Fix greptile

.devcontainer/Dockerfile

@@ -1,4 +1,4 @@
-FROM oven/bun:1.3.9-alpine
+FROM oven/bun:1.3.3-alpine
 
 # Install necessary packages for development
 RUN apk add --no-cache \

.github/workflows/docs-embeddings.yml

@@ -20,7 +20,7 @@ jobs:
       - name: Setup Bun
         uses: oven-sh/setup-bun@v2
         with:
-          bun-version: 1.3.9
+          bun-version: 1.3.3
 
       - name: Setup Node
         uses: actions/setup-node@v4

.github/workflows/i18n.yml

@@ -26,7 +26,7 @@ jobs:
       - name: Setup Bun
         uses: oven-sh/setup-bun@v2
         with:
-          bun-version: 1.3.9
+          bun-version: 1.3.3
 
       - name: Cache Bun dependencies
         uses: actions/cache@v4
@@ -125,7 +125,7 @@ jobs:
       - name: Setup Bun
         uses: oven-sh/setup-bun@v2
         with:
-          bun-version: 1.3.9
+          bun-version: 1.3.3
 
       - name: Cache Bun dependencies
         uses: actions/cache@v4

.github/workflows/migrations.yml

@@ -19,7 +19,7 @@ jobs:
       - name: Setup Bun
         uses: oven-sh/setup-bun@v2
         with:
-          bun-version: 1.3.9
+          bun-version: 1.3.3
 
       - name: Cache Bun dependencies
         uses: actions/cache@v4

.github/workflows/publish-cli.yml

@@ -19,7 +19,7 @@ jobs:
       - name: Setup Bun
         uses: oven-sh/setup-bun@v2
         with:
-          bun-version: 1.3.9
+          bun-version: 1.3.3
 
       - name: Setup Node.js for npm publishing
         uses: actions/setup-node@v4

.github/workflows/publish-ts-sdk.yml

@@ -19,7 +19,7 @@ jobs:
       - name: Setup Bun
         uses: oven-sh/setup-bun@v2
         with:
-          bun-version: 1.3.9
+          bun-version: 1.3.3
 
       - name: Setup Node.js for npm publishing
         uses: actions/setup-node@v4

.github/workflows/test-build.yml

@@ -19,7 +19,7 @@ jobs:
       - name: Setup Bun
         uses: oven-sh/setup-bun@v2
         with:
-          bun-version: 1.3.9
+          bun-version: 1.3.3
 
       - name: Setup Node
         uses: actions/setup-node@v4

apps/docs/content/docs/en/tools/jira.mdx

@@ -44,7 +44,6 @@ Retrieve detailed information about a specific Jira issue
 | --------- | ---- | -------- | ----------- |
 | `domain` | string | Yes | Your Jira domain \(e.g., yourcompany.atlassian.net\) |
 | `issueKey` | string | Yes | Jira issue key to retrieve \(e.g., PROJ-123\) |
-| `includeAttachments` | boolean | No | Download attachment file contents and include them as files in the output |
 | `cloudId` | string | No | Jira Cloud ID for the instance. If not provided, it will be fetched using the domain. |
 
 #### Output
@@ -66,7 +65,6 @@ Retrieve detailed information about a specific Jira issue
 |     ↳ `key` | string | Status category key \(e.g., new, indeterminate, done\) |
 |     ↳ `name` | string | Status category name \(e.g., To Do, In Progress, Done\) |
 |     ↳ `colorName` | string | Status category color \(e.g., blue-gray, yellow, green\) |
-| `statusName` | string | Issue status name \(e.g., Open, In Progress, Done\) |
 | `issuetype` | object | Issue type |
 |   ↳ `id` | string | Issue type ID |
 |   ↳ `name` | string | Issue type name \(e.g., Task, Bug, Story, Epic\) |
@@ -90,7 +88,6 @@ Retrieve detailed information about a specific Jira issue
 |   ↳ `accountType` | string | Type of account \(e.g., atlassian, app, customer\) |
 |   ↳ `avatarUrl` | string | URL to the user avatar \(48x48\) |
 |   ↳ `timeZone` | string | User timezone |
-| `assigneeName` | string | Assignee display name or account ID |
 | `reporter` | object | Reporter user |
 |   ↳ `accountId` | string | Atlassian account ID of the user |
 |   ↳ `displayName` | string | Display name of the user |
@@ -176,7 +173,6 @@ Retrieve detailed information about a specific Jira issue
 |     ↳ `accountType` | string | Type of account \(e.g., atlassian, app, customer\) |
 |     ↳ `avatarUrl` | string | URL to the user avatar \(48x48\) |
 |     ↳ `timeZone` | string | User timezone |
-|   ↳ `authorName` | string | Comment author display name |
 |   ↳ `updateAuthor` | object | User who last updated the comment |
 |     ↳ `accountId` | string | Atlassian account ID of the user |
 |     ↳ `displayName` | string | Display name of the user |
@@ -200,7 +196,6 @@ Retrieve detailed information about a specific Jira issue
 |     ↳ `accountType` | string | Type of account \(e.g., atlassian, app, customer\) |
 |     ↳ `avatarUrl` | string | URL to the user avatar \(48x48\) |
 |     ↳ `timeZone` | string | User timezone |
-|   ↳ `authorName` | string | Worklog author display name |
 |   ↳ `updateAuthor` | object | User who last updated the worklog |
 |     ↳ `accountId` | string | Atlassian account ID of the user |
 |     ↳ `displayName` | string | Display name of the user |
@@ -230,11 +225,9 @@ Retrieve detailed information about a specific Jira issue
 |     ↳ `accountType` | string | Type of account \(e.g., atlassian, app, customer\) |
 |     ↳ `avatarUrl` | string | URL to the user avatar \(48x48\) |
 |     ↳ `timeZone` | string | User timezone |
-|   ↳ `authorName` | string | Attachment author display name |
 |   ↳ `created` | string | ISO 8601 timestamp when the attachment was created |
 | `issueKey` | string | Issue key \(e.g., PROJ-123\) |
 | `issue` | json | Complete raw Jira issue object from the API |
-| `files` | file[] | Downloaded attachment files \(only when includeAttachments is true\) |
 
 ### `jira_update`
 
@@ -265,7 +258,6 @@ Update a Jira issue
 | Parameter | Type | Description |
 | --------- | ---- | ----------- |
 | `ts` | string | ISO 8601 timestamp of the operation |
-| `success` | boolean | Operation success status |
 | `issueKey` | string | Updated issue key \(e.g., PROJ-123\) |
 | `summary` | string | Issue summary after update |
 
@@ -304,7 +296,6 @@ Create a new Jira issue
 | `issueKey` | string | Created issue key \(e.g., PROJ-123\) |
 | `self` | string | REST API URL for the created issue |
 | `summary` | string | Issue summary |
-| `success` | boolean | Whether the issue was created successfully |
 | `url` | string | URL to the created issue in Jira |
 | `assigneeId` | string | Account ID of the assigned user \(null if no assignee was set\) |
 
@@ -367,7 +358,6 @@ Delete a Jira issue
 | Parameter | Type | Description |
 | --------- | ---- | ----------- |
 | `ts` | string | ISO 8601 timestamp of the operation |
-| `success` | boolean | Operation success status |
 | `issueKey` | string | Deleted issue key |
 
 ### `jira_assign_issue`
@@ -388,7 +378,6 @@ Assign a Jira issue to a user
 | Parameter | Type | Description |
 | --------- | ---- | ----------- |
 | `ts` | string | ISO 8601 timestamp of the operation |
-| `success` | boolean | Operation success status |
 | `issueKey` | string | Issue key that was assigned |
 | `assigneeId` | string | Account ID of the assignee \(use "-1" for auto-assign, null to unassign\) |
 
@@ -412,7 +401,6 @@ Move a Jira issue between workflow statuses (e.g., To Do -> In Progress)
 | Parameter | Type | Description |
 | --------- | ---- | ----------- |
 | `ts` | string | ISO 8601 timestamp of the operation |
-| `success` | boolean | Operation success status |
 | `issueKey` | string | Issue key that was transitioned |
 | `transitionId` | string | Applied transition ID |
 | `transitionName` | string | Applied transition name |
@@ -455,7 +443,6 @@ Search for Jira issues using JQL (Jira Query Language)
 |       ↳ `key` | string | Status category key \(e.g., new, indeterminate, done\) |
 |       ↳ `name` | string | Status category name \(e.g., To Do, In Progress, Done\) |
 |       ↳ `colorName` | string | Status category color \(e.g., blue-gray, yellow, green\) |
-|   ↳ `statusName` | string | Issue status name \(e.g., Open, In Progress, Done\) |
 |   ↳ `issuetype` | object | Issue type |
 |     ↳ `id` | string | Issue type ID |
 |     ↳ `name` | string | Issue type name \(e.g., Task, Bug, Story, Epic\) |
@@ -479,7 +466,6 @@ Search for Jira issues using JQL (Jira Query Language)
 |     ↳ `accountType` | string | Type of account \(e.g., atlassian, app, customer\) |
 |     ↳ `avatarUrl` | string | URL to the user avatar \(48x48\) |
 |     ↳ `timeZone` | string | User timezone |
-|   ↳ `assigneeName` | string | Assignee display name or account ID |
 |   ↳ `reporter` | object | Reporter user |
 |     ↳ `accountId` | string | Atlassian account ID of the user |
 |     ↳ `displayName` | string | Display name of the user |
@@ -523,7 +509,6 @@ Add a comment to a Jira issue
 | Parameter | Type | Description |
 | --------- | ---- | ----------- |
 | `ts` | string | ISO 8601 timestamp of the operation |
-| `success` | boolean | Operation success status |
 | `issueKey` | string | Issue key the comment was added to |
 | `commentId` | string | Created comment ID |
 | `body` | string | Comment text content |
@@ -573,7 +558,6 @@ Get all comments from a Jira issue
 |     ↳ `accountType` | string | Type of account \(e.g., atlassian, app, customer\) |
 |     ↳ `avatarUrl` | string | URL to the user avatar \(48x48\) |
 |     ↳ `timeZone` | string | User timezone |
-|   ↳ `authorName` | string | Comment author display name |
 |   ↳ `updateAuthor` | object | User who last updated the comment |
 |     ↳ `accountId` | string | Atlassian account ID of the user |
 |     ↳ `displayName` | string | Display name of the user |
@@ -608,7 +592,6 @@ Update an existing comment on a Jira issue
 | Parameter | Type | Description |
 | --------- | ---- | ----------- |
 | `ts` | string | ISO 8601 timestamp of the operation |
-| `success` | boolean | Operation success status |
 | `issueKey` | string | Issue key |
 | `commentId` | string | Updated comment ID |
 | `body` | string | Updated comment text |
@@ -641,7 +624,6 @@ Delete a comment from a Jira issue
 | Parameter | Type | Description |
 | --------- | ---- | ----------- |
 | `ts` | string | ISO 8601 timestamp of the operation |
-| `success` | boolean | Operation success status |
 | `issueKey` | string | Issue key |
 | `commentId` | string | Deleted comment ID |
 
@@ -655,7 +637,6 @@ Get all attachments from a Jira issue
 | --------- | ---- | -------- | ----------- |
 | `domain` | string | Yes | Your Jira domain \(e.g., yourcompany.atlassian.net\) |
 | `issueKey` | string | Yes | Jira issue key to get attachments from \(e.g., PROJ-123\) |
-| `includeAttachments` | boolean | No | Download attachment file contents and include them as files in the output |
 | `cloudId` | string | No | Jira Cloud ID for the instance. If not provided, it will be fetched using the domain. |
 
 #### Output
@@ -679,9 +660,7 @@ Get all attachments from a Jira issue
 |     ↳ `accountType` | string | Type of account \(e.g., atlassian, app, customer\) |
 |     ↳ `avatarUrl` | string | URL to the user avatar \(48x48\) |
 |     ↳ `timeZone` | string | User timezone |
-|   ↳ `authorName` | string | Attachment author display name |
 |   ↳ `created` | string | ISO 8601 timestamp when the attachment was created |
-| `files` | file[] | Downloaded attachment files \(only when includeAttachments is true\) |
 
 ### `jira_add_attachment`
 
@@ -709,7 +688,10 @@ Add attachments to a Jira issue
 |   ↳ `size` | number | File size in bytes |
 |   ↳ `content` | string | URL to download the attachment |
 | `attachmentIds` | array | Array of attachment IDs |
-| `files` | file[] | Uploaded attachment files |
+| `files` | array | Uploaded file metadata |
+|   ↳ `name` | string | File name |
+|   ↳ `mimeType` | string | MIME type |
+|   ↳ `size` | number | File size in bytes |
 
 ### `jira_delete_attachment`
 
@@ -728,7 +710,6 @@ Delete an attachment from a Jira issue
 | Parameter | Type | Description |
 | --------- | ---- | ----------- |
 | `ts` | string | ISO 8601 timestamp of the operation |
-| `success` | boolean | Operation success status |
 | `attachmentId` | string | Deleted attachment ID |
 
 ### `jira_add_worklog`
@@ -752,7 +733,6 @@ Add a time tracking worklog entry to a Jira issue
 | Parameter | Type | Description |
 | --------- | ---- | ----------- |
 | `ts` | string | ISO 8601 timestamp of the operation |
-| `success` | boolean | Operation success status |
 | `issueKey` | string | Issue key the worklog was added to |
 | `worklogId` | string | Created worklog ID |
 | `timeSpent` | string | Time spent in human-readable format \(e.g., 3h 20m\) |
@@ -801,7 +781,6 @@ Get all worklog entries from a Jira issue
 |     ↳ `accountType` | string | Type of account \(e.g., atlassian, app, customer\) |
 |     ↳ `avatarUrl` | string | URL to the user avatar \(48x48\) |
 |     ↳ `timeZone` | string | User timezone |
-|   ↳ `authorName` | string | Worklog author display name |
 |   ↳ `updateAuthor` | object | User who last updated the worklog |
 |     ↳ `accountId` | string | Atlassian account ID of the user |
 |     ↳ `displayName` | string | Display name of the user |
@@ -839,7 +818,6 @@ Update an existing worklog entry on a Jira issue
 | Parameter | Type | Description |
 | --------- | ---- | ----------- |
 | `ts` | string | ISO 8601 timestamp of the operation |
-| `success` | boolean | Operation success status |
 | `issueKey` | string | Issue key |
 | `worklogId` | string | Updated worklog ID |
 | `timeSpent` | string | Human-readable time spent \(e.g., "3h 20m"\) |
@@ -883,7 +861,6 @@ Delete a worklog entry from a Jira issue
 | Parameter | Type | Description |
 | --------- | ---- | ----------- |
 | `ts` | string | ISO 8601 timestamp of the operation |
-| `success` | boolean | Operation success status |
 | `issueKey` | string | Issue key |
 | `worklogId` | string | Deleted worklog ID |
 
@@ -907,7 +884,6 @@ Create a link relationship between two Jira issues
 | Parameter | Type | Description |
 | --------- | ---- | ----------- |
 | `ts` | string | ISO 8601 timestamp of the operation |
-| `success` | boolean | Operation success status |
 | `inwardIssue` | string | Inward issue key |
 | `outwardIssue` | string | Outward issue key |
 | `linkType` | string | Type of issue link |
@@ -930,7 +906,6 @@ Delete a link between two Jira issues
 | Parameter | Type | Description |
 | --------- | ---- | ----------- |
 | `ts` | string | ISO 8601 timestamp of the operation |
-| `success` | boolean | Operation success status |
 | `linkId` | string | Deleted link ID |
 
 ### `jira_add_watcher`
@@ -951,7 +926,6 @@ Add a watcher to a Jira issue to receive notifications about updates
 | Parameter | Type | Description |
 | --------- | ---- | ----------- |
 | `ts` | string | ISO 8601 timestamp of the operation |
-| `success` | boolean | Operation success status |
 | `issueKey` | string | Issue key |
 | `watcherAccountId` | string | Added watcher account ID |
 
@@ -973,7 +947,6 @@ Remove a watcher from a Jira issue
 | Parameter | Type | Description |
 | --------- | ---- | ----------- |
 | `ts` | string | ISO 8601 timestamp of the operation |
-| `success` | boolean | Operation success status |
 | `issueKey` | string | Issue key |
 | `watcherAccountId` | string | Removed watcher account ID |
 
@@ -1004,8 +977,6 @@ Get Jira users. If an account ID is provided, returns a single user. Otherwise,
 |   ↳ `accountType` | string | Type of account \(e.g., atlassian, app, customer\) |
 |   ↳ `avatarUrl` | string | URL to the user avatar \(48x48\) |
 |   ↳ `timeZone` | string | User timezone |
-|   ↳ `avatarUrls` | json | User avatar URLs in multiple sizes \(16x16, 24x24, 32x32, 48x48\) |
-|   ↳ `self` | string | REST API URL for this user |
 | `total` | number | Total number of users returned |
 | `startAt` | number | Pagination start index |
 | `maxResults` | number | Maximum results per page |

apps/sim/app/api/a2a/agents/[agentId]/route.ts

@@ -41,12 +41,7 @@ export async function GET(request: NextRequest, { params }: { params: Promise<Ro
 
     if (!agent.agent.isPublished) {
       const auth = await checkSessionOrInternalAuth(request, { requireWorkflowId: false })
-      if (!auth.success || !auth.userId) {
-        return NextResponse.json({ error: 'Agent not published' }, { status: 404 })
-      }
-
-      const workspaceAccess = await checkWorkspaceAccess(agent.agent.workspaceId, auth.userId)
-      if (!workspaceAccess.exists || !workspaceAccess.hasAccess) {
+      if (!auth.success) {
         return NextResponse.json({ error: 'Agent not published' }, { status: 404 })
       }
     }

apps/sim/app/api/a2a/agents/route.ts

@@ -16,7 +16,7 @@ import { sanitizeAgentName } from '@/lib/a2a/utils'
 import { checkSessionOrInternalAuth } from '@/lib/auth/hybrid'
 import { loadWorkflowFromNormalizedTables } from '@/lib/workflows/persistence/utils'
 import { hasValidStartBlockInState } from '@/lib/workflows/triggers/trigger-utils'
-import { checkWorkspaceAccess } from '@/lib/workspaces/permissions/utils'
+import { getWorkspaceById } from '@/lib/workspaces/permissions/utils'
 
 const logger = createLogger('A2AAgentsAPI')
 
@@ -39,13 +39,10 @@ export async function GET(request: NextRequest) {
       return NextResponse.json({ error: 'workspaceId is required' }, { status: 400 })
     }
 
-    const workspaceAccess = await checkWorkspaceAccess(workspaceId, auth.userId)
-    if (!workspaceAccess.exists) {
+    const ws = await getWorkspaceById(workspaceId)
+    if (!ws) {
       return NextResponse.json({ error: 'Workspace not found' }, { status: 404 })
     }
-    if (!workspaceAccess.hasAccess) {
-      return NextResponse.json({ error: 'Forbidden' }, { status: 403 })
-    }
 
     const agents = await db
       .select({
@@ -106,14 +103,6 @@ export async function POST(request: NextRequest) {
       )
     }
 
-    const workspaceAccess = await checkWorkspaceAccess(workspaceId, auth.userId)
-    if (!workspaceAccess.exists) {
-      return NextResponse.json({ error: 'Workspace not found' }, { status: 404 })
-    }
-    if (!workspaceAccess.canWrite) {
-      return NextResponse.json({ error: 'Forbidden' }, { status: 403 })
-    }
-
     const [wf] = await db
       .select({
         id: workflow.id,

apps/sim/app/api/a2a/serve/[agentId]/route.ts

@@ -13,14 +13,12 @@ import {
   isTerminalState,
   parseWorkflowSSEChunk,
 } from '@/lib/a2a/utils'
-import { type AuthResult, checkHybridAuth } from '@/lib/auth/hybrid'
+import { checkHybridAuth } from '@/lib/auth/hybrid'
 import { acquireLock, getRedisClient, releaseLock } from '@/lib/core/config/redis'
 import { validateUrlWithDNS } from '@/lib/core/security/input-validation.server'
 import { SSE_HEADERS } from '@/lib/core/utils/sse'
 import { getBaseUrl } from '@/lib/core/utils/urls'
 import { markExecutionCancelled } from '@/lib/execution/cancellation'
-import { checkWorkspaceAccess } from '@/lib/workspaces/permissions/utils'
-import { getWorkspaceBilledAccountUserId } from '@/lib/workspaces/utils'
 import {
   A2A_ERROR_CODES,
   A2A_METHODS,
@@ -193,9 +191,6 @@ export async function POST(request: NextRequest, { params }: { params: Promise<R
 
     const authSchemes = (agent.authentication as { schemes?: string[] })?.schemes || []
     const requiresAuth = !authSchemes.includes('none')
-    let authenticatedUserId: string | null = null
-    let authenticatedAuthType: AuthResult['authType']
-    let authenticatedApiKeyType: AuthResult['apiKeyType']
 
     if (requiresAuth) {
       const auth = await checkHybridAuth(request, { requireWorkflowId: false })
@@ -205,17 +200,6 @@ export async function POST(request: NextRequest, { params }: { params: Promise<R
           { status: 401 }
         )
       }
-      authenticatedUserId = auth.userId
-      authenticatedAuthType = auth.authType
-      authenticatedApiKeyType = auth.apiKeyType
-
-      const workspaceAccess = await checkWorkspaceAccess(agent.workspaceId, authenticatedUserId)
-      if (!workspaceAccess.exists || !workspaceAccess.hasAccess) {
-        return NextResponse.json(
-          createError(null, A2A_ERROR_CODES.AUTHENTICATION_REQUIRED, 'Access denied'),
-          { status: 403 }
-        )
-      }
     }
 
     const [wf] = await db
@@ -241,61 +225,34 @@ export async function POST(request: NextRequest, { params }: { params: Promise<R
     }
 
     const { id, method, params: rpcParams } = body
-    const requestApiKey = request.headers.get('X-API-Key')
-    const apiKey = authenticatedAuthType === 'api_key' ? requestApiKey : null
-    const isPersonalApiKeyCaller =
-      authenticatedAuthType === 'api_key' && authenticatedApiKeyType === 'personal'
-    const billedUserId = await getWorkspaceBilledAccountUserId(agent.workspaceId)
-    if (!billedUserId) {
-      logger.error('Unable to resolve workspace billed account for A2A execution', {
-        agentId: agent.id,
-        workspaceId: agent.workspaceId,
-      })
-      return NextResponse.json(
-        createError(
-          id,
-          A2A_ERROR_CODES.INTERNAL_ERROR,
-          'Unable to resolve billing account for this workspace'
-        ),
-        { status: 500 }
-      )
-    }
-    const executionUserId =
-      isPersonalApiKeyCaller && authenticatedUserId ? authenticatedUserId : billedUserId
+    const apiKey = request.headers.get('X-API-Key')
 
     logger.info(`A2A request: ${method} for agent ${agentId}`)
 
     switch (method) {
       case A2A_METHODS.MESSAGE_SEND:
-        return handleMessageSend(id, agent, rpcParams as MessageSendParams, apiKey, executionUserId)
+        return handleMessageSend(id, agent, rpcParams as MessageSendParams, apiKey)
 
       case A2A_METHODS.MESSAGE_STREAM:
-        return handleMessageStream(
-          request,
-          id,
-          agent,
-          rpcParams as MessageSendParams,
-          apiKey,
-          executionUserId
-        )
+        return handleMessageStream(request, id, agent, rpcParams as MessageSendParams, apiKey)
 
       case A2A_METHODS.TASKS_GET:
-        return handleTaskGet(id, agent.id, rpcParams as TaskIdParams)
+        return handleTaskGet(id, rpcParams as TaskIdParams)
 
       case A2A_METHODS.TASKS_CANCEL:
-        return handleTaskCancel(id, agent.id, rpcParams as TaskIdParams)
+        return handleTaskCancel(id, rpcParams as TaskIdParams)
 
       case A2A_METHODS.TASKS_RESUBSCRIBE:
-        return handleTaskResubscribe(request, id, agent.id, rpcParams as TaskIdParams)
+        return handleTaskResubscribe(request, id, rpcParams as TaskIdParams)
 
       case A2A_METHODS.PUSH_NOTIFICATION_SET:
-        return handlePushNotificationSet(id, agent.id, rpcParams as PushNotificationSetParams)
+        return handlePushNotificationSet(id, rpcParams as PushNotificationSetParams)
 
       case A2A_METHODS.PUSH_NOTIFICATION_GET:
-        return handlePushNotificationGet(id, agent.id, rpcParams as TaskIdParams)
+        return handlePushNotificationGet(id, rpcParams as TaskIdParams)
 
       case A2A_METHODS.PUSH_NOTIFICATION_DELETE:
-        return handlePushNotificationDelete(id, agent.id, rpcParams as TaskIdParams)
+        return handlePushNotificationDelete(id, rpcParams as TaskIdParams)
 
       default:
         return NextResponse.json(
@@ -311,14 +268,6 @@ export async function POST(request: NextRequest, { params }: { params: Promise<R
   }
 }
 
-async function getTaskForAgent(taskId: string, agentId: string) {
-  const [task] = await db.select().from(a2aTask).where(eq(a2aTask.id, taskId)).limit(1)
-  if (!task || task.agentId !== agentId) {
-    return null
-  }
-  return task
-}
-
 /**
  * Handle message/send - Send a message (v0.3)
  */
@@ -331,8 +280,7 @@ async function handleMessageSend(
     workspaceId: string
   },
   params: MessageSendParams,
-  apiKey?: string | null,
-  executionUserId?: string
+  apiKey?: string | null
 ): Promise<NextResponse> {
   if (!params?.message) {
     return NextResponse.json(
@@ -370,13 +318,6 @@ async function handleMessageSend(
         )
       }
 
-      if (existingTask.agentId !== agent.id) {
-        return NextResponse.json(
-          createError(id, A2A_ERROR_CODES.TASK_NOT_FOUND, 'Task not found'),
-          { status: 404 }
-        )
-      }
-
       if (isTerminalState(existingTask.status as TaskState)) {
         return NextResponse.json(
           createError(id, A2A_ERROR_CODES.TASK_ALREADY_COMPLETE, 'Task already in terminal state'),
@@ -422,7 +363,6 @@ async function handleMessageSend(
     } = await buildExecuteRequest({
       workflowId: agent.workflowId,
       apiKey,
-      userId: executionUserId,
     })
 
     logger.info(`Executing workflow ${agent.workflowId} for A2A task ${taskId}`)
@@ -535,8 +475,7 @@ async function handleMessageStream(
     workspaceId: string
   },
   params: MessageSendParams,
-  apiKey?: string | null,
-  executionUserId?: string
+  apiKey?: string | null
 ): Promise<NextResponse> {
   if (!params?.message) {
     return NextResponse.json(
@@ -583,13 +522,6 @@ async function handleMessageStream(
       })
     }
 
-    if (existingTask.agentId !== agent.id) {
-      await releaseLock(lockKey, lockValue)
-      return NextResponse.json(createError(id, A2A_ERROR_CODES.TASK_NOT_FOUND, 'Task not found'), {
-        status: 404,
-      })
-    }
-
     if (isTerminalState(existingTask.status as TaskState)) {
       await releaseLock(lockKey, lockValue)
       return NextResponse.json(
@@ -663,7 +595,6 @@ async function handleMessageStream(
         } = await buildExecuteRequest({
           workflowId: agent.workflowId,
           apiKey,
-          userId: executionUserId,
           stream: true,
         })
 
@@ -857,11 +788,7 @@ async function handleMessageStream(
 /**
  * Handle tasks/get - Query task status
  */
-async function handleTaskGet(
-  id: string | number,
-  agentId: string,
-  params: TaskIdParams
-): Promise<NextResponse> {
+async function handleTaskGet(id: string | number, params: TaskIdParams): Promise<NextResponse> {
   if (!params?.id) {
     return NextResponse.json(
       createError(id, A2A_ERROR_CODES.INVALID_PARAMS, 'Task ID is required'),
@@ -874,7 +801,7 @@ async function handleTaskGet(
       ? params.historyLength
       : undefined
 
-  const task = await getTaskForAgent(params.id, agentId)
+  const [task] = await db.select().from(a2aTask).where(eq(a2aTask.id, params.id)).limit(1)
 
   if (!task) {
     return NextResponse.json(createError(id, A2A_ERROR_CODES.TASK_NOT_FOUND, 'Task not found'), {
@@ -898,11 +825,7 @@ async function handleTaskGet(
 /**
  * Handle tasks/cancel - Cancel a running task
  */
-async function handleTaskCancel(
-  id: string | number,
-  agentId: string,
-  params: TaskIdParams
-): Promise<NextResponse> {
+async function handleTaskCancel(id: string | number, params: TaskIdParams): Promise<NextResponse> {
   if (!params?.id) {
     return NextResponse.json(
       createError(id, A2A_ERROR_CODES.INVALID_PARAMS, 'Task ID is required'),
@@ -910,7 +833,7 @@ async function handleTaskCancel(
     )
   }
 
-  const task = await getTaskForAgent(params.id, agentId)
+  const [task] = await db.select().from(a2aTask).where(eq(a2aTask.id, params.id)).limit(1)
 
   if (!task) {
     return NextResponse.json(createError(id, A2A_ERROR_CODES.TASK_NOT_FOUND, 'Task not found'), {
@@ -974,7 +897,6 @@ async function handleTaskCancel(
 async function handleTaskResubscribe(
   request: NextRequest,
   id: string | number,
-  agentId: string,
   params: TaskIdParams
 ): Promise<NextResponse> {
   if (!params?.id) {
@@ -984,7 +906,7 @@ async function handleTaskResubscribe(
     )
   }
 
-  const task = await getTaskForAgent(params.id, agentId)
+  const [task] = await db.select().from(a2aTask).where(eq(a2aTask.id, params.id)).limit(1)
 
   if (!task) {
     return NextResponse.json(createError(id, A2A_ERROR_CODES.TASK_NOT_FOUND, 'Task not found'), {
@@ -1181,7 +1103,6 @@ async function handleTaskResubscribe(
  */
 async function handlePushNotificationSet(
   id: string | number,
-  agentId: string,
   params: PushNotificationSetParams
 ): Promise<NextResponse> {
   if (!params?.id) {
@@ -1209,7 +1130,7 @@ async function handlePushNotificationSet(
     )
   }
 
-  const task = await getTaskForAgent(params.id, agentId)
+  const [task] = await db.select().from(a2aTask).where(eq(a2aTask.id, params.id)).limit(1)
 
   if (!task) {
     return NextResponse.json(createError(id, A2A_ERROR_CODES.TASK_NOT_FOUND, 'Task not found'), {
@@ -1260,7 +1181,6 @@ async function handlePushNotificationSet(
  */
 async function handlePushNotificationGet(
   id: string | number,
-  agentId: string,
   params: TaskIdParams
 ): Promise<NextResponse> {
   if (!params?.id) {
@@ -1270,7 +1190,7 @@ async function handlePushNotificationGet(
     )
   }
 
-  const task = await getTaskForAgent(params.id, agentId)
+  const [task] = await db.select().from(a2aTask).where(eq(a2aTask.id, params.id)).limit(1)
 
   if (!task) {
     return NextResponse.json(createError(id, A2A_ERROR_CODES.TASK_NOT_FOUND, 'Task not found'), {
@@ -1304,7 +1224,6 @@ async function handlePushNotificationGet(
  */
 async function handlePushNotificationDelete(
   id: string | number,
-  agentId: string,
   params: TaskIdParams
 ): Promise<NextResponse> {
   if (!params?.id) {
@@ -1314,7 +1233,7 @@ async function handlePushNotificationDelete(
     )
   }
 
-  const task = await getTaskForAgent(params.id, agentId)
+  const [task] = await db.select().from(a2aTask).where(eq(a2aTask.id, params.id)).limit(1)
 
   if (!task) {
     return NextResponse.json(createError(id, A2A_ERROR_CODES.TASK_NOT_FOUND, 'Task not found'), {

apps/sim/app/api/a2a/serve/[agentId]/utils.ts

@@ -105,7 +105,6 @@ export function formatTaskResponse(task: Task, historyLength?: number): Task {
 export interface ExecuteRequestConfig {
   workflowId: string
   apiKey?: string | null
-  userId?: string
   stream?: boolean
 }
 
@@ -125,7 +124,7 @@ export async function buildExecuteRequest(
   if (config.apiKey) {
     headers['X-API-Key'] = config.apiKey
   } else {
-    const internalToken = await generateInternalToken(config.userId)
+    const internalToken = await generateInternalToken()
     headers.Authorization = `Bearer ${internalToken}`
     useInternalAuth = true
   }

apps/sim/app/api/auth/oauth/credentials/route.ts

@@ -1,5 +1,5 @@
 import { db } from '@sim/db'
-import { account, user } from '@sim/db/schema'
+import { account, user, workflow } from '@sim/db/schema'
 import { createLogger } from '@sim/logger'
 import { and, eq } from 'drizzle-orm'
 import { jwtDecode } from 'jwt-decode'
@@ -8,7 +8,7 @@ import { z } from 'zod'
 import { checkSessionOrInternalAuth } from '@/lib/auth/hybrid'
 import { generateRequestId } from '@/lib/core/utils/request'
 import { evaluateScopeCoverage, type OAuthProvider, parseProvider } from '@/lib/oauth'
-import { authorizeWorkflowByWorkspacePermission } from '@/lib/workflows/utils'
+import { getUserEntityPermissions } from '@/lib/workspaces/permissions/utils'
 
 export const dynamic = 'force-dynamic'
 
@@ -80,7 +80,7 @@ export async function GET(request: NextRequest) {
 
     const { provider: providerParam, workflowId, credentialId } = parseResult.data
 
-    // Authenticate requester (supports session and internal JWT)
+    // Authenticate requester (supports session, API key, internal JWT)
     const authResult = await checkSessionOrInternalAuth(request)
     if (!authResult.success || !authResult.userId) {
       logger.warn(`[${requestId}] Unauthenticated credentials request rejected`)
@@ -88,24 +88,47 @@ export async function GET(request: NextRequest) {
     }
     const requesterUserId = authResult.userId
 
-    const effectiveUserId = requesterUserId
+    // Resolve effective user id: workflow owner if workflowId provided (with access check); else requester
+    let effectiveUserId: string
     if (workflowId) {
-      const workflowAuthorization = await authorizeWorkflowByWorkspacePermission({
-        workflowId,
-        userId: requesterUserId,
-        action: 'read',
-      })
-      if (!workflowAuthorization.allowed) {
-        logger.warn(`[${requestId}] Forbidden credentials request for workflow`, {
-          requesterUserId,
-          workflowId,
-          status: workflowAuthorization.status,
-        })
-        return NextResponse.json(
-          { error: workflowAuthorization.message || 'Forbidden' },
-          { status: workflowAuthorization.status }
-        )
+      // Load workflow owner and workspace for access control
+      const rows = await db
+        .select({ userId: workflow.userId, workspaceId: workflow.workspaceId })
+        .from(workflow)
+        .where(eq(workflow.id, workflowId))
+        .limit(1)
+
+      if (!rows.length) {
+        logger.warn(`[${requestId}] Workflow not found for credentials request`, { workflowId })
+        return NextResponse.json({ error: 'Workflow not found' }, { status: 404 })
       }
+
+      const wf = rows[0]
+
+      if (requesterUserId !== wf.userId) {
+        if (!wf.workspaceId) {
+          logger.warn(
+            `[${requestId}] Forbidden - workflow has no workspace and requester is not owner`,
+            {
+              requesterUserId,
+            }
+          )
+          return NextResponse.json({ error: 'Forbidden' }, { status: 403 })
+        }
+
+        const perm = await getUserEntityPermissions(requesterUserId, 'workspace', wf.workspaceId)
+        if (perm === null) {
+          logger.warn(`[${requestId}] Forbidden credentials request - no workspace access`, {
+            requesterUserId,
+            workspaceId: wf.workspaceId,
+          })
+          return NextResponse.json({ error: 'Forbidden' }, { status: 403 })
+        }
+      }
+
+      effectiveUserId = wf.userId
+    } else {
+      effectiveUserId = requesterUserId
     }
 
     // Parse the provider to get base provider and feature type (if provider is present)
@@ -113,16 +136,18 @@ export async function GET(request: NextRequest) {
 
     let accountsData
 
-    if (credentialId && workflowId) {
-      // When both workflowId and credentialId are provided, fetch by ID only.
-      // Workspace authorization above already proves access; the credential
-      // may belong to another workspace member (e.g. for display name resolution).
-      accountsData = await db.select().from(account).where(eq(account.id, credentialId))
-    } else if (credentialId) {
-      accountsData = await db
-        .select()
-        .from(account)
-        .where(and(eq(account.userId, effectiveUserId), eq(account.id, credentialId)))
+    if (credentialId) {
+      // Foreign-aware lookup for a specific credential by id
+      // If workflowId is provided and requester has access (checked above), allow fetching by id only
+      if (workflowId) {
+        accountsData = await db.select().from(account).where(eq(account.id, credentialId))
+      } else {
+        // Fallback: constrain to requester's own credentials when not in a workflow context
+        accountsData = await db
+          .select()
+          .from(account)
+          .where(and(eq(account.userId, effectiveUserId), eq(account.id, credentialId)))
+      }
     } else {
       // Fetch all credentials for provider and effective user
       accountsData = await db

apps/sim/app/api/auth/oauth/utils.test.ts

@@ -4,9 +4,16 @@
  * @vitest-environment node
  */
 
-import { loggerMock } from '@sim/testing'
+import { createSession, loggerMock } from '@sim/testing'
 import { afterEach, beforeEach, describe, expect, it, vi } from 'vitest'
 
+const mockSession = createSession({ userId: 'test-user-id' })
+const mockGetSession = vi.fn()
+
+vi.mock('@/lib/auth', () => ({
+  getSession: () => mockGetSession(),
+}))
+
 vi.mock('@sim/db', () => ({
   db: {
     select: vi.fn().mockReturnThis(),
@@ -30,6 +37,7 @@ import { db } from '@sim/db'
 import { refreshOAuthToken } from '@/lib/oauth'
 import {
   getCredential,
+  getUserId,
   refreshAccessTokenIfNeeded,
   refreshTokenIfNeeded,
 } from '@/app/api/auth/oauth/utils'
@@ -40,6 +48,7 @@ const mockRefreshOAuthToken = refreshOAuthToken as any
 describe('OAuth Utils', () => {
   beforeEach(() => {
     vi.clearAllMocks()
+    mockGetSession.mockResolvedValue(mockSession)
     mockDbTyped.limit.mockReturnValue([])
   })
 
@@ -47,6 +56,42 @@ describe('OAuth Utils', () => {
     vi.clearAllMocks()
   })
 
+  describe('getUserId', () => {
+    it('should get user ID from session when no workflowId is provided', async () => {
+      const userId = await getUserId('request-id')
+
+      expect(userId).toBe('test-user-id')
+    })
+
+    it('should get user ID from workflow when workflowId is provided', async () => {
+      mockDbTyped.limit.mockReturnValueOnce([{ userId: 'workflow-owner-id' }])
+
+      const userId = await getUserId('request-id', 'workflow-id')
+
+      expect(mockDbTyped.select).toHaveBeenCalled()
+      expect(mockDbTyped.from).toHaveBeenCalled()
+      expect(mockDbTyped.where).toHaveBeenCalled()
+      expect(mockDbTyped.limit).toHaveBeenCalledWith(1)
+      expect(userId).toBe('workflow-owner-id')
+    })
+
+    it('should return undefined if no session is found', async () => {
+      mockGetSession.mockResolvedValueOnce(null)
+
+      const userId = await getUserId('request-id')
+
+      expect(userId).toBeUndefined()
+    })
+
+    it('should return undefined if workflow is not found', async () => {
+      mockDbTyped.limit.mockReturnValueOnce([])
+
+      const userId = await getUserId('request-id', 'nonexistent-workflow-id')
+
+      expect(userId).toBeUndefined()
+    })
+  })
+
   describe('getCredential', () => {
     it('should return credential when found', async () => {
       const mockCredential = { id: 'credential-id', userId: 'test-user-id' }

apps/sim/app/api/auth/oauth/utils.ts

@@ -1,7 +1,8 @@
 import { db } from '@sim/db'
-import { account, credentialSetMember } from '@sim/db/schema'
+import { account, credentialSetMember, workflow } from '@sim/db/schema'
 import { createLogger } from '@sim/logger'
 import { and, desc, eq, inArray } from 'drizzle-orm'
+import { getSession } from '@/lib/auth'
 import { refreshOAuthToken } from '@/lib/oauth'
 import {
   getMicrosoftRefreshTokenExpiry,
@@ -48,6 +49,41 @@ export async function safeAccountInsert(
   }
 }
 
+/**
+ * Get the user ID based on either a session or a workflow ID
+ */
+export async function getUserId(
+  requestId: string,
+  workflowId?: string
+): Promise<string | undefined> {
+  // If workflowId is provided, this is a server-side request
+  if (workflowId) {
+    // Get the workflow to verify the user ID
+    const workflows = await db
+      .select({ userId: workflow.userId })
+      .from(workflow)
+      .where(eq(workflow.id, workflowId))
+      .limit(1)
+
+    if (!workflows.length) {
+      logger.warn(`[${requestId}] Workflow not found`)
+      return undefined
+    }
+
+    return workflows[0].userId
+  }
+  // This is a client-side request, use the session
+  const session = await getSession()
+
+  // Check if the user is authenticated
+  if (!session?.user?.id) {
+    logger.warn(`[${requestId}] Unauthenticated request rejected`)
+    return undefined
+  }
+
+  return session.user.id
+}
+
 /**
  * Get a credential by ID and verify it belongs to the user
  */

apps/sim/app/api/billing/portal/route.ts

@@ -4,7 +4,6 @@ import { createLogger } from '@sim/logger'
 import { and, eq, or } from 'drizzle-orm'
 import { type NextRequest, NextResponse } from 'next/server'
 import { getSession } from '@/lib/auth'
-import { isOrganizationOwnerOrAdmin } from '@/lib/billing/core/organization'
 import { requireStripeClient } from '@/lib/billing/stripe-client'
 import { getBaseUrl } from '@/lib/core/utils/urls'
 
