improvement(migration): move credential selector automigration logic to server side (#3310)

* improvement(credentials): move client side automigration to server side

* fix migration func

* fix tests

* address bugbot

.claude/commands/add-block.md

@@ -454,6 +454,8 @@ Enables AI-assisted field generation.
 
 ## Tools Configuration
 
+**Important:** `tools.config.tool` runs during serialization before variable resolution. Put `Number()` and other type coercions in `tools.config.params` instead, which runs at execution time after variables are resolved.
+
 **Preferred:** Use tool names directly as dropdown option IDs to avoid switch cases:
 ```typescript
 // Dropdown options use tool IDs directly

.github/workflows/images.yml

@@ -146,7 +146,7 @@ jobs:
 
   create-ghcr-manifests:
     name: Create GHCR Manifests
-    runs-on: blacksmith-8vcpu-ubuntu-2404
+    runs-on: blacksmith-2vcpu-ubuntu-2404
     needs: [build-amd64, build-ghcr-arm64]
     if: github.ref == 'refs/heads/main'
     strategy:

.github/workflows/test-build.yml

@@ -110,7 +110,7 @@ jobs:
           RESEND_API_KEY: 'dummy_key_for_ci_only'
           AWS_REGION: 'us-west-2'
           ENCRYPTION_KEY: '7cf672e460e430c1fba707575c2b0e2ad5a99dddf9b7b7e3b5646e630861db1c' # dummy key for CI only
-        run: bun run build
+        run: bunx turbo run build --filter=sim
 
       - name: Upload coverage to Codecov
         uses: codecov/codecov-action@v5

CLAUDE.md

@@ -238,7 +238,7 @@ export const ServiceBlock: BlockConfig = {
   bgColor: '#hexcolor',
   icon: ServiceIcon,
   subBlocks: [ /* see SubBlock Properties */ ],
-  tools: { access: ['service_action'], config: { tool: (p) => `service_${p.operation}` } },
+  tools: { access: ['service_action'], config: { tool: (p) => `service_${p.operation}`, params: (p) => ({ /* type coercions here */ }) } },
   inputs: { /* ... */ },
   outputs: { /* ... */ },
 }
@@ -246,6 +246,8 @@ export const ServiceBlock: BlockConfig = {
 
 Register in `blocks/registry.ts` (alphabetically).
 
+**Important:** `tools.config.tool` runs during serialization (before variable resolution). Never do `Number()` or other type coercions there — dynamic references like `<Block.output>` will be destroyed. Use `tools.config.params` for type coercions (it runs during execution, after variables are resolved).
+
 **SubBlock Properties:**
 ```typescript
 {

apps/docs/components/icons.tsx

@@ -1157,6 +1157,17 @@ export function AirweaveIcon(props: SVGProps<SVGSVGElement>) {
   )
 }
 
+export function AlgoliaIcon(props: SVGProps<SVGSVGElement>) {
+  return (
+    <svg {...props} xmlns='http://www.w3.org/2000/svg' viewBox='0 0 50 50'>
+      <path
+        fill='#FFFFFF'
+        d='M25,0C11.3,0,0.2,11,0,24.6C-0.2,38.4,11,49.9,24.8,50c4.3,0,8.4-1,12-3c0.4-0.2,0.4-0.7,0.1-1l-2.3-2.1 c-0.5-0.4-1.2-0.5-1.7-0.3c-2.5,1.1-5.3,1.6-8.2,1.6c-11.2-0.1-20.2-9.4-20-20.6C4.9,13.6,13.9,4.7,25,4.7h20.3v36L33.7,30.5 c-0.4-0.3-0.9-0.3-1.2,0.1c-1.8,2.4-4.9,4-8.2,3.7c-4.6-0.3-8.4-4-8.7-8.7c-0.4-5.5,4-10.2,9.4-10.2c4.9,0,9,3.8,9.4,8.6 c0,0.4,0.2,0.8,0.6,1.1l3,2.7c0.3,0.3,0.9,0.1,1-0.3c0.2-1.2,0.3-2.4,0.2-3.6c-0.5-7-6.2-12.7-13.2-13.1c-8.1-0.5-14.8,5.8-15,13.7 c-0.2,7.7,6.1,14.4,13.8,14.5c3.2,0.1,6.2-0.9,8.6-2.7l15,13.3c0.6,0.6,1.7,0.1,1.7-0.7v-48C50,0.4,49.5,0,49,0L25,0 C25,0,25,0,25,0z'
+      />
+    </svg>
+  )
+}
+
 export function GoogleBooksIcon(props: SVGProps<SVGSVGElement>) {
   return (
     <svg {...props} xmlns='http://www.w3.org/2000/svg' viewBox='0 0 478.633 540.068'>
@@ -5737,3 +5748,86 @@ export function CloudflareIcon(props: SVGProps<SVGSVGElement>) {
     </svg>
   )
 }
+
+export function UpstashIcon(props: SVGProps<SVGSVGElement>) {
+  return (
+    <svg {...props} xmlns='http://www.w3.org/2000/svg' viewBox='0 0 256 341' width='24' height='24'>
+      <path
+        fill='#00C98D'
+        d='M0 298.417c56.554 56.553 148.247 56.553 204.801 0c56.554-56.554 56.554-148.247 0-204.801l-25.6 25.6c42.415 42.416 42.415 111.185 0 153.6c-42.416 42.416-111.185 42.416-153.601 0z'
+      />
+      <path
+        fill='#00C98D'
+        d='M51.2 247.216c28.277 28.277 74.123 28.277 102.4 0c28.277-28.276 28.277-74.123 0-102.4l-25.6 25.6c14.14 14.138 14.14 37.061 0 51.2c-14.138 14.139-37.061 14.139-51.2 0zM256 42.415c-56.554-56.553-148.247-56.553-204.8 0c-56.555 56.555-56.555 148.247 0 204.801l25.599-25.6c-42.415-42.415-42.415-111.185 0-153.6c42.416-42.416 111.185-42.416 153.6 0z'
+      />
+      <path
+        fill='#00C98D'
+        d='M204.8 93.616c-28.276-28.277-74.124-28.277-102.4 0c-28.278 28.277-28.278 74.123 0 102.4l25.6-25.6c-14.14-14.138-14.14-37.061 0-51.2c14.138-14.139 37.06-14.139 51.2 0z'
+      />
+      <path
+        fill='#FFF'
+        fillOpacity='.4'
+        d='M256 42.415c-56.554-56.553-148.247-56.553-204.8 0c-56.555 56.555-56.555 148.247 0 204.801l25.599-25.6c-42.415-42.415-42.415-111.185 0-153.6c42.416-42.416 111.185-42.416 153.6 0z'
+      />
+      <path
+        fill='#FFF'
+        fillOpacity='.4'
+        d='M204.8 93.616c-28.276-28.277-74.124-28.277-102.4 0c-28.278 28.277-28.278 74.123 0 102.4l25.6-25.6c-14.14-14.138-14.14-37.061 0-51.2c14.138-14.139 37.06-14.139 51.2 0z'
+      />
+    </svg>
+  )
+}
+
+export function RevenueCatIcon(props: SVGProps<SVGSVGElement>) {
+  return (
+    <svg
+      {...props}
+      width='512'
+      height='512'
+      viewBox='0 0 512 512'
+      fill='none'
+      xmlns='http://www.w3.org/2000/svg'
+    >
+      <path
+        d='M95 109.774C110.152 106.108 133.612 104 154.795 104C212.046 104 246.32 123.928 246.32 174.646C246.32 205.746 233.737 226.264 214.005 237.437L261.765 318.946C258.05 321.632 250.035 323.176 238.864 323.176C226.282 323.176 217.987 321.672 211.982 318.946L172.225 248.3H167.645C157.789 248.305 147.945 247.601 138.18 246.192V319.255C134.172 321.672 127.022 323.176 116.73 323.176C106.73 323.176 99.2874 321.659 95 319.255V109.774ZM137.643 207.848C145.772 209.263 153.997 209.968 162.235 209.956C187.12 209.956 202.285 200.556 202.285 177.057C202.285 152.886 186.268 142.949 157.668 142.949C150.956 142.918 144.255 143.515 137.643 144.735V207.848Z'
+        fill='#FFFFFF'
+      />
+      <path
+        d='M428.529 329.244C428.529 365.526 410.145 375.494 396.306 382.195C360.972 399.32 304.368 379.4 244.206 373.338C189.732 366.214 135.706 361.522 127.309 373.738C124.152 376.832 123.481 386.798 127.309 390.862C138.604 402.85 168.061 394.493 188.919 390.714C195.391 389.694 201.933 392.099 206.079 397.021C210.226 401.944 211.349 408.637 209.024 414.58C206.699 420.522 201.28 424.811 194.809 425.831C185.379 427.264 175.85 427.989 166.306 428C145.988 428 120.442 424.495 105.943 409.072C98.7232 401.4 91.3266 387.78 97.0271 366.465C107.875 326.074 172.807 336.052 248.033 343.633C300.41 348.907 357.23 366.465 379.934 350.343C385.721 346.234 396.517 337.022 390.698 329.244C384.879 321.467 375.353 325.684 362.838 325.684C300.152 325.684 263.238 285.302 263.238 217.916C263.247 167.292 284.176 131.892 318.287 115.09C333.109 107.789 350.421 104 369.587 104C386.292 104 403.269 106.931 414.11 113.366C420.847 123.032 423.778 140.305 422.306 153.201C408.247 146.466 395.36 142.949 378.669 142.949C337.365 142.949 308.947 164.039 308.947 214.985C308.947 265.932 337.065 286.149 376.611 286.149C387.869 286.035 403.1 284.67 422.306 282.053C426.455 297.498 428.529 313.228 428.529 329.244Z'
+        fill='#FFFFFF'
+      />
+    </svg>
+  )
+}
+
+export function RedisIcon(props: SVGProps<SVGSVGElement>) {
+  return (
+    <svg
+      {...props}
+      viewBox='0 0 512 512'
+      xmlns='http://www.w3.org/2000/svg'
+      fillRule='evenodd'
+      clipRule='evenodd'
+      strokeLinejoin='round'
+      strokeMiterlimit='2'
+    >
+      <path
+        d='M479.14 279.864c-34.584 43.578-71.94 93.385-146.645 93.385-66.73 0-91.59-58.858-93.337-106.672 14.62 30.915 43.203 55.949 87.804 54.792C412.737 318.6 471.53 241.127 471.53 170.57c0-84.388-62.947-145.262-172.24-145.262-78.165 0-175.004 29.743-238.646 76.782-.689 48.42 26.286 111.369 35.972 104.452 55.17-39.67 98.918-65.203 141.35-78.01C175.153 198.58 24.451 361.219 6 389.85c2.076 26.286 34.588 96.842 50.496 96.842 4.841 0 8.993-2.768 13.835-7.61 45.433-51.046 82.472-96.816 115.412-140.933 4.627 64.658 36.42 143.702 125.307 143.702 79.55 0 158.408-57.414 194.377-186.767 4.149-15.911-15.22-28.362-26.286-15.22zm-90.616-104.449c0 40.81-40.118 60.87-76.782 60.87-19.596 0-34.648-5.145-46.554-11.832 21.906-33.168 43.59-67.182 66.887-103.593 41.08 6.953 56.449 29.788 56.449 54.555z'
+        fill='#FFFFFF'
+        fillRule='nonzero'
+      />
+    </svg>
+  )
+}
+
+export function HexIcon(props: SVGProps<SVGSVGElement>) {
+  return (
+    <svg {...props} xmlns='http://www.w3.org/2000/svg' viewBox='0 0 1450.3 600'>
+      <path
+        fill='#5F509D'
+        fillRule='evenodd'
+        d='m250.11,0v199.49h-50V0H0v600h200.11v-300.69h50v300.69h200.18V0h-200.18Zm249.9,0v600h450.29v-250.23h-200.2v149h-50v-199.46h250.2V0h-450.29Zm200.09,199.49v-99.49h50v99.49h-50Zm550.02,0V0h200.18v150l-100,100.09,100,100.09v249.82h-200.18v-300.69h-50v300.69h-200.11v-249.82l100.11-100.09-100.11-100.09V0h200.11v199.49h50Z'
+      />
+    </svg>
+  )
+}

apps/docs/components/ui/icon-mapping.ts

@@ -8,6 +8,7 @@ import {
   AhrefsIcon,
   AirtableIcon,
   AirweaveIcon,
+  AlgoliaIcon,
   ApifyIcon,
   ApolloIcon,
   ArxivIcon,
@@ -53,6 +54,7 @@ import {
   GrafanaIcon,
   GrainIcon,
   GreptileIcon,
+  HexIcon,
   HubspotIcon,
   HuggingFaceIcon,
   HunterIOIcon,
@@ -98,8 +100,10 @@ import {
   QdrantIcon,
   RDSIcon,
   RedditIcon,
+  RedisIcon,
   ReductoIcon,
   ResendIcon,
+  RevenueCatIcon,
   S3Icon,
   SalesforceIcon,
   SearchIcon,
@@ -127,6 +131,7 @@ import {
   TTSIcon,
   TwilioIcon,
   TypeformIcon,
+  UpstashIcon,
   VercelIcon,
   VideoIcon,
   WealthboxIcon,
@@ -148,6 +153,7 @@ export const blockTypeToIconMap: Record<string, IconComponent> = {
   ahrefs: AhrefsIcon,
   airtable: AirtableIcon,
   airweave: AirweaveIcon,
+  algolia: AlgoliaIcon,
   apify: ApifyIcon,
   apollo: ApolloIcon,
   arxiv: ArxivIcon,
@@ -191,6 +197,7 @@ export const blockTypeToIconMap: Record<string, IconComponent> = {
   grafana: GrafanaIcon,
   grain: GrainIcon,
   greptile: GreptileIcon,
+  hex: HexIcon,
   hubspot: HubspotIcon,
   huggingface: HuggingFaceIcon,
   hunter: HunterIOIcon,
@@ -236,8 +243,10 @@ export const blockTypeToIconMap: Record<string, IconComponent> = {
   qdrant: QdrantIcon,
   rds: RDSIcon,
   reddit: RedditIcon,
+  redis: RedisIcon,
   reducto_v2: ReductoIcon,
   resend: ResendIcon,
+  revenuecat: RevenueCatIcon,
   s3: S3Icon,
   salesforce: SalesforceIcon,
   search: SearchIcon,
@@ -267,6 +276,7 @@ export const blockTypeToIconMap: Record<string, IconComponent> = {
   twilio_sms: TwilioIcon,
   twilio_voice: TwilioIcon,
   typeform: TypeformIcon,
+  upstash: UpstashIcon,
   vercel: VercelIcon,
   video_generator_v2: VideoIcon,
   vision_v2: EyeIcon,

apps/docs/content/docs/en/tools/algolia.mdx

@@ -0,0 +1,404 @@
+---
+title: Algolia
+description: Search and manage Algolia indices
+---
+
+import { BlockInfoCard } from "@/components/ui/block-info-card"
+
+<BlockInfoCard 
+  type="algolia"
+  color="#003DFF"
+/>
+
+{/* MANUAL-CONTENT-START:intro */}
+[Algolia](https://www.algolia.com/) is a powerful hosted search platform that enables developers and teams to deliver fast, relevant search experiences in their apps and websites. Algolia provides full-text, faceted, and filtered search as well as analytics and advanced ranking capabilities.
+
+With Algolia, you can:
+
+- **Deliver lightning-fast search**: Provide instant search results as users type, with typo tolerance and synonyms
+- **Manage and update records**: Easily add, update, or delete objects/records in your indices
+- **Perform advanced filtering**: Use filters, facets, and custom ranking to refine and organize search results
+- **Configure index settings**: Adjust relevance, ranking, attributes for search, and more to optimize user experience
+- **Scale confidently**: Algolia handles massive traffic and data volumes with globally distributed infrastructure
+- **Gain insights**: Track analytics, search patterns, and user engagement
+
+In Sim, the Algolia integration allows your agents to search, manage, and configure Algolia indices directly within your workflows. Use Algolia to power dynamic data exploration, automate record updates, run batch operations, and more—all from a single tool in your workspace.
+{/* MANUAL-CONTENT-END */}
+
+
+## Usage Instructions
+
+Integrate Algolia into your workflow. Search indices, manage records (add, update, delete, browse), configure index settings, and perform batch operations.
+
+
+
+## Tools
+
+### `algolia_search`
+
+Search an Algolia index
+
+#### Input
+
+| Parameter | Type | Required | Description |
+| --------- | ---- | -------- | ----------- |
+| `applicationId` | string | Yes | Algolia Application ID |
+| `apiKey` | string | Yes | Algolia API Key |
+| `indexName` | string | Yes | Name of the Algolia index to search |
+| `query` | string | Yes | Search query text |
+| `hitsPerPage` | number | No | Number of hits per page \(default: 20\) |
+| `page` | number | No | Page number to retrieve \(default: 0\) |
+| `filters` | string | No | Filter string \(e.g., "category:electronics AND price &lt; 100"\) |
+| `attributesToRetrieve` | string | No | Comma-separated list of attributes to retrieve |
+
+#### Output
+
+| Parameter | Type | Description |
+| --------- | ---- | ----------- |
+| `hits` | array | Array of matching records |
+|   ↳ `objectID` | string | Unique identifier of the record |
+|   ↳ `_highlightResult` | object | Highlighted attributes matching the query. Each attribute has value, matchLevel \(none, partial, full\), and matchedWords |
+|   ↳ `_snippetResult` | object | Snippeted attributes matching the query. Each attribute has value and matchLevel |
+|   ↳ `_rankingInfo` | object | Ranking information for the hit. Only present when getRankingInfo is enabled |
+|     ↳ `nbTypos` | number | Number of typos in the query match |
+|     ↳ `firstMatchedWord` | number | Position of the first matched word |
+|     ↳ `geoDistance` | number | Distance in meters for geo-search results |
+|     ↳ `nbExactWords` | number | Number of exactly matched words |
+|     ↳ `userScore` | number | Custom ranking score |
+|     ↳ `words` | number | Number of matched words |
+| `nbHits` | number | Total number of matching hits |
+| `page` | number | Current page number \(zero-based\) |
+| `nbPages` | number | Total number of pages available |
+| `hitsPerPage` | number | Number of hits per page \(1-1000, default 20\) |
+| `processingTimeMS` | number | Server-side processing time in milliseconds |
+| `query` | string | The search query that was executed |
+| `parsedQuery` | string | The query string after normalization and stop word removal |
+| `facets` | object | Facet counts keyed by facet name, each containing value-count pairs |
+| `facets_stats` | object | Statistics \(min, max, avg, sum\) for numeric facets |
+| `exhaustive` | object | Exhaustiveness flags for facetsCount, facetValues, nbHits, rulesMatch, and typo |
+
+### `algolia_add_record`
+
+Add or replace a record in an Algolia index
+
+#### Input
+
+| Parameter | Type | Required | Description |
+| --------- | ---- | -------- | ----------- |
+| `applicationId` | string | Yes | Algolia Application ID |
+| `apiKey` | string | Yes | Algolia Admin API Key |
+| `indexName` | string | Yes | Name of the Algolia index |
+| `objectID` | string | No | Object ID for the record \(auto-generated if not provided\) |
+| `record` | json | Yes | JSON object representing the record to add |
+
+#### Output
+
+| Parameter | Type | Description |
+| --------- | ---- | ----------- |
+| `taskID` | number | Algolia task ID for tracking the indexing operation |
+| `objectID` | string | The object ID of the added or replaced record |
+| `createdAt` | string | Timestamp when the record was created \(only present when objectID is auto-generated\) |
+| `updatedAt` | string | Timestamp when the record was updated \(only present when replacing an existing record\) |
+
+### `algolia_get_record`
+
+Get a record by objectID from an Algolia index
+
+#### Input
+
+| Parameter | Type | Required | Description |
+| --------- | ---- | -------- | ----------- |
+| `applicationId` | string | Yes | Algolia Application ID |
+| `apiKey` | string | Yes | Algolia API Key |
+| `indexName` | string | Yes | Name of the Algolia index |
+| `objectID` | string | Yes | The objectID of the record to retrieve |
+| `attributesToRetrieve` | string | No | Comma-separated list of attributes to retrieve |
+
+#### Output
+
+| Parameter | Type | Description |
+| --------- | ---- | ----------- |
+| `objectID` | string | The objectID of the retrieved record |
+| `record` | object | The record data \(all attributes\) |
+
+### `algolia_get_records`
+
+Retrieve multiple records by objectID from one or more Algolia indices
+
+#### Input
+
+| Parameter | Type | Required | Description |
+| --------- | ---- | -------- | ----------- |
+| `applicationId` | string | Yes | Algolia Application ID |
+| `apiKey` | string | Yes | Algolia API Key |
+| `indexName` | string | Yes | Default index name for all requests |
+| `requests` | json | Yes | Array of objects specifying records to retrieve. Each must have "objectID" and optionally "indexName" and "attributesToRetrieve". |
+
+#### Output
+
+| Parameter | Type | Description |
+| --------- | ---- | ----------- |
+| `results` | array | Array of retrieved records \(null entries for records not found\) |
+|   ↳ `objectID` | string | Unique identifier of the record |
+
+### `algolia_partial_update_record`
+
+Partially update a record in an Algolia index without replacing it entirely
+
+#### Input
+
+| Parameter | Type | Required | Description |
+| --------- | ---- | -------- | ----------- |
+| `applicationId` | string | Yes | Algolia Application ID |
+| `apiKey` | string | Yes | Algolia Admin API Key |
+| `indexName` | string | Yes | Name of the Algolia index |
+| `objectID` | string | Yes | The objectID of the record to update |
+| `attributes` | json | Yes | JSON object with attributes to update. Supports built-in operations like \{"stock": \{"_operation": "Decrement", "value": 1\}\} |
+| `createIfNotExists` | boolean | No | Whether to create the record if it does not exist \(default: true\) |
+
+#### Output
+
+| Parameter | Type | Description |
+| --------- | ---- | ----------- |
+| `taskID` | number | Algolia task ID for tracking the update operation |
+| `objectID` | string | The objectID of the updated record |
+| `updatedAt` | string | Timestamp when the record was updated |
+
+### `algolia_delete_record`
+
+Delete a record by objectID from an Algolia index
+
+#### Input
+
+| Parameter | Type | Required | Description |
+| --------- | ---- | -------- | ----------- |
+| `applicationId` | string | Yes | Algolia Application ID |
+| `apiKey` | string | Yes | Algolia Admin API Key |
+| `indexName` | string | Yes | Name of the Algolia index |
+| `objectID` | string | Yes | The objectID of the record to delete |
+
+#### Output
+
+| Parameter | Type | Description |
+| --------- | ---- | ----------- |
+| `taskID` | number | Algolia task ID for tracking the deletion |
+| `deletedAt` | string | Timestamp when the record was deleted |
+
+### `algolia_browse_records`
+
+Browse and iterate over all records in an Algolia index using cursor pagination
+
+#### Input
+
+| Parameter | Type | Required | Description |
+| --------- | ---- | -------- | ----------- |
+| `applicationId` | string | Yes | Algolia Application ID |
+| `apiKey` | string | Yes | Algolia API Key \(must have browse ACL\) |
+| `indexName` | string | Yes | Name of the Algolia index to browse |
+| `query` | string | No | Search query to filter browsed records |
+| `filters` | string | No | Filter string to narrow down results |
+| `attributesToRetrieve` | string | No | Comma-separated list of attributes to retrieve |
+| `hitsPerPage` | number | No | Number of hits per page \(default: 1000, max: 1000\) |
+| `cursor` | string | No | Cursor from a previous browse response for pagination |
+
+#### Output
+
+| Parameter | Type | Description |
+| --------- | ---- | ----------- |
+| `hits` | array | Array of records from the index \(up to 1000 per request\) |
+|   ↳ `objectID` | string | Unique identifier of the record |
+| `cursor` | string | Opaque cursor string for retrieving the next page of results. Absent when no more results exist. |
+| `nbHits` | number | Total number of records matching the browse criteria |
+| `page` | number | Current page number \(zero-based\) |
+| `nbPages` | number | Total number of pages available |
+| `hitsPerPage` | number | Number of hits per page \(1-1000, default 1000 for browse\) |
+| `processingTimeMS` | number | Server-side processing time in milliseconds |
+
+### `algolia_batch_operations`
+
+Perform batch add, update, partial update, or delete operations on records in an Algolia index
+
+#### Input
+
+| Parameter | Type | Required | Description |
+| --------- | ---- | -------- | ----------- |
+| `applicationId` | string | Yes | Algolia Application ID |
+| `apiKey` | string | Yes | Algolia Admin API Key |
+| `indexName` | string | Yes | Name of the Algolia index |
+| `requests` | json | Yes | Array of batch operations. Each item has "action" \(addObject, updateObject, partialUpdateObject, partialUpdateObjectNoCreate, deleteObject\) and "body" \(the record data, must include objectID for update/delete\) |
+
+#### Output
+
+| Parameter | Type | Description |
+| --------- | ---- | ----------- |
+| `taskID` | number | Algolia task ID for tracking the batch operation |
+| `objectIDs` | array | Array of object IDs affected by the batch operation |
+
+### `algolia_list_indices`
+
+List all indices in an Algolia application
+
+#### Input
+
+| Parameter | Type | Required | Description |
+| --------- | ---- | -------- | ----------- |
+| `applicationId` | string | Yes | Algolia Application ID |
+| `apiKey` | string | Yes | Algolia API Key |
+| `page` | number | No | Page number for paginating indices \(default: not paginated\) |
+| `hitsPerPage` | number | No | Number of indices per page \(default: 100\) |
+
+#### Output
+
+| Parameter | Type | Description |
+| --------- | ---- | ----------- |
+| `indices` | array | List of indices in the application |
+|   ↳ `name` | string | Name of the index |
+|   ↳ `entries` | number | Number of records in the index |
+|   ↳ `dataSize` | number | Size of the index data in bytes |
+|   ↳ `fileSize` | number | Size of the index files in bytes |
+|   ↳ `lastBuildTimeS` | number | Last build duration in seconds |
+|   ↳ `numberOfPendingTasks` | number | Number of pending indexing tasks |
+|   ↳ `pendingTask` | boolean | Whether the index has pending tasks |
+|   ↳ `createdAt` | string | Timestamp when the index was created |
+|   ↳ `updatedAt` | string | Timestamp when the index was last updated |
+|   ↳ `primary` | string | Name of the primary index \(if this is a replica\) |
+|   ↳ `replicas` | array | List of replica index names |
+|   ↳ `virtual` | boolean | Whether the index is a virtual replica |
+| `nbPages` | number | Total number of pages of indices |
+
+### `algolia_get_settings`
+
+Retrieve the settings of an Algolia index
+
+#### Input
+
+| Parameter | Type | Required | Description |
+| --------- | ---- | -------- | ----------- |
+| `applicationId` | string | Yes | Algolia Application ID |
+| `apiKey` | string | Yes | Algolia API Key |
+| `indexName` | string | Yes | Name of the Algolia index |
+
+#### Output
+
+| Parameter | Type | Description |
+| --------- | ---- | ----------- |
+| `searchableAttributes` | array | List of searchable attributes |
+| `attributesForFaceting` | array | Attributes used for faceting |
+| `ranking` | array | Ranking criteria |
+| `customRanking` | array | Custom ranking criteria |
+| `replicas` | array | List of replica index names |
+| `hitsPerPage` | number | Default number of hits per page |
+| `maxValuesPerFacet` | number | Maximum number of facet values returned |
+| `highlightPreTag` | string | HTML tag inserted before highlighted parts |
+| `highlightPostTag` | string | HTML tag inserted after highlighted parts |
+| `paginationLimitedTo` | number | Maximum number of hits accessible via pagination |
+
+### `algolia_update_settings`
+
+Update the settings of an Algolia index
+
+#### Input
+
+| Parameter | Type | Required | Description |
+| --------- | ---- | -------- | ----------- |
+| `applicationId` | string | Yes | Algolia Application ID |
+| `apiKey` | string | Yes | Algolia Admin API Key \(must have editSettings ACL\) |
+| `indexName` | string | Yes | Name of the Algolia index |
+| `settings` | json | Yes | JSON object with settings to update \(e.g., \{"searchableAttributes": \["name", "description"\], "customRanking": \["desc\(popularity\)"\]\}\) |
+| `forwardToReplicas` | boolean | No | Whether to apply changes to replica indices \(default: false\) |
+
+#### Output
+
+| Parameter | Type | Description |
+| --------- | ---- | ----------- |
+| `taskID` | number | Algolia task ID for tracking the settings update |
+| `updatedAt` | string | Timestamp when the settings were updated |
+
+### `algolia_delete_index`
+
+Delete an entire Algolia index and all its records
+
+#### Input
+
+| Parameter | Type | Required | Description |
+| --------- | ---- | -------- | ----------- |
+| `applicationId` | string | Yes | Algolia Application ID |
+| `apiKey` | string | Yes | Algolia Admin API Key \(must have deleteIndex ACL\) |
+| `indexName` | string | Yes | Name of the Algolia index to delete |
+
+#### Output
+
+| Parameter | Type | Description |
+| --------- | ---- | ----------- |
+| `taskID` | number | Algolia task ID for tracking the index deletion |
+| `deletedAt` | string | Timestamp when the index was deleted |
+
+### `algolia_copy_move_index`
+
+Copy or move an Algolia index to a new destination
+
+#### Input
+
+| Parameter | Type | Required | Description |
+| --------- | ---- | -------- | ----------- |
+| `applicationId` | string | Yes | Algolia Application ID |
+| `apiKey` | string | Yes | Algolia Admin API Key |
+| `indexName` | string | Yes | Name of the source index |
+| `operation` | string | Yes | Operation to perform: "copy" or "move" |
+| `destination` | string | Yes | Name of the destination index |
+| `scope` | json | No | Array of scopes to copy \(only for "copy" operation\): \["settings", "synonyms", "rules"\]. Omit to copy everything including records. |
+
+#### Output
+
+| Parameter | Type | Description |
+| --------- | ---- | ----------- |
+| `taskID` | number | Algolia task ID for tracking the copy/move operation |
+| `updatedAt` | string | Timestamp when the operation was performed |
+
+### `algolia_clear_records`
+
+Clear all records from an Algolia index while keeping settings, synonyms, and rules
+
+#### Input
+
+| Parameter | Type | Required | Description |
+| --------- | ---- | -------- | ----------- |
+| `applicationId` | string | Yes | Algolia Application ID |
+| `apiKey` | string | Yes | Algolia Admin API Key \(must have deleteIndex ACL\) |
+| `indexName` | string | Yes | Name of the Algolia index to clear |
+
+#### Output
+
+| Parameter | Type | Description |
+| --------- | ---- | ----------- |
+| `taskID` | number | Algolia task ID for tracking the clear operation |
+| `updatedAt` | string | Timestamp when the records were cleared |
+
+### `algolia_delete_by_filter`
+
+Delete all records matching a filter from an Algolia index
+
+#### Input
+
+| Parameter | Type | Required | Description |
+| --------- | ---- | -------- | ----------- |
+| `applicationId` | string | Yes | Algolia Application ID |
+| `apiKey` | string | Yes | Algolia Admin API Key \(must have deleteIndex ACL\) |
+| `indexName` | string | Yes | Name of the Algolia index |
+| `filters` | string | No | Filter expression to match records for deletion \(e.g., "category:outdated"\) |
+| `facetFilters` | json | No | Array of facet filters \(e.g., \["brand:Acme"\]\) |
+| `numericFilters` | json | No | Array of numeric filters \(e.g., \["price &gt; 100"\]\) |
+| `tagFilters` | json | No | Array of tag filters using the _tags attribute \(e.g., \["published"\]\) |
+| `aroundLatLng` | string | No | Coordinates for geo-search filter \(e.g., "40.71,-74.01"\) |
+| `aroundRadius` | number | No | Maximum radius in meters for geo-search, or "all" for unlimited |
+| `insideBoundingBox` | json | No | Bounding box coordinates as \[\[lat1, lng1, lat2, lng2\]\] for geo-search filter |
+| `insidePolygon` | json | No | Polygon coordinates as \[\[lat1, lng1, lat2, lng2, lat3, lng3, ...\]\] for geo-search filter |
+
+#### Output
+
+| Parameter | Type | Description |
+| --------- | ---- | ----------- |
+| `taskID` | number | Algolia task ID for tracking the delete-by-filter operation |
+| `updatedAt` | string | Timestamp when the operation was performed |
+
+

