import { z } from 'zod'
+import { checkHybridAuth } from '@/lib/auth/hybrid'
 import { createPostgresConnection, executeInsert } from '@/app/api/tools/postgresql/utils'
 
 const logger = createLogger('PostgreSQLInsertAPI')
@@ -42,6 +43,12 @@ export async function POST(request: NextRequest) {
   const requestId = randomUUID().slice(0, 8)
 
   try {
+    const auth = await checkHybridAuth(request)
+    if (!auth.success || !auth.userId) {
+      logger.warn(`[${requestId}] Unauthorized PostgreSQL insert attempt`)
+      return NextResponse.json({ error: auth.error || 'Unauthorized' }, { status: 401 })
+    }
+
     const body = await request.json()
 
     const params = InsertSchema.parse(body)

apps/sim/app/api/tools/postgresql/introspect/route.ts

@@ -2,6 +2,7 @@ import { randomUUID } from 'crypto'
 import { createLogger } from '@sim/logger'
 import { type NextRequest, NextResponse } from 'next/server'
 import { z } from 'zod'
+import { checkHybridAuth } from '@/lib/auth/hybrid'
 import { createPostgresConnection, executeIntrospect } from '@/app/api/tools/postgresql/utils'
 
 const logger = createLogger('PostgreSQLIntrospectAPI')
@@ -20,6 +21,12 @@ export async function POST(request: NextRequest) {
   const requestId = randomUUID().slice(0, 8)
 
   try {
+    const auth = await checkHybridAuth(request)
+    if (!auth.success || !auth.userId) {
+      logger.warn(`[${requestId}] Unauthorized PostgreSQL introspect attempt`)
+      return NextResponse.json({ error: auth.error || 'Unauthorized' }, { status: 401 })
+    }
+
     const body = await request.json()
     const params = IntrospectSchema.parse(body)
 

apps/sim/app/api/tools/postgresql/query/route.ts

@@ -2,6 +2,7 @@ import { randomUUID } from 'crypto'
 import { createLogger } from '@sim/logger'
 import { type NextRequest, NextResponse } from 'next/server'
 import { z } from 'zod'
+import { checkHybridAuth } from '@/lib/auth/hybrid'
 import { createPostgresConnection, executeQuery } from '@/app/api/tools/postgresql/utils'
 
 const logger = createLogger('PostgreSQLQueryAPI')
@@ -20,6 +21,12 @@ export async function POST(request: NextRequest) {
   const requestId = randomUUID().slice(0, 8)
 
   try {
+    const auth = await checkHybridAuth(request)
+    if (!auth.success || !auth.userId) {
+      logger.warn(`[${requestId}] Unauthorized PostgreSQL query attempt`)
+      return NextResponse.json({ error: auth.error || 'Unauthorized' }, { status: 401 })
+    }
+
     const body = await request.json()
     const params = QuerySchema.parse(body)
 

apps/sim/app/api/tools/postgresql/update/route.ts

@@ -2,6 +2,7 @@ import { randomUUID } from 'crypto'
 import { createLogger } from '@sim/logger'
 import { type NextRequest, NextResponse } from 'next/server'
 import { z } from 'zod'
+import { checkHybridAuth } from '@/lib/auth/hybrid'
 import { createPostgresConnection, executeUpdate } from '@/app/api/tools/postgresql/utils'
 
 const logger = createLogger('PostgreSQLUpdateAPI')
@@ -40,6 +41,12 @@ export async function POST(request: NextRequest) {
   const requestId = randomUUID().slice(0, 8)
 
   try {
+    const auth = await checkHybridAuth(request)
+    if (!auth.success || !auth.userId) {
+      logger.warn(`[${requestId}] Unauthorized PostgreSQL update attempt`)
+      return NextResponse.json({ error: auth.error || 'Unauthorized' }, { status: 401 })
+    }
+
     const body = await request.json()
     const params = UpdateSchema.parse(body)
 

apps/sim/app/api/tools/pulse/parse/route.ts

@@ -5,7 +5,11 @@ import { checkHybridAuth } from '@/lib/auth/hybrid'
 import { generateRequestId } from '@/lib/core/utils/request'
 import { getBaseUrl } from '@/lib/core/utils/urls'
 import { StorageService } from '@/lib/uploads'
-import { extractStorageKey, inferContextFromKey } from '@/lib/uploads/utils/file-utils'
+import {
+  extractStorageKey,
+  inferContextFromKey,
+  isInternalFileUrl,
+} from '@/lib/uploads/utils/file-utils'
 import { verifyFileAccess } from '@/app/api/files/authorization'
 
 export const dynamic = 'force-dynamic'
@@ -48,13 +52,13 @@ export async function POST(request: NextRequest) {
 
     logger.info(`[${requestId}] Pulse parse request`, {
       filePath: validatedData.filePath,
-      isWorkspaceFile: validatedData.filePath.includes('/api/files/serve/'),
+      isWorkspaceFile: isInternalFileUrl(validatedData.filePath),
       userId,
     })
 
     let fileUrl = validatedData.filePath
 
-    if (validatedData.filePath?.includes('/api/files/serve/')) {
+    if (isInternalFileUrl(validatedData.filePath)) {
       try {
         const storageKey = extractStorageKey(validatedData.filePath)
         const context = inferContextFromKey(storageKey)

apps/sim/app/api/tools/reducto/parse/route.ts

@@ -5,7 +5,11 @@ import { checkHybridAuth } from '@/lib/auth/hybrid'
 import { generateRequestId } from '@/lib/core/utils/request'
 import { getBaseUrl } from '@/lib/core/utils/urls'
 import { StorageService } from '@/lib/uploads'
-import { extractStorageKey, inferContextFromKey } from '@/lib/uploads/utils/file-utils'
+import {
+  extractStorageKey,
+  inferContextFromKey,
+  isInternalFileUrl,
+} from '@/lib/uploads/utils/file-utils'
 import { verifyFileAccess } from '@/app/api/files/authorization'
 
 export const dynamic = 'force-dynamic'
@@ -44,13 +48,13 @@ export async function POST(request: NextRequest) {
 
     logger.info(`[${requestId}] Reducto parse request`, {
       filePath: validatedData.filePath,
-      isWorkspaceFile: validatedData.filePath.includes('/api/files/serve/'),
+      isWorkspaceFile: isInternalFileUrl(validatedData.filePath),
       userId,
     })
 
     let fileUrl = validatedData.filePath
 
-    if (validatedData.filePath?.includes('/api/files/serve/')) {
+    if (isInternalFileUrl(validatedData.filePath)) {
       try {
         const storageKey = extractStorageKey(validatedData.filePath)
         const context = inferContextFromKey(storageKey)

apps/sim/app/api/tools/s3/copy-object/route.ts

@@ -79,11 +79,13 @@ export async function POST(request: NextRequest) {
     // Generate public URL for destination (properly encode the destination key)
     const encodedDestKey = validatedData.destinationKey.split('/').map(encodeURIComponent).join('/')
     const url = `https://${validatedData.destinationBucket}.s3.${validatedData.region}.amazonaws.com/${encodedDestKey}`
+    const uri = `s3://${validatedData.destinationBucket}/${validatedData.destinationKey}`
 
     return NextResponse.json({
       success: true,
       output: {
         url,
+        uri,
         copySourceVersionId: result.CopySourceVersionId,
         versionId: result.VersionId,
         etag: result.CopyObjectResult?.ETag,

apps/sim/app/api/tools/s3/put-object/route.ts

@@ -117,11 +117,13 @@ export async function POST(request: NextRequest) {
 
     const encodedKey = validatedData.objectKey.split('/').map(encodeURIComponent).join('/')
     const url = `https://${validatedData.bucketName}.s3.${validatedData.region}.amazonaws.com/${encodedKey}`
+    const uri = `s3://${validatedData.bucketName}/${validatedData.objectKey}`
 
     return NextResponse.json({
       success: true,
       output: {
         url,
+        uri,
         etag: result.ETag,
         location: url,
         key: validatedData.objectKey,

apps/sim/app/api/tools/ssh/check-command-exists/route.ts

@@ -2,6 +2,7 @@ import { randomUUID } from 'crypto'
 import { createLogger } from '@sim/logger'
 import { type NextRequest, NextResponse } from 'next/server'
 import { z } from 'zod'
+import { checkHybridAuth } from '@/lib/auth/hybrid'
 import { createSSHConnection, escapeShellArg, executeSSHCommand } from '@/app/api/tools/ssh/utils'
 
 const logger = createLogger('SSHCheckCommandExistsAPI')
@@ -20,6 +21,12 @@ export async function POST(request: NextRequest) {
   const requestId = randomUUID().slice(0, 8)
 
   try {
+    const auth = await checkHybridAuth(request)
+    if (!auth.success || !auth.userId) {
+      logger.warn(`[${requestId}] Unauthorized SSH check command exists attempt`)
+      return NextResponse.json({ error: auth.error || 'Unauthorized' }, { status: 401 })
+    }
+
     const body = await request.json()
     const params = CheckCommandExistsSchema.parse(body)
 

apps/sim/app/api/tools/ssh/check-file-exists/route.ts

@@ -3,6 +3,7 @@ import { createLogger } from '@sim/logger'
 import { type NextRequest, NextResponse } from 'next/server'
 import type { Client, SFTPWrapper, Stats } from 'ssh2'
 import { z } from 'zod'
+import { checkHybridAuth } from '@/lib/auth/hybrid'
 import {
   createSSHConnection,
   getFileType,
@@ -39,10 +40,15 @@ export async function POST(request: NextRequest) {
   const requestId = randomUUID().slice(0, 8)
 
   try {
+    const auth = await checkHybridAuth(request)
+    if (!auth.success || !auth.userId) {
+      logger.warn(`[${requestId}] Unauthorized SSH check file exists attempt`)
+      return NextResponse.json({ error: auth.error || 'Unauthorized' }, { status: 401 })
+    }
+
     const body = await request.json()
     const params = CheckFileExistsSchema.parse(body)
 
-    // Validate authentication
     if (!params.password && !params.privateKey) {
       return NextResponse.json(
         { error: 'Either password or privateKey must be provided' },

apps/sim/app/api/tools/ssh/create-directory/route.ts

@@ -2,6 +2,7 @@ import { randomUUID } from 'crypto'
 import { createLogger } from '@sim/logger'
 import { type NextRequest, NextResponse } from 'next/server'
 import { z } from 'zod'
+import { checkHybridAuth } from '@/lib/auth/hybrid'
 import {
   createSSHConnection,
   escapeShellArg,
@@ -27,10 +28,15 @@ export async function POST(request: NextRequest) {
   const requestId = randomUUID().slice(0, 8)
 
   try {
+    const auth = await checkHybridAuth(request)
+    if (!auth.success || !auth.userId) {
+      logger.warn(`[${requestId}] Unauthorized SSH create directory attempt`)
+      return NextResponse.json({ error: auth.error || 'Unauthorized' }, { status: 401 })
+    }
+
     const body = await request.json()
     const params = CreateDirectorySchema.parse(body)
 
-    // Validate authentication
     if (!params.password && !params.privateKey) {
       return NextResponse.json(
         { error: 'Either password or privateKey must be provided' },
@@ -53,7 +59,6 @@ export async function POST(request: NextRequest) {
       const dirPath = sanitizePath(params.path)
       const escapedPath = escapeShellArg(dirPath)
 
-      // Check if directory already exists
       const checkResult = await executeSSHCommand(
         client,
         `test -d '${escapedPath}' && echo "exists"`
@@ -70,7 +75,6 @@ export async function POST(request: NextRequest) {
         })
       }
 
-      // Create directory
       const mkdirFlag = params.recursive ? '-p' : ''
       const command = `mkdir ${mkdirFlag} -m ${params.permissions} '${escapedPath}'`
       const result = await executeSSHCommand(client, command)

apps/sim/app/api/tools/ssh/delete-file/route.ts

@@ -2,6 +2,7 @@ import { randomUUID } from 'crypto'
 import { createLogger } from '@sim/logger'
 import { type NextRequest, NextResponse } from 'next/server'
 import { z } from 'zod'
+import { checkHybridAuth } from '@/lib/auth/hybrid'
 import {
   createSSHConnection,
   escapeShellArg,
@@ -27,10 +28,15 @@ export async function POST(request: NextRequest) {
   const requestId = randomUUID().slice(0, 8)
 
   try {
+    const auth = await checkHybridAuth(request)
+    if (!auth.success || !auth.userId) {
+      logger.warn(`[${requestId}] Unauthorized SSH delete file attempt`)
+      return NextResponse.json({ error: auth.error || 'Unauthorized' }, { status: 401 })
+    }
+
     const body = await request.json()
     const params = DeleteFileSchema.parse(body)
 
-    // Validate authentication
     if (!params.password && !params.privateKey) {
       return NextResponse.json(
         { error: 'Either password or privateKey must be provided' },
@@ -53,7 +59,6 @@ export async function POST(request: NextRequest) {
       const filePath = sanitizePath(params.path)
       const escapedPath = escapeShellArg(filePath)
 
-      // Check if path exists
       const checkResult = await executeSSHCommand(
         client,
         `test -e '${escapedPath}' && echo "exists"`
@@ -62,7 +67,6 @@ export async function POST(request: NextRequest) {
         return NextResponse.json({ error: `Path does not exist: ${filePath}` }, { status: 404 })
       }
 
-      // Build delete command
       let command: string
       if (params.recursive) {
         command = params.force ? `rm -rf '${escapedPath}'` : `rm -r '${escapedPath}'`

apps/sim/app/api/tools/ssh/download-file/route.ts

@@ -4,6 +4,7 @@ import { createLogger } from '@sim/logger'
 import { type NextRequest, NextResponse } from 'next/server'
 import type { Client, SFTPWrapper } from 'ssh2'
 import { z } from 'zod'
+import { checkHybridAuth } from '@/lib/auth/hybrid'
 import { createSSHConnection, sanitizePath } from '@/app/api/tools/ssh/utils'
 
 const logger = createLogger('SSHDownloadFileAPI')
@@ -34,10 +35,15 @@ export async function POST(request: NextRequest) {
   const requestId = randomUUID().slice(0, 8)
 
   try {
+    const auth = await checkHybridAuth(request)
+    if (!auth.success || !auth.userId) {
+      logger.warn(`[${requestId}] Unauthorized SSH download file attempt`)
+      return NextResponse.json({ error: auth.error || 'Unauthorized' }, { status: 401 })
+    }
+
     const body = await request.json()
     const params = DownloadFileSchema.parse(body)
 
-    // Validate authentication
     if (!params.password && !params.privateKey) {
       return NextResponse.json(
         { error: 'Either password or privateKey must be provided' },

apps/sim/app/api/tools/ssh/execute-command/route.ts

@@ -2,6 +2,7 @@ import { randomUUID } from 'crypto'
 import { createLogger } from '@sim/logger'
 import { type NextRequest, NextResponse } from 'next/server'
 import { z } from 'zod'
+import { checkHybridAuth } from '@/lib/auth/hybrid'
 import { createSSHConnection, executeSSHCommand, sanitizeCommand } from '@/app/api/tools/ssh/utils'
 
 const logger = createLogger('SSHExecuteCommandAPI')
@@ -21,10 +22,15 @@ export async function POST(request: NextRequest) {
   const requestId = randomUUID().slice(0, 8)
 
   try {
+    const auth = await checkHybridAuth(request)
+    if (!auth.success || !auth.userId) {
+      logger.warn(`[${requestId}] Unauthorized SSH execute command attempt`)
+      return NextResponse.json({ error: auth.error || 'Unauthorized' }, { status: 401 })
+    }
+
     const body = await request.json()
     const params = ExecuteCommandSchema.parse(body)
 
-    // Validate authentication
     if (!params.password && !params.privateKey) {
       return NextResponse.json(
         { error: 'Either password or privateKey must be provided' },
@@ -44,7 +50,6 @@ export async function POST(request: NextRequest) {
     })
 
     try {
-      // Build command with optional working directory
       let command = sanitizeCommand(params.command)
       if (params.workingDirectory) {
         command = `cd "${params.workingDirectory}" && ${command}`

apps/sim/app/api/tools/ssh/execute-script/route.ts

@@ -2,6 +2,7 @@ import { randomUUID } from 'crypto'
 import { createLogger } from '@sim/logger'
 import { type NextRequest, NextResponse } from 'next/server'
 import { z } from 'zod'
+import { checkHybridAuth } from '@/lib/auth/hybrid'
 import { createSSHConnection, escapeShellArg, executeSSHCommand } from '@/app/api/tools/ssh/utils'
 
 const logger = createLogger('SSHExecuteScriptAPI')
@@ -22,10 +23,15 @@ export async function POST(request: NextRequest) {
   const requestId = randomUUID().slice(0, 8)
 
   try {
+    const auth = await checkHybridAuth(request)
+    if (!auth.success || !auth.userId) {
+      logger.warn(`[${requestId}] Unauthorized SSH execute script attempt`)
+      return NextResponse.json({ error: auth.error || 'Unauthorized' }, { status: 401 })
+    }
+
     const body = await request.json()
     const params = ExecuteScriptSchema.parse(body)
 