@@ -33,11 +32,6 @@ export async function POST(request: NextRequest) {
         return NextResponse.json({ error: 'organizationId is required' }, { status: 400 })
       }
 
-      const hasPermission = await isOrganizationOwnerOrAdmin(session.user.id, organizationId)
-      if (!hasPermission) {
-        return NextResponse.json({ error: 'Permission denied' }, { status: 403 })
-      }
-
       const rows = await db
         .select({ customer: subscriptionTable.stripeCustomerId })
         .from(subscriptionTable)

apps/sim/app/api/chat/utils.test.ts

@@ -47,10 +47,6 @@ vi.mock('@/lib/core/config/feature-flags', () => ({
   isProd: false,
 }))
 
-vi.mock('@/lib/workflows/utils', () => ({
-  authorizeWorkflowByWorkspacePermission: vi.fn(),
-}))
-
 describe('Chat API Utils', () => {
   beforeEach(() => {
     vi.stubGlobal('process', {

apps/sim/app/api/chat/utils.ts

@@ -9,7 +9,7 @@ import {
   validateAuthToken,
 } from '@/lib/core/security/deployment'
 import { decryptSecret } from '@/lib/core/security/encryption'
-import { authorizeWorkflowByWorkspacePermission } from '@/lib/workflows/utils'
+import { hasAdminPermission } from '@/lib/workspaces/permissions/utils'
 
 const logger = createLogger('ChatAuthUtils')
 
@@ -24,23 +24,29 @@ export function setChatAuthCookie(
 
 /**
  * Check if user has permission to create a chat for a specific workflow
+ * Either the user owns the workflow directly OR has admin permission for the workflow's workspace
  */
 export async function checkWorkflowAccessForChatCreation(
   workflowId: string,
   userId: string
 ): Promise<{ hasAccess: boolean; workflow?: any }> {
-  const authorization = await authorizeWorkflowByWorkspacePermission({
-    workflowId,
-    userId,
-    action: 'admin',
-  })
+  const workflowData = await db.select().from(workflow).where(eq(workflow.id, workflowId)).limit(1)
 
-  if (!authorization.workflow) {
+  if (workflowData.length === 0) {
     return { hasAccess: false }
   }
 
-  if (authorization.allowed) {
-    return { hasAccess: true, workflow: authorization.workflow }
+  const workflowRecord = workflowData[0]
+
+  if (workflowRecord.userId === userId) {
+    return { hasAccess: true, workflow: workflowRecord }
+  }
+
+  if (workflowRecord.workspaceId) {
+    const hasAdmin = await hasAdminPermission(userId, workflowRecord.workspaceId)
+    if (hasAdmin) {
+      return { hasAccess: true, workflow: workflowRecord }
+    }
   }
 
   return { hasAccess: false }
@@ -48,6 +54,7 @@ export async function checkWorkflowAccessForChatCreation(
 
 /**
  * Check if user has access to view/edit/delete a specific chat
+ * Either the user owns the chat directly OR has admin permission for the workflow's workspace
  */
 export async function checkChatAccess(
   chatId: string,
@@ -68,17 +75,19 @@ export async function checkChatAccess(
   }
 
   const { chat: chatRecord, workflowWorkspaceId } = chatData[0]
-  if (!workflowWorkspaceId) {
-    return { hasAccess: false }
+
+  if (chatRecord.userId === userId) {
+    return { hasAccess: true, chat: chatRecord }
   }
 
-  const authorization = await authorizeWorkflowByWorkspacePermission({
-    workflowId: chatRecord.workflowId,
-    userId,
-    action: 'admin',
-  })
+  if (workflowWorkspaceId) {
+    const hasAdmin = await hasAdminPermission(userId, workflowWorkspaceId)
+    if (hasAdmin) {
+      return { hasAccess: true, chat: chatRecord }
+    }
+  }
 
-  return authorization.allowed ? { hasAccess: true, chat: chatRecord } : { hasAccess: false }
+  return { hasAccess: false }
 }
 
 export async function validateChatAuth(

apps/sim/app/api/copilot/checkpoints/revert/route.test.ts

@@ -25,13 +25,6 @@ describe('Copilot Checkpoints Revert API Route', () => {
       getEmailDomain: vi.fn(() => 'localhost:3000'),
     }))
 
-    vi.doMock('@/lib/workflows/utils', () => ({
-      authorizeWorkflowByWorkspacePermission: vi.fn().mockResolvedValue({
-        allowed: true,
-        status: 200,
-      }),
-    }))
-
     mockSelect.mockReturnValue({ from: mockFrom })
     mockFrom.mockReturnValue({ where: mockWhere })
     mockWhere.mockReturnValue({ then: mockThen })
@@ -219,12 +212,6 @@ describe('Copilot Checkpoints Revert API Route', () => {
         .mockResolvedValueOnce(mockCheckpoint) // Checkpoint found
         .mockResolvedValueOnce(mockWorkflow) // Workflow found but different user
 
-      const { authorizeWorkflowByWorkspacePermission } = await import('@/lib/workflows/utils')
-      vi.mocked(authorizeWorkflowByWorkspacePermission).mockResolvedValueOnce({
-        allowed: false,
-        status: 403,
-      })
-
       const req = createMockRequest('POST', {
         checkpointId: 'checkpoint-123',
       })

apps/sim/app/api/copilot/checkpoints/revert/route.ts

@@ -12,7 +12,6 @@ import {
   createUnauthorizedResponse,
 } from '@/lib/copilot/request-helpers'
 import { getBaseUrl } from '@/lib/core/utils/urls'
-import { authorizeWorkflowByWorkspacePermission } from '@/lib/workflows/utils'
 import { isUuidV4 } from '@/executor/constants'
 
 const logger = createLogger('CheckpointRevertAPI')
@@ -59,12 +58,7 @@ export async function POST(request: NextRequest) {
       return createNotFoundResponse('Workflow not found')
     }
 
-    const authorization = await authorizeWorkflowByWorkspacePermission({
-      workflowId: checkpoint.workflowId,
-      userId,
-      action: 'write',
-    })
-    if (!authorization.allowed) {
+    if (workflowData.userId !== userId) {
       return createUnauthorizedResponse()
     }
 

apps/sim/app/api/cron/renew-subscriptions/route.ts

@@ -1,5 +1,5 @@
 import { db } from '@sim/db'
-import { account, webhook as webhookTable } from '@sim/db/schema'
+import { webhook as webhookTable, workflow as workflowTable } from '@sim/db/schema'
 import { createLogger } from '@sim/logger'
 import { and, eq, or } from 'drizzle-orm'
 import { type NextRequest, NextResponse } from 'next/server'
@@ -8,16 +8,6 @@ import { refreshAccessTokenIfNeeded } from '@/app/api/auth/oauth/utils'
 
 const logger = createLogger('TeamsSubscriptionRenewal')
 
-async function getCredentialOwnerUserId(credentialId: string): Promise<string | null> {
-  const [credentialRecord] = await db
-    .select({ userId: account.userId })
-    .from(account)
-    .where(eq(account.id, credentialId))
-    .limit(1)
-
-  return credentialRecord?.userId ?? null
-}
-
 /**
  * Cron endpoint to renew Microsoft Teams chat subscriptions before they expire
  *
@@ -37,12 +27,14 @@ export async function GET(request: NextRequest) {
     let totalFailed = 0
     let totalChecked = 0
 
-    // Get all active Microsoft Teams webhooks
+    // Get all active Microsoft Teams webhooks with their workflows
     const webhooksWithWorkflows = await db
       .select({
         webhook: webhookTable,
+        workflow: workflowTable,
       })
       .from(webhookTable)
+      .innerJoin(workflowTable, eq(webhookTable.workflowId, workflowTable.id))
       .where(
         and(
           eq(webhookTable.isActive, true),
@@ -60,7 +52,7 @@ export async function GET(request: NextRequest) {
     // Renewal threshold: 48 hours before expiration
     const renewalThreshold = new Date(Date.now() + 48 * 60 * 60 * 1000)
 
-    for (const { webhook } of webhooksWithWorkflows) {
+    for (const { webhook, workflow } of webhooksWithWorkflows) {
       const config = (webhook.providerConfig as Record<string, any>) || {}
 
       // Check if this is a Teams chat subscription that needs renewal
@@ -88,17 +80,10 @@ export async function GET(request: NextRequest) {
           continue
         }
 
-        const credentialOwnerUserId = await getCredentialOwnerUserId(credentialId)
-        if (!credentialOwnerUserId) {
-          logger.error(`Credential owner not found for credential ${credentialId}`)
-          totalFailed++
-          continue
-        }
-
         // Get fresh access token
         const accessToken = await refreshAccessTokenIfNeeded(
           credentialId,
-          credentialOwnerUserId,
+          workflow.userId,
           `renewal-${webhook.id}`
         )
 

apps/sim/app/api/files/upload/route.test.ts

@@ -42,10 +42,6 @@ function setupFileApiMocks(
     verifyCopilotFileAccess: vi.fn().mockResolvedValue(true),
   }))
 
-  vi.doMock('@/lib/workspaces/permissions/utils', () => ({
-    getUserEntityPermissions: vi.fn().mockResolvedValue('admin'),
-  }))
-
   vi.doMock('@/lib/uploads/contexts/workspace', () => ({
     uploadWorkspaceFile: vi.fn().mockResolvedValue({
       id: 'test-file-id',

apps/sim/app/api/files/upload/route.ts

@@ -206,13 +206,6 @@ export async function POST(request: NextRequest) {
         if (!workspaceId) {
           throw new InvalidRequestError('Workspace context requires workspaceId parameter')
         }
-        const permission = await getUserEntityPermissions(session.user.id, 'workspace', workspaceId)
-        if (permission !== 'admin' && permission !== 'write') {
-          return NextResponse.json(
-            { error: 'Write or Admin access required for workspace uploads' },
-            { status: 403 }
-          )
-        }
 
         try {
           const { uploadWorkspaceFile } = await import('@/lib/uploads/contexts/workspace')

apps/sim/app/api/form/utils.test.ts

@@ -22,8 +22,8 @@ vi.mock('@/lib/core/config/feature-flags', () => ({
   isProd: false,
 }))
 
-vi.mock('@/lib/workflows/utils', () => ({
-  authorizeWorkflowByWorkspacePermission: vi.fn(),
+vi.mock('@/lib/workspaces/permissions/utils', () => ({
+  hasAdminPermission: vi.fn(),
 }))
 
 describe('Form API Utils', () => {

apps/sim/app/api/form/utils.ts

@@ -9,7 +9,7 @@ import {
   validateAuthToken,
 } from '@/lib/core/security/deployment'
 import { decryptSecret } from '@/lib/core/security/encryption'
-import { authorizeWorkflowByWorkspacePermission } from '@/lib/workflows/utils'
+import { hasAdminPermission } from '@/lib/workspaces/permissions/utils'
 
 const logger = createLogger('FormAuthUtils')
 
@@ -24,23 +24,29 @@ export function setFormAuthCookie(
 
 /**
  * Check if user has permission to create a form for a specific workflow
+ * Either the user owns the workflow directly OR has admin permission for the workflow's workspace
  */
 export async function checkWorkflowAccessForFormCreation(
   workflowId: string,
   userId: string
 ): Promise<{ hasAccess: boolean; workflow?: any }> {
-  const authorization = await authorizeWorkflowByWorkspacePermission({
-    workflowId,
-    userId,
-    action: 'admin',
-  })
+  const workflowData = await db.select().from(workflow).where(eq(workflow.id, workflowId)).limit(1)
 
-  if (!authorization.workflow) {
+  if (workflowData.length === 0) {
     return { hasAccess: false }
   }
 
-  if (authorization.allowed) {
-    return { hasAccess: true, workflow: authorization.workflow }
+  const workflowRecord = workflowData[0]
+
+  if (workflowRecord.userId === userId) {
+    return { hasAccess: true, workflow: workflowRecord }
+  }
+
+  if (workflowRecord.workspaceId) {
+    const hasAdmin = await hasAdminPermission(userId, workflowRecord.workspaceId)
+    if (hasAdmin) {
+      return { hasAccess: true, workflow: workflowRecord }
+    }
   }
 
   return { hasAccess: false }
@@ -48,13 +54,17 @@ export async function checkWorkflowAccessForFormCreation(
 
 /**
  * Check if user has access to view/edit/delete a specific form
+ * Either the user owns the form directly OR has admin permission for the workflow's workspace
  */
 export async function checkFormAccess(
   formId: string,
   userId: string
 ): Promise<{ hasAccess: boolean; form?: any }> {
   const formData = await db
-    .select({ form: form, workflowWorkspaceId: workflow.workspaceId })
+    .select({
+      form: form,
+      workflowWorkspaceId: workflow.workspaceId,
+    })
     .from(form)
     .innerJoin(workflow, eq(form.workflowId, workflow.id))
     .where(eq(form.id, formId))
@@ -65,17 +75,19 @@ export async function checkFormAccess(
   }
 
   const { form: formRecord, workflowWorkspaceId } = formData[0]
-  if (!workflowWorkspaceId) {
-    return { hasAccess: false }
+
+  if (formRecord.userId === userId) {
+    return { hasAccess: true, form: formRecord }
   }
 
-  const authorization = await authorizeWorkflowByWorkspacePermission({
-    workflowId: formRecord.workflowId,
-    userId,
-    action: 'admin',
-  })
+  if (workflowWorkspaceId) {
+    const hasAdmin = await hasAdminPermission(userId, workflowWorkspaceId)
+    if (hasAdmin) {
+      return { hasAccess: true, form: formRecord }
+    }
+  }
 
-  return authorization.allowed ? { hasAccess: true, form: formRecord } : { hasAccess: false }
+  return { hasAccess: false }
 }
 
 export async function validateFormAuth(

apps/sim/app/api/guardrails/validate/route.ts

@@ -1,6 +1,5 @@
 import { createLogger } from '@sim/logger'
 import { type NextRequest, NextResponse } from 'next/server'
-import { checkSessionOrInternalAuth } from '@/lib/auth/hybrid'
 import { generateRequestId } from '@/lib/core/utils/request'
 import { validateHallucination } from '@/lib/guardrails/validate_hallucination'
 import { validateJson } from '@/lib/guardrails/validate_json'
@@ -14,11 +13,6 @@ export async function POST(request: NextRequest) {
   logger.info(`[${requestId}] Guardrails validation request received`)
 
   try {
-    const auth = await checkSessionOrInternalAuth(request, { requireWorkflowId: false })
-    if (!auth.success || !auth.userId) {
-      return NextResponse.json({ error: 'Unauthorized' }, { status: 401 })
-    }
-
     const body = await request.json()
     const {
       validationType,
@@ -115,10 +109,6 @@ export async function POST(request: NextRequest) {
       validationType,
       inputType: typeof input,
     })
-    const authHeaders = {
-      cookie: request.headers.get('cookie') || undefined,
-      authorization: request.headers.get('authorization') || undefined,
-    }
 
     const validationResult = await executeValidation(
       validationType,
@@ -144,7 +134,6 @@ export async function POST(request: NextRequest) {
       piiEntityTypes,
       piiMode,
       piiLanguage,
-      authHeaders,
       requestId
     )
 
@@ -224,7 +213,6 @@ async function executeValidation(
   piiEntityTypes: string[] | undefined,
   piiMode: string | undefined,
   piiLanguage: string | undefined,
-  authHeaders: { cookie?: string; authorization?: string } | undefined,
   requestId: string
 ): Promise<{
   passed: boolean
@@ -265,7 +253,6 @@ async function executeValidation(
       providerCredentials,
       workflowId,
       workspaceId,
-      authHeaders,
       requestId,
     })
   }

apps/sim/app/api/jobs/[jobId]/route.ts

@@ -76,7 +76,7 @@ export async function GET(
     }
 
     if (job.status === JOB_STATUS.PROCESSING || job.status === JOB_STATUS.PENDING) {
-      response.estimatedDuration = 300000
+      response.estimatedDuration = 180000
     }
 
     return NextResponse.json(response)

apps/sim/app/api/knowledge/[id]/documents/[documentId]/chunks/route.ts

@@ -1,10 +1,10 @@
 import { createLogger } from '@sim/logger'
 import { type NextRequest, NextResponse } from 'next/server'
 import { z } from 'zod'
-import { checkSessionOrInternalAuth } from '@/lib/auth/hybrid'
+import { getSession } from '@/lib/auth'
 import { generateRequestId } from '@/lib/core/utils/request'
 import { batchChunkOperation, createChunk, queryChunks } from '@/lib/knowledge/chunks/service'
-import { authorizeWorkflowByWorkspacePermission } from '@/lib/workflows/utils'
+import { getUserId } from '@/app/api/auth/oauth/utils'
 import { checkDocumentAccess, checkDocumentWriteAccess } from '@/app/api/knowledge/utils'
 import { calculateCost } from '@/providers/utils'
 
@@ -38,14 +38,13 @@ export async function GET(
   const { id: knowledgeBaseId, documentId } = await params
 
   try {
-    const auth = await checkSessionOrInternalAuth(req, { requireWorkflowId: false })
-    if (!auth.success || !auth.userId) {
+    const session = await getSession()
+    if (!session?.user?.id) {
       logger.warn(`[${requestId}] Unauthorized chunks access attempt`)
       return NextResponse.json({ error: 'Unauthorized' }, { status: 401 })
     }
-    const userId = auth.userId
 
-    const accessCheck = await checkDocumentAccess(knowledgeBaseId, documentId, userId)
+    const accessCheck = await checkDocumentAccess(knowledgeBaseId, documentId, session.user.id)
 
     if (!accessCheck.hasAccess) {
       if (accessCheck.notFound) {
@@ -55,7 +54,7 @@ export async function GET(
         return NextResponse.json({ error: accessCheck.reason }, { status: 404 })
       }
       logger.warn(
-        `[${requestId}] User ${userId} attempted unauthorized chunks access: ${accessCheck.reason}`
+        `[${requestId}] User ${session.user.id} attempted unauthorized chunks access: ${accessCheck.reason}`
       )
       return NextResponse.json({ error: 'Unauthorized' }, { status: 401 })
     }
@@ -114,25 +113,13 @@ export async function POST(
     const body = await req.json()
     const { workflowId, ...searchParams } = body
 
-    const auth = await checkSessionOrInternalAuth(req, { requireWorkflowId: false })
-    if (!auth.success || !auth.userId) {
-      logger.warn(`[${requestId}] Authentication failed: ${auth.error || 'Unauthorized'}`)
-      return NextResponse.json({ error: 'Unauthorized' }, { status: 401 })
-    }
-    const userId = auth.userId
+    const userId = await getUserId(requestId, workflowId)
 
-    if (workflowId) {
-      const authorization = await authorizeWorkflowByWorkspacePermission({
-        workflowId,
-        userId,
-        action: 'write',
-      })
-      if (!authorization.allowed) {
-        return NextResponse.json(
-          { error: authorization.message || 'Access denied' },
-          { status: authorization.status }
-        )
-      }
+    if (!userId) {
+      const errorMessage = workflowId ? 'Workflow not found' : 'Unauthorized'
+      const statusCode = workflowId ? 404 : 401
+      logger.warn(`[${requestId}] Authentication failed: ${errorMessage}`)
+      return NextResponse.json({ error: errorMessage }, { status: statusCode })
     }
 
     const accessCheck = await checkDocumentWriteAccess(knowledgeBaseId, documentId, userId)
@@ -261,14 +248,13 @@ export async function PATCH(
   const { id: knowledgeBaseId, documentId } = await params
 
   try {
-    const auth = await checkSessionOrInternalAuth(req, { requireWorkflowId: false })
-    if (!auth.success || !auth.userId) {
+    const session = await getSession()
+    if (!session?.user?.id) {
       logger.warn(`[${requestId}] Unauthorized batch chunk operation attempt`)
       return NextResponse.json({ error: 'Unauthorized' }, { status: 401 })
     }
-    const userId = auth.userId
 
-    const accessCheck = await checkDocumentAccess(knowledgeBaseId, documentId, userId)
+    const accessCheck = await checkDocumentAccess(knowledgeBaseId, documentId, session.user.id)
 
     if (!accessCheck.hasAccess) {
       if (accessCheck.notFound) {
@@ -278,7 +264,7 @@ export async function PATCH(
         return NextResponse.json({ error: accessCheck.reason }, { status: 404 })
       }
       logger.warn(
-        `[${requestId}] User ${userId} attempted unauthorized batch chunk operation: ${accessCheck.reason}`
+        `[${requestId}] User ${session.user.id} attempted unauthorized batch chunk operation: ${accessCheck.reason}`
       )
       return NextResponse.json({ error: 'Unauthorized' }, { status: 401 })
     }

apps/sim/app/api/knowledge/[id]/documents/[documentId]/route.ts

@@ -1,7 +1,7 @@
 import { createLogger } from '@sim/logger'
 import { type NextRequest, NextResponse } from 'next/server'
 import { z } from 'zod'
-import { checkSessionOrInternalAuth } from '@/lib/auth/hybrid'
+import { getSession } from '@/lib/auth'
 import { generateRequestId } from '@/lib/core/utils/request'
 import {
   deleteDocument,
@@ -54,14 +54,13 @@ export async function GET(
   const { id: knowledgeBaseId, documentId } = await params
 
   try {
-    const auth = await checkSessionOrInternalAuth(req, { requireWorkflowId: false })
-    if (!auth.success || !auth.userId) {
+    const session = await getSession()
+    if (!session?.user?.id) {
       logger.warn(`[${requestId}] Unauthorized document access attempt`)
       return NextResponse.json({ error: 'Unauthorized' }, { status: 401 })
     }
-    const userId = auth.userId
 
-    const accessCheck = await checkDocumentAccess(knowledgeBaseId, documentId, userId)
+    const accessCheck = await checkDocumentAccess(knowledgeBaseId, documentId, session.user.id)
 
     if (!accessCheck.hasAccess) {
       if (accessCheck.notFound) {
@@ -71,7 +70,7 @@ export async function GET(
         return NextResponse.json({ error: accessCheck.reason }, { status: 404 })
       }
       logger.warn(
-        `[${requestId}] User ${userId} attempted unauthorized document access: ${accessCheck.reason}`
+        `[${requestId}] User ${session.user.id} attempted unauthorized document access: ${accessCheck.reason}`
       )
       return NextResponse.json({ error: 'Unauthorized' }, { status: 401 })
     }
@@ -98,14 +97,13 @@ export async function PUT(
   const { id: knowledgeBaseId, documentId } = await params
 
   try {
-    const auth = await checkSessionOrInternalAuth(req, { requireWorkflowId: false })
-    if (!auth.success || !auth.userId) {
+    const session = await getSession()
+    if (!session?.user?.id) {
       logger.warn(`[${requestId}] Unauthorized document update attempt`)
       return NextResponse.json({ error: 'Unauthorized' }, { status: 401 })
     }
-    const userId = auth.userId
 
-    const accessCheck = await checkDocumentWriteAccess(knowledgeBaseId, documentId, userId)
+    const accessCheck = await checkDocumentWriteAccess(knowledgeBaseId, documentId, session.user.id)
 
     if (!accessCheck.hasAccess) {
       if (accessCheck.notFound) {
@@ -115,7 +113,7 @@ export async function PUT(
         return NextResponse.json({ error: accessCheck.reason }, { status: 404 })
       }
       logger.warn(
-        `[${requestId}] User ${userId} attempted unauthorized document update: ${accessCheck.reason}`
+        `[${requestId}] User ${session.user.id} attempted unauthorized document update: ${accessCheck.reason}`
       )
       return NextResponse.json({ error: 'Unauthorized' }, { status: 401 })
     }
@@ -229,14 +227,13 @@ export async function DELETE(
   const { id: knowledgeBaseId, documentId } = await params
 
   try {
-    const auth = await checkSessionOrInternalAuth(req, { requireWorkflowId: false })
-    if (!auth.success || !auth.userId) {
+    const session = await getSession()
+    if (!session?.user?.id) {
       logger.warn(`[${requestId}] Unauthorized document delete attempt`)
       return NextResponse.json({ error: 'Unauthorized' }, { status: 401 })
     }
-    const userId = auth.userId
 
-    const accessCheck = await checkDocumentWriteAccess(knowledgeBaseId, documentId, userId)
+    const accessCheck = await checkDocumentWriteAccess(knowledgeBaseId, documentId, session.user.id)
 
     if (!accessCheck.hasAccess) {
       if (accessCheck.notFound) {
@@ -246,7 +243,7 @@ export async function DELETE(
         return NextResponse.json({ error: accessCheck.reason }, { status: 404 })
       }
       logger.warn(
-        `[${requestId}] User ${userId} attempted unauthorized document deletion: ${accessCheck.reason}`
+        `[${requestId}] User ${session.user.id} attempted unauthorized document deletion: ${accessCheck.reason}`
       )
       return NextResponse.json({ error: 'Unauthorized' }, { status: 401 })
     }

apps/sim/app/api/knowledge/[id]/documents/route.ts

@@ -3,7 +3,6 @@ import { createLogger } from '@sim/logger'
 import { type NextRequest, NextResponse } from 'next/server'
 import { z } from 'zod'
 import { getSession } from '@/lib/auth'
-import { checkSessionOrInternalAuth } from '@/lib/auth/hybrid'
 import {
   bulkDocumentOperation,
   bulkDocumentOperationByFilter,
@@ -14,7 +13,7 @@ import {
   processDocumentsWithQueue,
 } from '@/lib/knowledge/documents/service'
 import type { DocumentSortField, SortOrder } from '@/lib/knowledge/documents/types'
-import { authorizeWorkflowByWorkspacePermission } from '@/lib/workflows/utils'
+import { getUserId } from '@/app/api/auth/oauth/utils'
 import { checkKnowledgeBaseAccess, checkKnowledgeBaseWriteAccess } from '@/app/api/knowledge/utils'
 
 const logger = createLogger('DocumentsAPI')
@@ -171,28 +170,16 @@ export async function POST(req: NextRequest, { params }: { params: Promise<{ id:
       bodyKeys: Object.keys(body),
     })
 
-    const auth = await checkSessionOrInternalAuth(req, { requireWorkflowId: false })
-    if (!auth.success || !auth.userId) {
-      logger.warn(`[${requestId}] Authentication failed: ${auth.error || 'Unauthorized'}`, {
+    const userId = await getUserId(requestId, workflowId)
+
+    if (!userId) {
+      const errorMessage = workflowId ? 'Workflow not found' : 'Unauthorized'
+      const statusCode = workflowId ? 404 : 401
+      logger.warn(`[${requestId}] Authentication failed: ${errorMessage}`, {
         workflowId,
         hasWorkflowId: !!workflowId,
       })
-      return NextResponse.json({ error: 'Unauthorized' }, { status: 401 })
-    }
-    const userId = auth.userId
-
-    if (workflowId) {
-      const authorization = await authorizeWorkflowByWorkspacePermission({
-        workflowId,
-        userId,
-        action: 'write',
-      })
-      if (!authorization.allowed) {
-        return NextResponse.json(
-          { error: authorization.message || 'Access denied' },
-          { status: authorization.status }
-        )
-      }
+      return NextResponse.json({ error: errorMessage }, { status: statusCode })
     }
 
     const accessCheck = await checkKnowledgeBaseWriteAccess(knowledgeBaseId, userId)

apps/sim/app/api/knowledge/[id]/route.ts

@@ -1,7 +1,7 @@
 import { createLogger } from '@sim/logger'
 import { type NextRequest, NextResponse } from 'next/server'
 import { z } from 'zod'
-import { checkSessionOrInternalAuth } from '@/lib/auth/hybrid'
+import { getSession } from '@/lib/auth'
 import { PlatformEvents } from '@/lib/core/telemetry'
 import { generateRequestId } from '@/lib/core/utils/request'
 import {
@@ -54,14 +54,13 @@ export async function GET(_request: NextRequest, { params }: { params: Promise<{
   const { id } = await params
 
   try {
-    const auth = await checkSessionOrInternalAuth(_request, { requireWorkflowId: false })
-    if (!auth.success || !auth.userId) {
+    const session = await getSession()
+    if (!session?.user?.id) {
       logger.warn(`[${requestId}] Unauthorized knowledge base access attempt`)
       return NextResponse.json({ error: 'Unauthorized' }, { status: 401 })
     }
-    const userId = auth.userId
 
-    const accessCheck = await checkKnowledgeBaseAccess(id, userId)
+    const accessCheck = await checkKnowledgeBaseAccess(id, session.user.id)
 
     if (!accessCheck.hasAccess) {
       if ('notFound' in accessCheck && accessCheck.notFound) {
@@ -69,7 +68,7 @@ export async function GET(_request: NextRequest, { params }: { params: Promise<{
         return NextResponse.json({ error: 'Knowledge base not found' }, { status: 404 })
       }
       logger.warn(
-        `[${requestId}] User ${userId} attempted to access unauthorized knowledge base ${id}`
+        `[${requestId}] User ${session.user.id} attempted to access unauthorized knowledge base ${id}`
       )
       return NextResponse.json({ error: 'Unauthorized' }, { status: 401 })
     }
@@ -80,7 +79,7 @@ export async function GET(_request: NextRequest, { params }: { params: Promise<{
       return NextResponse.json({ error: 'Knowledge base not found' }, { status: 404 })
     }
 
-    logger.info(`[${requestId}] Retrieved knowledge base: ${id} for user ${userId}`)
+    logger.info(`[${requestId}] Retrieved knowledge base: ${id} for user ${session.user.id}`)
 
     return NextResponse.json({
       success: true,
@@ -97,14 +96,13 @@ export async function PUT(req: NextRequest, { params }: { params: Promise<{ id:
   const { id } = await params
 
   try {
-    const auth = await checkSessionOrInternalAuth(req, { requireWorkflowId: false })
-    if (!auth.success || !auth.userId) {
+    const session = await getSession()
+    if (!session?.user?.id) {
       logger.warn(`[${requestId}] Unauthorized knowledge base update attempt`)
       return NextResponse.json({ error: 'Unauthorized' }, { status: 401 })
     }
-    const userId = auth.userId
 
-    const accessCheck = await checkKnowledgeBaseWriteAccess(id, userId)
+    const accessCheck = await checkKnowledgeBaseWriteAccess(id, session.user.id)
 
     if (!accessCheck.hasAccess) {
       if ('notFound' in accessCheck && accessCheck.notFound) {
@@ -112,7 +110,7 @@ export async function PUT(req: NextRequest, { params }: { params: Promise<{ id:
         return NextResponse.json({ error: 'Knowledge base not found' }, { status: 404 })
       }
       logger.warn(
-        `[${requestId}] User ${userId} attempted to update unauthorized knowledge base ${id}`
+        `[${requestId}] User ${session.user.id} attempted to update unauthorized knowledge base ${id}`
       )
       return NextResponse.json({ error: 'Unauthorized' }, { status: 401 })
     }
@@ -133,7 +131,7 @@ export async function PUT(req: NextRequest, { params }: { params: Promise<{ id:
         requestId
       )
 
-      logger.info(`[${requestId}] Knowledge base updated: ${id} for user ${userId}`)
+      logger.info(`[${requestId}] Knowledge base updated: ${id} for user ${session.user.id}`)
 
       return NextResponse.json({
         success: true,
@@ -165,14 +163,13 @@ export async function DELETE(
   const { id } = await params
 
   try {
-    const auth = await checkSessionOrInternalAuth(_request, { requireWorkflowId: false })
-    if (!auth.success || !auth.userId) {
+    const session = await getSession()
+    if (!session?.user?.id) {
       logger.warn(`[${requestId}] Unauthorized knowledge base delete attempt`)
       return NextResponse.json({ error: 'Unauthorized' }, { status: 401 })
     }
-    const userId = auth.userId
 
-    const accessCheck = await checkKnowledgeBaseWriteAccess(id, userId)
+    const accessCheck = await checkKnowledgeBaseWriteAccess(id, session.user.id)
 
     if (!accessCheck.hasAccess) {
       if ('notFound' in accessCheck && accessCheck.notFound) {
@@ -180,7 +177,7 @@ export async function DELETE(
         return NextResponse.json({ error: 'Knowledge base not found' }, { status: 404 })
       }
       logger.warn(
-        `[${requestId}] User ${userId} attempted to delete unauthorized knowledge base ${id}`
+        `[${requestId}] User ${session.user.id} attempted to delete unauthorized knowledge base ${id}`
       )
       return NextResponse.json({ error: 'Unauthorized' }, { status: 401 })
     }
@@ -195,7 +192,7 @@ export async function DELETE(
       // Telemetry should not fail the operation
     }
 
-    logger.info(`[${requestId}] Knowledge base deleted: ${id} for user ${userId}`)
+    logger.info(`[${requestId}] Knowledge base deleted: ${id} for user ${session.user.id}`)
 
     return NextResponse.json({
       success: true,

apps/sim/app/api/knowledge/route.test.ts

@@ -17,7 +17,7 @@ mockDrizzleOrm()
 mockConsoleLogger()
 
 vi.mock('@/lib/workspaces/permissions/utils', () => ({
-  getUserEntityPermissions: vi.fn().mockResolvedValue('admin'),
+  getUserEntityPermissions: vi.fn().mockResolvedValue({ role: 'owner' }),
 }))
 
 describe('Knowledge Base API Route', () => {

apps/sim/app/api/knowledge/search/route.test.ts

@@ -104,8 +104,6 @@ describe('Knowledge Search API Route', () => {
 
   const mockGetUserId = vi.fn()
   const mockFetch = vi.fn()
-  const mockCheckSessionOrInternalAuth = vi.fn()
-  const mockAuthorizeWorkflowByWorkspacePermission = vi.fn()
 
   const mockEmbedding = [0.1, 0.2, 0.3, 0.4, 0.5]
   const mockSearchResults = [
@@ -134,12 +132,8 @@ describe('Knowledge Search API Route', () => {
       db: mockDbChain,
     }))
 
-    vi.doMock('@/lib/auth/hybrid', () => ({
-      checkSessionOrInternalAuth: mockCheckSessionOrInternalAuth,
-    }))
-
-    vi.doMock('@/lib/workflows/utils', () => ({
-      authorizeWorkflowByWorkspacePermission: mockAuthorizeWorkflowByWorkspacePermission,
+    vi.doMock('@/app/api/auth/oauth/utils', () => ({
+      getUserId: mockGetUserId,
     }))
 
     Object.values(mockDbChain).forEach((fn) => {
@@ -163,15 +157,6 @@ describe('Knowledge Search API Route', () => {
       doc2: 'Document 2',
     })
     mockGetDocumentTagDefinitions.mockClear()
-    mockCheckSessionOrInternalAuth.mockClear().mockResolvedValue({
-      success: true,
-      userId: 'user-123',
-      authType: 'session',
-    })
-    mockAuthorizeWorkflowByWorkspacePermission.mockClear().mockResolvedValue({
-      allowed: true,
-      status: 200,
-    })
 
     vi.stubGlobal('crypto', {
       randomUUID: vi.fn().mockReturnValue('mock-uuid-1234-5678'),
@@ -326,18 +311,11 @@ describe('Knowledge Search API Route', () => {
 
       expect(response.status).toBe(200)
       expect(data.success).toBe(true)
-      expect(mockAuthorizeWorkflowByWorkspacePermission).toHaveBeenCalledWith({
-        workflowId: 'workflow-123',
-        userId: 'user-123',
-        action: 'read',
-      })
+      expect(mockGetUserId).toHaveBeenCalledWith(expect.any(String), 'workflow-123')
     })
 
     it.concurrent('should return unauthorized for unauthenticated request', async () => {
-      mockCheckSessionOrInternalAuth.mockResolvedValueOnce({
-        success: false,
-        error: 'Unauthorized',
-      })
+      mockGetUserId.mockResolvedValue(null)
 
       const req = createMockRequest('POST', validSearchData)
       const { POST } = await import('@/app/api/knowledge/search/route')
@@ -354,11 +332,7 @@ describe('Knowledge Search API Route', () => {
         workflowId: 'nonexistent-workflow',
       }
 
-      mockAuthorizeWorkflowByWorkspacePermission.mockResolvedValueOnce({
-        allowed: false,
-        status: 404,
-        message: 'Workflow not found',
-      })
+      mockGetUserId.mockResolvedValue(null)
 
       const req = createMockRequest('POST', workflowData)
       const { POST } = await import('@/app/api/knowledge/search/route')

apps/sim/app/api/knowledge/search/route.ts

@@ -1,7 +1,6 @@
 import { createLogger } from '@sim/logger'
 import { type NextRequest, NextResponse } from 'next/server'
 import { z } from 'zod'
-import { checkSessionOrInternalAuth } from '@/lib/auth/hybrid'
 import { PlatformEvents } from '@/lib/core/telemetry'
 import { generateRequestId } from '@/lib/core/utils/request'
 import { ALL_TAG_SLOTS } from '@/lib/knowledge/constants'
@@ -9,7 +8,7 @@ import { getDocumentTagDefinitions } from '@/lib/knowledge/tags/service'
 import { buildUndefinedTagsError, validateTagValue } from '@/lib/knowledge/tags/utils'
 import type { StructuredFilter } from '@/lib/knowledge/types'
 import { estimateTokenCount } from '@/lib/tokenization/estimators'
-import { authorizeWorkflowByWorkspacePermission } from '@/lib/workflows/utils'
+import { getUserId } from '@/app/api/auth/oauth/utils'
 import {
   generateSearchEmbedding,
   getDocumentNamesByIds,
@@ -77,24 +76,12 @@ export async function POST(request: NextRequest) {
     const body = await request.json()
     const { workflowId, ...searchParams } = body
 
-    const auth = await checkSessionOrInternalAuth(request, { requireWorkflowId: false })
-    if (!auth.success || !auth.userId) {
-      return NextResponse.json({ error: 'Unauthorized' }, { status: 401 })
-    }
-    const userId = auth.userId
+    const userId = await getUserId(requestId, workflowId)
 
-    if (workflowId) {
-      const authorization = await authorizeWorkflowByWorkspacePermission({
-        workflowId,
-        userId,
-        action: 'read',
-      })
-      if (!authorization.allowed) {
-        return NextResponse.json(
-          { error: authorization.message || 'Access denied' },
-          { status: authorization.status }
-        )
-      }
+    if (!userId) {
+      const errorMessage = workflowId ? 'Workflow not found' : 'Unauthorized'
+      const statusCode = workflowId ? 404 : 401
+      return NextResponse.json({ error: errorMessage }, { status: statusCode })
     }
 
     try {

apps/sim/app/api/mcp/copilot/route.ts

@@ -31,10 +31,7 @@ import {
 import { DIRECT_TOOL_DEFS, SUBAGENT_TOOL_DEFS } from '@/lib/copilot/tools/mcp/definitions'
 import { env } from '@/lib/core/config/env'
 import { RateLimiter } from '@/lib/core/rate-limiter'
-import {
-  authorizeWorkflowByWorkspacePermission,
-  resolveWorkflowIdForUser,
-} from '@/lib/workflows/utils'
+import { resolveWorkflowIdForUser } from '@/lib/workflows/utils'
 
 const logger = createLogger('CopilotMcpAPI')
 const mcpRateLimiter = new RateLimiter()
@@ -629,16 +626,7 @@ async function handleBuildToolCall(
     const requestText = (args.request as string) || JSON.stringify(args)
     const workflowId = args.workflowId as string | undefined
 
