remove dup test

* fix(executor): isolated-vm worker pool to prevent single-worker bottleneck

* chore(helm): add isolated-vm worker pool env vars to values.yaml

* fix(userid): resolution for fair scheduling

* add fallback back

* add to helm charts

* remove constant fallbacks

* fix

* address bugbot comments

* fix fallbacks

* one more bugbot comment

---------

Co-authored-by: Vikhyath Mondreti <vikhyath@simstudio.ai>

apps/docs/components/icons.tsx

@@ -1131,6 +1131,32 @@ export function AirtableIcon(props: SVGProps<SVGSVGElement>) {
   )
 }
 
+export function AirweaveIcon(props: SVGProps<SVGSVGElement>) {
+  return (
+    <svg
+      {...props}
+      width='143'
+      height='143'
+      viewBox='0 0 143 143'
+      fill='none'
+      xmlns='http://www.w3.org/2000/svg'
+    >
+      <path
+        d='M89.8854 128.872C79.9165 123.339 66.7502 115.146 60.5707 107.642L60.0432 107.018C58.7836 105.5 57.481 104.014 56.1676 102.593C51.9152 97.9641 47.3614 93.7978 42.646 90.2021C40.7405 88.7487 38.7704 87.3492 36.8111 86.0789C35.7991 85.4222 34.8302 84.8193 33.9151 84.2703C31.6221 82.903 28.8338 82.5263 26.2716 83.2476C23.8385 83.9366 21.89 85.5406 20.7596 87.7476C18.5634 92.0323 20.0814 97.3289 24.2046 99.805C27.5204 101.786 30.7608 104.111 33.8398 106.717C34.2381 107.05 34.3996 107.578 34.2596 108.062C33.1292 112.185 31.9989 118.957 31.5682 121.67C30.6424 127.429 33.4737 133.081 38.5982 135.751L38.7812 135.848C41.0204 137 43.6472 136.946 45.8219 135.697C47.9858 134.459 49.353 132.231 49.4822 129.733C49.536 128.657 49.6006 127.58 49.676 126.59C49.719 126.062 50.042 125.632 50.5264 125.459C50.6772 125.406 50.8494 125.373 51.0001 125.373C51.3554 125.373 51.6784 125.513 51.9475 125.782C56.243 130.185 60.8829 134.169 65.7167 137.625C70.3674 140.951 75.8686 142.706 81.639 142.706C83.7383 142.706 85.8376 142.469 87.8938 141.995L88.1199 141.942C90.9943 141.274 93.029 139.024 93.4488 136.085C93.8687 133.146 92.4476 130.315 89.8747 128.883H89.8639L89.8854 128.872Z'
+        fill='currentColor'
+      />
+      <path
+        d='M142.551 58.1747L142.529 58.0563C142.045 55.591 140.118 53.7069 137.598 53.2548C135.112 52.8134 132.754 53.8577 131.484 55.9893L131.408 56.1077C126.704 64.1604 120.061 71.6101 111.653 78.2956C109.446 80.0504 107.293 81.902 105.226 83.8075C103.644 85.2717 101.265 85.53 99.4452 84.4212C97.6474 83.3339 95.8495 82.1389 94.1055 80.8686C90.3268 78.1233 86.6772 74.9475 83.2753 71.4271C81.4989 69.597 79.798 67.6915 78.1939 65.7321C76.0408 63.1161 73.7477 60.5539 71.3685 58.1316C66.3195 52.9857 56.6089 45.9127 53.7453 43.878C53.3792 43.6304 53.1639 43.2428 53.0993 42.8014C53.0455 42.3601 53.1639 41.9509 53.4546 41.6064C55.274 39.4318 56.9965 37.1818 58.5683 34.921C60.2369 32.5311 60.786 29.6028 60.0862 26.8899C59.408 24.2523 57.6424 22.11 55.134 20.8827C50.9139 18.7942 45.8972 20.0968 43.2273 23.9293C40.8373 27.3636 38.0167 30.7332 34.8732 33.9306C34.5718 34.232 34.1304 34.3397 33.7213 34.1889C30.5239 33.1447 27.2296 32.2942 23.9461 31.659C23.7093 31.616 23.354 31.5514 22.9126 31.4975C16.4102 30.5286 10.1123 33.7798 7.21639 39.5717L7.1195 39.7548C6.18289 41.628 6.26902 43.8349 7.32405 45.6651C8.40061 47.5167 10.3277 48.701 12.4592 48.8194C13.4604 48.8732 14.4401 48.9378 15.3659 49.0024C15.7966 49.0347 16.1411 49.2823 16.3025 49.6914C16.4533 50.1112 16.3671 50.5419 16.0657 50.8541C12.147 54.8804 8.60515 59.1974 5.5262 63.6867C1.1446 70.0814 -0.481008 78.2095 1.08 85.9822L1.10154 86.1006C1.70441 89.0719 4.05131 91.2035 7.07644 91.5264C9.98315 91.8386 12.6099 90.3208 13.7619 87.6724L13.8265 87.5109C18.6925 75.8625 26.7559 65.5168 37.7907 56.7536C38.3182 56.3445 39.0072 56.28 39.567 56.5922C45.3373 59.768 50.8601 63.902 55.9738 68.8864C56.5982 69.4893 56.6089 70.5013 56.0168 71.1257C53.4761 73.8063 51.0862 76.6054 48.9115 79.469C47.2106 81.7083 47.5335 84.8949 49.6221 86.7358L53.3254 89.9977L53.2824 90.0409C53.8637 90.5576 54.445 91.0744 55.0264 91.5911L55.8123 92.194C56.9319 93.1844 58.3529 93.6365 59.8386 93.4858C61.3027 93.3351 62.67 92.56 63.5635 91.3758C65.1353 89.2873 66.8578 87.2525 68.6556 85.304C68.957 84.9702 69.3661 84.798 69.8075 84.7872C70.2705 84.7872 70.6257 84.9379 70.9164 85.2286C75.8147 90.0624 81.1114 94.3686 86.6772 97.9966C88.8626 99.4176 89.4978 102.26 88.1306 104.477C86.9248 106.448 85.7729 108.493 84.7179 110.539C83.5014 112.918 83.2968 115.738 84.1688 118.257C84.9978 120.68 86.7095 122.585 88.981 123.64C90.2514 124.232 91.5971 124.534 92.9859 124.534C96.5062 124.534 99.682 122.596 101.286 119.452C102.729 116.61 104.419 113.8 106.281 111.131C107.369 109.559 109.36 108.838 111.255 109.322C115.26 110.355 120.643 111.421 124.454 112.143C128.308 112.864 132.119 111.023 133.96 107.578L134.143 107.233C135.521 104.628 135.531 101.506 134.164 98.8901C132.786 96.2526 130.181 94.4655 127.21 94.121C126.478 94.0349 125.778 93.9488 125.11 93.8626C124.97 93.8411 124.852 93.8196 124.744 93.798L123.356 93.4751L124.357 92.4523C124.432 92.377 124.529 92.2801 124.658 92.194C128.771 88.8028 132.571 85.1963 135.962 81.4714C141.668 75.1951 144.122 66.4965 142.518 58.1747H142.529H142.551Z'
+        fill='currentColor'
+      />
+      <path
+        d='M56.6506 14.3371C65.5861 19.6338 77.4067 27.3743 82.9833 34.1674C83.64 34.9532 84.2967 35.7391 84.9534 36.4927C86.1591 37.8815 86.2991 39.8731 85.2979 41.4233C83.4892 44.2116 81.4115 46.9569 79.1399 49.5945C77.4713 51.5107 77.4067 54.3098 78.9785 56.2476L79.0431 56.323C79.2261 56.5598 79.4306 56.8074 79.6136 57.0442C81.2931 59.1758 83.0801 61.2213 84.9211 63.1375C85.9007 64.1603 87.2249 64.7309 88.6352 64.7309L88.7644 65.5275L88.7429 64.7309C90.207 64.6986 91.6173 64.0526 92.5969 62.933C94.8362 60.4031 96.9247 57.744 98.8302 55.0633C100.133 53.2224 102.63 52.8026 104.525 54.1052C106.463 55.4402 108.465 56.7105 110.457 57.8839C112.793 59.2511 115.614 59.5095 118.165 58.5621C120.749 57.604 122.762 55.5694 123.656 52.9533C125.055 48.9055 123.257 44.2547 119.382 41.9078C116.755 40.3145 114.15 38.5166 111.674 36.5788C110.382 35.5561 109.833 33.8767 110.296 32.2941C111.437 28.3001 112.481 23.1218 113.148 19.4831C113.837 15.7259 112.147 11.8826 108.939 9.94477L108.562 9.72944C105.871 8.12537 102.587 8.00696 99.7668 9.40649C96.9247 10.8168 95.03 13.5405 94.6855 16.6733L94.6639 16.867C94.6209 17.2546 94.384 17.5453 94.018 17.6637C93.652 17.7821 93.2859 17.6852 93.0168 17.4269C89.0012 13.1422 84.738 9.25576 80.3134 5.8646C74.3708 1.31075 66.7811 -0.583999 59.4928 0.675575L59.1805 0.729423C56.1124 1.2677 53.7547 3.60383 53.1949 6.68279C52.6351 9.72946 53.9915 12.7223 56.6722 14.3048H56.6614L56.6506 14.3371Z'
+        fill='currentColor'
+      />
+    </svg>
+  )
+}
+
 export function GoogleDocsIcon(props: SVGProps<SVGSVGElement>) {
   return (
     <svg
@@ -5436,3 +5462,24 @@ export function EnrichSoIcon(props: SVGProps<SVGSVGElement>) {
     </svg>
   )
 }
+
+export function AgentSkillsIcon(props: SVGProps<SVGSVGElement>) {
+  return (
+    <svg
+      {...props}
+      xmlns='http://www.w3.org/2000/svg'
+      width='16'
+      height='16'
+      viewBox='0 0 16 16'
+      fill='none'
+    >
+      <path
+        d='M8 1L14.0622 4.5V11.5L8 15L1.93782 11.5V4.5L8 1Z'
+        stroke='currentColor'
+        strokeWidth='1.5'
+        fill='none'
+      />
+      <path d='M8 4.5L11 6.25V9.75L8 11.5L5 9.75V6.25L8 4.5Z' fill='currentColor' />
+    </svg>
+  )
+}

apps/docs/components/ui/icon-mapping.ts

@@ -7,6 +7,7 @@ import {
   A2AIcon,
   AhrefsIcon,
   AirtableIcon,
+  AirweaveIcon,
   ApifyIcon,
   ApolloIcon,
   ArxivIcon,
@@ -141,6 +142,7 @@ export const blockTypeToIconMap: Record<string, IconComponent> = {
   a2a: A2AIcon,
   ahrefs: AhrefsIcon,
   airtable: AirtableIcon,
+  airweave: AirweaveIcon,
   apify: ApifyIcon,
   apollo: ApolloIcon,
   arxiv: ArxivIcon,

apps/docs/content/docs/en/meta.json

@@ -10,6 +10,7 @@
     "connections",
     "mcp",
     "copilot",
+    "skills",
     "knowledgebase",
     "variables",
     "execution",

apps/docs/content/docs/en/skills/index.mdx

@@ -0,0 +1,134 @@
+---
+title: Agent Skills
+---
+
+import { Callout } from 'fumadocs-ui/components/callout'
+
+Agent Skills are reusable packages of instructions that give your AI agents specialized capabilities. Based on the open [Agent Skills](https://agentskills.io) format, skills let you capture domain expertise, workflows, and best practices that agents can load on demand.
+
+## How Skills Work
+
+Skills use **progressive disclosure** to keep agent context lean:
+
+1. **Discovery** — Only skill names and descriptions are included in the agent's system prompt (~50-100 tokens each)
+2. **Activation** — When the agent decides a skill is relevant, it calls the `load_skill` tool to load the full instructions into context
+3. **Execution** — The agent follows the loaded instructions to complete the task
+
+This means you can attach many skills to an agent without bloating its context window. The agent only loads what it needs.
+
+## Creating Skills
+
+Go to **Settings** and select **Skills** under the Tools section.
+
+![Manage Skills](/static/skills/manage-skills.png)
+
+Click **Add** to create a new skill with three fields:
+
+| Field | Description |
+|-------|-------------|
+| **Name** | A kebab-case identifier (e.g. `sql-expert`, `code-reviewer`). Max 64 characters. |
+| **Description** | A short explanation of what the skill does and when to use it. This is what the agent reads to decide whether to activate the skill. Max 1024 characters. |
+| **Content** | The full skill instructions in markdown. This is loaded when the agent activates the skill. |
+
+<Callout type="info">
+  The description is critical — it's the only thing the agent sees before deciding to load a skill. Be specific about when and why the skill should be used.
+</Callout>
+
+### Writing Good Skill Content
+
+Skill content follows the same conventions as [SKILL.md files](https://agentskills.io/specification):
+
+```markdown
+# SQL Expert
+
+## When to use this skill
+Use when the user asks you to write, optimize, or debug SQL queries.
+
+## Instructions
+1. Always ask which database engine (PostgreSQL, MySQL, SQLite)
+2. Use CTEs over subqueries for readability
+3. Add index recommendations when relevant
+4. Explain query plans for optimization requests
+
+## Common Patterns
+...
+```
+
+**Recommended structure:**
+- **When to use** — Specific triggers and scenarios
+- **Instructions** — Step-by-step guidance with numbered lists
+- **Examples** — Input/output samples showing expected behavior
+- **Common Patterns** — Reusable approaches for frequent tasks
+- **Edge Cases** — Gotchas and special considerations
+
+Keep skills focused and under 500 lines. If a skill grows too large, split it into multiple specialized skills.
+
+## Adding Skills to an Agent
+
+Open any **Agent** block and find the **Skills** dropdown below the tools section. Select the skills you want the agent to have access to.
+
+![Add Skill](/static/skills/add-skill.png)
+
+Selected skills appear as cards that you can click to edit or remove.
+
+### What Happens at Runtime
+
+When the workflow runs:
+
+1. The agent's system prompt includes an `<available_skills>` section listing each skill's name and description
+2. A `load_skill` tool is automatically added to the agent's available tools
+3. When the agent determines a skill is relevant to the current task, it calls `load_skill` with the skill name
+4. The full skill content is returned as a tool response, giving the agent detailed instructions
+
+This works across all supported LLM providers — the `load_skill` tool uses standard tool-calling, so no provider-specific configuration is needed.
+
+## Common Use Cases
+
+Skills are most valuable when agents need specialized knowledge or multi-step workflows:
+
+**Domain Expertise**
+- `api-integration-expert` — Best practices for calling specific APIs (authentication, rate limiting, error handling)
+- `data-transformation` — ETL patterns, data cleaning, and validation rules
+- `code-reviewer` — Code review guidelines specific to your team's standards
+
+**Workflow Templates**
+- `bug-investigation` — Step-by-step debugging methodology (reproduce → isolate → test → fix)
+- `feature-implementation` — Development workflow from requirements to deployment
+- `document-generator` — Templates and formatting rules for technical documentation
+
+**Company-Specific Knowledge**
+- `our-architecture` — System architecture diagrams, service dependencies, and deployment processes
+- `style-guide` — Brand guidelines, writing tone, UI/UX patterns
+- `customer-onboarding` — Standard procedures and common customer questions
+
+**When to use skills vs. agent instructions:**
+- Use **skills** for knowledge that applies across multiple workflows or changes frequently
+- Use **agent instructions** for task-specific context that's unique to a single agent
+
+## Best Practices
+
+**Writing Effective Descriptions**
+- **Be specific and keyword-rich** — Instead of "Helps with SQL", write "Write optimized SQL queries for PostgreSQL, MySQL, and SQLite, including index recommendations and query plan analysis"
+- **Include activation triggers** — Mention specific words or phrases that should prompt the skill (e.g., "Use when the user mentions PDFs, forms, or document extraction")
+- **Keep it under 200 words** — Agents scan descriptions quickly; make every word count
+
+**Skill Scope and Organization**
+- **One skill per domain** — A focused `sql-expert` skill works better than a broad `database-everything` skill
+- **Limit to 5-10 skills per agent** — More skills = more decision overhead; start small and add as needed
+- **Split large skills** — If a skill exceeds 500 lines, break it into focused sub-skills
+
+**Content Structure**
+- **Use markdown formatting** — Headers, lists, and code blocks help agents parse and follow instructions
+- **Provide examples** — Show input/output pairs so agents understand expected behavior
+- **Be explicit about edge cases** — Don't assume agents will infer special handling
+
+**Testing and Iteration**
+- **Test activation** — Run your workflow and verify the agent loads the skill when expected
+- **Check for false positives** — Make sure skills aren't activating when they shouldn't
+- **Refine descriptions** — If a skill isn't loading when needed, add more keywords to the description
+
+## Learn More
+
+- [Agent Skills specification](https://agentskills.io) — The open format for portable agent skills
+- [Example skills](https://github.com/anthropics/skills) — Browse community skill examples
+- [Best practices](https://agentskills.io/what-are-skills) — Writing effective skills

apps/docs/content/docs/en/tools/airweave.mdx

@@ -0,0 +1,67 @@
+---
+title: Airweave
+description: Search your synced data collections
+---
+
+import { BlockInfoCard } from "@/components/ui/block-info-card"
+
+<BlockInfoCard 
+  type="airweave"
+  color="#6366F1"
+/>
+
+{/* MANUAL-CONTENT-START:intro */}
+[Airweave](https://airweave.ai/) is an AI-powered semantic search platform that helps you discover and retrieve knowledge across all your synced data sources. Built for modern teams, Airweave enables fast, relevant search results using neural, hybrid, or keyword-based strategies tailored to your needs.
+
+With Airweave, you can:
+
+- **Search smarter**: Use natural language queries to uncover information stored across your connected tools and databases
+- **Unify your data**: Seamlessly access content from sources like code, docs, chat, emails, cloud files, and more
+- **Customize retrieval**: Select between hybrid (semantic + keyword), neural, or keyword search strategies for optimal results
+- **Boost recall**: Expand search queries with AI to find more comprehensive answers
+- **Rerank results using AI**: Prioritize the most relevant answers with powerful language models
+- **Get instant answers**: Generate clear, AI-powered responses synthesized from your data
+
+In Sim, the Airweave integration empowers your agents to search, summarize, and extract insights from all your organization’s data via a single tool. Use Airweave to drive rich, contextual knowledge retrieval within your workflows—whether answering questions, generating summaries, or supporting dynamic decision-making.
+{/* MANUAL-CONTENT-END */}
+
+## Usage Instructions
+
+Search across your synced data sources using Airweave. Supports semantic search with hybrid, neural, or keyword retrieval strategies. Optionally generate AI-powered answers from search results.
+
+
+
+## Tools
+
+### `airweave_search`
+
+Search your synced data collections using Airweave. Supports semantic search with hybrid, neural, or keyword retrieval strategies. Optionally generate AI-powered answers from search results.
+
+#### Input
+
+| Parameter | Type | Required | Description |
+| --------- | ---- | -------- | ----------- |
+| `apiKey` | string | Yes | Airweave API Key for authentication |
+| `collectionId` | string | Yes | The readable ID of the collection to search |
+| `query` | string | Yes | The search query text |
+| `limit` | number | No | Maximum number of results to return \(default: 100\) |
+| `retrievalStrategy` | string | No | Retrieval strategy: hybrid \(default\), neural, or keyword |
+| `expandQuery` | boolean | No | Generate query variations to improve recall |
+| `rerank` | boolean | No | Reorder results for improved relevance using LLM |
+| `generateAnswer` | boolean | No | Generate a natural-language answer to the query |
+
+#### Output
+
+| Parameter | Type | Description |
+| --------- | ---- | ----------- |
+| `results` | array | Search results with content, scores, and metadata from your synced data |
+|   ↳ `entity_id` | string | Unique identifier for the search result entity |
+|   ↳ `source_name` | string | Name of the data source \(e.g., "GitHub", "Slack"\) |
+|   ↳ `md_content` | string | Markdown-formatted content of the result |
+|   ↳ `score` | number | Relevance score from the search |
+|   ↳ `metadata` | object | Additional metadata associated with the result |
+|   ↳ `breadcrumbs` | array | Navigation path to the result within its source |
+|   ↳ `url` | string | URL to the original content |
+| `completion` | string | AI-generated answer to the query \(when generateAnswer is enabled\) |
+
+

apps/docs/content/docs/en/tools/meta.json

@@ -4,6 +4,7 @@
     "a2a",
     "ahrefs",
     "airtable",
+    "airweave",
     "apify",
     "apollo",
     "arxiv",

apps/sim/app/api/a2a/agents/[agentId]/route.ts

@@ -5,7 +5,7 @@ import { eq } from 'drizzle-orm'
 import { type NextRequest, NextResponse } from 'next/server'
 import { generateAgentCard, generateSkillsFromWorkflow } from '@/lib/a2a/agent-card'
 import type { AgentCapabilities, AgentSkill } from '@/lib/a2a/types'
-import { checkHybridAuth } from '@/lib/auth/hybrid'
+import { checkSessionOrInternalAuth } from '@/lib/auth/hybrid'
 import { getRedisClient } from '@/lib/core/config/redis'
 import { loadWorkflowFromNormalizedTables } from '@/lib/workflows/persistence/utils'
 import { checkWorkspaceAccess } from '@/lib/workspaces/permissions/utils'
@@ -40,7 +40,7 @@ export async function GET(request: NextRequest, { params }: { params: Promise<Ro
     }
 
     if (!agent.agent.isPublished) {
-      const auth = await checkHybridAuth(request, { requireWorkflowId: false })
+      const auth = await checkSessionOrInternalAuth(request, { requireWorkflowId: false })
       if (!auth.success) {
         return NextResponse.json({ error: 'Agent not published' }, { status: 404 })
       }
@@ -81,7 +81,7 @@ export async function PUT(request: NextRequest, { params }: { params: Promise<Ro
   const { agentId } = await params
 
   try {
-    const auth = await checkHybridAuth(request, { requireWorkflowId: false })
+    const auth = await checkSessionOrInternalAuth(request, { requireWorkflowId: false })
     if (!auth.success || !auth.userId) {
       return NextResponse.json({ error: 'Unauthorized' }, { status: 401 })
     }
@@ -151,7 +151,7 @@ export async function DELETE(request: NextRequest, { params }: { params: Promise
   const { agentId } = await params
 
   try {
-    const auth = await checkHybridAuth(request, { requireWorkflowId: false })
+    const auth = await checkSessionOrInternalAuth(request, { requireWorkflowId: false })
     if (!auth.success || !auth.userId) {
       return NextResponse.json({ error: 'Unauthorized' }, { status: 401 })
     }
@@ -189,7 +189,7 @@ export async function POST(request: NextRequest, { params }: { params: Promise<R
   const { agentId } = await params
 
   try {
-    const auth = await checkHybridAuth(request, { requireWorkflowId: false })
+    const auth = await checkSessionOrInternalAuth(request, { requireWorkflowId: false })
     if (!auth.success || !auth.userId) {
       logger.warn('A2A agent publish auth failed:', { error: auth.error, hasUserId: !!auth.userId })
       return NextResponse.json({ error: auth.error || 'Unauthorized' }, { status: 401 })

apps/sim/app/api/a2a/agents/route.ts

@@ -13,7 +13,7 @@ import { v4 as uuidv4 } from 'uuid'
 import { generateSkillsFromWorkflow } from '@/lib/a2a/agent-card'
 import { A2A_DEFAULT_CAPABILITIES } from '@/lib/a2a/constants'
 import { sanitizeAgentName } from '@/lib/a2a/utils'
-import { checkHybridAuth } from '@/lib/auth/hybrid'
+import { checkSessionOrInternalAuth } from '@/lib/auth/hybrid'
 import { loadWorkflowFromNormalizedTables } from '@/lib/workflows/persistence/utils'
 import { hasValidStartBlockInState } from '@/lib/workflows/triggers/trigger-utils'
 import { getWorkspaceById } from '@/lib/workspaces/permissions/utils'
@@ -27,7 +27,7 @@ export const dynamic = 'force-dynamic'
  */
 export async function GET(request: NextRequest) {
   try {
-    const auth = await checkHybridAuth(request, { requireWorkflowId: false })
+    const auth = await checkSessionOrInternalAuth(request, { requireWorkflowId: false })
     if (!auth.success || !auth.userId) {
       return NextResponse.json({ error: 'Unauthorized' }, { status: 401 })
     }
@@ -87,7 +87,7 @@ export async function GET(request: NextRequest) {
  */
 export async function POST(request: NextRequest) {
   try {
-    const auth = await checkHybridAuth(request, { requireWorkflowId: false })
+    const auth = await checkSessionOrInternalAuth(request, { requireWorkflowId: false })
     if (!auth.success || !auth.userId) {
       return NextResponse.json({ error: 'Unauthorized' }, { status: 401 })
     }

apps/sim/app/api/auth/oauth/credentials/route.ts

@@ -5,7 +5,7 @@ import { and, eq } from 'drizzle-orm'
 import { jwtDecode } from 'jwt-decode'
 import { type NextRequest, NextResponse } from 'next/server'
 import { z } from 'zod'
-import { checkHybridAuth } from '@/lib/auth/hybrid'
+import { checkSessionOrInternalAuth } from '@/lib/auth/hybrid'
 import { generateRequestId } from '@/lib/core/utils/request'
 import { evaluateScopeCoverage, type OAuthProvider, parseProvider } from '@/lib/oauth'
 import { getUserEntityPermissions } from '@/lib/workspaces/permissions/utils'
@@ -81,7 +81,7 @@ export async function GET(request: NextRequest) {
     const { provider: providerParam, workflowId, credentialId } = parseResult.data
 
     // Authenticate requester (supports session, API key, internal JWT)
-    const authResult = await checkHybridAuth(request)
+    const authResult = await checkSessionOrInternalAuth(request)
     if (!authResult.success || !authResult.userId) {
       logger.warn(`[${requestId}] Unauthenticated credentials request rejected`)
       return NextResponse.json({ error: 'User not authenticated' }, { status: 401 })

apps/sim/app/api/auth/oauth/token/route.test.ts

@@ -12,7 +12,7 @@ describe('OAuth Token API Routes', () => {
   const mockRefreshTokenIfNeeded = vi.fn()
   const mockGetOAuthToken = vi.fn()
   const mockAuthorizeCredentialUse = vi.fn()
-  const mockCheckHybridAuth = vi.fn()
+  const mockCheckSessionOrInternalAuth = vi.fn()
 
   const mockLogger = createMockLogger()
 
@@ -42,7 +42,7 @@ describe('OAuth Token API Routes', () => {
     }))
 
     vi.doMock('@/lib/auth/hybrid', () => ({
-      checkHybridAuth: mockCheckHybridAuth,
+      checkSessionOrInternalAuth: mockCheckSessionOrInternalAuth,
     }))
   })
 
@@ -235,7 +235,7 @@ describe('OAuth Token API Routes', () => {
 
     describe('credentialAccountUserId + providerId path', () => {
       it('should reject unauthenticated requests', async () => {
-        mockCheckHybridAuth.mockResolvedValueOnce({
+        mockCheckSessionOrInternalAuth.mockResolvedValueOnce({
           success: false,
           error: 'Authentication required',
         })
@@ -255,30 +255,8 @@ describe('OAuth Token API Routes', () => {
         expect(mockGetOAuthToken).not.toHaveBeenCalled()
       })
 