-    // Validate authentication
     if (!params.password && !params.privateKey) {
       return NextResponse.json(
         { error: 'Either password or privateKey must be provided' },
@@ -45,13 +51,10 @@ export async function POST(request: NextRequest) {
     })
 
     try {
-      // Create a temporary script file, execute it, and clean up
       const scriptPath = `/tmp/sim_script_${requestId}.sh`
       const escapedScriptPath = escapeShellArg(scriptPath)
       const escapedInterpreter = escapeShellArg(params.interpreter)
 
-      // Build the command to create, execute, and clean up the script
-      // Note: heredoc with quoted delimiter ('SIMEOF') prevents variable expansion
       let command = `cat > '${escapedScriptPath}' << 'SIMEOF'
 ${params.script}
 SIMEOF

apps/sim/app/api/tools/ssh/get-system-info/route.ts

@@ -2,6 +2,7 @@ import { randomUUID } from 'crypto'
 import { createLogger } from '@sim/logger'
 import { type NextRequest, NextResponse } from 'next/server'
 import { z } from 'zod'
+import { checkHybridAuth } from '@/lib/auth/hybrid'
 import { createSSHConnection, executeSSHCommand } from '@/app/api/tools/ssh/utils'
 
 const logger = createLogger('SSHGetSystemInfoAPI')
@@ -19,10 +20,15 @@ export async function POST(request: NextRequest) {
   const requestId = randomUUID().slice(0, 8)
 
   try {
+    const auth = await checkHybridAuth(request)
+    if (!auth.success || !auth.userId) {
+      logger.warn(`[${requestId}] Unauthorized SSH get system info attempt`)
+      return NextResponse.json({ error: auth.error || 'Unauthorized' }, { status: 401 })
+    }
+
     const body = await request.json()
     const params = GetSystemInfoSchema.parse(body)
 
-    // Validate authentication
     if (!params.password && !params.privateKey) {
       return NextResponse.json(
         { error: 'Either password or privateKey must be provided' },

apps/sim/app/api/tools/ssh/list-directory/route.ts

@@ -3,6 +3,7 @@ import { createLogger } from '@sim/logger'
 import { type NextRequest, NextResponse } from 'next/server'
 import type { Client, FileEntry, SFTPWrapper } from 'ssh2'
 import { z } from 'zod'
+import { checkHybridAuth } from '@/lib/auth/hybrid'
 import {
   createSSHConnection,
   getFileType,
@@ -60,10 +61,15 @@ export async function POST(request: NextRequest) {
   const requestId = randomUUID().slice(0, 8)
 
   try {
+    const auth = await checkHybridAuth(request)
+    if (!auth.success || !auth.userId) {
+      logger.warn(`[${requestId}] Unauthorized SSH list directory attempt`)
+      return NextResponse.json({ error: auth.error || 'Unauthorized' }, { status: 401 })
+    }
+
     const body = await request.json()
     const params = ListDirectorySchema.parse(body)
 
-    // Validate authentication
     if (!params.password && !params.privateKey) {
       return NextResponse.json(
         { error: 'Either password or privateKey must be provided' },

apps/sim/app/api/tools/ssh/move-rename/route.ts

@@ -2,6 +2,7 @@ import { randomUUID } from 'crypto'
 import { createLogger } from '@sim/logger'
 import { type NextRequest, NextResponse } from 'next/server'
 import { z } from 'zod'
+import { checkHybridAuth } from '@/lib/auth/hybrid'
 import {
   createSSHConnection,
   escapeShellArg,
@@ -27,9 +28,16 @@ export async function POST(request: NextRequest) {
   const requestId = randomUUID().slice(0, 8)
 
   try {
+    const auth = await checkHybridAuth(request)
+    if (!auth.success || !auth.userId) {
+      logger.warn(`[${requestId}] Unauthorized SSH move/rename attempt`)
+      return NextResponse.json({ error: auth.error || 'Unauthorized' }, { status: 401 })
+    }
+
     const body = await request.json()
     const params = MoveRenameSchema.parse(body)
 
+    // Validate SSH authentication
     if (!params.password && !params.privateKey) {
       return NextResponse.json(
         { error: 'Either password or privateKey must be provided' },

apps/sim/app/api/tools/ssh/read-file-content/route.ts

@@ -3,6 +3,7 @@ import { createLogger } from '@sim/logger'
 import { type NextRequest, NextResponse } from 'next/server'
 import type { Client, SFTPWrapper } from 'ssh2'
 import { z } from 'zod'
+import { checkHybridAuth } from '@/lib/auth/hybrid'
 import { createSSHConnection, sanitizePath } from '@/app/api/tools/ssh/utils'
 
 const logger = createLogger('SSHReadFileContentAPI')
@@ -35,6 +36,12 @@ export async function POST(request: NextRequest) {
   const requestId = randomUUID().slice(0, 8)
 
   try {
+    const auth = await checkHybridAuth(request)
+    if (!auth.success || !auth.userId) {
+      logger.warn(`[${requestId}] Unauthorized SSH read file content attempt`)
+      return NextResponse.json({ error: auth.error || 'Unauthorized' }, { status: 401 })
+    }
+
     const body = await request.json()
     const params = ReadFileContentSchema.parse(body)
 

apps/sim/app/api/tools/ssh/upload-file/route.ts

@@ -3,6 +3,7 @@ import { createLogger } from '@sim/logger'
 import { type NextRequest, NextResponse } from 'next/server'
 import type { Client, SFTPWrapper } from 'ssh2'
 import { z } from 'zod'
+import { checkHybridAuth } from '@/lib/auth/hybrid'
 import { createSSHConnection, sanitizePath } from '@/app/api/tools/ssh/utils'
 
 const logger = createLogger('SSHUploadFileAPI')
@@ -37,6 +38,12 @@ export async function POST(request: NextRequest) {
   const requestId = randomUUID().slice(0, 8)
 
   try {
+    const auth = await checkHybridAuth(request)
+    if (!auth.success || !auth.userId) {
+      logger.warn(`[${requestId}] Unauthorized SSH upload file attempt`)
+      return NextResponse.json({ error: auth.error || 'Unauthorized' }, { status: 401 })
+    }
+
     const body = await request.json()
     const params = UploadFileSchema.parse(body)
 

apps/sim/app/api/tools/ssh/write-file-content/route.ts

@@ -3,6 +3,7 @@ import { createLogger } from '@sim/logger'
 import { type NextRequest, NextResponse } from 'next/server'
 import type { Client, SFTPWrapper } from 'ssh2'
 import { z } from 'zod'
+import { checkHybridAuth } from '@/lib/auth/hybrid'
 import { createSSHConnection, sanitizePath } from '@/app/api/tools/ssh/utils'
 
 const logger = createLogger('SSHWriteFileContentAPI')
@@ -36,10 +37,15 @@ export async function POST(request: NextRequest) {
   const requestId = randomUUID().slice(0, 8)
 
   try {
+    const auth = await checkHybridAuth(request)
+    if (!auth.success || !auth.userId) {
+      logger.warn(`[${requestId}] Unauthorized SSH write file content attempt`)
+      return NextResponse.json({ error: auth.error || 'Unauthorized' }, { status: 401 })
+    }
+
     const body = await request.json()
     const params = WriteFileContentSchema.parse(body)
 
-    // Validate authentication
     if (!params.password && !params.privateKey) {
       return NextResponse.json(
         { error: 'Either password or privateKey must be provided' },

apps/sim/app/api/tools/textract/parse/route.ts

@@ -0,0 +1,637 @@
+import crypto from 'crypto'
+import { createLogger } from '@sim/logger'
+import { type NextRequest, NextResponse } from 'next/server'
+import { z } from 'zod'
+import { checkHybridAuth } from '@/lib/auth/hybrid'
+import {
+  validateAwsRegion,
+  validateExternalUrl,
+  validateS3BucketName,
+} from '@/lib/core/security/input-validation'
+import { generateRequestId } from '@/lib/core/utils/request'
+import { StorageService } from '@/lib/uploads'
+import {
+  extractStorageKey,
+  inferContextFromKey,
+  isInternalFileUrl,
+} from '@/lib/uploads/utils/file-utils'
+import { verifyFileAccess } from '@/app/api/files/authorization'
+
+export const dynamic = 'force-dynamic'
+export const maxDuration = 300 // 5 minutes for large multi-page PDF processing
+
+const logger = createLogger('TextractParseAPI')
+
+const QuerySchema = z.object({
+  Text: z.string().min(1),
+  Alias: z.string().optional(),
+  Pages: z.array(z.string()).optional(),
+})
+
+const TextractParseSchema = z
+  .object({
+    accessKeyId: z.string().min(1, 'AWS Access Key ID is required'),
+    secretAccessKey: z.string().min(1, 'AWS Secret Access Key is required'),
+    region: z.string().min(1, 'AWS region is required'),
+    processingMode: z.enum(['sync', 'async']).optional().default('sync'),
+    filePath: z.string().optional(),
+    s3Uri: z.string().optional(),
+    featureTypes: z
+      .array(z.enum(['TABLES', 'FORMS', 'QUERIES', 'SIGNATURES', 'LAYOUT']))
+      .optional(),
+    queries: z.array(QuerySchema).optional(),
+  })
+  .superRefine((data, ctx) => {
+    const regionValidation = validateAwsRegion(data.region, 'AWS region')
+    if (!regionValidation.isValid) {
+      ctx.addIssue({
+        code: z.ZodIssueCode.custom,
+        message: regionValidation.error,
+        path: ['region'],
+      })
+    }
+  })
+
+function getSignatureKey(
+  key: string,
+  dateStamp: string,
+  regionName: string,
+  serviceName: string
+): Buffer {
+  const kDate = crypto.createHmac('sha256', `AWS4${key}`).update(dateStamp).digest()
+  const kRegion = crypto.createHmac('sha256', kDate).update(regionName).digest()
+  const kService = crypto.createHmac('sha256', kRegion).update(serviceName).digest()
+  const kSigning = crypto.createHmac('sha256', kService).update('aws4_request').digest()
+  return kSigning
+}
+
+function signAwsRequest(
+  method: string,
+  host: string,
+  uri: string,
+  body: string,
+  accessKeyId: string,
+  secretAccessKey: string,
+  region: string,
+  service: string,
+  amzTarget: string
+): Record<string, string> {
+  const date = new Date()
+  const amzDate = date.toISOString().replace(/[:-]|\.\d{3}/g, '')
+  const dateStamp = amzDate.slice(0, 8)
+
+  const payloadHash = crypto.createHash('sha256').update(body).digest('hex')
+
+  const canonicalHeaders =
+    `content-type:application/x-amz-json-1.1\n` +
+    `host:${host}\n` +
+    `x-amz-date:${amzDate}\n` +
+    `x-amz-target:${amzTarget}\n`
+
+  const signedHeaders = 'content-type;host;x-amz-date;x-amz-target'
+
+  const canonicalRequest = `${method}\n${uri}\n\n${canonicalHeaders}\n${signedHeaders}\n${payloadHash}`
+
+  const algorithm = 'AWS4-HMAC-SHA256'
+  const credentialScope = `${dateStamp}/${region}/${service}/aws4_request`
+  const stringToSign = `${algorithm}\n${amzDate}\n${credentialScope}\n${crypto.createHash('sha256').update(canonicalRequest).digest('hex')}`
+
+  const signingKey = getSignatureKey(secretAccessKey, dateStamp, region, service)
+  const signature = crypto.createHmac('sha256', signingKey).update(stringToSign).digest('hex')
+
+  const authorizationHeader = `${algorithm} Credential=${accessKeyId}/${credentialScope}, SignedHeaders=${signedHeaders}, Signature=${signature}`
+
+  return {
+    'Content-Type': 'application/x-amz-json-1.1',
+    Host: host,
+    'X-Amz-Date': amzDate,
+    'X-Amz-Target': amzTarget,
+    Authorization: authorizationHeader,
+  }
+}
+
+async function fetchDocumentBytes(url: string): Promise<{ bytes: string; contentType: string }> {
+  const response = await fetch(url)
+  if (!response.ok) {
+    throw new Error(`Failed to fetch document: ${response.statusText}`)
+  }
+
+  const arrayBuffer = await response.arrayBuffer()
+  const bytes = Buffer.from(arrayBuffer).toString('base64')
+  const contentType = response.headers.get('content-type') || 'application/octet-stream'
+
+  return { bytes, contentType }
+}
+
+function parseS3Uri(s3Uri: string): { bucket: string; key: string } {
+  const match = s3Uri.match(/^s3:\/\/([^/]+)\/(.+)$/)
+  if (!match) {
+    throw new Error(
+      `Invalid S3 URI format: ${s3Uri}. Expected format: s3://bucket-name/path/to/object`
+    )
+  }
+
+  const bucket = match[1]
+  const key = match[2]
+
+  const bucketValidation = validateS3BucketName(bucket, 'S3 bucket name')
+  if (!bucketValidation.isValid) {
+    throw new Error(bucketValidation.error)
+  }
+
+  if (key.includes('..') || key.startsWith('/')) {
+    throw new Error('S3 key contains invalid path traversal sequences')
+  }
+
+  return { bucket, key }
+}
+
+function sleep(ms: number): Promise<void> {
+  return new Promise((resolve) => setTimeout(resolve, ms))
+}
+
+async function callTextractAsync(
+  host: string,
+  amzTarget: string,
+  body: Record<string, unknown>,
+  accessKeyId: string,
+  secretAccessKey: string,
+  region: string
+): Promise<Record<string, unknown>> {
+  const bodyString = JSON.stringify(body)
+  const headers = signAwsRequest(
+    'POST',
+    host,
+    '/',
+    bodyString,
+    accessKeyId,
+    secretAccessKey,
+    region,
+    'textract',
+    amzTarget
+  )
+
+  const response = await fetch(`https://${host}/`, {
+    method: 'POST',
+    headers,
+    body: bodyString,
+  })
+
+  if (!response.ok) {
+    const errorText = await response.text()
+    let errorMessage = `Textract API error: ${response.statusText}`
+    try {
+      const errorJson = JSON.parse(errorText)
+      if (errorJson.Message) {
+        errorMessage = errorJson.Message
+      } else if (errorJson.__type) {
+        errorMessage = `${errorJson.__type}: ${errorJson.message || errorText}`
+      }
+    } catch {
+      // Use default error message
+    }
+    throw new Error(errorMessage)
+  }
+
+  return response.json()
+}
+
+async function pollForJobCompletion(
+  host: string,
+  jobId: string,
+  accessKeyId: string,
+  secretAccessKey: string,
+  region: string,
+  useAnalyzeDocument: boolean,
+  requestId: string
+): Promise<Record<string, unknown>> {
+  const pollIntervalMs = 5000 // 5 seconds between polls
+  const maxPollTimeMs = 180000 // 3 minutes maximum polling time
+  const maxAttempts = Math.ceil(maxPollTimeMs / pollIntervalMs)
+
+  const getTarget = useAnalyzeDocument
+    ? 'Textract.GetDocumentAnalysis'
+    : 'Textract.GetDocumentTextDetection'
+
+  for (let attempt = 0; attempt < maxAttempts; attempt++) {
+    const result = await callTextractAsync(
+      host,
+      getTarget,
+      { JobId: jobId },
+      accessKeyId,
+      secretAccessKey,
+      region
+    )
+
+    const jobStatus = result.JobStatus as string
+
+    if (jobStatus === 'SUCCEEDED') {
+      logger.info(`[${requestId}] Async job completed successfully after ${attempt + 1} polls`)
+
+      let allBlocks = (result.Blocks as unknown[]) || []
+      let nextToken = result.NextToken as string | undefined
+
+      while (nextToken) {
+        const nextResult = await callTextractAsync(
+          host,
+          getTarget,
+          { JobId: jobId, NextToken: nextToken },
+          accessKeyId,
+          secretAccessKey,
+          region
+        )
+        allBlocks = allBlocks.concat((nextResult.Blocks as unknown[]) || [])
+        nextToken = nextResult.NextToken as string | undefined
+      }
+
+      return {
+        ...result,
+        Blocks: allBlocks,
+      }
+    }
+
+    if (jobStatus === 'FAILED') {
+      throw new Error(`Textract job failed: ${result.StatusMessage || 'Unknown error'}`)
+    }
+
+    if (jobStatus === 'PARTIAL_SUCCESS') {
+      logger.warn(`[${requestId}] Job completed with partial success: ${result.StatusMessage}`)
+
+      let allBlocks = (result.Blocks as unknown[]) || []
+      let nextToken = result.NextToken as string | undefined
+
+      while (nextToken) {
+        const nextResult = await callTextractAsync(
+          host,
+          getTarget,
+          { JobId: jobId, NextToken: nextToken },
+          accessKeyId,
+          secretAccessKey,
+          region
+        )
+        allBlocks = allBlocks.concat((nextResult.Blocks as unknown[]) || [])
+        nextToken = nextResult.NextToken as string | undefined
+      }
+
+      return {
+        ...result,
+        Blocks: allBlocks,
+      }
+    }
+
+    logger.info(`[${requestId}] Job status: ${jobStatus}, attempt ${attempt + 1}/${maxAttempts}`)
+    await sleep(pollIntervalMs)
+  }
+
+  throw new Error(
+    `Timeout waiting for Textract job to complete (max ${maxPollTimeMs / 1000} seconds)`
+  )
+}
+
+export async function POST(request: NextRequest) {
+  const requestId = generateRequestId()
+
+  try {
+    const authResult = await checkHybridAuth(request, { requireWorkflowId: false })
+
+    if (!authResult.success || !authResult.userId) {
+      logger.warn(`[${requestId}] Unauthorized Textract parse attempt`, {
+        error: authResult.error || 'Missing userId',
+      })
+      return NextResponse.json(
+        {
+          success: false,
+          error: authResult.error || 'Unauthorized',
+        },
+        { status: 401 }
+      )
+    }
+
+    const userId = authResult.userId
+    const body = await request.json()
+    const validatedData = TextractParseSchema.parse(body)
+
+    const processingMode = validatedData.processingMode || 'sync'
+    const featureTypes = validatedData.featureTypes ?? []
+    const useAnalyzeDocument = featureTypes.length > 0
+    const host = `textract.${validatedData.region}.amazonaws.com`
+
+    logger.info(`[${requestId}] Textract parse request`, {
+      processingMode,
+      filePath: validatedData.filePath?.substring(0, 50),
+      s3Uri: validatedData.s3Uri?.substring(0, 50),
+      featureTypes,
+      userId,
+    })
+
+    if (processingMode === 'async') {
+      if (!validatedData.s3Uri) {
+        return NextResponse.json(
+          {
+            success: false,
+            error: 'S3 URI is required for multi-page processing (s3://bucket/key)',
+          },
+          { status: 400 }
+        )
+      }
+
+      const { bucket: s3Bucket, key: s3Key } = parseS3Uri(validatedData.s3Uri)
+
+      logger.info(`[${requestId}] Starting async Textract job`, { s3Bucket, s3Key })
+
+      const startTarget = useAnalyzeDocument
+        ? 'Textract.StartDocumentAnalysis'
+        : 'Textract.StartDocumentTextDetection'
+
+      const startBody: Record<string, unknown> = {
+        DocumentLocation: {
+          S3Object: {
+            Bucket: s3Bucket,
+            Name: s3Key,
+          },
+        },
+      }
+
+      if (useAnalyzeDocument) {
+        startBody.FeatureTypes = featureTypes
+
+        if (
+          validatedData.queries &&
+          validatedData.queries.length > 0 &&
+          featureTypes.includes('QUERIES')
+        ) {
+          startBody.QueriesConfig = {
+            Queries: validatedData.queries.map((q) => ({
+              Text: q.Text,
+              Alias: q.Alias,
+              Pages: q.Pages,
+            })),
+          }
+        }
+      }
+
+      const startResult = await callTextractAsync(
+        host,
+        startTarget,
+        startBody,
+        validatedData.accessKeyId,
+        validatedData.secretAccessKey,
+        validatedData.region
+      )
+
+      const jobId = startResult.JobId as string
+      if (!jobId) {
+        throw new Error('Failed to start Textract job: No JobId returned')
+      }
+
+      logger.info(`[${requestId}] Async job started`, { jobId })
+
+      const textractData = await pollForJobCompletion(
+        host,
+        jobId,
+        validatedData.accessKeyId,
+        validatedData.secretAccessKey,
+        validatedData.region,
+        useAnalyzeDocument,
+        requestId
+      )
+
+      logger.info(`[${requestId}] Textract async parse successful`, {
+        pageCount: (textractData.DocumentMetadata as { Pages?: number })?.Pages ?? 0,
+        blockCount: (textractData.Blocks as unknown[])?.length ?? 0,
+      })
+
+      return NextResponse.json({
+        success: true,
+        output: {
+          blocks: textractData.Blocks ?? [],
+          documentMetadata: {
+            pages: (textractData.DocumentMetadata as { Pages?: number })?.Pages ?? 0,
+          },
+          modelVersion: (textractData.AnalyzeDocumentModelVersion ??
+            textractData.DetectDocumentTextModelVersion) as string | undefined,
+        },
+      })
+    }
+
+    if (!validatedData.filePath) {
+      return NextResponse.json(
+        {
+          success: false,
+          error: 'File path is required for single-page processing',
+        },
+        { status: 400 }
+      )
+    }
+
+    let fileUrl = validatedData.filePath
+
+    const isInternalFilePath = validatedData.filePath && isInternalFileUrl(validatedData.filePath)
+
+    if (isInternalFilePath) {
+      try {
+        const storageKey = extractStorageKey(validatedData.filePath)
+        const context = inferContextFromKey(storageKey)
+
+        const hasAccess = await verifyFileAccess(storageKey, userId, undefined, context, false)
+
+        if (!hasAccess) {
+          logger.warn(`[${requestId}] Unauthorized presigned URL generation attempt`, {
+            userId,
+            key: storageKey,
+            context,
+          })
+          return NextResponse.json(
+            {
+              success: false,
+              error: 'File not found',
+            },
+            { status: 404 }
+          )
+        }
+
+        fileUrl = await StorageService.generatePresignedDownloadUrl(storageKey, context, 5 * 60)
+        logger.info(`[${requestId}] Generated presigned URL for ${context} file`)
+      } catch (error) {
+        logger.error(`[${requestId}] Failed to generate presigned URL:`, error)
+        return NextResponse.json(
+          {
+            success: false,
+            error: 'Failed to generate file access URL',
+          },
+          { status: 500 }
+        )
+      }
+    } else if (validatedData.filePath?.startsWith('/')) {
+      // Reject arbitrary absolute paths that don't contain /api/files/serve/
+      logger.warn(`[${requestId}] Invalid internal path`, {
+        userId,
+        path: validatedData.filePath.substring(0, 50),
+      })
+      return NextResponse.json(
+        {
+          success: false,
+          error: 'Invalid file path. Only uploaded files are supported for internal paths.',
+        },
+        { status: 400 }
+      )
+    } else {
+      const urlValidation = validateExternalUrl(fileUrl, 'Document URL')
+      if (!urlValidation.isValid) {
+        logger.warn(`[${requestId}] SSRF attempt blocked`, {
+          userId,
+          url: fileUrl.substring(0, 100),
+          error: urlValidation.error,
+        })
+        return NextResponse.json(
+          {
+            success: false,
+            error: urlValidation.error,
+          },
+          { status: 400 }
+        )
+      }
+    }
+
+    const { bytes, contentType } = await fetchDocumentBytes(fileUrl)
+
+    // Track if this is a PDF for better error messaging
+    const isPdf = contentType.includes('pdf') || fileUrl.toLowerCase().endsWith('.pdf')
+
+    const uri = '/'
+
+    let textractBody: Record<string, unknown>
+    let amzTarget: string
+
+    if (useAnalyzeDocument) {
+      amzTarget = 'Textract.AnalyzeDocument'
+      textractBody = {
+        Document: {
+          Bytes: bytes,
+        },
+        FeatureTypes: featureTypes,
+      }
+
+      if (
+        validatedData.queries &&
+        validatedData.queries.length > 0 &&
+        featureTypes.includes('QUERIES')
+      ) {
+        textractBody.QueriesConfig = {
+          Queries: validatedData.queries.map((q) => ({
+            Text: q.Text,
+            Alias: q.Alias,
+            Pages: q.Pages,
+          })),
+        }
+      }
+    } else {
+      amzTarget = 'Textract.DetectDocumentText'
+      textractBody = {
+        Document: {
+          Bytes: bytes,
+        },
+      }
+    }
+
+    const bodyString = JSON.stringify(textractBody)
+
+    const headers = signAwsRequest(
+      'POST',
+      host,
+      uri,
+      bodyString,
+      validatedData.accessKeyId,
+      validatedData.secretAccessKey,
+      validatedData.region,
+      'textract',
+      amzTarget
+    )
+
+    const textractResponse = await fetch(`https://${host}${uri}`, {
+      method: 'POST',
+      headers,
+      body: bodyString,
+    })
+
+    if (!textractResponse.ok) {
+      const errorText = await textractResponse.text()
+      logger.error(`[${requestId}] Textract API error:`, errorText)
+
+      let errorMessage = `Textract API error: ${textractResponse.statusText}`
+      let isUnsupportedFormat = false
+      try {
+        const errorJson = JSON.parse(errorText)
+        if (errorJson.Message) {
+          errorMessage = errorJson.Message
+        } else if (errorJson.__type) {
+          errorMessage = `${errorJson.__type}: ${errorJson.message || errorText}`
+        }
+        // Check for unsupported document format error
+        isUnsupportedFormat =
+          errorJson.__type === 'UnsupportedDocumentException' ||
+          errorJson.Message?.toLowerCase().includes('unsupported document') ||
+          errorText.toLowerCase().includes('unsupported document')
+      } catch {
+        isUnsupportedFormat = errorText.toLowerCase().includes('unsupported document')
+      }
+
+      // Provide helpful message for unsupported format (likely multi-page PDF)
+      if (isUnsupportedFormat && isPdf) {
+        errorMessage =
+          'This document format is not supported in Single Page mode. If this is a multi-page PDF, please use "Multi-Page (PDF, TIFF via S3)" mode instead, which requires uploading your document to S3 first. Single Page mode only supports JPEG, PNG, and single-page PDF files.'
+      }
+
+      return NextResponse.json(
+        {
+          success: false,
+          error: errorMessage,
+        },
+        { status: textractResponse.status }
+      )
+    }
+
+    const textractData = await textractResponse.json()
+
+    logger.info(`[${requestId}] Textract parse successful`, {
+      pageCount: textractData.DocumentMetadata?.Pages ?? 0,
+      blockCount: textractData.Blocks?.length ?? 0,
+    })
+
+    return NextResponse.json({
+      success: true,
+      output: {
+        blocks: textractData.Blocks ?? [],
+        documentMetadata: {
+          pages: textractData.DocumentMetadata?.Pages ?? 0,
+        },
+        modelVersion:
+          textractData.AnalyzeDocumentModelVersion ??
+          textractData.DetectDocumentTextModelVersion ??
+          undefined,
+      },
+    })
+  } catch (error) {
+    if (error instanceof z.ZodError) {
+      logger.warn(`[${requestId}] Invalid request data`, { errors: error.errors })
+      return NextResponse.json(
+        {
+          success: false,
+          error: 'Invalid request data',
+          details: error.errors,
+        },
+        { status: 400 }
+      )
+    }
+
+    logger.error(`[${requestId}] Error in Textract parse:`, error)
+
+    return NextResponse.json(
+      {
+        success: false,
+        error: error instanceof Error ? error.message : 'Internal server error',
+      },
+      { status: 500 }
+    )
+  }
+}