apps/docs/content/docs/en/tools/hex.mdx

@@ -0,0 +1,459 @@
+---
+title: Hex
+description: Run and manage Hex projects
+---
+
+import { BlockInfoCard } from "@/components/ui/block-info-card"
+
+<BlockInfoCard 
+  type="hex"
+  color="#F5E6FF"
+/>
+
+{/* MANUAL-CONTENT-START:intro */}
+[Hex](https://hex.tech/) is a collaborative platform for analytics and data science that allows you to build, run, and share interactive data projects and notebooks. Hex lets teams work together on data exploration, transformation, and visualization, making it easy to turn analysis into shareable insights.
+
+With Hex, you can:
+
+- **Create and run powerful notebooks**: Blend SQL, Python, and visualizations in a single, interactive workspace.
+- **Collaborate and share**: Work together with teammates in real time and publish interactive data apps for broader audiences.
+- **Automate and orchestrate workflows**: Schedule notebook runs, parameterize runs with inputs, and automate data tasks.
+- **Visualize and communicate results**: Turn analysis results into dashboards or interactive apps that anyone can use.
+- **Integrate with your data stack**: Connect easily to data warehouses, APIs, and other sources.
+
+The Sim Hex integration allows your AI agents or workflows to:
+
+- List, get, and manage Hex projects directly from Sim.
+- Trigger and monitor notebook runs, check their statuses, or cancel them as part of larger automation flows.
+- Retrieve run results and use them within Sim-powered processes and decision-making.
+- Leverage Hex’s interactive analytics capabilities right inside your automated Sim workflows.
+
+Whether you’re empowering analysts, automating reporting, or embedding actionable data into your processes, Hex and Sim provide a seamless way to operationalize analytics and bring data-driven insights to your team.
+{/* MANUAL-CONTENT-END */}
+
+
+## Usage Instructions
+
+Integrate Hex into your workflow. Run projects, check run status, manage collections and groups, list users, and view data connections. Requires a Hex API token.
+
+
+
+## Tools
+
+### `hex_cancel_run`
+
+Cancel an active Hex project run.
+
+#### Input
+
+| Parameter | Type | Required | Description |
+| --------- | ---- | -------- | ----------- |
+| `apiKey` | string | Yes | Hex API token \(Personal or Workspace\) |
+| `projectId` | string | Yes | The UUID of the Hex project |
+| `runId` | string | Yes | The UUID of the run to cancel |
+
+#### Output
+
+| Parameter | Type | Description |
+| --------- | ---- | ----------- |
+| `success` | boolean | Whether the run was successfully cancelled |
+| `projectId` | string | Project UUID |
+| `runId` | string | Run UUID that was cancelled |
+
+### `hex_create_collection`
+
+Create a new collection in the Hex workspace to organize projects.
+
+#### Input
+
+| Parameter | Type | Required | Description |
+| --------- | ---- | -------- | ----------- |
+| `apiKey` | string | Yes | Hex API token \(Personal or Workspace\) |
+| `name` | string | Yes | Name for the new collection |
+| `description` | string | No | Optional description for the collection |
+
+#### Output
+
+| Parameter | Type | Description |
+| --------- | ---- | ----------- |
+| `id` | string | Newly created collection UUID |
+| `name` | string | Collection name |
+| `description` | string | Collection description |
+| `creator` | object | Collection creator |
+|   ↳ `email` | string | Creator email |
+|   ↳ `id` | string | Creator UUID |
+
+### `hex_get_collection`
+
+Retrieve details for a specific Hex collection by its ID.
+
+#### Input
+
+| Parameter | Type | Required | Description |
+| --------- | ---- | -------- | ----------- |
+| `apiKey` | string | Yes | Hex API token \(Personal or Workspace\) |
+| `collectionId` | string | Yes | The UUID of the collection |
+
+#### Output
+
+| Parameter | Type | Description |
+| --------- | ---- | ----------- |
+| `id` | string | Collection UUID |
+| `name` | string | Collection name |
+| `description` | string | Collection description |
+| `creator` | object | Collection creator |
+|   ↳ `email` | string | Creator email |
+|   ↳ `id` | string | Creator UUID |
+
+### `hex_get_data_connection`
+
+Retrieve details for a specific data connection including type, description, and configuration flags.
+
+#### Input
+
+| Parameter | Type | Required | Description |
+| --------- | ---- | -------- | ----------- |
+| `apiKey` | string | Yes | Hex API token \(Personal or Workspace\) |
+| `dataConnectionId` | string | Yes | The UUID of the data connection |
+
+#### Output
+
+| Parameter | Type | Description |
+| --------- | ---- | ----------- |
+| `id` | string | Connection UUID |
+| `name` | string | Connection name |
+| `type` | string | Connection type \(e.g., snowflake, postgres, bigquery\) |
+| `description` | string | Connection description |
+| `connectViaSsh` | boolean | Whether SSH tunneling is enabled |
+| `includeMagic` | boolean | Whether Magic AI features are enabled |
+| `allowWritebackCells` | boolean | Whether writeback cells are allowed |
+
+### `hex_get_group`
+
+Retrieve details for a specific Hex group.
+
+#### Input
+
+| Parameter | Type | Required | Description |
+| --------- | ---- | -------- | ----------- |
+| `apiKey` | string | Yes | Hex API token \(Personal or Workspace\) |
+| `groupId` | string | Yes | The UUID of the group |
+
+#### Output
+
+| Parameter | Type | Description |
+| --------- | ---- | ----------- |
+| `id` | string | Group UUID |
+| `name` | string | Group name |
+| `createdAt` | string | Creation timestamp |
+
+### `hex_get_project`
+
+Get metadata and details for a specific Hex project by its ID.
+
+#### Input
+
+| Parameter | Type | Required | Description |
+| --------- | ---- | -------- | ----------- |
+| `apiKey` | string | Yes | Hex API token \(Personal or Workspace\) |
+| `projectId` | string | Yes | The UUID of the Hex project |
+
+#### Output
+
+| Parameter | Type | Description |
+| --------- | ---- | ----------- |
+| `id` | string | Project UUID |
+| `title` | string | Project title |
+| `description` | string | Project description |
+| `status` | object | Project status |
+|   ↳ `name` | string | Status name \(e.g., PUBLISHED, DRAFT\) |
+| `type` | string | Project type \(PROJECT or COMPONENT\) |
+| `creator` | object | Project creator |
+|   ↳ `email` | string | Creator email |
+| `owner` | object | Project owner |
+|   ↳ `email` | string | Owner email |
+| `categories` | array | Project categories |
+|   ↳ `name` | string | Category name |
+|   ↳ `description` | string | Category description |
+| `lastEditedAt` | string | ISO 8601 last edited timestamp |
+| `lastPublishedAt` | string | ISO 8601 last published timestamp |
+| `createdAt` | string | ISO 8601 creation timestamp |
+| `archivedAt` | string | ISO 8601 archived timestamp |
+| `trashedAt` | string | ISO 8601 trashed timestamp |
+
+### `hex_get_project_runs`
+
+Retrieve API-triggered runs for a Hex project with optional filtering by status and pagination.
+
+#### Input
+
+| Parameter | Type | Required | Description |
+| --------- | ---- | -------- | ----------- |
+| `apiKey` | string | Yes | Hex API token \(Personal or Workspace\) |
+| `projectId` | string | Yes | The UUID of the Hex project |
+| `limit` | number | No | Maximum number of runs to return \(1-100, default: 25\) |
+| `offset` | number | No | Offset for paginated results \(default: 0\) |
+| `statusFilter` | string | No | Filter by run status: PENDING, RUNNING, ERRORED, COMPLETED, KILLED, UNABLE_TO_ALLOCATE_KERNEL |
+
+#### Output
+
+| Parameter | Type | Description |
+| --------- | ---- | ----------- |
+| `runs` | array | List of project runs |
+|   ↳ `projectId` | string | Project UUID |
+|   ↳ `runId` | string | Run UUID |
+|   ↳ `runUrl` | string | URL to view the run |
+|   ↳ `status` | string | Run status \(PENDING, RUNNING, COMPLETED, ERRORED, KILLED, UNABLE_TO_ALLOCATE_KERNEL\) |
+|   ↳ `startTime` | string | Run start time |
+|   ↳ `endTime` | string | Run end time |
+|   ↳ `elapsedTime` | number | Elapsed time in seconds |
+|   ↳ `traceId` | string | Trace ID |
+|   ↳ `projectVersion` | number | Project version number |
+| `total` | number | Total number of runs returned |
+| `traceId` | string | Top-level trace ID |
+
+### `hex_get_queried_tables`
+
+Return the warehouse tables queried by a Hex project, including data connection and table names.
+
+#### Input
+
+| Parameter | Type | Required | Description |
+| --------- | ---- | -------- | ----------- |
+| `apiKey` | string | Yes | Hex API token \(Personal or Workspace\) |
+| `projectId` | string | Yes | The UUID of the Hex project |
+| `limit` | number | No | Maximum number of tables to return \(1-100\) |
+
+#### Output
+
+| Parameter | Type | Description |
+| --------- | ---- | ----------- |
+| `tables` | array | List of warehouse tables queried by the project |
+|   ↳ `dataConnectionId` | string | Data connection UUID |
+|   ↳ `dataConnectionName` | string | Data connection name |
+|   ↳ `tableName` | string | Table name |
+| `total` | number | Total number of tables returned |
+
+### `hex_get_run_status`
+
+Check the status of a Hex project run by its run ID.
+
+#### Input
+
+| Parameter | Type | Required | Description |
+| --------- | ---- | -------- | ----------- |
+| `apiKey` | string | Yes | Hex API token \(Personal or Workspace\) |
+| `projectId` | string | Yes | The UUID of the Hex project |
+| `runId` | string | Yes | The UUID of the run to check |
+
+#### Output
+
+| Parameter | Type | Description |
+| --------- | ---- | ----------- |
+| `projectId` | string | Project UUID |
+| `runId` | string | Run UUID |
+| `runUrl` | string | URL to view the run |
+| `status` | string | Run status \(PENDING, RUNNING, COMPLETED, ERRORED, KILLED, UNABLE_TO_ALLOCATE_KERNEL\) |
+| `startTime` | string | ISO 8601 run start time |
+| `endTime` | string | ISO 8601 run end time |
+| `elapsedTime` | number | Elapsed time in seconds |
+| `traceId` | string | Trace ID for debugging |
+| `projectVersion` | number | Project version number |
+
+### `hex_list_collections`
+
+List all collections in the Hex workspace.
+
+#### Input
+
+| Parameter | Type | Required | Description |
+| --------- | ---- | -------- | ----------- |
+| `apiKey` | string | Yes | Hex API token \(Personal or Workspace\) |
+| `limit` | number | No | Maximum number of collections to return \(1-500, default: 25\) |
+| `sortBy` | string | No | Sort by field: NAME |
+
+#### Output
+
+| Parameter | Type | Description |
+| --------- | ---- | ----------- |
+| `collections` | array | List of collections |
+|   ↳ `id` | string | Collection UUID |
+|   ↳ `name` | string | Collection name |
+|   ↳ `description` | string | Collection description |
+|   ↳ `creator` | object | Collection creator |
+|     ↳ `email` | string | Creator email |
+|     ↳ `id` | string | Creator UUID |
+| `total` | number | Total number of collections returned |
+
+### `hex_list_data_connections`
+
+List all data connections in the Hex workspace (e.g., Snowflake, PostgreSQL, BigQuery).
+
+#### Input
+
+| Parameter | Type | Required | Description |
+| --------- | ---- | -------- | ----------- |
+| `apiKey` | string | Yes | Hex API token \(Personal or Workspace\) |
+| `limit` | number | No | Maximum number of connections to return \(1-500, default: 25\) |
+| `sortBy` | string | No | Sort by field: CREATED_AT or NAME |
+| `sortDirection` | string | No | Sort direction: ASC or DESC |
+
+#### Output
+
+| Parameter | Type | Description |
+| --------- | ---- | ----------- |
+| `connections` | array | List of data connections |
+|   ↳ `id` | string | Connection UUID |
+|   ↳ `name` | string | Connection name |
+|   ↳ `type` | string | Connection type \(e.g., athena, bigquery, databricks, postgres, redshift, snowflake\) |
+|   ↳ `description` | string | Connection description |
+|   ↳ `connectViaSsh` | boolean | Whether SSH tunneling is enabled |
+|   ↳ `includeMagic` | boolean | Whether Magic AI features are enabled |
+|   ↳ `allowWritebackCells` | boolean | Whether writeback cells are allowed |
+| `total` | number | Total number of connections returned |
+
+### `hex_list_groups`
+
+List all groups in the Hex workspace with optional sorting.
+
+#### Input
+
+| Parameter | Type | Required | Description |
+| --------- | ---- | -------- | ----------- |
+| `apiKey` | string | Yes | Hex API token \(Personal or Workspace\) |
+| `limit` | number | No | Maximum number of groups to return \(1-500, default: 25\) |
+| `sortBy` | string | No | Sort by field: CREATED_AT or NAME |
+| `sortDirection` | string | No | Sort direction: ASC or DESC |
+
+#### Output
+
+| Parameter | Type | Description |
+| --------- | ---- | ----------- |
+| `groups` | array | List of workspace groups |
+|   ↳ `id` | string | Group UUID |
+|   ↳ `name` | string | Group name |
+|   ↳ `createdAt` | string | Creation timestamp |
+| `total` | number | Total number of groups returned |
+
+### `hex_list_projects`
+
+List all projects in your Hex workspace with optional filtering by status.
+
+#### Input
+
+| Parameter | Type | Required | Description |
+| --------- | ---- | -------- | ----------- |
+| `apiKey` | string | Yes | Hex API token \(Personal or Workspace\) |
+| `limit` | number | No | Maximum number of projects to return \(1-100\) |
+| `includeArchived` | boolean | No | Include archived projects in results |
+| `statusFilter` | string | No | Filter by status: PUBLISHED, DRAFT, or ALL |
+
+#### Output
+
+| Parameter | Type | Description |
+| --------- | ---- | ----------- |
+| `projects` | array | List of Hex projects |
+|   ↳ `id` | string | Project UUID |
+|   ↳ `title` | string | Project title |
+|   ↳ `description` | string | Project description |
+|   ↳ `status` | object | Project status |
+|     ↳ `name` | string | Status name \(e.g., PUBLISHED, DRAFT\) |
+|   ↳ `type` | string | Project type \(PROJECT or COMPONENT\) |
+|   ↳ `creator` | object | Project creator |
+|     ↳ `email` | string | Creator email |
+|   ↳ `owner` | object | Project owner |
+|     ↳ `email` | string | Owner email |
+|   ↳ `lastEditedAt` | string | Last edited timestamp |
+|   ↳ `lastPublishedAt` | string | Last published timestamp |
+|   ↳ `createdAt` | string | Creation timestamp |
+|   ↳ `archivedAt` | string | Archived timestamp |
+| `total` | number | Total number of projects returned |
+
+### `hex_list_users`
+
+List all users in the Hex workspace with optional filtering and sorting.
+
+#### Input
+
+| Parameter | Type | Required | Description |
+| --------- | ---- | -------- | ----------- |
+| `apiKey` | string | Yes | Hex API token \(Personal or Workspace\) |
+| `limit` | number | No | Maximum number of users to return \(1-100, default: 25\) |
+| `sortBy` | string | No | Sort by field: NAME or EMAIL |
+| `sortDirection` | string | No | Sort direction: ASC or DESC |
+| `groupId` | string | No | Filter users by group UUID |
+
+#### Output
+
+| Parameter | Type | Description |
+| --------- | ---- | ----------- |
+| `users` | array | List of workspace users |
+|   ↳ `id` | string | User UUID |
+|   ↳ `name` | string | User name |
+|   ↳ `email` | string | User email |
+|   ↳ `role` | string | User role \(ADMIN, MANAGER, EDITOR, EXPLORER, MEMBER, GUEST, EMBEDDED_USER, ANONYMOUS\) |
+| `total` | number | Total number of users returned |
+
+### `hex_run_project`
+
+Execute a published Hex project. Optionally pass input parameters and control caching behavior.
+
+#### Input
+
+| Parameter | Type | Required | Description |
+| --------- | ---- | -------- | ----------- |
+| `apiKey` | string | Yes | Hex API token \(Personal or Workspace\) |
+| `projectId` | string | Yes | The UUID of the Hex project to run |
+| `inputParams` | json | No | JSON object of input parameters for the project \(e.g., \{"date": "2024-01-01"\}\) |
+| `dryRun` | boolean | No | If true, perform a dry run without executing the project |
+| `updateCache` | boolean | No | \(Deprecated\) If true, update the cached results after execution |
+| `updatePublishedResults` | boolean | No | If true, update the published app results after execution |
+| `useCachedSqlResults` | boolean | No | If true, use cached SQL results instead of re-running queries |
+
+#### Output
+
+| Parameter | Type | Description |
+| --------- | ---- | ----------- |
+| `projectId` | string | Project UUID |
+| `runId` | string | Run UUID |
+| `runUrl` | string | URL to view the run |
+| `runStatusUrl` | string | URL to check run status |
+| `traceId` | string | Trace ID for debugging |
+| `projectVersion` | number | Project version number |
+
+### `hex_update_project`
+
+Update a Hex project status label (e.g., endorsement or custom workspace statuses).
+
+#### Input
+
+| Parameter | Type | Required | Description |
+| --------- | ---- | -------- | ----------- |
+| `apiKey` | string | Yes | Hex API token \(Personal or Workspace\) |
+| `projectId` | string | Yes | The UUID of the Hex project to update |
+| `status` | string | Yes | New project status name \(custom workspace status label\) |
+
+#### Output
+
+| Parameter | Type | Description |
+| --------- | ---- | ----------- |
+| `id` | string | Project UUID |
+| `title` | string | Project title |
+| `description` | string | Project description |
+| `status` | object | Updated project status |
+|   ↳ `name` | string | Status name \(e.g., PUBLISHED, DRAFT\) |
+| `type` | string | Project type \(PROJECT or COMPONENT\) |
+| `creator` | object | Project creator |
+|   ↳ `email` | string | Creator email |
+| `owner` | object | Project owner |
+|   ↳ `email` | string | Owner email |
+| `categories` | array | Project categories |
+|   ↳ `name` | string | Category name |
+|   ↳ `description` | string | Category description |
+| `lastEditedAt` | string | Last edited timestamp |
+| `lastPublishedAt` | string | Last published timestamp |
+| `createdAt` | string | Creation timestamp |
+| `archivedAt` | string | Archived timestamp |
+| `trashedAt` | string | Trashed timestamp |
+
+

apps/docs/content/docs/en/tools/jira_service_management.mdx

@@ -116,7 +116,7 @@ Create a new service request in Jira Service Management
 | `summary` | string | Yes | Summary/title for the service request |
 | `description` | string | No | Description for the service request |
 | `raiseOnBehalfOf` | string | No | Account ID of customer to raise request on behalf of |
-| `requestFieldValues` | json | No | Custom field values as key-value pairs \(overrides summary/description if provided\) |
+| `requestFieldValues` | json | No | Request field values as key-value pairs \(overrides summary/description if provided\) |
 | `requestParticipants` | string | No | Comma-separated account IDs to add as request participants |
 | `channel` | string | No | Channel the request originates from \(e.g., portal, email\) |
 

apps/docs/content/docs/en/tools/meta.json

@@ -5,6 +5,7 @@
     "ahrefs",
     "airtable",
     "airweave",
+    "algolia",
     "apify",
     "apollo",
     "arxiv",
@@ -48,6 +49,7 @@
     "grafana",
     "grain",
     "greptile",
+    "hex",
     "hubspot",
     "huggingface",
     "hunter",
@@ -93,8 +95,10 @@
     "qdrant",
     "rds",
     "reddit",
+    "redis",
     "reducto",
     "resend",
+    "revenuecat",
     "s3",
     "salesforce",
     "search",
@@ -125,6 +129,7 @@
     "twilio_sms",
     "twilio_voice",
     "typeform",
+    "upstash",
     "vercel",
     "video_generator",
     "vision",

apps/docs/content/docs/en/tools/redis.mdx

@@ -0,0 +1,452 @@
+---
+title: Redis
+description: Key-value operations with Redis
+---
+
+import { BlockInfoCard } from "@/components/ui/block-info-card"
+
+<BlockInfoCard 
+  type="redis"
+  color="#FF4438"
+/>
+
+{/* MANUAL-CONTENT-START:intro */}
+[Redis](https://redis.io/) is an open-source, in-memory data structure store, used as a distributed key-value database, cache, and message broker. Redis supports a variety of data structures including strings, hashes, lists, sets, and more, making it highly flexible for different application scenarios.
+
+With Redis, you can:
+
+- **Store and retrieve key-value data instantly**: Use Redis as a fast database, cache, or session store for high performance.
+- **Work with multiple data structures**: Manage not just strings, but also lists, hashes, sets, sorted sets, streams, and bitmaps.
+- **Perform atomic operations**: Safely manipulate data using atomic commands and transactions.
+- **Support pub/sub messaging**: Use Redis’s publisher/subscriber features for real-time event handling and messaging.
+- **Set automatic expiration policies**: Assign TTLs to keys for caching and time-sensitive data.
+- **Scale horizontally**: Use Redis Cluster for sharding, high availability, and scalable workloads.
+
+In Sim, the Redis integration lets your agents connect to any Redis-compatible instance to perform key-value, hash, list, and utility operations. You can build workflows that involve storing, retrieving, or manipulating data in Redis, or manage your app’s cache, sessions, or real-time messaging, directly within your Sim workspace.
+{/* MANUAL-CONTENT-END */}
+
+
+## Usage Instructions
+
+Connect to any Redis instance to perform key-value, hash, list, and utility operations via a direct connection.
+
+
+
+## Tools
+
+### `redis_get`
+
+Get the value of a key from Redis.
+
+#### Input
+
+| Parameter | Type | Required | Description |
+| --------- | ---- | -------- | ----------- |
+| `url` | string | Yes | Redis connection URL \(e.g. redis://user:password@host:port\) |
+| `key` | string | Yes | The key to retrieve |
+
+#### Output
+
+| Parameter | Type | Description |
+| --------- | ---- | ----------- |
+| `key` | string | The key that was retrieved |
+| `value` | string | The value of the key, or null if the key does not exist |
+
+### `redis_set`
+
+Set the value of a key in Redis with an optional expiration time in seconds.
+
+#### Input
+
+| Parameter | Type | Required | Description |
+| --------- | ---- | -------- | ----------- |
+| `url` | string | Yes | Redis connection URL \(e.g. redis://user:password@host:port\) |
+| `key` | string | Yes | The key to set |
+| `value` | string | Yes | The value to store |
+| `ex` | number | No | Expiration time in seconds \(optional\) |
+
+#### Output
+
+| Parameter | Type | Description |
+| --------- | ---- | ----------- |
+| `key` | string | The key that was set |
+| `result` | string | The result of the SET operation \(typically "OK"\) |
+
+### `redis_delete`
+
+Delete a key from Redis.
+
+#### Input
+
+| Parameter | Type | Required | Description |
+| --------- | ---- | -------- | ----------- |
+| `url` | string | Yes | Redis connection URL \(e.g. redis://user:password@host:port\) |
+| `key` | string | Yes | The key to delete |
+
+#### Output
+
+| Parameter | Type | Description |
+| --------- | ---- | ----------- |
+| `key` | string | The key that was deleted |
+| `deletedCount` | number | Number of keys deleted \(0 if key did not exist, 1 if deleted\) |
+
+### `redis_keys`
+
+List all keys matching a pattern in Redis. Avoid using on large databases in production; use the Redis Command tool with SCAN for large key spaces.
+
+#### Input
+
+| Parameter | Type | Required | Description |
+| --------- | ---- | -------- | ----------- |
+| `url` | string | Yes | Redis connection URL \(e.g. redis://user:password@host:port\) |
+| `pattern` | string | No | Pattern to match keys \(default: * for all keys\) |
+
+#### Output
+
+| Parameter | Type | Description |
+| --------- | ---- | ----------- |
+| `pattern` | string | The pattern used to match keys |
+| `keys` | array | List of keys matching the pattern |
+| `count` | number | Number of keys found |
+
+### `redis_command`
+
+Execute a raw Redis command as a JSON array (e.g. [
+
+#### Input
+
+| Parameter | Type | Required | Description |
+| --------- | ---- | -------- | ----------- |
+| `url` | string | Yes | Redis connection URL \(e.g. redis://user:password@host:port\) |
+| `command` | string | Yes | Redis command as a JSON array \(e.g. \["SET", "key", "value"\]\) |
+
+#### Output
+
+| Parameter | Type | Description |
+| --------- | ---- | ----------- |
+| `command` | string | The command that was executed |
+| `result` | json | The result of the command |
+
+### `redis_hset`
+
+Set a field in a hash stored at a key in Redis.
+
+#### Input
+
+| Parameter | Type | Required | Description |
+| --------- | ---- | -------- | ----------- |
+| `url` | string | Yes | Redis connection URL \(e.g. redis://user:password@host:port\) |
+| `key` | string | Yes | The hash key |
+| `field` | string | Yes | The field name within the hash |
+| `value` | string | Yes | The value to set for the field |
+
+#### Output
+
+| Parameter | Type | Description |
+| --------- | ---- | ----------- |
+| `key` | string | The hash key |
+| `field` | string | The field that was set |
+| `result` | number | Number of fields added \(1 if new, 0 if updated\) |
+
+### `redis_hget`
+
+Get the value of a field in a hash stored at a key in Redis.
+
+#### Input
+
+| Parameter | Type | Required | Description |
+| --------- | ---- | -------- | ----------- |
+| `url` | string | Yes | Redis connection URL \(e.g. redis://user:password@host:port\) |
+| `key` | string | Yes | The hash key |
+| `field` | string | Yes | The field name to retrieve |
+
+#### Output
+
+| Parameter | Type | Description |
+| --------- | ---- | ----------- |
+| `key` | string | The hash key |
+| `field` | string | The field that was retrieved |
+| `value` | string | The field value, or null if the field or key does not exist |
+
+### `redis_hgetall`
+
+Get all fields and values of a hash stored at a key in Redis.
+
+#### Input
+
+| Parameter | Type | Required | Description |
+| --------- | ---- | -------- | ----------- |
+| `url` | string | Yes | Redis connection URL \(e.g. redis://user:password@host:port\) |
+| `key` | string | Yes | The hash key |
+
+#### Output
+
+| Parameter | Type | Description |
+| --------- | ---- | ----------- |
+| `key` | string | The hash key |
+| `fields` | object | All field-value pairs in the hash as a key-value object. Empty object if the key does not exist. |
+| `fieldCount` | number | Number of fields in the hash |
+
+### `redis_hdel`
+
+Delete a field from a hash stored at a key in Redis.
+
+#### Input
+
+| Parameter | Type | Required | Description |
+| --------- | ---- | -------- | ----------- |
+| `url` | string | Yes | Redis connection URL \(e.g. redis://user:password@host:port\) |
+| `key` | string | Yes | The hash key |
+| `field` | string | Yes | The field name to delete |
+
+#### Output
+
+| Parameter | Type | Description |
+| --------- | ---- | ----------- |
+| `key` | string | The hash key |
+| `field` | string | The field that was deleted |
+| `deleted` | number | Number of fields removed \(1 if deleted, 0 if field did not exist\) |
+
+### `redis_incr`
+
+Increment the integer value of a key by one in Redis.
+
+#### Input
+
+| Parameter | Type | Required | Description |
+| --------- | ---- | -------- | ----------- |
+| `url` | string | Yes | Redis connection URL \(e.g. redis://user:password@host:port\) |
+| `key` | string | Yes | The key to increment |
+
+#### Output
+
+| Parameter | Type | Description |
+| --------- | ---- | ----------- |
+| `key` | string | The key that was incremented |
+| `value` | number | The new value after increment |
+
+### `redis_incrby`
+
+Increment the integer value of a key by a given amount in Redis.
+
+#### Input
+
+| Parameter | Type | Required | Description |
+| --------- | ---- | -------- | ----------- |
+| `url` | string | Yes | Redis connection URL \(e.g. redis://user:password@host:port\) |
+| `key` | string | Yes | The key to increment |
+| `increment` | number | Yes | Amount to increment by \(negative to decrement\) |
+
+#### Output
+
+| Parameter | Type | Description |
+| --------- | ---- | ----------- |
+| `key` | string | The key that was incremented |
+| `value` | number | The new value after increment |
+
+### `redis_expire`
+
+Set an expiration time (in seconds) on a key in Redis.
+
+#### Input
+
+| Parameter | Type | Required | Description |
+| --------- | ---- | -------- | ----------- |
+| `url` | string | Yes | Redis connection URL \(e.g. redis://user:password@host:port\) |
+| `key` | string | Yes | The key to set expiration on |
+| `seconds` | number | Yes | Timeout in seconds |
+
+#### Output
+
+| Parameter | Type | Description |
+| --------- | ---- | ----------- |
+| `key` | string | The key that expiration was set on |
+| `result` | number | 1 if the timeout was set, 0 if the key does not exist |
+
+### `redis_ttl`
+
+Get the remaining time to live (in seconds) of a key in Redis.
+
+#### Input
+
+| Parameter | Type | Required | Description |
+| --------- | ---- | -------- | ----------- |
+| `url` | string | Yes | Redis connection URL \(e.g. redis://user:password@host:port\) |
+| `key` | string | Yes | The key to check TTL for |
+
+#### Output
+
+| Parameter | Type | Description |
+| --------- | ---- | ----------- |
+| `key` | string | The key that was checked |
+| `ttl` | number | Remaining TTL in seconds. Positive integer if TTL set, -1 if no expiration, -2 if key does not exist. |
+
+### `redis_persist`
+
+Remove the expiration from a key in Redis, making it persist indefinitely.
+
+#### Input
+
+| Parameter | Type | Required | Description |
+| --------- | ---- | -------- | ----------- |
+| `url` | string | Yes | Redis connection URL \(e.g. redis://user:password@host:port\) |
+| `key` | string | Yes | The key to persist |
+
+#### Output
+
+| Parameter | Type | Description |
+| --------- | ---- | ----------- |
+| `key` | string | The key that was persisted |
+| `result` | number | 1 if the expiration was removed, 0 if the key does not exist or has no expiration |
+
+### `redis_lpush`
+
+Prepend a value to a list stored at a key in Redis.
+
+#### Input
+
+| Parameter | Type | Required | Description |
+| --------- | ---- | -------- | ----------- |
+| `url` | string | Yes | Redis connection URL \(e.g. redis://user:password@host:port\) |
+| `key` | string | Yes | The list key |
+| `value` | string | Yes | The value to prepend |
+
+#### Output
+
+| Parameter | Type | Description |
+| --------- | ---- | ----------- |
+| `key` | string | The list key |
+| `length` | number | Length of the list after the push |
+
+### `redis_rpush`
+
+Append a value to the end of a list stored at a key in Redis.
+
+#### Input
+
+| Parameter | Type | Required | Description |
+| --------- | ---- | -------- | ----------- |
+| `url` | string | Yes | Redis connection URL \(e.g. redis://user:password@host:port\) |
+| `key` | string | Yes | The list key |
+| `value` | string | Yes | The value to append |
+
+#### Output
+
+| Parameter | Type | Description |
+| --------- | ---- | ----------- |
+| `key` | string | The list key |
+| `length` | number | Length of the list after the push |
+
+### `redis_lpop`
+
+Remove and return the first element of a list stored at a key in Redis.
+
+#### Input
+
+| Parameter | Type | Required | Description |
+| --------- | ---- | -------- | ----------- |
+| `url` | string | Yes | Redis connection URL \(e.g. redis://user:password@host:port\) |
+| `key` | string | Yes | The list key |
+
+#### Output
+
+| Parameter | Type | Description |
+| --------- | ---- | ----------- |
+| `key` | string | The list key |
+| `value` | string | The removed element, or null if the list is empty |
+
+### `redis_rpop`
+
+Remove and return the last element of a list stored at a key in Redis.
+
+#### Input
+
+| Parameter | Type | Required | Description |
+| --------- | ---- | -------- | ----------- |
+| `url` | string | Yes | Redis connection URL \(e.g. redis://user:password@host:port\) |
+| `key` | string | Yes | The list key |
+
+#### Output
+
+| Parameter | Type | Description |
+| --------- | ---- | ----------- |
+| `key` | string | The list key |
+| `value` | string | The removed element, or null if the list is empty |
+
+### `redis_llen`
+
+Get the length of a list stored at a key in Redis.
+
+#### Input
+
+| Parameter | Type | Required | Description |
+| --------- | ---- | -------- | ----------- |
+| `url` | string | Yes | Redis connection URL \(e.g. redis://user:password@host:port\) |
+| `key` | string | Yes | The list key |
+
+#### Output
+
+| Parameter | Type | Description |
+| --------- | ---- | ----------- |
+| `key` | string | The list key |
+| `length` | number | The length of the list, or 0 if the key does not exist |
+
+### `redis_lrange`
+
+Get a range of elements from a list stored at a key in Redis.
+
+#### Input
+
+| Parameter | Type | Required | Description |
+| --------- | ---- | -------- | ----------- |
+| `url` | string | Yes | Redis connection URL \(e.g. redis://user:password@host:port\) |
+| `key` | string | Yes | The list key |
+| `start` | number | Yes | Start index \(0-based\) |
+| `stop` | number | Yes | Stop index \(-1 for all elements\) |
+
+#### Output
+
+| Parameter | Type | Description |
+| --------- | ---- | ----------- |
+| `key` | string | The list key |
+| `values` | array | List elements in the specified range |
+| `count` | number | Number of elements returned |
+
+### `redis_exists`
+
+Check if a key exists in Redis.
+
+#### Input
+
+| Parameter | Type | Required | Description |
+| --------- | ---- | -------- | ----------- |
+| `url` | string | Yes | Redis connection URL \(e.g. redis://user:password@host:port\) |
+| `key` | string | Yes | The key to check |
+
+#### Output
+
+| Parameter | Type | Description |
+| --------- | ---- | ----------- |
+| `key` | string | The key that was checked |
+| `exists` | boolean | Whether the key exists \(true\) or not \(false\) |
+
+### `redis_setnx`
+
+Set the value of a key in Redis only if the key does not already exist.
+
+#### Input
+
+| Parameter | Type | Required | Description |
+| --------- | ---- | -------- | ----------- |
+| `url` | string | Yes | Redis connection URL \(e.g. redis://user:password@host:port\) |
+| `key` | string | Yes | The key to set |
+| `value` | string | Yes | The value to store |
+
+#### Output
+
+| Parameter | Type | Description |
+| --------- | ---- | ----------- |
+| `key` | string | The key that was set |
+| `wasSet` | boolean | Whether the key was set \(true\) or already existed \(false\) |
+
+

apps/docs/content/docs/en/tools/revenuecat.mdx

@@ -0,0 +1,456 @@
+---
+title: RevenueCat
+description: Manage in-app subscriptions and entitlements
+---
+
+import { BlockInfoCard } from "@/components/ui/block-info-card"
+
+<BlockInfoCard 
+  type="revenuecat"
+  color="#F25A5A"
+/>
+
+{/* MANUAL-CONTENT-START:intro */}
+[RevenueCat](https://www.revenuecat.com/) is a subscription management platform that enables you to easily set up, manage, and analyze in-app subscriptions for your apps. With RevenueCat, you can handle the complexities of in-app purchases across platforms like iOS, Android, and web—all through a single unified API.
+
+With RevenueCat, you can:
+
+- **Manage subscribers**: Track user subscriptions, entitlements, and purchases across all platforms in real time
+- **Simplify implementation**: Integrate RevenueCat’s SDKs to abstract away App Store and Play Store purchase logic
+- **Automate entitlement logic**: Define and manage what features users should receive when they purchase or renew
+- **Analyze revenue**: Access dashboards and analytics to view churn, LTV, revenue, active subscriptions, and more
+- **Grant or revoke entitlements**: Manually adjust user access (for example, for customer support or promotions)
+- **Operate globally**: Support purchases, refunds, and promotions worldwide with ease
+
+In Sim, the RevenueCat integration allows your agents to fetch and manage subscriber data, review and update entitlements, and automate subscription-related workflows. Use RevenueCat to centralize subscription operations for your apps directly within your Sim workspace.
+{/* MANUAL-CONTENT-END */}
+
+
+## Usage Instructions
+
+Integrate RevenueCat into the workflow. Manage subscribers, entitlements, offerings, and Google Play subscriptions. Retrieve customer subscription status, grant or revoke promotional entitlements, record purchases, update subscriber attributes, and manage Google Play subscription billing.
+
+
+
+## Tools
+
+### `revenuecat_get_customer`
+
+Retrieve subscriber information by app user ID
+
+#### Input
+
+| Parameter | Type | Required | Description |
+| --------- | ---- | -------- | ----------- |
+| `apiKey` | string | Yes | RevenueCat secret API key \(sk_...\) |
+| `appUserId` | string | Yes | The app user ID of the subscriber |
+
+#### Output
+
+| Parameter | Type | Description |
+| --------- | ---- | ----------- |
+| `subscriber` | object | The subscriber object with subscriptions and entitlements |
+|   ↳ `first_seen` | string | ISO 8601 date when subscriber was first seen |
+|   ↳ `original_app_user_id` | string | Original app user ID |
+|   ↳ `original_purchase_date` | string | ISO 8601 date of original purchase |
+|   ↳ `management_url` | string | URL for managing the subscriber subscriptions |
+|   ↳ `subscriptions` | object | Map of product identifiers to subscription objects |
+|     ↳ `store_transaction_id` | string | Store transaction identifier |
+|     ↳ `original_transaction_id` | string | Original transaction identifier |
+|     ↳ `purchase_date` | string | ISO 8601 purchase date |
+|     ↳ `original_purchase_date` | string | ISO 8601 date of the original purchase |
+|     ↳ `expires_date` | string | ISO 8601 expiration date |
+|     ↳ `is_sandbox` | boolean | Whether this is a sandbox purchase |
+|     ↳ `unsubscribe_detected_at` | string | ISO 8601 date when unsubscribe was detected |
+|     ↳ `billing_issues_detected_at` | string | ISO 8601 date when billing issues were detected |
+|     ↳ `grace_period_expires_date` | string | ISO 8601 grace period expiration date |
+|     ↳ `ownership_type` | string | Ownership type \(purchased, family_shared\) |
+|     ↳ `period_type` | string | Period type \(normal, trial, intro, promotional, prepaid\) |
+|     ↳ `store` | string | Store the subscription was purchased from \(app_store, play_store, stripe, etc.\) |
+|     ↳ `refunded_at` | string | ISO 8601 date when subscription was refunded |
+|     ↳ `auto_resume_date` | string | ISO 8601 date when a paused subscription will auto-resume |
+|     ↳ `product_plan_identifier` | string | Google Play base plan identifier \(for products set up after Feb 2023\) |
+|   ↳ `entitlements` | object | Map of entitlement identifiers to entitlement objects |
+|     ↳ `grant_date` | string | ISO 8601 grant date |
+|     ↳ `expires_date` | string | ISO 8601 expiration date |
+|     ↳ `product_identifier` | string | Product identifier |
+|     ↳ `is_active` | boolean | Whether the entitlement is active |
+|     ↳ `will_renew` | boolean | Whether the entitlement will renew |
+|     ↳ `period_type` | string | Period type \(normal, trial, intro, promotional\) |
+|     ↳ `purchase_date` | string | ISO 8601 date of the latest purchase or renewal |
+|     ↳ `store` | string | Store the entitlement was granted from |
+|     ↳ `grace_period_expires_date` | string | ISO 8601 grace period expiration date |
+|   ↳ `non_subscriptions` | object | Map of non-subscription product identifiers to arrays of purchase objects |
+| `metadata` | object | Subscriber summary metadata |
+|   ↳ `app_user_id` | string | The app user ID |
+|   ↳ `first_seen` | string | ISO 8601 date when the subscriber was first seen |
+|   ↳ `active_entitlements` | number | Number of active entitlements |
+|   ↳ `active_subscriptions` | number | Number of active subscriptions |
+
+### `revenuecat_delete_customer`
+
+Permanently delete a subscriber and all associated data
+
+#### Input
+
+| Parameter | Type | Required | Description |
+| --------- | ---- | -------- | ----------- |
+| `apiKey` | string | Yes | RevenueCat secret API key \(sk_...\) |
+| `appUserId` | string | Yes | The app user ID of the subscriber to delete |
+
+#### Output
+
+| Parameter | Type | Description |
+| --------- | ---- | ----------- |
+| `deleted` | boolean | Whether the subscriber was deleted |
+| `app_user_id` | string | The deleted app user ID |
+
+### `revenuecat_create_purchase`
+
+Record a purchase (receipt) for a subscriber via the REST API
+
+#### Input
+
+| Parameter | Type | Required | Description |
+| --------- | ---- | -------- | ----------- |
+| `apiKey` | string | Yes | RevenueCat API key \(public or secret\) |
+| `appUserId` | string | Yes | The app user ID of the subscriber |
+| `fetchToken` | string | Yes | The receipt token or purchase token from the store \(App Store receipt, Google Play purchase token, or Stripe subscription ID\) |
+| `productId` | string | Yes | The product identifier for the purchase |
+| `price` | number | No | The price of the product in the currency specified |
+| `currency` | string | No | ISO 4217 currency code \(e.g., USD, EUR\) |
+| `isRestore` | boolean | No | Whether this is a restore of a previous purchase |
+| `platform` | string | No | Platform of the purchase \(ios, android, amazon, macos, stripe\). Required for Stripe and Paddle purchases. |
+
+#### Output
+
+| Parameter | Type | Description |
+| --------- | ---- | ----------- |
+| `subscriber` | object | The updated subscriber object after recording the purchase |
+|   ↳ `first_seen` | string | ISO 8601 date when subscriber was first seen |
+|   ↳ `original_app_user_id` | string | Original app user ID |
+|   ↳ `original_purchase_date` | string | ISO 8601 date of original purchase |
+|   ↳ `management_url` | string | URL for managing the subscriber subscriptions |
+|   ↳ `subscriptions` | object | Map of product identifiers to subscription objects |
+|     ↳ `store_transaction_id` | string | Store transaction identifier |
+|     ↳ `original_transaction_id` | string | Original transaction identifier |
+|     ↳ `purchase_date` | string | ISO 8601 purchase date |
+|     ↳ `original_purchase_date` | string | ISO 8601 date of the original purchase |
+|     ↳ `expires_date` | string | ISO 8601 expiration date |
+|     ↳ `is_sandbox` | boolean | Whether this is a sandbox purchase |
+|     ↳ `unsubscribe_detected_at` | string | ISO 8601 date when unsubscribe was detected |
+|     ↳ `billing_issues_detected_at` | string | ISO 8601 date when billing issues were detected |
+|     ↳ `grace_period_expires_date` | string | ISO 8601 grace period expiration date |
+|     ↳ `ownership_type` | string | Ownership type \(purchased, family_shared\) |
+|     ↳ `period_type` | string | Period type \(normal, trial, intro, promotional, prepaid\) |
+|     ↳ `store` | string | Store the subscription was purchased from \(app_store, play_store, stripe, etc.\) |
+|     ↳ `refunded_at` | string | ISO 8601 date when subscription was refunded |
+|     ↳ `auto_resume_date` | string | ISO 8601 date when a paused subscription will auto-resume |
+|     ↳ `product_plan_identifier` | string | Google Play base plan identifier \(for products set up after Feb 2023\) |
+|   ↳ `entitlements` | object | Map of entitlement identifiers to entitlement objects |
+|     ↳ `grant_date` | string | ISO 8601 grant date |
+|     ↳ `expires_date` | string | ISO 8601 expiration date |
+|     ↳ `product_identifier` | string | Product identifier |
+|     ↳ `is_active` | boolean | Whether the entitlement is active |
+|     ↳ `will_renew` | boolean | Whether the entitlement will renew |
+|     ↳ `period_type` | string | Period type \(normal, trial, intro, promotional\) |
+|     ↳ `purchase_date` | string | ISO 8601 date of the latest purchase or renewal |
+|     ↳ `store` | string | Store the entitlement was granted from |
+|     ↳ `grace_period_expires_date` | string | ISO 8601 grace period expiration date |
+|   ↳ `non_subscriptions` | object | Map of non-subscription product identifiers to arrays of purchase objects |
+
+### `revenuecat_grant_entitlement`
+
+Grant a promotional entitlement to a subscriber
+
+#### Input
+
+| Parameter | Type | Required | Description |
+| --------- | ---- | -------- | ----------- |
+| `apiKey` | string | Yes | RevenueCat secret API key \(sk_...\) |
+| `appUserId` | string | Yes | The app user ID of the subscriber |
+| `entitlementIdentifier` | string | Yes | The entitlement identifier to grant |
+| `duration` | string | Yes | Duration of the entitlement \(daily, three_day, weekly, monthly, two_month, three_month, six_month, yearly, lifetime\) |
+| `startTimeMs` | number | No | Optional start time in milliseconds since Unix epoch. Set to a past time to achieve custom durations shorter than daily. |
+
+#### Output
+
+| Parameter | Type | Description |
+| --------- | ---- | ----------- |
+| `subscriber` | object | The updated subscriber object after granting the entitlement |
+|   ↳ `first_seen` | string | ISO 8601 date when subscriber was first seen |
+|   ↳ `original_app_user_id` | string | Original app user ID |
+|   ↳ `original_purchase_date` | string | ISO 8601 date of original purchase |
+|   ↳ `management_url` | string | URL for managing the subscriber subscriptions |
+|   ↳ `subscriptions` | object | Map of product identifiers to subscription objects |
+|     ↳ `store_transaction_id` | string | Store transaction identifier |
+|     ↳ `original_transaction_id` | string | Original transaction identifier |
+|     ↳ `purchase_date` | string | ISO 8601 purchase date |
+|     ↳ `original_purchase_date` | string | ISO 8601 date of the original purchase |
+|     ↳ `expires_date` | string | ISO 8601 expiration date |
+|     ↳ `is_sandbox` | boolean | Whether this is a sandbox purchase |
+|     ↳ `unsubscribe_detected_at` | string | ISO 8601 date when unsubscribe was detected |
+|     ↳ `billing_issues_detected_at` | string | ISO 8601 date when billing issues were detected |
+|     ↳ `grace_period_expires_date` | string | ISO 8601 grace period expiration date |
+|     ↳ `ownership_type` | string | Ownership type \(purchased, family_shared\) |
+|     ↳ `period_type` | string | Period type \(normal, trial, intro, promotional, prepaid\) |
+|     ↳ `store` | string | Store the subscription was purchased from \(app_store, play_store, stripe, etc.\) |
+|     ↳ `refunded_at` | string | ISO 8601 date when subscription was refunded |
+|     ↳ `auto_resume_date` | string | ISO 8601 date when a paused subscription will auto-resume |
+|     ↳ `product_plan_identifier` | string | Google Play base plan identifier \(for products set up after Feb 2023\) |
+|   ↳ `entitlements` | object | Map of entitlement identifiers to entitlement objects |
+|     ↳ `grant_date` | string | ISO 8601 grant date |
+|     ↳ `expires_date` | string | ISO 8601 expiration date |
+|     ↳ `product_identifier` | string | Product identifier |
+|     ↳ `is_active` | boolean | Whether the entitlement is active |
+|     ↳ `will_renew` | boolean | Whether the entitlement will renew |
+|     ↳ `period_type` | string | Period type \(normal, trial, intro, promotional\) |
+|     ↳ `purchase_date` | string | ISO 8601 date of the latest purchase or renewal |
+|     ↳ `store` | string | Store the entitlement was granted from |
+|     ↳ `grace_period_expires_date` | string | ISO 8601 grace period expiration date |
+|   ↳ `non_subscriptions` | object | Map of non-subscription product identifiers to arrays of purchase objects |
+
+### `revenuecat_revoke_entitlement`
+
+Revoke all promotional entitlements for a specific entitlement identifier
+
+#### Input
+
+| Parameter | Type | Required | Description |
+| --------- | ---- | -------- | ----------- |
+| `apiKey` | string | Yes | RevenueCat secret API key \(sk_...\) |
+| `appUserId` | string | Yes | The app user ID of the subscriber |
+| `entitlementIdentifier` | string | Yes | The entitlement identifier to revoke |
+
+#### Output
+
+| Parameter | Type | Description |
+| --------- | ---- | ----------- |
+| `subscriber` | object | The updated subscriber object after revoking the entitlement |
+|   ↳ `first_seen` | string | ISO 8601 date when subscriber was first seen |
+|   ↳ `original_app_user_id` | string | Original app user ID |
+|   ↳ `original_purchase_date` | string | ISO 8601 date of original purchase |
+|   ↳ `management_url` | string | URL for managing the subscriber subscriptions |
+|   ↳ `subscriptions` | object | Map of product identifiers to subscription objects |
+|     ↳ `store_transaction_id` | string | Store transaction identifier |
+|     ↳ `original_transaction_id` | string | Original transaction identifier |
+|     ↳ `purchase_date` | string | ISO 8601 purchase date |
+|     ↳ `original_purchase_date` | string | ISO 8601 date of the original purchase |
+|     ↳ `expires_date` | string | ISO 8601 expiration date |
+|     ↳ `is_sandbox` | boolean | Whether this is a sandbox purchase |
+|     ↳ `unsubscribe_detected_at` | string | ISO 8601 date when unsubscribe was detected |
+|     ↳ `billing_issues_detected_at` | string | ISO 8601 date when billing issues were detected |
+|     ↳ `grace_period_expires_date` | string | ISO 8601 grace period expiration date |
+|     ↳ `ownership_type` | string | Ownership type \(purchased, family_shared\) |
+|     ↳ `period_type` | string | Period type \(normal, trial, intro, promotional, prepaid\) |
+|     ↳ `store` | string | Store the subscription was purchased from \(app_store, play_store, stripe, etc.\) |
+|     ↳ `refunded_at` | string | ISO 8601 date when subscription was refunded |
+|     ↳ `auto_resume_date` | string | ISO 8601 date when a paused subscription will auto-resume |
+|     ↳ `product_plan_identifier` | string | Google Play base plan identifier \(for products set up after Feb 2023\) |
+|   ↳ `entitlements` | object | Map of entitlement identifiers to entitlement objects |
+|     ↳ `grant_date` | string | ISO 8601 grant date |
+|     ↳ `expires_date` | string | ISO 8601 expiration date |
+|     ↳ `product_identifier` | string | Product identifier |
+|     ↳ `is_active` | boolean | Whether the entitlement is active |
+|     ↳ `will_renew` | boolean | Whether the entitlement will renew |
+|     ↳ `period_type` | string | Period type \(normal, trial, intro, promotional\) |
+|     ↳ `purchase_date` | string | ISO 8601 date of the latest purchase or renewal |
+|     ↳ `store` | string | Store the entitlement was granted from |
+|     ↳ `grace_period_expires_date` | string | ISO 8601 grace period expiration date |
+|   ↳ `non_subscriptions` | object | Map of non-subscription product identifiers to arrays of purchase objects |
+
+### `revenuecat_list_offerings`
+
+List all offerings configured for the project
+
+#### Input
+
+| Parameter | Type | Required | Description |
+| --------- | ---- | -------- | ----------- |
+| `apiKey` | string | Yes | RevenueCat API key |
+| `appUserId` | string | Yes | An app user ID to retrieve offerings for |
+| `platform` | string | No | Platform to filter offerings \(ios, android, stripe, etc.\) |
+
+#### Output
+
+| Parameter | Type | Description |
+| --------- | ---- | ----------- |
+| `current_offering_id` | string | The identifier of the current offering |
+| `offerings` | array | List of offerings |
+|   ↳ `identifier` | string | Offering identifier |
+|   ↳ `description` | string | Offering description |
+|   ↳ `packages` | array | List of packages in the offering |
+|     ↳ `identifier` | string | Package identifier |
+|     ↳ `platform_product_identifier` | string | Platform-specific product identifier |
+| `metadata` | object | Offerings metadata |
+|   ↳ `count` | number | Number of offerings returned |
+|   ↳ `current_offering_id` | string | Current offering identifier |
+
+### `revenuecat_update_subscriber_attributes`
+
+Update custom subscriber attributes (e.g., $email, $displayName, or custom key-value pairs)
+
+#### Input
+
+| Parameter | Type | Required | Description |
+| --------- | ---- | -------- | ----------- |
+| `apiKey` | string | Yes | RevenueCat secret API key \(sk_...\) |
+| `appUserId` | string | Yes | The app user ID of the subscriber |
+| `attributes` | json | Yes | JSON object of attributes to set. Each key maps to an object with a "value" field. Example: \{"$email": \{"value": "user@example.com"\}, "$displayName": \{"value": "John"\}\} |
+
+#### Output
+
+| Parameter | Type | Description |
+| --------- | ---- | ----------- |
+| `updated` | boolean | Whether the subscriber attributes were successfully updated |
+| `app_user_id` | string | The app user ID of the updated subscriber |
+
+### `revenuecat_defer_google_subscription`
+
+Defer a Google Play subscription by extending its billing date by a number of days (Google Play only)
+
+#### Input
+
+| Parameter | Type | Required | Description |
+| --------- | ---- | -------- | ----------- |
+| `apiKey` | string | Yes | RevenueCat secret API key \(sk_...\) |
+| `appUserId` | string | Yes | The app user ID of the subscriber |
+| `productId` | string | Yes | The Google Play product identifier of the subscription to defer \(use the part before the colon for products set up after Feb 2023\) |
+| `extendByDays` | number | Yes | Number of days to extend the subscription by \(1-365\) |
+
+#### Output
+
+| Parameter | Type | Description |
+| --------- | ---- | ----------- |
+| `subscriber` | object | The updated subscriber object after deferring the Google subscription |
+|   ↳ `first_seen` | string | ISO 8601 date when subscriber was first seen |
+|   ↳ `original_app_user_id` | string | Original app user ID |
+|   ↳ `original_purchase_date` | string | ISO 8601 date of original purchase |
+|   ↳ `management_url` | string | URL for managing the subscriber subscriptions |
+|   ↳ `subscriptions` | object | Map of product identifiers to subscription objects |
+|     ↳ `store_transaction_id` | string | Store transaction identifier |
+|     ↳ `original_transaction_id` | string | Original transaction identifier |
+|     ↳ `purchase_date` | string | ISO 8601 purchase date |
+|     ↳ `original_purchase_date` | string | ISO 8601 date of the original purchase |
+|     ↳ `expires_date` | string | ISO 8601 expiration date |
+|     ↳ `is_sandbox` | boolean | Whether this is a sandbox purchase |
+|     ↳ `unsubscribe_detected_at` | string | ISO 8601 date when unsubscribe was detected |
+|     ↳ `billing_issues_detected_at` | string | ISO 8601 date when billing issues were detected |
+|     ↳ `grace_period_expires_date` | string | ISO 8601 grace period expiration date |
+|     ↳ `ownership_type` | string | Ownership type \(purchased, family_shared\) |
+|     ↳ `period_type` | string | Period type \(normal, trial, intro, promotional, prepaid\) |
+|     ↳ `store` | string | Store the subscription was purchased from \(app_store, play_store, stripe, etc.\) |
+|     ↳ `refunded_at` | string | ISO 8601 date when subscription was refunded |
+|     ↳ `auto_resume_date` | string | ISO 8601 date when a paused subscription will auto-resume |
+|     ↳ `product_plan_identifier` | string | Google Play base plan identifier \(for products set up after Feb 2023\) |
+|   ↳ `entitlements` | object | Map of entitlement identifiers to entitlement objects |
+|     ↳ `grant_date` | string | ISO 8601 grant date |
+|     ↳ `expires_date` | string | ISO 8601 expiration date |
+|     ↳ `product_identifier` | string | Product identifier |
+|     ↳ `is_active` | boolean | Whether the entitlement is active |
+|     ↳ `will_renew` | boolean | Whether the entitlement will renew |
+|     ↳ `period_type` | string | Period type \(normal, trial, intro, promotional\) |
+|     ↳ `purchase_date` | string | ISO 8601 date of the latest purchase or renewal |
+|     ↳ `store` | string | Store the entitlement was granted from |
+|     ↳ `grace_period_expires_date` | string | ISO 8601 grace period expiration date |
+|   ↳ `non_subscriptions` | object | Map of non-subscription product identifiers to arrays of purchase objects |
+
+### `revenuecat_refund_google_subscription`
+
+Refund and optionally revoke a Google Play subscription (Google Play only)
+
+#### Input
+
+| Parameter | Type | Required | Description |
+| --------- | ---- | -------- | ----------- |
+| `apiKey` | string | Yes | RevenueCat secret API key \(sk_...\) |
+| `appUserId` | string | Yes | The app user ID of the subscriber |
+| `productId` | string | Yes | The Google Play product identifier of the subscription to refund |
+
+#### Output
+
+| Parameter | Type | Description |
+| --------- | ---- | ----------- |
+| `subscriber` | object | The updated subscriber object after refunding the Google subscription |
+|   ↳ `first_seen` | string | ISO 8601 date when subscriber was first seen |
+|   ↳ `original_app_user_id` | string | Original app user ID |
+|   ↳ `original_purchase_date` | string | ISO 8601 date of original purchase |
+|   ↳ `management_url` | string | URL for managing the subscriber subscriptions |
+|   ↳ `subscriptions` | object | Map of product identifiers to subscription objects |
+|     ↳ `store_transaction_id` | string | Store transaction identifier |
+|     ↳ `original_transaction_id` | string | Original transaction identifier |
+|     ↳ `purchase_date` | string | ISO 8601 purchase date |
+|     ↳ `original_purchase_date` | string | ISO 8601 date of the original purchase |
+|     ↳ `expires_date` | string | ISO 8601 expiration date |
+|     ↳ `is_sandbox` | boolean | Whether this is a sandbox purchase |
+|     ↳ `unsubscribe_detected_at` | string | ISO 8601 date when unsubscribe was detected |
+|     ↳ `billing_issues_detected_at` | string | ISO 8601 date when billing issues were detected |
+|     ↳ `grace_period_expires_date` | string | ISO 8601 grace period expiration date |
+|     ↳ `ownership_type` | string | Ownership type \(purchased, family_shared\) |
+|     ↳ `period_type` | string | Period type \(normal, trial, intro, promotional, prepaid\) |
+|     ↳ `store` | string | Store the subscription was purchased from \(app_store, play_store, stripe, etc.\) |
+|     ↳ `refunded_at` | string | ISO 8601 date when subscription was refunded |
+|     ↳ `auto_resume_date` | string | ISO 8601 date when a paused subscription will auto-resume |
+|     ↳ `product_plan_identifier` | string | Google Play base plan identifier \(for products set up after Feb 2023\) |
+|   ↳ `entitlements` | object | Map of entitlement identifiers to entitlement objects |
+|     ↳ `grant_date` | string | ISO 8601 grant date |
+|     ↳ `expires_date` | string | ISO 8601 expiration date |
+|     ↳ `product_identifier` | string | Product identifier |
+|     ↳ `is_active` | boolean | Whether the entitlement is active |
+|     ↳ `will_renew` | boolean | Whether the entitlement will renew |
+|     ↳ `period_type` | string | Period type \(normal, trial, intro, promotional\) |
+|     ↳ `purchase_date` | string | ISO 8601 date of the latest purchase or renewal |
+|     ↳ `store` | string | Store the entitlement was granted from |
+|     ↳ `grace_period_expires_date` | string | ISO 8601 grace period expiration date |
+|   ↳ `non_subscriptions` | object | Map of non-subscription product identifiers to arrays of purchase objects |
+
+### `revenuecat_revoke_google_subscription`
+
+Immediately revoke access to a Google Play subscription and issue a refund (Google Play only)
+
+#### Input
+
+| Parameter | Type | Required | Description |
+| --------- | ---- | -------- | ----------- |
+| `apiKey` | string | Yes | RevenueCat secret API key \(sk_...\) |
+| `appUserId` | string | Yes | The app user ID of the subscriber |
+| `productId` | string | Yes | The Google Play product identifier of the subscription to revoke |
+
+#### Output
+
+| Parameter | Type | Description |
+| --------- | ---- | ----------- |
+| `subscriber` | object | The updated subscriber object after revoking the Google subscription |
+|   ↳ `first_seen` | string | ISO 8601 date when subscriber was first seen |
+|   ↳ `original_app_user_id` | string | Original app user ID |
+|   ↳ `original_purchase_date` | string | ISO 8601 date of original purchase |
+|   ↳ `management_url` | string | URL for managing the subscriber subscriptions |
+|   ↳ `subscriptions` | object | Map of product identifiers to subscription objects |
+|     ↳ `store_transaction_id` | string | Store transaction identifier |
+|     ↳ `original_transaction_id` | string | Original transaction identifier |
+|     ↳ `purchase_date` | string | ISO 8601 purchase date |
+|     ↳ `original_purchase_date` | string | ISO 8601 date of the original purchase |
+|     ↳ `expires_date` | string | ISO 8601 expiration date |
+|     ↳ `is_sandbox` | boolean | Whether this is a sandbox purchase |
+|     ↳ `unsubscribe_detected_at` | string | ISO 8601 date when unsubscribe was detected |
+|     ↳ `billing_issues_detected_at` | string | ISO 8601 date when billing issues were detected |
+|     ↳ `grace_period_expires_date` | string | ISO 8601 grace period expiration date |
+|     ↳ `ownership_type` | string | Ownership type \(purchased, family_shared\) |
+|     ↳ `period_type` | string | Period type \(normal, trial, intro, promotional, prepaid\) |
+|     ↳ `store` | string | Store the subscription was purchased from \(app_store, play_store, stripe, etc.\) |
+|     ↳ `refunded_at` | string | ISO 8601 date when subscription was refunded |
+|     ↳ `auto_resume_date` | string | ISO 8601 date when a paused subscription will auto-resume |
+|     ↳ `product_plan_identifier` | string | Google Play base plan identifier \(for products set up after Feb 2023\) |
+|   ↳ `entitlements` | object | Map of entitlement identifiers to entitlement objects |
+|     ↳ `grant_date` | string | ISO 8601 grant date |
+|     ↳ `expires_date` | string | ISO 8601 expiration date |
+|     ↳ `product_identifier` | string | Product identifier |
+|     ↳ `is_active` | boolean | Whether the entitlement is active |
+|     ↳ `will_renew` | boolean | Whether the entitlement will renew |
+|     ↳ `period_type` | string | Period type \(normal, trial, intro, promotional\) |
+|     ↳ `purchase_date` | string | ISO 8601 date of the latest purchase or renewal |
+|     ↳ `store` | string | Store the entitlement was granted from |
+|     ↳ `grace_period_expires_date` | string | ISO 8601 grace period expiration date |
+|   ↳ `non_subscriptions` | object | Map of non-subscription product identifiers to arrays of purchase objects |
+
+