-      it('should reject API key authentication', async () => {
-        mockCheckHybridAuth.mockResolvedValueOnce({
-          success: true,
-          authType: 'api_key',
-          userId: 'test-user-id',
-        })
-
-        const req = createMockRequest('POST', {
-          credentialAccountUserId: 'test-user-id',
-          providerId: 'google',
-        })
-
-        const { POST } = await import('@/app/api/auth/oauth/token/route')
-
-        const response = await POST(req)
-        const data = await response.json()
-
-        expect(response.status).toBe(401)
-        expect(data).toHaveProperty('error', 'User not authenticated')
-        expect(mockGetOAuthToken).not.toHaveBeenCalled()
-      })
-
       it('should reject internal JWT authentication', async () => {
-        mockCheckHybridAuth.mockResolvedValueOnce({
+        mockCheckSessionOrInternalAuth.mockResolvedValueOnce({
           success: true,
           authType: 'internal_jwt',
           userId: 'test-user-id',
@@ -300,7 +278,7 @@ describe('OAuth Token API Routes', () => {
       })
 
       it('should reject requests for other users credentials', async () => {
-        mockCheckHybridAuth.mockResolvedValueOnce({
+        mockCheckSessionOrInternalAuth.mockResolvedValueOnce({
           success: true,
           authType: 'session',
           userId: 'attacker-user-id',
@@ -322,7 +300,7 @@ describe('OAuth Token API Routes', () => {
       })
 
       it('should allow session-authenticated users to access their own credentials', async () => {
-        mockCheckHybridAuth.mockResolvedValueOnce({
+        mockCheckSessionOrInternalAuth.mockResolvedValueOnce({
           success: true,
           authType: 'session',
           userId: 'test-user-id',
@@ -345,7 +323,7 @@ describe('OAuth Token API Routes', () => {
       })
 
       it('should return 404 when credential not found for user', async () => {
-        mockCheckHybridAuth.mockResolvedValueOnce({
+        mockCheckSessionOrInternalAuth.mockResolvedValueOnce({
           success: true,
           authType: 'session',
           userId: 'test-user-id',
@@ -373,7 +351,7 @@ describe('OAuth Token API Routes', () => {
    */
   describe('GET handler', () => {
     it('should return access token successfully', async () => {
-      mockCheckHybridAuth.mockResolvedValueOnce({
+      mockCheckSessionOrInternalAuth.mockResolvedValueOnce({
         success: true,
         authType: 'session',
         userId: 'test-user-id',
@@ -402,7 +380,7 @@ describe('OAuth Token API Routes', () => {
       expect(response.status).toBe(200)
       expect(data).toHaveProperty('accessToken', 'fresh-token')
 
-      expect(mockCheckHybridAuth).toHaveBeenCalled()
+      expect(mockCheckSessionOrInternalAuth).toHaveBeenCalled()
       expect(mockGetCredential).toHaveBeenCalledWith(mockRequestId, 'credential-id', 'test-user-id')
       expect(mockRefreshTokenIfNeeded).toHaveBeenCalled()
     })
@@ -421,7 +399,7 @@ describe('OAuth Token API Routes', () => {
     })
 
     it('should handle authentication failure', async () => {
-      mockCheckHybridAuth.mockResolvedValueOnce({
+      mockCheckSessionOrInternalAuth.mockResolvedValueOnce({
         success: false,
         error: 'Authentication required',
       })
@@ -440,7 +418,7 @@ describe('OAuth Token API Routes', () => {
     })
 
     it('should handle credential not found', async () => {
-      mockCheckHybridAuth.mockResolvedValueOnce({
+      mockCheckSessionOrInternalAuth.mockResolvedValueOnce({
         success: true,
         authType: 'session',
         userId: 'test-user-id',
@@ -461,7 +439,7 @@ describe('OAuth Token API Routes', () => {
     })
 
     it('should handle missing access token', async () => {
-      mockCheckHybridAuth.mockResolvedValueOnce({
+      mockCheckSessionOrInternalAuth.mockResolvedValueOnce({
         success: true,
         authType: 'session',
         userId: 'test-user-id',
@@ -487,7 +465,7 @@ describe('OAuth Token API Routes', () => {
     })
 
     it('should handle token refresh failure', async () => {
-      mockCheckHybridAuth.mockResolvedValueOnce({
+      mockCheckSessionOrInternalAuth.mockResolvedValueOnce({
         success: true,
         authType: 'session',
         userId: 'test-user-id',

apps/sim/app/api/auth/oauth/token/route.ts

@@ -2,7 +2,7 @@ import { createLogger } from '@sim/logger'
 import { type NextRequest, NextResponse } from 'next/server'
 import { z } from 'zod'
 import { authorizeCredentialUse } from '@/lib/auth/credential-access'
-import { checkHybridAuth } from '@/lib/auth/hybrid'
+import { checkSessionOrInternalAuth } from '@/lib/auth/hybrid'
 import { generateRequestId } from '@/lib/core/utils/request'
 import { getCredential, getOAuthToken, refreshTokenIfNeeded } from '@/app/api/auth/oauth/utils'
 
@@ -71,7 +71,7 @@ export async function POST(request: NextRequest) {
         providerId,
       })
 
-      const auth = await checkHybridAuth(request, { requireWorkflowId: false })
+      const auth = await checkSessionOrInternalAuth(request, { requireWorkflowId: false })
       if (!auth.success || auth.authType !== 'session' || !auth.userId) {
         logger.warn(`[${requestId}] Unauthorized request for credentialAccountUserId path`, {
           success: auth.success,
@@ -187,7 +187,7 @@ export async function GET(request: NextRequest) {
     const { credentialId } = parseResult.data
 
     // For GET requests, we only support session-based authentication
-    const auth = await checkHybridAuth(request, { requireWorkflowId: false })
+    const auth = await checkSessionOrInternalAuth(request, { requireWorkflowId: false })
     if (!auth.success || auth.authType !== 'session' || !auth.userId) {
       return NextResponse.json({ error: 'User not authenticated' }, { status: 401 })
     }

apps/sim/app/api/copilot/chat/route.ts

@@ -285,6 +285,14 @@ export async function POST(req: NextRequest) {
           apiVersion: 'preview',
           endpoint: env.AZURE_OPENAI_ENDPOINT,
         }
+      } else if (providerEnv === 'azure-anthropic') {
+        providerConfig = {
+          provider: 'azure-anthropic',
+          model: envModel,
+          apiKey: env.AZURE_ANTHROPIC_API_KEY,
+          apiVersion: env.AZURE_ANTHROPIC_API_VERSION,
+          endpoint: env.AZURE_ANTHROPIC_ENDPOINT,
+        }
       } else if (providerEnv === 'vertex') {
         providerConfig = {
           provider: 'vertex',

apps/sim/app/api/files/delete/route.test.ts

@@ -29,7 +29,7 @@ function setupFileApiMocks(
   }
 
   vi.doMock('@/lib/auth/hybrid', () => ({
-    checkHybridAuth: vi.fn().mockResolvedValue({
+    checkSessionOrInternalAuth: vi.fn().mockResolvedValue({
       success: authenticated,
       userId: authenticated ? 'test-user-id' : undefined,
       error: authenticated ? undefined : 'Unauthorized',

apps/sim/app/api/files/delete/route.ts

@@ -1,7 +1,7 @@
 import { createLogger } from '@sim/logger'
 import type { NextRequest } from 'next/server'
 import { NextResponse } from 'next/server'
-import { checkHybridAuth } from '@/lib/auth/hybrid'
+import { checkSessionOrInternalAuth } from '@/lib/auth/hybrid'
 import type { StorageContext } from '@/lib/uploads/config'
 import { deleteFile, hasCloudStorage } from '@/lib/uploads/core/storage-service'
 import { extractStorageKey, inferContextFromKey } from '@/lib/uploads/utils/file-utils'
@@ -24,7 +24,7 @@ const logger = createLogger('FilesDeleteAPI')
  */
 export async function POST(request: NextRequest) {
   try {
-    const authResult = await checkHybridAuth(request, { requireWorkflowId: false })
+    const authResult = await checkSessionOrInternalAuth(request, { requireWorkflowId: false })
 
     if (!authResult.success || !authResult.userId) {
       logger.warn('Unauthorized file delete request', {

apps/sim/app/api/files/download/route.ts

@@ -1,6 +1,6 @@
 import { createLogger } from '@sim/logger'
 import { type NextRequest, NextResponse } from 'next/server'
-import { checkHybridAuth } from '@/lib/auth/hybrid'
+import { checkSessionOrInternalAuth } from '@/lib/auth/hybrid'
 import type { StorageContext } from '@/lib/uploads/config'
 import { hasCloudStorage } from '@/lib/uploads/core/storage-service'
 import { verifyFileAccess } from '@/app/api/files/authorization'
@@ -12,7 +12,7 @@ export const dynamic = 'force-dynamic'
 
 export async function POST(request: NextRequest) {
   try {
-    const authResult = await checkHybridAuth(request, { requireWorkflowId: false })
+    const authResult = await checkSessionOrInternalAuth(request, { requireWorkflowId: false })
 
     if (!authResult.success || !authResult.userId) {
       logger.warn('Unauthorized download URL request', {

apps/sim/app/api/files/parse/route.test.ts

@@ -35,7 +35,7 @@ function setupFileApiMocks(
   }
 
   vi.doMock('@/lib/auth/hybrid', () => ({
-    checkHybridAuth: vi.fn().mockResolvedValue({
+    checkInternalAuth: vi.fn().mockResolvedValue({
       success: authenticated,
       userId: authenticated ? 'test-user-id' : undefined,
       error: authenticated ? undefined : 'Unauthorized',

apps/sim/app/api/files/parse/route.ts

@@ -5,7 +5,7 @@ import path from 'path'
 import { createLogger } from '@sim/logger'
 import binaryExtensionsList from 'binary-extensions'
 import { type NextRequest, NextResponse } from 'next/server'
-import { checkHybridAuth } from '@/lib/auth/hybrid'
+import { checkInternalAuth } from '@/lib/auth/hybrid'
 import {
   secureFetchWithPinnedIP,
   validateUrlWithDNS,
@@ -66,7 +66,7 @@ export async function POST(request: NextRequest) {
   const startTime = Date.now()
 
   try {
-    const authResult = await checkHybridAuth(request, { requireWorkflowId: true })
+    const authResult = await checkInternalAuth(request, { requireWorkflowId: true })
 
     if (!authResult.success) {
       logger.warn('Unauthorized file parse request', {

apps/sim/app/api/files/serve/[...path]/route.test.ts

@@ -55,7 +55,7 @@ describe('File Serve API Route', () => {
     })
 
     vi.doMock('@/lib/auth/hybrid', () => ({
-      checkHybridAuth: vi.fn().mockResolvedValue({
+      checkSessionOrInternalAuth: vi.fn().mockResolvedValue({
         success: true,
         userId: 'test-user-id',
       }),
@@ -165,7 +165,7 @@ describe('File Serve API Route', () => {
     }))
 
     vi.doMock('@/lib/auth/hybrid', () => ({
-      checkHybridAuth: vi.fn().mockResolvedValue({
+      checkSessionOrInternalAuth: vi.fn().mockResolvedValue({
         success: true,
         userId: 'test-user-id',
       }),
@@ -226,7 +226,7 @@ describe('File Serve API Route', () => {
     }))
 
     vi.doMock('@/lib/auth/hybrid', () => ({
-      checkHybridAuth: vi.fn().mockResolvedValue({
+      checkSessionOrInternalAuth: vi.fn().mockResolvedValue({
         success: true,
         userId: 'test-user-id',
       }),
@@ -291,7 +291,7 @@ describe('File Serve API Route', () => {
     }))
 
     vi.doMock('@/lib/auth/hybrid', () => ({
-      checkHybridAuth: vi.fn().mockResolvedValue({
+      checkSessionOrInternalAuth: vi.fn().mockResolvedValue({
         success: true,
         userId: 'test-user-id',
       }),
@@ -350,7 +350,7 @@ describe('File Serve API Route', () => {
     for (const test of contentTypeTests) {
       it(`should serve ${test.ext} file with correct content type`, async () => {
         vi.doMock('@/lib/auth/hybrid', () => ({
-          checkHybridAuth: vi.fn().mockResolvedValue({
+          checkSessionOrInternalAuth: vi.fn().mockResolvedValue({
             success: true,
             userId: 'test-user-id',
           }),

apps/sim/app/api/files/serve/[...path]/route.ts

@@ -2,7 +2,7 @@ import { readFile } from 'fs/promises'
 import { createLogger } from '@sim/logger'
 import type { NextRequest } from 'next/server'
 import { NextResponse } from 'next/server'
-import { checkHybridAuth } from '@/lib/auth/hybrid'
+import { checkSessionOrInternalAuth } from '@/lib/auth/hybrid'
 import { CopilotFiles, isUsingCloudStorage } from '@/lib/uploads'
 import type { StorageContext } from '@/lib/uploads/config'
 import { downloadFile } from '@/lib/uploads/core/storage-service'
@@ -49,7 +49,7 @@ export async function GET(
       return await handleLocalFilePublic(fullPath)
     }
 
-    const authResult = await checkHybridAuth(request, { requireWorkflowId: false })
+    const authResult = await checkSessionOrInternalAuth(request, { requireWorkflowId: false })
 
     if (!authResult.success || !authResult.userId) {
       logger.warn('Unauthorized file access attempt', {

apps/sim/app/api/function/execute/route.ts

@@ -845,6 +845,8 @@ export async function POST(req: NextRequest) {
       contextVariables,
       timeoutMs: timeout,
       requestId,
+      ownerKey: `user:${auth.userId}`,
+      ownerWeight: 1,
     })
 
     const executionTime = Date.now() - startTime

apps/sim/app/api/guardrails/validate/route.ts

@@ -23,7 +23,16 @@ export async function POST(request: NextRequest) {
       topK,
       model,
       apiKey,
+      azureEndpoint,
+      azureApiVersion,
+      vertexProject,
+      vertexLocation,
+      vertexCredential,
+      bedrockAccessKeyId,
+      bedrockSecretKey,
+      bedrockRegion,
       workflowId,
+      workspaceId,
       piiEntityTypes,
       piiMode,
       piiLanguage,
@@ -110,7 +119,18 @@ export async function POST(request: NextRequest) {
       topK,
       model,
       apiKey,
+      {
+        azureEndpoint,
+        azureApiVersion,
+        vertexProject,
+        vertexLocation,
+        vertexCredential,
+        bedrockAccessKeyId,
+        bedrockSecretKey,
+        bedrockRegion,
+      },
       workflowId,
+      workspaceId,
       piiEntityTypes,
       piiMode,
       piiLanguage,
@@ -178,7 +198,18 @@ async function executeValidation(
   topK: string | undefined,
   model: string,
   apiKey: string | undefined,
+  providerCredentials: {
+    azureEndpoint?: string
+    azureApiVersion?: string
+    vertexProject?: string
+    vertexLocation?: string
+    vertexCredential?: string
+    bedrockAccessKeyId?: string
+    bedrockSecretKey?: string
+    bedrockRegion?: string
+  },
   workflowId: string | undefined,
+  workspaceId: string | undefined,
   piiEntityTypes: string[] | undefined,
   piiMode: string | undefined,
   piiLanguage: string | undefined,
@@ -219,7 +250,9 @@ async function executeValidation(
       topK: topK ? Number.parseInt(topK) : 10, // Default topK is 10
       model: model,
       apiKey,
+      providerCredentials,
       workflowId,
+      workspaceId,
       requestId,
     })
   }

apps/sim/app/api/knowledge/[id]/tag-definitions/route.ts

@@ -2,7 +2,7 @@ import { randomUUID } from 'crypto'
 import { createLogger } from '@sim/logger'
 import { type NextRequest, NextResponse } from 'next/server'
 import { z } from 'zod'
-import { checkHybridAuth } from '@/lib/auth/hybrid'
+import { checkSessionOrInternalAuth } from '@/lib/auth/hybrid'
 import { SUPPORTED_FIELD_TYPES } from '@/lib/knowledge/constants'
 import { createTagDefinition, getTagDefinitions } from '@/lib/knowledge/tags/service'
 import { checkKnowledgeBaseAccess } from '@/app/api/knowledge/utils'
@@ -19,19 +19,11 @@ export async function GET(req: NextRequest, { params }: { params: Promise<{ id:
   try {
     logger.info(`[${requestId}] Getting tag definitions for knowledge base ${knowledgeBaseId}`)
 
-    const auth = await checkHybridAuth(req, { requireWorkflowId: false })
+    const auth = await checkSessionOrInternalAuth(req, { requireWorkflowId: false })
     if (!auth.success) {
       return NextResponse.json({ error: auth.error || 'Unauthorized' }, { status: 401 })
     }
 
-    // Only allow session and internal JWT auth (not API key)
-    if (auth.authType === 'api_key') {
-      return NextResponse.json(
-        { error: 'API key auth not supported for this endpoint' },
-        { status: 401 }
-      )
-    }
-
     // For session auth, verify KB access. Internal JWT is trusted.
     if (auth.authType === 'session' && auth.userId) {
       const accessCheck = await checkKnowledgeBaseAccess(knowledgeBaseId, auth.userId)
@@ -64,19 +56,11 @@ export async function POST(req: NextRequest, { params }: { params: Promise<{ id:
   try {
     logger.info(`[${requestId}] Creating tag definition for knowledge base ${knowledgeBaseId}`)
 
-    const auth = await checkHybridAuth(req, { requireWorkflowId: false })
+    const auth = await checkSessionOrInternalAuth(req, { requireWorkflowId: false })
     if (!auth.success) {
       return NextResponse.json({ error: auth.error || 'Unauthorized' }, { status: 401 })
     }
 
-    // Only allow session and internal JWT auth (not API key)
-    if (auth.authType === 'api_key') {
-      return NextResponse.json(
-        { error: 'API key auth not supported for this endpoint' },
-        { status: 401 }
-      )
-    }
-
     // For session auth, verify KB access. Internal JWT is trusted.
     if (auth.authType === 'session' && auth.userId) {
       const accessCheck = await checkKnowledgeBaseAccess(knowledgeBaseId, auth.userId)

apps/sim/app/api/logs/execution/[executionId]/route.ts

@@ -8,7 +8,7 @@ import {
 import { createLogger } from '@sim/logger'
 import { and, eq, inArray } from 'drizzle-orm'
 import { type NextRequest, NextResponse } from 'next/server'
-import { checkHybridAuth } from '@/lib/auth/hybrid'
+import { checkSessionOrInternalAuth } from '@/lib/auth/hybrid'
 import { generateRequestId } from '@/lib/core/utils/request'
 import type { TraceSpan, WorkflowExecutionLog } from '@/lib/logs/types'
 
@@ -23,7 +23,7 @@ export async function GET(
   try {
     const { executionId } = await params
 
-    const authResult = await checkHybridAuth(request, { requireWorkflowId: false })
+    const authResult = await checkSessionOrInternalAuth(request, { requireWorkflowId: false })
     if (!authResult.success || !authResult.userId) {
       logger.warn(`[${requestId}] Unauthorized execution data access attempt for: ${executionId}`)
       return NextResponse.json(

apps/sim/app/api/memory/[id]/route.ts

@@ -4,7 +4,7 @@ import { createLogger } from '@sim/logger'
 import { and, eq } from 'drizzle-orm'
 import { type NextRequest, NextResponse } from 'next/server'
 import { z } from 'zod'
-import { checkHybridAuth } from '@/lib/auth/hybrid'
+import { checkInternalAuth } from '@/lib/auth/hybrid'
 import { generateRequestId } from '@/lib/core/utils/request'
 import { checkWorkspaceAccess } from '@/lib/workspaces/permissions/utils'
 
@@ -36,7 +36,7 @@ async function validateMemoryAccess(
   requestId: string,
   action: 'read' | 'write'
 ): Promise<{ userId: string } | { error: NextResponse }> {
-  const authResult = await checkHybridAuth(request, { requireWorkflowId: false })
+  const authResult = await checkInternalAuth(request, { requireWorkflowId: false })
   if (!authResult.success || !authResult.userId) {
     logger.warn(`[${requestId}] Unauthorized memory ${action} attempt`)
     return {

apps/sim/app/api/memory/route.ts

@@ -3,7 +3,7 @@ import { memory } from '@sim/db/schema'
 import { createLogger } from '@sim/logger'
 import { and, eq, isNull, like } from 'drizzle-orm'
 import { type NextRequest, NextResponse } from 'next/server'
-import { checkHybridAuth } from '@/lib/auth/hybrid'
+import { checkInternalAuth } from '@/lib/auth/hybrid'
 import { generateRequestId } from '@/lib/core/utils/request'
 import { checkWorkspaceAccess } from '@/lib/workspaces/permissions/utils'
 
@@ -16,7 +16,7 @@ export async function GET(request: NextRequest) {
   const requestId = generateRequestId()
 
   try {
-    const authResult = await checkHybridAuth(request)
+    const authResult = await checkInternalAuth(request)
     if (!authResult.success || !authResult.userId) {
       logger.warn(`[${requestId}] Unauthorized memory access attempt`)
       return NextResponse.json(
@@ -89,7 +89,7 @@ export async function POST(request: NextRequest) {
   const requestId = generateRequestId()
 
   try {
-    const authResult = await checkHybridAuth(request)
+    const authResult = await checkInternalAuth(request)
     if (!authResult.success || !authResult.userId) {
       logger.warn(`[${requestId}] Unauthorized memory creation attempt`)
       return NextResponse.json(
@@ -228,7 +228,7 @@ export async function DELETE(request: NextRequest) {
   const requestId = generateRequestId()
 
   try {
-    const authResult = await checkHybridAuth(request)
+    const authResult = await checkInternalAuth(request)
     if (!authResult.success || !authResult.userId) {
       logger.warn(`[${requestId}] Unauthorized memory deletion attempt`)
       return NextResponse.json(

apps/sim/app/api/permission-groups/[id]/route.ts

@@ -24,6 +24,7 @@ const configSchema = z.object({
   hideFilesTab: z.boolean().optional(),
   disableMcpTools: z.boolean().optional(),
   disableCustomTools: z.boolean().optional(),
+  disableSkills: z.boolean().optional(),
   hideTemplates: z.boolean().optional(),
   disableInvitations: z.boolean().optional(),
   hideDeployApi: z.boolean().optional(),

apps/sim/app/api/permission-groups/route.ts

@@ -25,6 +25,7 @@ const configSchema = z.object({
   hideFilesTab: z.boolean().optional(),
   disableMcpTools: z.boolean().optional(),
   disableCustomTools: z.boolean().optional(),
+  disableSkills: z.boolean().optional(),
   hideTemplates: z.boolean().optional(),
   disableInvitations: z.boolean().optional(),
   hideDeployApi: z.boolean().optional(),

apps/sim/app/api/skills/route.ts

@@ -0,0 +1,182 @@
+import { db } from '@sim/db'
+import { skill } from '@sim/db/schema'
+import { createLogger } from '@sim/logger'
+import { and, desc, eq } from 'drizzle-orm'
+import { type NextRequest, NextResponse } from 'next/server'
+import { z } from 'zod'
+import { checkSessionOrInternalAuth } from '@/lib/auth/hybrid'
+import { generateRequestId } from '@/lib/core/utils/request'
+import { upsertSkills } from '@/lib/workflows/skills/operations'
+import { getUserEntityPermissions } from '@/lib/workspaces/permissions/utils'
+
+const logger = createLogger('SkillsAPI')
+
+const SkillSchema = z.object({
+  skills: z.array(
+    z.object({
+      id: z.string().optional(),
+      name: z
+        .string()
+        .min(1, 'Skill name is required')
+        .max(64)
+        .regex(/^[a-z0-9]+(-[a-z0-9]+)*$/, 'Name must be kebab-case (e.g. my-skill)'),
+      description: z.string().min(1, 'Description is required').max(1024),
+      content: z.string().min(1, 'Content is required').max(50000, 'Content is too large'),
+    })
+  ),
+  workspaceId: z.string().optional(),
+})
+
+/** GET - Fetch all skills for a workspace */
+export async function GET(request: NextRequest) {
+  const requestId = generateRequestId()
+  const searchParams = request.nextUrl.searchParams
+  const workspaceId = searchParams.get('workspaceId')
+
+  try {
+    const authResult = await checkSessionOrInternalAuth(request, { requireWorkflowId: false })
+    if (!authResult.success || !authResult.userId) {
+      logger.warn(`[${requestId}] Unauthorized skills access attempt`)
+      return NextResponse.json({ error: 'Unauthorized' }, { status: 401 })
+    }
+
+    const userId = authResult.userId
+
+    if (!workspaceId) {
+      logger.warn(`[${requestId}] Missing workspaceId`)
+      return NextResponse.json({ error: 'workspaceId is required' }, { status: 400 })
+    }
+
+    const userPermission = await getUserEntityPermissions(userId, 'workspace', workspaceId)
+    if (!userPermission) {
+      logger.warn(`[${requestId}] User ${userId} does not have access to workspace ${workspaceId}`)
+      return NextResponse.json({ error: 'Access denied' }, { status: 403 })
+    }
+
+    const result = await db
+      .select()
+      .from(skill)
+      .where(eq(skill.workspaceId, workspaceId))
+      .orderBy(desc(skill.createdAt))
+
+    return NextResponse.json({ data: result }, { status: 200 })
+  } catch (error) {
+    logger.error(`[${requestId}] Error fetching skills:`, error)
+    return NextResponse.json({ error: 'Failed to fetch skills' }, { status: 500 })
+  }
+}
+
+/** POST - Create or update skills */
+export async function POST(req: NextRequest) {
+  const requestId = generateRequestId()
+
+  try {
+    const authResult = await checkSessionOrInternalAuth(req, { requireWorkflowId: false })
+    if (!authResult.success || !authResult.userId) {
+      logger.warn(`[${requestId}] Unauthorized skills update attempt`)
+      return NextResponse.json({ error: 'Unauthorized' }, { status: 401 })
+    }
+
+    const userId = authResult.userId
+    const body = await req.json()
+
+    try {
+      const { skills, workspaceId } = SkillSchema.parse(body)
+
+      if (!workspaceId) {
+        logger.warn(`[${requestId}] Missing workspaceId in request body`)
+        return NextResponse.json({ error: 'workspaceId is required' }, { status: 400 })
+      }
+
+      const userPermission = await getUserEntityPermissions(userId, 'workspace', workspaceId)
+      if (!userPermission || (userPermission !== 'admin' && userPermission !== 'write')) {
+        logger.warn(
+          `[${requestId}] User ${userId} does not have write permission for workspace ${workspaceId}`
+        )
+        return NextResponse.json({ error: 'Write permission required' }, { status: 403 })
+      }
+
+      const resultSkills = await upsertSkills({
+        skills,
+        workspaceId,
+        userId,
+        requestId,
+      })
+
+      return NextResponse.json({ success: true, data: resultSkills })
+    } catch (validationError) {
+      if (validationError instanceof z.ZodError) {
+        logger.warn(`[${requestId}] Invalid skills data`, {
+          errors: validationError.errors,
+        })
+        return NextResponse.json(
+          { error: 'Invalid request data', details: validationError.errors },
+          { status: 400 }
+        )
+      }
+      if (validationError instanceof Error && validationError.message.includes('already exists')) {
+        return NextResponse.json({ error: validationError.message }, { status: 409 })
+      }
+      throw validationError
+    }
+  } catch (error) {
+    logger.error(`[${requestId}] Error updating skills`, error)
+    return NextResponse.json({ error: 'Failed to update skills' }, { status: 500 })
+  }
+}
+
+/** DELETE - Delete a skill by ID */
+export async function DELETE(request: NextRequest) {
+  const requestId = generateRequestId()
+  const searchParams = request.nextUrl.searchParams
+  const skillId = searchParams.get('id')
+  const workspaceId = searchParams.get('workspaceId')
+
+  try {
+    const authResult = await checkSessionOrInternalAuth(request, { requireWorkflowId: false })
+    if (!authResult.success || !authResult.userId) {
+      logger.warn(`[${requestId}] Unauthorized skill deletion attempt`)
+      return NextResponse.json({ error: 'Unauthorized' }, { status: 401 })
+    }
+
+    const userId = authResult.userId
+
+    if (!skillId) {
+      logger.warn(`[${requestId}] Missing skill ID for deletion`)
+      return NextResponse.json({ error: 'Skill ID is required' }, { status: 400 })
+    }
+
+    if (!workspaceId) {
+      logger.warn(`[${requestId}] Missing workspaceId for deletion`)
+      return NextResponse.json({ error: 'workspaceId is required' }, { status: 400 })
+    }
+
+    const userPermission = await getUserEntityPermissions(userId, 'workspace', workspaceId)
+    if (!userPermission || (userPermission !== 'admin' && userPermission !== 'write')) {
+      logger.warn(
+        `[${requestId}] User ${userId} does not have write permission for workspace ${workspaceId}`
+      )
+      return NextResponse.json({ error: 'Write permission required' }, { status: 403 })
+    }
+
+    const existingSkill = await db.select().from(skill).where(eq(skill.id, skillId)).limit(1)
+
+    if (existingSkill.length === 0) {
+      logger.warn(`[${requestId}] Skill not found: ${skillId}`)
+      return NextResponse.json({ error: 'Skill not found' }, { status: 404 })
+    }
+
+    if (existingSkill[0].workspaceId !== workspaceId) {
+      logger.warn(`[${requestId}] Skill ${skillId} does not belong to workspace ${workspaceId}`)
+      return NextResponse.json({ error: 'Skill not found' }, { status: 404 })
+    }
+
+    await db.delete(skill).where(and(eq(skill.id, skillId), eq(skill.workspaceId, workspaceId)))
+
+    logger.info(`[${requestId}] Deleted skill: ${skillId}`)
+    return NextResponse.json({ success: true })
+  } catch (error) {
+    logger.error(`[${requestId}] Error deleting skill:`, error)
+    return NextResponse.json({ error: 'Failed to delete skill' }, { status: 500 })
+  }
+}