-    const resolved = workflowId
-      ? await (async () => {
-          const authorization = await authorizeWorkflowByWorkspacePermission({
-            workflowId,
-            userId,
-            action: 'read',
-          })
-          return authorization.allowed ? { workflowId } : null
-        })()
-      : await resolveWorkflowIdForUser(userId)
+    const resolved = workflowId ? { workflowId } : await resolveWorkflowIdForUser(userId)
 
     if (!resolved?.workflowId) {
       return {

apps/sim/app/api/mcp/serve/[serverId]/route.test.ts

@@ -1,227 +0,0 @@
-/**
- * Tests for MCP serve route auth propagation.
- *
- * @vitest-environment node
- */
-import { NextRequest } from 'next/server'
-import { afterEach, beforeEach, describe, expect, it, vi } from 'vitest'
-
-const mockCheckHybridAuth = vi.fn()
-const mockGetUserEntityPermissions = vi.fn()
-const mockGenerateInternalToken = vi.fn()
-const mockDbSelect = vi.fn()
-const mockDbFrom = vi.fn()
-const mockDbWhere = vi.fn()
-const mockDbLimit = vi.fn()
-const fetchMock = vi.fn()
-
-describe('MCP Serve Route', () => {
-  beforeEach(() => {
-    vi.resetModules()
-    vi.clearAllMocks()
-
-    mockDbSelect.mockReturnValue({ from: mockDbFrom })
-    mockDbFrom.mockReturnValue({ where: mockDbWhere })
-    mockDbWhere.mockReturnValue({ limit: mockDbLimit })
-
-    vi.doMock('@sim/logger', () => ({
-      createLogger: vi.fn(() => ({
-        info: vi.fn(),
-        warn: vi.fn(),
-        error: vi.fn(),
-        debug: vi.fn(),
-      })),
-    }))
-    vi.doMock('drizzle-orm', () => ({
-      and: vi.fn(),
-      eq: vi.fn(),
-    }))
-    vi.doMock('@sim/db', () => ({
-      db: {
-        select: mockDbSelect,
-      },
-    }))
-    vi.doMock('@sim/db/schema', () => ({
-      workflowMcpServer: {
-        id: 'id',
-        name: 'name',
-        workspaceId: 'workspaceId',
-        isPublic: 'isPublic',
-        createdBy: 'createdBy',
-      },
-      workflowMcpTool: {
-        serverId: 'serverId',
-        toolName: 'toolName',
-        toolDescription: 'toolDescription',
-        parameterSchema: 'parameterSchema',
-        workflowId: 'workflowId',
-      },
-      workflow: {
-        id: 'id',
-        isDeployed: 'isDeployed',
-      },
-    }))
-    vi.doMock('@/lib/auth/hybrid', () => ({
-      checkHybridAuth: mockCheckHybridAuth,
-    }))
-    vi.doMock('@/lib/workspaces/permissions/utils', () => ({
-      getUserEntityPermissions: mockGetUserEntityPermissions,
-    }))
-    vi.doMock('@/lib/auth/internal', () => ({
-      generateInternalToken: mockGenerateInternalToken,
-    }))
-    vi.doMock('@/lib/core/utils/urls', () => ({
-      getBaseUrl: () => 'http://localhost:3000',
-    }))
-    vi.doMock('@/lib/core/execution-limits', () => ({
-      getMaxExecutionTimeout: () => 10_000,
-    }))
-
-    vi.stubGlobal('fetch', fetchMock)
-  })
-
-  afterEach(() => {
-    vi.unstubAllGlobals()
-    vi.clearAllMocks()
-  })
-
-  it('returns 401 for private server when auth fails', async () => {
-    mockDbLimit.mockResolvedValueOnce([
-      {
-        id: 'server-1',
-        name: 'Private Server',
-        workspaceId: 'ws-1',
-        isPublic: false,
-        createdBy: 'owner-1',
-      },
-    ])
-    mockCheckHybridAuth.mockResolvedValueOnce({ success: false, error: 'Unauthorized' })
-
-    const { POST } = await import('./route')
-    const req = new NextRequest('http://localhost:3000/api/mcp/serve/server-1', {
-      method: 'POST',
-      body: JSON.stringify({ jsonrpc: '2.0', id: 1, method: 'ping' }),
-    })
-    const response = await POST(req, { params: Promise.resolve({ serverId: 'server-1' }) })
-
-    expect(response.status).toBe(401)
-  })
-
-  it('returns 401 on GET for private server when auth fails', async () => {
-    mockDbLimit.mockResolvedValueOnce([
-      {
-        id: 'server-1',
-        name: 'Private Server',
-        workspaceId: 'ws-1',
-        isPublic: false,
-        createdBy: 'owner-1',
-      },
-    ])
-    mockCheckHybridAuth.mockResolvedValueOnce({ success: false, error: 'Unauthorized' })
-
-    const { GET } = await import('./route')
-    const req = new NextRequest('http://localhost:3000/api/mcp/serve/server-1')
-    const response = await GET(req, { params: Promise.resolve({ serverId: 'server-1' }) })
-
-    expect(response.status).toBe(401)
-  })
-
-  it('forwards X-API-Key for private server api_key auth', async () => {
-    mockDbLimit
-      .mockResolvedValueOnce([
-        {
-          id: 'server-1',
-          name: 'Private Server',
-          workspaceId: 'ws-1',
-          isPublic: false,
-          createdBy: 'owner-1',
-        },
-      ])
-      .mockResolvedValueOnce([{ toolName: 'tool_a', workflowId: 'wf-1' }])
-      .mockResolvedValueOnce([{ isDeployed: true }])
-
-    mockCheckHybridAuth.mockResolvedValueOnce({
-      success: true,
-      userId: 'user-1',
-      authType: 'api_key',
-      apiKeyType: 'personal',
-    })
-    mockGetUserEntityPermissions.mockResolvedValueOnce('write')
-    fetchMock.mockResolvedValueOnce(
-      new Response(JSON.stringify({ output: { ok: true } }), {
-        status: 200,
-        headers: { 'Content-Type': 'application/json' },
-      })
-    )
-
-    const { POST } = await import('./route')
-    const req = new NextRequest('http://localhost:3000/api/mcp/serve/server-1', {
-      method: 'POST',
-      headers: { 'X-API-Key': 'pk_test_123' },
-      body: JSON.stringify({
-        jsonrpc: '2.0',
-        id: 1,
-        method: 'tools/call',
-        params: { name: 'tool_a', arguments: { q: 'test' } },
-      }),
-    })
-    const response = await POST(req, { params: Promise.resolve({ serverId: 'server-1' }) })
-
-    expect(response.status).toBe(200)
-    expect(fetchMock).toHaveBeenCalledTimes(1)
-    const fetchOptions = fetchMock.mock.calls[0][1] as RequestInit
-    const headers = fetchOptions.headers as Record<string, string>
-    expect(headers['X-API-Key']).toBe('pk_test_123')
-    expect(headers.Authorization).toBeUndefined()
-    expect(mockGenerateInternalToken).not.toHaveBeenCalled()
-  })
-
-  it('forwards internal token for private server session auth', async () => {
-    mockDbLimit
-      .mockResolvedValueOnce([
-        {
-          id: 'server-1',
-          name: 'Private Server',
-          workspaceId: 'ws-1',
-          isPublic: false,
-          createdBy: 'owner-1',
-        },
-      ])
-      .mockResolvedValueOnce([{ toolName: 'tool_a', workflowId: 'wf-1' }])
-      .mockResolvedValueOnce([{ isDeployed: true }])
-
-    mockCheckHybridAuth.mockResolvedValueOnce({
-      success: true,
-      userId: 'user-1',
-      authType: 'session',
-    })
-    mockGetUserEntityPermissions.mockResolvedValueOnce('read')
-    mockGenerateInternalToken.mockResolvedValueOnce('internal-token-user-1')
-    fetchMock.mockResolvedValueOnce(
-      new Response(JSON.stringify({ output: { ok: true } }), {
-        status: 200,
-        headers: { 'Content-Type': 'application/json' },
-      })
-    )
-
-    const { POST } = await import('./route')
-    const req = new NextRequest('http://localhost:3000/api/mcp/serve/server-1', {
-      method: 'POST',
-      body: JSON.stringify({
-        jsonrpc: '2.0',
-        id: 1,
-        method: 'tools/call',
-        params: { name: 'tool_a' },
-      }),
-    })
-    const response = await POST(req, { params: Promise.resolve({ serverId: 'server-1' }) })
-
-    expect(response.status).toBe(200)
-    expect(fetchMock).toHaveBeenCalledTimes(1)
-    const fetchOptions = fetchMock.mock.calls[0][1] as RequestInit
-    const headers = fetchOptions.headers as Record<string, string>
-    expect(headers.Authorization).toBe('Bearer internal-token-user-1')
-    expect(headers['X-API-Key']).toBeUndefined()
-    expect(mockGenerateInternalToken).toHaveBeenCalledWith('user-1')
-  })
-})

apps/sim/app/api/mcp/serve/[serverId]/route.ts

@@ -19,11 +19,10 @@ import { workflow, workflowMcpServer, workflowMcpTool } from '@sim/db/schema'
 import { createLogger } from '@sim/logger'
 import { and, eq } from 'drizzle-orm'
 import { type NextRequest, NextResponse } from 'next/server'
-import { type AuthResult, checkHybridAuth } from '@/lib/auth/hybrid'
+import { checkHybridAuth } from '@/lib/auth/hybrid'
 import { generateInternalToken } from '@/lib/auth/internal'
 import { getMaxExecutionTimeout } from '@/lib/core/execution-limits'
 import { getBaseUrl } from '@/lib/core/utils/urls'
-import { getUserEntityPermissions } from '@/lib/workspaces/permissions/utils'
 
 const logger = createLogger('WorkflowMcpServeAPI')
 
@@ -33,12 +32,6 @@ interface RouteParams {
   serverId: string
 }
 
-interface ExecuteAuthContext {
-  authType?: AuthResult['authType']
-  userId: string
-  apiKey?: string | null
-}
-
 function createResponse(id: RequestId, result: unknown): JSONRPCResponse {
   return {
     jsonrpc: '2.0',
@@ -80,22 +73,6 @@ export async function GET(request: NextRequest, { params }: { params: Promise<Ro
       return NextResponse.json({ error: 'Server not found' }, { status: 404 })
     }
 
-    if (!server.isPublic) {
-      const auth = await checkHybridAuth(request, { requireWorkflowId: false })
-      if (!auth.success || !auth.userId) {
-        return NextResponse.json({ error: 'Unauthorized' }, { status: 401 })
-      }
-
-      const workspacePermission = await getUserEntityPermissions(
-        auth.userId,
-        'workspace',
-        server.workspaceId
-      )
-      if (workspacePermission === null) {
-        return NextResponse.json({ error: 'Forbidden' }, { status: 403 })
-      }
-    }
-
     return NextResponse.json({
       name: server.name,
       version: '1.0.0',
@@ -117,27 +94,11 @@ export async function POST(request: NextRequest, { params }: { params: Promise<R
       return NextResponse.json({ error: 'Server not found' }, { status: 404 })
     }
 
-    let executeAuthContext: ExecuteAuthContext | null = null
     if (!server.isPublic) {
       const auth = await checkHybridAuth(request, { requireWorkflowId: false })
       if (!auth.success || !auth.userId) {
         return NextResponse.json({ error: 'Unauthorized' }, { status: 401 })
       }
-
-      const workspacePermission = await getUserEntityPermissions(
-        auth.userId,
-        'workspace',
-        server.workspaceId
-      )
-      if (workspacePermission === null) {
-        return NextResponse.json({ error: 'Forbidden' }, { status: 403 })
-      }
-
-      executeAuthContext = {
-        authType: auth.authType,
-        userId: auth.userId,
-        apiKey: auth.authType === 'api_key' ? request.headers.get('X-API-Key') : null,
-      }
     }
 
     const body = await request.json()
@@ -158,6 +119,9 @@ export async function POST(request: NextRequest, { params }: { params: Promise<R
     }
 
     const { id, method, params: rpcParams } = message
+    const apiKey =
+      request.headers.get('X-API-Key') ||
+      request.headers.get('Authorization')?.replace('Bearer ', '')
 
     switch (method) {
       case 'initialize': {
@@ -180,7 +144,7 @@ export async function POST(request: NextRequest, { params }: { params: Promise<R
           id,
           serverId,
           rpcParams as { name: string; arguments?: Record<string, unknown> },
-          executeAuthContext,
+          apiKey,
           server.isPublic ? server.createdBy : undefined
         )
 
@@ -243,7 +207,7 @@ async function handleToolsCall(
   id: RequestId,
   serverId: string,
   params: { name: string; arguments?: Record<string, unknown> } | undefined,
-  executeAuthContext?: ExecuteAuthContext | null,
+  apiKey?: string | null,
   publicServerOwnerId?: string
 ): Promise<NextResponse> {
   try {
@@ -291,13 +255,8 @@ async function handleToolsCall(
     if (publicServerOwnerId) {
       const internalToken = await generateInternalToken(publicServerOwnerId)
       headers.Authorization = `Bearer ${internalToken}`
-    } else if (executeAuthContext) {
-      if (executeAuthContext.authType === 'api_key' && executeAuthContext.apiKey) {
-        headers['X-API-Key'] = executeAuthContext.apiKey
-      } else {
-        const internalToken = await generateInternalToken(executeAuthContext.userId)
-        headers.Authorization = `Bearer ${internalToken}`
-      }
+    } else if (apiKey) {
+      headers['X-API-Key'] = apiKey
     }
 
     logger.info(`Executing workflow ${tool.workflowId} via MCP tool ${params.name}`)
@@ -352,17 +311,6 @@ export async function DELETE(request: NextRequest, { params }: { params: Promise
       return NextResponse.json({ error: 'Unauthorized' }, { status: 401 })
     }
 
-    if (!server.isPublic) {
-      const workspacePermission = await getUserEntityPermissions(
-        auth.userId,
-        'workspace',
-        server.workspaceId
-      )
-      if (workspacePermission === null) {
-        return NextResponse.json({ error: 'Forbidden' }, { status: 403 })
-      }
-    }
-
     logger.info(`MCP session terminated for server ${serverId}`)
     return new NextResponse(null, { status: 204 })
   } catch (error) {

apps/sim/app/api/mcp/workflow-servers/[id]/tools/route.ts

@@ -6,7 +6,6 @@ import type { NextRequest } from 'next/server'
 import { getParsedBody, withMcpAuth } from '@/lib/mcp/middleware'
 import { mcpPubSub } from '@/lib/mcp/pubsub'
 import { createMcpErrorResponse, createMcpSuccessResponse } from '@/lib/mcp/utils'
-import { generateParameterSchemaForWorkflow } from '@/lib/mcp/workflow-mcp-sync'
 import { sanitizeToolName } from '@/lib/mcp/workflow-tool-schema'
 import { hasValidStartBlock } from '@/lib/workflows/triggers/trigger-utils.server'
 
@@ -171,11 +170,6 @@ export const POST = withMcpAuth<RouteParams>('write')(
         workflowRecord.description ||
         `Execute ${workflowRecord.name} workflow`
 
-      const parameterSchema =
-        body.parameterSchema && Object.keys(body.parameterSchema).length > 0
-          ? body.parameterSchema
-          : await generateParameterSchemaForWorkflow(body.workflowId)
-
       const toolId = crypto.randomUUID()
       const [tool] = await db
         .insert(workflowMcpTool)
@@ -185,7 +179,7 @@ export const POST = withMcpAuth<RouteParams>('write')(
           workflowId: body.workflowId,
           toolName,
           toolDescription,
-          parameterSchema,
+          parameterSchema: body.parameterSchema || {},
           createdAt: new Date(),
           updatedAt: new Date(),
         })

apps/sim/app/api/mcp/workflow-servers/route.ts

@@ -6,7 +6,6 @@ import type { NextRequest } from 'next/server'
 import { getParsedBody, withMcpAuth } from '@/lib/mcp/middleware'
 import { mcpPubSub } from '@/lib/mcp/pubsub'
 import { createMcpErrorResponse, createMcpSuccessResponse } from '@/lib/mcp/utils'
-import { generateParameterSchemaForWorkflow } from '@/lib/mcp/workflow-mcp-sync'
 import { sanitizeToolName } from '@/lib/mcp/workflow-tool-schema'
 import { hasValidStartBlock } from '@/lib/workflows/triggers/trigger-utils.server'
 
@@ -157,8 +156,6 @@ export const POST = withMcpAuth('write')(
           const toolDescription =
             workflowRecord.description || `Execute ${workflowRecord.name} workflow`
 
-          const parameterSchema = await generateParameterSchemaForWorkflow(workflowRecord.id)
-
           const toolId = crypto.randomUUID()
           await db.insert(workflowMcpTool).values({
             id: toolId,
@@ -166,7 +163,7 @@ export const POST = withMcpAuth('write')(
             workflowId: workflowRecord.id,
             toolName,
             toolDescription,
-            parameterSchema,
+            parameterSchema: {},
             createdAt: new Date(),
             updatedAt: new Date(),
           })

apps/sim/app/api/organizations/[id]/invitations/[invitationId]/route.ts

@@ -446,46 +446,15 @@ export async function PUT(
             })
             .where(eq(workspaceInvitation.id, wsInvitation.id))
 
-          const existingPermission = await tx
-            .select({ id: permissions.id, permissionType: permissions.permissionType })
-            .from(permissions)
-            .where(
-              and(
-                eq(permissions.entityId, wsInvitation.workspaceId),
-                eq(permissions.entityType, 'workspace'),
-                eq(permissions.userId, session.user.id)
-              )
-            )
-            .then((rows) => rows[0])
-
-          if (existingPermission) {
-            const PERMISSION_RANK = { read: 0, write: 1, admin: 2 } as const
-            type PermissionLevel = keyof typeof PERMISSION_RANK
-            const existingRank =
-              PERMISSION_RANK[existingPermission.permissionType as PermissionLevel] ?? 0
-            const newPermission = (wsInvitation.permissions || 'read') as PermissionLevel
-            const newRank = PERMISSION_RANK[newPermission] ?? 0
-
-            if (newRank > existingRank) {
-              await tx
-                .update(permissions)
-                .set({
-                  permissionType: newPermission,
-                  updatedAt: new Date(),
-                })
-                .where(eq(permissions.id, existingPermission.id))
-            }
-          } else {
-            await tx.insert(permissions).values({
-              id: randomUUID(),
-              entityType: 'workspace',
-              entityId: wsInvitation.workspaceId,
-              userId: session.user.id,
-              permissionType: wsInvitation.permissions || 'read',
-              createdAt: new Date(),
-              updatedAt: new Date(),
-            })
-          }
+          await tx.insert(permissions).values({
+            id: randomUUID(),
+            entityType: 'workspace',
+            entityId: wsInvitation.workspaceId,
+            userId: session.user.id,
+            permissionType: wsInvitation.permissions || 'read',
+            createdAt: new Date(),
+            updatedAt: new Date(),
+          })
         }
       } else if (status === 'cancelled') {
         await tx

apps/sim/app/api/resume/[workflowId]/[executionId]/[contextId]/route.ts

@@ -4,7 +4,6 @@ import { type NextRequest, NextResponse } from 'next/server'
 import { generateRequestId } from '@/lib/core/utils/request'
 import { preprocessExecution } from '@/lib/execution/preprocessing'
 import { PauseResumeManager } from '@/lib/workflows/executor/human-in-the-loop-manager'
-import { getWorkspaceBilledAccountUserId } from '@/lib/workspaces/utils'
 import { validateWorkflowAccess } from '@/app/api/workflows/middleware'
 
 const logger = createLogger('WorkflowResumeAPI')
@@ -38,26 +37,7 @@ export async function POST(
   }
 
   const resumeInput = payload?.input ?? payload ?? {}
-  const isPersonalApiKeyCaller =
-    access.auth?.authType === 'api_key' && access.auth?.apiKeyType === 'personal'
-
-  let userId: string
-  if (isPersonalApiKeyCaller && access.auth?.userId) {
-    userId = access.auth.userId
-  } else {
-    const billedAccountUserId = await getWorkspaceBilledAccountUserId(workflow.workspaceId)
-    if (!billedAccountUserId) {
-      logger.error('Unable to resolve workspace billed account for resume execution', {
-        workflowId,
-        workspaceId: workflow.workspaceId,
-      })
-      return NextResponse.json(
-        { error: 'Unable to resolve billing account for this workspace' },
-        { status: 500 }
-      )
-    }
-    userId = billedAccountUserId
-  }
+  const userId = workflow.userId ?? ''
 
   const resumeExecutionId = randomUUID()
   const requestId = generateRequestId()
@@ -78,8 +58,8 @@ export async function POST(
     checkRateLimit: false, // Manual triggers bypass rate limits
     checkDeployment: false, // Resuming existing execution, deployment already checked
     skipUsageLimits: true, // Resume is continuation of authorized execution - don't recheck limits
-    useAuthenticatedUserAsActor: isPersonalApiKeyCaller,
     workspaceId: workflow.workspaceId || undefined,
+    isResumeContext: true, // Enable billing fallback for paused workflow resumes
   })
 
   if (!preprocessResult.success) {

apps/sim/app/api/schedules/[id]/route.test.ts

@@ -7,20 +7,21 @@ import { loggerMock } from '@sim/testing'
 import { NextRequest } from 'next/server'
 import { afterEach, beforeEach, describe, expect, it, vi } from 'vitest'
 
-const { mockGetSession, mockAuthorizeWorkflowByWorkspacePermission, mockDbSelect, mockDbUpdate } =
-  vi.hoisted(() => ({
+const { mockGetSession, mockGetUserEntityPermissions, mockDbSelect, mockDbUpdate } = vi.hoisted(
+  () => ({
     mockGetSession: vi.fn(),
-    mockAuthorizeWorkflowByWorkspacePermission: vi.fn(),
+    mockGetUserEntityPermissions: vi.fn(),
     mockDbSelect: vi.fn(),
     mockDbUpdate: vi.fn(),
-  }))
+  })
+)
 
 vi.mock('@/lib/auth', () => ({
   getSession: mockGetSession,
 }))
 
-vi.mock('@/lib/workflows/utils', () => ({
-  authorizeWorkflowByWorkspacePermission: mockAuthorizeWorkflowByWorkspacePermission,
+vi.mock('@/lib/workspaces/permissions/utils', () => ({
+  getUserEntityPermissions: mockGetUserEntityPermissions,
 }))
 
 vi.mock('@sim/db', () => ({
@@ -80,12 +81,7 @@ describe('Schedule PUT API (Reactivate)', () => {
   beforeEach(() => {
     vi.clearAllMocks()
     mockGetSession.mockResolvedValue({ user: { id: 'user-1' } })
-    mockAuthorizeWorkflowByWorkspacePermission.mockResolvedValue({
-      allowed: true,
-      status: 200,
-      workflow: { id: 'wf-1', workspaceId: 'ws-1' },
-      workspacePermission: 'write',
-    })
+    mockGetUserEntityPermissions.mockResolvedValue('write')
   })
 
   afterEach(() => {
@@ -144,13 +140,6 @@ describe('Schedule PUT API (Reactivate)', () => {
     })
 
     it('returns 404 when workflow does not exist for schedule', async () => {
-      mockAuthorizeWorkflowByWorkspacePermission.mockResolvedValue({
-        allowed: false,
-        status: 404,
-        workflow: null,
-        workspacePermission: null,
-        message: 'Workflow not found',
-      })
       mockDbChain([[{ id: 'sched-1', workflowId: 'wf-1', status: 'disabled' }], []])
 
       const res = await PUT(createRequest({ action: 'reactivate' }), createParams('sched-1'))
@@ -163,14 +152,6 @@ describe('Schedule PUT API (Reactivate)', () => {
 
   describe('Authorization', () => {
     it('returns 403 when user is not workflow owner', async () => {
-      mockAuthorizeWorkflowByWorkspacePermission.mockResolvedValue({
-        allowed: false,
-        status: 403,
-        workflow: { id: 'wf-1', workspaceId: null },
-        workspacePermission: null,
-        message:
-          'This workflow is not attached to a workspace. Personal workflows are deprecated and cannot be accessed.',
-      })
       mockDbChain([
         [{ id: 'sched-1', workflowId: 'wf-1', status: 'disabled' }],
         [{ userId: 'other-user', workspaceId: null }],
@@ -180,17 +161,11 @@ describe('Schedule PUT API (Reactivate)', () => {
 
       expect(res.status).toBe(403)
       const data = await res.json()
-      expect(data.error).toContain('Personal workflows are deprecated')
+      expect(data.error).toBe('Not authorized to modify this schedule')
     })
 
     it('returns 403 for workspace member with only read permission', async () => {
-      mockAuthorizeWorkflowByWorkspacePermission.mockResolvedValue({
-        allowed: false,
-        status: 403,
-        workflow: { id: 'wf-1', workspaceId: 'ws-1' },
-        workspacePermission: 'read',
-        message: 'Unauthorized: Access denied to write this workflow',
-      })
+      mockGetUserEntityPermissions.mockResolvedValue('read')
       mockDbChain([
         [{ id: 'sched-1', workflowId: 'wf-1', status: 'disabled' }],
         [{ userId: 'other-user', workspaceId: 'ws-1' }],
@@ -223,6 +198,7 @@ describe('Schedule PUT API (Reactivate)', () => {
     })
 
     it('allows workspace member with write permission to reactivate', async () => {
+      mockGetUserEntityPermissions.mockResolvedValue('write')
       mockDbChain([
         [
           {
@@ -242,6 +218,7 @@ describe('Schedule PUT API (Reactivate)', () => {
     })
 
     it('allows workspace admin to reactivate', async () => {
+      mockGetUserEntityPermissions.mockResolvedValue('admin')
       mockDbChain([
         [
           {

apps/sim/app/api/schedules/[id]/route.ts

@@ -1,5 +1,5 @@
 import { db } from '@sim/db'
-import { workflowSchedule } from '@sim/db/schema'
+import { workflow, workflowSchedule } from '@sim/db/schema'
 import { createLogger } from '@sim/logger'
 import { eq } from 'drizzle-orm'
 import { type NextRequest, NextResponse } from 'next/server'
@@ -7,7 +7,7 @@ import { z } from 'zod'
 import { getSession } from '@/lib/auth'
 import { generateRequestId } from '@/lib/core/utils/request'
 import { validateCronExpression } from '@/lib/workflows/schedules/utils'
-import { authorizeWorkflowByWorkspacePermission } from '@/lib/workflows/utils'
+import { getUserEntityPermissions } from '@/lib/workspaces/permissions/utils'
 
 const logger = createLogger('ScheduleAPI')
 
@@ -57,23 +57,31 @@ export async function PUT(request: NextRequest, { params }: { params: Promise<{
       return NextResponse.json({ error: 'Schedule not found' }, { status: 404 })
     }
 
-    const authorization = await authorizeWorkflowByWorkspacePermission({
-      workflowId: schedule.workflowId,
-      userId: session.user.id,
-      action: 'write',
-    })
+    const [workflowRecord] = await db
+      .select({ userId: workflow.userId, workspaceId: workflow.workspaceId })
+      .from(workflow)
+      .where(eq(workflow.id, schedule.workflowId))
+      .limit(1)
 
-    if (!authorization.workflow) {
+    if (!workflowRecord) {
       logger.warn(`[${requestId}] Workflow not found for schedule: ${scheduleId}`)
       return NextResponse.json({ error: 'Workflow not found' }, { status: 404 })
     }
 
-    if (!authorization.allowed) {
-      logger.warn(`[${requestId}] User not authorized to modify this schedule: ${scheduleId}`)
-      return NextResponse.json(
-        { error: authorization.message || 'Not authorized to modify this schedule' },
-        { status: authorization.status }
+    let isAuthorized = workflowRecord.userId === session.user.id
+
+    if (!isAuthorized && workflowRecord.workspaceId) {
+      const userPermission = await getUserEntityPermissions(
+        session.user.id,
+        'workspace',
+        workflowRecord.workspaceId
       )
+      isAuthorized = userPermission === 'write' || userPermission === 'admin'
+    }
+
+    if (!isAuthorized) {
+      logger.warn(`[${requestId}] User not authorized to modify this schedule: ${scheduleId}`)
+      return NextResponse.json({ error: 'Not authorized to modify this schedule' }, { status: 403 })
     }
 
     if (schedule.status === 'active') {

apps/sim/app/api/schedules/route.test.ts

@@ -7,20 +7,18 @@ import { loggerMock } from '@sim/testing'
 import { NextRequest } from 'next/server'
 import { afterEach, beforeEach, describe, expect, it, vi } from 'vitest'
 
-const { mockGetSession, mockAuthorizeWorkflowByWorkspacePermission, mockDbSelect } = vi.hoisted(
-  () => ({
-    mockGetSession: vi.fn(),
-    mockAuthorizeWorkflowByWorkspacePermission: vi.fn(),
-    mockDbSelect: vi.fn(),
-  })
-)
+const { mockGetSession, mockGetUserEntityPermissions, mockDbSelect } = vi.hoisted(() => ({
+  mockGetSession: vi.fn(),
+  mockGetUserEntityPermissions: vi.fn(),
+  mockDbSelect: vi.fn(),
+}))
 
 vi.mock('@/lib/auth', () => ({
   getSession: mockGetSession,
 }))
 
-vi.mock('@/lib/workflows/utils', () => ({
-  authorizeWorkflowByWorkspacePermission: mockAuthorizeWorkflowByWorkspacePermission,
+vi.mock('@/lib/workspaces/permissions/utils', () => ({
+  getUserEntityPermissions: mockGetUserEntityPermissions,
 }))
 
 vi.mock('@sim/db', () => ({
@@ -82,12 +80,7 @@ describe('Schedule GET API', () => {
   beforeEach(() => {
     vi.clearAllMocks()
     mockGetSession.mockResolvedValue({ user: { id: 'user-1' } })
-    mockAuthorizeWorkflowByWorkspacePermission.mockResolvedValue({
-      allowed: true,
-      status: 200,
-      workflow: { id: 'wf-1', workspaceId: 'ws-1' },
-      workspacePermission: 'read',
-    })
+    mockGetUserEntityPermissions.mockResolvedValue('read')
   })
 
   afterEach(() => {
@@ -96,6 +89,7 @@ describe('Schedule GET API', () => {
 
   it('returns schedule data for authorized user', async () => {
     mockDbChain([
+      [{ userId: 'user-1', workspaceId: null }],
       [
         {
           schedule: {
@@ -117,7 +111,7 @@ describe('Schedule GET API', () => {
   })
 
   it('returns null when no schedule exists', async () => {
-    mockDbChain([[]])
+    mockDbChain([[{ userId: 'user-1', workspaceId: null }], []])
 
     const res = await GET(createRequest('http://test/api/schedules?workflowId=wf-1'))
     const data = await res.json()
@@ -141,13 +135,6 @@ describe('Schedule GET API', () => {
   })
 
   it('returns 404 for non-existent workflow', async () => {
-    mockAuthorizeWorkflowByWorkspacePermission.mockResolvedValue({
-      allowed: false,
-      status: 404,
-      message: 'Workflow not found',
-      workflow: null,
-      workspacePermission: null,
-    })
     mockDbChain([[]])
 
     const res = await GET(createRequest('http://test/api/schedules?workflowId=wf-1'))
@@ -156,13 +143,6 @@ describe('Schedule GET API', () => {
   })
 
   it('denies access for unauthorized user', async () => {
-    mockAuthorizeWorkflowByWorkspacePermission.mockResolvedValue({
-      allowed: false,
-      status: 403,
-      message: 'Unauthorized: Access denied to read this workflow',
-      workflow: { id: 'wf-1', workspaceId: 'ws-1' },
-      workspacePermission: null,
-    })
     mockDbChain([[{ userId: 'other-user', workspaceId: null }]])
 
     const res = await GET(createRequest('http://test/api/schedules?workflowId=wf-1'))
@@ -171,7 +151,10 @@ describe('Schedule GET API', () => {
   })
 
   it('allows workspace members to view', async () => {
-    mockDbChain([[{ schedule: { id: 'sched-1', status: 'active', failedCount: 0 } }]])
+    mockDbChain([
+      [{ userId: 'other-user', workspaceId: 'ws-1' }],
+      [{ schedule: { id: 'sched-1', status: 'active', failedCount: 0 } }],
+    ])
 
     const res = await GET(createRequest('http://test/api/schedules?workflowId=wf-1'))
 
@@ -179,7 +162,10 @@ describe('Schedule GET API', () => {
   })
 
   it('indicates disabled schedule with failures', async () => {
-    mockDbChain([[{ schedule: { id: 'sched-1', status: 'disabled', failedCount: 100 } }]])
+    mockDbChain([
+      [{ userId: 'user-1', workspaceId: null }],
+      [{ schedule: { id: 'sched-1', status: 'disabled', failedCount: 100 } }],
+    ])
 
     const res = await GET(createRequest('http://test/api/schedules?workflowId=wf-1'))
     const data = await res.json()

apps/sim/app/api/schedules/route.ts

@@ -1,11 +1,11 @@
 import { db } from '@sim/db'
-import { workflowDeploymentVersion, workflowSchedule } from '@sim/db/schema'
+import { workflow, workflowDeploymentVersion, workflowSchedule } from '@sim/db/schema'
 import { createLogger } from '@sim/logger'
 import { and, eq, isNull, or } from 'drizzle-orm'
 import { type NextRequest, NextResponse } from 'next/server'
 import { getSession } from '@/lib/auth'
 import { generateRequestId } from '@/lib/core/utils/request'
-import { authorizeWorkflowByWorkspacePermission } from '@/lib/workflows/utils'
+import { getUserEntityPermissions } from '@/lib/workspaces/permissions/utils'
 
 const logger = createLogger('ScheduledAPI')
 
@@ -29,21 +29,29 @@ export async function GET(req: NextRequest) {
       return NextResponse.json({ error: 'Missing workflowId parameter' }, { status: 400 })
     }
 
-    const authorization = await authorizeWorkflowByWorkspacePermission({
-      workflowId,
-      userId: session.user.id,
-      action: 'read',
-    })
+    const [workflowRecord] = await db
+      .select({ userId: workflow.userId, workspaceId: workflow.workspaceId })
+      .from(workflow)
+      .where(eq(workflow.id, workflowId))
+      .limit(1)
 
-    if (!authorization.workflow) {
+    if (!workflowRecord) {
       return NextResponse.json({ error: 'Workflow not found' }, { status: 404 })
     }
 
-    if (!authorization.allowed) {
-      return NextResponse.json(
-        { error: authorization.message || 'Not authorized to view this workflow' },
-        { status: authorization.status }
+    let isAuthorized = workflowRecord.userId === session.user.id
+
+    if (!isAuthorized && workflowRecord.workspaceId) {
+      const userPermission = await getUserEntityPermissions(
+        session.user.id,
+        'workspace',
+        workflowRecord.workspaceId
       )
+      isAuthorized = userPermission !== null
+    }
+
+    if (!isAuthorized) {
+      return NextResponse.json({ error: 'Not authorized to view this workflow' }, { status: 403 })
     }
 
     logger.info(`[${requestId}] Getting schedule for workflow ${workflowId}`)

apps/sim/app/api/tools/custom/route.test.ts

@@ -214,14 +214,6 @@ describe('Custom Tools API Routes', () => {
     vi.doMock('@/lib/workflows/custom-tools/operations', () => ({
       upsertCustomTools: vi.fn().mockResolvedValue(sampleTools),
     }))
-
-    vi.doMock('@/lib/workflows/utils', () => ({
-      authorizeWorkflowByWorkspacePermission: vi.fn().mockResolvedValue({
-        allowed: true,
-        status: 200,
-        workflow: { workspaceId: 'workspace-123' },
-      }),
-    }))
   })
 
   afterEach(() => {
@@ -280,6 +272,20 @@ describe('Custom Tools API Routes', () => {
     it('should handle workflowId parameter', async () => {
       const req = new NextRequest('http://localhost:3000/api/tools/custom?workflowId=workflow-123')
 
+      mockLimit.mockResolvedValueOnce([{ workspaceId: 'workspace-123' }])
+
+      mockWhere.mockImplementationOnce((condition) => {
+        const queryBuilder = {
+          limit: mockLimit,
+          then: (resolve: (value: typeof sampleTools) => void) => {
+            resolve(sampleTools)
+            return queryBuilder
+          },
+          catch: (reject: (error: Error) => void) => queryBuilder,
+        }
+        return queryBuilder
+      })
+
       const { GET } = await import('@/app/api/tools/custom/route')
 
       const response = await GET(req)
@@ -369,8 +375,7 @@ describe('Custom Tools API Routes', () => {
     })
 
     it('should handle tool not found', async () => {
-      const mockLimitNotFound = vi.fn().mockResolvedValue([])
-      mockWhere.mockReturnValueOnce({ limit: mockLimitNotFound })
+      mockLimit.mockResolvedValueOnce([])
 
       const req = new NextRequest('http://localhost:3000/api/tools/custom?id=non-existent')
 
@@ -393,8 +398,7 @@ describe('Custom Tools API Routes', () => {
       }))
 
       const userScopedTool = { ...sampleTools[0], workspaceId: null, userId: 'user-123' }
-      const mockLimitUserScoped = vi.fn().mockResolvedValue([userScopedTool])
-      mockWhere.mockReturnValueOnce({ limit: mockLimitUserScoped })
+      mockLimit.mockResolvedValueOnce([userScopedTool])
 
       const req = new NextRequest('http://localhost:3000/api/tools/custom?id=tool-1')
 

apps/sim/app/api/tools/custom/route.ts

@@ -1,5 +1,5 @@
 import { db } from '@sim/db'
-import { customTools } from '@sim/db/schema'
+import { customTools, workflow } from '@sim/db/schema'
 import { createLogger } from '@sim/logger'
 import { and, desc, eq, isNull, or } from 'drizzle-orm'
 import { type NextRequest, NextResponse } from 'next/server'
@@ -7,7 +7,6 @@ import { z } from 'zod'
 import { checkSessionOrInternalAuth } from '@/lib/auth/hybrid'
 import { generateRequestId } from '@/lib/core/utils/request'
 import { upsertCustomTools } from '@/lib/workflows/custom-tools/operations'
-import { authorizeWorkflowByWorkspacePermission } from '@/lib/workflows/utils'
 import { getUserEntityPermissions } from '@/lib/workspaces/permissions/utils'
 
 const logger = createLogger('CustomToolsAPI')
@@ -53,32 +52,27 @@ export async function GET(request: NextRequest) {
     const userId = authResult.userId
 
     let resolvedWorkspaceId: string | null = workspaceId
-    let resolvedFromWorkflowAuthorization = false
 
     if (!resolvedWorkspaceId && workflowId) {
-      const workflowAuthorization = await authorizeWorkflowByWorkspacePermission({
-        workflowId,
-        userId,
-        action: 'read',
-      })
-      if (!workflowAuthorization.allowed) {
-        logger.warn(`[${requestId}] Workflow authorization failed for custom tools`, {
-          workflowId,
-          userId,
-          status: workflowAuthorization.status,
-        })
-        return NextResponse.json(
-          { error: workflowAuthorization.message || 'Access denied' },
-          { status: workflowAuthorization.status }
-        )
+      const [workflowData] = await db
+        .select({ workspaceId: workflow.workspaceId })
+        .from(workflow)
+        .where(eq(workflow.id, workflowId))
+        .limit(1)
+
+      if (!workflowData) {
+        logger.warn(`[${requestId}] Workflow not found: ${workflowId}`)
+        return NextResponse.json({ error: 'Workflow not found' }, { status: 404 })
       }
 
-      resolvedWorkspaceId = workflowAuthorization.workflow?.workspaceId ?? null
-      resolvedFromWorkflowAuthorization = true
+      resolvedWorkspaceId = workflowData.workspaceId
     }
 
-    // Check workspace permissions for all auth types
-    if (resolvedWorkspaceId && !resolvedFromWorkflowAuthorization) {
+    // Check workspace permissions
+    // For internal JWT with workflowId: checkSessionOrInternalAuth already resolved userId from workflow owner
+    // For session: verify user has access to the workspace
+    // For legacy (no workspaceId): skip workspace check, rely on userId match
+    if (resolvedWorkspaceId && !(authResult.authType === 'internal_jwt' && workflowId)) {
       const userPermission = await getUserEntityPermissions(
         userId,
         'workspace',

apps/sim/app/api/tools/jira/add-attachment/route.ts

@@ -47,9 +47,16 @@ export async function POST(request: NextRequest) {
       (await getJiraCloudId(validatedData.domain, validatedData.accessToken))
 
     const formData = new FormData()
+    const filesOutput: Array<{ name: string; mimeType: string; data: string; size: number }> = []
 
     for (const file of userFiles) {
       const buffer = await downloadFileFromStorage(file, requestId, logger)
+      filesOutput.push({
+        name: file.name,
+        mimeType: file.type || 'application/octet-stream',
+        data: buffer.toString('base64'),
+        size: buffer.length,
+      })
       const blob = new Blob([new Uint8Array(buffer)], {
         type: file.type || 'application/octet-stream',
       })
@@ -102,7 +109,7 @@ export async function POST(request: NextRequest) {
         issueKey: validatedData.issueKey,
         attachments,
         attachmentIds,
-        files: userFiles,
+        files: filesOutput,
       },
     })
   } catch (error) {

apps/sim/app/api/usage/route.ts

@@ -7,7 +7,6 @@ import {
   getOrganizationBillingData,
   isOrganizationOwnerOrAdmin,
 } from '@/lib/billing/core/organization'
-import { isUserMemberOfOrganization } from '@/lib/billing/organizations/membership'
 
 const logger = createLogger('UnifiedUsageAPI')
 
@@ -62,12 +61,6 @@ export async function GET(request: NextRequest) {
           { status: 400 }
         )
       }
-
-      const membership = await isUserMemberOfOrganization(session.user.id, organizationId)
-      if (!membership.isMember) {
-        return NextResponse.json({ error: 'Permission denied' }, { status: 403 })
-      }
-
       const org = await getOrganizationBillingData(organizationId)
       return NextResponse.json({
         success: true,

apps/sim/app/api/wand/route.ts

@@ -160,7 +160,7 @@ export async function POST(req: NextRequest) {
     let workspaceId: string | null = null
     if (workflowId) {
       const [workflowRecord] = await db
-        .select({ workspaceId: workflow.workspaceId })
+        .select({ workspaceId: workflow.workspaceId, userId: workflow.userId })
         .from(workflow)
         .where(eq(workflow.id, workflowId))
         .limit(1)
@@ -183,18 +183,9 @@ export async function POST(req: NextRequest) {
           )
           return NextResponse.json({ success: false, error: 'Unauthorized' }, { status: 403 })
         }
-      } else {
-        logger.warn(
-          `[${requestId}] Workflow ${workflowId} has no workspaceId; wand request blocked`
-        )
-        return NextResponse.json(
-          {
-            success: false,
-            error:
-              'This workflow is not attached to a workspace. Personal workflows are deprecated and cannot be accessed.',
-          },
-          { status: 403 }
-        )
+      } else if (workflowRecord.userId !== session.user.id) {
+        logger.warn(`[${requestId}] User ${session.user.id} does not own workflow ${workflowId}`)
+        return NextResponse.json({ success: false, error: 'Unauthorized' }, { status: 403 })
       }
     }
 

apps/sim/app/api/webhooks/[id]/route.ts

@@ -3,12 +3,12 @@ import { webhook, workflow } from '@sim/db/schema'
 import { createLogger } from '@sim/logger'
 import { and, eq } from 'drizzle-orm'
 import { type NextRequest, NextResponse } from 'next/server'
-import { checkSessionOrInternalAuth } from '@/lib/auth/hybrid'
+import { getSession } from '@/lib/auth'
 import { validateInteger } from '@/lib/core/security/input-validation'
 import { PlatformEvents } from '@/lib/core/telemetry'
 import { generateRequestId } from '@/lib/core/utils/request'
 import { cleanupExternalWebhook } from '@/lib/webhooks/provider-subscriptions'
-import { authorizeWorkflowByWorkspacePermission } from '@/lib/workflows/utils'
+import { getUserEntityPermissions } from '@/lib/workspaces/permissions/utils'
 
 const logger = createLogger('WebhookAPI')
 