apps/docs/content/docs/en/tools/slack.mdx

@@ -1,6 +1,6 @@
 ---
 title: Slack
-description: Send, update, delete messages, add reactions in Slack or trigger workflows from Slack events
+description: Send, update, delete messages, send ephemeral messages, add reactions in Slack or trigger workflows from Slack events
 ---
 
 import { BlockInfoCard } from "@/components/ui/block-info-card"
@@ -59,7 +59,7 @@ If you encounter issues with the Slack integration, contact us at [help@sim.ai](
 
 ## Usage Instructions
 
-Integrate Slack into the workflow. Can send, update, and delete messages, create canvases, read messages, and add reactions. Requires Bot Token instead of OAuth in advanced mode. Can be used in trigger mode to trigger a workflow when a message is sent to a channel.
+Integrate Slack into the workflow. Can send, update, and delete messages, send ephemeral messages visible only to a specific user, create canvases, read messages, and add reactions. Requires Bot Token instead of OAuth in advanced mode. Can be used in trigger mode to trigger a workflow when a message is sent to a channel.
 
 
 
@@ -80,6 +80,7 @@ Send messages to Slack channels or direct messages. Supports Slack mrkdwn format
 | `dmUserId` | string | No | Slack user ID for direct messages \(e.g., U1234567890\) |
 | `text` | string | Yes | Message text to send \(supports Slack mrkdwn formatting\) |
 | `threadTs` | string | No | Thread timestamp to reply to \(creates thread reply\) |
+| `blocks` | json | No | Block Kit layout blocks as a JSON array. When provided, text becomes the fallback notification text. |
 | `files` | file[] | No | Files to attach to the message |
 
 #### Output
@@ -146,6 +147,29 @@ Send messages to Slack channels or direct messages. Supports Slack mrkdwn format
 | `fileCount` | number | Number of files uploaded \(when files are attached\) |
 | `files` | file[] | Files attached to the message |
 
+### `slack_ephemeral_message`
+
+Send an ephemeral message visible only to a specific user in a channel. Optionally reply in a thread. The message does not persist across sessions.
+
+#### Input
+
+| Parameter | Type | Required | Description |
+| --------- | ---- | -------- | ----------- |
+| `authMethod` | string | No | Authentication method: oauth or bot_token |
+| `botToken` | string | No | Bot token for Custom Bot |
+| `channel` | string | Yes | Slack channel ID \(e.g., C1234567890\) |
+| `user` | string | Yes | User ID who will see the ephemeral message \(e.g., U1234567890\). Must be a member of the channel. |
+| `text` | string | Yes | Message text to send \(supports Slack mrkdwn formatting\) |
+| `threadTs` | string | No | Thread timestamp to reply in. When provided, the ephemeral message appears as a thread reply. |
+| `blocks` | json | No | Block Kit layout blocks as a JSON array. When provided, text becomes the fallback notification text. |
+
+#### Output
+
+| Parameter | Type | Description |
+| --------- | ---- | ----------- |
+| `messageTs` | string | Timestamp of the ephemeral message \(cannot be used with chat.update\) |
+| `channel` | string | Channel ID where the ephemeral message was sent |
+
 ### `slack_canvas`
 
 Create and share Slack canvases in channels. Canvases are collaborative documents within Slack.
@@ -682,6 +706,7 @@ Update a message previously sent by the bot in Slack
 | `channel` | string | Yes | Channel ID where the message was posted \(e.g., C1234567890\) |
 | `timestamp` | string | Yes | Timestamp of the message to update \(e.g., 1405894322.002768\) |
 | `text` | string | Yes | New message text \(supports Slack mrkdwn formatting\) |
+| `blocks` | json | No | Block Kit layout blocks as a JSON array. When provided, text becomes the fallback notification text. |
 
 #### Output
 

apps/docs/content/docs/en/tools/upstash.mdx

@@ -0,0 +1,357 @@
+---
+title: Upstash
+description: Serverless Redis with Upstash
+---
+
+import { BlockInfoCard } from "@/components/ui/block-info-card"
+
+<BlockInfoCard 
+  type="upstash"
+  color="#181C1E"
+/>
+
+{/* MANUAL-CONTENT-START:intro */}
+[Upstash](https://upstash.com/) is a serverless data platform designed for modern applications that need fast, simple, and scalable data storage with minimal setup. Upstash specializes in providing Redis and Kafka as fully managed, pay-per-request cloud services, making it a popular choice for developers building serverless, edge, and event-driven architectures.
+
+With Upstash Redis, you can:
+
+- **Store and retrieve data instantly**: Read and write key-value pairs, hashes, lists, sets, and more—all over a high-performance REST API.
+- **Scale serverlessly**: No infrastructure to manage. Upstash automatically scales with your app and charges only for what you use.
+- **Access globally**: Deploy near your users with multi-region support and global distribution.
+- **Integrate easily**: Use Upstash’s REST API in serverless functions, edge workers, Next.js, Vercel, Cloudflare Workers, and more.
+- **Automate with scripts**: Run Lua scripts for advanced transactions and automation.
+- **Ensure security**: Protect your data with built-in authentication and TLS encryption.
+
+In Sim, the Upstash integration empowers your agents and workflows to read, write, and manage data in Upstash Redis using simple, unified commands—perfect for building scalable automations, caching results, managing queues, and more, all without dealing with server management.
+{/* MANUAL-CONTENT-END */}
+
+
+## Usage Instructions
+
+Connect to Upstash Redis to perform key-value, hash, list, and utility operations via the REST API.
+
+
+
+## Tools
+
+### `upstash_redis_get`
+
+Get the value of a key from Upstash Redis.
+
+#### Input
+
+| Parameter | Type | Required | Description |
+| --------- | ---- | -------- | ----------- |
+| `restUrl` | string | Yes | Upstash Redis REST URL |
+| `restToken` | string | Yes | Upstash Redis REST Token |
+| `key` | string | Yes | The key to retrieve |
+
+#### Output
+
+| Parameter | Type | Description |
+| --------- | ---- | ----------- |
+| `key` | string | The key that was retrieved |
+| `value` | json | The value of the key \(string\), or null if not found |
+
+### `upstash_redis_set`
+
+Set the value of a key in Upstash Redis with an optional expiration time in seconds.
+
+#### Input
+
+| Parameter | Type | Required | Description |
+| --------- | ---- | -------- | ----------- |
+| `restUrl` | string | Yes | Upstash Redis REST URL |
+| `restToken` | string | Yes | Upstash Redis REST Token |
+| `key` | string | Yes | The key to set |
+| `value` | string | Yes | The value to store |
+| `ex` | number | No | Expiration time in seconds \(optional\) |
+
+#### Output
+
+| Parameter | Type | Description |
+| --------- | ---- | ----------- |
+| `key` | string | The key that was set |
+| `result` | string | The result of the SET operation \(typically "OK"\) |
+
+### `upstash_redis_delete`
+
+Delete a key from Upstash Redis.
+
+#### Input
+
+| Parameter | Type | Required | Description |
+| --------- | ---- | -------- | ----------- |
+| `restUrl` | string | Yes | Upstash Redis REST URL |
+| `restToken` | string | Yes | Upstash Redis REST Token |
+| `key` | string | Yes | The key to delete |
+
+#### Output
+
+| Parameter | Type | Description |
+| --------- | ---- | ----------- |
+| `key` | string | The key that was deleted |
+| `deletedCount` | number | Number of keys deleted \(0 if key did not exist, 1 if deleted\) |
+
+### `upstash_redis_keys`
+
+List keys matching a pattern in Upstash Redis. Defaults to listing all keys (*).
+
+#### Input
+
+| Parameter | Type | Required | Description |
+| --------- | ---- | -------- | ----------- |
+| `restUrl` | string | Yes | Upstash Redis REST URL |
+| `restToken` | string | Yes | Upstash Redis REST Token |
+| `pattern` | string | No | Pattern to match keys \(e.g., "user:*"\). Defaults to "*" for all keys. |
+
+#### Output
+
+| Parameter | Type | Description |
+| --------- | ---- | ----------- |
+| `pattern` | string | The pattern used to match keys |
+| `keys` | array | List of keys matching the pattern |
+| `count` | number | Number of keys found |
+
+### `upstash_redis_command`
+
+Execute an arbitrary Redis command against Upstash Redis. Pass the full command as a JSON array (e.g., [
+
+#### Input
+
+| Parameter | Type | Required | Description |
+| --------- | ---- | -------- | ----------- |
+| `restUrl` | string | Yes | Upstash Redis REST URL |
+| `restToken` | string | Yes | Upstash Redis REST Token |
+| `command` | string | Yes | Redis command as a JSON array \(e.g., \["HSET", "myhash", "field1", "value1"\]\) or a simple command string \(e.g., "PING"\) |
+
+#### Output
+
+| Parameter | Type | Description |
+| --------- | ---- | ----------- |
+| `command` | string | The command that was executed |
+| `result` | json | The result of the Redis command |
+
+### `upstash_redis_hset`
+
+Set a field in a hash stored at a key in Upstash Redis.
+
+#### Input
+
+| Parameter | Type | Required | Description |
+| --------- | ---- | -------- | ----------- |
+| `restUrl` | string | Yes | Upstash Redis REST URL |
+| `restToken` | string | Yes | Upstash Redis REST Token |
+| `key` | string | Yes | The hash key |
+| `field` | string | Yes | The field name within the hash |
+| `value` | string | Yes | The value to store in the hash field |
+
+#### Output
+
+| Parameter | Type | Description |
+| --------- | ---- | ----------- |
+| `key` | string | The hash key |
+| `field` | string | The field that was set |
+| `result` | number | Number of new fields added \(0 if field was updated, 1 if new\) |
+
+### `upstash_redis_hget`
+
+Get the value of a field in a hash stored at a key in Upstash Redis.
+
+#### Input
+
+| Parameter | Type | Required | Description |
+| --------- | ---- | -------- | ----------- |
+| `restUrl` | string | Yes | Upstash Redis REST URL |
+| `restToken` | string | Yes | Upstash Redis REST Token |
+| `key` | string | Yes | The hash key |
+| `field` | string | Yes | The field name to retrieve |
+
+#### Output
+
+| Parameter | Type | Description |
+| --------- | ---- | ----------- |
+| `key` | string | The hash key |
+| `field` | string | The field that was retrieved |
+| `value` | json | The value of the hash field \(string\), or null if not found |
+
+### `upstash_redis_hgetall`
+
+Get all fields and values of a hash stored at a key in Upstash Redis.
+
+#### Input
+
+| Parameter | Type | Required | Description |
+| --------- | ---- | -------- | ----------- |
+| `restUrl` | string | Yes | Upstash Redis REST URL |
+| `restToken` | string | Yes | Upstash Redis REST Token |
+| `key` | string | Yes | The hash key |
+
+#### Output
+
+| Parameter | Type | Description |
+| --------- | ---- | ----------- |
+| `key` | string | The hash key |
+| `fields` | object | All field-value pairs in the hash, keyed by field name |
+| `fieldCount` | number | Number of fields in the hash |
+
+### `upstash_redis_incr`
+
+Atomically increment the integer value of a key by one in Upstash Redis. If the key does not exist, it is set to 0 before incrementing.
+
+#### Input
+
+| Parameter | Type | Required | Description |
+| --------- | ---- | -------- | ----------- |
+| `restUrl` | string | Yes | Upstash Redis REST URL |
+| `restToken` | string | Yes | Upstash Redis REST Token |
+| `key` | string | Yes | The key to increment |
+
+#### Output
+
+| Parameter | Type | Description |
+| --------- | ---- | ----------- |
+| `key` | string | The key that was incremented |
+| `value` | number | The new value after incrementing |
+
+### `upstash_redis_expire`
+
+Set a timeout on a key in Upstash Redis. After the timeout, the key is deleted.
+
+#### Input
+
+| Parameter | Type | Required | Description |
+| --------- | ---- | -------- | ----------- |
+| `restUrl` | string | Yes | Upstash Redis REST URL |
+| `restToken` | string | Yes | Upstash Redis REST Token |
+| `key` | string | Yes | The key to set expiration on |
+| `seconds` | number | Yes | Timeout in seconds |
+
+#### Output
+
+| Parameter | Type | Description |
+| --------- | ---- | ----------- |
+| `key` | string | The key that expiration was set on |
+| `result` | number | 1 if the timeout was set, 0 if the key does not exist |
+
+### `upstash_redis_ttl`
+
+Get the remaining time to live of a key in Upstash Redis. Returns -1 if the key has no expiration, -2 if the key does not exist.
+
+#### Input
+
+| Parameter | Type | Required | Description |
+| --------- | ---- | -------- | ----------- |
+| `restUrl` | string | Yes | Upstash Redis REST URL |
+| `restToken` | string | Yes | Upstash Redis REST Token |
+| `key` | string | Yes | The key to check TTL for |
+
+#### Output
+
+| Parameter | Type | Description |
+| --------- | ---- | ----------- |
+| `key` | string | The key checked |
+| `ttl` | number | Remaining TTL in seconds. Positive integer if the key has a TTL set, -1 if the key exists with no expiration, -2 if the key does not exist. |
+
+### `upstash_redis_lpush`
+
+Prepend a value to the beginning of a list in Upstash Redis. Creates the list if it does not exist.
+
+#### Input
+
+| Parameter | Type | Required | Description |
+| --------- | ---- | -------- | ----------- |
+| `restUrl` | string | Yes | Upstash Redis REST URL |
+| `restToken` | string | Yes | Upstash Redis REST Token |
+| `key` | string | Yes | The list key |
+| `value` | string | Yes | The value to prepend to the list |
+
+#### Output
+
+| Parameter | Type | Description |
+| --------- | ---- | ----------- |
+| `key` | string | The list key |
+| `length` | number | The length of the list after the push |
+
+### `upstash_redis_lrange`
+
+Get a range of elements from a list in Upstash Redis. Use 0 and -1 for start and stop to get all elements.
+
+#### Input
+
+| Parameter | Type | Required | Description |
+| --------- | ---- | -------- | ----------- |
+| `restUrl` | string | Yes | Upstash Redis REST URL |
+| `restToken` | string | Yes | Upstash Redis REST Token |
+| `key` | string | Yes | The list key |
+| `start` | number | Yes | Start index \(0-based, negative values count from end\) |
+| `stop` | number | Yes | Stop index \(inclusive, -1 for last element\) |
+
+#### Output
+
+| Parameter | Type | Description |
+| --------- | ---- | ----------- |
+| `key` | string | The list key |
+| `values` | array | List of elements in the specified range |
+| `count` | number | Number of elements returned |
+
+### `upstash_redis_exists`
+
+Check if a key exists in Upstash Redis. Returns true if the key exists, false otherwise.
+
+#### Input
+
+| Parameter | Type | Required | Description |
+| --------- | ---- | -------- | ----------- |
+| `restUrl` | string | Yes | Upstash Redis REST URL |
+| `restToken` | string | Yes | Upstash Redis REST Token |
+| `key` | string | Yes | The key to check |
+
+#### Output
+
+| Parameter | Type | Description |
+| --------- | ---- | ----------- |
+| `key` | string | The key that was checked |
+| `exists` | boolean | Whether the key exists \(true\) or not \(false\) |
+
+### `upstash_redis_setnx`
+
+Set the value of a key only if it does not already exist. Returns true if the key was set, false if it already existed.
+
+#### Input
+
+| Parameter | Type | Required | Description |
+| --------- | ---- | -------- | ----------- |
+| `restUrl` | string | Yes | Upstash Redis REST URL |
+| `restToken` | string | Yes | Upstash Redis REST Token |
+| `key` | string | Yes | The key to set |
+| `value` | string | Yes | The value to store if the key does not exist |
+
+#### Output
+
+| Parameter | Type | Description |
+| --------- | ---- | ----------- |
+| `key` | string | The key that was attempted to set |
+| `wasSet` | boolean | Whether the key was set \(true\) or already existed \(false\) |
+
+### `upstash_redis_incrby`
+
+Increment the integer value of a key by a given amount. Use a negative value to decrement. If the key does not exist, it is set to 0 before the operation.
+
+#### Input
+
+| Parameter | Type | Required | Description |
+| --------- | ---- | -------- | ----------- |
+| `restUrl` | string | Yes | Upstash Redis REST URL |
+| `restToken` | string | Yes | Upstash Redis REST Token |
+| `key` | string | Yes | The key to increment |
+| `increment` | number | Yes | Amount to increment by \(use negative value to decrement\) |
+
+#### Output
+
+| Parameter | Type | Description |
+| --------- | ---- | ----------- |
+| `key` | string | The key that was incremented |
+| `value` | number | The new value after incrementing |
+
+

apps/sim/app/(auth)/oauth/consent/page.tsx

@@ -0,0 +1,274 @@
+'use client'
+
+import { useCallback, useEffect, useState } from 'react'
+import { ArrowLeftRight } from 'lucide-react'
+import Image from 'next/image'
+import { useRouter, useSearchParams } from 'next/navigation'
+import { Button } from '@/components/emcn'
+import { signOut, useSession } from '@/lib/auth/auth-client'
+import { inter } from '@/app/_styles/fonts/inter/inter'
+import { soehne } from '@/app/_styles/fonts/soehne/soehne'
+import { BrandedButton } from '@/app/(auth)/components/branded-button'
+
+const SCOPE_DESCRIPTIONS: Record<string, string> = {
+  openid: 'Verify your identity',
+  profile: 'Access your basic profile information',
+  email: 'View your email address',
+  offline_access: 'Maintain access when you are not actively using the app',
+  'mcp:tools': 'Use Sim workflows and tools on your behalf',
+} as const
+
+interface ClientInfo {
+  clientId: string
+  name: string
+  icon: string
+}
+
+export default function OAuthConsentPage() {
+  const router = useRouter()
+  const searchParams = useSearchParams()
+  const { data: session } = useSession()
+  const consentCode = searchParams.get('consent_code')
+  const clientId = searchParams.get('client_id')
+  const scope = searchParams.get('scope')
+
+  const [clientInfo, setClientInfo] = useState<ClientInfo | null>(null)
+  const [loading, setLoading] = useState(true)
+  const [submitting, setSubmitting] = useState(false)
+  const [error, setError] = useState<string | null>(null)
+
+  const scopes = scope?.split(' ').filter(Boolean) ?? []
+
+  useEffect(() => {
+    if (!clientId) {
+      setLoading(false)
+      setError('The authorization request is missing a required client identifier.')
+      return
+    }
+
+    fetch(`/api/auth/oauth2/client/${encodeURIComponent(clientId)}`, { credentials: 'include' })
+      .then(async (res) => {
+        if (!res.ok) return
+        const data = await res.json()
+        setClientInfo(data)
+      })
+      .catch(() => {})
+      .finally(() => {
+        setLoading(false)
+      })
+  }, [clientId])
+
+  const handleConsent = useCallback(
+    async (accept: boolean) => {
+      if (!consentCode) {
+        setError('The authorization request is missing a required consent code.')
+        return
+      }
+
+      setSubmitting(true)
+      try {
+        const res = await fetch('/api/auth/oauth2/consent', {
+          method: 'POST',
+          headers: { 'Content-Type': 'application/json' },
+          credentials: 'include',
+          body: JSON.stringify({ accept, consent_code: consentCode }),
+        })
+
+        if (!res.ok) {
+          const body = await res.json().catch(() => null)
+          setError(
+            (body as Record<string, string> | null)?.message ??
+              'The consent request could not be processed. Please try again.'
+          )
+          setSubmitting(false)
+          return
+        }
+
+        const data = (await res.json()) as { redirectURI?: string }
+        if (data.redirectURI) {
+          window.location.href = data.redirectURI
+        } else {
+          setError('The server did not return a redirect. Please try again.')
+          setSubmitting(false)
+        }
+      } catch {
+        setError('Something went wrong. Please try again.')
+        setSubmitting(false)
+      }
+    },
+    [consentCode]
+  )
+
+  const handleSwitchAccount = useCallback(async () => {
+    if (!consentCode) return
+
+    const res = await fetch(`/api/auth/oauth2/authorize-params?consent_code=${consentCode}`, {
+      credentials: 'include',
+    })
+    if (!res.ok) {
+      setError('Unable to switch accounts. Please re-initiate the connection.')
+      return
+    }
+
+    const params = (await res.json()) as Record<string, string | null>
+    const authorizeUrl = new URL('/api/auth/oauth2/authorize', window.location.origin)
+    for (const [key, value] of Object.entries(params)) {
+      if (value) authorizeUrl.searchParams.set(key, value)
+    }
+
+    await signOut({
+      fetchOptions: {
+        onSuccess: () => {
+          window.location.href = authorizeUrl.toString()
+        },
+      },
+    })
+  }, [consentCode])
+
+  if (loading) {
+    return (
+      <div className='flex flex-col items-center justify-center'>
+        <div className='space-y-1 text-center'>
+          <h1 className={`${soehne.className} font-medium text-[32px] text-black tracking-tight`}>
+            Authorize Application
+          </h1>
+          <p className={`${inter.className} font-[380] text-[16px] text-muted-foreground`}>
+            Loading application details...
+          </p>
+        </div>
+      </div>
+    )
+  }
+
+  if (error) {
+    return (
+      <div className='flex flex-col items-center justify-center'>
+        <div className='space-y-1 text-center'>
+          <h1 className={`${soehne.className} font-medium text-[32px] text-black tracking-tight`}>
+            Authorization Error
+          </h1>
+          <p className={`${inter.className} font-[380] text-[16px] text-muted-foreground`}>
+            {error}
+          </p>
+        </div>
+        <div className={`${inter.className} mt-8 w-full max-w-[410px] space-y-3`}>
+          <BrandedButton onClick={() => router.push('/')}>Return to Home</BrandedButton>
+        </div>
+      </div>
+    )
+  }
+
+  const clientName = clientInfo?.name ?? clientId
+
+  return (
+    <div className='flex flex-col items-center justify-center'>
+      <div className='mb-6 flex items-center gap-4'>
+        {clientInfo?.icon ? (
+          <img
+            src={clientInfo.icon}
+            alt={clientName ?? 'Application'}
+            width={48}
+            height={48}
+            className='rounded-[10px]'
+          />
+        ) : (
+          <div className='flex h-12 w-12 items-center justify-center rounded-[10px] bg-muted font-medium text-[18px] text-muted-foreground'>
+            {(clientName ?? '?').charAt(0).toUpperCase()}
+          </div>
+        )}
+        <ArrowLeftRight className='h-5 w-5 text-muted-foreground' />
+        <Image
+          src='/new/logo/colorized-bg.svg'
+          alt='Sim'
+          width={48}
+          height={48}
+          className='rounded-[10px]'
+        />
+      </div>
+
+      <div className='space-y-1 text-center'>
+        <h1 className={`${soehne.className} font-medium text-[32px] text-black tracking-tight`}>
+          Authorize Application
+        </h1>
+        <p className={`${inter.className} font-[380] text-[16px] text-muted-foreground`}>
+          <span className='font-medium text-foreground'>{clientName}</span> is requesting access to
+          your account
+        </p>
+      </div>
+
+      {session?.user && (
+        <div
+          className={`${inter.className} mt-5 flex items-center gap-3 rounded-lg border px-4 py-3`}
+        >
+          {session.user.image ? (
+            <Image
+              src={session.user.image}
+              alt={session.user.name ?? 'User'}
+              width={32}
+              height={32}
+              className='rounded-full'
+              unoptimized
+            />
+          ) : (
+            <div className='flex h-8 w-8 items-center justify-center rounded-full bg-muted font-medium text-[13px] text-muted-foreground'>
+              {(session.user.name ?? session.user.email ?? '?').charAt(0).toUpperCase()}
+            </div>
+          )}
+          <div className='min-w-0'>
+            {session.user.name && (
+              <p className='truncate font-medium text-[14px]'>{session.user.name}</p>
+            )}
+            <p className='truncate text-[13px] text-muted-foreground'>{session.user.email}</p>
+          </div>
+          <button
+            type='button'
+            onClick={handleSwitchAccount}
+            className='ml-auto text-[13px] text-muted-foreground underline-offset-2 transition-colors hover:text-foreground hover:underline'
+          >
+            Switch
+          </button>
+        </div>
+      )}
+
+      {scopes.length > 0 && (
+        <div className={`${inter.className} mt-5 w-full max-w-[410px]`}>
+          <div className='rounded-lg border p-4'>
+            <p className='mb-3 font-medium text-[14px]'>This will allow the application to:</p>
+            <ul className='space-y-2'>
+              {scopes.map((s) => (
+                <li
+                  key={s}
+                  className='flex items-start gap-2 font-normal text-[13px] text-muted-foreground'
+                >
+                  <span className='mt-0.5 text-green-500'>&#10003;</span>
+                  <span>{SCOPE_DESCRIPTIONS[s] ?? s}</span>
+                </li>
+              ))}
+            </ul>
+          </div>
+        </div>
+      )}
+
+      <div className={`${inter.className} mt-6 flex w-full max-w-[410px] gap-3`}>
+        <Button
+          variant='outline'
+          size='md'
+          className='px-6 py-2'
+          disabled={submitting}
+          onClick={() => handleConsent(false)}
+        >
+          Deny
+        </Button>
+        <BrandedButton
+          fullWidth
+          showArrow={false}
+          loading={submitting}
+          loadingText='Authorizing'
+          onClick={() => handleConsent(true)}
+        >
+          Allow
+        </BrandedButton>
+      </div>
+    </div>
+  )
+}

apps/sim/app/.well-known/oauth-authorization-server/[...issuer]/route.ts

@@ -1,6 +1,6 @@
-import type { NextRequest, NextResponse } from 'next/server'
+import type { NextResponse } from 'next/server'
 import { createMcpAuthorizationServerMetadataResponse } from '@/lib/mcp/oauth-discovery'
 
-export async function GET(request: NextRequest): Promise<NextResponse> {
-  return createMcpAuthorizationServerMetadataResponse(request)
+export async function GET(): Promise<NextResponse> {
+  return createMcpAuthorizationServerMetadataResponse()
 }

apps/sim/app/.well-known/oauth-authorization-server/api/mcp/copilot/route.ts

@@ -1,6 +1,6 @@
-import type { NextRequest, NextResponse } from 'next/server'
+import type { NextResponse } from 'next/server'
 import { createMcpAuthorizationServerMetadataResponse } from '@/lib/mcp/oauth-discovery'
 
-export async function GET(request: NextRequest): Promise<NextResponse> {
-  return createMcpAuthorizationServerMetadataResponse(request)
+export async function GET(): Promise<NextResponse> {
+  return createMcpAuthorizationServerMetadataResponse()
 }

apps/sim/app/.well-known/oauth-authorization-server/route.ts

@@ -1,6 +1,6 @@
-import type { NextRequest, NextResponse } from 'next/server'
+import type { NextResponse } from 'next/server'
 import { createMcpAuthorizationServerMetadataResponse } from '@/lib/mcp/oauth-discovery'
 
-export async function GET(request: NextRequest): Promise<NextResponse> {
-  return createMcpAuthorizationServerMetadataResponse(request)
+export async function GET(): Promise<NextResponse> {
+  return createMcpAuthorizationServerMetadataResponse()
 }

apps/sim/app/.well-known/oauth-protected-resource/api/mcp/copilot/route.ts

@@ -1,6 +1,6 @@
-import type { NextRequest, NextResponse } from 'next/server'
+import type { NextResponse } from 'next/server'
 import { createMcpProtectedResourceMetadataResponse } from '@/lib/mcp/oauth-discovery'
 
-export async function GET(request: NextRequest): Promise<NextResponse> {
-  return createMcpProtectedResourceMetadataResponse(request)
+export async function GET(): Promise<NextResponse> {
+  return createMcpProtectedResourceMetadataResponse()
 }

apps/sim/app/.well-known/oauth-protected-resource/route.ts

@@ -1,6 +1,6 @@
-import type { NextRequest, NextResponse } from 'next/server'
+import type { NextResponse } from 'next/server'
 import { createMcpProtectedResourceMetadataResponse } from '@/lib/mcp/oauth-discovery'
 
