fix(copilot): pre-validate credentials and apiKeys before applying edits

- Add preValidateCredentialInputs to validate inputs before operations are applied
- Block invalid credential IDs (non-existent or not owned by user) from being set
- Filter out apiKey inputs for hosted models when isHosted is true
- Skip oauth-input in post-validation to preserve existing collaborator credentials
- Return validation errors for LLM feedback on blocked inputs

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>

.devcontainer/docker-compose.yml

@@ -44,7 +44,7 @@ services:
     deploy:
       resources:
         limits:
-          memory: 1G
+          memory: 4G
     environment:
       - NODE_ENV=development
       - DATABASE_URL=postgresql://postgres:postgres@db:5432/simstudio

apps/docs/content/docs/de/self-hosting/index.mdx

@@ -10,20 +10,12 @@ Stellen Sie Sim auf Ihrer eigenen Infrastruktur mit Docker oder Kubernetes berei
 
 ## Anforderungen
 
-| Ressource | Klein | Standard | Produktion |
-|----------|-------|----------|------------|
-| CPU | 2 Kerne | 4 Kerne | 8+ Kerne |
-| RAM | 12 GB | 16 GB | 32+ GB |
-| Speicher | 20 GB SSD | 50 GB SSD | 100+ GB SSD |
-| Docker | 20.10+ | 20.10+ | Neueste Version |
-
-**Klein**: Entwicklung, Tests, Einzelnutzer (1-5 Nutzer)
-**Standard**: Teams (5-50 Nutzer), moderate Arbeitslasten
-**Produktion**: Große Teams (50+ Nutzer), Hochverfügbarkeit, intensive Workflow-Ausführung
-
-<Callout type="info">
-Die Ressourcenanforderungen werden durch Workflow-Ausführung (isolated-vm Sandboxing), Dateiverarbeitung (In-Memory-Dokumentenparsing) und Vektoroperationen (pgvector) bestimmt. Arbeitsspeicher ist typischerweise der limitierende Faktor, nicht CPU. Produktionsdaten zeigen, dass die Hauptanwendung durchschnittlich 4-8 GB und bei hoher Last bis zu 12 GB benötigt.
-</Callout>
+| Ressource | Minimum | Empfohlen |
+|----------|---------|-------------|
+| CPU | 2 Kerne | 4+ Kerne |
+| RAM | 12 GB | 16+ GB |
+| Speicher | 20 GB SSD | 50+ GB SSD |
+| Docker | 20.10+ | Neueste Version |
 
 ## Schnellstart
 

apps/docs/content/docs/en/quick-reference/index.mdx

@@ -5,14 +5,6 @@ description: Essential actions for navigating and using the Sim workflow editor
 
 import { Callout } from 'fumadocs-ui/components/callout'
 
-export const ActionImage = ({ src, alt }) => (
-  <img src={src} alt={alt} className="inline-block max-h-8 rounded border border-neutral-200 dark:border-neutral-700" />
-)
-
-export const ActionVideo = ({ src, alt }) => (
-  <video src={src} alt={alt} autoPlay loop muted playsInline className="inline-block max-h-8 rounded border border-neutral-200 dark:border-neutral-700" />
-)
-
 A quick lookup for everyday actions in the Sim workflow editor. For keyboard shortcuts, see [Keyboard Shortcuts](/keyboard-shortcuts).
 
 <Callout type="info">
@@ -21,209 +13,67 @@ A quick lookup for everyday actions in the Sim workflow editor. For keyboard sho
 
 ## Workspaces
 
-<table>
-  <thead>
-    <tr><th>Action</th><th>How</th><th>Preview</th></tr>
-  </thead>
-  <tbody>
-    <tr>
-      <td>Create a workspace</td>
-      <td>Click workspace dropdown → **New Workspace**</td>
-      <td><ActionVideo src="/static/quick-reference/create-workspace.mp4" alt="Create workspace" /></td>
-    </tr>
-    <tr>
-      <td>Switch workspaces</td>
-      <td>Click workspace dropdown → Select workspace</td>
-      <td><ActionVideo src="/static/quick-reference/switch-workspace.mp4" alt="Switch workspaces" /></td>
-    </tr>
-    <tr>
-      <td>Invite team members</td>
-      <td>Workspace settings → **Team** → **Invite**</td>
-      <td><ActionVideo src="/static/quick-reference/invite.mp4" alt="Invite team members" /></td>
-    </tr>
-    <tr>
-      <td>Rename a workspace</td>
-      <td>Right-click workspace → **Rename**</td>
-      <td rowSpan={4}><ActionImage src="/static/quick-reference/workspace-context-menu.png" alt="Workspace context menu" /></td>
-    </tr>
-    <tr>
-      <td>Duplicate a workspace</td>
-      <td>Right-click workspace → **Duplicate**</td>
-    </tr>
-    <tr>
-      <td>Export a workspace</td>
-      <td>Right-click workspace → **Export**</td>
-    </tr>
-    <tr>
-      <td>Delete a workspace</td>
-      <td>Right-click workspace → **Delete**</td>
-    </tr>
-  </tbody>
-</table>
+| Action | How |
+|--------|-----|
+| Create a workspace | Click workspace dropdown in sidebar → **New Workspace** |
+| Rename a workspace | Workspace settings → Edit name |
+| Switch workspaces | Click workspace dropdown in sidebar → Select workspace |
+| Invite team members | Workspace settings → **Team** → **Invite** |
 
 ## Workflows
 
-<table>
-  <thead>
-    <tr><th>Action</th><th>How</th><th>Preview</th></tr>
-  </thead>
-  <tbody>
-    <tr>
-      <td>Create a workflow</td>
-      <td>Click **+** button in sidebar</td>
-      <td><ActionImage src="/static/quick-reference/create-workflow.png" alt="Create workflow" /></td>
-    </tr>
-    <tr>
-      <td>Reorder / move workflows</td>
-      <td>Drag workflow up/down or onto a folder</td>
-      <td><ActionVideo src="/static/quick-reference/reordering.mp4" alt="Reorder workflows" /></td>
-    </tr>
-    <tr>
-      <td>Import a workflow</td>
-      <td>Click import button in sidebar → Select file</td>
-      <td><ActionImage src="/static/quick-reference/import-workflow.png" alt="Import workflow" /></td>
-    </tr>
-    <tr>
-      <td>Multi-select workflows</td>
-      <td>`Mod+Click` or `Shift+Click` workflows in sidebar</td>
-      <td><ActionVideo src="/static/quick-reference/multiselect.mp4" alt="Multi-select workflows" /></td>
-    </tr>
-    <tr>
-      <td>Open in new tab</td>
-      <td>Right-click workflow → **Open in New Tab**</td>
-      <td rowSpan={6}><ActionImage src="/static/quick-reference/workflow-context-menu.png" alt="Workflow context menu" /></td>
-    </tr>
-    <tr>
-      <td>Rename a workflow</td>
-      <td>Right-click workflow → **Rename**</td>
-    </tr>
-    <tr>
-      <td>Assign workflow color</td>
-      <td>Right-click workflow → **Change Color**</td>
-    </tr>
-    <tr>
-      <td>Duplicate a workflow</td>
-      <td>Right-click workflow → **Duplicate**</td>
-    </tr>
-    <tr>
-      <td>Export a workflow</td>
-      <td>Right-click workflow → **Export**</td>
-    </tr>
-    <tr>
-      <td>Delete a workflow</td>
-      <td>Right-click workflow → **Delete**</td>
-    </tr>
-    <tr>
-      <td>Rename a folder</td>
-      <td>Right-click folder → **Rename**</td>
-      <td rowSpan={6}><ActionImage src="/static/quick-reference/folder-context-menu.png" alt="Folder context menu" /></td>
-    </tr>
-    <tr>
-      <td>Create workflow in folder</td>
-      <td>Right-click folder → **Create workflow**</td>
-    </tr>
-    <tr>
-      <td>Create folder in folder</td>
-      <td>Right-click folder → **Create folder**</td>
-    </tr>
-    <tr>
-      <td>Duplicate a folder</td>
-      <td>Right-click folder → **Duplicate**</td>
-    </tr>
-    <tr>
-      <td>Export a folder</td>
-      <td>Right-click folder → **Export**</td>
-    </tr>
-    <tr>
-      <td>Delete a folder</td>
-      <td>Right-click folder → **Delete**</td>
-    </tr>
-  </tbody>
-</table>
+| Action | How |
+|--------|-----|
+| Create a workflow | Click **New Workflow** button or `Mod+Shift+A` |
+| Rename a workflow | Double-click workflow name in sidebar, or right-click → **Rename** |
+| Duplicate a workflow | Right-click workflow → **Duplicate** |
+| Reorder workflows | Drag workflow up/down in the sidebar list |
+| Import a workflow | Sidebar menu → **Import** → Select file |
+| Create a folder | Right-click in sidebar → **New Folder** |
+| Rename a folder | Right-click folder → **Rename** |
+| Delete a folder | Right-click folder → **Delete** |
+| Collapse/expand folder | Click folder arrow, or double-click folder |
+| Move workflow to folder | Drag workflow onto folder in sidebar |
+| Delete a workflow | Right-click workflow → **Delete** |
+| Export a workflow | Right-click workflow → **Export** |
+| Assign workflow color | Right-click workflow → **Change Color** |
+| Multi-select workflows | `Mod+Click` or `Shift+Click` workflows in sidebar |
+| Open in new tab | Right-click workflow → **Open in New Tab** |
 