apps/sim/app/api/v1/admin/credits/route.ts

@@ -0,0 +1,211 @@
+/**
+ * POST /api/v1/admin/credits
+ *
+ * Issue credits to a user by user ID or email.
+ *
+ * Body:
+ *   - userId?: string - The user ID to issue credits to
+ *   - email?: string - The user email to issue credits to (alternative to userId)
+ *   - amount: number - The amount of credits to issue (in dollars)
+ *   - reason?: string - Reason for issuing credits (for audit logging)
+ *
+ * Response: AdminSingleResponse<{
+ *   success: true,
+ *   entityType: 'user' | 'organization',
+ *   entityId: string,
+ *   amount: number,
+ *   newCreditBalance: number,
+ *   newUsageLimit: number,
+ * }>
+ *
+ * For Pro users: credits are added to user_stats.credit_balance
+ * For Team users: credits are added to organization.credit_balance
+ * Usage limits are updated accordingly to allow spending the credits.
+ */
+
+import { db } from '@sim/db'
+import { organization, subscription, user, userStats } from '@sim/db/schema'
+import { createLogger } from '@sim/logger'
+import { and, eq } from 'drizzle-orm'
+import { nanoid } from 'nanoid'
+import { getHighestPrioritySubscription } from '@/lib/billing/core/subscription'
+import { addCredits } from '@/lib/billing/credits/balance'
+import { setUsageLimitForCredits } from '@/lib/billing/credits/purchase'
+import { getEffectiveSeats } from '@/lib/billing/subscriptions/utils'
+import { withAdminAuth } from '@/app/api/v1/admin/middleware'
+import {
+  badRequestResponse,
+  internalErrorResponse,
+  notFoundResponse,
+  singleResponse,
+} from '@/app/api/v1/admin/responses'
+
+const logger = createLogger('AdminCreditsAPI')
+
+export const POST = withAdminAuth(async (request) => {
+  try {
+    const body = await request.json()
+    const { userId, email, amount, reason } = body
+
+    if (!userId && !email) {
+      return badRequestResponse('Either userId or email is required')
+    }
+
+    if (userId && typeof userId !== 'string') {
+      return badRequestResponse('userId must be a string')
+    }
+
+    if (email && typeof email !== 'string') {
+      return badRequestResponse('email must be a string')
+    }
+
+    if (typeof amount !== 'number' || !Number.isFinite(amount) || amount <= 0) {
+      return badRequestResponse('amount must be a positive number')
+    }
+
+    let resolvedUserId: string
+    let userEmail: string | null = null
+
+    if (userId) {
+      const [userData] = await db
+        .select({ id: user.id, email: user.email })
+        .from(user)
+        .where(eq(user.id, userId))
+        .limit(1)
+
+      if (!userData) {
+        return notFoundResponse('User')
+      }
+      resolvedUserId = userData.id
+      userEmail = userData.email
+    } else {
+      const normalizedEmail = email.toLowerCase().trim()
+      const [userData] = await db
+        .select({ id: user.id, email: user.email })
+        .from(user)
+        .where(eq(user.email, normalizedEmail))
+        .limit(1)
+
+      if (!userData) {
+        return notFoundResponse('User with email')
+      }
+      resolvedUserId = userData.id
+      userEmail = userData.email
+    }
+
+    const userSubscription = await getHighestPrioritySubscription(resolvedUserId)
+
+    if (!userSubscription || !['pro', 'team', 'enterprise'].includes(userSubscription.plan)) {
+      return badRequestResponse(
+        'User must have an active Pro, Team, or Enterprise subscription to receive credits'
+      )
+    }
+
+    let entityType: 'user' | 'organization'
+    let entityId: string
+    const plan = userSubscription.plan
+    let seats: number | null = null
+
+    if (plan === 'team' || plan === 'enterprise') {
+      entityType = 'organization'
+      entityId = userSubscription.referenceId
+
+      const [orgExists] = await db
+        .select({ id: organization.id })
+        .from(organization)
+        .where(eq(organization.id, entityId))
+        .limit(1)
+
+      if (!orgExists) {
+        return notFoundResponse('Organization')
+      }
+
+      const [subData] = await db
+        .select()
+        .from(subscription)
+        .where(and(eq(subscription.referenceId, entityId), eq(subscription.status, 'active')))
+        .limit(1)
+
+      seats = getEffectiveSeats(subData)
+    } else {
+      entityType = 'user'
+      entityId = resolvedUserId
+
+      const [existingStats] = await db
+        .select({ id: userStats.id })
+        .from(userStats)
+        .where(eq(userStats.userId, entityId))
+        .limit(1)
+
+      if (!existingStats) {
+        await db.insert(userStats).values({
+          id: nanoid(),
+          userId: entityId,
+        })
+      }
+    }
+
+    await addCredits(entityType, entityId, amount)
+
+    let newCreditBalance: number
+    if (entityType === 'organization') {
+      const [orgData] = await db
+        .select({ creditBalance: organization.creditBalance })
+        .from(organization)
+        .where(eq(organization.id, entityId))
+        .limit(1)
+      newCreditBalance = Number.parseFloat(orgData?.creditBalance || '0')
+    } else {
+      const [stats] = await db
+        .select({ creditBalance: userStats.creditBalance })
+        .from(userStats)
+        .where(eq(userStats.userId, entityId))
+        .limit(1)
+      newCreditBalance = Number.parseFloat(stats?.creditBalance || '0')
+    }
+
+    await setUsageLimitForCredits(entityType, entityId, plan, seats, newCreditBalance)
+
+    let newUsageLimit: number
+    if (entityType === 'organization') {
+      const [orgData] = await db
+        .select({ orgUsageLimit: organization.orgUsageLimit })
+        .from(organization)
+        .where(eq(organization.id, entityId))
+        .limit(1)
+      newUsageLimit = Number.parseFloat(orgData?.orgUsageLimit || '0')
+    } else {
+      const [stats] = await db
+        .select({ currentUsageLimit: userStats.currentUsageLimit })
+        .from(userStats)
+        .where(eq(userStats.userId, entityId))
+        .limit(1)
+      newUsageLimit = Number.parseFloat(stats?.currentUsageLimit || '0')
+    }
+
+    logger.info('Admin API: Issued credits', {
+      resolvedUserId,
+      userEmail,
+      entityType,
+      entityId,
+      amount,
+      newCreditBalance,
+      newUsageLimit,
+      reason: reason || 'No reason provided',
+    })
+
+    return singleResponse({
+      success: true,
+      userId: resolvedUserId,
+      userEmail,
+      entityType,
+      entityId,
+      amount,
+      newCreditBalance,
+      newUsageLimit,
+    })
+  } catch (error) {
+    logger.error('Admin API: Failed to issue credits', { error })
+    return internalErrorResponse('Failed to issue credits')
+  }
+})

apps/sim/app/api/v1/admin/index.ts

@@ -63,6 +63,9 @@
  *   GET    /api/v1/admin/subscriptions/:id                  - Get subscription details
  *   DELETE /api/v1/admin/subscriptions/:id                  - Cancel subscription (?atPeriodEnd=true for scheduled)
  *
+ *   Credits:
+ *   POST   /api/v1/admin/credits                            - Issue credits to user (by userId or email)
+ *
  *   Access Control (Permission Groups):
  *   GET    /api/v1/admin/access-control                     - List permission groups (?organizationId=X)
  *   DELETE /api/v1/admin/access-control                     - Delete permission groups for org (?organizationId=X)

apps/sim/app/api/v1/admin/types.ts

@@ -640,6 +640,7 @@ export interface AdminDeployResult {
   isDeployed: boolean
   version: number
   deployedAt: string
+  warnings?: string[]
 }
 
 export interface AdminUndeployResult {

apps/sim/app/api/v1/admin/workflows/[id]/deploy/route.ts

@@ -1,14 +1,23 @@
-import { db, workflow } from '@sim/db'
+import { db, workflow, workflowDeploymentVersion } from '@sim/db'
 import { createLogger } from '@sim/logger'
-import { eq } from 'drizzle-orm'
+import { and, eq } from 'drizzle-orm'
 import { generateRequestId } from '@/lib/core/utils/request'
-import { cleanupWebhooksForWorkflow } from '@/lib/webhooks/deploy'
+import { removeMcpToolsForWorkflow, syncMcpToolsForWorkflow } from '@/lib/mcp/workflow-mcp-sync'
+import {
+  cleanupWebhooksForWorkflow,
+  restorePreviousVersionWebhooks,
+  saveTriggerWebhooksForDeploy,
+} from '@/lib/webhooks/deploy'
 import {
   deployWorkflow,
   loadWorkflowFromNormalizedTables,
   undeployWorkflow,
 } from '@/lib/workflows/persistence/utils'
-import { createSchedulesForDeploy, validateWorkflowSchedules } from '@/lib/workflows/schedules'
+import {
+  cleanupDeploymentVersion,
+  createSchedulesForDeploy,
+  validateWorkflowSchedules,
+} from '@/lib/workflows/schedules'
 import { withAdminAuthParams } from '@/app/api/v1/admin/middleware'
 import {
   badRequestResponse,
@@ -28,10 +37,11 @@ interface RouteParams {
 
 export const POST = withAdminAuthParams<RouteParams>(async (request, context) => {
   const { id: workflowId } = await context.params
+  const requestId = generateRequestId()
 
   try {
     const [workflowRecord] = await db
-      .select({ id: workflow.id, name: workflow.name })
+      .select()
       .from(workflow)
       .where(eq(workflow.id, workflowId))
       .limit(1)
@@ -50,6 +60,18 @@ export const POST = withAdminAuthParams<RouteParams>(async (request, context) =>
       return badRequestResponse(`Invalid schedule configuration: ${scheduleValidation.error}`)
     }
 