-export async function GET(request: NextRequest): Promise<NextResponse> {
-  return createMcpProtectedResourceMetadataResponse(request)
+export async function GET(): Promise<NextResponse> {
+  return createMcpProtectedResourceMetadataResponse()
 }

apps/sim/app/_shell/providers/theme-provider.tsx

@@ -23,7 +23,8 @@ export function ThemeProvider({ children, ...props }: ThemeProviderProps) {
     pathname.startsWith('/chat') ||
     pathname.startsWith('/studio') ||
     pathname.startsWith('/resume') ||
-    pathname.startsWith('/form')
+    pathname.startsWith('/form') ||
+    pathname.startsWith('/oauth')
 
   return (
     <NextThemesProvider

apps/sim/app/api/auth/accounts/route.ts

@@ -1,7 +1,7 @@
 import { db } from '@sim/db'
 import { account } from '@sim/db/schema'
 import { createLogger } from '@sim/logger'
-import { and, eq } from 'drizzle-orm'
+import { and, desc, eq } from 'drizzle-orm'
 import { type NextRequest, NextResponse } from 'next/server'
 import { getSession } from '@/lib/auth'
 
@@ -31,15 +31,13 @@ export async function GET(request: NextRequest) {
       })
       .from(account)
       .where(and(...whereConditions))
-
-    // Use the user's email as the display name (consistent with credential selector)
-    const userEmail = session.user.email
+      .orderBy(desc(account.updatedAt))
 
     const accountsWithDisplayName = accounts.map((acc) => ({
       id: acc.id,
       accountId: acc.accountId,
       providerId: acc.providerId,
-      displayName: userEmail || acc.providerId,
+      displayName: acc.accountId || acc.providerId,
     }))
 
     return NextResponse.json({ accounts: accountsWithDisplayName })

apps/sim/app/api/auth/oauth/credentials/route.test.ts

@@ -57,10 +57,6 @@ describe('OAuth Credentials API Route', () => {
       eq: vi.fn((field, value) => ({ field, value, type: 'eq' })),
     }))
 
-    vi.doMock('jwt-decode', () => ({
-      jwtDecode: vi.fn(),
-    }))
-
     vi.doMock('@sim/logger', () => ({
       createLogger: vi.fn().mockReturnValue(mockLogger),
     }))
@@ -84,64 +80,6 @@ describe('OAuth Credentials API Route', () => {
     vi.clearAllMocks()
   })
 
-  it('should return credentials successfully', async () => {
-    mockGetSession.mockResolvedValueOnce({
-      user: { id: 'user-123' },
-    })
-
-    mockParseProvider.mockReturnValueOnce({
-      baseProvider: 'google',
-    })
-
-    const mockAccounts = [
-      {
-        id: 'credential-1',
-        userId: 'user-123',
-        providerId: 'google-email',
-        accountId: 'test@example.com',
-        updatedAt: new Date('2024-01-01'),
-        idToken: null,
-      },
-      {
-        id: 'credential-2',
-        userId: 'user-123',
-        providerId: 'google-default',
-        accountId: 'user-id',
-        updatedAt: new Date('2024-01-02'),
-        idToken: null,
-      },
-    ]
-
-    mockDb.select.mockReturnValueOnce(mockDb)
-    mockDb.from.mockReturnValueOnce(mockDb)
-    mockDb.where.mockResolvedValueOnce(mockAccounts)
-
-    mockDb.select.mockReturnValueOnce(mockDb)
-    mockDb.from.mockReturnValueOnce(mockDb)
-    mockDb.where.mockReturnValueOnce(mockDb)
-    mockDb.limit.mockResolvedValueOnce([{ email: 'user@example.com' }])
-
-    const req = createMockRequestWithQuery('GET', '?provider=google-email')
-
-    const { GET } = await import('@/app/api/auth/oauth/credentials/route')
-
-    const response = await GET(req)
-    const data = await response.json()
-
-    expect(response.status).toBe(200)
-    expect(data.credentials).toHaveLength(2)
-    expect(data.credentials[0]).toMatchObject({
-      id: 'credential-1',
-      provider: 'google-email',
-      isDefault: false,
-    })
-    expect(data.credentials[1]).toMatchObject({
-      id: 'credential-2',
-      provider: 'google-default',
-      isDefault: true,
-    })
-  })
-
   it('should handle unauthenticated user', async () => {
     mockGetSession.mockResolvedValueOnce(null)
 
@@ -198,39 +136,12 @@ describe('OAuth Credentials API Route', () => {
     expect(data.credentials).toHaveLength(0)
   })
 
-  it('should decode ID token for display name', async () => {
-    const { jwtDecode } = await import('jwt-decode')
-    const mockJwtDecode = jwtDecode as any
-
+  it('should return empty credentials when no workspace context', async () => {
     mockGetSession.mockResolvedValueOnce({
       user: { id: 'user-123' },
     })
 
-    mockParseProvider.mockReturnValueOnce({
-      baseProvider: 'google',
-    })
-
-    const mockAccounts = [
-      {
-        id: 'credential-1',
-        userId: 'user-123',
-        providerId: 'google-default',
-        accountId: 'google-user-id',
-        updatedAt: new Date('2024-01-01'),
-        idToken: 'mock-jwt-token',
-      },
-    ]
-
-    mockJwtDecode.mockReturnValueOnce({
-      email: 'decoded@example.com',
-      name: 'Decoded User',
-    })
-
-    mockDb.select.mockReturnValueOnce(mockDb)
-    mockDb.from.mockReturnValueOnce(mockDb)
-    mockDb.where.mockResolvedValueOnce(mockAccounts)
-
-    const req = createMockRequestWithQuery('GET', '?provider=google')
+    const req = createMockRequestWithQuery('GET', '?provider=google-email')
 
     const { GET } = await import('@/app/api/auth/oauth/credentials/route')
 
@@ -238,31 +149,6 @@ describe('OAuth Credentials API Route', () => {
     const data = await response.json()
 
     expect(response.status).toBe(200)
-    expect(data.credentials[0].name).toBe('decoded@example.com')
-  })
-
-  it('should handle database error', async () => {
-    mockGetSession.mockResolvedValueOnce({
-      user: { id: 'user-123' },
-    })
-
-    mockParseProvider.mockReturnValueOnce({
-      baseProvider: 'google',
-    })
-
-    mockDb.select.mockReturnValueOnce(mockDb)
-    mockDb.from.mockReturnValueOnce(mockDb)
-    mockDb.where.mockRejectedValueOnce(new Error('Database error'))
-
-    const req = createMockRequestWithQuery('GET', '?provider=google')
-
-    const { GET } = await import('@/app/api/auth/oauth/credentials/route')
-
-    const response = await GET(req)
-    const data = await response.json()
-
-    expect(response.status).toBe(500)
-    expect(data.error).toBe('Internal server error')
-    expect(mockLogger.error).toHaveBeenCalled()
+    expect(data.credentials).toHaveLength(0)
   })
 })

apps/sim/app/api/auth/oauth/credentials/route.ts

@@ -1,14 +1,15 @@
 import { db } from '@sim/db'
-import { account, user } from '@sim/db/schema'
+import { account, credential, credentialMember } from '@sim/db/schema'
 import { createLogger } from '@sim/logger'
 import { and, eq } from 'drizzle-orm'
-import { jwtDecode } from 'jwt-decode'
 import { type NextRequest, NextResponse } from 'next/server'
 import { z } from 'zod'
 import { checkSessionOrInternalAuth } from '@/lib/auth/hybrid'
 import { generateRequestId } from '@/lib/core/utils/request'
-import { evaluateScopeCoverage, type OAuthProvider, parseProvider } from '@/lib/oauth'
+import { syncWorkspaceOAuthCredentialsForUser } from '@/lib/credentials/oauth'
+import { evaluateScopeCoverage } from '@/lib/oauth'
 import { authorizeWorkflowByWorkspacePermission } from '@/lib/workflows/utils'
+import { checkWorkspaceAccess } from '@/lib/workspaces/permissions/utils'
 
 export const dynamic = 'force-dynamic'
 
@@ -18,6 +19,7 @@ const credentialsQuerySchema = z
   .object({
     provider: z.string().nullish(),
     workflowId: z.string().uuid('Workflow ID must be a valid UUID').nullish(),
+    workspaceId: z.string().uuid('Workspace ID must be a valid UUID').nullish(),
     credentialId: z
       .string()
       .min(1, 'Credential ID must not be empty')
@@ -29,10 +31,30 @@ const credentialsQuerySchema = z
     path: ['provider'],
   })
 
-interface GoogleIdToken {
-  email?: string
-  sub?: string
-  name?: string
+function toCredentialResponse(
+  id: string,
+  displayName: string,
+  providerId: string,
+  updatedAt: Date,
+  scope: string | null
+) {
+  const storedScope = scope?.trim()
+  const grantedScopes = storedScope ? storedScope.split(/[\s,]+/).filter(Boolean) : []
+  const scopeEvaluation = evaluateScopeCoverage(providerId, grantedScopes)
+  const [_, featureType = 'default'] = providerId.split('-')
+
+  return {
+    id,
+    name: displayName,
+    provider: providerId,
+    lastUsed: updatedAt.toISOString(),
+    isDefault: featureType === 'default',
+    scopes: scopeEvaluation.grantedScopes,
+    canonicalScopes: scopeEvaluation.canonicalScopes,
+    missingScopes: scopeEvaluation.missingScopes,
+    extraScopes: scopeEvaluation.extraScopes,
+    requiresReauthorization: scopeEvaluation.requiresReauthorization,
+  }
 }
 
 /**
@@ -46,6 +68,7 @@ export async function GET(request: NextRequest) {
     const rawQuery = {
       provider: searchParams.get('provider'),
       workflowId: searchParams.get('workflowId'),
+      workspaceId: searchParams.get('workspaceId'),
       credentialId: searchParams.get('credentialId'),
     }
 
@@ -78,7 +101,7 @@ export async function GET(request: NextRequest) {
       )
     }
 
-    const { provider: providerParam, workflowId, credentialId } = parseResult.data
+    const { provider: providerParam, workflowId, workspaceId, credentialId } = parseResult.data
 
     // Authenticate requester (supports session and internal JWT)
     const authResult = await checkSessionOrInternalAuth(request)
@@ -88,7 +111,7 @@ export async function GET(request: NextRequest) {
     }
     const requesterUserId = authResult.userId
 
-    const effectiveUserId = requesterUserId
+    let effectiveWorkspaceId = workspaceId ?? undefined
     if (workflowId) {
       const workflowAuthorization = await authorizeWorkflowByWorkspacePermission({
         workflowId,
@@ -106,105 +129,125 @@ export async function GET(request: NextRequest) {
           { status: workflowAuthorization.status }
         )
       }
+      effectiveWorkspaceId = workflowAuthorization.workflow?.workspaceId || undefined
     }
 
-    // Parse the provider to get base provider and feature type (if provider is present)
-    const { baseProvider } = parseProvider((providerParam || 'google') as OAuthProvider)
-
-    let accountsData
-
-    if (credentialId && workflowId) {
-      // When both workflowId and credentialId are provided, fetch by ID only.
-      // Workspace authorization above already proves access; the credential
-      // may belong to another workspace member (e.g. for display name resolution).
-      accountsData = await db.select().from(account).where(eq(account.id, credentialId))
-    } else if (credentialId) {
-      accountsData = await db
-        .select()
-        .from(account)
-        .where(and(eq(account.userId, effectiveUserId), eq(account.id, credentialId)))
-    } else {
-      // Fetch all credentials for provider and effective user
-      accountsData = await db
-        .select()
-        .from(account)
-        .where(and(eq(account.userId, effectiveUserId), eq(account.providerId, providerParam!)))
+    if (effectiveWorkspaceId) {
+      const workspaceAccess = await checkWorkspaceAccess(effectiveWorkspaceId, requesterUserId)
+      if (!workspaceAccess.hasAccess) {
+        return NextResponse.json({ error: 'Forbidden' }, { status: 403 })
+      }
     }
 
-    // Transform accounts into credentials
-    const credentials = await Promise.all(
-      accountsData.map(async (acc) => {
-        // Extract the feature type from providerId (e.g., 'google-default' -> 'default')
-        const [_, featureType = 'default'] = acc.providerId.split('-')
+    if (credentialId) {
+      const [platformCredential] = await db
+        .select({
+          id: credential.id,
+          workspaceId: credential.workspaceId,
+          type: credential.type,
+          displayName: credential.displayName,
+          providerId: credential.providerId,
+          accountId: credential.accountId,
+          accountProviderId: account.providerId,
+          accountScope: account.scope,
+          accountUpdatedAt: account.updatedAt,
+        })
+        .from(credential)
+        .leftJoin(account, eq(credential.accountId, account.id))
+        .where(eq(credential.id, credentialId))
+        .limit(1)
 
-        // Try multiple methods to get a user-friendly display name
-        let displayName = ''
+      if (platformCredential) {
+        if (platformCredential.type !== 'oauth' || !platformCredential.accountId) {
+          return NextResponse.json({ credentials: [] }, { status: 200 })
+        }
 
-        // Method 1: Try to extract email from ID token (works for Google, etc.)
-        if (acc.idToken) {
-          try {
-            const decoded = jwtDecode<GoogleIdToken>(acc.idToken)
-            if (decoded.email) {
-              displayName = decoded.email
-            } else if (decoded.name) {
-              displayName = decoded.name
-            }
-          } catch (_error) {
-            logger.warn(`[${requestId}] Error decoding ID token`, {
-              accountId: acc.id,
-            })
+        if (workflowId) {
+          if (!effectiveWorkspaceId || platformCredential.workspaceId !== effectiveWorkspaceId) {
+            return NextResponse.json({ error: 'Forbidden' }, { status: 403 })
+          }
+        } else {
+          const [membership] = await db
+            .select({ id: credentialMember.id })
+            .from(credentialMember)
+            .where(
+              and(
+                eq(credentialMember.credentialId, platformCredential.id),
+                eq(credentialMember.userId, requesterUserId),
+                eq(credentialMember.status, 'active')
+              )
+            )
+            .limit(1)
+
+          if (!membership) {
+            return NextResponse.json({ error: 'Forbidden' }, { status: 403 })
           }
         }
 
-        // Method 2: For GitHub, the accountId might be the username
-        if (!displayName && baseProvider === 'github') {
-          displayName = `${acc.accountId} (GitHub)`
+        if (!platformCredential.accountProviderId || !platformCredential.accountUpdatedAt) {
+          return NextResponse.json({ credentials: [] }, { status: 200 })
         }
 
-        // Method 3: Try to get the user's email from our database
-        if (!displayName) {
-          try {
-            const userRecord = await db
-              .select({ email: user.email })
-              .from(user)
-              .where(eq(user.id, acc.userId))
-              .limit(1)
+        return NextResponse.json(
+          {
+            credentials: [
+              toCredentialResponse(
+                platformCredential.id,
+                platformCredential.displayName,
+                platformCredential.accountProviderId,
+                platformCredential.accountUpdatedAt,
+                platformCredential.accountScope
+              ),
+            ],
+          },
+          { status: 200 }
+        )
+      }
+    }
 
-            if (userRecord.length > 0) {
-              displayName = userRecord[0].email
-            }
-          } catch (_error) {
-            logger.warn(`[${requestId}] Error fetching user email`, {
-              userId: acc.userId,
-            })
-          }
-        }
-
-        // Fallback: Use accountId with provider type as context
-        if (!displayName) {
-          displayName = `${acc.accountId} (${baseProvider})`
-        }
-
-        const storedScope = acc.scope?.trim()
-        const grantedScopes = storedScope ? storedScope.split(/[\s,]+/).filter(Boolean) : []
-        const scopeEvaluation = evaluateScopeCoverage(acc.providerId, grantedScopes)
-
-        return {
-          id: acc.id,
-          name: displayName,
-          provider: acc.providerId,
-          lastUsed: acc.updatedAt.toISOString(),
-          isDefault: featureType === 'default',
-          scopes: scopeEvaluation.grantedScopes,
-          canonicalScopes: scopeEvaluation.canonicalScopes,
-          missingScopes: scopeEvaluation.missingScopes,
-          extraScopes: scopeEvaluation.extraScopes,
-          requiresReauthorization: scopeEvaluation.requiresReauthorization,
-        }
+    if (effectiveWorkspaceId && providerParam) {
+      await syncWorkspaceOAuthCredentialsForUser({
+        workspaceId: effectiveWorkspaceId,
+        userId: requesterUserId,
       })
-    )
 
-    return NextResponse.json({ credentials }, { status: 200 })
+      const credentialsData = await db
+        .select({
+          id: credential.id,
+          displayName: credential.displayName,
+          providerId: account.providerId,
+          scope: account.scope,
+          updatedAt: account.updatedAt,
+        })
+        .from(credential)
+        .innerJoin(account, eq(credential.accountId, account.id))
+        .innerJoin(
+          credentialMember,
+          and(
+            eq(credentialMember.credentialId, credential.id),
+            eq(credentialMember.userId, requesterUserId),
+            eq(credentialMember.status, 'active')
+          )
+        )
+        .where(
+          and(
+            eq(credential.workspaceId, effectiveWorkspaceId),
+            eq(credential.type, 'oauth'),
+            eq(account.providerId, providerParam)
+          )
+        )
+
+      return NextResponse.json(
+        {
+          credentials: credentialsData.map((row) =>
+            toCredentialResponse(row.id, row.displayName, row.providerId, row.updatedAt, row.scope)
+          ),
+        },
+        { status: 200 }
+      )
+    }
+
+    return NextResponse.json({ credentials: [] }, { status: 200 })
   } catch (error) {
     logger.error(`[${requestId}] Error fetching OAuth credentials`, error)
     return NextResponse.json({ error: 'Internal server error' }, { status: 500 })

apps/sim/app/api/auth/oauth/disconnect/route.ts

@@ -16,6 +16,7 @@ const logger = createLogger('OAuthDisconnectAPI')
 const disconnectSchema = z.object({
   provider: z.string({ required_error: 'Provider is required' }).min(1, 'Provider is required'),
   providerId: z.string().optional(),
+  accountId: z.string().optional(),
 })
 
 /**
@@ -51,15 +52,20 @@ export async function POST(request: NextRequest) {
       )
     }
 
-    const { provider, providerId } = parseResult.data
+    const { provider, providerId, accountId } = parseResult.data
 
     logger.info(`[${requestId}] Processing OAuth disconnect request`, {
       provider,
       hasProviderId: !!providerId,
     })
 
-    // If a specific providerId is provided, delete only that account
-    if (providerId) {
+    // If a specific account row ID is provided, delete that exact account
+    if (accountId) {
+      await db
+        .delete(account)
+        .where(and(eq(account.userId, session.user.id), eq(account.id, accountId)))
+    } else if (providerId) {
+      // If a specific providerId is provided, delete accounts for that provider ID
       await db
         .delete(account)
         .where(and(eq(account.userId, session.user.id), eq(account.providerId, providerId)))

apps/sim/app/api/auth/oauth/microsoft/file/route.ts

@@ -38,13 +38,18 @@ export async function GET(request: NextRequest) {
       return NextResponse.json({ error: authz.error || 'Unauthorized' }, { status })
     }
 
-    const credential = await getCredential(requestId, credentialId, authz.credentialOwnerUserId)
+    const resolvedCredentialId = authz.resolvedCredentialId || credentialId
+    const credential = await getCredential(
+      requestId,
+      resolvedCredentialId,
+      authz.credentialOwnerUserId
+    )
     if (!credential) {
       return NextResponse.json({ error: 'Credential not found' }, { status: 404 })
     }
 
     const accessToken = await refreshAccessTokenIfNeeded(
-      credentialId,
+      resolvedCredentialId,
       authz.credentialOwnerUserId,
       requestId
     )

apps/sim/app/api/auth/oauth/microsoft/files/route.ts

@@ -37,14 +37,19 @@ export async function GET(request: NextRequest) {
       return NextResponse.json({ error: authz.error || 'Unauthorized' }, { status })
     }
 
-    const credential = await getCredential(requestId, credentialId, authz.credentialOwnerUserId)
+    const resolvedCredentialId = authz.resolvedCredentialId || credentialId
+    const credential = await getCredential(
+      requestId,
+      resolvedCredentialId,
+      authz.credentialOwnerUserId
+    )
     if (!credential) {
       return NextResponse.json({ error: 'Credential not found' }, { status: 404 })
     }
 
     // Refresh access token if needed using the utility function
     const accessToken = await refreshAccessTokenIfNeeded(
-      credentialId,
+      resolvedCredentialId,
       authz.credentialOwnerUserId,
       requestId
     )

apps/sim/app/api/auth/oauth/token/route.test.ts

@@ -3,7 +3,7 @@
  *
  * @vitest-environment node
  */
-import { createMockLogger, createMockRequest } from '@sim/testing'
+import { createMockLogger, createMockRequest, mockHybridAuth } from '@sim/testing'
 import { afterEach, beforeEach, describe, expect, it, vi } from 'vitest'
 
 describe('OAuth Token API Routes', () => {
@@ -12,7 +12,7 @@ describe('OAuth Token API Routes', () => {
   const mockRefreshTokenIfNeeded = vi.fn()
   const mockGetOAuthToken = vi.fn()
   const mockAuthorizeCredentialUse = vi.fn()
-  const mockCheckSessionOrInternalAuth = vi.fn()
+  let mockCheckSessionOrInternalAuth: ReturnType<typeof vi.fn>
 
   const mockLogger = createMockLogger()
 
@@ -41,9 +41,7 @@ describe('OAuth Token API Routes', () => {
       authorizeCredentialUse: mockAuthorizeCredentialUse,
     }))
 
-    vi.doMock('@/lib/auth/hybrid', () => ({
-      checkSessionOrInternalAuth: mockCheckSessionOrInternalAuth,
-    }))
+    ;({ mockCheckSessionOrInternalAuth } = mockHybridAuth())
   })
 
   afterEach(() => {
@@ -73,23 +71,18 @@ describe('OAuth Token API Routes', () => {
         refreshed: false,
       })
 
-      // Create mock request
       const req = createMockRequest('POST', {
         credentialId: 'credential-id',
       })
 
-      // Import handler after setting up mocks
       const { POST } = await import('@/app/api/auth/oauth/token/route')
 
-      // Call handler
       const response = await POST(req)
       const data = await response.json()
 
-      // Verify request was handled correctly
       expect(response.status).toBe(200)
       expect(data).toHaveProperty('accessToken', 'fresh-token')
 
-      // Verify mocks were called correctly
       expect(mockAuthorizeCredentialUse).toHaveBeenCalled()
       expect(mockGetCredential).toHaveBeenCalled()
       expect(mockRefreshTokenIfNeeded).toHaveBeenCalled()
@@ -351,10 +344,11 @@ describe('OAuth Token API Routes', () => {
    */
   describe('GET handler', () => {
     it('should return access token successfully', async () => {
-      mockCheckSessionOrInternalAuth.mockResolvedValueOnce({
-        success: true,
+      mockAuthorizeCredentialUse.mockResolvedValueOnce({
+        ok: true,
         authType: 'session',
-        userId: 'test-user-id',
+        requesterUserId: 'test-user-id',
+        credentialOwnerUserId: 'test-user-id',
       })
       mockGetCredential.mockResolvedValueOnce({
         id: 'credential-id',
@@ -380,8 +374,8 @@ describe('OAuth Token API Routes', () => {
       expect(response.status).toBe(200)
       expect(data).toHaveProperty('accessToken', 'fresh-token')
 
-      expect(mockCheckSessionOrInternalAuth).toHaveBeenCalled()
-      expect(mockGetCredential).toHaveBeenCalledWith(mockRequestId, 'credential-id', 'test-user-id')
+      expect(mockAuthorizeCredentialUse).toHaveBeenCalled()
+      expect(mockGetCredential).toHaveBeenCalled()
       expect(mockRefreshTokenIfNeeded).toHaveBeenCalled()
     })
 
@@ -399,8 +393,8 @@ describe('OAuth Token API Routes', () => {
     })
 
     it('should handle authentication failure', async () => {
-      mockCheckSessionOrInternalAuth.mockResolvedValueOnce({
-        success: false,
+      mockAuthorizeCredentialUse.mockResolvedValueOnce({
+        ok: false,
         error: 'Authentication required',
       })
 
@@ -413,15 +407,16 @@ describe('OAuth Token API Routes', () => {
       const response = await GET(req as any)
       const data = await response.json()
 
-      expect(response.status).toBe(401)
+      expect(response.status).toBe(403)
       expect(data).toHaveProperty('error')
     })
 
     it('should handle credential not found', async () => {
-      mockCheckSessionOrInternalAuth.mockResolvedValueOnce({
-        success: true,
+      mockAuthorizeCredentialUse.mockResolvedValueOnce({
+        ok: true,
         authType: 'session',
-        userId: 'test-user-id',
+        requesterUserId: 'test-user-id',
+        credentialOwnerUserId: 'test-user-id',
       })
       mockGetCredential.mockResolvedValueOnce(undefined)
 
@@ -439,10 +434,11 @@ describe('OAuth Token API Routes', () => {
     })
 
     it('should handle missing access token', async () => {
-      mockCheckSessionOrInternalAuth.mockResolvedValueOnce({
-        success: true,
+      mockAuthorizeCredentialUse.mockResolvedValueOnce({
+        ok: true,
         authType: 'session',
-        userId: 'test-user-id',
+        requesterUserId: 'test-user-id',
+        credentialOwnerUserId: 'test-user-id',
       })
       mockGetCredential.mockResolvedValueOnce({
         id: 'credential-id',
@@ -465,10 +461,11 @@ describe('OAuth Token API Routes', () => {
     })
 
     it('should handle token refresh failure', async () => {
-      mockCheckSessionOrInternalAuth.mockResolvedValueOnce({
-        success: true,
+      mockAuthorizeCredentialUse.mockResolvedValueOnce({
+        ok: true,
         authType: 'session',
-        userId: 'test-user-id',
+        requesterUserId: 'test-user-id',
+        credentialOwnerUserId: 'test-user-id',
       })
       mockGetCredential.mockResolvedValueOnce({
         id: 'credential-id',

apps/sim/app/api/auth/oauth/token/route.ts

@@ -110,23 +110,35 @@ export async function POST(request: NextRequest) {
       return NextResponse.json({ error: 'Credential ID is required' }, { status: 400 })
     }
 
+    const callerUserId = new URL(request.url).searchParams.get('userId') || undefined
+
     const authz = await authorizeCredentialUse(request, {
       credentialId,
       workflowId: workflowId ?? undefined,
       requireWorkflowIdForInternal: false,
+      callerUserId,
     })
     if (!authz.ok || !authz.credentialOwnerUserId) {
       return NextResponse.json({ error: authz.error || 'Unauthorized' }, { status: 403 })
     }
 
-    const credential = await getCredential(requestId, credentialId, authz.credentialOwnerUserId)
+    const resolvedCredentialId = authz.resolvedCredentialId || credentialId
+    const credential = await getCredential(
+      requestId,
+      resolvedCredentialId,
+      authz.credentialOwnerUserId
+    )
 
     if (!credential) {
       return NextResponse.json({ error: 'Credential not found' }, { status: 404 })
     }
 
     try {
-      const { accessToken } = await refreshTokenIfNeeded(requestId, credential, credentialId)
+      const { accessToken } = await refreshTokenIfNeeded(
+        requestId,
+        credential,
+        resolvedCredentialId
+      )
 
       let instanceUrl: string | undefined
       if (credential.providerId === 'salesforce' && credential.scope) {
@@ -186,13 +198,20 @@ export async function GET(request: NextRequest) {
 
     const { credentialId } = parseResult.data
 
-    // For GET requests, we only support session-based authentication
-    const auth = await checkSessionOrInternalAuth(request, { requireWorkflowId: false })
-    if (!auth.success || auth.authType !== 'session' || !auth.userId) {
-      return NextResponse.json({ error: 'User not authenticated' }, { status: 401 })
+    const authz = await authorizeCredentialUse(request, {
+      credentialId,
+      requireWorkflowIdForInternal: false,
+    })
+    if (!authz.ok || authz.authType !== 'session' || !authz.credentialOwnerUserId) {
+      return NextResponse.json({ error: authz.error || 'Unauthorized' }, { status: 403 })
     }
 
-    const credential = await getCredential(requestId, credentialId, auth.userId)
+    const resolvedCredentialId = authz.resolvedCredentialId || credentialId
+    const credential = await getCredential(
+      requestId,
+      resolvedCredentialId,
+      authz.credentialOwnerUserId
+    )
 
     if (!credential) {
       return NextResponse.json({ error: 'Credential not found' }, { status: 404 })
@@ -204,7 +223,11 @@ export async function GET(request: NextRequest) {
     }
 
     try {
-      const { accessToken } = await refreshTokenIfNeeded(requestId, credential, credentialId)
+      const { accessToken } = await refreshTokenIfNeeded(
+        requestId,
+        credential,
+        resolvedCredentialId
+      )
 
       // For Salesforce, extract instanceUrl from the scope field
       let instanceUrl: string | undefined

apps/sim/app/api/auth/oauth/utils.test.ts

@@ -62,21 +62,23 @@ describe('OAuth Utils', () => {
 
   describe('getCredential', () => {
     it('should return credential when found', async () => {
-      const mockCredential = { id: 'credential-id', userId: 'test-user-id' }
-      const { mockFrom, mockWhere, mockLimit } = mockSelectChain([mockCredential])
+      const mockCredentialRow = { type: 'oauth', accountId: 'resolved-account-id' }
+      const mockAccountRow = { id: 'resolved-account-id', userId: 'test-user-id' }
+
+      mockSelectChain([mockCredentialRow])
+      mockSelectChain([mockAccountRow])
 
       const credential = await getCredential('request-id', 'credential-id', 'test-user-id')
 
-      expect(mockDb.select).toHaveBeenCalled()
-      expect(mockFrom).toHaveBeenCalled()
-      expect(mockWhere).toHaveBeenCalled()
-      expect(mockLimit).toHaveBeenCalledWith(1)
+      expect(mockDb.select).toHaveBeenCalledTimes(2)
 
-      expect(credential).toEqual(mockCredential)
+      expect(credential).toMatchObject(mockAccountRow)
+      expect(credential).toMatchObject({ resolvedCredentialId: 'resolved-account-id' })
     })
 
     it('should return undefined when credential is not found', async () => {
       mockSelectChain([])
+      mockSelectChain([])
 
       const credential = await getCredential('request-id', 'nonexistent-id', 'test-user-id')
 
@@ -158,15 +160,17 @@ describe('OAuth Utils', () => {
 
   describe('refreshAccessTokenIfNeeded', () => {
     it('should return valid access token without refresh if not expired', async () => {
-      const mockCredential = {
-        id: 'credential-id',
+      const mockCredentialRow = { type: 'oauth', accountId: 'account-id' }
+      const mockAccountRow = {
+        id: 'account-id',
         accessToken: 'valid-token',
         refreshToken: 'refresh-token',
         accessTokenExpiresAt: new Date(Date.now() + 3600 * 1000),
         providerId: 'google',
         userId: 'test-user-id',
       }
-      mockSelectChain([mockCredential])
+      mockSelectChain([mockCredentialRow])
+      mockSelectChain([mockAccountRow])
 
       const token = await refreshAccessTokenIfNeeded('credential-id', 'test-user-id', 'request-id')
 
@@ -175,15 +179,17 @@ describe('OAuth Utils', () => {
     })
 
     it('should refresh token when expired', async () => {
-      const mockCredential = {
-        id: 'credential-id',
+      const mockCredentialRow = { type: 'oauth', accountId: 'account-id' }
+      const mockAccountRow = {
+        id: 'account-id',
         accessToken: 'expired-token',
         refreshToken: 'refresh-token',
         accessTokenExpiresAt: new Date(Date.now() - 3600 * 1000),
         providerId: 'google',
         userId: 'test-user-id',
       }
-      mockSelectChain([mockCredential])
+      mockSelectChain([mockCredentialRow])
+      mockSelectChain([mockAccountRow])
       mockUpdateChain()
 
       mockRefreshOAuthToken.mockResolvedValueOnce({
@@ -201,6 +207,7 @@ describe('OAuth Utils', () => {
 
     it('should return null if credential not found', async () => {
       mockSelectChain([])
+      mockSelectChain([])
 
       const token = await refreshAccessTokenIfNeeded('nonexistent-id', 'test-user-id', 'request-id')
 
@@ -208,15 +215,17 @@ describe('OAuth Utils', () => {
     })
 
     it('should return null if refresh fails', async () => {
-      const mockCredential = {
-        id: 'credential-id',
+      const mockCredentialRow = { type: 'oauth', accountId: 'account-id' }
+      const mockAccountRow = {
+        id: 'account-id',
         accessToken: 'expired-token',
         refreshToken: 'refresh-token',
         accessTokenExpiresAt: new Date(Date.now() - 3600 * 1000),
         providerId: 'google',
         userId: 'test-user-id',
       }
-      mockSelectChain([mockCredential])
+      mockSelectChain([mockCredentialRow])
+      mockSelectChain([mockAccountRow])
 
       mockRefreshOAuthToken.mockResolvedValueOnce(null)
 

apps/sim/app/api/auth/oauth/utils.ts

@@ -1,5 +1,5 @@
 import { db } from '@sim/db'
-import { account, credentialSetMember } from '@sim/db/schema'
+import { account, credential, credentialSetMember } from '@sim/db/schema'
 import { createLogger } from '@sim/logger'
 import { and, desc, eq, inArray } from 'drizzle-orm'
 import { refreshOAuthToken } from '@/lib/oauth'
@@ -25,6 +25,38 @@ interface AccountInsertData {
   accessTokenExpiresAt?: Date
 }
 
+/**
+ * Resolves a credential ID to its underlying account ID.
+ * If `credentialId` matches a `credential` row, returns its `accountId` and `workspaceId`.
+ * Otherwise assumes `credentialId` is already a raw `account.id` (legacy).
+ */
+export async function resolveOAuthAccountId(
+  credentialId: string
+): Promise<{ accountId: string; workspaceId?: string; usedCredentialTable: boolean } | null> {
+  const [credentialRow] = await db
+    .select({
+      type: credential.type,
+      accountId: credential.accountId,
+      workspaceId: credential.workspaceId,
+    })
+    .from(credential)
+    .where(eq(credential.id, credentialId))
+    .limit(1)
+
+  if (credentialRow) {
+    if (credentialRow.type !== 'oauth' || !credentialRow.accountId) {
+      return null
+    }
+    return {
+      accountId: credentialRow.accountId,
+      workspaceId: credentialRow.workspaceId,
+      usedCredentialTable: true,
+    }
+  }
+
+  return { accountId: credentialId, usedCredentialTable: false }
+}
+
 /**
  * Safely inserts an account record, handling duplicate constraint violations gracefully.
  * If a duplicate is detected (unique constraint violation), logs a warning and returns success.
@@ -52,10 +84,16 @@ export async function safeAccountInsert(
  * Get a credential by ID and verify it belongs to the user
  */
 export async function getCredential(requestId: string, credentialId: string, userId: string) {
+  const resolved = await resolveOAuthAccountId(credentialId)
+  if (!resolved) {
+    logger.warn(`[${requestId}] Credential is not an OAuth credential`)
+    return undefined
+  }
+
   const credentials = await db
     .select()
     .from(account)
-    .where(and(eq(account.id, credentialId), eq(account.userId, userId)))
+    .where(and(eq(account.id, resolved.accountId), eq(account.userId, userId)))
     .limit(1)
 
   if (!credentials.length) {
@@ -63,7 +101,10 @@ export async function getCredential(requestId: string, credentialId: string, use
     return undefined
   }
 
-  return credentials[0]
+  return {
+    ...credentials[0],
+    resolvedCredentialId: resolved.accountId,
+  }
 }
 
 export async function getOAuthToken(userId: string, providerId: string): Promise<string | null> {
@@ -238,7 +279,9 @@ export async function refreshAccessTokenIfNeeded(
       }
 
       // Update the token in the database
-      await db.update(account).set(updateData).where(eq(account.id, credentialId))
+      const resolvedCredentialId =
+        (credential as { resolvedCredentialId?: string }).resolvedCredentialId ?? credentialId
+      await db.update(account).set(updateData).where(eq(account.id, resolvedCredentialId))
 
       logger.info(`[${requestId}] Successfully refreshed access token for credential`)
       return refreshedToken.accessToken
@@ -274,6 +317,8 @@ export async function refreshTokenIfNeeded(
   credential: any,
   credentialId: string
 ): Promise<{ accessToken: string; refreshed: boolean }> {
+  const resolvedCredentialId = credential.resolvedCredentialId ?? credentialId
+
   // Decide if we should refresh: token missing OR expired
   const accessTokenExpiresAt = credential.accessTokenExpiresAt
   const refreshTokenExpiresAt = credential.refreshTokenExpiresAt
@@ -334,7 +379,7 @@ export async function refreshTokenIfNeeded(
       updateData.refreshTokenExpiresAt = getMicrosoftRefreshTokenExpiry()
     }
 
-    await db.update(account).set(updateData).where(eq(account.id, credentialId))
+    await db.update(account).set(updateData).where(eq(account.id, resolvedCredentialId))
 
     logger.info(`[${requestId}] Successfully refreshed access token`)
     return { accessToken: refreshedToken, refreshed: true }
@@ -343,7 +388,7 @@ export async function refreshTokenIfNeeded(
       `[${requestId}] Refresh attempt failed, checking if another concurrent request succeeded`
     )
 
-    const freshCredential = await getCredential(requestId, credentialId, credential.userId)
+    const freshCredential = await getCredential(requestId, resolvedCredentialId, credential.userId)
     if (freshCredential?.accessToken) {
       const freshExpiresAt = freshCredential.accessTokenExpiresAt
       const stillValid = !freshExpiresAt || freshExpiresAt > new Date()

apps/sim/app/api/auth/oauth/wealthbox/item/route.ts

@@ -6,7 +6,7 @@ import { type NextRequest, NextResponse } from 'next/server'
 import { getSession } from '@/lib/auth'
 import { validateEnum, validatePathSegment } from '@/lib/core/security/input-validation'
 import { generateRequestId } from '@/lib/core/utils/request'
-import { refreshAccessTokenIfNeeded } from '@/app/api/auth/oauth/utils'
+import { refreshAccessTokenIfNeeded, resolveOAuthAccountId } from '@/app/api/auth/oauth/utils'
 
 export const dynamic = 'force-dynamic'
 
@@ -57,24 +57,41 @@ export async function GET(request: NextRequest) {
       return NextResponse.json({ error: itemIdValidation.error }, { status: 400 })
     }
 
-    const credentials = await db.select().from(account).where(eq(account.id, credentialId)).limit(1)
+    const resolved = await resolveOAuthAccountId(credentialId)
+    if (!resolved) {
+      return NextResponse.json({ error: 'Credential not found' }, { status: 404 })
+    }
+
+    if (resolved.workspaceId) {
+      const { getUserEntityPermissions } = await import('@/lib/workspaces/permissions/utils')
+      const perm = await getUserEntityPermissions(
+        session.user.id,
+        'workspace',
+        resolved.workspaceId
+      )
+      if (perm === null) {
+        return NextResponse.json({ error: 'Forbidden' }, { status: 403 })
+      }
+    }
+
+    const credentials = await db
+      .select()
+      .from(account)
+      .where(eq(account.id, resolved.accountId))
+      .limit(1)
 
     if (!credentials.length) {
       logger.warn(`[${requestId}] Credential not found`, { credentialId })
       return NextResponse.json({ error: 'Credential not found' }, { status: 404 })
     }
 
-    const credential = credentials[0]
+    const accountRow = credentials[0]
 
-    if (credential.userId !== session.user.id) {
-      logger.warn(`[${requestId}] Unauthorized credential access attempt`, {
-        credentialUserId: credential.userId,
-        requestUserId: session.user.id,
-      })
-      return NextResponse.json({ error: 'Unauthorized' }, { status: 403 })
-    }
-
-    const accessToken = await refreshAccessTokenIfNeeded(credentialId, session.user.id, requestId)
+    const accessToken = await refreshAccessTokenIfNeeded(
+      resolved.accountId,
+      accountRow.userId,
+      requestId
+    )
 
     if (!accessToken) {
       logger.error(`[${requestId}] Failed to obtain valid access token`)

apps/sim/app/api/auth/oauth/wealthbox/items/route.ts

@@ -5,7 +5,7 @@ import { eq } from 'drizzle-orm'
 import { type NextRequest, NextResponse } from 'next/server'
 import { getSession } from '@/lib/auth'
 import { generateRequestId } from '@/lib/core/utils/request'
-import { refreshAccessTokenIfNeeded } from '@/app/api/auth/oauth/utils'
+import { refreshAccessTokenIfNeeded, resolveOAuthAccountId } from '@/app/api/auth/oauth/utils'
 
 export const dynamic = 'force-dynamic'
 
@@ -47,27 +47,41 @@ export async function GET(request: NextRequest) {
       )
     }
 