apps/sim/app/api/tools/a2a/cancel-task/route.ts

@@ -3,7 +3,7 @@ import { createLogger } from '@sim/logger'
 import { type NextRequest, NextResponse } from 'next/server'
 import { z } from 'zod'
 import { createA2AClient } from '@/lib/a2a/utils'
-import { checkHybridAuth } from '@/lib/auth/hybrid'
+import { checkSessionOrInternalAuth } from '@/lib/auth/hybrid'
 import { generateRequestId } from '@/lib/core/utils/request'
 
 const logger = createLogger('A2ACancelTaskAPI')
@@ -20,7 +20,7 @@ export async function POST(request: NextRequest) {
   const requestId = generateRequestId()
 
   try {
-    const authResult = await checkHybridAuth(request, { requireWorkflowId: false })
+    const authResult = await checkSessionOrInternalAuth(request, { requireWorkflowId: false })
 
     if (!authResult.success) {
       logger.warn(`[${requestId}] Unauthorized A2A cancel task attempt`)

apps/sim/app/api/tools/a2a/delete-push-notification/route.ts

@@ -2,7 +2,7 @@ import { createLogger } from '@sim/logger'
 import { type NextRequest, NextResponse } from 'next/server'
 import { z } from 'zod'
 import { createA2AClient } from '@/lib/a2a/utils'
-import { checkHybridAuth } from '@/lib/auth/hybrid'
+import { checkSessionOrInternalAuth } from '@/lib/auth/hybrid'
 import { generateRequestId } from '@/lib/core/utils/request'
 
 export const dynamic = 'force-dynamic'
@@ -20,7 +20,7 @@ export async function POST(request: NextRequest) {
   const requestId = generateRequestId()
 
   try {
-    const authResult = await checkHybridAuth(request, { requireWorkflowId: false })
+    const authResult = await checkSessionOrInternalAuth(request, { requireWorkflowId: false })
 
     if (!authResult.success) {
       logger.warn(

apps/sim/app/api/tools/a2a/get-agent-card/route.ts

@@ -2,7 +2,7 @@ import { createLogger } from '@sim/logger'
 import { type NextRequest, NextResponse } from 'next/server'
 import { z } from 'zod'
 import { createA2AClient } from '@/lib/a2a/utils'
-import { checkHybridAuth } from '@/lib/auth/hybrid'
+import { checkSessionOrInternalAuth } from '@/lib/auth/hybrid'
 import { generateRequestId } from '@/lib/core/utils/request'
 
 export const dynamic = 'force-dynamic'
@@ -18,7 +18,7 @@ export async function POST(request: NextRequest) {
   const requestId = generateRequestId()
 
   try {
-    const authResult = await checkHybridAuth(request, { requireWorkflowId: false })
+    const authResult = await checkSessionOrInternalAuth(request, { requireWorkflowId: false })
 
     if (!authResult.success) {
       logger.warn(`[${requestId}] Unauthorized A2A get agent card attempt: ${authResult.error}`)

apps/sim/app/api/tools/a2a/get-push-notification/route.ts

@@ -2,7 +2,7 @@ import { createLogger } from '@sim/logger'
 import { type NextRequest, NextResponse } from 'next/server'
 import { z } from 'zod'
 import { createA2AClient } from '@/lib/a2a/utils'
-import { checkHybridAuth } from '@/lib/auth/hybrid'
+import { checkSessionOrInternalAuth } from '@/lib/auth/hybrid'
 import { generateRequestId } from '@/lib/core/utils/request'
 
 export const dynamic = 'force-dynamic'
@@ -19,7 +19,7 @@ export async function POST(request: NextRequest) {
   const requestId = generateRequestId()
 
   try {
-    const authResult = await checkHybridAuth(request, { requireWorkflowId: false })
+    const authResult = await checkSessionOrInternalAuth(request, { requireWorkflowId: false })
 
     if (!authResult.success) {
       logger.warn(

apps/sim/app/api/tools/a2a/get-task/route.ts

@@ -3,7 +3,7 @@ import { createLogger } from '@sim/logger'
 import { type NextRequest, NextResponse } from 'next/server'
 import { z } from 'zod'
 import { createA2AClient } from '@/lib/a2a/utils'
-import { checkHybridAuth } from '@/lib/auth/hybrid'
+import { checkSessionOrInternalAuth } from '@/lib/auth/hybrid'
 import { generateRequestId } from '@/lib/core/utils/request'
 
 export const dynamic = 'force-dynamic'
@@ -21,7 +21,7 @@ export async function POST(request: NextRequest) {
   const requestId = generateRequestId()
 
   try {
-    const authResult = await checkHybridAuth(request, { requireWorkflowId: false })
+    const authResult = await checkSessionOrInternalAuth(request, { requireWorkflowId: false })
 
     if (!authResult.success) {
       logger.warn(`[${requestId}] Unauthorized A2A get task attempt: ${authResult.error}`)

apps/sim/app/api/tools/a2a/resubscribe/route.ts

@@ -10,7 +10,7 @@ import { createLogger } from '@sim/logger'
 import { type NextRequest, NextResponse } from 'next/server'
 import { z } from 'zod'
 import { createA2AClient, extractTextContent, isTerminalState } from '@/lib/a2a/utils'
-import { checkHybridAuth } from '@/lib/auth/hybrid'
+import { checkSessionOrInternalAuth } from '@/lib/auth/hybrid'
 import { generateRequestId } from '@/lib/core/utils/request'
 
 const logger = createLogger('A2AResubscribeAPI')
@@ -27,7 +27,7 @@ export async function POST(request: NextRequest) {
   const requestId = generateRequestId()
 
   try {
-    const authResult = await checkHybridAuth(request, { requireWorkflowId: false })
+    const authResult = await checkSessionOrInternalAuth(request, { requireWorkflowId: false })
 
     if (!authResult.success) {
       logger.warn(`[${requestId}] Unauthorized A2A resubscribe attempt`)

apps/sim/app/api/tools/a2a/send-message/route.ts

@@ -3,7 +3,7 @@ import { createLogger } from '@sim/logger'
 import { type NextRequest, NextResponse } from 'next/server'
 import { z } from 'zod'
 import { createA2AClient, extractTextContent, isTerminalState } from '@/lib/a2a/utils'
-import { checkHybridAuth } from '@/lib/auth/hybrid'
+import { checkSessionOrInternalAuth } from '@/lib/auth/hybrid'
 import { validateUrlWithDNS } from '@/lib/core/security/input-validation.server'
 import { generateRequestId } from '@/lib/core/utils/request'
 
@@ -32,7 +32,7 @@ export async function POST(request: NextRequest) {
   const requestId = generateRequestId()
 
   try {
-    const authResult = await checkHybridAuth(request, { requireWorkflowId: false })
+    const authResult = await checkSessionOrInternalAuth(request, { requireWorkflowId: false })
 
     if (!authResult.success) {
       logger.warn(`[${requestId}] Unauthorized A2A send message attempt: ${authResult.error}`)

apps/sim/app/api/tools/a2a/set-push-notification/route.ts

@@ -2,7 +2,7 @@ import { createLogger } from '@sim/logger'
 import { type NextRequest, NextResponse } from 'next/server'
 import { z } from 'zod'
 import { createA2AClient } from '@/lib/a2a/utils'
-import { checkHybridAuth } from '@/lib/auth/hybrid'
+import { checkSessionOrInternalAuth } from '@/lib/auth/hybrid'
 import { validateUrlWithDNS } from '@/lib/core/security/input-validation.server'
 import { generateRequestId } from '@/lib/core/utils/request'
 
@@ -22,7 +22,7 @@ export async function POST(request: NextRequest) {
   const requestId = generateRequestId()
 
   try {
-    const authResult = await checkHybridAuth(request, { requireWorkflowId: false })
+    const authResult = await checkSessionOrInternalAuth(request, { requireWorkflowId: false })
 
     if (!authResult.success) {
       logger.warn(`[${requestId}] Unauthorized A2A set push notification attempt`, {

apps/sim/app/api/users/me/usage-logs/route.ts

@@ -1,7 +1,7 @@
 import { createLogger } from '@sim/logger'
 import { type NextRequest, NextResponse } from 'next/server'
 import { z } from 'zod'
-import { checkHybridAuth } from '@/lib/auth/hybrid'
+import { checkSessionOrInternalAuth } from '@/lib/auth/hybrid'
 import { getUserUsageLogs, type UsageLogSource } from '@/lib/billing/core/usage-log'
 
 const logger = createLogger('UsageLogsAPI')
@@ -20,7 +20,7 @@ const QuerySchema = z.object({
  */
 export async function GET(req: NextRequest) {
   try {
-    const auth = await checkHybridAuth(req, { requireWorkflowId: false })
+    const auth = await checkSessionOrInternalAuth(req, { requireWorkflowId: false })
 
     if (!auth.success || !auth.userId) {
       return NextResponse.json({ error: 'Unauthorized' }, { status: 401 })

apps/sim/app/api/workflows/[id]/execute/route.ts

@@ -325,6 +325,11 @@ export async function POST(req: NextRequest, { params }: { params: Promise<{ id:
       requestId
     )
 
+    // Client-side sessions and personal API keys bill/permission-check the
+    // authenticated user, not the workspace billed account.
+    const useAuthenticatedUserAsActor =
+      isClientSession || (auth.authType === 'api_key' && auth.apiKeyType === 'personal')
+
     const preprocessResult = await preprocessExecution({
       workflowId,
       userId,
@@ -334,6 +339,7 @@ export async function POST(req: NextRequest, { params }: { params: Promise<{ id:
       checkDeployment: !shouldUseDraftState,
       loggingSession,
       useDraftState: shouldUseDraftState,
+      useAuthenticatedUserAsActor,
     })
 
     if (!preprocessResult.success) {

apps/sim/app/workspace/[workspaceId]/logs/components/log-details/components/file-download/file-download.tsx

@@ -74,8 +74,7 @@ function FileCard({ file, isExecutionFile = false, workspaceId }: FileCardProps)
       }
 
       if (isExecutionFile) {
-        const serveUrl =
-          file.url || `/api/files/serve/${encodeURIComponent(file.key)}?context=execution`
+        const serveUrl = `/api/files/serve/${encodeURIComponent(file.key)}?context=execution`
         window.open(serveUrl, '_blank')
         logger.info(`Opened execution file serve URL: ${serveUrl}`)
       } else {
@@ -88,16 +87,12 @@ function FileCard({ file, isExecutionFile = false, workspaceId }: FileCardProps)
           logger.warn(
             `Could not construct viewer URL for file: ${file.name}, falling back to serve URL`
           )
-          const serveUrl =
-            file.url || `/api/files/serve/${encodeURIComponent(file.key)}?context=workspace`
+          const serveUrl = `/api/files/serve/${encodeURIComponent(file.key)}?context=workspace`
           window.open(serveUrl, '_blank')
         }
       }
     } catch (error) {
       logger.error(`Failed to download file ${file.name}:`, error)
-      if (file.url) {
-        window.open(file.url, '_blank')
-      }
     } finally {
       setIsDownloading(false)
     }
@@ -198,8 +193,7 @@ export function FileDownload({
       }
 
       if (isExecutionFile) {
-        const serveUrl =
-          file.url || `/api/files/serve/${encodeURIComponent(file.key)}?context=execution`
+        const serveUrl = `/api/files/serve/${encodeURIComponent(file.key)}?context=execution`
         window.open(serveUrl, '_blank')
         logger.info(`Opened execution file serve URL: ${serveUrl}`)
       } else {
@@ -212,16 +206,12 @@ export function FileDownload({
           logger.warn(
             `Could not construct viewer URL for file: ${file.name}, falling back to serve URL`
           )
-          const serveUrl =
-            file.url || `/api/files/serve/${encodeURIComponent(file.key)}?context=workspace`
+          const serveUrl = `/api/files/serve/${encodeURIComponent(file.key)}?context=workspace`
           window.open(serveUrl, '_blank')
         }
       }
     } catch (error) {
       logger.error(`Failed to download file ${file.name}:`, error)
-      if (file.url) {
-        window.open(file.url, '_blank')
-      }
     } finally {
       setIsDownloading(false)
     }

apps/sim/app/workspace/[workspaceId]/w/[workflowId]/components/panel/components/editor/components/sub-block/components/index.ts

@@ -24,6 +24,7 @@ export { ResponseFormat } from './response/response-format'
 export { ScheduleInfo } from './schedule-info/schedule-info'
 export { SheetSelectorInput } from './sheet-selector/sheet-selector-input'
 export { ShortInput } from './short-input/short-input'
+export { SkillInput } from './skill-input/skill-input'
 export { SlackSelectorInput } from './slack-selector/slack-selector-input'
 export { SliderInput } from './slider-input/slider-input'
 export { InputFormat } from './starter/input-format'

apps/sim/app/workspace/[workspaceId]/w/[workflowId]/components/panel/components/editor/components/sub-block/components/skill-input/skill-input.tsx

@@ -0,0 +1,194 @@
+'use client'
+
+import { useCallback, useMemo, useState } from 'react'
+import { Plus, XIcon } from 'lucide-react'
+import { useParams } from 'next/navigation'
+import { Combobox, type ComboboxOptionGroup } from '@/components/emcn'
+import { AgentSkillsIcon } from '@/components/icons'
+import { useSubBlockValue } from '@/app/workspace/[workspaceId]/w/[workflowId]/components/panel/components/editor/components/sub-block/hooks/use-sub-block-value'
+import { SkillModal } from '@/app/workspace/[workspaceId]/w/components/sidebar/components/settings-modal/components/skills/components/skill-modal'
+import type { SkillDefinition } from '@/hooks/queries/skills'
+import { useSkills } from '@/hooks/queries/skills'
+import { usePermissionConfig } from '@/hooks/use-permission-config'
+
+interface StoredSkill {
+  skillId: string
+  name?: string
+}
+
+interface SkillInputProps {
+  blockId: string
+  subBlockId: string
+  isPreview?: boolean
+  previewValue?: unknown
+  disabled?: boolean
+}
+
+export function SkillInput({
+  blockId,
+  subBlockId,
+  isPreview,
+  previewValue,
+  disabled,
+}: SkillInputProps) {
+  const params = useParams()
+  const workspaceId = params.workspaceId as string
+
+  const { config: permissionConfig } = usePermissionConfig()
+  const { data: workspaceSkills = [] } = useSkills(workspaceId)
+  const [value, setValue] = useSubBlockValue<StoredSkill[]>(blockId, subBlockId)
+  const [showCreateModal, setShowCreateModal] = useState(false)
+  const [editingSkill, setEditingSkill] = useState<SkillDefinition | null>(null)
+  const [open, setOpen] = useState(false)
+
+  const selectedSkills: StoredSkill[] = useMemo(() => {
+    if (isPreview && previewValue) {
+      return Array.isArray(previewValue) ? previewValue : []
+    }
+    return Array.isArray(value) ? value : []
+  }, [isPreview, previewValue, value])
+
+  const selectedIds = useMemo(() => new Set(selectedSkills.map((s) => s.skillId)), [selectedSkills])
+
+  const skillsDisabled = permissionConfig.disableSkills
+
+  const skillGroups = useMemo((): ComboboxOptionGroup[] => {
+    const groups: ComboboxOptionGroup[] = []
+
+    if (!skillsDisabled) {
+      groups.push({
+        items: [
+          {
+            label: 'Create Skill',
+            value: 'action-create-skill',
+            icon: Plus,
+            onSelect: () => {
+              setShowCreateModal(true)
+              setOpen(false)
+            },
+            disabled: isPreview,
+          },
+        ],
+      })
+    }
+
+    const availableSkills = workspaceSkills.filter((s) => !selectedIds.has(s.id))
+    if (!skillsDisabled && availableSkills.length > 0) {
+      groups.push({
+        section: 'Skills',
+        items: availableSkills.map((s) => {
+          return {
+            label: s.name,
+            value: `skill-${s.id}`,
+            icon: AgentSkillsIcon,
+            onSelect: () => {
+              const newSkills: StoredSkill[] = [...selectedSkills, { skillId: s.id, name: s.name }]
+              setValue(newSkills)
+              setOpen(false)
+            },
+          }
+        }),
+      })
+    }
+
+    return groups
+  }, [workspaceSkills, selectedIds, selectedSkills, setValue, isPreview, skillsDisabled])
+
+  const handleRemove = useCallback(
+    (skillId: string) => {
+      const newSkills = selectedSkills.filter((s) => s.skillId !== skillId)
+      setValue(newSkills)
+    },
+    [selectedSkills, setValue]
+  )
+
+  const handleSkillSaved = useCallback(() => {
+    setShowCreateModal(false)
+    setEditingSkill(null)
+  }, [])
+
+  const resolveSkillName = useCallback(
+    (stored: StoredSkill): string => {
+      const found = workspaceSkills.find((s) => s.id === stored.skillId)
+      return found?.name ?? stored.name ?? stored.skillId
+    },
+    [workspaceSkills]
+  )
+
+  return (
+    <>
+      <div className='w-full space-y-[8px]'>
+        <Combobox
+          options={[]}
+          groups={skillGroups}
+          placeholder='Add skill...'
+          disabled={disabled}
+          searchable
+          searchPlaceholder='Search skills...'
+          maxHeight={240}
+          emptyMessage='No skills found'
+          onOpenChange={setOpen}
+        />
+
+        {selectedSkills.length > 0 &&
+          selectedSkills.map((stored) => {
+            const fullSkill = workspaceSkills.find((s) => s.id === stored.skillId)
+            return (
+              <div
+                key={stored.skillId}
+                className='group relative flex flex-col overflow-hidden rounded-[4px] border border-[var(--border-1)] transition-all duration-200 ease-in-out'
+              >
+                <div
+                  className='flex cursor-pointer items-center justify-between gap-[8px] rounded-t-[4px] bg-[var(--surface-4)] px-[8px] py-[6.5px]'
+                  onClick={() => {
+                    if (fullSkill && !disabled && !isPreview) {
+                      setEditingSkill(fullSkill)
+                    }
+                  }}
+                >
+                  <div className='flex min-w-0 flex-1 items-center gap-[8px]'>
+                    <div
+                      className='flex h-[16px] w-[16px] flex-shrink-0 items-center justify-center rounded-[4px]'
+                      style={{ backgroundColor: '#e0e0e0' }}
+                    >
+                      <AgentSkillsIcon className='h-[10px] w-[10px] text-[#333]' />
+                    </div>
+                    <span className='truncate font-medium text-[13px] text-[var(--text-primary)]'>
+                      {resolveSkillName(stored)}
+                    </span>
+                  </div>
+                  <div className='flex flex-shrink-0 items-center gap-[8px]'>
+                    {!disabled && !isPreview && (
+                      <button
+                        type='button'
+                        onClick={(e) => {
+                          e.stopPropagation()
+                          handleRemove(stored.skillId)
+                        }}
+                        className='flex items-center justify-center text-[var(--text-tertiary)] transition-colors hover:text-[var(--text-primary)]'
+                        aria-label='Remove skill'
+                      >
+                        <XIcon className='h-[13px] w-[13px]' />
+                      </button>
+                    )}
+                  </div>
+                </div>
+              </div>
+            )
+          })}
+      </div>
+
+      <SkillModal
+        open={showCreateModal || !!editingSkill}
+        onOpenChange={(isOpen) => {
+          if (!isOpen) {
+            setShowCreateModal(false)
+            setEditingSkill(null)
+          }
+        }}
+        onSave={handleSkillSaved}
+        initialValues={editingSkill ?? undefined}
+      />
+    </>
+  )
+}

apps/sim/app/workspace/[workspaceId]/w/[workflowId]/components/panel/components/editor/components/sub-block/sub-block.tsx

@@ -32,6 +32,7 @@ import {
   ScheduleInfo,
   SheetSelectorInput,
   ShortInput,
+  SkillInput,
   SlackSelectorInput,
   SliderInput,
   Switch,
@@ -687,6 +688,17 @@ function SubBlockComponent({
           />
         )
 
+      case 'skill-input':
+        return (
+          <SkillInput
+            blockId={blockId}
+            subBlockId={config.id}
+            isPreview={isPreview}
+            previewValue={previewValue}
+            disabled={isDisabled}
+          />
+        )
+
       case 'checkbox-list':
         return (
           <CheckboxList

apps/sim/app/workspace/[workspaceId]/w/[workflowId]/components/panel/components/editor/hooks/use-editor-subblock-layout.ts

@@ -6,6 +6,7 @@ import {
   isSubBlockVisibleForMode,
 } from '@/lib/workflows/subblocks/visibility'
 import type { BlockConfig, SubBlockConfig, SubBlockType } from '@/blocks/types'
+import { usePermissionConfig } from '@/hooks/use-permission-config'
 import { useWorkflowDiffStore } from '@/stores/workflow-diff'
 import { mergeSubblockState } from '@/stores/workflows/utils'
 import { useWorkflowStore } from '@/stores/workflows/workflow/store'
@@ -35,6 +36,7 @@ export function useEditorSubblockLayout(
   const blockDataFromStore = useWorkflowStore(
     useCallback((state) => state.blocks?.[blockId]?.data, [blockId])
   )
+  const { config: permissionConfig } = usePermissionConfig()
 
   return useMemo(() => {
     // Guard against missing config or block selection
@@ -100,6 +102,9 @@ export function useEditorSubblockLayout(
     const visibleSubBlocks = (config.subBlocks || []).filter((block) => {
       if (block.hidden) return false
 
+      // Hide skill-input subblock when skills are disabled via permissions
+      if (block.type === 'skill-input' && permissionConfig.disableSkills) return false
+
       // Check required feature if specified - declarative feature gating
       if (!isSubBlockFeatureEnabled(block)) return false
 
@@ -149,5 +154,6 @@ export function useEditorSubblockLayout(
     activeWorkflowId,
     isSnapshotView,
     blockDataFromStore,
+    permissionConfig.disableSkills,
   ])
 }

apps/sim/app/workspace/[workspaceId]/w/[workflowId]/components/workflow-block/workflow-block.tsx

@@ -40,6 +40,7 @@ import { useCustomTools } from '@/hooks/queries/custom-tools'
 import { useMcpServers, useMcpToolsQuery } from '@/hooks/queries/mcp'
 import { useCredentialName } from '@/hooks/queries/oauth-credentials'
 import { useReactivateSchedule, useScheduleInfo } from '@/hooks/queries/schedules'
+import { useSkills } from '@/hooks/queries/skills'
 import { useDeployChildWorkflow } from '@/hooks/queries/workflows'
 import { useSelectorDisplayName } from '@/hooks/use-selector-display-name'
 import { useVariablesStore } from '@/stores/panel'
@@ -618,6 +619,48 @@ const SubBlockRow = memo(function SubBlockRow({
     return `${toolNames[0]}, ${toolNames[1]} +${toolNames.length - 2}`
   }, [subBlock?.type, rawValue, customTools, workspaceId])
 
+  /**
+   * Hydrates skill references to display names.
+   * Resolves skill IDs to their current names from the skills query.
+   */
+  const { data: workspaceSkills = [] } = useSkills(workspaceId || '')
+
+  const skillsDisplayValue = useMemo(() => {
+    if (subBlock?.type !== 'skill-input' || !Array.isArray(rawValue) || rawValue.length === 0) {
+      return null
+    }
+
+    interface StoredSkill {
+      skillId: string
+      name?: string
+    }
+
+    const skillNames = rawValue
+      .map((skill: StoredSkill) => {
+        if (!skill || typeof skill !== 'object') return null
+
+        // Priority 1: Resolve skill name from the skills query (fresh data)
+        if (skill.skillId) {
+          const foundSkill = workspaceSkills.find((s) => s.id === skill.skillId)
+          if (foundSkill?.name) return foundSkill.name
+        }
+
+        // Priority 2: Fall back to stored name (for deleted skills)
+        if (skill.name && typeof skill.name === 'string') return skill.name
+
+        // Priority 3: Use skillId as last resort
+        if (skill.skillId) return skill.skillId
+
+        return null
+      })
+      .filter((name): name is string => !!name)
+
+    if (skillNames.length === 0) return null
+    if (skillNames.length === 1) return skillNames[0]
+    if (skillNames.length === 2) return `${skillNames[0]}, ${skillNames[1]}`
+    return `${skillNames[0]}, ${skillNames[1]} +${skillNames.length - 2}`
+  }, [subBlock?.type, rawValue, workspaceSkills])
+
   const isPasswordField = subBlock?.password === true
   const maskedValue = isPasswordField && value && value !== '-' ? '•••' : null
 
@@ -627,6 +670,7 @@ const SubBlockRow = memo(function SubBlockRow({
     dropdownLabel ||
     variablesDisplayValue ||
     toolsDisplayValue ||
+    skillsDisplayValue ||
     knowledgeBaseDisplayName ||
     workflowSelectionName ||
     mcpServerDisplayName ||

apps/sim/app/workspace/[workspaceId]/w/components/sidebar/components/settings-modal/components/index.ts

@@ -9,6 +9,7 @@ export { Files as FileUploads } from './files/files'
 export { General } from './general/general'
 export { Integrations } from './integrations/integrations'
 export { MCP } from './mcp/mcp'
+export { Skills } from './skills/skills'
 export { Subscription } from './subscription/subscription'
 export { TeamManagement } from './team-management/team-management'
 export { WorkflowMcpServers } from './workflow-mcp-servers/workflow-mcp-servers'

apps/sim/app/workspace/[workspaceId]/w/components/sidebar/components/settings-modal/components/skills/components/skill-modal.tsx