+    const [currentActiveVersion] = await db
+      .select({ id: workflowDeploymentVersion.id })
+      .from(workflowDeploymentVersion)
+      .where(
+        and(
+          eq(workflowDeploymentVersion.workflowId, workflowId),
+          eq(workflowDeploymentVersion.isActive, true)
+        )
+      )
+      .limit(1)
+    const previousVersionId = currentActiveVersion?.id
+
     const deployResult = await deployWorkflow({
       workflowId,
       deployedBy: ADMIN_ACTOR_ID,
@@ -65,6 +87,32 @@ export const POST = withAdminAuthParams<RouteParams>(async (request, context) =>
       return internalErrorResponse('Failed to resolve deployment version')
     }
 
+    const workflowData = workflowRecord as Record<string, unknown>
+
+    const triggerSaveResult = await saveTriggerWebhooksForDeploy({
+      request,
+      workflowId,
+      workflow: workflowData,
+      userId: workflowRecord.userId,
+      blocks: normalizedData.blocks,
+      requestId,
+      deploymentVersionId: deployResult.deploymentVersionId,
+      previousVersionId,
+    })
+
+    if (!triggerSaveResult.success) {
+      await cleanupDeploymentVersion({
+        workflowId,
+        workflow: workflowData,
+        requestId,
+        deploymentVersionId: deployResult.deploymentVersionId,
+      })
+      await undeployWorkflow({ workflowId })
+      return internalErrorResponse(
+        triggerSaveResult.error?.message || 'Failed to sync trigger configuration'
+      )
+    }
+
     const scheduleResult = await createSchedulesForDeploy(
       workflowId,
       normalizedData.blocks,
@@ -72,15 +120,58 @@ export const POST = withAdminAuthParams<RouteParams>(async (request, context) =>
       deployResult.deploymentVersionId
     )
     if (!scheduleResult.success) {
-      logger.warn(`Schedule creation failed for workflow ${workflowId}: ${scheduleResult.error}`)
+      logger.error(
+        `[${requestId}] Admin API: Schedule creation failed for workflow ${workflowId}: ${scheduleResult.error}`
+      )
+      await cleanupDeploymentVersion({
+        workflowId,
+        workflow: workflowData,
+        requestId,
+        deploymentVersionId: deployResult.deploymentVersionId,
+      })
+      if (previousVersionId) {
+        await restorePreviousVersionWebhooks({
+          request,
+          workflow: workflowData,
+          userId: workflowRecord.userId,
+          previousVersionId,
+          requestId,
+        })
+      }
+      await undeployWorkflow({ workflowId })
+      return internalErrorResponse(scheduleResult.error || 'Failed to create schedule')
     }
 
-    logger.info(`Admin API: Deployed workflow ${workflowId} as v${deployResult.version}`)
+    if (previousVersionId && previousVersionId !== deployResult.deploymentVersionId) {
+      try {
+        logger.info(`[${requestId}] Admin API: Cleaning up previous version ${previousVersionId}`)
+        await cleanupDeploymentVersion({
+          workflowId,
+          workflow: workflowData,
+          requestId,
+          deploymentVersionId: previousVersionId,
+          skipExternalCleanup: true,
+        })
+      } catch (cleanupError) {
+        logger.error(
+          `[${requestId}] Admin API: Failed to clean up previous version ${previousVersionId}`,
+          cleanupError
+        )
+      }
+    }
+
+    logger.info(
+      `[${requestId}] Admin API: Deployed workflow ${workflowId} as v${deployResult.version}`
+    )
+
+    // Sync MCP tools with the latest parameter schema
+    await syncMcpToolsForWorkflow({ workflowId, requestId, context: 'deploy' })
 
     const response: AdminDeployResult = {
       isDeployed: true,
       version: deployResult.version!,
       deployedAt: deployResult.deployedAt!.toISOString(),
+      warnings: triggerSaveResult.warnings,
     }
 
     return singleResponse(response)
@@ -105,7 +196,6 @@ export const DELETE = withAdminAuthParams<RouteParams>(async (request, context)
       return notFoundResponse('Workflow')
     }
 
-    // Clean up external webhook subscriptions before undeploying
     await cleanupWebhooksForWorkflow(
       workflowId,
       workflowRecord as Record<string, unknown>,
@@ -117,6 +207,8 @@ export const DELETE = withAdminAuthParams<RouteParams>(async (request, context)
       return internalErrorResponse(result.error || 'Failed to undeploy workflow')
     }
 
+    await removeMcpToolsForWorkflow(workflowId, requestId)
+
     logger.info(`Admin API: Undeployed workflow ${workflowId}`)
 
     const response: AdminUndeployResult = {

apps/sim/app/api/v1/admin/workflows/[id]/versions/[versionId]/activate/route.ts

@@ -1,7 +1,15 @@
-import { db, workflow } from '@sim/db'
+import { db, workflow, workflowDeploymentVersion } from '@sim/db'
 import { createLogger } from '@sim/logger'
-import { eq } from 'drizzle-orm'
+import { and, eq } from 'drizzle-orm'
+import { generateRequestId } from '@/lib/core/utils/request'
+import { syncMcpToolsForWorkflow } from '@/lib/mcp/workflow-mcp-sync'
+import { restorePreviousVersionWebhooks, saveTriggerWebhooksForDeploy } from '@/lib/webhooks/deploy'
 import { activateWorkflowVersion } from '@/lib/workflows/persistence/utils'
+import {
+  cleanupDeploymentVersion,
+  createSchedulesForDeploy,
+  validateWorkflowSchedules,
+} from '@/lib/workflows/schedules'
 import { withAdminAuthParams } from '@/app/api/v1/admin/middleware'
 import {
   badRequestResponse,
@@ -9,6 +17,7 @@ import {
   notFoundResponse,
   singleResponse,
 } from '@/app/api/v1/admin/responses'
+import type { BlockState } from '@/stores/workflows/workflow/types'
 
 const logger = createLogger('AdminWorkflowActivateVersionAPI')
 
@@ -18,11 +27,12 @@ interface RouteParams {
 }
 
 export const POST = withAdminAuthParams<RouteParams>(async (request, context) => {
+  const requestId = generateRequestId()
   const { id: workflowId, versionId } = await context.params
 
   try {
     const [workflowRecord] = await db
-      .select({ id: workflow.id })
+      .select()
       .from(workflow)
       .where(eq(workflow.id, workflowId))
       .limit(1)
@@ -36,23 +46,161 @@ export const POST = withAdminAuthParams<RouteParams>(async (request, context) =>
       return badRequestResponse('Invalid version number')
     }
 
+    const [versionRow] = await db
+      .select({
+        id: workflowDeploymentVersion.id,
+        state: workflowDeploymentVersion.state,
+      })
+      .from(workflowDeploymentVersion)
+      .where(
+        and(
+          eq(workflowDeploymentVersion.workflowId, workflowId),
+          eq(workflowDeploymentVersion.version, versionNum)
+        )
+      )
+      .limit(1)
+
+    if (!versionRow?.state) {
+      return notFoundResponse('Deployment version')
+    }
+
+    const [currentActiveVersion] = await db
+      .select({ id: workflowDeploymentVersion.id })
+      .from(workflowDeploymentVersion)
+      .where(
+        and(
+          eq(workflowDeploymentVersion.workflowId, workflowId),
+          eq(workflowDeploymentVersion.isActive, true)
+        )
+      )
+      .limit(1)
+
+    const previousVersionId = currentActiveVersion?.id
+
+    const deployedState = versionRow.state as { blocks?: Record<string, BlockState> }
+    const blocks = deployedState.blocks
+    if (!blocks || typeof blocks !== 'object') {
+      return internalErrorResponse('Invalid deployed state structure')
+    }
+
+    const workflowData = workflowRecord as Record<string, unknown>
+
+    const scheduleValidation = validateWorkflowSchedules(blocks)
+    if (!scheduleValidation.isValid) {
+      return badRequestResponse(`Invalid schedule configuration: ${scheduleValidation.error}`)
+    }
+
+    const triggerSaveResult = await saveTriggerWebhooksForDeploy({
+      request,
+      workflowId,
+      workflow: workflowData,
+      userId: workflowRecord.userId,
+      blocks,
+      requestId,
+      deploymentVersionId: versionRow.id,
+      previousVersionId,
+      forceRecreateSubscriptions: true,
+    })
+
+    if (!triggerSaveResult.success) {
+      logger.error(
+        `[${requestId}] Admin API: Failed to sync triggers for workflow ${workflowId}`,
+        triggerSaveResult.error
+      )
+      return internalErrorResponse(
+        triggerSaveResult.error?.message || 'Failed to sync trigger configuration'
+      )
+    }
+
+    const scheduleResult = await createSchedulesForDeploy(workflowId, blocks, db, versionRow.id)
+
+    if (!scheduleResult.success) {
+      await cleanupDeploymentVersion({
+        workflowId,
+        workflow: workflowData,
+        requestId,
+        deploymentVersionId: versionRow.id,
+      })
+      if (previousVersionId) {
+        await restorePreviousVersionWebhooks({
+          request,
+          workflow: workflowData,
+          userId: workflowRecord.userId,
+          previousVersionId,
+          requestId,
+        })
+      }
+      return internalErrorResponse(scheduleResult.error || 'Failed to sync schedules')
+    }
+
     const result = await activateWorkflowVersion({ workflowId, version: versionNum })
     if (!result.success) {
+      await cleanupDeploymentVersion({
+        workflowId,
+        workflow: workflowData,
+        requestId,
+        deploymentVersionId: versionRow.id,
+      })
+      if (previousVersionId) {
+        await restorePreviousVersionWebhooks({
+          request,
+          workflow: workflowData,
+          userId: workflowRecord.userId,
+          previousVersionId,
+          requestId,
+        })
+      }
       if (result.error === 'Deployment version not found') {
         return notFoundResponse('Deployment version')
       }
       return internalErrorResponse(result.error || 'Failed to activate version')
     }
 
-    logger.info(`Admin API: Activated version ${versionNum} for workflow ${workflowId}`)
+    if (previousVersionId && previousVersionId !== versionRow.id) {
+      try {
+        logger.info(
+          `[${requestId}] Admin API: Cleaning up previous version ${previousVersionId} webhooks/schedules`
+        )
+        await cleanupDeploymentVersion({
+          workflowId,
+          workflow: workflowData,
+          requestId,
+          deploymentVersionId: previousVersionId,
+          skipExternalCleanup: true,
+        })
+        logger.info(`[${requestId}] Admin API: Previous version cleanup completed`)
+      } catch (cleanupError) {
+        logger.error(
+          `[${requestId}] Admin API: Failed to clean up previous version ${previousVersionId}`,
+          cleanupError
+        )
+      }
+    }
+
+    await syncMcpToolsForWorkflow({
+      workflowId,
+      requestId,
+      state: versionRow.state,
+      context: 'activate',
+    })
+
+    logger.info(
+      `[${requestId}] Admin API: Activated version ${versionNum} for workflow ${workflowId}`
+    )
 
     return singleResponse({
       success: true,
       version: versionNum,
       deployedAt: result.deployedAt!.toISOString(),
+      warnings: triggerSaveResult.warnings,
     })
   } catch (error) {
-    logger.error(`Admin API: Failed to activate version for workflow ${workflowId}`, { error })
+    logger.error(
+      `[${requestId}] Admin API: Failed to activate version for workflow ${workflowId}`,
+      {
+        error,
+      }
+    )
     return internalErrorResponse('Failed to activate deployment version')
   }
 })

apps/sim/app/api/webhooks/[id]/route.ts

@@ -7,11 +7,7 @@ import { getSession } from '@/lib/auth'
 import { validateInteger } from '@/lib/core/security/input-validation'
 import { PlatformEvents } from '@/lib/core/telemetry'
 import { generateRequestId } from '@/lib/core/utils/request'
-import {
-  cleanupExternalWebhook,
-  createExternalWebhookSubscription,
-  shouldRecreateExternalWebhookSubscription,
-} from '@/lib/webhooks/provider-subscriptions'
+import { cleanupExternalWebhook } from '@/lib/webhooks/provider-subscriptions'
 import { getUserEntityPermissions } from '@/lib/workspaces/permissions/utils'
 
 const logger = createLogger('WebhookAPI')
@@ -87,7 +83,6 @@ export async function GET(request: NextRequest, { params }: { params: Promise<{
   }
 }
 
-// Update a webhook
 export async function PATCH(request: NextRequest, { params }: { params: Promise<{ id: string }> }) {
   const requestId = generateRequestId()
 
@@ -102,7 +97,7 @@ export async function PATCH(request: NextRequest, { params }: { params: Promise<
     }
 
     const body = await request.json()
-    const { path, provider, providerConfig, isActive, failedCount } = body
+    const { isActive, failedCount } = body
 
     if (failedCount !== undefined) {
       const validation = validateInteger(failedCount, 'failedCount', { min: 0 })
@@ -112,28 +107,6 @@ export async function PATCH(request: NextRequest, { params }: { params: Promise<
       }
     }
 
-    let resolvedProviderConfig = providerConfig
-    if (providerConfig) {
-      const { resolveEnvVarsInObject } = await import('@/lib/webhooks/env-resolver')
-      const webhookDataForResolve = await db
-        .select({
-          workspaceId: workflow.workspaceId,
-        })
-        .from(webhook)
-        .innerJoin(workflow, eq(webhook.workflowId, workflow.id))
-        .where(eq(webhook.id, id))
-        .limit(1)
-
-      if (webhookDataForResolve.length > 0) {
-        resolvedProviderConfig = await resolveEnvVarsInObject(
-          providerConfig,
-          session.user.id,
-          webhookDataForResolve[0].workspaceId || undefined
-        )
-      }
-    }
-
-    // Find the webhook and check permissions
     const webhooks = await db
       .select({
         webhook: webhook,
@@ -154,16 +127,12 @@ export async function PATCH(request: NextRequest, { params }: { params: Promise<
     }
 
     const webhookData = webhooks[0]
-
-    // Check if user has permission to modify this webhook
     let canModify = false
 
-    // Case 1: User owns the workflow
     if (webhookData.workflow.userId === session.user.id) {
       canModify = true
     }
 
-    // Case 2: Workflow belongs to a workspace and user has write or admin permission
     if (!canModify && webhookData.workflow.workspaceId) {
       const userPermission = await getUserEntityPermissions(
         session.user.id,
@@ -182,76 +151,14 @@ export async function PATCH(request: NextRequest, { params }: { params: Promise<
       return NextResponse.json({ error: 'Access denied' }, { status: 403 })
     }
 