 ## Blocks
 
-<table>
-  <thead>
-    <tr><th>Action</th><th>How</th><th>Preview</th></tr>
-  </thead>
-  <tbody>
-    <tr>
-      <td>Add a block</td>
-      <td>Drag from Toolbar panel, or right-click canvas → **Add Block**</td>
-      <td><ActionVideo src="/static/quick-reference/add-block.mp4" alt="Add a block" /></td>
-    </tr>
-    <tr>
-      <td>Multi-select blocks</td>
-      <td>`Mod+Click` additional blocks, or right-drag to draw selection box</td>
-      <td><ActionVideo src="/static/quick-reference/multiselect-blocks.mp4" alt="Multi-select blocks" /></td>
-    </tr>
-    <tr>
-      <td>Copy blocks</td>
-      <td>`Mod+C` with blocks selected</td>
-      <td rowSpan={2}><ActionVideo src="/static/quick-reference/copy-paste.mp4" alt="Copy and paste blocks" /></td>
-    </tr>
-    <tr>
-      <td>Paste blocks</td>
-      <td>`Mod+V` to paste copied blocks</td>
-    </tr>
-    <tr>
-      <td>Duplicate blocks</td>
-      <td>Right-click → **Duplicate**</td>
-      <td><ActionVideo src="/static/quick-reference/duplicate-block.mp4" alt="Duplicate blocks" /></td>
-    </tr>
-    <tr>
-      <td>Delete blocks</td>
-      <td>`Delete` or `Backspace` key, or right-click → **Delete**</td>
-      <td><ActionImage src="/static/quick-reference/delete-block.png" alt="Delete block" /></td>
-    </tr>
-    <tr>
-      <td>Rename a block</td>
-      <td>Click block name in header, or edit in the Editor panel</td>
-      <td><ActionVideo src="/static/quick-reference/rename-block.mp4" alt="Rename a block" /></td>
-    </tr>
-    <tr>
-      <td>Enable/Disable a block</td>
-      <td>Right-click → **Enable/Disable**</td>
-      <td><ActionImage src="/static/quick-reference/disable-block.png" alt="Disable block" /></td>
-    </tr>
-    <tr>
-      <td>Toggle handle orientation</td>
-      <td>Right-click → **Toggle Handles**</td>
-      <td><ActionVideo src="/static/quick-reference/toggle-handles.mp4" alt="Toggle handle orientation" /></td>
-    </tr>
-    <tr>
-      <td>Configure a block</td>
-      <td>Select block → use Editor panel on right</td>
-      <td><ActionVideo src="/static/quick-reference/configure-block.mp4" alt="Configure a block" /></td>
-    </tr>
-  </tbody>
-</table>
+| Action | How |
+|--------|-----|
+| Add a block | Drag from Toolbar panel, or right-click canvas → **Add Block** |
+| Select a block | Click on the block |
+| Multi-select blocks | `Mod+Click` additional blocks, or right-drag to draw selection box |
+| Move blocks | Drag selected block(s) to new position |
+| Copy blocks | `Mod+C` with blocks selected |
+| Paste blocks | `Mod+V` to paste copied blocks |
+| Duplicate blocks | Right-click → **Duplicate** |
+| Delete blocks | `Delete` or `Backspace` key, or right-click → **Delete** |
+| Rename a block | Click block name in header, or edit in the Editor panel |
+| Enable/Disable a block | Right-click → **Enable/Disable** |
+| Toggle handle orientation | Right-click → **Toggle Handles** |
+| Toggle trigger mode | Right-click trigger block → **Toggle Trigger Mode** |
+| Configure a block | Select block → use Editor panel on right |
 
 ## Connections
 
-<table>
-  <thead>
-    <tr><th>Action</th><th>How</th><th>Preview</th></tr>
-  </thead>
-  <tbody>
-    <tr>
-      <td>Create a connection</td>
-      <td>Drag from output handle to input handle</td>
-      <td><ActionVideo src="/static/quick-reference/connect-blocks.mp4" alt="Connect blocks" /></td>
-    </tr>
-    <tr>
-      <td>Delete a connection</td>
-      <td>Click edge to select → `Delete` key</td>
-      <td><ActionVideo src="/static/quick-reference/delete-connection.mp4" alt="Delete connection" /></td>
-    </tr>
-    <tr>
-      <td>Use output in another block</td>
-      <td>Drag connection tag into input field</td>
-      <td><ActionVideo src="/static/quick-reference/connection-tag.mp4" alt="Use connection tag" /></td>
-    </tr>
-  </tbody>
-</table>
+| Action | How |
+|--------|-----|
+| Create a connection | Drag from output handle to input handle |
+| Delete a connection | Click edge to select → `Delete` key |
+| Use output in another block | Drag connection tag into input field |
+
+## Canvas Navigation
+
+| Action | How |
+|--------|-----|
+| Pan/move canvas | Left-drag on empty space, or scroll/trackpad |
+| Zoom in/out | Scroll wheel or pinch gesture |
+| Auto-layout | `Shift+L` |
+| Draw selection box | Right-drag on empty canvas area |
 
 ## Panels & Views
 
@@ -233,8 +83,7 @@ A quick lookup for everyday actions in the Sim workflow editor. For keyboard sho
 | Open Toolbar tab | Press `T` or click Toolbar tab |
 | Open Editor tab | Press `E` or click Editor tab |
 | Search toolbar | `Mod+F` |
-| Search everything | `Mod+K` |
-| Toggle manual mode | Click toggle button in editor fields to switch between manual and selector |
+| Toggle advanced mode | Click toggle button on input fields |
 | Resize panels | Drag panel edge |
 | Collapse/expand sidebar | Click collapse button on sidebar |
 
@@ -274,8 +123,7 @@ A quick lookup for everyday actions in the Sim workflow editor. For keyboard sho
 | Edit workflow variable | Variables tab → Click variable to edit |
 | Delete workflow variable | Variables tab → Click delete icon on variable |
 | Add environment variable | Settings → **Environment Variables** → **Add** |
-| Reference a workflow variable | Use `<blockName.itemName>` syntax in block inputs |
-| Reference an environment variable | Use `{{ENV_VAR}}` syntax in block inputs |
+| Reference a variable | Use `{{variableName}}` syntax in block inputs |
 
 ## Credentials
 

apps/docs/content/docs/en/self-hosting/index.mdx

@@ -16,20 +16,12 @@ Deploy Sim on your own infrastructure with Docker or Kubernetes.
 
 ## Requirements
 
-| Resource | Small | Standard | Production |
-|----------|-------|----------|------------|
-| CPU | 2 cores | 4 cores | 8+ cores |
-| RAM | 12 GB | 16 GB | 32+ GB |
-| Storage | 20 GB SSD | 50 GB SSD | 100+ GB SSD |
-| Docker | 20.10+ | 20.10+ | Latest |
-
-**Small**: Development, testing, single user (1-5 users)
-**Standard**: Teams (5-50 users), moderate workloads
-**Production**: Large teams (50+ users), high availability, heavy workflow execution
-
-<Callout type="info">
-Resource requirements are driven by workflow execution (isolated-vm sandboxing), file processing (in-memory document parsing), and vector operations (pgvector). Memory is typically the constraining factor rather than CPU. Production telemetry shows the main app uses 4-8 GB average with peaks up to 12 GB under heavy load.
-</Callout>
+| Resource | Minimum | Recommended |
+|----------|---------|-------------|
+| CPU | 2 cores | 4+ cores |
+| RAM | 12 GB | 16+ GB |
+| Storage | 20 GB SSD | 50+ GB SSD |
+| Docker | 20.10+ | Latest |
 
 ## Quick Start
 

apps/docs/content/docs/es/self-hosting/index.mdx

@@ -10,20 +10,12 @@ Despliega Sim en tu propia infraestructura con Docker o Kubernetes.
 