@@ -0,0 +1,225 @@
+'use client'
+
+import type { ChangeEvent } from 'react'
+import { useEffect, useMemo, useState } from 'react'
+import { useParams } from 'next/navigation'
+import {
+  Button,
+  Input,
+  Label,
+  Modal,
+  ModalBody,
+  ModalContent,
+  ModalFooter,
+  ModalHeader,
+  Textarea,
+} from '@/components/emcn'
+import type { SkillDefinition } from '@/hooks/queries/skills'
+import { useCreateSkill, useUpdateSkill } from '@/hooks/queries/skills'
+
+interface SkillModalProps {
+  open: boolean
+  onOpenChange: (open: boolean) => void
+  onSave: () => void
+  onDelete?: (skillId: string) => void
+  initialValues?: SkillDefinition
+}
+
+const KEBAB_CASE_REGEX = /^[a-z0-9]+(-[a-z0-9]+)*$/
+
+interface FieldErrors {
+  name?: string
+  description?: string
+  content?: string
+  general?: string
+}
+
+export function SkillModal({
+  open,
+  onOpenChange,
+  onSave,
+  onDelete,
+  initialValues,
+}: SkillModalProps) {
+  const params = useParams()
+  const workspaceId = params.workspaceId as string
+
+  const createSkill = useCreateSkill()
+  const updateSkill = useUpdateSkill()
+
+  const [name, setName] = useState('')
+  const [description, setDescription] = useState('')
+  const [content, setContent] = useState('')
+  const [errors, setErrors] = useState<FieldErrors>({})
+  const [saving, setSaving] = useState(false)
+
+  useEffect(() => {
+    if (open) {
+      if (initialValues) {
+        setName(initialValues.name)
+        setDescription(initialValues.description)
+        setContent(initialValues.content)
+      } else {
+        setName('')
+        setDescription('')
+        setContent('')
+      }
+      setErrors({})
+    }
+  }, [open, initialValues])
+
+  const hasChanges = useMemo(() => {
+    if (!initialValues) return true
+    return (
+      name !== initialValues.name ||
+      description !== initialValues.description ||
+      content !== initialValues.content
+    )
+  }, [name, description, content, initialValues])
+
+  const handleSave = async () => {
+    const newErrors: FieldErrors = {}
+
+    if (!name.trim()) {
+      newErrors.name = 'Name is required'
+    } else if (name.length > 64) {
+      newErrors.name = 'Name must be 64 characters or less'
+    } else if (!KEBAB_CASE_REGEX.test(name)) {
+      newErrors.name = 'Name must be kebab-case (e.g. my-skill)'
+    }
+
+    if (!description.trim()) {
+      newErrors.description = 'Description is required'
+    }
+
+    if (!content.trim()) {
+      newErrors.content = 'Content is required'
+    }
+
+    if (Object.keys(newErrors).length > 0) {
+      setErrors(newErrors)
+      return
+    }
+
+    setSaving(true)
+
+    try {
+      if (initialValues) {
+        await updateSkill.mutateAsync({
+          workspaceId,
+          skillId: initialValues.id,
+          updates: { name, description, content },
+        })
+      } else {
+        await createSkill.mutateAsync({
+          workspaceId,
+          skill: { name, description, content },
+        })
+      }
+      onSave()
+    } catch (error) {
+      const message =
+        error instanceof Error && error.message.includes('already exists')
+          ? error.message
+          : 'Failed to save skill. Please try again.'
+      setErrors({ general: message })
+    } finally {
+      setSaving(false)
+    }
+  }
+
+  return (
+    <Modal open={open} onOpenChange={onOpenChange}>
+      <ModalContent size='xl'>
+        <ModalHeader>{initialValues ? 'Edit Skill' : 'Create Skill'}</ModalHeader>
+        <ModalBody>
+          <div className='flex flex-col gap-[16px]'>
+            <div className='flex flex-col gap-[4px]'>
+              <Label htmlFor='skill-name' className='font-medium text-[13px]'>
+                Name
+              </Label>
+              <Input
+                id='skill-name'
+                placeholder='my-skill-name'
+                value={name}
+                onChange={(e) => {
+                  setName(e.target.value)
+                  if (errors.name || errors.general)
+                    setErrors((prev) => ({ ...prev, name: undefined, general: undefined }))
+                }}
+              />
+              {errors.name ? (
+                <p className='text-[12px] text-[var(--text-error)]'>{errors.name}</p>
+              ) : (
+                <span className='text-[11px] text-[var(--text-muted)]'>
+                  Lowercase letters, numbers, and hyphens (e.g. my-skill)
+                </span>
+              )}
+            </div>
+
+            <div className='flex flex-col gap-[4px]'>
+              <Label htmlFor='skill-description' className='font-medium text-[13px]'>
+                Description
+              </Label>
+              <Input
+                id='skill-description'
+                placeholder='What this skill does and when to use it...'
+                value={description}
+                onChange={(e) => {
+                  setDescription(e.target.value)
+                  if (errors.description || errors.general)
+                    setErrors((prev) => ({ ...prev, description: undefined, general: undefined }))
+                }}
+                maxLength={1024}
+              />
+              {errors.description && (
+                <p className='text-[12px] text-[var(--text-error)]'>{errors.description}</p>
+              )}
+            </div>
+
+            <div className='flex flex-col gap-[4px]'>
+              <Label htmlFor='skill-content' className='font-medium text-[13px]'>
+                Content
+              </Label>
+              <Textarea
+                id='skill-content'
+                placeholder='Skill instructions in markdown...'
+                value={content}
+                onChange={(e: ChangeEvent<HTMLTextAreaElement>) => {
+                  setContent(e.target.value)
+                  if (errors.content || errors.general)
+                    setErrors((prev) => ({ ...prev, content: undefined, general: undefined }))
+                }}
+                className='min-h-[200px] resize-y font-mono text-[13px]'
+              />
+              {errors.content && (
+                <p className='text-[12px] text-[var(--text-error)]'>{errors.content}</p>
+              )}
+            </div>
+
+            {errors.general && (
+              <p className='text-[12px] text-[var(--text-error)]'>{errors.general}</p>
+            )}
+          </div>
+        </ModalBody>
+        <ModalFooter className='items-center justify-between'>
+          {initialValues && onDelete ? (
+            <Button variant='destructive' onClick={() => onDelete(initialValues.id)}>
+              Delete
+            </Button>
+          ) : (
+            <div />
+          )}
+          <div className='flex gap-2'>
+            <Button variant='default' onClick={() => onOpenChange(false)}>
+              Cancel
+            </Button>
+            <Button variant='tertiary' onClick={handleSave} disabled={saving || !hasChanges}>
+              {saving ? 'Saving...' : initialValues ? 'Update' : 'Create'}
+            </Button>
+          </div>
+        </ModalFooter>
+      </ModalContent>
+    </Modal>
+  )
+}

apps/sim/app/workspace/[workspaceId]/w/components/sidebar/components/settings-modal/components/skills/skills.tsx

@@ -0,0 +1,219 @@
+'use client'
+
+import { useState } from 'react'
+import { createLogger } from '@sim/logger'
+import { Plus, Search } from 'lucide-react'
+import { useParams } from 'next/navigation'
+import {
+  Button,
+  Input,
+  Modal,
+  ModalBody,
+  ModalContent,
+  ModalFooter,
+  ModalHeader,
+} from '@/components/emcn'
+import { Skeleton } from '@/components/ui'
+import { cn } from '@/lib/core/utils/cn'
+import { SkillModal } from '@/app/workspace/[workspaceId]/w/components/sidebar/components/settings-modal/components/skills/components/skill-modal'
+import type { SkillDefinition } from '@/hooks/queries/skills'
+import { useDeleteSkill, useSkills } from '@/hooks/queries/skills'
+
+const logger = createLogger('SkillsSettings')
+
+function SkillSkeleton() {
+  return (
+    <div className='flex items-center justify-between gap-[12px]'>
+      <div className='flex min-w-0 flex-col justify-center gap-[1px]'>
+        <Skeleton className='h-[14px] w-[100px]' />
+        <Skeleton className='h-[13px] w-[200px]' />
+      </div>
+      <div className='flex flex-shrink-0 items-center gap-[8px]'>
+        <Skeleton className='h-[30px] w-[40px] rounded-[4px]' />
+        <Skeleton className='h-[30px] w-[54px] rounded-[4px]' />
+      </div>
+    </div>
+  )
+}
+
+export function Skills() {
+  const params = useParams()
+  const workspaceId = params.workspaceId as string
+
+  const { data: skills = [], isLoading, error, refetch: refetchSkills } = useSkills(workspaceId)
+  const deleteSkillMutation = useDeleteSkill()
+
+  const [searchTerm, setSearchTerm] = useState('')
+  const [deletingSkills, setDeletingSkills] = useState<Set<string>>(new Set())
+  const [editingSkill, setEditingSkill] = useState<SkillDefinition | null>(null)
+  const [showAddForm, setShowAddForm] = useState(false)
+  const [skillToDelete, setSkillToDelete] = useState<{ id: string; name: string } | null>(null)
+  const [showDeleteDialog, setShowDeleteDialog] = useState(false)
+
+  const filteredSkills = skills.filter((s) => {
+    if (!searchTerm.trim()) return true
+    const searchLower = searchTerm.toLowerCase()
+    return (
+      s.name.toLowerCase().includes(searchLower) ||
+      s.description.toLowerCase().includes(searchLower)
+    )
+  })
+
+  const handleDeleteClick = (skillId: string) => {
+    const s = skills.find((sk) => sk.id === skillId)
+    if (!s) return
+
+    setSkillToDelete({ id: skillId, name: s.name })
+    setShowDeleteDialog(true)
+  }
+
+  const handleDeleteSkill = async () => {
+    if (!skillToDelete) return
+
+    setDeletingSkills((prev) => new Set(prev).add(skillToDelete.id))
+    setShowDeleteDialog(false)
+
+    try {
+      await deleteSkillMutation.mutateAsync({
+        workspaceId,
+        skillId: skillToDelete.id,
+      })
+      logger.info(`Deleted skill: ${skillToDelete.id}`)
+    } catch (error) {
+      logger.error('Error deleting skill:', error)
+    } finally {
+      setDeletingSkills((prev) => {
+        const next = new Set(prev)
+        next.delete(skillToDelete.id)
+        return next
+      })
+      setSkillToDelete(null)
+    }
+  }
+
+  const handleSkillSaved = () => {
+    setShowAddForm(false)
+    setEditingSkill(null)
+    refetchSkills()
+  }
+
+  const hasSkills = skills && skills.length > 0
+  const showEmptyState = !hasSkills && !showAddForm && !editingSkill
+  const showNoResults = searchTerm.trim() && filteredSkills.length === 0 && skills.length > 0
+
+  return (
+    <>
+      <div className='flex h-full flex-col gap-[16px]'>
+        <div className='flex items-center gap-[8px]'>
+          <div
+            className={cn(
+              'flex flex-1 items-center gap-[8px] rounded-[8px] border border-[var(--border)] bg-transparent px-[8px] py-[5px] transition-colors duration-100 dark:bg-[var(--surface-4)] dark:hover:border-[var(--border-1)] dark:hover:bg-[var(--surface-5)]',
+              isLoading && 'opacity-50'
+            )}
+          >
+            <Search
+              className='h-[14px] w-[14px] flex-shrink-0 text-[var(--text-tertiary)]'
+              strokeWidth={2}
+            />
+            <Input
+              placeholder='Search skills...'
+              value={searchTerm}
+              onChange={(e) => setSearchTerm(e.target.value)}
+              disabled={isLoading}
+              className='h-auto flex-1 border-0 bg-transparent p-0 font-base leading-none placeholder:text-[var(--text-tertiary)] focus-visible:ring-0 focus-visible:ring-offset-0 disabled:cursor-not-allowed disabled:opacity-100'
+            />
+          </div>
+          <Button onClick={() => setShowAddForm(true)} disabled={isLoading} variant='tertiary'>
+            <Plus className='mr-[6px] h-[13px] w-[13px]' />
+            Add
+          </Button>
+        </div>
+
+        <div className='min-h-0 flex-1 overflow-y-auto'>
+          {error ? (
+            <div className='flex h-full flex-col items-center justify-center gap-[8px]'>
+              <p className='text-[#DC2626] text-[11px] leading-tight dark:text-[#F87171]'>
+                {error instanceof Error ? error.message : 'Failed to load skills'}
+              </p>
+            </div>
+          ) : isLoading ? (
+            <div className='flex flex-col gap-[8px]'>
+              <SkillSkeleton />
+              <SkillSkeleton />
+              <SkillSkeleton />
+            </div>
+          ) : showEmptyState ? (
+            <div className='flex h-full items-center justify-center text-[13px] text-[var(--text-muted)]'>
+              Click "Add" above to get started
+            </div>
+          ) : (
+            <div className='flex flex-col gap-[8px]'>
+              {filteredSkills.map((s) => (
+                <div key={s.id} className='flex items-center justify-between gap-[12px]'>
+                  <div className='flex min-w-0 flex-col justify-center gap-[1px]'>
+                    <span className='truncate font-medium text-[14px]'>{s.name}</span>
+                    <p className='truncate text-[13px] text-[var(--text-muted)]'>{s.description}</p>
+                  </div>
+                  <div className='flex flex-shrink-0 items-center gap-[8px]'>
+                    <Button variant='default' onClick={() => setEditingSkill(s)}>
+                      Edit
+                    </Button>
+                    <Button
+                      variant='ghost'
+                      onClick={() => handleDeleteClick(s.id)}
+                      disabled={deletingSkills.has(s.id)}
+                    >
+                      {deletingSkills.has(s.id) ? 'Deleting...' : 'Delete'}
+                    </Button>
+                  </div>
+                </div>
+              ))}
+              {showNoResults && (
+                <div className='py-[16px] text-center text-[13px] text-[var(--text-muted)]'>
+                  No skills found matching "{searchTerm}"
+                </div>
+              )}
+            </div>
+          )}
+        </div>
+      </div>
+
+      <SkillModal
+        open={showAddForm || !!editingSkill}
+        onOpenChange={(open) => {
+          if (!open) {
+            setShowAddForm(false)
+            setEditingSkill(null)
+          }
+        }}
+        onSave={handleSkillSaved}
+        onDelete={(skillId) => {
+          setEditingSkill(null)
+          handleDeleteClick(skillId)
+        }}
+        initialValues={editingSkill ?? undefined}
+      />
+
+      <Modal open={showDeleteDialog} onOpenChange={setShowDeleteDialog}>
+        <ModalContent size='sm'>
+          <ModalHeader>Delete Skill</ModalHeader>
+          <ModalBody>
+            <p className='text-[12px] text-[var(--text-secondary)]'>
+              Are you sure you want to delete{' '}
+              <span className='font-medium text-[var(--text-primary)]'>{skillToDelete?.name}</span>?{' '}
+              <span className='text-[var(--text-error)]'>This action cannot be undone.</span>
+            </p>
+          </ModalBody>
+          <ModalFooter>
+            <Button variant='default' onClick={() => setShowDeleteDialog(false)}>
+              Cancel
+            </Button>
+            <Button variant='destructive' onClick={handleDeleteSkill}>
+              Delete
+            </Button>
+          </ModalFooter>
+        </ModalContent>
+      </Modal>
+    </>
+  )
+}

apps/sim/app/workspace/[workspaceId]/w/components/sidebar/components/settings-modal/settings-modal.tsx

@@ -34,7 +34,7 @@ import {
   SModalSidebarSection,
   SModalSidebarSectionTitle,
 } from '@/components/emcn'
-import { McpIcon } from '@/components/icons'
+import { AgentSkillsIcon, McpIcon } from '@/components/icons'
 import { useSession } from '@/lib/auth/auth-client'
 import { getSubscriptionStatus } from '@/lib/billing/client'
 import { getEnv, isTruthy } from '@/lib/core/config/env'
@@ -52,6 +52,7 @@ import {
   General,
   Integrations,
   MCP,
+  Skills,
   Subscription,
   TeamManagement,
   WorkflowMcpServers,
@@ -93,6 +94,7 @@ type SettingsSection =
   | 'copilot'
   | 'mcp'
   | 'custom-tools'
+  | 'skills'
   | 'workflow-mcp-servers'
   | 'debug'
 
@@ -156,6 +158,7 @@ const allNavigationItems: NavigationItem[] = [
   },
   { id: 'integrations', label: 'Integrations', icon: Connections, section: 'tools' },
   { id: 'custom-tools', label: 'Custom Tools', icon: Wrench, section: 'tools' },
+  { id: 'skills', label: 'Skills', icon: AgentSkillsIcon, section: 'tools' },
   { id: 'mcp', label: 'MCP Tools', icon: McpIcon, section: 'tools' },
   { id: 'environment', label: 'Environment', icon: FolderCode, section: 'system' },
   { id: 'apikeys', label: 'API Keys', icon: Key, section: 'system' },
@@ -265,6 +268,9 @@ export function SettingsModal({ open, onOpenChange }: SettingsModalProps) {
       if (item.id === 'custom-tools' && permissionConfig.disableCustomTools) {
         return false
       }
+      if (item.id === 'skills' && permissionConfig.disableSkills) {
+        return false
+      }
 
       // Self-hosted override allows showing the item when not on hosted
       if (item.selfHostedOverride && !isHosted) {
@@ -556,6 +562,7 @@ export function SettingsModal({ open, onOpenChange }: SettingsModalProps) {
             {effectiveActiveSection === 'copilot' && <Copilot />}
             {effectiveActiveSection === 'mcp' && <MCP initialServerId={pendingMcpServerId} />}
             {effectiveActiveSection === 'custom-tools' && <CustomTools />}
+            {effectiveActiveSection === 'skills' && <Skills />}
             {effectiveActiveSection === 'workflow-mcp-servers' && <WorkflowMcpServers />}
             {effectiveActiveSection === 'debug' && <Debug />}
           </SModalMainBody>

apps/sim/blocks/blocks.test.ts

@@ -1,6 +1,5 @@
 import { describe, expect, it, vi } from 'vitest'
 
-// Use the real registry module, not the global mock from vitest.setup.ts
 vi.unmock('@/blocks/registry')
 
 import { generateRouterPrompt } from '@/blocks/blocks/router'
@@ -15,7 +14,7 @@ import {
 } from '@/blocks/registry'
 import { AuthMode } from '@/blocks/types'
 
-describe('Blocks Module', () => {
+describe.concurrent('Blocks Module', () => {
   describe('Registry', () => {
     it('should have a non-empty registry of blocks', () => {
       expect(Object.keys(registry).length).toBeGreaterThan(0)
@@ -409,6 +408,7 @@ describe('Blocks Module', () => {
         'workflow-input-mapper',
         'text',
         'router-input',
+        'skill-input',
       ]
 
       const blocks = getAllBlocks()

apps/sim/blocks/blocks/agent.ts

@@ -1,11 +1,10 @@
 import { createLogger } from '@sim/logger'
 import { AgentIcon } from '@/components/icons'
-import { isHosted } from '@/lib/core/config/feature-flags'
 import type { BlockConfig } from '@/blocks/types'
 import { AuthMode } from '@/blocks/types'
+import { getApiKeyCondition } from '@/blocks/utils'
 import {
   getBaseModelProviders,
-  getHostedModels,
   getMaxTemperature,
   getProviderIcon,
   getReasoningEffortValuesForModel,
@@ -17,15 +16,6 @@ import {
   providers,
   supportsTemperature,
 } from '@/providers/utils'
-
-const getCurrentOllamaModels = () => {
-  return useProvidersStore.getState().providers.ollama.models
-}
-
-const getCurrentVLLMModels = () => {
-  return useProvidersStore.getState().providers.vllm.models
-}
-
 import { useProvidersStore } from '@/stores/providers'
 import type { ToolResponse } from '@/tools/types'
 
@@ -333,11 +323,11 @@ Return ONLY the JSON array.`,
       id: 'azureApiVersion',
       title: 'Azure API Version',
       type: 'short-input',
-      placeholder: '2024-07-01-preview',
+      placeholder: 'Enter API version',
       connectionDroppable: false,
       condition: {
         field: 'model',
-        value: providers['azure-openai'].models,
+        value: [...providers['azure-openai'].models, ...providers['azure-anthropic'].models],
       },
     },
     {
@@ -407,6 +397,12 @@ Return ONLY the JSON array.`,
       type: 'tool-input',
       defaultValue: [],
     },
+    {
+      id: 'skills',
+      title: 'Skills',
+      type: 'skill-input',
+      defaultValue: [],
+    },
     {
       id: 'apiKey',
       title: 'API Key',
@@ -415,23 +411,7 @@ Return ONLY the JSON array.`,
       password: true,
       connectionDroppable: false,
       required: true,
-      // Hide API key for hosted models, Ollama models, vLLM models, Vertex models (uses OAuth), and Bedrock (uses AWS credentials)
-      condition: isHosted
-        ? {
-            field: 'model',
-            value: [...getHostedModels(), ...providers.vertex.models, ...providers.bedrock.models],
-            not: true, // Show for all models EXCEPT those listed
-          }
-        : () => ({
-            field: 'model',
-            value: [
-              ...getCurrentOllamaModels(),
-              ...getCurrentVLLMModels(),
-              ...providers.vertex.models,
-              ...providers.bedrock.models,
-            ],
-            not: true, // Show for all models EXCEPT Ollama, vLLM, Vertex, and Bedrock models
-          }),
+      condition: getApiKeyCondition(),
     },
     {
       id: 'memoryType',
@@ -709,7 +689,7 @@ Example 3 (Array Input):
     },
     model: { type: 'string', description: 'AI model to use' },
     apiKey: { type: 'string', description: 'Provider API key' },
-    azureEndpoint: { type: 'string', description: 'Azure OpenAI endpoint URL' },
+    azureEndpoint: { type: 'string', description: 'Azure endpoint URL' },
     azureApiVersion: { type: 'string', description: 'Azure API version' },
     vertexProject: { type: 'string', description: 'Google Cloud project ID for Vertex AI' },
     vertexLocation: { type: 'string', description: 'Google Cloud location for Vertex AI' },
@@ -769,6 +749,7 @@ Example 3 (Array Input):
       description: 'Thinking level for models with extended thinking (Anthropic Claude, Gemini 3)',
     },
     tools: { type: 'json', description: 'Available tools configuration' },
+    skills: { type: 'json', description: 'Selected skills configuration' },
   },
   outputs: {
     content: { type: 'string', description: 'Generated response content' },

apps/sim/blocks/blocks/airweave.ts

@@ -0,0 +1,102 @@
+import { AirweaveIcon } from '@/components/icons'
+import type { BlockConfig } from '@/blocks/types'
+import { AuthMode } from '@/blocks/types'
+import type { AirweaveSearchResponse } from '@/tools/airweave/types'
+
+export const AirweaveBlock: BlockConfig<AirweaveSearchResponse> = {
+  type: 'airweave',
+  name: 'Airweave',
+  description: 'Search your synced data collections',
+  authMode: AuthMode.ApiKey,
+  longDescription:
+    'Search across your synced data sources using Airweave. Supports semantic search with hybrid, neural, or keyword retrieval strategies. Optionally generate AI-powered answers from search results.',
+  docsLink: 'https://docs.airweave.ai',
+  category: 'tools',
+  bgColor: '#6366F1',
+  icon: AirweaveIcon,
+  subBlocks: [
+    {
+      id: 'collectionId',
+      title: 'Collection ID',
+      type: 'short-input',
+      placeholder: 'Enter your collection readable ID...',
+      required: true,
+    },
+    {
+      id: 'query',
+      title: 'Search Query',
+      type: 'long-input',
+      placeholder: 'Enter your search query...',
+      required: true,
+    },
+    {
+      id: 'limit',
+      title: 'Max Results',
+      type: 'dropdown',
+      options: [
+        { label: '10', id: '10' },
+        { label: '25', id: '25' },
+        { label: '50', id: '50' },
+        { label: '100', id: '100' },
+      ],
+      value: () => '25',
+    },
+    {
+      id: 'retrievalStrategy',
+      title: 'Retrieval Strategy',
+      type: 'dropdown',
+      options: [
+        { label: 'Hybrid (Default)', id: 'hybrid' },
+        { label: 'Neural', id: 'neural' },
+        { label: 'Keyword', id: 'keyword' },
+      ],
+      value: () => 'hybrid',
+    },
+    {
+      id: 'expandQuery',
+      title: 'Expand Query',
+      type: 'switch',
+      description: 'Generate query variations to improve recall',
+    },
+    {
+      id: 'rerank',
+      title: 'Rerank Results',
+      type: 'switch',
+      description: 'Reorder results for improved relevance using LLM',
+    },
+    {
+      id: 'generateAnswer',
+      title: 'Generate Answer',
+      type: 'switch',
+      description: 'Generate a natural-language answer from results',
+    },
+    {
+      id: 'apiKey',
+      title: 'API Key',
+      type: 'short-input',
+      placeholder: 'Enter your Airweave API key',
+      password: true,
+      required: true,
+    },
+  ],
+  tools: {
+    access: ['airweave_search'],
+  },
+  inputs: {
+    collectionId: { type: 'string', description: 'Airweave collection readable ID' },
+    query: { type: 'string', description: 'Search query text' },
+    apiKey: { type: 'string', description: 'Airweave API key' },
+    limit: { type: 'number', description: 'Maximum number of results' },
+    retrievalStrategy: {
+      type: 'string',
+      description: 'Retrieval strategy (hybrid/neural/keyword)',
+    },
+    expandQuery: { type: 'boolean', description: 'Generate query variations' },
+    rerank: { type: 'boolean', description: 'Rerank results with LLM' },
+    generateAnswer: { type: 'boolean', description: 'Generate AI answer' },
+  },
+  outputs: {
+    results: { type: 'json', description: 'Search results with content and metadata' },
+    completion: { type: 'string', description: 'AI-generated answer (when enabled)' },
+  },
+}

apps/sim/blocks/blocks/translate.ts

@@ -76,8 +76,9 @@ export const TranslateBlock: BlockConfig = {
         vertexProject: params.vertexProject,
         vertexLocation: params.vertexLocation,
         vertexCredential: params.vertexCredential,
-        bedrockRegion: params.bedrockRegion,
+        bedrockAccessKeyId: params.bedrockAccessKeyId,
         bedrockSecretKey: params.bedrockSecretKey,
+        bedrockRegion: params.bedrockRegion,
       }),
     },
   },

apps/sim/blocks/registry.ts

@@ -2,6 +2,7 @@ import { A2ABlock } from '@/blocks/blocks/a2a'
 import { AgentBlock } from '@/blocks/blocks/agent'
 import { AhrefsBlock } from '@/blocks/blocks/ahrefs'
 import { AirtableBlock } from '@/blocks/blocks/airtable'
+import { AirweaveBlock } from '@/blocks/blocks/airweave'
 import { ApiBlock } from '@/blocks/blocks/api'
 import { ApiTriggerBlock } from '@/blocks/blocks/api_trigger'
 import { ApifyBlock } from '@/blocks/blocks/apify'
@@ -167,6 +168,7 @@ export const registry: Record<string, BlockConfig> = {
   agent: AgentBlock,
   ahrefs: AhrefsBlock,
   airtable: AirtableBlock,
+  airweave: AirweaveBlock,
   api: ApiBlock,
   api_trigger: ApiTriggerBlock,
   apify: ApifyBlock,

apps/sim/blocks/types.ts

@@ -51,6 +51,7 @@ export type SubBlockType =
   | 'code' // Code editor
   | 'switch' // Toggle button
   | 'tool-input' // Tool configuration
+  | 'skill-input' // Skill selection for agent blocks
   | 'checkbox-list' // Multiple selection
   | 'grouped-checkbox-list' // Grouped, scrollable checkbox list with select all
   | 'condition-input' // Conditional logic
@@ -207,7 +208,7 @@ export interface SubBlockConfig {
           not?: boolean
         }
       }
-    | (() => {
+    | ((values?: Record<string, unknown>) => {
         field: string
         value: string | number | boolean | Array<string | number | boolean>
         not?: boolean
@@ -260,7 +261,7 @@ export interface SubBlockConfig {
           not?: boolean
         }
       }
-    | (() => {
+    | ((values?: Record<string, unknown>) => {
         field: string
         value: string | number | boolean | Array<string | number | boolean>
         not?: boolean

apps/sim/blocks/utils.ts

@@ -1,6 +1,6 @@
 import { isHosted } from '@/lib/core/config/feature-flags'
 import type { BlockOutput, OutputFieldDefinition, SubBlockConfig } from '@/blocks/types'
-import { getHostedModels, providers } from '@/providers/utils'
+import { getHostedModels, getProviderFromModel, providers } from '@/providers/utils'
 import { useProvidersStore } from '@/stores/providers/store'
 