@@ -22,12 +22,11 @@ export async function GET(request: NextRequest, { params }: { params: Promise<{
     const { id } = await params
     logger.debug(`[${requestId}] Fetching webhook with ID: ${id}`)
 
-    const auth = await checkSessionOrInternalAuth(request, { requireWorkflowId: false })
-    if (!auth.success || !auth.userId) {
+    const session = await getSession()
+    if (!session?.user?.id) {
       logger.warn(`[${requestId}] Unauthorized webhook access attempt`)
       return NextResponse.json({ error: 'Unauthorized' }, { status: 401 })
     }
-    const userId = auth.userId
 
     const webhooks = await db
       .select({
@@ -51,15 +50,28 @@ export async function GET(request: NextRequest, { params }: { params: Promise<{
 
     const webhookData = webhooks[0]
 
-    const authorization = await authorizeWorkflowByWorkspacePermission({
-      workflowId: webhookData.workflow.id,
-      userId,
-      action: 'read',
-    })
-    const hasAccess = authorization.allowed
+    // Check if user has permission to access this webhook
+    let hasAccess = false
+
+    // Case 1: User owns the workflow
+    if (webhookData.workflow.userId === session.user.id) {
+      hasAccess = true
+    }
+
+    // Case 2: Workflow belongs to a workspace and user has any permission
+    if (!hasAccess && webhookData.workflow.workspaceId) {
+      const userPermission = await getUserEntityPermissions(
+        session.user.id,
+        'workspace',
+        webhookData.workflow.workspaceId
+      )
+      if (userPermission !== null) {
+        hasAccess = true
+      }
+    }
 
     if (!hasAccess) {
-      logger.warn(`[${requestId}] User ${userId} denied access to webhook: ${id}`)
+      logger.warn(`[${requestId}] User ${session.user.id} denied access to webhook: ${id}`)
       return NextResponse.json({ error: 'Access denied' }, { status: 403 })
     }
 
@@ -78,12 +90,11 @@ export async function PATCH(request: NextRequest, { params }: { params: Promise<
     const { id } = await params
     logger.debug(`[${requestId}] Updating webhook with ID: ${id}`)
 
-    const auth = await checkSessionOrInternalAuth(request, { requireWorkflowId: false })
-    if (!auth.success || !auth.userId) {
+    const session = await getSession()
+    if (!session?.user?.id) {
       logger.warn(`[${requestId}] Unauthorized webhook update attempt`)
       return NextResponse.json({ error: 'Unauthorized' }, { status: 401 })
     }
-    const userId = auth.userId
 
     const body = await request.json()
     const { isActive, failedCount } = body
@@ -116,15 +127,27 @@ export async function PATCH(request: NextRequest, { params }: { params: Promise<
     }
 
     const webhookData = webhooks[0]
-    const authorization = await authorizeWorkflowByWorkspacePermission({
-      workflowId: webhookData.workflow.id,
-      userId,
-      action: 'write',
-    })
-    const canModify = authorization.allowed
+    let canModify = false
+
+    if (webhookData.workflow.userId === session.user.id) {
+      canModify = true
+    }
+
+    if (!canModify && webhookData.workflow.workspaceId) {
+      const userPermission = await getUserEntityPermissions(
+        session.user.id,
+        'workspace',
+        webhookData.workflow.workspaceId
+      )
+      if (userPermission === 'write' || userPermission === 'admin') {
+        canModify = true
+      }
+    }
 
     if (!canModify) {
-      logger.warn(`[${requestId}] User ${userId} denied permission to modify webhook: ${id}`)
+      logger.warn(
+        `[${requestId}] User ${session.user.id} denied permission to modify webhook: ${id}`
+      )
       return NextResponse.json({ error: 'Access denied' }, { status: 403 })
     }
 
@@ -162,12 +185,11 @@ export async function DELETE(
     const { id } = await params
     logger.debug(`[${requestId}] Deleting webhook with ID: ${id}`)
 
-    const auth = await checkSessionOrInternalAuth(request, { requireWorkflowId: false })
-    if (!auth.success || !auth.userId) {
+    const session = await getSession()
+    if (!session?.user?.id) {
       logger.warn(`[${requestId}] Unauthorized webhook deletion attempt`)
       return NextResponse.json({ error: 'Unauthorized' }, { status: 401 })
     }
-    const userId = auth.userId
 
     // Find the webhook and check permissions
     const webhooks = await db
@@ -191,15 +213,30 @@ export async function DELETE(
 
     const webhookData = webhooks[0]
 
-    const authorization = await authorizeWorkflowByWorkspacePermission({
-      workflowId: webhookData.workflow.id,
-      userId,
-      action: 'write',
-    })
-    const canDelete = authorization.allowed
+    // Check if user has permission to delete this webhook
+    let canDelete = false
+
+    // Case 1: User owns the workflow
+    if (webhookData.workflow.userId === session.user.id) {
+      canDelete = true
+    }
+
+    // Case 2: Workflow belongs to a workspace and user has write or admin permission
+    if (!canDelete && webhookData.workflow.workspaceId) {
+      const userPermission = await getUserEntityPermissions(
+        session.user.id,
+        'workspace',
+        webhookData.workflow.workspaceId
+      )
+      if (userPermission === 'write' || userPermission === 'admin') {
+        canDelete = true
+      }
+    }
 
     if (!canDelete) {
-      logger.warn(`[${requestId}] User ${userId} denied permission to delete webhook: ${id}`)
+      logger.warn(
+        `[${requestId}] User ${session.user.id} denied permission to delete webhook: ${id}`
+      )
       return NextResponse.json({ error: 'Access denied' }, { status: 403 })
     }
 

apps/sim/app/api/webhooks/route.ts

@@ -1,7 +1,7 @@
 import { db } from '@sim/db'
-import { permissions, webhook, workflow, workflowDeploymentVersion } from '@sim/db/schema'
+import { webhook, workflow, workflowDeploymentVersion } from '@sim/db/schema'
 import { createLogger } from '@sim/logger'
-import { and, desc, eq, inArray, isNull, or } from 'drizzle-orm'
+import { and, desc, eq, isNull, or } from 'drizzle-orm'
 import { nanoid } from 'nanoid'
 import { type NextRequest, NextResponse } from 'next/server'
 import { getSession } from '@/lib/auth'
@@ -20,7 +20,7 @@ import {
   configureRssPolling,
   syncWebhooksForCredentialSet,
 } from '@/lib/webhooks/utils.server'
-import { authorizeWorkflowByWorkspacePermission } from '@/lib/workflows/utils'
+import { getUserEntityPermissions } from '@/lib/workspaces/permissions/utils'
 import { extractCredentialSetId, isCredentialSetValue } from '@/executor/constants'
 
 const logger = createLogger('WebhooksAPI')
@@ -57,12 +57,15 @@ export async function GET(request: NextRequest) {
       }
 
       const wfRecord = wf[0]
-      const authorization = await authorizeWorkflowByWorkspacePermission({
-        workflowId: wfRecord.id,
-        userId: session.user.id,
-        action: 'read',
-      })
-      const canRead = authorization.allowed
+      let canRead = wfRecord.userId === session.user.id
+      if (!canRead && wfRecord.workspaceId) {
+        const permission = await getUserEntityPermissions(
+          session.user.id,
+          'workspace',
+          wfRecord.workspaceId
+        )
+        canRead = permission === 'read' || permission === 'write' || permission === 'admin'
+      }
 
       if (!canRead) {
         logger.warn(
@@ -111,17 +114,8 @@ export async function GET(request: NextRequest) {
       return NextResponse.json({ webhooks: [] }, { status: 200 })
     }
 
-    logger.debug(`[${requestId}] Fetching workspace-accessible webhooks for ${session.user.id}`)
-    const workspacePermissionRows = await db
-      .select({ workspaceId: permissions.entityId })
-      .from(permissions)
-      .where(and(eq(permissions.userId, session.user.id), eq(permissions.entityType, 'workspace')))
-
-    const workspaceIds = workspacePermissionRows.map((row) => row.workspaceId)
-    if (workspaceIds.length === 0) {
-      return NextResponse.json({ webhooks: [] }, { status: 200 })
-    }
-
+    // Default: list webhooks owned by the session user
+    logger.debug(`[${requestId}] Fetching user-owned webhooks for ${session.user.id}`)
     const webhooks = await db
       .select({
         webhook: webhook,
@@ -132,9 +126,9 @@ export async function GET(request: NextRequest) {
       })
       .from(webhook)
       .innerJoin(workflow, eq(webhook.workflowId, workflow.id))
-      .where(inArray(workflow.workspaceId, workspaceIds))
+      .where(eq(workflow.userId, session.user.id))
 
-    logger.info(`[${requestId}] Retrieved ${webhooks.length} workspace-accessible webhooks`)
+    logger.info(`[${requestId}] Retrieved ${webhooks.length} user-owned webhooks`)
     return NextResponse.json({ webhooks }, { status: 200 })
   } catch (error) {
     logger.error(`[${requestId}] Error fetching webhooks`, error)
@@ -243,12 +237,25 @@ export async function POST(request: NextRequest) {
 
     const workflowRecord = workflowData[0]
 
-    const authorization = await authorizeWorkflowByWorkspacePermission({
-      workflowId,
-      userId,
-      action: 'write',
-    })
-    const canModify = authorization.allowed
+    // Check if user has permission to modify this workflow
+    let canModify = false
+
+    // Case 1: User owns the workflow
+    if (workflowRecord.userId === userId) {
+      canModify = true
+    }
+
+    // Case 2: Workflow belongs to a workspace and user has write or admin permission
+    if (!canModify && workflowRecord.workspaceId) {
+      const userPermission = await getUserEntityPermissions(
+        userId,
+        'workspace',
+        workflowRecord.workspaceId
+      )
+      if (userPermission === 'write' || userPermission === 'admin') {
+        canModify = true
+      }
+    }
 
     if (!canModify) {
       logger.warn(

apps/sim/app/api/workflows/[id]/autolayout/route.ts

@@ -1,7 +1,7 @@
 import { createLogger } from '@sim/logger'
 import { type NextRequest, NextResponse } from 'next/server'
 import { z } from 'zod'
-import { checkSessionOrInternalAuth } from '@/lib/auth/hybrid'
+import { getSession } from '@/lib/auth'
 import { generateRequestId } from '@/lib/core/utils/request'
 import { applyAutoLayout } from '@/lib/workflows/autolayout'
 import {
@@ -13,7 +13,7 @@ import {
   loadWorkflowFromNormalizedTables,
   type NormalizedWorkflowData,
 } from '@/lib/workflows/persistence/utils'
-import { authorizeWorkflowByWorkspacePermission } from '@/lib/workflows/utils'
+import { getWorkflowAccessContext } from '@/lib/workflows/utils'
 
 export const dynamic = 'force-dynamic'
 
@@ -52,13 +52,13 @@ export async function POST(request: NextRequest, { params }: { params: Promise<{
   const { id: workflowId } = await params
 
   try {
-    const auth = await checkSessionOrInternalAuth(request, { requireWorkflowId: false })
-    if (!auth.success || !auth.userId) {
+    const session = await getSession()
+    if (!session?.user?.id) {
       logger.warn(`[${requestId}] Unauthorized autolayout attempt for workflow ${workflowId}`)
       return NextResponse.json({ error: 'Unauthorized' }, { status: 401 })
     }
 
-    const userId = auth.userId
+    const userId = session.user.id
 
     const body = await request.json()
     const layoutOptions = AutoLayoutRequestSchema.parse(body)
@@ -67,28 +67,26 @@ export async function POST(request: NextRequest, { params }: { params: Promise<{
       userId,
     })
 
-    const authorization = await authorizeWorkflowByWorkspacePermission({
-      workflowId,
-      userId,
-      action: 'write',
-    })
-    const workflowData = authorization.workflow
+    const accessContext = await getWorkflowAccessContext(workflowId, userId)
+    const workflowData = accessContext?.workflow
 
     if (!workflowData) {
       logger.warn(`[${requestId}] Workflow ${workflowId} not found for autolayout`)
       return NextResponse.json({ error: 'Workflow not found' }, { status: 404 })
     }
 
-    const canUpdate = authorization.allowed
+    const canUpdate =
+      accessContext?.isOwner ||
+      (workflowData.workspaceId
+        ? accessContext?.workspacePermission === 'write' ||
+          accessContext?.workspacePermission === 'admin'
+        : false)
 
     if (!canUpdate) {
       logger.warn(
         `[${requestId}] User ${userId} denied permission to autolayout workflow ${workflowId}`
       )
-      return NextResponse.json(
-        { error: authorization.message || 'Access denied' },
-        { status: authorization.status || 403 }
-      )
+      return NextResponse.json({ error: 'Access denied' }, { status: 403 })
     }
 
     let currentWorkflowData: NormalizedWorkflowData | null

apps/sim/app/api/workflows/[id]/chat/status/route.test.ts

@@ -1,131 +0,0 @@
-/**
- * Tests for workflow chat status route auth and access.
- *
- * @vitest-environment node
- */
-import { loggerMock } from '@sim/testing'
-import { NextRequest } from 'next/server'
-import { afterEach, beforeEach, describe, expect, it, vi } from 'vitest'
-
-const mockCheckSessionOrInternalAuth = vi.fn()
-const mockAuthorizeWorkflowByWorkspacePermission = vi.fn()
-const mockDbSelect = vi.fn()
-const mockDbFrom = vi.fn()
-const mockDbWhere = vi.fn()
-const mockDbLimit = vi.fn()
-
-describe('Workflow Chat Status Route', () => {
-  beforeEach(() => {
-    vi.resetModules()
-    vi.clearAllMocks()
-
-    mockDbSelect.mockReturnValue({ from: mockDbFrom })
-    mockDbFrom.mockReturnValue({ where: mockDbWhere })
-    mockDbWhere.mockReturnValue({ limit: mockDbLimit })
-    mockDbLimit.mockResolvedValue([])
-
-    vi.doMock('@sim/logger', () => loggerMock)
-    vi.doMock('drizzle-orm', () => ({
-      eq: vi.fn(),
-    }))
-    vi.doMock('@sim/db', () => ({
-      db: {
-        select: mockDbSelect,
-      },
-    }))
-    vi.doMock('@sim/db/schema', () => ({
-      chat: {
-        id: 'id',
-        identifier: 'identifier',
-        title: 'title',
-        description: 'description',
-        customizations: 'customizations',
-        authType: 'authType',
-        allowedEmails: 'allowedEmails',
-        outputConfigs: 'outputConfigs',
-        password: 'password',
-        isActive: 'isActive',
-        workflowId: 'workflowId',
-      },
-    }))
-    vi.doMock('@/lib/auth/hybrid', () => ({
-      checkSessionOrInternalAuth: mockCheckSessionOrInternalAuth,
-    }))
-    vi.doMock('@/lib/workflows/utils', () => ({
-      authorizeWorkflowByWorkspacePermission: mockAuthorizeWorkflowByWorkspacePermission,
-    }))
-  })
-
-  afterEach(() => {
-    vi.clearAllMocks()
-  })
-
-  it('returns 401 when unauthenticated', async () => {
-    mockCheckSessionOrInternalAuth.mockResolvedValueOnce({ success: false })
-
-    const { GET } = await import('./route')
-    const req = new NextRequest('http://localhost:3000/api/workflows/wf-1/chat/status')
-    const response = await GET(req, { params: Promise.resolve({ id: 'wf-1' }) })
-
-    expect(response.status).toBe(401)
-  })
-
-  it('returns 403 when user lacks workspace access', async () => {
-    mockCheckSessionOrInternalAuth.mockResolvedValueOnce({
-      success: true,
-      userId: 'user-1',
-      authType: 'session',
-    })
-    mockAuthorizeWorkflowByWorkspacePermission.mockResolvedValueOnce({
-      allowed: false,
-      status: 403,
-      message: 'Access denied',
-      workflow: { id: 'wf-1', workspaceId: 'ws-1' },
-      workspacePermission: null,
-    })
-
-    const { GET } = await import('./route')
-    const req = new NextRequest('http://localhost:3000/api/workflows/wf-1/chat/status')
-    const response = await GET(req, { params: Promise.resolve({ id: 'wf-1' }) })
-
-    expect(response.status).toBe(403)
-  })
-
-  it('returns deployment details when authorized', async () => {
-    mockCheckSessionOrInternalAuth.mockResolvedValueOnce({
-      success: true,
-      userId: 'user-1',
-      authType: 'session',
-    })
-    mockAuthorizeWorkflowByWorkspacePermission.mockResolvedValueOnce({
-      allowed: true,
-      status: 200,
-      workflow: { id: 'wf-1', workspaceId: 'ws-1' },
-      workspacePermission: 'read',
-    })
-    mockDbLimit.mockResolvedValueOnce([
-      {
-        id: 'chat-1',
-        identifier: 'assistant',
-        title: 'Support Bot',
-        description: 'desc',
-        customizations: { theme: 'dark' },
-        authType: 'public',
-        allowedEmails: [],
-        outputConfigs: {},
-        password: 'secret',
-        isActive: true,
-      },
-    ])
-
-    const { GET } = await import('./route')
-    const req = new NextRequest('http://localhost:3000/api/workflows/wf-1/chat/status')
-    const response = await GET(req, { params: Promise.resolve({ id: 'wf-1' }) })
-
-    expect(response.status).toBe(200)
-    const data = await response.json()
-    expect(data.isDeployed).toBe(true)
-    expect(data.deployment.id).toBe('chat-1')
-    expect(data.deployment.hasPassword).toBe(true)
-  })
-})

apps/sim/app/api/workflows/[id]/chat/status/route.ts

@@ -2,10 +2,7 @@ import { db } from '@sim/db'
 import { chat } from '@sim/db/schema'
 import { createLogger } from '@sim/logger'
 import { eq } from 'drizzle-orm'
-import type { NextRequest } from 'next/server'
-import { checkSessionOrInternalAuth } from '@/lib/auth/hybrid'
 import { generateRequestId } from '@/lib/core/utils/request'
-import { authorizeWorkflowByWorkspacePermission } from '@/lib/workflows/utils'
 import { createErrorResponse, createSuccessResponse } from '@/app/api/workflows/utils'
 
 const logger = createLogger('ChatStatusAPI')
@@ -13,28 +10,11 @@ const logger = createLogger('ChatStatusAPI')
 /**
  * GET endpoint to check if a workflow has an active chat deployment
  */
-export async function GET(request: NextRequest, { params }: { params: Promise<{ id: string }> }) {
+export async function GET(_request: Request, { params }: { params: Promise<{ id: string }> }) {
   const { id } = await params
   const requestId = generateRequestId()
 
   try {
-    const auth = await checkSessionOrInternalAuth(request, { requireWorkflowId: false })
-    if (!auth.success || !auth.userId) {
-      return createErrorResponse('Unauthorized', 401)
-    }
-
-    const authorization = await authorizeWorkflowByWorkspacePermission({
-      workflowId: id,
-      userId: auth.userId,
-      action: 'read',
-    })
-    if (!authorization.allowed) {
-      return createErrorResponse(
-        authorization.message || 'Access denied',
-        authorization.status || 403
-      )
-    }
-
     logger.debug(`[${requestId}] Checking chat deployment status for workflow: ${id}`)
 
     // Find any active chat deployments for this workflow

apps/sim/app/api/workflows/[id]/duplicate/route.ts

@@ -1,7 +1,7 @@
 import { createLogger } from '@sim/logger'
 import { type NextRequest, NextResponse } from 'next/server'
 import { z } from 'zod'
-import { checkSessionOrInternalAuth } from '@/lib/auth/hybrid'
+import { getSession } from '@/lib/auth'
 import { PlatformEvents } from '@/lib/core/telemetry'
 import { generateRequestId } from '@/lib/core/utils/request'
 import { duplicateWorkflow } from '@/lib/workflows/persistence/duplicate'
@@ -22,22 +22,23 @@ export async function POST(req: NextRequest, { params }: { params: Promise<{ id:
   const requestId = generateRequestId()
   const startTime = Date.now()
 
-  const auth = await checkSessionOrInternalAuth(req, { requireWorkflowId: false })
-  if (!auth.success || !auth.userId) {
+  const session = await getSession()
+  if (!session?.user?.id) {
     logger.warn(`[${requestId}] Unauthorized workflow duplication attempt for ${sourceWorkflowId}`)
     return NextResponse.json({ error: 'Unauthorized' }, { status: 401 })
   }
-  const userId = auth.userId
 
   try {
     const body = await req.json()
     const { name, description, color, workspaceId, folderId } = DuplicateRequestSchema.parse(body)
 
-    logger.info(`[${requestId}] Duplicating workflow ${sourceWorkflowId} for user ${userId}`)
+    logger.info(
+      `[${requestId}] Duplicating workflow ${sourceWorkflowId} for user ${session.user.id}`
+    )
 
     const result = await duplicateWorkflow({
       sourceWorkflowId,
-      userId,
+      userId: session.user.id,
       name,
       description,
       color,
@@ -71,7 +72,7 @@ export async function POST(req: NextRequest, { params }: { params: Promise<{ id:
 
       if (error.message === 'Source workflow not found or access denied') {
         logger.warn(
-          `[${requestId}] User ${userId} denied access to source workflow ${sourceWorkflowId}`
+          `[${requestId}] User ${session.user.id} denied access to source workflow ${sourceWorkflowId}`
         )
         return NextResponse.json({ error: 'Access denied' }, { status: 403 })
       }

apps/sim/app/api/workflows/[id]/execute/route.ts

@@ -29,11 +29,7 @@ import {
   loadWorkflowFromNormalizedTables,
 } from '@/lib/workflows/persistence/utils'
 import { createStreamingResponse } from '@/lib/workflows/streaming/streaming'
-import {
-  authorizeWorkflowByWorkspacePermission,
-  createHttpResponseFromBlock,
-  workflowHasResponseBlock,
-} from '@/lib/workflows/utils'
+import { createHttpResponseFromBlock, workflowHasResponseBlock } from '@/lib/workflows/utils'
 import { executeWorkflowJob, type WorkflowExecutionPayload } from '@/background/workflow-execution'
 import { normalizeName } from '@/executor/constants'
 import { ExecutionSnapshot } from '@/executor/execution/snapshot'
@@ -344,17 +340,6 @@ export async function POST(req: NextRequest, { params }: { params: Promise<{ id:
         : validatedInput
 
     const shouldUseDraftState = useDraftState ?? auth.authType === 'session'
-    const workflowAuthorization = await authorizeWorkflowByWorkspacePermission({
-      workflowId,
-      userId,
-      action: shouldUseDraftState ? 'write' : 'read',
-    })
-    if (!workflowAuthorization.allowed) {
-      return NextResponse.json(
-        { error: workflowAuthorization.message || 'Access denied' },
-        { status: workflowAuthorization.status }
-      )
-    }
 
     const streamHeader = req.headers.get('X-Stream-Response') === 'true'
     const enableSSE = streamHeader || streamParam === true

apps/sim/app/api/workflows/[id]/executions/[executionId]/cancel/route.ts

@@ -2,7 +2,6 @@ import { createLogger } from '@sim/logger'
 import { type NextRequest, NextResponse } from 'next/server'
 import { checkHybridAuth } from '@/lib/auth/hybrid'
 import { markExecutionCancelled } from '@/lib/execution/cancellation'
-import { authorizeWorkflowByWorkspacePermission } from '@/lib/workflows/utils'
 
 const logger = createLogger('CancelExecutionAPI')
 
@@ -21,18 +20,6 @@ export async function POST(
       return NextResponse.json({ error: auth.error || 'Unauthorized' }, { status: 401 })
     }
 
-    const workflowAuthorization = await authorizeWorkflowByWorkspacePermission({
-      workflowId,
-      userId: auth.userId,
-      action: 'write',
-    })
-    if (!workflowAuthorization.allowed) {
-      return NextResponse.json(
-        { error: workflowAuthorization.message || 'Access denied' },
-        { status: workflowAuthorization.status }
-      )
-    }
-
     logger.info('Cancel execution requested', { workflowId, executionId, userId: auth.userId })
 
     const marked = await markExecutionCancelled(executionId)

apps/sim/app/api/workflows/[id]/form/status/route.test.ts

@@ -1,119 +0,0 @@
-/**
- * Tests for workflow form status route auth and access.
- *
- * @vitest-environment node
- */
-import { loggerMock } from '@sim/testing'
-import { NextRequest } from 'next/server'
-import { afterEach, beforeEach, describe, expect, it, vi } from 'vitest'
-
-const mockCheckSessionOrInternalAuth = vi.fn()
-const mockAuthorizeWorkflowByWorkspacePermission = vi.fn()
-const mockDbSelect = vi.fn()
-const mockDbFrom = vi.fn()
-const mockDbWhere = vi.fn()
-const mockDbLimit = vi.fn()
-
-describe('Workflow Form Status Route', () => {
-  beforeEach(() => {
-    vi.resetModules()
-    vi.clearAllMocks()
-
-    mockDbSelect.mockReturnValue({ from: mockDbFrom })
-    mockDbFrom.mockReturnValue({ where: mockDbWhere })
-    mockDbWhere.mockReturnValue({ limit: mockDbLimit })
-    mockDbLimit.mockResolvedValue([])
-
-    vi.doMock('@sim/logger', () => loggerMock)
-    vi.doMock('drizzle-orm', () => ({
-      and: vi.fn(),
-      eq: vi.fn(),
-    }))
-    vi.doMock('@sim/db', () => ({
-      db: {
-        select: mockDbSelect,
-      },
-    }))
-    vi.doMock('@sim/db/schema', () => ({
-      form: {
-        id: 'id',
-        identifier: 'identifier',
-        title: 'title',
-        workflowId: 'workflowId',
-        isActive: 'isActive',
-      },
-    }))
-    vi.doMock('@/lib/auth/hybrid', () => ({
-      checkSessionOrInternalAuth: mockCheckSessionOrInternalAuth,
-    }))
-    vi.doMock('@/lib/workflows/utils', () => ({
-      authorizeWorkflowByWorkspacePermission: mockAuthorizeWorkflowByWorkspacePermission,
-    }))
-  })
-
-  afterEach(() => {
-    vi.clearAllMocks()
-  })
-
-  it('returns 401 when unauthenticated', async () => {
-    mockCheckSessionOrInternalAuth.mockResolvedValueOnce({ success: false })
-
-    const { GET } = await import('./route')
-    const req = new NextRequest('http://localhost:3000/api/workflows/wf-1/form/status')
-    const response = await GET(req, { params: Promise.resolve({ id: 'wf-1' }) })
-
-    expect(response.status).toBe(401)
-  })
-
-  it('returns 403 when user lacks workspace access', async () => {
-    mockCheckSessionOrInternalAuth.mockResolvedValueOnce({
-      success: true,
-      userId: 'user-1',
-      authType: 'session',
-    })
-    mockAuthorizeWorkflowByWorkspacePermission.mockResolvedValueOnce({
-      allowed: false,
-      status: 403,
-      message: 'Access denied',
-      workflow: { id: 'wf-1', workspaceId: 'ws-1' },
-      workspacePermission: null,
-    })
-
-    const { GET } = await import('./route')
-    const req = new NextRequest('http://localhost:3000/api/workflows/wf-1/form/status')
-    const response = await GET(req, { params: Promise.resolve({ id: 'wf-1' }) })
-
-    expect(response.status).toBe(403)
-  })
-
-  it('returns deployed form when authorized', async () => {
-    mockCheckSessionOrInternalAuth.mockResolvedValueOnce({
-      success: true,
-      userId: 'user-1',
-      authType: 'session',
-    })
-    mockAuthorizeWorkflowByWorkspacePermission.mockResolvedValueOnce({
-      allowed: true,
-      status: 200,
-      workflow: { id: 'wf-1', workspaceId: 'ws-1' },
-      workspacePermission: 'read',
-    })
-    mockDbLimit.mockResolvedValueOnce([
-      {
-        id: 'form-1',
-        identifier: 'feedback-form',
-        title: 'Feedback',
-        isActive: true,
-      },
-    ])
-
-    const { GET } = await import('./route')
-    const req = new NextRequest('http://localhost:3000/api/workflows/wf-1/form/status')
-    const response = await GET(req, { params: Promise.resolve({ id: 'wf-1' }) })
-
-    expect(response.status).toBe(200)
-    const data = await response.json()
-    expect(data.isDeployed).toBe(true)
-    expect(data.form.id).toBe('form-1')
-  })
-})

apps/sim/app/api/workflows/[id]/form/status/route.ts

@@ -3,31 +3,20 @@ import { form } from '@sim/db/schema'
 import { createLogger } from '@sim/logger'
 import { and, eq } from 'drizzle-orm'
 import type { NextRequest } from 'next/server'
-import { checkSessionOrInternalAuth } from '@/lib/auth/hybrid'
-import { authorizeWorkflowByWorkspacePermission } from '@/lib/workflows/utils'
+import { getSession } from '@/lib/auth'
 import { createErrorResponse, createSuccessResponse } from '@/app/api/workflows/utils'
 
 const logger = createLogger('FormStatusAPI')
 
 export async function GET(request: NextRequest, { params }: { params: Promise<{ id: string }> }) {
   try {
-    const auth = await checkSessionOrInternalAuth(request, { requireWorkflowId: false })
-    if (!auth.success || !auth.userId) {
+    const session = await getSession()
+
+    if (!session) {
       return createErrorResponse('Unauthorized', 401)
     }
 
     const { id: workflowId } = await params
-    const authorization = await authorizeWorkflowByWorkspacePermission({
-      workflowId,
-      userId: auth.userId,
-      action: 'read',
-    })
-    if (!authorization.allowed) {
-      return createErrorResponse(
-        authorization.message || 'Access denied',
-        authorization.status || 403
-      )
-    }
 
     const formResult = await db
       .select({

apps/sim/app/api/workflows/[id]/log/route.ts

@@ -4,7 +4,6 @@ import { z } from 'zod'
 import { generateRequestId } from '@/lib/core/utils/request'
 import { LoggingSession } from '@/lib/logs/execution/logging-session'
 import { buildTraceSpans } from '@/lib/logs/execution/trace-spans/trace-spans'
-import { getWorkspaceBilledAccountUserId } from '@/lib/workspaces/utils'
 import { validateWorkflowAccess } from '@/app/api/workflows/middleware'
 import { createErrorResponse, createSuccessResponse } from '@/app/api/workflows/utils'
 import type { ExecutionResult } from '@/executor/types'
@@ -70,19 +69,15 @@ export async function POST(request: NextRequest, { params }: { params: Promise<{
       const triggerType = isChatExecution ? 'chat' : 'manual'
       const loggingSession = new LoggingSession(id, executionId, triggerType, requestId)
 
+      const userId = accessValidation.workflow.userId
       const workspaceId = accessValidation.workflow.workspaceId
       if (!workspaceId) {
         logger.error(`[${requestId}] Workflow ${id} has no workspaceId`)
         return createErrorResponse('Workflow has no associated workspace', 500)
       }
-      const billedAccountUserId = await getWorkspaceBilledAccountUserId(workspaceId)
-      if (!billedAccountUserId) {
-        logger.error(`[${requestId}] Unable to resolve billed account for workspace ${workspaceId}`)
-        return createErrorResponse('Unable to resolve billing account for this workspace', 500)
-      }
 
       await loggingSession.safeStart({
-        userId: billedAccountUserId,
+        userId,
         workspaceId,
         variables: {},
       })

apps/sim/app/api/workflows/[id]/route.test.ts

@@ -12,7 +12,7 @@ import { afterEach, beforeEach, describe, expect, it, vi } from 'vitest'
 const mockGetSession = vi.fn()
 const mockLoadWorkflowFromNormalizedTables = vi.fn()
 const mockGetWorkflowById = vi.fn()
-const mockAuthorizeWorkflowByWorkspacePermission = vi.fn()
+const mockGetWorkflowAccessContext = vi.fn()
 const mockDbDelete = vi.fn()
 const mockDbUpdate = vi.fn()
 const mockDbSelect = vi.fn()
@@ -35,11 +35,8 @@ vi.mock('@/lib/workflows/utils', async () => {
   return {
     ...actual,
     getWorkflowById: (workflowId: string) => mockGetWorkflowById(workflowId),
-    authorizeWorkflowByWorkspacePermission: (params: {
-      workflowId: string
-      userId: string
-      action?: 'read' | 'write' | 'admin'
-    }) => mockAuthorizeWorkflowByWorkspacePermission(params),
+    getWorkflowAccessContext: (workflowId: string, userId?: string) =>
+      mockGetWorkflowAccessContext(workflowId, userId),
   }
 })
 
@@ -89,6 +86,13 @@ describe('Workflow By ID API Route', () => {
       })
 
       mockGetWorkflowById.mockResolvedValue(null)
+      mockGetWorkflowAccessContext.mockResolvedValue({
+        workflow: null,
+        workspaceOwnerId: null,
+        workspacePermission: null,
+        isOwner: false,
+        isWorkspaceOwner: false,
+      })
 
       const req = new NextRequest('http://localhost:3000/api/workflows/nonexistent')
       const params = Promise.resolve({ id: 'nonexistent' })
@@ -100,12 +104,12 @@ describe('Workflow By ID API Route', () => {
       expect(data.error).toBe('Workflow not found')
     })
 
-    it.concurrent('should allow access when user has admin workspace permission', async () => {
+    it.concurrent('should allow access when user owns the workflow', async () => {
       const mockWorkflow = {
         id: 'workflow-123',
         userId: 'user-123',
         name: 'Test Workflow',
-        workspaceId: 'workspace-456',
+        workspaceId: null,
       }
 
       const mockNormalizedData = {
@@ -121,11 +125,12 @@ describe('Workflow By ID API Route', () => {
       })
 
       mockGetWorkflowById.mockResolvedValue(mockWorkflow)
-      mockAuthorizeWorkflowByWorkspacePermission.mockResolvedValue({
-        allowed: true,
-        status: 200,
+      mockGetWorkflowAccessContext.mockResolvedValue({
         workflow: mockWorkflow,
-        workspacePermission: 'admin',
+        workspaceOwnerId: null,
+        workspacePermission: null,
+        isOwner: true,
+        isWorkspaceOwner: false,
       })
 
       mockLoadWorkflowFromNormalizedTables.mockResolvedValue(mockNormalizedData)
@@ -161,11 +166,12 @@ describe('Workflow By ID API Route', () => {
       })
 
       mockGetWorkflowById.mockResolvedValue(mockWorkflow)
-      mockAuthorizeWorkflowByWorkspacePermission.mockResolvedValue({
-        allowed: true,
-        status: 200,
+      mockGetWorkflowAccessContext.mockResolvedValue({
         workflow: mockWorkflow,
+        workspaceOwnerId: 'workspace-456',
         workspacePermission: 'read',
+        isOwner: false,
+        isWorkspaceOwner: false,
       })
 
       mockLoadWorkflowFromNormalizedTables.mockResolvedValue(mockNormalizedData)
@@ -193,12 +199,12 @@ describe('Workflow By ID API Route', () => {
       })
 
       mockGetWorkflowById.mockResolvedValue(mockWorkflow)
-      mockAuthorizeWorkflowByWorkspacePermission.mockResolvedValue({
-        allowed: false,
-        status: 403,
-        message: 'Unauthorized: Access denied to read this workflow',
+      mockGetWorkflowAccessContext.mockResolvedValue({
         workflow: mockWorkflow,
+        workspaceOwnerId: 'workspace-456',
         workspacePermission: null,
+        isOwner: false,
+        isWorkspaceOwner: false,
       })
 
       const req = new NextRequest('http://localhost:3000/api/workflows/workflow-123')
@@ -208,7 +214,7 @@ describe('Workflow By ID API Route', () => {
 
       expect(response.status).toBe(403)
       const data = await response.json()
-      expect(data.error).toBe('Unauthorized: Access denied to read this workflow')
+      expect(data.error).toBe('Access denied')
     })
 
     it.concurrent('should use normalized tables when available', async () => {
@@ -216,7 +222,7 @@ describe('Workflow By ID API Route', () => {
         id: 'workflow-123',
         userId: 'user-123',
         name: 'Test Workflow',
-        workspaceId: 'workspace-456',
+        workspaceId: null,
       }
 
       const mockNormalizedData = {
@@ -232,11 +238,12 @@ describe('Workflow By ID API Route', () => {
       })
 
       mockGetWorkflowById.mockResolvedValue(mockWorkflow)
-      mockAuthorizeWorkflowByWorkspacePermission.mockResolvedValue({
-        allowed: true,
-        status: 200,
+      mockGetWorkflowAccessContext.mockResolvedValue({
         workflow: mockWorkflow,
-        workspacePermission: 'admin',
+        workspaceOwnerId: null,
+        workspacePermission: null,
+        isOwner: true,
+        isWorkspaceOwner: false,
       })
 
       mockLoadWorkflowFromNormalizedTables.mockResolvedValue(mockNormalizedData)
@@ -254,12 +261,12 @@ describe('Workflow By ID API Route', () => {
   })
 
   describe('DELETE /api/workflows/[id]', () => {
-    it('should allow admin to delete workflow', async () => {
+    it('should allow owner to delete workflow', async () => {
       const mockWorkflow = {
         id: 'workflow-123',
         userId: 'user-123',
         name: 'Test Workflow',
-        workspaceId: 'workspace-456',
+        workspaceId: null,
       }
 
       mockGetSession.mockResolvedValue({
@@ -267,17 +274,12 @@ describe('Workflow By ID API Route', () => {
       })
 
       mockGetWorkflowById.mockResolvedValue(mockWorkflow)
-      mockAuthorizeWorkflowByWorkspacePermission.mockResolvedValue({
-        allowed: true,
-        status: 200,
+      mockGetWorkflowAccessContext.mockResolvedValue({
         workflow: mockWorkflow,
-        workspacePermission: 'admin',
-      })
-
-      mockDbSelect.mockReturnValue({
-        from: vi.fn().mockReturnValue({
-          where: vi.fn().mockResolvedValue([{ id: 'workflow-123' }, { id: 'workflow-456' }]),
-        }),
+        workspaceOwnerId: null,
+        workspacePermission: null,
+        isOwner: true,
+        isWorkspaceOwner: false,
       })
 
       mockDbDelete.mockReturnValue({
@@ -313,11 +315,12 @@ describe('Workflow By ID API Route', () => {
       })
 
       mockGetWorkflowById.mockResolvedValue(mockWorkflow)
-      mockAuthorizeWorkflowByWorkspacePermission.mockResolvedValue({
-        allowed: true,
-        status: 200,
+      mockGetWorkflowAccessContext.mockResolvedValue({
         workflow: mockWorkflow,
+        workspaceOwnerId: 'workspace-456',
         workspacePermission: 'admin',
+        isOwner: false,
+        isWorkspaceOwner: false,
       })
 
       // Mock db.select() to return multiple workflows so deletion is allowed
@@ -360,11 +363,12 @@ describe('Workflow By ID API Route', () => {
       })
 
       mockGetWorkflowById.mockResolvedValue(mockWorkflow)
-      mockAuthorizeWorkflowByWorkspacePermission.mockResolvedValue({
-        allowed: true,
-        status: 200,
+      mockGetWorkflowAccessContext.mockResolvedValue({
         workflow: mockWorkflow,
+        workspaceOwnerId: 'workspace-456',
         workspacePermission: 'admin',
+        isOwner: true,
+        isWorkspaceOwner: false,
       })
 