 ## Requisitos
 
-| Recurso | Pequeño | Estándar | Producción |
-|----------|---------|----------|------------|
-| CPU | 2 núcleos | 4 núcleos | 8+ núcleos |
-| RAM | 12 GB | 16 GB | 32+ GB |
-| Almacenamiento | 20 GB SSD | 50 GB SSD | 100+ GB SSD |
-| Docker | 20.10+ | 20.10+ | Última versión |
-
-**Pequeño**: Desarrollo, pruebas, usuario único (1-5 usuarios)
-**Estándar**: Equipos (5-50 usuarios), cargas de trabajo moderadas
-**Producción**: Equipos grandes (50+ usuarios), alta disponibilidad, ejecución intensiva de workflows
-
-<Callout type="info">
-Los requisitos de recursos están determinados por la ejecución de workflows (sandboxing isolated-vm), procesamiento de archivos (análisis de documentos en memoria) y operaciones vectoriales (pgvector). La memoria suele ser el factor limitante, no la CPU. La telemetría de producción muestra que la aplicación principal usa 4-8 GB en promedio con picos de hasta 12 GB bajo carga pesada.
-</Callout>
+| Recurso | Mínimo | Recomendado |
+|----------|---------|-------------|
+| CPU | 2 núcleos | 4+ núcleos |
+| RAM | 12 GB | 16+ GB |
+| Almacenamiento | 20 GB SSD | 50+ GB SSD |
+| Docker | 20.10+ | Última versión |
 
 ## Inicio rápido
 

apps/docs/content/docs/fr/self-hosting/index.mdx

@@ -10,20 +10,12 @@ Déployez Sim sur votre propre infrastructure avec Docker ou Kubernetes.
 
 ## Prérequis
 
-| Ressource | Petit | Standard | Production |
-|----------|-------|----------|------------|
-| CPU | 2 cœurs | 4 cœurs | 8+ cœurs |
-| RAM | 12 Go | 16 Go | 32+ Go |
-| Stockage | 20 Go SSD | 50 Go SSD | 100+ Go SSD |
-| Docker | 20.10+ | 20.10+ | Dernière version |
-
-**Petit** : Développement, tests, utilisateur unique (1-5 utilisateurs)
-**Standard** : Équipes (5-50 utilisateurs), charges de travail modérées
-**Production** : Grandes équipes (50+ utilisateurs), haute disponibilité, exécution intensive de workflows
-
-<Callout type="info">
-Les besoins en ressources sont déterminés par l'exécution des workflows (sandboxing isolated-vm), le traitement des fichiers (analyse de documents en mémoire) et les opérations vectorielles (pgvector). La mémoire est généralement le facteur limitant, pas le CPU. La télémétrie de production montre que l'application principale utilise 4-8 Go en moyenne avec des pics jusqu'à 12 Go sous forte charge.
-</Callout>
+| Ressource | Minimum | Recommandé |
+|----------|---------|-------------|
+| CPU | 2 cœurs | 4+ cœurs |
+| RAM | 12 Go | 16+ Go |
+| Stockage | 20 Go SSD | 50+ Go SSD |
+| Docker | 20.10+ | Dernière version |
 
 ## Démarrage rapide
 

apps/docs/content/docs/ja/self-hosting/index.mdx

@@ -10,20 +10,12 @@ DockerまたはKubernetesを使用して、自社のインフラストラクチ
 
 ## 要件
 
-| リソース | スモール | スタンダード | プロダクション |
-|----------|---------|-------------|----------------|
-| CPU | 2コア | 4コア | 8+コア |
-| RAM | 12 GB | 16 GB | 32+ GB |
-| ストレージ | 20 GB SSD | 50 GB SSD | 100+ GB SSD |
-| Docker | 20.10+ | 20.10+ | 最新版 |
-
-**スモール**: 開発、テスト、シングルユーザー（1-5ユーザー）
-**スタンダード**: チーム（5-50ユーザー）、中程度のワークロード
-**プロダクション**: 大規模チーム（50+ユーザー）、高可用性、高負荷ワークフロー実行
-
-<Callout type="info">
-リソース要件は、ワークフロー実行（isolated-vmサンドボックス）、ファイル処理（メモリ内ドキュメント解析）、ベクトル演算（pgvector）によって決まります。CPUよりもメモリが制約要因となることが多いです。本番環境のテレメトリによると、メインアプリは平均4-8 GB、高負荷時は最大12 GBを使用します。
-</Callout>
+| リソース | 最小 | 推奨 |
+|----------|---------|-------------|
+| CPU | 2コア | 4+コア |
+| RAM | 12 GB | 16+ GB |
+| ストレージ | 20 GB SSD | 50+ GB SSD |
+| Docker | 20.10+ | 最新版 |
 
 ## クイックスタート
 

apps/docs/content/docs/zh/self-hosting/index.mdx

@@ -10,20 +10,12 @@ import { Callout } from 'fumadocs-ui/components/callout'
 
 ## 要求
 
-| 资源 | 小型 | 标准 | 生产环境 |
-|----------|------|------|----------|
-| CPU | 2 核 | 4 核 | 8+ 核 |
-| 内存 | 12 GB | 16 GB | 32+ GB |
-| 存储 | 20 GB SSD | 50 GB SSD | 100+ GB SSD |
-| Docker | 20.10+ | 20.10+ | 最新版本 |
-
-**小型**: 开发、测试、单用户（1-5 用户）
-**标准**: 团队（5-50 用户）、中等工作负载
-**生产环境**: 大型团队（50+ 用户）、高可用性、密集工作流执行
-
-<Callout type="info">
-资源需求由工作流执行（isolated-vm 沙箱）、文件处理（内存中文档解析）和向量运算（pgvector）决定。内存通常是限制因素，而不是 CPU。生产遥测数据显示，主应用平均使用 4-8 GB，高负载时峰值可达 12 GB。
-</Callout>
+| 资源 | 最低要求 | 推荐配置 |
+|----------|---------|-------------|
+| CPU | 2 核 | 4 核及以上 |
+| 内存 | 12 GB | 16 GB 及以上 |
+| 存储 | 20 GB SSD | 50 GB 及以上 SSD |
+| Docker | 20.10+ | 最新版本 |
 
 ## 快速开始
 

apps/sim/app/api/knowledge/search/utils.test.ts

@@ -408,7 +408,6 @@ describe('Knowledge Search Utils', () => {
             input: ['test query'],
             model: 'text-embedding-3-small',
             encoding_format: 'float',
-            dimensions: 1536,
           }),
         })
       )