-    // Get the credential from the database
-    const credentials = await db.select().from(account).where(eq(account.id, credentialId)).limit(1)
+    const resolved = await resolveOAuthAccountId(credentialId)
+    if (!resolved) {
+      return NextResponse.json({ error: 'Credential not found' }, { status: 404 })
+    }
+
+    if (resolved.workspaceId) {
+      const { getUserEntityPermissions } = await import('@/lib/workspaces/permissions/utils')
+      const perm = await getUserEntityPermissions(
+        session.user.id,
+        'workspace',
+        resolved.workspaceId
+      )
+      if (perm === null) {
+        return NextResponse.json({ error: 'Forbidden' }, { status: 403 })
+      }
+    }
+
+    const credentials = await db
+      .select()
+      .from(account)
+      .where(eq(account.id, resolved.accountId))
+      .limit(1)
 
     if (!credentials.length) {
       logger.warn(`[${requestId}] Credential not found`, { credentialId })
       return NextResponse.json({ error: 'Credential not found' }, { status: 404 })
     }
 
-    const credential = credentials[0]
+    const accountRow = credentials[0]
 
-    // Check if the credential belongs to the user
-    if (credential.userId !== session.user.id) {
-      logger.warn(`[${requestId}] Unauthorized credential access attempt`, {
-        credentialUserId: credential.userId,
-        requestUserId: session.user.id,
-      })
-      return NextResponse.json({ error: 'Unauthorized' }, { status: 403 })
-    }
-
-    // Refresh access token if needed
-    const accessToken = await refreshAccessTokenIfNeeded(credentialId, session.user.id, requestId)
+    const accessToken = await refreshAccessTokenIfNeeded(
+      resolved.accountId,
+      accountRow.userId,
+      requestId
+    )
 
     if (!accessToken) {
       logger.error(`[${requestId}] Failed to obtain valid access token`)

apps/sim/app/api/auth/oauth2/authorize-params/route.ts

@@ -0,0 +1,59 @@
+import { db } from '@sim/db'
+import { verification } from '@sim/db/schema'
+import { and, eq, gt } from 'drizzle-orm'
+import type { NextRequest } from 'next/server'
+import { NextResponse } from 'next/server'
+import { getSession } from '@/lib/auth'
+
+/**
+ * Returns the original OAuth authorize parameters stored in the verification record
+ * for a given consent code. Used by the consent page to reconstruct the authorize URL
+ * when switching accounts.
+ */
+export async function GET(request: NextRequest) {
+  const session = await getSession()
+  if (!session?.user) {
+    return NextResponse.json({ error: 'Unauthorized' }, { status: 401 })
+  }
+
+  const consentCode = request.nextUrl.searchParams.get('consent_code')
+  if (!consentCode) {
+    return NextResponse.json({ error: 'consent_code is required' }, { status: 400 })
+  }
+
+  const [record] = await db
+    .select({ value: verification.value })
+    .from(verification)
+    .where(and(eq(verification.identifier, consentCode), gt(verification.expiresAt, new Date())))
+    .limit(1)
+
+  if (!record) {
+    return NextResponse.json({ error: 'Invalid or expired consent code' }, { status: 404 })
+  }
+
+  const data = JSON.parse(record.value) as {
+    clientId: string
+    redirectURI: string
+    scope: string[]
+    userId: string
+    codeChallenge: string
+    codeChallengeMethod: string
+    state: string | null
+    nonce: string | null
+  }
+
+  if (data.userId !== session.user.id) {
+    return NextResponse.json({ error: 'Forbidden' }, { status: 403 })
+  }
+
+  return NextResponse.json({
+    client_id: data.clientId,
+    redirect_uri: data.redirectURI,
+    scope: data.scope.join(' '),
+    code_challenge: data.codeChallenge,
+    code_challenge_method: data.codeChallengeMethod,
+    state: data.state,
+    nonce: data.nonce,
+    response_type: 'code',
+  })
+}

apps/sim/app/api/auth/oauth2/shopify/store/route.ts

@@ -48,16 +48,21 @@ export async function GET(request: NextRequest) {
 
     const shopData = await shopResponse.json()
     const shopInfo = shopData.shop
+    const stableAccountId = shopInfo.id?.toString() || shopDomain
 
     const existing = await db.query.account.findFirst({
-      where: and(eq(account.userId, session.user.id), eq(account.providerId, 'shopify')),
+      where: and(
+        eq(account.userId, session.user.id),
+        eq(account.providerId, 'shopify'),
+        eq(account.accountId, stableAccountId)
+      ),
     })
 
     const now = new Date()
 
     const accountData = {
       accessToken: accessToken,
-      accountId: shopInfo.id?.toString() || shopDomain,
+      accountId: stableAccountId,
       scope: scope || '',
       updatedAt: now,
       idToken: shopDomain,

apps/sim/app/api/auth/trello/store/route.ts

@@ -52,7 +52,11 @@ export async function POST(request: NextRequest) {
     const trelloUser = await userResponse.json()
 
     const existing = await db.query.account.findFirst({
-      where: and(eq(account.userId, session.user.id), eq(account.providerId, 'trello')),
+      where: and(
+        eq(account.userId, session.user.id),
+        eq(account.providerId, 'trello'),
+        eq(account.accountId, trelloUser.id)
+      ),
     })
 
     const now = new Date()

apps/sim/app/api/chat/[identifier]/route.test.ts

@@ -3,7 +3,7 @@
  *
  * @vitest-environment node
  */
-import { loggerMock } from '@sim/testing'
+import { loggerMock, requestUtilsMock } from '@sim/testing'
 import { afterEach, beforeEach, describe, expect, it, vi } from 'vitest'
 
 /**
@@ -94,9 +94,7 @@ vi.mock('@/lib/core/utils/sse', () => ({
   },
 }))
 
-vi.mock('@/lib/core/utils/request', () => ({
-  generateRequestId: vi.fn().mockReturnValue('test-request-id'),
-}))
+vi.mock('@/lib/core/utils/request', () => requestUtilsMock)
 
 vi.mock('@/lib/core/security/encryption', () => ({
   decryptSecret: vi.fn().mockResolvedValue({ decrypted: 'test-password' }),

apps/sim/app/api/chat/utils.test.ts

@@ -1,4 +1,4 @@
-import { databaseMock, loggerMock } from '@sim/testing'
+import { databaseMock, loggerMock, requestUtilsMock } from '@sim/testing'
 import type { NextResponse } from 'next/server'
 /**
  * Tests for chat API utils
@@ -37,9 +37,7 @@ vi.mock('@/lib/core/security/encryption', () => ({
   decryptSecret: mockDecryptSecret,
 }))
 
-vi.mock('@/lib/core/utils/request', () => ({
-  generateRequestId: vi.fn(),
-}))
+vi.mock('@/lib/core/utils/request', () => requestUtilsMock)
 
 vi.mock('@/lib/core/config/feature-flags', () => ({
   isDev: true,

apps/sim/app/api/credentials/[id]/members/route.ts

@@ -0,0 +1,226 @@
+import { db } from '@sim/db'
+import { credential, credentialMember, user } from '@sim/db/schema'
+import { createLogger } from '@sim/logger'
+import { and, eq } from 'drizzle-orm'
+import { type NextRequest, NextResponse } from 'next/server'
+import { z } from 'zod'
+import { getSession } from '@/lib/auth'
+import { getUserEntityPermissions } from '@/lib/workspaces/permissions/utils'
+
+const logger = createLogger('CredentialMembersAPI')
+
+interface RouteContext {
+  params: Promise<{ id: string }>
+}
+
+async function requireWorkspaceAdminMembership(credentialId: string, userId: string) {
+  const [cred] = await db
+    .select({ id: credential.id, workspaceId: credential.workspaceId })
+    .from(credential)
+    .where(eq(credential.id, credentialId))
+    .limit(1)
+
+  if (!cred) return null
+
+  const perm = await getUserEntityPermissions(userId, 'workspace', cred.workspaceId)
+  if (perm === null) return null
+
+  const [membership] = await db
+    .select({ role: credentialMember.role, status: credentialMember.status })
+    .from(credentialMember)
+    .where(
+      and(eq(credentialMember.credentialId, credentialId), eq(credentialMember.userId, userId))
+    )
+    .limit(1)
+
+  if (!membership || membership.status !== 'active' || membership.role !== 'admin') {
+    return null
+  }
+  return membership
+}
+
+export async function GET(_request: NextRequest, context: RouteContext) {
+  try {
+    const session = await getSession()
+    if (!session?.user?.id) {
+      return NextResponse.json({ error: 'Unauthorized' }, { status: 401 })
+    }
+
+    const { id: credentialId } = await context.params
+
+    const [cred] = await db
+      .select({ id: credential.id, workspaceId: credential.workspaceId })
+      .from(credential)
+      .where(eq(credential.id, credentialId))
+      .limit(1)
+
+    if (!cred) {
+      return NextResponse.json({ members: [] }, { status: 200 })
+    }
+
+    const callerPerm = await getUserEntityPermissions(
+      session.user.id,
+      'workspace',
+      cred.workspaceId
+    )
+    if (callerPerm === null) {
+      return NextResponse.json({ error: 'Forbidden' }, { status: 403 })
+    }
+
+    const members = await db
+      .select({
+        id: credentialMember.id,
+        userId: credentialMember.userId,
+        role: credentialMember.role,
+        status: credentialMember.status,
+        joinedAt: credentialMember.joinedAt,
+        userName: user.name,
+        userEmail: user.email,
+      })
+      .from(credentialMember)
+      .innerJoin(user, eq(credentialMember.userId, user.id))
+      .where(eq(credentialMember.credentialId, credentialId))
+
+    return NextResponse.json({ members })
+  } catch (error) {
+    logger.error('Failed to fetch credential members', { error })
+    return NextResponse.json({ error: 'Internal server error' }, { status: 500 })
+  }
+}
+
+const addMemberSchema = z.object({
+  userId: z.string().min(1),
+  role: z.enum(['admin', 'member']).default('member'),
+})
+
+export async function POST(request: NextRequest, context: RouteContext) {
+  try {
+    const session = await getSession()
+    if (!session?.user?.id) {
+      return NextResponse.json({ error: 'Unauthorized' }, { status: 401 })
+    }
+
+    const { id: credentialId } = await context.params
+
+    const admin = await requireWorkspaceAdminMembership(credentialId, session.user.id)
+    if (!admin) {
+      return NextResponse.json({ error: 'Admin access required' }, { status: 403 })
+    }
+
+    const body = await request.json()
+    const parsed = addMemberSchema.safeParse(body)
+    if (!parsed.success) {
+      return NextResponse.json({ error: 'Invalid request body' }, { status: 400 })
+    }
+
+    const { userId, role } = parsed.data
+    const now = new Date()
+
+    const [existing] = await db
+      .select({ id: credentialMember.id, status: credentialMember.status })
+      .from(credentialMember)
+      .where(
+        and(eq(credentialMember.credentialId, credentialId), eq(credentialMember.userId, userId))
+      )
+      .limit(1)
+
+    if (existing) {
+      await db
+        .update(credentialMember)
+        .set({ role, status: 'active', updatedAt: now })
+        .where(eq(credentialMember.id, existing.id))
+      return NextResponse.json({ success: true })
+    }
+
+    await db.insert(credentialMember).values({
+      id: crypto.randomUUID(),
+      credentialId,
+      userId,
+      role,
+      status: 'active',
+      joinedAt: now,
+      invitedBy: session.user.id,
+      createdAt: now,
+      updatedAt: now,
+    })
+
+    return NextResponse.json({ success: true }, { status: 201 })
+  } catch (error) {
+    logger.error('Failed to add credential member', { error })
+    return NextResponse.json({ error: 'Internal server error' }, { status: 500 })
+  }
+}
+
+export async function DELETE(request: NextRequest, context: RouteContext) {
+  try {
+    const session = await getSession()
+    if (!session?.user?.id) {
+      return NextResponse.json({ error: 'Unauthorized' }, { status: 401 })
+    }
+
+    const { id: credentialId } = await context.params
+    const targetUserId = new URL(request.url).searchParams.get('userId')
+    if (!targetUserId) {
+      return NextResponse.json({ error: 'userId query parameter required' }, { status: 400 })
+    }
+
+    const admin = await requireWorkspaceAdminMembership(credentialId, session.user.id)
+    if (!admin) {
+      return NextResponse.json({ error: 'Admin access required' }, { status: 403 })
+    }
+
+    const [target] = await db
+      .select({
+        id: credentialMember.id,
+        role: credentialMember.role,
+      })
+      .from(credentialMember)
+      .where(
+        and(
+          eq(credentialMember.credentialId, credentialId),
+          eq(credentialMember.userId, targetUserId),
+          eq(credentialMember.status, 'active')
+        )
+      )
+      .limit(1)
+
+    if (!target) {
+      return NextResponse.json({ error: 'Member not found' }, { status: 404 })
+    }
+
+    const revoked = await db.transaction(async (tx) => {
+      if (target.role === 'admin') {
+        const activeAdmins = await tx
+          .select({ id: credentialMember.id })
+          .from(credentialMember)
+          .where(
+            and(
+              eq(credentialMember.credentialId, credentialId),
+              eq(credentialMember.role, 'admin'),
+              eq(credentialMember.status, 'active')
+            )
+          )
+
+        if (activeAdmins.length <= 1) {
+          return false
+        }
+      }
+
+      await tx
+        .update(credentialMember)
+        .set({ status: 'revoked', updatedAt: new Date() })
+        .where(eq(credentialMember.id, target.id))
+
+      return true
+    })
+
+    if (!revoked) {
+      return NextResponse.json({ error: 'Cannot remove the last admin' }, { status: 400 })
+    }
+
+    return NextResponse.json({ success: true })
+  } catch (error) {
+    logger.error('Failed to remove credential member', { error })
+    return NextResponse.json({ error: 'Internal server error' }, { status: 500 })
+  }
+}

apps/sim/app/api/credentials/[id]/route.ts

@@ -0,0 +1,251 @@
+import { db } from '@sim/db'
+import { credential, credentialMember, environment, workspaceEnvironment } from '@sim/db/schema'
+import { createLogger } from '@sim/logger'
+import { and, eq } from 'drizzle-orm'
+import { type NextRequest, NextResponse } from 'next/server'
+import { z } from 'zod'
+import { getSession } from '@/lib/auth'
+import { getCredentialActorContext } from '@/lib/credentials/access'
+import {
+  syncPersonalEnvCredentialsForUser,
+  syncWorkspaceEnvCredentials,
+} from '@/lib/credentials/environment'
+
+const logger = createLogger('CredentialByIdAPI')
+
+const updateCredentialSchema = z
+  .object({
+    displayName: z.string().trim().min(1).max(255).optional(),
+    description: z.string().trim().max(500).nullish(),
+  })
+  .strict()
+  .refine((data) => data.displayName !== undefined || data.description !== undefined, {
+    message: 'At least one field must be provided',
+    path: ['displayName'],
+  })
+
+async function getCredentialResponse(credentialId: string, userId: string) {
+  const [row] = await db
+    .select({
+      id: credential.id,
+      workspaceId: credential.workspaceId,
+      type: credential.type,
+      displayName: credential.displayName,
+      description: credential.description,
+      providerId: credential.providerId,
+      accountId: credential.accountId,
+      envKey: credential.envKey,
+      envOwnerUserId: credential.envOwnerUserId,
+      createdBy: credential.createdBy,
+      createdAt: credential.createdAt,
+      updatedAt: credential.updatedAt,
+      role: credentialMember.role,
+      status: credentialMember.status,
+    })
+    .from(credential)
+    .innerJoin(
+      credentialMember,
+      and(eq(credentialMember.credentialId, credential.id), eq(credentialMember.userId, userId))
+    )
+    .where(eq(credential.id, credentialId))
+    .limit(1)
+
+  return row ?? null
+}
+
+export async function GET(request: NextRequest, { params }: { params: Promise<{ id: string }> }) {
+  const session = await getSession()
+  if (!session?.user?.id) {
+    return NextResponse.json({ error: 'Unauthorized' }, { status: 401 })
+  }
+
+  const { id } = await params
+
+  try {
+    const access = await getCredentialActorContext(id, session.user.id)
+    if (!access.credential) {
+      return NextResponse.json({ error: 'Credential not found' }, { status: 404 })
+    }
+    if (!access.hasWorkspaceAccess || !access.member) {
+      return NextResponse.json({ error: 'Forbidden' }, { status: 403 })
+    }
+
+    const row = await getCredentialResponse(id, session.user.id)
+    return NextResponse.json({ credential: row }, { status: 200 })
+  } catch (error) {
+    logger.error('Failed to fetch credential', error)
+    return NextResponse.json({ error: 'Internal server error' }, { status: 500 })
+  }
+}
+
+export async function PUT(request: NextRequest, { params }: { params: Promise<{ id: string }> }) {
+  const session = await getSession()
+  if (!session?.user?.id) {
+    return NextResponse.json({ error: 'Unauthorized' }, { status: 401 })
+  }
+
+  const { id } = await params
+
+  try {
+    const parseResult = updateCredentialSchema.safeParse(await request.json())
+    if (!parseResult.success) {
+      return NextResponse.json({ error: parseResult.error.errors[0]?.message }, { status: 400 })
+    }
+
+    const access = await getCredentialActorContext(id, session.user.id)
+    if (!access.credential) {
+      return NextResponse.json({ error: 'Credential not found' }, { status: 404 })
+    }
+    if (!access.hasWorkspaceAccess || !access.isAdmin) {
+      return NextResponse.json({ error: 'Credential admin permission required' }, { status: 403 })
+    }
+
+    const updates: Record<string, unknown> = {}
+
+    if (parseResult.data.description !== undefined) {
+      updates.description = parseResult.data.description ?? null
+    }
+
+    if (parseResult.data.displayName !== undefined && access.credential.type === 'oauth') {
+      updates.displayName = parseResult.data.displayName
+    }
+
+    if (Object.keys(updates).length === 0) {
+      if (access.credential.type === 'oauth') {
+        return NextResponse.json(
+          {
+            error: 'No updatable fields provided.',
+          },
+          { status: 400 }
+        )
+      }
+      return NextResponse.json(
+        {
+          error:
+            'Environment credentials cannot be updated via this endpoint. Use the environment value editor in credentials settings.',
+        },
+        { status: 400 }
+      )
+    }
+
+    updates.updatedAt = new Date()
+    await db.update(credential).set(updates).where(eq(credential.id, id))
+
+    const row = await getCredentialResponse(id, session.user.id)
+    return NextResponse.json({ credential: row }, { status: 200 })
+  } catch (error) {
+    logger.error('Failed to update credential', error)
+    return NextResponse.json({ error: 'Internal server error' }, { status: 500 })
+  }
+}
+
+export async function DELETE(
+  request: NextRequest,
+  { params }: { params: Promise<{ id: string }> }
+) {
+  const session = await getSession()
+  if (!session?.user?.id) {
+    return NextResponse.json({ error: 'Unauthorized' }, { status: 401 })
+  }
+
+  const { id } = await params
+
+  try {
+    const access = await getCredentialActorContext(id, session.user.id)
+    if (!access.credential) {
+      return NextResponse.json({ error: 'Credential not found' }, { status: 404 })
+    }
+    if (!access.hasWorkspaceAccess || !access.isAdmin) {
+      return NextResponse.json({ error: 'Credential admin permission required' }, { status: 403 })
+    }
+
+    if (access.credential.type === 'env_personal' && access.credential.envKey) {
+      const ownerUserId = access.credential.envOwnerUserId
+      if (!ownerUserId) {
+        return NextResponse.json({ error: 'Invalid personal secret owner' }, { status: 400 })
+      }
+
+      const [personalRow] = await db
+        .select({ variables: environment.variables })
+        .from(environment)
+        .where(eq(environment.userId, ownerUserId))
+        .limit(1)
+
+      const current = ((personalRow?.variables as Record<string, string> | null) ?? {}) as Record<
+        string,
+        string
+      >
+      if (access.credential.envKey in current) {
+        delete current[access.credential.envKey]
+      }
+
+      await db
+        .insert(environment)
+        .values({
+          id: ownerUserId,
+          userId: ownerUserId,
+          variables: current,
+          updatedAt: new Date(),
+        })
+        .onConflictDoUpdate({
+          target: [environment.userId],
+          set: { variables: current, updatedAt: new Date() },
+        })
+
+      await syncPersonalEnvCredentialsForUser({
+        userId: ownerUserId,
+        envKeys: Object.keys(current),
+      })
+
+      return NextResponse.json({ success: true }, { status: 200 })
+    }
+
+    if (access.credential.type === 'env_workspace' && access.credential.envKey) {
+      const [workspaceRow] = await db
+        .select({
+          id: workspaceEnvironment.id,
+          createdAt: workspaceEnvironment.createdAt,
+          variables: workspaceEnvironment.variables,
+        })
+        .from(workspaceEnvironment)
+        .where(eq(workspaceEnvironment.workspaceId, access.credential.workspaceId))
+        .limit(1)
+
+      const current = ((workspaceRow?.variables as Record<string, string> | null) ?? {}) as Record<
+        string,
+        string
+      >
+      if (access.credential.envKey in current) {
+        delete current[access.credential.envKey]
+      }
+
+      await db
+        .insert(workspaceEnvironment)
+        .values({
+          id: workspaceRow?.id || crypto.randomUUID(),
+          workspaceId: access.credential.workspaceId,
+          variables: current,
+          createdAt: workspaceRow?.createdAt || new Date(),
+          updatedAt: new Date(),
+        })
+        .onConflictDoUpdate({
+          target: [workspaceEnvironment.workspaceId],
+          set: { variables: current, updatedAt: new Date() },
+        })
+
+      await syncWorkspaceEnvCredentials({
+        workspaceId: access.credential.workspaceId,
+        envKeys: Object.keys(current),
+        actingUserId: session.user.id,
+      })
+
+      return NextResponse.json({ success: true }, { status: 200 })
+    }
+
+    await db.delete(credential).where(eq(credential.id, id))
+    return NextResponse.json({ success: true }, { status: 200 })
+  } catch (error) {
+    logger.error('Failed to delete credential', error)
+    return NextResponse.json({ error: 'Internal server error' }, { status: 500 })
+  }
+}

apps/sim/app/api/credentials/draft/route.ts

@@ -0,0 +1,116 @@
+import { db } from '@sim/db'
+import { credential, credentialMember, pendingCredentialDraft } from '@sim/db/schema'
+import { createLogger } from '@sim/logger'
+import { and, eq, lt } from 'drizzle-orm'
+import { NextResponse } from 'next/server'
+import { z } from 'zod'
+import { getSession } from '@/lib/auth'
+import { checkWorkspaceAccess } from '@/lib/workspaces/permissions/utils'
+
+const logger = createLogger('CredentialDraftAPI')
+
+const DRAFT_TTL_MS = 15 * 60 * 1000
+
+const createDraftSchema = z.object({
+  workspaceId: z.string().min(1),
+  providerId: z.string().min(1),
+  displayName: z.string().min(1),
+  description: z.string().trim().max(500).optional(),
+  credentialId: z.string().min(1).optional(),
+})
+
+export async function POST(request: Request) {
+  try {
+    const session = await getSession()
+    if (!session?.user?.id) {
+      return NextResponse.json({ error: 'Unauthorized' }, { status: 401 })
+    }
+
+    const body = await request.json()
+    const parsed = createDraftSchema.safeParse(body)
+    if (!parsed.success) {
+      return NextResponse.json({ error: 'Invalid request body' }, { status: 400 })
+    }
+
+    const { workspaceId, providerId, displayName, description, credentialId } = parsed.data
+    const userId = session.user.id
+
+    const workspaceAccess = await checkWorkspaceAccess(workspaceId, userId)
+    if (!workspaceAccess.canWrite) {
+      return NextResponse.json({ error: 'Write permission required' }, { status: 403 })
+    }
+
+    if (credentialId) {
+      const [membership] = await db
+        .select({ role: credentialMember.role, status: credentialMember.status })
+        .from(credentialMember)
+        .innerJoin(credential, eq(credential.id, credentialMember.credentialId))
+        .where(
+          and(
+            eq(credentialMember.credentialId, credentialId),
+            eq(credentialMember.userId, userId),
+            eq(credentialMember.status, 'active'),
+            eq(credentialMember.role, 'admin'),
+            eq(credential.workspaceId, workspaceId)
+          )
+        )
+        .limit(1)
+
+      if (!membership) {
+        return NextResponse.json(
+          { error: 'Admin access required on the target credential' },
+          { status: 403 }
+        )
+      }
+    }
+
+    const now = new Date()
+
+    await db
+      .delete(pendingCredentialDraft)
+      .where(
+        and(eq(pendingCredentialDraft.userId, userId), lt(pendingCredentialDraft.expiresAt, now))
+      )
+
+    await db
+      .insert(pendingCredentialDraft)
+      .values({
+        id: crypto.randomUUID(),
+        userId,
+        workspaceId,
+        providerId,
+        displayName,
+        description: description || null,
+        credentialId: credentialId || null,
+        expiresAt: new Date(now.getTime() + DRAFT_TTL_MS),
+        createdAt: now,
+      })
+      .onConflictDoUpdate({
+        target: [
+          pendingCredentialDraft.userId,
+          pendingCredentialDraft.providerId,
+          pendingCredentialDraft.workspaceId,
+        ],
+        set: {
+          displayName,
+          description: description || null,
+          credentialId: credentialId || null,
+          expiresAt: new Date(now.getTime() + DRAFT_TTL_MS),
+          createdAt: now,
+        },
+      })
+
+    logger.info('Credential draft saved', {
+      userId,
+      workspaceId,
+      providerId,
+      displayName,
+      credentialId: credentialId || null,
+    })
+
+    return NextResponse.json({ success: true }, { status: 200 })
+  } catch (error) {
+    logger.error('Failed to save credential draft', { error })
+    return NextResponse.json({ error: 'Internal server error' }, { status: 500 })
+  }
+}

apps/sim/app/api/credentials/memberships/route.ts

@@ -0,0 +1,120 @@
+import { db } from '@sim/db'
+import { credential, credentialMember } from '@sim/db/schema'
+import { createLogger } from '@sim/logger'
+import { and, eq } from 'drizzle-orm'
+import { type NextRequest, NextResponse } from 'next/server'
+import { z } from 'zod'
+import { getSession } from '@/lib/auth'
+
+const logger = createLogger('CredentialMembershipsAPI')
+
+const leaveCredentialSchema = z.object({
+  credentialId: z.string().min(1),
+})
+
+export async function GET() {
+  const session = await getSession()
+  if (!session?.user?.id) {
+    return NextResponse.json({ error: 'Unauthorized' }, { status: 401 })
+  }
+
+  try {
+    const memberships = await db
+      .select({
+        membershipId: credentialMember.id,
+        credentialId: credential.id,
+        workspaceId: credential.workspaceId,
+        type: credential.type,
+        displayName: credential.displayName,
+        providerId: credential.providerId,
+        role: credentialMember.role,
+        status: credentialMember.status,
+        joinedAt: credentialMember.joinedAt,
+      })
+      .from(credentialMember)
+      .innerJoin(credential, eq(credentialMember.credentialId, credential.id))
+      .where(eq(credentialMember.userId, session.user.id))
+
+    return NextResponse.json({ memberships }, { status: 200 })
+  } catch (error) {
+    logger.error('Failed to list credential memberships', error)
+    return NextResponse.json({ error: 'Internal server error' }, { status: 500 })
+  }
+}
+
+export async function DELETE(request: NextRequest) {
+  const session = await getSession()
+  if (!session?.user?.id) {
+    return NextResponse.json({ error: 'Unauthorized' }, { status: 401 })
+  }
+
+  try {
+    const parseResult = leaveCredentialSchema.safeParse({
+      credentialId: new URL(request.url).searchParams.get('credentialId'),
+    })
+    if (!parseResult.success) {
+      return NextResponse.json({ error: parseResult.error.errors[0]?.message }, { status: 400 })
+    }
+
+    const { credentialId } = parseResult.data
+    const [membership] = await db
+      .select()
+      .from(credentialMember)
+      .where(
+        and(
+          eq(credentialMember.credentialId, credentialId),
+          eq(credentialMember.userId, session.user.id)
+        )
+      )
+      .limit(1)
+
+    if (!membership) {
+      return NextResponse.json({ error: 'Membership not found' }, { status: 404 })
+    }
+
+    if (membership.status !== 'active') {
+      return NextResponse.json({ success: true }, { status: 200 })
+    }
+
+    const revoked = await db.transaction(async (tx) => {
+      if (membership.role === 'admin') {
+        const activeAdmins = await tx
+          .select({ id: credentialMember.id })
+          .from(credentialMember)
+          .where(
+            and(
+              eq(credentialMember.credentialId, credentialId),
+              eq(credentialMember.role, 'admin'),
+              eq(credentialMember.status, 'active')
+            )
+          )
+
+        if (activeAdmins.length <= 1) {
+          return false
+        }
+      }
+
+      await tx
+        .update(credentialMember)
+        .set({
+          status: 'revoked',
+          updatedAt: new Date(),
+        })
+        .where(eq(credentialMember.id, membership.id))
+
+      return true
+    })
+
+    if (!revoked) {
+      return NextResponse.json(
+        { error: 'Cannot leave credential as the last active admin' },
+        { status: 400 }
+      )
+    }
+
+    return NextResponse.json({ success: true }, { status: 200 })
+  } catch (error) {
+    logger.error('Failed to leave credential', error)
+    return NextResponse.json({ error: 'Internal server error' }, { status: 500 })
+  }
+}

apps/sim/app/api/credentials/route.ts

@@ -0,0 +1,520 @@
+import { db } from '@sim/db'
+import { account, credential, credentialMember, workspace } from '@sim/db/schema'
+import { createLogger } from '@sim/logger'
+import { and, eq } from 'drizzle-orm'
+import { type NextRequest, NextResponse } from 'next/server'
+import { z } from 'zod'
+import { getSession } from '@/lib/auth'
+import { generateRequestId } from '@/lib/core/utils/request'
+import { getWorkspaceMemberUserIds } from '@/lib/credentials/environment'
+import { syncWorkspaceOAuthCredentialsForUser } from '@/lib/credentials/oauth'
+import { getServiceConfigByProviderId } from '@/lib/oauth'
+import { checkWorkspaceAccess } from '@/lib/workspaces/permissions/utils'
+import { isValidEnvVarName } from '@/executor/constants'
+
+const logger = createLogger('CredentialsAPI')
+
+const credentialTypeSchema = z.enum(['oauth', 'env_workspace', 'env_personal'])
+
+function normalizeEnvKeyInput(raw: string): string {
+  const trimmed = raw.trim()
+  const wrappedMatch = /^\{\{\s*([A-Za-z0-9_]+)\s*\}\}$/.exec(trimmed)
+  return wrappedMatch ? wrappedMatch[1] : trimmed
+}
+
+const listCredentialsSchema = z.object({
+  workspaceId: z.string().uuid('Workspace ID must be a valid UUID'),
+  type: credentialTypeSchema.optional(),
+  providerId: z.string().optional(),
+  credentialId: z.string().optional(),
+})
+
+const createCredentialSchema = z
+  .object({
+    workspaceId: z.string().uuid('Workspace ID must be a valid UUID'),
+    type: credentialTypeSchema,
+    displayName: z.string().trim().min(1).max(255).optional(),
+    description: z.string().trim().max(500).optional(),
+    providerId: z.string().trim().min(1).optional(),
+    accountId: z.string().trim().min(1).optional(),
+    envKey: z.string().trim().min(1).optional(),
+    envOwnerUserId: z.string().trim().min(1).optional(),
+  })
+  .superRefine((data, ctx) => {
+    if (data.type === 'oauth') {
+      if (!data.accountId) {
+        ctx.addIssue({
+          code: z.ZodIssueCode.custom,
+          message: 'accountId is required for oauth credentials',
+          path: ['accountId'],
+        })
+      }
+      if (!data.providerId) {
+        ctx.addIssue({
+          code: z.ZodIssueCode.custom,
+          message: 'providerId is required for oauth credentials',
+          path: ['providerId'],
+        })
+      }
+      if (!data.displayName) {
+        ctx.addIssue({
+          code: z.ZodIssueCode.custom,
+          message: 'displayName is required for oauth credentials',
+          path: ['displayName'],
+        })
+      }
+      return
+    }
+
+    const normalizedEnvKey = data.envKey ? normalizeEnvKeyInput(data.envKey) : ''
+    if (!normalizedEnvKey) {
+      ctx.addIssue({
+        code: z.ZodIssueCode.custom,
+        message: 'envKey is required for env credentials',
+        path: ['envKey'],
+      })
+      return
+    }
+
+    if (!isValidEnvVarName(normalizedEnvKey)) {
+      ctx.addIssue({
+        code: z.ZodIssueCode.custom,
+        message: 'envKey must contain only letters, numbers, and underscores',
+        path: ['envKey'],
+      })
+    }
+  })
+
+interface ExistingCredentialSourceParams {
+  workspaceId: string
+  type: 'oauth' | 'env_workspace' | 'env_personal'
+  accountId?: string | null
+  envKey?: string | null
+  envOwnerUserId?: string | null
+}
+
+async function findExistingCredentialBySource(params: ExistingCredentialSourceParams) {
+  const { workspaceId, type, accountId, envKey, envOwnerUserId } = params
+
+  if (type === 'oauth' && accountId) {
+    const [row] = await db
+      .select()
+      .from(credential)
+      .where(
+        and(
+          eq(credential.workspaceId, workspaceId),
+          eq(credential.type, 'oauth'),
+          eq(credential.accountId, accountId)
+        )
+      )
+      .limit(1)
+    return row ?? null
+  }
+
+  if (type === 'env_workspace' && envKey) {
+    const [row] = await db
+      .select()
+      .from(credential)
+      .where(
+        and(
+          eq(credential.workspaceId, workspaceId),
+          eq(credential.type, 'env_workspace'),
+          eq(credential.envKey, envKey)
+        )
+      )
+      .limit(1)
+    return row ?? null
+  }
+
+  if (type === 'env_personal' && envKey && envOwnerUserId) {
+    const [row] = await db
+      .select()
+      .from(credential)
+      .where(
+        and(
+          eq(credential.workspaceId, workspaceId),
+          eq(credential.type, 'env_personal'),
+          eq(credential.envKey, envKey),
+          eq(credential.envOwnerUserId, envOwnerUserId)
+        )
+      )
+      .limit(1)
+    return row ?? null
+  }
+
+  return null
+}
+
+export async function GET(request: NextRequest) {
+  const requestId = generateRequestId()
+  const session = await getSession()
+
+  if (!session?.user?.id) {
+    return NextResponse.json({ error: 'Unauthorized' }, { status: 401 })
+  }
+
+  try {
+    const { searchParams } = new URL(request.url)
+    const rawWorkspaceId = searchParams.get('workspaceId')
+    const rawType = searchParams.get('type')
+    const rawProviderId = searchParams.get('providerId')
+    const rawCredentialId = searchParams.get('credentialId')
+    const parseResult = listCredentialsSchema.safeParse({
+      workspaceId: rawWorkspaceId?.trim(),
+      type: rawType?.trim() || undefined,
+      providerId: rawProviderId?.trim() || undefined,
+      credentialId: rawCredentialId?.trim() || undefined,
+    })
+
+    if (!parseResult.success) {
+      logger.warn(`[${requestId}] Invalid credential list request`, {
+        workspaceId: rawWorkspaceId,
+        type: rawType,
+        providerId: rawProviderId,
+        errors: parseResult.error.errors,
+      })
+      return NextResponse.json({ error: parseResult.error.errors[0]?.message }, { status: 400 })
+    }
+
+    const { workspaceId, type, providerId, credentialId: lookupCredentialId } = parseResult.data
+    const workspaceAccess = await checkWorkspaceAccess(workspaceId, session.user.id)
+
+    if (!workspaceAccess.hasAccess) {
+      return NextResponse.json({ error: 'Forbidden' }, { status: 403 })
+    }
+
+    if (lookupCredentialId) {
+      let [row] = await db
+        .select({
+          id: credential.id,
+          displayName: credential.displayName,
+          type: credential.type,
+          providerId: credential.providerId,
+        })
+        .from(credential)
+        .where(and(eq(credential.id, lookupCredentialId), eq(credential.workspaceId, workspaceId)))
+        .limit(1)
+
+      if (!row) {
+        ;[row] = await db
+          .select({
+            id: credential.id,
+            displayName: credential.displayName,
+            type: credential.type,
+            providerId: credential.providerId,
+          })
+          .from(credential)
+          .where(
+            and(
+              eq(credential.accountId, lookupCredentialId),
+              eq(credential.workspaceId, workspaceId)
+            )
+          )
+          .limit(1)
+      }
+
+      return NextResponse.json({ credential: row ?? null })
+    }
+
+    if (!type || type === 'oauth') {
+      await syncWorkspaceOAuthCredentialsForUser({ workspaceId, userId: session.user.id })
+    }
+
+    const whereClauses = [eq(credential.workspaceId, workspaceId)]
+
+    if (type) {
+      whereClauses.push(eq(credential.type, type))
+    }
+    if (providerId) {
+      whereClauses.push(eq(credential.providerId, providerId))
+    }
+
+    const credentials = await db
+      .select({
+        id: credential.id,
+        workspaceId: credential.workspaceId,
+        type: credential.type,
+        displayName: credential.displayName,
+        description: credential.description,
+        providerId: credential.providerId,
+        accountId: credential.accountId,
+        envKey: credential.envKey,
+        envOwnerUserId: credential.envOwnerUserId,
+        createdBy: credential.createdBy,
+        createdAt: credential.createdAt,
+        updatedAt: credential.updatedAt,
+        role: credentialMember.role,
+      })
+      .from(credential)
+      .innerJoin(
+        credentialMember,
+        and(
+          eq(credentialMember.credentialId, credential.id),
+          eq(credentialMember.userId, session.user.id),
+          eq(credentialMember.status, 'active')
+        )
+      )
+      .where(and(...whereClauses))
+
+    return NextResponse.json({ credentials })
+  } catch (error) {
+    logger.error(`[${requestId}] Failed to list credentials`, error)
+    return NextResponse.json({ error: 'Internal server error' }, { status: 500 })
+  }
+}
+
+export async function POST(request: NextRequest) {
+  const requestId = generateRequestId()
+  const session = await getSession()
+
+  if (!session?.user?.id) {
+    return NextResponse.json({ error: 'Unauthorized' }, { status: 401 })
+  }
+
+  try {
+    const body = await request.json()
+    const parseResult = createCredentialSchema.safeParse(body)
+
+    if (!parseResult.success) {
+      return NextResponse.json({ error: parseResult.error.errors[0]?.message }, { status: 400 })
+    }
+
+    const {
+      workspaceId,
+      type,
+      displayName,
+      description,
+      providerId,
+      accountId,
+      envKey,
+      envOwnerUserId,
+    } = parseResult.data
+
+    const workspaceAccess = await checkWorkspaceAccess(workspaceId, session.user.id)
+    if (!workspaceAccess.canWrite) {
+      return NextResponse.json({ error: 'Write permission required' }, { status: 403 })
+    }
+
+    let resolvedDisplayName = displayName?.trim() ?? ''
+    const resolvedDescription = description?.trim() || null
+    let resolvedProviderId: string | null = providerId ?? null
+    let resolvedAccountId: string | null = accountId ?? null
+    const resolvedEnvKey: string | null = envKey ? normalizeEnvKeyInput(envKey) : null
+    let resolvedEnvOwnerUserId: string | null = null
+
+    if (type === 'oauth') {
+      const [accountRow] = await db
+        .select({
+          id: account.id,
+          userId: account.userId,
+          providerId: account.providerId,
+          accountId: account.accountId,
+        })
+        .from(account)
+        .where(eq(account.id, accountId!))
+        .limit(1)
+
+      if (!accountRow) {
+        return NextResponse.json({ error: 'OAuth account not found' }, { status: 404 })
+      }
+
+      if (accountRow.userId !== session.user.id) {
+        return NextResponse.json(
+          { error: 'Only account owners can create oauth credentials for an account' },
+          { status: 403 }
+        )
+      }
+
+      if (providerId !== accountRow.providerId) {
+        return NextResponse.json(
+          { error: 'providerId does not match the selected OAuth account' },
+          { status: 400 }
+        )
+      }
+      if (!resolvedDisplayName) {
+        resolvedDisplayName =
+          getServiceConfigByProviderId(accountRow.providerId)?.name || accountRow.providerId
+      }
+    } else if (type === 'env_personal') {
+      resolvedEnvOwnerUserId = envOwnerUserId ?? session.user.id
+      if (resolvedEnvOwnerUserId !== session.user.id) {
+        return NextResponse.json(
+          { error: 'Only the current user can create personal env credentials for themselves' },
+          { status: 403 }
+        )
+      }
+      resolvedProviderId = null
+      resolvedAccountId = null
+      resolvedDisplayName = resolvedEnvKey || ''
+    } else {
+      resolvedProviderId = null
+      resolvedAccountId = null
+      resolvedEnvOwnerUserId = null
+      resolvedDisplayName = resolvedEnvKey || ''
+    }
+
+    if (!resolvedDisplayName) {
+      return NextResponse.json({ error: 'Display name is required' }, { status: 400 })
+    }
+
+    const existingCredential = await findExistingCredentialBySource({
+      workspaceId,
+      type,
+      accountId: resolvedAccountId,
+      envKey: resolvedEnvKey,
+      envOwnerUserId: resolvedEnvOwnerUserId,
+    })
+
+    if (existingCredential) {
+      const [membership] = await db
+        .select({
+          id: credentialMember.id,
+          status: credentialMember.status,
+          role: credentialMember.role,
+        })
+        .from(credentialMember)
+        .where(
+          and(
+            eq(credentialMember.credentialId, existingCredential.id),
+            eq(credentialMember.userId, session.user.id)
+          )
+        )
+        .limit(1)
+
+      if (!membership || membership.status !== 'active') {
+        return NextResponse.json(
+          { error: 'A credential with this source already exists in this workspace' },
+          { status: 409 }
+        )
+      }
+
+      const canUpdateExistingCredential = membership.role === 'admin'
+      const shouldUpdateDisplayName =
+        type === 'oauth' &&
+        resolvedDisplayName &&
+        resolvedDisplayName !== existingCredential.displayName
+      const shouldUpdateDescription =
+        typeof description !== 'undefined' &&
+        (existingCredential.description ?? null) !== resolvedDescription
+
+      if (canUpdateExistingCredential && (shouldUpdateDisplayName || shouldUpdateDescription)) {
+        await db
+          .update(credential)
+          .set({
+            ...(shouldUpdateDisplayName ? { displayName: resolvedDisplayName } : {}),
+            ...(shouldUpdateDescription ? { description: resolvedDescription } : {}),
+            updatedAt: new Date(),
+          })
+          .where(eq(credential.id, existingCredential.id))
+
+        const [updatedCredential] = await db
+          .select()
+          .from(credential)
+          .where(eq(credential.id, existingCredential.id))
+          .limit(1)
+
+        return NextResponse.json(
+          { credential: updatedCredential ?? existingCredential },
+          { status: 200 }
+        )
+      }
+
+      return NextResponse.json({ credential: existingCredential }, { status: 200 })
+    }
+
+    const now = new Date()
+    const credentialId = crypto.randomUUID()
+    const [workspaceRow] = await db
+      .select({ ownerId: workspace.ownerId })
+      .from(workspace)
+      .where(eq(workspace.id, workspaceId))
+      .limit(1)
+
+    await db.transaction(async (tx) => {
+      await tx.insert(credential).values({
+        id: credentialId,
+        workspaceId,
+        type,
+        displayName: resolvedDisplayName,
+        description: resolvedDescription,
+        providerId: resolvedProviderId,
+        accountId: resolvedAccountId,
+        envKey: resolvedEnvKey,
+        envOwnerUserId: resolvedEnvOwnerUserId,
+        createdBy: session.user.id,
+        createdAt: now,
+        updatedAt: now,
+      })
+
+      if (type === 'env_workspace' && workspaceRow?.ownerId) {
+        const workspaceUserIds = await getWorkspaceMemberUserIds(workspaceId)
+        if (workspaceUserIds.length > 0) {
+          for (const memberUserId of workspaceUserIds) {
+            await tx.insert(credentialMember).values({
+              id: crypto.randomUUID(),
+              credentialId,
+              userId: memberUserId,
+              role:
+                memberUserId === workspaceRow.ownerId || memberUserId === session.user.id
+                  ? 'admin'
+                  : 'member',
+              status: 'active',
+              joinedAt: now,
+              invitedBy: session.user.id,
+              createdAt: now,
+              updatedAt: now,
+            })
+          }
+        }
+      } else {
+        await tx.insert(credentialMember).values({
+          id: crypto.randomUUID(),
+          credentialId,
+          userId: session.user.id,
+          role: 'admin',
+          status: 'active',
+          joinedAt: now,
+          invitedBy: session.user.id,
+          createdAt: now,
+          updatedAt: now,
+        })
+      }
+    })
+
+    const [created] = await db
+      .select()
+      .from(credential)
+      .where(eq(credential.id, credentialId))
+      .limit(1)
+
+    return NextResponse.json({ credential: created }, { status: 201 })
+  } catch (error: any) {
+    if (error?.code === '23505') {
+      return NextResponse.json(
+        { error: 'A credential with this source already exists' },
+        { status: 409 }
+      )
+    }
+    if (error?.code === '23503') {
+      return NextResponse.json(
+        { error: 'Invalid credential reference or membership target' },
+        { status: 400 }
+      )
+    }
+    if (error?.code === '23514') {
+      return NextResponse.json(
+        { error: 'Credential source data failed validation checks' },
+        { status: 400 }
+      )
+    }
+    logger.error(`[${requestId}] Credential create failure details`, {
+      code: error?.code,
+      detail: error?.detail,
+      constraint: error?.constraint,
+      table: error?.table,
+      message: error?.message,
+    })
+    logger.error(`[${requestId}] Failed to create credential`, error)
+    return NextResponse.json({ error: 'Internal server error' }, { status: 500 })
+  }
+}

apps/sim/app/api/cron/renew-subscriptions/route.ts

@@ -4,18 +4,27 @@ import { createLogger } from '@sim/logger'
 import { and, eq, or } from 'drizzle-orm'
 import { type NextRequest, NextResponse } from 'next/server'
 import { verifyCronAuth } from '@/lib/auth/internal'
-import { refreshAccessTokenIfNeeded } from '@/app/api/auth/oauth/utils'
+import { refreshAccessTokenIfNeeded, resolveOAuthAccountId } from '@/app/api/auth/oauth/utils'
 
 const logger = createLogger('TeamsSubscriptionRenewal')
 