-    const existingProviderConfig =
-      (webhookData.webhook.providerConfig as Record<string, unknown>) || {}
-    let nextProviderConfig =
-      providerConfig !== undefined &&
-      resolvedProviderConfig &&
-      typeof resolvedProviderConfig === 'object'
-        ? (resolvedProviderConfig as Record<string, unknown>)
-        : existingProviderConfig
-    const nextProvider = (provider ?? webhookData.webhook.provider) as string
-
-    if (
-      providerConfig !== undefined &&
-      shouldRecreateExternalWebhookSubscription({
-        previousProvider: webhookData.webhook.provider as string,
-        nextProvider,
-        previousConfig: existingProviderConfig,
-        nextConfig: nextProviderConfig,
-      })
-    ) {
-      await cleanupExternalWebhook(
-        { ...webhookData.webhook, providerConfig: existingProviderConfig },
-        webhookData.workflow,
-        requestId
-      )
-
-      const result = await createExternalWebhookSubscription(
-        request,
-        {
-          ...webhookData.webhook,
-          provider: nextProvider,
-          providerConfig: nextProviderConfig,
-        },
-        webhookData.workflow,
-        session.user.id,
-        requestId
-      )
-
-      nextProviderConfig = result.updatedProviderConfig as Record<string, unknown>
-    }
-
     logger.debug(`[${requestId}] Updating webhook properties`, {
-      hasPathUpdate: path !== undefined,
-      hasProviderUpdate: provider !== undefined,
-      hasConfigUpdate: providerConfig !== undefined,
       hasActiveUpdate: isActive !== undefined,
       hasFailedCountUpdate: failedCount !== undefined,
     })
 
-    // Merge providerConfig to preserve credential-related fields
-    let finalProviderConfig = webhooks[0].webhook.providerConfig
-    if (providerConfig !== undefined) {
-      const existingConfig = existingProviderConfig
-      finalProviderConfig = {
-        ...nextProviderConfig,
-        credentialId: existingConfig.credentialId,
-        credentialSetId: existingConfig.credentialSetId,
-        userId: existingConfig.userId,
-        historyId: existingConfig.historyId,
-        lastCheckedTimestamp: existingConfig.lastCheckedTimestamp,
-        setupCompleted: existingConfig.setupCompleted,
-        externalId: nextProviderConfig.externalId ?? existingConfig.externalId,
-      }
-    }
-
     const updatedWebhook = await db
       .update(webhook)
       .set({
-        path: path !== undefined ? path : webhooks[0].webhook.path,
-        provider: provider !== undefined ? provider : webhooks[0].webhook.provider,
-        providerConfig: finalProviderConfig,
         isActive: isActive !== undefined ? isActive : webhooks[0].webhook.isActive,
         failedCount: failedCount !== undefined ? failedCount : webhooks[0].webhook.failedCount,
         updatedAt: new Date(),
@@ -334,11 +241,8 @@ export async function DELETE(
     }
 
     const foundWebhook = webhookData.webhook
-    const { cleanupExternalWebhook } = await import('@/lib/webhooks/provider-subscriptions')
-
-    const providerConfig = foundWebhook.providerConfig as Record<string, unknown> | null
-    const credentialSetId = providerConfig?.credentialSetId as string | undefined
-    const blockId = providerConfig?.blockId as string | undefined
+    const credentialSetId = foundWebhook.credentialSetId as string | undefined
+    const blockId = foundWebhook.blockId as string | undefined
 
     if (credentialSetId && blockId) {
       const allCredentialSetWebhooks = await db
@@ -346,10 +250,9 @@ export async function DELETE(
         .from(webhook)
         .where(and(eq(webhook.workflowId, webhookData.workflow.id), eq(webhook.blockId, blockId)))
 
-      const webhooksToDelete = allCredentialSetWebhooks.filter((w) => {
-        const config = w.providerConfig as Record<string, unknown> | null
-        return config?.credentialSetId === credentialSetId
-      })
+      const webhooksToDelete = allCredentialSetWebhooks.filter(
+        (w) => w.credentialSetId === credentialSetId
+      )
 
       for (const w of webhooksToDelete) {
         await cleanupExternalWebhook(w, webhookData.workflow, requestId)

apps/sim/app/api/webhooks/route.ts

@@ -7,8 +7,21 @@ import { type NextRequest, NextResponse } from 'next/server'
 import { getSession } from '@/lib/auth'
 import { PlatformEvents } from '@/lib/core/telemetry'
 import { generateRequestId } from '@/lib/core/utils/request'
-import { createExternalWebhookSubscription } from '@/lib/webhooks/provider-subscriptions'
+import { getProviderIdFromServiceId } from '@/lib/oauth'
+import { resolveEnvVarsInObject } from '@/lib/webhooks/env-resolver'
+import {
+  cleanupExternalWebhook,
+  createExternalWebhookSubscription,
+} from '@/lib/webhooks/provider-subscriptions'
+import { mergeNonUserFields } from '@/lib/webhooks/utils'
+import {
+  configureGmailPolling,
+  configureOutlookPolling,
+  configureRssPolling,
+  syncWebhooksForCredentialSet,
+} from '@/lib/webhooks/utils.server'
 import { getUserEntityPermissions } from '@/lib/workspaces/permissions/utils'
+import { extractCredentialSetId, isCredentialSetValue } from '@/executor/constants'
 
 const logger = createLogger('WebhooksAPI')
 
@@ -298,14 +311,10 @@ export async function POST(request: NextRequest) {
       }
     }
 
-    let savedWebhook: any = null // Variable to hold the result of save/update
-
-    // Use the original provider config - Gmail/Outlook configuration functions will inject userId automatically
-    const finalProviderConfig = providerConfig || {}
-
-    const { resolveEnvVarsInObject } = await import('@/lib/webhooks/env-resolver')
+    let savedWebhook: any = null
+    const originalProviderConfig = providerConfig || {}
     let resolvedProviderConfig = await resolveEnvVarsInObject(
-      finalProviderConfig,
+      originalProviderConfig,
       userId,
       workflowRecord.workspaceId || undefined
     )
@@ -319,8 +328,6 @@ export async function POST(request: NextRequest) {
     const directCredentialSetId = resolvedProviderConfig?.credentialSetId as string | undefined
 
     if (directCredentialSetId || rawCredentialId) {
-      const { isCredentialSetValue, extractCredentialSetId } = await import('@/executor/constants')
-
       const credentialSetId =
         directCredentialSetId ||
         (rawCredentialId && isCredentialSetValue(rawCredentialId)
@@ -332,11 +339,6 @@ export async function POST(request: NextRequest) {
           `[${requestId}] Credential set detected for ${provider} trigger. Syncing webhooks for set ${credentialSetId}`
         )
 
-        const { getProviderIdFromServiceId } = await import('@/lib/oauth')
-        const { syncWebhooksForCredentialSet, configureGmailPolling, configureOutlookPolling } =
-          await import('@/lib/webhooks/utils.server')
-
-        // Map provider to OAuth provider ID
         const oauthProviderId = getProviderIdFromServiceId(provider)
 
         const {
@@ -469,6 +471,9 @@ export async function POST(request: NextRequest) {
       providerConfig: providerConfigOverride,
     })
 
+    const userProvided = originalProviderConfig as Record<string, unknown>
+    const configToSave: Record<string, unknown> = { ...userProvided }
+
     try {
       const result = await createExternalWebhookSubscription(
         request,
@@ -477,7 +482,9 @@ export async function POST(request: NextRequest) {
         userId,
         requestId
       )
-      resolvedProviderConfig = result.updatedProviderConfig as Record<string, unknown>
+      const updatedConfig = result.updatedProviderConfig as Record<string, unknown>
+      mergeNonUserFields(configToSave, updatedConfig, userProvided)
+      resolvedProviderConfig = updatedConfig
       externalSubscriptionCreated = result.externalSubscriptionCreated
     } catch (err) {
       logger.error(`[${requestId}] Error creating external webhook subscription`, err)
@@ -490,25 +497,22 @@ export async function POST(request: NextRequest) {
       )
     }
 
-    // Now save to database (only if subscription succeeded or provider doesn't need external subscription)
     try {
       if (targetWebhookId) {
         logger.info(`[${requestId}] Updating existing webhook for path: ${finalPath}`, {
           webhookId: targetWebhookId,
           provider,
-          hasCredentialId: !!(resolvedProviderConfig as any)?.credentialId,
-          credentialId: (resolvedProviderConfig as any)?.credentialId,
+          hasCredentialId: !!(configToSave as any)?.credentialId,
+          credentialId: (configToSave as any)?.credentialId,
         })
         const updatedResult = await db
           .update(webhook)
           .set({
             blockId,
             provider,
-            providerConfig: resolvedProviderConfig,
+            providerConfig: configToSave,
             credentialSetId:
-              ((resolvedProviderConfig as Record<string, unknown>)?.credentialSetId as
-                | string
-                | null) || null,
+              ((configToSave as Record<string, unknown>)?.credentialSetId as string | null) || null,
             isActive: true,
             updatedAt: new Date(),
           })
@@ -531,11 +535,9 @@ export async function POST(request: NextRequest) {
             blockId,
             path: finalPath,
             provider,
-            providerConfig: resolvedProviderConfig,
+            providerConfig: configToSave,
             credentialSetId:
-              ((resolvedProviderConfig as Record<string, unknown>)?.credentialSetId as
-                | string
-                | null) || null,
+              ((configToSave as Record<string, unknown>)?.credentialSetId as string | null) || null,
             isActive: true,
             createdAt: new Date(),
             updatedAt: new Date(),
@@ -547,9 +549,8 @@ export async function POST(request: NextRequest) {
       if (externalSubscriptionCreated) {
         logger.error(`[${requestId}] DB save failed, cleaning up external subscription`, dbError)
         try {
-          const { cleanupExternalWebhook } = await import('@/lib/webhooks/provider-subscriptions')
           await cleanupExternalWebhook(
-            createTempWebhookData(resolvedProviderConfig),
+            createTempWebhookData(configToSave),
             workflowRecord,
             requestId
           )
@@ -567,7 +568,6 @@ export async function POST(request: NextRequest) {
     if (savedWebhook && provider === 'gmail') {
       logger.info(`[${requestId}] Gmail provider detected. Setting up Gmail webhook configuration.`)
       try {
-        const { configureGmailPolling } = await import('@/lib/webhooks/utils.server')
         const success = await configureGmailPolling(savedWebhook, requestId)
 
         if (!success) {
@@ -606,7 +606,6 @@ export async function POST(request: NextRequest) {
         `[${requestId}] Outlook provider detected. Setting up Outlook webhook configuration.`
       )
       try {
-        const { configureOutlookPolling } = await import('@/lib/webhooks/utils.server')
         const success = await configureOutlookPolling(savedWebhook, requestId)
 
         if (!success) {
@@ -643,7 +642,6 @@ export async function POST(request: NextRequest) {
     if (savedWebhook && provider === 'rss') {
       logger.info(`[${requestId}] RSS provider detected. Setting up RSS webhook configuration.`)
       try {
-        const { configureRssPolling } = await import('@/lib/webhooks/utils.server')
         const success = await configureRssPolling(savedWebhook, requestId)
 
         if (!success) {

apps/sim/app/api/workflows/[id]/deploy/route.ts

@@ -4,7 +4,11 @@ import { and, desc, eq } from 'drizzle-orm'
 import type { NextRequest } from 'next/server'
 import { generateRequestId } from '@/lib/core/utils/request'
 import { removeMcpToolsForWorkflow, syncMcpToolsForWorkflow } from '@/lib/mcp/workflow-mcp-sync'
-import { cleanupWebhooksForWorkflow, saveTriggerWebhooksForDeploy } from '@/lib/webhooks/deploy'
+import {
+  cleanupWebhooksForWorkflow,
+  restorePreviousVersionWebhooks,
+  saveTriggerWebhooksForDeploy,
+} from '@/lib/webhooks/deploy'
 import {
   deployWorkflow,
   loadWorkflowFromNormalizedTables,
@@ -135,6 +139,18 @@ export async function POST(request: NextRequest, { params }: { params: Promise<{
       return createErrorResponse(`Invalid schedule configuration: ${scheduleValidation.error}`, 400)
     }
 
+    const [currentActiveVersion] = await db
+      .select({ id: workflowDeploymentVersion.id })
+      .from(workflowDeploymentVersion)
+      .where(
+        and(
+          eq(workflowDeploymentVersion.workflowId, id),
+          eq(workflowDeploymentVersion.isActive, true)
+        )
+      )
+      .limit(1)
+    const previousVersionId = currentActiveVersion?.id
+
     const deployResult = await deployWorkflow({
       workflowId: id,
       deployedBy: actorUserId,
@@ -161,6 +177,7 @@ export async function POST(request: NextRequest, { params }: { params: Promise<{
       blocks: normalizedData.blocks,
       requestId,
       deploymentVersionId,
+      previousVersionId,
     })
 
     if (!triggerSaveResult.success) {
@@ -194,6 +211,15 @@ export async function POST(request: NextRequest, { params }: { params: Promise<{
         requestId,
         deploymentVersionId,
       })
+      if (previousVersionId) {
+        await restorePreviousVersionWebhooks({
+          request,
+          workflow: workflowData as Record<string, unknown>,
+          userId: actorUserId,
+          previousVersionId,
+          requestId,
+        })
+      }
       await undeployWorkflow({ workflowId: id })
       return createErrorResponse(scheduleResult.error || 'Failed to create schedule', 500)
     }
@@ -208,6 +234,25 @@ export async function POST(request: NextRequest, { params }: { params: Promise<{
       )
     }
 
+    if (previousVersionId && previousVersionId !== deploymentVersionId) {
+      try {
+        logger.info(`[${requestId}] Cleaning up previous version ${previousVersionId} DB records`)
+        await cleanupDeploymentVersion({
+          workflowId: id,
+          workflow: workflowData as Record<string, unknown>,
+          requestId,
+          deploymentVersionId: previousVersionId,
+          skipExternalCleanup: true,
+        })
+      } catch (cleanupError) {
+        logger.error(
+          `[${requestId}] Failed to clean up previous version ${previousVersionId}`,
+          cleanupError
+        )
+        // Non-fatal - continue with success response
+      }
+    }
+
     logger.info(`[${requestId}] Workflow deployed successfully: ${id}`)
 
     // Sync MCP tools with the latest parameter schema
@@ -228,6 +273,7 @@ export async function POST(request: NextRequest, { params }: { params: Promise<{
             nextRunAt: scheduleInfo.nextRunAt,
           }
         : undefined,
+      warnings: triggerSaveResult.warnings,
     })
   } catch (error: any) {
     logger.error(`[${requestId}] Error deploying workflow: ${id}`, {

apps/sim/app/api/workflows/[id]/deployments/[version]/activate/route.ts

@@ -4,7 +4,7 @@ import { and, eq } from 'drizzle-orm'
 import type { NextRequest } from 'next/server'
 import { generateRequestId } from '@/lib/core/utils/request'
 import { syncMcpToolsForWorkflow } from '@/lib/mcp/workflow-mcp-sync'
-import { saveTriggerWebhooksForDeploy } from '@/lib/webhooks/deploy'
+import { restorePreviousVersionWebhooks, saveTriggerWebhooksForDeploy } from '@/lib/webhooks/deploy'
 import { activateWorkflowVersion } from '@/lib/workflows/persistence/utils'
 import {
   cleanupDeploymentVersion,
@@ -85,6 +85,11 @@ export async function POST(
       return createErrorResponse('Invalid deployed state structure', 500)
     }
 
+    const scheduleValidation = validateWorkflowSchedules(blocks)
+    if (!scheduleValidation.isValid) {
+      return createErrorResponse(`Invalid schedule configuration: ${scheduleValidation.error}`, 400)
+    }
+
     const triggerSaveResult = await saveTriggerWebhooksForDeploy({
       request,
       workflowId: id,
@@ -93,6 +98,8 @@ export async function POST(
       blocks,
       requestId,
       deploymentVersionId: versionRow.id,
+      previousVersionId,
+      forceRecreateSubscriptions: true,
     })
 
     if (!triggerSaveResult.success) {
@@ -102,11 +109,6 @@ export async function POST(
       )
     }
 
-    const scheduleValidation = validateWorkflowSchedules(blocks)
-    if (!scheduleValidation.isValid) {
-      return createErrorResponse(`Invalid schedule configuration: ${scheduleValidation.error}`, 400)
-    }
-
     const scheduleResult = await createSchedulesForDeploy(id, blocks, db, versionRow.id)
 
     if (!scheduleResult.success) {
@@ -116,6 +118,15 @@ export async function POST(
         requestId,
         deploymentVersionId: versionRow.id,
       })
+      if (previousVersionId) {
+        await restorePreviousVersionWebhooks({
+          request,
+          workflow: workflowData as Record<string, unknown>,
+          userId: actorUserId,
+          previousVersionId,
+          requestId,
+        })
+      }
       return createErrorResponse(scheduleResult.error || 'Failed to sync schedules', 500)
     }
 
@@ -127,6 +138,15 @@ export async function POST(
         requestId,
         deploymentVersionId: versionRow.id,
       })
+      if (previousVersionId) {
+        await restorePreviousVersionWebhooks({
+          request,
+          workflow: workflowData as Record<string, unknown>,
+          userId: actorUserId,
+          previousVersionId,
+          requestId,
+        })
+      }
       return createErrorResponse(result.error || 'Failed to activate deployment', 400)
     }
 
@@ -140,6 +160,7 @@ export async function POST(
           workflow: workflowData as Record<string, unknown>,
           requestId,
           deploymentVersionId: previousVersionId,
+          skipExternalCleanup: true,
         })
         logger.info(`[${requestId}] Previous version cleanup completed`)
       } catch (cleanupError) {
@@ -157,7 +178,11 @@ export async function POST(
       context: 'activate',
     })
 