 /**
@@ -48,11 +48,54 @@ const getCurrentOllamaModels = () => {
   return useProvidersStore.getState().providers.ollama.models
 }
 
-/**
- * Helper to get current vLLM models from store
- */
-const getCurrentVLLMModels = () => {
-  return useProvidersStore.getState().providers.vllm.models
+function buildModelVisibilityCondition(model: string, shouldShow: boolean) {
+  if (!model) {
+    return { field: 'model', value: '__no_model_selected__' }
+  }
+
+  return shouldShow ? { field: 'model', value: model } : { field: 'model', value: model, not: true }
+}
+
+function shouldRequireApiKeyForModel(model: string): boolean {
+  const normalizedModel = model.trim().toLowerCase()
+  if (!normalizedModel) return false
+
+  const hostedModels = getHostedModels()
+  const isHostedModel = hostedModels.some(
+    (hostedModel) => hostedModel.toLowerCase() === normalizedModel
+  )
+  if (isHosted && isHostedModel) return false
+
+  if (normalizedModel.startsWith('vertex/') || normalizedModel.startsWith('bedrock/')) {
+    return false
+  }
+
+  if (normalizedModel.startsWith('vllm/')) {
+    return false
+  }
+
+  const currentOllamaModels = getCurrentOllamaModels()
+  if (currentOllamaModels.some((ollamaModel) => ollamaModel.toLowerCase() === normalizedModel)) {
+    return false
+  }
+
+  if (!isHosted) {
+    try {
+      const providerId = getProviderFromModel(model)
+      if (
+        providerId === 'ollama' ||
+        providerId === 'vllm' ||
+        providerId === 'vertex' ||
+        providerId === 'bedrock'
+      ) {
+        return false
+      }
+    } catch {
+      // If model resolution fails, fall through and require an API key.
+    }
+  }
+
+  return true
 }
 
 /**
@@ -60,27 +103,16 @@ const getCurrentVLLMModels = () => {
  * Handles hosted vs self-hosted environments and excludes providers that don't need API key.
  */
 export function getApiKeyCondition() {
-  return isHosted
-    ? {
-        field: 'model',
-        value: [...getHostedModels(), ...providers.vertex.models, ...providers.bedrock.models],
-        not: true,
-      }
-    : () => ({
-        field: 'model',
-        value: [
-          ...getCurrentOllamaModels(),
-          ...getCurrentVLLMModels(),
-          ...providers.vertex.models,
-          ...providers.bedrock.models,
-        ],
-        not: true,
-      })
+  return (values?: Record<string, unknown>) => {
+    const model = typeof values?.model === 'string' ? values.model : ''
+    const shouldShow = shouldRequireApiKeyForModel(model)
+    return buildModelVisibilityCondition(model, shouldShow)
+  }
 }
 
 /**
  * Returns the standard provider credential subblocks used by LLM-based blocks.
- * This includes: Vertex AI OAuth, API Key, Azure OpenAI, Vertex AI config, and Bedrock config.
+ * This includes: Vertex AI OAuth, API Key, Azure (OpenAI + Anthropic), Vertex AI config, and Bedrock config.
  *
  * Usage: Spread into your block's subBlocks array after block-specific fields
  */
@@ -111,25 +143,25 @@ export function getProviderCredentialSubBlocks(): SubBlockConfig[] {
     },
     {
       id: 'azureEndpoint',
-      title: 'Azure OpenAI Endpoint',
+      title: 'Azure Endpoint',
       type: 'short-input',
       password: true,
-      placeholder: 'https://your-resource.openai.azure.com',
+      placeholder: 'https://your-resource.services.ai.azure.com',
       connectionDroppable: false,
       condition: {
         field: 'model',
-        value: providers['azure-openai'].models,
+        value: [...providers['azure-openai'].models, ...providers['azure-anthropic'].models],
       },
     },
     {
       id: 'azureApiVersion',
       title: 'Azure API Version',
       type: 'short-input',
-      placeholder: '2024-07-01-preview',
+      placeholder: 'Enter API version',
       connectionDroppable: false,
       condition: {
         field: 'model',
-        value: providers['azure-openai'].models,
+        value: [...providers['azure-openai'].models, ...providers['azure-anthropic'].models],
       },
     },
     {
@@ -202,7 +234,7 @@ export function getProviderCredentialSubBlocks(): SubBlockConfig[] {
  */
 export const PROVIDER_CREDENTIAL_INPUTS = {
   apiKey: { type: 'string', description: 'Provider API key' },
-  azureEndpoint: { type: 'string', description: 'Azure OpenAI endpoint URL' },
+  azureEndpoint: { type: 'string', description: 'Azure endpoint URL' },
   azureApiVersion: { type: 'string', description: 'Azure API version' },
   vertexProject: { type: 'string', description: 'Google Cloud project ID for Vertex AI' },
   vertexLocation: { type: 'string', description: 'Google Cloud location for Vertex AI' },

apps/sim/components/icons.tsx

@@ -1131,6 +1131,32 @@ export function AirtableIcon(props: SVGProps<SVGSVGElement>) {
   )
 }
 
+export function AirweaveIcon(props: SVGProps<SVGSVGElement>) {
+  return (
+    <svg
+      {...props}
+      width='143'
+      height='143'
+      viewBox='0 0 143 143'
+      fill='none'
+      xmlns='http://www.w3.org/2000/svg'
+    >
+      <path
+        d='M89.8854 128.872C79.9165 123.339 66.7502 115.146 60.5707 107.642L60.0432 107.018C58.7836 105.5 57.481 104.014 56.1676 102.593C51.9152 97.9641 47.3614 93.7978 42.646 90.2021C40.7405 88.7487 38.7704 87.3492 36.8111 86.0789C35.7991 85.4222 34.8302 84.8193 33.9151 84.2703C31.6221 82.903 28.8338 82.5263 26.2716 83.2476C23.8385 83.9366 21.89 85.5406 20.7596 87.7476C18.5634 92.0323 20.0814 97.3289 24.2046 99.805C27.5204 101.786 30.7608 104.111 33.8398 106.717C34.2381 107.05 34.3996 107.578 34.2596 108.062C33.1292 112.185 31.9989 118.957 31.5682 121.67C30.6424 127.429 33.4737 133.081 38.5982 135.751L38.7812 135.848C41.0204 137 43.6472 136.946 45.8219 135.697C47.9858 134.459 49.353 132.231 49.4822 129.733C49.536 128.657 49.6006 127.58 49.676 126.59C49.719 126.062 50.042 125.632 50.5264 125.459C50.6772 125.406 50.8494 125.373 51.0001 125.373C51.3554 125.373 51.6784 125.513 51.9475 125.782C56.243 130.185 60.8829 134.169 65.7167 137.625C70.3674 140.951 75.8686 142.706 81.639 142.706C83.7383 142.706 85.8376 142.469 87.8938 141.995L88.1199 141.942C90.9943 141.274 93.029 139.024 93.4488 136.085C93.8687 133.146 92.4476 130.315 89.8747 128.883H89.8639L89.8854 128.872Z'
+        fill='currentColor'
+      />
+      <path
+        d='M142.551 58.1747L142.529 58.0563C142.045 55.591 140.118 53.7069 137.598 53.2548C135.112 52.8134 132.754 53.8577 131.484 55.9893L131.408 56.1077C126.704 64.1604 120.061 71.6101 111.653 78.2956C109.446 80.0504 107.293 81.902 105.226 83.8075C103.644 85.2717 101.265 85.53 99.4452 84.4212C97.6474 83.3339 95.8495 82.1389 94.1055 80.8686C90.3268 78.1233 86.6772 74.9475 83.2753 71.4271C81.4989 69.597 79.798 67.6915 78.1939 65.7321C76.0408 63.1161 73.7477 60.5539 71.3685 58.1316C66.3195 52.9857 56.6089 45.9127 53.7453 43.878C53.3792 43.6304 53.1639 43.2428 53.0993 42.8014C53.0455 42.3601 53.1639 41.9509 53.4546 41.6064C55.274 39.4318 56.9965 37.1818 58.5683 34.921C60.2369 32.5311 60.786 29.6028 60.0862 26.8899C59.408 24.2523 57.6424 22.11 55.134 20.8827C50.9139 18.7942 45.8972 20.0968 43.2273 23.9293C40.8373 27.3636 38.0167 30.7332 34.8732 33.9306C34.5718 34.232 34.1304 34.3397 33.7213 34.1889C30.5239 33.1447 27.2296 32.2942 23.9461 31.659C23.7093 31.616 23.354 31.5514 22.9126 31.4975C16.4102 30.5286 10.1123 33.7798 7.21639 39.5717L7.1195 39.7548C6.18289 41.628 6.26902 43.8349 7.32405 45.6651C8.40061 47.5167 10.3277 48.701 12.4592 48.8194C13.4604 48.8732 14.4401 48.9378 15.3659 49.0024C15.7966 49.0347 16.1411 49.2823 16.3025 49.6914C16.4533 50.1112 16.3671 50.5419 16.0657 50.8541C12.147 54.8804 8.60515 59.1974 5.5262 63.6867C1.1446 70.0814 -0.481008 78.2095 1.08 85.9822L1.10154 86.1006C1.70441 89.0719 4.05131 91.2035 7.07644 91.5264C9.98315 91.8386 12.6099 90.3208 13.7619 87.6724L13.8265 87.5109C18.6925 75.8625 26.7559 65.5168 37.7907 56.7536C38.3182 56.3445 39.0072 56.28 39.567 56.5922C45.3373 59.768 50.8601 63.902 55.9738 68.8864C56.5982 69.4893 56.6089 70.5013 56.0168 71.1257C53.4761 73.8063 51.0862 76.6054 48.9115 79.469C47.2106 81.7083 47.5335 84.8949 49.6221 86.7358L53.3254 89.9977L53.2824 90.0409C53.8637 90.5576 54.445 91.0744 55.0264 91.5911L55.8123 92.194C56.9319 93.1844 58.3529 93.6365 59.8386 93.4858C61.3027 93.3351 62.67 92.56 63.5635 91.3758C65.1353 89.2873 66.8578 87.2525 68.6556 85.304C68.957 84.9702 69.3661 84.798 69.8075 84.7872C70.2705 84.7872 70.6257 84.9379 70.9164 85.2286C75.8147 90.0624 81.1114 94.3686 86.6772 97.9966C88.8626 99.4176 89.4978 102.26 88.1306 104.477C86.9248 106.448 85.7729 108.493 84.7179 110.539C83.5014 112.918 83.2968 115.738 84.1688 118.257C84.9978 120.68 86.7095 122.585 88.981 123.64C90.2514 124.232 91.5971 124.534 92.9859 124.534C96.5062 124.534 99.682 122.596 101.286 119.452C102.729 116.61 104.419 113.8 106.281 111.131C107.369 109.559 109.36 108.838 111.255 109.322C115.26 110.355 120.643 111.421 124.454 112.143C128.308 112.864 132.119 111.023 133.96 107.578L134.143 107.233C135.521 104.628 135.531 101.506 134.164 98.8901C132.786 96.2526 130.181 94.4655 127.21 94.121C126.478 94.0349 125.778 93.9488 125.11 93.8626C124.97 93.8411 124.852 93.8196 124.744 93.798L123.356 93.4751L124.357 92.4523C124.432 92.377 124.529 92.2801 124.658 92.194C128.771 88.8028 132.571 85.1963 135.962 81.4714C141.668 75.1951 144.122 66.4965 142.518 58.1747H142.529H142.551Z'
+        fill='currentColor'
+      />
+      <path
+        d='M56.6506 14.3371C65.5861 19.6338 77.4067 27.3743 82.9833 34.1674C83.64 34.9532 84.2967 35.7391 84.9534 36.4927C86.1591 37.8815 86.2991 39.8731 85.2979 41.4233C83.4892 44.2116 81.4115 46.9569 79.1399 49.5945C77.4713 51.5107 77.4067 54.3098 78.9785 56.2476L79.0431 56.323C79.2261 56.5598 79.4306 56.8074 79.6136 57.0442C81.2931 59.1758 83.0801 61.2213 84.9211 63.1375C85.9007 64.1603 87.2249 64.7309 88.6352 64.7309L88.7644 65.5275L88.7429 64.7309C90.207 64.6986 91.6173 64.0526 92.5969 62.933C94.8362 60.4031 96.9247 57.744 98.8302 55.0633C100.133 53.2224 102.63 52.8026 104.525 54.1052C106.463 55.4402 108.465 56.7105 110.457 57.8839C112.793 59.2511 115.614 59.5095 118.165 58.5621C120.749 57.604 122.762 55.5694 123.656 52.9533C125.055 48.9055 123.257 44.2547 119.382 41.9078C116.755 40.3145 114.15 38.5166 111.674 36.5788C110.382 35.5561 109.833 33.8767 110.296 32.2941C111.437 28.3001 112.481 23.1218 113.148 19.4831C113.837 15.7259 112.147 11.8826 108.939 9.94477L108.562 9.72944C105.871 8.12537 102.587 8.00696 99.7668 9.40649C96.9247 10.8168 95.03 13.5405 94.6855 16.6733L94.6639 16.867C94.6209 17.2546 94.384 17.5453 94.018 17.6637C93.652 17.7821 93.2859 17.6852 93.0168 17.4269C89.0012 13.1422 84.738 9.25576 80.3134 5.8646C74.3708 1.31075 66.7811 -0.583999 59.4928 0.675575L59.1805 0.729423C56.1124 1.2677 53.7547 3.60383 53.1949 6.68279C52.6351 9.72946 53.9915 12.7223 56.6722 14.3048H56.6614L56.6506 14.3371Z'
+        fill='currentColor'
+      />
+    </svg>
+  )
+}
+
 export function GoogleDocsIcon(props: SVGProps<SVGSVGElement>) {
   return (
     <svg
@@ -5436,3 +5462,24 @@ export function EnrichSoIcon(props: SVGProps<SVGSVGElement>) {
     </svg>
   )
 }
+
+export function AgentSkillsIcon(props: SVGProps<SVGSVGElement>) {
+  return (
+    <svg
+      {...props}
+      xmlns='http://www.w3.org/2000/svg'
+      width='16'
+      height='16'
+      viewBox='0 0 16 16'
+      fill='none'
+    >
+      <path
+        d='M8 1L14.0622 4.5V11.5L8 15L1.93782 11.5V4.5L8 1Z'
+        stroke='currentColor'
+        strokeWidth='1.5'
+        fill='none'
+      />
+      <path d='M8 4.5L11 6.25V9.75L8 11.5L5 9.75V6.25L8 4.5Z' fill='currentColor' />
+    </svg>
+  )
+}

apps/sim/ee/access-control/components/access-control.tsx

@@ -367,6 +367,12 @@ export function AccessControl() {
         category: 'Tools',
         configKey: 'disableCustomTools' as const,
       },
+      {
+        id: 'disable-skills',
+        label: 'Skills',
+        category: 'Tools',
+        configKey: 'disableSkills' as const,
+      },
       {
         id: 'hide-trace-spans',
         label: 'Trace Spans',
@@ -950,6 +956,7 @@ export function AccessControl() {
                             !editingConfig?.hideFilesTab &&
                             !editingConfig?.disableMcpTools &&
                             !editingConfig?.disableCustomTools &&
+                            !editingConfig?.disableSkills &&
                             !editingConfig?.hideTraceSpans &&
                             !editingConfig?.disableInvitations &&
                             !editingConfig?.hideDeployApi &&
@@ -969,6 +976,7 @@ export function AccessControl() {
                                   hideFilesTab: allVisible,
                                   disableMcpTools: allVisible,
                                   disableCustomTools: allVisible,
+                                  disableSkills: allVisible,
                                   hideTraceSpans: allVisible,
                                   disableInvitations: allVisible,
                                   hideDeployApi: allVisible,
@@ -989,6 +997,7 @@ export function AccessControl() {
                         !editingConfig?.hideFilesTab &&
                         !editingConfig?.disableMcpTools &&
                         !editingConfig?.disableCustomTools &&
+                        !editingConfig?.disableSkills &&
                         !editingConfig?.hideTraceSpans &&
                         !editingConfig?.disableInvitations &&
                         !editingConfig?.hideDeployApi &&

apps/sim/ee/access-control/utils/permission-check.ts

@@ -43,6 +43,13 @@ export class CustomToolsNotAllowedError extends Error {
   }
 }
 
+export class SkillsNotAllowedError extends Error {
+  constructor() {
+    super('Skills are not allowed based on your permission group settings')
+    this.name = 'SkillsNotAllowedError'
+  }
+}
+
 export class InvitationsNotAllowedError extends Error {
   constructor() {
     super('Invitations are not allowed based on your permission group settings')
@@ -201,6 +208,26 @@ export async function validateCustomToolsAllowed(
   }
 }
 
+export async function validateSkillsAllowed(
+  userId: string | undefined,
+  ctx?: ExecutionContext
+): Promise<void> {
+  if (!userId) {
+    return
+  }
+
+  const config = await getPermissionConfig(userId, ctx)
+
+  if (!config) {
+    return
+  }
+
+  if (config.disableSkills) {
+    logger.warn('Skills blocked by permission group', { userId })
+    throw new SkillsNotAllowedError()
+  }
+}
+
 /**
  * Validates if the user is allowed to send invitations.
  * Also checks the global feature flag.

apps/sim/executor/handlers/agent/agent-handler.ts

@@ -11,9 +11,15 @@ import {
   validateCustomToolsAllowed,
   validateMcpToolsAllowed,
   validateModelProvider,
+  validateSkillsAllowed,
 } from '@/ee/access-control/utils/permission-check'
 import { AGENT, BlockType, DEFAULTS, REFERENCE, stripCustomToolPrefix } from '@/executor/constants'
 import { memoryService } from '@/executor/handlers/agent/memory'
+import {
+  buildLoadSkillTool,
+  buildSkillsSystemPromptSection,
+  resolveSkillMetadata,
+} from '@/executor/handlers/agent/skills-resolver'
 import type {
   AgentInputs,
   Message,
@@ -57,8 +63,21 @@ export class AgentBlockHandler implements BlockHandler {
 
     const providerId = getProviderFromModel(model)
     const formattedTools = await this.formatTools(ctx, filteredInputs.tools || [])
+
+    // Resolve skill metadata for progressive disclosure
+    const skillInputs = filteredInputs.skills ?? []
+    let skillMetadata: Array<{ name: string; description: string }> = []
+    if (skillInputs.length > 0 && ctx.workspaceId) {
+      await validateSkillsAllowed(ctx.userId, ctx)
+      skillMetadata = await resolveSkillMetadata(skillInputs, ctx.workspaceId)
+      if (skillMetadata.length > 0) {
+        const skillNames = skillMetadata.map((s) => s.name)
+        formattedTools.push(buildLoadSkillTool(skillNames))
+      }
+    }
+
     const streamingConfig = this.getStreamingConfig(ctx, block)
-    const messages = await this.buildMessages(ctx, filteredInputs)
+    const messages = await this.buildMessages(ctx, filteredInputs, skillMetadata)
 
     const providerRequest = this.buildProviderRequest({
       ctx,
@@ -307,6 +326,7 @@ export class AgentBlockHandler implements BlockHandler {
             _context: {
               workflowId: ctx.workflowId,
               workspaceId: ctx.workspaceId,
+              userId: ctx.userId,
               isDeployedContext: ctx.isDeployedContext,
             },
           },
@@ -358,6 +378,9 @@ export class AgentBlockHandler implements BlockHandler {
       if (ctx.workflowId) {
         params.workflowId = ctx.workflowId
       }
+      if (ctx.userId) {
+        params.userId = ctx.userId
+      }
 
       const url = buildAPIUrl('/api/tools/custom', params)
       const response = await fetch(url.toString(), {
@@ -468,7 +491,9 @@ export class AgentBlockHandler implements BlockHandler {
       usageControl: tool.usageControl || 'auto',
       executeFunction: async (callParams: Record<string, any>) => {
         const headers = await buildAuthHeaders()
-        const execUrl = buildAPIUrl('/api/mcp/tools/execute')
+        const execParams: Record<string, string> = {}
+        if (ctx.userId) execParams.userId = ctx.userId
+        const execUrl = buildAPIUrl('/api/mcp/tools/execute', execParams)
 
         const execResponse = await fetch(execUrl.toString(), {
           method: 'POST',
@@ -577,6 +602,7 @@ export class AgentBlockHandler implements BlockHandler {
       serverId,
       workspaceId: ctx.workspaceId,
       workflowId: ctx.workflowId,
+      ...(ctx.userId ? { userId: ctx.userId } : {}),
     })
 
     const maxAttempts = 2
@@ -651,7 +677,9 @@ export class AgentBlockHandler implements BlockHandler {
       usageControl: tool.usageControl || 'auto',
       executeFunction: async (callParams: Record<string, any>) => {
         const headers = await buildAuthHeaders()
-        const execUrl = buildAPIUrl('/api/mcp/tools/execute')
+        const discoverExecParams: Record<string, string> = {}
+        if (ctx.userId) discoverExecParams.userId = ctx.userId
+        const execUrl = buildAPIUrl('/api/mcp/tools/execute', discoverExecParams)
 
         const execResponse = await fetch(execUrl.toString(), {
           method: 'POST',
@@ -723,7 +751,8 @@ export class AgentBlockHandler implements BlockHandler {
 
   private async buildMessages(
     ctx: ExecutionContext,
-    inputs: AgentInputs
+    inputs: AgentInputs,
+    skillMetadata: Array<{ name: string; description: string }> = []
   ): Promise<Message[] | undefined> {
     const messages: Message[] = []
     const memoryEnabled = inputs.memoryType && inputs.memoryType !== 'none'
@@ -803,6 +832,20 @@ export class AgentBlockHandler implements BlockHandler {
       messages.unshift(...systemMessages)
     }
 
+    // 8. Inject skill metadata into the system message (progressive disclosure)
+    if (skillMetadata.length > 0) {
+      const skillSection = buildSkillsSystemPromptSection(skillMetadata)
+      const systemIdx = messages.findIndex((m) => m.role === 'system')
+      if (systemIdx >= 0) {
+        messages[systemIdx] = {
+          ...messages[systemIdx],
+          content: messages[systemIdx].content + skillSection,
+        }
+      } else {
+        messages.unshift({ role: 'system', content: skillSection.trim() })
+      }
+    }
+
     return messages.length > 0 ? messages : undefined
   }
 
@@ -1021,6 +1064,7 @@ export class AgentBlockHandler implements BlockHandler {
         responseFormat: providerRequest.responseFormat,
         workflowId: providerRequest.workflowId,
         workspaceId: ctx.workspaceId,
+        userId: ctx.userId,
         stream: providerRequest.stream,
         messages: 'messages' in providerRequest ? providerRequest.messages : undefined,
         environmentVariables: ctx.environmentVariables || {},

apps/sim/executor/handlers/agent/skills-resolver.ts

@@ -0,0 +1,122 @@
+import { db } from '@sim/db'
+import { skill } from '@sim/db/schema'
+import { createLogger } from '@sim/logger'
+import { and, eq, inArray } from 'drizzle-orm'
+import type { SkillInput } from '@/executor/handlers/agent/types'
+
+const logger = createLogger('SkillsResolver')
+
+function escapeXml(str: string): string {
+  return str
+    .replace(/&/g, '&')
+    .replace(/</g, '&lt;')
+    .replace(/>/g, '&gt;')
+    .replace(/"/g, '&quot;')
+}
+
+interface SkillMetadata {
+  name: string
+  description: string
+}
+
+/**
+ * Fetch skill metadata (name + description) for system prompt injection.
+ * Only returns lightweight data so the LLM knows what skills are available.
+ */
+export async function resolveSkillMetadata(
+  skillInputs: SkillInput[],
+  workspaceId: string
+): Promise<SkillMetadata[]> {
+  if (!skillInputs.length || !workspaceId) return []
+
+  const skillIds = skillInputs.map((s) => s.skillId)
+
+  try {
+    const rows = await db
+      .select({ name: skill.name, description: skill.description })
+      .from(skill)
+      .where(and(eq(skill.workspaceId, workspaceId), inArray(skill.id, skillIds)))
+
+    return rows
+  } catch (error) {
+    logger.error('Failed to resolve skill metadata', { error, skillIds, workspaceId })
+    return []
+  }
+}
+
+/**
+ * Fetch full skill content for a load_skill tool response.
+ * Called when the LLM decides a skill is relevant and invokes load_skill.
+ */
+export async function resolveSkillContent(
+  skillName: string,
+  workspaceId: string
+): Promise<string | null> {
+  if (!skillName || !workspaceId) return null
+
+  try {
+    const rows = await db
+      .select({ content: skill.content, name: skill.name })
+      .from(skill)
+      .where(and(eq(skill.workspaceId, workspaceId), eq(skill.name, skillName)))
+      .limit(1)
+
+    if (rows.length === 0) {
+      logger.warn('Skill not found', { skillName, workspaceId })
+      return null
+    }
+
+    return rows[0].content
+  } catch (error) {
+    logger.error('Failed to resolve skill content', { error, skillName, workspaceId })
+    return null
+  }
+}
+
+/**
+ * Build the system prompt section that lists available skills.
+ * Uses XML format per the agentskills.io integration guide.
+ */
+export function buildSkillsSystemPromptSection(skills: SkillMetadata[]): string {
+  if (!skills.length) return ''
+
+  const skillEntries = skills
+    .map(
+      (s) =>
+        `  <skill name="${escapeXml(s.name)}">\n    <description>${escapeXml(s.description)}</description>\n  </skill>`
+    )
+    .join('\n')
+
+  return [
+    '',
+    'You have access to the following skills. Use the load_skill tool to activate a skill when relevant.',
+    '',
+    '<available_skills>',
+    skillEntries,
+    '</available_skills>',
+  ].join('\n')
+}
+
+/**
+ * Build the load_skill tool definition for injection into the tools array.
+ * Returns a ProviderToolConfig-compatible object so all providers can process it.
+ */
+export function buildLoadSkillTool(skillNames: string[]) {
+  return {
+    id: 'load_skill',
+    name: 'load_skill',
+    description: `Load a skill to get specialized instructions. Available skills: ${skillNames.join(', ')}`,
+    params: {},
+    parameters: {
+      type: 'object',
+      properties: {
+        skill_name: {
+          type: 'string',
+          description: 'Name of the skill to load',
+          enum: skillNames,
+        },
+      },
+      required: ['skill_name'],
+    },
+  }
+}

apps/sim/executor/handlers/agent/types.ts

@@ -1,7 +1,14 @@
+export interface SkillInput {
+  skillId: string
+  name?: string
+  description?: string
+}
+
 export interface AgentInputs {
   model?: string
   responseFormat?: string | object
   tools?: ToolInput[]
+  skills?: SkillInput[]
   // Legacy inputs (backward compatible)
   systemPrompt?: string
   userPrompt?: string | object

apps/sim/executor/handlers/api/api-handler.ts

@@ -72,6 +72,7 @@ export class ApiBlockHandler implements BlockHandler {
             workflowId: ctx.workflowId,
             workspaceId: ctx.workspaceId,
             executionId: ctx.executionId,
+            userId: ctx.userId,
             isDeployedContext: ctx.isDeployedContext,
           },
         },

apps/sim/executor/handlers/condition/condition-handler.ts

@@ -48,6 +48,7 @@ export async function evaluateConditionExpression(
         _context: {
           workflowId: ctx.workflowId,
           workspaceId: ctx.workspaceId,
+          userId: ctx.userId,
           isDeployedContext: ctx.isDeployedContext,
         },
       },

apps/sim/executor/handlers/evaluator/evaluator-handler.ts

@@ -104,7 +104,7 @@ export class EvaluatorBlockHandler implements BlockHandler {
     }
 
     try {
-      const url = buildAPIUrl('/api/providers')
+      const url = buildAPIUrl('/api/providers', ctx.userId ? { userId: ctx.userId } : {})
 
       const providerRequest: Record<string, any> = {
         provider: providerId,
@@ -121,26 +121,17 @@ export class EvaluatorBlockHandler implements BlockHandler {
 
         temperature: EVALUATOR.DEFAULT_TEMPERATURE,
         apiKey: finalApiKey,
+        azureEndpoint: inputs.azureEndpoint,
+        azureApiVersion: inputs.azureApiVersion,
+        vertexProject: evaluatorConfig.vertexProject,
+        vertexLocation: evaluatorConfig.vertexLocation,
+        bedrockAccessKeyId: evaluatorConfig.bedrockAccessKeyId,
+        bedrockSecretKey: evaluatorConfig.bedrockSecretKey,
+        bedrockRegion: evaluatorConfig.bedrockRegion,
         workflowId: ctx.workflowId,
         workspaceId: ctx.workspaceId,
       }
 