-async function getCredentialOwnerUserId(credentialId: string): Promise<string | null> {
+async function getCredentialOwner(
+  credentialId: string
+): Promise<{ userId: string; accountId: string } | null> {
+  const resolved = await resolveOAuthAccountId(credentialId)
+  if (!resolved) {
+    logger.error(`Failed to resolve OAuth account for credential ${credentialId}`)
+    return null
+  }
   const [credentialRecord] = await db
     .select({ userId: account.userId })
     .from(account)
-    .where(eq(account.id, credentialId))
+    .where(eq(account.id, resolved.accountId))
     .limit(1)
 
-  return credentialRecord?.userId ?? null
+  return credentialRecord
+    ? { userId: credentialRecord.userId, accountId: resolved.accountId }
+    : null
 }
 
 /**
@@ -88,8 +97,8 @@ export async function GET(request: NextRequest) {
           continue
         }
 
-        const credentialOwnerUserId = await getCredentialOwnerUserId(credentialId)
-        if (!credentialOwnerUserId) {
+        const credentialOwner = await getCredentialOwner(credentialId)
+        if (!credentialOwner) {
           logger.error(`Credential owner not found for credential ${credentialId}`)
           totalFailed++
           continue
@@ -97,8 +106,8 @@ export async function GET(request: NextRequest) {
 
         // Get fresh access token
         const accessToken = await refreshAccessTokenIfNeeded(
-          credentialId,
-          credentialOwnerUserId,
+          credentialOwner.accountId,
+          credentialOwner.userId,
           `renewal-${webhook.id}`
         )
 

apps/sim/app/api/environment/route.ts

@@ -8,6 +8,7 @@ import { AuditAction, AuditResourceType, recordAudit } from '@/lib/audit/log'
 import { getSession } from '@/lib/auth'
 import { decryptSecret, encryptSecret } from '@/lib/core/security/encryption'
 import { generateRequestId } from '@/lib/core/utils/request'
+import { syncPersonalEnvCredentialsForUser } from '@/lib/credentials/environment'
 import type { EnvironmentVariable } from '@/stores/settings/environment'
 
 const logger = createLogger('EnvironmentAPI')
@@ -54,6 +55,11 @@ export async function POST(req: NextRequest) {
           },
         })
 
+      await syncPersonalEnvCredentialsForUser({
+        userId: session.user.id,
+        envKeys: Object.keys(variables),
+      })
+
       recordAudit({
         actorId: session.user.id,
         actorName: session.user.name,

apps/sim/app/api/files/delete/route.test.ts

@@ -2,6 +2,7 @@ import {
   createMockRequest,
   mockAuth,
   mockCryptoUuid,
+  mockHybridAuth,
   mockUuid,
   setupCommonApiMocks,
 } from '@sim/testing'
@@ -28,13 +29,12 @@ function setupFileApiMocks(
     authMocks.setUnauthenticated()
   }
 
-  vi.doMock('@/lib/auth/hybrid', () => ({
-    checkSessionOrInternalAuth: vi.fn().mockResolvedValue({
-      success: authenticated,
-      userId: authenticated ? 'test-user-id' : undefined,
-      error: authenticated ? undefined : 'Unauthorized',
-    }),
-  }))
+  const { mockCheckSessionOrInternalAuth } = mockHybridAuth()
+  mockCheckSessionOrInternalAuth.mockResolvedValue({
+    success: authenticated,
+    userId: authenticated ? 'test-user-id' : undefined,
+    error: authenticated ? undefined : 'Unauthorized',
+  })
 
   vi.doMock('@/app/api/files/authorization', () => ({
     verifyFileAccess: vi.fn().mockResolvedValue(true),

apps/sim/app/api/files/parse/route.test.ts

@@ -8,6 +8,7 @@ import {
   createMockRequest,
   mockAuth,
   mockCryptoUuid,
+  mockHybridAuth,
   mockUuid,
   setupCommonApiMocks,
 } from '@sim/testing'
@@ -34,13 +35,12 @@ function setupFileApiMocks(
     authMocks.setUnauthenticated()
   }
 
-  vi.doMock('@/lib/auth/hybrid', () => ({
-    checkInternalAuth: vi.fn().mockResolvedValue({
-      success: authenticated,
-      userId: authenticated ? 'test-user-id' : undefined,
-      error: authenticated ? undefined : 'Unauthorized',
-    }),
-  }))
+  const { mockCheckInternalAuth } = mockHybridAuth()
+  mockCheckInternalAuth.mockResolvedValue({
+    success: authenticated,
+    userId: authenticated ? 'test-user-id' : undefined,
+    error: authenticated ? undefined : 'Unauthorized',
+  })
 
   vi.doMock('@/app/api/files/authorization', () => ({
     verifyFileAccess: vi.fn().mockResolvedValue(true),

apps/sim/app/api/files/presigned/route.test.ts

@@ -1,4 +1,10 @@
-import { mockAuth, mockCryptoUuid, mockUuid, setupCommonApiMocks } from '@sim/testing'
+import {
+  mockAuth,
+  mockCryptoUuid,
+  mockHybridAuth,
+  mockUuid,
+  setupCommonApiMocks,
+} from '@sim/testing'
 import { NextRequest } from 'next/server'
 import { afterEach, beforeEach, describe, expect, it, vi } from 'vitest'
 
@@ -28,13 +34,12 @@ function setupFileApiMocks(
     authMocks.setUnauthenticated()
   }
 
-  vi.doMock('@/lib/auth/hybrid', () => ({
-    checkHybridAuth: vi.fn().mockResolvedValue({
-      success: authenticated,
-      userId: authenticated ? 'test-user-id' : undefined,
-      error: authenticated ? undefined : 'Unauthorized',
-    }),
-  }))
+  const { mockCheckHybridAuth } = mockHybridAuth()
+  mockCheckHybridAuth.mockResolvedValue({
+    success: authenticated,
+    userId: authenticated ? 'test-user-id' : undefined,
+    error: authenticated ? undefined : 'Unauthorized',
+  })
 
   vi.doMock('@/app/api/files/authorization', () => ({
     verifyFileAccess: vi.fn().mockResolvedValue(true),

apps/sim/app/api/files/serve/[...path]/route.test.ts

@@ -7,6 +7,7 @@ import {
   defaultMockUser,
   mockAuth,
   mockCryptoUuid,
+  mockHybridAuth,
   mockUuid,
   setupCommonApiMocks,
 } from '@sim/testing'
@@ -54,12 +55,11 @@ describe('File Serve API Route', () => {
       withUploadUtils: true,
     })
 
-    vi.doMock('@/lib/auth/hybrid', () => ({
-      checkSessionOrInternalAuth: vi.fn().mockResolvedValue({
-        success: true,
-        userId: 'test-user-id',
-      }),
-    }))
+    const { mockCheckSessionOrInternalAuth: serveAuthMock } = mockHybridAuth()
+    serveAuthMock.mockResolvedValue({
+      success: true,
+      userId: 'test-user-id',
+    })
 
     vi.doMock('@/app/api/files/authorization', () => ({
       verifyFileAccess: vi.fn().mockResolvedValue(true),
@@ -164,12 +164,11 @@ describe('File Serve API Route', () => {
       findLocalFile: vi.fn().mockReturnValue('/test/uploads/nested/path/file.txt'),
     }))
 
-    vi.doMock('@/lib/auth/hybrid', () => ({
-      checkSessionOrInternalAuth: vi.fn().mockResolvedValue({
-        success: true,
-        userId: 'test-user-id',
-      }),
-    }))
+    const { mockCheckSessionOrInternalAuth: serveAuthMock } = mockHybridAuth()
+    serveAuthMock.mockResolvedValue({
+      success: true,
+      userId: 'test-user-id',
+    })
 
     vi.doMock('@/app/api/files/authorization', () => ({
       verifyFileAccess: vi.fn().mockResolvedValue(true),
@@ -225,12 +224,11 @@ describe('File Serve API Route', () => {
       USE_BLOB_STORAGE: false,
     }))
 
-    vi.doMock('@/lib/auth/hybrid', () => ({
-      checkSessionOrInternalAuth: vi.fn().mockResolvedValue({
-        success: true,
-        userId: 'test-user-id',
-      }),
-    }))
+    const { mockCheckSessionOrInternalAuth: serveAuthMock } = mockHybridAuth()
+    serveAuthMock.mockResolvedValue({
+      success: true,
+      userId: 'test-user-id',
+    })
 
     vi.doMock('@/app/api/files/authorization', () => ({
       verifyFileAccess: vi.fn().mockResolvedValue(true),
@@ -290,12 +288,11 @@ describe('File Serve API Route', () => {
       readFile: vi.fn().mockRejectedValue(new Error('ENOENT: no such file or directory')),
     }))
 
-    vi.doMock('@/lib/auth/hybrid', () => ({
-      checkSessionOrInternalAuth: vi.fn().mockResolvedValue({
-        success: true,
-        userId: 'test-user-id',
-      }),
-    }))
+    const { mockCheckSessionOrInternalAuth: serveAuthMock } = mockHybridAuth()
+    serveAuthMock.mockResolvedValue({
+      success: true,
+      userId: 'test-user-id',
+    })
 
     vi.doMock('@/app/api/files/authorization', () => ({
       verifyFileAccess: vi.fn().mockResolvedValue(false), // File not found = no access
@@ -349,12 +346,11 @@ describe('File Serve API Route', () => {
 
     for (const test of contentTypeTests) {
       it(`should serve ${test.ext} file with correct content type`, async () => {
-        vi.doMock('@/lib/auth/hybrid', () => ({
-          checkSessionOrInternalAuth: vi.fn().mockResolvedValue({
-            success: true,
-            userId: 'test-user-id',
-          }),
-        }))
+        const { mockCheckSessionOrInternalAuth: ctAuthMock } = mockHybridAuth()
+        ctAuthMock.mockResolvedValue({
+          success: true,
+          userId: 'test-user-id',
+        })
 
         vi.doMock('@/app/api/files/authorization', () => ({
           verifyFileAccess: vi.fn().mockResolvedValue(true),

apps/sim/app/api/files/upload/route.test.ts

@@ -3,7 +3,13 @@
  *
  * @vitest-environment node
  */
-import { mockAuth, mockCryptoUuid, mockUuid, setupCommonApiMocks } from '@sim/testing'
+import {
+  mockAuth,
+  mockCryptoUuid,
+  mockHybridAuth,
+  mockUuid,
+  setupCommonApiMocks,
+} from '@sim/testing'
 import { NextRequest } from 'next/server'
 import { afterEach, beforeEach, describe, expect, it, vi } from 'vitest'
 
@@ -27,13 +33,12 @@ function setupFileApiMocks(
     authMocks.setUnauthenticated()
   }
 
-  vi.doMock('@/lib/auth/hybrid', () => ({
-    checkHybridAuth: vi.fn().mockResolvedValue({
-      success: authenticated,
-      userId: authenticated ? 'test-user-id' : undefined,
-      error: authenticated ? undefined : 'Unauthorized',
-    }),
-  }))
+  const { mockCheckHybridAuth } = mockHybridAuth()
+  mockCheckHybridAuth.mockResolvedValue({
+    success: authenticated,
+    userId: authenticated ? 'test-user-id' : undefined,
+    error: authenticated ? undefined : 'Unauthorized',
+  })
 
   vi.doMock('@/app/api/files/authorization', () => ({
     verifyFileAccess: vi.fn().mockResolvedValue(true),

apps/sim/app/api/function/execute/route.test.ts

@@ -211,7 +211,7 @@ describe('Function Execute API Route', () => {
 
     it.concurrent('should block SSRF attacks through secure fetch wrapper', async () => {
       expect(validateProxyUrl('http://169.254.169.254/latest/meta-data/').isValid).toBe(false)
-      expect(validateProxyUrl('http://127.0.0.1:8080/admin').isValid).toBe(false)
+      expect(validateProxyUrl('http://127.0.0.1:8080/admin').isValid).toBe(true)
       expect(validateProxyUrl('http://192.168.1.1/config').isValid).toBe(false)
       expect(validateProxyUrl('http://10.0.0.1/internal').isValid).toBe(false)
     })

apps/sim/app/api/knowledge/search/route.test.ts

@@ -10,6 +10,7 @@ import {
   createMockRequest,
   mockConsoleLogger,
   mockKnowledgeSchemas,
+  requestUtilsMock,
 } from '@sim/testing'
 import { afterEach, beforeEach, describe, expect, it, vi } from 'vitest'
 
@@ -29,9 +30,7 @@ mockKnowledgeSchemas()
 
 vi.mock('@/lib/core/config/env', () => createEnvMock({ OPENAI_API_KEY: 'test-api-key' }))
 
-vi.mock('@/lib/core/utils/request', () => ({
-  generateRequestId: vi.fn(() => 'test-request-id'),
-}))
+vi.mock('@/lib/core/utils/request', () => requestUtilsMock)
 
 vi.mock('@/lib/documents/utils', () => ({
   retryWithExponentialBackoff: vi.fn().mockImplementation((fn) => fn()),

apps/sim/app/api/mcp/copilot/.well-known/oauth-authorization-server/route.ts

@@ -1,6 +1,6 @@
-import type { NextRequest, NextResponse } from 'next/server'
+import type { NextResponse } from 'next/server'
 import { createMcpAuthorizationServerMetadataResponse } from '@/lib/mcp/oauth-discovery'
 
-export async function GET(request: NextRequest): Promise<NextResponse> {
-  return createMcpAuthorizationServerMetadataResponse(request)
+export async function GET(): Promise<NextResponse> {
+  return createMcpAuthorizationServerMetadataResponse()
 }

apps/sim/app/api/mcp/copilot/.well-known/oauth-protected-resource/route.ts

@@ -1,6 +1,6 @@
-import type { NextRequest, NextResponse } from 'next/server'
+import type { NextResponse } from 'next/server'
 import { createMcpProtectedResourceMetadataResponse } from '@/lib/mcp/oauth-discovery'
 
-export async function GET(request: NextRequest): Promise<NextResponse> {
-  return createMcpProtectedResourceMetadataResponse(request)
+export async function GET(): Promise<NextResponse> {
+  return createMcpProtectedResourceMetadataResponse()
 }

apps/sim/app/api/mcp/copilot/route.ts

@@ -16,6 +16,7 @@ import { userStats } from '@sim/db/schema'
 import { createLogger } from '@sim/logger'
 import { eq, sql } from 'drizzle-orm'
 import { type NextRequest, NextResponse } from 'next/server'
+import { validateOAuthAccessToken } from '@/lib/auth/oauth-token'
 import { getHighestPrioritySubscription } from '@/lib/billing/core/subscription'
 import {
   ORCHESTRATION_TIMEOUT_MS,
@@ -31,6 +32,7 @@ import {
 import { DIRECT_TOOL_DEFS, SUBAGENT_TOOL_DEFS } from '@/lib/copilot/tools/mcp/definitions'
 import { env } from '@/lib/core/config/env'
 import { RateLimiter } from '@/lib/core/rate-limiter'
+import { getBaseUrl } from '@/lib/core/utils/urls'
 import {
   authorizeWorkflowByWorkspacePermission,
   resolveWorkflowIdForUser,
@@ -384,12 +386,14 @@ function buildMcpServer(abortSignal?: AbortSignal): Server {
       name: tool.name,
       description: tool.description,
       inputSchema: tool.inputSchema,
+      ...(tool.annotations && { annotations: tool.annotations }),
     }))
 
     const subagentTools = SUBAGENT_TOOL_DEFS.map((tool) => ({
       name: tool.name,
       description: tool.description,
       inputSchema: tool.inputSchema,
+      ...(tool.annotations && { annotations: tool.annotations }),
     }))
 
     const result: ListToolsResult = {
@@ -402,27 +406,51 @@ function buildMcpServer(abortSignal?: AbortSignal): Server {
   server.setRequestHandler(CallToolRequestSchema, async (request, extra) => {
     const headers = (extra.requestInfo?.headers || {}) as HeaderMap
     const apiKeyHeader = readHeader(headers, 'x-api-key')
+    const authorizationHeader = readHeader(headers, 'authorization')
 
-    if (!apiKeyHeader) {
-      return {
-        content: [
-          {
-            type: 'text' as const,
-            text: 'AUTHENTICATION ERROR: No Copilot API key provided. The user must set their Copilot API key in the x-api-key header. They can generate one in the Sim app under Settings → Copilot. Do NOT retry — this will fail until the key is configured.',
-          },
-        ],
-        isError: true,
+    let authResult: CopilotKeyAuthResult = { success: false }
+
+    if (authorizationHeader?.startsWith('Bearer ')) {
+      const token = authorizationHeader.slice(7)
+      const oauthResult = await validateOAuthAccessToken(token)
+      if (oauthResult.success && oauthResult.userId) {
+        if (!oauthResult.scopes?.includes('mcp:tools')) {
+          return {
+            content: [
+              {
+                type: 'text' as const,
+                text: 'AUTHENTICATION ERROR: OAuth token is missing the required "mcp:tools" scope. Re-authorize with the correct scopes.',
+              },
+            ],
+            isError: true,
+          }
+        }
+        authResult = { success: true, userId: oauthResult.userId }
+      } else {
+        return {
+          content: [
+            {
+              type: 'text' as const,
+              text: `AUTHENTICATION ERROR: ${oauthResult.error ?? 'Invalid OAuth access token'} Do NOT retry — re-authorize via OAuth.`,
+            },
+          ],
+          isError: true,
+        }
       }
+    } else if (apiKeyHeader) {
+      authResult = await authenticateCopilotApiKey(apiKeyHeader)
     }
 
-    const authResult = await authenticateCopilotApiKey(apiKeyHeader)
     if (!authResult.success || !authResult.userId) {
-      logger.warn('MCP copilot key auth failed', { method: request.method })
+      const errorMsg = apiKeyHeader
+        ? `AUTHENTICATION ERROR: ${authResult.error} Do NOT retry — this will fail until the user fixes their Copilot API key.`
+        : 'AUTHENTICATION ERROR: No authentication provided. Provide a Bearer token (OAuth 2.1) or an x-api-key header. Generate a Copilot API key in Settings → Copilot.'
+      logger.warn('MCP copilot auth failed', { method: request.method })
       return {
         content: [
           {
             type: 'text' as const,
-            text: `AUTHENTICATION ERROR: ${authResult.error} Do NOT retry — this will fail until the user fixes their Copilot API key.`,
+            text: errorMsg,
           },
         ],
         isError: true,
@@ -512,6 +540,20 @@ export async function GET() {
 }
 
 export async function POST(request: NextRequest) {
+  const hasAuth = request.headers.has('authorization') || request.headers.has('x-api-key')
+
+  if (!hasAuth) {
+    const origin = getBaseUrl().replace(/\/$/, '')
+    const resourceMetadataUrl = `${origin}/.well-known/oauth-protected-resource/api/mcp/copilot`
+    return new NextResponse(JSON.stringify({ error: 'unauthorized' }), {
+      status: 401,
+      headers: {
+        'WWW-Authenticate': `Bearer resource_metadata="${resourceMetadataUrl}", scope="mcp:tools"`,
+        'Content-Type': 'application/json',
+      },
+    })
+  }
+
   try {
     let parsedBody: unknown
 
@@ -532,6 +574,19 @@ export async function POST(request: NextRequest) {
   }
 }
 
+export async function OPTIONS() {
+  return new NextResponse(null, {
+    status: 204,
+    headers: {
+      'Access-Control-Allow-Origin': '*',
+      'Access-Control-Allow-Methods': 'GET, POST, OPTIONS, DELETE',
+      'Access-Control-Allow-Headers':
+        'Content-Type, Authorization, X-API-Key, X-Requested-With, Accept',
+      'Access-Control-Max-Age': '86400',
+    },
+  })
+}
+
 export async function DELETE(request: NextRequest) {
   void request
   return NextResponse.json(createError(0, -32000, 'Method not allowed.'), { status: 405 })

apps/sim/app/api/mcp/serve/[serverId]/route.test.ts

@@ -3,10 +3,11 @@
  *
  * @vitest-environment node
  */
+import { mockHybridAuth } from '@sim/testing'
 import { NextRequest } from 'next/server'
 import { afterEach, beforeEach, describe, expect, it, vi } from 'vitest'
 
-const mockCheckHybridAuth = vi.fn()
+let mockCheckHybridAuth: ReturnType<typeof vi.fn>
 const mockGetUserEntityPermissions = vi.fn()
 const mockGenerateInternalToken = vi.fn()
 const mockDbSelect = vi.fn()
@@ -61,9 +62,7 @@ describe('MCP Serve Route', () => {
         isDeployed: 'isDeployed',
       },
     }))
-    vi.doMock('@/lib/auth/hybrid', () => ({
-      checkHybridAuth: mockCheckHybridAuth,
-    }))
+    ;({ mockCheckHybridAuth } = mockHybridAuth())
     vi.doMock('@/lib/workspaces/permissions/utils', () => ({
       getUserEntityPermissions: mockGetUserEntityPermissions,
     }))

apps/sim/app/api/organizations/[id]/invitations/[invitationId]/route.ts

@@ -11,6 +11,7 @@ import {
   user,
   userStats,
   type WorkspaceInvitationStatus,
+  workspaceEnvironment,
   workspaceInvitation,
 } from '@sim/db/schema'
 import { createLogger } from '@sim/logger'
@@ -24,6 +25,7 @@ import { hasAccessControlAccess } from '@/lib/billing'
 import { syncUsageLimitsFromSubscription } from '@/lib/billing/core/usage'
 import { requireStripeClient } from '@/lib/billing/stripe-client'
 import { getBaseUrl } from '@/lib/core/utils/urls'
+import { syncWorkspaceEnvCredentials } from '@/lib/credentials/environment'
 import { sendEmail } from '@/lib/messaging/email/mailer'
 
 const logger = createLogger('OrganizationInvitation')
@@ -496,6 +498,34 @@ export async function PUT(
       }
     })
 
+    if (status === 'accepted') {
+      const acceptedWsInvitations = await db
+        .select({ workspaceId: workspaceInvitation.workspaceId })
+        .from(workspaceInvitation)
+        .where(
+          and(
+            eq(workspaceInvitation.orgInvitationId, invitationId),
+            eq(workspaceInvitation.status, 'accepted' as WorkspaceInvitationStatus)
+          )
+        )
+
+      for (const wsInv of acceptedWsInvitations) {
+        const [wsEnvRow] = await db
+          .select({ variables: workspaceEnvironment.variables })
+          .from(workspaceEnvironment)
+          .where(eq(workspaceEnvironment.workspaceId, wsInv.workspaceId))
+          .limit(1)
+        const wsEnvKeys = Object.keys((wsEnvRow?.variables as Record<string, string>) || {})
+        if (wsEnvKeys.length > 0) {
+          await syncWorkspaceEnvCredentials({
+            workspaceId: wsInv.workspaceId,
+            envKeys: wsEnvKeys,
+            actingUserId: session.user.id,
+          })
+        }
+      }
+    }
+
     // Handle Pro subscription cancellation after transaction commits
     if (personalProToCancel) {
       try {

apps/sim/app/api/permission-groups/[id]/route.ts

@@ -19,6 +19,7 @@ const configSchema = z.object({
   allowedModelProviders: z.array(z.string()).nullable().optional(),
   hideTraceSpans: z.boolean().optional(),
   hideKnowledgeBaseTab: z.boolean().optional(),
+  hideTablesTab: z.boolean().optional(),
   hideCopilot: z.boolean().optional(),
   hideApiKeysTab: z.boolean().optional(),
   hideEnvironmentTab: z.boolean().optional(),

apps/sim/app/api/permission-groups/route.ts

@@ -20,6 +20,7 @@ const configSchema = z.object({
   allowedModelProviders: z.array(z.string()).nullable().optional(),
   hideTraceSpans: z.boolean().optional(),
   hideKnowledgeBaseTab: z.boolean().optional(),
+  hideTablesTab: z.boolean().optional(),
   hideCopilot: z.boolean().optional(),
   hideApiKeysTab: z.boolean().optional(),
   hideEnvironmentTab: z.boolean().optional(),

apps/sim/app/api/providers/route.ts

@@ -6,7 +6,7 @@ import { type NextRequest, NextResponse } from 'next/server'
 import { checkInternalAuth } from '@/lib/auth/hybrid'
 import { generateRequestId } from '@/lib/core/utils/request'
 import { checkWorkspaceAccess } from '@/lib/workspaces/permissions/utils'
-import { refreshTokenIfNeeded } from '@/app/api/auth/oauth/utils'
+import { refreshTokenIfNeeded, resolveOAuthAccountId } from '@/app/api/auth/oauth/utils'
 import type { StreamingExecution } from '@/executor/types'
 import { executeProviderRequest } from '@/providers'
 
@@ -360,15 +360,20 @@ function sanitizeObject(obj: any): any {
 async function resolveVertexCredential(requestId: string, credentialId: string): Promise<string> {
   logger.info(`[${requestId}] Resolving Vertex AI credential: ${credentialId}`)
 
+  const resolved = await resolveOAuthAccountId(credentialId)
+  if (!resolved) {
+    throw new Error(`Vertex AI credential not found: ${credentialId}`)
+  }
+
   const credential = await db.query.account.findFirst({
-    where: eq(account.id, credentialId),
+    where: eq(account.id, resolved.accountId),
   })
 
   if (!credential) {
     throw new Error(`Vertex AI credential not found: ${credentialId}`)
   }
 
-  const { accessToken } = await refreshTokenIfNeeded(requestId, credential, credentialId)
+  const { accessToken } = await refreshTokenIfNeeded(requestId, credential, resolved.accountId)
 
   if (!accessToken) {
     throw new Error('Failed to get Vertex AI access token')

apps/sim/app/api/schedules/[id]/route.test.ts

@@ -3,7 +3,7 @@
  *
  * @vitest-environment node
  */
-import { auditMock, databaseMock, loggerMock } from '@sim/testing'
+import { auditMock, databaseMock, loggerMock, requestUtilsMock } from '@sim/testing'
 import { NextRequest } from 'next/server'
 import { afterEach, beforeEach, describe, expect, it, vi } from 'vitest'
 
@@ -31,9 +31,7 @@ vi.mock('drizzle-orm', () => ({
   eq: vi.fn(),
 }))
 
-vi.mock('@/lib/core/utils/request', () => ({
-  generateRequestId: () => 'test-request-id',
-}))
+vi.mock('@/lib/core/utils/request', () => requestUtilsMock)
 
 vi.mock('@sim/logger', () => loggerMock)
 

apps/sim/app/api/schedules/route.test.ts

@@ -3,7 +3,7 @@
  *
  * @vitest-environment node
  */
-import { databaseMock, loggerMock } from '@sim/testing'
+import { databaseMock, loggerMock, requestUtilsMock } from '@sim/testing'
 import { NextRequest } from 'next/server'
 import { afterEach, beforeEach, describe, expect, it, vi } from 'vitest'
 
@@ -43,9 +43,7 @@ vi.mock('drizzle-orm', () => ({
   isNull: vi.fn(),
 }))
 
-vi.mock('@/lib/core/utils/request', () => ({
-  generateRequestId: () => 'test-request-id',
-}))
+vi.mock('@/lib/core/utils/request', () => requestUtilsMock)
 
 vi.mock('@sim/logger', () => loggerMock)
 

apps/sim/app/api/tools/custom/route.test.ts

@@ -3,7 +3,7 @@
  *
  * @vitest-environment node
  */
-import { createMockRequest, loggerMock } from '@sim/testing'
+import { createMockRequest, loggerMock, mockHybridAuth } from '@sim/testing'
 import { NextRequest } from 'next/server'
 import { afterEach, beforeEach, describe, expect, it, vi } from 'vitest'
 
@@ -180,13 +180,12 @@ describe('Custom Tools API Routes', () => {
       getSession: vi.fn().mockResolvedValue(mockSession),
     }))
 
-    vi.doMock('@/lib/auth/hybrid', () => ({
-      checkSessionOrInternalAuth: vi.fn().mockResolvedValue({
-        success: true,
-        userId: 'user-123',
-        authType: 'session',
-      }),
-    }))
+    const { mockCheckSessionOrInternalAuth: hybridAuthMock } = mockHybridAuth()
+    hybridAuthMock.mockResolvedValue({
+      success: true,
+      userId: 'user-123',
+      authType: 'session',
+    })
 
     vi.doMock('@/lib/workspaces/permissions/utils', () => ({
       getUserEntityPermissions: vi.fn().mockResolvedValue('admin'),
@@ -261,12 +260,11 @@ describe('Custom Tools API Routes', () => {
         'http://localhost:3000/api/tools/custom?workspaceId=workspace-123'
       )
 
-      vi.doMock('@/lib/auth/hybrid', () => ({
-        checkSessionOrInternalAuth: vi.fn().mockResolvedValue({
-          success: false,
-          error: 'Unauthorized',
-        }),
-      }))
+      const { mockCheckSessionOrInternalAuth: unauthMock } = mockHybridAuth()
+      unauthMock.mockResolvedValue({
+        success: false,
+        error: 'Unauthorized',
+      })
 
       const { GET } = await import('@/app/api/tools/custom/route')
 
@@ -297,12 +295,11 @@ describe('Custom Tools API Routes', () => {
    */
   describe('POST /api/tools/custom', () => {
     it('should reject unauthorized requests', async () => {
-      vi.doMock('@/lib/auth/hybrid', () => ({
-        checkSessionOrInternalAuth: vi.fn().mockResolvedValue({
-          success: false,
-          error: 'Unauthorized',
-        }),
-      }))
+      const { mockCheckSessionOrInternalAuth: unauthMock } = mockHybridAuth()
+      unauthMock.mockResolvedValue({
+        success: false,
+        error: 'Unauthorized',
+      })
 
       const req = createMockRequest('POST', { tools: [], workspaceId: 'workspace-123' })
 
@@ -384,13 +381,12 @@ describe('Custom Tools API Routes', () => {
     })
 
     it('should prevent unauthorized deletion of user-scoped tool', async () => {
-      vi.doMock('@/lib/auth/hybrid', () => ({
-        checkSessionOrInternalAuth: vi.fn().mockResolvedValue({
-          success: true,
-          userId: 'user-456',
-          authType: 'session',
-        }),
-      }))
+      const { mockCheckSessionOrInternalAuth: diffUserMock } = mockHybridAuth()
+      diffUserMock.mockResolvedValue({
+        success: true,
+        userId: 'user-456',
+        authType: 'session',
+      })
 
       const userScopedTool = { ...sampleTools[0], workspaceId: null, userId: 'user-123' }
       const mockLimitUserScoped = vi.fn().mockResolvedValue([userScopedTool])
@@ -408,12 +404,11 @@ describe('Custom Tools API Routes', () => {
     })
 
     it('should reject unauthorized requests', async () => {
-      vi.doMock('@/lib/auth/hybrid', () => ({
-        checkSessionOrInternalAuth: vi.fn().mockResolvedValue({
-          success: false,
-          error: 'Unauthorized',
-        }),
-      }))
+      const { mockCheckSessionOrInternalAuth: unauthMock } = mockHybridAuth()
+      unauthMock.mockResolvedValue({
+        success: false,
+        error: 'Unauthorized',
+      })
 
       const req = new NextRequest('http://localhost:3000/api/tools/custom?id=tool-1')
 

apps/sim/app/api/tools/gmail/label/route.ts

@@ -1,12 +1,12 @@
 import { db } from '@sim/db'
 import { account } from '@sim/db/schema'
 import { createLogger } from '@sim/logger'
-import { and, eq } from 'drizzle-orm'
+import { eq } from 'drizzle-orm'
 import { type NextRequest, NextResponse } from 'next/server'
 import { getSession } from '@/lib/auth'
 import { validateAlphanumericId } from '@/lib/core/security/input-validation'
 import { generateRequestId } from '@/lib/core/utils/request'
-import { refreshAccessTokenIfNeeded } from '@/app/api/auth/oauth/utils'
+import { refreshAccessTokenIfNeeded, resolveOAuthAccountId } from '@/app/api/auth/oauth/utils'
 
 export const dynamic = 'force-dynamic'
 
@@ -41,10 +41,27 @@ export async function GET(request: NextRequest) {
       return NextResponse.json({ error: labelIdValidation.error }, { status: 400 })
     }
 
+    const resolved = await resolveOAuthAccountId(credentialId)
+    if (!resolved) {
+      return NextResponse.json({ error: 'Credential not found' }, { status: 404 })
+    }
+
+    if (resolved.workspaceId) {
+      const { getUserEntityPermissions } = await import('@/lib/workspaces/permissions/utils')
+      const perm = await getUserEntityPermissions(
+        session.user.id,
+        'workspace',
+        resolved.workspaceId
+      )
+      if (perm === null) {
+        return NextResponse.json({ error: 'Forbidden' }, { status: 403 })
+      }
+    }
+
     const credentials = await db
       .select()
       .from(account)
-      .where(and(eq(account.id, credentialId), eq(account.userId, session.user.id)))
+      .where(eq(account.id, resolved.accountId))
       .limit(1)
 
     if (!credentials.length) {
@@ -52,13 +69,17 @@ export async function GET(request: NextRequest) {
       return NextResponse.json({ error: 'Credential not found' }, { status: 404 })
     }
 
-    const credential = credentials[0]
+    const accountRow = credentials[0]
 
     logger.info(
-      `[${requestId}] Using credential: ${credential.id}, provider: ${credential.providerId}`
+      `[${requestId}] Using credential: ${accountRow.id}, provider: ${accountRow.providerId}`
     )
 
-    const accessToken = await refreshAccessTokenIfNeeded(credentialId, session.user.id, requestId)
+    const accessToken = await refreshAccessTokenIfNeeded(
+      resolved.accountId,
+      accountRow.userId,
+      requestId
+    )
 
     if (!accessToken) {
       return NextResponse.json({ error: 'Failed to obtain valid access token' }, { status: 401 })

apps/sim/app/api/tools/gmail/labels/route.ts

@@ -1,12 +1,12 @@
 import { db } from '@sim/db'
 import { account } from '@sim/db/schema'
 import { createLogger } from '@sim/logger'
-import { and, eq } from 'drizzle-orm'
+import { eq } from 'drizzle-orm'
 import { type NextRequest, NextResponse } from 'next/server'
 import { getSession } from '@/lib/auth'
 import { validateAlphanumericId } from '@/lib/core/security/input-validation'
 import { generateRequestId } from '@/lib/core/utils/request'
-import { refreshAccessTokenIfNeeded } from '@/app/api/auth/oauth/utils'
+import { refreshAccessTokenIfNeeded, resolveOAuthAccountId } from '@/app/api/auth/oauth/utils'
 export const dynamic = 'force-dynamic'
 
 const logger = createLogger('GmailLabelsAPI')
@@ -45,27 +45,45 @@ export async function GET(request: NextRequest) {
       return NextResponse.json({ error: credentialIdValidation.error }, { status: 400 })
     }
 
-    let credentials = await db
-      .select()
-      .from(account)
-      .where(and(eq(account.id, credentialId), eq(account.userId, session.user.id)))
-      .limit(1)
+    const resolved = await resolveOAuthAccountId(credentialId)
+    if (!resolved) {
+      return NextResponse.json({ error: 'Credential not found' }, { status: 404 })
+    }
 
-    if (!credentials.length) {
-      credentials = await db.select().from(account).where(eq(account.id, credentialId)).limit(1)
-      if (!credentials.length) {
-        logger.warn(`[${requestId}] Credential not found`)
-        return NextResponse.json({ error: 'Credential not found' }, { status: 404 })
+    if (resolved.workspaceId) {
+      const { getUserEntityPermissions } = await import('@/lib/workspaces/permissions/utils')
+      const perm = await getUserEntityPermissions(
+        session.user.id,
+        'workspace',
+        resolved.workspaceId
+      )
+      if (perm === null) {
+        return NextResponse.json({ error: 'Forbidden' }, { status: 403 })
       }
     }
 