       // Mock db.select() to return only 1 workflow (the one being deleted)
@@ -399,12 +403,12 @@ describe('Workflow By ID API Route', () => {
       })
 
       mockGetWorkflowById.mockResolvedValue(mockWorkflow)
-      mockAuthorizeWorkflowByWorkspacePermission.mockResolvedValue({
-        allowed: false,
-        status: 403,
-        message: 'Unauthorized: Access denied to admin this workflow',
+      mockGetWorkflowAccessContext.mockResolvedValue({
         workflow: mockWorkflow,
+        workspaceOwnerId: 'workspace-456',
         workspacePermission: null,
+        isOwner: false,
+        isWorkspaceOwner: false,
       })
 
       const req = new NextRequest('http://localhost:3000/api/workflows/workflow-123', {
@@ -416,17 +420,17 @@ describe('Workflow By ID API Route', () => {
 
       expect(response.status).toBe(403)
       const data = await response.json()
-      expect(data.error).toBe('Unauthorized: Access denied to admin this workflow')
+      expect(data.error).toBe('Access denied')
     })
   })
 
   describe('PUT /api/workflows/[id]', () => {
-    it('should allow user with write permission to update workflow', async () => {
+    it('should allow owner to update workflow', async () => {
       const mockWorkflow = {
         id: 'workflow-123',
         userId: 'user-123',
         name: 'Test Workflow',
-        workspaceId: 'workspace-456',
+        workspaceId: null,
       }
 
       const updateData = { name: 'Updated Workflow' }
@@ -437,11 +441,12 @@ describe('Workflow By ID API Route', () => {
       })
 
       mockGetWorkflowById.mockResolvedValue(mockWorkflow)
-      mockAuthorizeWorkflowByWorkspacePermission.mockResolvedValue({
-        allowed: true,
-        status: 200,
+      mockGetWorkflowAccessContext.mockResolvedValue({
         workflow: mockWorkflow,
-        workspacePermission: 'write',
+        workspaceOwnerId: null,
+        workspacePermission: null,
+        isOwner: true,
+        isWorkspaceOwner: false,
       })
 
       mockDbUpdate.mockReturnValue({
@@ -481,11 +486,12 @@ describe('Workflow By ID API Route', () => {
       })
 
       mockGetWorkflowById.mockResolvedValue(mockWorkflow)
-      mockAuthorizeWorkflowByWorkspacePermission.mockResolvedValue({
-        allowed: true,
-        status: 200,
+      mockGetWorkflowAccessContext.mockResolvedValue({
         workflow: mockWorkflow,
+        workspaceOwnerId: 'workspace-456',
         workspacePermission: 'write',
+        isOwner: false,
+        isWorkspaceOwner: false,
       })
 
       mockDbUpdate.mockReturnValue({
@@ -524,12 +530,12 @@ describe('Workflow By ID API Route', () => {
       })
 
       mockGetWorkflowById.mockResolvedValue(mockWorkflow)
-      mockAuthorizeWorkflowByWorkspacePermission.mockResolvedValue({
-        allowed: false,
-        status: 403,
-        message: 'Unauthorized: Access denied to write this workflow',
+      mockGetWorkflowAccessContext.mockResolvedValue({
         workflow: mockWorkflow,
+        workspaceOwnerId: 'workspace-456',
         workspacePermission: 'read',
+        isOwner: false,
+        isWorkspaceOwner: false,
       })
 
       const req = new NextRequest('http://localhost:3000/api/workflows/workflow-123', {
@@ -542,7 +548,7 @@ describe('Workflow By ID API Route', () => {
 
       expect(response.status).toBe(403)
       const data = await response.json()
-      expect(data.error).toBe('Unauthorized: Access denied to write this workflow')
+      expect(data.error).toBe('Access denied')
     })
 
     it.concurrent('should validate request data', async () => {
@@ -550,7 +556,7 @@ describe('Workflow By ID API Route', () => {
         id: 'workflow-123',
         userId: 'user-123',
         name: 'Test Workflow',
-        workspaceId: 'workspace-456',
+        workspaceId: null,
       }
 
       mockGetSession.mockResolvedValue({
@@ -558,11 +564,12 @@ describe('Workflow By ID API Route', () => {
       })
 
       mockGetWorkflowById.mockResolvedValue(mockWorkflow)
-      mockAuthorizeWorkflowByWorkspacePermission.mockResolvedValue({
-        allowed: true,
-        status: 200,
+      mockGetWorkflowAccessContext.mockResolvedValue({
         workflow: mockWorkflow,
-        workspacePermission: 'write',
+        workspaceOwnerId: null,
+        workspacePermission: null,
+        isOwner: true,
+        isWorkspaceOwner: false,
       })
 
       const invalidData = { name: '' }

apps/sim/app/api/workflows/[id]/route.ts

@@ -4,12 +4,14 @@ import { createLogger } from '@sim/logger'
 import { eq } from 'drizzle-orm'
 import { type NextRequest, NextResponse } from 'next/server'
 import { z } from 'zod'
-import { checkHybridAuth, checkSessionOrInternalAuth } from '@/lib/auth/hybrid'
+import { authenticateApiKeyFromHeader, updateApiKeyLastUsed } from '@/lib/api-key/service'
+import { getSession } from '@/lib/auth'
+import { verifyInternalToken } from '@/lib/auth/internal'
 import { env } from '@/lib/core/config/env'
 import { PlatformEvents } from '@/lib/core/telemetry'
 import { generateRequestId } from '@/lib/core/utils/request'
 import { loadWorkflowFromNormalizedTables } from '@/lib/workflows/persistence/utils'
-import { authorizeWorkflowByWorkspacePermission, getWorkflowById } from '@/lib/workflows/utils'
+import { getWorkflowAccessContext, getWorkflowById } from '@/lib/workflows/utils'
 
 const logger = createLogger('WorkflowByIdAPI')
 
@@ -32,14 +34,50 @@ export async function GET(request: NextRequest, { params }: { params: Promise<{
   const { id: workflowId } = await params
 
   try {
-    const auth = await checkHybridAuth(request, { requireWorkflowId: false })
-    if (!auth.success) {
-      logger.warn(`[${requestId}] Unauthorized access attempt for workflow ${workflowId}`)
-      return NextResponse.json({ error: 'Unauthorized' }, { status: 401 })
+    const authHeader = request.headers.get('authorization')
+    let isInternalCall = false
+
+    if (authHeader?.startsWith('Bearer ')) {
+      const token = authHeader.split(' ')[1]
+      const verification = await verifyInternalToken(token)
+      isInternalCall = verification.valid
     }
 
-    const userId = auth.userId || null
+    let userId: string | null = null
 
+    if (isInternalCall) {
+      logger.info(`[${requestId}] Internal API call for workflow ${workflowId}`)
+    } else {
+      const session = await getSession()
+      let authenticatedUserId: string | null = session?.user?.id || null
+
+      if (!authenticatedUserId) {
+        const apiKeyHeader = request.headers.get('x-api-key')
+        if (apiKeyHeader) {
+          const authResult = await authenticateApiKeyFromHeader(apiKeyHeader)
+          if (authResult.success && authResult.userId) {
+            authenticatedUserId = authResult.userId
+            if (authResult.keyId) {
+              await updateApiKeyLastUsed(authResult.keyId).catch((error) => {
+                logger.warn(`[${requestId}] Failed to update API key last used timestamp:`, {
+                  keyId: authResult.keyId,
+                  error,
+                })
+              })
+            }
+          }
+        }
+      }
+
+      if (!authenticatedUserId) {
+        logger.warn(`[${requestId}] Unauthorized access attempt for workflow ${workflowId}`)
+        return NextResponse.json({ error: 'Unauthorized' }, { status: 401 })
+      }
+
+      userId = authenticatedUserId
+    }
+
+    let accessContext = null
     let workflowData = await getWorkflowById(workflowId)
 
     if (!workflowData) {
@@ -48,28 +86,36 @@ export async function GET(request: NextRequest, { params }: { params: Promise<{
     }
 
     // Check if user has access to this workflow
-    if (!userId) {
-      logger.warn(`[${requestId}] Unauthorized access attempt for workflow ${workflowId}`)
-      return NextResponse.json({ error: 'Unauthorized' }, { status: 401 })
-    }
+    let hasAccess = false
 
-    const authorization = await authorizeWorkflowByWorkspacePermission({
-      workflowId,
-      userId,
-      action: 'read',
-    })
-    if (!authorization.workflow) {
-      logger.warn(`[${requestId}] Workflow ${workflowId} not found`)
-      return NextResponse.json({ error: 'Workflow not found' }, { status: 404 })
-    }
+    if (isInternalCall) {
+      // Internal calls have full access
+      hasAccess = true
+    } else {
+      // Case 1: User owns the workflow
+      if (workflowData) {
+        accessContext = await getWorkflowAccessContext(workflowId, userId ?? undefined)
 
-    workflowData = authorization.workflow
-    if (!authorization.allowed) {
-      logger.warn(`[${requestId}] User ${userId} denied access to workflow ${workflowId}`)
-      return NextResponse.json(
-        { error: authorization.message || 'Access denied' },
-        { status: authorization.status }
-      )
+        if (!accessContext) {
+          logger.warn(`[${requestId}] Workflow ${workflowId} not found`)
+          return NextResponse.json({ error: 'Workflow not found' }, { status: 404 })
+        }
+
+        workflowData = accessContext.workflow
+
+        if (accessContext.isOwner) {
+          hasAccess = true
+        }
+
+        if (!hasAccess && workflowData.workspaceId && accessContext.workspacePermission) {
+          hasAccess = true
+        }
+      }
+
+      if (!hasAccess) {
+        logger.warn(`[${requestId}] User ${userId} denied access to workflow ${workflowId}`)
+        return NextResponse.json({ error: 'Access denied' }, { status: 403 })
+      }
     }
 
     logger.debug(`[${requestId}] Attempting to load workflow ${workflowId} from normalized tables`)
@@ -150,36 +196,43 @@ export async function DELETE(
   const { id: workflowId } = await params
 
   try {
-    const auth = await checkSessionOrInternalAuth(request, { requireWorkflowId: false })
-    if (!auth.success || !auth.userId) {
+    const session = await getSession()
+    if (!session?.user?.id) {
       logger.warn(`[${requestId}] Unauthorized deletion attempt for workflow ${workflowId}`)
       return NextResponse.json({ error: 'Unauthorized' }, { status: 401 })
     }
 
-    const userId = auth.userId
+    const userId = session.user.id
 
-    const authorization = await authorizeWorkflowByWorkspacePermission({
-      workflowId,
-      userId,
-      action: 'admin',
-    })
-    const workflowData = authorization.workflow || (await getWorkflowById(workflowId))
+    const accessContext = await getWorkflowAccessContext(workflowId, userId)
+    const workflowData = accessContext?.workflow || (await getWorkflowById(workflowId))
 
     if (!workflowData) {
       logger.warn(`[${requestId}] Workflow ${workflowId} not found for deletion`)
       return NextResponse.json({ error: 'Workflow not found' }, { status: 404 })
     }
 
-    const canDelete = authorization.allowed
+    // Check if user has permission to delete this workflow
+    let canDelete = false
+
+    // Case 1: User owns the workflow
+    if (workflowData.userId === userId) {
+      canDelete = true
+    }
+
+    // Case 2: Workflow belongs to a workspace and user has admin permission
+    if (!canDelete && workflowData.workspaceId) {
+      const context = accessContext || (await getWorkflowAccessContext(workflowId, userId))
+      if (context?.workspacePermission === 'admin') {
+        canDelete = true
+      }
+    }
 
     if (!canDelete) {
       logger.warn(
         `[${requestId}] User ${userId} denied permission to delete workflow ${workflowId}`
       )
-      return NextResponse.json(
-        { error: authorization.message || 'Access denied' },
-        { status: authorization.status || 403 }
-      )
+      return NextResponse.json({ error: 'Access denied' }, { status: 403 })
     }
 
     // Check if this is the last workflow in the workspace
@@ -350,40 +403,48 @@ export async function PUT(request: NextRequest, { params }: { params: Promise<{
   const { id: workflowId } = await params
 
   try {
-    const auth = await checkSessionOrInternalAuth(request, { requireWorkflowId: false })
-    if (!auth.success || !auth.userId) {
+    // Get the session
+    const session = await getSession()
+    if (!session?.user?.id) {
       logger.warn(`[${requestId}] Unauthorized update attempt for workflow ${workflowId}`)
       return NextResponse.json({ error: 'Unauthorized' }, { status: 401 })
     }
 
-    const userId = auth.userId
+    const userId = session.user.id
 
     const body = await request.json()
     const updates = UpdateWorkflowSchema.parse(body)
 
     // Fetch the workflow to check ownership/access
-    const authorization = await authorizeWorkflowByWorkspacePermission({
-      workflowId,
-      userId,
-      action: 'write',
-    })
-    const workflowData = authorization.workflow || (await getWorkflowById(workflowId))
+    const accessContext = await getWorkflowAccessContext(workflowId, userId)
+    const workflowData = accessContext?.workflow || (await getWorkflowById(workflowId))
 
     if (!workflowData) {
       logger.warn(`[${requestId}] Workflow ${workflowId} not found for update`)
       return NextResponse.json({ error: 'Workflow not found' }, { status: 404 })
     }
 
-    const canUpdate = authorization.allowed
+    // Check if user has permission to update this workflow
+    let canUpdate = false
+
+    // Case 1: User owns the workflow
+    if (workflowData.userId === userId) {
+      canUpdate = true
+    }
+
+    // Case 2: Workflow belongs to a workspace and user has write or admin permission
+    if (!canUpdate && workflowData.workspaceId) {
+      const context = accessContext || (await getWorkflowAccessContext(workflowId, userId))
+      if (context?.workspacePermission === 'write' || context?.workspacePermission === 'admin') {
+        canUpdate = true
+      }
+    }
 
     if (!canUpdate) {
       logger.warn(
         `[${requestId}] User ${userId} denied permission to update workflow ${workflowId}`
       )
-      return NextResponse.json(
-        { error: authorization.message || 'Access denied' },
-        { status: authorization.status || 403 }
-      )
+      return NextResponse.json({ error: 'Access denied' }, { status: 403 })
     }
 
     const updateData: Record<string, unknown> = { updatedAt: new Date() }

apps/sim/app/api/workflows/[id]/state/route.ts

@@ -4,13 +4,13 @@ import { createLogger } from '@sim/logger'
 import { eq } from 'drizzle-orm'
 import { type NextRequest, NextResponse } from 'next/server'
 import { z } from 'zod'
-import { checkSessionOrInternalAuth } from '@/lib/auth/hybrid'
+import { getSession } from '@/lib/auth'
 import { env } from '@/lib/core/config/env'
 import { generateRequestId } from '@/lib/core/utils/request'
 import { extractAndPersistCustomTools } from '@/lib/workflows/persistence/custom-tools-persistence'
 import { saveWorkflowToNormalizedTables } from '@/lib/workflows/persistence/utils'
 import { sanitizeAgentToolsInBlocks } from '@/lib/workflows/sanitization/validation'
-import { authorizeWorkflowByWorkspacePermission } from '@/lib/workflows/utils'
+import { getWorkflowAccessContext } from '@/lib/workflows/utils'
 import type { BlockState } from '@/stores/workflows/workflow/types'
 import { generateLoopBlocks, generateParallelBlocks } from '@/stores/workflows/workflow/utils'
 
@@ -118,38 +118,40 @@ export async function PUT(request: NextRequest, { params }: { params: Promise<{
   const { id: workflowId } = await params
 
   try {
-    const auth = await checkSessionOrInternalAuth(request, { requireWorkflowId: false })
-    if (!auth.success || !auth.userId) {
+    // Get the session
+    const session = await getSession()
+    if (!session?.user?.id) {
       logger.warn(`[${requestId}] Unauthorized state update attempt for workflow ${workflowId}`)
       return NextResponse.json({ error: 'Unauthorized' }, { status: 401 })
     }
-    const userId = auth.userId
+
+    const userId = session.user.id
 
     const body = await request.json()
     const state = WorkflowStateSchema.parse(body)
 
-    const authorization = await authorizeWorkflowByWorkspacePermission({
-      workflowId,
-      userId,
-      action: 'write',
-    })
-    const workflowData = authorization.workflow
+    // Fetch the workflow to check ownership/access
+    const accessContext = await getWorkflowAccessContext(workflowId, userId)
+    const workflowData = accessContext?.workflow
 
     if (!workflowData) {
       logger.warn(`[${requestId}] Workflow ${workflowId} not found for state update`)
       return NextResponse.json({ error: 'Workflow not found' }, { status: 404 })
     }
 
-    const canUpdate = authorization.allowed
+    // Check if user has permission to update this workflow
+    const canUpdate =
+      accessContext?.isOwner ||
+      (workflowData.workspaceId
+        ? accessContext?.workspacePermission === 'write' ||
+          accessContext?.workspacePermission === 'admin'
+        : false)
 
     if (!canUpdate) {
       logger.warn(
         `[${requestId}] User ${userId} denied permission to update workflow state ${workflowId}`
       )
-      return NextResponse.json(
-        { error: authorization.message || 'Access denied' },
-        { status: authorization.status || 403 }
-      )
+      return NextResponse.json({ error: 'Access denied' }, { status: 403 })
     }
 
     // Sanitize custom tools in agent blocks before saving

apps/sim/app/api/workflows/[id]/variables/route.test.ts

@@ -16,19 +16,19 @@ import { afterEach, beforeEach, describe, expect, it, vi } from 'vitest'
 
 describe('Workflow Variables API Route', () => {
   let authMocks: ReturnType<typeof mockAuth>
-  const mockAuthorizeWorkflowByWorkspacePermission = vi.fn()
+  const mockGetWorkflowAccessContext = vi.fn()
 
   beforeEach(() => {
     vi.resetModules()
     setupCommonApiMocks()
     mockCryptoUuid('mock-request-id-12345678')
     authMocks = mockAuth(defaultMockUser)
-    mockAuthorizeWorkflowByWorkspacePermission.mockReset()
+    mockGetWorkflowAccessContext.mockReset()
 
     vi.doMock('@sim/db', () => databaseMock)
 
     vi.doMock('@/lib/workflows/utils', () => ({
-      authorizeWorkflowByWorkspacePermission: mockAuthorizeWorkflowByWorkspacePermission,
+      getWorkflowAccessContext: mockGetWorkflowAccessContext,
     }))
   })
 
@@ -43,7 +43,7 @@ describe('Workflow Variables API Route', () => {
       const req = new NextRequest('http://localhost:3000/api/workflows/workflow-123/variables')
       const params = Promise.resolve({ id: 'workflow-123' })
 
-      const { GET } = await import('./route')
+      const { GET } = await import('@/app/api/workflows/[id]/variables/route')
       const response = await GET(req, { params })
 
       expect(response.status).toBe(401)
@@ -53,18 +53,12 @@ describe('Workflow Variables API Route', () => {
 
     it('should return 404 when workflow does not exist', async () => {
       authMocks.setAuthenticated({ id: 'user-123', email: 'test@example.com' })
-      mockAuthorizeWorkflowByWorkspacePermission.mockResolvedValueOnce({
-        allowed: false,
-        status: 404,
-        message: 'Workflow not found',
-        workflow: null,
-        workspacePermission: null,
-      })
+      mockGetWorkflowAccessContext.mockResolvedValueOnce(null)
 
       const req = new NextRequest('http://localhost:3000/api/workflows/nonexistent/variables')
       const params = Promise.resolve({ id: 'nonexistent' })
 
-      const { GET } = await import('./route')
+      const { GET } = await import('@/app/api/workflows/[id]/variables/route')
       const response = await GET(req, { params })
 
       expect(response.status).toBe(404)
@@ -72,28 +66,29 @@ describe('Workflow Variables API Route', () => {
       expect(data.error).toBe('Workflow not found')
     })
 
-    it('should allow access when user has workspace permission', async () => {
+    it('should allow access when user owns the workflow', async () => {
       const mockWorkflow = {
         id: 'workflow-123',
         userId: 'user-123',
-        workspaceId: 'workspace-456',
+        workspaceId: null,
         variables: {
           'var-1': { id: 'var-1', name: 'test', type: 'string', value: 'hello' },
         },
       }
 
       authMocks.setAuthenticated({ id: 'user-123', email: 'test@example.com' })
-      mockAuthorizeWorkflowByWorkspacePermission.mockResolvedValueOnce({
-        allowed: true,
-        status: 200,
+      mockGetWorkflowAccessContext.mockResolvedValueOnce({
         workflow: mockWorkflow,
-        workspacePermission: 'admin',
+        workspaceOwnerId: null,
+        workspacePermission: null,
+        isOwner: true,
+        isWorkspaceOwner: false,
       })
 
       const req = new NextRequest('http://localhost:3000/api/workflows/workflow-123/variables')
       const params = Promise.resolve({ id: 'workflow-123' })
 
-      const { GET } = await import('./route')
+      const { GET } = await import('@/app/api/workflows/[id]/variables/route')
       const response = await GET(req, { params })
 
       expect(response.status).toBe(200)
@@ -112,17 +107,18 @@ describe('Workflow Variables API Route', () => {
       }
 
       authMocks.setAuthenticated({ id: 'user-123', email: 'test@example.com' })
-      mockAuthorizeWorkflowByWorkspacePermission.mockResolvedValueOnce({
-        allowed: true,
-        status: 200,
+      mockGetWorkflowAccessContext.mockResolvedValueOnce({
         workflow: mockWorkflow,
+        workspaceOwnerId: 'workspace-owner',
         workspacePermission: 'read',
+        isOwner: false,
+        isWorkspaceOwner: false,
       })
 
       const req = new NextRequest('http://localhost:3000/api/workflows/workflow-123/variables')
       const params = Promise.resolve({ id: 'workflow-123' })
 
-      const { GET } = await import('./route')
+      const { GET } = await import('@/app/api/workflows/[id]/variables/route')
       const response = await GET(req, { params })
 
       expect(response.status).toBe(200)
@@ -139,47 +135,48 @@ describe('Workflow Variables API Route', () => {
       }
 
       authMocks.setAuthenticated({ id: 'user-123', email: 'test@example.com' })
-      mockAuthorizeWorkflowByWorkspacePermission.mockResolvedValueOnce({
-        allowed: false,
-        status: 403,
-        message: 'Unauthorized: Access denied to read this workflow',
+      mockGetWorkflowAccessContext.mockResolvedValueOnce({
         workflow: mockWorkflow,
+        workspaceOwnerId: 'workspace-owner',
         workspacePermission: null,
+        isOwner: false,
+        isWorkspaceOwner: false,
       })
 
       const req = new NextRequest('http://localhost:3000/api/workflows/workflow-123/variables')
       const params = Promise.resolve({ id: 'workflow-123' })
 
-      const { GET } = await import('./route')
+      const { GET } = await import('@/app/api/workflows/[id]/variables/route')
       const response = await GET(req, { params })
 
-      expect(response.status).toBe(403)
+      expect(response.status).toBe(401)
       const data = await response.json()
-      expect(data.error).toBe('Unauthorized: Access denied to read this workflow')
+      expect(data.error).toBe('Unauthorized')
     })
 
     it.concurrent('should include proper cache headers', async () => {
       const mockWorkflow = {
         id: 'workflow-123',
         userId: 'user-123',
-        workspaceId: 'workspace-456',
+        workspaceId: null,
         variables: {
           'var-1': { id: 'var-1', name: 'test', type: 'string', value: 'hello' },
         },
       }
 
       authMocks.setAuthenticated({ id: 'user-123', email: 'test@example.com' })
-      mockAuthorizeWorkflowByWorkspacePermission.mockResolvedValueOnce({
-        allowed: true,
-        status: 200,
+      mockGetWorkflowAccessContext.mockResolvedValueOnce({
         workflow: mockWorkflow,
-        workspacePermission: 'admin',
+        workspaceOwnerId: null,
+        workspacePermission: null,
+        isOwner: true,
+        isWorkspaceOwner: false,
       })
 
       const req = new NextRequest('http://localhost:3000/api/workflows/workflow-123/variables')
       const params = Promise.resolve({ id: 'workflow-123' })
 
-      const { GET } = await import('./route')
+      const { GET } = await import('@/app/api/workflows/[id]/variables/route')
       const response = await GET(req, { params })
 
       expect(response.status).toBe(200)
@@ -189,20 +186,21 @@ describe('Workflow Variables API Route', () => {
   })
 
   describe('POST /api/workflows/[id]/variables', () => {
-    it('should allow user with write permission to update variables', async () => {
+    it('should allow owner to update variables', async () => {
       const mockWorkflow = {
         id: 'workflow-123',
         userId: 'user-123',
-        workspaceId: 'workspace-456',
+        workspaceId: null,
         variables: {},
       }
 
       authMocks.setAuthenticated({ id: 'user-123', email: 'test@example.com' })
-      mockAuthorizeWorkflowByWorkspacePermission.mockResolvedValueOnce({
-        allowed: true,
-        status: 200,
+      mockGetWorkflowAccessContext.mockResolvedValueOnce({
         workflow: mockWorkflow,
-        workspacePermission: 'write',
+        workspaceOwnerId: null,
+        workspacePermission: null,
+        isOwner: true,
+        isWorkspaceOwner: false,
       })
 
       const variables = {
@@ -221,7 +219,7 @@ describe('Workflow Variables API Route', () => {
       })
       const params = Promise.resolve({ id: 'workflow-123' })
 
-      const { POST } = await import('./route')
+      const { POST } = await import('@/app/api/workflows/[id]/variables/route')
       const response = await POST(req, { params })
 
       expect(response.status).toBe(200)
@@ -238,12 +236,12 @@ describe('Workflow Variables API Route', () => {
       }
 
       authMocks.setAuthenticated({ id: 'user-123', email: 'test@example.com' })
-      mockAuthorizeWorkflowByWorkspacePermission.mockResolvedValueOnce({
-        allowed: false,
-        status: 403,
-        message: 'Unauthorized: Access denied to write this workflow',
+      mockGetWorkflowAccessContext.mockResolvedValueOnce({
         workflow: mockWorkflow,
+        workspaceOwnerId: 'workspace-owner',
         workspacePermission: null,
+        isOwner: false,
+        isWorkspaceOwner: false,
       })
 
       const variables = {
@@ -262,28 +260,29 @@ describe('Workflow Variables API Route', () => {
       })
       const params = Promise.resolve({ id: 'workflow-123' })
 
-      const { POST } = await import('./route')
+      const { POST } = await import('@/app/api/workflows/[id]/variables/route')
       const response = await POST(req, { params })
 
-      expect(response.status).toBe(403)
+      expect(response.status).toBe(401)
       const data = await response.json()
-      expect(data.error).toBe('Unauthorized: Access denied to write this workflow')
+      expect(data.error).toBe('Unauthorized')
     })
 
     it.concurrent('should validate request data schema', async () => {
       const mockWorkflow = {
         id: 'workflow-123',
         userId: 'user-123',
-        workspaceId: 'workspace-456',
+        workspaceId: null,
         variables: {},
       }
 
       authMocks.setAuthenticated({ id: 'user-123', email: 'test@example.com' })
-      mockAuthorizeWorkflowByWorkspacePermission.mockResolvedValueOnce({
-        allowed: true,
-        status: 200,
+      mockGetWorkflowAccessContext.mockResolvedValueOnce({
         workflow: mockWorkflow,
-        workspacePermission: 'write',
+        workspaceOwnerId: null,
+        workspacePermission: null,
+        isOwner: true,
+        isWorkspaceOwner: false,
       })
 
       const invalidData = { variables: [{ name: 'test' }] }
@@ -294,7 +293,7 @@ describe('Workflow Variables API Route', () => {
       })
       const params = Promise.resolve({ id: 'workflow-123' })
 
-      const { POST } = await import('./route')
+      const { POST } = await import('@/app/api/workflows/[id]/variables/route')
       const response = await POST(req, { params })
 
       expect(response.status).toBe(400)
@@ -306,14 +305,12 @@ describe('Workflow Variables API Route', () => {
   describe('Error handling', () => {
     it.concurrent('should handle database errors gracefully', async () => {
       authMocks.setAuthenticated({ id: 'user-123', email: 'test@example.com' })
-      mockAuthorizeWorkflowByWorkspacePermission.mockRejectedValueOnce(
-        new Error('Database connection failed')
-      )
+      mockGetWorkflowAccessContext.mockRejectedValueOnce(new Error('Database connection failed'))
 
       const req = new NextRequest('http://localhost:3000/api/workflows/workflow-123/variables')
       const params = Promise.resolve({ id: 'workflow-123' })
 
-      const { GET } = await import('./route')
+      const { GET } = await import('@/app/api/workflows/[id]/variables/route')
       const response = await GET(req, { params })
 
       expect(response.status).toBe(500)

apps/sim/app/api/workflows/[id]/variables/route.ts

@@ -4,9 +4,9 @@ import { createLogger } from '@sim/logger'
 import { eq } from 'drizzle-orm'
 import { type NextRequest, NextResponse } from 'next/server'
 import { z } from 'zod'
-import { checkSessionOrInternalAuth } from '@/lib/auth/hybrid'
+import { getSession } from '@/lib/auth'
 import { generateRequestId } from '@/lib/core/utils/request'
-import { authorizeWorkflowByWorkspacePermission } from '@/lib/workflows/utils'
+import { getWorkflowAccessContext } from '@/lib/workflows/utils'
 import type { Variable } from '@/stores/panel/variables/types'
 
 const logger = createLogger('WorkflowVariablesAPI')
@@ -34,34 +34,31 @@ export async function POST(req: NextRequest, { params }: { params: Promise<{ id:
   const workflowId = (await params).id
 
   try {
-    const auth = await checkSessionOrInternalAuth(req, { requireWorkflowId: false })
-    if (!auth.success || !auth.userId) {
+    const session = await getSession()
+    if (!session?.user?.id) {
       logger.warn(`[${requestId}] Unauthorized workflow variables update attempt`)
       return NextResponse.json({ error: 'Unauthorized' }, { status: 401 })
     }
-    const userId = auth.userId
 
-    const authorization = await authorizeWorkflowByWorkspacePermission({
-      workflowId,
-      userId,
-      action: 'write',
-    })
-    const workflowData = authorization.workflow
+    // Get the workflow record
+    const accessContext = await getWorkflowAccessContext(workflowId, session.user.id)
+    const workflowData = accessContext?.workflow
 
     if (!workflowData) {
       logger.warn(`[${requestId}] Workflow not found: ${workflowId}`)
       return NextResponse.json({ error: 'Workflow not found' }, { status: 404 })
     }
-    const isAuthorized = authorization.allowed
+    const workspaceId = workflowData.workspaceId
+
+    // Check authorization - either the user owns the workflow or has workspace permissions
+    const isAuthorized =
+      accessContext?.isOwner || (workspaceId ? accessContext?.workspacePermission !== null : false)
 
     if (!isAuthorized) {
       logger.warn(
-        `[${requestId}] User ${userId} attempted to update variables for workflow ${workflowId} without permission`
-      )
-      return NextResponse.json(
-        { error: authorization.message || 'Access denied' },
-        { status: authorization.status || 403 }
+        `[${requestId}] User ${session.user.id} attempted to update variables for workflow ${workflowId} without permission`
       )
+      return NextResponse.json({ error: 'Unauthorized' }, { status: 401 })
     }
 
     const body = await req.json()
@@ -103,34 +100,32 @@ export async function GET(req: NextRequest, { params }: { params: Promise<{ id:
   const workflowId = (await params).id
 
   try {
-    const auth = await checkSessionOrInternalAuth(req, { requireWorkflowId: false })
-    if (!auth.success || !auth.userId) {
+    // Get the session directly in the API route
+    const session = await getSession()
+    if (!session?.user?.id) {
       logger.warn(`[${requestId}] Unauthorized workflow variables access attempt`)
       return NextResponse.json({ error: 'Unauthorized' }, { status: 401 })
     }
-    const userId = auth.userId
 
-    const authorization = await authorizeWorkflowByWorkspacePermission({
-      workflowId,
-      userId,
-      action: 'read',
-    })
-    const workflowData = authorization.workflow
+    // Get the workflow record
+    const accessContext = await getWorkflowAccessContext(workflowId, session.user.id)
+    const workflowData = accessContext?.workflow
 
     if (!workflowData) {
       logger.warn(`[${requestId}] Workflow not found: ${workflowId}`)
       return NextResponse.json({ error: 'Workflow not found' }, { status: 404 })
     }
-    const isAuthorized = authorization.allowed
+    const workspaceId = workflowData.workspaceId
+
+    // Check authorization - either the user owns the workflow or has workspace permissions
+    const isAuthorized =
+      accessContext?.isOwner || (workspaceId ? accessContext?.workspacePermission !== null : false)
 
     if (!isAuthorized) {
       logger.warn(
-        `[${requestId}] User ${userId} attempted to access variables for workflow ${workflowId} without permission`
-      )
-      return NextResponse.json(
-        { error: authorization.message || 'Access denied' },
-        { status: authorization.status || 403 }
+        `[${requestId}] User ${session.user.id} attempted to access variables for workflow ${workflowId} without permission`
       )
+      return NextResponse.json({ error: 'Unauthorized' }, { status: 401 })
     }
 
     // Return variables if they exist

apps/sim/app/api/workflows/middleware.ts

@@ -5,16 +5,14 @@ import {
   authenticateApiKeyFromHeader,
   updateApiKeyLastUsed,
 } from '@/lib/api-key/service'
-import { type AuthResult, checkHybridAuth } from '@/lib/auth/hybrid'
 import { env } from '@/lib/core/config/env'
-import { authorizeWorkflowByWorkspacePermission, getWorkflowById } from '@/lib/workflows/utils'
+import { getWorkflowById } from '@/lib/workflows/utils'
 
 const logger = createLogger('WorkflowMiddleware')
 
 export interface ValidationResult {
   error?: { message: string; status: number }
   workflow?: any
-  auth?: AuthResult
 }
 
 export async function validateWorkflowAccess(
@@ -33,44 +31,6 @@ export async function validateWorkflowAccess(
       }
     }
 
-    if (!workflow.workspaceId) {
-      return {
-        error: {
-          message:
-            'This workflow is not attached to a workspace. Personal workflows are deprecated and cannot be accessed.',
-          status: 403,
-        },
-      }
-    }
-
-    if (!requireDeployment) {
-      const auth = await checkHybridAuth(request, { requireWorkflowId: false })
-      if (!auth.success || !auth.userId) {
-        return {
-          error: {
-            message: auth.error || 'Unauthorized',
-            status: 401,
-          },
-        }
-      }
-
-      const authorization = await authorizeWorkflowByWorkspacePermission({
-        workflowId,
-        userId: auth.userId,
-        action: 'read',
-      })
-      if (!authorization.allowed) {
-        return {
-          error: {
-            message: authorization.message || 'Access denied',
-            status: authorization.status,
-          },
-        }
-      }
-
-      return { workflow, auth }
-    }
-
     if (requireDeployment) {
       if (!workflow.isDeployed) {
         return {
@@ -105,13 +65,24 @@ export async function validateWorkflowAccess(
 
       let validResult: ApiKeyAuthResult | null = null
 
-      const workspaceResult = await authenticateApiKeyFromHeader(apiKeyHeader, {
-        workspaceId: workflow.workspaceId as string,
-        keyTypes: ['workspace', 'personal'],
-      })
+      if (workflow.workspaceId) {
+        const workspaceResult = await authenticateApiKeyFromHeader(apiKeyHeader, {
+          workspaceId: workflow.workspaceId as string,
+          keyTypes: ['workspace', 'personal'],
+        })
 
-      if (workspaceResult.success) {
-        validResult = workspaceResult
+        if (workspaceResult.success) {
+          validResult = workspaceResult
+        }
+      } else {
+        const personalResult = await authenticateApiKeyFromHeader(apiKeyHeader, {
+          userId: workflow.userId as string,
+          keyTypes: ['personal'],
+        })
+
+        if (personalResult.success) {
+          validResult = personalResult
+        }
       }
 
       if (!validResult) {

apps/sim/app/api/workflows/reorder/route.ts

@@ -4,7 +4,7 @@ import { createLogger } from '@sim/logger'
 import { eq, inArray } from 'drizzle-orm'
 import { type NextRequest, NextResponse } from 'next/server'
 import { z } from 'zod'
-import { checkSessionOrInternalAuth } from '@/lib/auth/hybrid'
+import { getSession } from '@/lib/auth'
 import { generateRequestId } from '@/lib/core/utils/request'
 import { getUserEntityPermissions } from '@/lib/workspaces/permissions/utils'
 
@@ -23,21 +23,21 @@ const ReorderSchema = z.object({
 
 export async function PUT(req: NextRequest) {
   const requestId = generateRequestId()
-  const auth = await checkSessionOrInternalAuth(req, { requireWorkflowId: false })
-  if (!auth.success || !auth.userId) {
+  const session = await getSession()
+
+  if (!session?.user?.id) {
     logger.warn(`[${requestId}] Unauthorized reorder attempt`)
     return NextResponse.json({ error: 'Unauthorized' }, { status: 401 })
   }
-  const userId = auth.userId
 
   try {
     const body = await req.json()
     const { workspaceId, updates } = ReorderSchema.parse(body)
 
-    const permission = await getUserEntityPermissions(userId, 'workspace', workspaceId)
+    const permission = await getUserEntityPermissions(session.user.id, 'workspace', workspaceId)
     if (!permission || permission === 'read') {
       logger.warn(
-        `[${requestId}] User ${userId} lacks write permission for workspace ${workspaceId}`
+        `[${requestId}] User ${session.user.id} lacks write permission for workspace ${workspaceId}`
       )
       return NextResponse.json({ error: 'Write access required' }, { status: 403 })
     }

apps/sim/app/api/workflows/route.ts

@@ -1,10 +1,10 @@
 import { db } from '@sim/db'
-import { permissions, workflow } from '@sim/db/schema'
+import { workflow } from '@sim/db/schema'
 import { createLogger } from '@sim/logger'
-import { and, asc, eq, inArray, isNull, min } from 'drizzle-orm'
+import { and, asc, eq, isNull, min } from 'drizzle-orm'
 import { type NextRequest, NextResponse } from 'next/server'
 import { z } from 'zod'
-import { checkSessionOrInternalAuth } from '@/lib/auth/hybrid'
+import { getSession } from '@/lib/auth'
 import { generateRequestId } from '@/lib/core/utils/request'
 import { getUserEntityPermissions, workspaceExists } from '@/lib/workspaces/permissions/utils'
 import { verifyWorkspaceMembership } from '@/app/api/workflows/utils'
@@ -21,19 +21,20 @@ const CreateWorkflowSchema = z.object({
 })
 
 // GET /api/workflows - Get workflows for user (optionally filtered by workspaceId)
-export async function GET(request: NextRequest) {
+export async function GET(request: Request) {
   const requestId = generateRequestId()
   const startTime = Date.now()
   const url = new URL(request.url)
   const workspaceId = url.searchParams.get('workspaceId')
 
   try {
-    const auth = await checkSessionOrInternalAuth(request, { requireWorkflowId: false })
-    if (!auth.success || !auth.userId) {
+    const session = await getSession()
+    if (!session?.user?.id) {
       logger.warn(`[${requestId}] Unauthorized workflow access attempt`)
       return NextResponse.json({ error: 'Unauthorized' }, { status: 401 })
     }
-    const userId = auth.userId
+
+    const userId = session.user.id
 
     if (workspaceId) {
       const wsExists = await workspaceExists(workspaceId)
@@ -72,18 +73,10 @@ export async function GET(request: NextRequest) {
         .where(eq(workflow.workspaceId, workspaceId))
         .orderBy(...orderByClause)
     } else {
-      const workspacePermissionRows = await db
-        .select({ workspaceId: permissions.entityId })
-        .from(permissions)
-        .where(and(eq(permissions.userId, userId), eq(permissions.entityType, 'workspace')))
-      const workspaceIds = workspacePermissionRows.map((row) => row.workspaceId)
-      if (workspaceIds.length === 0) {
-        return NextResponse.json({ data: [] }, { status: 200 })
-      }
       workflows = await db
         .select()
         .from(workflow)
-        .where(inArray(workflow.workspaceId, workspaceIds))
+        .where(eq(workflow.userId, userId))
         .orderBy(...orderByClause)
     }
 
@@ -98,12 +91,12 @@ export async function GET(request: NextRequest) {
 // POST /api/workflows - Create a new workflow
 export async function POST(req: NextRequest) {
   const requestId = generateRequestId()
-  const auth = await checkSessionOrInternalAuth(req, { requireWorkflowId: false })
-  if (!auth.success || !auth.userId) {
+  const session = await getSession()
+
+  if (!session?.user?.id) {
     logger.warn(`[${requestId}] Unauthorized workflow creation attempt`)
     return NextResponse.json({ error: 'Unauthorized' }, { status: 401 })
   }
-  const userId = auth.userId
 
   try {
     const body = await req.json()
@@ -116,33 +109,28 @@ export async function POST(req: NextRequest) {
       sortOrder: providedSortOrder,
     } = CreateWorkflowSchema.parse(body)
 
-    if (!workspaceId) {
-      logger.warn(`[${requestId}] Workflow creation blocked: missing workspaceId`)
-      return NextResponse.json(
-        {
-          error:
-            'workspaceId is required. Personal workflows are deprecated and cannot be created.',
-        },
-        { status: 400 }
+    if (workspaceId) {
+      const workspacePermission = await getUserEntityPermissions(
+        session.user.id,
+        'workspace',
+        workspaceId
       )
-    }
 
-    const workspacePermission = await getUserEntityPermissions(userId, 'workspace', workspaceId)
-
-    if (!workspacePermission || workspacePermission === 'read') {
-      logger.warn(
-        `[${requestId}] User ${userId} attempted to create workflow in workspace ${workspaceId} without write permissions`
-      )
-      return NextResponse.json(
-        { error: 'Write or Admin access required to create workflows in this workspace' },
-        { status: 403 }
-      )
+      if (!workspacePermission || workspacePermission === 'read') {
+        logger.warn(
+          `[${requestId}] User ${session.user.id} attempted to create workflow in workspace ${workspaceId} without write permissions`
+        )
+        return NextResponse.json(
+          { error: 'Write or Admin access required to create workflows in this workspace' },
+          { status: 403 }
+        )
+      }
     }
 
     const workflowId = crypto.randomUUID()
     const now = new Date()
 
-    logger.info(`[${requestId}] Creating workflow ${workflowId} for user ${userId}`)
+    logger.info(`[${requestId}] Creating workflow ${workflowId} for user ${session.user.id}`)
 
     import('@/lib/core/telemetry')
       .then(({ PlatformEvents }) => {
@@ -165,14 +153,18 @@ export async function POST(req: NextRequest) {
       const [minResult] = await db
         .select({ minOrder: min(workflow.sortOrder) })
         .from(workflow)
-        .where(and(eq(workflow.workspaceId, workspaceId), folderCondition))
+        .where(
+          workspaceId
+            ? and(eq(workflow.workspaceId, workspaceId), folderCondition)
+            : and(eq(workflow.userId, session.user.id), folderCondition)
+        )
       sortOrder = (minResult?.minOrder ?? 1) - 1
     }
 
     await db.insert(workflow).values({
       id: workflowId,
-      userId,
-      workspaceId,
+      userId: session.user.id,
+      workspaceId: workspaceId || null,
       folderId: folderId || null,
       sortOrder,
       name,

apps/sim/app/workspace/[workspaceId]/logs/components/log-details/components/trace-spans/trace-spans.tsx