-      if (providerId === 'vertex') {
-        providerRequest.vertexProject = evaluatorConfig.vertexProject
-        providerRequest.vertexLocation = evaluatorConfig.vertexLocation
-      }
-
-      if (providerId === 'azure-openai') {
-        providerRequest.azureEndpoint = inputs.azureEndpoint
-        providerRequest.azureApiVersion = inputs.azureApiVersion
-      }
-
-      if (providerId === 'bedrock') {
-        providerRequest.bedrockAccessKeyId = evaluatorConfig.bedrockAccessKeyId
-        providerRequest.bedrockSecretKey = evaluatorConfig.bedrockSecretKey
-        providerRequest.bedrockRegion = evaluatorConfig.bedrockRegion
-      }
-
       const response = await fetch(url.toString(), {
         method: 'POST',
         headers: await buildAuthHeaders(),

apps/sim/executor/handlers/function/function-handler.ts

@@ -39,6 +39,7 @@ export class FunctionBlockHandler implements BlockHandler {
         _context: {
           workflowId: ctx.workflowId,
           workspaceId: ctx.workspaceId,
+          userId: ctx.userId,
           isDeployedContext: ctx.isDeployedContext,
         },
       },

apps/sim/executor/handlers/generic/generic-handler.ts

@@ -66,6 +66,7 @@ export class GenericBlockHandler implements BlockHandler {
             workflowId: ctx.workflowId,
             workspaceId: ctx.workspaceId,
             executionId: ctx.executionId,
+            userId: ctx.userId,
             isDeployedContext: ctx.isDeployedContext,
           },
         },

apps/sim/executor/handlers/human-in-the-loop/human-in-the-loop-handler.ts

@@ -605,6 +605,7 @@ export class HumanInTheLoopBlockHandler implements BlockHandler {
           _context: {
             workflowId: ctx.workflowId,
             workspaceId: ctx.workspaceId,
+            userId: ctx.userId,
             isDeployedContext: ctx.isDeployedContext,
           },
           blockData: blockDataWithPause,

apps/sim/executor/handlers/router/router-handler.ts

@@ -80,6 +80,7 @@ export class RouterBlockHandler implements BlockHandler {
 
     try {
       const url = new URL('/api/providers', getBaseUrl())
+      if (ctx.userId) url.searchParams.set('userId', ctx.userId)
 
       const messages = [{ role: 'user', content: routerConfig.prompt }]
       const systemPrompt = generateRouterPrompt(routerConfig.prompt, targetBlocks)
@@ -96,26 +97,17 @@ export class RouterBlockHandler implements BlockHandler {
         context: JSON.stringify(messages),
         temperature: ROUTER.INFERENCE_TEMPERATURE,
         apiKey: finalApiKey,
+        azureEndpoint: inputs.azureEndpoint,
+        azureApiVersion: inputs.azureApiVersion,
+        vertexProject: routerConfig.vertexProject,
+        vertexLocation: routerConfig.vertexLocation,
+        bedrockAccessKeyId: routerConfig.bedrockAccessKeyId,
+        bedrockSecretKey: routerConfig.bedrockSecretKey,
+        bedrockRegion: routerConfig.bedrockRegion,
         workflowId: ctx.workflowId,
         workspaceId: ctx.workspaceId,
       }
 
-      if (providerId === 'vertex') {
-        providerRequest.vertexProject = routerConfig.vertexProject
-        providerRequest.vertexLocation = routerConfig.vertexLocation
-      }
-
-      if (providerId === 'azure-openai') {
-        providerRequest.azureEndpoint = inputs.azureEndpoint
-        providerRequest.azureApiVersion = inputs.azureApiVersion
-      }
-
-      if (providerId === 'bedrock') {
-        providerRequest.bedrockAccessKeyId = routerConfig.bedrockAccessKeyId
-        providerRequest.bedrockSecretKey = routerConfig.bedrockSecretKey
-        providerRequest.bedrockRegion = routerConfig.bedrockRegion
-      }
-
       const response = await fetch(url.toString(), {
         method: 'POST',
         headers: await buildAuthHeaders(),
@@ -218,6 +210,7 @@ export class RouterBlockHandler implements BlockHandler {
 
     try {
       const url = new URL('/api/providers', getBaseUrl())
+      if (ctx.userId) url.searchParams.set('userId', ctx.userId)
 
       const messages = [{ role: 'user', content: routerConfig.context }]
       const systemPrompt = generateRouterV2Prompt(routerConfig.context, routes)
@@ -234,6 +227,13 @@ export class RouterBlockHandler implements BlockHandler {
         context: JSON.stringify(messages),
         temperature: ROUTER.INFERENCE_TEMPERATURE,
         apiKey: finalApiKey,
+        azureEndpoint: inputs.azureEndpoint,
+        azureApiVersion: inputs.azureApiVersion,
+        vertexProject: routerConfig.vertexProject,
+        vertexLocation: routerConfig.vertexLocation,
+        bedrockAccessKeyId: routerConfig.bedrockAccessKeyId,
+        bedrockSecretKey: routerConfig.bedrockSecretKey,
+        bedrockRegion: routerConfig.bedrockRegion,
         workflowId: ctx.workflowId,
         workspaceId: ctx.workspaceId,
         responseFormat: {
@@ -257,22 +257,6 @@ export class RouterBlockHandler implements BlockHandler {
         },
       }
 
-      if (providerId === 'vertex') {
-        providerRequest.vertexProject = routerConfig.vertexProject
-        providerRequest.vertexLocation = routerConfig.vertexLocation
-      }
-
-      if (providerId === 'azure-openai') {
-        providerRequest.azureEndpoint = inputs.azureEndpoint
-        providerRequest.azureApiVersion = inputs.azureApiVersion
-      }
-
-      if (providerId === 'bedrock') {
-        providerRequest.bedrockAccessKeyId = routerConfig.bedrockAccessKeyId
-        providerRequest.bedrockSecretKey = routerConfig.bedrockSecretKey
-        providerRequest.bedrockRegion = routerConfig.bedrockRegion
-      }
-
       const response = await fetch(url.toString(), {
         method: 'POST',
         headers: await buildAuthHeaders(),

apps/sim/executor/orchestrators/loop.ts

@@ -511,6 +511,8 @@ export class LoopOrchestrator {
         contextVariables: {},
         timeoutMs: LOOP_CONDITION_TIMEOUT_MS,
         requestId,
+        ownerKey: `user:${ctx.userId}`,
+        ownerWeight: 1,
       })
 
       if (vmResult.error) {

apps/sim/hooks/queries/skills.ts

@@ -0,0 +1,263 @@
+import { createLogger } from '@sim/logger'
+import { keepPreviousData, useMutation, useQuery, useQueryClient } from '@tanstack/react-query'
+
+const logger = createLogger('SkillsQueries')
+const API_ENDPOINT = '/api/skills'
+
+export interface SkillDefinition {
+  id: string
+  workspaceId: string | null
+  userId: string | null
+  name: string
+  description: string
+  content: string
+  createdAt: string
+  updatedAt?: string
+}
+
+/**
+ * Query key factories for skills queries
+ */
+export const skillsKeys = {
+  all: ['skills'] as const,
+  lists: () => [...skillsKeys.all, 'list'] as const,
+  list: (workspaceId: string) => [...skillsKeys.lists(), workspaceId] as const,
+}
+
+/**
+ * Fetch skills for a workspace
+ */
+async function fetchSkills(workspaceId: string): Promise<SkillDefinition[]> {
+  const response = await fetch(`${API_ENDPOINT}?workspaceId=${workspaceId}`)
+
+  if (!response.ok) {
+    const errorData = await response.json().catch(() => ({}))
+    throw new Error(errorData.error || `Failed to fetch skills: ${response.statusText}`)
+  }
+
+  const { data } = await response.json()
+
+  if (!Array.isArray(data)) {
+    throw new Error('Invalid response format')
+  }
+
+  return data.map((s: Record<string, unknown>) => ({
+    id: s.id as string,
+    workspaceId: (s.workspaceId as string) ?? null,
+    userId: (s.userId as string) ?? null,
+    name: s.name as string,
+    description: s.description as string,
+    content: s.content as string,
+    createdAt: (s.createdAt as string) ?? new Date().toISOString(),
+    updatedAt: s.updatedAt as string | undefined,
+  }))
+}
+
+/**
+ * Hook to fetch skills for a workspace
+ */
+export function useSkills(workspaceId: string) {
+  return useQuery<SkillDefinition[]>({
+    queryKey: skillsKeys.list(workspaceId),
+    queryFn: () => fetchSkills(workspaceId),
+    enabled: !!workspaceId,
+    staleTime: 60 * 1000,
+    placeholderData: keepPreviousData,
+  })
+}
+
+/**
+ * Create skill mutation
+ */
+interface CreateSkillParams {
+  workspaceId: string
+  skill: {
+    name: string
+    description: string
+    content: string
+  }
+}
+
+export function useCreateSkill() {
+  const queryClient = useQueryClient()
+
+  return useMutation({
+    mutationFn: async ({ workspaceId, skill: s }: CreateSkillParams) => {
+      logger.info(`Creating skill: ${s.name} in workspace ${workspaceId}`)
+
+      const response = await fetch(API_ENDPOINT, {
+        method: 'POST',
+        headers: { 'Content-Type': 'application/json' },
+        body: JSON.stringify({
+          skills: [{ name: s.name, description: s.description, content: s.content }],
+          workspaceId,
+        }),
+      })
+
+      const data = await response.json()
+
+      if (!response.ok) {
+        throw new Error(data.error || 'Failed to create skill')
+      }
+
+      if (!data.data || !Array.isArray(data.data)) {
+        throw new Error('Invalid API response: missing skills data')
+      }
+
+      logger.info(`Created skill: ${s.name}`)
+      return data.data
+    },
+    onSuccess: (_data, variables) => {
+      queryClient.invalidateQueries({ queryKey: skillsKeys.list(variables.workspaceId) })
+    },
+  })
+}
+
+/**
+ * Update skill mutation
+ */
+interface UpdateSkillParams {
+  workspaceId: string
+  skillId: string
+  updates: {
+    name?: string
+    description?: string
+    content?: string
+  }
+}
+
+export function useUpdateSkill() {
+  const queryClient = useQueryClient()
+
+  return useMutation({
+    mutationFn: async ({ workspaceId, skillId, updates }: UpdateSkillParams) => {
+      logger.info(`Updating skill: ${skillId} in workspace ${workspaceId}`)
+
+      const currentSkills = queryClient.getQueryData<SkillDefinition[]>(
+        skillsKeys.list(workspaceId)
+      )
+      const currentSkill = currentSkills?.find((s) => s.id === skillId)
+
+      if (!currentSkill) {
+        throw new Error('Skill not found')
+      }
+
+      const response = await fetch(API_ENDPOINT, {
+        method: 'POST',
+        headers: { 'Content-Type': 'application/json' },
+        body: JSON.stringify({
+          skills: [
+            {
+              id: skillId,
+              name: updates.name ?? currentSkill.name,
+              description: updates.description ?? currentSkill.description,
+              content: updates.content ?? currentSkill.content,
+            },
+          ],
+          workspaceId,
+        }),
+      })
+
+      const data = await response.json()
+
+      if (!response.ok) {
+        throw new Error(data.error || 'Failed to update skill')
+      }
+
+      if (!data.data || !Array.isArray(data.data)) {
+        throw new Error('Invalid API response: missing skills data')
+      }
+
+      logger.info(`Updated skill: ${skillId}`)
+      return data.data
+    },
+    onMutate: async ({ workspaceId, skillId, updates }) => {
+      await queryClient.cancelQueries({ queryKey: skillsKeys.list(workspaceId) })
+
+      const previousSkills = queryClient.getQueryData<SkillDefinition[]>(
+        skillsKeys.list(workspaceId)
+      )
+
+      if (previousSkills) {
+        queryClient.setQueryData<SkillDefinition[]>(
+          skillsKeys.list(workspaceId),
+          previousSkills.map((s) =>
+            s.id === skillId
+              ? {
+                  ...s,
+                  name: updates.name ?? s.name,
+                  description: updates.description ?? s.description,
+                  content: updates.content ?? s.content,
+                }
+              : s
+          )
+        )
+      }
+
+      return { previousSkills }
+    },
+    onError: (_err, variables, context) => {
+      if (context?.previousSkills) {
+        queryClient.setQueryData(skillsKeys.list(variables.workspaceId), context.previousSkills)
+      }
+    },
+    onSettled: (_data, _error, variables) => {
+      queryClient.invalidateQueries({ queryKey: skillsKeys.list(variables.workspaceId) })
+    },
+  })
+}
+
+/**
+ * Delete skill mutation
+ */
+interface DeleteSkillParams {
+  workspaceId: string
+  skillId: string
+}
+
+export function useDeleteSkill() {
+  const queryClient = useQueryClient()
+
+  return useMutation({
+    mutationFn: async ({ workspaceId, skillId }: DeleteSkillParams) => {
+      logger.info(`Deleting skill: ${skillId}`)
+
+      const response = await fetch(`${API_ENDPOINT}?id=${skillId}&workspaceId=${workspaceId}`, {
+        method: 'DELETE',
+      })
+
+      const data = await response.json()
+
+      if (!response.ok) {
+        throw new Error(data.error || 'Failed to delete skill')
+      }
+
+      logger.info(`Deleted skill: ${skillId}`)
+      return data
+    },
+    onMutate: async ({ workspaceId, skillId }) => {
+      await queryClient.cancelQueries({ queryKey: skillsKeys.list(workspaceId) })
+
+      const previousSkills = queryClient.getQueryData<SkillDefinition[]>(
+        skillsKeys.list(workspaceId)
+      )
+
+      if (previousSkills) {
+        queryClient.setQueryData<SkillDefinition[]>(
+          skillsKeys.list(workspaceId),
+          previousSkills.filter((s) => s.id !== skillId)
+        )
+      }
+
+      return { previousSkills }
+    },
+    onError: (_err, variables, context) => {
+      if (context?.previousSkills) {
+        queryClient.setQueryData(skillsKeys.list(variables.workspaceId), context.previousSkills)
+      }
+    },
+    onSettled: (_data, _error, variables) => {
+      queryClient.invalidateQueries({ queryKey: skillsKeys.list(variables.workspaceId) })
+    },
+  })
+}

apps/sim/lib/auth/credential-access.ts

@@ -2,13 +2,13 @@ import { db } from '@sim/db'
 import { account, workflow as workflowTable } from '@sim/db/schema'
 import { eq } from 'drizzle-orm'
 import type { NextRequest } from 'next/server'
-import { checkHybridAuth } from '@/lib/auth/hybrid'
+import { checkSessionOrInternalAuth } from '@/lib/auth/hybrid'
 import { getUserEntityPermissions } from '@/lib/workspaces/permissions/utils'
 
 export interface CredentialAccessResult {
   ok: boolean
   error?: string
-  authType?: 'session' | 'api_key' | 'internal_jwt'
+  authType?: 'session' | 'internal_jwt'
   requesterUserId?: string
   credentialOwnerUserId?: string
   workspaceId?: string
@@ -16,10 +16,10 @@ export interface CredentialAccessResult {
 
 /**
  * Centralizes auth + collaboration rules for credential use.
- * - Uses checkHybridAuth to authenticate the caller
+ * - Uses checkSessionOrInternalAuth to authenticate the caller
  * - Fetches credential owner
  * - Authorization rules:
- *   - session/api_key: allow if requester owns the credential; otherwise require workflowId and
+ *   - session: allow if requester owns the credential; otherwise require workflowId and
  *     verify BOTH requester and owner have access to the workflow's workspace
  *   - internal_jwt: require workflowId (by default) and verify credential owner has access to the
  *     workflow's workspace (requester identity is the system/workflow)
@@ -30,7 +30,9 @@ export async function authorizeCredentialUse(
 ): Promise<CredentialAccessResult> {
   const { credentialId, workflowId, requireWorkflowIdForInternal = true } = params
 
-  const auth = await checkHybridAuth(request, { requireWorkflowId: requireWorkflowIdForInternal })
+  const auth = await checkSessionOrInternalAuth(request, {
+    requireWorkflowId: requireWorkflowIdForInternal,
+  })
   if (!auth.success || !auth.userId) {
     return { ok: false, error: auth.error || 'Authentication required' }
   }
@@ -52,7 +54,7 @@ export async function authorizeCredentialUse(
   if (auth.authType !== 'internal_jwt' && auth.userId === credentialOwnerUserId) {
     return {
       ok: true,
-      authType: auth.authType,
+      authType: auth.authType as CredentialAccessResult['authType'],
       requesterUserId: auth.userId,
       credentialOwnerUserId,
     }
@@ -85,14 +87,14 @@ export async function authorizeCredentialUse(
     }
     return {
       ok: true,
-      authType: auth.authType,
+      authType: auth.authType as CredentialAccessResult['authType'],
       requesterUserId: auth.userId,
       credentialOwnerUserId,
       workspaceId: wf.workspaceId,
     }
   }
 
-  // Session/API key: verify BOTH requester and owner belong to the workflow's workspace
+  // Session: verify BOTH requester and owner belong to the workflow's workspace
   const requesterPerm = await getUserEntityPermissions(auth.userId, 'workspace', wf.workspaceId)
   const ownerPerm = await getUserEntityPermissions(
     credentialOwnerUserId,
@@ -105,7 +107,7 @@ export async function authorizeCredentialUse(
 
   return {
     ok: true,
-    authType: auth.authType,
+    authType: auth.authType as CredentialAccessResult['authType'],
     requesterUserId: auth.userId,
     credentialOwnerUserId,
     workspaceId: wf.workspaceId,

apps/sim/lib/auth/hybrid.ts

@@ -1,7 +1,4 @@
-import { db } from '@sim/db'
-import { workflow } from '@sim/db/schema'
 import { createLogger } from '@sim/logger'
-import { eq } from 'drizzle-orm'
 import type { NextRequest } from 'next/server'
 import { authenticateApiKeyFromHeader, updateApiKeyLastUsed } from '@/lib/api-key/service'
 import { getSession } from '@/lib/auth'
@@ -13,35 +10,33 @@ export interface AuthResult {
   success: boolean
   userId?: string
   authType?: 'session' | 'api_key' | 'internal_jwt'
+  apiKeyType?: 'personal' | 'workspace'
   error?: string
 }
 
 /**
  * Resolves userId from a verified internal JWT token.
- * Extracts workflowId/userId from URL params or POST body, then looks up userId if needed.
+ * Extracts userId from the JWT payload, URL search params, or POST body.
  */
 async function resolveUserFromJwt(
   request: NextRequest,
   verificationUserId: string | null,
   options: { requireWorkflowId?: boolean }
 ): Promise<AuthResult> {
-  let workflowId: string | null = null
   let userId: string | null = verificationUserId
 
-  const { searchParams } = new URL(request.url)
-  workflowId = searchParams.get('workflowId')
   if (!userId) {
+    const { searchParams } = new URL(request.url)
     userId = searchParams.get('userId')
   }
 
-  if (!workflowId && !userId && request.method === 'POST') {
+  if (!userId && request.method === 'POST') {
     try {
       const clonedRequest = request.clone()
       const bodyText = await clonedRequest.text()
       if (bodyText) {
         const body = JSON.parse(bodyText)
-        workflowId = body.workflowId || body._context?.workflowId
-        userId = userId || body.userId || body._context?.userId
+        userId = body.userId || body._context?.userId || null
       }
     } catch {
       // Ignore JSON parse errors
@@ -52,22 +47,8 @@ async function resolveUserFromJwt(
     return { success: true, userId, authType: 'internal_jwt' }
   }
 
-  if (workflowId) {
-    const [workflowData] = await db
-      .select({ userId: workflow.userId })
-      .from(workflow)
-      .where(eq(workflow.id, workflowId))
-      .limit(1)
-
-    if (!workflowData) {
-      return { success: false, error: 'Workflow not found' }
-    }
-
-    return { success: true, userId: workflowData.userId, authType: 'internal_jwt' }
-  }
-
   if (options.requireWorkflowId !== false) {
-    return { success: false, error: 'workflowId or userId required for internal JWT calls' }
+    return { success: false, error: 'userId required for internal JWT calls' }
   }
 
   return { success: true, authType: 'internal_jwt' }
@@ -222,6 +203,7 @@ export async function checkHybridAuth(
           success: true,
           userId: result.userId!,
           authType: 'api_key',
+          apiKeyType: result.keyType,
         }
       }
 

apps/sim/lib/copilot/config.ts

@@ -12,6 +12,7 @@ const VALID_PROVIDER_IDS: readonly ProviderId[] = [
   'openai',
   'azure-openai',
   'anthropic',
+  'azure-anthropic',
   'google',
   'deepseek',
   'xai',

apps/sim/lib/copilot/types.ts

@@ -147,6 +147,13 @@ export type CopilotProviderConfig =
       apiVersion?: string
       endpoint?: string
     }
+  | {
+      provider: 'azure-anthropic'
+      model: string
+      apiKey?: string
+      apiVersion?: string
+      endpoint?: string
+    }
   | {
       provider: 'vertex'
       model: string
@@ -155,7 +162,7 @@ export type CopilotProviderConfig =
       vertexLocation?: string
     }
   | {
-      provider: Exclude<ProviderId, 'azure-openai' | 'vertex'>
+      provider: Exclude<ProviderId, 'azure-openai' | 'azure-anthropic' | 'vertex'>
       model?: string
       apiKey?: string
     }

apps/sim/lib/core/config/env.ts

@@ -95,6 +95,9 @@ export const env = createEnv({
     AZURE_OPENAI_ENDPOINT:                 z.string().url().optional(),            // Shared Azure OpenAI service endpoint
     AZURE_OPENAI_API_VERSION:              z.string().optional(),                  // Shared Azure OpenAI API version
     AZURE_OPENAI_API_KEY:                  z.string().min(1).optional(),           // Shared Azure OpenAI API key
+    AZURE_ANTHROPIC_ENDPOINT:              z.string().url().optional(),            // Azure Anthropic service endpoint
+    AZURE_ANTHROPIC_API_KEY:               z.string().min(1).optional(),           // Azure Anthropic API key
+    AZURE_ANTHROPIC_API_VERSION:           z.string().min(1).optional(),           // Azure Anthropic API version (e.g. 2023-06-01)
     KB_OPENAI_MODEL_NAME:                  z.string().optional(),                  // Knowledge base OpenAI model name (works with both regular OpenAI and Azure OpenAI)
     WAND_OPENAI_MODEL_NAME:                z.string().optional(),                  // Wand generation OpenAI model name (works with both regular OpenAI and Azure OpenAI)
     OCR_AZURE_ENDPOINT:                    z.string().url().optional(),            // Azure Mistral OCR service endpoint
@@ -180,6 +183,24 @@ export const env = createEnv({
     EXECUTION_TIMEOUT_ASYNC_TEAM:          z.string().optional().default('5400'),  // 90 minutes
     EXECUTION_TIMEOUT_ASYNC_ENTERPRISE:    z.string().optional().default('5400'),  // 90 minutes
 
+    // Isolated-VM Worker Pool Configuration
+    IVM_POOL_SIZE:                         z.string().optional().default('4'),      // Max worker processes in pool
+    IVM_MAX_CONCURRENT:                    z.string().optional().default('10000'),  // Max concurrent executions globally
+    IVM_MAX_PER_WORKER:                    z.string().optional().default('2500'),   // Max concurrent executions per worker
+    IVM_WORKER_IDLE_TIMEOUT_MS:            z.string().optional().default('60000'),  // Worker idle cleanup timeout (ms)
+    IVM_MAX_QUEUE_SIZE:                    z.string().optional().default('10000'),  // Max pending queued executions in memory
+    IVM_MAX_FETCH_RESPONSE_BYTES:          z.string().optional().default('8388608'),// Max bytes read from sandbox fetch responses
+    IVM_MAX_FETCH_RESPONSE_CHARS:          z.string().optional().default('4000000'),// Max chars returned to sandbox from fetch body
+    IVM_MAX_FETCH_OPTIONS_JSON_CHARS:      z.string().optional().default('262144'), // Max JSON payload size for sandbox fetch options
+    IVM_MAX_FETCH_URL_LENGTH:              z.string().optional().default('8192'),   // Max URL length accepted by sandbox fetch
+    IVM_MAX_STDOUT_CHARS:                  z.string().optional().default('200000'), // Max captured stdout characters per execution
+    IVM_MAX_ACTIVE_PER_OWNER:              z.string().optional().default('200'),    // Max active executions per owner (per process)
+    IVM_MAX_QUEUED_PER_OWNER:              z.string().optional().default('2000'),   // Max queued executions per owner (per process)
+    IVM_MAX_OWNER_WEIGHT:                  z.string().optional().default('5'),      // Max accepted weight for weighted owner scheduling
+    IVM_DISTRIBUTED_MAX_INFLIGHT_PER_OWNER:z.string().optional().default('2200'),   // Max owner in-flight leases across replicas
+    IVM_DISTRIBUTED_LEASE_MIN_TTL_MS:      z.string().optional().default('120000'), // Min TTL for distributed in-flight leases (ms)
+    IVM_QUEUE_TIMEOUT_MS:                  z.string().optional().default('300000'), // Max queue wait before rejection (ms)
+
     // Knowledge Base Processing Configuration - Shared across all processing methods
     KB_CONFIG_MAX_DURATION:                z.number().optional().default(600),     // Max processing duration in seconds (10 minutes)
     KB_CONFIG_MAX_ATTEMPTS:                z.number().optional().default(3),       // Max retry attempts

apps/sim/lib/core/security/input-validation.server.ts

@@ -103,6 +103,7 @@ export interface SecureFetchOptions {
   body?: string | Buffer | Uint8Array
   timeout?: number
   maxRedirects?: number
+  maxResponseBytes?: number
 }
 
 export class SecureFetchHeaders {
@@ -165,6 +166,7 @@ export async function secureFetchWithPinnedIP(
   redirectCount = 0
 ): Promise<SecureFetchResponse> {
   const maxRedirects = options.maxRedirects ?? DEFAULT_MAX_REDIRECTS
+  const maxResponseBytes = options.maxResponseBytes
 
   return new Promise((resolve, reject) => {
     const parsed = new URL(url)
@@ -237,14 +239,32 @@ export async function secureFetchWithPinnedIP(
       }
 
       const chunks: Buffer[] = []
+      let totalBytes = 0
+      let responseTerminated = false
 