apps/sim/app/api/tools/supabase/storage/upload/route.ts

@@ -1,379 +0,0 @@
-import { createLogger } from '@sim/logger'
-import { type NextRequest, NextResponse } from 'next/server'
-import { z } from 'zod'
-import { checkInternalAuth } from '@/lib/auth/hybrid'
-import { generateRequestId } from '@/lib/core/utils/request'
-import { getBaseUrl } from '@/lib/core/utils/urls'
-import { StorageService } from '@/lib/uploads'
-import {
-  extractStorageKey,
-  inferContextFromKey,
-  isInternalFileUrl,
-} from '@/lib/uploads/utils/file-utils'
-import { verifyFileAccess } from '@/app/api/files/authorization'
-
-export const dynamic = 'force-dynamic'
-
-const logger = createLogger('SupabaseStorageUploadAPI')
-
-const SupabaseStorageUploadSchema = z.object({
-  apiKey: z.string().min(1, 'API key is required'),
-  projectId: z.string().min(1, 'Project ID is required'),
-  bucket: z.string().min(1, 'Bucket name is required'),
-  fileName: z.string().min(1, 'File name is required'),
-  path: z.string().optional().nullable(),
-  fileUpload: z
-    .object({
-      name: z.string().optional(),
-      type: z.string().optional(),
-      url: z.string().optional(),
-      path: z.string().optional(),
-    })
-    .optional()
-    .nullable(),
-  fileContent: z.string().optional().nullable(),
-  contentType: z.string().optional().nullable(),
-  upsert: z.boolean().optional().default(false),
-})
-
-/**
- * Detects if a string is base64 encoded and decodes it to a Buffer.
- * Handles both standard base64 and base64url encoding.
- */
-function decodeBase64ToBuffer(content: string): Buffer {
-  // Remove data URI prefix if present (e.g., "data:application/pdf;base64,")
-  const base64Content = content.includes(',') ? content.split(',')[1] : content
-
-  // Convert base64url to standard base64 if needed
-  let normalizedBase64 = base64Content
-  if (base64Content.includes('-') || base64Content.includes('_')) {
-    normalizedBase64 = base64Content.replace(/-/g, '+').replace(/_/g, '/')
-  }
-
-  // Add padding if necessary
-  const padding = normalizedBase64.length % 4
-  if (padding > 0) {
-    normalizedBase64 += '='.repeat(4 - padding)
-  }
-
-  return Buffer.from(normalizedBase64, 'base64')
-}
-
-/**
- * Checks if a string appears to be base64 encoded.
- */
-function isBase64(str: string): boolean {
-  // Remove data URI prefix if present
-  const content = str.includes(',') ? str.split(',')[1] : str
-
-  // Check if it matches base64 pattern (including base64url)
-  const base64Regex = /^[A-Za-z0-9+/_-]*={0,2}$/
-  if (!base64Regex.test(content)) {
-    return false
-  }
-
-  // Additional heuristic: base64 strings are typically longer and don't contain spaces
-  if (content.length < 4 || content.includes(' ')) {
-    return false
-  }
-
-  // Try to decode and check if it produces valid bytes
-  try {
-    const decoded = decodeBase64ToBuffer(str)
-    // If decoded length is significantly smaller than input, it's likely base64
-    return decoded.length < content.length
-  } catch {
-    return false
-  }
-}
-
-/**
- * Infer content type from file extension
- */
-function inferContentType(fileName: string): string {
-  const ext = fileName.split('.').pop()?.toLowerCase()
-  const mimeTypes: Record<string, string> = {
-    pdf: 'application/pdf',
-    png: 'image/png',
-    jpg: 'image/jpeg',
-    jpeg: 'image/jpeg',
-    gif: 'image/gif',
-    webp: 'image/webp',
-    svg: 'image/svg+xml',
-    txt: 'text/plain',
-    html: 'text/html',
-    css: 'text/css',
-    js: 'application/javascript',
-    json: 'application/json',
-    xml: 'application/xml',
-    zip: 'application/zip',
-    doc: 'application/msword',
-    docx: 'application/vnd.openxmlformats-officedocument.wordprocessingml.document',
-    xls: 'application/vnd.ms-excel',
-    xlsx: 'application/vnd.openxmlformats-officedocument.spreadsheetml.sheet',
-    ppt: 'application/vnd.ms-powerpoint',
-    pptx: 'application/vnd.openxmlformats-officedocument.presentationml.presentation',
-    mp3: 'audio/mpeg',
-    mp4: 'video/mp4',
-    wav: 'audio/wav',
-    csv: 'text/csv',
-  }
-  return mimeTypes[ext || ''] || 'application/octet-stream'
-}
-
-export async function POST(request: NextRequest) {
-  const requestId = generateRequestId()
-
-  try {
-    const authResult = await checkInternalAuth(request, { requireWorkflowId: false })
-
-    if (!authResult.success || !authResult.userId) {
-      logger.warn(
-        `[${requestId}] Unauthorized Supabase storage upload attempt: ${authResult.error}`
-      )
-      return NextResponse.json(
-        {
-          success: false,
-          error: authResult.error || 'Authentication required',
-        },
-        { status: 401 }
-      )
-    }
-
-    const userId = authResult.userId
-
-    logger.info(
-      `[${requestId}] Authenticated Supabase storage upload request via ${authResult.authType}`,
-      { userId }
-    )
-
-    const body = await request.json()
-    const validatedData = SupabaseStorageUploadSchema.parse(body)
-
-    // Build the full file path
-    let fullPath = validatedData.fileName
-    if (validatedData.path) {
-      const folderPath = validatedData.path.endsWith('/')
-        ? validatedData.path
-        : `${validatedData.path}/`
-      fullPath = `${folderPath}${validatedData.fileName}`
-    }
-
-    logger.info(`[${requestId}] Uploading to Supabase Storage`, {
-      projectId: validatedData.projectId,
-      bucket: validatedData.bucket,
-      path: fullPath,
-      upsert: validatedData.upsert,
-      hasFileUpload: !!validatedData.fileUpload,
-      hasFileContent: !!validatedData.fileContent,
-    })
-
-    // Determine content type
-    let contentType = validatedData.contentType
-    if (!contentType && validatedData.fileUpload?.type) {
-      contentType = validatedData.fileUpload.type
-    }
-    if (!contentType) {
-      contentType = inferContentType(validatedData.fileName)
-    }
-
-    // Get the file content - either from fileUpload (internal storage) or fileContent (base64)
-    let uploadBody: Buffer
-
-    if (validatedData.fileUpload) {
-      // Handle file upload from internal storage
-      const fileUrl = validatedData.fileUpload.url || validatedData.fileUpload.path
-
-      if (!fileUrl) {
-        return NextResponse.json(
-          {
-            success: false,
-            error: 'File upload is missing URL or path',
-          },
-          { status: 400 }
-        )
-      }
-
-      logger.info(`[${requestId}] Processing file upload from: ${fileUrl}`)
-
-      // Check if it's an internal file URL (workspace file)
-      if (isInternalFileUrl(fileUrl)) {
-        try {
-          const storageKey = extractStorageKey(fileUrl)
-          const context = inferContextFromKey(storageKey)
-
-          const hasAccess = await verifyFileAccess(storageKey, userId, undefined, context, false)
-
-          if (!hasAccess) {
-            logger.warn(`[${requestId}] Unauthorized file access attempt`, {
-              userId,
-              key: storageKey,
-              context,
-            })
-            return NextResponse.json(
-              {
-                success: false,
-                error: 'File not found or access denied',
-              },
-              { status: 404 }
-            )
-          }
-
-          // Download file from internal storage
-          const fileBuffer = await StorageService.downloadFile({ key: storageKey, context })
-          uploadBody = Buffer.from(fileBuffer)
-          logger.info(
-            `[${requestId}] Downloaded file from internal storage: ${fileBuffer.byteLength} bytes`
-          )
-        } catch (error) {
-          logger.error(`[${requestId}] Failed to download from internal storage:`, error)
-          return NextResponse.json(
-            {
-              success: false,
-              error: 'Failed to access uploaded file',
-            },
-            { status: 500 }
-          )
-        }
-      } else {
-        // External URL - fetch the file
-        let fetchUrl = fileUrl
-        if (fetchUrl.startsWith('/')) {
-          const baseUrl = getBaseUrl()
-          fetchUrl = `${baseUrl}${fetchUrl}`
-        }
-
-        try {
-          const response = await fetch(fetchUrl)
-          if (!response.ok) {
-            throw new Error(`Failed to fetch file: ${response.status} ${response.statusText}`)
-          }
-          const arrayBuffer = await response.arrayBuffer()
-          uploadBody = Buffer.from(arrayBuffer)
-          logger.info(`[${requestId}] Downloaded file from URL: ${uploadBody.length} bytes`)
-        } catch (error) {
-          logger.error(`[${requestId}] Failed to fetch file from URL:`, error)
-          return NextResponse.json(
-            {
-              success: false,
-              error: `Failed to fetch file from URL: ${error instanceof Error ? error.message : 'Unknown error'}`,
-            },
-            { status: 500 }
-          )
-        }
-      }
-    } else if (validatedData.fileContent) {
-      // Handle direct file content (base64 or plain text)
-      if (isBase64(validatedData.fileContent)) {
-        logger.info(`[${requestId}] Detected base64 content, decoding to binary`)
-        uploadBody = decodeBase64ToBuffer(validatedData.fileContent)
-      } else {
-        logger.info(`[${requestId}] Using plain text content`)
-        uploadBody = Buffer.from(validatedData.fileContent, 'utf-8')
-      }
-    } else {
-      return NextResponse.json(
-        {
-          success: false,
-          error: 'Either fileUpload or fileContent is required',
-        },
-        { status: 400 }
-      )
-    }
-
-    logger.info(`[${requestId}] Upload body size: ${uploadBody.length} bytes`)
-
-    // Build Supabase Storage URL
-    const supabaseUrl = `https://${validatedData.projectId}.supabase.co/storage/v1/object/${validatedData.bucket}/${fullPath}`
-
-    // Build headers
-    const headers: Record<string, string> = {
-      apikey: validatedData.apiKey,
-      Authorization: `Bearer ${validatedData.apiKey}`,
-      'Content-Type': contentType,
-    }
-
-    if (validatedData.upsert) {
-      headers['x-upsert'] = 'true'
-    }
-
-    // Make the request to Supabase Storage
-    // Convert Buffer to Uint8Array for fetch compatibility
-    const response = await fetch(supabaseUrl, {
-      method: 'POST',
-      headers,
-      body: new Uint8Array(uploadBody),
-    })
-
-    if (!response.ok) {
-      let errorData: any
-      try {
-        errorData = await response.json()
-      } catch {
-        errorData = await response.text()
-      }
-
-      logger.error(`[${requestId}] Supabase Storage upload failed`, {
-        status: response.status,
-        statusText: response.statusText,
-        error: errorData,
-      })
-
-      return NextResponse.json(
-        {
-          success: false,
-          error:
-            typeof errorData === 'object' && errorData.message
-              ? errorData.message
-              : `Upload failed: ${response.status} ${response.statusText}`,
-        },
-        { status: response.status }
-      )
-    }
-
-    const result = await response.json()
-
-    logger.info(`[${requestId}] File uploaded successfully to Supabase Storage`, {
-      bucket: validatedData.bucket,
-      path: fullPath,
-    })
-
-    // Build public URL for reference
-    const publicUrl = `https://${validatedData.projectId}.supabase.co/storage/v1/object/public/${validatedData.bucket}/${fullPath}`
-
-    return NextResponse.json({
-      success: true,
-      output: {
-        message: 'Successfully uploaded file to storage',
-        results: {
-          ...result,
-          publicUrl,
-          bucket: validatedData.bucket,
-          path: fullPath,
-        },
-      },
-    })
-  } catch (error) {
-    if (error instanceof z.ZodError) {
-      logger.warn(`[${requestId}] Invalid request data`, { errors: error.errors })
-      return NextResponse.json(
-        {
-          success: false,
-          error: 'Invalid request data',
-          details: error.errors,
-        },
-        { status: 400 }
-      )
-    }
-
-    logger.error(`[${requestId}] Error uploading to Supabase Storage:`, error)
-
-    return NextResponse.json(
-      {
-        success: false,
-        error: error instanceof Error ? error.message : 'Internal server error',
-      },
-      { status: 500 }
-    )
-  }
-}