@@ -16,7 +16,7 @@ import {
   PopoverItem,
   Tooltip,
 } from '@/components/emcn'
-import { AgentSkillsIcon, WorkflowIcon } from '@/components/icons'
+import { WorkflowIcon } from '@/components/icons'
 import { cn } from '@/lib/core/utils/cn'
 import { formatDuration } from '@/lib/core/utils/formatting'
 import { LoopTool } from '@/app/workspace/[workspaceId]/w/[workflowId]/components/subflows/loop/loop-config'
@@ -118,10 +118,6 @@ function getBlockIconAndColor(
 
   // Check for tool by name first (most specific)
   if (lowerType === 'tool' && toolName) {
-    // Handle load_skill tool with the AgentSkillsIcon
-    if (toolName === 'load_skill') {
-      return { icon: AgentSkillsIcon, bgColor: '#8B5CF6' }
-    }
     const toolBlock = getBlockByToolName(toolName)
     if (toolBlock) {
       return { icon: toolBlock.icon, bgColor: toolBlock.bgColor }

apps/sim/app/workspace/[workspaceId]/w/[workflowId]/components/action-bar/action-bar.tsx

@@ -7,7 +7,7 @@ import { useUserPermissionsContext } from '@/app/workspace/[workspaceId]/provide
 import { useWorkflowExecution } from '@/app/workspace/[workspaceId]/w/[workflowId]/hooks'
 import { validateTriggerPaste } from '@/app/workspace/[workspaceId]/w/[workflowId]/utils'
 import { useCollaborativeWorkflow } from '@/hooks/use-collaborative-workflow'
-import { useCurrentWorkflowExecution, useExecutionStore } from '@/stores/execution'
+import { useExecutionStore } from '@/stores/execution'
 import { useNotificationStore } from '@/stores/notifications'
 import { useWorkflowRegistry } from '@/stores/workflows/registry/store'
 import { useWorkflowStore } from '@/stores/workflows/workflow/store'
@@ -114,8 +114,7 @@ export const ActionBar = memo(
     )
 
     const { activeWorkflowId } = useWorkflowRegistry()
-    const { isExecuting } = useCurrentWorkflowExecution()
-    const getLastExecutionSnapshot = useExecutionStore((s) => s.getLastExecutionSnapshot)
+    const { isExecuting, getLastExecutionSnapshot } = useExecutionStore()
     const userPermissions = useUserPermissionsContext()
     const edges = useWorkflowStore((state) => state.edges)
 

apps/sim/app/workspace/[workspaceId]/w/[workflowId]/components/chat/chat.tsx

@@ -51,7 +51,7 @@ import { useWorkflowExecution } from '@/app/workspace/[workspaceId]/w/[workflowI
 import type { BlockLog, ExecutionResult } from '@/executor/types'
 import { useChatStore } from '@/stores/chat/store'
 import { getChatPosition } from '@/stores/chat/utils'
-import { useCurrentWorkflowExecution } from '@/stores/execution'
+import { useExecutionStore } from '@/stores/execution'
 import { useOperationQueue } from '@/stores/operation-queue/store'
 import { useTerminalConsoleStore } from '@/stores/terminal'
 import { useWorkflowRegistry } from '@/stores/workflows/registry/store'
@@ -256,7 +256,7 @@ export function Chat() {
   const hasConsoleHydrated = useTerminalConsoleStore((state) => state._hasHydrated)
   const entriesFromStore = useTerminalConsoleStore((state) => state.entries)
   const entries = hasConsoleHydrated ? entriesFromStore : []
-  const { isExecuting } = useCurrentWorkflowExecution()
+  const { isExecuting } = useExecutionStore()
   const { handleRunWorkflow, handleCancelExecution } = useWorkflowExecution()
   const { data: session } = useSession()
   const { addToQueue } = useOperationQueue()

apps/sim/app/workspace/[workspaceId]/w/[workflowId]/components/chat/components/output-select/output-select.tsx

@@ -4,8 +4,11 @@ import type React from 'react'
 import { useMemo } from 'react'
 import { RepeatIcon, SplitIcon } from 'lucide-react'
 import { Combobox, type ComboboxOptionGroup } from '@/components/emcn'
-import { getEffectiveBlockOutputs } from '@/lib/workflows/blocks/block-outputs'
-import { hasTriggerCapability } from '@/lib/workflows/triggers/trigger-utils'
+import {
+  extractFieldsFromSchema,
+  parseResponseFormatSafely,
+} from '@/lib/core/utils/response-format'
+import { getToolOutputs } from '@/lib/workflows/blocks/block-outputs'
 import { getBlock } from '@/blocks'
 import { useWorkflowDiffStore } from '@/stores/workflow-diff/store'
 import { useSubBlockStore } from '@/stores/workflows/subblock/store'
@@ -121,26 +124,41 @@ export function OutputSelect({
           : `block-${block.id}`
 
       const blockConfig = getBlock(block.type)
-      const isTriggerCapable = blockConfig ? hasTriggerCapability(blockConfig) : false
-      const effectiveTriggerMode = Boolean(block.triggerMode && isTriggerCapable)
+      const responseFormatValue =
+        shouldUseBaseline && baselineWorkflow
+          ? baselineWorkflow.blocks?.[block.id]?.subBlocks?.responseFormat?.value
+          : subBlockValues?.[block.id]?.responseFormat
+      const responseFormat = parseResponseFormatSafely(responseFormatValue, block.id)
 
       let outputsToProcess: Record<string, unknown> = {}
-      const rawSubBlockValues =
-        shouldUseBaseline && baselineWorkflow
-          ? baselineWorkflow.blocks?.[block.id]?.subBlocks
-          : subBlockValues?.[block.id]
-      const subBlocks: Record<string, { value: unknown }> = {}
-      if (rawSubBlockValues && typeof rawSubBlockValues === 'object') {
-        for (const [key, val] of Object.entries(rawSubBlockValues)) {
-          // Handle both { value: ... } and raw value formats
-          subBlocks[key] = val && typeof val === 'object' && 'value' in val ? val : { value: val }
-        }
-      }
 
-      outputsToProcess = getEffectiveBlockOutputs(block.type, subBlocks, {
-        triggerMode: effectiveTriggerMode,
-        preferToolOutputs: !effectiveTriggerMode,
-      }) as Record<string, unknown>
+      if (responseFormat) {
+        const schemaFields = extractFieldsFromSchema(responseFormat)
+        if (schemaFields.length > 0) {
+          schemaFields.forEach((field) => {
+            outputsToProcess[field.name] = { type: field.type }
+          })
+        } else {
+          outputsToProcess = blockConfig?.outputs || {}
+        }
+      } else {
+        // Build subBlocks object for tool selector
+        const rawSubBlockValues =
+          shouldUseBaseline && baselineWorkflow
+            ? baselineWorkflow.blocks?.[block.id]?.subBlocks
+            : subBlockValues?.[block.id]
+        const subBlocks: Record<string, { value: unknown }> = {}
+        if (rawSubBlockValues && typeof rawSubBlockValues === 'object') {
+          for (const [key, val] of Object.entries(rawSubBlockValues)) {
+            // Handle both { value: ... } and raw value formats
+            subBlocks[key] = val && typeof val === 'object' && 'value' in val ? val : { value: val }
+          }
+        }
+
+        const toolOutputs = blockConfig ? getToolOutputs(blockConfig, subBlocks) : {}
+        outputsToProcess =
+          Object.keys(toolOutputs).length > 0 ? toolOutputs : blockConfig?.outputs || {}
+      }
 
       if (Object.keys(outputsToProcess).length === 0) return
 

apps/sim/app/workspace/[workspaceId]/w/[workflowId]/components/panel/components/deploy/components/deploy-modal/components/mcp/mcp.tsx

@@ -45,12 +45,6 @@ interface McpDeployProps {
   onCanSaveChange?: (canSave: boolean) => void
 }
 
-function haveSameServerSelection(a: string[], b: string[]): boolean {
-  if (a.length !== b.length) return false
-  const bSet = new Set(b)
-  return a.every((id) => bSet.has(id))
-}
-
 /**
  * Generate JSON Schema from input format with optional descriptions
  */
@@ -149,7 +143,6 @@ export function McpDeploy({
   })
   const [parameterDescriptions, setParameterDescriptions] = useState<Record<string, string>>({})
   const [pendingServerChanges, setPendingServerChanges] = useState<Set<string>>(new Set())
-  const [saveErrors, setSaveErrors] = useState<string[]>([])
 
   const parameterSchema = useMemo(
     () => generateParameterSchema(inputFormat, parameterDescriptions),
@@ -186,7 +179,6 @@ export function McpDeploy({
     }
     return ids
   }, [servers, serverToolsMap])
-  const [draftSelectedServerIds, setDraftSelectedServerIds] = useState<string[] | null>(null)
 
   const hasLoadedInitialData = useRef(false)
 
@@ -246,10 +238,9 @@ export function McpDeploy({
     }
   }, [toolName, toolDescription, parameterDescriptions, savedValues])
 
-  const selectedServerIdsForForm = draftSelectedServerIds ?? selectedServerIds
-
-  const hasToolConfigurationChanges = useMemo(() => {
-    if (!savedValues) return false
+  const hasDeployedTools = selectedServerIds.length > 0
+  const hasChanges = useMemo(() => {
+    if (!savedValues || !hasDeployedTools) return false
     if (toolName !== savedValues.toolName) return true
     if (toolDescription !== savedValues.toolDescription) return true
     if (
@@ -258,18 +249,11 @@ export function McpDeploy({
       return true
     }
     return false
-  }, [toolName, toolDescription, parameterDescriptions, savedValues])
-  const hasServerSelectionChanges = useMemo(
-    () => !haveSameServerSelection(selectedServerIdsForForm, selectedServerIds),
-    [selectedServerIdsForForm, selectedServerIds]
-  )
-  const hasChanges =
-    hasServerSelectionChanges ||
-    (hasToolConfigurationChanges && selectedServerIdsForForm.length > 0)
+  }, [toolName, toolDescription, parameterDescriptions, hasDeployedTools, savedValues])
 
   useEffect(() => {
-    onCanSaveChange?.(hasChanges && !!toolName.trim())
-  }, [hasChanges, toolName, onCanSaveChange])
+    onCanSaveChange?.(hasChanges && hasDeployedTools && !!toolName.trim())
+  }, [hasChanges, hasDeployedTools, toolName, onCanSaveChange])
 
   /**
    * Save tool configuration to all deployed servers
@@ -277,114 +261,35 @@ export function McpDeploy({
   const handleSave = useCallback(async () => {
     if (!toolName.trim()) return
 
-    const currentIds = new Set(selectedServerIds)
-    const nextIds = new Set(selectedServerIdsForForm)
-    const toAdd = new Set(selectedServerIdsForForm.filter((id) => !currentIds.has(id)))
-    const toRemove = selectedServerIds.filter((id) => !nextIds.has(id))
-    const shouldUpdateExisting = hasToolConfigurationChanges
+    const toolsToUpdate: Array<{ serverId: string; toolId: string }> = []
+    for (const server of servers) {
+      const toolInfo = serverToolsMap[server.id]
+      if (toolInfo?.tool) {
+        toolsToUpdate.push({ serverId: server.id, toolId: toolInfo.tool.id })
+      }
+    }
 
-    if (toAdd.size === 0 && toRemove.length === 0 && !shouldUpdateExisting) return
+    if (toolsToUpdate.length === 0) return
 
     onSubmittingChange?.(true)
-    setSaveErrors([])
     try {
-      const errors: string[] = []
-      const addedEntries: Record<string, { tool: WorkflowMcpTool; isLoading: boolean }> = {}
-      const removedIds: string[] = []
-
-      for (const serverId of toAdd) {
-        setPendingServerChanges((prev) => new Set(prev).add(serverId))
-        try {
-          const addedTool = await addToolMutation.mutateAsync({
-            workspaceId,
-            serverId,
-            workflowId,
-            toolName: toolName.trim(),
-            toolDescription: toolDescription.trim() || undefined,
-            parameterSchema,
-          })
-          addedEntries[serverId] = { tool: addedTool, isLoading: false }
-          onAddedToServer?.()
-          logger.info(`Added workflow ${workflowId} as tool to server ${serverId}`)
-        } catch (error) {
-          const serverName = servers.find((s) => s.id === serverId)?.name || serverId
-          errors.push(`Failed to add to ${serverName}`)
-          logger.error(`Failed to add tool to server ${serverId}:`, error)
-        } finally {
-          setPendingServerChanges((prev) => {
-            const next = new Set(prev)
-            next.delete(serverId)
-            return next
-          })
-        }
-      }
-
-      for (const serverId of toRemove) {
-        const toolInfo = serverToolsMap[serverId]
-        if (!toolInfo?.tool) continue
-
-        setPendingServerChanges((prev) => new Set(prev).add(serverId))
-        try {
-          await deleteToolMutation.mutateAsync({
-            workspaceId,
-            serverId,
-            toolId: toolInfo.tool.id,
-          })
-          removedIds.push(serverId)
-        } catch (error) {
-          const serverName = servers.find((s) => s.id === serverId)?.name || serverId
-          errors.push(`Failed to remove from ${serverName}`)
-          logger.error(`Failed to remove tool from server ${serverId}:`, error)
-        } finally {
-          setPendingServerChanges((prev) => {
-            const next = new Set(prev)
-            next.delete(serverId)
-            return next
-          })
-        }
-      }
-
-      if (shouldUpdateExisting) {
-        for (const serverId of selectedServerIdsForForm) {
-          if (toAdd.has(serverId)) continue
-          const toolInfo = serverToolsMap[serverId]
-          if (!toolInfo?.tool) continue
-
-          try {
-            await updateToolMutation.mutateAsync({
-              workspaceId,
-              serverId,
-              toolId: toolInfo.tool.id,
-              toolName: toolName.trim(),
-              toolDescription: toolDescription.trim() || undefined,
-              parameterSchema,
-            })
-          } catch (error) {
-            const serverName = servers.find((s) => s.id === serverId)?.name || serverId
-            errors.push(`Failed to update on ${serverName}`)
-            logger.error(`Failed to update tool on server ${serverId}:`, error)
-          }
-        }
-      }
-
-      setServerToolsMap((prev) => {
-        const next = { ...prev, ...addedEntries }
-        for (const id of removedIds) {
-          delete next[id]
-        }
-        return next
-      })
-      if (errors.length > 0) {
-        setSaveErrors(errors)
-      } else {
-        setDraftSelectedServerIds(null)
-        setSavedValues({
-          toolName,
-          toolDescription,
-          parameterDescriptions: { ...parameterDescriptions },
+      for (const { serverId, toolId } of toolsToUpdate) {
+        await updateToolMutation.mutateAsync({
+          workspaceId,
+          serverId,
+          toolId,
+          toolName: toolName.trim(),
+          toolDescription: toolDescription.trim() || undefined,
+          parameterSchema,
         })
-        onCanSaveChange?.(false)
       }
+      // Update saved values after successful save (triggers re-render → hasChanges becomes false)
+      setSavedValues({
+        toolName,
+        toolDescription,
+        parameterDescriptions: { ...parameterDescriptions },
+      })
+      onCanSaveChange?.(false)
       onSubmittingChange?.(false)
     } catch (error) {
       logger.error('Failed to save tool configuration:', error)
@@ -395,17 +300,10 @@ export function McpDeploy({
     toolDescription,
     parameterDescriptions,
     parameterSchema,
-    selectedServerIds,
-    selectedServerIdsForForm,
-    hasToolConfigurationChanges,
+    servers,
     serverToolsMap,
     workspaceId,
-    workflowId,
-    servers,
-    addToolMutation,
-    deleteToolMutation,
     updateToolMutation,
-    onAddedToServer,
     onSubmittingChange,
     onCanSaveChange,
   ])
@@ -417,19 +315,90 @@ export function McpDeploy({
     }))
   }, [servers])
 
-  const handleServerSelectionChange = useCallback((newSelectedIds: string[]) => {
-    setDraftSelectedServerIds(newSelectedIds)
-  }, [])
+  const handleServerSelectionChange = useCallback(
+    async (newSelectedIds: string[]) => {
+      if (!toolName.trim()) return
+
+      const currentIds = new Set(selectedServerIds)
+      const newIds = new Set(newSelectedIds)
+
+      const toAdd = newSelectedIds.filter((id) => !currentIds.has(id))
+      const toRemove = selectedServerIds.filter((id) => !newIds.has(id))
+
+      for (const serverId of toAdd) {
+        setPendingServerChanges((prev) => new Set(prev).add(serverId))
+        try {
+          await addToolMutation.mutateAsync({
+            workspaceId,
+            serverId,
+            workflowId,
+            toolName: toolName.trim(),
+            toolDescription: toolDescription.trim() || undefined,
+            parameterSchema,
+          })
+          onAddedToServer?.()
+          logger.info(`Added workflow ${workflowId} as tool to server ${serverId}`)
+        } catch (error) {
+          logger.error('Failed to add tool:', error)
+        } finally {
+          setPendingServerChanges((prev) => {
+            const next = new Set(prev)
+            next.delete(serverId)
+            return next
+          })
+        }
+      }
+
+      for (const serverId of toRemove) {
+        const toolInfo = serverToolsMap[serverId]
+        if (toolInfo?.tool) {
+          setPendingServerChanges((prev) => new Set(prev).add(serverId))
+          try {
+            await deleteToolMutation.mutateAsync({
+              workspaceId,
+              serverId,
+              toolId: toolInfo.tool.id,
+            })
+            setServerToolsMap((prev) => {
+              const next = { ...prev }
+              delete next[serverId]
+              return next
+            })
+          } catch (error) {
+            logger.error('Failed to remove tool:', error)
+          } finally {
+            setPendingServerChanges((prev) => {
+              const next = new Set(prev)
+              next.delete(serverId)
+              return next
+            })
+          }
+        }
+      }
+    },
+    [
+      selectedServerIds,
+      serverToolsMap,
+      toolName,
+      toolDescription,
+      workspaceId,
+      workflowId,
+      parameterSchema,
+      addToolMutation,
+      deleteToolMutation,
+      onAddedToServer,
+    ]
+  )
 
   const selectedServersLabel = useMemo(() => {
-    const count = selectedServerIdsForForm.length
+    const count = selectedServerIds.length
     if (count === 0) return 'Select servers...'
     if (count === 1) {
-      const server = servers.find((s) => s.id === selectedServerIdsForForm[0])
+      const server = servers.find((s) => s.id === selectedServerIds[0])
       return server?.name || '1 server'
     }
     return `${count} servers selected`
-  }, [selectedServerIdsForForm, servers])
+  }, [selectedServerIds, servers])
 
   const isPending = pendingServerChanges.size > 0
 
@@ -575,7 +544,7 @@ export function McpDeploy({
         <Combobox
           options={serverOptions}
           multiSelect
-          multiSelectValues={selectedServerIdsForForm}
+          multiSelectValues={selectedServerIds}
           onMultiSelectChange={handleServerSelectionChange}
           placeholder='Select servers...'
           searchable
@@ -592,14 +561,10 @@ export function McpDeploy({
         )}
       </div>
 
-      {saveErrors.length > 0 && (
-        <div className='mt-[6.5px] flex flex-col gap-[2px]'>
-          {saveErrors.map((error) => (
-            <p key={error} className='text-[12px] text-[var(--text-error)]'>
-              {error}
-            </p>
-          ))}
-        </div>
+      {addToolMutation.isError && (
+        <p className='mt-[6.5px] text-[12px] text-[var(--text-error)]'>
+          {addToolMutation.error?.message || 'Failed to add tool'}
+        </p>
       )}
     </form>
   )

apps/sim/app/workspace/[workspaceId]/w/[workflowId]/components/panel/components/editor/components/connection-blocks/connection-blocks.tsx

@@ -61,6 +61,8 @@ function ConnectionItem({
     blockId: connection.id,
     blockType: connection.type,
     mergedSubBlocks,
+    responseFormat: connection.responseFormat,
+    operation: connection.operation,
     triggerMode: sourceBlock?.triggerMode,
   })
   const hasFields = fields.length > 0

apps/sim/app/workspace/[workspaceId]/w/[workflowId]/components/panel/components/editor/components/sub-block/components/tag-dropdown/tag-dropdown.tsx

@@ -14,11 +14,16 @@ import {
 } from '@/components/emcn'
 import { cn } from '@/lib/core/utils/cn'
 import {
-  getEffectiveBlockOutputPaths,
-  getEffectiveBlockOutputType,
+  extractFieldsFromSchema,
+  parseResponseFormatSafely,
+} from '@/lib/core/utils/response-format'
+import {
+  getBlockOutputPaths,
+  getBlockOutputType,
   getOutputPathsFromSchema,
+  getToolOutputPaths,
+  getToolOutputType,
 } from '@/lib/workflows/blocks/block-outputs'
-import { hasTriggerCapability } from '@/lib/workflows/triggers/trigger-utils'
 import { TRIGGER_TYPES } from '@/lib/workflows/triggers/triggers'
 import { KeyboardNavigationHandler } from '@/app/workspace/[workspaceId]/w/[workflowId]/components/panel/components/editor/components/sub-block/components/tag-dropdown/components/keyboard-navigation-handler'
 import type {
@@ -209,19 +214,43 @@ const getOutputTypeForPath = (
   outputPath: string,
   mergedSubBlocksOverride?: Record<string, any>
 ): string => {
-  if (block?.type === 'variables') {
-    return 'any'
+  if (block?.triggerMode && blockConfig?.triggers?.enabled) {
+    return getBlockOutputType(block.type, outputPath, mergedSubBlocksOverride, true)
+  }
+  if (block?.type === 'starter') {
+    const startWorkflowValue =
+      mergedSubBlocksOverride?.startWorkflow?.value ?? getSubBlockValue(blockId, 'startWorkflow')
+
+    if (startWorkflowValue === 'chat') {
+      const chatModeTypes: Record<string, string> = {
+        input: 'string',
+        conversationId: 'string',
+        files: 'file[]',
+      }
+      return chatModeTypes[outputPath] || 'any'
+    }
+    const inputFormatValue =
+      mergedSubBlocksOverride?.inputFormat?.value ?? getSubBlockValue(blockId, 'inputFormat')
+    if (inputFormatValue && Array.isArray(inputFormatValue)) {
+      const field = inputFormatValue.find(
+        (f: { name?: string; type?: string }) => f.name === outputPath
+      )
+      if (field?.type) return field.type
+    }
+  } else if (blockConfig?.category === 'triggers') {
+    const blockState = useWorkflowStore.getState().blocks[blockId]
+    const subBlocks = mergedSubBlocksOverride ?? (blockState?.subBlocks || {})
+    return getBlockOutputType(block.type, outputPath, subBlocks)
+  } else if (blockConfig?.tools?.config?.tool) {
+    const blockState = useWorkflowStore.getState().blocks[blockId]
+    const subBlocks = mergedSubBlocksOverride ?? (blockState?.subBlocks || {})
+    return getToolOutputType(blockConfig, subBlocks, outputPath)
   }
 
   const subBlocks =
     mergedSubBlocksOverride ?? useWorkflowStore.getState().blocks[blockId]?.subBlocks
-  const isTriggerCapable = blockConfig ? hasTriggerCapability(blockConfig) : false
-  const triggerMode = Boolean(block?.triggerMode && isTriggerCapable)
-
-  return getEffectiveBlockOutputType(block?.type ?? '', outputPath, subBlocks, {
-    triggerMode,
-    preferToolOutputs: !triggerMode,
-  })
+  const triggerMode = block?.triggerMode && blockConfig?.triggers?.enabled
+  return getBlockOutputType(block?.type ?? '', outputPath, subBlocks, triggerMode)
 }
 
 /**
@@ -1059,9 +1088,24 @@ export const TagDropdown: React.FC<TagDropdownProps> = ({
       const normalizedBlockName = normalizeName(blockName)
 
       const mergedSubBlocks = getMergedSubBlocks(activeSourceBlockId)
+      const responseFormatValue = mergedSubBlocks?.responseFormat?.value
+      const responseFormat = parseResponseFormatSafely(responseFormatValue, activeSourceBlockId)
+
       let blockTags: string[]
 
-      if (sourceBlock.type === 'variables') {
+      if (sourceBlock.type === 'evaluator') {
+        const metricsValue = getSubBlockValue(activeSourceBlockId, 'metrics')
+
+        if (metricsValue && Array.isArray(metricsValue) && metricsValue.length > 0) {
+          const validMetrics = metricsValue.filter((metric: { name?: string }) => metric?.name)
+          blockTags = validMetrics.map(
+            (metric: { name: string }) => `${normalizedBlockName}.${metric.name.toLowerCase()}`
+          )
+        } else {
+          const outputPaths = getBlockOutputPaths(sourceBlock.type, mergedSubBlocks)
+          blockTags = outputPaths.map((path) => `${normalizedBlockName}.${path}`)
+        }
+      } else if (sourceBlock.type === 'variables') {
         const variablesValue = getSubBlockValue(activeSourceBlockId, 'variables')
 
         if (variablesValue && Array.isArray(variablesValue) && variablesValue.length > 0) {
@@ -1075,24 +1119,106 @@ export const TagDropdown: React.FC<TagDropdownProps> = ({
         } else {
           blockTags = [normalizedBlockName]
         }
-      } else {
-        const sourceBlockConfig = getBlock(sourceBlock.type)
-        const isTriggerCapable = sourceBlockConfig ? hasTriggerCapability(sourceBlockConfig) : false
-        const effectiveTriggerMode = Boolean(sourceBlock.triggerMode && isTriggerCapable)
-        const outputPaths = getEffectiveBlockOutputPaths(sourceBlock.type, mergedSubBlocks, {
-          triggerMode: effectiveTriggerMode,
-          preferToolOutputs: !effectiveTriggerMode,
-        })
-        const allTags = outputPaths.map((path) => `${normalizedBlockName}.${path}`)
-
-        if (sourceBlock.type === 'human_in_the_loop' && activeSourceBlockId === blockId) {
-          blockTags = allTags.filter(
-            (tag) => tag.endsWith('.url') || tag.endsWith('.resumeEndpoint')
-          )
-        } else if (allTags.length === 0) {
-          blockTags = [normalizedBlockName]
+      } else if (responseFormat) {
+        const schemaFields = extractFieldsFromSchema(responseFormat)
+        if (schemaFields.length > 0) {
+          blockTags = schemaFields.map((field) => `${normalizedBlockName}.${field.name}`)
         } else {
-          blockTags = allTags
+          const outputPaths = getBlockOutputPaths(
+            sourceBlock.type,
+            mergedSubBlocks,
+            sourceBlock.triggerMode
+          )
+          blockTags = outputPaths.map((path) => `${normalizedBlockName}.${path}`)
+        }
+      } else if (!blockConfig.outputs || Object.keys(blockConfig.outputs).length === 0) {
+        if (sourceBlock.type === 'starter') {
+          const startWorkflowValue = mergedSubBlocks?.startWorkflow?.value
+
+          if (startWorkflowValue === 'chat') {
+            blockTags = [
+              `${normalizedBlockName}.input`,
+              `${normalizedBlockName}.conversationId`,
+              `${normalizedBlockName}.files`,
+            ]
+          } else {
+            const inputFormatValue = mergedSubBlocks?.inputFormat?.value
+
+            if (
+              inputFormatValue &&
+              Array.isArray(inputFormatValue) &&
+              inputFormatValue.length > 0
+            ) {
+              blockTags = inputFormatValue
+                .filter((field: { name?: string }) => field.name && field.name.trim() !== '')
+                .map((field: { name: string }) => `${normalizedBlockName}.${field.name}`)
+            } else {
+              blockTags = [normalizedBlockName]
+            }
+          }
+        } else if (sourceBlock.type === 'api_trigger' || sourceBlock.type === 'input_trigger') {
+          const inputFormatValue = mergedSubBlocks?.inputFormat?.value
+
+          if (inputFormatValue && Array.isArray(inputFormatValue) && inputFormatValue.length > 0) {
+            blockTags = inputFormatValue
+              .filter((field: { name?: string }) => field.name && field.name.trim() !== '')
+              .map((field: { name: string }) => `${normalizedBlockName}.${field.name}`)
+          } else {
+            blockTags = []
+          }
+        } else {
+          blockTags = [normalizedBlockName]
+        }
+      } else {
+        if (blockConfig.category === 'triggers' || sourceBlock.type === 'starter') {
+          const dynamicOutputs = getBlockOutputPaths(sourceBlock.type, mergedSubBlocks)
+          if (dynamicOutputs.length > 0) {
+            blockTags = dynamicOutputs.map((path) => `${normalizedBlockName}.${path}`)
+          } else if (sourceBlock.type === 'starter') {
+            blockTags = [normalizedBlockName]
+          } else if (sourceBlock.type === TRIGGER_TYPES.GENERIC_WEBHOOK) {
+            blockTags = [normalizedBlockName]
+          } else {
+            blockTags = []
+          }
+        } else if (sourceBlock?.triggerMode && blockConfig.triggers?.enabled) {
+          const dynamicOutputs = getBlockOutputPaths(sourceBlock.type, mergedSubBlocks, true)
+          if (dynamicOutputs.length > 0) {
+            blockTags = dynamicOutputs.map((path) => `${normalizedBlockName}.${path}`)
+          } else {
+            const outputPaths = getBlockOutputPaths(sourceBlock.type, mergedSubBlocks, true)
+            blockTags = outputPaths.map((path) => `${normalizedBlockName}.${path}`)
+          }
+        } else if (sourceBlock.type === 'human_in_the_loop') {
+          const dynamicOutputs = getBlockOutputPaths(sourceBlock.type, mergedSubBlocks)
+
+          const isSelfReference = activeSourceBlockId === blockId
+
+          if (dynamicOutputs.length > 0) {
+            const allTags = dynamicOutputs.map((path) => `${normalizedBlockName}.${path}`)
+            blockTags = isSelfReference
+              ? allTags.filter((tag) => tag.endsWith('.url') || tag.endsWith('.resumeEndpoint'))
+              : allTags
+          } else {
+            const outputPaths = getBlockOutputPaths(sourceBlock.type, mergedSubBlocks)
+            const allTags = outputPaths.map((path) => `${normalizedBlockName}.${path}`)
+            blockTags = isSelfReference
+              ? allTags.filter((tag) => tag.endsWith('.url') || tag.endsWith('.resumeEndpoint'))
+              : allTags
+          }
+        } else {
+          const toolOutputPaths = getToolOutputPaths(blockConfig, mergedSubBlocks)
+
+          if (toolOutputPaths.length > 0) {
+            blockTags = toolOutputPaths.map((path) => `${normalizedBlockName}.${path}`)
+          } else {
+            const outputPaths = getBlockOutputPaths(
+              sourceBlock.type,
+              mergedSubBlocks,
+              sourceBlock.triggerMode
+            )
+            blockTags = outputPaths.map((path) => `${normalizedBlockName}.${path}`)
+          }
         }
       }
 
@@ -1306,10 +1432,45 @@ export const TagDropdown: React.FC<TagDropdownProps> = ({
       const normalizedBlockName = normalizeName(blockName)
 
       const mergedSubBlocks = getMergedSubBlocks(accessibleBlockId)
+      const responseFormatValue = mergedSubBlocks?.responseFormat?.value
+      const responseFormat = parseResponseFormatSafely(responseFormatValue, accessibleBlockId)
 
       let blockTags: string[]
 
-      if (accessibleBlock.type === 'variables') {
+      if (blockConfig.category === 'triggers' || accessibleBlock.type === 'starter') {
+        const dynamicOutputs = getBlockOutputPaths(accessibleBlock.type, mergedSubBlocks)
+
+        if (dynamicOutputs.length > 0) {
+          blockTags = dynamicOutputs.map((path) => `${normalizedBlockName}.${path}`)
+        } else if (accessibleBlock.type === 'starter') {
+          const startWorkflowValue = mergedSubBlocks?.startWorkflow?.value
+          if (startWorkflowValue === 'chat') {
+            blockTags = [
+              `${normalizedBlockName}.input`,
+              `${normalizedBlockName}.conversationId`,
+              `${normalizedBlockName}.files`,
+            ]
+          } else {
+            blockTags = [normalizedBlockName]
+          }
+        } else if (accessibleBlock.type === TRIGGER_TYPES.GENERIC_WEBHOOK) {
+          blockTags = [normalizedBlockName]
+        } else {
+          blockTags = []
+        }
+      } else if (accessibleBlock.type === 'evaluator') {
+        const metricsValue = getSubBlockValue(accessibleBlockId, 'metrics')
+
+        if (metricsValue && Array.isArray(metricsValue) && metricsValue.length > 0) {
+          const validMetrics = metricsValue.filter((metric: { name?: string }) => metric?.name)
+          blockTags = validMetrics.map(
+            (metric: { name: string }) => `${normalizedBlockName}.${metric.name.toLowerCase()}`
+          )
+        } else {
+          const outputPaths = getBlockOutputPaths(accessibleBlock.type, mergedSubBlocks)
+          blockTags = outputPaths.map((path) => `${normalizedBlockName}.${path}`)
+        }
+      } else if (accessibleBlock.type === 'variables') {
         const variablesValue = getSubBlockValue(accessibleBlockId, 'variables')
 
         if (variablesValue && Array.isArray(variablesValue) && variablesValue.length > 0) {
@@ -1323,26 +1484,57 @@ export const TagDropdown: React.FC<TagDropdownProps> = ({
         } else {
           blockTags = [normalizedBlockName]
         }
-      } else {
-        const accessibleBlockConfig = getBlock(accessibleBlock.type)
-        const isTriggerCapable = accessibleBlockConfig
-          ? hasTriggerCapability(accessibleBlockConfig)
-          : false
-        const effectiveTriggerMode = Boolean(accessibleBlock.triggerMode && isTriggerCapable)
-        const outputPaths = getEffectiveBlockOutputPaths(accessibleBlock.type, mergedSubBlocks, {
-          triggerMode: effectiveTriggerMode,
-          preferToolOutputs: !effectiveTriggerMode,
-        })
-        const allTags = outputPaths.map((path) => `${normalizedBlockName}.${path}`)
-
-        if (accessibleBlock.type === 'human_in_the_loop' && accessibleBlockId === blockId) {
-          blockTags = allTags.filter(
-            (tag) => tag.endsWith('.url') || tag.endsWith('.resumeEndpoint')
-          )
-        } else if (allTags.length === 0) {
-          blockTags = [normalizedBlockName]
+      } else if (responseFormat) {
+        const schemaFields = extractFieldsFromSchema(responseFormat)
+        if (schemaFields.length > 0) {
+          blockTags = schemaFields.map((field) => `${normalizedBlockName}.${field.name}`)
         } else {
-          blockTags = allTags
+          const outputPaths = getBlockOutputPaths(
+            accessibleBlock.type,
+            mergedSubBlocks,
+            accessibleBlock.triggerMode
+          )
+          blockTags = outputPaths.map((path) => `${normalizedBlockName}.${path}`)
+        }
+      } else if (!blockConfig.outputs || Object.keys(blockConfig.outputs).length === 0) {
+        blockTags = [normalizedBlockName]
+      } else {
+        const blockState = blocks[accessibleBlockId]
+        if (blockState?.triggerMode && blockConfig.triggers?.enabled) {
+          const dynamicOutputs = getBlockOutputPaths(accessibleBlock.type, mergedSubBlocks, true)
+          if (dynamicOutputs.length > 0) {
+            blockTags = dynamicOutputs.map((path) => `${normalizedBlockName}.${path}`)
+          } else {
+            const outputPaths = getBlockOutputPaths(accessibleBlock.type, mergedSubBlocks, true)
+            blockTags = outputPaths.map((path) => `${normalizedBlockName}.${path}`)
+          }
+        } else if (accessibleBlock.type === 'human_in_the_loop') {
+          const dynamicOutputs = getBlockOutputPaths(accessibleBlock.type, mergedSubBlocks)
+
+          const isSelfReference = accessibleBlockId === blockId
+
+          if (dynamicOutputs.length > 0) {
+            const allTags = dynamicOutputs.map((path) => `${normalizedBlockName}.${path}`)
+            blockTags = isSelfReference
+              ? allTags.filter((tag) => tag.endsWith('.url') || tag.endsWith('.resumeEndpoint'))
+              : allTags
+          } else {
+            blockTags = [`${normalizedBlockName}.url`, `${normalizedBlockName}.resumeEndpoint`]
+          }
+        } else {
+          const toolOutputPaths = getToolOutputPaths(blockConfig, mergedSubBlocks)
+
+          if (toolOutputPaths.length > 0) {
+            blockTags = toolOutputPaths.map((path) => `${normalizedBlockName}.${path}`)
+          } else {
+            const outputPaths = getBlockOutputPaths(
+              accessibleBlock.type,
+              mergedSubBlocks,
+              accessibleBlock.triggerMode
+            )
+
+            blockTags = outputPaths.map((path) => `${normalizedBlockName}.${path}`)
+          }
         }
       }
 

apps/sim/app/workspace/[workspaceId]/w/[workflowId]/components/panel/components/editor/components/sub-block/components/tool-input/components/tool-credential-selector.tsx

@@ -59,7 +59,7 @@ export function ToolCredentialSelector({
   disabled = false,
 }: ToolCredentialSelectorProps) {
   const [showOAuthModal, setShowOAuthModal] = useState(false)
-  const [editingInputValue, setEditingInputValue] = useState('')
+  const [inputValue, setInputValue] = useState('')
   const [isEditing, setIsEditing] = useState(false)
   const { activeWorkflowId } = useWorkflowRegistry()
 
@@ -100,7 +100,11 @@ export function ToolCredentialSelector({
     return ''
   }, [selectedCredential, isForeign])
 
-  const inputValue = isEditing ? editingInputValue : resolvedLabel
+  useEffect(() => {
+    if (!isEditing) {
+      setInputValue(resolvedLabel)
+    }
+  }, [resolvedLabel, isEditing])
 
   const invalidSelection =
     Boolean(selectedId) &&
@@ -185,12 +189,13 @@ export function ToolCredentialSelector({
 
       const matchedCred = credentials.find((c) => c.id === newValue)
       if (matchedCred) {
+        setInputValue(matchedCred.name)
         handleSelect(newValue)
         return
       }
 
       setIsEditing(true)
-      setEditingInputValue(newValue)
+      setInputValue(newValue)
     },
     [credentials, handleAddCredential, handleSelect]
   )

apps/sim/app/workspace/[workspaceId]/w/[workflowId]/components/panel/components/editor/components/sub-block/components/tool-input/tool-input.tsx

@@ -2642,7 +2642,7 @@ export const ToolInput = memo(function ToolInput({
               </div>
 
               {!isCustomTool && isExpandedForDisplay && (
-                <div className='flex flex-col gap-[10px] overflow-visible rounded-b-[4px] border-[var(--border-1)] border-t bg-[var(--surface-2)] px-[8px] py-[8px]'>
+                <div className='flex flex-col gap-[10px] overflow-visible rounded-b-[4px] border-[var(--border-1)] border-t px-[8px] py-[8px]'>
                   {/* Operation dropdown for tools with multiple operations */}
                   {(() => {
                     const hasOperations = hasMultipleOperations(tool.type)

apps/sim/app/workspace/[workspaceId]/w/[workflowId]/components/panel/components/editor/hooks/use-block-connections.ts

@@ -1,8 +1,10 @@
 import { useShallow } from 'zustand/react/shallow'
-import { getEffectiveBlockOutputs } from '@/lib/workflows/blocks/block-outputs'
+import {
+  extractFieldsFromSchema,
+  parseResponseFormatSafely,
+} from '@/lib/core/utils/response-format'
+import { getBlockOutputs } from '@/lib/workflows/blocks/block-outputs'
 import { BlockPathCalculator } from '@/lib/workflows/blocks/block-path-calculator'
-import { hasTriggerCapability } from '@/lib/workflows/triggers/trigger-utils'
-import { getBlock } from '@/blocks'
 import { useWorkflowRegistry } from '@/stores/workflows/registry/store'
 import { useSubBlockStore } from '@/stores/workflows/subblock/store'
 import { useWorkflowStore } from '@/stores/workflows/workflow/store'
@@ -18,7 +20,18 @@ export interface ConnectedBlock {
   type: string
   outputType: string | string[]
   name: string
+  responseFormat?: {
+    // Support both formats
+    fields?: Field[]
+    name?: string
+    schema?: {
+      type: string
+      properties: Record<string, any>
+      required?: string[]
+    }
+  }
   outputs?: Record<string, any>
+  operation?: string
 }
 
 export function useBlockConnections(blockId: string) {
@@ -89,32 +102,47 @@ export function useBlockConnections(blockId: string) {
 
       // Get merged subblocks for this source block
       const mergedSubBlocks = getMergedSubBlocks(sourceId)
-      const blockConfig = getBlock(sourceBlock.type)
-      const isTriggerCapable = blockConfig ? hasTriggerCapability(blockConfig) : false
-      const effectiveTriggerMode = Boolean(sourceBlock.triggerMode && isTriggerCapable)
 
-      const blockOutputs = getEffectiveBlockOutputs(sourceBlock.type, mergedSubBlocks, {
-        triggerMode: effectiveTriggerMode,
-        preferToolOutputs: !effectiveTriggerMode,
-      })
+      // Get the response format from the subblock store
+      const responseFormatValue = useSubBlockStore.getState().getValue(sourceId, 'responseFormat')
 