-    return createSuccessResponse({ success: true, deployedAt: result.deployedAt })
+    return createSuccessResponse({
+      success: true,
+      deployedAt: result.deployedAt,
+      warnings: triggerSaveResult.warnings,
+    })
   } catch (error: any) {
     logger.error(`[${requestId}] Error activating deployment for workflow: ${id}`, error)
     return createErrorResponse(error.message || 'Failed to activate deployment', 500)

apps/sim/app/api/workflows/[id]/execute/route.ts

@@ -12,6 +12,10 @@ import { markExecutionCancelled } from '@/lib/execution/cancellation'
 import { processInputFileFields } from '@/lib/execution/files'
 import { preprocessExecution } from '@/lib/execution/preprocessing'
 import { LoggingSession } from '@/lib/logs/execution/logging-session'
+import {
+  cleanupExecutionBase64Cache,
+  hydrateUserFilesWithBase64,
+} from '@/lib/uploads/utils/user-file-base64.server'
 import { executeWorkflowCore } from '@/lib/workflows/executor/execution-core'
 import { type ExecutionEvent, encodeSSEEvent } from '@/lib/workflows/executor/execution-events'
 import { PauseResumeManager } from '@/lib/workflows/executor/human-in-the-loop-manager'
@@ -25,7 +29,8 @@ import type { WorkflowExecutionPayload } from '@/background/workflow-execution'
 import { normalizeName } from '@/executor/constants'
 import { ExecutionSnapshot } from '@/executor/execution/snapshot'
 import type { ExecutionMetadata, IterationContext } from '@/executor/execution/types'
-import type { StreamingExecution } from '@/executor/types'
+import type { NormalizedBlockOutput, StreamingExecution } from '@/executor/types'
+import { hasExecutionResult } from '@/executor/utils/errors'
 import { Serializer } from '@/serializer'
 import { CORE_TRIGGER_TYPES, type CoreTriggerType } from '@/stores/logs/filters/types'
 
@@ -38,6 +43,8 @@ const ExecuteWorkflowSchema = z.object({
   useDraftState: z.boolean().optional(),
   input: z.any().optional(),
   isClientSession: z.boolean().optional(),
+  includeFileBase64: z.boolean().optional().default(true),
+  base64MaxBytes: z.number().int().positive().optional(),
   workflowStateOverride: z
     .object({
       blocks: z.record(z.any()),
@@ -110,7 +117,6 @@ type AsyncExecutionParams = {
   userId: string
   input: any
   triggerType: CoreTriggerType
-  preflighted?: boolean
 }
 
 /**
@@ -133,7 +139,6 @@ async function handleAsyncExecution(params: AsyncExecutionParams): Promise<NextR
     userId,
     input,
     triggerType,
-    preflighted: params.preflighted,
   }
 
   try {
@@ -214,6 +219,8 @@ export async function POST(req: NextRequest, { params }: { params: Promise<{ id:
       useDraftState,
       input: validatedInput,
       isClientSession = false,
+      includeFileBase64,
+      base64MaxBytes,
       workflowStateOverride,
     } = validation.data
 
@@ -227,6 +234,8 @@ export async function POST(req: NextRequest, { params }: { params: Promise<{ id:
               triggerType,
               stream,
               useDraftState,
+              includeFileBase64,
+              base64MaxBytes,
               workflowStateOverride,
               workflowId: _workflowId, // Also exclude workflowId used for internal JWT auth
               ...rest
@@ -266,7 +275,6 @@ export async function POST(req: NextRequest, { params }: { params: Promise<{ id:
       requestId
     )
 
-    const shouldPreflightEnvVars = isAsyncMode && isTriggerDevEnabled
     const preprocessResult = await preprocessExecution({
       workflowId,
       userId,
@@ -275,9 +283,7 @@ export async function POST(req: NextRequest, { params }: { params: Promise<{ id:
       requestId,
       checkDeployment: !shouldUseDraftState,
       loggingSession,
-      preflightEnvVars: shouldPreflightEnvVars,
       useDraftState: shouldUseDraftState,
-      envUserId: isClientSession ? userId : undefined,
     })
 
     if (!preprocessResult.success) {
@@ -309,7 +315,6 @@ export async function POST(req: NextRequest, { params }: { params: Promise<{ id:
         userId: actorUserId,
         input,
         triggerType: loggingTriggerType,
-        preflighted: shouldPreflightEnvVars,
       })
     }
 
@@ -427,16 +432,31 @@ export async function POST(req: NextRequest, { params }: { params: Promise<{ id:
           snapshot,
           callbacks: {},
           loggingSession,
+          includeFileBase64,
+          base64MaxBytes,
         })
 
-        const hasResponseBlock = workflowHasResponseBlock(result)
+        const outputWithBase64 = includeFileBase64
+          ? ((await hydrateUserFilesWithBase64(result.output, {
+              requestId,
+              executionId,
+              maxBytes: base64MaxBytes,
+            })) as NormalizedBlockOutput)
+          : result.output
+
+        const resultWithBase64 = { ...result, output: outputWithBase64 }
+
+        // Cleanup base64 cache for this execution
+        await cleanupExecutionBase64Cache(executionId)
+
+        const hasResponseBlock = workflowHasResponseBlock(resultWithBase64)
         if (hasResponseBlock) {
-          return createHttpResponseFromBlock(result)
+          return createHttpResponseFromBlock(resultWithBase64)
         }
 
         const filteredResult = {
           success: result.success,
-          output: result.output,
+          output: outputWithBase64,
           error: result.error,
           metadata: result.metadata
             ? {
@@ -448,17 +468,17 @@ export async function POST(req: NextRequest, { params }: { params: Promise<{ id:
         }
 
         return NextResponse.json(filteredResult)
-      } catch (error: any) {
-        const errorMessage = error.message || 'Unknown error'
+      } catch (error: unknown) {
+        const errorMessage = error instanceof Error ? error.message : 'Unknown error'
         logger.error(`[${requestId}] Non-SSE execution failed: ${errorMessage}`)
 
-        const executionResult = error.executionResult
+        const executionResult = hasExecutionResult(error) ? error.executionResult : undefined
 
         return NextResponse.json(
           {
             success: false,
             output: executionResult?.output,
-            error: executionResult?.error || error.message || 'Execution failed',
+            error: executionResult?.error || errorMessage || 'Execution failed',
             metadata: executionResult?.metadata
               ? {
                   duration: executionResult.metadata.duration,
@@ -498,6 +518,8 @@ export async function POST(req: NextRequest, { params }: { params: Promise<{ id:
           selectedOutputs: resolvedSelectedOutputs,
           isSecureMode: false,
           workflowTriggerType: triggerType === 'chat' ? 'chat' : 'api',
+          includeFileBase64,
+          base64MaxBytes,
         },
         executionId,
       })
@@ -698,6 +720,8 @@ export async function POST(req: NextRequest, { params }: { params: Promise<{ id:
             },
             loggingSession,
             abortSignal: abortController.signal,
+            includeFileBase64,
+            base64MaxBytes,
           })
 
           if (result.status === 'paused') {
@@ -750,17 +774,26 @@ export async function POST(req: NextRequest, { params }: { params: Promise<{ id:
             workflowId,
             data: {
               success: result.success,
-              output: result.output,
+              output: includeFileBase64
+                ? await hydrateUserFilesWithBase64(result.output, {
+                    requestId,
+                    executionId,
+                    maxBytes: base64MaxBytes,
+                  })
+                : result.output,
               duration: result.metadata?.duration || 0,
               startTime: result.metadata?.startTime || startTime.toISOString(),
               endTime: result.metadata?.endTime || new Date().toISOString(),
             },
           })
-        } catch (error: any) {
-          const errorMessage = error.message || 'Unknown error'
+
+          // Cleanup base64 cache for this execution
+          await cleanupExecutionBase64Cache(executionId)
+        } catch (error: unknown) {
+          const errorMessage = error instanceof Error ? error.message : 'Unknown error'
           logger.error(`[${requestId}] SSE execution failed: ${errorMessage}`)
 
-          const executionResult = error.executionResult
+          const executionResult = hasExecutionResult(error) ? error.executionResult : undefined
 
           sendEvent({
             type: 'execution:error',

apps/sim/app/changelog/components/branded-link.tsx

@@ -0,0 +1,27 @@
+'use client'
+
+import Link from 'next/link'
+import { useBrandedButtonClass } from '@/hooks/use-branded-button-class'
+
+interface BrandedLinkProps {
+  href: string
+  children: React.ReactNode
+  className?: string
+  target?: string
+  rel?: string
+}
+
+export function BrandedLink({ href, children, className = '', target, rel }: BrandedLinkProps) {
+  const buttonClass = useBrandedButtonClass()
+
+  return (
+    <Link
+      href={href}
+      target={target}
+      rel={rel}
+      className={`${buttonClass} group inline-flex items-center justify-center gap-2 rounded-[10px] py-[6px] pr-[10px] pl-[12px] text-[15px] text-white transition-all ${className}`}
+    >
+      {children}
+    </Link>
+  )
+}

apps/sim/app/changelog/components/changelog-content.tsx

@@ -2,6 +2,7 @@ import { BookOpen, Github, Rss } from 'lucide-react'
 import Link from 'next/link'
 import { inter } from '@/app/_styles/fonts/inter/inter'
 import { soehne } from '@/app/_styles/fonts/soehne/soehne'
+import { BrandedLink } from '@/app/changelog/components/branded-link'
 import ChangelogList from '@/app/changelog/components/timeline-list'
 
 export interface ChangelogEntry {
@@ -66,25 +67,24 @@ export default async function ChangelogContent() {
             <hr className='mt-6 border-border' />
 
             <div className='mt-6 flex flex-wrap items-center gap-3 text-sm'>
-              <Link
+              <BrandedLink
                 href='https://github.com/simstudioai/sim/releases'
                 target='_blank'
                 rel='noopener noreferrer'
-                className='group inline-flex items-center justify-center gap-2 rounded-[10px] border border-[#6F3DFA] bg-gradient-to-b from-[#8357FF] to-[#6F3DFA] py-[6px] pr-[10px] pl-[12px] text-[14px] text-white shadow-[inset_0_2px_4px_0_#9B77FF] transition-all sm:text-[16px]'
               >
                 <Github className='h-4 w-4' />
                 View on GitHub
-              </Link>
+              </BrandedLink>
               <Link
                 href='https://docs.sim.ai'
-                className='inline-flex items-center gap-2 rounded-md border border-border px-3 py-1.5 hover:bg-muted'
+                className='inline-flex items-center gap-2 rounded-[10px] border border-border py-[6px] pr-[10px] pl-[12px] text-[15px] transition-all hover:bg-muted'
               >
                 <BookOpen className='h-4 w-4' />
                 Documentation
               </Link>
               <Link
                 href='/changelog.xml'
-                className='inline-flex items-center gap-2 rounded-md border border-border px-3 py-1.5 hover:bg-muted'
+                className='inline-flex items-center gap-2 rounded-[10px] border border-border py-[6px] pr-[10px] pl-[12px] text-[15px] transition-all hover:bg-muted'
               >
                 <Rss className='h-4 w-4' />
                 RSS Feed

apps/sim/app/chat/[identifier]/chat.tsx

@@ -117,7 +117,7 @@ export default function ChatClient({ identifier }: { identifier: string }) {
   const [error, setError] = useState<string | null>(null)
   const messagesEndRef = useRef<HTMLDivElement>(null)
   const messagesContainerRef = useRef<HTMLDivElement>(null)
-  const [starCount, setStarCount] = useState('25.1k')
+  const [starCount, setStarCount] = useState('25.8k')
   const [conversationId, setConversationId] = useState('')
 
   const [showScrollButton, setShowScrollButton] = useState(false)

apps/sim/app/chat/hooks/use-chat-streaming.ts

@@ -2,7 +2,7 @@
 
 import { useRef, useState } from 'react'
 import { createLogger } from '@sim/logger'
-import { isUserFile } from '@/lib/core/utils/display-filters'
+import { isUserFileWithMetadata } from '@/lib/core/utils/user-file'
 import type { ChatFile, ChatMessage } from '@/app/chat/components/message/message'
 import { CHAT_ERROR_MESSAGES } from '@/app/chat/constants'
 
@@ -17,7 +17,7 @@ function extractFilesFromData(
     return files
   }
 
-  if (isUserFile(data)) {
+  if (isUserFileWithMetadata(data)) {
     if (!seenIds.has(data.id)) {
       seenIds.add(data.id)
       files.push({
@@ -232,7 +232,7 @@ export function useChatStreaming() {
                     return null
                   }
 
-                  if (isUserFile(value)) {
+                  if (isUserFileWithMetadata(value)) {
                     return null
                   }
 
@@ -285,7 +285,7 @@ export function useChatStreaming() {
 
                     const value = getOutputValue(blockOutputs, config.path)
 
-                    if (isUserFile(value)) {
+                    if (isUserFileWithMetadata(value)) {
                       extractedFiles.push({
                         id: value.id,
                         name: value.name,

apps/sim/app/templates/components/template-card.tsx

@@ -207,7 +207,6 @@ function TemplateCardInner({
             isPannable={false}
             defaultZoom={0.8}
             fitPadding={0.2}
-            lightweight
           />
         ) : (
           <div className='h-full w-full bg-[var(--surface-4)]' />

apps/sim/app/workspace/[workspaceId]/knowledge/[id]/[documentId]/components/edit-chunk-modal/edit-chunk-modal.tsx

@@ -61,6 +61,7 @@ export function EditChunkModal({
   const [showUnsavedChangesAlert, setShowUnsavedChangesAlert] = useState(false)
   const [pendingNavigation, setPendingNavigation] = useState<(() => void) | null>(null)
   const [tokenizerOn, setTokenizerOn] = useState(false)
+  const [hoveredTokenIndex, setHoveredTokenIndex] = useState<number | null>(null)
   const textareaRef = useRef<HTMLTextAreaElement>(null)
 
   const error = mutationError?.message ?? null
@@ -254,6 +255,8 @@ export function EditChunkModal({
                         style={{
                           backgroundColor: getTokenBgColor(index),
                         }}
+                        onMouseEnter={() => setHoveredTokenIndex(index)}
+                        onMouseLeave={() => setHoveredTokenIndex(null)}
                       >
                         {token}
                       </span>
@@ -281,6 +284,11 @@ export function EditChunkModal({
                 <div className='flex items-center gap-[8px]'>
                   <span className='text-[12px] text-[var(--text-secondary)]'>Tokenizer</span>
                   <Switch checked={tokenizerOn} onCheckedChange={setTokenizerOn} />
+                  {tokenizerOn && hoveredTokenIndex !== null && (
+                    <span className='text-[12px] text-[var(--text-tertiary)]'>
+                      Token #{hoveredTokenIndex + 1}
+                    </span>
+                  )}
                 </div>
                 <span className='text-[12px] text-[var(--text-secondary)]'>
                   {tokenCount.toLocaleString()}

apps/sim/app/workspace/[workspaceId]/knowledge/[id]/[documentId]/document.tsx

@@ -36,6 +36,7 @@ import {
 import { Input } from '@/components/ui/input'
 import { SearchHighlight } from '@/components/ui/search-highlight'
 import { Skeleton } from '@/components/ui/skeleton'
+import { formatAbsoluteDate, formatRelativeTime } from '@/lib/core/utils/formatting'
 import type { ChunkData } from '@/lib/knowledge/types'
 import {
   ChunkContextMenu,
@@ -58,55 +59,6 @@ import {
 
 const logger = createLogger('Document')
 
-/**
- * Formats a date string to relative time (e.g., "2h ago", "3d ago")
- */
-function formatRelativeTime(dateString: string): string {
-  const date = new Date(dateString)
-  const now = new Date()
-  const diffInSeconds = Math.floor((now.getTime() - date.getTime()) / 1000)
-
-  if (diffInSeconds < 60) {
-    return 'just now'
-  }
-  if (diffInSeconds < 3600) {
-    const minutes = Math.floor(diffInSeconds / 60)
-    return `${minutes}m ago`
-  }
-  if (diffInSeconds < 86400) {
-    const hours = Math.floor(diffInSeconds / 3600)
-    return `${hours}h ago`
-  }
-  if (diffInSeconds < 604800) {
-    const days = Math.floor(diffInSeconds / 86400)
-    return `${days}d ago`
-  }
-  if (diffInSeconds < 2592000) {
-    const weeks = Math.floor(diffInSeconds / 604800)
-    return `${weeks}w ago`
-  }
-  if (diffInSeconds < 31536000) {
-    const months = Math.floor(diffInSeconds / 2592000)
-    return `${months}mo ago`
-  }
-  const years = Math.floor(diffInSeconds / 31536000)
-  return `${years}y ago`
-}
-
-/**
- * Formats a date string to absolute format for tooltip display
- */
-function formatAbsoluteDate(dateString: string): string {
-  const date = new Date(dateString)
-  return date.toLocaleDateString('en-US', {
-    year: 'numeric',
-    month: 'short',
-    day: 'numeric',
-    hour: '2-digit',
-    minute: '2-digit',
-  })
-}
-
 interface DocumentProps {
   knowledgeBaseId: string
   documentId: string
@@ -304,7 +256,6 @@ export function Document({
 
   const [searchQuery, setSearchQuery] = useState('')
   const [debouncedSearchQuery, setDebouncedSearchQuery] = useState('')
-  const [isSearching, setIsSearching] = useState(false)
 
   const {
     chunks: initialChunks,
@@ -344,7 +295,6 @@ export function Document({
     const handler = setTimeout(() => {
       startTransition(() => {
         setDebouncedSearchQuery(searchQuery)
-        setIsSearching(searchQuery.trim().length > 0)
       })
     }, 200)
 