apps/sim/lib/copilot/tools/server/workflow/edit-workflow.ts

@@ -2508,6 +2508,10 @@ async function validateWorkflowSelectorIds(
     for (const subBlockConfig of blockConfig.subBlocks) {
       if (!SELECTOR_TYPES.has(subBlockConfig.type)) continue
 
+      // Skip oauth-input - credentials are pre-validated before edit application
+      // This allows existing collaborator credentials to remain untouched
+      if (subBlockConfig.type === 'oauth-input') continue
+
       const subBlockValue = blockData.subBlocks?.[subBlockConfig.id]?.value
       if (!subBlockValue) continue
 
@@ -2573,6 +2577,157 @@ async function validateWorkflowSelectorIds(
   return errors
 }
 
+/**
+ * Pre-validates credential and apiKey inputs in operations before they are applied.
+ * - Validates oauth-input (credential) IDs belong to the user
+ * - Filters out apiKey inputs for hosted models when isHosted is true
+ * Returns validation errors for any removed inputs.
+ */
+async function preValidateCredentialInputs(
+  operations: EditWorkflowOperation[],
+  context: { userId: string }
+): Promise<{ filteredOperations: EditWorkflowOperation[]; errors: ValidationError[] }> {
+  const { isHosted } = await import('@/lib/core/config/feature-flags')
+  const { getHostedModels } = await import('@/providers/utils')
+
+  const logger = createLogger('PreValidateCredentials')
+  const errors: ValidationError[] = []
+
+  // Collect credential and apiKey inputs that need validation/filtering
+  const credentialInputs: Array<{
+    operationIndex: number
+    blockId: string
+    blockType: string
+    fieldName: string
+    value: string
+  }> = []
+
+  const hostedApiKeyInputs: Array<{
+    operationIndex: number
+    blockId: string
+    blockType: string
+    model: string
+  }> = []
+
+  const hostedModels = isHosted ? getHostedModels() : []
+  const hostedModelsLower = new Set(hostedModels.map((m) => m.toLowerCase()))
+
+  operations.forEach((op, opIndex) => {
+    if (!op.params?.inputs || !op.params?.type) return
+
+    const blockConfig = getBlock(op.params.type)
+    if (!blockConfig) return
+
+    // Find oauth-input subblocks
+    for (const subBlockConfig of blockConfig.subBlocks) {
+      if (subBlockConfig.type !== 'oauth-input') continue
+
+      const inputValue = op.params.inputs[subBlockConfig.id]
+      if (!inputValue || typeof inputValue !== 'string' || inputValue.trim() === '') continue
+
+      credentialInputs.push({
+        operationIndex: opIndex,
+        blockId: op.block_id,
+        blockType: op.params.type,
+        fieldName: subBlockConfig.id,
+        value: inputValue,
+      })
+    }
+
+    // Check for apiKey inputs on hosted models
+    if (isHosted && op.params.inputs.apiKey) {
+      const modelValue = op.params.inputs.model
+      if (modelValue && typeof modelValue === 'string') {
+        if (hostedModelsLower.has(modelValue.toLowerCase())) {
+          hostedApiKeyInputs.push({
+            operationIndex: opIndex,
+            blockId: op.block_id,
+            blockType: op.params.type,
+            model: modelValue,
+          })
+        }
+      }
+    }
+  })
+
+  const hasCredentialsToValidate = credentialInputs.length > 0
+  const hasHostedApiKeysToFilter = hostedApiKeyInputs.length > 0
+
+  if (!hasCredentialsToValidate && !hasHostedApiKeysToFilter) {
+    return { filteredOperations: operations, errors }
+  }
+
+  // Deep clone operations so we can modify them
+  const filteredOperations = JSON.parse(JSON.stringify(operations)) as EditWorkflowOperation[]
+
+  // Filter out apiKey inputs for hosted models
+  if (hasHostedApiKeysToFilter) {
+    logger.info('Filtering apiKey inputs for hosted models', { count: hostedApiKeyInputs.length })
+
+    for (const apiKeyInput of hostedApiKeyInputs) {
+      const op = filteredOperations[apiKeyInput.operationIndex]
+      if (op.params?.inputs?.apiKey) {
+        op.params.inputs.apiKey = undefined
+        logger.info('Removed apiKey for hosted model', {
+          blockId: apiKeyInput.blockId,
+          model: apiKeyInput.model,
+        })
+      }
+
+      errors.push({
+        blockId: apiKeyInput.blockId,
+        blockType: apiKeyInput.blockType,
+        field: 'apiKey',
+        value: '[redacted]',
+        error: `API key not allowed for hosted model "${apiKeyInput.model}" - platform provides the key`,
+      })
+    }
+  }
+
+  // Validate credential inputs
+  if (hasCredentialsToValidate) {
+    logger.info('Pre-validating credential inputs', {
+      credentialCount: credentialInputs.length,
+      userId: context.userId,
+    })
+
+    const allCredentialIds = credentialInputs.map((c) => c.value)
+    const validationResult = await validateSelectorIds('oauth-input', allCredentialIds, context)
+    const invalidSet = new Set(validationResult.invalid)
+
+    if (invalidSet.size > 0) {
+      for (const credInput of credentialInputs) {
+        if (!invalidSet.has(credInput.value)) continue
+
+        const op = filteredOperations[credInput.operationIndex]
+        if (op.params?.inputs?.[credInput.fieldName]) {
+          delete op.params.inputs[credInput.fieldName]
+          logger.info('Removed invalid credential from operation', {
+            blockId: credInput.blockId,
+            field: credInput.fieldName,
+            invalidValue: credInput.value,
+          })
+        }
+
+        const warningInfo = validationResult.warning ? `. ${validationResult.warning}` : ''
+        errors.push({
+          blockId: credInput.blockId,
+          blockType: credInput.blockType,
+          field: credInput.fieldName,
+          value: credInput.value,
+          error: `Invalid credential ID "${credInput.value}" - credential does not exist or user doesn't have access${warningInfo}`,
+        })
+      }
+
+      logger.warn('Filtered out invalid credentials', {
+        invalidCount: invalidSet.size,
+      })
+    }
+  }
+
+  return { filteredOperations, errors }
+}
+
 async function getCurrentWorkflowStateFromDb(
   workflowId: string
 ): Promise<{ workflowState: any; subBlockValues: Record<string, Record<string, any>> }> {
@@ -2657,12 +2812,28 @@ export const editWorkflowServerTool: BaseServerTool<EditWorkflowParams, any> = {
     // Get permission config for the user
     const permissionConfig = context?.userId ? await getUserPermissionConfig(context.userId) : null
 
+    // Pre-validate credential and apiKey inputs before applying operations
+    // This filters out invalid credentials and apiKeys for hosted models
+    let operationsToApply = operations
+    const credentialErrors: ValidationError[] = []
+    if (context?.userId) {
+      const { filteredOperations, errors: credErrors } = await preValidateCredentialInputs(
+        operations,
+        { userId: context.userId }
+      )
+      operationsToApply = filteredOperations
+      credentialErrors.push(...credErrors)
+    }
+
     // Apply operations directly to the workflow state
     const {
       state: modifiedWorkflowState,
       validationErrors,
       skippedItems,
-    } = applyOperationsToWorkflowState(workflowState, operations, permissionConfig)
+    } = applyOperationsToWorkflowState(workflowState, operationsToApply, permissionConfig)
+
+    // Add credential validation errors
+    validationErrors.push(...credentialErrors)
 