-      const outputFields: Field[] = Object.entries(blockOutputs).map(
-        ([key, value]: [string, any]) => ({
+      // Safely parse response format with proper error handling
+      const responseFormat = parseResponseFormatSafely(responseFormatValue, sourceId)
+
+      // Get operation value for tool-based blocks
+      const operationValue = useSubBlockStore.getState().getValue(sourceId, 'operation')
+
+      // Use getBlockOutputs to properly handle dynamic outputs from inputFormat
+      const blockOutputs = getBlockOutputs(
+        sourceBlock.type,
+        mergedSubBlocks,
+        sourceBlock.triggerMode
+      )
+
+      // Extract fields from the response format if available, otherwise use block outputs
+      let outputFields: Field[]
+      if (responseFormat) {
+        outputFields = extractFieldsFromSchema(responseFormat)
+      } else {
+        // Convert block outputs to field format
+        outputFields = Object.entries(blockOutputs).map(([key, value]: [string, any]) => ({
           name: key,
           type: value && typeof value === 'object' && 'type' in value ? value.type : 'string',
           description:
             value && typeof value === 'object' && 'description' in value
               ? value.description
               : undefined,
-        })
-      )
+        }))
+      }
 
       return {
         id: sourceBlock.id,
         type: sourceBlock.type,
         outputType: outputFields.map((field: Field) => field.name),
         name: sourceBlock.name,
+        responseFormat,
         outputs: blockOutputs,
+        operation: operationValue,
         distance: nodeDistances.get(sourceId) || Number.POSITIVE_INFINITY,
       }
     })

apps/sim/app/workspace/[workspaceId]/w/[workflowId]/components/workflow-block/hooks/use-block-state.ts

@@ -1,7 +1,7 @@
 import { useCallback } from 'react'
 import type { DiffStatus } from '@/lib/workflows/diff/types'
 import { hasDiffStatus } from '@/lib/workflows/diff/types'
-import { useIsBlockActive } from '@/stores/execution'
+import { useExecutionStore } from '@/stores/execution'
 import { useWorkflowDiffStore } from '@/stores/workflow-diff'
 import type { CurrentWorkflow } from '../../../hooks/use-current-workflow'
 import type { WorkflowBlockProps } from '../types'
@@ -67,7 +67,7 @@ export function useBlockState(
   const isDeletedBlock = !isShowingDiff && diffAnalysis?.deleted_blocks?.includes(blockId)
 
   // Execution state
-  const isActiveBlock = useIsBlockActive(blockId)
+  const isActiveBlock = useExecutionStore((state) => state.activeBlockIds.has(blockId))
   const isActive = data.isActive || isActiveBlock
 
   return {

apps/sim/app/workspace/[workspaceId]/w/[workflowId]/components/workflow-edge/workflow-edge.tsx

@@ -3,7 +3,7 @@ import { X } from 'lucide-react'
 import { BaseEdge, EdgeLabelRenderer, type EdgeProps, getSmoothStepPath } from 'reactflow'
 import { useShallow } from 'zustand/react/shallow'
 import type { EdgeDiffStatus } from '@/lib/workflows/diff/types'
-import { useLastRunEdges } from '@/stores/execution'
+import { useExecutionStore } from '@/stores/execution'
 import { useWorkflowDiffStore } from '@/stores/workflow-diff'
 
 /** Extended edge props with optional handle identifiers */
@@ -49,7 +49,7 @@ const WorkflowEdgeComponent = ({
       isDiffReady: state.isDiffReady,
     }))
   )
-  const lastRunEdges = useLastRunEdges()
+  const lastRunEdges = useExecutionStore((state) => state.lastRunEdges)
 
   const dataSourceHandle = (data as { sourceHandle?: string } | undefined)?.sourceHandle
   const isErrorEdge = (sourceHandle ?? dataSourceHandle) === 'error'

apps/sim/app/workspace/[workspaceId]/w/[workflowId]/hooks/use-block-output-fields.ts

@@ -1,8 +1,13 @@
 'use client'
 
 import { useMemo } from 'react'
-import { getEffectiveBlockOutputs } from '@/lib/workflows/blocks/block-outputs'
-import { hasTriggerCapability } from '@/lib/workflows/triggers/trigger-utils'
+import { extractFieldsFromSchema } from '@/lib/core/utils/response-format'
+import {
+  getBlockOutputPaths,
+  getBlockOutputs,
+  getToolOutputs,
+} from '@/lib/workflows/blocks/block-outputs'
+import { TRIGGER_TYPES } from '@/lib/workflows/triggers/triggers'
 import type { SchemaField } from '@/app/workspace/[workspaceId]/w/[workflowId]/components/panel/components/editor/components/connection-blocks/components/field-item/field-item'
 import { getBlock } from '@/blocks'
 import { useSubBlockStore } from '@/stores/workflows/subblock/store'
@@ -71,7 +76,11 @@ const extractNestedFields = (properties: Record<string, any>): SchemaField[] =>
 /**
  * Creates a schema field from an output definition
  */
-const createFieldFromOutput = (name: string, output: any): SchemaField => {
+const createFieldFromOutput = (
+  name: string,
+  output: any,
+  responseFormatFields?: SchemaField[]
+): SchemaField => {
   const hasExplicitType = isObject(output) && typeof output.type === 'string'
   const type = hasExplicitType ? output.type : isObject(output) ? 'object' : 'string'
 
@@ -81,7 +90,11 @@ const createFieldFromOutput = (name: string, output: any): SchemaField => {
     description: isObject(output) && 'description' in output ? output.description : undefined,
   }
 
-  field.children = extractChildFields(output)
+  if (name === 'data' && responseFormatFields && responseFormatFields.length > 0) {
+    field.children = responseFormatFields
+  } else {
+    field.children = extractChildFields(output)
+  }
 
   return field
 }
@@ -90,6 +103,8 @@ interface UseBlockOutputFieldsParams {
   blockId: string
   blockType: string
   mergedSubBlocks?: Record<string, any>
+  responseFormat?: any
+  operation?: string
   triggerMode?: boolean
 }
 
@@ -101,6 +116,8 @@ export function useBlockOutputFields({
   blockId,
   blockType,
   mergedSubBlocks,
+  responseFormat,
+  operation,
   triggerMode,
 }: UseBlockOutputFieldsParams): SchemaField[] {
   return useMemo(() => {
@@ -121,6 +138,21 @@ export function useBlockOutputFields({
       return []
     }
 
+    // Handle evaluator blocks - use metrics if available
+    if (blockType === 'evaluator') {
+      const metricsValue = mergedSubBlocks?.metrics?.value ?? getSubBlockValue(blockId, 'metrics')
+
+      if (metricsValue && Array.isArray(metricsValue) && metricsValue.length > 0) {
+        const validMetrics = metricsValue.filter((metric: { name?: string }) => metric?.name)
+        return validMetrics.map((metric: { name: string }) => ({
+          name: metric.name.toLowerCase(),
+          type: 'number',
+          description: `Metric: ${metric.name}`,
+        }))
+      }
+      // Fall through to use blockConfig.outputs
+    }
+
     // Handle variables blocks - use variable assignments if available
     if (blockType === 'variables') {
       const variablesValue =
@@ -140,16 +172,123 @@ export function useBlockOutputFields({
       return []
     }
 
-    const isTriggerCapable = hasTriggerCapability(blockConfig)
-    const effectiveTriggerMode = Boolean(triggerMode && isTriggerCapable)
-    const baseOutputs = getEffectiveBlockOutputs(blockType, mergedSubBlocks, {
-      triggerMode: effectiveTriggerMode,
-      preferToolOutputs: !effectiveTriggerMode,
-    }) as Record<string, any>
+    // Get base outputs using getBlockOutputs (handles triggers, starter, approval, etc.)
+    let baseOutputs: Record<string, any> = {}
+
+    if (blockConfig.category === 'triggers' || blockType === 'starter') {
+      // Use getBlockOutputPaths to get dynamic outputs, then reconstruct the structure
+      const outputPaths = getBlockOutputPaths(blockType, mergedSubBlocks, triggerMode)
+      if (outputPaths.length > 0) {
+        // Reconstruct outputs structure from paths
+        // This is a simplified approach - we'll use the paths to build the structure
+        baseOutputs = getBlockOutputs(blockType, mergedSubBlocks, triggerMode)
+      } else if (blockType === 'starter') {
+        const startWorkflowValue = mergedSubBlocks?.startWorkflow?.value
+        if (startWorkflowValue === 'chat') {
+          baseOutputs = {
+            input: { type: 'string', description: 'User message' },
+            conversationId: { type: 'string', description: 'Conversation ID' },
+            files: { type: 'file[]', description: 'Uploaded files' },
+          }
+        } else {
+          const inputFormatValue = mergedSubBlocks?.inputFormat?.value
+          if (inputFormatValue && Array.isArray(inputFormatValue) && inputFormatValue.length > 0) {
+            baseOutputs = {}
+            inputFormatValue.forEach((field: { name?: string; type?: string }) => {
+              if (field.name && field.name.trim() !== '') {
+                baseOutputs[field.name] = {
+                  type: field.type || 'string',
+                  description: `Field from input format`,
+                }
+              }
+            })
+          }
+        }
+      } else if (blockType === TRIGGER_TYPES.GENERIC_WEBHOOK) {
+        // Generic webhook returns the whole payload
+        baseOutputs = {}
+      } else {
+        baseOutputs = {}
+      }
+    } else if (triggerMode && blockConfig.triggers?.enabled) {
+      // Trigger mode enabled
+      const dynamicOutputs = getBlockOutputPaths(blockType, mergedSubBlocks, true)
+      if (dynamicOutputs.length > 0) {
+        baseOutputs = getBlockOutputs(blockType, mergedSubBlocks, true)
+      } else {
+        baseOutputs = blockConfig.outputs || {}
+      }
+    } else if (blockType === 'approval') {
+      // Approval block uses dynamic outputs from inputFormat
+      baseOutputs = getBlockOutputs(blockType, mergedSubBlocks)
+    } else {
+      // For tool-based blocks, try to get tool outputs first
+      const toolOutputs = blockConfig ? getToolOutputs(blockConfig, mergedSubBlocks) : {}
+
+      if (Object.keys(toolOutputs).length > 0) {
+        baseOutputs = toolOutputs
+      } else {
+        baseOutputs = getBlockOutputs(blockType, mergedSubBlocks, triggerMode)
+      }
+    }
+
+    // Handle responseFormat
+    const responseFormatFields = responseFormat ? extractFieldsFromSchema(responseFormat) : []
+
+    // If responseFormat exists and has fields, merge with base outputs
+    if (responseFormatFields.length > 0) {
+      // If base outputs is empty, use responseFormat fields directly
+      if (Object.keys(baseOutputs).length === 0) {
+        return responseFormatFields.map((field) => ({
+          name: field.name,
+          type: field.type,
+          description: field.description,
+          children: undefined, // ResponseFormat fields are flat
+        }))
+      }
+
+      // Otherwise, merge: responseFormat takes precedence for 'data' field
+      const fields: SchemaField[] = []
+      const responseFormatFieldNames = new Set(responseFormatFields.map((f) => f.name))
+
+      // Add base outputs, replacing 'data' with responseFormat fields if present
+      for (const [name, output] of Object.entries(baseOutputs)) {
+        if (name === 'data' && responseFormatFields.length > 0) {
+          fields.push(
+            createFieldFromOutput(
+              name,
+              output,
+              responseFormatFields.map((f) => ({
+                name: f.name,
+                type: f.type,
+                description: f.description,
+              }))
+            )
+          )
+        } else if (!responseFormatFieldNames.has(name)) {
+          fields.push(createFieldFromOutput(name, output))
+        }
+      }
+
+      // Add responseFormat fields that aren't in base outputs
+      for (const field of responseFormatFields) {
+        if (!baseOutputs[field.name]) {
+          fields.push({
+            name: field.name,
+            type: field.type,
+            description: field.description,
+          })
+        }
+      }
+
+      return fields
+    }
+
+    // No responseFormat, just use base outputs
     if (Object.keys(baseOutputs).length === 0) {
       return []
     }
 
     return Object.entries(baseOutputs).map(([name, output]) => createFieldFromOutput(name, output))
-  }, [blockId, blockType, mergedSubBlocks, triggerMode])
+  }, [blockId, blockType, mergedSubBlocks, responseFormat, operation, triggerMode])
 }

apps/sim/app/workspace/[workspaceId]/w/[workflowId]/hooks/use-block-visual.ts

@@ -3,7 +3,7 @@ import { useBlockState } from '@/app/workspace/[workspaceId]/w/[workflowId]/comp
 import type { WorkflowBlockProps } from '@/app/workspace/[workspaceId]/w/[workflowId]/components/workflow-block/types'
 import { useCurrentWorkflow } from '@/app/workspace/[workspaceId]/w/[workflowId]/hooks/use-current-workflow'
 import { getBlockRingStyles } from '@/app/workspace/[workspaceId]/w/[workflowId]/utils/block-ring-utils'
-import { useLastRunPath } from '@/stores/execution'
+import { useExecutionStore } from '@/stores/execution'
 import { usePanelEditorStore, usePanelStore } from '@/stores/panel'
 import { useWorkflowRegistry } from '@/stores/workflows/registry/store'
 
@@ -64,7 +64,7 @@ export function useBlockVisual({
   )
   const isEditorOpen = !isPreview && isThisBlockInEditor && activeTabIsEditor
 
-  const lastRunPath = useLastRunPath()
+  const lastRunPath = useExecutionStore((state) => state.lastRunPath)
   const runPathStatus = isPreview ? undefined : lastRunPath.get(blockId)
 
   const setCurrentBlockId = usePanelEditorStore((state) => state.setCurrentBlockId)

apps/sim/app/workspace/[workspaceId]/w/[workflowId]/hooks/use-workflow-execution.ts

@@ -34,7 +34,7 @@ import { coerceValue } from '@/executor/utils/start-block'
 import { subscriptionKeys } from '@/hooks/queries/subscription'
 import { useExecutionStream } from '@/hooks/use-execution-stream'
 import { WorkflowValidationError } from '@/serializer'
-import { useCurrentWorkflowExecution, useExecutionStore } from '@/stores/execution'
+import { useExecutionStore } from '@/stores/execution'
 import { useNotificationStore } from '@/stores/notifications'
 import { useVariablesStore } from '@/stores/panel'
 import { useEnvironmentStore } from '@/stores/settings/environment'
@@ -112,19 +112,24 @@ export function useWorkflowExecution() {
     useTerminalConsoleStore()
   const { getAllVariables } = useEnvironmentStore()
   const { getVariablesByWorkflowId, variables } = useVariablesStore()
-  const { isExecuting, isDebugging, pendingBlocks, executor, debugContext } =
-    useCurrentWorkflowExecution()
-  const setIsExecuting = useExecutionStore((s) => s.setIsExecuting)
-  const setIsDebugging = useExecutionStore((s) => s.setIsDebugging)
-  const setPendingBlocks = useExecutionStore((s) => s.setPendingBlocks)
-  const setExecutor = useExecutionStore((s) => s.setExecutor)
-  const setDebugContext = useExecutionStore((s) => s.setDebugContext)
-  const setActiveBlocks = useExecutionStore((s) => s.setActiveBlocks)
-  const setBlockRunStatus = useExecutionStore((s) => s.setBlockRunStatus)
-  const setEdgeRunStatus = useExecutionStore((s) => s.setEdgeRunStatus)
-  const setLastExecutionSnapshot = useExecutionStore((s) => s.setLastExecutionSnapshot)
-  const getLastExecutionSnapshot = useExecutionStore((s) => s.getLastExecutionSnapshot)
-  const clearLastExecutionSnapshot = useExecutionStore((s) => s.clearLastExecutionSnapshot)
+  const {
+    isExecuting,
+    isDebugging,
+    pendingBlocks,
+    executor,
+    debugContext,
+    setIsExecuting,
+    setIsDebugging,
+    setPendingBlocks,
+    setExecutor,
+    setDebugContext,
+    setActiveBlocks,
+    setBlockRunStatus,
+    setEdgeRunStatus,
+    setLastExecutionSnapshot,
+    getLastExecutionSnapshot,
+    clearLastExecutionSnapshot,
+  } = useExecutionStore()
   const [executionResult, setExecutionResult] = useState<ExecutionResult | null>(null)
   const executionStream = useExecutionStream()
   const currentChatExecutionIdRef = useRef<string | null>(null)
@@ -153,15 +158,13 @@ export function useWorkflowExecution() {
    * Resets all debug-related state
    */
   const resetDebugState = useCallback(() => {
-    if (!activeWorkflowId) return
-    setIsExecuting(activeWorkflowId, false)
-    setIsDebugging(activeWorkflowId, false)
-    setDebugContext(activeWorkflowId, null)
-    setExecutor(activeWorkflowId, null)
-    setPendingBlocks(activeWorkflowId, [])
-    setActiveBlocks(activeWorkflowId, new Set())
+    setIsExecuting(false)
+    setIsDebugging(false)
+    setDebugContext(null)
+    setExecutor(null)
+    setPendingBlocks([])
+    setActiveBlocks(new Set())
   }, [
-    activeWorkflowId,
     setIsExecuting,
     setIsDebugging,
     setDebugContext,
@@ -309,20 +312,18 @@ export function useWorkflowExecution() {
       } = config
 
       const updateActiveBlocks = (blockId: string, isActive: boolean) => {
-        if (!workflowId) return
         if (isActive) {
           activeBlocksSet.add(blockId)
         } else {
           activeBlocksSet.delete(blockId)
         }
-        setActiveBlocks(workflowId, new Set(activeBlocksSet))
+        setActiveBlocks(new Set(activeBlocksSet))
       }
 
       const markIncomingEdges = (blockId: string) => {
-        if (!workflowId) return
         const incomingEdges = workflowEdges.filter((edge) => edge.target === blockId)
         incomingEdges.forEach((edge) => {
-          setEdgeRunStatus(workflowId, edge.id, 'success')
+          setEdgeRunStatus(edge.id, 'success')
         })
       }
 
@@ -458,7 +459,7 @@ export function useWorkflowExecution() {
 
       const onBlockCompleted = (data: BlockCompletedData) => {
         updateActiveBlocks(data.blockId, false)
-        if (workflowId) setBlockRunStatus(workflowId, data.blockId, 'success')
+        setBlockRunStatus(data.blockId, 'success')
 
         executedBlockIds.add(data.blockId)
         accumulatedBlockStates.set(data.blockId, {
@@ -488,7 +489,7 @@ export function useWorkflowExecution() {
 
       const onBlockError = (data: BlockErrorData) => {
         updateActiveBlocks(data.blockId, false)
-        if (workflowId) setBlockRunStatus(workflowId, data.blockId, 'error')
+        setBlockRunStatus(data.blockId, 'error')
 
         executedBlockIds.add(data.blockId)
         accumulatedBlockStates.set(data.blockId, {
@@ -546,20 +547,19 @@ export function useWorkflowExecution() {
    */
   const handleDebugSessionContinuation = useCallback(
     (result: ExecutionResult) => {
-      if (!activeWorkflowId) return
       logger.info('Debug step completed, next blocks pending', {
         nextPendingBlocks: result.metadata?.pendingBlocks?.length || 0,
       })
 
       // Update debug context and pending blocks
       if (result.metadata?.context) {
-        setDebugContext(activeWorkflowId, result.metadata.context)
+        setDebugContext(result.metadata.context)
       }
       if (result.metadata?.pendingBlocks) {
-        setPendingBlocks(activeWorkflowId, result.metadata.pendingBlocks)
+        setPendingBlocks(result.metadata.pendingBlocks)
       }
     },
-    [activeWorkflowId, setDebugContext, setPendingBlocks]
+    [setDebugContext, setPendingBlocks]
   )
 
   /**
@@ -663,11 +663,11 @@ export function useWorkflowExecution() {
 
       // Reset execution result and set execution state
       setExecutionResult(null)
-      setIsExecuting(activeWorkflowId, true)
+      setIsExecuting(true)
 
       // Set debug mode only if explicitly requested
       if (enableDebug) {
-        setIsDebugging(activeWorkflowId, true)
+        setIsDebugging(true)
       }
 
       // Determine if this is a chat execution
@@ -965,9 +965,9 @@ export function useWorkflowExecution() {
                 controller.close()
               }
               if (currentChatExecutionIdRef.current === executionId) {
-                setIsExecuting(activeWorkflowId, false)
-                setIsDebugging(activeWorkflowId, false)
-                setActiveBlocks(activeWorkflowId, new Set())
+                setIsExecuting(false)
+                setIsDebugging(false)
+                setActiveBlocks(new Set())
               }
             }
           },
@@ -989,16 +989,16 @@ export function useWorkflowExecution() {
           'manual'
         )
         if (result && 'metadata' in result && result.metadata?.isDebugSession) {
-          setDebugContext(activeWorkflowId, result.metadata.context || null)
+          setDebugContext(result.metadata.context || null)
           if (result.metadata.pendingBlocks) {
-            setPendingBlocks(activeWorkflowId, result.metadata.pendingBlocks)
+            setPendingBlocks(result.metadata.pendingBlocks)
           }
         } else if (result && 'success' in result) {
           setExecutionResult(result)
           // Reset execution state after successful non-debug execution
-          setIsExecuting(activeWorkflowId, false)
-          setIsDebugging(activeWorkflowId, false)
-          setActiveBlocks(activeWorkflowId, new Set())
+          setIsExecuting(false)
+          setIsDebugging(false)
+          setActiveBlocks(new Set())
 
           if (isChatExecution) {
             if (!result.metadata) {
@@ -1179,7 +1179,7 @@ export function useWorkflowExecution() {
         logger.error('No trigger blocks found for manual run', {
           allBlockTypes: Object.values(filteredStates).map((b) => b.type),
         })
-        if (activeWorkflowId) setIsExecuting(activeWorkflowId, false)
+        setIsExecuting(false)
         throw error
       }
 
@@ -1195,7 +1195,7 @@ export function useWorkflowExecution() {
           'Workflow Validation'
         )
         logger.error('Multiple API triggers found')
-        if (activeWorkflowId) setIsExecuting(activeWorkflowId, false)
+        setIsExecuting(false)
         throw error
       }
 
@@ -1220,7 +1220,7 @@ export function useWorkflowExecution() {
             'Workflow Validation'
           )
           logger.error('Trigger has no outgoing connections', { triggerName, startBlockId })
-          if (activeWorkflowId) setIsExecuting(activeWorkflowId, false)
+          setIsExecuting(false)
           throw error
         }
       }
@@ -1251,7 +1251,7 @@ export function useWorkflowExecution() {
         'Workflow Validation'
       )
       logger.error('No startBlockId found after trigger search')
-      if (activeWorkflowId) setIsExecuting(activeWorkflowId, false)
+      setIsExecuting(false)
       throw error
     }
 
@@ -1457,10 +1457,8 @@ export function useWorkflowExecution() {
           logger.info('Execution aborted by user')
 
           // Reset execution state
-          if (activeWorkflowId) {
-            setIsExecuting(activeWorkflowId, false)
-            setActiveBlocks(activeWorkflowId, new Set())
-          }
+          setIsExecuting(false)
+          setActiveBlocks(new Set())
 
           // Return gracefully without error
           return {
@@ -1535,11 +1533,9 @@ export function useWorkflowExecution() {
     }
 
     setExecutionResult(errorResult)
-    if (activeWorkflowId) {
-      setIsExecuting(activeWorkflowId, false)
-      setIsDebugging(activeWorkflowId, false)
-      setActiveBlocks(activeWorkflowId, new Set())
-    }
+    setIsExecuting(false)
+    setIsDebugging(false)
+    setActiveBlocks(new Set())
 
     let notificationMessage = WORKFLOW_EXECUTION_FAILURE_MESSAGE
     if (isRecord(error) && isRecord(error.request) && sanitizeMessage(error.request.url)) {
@@ -1710,8 +1706,8 @@ export function useWorkflowExecution() {
   const handleCancelExecution = useCallback(() => {
     logger.info('Workflow execution cancellation requested')
 
-    // Cancel the execution stream for this workflow (server-side)
-    executionStream.cancel(activeWorkflowId ?? undefined)
+    // Cancel the execution stream (server-side)
+    executionStream.cancel()
 
     // Mark current chat execution as superseded so its cleanup won't affect new executions
     currentChatExecutionIdRef.current = null
@@ -1719,13 +1715,13 @@ export function useWorkflowExecution() {
     // Mark all running entries as canceled in the terminal
     if (activeWorkflowId) {
       cancelRunningEntries(activeWorkflowId)
-
-      // Reset execution state - this triggers chat stream cleanup via useEffect in chat.tsx
-      setIsExecuting(activeWorkflowId, false)
-      setIsDebugging(activeWorkflowId, false)
-      setActiveBlocks(activeWorkflowId, new Set())
     }
 
+    // Reset execution state - this triggers chat stream cleanup via useEffect in chat.tsx
+    setIsExecuting(false)
+    setIsDebugging(false)
+    setActiveBlocks(new Set())
+
     // If in debug mode, also reset debug state
     if (isDebugging) {
       resetDebugState()
@@ -1837,7 +1833,7 @@ export function useWorkflowExecution() {
         }
       }
 
-      setIsExecuting(workflowId, true)
+      setIsExecuting(true)
       const executionId = uuidv4()
       const accumulatedBlockLogs: BlockLog[] = []
       const accumulatedBlockStates = new Map<string, BlockState>()
@@ -1933,8 +1929,8 @@ export function useWorkflowExecution() {
           logger.error('Run-from-block failed:', error)
         }
       } finally {
-        setIsExecuting(workflowId, false)
-        setActiveBlocks(workflowId, new Set())
+        setIsExecuting(false)
+        setActiveBlocks(new Set())
       }
     },
     [
@@ -1966,7 +1962,7 @@ export function useWorkflowExecution() {
       logger.info('Starting run-until-block execution', { workflowId, stopAfterBlockId: blockId })
 
       setExecutionResult(null)
-      setIsExecuting(workflowId, true)
+      setIsExecuting(true)
 
       const executionId = uuidv4()
       try {
@@ -1985,9 +1981,9 @@ export function useWorkflowExecution() {
         const errorResult = handleExecutionError(error, { executionId })
         return errorResult
       } finally {
-        setIsExecuting(workflowId, false)
-        setIsDebugging(workflowId, false)
-        setActiveBlocks(workflowId, new Set())
+        setIsExecuting(false)
+        setIsDebugging(false)
+        setActiveBlocks(new Set())
       }
     },
     [activeWorkflowId, setExecutionResult, setIsExecuting, setIsDebugging, setActiveBlocks]

apps/sim/app/workspace/[workspaceId]/w/[workflowId]/utils/workflow-execution-utils.ts

@@ -35,7 +35,6 @@ export async function executeWorkflowWithFullLogging(
   const executionId = options.executionId || uuidv4()
   const { addConsole } = useTerminalConsoleStore.getState()
   const { setActiveBlocks, setBlockRunStatus, setEdgeRunStatus } = useExecutionStore.getState()
-  const wfId = activeWorkflowId
   const workflowEdges = useWorkflowStore.getState().edges
 
   const activeBlocksSet = new Set<string>()
@@ -104,22 +103,22 @@ export async function executeWorkflowWithFullLogging(
           switch (event.type) {
             case 'block:started': {
               activeBlocksSet.add(event.data.blockId)
-              setActiveBlocks(wfId, new Set(activeBlocksSet))
+              setActiveBlocks(new Set(activeBlocksSet))
 
               const incomingEdges = workflowEdges.filter(
                 (edge) => edge.target === event.data.blockId
               )
               incomingEdges.forEach((edge) => {
-                setEdgeRunStatus(wfId, edge.id, 'success')
+                setEdgeRunStatus(edge.id, 'success')
               })
               break
             }
 
             case 'block:completed':
               activeBlocksSet.delete(event.data.blockId)
-              setActiveBlocks(wfId, new Set(activeBlocksSet))
+              setActiveBlocks(new Set(activeBlocksSet))
 
-              setBlockRunStatus(wfId, event.data.blockId, 'success')
+              setBlockRunStatus(event.data.blockId, 'success')
 
               addConsole({
                 input: event.data.input || {},
@@ -146,9 +145,9 @@ export async function executeWorkflowWithFullLogging(
 
             case 'block:error':
               activeBlocksSet.delete(event.data.blockId)
-              setActiveBlocks(wfId, new Set(activeBlocksSet))
+              setActiveBlocks(new Set(activeBlocksSet))
 
-              setBlockRunStatus(wfId, event.data.blockId, 'error')
+              setBlockRunStatus(event.data.blockId, 'error')
 
               addConsole({
                 input: event.data.input || {},
@@ -193,7 +192,7 @@ export async function executeWorkflowWithFullLogging(
     }
   } finally {
     reader.releaseLock()
-    setActiveBlocks(wfId, new Set())
+    setActiveBlocks(new Set())
   }
 
   return executionResult

apps/sim/app/workspace/[workspaceId]/w/[workflowId]/workflow.tsx

@@ -74,7 +74,7 @@ import { useStreamCleanup } from '@/hooks/use-stream-cleanup'
 import { useCanvasModeStore } from '@/stores/canvas-mode'
 import { useChatStore } from '@/stores/chat/store'
 import { useCopilotTrainingStore } from '@/stores/copilot-training/store'
-import { defaultWorkflowExecutionState, useExecutionStore } from '@/stores/execution'
+import { useExecutionStore } from '@/stores/execution'
 import { useSearchModalStore } from '@/stores/modals/search/store'
 import { useNotificationStore } from '@/stores/notifications'
 import { useCopilotStore, usePanelEditorStore } from '@/stores/panel'
@@ -740,18 +740,16 @@ const WorkflowContent = React.memo(() => {
     [collaborativeBatchAddBlocks, setSelectedEdges, setPendingSelection]
   )
 
-  const { activeBlockIds, pendingBlocks, isDebugging, isExecuting } = useExecutionStore(
-    useShallow((state) => {
-      const wf = activeWorkflowId ? state.workflowExecutions.get(activeWorkflowId) : undefined
-      return {
-        activeBlockIds: wf?.activeBlockIds ?? defaultWorkflowExecutionState.activeBlockIds,
-        pendingBlocks: wf?.pendingBlocks ?? defaultWorkflowExecutionState.pendingBlocks,
-        isDebugging: wf?.isDebugging ?? false,
-        isExecuting: wf?.isExecuting ?? false,
-      }
-    })
-  )
-  const getLastExecutionSnapshot = useExecutionStore((s) => s.getLastExecutionSnapshot)
+  const { activeBlockIds, pendingBlocks, isDebugging, isExecuting, getLastExecutionSnapshot } =
+    useExecutionStore(
+      useShallow((state) => ({
+        activeBlockIds: state.activeBlockIds,
+        pendingBlocks: state.pendingBlocks,
+        isDebugging: state.isDebugging,
+        isExecuting: state.isExecuting,
+        getLastExecutionSnapshot: state.getLastExecutionSnapshot,
+      }))
+    )
 
   const [dragStartParentId, setDragStartParentId] = useState<string | null>(null)
 

apps/sim/app/workspace/[workspaceId]/w/components/sidebar/components/settings-modal/components/custom-tools/custom-tools.tsx

@@ -6,6 +6,7 @@ import { Plus, Search } from 'lucide-react'
 import { useParams } from 'next/navigation'
 import { Button, Modal, ModalBody, ModalContent, ModalFooter, ModalHeader } from '@/components/emcn'
 import { Input, Skeleton } from '@/components/ui'
+import { cn } from '@/lib/core/utils/cn'
 import { CustomToolModal } from '@/app/workspace/[workspaceId]/w/[workflowId]/components/panel/components/editor/components/sub-block/components/tool-input/components/custom-tool-modal/custom-tool-modal'
 import { useCustomTools, useDeleteCustomTool } from '@/hooks/queries/custom-tools'
 
@@ -102,7 +103,12 @@ export function CustomTools() {
     <>
       <div className='flex h-full flex-col gap-[16px]'>
         <div className='flex items-center gap-[8px]'>
-          <div className='flex flex-1 items-center gap-[8px] rounded-[8px] border border-[var(--border)] bg-transparent px-[8px] py-[5px] transition-colors duration-100 dark:bg-[var(--surface-4)] dark:hover:border-[var(--border-1)] dark:hover:bg-[var(--surface-5)]'>
+          <div
+            className={cn(
+              'flex flex-1 items-center gap-[8px] rounded-[8px] border border-[var(--border)] bg-transparent px-[8px] py-[5px] transition-colors duration-100 dark:bg-[var(--surface-4)] dark:hover:border-[var(--border-1)] dark:hover:bg-[var(--surface-5)]',
+              isLoading && 'opacity-50'
+            )}
+          >
             <Search
               className='h-[14px] w-[14px] flex-shrink-0 text-[var(--text-tertiary)]'
               strokeWidth={2}
@@ -112,7 +118,7 @@ export function CustomTools() {
               value={searchTerm}
               onChange={(e) => setSearchTerm(e.target.value)}
               disabled={isLoading}
-              className='h-auto flex-1 border-0 bg-transparent p-0 font-base leading-none placeholder:text-[var(--text-tertiary)] focus-visible:ring-0 focus-visible:ring-offset-0'
+              className='h-auto flex-1 border-0 bg-transparent p-0 font-base leading-none placeholder:text-[var(--text-tertiary)] focus-visible:ring-0 focus-visible:ring-offset-0 disabled:cursor-not-allowed disabled:opacity-100'
             />
           </div>
           <Button onClick={() => setShowAddForm(true)} disabled={isLoading} variant='tertiary'>

apps/sim/app/workspace/[workspaceId]/w/components/sidebar/components/settings-modal/components/mcp/mcp.tsx

@@ -38,7 +38,6 @@ import {
   useMcpToolsQuery,
   useRefreshMcpServer,
   useStoredMcpTools,
-  useUpdateMcpServer,
 } from '@/hooks/queries/mcp'
 import { useAvailableEnvVarKeys } from '@/hooks/use-available-env-vars'
 import { useWorkflowRegistry } from '@/stores/workflows/registry/store'
@@ -97,8 +96,6 @@ interface McpServer {
   name?: string
   transport?: string
   url?: string
-  headers?: Record<string, string>
-  enabled?: boolean
   connectionStatus?: 'connected' | 'disconnected' | 'error'
   lastError?: string | null
   lastConnected?: string
@@ -381,13 +378,6 @@ export function MCP({ initialServerId }: MCPProps) {
   const deleteServerMutation = useDeleteMcpServer()
   const refreshServerMutation = useRefreshMcpServer()
   const { testResult, isTestingConnection, testConnection, clearTestResult } = useMcpServerTest()
-  const updateServerMutation = useUpdateMcpServer()
-  const {
-    testResult: editTestResult,
-    isTestingConnection: isEditTestingConnection,
-    testConnection: editTestConnection,
-    clearTestResult: clearEditTestResult,
-  } = useMcpServerTest()
   const availableEnvVars = useAvailableEnvVarKeys(workspaceId)
 
   const urlInputRef = useRef<HTMLInputElement>(null)
@@ -417,19 +407,6 @@ export function MCP({ initialServerId }: MCPProps) {
   const [urlScrollLeft, setUrlScrollLeft] = useState(0)
   const [headerScrollLeft, setHeaderScrollLeft] = useState<Record<string, number>>({})
 
-  const [showEditModal, setShowEditModal] = useState(false)
-  const [editFormData, setEditFormData] = useState<McpServerFormData>(DEFAULT_FORM_DATA)
-  const [editOriginalData, setEditOriginalData] = useState<McpServerFormData>(DEFAULT_FORM_DATA)
-  const [isUpdatingServer, setIsUpdatingServer] = useState(false)
-  const [editSaveError, setEditSaveError] = useState<string | null>(null)
-  const [editShowEnvVars, setEditShowEnvVars] = useState(false)
-  const [editEnvSearchTerm, setEditEnvSearchTerm] = useState('')
-  const [editCursorPosition, setEditCursorPosition] = useState(0)
-  const [editActiveInputField, setEditActiveInputField] = useState<InputFieldType | null>(null)
-  const [editActiveHeaderIndex, setEditActiveHeaderIndex] = useState<number | null>(null)
-  const [editUrlScrollLeft, setEditUrlScrollLeft] = useState(0)
-  const [editHeaderScrollLeft, setEditHeaderScrollLeft] = useState<Record<string, number>>({})
-
   useEffect(() => {
     if (initialServerId && servers.some((s) => s.id === initialServerId)) {
       setSelectedServerId(initialServerId)
@@ -780,215 +757,6 @@ export function MCP({ initialServerId }: MCPProps) {
     [refreshServerMutation, workspaceId]
   )
 
-  /**
-   * Resets edit modal environment variable dropdown state.
-   */
-  const resetEditEnvVarState = useCallback(() => {
-    setEditShowEnvVars(false)
-    setEditActiveInputField(null)
-    setEditActiveHeaderIndex(null)
-  }, [])
-
-  /**
-   * Opens the edit modal and populates form with current server data.
-   */
-  const handleOpenEditModal = useCallback(
-    (server: McpServer) => {
-      const headers: HeaderEntry[] = server.headers
-        ? Object.entries(server.headers).map(([key, value]) => ({ key, value }))
-        : [{ key: '', value: '' }]
-      if (headers.length === 0) headers.push({ key: '', value: '' })
-
-      const data: McpServerFormData = {
-        name: server.name || '',
-        transport: (server.transport as McpTransport) || 'streamable-http',
-        url: server.url || '',
-        timeout: 30000,
-        headers,
-      }
-      setEditFormData(data)
-      setEditOriginalData(JSON.parse(JSON.stringify(data)))
-      setShowEditModal(true)
-      setEditSaveError(null)
-      clearEditTestResult()
-      resetEditEnvVarState()
-      setEditUrlScrollLeft(0)
-      setEditHeaderScrollLeft({})
-    },
-    [clearEditTestResult, resetEditEnvVarState]
-  )
-
-  /**
-   * Closes the edit modal and resets state.
-   */
-  const handleCloseEditModal = useCallback(() => {
-    setShowEditModal(false)
-    setEditFormData(DEFAULT_FORM_DATA)
-    setEditOriginalData(DEFAULT_FORM_DATA)
-    setEditSaveError(null)
-    clearEditTestResult()
-    resetEditEnvVarState()
-  }, [clearEditTestResult, resetEditEnvVarState])
-
-  /**
-   * Handles environment variable selection in the edit modal.
-   */
-  const handleEditEnvVarSelect = useCallback(
-    (newValue: string) => {
-      if (editActiveInputField === 'url') {
-        setEditFormData((prev) => ({ ...prev, url: newValue }))
-      } else if (editActiveHeaderIndex !== null) {
-        const field = editActiveInputField === 'header-key' ? 'key' : 'value'
-        const processedValue = field === 'key' ? newValue.replace(/[{}]/g, '') : newValue
-        setEditFormData((prev) => {
-          const newHeaders = [...(prev.headers || [])]
-          if (newHeaders[editActiveHeaderIndex]) {
-            newHeaders[editActiveHeaderIndex] = {
-              ...newHeaders[editActiveHeaderIndex],
-              [field]: processedValue,
-            }
-          }
-          return { ...prev, headers: newHeaders }
-        })
-      }
-      resetEditEnvVarState()
-    },
-    [editActiveInputField, editActiveHeaderIndex, resetEditEnvVarState]
-  )
-
-  /**
-   * Handles input changes in the edit modal and manages env var dropdown.
-   */
-  const handleEditInputChange = useCallback(
-    (field: InputFieldType, value: string, headerIndex?: number) => {
-      const input = document.activeElement as HTMLInputElement
-      const pos = input?.selectionStart || 0
-      setEditCursorPosition(pos)
-
-      if (editTestResult) {
-        clearEditTestResult()
-      }
-
-      const envVarTrigger = checkEnvVarTrigger(value, pos)
-      setEditShowEnvVars(envVarTrigger.show)
-      setEditEnvSearchTerm(envVarTrigger.show ? envVarTrigger.searchTerm : '')
-
-      if (envVarTrigger.show) {
-        setEditActiveInputField(field)
-        setEditActiveHeaderIndex(headerIndex ?? null)
-      } else {
-        resetEditEnvVarState()
-      }
-
-      if (field === 'url') {
-        setEditFormData((prev) => ({ ...prev, url: value }))
-      } else if (headerIndex !== undefined) {
-        const headerField = field === 'header-key' ? 'key' : 'value'
-        setEditFormData((prev) => {
-          const newHeaders = [...(prev.headers || [])]
-          if (newHeaders[headerIndex]) {
-            newHeaders[headerIndex] = { ...newHeaders[headerIndex], [headerField]: value }
-          }
-          return { ...prev, headers: newHeaders }
-        })
-      }
-    },
-    [editTestResult, clearEditTestResult, resetEditEnvVarState]
-  )
-
-  const handleEditHeaderScroll = useCallback((key: string, scrollLeft: number) => {
-    setEditHeaderScrollLeft((prev) => ({ ...prev, [key]: scrollLeft }))
-  }, [])
-
-  const handleEditAddHeader = useCallback(() => {
-    setEditFormData((prev) => ({
-      ...prev,
-      headers: [...(prev.headers || []), { key: '', value: '' }],
-    }))
-  }, [])
-
-  const handleEditRemoveHeader = useCallback((index: number) => {
-    setEditFormData((prev) => ({
-      ...prev,
-      headers: (prev.headers || []).filter((_, i) => i !== index),
-    }))
-  }, [])
-
-  /**
-   * Tests the connection with the edit modal's form data.
-   */
-  const handleEditTestConnection = useCallback(async () => {
-    if (!editFormData.name.trim() || !editFormData.url?.trim()) return
-
-    await editTestConnection({
-      name: editFormData.name,
-      transport: editFormData.transport,
-      url: editFormData.url,
-      headers: headersToRecord(editFormData.headers),
-      timeout: editFormData.timeout,
-      workspaceId,
-    })
-  }, [editFormData, editTestConnection, workspaceId, headersToRecord])
-
-  /**
-   * Saves the edited MCP server after validating and testing the connection.
-   */
-  const handleSaveEdit = useCallback(async () => {
-    if (!selectedServerId || !editFormData.name.trim()) return
-
-    setEditSaveError(null)
-    try {
-      const headersRecord = headersToRecord(editFormData.headers)
-      const serverConfig = {
-        name: editFormData.name,
-        transport: editFormData.transport,
-        url: editFormData.url,
-        headers: headersRecord,
-        timeout: editFormData.timeout,
-        workspaceId,
-      }
-
-      const connectionResult = await editTestConnection(serverConfig)
-
-      if (!connectionResult.success) {
-        setEditSaveError(connectionResult.error || 'Connection test failed')
-        return
-      }
-
-      setIsUpdatingServer(true)
-      const currentServer = servers.find((s) => s.id === selectedServerId)
-      await updateServerMutation.mutateAsync({
-        workspaceId,
-        serverId: selectedServerId,
-        updates: {
-          name: editFormData.name.trim(),
-          transport: editFormData.transport,
-          url: editFormData.url,
-          headers: headersRecord,
-          timeout: editFormData.timeout || 30000,
-          enabled: currentServer?.enabled ?? true,
-        },
-      })
-
-      setShowEditModal(false)
-      logger.info(`Updated MCP server: ${editFormData.name}`)
-    } catch (error) {
-      const message = error instanceof Error ? error.message : 'Failed to update server'
-      setEditSaveError(message)
-      logger.error('Failed to update MCP server:', error)
-    } finally {
-      setIsUpdatingServer(false)
-    }
-  }, [
-    selectedServerId,
-    editFormData,
-    editTestConnection,
-    updateServerMutation,
-    workspaceId,
-    headersToRecord,
-    servers,
-  ])
-
   /**
    * Gets the selected server and its tools for the detail view.
    */
@@ -1009,26 +777,6 @@ export function MCP({ initialServerId }: MCPProps) {
   const isSubmitDisabled = serversLoading || isAddingServer || !isFormValid
   const testButtonLabel = getTestButtonLabel(testResult, isTestingConnection)
 