@@ -353,6 +303,7 @@ export function Document({
     }
   }, [searchQuery])
 
+  const isSearching = debouncedSearchQuery.trim().length > 0
   const showingSearch = isSearching && searchQuery.trim().length > 0 && searchResults.length > 0
   const SEARCH_PAGE_SIZE = 50
   const maxSearchPages = Math.ceil(searchResults.length / SEARCH_PAGE_SIZE)

apps/sim/app/workspace/[workspaceId]/knowledge/[id]/base.tsx

@@ -27,6 +27,10 @@ import {
   ModalContent,
   ModalFooter,
   ModalHeader,
+  Popover,
+  PopoverContent,
+  PopoverItem,
+  PopoverTrigger,
   Table,
   TableBody,
   TableCell,
@@ -40,8 +44,11 @@ import { Input } from '@/components/ui/input'
 import { SearchHighlight } from '@/components/ui/search-highlight'
 import { Skeleton } from '@/components/ui/skeleton'
 import { cn } from '@/lib/core/utils/cn'
+import { formatAbsoluteDate, formatRelativeTime } from '@/lib/core/utils/formatting'
+import { ALL_TAG_SLOTS, type AllTagSlot, getFieldTypeForSlot } from '@/lib/knowledge/constants'
 import type { DocumentSortField, SortOrder } from '@/lib/knowledge/documents/types'
 import type { DocumentData } from '@/lib/knowledge/types'
+import { formatFileSize } from '@/lib/uploads/utils/file-utils'
 import {
   ActionBar,
   AddDocumentsModal,
@@ -189,8 +196,8 @@ function KnowledgeBaseLoading({ knowledgeBaseName }: KnowledgeBaseLoadingProps)
             </div>
           </div>
 
-          <div className='mt-[4px]'>
-            <Skeleton className='h-[21px] w-[300px] rounded-[4px]' />
+          <div>
+            <Skeleton className='mt-[4px] h-[21px] w-[300px] rounded-[4px]' />
           </div>
 
           <div className='mt-[16px] flex items-center gap-[8px]'>
@@ -208,9 +215,12 @@ function KnowledgeBaseLoading({ knowledgeBaseName }: KnowledgeBaseLoadingProps)
                 className='flex-1 border-0 bg-transparent px-0 font-medium text-[var(--text-secondary)] text-small leading-none placeholder:text-[var(--text-subtle)] focus-visible:ring-0 focus-visible:ring-offset-0'
               />
             </div>
-            <Button disabled variant='tertiary' className='h-[32px] rounded-[6px]'>
-              Add Documents
-            </Button>
+            <div className='flex items-center gap-[8px]'>
+              <Skeleton className='h-[32px] w-[52px] rounded-[6px]' />
+              <Button disabled variant='tertiary' className='h-[32px] rounded-[6px]'>
+                Add Documents
+              </Button>
+            </div>
           </div>
 
           <div className='mt-[12px] flex flex-1 flex-col overflow-hidden'>
@@ -222,73 +232,11 @@ function KnowledgeBaseLoading({ knowledgeBaseName }: KnowledgeBaseLoadingProps)
   )
 }
 
-/**
- * Formats a date string to relative time (e.g., "2h ago", "3d ago")
- */
-function formatRelativeTime(dateString: string): string {
-  const date = new Date(dateString)
-  const now = new Date()
-  const diffInSeconds = Math.floor((now.getTime() - date.getTime()) / 1000)
-
-  if (diffInSeconds < 60) {
-    return 'just now'
-  }
-  if (diffInSeconds < 3600) {
-    const minutes = Math.floor(diffInSeconds / 60)
-    return `${minutes}m ago`
-  }
-  if (diffInSeconds < 86400) {
-    const hours = Math.floor(diffInSeconds / 3600)
-    return `${hours}h ago`
-  }
-  if (diffInSeconds < 604800) {
-    const days = Math.floor(diffInSeconds / 86400)
-    return `${days}d ago`
-  }
-  if (diffInSeconds < 2592000) {
-    const weeks = Math.floor(diffInSeconds / 604800)
-    return `${weeks}w ago`
-  }
-  if (diffInSeconds < 31536000) {
-    const months = Math.floor(diffInSeconds / 2592000)
-    return `${months}mo ago`
-  }
-  const years = Math.floor(diffInSeconds / 31536000)
-  return `${years}y ago`
-}
-
-/**
- * Formats a date string to absolute format for tooltip display
- */
-function formatAbsoluteDate(dateString: string): string {
-  const date = new Date(dateString)
-  return date.toLocaleDateString('en-US', {
-    year: 'numeric',
-    month: 'short',
-    day: 'numeric',
-    hour: '2-digit',
-    minute: '2-digit',
-  })
-}
-
 interface KnowledgeBaseProps {
   id: string
   knowledgeBaseName?: string
 }
 
-function getFileIcon(mimeType: string, filename: string) {
-  const IconComponent = getDocumentIcon(mimeType, filename)
-  return <IconComponent className='h-6 w-5 flex-shrink-0' />
-}
-
-function formatFileSize(bytes: number): string {
-  if (bytes === 0) return '0 Bytes'
-  const k = 1024
-  const sizes = ['Bytes', 'KB', 'MB', 'GB']
-  const i = Math.floor(Math.log(bytes) / Math.log(k))
-  return `${Number.parseFloat((bytes / k ** i).toFixed(2))} ${sizes[i]}`
-}
-
 const AnimatedLoader = ({ className }: { className?: string }) => (
   <Loader2 className={cn(className, 'animate-spin')} />
 )
@@ -336,53 +284,24 @@ const getStatusBadge = (doc: DocumentData) => {
   }
 }
 
-const TAG_SLOTS = [
-  'tag1',
-  'tag2',
-  'tag3',
-  'tag4',
-  'tag5',
-  'tag6',
-  'tag7',
-  'number1',
-  'number2',
-  'number3',
-  'number4',
-  'number5',
-  'date1',
-  'date2',
-  'boolean1',
-  'boolean2',
-  'boolean3',
-] as const
-
-type TagSlot = (typeof TAG_SLOTS)[number]
-
 interface TagValue {
-  slot: TagSlot
+  slot: AllTagSlot
   displayName: string
   value: string
 }
 
-const TAG_FIELD_TYPES: Record<string, string> = {
-  tag: 'text',
-  number: 'number',
-  date: 'date',
-  boolean: 'boolean',
-}
-
 /**
  * Computes tag values for a document
  */
 function getDocumentTags(doc: DocumentData, definitions: TagDefinition[]): TagValue[] {
   const result: TagValue[] = []
 
-  for (const slot of TAG_SLOTS) {
+  for (const slot of ALL_TAG_SLOTS) {
     const raw = doc[slot]
     if (raw == null) continue
 
     const def = definitions.find((d) => d.tagSlot === slot)
-    const fieldType = def?.fieldType || TAG_FIELD_TYPES[slot.replace(/\d+$/, '')] || 'text'
+    const fieldType = def?.fieldType || getFieldTypeForSlot(slot) || 'text'
 
     let value: string
     if (fieldType === 'date') {
@@ -424,6 +343,8 @@ export function KnowledgeBase({
 
   const [searchQuery, setSearchQuery] = useState('')
   const [showTagsModal, setShowTagsModal] = useState(false)
+  const [enabledFilter, setEnabledFilter] = useState<'all' | 'enabled' | 'disabled'>('all')
+  const [isFilterPopoverOpen, setIsFilterPopoverOpen] = useState(false)
 
   /**
    * Memoize the search query setter to prevent unnecessary re-renders
@@ -434,6 +355,7 @@ export function KnowledgeBase({
   }, [])
 
   const [selectedDocuments, setSelectedDocuments] = useState<Set<string>>(new Set())
+  const [isSelectAllMode, setIsSelectAllMode] = useState(false)
   const [showDeleteDialog, setShowDeleteDialog] = useState(false)
   const [showAddDocumentsModal, setShowAddDocumentsModal] = useState(false)
   const [showDeleteDocumentModal, setShowDeleteDocumentModal] = useState(false)
@@ -460,7 +382,6 @@ export function KnowledgeBase({
     error: knowledgeBaseError,
     refresh: refreshKnowledgeBase,
   } = useKnowledgeBase(id)
-  const [hasProcessingDocuments, setHasProcessingDocuments] = useState(false)
 
   const {
     documents,
@@ -469,6 +390,7 @@ export function KnowledgeBase({
     isFetching: isFetchingDocuments,
     isPlaceholderData: isPlaceholderDocuments,
     error: documentsError,
+    hasProcessingDocuments,
     updateDocument,
     refreshDocuments,
   } = useKnowledgeBaseDocuments(id, {
@@ -477,7 +399,14 @@ export function KnowledgeBase({
     offset: (currentPage - 1) * DOCUMENTS_PER_PAGE,
     sortBy,
     sortOrder,
-    refetchInterval: hasProcessingDocuments && !isDeleting ? 3000 : false,
+    refetchInterval: (data) => {
+      if (isDeleting) return false
+      const hasPending = data?.documents?.some(
+        (doc) => doc.processingStatus === 'pending' || doc.processingStatus === 'processing'
+      )
+      return hasPending ? 3000 : false
+    },
+    enabledFilter,
   })
 
   const { tagDefinitions } = useKnowledgeBaseTagDefinitions(id)
@@ -543,52 +472,52 @@ export function KnowledgeBase({
     </TableHead>
   )
 
-  useEffect(() => {
-    const processing = documents.some(
-      (doc) => doc.processingStatus === 'pending' || doc.processingStatus === 'processing'
-    )
-    setHasProcessingDocuments(processing)
-
-    if (processing) {
-      checkForDeadProcesses()
-    }
-  }, [documents])
-
   /**
    * Checks for documents with stale processing states and marks them as failed
    */
-  const checkForDeadProcesses = () => {
-    const now = new Date()
-    const DEAD_PROCESS_THRESHOLD_MS = 600 * 1000 // 10 minutes
+  const checkForDeadProcesses = useCallback(
+    (docsToCheck: DocumentData[]) => {
+      const now = new Date()
+      const DEAD_PROCESS_THRESHOLD_MS = 600 * 1000 // 10 minutes
 
-    const staleDocuments = documents.filter((doc) => {
-      if (doc.processingStatus !== 'processing' || !doc.processingStartedAt) {
-        return false
-      }
-
-      const processingDuration = now.getTime() - new Date(doc.processingStartedAt).getTime()
-      return processingDuration > DEAD_PROCESS_THRESHOLD_MS
-    })
-
-    if (staleDocuments.length === 0) return
-
-    logger.warn(`Found ${staleDocuments.length} documents with dead processes`)
-
-    staleDocuments.forEach((doc) => {
-      updateDocumentMutation(
-        {
-          knowledgeBaseId: id,
-          documentId: doc.id,
-          updates: { markFailedDueToTimeout: true },
-        },
-        {
-          onSuccess: () => {
-            logger.info(`Successfully marked dead process as failed for document: ${doc.filename}`)
-          },
+      const staleDocuments = docsToCheck.filter((doc) => {
+        if (doc.processingStatus !== 'processing' || !doc.processingStartedAt) {
+          return false
         }
-      )
-    })
-  }
+
+        const processingDuration = now.getTime() - new Date(doc.processingStartedAt).getTime()
+        return processingDuration > DEAD_PROCESS_THRESHOLD_MS
+      })
+
+      if (staleDocuments.length === 0) return
+
+      logger.warn(`Found ${staleDocuments.length} documents with dead processes`)
+
+      staleDocuments.forEach((doc) => {
+        updateDocumentMutation(
+          {
+            knowledgeBaseId: id,
+            documentId: doc.id,
+            updates: { markFailedDueToTimeout: true },
+          },
+          {
+            onSuccess: () => {
+              logger.info(
+                `Successfully marked dead process as failed for document: ${doc.filename}`
+              )
+            },
+          }
+        )
+      })
+    },
+    [id, updateDocumentMutation]
+  )
+
+  useEffect(() => {
+    if (hasProcessingDocuments) {
+      checkForDeadProcesses(documents)
+    }
+  }, [hasProcessingDocuments, documents, checkForDeadProcesses])
 
   const handleToggleEnabled = (docId: string) => {
     const document = documents.find((doc) => doc.id === docId)
@@ -748,6 +677,7 @@ export function KnowledgeBase({
       setSelectedDocuments(new Set(documents.map((doc) => doc.id)))
     } else {
       setSelectedDocuments(new Set())
+      setIsSelectAllMode(false)
     }
   }
 
@@ -793,6 +723,26 @@ export function KnowledgeBase({
    * Handles bulk enabling of selected documents
    */
   const handleBulkEnable = () => {
+    if (isSelectAllMode) {
+      bulkDocumentMutation(
+        {
+          knowledgeBaseId: id,
+          operation: 'enable',
+          selectAll: true,
+          enabledFilter,
+        },
+        {
+          onSuccess: (result) => {
+            logger.info(`Successfully enabled ${result.successCount} documents`)
+            setSelectedDocuments(new Set())
+            setIsSelectAllMode(false)
+            refreshDocuments()
+          },
+        }
+      )
+      return
+    }
+
     const documentsToEnable = documents.filter(
       (doc) => selectedDocuments.has(doc.id) && !doc.enabled
     )
@@ -821,6 +771,26 @@ export function KnowledgeBase({
    * Handles bulk disabling of selected documents
    */
   const handleBulkDisable = () => {
+    if (isSelectAllMode) {
+      bulkDocumentMutation(
+        {
+          knowledgeBaseId: id,
+          operation: 'disable',
+          selectAll: true,
+          enabledFilter,
+        },
+        {
+          onSuccess: (result) => {
+            logger.info(`Successfully disabled ${result.successCount} documents`)
+            setSelectedDocuments(new Set())
+            setIsSelectAllMode(false)
+            refreshDocuments()
+          },
+        }
+      )
+      return
+    }
+
     const documentsToDisable = documents.filter(
       (doc) => selectedDocuments.has(doc.id) && doc.enabled
     )
@@ -845,18 +815,35 @@ export function KnowledgeBase({
     )
   }
 
-  /**
-   * Opens the bulk delete confirmation modal
-   */
   const handleBulkDelete = () => {
     if (selectedDocuments.size === 0) return
     setShowBulkDeleteModal(true)
   }
 
-  /**
-   * Confirms and executes the bulk deletion of selected documents
-   */
   const confirmBulkDelete = () => {
+    if (isSelectAllMode) {
+      bulkDocumentMutation(
+        {
+          knowledgeBaseId: id,
+          operation: 'delete',
+          selectAll: true,
+          enabledFilter,
+        },
+        {
+          onSuccess: (result) => {
+            logger.info(`Successfully deleted ${result.successCount} documents`)
+            refreshDocuments()
+            setSelectedDocuments(new Set())
+            setIsSelectAllMode(false)
+          },
+          onSettled: () => {
+            setShowBulkDeleteModal(false)
+          },
+        }
+      )
+      return
+    }
+
     const documentsToDelete = documents.filter((doc) => selectedDocuments.has(doc.id))
 
     if (documentsToDelete.length === 0) return
@@ -881,14 +868,17 @@ export function KnowledgeBase({
   }
 
   const selectedDocumentsList = documents.filter((doc) => selectedDocuments.has(doc.id))
-  const enabledCount = selectedDocumentsList.filter((doc) => doc.enabled).length
-  const disabledCount = selectedDocumentsList.filter((doc) => !doc.enabled).length
+  const enabledCount = isSelectAllMode
+    ? enabledFilter === 'disabled'
+      ? 0
+      : pagination.total
+    : selectedDocumentsList.filter((doc) => doc.enabled).length
+  const disabledCount = isSelectAllMode
+    ? enabledFilter === 'enabled'
+      ? 0
+      : pagination.total
+    : selectedDocumentsList.filter((doc) => !doc.enabled).length
 
-  /**
-   * Handle right-click on a document row
-   * If right-clicking on an unselected document, select only that document
-   * If right-clicking on a selected document with multiple selections, keep all selections
-   */
   const handleDocumentContextMenu = useCallback(
     (e: React.MouseEvent, doc: DocumentData) => {
       const isCurrentlySelected = selectedDocuments.has(doc.id)
@@ -1005,11 +995,13 @@ export function KnowledgeBase({
             </div>
           </div>
 
-          {knowledgeBase?.description && (
-            <p className='mt-[4px] line-clamp-2 max-w-[40vw] font-medium text-[14px] text-[var(--text-tertiary)]'>
-              {knowledgeBase.description}
-            </p>
-          )}
+          <div>
+            {knowledgeBase?.description && (
+              <p className='mt-[4px] line-clamp-2 max-w-[40vw] font-medium text-[14px] text-[var(--text-tertiary)]'>
+                {knowledgeBase.description}
+              </p>
+            )}
+          </div>
 