     // Get workspaceId for selector validation
     let workspaceId: string | undefined

apps/sim/lib/knowledge/embeddings.ts

@@ -8,17 +8,6 @@ const logger = createLogger('EmbeddingUtils')
 
 const MAX_TOKENS_PER_REQUEST = 8000
 const MAX_CONCURRENT_BATCHES = env.KB_CONFIG_CONCURRENCY_LIMIT || 50
-const EMBEDDING_DIMENSIONS = 1536
-
-/**
- * Check if the model supports custom dimensions.
- * text-embedding-3-* models support the dimensions parameter.
- * Checks for 'embedding-3' to handle Azure deployments with custom naming conventions.
- */
-function supportsCustomDimensions(modelName: string): boolean {
-  const name = modelName.toLowerCase()
-  return name.includes('embedding-3') && !name.includes('ada')
-}
 
 export class EmbeddingAPIError extends Error {
   public status: number
@@ -104,19 +93,15 @@ async function getEmbeddingConfig(
 async function callEmbeddingAPI(inputs: string[], config: EmbeddingConfig): Promise<number[][]> {
   return retryWithExponentialBackoff(
     async () => {
-      const useDimensions = supportsCustomDimensions(config.modelName)
-
       const requestBody = config.useAzure
         ? {
             input: inputs,
             encoding_format: 'float',
-            ...(useDimensions && { dimensions: EMBEDDING_DIMENSIONS }),
           }
         : {
             input: inputs,
             model: config.modelName,
             encoding_format: 'float',
-            ...(useDimensions && { dimensions: EMBEDDING_DIMENSIONS }),
           }
 
       const response = await fetch(config.apiUrl, {

apps/sim/lib/uploads/providers/blob/client.ts

@@ -18,52 +18,6 @@ const logger = createLogger('BlobClient')
 
 let _blobServiceClient: BlobServiceClientInstance | null = null
 
-interface ParsedCredentials {
-  accountName: string
-  accountKey: string
-}
-
-/**
- * Extract account name and key from an Azure connection string.
- * Connection strings have the format: DefaultEndpointsProtocol=https;AccountName=...;AccountKey=...;EndpointSuffix=...
- */
-function parseConnectionString(connectionString: string): ParsedCredentials {
-  const accountNameMatch = connectionString.match(/AccountName=([^;]+)/)
-  if (!accountNameMatch) {
-    throw new Error('Cannot extract account name from connection string')
-  }
-
-  const accountKeyMatch = connectionString.match(/AccountKey=([^;]+)/)
-  if (!accountKeyMatch) {
-    throw new Error('Cannot extract account key from connection string')
-  }
-
-  return {
-    accountName: accountNameMatch[1],
-    accountKey: accountKeyMatch[1],
-  }
-}
-
-/**
- * Get account credentials from BLOB_CONFIG, extracting from connection string if necessary.
- */
-function getAccountCredentials(): ParsedCredentials {
-  if (BLOB_CONFIG.connectionString) {
-    return parseConnectionString(BLOB_CONFIG.connectionString)
-  }
-
-  if (BLOB_CONFIG.accountName && BLOB_CONFIG.accountKey) {
-    return {
-      accountName: BLOB_CONFIG.accountName,
-      accountKey: BLOB_CONFIG.accountKey,
-    }
-  }
-
-  throw new Error(
-    'Azure Blob Storage credentials are missing – set AZURE_CONNECTION_STRING or both AZURE_ACCOUNT_NAME and AZURE_ACCOUNT_KEY'
-  )
-}
-
 export async function getBlobServiceClient(): Promise<BlobServiceClientInstance> {
   if (_blobServiceClient) return _blobServiceClient
 
@@ -173,8 +127,6 @@ export async function getPresignedUrl(key: string, expiresIn = 3600) {
   const containerClient = blobServiceClient.getContainerClient(BLOB_CONFIG.containerName)
   const blockBlobClient = containerClient.getBlockBlobClient(key)
 
-  const { accountName, accountKey } = getAccountCredentials()
-
   const sasOptions = {
     containerName: BLOB_CONFIG.containerName,
     blobName: key,
@@ -185,7 +137,13 @@ export async function getPresignedUrl(key: string, expiresIn = 3600) {
 
   const sasToken = generateBlobSASQueryParameters(
     sasOptions,
-    new StorageSharedKeyCredential(accountName, accountKey)
+    new StorageSharedKeyCredential(
+      BLOB_CONFIG.accountName,
+      BLOB_CONFIG.accountKey ??
+        (() => {
+          throw new Error('AZURE_ACCOUNT_KEY is required when using account name authentication')
+        })()
+    )
   ).toString()
 
   return `${blockBlobClient.url}?${sasToken}`
@@ -210,14 +168,9 @@ export async function getPresignedUrlWithConfig(
     StorageSharedKeyCredential,
   } = await import('@azure/storage-blob')
   let tempBlobServiceClient: BlobServiceClientInstance
-  let accountName: string
-  let accountKey: string
 
   if (customConfig.connectionString) {
     tempBlobServiceClient = BlobServiceClient.fromConnectionString(customConfig.connectionString)
-    const credentials = parseConnectionString(customConfig.connectionString)
-    accountName = credentials.accountName
-    accountKey = credentials.accountKey
   } else if (customConfig.accountName && customConfig.accountKey) {
     const sharedKeyCredential = new StorageSharedKeyCredential(
       customConfig.accountName,
@@ -227,8 +180,6 @@ export async function getPresignedUrlWithConfig(
       `https://${customConfig.accountName}.blob.core.windows.net`,
       sharedKeyCredential
     )
-    accountName = customConfig.accountName
-    accountKey = customConfig.accountKey
   } else {
     throw new Error(
       'Custom blob config must include either connectionString or accountName + accountKey'
@@ -248,7 +199,13 @@ export async function getPresignedUrlWithConfig(
 
   const sasToken = generateBlobSASQueryParameters(
     sasOptions,
-    new StorageSharedKeyCredential(accountName, accountKey)
+    new StorageSharedKeyCredential(
+      customConfig.accountName,
+      customConfig.accountKey ??
+        (() => {
+          throw new Error('Account key is required when using account name authentication')
+        })()
+    )
   ).toString()
 
   return `${blockBlobClient.url}?${sasToken}`
@@ -446,9 +403,13 @@ export async function getMultipartPartUrls(
   if (customConfig) {
     if (customConfig.connectionString) {
       blobServiceClient = BlobServiceClient.fromConnectionString(customConfig.connectionString)
-      const credentials = parseConnectionString(customConfig.connectionString)
-      accountName = credentials.accountName
-      accountKey = credentials.accountKey
+      const match = customConfig.connectionString.match(/AccountName=([^;]+)/)
+      if (!match) throw new Error('Cannot extract account name from connection string')
+      accountName = match[1]
+
+      const keyMatch = customConfig.connectionString.match(/AccountKey=([^;]+)/)
+      if (!keyMatch) throw new Error('Cannot extract account key from connection string')
+      accountKey = keyMatch[1]
     } else if (customConfig.accountName && customConfig.accountKey) {
       const credential = new StorageSharedKeyCredential(
         customConfig.accountName,
@@ -467,9 +428,12 @@ export async function getMultipartPartUrls(
   } else {
     blobServiceClient = await getBlobServiceClient()
     containerName = BLOB_CONFIG.containerName
-    const credentials = getAccountCredentials()
-    accountName = credentials.accountName
-    accountKey = credentials.accountKey
+    accountName = BLOB_CONFIG.accountName
+    accountKey =
+      BLOB_CONFIG.accountKey ||
+      (() => {
+        throw new Error('AZURE_ACCOUNT_KEY is required')
+      })()
   }
 
   const containerClient = blobServiceClient.getContainerClient(containerName)
@@ -537,10 +501,12 @@ export async function completeMultipartUpload(
   const containerClient = blobServiceClient.getContainerClient(containerName)
   const blockBlobClient = containerClient.getBlockBlobClient(key)
 
+  // Sort parts by part number and extract block IDs
   const sortedBlockIds = parts
     .sort((a, b) => a.partNumber - b.partNumber)
     .map((part) => part.blockId)
 