-      res.on('data', (chunk: Buffer) => chunks.push(chunk))
+      res.on('data', (chunk: Buffer) => {
+        if (responseTerminated) return
+
+        totalBytes += chunk.length
+        if (
+          typeof maxResponseBytes === 'number' &&
+          maxResponseBytes > 0 &&
+          totalBytes > maxResponseBytes
+        ) {
+          responseTerminated = true
+          res.destroy(new Error(`Response exceeded maximum size of ${maxResponseBytes} bytes`))
+          return
+        }
+
+        chunks.push(chunk)
+      })
 
       res.on('error', (error) => {
         reject(error)
       })
 
       res.on('end', () => {
+        if (responseTerminated) return
         const bodyBuffer = Buffer.concat(chunks)
         const body = bodyBuffer.toString('utf-8')
         const headersRecord: Record<string, string> = {}

apps/sim/lib/execution/isolated-vm-worker.cjs

@@ -9,6 +9,21 @@ const USER_CODE_START_LINE = 4
 const pendingFetches = new Map()
 let fetchIdCounter = 0
 const FETCH_TIMEOUT_MS = 300000 // 5 minutes
+const MAX_STDOUT_CHARS = Number.parseInt(process.env.IVM_MAX_STDOUT_CHARS || '', 10) || 200000
+const MAX_FETCH_OPTIONS_JSON_CHARS =
+  Number.parseInt(process.env.IVM_MAX_FETCH_OPTIONS_JSON_CHARS || '', 10) || 256 * 1024
+
+function stringifyLogValue(value) {
+  if (typeof value !== 'object' || value === null) {
+    return String(value)
+  }
+
+  try {
+    return JSON.stringify(value)
+  } catch {
+    return '[unserializable]'
+  }
+}
 
 /**
  * Extract line and column from error stack or message
@@ -101,8 +116,32 @@ function convertToCompatibleError(errorInfo, userCode) {
 async function executeCode(request) {
   const { code, params, envVars, contextVariables, timeoutMs, requestId } = request
   const stdoutChunks = []
+  let stdoutLength = 0
+  let stdoutTruncated = false
   let isolate = null
 
+  const appendStdout = (line) => {
+    if (stdoutTruncated || !line) return
+
+    const remaining = MAX_STDOUT_CHARS - stdoutLength
+    if (remaining <= 0) {
+      stdoutTruncated = true
+      stdoutChunks.push('[stdout truncated]\n')
+      return
+    }
+
+    if (line.length <= remaining) {
+      stdoutChunks.push(line)
+      stdoutLength += line.length
+      return
+    }
+
+    stdoutChunks.push(line.slice(0, remaining))
+    stdoutChunks.push('\n[stdout truncated]\n')
+    stdoutLength = MAX_STDOUT_CHARS
+    stdoutTruncated = true
+  }
+
   try {
     isolate = new ivm.Isolate({ memoryLimit: 128 })
     const context = await isolate.createContext()
@@ -111,18 +150,14 @@ async function executeCode(request) {
     await jail.set('global', jail.derefInto())
 
     const logCallback = new ivm.Callback((...args) => {
-      const message = args
-        .map((arg) => (typeof arg === 'object' ? JSON.stringify(arg) : String(arg)))
-        .join(' ')
-      stdoutChunks.push(`${message}\n`)
+      const message = args.map((arg) => stringifyLogValue(arg)).join(' ')
+      appendStdout(`${message}\n`)
     })
     await jail.set('__log', logCallback)
 
     const errorCallback = new ivm.Callback((...args) => {
-      const message = args
-        .map((arg) => (typeof arg === 'object' ? JSON.stringify(arg) : String(arg)))
-        .join(' ')
-      stdoutChunks.push(`ERROR: ${message}\n`)
+      const message = args.map((arg) => stringifyLogValue(arg)).join(' ')
+      appendStdout(`ERROR: ${message}\n`)
     })
     await jail.set('__error', errorCallback)
 
@@ -178,6 +213,9 @@ async function executeCode(request) {
           } catch {
             throw new Error('fetch options must be JSON-serializable');
           }
+          if (optionsJson.length > ${MAX_FETCH_OPTIONS_JSON_CHARS}) {
+            throw new Error('fetch options exceed maximum payload size');
+          }
         }
         const resultJson = await __fetchRef.apply(undefined, [url, optionsJson], { result: { promise: true } });
         let result;

apps/sim/lib/execution/isolated-vm.test.ts

@@ -0,0 +1,500 @@
+import { EventEmitter } from 'node:events'
+import { afterEach, describe, expect, it, vi } from 'vitest'
+
+type MockProc = EventEmitter & {
+  connected: boolean
+  stderr: EventEmitter
+  send: (message: unknown) => boolean
+  kill: () => boolean
+}
+
+type SpawnFactory = () => MockProc
+type RedisEval = (...args: any[]) => unknown | Promise<unknown>
+type SecureFetchImpl = (...args: any[]) => unknown | Promise<unknown>
+
+function createBaseProc(): MockProc {
+  const proc = new EventEmitter() as MockProc
+  proc.connected = true
+  proc.stderr = new EventEmitter()
+  proc.send = () => true
+  proc.kill = () => {
+    if (!proc.connected) return true
+    proc.connected = false
+    setImmediate(() => proc.emit('exit', 0))
+    return true
+  }
+  return proc
+}
+
+function createStartupFailureProc(): MockProc {
+  const proc = createBaseProc()
+  setImmediate(() => {
+    proc.connected = false
+    proc.emit('exit', 1)
+  })
+  return proc
+}
+
+function createReadyProc(result: unknown): MockProc {
+  const proc = createBaseProc()
+  proc.send = (message: unknown) => {
+    const msg = message as { type?: string; executionId?: number }
+    if (msg.type === 'execute') {
+      setImmediate(() => {
+        proc.emit('message', {
+          type: 'result',
+          executionId: msg.executionId,
+          result: { result, stdout: '' },
+        })
+      })
+    }
+    return true
+  }
+  setImmediate(() => proc.emit('message', { type: 'ready' }))
+  return proc
+}
+
+function createReadyProcWithDelay(delayMs: number): MockProc {
+  const proc = createBaseProc()
+  proc.send = (message: unknown) => {
+    const msg = message as { type?: string; executionId?: number; request?: { requestId?: string } }
+    if (msg.type === 'execute') {
+      setTimeout(() => {
+        proc.emit('message', {
+          type: 'result',
+          executionId: msg.executionId,
+          result: { result: msg.request?.requestId ?? 'unknown', stdout: '' },
+        })
+      }, delayMs)
+    }
+    return true
+  }
+  setImmediate(() => proc.emit('message', { type: 'ready' }))
+  return proc
+}
+
+function createReadyFetchProxyProc(fetchMessage: { url: string; optionsJson?: string }): MockProc {
+  const proc = createBaseProc()
+  let currentExecutionId = 0
+
+  proc.send = (message: unknown) => {
+    const msg = message as { type?: string; executionId?: number; request?: { requestId?: string } }
+
+    if (msg.type === 'execute') {
+      currentExecutionId = msg.executionId ?? 0
+      setImmediate(() => {
+        proc.emit('message', {
+          type: 'fetch',
+          fetchId: 1,
+          requestId: msg.request?.requestId ?? 'fetch-test',
+          url: fetchMessage.url,
+          optionsJson: fetchMessage.optionsJson,
+        })
+      })
+      return true
+    }
+
+    if (msg.type === 'fetchResponse') {
+      const fetchResponse = message as { response?: string }
+      setImmediate(() => {
+        proc.emit('message', {
+          type: 'result',
+          executionId: currentExecutionId,
+          result: { result: fetchResponse.response ?? '', stdout: '' },
+        })
+      })
+      return true
+    }
+
+    return true
+  }
+
+  setImmediate(() => proc.emit('message', { type: 'ready' }))
+  return proc
+}
+
+async function loadExecutionModule(options: {
+  envOverrides?: Record<string, string>
+  spawns: SpawnFactory[]
+  redisEvalImpl?: RedisEval
+  secureFetchImpl?: SecureFetchImpl
+}) {
+  vi.resetModules()
+
+  const spawnQueue = [...options.spawns]
+  const spawnMock = vi.fn(() => {
+    const next = spawnQueue.shift()
+    if (!next) {
+      throw new Error('No mock spawn factory configured')
+    }
+    return next() as any
+  })
+
+  vi.doMock('@sim/logger', () => ({
+    createLogger: () => ({
+      info: vi.fn(),
+      warn: vi.fn(),
+      error: vi.fn(),
+    }),
+  }))
+
+  const secureFetchMock = vi.fn(
+    options.secureFetchImpl ??
+      (async () => ({
+        ok: true,
+        status: 200,
+        statusText: 'OK',
+        headers: new Map<string, string>(),
+        text: async () => '',
+        json: async () => ({}),
+        arrayBuffer: async () => new ArrayBuffer(0),
+      }))
+  )
+  vi.doMock('@/lib/core/security/input-validation.server', () => ({
+    secureFetchWithValidation: secureFetchMock,
+  }))
+
+  vi.doMock('@/lib/core/config/env', () => ({
+    env: {
+      IVM_POOL_SIZE: '1',
+      IVM_MAX_CONCURRENT: '100',
+      IVM_MAX_PER_WORKER: '100',
+      IVM_WORKER_IDLE_TIMEOUT_MS: '60000',
+      IVM_MAX_QUEUE_SIZE: '10',
+      IVM_MAX_ACTIVE_PER_OWNER: '100',
+      IVM_MAX_QUEUED_PER_OWNER: '10',
+      IVM_MAX_OWNER_WEIGHT: '5',
+      IVM_DISTRIBUTED_MAX_INFLIGHT_PER_OWNER: '100',
+      IVM_DISTRIBUTED_LEASE_MIN_TTL_MS: '1000',
+      IVM_QUEUE_TIMEOUT_MS: '1000',
+      ...(options.envOverrides ?? {}),
+    },
+  }))
+
+  const redisEval = options.redisEvalImpl ? vi.fn(options.redisEvalImpl) : undefined
+  vi.doMock('@/lib/core/config/redis', () => ({
+    getRedisClient: vi.fn(() =>
+      redisEval
+        ? ({
+            eval: redisEval,
+          } as any)
+        : null
+    ),
+  }))
+
+  vi.doMock('node:child_process', () => ({
+    execSync: vi.fn(() => Buffer.from('v23.11.0')),
+    spawn: spawnMock,
+  }))
+
+  const mod = await import('./isolated-vm')
+  return { ...mod, spawnMock, secureFetchMock }
+}
+
+describe('isolated-vm scheduler', () => {
+  afterEach(() => {
+    vi.restoreAllMocks()
+    vi.resetModules()
+  })
+
+  it('recovers from an initial spawn failure and drains queued work', async () => {
+    const { executeInIsolatedVM, spawnMock } = await loadExecutionModule({
+      spawns: [createStartupFailureProc, () => createReadyProc('ok')],
+    })
+
+    const result = await executeInIsolatedVM({
+      code: 'return "ok"',
+      params: {},
+      envVars: {},
+      contextVariables: {},
+      timeoutMs: 100,
+      requestId: 'req-1',
+    })
+
+    expect(result.error).toBeUndefined()
+    expect(result.result).toBe('ok')
+    expect(spawnMock).toHaveBeenCalledTimes(2)
+  })
+
+  it('rejects new requests when the queue is full', async () => {
+    const { executeInIsolatedVM } = await loadExecutionModule({
+      envOverrides: {
+        IVM_MAX_QUEUE_SIZE: '1',
+        IVM_QUEUE_TIMEOUT_MS: '200',
+      },
+      spawns: [createStartupFailureProc, createStartupFailureProc, createStartupFailureProc],
+    })
+
+    const firstPromise = executeInIsolatedVM({
+      code: 'return 1',
+      params: {},
+      envVars: {},
+      contextVariables: {},
+      timeoutMs: 100,
+      requestId: 'req-2',
+      ownerKey: 'user:a',
+    })
+
+    await new Promise((resolve) => setTimeout(resolve, 25))
+
+    const second = await executeInIsolatedVM({
+      code: 'return 2',
+      params: {},
+      envVars: {},
+      contextVariables: {},
+      timeoutMs: 100,
+      requestId: 'req-3',
+      ownerKey: 'user:b',
+    })
+
+    expect(second.error?.message).toContain('at capacity')
+
+    const first = await firstPromise
+    expect(first.error?.message).toContain('timed out waiting')
+  })
+
+  it('enforces per-owner queued limit', async () => {
+    const { executeInIsolatedVM } = await loadExecutionModule({
+      envOverrides: {
+        IVM_MAX_QUEUED_PER_OWNER: '1',
+        IVM_QUEUE_TIMEOUT_MS: '200',
+      },
+      spawns: [createStartupFailureProc, createStartupFailureProc, createStartupFailureProc],
+    })
+
+    const firstPromise = executeInIsolatedVM({
+      code: 'return 1',
+      params: {},
+      envVars: {},
+      contextVariables: {},
+      timeoutMs: 100,
+      requestId: 'req-4',
+      ownerKey: 'user:hog',
+    })
+
+    await new Promise((resolve) => setTimeout(resolve, 25))
+
+    const second = await executeInIsolatedVM({
+      code: 'return 2',
+      params: {},
+      envVars: {},
+      contextVariables: {},
+      timeoutMs: 100,
+      requestId: 'req-5',
+      ownerKey: 'user:hog',
+    })
+
+    expect(second.error?.message).toContain('Too many concurrent')
+
+    const first = await firstPromise
+    expect(first.error?.message).toContain('timed out waiting')
+  })
+
+  it('enforces distributed owner in-flight lease limit when Redis is configured', async () => {
+    const { executeInIsolatedVM } = await loadExecutionModule({
+      envOverrides: {
+        IVM_DISTRIBUTED_MAX_INFLIGHT_PER_OWNER: '1',
+        REDIS_URL: 'redis://localhost:6379',
+      },
+      spawns: [() => createReadyProc('ok')],
+      redisEvalImpl: (...args: any[]) => {
+        const script = String(args[0] ?? '')
+        if (script.includes('ZREMRANGEBYSCORE')) {
+          return 0
+        }
+        return 1
+      },
+    })
+
+    const result = await executeInIsolatedVM({
+      code: 'return "blocked"',
+      params: {},
+      envVars: {},
+      contextVariables: {},
+      timeoutMs: 100,
+      requestId: 'req-6',
+      ownerKey: 'user:distributed',
+    })
+
+    expect(result.error?.message).toContain('Too many concurrent')
+  })
+
+  it('fails closed when Redis is configured but unavailable', async () => {
+    const { executeInIsolatedVM } = await loadExecutionModule({
+      envOverrides: {
+        REDIS_URL: 'redis://localhost:6379',
+      },
+      spawns: [() => createReadyProc('ok')],
+    })
+
+    const result = await executeInIsolatedVM({
+      code: 'return "blocked"',
+      params: {},
+      envVars: {},
+      contextVariables: {},
+      timeoutMs: 100,
+      requestId: 'req-7',
+      ownerKey: 'user:redis-down',
+    })
+
+    expect(result.error?.message).toContain('temporarily unavailable')
+  })
+
+  it('fails closed when Redis lease evaluation errors', async () => {
+    const { executeInIsolatedVM } = await loadExecutionModule({
+      envOverrides: {
+        REDIS_URL: 'redis://localhost:6379',
+      },
+      spawns: [() => createReadyProc('ok')],
+      redisEvalImpl: (...args: any[]) => {
+        const script = String(args[0] ?? '')
+        if (script.includes('ZREMRANGEBYSCORE')) {
+          throw new Error('redis timeout')
+        }
+        return 1
+      },
+    })
+
+    const result = await executeInIsolatedVM({
+      code: 'return "blocked"',
+      params: {},
+      envVars: {},
+      contextVariables: {},
+      timeoutMs: 100,
+      requestId: 'req-8',
+      ownerKey: 'user:redis-error',
+    })
+
+    expect(result.error?.message).toContain('temporarily unavailable')
+  })
+
+  it('applies weighted owner scheduling when draining queued executions', async () => {
+    const { executeInIsolatedVM } = await loadExecutionModule({
+      envOverrides: {
+        IVM_MAX_PER_WORKER: '1',
+      },
+      spawns: [() => createReadyProcWithDelay(10)],
+    })
+
+    const completionOrder: string[] = []
+    const pushCompletion = (label: string) => (res: { result: unknown }) => {
+      completionOrder.push(String(res.result ?? label))
+      return res
+    }
+
+    const p1 = executeInIsolatedVM({
+      code: 'return 1',
+      params: {},
+      envVars: {},
+      contextVariables: {},
+      timeoutMs: 500,
+      requestId: 'a-1',
+      ownerKey: 'user:a',
+      ownerWeight: 2,
+    }).then(pushCompletion('a-1'))
+
+    const p2 = executeInIsolatedVM({
+      code: 'return 2',
+      params: {},
+      envVars: {},
+      contextVariables: {},
+      timeoutMs: 500,
+      requestId: 'a-2',
+      ownerKey: 'user:a',
+      ownerWeight: 2,
+    }).then(pushCompletion('a-2'))
+
+    const p3 = executeInIsolatedVM({
+      code: 'return 3',
+      params: {},
+      envVars: {},
+      contextVariables: {},
+      timeoutMs: 500,
+      requestId: 'b-1',
+      ownerKey: 'user:b',
+      ownerWeight: 1,
+    }).then(pushCompletion('b-1'))
+
+    const p4 = executeInIsolatedVM({
+      code: 'return 4',
+      params: {},
+      envVars: {},
+      contextVariables: {},
+      timeoutMs: 500,
+      requestId: 'b-2',
+      ownerKey: 'user:b',
+      ownerWeight: 1,
+    }).then(pushCompletion('b-2'))
+
+    const p5 = executeInIsolatedVM({
+      code: 'return 5',
+      params: {},
+      envVars: {},
+      contextVariables: {},
+      timeoutMs: 500,
+      requestId: 'a-3',
+      ownerKey: 'user:a',
+      ownerWeight: 2,
+    }).then(pushCompletion('a-3'))
+
+    await Promise.all([p1, p2, p3, p4, p5])
+
+    expect(completionOrder.slice(0, 3)).toEqual(['a-1', 'a-2', 'a-3'])
+    expect(completionOrder).toEqual(['a-1', 'a-2', 'a-3', 'b-1', 'b-2'])
+  })
+
+  it('rejects oversized fetch options payloads before outbound call', async () => {
+    const { executeInIsolatedVM, secureFetchMock } = await loadExecutionModule({
+      envOverrides: {
+        IVM_MAX_FETCH_OPTIONS_JSON_CHARS: '50',
+      },
+      spawns: [
+        () =>
+          createReadyFetchProxyProc({
+            url: 'https://example.com',
+            optionsJson: 'x'.repeat(100),
+          }),
+      ],
+    })
+
+    const result = await executeInIsolatedVM({
+      code: 'return "fetch-options"',
+      params: {},
+      envVars: {},
+      contextVariables: {},
+      timeoutMs: 100,
+      requestId: 'req-fetch-options',
+    })
+
+    const payload = JSON.parse(String(result.result))
+    expect(payload.error).toContain('Fetch options exceed maximum payload size')
+    expect(secureFetchMock).not.toHaveBeenCalled()
+  })
+
+  it('rejects overly long fetch URLs before outbound call', async () => {
+    const { executeInIsolatedVM, secureFetchMock } = await loadExecutionModule({
+      envOverrides: {
+        IVM_MAX_FETCH_URL_LENGTH: '30',
+      },
+      spawns: [
+        () =>
+          createReadyFetchProxyProc({
+            url: 'https://example.com/path/to/a/very/long/resource',
+          }),
+      ],
+    })
+
+    const result = await executeInIsolatedVM({
+      code: 'return "fetch-url"',
+      params: {},
+      envVars: {},
+      contextVariables: {},
+      timeoutMs: 100,
+      requestId: 'req-fetch-url',
+    })
+
+    const payload = JSON.parse(String(result.result))
+    expect(payload.error).toContain('fetch URL exceeds maximum length')
+    expect(secureFetchMock).not.toHaveBeenCalled()
+  })
+})

apps/sim/lib/execution/preprocessing.ts

@@ -124,6 +124,7 @@ export interface PreprocessExecutionOptions {
   workspaceId?: string // If known, used for billing resolution
   loggingSession?: LoggingSession // If provided, will be used for error logging
   isResumeContext?: boolean // If true, allows fallback billing on resolution failure (for paused workflow resumes)
+  useAuthenticatedUserAsActor?: boolean // If true, use the authenticated userId as actorUserId (for client-side executions and personal API keys)
   /** @deprecated No longer used - background/async executions always use deployed state */
   useDraftState?: boolean
 }
@@ -170,6 +171,7 @@ export async function preprocessExecution(
     workspaceId: providedWorkspaceId,
     loggingSession: providedLoggingSession,
     isResumeContext = false,
+    useAuthenticatedUserAsActor = false,
   } = options
 
   logger.info(`[${requestId}] Starting execution preprocessing`, {
@@ -257,7 +259,14 @@ export async function preprocessExecution(
   let actorUserId: string | null = null
 
   try {
-    if (workspaceId) {
+    // For client-side executions and personal API keys, the authenticated
+    // user is the billing and permission actor — not the workspace owner.
+    if (useAuthenticatedUserAsActor && userId) {
+      actorUserId = userId
+      logger.info(`[${requestId}] Using authenticated user as actor: ${actorUserId}`)
+    }
+
+    if (!actorUserId && workspaceId) {
       actorUserId = await getWorkspaceBilledAccountUserId(workspaceId)
       if (actorUserId) {
         logger.info(`[${requestId}] Using workspace billed account: ${actorUserId}`)

apps/sim/lib/guardrails/validate_hallucination.ts

@@ -1,7 +1,11 @@
+import { db } from '@sim/db'
+import { account } from '@sim/db/schema'
 import { createLogger } from '@sim/logger'
+import { eq } from 'drizzle-orm'
 import { getBaseUrl } from '@/lib/core/utils/urls'
+import { refreshTokenIfNeeded } from '@/app/api/auth/oauth/utils'
 import { executeProviderRequest } from '@/providers'
-import { getApiKey, getProviderFromModel } from '@/providers/utils'
+import { getProviderFromModel } from '@/providers/utils'
 
 const logger = createLogger('HallucinationValidator')
 
@@ -19,7 +23,18 @@ export interface HallucinationValidationInput {
   topK: number // Number of chunks to retrieve, default 10
   model: string
   apiKey?: string
+  providerCredentials?: {
+    azureEndpoint?: string
+    azureApiVersion?: string
+    vertexProject?: string
+    vertexLocation?: string
+    vertexCredential?: string
+    bedrockAccessKeyId?: string
+    bedrockSecretKey?: string
+    bedrockRegion?: string
+  }
   workflowId?: string
+  workspaceId?: string
   requestId: string
 }
 
@@ -89,7 +104,9 @@ async function scoreHallucinationWithLLM(
   userInput: string,
   ragContext: string[],
   model: string,
-  apiKey: string,
+  apiKey: string | undefined,
+  providerCredentials: HallucinationValidationInput['providerCredentials'],
+  workspaceId: string | undefined,
   requestId: string
 ): Promise<{ score: number; reasoning: string }> {
   try {
@@ -127,6 +144,23 @@ Evaluate the consistency and provide your score and reasoning in JSON format.`
 
     const providerId = getProviderFromModel(model)
 
+    let finalApiKey: string | undefined = apiKey
+    if (providerId === 'vertex' && providerCredentials?.vertexCredential) {
+      const credential = await db.query.account.findFirst({
+        where: eq(account.id, providerCredentials.vertexCredential),
+      })
+      if (credential) {
+        const { accessToken } = await refreshTokenIfNeeded(
+          requestId,
+          credential,
+          providerCredentials.vertexCredential
+        )
+        if (accessToken) {
+          finalApiKey = accessToken
+        }
+      }
+    }
+
     const response = await executeProviderRequest(providerId, {
       model,
       systemPrompt,
@@ -137,7 +171,15 @@ Evaluate the consistency and provide your score and reasoning in JSON format.`
         },
       ],
       temperature: 0.1, // Low temperature for consistent scoring
-      apiKey,
+      apiKey: finalApiKey,
+      azureEndpoint: providerCredentials?.azureEndpoint,
+      azureApiVersion: providerCredentials?.azureApiVersion,
+      vertexProject: providerCredentials?.vertexProject,
+      vertexLocation: providerCredentials?.vertexLocation,
+      bedrockAccessKeyId: providerCredentials?.bedrockAccessKeyId,
+      bedrockSecretKey: providerCredentials?.bedrockSecretKey,
+      bedrockRegion: providerCredentials?.bedrockRegion,
+      workspaceId,
     })
 
     if (response instanceof ReadableStream || ('stream' in response && 'execution' in response)) {
@@ -184,8 +226,18 @@ Evaluate the consistency and provide your score and reasoning in JSON format.`
 export async function validateHallucination(
   input: HallucinationValidationInput
 ): Promise<HallucinationValidationResult> {
-  const { userInput, knowledgeBaseId, threshold, topK, model, apiKey, workflowId, requestId } =
-    input
+  const {
+    userInput,
+    knowledgeBaseId,
+    threshold,
+    topK,
+    model,
+    apiKey,
+    providerCredentials,
+    workflowId,
+    workspaceId,
+    requestId,
+  } = input
 
   try {
     if (!userInput || userInput.trim().length === 0) {
@@ -202,17 +254,6 @@ export async function validateHallucination(
       }
     }
 