-    const credential = credentials[0]
+    const credentials = await db
+      .select()
+      .from(account)
+      .where(eq(account.id, resolved.accountId))
+      .limit(1)
+
+    if (!credentials.length) {
+      logger.warn(`[${requestId}] Credential not found`)
+      return NextResponse.json({ error: 'Credential not found' }, { status: 404 })
+    }
+
+    const accountRow = credentials[0]
 
     logger.info(
-      `[${requestId}] Using credential: ${credential.id}, provider: ${credential.providerId}`
+      `[${requestId}] Using credential: ${accountRow.id}, provider: ${accountRow.providerId}`
     )
 
-    const accessToken = await refreshAccessTokenIfNeeded(credentialId, credential.userId, requestId)
+    const accessToken = await refreshAccessTokenIfNeeded(
+      resolved.accountId,
+      accountRow.userId,
+      requestId
+    )
 
     if (!accessToken) {
       return NextResponse.json({ error: 'Failed to obtain valid access token' }, { status: 401 })

apps/sim/app/api/tools/microsoft_planner/tasks/route.ts

@@ -6,7 +6,7 @@ import { eq } from 'drizzle-orm'
 import { type NextRequest, NextResponse } from 'next/server'
 import { getSession } from '@/lib/auth'
 import { validateMicrosoftGraphId } from '@/lib/core/security/input-validation'
-import { refreshAccessTokenIfNeeded } from '@/app/api/auth/oauth/utils'
+import { refreshAccessTokenIfNeeded, resolveOAuthAccountId } from '@/app/api/auth/oauth/utils'
 import type { PlannerTask } from '@/tools/microsoft_planner/types'
 
 const logger = createLogger('MicrosoftPlannerTasksAPI')
@@ -42,24 +42,41 @@ export async function GET(request: NextRequest) {
       return NextResponse.json({ error: planIdValidation.error }, { status: 400 })
     }
 
-    const credentials = await db.select().from(account).where(eq(account.id, credentialId)).limit(1)
+    const resolved = await resolveOAuthAccountId(credentialId)
+    if (!resolved) {
+      return NextResponse.json({ error: 'Credential not found' }, { status: 404 })
+    }
+
+    if (resolved.workspaceId) {
+      const { getUserEntityPermissions } = await import('@/lib/workspaces/permissions/utils')
+      const perm = await getUserEntityPermissions(
+        session.user.id,
+        'workspace',
+        resolved.workspaceId
+      )
+      if (perm === null) {
+        return NextResponse.json({ error: 'Forbidden' }, { status: 403 })
+      }
+    }
+
+    const credentials = await db
+      .select()
+      .from(account)
+      .where(eq(account.id, resolved.accountId))
+      .limit(1)
 
     if (!credentials.length) {
       logger.warn(`[${requestId}] Credential not found`, { credentialId })
       return NextResponse.json({ error: 'Credential not found' }, { status: 404 })
     }
 
-    const credential = credentials[0]
+    const accountRow = credentials[0]
 
-    if (credential.userId !== session.user.id) {
-      logger.warn(`[${requestId}] Unauthorized credential access attempt`, {
-        credentialUserId: credential.userId,
-        requestUserId: session.user.id,
-      })
-      return NextResponse.json({ error: 'Unauthorized' }, { status: 403 })
-    }
-
-    const accessToken = await refreshAccessTokenIfNeeded(credentialId, session.user.id, requestId)
+    const accessToken = await refreshAccessTokenIfNeeded(
+      resolved.accountId,
+      accountRow.userId,
+      requestId
+    )
 
     if (!accessToken) {
       logger.error(`[${requestId}] Failed to obtain valid access token`)

apps/sim/app/api/tools/onedrive/files/route.ts

@@ -6,7 +6,7 @@ import { eq } from 'drizzle-orm'
 import { type NextRequest, NextResponse } from 'next/server'
 import { getSession } from '@/lib/auth'
 import { validateMicrosoftGraphId } from '@/lib/core/security/input-validation'
-import { refreshAccessTokenIfNeeded } from '@/app/api/auth/oauth/utils'
+import { refreshAccessTokenIfNeeded, resolveOAuthAccountId } from '@/app/api/auth/oauth/utils'
 
 export const dynamic = 'force-dynamic'
 
@@ -45,22 +45,40 @@ export async function GET(request: NextRequest) {
 
     logger.info(`[${requestId}] Fetching credential`, { credentialId })
 
-    const credentials = await db.select().from(account).where(eq(account.id, credentialId)).limit(1)
+    const resolved = await resolveOAuthAccountId(credentialId)
+    if (!resolved) {
+      return NextResponse.json({ error: 'Credential not found' }, { status: 404 })
+    }
+
+    if (resolved.workspaceId) {
+      const { getUserEntityPermissions } = await import('@/lib/workspaces/permissions/utils')
+      const perm = await getUserEntityPermissions(
+        session.user.id,
+        'workspace',
+        resolved.workspaceId
+      )
+      if (perm === null) {
+        return NextResponse.json({ error: 'Forbidden' }, { status: 403 })
+      }
+    }
+
+    const credentials = await db
+      .select()
+      .from(account)
+      .where(eq(account.id, resolved.accountId))
+      .limit(1)
     if (!credentials.length) {
       logger.warn(`[${requestId}] Credential not found`, { credentialId })
       return NextResponse.json({ error: 'Credential not found' }, { status: 404 })
     }
 
-    const credential = credentials[0]
-    if (credential.userId !== session.user.id) {
-      logger.warn(`[${requestId}] Unauthorized credential access attempt`, {
-        credentialUserId: credential.userId,
-        requestUserId: session.user.id,
-      })
-      return NextResponse.json({ error: 'Unauthorized' }, { status: 403 })
-    }
+    const accountRow = credentials[0]
 
-    const accessToken = await refreshAccessTokenIfNeeded(credentialId, session.user.id, requestId)
+    const accessToken = await refreshAccessTokenIfNeeded(
+      resolved.accountId,
+      accountRow.userId,
+      requestId
+    )
     if (!accessToken) {
       logger.error(`[${requestId}] Failed to obtain valid access token`)
       return NextResponse.json({ error: 'Failed to obtain valid access token' }, { status: 401 })

apps/sim/app/api/tools/onedrive/folder/route.ts

@@ -6,7 +6,7 @@ import { eq } from 'drizzle-orm'
 import { type NextRequest, NextResponse } from 'next/server'
 import { getSession } from '@/lib/auth'
 import { validateMicrosoftGraphId } from '@/lib/core/security/input-validation'
-import { refreshAccessTokenIfNeeded } from '@/app/api/auth/oauth/utils'
+import { refreshAccessTokenIfNeeded, resolveOAuthAccountId } from '@/app/api/auth/oauth/utils'
 
 export const dynamic = 'force-dynamic'
 
@@ -34,17 +34,39 @@ export async function GET(request: NextRequest) {
       return NextResponse.json({ error: fileIdValidation.error }, { status: 400 })
     }
 
-    const credentials = await db.select().from(account).where(eq(account.id, credentialId)).limit(1)
+    const resolved = await resolveOAuthAccountId(credentialId)
+    if (!resolved) {
+      return NextResponse.json({ error: 'Credential not found' }, { status: 404 })
+    }
+
+    if (resolved.workspaceId) {
+      const { getUserEntityPermissions } = await import('@/lib/workspaces/permissions/utils')
+      const perm = await getUserEntityPermissions(
+        session.user.id,
+        'workspace',
+        resolved.workspaceId
+      )
+      if (perm === null) {
+        return NextResponse.json({ error: 'Forbidden' }, { status: 403 })
+      }
+    }
+
+    const credentials = await db
+      .select()
+      .from(account)
+      .where(eq(account.id, resolved.accountId))
+      .limit(1)
     if (!credentials.length) {
       return NextResponse.json({ error: 'Credential not found' }, { status: 404 })
     }
 
-    const credential = credentials[0]
-    if (credential.userId !== session.user.id) {
-      return NextResponse.json({ error: 'Unauthorized' }, { status: 403 })
-    }
+    const accountRow = credentials[0]
 
-    const accessToken = await refreshAccessTokenIfNeeded(credentialId, session.user.id, requestId)
+    const accessToken = await refreshAccessTokenIfNeeded(
+      resolved.accountId,
+      accountRow.userId,
+      requestId
+    )
     if (!accessToken) {
       return NextResponse.json({ error: 'Failed to obtain valid access token' }, { status: 401 })
     }

apps/sim/app/api/tools/onedrive/folders/route.ts

@@ -6,7 +6,7 @@ import { eq } from 'drizzle-orm'
 import { type NextRequest, NextResponse } from 'next/server'
 import { getSession } from '@/lib/auth'
 import { validateMicrosoftGraphId } from '@/lib/core/security/input-validation'
-import { refreshAccessTokenIfNeeded } from '@/app/api/auth/oauth/utils'
+import { refreshAccessTokenIfNeeded, resolveOAuthAccountId } from '@/app/api/auth/oauth/utils'
 
 export const dynamic = 'force-dynamic'
 
@@ -40,17 +40,39 @@ export async function GET(request: NextRequest) {
       return NextResponse.json({ error: credentialIdValidation.error }, { status: 400 })
     }
 
-    const credentials = await db.select().from(account).where(eq(account.id, credentialId)).limit(1)
+    const resolved = await resolveOAuthAccountId(credentialId)
+    if (!resolved) {
+      return NextResponse.json({ error: 'Credential not found' }, { status: 404 })
+    }
+
+    if (resolved.workspaceId) {
+      const { getUserEntityPermissions } = await import('@/lib/workspaces/permissions/utils')
+      const perm = await getUserEntityPermissions(
+        session.user.id,
+        'workspace',
+        resolved.workspaceId
+      )
+      if (perm === null) {
+        return NextResponse.json({ error: 'Forbidden' }, { status: 403 })
+      }
+    }
+
+    const credentials = await db
+      .select()
+      .from(account)
+      .where(eq(account.id, resolved.accountId))
+      .limit(1)
     if (!credentials.length) {
       return NextResponse.json({ error: 'Credential not found' }, { status: 404 })
     }
 
-    const credential = credentials[0]
-    if (credential.userId !== session.user.id) {
-      return NextResponse.json({ error: 'Unauthorized' }, { status: 403 })
-    }
+    const accountRow = credentials[0]
 
-    const accessToken = await refreshAccessTokenIfNeeded(credentialId, session.user.id, requestId)
+    const accessToken = await refreshAccessTokenIfNeeded(
+      resolved.accountId,
+      accountRow.userId,
+      requestId
+    )
     if (!accessToken) {
       return NextResponse.json({ error: 'Failed to obtain valid access token' }, { status: 401 })
     }

apps/sim/app/api/tools/outlook/folders/route.ts

@@ -6,7 +6,7 @@ import { NextResponse } from 'next/server'
 import { getSession } from '@/lib/auth'
 import { validateAlphanumericId } from '@/lib/core/security/input-validation'
 import { generateRequestId } from '@/lib/core/utils/request'
-import { refreshAccessTokenIfNeeded } from '@/app/api/auth/oauth/utils'
+import { refreshAccessTokenIfNeeded, resolveOAuthAccountId } from '@/app/api/auth/oauth/utils'
 
 export const dynamic = 'force-dynamic'
 
@@ -44,7 +44,28 @@ export async function GET(request: Request) {
         return NextResponse.json({ error: 'Authentication required' }, { status: 401 })
       }
 
-      const creds = await db.select().from(account).where(eq(account.id, credentialId)).limit(1)
+      const resolved = await resolveOAuthAccountId(credentialId)
+      if (!resolved) {
+        return NextResponse.json({ error: 'Credential not found' }, { status: 404 })
+      }
+
+      if (resolved.workspaceId) {
+        const { getUserEntityPermissions } = await import('@/lib/workspaces/permissions/utils')
+        const perm = await getUserEntityPermissions(
+          session!.user!.id,
+          'workspace',
+          resolved.workspaceId
+        )
+        if (perm === null) {
+          return NextResponse.json({ error: 'Forbidden' }, { status: 403 })
+        }
+      }
+
+      const creds = await db
+        .select()
+        .from(account)
+        .where(eq(account.id, resolved.accountId))
+        .limit(1)
       if (!creds.length) {
         logger.warn('Credential not found', { credentialId })
         return NextResponse.json({ error: 'Credential not found' }, { status: 404 })
@@ -52,7 +73,7 @@ export async function GET(request: Request) {
       const credentialOwnerUserId = creds[0].userId
 
       const accessToken = await refreshAccessTokenIfNeeded(
-        credentialId,
+        resolved.accountId,
         credentialOwnerUserId,
         generateRequestId()
       )

apps/sim/app/api/tools/redis/execute/route.ts

@@ -0,0 +1,57 @@
+import { createLogger } from '@sim/logger'
+import Redis from 'ioredis'
+import { type NextRequest, NextResponse } from 'next/server'
+import { z } from 'zod'
+import { checkInternalAuth } from '@/lib/auth/hybrid'
+
+const logger = createLogger('RedisAPI')
+
+const RequestSchema = z.object({
+  url: z.string().min(1, 'Redis connection URL is required'),
+  command: z.string().min(1, 'Redis command is required'),
+  args: z.array(z.union([z.string(), z.number()])).default([]),
+})
+
+export async function POST(request: NextRequest) {
+  let client: Redis | null = null
+
+  try {
+    const auth = await checkInternalAuth(request)
+    if (!auth.success || !auth.userId) {
+      return NextResponse.json({ error: auth.error || 'Unauthorized' }, { status: 401 })
+    }
+
+    const body = await request.json()
+    const { url, command, args } = RequestSchema.parse(body)
+
+    client = new Redis(url, {
+      connectTimeout: 10000,
+      commandTimeout: 10000,
+      maxRetriesPerRequest: 1,
+      lazyConnect: true,
+    })
+
+    await client.connect()
+
+    const cmd = command.toUpperCase()
+    // eslint-disable-next-line @typescript-eslint/no-explicit-any
+    const result = await (client as any).call(cmd, ...args)
+
+    await client.quit()
+    client = null
+
+    return NextResponse.json({ result })
+  } catch (error) {
+    logger.error('Redis command failed', { error })
+    const errorMessage = error instanceof Error ? error.message : 'Redis command failed'
+    return NextResponse.json({ error: errorMessage }, { status: 500 })
+  } finally {
+    if (client) {
+      try {
+        await client.quit()
+      } catch {
+        client.disconnect()
+      }
+    }
+  }
+}

apps/sim/app/api/tools/sharepoint/site/route.ts

@@ -6,7 +6,7 @@ import { eq } from 'drizzle-orm'
 import { type NextRequest, NextResponse } from 'next/server'
 import { getSession } from '@/lib/auth'
 import { validateMicrosoftGraphId } from '@/lib/core/security/input-validation'
-import { refreshAccessTokenIfNeeded } from '@/app/api/auth/oauth/utils'
+import { refreshAccessTokenIfNeeded, resolveOAuthAccountId } from '@/app/api/auth/oauth/utils'
 
 export const dynamic = 'force-dynamic'
 
@@ -34,17 +34,39 @@ export async function GET(request: NextRequest) {
       return NextResponse.json({ error: siteIdValidation.error }, { status: 400 })
     }
 
-    const credentials = await db.select().from(account).where(eq(account.id, credentialId)).limit(1)
+    const resolved = await resolveOAuthAccountId(credentialId)
+    if (!resolved) {
+      return NextResponse.json({ error: 'Credential not found' }, { status: 404 })
+    }
+
+    if (resolved.workspaceId) {
+      const { getUserEntityPermissions } = await import('@/lib/workspaces/permissions/utils')
+      const perm = await getUserEntityPermissions(
+        session.user.id,
+        'workspace',
+        resolved.workspaceId
+      )
+      if (perm === null) {
+        return NextResponse.json({ error: 'Forbidden' }, { status: 403 })
+      }
+    }
+
+    const credentials = await db
+      .select()
+      .from(account)
+      .where(eq(account.id, resolved.accountId))
+      .limit(1)
     if (!credentials.length) {
       return NextResponse.json({ error: 'Credential not found' }, { status: 404 })
     }
 
-    const credential = credentials[0]
-    if (credential.userId !== session.user.id) {
-      return NextResponse.json({ error: 'Unauthorized' }, { status: 403 })
-    }
+    const accountRow = credentials[0]
 
-    const accessToken = await refreshAccessTokenIfNeeded(credentialId, session.user.id, requestId)
+    const accessToken = await refreshAccessTokenIfNeeded(
+      resolved.accountId,
+      accountRow.userId,
+      requestId
+    )
     if (!accessToken) {
       return NextResponse.json({ error: 'Failed to obtain valid access token' }, { status: 401 })
     }

apps/sim/app/api/tools/sharepoint/sites/route.ts

@@ -6,7 +6,7 @@ import { eq } from 'drizzle-orm'
 import { type NextRequest, NextResponse } from 'next/server'
 import { getSession } from '@/lib/auth'
 import { validateAlphanumericId } from '@/lib/core/security/input-validation'
-import { refreshAccessTokenIfNeeded } from '@/app/api/auth/oauth/utils'
+import { refreshAccessTokenIfNeeded, resolveOAuthAccountId } from '@/app/api/auth/oauth/utils'
 import type { SharepointSite } from '@/tools/sharepoint/types'
 
 export const dynamic = 'force-dynamic'
@@ -39,17 +39,39 @@ export async function GET(request: NextRequest) {
       return NextResponse.json({ error: credentialIdValidation.error }, { status: 400 })
     }
 
-    const credentials = await db.select().from(account).where(eq(account.id, credentialId)).limit(1)
+    const resolved = await resolveOAuthAccountId(credentialId)
+    if (!resolved) {
+      return NextResponse.json({ error: 'Credential not found' }, { status: 404 })
+    }
+
+    if (resolved.workspaceId) {
+      const { getUserEntityPermissions } = await import('@/lib/workspaces/permissions/utils')
+      const perm = await getUserEntityPermissions(
+        session.user.id,
+        'workspace',
+        resolved.workspaceId
+      )
+      if (perm === null) {
+        return NextResponse.json({ error: 'Forbidden' }, { status: 403 })
+      }
+    }
+
+    const credentials = await db
+      .select()
+      .from(account)
+      .where(eq(account.id, resolved.accountId))
+      .limit(1)
     if (!credentials.length) {
       return NextResponse.json({ error: 'Credential not found' }, { status: 404 })
     }
 
-    const credential = credentials[0]
-    if (credential.userId !== session.user.id) {
-      return NextResponse.json({ error: 'Unauthorized' }, { status: 403 })
-    }
+    const accountRow = credentials[0]
 
-    const accessToken = await refreshAccessTokenIfNeeded(credentialId, session.user.id, requestId)
+    const accessToken = await refreshAccessTokenIfNeeded(
+      resolved.accountId,
+      accountRow.userId,
+      requestId
+    )
     if (!accessToken) {
       return NextResponse.json({ error: 'Failed to obtain valid access token' }, { status: 401 })
     }

apps/sim/app/api/tools/slack/send-ephemeral/route.ts

@@ -0,0 +1,96 @@
+import { createLogger } from '@sim/logger'
+import { type NextRequest, NextResponse } from 'next/server'
+import { z } from 'zod'
+import { checkInternalAuth } from '@/lib/auth/hybrid'
+import { generateRequestId } from '@/lib/core/utils/request'
+
+export const dynamic = 'force-dynamic'
+
+const logger = createLogger('SlackSendEphemeralAPI')
+
+const SlackSendEphemeralSchema = z.object({
+  accessToken: z.string().min(1, 'Access token is required'),
+  channel: z.string().min(1, 'Channel ID is required'),
+  user: z.string().min(1, 'User ID is required'),
+  text: z.string().min(1, 'Message text is required'),
+  thread_ts: z.string().optional().nullable(),
+  blocks: z.array(z.record(z.unknown())).optional().nullable(),
+})
+
+export async function POST(request: NextRequest) {
+  const requestId = generateRequestId()
+
+  try {
+    const authResult = await checkInternalAuth(request, { requireWorkflowId: false })
+
+    if (!authResult.success) {
+      logger.warn(`[${requestId}] Unauthorized Slack ephemeral send attempt: ${authResult.error}`)
+      return NextResponse.json(
+        {
+          success: false,
+          error: authResult.error || 'Authentication required',
+        },
+        { status: 401 }
+      )
+    }
+
+    logger.info(
+      `[${requestId}] Authenticated Slack ephemeral send request via ${authResult.authType}`,
+      { userId: authResult.userId }
+    )
+
+    const body = await request.json()
+    const validatedData = SlackSendEphemeralSchema.parse(body)
+
+    logger.info(`[${requestId}] Sending ephemeral message`, {
+      channel: validatedData.channel,
+      user: validatedData.user,
+      threadTs: validatedData.thread_ts ?? undefined,
+    })
+
+    const response = await fetch('https://slack.com/api/chat.postEphemeral', {
+      method: 'POST',
+      headers: {
+        'Content-Type': 'application/json',
+        Authorization: `Bearer ${validatedData.accessToken}`,
+      },
+      body: JSON.stringify({
+        channel: validatedData.channel,
+        user: validatedData.user,
+        text: validatedData.text,
+        ...(validatedData.thread_ts && { thread_ts: validatedData.thread_ts }),
+        ...(validatedData.blocks &&
+          validatedData.blocks.length > 0 && { blocks: validatedData.blocks }),
+      }),
+    })
+
+    const data = await response.json()
+
+    if (!data.ok) {
+      logger.error(`[${requestId}] Slack API error:`, data.error)
+      return NextResponse.json(
+        { success: false, error: data.error || 'Failed to send ephemeral message' },
+        { status: 400 }
+      )
+    }
+
+    logger.info(`[${requestId}] Ephemeral message sent successfully`)
+
+    return NextResponse.json({
+      success: true,
+      output: {
+        messageTs: data.message_ts,
+        channel: validatedData.channel,
+      },
+    })
+  } catch (error) {
+    logger.error(`[${requestId}] Error sending ephemeral message:`, error)
+    return NextResponse.json(
+      {
+        success: false,
+        error: error instanceof Error ? error.message : 'Unknown error occurred',
+      },
+      { status: 500 }
+    )
+  }
+}

apps/sim/app/api/tools/slack/send-message/route.ts

@@ -17,6 +17,7 @@ const SlackSendMessageSchema = z
     userId: z.string().optional().nullable(),
     text: z.string().min(1, 'Message text is required'),
     thread_ts: z.string().optional().nullable(),
+    blocks: z.array(z.record(z.unknown())).optional().nullable(),
     files: RawFileInputArraySchema.optional().nullable(),
   })
   .refine((data) => data.channel || data.userId, {
@@ -63,6 +64,7 @@ export async function POST(request: NextRequest) {
         userId: validatedData.userId ?? undefined,
         text: validatedData.text,
         threadTs: validatedData.thread_ts ?? undefined,
+        blocks: validatedData.blocks ?? undefined,
         files: validatedData.files ?? undefined,
       },
       requestId,

apps/sim/app/api/tools/slack/update-message/route.ts

@@ -13,6 +13,7 @@ const SlackUpdateMessageSchema = z.object({
   channel: z.string().min(1, 'Channel is required'),
   timestamp: z.string().min(1, 'Message timestamp is required'),
   text: z.string().min(1, 'Message text is required'),
+  blocks: z.array(z.record(z.unknown())).optional().nullable(),
 })
 
 export async function POST(request: NextRequest) {
@@ -57,6 +58,8 @@ export async function POST(request: NextRequest) {
         channel: validatedData.channel,
         ts: validatedData.timestamp,
         text: validatedData.text,
+        ...(validatedData.blocks &&
+          validatedData.blocks.length > 0 && { blocks: validatedData.blocks }),
       }),
     })
 

apps/sim/app/api/tools/slack/utils.ts

@@ -11,7 +11,8 @@ export async function postSlackMessage(
   accessToken: string,
   channel: string,
   text: string,
-  threadTs?: string | null
+  threadTs?: string | null,
+  blocks?: unknown[] | null
 ): Promise<{ ok: boolean; ts?: string; channel?: string; message?: any; error?: string }> {
   const response = await fetch('https://slack.com/api/chat.postMessage', {
     method: 'POST',
@@ -23,6 +24,7 @@ export async function postSlackMessage(
       channel,
       text,
       ...(threadTs && { thread_ts: threadTs }),
+      ...(blocks && blocks.length > 0 && { blocks }),
     }),
   })
 
@@ -220,6 +222,7 @@ export interface SlackMessageParams {
   userId?: string
   text: string
   threadTs?: string | null
+  blocks?: unknown[] | null
   files?: any[] | null
 }
 
@@ -242,7 +245,7 @@ export async function sendSlackMessage(
   }
   error?: string
 }> {
-  const { accessToken, text, threadTs, files } = params
+  const { accessToken, text, threadTs, blocks, files } = params
   let { channel } = params
 
   if (!channel && params.userId) {
@@ -258,7 +261,7 @@ export async function sendSlackMessage(
   if (!files || files.length === 0) {
     logger.info(`[${requestId}] No files, using chat.postMessage`)
 
-    const data = await postSlackMessage(accessToken, channel, text, threadTs)
+    const data = await postSlackMessage(accessToken, channel, text, threadTs, blocks)
 
     if (!data.ok) {
       logger.error(`[${requestId}] Slack API error:`, data.error)
@@ -282,7 +285,7 @@ export async function sendSlackMessage(
   if (fileIds.length === 0) {
     logger.warn(`[${requestId}] No valid files to upload, sending text-only message`)
 
-    const data = await postSlackMessage(accessToken, channel, text, threadTs)
+    const data = await postSlackMessage(accessToken, channel, text, threadTs, blocks)
 
     if (!data.ok) {
       return { success: false, error: data.error || 'Failed to send message' }

apps/sim/app/api/tools/stagehand/agent/route.ts

@@ -165,7 +165,7 @@ export async function POST(request: NextRequest) {
     }
 
     const modelName =
-      provider === 'anthropic' ? 'anthropic/claude-3-7-sonnet-latest' : 'openai/gpt-4.1'
+      provider === 'anthropic' ? 'anthropic/claude-sonnet-4-5-20250929' : 'openai/gpt-5'
 
     try {
       logger.info('Initializing Stagehand with Browserbase (v3)', { provider, modelName })

apps/sim/app/api/tools/stagehand/extract/route.ts

@@ -101,7 +101,7 @@ export async function POST(request: NextRequest) {
 
     try {
       const modelName =
-        provider === 'anthropic' ? 'anthropic/claude-3-7-sonnet-latest' : 'openai/gpt-4.1'
+        provider === 'anthropic' ? 'anthropic/claude-sonnet-4-5-20250929' : 'openai/gpt-5'
 
       logger.info('Initializing Stagehand with Browserbase (v3)', { provider, modelName })
 

apps/sim/app/api/tools/stt/route.ts

@@ -766,7 +766,7 @@ async function transcribeWithGemini(
     const error = await response.json()
     if (response.status === 404) {
       throw new Error(
-        `Model not found: ${modelName}. Use gemini-3-pro-preview, gemini-2.5-pro, gemini-2.5-flash, gemini-2.5-flash-lite, or gemini-2.0-flash-exp`
+        `Model not found: ${modelName}. Use gemini-3.1-pro-preview, gemini-3-pro-preview, gemini-2.5-pro, gemini-2.5-flash, gemini-2.5-flash-lite, or gemini-2.0-flash-exp`
       )
     }
     const errorMessage = error.error?.message || JSON.stringify(error)

apps/sim/app/api/tools/wealthbox/item/route.ts

@@ -6,7 +6,7 @@ import { type NextRequest, NextResponse } from 'next/server'
 import { getSession } from '@/lib/auth'
 import { validateEnum, validatePathSegment } from '@/lib/core/security/input-validation'
 import { generateRequestId } from '@/lib/core/utils/request'
-import { refreshAccessTokenIfNeeded } from '@/app/api/auth/oauth/utils'
+import { refreshAccessTokenIfNeeded, resolveOAuthAccountId } from '@/app/api/auth/oauth/utils'
 
 export const dynamic = 'force-dynamic'
 
@@ -64,24 +64,41 @@ export async function GET(request: NextRequest) {
       return NextResponse.json({ error: credentialIdValidation.error }, { status: 400 })
     }
 
-    const credentials = await db.select().from(account).where(eq(account.id, credentialId)).limit(1)
+    const resolved = await resolveOAuthAccountId(credentialId)
+    if (!resolved) {
+      return NextResponse.json({ error: 'Credential not found' }, { status: 404 })
+    }
+
+    if (resolved.workspaceId) {
+      const { getUserEntityPermissions } = await import('@/lib/workspaces/permissions/utils')
+      const perm = await getUserEntityPermissions(
+        session.user.id,
+        'workspace',
+        resolved.workspaceId
+      )
+      if (perm === null) {
+        return NextResponse.json({ error: 'Forbidden' }, { status: 403 })
+      }
+    }
+
+    const credentials = await db
+      .select()
+      .from(account)
+      .where(eq(account.id, resolved.accountId))
+      .limit(1)
 
     if (!credentials.length) {
       logger.warn(`[${requestId}] Credential not found`, { credentialId })
       return NextResponse.json({ error: 'Credential not found' }, { status: 404 })
     }
 
-    const credential = credentials[0]
+    const accountRow = credentials[0]
 
-    if (credential.userId !== session.user.id) {
-      logger.warn(`[${requestId}] Unauthorized credential access attempt`, {
-        credentialUserId: credential.userId,
-        requestUserId: session.user.id,
-      })
-      return NextResponse.json({ error: 'Unauthorized' }, { status: 403 })
-    }
-
-    const accessToken = await refreshAccessTokenIfNeeded(credentialId, session.user.id, requestId)
+    const accessToken = await refreshAccessTokenIfNeeded(
+      resolved.accountId,
+      accountRow.userId,
+      requestId
+    )
 
     if (!accessToken) {
       logger.error(`[${requestId}] Failed to obtain valid access token`)

apps/sim/app/api/tools/wealthbox/items/route.ts

@@ -6,7 +6,7 @@ import { type NextRequest, NextResponse } from 'next/server'
 import { getSession } from '@/lib/auth'
 import { validateEnum, validatePathSegment } from '@/lib/core/security/input-validation'
 import { generateRequestId } from '@/lib/core/utils/request'
-import { refreshAccessTokenIfNeeded } from '@/app/api/auth/oauth/utils'
+import { refreshAccessTokenIfNeeded, resolveOAuthAccountId } from '@/app/api/auth/oauth/utils'
 
 export const dynamic = 'force-dynamic'
 
@@ -64,24 +64,41 @@ export async function GET(request: NextRequest) {
       return NextResponse.json({ error: typeValidation.error }, { status: 400 })
     }
 
-    const credentials = await db.select().from(account).where(eq(account.id, credentialId)).limit(1)
+    const resolved = await resolveOAuthAccountId(credentialId)
+    if (!resolved) {
+      return NextResponse.json({ error: 'Credential not found' }, { status: 404 })
+    }
+
+    if (resolved.workspaceId) {
+      const { getUserEntityPermissions } = await import('@/lib/workspaces/permissions/utils')
+      const perm = await getUserEntityPermissions(
+        session.user.id,
+        'workspace',
+        resolved.workspaceId
+      )
+      if (perm === null) {
+        return NextResponse.json({ error: 'Forbidden' }, { status: 403 })
+      }
+    }
+
+    const credentials = await db
+      .select()
+      .from(account)
+      .where(eq(account.id, resolved.accountId))
+      .limit(1)
 
     if (!credentials.length) {
       logger.warn(`[${requestId}] Credential not found`, { credentialId })
       return NextResponse.json({ error: 'Credential not found' }, { status: 404 })
     }
 
-    const credential = credentials[0]
+    const accountRow = credentials[0]
 
-    if (credential.userId !== session.user.id) {
-      logger.warn(`[${requestId}] Unauthorized credential access attempt`, {
-        credentialUserId: credential.userId,
-        requestUserId: session.user.id,
-      })
-      return NextResponse.json({ error: 'Unauthorized' }, { status: 403 })
-    }
-
-    const accessToken = await refreshAccessTokenIfNeeded(credentialId, session.user.id, requestId)
+    const accessToken = await refreshAccessTokenIfNeeded(
+      resolved.accountId,
+      accountRow.userId,
+      requestId
+    )
 
     if (!accessToken) {
       logger.error(`[${requestId}] Failed to obtain valid access token`)

apps/sim/app/api/v1/admin/workspaces/[id]/members/[memberId]/route.ts

@@ -25,6 +25,7 @@ import { db } from '@sim/db'
 import { permissions, user, workspace } from '@sim/db/schema'
 import { createLogger } from '@sim/logger'
 import { and, eq } from 'drizzle-orm'
+import { revokeWorkspaceCredentialMemberships } from '@/lib/credentials/access'
 import { withAdminAuthParams } from '@/app/api/v1/admin/middleware'
 import {
   badRequestResponse,
@@ -215,6 +216,8 @@ export const DELETE = withAdminAuthParams<RouteParams>(async (_, context) => {
 
     await db.delete(permissions).where(eq(permissions.id, memberId))
 
+    await revokeWorkspaceCredentialMemberships(workspaceId, existingMember.userId)
+
     logger.info(`Admin API: Removed member ${memberId} from workspace ${workspaceId}`, {
       userId: existingMember.userId,
     })

apps/sim/app/api/v1/admin/workspaces/[id]/members/route.ts

@@ -32,9 +32,10 @@
 
 import crypto from 'crypto'
 import { db } from '@sim/db'
-import { permissions, user, workspace } from '@sim/db/schema'
+import { permissions, user, workspace, workspaceEnvironment } from '@sim/db/schema'
 import { createLogger } from '@sim/logger'
 import { and, count, eq } from 'drizzle-orm'
+import { syncWorkspaceEnvCredentials } from '@/lib/credentials/environment'
 import { withAdminAuthParams } from '@/app/api/v1/admin/middleware'
 import {
   badRequestResponse,
@@ -232,6 +233,20 @@ export const POST = withAdminAuthParams<RouteParams>(async (request, context) =>
       permissionId,
     })
 
+    const [wsEnvRow] = await db
+      .select({ variables: workspaceEnvironment.variables })
+      .from(workspaceEnvironment)
+      .where(eq(workspaceEnvironment.workspaceId, workspaceId))
+      .limit(1)
+    const wsEnvKeys = Object.keys((wsEnvRow?.variables as Record<string, string>) || {})
+    if (wsEnvKeys.length > 0) {
+      await syncWorkspaceEnvCredentials({
+        workspaceId,
+        envKeys: wsEnvKeys,
+        actingUserId: body.userId,
+      })
+    }
+
     return singleResponse({
       id: permissionId,
       workspaceId,

apps/sim/app/api/webhooks/trigger/[path]/route.test.ts

@@ -3,7 +3,7 @@
  *
  * @vitest-environment node
  */
-import { createMockRequest, loggerMock } from '@sim/testing'
+import { createMockRequest, loggerMock, requestUtilsMock } from '@sim/testing'
 import { afterEach, beforeEach, describe, expect, it, vi } from 'vitest'
 
 /** Mock execution dependencies for webhook tests */
@@ -348,9 +348,7 @@ vi.mock('postgres', () => vi.fn().mockReturnValue({}))
 
 vi.mock('@sim/logger', () => loggerMock)
 
-vi.mock('@/lib/core/utils/request', () => ({
-  generateRequestId: vi.fn().mockReturnValue('test-request-id'),
-}))
+vi.mock('@/lib/core/utils/request', () => requestUtilsMock)
 
 process.env.DATABASE_URL = 'postgresql://test:test@localhost:5432/test'
 

apps/sim/app/api/workflows/[id]/chat/status/route.test.ts

@@ -3,11 +3,11 @@
  *
  * @vitest-environment node
  */
-import { loggerMock } from '@sim/testing'
+import { loggerMock, mockHybridAuth } from '@sim/testing'
 import { NextRequest } from 'next/server'
 import { afterEach, beforeEach, describe, expect, it, vi } from 'vitest'
 
-const mockCheckSessionOrInternalAuth = vi.fn()
+let mockCheckSessionOrInternalAuth: ReturnType<typeof vi.fn>
 const mockAuthorizeWorkflowByWorkspacePermission = vi.fn()
 const mockDbSelect = vi.fn()
 const mockDbFrom = vi.fn()
@@ -48,9 +48,7 @@ describe('Workflow Chat Status Route', () => {
         workflowId: 'workflowId',
       },
     }))
-    vi.doMock('@/lib/auth/hybrid', () => ({
-      checkSessionOrInternalAuth: mockCheckSessionOrInternalAuth,
-    }))
+    ;({ mockCheckSessionOrInternalAuth } = mockHybridAuth())
     vi.doMock('@/lib/workflows/utils', () => ({
       authorizeWorkflowByWorkspacePermission: mockAuthorizeWorkflowByWorkspacePermission,
     }))

apps/sim/app/api/workflows/[id]/deployed/route.ts

@@ -1,9 +1,8 @@
-import { db, workflowDeploymentVersion } from '@sim/db'
 import { createLogger } from '@sim/logger'
-import { and, desc, eq } from 'drizzle-orm'
 import type { NextRequest, NextResponse } from 'next/server'
 import { verifyInternalToken } from '@/lib/auth/internal'
 import { generateRequestId } from '@/lib/core/utils/request'
+import { loadDeployedWorkflowState } from '@/lib/workflows/persistence/utils'
 import { validateWorkflowPermissions } from '@/lib/workflows/utils'
 import { createErrorResponse, createSuccessResponse } from '@/app/api/workflows/utils'
 
@@ -43,21 +42,21 @@ export async function GET(request: NextRequest, { params }: { params: Promise<{
       logger.debug(`[${requestId}] Internal API call for deployed workflow: ${id}`)
     }
 
-    const [active] = await db
-      .select({ state: workflowDeploymentVersion.state })
-      .from(workflowDeploymentVersion)
-      .where(
-        and(
-          eq(workflowDeploymentVersion.workflowId, id),
-          eq(workflowDeploymentVersion.isActive, true)
-        )
-      )
-      .orderBy(desc(workflowDeploymentVersion.createdAt))
-      .limit(1)
+    let deployedState = null
+    try {
+      const data = await loadDeployedWorkflowState(id)
+      deployedState = {
+        blocks: data.blocks,
+        edges: data.edges,
+        loops: data.loops,
+        parallels: data.parallels,
+        variables: data.variables,
+      }
+    } catch {
+      deployedState = null
+    }
 
-    const response = createSuccessResponse({
-      deployedState: active?.state || null,
-    })
+    const response = createSuccessResponse({ deployedState })
     return addNoCacheHeaders(response)
   } catch (error: any) {
     logger.error(`[${requestId}] Error fetching deployed state: ${id}`, error)

apps/sim/app/api/workflows/[id]/execute/route.ts

@@ -38,6 +38,7 @@ import { executeWorkflowJob, type WorkflowExecutionPayload } from '@/background/
 import { normalizeName } from '@/executor/constants'
 import { ExecutionSnapshot } from '@/executor/execution/snapshot'
 import type {
+  ChildWorkflowContext,
   ExecutionMetadata,
   IterationContext,
   SerializableExecutionState,
@@ -536,6 +537,7 @@ export async function POST(req: NextRequest, { params }: { params: Promise<{ id:
           useDraftState: shouldUseDraftState,
           startTime: new Date().toISOString(),
           isClientSession,
+          enforceCredentialAccess: useAuthenticatedUserAsActor,
           workflowStateOverride: effectiveWorkflowStateOverride,
         }
 
@@ -742,7 +744,8 @@ export async function POST(req: NextRequest, { params }: { params: Promise<{ id:
             blockName: string,
             blockType: string,
             executionOrder: number,
-            iterationContext?: IterationContext
+            iterationContext?: IterationContext,
+            childWorkflowContext?: ChildWorkflowContext
           ) => {
             logger.info(`[${requestId}] 🔷 onBlockStart called:`, { blockId, blockName, blockType })
             sendEvent({
@@ -761,6 +764,10 @@ export async function POST(req: NextRequest, { params }: { params: Promise<{ id:
                   iterationType: iterationContext.iterationType,
                   iterationContainerId: iterationContext.iterationContainerId,
                 }),
+                ...(childWorkflowContext && {
+                  childWorkflowBlockId: childWorkflowContext.parentBlockId,
+                  childWorkflowName: childWorkflowContext.workflowName,
+                }),
               },
             })
           }
@@ -770,9 +777,20 @@ export async function POST(req: NextRequest, { params }: { params: Promise<{ id:
             blockName: string,
             blockType: string,
             callbackData: any,
-            iterationContext?: IterationContext
+            iterationContext?: IterationContext,
+            childWorkflowContext?: ChildWorkflowContext
           ) => {
             const hasError = callbackData.output?.error
+            const childWorkflowData = childWorkflowContext
+              ? {
+                  childWorkflowBlockId: childWorkflowContext.parentBlockId,
+                  childWorkflowName: childWorkflowContext.workflowName,
+                }
+              : {}
+
+            const instanceData = callbackData.childWorkflowInstanceId
+              ? { childWorkflowInstanceId: callbackData.childWorkflowInstanceId }
+              : {}
 
             if (hasError) {
               logger.info(`[${requestId}] ✗ onBlockComplete (error) called:`, {
@@ -802,6 +820,8 @@ export async function POST(req: NextRequest, { params }: { params: Promise<{ id:
                     iterationType: iterationContext.iterationType,
                     iterationContainerId: iterationContext.iterationContainerId,
                   }),
+                  ...childWorkflowData,
+                  ...instanceData,
                 },
               })
             } else {
@@ -831,6 +851,8 @@ export async function POST(req: NextRequest, { params }: { params: Promise<{ id:
                     iterationType: iterationContext.iterationType,
                     iterationContainerId: iterationContext.iterationContainerId,
                   }),
+                  ...childWorkflowData,
+                  ...instanceData,
                 },
               })
             }
@@ -885,6 +907,7 @@ export async function POST(req: NextRequest, { params }: { params: Promise<{ id:
             useDraftState: shouldUseDraftState,
             startTime: new Date().toISOString(),
             isClientSession,
+            enforceCredentialAccess: useAuthenticatedUserAsActor,
             workflowStateOverride: effectiveWorkflowStateOverride,
           }
 