+  // Commit the block list to create the final blob
   await blockBlobClient.commitBlockList(sortedBlockIds, {
     metadata: {
       multipartUpload: 'completed',
@@ -591,8 +557,10 @@ export async function abortMultipartUpload(key: string, customConfig?: BlobConfi
   const blockBlobClient = containerClient.getBlockBlobClient(key)
 
   try {
+    // Delete the blob if it exists (this also cleans up any uncommitted blocks)
     await blockBlobClient.deleteIfExists()
   } catch (error) {
+    // Ignore errors since we're just cleaning up
     logger.warn('Error cleaning up multipart upload:', error)
   }
 }

docker-compose.local.yml

@@ -52,7 +52,7 @@ services:
     deploy:
       resources:
         limits:
-          memory: 1G
+          memory: 8G
     healthcheck:
       test: ['CMD', 'wget', '--spider', '--quiet', 'http://127.0.0.1:3002/health']
       interval: 90s

docker-compose.ollama.yml

@@ -56,7 +56,7 @@ services:
     deploy:
       resources:
         limits:
-          memory: 1G
+          memory: 8G
     healthcheck:
       test: ['CMD', 'wget', '--spider', '--quiet', 'http://127.0.0.1:3002/health']
       interval: 90s

docker-compose.prod.yml

@@ -42,7 +42,7 @@ services:
     deploy:
       resources:
         limits:
-          memory: 1G
+          memory: 4G
     environment:
       - DATABASE_URL=postgresql://${POSTGRES_USER:-postgres}:${POSTGRES_PASSWORD:-postgres}@db:5432/${POSTGRES_DB:-simstudio}
       - NEXT_PUBLIC_APP_URL=${NEXT_PUBLIC_APP_URL:-http://localhost:3000}

docs/enterprise-faq-response.md

@@ -1,362 +0,0 @@
-# Enterprise Self-Hosting FAQ Response
-
-This document addresses common questions from enterprise customers regarding self-hosted Sim deployments.
-
----
-
-## 1. Resource Requirements and Scalability
-
-### What drives resource consumption?
-
-Sim's resource requirements are driven by several memory-intensive components:
-
-| Component | Memory Driver | Description |
-|-----------|--------------|-------------|
-| **Isolated-VM** | High | JavaScript sandboxing for secure workflow code execution. Each concurrent workflow maintains an execution context in memory. |
-| **File Processing** | Medium-High | Documents (PDF, DOCX, XLSX, etc.) are parsed in-memory before chunking for knowledge base operations. |
-| **pgvector Operations** | Medium | Vector database operations for embeddings (1536 dimensions per vector for knowledge base). |
-| **FFmpeg** | Variable | Media transcoding for audio/video processing happens synchronously in memory. |
-| **Sharp** | Low-Medium | Image processing and manipulation. |
-
-### Actual Production Metrics
-
-Based on production telemetry from our cloud deployment:
-
-**Main Application (simstudio)**
-| Metric | Average | Peak | Notes |
-|--------|---------|------|-------|
-| CPU | ~10% | ~30% | Spikes during workflow execution |
-| Memory | ~35% | ~75% | Increases with concurrent workflows |
-
-**WebSocket Server (realtime)**
-| Metric | Average | Peak | Notes |
-|--------|---------|------|-------|
-| CPU | ~1-2% | ~30% | Very lightweight |
-| Memory | ~7% | ~13% | Scales with connected clients |
-
-### Recommended Resource Tiers
-
-Based on actual production data (60k+ users), we recommend the following tiers:
-
-#### Small (Development/Testing)
-- **CPU**: 2 cores
-- **RAM**: 12 GB
-- **Storage**: 20 GB SSD
-- **Use case**: 1-5 users, development, testing, light workloads
-
-#### Standard (Teams)
-- **CPU**: 4 cores
-- **RAM**: 16 GB
-- **Storage**: 50 GB SSD
-- **Use case**: 5-50 users, moderate workflow execution
-
-#### Production (Enterprise)
-- **CPU**: 8+ cores
-- **RAM**: 32+ GB
-- **Storage**: 100+ GB SSD
-- **Use case**: 50+ users, high availability, heavy workflow execution
-- **Note**: Consider running multiple replicas for high availability
-
-### Memory Breakdown (Standard Deployment)
-
-| Component | Recommended | Notes |
-|-----------|-------------|-------|
-| Main App | 6-8 GB | Handles workflow execution, API, UI (peaks to 12 GB under heavy load) |
-| WebSocket | 1 GB | Real-time updates (typically uses 300-500 MB) |
-| PostgreSQL + pgvector | 2-4 GB | Database with vector extensions |
-| OS/Buffer | 2-4 GB | System overhead, file cache |
-| **Total** | **~12-16 GB** | |
-
-### Scalability Considerations
-
-- **Horizontal scaling**: The main app and WebSocket server are stateless and can be scaled horizontally with a load balancer.
-- **Database**: PostgreSQL can be scaled vertically or replaced with managed services (Supabase, Neon, RDS).
-- **Workflow concurrency**: Each concurrent workflow execution consumes additional memory. Plan for peak usage.
-
----
-
-## 2. Managing Releases in Enterprise Environments
-
-### Multi-Environment Strategy
-
-For enterprise deployments requiring dev/staging/production environments, we recommend deploying **separate Sim instances** for each environment:
-
-```
-┌─────────────┐    ┌─────────────┐    ┌─────────────┐
-│     Dev     │ -> │   Staging   │ -> │ Production  │
-│  Instance   │    │  Instance   │    │  Instance   │
-└─────────────┘    └─────────────┘    └─────────────┘
-       │                  │                  │
-       v                  v                  v
-   Develop            Test/QA            Deploy
-```
-
-**Advantages**:
-- Complete isolation between environments
-- Independent scaling per environment
-- No risk of accidental production changes
-- Environment-specific configurations and credentials
-
-### Promoting Changes Between Environments
-
-Sim provides multiple ways to move workflows, folders, and workspaces between environments:
-
-#### UI-Based Export/Import
-1. **Export** workflows, folders, or entire workspaces from the source environment via the UI
-2. **Import** into the target environment
-3. Configure environment-specific variables and credentials
-
-#### Admin APIs (Automation)
-For CI/CD integration, use the admin APIs to programmatically:
-- Export workflows, folders, and workspaces as JSON
-- Import configurations into target environments
-- Automate promotion pipelines between dev → staging → production
-
-### Version Control Within an Instance
-
-Within a single Sim instance, the **Deploy Modal** provides version control:
-
-1. **Draft Mode**: Edit and test workflows without affecting the live version
-2. **Explicit Deploy**: The live version is **not updated** until you explicitly click Deploy
-3. **Snapshots**: Each deployment creates a snapshot of the workflow state
-4. **Rollback**: Revert to any previous version at any time with one click
-
-This allows teams to:
-- Safely iterate on workflows without disrupting production
-- Test changes before making them live
-- Quickly recover from issues by rolling back
-
----
-
-## 3. Stable Releases and Backward Compatibility
-
-### Versioning Strategy
-
-Sim uses the following versioning scheme:
-- **Major versions** (0.x): e.g., 0.5, 0.6 - New major features
-- **Minor versions** (0.x.y): e.g., 0.5.1, 0.5.2 - Incremental updates, bug fixes
-
-### Backward Compatibility Guarantees
-
-**Forward upgrades are safe:**
-- Changes are **additive** - new features don't break existing workflows
-- We ensure no breaking changes between versions
-- Breaking changes are announced in advance when necessary
-- Database migrations are automatic and handle schema changes
-
-**Rollbacks are not guaranteed:**
-- Rolling back to an older version may break things due to database schema changes
-- Always backup your database before upgrading
-- If you need to rollback, restore from a database backup taken before the upgrade
-
-### Upgrade Best Practices
-
-1. **Backup first**: Always backup your database before upgrading
-2. **Review release notes**: Check for any announced changes
-3. **Test in staging**: Upgrade your staging environment first
-4. **Monitor after upgrade**: Verify workflows continue to function correctly
-
-### Enterprise Support
-
-For enterprise customers requiring additional stability guarantees:
-- Contact us for support arrangements
-- We can provide guidance on upgrade planning
-- Security patches are prioritized for supported versions
-
----
-
-## 4. OAuth and OIDC Providers
-
-### Built-in OAuth Providers (Environment Variables)
-
-Only the following providers can be configured via environment variables:
-
-| Provider | Environment Variables |
-|----------|----------------------|
-| **GitHub** | `GITHUB_CLIENT_ID`, `GITHUB_CLIENT_SECRET` |
-| **Google** | `GOOGLE_CLIENT_ID`, `GOOGLE_CLIENT_SECRET` |
-
-There are no plans to add additional OAuth providers via environment variables.
-
-### All Other Identity Providers (SSO)
-
-For any other identity providers, configure SSO through the app settings:
-
-1. Enable SSO in environment variables:
-   ```
-   SSO_ENABLED=true
-   NEXT_PUBLIC_SSO_ENABLED=true
-   ```
-
-2. Configure your identity provider in the app's SSO settings UI
-
-Supported protocols:
-- SAML 2.0
-- OpenID Connect (OIDC)
-
-Compatible with any OIDC/SAML provider including:
-- Okta
-- Azure AD / Entra ID
-- Auth0
-- Ping Identity
-- OneLogin
-- Custom OIDC providers
-
----
-
-## 5. Known Issues and Workarounds
-
-### SSO Save Button Disabled
-
-**Issue**: The 'Save' button remains disabled when configuring SSO.
-
-**Cause**: The form has strict validation on all required fields. The button remains disabled until ALL validations pass.
-
-**Required fields for OIDC**:
-- Provider ID (letters, numbers, dashes only)
-- Issuer URL (must be HTTPS, except for localhost)
-- Domain (no `https://` prefix, must be valid domain format)
-- Client ID
-- Client Secret
-- Scopes (defaults to `openid,profile,email`)
-
-**Required fields for SAML**:
-- Provider ID
-- Issuer URL
-- Domain
-- Entry Point URL
-- Certificate
-
-**Common validation issues**:
-1. **Domain field**: Do NOT include `https://` - enter only the domain (e.g., `login.okta.com` not `https://login.okta.com`)
-2. **Issuer URL**: Must use HTTPS protocol (except localhost for testing)
-3. **Provider ID**: Only lowercase letters, numbers, and dashes allowed (e.g., `okta-prod`)
-
-**Debugging**:
-- Open browser DevTools console to check for JavaScript errors
-- Ensure `SSO_ENABLED=true` and `NEXT_PUBLIC_SSO_ENABLED=true` environment variables are set
-- Try using one of the suggested provider IDs from the dropdown (e.g., `okta`, `azure-ad`)
-
-### Access Control Group Creation
-
-**Issue**: Button appears enabled but nothing happens when clicked.
-
-**Cause**: For self-hosted deployments, an organization must be created via the admin API before access control groups can be used.
-
-**Required Setup**:
-
-1. **Enable required environment variables**:
-   ```env
-   ADMIN_API_KEY=your-admin-api-key
-   ACCESS_CONTROL_ENABLED=true
-   ORGANIZATIONS_ENABLED=true
-   NEXT_PUBLIC_ACCESS_CONTROL_ENABLED=true
-   NEXT_PUBLIC_ORGANIZATIONS_ENABLED=true
-   ```
-
-2. **Create an organization via admin API**:
-   ```bash
-   # List users to get admin user ID
-   curl -H "x-admin-key: $ADMIN_API_KEY" \
-     "https://your-sim-instance.com/api/v1/admin/users?limit=10"
-
-   # Create organization
-   curl -X POST https://your-sim-instance.com/api/v1/admin/organizations \
-     -H "x-admin-key: $ADMIN_API_KEY" \
-     -H "Content-Type: application/json" \
-     -d '{"name": "Your Organization", "slug": "your-org", "ownerId": "<user-id-from-step-1>"}'
-
-   # Add members to organization
-   curl -X POST https://your-sim-instance.com/api/v1/admin/organizations/<org-id>/members \
-     -H "x-admin-key: $ADMIN_API_KEY" \
-     -H "Content-Type: application/json" \
-     -d '{"userId": "<user-id>", "role": "member"}'
-   ```
-
-3. **Create permission groups**: After the organization is set up, go to Settings > Permission Groups in the UI.
-
----
-
-## 6. File Storage Configuration
-
-### Supported Storage Backends
-
-Sim supports multiple storage backends for file storage:
-
-#### Local Storage (Default)
-Files are stored on the local filesystem. Suitable for development and single-node deployments.
-
-#### AWS S3
-```env
-AWS_REGION=us-east-1
-AWS_ACCESS_KEY_ID=your-access-key
-AWS_SECRET_ACCESS_KEY=your-secret-key
-S3_BUCKET_NAME=sim-files
-S3_KB_BUCKET_NAME=sim-knowledge-base
-S3_EXECUTION_FILES_BUCKET_NAME=sim-execution-files
-S3_CHAT_BUCKET_NAME=sim-chat-files
-```
-
-#### Azure Blob Storage
-
-You can configure Azure Blob Storage using either a connection string or account name/key:
-
-**Option 1: Connection String**
-```env
-AZURE_CONNECTION_STRING=DefaultEndpointsProtocol=https;AccountName=...;AccountKey=...;EndpointSuffix=core.windows.net
-AZURE_STORAGE_CONTAINER_NAME=sim-files
-AZURE_STORAGE_KB_CONTAINER_NAME=sim-knowledge-base
-AZURE_STORAGE_EXECUTION_FILES_CONTAINER_NAME=sim-execution-files
-AZURE_STORAGE_CHAT_CONTAINER_NAME=sim-chat-files
-```
-
-**Option 2: Account Name and Key**
-```env
-AZURE_ACCOUNT_NAME=your-storage-account
-AZURE_ACCOUNT_KEY=your-storage-key
-AZURE_STORAGE_CONTAINER_NAME=sim-files
-AZURE_STORAGE_KB_CONTAINER_NAME=sim-knowledge-base
-AZURE_STORAGE_EXECUTION_FILES_CONTAINER_NAME=sim-execution-files
-AZURE_STORAGE_CHAT_CONTAINER_NAME=sim-chat-files
-```
-
-Both options are fully supported. The connection string is automatically parsed to extract credentials when needed for operations like presigned URL generation.
-
----
-
-## 7. Knowledge Base Configuration
-
-### Required Environment Variables
-
-```env
-# OpenAI API key for embeddings
-OPENAI_API_KEY=your-openai-api-key
-
-# Embedding model configuration (optional)
-KB_OPENAI_MODEL_NAME=text-embedding-3-small
-```
-
-### Embedding Model Compatibility
-
-**Supported models**:
-- `text-embedding-3-small` (default, 1536 dimensions)
-- `text-embedding-3-large` (1536 dimensions, automatically reduced from 3072)
-- `text-embedding-ada-002` (1536 dimensions)
-
-All text-embedding-3-* models automatically use 1536 dimensions to match the database schema. This allows you to use `text-embedding-3-large` for higher quality embeddings without schema modifications.
-
-### Database Requirements
-
-The knowledge base requires PostgreSQL with the pgvector extension:
-- PostgreSQL 12+ with pgvector
-- The `vector` extension must be enabled
-- Tables are created automatically during migration
-
----
-
-## Questions?
-
-For additional support:
-- Documentation: https://docs.sim.ai
-- GitHub Issues: https://github.com/simstudioai/sim/issues
-- Enterprise Support: Contact your account representative