-    let finalApiKey: string
-    try {
-      const providerId = getProviderFromModel(model)
-      finalApiKey = getApiKey(providerId, model, apiKey)
-    } catch (error: any) {
-      return {
-        passed: false,
-        error: `API key error: ${error.message}`,
-      }
-    }
-
     // Step 1: Query knowledge base with RAG
     const ragContext = await queryKnowledgeBase(
       knowledgeBaseId,
@@ -234,7 +275,9 @@ export async function validateHallucination(
       userInput,
       ragContext,
       model,
-      finalApiKey,
+      apiKey,
+      providerCredentials,
+      workspaceId,
       requestId
     )
 

apps/sim/lib/mcp/middleware.ts

@@ -1,6 +1,6 @@
 import { createLogger } from '@sim/logger'
 import type { NextRequest, NextResponse } from 'next/server'
-import { checkHybridAuth } from '@/lib/auth/hybrid'
+import { checkSessionOrInternalAuth } from '@/lib/auth/hybrid'
 import { generateRequestId } from '@/lib/core/utils/request'
 import { createMcpErrorResponse } from '@/lib/mcp/utils'
 import { getUserEntityPermissions } from '@/lib/workspaces/permissions/utils'
@@ -43,7 +43,7 @@ async function validateMcpAuth(
   const requestId = generateRequestId()
 
   try {
-    const auth = await checkHybridAuth(request, { requireWorkflowId: false })
+    const auth = await checkSessionOrInternalAuth(request, { requireWorkflowId: false })
     if (!auth.success || !auth.userId) {
       logger.warn(`[${requestId}] Authentication failed: ${auth.error}`)
       return {

apps/sim/lib/permission-groups/types.ts

@@ -10,6 +10,7 @@ export interface PermissionGroupConfig {
   hideFilesTab: boolean
   disableMcpTools: boolean
   disableCustomTools: boolean
+  disableSkills: boolean
   hideTemplates: boolean
   disableInvitations: boolean
   // Deploy Modal Tabs
@@ -31,6 +32,7 @@ export const DEFAULT_PERMISSION_GROUP_CONFIG: PermissionGroupConfig = {
   hideFilesTab: false,
   disableMcpTools: false,
   disableCustomTools: false,
+  disableSkills: false,
   hideTemplates: false,
   disableInvitations: false,
   hideDeployApi: false,
@@ -59,6 +61,7 @@ export function parsePermissionGroupConfig(config: unknown): PermissionGroupConf
     hideFilesTab: typeof c.hideFilesTab === 'boolean' ? c.hideFilesTab : false,
     disableMcpTools: typeof c.disableMcpTools === 'boolean' ? c.disableMcpTools : false,
     disableCustomTools: typeof c.disableCustomTools === 'boolean' ? c.disableCustomTools : false,
+    disableSkills: typeof c.disableSkills === 'boolean' ? c.disableSkills : false,
     hideTemplates: typeof c.hideTemplates === 'boolean' ? c.hideTemplates : false,
     disableInvitations: typeof c.disableInvitations === 'boolean' ? c.disableInvitations : false,
     hideDeployApi: typeof c.hideDeployApi === 'boolean' ? c.hideDeployApi : false,

apps/sim/lib/tokenization/constants.ts

@@ -21,6 +21,11 @@ export const TOKENIZATION_CONFIG = {
       confidence: 'high',
       supportedMethods: ['heuristic', 'fallback'],
     },
+    'azure-anthropic': {
+      avgCharsPerToken: 4.5,
+      confidence: 'high',
+      supportedMethods: ['heuristic', 'fallback'],
+    },
     google: {
       avgCharsPerToken: 5,
       confidence: 'medium',

apps/sim/lib/tokenization/estimators.ts

@@ -204,6 +204,7 @@ export function estimateTokenCount(text: string, providerId?: string): TokenEsti
       estimatedTokens = estimateOpenAITokens(text)
       break
     case 'anthropic':
+    case 'azure-anthropic':
       estimatedTokens = estimateAnthropicTokens(text)
       break
     case 'google':

apps/sim/lib/webhooks/processor.ts

@@ -24,6 +24,7 @@ import {
   validateTypeformSignature,
   verifyProviderWebhook,
 } from '@/lib/webhooks/utils.server'
+import { getWorkspaceBilledAccountUserId } from '@/lib/workspaces/utils'
 import { executeWebhookJob } from '@/background/webhook-execution'
 import { resolveEnvVarReferences } from '@/executor/utils/reference-validation'
 import { isGitHubEventMatch } from '@/triggers/github/utils'
@@ -1003,10 +1004,23 @@ export async function queueWebhookExecution(
       }
     }
 
+    if (!foundWorkflow.workspaceId) {
+      logger.error(`[${options.requestId}] Workflow ${foundWorkflow.id} has no workspaceId`)
+      return NextResponse.json({ error: 'Workflow has no associated workspace' }, { status: 500 })
+    }
+
+    const actorUserId = await getWorkspaceBilledAccountUserId(foundWorkflow.workspaceId)
+    if (!actorUserId) {
+      logger.error(
+        `[${options.requestId}] No billing account for workspace ${foundWorkflow.workspaceId}`
+      )
+      return NextResponse.json({ error: 'Unable to resolve billing account' }, { status: 500 })
+    }
+
     const payload = {
       webhookId: foundWebhook.id,
       workflowId: foundWorkflow.id,
-      userId: foundWorkflow.userId,
+      userId: actorUserId,
       provider: foundWebhook.provider,
       body,
       headers,
@@ -1017,7 +1031,7 @@ export async function queueWebhookExecution(
 
     const jobQueue = await getJobQueue()
     const jobId = await jobQueue.enqueue('webhook-execution', payload, {
-      metadata: { workflowId: foundWorkflow.id, userId: foundWorkflow.userId },
+      metadata: { workflowId: foundWorkflow.id, userId: actorUserId },
     })
     logger.info(
       `[${options.requestId}] Queued webhook execution task ${jobId} for ${foundWebhook.provider} webhook`

apps/sim/lib/workflows/skills/operations.ts

@@ -0,0 +1,100 @@
+import { db } from '@sim/db'
+import { skill } from '@sim/db/schema'
+import { createLogger } from '@sim/logger'
+import { and, desc, eq, ne } from 'drizzle-orm'
+import { nanoid } from 'nanoid'
+import { generateRequestId } from '@/lib/core/utils/request'
+
+const logger = createLogger('SkillsOperations')
+
+/**
+ * Internal function to create/update skills.
+ * Can be called from API routes or internal services.
+ */
+export async function upsertSkills(params: {
+  skills: Array<{
+    id?: string
+    name: string
+    description: string
+    content: string
+  }>
+  workspaceId: string
+  userId: string
+  requestId?: string
+}) {
+  const { skills, workspaceId, userId, requestId = generateRequestId() } = params
+
+  return await db.transaction(async (tx) => {
+    for (const s of skills) {
+      const nowTime = new Date()
+
+      if (s.id) {
+        const existingSkill = await tx
+          .select()
+          .from(skill)
+          .where(and(eq(skill.id, s.id), eq(skill.workspaceId, workspaceId)))
+          .limit(1)
+
+        if (existingSkill.length > 0) {
+          if (s.name !== existingSkill[0].name) {
+            const nameConflict = await tx
+              .select({ id: skill.id })
+              .from(skill)
+              .where(
+                and(eq(skill.workspaceId, workspaceId), eq(skill.name, s.name), ne(skill.id, s.id))
+              )
+              .limit(1)
+
+            if (nameConflict.length > 0) {
+              throw new Error(`A skill with the name "${s.name}" already exists in this workspace`)
+            }
+          }
+
+          await tx
+            .update(skill)
+            .set({
+              name: s.name,
+              description: s.description,
+              content: s.content,
+              updatedAt: nowTime,
+            })
+            .where(and(eq(skill.id, s.id), eq(skill.workspaceId, workspaceId)))
+
+          logger.info(`[${requestId}] Updated skill ${s.id}`)
+          continue
+        }
+      }
+
+      const duplicateName = await tx
+        .select()
+        .from(skill)
+        .where(and(eq(skill.workspaceId, workspaceId), eq(skill.name, s.name)))
+        .limit(1)
+
+      if (duplicateName.length > 0) {
+        throw new Error(`A skill with the name "${s.name}" already exists in this workspace`)
+      }
+
+      await tx.insert(skill).values({
+        id: nanoid(),
+        workspaceId,
+        userId,
+        name: s.name,
+        description: s.description,
+        content: s.content,
+        createdAt: nowTime,
+        updatedAt: nowTime,
+      })
+
+      logger.info(`[${requestId}] Created skill "${s.name}"`)
+    }
+
+    const resultSkills = await tx
+      .select()
+      .from(skill)
+      .where(eq(skill.workspaceId, workspaceId))
+      .orderBy(desc(skill.createdAt))
+
+    return resultSkills
+  })
+}

apps/sim/lib/workflows/subblocks/visibility.test.ts

@@ -156,6 +156,15 @@ describe('evaluateSubBlockCondition', () => {
       expect(evaluateSubBlockCondition(condition, values)).toBe(true)
     })
 
+    it.concurrent('passes current values into function conditions', () => {
+      const condition = (values?: Record<string, unknown>) => ({
+        field: 'model',
+        value: typeof values?.model === 'string' ? values.model : '__no_model_selected__',
+      })
+      const values = { model: 'ollama/gemma3:4b' }
+      expect(evaluateSubBlockCondition(condition, values)).toBe(true)
+    })
+
     it.concurrent('handles boolean values', () => {
       const condition = { field: 'enabled', value: true }
       const values = { enabled: true }

apps/sim/lib/workflows/subblocks/visibility.ts

@@ -100,11 +100,14 @@ export function resolveCanonicalMode(
  * Evaluate a subblock condition against a map of raw values.
  */
 export function evaluateSubBlockCondition(
-  condition: SubBlockCondition | (() => SubBlockCondition) | undefined,
+  condition:
+    | SubBlockCondition
+    | ((values?: Record<string, unknown>) => SubBlockCondition)
+    | undefined,
   values: Record<string, unknown>
 ): boolean {
   if (!condition) return true
-  const actual = typeof condition === 'function' ? condition() : condition
+  const actual = typeof condition === 'function' ? condition(values) : condition
   const fieldValue = values[actual.field]
   const valueMatch = Array.isArray(actual.value)
     ? fieldValue != null &&

apps/sim/providers/azure-anthropic/index.ts

@@ -35,6 +35,8 @@ export const azureAnthropicProvider: ProviderConfig = {
     // The SDK appends /v1/messages automatically
     const baseURL = `${request.azureEndpoint.replace(/\/$/, '')}/anthropic`
 
+    const anthropicVersion = request.azureApiVersion || '2023-06-01'
+
     return executeAnthropicProviderRequest(
       {
         ...request,
@@ -49,7 +51,7 @@ export const azureAnthropicProvider: ProviderConfig = {
             apiKey,
             defaultHeaders: {
               'api-key': apiKey,
-              'anthropic-version': '2023-06-01',
+              'anthropic-version': anthropicVersion,
               ...(useNativeStructuredOutputs
                 ? { 'anthropic-beta': 'structured-outputs-2025-11-13' }
                 : {}),

apps/sim/tools/airweave/index.ts

@@ -0,0 +1 @@
+export { airweaveSearchTool } from './search'

apps/sim/tools/airweave/search.ts

@@ -0,0 +1,130 @@
+import type { AirweaveSearchParams, AirweaveSearchResponse } from '@/tools/airweave/types'
+import { AIRWEAVE_SEARCH_RESULT_OUTPUT_PROPERTIES } from '@/tools/airweave/types'
+import type { ToolConfig } from '@/tools/types'
+
+export const airweaveSearchTool: ToolConfig<AirweaveSearchParams, AirweaveSearchResponse> = {
+  id: 'airweave_search',
+  name: 'Airweave Search',
+  description:
+    'Search your synced data collections using Airweave. Supports semantic search with hybrid, neural, or keyword retrieval strategies. Optionally generate AI-powered answers from search results.',
+  version: '1.0.0',
+
+  params: {
+    apiKey: {
+      type: 'string',
+      required: true,
+      visibility: 'user-only',
+      description: 'Airweave API Key for authentication',
+    },
+    collectionId: {
+      type: 'string',
+      required: true,
+      visibility: 'user-or-llm',
+      description: 'The readable ID of the collection to search',
+    },
+    query: {
+      type: 'string',
+      required: true,
+      visibility: 'user-or-llm',
+      description: 'The search query text',
+    },
+    limit: {
+      type: 'number',
+      required: false,
+      visibility: 'user-only',
+      description: 'Maximum number of results to return (default: 100)',
+    },
+    retrievalStrategy: {
+      type: 'string',
+      required: false,
+      visibility: 'user-or-llm',
+      description: 'Retrieval strategy: hybrid (default), neural, or keyword',
+    },
+    expandQuery: {
+      type: 'boolean',
+      required: false,
+      visibility: 'user-or-llm',
+      description: 'Generate query variations to improve recall',
+    },
+    rerank: {
+      type: 'boolean',
+      required: false,
+      visibility: 'user-or-llm',
+      description: 'Reorder results for improved relevance using LLM',
+    },
+    generateAnswer: {
+      type: 'boolean',
+      required: false,
+      visibility: 'user-or-llm',
+      description: 'Generate a natural-language answer to the query',
+    },
+  },
+
+  request: {
+    url: (params) => `https://api.airweave.ai/collections/${params.collectionId}/search`,
+    method: 'POST',
+    headers: (params) => ({
+      'X-API-Key': params.apiKey,
+      'Content-Type': 'application/json',
+    }),
+    body: (params) => {
+      const body: Record<string, any> = {
+        query: params.query,
+      }
+
+      // Only include optional parameters if explicitly set
+      if (params.limit !== undefined) body.limit = Number(params.limit)
+      if (params.retrievalStrategy) body.retrieval_strategy = params.retrievalStrategy
+      if (params.expandQuery !== undefined) body.expand_query = params.expandQuery
+      if (params.rerank !== undefined) body.rerank = params.rerank
+      if (params.generateAnswer !== undefined) body.generate_answer = params.generateAnswer
+
+      return body
+    },
+  },
+
+  transformResponse: async (response: Response) => {
+    const data = await response.json()
+
+    // Handle error responses
+    if (!response.ok) {
+      return {
+        success: false,
+        output: { results: [] },
+        error: data.detail ?? data.message ?? 'Search request failed',
+      }
+    }
+
+    return {
+      success: true,
+      output: {
+        results: (data.results ?? []).map((result: any) => ({
+          entity_id: result.entity_id ?? result.id ?? '',
+          source_name: result.source_name ?? '',
+          md_content: result.md_content ?? null,
+          score: result.score ?? 0,
+          metadata: result.metadata ?? null,
+          breadcrumbs: result.breadcrumbs ?? null,
+          url: result.url ?? null,
+        })),
+        ...(data.completion && { completion: data.completion }),
+      },
+    }
+  },
+
+  outputs: {
+    results: {
+      type: 'array',
+      description: 'Search results with content, scores, and metadata from your synced data',
+      items: {
+        type: 'object',
+        properties: AIRWEAVE_SEARCH_RESULT_OUTPUT_PROPERTIES,
+      },
+    },
+    completion: {
+      type: 'string',
+      description: 'AI-generated answer to the query (when generateAnswer is enabled)',
+      optional: true,
+    },
+  },
+}

apps/sim/tools/airweave/types.ts

@@ -0,0 +1,84 @@
+import type { OutputProperty, ToolResponse } from '@/tools/types'
+
+/**
+ * Output definition for Airweave search result items.
+ * Based on Airweave Search API response format.
+ */
+export const AIRWEAVE_SEARCH_RESULT_OUTPUT_PROPERTIES = {
+  entity_id: { type: 'string', description: 'Unique identifier for the search result entity' },
+  source_name: { type: 'string', description: 'Name of the data source (e.g., "GitHub", "Slack")' },
+  md_content: {
+    type: 'string',
+    description: 'Markdown-formatted content of the result',
+    optional: true,
+  },
+  score: { type: 'number', description: 'Relevance score from the search' },
+  metadata: {
+    type: 'object',
+    description: 'Additional metadata associated with the result',
+    optional: true,
+  },
+  breadcrumbs: {
+    type: 'array',
+    description: 'Navigation path to the result within its source',
+    optional: true,
+    items: { type: 'string', description: 'Breadcrumb segment' },
+  },
+  url: { type: 'string', description: 'URL to the original content', optional: true },
+} as const satisfies Record<string, OutputProperty>
+
+/**
+ * Complete search result output definition.
+ */
+export const AIRWEAVE_SEARCH_RESULT_OUTPUT: OutputProperty = {
+  type: 'object',
+  description: 'Search result item with content and metadata',
+  properties: AIRWEAVE_SEARCH_RESULT_OUTPUT_PROPERTIES,
+}
+
+/**
+ * Parameters for Airweave search requests.
+ */
+export interface AirweaveSearchParams {
+  /** Airweave API Key for authentication */
+  apiKey: string
+  /** The readable ID of the collection to search */
+  collectionId: string
+  /** The search query text */
+  query: string
+  /** Maximum number of results to return */
+  limit?: number
+  /** Retrieval strategy: hybrid, neural, or keyword */
+  retrievalStrategy?: 'hybrid' | 'neural' | 'keyword'
+  /** Generate query variations to improve recall */
+  expandQuery?: boolean
+  /** Reorder results for improved relevance using LLM */
+  rerank?: boolean
+  /** Generate a natural-language answer to the query */
+  generateAnswer?: boolean
+}
+
+/**
+ * Individual search result from Airweave.
+ */
+export interface AirweaveSearchResult {
+  entity_id: string
+  source_name: string
+  md_content?: string
+  score: number
+  metadata?: Record<string, any>
+  breadcrumbs?: string[]
+  url?: string
+}
+
+/**
+ * Response from Airweave search API.
+ */
+export interface AirweaveSearchResponse extends ToolResponse {
+  output: {
+    /** Array of search results */
+    results: AirweaveSearchResult[]
+    /** AI-generated answer to the query (when generateAnswer is true) */
+    completion?: string
+  }
+}

apps/sim/tools/guardrails/validate.ts

@@ -9,6 +9,14 @@ export interface GuardrailsValidateInput {
   topK?: string
   model?: string
   apiKey?: string
+  azureEndpoint?: string
+  azureApiVersion?: string
+  vertexProject?: string
+  vertexLocation?: string
+  vertexCredential?: string
+  bedrockAccessKeyId?: string
+  bedrockSecretKey?: string
+  bedrockRegion?: string
   piiEntityTypes?: string[]
   piiMode?: string
   piiLanguage?: string
@@ -166,6 +174,14 @@ export const guardrailsValidateTool: ToolConfig<GuardrailsValidateInput, Guardra
         topK: params.topK,
         model: params.model,
         apiKey: params.apiKey,
+        azureEndpoint: params.azureEndpoint,
+        azureApiVersion: params.azureApiVersion,
+        vertexProject: params.vertexProject,
+        vertexLocation: params.vertexLocation,
+        vertexCredential: params.vertexCredential,
+        bedrockAccessKeyId: params.bedrockAccessKeyId,
+        bedrockSecretKey: params.bedrockSecretKey,
+        bedrockRegion: params.bedrockRegion,
         piiEntityTypes: params.piiEntityTypes,
         piiMode: params.piiMode,
         piiLanguage: params.piiLanguage,

apps/sim/tools/index.ts

@@ -9,6 +9,7 @@ import { generateRequestId } from '@/lib/core/utils/request'
 import { getBaseUrl } from '@/lib/core/utils/urls'
 import { parseMcpToolId } from '@/lib/mcp/utils'
 import { isCustomTool, isMcpTool } from '@/executor/constants'
+import { resolveSkillContent } from '@/executor/handlers/agent/skills-resolver'
 import type { ExecutionContext } from '@/executor/types'
 import type { ErrorInfo } from '@/tools/error-extractors'
 import { extractErrorMessage } from '@/tools/error-extractors'
@@ -218,10 +219,36 @@ export async function executeTool(
     // Normalize tool ID to strip resource suffixes (e.g., workflow_executor_<uuid> -> workflow_executor)
     const normalizedToolId = normalizeToolId(toolId)
 
+    // Handle load_skill tool for agent skills progressive disclosure
+    if (normalizedToolId === 'load_skill') {
+      const skillName = params.skill_name
+      const workspaceId = params._context?.workspaceId
+      if (!skillName || !workspaceId) {
+        return {
+          success: false,
+          output: { error: 'Missing skill_name or workspace context' },
+          error: 'Missing skill_name or workspace context',
+        }
+      }
+      const content = await resolveSkillContent(skillName, workspaceId)
+      if (!content) {
+        return {
+          success: false,
+          output: { error: `Skill "${skillName}" not found` },
+          error: `Skill "${skillName}" not found`,
+        }
+      }
+      return {
+        success: true,
+        output: { content },
+      }
+    }
+
     // If it's a custom tool, use the async version with workflowId
     if (isCustomTool(normalizedToolId)) {
       const workflowId = params._context?.workflowId
-      tool = await getToolAsync(normalizedToolId, workflowId)
+      const userId = params._context?.userId
+      tool = await getToolAsync(normalizedToolId, workflowId, userId)
       if (!tool) {
         logger.error(`[${requestId}] Custom tool not found: ${normalizedToolId}`)
       }
@@ -260,26 +287,25 @@ export async function executeTool(
       try {
         const baseUrl = getBaseUrl()
 
+        const workflowId = contextParams._context?.workflowId
+        const userId = contextParams._context?.userId
+
         const tokenPayload: OAuthTokenPayload = {
           credentialId: contextParams.credential as string,
         }
-
-        // Add workflowId if it exists in params, context, or executionContext
-        const workflowId =
-          contextParams.workflowId ||
-          contextParams._context?.workflowId ||
-          executionContext?.workflowId
         if (workflowId) {
           tokenPayload.workflowId = workflowId
         }
 
         logger.info(`[${requestId}] Fetching access token from ${baseUrl}/api/auth/oauth/token`)
 
-        // Build token URL and also include workflowId in query so server auth can read it
         const tokenUrlObj = new URL('/api/auth/oauth/token', baseUrl)
         if (workflowId) {
           tokenUrlObj.searchParams.set('workflowId', workflowId)
         }
+        if (userId) {
+          tokenUrlObj.searchParams.set('userId', userId)
+        }
 
         // Always send Content-Type; add internal auth on server-side runs
         const tokenHeaders: Record<string, string> = { 'Content-Type': 'application/json' }
@@ -583,6 +609,10 @@ async function executeToolRequest(
       if (workflowId) {
         fullUrlObj.searchParams.set('workflowId', workflowId)
       }
+      const userId = params._context?.userId
+      if (userId) {
+        fullUrlObj.searchParams.set('userId', userId)
+      }
     }
 
     const fullUrl = fullUrlObj.toString()
@@ -931,6 +961,7 @@ async function executeMcpTool(
 
     const workspaceId = params._context?.workspaceId || executionContext?.workspaceId
     const workflowId = params._context?.workflowId || executionContext?.workflowId
+    const userId = params._context?.userId || executionContext?.userId
 
     if (!workspaceId) {
       return {
@@ -972,7 +1003,12 @@ async function executeMcpTool(
       hasToolSchema: !!toolSchema,
     })
 
-    const response = await fetch(`${baseUrl}/api/mcp/tools/execute`, {
+    const mcpUrl = new URL('/api/mcp/tools/execute', baseUrl)
+    if (userId) {
+      mcpUrl.searchParams.set('userId', userId)
+    }
+
+    const response = await fetch(mcpUrl.toString(), {
       method: 'POST',
       headers,
       body,

apps/sim/tools/registry.ts

@@ -24,6 +24,7 @@ import {
   airtableListRecordsTool,
   airtableUpdateRecordTool,
 } from '@/tools/airtable'
+import { airweaveSearchTool } from '@/tools/airweave'
 import { apifyRunActorAsyncTool, apifyRunActorSyncTool } from '@/tools/apify'
 import {
   apolloAccountBulkCreateTool,
@@ -1809,6 +1810,7 @@ export const tools: Record<string, ToolConfig> = {
   a2a_resubscribe: a2aResubscribeTool,
   a2a_send_message: a2aSendMessageTool,
   a2a_set_push_notification: a2aSetPushNotificationTool,
+  airweave_search: airweaveSearchTool,
   arxiv_search: arxivSearchTool,
   arxiv_get_paper: arxivGetPaperTool,
   arxiv_get_author_papers: arxivGetAuthorPapersTool,

apps/sim/tools/utils.ts

@@ -311,7 +311,8 @@ export function getTool(toolId: string): ToolConfig | undefined {
 // Get a tool by its ID asynchronously (supports server-side)
 export async function getToolAsync(
   toolId: string,
-  workflowId?: string
+  workflowId?: string,
+  userId?: string
 ): Promise<ToolConfig | undefined> {
   // Check for built-in tools
   const builtInTool = tools[toolId]
@@ -319,7 +320,7 @@ export async function getToolAsync(
 
   // Check if it's a custom tool
   if (isCustomTool(toolId)) {
-    return fetchCustomToolFromAPI(toolId, workflowId)
+    return fetchCustomToolFromAPI(toolId, workflowId, userId)
   }
 
   return undefined
@@ -366,7 +367,8 @@ function createToolConfig(customTool: any, customToolId: string): ToolConfig {
 // Create a tool config from a custom tool definition by fetching from API
 async function fetchCustomToolFromAPI(
   customToolId: string,
-  workflowId?: string
+  workflowId?: string,
+  userId?: string
 ): Promise<ToolConfig | undefined> {
   const identifier = customToolId.replace('custom_', '')
 
@@ -374,10 +376,12 @@ async function fetchCustomToolFromAPI(
     const baseUrl = getBaseUrl()
     const url = new URL('/api/tools/custom', baseUrl)
 
-    // Add workflowId as a query parameter if available
     if (workflowId) {
       url.searchParams.append('workflowId', workflowId)
     }
+    if (userId) {
+      url.searchParams.append('userId', userId)
+    }
 
     // For server-side calls (during workflow execution), use internal JWT token
     const headers: Record<string, string> = {}

helm/sim/values.yaml

@@ -139,7 +139,25 @@ app:
     EXECUTION_TIMEOUT_ASYNC_PRO: "5400"                   # Pro tier async timeout (90 minutes)
     EXECUTION_TIMEOUT_ASYNC_TEAM: "5400"                  # Team tier async timeout (90 minutes)
     EXECUTION_TIMEOUT_ASYNC_ENTERPRISE: "5400"            # Enterprise tier async timeout (90 minutes)
-    
+
+    # Isolated-VM Worker Pool Configuration
+    IVM_POOL_SIZE: "4"                                    # Max worker processes in pool
+    IVM_MAX_CONCURRENT: "10000"                           # Max concurrent executions globally
+    IVM_MAX_PER_WORKER: "2500"                            # Max concurrent executions per worker
+    IVM_WORKER_IDLE_TIMEOUT_MS: "60000"                   # Worker idle cleanup timeout (ms)
+    IVM_QUEUE_TIMEOUT_MS: "300000"                        # Max queue wait before rejection (ms)
+    IVM_MAX_QUEUE_SIZE: "10000"                           # Max queued executions globally
+    IVM_MAX_ACTIVE_PER_OWNER: "200"                       # Max concurrent executions per user
+    IVM_MAX_QUEUED_PER_OWNER: "2000"                      # Max queued executions per user
+    IVM_MAX_OWNER_WEIGHT: "5"                             # Max scheduling weight per user
+    IVM_DISTRIBUTED_MAX_INFLIGHT_PER_OWNER: "2200"        # Max in-flight per user across instances (Redis)
+    IVM_DISTRIBUTED_LEASE_MIN_TTL_MS: "120000"            # Min distributed lease TTL (ms)
+    IVM_MAX_FETCH_RESPONSE_BYTES: "8388608"               # Max fetch response size (8MB)
+    IVM_MAX_FETCH_RESPONSE_CHARS: "4000000"               # Max fetch response chars
+    IVM_MAX_FETCH_URL_LENGTH: "8192"                      # Max fetch URL length
+    IVM_MAX_FETCH_OPTIONS_JSON_CHARS: "262144"            # Max fetch options payload (256KB)
+    IVM_MAX_STDOUT_CHARS: "200000"                        # Max stdout capture per execution
+
     # UI Branding & Whitelabeling Configuration
     NEXT_PUBLIC_BRAND_NAME: "Sim"                         # Custom brand name
     NEXT_PUBLIC_BRAND_LOGO_URL: ""                        # Custom logo URL (leave empty for default)