           <div className='mt-[16px] flex items-center gap-[8px]'>
             <span className='text-[14px] text-[var(--text-muted)]'>
@@ -1052,21 +1044,76 @@ export function KnowledgeBase({
                 ))}
             </div>
 
-            <Tooltip.Root>
-              <Tooltip.Trigger asChild>
-                <Button
-                  onClick={handleAddDocuments}
-                  disabled={userPermissions.canEdit !== true}
-                  variant='tertiary'
-                  className='h-[32px] rounded-[6px]'
-                >
-                  Add Documents
-                </Button>
-              </Tooltip.Trigger>
-              {userPermissions.canEdit !== true && (
-                <Tooltip.Content>Write permission required to add documents</Tooltip.Content>
-              )}
-            </Tooltip.Root>
+            <div className='flex items-center gap-[8px]'>
+              <Popover open={isFilterPopoverOpen} onOpenChange={setIsFilterPopoverOpen}>
+                <PopoverTrigger asChild>
+                  <Button variant='default' className='h-[32px] rounded-[6px]'>
+                    {enabledFilter === 'all'
+                      ? 'All'
+                      : enabledFilter === 'enabled'
+                        ? 'Enabled'
+                        : 'Disabled'}
+                    <ChevronDown className='ml-2 h-4 w-4 text-muted-foreground' />
+                  </Button>
+                </PopoverTrigger>
+                <PopoverContent align='end' side='bottom' sideOffset={4}>
+                  <div className='flex flex-col gap-[2px]'>
+                    <PopoverItem
+                      active={enabledFilter === 'all'}
+                      onClick={() => {
+                        setEnabledFilter('all')
+                        setIsFilterPopoverOpen(false)
+                        setCurrentPage(1)
+                        setSelectedDocuments(new Set())
+                        setIsSelectAllMode(false)
+                      }}
+                    >
+                      All
+                    </PopoverItem>
+                    <PopoverItem
+                      active={enabledFilter === 'enabled'}
+                      onClick={() => {
+                        setEnabledFilter('enabled')
+                        setIsFilterPopoverOpen(false)
+                        setCurrentPage(1)
+                        setSelectedDocuments(new Set())
+                        setIsSelectAllMode(false)
+                      }}
+                    >
+                      Enabled
+                    </PopoverItem>
+                    <PopoverItem
+                      active={enabledFilter === 'disabled'}
+                      onClick={() => {
+                        setEnabledFilter('disabled')
+                        setIsFilterPopoverOpen(false)
+                        setCurrentPage(1)
+                        setSelectedDocuments(new Set())
+                        setIsSelectAllMode(false)
+                      }}
+                    >
+                      Disabled
+                    </PopoverItem>
+                  </div>
+                </PopoverContent>
+              </Popover>
+
+              <Tooltip.Root>
+                <Tooltip.Trigger asChild>
+                  <Button
+                    onClick={handleAddDocuments}
+                    disabled={userPermissions.canEdit !== true}
+                    variant='tertiary'
+                    className='h-[32px] rounded-[6px]'
+                  >
+                    Add Documents
+                  </Button>
+                </Tooltip.Trigger>
+                {userPermissions.canEdit !== true && (
+                  <Tooltip.Content>Write permission required to add documents</Tooltip.Content>
+                )}
+              </Tooltip.Root>
+            </div>
           </div>
 
           {error && !isLoadingKnowledgeBase && (
@@ -1089,14 +1136,20 @@ export function KnowledgeBase({
               <div className='mt-[10px] flex h-64 items-center justify-center rounded-lg border border-muted-foreground/25 bg-muted/20'>
                 <div className='text-center'>
                   <p className='font-medium text-[var(--text-secondary)] text-sm'>
-                    {searchQuery ? 'No documents found' : 'No documents yet'}
+                    {searchQuery
+                      ? 'No documents found'
+                      : enabledFilter !== 'all'
+                        ? 'Nothing matches your filter'
+                        : 'No documents yet'}
                   </p>
                   <p className='mt-1 text-[var(--text-muted)] text-xs'>
                     {searchQuery
                       ? 'Try a different search term'
-                      : userPermissions.canEdit === true
-                        ? 'Add documents to get started'
-                        : 'Documents will appear here once added'}
+                      : enabledFilter !== 'all'
+                        ? 'Try changing the filter'
+                        : userPermissions.canEdit === true
+                          ? 'Add documents to get started'
+                          : 'Documents will appear here once added'}
                   </p>
                 </div>
               </div>
@@ -1120,7 +1173,7 @@ export function KnowledgeBase({
                     {renderSortableHeader('tokenCount', 'Tokens', 'hidden w-[8%] lg:table-cell')}
                     {renderSortableHeader('chunkCount', 'Chunks', 'w-[8%]')}
                     {renderSortableHeader('uploadedAt', 'Uploaded', 'w-[11%]')}
-                    {renderSortableHeader('processingStatus', 'Status', 'w-[10%]')}
+                    {renderSortableHeader('enabled', 'Status', 'w-[10%]')}
                     <TableHead className='w-[12%] px-[12px] py-[8px] text-[12px] text-[var(--text-secondary)]'>
                       Tags
                     </TableHead>
@@ -1164,7 +1217,10 @@ export function KnowledgeBase({
                         </TableCell>
                         <TableCell className='w-[180px] max-w-[180px] px-[12px] py-[8px]'>
                           <div className='flex min-w-0 items-center gap-[8px]'>
-                            {getFileIcon(doc.mimeType, doc.filename)}
+                            {(() => {
+                              const IconComponent = getDocumentIcon(doc.mimeType, doc.filename)
+                              return <IconComponent className='h-6 w-5 flex-shrink-0' />
+                            })()}
                             <Tooltip.Root>
                               <Tooltip.Trigger asChild>
                                 <span
@@ -1508,6 +1564,14 @@ export function KnowledgeBase({
         enabledCount={enabledCount}
         disabledCount={disabledCount}
         isLoading={isBulkOperating}
+        totalCount={pagination.total}
+        isAllPageSelected={isAllSelected}
+        isAllSelected={isSelectAllMode}
+        onSelectAll={() => setIsSelectAllMode(true)}
+        onClearSelectAll={() => {
+          setIsSelectAllMode(false)
+          setSelectedDocuments(new Set())
+        }}
       />
 
       <DocumentContextMenu

apps/sim/app/workspace/[workspaceId]/knowledge/[id]/components/action-bar/action-bar.tsx

@@ -13,6 +13,11 @@ interface ActionBarProps {
   disabledCount?: number
   isLoading?: boolean
   className?: string
+  totalCount?: number
+  isAllPageSelected?: boolean
+  isAllSelected?: boolean
+  onSelectAll?: () => void
+  onClearSelectAll?: () => void
 }
 
 export function ActionBar({
@@ -24,14 +29,21 @@ export function ActionBar({
   disabledCount = 0,
   isLoading = false,
   className,
+  totalCount = 0,
+  isAllPageSelected = false,
+  isAllSelected = false,
+  onSelectAll,
+  onClearSelectAll,
 }: ActionBarProps) {
   const userPermissions = useUserPermissionsContext()
 
-  if (selectedCount === 0) return null
+  if (selectedCount === 0 && !isAllSelected) return null
 
   const canEdit = userPermissions.canEdit
   const showEnableButton = disabledCount > 0 && onEnable && canEdit
   const showDisableButton = enabledCount > 0 && onDisable && canEdit
+  const showSelectAllOption =
+    isAllPageSelected && !isAllSelected && totalCount > selectedCount && onSelectAll
 
   return (
     <motion.div
@@ -43,7 +55,31 @@ export function ActionBar({
     >
       <div className='flex items-center gap-[8px] rounded-[10px] border border-[var(--border)] bg-[var(--surface-2)] px-[8px] py-[6px]'>
         <span className='px-[4px] text-[13px] text-[var(--text-secondary)]'>
-          {selectedCount} selected
+          {isAllSelected ? totalCount : selectedCount} selected
+          {showSelectAllOption && (
+            <>
+              {' · '}
+              <button
+                type='button'
+                onClick={onSelectAll}
+                className='text-[var(--brand-primary)] hover:underline'
+              >
+                Select all
+              </button>
+            </>
+          )}
+          {isAllSelected && onClearSelectAll && (
+            <>
+              {' · '}
+              <button
+                type='button'
+                onClick={onClearSelectAll}
+                className='text-[var(--brand-primary)] hover:underline'
+              >
+                Clear
+              </button>
+            </>
+          )}
         </span>
 
         <div className='flex items-center gap-[5px]'>

apps/sim/app/workspace/[workspaceId]/knowledge/[id]/components/rename-document-modal/rename-document-modal.tsx

@@ -123,7 +123,11 @@ export function RenameDocumentModal({
                 >
                   Cancel
                 </Button>
-                <Button variant='tertiary' type='submit' disabled={isSubmitting || !name?.trim()}>
+                <Button
+                  variant='tertiary'
+                  type='submit'
+                  disabled={isSubmitting || !name?.trim() || name.trim() === initialName}
+                >
                   {isSubmitting ? 'Renaming...' : 'Rename'}
                 </Button>
               </div>

apps/sim/app/workspace/[workspaceId]/knowledge/components/base-card/base-card.tsx

@@ -3,6 +3,7 @@
 import { useCallback, useState } from 'react'
 import { useParams, useRouter } from 'next/navigation'
 import { Badge, DocumentAttachment, Tooltip } from '@/components/emcn'
+import { formatAbsoluteDate, formatRelativeTime } from '@/lib/core/utils/formatting'
 import { BaseTagsModal } from '@/app/workspace/[workspaceId]/knowledge/[id]/components'
 import { useUserPermissionsContext } from '@/app/workspace/[workspaceId]/providers/workspace-permissions-provider'
 import { useContextMenu } from '@/app/workspace/[workspaceId]/w/components/sidebar/hooks'
@@ -21,55 +22,6 @@ interface BaseCardProps {
   onDelete?: (id: string) => Promise<void>
 }
 
-/**
- * Formats a date string to relative time (e.g., "2h ago", "3d ago")
- */
-function formatRelativeTime(dateString: string): string {
-  const date = new Date(dateString)
-  const now = new Date()
-  const diffInSeconds = Math.floor((now.getTime() - date.getTime()) / 1000)
-
-  if (diffInSeconds < 60) {
-    return 'just now'
-  }
-  if (diffInSeconds < 3600) {
-    const minutes = Math.floor(diffInSeconds / 60)
-    return `${minutes}m ago`
-  }
-  if (diffInSeconds < 86400) {
-    const hours = Math.floor(diffInSeconds / 3600)
-    return `${hours}h ago`
-  }
-  if (diffInSeconds < 604800) {
-    const days = Math.floor(diffInSeconds / 86400)
-    return `${days}d ago`
-  }
-  if (diffInSeconds < 2592000) {
-    const weeks = Math.floor(diffInSeconds / 604800)
-    return `${weeks}w ago`
-  }
-  if (diffInSeconds < 31536000) {
-    const months = Math.floor(diffInSeconds / 2592000)
-    return `${months}mo ago`
-  }
-  const years = Math.floor(diffInSeconds / 31536000)
-  return `${years}y ago`
-}
-
-/**
- * Formats a date string to absolute format for tooltip display
- */
-function formatAbsoluteDate(dateString: string): string {
-  const date = new Date(dateString)
-  return date.toLocaleDateString('en-US', {
-    year: 'numeric',
-    month: 'short',
-    day: 'numeric',
-    hour: '2-digit',
-    minute: '2-digit',
-  })
-}
-
 /**
  * Skeleton placeholder for a knowledge base card
  */

apps/sim/app/workspace/[workspaceId]/knowledge/components/create-base-modal/create-base-modal.tsx

@@ -344,53 +344,51 @@ export function CreateBaseModal({ open, onOpenChange }: CreateBaseModalProps) {
                   <Textarea
                     id='description'
                     placeholder='Describe this knowledge base (optional)'
-                    rows={3}
+                    rows={4}
                     {...register('description')}
                     className={cn(errors.description && 'border-[var(--text-error)]')}
                   />
                 </div>
 
-                <div className='space-y-[12px] rounded-[6px] bg-[var(--surface-5)] px-[12px] py-[14px]'>
-                  <div className='grid grid-cols-2 gap-[12px]'>
-                    <div className='flex flex-col gap-[8px]'>
-                      <Label htmlFor='minChunkSize'>Min Chunk Size (characters)</Label>
-                      <Input
-                        id='minChunkSize'
-                        placeholder='100'
-                        {...register('minChunkSize', { valueAsNumber: true })}
-                        className={cn(errors.minChunkSize && 'border-[var(--text-error)]')}
-                        autoComplete='off'
-                        data-form-type='other'
-                        name='min-chunk-size'
-                      />
-                    </div>
-
-                    <div className='flex flex-col gap-[8px]'>
-                      <Label htmlFor='maxChunkSize'>Max Chunk Size (tokens)</Label>
-                      <Input
-                        id='maxChunkSize'
-                        placeholder='1024'
-                        {...register('maxChunkSize', { valueAsNumber: true })}
-                        className={cn(errors.maxChunkSize && 'border-[var(--text-error)]')}
-                        autoComplete='off'
-                        data-form-type='other'
-                        name='max-chunk-size'
-                      />
-                    </div>
+                <div className='grid grid-cols-2 gap-[12px]'>
+                  <div className='flex flex-col gap-[8px]'>
+                    <Label htmlFor='minChunkSize'>Min Chunk Size (characters)</Label>
+                    <Input
+                      id='minChunkSize'
+                      placeholder='100'
+                      {...register('minChunkSize', { valueAsNumber: true })}
+                      className={cn(errors.minChunkSize && 'border-[var(--text-error)]')}
+                      autoComplete='off'
+                      data-form-type='other'
+                      name='min-chunk-size'
+                    />
                   </div>
 
                   <div className='flex flex-col gap-[8px]'>
-                    <Label htmlFor='overlapSize'>Overlap (tokens)</Label>
+                    <Label htmlFor='maxChunkSize'>Max Chunk Size (tokens)</Label>
                     <Input
-                      id='overlapSize'
-                      placeholder='200'
-                      {...register('overlapSize', { valueAsNumber: true })}
-                      className={cn(errors.overlapSize && 'border-[var(--text-error)]')}
+                      id='maxChunkSize'
+                      placeholder='1024'
+                      {...register('maxChunkSize', { valueAsNumber: true })}
+                      className={cn(errors.maxChunkSize && 'border-[var(--text-error)]')}
                       autoComplete='off'
                       data-form-type='other'
-                      name='overlap-size'
+                      name='max-chunk-size'
                     />
                   </div>
+                </div>
+
+                <div className='flex flex-col gap-[8px]'>
+                  <Label htmlFor='overlapSize'>Overlap (tokens)</Label>
+                  <Input
+                    id='overlapSize'
+                    placeholder='200'
+                    {...register('overlapSize', { valueAsNumber: true })}
+                    className={cn(errors.overlapSize && 'border-[var(--text-error)]')}
+                    autoComplete='off'
+                    data-form-type='other'
+                    name='overlap-size'
+                  />
                   <p className='text-[11px] text-[var(--text-muted)]'>
                     1 token ≈ 4 characters. Max chunk size and overlap are in tokens.
                   </p>

apps/sim/app/workspace/[workspaceId]/knowledge/components/edit-knowledge-base-modal/edit-knowledge-base-modal.tsx

@@ -59,7 +59,7 @@ export function EditKnowledgeBaseModal({
     handleSubmit,
     reset,
     watch,
-    formState: { errors },
+    formState: { errors, isDirty },
   } = useForm<FormValues>({
     resolver: zodResolver(FormSchema),
     defaultValues: {
@@ -127,7 +127,7 @@ export function EditKnowledgeBaseModal({
                 <Textarea
                   id='description'
                   placeholder='Describe this knowledge base (optional)'
-                  rows={3}
+                  rows={4}
                   {...register('description')}
                   className={cn(errors.description && 'border-[var(--text-error)]')}
                 />
@@ -161,7 +161,7 @@ export function EditKnowledgeBaseModal({
                 <Button
                   variant='tertiary'
                   type='submit'
-                  disabled={isSubmitting || !nameValue?.trim()}
+                  disabled={isSubmitting || !nameValue?.trim() || !isDirty}
                 >
                   {isSubmitting ? 'Saving...' : 'Save'}
                 </Button>

apps/sim/app/workspace/[workspaceId]/logs/components/log-details/components/execution-snapshot/execution-snapshot.tsx

@@ -16,8 +16,8 @@ import {
 import { redactApiKeys } from '@/lib/core/security/redaction'
 import { cn } from '@/lib/core/utils/cn'
 import {
-  BlockDetailsSidebar,
   getLeftmostBlockId,
+  PreviewEditor,
   WorkflowPreview,
 } from '@/app/workspace/[workspaceId]/w/components/preview'
 import { useExecutionSnapshot } from '@/hooks/queries/logs'
@@ -248,11 +248,10 @@ export function ExecutionSnapshot({
             cursorStyle='pointer'
             executedBlocks={blockExecutions}
             selectedBlockId={pinnedBlockId}
-            lightweight
           />
         </div>
         {pinnedBlockId && workflowState.blocks[pinnedBlockId] && (
-          <BlockDetailsSidebar
+          <PreviewEditor
             block={workflowState.blocks[pinnedBlockId]}
             executionData={blockExecutions[pinnedBlockId]}
             allBlockExecutions={blockExecutions}