@@ -898,12 +921,34 @@ export async function POST(req: NextRequest, { params }: { params: Promise<{ id:
             selectedOutputs
           )
 
+          const onChildWorkflowInstanceReady = (
+            blockId: string,
+            childWorkflowInstanceId: string,
+            iterationContext?: IterationContext
+          ) => {
+            sendEvent({
+              type: 'block:childWorkflowStarted',
+              timestamp: new Date().toISOString(),
+              executionId,
+              workflowId,
+              data: {
+                blockId,
+                childWorkflowInstanceId,
+                ...(iterationContext && {
+                  iterationCurrent: iterationContext.iterationCurrent,
+                  iterationContainerId: iterationContext.iterationContainerId,
+                }),
+              },
+            })
+          }
+
           const result = await executeWorkflowCore({
             snapshot,
             callbacks: {
               onBlockStart,
               onBlockComplete,
               onStream,
+              onChildWorkflowInstanceReady,
             },
             loggingSession,
             abortSignal: timeoutController.signal,

apps/sim/app/api/workflows/[id]/form/status/route.test.ts

@@ -3,11 +3,11 @@
  *
  * @vitest-environment node
  */
-import { loggerMock } from '@sim/testing'
+import { loggerMock, mockHybridAuth } from '@sim/testing'
 import { NextRequest } from 'next/server'
 import { afterEach, beforeEach, describe, expect, it, vi } from 'vitest'
 
-const mockCheckSessionOrInternalAuth = vi.fn()
+let mockCheckSessionOrInternalAuth: ReturnType<typeof vi.fn>
 const mockAuthorizeWorkflowByWorkspacePermission = vi.fn()
 const mockDbSelect = vi.fn()
 const mockDbFrom = vi.fn()
@@ -43,9 +43,7 @@ describe('Workflow Form Status Route', () => {
         isActive: 'isActive',
       },
     }))
-    vi.doMock('@/lib/auth/hybrid', () => ({
-      checkSessionOrInternalAuth: mockCheckSessionOrInternalAuth,
-    }))
+    ;({ mockCheckSessionOrInternalAuth } = mockHybridAuth())
     vi.doMock('@/lib/workflows/utils', () => ({
       authorizeWorkflowByWorkspacePermission: mockAuthorizeWorkflowByWorkspacePermission,
     }))

apps/sim/app/api/workflows/[id]/route.test.ts

@@ -5,11 +5,19 @@
  * @vitest-environment node
  */
 
-import { auditMock, loggerMock, setupGlobalFetchMock } from '@sim/testing'
+import {
+  auditMock,
+  envMock,
+  loggerMock,
+  requestUtilsMock,
+  setupGlobalFetchMock,
+  telemetryMock,
+} from '@sim/testing'
 import { NextRequest } from 'next/server'
 import { afterEach, beforeEach, describe, expect, it, vi } from 'vitest'
 
-const mockGetSession = vi.fn()
+const mockCheckHybridAuth = vi.fn()
+const mockCheckSessionOrInternalAuth = vi.fn()
 const mockLoadWorkflowFromNormalizedTables = vi.fn()
 const mockGetWorkflowById = vi.fn()
 const mockAuthorizeWorkflowByWorkspacePermission = vi.fn()
@@ -17,10 +25,34 @@ const mockDbDelete = vi.fn()
 const mockDbUpdate = vi.fn()
 const mockDbSelect = vi.fn()
 
+/**
+ * Helper to set mock auth state consistently across getSession and hybrid auth.
+ */
+function mockGetSession(session: { user: { id: string } } | null) {
+  if (session) {
+    mockCheckHybridAuth.mockResolvedValue({ success: true, userId: session.user.id })
+    mockCheckSessionOrInternalAuth.mockResolvedValue({ success: true, userId: session.user.id })
+  } else {
+    mockCheckHybridAuth.mockResolvedValue({ success: false })
+    mockCheckSessionOrInternalAuth.mockResolvedValue({ success: false })
+  }
+}
+
 vi.mock('@/lib/auth', () => ({
-  getSession: () => mockGetSession(),
+  getSession: vi.fn(),
 }))
 
+vi.mock('@/lib/auth/hybrid', () => ({
+  checkHybridAuth: (...args: unknown[]) => mockCheckHybridAuth(...args),
+  checkSessionOrInternalAuth: (...args: unknown[]) => mockCheckSessionOrInternalAuth(...args),
+}))
+
+vi.mock('@/lib/core/config/env', () => envMock)
+
+vi.mock('@/lib/core/telemetry', () => telemetryMock)
+
+vi.mock('@/lib/core/utils/request', () => requestUtilsMock)
+
 vi.mock('@sim/logger', () => loggerMock)
 
 vi.mock('@/lib/audit/log', () => auditMock)
@@ -30,20 +62,14 @@ vi.mock('@/lib/workflows/persistence/utils', () => ({
     mockLoadWorkflowFromNormalizedTables(workflowId),
 }))
 
-vi.mock('@/lib/workflows/utils', async () => {
-  const actual =
-    await vi.importActual<typeof import('@/lib/workflows/utils')>('@/lib/workflows/utils')
-
-  return {
-    ...actual,
-    getWorkflowById: (workflowId: string) => mockGetWorkflowById(workflowId),
-    authorizeWorkflowByWorkspacePermission: (params: {
-      workflowId: string
-      userId: string
-      action?: 'read' | 'write' | 'admin'
-    }) => mockAuthorizeWorkflowByWorkspacePermission(params),
-  }
-})
+vi.mock('@/lib/workflows/utils', () => ({
+  getWorkflowById: (workflowId: string) => mockGetWorkflowById(workflowId),
+  authorizeWorkflowByWorkspacePermission: (params: {
+    workflowId: string
+    userId: string
+    action?: 'read' | 'write' | 'admin'
+  }) => mockAuthorizeWorkflowByWorkspacePermission(params),
+}))
 
 vi.mock('@sim/db', () => ({
   db: {
@@ -73,7 +99,7 @@ describe('Workflow By ID API Route', () => {
 
   describe('GET /api/workflows/[id]', () => {
     it('should return 401 when user is not authenticated', async () => {
-      mockGetSession.mockResolvedValue(null)
+      mockGetSession(null)
 
       const req = new NextRequest('http://localhost:3000/api/workflows/workflow-123')
       const params = Promise.resolve({ id: 'workflow-123' })
@@ -86,9 +112,7 @@ describe('Workflow By ID API Route', () => {
     })
 
     it('should return 404 when workflow does not exist', async () => {
-      mockGetSession.mockResolvedValue({
-        user: { id: 'user-123' },
-      })
+      mockGetSession({ user: { id: 'user-123' } })
 
       mockGetWorkflowById.mockResolvedValue(null)
 
@@ -118,9 +142,7 @@ describe('Workflow By ID API Route', () => {
         isFromNormalizedTables: true,
       }
 
-      mockGetSession.mockResolvedValue({
-        user: { id: 'user-123' },
-      })
+      mockGetSession({ user: { id: 'user-123' } })
 
       mockGetWorkflowById.mockResolvedValue(mockWorkflow)
       mockAuthorizeWorkflowByWorkspacePermission.mockResolvedValue({
@@ -158,9 +180,7 @@ describe('Workflow By ID API Route', () => {
         isFromNormalizedTables: true,
       }
 
-      mockGetSession.mockResolvedValue({
-        user: { id: 'user-123' },
-      })
+      mockGetSession({ user: { id: 'user-123' } })
 
       mockGetWorkflowById.mockResolvedValue(mockWorkflow)
       mockAuthorizeWorkflowByWorkspacePermission.mockResolvedValue({
@@ -190,9 +210,7 @@ describe('Workflow By ID API Route', () => {
         workspaceId: 'workspace-456',
       }
 
-      mockGetSession.mockResolvedValue({
-        user: { id: 'user-123' },
-      })
+      mockGetSession({ user: { id: 'user-123' } })
 
       mockGetWorkflowById.mockResolvedValue(mockWorkflow)
       mockAuthorizeWorkflowByWorkspacePermission.mockResolvedValue({
@@ -229,9 +247,7 @@ describe('Workflow By ID API Route', () => {
         isFromNormalizedTables: true,
       }
 
-      mockGetSession.mockResolvedValue({
-        user: { id: 'user-123' },
-      })
+      mockGetSession({ user: { id: 'user-123' } })
 
       mockGetWorkflowById.mockResolvedValue(mockWorkflow)
       mockAuthorizeWorkflowByWorkspacePermission.mockResolvedValue({
@@ -264,9 +280,7 @@ describe('Workflow By ID API Route', () => {
         workspaceId: 'workspace-456',
       }
 
-      mockGetSession.mockResolvedValue({
-        user: { id: 'user-123' },
-      })
+      mockGetSession({ user: { id: 'user-123' } })
 
       mockGetWorkflowById.mockResolvedValue(mockWorkflow)
       mockAuthorizeWorkflowByWorkspacePermission.mockResolvedValue({
@@ -308,9 +322,7 @@ describe('Workflow By ID API Route', () => {
         workspaceId: 'workspace-456',
       }
 
-      mockGetSession.mockResolvedValue({
-        user: { id: 'user-123' },
-      })
+      mockGetSession({ user: { id: 'user-123' } })
 
       mockGetWorkflowById.mockResolvedValue(mockWorkflow)
       mockAuthorizeWorkflowByWorkspacePermission.mockResolvedValue({
@@ -353,9 +365,7 @@ describe('Workflow By ID API Route', () => {
         workspaceId: 'workspace-456',
       }
 
-      mockGetSession.mockResolvedValue({
-        user: { id: 'user-123' },
-      })
+      mockGetSession({ user: { id: 'user-123' } })
 
       mockGetWorkflowById.mockResolvedValue(mockWorkflow)
       mockAuthorizeWorkflowByWorkspacePermission.mockResolvedValue({
@@ -392,9 +402,7 @@ describe('Workflow By ID API Route', () => {
         workspaceId: 'workspace-456',
       }
 
-      mockGetSession.mockResolvedValue({
-        user: { id: 'user-123' },
-      })
+      mockGetSession({ user: { id: 'user-123' } })
 
       mockGetWorkflowById.mockResolvedValue(mockWorkflow)
       mockAuthorizeWorkflowByWorkspacePermission.mockResolvedValue({
@@ -419,6 +427,16 @@ describe('Workflow By ID API Route', () => {
   })
 
   describe('PUT /api/workflows/[id]', () => {
+    function mockDuplicateCheck(results: Array<{ id: string }> = []) {
+      mockDbSelect.mockReturnValue({
+        from: vi.fn().mockReturnValue({
+          where: vi.fn().mockReturnValue({
+            limit: vi.fn().mockResolvedValue(results),
+          }),
+        }),
+      })
+    }
+
     it('should allow user with write permission to update workflow', async () => {
       const mockWorkflow = {
         id: 'workflow-123',
@@ -430,9 +448,7 @@ describe('Workflow By ID API Route', () => {
       const updateData = { name: 'Updated Workflow' }
       const updatedWorkflow = { ...mockWorkflow, ...updateData, updatedAt: new Date() }
 
-      mockGetSession.mockResolvedValue({
-        user: { id: 'user-123' },
-      })
+      mockGetSession({ user: { id: 'user-123' } })
 
       mockGetWorkflowById.mockResolvedValue(mockWorkflow)
       mockAuthorizeWorkflowByWorkspacePermission.mockResolvedValue({
@@ -442,6 +458,8 @@ describe('Workflow By ID API Route', () => {
         workspacePermission: 'write',
       })
 
+      mockDuplicateCheck([])
+
       mockDbUpdate.mockReturnValue({
         set: vi.fn().mockReturnValue({
           where: vi.fn().mockReturnValue({
@@ -474,9 +492,7 @@ describe('Workflow By ID API Route', () => {
       const updateData = { name: 'Updated Workflow' }
       const updatedWorkflow = { ...mockWorkflow, ...updateData, updatedAt: new Date() }
 
-      mockGetSession.mockResolvedValue({
-        user: { id: 'user-123' },
-      })
+      mockGetSession({ user: { id: 'user-123' } })
 
       mockGetWorkflowById.mockResolvedValue(mockWorkflow)
       mockAuthorizeWorkflowByWorkspacePermission.mockResolvedValue({
@@ -486,6 +502,8 @@ describe('Workflow By ID API Route', () => {
         workspacePermission: 'write',
       })
 
+      mockDuplicateCheck([])
+
       mockDbUpdate.mockReturnValue({
         set: vi.fn().mockReturnValue({
           where: vi.fn().mockReturnValue({
@@ -517,9 +535,7 @@ describe('Workflow By ID API Route', () => {
 
       const updateData = { name: 'Updated Workflow' }
 
-      mockGetSession.mockResolvedValue({
-        user: { id: 'user-123' },
-      })
+      mockGetSession({ user: { id: 'user-123' } })
 
       mockGetWorkflowById.mockResolvedValue(mockWorkflow)
       mockAuthorizeWorkflowByWorkspacePermission.mockResolvedValue({
@@ -551,9 +567,7 @@ describe('Workflow By ID API Route', () => {
         workspaceId: 'workspace-456',
       }
 
-      mockGetSession.mockResolvedValue({
-        user: { id: 'user-123' },
-      })
+      mockGetSession({ user: { id: 'user-123' } })
 
       mockGetWorkflowById.mockResolvedValue(mockWorkflow)
       mockAuthorizeWorkflowByWorkspacePermission.mockResolvedValue({
@@ -577,13 +591,238 @@ describe('Workflow By ID API Route', () => {
       const data = await response.json()
       expect(data.error).toBe('Invalid request data')
     })
+
+    it('should reject rename when duplicate name exists in same folder', async () => {
+      const mockWorkflow = {
+        id: 'workflow-123',
+        userId: 'user-123',
+        name: 'Original Name',
+        folderId: 'folder-1',
+        workspaceId: 'workspace-456',
+      }
+
+      mockGetSession({ user: { id: 'user-123' } })
+      mockGetWorkflowById.mockResolvedValue(mockWorkflow)
+      mockAuthorizeWorkflowByWorkspacePermission.mockResolvedValue({
+        allowed: true,
+        status: 200,
+        workflow: mockWorkflow,
+        workspacePermission: 'write',
+      })
+
+      mockDuplicateCheck([{ id: 'workflow-other' }])
+
+      const req = new NextRequest('http://localhost:3000/api/workflows/workflow-123', {
+        method: 'PUT',
+        body: JSON.stringify({ name: 'Duplicate Name' }),
+      })
+      const params = Promise.resolve({ id: 'workflow-123' })
+
+      const response = await PUT(req, { params })
+
+      expect(response.status).toBe(409)
+      const data = await response.json()
+      expect(data.error).toBe('A workflow named "Duplicate Name" already exists in this folder')
+    })
+
+    it('should reject rename when duplicate name exists at root level', async () => {
+      const mockWorkflow = {
+        id: 'workflow-123',
+        userId: 'user-123',
+        name: 'Original Name',
+        folderId: null,
+        workspaceId: 'workspace-456',
+      }
+
+      mockGetSession({ user: { id: 'user-123' } })
+      mockGetWorkflowById.mockResolvedValue(mockWorkflow)
+      mockAuthorizeWorkflowByWorkspacePermission.mockResolvedValue({
+        allowed: true,
+        status: 200,
+        workflow: mockWorkflow,
+        workspacePermission: 'write',
+      })
+
+      mockDuplicateCheck([{ id: 'workflow-other' }])
+
+      const req = new NextRequest('http://localhost:3000/api/workflows/workflow-123', {
+        method: 'PUT',
+        body: JSON.stringify({ name: 'Duplicate Name' }),
+      })
+      const params = Promise.resolve({ id: 'workflow-123' })
+
+      const response = await PUT(req, { params })
+
+      expect(response.status).toBe(409)
+      const data = await response.json()
+      expect(data.error).toBe('A workflow named "Duplicate Name" already exists in this folder')
+    })
+
+    it('should allow rename when no duplicate exists in same folder', async () => {
+      const mockWorkflow = {
+        id: 'workflow-123',
+        userId: 'user-123',
+        name: 'Original Name',
+        folderId: 'folder-1',
+        workspaceId: 'workspace-456',
+      }
+
+      const updatedWorkflow = { ...mockWorkflow, name: 'Unique Name', updatedAt: new Date() }
+
+      mockGetSession({ user: { id: 'user-123' } })
+      mockGetWorkflowById.mockResolvedValue(mockWorkflow)
+      mockAuthorizeWorkflowByWorkspacePermission.mockResolvedValue({
+        allowed: true,
+        status: 200,
+        workflow: mockWorkflow,
+        workspacePermission: 'write',
+      })
+
+      mockDuplicateCheck([])
+
+      mockDbUpdate.mockReturnValue({
+        set: vi.fn().mockReturnValue({
+          where: vi.fn().mockReturnValue({
+            returning: vi.fn().mockResolvedValue([updatedWorkflow]),
+          }),
+        }),
+      })
+
+      const req = new NextRequest('http://localhost:3000/api/workflows/workflow-123', {
+        method: 'PUT',
+        body: JSON.stringify({ name: 'Unique Name' }),
+      })
+      const params = Promise.resolve({ id: 'workflow-123' })
+
+      const response = await PUT(req, { params })
+
+      expect(response.status).toBe(200)
+      const data = await response.json()
+      expect(data.workflow.name).toBe('Unique Name')
+    })
+
+    it('should allow same name in different folders', async () => {
+      const mockWorkflow = {
+        id: 'workflow-123',
+        userId: 'user-123',
+        name: 'My Workflow',
+        folderId: 'folder-1',
+        workspaceId: 'workspace-456',
+      }
+
+      const updatedWorkflow = { ...mockWorkflow, folderId: 'folder-2', updatedAt: new Date() }
+
+      mockGetSession({ user: { id: 'user-123' } })
+      mockGetWorkflowById.mockResolvedValue(mockWorkflow)
+      mockAuthorizeWorkflowByWorkspacePermission.mockResolvedValue({
+        allowed: true,
+        status: 200,
+        workflow: mockWorkflow,
+        workspacePermission: 'write',
+      })
+
+      // No duplicate in target folder
+      mockDuplicateCheck([])
+
+      mockDbUpdate.mockReturnValue({
+        set: vi.fn().mockReturnValue({
+          where: vi.fn().mockReturnValue({
+            returning: vi.fn().mockResolvedValue([updatedWorkflow]),
+          }),
+        }),
+      })
+
+      const req = new NextRequest('http://localhost:3000/api/workflows/workflow-123', {
+        method: 'PUT',
+        body: JSON.stringify({ folderId: 'folder-2' }),
+      })
+      const params = Promise.resolve({ id: 'workflow-123' })
+
+      const response = await PUT(req, { params })
+
+      expect(response.status).toBe(200)
+      const data = await response.json()
+      expect(data.workflow.folderId).toBe('folder-2')
+    })
+
+    it('should reject moving to a folder where same name already exists', async () => {
+      const mockWorkflow = {
+        id: 'workflow-123',
+        userId: 'user-123',
+        name: 'My Workflow',
+        folderId: 'folder-1',
+        workspaceId: 'workspace-456',
+      }
+
+      mockGetSession({ user: { id: 'user-123' } })
+      mockGetWorkflowById.mockResolvedValue(mockWorkflow)
+      mockAuthorizeWorkflowByWorkspacePermission.mockResolvedValue({
+        allowed: true,
+        status: 200,
+        workflow: mockWorkflow,
+        workspacePermission: 'write',
+      })
+
+      // Duplicate exists in target folder
+      mockDuplicateCheck([{ id: 'workflow-other' }])
+
+      const req = new NextRequest('http://localhost:3000/api/workflows/workflow-123', {
+        method: 'PUT',
+        body: JSON.stringify({ folderId: 'folder-2' }),
+      })
+      const params = Promise.resolve({ id: 'workflow-123' })
+
+      const response = await PUT(req, { params })
+
+      expect(response.status).toBe(409)
+      const data = await response.json()
+      expect(data.error).toBe('A workflow named "My Workflow" already exists in this folder')
+    })
+
+    it('should skip duplicate check when only updating non-name/non-folder fields', async () => {
+      const mockWorkflow = {
+        id: 'workflow-123',
+        userId: 'user-123',
+        name: 'Test Workflow',
+        workspaceId: 'workspace-456',
+      }
+
+      const updatedWorkflow = { ...mockWorkflow, color: '#FF0000', updatedAt: new Date() }
+
+      mockGetSession({ user: { id: 'user-123' } })
+      mockGetWorkflowById.mockResolvedValue(mockWorkflow)
+      mockAuthorizeWorkflowByWorkspacePermission.mockResolvedValue({
+        allowed: true,
+        status: 200,
+        workflow: mockWorkflow,
+        workspacePermission: 'write',
+      })
+
+      mockDbUpdate.mockReturnValue({
+        set: vi.fn().mockReturnValue({
+          where: vi.fn().mockReturnValue({
+            returning: vi.fn().mockResolvedValue([updatedWorkflow]),
+          }),
+        }),
+      })
+
+      const req = new NextRequest('http://localhost:3000/api/workflows/workflow-123', {
+        method: 'PUT',
+        body: JSON.stringify({ color: '#FF0000' }),
+      })
+      const params = Promise.resolve({ id: 'workflow-123' })
+
+      const response = await PUT(req, { params })
+
+      expect(response.status).toBe(200)
+      // db.select should NOT have been called since no name/folder change
+      expect(mockDbSelect).not.toHaveBeenCalled()
+    })
   })
 
   describe('Error handling', () => {
     it.concurrent('should handle database errors gracefully', async () => {
-      mockGetSession.mockResolvedValue({
-        user: { id: 'user-123' },
-      })
+      mockGetSession({ user: { id: 'user-123' } })
 
       mockGetWorkflowById.mockRejectedValue(new Error('Database connection timeout'))
 

apps/sim/app/api/workflows/[id]/route.ts

@@ -1,7 +1,7 @@
 import { db } from '@sim/db'
 import { templates, webhook, workflow } from '@sim/db/schema'
 import { createLogger } from '@sim/logger'
-import { eq } from 'drizzle-orm'
+import { and, eq, isNull, ne } from 'drizzle-orm'
 import { type NextRequest, NextResponse } from 'next/server'
 import { z } from 'zod'
 import { AuditAction, AuditResourceType, recordAudit } from '@/lib/audit/log'
@@ -411,6 +411,45 @@ export async function PUT(request: NextRequest, { params }: { params: Promise<{
     if (updates.folderId !== undefined) updateData.folderId = updates.folderId
     if (updates.sortOrder !== undefined) updateData.sortOrder = updates.sortOrder
 
+    if (updates.name !== undefined || updates.folderId !== undefined) {
+      const targetName = updates.name ?? workflowData.name
+      const targetFolderId =
+        updates.folderId !== undefined ? updates.folderId : workflowData.folderId
+
+      if (!workflowData.workspaceId) {
+        logger.error(`[${requestId}] Workflow ${workflowId} has no workspaceId`)
+        return NextResponse.json({ error: 'Internal server error' }, { status: 500 })
+      }
+
+      const conditions = [
+        eq(workflow.workspaceId, workflowData.workspaceId),
+        eq(workflow.name, targetName),
+        ne(workflow.id, workflowId),
+      ]
+
+      if (targetFolderId) {
+        conditions.push(eq(workflow.folderId, targetFolderId))
+      } else {
+        conditions.push(isNull(workflow.folderId))
+      }
+
+      const [duplicate] = await db
+        .select({ id: workflow.id })
+        .from(workflow)
+        .where(and(...conditions))
+        .limit(1)
+
+      if (duplicate) {
+        logger.warn(
+          `[${requestId}] Duplicate workflow name "${targetName}" in folder ${targetFolderId ?? 'root'}`
+        )
+        return NextResponse.json(
+          { error: `A workflow named "${targetName}" already exists in this folder` },
+          { status: 409 }
+        )
+      }
+    }
+
     // Update the workflow
     const [updatedWorkflow] = await db
       .update(workflow)

apps/sim/app/api/workflows/route.test.ts

@@ -1,11 +1,16 @@
 /**
  * @vitest-environment node
  */
-import { auditMock, createMockRequest, mockConsoleLogger, setupCommonApiMocks } from '@sim/testing'
+import {
+  auditMock,
+  createMockRequest,
+  mockConsoleLogger,
+  mockHybridAuth,
+  setupCommonApiMocks,
+} from '@sim/testing'
 import { drizzleOrmMock } from '@sim/testing/mocks'
 import { beforeEach, describe, expect, it, vi } from 'vitest'
 
-const mockCheckSessionOrInternalAuth = vi.fn()
 const mockGetUserEntityPermissions = vi.fn()
 const mockDbSelect = vi.fn()
 const mockDbInsert = vi.fn()
@@ -30,6 +35,7 @@ describe('Workflows API Route - POST ordering', () => {
       randomUUID: vi.fn().mockReturnValue('workflow-new-id'),
     })
 
+    const { mockCheckSessionOrInternalAuth } = mockHybridAuth()
     mockCheckSessionOrInternalAuth.mockResolvedValue({
       success: true,
       userId: 'user-123',
@@ -45,10 +51,6 @@ describe('Workflows API Route - POST ordering', () => {
       },
     }))
 
-    vi.doMock('@/lib/auth/hybrid', () => ({
-      checkSessionOrInternalAuth: (...args: unknown[]) => mockCheckSessionOrInternalAuth(...args),
-    }))
-
     vi.doMock('@/lib/workspaces/permissions/utils', () => ({
       getUserEntityPermissions: (...args: unknown[]) => mockGetUserEntityPermissions(...args),
       workspaceExists: vi.fn(),

apps/sim/app/api/workspaces/[id]/environment/route.ts

@@ -1,13 +1,15 @@
 import { db } from '@sim/db'
-import { environment, workspaceEnvironment } from '@sim/db/schema'
+import { workspaceEnvironment } from '@sim/db/schema'
 import { createLogger } from '@sim/logger'
 import { eq } from 'drizzle-orm'
 import { type NextRequest, NextResponse } from 'next/server'
 import { z } from 'zod'
 import { AuditAction, AuditResourceType, recordAudit } from '@/lib/audit/log'
 import { getSession } from '@/lib/auth'
-import { decryptSecret, encryptSecret } from '@/lib/core/security/encryption'
+import { encryptSecret } from '@/lib/core/security/encryption'
 import { generateRequestId } from '@/lib/core/utils/request'
+import { syncWorkspaceEnvCredentials } from '@/lib/credentials/environment'
+import { getPersonalAndWorkspaceEnv } from '@/lib/environment/utils'
 import { getUserEntityPermissions, getWorkspaceById } from '@/lib/workspaces/permissions/utils'
 
 const logger = createLogger('WorkspaceEnvironmentAPI')
@@ -45,44 +47,10 @@ export async function GET(request: NextRequest, { params }: { params: Promise<{
       return NextResponse.json({ error: 'Unauthorized' }, { status: 401 })
     }
 
-    // Workspace env (encrypted)
-    const wsEnvRow = await db
-      .select()
-      .from(workspaceEnvironment)
-      .where(eq(workspaceEnvironment.workspaceId, workspaceId))
-      .limit(1)
-
-    const wsEncrypted: Record<string, string> = (wsEnvRow[0]?.variables as any) || {}
-
-    // Personal env (encrypted)
-    const personalRow = await db
-      .select()
-      .from(environment)
-      .where(eq(environment.userId, userId))
-      .limit(1)
-
-    const personalEncrypted: Record<string, string> = (personalRow[0]?.variables as any) || {}
-
-    // Decrypt both for UI
-    const decryptAll = async (src: Record<string, string>) => {
-      const out: Record<string, string> = {}
-      for (const [k, v] of Object.entries(src)) {
-        try {
-          const { decrypted } = await decryptSecret(v)
-          out[k] = decrypted
-        } catch {
-          out[k] = ''
-        }
-      }
-      return out
-    }
-
-    const [workspaceDecrypted, personalDecrypted] = await Promise.all([
-      decryptAll(wsEncrypted),
-      decryptAll(personalEncrypted),
-    ])
-
-    const conflicts = Object.keys(personalDecrypted).filter((k) => k in workspaceDecrypted)
+    const { workspaceDecrypted, personalDecrypted, conflicts } = await getPersonalAndWorkspaceEnv(
+      userId,
+      workspaceId
+    )
 
     return NextResponse.json(
       {
@@ -157,6 +125,12 @@ export async function PUT(request: NextRequest, { params }: { params: Promise<{
         set: { variables: merged, updatedAt: new Date() },
       })
 
+    await syncWorkspaceEnvCredentials({
+      workspaceId,
+      envKeys: Object.keys(merged),
+      actingUserId: userId,
+    })
+
     recordAudit({
       workspaceId,
       actorId: userId,
@@ -236,6 +210,12 @@ export async function DELETE(
         set: { variables: current, updatedAt: new Date() },
       })
 
+    await syncWorkspaceEnvCredentials({
+      workspaceId,
+      envKeys: Object.keys(current),
+      actingUserId: userId,
+    })
+
     return NextResponse.json({ success: true })
   } catch (error: any) {
     logger.error(`[${requestId}] Workspace env DELETE error`, error)

apps/sim/app/api/workspaces/[id]/permissions/route.ts

@@ -1,12 +1,13 @@
 import crypto from 'crypto'
 import { db } from '@sim/db'
-import { permissions, workspace } from '@sim/db/schema'
+import { permissions, workspace, workspaceEnvironment } from '@sim/db/schema'
 import { createLogger } from '@sim/logger'
 import { and, eq } from 'drizzle-orm'
 import { type NextRequest, NextResponse } from 'next/server'
 import { z } from 'zod'
 import { AuditAction, AuditResourceType, recordAudit } from '@/lib/audit/log'
 import { getSession } from '@/lib/auth'
+import { syncWorkspaceEnvCredentials } from '@/lib/credentials/environment'
 import {
   getUsersWithPermissions,
   hasWorkspaceAdminAccess,
@@ -155,6 +156,20 @@ export async function PATCH(request: NextRequest, { params }: { params: Promise<
       }
     })
 
+    const [wsEnvRow] = await db
+      .select({ variables: workspaceEnvironment.variables })
+      .from(workspaceEnvironment)
+      .where(eq(workspaceEnvironment.workspaceId, workspaceId))
+      .limit(1)
+    const wsEnvKeys = Object.keys((wsEnvRow?.variables as Record<string, string>) || {})
+    if (wsEnvKeys.length > 0) {
+      await syncWorkspaceEnvCredentials({
+        workspaceId,
+        envKeys: wsEnvKeys,
+        actingUserId: session.user.id,
+      })
+    }
+
     const updatedUsers = await getUsersWithPermissions(workspaceId)
 
     for (const update of body.updates) {

apps/sim/app/api/workspaces/invitations/[invitationId]/route.test.ts

@@ -8,15 +8,27 @@ const mockHasWorkspaceAdminAccess = vi.fn()
 let dbSelectResults: any[] = []
 let dbSelectCallIndex = 0
 
-const mockDbSelect = vi.fn().mockImplementation(() => ({
-  from: vi.fn().mockReturnThis(),
-  where: vi.fn().mockReturnThis(),
-  then: vi.fn().mockImplementation((callback: (rows: any[]) => any) => {
-    const result = dbSelectResults[dbSelectCallIndex] || []
-    dbSelectCallIndex++
-    return Promise.resolve(callback ? callback(result) : result)
-  }),
-}))
+const mockDbSelect = vi.fn().mockImplementation(() => {
+  const makeThen = () =>
+    vi.fn().mockImplementation((callback: (rows: any[]) => any) => {
+      const result = dbSelectResults[dbSelectCallIndex] || []
+      dbSelectCallIndex++
+      return Promise.resolve(callback ? callback(result) : result)
+    })
+  const makeLimit = () =>
+    vi.fn().mockImplementation(() => {
+      const result = dbSelectResults[dbSelectCallIndex] || []
+      dbSelectCallIndex++
+      return Promise.resolve(result)
+    })
+
+  const chain: any = {}
+  chain.from = vi.fn().mockReturnValue(chain)
+  chain.where = vi.fn().mockReturnValue(chain)
+  chain.limit = makeLimit()
+  chain.then = makeThen()
+  return chain
+})
 
 const mockDbInsert = vi.fn().mockImplementation(() => ({
   values: vi.fn().mockResolvedValue(undefined),
@@ -53,6 +65,10 @@ vi.mock('@/lib/workspaces/permissions/utils', () => ({
     mockHasWorkspaceAdminAccess(userId, workspaceId),
 }))
 
+vi.mock('@/lib/credentials/environment', () => ({
+  syncWorkspaceEnvCredentials: vi.fn().mockResolvedValue(undefined),
+}))
+
 vi.mock('@sim/logger', () => loggerMock)
 
 vi.mock('@/lib/audit/log', () => auditMock)
@@ -97,6 +113,10 @@ vi.mock('@sim/db/schema', () => ({
     userId: 'userId',
     permissionType: 'permissionType',
   },
+  workspaceEnvironment: {
+    workspaceId: 'workspaceId',
+    variables: 'variables',
+  },
 }))
 
 vi.mock('drizzle-orm', () => ({
@@ -209,6 +229,7 @@ describe('Workspace Invitation [invitationId] API Route', () => {
         [mockWorkspace],
         [{ ...mockUser, email: 'invited@example.com' }],
         [],
+        [],
       ]
 
       const request = new NextRequest(
@@ -462,6 +483,7 @@ describe('Workspace Invitation [invitationId] API Route', () => {
         [mockWorkspace],
         [{ ...mockUser, email: 'invited@example.com' }],
         [],
+        [],
       ]
 
       const request2 = new NextRequest(

apps/sim/app/api/workspaces/invitations/[invitationId]/route.ts

@@ -6,6 +6,7 @@ import {
   user,
   type WorkspaceInvitationStatus,
   workspace,
+  workspaceEnvironment,
   workspaceInvitation,
 } from '@sim/db/schema'
 import { createLogger } from '@sim/logger'
@@ -15,6 +16,7 @@ import { WorkspaceInvitationEmail } from '@/components/emails'
 import { AuditAction, AuditResourceType, recordAudit } from '@/lib/audit/log'
 import { getSession } from '@/lib/auth'
 import { getBaseUrl } from '@/lib/core/utils/urls'
+import { syncWorkspaceEnvCredentials } from '@/lib/credentials/environment'
 import { sendEmail } from '@/lib/messaging/email/mailer'
 import { getFromEmailAddress } from '@/lib/messaging/email/utils'
 import { hasWorkspaceAdminAccess } from '@/lib/workspaces/permissions/utils'
@@ -163,6 +165,20 @@ export async function GET(
           .where(eq(workspaceInvitation.id, invitation.id))
       })
 
+      const [wsEnvRow] = await db
+        .select({ variables: workspaceEnvironment.variables })
+        .from(workspaceEnvironment)
+        .where(eq(workspaceEnvironment.workspaceId, invitation.workspaceId))
+        .limit(1)
+      const wsEnvKeys = Object.keys((wsEnvRow?.variables as Record<string, string>) || {})
+      if (wsEnvKeys.length > 0) {
+        await syncWorkspaceEnvCredentials({
+          workspaceId: invitation.workspaceId,
+          envKeys: wsEnvKeys,
+          actingUserId: session.user.id,
+        })
+      }
+
       recordAudit({
         workspaceId: invitation.workspaceId,
         actorId: session.user.id,

apps/sim/app/api/workspaces/members/[id]/route.ts

@@ -6,6 +6,7 @@ import { type NextRequest, NextResponse } from 'next/server'
 import { z } from 'zod'
 import { AuditAction, AuditResourceType, recordAudit } from '@/lib/audit/log'
 import { getSession } from '@/lib/auth'
+import { revokeWorkspaceCredentialMemberships } from '@/lib/credentials/access'
 import { hasWorkspaceAdminAccess } from '@/lib/workspaces/permissions/utils'
 
 const logger = createLogger('WorkspaceMemberAPI')
@@ -102,6 +103,8 @@ export async function DELETE(req: NextRequest, { params }: { params: Promise<{ i
         )
       )
 
+    await revokeWorkspaceCredentialMemberships(workspaceId, userId)
+
     recordAudit({
       workspaceId,
       actorId: session.user.id,

apps/sim/app/workspace/[workspaceId]/logs/logs.tsx

@@ -208,9 +208,10 @@ export default function Logs() {
 
   const selectedLog = useMemo(() => {
     if (!selectedLogFromList) return null
-    if (!activeLogQuery.data || isPreviewOpen) return selectedLogFromList
+    if (!activeLogQuery.data || isPreviewOpen || activeLogQuery.isPlaceholderData)
+      return selectedLogFromList
     return { ...selectedLogFromList, ...activeLogQuery.data }
-  }, [selectedLogFromList, activeLogQuery.data, isPreviewOpen])
+  }, [selectedLogFromList, activeLogQuery.data, activeLogQuery.isPlaceholderData, isPreviewOpen])
 
   const handleLogHover = useCallback(
     (log: WorkflowLog) => {
@@ -650,7 +651,7 @@ export default function Logs() {
         hasActiveFilters={filtersActive}
       />
 
-      {isPreviewOpen && activeLogQuery.data?.executionId && (
+      {isPreviewOpen && !activeLogQuery.isPlaceholderData && activeLogQuery.data?.executionId && (
         <ExecutionSnapshot
           executionId={activeLogQuery.data.executionId}
           traceSpans={activeLogQuery.data.executionData?.traceSpans}

apps/sim/app/workspace/[workspaceId]/tables/page.tsx

@@ -1,6 +1,7 @@
 import { redirect } from 'next/navigation'
 import { getSession } from '@/lib/auth'
 import { verifyWorkspaceMembership } from '@/app/api/workflows/utils'
+import { getUserPermissionConfig } from '@/ee/access-control/utils/permission-check'
 import { TablesView } from './components'
 
 interface TablesPageProps {
@@ -22,5 +23,10 @@ export default async function TablesPage({ params }: TablesPageProps) {
     redirect('/')
   }
 
+  const permissionConfig = await getUserPermissionConfig(session.user.id)
+  if (permissionConfig?.hideTablesTab) {
+    redirect(`/workspace/${workspaceId}`)
+  }
+
   return <TablesView />
 }

apps/sim/app/workspace/[workspaceId]/w/[workflowId]/components/panel/components/deploy/hooks/use-change-detection.ts

@@ -1,5 +1,6 @@
 import { useMemo } from 'react'
 import { hasWorkflowChanged } from '@/lib/workflows/comparison'
+import { mergeSubblockStateWithValues } from '@/lib/workflows/subblocks'
 import { useVariablesStore } from '@/stores/panel/variables/store'
 import { useSubBlockStore } from '@/stores/workflows/subblock/store'
 import { useWorkflowStore } from '@/stores/workflows/workflow/store'
@@ -42,44 +43,10 @@ export function useChangeDetection({
   const currentState = useMemo((): WorkflowState | null => {
     if (!workflowId) return null
 
-    const blocksWithSubBlocks: WorkflowState['blocks'] = {}
-    for (const [blockId, block] of Object.entries(blocks)) {
-      const blockSubValues = subBlockValues?.[blockId] || {}
-      const subBlocks: Record<string, any> = {}
-
-      if (block.subBlocks) {
-        for (const [subId, subBlock] of Object.entries(block.subBlocks)) {
-          const storedValue = blockSubValues[subId]
-          subBlocks[subId] = {
-            ...subBlock,
-            value: storedValue !== undefined ? storedValue : subBlock.value,
-          }
-        }
-      }
-
-      if (block.triggerMode) {
-        const triggerConfigValue = blockSubValues?.triggerConfig
-        if (
-          triggerConfigValue &&
-          typeof triggerConfigValue === 'object' &&
-          !subBlocks.triggerConfig
-        ) {
-          subBlocks.triggerConfig = {
-            id: 'triggerConfig',
-            type: 'short-input',
-            value: triggerConfigValue,
-          }
-        }
-      }
-
-      blocksWithSubBlocks[blockId] = {
-        ...block,
-        subBlocks,
-      }
-    }
+    const mergedBlocks = mergeSubblockStateWithValues(blocks, subBlockValues ?? {})
 
     return {
-      blocks: blocksWithSubBlocks,
+      blocks: mergedBlocks,
       edges,
       loops,
       parallels,