helm/sim/examples/values-production.yaml

@@ -10,13 +10,13 @@ global:
 app:
   enabled: true
   replicaCount: 2
-
+  
   resources:
     limits:
-      memory: "8Gi"
+      memory: "6Gi"
       cpu: "2000m"
     requests:
-      memory: "6Gi"
+      memory: "4Gi"
       cpu: "1000m"
   
   # Production URLs (REQUIRED - update with your actual domain names)
@@ -49,14 +49,14 @@ app:
 realtime:
   enabled: true
   replicaCount: 2
-
+  
   resources:
     limits:
-      memory: "1Gi"
-      cpu: "500m"
+      memory: "4Gi"
+      cpu: "1000m"
     requests:
-      memory: "512Mi"
-      cpu: "250m"
+      memory: "2Gi"
+      cpu: "500m"
   
   env:
     NEXT_PUBLIC_APP_URL: "https://sim.acme.ai"

helm/sim/values.yaml

@@ -29,10 +29,10 @@ app:
   # Resource limits and requests
   resources:
     limits:
-      memory: "8Gi"
+      memory: "4Gi"
       cpu: "2000m"
     requests:
-      memory: "4Gi"
+      memory: "2Gi"
       cpu: "1000m"
 
   # Node selector for pod scheduling (leave empty to allow scheduling on any node)
@@ -232,24 +232,24 @@ app:
 realtime:
   # Enable/disable the realtime service
   enabled: true
-
+  
   # Image configuration
   image:
     repository: simstudioai/realtime
     tag: latest
     pullPolicy: Always
-
+  
   # Number of replicas
   replicaCount: 1
-
+  
   # Resource limits and requests
   resources:
     limits:
+      memory: "2Gi"
+      cpu: "1000m"
+    requests:
       memory: "1Gi"
       cpu: "500m"
-    requests:
-      memory: "512Mi"
-      cpu: "250m"
   
   # Node selector for pod scheduling (leave empty to allow scheduling on any node)
   nodeSelector: {}