-  const isEditFormValid = editFormData.name.trim() && editFormData.url?.trim()
-  const editTestButtonLabel = getTestButtonLabel(editTestResult, isEditTestingConnection)
-  const hasEditChanges = useMemo(() => {
-    if (editFormData.name !== editOriginalData.name) return true
-    if (editFormData.url !== editOriginalData.url) return true
-    if (editFormData.transport !== editOriginalData.transport) return true
-
-    const currentHeaders = editFormData.headers || []
-    const originalHeaders = editOriginalData.headers || []
-    if (currentHeaders.length !== originalHeaders.length) return true
-    for (let i = 0; i < currentHeaders.length; i++) {
-      if (
-        currentHeaders[i].key !== originalHeaders[i].key ||
-        currentHeaders[i].value !== originalHeaders[i].value
-      )
-        return true
-    }
-    return false
-  }, [editFormData, editOriginalData])
-
   /**
    * Gets issues for stored tools that reference a specific server tool.
    * Returns issues from all workflows that have stored this tool.
@@ -1157,6 +905,7 @@ export function MCP({ initialServerId }: MCPProps) {
                                       <Badge
                                         variant={getIssueBadgeVariant(issues[0].issue)}
                                         size='sm'
+                                        className='cursor-help'
                                       >
                                         {getIssueBadgeLabel(issues[0].issue)}
                                       </Badge>
@@ -1242,135 +991,23 @@ export function MCP({ initialServerId }: MCPProps) {
         </div>
 
         <div className='mt-auto flex items-center justify-between'>
-          <div className='flex items-center gap-[8px]'>
-            <Button
-              onClick={() => handleRefreshServer(server.id)}
-              variant='default'
-              disabled={!!refreshingServers[server.id]}
-            >
-              {refreshingServers[server.id]?.status === 'refreshing'
-                ? 'Refreshing...'
-                : refreshingServers[server.id]?.status === 'refreshed'
-                  ? refreshingServers[server.id].workflowsUpdated
-                    ? `Synced (${refreshingServers[server.id].workflowsUpdated} workflow${refreshingServers[server.id].workflowsUpdated === 1 ? '' : 's'})`
-                    : 'Refreshed'
-                  : 'Refresh Tools'}
-            </Button>
-            <Button onClick={() => handleOpenEditModal(server)} variant='default'>
-              Edit
-            </Button>
-          </div>
+          <Button
+            onClick={() => handleRefreshServer(server.id)}
+            variant='default'
+            disabled={!!refreshingServers[server.id]}
+          >
+            {refreshingServers[server.id]?.status === 'refreshing'
+              ? 'Refreshing...'
+              : refreshingServers[server.id]?.status === 'refreshed'
+                ? refreshingServers[server.id].workflowsUpdated
+                  ? `Synced (${refreshingServers[server.id].workflowsUpdated} workflow${refreshingServers[server.id].workflowsUpdated === 1 ? '' : 's'})`
+                  : 'Refreshed'
+                : 'Refresh Tools'}
+          </Button>
           <Button onClick={handleBackToList} variant='tertiary'>
             Back
           </Button>
         </div>
-
-        <Modal open={showEditModal} onOpenChange={setShowEditModal}>
-          <ModalContent>
-            <ModalHeader>Edit MCP Server</ModalHeader>
-            <ModalBody>
-              <div className='flex flex-col gap-[8px]'>
-                <FormField label='Server Name'>
-                  <EmcnInput
-                    placeholder='e.g., My MCP Server'
-                    value={editFormData.name}
-                    onChange={(e) => {
-                      if (editTestResult) clearEditTestResult()
-                      setEditFormData((prev) => ({ ...prev, name: e.target.value }))
-                    }}
-                    className='h-9'
-                  />
-                </FormField>
-
-                <FormField label='Server URL'>
-                  <FormattedInput
-                    placeholder='https://mcp.server.dev/{{YOUR_API_KEY}}/sse'
-                    value={editFormData.url || ''}
-                    scrollLeft={editUrlScrollLeft}
-                    showEnvVars={editShowEnvVars && editActiveInputField === 'url'}
-                    envVarProps={{
-                      searchTerm: editEnvSearchTerm,
-                      cursorPosition: editCursorPosition,
-                      workspaceId,
-                      onSelect: handleEditEnvVarSelect,
-                      onClose: resetEditEnvVarState,
-                    }}
-                    availableEnvVars={availableEnvVars}
-                    onChange={(e) => handleEditInputChange('url', e.target.value)}
-                    onScroll={setEditUrlScrollLeft}
-                  />
-                </FormField>
-
-                <div className='flex flex-col gap-[8px]'>
-                  <div className='flex items-center justify-between'>
-                    <span className='font-medium text-[13px] text-[var(--text-secondary)]'>
-                      Headers
-                    </span>
-                    <Button
-                      type='button'
-                      variant='ghost'
-                      onClick={handleEditAddHeader}
-                      className='h-6 w-6 p-0'
-                    >
-                      <Plus className='h-3 w-3' />
-                    </Button>
-                  </div>
-
-                  <div className='flex max-h-[140px] flex-col gap-[8px] overflow-y-auto'>
-                    {(editFormData.headers || []).map((header, index) => (
-                      <HeaderRow
-                        key={index}
-                        header={header}
-                        index={index}
-                        headerScrollLeft={editHeaderScrollLeft}
-                        showEnvVars={editShowEnvVars}
-                        activeInputField={editActiveInputField}
-                        activeHeaderIndex={editActiveHeaderIndex}
-                        envSearchTerm={editEnvSearchTerm}
-                        cursorPosition={editCursorPosition}
-                        workspaceId={workspaceId}
-                        availableEnvVars={availableEnvVars}
-                        onInputChange={handleEditInputChange}
-                        onHeaderScroll={handleEditHeaderScroll}
-                        onEnvVarSelect={handleEditEnvVarSelect}
-                        onEnvVarClose={resetEditEnvVarState}
-                        onRemove={() => handleEditRemoveHeader(index)}
-                      />
-                    ))}
-                  </div>
-                </div>
-              </div>
-            </ModalBody>
-            <ModalFooter>
-              {editSaveError && (
-                <p className='mb-[8px] w-full text-[12px] text-[var(--text-error)]'>
-                  {editSaveError}
-                </p>
-              )}
-              <div className='flex w-full items-center justify-between'>
-                <Button
-                  variant='default'
-                  onClick={handleEditTestConnection}
-                  disabled={isEditTestingConnection || !isEditFormValid}
-                >
-                  {editTestButtonLabel}
-                </Button>
-                <div className='flex items-center gap-[8px]'>
-                  <Button variant='ghost' onClick={handleCloseEditModal}>
-                    Cancel
-                  </Button>
-                  <Button
-                    onClick={handleSaveEdit}
-                    disabled={!hasEditChanges || isUpdatingServer || !isEditFormValid}
-                    variant='tertiary'
-                  >
-                    {isUpdatingServer ? 'Saving...' : 'Save'}
-                  </Button>
-                </div>
-              </div>
-            </ModalFooter>
-          </ModalContent>
-        </Modal>
       </div>
     )
   }

apps/sim/app/workspace/[workspaceId]/w/components/sidebar/components/settings-modal/components/skills/components/skill-modal.tsx

@@ -1,7 +1,7 @@
 'use client'
 
 import type { ChangeEvent } from 'react'
-import { useMemo, useState } from 'react'
+import { useEffect, useMemo, useState } from 'react'
 import { useParams } from 'next/navigation'
 import {
   Button,
@@ -52,17 +52,21 @@ export function SkillModal({
   const [content, setContent] = useState('')
   const [errors, setErrors] = useState<FieldErrors>({})
   const [saving, setSaving] = useState(false)
-  const [prevOpen, setPrevOpen] = useState(false)
-  const [prevInitialValues, setPrevInitialValues] = useState(initialValues)
 
-  if ((open && !prevOpen) || (open && initialValues !== prevInitialValues)) {
-    setName(initialValues?.name ?? '')
-    setDescription(initialValues?.description ?? '')
-    setContent(initialValues?.content ?? '')
-    setErrors({})
-  }
-  if (open !== prevOpen) setPrevOpen(open)
-  if (initialValues !== prevInitialValues) setPrevInitialValues(initialValues)
+  useEffect(() => {
+    if (open) {
+      if (initialValues) {
+        setName(initialValues.name)
+        setDescription(initialValues.description)
+        setContent(initialValues.content)
+      } else {
+        setName('')
+        setDescription('')
+        setContent('')
+      }
+      setErrors({})
+    }
+  }, [open, initialValues])
 
   const hasChanges = useMemo(() => {
     if (!initialValues) return true

apps/sim/app/workspace/[workspaceId]/w/components/sidebar/components/settings-modal/components/skills/skills.tsx

@@ -4,8 +4,17 @@ import { useState } from 'react'
 import { createLogger } from '@sim/logger'
 import { Plus, Search } from 'lucide-react'
 import { useParams } from 'next/navigation'
-import { Button, Modal, ModalBody, ModalContent, ModalFooter, ModalHeader } from '@/components/emcn'
-import { Input, Skeleton } from '@/components/ui'
+import {
+  Button,
+  Input,
+  Modal,
+  ModalBody,
+  ModalContent,
+  ModalFooter,
+  ModalHeader,
+} from '@/components/emcn'
+import { Skeleton } from '@/components/ui'
+import { cn } from '@/lib/core/utils/cn'
 import { SkillModal } from '@/app/workspace/[workspaceId]/w/components/sidebar/components/settings-modal/components/skills/components/skill-modal'
 import type { SkillDefinition } from '@/hooks/queries/skills'
 import { useDeleteSkill, useSkills } from '@/hooks/queries/skills'
@@ -96,7 +105,12 @@ export function Skills() {
     <>
       <div className='flex h-full flex-col gap-[16px]'>
         <div className='flex items-center gap-[8px]'>
-          <div className='flex flex-1 items-center gap-[8px] rounded-[8px] border border-[var(--border)] bg-transparent px-[8px] py-[5px] transition-colors duration-100 dark:bg-[var(--surface-4)] dark:hover:border-[var(--border-1)] dark:hover:bg-[var(--surface-5)]'>
+          <div
+            className={cn(
+              'flex flex-1 items-center gap-[8px] rounded-[8px] border border-[var(--border)] bg-transparent px-[8px] py-[5px] transition-colors duration-100 dark:bg-[var(--surface-4)] dark:hover:border-[var(--border-1)] dark:hover:bg-[var(--surface-5)]',
+              isLoading && 'opacity-50'
+            )}
+          >
             <Search
               className='h-[14px] w-[14px] flex-shrink-0 text-[var(--text-tertiary)]'
               strokeWidth={2}
@@ -106,7 +120,7 @@ export function Skills() {
               value={searchTerm}
               onChange={(e) => setSearchTerm(e.target.value)}
               disabled={isLoading}
-              className='h-auto flex-1 border-0 bg-transparent p-0 font-base leading-none placeholder:text-[var(--text-tertiary)] focus-visible:ring-0 focus-visible:ring-offset-0'
+              className='h-auto flex-1 border-0 bg-transparent p-0 font-base leading-none placeholder:text-[var(--text-tertiary)] focus-visible:ring-0 focus-visible:ring-offset-0 disabled:cursor-not-allowed disabled:opacity-100'
             />
           </div>
           <Button onClick={() => setShowAddForm(true)} disabled={isLoading} variant='tertiary'>

apps/sim/app/workspace/[workspaceId]/w/components/sidebar/components/settings-modal/components/team-management/components/member-invitation-card/member-invitation-card.tsx

@@ -1,18 +1,17 @@
 'use client'
 
-import React from 'react'
+import React, { useState } from 'react'
 import { ChevronDown } from 'lucide-react'
 import {
   Button,
   ButtonGroup,
   ButtonGroupItem,
   Checkbox,
+  Input,
   Popover,
   PopoverContent,
   PopoverItem,
   PopoverTrigger,
-  TagInput,
-  type TagItem,
 } from '@/components/emcn'
 import { cn } from '@/lib/core/utils/cn'
 import { quickValidateEmail } from '@/lib/messaging/email/validation'
@@ -65,8 +64,8 @@ const PermissionSelector = React.memo<PermissionSelectorProps>(
 PermissionSelector.displayName = 'PermissionSelector'
 
 interface MemberInvitationCardProps {
-  inviteEmails: TagItem[]
-  setInviteEmails: (emails: TagItem[]) => void
+  inviteEmail: string
+  setInviteEmail: (email: string) => void
   isInviting: boolean
   showWorkspaceInvite: boolean
   setShowWorkspaceInvite: (show: boolean) => void
@@ -83,8 +82,8 @@ interface MemberInvitationCardProps {
 }
 
 export function MemberInvitationCard({
-  inviteEmails,
-  setInviteEmails,
+  inviteEmail,
+  setInviteEmail,
   isInviting,
   showWorkspaceInvite,
   setShowWorkspaceInvite,
@@ -101,26 +100,45 @@ export function MemberInvitationCard({
 }: MemberInvitationCardProps) {
   const selectedCount = selectedWorkspaces.length
   const hasAvailableSeats = availableSeats > 0
-  const hasValidEmails = inviteEmails.some((e) => e.isValid)
+  const [emailError, setEmailError] = useState<string>('')
 
-  const handleAddEmail = (value: string) => {
-    const normalized = value.trim().toLowerCase()
-    if (!normalized) return false
+  const validateEmailInput = (email: string) => {
+    if (!email.trim()) {
+      setEmailError('')
+      return
+    }
 
-    const isDuplicate = inviteEmails.some((e) => e.value === normalized)
-    if (isDuplicate) return false
-
-    const validation = quickValidateEmail(normalized)
-    setInviteEmails([...inviteEmails, { value: normalized, isValid: validation.isValid }])
-    return validation.isValid
+    const validation = quickValidateEmail(email.trim())
+    if (!validation.isValid) {
+      setEmailError(validation.reason || 'Please enter a valid email address')
+    } else {
+      setEmailError('')
+    }
   }
 
-  const handleRemoveEmail = (_value: string, index: number) => {
-    setInviteEmails(inviteEmails.filter((_, i) => i !== index))
+  const handleEmailChange = (e: React.ChangeEvent<HTMLInputElement>) => {
+    const value = e.target.value
+    setInviteEmail(value)
+    if (emailError) {
+      setEmailError('')
+    }
+  }
+
+  const handleInviteClick = () => {
+    if (inviteEmail.trim()) {
+      validateEmailInput(inviteEmail)
+      const validation = quickValidateEmail(inviteEmail.trim())
+      if (!validation.isValid) {
+        return // Don't proceed if validation fails
+      }
+    }
+
+    onInviteMember()
   }
 
   return (
     <div className='overflow-hidden rounded-[6px] border border-[var(--border-1)] bg-[var(--surface-5)]'>
+      {/* Header */}
       <div className='px-[14px] py-[10px]'>
         <h4 className='font-medium text-[14px] text-[var(--text-primary)]'>Invite Team Members</h4>
         <p className='text-[12px] text-[var(--text-muted)]'>
@@ -129,18 +147,46 @@ export function MemberInvitationCard({
       </div>
 
       <div className='flex flex-col gap-[12px] border-[var(--border-1)] border-t bg-[var(--surface-4)] px-[14px] py-[12px]'>
+        {/* Main invitation input */}
         <div className='flex items-start gap-[8px]'>
           <div className='flex-1'>
-            <TagInput
-              items={inviteEmails}
-              onAdd={handleAddEmail}
-              onRemove={handleRemoveEmail}
-              placeholder='Enter email addresses'
-              placeholderWithTags='Add another email'
-              disabled={isInviting || !hasAvailableSeats}
-              triggerKeys={['Enter', ',', ' ']}
-              maxHeight='max-h-24'
+            {/* Hidden decoy fields to prevent browser autofill */}
+            <input
+              type='text'
+              name='fakeusernameremembered'
+              autoComplete='username'
+              style={{ position: 'absolute', left: '-9999px', opacity: 0, pointerEvents: 'none' }}
+              tabIndex={-1}
+              readOnly
             />
+            <input
+              type='email'
+              name='fakeemailremembered'
+              autoComplete='email'
+              style={{ position: 'absolute', left: '-9999px', opacity: 0, pointerEvents: 'none' }}
+              tabIndex={-1}
+              readOnly
+            />
+            <Input
+              placeholder='Enter email address'
+              value={inviteEmail}
+              onChange={handleEmailChange}
+              disabled={isInviting || !hasAvailableSeats}
+              className={cn(emailError && 'border-red-500 focus-visible:ring-red-500')}
+              name='member_invite_field'
+              autoComplete='off'
+              autoCorrect='off'
+              autoCapitalize='off'
+              spellCheck={false}
+              data-lpignore='true'
+              data-form-type='other'
+              aria-autocomplete='none'
+            />
+            {emailError && (
+              <p className='mt-1 text-[12px] text-[var(--text-error)] leading-tight'>
+                {emailError}
+              </p>
+            )}
           </div>
           <Popover
             open={showWorkspaceInvite}
@@ -174,9 +220,8 @@ export function MemberInvitationCard({
               align='end'
               maxHeight={320}
               sideOffset={4}
-              minWidth={240}
-              maxWidth={240}
-              border
+              className='w-[240px] border border-[var(--border-muted)] [scrollbar-width:none] [&::-webkit-scrollbar]:hidden'
+              style={{ minWidth: '240px', maxWidth: '240px' }}
             >
               {isLoadingWorkspaces ? (
                 <div className='px-[6px] py-[16px] text-center'>
@@ -241,13 +286,14 @@ export function MemberInvitationCard({
           </Popover>
           <Button
             variant='tertiary'
-            onClick={() => onInviteMember()}
-            disabled={!hasValidEmails || isInviting || !hasAvailableSeats}
+            onClick={handleInviteClick}
+            disabled={!inviteEmail || isInviting || !hasAvailableSeats}
           >
             {isInviting ? 'Inviting...' : hasAvailableSeats ? 'Invite' : 'No Seats'}
           </Button>
         </div>
 
+        {/* Invitation error - inline */}
         {invitationError && (
           <p className='text-[12px] text-[var(--text-error)] leading-tight'>
             {invitationError instanceof Error && invitationError.message
@@ -256,6 +302,7 @@ export function MemberInvitationCard({
           </p>
         )}
 
+        {/* Success message */}
         {inviteSuccess && (
           <p className='text-[11px] text-[var(--text-success)] leading-tight'>
             Invitation sent successfully

apps/sim/app/workspace/[workspaceId]/w/components/sidebar/components/settings-modal/components/team-management/team-management.tsx

@@ -2,7 +2,6 @@
 
 import { useCallback, useEffect, useState } from 'react'
 import { createLogger } from '@sim/logger'
-import type { TagItem } from '@/components/emcn'
 import { Skeleton } from '@/components/ui'
 import { useSession } from '@/lib/auth/auth-client'
 import { DEFAULT_TEAM_TIER_COST_LIMIT } from '@/lib/billing/constants'
@@ -70,7 +69,7 @@ export function TeamManagement() {
 
   const [inviteSuccess, setInviteSuccess] = useState(false)
 
-  const [inviteEmails, setInviteEmails] = useState<TagItem[]>([])
+  const [inviteEmail, setInviteEmail] = useState('')
   const [showWorkspaceInvite, setShowWorkspaceInvite] = useState(false)
   const [selectedWorkspaces, setSelectedWorkspaces] = useState<
     Array<{ workspaceId: string; permission: string }>
@@ -130,8 +129,7 @@ export function TeamManagement() {
   }, [orgName, orgSlug, createOrgMutation])
 
   const handleInviteMember = useCallback(async () => {
-    const validEmails = inviteEmails.filter((e) => e.isValid).map((e) => e.value)
-    if (!session?.user || !activeOrganization?.id || validEmails.length === 0) return
+    if (!session?.user || !activeOrganization?.id || !inviteEmail.trim()) return
 
     try {
       const workspaceInvitations =
@@ -143,21 +141,23 @@ export function TeamManagement() {
           : undefined
 
       await inviteMutation.mutateAsync({
-        emails: validEmails,
+        email: inviteEmail.trim(),
         orgId: activeOrganization.id,
         workspaceInvitations,
       })
 
+      // Show success state
       setInviteSuccess(true)
       setTimeout(() => setInviteSuccess(false), 3000)
 
-      setInviteEmails([])
+      // Reset form
+      setInviteEmail('')
       setSelectedWorkspaces([])
       setShowWorkspaceInvite(false)
     } catch (error) {
       logger.error('Failed to invite member', error)
     }
-  }, [session?.user?.id, activeOrganization?.id, inviteEmails, selectedWorkspaces, inviteMutation])
+  }, [session?.user?.id, activeOrganization?.id, inviteEmail, selectedWorkspaces, inviteMutation])
 
   const handleWorkspaceToggle = useCallback((workspaceId: string, permission: string) => {
     setSelectedWorkspaces((prev) => {
@@ -391,15 +391,15 @@ export function TeamManagement() {
       {adminOrOwner && !isInvitationsDisabled && (
         <div>
           <MemberInvitationCard
-            inviteEmails={inviteEmails}
-            setInviteEmails={setInviteEmails}
+            inviteEmail={inviteEmail}
+            setInviteEmail={setInviteEmail}
             isInviting={inviteMutation.isPending}
             showWorkspaceInvite={showWorkspaceInvite}
             setShowWorkspaceInvite={setShowWorkspaceInvite}
             selectedWorkspaces={selectedWorkspaces}
             userWorkspaces={adminWorkspaces}
             onInviteMember={handleInviteMember}
-            onLoadUserWorkspaces={async () => {}}
+            onLoadUserWorkspaces={async () => {}} // No-op: data is auto-loaded by React Query
             onWorkspaceToggle={handleWorkspaceToggle}
             inviteSuccess={inviteSuccess}
             availableSeats={Math.max(0, totalSeats - usedSeats.used)}

apps/sim/background/workspace-notification-delivery.ts

@@ -24,7 +24,6 @@ import { getBaseUrl } from '@/lib/core/utils/urls'
 import type { TraceSpan, WorkflowExecutionLog } from '@/lib/logs/types'
 import { sendEmail } from '@/lib/messaging/email/mailer'
 import type { AlertConfig } from '@/lib/notifications/alert-rules'
-import { getWorkspaceBilledAccountUserId } from '@/lib/workspaces/utils'
 
 const logger = createLogger('WorkspaceNotificationDelivery')
 
@@ -73,20 +72,14 @@ async function buildPayload(
   if (!log.workflowId) return null
 
   const workflowData = await db
-    .select({
-      name: workflowTable.name,
-      workspaceId: workflowTable.workspaceId,
-    })
+    .select({ name: workflowTable.name, userId: workflowTable.userId })
     .from(workflowTable)
     .where(eq(workflowTable.id, log.workflowId))
     .limit(1)
 
   const timestamp = Date.now()
   const executionData = (log.executionData || {}) as Record<string, unknown>
-  const workflowRecord = workflowData[0]
-  const userId = workflowRecord?.workspaceId
-    ? await getWorkspaceBilledAccountUserId(workflowRecord.workspaceId)
-    : null
+  const userId = workflowData[0]?.userId
 
   const payload: NotificationPayload = {
     id: `evt_${uuidv4()}`,

apps/sim/blocks/blocks/confluence.ts

@@ -44,7 +44,7 @@ export const ConfluenceBlock: BlockConfig<ConfluenceResponse> = {
       id: 'domain',
       title: 'Domain',
       type: 'short-input',
-      placeholder: 'Enter Confluence domain (e.g., company.atlassian.net)',
+      placeholder: 'Enter Confluence domain (e.g., simstudio.atlassian.net)',
       required: true,
     },
     {
@@ -462,7 +462,7 @@ export const ConfluenceV2Block: BlockConfig<ConfluenceResponse> = {
       id: 'domain',
       title: 'Domain',
       type: 'short-input',
-      placeholder: 'Enter Confluence domain (e.g., company.atlassian.net)',
+      placeholder: 'Enter Confluence domain (e.g., simstudio.atlassian.net)',
       required: true,
     },
     {

apps/sim/blocks/blocks/jira.ts

@@ -54,7 +54,7 @@ export const JiraBlock: BlockConfig<JiraResponse> = {
       title: 'Domain',
       type: 'short-input',
       required: true,
-      placeholder: 'Enter Jira domain (e.g., company.atlassian.net)',
+      placeholder: 'Enter Jira domain (e.g., simstudio.atlassian.net)',
     },
     {
       id: 'credential',

apps/sim/blocks/blocks/jira_service_management.ts

@@ -49,7 +49,7 @@ export const JiraServiceManagementBlock: BlockConfig<JsmResponse> = {
       title: 'Domain',
       type: 'short-input',
       required: true,
-      placeholder: 'Enter Jira domain (e.g., company.atlassian.net)',
+      placeholder: 'Enter Jira domain (e.g., simstudio.atlassian.net)',
     },
     {
       id: 'credential',

apps/sim/executor/execution/block-executor.ts

@@ -1,5 +1,4 @@
 import { createLogger } from '@sim/logger'
-import { redactApiKeys } from '@/lib/core/security/redaction'
 import { getBaseUrl } from '@/lib/core/utils/urls'
 import {
   containsUserFileWithMetadata,
@@ -377,7 +376,6 @@ export class BlockExecutor {
    * - Filters out system fields (UI-only, readonly, internal flags)
    * - Removes UI state from inputFormat items (e.g., collapsed)
    * - Parses JSON strings to objects for readability
-   * - Redacts sensitive fields (privateKey, password, tokens, etc.)
    * Returns a new object - does not mutate the original inputs.
    */
   private sanitizeInputsForLog(inputs: Record<string, any>): Record<string, any> {
@@ -412,7 +410,7 @@ export class BlockExecutor {
       }
     }
 
-    return redactApiKeys(result)
+    return result
   }
 
   private callOnBlockStart(

apps/sim/executor/utils/block-data.ts

@@ -1,6 +1,8 @@
-import { getEffectiveBlockOutputs } from '@/lib/workflows/blocks/block-outputs'
-import { hasTriggerCapability } from '@/lib/workflows/triggers/trigger-utils'
-import { getBlock } from '@/blocks/registry'
+import {
+  extractFieldsFromSchema,
+  parseResponseFormatSafely,
+} from '@/lib/core/utils/response-format'
+import { normalizeInputFormatValue } from '@/lib/workflows/input-format'
 import { isTriggerBehavior, normalizeName } from '@/executor/constants'
 import type { ExecutionContext } from '@/executor/types'
 import type { OutputSchema } from '@/executor/utils/block-reference'
@@ -10,6 +12,8 @@ import {
   isBranchNodeId,
 } from '@/executor/utils/subflow-utils'
 import type { SerializedBlock } from '@/serializer/types'
+import type { ToolConfig } from '@/tools/types'
+import { getTool } from '@/tools/utils'
 
 export interface BlockDataCollection {
   blockData: Record<string, unknown>
@@ -17,44 +21,118 @@ export interface BlockDataCollection {
   blockOutputSchemas: Record<string, OutputSchema>
 }
 
-interface SubBlockWithValue {
-  value?: unknown
-}
+/**
+ * Block types where inputFormat fields should be merged into outputs schema.
+ * These are blocks where users define custom fields via inputFormat that become
+ * valid output paths (e.g., <start.myField>, <webhook1.customField>, <hitl1.resumeField>).
+ *
+ * Note: This includes non-trigger blocks like 'starter' and 'human_in_the_loop' which
+ * have category 'blocks' but still need their inputFormat exposed as outputs.
+ */
+const BLOCKS_WITH_INPUT_FORMAT_OUTPUTS = [
+  'start_trigger',
+  'starter',
+  'api_trigger',
+  'input_trigger',
+  'generic_webhook',
+  'human_in_the_loop',
+] as const
 
-function paramsToSubBlocks(
-  params: Record<string, unknown> | undefined
-): Record<string, SubBlockWithValue> {
-  if (!params) return {}
-
-  const subBlocks: Record<string, SubBlockWithValue> = {}
-  for (const [key, value] of Object.entries(params)) {
-    subBlocks[key] = { value }
+function getInputFormatFields(block: SerializedBlock): OutputSchema {
+  const inputFormat = normalizeInputFormatValue(block.config?.params?.inputFormat)
+  if (inputFormat.length === 0) {
+    return {}
   }
-  return subBlocks
+
+  const schema: OutputSchema = {}
+  for (const field of inputFormat) {
+    if (!field.name) continue
+    schema[field.name] = { type: field.type || 'any' }
+  }
+
+  return schema
 }
 
-function getRegistrySchema(block: SerializedBlock): OutputSchema | undefined {
+function getEvaluatorMetricsSchema(block: SerializedBlock): OutputSchema | undefined {
+  if (block.metadata?.id !== 'evaluator') return undefined
+
+  const metrics = block.config?.params?.metrics
+  if (!Array.isArray(metrics) || metrics.length === 0) return undefined
+
+  const validMetrics = metrics.filter(
+    (m: { name?: string }) => m?.name && typeof m.name === 'string'
+  )
+  if (validMetrics.length === 0) return undefined
+
+  const schema: OutputSchema = { ...(block.outputs as OutputSchema) }
+  for (const metric of validMetrics) {
+    schema[metric.name.toLowerCase()] = { type: 'number' }
+  }
+  return schema
+}
+
+function getResponseFormatSchema(block: SerializedBlock): OutputSchema | undefined {
+  const responseFormatValue = block.config?.params?.responseFormat
+  if (!responseFormatValue) return undefined
+
+  const parsed = parseResponseFormatSafely(responseFormatValue, block.id)
+  if (!parsed) return undefined
+
+  const fields = extractFieldsFromSchema(parsed)
+  if (fields.length === 0) return undefined
+
+  const schema: OutputSchema = {}
+  for (const field of fields) {
+    schema[field.name] = { type: field.type || 'any' }
+  }
+  return schema
+}
+
+export function getBlockSchema(
+  block: SerializedBlock,
+  toolConfig?: ToolConfig
+): OutputSchema | undefined {
   const blockType = block.metadata?.id
-  if (!blockType) return undefined
 
-  const subBlocks = paramsToSubBlocks(block.config?.params)
-  const blockConfig = getBlock(blockType)
-  const isTriggerCapable = blockConfig ? hasTriggerCapability(blockConfig) : false
-  const triggerMode = Boolean(isTriggerBehavior(block) && isTriggerCapable)
-  const outputs = getEffectiveBlockOutputs(blockType, subBlocks, {
-    triggerMode,
-    preferToolOutputs: !triggerMode,
-    includeHidden: true,
-  }) as OutputSchema
-
-  if (!outputs || Object.keys(outputs).length === 0) {
-    return undefined
+  if (
+    blockType &&
+    BLOCKS_WITH_INPUT_FORMAT_OUTPUTS.includes(
+      blockType as (typeof BLOCKS_WITH_INPUT_FORMAT_OUTPUTS)[number]
+    )
+  ) {
+    const baseOutputs = (block.outputs as OutputSchema) || {}
+    const inputFormatFields = getInputFormatFields(block)
+    const merged = { ...baseOutputs, ...inputFormatFields }
+    if (Object.keys(merged).length > 0) {
+      return merged
+    }
   }
-  return outputs
-}
 
-export function getBlockSchema(block: SerializedBlock): OutputSchema | undefined {
-  return getRegistrySchema(block)
+  const evaluatorSchema = getEvaluatorMetricsSchema(block)
+  if (evaluatorSchema) {
+    return evaluatorSchema
+  }
+
+  const responseFormatSchema = getResponseFormatSchema(block)
+  if (responseFormatSchema) {
+    return responseFormatSchema
+  }
+
+  const isTrigger = isTriggerBehavior(block)
+
+  if (isTrigger && block.outputs && Object.keys(block.outputs).length > 0) {
+    return block.outputs as OutputSchema
+  }
+
+  if (toolConfig?.outputs && Object.keys(toolConfig.outputs).length > 0) {
+    return toolConfig.outputs as OutputSchema
+  }
+
+  if (block.outputs && Object.keys(block.outputs).length > 0) {
+    return block.outputs as OutputSchema
+  }
+
+  return undefined
 }
 
 export function collectBlockData(
@@ -92,7 +170,9 @@ export function collectBlockData(
       blockNameMapping[normalizeName(block.metadata.name)] = id
     }
 
-    const schema = getBlockSchema(block)
+    const toolId = block.config?.tool
+    const toolConfig = toolId ? getTool(toolId) : undefined
+    const schema = getBlockSchema(block, toolConfig)
     if (schema && Object.keys(schema).length > 0) {
       blockOutputSchemas[id] = schema
     }

apps/sim/executor/variables/resolvers/block.test.ts

@@ -5,10 +5,10 @@ import { BlockResolver } from './block'
 import type { ResolutionContext } from './reference'
 
 vi.mock('@sim/logger', () => loggerMock)
-vi.mock('@/blocks/registry', async () => {
-  const actual = await vi.importActual<typeof import('@/blocks/registry')>('@/blocks/registry')
-  return actual
-})
+
+vi.mock('@/lib/workflows/blocks/block-outputs', () => ({
+  getBlockOutputs: vi.fn(() => ({})),
+}))
 
 function createTestWorkflow(
   blocks: Array<{
@@ -135,7 +135,7 @@ describe('BlockResolver', () => {
     })
 
     it.concurrent('should return undefined for non-existent path when no schema defined', () => {
-      const workflow = createTestWorkflow([{ id: 'source', type: 'unknown_block_type' }])
+      const workflow = createTestWorkflow([{ id: 'source' }])
       const resolver = new BlockResolver(workflow)
       const ctx = createTestContext('current', {
         source: { existing: 'value' },
@@ -144,93 +144,55 @@ describe('BlockResolver', () => {
       expect(resolver.resolve('<source.nonexistent>', ctx)).toBeUndefined()
     })
 
-    it.concurrent('should throw error for path not in output schema', () => {
+    it.concurrent('should throw error for path not in output schema', async () => {
+      const { getBlockOutputs } = await import('@/lib/workflows/blocks/block-outputs')
+      const mockGetBlockOutputs = vi.mocked(getBlockOutputs)
+      const customOutputs = {
+        validField: { type: 'string', description: 'A valid field' },
+        nested: {
+          child: { type: 'number', description: 'Nested child' },
+        },
+      }
+      mockGetBlockOutputs.mockReturnValue(customOutputs as any)
+
       const workflow = createTestWorkflow([
         {
           id: 'source',
-          type: 'start_trigger',
+          outputs: customOutputs,
         },
       ])
       const resolver = new BlockResolver(workflow)
       const ctx = createTestContext('current', {
-        source: { input: 'value' },
+        source: { validField: 'value', nested: { child: 42 } },
       })
 
       expect(() => resolver.resolve('<source.invalidField>', ctx)).toThrow(
         /"invalidField" doesn't exist on block "source"/
       )
       expect(() => resolver.resolve('<source.invalidField>', ctx)).toThrow(/Available fields:/)
+
+      mockGetBlockOutputs.mockReturnValue({})
     })
 
     it.concurrent('should return undefined for path in schema but missing in data', () => {
       const workflow = createTestWorkflow([
         {
           id: 'source',
-          type: 'function',
+          outputs: {
+            requiredField: { type: 'string', description: 'Always present' },
+            optionalField: { type: 'string', description: 'Sometimes missing' },
+          },
         },
       ])
       const resolver = new BlockResolver(workflow)
       const ctx = createTestContext('current', {
-        source: { stdout: 'log output' },
+        source: { requiredField: 'value' },
       })
 
-      expect(resolver.resolve('<source.stdout>', ctx)).toBe('log output')
-      expect(resolver.resolve('<source.result>', ctx)).toBeUndefined()
+      expect(resolver.resolve('<source.requiredField>', ctx)).toBe('value')
+      expect(resolver.resolve('<source.optionalField>', ctx)).toBeUndefined()
     })
 
-    it.concurrent(
-      'should allow hiddenFromDisplay fields for pre-execution schema validation',
-      () => {
-        const workflow = createTestWorkflow([
-          {
-            id: 'workflow-block',
-            name: 'Workflow',
-            type: 'workflow',
-          },
-        ])
-        const resolver = new BlockResolver(workflow)
-        const ctx = createTestContext('current', {})
-
-        expect(resolver.resolve('<workflow.childTraceSpans>', ctx)).toBeUndefined()
-      }
-    )
-
-    it.concurrent(
-      'should allow hiddenFromDisplay fields for workflow_input pre-execution schema validation',
-      () => {
-        const workflow = createTestWorkflow([
-          {
-            id: 'workflow-input-block',
-            name: 'Workflow Input',
-            type: 'workflow_input',
-          },
-        ])
-        const resolver = new BlockResolver(workflow)
-        const ctx = createTestContext('current', {})
-
-        expect(resolver.resolve('<workflowinput.childTraceSpans>', ctx)).toBeUndefined()
-      }
-    )
-
-    it.concurrent(
-      'should allow hiddenFromDisplay fields for HITL pre-execution schema validation',
-      () => {
-        const workflow = createTestWorkflow([
-          {
-            id: 'hitl-block',
-            name: 'HITL',
-            type: 'human_in_the_loop',
-          },
-        ])
-        const resolver = new BlockResolver(workflow)
-        const ctx = createTestContext('current', {})
-
-        expect(resolver.resolve('<hitl.response>', ctx)).toBeUndefined()
-        expect(resolver.resolve('<hitl.submission>', ctx)).toBeUndefined()
-        expect(resolver.resolve('<hitl.resumeInput>', ctx)).toBeUndefined()
-      }
-    )
-
     it.concurrent('should return undefined for non-existent block', () => {
       const workflow = createTestWorkflow([{ id: 'existing' }])
       const resolver = new BlockResolver(workflow)
@@ -1013,7 +975,7 @@ describe('BlockResolver', () => {
     })
 
     it.concurrent('should handle output with undefined values', () => {
-      const workflow = createTestWorkflow([{ id: 'source', type: 'unknown_block_type' }])
+      const workflow = createTestWorkflow([{ id: 'source' }])
       const resolver = new BlockResolver(workflow)
       const ctx = createTestContext('current', {
         source: { value: undefined, other: 'exists' },
@@ -1023,7 +985,7 @@ describe('BlockResolver', () => {
     })
 
     it.concurrent('should return undefined for deeply nested non-existent path', () => {
-      const workflow = createTestWorkflow([{ id: 'source', type: 'unknown_block_type' }])
+      const workflow = createTestWorkflow([{ id: 'source' }])
       const resolver = new BlockResolver(workflow)
       const ctx = createTestContext('current', {
         source: { level1: { level2: {} } },

apps/sim/executor/variables/resolvers/block.ts

@@ -17,6 +17,7 @@ import {
   type Resolver,
 } from '@/executor/variables/resolvers/reference'
 import type { SerializedBlock, SerializedWorkflow } from '@/serializer/types'
+import { getTool } from '@/tools/utils'
 
 export class BlockResolver implements Resolver {
   private nameToBlockId: Map<string, string>
@@ -67,7 +68,9 @@ export class BlockResolver implements Resolver {
       blockData[blockId] = output
     }
 
-    const outputSchema = getBlockSchema(block)
+    const toolId = block.config?.tool
+    const toolConfig = toolId ? getTool(toolId) : undefined
+    const outputSchema = getBlockSchema(block, toolConfig)
 
     if (outputSchema && Object.keys(outputSchema).length > 0) {
       blockOutputSchemas[blockId] = outputSchema